Re: [Qemu-devel] [PATCH 2/3] virtio-pci: Add virtio_queue_valid checks ahead of virtio_queue_get_num
On Fri, Mar 29, 2013 at 04:33:11AM +, Nicholas A. Bellinger wrote: From: Nicholas Bellinger n...@linux-iscsi.org This patch adds a number of virtio_queue_valid() checks to virtio-pci ahead of virtio_queue_get_num() usage in order to skip operation upon the detection of an uninitialized VQ. There is one exception in virtio_ioport_read():VIRTIO_PCI_QUEUE_NUM, where virtio_queue_get_num() may still be called without a valid vdev-vq[n].vring.desc physical address. Cc: Michael S. Tsirkin m...@redhat.com Cc: Asias He as...@redhat.com Cc: Paolo Bonzini pbonz...@redhat.com Signed-off-by: Nicholas Bellinger n...@linux-iscsi.org Makes sense. Minor nit: virtio_queue_valid calls virtio_queue_get_num internally, so we can drop it everywhere we know queue is valid. --- hw/virtio-pci.c | 27 +++ 1 files changed, 27 insertions(+), 0 deletions(-) diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c index 0d67b84..231ca0c 100644 --- a/hw/virtio-pci.c +++ b/hw/virtio-pci.c @@ -211,6 +211,9 @@ static void virtio_pci_start_ioeventfd(VirtIOPCIProxy *proxy) } for (n = 0; n VIRTIO_PCI_QUEUE_MAX; n++) { +if (!virtio_queue_valid(proxy-vdev, n)) { +continue; +} if (!virtio_queue_get_num(proxy-vdev, n)) { continue; } @@ -225,6 +228,9 @@ static void virtio_pci_start_ioeventfd(VirtIOPCIProxy *proxy) assign_error: while (--n = 0) { +if (!virtio_queue_valid(proxy-vdev, n)) { +continue; +} if (!virtio_queue_get_num(proxy-vdev, n)) { continue; } @@ -246,6 +252,9 @@ static void virtio_pci_stop_ioeventfd(VirtIOPCIProxy *proxy) } for (n = 0; n VIRTIO_PCI_QUEUE_MAX; n++) { +if (!virtio_queue_valid(proxy-vdev, n)) { +continue; +} if (!virtio_queue_get_num(proxy-vdev, n)) { continue; } @@ -546,6 +555,9 @@ static int kvm_virtio_pci_vector_use(VirtIOPCIProxy *proxy, int nvqs) MSIMessage msg; for (queue_no = 0; queue_no nvqs; queue_no++) { +if (!virtio_queue_valid(vdev, queue_no)) { +continue; +} if (!virtio_queue_get_num(vdev, queue_no)) { break; } @@ -593,6 +605,9 @@ static void kvm_virtio_pci_vector_release(VirtIOPCIProxy *proxy, int nvqs) int queue_no; for (queue_no = 0; queue_no nvqs; queue_no++) { +if (!virtio_queue_valid(vdev, queue_no)) { +continue; +} if (!virtio_queue_get_num(vdev, queue_no)) { break; } @@ -665,6 +680,9 @@ static int kvm_virtio_pci_vector_unmask(PCIDevice *dev, unsigned vector, int ret, queue_no; for (queue_no = 0; queue_no proxy-nvqs_with_notifiers; queue_no++) { +if (!virtio_queue_valid(vdev, queue_no)) { +continue; +} if (!virtio_queue_get_num(vdev, queue_no)) { break; } @@ -695,6 +713,9 @@ static void kvm_virtio_pci_vector_mask(PCIDevice *dev, unsigned vector) int queue_no; for (queue_no = 0; queue_no proxy-nvqs_with_notifiers; queue_no++) { +if (!virtio_queue_valid(vdev, queue_no)) { +continue; +} if (!virtio_queue_get_num(vdev, queue_no)) { break; } @@ -717,6 +738,9 @@ static void kvm_virtio_pci_vector_poll(PCIDevice *dev, VirtQueue *vq; for (queue_no = 0; queue_no proxy-nvqs_with_notifiers; queue_no++) { +if (!virtio_queue_valid(vdev, queue_no)) { +continue; +} if (!virtio_queue_get_num(vdev, queue_no)) { break; } @@ -790,6 +814,9 @@ static int virtio_pci_set_guest_notifiers(DeviceState *d, int nvqs, bool assign) } for (n = 0; n nvqs; n++) { +if (!virtio_queue_valid(vdev, n)) { +continue; +} if (!virtio_queue_get_num(vdev, n)) { break; } -- 1.7.2.5
Re: [Qemu-devel] [PATCH 3/3] vhost: Check+skip uninitialized VQs in vhost_verify_ring_mappings
On Fri, Mar 29, 2013 at 04:33:12AM +, Nicholas A. Bellinger wrote: From: Nicholas Bellinger n...@linux-iscsi.org With the virtio_queue_valid() checks in place to skip uninitialized VQs within virtio-pci code, go ahead and skip the same uninitialized VQs during vhost_verify_ring_mappings(). Note this patch does not prevent vhost_virtqueue_start() from executing by checking virtio_queue_valid(), as other logic during seabios - virtio-scsi LLD guest hand-off appears to depend upon this execution. Weird. cpu_physical_memory_map only succeeds for PA==0 by chance, we really should not depend on this. So the right thing really should be to skip vhost_virtqueue_start IMHO, maybe add an explicit valid flag in vhost_virtqueue so vhost_verify_ring_mappings can check it. What exactly does it do that is needed? Cc: Michael S. Tsirkin m...@redhat.com Cc: Asias He as...@redhat.com Cc: Paolo Bonzini pbonz...@redhat.com Signed-off-by: Nicholas Bellinger n...@linux-iscsi.org --- hw/vhost.c |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/hw/vhost.c b/hw/vhost.c index 4d6aee3..3a71aee 100644 --- a/hw/vhost.c +++ b/hw/vhost.c @@ -314,6 +314,9 @@ static int vhost_verify_ring_mappings(struct vhost_dev *dev, hwaddr l; void *p; +if (!vq-ring_phys || !vq-ring_size) { +continue; +} if (!ranges_overlap(start_addr, size, vq-ring_phys, vq-ring_size)) { continue; } -- 1.7.2.5
Re: [Qemu-devel] [PATCH 0/3] virtio/vhost: Add checks for uninitialized VQs
On Fri, Mar 29, 2013 at 04:33:09AM +, Nicholas A. Bellinger wrote: From: Nicholas Bellinger n...@linux-iscsi.org Hi folks, This series adds a virtio_queue_valid() for use by virtio-pci code in order to prevent opreations upon uninitialized VQs, that is currently expected to occur during seabios setup of virtio-scsi. This also includes a vhost specific check for uninitialized VQs in vhost_verify_ring_mappings() to avoid this same case. Please review. --nab Okay, and does this fix the failures in vhost_verify_ring_mappings that you've observed? Michael S. Tsirkin (1): virtio: add API to check that ring is setup Nicholas Bellinger (2): virtio-pci: Add virtio_queue_valid checks ahead of virtio_queue_get_num vhost: Check+skip uninitialized VQs in vhost_verify_ring_mappings hw/vhost.c |3 +++ hw/virtio-pci.c | 27 +++ hw/virtio.c |5 + hw/virtio.h |1 + 4 files changed, 36 insertions(+), 0 deletions(-) -- 1.7.2.5
Re: [Qemu-devel] vNVRAM / blobstore design
On Fri, Mar 29, 2013 at 01:33:01PM -0400, Kenneth Goldman wrote: One thing I'd like to get clarity about is the following corner-case. A user supplies some VM image as persistent storage for the TPM. It contains garbage. How do we handle this case? Does the TPM then just start writing its state into this image or do we want to have some layer in place that forces a user to go through the step of formatting after that layer indicates that the data are unreadable. Besides that a completely empty image also contains garbage from the perspective of TPM persistent state and for that layer. A garbage persistent storage should be handled the same way a physical TPM would handle an NV failure - failure mode. It's a broken part that must be replaced with a factory fresh part. That's done by some admin tool nulling the storage. Empty (length zero or non-existent) is different from corrupt. The TPM should detect that and initialize itself to factory defaults. Those defaults are specified in the TPM specification. My intention would (again) be to put a header in front of every blob. That header would contain a crc32 covering that header (minus the crc32 field itself of course) plus the blob to determine whether the blob is garbage or not. It is similar in those terms as the 1st implementation where we also had a directory that contained that crc32 for the directory itself and for each blob. This is not a filesystem, I know that. I agree that an integrity value should be included. This is a security device, and layers of protection are good. I wonder about the choice of algorithm. The TPM doesn't have crc32 code but it does have SHA-1. Why not reuse code rather than add a new function? You want to protect against someone who is able to manipulate some bits in the file (content) but not others (hash)? What's the attack you are trying to protect against here? I'm guessing the only result of extra checksums would be unbootable guests when qemu manages to corrupt the checksum without any help from attackers ... -- MST
[Qemu-devel] [PATCH v4 0/7] target-i386: add PCLMULQDQ and AES-NI instructions
This patch series adds the PCLMULQDQ and AES-NI instructions to the x86 emulation. Along with the SSE4.1 and SSE4.2 series, this brings the instructions emulation to the level of a Westmere CPU. It has been tested with the valgrind testsuite and with the kernel autotest. Changes v1 - v2: - Patch 3: Declare all constant tables as static. Changes v2 - v3: - Use constant tables from aes.c. - Fix AES instructions when source and destination registers are the same. Changes v3 - v4: - Update dissassembler code to support these instructions. Aurelien Jarno (7): disas/i386.c: disassemble pclmulqdq instruction target-i386: add pclmulqdq instruction target-i386: enable PCLMULQDQ on Westmere CPU disas/i386.c: disassemble aes-ni instructions aes: move aes.h from include/block to include/qemu aes: make Td[0-5] and Te[0-5] tables non static target-i386: add AES-NI instructions block/qcow.c |2 +- block/qcow2.c|2 +- block/qcow2.h|2 +- disas/i386.c | 84 ++- include/block/aes.h | 26 --- include/qemu/aes.h | 45 target-i386/cpu.c| 19 +- target-i386/fpu_helper.c |1 + target-i386/ops_sse.h| 111 + target-i386/ops_sse_header.h | 11 + target-i386/translate.c | 10 + util/aes.c | 506 +- 12 files changed, 517 insertions(+), 302 deletions(-) delete mode 100644 include/block/aes.h create mode 100644 include/qemu/aes.h -- 1.7.10.4
[Qemu-devel] [PATCH v4 4/7] disas/i386.c: disassemble aes-ni instructions
Signed-off-by: Aurelien Jarno aurel...@aurel32.net --- disas/i386.c | 67 -- 1 file changed, 61 insertions(+), 6 deletions(-) diff --git a/disas/i386.c b/disas/i386.c index c52efbc..04c033c 100644 --- a/disas/i386.c +++ b/disas/i386.c @@ -665,6 +665,12 @@ fetch_data(struct disassemble_info *info, bfd_byte *addr) #define PREGRP96 NULL, { { NULL, USE_PREFIX_USER_TABLE }, { NULL, 96 } } #define PREGRP97 NULL, { { NULL, USE_PREFIX_USER_TABLE }, { NULL, 97 } } #define PREGRP98 NULL, { { NULL, USE_PREFIX_USER_TABLE }, { NULL, 98 } } +#define PREGRP99 NULL, { { NULL, USE_PREFIX_USER_TABLE }, { NULL, 99 } } +#define PREGRP100 NULL, { { NULL, USE_PREFIX_USER_TABLE }, { NULL, 100 } } +#define PREGRP101 NULL, { { NULL, USE_PREFIX_USER_TABLE }, { NULL, 101 } } +#define PREGRP102 NULL, { { NULL, USE_PREFIX_USER_TABLE }, { NULL, 102 } } +#define PREGRP103 NULL, { { NULL, USE_PREFIX_USER_TABLE }, { NULL, 103 } } +#define PREGRP104 NULL, { { NULL, USE_PREFIX_USER_TABLE }, { NULL, 104 } } #define X86_64_0 NULL, { { NULL, X86_64_SPECIAL }, { NULL, 0 } } @@ -2719,6 +2725,55 @@ static const struct dis386 prefix_user_table[][4] = { { pclmulqdq, { XM, EXx, Ib } }, { (bad), { XX } }, }, + + /* PREGRP99 */ + { +{ (bad), { XX } }, +{ (bad), { XX } }, +{ aesimc, { XM, EXx } }, +{ (bad), { XX } }, + }, + + /* PREGRP100 */ + { +{ (bad), { XX } }, +{ (bad), { XX } }, +{ aesenc, { XM, EXx } }, +{ (bad), { XX } }, + }, + + /* PREGRP101 */ + { +{ (bad), { XX } }, +{ (bad), { XX } }, +{ aesenclast, { XM, EXx } }, +{ (bad), { XX } }, + }, + + /* PREGRP102 */ + { +{ (bad), { XX } }, +{ (bad), { XX } }, +{ aesdec, { XM, EXx } }, +{ (bad), { XX } }, + }, + + /* PREGRP103 */ + { +{ (bad), { XX } }, +{ (bad), { XX } }, +{ aesdeclast, { XM, EXx } }, +{ (bad), { XX } }, + }, + + /* PREGRP104 */ + { +{ (bad), { XX } }, +{ (bad), { XX } }, +{ aeskeygenassist, { XM, EXx, Ib } }, +{ (bad), { XX } }, + }, + }; static const struct dis386 x86_64_table[][2] = { @@ -2990,11 +3045,11 @@ static const struct dis386 three_byte_table[][256] = { { (bad), { XX } }, { (bad), { XX } }, { (bad), { XX } }, -{ (bad), { XX } }, -{ (bad), { XX } }, -{ (bad), { XX } }, -{ (bad), { XX } }, -{ (bad), { XX } }, +{ PREGRP99 }, +{ PREGRP100 }, +{ PREGRP101 }, +{ PREGRP102 }, +{ PREGRP103 }, /* e0 */ { (bad), { XX } }, { (bad), { XX } }, @@ -3285,7 +3340,7 @@ static const struct dis386 three_byte_table[][256] = { { (bad), { XX } }, { (bad), { XX } }, { (bad), { XX } }, -{ (bad), { XX } }, +{ PREGRP104 }, /* e0 */ { (bad), { XX } }, { (bad), { XX } }, -- 1.7.10.4
[Qemu-devel] [PATCH v4 3/7] target-i386: enable PCLMULQDQ on Westmere CPU
The PCLMULQDQ instruction has been introduced on the Westmere CPU. Reviewed-by: Richard Henderson r...@twiddle.net Reviewed-by: Edgar E. Iglesias edgar.igles...@gmail.com Signed-off-by: Aurelien Jarno aurel...@aurel32.net --- target-i386/cpu.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target-i386/cpu.c b/target-i386/cpu.c index 41382c5..5941d40 100644 --- a/target-i386/cpu.c +++ b/target-i386/cpu.c @@ -687,7 +687,7 @@ static x86_def_t builtin_x86_defs[] = { CPUID_DE | CPUID_FP87, .ext_features = CPUID_EXT_AES | CPUID_EXT_POPCNT | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | - CPUID_EXT_SSE3, + CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3, .ext2_features = CPUID_EXT2_LM | CPUID_EXT2_SYSCALL | CPUID_EXT2_NX, .ext3_features = CPUID_EXT3_LAHF_LM, .xlevel = 0x800A, -- 1.7.10.4
[Qemu-devel] [PATCH v4 7/7] target-i386: add AES-NI instructions
Reviewed-by: Edgar E. Iglesias edgar.igles...@gmail.com Reviewed-by: Richard Henderson r...@twiddle.net Signed-off-by: Aurelien Jarno aurel...@aurel32.net --- disas/i386.c |4 +- target-i386/cpu.c|6 +-- target-i386/fpu_helper.c |1 + target-i386/ops_sse.h| 87 ++ target-i386/ops_sse_header.h |6 +++ target-i386/translate.c |7 6 files changed, 106 insertions(+), 5 deletions(-) diff --git a/disas/i386.c b/disas/i386.c index 04c033c..47f1f2e 100644 --- a/disas/i386.c +++ b/disas/i386.c @@ -1447,7 +1447,7 @@ static const unsigned char threebyte_0x38_uses_DATA_prefix[256] = { /* a0 */ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* af */ /* b0 */ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* bf */ /* c0 */ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* cf */ - /* d0 */ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* df */ + /* d0 */ 0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1, /* df */ /* e0 */ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* ef */ /* f0 */ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* ff */ /* ---*/ @@ -1519,7 +1519,7 @@ static const unsigned char threebyte_0x3a_uses_DATA_prefix[256] = { /* a0 */ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* af */ /* b0 */ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* bf */ /* c0 */ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* cf */ - /* d0 */ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* df */ + /* d0 */ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1, /* df */ /* e0 */ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* ef */ /* f0 */ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* ff */ /* ---*/ diff --git a/target-i386/cpu.c b/target-i386/cpu.c index 5941d40..321d945 100644 --- a/target-i386/cpu.c +++ b/target-i386/cpu.c @@ -390,13 +390,13 @@ typedef struct x86_def_t { #define TCG_EXT_FEATURES (CPUID_EXT_SSE3 | CPUID_EXT_PCLMULQDQ | \ CPUID_EXT_MONITOR | CPUID_EXT_SSSE3 | CPUID_EXT_CX16 | \ CPUID_EXT_SSE41 | CPUID_EXT_SSE42 | CPUID_EXT_POPCNT | \ - CPUID_EXT_MOVBE | CPUID_EXT_HYPERVISOR) + CPUID_EXT_MOVBE | CPUID_EXT_AES | CPUID_EXT_HYPERVISOR) /* missing: CPUID_EXT_DTES64, CPUID_EXT_DSCPL, CPUID_EXT_VMX, CPUID_EXT_SMX, CPUID_EXT_EST, CPUID_EXT_TM2, CPUID_EXT_CID, CPUID_EXT_FMA, CPUID_EXT_XTPR, CPUID_EXT_PDCM, CPUID_EXT_PCID, CPUID_EXT_DCA, - CPUID_EXT_X2APIC, CPUID_EXT_TSC_DEADLINE_TIMER, CPUID_EXT_AES, - CPUID_EXT_XSAVE, CPUID_EXT_OSXSAVE, CPUID_EXT_AVX, CPUID_EXT_F16C, + CPUID_EXT_X2APIC, CPUID_EXT_TSC_DEADLINE_TIMER, CPUID_EXT_XSAVE, + CPUID_EXT_OSXSAVE, CPUID_EXT_AVX, CPUID_EXT_F16C, CPUID_EXT_RDRAND */ #define TCG_EXT2_FEATURES ((TCG_FEATURES CPUID_EXT2_AMD_ALIASES) | \ CPUID_EXT2_NX | CPUID_EXT2_MMXEXT | CPUID_EXT2_RDTSCP | \ diff --git a/target-i386/fpu_helper.c b/target-i386/fpu_helper.c index 29a8fb6..c0427fe 100644 --- a/target-i386/fpu_helper.c +++ b/target-i386/fpu_helper.c @@ -20,6 +20,7 @@ #include math.h #include cpu.h #include helper.h +#include qemu/aes.h #include qemu/host-utils.h #if !defined(CONFIG_USER_ONLY) diff --git a/target-i386/ops_sse.h b/target-i386/ops_sse.h index 2ee5b8d..eb24b5f 100644 --- a/target-i386/ops_sse.h +++ b/target-i386/ops_sse.h @@ -2203,6 +2203,93 @@ void glue(helper_pclmulqdq, SUFFIX)(CPUX86State *env, Reg *d, Reg *s, d-Q(0) = resl; d-Q(1) = resh; } + +/* AES-NI op helpers */ +static const uint8_t aes_shifts[16] = { +0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 11 +}; + +static const uint8_t aes_ishifts[16] = { +0, 13, 10, 7, 4, 1, 14, 11, 8, 5, 2, 15, 12, 9, 6, 3 +}; + +void glue(helper_aesdec, SUFFIX)(CPUX86State *env, Reg *d, Reg *s) +{ +int i; +Reg st = *d; +Reg rk = *s; + +for (i = 0 ; i 4 ; i++) { +d-L(i) = rk.L(i) ^ bswap32(AES_Td0[st.B(aes_ishifts[4*i+0])] ^ +AES_Td1[st.B(aes_ishifts[4*i+1])] ^ +AES_Td2[st.B(aes_ishifts[4*i+2])] ^ +AES_Td3[st.B(aes_ishifts[4*i+3])]); +} +} + +void glue(helper_aesdeclast, SUFFIX)(CPUX86State *env, Reg *d, Reg *s) +{ +int i; +Reg st = *d; +Reg rk = *s; + +for (i = 0; i 16; i++) { +d-B(i) = rk.B(i) ^ (AES_Td4[st.B(aes_ishifts[i])] 0xff); +} +} + +void glue(helper_aesenc, SUFFIX)(CPUX86State *env, Reg *d, Reg *s) +{ +int i; +Reg st = *d; +Reg rk = *s; + +for (i = 0 ; i 4 ; i++) { +d-L(i) = rk.L(i) ^ bswap32(AES_Te0[st.B(aes_shifts[4*i+0])] ^ +AES_Te1[st.B(aes_shifts[4*i+1])] ^ +AES_Te2[st.B(aes_shifts[4*i+2])] ^ +AES_Te3[st.B(aes_shifts[4*i+3])]); +} +} + +void glue(helper_aesenclast, SUFFIX)(CPUX86State *env, Reg *d, Reg *s) +{ +int i; +Reg st = *d; +Reg rk = *s; + +for (i = 0; i 16; i++) { +d-B(i)
[Qemu-devel] [PATCH v4 2/7] target-i386: add pclmulqdq instruction
Reviewed-by: Richard Henderson r...@twiddle.net Reviewed-by: Edgar E. Iglesias edgar.igles...@gmail.com Signed-off-by: Aurelien Jarno aurel...@aurel32.net --- target-i386/cpu.c| 19 +-- target-i386/ops_sse.h| 24 target-i386/ops_sse_header.h |5 + target-i386/translate.c |3 +++ 4 files changed, 41 insertions(+), 10 deletions(-) diff --git a/target-i386/cpu.c b/target-i386/cpu.c index 4b43759..41382c5 100644 --- a/target-i386/cpu.c +++ b/target-i386/cpu.c @@ -387,17 +387,16 @@ typedef struct x86_def_t { CPUID_PSE36 (needed for Solaris) */ /* missing: CPUID_VME, CPUID_DTS, CPUID_SS, CPUID_HT, CPUID_TM, CPUID_PBE */ -#define TCG_EXT_FEATURES (CPUID_EXT_SSE3 | CPUID_EXT_MONITOR | \ - CPUID_EXT_SSSE3 | CPUID_EXT_CX16 | CPUID_EXT_SSE41 | \ - CPUID_EXT_SSE42 | CPUID_EXT_POPCNT | CPUID_EXT_MOVBE | \ - CPUID_EXT_HYPERVISOR) +#define TCG_EXT_FEATURES (CPUID_EXT_SSE3 | CPUID_EXT_PCLMULQDQ | \ + CPUID_EXT_MONITOR | CPUID_EXT_SSSE3 | CPUID_EXT_CX16 | \ + CPUID_EXT_SSE41 | CPUID_EXT_SSE42 | CPUID_EXT_POPCNT | \ + CPUID_EXT_MOVBE | CPUID_EXT_HYPERVISOR) /* missing: - CPUID_EXT_PCLMULQDQ, CPUID_EXT_DTES64, CPUID_EXT_DSCPL, - CPUID_EXT_VMX, CPUID_EXT_SMX, CPUID_EXT_EST, CPUID_EXT_TM2, - CPUID_EXT_CID, CPUID_EXT_FMA, CPUID_EXT_XTPR, CPUID_EXT_PDCM, - CPUID_EXT_PCID, CPUID_EXT_DCA, CPUID_EXT_X2APIC, - CPUID_EXT_TSC_DEADLINE_TIMER, CPUID_EXT_AES, CPUID_EXT_XSAVE, - CPUID_EXT_OSXSAVE, CPUID_EXT_AVX, CPUID_EXT_F16C, + CPUID_EXT_DTES64, CPUID_EXT_DSCPL, CPUID_EXT_VMX, CPUID_EXT_SMX, + CPUID_EXT_EST, CPUID_EXT_TM2, CPUID_EXT_CID, CPUID_EXT_FMA, + CPUID_EXT_XTPR, CPUID_EXT_PDCM, CPUID_EXT_PCID, CPUID_EXT_DCA, + CPUID_EXT_X2APIC, CPUID_EXT_TSC_DEADLINE_TIMER, CPUID_EXT_AES, + CPUID_EXT_XSAVE, CPUID_EXT_OSXSAVE, CPUID_EXT_AVX, CPUID_EXT_F16C, CPUID_EXT_RDRAND */ #define TCG_EXT2_FEATURES ((TCG_FEATURES CPUID_EXT2_AMD_ALIASES) | \ CPUID_EXT2_NX | CPUID_EXT2_MMXEXT | CPUID_EXT2_RDTSCP | \ diff --git a/target-i386/ops_sse.h b/target-i386/ops_sse.h index a11dba1..2ee5b8d 100644 --- a/target-i386/ops_sse.h +++ b/target-i386/ops_sse.h @@ -2179,6 +2179,30 @@ target_ulong helper_popcnt(CPUX86State *env, target_ulong n, uint32_t type) return POPCOUNT(n, 5); #endif } + +void glue(helper_pclmulqdq, SUFFIX)(CPUX86State *env, Reg *d, Reg *s, +uint32_t ctrl) +{ +uint64_t ah, al, b, resh, resl; + +ah = 0; +al = d-Q((ctrl 1) != 0); +b = s-Q((ctrl 16) != 0); +resh = resl = 0; + +while (b) { +if (b 1) { +resl ^= al; +resh ^= ah; +} +ah = (ah 1) | (al 63); +al = 1; +b = 1; +} + +d-Q(0) = resl; +d-Q(1) = resh; +} #endif #undef SHIFT diff --git a/target-i386/ops_sse_header.h b/target-i386/ops_sse_header.h index 401eac6..2842233 100644 --- a/target-i386/ops_sse_header.h +++ b/target-i386/ops_sse_header.h @@ -336,6 +336,11 @@ DEF_HELPER_3(crc32, tl, i32, tl, i32) DEF_HELPER_3(popcnt, tl, env, tl, i32) #endif +/* AES-NI op helpers */ +#if SHIFT == 1 +DEF_HELPER_4(glue(pclmulqdq, SUFFIX), void, env, Reg, Reg, i32) +#endif + #undef SHIFT #undef Reg #undef SUFFIX diff --git a/target-i386/translate.c b/target-i386/translate.c index 7596a90..d649e99 100644 --- a/target-i386/translate.c +++ b/target-i386/translate.c @@ -3147,6 +3147,8 @@ struct SSEOpHelper_eppi { #define SSE41_OP(x) { { NULL, gen_helper_ ## x ## _xmm }, CPUID_EXT_SSE41 } #define SSE42_OP(x) { { NULL, gen_helper_ ## x ## _xmm }, CPUID_EXT_SSE42 } #define SSE41_SPECIAL { { NULL, SSE_SPECIAL }, CPUID_EXT_SSE41 } +#define PCLMULQDQ_OP(x) { { NULL, gen_helper_ ## x ## _xmm }, \ +CPUID_EXT_PCLMULQDQ } static const struct SSEOpHelper_epp sse_op_table6[256] = { [0x00] = SSSE3_OP(pshufb), @@ -3216,6 +3218,7 @@ static const struct SSEOpHelper_eppi sse_op_table7[256] = { [0x40] = SSE41_OP(dpps), [0x41] = SSE41_OP(dppd), [0x42] = SSE41_OP(mpsadbw), +[0x44] = PCLMULQDQ_OP(pclmulqdq), [0x60] = SSE42_OP(pcmpestrm), [0x61] = SSE42_OP(pcmpestri), [0x62] = SSE42_OP(pcmpistrm), -- 1.7.10.4
[Qemu-devel] [PATCH v4 5/7] aes: move aes.h from include/block to include/qemu
Move aes.h from include/block to include/qemu to show it can be reused by other subsystems. Cc: Kevin Wolf kw...@redhat.com Cc: Stefan Hajnoczi stefa...@redhat.com Reviewed-by: Edgar E. Iglesias edgar.igles...@gmail.com Reviewed-by: Richard Henderson r...@twiddle.net Signed-off-by: Aurelien Jarno aurel...@aurel32.net --- block/qcow.c|2 +- block/qcow2.c |2 +- block/qcow2.h |2 +- include/block/aes.h | 26 -- include/qemu/aes.h | 26 ++ util/aes.c |2 +- 6 files changed, 30 insertions(+), 30 deletions(-) delete mode 100644 include/block/aes.h create mode 100644 include/qemu/aes.h diff --git a/block/qcow.c b/block/qcow.c index 13d396b..3278e55 100644 --- a/block/qcow.c +++ b/block/qcow.c @@ -25,7 +25,7 @@ #include block/block_int.h #include qemu/module.h #include zlib.h -#include block/aes.h +#include qemu/aes.h #include migration/migration.h /**/ diff --git a/block/qcow2.c b/block/qcow2.c index 7e7d775..1d18073 100644 --- a/block/qcow2.c +++ b/block/qcow2.c @@ -25,7 +25,7 @@ #include block/block_int.h #include qemu/module.h #include zlib.h -#include block/aes.h +#include qemu/aes.h #include block/qcow2.h #include qemu/error-report.h #include qapi/qmp/qerror.h diff --git a/block/qcow2.h b/block/qcow2.h index bf8db2a..9421843 100644 --- a/block/qcow2.h +++ b/block/qcow2.h @@ -25,7 +25,7 @@ #ifndef BLOCK_QCOW2_H #define BLOCK_QCOW2_H -#include block/aes.h +#include qemu/aes.h #include block/coroutine.h //#define DEBUG_ALLOC diff --git a/include/block/aes.h b/include/block/aes.h deleted file mode 100644 index a0167eb..000 --- a/include/block/aes.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef QEMU_AES_H -#define QEMU_AES_H - -#define AES_MAXNR 14 -#define AES_BLOCK_SIZE 16 - -struct aes_key_st { -uint32_t rd_key[4 *(AES_MAXNR + 1)]; -int rounds; -}; -typedef struct aes_key_st AES_KEY; - -int AES_set_encrypt_key(const unsigned char *userKey, const int bits, - AES_KEY *key); -int AES_set_decrypt_key(const unsigned char *userKey, const int bits, - AES_KEY *key); - -void AES_encrypt(const unsigned char *in, unsigned char *out, - const AES_KEY *key); -void AES_decrypt(const unsigned char *in, unsigned char *out, - const AES_KEY *key); -void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, -const unsigned long length, const AES_KEY *key, -unsigned char *ivec, const int enc); - -#endif diff --git a/include/qemu/aes.h b/include/qemu/aes.h new file mode 100644 index 000..a0167eb --- /dev/null +++ b/include/qemu/aes.h @@ -0,0 +1,26 @@ +#ifndef QEMU_AES_H +#define QEMU_AES_H + +#define AES_MAXNR 14 +#define AES_BLOCK_SIZE 16 + +struct aes_key_st { +uint32_t rd_key[4 *(AES_MAXNR + 1)]; +int rounds; +}; +typedef struct aes_key_st AES_KEY; + +int AES_set_encrypt_key(const unsigned char *userKey, const int bits, + AES_KEY *key); +int AES_set_decrypt_key(const unsigned char *userKey, const int bits, + AES_KEY *key); + +void AES_encrypt(const unsigned char *in, unsigned char *out, + const AES_KEY *key); +void AES_decrypt(const unsigned char *in, unsigned char *out, + const AES_KEY *key); +void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, +const unsigned long length, const AES_KEY *key, +unsigned char *ivec, const int enc); + +#endif diff --git a/util/aes.c b/util/aes.c index 1da7bff..54c7b98 100644 --- a/util/aes.c +++ b/util/aes.c @@ -28,7 +28,7 @@ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include qemu-common.h -#include block/aes.h +#include qemu/aes.h #ifndef NDEBUG #define NDEBUG -- 1.7.10.4
[Qemu-devel] [PATCH v4 1/7] disas/i386.c: disassemble pclmulqdq instruction
Signed-off-by: Aurelien Jarno aurel...@aurel32.net --- disas/i386.c | 13 +++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/disas/i386.c b/disas/i386.c index 73cc06f..c52efbc 100644 --- a/disas/i386.c +++ b/disas/i386.c @@ -664,6 +664,7 @@ fetch_data(struct disassemble_info *info, bfd_byte *addr) #define PREGRP95 NULL, { { NULL, USE_PREFIX_USER_TABLE }, { NULL, 95 } } #define PREGRP96 NULL, { { NULL, USE_PREFIX_USER_TABLE }, { NULL, 96 } } #define PREGRP97 NULL, { { NULL, USE_PREFIX_USER_TABLE }, { NULL, 97 } } +#define PREGRP98 NULL, { { NULL, USE_PREFIX_USER_TABLE }, { NULL, 98 } } #define X86_64_0 NULL, { { NULL, X86_64_SPECIAL }, { NULL, 0 } } @@ -1503,7 +1504,7 @@ static const unsigned char threebyte_0x3a_uses_DATA_prefix[256] = { /* 10 */ 0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0, /* 1f */ /* 20 */ 1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0, /* 2f */ /* 30 */ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* 3f */ - /* 40 */ 1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0, /* 4f */ + /* 40 */ 1,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0, /* 4f */ /* 50 */ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* 5f */ /* 60 */ 1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0, /* 6f */ /* 70 */ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* 7f */ @@ -2710,6 +2711,14 @@ static const struct dis386 prefix_user_table[][4] = { { punpckldq,{ MX, EMq } }, { (bad), { XX } }, }, + + /* PREGRP98 */ + { +{ (bad), { XX } }, +{ (bad), { XX } }, +{ pclmulqdq, { XM, EXx, Ib } }, +{ (bad), { XX } }, + }, }; static const struct dis386 x86_64_table[][2] = { @@ -3102,7 +3111,7 @@ static const struct dis386 three_byte_table[][256] = { { PREGRP84 }, { PREGRP85 }, { (bad), { XX } }, -{ (bad), { XX } }, +{ PREGRP98 }, { (bad), { XX } }, { (bad), { XX } }, { (bad), { XX } }, -- 1.7.10.4
[Qemu-devel] [PATCH v4 6/7] aes: make Td[0-5] and Te[0-5] tables non static
Remove static attribute to Td[0-5] and Te[0-5] tables so that they can be used outside of aes.c. Change their type from u32 to uint32_t, to keep the u32 udef local to aes.c. Prefix them with AES_ so that they do not conflict with other symbols. Reviewed-by: Edgar E. Iglesias edgar.igles...@gmail.com Reviewed-by: Richard Henderson r...@twiddle.net Signed-off-by: Aurelien Jarno aurel...@aurel32.net --- include/qemu/aes.h | 19 ++ util/aes.c | 504 ++-- 2 files changed, 271 insertions(+), 252 deletions(-) Note: while renaming Td/Te tables, I replaced tabs with spaces, but kept the remaining code style to keep the unrolled loops readable. diff --git a/include/qemu/aes.h b/include/qemu/aes.h index a0167eb..e79c707 100644 --- a/include/qemu/aes.h +++ b/include/qemu/aes.h @@ -23,4 +23,23 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, const unsigned long length, const AES_KEY *key, unsigned char *ivec, const int enc); +/* +AES_Te0[x] = S [x].[02, 01, 01, 03]; +AES_Te1[x] = S [x].[03, 02, 01, 01]; +AES_Te2[x] = S [x].[01, 03, 02, 01]; +AES_Te3[x] = S [x].[01, 01, 03, 02]; +AES_Te4[x] = S [x].[01, 01, 01, 01]; + +AES_Td0[x] = Si[x].[0e, 09, 0d, 0b]; +AES_Td1[x] = Si[x].[0b, 0e, 09, 0d]; +AES_Td2[x] = Si[x].[0d, 0b, 0e, 09]; +AES_Td3[x] = Si[x].[09, 0d, 0b, 0e]; +AES_Td4[x] = Si[x].[01, 01, 01, 01]; +*/ + +extern const uint32_t AES_Te0[256], AES_Te1[256], AES_Te2[256], + AES_Te3[256], AES_Te4[256]; +extern const uint32_t AES_Td0[256], AES_Td1[256], AES_Td2[256], + AES_Td3[256], AES_Td4[256]; + #endif diff --git a/util/aes.c b/util/aes.c index 54c7b98..91e97fa 100644 --- a/util/aes.c +++ b/util/aes.c @@ -44,20 +44,20 @@ typedef uint8_t u8; # define PUTU32(ct, st) { (ct)[0] = (u8)((st) 24); (ct)[1] = (u8)((st) 16); (ct)[2] = (u8)((st) 8); (ct)[3] = (u8)(st); } /* -Te0[x] = S [x].[02, 01, 01, 03]; -Te1[x] = S [x].[03, 02, 01, 01]; -Te2[x] = S [x].[01, 03, 02, 01]; -Te3[x] = S [x].[01, 01, 03, 02]; -Te4[x] = S [x].[01, 01, 01, 01]; +AES_Te0[x] = S [x].[02, 01, 01, 03]; +AES_Te1[x] = S [x].[03, 02, 01, 01]; +AES_Te2[x] = S [x].[01, 03, 02, 01]; +AES_Te3[x] = S [x].[01, 01, 03, 02]; +AES_Te4[x] = S [x].[01, 01, 01, 01]; -Td0[x] = Si[x].[0e, 09, 0d, 0b]; -Td1[x] = Si[x].[0b, 0e, 09, 0d]; -Td2[x] = Si[x].[0d, 0b, 0e, 09]; -Td3[x] = Si[x].[09, 0d, 0b, 0e]; -Td4[x] = Si[x].[01, 01, 01, 01]; +AES_Td0[x] = Si[x].[0e, 09, 0d, 0b]; +AES_Td1[x] = Si[x].[0b, 0e, 09, 0d]; +AES_Td2[x] = Si[x].[0d, 0b, 0e, 09]; +AES_Td3[x] = Si[x].[09, 0d, 0b, 0e]; +AES_Td4[x] = Si[x].[01, 01, 01, 01]; */ -static const u32 Te0[256] = { +const uint32_t AES_Te0[256] = { 0xc66363a5U, 0xf87c7c84U, 0xee99U, 0xf67b7b8dU, 0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U, 0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU, @@ -123,7 +123,7 @@ static const u32 Te0[256] = { 0x824141c3U, 0x29b0U, 0x5a2d2d77U, 0x1e0f0f11U, 0x7bb0b0cbU, 0xa85454fcU, 0x6dd6U, 0x2c16163aU, }; -static const u32 Te1[256] = { +const uint32_t AES_Te1[256] = { 0xa5c66363U, 0x84f87c7cU, 0x99eeU, 0x8df67b7bU, 0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U, 0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU, @@ -189,7 +189,7 @@ static const u32 Te1[256] = { 0xc3824141U, 0xb029U, 0x775a2d2dU, 0x111e0f0fU, 0xcb7bb0b0U, 0xfca85454U, 0xd66dU, 0x3a2c1616U, }; -static const u32 Te2[256] = { +const uint32_t AES_Te2[256] = { 0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU, 0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U, 0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU, @@ -255,7 +255,7 @@ static const u32 Te2[256] = { 0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU, 0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U, }; -static const u32 Te3[256] = { +const uint32_t AES_Te3[256] = { 0x6363a5c6U, 0x7c7c84f8U, 0x99eeU, 0x7b7b8df6U, 0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U, @@ -322,7 +322,7 @@ static const u32 Te3[256] = { 0x4141c382U, 0xb029U, 0x2d2d775aU, 0x0f0f111eU, 0xb0b0cb7bU, 0x5454fca8U, 0xd66dU, 0x16163a2cU, }; -static const u32 Te4[256] = { +const uint32_t AES_Te4[256] = { 0x63636363U, 0x7c7c7c7cU, 0xU, 0x7b7b7b7bU, 0xf2f2f2f2U, 0x6b6b6b6bU, 0x6f6f6f6fU, 0xc5c5c5c5U, 0x30303030U, 0x01010101U, 0x67676767U, 0x2b2b2b2bU, @@ -388,7 +388,7 @@ static const u32 Te4[256] = { 0x41414141U, 0xU, 0x2d2d2d2dU, 0x0f0f0f0fU, 0xb0b0b0b0U, 0x54545454U, 0xU, 0x16161616U, }; -static const u32 Td0[256] = { +const uint32_t AES_Td0[256] = { 0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U, 0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U, 0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U, @@ -454,7 +454,7 @@ static const u32 Td0[256] = { 0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U,
Re: [Qemu-devel] [PATCH] target-moxie: set do_interrupt to a target-specific helper function
Hi Dunrong, I can't reproduce the segfault, but your patch still looks right to me. Thanks! Signed-of-by: Anthony Green gr...@moxielogic.com AG On Sat, Mar 30, 2013 at 9:35 PM, Dunrong Huang huan...@cloud-times.com wrote: The value of do_interrupt member of CPUClass shoule be set to a target-specific function, or it will lead to a segfault like below: $ moxie-softmmu/qemu-system-moxie -M moxiesim Segmentation fault Cc: Anthony Green gr...@moxielogic.com Cc: Blue Swirl blauwir...@gmail.com Cc: Andreas Färber afaer...@suse.de Signed-off-by: Dunrong Huang huan...@cloud-times.com --- target-moxie/cpu.c| 1 + target-moxie/cpu.h| 2 +- target-moxie/helper.c | 7 +-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/target-moxie/cpu.c b/target-moxie/cpu.c index c17d3f0..c0855f0 100644 --- a/target-moxie/cpu.c +++ b/target-moxie/cpu.c @@ -98,6 +98,7 @@ static void moxie_cpu_class_init(ObjectClass *oc, void *data) cc-class_by_name = moxie_cpu_class_by_name; dc-vmsd = vmstate_moxie_cpu; +cc-do_interrupt = moxie_cpu_do_interrupt; } static void moxielite_initfn(Object *obj) diff --git a/target-moxie/cpu.h b/target-moxie/cpu.h index b96236f..988729a 100644 --- a/target-moxie/cpu.h +++ b/target-moxie/cpu.h @@ -117,7 +117,7 @@ static inline MoxieCPU *moxie_env_get_cpu(CPUMoxieState *env) MoxieCPU *cpu_moxie_init(const char *cpu_model); int cpu_moxie_exec(CPUMoxieState *s); -void do_interrupt(CPUMoxieState *env); +void moxie_cpu_do_interrupt(CPUState *cs); void moxie_translate_init(void); int cpu_moxie_signal_handler(int host_signum, void *pinfo, void *puc); diff --git a/target-moxie/helper.c b/target-moxie/helper.c index 8604ce8..6e0ac2a 100644 --- a/target-moxie/helper.c +++ b/target-moxie/helper.c @@ -102,7 +102,7 @@ void helper_debug(CPUMoxieState *env) #if defined(CONFIG_USER_ONLY) -void do_interrupt(CPUState *env) +void moxie_cpu_do_interrupt(CPUState *env) { env-exception_index = -1; } @@ -147,8 +147,11 @@ int cpu_moxie_handle_mmu_fault(CPUMoxieState *env, target_ulong address, } -void do_interrupt(CPUMoxieState *env) +void moxie_cpu_do_interrupt(CPUState *cs) { +MoxieCPU *cpu = MOXIE_CPU(cs); +CPUMoxieState *env = cpu-env; + switch (env-exception_index) { case MOXIE_EX_BREAK: break; -- 1.8.1.5
Re: [Qemu-devel] [PATCH]: Fix conditional compilation for OpenBSD
On Sun, Mar 31, 2013 at 12:48:04AM +, Peter Maydell wrote: Hi Michael; thanks for the patch. However I think we should fix this by having a configure check for sem_timedwait [or whatever the functions we need are], rather than by piling up another OS ifdef check. (If you want to have a go at that it would probably be useful to read the wiki.qemu.org page on submitting patches; in particular without a Signed-off-by: line we can't apply a patch at all.) -- PMM What about this? Re-use the exting the pthread checker code in 'configure', define HAS_PTHREAD and use this instead of OS specific #if checks. I have built this on 1. Ubuntu 10.04.3 LTS (Linux 2.6.32-36-generic i686) 2. OpenBSD 5.1 (OpenBSD 5.1 GENERIC.MP#188 i386) 3. OpenBSD 5.1 (OpenBSD 5.1 GENERIC#243 amd64) - Michael diff --git a/configure b/configure index f2af714..2e521e2 100755 --- a/configure +++ b/configure @@ -2296,6 +2296,10 @@ else done fi +if [ $pthread = 'yes' ]; then + QEMU_CFLAGS=-DHAS_PTHREAD $QEMU_CFLAGS +fi + if test $mingw32 != yes -a $pthread = no; then echo echo Error: pthread check failed diff --git a/include/qemu/thread-posix.h b/include/qemu/thread-posix.h index 0f30dcc..f547f29 100644 --- a/include/qemu/thread-posix.h +++ b/include/qemu/thread-posix.h @@ -12,7 +12,7 @@ struct QemuCond { }; struct QemuSemaphore { -#if defined(__APPLE__) || defined(__NetBSD__) +#ifdef HAS_PTHREAD pthread_mutex_t lock; pthread_cond_t cond; int count; diff --git a/util/qemu-thread-posix.c b/util/qemu-thread-posix.c index 4489abf..edf4715 100644 --- a/util/qemu-thread-posix.c +++ b/util/qemu-thread-posix.c @@ -122,7 +122,7 @@ void qemu_sem_init(QemuSemaphore *sem, int init) { int rc; -#if defined(__APPLE__) || defined(__NetBSD__) +#ifdef HAS_PTHREAD rc = pthread_mutex_init(sem-lock, NULL); if (rc != 0) { error_exit(rc, __func__); @@ -147,7 +147,7 @@ void qemu_sem_destroy(QemuSemaphore *sem) { int rc; -#if defined(__APPLE__) || defined(__NetBSD__) +#ifdef HAS_PTHREAD rc = pthread_cond_destroy(sem-cond); if (rc 0) { error_exit(rc, __func__); @@ -168,7 +168,7 @@ void qemu_sem_post(QemuSemaphore *sem) { int rc; -#if defined(__APPLE__) || defined(__NetBSD__) +#ifdef HAS_PTHREAD pthread_mutex_lock(sem-lock); if (sem-count == INT_MAX) { rc = EINVAL; @@ -206,7 +206,7 @@ int qemu_sem_timedwait(QemuSemaphore *sem, int ms) int rc; struct timespec ts; -#if defined(__APPLE__) || defined(__NetBSD__) +#ifdef HAS_PTHREAD compute_abs_deadline(ts, ms); pthread_mutex_lock(sem-lock); --sem-count; @@ -249,7 +249,7 @@ int qemu_sem_timedwait(QemuSemaphore *sem, int ms) void qemu_sem_wait(QemuSemaphore *sem) { -#if defined(__APPLE__) || defined(__NetBSD__) +#ifdef HAS_PTHREAD pthread_mutex_lock(sem-lock); --sem-count; while (sem-count 0) {
[Qemu-devel] [Bug 1162227] Re: Mouse works badly when connecting to host via vnc
I tried to reproduce this bug using lastest stable version (1.4.0) and master (5e3a0f418c4d57399778cee0b55aebfb663b6425). This versions seem to add -usbdevice tablet by default (and this is very good). But I think that if guest OS doesn't support tablet device then bug will still appear. So, I added option -usbdevice mouse to simulate this situation. And bug really appeared (i. e. mouse disappeared). So, please fix it or document it. Configurations: * A: Ubuntu precise 64-bit, x11vnc 0.9.12, Qemu 1.4.0, C: Debian squeeze 64-bit, xvnc4viewer 4.1.1, B: Ubuntu precise 64-bit, command line: /opt/qemu-1.4.0/bin/qemu-system-x86_64 -enable-kvm -m 256 -daemonize -snapshot -drive cache=none,file=/dev/sda -net none -usbdevice mouse * A: Ubuntu precise 64-bit, x11vnc 0.9.12, Qemu 5e3a0f418c4d57399778cee0b55aebfb663b6425, C: Debian squeeze 64-bit, xvnc4viewer 4.1.1, B: Ubuntu precise 64-bit, command line: /opt/qemu-5e3a0f418c4d57399778cee0b55aebfb663b6425/bin/qemu-system-x86_64 -enable-kvm -m 256 -daemonize -snapshot -drive cache=none,file=/dev/sda -net none -usbdevice mouse Same for -vnc option (i. e. pointers was not synced when using -usbdevice mouse) -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1162227 Title: Mouse works badly when connecting to host via vnc Status in QEMU: New Bug description: Let's assume we have some physical host A. This host runs qemu guest B locally without any options like -vnc etc. Then I connect from some physical host C to the host A via VNC or Teamviewer ( www.teamviewer.com ). And then I try to remote control (via this vnc connection) qemu guest. But I cannot do this because my mouse disappears when I click at my qemu guest. I see little black square only. (This square is vnc feature, it automatically appears when mouse disappears.) When I click to some objects inside guest I will instead click to another random object inside guest. I saw this bug in the following configurations: * A: Debian squeeze 64-bit, Teamviewer 8, Qemu 1.1.2, C: Ubuntu precise 64-bit, Teamviewer 8, B: Windows 7 32-bit, command line: qemu-system-x86_64 --enable-kvm -m 2048 -daemonize -localtime -drive cache=none,file=/root/vm/w7-sp1-i386-en.cow * A: Debian squeeze 64-bit, Teamviewer 8, Qemu 1.1.2, C: Ubuntu precise 64-bit, Teamviewer 8, B: Debian squeeze 64-bit, command line: qemu-system-x86_64 -enable-kvm -m 256 -daemonize -snapshot -net none -drive cache=none,file=/dev/sda * A: Debian squeeze 64-bit, x11vnc 0.9.10, Qemu 1.1.2, C: Ubuntu precise 64-bit, xvnc4viewer 4.1.1, B: Windows 7 32-bit, command line: qemu-system-x86_64 --enable-kvm -m 2048 -daemonize -localtime -drive cache=none,file=/root/vm/w7-sp1-i386-en.cow Also, if I add -usbdevice tablet option, this bug will disappear. So, probably, this bug is not a bug. But in this case you should document it. I. e. you should add to docs something like add -usbdevice tablet if you remote control qemu host. Also, if I use -vnc option (in the text above I didn't use it!) my mouse doesn't work as expected, too. The pointers don't line up, i. e. are not synced. But if I add -usbdevice tablet option, mouse will work. As far as I know this is not a bug. But then document it, too. Qemu's man page already says It is very useful to enable the usb tablet device when using this option (option -usbdevice tablet) in qemu 1.1.2. But I think this is not enough. The man page should say: You should add -usbdevice tablet option and your guest OS should support tablet device or your mouse will not work. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1162227/+subscriptions
Re: [Qemu-devel] [PATCH]: Fix conditional compilation for OpenBSD
On 31 March 2013 13:46, Michael W. Bombardieri m...@ii.net wrote: What about this? Re-use the exting the pthread checker code in 'configure', define HAS_PTHREAD and use this instead of OS specific #if checks. I have built this on 1. Ubuntu 10.04.3 LTS (Linux 2.6.32-36-generic i686) 2. OpenBSD 5.1 (OpenBSD 5.1 GENERIC.MP#188 i386) 3. OpenBSD 5.1 (OpenBSD 5.1 GENERIC#243 amd64) This doesn't look right, because it means we'll use the fallback code even for OSes like Linux which do have the ability to use the (preferable) semaphore code. You want a config check for sem_timedwait, which will succeed on Linux and fail on the BSDs, and then instead of #if defined(various BSDs) you have #ifndef CONFIG_SEM_TIMEDWAIT. +if [ $pthread = 'yes' ]; then + QEMU_CFLAGS=-DHAS_PTHREAD $QEMU_CFLAGS +fi + Have a look in configure at how we handle the preadv() check as an example. There's a little test program which is compiled to see if the function exists, and we set a shell variable. Then later on we write CONFIG_PREADV=y to the config-host.mak file. This avoids enormous compiler command lines for every config check. Also you still aren't providing a Signed-off-by: line for your patch, and it would be nice if you could submit it in the git format-patch format that makes it trivial to apply. thanks -- PMM
Re: [Qemu-devel] [SeaBIOS] [PATCH v16] Add pvpanic device driver
On Sat, Mar 30, 2013 at 09:20:09AM -0400, Kevin O'Connor wrote: On Fri, Mar 29, 2013 at 02:49:12PM +0100, Paolo Bonzini wrote: Il 29/03/2013 14:33, Kevin O'Connor ha scritto: On Fri, Mar 29, 2013 at 04:18:44PM +0800, Hu Tao wrote: pvpanic device is used to notify host(qemu) when guest panic happens. Thanks. However, we're planning a move of ACPI tables from SeaBIOS to QEMU. I think this should wait until after the move. The device should be in QEMU 1.5, and the SSDT probably will still be in SeaBIOS by then (and might even be the last to move, since it's quite complex and dynamic). I don't think it is fair to block this patch on those grounds... What is the user visible impact of not having a panic device? My main concern is that the patch creates a new fw_cfg channel between qemu and seabios thats sole purpose is to alter the OS visible ACPI tables. These types of QEMU-SeaBIOS interfaces are fragile and are (in sum) quite complex. The patch uses existing channel between qemu and seabios, one romfile_loadint() is all it takes. We already have number of interfaces to change OS visible ACPI tables, that's why we want to move ACPI table creation to QEMU in the first place. It is unfortunate to start blocking features now before we have an alternative. When ACPI table creation will move into QEMU the code in this patch will be dropped along with all the other code that serves similar purpose. -- Gleb.
[Qemu-devel] [Bug 922076] Re: doesn't clear screen on boot
UPDATE: The second bug (which is started with Also, I found another bug! I am learning...) is fixed in 1.4.0 About the first bug: screen clears on real hardware, so it is really bug. Also, it is reproducible with Qemu 1.4.0 and Qemu 5e3a0f418c4d57399778cee0b55aebfb663b6425. -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/922076 Title: doesn't clear screen on boot Status in QEMU: New Bug description: When I start Linux in Qemu via qemu -kernel /vmlinuz ..., opens Qemu window, it shows message Starting Seabios (version 0.5.1-2010...), and then Linux writes messages like Loading, please wait... on top of previous message! For example, I can see Loading, please wait...on 0.5.1-2010...) So, Qemu doesn't clean screan before booting OS. Moreover, when I start Linux via qemu /disk-image, Qemu shows Starting Seabios (version 0.5.1-2010...), then switches to graphical mode, shows GRUB, then switches back to text mode and shows Starting Seabios again! And again Linux prints messages on top of Seabios messages, and we see a mix of symbols on screen. Also, I found another bug! I am learning now to write kernels. And I see that operator *(char *)0xb8000 = 0 in C code of kernel doesn't clean first charaster of screen in Qemu in -curses mode! If I want to real clean this charaster, I must type *(char *)0xb8000 = ' '. I attach a kernel (x86, multiboot) with this bug. Just type make (you need gcc) and qemu -curses -kernel kernel. You will see that screen is not cleared, but kernel tries to clean it. If you change 0 to ' ', all will work! To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/922076/+subscriptions
[Qemu-devel] [Bug 1127369] Re: i386 emulation unreliable since commit b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699
This has been fixed in commit d6e839e718c2540b880ac9d2d7a49fb7ade02cfb ** Changed in: qemu Status: New = Fix Committed -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1127369 Title: i386 emulation unreliable since commit b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699 Status in QEMU: Fix Committed Bug description: I am running daily automated tests of the qemu git mainline that involve building qemu on a Linux host (32-bit), booting a NetBSD guest in qemu-system-i386, and running the NetBSD operating system test suite on the guest. Since commit b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699, there has been a marked increase in the number of failing test cases. Before that commit, the number of failing test cases was typically in the range 3 to 6, but since that commit, test runs often show 10 or more failed tests, or they end prematurely due to a segmentation fault in the test framework itself. To aid in reproducing the problem, I have prepared a disk image containing a NetBSD 6.0.1 system configured to automatically run the test suite on boot. To reproduce the problem, run the following shell commands: wget http://www.gson.org/bugs/qemu/NetBSD-6.0.1-i386-test.img.gz gunzip NetBSD-6.0.1-i386-test.img.gz qemu-system-i386 -m 32 -nographic -snapshot -hda NetBSD-6.0.1-i386-test.img The disk image is about 144 MB in size and uncompresses to 2 GB. The test run typically takes a couple of hours, printing progress messages to the terminal as it goes. When it finishes, the virtual machine will be automatically powered down, causing qemu to exit. Near the end of the output, before the shutdown messages, there should be a summary of the test results. The expected output looks like this: Summary for 500 test programs: 2958 passed test cases. 5 failed test cases. 45 expected failed test cases. 70 skipped test cases. A number of failed test cases in the range 3 to 6 should be considered normal. Please ignore the expected failed test cases. Using a version of qemu affected by the bug, the summary will look more like this: Summary for 500 test programs: 2951 passed test cases. 12 failed test cases. 45 expected failed test cases. 69 skipped test cases. Or it may end with a segmentation fault like this: p2k_ffs_race: atf-report: ERROR: 10912: Unexpected token `EOF'; expected end of test case or test case's stdout/stderr line [1] Segmentation fault (core dumped) atf-run | Done(1) atf-report The problem goes away if the -m 32 is omitted from the qemu command line, which leads me to suspect that the problem may be related to paging or swapping activity in the guest. The revision listed in the subject, b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699, is the first one exhibiting the excessive test failures, but the bug may already have been introduced in the previous commit, fdbb84d1332ae0827d60f1a2ca03c7d5678c6edd. If I attempt to run the test on fdbb84d1332ae0827d60f1a2ca03c7d5678c6edd, the guest fails to boot. The revision before that, 32761257c0b9fa7ee04d2871a6e48a41f119c469, works as expected. -- Andreas Gustafsson, g...@gson.org To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1127369/+subscriptions
Re: [Qemu-devel] [PATCH] target-moxie: set do_interrupt to a target-specific helper function
Am 31.03.2013 03:35, schrieb Dunrong Huang: The value of do_interrupt member of CPUClass shoule be set to a target-specific function, or it will lead to a segfault like below: $ moxie-softmmu/qemu-system-moxie -M moxiesim Segmentation fault Cc: Anthony Green gr...@moxielogic.com Cc: Blue Swirl blauwir...@gmail.com Cc: Andreas Färber afaer...@suse.de Signed-off-by: Dunrong Huang huan...@cloud-times.com --- target-moxie/cpu.c| 1 + target-moxie/cpu.h| 2 +- target-moxie/helper.c | 7 +-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/target-moxie/cpu.c b/target-moxie/cpu.c index c17d3f0..c0855f0 100644 --- a/target-moxie/cpu.c +++ b/target-moxie/cpu.c @@ -98,6 +98,7 @@ static void moxie_cpu_class_init(ObjectClass *oc, void *data) cc-class_by_name = moxie_cpu_class_by_name; dc-vmsd = vmstate_moxie_cpu; +cc-do_interrupt = moxie_cpu_do_interrupt; } static void moxielite_initfn(Object *obj) diff --git a/target-moxie/cpu.h b/target-moxie/cpu.h index b96236f..988729a 100644 --- a/target-moxie/cpu.h +++ b/target-moxie/cpu.h @@ -117,7 +117,7 @@ static inline MoxieCPU *moxie_env_get_cpu(CPUMoxieState *env) MoxieCPU *cpu_moxie_init(const char *cpu_model); int cpu_moxie_exec(CPUMoxieState *s); -void do_interrupt(CPUMoxieState *env); +void moxie_cpu_do_interrupt(CPUState *cs); void moxie_translate_init(void); int cpu_moxie_signal_handler(int host_signum, void *pinfo, void *puc); diff --git a/target-moxie/helper.c b/target-moxie/helper.c index 8604ce8..6e0ac2a 100644 --- a/target-moxie/helper.c +++ b/target-moxie/helper.c @@ -102,7 +102,7 @@ void helper_debug(CPUMoxieState *env) #if defined(CONFIG_USER_ONLY) -void do_interrupt(CPUState *env) +void moxie_cpu_do_interrupt(CPUState *env) { env-exception_index = -1; } Anthony, CPUState should not be named env but rather cs (to reserve cpu for MoxieCPU). That's unrelated to this patch though. @@ -147,8 +147,11 @@ int cpu_moxie_handle_mmu_fault(CPUMoxieState *env, target_ulong address, } -void do_interrupt(CPUMoxieState *env) +void moxie_cpu_do_interrupt(CPUState *cs) { +MoxieCPU *cpu = MOXIE_CPU(cs); +CPUMoxieState *env = cpu-env; + switch (env-exception_index) { case MOXIE_EX_BREAK: break; That exception_index is used once from CPUMoxieState and once from CPUState is telling me something is fishy here... Are any test images available? Hooking up cc-do_interrupt is the correct thing to do though, so that could be sorted out later, Reviewed-by: Andreas Färber afaer...@suse.de Andreas -- SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg
[Qemu-devel] [Bug 1127369] Re: i386 emulation unreliable since commit b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699
Thanks for the detailed test case and fix. However unfortunately I cannot see d6e839e718 in the current qemu git. Is it possible the commit hash changed because of a rebase when it was committed? -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1127369 Title: i386 emulation unreliable since commit b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699 Status in QEMU: Fix Committed Bug description: I am running daily automated tests of the qemu git mainline that involve building qemu on a Linux host (32-bit), booting a NetBSD guest in qemu-system-i386, and running the NetBSD operating system test suite on the guest. Since commit b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699, there has been a marked increase in the number of failing test cases. Before that commit, the number of failing test cases was typically in the range 3 to 6, but since that commit, test runs often show 10 or more failed tests, or they end prematurely due to a segmentation fault in the test framework itself. To aid in reproducing the problem, I have prepared a disk image containing a NetBSD 6.0.1 system configured to automatically run the test suite on boot. To reproduce the problem, run the following shell commands: wget http://www.gson.org/bugs/qemu/NetBSD-6.0.1-i386-test.img.gz gunzip NetBSD-6.0.1-i386-test.img.gz qemu-system-i386 -m 32 -nographic -snapshot -hda NetBSD-6.0.1-i386-test.img The disk image is about 144 MB in size and uncompresses to 2 GB. The test run typically takes a couple of hours, printing progress messages to the terminal as it goes. When it finishes, the virtual machine will be automatically powered down, causing qemu to exit. Near the end of the output, before the shutdown messages, there should be a summary of the test results. The expected output looks like this: Summary for 500 test programs: 2958 passed test cases. 5 failed test cases. 45 expected failed test cases. 70 skipped test cases. A number of failed test cases in the range 3 to 6 should be considered normal. Please ignore the expected failed test cases. Using a version of qemu affected by the bug, the summary will look more like this: Summary for 500 test programs: 2951 passed test cases. 12 failed test cases. 45 expected failed test cases. 69 skipped test cases. Or it may end with a segmentation fault like this: p2k_ffs_race: atf-report: ERROR: 10912: Unexpected token `EOF'; expected end of test case or test case's stdout/stderr line [1] Segmentation fault (core dumped) atf-run | Done(1) atf-report The problem goes away if the -m 32 is omitted from the qemu command line, which leads me to suspect that the problem may be related to paging or swapping activity in the guest. The revision listed in the subject, b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699, is the first one exhibiting the excessive test failures, but the bug may already have been introduced in the previous commit, fdbb84d1332ae0827d60f1a2ca03c7d5678c6edd. If I attempt to run the test on fdbb84d1332ae0827d60f1a2ca03c7d5678c6edd, the guest fails to boot. The revision before that, 32761257c0b9fa7ee04d2871a6e48a41f119c469, works as expected. -- Andreas Gustafsson, g...@gson.org To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1127369/+subscriptions
Re: [Qemu-devel] [Xen-devel] [PATCHv3] QEMU(upstream): Disable xen's use of O_DIRECT by default as it results in crashes.
Stefano, --On 29 March 2013 17:19:26 + Stefano Stabellini stefano.stabell...@eu.citrix.com wrote: I think so. blkfront reads sectors when QEMU moves to XenbusStateConnected, in blkfront_connect. blk_connect is called from xen_be_try_initialise, which moves to XenbusStateConnected on success. So, QEMU's blk_connect will always be called before blkfront's blkfront_connect. Alex, do you have any updates on this patch? Sorry, I've been snowed under with other stuff. I got to the speed bump below, then didn't get back to it after Paolo's reply. I'll see if I can get some time tomorrow. -- Alex Bligh -- Forwarded Message -- Date: 20 March 2013 10:26:21 +0100 From: Paolo Bonzini pbonz...@redhat.com To: Alex Bligh a...@alex.org.uk CC: Stefano Stabellini stefano.stabell...@eu.citrix.com, George Dunlap george.dun...@eu.citrix.com, Ian Campbell ian.campb...@citrix.com, Ian Jackson ian.jack...@eu.citrix.com, qemu-devel@nongnu.org, xen-devel xen-de...@lists.xen.org, Anthony Liguori anth...@codemonkey.ws Subject: Re: [Xen-devel] [PATCHv3] QEMU(upstream): Disable xen's use of O_DIRECT by default as it results in crashes. Il 20/03/2013 09:33, Alex Bligh ha scritto: Stefano, --On 19 March 2013 15:13:29 + Stefano Stabellini stefano.stabell...@eu.citrix.com wrote: Therefore I think that the current change is not safe, but it is pretty easy to make it safe. You just need to move the call to blk_open from blk_init to blk_connect. Actually you can move most of blk_init to blk_connect, you just need to keep the 4 xenstore_write_be_int at the end of the function. The final of these 4 writes in blk_init is: xenstore_write_be_int(blkdev-xendev, sectors, blkdev-file_size / blkdev-file_blk); and blkdev-filesize comes from bdrv_getlength(blkdev-bs), and that requires (I think) bdrv_open to have been called. Can these 4 writes move safely to blk_connect? Or can we write the sectors count as (say) 0 here and fix it later in blk_connect? The remainder look ok. I think so. blkfront reads sectors when QEMU moves to XenbusStateConnected, in blkfront_connect. blk_connect is called from xen_be_try_initialise, which moves to XenbusStateConnected on success. So, QEMU's blk_connect will always be called before blkfront's blkfront_connect. Paolo -- End Forwarded Message --
Re: [Qemu-devel] [PATCH] target-moxie: set do_interrupt to a target-specific helper function
Thanks, applied. On Sun, Mar 31, 2013 at 1:35 AM, Dunrong Huang huan...@cloud-times.com wrote: The value of do_interrupt member of CPUClass shoule be set to a target-specific function, or it will lead to a segfault like below: $ moxie-softmmu/qemu-system-moxie -M moxiesim Segmentation fault Cc: Anthony Green gr...@moxielogic.com Cc: Blue Swirl blauwir...@gmail.com Cc: Andreas Färber afaer...@suse.de Signed-off-by: Dunrong Huang huan...@cloud-times.com --- target-moxie/cpu.c| 1 + target-moxie/cpu.h| 2 +- target-moxie/helper.c | 7 +-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/target-moxie/cpu.c b/target-moxie/cpu.c index c17d3f0..c0855f0 100644 --- a/target-moxie/cpu.c +++ b/target-moxie/cpu.c @@ -98,6 +98,7 @@ static void moxie_cpu_class_init(ObjectClass *oc, void *data) cc-class_by_name = moxie_cpu_class_by_name; dc-vmsd = vmstate_moxie_cpu; +cc-do_interrupt = moxie_cpu_do_interrupt; } static void moxielite_initfn(Object *obj) diff --git a/target-moxie/cpu.h b/target-moxie/cpu.h index b96236f..988729a 100644 --- a/target-moxie/cpu.h +++ b/target-moxie/cpu.h @@ -117,7 +117,7 @@ static inline MoxieCPU *moxie_env_get_cpu(CPUMoxieState *env) MoxieCPU *cpu_moxie_init(const char *cpu_model); int cpu_moxie_exec(CPUMoxieState *s); -void do_interrupt(CPUMoxieState *env); +void moxie_cpu_do_interrupt(CPUState *cs); void moxie_translate_init(void); int cpu_moxie_signal_handler(int host_signum, void *pinfo, void *puc); diff --git a/target-moxie/helper.c b/target-moxie/helper.c index 8604ce8..6e0ac2a 100644 --- a/target-moxie/helper.c +++ b/target-moxie/helper.c @@ -102,7 +102,7 @@ void helper_debug(CPUMoxieState *env) #if defined(CONFIG_USER_ONLY) -void do_interrupt(CPUState *env) +void moxie_cpu_do_interrupt(CPUState *env) { env-exception_index = -1; } @@ -147,8 +147,11 @@ int cpu_moxie_handle_mmu_fault(CPUMoxieState *env, target_ulong address, } -void do_interrupt(CPUMoxieState *env) +void moxie_cpu_do_interrupt(CPUState *cs) { +MoxieCPU *cpu = MOXIE_CPU(cs); +CPUMoxieState *env = cpu-env; + switch (env-exception_index) { case MOXIE_EX_BREAK: break; -- 1.8.1.5
[Qemu-devel] [Bug 1127369] Re: i386 emulation unreliable since commit b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699
Oops sorry. The correct commit hash is 52ae646d4a3ebdcdcc973492c6a56f2c49b6578f -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1127369 Title: i386 emulation unreliable since commit b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699 Status in QEMU: Fix Committed Bug description: I am running daily automated tests of the qemu git mainline that involve building qemu on a Linux host (32-bit), booting a NetBSD guest in qemu-system-i386, and running the NetBSD operating system test suite on the guest. Since commit b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699, there has been a marked increase in the number of failing test cases. Before that commit, the number of failing test cases was typically in the range 3 to 6, but since that commit, test runs often show 10 or more failed tests, or they end prematurely due to a segmentation fault in the test framework itself. To aid in reproducing the problem, I have prepared a disk image containing a NetBSD 6.0.1 system configured to automatically run the test suite on boot. To reproduce the problem, run the following shell commands: wget http://www.gson.org/bugs/qemu/NetBSD-6.0.1-i386-test.img.gz gunzip NetBSD-6.0.1-i386-test.img.gz qemu-system-i386 -m 32 -nographic -snapshot -hda NetBSD-6.0.1-i386-test.img The disk image is about 144 MB in size and uncompresses to 2 GB. The test run typically takes a couple of hours, printing progress messages to the terminal as it goes. When it finishes, the virtual machine will be automatically powered down, causing qemu to exit. Near the end of the output, before the shutdown messages, there should be a summary of the test results. The expected output looks like this: Summary for 500 test programs: 2958 passed test cases. 5 failed test cases. 45 expected failed test cases. 70 skipped test cases. A number of failed test cases in the range 3 to 6 should be considered normal. Please ignore the expected failed test cases. Using a version of qemu affected by the bug, the summary will look more like this: Summary for 500 test programs: 2951 passed test cases. 12 failed test cases. 45 expected failed test cases. 69 skipped test cases. Or it may end with a segmentation fault like this: p2k_ffs_race: atf-report: ERROR: 10912: Unexpected token `EOF'; expected end of test case or test case's stdout/stderr line [1] Segmentation fault (core dumped) atf-run | Done(1) atf-report The problem goes away if the -m 32 is omitted from the qemu command line, which leads me to suspect that the problem may be related to paging or swapping activity in the guest. The revision listed in the subject, b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699, is the first one exhibiting the excessive test failures, but the bug may already have been introduced in the previous commit, fdbb84d1332ae0827d60f1a2ca03c7d5678c6edd. If I attempt to run the test on fdbb84d1332ae0827d60f1a2ca03c7d5678c6edd, the guest fails to boot. The revision before that, 32761257c0b9fa7ee04d2871a6e48a41f119c469, works as expected. -- Andreas Gustafsson, g...@gson.org To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1127369/+subscriptions
[Qemu-devel] [Bug 1127369] Re: i386 emulation unreliable since commit b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699
Thank you. Now if someone could also fix bug 1154328 , my automated tests might run again... -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1127369 Title: i386 emulation unreliable since commit b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699 Status in QEMU: Fix Committed Bug description: I am running daily automated tests of the qemu git mainline that involve building qemu on a Linux host (32-bit), booting a NetBSD guest in qemu-system-i386, and running the NetBSD operating system test suite on the guest. Since commit b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699, there has been a marked increase in the number of failing test cases. Before that commit, the number of failing test cases was typically in the range 3 to 6, but since that commit, test runs often show 10 or more failed tests, or they end prematurely due to a segmentation fault in the test framework itself. To aid in reproducing the problem, I have prepared a disk image containing a NetBSD 6.0.1 system configured to automatically run the test suite on boot. To reproduce the problem, run the following shell commands: wget http://www.gson.org/bugs/qemu/NetBSD-6.0.1-i386-test.img.gz gunzip NetBSD-6.0.1-i386-test.img.gz qemu-system-i386 -m 32 -nographic -snapshot -hda NetBSD-6.0.1-i386-test.img The disk image is about 144 MB in size and uncompresses to 2 GB. The test run typically takes a couple of hours, printing progress messages to the terminal as it goes. When it finishes, the virtual machine will be automatically powered down, causing qemu to exit. Near the end of the output, before the shutdown messages, there should be a summary of the test results. The expected output looks like this: Summary for 500 test programs: 2958 passed test cases. 5 failed test cases. 45 expected failed test cases. 70 skipped test cases. A number of failed test cases in the range 3 to 6 should be considered normal. Please ignore the expected failed test cases. Using a version of qemu affected by the bug, the summary will look more like this: Summary for 500 test programs: 2951 passed test cases. 12 failed test cases. 45 expected failed test cases. 69 skipped test cases. Or it may end with a segmentation fault like this: p2k_ffs_race: atf-report: ERROR: 10912: Unexpected token `EOF'; expected end of test case or test case's stdout/stderr line [1] Segmentation fault (core dumped) atf-run | Done(1) atf-report The problem goes away if the -m 32 is omitted from the qemu command line, which leads me to suspect that the problem may be related to paging or swapping activity in the guest. The revision listed in the subject, b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699, is the first one exhibiting the excessive test failures, but the bug may already have been introduced in the previous commit, fdbb84d1332ae0827d60f1a2ca03c7d5678c6edd. If I attempt to run the test on fdbb84d1332ae0827d60f1a2ca03c7d5678c6edd, the guest fails to boot. The revision before that, 32761257c0b9fa7ee04d2871a6e48a41f119c469, works as expected. -- Andreas Gustafsson, g...@gson.org To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1127369/+subscriptions
[Qemu-devel] [Bug 1127369] Re: i386 emulation unreliable since commit b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699
Thanks - fix committed to Fedora. Hopefully this will squash the rare and random segfaults in the libguestfs test suite. -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1127369 Title: i386 emulation unreliable since commit b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699 Status in QEMU: Fix Committed Bug description: I am running daily automated tests of the qemu git mainline that involve building qemu on a Linux host (32-bit), booting a NetBSD guest in qemu-system-i386, and running the NetBSD operating system test suite on the guest. Since commit b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699, there has been a marked increase in the number of failing test cases. Before that commit, the number of failing test cases was typically in the range 3 to 6, but since that commit, test runs often show 10 or more failed tests, or they end prematurely due to a segmentation fault in the test framework itself. To aid in reproducing the problem, I have prepared a disk image containing a NetBSD 6.0.1 system configured to automatically run the test suite on boot. To reproduce the problem, run the following shell commands: wget http://www.gson.org/bugs/qemu/NetBSD-6.0.1-i386-test.img.gz gunzip NetBSD-6.0.1-i386-test.img.gz qemu-system-i386 -m 32 -nographic -snapshot -hda NetBSD-6.0.1-i386-test.img The disk image is about 144 MB in size and uncompresses to 2 GB. The test run typically takes a couple of hours, printing progress messages to the terminal as it goes. When it finishes, the virtual machine will be automatically powered down, causing qemu to exit. Near the end of the output, before the shutdown messages, there should be a summary of the test results. The expected output looks like this: Summary for 500 test programs: 2958 passed test cases. 5 failed test cases. 45 expected failed test cases. 70 skipped test cases. A number of failed test cases in the range 3 to 6 should be considered normal. Please ignore the expected failed test cases. Using a version of qemu affected by the bug, the summary will look more like this: Summary for 500 test programs: 2951 passed test cases. 12 failed test cases. 45 expected failed test cases. 69 skipped test cases. Or it may end with a segmentation fault like this: p2k_ffs_race: atf-report: ERROR: 10912: Unexpected token `EOF'; expected end of test case or test case's stdout/stderr line [1] Segmentation fault (core dumped) atf-run | Done(1) atf-report The problem goes away if the -m 32 is omitted from the qemu command line, which leads me to suspect that the problem may be related to paging or swapping activity in the guest. The revision listed in the subject, b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699, is the first one exhibiting the excessive test failures, but the bug may already have been introduced in the previous commit, fdbb84d1332ae0827d60f1a2ca03c7d5678c6edd. If I attempt to run the test on fdbb84d1332ae0827d60f1a2ca03c7d5678c6edd, the guest fails to boot. The revision before that, 32761257c0b9fa7ee04d2871a6e48a41f119c469, works as expected. -- Andreas Gustafsson, g...@gson.org To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1127369/+subscriptions
Re: [Qemu-devel] vNVRAM / blobstore design
Michael S. Tsirkin m...@redhat.com wrote on 03/31/2013 04:17:28 AM: You want to protect against someone who is able to manipulate some bits in the file (content) but not others (hash)? What's the attack you are trying to protect against here? I'm guessing the only result of extra checksums would be unbootable guests when qemu manages to corrupt the checksum without any help from attackers ... You are of course correct. I advised an integrity value just to detect a hardware or software fault. The check value would not protect against an attack.
Re: [Qemu-devel] [Bug 1127369] Re: i386 emulation unreliable since commit b76f0d8c2e3eac94bc7fd90a510cb7426b2a2699
Anthony, On Sun, Mar 31, 2013 at 07:24:20PM -, Andreas Gustafsson wrote: Thank you. Now if someone could also fix bug 1154328 , my automated tests might run again... This bug is indeed quite problematic and is caused by one of your patches: commit a29753f8aa79a34a324afebe340182a51a5aef11 Author: Anthony Liguori aligu...@us.ibm.com Date: Tue Mar 5 23:21:19 2013 +0530 qemu-char: convert fd_chr to use a GIOChannel This uses the newly introduced IOWatchPoll source. Signed-off-by: Anthony Liguori aligu...@us.ibm.com Signed-off-by: Amit Shah amit.s...@redhat.com Message-id: 0cb5d14510ee835a0ebc23676d10a2cce9280da5.1362505276.git.amit.s...@redhat.com Signed-off-by: Anthony Liguori aligu...@us.ibm.com Are you aware of the issue? Are you working on a fix? Regards, Aurelien -- Aurelien Jarno GPG: 1024D/F1BCDB73 aurel...@aurel32.net http://www.aurel32.net
[Qemu-devel] Modifying a program counter
Hello everyone, I am a Computer science student which is new to QEMU, new to this list. For the student project that I am working on, which is system security related, I am executing a program in QEMU user mode emulation. To simulate a program control flow change, like it happens in a real attack, I would like to modify program counter and 'tell' QEMU to jump to a certain instruction and continue execution from there. Is something like that possible to achieve with QEMU? And if so, could you give me some advice how to do this? Thank you very much and all the best, Ivan
[Qemu-devel] [PATCH v5 00/19] tcg-arm improvements
Changes v4-v5: * Incorprate stack realignment into frame size, instead of pushing r12. * Disassemble prologues with -d out_asm. Changes v3-v4: * Local stack frame fix has been reworked to be independant of the rest of the change set, making it possible to cherry-pick to stable. * While doing that, I've dropped the patch that pulled the epilogue into the exit_tb expansion, as the stated reason (one insn in the epilogue) is no longer true -- there's the stack pop as well. This obviated several of the changes that PMM suggested. * I've dropped all of the changes to goto_tb, as Aurelien tried the same thing a while ago, and there were reports of no real speedup, ascribed to Dcache pollution. Hopefully I've addressed all of the outstanding comments to which there is still code that applies. The patch set is available at git://github.com/rth7680/qemu.git tcg-arm r~ Richard Henderson (19): tcg-arm: Fix local stack frame tcg: Log the contents of the prologue with -d out_asm tcg-arm: Use bic to implement and with constant tcg-arm: Handle negated constant arguments to and/sub tcg-arm: Allow constant first argument to sub tcg-arm: Use tcg_out_dat_rIN for compares tcg-arm: Handle constant arguments to add2/sub2 tcg-arm: Improve constant generation tcg-arm: Implement deposit for armv7 tcg-arm: Implement division instructions tcg-arm: Use TCG_REG_TMP name for the tcg temporary tcg-arm: Use R12 for the tcg temporary tcg-arm: Cleanup multiply subroutines tcg-arm: Cleanup most primitive load store subroutines tcg-arm: Split out tcg_out_tlb_read tcg-arm: Improve scheduling of tcg_out_tlb_read tcg-arm: Use movi32 + blx for calls on v7 tcg-arm: Convert to CONFIG_QEMU_LDST_OPTIMIZATION tcg-arm: Tidy exit_tb configure |2 +- disas/arm.c |4 + include/exec/exec-all.h | 17 + tcg/arm/tcg-target.c| 1470 +++ tcg/arm/tcg-target.h| 14 +- tcg/tcg.c | 10 + 6 files changed, 875 insertions(+), 642 deletions(-) -- 1.8.1.4
[Qemu-devel] [PATCH v5 01/19] tcg-arm: Fix local stack frame
We were not allocating TCG_STATIC_CALL_ARGS_SIZE, so this meant that any helper with more than 4 arguments would clobber the saved regs. Realizing that we're supposed to have this memory pre-allocated means we can clean up the tcg_out_arg functions, which were trying to do more stack allocation. Allocate stack memory for the TCG temporaries while we're at it. Signed-off-by: Richard Henderson r...@twiddle.net --- tcg/arm/tcg-target.c | 120 --- 1 file changed, 46 insertions(+), 74 deletions(-) diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index 94c6ca4..d099b68 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -1017,64 +1017,35 @@ static const void * const qemu_st_helpers[4] = { * argreg is where we want to put this argument, arg is the argument itself. * Return value is the updated argreg ready for the next call. * Note that argreg 0..3 is real registers, 4+ on stack. - * When we reach the first stacked argument, we allocate space for it - * and the following stacked arguments using str r8, [sp, #-0x10]!. - * Following arguments are filled in with str r8, [sp, #0xNN]. - * For more than 4 stacked arguments we'd need to know how much - * space to allocate when we pushed the first stacked argument. - * We don't need this, so don't implement it (and will assert if you try it.) * * We provide routines for arguments which are: immediate, 32 bit * value in register, 16 and 8 bit values in register (which must be zero * extended before use) and 64 bit value in a lo:hi register pair. */ -#define DEFINE_TCG_OUT_ARG(NAME, ARGPARAM) \ -static TCGReg NAME(TCGContext *s, TCGReg argreg, ARGPARAM) \ -{ \ -if (argreg 4) { \ -TCG_OUT_ARG_GET_ARG(argreg); \ -} else if (argreg == 4) { \ -TCG_OUT_ARG_GET_ARG(TCG_REG_R8); \ -tcg_out32(s, (COND_AL 28) | 0x052d8010);\ -} else { \ -assert(argreg 8);\ -TCG_OUT_ARG_GET_ARG(TCG_REG_R8); \ -tcg_out32(s, (COND_AL 28) | 0x058d8000 | (argreg - 4) * 4); \ -} \ -return argreg + 1; \ -} - -#define TCG_OUT_ARG_GET_ARG(A) tcg_out_dat_imm(s, COND_AL, ARITH_MOV, A, 0, arg) -DEFINE_TCG_OUT_ARG(tcg_out_arg_imm32, uint32_t arg) -#undef TCG_OUT_ARG_GET_ARG -#define TCG_OUT_ARG_GET_ARG(A) tcg_out_ext8u(s, COND_AL, A, arg) -DEFINE_TCG_OUT_ARG(tcg_out_arg_reg8, TCGReg arg) -#undef TCG_OUT_ARG_GET_ARG -#define TCG_OUT_ARG_GET_ARG(A) tcg_out_ext16u(s, COND_AL, A, arg) -DEFINE_TCG_OUT_ARG(tcg_out_arg_reg16, TCGReg arg) -#undef TCG_OUT_ARG_GET_ARG - -/* We don't use the macro for this one to avoid an unnecessary reg-reg - * move when storing to the stack. - */ -static TCGReg tcg_out_arg_reg32(TCGContext *s, TCGReg argreg, TCGReg arg) -{ -if (argreg 4) { -tcg_out_mov_reg(s, COND_AL, argreg, arg); -} else if (argreg == 4) { -/* str arg, [sp, #-0x10]! */ -tcg_out32(s, (COND_AL 28) | 0x052d0010 | (arg 12)); -} else { -assert(argreg 8); -/* str arg, [sp, #0xNN] */ -tcg_out32(s, (COND_AL 28) | 0x058d | - (arg 12) | (argreg - 4) * 4); -} -return argreg + 1; -} - -static inline TCGReg tcg_out_arg_reg64(TCGContext *s, TCGReg argreg, - TCGReg arglo, TCGReg arghi) +#define DEFINE_TCG_OUT_ARG(NAME, ARGTYPE, MOV_ARG, EXT_ARG)\ +static TCGReg NAME(TCGContext *s, TCGReg argreg, ARGTYPE arg) \ +{ \ +if (argreg 4) { \ +MOV_ARG(s, COND_AL, argreg, arg); \ +} else { \ +int ofs = (argreg - 4) * 4;\ +EXT_ARG; \ +assert(ofs + 4 = TCG_STATIC_CALL_ARGS_SIZE); \ +tcg_out_st32_12(s, COND_AL, arg, TCG_REG_CALL_STACK, ofs); \ +} \ +return argreg + 1; \ +} + +DEFINE_TCG_OUT_ARG(tcg_out_arg_imm32, uint32_t, tcg_out_movi32, +(tcg_out_movi32(s, COND_AL, TCG_REG_R8, arg), arg = TCG_REG_R8))
[Qemu-devel] [PATCH v5 02/19] tcg: Log the contents of the prologue with -d out_asm
This makes it easier to verify changes to the code generating the prologue. Signed-off-by: Richard Henderson r...@twiddle.net --- tcg/tcg.c | 10 ++ 1 file changed, 10 insertions(+) diff --git a/tcg/tcg.c b/tcg/tcg.c index 1d8265e..de68c16 100644 --- a/tcg/tcg.c +++ b/tcg/tcg.c @@ -268,6 +268,16 @@ void tcg_prologue_init(TCGContext *s) tcg_target_qemu_prologue(s); flush_icache_range((tcg_target_ulong)s-code_buf, (tcg_target_ulong)s-code_ptr); + +#ifdef DEBUG_DISAS +if (qemu_loglevel_mask(CPU_LOG_TB_OUT_ASM)) { +size_t size = s-code_ptr - s-code_buf; +qemu_log(PROLOGUE: [size=%d]\n, size); +log_disas(s-code_buf, size); +qemu_log(\n); +qemu_log_flush(); +} +#endif } void tcg_set_frame(TCGContext *s, int reg, -- 1.8.1.4
[Qemu-devel] [PATCH v5 07/19] tcg-arm: Handle constant arguments to add2/sub2
We get to re-use the _rIN and _rIK subroutines to handle the various combinations of add vs sub. Fold the 21 into the opcode enum values so that we can explicitly add TO_CPSR as desired. Signed-off-by: Richard Henderson r...@twiddle.net --- tcg/arm/tcg-target.c | 106 --- 1 file changed, 58 insertions(+), 48 deletions(-) diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index 57e8748..9e8c97c 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -302,27 +302,26 @@ static inline int tcg_target_const_match(tcg_target_long val, } } +#define TO_CPSR (1 20) + enum arm_data_opc_e { -ARITH_AND = 0x0, -ARITH_EOR = 0x1, -ARITH_SUB = 0x2, -ARITH_RSB = 0x3, -ARITH_ADD = 0x4, -ARITH_ADC = 0x5, -ARITH_SBC = 0x6, -ARITH_RSC = 0x7, -ARITH_TST = 0x8, -ARITH_CMP = 0xa, -ARITH_CMN = 0xb, -ARITH_ORR = 0xc, -ARITH_MOV = 0xd, -ARITH_BIC = 0xe, -ARITH_MVN = 0xf, +ARITH_AND = 0x0 21, +ARITH_EOR = 0x1 21, +ARITH_SUB = 0x2 21, +ARITH_RSB = 0x3 21, +ARITH_ADD = 0x4 21, +ARITH_ADC = 0x5 21, +ARITH_SBC = 0x6 21, +ARITH_RSC = 0x7 21, +ARITH_TST = 0x8 21 | TO_CPSR, +ARITH_CMP = 0xa 21 | TO_CPSR, +ARITH_CMN = 0xb 21 | TO_CPSR, +ARITH_ORR = 0xc 21, +ARITH_MOV = 0xd 21, +ARITH_BIC = 0xe 21, +ARITH_MVN = 0xf 21, }; -#define TO_CPSR(opc) \ - ((opc == ARITH_CMP || opc == ARITH_CMN || opc == ARITH_TST) 20) - #define SHIFT_IMM_LSL(im) (((im) 7) | 0x00) #define SHIFT_IMM_LSR(im) (((im) 7) | 0x20) #define SHIFT_IMM_ASR(im) (((im) 7) | 0x40) @@ -409,7 +408,7 @@ static inline void tcg_out_blx_imm(TCGContext *s, int32_t offset) static inline void tcg_out_dat_reg(TCGContext *s, int cond, int opc, int rd, int rn, int rm, int shift) { -tcg_out32(s, (cond 28) | (0 25) | (opc 21) | TO_CPSR(opc) | +tcg_out32(s, (cond 28) | (0 25) | opc | (rn 16) | (rd 12) | shift | rm); } @@ -421,29 +420,10 @@ static inline void tcg_out_mov_reg(TCGContext *s, int cond, int rd, int rm) } } -static inline void tcg_out_dat_reg2(TCGContext *s, -int cond, int opc0, int opc1, int rd0, int rd1, -int rn0, int rn1, int rm0, int rm1, int shift) -{ -if (rd0 == rn1 || rd0 == rm1) { -tcg_out32(s, (cond 28) | (0 25) | (opc0 21) | (1 20) | -(rn0 16) | (8 12) | shift | rm0); -tcg_out32(s, (cond 28) | (0 25) | (opc1 21) | -(rn1 16) | (rd1 12) | shift | rm1); -tcg_out_dat_reg(s, cond, ARITH_MOV, -rd0, 0, TCG_REG_R8, SHIFT_IMM_LSL(0)); -} else { -tcg_out32(s, (cond 28) | (0 25) | (opc0 21) | (1 20) | -(rn0 16) | (rd0 12) | shift | rm0); -tcg_out32(s, (cond 28) | (0 25) | (opc1 21) | -(rn1 16) | (rd1 12) | shift | rm1); -} -} - static inline void tcg_out_dat_imm(TCGContext *s, int cond, int opc, int rd, int rn, int im) { -tcg_out32(s, (cond 28) | (1 25) | (opc 21) | TO_CPSR(opc) | +tcg_out32(s, (cond 28) | (1 25) | opc | (rn 16) | (rd 12) | im); } @@ -1523,6 +1503,7 @@ static uint8_t *tb_ret_addr; static inline void tcg_out_op(TCGContext *s, TCGOpcode opc, const TCGArg *args, const int *const_args) { +TCGArg a0, a1, a2, a3, a4, a5; int c; switch (opc) { @@ -1655,14 +1636,44 @@ static inline void tcg_out_op(TCGContext *s, TCGOpcode opc, tcg_out_dat_rI(s, COND_AL, c, args[0], args[1], args[2], const_args[2]); break; case INDEX_op_add2_i32: -tcg_out_dat_reg2(s, COND_AL, ARITH_ADD, ARITH_ADC, -args[0], args[1], args[2], args[3], -args[4], args[5], SHIFT_IMM_LSL(0)); +a0 = args[0], a1 = args[1], a2 = args[2]; +a3 = args[3], a4 = args[4], a5 = args[5]; +if (a0 == a3 || (a0 == a5 !const_args[5])) { +a0 = TCG_REG_R8; +} +tcg_out_dat_rIN(s, COND_AL, ARITH_ADD | TO_CPSR, ARITH_SUB | TO_CPSR, +a0, a2, a4, const_args[4]); +tcg_out_dat_rIK(s, COND_AL, ARITH_ADC, ARITH_SBC, +a1, a3, a5, const_args[5]); +tcg_out_mov_reg(s, COND_AL, args[0], a0); break; case INDEX_op_sub2_i32: -tcg_out_dat_reg2(s, COND_AL, ARITH_SUB, ARITH_SBC, -args[0], args[1], args[2], args[3], -args[4], args[5], SHIFT_IMM_LSL(0)); +a0 = args[0], a1 = args[1], a2 = args[2]; +a3 = args[3], a4 = args[4], a5 = args[5]; +if ((a0 == a3 !const_args[3]) || (a0 == a5 !const_args[5])) { +a0 = TCG_REG_R8; +} +if (const_args[2]) { +if (const_args[4]) { +tcg_out_movi32(s, COND_AL, a0,
[Qemu-devel] [PATCH v5 05/19] tcg-arm: Allow constant first argument to sub
This allows the generation of RSB instructions. Reviewed-by: Aurelien Jarno aurel...@aurel32.net Signed-off-by: Richard Henderson r...@twiddle.net --- tcg/arm/tcg-target.c | 15 --- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index f34828b..a430f1b 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -1625,8 +1625,17 @@ static inline void tcg_out_op(TCGContext *s, TCGOpcode opc, args[0], args[1], args[2], const_args[2]); break; case INDEX_op_sub_i32: -tcg_out_dat_rIN(s, COND_AL, ARITH_SUB, ARITH_ADD, -args[0], args[1], args[2], const_args[2]); +if (const_args[1]) { +if (const_args[2]) { +tcg_out_movi32(s, COND_AL, args[0], args[1] - args[2]); +} else { +tcg_out_dat_rI(s, COND_AL, ARITH_RSB, + args[0], args[2], args[1], 1); +} +} else { +tcg_out_dat_rIN(s, COND_AL, ARITH_SUB, ARITH_ADD, +args[0], args[1], args[2], const_args[2]); +} break; case INDEX_op_and_i32: tcg_out_dat_rIK(s, COND_AL, ARITH_AND, ARITH_BIC, @@ -1819,7 +1828,7 @@ static const TCGTargetOpDef arm_op_defs[] = { /* TODO: r, r, ri */ { INDEX_op_add_i32, { r, r, rIN } }, -{ INDEX_op_sub_i32, { r, r, rIN } }, +{ INDEX_op_sub_i32, { r, rI, rIN } }, { INDEX_op_mul_i32, { r, r, r } }, { INDEX_op_mulu2_i32, { r, r, r, r } }, { INDEX_op_muls2_i32, { r, r, r, r } }, -- 1.8.1.4
[Qemu-devel] [PATCH v5 04/19] tcg-arm: Handle negated constant arguments to and/sub
This greatly improves code generation for addition of small negative constants. Reviewed-by: Aurelien Jarno aurel...@aurel32.net Signed-off-by: Richard Henderson r...@twiddle.net --- tcg/arm/tcg-target.c | 41 +++-- 1 file changed, 35 insertions(+), 6 deletions(-) diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index 01d9a0c..f34828b 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -147,6 +147,7 @@ static void patch_reloc(uint8_t *code_ptr, int type, #define TCG_CT_CONST_ARM 0x100 #define TCG_CT_CONST_INV 0x200 +#define TCG_CT_CONST_NEG 0x400 /* parse target specific constraints */ static int target_parse_constraint(TCGArgConstraint *ct, const char **pct_str) @@ -161,6 +162,9 @@ static int target_parse_constraint(TCGArgConstraint *ct, const char **pct_str) case 'K': ct-ct |= TCG_CT_CONST_INV; break; +case 'N': /* The gcc constraint letter is L, already used here. */ + ct-ct |= TCG_CT_CONST_NEG; + break; case 'r': ct-ct |= TCG_CT_REG; @@ -291,6 +295,8 @@ static inline int tcg_target_const_match(tcg_target_long val, return 1; } else if ((ct TCG_CT_CONST_INV) check_fit_imm(~val)) { return 1; +} else if ((ct TCG_CT_CONST_NEG) check_fit_imm(-val)) { +return 1; } else { return 0; } @@ -512,6 +518,27 @@ static void tcg_out_dat_rIK(TCGContext *s, int cond, int opc, int opinv, } } +static void tcg_out_dat_rIN(TCGContext *s, int cond, int opc, int opneg, +TCGArg dst, TCGArg lhs, TCGArg rhs, +bool rhs_is_const) +{ +/* Emit either the reg,imm or reg,reg form of a data-processing insn. + * rhs must satisfy the rIN constraint. + */ +if (rhs_is_const) { +int rot = encode_imm(rhs); +if (rot 0) { +rhs = -rhs; +rot = encode_imm(rhs); +assert(rot = 0); +opc = opneg; +} +tcg_out_dat_imm(s, cond, opc, dst, lhs, rotl(rhs, rot) | (rot 7)); +} else { +tcg_out_dat_reg(s, cond, opc, dst, lhs, rhs, SHIFT_IMM_LSL(0)); +} +} + static inline void tcg_out_mul32(TCGContext *s, int cond, int rd, int rs, int rm) { @@ -1594,11 +1621,13 @@ static inline void tcg_out_op(TCGContext *s, TCGOpcode opc, ARITH_MOV, args[0], 0, args[3], const_args[3]); break; case INDEX_op_add_i32: -c = ARITH_ADD; -goto gen_arith; +tcg_out_dat_rIN(s, COND_AL, ARITH_ADD, ARITH_SUB, +args[0], args[1], args[2], const_args[2]); +break; case INDEX_op_sub_i32: -c = ARITH_SUB; -goto gen_arith; +tcg_out_dat_rIN(s, COND_AL, ARITH_SUB, ARITH_ADD, +args[0], args[1], args[2], const_args[2]); +break; case INDEX_op_and_i32: tcg_out_dat_rIK(s, COND_AL, ARITH_AND, ARITH_BIC, args[0], args[1], args[2], const_args[2]); @@ -1789,8 +1818,8 @@ static const TCGTargetOpDef arm_op_defs[] = { { INDEX_op_st_i32, { r, r } }, /* TODO: r, r, ri */ -{ INDEX_op_add_i32, { r, r, rI } }, -{ INDEX_op_sub_i32, { r, r, rI } }, +{ INDEX_op_add_i32, { r, r, rIN } }, +{ INDEX_op_sub_i32, { r, r, rIN } }, { INDEX_op_mul_i32, { r, r, r } }, { INDEX_op_mulu2_i32, { r, r, r, r } }, { INDEX_op_muls2_i32, { r, r, r, r } }, -- 1.8.1.4
[Qemu-devel] [PATCH v5 09/19] tcg-arm: Implement deposit for armv7
We have BFI and BFC available for implementing it. Signed-off-by: Richard Henderson r...@twiddle.net --- tcg/arm/tcg-target.c | 36 tcg/arm/tcg-target.h | 5 - 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index 1f38795..1044c68 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -702,6 +702,35 @@ static inline void tcg_out_bswap32(TCGContext *s, int cond, int rd, int rn) } } +bool tcg_target_deposit_valid(int ofs, int len) +{ +/* ??? Without bfi, we could improve over generic code by combining + the right-shift from a non-zero ofs with the orr. We do run into + problems when rd == rs, and the mask generated from ofs+len don't + fit into an immediate. We would have to be careful not to pessimize + wrt the optimizations performed on the expanded code. */ +return use_armv7_instructions; +} + +static inline void tcg_out_deposit(TCGContext *s, int cond, TCGReg rd, + TCGArg a1, int ofs, int len, bool const_a1) +{ +if (const_a1) { +uint32_t mask = (2u (len - 1)) - 1; +a1 = mask; +if (a1 == 0) { +/* bfi becomes bfc with rn == 15. */ +a1 = 15; +} else { +tcg_out_movi32(s, cond, TCG_REG_R8, a1); +a1 = TCG_REG_R8; +} +} +/* bfi/bfc */ +tcg_out32(s, 0x07c00010 | (cond 28) | (rd 12) | a1 + | (ofs 7) | ((ofs + len - 1) 16)); +} + static inline void tcg_out_ld32_12(TCGContext *s, int cond, int rd, int rn, tcg_target_long im) { @@ -1835,6 +1864,11 @@ static inline void tcg_out_op(TCGContext *s, TCGOpcode opc, tcg_out_ext16u(s, COND_AL, args[0], args[1]); break; +case INDEX_op_deposit_i32: +tcg_out_deposit(s, COND_AL, args[0], args[2], +args[3], args[4], const_args[2]); +break; + default: tcg_abort(); } @@ -1919,6 +1953,8 @@ static const TCGTargetOpDef arm_op_defs[] = { { INDEX_op_ext16s_i32, { r, r } }, { INDEX_op_ext16u_i32, { r, r } }, +{ INDEX_op_deposit_i32, { r, 0, ri } }, + { -1 }, }; diff --git a/tcg/arm/tcg-target.h b/tcg/arm/tcg-target.h index 354dd8a..209f585 100644 --- a/tcg/arm/tcg-target.h +++ b/tcg/arm/tcg-target.h @@ -71,10 +71,13 @@ typedef enum { #define TCG_TARGET_HAS_eqv_i32 0 #define TCG_TARGET_HAS_nand_i32 0 #define TCG_TARGET_HAS_nor_i32 0 -#define TCG_TARGET_HAS_deposit_i32 0 +#define TCG_TARGET_HAS_deposit_i32 1 #define TCG_TARGET_HAS_movcond_i32 1 #define TCG_TARGET_HAS_muls2_i321 +extern bool tcg_target_deposit_valid(int ofs, int len); +#define TCG_TARGET_deposit_i32_valid tcg_target_deposit_valid + enum { TCG_AREG0 = TCG_REG_R6, }; -- 1.8.1.4
[Qemu-devel] [PATCH v5 16/19] tcg-arm: Improve scheduling of tcg_out_tlb_read
The schedule was fully serial, with no possibility for dual issue. The old schedule had a minimal issue of 7 cycles; the new schedule has a minimal issue of 5 cycles. Signed-off-by: Richard Henderson r...@twiddle.net --- tcg/arm/tcg-target.c | 110 ++- 1 file changed, 57 insertions(+), 53 deletions(-) diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index 3e62b09..35598a8 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -178,18 +178,12 @@ static int target_parse_constraint(TCGArgConstraint *ct, const char **pct_str) ct-ct |= TCG_CT_REG; tcg_regset_set32(ct-u.regs, 0, (1 TCG_TARGET_NB_REGS) - 1); #ifdef CONFIG_SOFTMMU -/* r0 and r1 will be overwritten when reading the tlb entry, +/* r0-r2 will be overwritten when reading the tlb entry, so don't use these. */ tcg_regset_reset_reg(ct-u.regs, TCG_REG_R0); tcg_regset_reset_reg(ct-u.regs, TCG_REG_R1); -#if TARGET_LONG_BITS == 64 -/* If we're passing env to the helper as r0 and need a regpair - * for the address then r2 will be overwritten as we're setting - * up the args to the helper. - */ tcg_regset_reset_reg(ct-u.regs, TCG_REG_R2); #endif -#endif break; case 'L': ct-ct |= TCG_CT_REG; @@ -203,30 +197,16 @@ static int target_parse_constraint(TCGArgConstraint *ct, const char **pct_str) /* qemu_st address data_reg */ case 's': -ct-ct |= TCG_CT_REG; -tcg_regset_set32(ct-u.regs, 0, (1 TCG_TARGET_NB_REGS) - 1); -/* r0 and r1 will be overwritten when reading the tlb entry - (softmmu only) and doing the byte swapping, so don't - use these. */ -tcg_regset_reset_reg(ct-u.regs, TCG_REG_R0); -tcg_regset_reset_reg(ct-u.regs, TCG_REG_R1); -#if defined(CONFIG_SOFTMMU) (TARGET_LONG_BITS == 64) -/* Avoid clashes with registers being used for helper args */ -tcg_regset_reset_reg(ct-u.regs, TCG_REG_R2); -tcg_regset_reset_reg(ct-u.regs, TCG_REG_R3); -#endif -break; /* qemu_st64 data_reg2 */ case 'S': ct-ct |= TCG_CT_REG; tcg_regset_set32(ct-u.regs, 0, (1 TCG_TARGET_NB_REGS) - 1); -/* r0 and r1 will be overwritten when reading the tlb entry -(softmmu only) and doing the byte swapping, so don't -use these. */ +/* r0-r2 will be overwritten when reading the tlb entry (softmmu only) + and r0-r1 doing the byte swapping, so don't use these. */ tcg_regset_reset_reg(ct-u.regs, TCG_REG_R0); tcg_regset_reset_reg(ct-u.regs, TCG_REG_R1); -#ifdef CONFIG_SOFTMMU -/* r2 is still needed to load data_reg, so don't use it. */ +#if defined(CONFIG_SOFTMMU) +/* Avoid clashes with registers being used for helper args */ tcg_regset_reset_reg(ct-u.regs, TCG_REG_R2); #if TARGET_LONG_BITS == 64 /* Avoid clashes with registers being used for helper args */ @@ -341,6 +321,8 @@ typedef enum { INSN_LDRSB_REG = 0x001000d0, INSN_STRB_IMM = 0x0440, INSN_STRB_REG = 0x0640, + +INSN_LDRD_IMM = 0x004000d0, } ARMInsn; #define SHIFT_IMM_LSL(im) (((im) 7) | 0x00) @@ -806,15 +788,6 @@ static inline void tcg_out_ld32_12(TCGContext *s, int cond, TCGReg rt, tcg_out_memop_12(s, cond, INSN_LDR_IMM, rt, rn, imm12, 1, 0); } -/* Offset pre-increment with base writeback. */ -static inline void tcg_out_ld32_12wb(TCGContext *s, int cond, TCGReg rt, - TCGReg rn, int imm12) -{ -/* ldr with writeback and both register equals is UNPREDICTABLE */ -assert(rd != rn); -tcg_out_memop_12(s, cond, INSN_LDR_IMM, rt, rn, imm12, 1, 1); -} - static inline void tcg_out_st32_12(TCGContext *s, int cond, TCGReg rt, TCGReg rn, int imm12) { @@ -1151,47 +1124,78 @@ static TCGReg tcg_out_arg_reg64(TCGContext *s, TCGReg argreg, #define TLB_SHIFT (CPU_TLB_ENTRY_BITS + CPU_TLB_BITS) -/* Load and compare a TLB entry, leaving the flags set. Leaves R0 pointing +/* Load and compare a TLB entry, leaving the flags set. Leaves R2 pointing to the tlb entry. Clobbers R1 and TMP. */ static void tcg_out_tlb_read(TCGContext *s, TCGReg addrlo, TCGReg addrhi, int s_bits, int tlb_offset) { +TCGReg base = TCG_AREG0; + /* Should generate something like the following: - * shr r8, addr_reg, #TARGET_PAGE_BITS - * and r0, r8, #(CPU_TLB_SIZE - 1) @ Assumption: CPU_TLB_BITS = 8 - * add r0, env, r0 lsl #CPU_TLB_ENTRY_BITS + * pre-v7: + * shrtmp, addr_reg, #TARGET_PAGE_BITS (1) + * addr2, env, #off 0xff00 + * andr0, tmp, #(CPU_TLB_SIZE - 1) (2) + * addr2, r2, r0, lsl #CPU_TLB_ENTRY_BITS (3) + * ldrr0, [r2, #off 0xff]!
[Qemu-devel] [PATCH v5 15/19] tcg-arm: Split out tcg_out_tlb_read
Share code between qemu_ld and qemu_st to process the tlb. Signed-off-by: Richard Henderson r...@twiddle.net --- tcg/arm/tcg-target.c | 169 +-- 1 file changed, 70 insertions(+), 99 deletions(-) diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index 7b13a82..3e62b09 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -1148,40 +1148,15 @@ static TCGReg tcg_out_arg_reg64(TCGContext *s, TCGReg argreg, argreg = tcg_out_arg_reg32(s, argreg, arghi); return argreg; } -#endif /* SOFTMMU */ #define TLB_SHIFT (CPU_TLB_ENTRY_BITS + CPU_TLB_BITS) -static inline void tcg_out_qemu_ld(TCGContext *s, const TCGArg *args, int opc) -{ -int addr_reg, data_reg, data_reg2, bswap; -#ifdef CONFIG_SOFTMMU -int mem_index, s_bits, tlb_offset; -TCGReg argreg; -# if TARGET_LONG_BITS == 64 -int addr_reg2; -# endif -uint32_t *label_ptr; -#endif - -#ifdef TARGET_WORDS_BIGENDIAN -bswap = 1; -#else -bswap = 0; -#endif -data_reg = *args++; -if (opc == 3) -data_reg2 = *args++; -else -data_reg2 = 0; /* suppress warning */ -addr_reg = *args++; -#ifdef CONFIG_SOFTMMU -# if TARGET_LONG_BITS == 64 -addr_reg2 = *args++; -# endif -mem_index = *args; -s_bits = opc 3; +/* Load and compare a TLB entry, leaving the flags set. Leaves R0 pointing + to the tlb entry. Clobbers R1 and TMP. */ +static void tcg_out_tlb_read(TCGContext *s, TCGReg addrlo, TCGReg addrhi, + int s_bits, int tlb_offset) +{ /* Should generate something like the following: * shr r8, addr_reg, #TARGET_PAGE_BITS * and r0, r8, #(CPU_TLB_SIZE - 1) @ Assumption: CPU_TLB_BITS = 8 @@ -1191,13 +1166,13 @@ static inline void tcg_out_qemu_ld(TCGContext *s, const TCGArg *args, int opc) # error # endif tcg_out_dat_reg(s, COND_AL, ARITH_MOV, TCG_REG_TMP, -0, addr_reg, SHIFT_IMM_LSR(TARGET_PAGE_BITS)); +0, addrlo, SHIFT_IMM_LSR(TARGET_PAGE_BITS)); tcg_out_dat_imm(s, COND_AL, ARITH_AND, TCG_REG_R0, TCG_REG_TMP, CPU_TLB_SIZE - 1); tcg_out_dat_reg(s, COND_AL, ARITH_ADD, TCG_REG_R0, TCG_AREG0, TCG_REG_R0, SHIFT_IMM_LSL(CPU_TLB_ENTRY_BITS)); + /* We assume that the offset is contained within 20 bits. */ -tlb_offset = offsetof(CPUArchState, tlb_table[mem_index][0].addr_read); assert((tlb_offset ~0xf) == 0); if (tlb_offset 0xfff) { tcg_out_dat_imm(s, COND_AL, ARITH_ADD, TCG_REG_R0, TCG_REG_R0, @@ -1207,16 +1182,48 @@ static inline void tcg_out_qemu_ld(TCGContext *s, const TCGArg *args, int opc) tcg_out_ld32_12wb(s, COND_AL, TCG_REG_R1, TCG_REG_R0, tlb_offset); tcg_out_dat_reg(s, COND_AL, ARITH_CMP, 0, TCG_REG_R1, TCG_REG_TMP, SHIFT_IMM_LSL(TARGET_PAGE_BITS)); + /* Check alignment. */ -if (s_bits) +if (s_bits) { tcg_out_dat_imm(s, COND_EQ, ARITH_TST, -0, addr_reg, (1 s_bits) - 1); -# if TARGET_LONG_BITS == 64 -/* XXX: possibly we could use a block data load in the first access. */ -tcg_out_ld32_12(s, COND_EQ, TCG_REG_R1, TCG_REG_R0, 4); -tcg_out_dat_reg(s, COND_EQ, ARITH_CMP, 0, -TCG_REG_R1, addr_reg2, SHIFT_IMM_LSL(0)); -# endif +0, addrlo, (1 s_bits) - 1); +} + +if (TARGET_LONG_BITS == 64) { +/* XXX: possibly we could use a block data load in the first access. */ +tcg_out_ld32_12(s, COND_EQ, TCG_REG_R1, TCG_REG_R0, 4); +tcg_out_dat_reg(s, COND_EQ, ARITH_CMP, 0, +TCG_REG_R1, addrhi, SHIFT_IMM_LSL(0)); +} +} +#endif /* SOFTMMU */ + +static void tcg_out_qemu_ld(TCGContext *s, const TCGArg *args, int opc) +{ +TCGReg addr_reg, data_reg, data_reg2; +bool bswap; +#ifdef CONFIG_SOFTMMU +int mem_index, s_bits; +TCGReg argreg, addr_reg2; +uint32_t *label_ptr; +#endif +#ifdef TARGET_WORDS_BIGENDIAN +bswap = 1; +#else +bswap = 0; +#endif + +data_reg = *args++; +data_reg2 = (opc == 3 ? *args++ : 0); +addr_reg = *args++; +#ifdef CONFIG_SOFTMMU +addr_reg2 = (TARGET_LONG_BITS == 64 ? *args++ : 0); +mem_index = *args; +s_bits = opc 3; + +tcg_out_tlb_read(s, addr_reg, addr_reg2, s_bits, + offsetof(CPUArchState, tlb_table[mem_index][0].addr_read)); + tcg_out_ld32_12(s, COND_EQ, TCG_REG_R1, TCG_REG_R0, offsetof(CPUTLBEntry, addend) - offsetof(CPUTLBEntry, addr_read)); @@ -1272,11 +1279,11 @@ static inline void tcg_out_qemu_ld(TCGContext *s, const TCGArg *args, int opc) */ argreg = TCG_REG_R0; argreg = tcg_out_arg_reg32(s, argreg, TCG_AREG0); -#if TARGET_LONG_BITS == 64 -argreg = tcg_out_arg_reg64(s, argreg, addr_reg, addr_reg2); -#else -argreg = tcg_out_arg_reg32(s, argreg, addr_reg); -#endif +if (TARGET_LONG_BITS == 64)
[Qemu-devel] [PATCH v5 08/19] tcg-arm: Improve constant generation
Try fully rotated arguments to mov and mvn before trying movt or full decomposition. Begin decomposition with mvn when it looks like it'll help. Examples include -:mov r9, #0x0fa0 -:orr r9, r9, #0x000ee000 -:orr r9, r9, #0x0ff0 -:orr r9, r9, #0xf000 +:mvn r9, #0x005f +:eor r9, r9, #0x00011000 Signed-off-by: Richard Henderson r...@twiddle.net --- tcg/arm/tcg-target.c | 67 ++-- 1 file changed, 44 insertions(+), 23 deletions(-) diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index 9e8c97c..1f38795 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -427,15 +427,31 @@ static inline void tcg_out_dat_imm(TCGContext *s, (rn 16) | (rd 12) | im); } -static inline void tcg_out_movi32(TCGContext *s, -int cond, int rd, uint32_t arg) -{ -/* TODO: This is very suboptimal, we can easily have a constant - * pool somewhere after all the instructions. */ -if ((int)arg 0 (int)arg = -0x100) { -tcg_out_dat_imm(s, cond, ARITH_MVN, rd, 0, (~arg) 0xff); -} else if (use_armv7_instructions) { -/* use movw/movt */ +static void tcg_out_movi32(TCGContext *s, int cond, int rd, uint32_t arg) +{ +int rot, opc, rn; + +/* For armv7, make sure not to use movw+movt when mov/mvn would do. + Speed things up by only checking when movt would be required. + Prior to armv7, have one go at fully rotated immediates before + doing the decomposition thing below. */ +if (!use_armv7_instructions || (arg 0x)) { +rot = encode_imm(arg); +if (rot = 0) { +tcg_out_dat_imm(s, cond, ARITH_MOV, rd, 0, +rotl(arg, rot) | (rot 7)); +return; +} +rot = encode_imm(~arg); +if (rot = 0) { +tcg_out_dat_imm(s, cond, ARITH_MVN, rd, 0, +rotl(~arg, rot) | (rot 7)); +return; +} +} + +/* Use movw + movt. */ +if (use_armv7_instructions) { /* movw */ tcg_out32(s, (cond 28) | 0x0300 | (rd 12) | ((arg 4) 0x000f) | (arg 0xfff)); @@ -444,22 +460,27 @@ static inline void tcg_out_movi32(TCGContext *s, tcg_out32(s, (cond 28) | 0x0340 | (rd 12) | ((arg 12) 0x000f) | ((arg 16) 0xfff)); } -} else { -int opc = ARITH_MOV; -int rn = 0; - -do { -int i, rot; - -i = ctz32(arg) ~1; -rot = ((32 - i) 7) 0xf00; -tcg_out_dat_imm(s, cond, opc, rd, rn, ((arg i) 0xff) | rot); -arg = ~(0xff i); +return; +} -opc = ARITH_ORR; -rn = rd; -} while (arg); +/* TODO: This is very suboptimal, we can easily have a constant + pool somewhere after all the instructions. */ +opc = ARITH_MOV; +rn = 0; +/* If we have lots of leading 1's, we can shorten the sequence by + beginning with mvn and then clearing higher bits with eor. */ +if (clz32(~arg) clz32(arg)) { +opc = ARITH_MVN, arg = ~arg; } +do { +int i = ctz32(arg) ~1; +rot = ((32 - i) 7) 0xf00; +tcg_out_dat_imm(s, cond, opc, rd, rn, ((arg i) 0xff) | rot); +arg = ~(0xff i); + +opc = ARITH_EOR; +rn = rd; +} while (arg); } static inline void tcg_out_dat_rI(TCGContext *s, int cond, int opc, TCGArg dst, -- 1.8.1.4
[Qemu-devel] [PATCH v5 10/19] tcg-arm: Implement division instructions
An armv7 extension implements division, present on Cortex A15. Signed-off-by: Richard Henderson r...@twiddle.net --- disas/arm.c | 4 tcg/arm/tcg-target.c | 36 tcg/arm/tcg-target.h | 7 ++- 3 files changed, 46 insertions(+), 1 deletion(-) diff --git a/disas/arm.c b/disas/arm.c index 4927d8a..76e97a8 100644 --- a/disas/arm.c +++ b/disas/arm.c @@ -819,6 +819,10 @@ static const struct opcode32 arm_opcodes[] = {ARM_EXT_V3M, 0x00800090, 0x0fa000f0, %22?sumull%20's%c\t%12-15r, %16-19r, %0-3r, %8-11r}, {ARM_EXT_V3M, 0x00a00090, 0x0fa000f0, %22?sumlal%20's%c\t%12-15r, %16-19r, %0-3r, %8-11r}, + /* IDIV instructions. */ + {ARM_EXT_DIV, 0x0710f010, 0x0ff0f0f0, sdiv%c\t%16-19r, %0-3r, %8-11r}, + {ARM_EXT_DIV, 0x0730f010, 0x0ff0f0f0, udiv%c\t%16-19r, %0-3r, %8-11r}, + /* V7 instructions. */ {ARM_EXT_V7, 0xf450f000, 0xfd70f000, pli\t%P}, {ARM_EXT_V7, 0x0320f0f0, 0x0ff0, dbg%c\t#%0-3d}, diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index 1044c68..e3d2cfa 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -591,6 +591,16 @@ static inline void tcg_out_smull32(TCGContext *s, } } +static inline void tcg_out_sdiv(TCGContext *s, int cond, int rd, int rn, int rm) +{ +tcg_out32(s, 0x0710f010 | (cond 28) | (rd 16) | rn | (rm 8)); +} + +static inline void tcg_out_udiv(TCGContext *s, int cond, int rd, int rn, int rm) +{ +tcg_out32(s, 0x0730f010 | (cond 28) | (rd 16) | rn | (rm 8)); +} + static inline void tcg_out_ext8s(TCGContext *s, int cond, int rd, int rn) { @@ -1869,6 +1879,25 @@ static inline void tcg_out_op(TCGContext *s, TCGOpcode opc, args[3], args[4], const_args[2]); break; +case INDEX_op_div_i32: +tcg_out_sdiv(s, COND_AL, args[0], args[1], args[2]); +break; +case INDEX_op_divu_i32: +tcg_out_udiv(s, COND_AL, args[0], args[1], args[2]); +break; +case INDEX_op_rem_i32: +tcg_out_sdiv(s, COND_AL, TCG_REG_R8, args[1], args[2]); +tcg_out_mul32(s, COND_AL, TCG_REG_R8, TCG_REG_R8, args[2]); +tcg_out_dat_reg(s, COND_AL, ARITH_SUB, args[0], args[1], TCG_REG_R8, +SHIFT_IMM_LSL(0)); +break; +case INDEX_op_remu_i32: +tcg_out_udiv(s, COND_AL, TCG_REG_R8, args[1], args[2]); +tcg_out_mul32(s, COND_AL, TCG_REG_R8, TCG_REG_R8, args[2]); +tcg_out_dat_reg(s, COND_AL, ARITH_SUB, args[0], args[1], TCG_REG_R8, +SHIFT_IMM_LSL(0)); +break; + default: tcg_abort(); } @@ -1955,6 +1984,13 @@ static const TCGTargetOpDef arm_op_defs[] = { { INDEX_op_deposit_i32, { r, 0, ri } }, +#if TCG_TARGET_HAS_div_i32 +{ INDEX_op_div_i32, { r, r, r } }, +{ INDEX_op_rem_i32, { r, r, r } }, +{ INDEX_op_divu_i32, { r, r, r } }, +{ INDEX_op_remu_i32, { r, r, r } }, +#endif + { -1 }, }; diff --git a/tcg/arm/tcg-target.h b/tcg/arm/tcg-target.h index 209f585..3be41cc 100644 --- a/tcg/arm/tcg-target.h +++ b/tcg/arm/tcg-target.h @@ -56,7 +56,6 @@ typedef enum { #define TCG_TARGET_CALL_STACK_OFFSET 0 /* optional instructions */ -#define TCG_TARGET_HAS_div_i32 0 #define TCG_TARGET_HAS_ext8s_i321 #define TCG_TARGET_HAS_ext16s_i32 1 #define TCG_TARGET_HAS_ext8u_i320 /* and r0, r1, #0xff */ @@ -75,6 +74,12 @@ typedef enum { #define TCG_TARGET_HAS_movcond_i32 1 #define TCG_TARGET_HAS_muls2_i321 +#ifdef __ARM_ARCH_EXT_IDIV__ +#define TCG_TARGET_HAS_div_i32 1 +#else +#define TCG_TARGET_HAS_div_i32 0 +#endif + extern bool tcg_target_deposit_valid(int ofs, int len); #define TCG_TARGET_deposit_i32_valid tcg_target_deposit_valid -- 1.8.1.4
[Qemu-devel] [PATCH v5 17/19] tcg-arm: Use movi32 + blx for calls on v7
Work better with branch predition when we have movw+movt, as the size of the code is the same. Perhaps re-evaluate when we have a proper constant pool. Signed-off-by: Richard Henderson r...@twiddle.net --- tcg/arm/tcg-target.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index 35598a8..ff6dc90 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -1019,6 +1019,9 @@ static inline void tcg_out_call(TCGContext *s, uint32_t addr) } else { tcg_out_bl(s, COND_AL, val); } +} else if (use_armv7_instructions) { +tcg_out_movi32(s, COND_AL, TCG_REG_TMP, addr); +tcg_out_blx(s, COND_AL, TCG_REG_TMP); } else { tcg_out_dat_imm(s, COND_AL, ARITH_ADD, TCG_REG_R14, TCG_REG_PC, 4); tcg_out_ld32_12(s, COND_AL, TCG_REG_PC, TCG_REG_PC, -4); -- 1.8.1.4
[Qemu-devel] [PATCH v5 19/19] tcg-arm: Tidy exit_tb
Use tcg_out_movi32 when it's profitable, which is always for v7. Simplify the logic around tcg_out_goto, now that we're sure that it won't generate a multi-insn branch. Signed-off-by: Richard Henderson r...@twiddle.net --- tcg/arm/tcg-target.c | 19 +-- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index c27e4ee..eaade4a 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -1604,17 +1604,16 @@ static inline void tcg_out_op(TCGContext *s, TCGOpcode opc, switch (opc) { case INDEX_op_exit_tb: -{ -uint8_t *ld_ptr = s-code_ptr; -if (args[0] 8) -tcg_out_ld32_12(s, COND_AL, TCG_REG_R0, TCG_REG_PC, 0); -else -tcg_out_dat_imm(s, COND_AL, ARITH_MOV, TCG_REG_R0, 0, args[0]); +if (use_armv7_instructions || check_fit_imm(args[0])) { +tcg_out_movi32(s, COND_AL, TCG_REG_R0, args[0]); tcg_out_goto(s, COND_AL, (tcg_target_ulong) tb_ret_addr); -if (args[0] 8) { -*ld_ptr = (uint8_t) (s-code_ptr - ld_ptr) - 8; -tcg_out32(s, args[0]); -} +} else { +/* Lacking a real constant pool, use a pc-relative load. Since + tcg_out_goto will always emit 1 insn, we know without further + ado that 0 plus the standard 8 bias is right. */ +tcg_out_ld32_12(s, COND_AL, TCG_REG_R0, TCG_REG_PC, 0); +tcg_out_goto(s, COND_AL, (tcg_target_ulong) tb_ret_addr); +tcg_out32(s, args[0]); } break; case INDEX_op_goto_tb: -- 1.8.1.4
[Qemu-devel] [PATCH v5 13/19] tcg-arm: Cleanup multiply subroutines
Make the code more readable by only having one copy of the magic numbers, swapping registers as needed prior to that. Speed the compiler by not applying the rd == rn avoidance for v6 or later. Signed-off-by: Richard Henderson r...@twiddle.net --- tcg/arm/tcg-target.c | 85 +++- 1 file changed, 45 insertions(+), 40 deletions(-) diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index 6e1a4b5..24a2354 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -542,55 +542,60 @@ static void tcg_out_dat_rIN(TCGContext *s, int cond, int opc, int opneg, } } -static inline void tcg_out_mul32(TCGContext *s, -int cond, int rd, int rs, int rm) -{ -if (rd != rm) -tcg_out32(s, (cond 28) | (rd 16) | (0 12) | -(rs 8) | 0x90 | rm); -else if (rd != rs) -tcg_out32(s, (cond 28) | (rd 16) | (0 12) | -(rm 8) | 0x90 | rs); -else { -tcg_out32(s, (cond 28) | (TCG_REG_TMP 16) | (0 12) | -(rs 8) | 0x90 | rm); -tcg_out_dat_reg(s, cond, ARITH_MOV, -rd, 0, TCG_REG_TMP, SHIFT_IMM_LSL(0)); +static inline void tcg_out_mul32(TCGContext *s, int cond, TCGReg rd, + TCGReg rn, TCGReg rm) +{ +/* if ArchVersion() 6 d == n then UNPREDICTABLE; */ +if (!use_armv6_instructions rd == rn) { +if (rd == rm) { +/* rd == rn == rm; copy an input to tmp first. */ +tcg_out_mov_reg(s, cond, TCG_REG_TMP, rn); +rm = rn = TCG_REG_TMP; +} else { +rn = rm; +rm = rd; +} } +/* mul */ +tcg_out32(s, (cond 28) | 0x90 | (rd 16) | (rm 8) | rn); } -static inline void tcg_out_umull32(TCGContext *s, -int cond, int rd0, int rd1, int rs, int rm) +static inline void tcg_out_umull32(TCGContext *s, int cond, TCGReg rd0, + TCGReg rd1, TCGReg rn, TCGReg rm) { -if (rd0 != rm rd1 != rm) -tcg_out32(s, (cond 28) | 0x800090 | -(rd1 16) | (rd0 12) | (rs 8) | rm); -else if (rd0 != rs rd1 != rs) -tcg_out32(s, (cond 28) | 0x800090 | -(rd1 16) | (rd0 12) | (rm 8) | rs); -else { -tcg_out_dat_reg(s, cond, ARITH_MOV, -TCG_REG_TMP, 0, rm, SHIFT_IMM_LSL(0)); -tcg_out32(s, (cond 28) | 0x800090 | TCG_REG_TMP | -(rd1 16) | (rd0 12) | (rs 8)); +/* if ArchVersion() 6 (dHi == n || dLo == n) then UNPREDICTABLE; */ +if (!use_armv6_instructions (rd0 == rn || rd1 == rn)) { +if (rd0 == rm || rd1 == rm) { +tcg_out_mov_reg(s, cond, TCG_REG_TMP, rn); +rn = TCG_REG_TMP; +} else { +TCGReg t = rn; +rn = rm; +rm = t; +} } +/* umull */ +tcg_out32(s, (cond 28) | 0x00800090 | + (rd1 16) | (rd0 12) | (rm 8) | rn); } -static inline void tcg_out_smull32(TCGContext *s, -int cond, int rd0, int rd1, int rs, int rm) +static inline void tcg_out_smull32(TCGContext *s, int cond, TCGReg rd0, + TCGReg rd1, TCGReg rn, TCGReg rm) { -if (rd0 != rm rd1 != rm) -tcg_out32(s, (cond 28) | 0xc00090 | -(rd1 16) | (rd0 12) | (rs 8) | rm); -else if (rd0 != rs rd1 != rs) -tcg_out32(s, (cond 28) | 0xc00090 | -(rd1 16) | (rd0 12) | (rm 8) | rs); -else { -tcg_out_dat_reg(s, cond, ARITH_MOV, -TCG_REG_TMP, 0, rm, SHIFT_IMM_LSL(0)); -tcg_out32(s, (cond 28) | 0xc00090 | TCG_REG_TMP | -(rd1 16) | (rd0 12) | (rs 8)); +/* if ArchVersion() 6 (dHi == n || dLo == n) then UNPREDICTABLE; */ +if (!use_armv6_instructions (rd0 == rn || rd1 == rn)) { +if (rd0 == rm || rd1 == rm) { +tcg_out_mov_reg(s, cond, TCG_REG_TMP, rn); +rn = TCG_REG_TMP; +} else { +TCGReg t = rn; +rn = rm; +rm = t; +} } +/* smull */ +tcg_out32(s, (cond 28) | 0x00c00090 | + (rd1 16) | (rd0 12) | (rm 8) | rn); } static inline void tcg_out_sdiv(TCGContext *s, int cond, int rd, int rn, int rm) -- 1.8.1.4
Re: [Qemu-devel] Modifying a program counter
On 31 March 2013 23:33, Ivan Jovanovic jovanovic.d.i...@gmail.com wrote: I am a Computer science student which is new to QEMU, new to this list. For the student project that I am working on, which is system security related, I am executing a program in QEMU user mode emulation. To simulate a program control flow change, like it happens in a real attack, I would like to modify program counter and 'tell' QEMU to jump to a certain instruction and continue execution from there. Ignoring the fact that the program counter doesn't just change at random in a real attack, I suggest you use QEMU's gdb stub. You can connect a debugger to the stub, and then either manually or under the control of a script stop execution of the guest binary at any point, change its PC register and resume. -- PMM
[Qemu-devel] [PATCH v5 14/19] tcg-arm: Cleanup most primitive load store subroutines
Use even more primitive helper functions to avoid lots of duplicated code. Signed-off-by: Richard Henderson r...@twiddle.net --- tcg/arm/tcg-target.c | 235 --- 1 file changed, 111 insertions(+), 124 deletions(-) diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index 24a2354..7b13a82 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -306,7 +306,7 @@ static inline int tcg_target_const_match(tcg_target_long val, #define TO_CPSR (1 20) -enum arm_data_opc_e { +typedef enum { ARITH_AND = 0x0 21, ARITH_EOR = 0x1 21, ARITH_SUB = 0x2 21, @@ -322,7 +322,26 @@ enum arm_data_opc_e { ARITH_MOV = 0xd 21, ARITH_BIC = 0xe 21, ARITH_MVN = 0xf 21, -}; + +INSN_LDR_IMM = 0x0410, +INSN_LDR_REG = 0x0610, +INSN_STR_IMM = 0x0400, +INSN_STR_REG = 0x0600, + +INSN_LDRH_IMM = 0x005000b0, +INSN_LDRH_REG = 0x001000b0, +INSN_LDRSH_IMM = 0x005000f0, +INSN_LDRSH_REG = 0x001000f0, +INSN_STRH_IMM = 0x004000b0, +INSN_STRH_REG = 0x00b0, + +INSN_LDRB_IMM = 0x0450, +INSN_LDRB_REG = 0x0650, +INSN_LDRSB_IMM = 0x005000d0, +INSN_LDRSB_REG = 0x001000d0, +INSN_STRB_IMM = 0x0440, +INSN_STRB_REG = 0x0640, +} ARMInsn; #define SHIFT_IMM_LSL(im) (((im) 7) | 0x00) #define SHIFT_IMM_LSR(im) (((im) 7) | 0x20) @@ -748,187 +767,155 @@ static inline void tcg_out_deposit(TCGContext *s, int cond, TCGReg rd, | (ofs 7) | ((ofs + len - 1) 16)); } -static inline void tcg_out_ld32_12(TCGContext *s, int cond, -int rd, int rn, tcg_target_long im) +/* Note that this routine is used for both LDR and LDRH formats, so we do + not wish to include an immediate shift at this point. */ +static void tcg_out_memop_r(TCGContext *s, int cond, ARMInsn opc, TCGReg rt, +TCGReg rn, TCGReg rm, bool u, bool p, bool w) { -if (im = 0) -tcg_out32(s, (cond 28) | 0x0590 | -(rn 16) | (rd 12) | (im 0xfff)); -else -tcg_out32(s, (cond 28) | 0x0510 | -(rn 16) | (rd 12) | ((-im) 0xfff)); +tcg_out32(s, (cond 28) | opc | (u 23) | (p 24) + | (w 21) | (rn 16) | (rt 12) | rm); +} + +static void tcg_out_memop_8(TCGContext *s, int cond, ARMInsn opc, TCGReg rt, +TCGReg rn, int imm8, bool p, bool w) +{ +bool u = 1; +if (imm8 0) { +imm8 = -imm8; +u = 0; +} +tcg_out32(s, (cond 28) | opc | (u 23) | (p 24) | (w 21) | + (rn 16) | (rt 12) | ((imm8 0xf0) 4) | (imm8 0xf)); +} + +static void tcg_out_memop_12(TCGContext *s, int cond, ARMInsn opc, TCGReg rt, + TCGReg rn, int imm12, bool p, bool w) +{ +bool u = 1; +if (imm12 0) { +imm12 = -imm12; +u = 0; +} +tcg_out32(s, (cond 28) | opc | (u 23) | (p 24) | (w 21) | + (rn 16) | (rt 12) | imm12); +} + +static inline void tcg_out_ld32_12(TCGContext *s, int cond, TCGReg rt, + TCGReg rn, int imm12) +{ +tcg_out_memop_12(s, cond, INSN_LDR_IMM, rt, rn, imm12, 1, 0); } /* Offset pre-increment with base writeback. */ -static inline void tcg_out_ld32_12wb(TCGContext *s, int cond, - int rd, int rn, tcg_target_long im) +static inline void tcg_out_ld32_12wb(TCGContext *s, int cond, TCGReg rt, + TCGReg rn, int imm12) { /* ldr with writeback and both register equals is UNPREDICTABLE */ assert(rd != rn); - -if (im = 0) { -tcg_out32(s, (cond 28) | 0x05b0 | -(rn 16) | (rd 12) | (im 0xfff)); -} else { -tcg_out32(s, (cond 28) | 0x0530 | -(rn 16) | (rd 12) | ((-im) 0xfff)); -} +tcg_out_memop_12(s, cond, INSN_LDR_IMM, rt, rn, imm12, 1, 1); } -static inline void tcg_out_st32_12(TCGContext *s, int cond, -int rd, int rn, tcg_target_long im) +static inline void tcg_out_st32_12(TCGContext *s, int cond, TCGReg rt, + TCGReg rn, int imm12) { -if (im = 0) -tcg_out32(s, (cond 28) | 0x0580 | -(rn 16) | (rd 12) | (im 0xfff)); -else -tcg_out32(s, (cond 28) | 0x0500 | -(rn 16) | (rd 12) | ((-im) 0xfff)); +tcg_out_memop_12(s, cond, INSN_STR_IMM, rt, rn, imm12, 1, 0); } -static inline void tcg_out_ld32_r(TCGContext *s, int cond, -int rd, int rn, int rm) +static inline void tcg_out_ld32_r(TCGContext *s, int cond, TCGReg rt, + TCGReg rn, TCGReg rm) { -tcg_out32(s, (cond 28) | 0x0790 | -(rn 16) | (rd 12) | rm); +tcg_out_memop_r(s, cond, INSN_LDR_REG, rt, rn, rm, 1, 1, 0); }
[Qemu-devel] [PATCH v5 06/19] tcg-arm: Use tcg_out_dat_rIN for compares
This allows us to emit CMN instructions. Reviewed-by: Aurelien Jarno aurel...@aurel32.net Signed-off-by: Richard Henderson r...@twiddle.net --- tcg/arm/tcg-target.c | 40 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index a430f1b..57e8748 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -1615,10 +1615,10 @@ static inline void tcg_out_op(TCGContext *s, TCGOpcode opc, /* Constraints mean that v2 is always in the same register as dest, * so we only need to do if condition passed, move v1 to dest. */ -tcg_out_dat_rI(s, COND_AL, ARITH_CMP, 0, - args[1], args[2], const_args[2]); -tcg_out_dat_rI(s, tcg_cond_to_arm_cond[args[5]], - ARITH_MOV, args[0], 0, args[3], const_args[3]); +tcg_out_dat_rIN(s, COND_AL, ARITH_CMP, ARITH_CMN, 0, +args[1], args[2], const_args[2]); +tcg_out_dat_rIK(s, tcg_cond_to_arm_cond[args[5]], ARITH_MOV, +ARITH_MVN, args[0], 0, args[3], const_args[3]); break; case INDEX_op_add_i32: tcg_out_dat_rIN(s, COND_AL, ARITH_ADD, ARITH_SUB, @@ -1715,7 +1715,7 @@ static inline void tcg_out_op(TCGContext *s, TCGOpcode opc, break; case INDEX_op_brcond_i32: -tcg_out_dat_rI(s, COND_AL, ARITH_CMP, 0, +tcg_out_dat_rIN(s, COND_AL, ARITH_CMP, ARITH_CMN, 0, args[0], args[1], const_args[1]); tcg_out_goto_label(s, tcg_cond_to_arm_cond[args[2]], args[3]); break; @@ -1728,15 +1728,15 @@ static inline void tcg_out_op(TCGContext *s, TCGOpcode opc, * TCG_COND_LE(U) -- (a0 = a2 a1 == a3) || (a1 = a3 a1 != a3), * TCG_COND_GT(U) -- (a0 a2 a1 == a3) || a1 a3, */ -tcg_out_dat_reg(s, COND_AL, ARITH_CMP, 0, -args[1], args[3], SHIFT_IMM_LSL(0)); -tcg_out_dat_reg(s, COND_EQ, ARITH_CMP, 0, -args[0], args[2], SHIFT_IMM_LSL(0)); +tcg_out_dat_rIN(s, COND_AL, ARITH_CMP, ARITH_CMN, 0, +args[1], args[3], const_args[3]); +tcg_out_dat_rIN(s, COND_EQ, ARITH_CMP, ARITH_CMN, 0, +args[0], args[2], const_args[2]); tcg_out_goto_label(s, tcg_cond_to_arm_cond[args[4]], args[5]); break; case INDEX_op_setcond_i32: -tcg_out_dat_rI(s, COND_AL, ARITH_CMP, 0, - args[1], args[2], const_args[2]); +tcg_out_dat_rIN(s, COND_AL, ARITH_CMP, ARITH_CMN, 0, +args[1], args[2], const_args[2]); tcg_out_dat_imm(s, tcg_cond_to_arm_cond[args[3]], ARITH_MOV, args[0], 0, 1); tcg_out_dat_imm(s, tcg_cond_to_arm_cond[tcg_invert_cond(args[3])], @@ -1744,10 +1744,10 @@ static inline void tcg_out_op(TCGContext *s, TCGOpcode opc, break; case INDEX_op_setcond2_i32: /* See brcond2_i32 comment */ -tcg_out_dat_reg(s, COND_AL, ARITH_CMP, 0, -args[2], args[4], SHIFT_IMM_LSL(0)); -tcg_out_dat_reg(s, COND_EQ, ARITH_CMP, 0, -args[1], args[3], SHIFT_IMM_LSL(0)); +tcg_out_dat_rIN(s, COND_AL, ARITH_CMP, ARITH_CMN, 0, +args[2], args[4], const_args[4]); +tcg_out_dat_rIN(s, COND_EQ, ARITH_CMP, ARITH_CMN, 0, +args[1], args[3], const_args[3]); tcg_out_dat_imm(s, tcg_cond_to_arm_cond[args[5]], ARITH_MOV, args[0], 0, 1); tcg_out_dat_imm(s, tcg_cond_to_arm_cond[tcg_invert_cond(args[5])], @@ -1845,15 +1845,15 @@ static const TCGTargetOpDef arm_op_defs[] = { { INDEX_op_rotl_i32, { r, r, ri } }, { INDEX_op_rotr_i32, { r, r, ri } }, -{ INDEX_op_brcond_i32, { r, rI } }, -{ INDEX_op_setcond_i32, { r, r, rI } }, -{ INDEX_op_movcond_i32, { r, r, rI, rI, 0 } }, +{ INDEX_op_brcond_i32, { r, rIN } }, +{ INDEX_op_setcond_i32, { r, r, rIN } }, +{ INDEX_op_movcond_i32, { r, r, rIN, rIK, 0 } }, /* TODO: r, r, r, r, ri, ri */ { INDEX_op_add2_i32, { r, r, r, r, r, r } }, { INDEX_op_sub2_i32, { r, r, r, r, r, r } }, -{ INDEX_op_brcond2_i32, { r, r, r, r } }, -{ INDEX_op_setcond2_i32, { r, r, r, r, r } }, +{ INDEX_op_brcond2_i32, { r, r, rIN, rIN } }, +{ INDEX_op_setcond2_i32, { r, r, r, rIN, rIN } }, #if TARGET_LONG_BITS == 32 { INDEX_op_qemu_ld8u, { r, l } }, -- 1.8.1.4
[Qemu-devel] [PATCH v5 18/19] tcg-arm: Convert to CONFIG_QEMU_LDST_OPTIMIZATION
Move the slow path out of line, as the TODO's mention. This allows the fast path to be unconditional, which can speed up the fast path as well, depending on the core. Signed-off-by: Richard Henderson r...@twiddle.net --- configure | 2 +- include/exec/exec-all.h | 17 +++ tcg/arm/tcg-target.c| 344 +--- 3 files changed, 230 insertions(+), 133 deletions(-) diff --git a/configure b/configure index f2af714..bae3132 100755 --- a/configure +++ b/configure @@ -4124,7 +4124,7 @@ upper() { } case $cpu in - i386|x86_64|ppc) + arm|i386|x86_64|ppc) # The TCG interpreter currently does not support ld/st optimization. if test $tcg_interpreter = no ; then echo CONFIG_QEMU_LDST_OPTIMIZATION=y $config_target_mak diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h index e856191..88e87f0 100644 --- a/include/exec/exec-all.h +++ b/include/exec/exec-all.h @@ -338,6 +338,23 @@ extern uintptr_t tci_tb_ptr; # elif defined (_ARCH_PPC) !defined (_ARCH_PPC64) # define GETRA() ((uintptr_t)__builtin_return_address(0)) # define GETPC_LDST() ((uintptr_t) ((*(int32_t *)(GETRA() - 4)) - 1)) +# elif defined (__arm__) +/* We define two insns between the return address and the branch back to + straight-line. Find and decode that branch insn. */ +# define GETRA() ((uintptr_t)__builtin_return_address(0)) +# define GETPC_LDST() tcg_getpc_ldst(GETRA()) +static inline uintptr_t tcg_getpc_ldst(uintptr_t ra) +{ +int32_t b; +ra += 8;/* skip the two insns */ +b = *(int32_t *)ra; /* load the branch insn */ +b = (b 8) (8 - 2);/* extract the displacement */ +ra += 8;/* branches are relative to pc+8 */ +ra += b;/* apply the displacement */ +ra -= 4;/* return a pointer into the current opcode, + not the start of the next opcode */ +return ra; +} # else # error CONFIG_QEMU_LDST_OPTIMIZATION needs GETPC_LDST() implementation! # endif diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index ff6dc90..c27e4ee 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -415,6 +415,20 @@ static inline void tcg_out_dat_reg(TCGContext *s, (rn 16) | (rd 12) | shift | rm); } +static inline void tcg_out_nop(TCGContext *s) +{ +if (use_armv7_instructions) { +/* Architected nop introduced in v6k. */ +/* ??? This is an MSR (imm) 0,0,0 insn. Anyone know if this + also Just So Happened to do nothing on pre-v6k so that we + don't need to conditionalize it? */ +tcg_out32(s, 0xe320f000); +} else { +/* Prior to that the assembler uses mov r0, r0. */ +tcg_out_dat_reg(s, COND_AL, ARITH_MOV, 0, 0, 0, SHIFT_IMM_LSL(0)); +} +} + static inline void tcg_out_mov_reg(TCGContext *s, int cond, int rd, int rm) { /* Simple reg-reg move, optimising out the 'do nothing' case */ @@ -979,27 +993,17 @@ static inline void tcg_out_st8(TCGContext *s, int cond, */ static inline void tcg_out_goto(TCGContext *s, int cond, uint32_t addr) { -int32_t val; +int32_t val = addr - (uint32_t)s-code_ptr; -if (addr 1) { -/* goto to a Thumb destination isn't supported */ -tcg_abort(); -} +/* We don't support a goto with a thumb destination. */ +assert((addr 3) == 0); -val = addr - (tcg_target_long) s-code_ptr; -if (val - 8 0x01fd val - 8 -0x01fd) -tcg_out_b(s, cond, val); -else { -if (cond == COND_AL) { -tcg_out_ld32_12(s, COND_AL, TCG_REG_PC, TCG_REG_PC, -4); -tcg_out32(s, addr); -} else { -tcg_out_movi32(s, cond, TCG_REG_TMP, val - 8); -tcg_out_dat_reg(s, cond, ARITH_ADD, -TCG_REG_PC, TCG_REG_PC, -TCG_REG_TMP, SHIFT_IMM_LSL(0)); -} -} +/* The code buffer is limited to 16MB, with the prologue located + at the end of it. Therefore we needn't care for any out of + range branches. */ +assert(val - 8 0x01fd val - 8 -0x01fd); + +tcg_out_b(s, cond, val); } /* The call case is mostly used for helpers - so it's not unreasonable @@ -1044,14 +1048,9 @@ static inline void tcg_out_goto_label(TCGContext *s, int cond, int label_index) { TCGLabel *l = s-labels[label_index]; -if (l-has_value) +if (l-has_value) { tcg_out_goto(s, cond, l-u.value); -else if (cond == COND_AL) { -tcg_out_ld32_12(s, COND_AL, TCG_REG_PC, TCG_REG_PC, -4); -tcg_out_reloc(s, s-code_ptr, R_ARM_ABS32, label_index, 31337); -s-code_ptr += 4; } else { -/* Probably this should be preferred even for COND_AL... */ tcg_out_reloc(s, s-code_ptr, R_ARM_PC24, label_index, 31337); tcg_out_b_noaddr(s, cond); } @@ -1203,6
Re: [Qemu-devel] [PATCH] target-moxie: set do_interrupt to a target-specific helper function
Hi Andreas, On Sun, Mar 31, 2013 at 1:01 PM, Andreas Färber afaer...@suse.de wrote: That exception_index is used once from CPUMoxieState and once from CPUState is telling me something is fishy here... Are any test images available? I have some basic RTEMS based test apps, but nothing that generates an interrupt (just exceptions). That's because Hooking up cc-do_interrupt is the correct thing to do though, so that could be sorted out later, ...I just implemented a basic interrupt controller and timer interrupt device in an FPGA-based SoC last week ( http://moxielogic.org/blog/?p=734 ). Let me implement this platform support in QEMU, and maybe these issues will sort themselves out as I do the work. Thanks, AG Reviewed-by: Andreas Färber afaer...@suse.de Andreas -- SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg
Re: [Qemu-devel] [PATCH] target-ppc: fix nego and subf*o instructions
On 2013-03-30 16:54, Aurelien Jarno wrote: The overflow computation of nego and subf*o instructions has been broken in commit ffe30937. This patch fixes it. With this change the PPC emulation passes the Gwenole Beauchesne testsuite again. Cc: Alexander Graf ag...@suse.de Cc: Richard Henderson r...@twiddle.net Signed-off-by: Aurelien Jarno aurel...@aurel32.net --- target-ppc/translate.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target-ppc/translate.c b/target-ppc/translate.c index 5e741d1..062493a 100644 --- a/target-ppc/translate.c +++ b/target-ppc/translate.c @@ -749,7 +749,7 @@ static inline void gen_op_arith_compute_ov(DisasContext *ctx, TCGv arg0, tcg_gen_xor_tl(cpu_ov, arg0, arg1); tcg_gen_xor_tl(t0, arg1, arg2); if (sub) { -tcg_gen_and_tl(cpu_ov, cpu_ov, t0); +tcg_gen_andc_tl(cpu_ov, t0, cpu_ov); } else { tcg_gen_andc_tl(cpu_ov, cpu_ov, t0); } I'm a bit confused. This is the exact same algorithm that's used on ARM and i386. And as far as I can determine, all three platforms have the same definition of overflow. r~
[Qemu-devel] [PATCH v5 11/19] tcg-arm: Use TCG_REG_TMP name for the tcg temporary
Don't hard-code R8. Signed-off-by: Richard Henderson r...@twiddle.net --- tcg/arm/tcg-target.c | 122 ++- 1 file changed, 62 insertions(+), 60 deletions(-) diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index e3d2cfa..b62d9f6 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -113,6 +113,8 @@ static const int tcg_target_call_oarg_regs[2] = { TCG_REG_R0, TCG_REG_R1 }; +#define TCG_REG_TMP TCG_REG_R8 + static inline void reloc_abs32(void *code_ptr, tcg_target_long target) { *(uint32_t *) code_ptr = target; @@ -550,10 +552,10 @@ static inline void tcg_out_mul32(TCGContext *s, tcg_out32(s, (cond 28) | (rd 16) | (0 12) | (rm 8) | 0x90 | rs); else { -tcg_out32(s, (cond 28) | ( 8 16) | (0 12) | +tcg_out32(s, (cond 28) | (TCG_REG_TMP 16) | (0 12) | (rs 8) | 0x90 | rm); tcg_out_dat_reg(s, cond, ARITH_MOV, -rd, 0, TCG_REG_R8, SHIFT_IMM_LSL(0)); +rd, 0, TCG_REG_TMP, SHIFT_IMM_LSL(0)); } } @@ -568,8 +570,8 @@ static inline void tcg_out_umull32(TCGContext *s, (rd1 16) | (rd0 12) | (rm 8) | rs); else { tcg_out_dat_reg(s, cond, ARITH_MOV, -TCG_REG_R8, 0, rm, SHIFT_IMM_LSL(0)); -tcg_out32(s, (cond 28) | 0x800098 | +TCG_REG_TMP, 0, rm, SHIFT_IMM_LSL(0)); +tcg_out32(s, (cond 28) | 0x800090 | TCG_REG_TMP | (rd1 16) | (rd0 12) | (rs 8)); } } @@ -585,8 +587,8 @@ static inline void tcg_out_smull32(TCGContext *s, (rd1 16) | (rd0 12) | (rm 8) | rs); else { tcg_out_dat_reg(s, cond, ARITH_MOV, -TCG_REG_R8, 0, rm, SHIFT_IMM_LSL(0)); -tcg_out32(s, (cond 28) | 0xc00098 | +TCG_REG_TMP, 0, rm, SHIFT_IMM_LSL(0)); +tcg_out32(s, (cond 28) | 0xc00090 | TCG_REG_TMP | (rd1 16) | (rd0 12) | (rs 8)); } } @@ -656,11 +658,11 @@ static inline void tcg_out_bswap16s(TCGContext *s, int cond, int rd, int rn) tcg_out32(s, 0x06ff0fb0 | (cond 28) | (rd 12) | rn); } else { tcg_out_dat_reg(s, cond, ARITH_MOV, -TCG_REG_R8, 0, rn, SHIFT_IMM_LSL(24)); +TCG_REG_TMP, 0, rn, SHIFT_IMM_LSL(24)); tcg_out_dat_reg(s, cond, ARITH_MOV, -TCG_REG_R8, 0, TCG_REG_R8, SHIFT_IMM_ASR(16)); +TCG_REG_TMP, 0, TCG_REG_TMP, SHIFT_IMM_ASR(16)); tcg_out_dat_reg(s, cond, ARITH_ORR, -rd, TCG_REG_R8, rn, SHIFT_IMM_LSR(8)); +rd, TCG_REG_TMP, rn, SHIFT_IMM_LSR(8)); } } @@ -671,11 +673,11 @@ static inline void tcg_out_bswap16(TCGContext *s, int cond, int rd, int rn) tcg_out32(s, 0x06bf0fb0 | (cond 28) | (rd 12) | rn); } else { tcg_out_dat_reg(s, cond, ARITH_MOV, -TCG_REG_R8, 0, rn, SHIFT_IMM_LSL(24)); +TCG_REG_TMP, 0, rn, SHIFT_IMM_LSL(24)); tcg_out_dat_reg(s, cond, ARITH_MOV, -TCG_REG_R8, 0, TCG_REG_R8, SHIFT_IMM_LSR(16)); +TCG_REG_TMP, 0, TCG_REG_TMP, SHIFT_IMM_LSR(16)); tcg_out_dat_reg(s, cond, ARITH_ORR, -rd, TCG_REG_R8, rn, SHIFT_IMM_LSR(8)); +rd, TCG_REG_TMP, rn, SHIFT_IMM_LSR(8)); } } @@ -688,10 +690,10 @@ static inline void tcg_out_bswap16st(TCGContext *s, int cond, int rd, int rn) tcg_out32(s, 0x06bf0fb0 | (cond 28) | (rd 12) | rn); } else { tcg_out_dat_reg(s, cond, ARITH_MOV, -TCG_REG_R8, 0, rn, SHIFT_IMM_LSR(8)); -tcg_out_dat_imm(s, cond, ARITH_AND, TCG_REG_R8, TCG_REG_R8, 0xff); +TCG_REG_TMP, 0, rn, SHIFT_IMM_LSR(8)); +tcg_out_dat_imm(s, cond, ARITH_AND, TCG_REG_TMP, TCG_REG_TMP, 0xff); tcg_out_dat_reg(s, cond, ARITH_ORR, -rd, TCG_REG_R8, rn, SHIFT_IMM_LSL(8)); +rd, TCG_REG_TMP, rn, SHIFT_IMM_LSL(8)); } } @@ -702,13 +704,13 @@ static inline void tcg_out_bswap32(TCGContext *s, int cond, int rd, int rn) tcg_out32(s, 0x06bf0f30 | (cond 28) | (rd 12) | rn); } else { tcg_out_dat_reg(s, cond, ARITH_EOR, -TCG_REG_R8, rn, rn, SHIFT_IMM_ROR(16)); +TCG_REG_TMP, rn, rn, SHIFT_IMM_ROR(16)); tcg_out_dat_imm(s, cond, ARITH_BIC, -TCG_REG_R8, TCG_REG_R8, 0xff | 0x800); +TCG_REG_TMP, TCG_REG_TMP, 0xff | 0x800); tcg_out_dat_reg(s, cond, ARITH_MOV, rd, 0, rn, SHIFT_IMM_ROR(8)); tcg_out_dat_reg(s, cond, ARITH_EOR, -rd, rd, TCG_REG_R8,
Re: [Qemu-devel] [PATCH v4 0/7] target-i386: add PCLMULQDQ and AES-NI instructions
On 2013-03-31 04:02, Aurelien Jarno wrote: Changes v3 - v4: - Update dissassembler code to support these instructions. Reviewed-by: Richard Henderson r...@twiddle.net r~
[Qemu-devel] [PATCH v5 12/19] tcg-arm: Use R12 for the tcg temporary
R12 is call clobbered, while R8 is call saved. This change gives tcg one more call saved register for real data. Signed-off-by: Richard Henderson r...@twiddle.net --- tcg/arm/tcg-target.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index b62d9f6..6e1a4b5 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -113,7 +113,7 @@ static const int tcg_target_call_oarg_regs[2] = { TCG_REG_R0, TCG_REG_R1 }; -#define TCG_REG_TMP TCG_REG_R8 +#define TCG_REG_TMP TCG_REG_R12 static inline void reloc_abs32(void *code_ptr, tcg_target_long target) { -- 1.8.1.4
[Qemu-devel] [PATCH v5 03/19] tcg-arm: Use bic to implement and with constant
This greatly improves the code we can produce for deposit without armv7 support. Reviewed-by: Aurelien Jarno aurel...@aurel32.net Signed-off-by: Richard Henderson r...@twiddle.net --- tcg/arm/tcg-target.c | 52 ++-- tcg/arm/tcg-target.h | 2 -- 2 files changed, 42 insertions(+), 12 deletions(-) diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index d099b68..01d9a0c 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -145,6 +145,9 @@ static void patch_reloc(uint8_t *code_ptr, int type, } } +#define TCG_CT_CONST_ARM 0x100 +#define TCG_CT_CONST_INV 0x200 + /* parse target specific constraints */ static int target_parse_constraint(TCGArgConstraint *ct, const char **pct_str) { @@ -155,6 +158,9 @@ static int target_parse_constraint(TCGArgConstraint *ct, const char **pct_str) case 'I': ct-ct |= TCG_CT_CONST_ARM; break; +case 'K': + ct-ct |= TCG_CT_CONST_INV; + break; case 'r': ct-ct |= TCG_CT_REG; @@ -275,16 +281,19 @@ static inline int check_fit_imm(uint32_t imm) * add, sub, eor...: ditto */ static inline int tcg_target_const_match(tcg_target_long val, -const TCGArgConstraint *arg_ct) + const TCGArgConstraint *arg_ct) { int ct; ct = arg_ct-ct; -if (ct TCG_CT_CONST) +if (ct TCG_CT_CONST) { return 1; -else if ((ct TCG_CT_CONST_ARM) check_fit_imm(val)) +} else if ((ct TCG_CT_CONST_ARM) check_fit_imm(val)) { return 1; -else +} else if ((ct TCG_CT_CONST_INV) check_fit_imm(~val)) { +return 1; +} else { return 0; +} } enum arm_data_opc_e { @@ -482,6 +491,27 @@ static inline void tcg_out_dat_rI(TCGContext *s, int cond, int opc, TCGArg dst, } } +static void tcg_out_dat_rIK(TCGContext *s, int cond, int opc, int opinv, +TCGReg dst, TCGReg lhs, TCGArg rhs, +bool rhs_is_const) +{ +/* Emit either the reg,imm or reg,reg form of a data-processing insn. + * rhs must satisfy the rIK constraint. + */ +if (rhs_is_const) { +int rot = encode_imm(rhs); +if (rot 0) { +rhs = ~rhs; +rot = encode_imm(rhs); +assert(rot = 0); +opc = opinv; +} +tcg_out_dat_imm(s, cond, opc, dst, lhs, rotl(rhs, rot) | (rot 7)); +} else { +tcg_out_dat_reg(s, cond, opc, dst, lhs, rhs, SHIFT_IMM_LSL(0)); +} +} + static inline void tcg_out_mul32(TCGContext *s, int cond, int rd, int rs, int rm) { @@ -1570,11 +1600,13 @@ static inline void tcg_out_op(TCGContext *s, TCGOpcode opc, c = ARITH_SUB; goto gen_arith; case INDEX_op_and_i32: -c = ARITH_AND; -goto gen_arith; +tcg_out_dat_rIK(s, COND_AL, ARITH_AND, ARITH_BIC, +args[0], args[1], args[2], const_args[2]); +break; case INDEX_op_andc_i32: -c = ARITH_BIC; -goto gen_arith; +tcg_out_dat_rIK(s, COND_AL, ARITH_BIC, ARITH_AND, +args[0], args[1], args[2], const_args[2]); +break; case INDEX_op_or_i32: c = ARITH_ORR; goto gen_arith; @@ -1762,8 +1794,8 @@ static const TCGTargetOpDef arm_op_defs[] = { { INDEX_op_mul_i32, { r, r, r } }, { INDEX_op_mulu2_i32, { r, r, r, r } }, { INDEX_op_muls2_i32, { r, r, r, r } }, -{ INDEX_op_and_i32, { r, r, rI } }, -{ INDEX_op_andc_i32, { r, r, rI } }, +{ INDEX_op_and_i32, { r, r, rIK } }, +{ INDEX_op_andc_i32, { r, r, rIK } }, { INDEX_op_or_i32, { r, r, rI } }, { INDEX_op_xor_i32, { r, r, rI } }, { INDEX_op_neg_i32, { r, r } }, diff --git a/tcg/arm/tcg-target.h b/tcg/arm/tcg-target.h index b6eed1f..354dd8a 100644 --- a/tcg/arm/tcg-target.h +++ b/tcg/arm/tcg-target.h @@ -49,8 +49,6 @@ typedef enum { #define TCG_TARGET_NB_REGS 16 -#define TCG_CT_CONST_ARM 0x100 - /* used for function call generation */ #define TCG_REG_CALL_STACK TCG_REG_R13 #define TCG_TARGET_STACK_ALIGN 8 -- 1.8.1.4
Re: [Qemu-devel] [PATCH] target-ppc: fix nego and subf*o instructions
On 1 April 2013 00:19, Richard Henderson r...@twiddle.net wrote: On 2013-03-30 16:54, Aurelien Jarno wrote: The overflow computation of nego and subf*o instructions has been broken in commit ffe30937. This patch fixes it. With this change the PPC emulation passes the Gwenole Beauchesne testsuite again. Cc: Alexander Graf ag...@suse.de Cc: Richard Henderson r...@twiddle.net Signed-off-by: Aurelien Jarno aurel...@aurel32.net --- target-ppc/translate.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target-ppc/translate.c b/target-ppc/translate.c index 5e741d1..062493a 100644 --- a/target-ppc/translate.c +++ b/target-ppc/translate.c @@ -749,7 +749,7 @@ static inline void gen_op_arith_compute_ov(DisasContext *ctx, TCGv arg0, tcg_gen_xor_tl(cpu_ov, arg0, arg1); tcg_gen_xor_tl(t0, arg1, arg2); if (sub) { -tcg_gen_and_tl(cpu_ov, cpu_ov, t0); +tcg_gen_andc_tl(cpu_ov, t0, cpu_ov); } else { tcg_gen_andc_tl(cpu_ov, cpu_ov, t0); } I'm a bit confused. This is the exact same algorithm that's used on ARM and i386. And as far as I can determine, all three platforms have the same definition of overflow. I think it's not quite the same as ARM because the two arguments to subtract are reversed for PPC (ie PPC is 'subtract from', not 'subtract'). I think that means you want 'xor_tl(cpu_ov, arg0, arg2)' for your first xor, maybe? (untested) -- PMM
[Qemu-devel] [PATCH] Document mcast+ipv6 (Was: Re: socket, mcast looping back frames - IPv6 broken)
Stefan Hajnoczi, le Mon 11 Mar 2013 09:36:14 +0100, a écrit : Otherwise we may just document that one has to disable Duplicate Address Detection to get IPv6 working :/ Seems like this might be the only way for now. Here is a patch Samuel Document how to get IPv6 working with mcast socket Document that IPv6 can not work in mcast mode unless disabling DAD in the guest. Signed-off-by: Samuel Thibault samuel.thiba...@ens-lyon.org diff --git a/qemu-options.hx b/qemu-options.hx index c40ba55..9074a24 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -1683,6 +1683,12 @@ mcast support is compatible with User Mode Linux (argument @option{eth@var{N}=mc @url{http://user-mode-linux.sf.net}. @item Use @option{fd=h} to specify an already opened UDP multicast socket. +@item +Since with multicast diffusion the guest will receive its own frames, its IPv6 +Duplicate Address Detection (DAD) will erroneously detect a duplicate, thus +preventing IPv6 from working. One has to disable DAD to get IPv6 working, for +instance on Linux by setting the sysctl @code{net.ipv6.conf.all.accept_dad} to +0. @end enumerate Example:
[Qemu-devel] [PATCH] hw/wom: Implement write-only-memory device
The lack of a write-only-memory device is a gaping hole in QEMU's otherwise comprehensive range of device models. This patch implements a model of the popular Signetics 25120 9046xN random access WOM. --- hw/Makefile.objs | 2 + hw/wom.c | 127 +++ 2 files changed, 129 insertions(+) create mode 100644 hw/wom.c diff --git a/hw/Makefile.objs b/hw/Makefile.objs index d0b2ecb..f26b593 100644 --- a/hw/Makefile.objs +++ b/hw/Makefile.objs @@ -195,6 +195,8 @@ common-obj-y += bt-hci-csr.o common-obj-y += ps2.o common-obj-y += qdev-properties-system.o +common-obj-y += wom.o + # xen backend driver support common-obj-$(CONFIG_XEN_BACKEND) += xen_backend.o xen_devconfig.o common-obj-$(CONFIG_XEN_BACKEND) += xen_console.o xenfb.o xen_disk.o xen_nic.o diff --git a/hw/wom.c b/hw/wom.c new file mode 100644 index 000..ff3c66c --- /dev/null +++ b/hw/wom.c @@ -0,0 +1,127 @@ +// +// Signetics 25120 9046xN random access write only memory +// +// Written by Peter Maydell +// +// This code is licensed under the Shrove Tuesday Public Licence +// You should have received a copy of the STPL along with this code; +// if not, see +// http://www.chiark.greenend.org.uk/~christi/public/initview/LICENCE +// +// Datasheet for this chip available here: +// http://www2.vmi.edu/Faculty/squirejc/Research/IC_Datasheets/digital_cmos/Write%20Only%20Memory.pdf + +// TODO : consider adding WOM support to QEMU core memory system +// for improved efficiency and symmetry with ROM support + +#include hw/sysbus.h + +#define WOMSIZE 9046 + +typedef struct wom_state { + SysBusDevice parent_obj; + MemoryRegion iomem; + qemu_irq irq[30]; + uint8_t memory[WOMSIZE]; + uint32_t numinsertions; +} wom_state; + +#define TYPE_WOM wom +#define WOM(obj) OBJECT_CHECK(wom_state, (obj), TYPE_WOM) + +static uint64_t wom_read(void *opaque, hwaddr offset, unsigned size) +{ + qemu_log_mask(LOG_GUEST_ERROR, wom_read: attempt to read from write only memory\n); + + return 0xdeadbeef; +} + +static void wom_write(void *opaque, hwaddr offset, uint64_t value, + unsigned size) +{ + // Most important feature of this device + wom_state *s = (wom_state *)opaque; + assert(offset WOMSIZE); + s-memory[offset] = value; +} + +static const MemoryRegionOps wom_ops = { + .read = wom_read, + .write = wom_write, + .endianness = DEVICE_NATIVE_ENDIAN, +}; + +static void wom_set_chipdestruct(void *opaque, int line, int level) +{ + // Self-destruct signal + if (0 != level) +{ + // We use hw_error to simulate a blown-up chip taking out the rest of the board + hw_error(WOM has self-destructed!\n); +} +} + +static void wom_reset(DeviceState *dev) +{ + wom_state *s = WOM(dev); + memset(s-memory, 0, WOMSIZE); +} + +static void wom_realize(DeviceState *dev, Error **errp) +{ + wom_state *s = WOM(dev); + SysBusDevice *sbd = SYS_BUS_DEVICE(dev); + + // GPIO input 0 is the self-destruct signal + qdev_init_gpio_in(dev, wom_set_chipdestruct, 1); + + // TODO: better model the relation between number of insertions and number of pins to more + // closely track the graph in the datasheet + int numirqs = 30 / (s-numinsertions + 1); + for (int i = 0; i numirqs; i++) +{ + sysbus_init_irq(sbd, s-irq[i]); +} + + memory_region_init_io(s-iomem, wom_ops, s, wom, WOMSIZE); + sysbus_init_mmio(sbd, s-iomem); +} + +static const VMStateDescription vmstate_wom = { + .name = wom, + .version_id = 1, + .minimum_version_id = 1, + .fields = (VMStateField[]) { +VMSTATE_UINT8_ARRAY(memory, wom_state, WOMSIZE), +VMSTATE_END_OF_LIST() + } +}; + +static Property wom_properties[] = { + DEFINE_PROP_UINT32(num-insertions, wom_state, numinsertions, 0), + DEFINE_PROP_END_OF_LIST(), +}; + +static void wom_class_init(ObjectClass *klass, void *data) +{ + DeviceClass *dc = DEVICE_CLASS(klass); + + dc-realize = wom_realize; + dc-props = wom_properties; + dc-vmsd = vmstate_wom; + dc-reset = wom_reset; +} + +static const TypeInfo wom_info = { + .name = TYPE_WOM, + .parent = TYPE_SYS_BUS_DEVICE, + .instance_size = sizeof(wom_state), + .class_init = wom_class_init, +}; + +static void wom_register_types(void) +{ + type_register_static(wom_info); +} + +type_init(wom_register_types) -- 1.7.11.4
Re: [Qemu-devel] [PATCH] target-ppc: fix nego and subf*o instructions
On Sun, Mar 31, 2013 at 04:19:45PM -0700, Richard Henderson wrote: On 2013-03-30 16:54, Aurelien Jarno wrote: The overflow computation of nego and subf*o instructions has been broken in commit ffe30937. This patch fixes it. With this change the PPC emulation passes the Gwenole Beauchesne testsuite again. Cc: Alexander Graf ag...@suse.de Cc: Richard Henderson r...@twiddle.net Signed-off-by: Aurelien Jarno aurel...@aurel32.net --- target-ppc/translate.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target-ppc/translate.c b/target-ppc/translate.c index 5e741d1..062493a 100644 --- a/target-ppc/translate.c +++ b/target-ppc/translate.c @@ -749,7 +749,7 @@ static inline void gen_op_arith_compute_ov(DisasContext *ctx, TCGv arg0, tcg_gen_xor_tl(cpu_ov, arg0, arg1); tcg_gen_xor_tl(t0, arg1, arg2); if (sub) { -tcg_gen_and_tl(cpu_ov, cpu_ov, t0); +tcg_gen_andc_tl(cpu_ov, t0, cpu_ov); } else { tcg_gen_andc_tl(cpu_ov, cpu_ov, t0); } I'm a bit confused. This is the exact same algorithm that's used on ARM and i386. And as far as I can determine, all three platforms have the same definition of overflow. I based my patch on the previous version of the code, which swaps *both* the brcond conditions testing the results of the xor. As far I understand the brcond are replaced by the and/andc in your patch. -- Aurelien Jarno GPG: 1024D/F1BCDB73 aurel...@aurel32.net http://www.aurel32.net
Re: [Qemu-devel] [PATCH] target-ppc: fix nego and subf*o instructions
On Mon, Apr 01, 2013 at 12:50:58AM +0100, Peter Maydell wrote: On 1 April 2013 00:19, Richard Henderson r...@twiddle.net wrote: On 2013-03-30 16:54, Aurelien Jarno wrote: The overflow computation of nego and subf*o instructions has been broken in commit ffe30937. This patch fixes it. With this change the PPC emulation passes the Gwenole Beauchesne testsuite again. Cc: Alexander Graf ag...@suse.de Cc: Richard Henderson r...@twiddle.net Signed-off-by: Aurelien Jarno aurel...@aurel32.net --- target-ppc/translate.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target-ppc/translate.c b/target-ppc/translate.c index 5e741d1..062493a 100644 --- a/target-ppc/translate.c +++ b/target-ppc/translate.c @@ -749,7 +749,7 @@ static inline void gen_op_arith_compute_ov(DisasContext *ctx, TCGv arg0, tcg_gen_xor_tl(cpu_ov, arg0, arg1); tcg_gen_xor_tl(t0, arg1, arg2); if (sub) { -tcg_gen_and_tl(cpu_ov, cpu_ov, t0); +tcg_gen_andc_tl(cpu_ov, t0, cpu_ov); } else { tcg_gen_andc_tl(cpu_ov, cpu_ov, t0); } I'm a bit confused. This is the exact same algorithm that's used on ARM and i386. And as far as I can determine, all three platforms have the same definition of overflow. I think it's not quite the same as ARM because the two arguments to subtract are reversed for PPC (ie PPC is 'subtract from', not 'subtract'). I think that means you want 'xor_tl(cpu_ov, arg0, arg2)' for your first xor, maybe? (untested) Indeed, this way of doing also works, and is also cleaner. I'll send a new version of the patch. Thanks. -- Aurelien Jarno GPG: 1024D/F1BCDB73 aurel...@aurel32.net http://www.aurel32.net
[Qemu-devel] [PATCH v2] target-ppc: fix nego and subf*o instructions
The overflow computation of nego and subf*o instructions has been broken in commit ffe30937. Contrary to other targets, the instruction is subtract from an not subtract on PowerPC. This patch fixes the issue by using the correct argument in the xor computation. Thanks to Peter Maydell for the hint. With this change the PPC emulation passes the Gwenole Beauchesne testsuite again. Cc: Alexander Graf ag...@suse.de Cc: Richard Henderson r...@twiddle.net Signed-off-by: Aurelien Jarno aurel...@aurel32.net --- target-ppc/translate.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target-ppc/translate.c b/target-ppc/translate.c index 5e741d1..294ab58 100644 --- a/target-ppc/translate.c +++ b/target-ppc/translate.c @@ -746,7 +746,7 @@ static inline void gen_op_arith_compute_ov(DisasContext *ctx, TCGv arg0, { TCGv t0 = tcg_temp_new(); -tcg_gen_xor_tl(cpu_ov, arg0, arg1); +tcg_gen_xor_tl(cpu_ov, arg0, arg2); tcg_gen_xor_tl(t0, arg1, arg2); if (sub) { tcg_gen_and_tl(cpu_ov, cpu_ov, t0); -- 1.7.10.4
Re: [Qemu-devel] [PATCH] target-ppc: fix nego and subf*o instructions
On 03/31/2013 04:50 PM, Peter Maydell wrote: I'm a bit confused. This is the exact same algorithm that's used on ARM and i386. And as far as I can determine, all three platforms have the same definition of overflow. I think it's not quite the same as ARM because the two arguments to subtract are reversed for PPC (ie PPC is 'subtract from', not 'subtract'). I think that means you want 'xor_tl(cpu_ov, arg0, arg2)' for your first xor, maybe? (untested) Oh, duh. Of course. r~
Re: [Qemu-devel] [PATCH v2] target-ppc: fix nego and subf*o instructions
On 03/31/2013 05:33 PM, Aurelien Jarno wrote: The overflow computation of nego and subf*o instructions has been broken in commit ffe30937. Contrary to other targets, the instruction is subtract from an not subtract on PowerPC. This patch fixes the issue by using the correct argument in the xor computation. Thanks to Peter Maydell for the hint. With this change the PPC emulation passes the Gwenole Beauchesne testsuite again. Cc: Alexander Graf ag...@suse.de Cc: Richard Henderson r...@twiddle.net Signed-off-by: Aurelien Jarno aurel...@aurel32.net --- target-ppc/translate.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Reviewed-by: Richard Henderson r...@twiddle.net r~
Re: [Qemu-devel] [PATCH v9 16/24] The FTSSP010 is a multi-function synchronous serial port interface controller which supports SSP, SPI, I2S, AC97 and SPDIF.
2013/3/31 Peter Crosthwaite peter.crosthwa...@xilinx.com: Hi Kuo-Jung I think you may have accidentally dropped your subject line and promoted your long commit message to subject line. Looks better in previous versions. Yes, it's an accident, I'll fix it later. On Mon, Mar 25, 2013 at 10:09 PM, Kuo-Jung Su dant...@gmail.com wrote: From: Kuo-Jung Su dant...@faraday-tech.com Only I2S and SPI protocol have been implemented in this patch. Signed-off-by: Kuo-Jung Su dant...@faraday-tech.com --- hw/arm/Makefile.objs|3 +- hw/arm/ftplat_a369.c| 31 +++ hw/arm/ftplat_a369soc.c | 17 ++ hw/faraday.h|3 + hw/ftssp010.c | 504 +++ hw/ftssp010.h | 96 + 6 files changed, 653 insertions(+), 1 deletion(-) create mode 100644 hw/ftssp010.c create mode 100644 hw/ftssp010.h diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs index 2bb67f7..42c8472 100644 --- a/hw/arm/Makefile.objs +++ b/hw/arm/Makefile.objs @@ -25,7 +25,8 @@ obj-y += strongarm.o obj-y += imx_serial.o imx_ccm.o imx_timer.o imx_avic.o obj-$(CONFIG_KVM) += kvm/arm_gic.o obj-y += ftintc020.o ftahbc020.o ftddrii030.o ftpwmtmr010.o ftwdt010.o \ -ftrtc011.o ftdmac020.o ftapbbrg020.o ftnandc021.o fti2c010.o +ftrtc011.o ftdmac020.o ftapbbrg020.o ftnandc021.o fti2c010.o \ +ftssp010.o obj-y := $(addprefix ../,$(obj-y)) diff --git a/hw/arm/ftplat_a369.c b/hw/arm/ftplat_a369.c index 827c58a..922fb55 100644 --- a/hw/arm/ftplat_a369.c +++ b/hw/arm/ftplat_a369.c @@ -11,6 +11,7 @@ #include hw/arm-misc.h #include hw/devices.h #include hw/i2c.h +#include hw/audio.h #include hw/boards.h #include hw/ssi.h #include net/net.h @@ -28,6 +29,7 @@ static void a369_system_reset(void *opaque) static void a369_board_init(QEMUMachineInitArgs *args) { +int i, nr_flash; ARMCPU *cpu; DeviceState *ds; FaradaySoCState *s; @@ -79,6 +81,35 @@ static void a369_board_init(QEMUMachineInitArgs *args) abort(); } +/* Attach the spi flash to ftssp010.0 */ +nr_flash = 1; +for (i = 0; i nr_flash; i++) { +SSIBus *ssi = (SSIBus *)qdev_get_child_bus(s-spi[0], spi); +DeviceState *fl = ssi_create_slave_no_init(ssi, w25q64); +qemu_irq cs_line; + +qdev_init_nofail(fl); +cs_line = qdev_get_gpio_in(fl, 0); +sysbus_connect_irq(SYS_BUS_DEVICE(s-spi[0]), i + 1, cs_line); +} + +/* Attach the wm8731 to fti2c010.0 ftssp010.0 */ +for (i = 0; i 1; ++i) { +i2c_bus *i2c = (i2c_bus *)qdev_get_child_bus(s-i2c[0], i2c); +ds = i2c_create_slave(i2c, wm8731, 0x1B); +object_property_set_link(OBJECT(s-i2s[0]), + OBJECT(ds), + codec, + local_errp); +if (local_errp) { +fprintf(stderr, a369: Unable to set codec link for FTSSP010\n); +abort(); +} +audio_codec_data_req_set(ds, + ftssp010_i2s_data_req, + s-i2s[0]); +} + /* System start-up */ if (args-kernel_filename) { diff --git a/hw/arm/ftplat_a369soc.c b/hw/arm/ftplat_a369soc.c index b6e82ad..9391764 100644 --- a/hw/arm/ftplat_a369soc.c +++ b/hw/arm/ftplat_a369soc.c @@ -206,6 +206,23 @@ static void a369soc_chip_init(FaradaySoCState *s) s-i2c[0] = ds; ds = sysbus_create_simple(fti2c010, 0x92A0, s-pic[52]); s-i2c[1] = ds; + +/* ftssp010 */ +ds = sysbus_create_simple(ftssp010, 0x9270, s-pic[49]); +s-spi[0] = ds; +s-i2s[0] = ds; + +/* ftssp010 - DMA (Tx) */ +ack = qdev_get_gpio_in(ds, 0); +req = qdev_get_gpio_in(s-pdma[0], 7); +qdev_connect_gpio_out(s-pdma[0], 7, ack); +qdev_connect_gpio_out(ds, 0, req); + +/* ftssp010 - DMA (Rx) */ +ack = qdev_get_gpio_in(ds, 1); +req = qdev_get_gpio_in(s-pdma[0], 8); +qdev_connect_gpio_out(s-pdma[0], 8, ack); +qdev_connect_gpio_out(ds, 1, req); } static void a369soc_realize(DeviceState *dev, Error **errp) diff --git a/hw/faraday.h b/hw/faraday.h index 7373ba0..39a608c 100644 --- a/hw/faraday.h +++ b/hw/faraday.h @@ -121,4 +121,7 @@ static inline void faraday_soc_ahb_remap(FaradaySoCState *s, bool active) } } +/* ftssp010.c */ +void ftssp010_i2s_data_req(void *opaque, int tx, int rx); + #endif diff --git a/hw/ftssp010.c b/hw/ftssp010.c new file mode 100644 index 000..fe1ddbb --- /dev/null +++ b/hw/ftssp010.c @@ -0,0 +1,504 @@ +/* + * QEMU model of the FTSSP010 Controller + * + * Copyright (C) 2012 Faraday Technology + * Written by Dante Su dant...@faraday-tech.com + * + * This file is licensed under GNU GPL v2+. + */ + +#include hw/sysbus.h +#include hw/i2c.h +#include hw/ssi.h
Re: [Qemu-devel] [Qemu-trivial] [PATCH] hw/i386/pc: reject to boot a wrong header magic kernel
OK, Thanks! I will update this patch as your comment. 在 2013-03-29五的 15:46 +0100,Stefan Hajnoczi写道: On Fri, Mar 29, 2013 at 1:38 AM, li guang lig.f...@cn.fujitsu.com wrote: 在 2013-03-28四的 10:42 +0100,Stefan Hajnoczi写道: On Wed, Mar 27, 2013 at 02:10:31PM +0800, liguang wrote: if head magic is missing or wrong unexpectedly, we'd better to reject booting. e.g. I make a mistake to boot a vmlinuz for MIPS(which I think it's for x86) like this: qemu-system-x86_64 -kernel vmlinuz -initrd demord then qemu report: qemu: linux kernel too old to load a ram disk that's misleading. Signed-off-by: liguang lig.f...@cn.fujitsu.com --- hw/i386/pc.c |4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/hw/i386/pc.c b/hw/i386/pc.c index b1e06fa..2b78dfc 100644 --- a/hw/i386/pc.c +++ b/hw/i386/pc.c @@ -683,8 +683,10 @@ static void load_linux(void *fw_cfg, if (load_multiboot(fw_cfg, f, kernel_filename, initrd_filename, kernel_cmdline, kernel_size, header)) { return; +} else { +fprintf(stderr, please assure specicified kernel is for x86!\n); +exit(1); load_multiboot() can fail for other reasons so this error messing is misleading. Giving QEMU a non-x86 kernel is just one scenario where this may fail. according to my check of load_mutiboot function, mostly it will return 0 if it's not multboot, or 1 it's a multiboot, so print this message, or can I just print wrong kernel image! ? Yes, load_multiboot() fails if the image is not a valid multiboot image. An error message like not a valid multiboot image is good. } -protocol = 0; } Why did you drop protocol = 0? I think we only want either normal or multi boot linux kernel, I can't see meaning let other case go on. so, here, if a normal kernel, OK, go on, if multiboot, OK, go on, others, NO, end up. so, protocol = 0 is meaningless here. I looked in more detail now and here is why we cannot drop this line of code: uint16_t protocol; Note that the variable is not initialized. [...] if (ldl_p(header+0x202) == 0x53726448) protocol = lduw_p(header+0x206); else { /* This looks like a multiboot kernel. If it is, let's stop treating it like a Linux kernel. */ if (load_multiboot(fw_cfg, f, kernel_filename, initrd_filename, kernel_cmdline, kernel_size, header)) return; protocol = 0; Set it to 0 here so it's initialized } if (protocol 0x200 || !(header[0x211] 0x01)) { Use variable here - so we *must* initialize it before use. Stefan
[Qemu-devel] [PATCH v2] hw/i386/pc: reject to boot a wrong header magic kernel
if head magic is missing or wrong unexpectedly, we'd better to reject booting. e.g. I make a mistake to boot a vmlinuz for MIPS(which I think it's for x86) like this: qemu-system-x86_64 -kernel vmlinuz -initrd demord then qemu report: qemu: linux kernel too old to load a ram disk that's misleading. Signed-off-by: liguang lig.f...@cn.fujitsu.com --- hw/i386/pc.c |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/hw/i386/pc.c b/hw/i386/pc.c index b1e06fa..bfbb5fe 100644 --- a/hw/i386/pc.c +++ b/hw/i386/pc.c @@ -683,6 +683,9 @@ static void load_linux(void *fw_cfg, if (load_multiboot(fw_cfg, f, kernel_filename, initrd_filename, kernel_cmdline, kernel_size, header)) { return; +} else { +fprintf(stderr, not a valid multiboot image!\n); +exit(1); } protocol = 0; } -- 1.7.2.5
Re: [Qemu-devel] A crash problem about loadvm
于 2013-3-30 18:38, Liuji (Jeremy) 写道: Hello, everyone I found a problem about loadvm, when I use Spice. Host OS: Fedora 17 Qemu: 1.4.0 Spice: 0.12.2 Quest OS: WinXP 1) Use the following command to start the VM: qemu-kvm -enable-kvm -name winxp -M pc-0.15 -m 1024 -smp 2 -boot c -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive file=/home/test/winxp.qcow2,if=virtio,index=0,format=qcow2 -net nic,model=virtio,macaddr=52:54:00:05:11:12 -monitor stdio -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -chardev pty,id=charchannel1 -device virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=arbitrary.virtio.serial.port.name -device usb-tablet,id=input0 -spice port=3001,addr=186.100.8.131,disable-ticketing,plaintext-channel=main,plaintext-channel=playback,plaintext-channel=record,image-compression=auto_glz -vga qxl -global qxl-vga.vram_size=67108864 -device AC97,id=sound0,bus=pci.0,addr=0x4 2) Use spice client to connect the VM. 3) Exec the savevm command in the qemu monitor. 4) List snapshot information: info snapshots IDTAG VM SIZEDATE VM CLOCK 1 vm-20130330181626 224M 2013-03-30 18:16:26 00:00:17.294 5) Load the snapshot. But the process crashed: loadvm vm-20130330181626 red_dispatcher_loadvm_commands: Segmentation fault (core dumped) I use the GDB to analyze the core-dump file: #0 0x7f6cbdc37a15 in spice_char_device_write_to_device (dev=0x7f6cc5248320) at char_device.c:439 439 sif = SPICE_CONTAINEROF(dev-sin-base.sif, SpiceCharDeviceInterface, base); (gdb) p dev $1 = (SpiceCharDeviceState *) 0x7f6cc5248320 (gdb) p dev-sin $2 = (SpiceCharDeviceInstance *) 0x0 I have always found this problem after the commit(fc24f3bd2ed4c97c99ad40e747732ae46dff2009 spice: notify spice server on vm start/stop). Could you give me some advices to debug this problem? -- Best Regards, Jeremy Liu Seems some step missing for spice server, need to check the status in migration. -- Best Regards Wenchao Xia
Re: [Qemu-devel] [PATCH] target-moxie: set do_interrupt to a target-specific helper function
Hi Anthony, thanks for your reply. Below is the backtrace from core dump file, it may help. $ moxie-softmmu/qemu-system-moxie -M moxiesim Segmentation fault (core dumped) $ gdb moxie-softmmu/qemu-system-moxie core GNU gdb (Gentoo) 7.4.1 Copyright (C) 2012 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type show copying and show warranty for details. This GDB was configured as x86_64-pc-linux-gnu. For bug reporting instructions, please see: http://bugs.gentoo.org/... Reading symbols from /home/mathslinux/Develop/QEMU/qemu/moxie-softmmu/qemu-system-moxie...done. warning: core file may not match specified executable file. [New LWP 1016] [New LWP 1015] warning: Could not load shared library symbols for linux-vdso.so.1. Do you need set solib-search-path or set sysroot? [Thread debugging using libthread_db enabled] Using host libthread_db library /lib64/libthread_db.so.1. Core was generated by `moxie-softmmu/qemu-system-moxie -M moxiesim'. Program terminated with signal 11, Segmentation fault. #0 0x in ?? () (gdb) bt #0 0x in ?? () #1 0x7fc256f31691 in cpu_moxie_exec (env=0x7fc2589c5ee0) at /home/mathslinux/Develop/QEMU/qemu/cpu-exec.c:278 #2 0x7fc256f34833 in tcg_cpu_exec (env=0x7fc2589c5ee0) at /home/mathslinux/Develop/QEMU/qemu/cpus.c:1117 #3 0x7fc256f3496a in tcg_exec_all () at /home/mathslinux/Develop/QEMU/qemu/cpus.c:1150 #4 0x7fc256f33c60 in qemu_tcg_cpu_thread_fn (arg=0x7fc2589c5dd0) at /home/mathslinux/Develop/QEMU/qemu/cpus.c:843 #5 0x7fc2533f1ea7 in start_thread () from /lib64/libpthread.so.0 #6 0x7fc24f6fa06d in clone () from /lib64/libc.so.6 (gdb) l cpu-exec.c:278 273cc-do_interrupt(cpu); 274 #endif 275ret = env-exception_index; 276break; 277 #else 278cc-do_interrupt(cpu); 279env-exception_index = -1; 280 #endif 281} 282} On Sun, Mar 31, 2013 at 8:33 PM, Anthony Green gr...@moxielogic.com wrote: Hi Dunrong, I can't reproduce the segfault, but your patch still looks right to me. Thanks! Signed-of-by: Anthony Green gr...@moxielogic.com AG On Sat, Mar 30, 2013 at 9:35 PM, Dunrong Huang huan...@cloud-times.com wrote: The value of do_interrupt member of CPUClass shoule be set to a target-specific function, or it will lead to a segfault like below: $ moxie-softmmu/qemu-system-moxie -M moxiesim Segmentation fault Cc: Anthony Green gr...@moxielogic.com Cc: Blue Swirl blauwir...@gmail.com Cc: Andreas Färber afaer...@suse.de Signed-off-by: Dunrong Huang huan...@cloud-times.com --- target-moxie/cpu.c| 1 + target-moxie/cpu.h| 2 +- target-moxie/helper.c | 7 +-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/target-moxie/cpu.c b/target-moxie/cpu.c index c17d3f0..c0855f0 100644 --- a/target-moxie/cpu.c +++ b/target-moxie/cpu.c @@ -98,6 +98,7 @@ static void moxie_cpu_class_init(ObjectClass *oc, void *data) cc-class_by_name = moxie_cpu_class_by_name; dc-vmsd = vmstate_moxie_cpu; +cc-do_interrupt = moxie_cpu_do_interrupt; } static void moxielite_initfn(Object *obj) diff --git a/target-moxie/cpu.h b/target-moxie/cpu.h index b96236f..988729a 100644 --- a/target-moxie/cpu.h +++ b/target-moxie/cpu.h @@ -117,7 +117,7 @@ static inline MoxieCPU *moxie_env_get_cpu(CPUMoxieState *env) MoxieCPU *cpu_moxie_init(const char *cpu_model); int cpu_moxie_exec(CPUMoxieState *s); -void do_interrupt(CPUMoxieState *env); +void moxie_cpu_do_interrupt(CPUState *cs); void moxie_translate_init(void); int cpu_moxie_signal_handler(int host_signum, void *pinfo, void *puc); diff --git a/target-moxie/helper.c b/target-moxie/helper.c index 8604ce8..6e0ac2a 100644 --- a/target-moxie/helper.c +++ b/target-moxie/helper.c @@ -102,7 +102,7 @@ void helper_debug(CPUMoxieState *env) #if defined(CONFIG_USER_ONLY) -void do_interrupt(CPUState *env) +void moxie_cpu_do_interrupt(CPUState *env) { env-exception_index = -1; } @@ -147,8 +147,11 @@ int cpu_moxie_handle_mmu_fault(CPUMoxieState *env, target_ulong address, } -void do_interrupt(CPUMoxieState *env) +void moxie_cpu_do_interrupt(CPUState *cs) { +MoxieCPU *cpu = MOXIE_CPU(cs); +CPUMoxieState *env = cpu-env; + switch (env-exception_index) { case MOXIE_EX_BREAK: break; -- 1.8.1.5 -- * Best Regards, -- * *黄敦荣 Linux **Developer **北京云端时代科技有限公司 ** * *电 话:+86 10 62415355-620* *传 真:+86 10 62415355-609* *手 机:+86 18618450559* *邮 箱: huan...@cbcos.com* *地址: 北京市海淀区中关村南4街18号紫金数码园3号楼1层(100190)* * 云基地: 北京亦庄经济技术开发区北工大软件园(100176)