Re: [Qemu-devel] [PATCH for 4.0 v1 1/5] riscv: plic: Fix incorrect irq calculation

[Palmer Dabbelt]

On Thu, 28 Mar 2019 10:34:08 PDT (-0700), alistai...@gmail.com wrote:

On Wed, Mar 27, 2019 at 8:15 PM Palmer Dabbelt  wrote:


On Wed, 27 Mar 2019 09:29:56 PDT (-0700), alistai...@gmail.com wrote:
> On Wed, Mar 27, 2019 at 3:29 AM Palmer Dabbelt  wrote:
>>
>> On Wed, 20 Mar 2019 17:46:09 PDT (-0700), Alistair Francis wrote:
>> > The irq is incorrectly calculated to be off by one. It has worked in the
>> > past as the priority_base offset has also been set incorrectly. We are
>> > about to fix the priority_base offset so first first the irq
>> > calculation.
>> >
>> > Signed-off-by: Alistair Francis 
>> > ---
>> >  hw/riscv/sifive_plic.c | 4 ++--
>> >  1 file changed, 2 insertions(+), 2 deletions(-)
>> >
>> > diff --git a/hw/riscv/sifive_plic.c b/hw/riscv/sifive_plic.c
>> > index 1c703e1a37..70a85cd075 100644
>> > --- a/hw/riscv/sifive_plic.c
>> > +++ b/hw/riscv/sifive_plic.c
>> > @@ -206,7 +206,7 @@ static uint64_t sifive_plic_read(void *opaque, hwaddr 
addr, unsigned size)
>> >  if (addr >= plic->priority_base && /* 4 bytes per source */
>> >  addr < plic->priority_base + (plic->num_sources << 2))
>> >  {
>> > -uint32_t irq = (addr - plic->priority_base) >> 2;
>> > +uint32_t irq = ((addr - plic->priority_base) >> 2) + 1;
>> >  if (RISCV_DEBUG_PLIC) {
>> >  qemu_log("plic: read priority: irq=%d priority=%d\n",
>> >  irq, plic->source_priority[irq]);
>> > @@ -279,7 +279,7 @@ static void sifive_plic_write(void *opaque, hwaddr 
addr, uint64_t value,
>> >  if (addr >= plic->priority_base && /* 4 bytes per source */
>> >  addr < plic->priority_base + (plic->num_sources << 2))
>> >  {
>> > -uint32_t irq = (addr - plic->priority_base) >> 2;
>> > +uint32_t irq = ((addr - plic->priority_base) >> 2) + 1;
>> >  plic->source_priority[irq] = value & 7;
>> >  if (RISCV_DEBUG_PLIC) {
>> >  qemu_log("plic: write priority: irq=%d priority=%d\n",
>>
>> I think this breaks bisectability and should be merged with the
>> *_PLIC_PRIORITY_BASE modifications as otherwise we'll end up the priority 
being
>> set for the brong IRQ.
>
> Good point, I can merge them together.
>
>>
>> I'm also not sure how this fixes the bug listed in the OpenSBI PR.  As far 
as I
>> can understand it, all this does is ensure that source 0 is actually treated 
as
>> illegal (and shrinks the number of sources to match what's actually there, 
but
>> that shouldn't fix the bug).  That looks more like a cleanup than an actual 
fix.
>
> The problem is that before we where off by one. We supported 0 - (n -
> 1) and this patch set changes QEMU to support 1 - n. This is because
> of the "addr < plic->priority_base + (plic->num_sources << 2)"
> comparison. As priority_base is now 0x04 instead of 0x00 the
> comparison will work correctly.

So something in OpenSBI is going through the entire set of sources and
initializing the priorities?  That makes sense for the off-by-one, I was just
wondering because the array shrank so the specific offset in that error would
still be invalid with the new patch set.


Yep, that is what caught this. The array only shrinks for the FU540
board, the virt board doesn't shrink and that is the board that
OpenSBI caught the bug with.


OK, that makes sense.



Alistair



>
> Alistair
>
>>
>> Am I missing something?

Re: [Qemu-devel] [PATCH 2/2] intel_iommu: Drop extended root field

[Peter Xu]

I didn't really CC David and Alexey, I'm doing it again...

On Fri, Mar 29, 2019 at 12:55:38PM +0800, Peter Xu wrote:
> On Thu, Mar 28, 2019 at 11:56:40AM +, Dr. David Alan Gilbert wrote:
> > * Peter Xu (pet...@redhat.com) wrote:
> > > VTD_RTADDR_RTT is dropped even by the VT-d spec, so QEMU should
> > > probably do the same thing (after all we never really implemented it).
> > > Since we've had a field for that in the migration stream, to keep
> > > compatibility we need to fill the hole up.
> > > 
> > > Please refer to VT-d spec 10.4.6.
> > > 
> > > Signed-off-by: Peter Xu 
> > > ---
> > >  hw/i386/intel_iommu.c  | 6 ++
> > >  hw/i386/intel_iommu_internal.h | 1 -
> > >  hw/i386/trace-events   | 2 +-
> > >  include/hw/i386/intel_iommu.h  | 1 -
> > >  4 files changed, 3 insertions(+), 7 deletions(-)
> > > 
> > > diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
> > > index 11ece40ed0..91be1cf239 100644
> > > --- a/hw/i386/intel_iommu.c
> > > +++ b/hw/i386/intel_iommu.c
> > > @@ -1718,12 +1718,11 @@ error:
> > >  static void vtd_root_table_setup(IntelIOMMUState *s)
> > >  {
> > >  s->root = vtd_get_quad_raw(s, DMAR_RTADDR_REG);
> > > -s->root_extended = s->root & VTD_RTADDR_RTT;
> > >  s->root &= VTD_RTADDR_ADDR_MASK(s->aw_bits);
> > >  
> > >  vtd_update_scalable_state(s);
> > >  
> > > -trace_vtd_reg_dmar_root(s->root, s->root_extended);
> > > +trace_vtd_reg_dmar_root(s->root, s->root_scalable);
> > >  }
> > >  
> > >  static void vtd_iec_notify_all(IntelIOMMUState *s, bool global,
> > > @@ -2982,7 +2981,7 @@ static const VMStateDescription vtd_vmstate = {
> > >  VMSTATE_UINT16(next_frcd_reg, IntelIOMMUState),
> > >  VMSTATE_UINT8_ARRAY(csr, IntelIOMMUState, DMAR_REG_SIZE),
> > >  VMSTATE_UINT8(iq_last_desc_type, IntelIOMMUState),
> > > -VMSTATE_BOOL(root_extended, IntelIOMMUState),
> > > +VMSTATE_UNUSED(sizeof(bool)),
> > 
> > I'm not sure that's right; a VMSTATE_BOOL uses get_bool/put_bool that
> > always writes a single byte, so probably a 
> >VMSTATE_UNUSED(1 /* Was a bool */);
> > 
> > may be safer?
> 
> Probably true. I am sure it's 1 byte on x86_64 but indeed I don't know
> all the rest of archs...  Will repost.
> 
> Also, since you mentioned about it, I noticed that we have a similar
> case where VMSTATE_UNUSED is used in vmstate_ppc_cpu with type that
> may have different size with different host/compilers:
> 
> VMSTATE_UNUSED(sizeof(target_ulong)), /* was _EQUAL(env.spr[SPR_PVR]) 
> */
> 
> Would that be problematic too?  CCing Alexey and David for this.
> 
> Maybe we should comment on VMSTATE_BOOL about the fact (because it
> seems error prone)? And maybe also on VMSTATE_UNUSED too.
> 
> -- 
> Peter Xu

Regards,

-- 
Peter Xu

Re: [Qemu-devel] [PATCH 2/2] intel_iommu: Drop extended root field

[Peter Xu]

On Thu, Mar 28, 2019 at 11:56:40AM +, Dr. David Alan Gilbert wrote:
> * Peter Xu (pet...@redhat.com) wrote:
> > VTD_RTADDR_RTT is dropped even by the VT-d spec, so QEMU should
> > probably do the same thing (after all we never really implemented it).
> > Since we've had a field for that in the migration stream, to keep
> > compatibility we need to fill the hole up.
> > 
> > Please refer to VT-d spec 10.4.6.
> > 
> > Signed-off-by: Peter Xu 
> > ---
> >  hw/i386/intel_iommu.c  | 6 ++
> >  hw/i386/intel_iommu_internal.h | 1 -
> >  hw/i386/trace-events   | 2 +-
> >  include/hw/i386/intel_iommu.h  | 1 -
> >  4 files changed, 3 insertions(+), 7 deletions(-)
> > 
> > diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
> > index 11ece40ed0..91be1cf239 100644
> > --- a/hw/i386/intel_iommu.c
> > +++ b/hw/i386/intel_iommu.c
> > @@ -1718,12 +1718,11 @@ error:
> >  static void vtd_root_table_setup(IntelIOMMUState *s)
> >  {
> >  s->root = vtd_get_quad_raw(s, DMAR_RTADDR_REG);
> > -s->root_extended = s->root & VTD_RTADDR_RTT;
> >  s->root &= VTD_RTADDR_ADDR_MASK(s->aw_bits);
> >  
> >  vtd_update_scalable_state(s);
> >  
> > -trace_vtd_reg_dmar_root(s->root, s->root_extended);
> > +trace_vtd_reg_dmar_root(s->root, s->root_scalable);
> >  }
> >  
> >  static void vtd_iec_notify_all(IntelIOMMUState *s, bool global,
> > @@ -2982,7 +2981,7 @@ static const VMStateDescription vtd_vmstate = {
> >  VMSTATE_UINT16(next_frcd_reg, IntelIOMMUState),
> >  VMSTATE_UINT8_ARRAY(csr, IntelIOMMUState, DMAR_REG_SIZE),
> >  VMSTATE_UINT8(iq_last_desc_type, IntelIOMMUState),
> > -VMSTATE_BOOL(root_extended, IntelIOMMUState),
> > +VMSTATE_UNUSED(sizeof(bool)),
> 
> I'm not sure that's right; a VMSTATE_BOOL uses get_bool/put_bool that
> always writes a single byte, so probably a 
>VMSTATE_UNUSED(1 /* Was a bool */);
> 
> may be safer?

Probably true. I am sure it's 1 byte on x86_64 but indeed I don't know
all the rest of archs...  Will repost.

Also, since you mentioned about it, I noticed that we have a similar
case where VMSTATE_UNUSED is used in vmstate_ppc_cpu with type that
may have different size with different host/compilers:

VMSTATE_UNUSED(sizeof(target_ulong)), /* was _EQUAL(env.spr[SPR_PVR]) */

Would that be problematic too?  CCing Alexey and David for this.

Maybe we should comment on VMSTATE_BOOL about the fact (because it
seems error prone)? And maybe also on VMSTATE_UNUSED too.

-- 
Peter Xu

[Qemu-devel] [PATCH for-4.0 v3 0/6] NBD server alignment improvement

[Eric Blake]

I'm tired of nbdkit being able to trigger an assertion failure
in qemu-img convert.  Let's get this into 4.0-rc2.

Since v2:
- add more patches, including a respin of a separately-posted
nbd/client: Deal with unaligned size from server
- Don't make unaligned sector from server inaccessible; instead,
round our requests down and handle the tail locally
- fix another issue reported by Rich where 'qemu-img map' output
was less than stellar

Eric Blake (6):
  iotests: Add 241 to test NBD on unaligned images
  nbd/client: Lower min_block for block-status, unaligned size
  nbd/client: Report offsets in bdrv_block_status
  nbd/client: Support qemu-img convert from unaligned size
  block: Add bdrv_get_request_alignment()
  nbd/server: Advertise actual minimum block size

 include/sysemu/block-backend.h |  1 +
 block/block-backend.c  |  7 
 block/nbd-client.c | 48 +--
 block/nbd.c| 19 -
 nbd/server.c   | 13 ---
 tests/qemu-iotests/209.out |  4 +-
 tests/qemu-iotests/223.out | 18 -
 tests/qemu-iotests/241 | 70 ++
 tests/qemu-iotests/241.out |  8 
 tests/qemu-iotests/group   |  1 +
 10 files changed, 169 insertions(+), 20 deletions(-)
 create mode 100755 tests/qemu-iotests/241
 create mode 100644 tests/qemu-iotests/241.out

-- 
2.20.1

[Qemu-devel] [PATCH v3 2/6] nbd/client: Lower min_block for block-status, unaligned size

[Eric Blake]

We have a latent bug in our NBD client code, tickled by the brand new
nbdkit 1.11.10 block status support:

$ nbdkit --filter=log --filter=truncate -U - \
   data data="1" size=511 truncate=64K logfile=/dev/stdout \
   --run 'qemu-img convert $nbd /var/tmp/out'
...
qemu-img: block/io.c:2122: bdrv_co_block_status: Assertion `*pnum && 
QEMU_IS_ALIGNED(*pnum, align) && align > offset - aligned_offset' failed.

The culprit? Our implementation of .bdrv_co_block_status can return
unaligned block status for any server that operates with a lower
actual alignment than what we tell the block layer in
request_alignment, in violation of the block layer's constraints. To
date, we've been unable to trip the bug, because qemu as NBD server
always advertises block sizing (at which point it is a server bug if
the server sends unaligned status - although qemu 3.1 is such a server
and I've sent separate patches for 4.0 both to get the server to obey
the spec, and to let the client to tolerate server oddities at EOF).

But nbdkit does not (yet) advertise block sizing, and therefore is not
in violation of the spec for returning block status at whatever
boundaries it wants, and those unaligned results can occur anywhere
rather than just at EOF. While we are still wise to avoid sending
sub-sector read/write requests to a server of unknown origin, we MUST
consider that a server telling us block status without an advertised
block size is correct.  So, we either have to munge unaligned answers
from the server into aligned ones that we hand back to the block
layer, or we have to tell the block layer about a smaller alignment.

Similarly, if the server advertises an image size that is not
sector-aligned, we might as well assume that the server intends to let
us access those tail bytes, and therefore supports a minimum block
size of 1, regardless of whether the server supports block status
(although we still need more patches to fix the problem that with an
unaligned image, we can send read or block status requests that exceed
EOF to the server). Again, qemu as server cannot trip this problem
(because it rounds images to sector alignment), but nbdkit advertised
unaligned size even before it gained block status support.

Solve both alignment problems at once by using better heuristics on
what alignment to report to the block layer when the server did not
give us something to work with. Note that very few NBD servers
implement block status (to date, only qemu and nbdkit are known to do
so); and as the NBD spec mentioned block sizing constraints prior to
documenting block status, it can be assumed that any future
implementations of block status are aware that they must advertise
block size if they want a minimum size other than 1.

We've had a long history of struggles with picking the right alignment
to use in the block layer, as evidenced by the commit message of
fd8d372d (v2.12) that introduced the current choice of forced 512-byte
alignment.

There is no iotest coverage for this fix, because qemu can't provoke
it, and I didn't want to make test 241 dependent on nbdkit.

Fixes: fd8d372d
Reported-by: Richard W.M. Jones 
Signed-off-by: Eric Blake 
---
 block/nbd.c | 19 ++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/block/nbd.c b/block/nbd.c
index 2e72df528ac..208be596027 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -437,7 +437,24 @@ static void nbd_refresh_limits(BlockDriverState *bs, Error 
**errp)
 uint32_t min = s->info.min_block;
 uint32_t max = MIN_NON_ZERO(NBD_MAX_BUFFER_SIZE, s->info.max_block);

-bs->bl.request_alignment = min ? min : BDRV_SECTOR_SIZE;
+/*
+ * If the server did not advertise an alignment:
+ * - a size that is not sector-aligned implies that an alignment
+ *   of 1 can be used to access those tail bytes
+ * - advertisement of block status requires an alignment of 1, so
+ *   that we don't violate block layer constraints that block
+ *   status is always aligned (as we can't control whether the
+ *   server will report sub-sector extents, such as a hole at EOF
+ *   on an unaligned POSIX file)
+ * - otherwise, assume the server is so old that we are safer avoiding
+ *   sub-sector requests
+ */
+if (!min) {
+min = (!QEMU_IS_ALIGNED(s->info.size, BDRV_SECTOR_SIZE) ||
+   s->info.base_allocation) ? 1 : BDRV_SECTOR_SIZE;
+}
+
+bs->bl.request_alignment = min;
 bs->bl.max_pdiscard = max;
 bs->bl.max_pwrite_zeroes = max;
 bs->bl.max_transfer = max;
-- 
2.20.1

[Qemu-devel] [PATCH v3 4/6] nbd/client: Support qemu-img convert from unaligned size

[Eric Blake]

If an NBD server advertises a size that is not a multiple of a sector,
the block layer rounds up that size, even though we set info.size to
the exact byte value sent by the server. The block layer then proceeds
to let us read or query block status on the hole that it added past
EOF, which the NBD server is unlikely to be happy with. Fortunately,
qemu as a server never advertizes an unaligned size, so we generally
don't run into this problem; but the nbdkit server makes it easy to
test:

$ printf %1000d 1 > f1
$ ~/nbdkit/nbdkit -fv file f1 & pid=$!
$ qemu-img convert -f raw nbd://localhost:10809 f2
$ kill $pid
$ qemu-img compare f1 f2

Pre-patch, the server attempts a 1024-byte read, which nbdkit
rightfully rejects as going beyond its advertised 1000 byte size; the
conversion fails and the output files differ (not even the first
sector is copied, because qemu-img does not follow ddrescue's habit of
trying smaller reads to get as much information as possible in spite
of errors). Post-patch, the client's attempts to read (and query block
status, for new enough nbdkit) are properly truncated to the server's
length, with sane handling of the hole the block layer forced on
us. Although f2 ends up as a larger file (1024 bytes instead of 1000),
qemu-img compare shows the two images to have identical contents for
display to the guest.

I didn't add iotests coverage since I didn't want to add a dependency
on nbdkit in iotests. I also did NOT patch write, trim, or write
zeroes - these commands continue to fail (usually with ENOSPC, but
whatever the server chose), because we really can't write to the end
of the file, and because 'qemu-img convert' is the most common case
where we care about being tolerant (which is read-only). Perhaps we
could truncate the request if the client is writing zeros to the tail,
but that seems like more work, especially if the block layer is fixed
in 4.1 to track byte-accurate sizing (in which case this patch would
be reverted as unnecessary).

Signed-off-by: Eric Blake 
---
 block/nbd-client.c | 39 ++-
 1 file changed, 38 insertions(+), 1 deletion(-)

diff --git a/block/nbd-client.c b/block/nbd-client.c
index 3edb508f668..409c2171bc3 100644
--- a/block/nbd-client.c
+++ b/block/nbd-client.c
@@ -848,6 +848,25 @@ int nbd_client_co_preadv(BlockDriverState *bs, uint64_t 
offset,
 if (!bytes) {
 return 0;
 }
+/*
+ * Work around the fact that the block layer doesn't do
+ * byte-accurate sizing yet - if the read exceeds the server's
+ * advertised size because the block layer rounded size up, then
+ * truncate the request to the server and tail-pad with zero.
+ */
+if (offset >= client->info.size) {
+assert(bytes < BDRV_SECTOR_SIZE);
+qemu_iovec_memset(qiov, 0, 0, bytes);
+return 0;
+}
+if (offset + bytes > client->info.size) {
+uint64_t slop = offset + bytes - client->info.size;
+
+assert(slop < BDRV_SECTOR_SIZE);
+qemu_iovec_memset(qiov, bytes - slop, 0, slop);
+request.len -= slop;
+}
+
 ret = nbd_co_send_request(bs, , NULL);
 if (ret < 0) {
 return ret;
@@ -966,7 +985,8 @@ int coroutine_fn 
nbd_client_co_block_status(BlockDriverState *bs,
 .from = offset,
 .len = MIN(MIN_NON_ZERO(QEMU_ALIGN_DOWN(INT_MAX,
 bs->bl.request_alignment),
-client->info.max_block), bytes),
+client->info.max_block),
+   MIN(bytes, client->info.size - offset)),
 .flags = NBD_CMD_FLAG_REQ_ONE,
 };

@@ -977,6 +997,23 @@ int coroutine_fn 
nbd_client_co_block_status(BlockDriverState *bs,
 return BDRV_BLOCK_DATA | BDRV_BLOCK_OFFSET_VALID;
 }

+/*
+ * Work around the fact that the block layer doesn't do
+ * byte-accurate sizing yet - if the status request exceeds the
+ * server's advertised size because the block layer rounded size
+ * up, we truncated the request to the server (above), or are
+ * called on just the hole.
+ */
+if (offset >= client->info.size) {
+*pnum = bytes;
+assert(bytes < BDRV_SECTOR_SIZE);
+/* Intentionally don't report offset_valid for the hole */
+return BDRV_BLOCK_ZERO;
+}
+
+if (client->info.min_block) {
+assert(QEMU_IS_ALIGNED(request.len, client->info.min_block));
+}
 ret = nbd_co_send_request(bs, , NULL);
 if (ret < 0) {
 return ret;
-- 
2.20.1

[Qemu-devel] [PATCH v3 5/6] block: Add bdrv_get_request_alignment()

[Eric Blake]

The next patch needs access to a device's minimum permitted
alignment, since NBD wants to advertise this to clients. Add
an accessor function, borrowing from blk_get_max_transfer()
for accessing a backend's block limits.

Signed-off-by: Eric Blake 
Message-Id: <20180802144834.520904-2-ebl...@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy 
---
 include/sysemu/block-backend.h | 1 +
 block/block-backend.c  | 7 +++
 2 files changed, 8 insertions(+)

diff --git a/include/sysemu/block-backend.h b/include/sysemu/block-backend.h
index e2066eb06b2..3be05c2d689 100644
--- a/include/sysemu/block-backend.h
+++ b/include/sysemu/block-backend.h
@@ -177,6 +177,7 @@ bool blk_is_available(BlockBackend *blk);
 void blk_lock_medium(BlockBackend *blk, bool locked);
 void blk_eject(BlockBackend *blk, bool eject_flag);
 int blk_get_flags(BlockBackend *blk);
+uint32_t blk_get_request_alignment(BlockBackend *blk);
 uint32_t blk_get_max_transfer(BlockBackend *blk);
 int blk_get_max_iov(BlockBackend *blk);
 void blk_set_guest_block_size(BlockBackend *blk, int align);
diff --git a/block/block-backend.c b/block/block-backend.c
index edad02a0f2a..f78e82a707f 100644
--- a/block/block-backend.c
+++ b/block/block-backend.c
@@ -1764,6 +1764,13 @@ int blk_get_flags(BlockBackend *blk)
 }
 }

+/* Returns the minimum request alignment, in bytes; guaranteed nonzero */
+uint32_t blk_get_request_alignment(BlockBackend *blk)
+{
+BlockDriverState *bs = blk_bs(blk);
+return bs ? bs->bl.request_alignment : BDRV_SECTOR_SIZE;
+}
+
 /* Returns the maximum transfer length, in bytes; guaranteed nonzero */
 uint32_t blk_get_max_transfer(BlockBackend *blk)
 {
-- 
2.20.1

Re: [Qemu-devel] [PATCH for-4.0?] nbd/client: Deal with unaligned size from server

[Eric Blake]

On 3/28/19 7:36 AM, Kevin Wolf wrote:

>>>
>>> I think making the behaviour inconsistent across different block
>>> drivers, so that some round up and some round down, is a bad idea.
>>> Even without the inconsistency, rounding down is already a bad idea
>>> because it means data loss when you copy the disk.
>>
>> Concur, truncation is safe, but surprising when it is not done
>> consistently (and we're too late to switch away from our current
>> behavior of rounding up).
>>

>> Option 3:
>>
>> Teach the nbd code to special-case past-EOF read and block-status to do
>> the right thing, but not worry about write/write-zero/trim (those will
>> fail, but that's less important for qemu-img convert).
>>
>> I'll post a v2 patch along those lines.
> 
> This would be similar to what file-posix does for short reads (just adds
> zero padding), so it should be reasonable to do the same in NBD. This is
> probably the nicest option.

Now posted: Message-Id: <20190329042750.14704-1-ebl...@redhat.com>
Subject: [PATCH for-4.0 v3 0/6] NBD server alignment improvement

I think there's still a bug in the blkdebug driver for letting unaligned
block status leak back to the block layer, but I'm out of time to
investigate that today, and blkdebug is not used in production images,
so it's less urgent.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3226
Virtualization:  qemu.org | libvirt.org



signature.asc
Description: OpenPGP digital signature

[Qemu-devel] [PATCH v3 3/6] nbd/client: Report offsets in bdrv_block_status

[Eric Blake]

It is desirable for 'qemu-img map' to have the same output for a file
whether it is served over file or nbd protocols. However, ever since
we implemented block status for NBD (2.12), the NBD protocol forgot to
inform the block layer that as the final layer in the chain, the
offset is valid; without an offset, the human-readable form of
qemu-img map gives up with the unhelpful:

$ nbdkit -U - data data="1" size=512 --run 'qemu-img map $nbd'
Offset  Length  Mapped to   File
qemu-img: File contains external, encrypted or compressed clusters.

The --output=json form always works, because it is reporting the
lower-level bdrv_block_status results directly rather than trying to
filter out sparse ranges for human consumption.

With this patch, the output changes to:

Offset  Length  Mapped to   File
0   0x200   0   
nbd+unix://?socket=/tmp/nbdkitOxeoLa/socket

This change is observable to several iotests.

Fixes: 78a33ab5
Reported-by: Richard W.M. Jones 
Signed-off-by: Eric Blake 
---
 block/nbd-client.c |  9 +++--
 tests/qemu-iotests/209.out |  4 ++--
 tests/qemu-iotests/223.out | 18 +-
 tests/qemu-iotests/241.out |  2 +-
 4 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/block/nbd-client.c b/block/nbd-client.c
index 150af9cc46f..3edb508f668 100644
--- a/block/nbd-client.c
+++ b/block/nbd-client.c
@@ -972,7 +972,9 @@ int coroutine_fn 
nbd_client_co_block_status(BlockDriverState *bs,

 if (!client->info.base_allocation) {
 *pnum = bytes;
-return BDRV_BLOCK_DATA;
+*map = offset;
+*file = bs;
+return BDRV_BLOCK_DATA | BDRV_BLOCK_OFFSET_VALID;
 }

 ret = nbd_co_send_request(bs, , NULL);
@@ -995,8 +997,11 @@ int coroutine_fn 
nbd_client_co_block_status(BlockDriverState *bs,

 assert(extent.length);
 *pnum = extent.length;
+*map = offset;
+*file = bs;
 return (extent.flags & NBD_STATE_HOLE ? 0 : BDRV_BLOCK_DATA) |
-   (extent.flags & NBD_STATE_ZERO ? BDRV_BLOCK_ZERO : 0);
+(extent.flags & NBD_STATE_ZERO ? BDRV_BLOCK_ZERO : 0) |
+BDRV_BLOCK_OFFSET_VALID;
 }

 void nbd_client_detach_aio_context(BlockDriverState *bs)
diff --git a/tests/qemu-iotests/209.out b/tests/qemu-iotests/209.out
index 0d29724e84a..214e27bfcec 100644
--- a/tests/qemu-iotests/209.out
+++ b/tests/qemu-iotests/209.out
@@ -1,2 +1,2 @@
-[{ "start": 0, "length": 524288, "depth": 0, "zero": false, "data": true},
-{ "start": 524288, "length": 524288, "depth": 0, "zero": true, "data": false}]
+[{ "start": 0, "length": 524288, "depth": 0, "zero": false, "data": true, 
"offset": 0},
+{ "start": 524288, "length": 524288, "depth": 0, "zero": true, "data": false, 
"offset": 524288}]
diff --git a/tests/qemu-iotests/223.out b/tests/qemu-iotests/223.out
index 95c40a17ad7..7828a447392 100644
--- a/tests/qemu-iotests/223.out
+++ b/tests/qemu-iotests/223.out
@@ -67,18 +67,18 @@ read 1048576/1048576 bytes at offset 1048576
 1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 read 2097152/2097152 bytes at offset 2097152
 2 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
-[{ "start": 0, "length": 4096, "depth": 0, "zero": false, "data": true},
-{ "start": 4096, "length": 1044480, "depth": 0, "zero": true, "data": false},
-{ "start": 1048576, "length": 3145728, "depth": 0, "zero": false, "data": 
true}]
+[{ "start": 0, "length": 4096, "depth": 0, "zero": false, "data": true, 
"offset": OFFSET},
+{ "start": 4096, "length": 1044480, "depth": 0, "zero": true, "data": false, 
"offset": OFFSET},
+{ "start": 1048576, "length": 3145728, "depth": 0, "zero": false, "data": 
true, "offset": OFFSET}]
 [{ "start": 0, "length": 65536, "depth": 0, "zero": false, "data": false},
-{ "start": 65536, "length": 2031616, "depth": 0, "zero": false, "data": true},
+{ "start": 65536, "length": 2031616, "depth": 0, "zero": false, "data": true, 
"offset": OFFSET},
 { "start": 2097152, "length": 2097152, "depth": 0, "zero": false, "data": 
false}]

 === Contrast to small granularity dirty-bitmap ===

-[{ "start": 0, "length": 512, "depth": 0, "zero": false, "data": true},
+[{ "start": 0, "length": 512, "depth": 0, "zero": false, "data": true, 
"offset": OFFSET},
 { "start": 512, "length": 512, "depth": 0, "zero": false, "data": false},
-{ "start": 1024, "length": 2096128, "depth": 0, "zero": false, "data": true},
+{ "start": 1024, "length": 2096128, "depth": 0, "zero": false, "data": true, 
"offset": OFFSET},
 { "start": 2097152, "length": 2097152, "depth": 0, "zero": false, "data": 
false}]

 === End qemu NBD server ===
@@ -94,10 +94,10 @@ read 2097152/2097152 bytes at offset 2097152
 === Use qemu-nbd as server ===

 [{ "start": 0, "length": 65536, "depth": 0, "zero": false, "data": false},
-{ "start": 65536, "length": 2031616, "depth": 0, "zero": false, "data": true},
+{ "start": 65536, "length": 2031616, "depth": 0, "zero": false, "data": true, 
"offset": OFFSET},
 { "start": 

[Qemu-devel] [PATCH v3 6/6] nbd/server: Advertise actual minimum block size

[Eric Blake]

Both NBD_CMD_BLOCK_STATUS and structured NBD_CMD_READ will split their
reply according to bdrv_block_status() boundaries. If the block device
has a request_alignment smaller than 512, but we advertise a block
alignment of 512 to the client, then this can result in the server
reply violating client expectations by reporting a smaller region of
the export than what the client is permitted to address (although this
is less of an issue for qemu 4.0 clients, given recent client patches
to overlook our non-compliance at EOF).  Since it's always better to
be strict in what we send, it is worth advertising the actual minimum
block limit rather than blindly rounding it up to 512.

Note that this patch is not foolproof - it is still possible to
provoke non-compliant server behavior using:

$ qemu-nbd --image-opts 
driver=blkdebug,align=512,image.driver=file,image.filename=/path/to/non-aligned-file

That is arguably a bug in the blkdebug driver (it should never pass
back block status smaller than its alignment, even if it has to make
multiple bdrv_get_status calls and determine the
least-common-denominator status among the group to return). It may
also be possible to observe issues with a backing layer with smaller
alignment than the active layer, although so far I have been unable to
write a reliable iotest for that scenario (but again, an issue like
that could be argued to be a bug in the block layer, or something
where we need a flag to bdrv_block_status() to state whether the
result must be aligned to the current layer's limits or can be
subdivided for accuracy when chasing backing files).

Anyways, as blkdebug is not normally used, and as this patch makes our
server more interoperable with qemu 3.1 clients, it is worth applying
now, even while we still work on a larger patch series for the 4.1
timeframe to have byte-accurate file lengths.

Note that the iotests output changes - both pre- and post-patch, the
server is reporting a mid-sector hole; but pre-patch, the client was
then rounding that up to a sector boundary as a workaround, while
post-patch the client doesn't have to round because it sees the
server's smaller advertised block size.

Signed-off-by: Eric Blake 
Reviewed-by: Vladimir Sementsov-Ogievskiy 
---
 nbd/server.c   | 13 -
 tests/qemu-iotests/241.out |  3 ++-
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/nbd/server.c b/nbd/server.c
index fd013a2817a..218a2aa5e65 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -607,13 +607,16 @@ static int nbd_negotiate_handle_info(NBDClient *client, 
uint16_t myflags,
 /* Send NBD_INFO_BLOCK_SIZE always, but tweak the minimum size
  * according to whether the client requested it, and according to
  * whether this is OPT_INFO or OPT_GO. */
-/* minimum - 1 for back-compat, or 512 if client is new enough.
- * TODO: consult blk_bs(blk)->bl.request_alignment? */
-sizes[0] =
-(client->opt == NBD_OPT_INFO || blocksize) ? BDRV_SECTOR_SIZE : 1;
+/* minimum - 1 for back-compat, or actual if client will obey it. */
+if (client->opt == NBD_OPT_INFO || blocksize) {
+sizes[0] = blk_get_request_alignment(exp->blk);
+} else {
+sizes[0] = 1;
+}
+assert(sizes[0] <= NBD_MAX_BUFFER_SIZE);
 /* preferred - Hard-code to 4096 for now.
  * TODO: is blk_bs(blk)->bl.opt_transfer appropriate? */
-sizes[1] = 4096;
+sizes[1] = MAX(4096, sizes[0]);
 /* maximum - At most 32M, but smaller as appropriate. */
 sizes[2] = MIN(blk_get_max_transfer(exp->blk), NBD_MAX_BUFFER_SIZE);
 trace_nbd_negotiate_handle_info_block_size(sizes[0], sizes[1], sizes[2]);
diff --git a/tests/qemu-iotests/241.out b/tests/qemu-iotests/241.out
index 91dcde97560..eccc7254d12 100644
--- a/tests/qemu-iotests/241.out
+++ b/tests/qemu-iotests/241.out
@@ -2,6 +2,7 @@ QA output created by 241

 === Exporting unaligned raw image ===

-[{ "start": 0, "length": 1024, "depth": 0, "zero": false, "data": true, 
"offset": OFFSET}]
+[{ "start": 0, "length": 1000, "depth": 0, "zero": false, "data": true, 
"offset": OFFSET},
+{ "start": 1000, "length": 24, "depth": 0, "zero": true, "data": true, 
"offset": OFFSET}]
 1 KiB (0x400) bytes allocated at offset 0 bytes (0x0)
 *** done
-- 
2.20.1

[Qemu-devel] [PATCH v3 1/6] iotests: Add 241 to test NBD on unaligned images

[Eric Blake]

Add a test for the NBD client workaround in the previous patch.  It's
not really feasible for an iotest to assume a specific tracing engine,
so we can't really probe trace_nbd_parse_blockstatus_compliance to see
if the server was fixed vs. whether the client just worked around the
server (other than by rearranging order between code patches and this
test). But having a successful exchange sure beats the previous state
of an error message.

Not tested yet, but worth adding to this test in future patches: an
NBD server that can advertise a non-sector-aligned size (such as
nbdkit) causes qemu as the NBD client to misbehave when it rounds the
size up and accesses beyond the advertised size. Qemu as NBD server
never advertises a non-sector-aligned size (since bdrv_getlength()
currently rounds up to sector boundaries); until qemu can act as such
a server, testing that flaw will have to rely on external binaries.

Signed-off-by: Eric Blake 
---
 tests/qemu-iotests/241 | 70 ++
 tests/qemu-iotests/241.out |  7 
 tests/qemu-iotests/group   |  1 +
 3 files changed, 78 insertions(+)
 create mode 100755 tests/qemu-iotests/241
 create mode 100644 tests/qemu-iotests/241.out

diff --git a/tests/qemu-iotests/241 b/tests/qemu-iotests/241
new file mode 100755
index 000..44871158918
--- /dev/null
+++ b/tests/qemu-iotests/241
@@ -0,0 +1,70 @@
+#!/bin/bash
+#
+# Test qemu-nbd vs. unaligned images
+#
+# Copyright (C) 2018-2019 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+#
+
+seq="$(basename $0)"
+echo "QA output created by $seq"
+
+status=1 # failure is the default!
+
+nbd_unix_socket=$TEST_DIR/test_qemu_nbd_socket
+
+_cleanup()
+{
+_cleanup_test_img
+nbd_server_stop
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+. ./common.nbd
+
+_supported_fmt raw
+_supported_proto nbd
+_supported_os Linux
+_require_command QEMU_NBD
+
+echo
+echo "=== Exporting unaligned raw image ==="
+echo
+
+# can't use _make_test_img, because qemu-img rounds image size up,
+# and because we want to use Unix socket rather than TCP port. Likewise,
+# we have to redirect TEST_IMG to our server.
+# This tests that we can deal with the hole at the end of an unaligned
+# raw file (either because the server doesn't advertise alignment too
+# large, or because the client ignores the server's noncompliance).
+printf %01000d 0 > "$TEST_IMG_FILE"
+nbd_server_start_unix_socket -f $IMGFMT "$TEST_IMG_FILE"
+TEST_IMG="nbd:unix:$nbd_unix_socket"
+
+$QEMU_IMG map --output=json "$TEST_IMG" | _filter_qemu_img_map
+$QEMU_IO -c map "$TEST_IMG"
+
+# Not tested yet: we also want to ensure that qemu as NBD client does
+# not access beyond the end of a server's advertised unaligned size.
+# However, since qemu as server always rounds up to a sector alignment,
+# we would have to use nbdkit to provoke the current client failures.
+
+# success, all done
+echo '*** done'
+rm -f $seq.full
+status=0
diff --git a/tests/qemu-iotests/241.out b/tests/qemu-iotests/241.out
new file mode 100644
index 000..044afc0c6f8
--- /dev/null
+++ b/tests/qemu-iotests/241.out
@@ -0,0 +1,7 @@
+QA output created by 241
+
+=== Exporting unaligned raw image ===
+
+[{ "start": 0, "length": 1024, "depth": 0, "zero": false, "data": true}]
+1 KiB (0x400) bytes allocated at offset 0 bytes (0x0)
+*** done
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
index 41da10c6cf5..bae77183809 100644
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@@ -240,6 +240,7 @@
 238 auto quick
 239 rw auto quick
 240 auto quick
+241 rw auto quick
 242 rw auto quick
 243 rw auto quick
 244 rw auto quick
-- 
2.20.1

[Qemu-devel] [PULL 6/8] spapr: Simplify handling of host-serial and host-model values

[David Gibson]

27461d69a0f "ppc: add host-serial and host-model machine attributes
(CVE-2019-8934)" introduced 'host-serial' and 'host-model' machine
properties for spapr to explicitly control the values advertised to the
guest in device tree properties with the same names.

The previous behaviour on KVM was to unconditionally populate the device
tree with the real host serial number and model, which leaks possibly
sensitive information about the host to the guest.

To maintain compatibility for old machine types, we allowed those props
to be set to "passthrough" to take the value from the host as before.  Or
they could be set to "none" to explicitly omit the device tree items.

Special casing specific values on what's otherwise a user supplied string
is very ugly.  So, this patch simplifies things by implementing the
backwards compatibility in a different way: we have a machine class flag
set for the older machines, and we only load the host values into the
device tree if A) they're not set by the user and B) we have that flag set.

This does mean that the "passthrough" functionality is no longer available
with the current machine type.  That's ok though: if a user or management
layer really wants the information passed through they can read it
themselves (OpenStack Nova already does something similar for x86).

It also means the user can't explicitly ask for the values to be omitted
on the old machine types.  I think that's an acceptable trade-off: if you
care enough about not leaking the host information you can either move to
the new machine type, or use a dummy value for the properties.

For the new machine type, this also removes an odd inconsistency
between running on a POWER and non-POWER (or non-Linux) hosts: if the
host information couldn't be read from where we expect (in the host's
device tree as exposed by Linux), we'd fallback to omitting the guest
device tree items.

While we're there, improve some poorly worded comments, and the help text
for the properties.

Signed-off-by: David Gibson 
Reviewed-by: Daniel P. Berrangé 
Reviewed-by: Greg Kurz 
Tested-by: Greg Kurz 
---
 hw/ppc/spapr.c | 57 ++
 include/hw/ppc/spapr.h |  1 +
 2 files changed, 20 insertions(+), 38 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 6c16d6cfaf..4fc711b5a8 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1252,38 +1252,8 @@ static void *spapr_build_fdt(SpaprMachineState *spapr)
 _FDT(fdt_setprop_string(fdt, 0, "model", "IBM pSeries (emulated by 
qemu)"));
 _FDT(fdt_setprop_string(fdt, 0, "compatible", "qemu,pseries"));
 
-/*
- * Add info to guest to indentify which host is it being run on
- * and what is the uuid of the guest
- */
-if (spapr->host_model && !g_str_equal(spapr->host_model, "none")) {
-if (g_str_equal(spapr->host_model, "passthrough")) {
-/* -M host-model=passthrough */
-if (kvmppc_get_host_model()) {
-_FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
-g_free(buf);
-}
-} else {
-/* -M host-model= */
-_FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model));
-}
-}
-
-if (spapr->host_serial && !g_str_equal(spapr->host_serial, "none")) {
-if (g_str_equal(spapr->host_serial, "passthrough")) {
-/* -M host-serial=passthrough */
-if (kvmppc_get_host_serial()) {
-_FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
-g_free(buf);
-}
-} else {
-/* -M host-serial= */
-_FDT(fdt_setprop_string(fdt, 0, "host-serial", 
spapr->host_serial));
-}
-}
-
+/* Guest UUID & Name*/
 buf = qemu_uuid_unparse_strdup(_uuid);
-
 _FDT(fdt_setprop_string(fdt, 0, "vm,uuid", buf));
 if (qemu_uuid_set) {
 _FDT(fdt_setprop_string(fdt, 0, "system-id", buf));
@@ -1295,6 +1265,21 @@ static void *spapr_build_fdt(SpaprMachineState *spapr)
 qemu_get_vm_name()));
 }
 
+/* Host Model & Serial Number */
+if (spapr->host_model) {
+_FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model));
+} else if (smc->broken_host_serial_model && kvmppc_get_host_model()) {
+_FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
+g_free(buf);
+}
+
+if (spapr->host_serial) {
+_FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial));
+} else if (smc->broken_host_serial_model && kvmppc_get_host_serial()) {
+_FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
+g_free(buf);
+}
+
 _FDT(fdt_setprop_cell(fdt, 0, "#address-cells", 2));
 _FDT(fdt_setprop_cell(fdt, 0, "#size-cells", 2));
 
@@ -3352,12 +3337,12 @@ static void spapr_instance_init(Object *obj)
 spapr_get_host_model, spapr_set_host_model,
 _abort);
 object_property_set_description(obj, 

[Qemu-devel] [PULL 5/8] target/ppc: Fix QEMU crash with stxsdx

[David Gibson]

From: Greg Kurz 

I've been hitting several QEMU crashes while running a fedora29 ppc64le
guest under TCG. Each time, this would occur several minutes after the
guest reached login:

Fedora 29 (Twenty Nine)
Kernel 4.20.6-200.fc29.ppc64le on an ppc64le (hvc0)

Web console: https://localhost:9090/

localhost login:
tcg/tcg.c:3211: tcg fatal error

This happens because a bug crept up in the gen_stxsdx() helper when it
was converted to use VSR register accessors by commit 8b3b2d75c7c04
"target/ppc: introduce get_cpu_vsr{l,h}() and set_cpu_vsr{l,h}() helpers
for VSR register access".

The code creates a temporary, passes it directly to gen_qemu_st64_i64()
and then to set_cpu_vrsh()... which looks like this was mistakenly
coded as a load instead of a store.

Reverse the logic: read the VSR to the temporary first and then store
it to memory.

Fixes: 8b3b2d75c7c0481544e277dad226223245e058eb
Signed-off-by: Greg Kurz 
Message-Id: <155371035249.2038502.12364252604337688538.st...@bahia.lan>
Reviewed-by: Mark Cave-Ayland 
Signed-off-by: David Gibson 
---
 target/ppc/translate/vsx-impl.inc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/ppc/translate/vsx-impl.inc.c 
b/target/ppc/translate/vsx-impl.inc.c
index 508e9199c8..489b2436e4 100644
--- a/target/ppc/translate/vsx-impl.inc.c
+++ b/target/ppc/translate/vsx-impl.inc.c
@@ -356,8 +356,8 @@ static void gen_##name(DisasContext *ctx)   
  \
 gen_set_access_type(ctx, ACCESS_INT); \
 EA = tcg_temp_new();  \
 gen_addr_reg_index(ctx, EA);  \
+get_cpu_vsrh(t0, xS(ctx->opcode));\
 gen_qemu_##operation(ctx, t0, EA);\
-set_cpu_vsrh(xS(ctx->opcode), t0);\
 tcg_temp_free(EA);\
 tcg_temp_free_i64(t0);\
 }
-- 
2.20.1

[Qemu-devel] [PULL 4/8] target/ppc: Improve comment of bcctr used for spectre v2 mitigation

[David Gibson]

From: Greg Kurz 

Signed-off-by: Greg Kurz 
Message-Id: <155359567174.1794128.3183997593369465355.st...@bahia.lan>
Signed-off-by: David Gibson 
---
 target/ppc/translate.c | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/target/ppc/translate.c b/target/ppc/translate.c
index 576210d901..badc1ae1a3 100644
--- a/target/ppc/translate.c
+++ b/target/ppc/translate.c
@@ -3753,7 +3753,15 @@ static void gen_bcond(DisasContext *ctx, int type)
  * All ISAs up to v3 describe this form of bcctr as invalid but
  * some processors, ie. 64-bit server processors compliant with
  * arch 2.x, do implement a "test and decrement" logic instead,
- * as described in their respective UMs.
+ * as described in their respective UMs. This logic involves CTR
+ * to act as both the branch target and a counter, which makes
+ * it basically useless and thus never used in real code.
+ *
+ * This form was hence chosen to trigger extra micro-architectural
+ * side-effect on real HW needed for the Spectre v2 workaround.
+ * It is up to guests that implement such workaround, ie. linux, to
+ * use this form in a way it just triggers the side-effect without
+ * doing anything else harmful.
  */
 if (unlikely(!is_book3s_arch2x(ctx))) {
 gen_inval_exception(ctx, POWERPC_EXCP_INVAL_INVAL);
-- 
2.20.1

[Qemu-devel] [PULL 7/8] spapr/irq: Add XIVE sanity checks on non-P9 machines

[David Gibson]

From: Cédric Le Goater 

On non-P9 machines, the XIVE interrupt mode is not advertised, see
spapr_dt_ov5_platform_support(). Add a couple of checks on the machine
configuration to filter bogus setups and prevent OS failures :

 Interrupt modes

  CPU/Compat  XICSXIVEdual

   P8/P8  OK  QEMU failure (1)OK (3)
   P9/P8  OK  QEMU failure (2)OK (3)
   P9/P9  OK  OK  OK

  (1) CPU exception model is incompatible with XIVE and the presenters
  will fail to realize.

  (2) CPU exception model is compatible with XIVE, but the XIVE CAS
  advertisement is dropped when in POWER8 mode. So we could ended up
  booting with the XIVE DT properties but without the HCALLs. Avoid
  confusing Linux with such settings and fail under QEMU.

  (3) force XICS in machine init

Remove the check on XIVE-only machines in spapr_machine_init(), which
has now become redundant.

Signed-off-by: Cédric Le Goater 
Message-Id: <20190328100044.11408-1-...@kaod.org>
Reviewed-by: Greg Kurz 
Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c |  8 +---
 hw/ppc/spapr_irq.c | 50 ++
 2 files changed, 51 insertions(+), 7 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 4fc711b5a8..b52b82d298 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -2780,13 +2780,7 @@ static void spapr_machine_init(MachineState *machine)
 
 /* advertise XIVE on POWER9 machines */
 if (spapr->irq->ov5 & (SPAPR_OV5_XIVE_EXPLOIT | SPAPR_OV5_XIVE_BOTH)) {
-if (ppc_type_check_compat(machine->cpu_type, CPU_POWERPC_LOGICAL_3_00,
-  0, spapr->max_compat_pvr)) {
-spapr_ovec_set(spapr->ov5, OV5_XIVE_EXPLOIT);
-} else if (spapr->irq->ov5 & SPAPR_OV5_XIVE_EXPLOIT) {
-error_report("XIVE-only machines require a POWER9 CPU");
-exit(1);
-}
+spapr_ovec_set(spapr->ov5, OV5_XIVE_EXPLOIT);
 }
 
 /* init CPUs */
diff --git a/hw/ppc/spapr_irq.c b/hw/ppc/spapr_irq.c
index 253e4de7fd..0a84e4cf63 100644
--- a/hw/ppc/spapr_irq.c
+++ b/hw/ppc/spapr_irq.c
@@ -16,6 +16,7 @@
 #include "hw/ppc/spapr_xive.h"
 #include "hw/ppc/xics.h"
 #include "hw/ppc/xics_spapr.h"
+#include "cpu-models.h"
 #include "sysemu/kvm.h"
 
 #include "trace.h"
@@ -582,12 +583,55 @@ SpaprIrq spapr_irq_dual = {
 .get_nodename = spapr_irq_get_nodename_dual,
 };
 
+
+static void spapr_irq_check(SpaprMachineState *spapr, Error **errp)
+{
+MachineState *machine = MACHINE(spapr);
+
+/*
+ * Sanity checks on non-P9 machines. On these, XIVE is not
+ * advertised, see spapr_dt_ov5_platform_support()
+ */
+if (!ppc_type_check_compat(machine->cpu_type, CPU_POWERPC_LOGICAL_3_00,
+   0, spapr->max_compat_pvr)) {
+/*
+ * If the 'dual' interrupt mode is selected, force XICS as CAS
+ * negotiation is useless.
+ */
+if (spapr->irq == _irq_dual) {
+spapr->irq = _irq_xics;
+return;
+}
+
+/*
+ * Non-P9 machines using only XIVE is a bogus setup. We have two
+ * scenarios to take into account because of the compat mode:
+ *
+ * 1. POWER7/8 machines should fail to init later on when creating
+ *the XIVE interrupt presenters because a POWER9 exception
+ *model is required.
+
+ * 2. POWER9 machines using the POWER8 compat mode won't fail and
+ *will let the OS boot with a partial XIVE setup : DT
+ *properties but no hcalls.
+ *
+ * To cover both and not confuse the OS, add an early failure in
+ * QEMU.
+ */
+if (spapr->irq == _irq_xive) {
+error_setg(errp, "XIVE-only machines require a POWER9 CPU");
+return;
+}
+}
+}
+
 /*
  * sPAPR IRQ frontend routines for devices
  */
 void spapr_irq_init(SpaprMachineState *spapr, Error **errp)
 {
 MachineState *machine = MACHINE(spapr);
+Error *local_err = NULL;
 
 if (machine_kernel_irqchip_split(machine)) {
 error_setg(errp, "kernel_irqchip split mode not supported on pseries");
@@ -600,6 +644,12 @@ void spapr_irq_init(SpaprMachineState *spapr, Error **errp)
 return;
 }
 
+spapr_irq_check(spapr, _err);
+if (local_err) {
+error_propagate(errp, local_err);
+return;
+}
+
 /* Initialize the MSI IRQ allocator. */
 if (!SPAPR_MACHINE_GET_CLASS(spapr)->legacy_irq_allocation) {
 spapr_irq_msi_init(spapr, spapr->irq->nr_msis);
-- 
2.20.1

[Qemu-devel] [PULL 8/8] exec: Only count mapped memory backends for qemu_getrampagesize()

[David Gibson]

qemu_getrampagesize() works out the minimum host page size backing any of
guest RAM.  This is required in a few places, such as for POWER8 PAPR KVM
guests, because limitations of the hardware virtualization mean the guest
can't use pagesizes larger than the host pages backing its memory.

However, it currently checks against *every* memory backend, whether or not
it is actually mapped into guest memory at the moment.  This is incorrect.

This can cause a problem attempting to add memory to a POWER8 pseries KVM
guest which is configured to allow hugepages in the guest (e.g.
-machine cap-hpt-max-page-size=16m).  If you attempt to add non-hugepage,
you can (correctly) create a memory backend, however it (correctly) will
throw an error when you attempt to map that memory into the guest by
'device_add'ing a pc-dimm.

What's not correct is that if you then reset the guest a startup check
against qemu_getrampagesize() will cause a fatal error because of the new
memory object, even though it's not mapped into the guest.

This patch corrects the problem by adjusting find_max_supported_pagesize()
(called from qemu_getrampagesize() via object_child_foreach) to exclude
non-mapped memory backends.

Signed-off-by: David Gibson 
Reviewed-by: Igor Mammedov 
Acked-by: David Hildenbrand 
---
 exec.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/exec.c b/exec.c
index 86a38d3b3b..6ab62f4eee 100644
--- a/exec.c
+++ b/exec.c
@@ -1692,9 +1692,10 @@ static int find_max_supported_pagesize(Object *obj, void 
*opaque)
 long *hpsize_min = opaque;
 
 if (object_dynamic_cast(obj, TYPE_MEMORY_BACKEND)) {
-long hpsize = host_memory_backend_pagesize(MEMORY_BACKEND(obj));
+HostMemoryBackend *backend = MEMORY_BACKEND(obj);
+long hpsize = host_memory_backend_pagesize(backend);
 
-if (hpsize < *hpsize_min) {
+if (host_memory_backend_is_mapped(backend) && (hpsize < *hpsize_min)) {
 *hpsize_min = hpsize;
 }
 }
-- 
2.20.1

[Qemu-devel] [PULL 1/8] target/ppc: Fix TCG temporary leaks in gen_bcond()

[David Gibson]

From: Greg Kurz 

Signed-off-by: Greg Kurz 
Message-Id: <155327782047.1283071.10234727692461848972.st...@bahia.lan>
Tested-by: Suraj Jitindar Singh 
Signed-off-by: David Gibson 
---
 target/ppc/translate.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/target/ppc/translate.c b/target/ppc/translate.c
index 98b37cebc2..aaafa3a715 100644
--- a/target/ppc/translate.c
+++ b/target/ppc/translate.c
@@ -3749,6 +3749,8 @@ static void gen_bcond(DisasContext *ctx, int type)
 TCGv temp = tcg_temp_new();
 if (unlikely(type == BCOND_CTR)) {
 gen_inval_exception(ctx, POWERPC_EXCP_INVAL_INVAL);
+tcg_temp_free(temp);
+tcg_temp_free(target);
 return;
 }
 tcg_gen_subi_tl(cpu_ctr, cpu_ctr, 1);
-- 
2.20.1

[Qemu-devel] [PULL 3/8] target/ppc: Consolidate 64-bit server processor detection in a helper

[David Gibson]

From: Greg Kurz 

We use PPC_SEGMENT_64B in various places to guard code that is specific
to 64-bit server processors compliant with arch 2.x. Consolidate the
logic in a helper macro with an explicit name.

Signed-off-by: Greg Kurz 
Message-Id: <155327783157.1283071.3747129891004927299.st...@bahia.lan>
Tested-by: Suraj Jitindar Singh 
Signed-off-by: David Gibson 
---
 hw/ppc/ppc.c |  2 +-
 target/ppc/cpu.h |  6 ++
 target/ppc/helper_regs.h |  2 +-
 target/ppc/translate.c   | 10 --
 4 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/hw/ppc/ppc.c b/hw/ppc/ppc.c
index 49d57469fb..ad20584f26 100644
--- a/hw/ppc/ppc.c
+++ b/hw/ppc/ppc.c
@@ -1101,7 +1101,7 @@ clk_setup_cb cpu_ppc_tb_init (CPUPPCState *env, uint32_t 
freq)
 tb_env = g_malloc0(sizeof(ppc_tb_t));
 env->tb_env = tb_env;
 tb_env->flags = PPC_DECR_UNDERFLOW_TRIGGERED;
-if (env->insns_flags & PPC_SEGMENT_64B) {
+if (is_book3s_arch2x(env)) {
 /* All Book3S 64bit CPUs implement level based DEC logic */
 tb_env->flags |= PPC_DECR_UNDERFLOW_LEVEL;
 }
diff --git a/target/ppc/cpu.h b/target/ppc/cpu.h
index fc12b4688e..0707177584 100644
--- a/target/ppc/cpu.h
+++ b/target/ppc/cpu.h
@@ -2409,6 +2409,12 @@ enum {
 target_ulong cpu_read_xer(CPUPPCState *env);
 void cpu_write_xer(CPUPPCState *env, target_ulong xer);
 
+/*
+ * All 64-bit server processors compliant with arch 2.x, ie. 970 and newer,
+ * have PPC_SEGMENT_64B.
+ */
+#define is_book3s_arch2x(ctx) (!!((ctx)->insns_flags & PPC_SEGMENT_64B))
+
 static inline void cpu_get_tb_cpu_state(CPUPPCState *env, target_ulong *pc,
 target_ulong *cs_base, uint32_t *flags)
 {
diff --git a/target/ppc/helper_regs.h b/target/ppc/helper_regs.h
index a2205e1044..c863abc0bf 100644
--- a/target/ppc/helper_regs.h
+++ b/target/ppc/helper_regs.h
@@ -152,7 +152,7 @@ static inline int hreg_store_msr(CPUPPCState *env, 
target_ulong value,
  * - 64-bit embedded implementations do not need any operation to be
  *   performed when PR is set.
  */
-if ((env->insns_flags & PPC_SEGMENT_64B) && ((value >> MSR_PR) & 1)) {
+if (is_book3s_arch2x(env) && ((value >> MSR_PR) & 1)) {
 value |= (1 << MSR_EE) | (1 << MSR_DR) | (1 << MSR_IR);
 }
 #endif
diff --git a/target/ppc/translate.c b/target/ppc/translate.c
index d3aaa6482c..576210d901 100644
--- a/target/ppc/translate.c
+++ b/target/ppc/translate.c
@@ -3755,7 +3755,7 @@ static void gen_bcond(DisasContext *ctx, int type)
  * arch 2.x, do implement a "test and decrement" logic instead,
  * as described in their respective UMs.
  */
-if (unlikely(!(ctx->insns_flags & PPC_SEGMENT_64B))) {
+if (unlikely(!is_book3s_arch2x(ctx))) {
 gen_inval_exception(ctx, POWERPC_EXCP_INVAL_INVAL);
 tcg_temp_free(temp);
 tcg_temp_free(target);
@@ -3913,7 +3913,7 @@ static void gen_rfi(DisasContext *ctx)
 /* This instruction doesn't exist anymore on 64-bit server
  * processors compliant with arch 2.x
  */
-if (ctx->insns_flags & PPC_SEGMENT_64B) {
+if (is_book3s_arch2x(ctx)) {
 gen_inval_exception(ctx, POWERPC_EXCP_INVAL_INVAL);
 return;
 }
@@ -6535,8 +6535,7 @@ static void gen_msgclr(DisasContext *ctx)
 GEN_PRIV;
 #else
 CHK_HV;
-/* 64-bit server processors compliant with arch 2.x */
-if (ctx->insns_flags & PPC_SEGMENT_64B) {
+if (is_book3s_arch2x(ctx)) {
 gen_helper_book3s_msgclr(cpu_env, cpu_gpr[rB(ctx->opcode)]);
 } else {
 gen_helper_msgclr(cpu_env, cpu_gpr[rB(ctx->opcode)]);
@@ -6550,8 +6549,7 @@ static void gen_msgsnd(DisasContext *ctx)
 GEN_PRIV;
 #else
 CHK_HV;
-/* 64-bit server processors compliant with arch 2.x */
-if (ctx->insns_flags & PPC_SEGMENT_64B) {
+if (is_book3s_arch2x(ctx)) {
 gen_helper_book3s_msgsnd(cpu_gpr[rB(ctx->opcode)]);
 } else {
 gen_helper_msgsnd(cpu_gpr[rB(ctx->opcode)]);
-- 
2.20.1

[Qemu-devel] [PULL 0/8] ppc-for-4.0 queue 20190329

[David Gibson]

The following changes since commit a04d91c701251a9b32b7364ddb48029ba024cb75:

  Merge remote-tracking branch 
'remotes/alistair/tags/pull-device-tree-20190327' into staging (2019-03-28 
12:39:43 +)

are available in the Git repository at:

  git://github.com/dgibson/qemu.git tags/ppc-for-4.0-20190329

for you to fetch changes up to 7d5489e6d15e2922e45a41e4808d03a48457a5ee:

  exec: Only count mapped memory backends for qemu_getrampagesize() (2019-03-29 
14:24:08 +1100)


ppc patch queue 2019-03-29

Here's a set of bugfixes for ppc, aimed at qemu-4.0 during hard freeze.

We have one cleanup that's not strictly a bugfix, but will avoid an
ugly external interface making it to a released version.

We have one change to generic code to tweak the semantics of
qemu_getrampagesize() which fixes a bug for ppc.  This does have a
possible impact on s390x which uses this function for a different
purpose.  I've discussed with David Hildenbrand and Igor Mammedov,
however and we think it won't immediately break anything due to some
existing bugs in the s390 usage.  David H will be following up with
some s390 fixes in that area.


Cédric Le Goater (1):
  spapr/irq: Add XIVE sanity checks on non-P9 machines

David Gibson (2):
  spapr: Simplify handling of host-serial and host-model values
  exec: Only count mapped memory backends for qemu_getrampagesize()

Greg Kurz (5):
  target/ppc: Fix TCG temporary leaks in gen_bcond()
  target/ppc: Enable "decrement and test CTR" version of bcctr
  target/ppc: Consolidate 64-bit server processor detection in a helper
  target/ppc: Improve comment of bcctr used for spectre v2 mitigation
  target/ppc: Fix QEMU crash with stxsdx

 exec.c  |  5 +--
 hw/ppc/ppc.c|  2 +-
 hw/ppc/spapr.c  | 65 +++-
 hw/ppc/spapr_irq.c  | 50 
 include/hw/ppc/spapr.h  |  1 +
 target/ppc/cpu.h|  6 
 target/ppc/helper_regs.h|  2 +-
 target/ppc/translate.c  | 66 +++--
 target/ppc/translate/vsx-impl.inc.c |  2 +-
 9 files changed, 131 insertions(+), 68 deletions(-)

[Qemu-devel] [PULL 2/8] target/ppc: Enable "decrement and test CTR" version of bcctr

[David Gibson]

From: Greg Kurz 

Even if all ISAs up to v3 indeed mention:

If the "decrement and test CTR" option is specified (BO2=0), the
instruction form is invalid.

The UMs of all existing 64-bit server class processors say:

If BO[2] = 0, the contents of CTR (before any update) are used as the
target address and for the test of the contents of CTR to resolve the
branch. The contents of the CTR are then decremented and written back
to the CTR.

The linux kernel has spectre v2 mitigation code that relies on a
BO[2] = 0 variant of bcctr, which is now activated by default on
spapr, even with TCG. This causes linux guests to panic with
the default machine type under TCG.

Since any CPU model can provide its own behaviour for invalid forms,
we could possibly introduce a new instruction flag to handle this.
In practice, since the behaviour is shared by all 64-bit server
processors starting with 970 up to POWER9, let's reuse the
PPC_SEGMENT_64B flag. Caveat: this may have to be fixed later if
POWER10 introduces a different behaviour.

The existing behaviour of throwing a program interrupt is kept for
all other CPU models.

Signed-off-by: Greg Kurz 
Message-Id: <155327782604.1283071.10640596307206921951.st...@bahia.lan>
Tested-by: Suraj Jitindar Singh 
Signed-off-by: David Gibson 
---
 target/ppc/translate.c | 52 ++
 1 file changed, 37 insertions(+), 15 deletions(-)

diff --git a/target/ppc/translate.c b/target/ppc/translate.c
index aaafa3a715..d3aaa6482c 100644
--- a/target/ppc/translate.c
+++ b/target/ppc/translate.c
@@ -3747,22 +3747,44 @@ static void gen_bcond(DisasContext *ctx, int type)
 if ((bo & 0x4) == 0) {
 /* Decrement and test CTR */
 TCGv temp = tcg_temp_new();
-if (unlikely(type == BCOND_CTR)) {
-gen_inval_exception(ctx, POWERPC_EXCP_INVAL_INVAL);
-tcg_temp_free(temp);
-tcg_temp_free(target);
-return;
-}
-tcg_gen_subi_tl(cpu_ctr, cpu_ctr, 1);
-if (NARROW_MODE(ctx)) {
-tcg_gen_ext32u_tl(temp, cpu_ctr);
-} else {
-tcg_gen_mov_tl(temp, cpu_ctr);
-}
-if (bo & 0x2) {
-tcg_gen_brcondi_tl(TCG_COND_NE, temp, 0, l1);
+
+if (type == BCOND_CTR) {
+/*
+ * All ISAs up to v3 describe this form of bcctr as invalid but
+ * some processors, ie. 64-bit server processors compliant with
+ * arch 2.x, do implement a "test and decrement" logic instead,
+ * as described in their respective UMs.
+ */
+if (unlikely(!(ctx->insns_flags & PPC_SEGMENT_64B))) {
+gen_inval_exception(ctx, POWERPC_EXCP_INVAL_INVAL);
+tcg_temp_free(temp);
+tcg_temp_free(target);
+return;
+}
+
+if (NARROW_MODE(ctx)) {
+tcg_gen_ext32u_tl(temp, cpu_ctr);
+} else {
+tcg_gen_mov_tl(temp, cpu_ctr);
+}
+if (bo & 0x2) {
+tcg_gen_brcondi_tl(TCG_COND_NE, temp, 0, l1);
+} else {
+tcg_gen_brcondi_tl(TCG_COND_EQ, temp, 0, l1);
+}
+tcg_gen_subi_tl(cpu_ctr, cpu_ctr, 1);
 } else {
-tcg_gen_brcondi_tl(TCG_COND_EQ, temp, 0, l1);
+tcg_gen_subi_tl(cpu_ctr, cpu_ctr, 1);
+if (NARROW_MODE(ctx)) {
+tcg_gen_ext32u_tl(temp, cpu_ctr);
+} else {
+tcg_gen_mov_tl(temp, cpu_ctr);
+}
+if (bo & 0x2) {
+tcg_gen_brcondi_tl(TCG_COND_NE, temp, 0, l1);
+} else {
+tcg_gen_brcondi_tl(TCG_COND_EQ, temp, 0, l1);
+}
 }
 tcg_temp_free(temp);
 }
-- 
2.20.1

Re: [Qemu-devel] [PATCH] MAINTAINERS: Update the latest email address

[Zhang, Chen]

Ping... May need to wait until the 4.1 version? 

Thanks
Zhang Chen

> -Original Message-
> From: Zhang, Chen
> Sent: Friday, March 15, 2019 2:13 PM
> To: Li Zhijian ; Zhang Chen ;
> Dr. David Alan Gilbert ; Juan Quintela
> ; zhanghailiang ;
> Jason Wang ; Peter Maydell
> ; qemu-dev 
> Cc: Zhang, Chen 
> Subject: [PATCH] MAINTAINERS: Update the latest email address
> 
> From: Zhang Chen 
> 
> Signed-off-by: Zhang Chen 
> ---
>  MAINTAINERS | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 0e7baa9aa2..f127b1356c 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -2167,7 +2167,7 @@ F: include/migration/failover.h
>  F: docs/COLO-FT.txt
> 
>  COLO Proxy
> -M: Zhang Chen 
> +M: Zhang Chen 
>  M: Li Zhijian 
>  S: Supported
>  F: docs/colo-proxy.txt
> --
> 2.17.GIT

Re: [Qemu-devel] [PATCH 0/5] QEMU VFIO live migration

[Zhao Yan]

On Fri, Mar 29, 2019 at 12:04:31AM +0800, Alex Williamson wrote:
> On Thu, 28 Mar 2019 10:21:38 +0100
> Erik Skultety  wrote:
> 
> > On Thu, Mar 28, 2019 at 04:36:03AM -0400, Zhao Yan wrote:
> > > hi Alex and Dave,
> > > Thanks for your replies.
> > > Please see my comments inline.
> > >
> > > On Thu, Mar 28, 2019 at 06:10:20AM +0800, Alex Williamson wrote:  
> > > > On Wed, 27 Mar 2019 20:18:54 +
> > > > "Dr. David Alan Gilbert"  wrote:
> > > >  
> > > > > * Zhao Yan (yan.y.z...@intel.com) wrote:  
> > > > > > On Wed, Feb 20, 2019 at 07:42:42PM +0800, Cornelia Huck wrote:  
> > > > > > > > > > >   b) How do we detect if we're migrating from/to the 
> > > > > > > > > > > wrong device or
> > > > > > > > > > > version of device?  Or say to a device with older 
> > > > > > > > > > > firmware or perhaps
> > > > > > > > > > > a device that has less device memory ?  
> > > > > > > > > > Actually it's still an open for VFIO migration. Need to 
> > > > > > > > > > think about
> > > > > > > > > > whether it's better to check that in libvirt or qemu (like 
> > > > > > > > > > a device magic
> > > > > > > > > > along with verion ?).  
> > > > > > > >
> > > > > > > > We must keep the hardware generation is the same with one POD 
> > > > > > > > of public cloud
> > > > > > > > providers. But we still think about the live migration between 
> > > > > > > > from the the lower
> > > > > > > > generation of hardware migrated to the higher generation.  
> > > > > > >
> > > > > > > Agreed, lower->higher is the one direction that might make sense 
> > > > > > > to
> > > > > > > support.
> > > > > > >
> > > > > > > But regardless of that, I think we need to make sure that 
> > > > > > > incompatible
> > > > > > > devices/versions fail directly instead of failing in a subtle, 
> > > > > > > hard to
> > > > > > > debug way. Might be useful to do some initial sanity checks in 
> > > > > > > libvirt
> > > > > > > as well.
> > > > > > >
> > > > > > > How easy is it to obtain that information in a form that can be
> > > > > > > consumed by higher layers? Can we find out the device type at 
> > > > > > > least?
> > > > > > > What about some kind of revision?  
> > > > > > hi Alex and Cornelia
> > > > > > for device compatibility, do you think it's a good idea to use 
> > > > > > "version"
> > > > > > and "device version" fields?
> > > > > >
> > > > > > version field: identify live migration interface's version. it can 
> > > > > > have a
> > > > > > sort of backward compatibility, like target machine's version >= 
> > > > > > source
> > > > > > machine's version. something like that.  
> > > >
> > > > Don't we essentially already have this via the device specific region?
> > > > The struct vfio_info_cap_header includes id and version fields, so we
> > > > can declare a migration id and increment the version for any
> > > > incompatible changes to the protocol.  
> > > yes, good idea!
> > > so, what about declaring below new cap?
> > > #define VFIO_REGION_INFO_CAP_MIGRATION 4
> > > struct vfio_region_info_cap_migration {
> > > struct vfio_info_cap_header header;
> > > __u32 device_version_len;
> > > __u8  device_version[];
> > > };
> 
> I'm not sure why we need a new region for everything, it seems this
> could fit within the protocol of a single region.  This could simply be
> a new action to retrieve the version where the protocol would report
> the number of bytes available, just like the migration stream itself.
so, to get version of VFIO live migration device state interface (simply
call it migration interface?),
a new cap looks like this:
#define VFIO_REGION_INFO_CAP_MIGRATION 4
it contains struct vfio_info_cap_header only.
when get region info of the migration region, we query this cap and get
migration interface's version. right?

or just directly use VFIO_REGION_INFO_CAP_TYPE is fine?


> > > > > > device_version field consists two parts:
> > > > > > 1. vendor id : it takes 32 bits. e.g. 0x8086.  
> > > >
> > > > Who allocates IDs?  If we're going to use PCI vendor IDs, then I'd
> > > > suggest we use a bit to flag it as such so we can reserve that portion
> > > > of the 32bit address space.  See for example:
> > > >
> > > > #define VFIO_REGION_TYPE_PCI_VENDOR_TYPE(1 << 31)
> > > > #define VFIO_REGION_TYPE_PCI_VENDOR_MASK(0x)
> > > >
> > > > For vendor specific regions.  
> > > Yes, use PCI vendor ID.
> > > you are right, we need to use highest bit 
> > > (VFIO_REGION_TYPE_PCI_VENDOR_TYPE)
> > > to identify it's a PCI ID.
> > > Thanks for pointing it out.
> > > But, I have a question. what is VFIO_REGION_TYPE_PCI_VENDOR_MASK used for?
> > > why it's 0x? I searched QEMU and kernel code and did not find anywhere
> > > uses it.
> 
> PCI vendor IDs are 16bits, it's just indicating that when the
> PCI_VENDOR_TYPE bit is set the valid data is the lower 16bits.

thanks:)

> > > > > > 2. vendor proprietary string: it can be any string that a vendor 
> > > > > > driver
> 

Re: [Qemu-devel] [PATCH 1/2] intel_iommu: Fix root_scalable migration breakage

[Peter Xu]

On Fri, Mar 29, 2019 at 09:51:06AM +0800, Yi Sun wrote:
> On 19-03-28 18:49:32, Peter Xu wrote:
> > When introducing the initial support for scalable mode we added a
> > new field into vmstate however we blindly migrate that field without
> > notice.  That'll break migration no matter forward or backward.
> > 
> Just curious, what is the scenario to break migration? From latest
> qemu integrated scalable mode patches to an old qemu without scalable
> mode?

Yes, just try to fetch/build a 3.1 QEMU and migrate that to a latest
QEMU with -M pc-q35-3.1 and it'll crash with the iommu device.

> 
> The changes look good to me. Thanks for the fix!
> 
> Reviewed-by: Yi Sun 

Thanks,

-- 
Peter Xu

Re: [Qemu-devel] [PATCH 1/2] intel_iommu: Fix root_scalable migration breakage

[Yi Sun]

On 19-03-28 18:49:32, Peter Xu wrote:
> When introducing the initial support for scalable mode we added a
> new field into vmstate however we blindly migrate that field without
> notice.  That'll break migration no matter forward or backward.
> 
Just curious, what is the scenario to break migration? From latest
qemu integrated scalable mode patches to an old qemu without scalable
mode?

The changes look good to me. Thanks for the fix!

Reviewed-by: Yi Sun 

> The normal way should be that we use something like
> VMSTATE_UINT32_TEST() or subsections for the new vmstate field however
> for this case of vt-d we can even make it simpler because we've
> already migrated all the registers and it'll be fairly simple that we
> re-generate root_scalable field from the register values during post
> load of the device.
> 
> Fixes: fb43cf739e ("intel_iommu: scalable mode emulation")
> Signed-off-by: Peter Xu 

Re: [Qemu-devel] [qemu-s390x] [PATCH for-4.0?] exec: Only count mapped memory backends for qemu_getrampagesize()

[David Gibson]

On Thu, Mar 28, 2019 at 10:26:07AM +0100, David Hildenbrand wrote:
> On 28.03.19 02:18, David Gibson wrote:
> > On Wed, Mar 27, 2019 at 03:22:58PM +0100, David Hildenbrand wrote:
> >> On 27.03.19 10:03, David Gibson wrote:
> >>> On Wed, Mar 27, 2019 at 09:10:01AM +0100, David Hildenbrand wrote:
>  On 27.03.19 01:12, David Gibson wrote:
> > On Tue, Mar 26, 2019 at 06:02:51PM +0100, David Hildenbrand wrote:
> >> On 26.03.19 15:08, Igor Mammedov wrote:
> >>> On Tue, 26 Mar 2019 14:50:58 +1100
> >>> David Gibson  wrote:
> >>>
>  qemu_getrampagesize() works out the minimum host page size backing 
>  any of
>  guest RAM.  This is required in a few places, such as for POWER8 
>  PAPR KVM
>  guests, because limitations of the hardware virtualization mean the 
>  guest
>  can't use pagesizes larger than the host pages backing its memory.
> 
>  However, it currently checks against *every* memory backend, whether 
>  or not
>  it is actually mapped into guest memory at the moment.  This is 
>  incorrect.
> 
>  This can cause a problem attempting to add memory to a POWER8 
>  pseries KVM
>  guest which is configured to allow hugepages in the guest (e.g.
>  -machine cap-hpt-max-page-size=16m).  If you attempt to add 
>  non-hugepage,
>  you can (correctly) create a memory backend, however it (correctly) 
>  will
>  throw an error when you attempt to map that memory into the guest by
>  'device_add'ing a pc-dimm.
> 
>  What's not correct is that if you then reset the guest a startup 
>  check
>  against qemu_getrampagesize() will cause a fatal error because of 
>  the new
>  memory object, even though it's not mapped into the guest.
> >>> I'd say that backend should be remove by mgmt app since device_add 
> >>> failed
> >>> instead of leaving it to hang around. (but fatal error either not a 
> >>> nice
> >>> behavior on QEMU part)
> >>
> >> Indeed, it should be removed. Depending on the options (huge pages with
> >> prealloc?) memory might be consumed for unused memory. Undesired.
> >
> > Right, but if the guest initiates a reboot before the management gets
> > to that, we'll have a crash.
> >
> 
>  Yes, I agree.
> 
>  At least on s390x (extending on what Igor said):
> 
>  mc->init() -> s390_memory_init() ->
>  memory_region_allocate_system_memory() -> 
>  host_memory_backend_set_mapped()
> 
> 
>  ac->init_machine() -> kvm_arch_init() ->
>  kvm_s390_configure_mempath_backing() -> qemu_getrampagesize()
> 
> 
>  And in vl.c
> 
>  configure_accelerator(current_machine, argv[0]);
>  ...
>  machine_run_board_init()
> 
>  So memory is indeed not mapped before calling qemu_getrampagesize().
> 
> 
>  We *could* move the call to kvm_s390_configure_mempath_backing() to
>  s390_memory_init().
> 
>  cap_hpage_1m is not needed before we create VCPUs, so this would work 
>  fine.
> 
>  We could than eventually make qemu_getrampagesize() asssert if no
>  backends are mapped at all, to catch other user that rely on this being
>  correct.
> >>>
> >>> So.. I had a look at the usage in kvm_s390_configure_mempath_backing()
> >>> and I'm pretty sure it's broken.  It will work in the case where
> >>> there's only one backend.  And if that's the default -mem-path rather
> >>> than an explicit memory backend then my patch won't break it any
> >>> further.
> >>
> >> On the second look, I think I get your point.
> >>
> >> 1. Why on earth does "find_max_supported_pagesize" find the "minimum
> >> page size". What kind of nasty stuff is this.
> > 
> > Ah, yeah, the naming is bad because of history.
> > 
> > The original usecase of this was because on POWER (before POWER9) the
> > way MMU virtualization works, pages inserted into the guest MMU view
> > have to be host-contiguous: there's no 2nd level translation that lets
> > them be broken into smaller host pages.
> > 
> > The upshot is that a KVM guest can only use large pages if it's backed
> > by large pages on the host.  We have to advertise the availability of
> > large pages to the guest at boot time though, and there's no way to
> > restrict it to certain parts of guest RAM.
> > 
> > So, this code path was finding the _maximum_ page size the guest could
> > use... which depends on the _minimum page_ size used on the host.
> > When this was moved to (partly) generic code we didn't think to
> > improve all the names.
> > 
> >> 2. qemu_mempath_getpagesize() is not affected by your patch
> > 
> > Correct.
> > 
> >> and that
> >> seems to be the only thing used on s390x for now.
> > 
> > Uh.. what?
> > 
> >> I sent a patch to move the call on s390x. But we really have to detect
> 

Re: [Qemu-devel] [PATCH v1] s390x/kvm: Configure page size after memory has actually been initialized

[David Gibson]

On Thu, Mar 28, 2019 at 12:39:24PM +0100, Igor Mammedov wrote:
> On Thu, 28 Mar 2019 11:18:02 +0100
> David Hildenbrand  wrote:
> 
> > On 28.03.19 01:24, David Gibson wrote:
> > > On Wed, Mar 27, 2019 at 09:06:53PM +0100, David Hildenbrand wrote:  
> > >> On 27.03.19 17:45, Igor Mammedov wrote:  
> > >>> On Wed, 27 Mar 2019 14:59:44 +0100
> > >>> David Hildenbrand  wrote:
> > >>>  
> >  Right now we configure the pagesize quite early, when initializing KVM.
> >  This is long before system memory is actually allocated via
> >  memory_region_allocate_system_memory(), and therefore memory backends
> >  marked as mapped.
> > 
> >  Instead, let's configure the maximum page size after initializing
> >  memory in s390_memory_init(). cap_hpage_1m is still properly
> >  configured before creating any CPUs, and therefore before configuring
> >  the CPU model and eventually enabling CMMA.
> > 
> >  We might later want to replace qemu_getrampagesize() by another
> >  detection mechanism, e.g. only looking at mapped, initial memory.
> >  We don't support any memory devices yet, and if so, we can always 
> >  reject
> >  devices with a page size bigger than the initial page size when
> >  hotplugging. qemu_getrampagesize() should work for now, especially when
> >  converting it to only look at mapped backends.
> > 
> >  Signed-off-by: David Hildenbrand   
> > >>>
> > >>> Acked-by: Igor Mammedov   
> > >>
> > >> BTW, do we want
> > >>
> > >> qemu_getmaxrampagesize()
> > >> qemu_getminrampagesize()  
> > > 
> > > That could work.
> > >   
> > >> or similar. qemu_getrampagesize() in its current form is really far from
> > >> beautiful.  
> > > 
> > > Yeah, and AFAICT the way it's used here remains incorrect.
> > >   
> > 
> > Soo,
> > 
> > this is all a big mess :)
> > 
> > 
> > 1. We have to decide on the page size before initializing the CPU model
> > (due to CMMA) and before creating any CPUs -> We have to do it
> > early/before machine init.
> > 
> > 2. Memory devices (if ever supported) are created + realized (+ backends
> > mapped) after machine init.
> > 
> > 3. Memory backends are created delayed, so even after creating devices.
> > 
> > All we can do for s390x is
> > 
> > a) Use the page size of initial memory when configuring the page size in
> > KVM. (AFAICS what would be done right now)
> > 
> > b) When cold/hotplugging memory devices, reject devices with a page size
> > bigger than the page size of initial memory. Not an issue now. In the
> > future it might be "unfortunate" but at least we can print a nice error
> > from the machine hotplug handler "page size not supported in this
> > configuration".
> > 
> > I double checked, "-numa" is not supported in s390x. So "-numa
> > node,mempath=..." does not apply. However this might change and we can
> > easily forget about this. Also, getting rid of -mem-path might be one
> > issue. So the right think to do would be
> > 
> > a) this patch
> > b) introduce and use qemu_getmaxrampagesize()
> > 
> > Then, we would properly detect the maximum page size *for initial
> > memory*. Memory devices, we will have to worry about in the future, but
> > should be easy to handle (remember and check against maximum configured
> >  page size).
> 
> Problem David tries to solve is that 

Uh, which David?

>  1: user hotplugged backend with wrong page size
>  2: hotplug of associated device 'pc-dimm' cleanly fails with error
>  3: guest does reboot and QEMU crashes with fatal error
> 
> Issue is that qemu_getmaxrampagesize() iterates over backends which
> might be used for guest RAM or theoretically might be used for
> something else.
> 
> using 'mapped' attribute is a hack that currently works around issue [3]
> but it's prone to being incorrect depending on call order.

I'm not sure what you mean by that.  For the purposes we need on ppc
checking the RAM that's actually present in the guest really is what
we need.

> maybe we should prevent [1] in the first place (but making backends
> depend on machine/accel doesn't look good either)?

Yeah, I wondered about this.  There's no way to do it right now, and a
hook would be kinda ugly.  Not sure if it's more or less ugly than the
alternatives.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson


signature.asc
Description: PGP signature

Re: [Qemu-devel] [PATCH for-4.1 v2 00/36] tcg: Move the softmmu tlb to CPUNegativeOffsetState

[no-reply]

Patchew URL: 
https://patchew.org/QEMU/20190328230404.12909-1-richard.hender...@linaro.org/



Hi,

This series seems to have some coding style problems. See output below for
more information:

Message-id: 20190328230404.12909-1-richard.hender...@linaro.org
Subject: [Qemu-devel] [PATCH for-4.1 v2 00/36] tcg: Move the softmmu tlb to 
CPUNegativeOffsetState
Type: series

=== TEST SCRIPT BEGIN ===
#!/bin/bash
git rev-parse base > /dev/null || exit 0
git config --local diff.renamelimit 0
git config --local diff.renames True
git config --local diff.algorithm histogram
./scripts/checkpatch.pl --mailback base..
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
From https://github.com/patchew-project/qemu
 t [tag update]
patchew/20190328133503.6490-1-peter.mayd...@linaro.org -> 
patchew/20190328133503.6490-1-peter.mayd...@linaro.org
 t [tag update]
patchew/20190328143003.16702-1-peter.mayd...@linaro.org -> 
patchew/20190328143003.16702-1-peter.mayd...@linaro.org
 t [tag update]
patchew/20190328152635.2794-1-peter.mayd...@linaro.org -> 
patchew/20190328152635.2794-1-peter.mayd...@linaro.org
 t [tag update]
patchew/20190328152944.3199-1-peter.mayd...@linaro.org -> 
patchew/20190328152944.3199-1-peter.mayd...@linaro.org
 * [new tag]   
patchew/20190328230404.12909-1-richard.hender...@linaro.org -> 
patchew/20190328230404.12909-1-richard.hender...@linaro.org
Auto packing the repository in background for optimum performance.
See "git help gc" for manual housekeeping.
Switched to a new branch 'test'
f9a66881e4 tcg/arm: Use LDRD to load tlb mask+table
a586dfdc11 tcg/aarch64: Use LDP to load tlb mask+table
7ef50708e7 cpu: Remove CPU_COMMON
7c6cb89b16 cpu: Move the softmmu tlb to CPUNegativeOffsetState
3543e67ac0 cpu: Move icount_decr to CPUNegativeOffsetState
113e6c106f cpu: Introduce CPUNegativeOffsetState
95d493bf38 cpu: Introduce cpu_set_cpustate_pointers
34c8a29e55 cpu: Move ENV_OFFSET to exec/gen-icount.h
dd15a5a8c7 target/xtensa: Use env_cpu, env_archcpu
a95792f513 target/unicore32: Use env_cpu, env_archcpu
5c574e3f08 target/tricore: Use env_cpu
17a6f23a59 target/tilegx: Use env_cpu
a6ab5b9053 target/sparc: Use env_cpu, env_archcpu
2818ba16bf target/sh4: Use env_cpu, env_archcpu
950b4f85e6 target/s390x: Use env_cpu, env_archcpu
ca5cfd47a6 target/riscv: Use env_cpu, env_archcpu
b66b95baa1 target/ppc: Use env_cpu, env_archcpu
ddb073ba26 target/openrisc: Use env_cpu, env_archcpu
2e474a6b7d target/nios2: Use env_cpu, env_archcpu
3825a5e3dd target/moxie: Use env_cpu, env_archcpu
0bbc8862a5 target/mips: Use env_cpu, env_archcpu
0583f518fa target/microblaze: Use env_cpu, env_archcpu
c2cf5d2738 target/m68k: Use env_cpu, env_archcpu
65f2736258 target/lm32: Use env_cpu, env_archcpu
928c5fa23c target/i386: Use env_cpu, env_archcpu
6302562a79 target/hppa: Use env_cpu, env_archcpu
745b9da831 target/cris: Use env_cpu, env_archcpu
71ddd63a36 target/arm: Use env_cpu, env_archcpu
a9d03a568d target/alpha: Use env_cpu, env_archcpu
a7dd6ee21d cpu: Introduce env_archcpu
def257dbab cpu: Replace ENV_GET_CPU with env_cpu
3f602af99d cpu: Define ArchCPU
f1145468e6 cpu: Define CPUArchState with typedef
53b9e78cca tcg: Create struct CPUTLB
73e019c8f9 tcg: Split out target/arch/cpu-param.h
2c6d24b7d4 tcg: Fold CPUTLBWindow into CPUTLBDesc

=== OUTPUT BEGIN ===
1/36 Checking commit 2c6d24b7d40f (tcg: Fold CPUTLBWindow into CPUTLBDesc)
2/36 Checking commit 73e019c8f909 (tcg: Split out target/arch/cpu-param.h)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#56: 
new file mode 100644

WARNING: Block comments use a leading /* on a separate line
#357: FILE: target/i386/cpu-param.h:4:
+/* ??? This is really 48 bits, sign-extended, but the only thing

WARNING: Block comments use * on subsequent lines
#358: FILE: target/i386/cpu-param.h:5:
+/* ??? This is really 48 bits, sign-extended, but the only thing
+   accessible to userland with bit 48 set is the VSYSCALL, and that

WARNING: Block comments use a trailing */ on a separate line
#359: FILE: target/i386/cpu-param.h:6:
+   is handled via other mechanisms.  */

WARNING: Block comments use a leading /* on a separate line
#466: FILE: target/m68k/cpu-param.h:2:
+/* Coldfire Linux uses 8k pages

ERROR: code indent should never use tabs
#1024: FILE: target/sh4/cpu-param.h:2:
+#define TARGET_PAGE_BITS 12^I/* 4k */$

total: 1 errors, 5 warnings, 1030 lines checked

Patch 2/36 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

3/36 Checking commit 53b9e78ccaf7 (tcg: Create struct CPUTLB)
WARNING: line over 80 characters
#350: FILE: accel/tcg/cputlb.c:781:
+env_tlb(env)->d[mmu_idx].viotlb[vidx] = 
env_tlb(env)->d[mmu_idx].iotlb[index];

total: 0 errors, 1 warnings, 677 lines checked

Patch 3/36 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, 

Re: [Qemu-devel] [PATCH] spapr/irq: Add XIVE sanity checks on non-P9 machines

[David Gibson]

On Thu, Mar 28, 2019 at 11:00:44AM +0100, Cédric Le Goater wrote:
> On non-P9 machines, the XIVE interrupt mode is not advertised, see
> spapr_dt_ov5_platform_support(). Add a couple of checks on the machine
> configuration to filter bogus setups and prevent OS failures :
> 
>  Interrupt modes
> 
>   CPU/Compat  XICSXIVEdual
> 
>P8/P8  OK  QEMU failure (1)OK (3)
>P9/P8  OK  QEMU failure (2)OK (3)
>P9/P9  OK  OK  OK
> 
>   (1) CPU exception model is incompatible with XIVE and the presenters
>   will fail to realize.
> 
>   (2) CPU exception model is compatible with XIVE, but the XIVE CAS
>   advertisement is dropped when in POWER8 mode. So we could ended up
>   booting with the XIVE DT properties but without the HCALLs. Avoid
>   confusing Linux with such settings and fail under QEMU.
> 
>   (3) force XICS in machine init
> 
> Remove the check on XIVE-only machines in spapr_machine_init(), which
> has now become redundant.
> 
> Signed-off-by: Cédric Le Goater 

Applied, thanks.

> ---
>  hw/ppc/spapr.c |  8 +---
>  hw/ppc/spapr_irq.c | 50 ++
>  2 files changed, 51 insertions(+), 7 deletions(-)
> 
> diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> index adde36a01da3..33ab7b683ba2 100644
> --- a/hw/ppc/spapr.c
> +++ b/hw/ppc/spapr.c
> @@ -2806,13 +2806,7 @@ static void spapr_machine_init(MachineState *machine)
>  
>  /* advertise XIVE on POWER9 machines */
>  if (spapr->irq->ov5 & (SPAPR_OV5_XIVE_EXPLOIT | SPAPR_OV5_XIVE_BOTH)) {
> -if (ppc_type_check_compat(machine->cpu_type, 
> CPU_POWERPC_LOGICAL_3_00,
> -  0, spapr->max_compat_pvr)) {
> -spapr_ovec_set(spapr->ov5, OV5_XIVE_EXPLOIT);
> -} else if (spapr->irq->ov5 & SPAPR_OV5_XIVE_EXPLOIT) {
> -error_report("XIVE-only machines require a POWER9 CPU");
> -exit(1);
> -}
> +spapr_ovec_set(spapr->ov5, OV5_XIVE_EXPLOIT);
>  }
>  
>  /* init CPUs */
> diff --git a/hw/ppc/spapr_irq.c b/hw/ppc/spapr_irq.c
> index 5809c955501c..b1f79ea9def6 100644
> --- a/hw/ppc/spapr_irq.c
> +++ b/hw/ppc/spapr_irq.c
> @@ -16,6 +16,7 @@
>  #include "hw/ppc/spapr_xive.h"
>  #include "hw/ppc/xics.h"
>  #include "hw/ppc/xics_spapr.h"
> +#include "cpu-models.h"
>  #include "sysemu/kvm.h"
>  
>  #include "trace.h"
> @@ -566,12 +567,55 @@ SpaprIrq spapr_irq_dual = {
>  .get_nodename = spapr_irq_get_nodename_dual,
>  };
>  
> +
> +static void spapr_irq_check(SpaprMachineState *spapr, Error **errp)
> +{
> +MachineState *machine = MACHINE(spapr);
> +
> +/*
> + * Sanity checks on non-P9 machines. On these, XIVE is not
> + * advertised, see spapr_dt_ov5_platform_support()
> + */
> +if (!ppc_type_check_compat(machine->cpu_type, CPU_POWERPC_LOGICAL_3_00,
> +   0, spapr->max_compat_pvr)) {
> +/*
> + * If the 'dual' interrupt mode is selected, force XICS as CAS
> + * negotiation is useless.
> + */
> +if (spapr->irq == _irq_dual) {
> +spapr->irq = _irq_xics;
> +return;
> +}
> +
> +/*
> + * Non-P9 machines using only XIVE is a bogus setup. We have two
> + * scenarios to take into account because of the compat mode:
> + *
> + * 1. POWER7/8 machines should fail to init later on when creating
> + *the XIVE interrupt presenters because a POWER9 exception
> + *model is required.
> +
> + * 2. POWER9 machines using the POWER8 compat mode won't fail and
> + *will let the OS boot with a partial XIVE setup : DT
> + *properties but no hcalls.
> + *
> + * To cover both and not confuse the OS, add an early failure in
> + * QEMU.
> + */
> +if (spapr->irq == _irq_xive) {
> +error_setg(errp, "XIVE-only machines require a POWER9 CPU");
> +return;
> +}
> +}
> +}
> +
>  /*
>   * sPAPR IRQ frontend routines for devices
>   */
>  void spapr_irq_init(SpaprMachineState *spapr, Error **errp)
>  {
>  MachineState *machine = MACHINE(spapr);
> +Error *local_err = NULL;
>  
>  if (machine_kernel_irqchip_split(machine)) {
>  error_setg(errp, "kernel_irqchip split mode not supported on 
> pseries");
> @@ -584,6 +628,12 @@ void spapr_irq_init(SpaprMachineState *spapr, Error 
> **errp)
>  return;
>  }
>  
> +spapr_irq_check(spapr, _err);
> +if (local_err) {
> +error_propagate(errp, local_err);
> +return;
> +}
> +
>  /* Initialize the MSI IRQ allocator. */
>  if (!SPAPR_MACHINE_GET_CLASS(spapr)->legacy_irq_allocation) {
>  spapr_irq_msi_init(spapr, spapr->irq->nr_msis);

-- 
David Gibson| I'll have my music baroque, and my code
david AT 

Re: [Qemu-devel] [PATCH v2 2/2] exec: Introduce qemu_getmaxrampagesize() and rename qemu_getrampagesize()

[David Gibson]

On Thu, Mar 28, 2019 at 12:34:58PM +0100, David Hildenbrand wrote:
> Rename qemu_getrampagesize() to qemu_getminrampagesize(). While at it,
> properly rename find_min_supported_pagesize() to find_max_pagesize().
> 
> s390x is actually interrested into the maximum ram pagesize, so

s/interrested/interested/

> introduce and use qemu_getmaxrampagesize().
> 
> Signed-off-by: David Hildenbrand 

Looks good in concept to me.  Comments below are just minor suggested
polish.

> ---
>  exec.c | 39 ++
>  hw/ppc/spapr_caps.c|  4 ++--
>  hw/s390x/s390-virtio-ccw.c |  2 +-
>  hw/vfio/spapr.c|  2 +-
>  target/ppc/kvm.c   |  2 +-
>  5 files changed, 40 insertions(+), 9 deletions(-)
> 
> diff --git a/exec.c b/exec.c
> index 6ab62f4eee..cf74f5f284 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -1687,7 +1687,7 @@ void ram_block_dump(Monitor *mon)
>   * when we actually open and map them.  Iterate over the file
>   * descriptors instead, and use qemu_fd_getpagesize().
>   */
> -static int find_max_supported_pagesize(Object *obj, void *opaque)
> +static int find_min_pagesize(Object *obj, void *opaque)

Maybe find_min_host_pagesize() to clarify exactly what we're finding.

>  {
>  long *hpsize_min = opaque;
>  
> @@ -1703,7 +1703,23 @@ static int find_max_supported_pagesize(Object *obj, 
> void *opaque)
>  return 0;
>  }
>  
> -long qemu_getrampagesize(void)
> +static int find_max_pagesize(Object *obj, void *opaque)
> +{
> +long *hpsize_max = opaque;
> +
> +if (object_dynamic_cast(obj, TYPE_MEMORY_BACKEND)) {
> +HostMemoryBackend *backend = MEMORY_BACKEND(obj);
> +long hpsize = host_memory_backend_pagesize(backend);
> +
> +if (host_memory_backend_is_mapped(backend) && (hpsize > 
> *hpsize_max)) {
> +*hpsize_max = hpsize;
> +}
> +}
> +
> +return 0;
> +}
> +
> +long qemu_getminrampagesize(void)

s/getminrampagesize/minrampagesize/ for brevity.

The "get" doesn't really add anything useful.

>  {
>  long hpsize = LONG_MAX;
>  long mainrampagesize;
> @@ -1723,7 +1739,7 @@ long qemu_getrampagesize(void)
>   */
>  memdev_root = object_resolve_path("/objects", NULL);
>  if (memdev_root) {
> -object_child_foreach(memdev_root, find_max_supported_pagesize, 
> );
> +object_child_foreach(memdev_root, find_min_pagesize, );
>  }
>  if (hpsize == LONG_MAX) {
>  /* No additional memory regions found ==> Report main RAM page size 
> */
> @@ -1746,8 +1762,23 @@ long qemu_getrampagesize(void)
>  
>  return hpsize;
>  }
> +
> +long qemu_getmaxrampagesize(void)

Same here.

> +{
> +long pagesize = qemu_mempath_getpagesize(mem_path);
> +Object *memdev_root = object_resolve_path("/objects", NULL);
> +
> +if (memdev_root) {
> +object_child_foreach(memdev_root, find_max_pagesize, );
> +}
> +return pagesize;
> +}
>  #else
> -long qemu_getrampagesize(void)
> +long qemu_getminrampagesize(void)
> +{
> +return getpagesize();
> +}
> +long qemu_getmaxrampagesize(void)
>  {
>  return getpagesize();
>  }
> diff --git a/hw/ppc/spapr_caps.c b/hw/ppc/spapr_caps.c
> index edc5ed0e0c..3177dc2390 100644
> --- a/hw/ppc/spapr_caps.c
> +++ b/hw/ppc/spapr_caps.c
> @@ -347,7 +347,7 @@ static void cap_hpt_maxpagesize_apply(SpaprMachineState 
> *spapr,
>  warn_report("Many guests require at least 64kiB hpt-max-page-size");
>  }
>  
> -spapr_check_pagesize(spapr, qemu_getrampagesize(), errp);
> +spapr_check_pagesize(spapr, qemu_getminrampagesize(), errp);
>  }
>  
>  static bool spapr_pagesize_cb(void *opaque, uint32_t seg_pshift,
> @@ -609,7 +609,7 @@ static SpaprCapabilities 
> default_caps_with_cpu(SpaprMachineState *spapr,
>  uint8_t mps;
>  
>  if (kvmppc_hpt_needs_host_contiguous_pages()) {
> -mps = ctz64(qemu_getrampagesize());
> +mps = ctz64(qemu_getminrampagesize());
>  } else {
>  mps = 34; /* allow everything up to 16GiB, i.e. everything */
>  }
> diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
> index 3be5679657..143ac974ca 100644
> --- a/hw/s390x/s390-virtio-ccw.c
> +++ b/hw/s390x/s390-virtio-ccw.c
> @@ -188,7 +188,7 @@ static void s390_memory_init(ram_addr_t mem_size)
>   * Configure the maximum page size. As no memory devices were created
>   * yet, this is the page size of initial memory only.
>   */
> -s390_set_max_pagesize(qemu_getrampagesize(), _err);
> +s390_set_max_pagesize(qemu_getmaxrampagesize(), _err);
>  if (local_err) {
>  error_report_err(local_err);
>  exit(EXIT_FAILURE);
> diff --git a/hw/vfio/spapr.c b/hw/vfio/spapr.c
> index 57fe758e54..30d409a46f 100644
> --- a/hw/vfio/spapr.c
> +++ b/hw/vfio/spapr.c
> @@ -148,7 +148,7 @@ int vfio_spapr_create_window(VFIOContainer *container,
>  uint64_t pagesize = memory_region_iommu_get_min_page_size(iommu_mr);
>  

Re: [Qemu-devel] [PATCH for-4.0] spapr: Simplify handling of host-serial and host-model values

[David Gibson]

On Thu, Mar 28, 2019 at 01:56:48PM +0100, Greg Kurz wrote:
> On Thu, 28 Mar 2019 15:40:25 +1100
> David Gibson  wrote:
> 
> > 27461d69a0f "ppc: add host-serial and host-model machine attributes
> > (CVE-2019-8934)" introduced 'host-serial' and 'host-model' machine
> > properties for spapr to explicitly control the values advertised to the
> > guest in device tree properties with the same names.
> > 
> > The previous behaviour on KVM was to unconditionally populate the device
> > tree with the real host serial number and model, which leaks possibly
> > sensitive information about the host to the guest.
> > 
> > To maintain compatibility for old machine types, we allowed those props
> > to be set to "passthrough" to take the value from the host as before.  Or
> > they could be set to "none" to explicitly omit the device tree items.
> > 
> > Special casing specific values on what's otherwise a user supplied string
> > is very ugly.  So, this patch simplifies things by implementing the
> > backwards compatibility in a different way: we have a machine class flag
> > set for the older machines, and we only load the host values into the
> > device tree if A) they're not set by the user and B) we have that flag set.
> > 
> > This does mean that the "passthrough" functionality is no longer available
> > with the current machine type.  That's ok though: if a user or management
> > layer really wants the information passed through they can read it
> > themselves (OpenStack Nova already does something similar for x86).
> > 
> > It also means the user can't explicitly ask for the values to be omitted
> > on the old machine types.  I think that's an acceptable trade-off: if you
> > care enough about not leaking the host information you can either move to
> > the new machine type, or use a dummy value for the properties.
> > 
> > This also removes an odd inconsistency between running on a POWER and
> > non-POWER (or non-Linux) hosts: if the host information couldn't be read
> > from where we expect (in the host's device tree as exposed by Linux), we'd
> > fallback to omitting the guest device tree items.
> 
> This is still the case, isn't it ? A pseries-3.1 machine on a POWER linux host
> has the DT items but the same machine on any other setup doesn't have them...
> or maybe^Wlikely I don't understand what you mean :)

So, I was talking about the case of the new machine type there.  Which
admittedly probably wasn't terribly clear in context.

> > While we're there, improve some poorly worded comments, and the help text
> > for the properties.
> > 
> > Signed-off-by: David Gibson 
> > ---
> > 
> > I've (tentatively) put this into my ppc-for-4.0 tree already, which I
> > hope to push in the next few days.  I realize it's very late to make
> > such a cleanup in 4.0, however I'd like to clean up the interface
> > before it goes into a released version which we have to support for
> > ages.
> > 
> 
> Sure. So, I've tested on POWER, non-POWER, with KVM, with TCG. It works as
> expected. Just one remark: when running an old machine type under TCG on
> a POWER host, the DT items are populated with the host data if QEMU was
> built with KVM support, and missing if QEMU was built without KVM support.
> This makes me wonder if kvm_enabled() should be added somewhere in the
> picture... Anyway, this has always been here and could be addressed in
> some other patch.

I don't see that there's much point.  Yes, the old behaviour is broken
and inconsistent, and the new machine type behaviour fixes that.  I
don't see much profit in tweaking the exact areas of inconsistency in
the old behaviour.

> I've just one typo in the description of "host-serial" below. Appart from
> that:
> 
> Reviewed-by: Greg Kurz 
> 
> and
> 
> Tested-by: Greg Kurz 

Thanks.

> 
> >  hw/ppc/spapr.c | 57 ++
> >  include/hw/ppc/spapr.h |  1 +
> >  2 files changed, 20 insertions(+), 38 deletions(-)
> > 
> > diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> > index 6c16d6cfaf..c46c6e2670 100644
> > --- a/hw/ppc/spapr.c
> > +++ b/hw/ppc/spapr.c
> > @@ -1252,38 +1252,8 @@ static void *spapr_build_fdt(SpaprMachineState 
> > *spapr)
> >  _FDT(fdt_setprop_string(fdt, 0, "model", "IBM pSeries (emulated by 
> > qemu)"));
> >  _FDT(fdt_setprop_string(fdt, 0, "compatible", "qemu,pseries"));
> >  
> > -/*
> > - * Add info to guest to indentify which host is it being run on
> > - * and what is the uuid of the guest
> > - */
> > -if (spapr->host_model && !g_str_equal(spapr->host_model, "none")) {
> > -if (g_str_equal(spapr->host_model, "passthrough")) {
> > -/* -M host-model=passthrough */
> > -if (kvmppc_get_host_model()) {
> > -_FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
> > -g_free(buf);
> > -}
> > -} else {
> > -/* -M host-model= */
> > -_FDT(fdt_setprop_string(fdt, 0, "host-model", 
> 

Re: [Qemu-devel] [PATCH v7 0/2] spapr-rtas: add ibm, get-vpd RTAS interface

[David Gibson]

On Thu, Mar 28, 2019 at 02:21:51PM +0100, Greg Kurz wrote:
> On Wed, 27 Mar 2019 17:41:00 -0300
> "Maxiwell S. Garcia"  wrote:
> 
> > Here are two patches to add a handler for ibm,get-vpd RTAS calls.
> > This RTAS exposes host information in case of set QEMU options
> > 'host-serial' and 'host-model' as 'passthrough'.
> > 
> > The patch 1 creates helper functions to get valid 'host-serial'
> > and 'host-model' parameters, guided by QEMU command line. These
> > parameters are useful to build the guest device tree and to return
> > get-vpd RTAS calls. The patch 2 adds the ibm,get-vpd itself.
> > 
> > Update v7:
> > * rtas_get_vpd_fields as a static array in spapr machine state
> > 
> > Maxiwell S. Garcia (2):
> >   spapr: helper functions to get valid host fields
> >   spapr-rtas: add ibm,get-vpd RTAS interface
> > 
> >  hw/ppc/spapr.c | 48 +++--
> >  hw/ppc/spapr_rtas.c| 96 ++
> >  include/hw/ppc/spapr.h | 14 +-
> >  3 files changed, 135 insertions(+), 23 deletions(-)
> > 
> 
> Hi Maxiwell,
> 
> David sent a patch to rework how the host data is exposed to the guest.
> Especially, the special casing of the "none" and "passthrough" strings
> is no more... I'm afraid you'll have to rework your patches accordingly:
> code+changelog in patch 1 and at least changelog in patch 2.

Yes.  Also note that this won't be merged until qemu 4.1.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson


signature.asc
Description: PGP signature

Re: [Qemu-devel] [PATCH v2 1/2] s390x/kvm: Configure page size after memory has actually been initialized

[David Gibson]

On Thu, Mar 28, 2019 at 12:34:57PM +0100, David Hildenbrand wrote:
> Right now we configure the pagesize quite early, when initializing KVM.
> This is long before system memory is actually allocated via
> memory_region_allocate_system_memory(), and therefore memory backends
> marked as mapped.
> 
> Instead, let's configure the maximum page size after initializing
> memory in s390_memory_init(). cap_hpage_1m is still properly
> configured before creating any CPUs, and therefore before configuring
> the CPU model and eventually enabling CMMA.
> 
> This is not a fix but rather a preparation for the future, when initial
> memory might reside on memory backends (not the case for s390x right now)
> We will replace qemu_getrampagesize() soon by a function that will always
> return the maximum page size (not the minimum page size, which only
> works by pure luck so far, as there are no memory backends).
> 
> Acked-by: Igor Mammedov 
> Signed-off-by: David Hildenbrand 

Reviewed-by: David Gibson 

> ---
>  hw/s390x/s390-virtio-ccw.c | 12 
>  target/s390x/cpu.c |  7 +++
>  target/s390x/cpu.h |  1 +
>  target/s390x/kvm-stub.c|  4 
>  target/s390x/kvm.c | 35 ++-
>  target/s390x/kvm_s390x.h   |  1 +
>  6 files changed, 39 insertions(+), 21 deletions(-)
> 
> diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
> index d11069b860..3be5679657 100644
> --- a/hw/s390x/s390-virtio-ccw.c
> +++ b/hw/s390x/s390-virtio-ccw.c
> @@ -15,6 +15,7 @@
>  #include "cpu.h"
>  #include "hw/boards.h"
>  #include "exec/address-spaces.h"
> +#include "exec/ram_addr.h"
>  #include "hw/s390x/s390-virtio-hcall.h"
>  #include "hw/s390x/sclp.h"
>  #include "hw/s390x/s390_flic.h"
> @@ -163,6 +164,7 @@ static void s390_memory_init(ram_addr_t mem_size)
>  MemoryRegion *sysmem = get_system_memory();
>  ram_addr_t chunk, offset = 0;
>  unsigned int number = 0;
> +Error *local_err = NULL;
>  gchar *name;
>  
>  /* allocate RAM for core */
> @@ -182,6 +184,15 @@ static void s390_memory_init(ram_addr_t mem_size)
>  }
>  g_free(name);
>  
> +/*
> + * Configure the maximum page size. As no memory devices were created
> + * yet, this is the page size of initial memory only.
> + */
> +s390_set_max_pagesize(qemu_getrampagesize(), _err);
> +if (local_err) {
> +error_report_err(local_err);
> +exit(EXIT_FAILURE);
> +}
>  /* Initialize storage key device */
>  s390_skeys_init();
>  /* Initialize storage attributes device */
> @@ -253,6 +264,7 @@ static void ccw_init(MachineState *machine)
>  DeviceState *dev;
>  
>  s390_sclp_init();
> +/* init memory + setup max page size. Required for the CPU model */
>  s390_memory_init(machine->ram_size);
>  
>  /* init CPUs (incl. CPU model) early so s390_has_feature() works */
> diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c
> index 698dd9cb82..b58ef0a8ef 100644
> --- a/target/s390x/cpu.c
> +++ b/target/s390x/cpu.c
> @@ -399,6 +399,13 @@ int s390_set_memory_limit(uint64_t new_limit, uint64_t 
> *hw_limit)
>  return 0;
>  }
>  
> +void s390_set_max_pagesize(uint64_t pagesize, Error **errp)
> +{
> +if (kvm_enabled()) {
> +kvm_s390_set_max_pagesize(pagesize, errp);
> +}
> +}
> +
>  void s390_cmma_reset(void)
>  {
>  if (kvm_enabled()) {
> diff --git a/target/s390x/cpu.h b/target/s390x/cpu.h
> index cb6d77053a..c14be2b5ba 100644
> --- a/target/s390x/cpu.h
> +++ b/target/s390x/cpu.h
> @@ -734,6 +734,7 @@ static inline void s390_do_cpu_load_normal(CPUState *cs, 
> run_on_cpu_data arg)
>  /* cpu.c */
>  void s390_crypto_reset(void);
>  int s390_set_memory_limit(uint64_t new_limit, uint64_t *hw_limit);
> +void s390_set_max_pagesize(uint64_t pagesize, Error **errp);
>  void s390_cmma_reset(void);
>  void s390_enable_css_support(S390CPU *cpu);
>  int s390_assign_subch_ioeventfd(EventNotifier *notifier, uint32_t sch_id,
> diff --git a/target/s390x/kvm-stub.c b/target/s390x/kvm-stub.c
> index bf7795e47a..22b4514ca6 100644
> --- a/target/s390x/kvm-stub.c
> +++ b/target/s390x/kvm-stub.c
> @@ -93,6 +93,10 @@ int kvm_s390_set_mem_limit(uint64_t new_limit, uint64_t 
> *hw_limit)
>  return 0;
>  }
>  
> +void kvm_s390_set_max_pagesize(uint64_t pagesize, Error **errp)
> +{
> +}
> +
>  void kvm_s390_crypto_reset(void)
>  {
>  }
> diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
> index 19530fb94e..bee73dc1a4 100644
> --- a/target/s390x/kvm.c
> +++ b/target/s390x/kvm.c
> @@ -283,44 +283,37 @@ void kvm_s390_crypto_reset(void)
>  }
>  }
>  
> -static int kvm_s390_configure_mempath_backing(KVMState *s)
> +void kvm_s390_set_max_pagesize(uint64_t pagesize, Error **errp)
>  {
> -size_t path_psize = qemu_getrampagesize();
> -
> -if (path_psize == 4 * KiB) {
> -return 0;
> +if (pagesize == 4 * KiB) {
> +return;
>  }
>  
>  if (!hpage_1m_allowed()) {
> -

Re: [Qemu-devel] [PATCH v1] s390x/kvm: Configure page size after memory has actually been initialized

[David Gibson]

On Thu, Mar 28, 2019 at 11:18:02AM +0100, David Hildenbrand wrote:
> On 28.03.19 01:24, David Gibson wrote:
> > On Wed, Mar 27, 2019 at 09:06:53PM +0100, David Hildenbrand wrote:
> >> On 27.03.19 17:45, Igor Mammedov wrote:
> >>> On Wed, 27 Mar 2019 14:59:44 +0100
> >>> David Hildenbrand  wrote:
> >>>
>  Right now we configure the pagesize quite early, when initializing KVM.
>  This is long before system memory is actually allocated via
>  memory_region_allocate_system_memory(), and therefore memory backends
>  marked as mapped.
> 
>  Instead, let's configure the maximum page size after initializing
>  memory in s390_memory_init(). cap_hpage_1m is still properly
>  configured before creating any CPUs, and therefore before configuring
>  the CPU model and eventually enabling CMMA.
> 
>  We might later want to replace qemu_getrampagesize() by another
>  detection mechanism, e.g. only looking at mapped, initial memory.
>  We don't support any memory devices yet, and if so, we can always reject
>  devices with a page size bigger than the initial page size when
>  hotplugging. qemu_getrampagesize() should work for now, especially when
>  converting it to only look at mapped backends.
> 
>  Signed-off-by: David Hildenbrand 
> >>>
> >>> Acked-by: Igor Mammedov 
> >>
> >> BTW, do we want
> >>
> >> qemu_getmaxrampagesize()
> >> qemu_getminrampagesize()
> > 
> > That could work.
> > 
> >> or similar. qemu_getrampagesize() in its current form is really far from
> >> beautiful.
> > 
> > Yeah, and AFAICT the way it's used here remains incorrect.
> > 
> 
> Soo,
> 
> this is all a big mess :)
> 
> 
> 1. We have to decide on the page size before initializing the CPU model
> (due to CMMA) and before creating any CPUs -> We have to do it
> early/before machine init.
> 
> 2. Memory devices (if ever supported) are created + realized (+ backends
> mapped) after machine init.
> 
> 3. Memory backends are created delayed, so even after creating devices.
> 
> All we can do for s390x is
> 
> a) Use the page size of initial memory when configuring the page size in
> KVM. (AFAICS what would be done right now)

Is the page size used here visible to the guest?

> b) When cold/hotplugging memory devices, reject devices with a page size
> bigger than the page size of initial memory. Not an issue now. In the
> future it might be "unfortunate" but at least we can print a nice error
> from the machine hotplug handler "page size not supported in this
> configuration".

Right, ppc does something similar, though for different reasons.

> I double checked, "-numa" is not supported in s390x. So "-numa
> node,mempath=..." does not apply. However this might change and we can
> easily forget about this. Also, getting rid of -mem-path might be one
> issue. So the right think to do would be
> 
> a) this patch
> b) introduce and use qemu_getmaxrampagesize()
> 
> Then, we would properly detect the maximum page size *for initial
> memory*. Memory devices, we will have to worry about in the future, but
> should be easy to handle (remember and check against maximum configured
>  page size).
> 
> Thoughts?

Sounds reasonable.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson


signature.asc
Description: PGP signature

Re: [Qemu-devel] [PATCH for-4.1] hw/ssi/xilinx_spips: Avoid variable length array

[Alistair Francis]

On Thu, Mar 28, 2019 at 8:39 AM Peter Maydell  wrote:
>
> In the stripe8() function we use a variable length array; however
> we know that the maximum length required is MAX_NUM_BUSSES. Use
> a fixed-length array and an assert instead.
>
> Signed-off-by: Peter Maydell 

Reviewed-by: Alistair Francis 

Who's tree should this go through?

Alistair

> ---
>  hw/ssi/xilinx_spips.c | 6 --
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
> index 16f88f74029..c615058cc1b 100644
> --- a/hw/ssi/xilinx_spips.c
> +++ b/hw/ssi/xilinx_spips.c
> @@ -429,12 +429,14 @@ static void xlnx_zynqmp_qspips_reset(DeviceState *d)
>
>  static inline void stripe8(uint8_t *x, int num, bool dir)
>  {
> -uint8_t r[num];
> -memset(r, 0, sizeof(uint8_t) * num);
> +uint8_t r[MAX_NUM_BUSSES];
>  int idx[2] = {0, 0};
>  int bit[2] = {0, 7};
>  int d = dir;
>
> +assert(num <= MAX_NUM_BUSSES);
> +memset(r, 0, sizeof(uint8_t) * num);
> +
>  for (idx[0] = 0; idx[0] < num; ++idx[0]) {
>  for (bit[0] = 7; bit[0] >= 0; bit[0]--) {
>  r[idx[!d]] |= x[idx[d]] & 1 << bit[d] ? 1 << bit[!d] : 0;
> --
> 2.20.1
>
>

[Qemu-devel] [PATCH for-4.1 v2 03/36] tcg: Create struct CPUTLB

[Richard Henderson]

Move all softmmu tlb data into this structure.  Arrange the
members so that we are able to place mask+table together and
at a smaller absolute offset from ENV.

Acked-by: Alistair Francis 
Signed-off-by: Richard Henderson 
---
 accel/tcg/softmmu_template.h |   4 +-
 include/exec/cpu-defs.h  |  61 ---
 include/exec/cpu_ldst.h  |   6 +-
 accel/tcg/cputlb.c   | 147 ++-
 target/arm/translate-a64.c   |   2 +-
 tcg/aarch64/tcg-target.inc.c |  10 +--
 tcg/arm/tcg-target.inc.c |  10 +--
 tcg/i386/tcg-target.inc.c|   4 +-
 tcg/mips/tcg-target.inc.c|  12 +--
 tcg/ppc/tcg-target.inc.c |   8 +-
 tcg/riscv/tcg-target.inc.c   |  12 +--
 tcg/s390/tcg-target.inc.c|   8 +-
 tcg/sparc/tcg-target.inc.c   |  12 +--
 13 files changed, 135 insertions(+), 161 deletions(-)

diff --git a/accel/tcg/softmmu_template.h b/accel/tcg/softmmu_template.h
index e970a8b378..fc6371aed1 100644
--- a/accel/tcg/softmmu_template.h
+++ b/accel/tcg/softmmu_template.h
@@ -102,7 +102,7 @@ static inline DATA_TYPE glue(io_read, SUFFIX)(CPUArchState 
*env,
   bool recheck,
   MMUAccessType access_type)
 {
-CPUIOTLBEntry *iotlbentry = >iotlb[mmu_idx][index];
+CPUIOTLBEntry *iotlbentry = _tlb(env)->d[mmu_idx].iotlb[index];
 return io_readx(env, iotlbentry, mmu_idx, addr, retaddr, recheck,
 access_type, DATA_SIZE);
 }
@@ -273,7 +273,7 @@ static inline void glue(io_write, SUFFIX)(CPUArchState *env,
   uintptr_t retaddr,
   bool recheck)
 {
-CPUIOTLBEntry *iotlbentry = >iotlb[mmu_idx][index];
+CPUIOTLBEntry *iotlbentry = _tlb(env)->d[mmu_idx].iotlb[index];
 return io_writex(env, iotlbentry, mmu_idx, val, addr, retaddr,
  recheck, DATA_SIZE);
 }
diff --git a/include/exec/cpu-defs.h b/include/exec/cpu-defs.h
index 2694481769..fbe8945606 100644
--- a/include/exec/cpu-defs.h
+++ b/include/exec/cpu-defs.h
@@ -78,6 +78,7 @@ typedef uint64_t target_ulong;
 #endif
 
 #if !defined(CONFIG_USER_ONLY) && defined(CONFIG_TCG)
+
 /* use a fully associative victim tlb of 8 entries */
 #define CPU_VTLB_SIZE 8
 
@@ -147,6 +148,10 @@ typedef struct CPUIOTLBEntry {
 MemTxAttrs attrs;
 } CPUIOTLBEntry;
 
+/*
+ * Data elements that are per MMU mode, minus the bits accessed by
+ * the TCG fast path.
+ */
 typedef struct CPUTLBDesc {
 /*
  * Describe a region covering all of the large pages allocated
@@ -160,16 +165,31 @@ typedef struct CPUTLBDesc {
 int64_t window_begin_ns;
 /* maximum number of entries observed in the window */
 size_t window_max_entries;
+size_t n_used_entries;
 /* The next index to use in the tlb victim table.  */
 size_t vindex;
-size_t n_used_entries;
+/* The tlb victim table, in two parts.  */
+CPUTLBEntry vtable[CPU_VTLB_SIZE];
+CPUIOTLBEntry viotlb[CPU_VTLB_SIZE];
+/* The iotlb.  */
+CPUIOTLBEntry *iotlb;
 } CPUTLBDesc;
 
+/*
+ * Data elements that are per MMU mode, accessed by the fast path.
+ */
+typedef struct CPUTLBDescFast {
+/* Contains (n_entries - 1) << CPU_TLB_ENTRY_BITS */
+uintptr_t mask;
+/* The array of tlb entries itself. */
+CPUTLBEntry *table;
+} CPUTLBDescFast;
+
 /*
  * Data elements that are shared between all MMU modes.
  */
 typedef struct CPUTLBCommon {
-/* Serialize updates to tlb_table and tlb_v_table, and others as noted. */
+/* Serialize updates to tlb_table and vtable, and others as noted. */
 QemuSpin lock;
 /*
  * Within dirty, for each bit N, modifications have been made to
@@ -187,35 +207,24 @@ typedef struct CPUTLBCommon {
 size_t elide_flush_count;
 } CPUTLBCommon;
 
-# define CPU_TLB\
-/* tlb_mask[i] contains (n_entries - 1) << CPU_TLB_ENTRY_BITS */\
-uintptr_t tlb_mask[NB_MMU_MODES];   \
-CPUTLBEntry *tlb_table[NB_MMU_MODES];
-# define CPU_IOTLB  \
-CPUIOTLBEntry *iotlb[NB_MMU_MODES];
-
 /*
+ * The entire softmmu tlb, for all MMU modes.
  * The meaning of each of the MMU modes is defined in the target code.
- * Note that NB_MMU_MODES is not yet defined; we can only reference it
- * within preprocessor defines that will be expanded later.
  */
-#define CPU_COMMON_TLB \
-CPUTLBCommon tlb_c; \
-CPUTLBDesc tlb_d[NB_MMU_MODES]; \
-CPU_TLB \
-CPUTLBEntry tlb_v_table[NB_MMU_MODES][CPU_VTLB_SIZE];   \
-CPU_IOTLB   \
-CPUIOTLBEntry iotlb_v[NB_MMU_MODES][CPU_VTLB_SIZE];
+typedef struct CPUTLB {
+CPUTLBDescFast f[NB_MMU_MODES];
+CPUTLBDesc 

[Qemu-devel] [PATCH for-4.1 v2 00/36] tcg: Move the softmmu tlb to CPUNegativeOffsetState

[Richard Henderson]

Changes from v1->v2:
  * Add cpu_set_cpustate_pointers.
  * Add icount_decr_ptr to CPUState.

Blurb from v1:

This started merely as an attempt to reduce the size of each
softmmu lookup by using smaller offsets from env.  But in the
end it also represents a significant cleanup in the boilerplate
that each target must define.

With respect to the initial goal, here are the relevant code
snips generated for loading the mask & table fields for a
qemu_ld from an aarch64 guest on the indicated host.

BEFORE:

x86_64:
0x7f9698c5f73b:  48 23 bd 98 32 00 00 andq 0x3298(%rbp), %rdi
0x7f9698c5f742:  48 03 bd d8 32 00 00 addq 0x32d8(%rbp), %rdi

aarch64:
0x9e001e28:  91400e61  add  x1, x19, #3, lsl #12
0x9e001e2c:  f9414c20  ldr  x0, [x1, #0x298]
0x9e001e30:  f9416c21  ldr  x1, [x1, #0x2d8]

aarch32:
0xa2b7f0d4:  e2862a03  add  r2, r6, #0x3000
0xa2b7f0d8:  e592c20c  ldr  ip, [r2, #0x20c]
0xa2b7f0dc:  e59c  ldr  r2, [r2, #0x22c]

AFTER:

x86_64:
0x7fa40a000154:  48 23 7d e0  andq -0x20(%rbp), %rdi
0x7fa40a000158:  48 03 7d e8  addq -0x18(%rbp), %rdi

aarch64:
0xa20001b4:  a97e0660  ldp  x0, x1, [x19, #-0x20]

aarch32:
0xa2c7f0d4:  e14604d8  ldrd r0, r1, [r6, #-0x48]

The other tcg hosts do not see as significant difference.  PPC and
mips have 16-bit signed offsets, and have no load-pair/multiple.
S390x has 20-bit signed offsets and, like x86, uses a read-operate
instruction form.  Sparc and RISC-V have 13 and 12-bit signed offsets
respectively, and so do avoid an extra add insn in this case, but
do not have load-pair/multiple.

All that said, in the end I'm most happy with the diffstat result.


r~



Richard Henderson (36):
  tcg: Fold CPUTLBWindow into CPUTLBDesc
  tcg: Split out target/arch/cpu-param.h
  tcg: Create struct CPUTLB
  cpu: Define CPUArchState with typedef
  cpu: Define ArchCPU
  cpu: Replace ENV_GET_CPU with env_cpu
  cpu: Introduce env_archcpu
  target/alpha: Use env_cpu, env_archcpu
  target/arm: Use env_cpu, env_archcpu
  target/cris: Use env_cpu, env_archcpu
  target/hppa: Use env_cpu, env_archcpu
  target/i386: Use env_cpu, env_archcpu
  target/lm32: Use env_cpu, env_archcpu
  target/m68k: Use env_cpu, env_archcpu
  target/microblaze: Use env_cpu, env_archcpu
  target/mips: Use env_cpu, env_archcpu
  target/moxie: Use env_cpu, env_archcpu
  target/nios2: Use env_cpu, env_archcpu
  target/openrisc: Use env_cpu, env_archcpu
  target/ppc: Use env_cpu, env_archcpu
  target/riscv: Use env_cpu, env_archcpu
  target/s390x: Use env_cpu, env_archcpu
  target/sh4: Use env_cpu, env_archcpu
  target/sparc: Use env_cpu, env_archcpu
  target/tilegx: Use env_cpu
  target/tricore: Use env_cpu
  target/unicore32: Use env_cpu, env_archcpu
  target/xtensa: Use env_cpu, env_archcpu
  cpu: Move ENV_OFFSET to exec/gen-icount.h
  cpu: Introduce cpu_set_cpustate_pointers
  cpu: Introduce CPUNegativeOffsetState
  cpu: Move icount_decr to CPUNegativeOffsetState
  cpu: Move the softmmu tlb to CPUNegativeOffsetState
  cpu: Remove CPU_COMMON
  tcg/aarch64: Use LDP to load tlb mask+table
  tcg/arm: Use LDRD to load tlb mask+table

 accel/tcg/atomic_template.h   |   8 +-
 accel/tcg/softmmu_template.h  |  24 +--
 include/exec/cpu-all.h|  58 +++
 include/exec/cpu-defs.h   | 113 -
 include/exec/cpu_ldst.h   |   6 +-
 include/exec/cpu_ldst_template.h  |   6 +-
 include/exec/cpu_ldst_useronly_template.h |   6 +-
 include/exec/gen-icount.h |  14 +-
 include/exec/softmmu-semi.h   |  16 +-
 include/qom/cpu.h |  40 ++---
 linux-user/cpu_loop-common.h  |   2 +-
 linux-user/m68k/target_cpu.h  |   2 +-
 target/alpha/cpu-param.h  |  19 +++
 target/alpha/cpu.h|  40 +
 target/arm/cpu-param.h|  22 +++
 target/arm/cpu.h  |  52 +-
 target/cris/cpu-param.h   |   5 +
 target/cris/cpu.h |  25 +--
 target/hppa/cpu-param.h   |  22 +++
 target/hppa/cpu.h |  38 +
 target/i386/cpu-param.h   |  14 ++
 target/i386/cpu.h |  40 +
 target/lm32/cpu-param.h   |   5 +
 target/lm32/cpu.h |  25 +--
 target/m68k/cpu-param.h   |   9 +
 target/m68k/cpu.h |  28 +---
 target/microblaze/cpu-param.h |   6 +
 target/microblaze/cpu.h   |  63 +++
 target/mips/cpu-param.h   |  18 ++
 target/mips/cpu.h |  21 +--
 target/mips/mips-defs.h   |  15 --
 target/moxie/cpu-param.h  |   5 +
 target/moxie/cpu.h|  29 +---
 target/nios2/cpu-param.h  |   9 +
 target/nios2/cpu.h   

[Qemu-devel] [PATCH for-4.1 v2 09/36] target/arm: Use env_cpu, env_archcpu

[Richard Henderson]

Combined uses of CPU(arm_env_get_cpu()) were failures to use
the more proper, ENV_GET_CPU macro, now replaced by env_cpu.

Signed-off-by: Richard Henderson 
---
 target/arm/cpu.h  |   5 --
 linux-user/aarch64/cpu_loop.c |   6 +-
 linux-user/aarch64/signal.c   |   4 +-
 linux-user/arm/cpu_loop.c |   2 +-
 linux-user/syscall.c  |   8 +--
 target/arm/arm-semi.c |   4 +-
 target/arm/cpu64.c|   2 +-
 target/arm/helper-a64.c   |   4 +-
 target/arm/helper.c   | 118 +-
 target/arm/op_helper.c|  21 +++---
 target/arm/translate-a64.c|   2 +-
 target/arm/translate.c|   2 +-
 target/arm/vfp_helper.c   |   2 +-
 13 files changed, 87 insertions(+), 93 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index b6bd34f5b5..3de68c5844 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -903,11 +903,6 @@ struct ARMCPU {
 uint32_t sve_max_vq;
 };
 
-static inline ARMCPU *arm_env_get_cpu(CPUARMState *env)
-{
-return container_of(env, ARMCPU, env);
-}
-
 void arm_cpu_post_init(Object *obj);
 
 uint64_t arm_cpu_mp_affinity(int idx, uint8_t clustersz);
diff --git a/linux-user/aarch64/cpu_loop.c b/linux-user/aarch64/cpu_loop.c
index d75fd9d3e2..97f355ee23 100644
--- a/linux-user/aarch64/cpu_loop.c
+++ b/linux-user/aarch64/cpu_loop.c
@@ -72,7 +72,7 @@
 /* AArch64 main loop */
 void cpu_loop(CPUARMState *env)
 {
-CPUState *cs = CPU(arm_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 int trapnr;
 abi_long ret;
 target_siginfo_t info;
@@ -167,8 +167,8 @@ void arm_init_pauth_key(ARMPACKey *key)
 
 void target_cpu_copy_regs(CPUArchState *env, struct target_pt_regs *regs)
 {
-ARMCPU *cpu = arm_env_get_cpu(env);
-CPUState *cs = CPU(cpu);
+ARMCPU *cpu = env_archcpu(env);
+CPUState *cs = env_cpu(env);
 TaskState *ts = cs->opaque;
 struct image_info *info = ts->info;
 int i;
diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
index f84a9cf28a..cd521ee42d 100644
--- a/linux-user/aarch64/signal.c
+++ b/linux-user/aarch64/signal.c
@@ -314,7 +314,7 @@ static int target_restore_sigframe(CPUARMState *env,
 break;
 
 case TARGET_SVE_MAGIC:
-if (cpu_isar_feature(aa64_sve, arm_env_get_cpu(env))) {
+if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
 vq = (env->vfp.zcr_el[1] & 0xf) + 1;
 sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
 if (!sve && size == sve_size) {
@@ -433,7 +433,7 @@ static void target_setup_frame(int usig, struct 
target_sigaction *ka,
   );
 
 /* SVE state needs saving only if it exists.  */
-if (cpu_isar_feature(aa64_sve, arm_env_get_cpu(env))) {
+if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
 vq = (env->vfp.zcr_el[1] & 0xf) + 1;
 sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
 sve_ofs = alloc_sigframe_space(sve_size, );
diff --git a/linux-user/arm/cpu_loop.c b/linux-user/arm/cpu_loop.c
index b7e7a6323c..ece4cf335e 100644
--- a/linux-user/arm/cpu_loop.c
+++ b/linux-user/arm/cpu_loop.c
@@ -206,7 +206,7 @@ do_kernel_trap(CPUARMState *env)
 
 void cpu_loop(CPUARMState *env)
 {
-CPUState *cs = CPU(arm_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 int trapnr;
 unsigned int n, insn;
 target_siginfo_t info;
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index e2fc01ad6c..88dfd9c236 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -9690,10 +9690,10 @@ static abi_long do_syscall1(void *cpu_env, int num, 
abi_long arg1,
  * even though the current architectural maximum is VQ=16.
  */
 ret = -TARGET_EINVAL;
-if (cpu_isar_feature(aa64_sve, arm_env_get_cpu(cpu_env))
+if (cpu_isar_feature(aa64_sve, env_archcpu(cpu_env))
 && arg2 >= 0 && arg2 <= 512 * 16 && !(arg2 & 15)) {
 CPUARMState *env = cpu_env;
-ARMCPU *cpu = arm_env_get_cpu(env);
+ARMCPU *cpu = env_archcpu(env);
 uint32_t vq, old_vq;
 
 old_vq = (env->vfp.zcr_el[1] & 0xf) + 1;
@@ -9710,7 +9710,7 @@ static abi_long do_syscall1(void *cpu_env, int num, 
abi_long arg1,
 case TARGET_PR_SVE_GET_VL:
 ret = -TARGET_EINVAL;
 {
-ARMCPU *cpu = arm_env_get_cpu(cpu_env);
+ARMCPU *cpu = env_archcpu(cpu_env);
 if (cpu_isar_feature(aa64_sve, cpu)) {
 ret = ((cpu->env.vfp.zcr_el[1] & 0xf) + 1) * 16;
 }
@@ -9719,7 +9719,7 @@ static abi_long do_syscall1(void *cpu_env, int num, 
abi_long arg1,
 case TARGET_PR_PAC_RESET_KEYS:
 {
 CPUARMState *env = cpu_env;
-ARMCPU *cpu = arm_env_get_cpu(env);
+ARMCPU *cpu = env_archcpu(env);

[Qemu-devel] [PATCH for-4.1 v2 13/36] target/lm32: Use env_cpu, env_archcpu

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 target/lm32/cpu.h   |  5 -
 target/lm32/helper.c| 19 ++-
 target/lm32/op_helper.c |  6 +++---
 target/lm32/translate.c |  2 +-
 4 files changed, 10 insertions(+), 22 deletions(-)

diff --git a/target/lm32/cpu.h b/target/lm32/cpu.h
index 258f2b4266..69beb16972 100644
--- a/target/lm32/cpu.h
+++ b/target/lm32/cpu.h
@@ -195,11 +195,6 @@ struct LM32CPU {
 uint32_t features;
 };
 
-static inline LM32CPU *lm32_env_get_cpu(CPULM32State *env)
-{
-return container_of(env, LM32CPU, env);
-}
-
 #define ENV_OFFSET offsetof(LM32CPU, env)
 
 #ifndef CONFIG_USER_ONLY
diff --git a/target/lm32/helper.c b/target/lm32/helper.c
index a039a993ff..674cbd7fe4 100644
--- a/target/lm32/helper.c
+++ b/target/lm32/helper.c
@@ -58,28 +58,23 @@ hwaddr lm32_cpu_get_phys_page_debug(CPUState *cs, vaddr 
addr)
 
 void lm32_breakpoint_insert(CPULM32State *env, int idx, target_ulong address)
 {
-LM32CPU *cpu = lm32_env_get_cpu(env);
-
-cpu_breakpoint_insert(CPU(cpu), address, BP_CPU,
+cpu_breakpoint_insert(env_cpu(env), address, BP_CPU,
   >cpu_breakpoint[idx]);
 }
 
 void lm32_breakpoint_remove(CPULM32State *env, int idx)
 {
-LM32CPU *cpu = lm32_env_get_cpu(env);
-
 if (!env->cpu_breakpoint[idx]) {
 return;
 }
 
-cpu_breakpoint_remove_by_ref(CPU(cpu), env->cpu_breakpoint[idx]);
+cpu_breakpoint_remove_by_ref(env_cpu(env), env->cpu_breakpoint[idx]);
 env->cpu_breakpoint[idx] = NULL;
 }
 
 void lm32_watchpoint_insert(CPULM32State *env, int idx, target_ulong address,
 lm32_wp_t wp_type)
 {
-LM32CPU *cpu = lm32_env_get_cpu(env);
 int flags = 0;
 
 switch (wp_type) {
@@ -98,26 +93,24 @@ void lm32_watchpoint_insert(CPULM32State *env, int idx, 
target_ulong address,
 }
 
 if (flags != 0) {
-cpu_watchpoint_insert(CPU(cpu), address, 1, flags,
->cpu_watchpoint[idx]);
+cpu_watchpoint_insert(env_cpu(env), address, 1, flags,
+  >cpu_watchpoint[idx]);
 }
 }
 
 void lm32_watchpoint_remove(CPULM32State *env, int idx)
 {
-LM32CPU *cpu = lm32_env_get_cpu(env);
-
 if (!env->cpu_watchpoint[idx]) {
 return;
 }
 
-cpu_watchpoint_remove_by_ref(CPU(cpu), env->cpu_watchpoint[idx]);
+cpu_watchpoint_remove_by_ref(env_cpu(env), env->cpu_watchpoint[idx]);
 env->cpu_watchpoint[idx] = NULL;
 }
 
 static bool check_watchpoints(CPULM32State *env)
 {
-LM32CPU *cpu = lm32_env_get_cpu(env);
+LM32CPU *cpu = env_archcpu(env);
 int i;
 
 for (i = 0; i < cpu->num_watchpoints; i++) {
diff --git a/target/lm32/op_helper.c b/target/lm32/op_helper.c
index 234d55e056..ebff4c4518 100644
--- a/target/lm32/op_helper.c
+++ b/target/lm32/op_helper.c
@@ -16,7 +16,7 @@
 #if !defined(CONFIG_USER_ONLY)
 void raise_exception(CPULM32State *env, int index)
 {
-CPUState *cs = CPU(lm32_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 
 cs->exception_index = index;
 cpu_loop_exit(cs);
@@ -29,7 +29,7 @@ void HELPER(raise_exception)(CPULM32State *env, uint32_t 
index)
 
 void HELPER(hlt)(CPULM32State *env)
 {
-CPUState *cs = CPU(lm32_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 
 cs->halted = 1;
 cs->exception_index = EXCP_HLT;
@@ -39,7 +39,7 @@ void HELPER(hlt)(CPULM32State *env)
 void HELPER(ill)(CPULM32State *env)
 {
 #ifndef CONFIG_USER_ONLY
-CPUState *cs = CPU(lm32_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 fprintf(stderr, "VM paused due to illegal instruction. "
 "Connect a debugger or switch to the monitor console "
 "to find out more.\n");
diff --git a/target/lm32/translate.c b/target/lm32/translate.c
index b32feb7564..e2163809f2 100644
--- a/target/lm32/translate.c
+++ b/target/lm32/translate.c
@@ -1052,7 +1052,7 @@ static inline void decode(DisasContext *dc, uint32_t ir)
 void gen_intermediate_code(CPUState *cs, struct TranslationBlock *tb)
 {
 CPULM32State *env = cs->env_ptr;
-LM32CPU *cpu = lm32_env_get_cpu(env);
+LM32CPU *cpu = env_archcpu(env);
 struct DisasContext ctx, *dc = 
 uint32_t pc_start;
 uint32_t page_start;
-- 
2.17.1

[Qemu-devel] [PATCH for-4.1 v2 01/36] tcg: Fold CPUTLBWindow into CPUTLBDesc

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 include/exec/cpu-defs.h | 17 -
 accel/tcg/cputlb.c  | 24 
 2 files changed, 16 insertions(+), 25 deletions(-)

diff --git a/include/exec/cpu-defs.h b/include/exec/cpu-defs.h
index 8f2a848bf5..52d150aaf1 100644
--- a/include/exec/cpu-defs.h
+++ b/include/exec/cpu-defs.h
@@ -127,18 +127,6 @@ typedef struct CPUIOTLBEntry {
 MemTxAttrs attrs;
 } CPUIOTLBEntry;
 
-/**
- * struct CPUTLBWindow
- * @begin_ns: host time (in ns) at the beginning of the time window
- * @max_entries: maximum number of entries observed in the window
- *
- * See also: tlb_mmu_resize_locked()
- */
-typedef struct CPUTLBWindow {
-int64_t begin_ns;
-size_t max_entries;
-} CPUTLBWindow;
-
 typedef struct CPUTLBDesc {
 /*
  * Describe a region covering all of the large pages allocated
@@ -148,9 +136,12 @@ typedef struct CPUTLBDesc {
  */
 target_ulong large_page_addr;
 target_ulong large_page_mask;
+/* host time (in ns) at the beginning of the time window */
+int64_t window_begin_ns;
+/* maximum number of entries observed in the window */
+size_t window_max_entries;
 /* The next index to use in the tlb victim table.  */
 size_t vindex;
-CPUTLBWindow window;
 size_t n_used_entries;
 } CPUTLBDesc;
 
diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index 88cc8389e9..23586f9974 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -79,11 +79,11 @@ static inline size_t sizeof_tlb(CPUArchState *env, 
uintptr_t mmu_idx)
 return env->tlb_mask[mmu_idx] + (1 << CPU_TLB_ENTRY_BITS);
 }
 
-static void tlb_window_reset(CPUTLBWindow *window, int64_t ns,
+static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
  size_t max_entries)
 {
-window->begin_ns = ns;
-window->max_entries = max_entries;
+desc->window_begin_ns = ns;
+desc->window_max_entries = max_entries;
 }
 
 static void tlb_dyn_init(CPUArchState *env)
@@ -94,7 +94,7 @@ static void tlb_dyn_init(CPUArchState *env)
 CPUTLBDesc *desc = >tlb_d[i];
 size_t n_entries = 1 << CPU_TLB_DYN_DEFAULT_BITS;
 
-tlb_window_reset(>window, get_clock_realtime(), 0);
+tlb_window_reset(desc, get_clock_realtime(), 0);
 desc->n_used_entries = 0;
 env->tlb_mask[i] = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
 env->tlb_table[i] = g_new(CPUTLBEntry, n_entries);
@@ -151,18 +151,18 @@ static void tlb_mmu_resize_locked(CPUArchState *env, int 
mmu_idx)
 int64_t now = get_clock_realtime();
 int64_t window_len_ms = 100;
 int64_t window_len_ns = window_len_ms * 1000 * 1000;
-bool window_expired = now > desc->window.begin_ns + window_len_ns;
+bool window_expired = now > desc->window_begin_ns + window_len_ns;
 
-if (desc->n_used_entries > desc->window.max_entries) {
-desc->window.max_entries = desc->n_used_entries;
+if (desc->n_used_entries > desc->window_max_entries) {
+desc->window_max_entries = desc->n_used_entries;
 }
-rate = desc->window.max_entries * 100 / old_size;
+rate = desc->window_max_entries * 100 / old_size;
 
 if (rate > 70) {
 new_size = MIN(old_size << 1, 1 << CPU_TLB_DYN_MAX_BITS);
 } else if (rate < 30 && window_expired) {
-size_t ceil = pow2ceil(desc->window.max_entries);
-size_t expected_rate = desc->window.max_entries * 100 / ceil;
+size_t ceil = pow2ceil(desc->window_max_entries);
+size_t expected_rate = desc->window_max_entries * 100 / ceil;
 
 /*
  * Avoid undersizing when the max number of entries seen is just below
@@ -182,7 +182,7 @@ static void tlb_mmu_resize_locked(CPUArchState *env, int 
mmu_idx)
 
 if (new_size == old_size) {
 if (window_expired) {
-tlb_window_reset(>window, now, desc->n_used_entries);
+tlb_window_reset(desc, now, desc->n_used_entries);
 }
 return;
 }
@@ -190,7 +190,7 @@ static void tlb_mmu_resize_locked(CPUArchState *env, int 
mmu_idx)
 g_free(env->tlb_table[mmu_idx]);
 g_free(env->iotlb[mmu_idx]);
 
-tlb_window_reset(>window, now, 0);
+tlb_window_reset(desc, now, 0);
 /* desc->n_used_entries is cleared by the caller */
 env->tlb_mask[mmu_idx] = (new_size - 1) << CPU_TLB_ENTRY_BITS;
 env->tlb_table[mmu_idx] = g_try_new(CPUTLBEntry, new_size);
-- 
2.17.1

[Qemu-devel] [PATCH for-4.1 v2 12/36] target/i386: Use env_cpu, env_archcpu

[Richard Henderson]

Combined uses of CPU(x86_env_get_cpu()) were failures to use
the more proper, ENV_GET_CPU macro, now replaced by env_cpu.

Signed-off-by: Richard Henderson 
---
 target/i386/cpu.h  |  5 -
 bsd-user/main.c|  3 +--
 hw/i386/kvmvapic.c |  4 ++--
 hw/i386/pc.c   |  2 +-
 linux-user/i386/cpu_loop.c |  2 +-
 linux-user/i386/signal.c   |  2 +-
 linux-user/vm86.c  | 18 +-
 target/i386/bpt_helper.c   |  4 ++--
 target/i386/cpu.c  |  4 ++--
 target/i386/excp_helper.c  |  2 +-
 target/i386/fpu_helper.c   |  2 +-
 target/i386/helper.c   | 16 ++--
 target/i386/misc_helper.c  | 24 +++-
 target/i386/seg_helper.c   | 14 +++---
 target/i386/smm_helper.c   |  4 ++--
 target/i386/svm_helper.c   | 22 +++---
 16 files changed, 58 insertions(+), 70 deletions(-)

diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 450842185a..7ff5ab77c1 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1477,11 +1477,6 @@ struct X86CPU {
 int32_t hv_max_vps;
 };
 
-static inline X86CPU *x86_env_get_cpu(CPUX86State *env)
-{
-return container_of(env, X86CPU, env);
-}
-
 #define ENV_OFFSET offsetof(X86CPU, env)
 
 #ifndef CONFIG_USER_ONLY
diff --git a/bsd-user/main.c b/bsd-user/main.c
index 0d3156974c..e554ebdfb3 100644
--- a/bsd-user/main.c
+++ b/bsd-user/main.c
@@ -139,8 +139,7 @@ static void set_idt(int n, unsigned int dpl)
 
 void cpu_loop(CPUX86State *env)
 {
-X86CPU *cpu = x86_env_get_cpu(env);
-CPUState *cs = CPU(cpu);
+CPUState *cs = env_cpu(cpu);
 int trapnr;
 abi_ulong pc;
 //target_siginfo_t info;
diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
index 70f6f26a94..fe5b12ef6e 100644
--- a/hw/i386/kvmvapic.c
+++ b/hw/i386/kvmvapic.c
@@ -152,7 +152,7 @@ static void update_guest_rom_state(VAPICROMState *s)
 
 static int find_real_tpr_addr(VAPICROMState *s, CPUX86State *env)
 {
-CPUState *cs = CPU(x86_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 hwaddr paddr;
 target_ulong addr;
 
@@ -279,7 +279,7 @@ instruction_ok:
 
 static int update_rom_mapping(VAPICROMState *s, CPUX86State *env, target_ulong 
ip)
 {
-CPUState *cs = CPU(x86_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 hwaddr paddr;
 uint32_t rom_state_vaddr;
 uint32_t pos, patch, offset;
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 6077d27361..f2caaa8132 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -405,7 +405,7 @@ uint64_t cpu_get_tsc(CPUX86State *env)
 /* IRQ handling */
 int cpu_get_pic_interrupt(CPUX86State *env)
 {
-X86CPU *cpu = x86_env_get_cpu(env);
+X86CPU *cpu = env_archcpu(env);
 int intno;
 
 if (!kvm_irqchip_in_kernel()) {
diff --git a/linux-user/i386/cpu_loop.c b/linux-user/i386/cpu_loop.c
index 51cfa006c9..71da24384f 100644
--- a/linux-user/i386/cpu_loop.c
+++ b/linux-user/i386/cpu_loop.c
@@ -82,7 +82,7 @@ static void set_idt(int n, unsigned int dpl)
 
 void cpu_loop(CPUX86State *env)
 {
-CPUState *cs = CPU(x86_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 int trapnr;
 abi_ulong pc;
 abi_ulong ret;
diff --git a/linux-user/i386/signal.c b/linux-user/i386/signal.c
index fecb4c99c3..97a39204cc 100644
--- a/linux-user/i386/signal.c
+++ b/linux-user/i386/signal.c
@@ -198,7 +198,7 @@ static void setup_sigcontext(struct target_sigcontext *sc,
 struct target_fpstate *fpstate, CPUX86State *env, abi_ulong mask,
 abi_ulong fpstate_addr)
 {
-CPUState *cs = CPU(x86_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 #ifndef TARGET_X86_64
 uint16_t magic;
 
diff --git a/linux-user/vm86.c b/linux-user/vm86.c
index 9c393df424..2fa7a89edc 100644
--- a/linux-user/vm86.c
+++ b/linux-user/vm86.c
@@ -72,7 +72,7 @@ static inline unsigned int vm_getl(CPUX86State *env,
 
 void save_v86_state(CPUX86State *env)
 {
-CPUState *cs = CPU(x86_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 TaskState *ts = cs->opaque;
 struct target_vm86plus_struct * target_v86;
 
@@ -132,7 +132,7 @@ static inline void return_to_32bit(CPUX86State *env, int 
retval)
 
 static inline int set_IF(CPUX86State *env)
 {
-CPUState *cs = CPU(x86_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 TaskState *ts = cs->opaque;
 
 ts->v86flags |= VIF_MASK;
@@ -145,7 +145,7 @@ static inline int set_IF(CPUX86State *env)
 
 static inline void clear_IF(CPUX86State *env)
 {
-CPUState *cs = CPU(x86_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 TaskState *ts = cs->opaque;
 
 ts->v86flags &= ~VIF_MASK;
@@ -163,7 +163,7 @@ static inline void clear_AC(CPUX86State *env)
 
 static inline int set_vflags_long(unsigned long eflags, CPUX86State *env)
 {
-CPUState *cs = CPU(x86_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 TaskState *ts = cs->opaque;
 
 set_flags(ts->v86flags, eflags, ts->v86mask);
@@ -177,7 +177,7 @@ static inline int set_vflags_long(unsigned long eflags, 
CPUX86State 

[Qemu-devel] [PATCH for-4.1 v2 05/36] cpu: Define ArchCPU

[Richard Henderson]

For all targets, do this just before including exec/cpu-all.h.

Acked-by: Alistair Francis 
Signed-off-by: Richard Henderson 
---
 target/alpha/cpu.h  | 1 +
 target/arm/cpu.h| 1 +
 target/cris/cpu.h   | 1 +
 target/hppa/cpu.h   | 1 +
 target/i386/cpu.h   | 1 +
 target/lm32/cpu.h   | 1 +
 target/m68k/cpu.h   | 1 +
 target/microblaze/cpu.h | 1 +
 target/mips/cpu.h   | 1 +
 target/moxie/cpu.h  | 1 +
 target/nios2/cpu.h  | 1 +
 target/openrisc/cpu.h   | 1 +
 target/ppc/cpu.h| 1 +
 target/riscv/cpu.h  | 1 +
 target/s390x/cpu.h  | 1 +
 target/sh4/cpu.h| 1 +
 target/sparc/cpu.h  | 1 +
 target/tilegx/cpu.h | 1 +
 target/tricore/cpu.h| 1 +
 target/unicore32/cpu.h  | 1 +
 target/xtensa/cpu.h | 1 +
 21 files changed, 21 insertions(+)

diff --git a/target/alpha/cpu.h b/target/alpha/cpu.h
index fac622aa02..6629b869d2 100644
--- a/target/alpha/cpu.h
+++ b/target/alpha/cpu.h
@@ -301,6 +301,7 @@ void alpha_cpu_do_unaligned_access(CPUState *cpu, vaddr 
addr,
 #define cpu_signal_handler cpu_alpha_signal_handler
 
 typedef CPUAlphaState CPUArchState;
+typedef AlphaCPU ArchCPU;
 
 #include "exec/cpu-all.h"
 
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index e043fd3f97..30776ce15f 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -3044,6 +3044,7 @@ static inline bool arm_cpu_data_is_big_endian(CPUARMState 
*env)
 }
 
 typedef CPUARMState CPUArchState;
+typedef ARMCPU ArchCPU;
 
 #include "exec/cpu-all.h"
 
diff --git a/target/cris/cpu.h b/target/cris/cpu.h
index 95662c36b2..bcd17bf88b 100644
--- a/target/cris/cpu.h
+++ b/target/cris/cpu.h
@@ -285,6 +285,7 @@ int cris_cpu_handle_mmu_fault(CPUState *cpu, vaddr address, 
int size, int rw,
 #define SFR_RW_MM_TLB_HI   env->pregs[PR_SRS]][6
 
 typedef CPUCRISState CPUArchState;
+typedef CRISCPU ArchCPU;
 
 #include "exec/cpu-all.h"
 
diff --git a/target/hppa/cpu.h b/target/hppa/cpu.h
index 7c1d1e0a0e..f90b11dd0b 100644
--- a/target/hppa/cpu.h
+++ b/target/hppa/cpu.h
@@ -231,6 +231,7 @@ static inline HPPACPU *hppa_env_get_cpu(CPUHPPAState *env)
 #define ENV_OFFSET  offsetof(HPPACPU, env)
 
 typedef CPUHPPAState CPUArchState;
+typedef HPPACPU ArchCPU;
 
 #include "exec/cpu-all.h"
 
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 84ca69ea1a..bb1464d451 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1750,6 +1750,7 @@ static inline target_long lshift(target_long x, int n)
 void tcg_x86_init(void);
 
 typedef CPUX86State CPUArchState;
+typedef X86CPU ArchCPU;
 
 #include "exec/cpu-all.h"
 #include "svm.h"
diff --git a/target/lm32/cpu.h b/target/lm32/cpu.h
index 5b24cfcc1f..5eef4ccfc5 100644
--- a/target/lm32/cpu.h
+++ b/target/lm32/cpu.h
@@ -257,6 +257,7 @@ int lm32_cpu_handle_mmu_fault(CPUState *cpu, vaddr address, 
int size, int rw,
   int mmu_idx);
 
 typedef CPULM32State CPUArchState;
+typedef LM32CPU ArchCPU;
 
 #include "exec/cpu-all.h"
 
diff --git a/target/m68k/cpu.h b/target/m68k/cpu.h
index 48c051c7d2..5db18909cc 100644
--- a/target/m68k/cpu.h
+++ b/target/m68k/cpu.h
@@ -536,6 +536,7 @@ void m68k_cpu_unassigned_access(CPUState *cs, hwaddr addr,
 unsigned size);
 
 typedef CPUM68KState CPUArchState;
+typedef M68kCPU ArchCPU;
 
 #include "exec/cpu-all.h"
 
diff --git a/target/microblaze/cpu.h b/target/microblaze/cpu.h
index 58e165..d7c1846e49 100644
--- a/target/microblaze/cpu.h
+++ b/target/microblaze/cpu.h
@@ -366,6 +366,7 @@ int mb_cpu_handle_mmu_fault(CPUState *cpu, vaddr address, 
int size, int rw,
 int mmu_idx);
 
 typedef CPUMBState CPUArchState;
+typedef MicroBlazeCPU ArchCPU;
 
 #include "exec/cpu-all.h"
 
diff --git a/target/mips/cpu.h b/target/mips/cpu.h
index 608ae23289..8c5a40b5ad 100644
--- a/target/mips/cpu.h
+++ b/target/mips/cpu.h
@@ -1091,6 +1091,7 @@ static inline int cpu_mmu_index (CPUMIPSState *env, bool 
ifetch)
 }
 
 typedef CPUMIPSState CPUArchState;
+typedef MIPSCPU ArchCPU;
 
 #include "exec/cpu-all.h"
 
diff --git a/target/moxie/cpu.h b/target/moxie/cpu.h
index 10ba6aa7be..4bc5e07af9 100644
--- a/target/moxie/cpu.h
+++ b/target/moxie/cpu.h
@@ -119,6 +119,7 @@ static inline int cpu_mmu_index(CPUMoxieState *env, bool 
ifetch)
 }
 
 typedef CPUMoxieState CPUArchState;
+typedef MoxieCPU ArchCPU;
 
 #include "exec/cpu-all.h"
 
diff --git a/target/nios2/cpu.h b/target/nios2/cpu.h
index 2b4bd25d65..272ab10e67 100644
--- a/target/nios2/cpu.h
+++ b/target/nios2/cpu.h
@@ -244,6 +244,7 @@ static inline int cpu_interrupts_enabled(CPUNios2State *env)
 }
 
 typedef CPUNios2State CPUArchState;
+typedef Nios2CPU ArchCPU;
 
 #include "exec/cpu-all.h"
 
diff --git a/target/openrisc/cpu.h b/target/openrisc/cpu.h
index 9bd583f13a..20ea1ca973 100644
--- a/target/openrisc/cpu.h
+++ b/target/openrisc/cpu.h
@@ -364,6 +364,7 @@ void cpu_openrisc_count_stop(OpenRISCCPU *cpu);
 #define CPU_RESOLVING_TYPE TYPE_OPENRISC_CPU
 
 typedef CPUOpenRISCState CPUArchState;
+typedef 

[Qemu-devel] [PATCH for-4.1 v2 16/36] target/mips: Use env_cpu, env_archcpu

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 target/mips/cpu.h|  5 -
 hw/intc/mips_gic.c   |  2 +-
 hw/mips/mips_int.c   |  2 +-
 linux-user/mips/cpu_loop.c   |  2 +-
 target/mips/helper.c | 15 +--
 target/mips/op_helper.c  | 25 +++--
 target/mips/translate.c  |  3 +--
 target/mips/translate_init.inc.c |  4 +---
 8 files changed, 21 insertions(+), 37 deletions(-)

diff --git a/target/mips/cpu.h b/target/mips/cpu.h
index e7ad81becb..914cc26c21 100644
--- a/target/mips/cpu.h
+++ b/target/mips/cpu.h
@@ -1051,11 +1051,6 @@ struct MIPSCPU {
 CPUMIPSState env;
 };
 
-static inline MIPSCPU *mips_env_get_cpu(CPUMIPSState *env)
-{
-return container_of(env, MIPSCPU, env);
-}
-
 #define ENV_OFFSET offsetof(MIPSCPU, env)
 
 void mips_cpu_list (FILE *f, fprintf_function cpu_fprintf);
diff --git a/hw/intc/mips_gic.c b/hw/intc/mips_gic.c
index 15e6e40f9f..8f509493ea 100644
--- a/hw/intc/mips_gic.c
+++ b/hw/intc/mips_gic.c
@@ -44,7 +44,7 @@ static void mips_gic_set_vp_irq(MIPSGICState *gic, int vp, 
int pin)
   GIC_VP_MASK_CMP_SHF;
 }
 if (kvm_enabled())  {
-kvm_mips_set_ipi_interrupt(mips_env_get_cpu(gic->vps[vp].env),
+kvm_mips_set_ipi_interrupt(env_archcpu(gic->vps[vp].env),
pin + GIC_CPU_PIN_OFFSET,
ored_level);
 } else {
diff --git a/hw/mips/mips_int.c b/hw/mips/mips_int.c
index 5ddeb15848..f899f6ceb3 100644
--- a/hw/mips/mips_int.c
+++ b/hw/mips/mips_int.c
@@ -76,7 +76,7 @@ void cpu_mips_irq_init_cpu(MIPSCPU *cpu)
 qemu_irq *qi;
 int i;
 
-qi = qemu_allocate_irqs(cpu_mips_irq_request, mips_env_get_cpu(env), 8);
+qi = qemu_allocate_irqs(cpu_mips_irq_request, env_archcpu(env), 8);
 for (i = 0; i < 8; i++) {
 env->irq[i] = qi[i];
 }
diff --git a/linux-user/mips/cpu_loop.c b/linux-user/mips/cpu_loop.c
index 828137cd84..ac6c6d1504 100644
--- a/linux-user/mips/cpu_loop.c
+++ b/linux-user/mips/cpu_loop.c
@@ -425,7 +425,7 @@ static int do_break(CPUMIPSState *env, target_siginfo_t 
*info,
 
 void cpu_loop(CPUMIPSState *env)
 {
-CPUState *cs = CPU(mips_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 target_siginfo_t info;
 int trapnr;
 abi_long ret;
diff --git a/target/mips/helper.c b/target/mips/helper.c
index c44cdca3b5..1fc0a4ce4b 100644
--- a/target/mips/helper.c
+++ b/target/mips/helper.c
@@ -336,10 +336,8 @@ static int get_physical_address (CPUMIPSState *env, hwaddr 
*physical,
 
 void cpu_mips_tlb_flush(CPUMIPSState *env)
 {
-MIPSCPU *cpu = mips_env_get_cpu(env);
-
 /* Flush qemu's TLB and discard all shadowed entries.  */
-tlb_flush(CPU(cpu));
+tlb_flush(env_cpu(env));
 env->tlb->tlb_in_use = env->tlb->nb_tlb;
 }
 
@@ -401,7 +399,7 @@ void cpu_mips_store_status(CPUMIPSState *env, target_ulong 
val)
 #if defined(TARGET_MIPS64)
 if ((env->CP0_Status ^ old) & (old & (7 << CP0St_UX))) {
 /* Access to at least one of the 64-bit segments has been disabled */
-tlb_flush(CPU(mips_env_get_cpu(env)));
+tlb_flush(env_cpu(env));
 }
 #endif
 if (env->CP0_Config3 & (1 << CP0C3_MT)) {
@@ -446,7 +444,7 @@ void cpu_mips_store_cause(CPUMIPSState *env, target_ulong 
val)
 static void raise_mmu_exception(CPUMIPSState *env, target_ulong address,
 int rw, int tlb_error)
 {
-CPUState *cs = CPU(mips_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 int exception = 0, error_code = 0;
 
 if (rw == MMU_INST_FETCH) {
@@ -1400,8 +1398,7 @@ bool mips_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
 #if !defined(CONFIG_USER_ONLY)
 void r4k_invalidate_tlb (CPUMIPSState *env, int idx, int use_extra)
 {
-MIPSCPU *cpu = mips_env_get_cpu(env);
-CPUState *cs;
+CPUState *cs = env_cpu(env);
 r4k_tlb_t *tlb;
 target_ulong addr;
 target_ulong end;
@@ -1427,7 +1424,6 @@ void r4k_invalidate_tlb (CPUMIPSState *env, int idx, int 
use_extra)
 /* 1k pages are not supported. */
 mask = tlb->PageMask | ~(TARGET_PAGE_MASK << 1);
 if (tlb->V0) {
-cs = CPU(cpu);
 addr = tlb->VPN & ~mask;
 #if defined(TARGET_MIPS64)
 if (addr >= (0x8000ULL & env->SEGMask)) {
@@ -1441,7 +1437,6 @@ void r4k_invalidate_tlb (CPUMIPSState *env, int idx, int 
use_extra)
 }
 }
 if (tlb->V1) {
-cs = CPU(cpu);
 addr = (tlb->VPN & ~mask) | ((mask >> 1) + 1);
 #if defined(TARGET_MIPS64)
 if (addr >= (0x8000ULL & env->SEGMask)) {
@@ -1462,7 +1457,7 @@ void QEMU_NORETURN do_raise_exception_err(CPUMIPSState 
*env,
   int error_code,
   uintptr_t pc)
 {
-CPUState *cs = CPU(mips_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 
 qemu_log_mask(CPU_LOG_INT, "%s: %d %d\n",
   __func__, 

[Qemu-devel] [PATCH for-4.1 v2 14/36] target/m68k: Use env_cpu, env_archcpu

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 linux-user/m68k/target_cpu.h |  2 +-
 target/m68k/cpu.h|  5 -
 linux-user/m68k-sim.c|  3 +--
 linux-user/m68k/cpu_loop.c   |  2 +-
 target/m68k/helper.c | 33 -
 target/m68k/m68k-semi.c  |  4 ++--
 target/m68k/op_helper.c  | 12 ++--
 target/m68k/translate.c  |  4 +---
 8 files changed, 24 insertions(+), 41 deletions(-)

diff --git a/linux-user/m68k/target_cpu.h b/linux-user/m68k/target_cpu.h
index 7a26f3c3fc..bc7446fbaf 100644
--- a/linux-user/m68k/target_cpu.h
+++ b/linux-user/m68k/target_cpu.h
@@ -31,7 +31,7 @@ static inline void cpu_clone_regs(CPUM68KState *env, 
target_ulong newsp)
 
 static inline void cpu_set_tls(CPUM68KState *env, target_ulong newtls)
 {
-CPUState *cs = CPU(m68k_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 TaskState *ts = cs->opaque;
 
 ts->tp_value = newtls;
diff --git a/target/m68k/cpu.h b/target/m68k/cpu.h
index b216be33b4..eb3048914e 100644
--- a/target/m68k/cpu.h
+++ b/target/m68k/cpu.h
@@ -163,11 +163,6 @@ struct M68kCPU {
 CPUM68KState env;
 };
 
-static inline M68kCPU *m68k_env_get_cpu(CPUM68KState *env)
-{
-return container_of(env, M68kCPU, env);
-}
-
 #define ENV_OFFSET offsetof(M68kCPU, env)
 
 void m68k_cpu_do_interrupt(CPUState *cpu);
diff --git a/linux-user/m68k-sim.c b/linux-user/m68k-sim.c
index 34d332d8b1..9bc6ff3d3a 100644
--- a/linux-user/m68k-sim.c
+++ b/linux-user/m68k-sim.c
@@ -91,7 +91,6 @@ static int translate_openflags(int flags)
 #define ARG(x) tswap32(args[x])
 void do_m68k_simcall(CPUM68KState *env, int nr)
 {
-M68kCPU *cpu = m68k_env_get_cpu(env);
 uint32_t *args;
 
 args = (uint32_t *)(unsigned long)(env->aregs[7] + 4);
@@ -159,6 +158,6 @@ void do_m68k_simcall(CPUM68KState *env, int nr)
 check_err(env, lseek(ARG(0), (int32_t)ARG(1), ARG(2)));
 break;
 default:
-cpu_abort(CPU(cpu), "Unsupported m68k sim syscall %d\n", nr);
+cpu_abort(env_cpu(env), "Unsupported m68k sim syscall %d\n", nr);
 }
 }
diff --git a/linux-user/m68k/cpu_loop.c b/linux-user/m68k/cpu_loop.c
index 42d8d841ea..f2c33057b3 100644
--- a/linux-user/m68k/cpu_loop.c
+++ b/linux-user/m68k/cpu_loop.c
@@ -23,7 +23,7 @@
 
 void cpu_loop(CPUM68KState *env)
 {
-CPUState *cs = CPU(m68k_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 int trapnr;
 unsigned int n;
 target_siginfo_t info;
diff --git a/target/m68k/helper.c b/target/m68k/helper.c
index 3e26d337bf..c519086c4b 100644
--- a/target/m68k/helper.c
+++ b/target/m68k/helper.c
@@ -174,8 +174,6 @@ void m68k_cpu_init_gdb(M68kCPU *cpu)
 
 void HELPER(cf_movec_to)(CPUM68KState *env, uint32_t reg, uint32_t val)
 {
-M68kCPU *cpu = m68k_env_get_cpu(env);
-
 switch (reg) {
 case M68K_CR_CACR:
 env->cacr = val;
@@ -192,7 +190,7 @@ void HELPER(cf_movec_to)(CPUM68KState *env, uint32_t reg, 
uint32_t val)
 break;
 /* TODO: Implement control registers.  */
 default:
-cpu_abort(CPU(cpu),
+cpu_abort(env_cpu(env),
   "Unimplemented control register write 0x%x = 0x%x\n",
   reg, val);
 }
@@ -200,8 +198,6 @@ void HELPER(cf_movec_to)(CPUM68KState *env, uint32_t reg, 
uint32_t val)
 
 void HELPER(m68k_movec_to)(CPUM68KState *env, uint32_t reg, uint32_t val)
 {
-M68kCPU *cpu = m68k_env_get_cpu(env);
-
 switch (reg) {
 /* MC680[1234]0 */
 case M68K_CR_SFC:
@@ -254,14 +250,13 @@ void HELPER(m68k_movec_to)(CPUM68KState *env, uint32_t 
reg, uint32_t val)
 env->mmu.ttr[M68K_DTTR1] = val;
 return;
 }
-cpu_abort(CPU(cpu), "Unimplemented control register write 0x%x = 0x%x\n",
+cpu_abort(env_cpu(env),
+  "Unimplemented control register write 0x%x = 0x%x\n",
   reg, val);
 }
 
 uint32_t HELPER(m68k_movec_from)(CPUM68KState *env, uint32_t reg)
 {
-M68kCPU *cpu = m68k_env_get_cpu(env);
-
 switch (reg) {
 /* MC680[1234]0 */
 case M68K_CR_SFC:
@@ -298,7 +293,7 @@ uint32_t HELPER(m68k_movec_from)(CPUM68KState *env, 
uint32_t reg)
 case M68K_CR_DTT1:
 return env->mmu.ttr[M68K_DTTR1];
 }
-cpu_abort(CPU(cpu), "Unimplemented control register read 0x%x\n",
+cpu_abort(env_cpu(env), "Unimplemented control register read 0x%x\n",
   reg);
 }
 
@@ -409,8 +404,7 @@ static void dump_address_map(FILE *f, fprintf_function 
cpu_fprintf,
 uint32_t last_logical, last_physical;
 int32_t size;
 int last_attr = -1, attr = -1;
-M68kCPU *cpu = m68k_env_get_cpu(env);
-CPUState *cs = CPU(cpu);
+CPUState *cs = env_cpu(env);
 
 if (env->mmu.tcr & M68K_TCR_PAGE_8K) {
 /* 8k page */
@@ -644,8 +638,7 @@ static int get_physical_address(CPUM68KState *env, hwaddr 
*physical,
 int *prot, target_ulong address,
 int access_type, target_ulong *page_size)
 {
-M68kCPU *cpu = 

[Qemu-devel] [PATCH for-4.1 v2 19/36] target/openrisc: Use env_cpu, env_archcpu

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 target/openrisc/cpu.h  | 5 -
 linux-user/openrisc/cpu_loop.c | 2 +-
 target/openrisc/exception_helper.c | 5 ++---
 target/openrisc/sys_helper.c   | 8 
 4 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/target/openrisc/cpu.h b/target/openrisc/cpu.h
index 3eda7957cf..853cf633e7 100644
--- a/target/openrisc/cpu.h
+++ b/target/openrisc/cpu.h
@@ -317,11 +317,6 @@ typedef struct OpenRISCCPU {
 
 } OpenRISCCPU;
 
-static inline OpenRISCCPU *openrisc_env_get_cpu(CPUOpenRISCState *env)
-{
-return container_of(env, OpenRISCCPU, env);
-}
-
 #define ENV_OFFSET offsetof(OpenRISCCPU, env)
 
 void cpu_openrisc_list(FILE *f, fprintf_function cpu_fprintf);
diff --git a/linux-user/openrisc/cpu_loop.c b/linux-user/openrisc/cpu_loop.c
index f496e4b48a..4b8165b261 100644
--- a/linux-user/openrisc/cpu_loop.c
+++ b/linux-user/openrisc/cpu_loop.c
@@ -23,7 +23,7 @@
 
 void cpu_loop(CPUOpenRISCState *env)
 {
-CPUState *cs = CPU(openrisc_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 int trapnr;
 abi_long ret;
 target_siginfo_t info;
diff --git a/target/openrisc/exception_helper.c 
b/target/openrisc/exception_helper.c
index 6073a5b21c..dd639ba5f2 100644
--- a/target/openrisc/exception_helper.c
+++ b/target/openrisc/exception_helper.c
@@ -25,15 +25,14 @@
 
 void HELPER(exception)(CPUOpenRISCState *env, uint32_t excp)
 {
-OpenRISCCPU *cpu = openrisc_env_get_cpu(env);
+OpenRISCCPU *cpu = env_archcpu(env);
 
 raise_exception(cpu, excp);
 }
 
 static void QEMU_NORETURN do_range(CPUOpenRISCState *env, uintptr_t pc)
 {
-OpenRISCCPU *cpu = openrisc_env_get_cpu(env);
-CPUState *cs = CPU(cpu);
+CPUState *cs = env_cpu(env);
 
 cs->exception_index = EXCP_RANGE;
 cpu_loop_exit_restore(cs, pc);
diff --git a/target/openrisc/sys_helper.c b/target/openrisc/sys_helper.c
index 05f66c455b..8f11cb8202 100644
--- a/target/openrisc/sys_helper.c
+++ b/target/openrisc/sys_helper.c
@@ -30,8 +30,8 @@
 void HELPER(mtspr)(CPUOpenRISCState *env, target_ulong spr, target_ulong rb)
 {
 #ifndef CONFIG_USER_ONLY
-OpenRISCCPU *cpu = openrisc_env_get_cpu(env);
-CPUState *cs = CPU(cpu);
+OpenRISCCPU *cpu = env_archcpu(env);
+CPUState *cs = env_cpu(env);
 target_ulong mr;
 int idx;
 
@@ -194,8 +194,8 @@ target_ulong HELPER(mfspr)(CPUOpenRISCState *env, 
target_ulong rd,
target_ulong spr)
 {
 #ifndef CONFIG_USER_ONLY
-OpenRISCCPU *cpu = openrisc_env_get_cpu(env);
-CPUState *cs = CPU(cpu);
+OpenRISCCPU *cpu = env_archcpu(env);
+CPUState *cs = env_cpu(env);
 int idx;
 
 switch (spr) {
-- 
2.17.1

[Qemu-devel] [PATCH for-4.1 v2 20/36] target/ppc: Use env_cpu, env_archcpu

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 target/ppc/cpu.h|   7 +-
 target/ppc/helper_regs.h|   4 +-
 hw/ppc/ppc.c|  18 ++---
 hw/ppc/ppc405_uc.c  |   2 +-
 hw/ppc/ppc_booke.c  |   4 +-
 linux-user/ppc/cpu_loop.c   |   2 +-
 target/ppc/excp_helper.c|  14 ++--
 target/ppc/fpu_helper.c |  14 ++--
 target/ppc/kvm.c|   5 +-
 target/ppc/misc_helper.c|  22 ++
 target/ppc/mmu-hash64.c |  14 ++--
 target/ppc/mmu_helper.c | 116 +---
 target/ppc/translate_init.inc.c |  87 
 13 files changed, 137 insertions(+), 172 deletions(-)

diff --git a/target/ppc/cpu.h b/target/ppc/cpu.h
index a5d44d1b1f..c3fe154979 100644
--- a/target/ppc/cpu.h
+++ b/target/ppc/cpu.h
@@ -1191,11 +1191,6 @@ struct PowerPCCPU {
 int32_t mig_slb_nr;
 };
 
-static inline PowerPCCPU *ppc_env_get_cpu(CPUPPCState *env)
-{
-return container_of(env, PowerPCCPU, env);
-}
-
 #define ENV_OFFSET offsetof(PowerPCCPU, env)
 
 PowerPCCPUClass *ppc_cpu_class_by_pvr(uint32_t pvr);
@@ -2429,7 +2424,7 @@ static inline int booke206_tlbm_to_tlbn(CPUPPCState *env, 
ppcmas_tlb_t *tlbm)
 }
 }
 
-cpu_abort(CPU(ppc_env_get_cpu(env)), "Unknown TLBe: %d\n", id);
+cpu_abort(env_cpu(env), "Unknown TLBe: %d\n", id);
 return 0;
 }
 
diff --git a/target/ppc/helper_regs.h b/target/ppc/helper_regs.h
index a2205e1044..337ca93fae 100644
--- a/target/ppc/helper_regs.h
+++ b/target/ppc/helper_regs.h
@@ -115,7 +115,7 @@ static inline int hreg_store_msr(CPUPPCState *env, 
target_ulong value,
 {
 int excp;
 #if !defined(CONFIG_USER_ONLY)
-CPUState *cs = CPU(ppc_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 #endif
 
 excp = 0;
@@ -173,7 +173,7 @@ static inline int hreg_store_msr(CPUPPCState *env, 
target_ulong value,
 #if !defined(CONFIG_USER_ONLY)
 static inline void check_tlb_flush(CPUPPCState *env, bool global)
 {
-CPUState *cs = CPU(ppc_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 
 /* Handle global flushes first */
 if (global && (env->tlb_need_flush & TLB_NEED_GLOBAL_FLUSH)) {
diff --git a/hw/ppc/ppc.c b/hw/ppc/ppc.c
index 49d57469fb..6beed2a918 100644
--- a/hw/ppc/ppc.c
+++ b/hw/ppc/ppc.c
@@ -385,7 +385,7 @@ void ppc40x_system_reset(PowerPCCPU *cpu)
 
 void store_40x_dbcr0(CPUPPCState *env, uint32_t val)
 {
-PowerPCCPU *cpu = ppc_env_get_cpu(env);
+PowerPCCPU *cpu = env_archcpu(env);
 
 switch ((val >> 28) & 0x3) {
 case 0x0:
@@ -785,7 +785,7 @@ target_ulong cpu_ppc_load_decr(CPUPPCState *env)
 
 target_ulong cpu_ppc_load_hdecr(CPUPPCState *env)
 {
-PowerPCCPU *cpu = ppc_env_get_cpu(env);
+PowerPCCPU *cpu = env_archcpu(env);
 PowerPCCPUClass *pcc = POWERPC_CPU_GET_CLASS(cpu);
 ppc_tb_t *tb_env = env->tb_env;
 uint64_t hdecr;
@@ -923,7 +923,7 @@ static inline void _cpu_ppc_store_decr(PowerPCCPU *cpu, 
target_ulong decr,
 
 void cpu_ppc_store_decr(CPUPPCState *env, target_ulong value)
 {
-PowerPCCPU *cpu = ppc_env_get_cpu(env);
+PowerPCCPU *cpu = env_archcpu(env);
 PowerPCCPUClass *pcc = POWERPC_CPU_GET_CLASS(cpu);
 int nr_bits = 32;
 
@@ -955,7 +955,7 @@ static inline void _cpu_ppc_store_hdecr(PowerPCCPU *cpu, 
target_ulong hdecr,
 
 void cpu_ppc_store_hdecr(CPUPPCState *env, target_ulong value)
 {
-PowerPCCPU *cpu = ppc_env_get_cpu(env);
+PowerPCCPU *cpu = env_archcpu(env);
 PowerPCCPUClass *pcc = POWERPC_CPU_GET_CLASS(cpu);
 
 _cpu_ppc_store_hdecr(cpu, cpu_ppc_load_hdecr(env), value,
@@ -980,7 +980,7 @@ static void cpu_ppc_store_purr(PowerPCCPU *cpu, uint64_t 
value)
 static void cpu_ppc_set_tb_clk (void *opaque, uint32_t freq)
 {
 CPUPPCState *env = opaque;
-PowerPCCPU *cpu = ppc_env_get_cpu(env);
+PowerPCCPU *cpu = env_archcpu(env);
 ppc_tb_t *tb_env = env->tb_env;
 
 tb_env->tb_freq = freq;
@@ -1095,7 +1095,7 @@ const VMStateDescription vmstate_ppc_timebase = {
 /* Set up (once) timebase frequency (in Hz) */
 clk_setup_cb cpu_ppc_tb_init (CPUPPCState *env, uint32_t freq)
 {
-PowerPCCPU *cpu = ppc_env_get_cpu(env);
+PowerPCCPU *cpu = env_archcpu(env);
 ppc_tb_t *tb_env;
 
 tb_env = g_malloc0(sizeof(ppc_tb_t));
@@ -1165,7 +1165,7 @@ static void cpu_4xx_fit_cb (void *opaque)
 uint64_t now, next;
 
 env = opaque;
-cpu = ppc_env_get_cpu(env);
+cpu = env_archcpu(env);
 tb_env = env->tb_env;
 ppc40x_timer = tb_env->opaque;
 now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
@@ -1235,7 +1235,7 @@ static void cpu_4xx_pit_cb (void *opaque)
 ppc40x_timer_t *ppc40x_timer;
 
 env = opaque;
-cpu = ppc_env_get_cpu(env);
+cpu = env_archcpu(env);
 tb_env = env->tb_env;
 ppc40x_timer = tb_env->opaque;
 env->spr[SPR_40x_TSR] |= 1 << 27;
@@ -1261,7 +1261,7 @@ static void cpu_4xx_wdt_cb (void *opaque)
 uint64_t now, next;
 
 env = opaque;
-cpu = ppc_env_get_cpu(env);
+cpu = 

[Qemu-devel] [PATCH for-4.1 v2 24/36] target/sparc: Use env_cpu, env_archcpu

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 target/sparc/cpu.h  |  5 -
 bsd-user/main.c |  2 +-
 hw/sparc/leon3.c|  4 ++--
 hw/sparc/sun4m.c|  4 ++--
 hw/sparc64/sparc64.c|  2 +-
 linux-user/sparc/cpu_loop.c |  2 +-
 target/sparc/fop_helper.c   |  2 +-
 target/sparc/helper.c   |  8 
 target/sparc/ldst_helper.c  | 33 +++--
 target/sparc/mmu_helper.c   | 10 +-
 10 files changed, 32 insertions(+), 40 deletions(-)

diff --git a/target/sparc/cpu.h b/target/sparc/cpu.h
index 77dec0d865..bf6f63d029 100644
--- a/target/sparc/cpu.h
+++ b/target/sparc/cpu.h
@@ -532,11 +532,6 @@ struct SPARCCPU {
 CPUSPARCState env;
 };
 
-static inline SPARCCPU *sparc_env_get_cpu(CPUSPARCState *env)
-{
-return container_of(env, SPARCCPU, env);
-}
-
 #define ENV_OFFSET offsetof(SPARCCPU, env)
 
 #ifndef CONFIG_USER_ONLY
diff --git a/bsd-user/main.c b/bsd-user/main.c
index e554ebdfb3..7a0eb316a2 100644
--- a/bsd-user/main.c
+++ b/bsd-user/main.c
@@ -485,7 +485,7 @@ static void flush_windows(CPUSPARCState *env)
 
 void cpu_loop(CPUSPARCState *env)
 {
-CPUState *cs = CPU(sparc_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 int trapnr, ret, syscall_nr;
 //target_siginfo_t info;
 
diff --git a/hw/sparc/leon3.c b/hw/sparc/leon3.c
index 774639af33..ef74bc81c2 100644
--- a/hw/sparc/leon3.c
+++ b/hw/sparc/leon3.c
@@ -91,7 +91,7 @@ static void leon3_set_pil_in(void *opaque, uint32_t pil_in)
 
 env->interrupt_index = TT_EXTINT | i;
 if (old_interrupt != env->interrupt_index) {
-cs = CPU(sparc_env_get_cpu(env));
+cs = env_cpu(env);
 trace_leon3_set_irq(i);
 cpu_interrupt(cs, CPU_INTERRUPT_HARD);
 }
@@ -99,7 +99,7 @@ static void leon3_set_pil_in(void *opaque, uint32_t pil_in)
 }
 }
 } else if (!env->pil_in && (env->interrupt_index & ~15) == TT_EXTINT) {
-cs = CPU(sparc_env_get_cpu(env));
+cs = env_cpu(env);
 trace_leon3_reset_irq(env->interrupt_index & 15);
 env->interrupt_index = 0;
 cpu_reset_interrupt(cs, CPU_INTERRUPT_HARD);
diff --git a/hw/sparc/sun4m.c b/hw/sparc/sun4m.c
index ca1e3825d5..a87bef6d4f 100644
--- a/hw/sparc/sun4m.c
+++ b/hw/sparc/sun4m.c
@@ -147,7 +147,7 @@ void cpu_check_irqs(CPUSPARCState *env)
 
 env->interrupt_index = TT_EXTINT | i;
 if (old_interrupt != env->interrupt_index) {
-cs = CPU(sparc_env_get_cpu(env));
+cs = env_cpu(env);
 trace_sun4m_cpu_interrupt(i);
 cpu_interrupt(cs, CPU_INTERRUPT_HARD);
 }
@@ -155,7 +155,7 @@ void cpu_check_irqs(CPUSPARCState *env)
 }
 }
 } else if (!env->pil_in && (env->interrupt_index & ~15) == TT_EXTINT) {
-cs = CPU(sparc_env_get_cpu(env));
+cs = env_cpu(env);
 trace_sun4m_cpu_reset_interrupt(env->interrupt_index & 15);
 env->interrupt_index = 0;
 cpu_reset_interrupt(cs, CPU_INTERRUPT_HARD);
diff --git a/hw/sparc64/sparc64.c b/hw/sparc64/sparc64.c
index 408388945e..689801f37d 100644
--- a/hw/sparc64/sparc64.c
+++ b/hw/sparc64/sparc64.c
@@ -46,7 +46,7 @@ void cpu_check_irqs(CPUSPARCState *env)
 if (env->ivec_status & 0x20) {
 return;
 }
-cs = CPU(sparc_env_get_cpu(env));
+cs = env_cpu(env);
 /* check if TM or SM in SOFTINT are set
setting these also causes interrupt 14 */
 if (env->softint & (SOFTINT_TIMER | SOFTINT_STIMER)) {
diff --git a/linux-user/sparc/cpu_loop.c b/linux-user/sparc/cpu_loop.c
index 7d5b337b97..7a4f5792be 100644
--- a/linux-user/sparc/cpu_loop.c
+++ b/linux-user/sparc/cpu_loop.c
@@ -145,7 +145,7 @@ static void flush_windows(CPUSPARCState *env)
 
 void cpu_loop (CPUSPARCState *env)
 {
-CPUState *cs = CPU(sparc_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 int trapnr;
 abi_long ret;
 target_siginfo_t info;
diff --git a/target/sparc/fop_helper.c b/target/sparc/fop_helper.c
index b6642fd1d7..9eb9b75718 100644
--- a/target/sparc/fop_helper.c
+++ b/target/sparc/fop_helper.c
@@ -53,7 +53,7 @@ static target_ulong do_check_ieee_exceptions(CPUSPARCState 
*env, uintptr_t ra)
 }
 
 if ((fsr & FSR_CEXC_MASK) & ((fsr & FSR_TEM_MASK) >> 23)) {
-CPUState *cs = CPU(sparc_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 
 /* Unmasked exception, generate a trap.  Note that while
the helper is marked as NO_WG, we can get away with
diff --git a/target/sparc/helper.c b/target/sparc/helper.c
index 46232788c8..1a52061fbf 100644
--- a/target/sparc/helper.c
+++ b/target/sparc/helper.c
@@ -26,7 +26,7 @@
 
 void cpu_raise_exception_ra(CPUSPARCState *env, int tt, uintptr_t ra)
 {
-CPUState *cs = CPU(sparc_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 

[Qemu-devel] [PATCH for-4.1 v2 06/36] cpu: Replace ENV_GET_CPU with env_cpu

[Richard Henderson]

Now that we have both ArchCPU and CPUArchState, we can define
this generically instead of via macro in each target's cpu.h.

Acked-by: Alistair Francis 
Signed-off-by: Richard Henderson 
---
 accel/tcg/atomic_template.h   |  8 +--
 accel/tcg/softmmu_template.h  | 20 
 include/exec/cpu-all.h| 12 +
 include/exec/cpu_ldst_template.h  |  6 +--
 include/exec/cpu_ldst_useronly_template.h |  6 +--
 include/exec/softmmu-semi.h   | 16 +++---
 linux-user/cpu_loop-common.h  |  2 +-
 target/alpha/cpu.h|  2 -
 target/arm/cpu.h  |  2 -
 target/cris/cpu.h |  2 -
 target/hppa/cpu.h |  1 -
 target/i386/cpu.h |  2 -
 target/lm32/cpu.h |  2 -
 target/m68k/cpu.h |  2 -
 target/microblaze/cpu.h   |  2 -
 target/mips/cpu.h |  2 -
 target/moxie/cpu.h|  2 -
 target/nios2/cpu.h|  2 -
 target/openrisc/cpu.h |  2 -
 target/ppc/cpu.h  |  2 -
 target/riscv/cpu.h|  1 -
 target/s390x/cpu.h|  2 -
 target/sh4/cpu.h  |  2 -
 target/sparc/cpu.h|  2 -
 target/tilegx/cpu.h   |  2 -
 target/tricore/cpu.h  |  2 -
 target/unicore32/cpu.h|  2 -
 target/xtensa/cpu.h   |  2 -
 accel/tcg/cputlb.c| 22 -
 accel/tcg/tcg-runtime.c   |  4 +-
 accel/tcg/translate-all.c |  2 +-
 accel/tcg/user-exec.c |  2 +-
 bsd-user/syscall.c|  6 +--
 linux-user/arm/cpu_loop.c |  2 +-
 linux-user/cris/cpu_loop.c|  2 +-
 linux-user/elfload.c  |  6 +--
 linux-user/m68k/cpu_loop.c|  2 +-
 linux-user/main.c |  2 +-
 linux-user/mips/cpu_loop.c|  2 +-
 linux-user/nios2/cpu_loop.c   |  2 +-
 linux-user/riscv/cpu_loop.c   |  2 +-
 linux-user/signal.c   |  8 +--
 linux-user/syscall.c  | 18 +++
 linux-user/uname.c|  2 +-
 target/arm/helper.c   | 42 
 target/hppa/op_helper.c   |  2 +-
 target/i386/hax-all.c |  6 +--
 target/i386/hvf/x86_decode.c  | 22 -
 target/i386/hvf/x86_emu.c | 60 +--
 target/i386/mem_helper.c  |  4 +-
 target/m68k/op_helper.c   |  2 +-
 target/nios2/mmu.c|  4 +-
 target/nios2/op_helper.c  |  2 +-
 target/ppc/mmu_helper.c   |  2 +-
 target/s390x/gdbstub.c| 24 -
 target/s390x/mem_helper.c |  2 +-
 target/sh4/op_helper.c|  2 +-
 docs/devel/tracing.txt|  4 +-
 scripts/tracetool/format/tcg_helper_c.py  |  2 +-
 59 files changed, 176 insertions(+), 198 deletions(-)

diff --git a/accel/tcg/atomic_template.h b/accel/tcg/atomic_template.h
index 685602b076..5aaf186253 100644
--- a/accel/tcg/atomic_template.h
+++ b/accel/tcg/atomic_template.h
@@ -62,21 +62,21 @@
 #define ATOMIC_TRACE_RMW do {   \
 uint8_t info = glue(trace_mem_build_info_no_se, MEND)(SHIFT, false); \
 \
-trace_guest_mem_before_exec(ENV_GET_CPU(env), addr, info);  \
-trace_guest_mem_before_exec(ENV_GET_CPU(env), addr, \
+trace_guest_mem_before_exec(env_cpu(env), addr, info);  \
+trace_guest_mem_before_exec(env_cpu(env), addr, \
 info | TRACE_MEM_ST);   \
 } while (0)
 
 #define ATOMIC_TRACE_LD do {\
 uint8_t info = glue(trace_mem_build_info_no_se, MEND)(SHIFT, false); \
 \
-trace_guest_mem_before_exec(ENV_GET_CPU(env), addr, info);  \
+trace_guest_mem_before_exec(env_cpu(env), addr, info);  \
 } while (0)
 
 # define ATOMIC_TRACE_ST do {   \
 uint8_t info = glue(trace_mem_build_info_no_se, MEND)(SHIFT, true); \
 \
-trace_guest_mem_before_exec(ENV_GET_CPU(env), addr, info);  \
+trace_guest_mem_before_exec(env_cpu(env), addr, info);  \
 } while (0)
 
 /* Define host-endian atomic operations.  Note that END is used within
diff --git 

[Qemu-devel] [PATCH for-4.1 v2 15/36] target/microblaze: Use env_cpu, env_archcpu

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 target/microblaze/cpu.h  | 35 ++--
 linux-user/microblaze/cpu_loop.c |  2 +-
 target/microblaze/mmu.c  |  5 ++---
 target/microblaze/op_helper.c|  2 +-
 target/microblaze/translate.c|  2 +-
 5 files changed, 20 insertions(+), 26 deletions(-)

diff --git a/target/microblaze/cpu.h b/target/microblaze/cpu.h
index 3ca5d21451..a9748d57ad 100644
--- a/target/microblaze/cpu.h
+++ b/target/microblaze/cpu.h
@@ -310,11 +310,6 @@ struct MicroBlazeCPU {
 CPUMBState env;
 };
 
-static inline MicroBlazeCPU *mb_env_get_cpu(CPUMBState *env)
-{
-return container_of(env, MicroBlazeCPU, env);
-}
-
 #define ENV_OFFSET offsetof(MicroBlazeCPU, env)
 
 void mb_cpu_do_interrupt(CPUState *cs);
@@ -345,21 +340,6 @@ int cpu_mb_signal_handler(int host_signum, void *pinfo,
 #define MMU_USER_IDX2
 /* See NB_MMU_MODES further up the file.  */
 
-static inline int cpu_mmu_index (CPUMBState *env, bool ifetch)
-{
-MicroBlazeCPU *cpu = mb_env_get_cpu(env);
-
-/* Are we in nommu mode?.  */
-if (!(env->sregs[SR_MSR] & MSR_VM) || !cpu->cfg.use_mmu) {
-return MMU_NOMMU_IDX;
-}
-
-if (env->sregs[SR_MSR] & MSR_UM) {
-return MMU_USER_IDX;
-}
-return MMU_KERNEL_IDX;
-}
-
 int mb_cpu_handle_mmu_fault(CPUState *cpu, vaddr address, int size, int rw,
 int mmu_idx);
 
@@ -384,4 +364,19 @@ void mb_cpu_transaction_failed(CPUState *cs, hwaddr 
physaddr, vaddr addr,
MemTxResult response, uintptr_t retaddr);
 #endif
 
+static inline int cpu_mmu_index(CPUMBState *env, bool ifetch)
+{
+MicroBlazeCPU *cpu = env_archcpu(env);
+
+/* Are we in nommu mode?.  */
+if (!(env->sregs[SR_MSR] & MSR_VM) || !cpu->cfg.use_mmu) {
+return MMU_NOMMU_IDX;
+}
+
+if (env->sregs[SR_MSR] & MSR_UM) {
+return MMU_USER_IDX;
+}
+return MMU_KERNEL_IDX;
+}
+
 #endif
diff --git a/linux-user/microblaze/cpu_loop.c b/linux-user/microblaze/cpu_loop.c
index c2190e15fd..f70329e021 100644
--- a/linux-user/microblaze/cpu_loop.c
+++ b/linux-user/microblaze/cpu_loop.c
@@ -23,7 +23,7 @@
 
 void cpu_loop(CPUMBState *env)
 {
-CPUState *cs = CPU(mb_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 int trapnr, ret;
 target_siginfo_t info;
 
diff --git a/target/microblaze/mmu.c b/target/microblaze/mmu.c
index fcf86b12d5..6763421ba2 100644
--- a/target/microblaze/mmu.c
+++ b/target/microblaze/mmu.c
@@ -34,7 +34,7 @@ static unsigned int tlb_decode_size(unsigned int f)
 
 static void mmu_flush_idx(CPUMBState *env, unsigned int idx)
 {
-CPUState *cs = CPU(mb_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 struct microblaze_mmu *mmu = >mmu;
 unsigned int tlb_size;
 uint32_t tlb_tag, end, t;
@@ -228,7 +228,6 @@ uint32_t mmu_read(CPUMBState *env, bool ext, uint32_t rn)
 
 void mmu_write(CPUMBState *env, bool ext, uint32_t rn, uint32_t v)
 {
-MicroBlazeCPU *cpu = mb_env_get_cpu(env);
 uint64_t tmp64;
 unsigned int i;
 qemu_log_mask(CPU_LOG_MMU,
@@ -269,7 +268,7 @@ void mmu_write(CPUMBState *env, bool ext, uint32_t rn, 
uint32_t v)
 /* Changes to the zone protection reg flush the QEMU TLB.
Fortunately, these are very uncommon.  */
 if (v != env->mmu.regs[rn]) {
-tlb_flush(CPU(cpu));
+tlb_flush(env_cpu(env));
 }
 env->mmu.regs[rn] = v;
 break;
diff --git a/target/microblaze/op_helper.c b/target/microblaze/op_helper.c
index e23dcfdc20..aa91d3a257 100644
--- a/target/microblaze/op_helper.c
+++ b/target/microblaze/op_helper.c
@@ -84,7 +84,7 @@ uint32_t helper_get(uint32_t id, uint32_t ctrl)
 
 void helper_raise_exception(CPUMBState *env, uint32_t index)
 {
-CPUState *cs = CPU(mb_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 
 cs->exception_index = index;
 cpu_loop_exit(cs);
diff --git a/target/microblaze/translate.c b/target/microblaze/translate.c
index 78ca265b04..816ba53721 100644
--- a/target/microblaze/translate.c
+++ b/target/microblaze/translate.c
@@ -1603,7 +1603,7 @@ static inline void decode(DisasContext *dc, uint32_t ir)
 void gen_intermediate_code(CPUState *cs, struct TranslationBlock *tb)
 {
 CPUMBState *env = cs->env_ptr;
-MicroBlazeCPU *cpu = mb_env_get_cpu(env);
+MicroBlazeCPU *cpu = env_archcpu(env);
 uint32_t pc_start;
 struct DisasContext ctx;
 struct DisasContext *dc = 
-- 
2.17.1

[Qemu-devel] [PATCH for-4.1 v2 02/36] tcg: Split out target/arch/cpu-param.h

[Richard Henderson]

For all targets, into this new file move TARGET_LONG_BITS,
TARGET_PAGE_BITS, TARGET_PHYS_ADDR_SPACE_BITS,
TARGET_VIRT_ADDR_SPACE_BITS, and NB_MMU_MODES.

Include this new file from exec/cpu-defs.h.

This now removes the somewhat odd requirement that target/arch/cpu.h
defines TARGET_LONG_BITS before including exec/cpu-defs.h, so push the
bulk of the includes within target/arch/cpu.h to the top.

Acked-by: Alistair Francis 
Signed-off-by: Richard Henderson 
---
 include/exec/cpu-defs.h   | 22 +-
 target/alpha/cpu-param.h  | 19 +++
 target/alpha/cpu.h| 23 +--
 target/arm/cpu-param.h| 22 ++
 target/arm/cpu.h  | 33 +++--
 target/cris/cpu-param.h   |  5 +
 target/cris/cpu.h | 11 +--
 target/hppa/cpu-param.h   | 22 ++
 target/hppa/cpu.h | 24 +---
 target/i386/cpu-param.h   | 14 ++
 target/i386/cpu.h | 21 -
 target/lm32/cpu-param.h   |  5 +
 target/lm32/cpu.h | 12 +++-
 target/m68k/cpu-param.h   |  9 +
 target/m68k/cpu.h | 16 ++--
 target/microblaze/cpu-param.h |  6 ++
 target/microblaze/cpu.h   | 14 ++
 target/mips/cpu-param.h   | 18 ++
 target/mips/cpu.h |  3 +--
 target/mips/mips-defs.h   | 15 ---
 target/moxie/cpu-param.h  |  5 +
 target/moxie/cpu.h| 12 +---
 target/nios2/cpu-param.h  |  9 +
 target/nios2/cpu.h| 17 ++---
 target/openrisc/cpu-param.h   |  5 +
 target/openrisc/cpu.h | 14 +++---
 target/ppc/cpu-param.h| 25 +
 target/ppc/cpu.h  | 35 ++-
 target/riscv/cpu-param.h  | 11 +++
 target/riscv/cpu.h| 21 -
 target/s390x/cpu-param.h  |  5 +
 target/s390x/cpu.h| 11 +--
 target/sh4/cpu-param.h|  9 +
 target/sh4/cpu.h  | 14 +-
 target/sparc/cpu-param.h  | 17 +
 target/sparc/cpu.h| 20 ++--
 target/tilegx/cpu-param.h |  5 +
 target/tilegx/cpu.h   |  9 +
 target/tricore/cpu-param.h|  5 +
 target/tricore/cpu.h  |  4 +---
 target/tricore/tricore-defs.h |  5 -
 target/unicore32/cpu-param.h  |  5 +
 target/unicore32/cpu.h| 10 +-
 target/xtensa/cpu-param.h |  9 +
 target/xtensa/cpu.h   | 21 +
 45 files changed, 289 insertions(+), 328 deletions(-)
 create mode 100644 target/alpha/cpu-param.h
 create mode 100644 target/arm/cpu-param.h
 create mode 100644 target/cris/cpu-param.h
 create mode 100644 target/hppa/cpu-param.h
 create mode 100644 target/i386/cpu-param.h
 create mode 100644 target/lm32/cpu-param.h
 create mode 100644 target/m68k/cpu-param.h
 create mode 100644 target/microblaze/cpu-param.h
 create mode 100644 target/mips/cpu-param.h
 create mode 100644 target/moxie/cpu-param.h
 create mode 100644 target/nios2/cpu-param.h
 create mode 100644 target/openrisc/cpu-param.h
 create mode 100644 target/ppc/cpu-param.h
 create mode 100644 target/riscv/cpu-param.h
 create mode 100644 target/s390x/cpu-param.h
 create mode 100644 target/sh4/cpu-param.h
 create mode 100644 target/sparc/cpu-param.h
 create mode 100644 target/tilegx/cpu-param.h
 create mode 100644 target/tricore/cpu-param.h
 create mode 100644 target/unicore32/cpu-param.h
 create mode 100644 target/xtensa/cpu-param.h

diff --git a/include/exec/cpu-defs.h b/include/exec/cpu-defs.h
index 52d150aaf1..2694481769 100644
--- a/include/exec/cpu-defs.h
+++ b/include/exec/cpu-defs.h
@@ -34,8 +34,28 @@
 #endif
 #include "exec/memattrs.h"
 
+#include "cpu-param.h"
+
 #ifndef TARGET_LONG_BITS
-#error TARGET_LONG_BITS must be defined before including this header
+# error TARGET_LONG_BITS must be defined in cpu-param.h
+#endif
+#ifndef NB_MMU_MODES
+# error NB_MMU_MODES must be defined in cpu-param.h
+#endif
+#ifndef TARGET_PHYS_ADDR_SPACE_BITS
+# error TARGET_PHYS_ADDR_SPACE_BITS must be defined in cpu-param.h
+#endif
+#ifndef TARGET_VIRT_ADDR_SPACE_BITS
+# error TARGET_VIRT_ADDR_SPACE_BITS must be defined in cpu-param.h
+#endif
+#ifndef TARGET_PAGE_BITS
+# ifdef TARGET_PAGE_BITS_VARY
+#  ifndef TARGET_PAGE_BITS_MIN
+#   error TARGET_PAGE_BITS_MIN must be defined in cpu-param.h
+#  endif
+# else
+#  error TARGET_PAGE_BITS must be defined in cpu-param.h
+# endif
 #endif
 
 #define TARGET_LONG_SIZE (TARGET_LONG_BITS / 8)
diff --git a/target/alpha/cpu-param.h b/target/alpha/cpu-param.h
new file mode 100644
index 00..6e76e740e2
--- /dev/null
+++ b/target/alpha/cpu-param.h
@@ -0,0 +1,19 @@
+#define TARGET_LONG_BITS 64
+#define TARGET_PAGE_BITS 13

[Qemu-devel] [PATCH for-4.1 v2 18/36] target/nios2: Use env_cpu, env_archcpu

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 target/nios2/cpu.h |  5 -
 hw/nios2/cpu_pic.c |  5 +
 target/nios2/mmu.c | 10 +-
 3 files changed, 6 insertions(+), 14 deletions(-)

diff --git a/target/nios2/cpu.h b/target/nios2/cpu.h
index e0e12a910e..3fc27ead81 100644
--- a/target/nios2/cpu.h
+++ b/target/nios2/cpu.h
@@ -193,11 +193,6 @@ typedef struct Nios2CPU {
 uint32_t fast_tlb_miss_addr;
 } Nios2CPU;
 
-static inline Nios2CPU *nios2_env_get_cpu(CPUNios2State *env)
-{
-return NIOS2_CPU(container_of(env, Nios2CPU, env));
-}
-
 #define ENV_OFFSET offsetof(Nios2CPU, env)
 
 void nios2_tcg_init(void);
diff --git a/hw/nios2/cpu_pic.c b/hw/nios2/cpu_pic.c
index 6bccce2f32..9e39955bd1 100644
--- a/hw/nios2/cpu_pic.c
+++ b/hw/nios2/cpu_pic.c
@@ -54,12 +54,9 @@ static void nios2_pic_cpu_handler(void *opaque, int irq, int 
level)
 
 void nios2_check_interrupts(CPUNios2State *env)
 {
-Nios2CPU *cpu = nios2_env_get_cpu(env);
-CPUState *cs = CPU(cpu);
-
 if (env->irq_pending) {
 env->irq_pending = 0;
-cpu_interrupt(cs, CPU_INTERRUPT_HARD);
+cpu_interrupt(env_cpu(env), CPU_INTERRUPT_HARD);
 }
 }
 
diff --git a/target/nios2/mmu.c b/target/nios2/mmu.c
index 0752699e25..173da3becc 100644
--- a/target/nios2/mmu.c
+++ b/target/nios2/mmu.c
@@ -72,7 +72,7 @@ unsigned int mmu_translate(CPUNios2State *env,
Nios2MMULookup *lu,
target_ulong vaddr, int rw, int mmu_idx)
 {
-Nios2CPU *cpu = nios2_env_get_cpu(env);
+Nios2CPU *cpu = env_archcpu(env);
 int pid = (env->mmu.tlbmisc_wr & CR_TLBMISC_PID_MASK) >> 4;
 int vpn = vaddr >> 12;
 
@@ -114,7 +114,7 @@ unsigned int mmu_translate(CPUNios2State *env,
 static void mmu_flush_pid(CPUNios2State *env, uint32_t pid)
 {
 CPUState *cs = env_cpu(env);
-Nios2CPU *cpu = nios2_env_get_cpu(env);
+Nios2CPU *cpu = env_archcpu(env);
 int idx;
 MMU_LOG(qemu_log("TLB Flush PID %d\n", pid));
 
@@ -138,7 +138,7 @@ static void mmu_flush_pid(CPUNios2State *env, uint32_t pid)
 void mmu_write(CPUNios2State *env, uint32_t rn, uint32_t v)
 {
 CPUState *cs = env_cpu(env);
-Nios2CPU *cpu = nios2_env_get_cpu(env);
+Nios2CPU *cpu = env_archcpu(env);
 
 MMU_LOG(qemu_log("mmu_write %08X = %08X\n", rn, v));
 
@@ -255,7 +255,7 @@ void mmu_write(CPUNios2State *env, uint32_t rn, uint32_t v)
 
 void mmu_init(CPUNios2State *env)
 {
-Nios2CPU *cpu = nios2_env_get_cpu(env);
+Nios2CPU *cpu = env_archcpu(env);
 Nios2MMU *mmu = >mmu;
 
 MMU_LOG(qemu_log("mmu_init\n"));
@@ -266,7 +266,7 @@ void mmu_init(CPUNios2State *env)
 
 void dump_mmu(FILE *f, fprintf_function cpu_fprintf, CPUNios2State *env)
 {
-Nios2CPU *cpu = nios2_env_get_cpu(env);
+Nios2CPU *cpu = env_archcpu(env);
 int i;
 
 cpu_fprintf(f, "MMU: ways %d, entries %d, pid bits %d\n",
-- 
2.17.1

[Qemu-devel] [PATCH for-4.1 v2 28/36] target/xtensa: Use env_cpu, env_archcpu

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 target/xtensa/cpu.h  | 17 ++---
 hw/xtensa/pic_cpu.c  |  2 +-
 linux-user/xtensa/cpu_loop.c |  2 +-
 target/xtensa/dbg_helper.c   |  4 ++--
 target/xtensa/exc_helper.c   |  9 -
 target/xtensa/helper.c   |  2 +-
 target/xtensa/mmu_helper.c   | 11 ---
 target/xtensa/xtensa-semi.c  |  2 +-
 8 files changed, 20 insertions(+), 29 deletions(-)

diff --git a/target/xtensa/cpu.h b/target/xtensa/cpu.h
index e6f57e0b64..d5465c2853 100644
--- a/target/xtensa/cpu.h
+++ b/target/xtensa/cpu.h
@@ -529,11 +529,6 @@ struct XtensaCPU {
 CPUXtensaState env;
 };
 
-static inline XtensaCPU *xtensa_env_get_cpu(const CPUXtensaState *env)
-{
-return container_of(env, XtensaCPU, env);
-}
-
 #define ENV_OFFSET offsetof(XtensaCPU, env)
 
 
@@ -712,10 +707,15 @@ static inline int cpu_mmu_index(CPUXtensaState *env, bool 
ifetch)
 #define XTENSA_CSBASE_LBEG_OFF_MASK 0x00ff
 #define XTENSA_CSBASE_LBEG_OFF_SHIFT 16
 
+typedef CPUXtensaState CPUArchState;
+typedef XtensaCPU ArchCPU;
+
+#include "exec/cpu-all.h"
+
 static inline void cpu_get_tb_cpu_state(CPUXtensaState *env, target_ulong *pc,
 target_ulong *cs_base, uint32_t *flags)
 {
-CPUState *cs = CPU(xtensa_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 
 *pc = env->pc;
 *cs_base = 0;
@@ -785,9 +785,4 @@ static inline void cpu_get_tb_cpu_state(CPUXtensaState 
*env, target_ulong *pc,
 }
 }
 
-typedef CPUXtensaState CPUArchState;
-typedef XtensaCPU ArchCPU;
-
-#include "exec/cpu-all.h"
-
 #endif
diff --git a/hw/xtensa/pic_cpu.c b/hw/xtensa/pic_cpu.c
index a8939f5e58..df3acbb541 100644
--- a/hw/xtensa/pic_cpu.c
+++ b/hw/xtensa/pic_cpu.c
@@ -33,7 +33,7 @@
 
 void check_interrupts(CPUXtensaState *env)
 {
-CPUState *cs = CPU(xtensa_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 int minlevel = xtensa_get_cintlevel(env);
 uint32_t int_set_enabled = env->sregs[INTSET] & env->sregs[INTENABLE];
 int level;
diff --git a/linux-user/xtensa/cpu_loop.c b/linux-user/xtensa/cpu_loop.c
index bee78edb8a..64831c9199 100644
--- a/linux-user/xtensa/cpu_loop.c
+++ b/linux-user/xtensa/cpu_loop.c
@@ -123,7 +123,7 @@ static void xtensa_underflow12(CPUXtensaState *env)
 
 void cpu_loop(CPUXtensaState *env)
 {
-CPUState *cs = CPU(xtensa_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 target_siginfo_t info;
 abi_ulong ret;
 int trapnr;
diff --git a/target/xtensa/dbg_helper.c b/target/xtensa/dbg_helper.c
index cd8fbd653a..be1f81107b 100644
--- a/target/xtensa/dbg_helper.c
+++ b/target/xtensa/dbg_helper.c
@@ -71,7 +71,7 @@ void HELPER(wsr_ibreaka)(CPUXtensaState *env, uint32_t i, 
uint32_t v)
 static void set_dbreak(CPUXtensaState *env, unsigned i, uint32_t dbreaka,
 uint32_t dbreakc)
 {
-CPUState *cs = CPU(xtensa_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 int flags = BP_CPU | BP_STOP_BEFORE_ACCESS;
 uint32_t mask = dbreakc | ~DBREAKC_MASK;
 
@@ -118,7 +118,7 @@ void HELPER(wsr_dbreakc)(CPUXtensaState *env, uint32_t i, 
uint32_t v)
 set_dbreak(env, i, env->sregs[DBREAKA + i], v);
 } else {
 if (env->cpu_watchpoint[i]) {
-CPUState *cs = CPU(xtensa_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 
 cpu_watchpoint_remove_by_ref(cs, env->cpu_watchpoint[i]);
 env->cpu_watchpoint[i] = NULL;
diff --git a/target/xtensa/exc_helper.c b/target/xtensa/exc_helper.c
index 4a1f7aef5d..601341d13a 100644
--- a/target/xtensa/exc_helper.c
+++ b/target/xtensa/exc_helper.c
@@ -34,7 +34,7 @@
 
 void HELPER(exception)(CPUXtensaState *env, uint32_t excp)
 {
-CPUState *cs = CPU(xtensa_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 
 cs->exception_index = excp;
 if (excp == EXCP_YIELD) {
@@ -100,7 +100,7 @@ void HELPER(debug_exception)(CPUXtensaState *env, uint32_t 
pc, uint32_t cause)
 
 void HELPER(waiti)(CPUXtensaState *env, uint32_t pc, uint32_t intlevel)
 {
-CPUState *cpu;
+CPUState *cpu = env_cpu(env);
 
 env->pc = pc;
 env->sregs[PS] = (env->sregs[PS] & ~PS_INTLEVEL) |
@@ -111,11 +111,10 @@ void HELPER(waiti)(CPUXtensaState *env, uint32_t pc, 
uint32_t intlevel)
 qemu_mutex_unlock_iothread();
 
 if (env->pending_irq_level) {
-cpu_loop_exit(CPU(xtensa_env_get_cpu(env)));
+cpu_loop_exit(cpu);
 return;
 }
 
-cpu = CPU(xtensa_env_get_cpu(env));
 cpu->halted = 1;
 HELPER(exception)(env, EXCP_HLT);
 }
@@ -165,7 +164,7 @@ static void handle_interrupt(CPUXtensaState *env)
 (env->config->level_mask[level] &
  env->sregs[INTSET] &
  env->sregs[INTENABLE])) {
-CPUState *cs = CPU(xtensa_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 
 if (level > 1) {
 env->sregs[EPC1 + level - 1] = env->pc;
diff --git a/target/xtensa/helper.c b/target/xtensa/helper.c
index f4867a9b56..51c8d992b9 100644
--- 

[Qemu-devel] [PATCH for-4.1 v2 17/36] target/moxie: Use env_cpu, env_archcpu

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 target/moxie/cpu.h   | 5 -
 target/moxie/helper.c| 6 +++---
 target/moxie/translate.c | 2 +-
 3 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/target/moxie/cpu.h b/target/moxie/cpu.h
index c050d6e15d..71e7cf0f08 100644
--- a/target/moxie/cpu.h
+++ b/target/moxie/cpu.h
@@ -90,11 +90,6 @@ typedef struct MoxieCPU {
 CPUMoxieState env;
 } MoxieCPU;
 
-static inline MoxieCPU *moxie_env_get_cpu(CPUMoxieState *env)
-{
-return container_of(env, MoxieCPU, env);
-}
-
 #define ENV_OFFSET offsetof(MoxieCPU, env)
 
 void moxie_cpu_do_interrupt(CPUState *cs);
diff --git a/target/moxie/helper.c b/target/moxie/helper.c
index f3d8ee7d6b..a22870228c 100644
--- a/target/moxie/helper.c
+++ b/target/moxie/helper.c
@@ -42,7 +42,7 @@ void tlb_fill(CPUState *cs, target_ulong addr, int size,
 
 void helper_raise_exception(CPUMoxieState *env, int ex)
 {
-CPUState *cs = CPU(moxie_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 
 cs->exception_index = ex;
 /* Stash the exception type.  */
@@ -79,7 +79,7 @@ uint32_t helper_udiv(CPUMoxieState *env, uint32_t a, uint32_t 
b)
 
 void helper_debug(CPUMoxieState *env)
 {
-CPUState *cs = CPU(moxie_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 
 cs->exception_index = EXCP_DEBUG;
 cpu_loop_exit(cs);
@@ -89,7 +89,7 @@ void helper_debug(CPUMoxieState *env)
 
 void moxie_cpu_do_interrupt(CPUState *cs)
 {
-CPUState *cs = CPU(moxie_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 
 cs->exception_index = -1;
 }
diff --git a/target/moxie/translate.c b/target/moxie/translate.c
index 68ca223e22..bb25a3dee7 100644
--- a/target/moxie/translate.c
+++ b/target/moxie/translate.c
@@ -816,7 +816,7 @@ static int decode_opc(MoxieCPU *cpu, DisasContext *ctx)
 void gen_intermediate_code(CPUState *cs, struct TranslationBlock *tb)
 {
 CPUMoxieState *env = cs->env_ptr;
-MoxieCPU *cpu = moxie_env_get_cpu(env);
+MoxieCPU *cpu = env_archcpu(env);
 DisasContext ctx;
 target_ulong pc_start;
 int num_insns, max_insns;
-- 
2.17.1

[Qemu-devel] [PATCH for-4.1 v2 31/36] cpu: Introduce CPUNegativeOffsetState

[Richard Henderson]

Nothing in there so far, but all of the plumbing done
within the target ArchCPU state.

Signed-off-by: Richard Henderson 
---
 include/exec/cpu-all.h  | 25 +
 include/exec/cpu-defs.h |  8 
 target/alpha/cpu.h  |  1 +
 target/arm/cpu.h|  1 +
 target/cris/cpu.h   |  1 +
 target/hppa/cpu.h   |  1 +
 target/i386/cpu.h   |  1 +
 target/lm32/cpu.h   |  1 +
 target/m68k/cpu.h   |  1 +
 target/microblaze/cpu.h |  5 +++--
 target/mips/cpu.h   |  1 +
 target/moxie/cpu.h  |  1 +
 target/nios2/cpu.h  |  2 ++
 target/openrisc/cpu.h   |  2 +-
 target/ppc/cpu.h|  2 ++
 target/riscv/cpu.h  |  1 +
 target/s390x/cpu.h  |  1 +
 target/sh4/cpu.h|  1 +
 target/sparc/cpu.h  |  1 +
 target/tilegx/cpu.h |  1 +
 target/tricore/cpu.h|  1 +
 target/unicore32/cpu.h  |  1 +
 target/xtensa/cpu.h |  1 +
 23 files changed, 58 insertions(+), 3 deletions(-)

diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
index 1ed7d1e005..b42741f273 100644
--- a/include/exec/cpu-all.h
+++ b/include/exec/cpu-all.h
@@ -403,4 +403,29 @@ static inline CPUState *env_cpu(CPUArchState *env)
 {
 return _archcpu(env)->parent_obj;
 }
+
+/**
+ * env_neg(env)
+ * @env: The architecture environment
+ *
+ * Return the CPUNegativeOffsetState associated with the environment.
+ */
+static inline CPUNegativeOffsetState *env_neg(CPUArchState *env)
+{
+ArchCPU *arch_cpu = container_of(env, ArchCPU, env);
+return _cpu->neg;
+}
+
+/**
+ * cpu_neg(cpu)
+ * @cpu: The generic CPUState
+ *
+ * Return the CPUNegativeOffsetState associated with the cpu.
+ */
+static inline CPUNegativeOffsetState *cpu_neg(CPUState *cpu)
+{
+ArchCPU *arch_cpu = container_of(cpu, ArchCPU, parent_obj);
+return _cpu->neg;
+}
+
 #endif /* CPU_ALL_H */
diff --git a/include/exec/cpu-defs.h b/include/exec/cpu-defs.h
index fbe8945606..ad97991faf 100644
--- a/include/exec/cpu-defs.h
+++ b/include/exec/cpu-defs.h
@@ -227,4 +227,12 @@ typedef struct CPUTLB {
 
 #endif  /* !CONFIG_USER_ONLY && CONFIG_TCG */
 
+/*
+ * This structure must be placed in ArchCPU immedately
+ * before CPUArchState, as a field named "neg".
+ */
+typedef struct CPUNegativeOffsetState {
+/* Empty */
+} CPUNegativeOffsetState;
+
 #endif
diff --git a/target/alpha/cpu.h b/target/alpha/cpu.h
index 93919bbaa2..c63fa929f6 100644
--- a/target/alpha/cpu.h
+++ b/target/alpha/cpu.h
@@ -267,6 +267,7 @@ struct AlphaCPU {
 CPUState parent_obj;
 /*< public >*/
 
+CPUNegativeOffsetState neg;
 CPUAlphaState env;
 
 /* This alarm doesn't exist in real hardware; we wish it did.  */
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index df0409a703..cae0f509fc 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -711,6 +711,7 @@ struct ARMCPU {
 CPUState parent_obj;
 /*< public >*/
 
+CPUNegativeOffsetState neg;
 CPUARMState env;
 
 /* Coprocessor information */
diff --git a/target/cris/cpu.h b/target/cris/cpu.h
index b87a559137..9191553cd7 100644
--- a/target/cris/cpu.h
+++ b/target/cris/cpu.h
@@ -180,6 +180,7 @@ struct CRISCPU {
 CPUState parent_obj;
 /*< public >*/
 
+CPUNegativeOffsetState neg;
 CPUCRISState env;
 };
 
diff --git a/target/hppa/cpu.h b/target/hppa/cpu.h
index 65986dacbf..21395c115c 100644
--- a/target/hppa/cpu.h
+++ b/target/hppa/cpu.h
@@ -218,6 +218,7 @@ struct HPPACPU {
 CPUState parent_obj;
 /*< public >*/
 
+CPUNegativeOffsetState neg;
 CPUHPPAState env;
 QEMUTimer *alarm_timer;
 };
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index c5351bea7e..239f907f76 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1366,6 +1366,7 @@ struct X86CPU {
 CPUState parent_obj;
 /*< public >*/
 
+CPUNegativeOffsetState neg;
 CPUX86State env;
 
 bool hyperv_vapic;
diff --git a/target/lm32/cpu.h b/target/lm32/cpu.h
index deb83153b3..ff5c6893bc 100644
--- a/target/lm32/cpu.h
+++ b/target/lm32/cpu.h
@@ -186,6 +186,7 @@ struct LM32CPU {
 CPUState parent_obj;
 /*< public >*/
 
+CPUNegativeOffsetState neg;
 CPULM32State env;
 
 uint32_t revision;
diff --git a/target/m68k/cpu.h b/target/m68k/cpu.h
index 2b180cf18d..087e73f9e2 100644
--- a/target/m68k/cpu.h
+++ b/target/m68k/cpu.h
@@ -160,6 +160,7 @@ struct M68kCPU {
 CPUState parent_obj;
 /*< public >*/
 
+CPUNegativeOffsetState neg;
 CPUM68KState env;
 };
 
diff --git a/target/microblaze/cpu.h b/target/microblaze/cpu.h
index ff3abb61af..618fc8ff1f 100644
--- a/target/microblaze/cpu.h
+++ b/target/microblaze/cpu.h
@@ -287,6 +287,9 @@ struct MicroBlazeCPU {
 
 /*< public >*/
 
+CPUNegativeOffsetState neg;
+CPUMBState env;
+
 /* Microblaze Configuration Settings */
 struct {
 bool stackprot;
@@ -306,8 +309,6 @@ struct MicroBlazeCPU {
 char *version;
 uint8_t pvr;
 } cfg;
-
-CPUMBState env;
 };
 
 
diff --git a/target/mips/cpu.h b/target/mips/cpu.h
index 

[Qemu-devel] [PATCH for-4.1 v2 04/36] cpu: Define CPUArchState with typedef

[Richard Henderson]

For all targets, do this just before including exec/cpu-all.h.

Acked-by: Alistair Francis 
Signed-off-by: Richard Henderson 
---
 target/alpha/cpu.h  | 4 ++--
 target/arm/cpu.h| 4 ++--
 target/cris/cpu.h   | 4 ++--
 target/hppa/cpu.h   | 4 ++--
 target/i386/cpu.h   | 5 ++---
 target/lm32/cpu.h   | 5 ++---
 target/m68k/cpu.h   | 4 ++--
 target/microblaze/cpu.h | 5 ++---
 target/mips/cpu.h   | 6 ++
 target/moxie/cpu.h  | 4 ++--
 target/nios2/cpu.h  | 5 ++---
 target/openrisc/cpu.h   | 4 ++--
 target/ppc/cpu.h| 4 ++--
 target/riscv/cpu.h  | 4 ++--
 target/s390x/cpu.h  | 8 
 target/sh4/cpu.h| 4 ++--
 target/sparc/cpu.h  | 4 ++--
 target/tilegx/cpu.h | 4 ++--
 target/tricore/cpu.h| 6 +-
 target/unicore32/cpu.h  | 4 ++--
 target/xtensa/cpu.h | 4 ++--
 21 files changed, 43 insertions(+), 53 deletions(-)

diff --git a/target/alpha/cpu.h b/target/alpha/cpu.h
index e4aacbe5a3..fac622aa02 100644
--- a/target/alpha/cpu.h
+++ b/target/alpha/cpu.h
@@ -26,8 +26,6 @@
 
 #define ALIGNED_ONLY
 
-#define CPUArchState struct CPUAlphaState
-
 /* Alpha processors have a weak memory model */
 #define TCG_GUEST_DEFAULT_MO  (0)
 
@@ -302,6 +300,8 @@ void alpha_cpu_do_unaligned_access(CPUState *cpu, vaddr 
addr,
 #define cpu_list alpha_cpu_list
 #define cpu_signal_handler cpu_alpha_signal_handler
 
+typedef CPUAlphaState CPUArchState;
+
 #include "exec/cpu-all.h"
 
 enum {
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 12af124159..e043fd3f97 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -29,8 +29,6 @@
 /* ARM processors have a weak memory model */
 #define TCG_GUEST_DEFAULT_MO  (0)
 
-#define CPUArchState struct CPUARMState
-
 #define EXCP_UDEF1   /* undefined instruction */
 #define EXCP_SWI 2   /* software interrupt */
 #define EXCP_PREFETCH_ABORT  3
@@ -3045,6 +3043,8 @@ static inline bool arm_cpu_data_is_big_endian(CPUARMState 
*env)
 }
 }
 
+typedef CPUARMState CPUArchState;
+
 #include "exec/cpu-all.h"
 
 /* Bit usage in the TB flags field: bit 31 indicates whether we are
diff --git a/target/cris/cpu.h b/target/cris/cpu.h
index 832796d457..95662c36b2 100644
--- a/target/cris/cpu.h
+++ b/target/cris/cpu.h
@@ -25,8 +25,6 @@
 #include "cpu-qom.h"
 #include "exec/cpu-defs.h"
 
-#define CPUArchState struct CPUCRISState
-
 #define EXCP_NMI1
 #define EXCP_GURU   2
 #define EXCP_BUSFAULT   3
@@ -286,6 +284,8 @@ int cris_cpu_handle_mmu_fault(CPUState *cpu, vaddr address, 
int size, int rw,
 #define SFR_RW_MM_TLB_LO   env->pregs[PR_SRS]][5
 #define SFR_RW_MM_TLB_HI   env->pregs[PR_SRS]][6
 
+typedef CPUCRISState CPUArchState;
+
 #include "exec/cpu-all.h"
 
 static inline void cpu_get_tb_cpu_state(CPUCRISState *env, target_ulong *pc,
diff --git a/target/hppa/cpu.h b/target/hppa/cpu.h
index fe97786de1..7c1d1e0a0e 100644
--- a/target/hppa/cpu.h
+++ b/target/hppa/cpu.h
@@ -31,8 +31,6 @@
basis.  It's probably easier to fall back to a strong memory model.  */
 #define TCG_GUEST_DEFAULT_MOTCG_MO_ALL
 
-#define CPUArchState struct CPUHPPAState
-
 #define ALIGNED_ONLY
 #define MMU_KERNEL_IDX   0
 #define MMU_USER_IDX 3
@@ -232,6 +230,8 @@ static inline HPPACPU *hppa_env_get_cpu(CPUHPPAState *env)
 #define ENV_GET_CPU(e)  CPU(hppa_env_get_cpu(e))
 #define ENV_OFFSET  offsetof(HPPACPU, env)
 
+typedef CPUHPPAState CPUArchState;
+
 #include "exec/cpu-all.h"
 
 static inline int cpu_mmu_index(CPUHPPAState *env, bool ifetch)
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 6716958276..84ca69ea1a 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1,4 +1,3 @@
-
 /*
  * i386 virtual CPU header
  *
@@ -44,8 +43,6 @@
 #define ELF_MACHINE_UNAME "i686"
 #endif
 
-#define CPUArchState struct CPUX86State
-
 enum {
 R_EAX = 0,
 R_ECX = 1,
@@ -1752,6 +1749,8 @@ static inline target_long lshift(target_long x, int n)
 /* translate.c */
 void tcg_x86_init(void);
 
+typedef CPUX86State CPUArchState;
+
 #include "exec/cpu-all.h"
 #include "svm.h"
 
diff --git a/target/lm32/cpu.h b/target/lm32/cpu.h
index 3c9c8a904c..5b24cfcc1f 100644
--- a/target/lm32/cpu.h
+++ b/target/lm32/cpu.h
@@ -24,9 +24,6 @@
 #include "cpu-qom.h"
 #include "exec/cpu-defs.h"
 
-#define CPUArchState struct CPULM32State
-
-struct CPULM32State;
 typedef struct CPULM32State CPULM32State;
 
 static inline int cpu_mmu_index(CPULM32State *env, bool ifetch)
@@ -259,6 +256,8 @@ bool lm32_cpu_do_semihosting(CPUState *cs);
 int lm32_cpu_handle_mmu_fault(CPUState *cpu, vaddr address, int size, int rw,
   int mmu_idx);
 
+typedef CPULM32State CPUArchState;
+
 #include "exec/cpu-all.h"
 
 static inline void cpu_get_tb_cpu_state(CPULM32State *env, target_ulong *pc,
diff --git a/target/m68k/cpu.h b/target/m68k/cpu.h
index 6bf44604b5..48c051c7d2 100644
--- a/target/m68k/cpu.h
+++ b/target/m68k/cpu.h
@@ -25,8 +25,6 @@
 #include "exec/cpu-defs.h"
 #include "cpu-qom.h"
 

[Qemu-devel] [PATCH for-4.1 v2 22/36] target/s390x: Use env_cpu, env_archcpu

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 target/s390x/cpu.h  |  5 
 linux-user/s390x/cpu_loop.c |  2 +-
 target/s390x/cc_helper.c|  5 ++--
 target/s390x/diag.c |  2 +-
 target/s390x/excp_helper.c  |  6 ++---
 target/s390x/fpu_helper.c   |  4 +--
 target/s390x/helper.c   |  7 +++---
 target/s390x/int_helper.c   |  3 +--
 target/s390x/interrupt.c|  6 ++---
 target/s390x/mem_helper.c   | 28 -
 target/s390x/misc_helper.c  | 50 ++---
 target/s390x/mmu_helper.c   |  8 +++---
 target/s390x/sigp.c |  4 +--
 13 files changed, 56 insertions(+), 74 deletions(-)

diff --git a/target/s390x/cpu.h b/target/s390x/cpu.h
index 3dd60c5346..372d4c198f 100644
--- a/target/s390x/cpu.h
+++ b/target/s390x/cpu.h
@@ -163,11 +163,6 @@ struct S390CPU {
 uint32_t irqstate_saved_size;
 };
 
-static inline S390CPU *s390_env_get_cpu(CPUS390XState *env)
-{
-return container_of(env, S390CPU, env);
-}
-
 #define ENV_OFFSET offsetof(S390CPU, env)
 
 #ifndef CONFIG_USER_ONLY
diff --git a/linux-user/s390x/cpu_loop.c b/linux-user/s390x/cpu_loop.c
index 51b5412ea2..1050f6923c 100644
--- a/linux-user/s390x/cpu_loop.c
+++ b/linux-user/s390x/cpu_loop.c
@@ -26,7 +26,7 @@
 
 void cpu_loop(CPUS390XState *env)
 {
-CPUState *cs = CPU(s390_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 int trapnr, n, sig;
 target_siginfo_t info;
 target_ulong addr;
diff --git a/target/s390x/cc_helper.c b/target/s390x/cc_helper.c
index 0e467bf2b6..e9732500ad 100644
--- a/target/s390x/cc_helper.c
+++ b/target/s390x/cc_helper.c
@@ -405,7 +405,6 @@ static uint32_t cc_calc_lcbb(uint64_t dst)
 static uint32_t do_calc_cc(CPUS390XState *env, uint32_t cc_op,
   uint64_t src, uint64_t dst, uint64_t vr)
 {
-S390CPU *cpu = s390_env_get_cpu(env);
 uint32_t r = 0;
 
 switch (cc_op) {
@@ -526,7 +525,7 @@ static uint32_t do_calc_cc(CPUS390XState *env, uint32_t 
cc_op,
 break;
 
 default:
-cpu_abort(CPU(cpu), "Unknown CC operation: %s\n", cc_name(cc_op));
+cpu_abort(env_cpu(env), "Unknown CC operation: %s\n", cc_name(cc_op));
 }
 
 HELPER_LOG("%s: %15s 0x%016lx 0x%016lx 0x%016lx = %d\n", __func__,
@@ -550,7 +549,7 @@ uint32_t HELPER(calc_cc)(CPUS390XState *env, uint32_t 
cc_op, uint64_t src,
 void HELPER(load_psw)(CPUS390XState *env, uint64_t mask, uint64_t addr)
 {
 load_psw(env, mask, addr);
-cpu_loop_exit(CPU(s390_env_get_cpu(env)));
+cpu_loop_exit(env_cpu(env));
 }
 
 void HELPER(sacf)(CPUS390XState *env, uint64_t a1)
diff --git a/target/s390x/diag.c b/target/s390x/diag.c
index aafa740f61..65eabf0461 100644
--- a/target/s390x/diag.c
+++ b/target/s390x/diag.c
@@ -55,7 +55,7 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t 
r3)
 
 void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t 
ra)
 {
-CPUState *cs = CPU(s390_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 uint64_t addr =  env->regs[r1];
 uint64_t subcode = env->regs[r3];
 IplParameterBlock *iplb;
diff --git a/target/s390x/excp_helper.c b/target/s390x/excp_helper.c
index f84bfb1284..b83c1e6559 100644
--- a/target/s390x/excp_helper.c
+++ b/target/s390x/excp_helper.c
@@ -36,7 +36,7 @@
 void QEMU_NORETURN tcg_s390_program_interrupt(CPUS390XState *env, uint32_t 
code,
   int ilen, uintptr_t ra)
 {
-CPUState *cs = CPU(s390_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 
 cpu_restore_state(cs, ra, true);
 qemu_log_mask(CPU_LOG_INT, "program interrupt at %#" PRIx64 "\n",
@@ -51,7 +51,7 @@ void QEMU_NORETURN tcg_s390_data_exception(CPUS390XState 
*env, uint32_t dxc,
 g_assert(dxc <= 0xff);
 #if !defined(CONFIG_USER_ONLY)
 /* Store the DXC into the lowcore */
-stl_phys(CPU(s390_env_get_cpu(env))->as,
+stl_phys(env_cpu(env)->as,
  env->psa + offsetof(LowCore, data_exc_code), dxc);
 #endif
 
@@ -261,7 +261,7 @@ static void do_svc_interrupt(CPUS390XState *env)
 static void do_ext_interrupt(CPUS390XState *env)
 {
 QEMUS390FLICState *flic = QEMU_S390_FLIC(s390_get_flic());
-S390CPU *cpu = s390_env_get_cpu(env);
+S390CPU *cpu = env_archcpu(env);
 uint64_t mask, addr;
 uint16_t cpu_addr;
 LowCore *lowcore;
diff --git a/target/s390x/fpu_helper.c b/target/s390x/fpu_helper.c
index 1be68bafea..906fa8ce99 100644
--- a/target/s390x/fpu_helper.c
+++ b/target/s390x/fpu_helper.c
@@ -114,8 +114,6 @@ static void handle_exceptions(CPUS390XState *env, bool XxC, 
uintptr_t retaddr)
 
 static inline int float_comp_to_cc(CPUS390XState *env, int float_compare)
 {
-S390CPU *cpu = s390_env_get_cpu(env);
-
 switch (float_compare) {
 case float_relation_equal:
 return 0;
@@ -126,7 +124,7 @@ static inline int float_comp_to_cc(CPUS390XState *env, int 
float_compare)
 case float_relation_unordered:
 return 3;
 default:
-cpu_abort(CPU(cpu), 

[Qemu-devel] [PATCH for-4.1 v2 25/36] target/tilegx: Use env_cpu

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 target/tilegx/cpu.h  | 5 -
 linux-user/tilegx/cpu_loop.c | 2 +-
 target/tilegx/helper.c   | 2 +-
 3 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/target/tilegx/cpu.h b/target/tilegx/cpu.h
index 135df63523..7f8fe7c513 100644
--- a/target/tilegx/cpu.h
+++ b/target/tilegx/cpu.h
@@ -138,11 +138,6 @@ typedef struct TileGXCPU {
 CPUTLGState env;
 } TileGXCPU;
 
-static inline TileGXCPU *tilegx_env_get_cpu(CPUTLGState *env)
-{
-return container_of(env, TileGXCPU, env);
-}
-
 #define ENV_OFFSET offsetof(TileGXCPU, env)
 
 /* TILE-Gx memory attributes */
diff --git a/linux-user/tilegx/cpu_loop.c b/linux-user/tilegx/cpu_loop.c
index 4f39eb9ad3..d4abe29dcd 100644
--- a/linux-user/tilegx/cpu_loop.c
+++ b/linux-user/tilegx/cpu_loop.c
@@ -206,7 +206,7 @@ static void do_fetch(CPUTLGState *env, int trapnr, bool 
quad)
 
 void cpu_loop(CPUTLGState *env)
 {
-CPUState *cs = CPU(tilegx_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 int trapnr;
 
 while (1) {
diff --git a/target/tilegx/helper.c b/target/tilegx/helper.c
index 4964bb9111..a57a679825 100644
--- a/target/tilegx/helper.c
+++ b/target/tilegx/helper.c
@@ -28,7 +28,7 @@
 
 void helper_exception(CPUTLGState *env, uint32_t excp)
 {
-CPUState *cs = CPU(tilegx_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 
 cs->exception_index = excp;
 cpu_loop_exit(cs);
-- 
2.17.1

[Qemu-devel] [PATCH for-4.1 v2 21/36] target/riscv: Use env_cpu, env_archcpu

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 target/riscv/cpu.h  |  5 -
 linux-user/riscv/cpu_loop.c |  2 +-
 target/riscv/cpu_helper.c   |  4 ++--
 target/riscv/csr.c  | 12 ++--
 target/riscv/op_helper.c|  8 
 5 files changed, 13 insertions(+), 18 deletions(-)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index e97f6c4889..c18dd5eb24 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -211,11 +211,6 @@ typedef struct RISCVCPU {
 CPURISCVState env;
 } RISCVCPU;
 
-static inline RISCVCPU *riscv_env_get_cpu(CPURISCVState *env)
-{
-return container_of(env, RISCVCPU, env);
-}
-
 static inline int riscv_has_ext(CPURISCVState *env, target_ulong ext)
 {
 return (env->misa & ext) != 0;
diff --git a/linux-user/riscv/cpu_loop.c b/linux-user/riscv/cpu_loop.c
index 31700f75d0..c1134597fd 100644
--- a/linux-user/riscv/cpu_loop.c
+++ b/linux-user/riscv/cpu_loop.c
@@ -25,7 +25,7 @@
 
 void cpu_loop(CPURISCVState *env)
 {
-CPUState *cs = CPU(riscv_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 int trapnr, signum, sigcode;
 target_ulong sigaddr;
 target_ulong ret;
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index b17f169681..72f82c1ccf 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -191,7 +191,7 @@ static int get_physical_address(CPURISCVState *env, hwaddr 
*physical,
 }
 }
 
-CPUState *cs = CPU(riscv_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 int va_bits = PGSHIFT + levels * ptidxbits;
 target_ulong mask = (1L << (TARGET_LONG_BITS - (va_bits - 1))) - 1;
 target_ulong masked_msbs = (addr >> (va_bits - 1)) & mask;
@@ -320,7 +320,7 @@ restart:
 static void raise_mmu_exception(CPURISCVState *env, target_ulong address,
 MMUAccessType access_type)
 {
-CPUState *cs = CPU(riscv_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 int page_fault_exceptions =
 (env->priv_ver >= PRIV_VERSION_1_10_0) &&
 get_field(env->satp, SATP_MODE) != VM_1_10_MBARE;
diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index e1d91b6c60..97a4e10e3e 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -296,7 +296,7 @@ static int write_mstatus(CPURISCVState *env, int csrno, 
target_ulong val)
 if (env->priv_ver <= PRIV_VERSION_1_09_1) {
 if ((val ^ mstatus) & (MSTATUS_MXR | MSTATUS_MPP |
 MSTATUS_MPRV | MSTATUS_SUM | MSTATUS_VM)) {
-tlb_flush(CPU(riscv_env_get_cpu(env)));
+tlb_flush(env_cpu(env));
 }
 mask = MSTATUS_SIE | MSTATUS_SPIE | MSTATUS_MIE | MSTATUS_MPIE |
 MSTATUS_SPP | MSTATUS_FS | MSTATUS_MPRV | MSTATUS_SUM |
@@ -307,7 +307,7 @@ static int write_mstatus(CPURISCVState *env, int csrno, 
target_ulong val)
 if (env->priv_ver >= PRIV_VERSION_1_10_0) {
 if ((val ^ mstatus) & (MSTATUS_MXR | MSTATUS_MPP |
 MSTATUS_MPRV | MSTATUS_SUM)) {
-tlb_flush(CPU(riscv_env_get_cpu(env)));
+tlb_flush(env_cpu(env));
 }
 mask = MSTATUS_SIE | MSTATUS_SPIE | MSTATUS_MIE | MSTATUS_MPIE |
 MSTATUS_SPP | MSTATUS_FS | MSTATUS_MPRV | MSTATUS_SUM |
@@ -382,7 +382,7 @@ static int write_misa(CPURISCVState *env, int csrno, 
target_ulong val)
 
 /* flush translation cache */
 if (val != env->misa) {
-tb_flush(CPU(riscv_env_get_cpu(env)));
+tb_flush(env_cpu(env));
 }
 
 env->misa = val;
@@ -549,7 +549,7 @@ static int write_mbadaddr(CPURISCVState *env, int csrno, 
target_ulong val)
 static int rmw_mip(CPURISCVState *env, int csrno, target_ulong *ret_value,
target_ulong new_value, target_ulong write_mask)
 {
-RISCVCPU *cpu = riscv_env_get_cpu(env);
+RISCVCPU *cpu = env_archcpu(env);
 /* Allow software control of delegable interrupts not claimed by hardware 
*/
 target_ulong mask = write_mask & delegable_ints & ~env->miclaim;
 uint32_t old_mip;
@@ -712,7 +712,7 @@ static int write_satp(CPURISCVState *env, int csrno, 
target_ulong val)
 return 0;
 }
 if (env->priv_ver <= PRIV_VERSION_1_09_1 && (val ^ env->sptbr)) {
-tlb_flush(CPU(riscv_env_get_cpu(env)));
+tlb_flush(env_cpu(env));
 env->sptbr = val & (((target_ulong)
 1 << (TARGET_PHYS_ADDR_SPACE_BITS - PGSHIFT)) - 1);
 }
@@ -723,7 +723,7 @@ static int write_satp(CPURISCVState *env, int csrno, 
target_ulong val)
 if (env->priv == PRV_S && get_field(env->mstatus, MSTATUS_TVM)) {
 return -1;
 } else {
-tlb_flush(CPU(riscv_env_get_cpu(env)));
+tlb_flush(env_cpu(env));
 env->satp = val;
 }
 }
diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
index b7dc18a41e..f078bafbe6 100644
--- a/target/riscv/op_helper.c
+++ b/target/riscv/op_helper.c
@@ -28,7 +28,7 @@
 void QEMU_NORETURN riscv_raise_exception(CPURISCVState *env,
  

[Qemu-devel] [PATCH for-4.1 v2 29/36] cpu: Move ENV_OFFSET to exec/gen-icount.h

[Richard Henderson]

Now that we have ArchCPU, we can define this generically,
in the one place that needs it.

Signed-off-by: Richard Henderson 
---
 include/exec/gen-icount.h | 2 ++
 target/alpha/cpu.h| 1 -
 target/arm/cpu.h  | 2 --
 target/cris/cpu.h | 1 -
 target/hppa/cpu.h | 1 -
 target/i386/cpu.h | 1 -
 target/lm32/cpu.h | 1 -
 target/m68k/cpu.h | 1 -
 target/microblaze/cpu.h   | 1 -
 target/mips/cpu.h | 1 -
 target/moxie/cpu.h| 1 -
 target/nios2/cpu.h| 1 -
 target/openrisc/cpu.h | 1 -
 target/ppc/cpu.h  | 1 -
 target/riscv/cpu.h| 2 --
 target/s390x/cpu.h| 1 -
 target/sh4/cpu.h  | 1 -
 target/sparc/cpu.h| 1 -
 target/tilegx/cpu.h   | 1 -
 target/tricore/cpu.h  | 1 -
 target/unicore32/cpu.h| 1 -
 target/xtensa/cpu.h   | 2 --
 22 files changed, 2 insertions(+), 24 deletions(-)

diff --git a/include/exec/gen-icount.h b/include/exec/gen-icount.h
index 24f7991781..9cfa6ccce5 100644
--- a/include/exec/gen-icount.h
+++ b/include/exec/gen-icount.h
@@ -5,6 +5,8 @@
 
 /* Helpers for instruction counting code generation.  */
 
+#define ENV_OFFSET   offsetof(ArchCPU, env)
+
 static TCGOp *icount_start_insn;
 
 static inline void gen_tb_start(TranslationBlock *tb)
diff --git a/target/alpha/cpu.h b/target/alpha/cpu.h
index e22518871a..93919bbaa2 100644
--- a/target/alpha/cpu.h
+++ b/target/alpha/cpu.h
@@ -273,7 +273,6 @@ struct AlphaCPU {
 QEMUTimer *alarm_timer;
 };
 
-#define ENV_OFFSET offsetof(AlphaCPU, env)
 
 #ifndef CONFIG_USER_ONLY
 extern const struct VMStateDescription vmstate_alpha_cpu;
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 3de68c5844..df0409a703 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -907,8 +907,6 @@ void arm_cpu_post_init(Object *obj);
 
 uint64_t arm_cpu_mp_affinity(int idx, uint8_t clustersz);
 
-#define ENV_OFFSET offsetof(ARMCPU, env)
-
 #ifndef CONFIG_USER_ONLY
 extern const struct VMStateDescription vmstate_arm_cpu;
 #endif
diff --git a/target/cris/cpu.h b/target/cris/cpu.h
index 6111dbb14c..b87a559137 100644
--- a/target/cris/cpu.h
+++ b/target/cris/cpu.h
@@ -183,7 +183,6 @@ struct CRISCPU {
 CPUCRISState env;
 };
 
-#define ENV_OFFSET offsetof(CRISCPU, env)
 
 #ifndef CONFIG_USER_ONLY
 extern const struct VMStateDescription vmstate_cris_cpu;
diff --git a/target/hppa/cpu.h b/target/hppa/cpu.h
index 1387066324..65986dacbf 100644
--- a/target/hppa/cpu.h
+++ b/target/hppa/cpu.h
@@ -222,7 +222,6 @@ struct HPPACPU {
 QEMUTimer *alarm_timer;
 };
 
-#define ENV_OFFSET  offsetof(HPPACPU, env)
 
 typedef CPUHPPAState CPUArchState;
 typedef HPPACPU ArchCPU;
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 7ff5ab77c1..c5351bea7e 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1477,7 +1477,6 @@ struct X86CPU {
 int32_t hv_max_vps;
 };
 
-#define ENV_OFFSET offsetof(X86CPU, env)
 
 #ifndef CONFIG_USER_ONLY
 extern struct VMStateDescription vmstate_x86_cpu;
diff --git a/target/lm32/cpu.h b/target/lm32/cpu.h
index 69beb16972..deb83153b3 100644
--- a/target/lm32/cpu.h
+++ b/target/lm32/cpu.h
@@ -195,7 +195,6 @@ struct LM32CPU {
 uint32_t features;
 };
 
-#define ENV_OFFSET offsetof(LM32CPU, env)
 
 #ifndef CONFIG_USER_ONLY
 extern const struct VMStateDescription vmstate_lm32_cpu;
diff --git a/target/m68k/cpu.h b/target/m68k/cpu.h
index eb3048914e..2b180cf18d 100644
--- a/target/m68k/cpu.h
+++ b/target/m68k/cpu.h
@@ -163,7 +163,6 @@ struct M68kCPU {
 CPUM68KState env;
 };
 
-#define ENV_OFFSET offsetof(M68kCPU, env)
 
 void m68k_cpu_do_interrupt(CPUState *cpu);
 bool m68k_cpu_exec_interrupt(CPUState *cpu, int int_req);
diff --git a/target/microblaze/cpu.h b/target/microblaze/cpu.h
index a9748d57ad..ff3abb61af 100644
--- a/target/microblaze/cpu.h
+++ b/target/microblaze/cpu.h
@@ -310,7 +310,6 @@ struct MicroBlazeCPU {
 CPUMBState env;
 };
 
-#define ENV_OFFSET offsetof(MicroBlazeCPU, env)
 
 void mb_cpu_do_interrupt(CPUState *cs);
 bool mb_cpu_exec_interrupt(CPUState *cs, int int_req);
diff --git a/target/mips/cpu.h b/target/mips/cpu.h
index 914cc26c21..49c226b587 100644
--- a/target/mips/cpu.h
+++ b/target/mips/cpu.h
@@ -1051,7 +1051,6 @@ struct MIPSCPU {
 CPUMIPSState env;
 };
 
-#define ENV_OFFSET offsetof(MIPSCPU, env)
 
 void mips_cpu_list (FILE *f, fprintf_function cpu_fprintf);
 
diff --git a/target/moxie/cpu.h b/target/moxie/cpu.h
index 71e7cf0f08..00b1486659 100644
--- a/target/moxie/cpu.h
+++ b/target/moxie/cpu.h
@@ -90,7 +90,6 @@ typedef struct MoxieCPU {
 CPUMoxieState env;
 } MoxieCPU;
 
-#define ENV_OFFSET offsetof(MoxieCPU, env)
 
 void moxie_cpu_do_interrupt(CPUState *cs);
 void moxie_cpu_dump_state(CPUState *cpu, FILE *f,
diff --git a/target/nios2/cpu.h b/target/nios2/cpu.h
index 3fc27ead81..39a2471b18 100644
--- a/target/nios2/cpu.h
+++ b/target/nios2/cpu.h
@@ -193,7 +193,6 @@ typedef struct Nios2CPU {
 uint32_t fast_tlb_miss_addr;
 } Nios2CPU;
 
-#define ENV_OFFSET 

[Qemu-devel] [PATCH for-4.1 v2 10/36] target/cris: Use env_cpu, env_archcpu

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 target/cris/cpu.h  |  5 -
 linux-user/cris/cpu_loop.c |  2 +-
 target/cris/mmu.c  |  3 +--
 target/cris/op_helper.c| 10 +++---
 target/cris/translate.c|  2 +-
 5 files changed, 6 insertions(+), 16 deletions(-)

diff --git a/target/cris/cpu.h b/target/cris/cpu.h
index 632ebf84b0..6111dbb14c 100644
--- a/target/cris/cpu.h
+++ b/target/cris/cpu.h
@@ -183,11 +183,6 @@ struct CRISCPU {
 CPUCRISState env;
 };
 
-static inline CRISCPU *cris_env_get_cpu(CPUCRISState *env)
-{
-return container_of(env, CRISCPU, env);
-}
-
 #define ENV_OFFSET offsetof(CRISCPU, env)
 
 #ifndef CONFIG_USER_ONLY
diff --git a/linux-user/cris/cpu_loop.c b/linux-user/cris/cpu_loop.c
index d012e70a7a..06709f19c1 100644
--- a/linux-user/cris/cpu_loop.c
+++ b/linux-user/cris/cpu_loop.c
@@ -23,7 +23,7 @@
 
 void cpu_loop(CPUCRISState *env)
 {
-CPUState *cs = CPU(cris_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 int trapnr, ret;
 target_siginfo_t info;
 
diff --git a/target/cris/mmu.c b/target/cris/mmu.c
index b8db908823..ff0d3f4182 100644
--- a/target/cris/mmu.c
+++ b/target/cris/mmu.c
@@ -290,7 +290,6 @@ static int cris_mmu_translate_page(struct cris_mmu_result 
*res,
 
 void cris_mmu_flush_pid(CPUCRISState *env, uint32_t pid)
 {
-CRISCPU *cpu = cris_env_get_cpu(env);
target_ulong vaddr;
unsigned int idx;
uint32_t lo, hi;
@@ -316,7 +315,7 @@ void cris_mmu_flush_pid(CPUCRISState *env, uint32_t pid)
vaddr = tlb_vpn << TARGET_PAGE_BITS;
D_LOG("flush pid=%x vaddr=%x\n", 
  pid, vaddr);
-tlb_flush_page(CPU(cpu), vaddr);
+tlb_flush_page(env_cpu(env), vaddr);
}
}
}
diff --git a/target/cris/op_helper.c b/target/cris/op_helper.c
index 0ee3a3117b..acb137a8ce 100644
--- a/target/cris/op_helper.c
+++ b/target/cris/op_helper.c
@@ -67,7 +67,7 @@ void tlb_fill(CPUState *cs, target_ulong addr, int size,
 
 void helper_raise_exception(CPUCRISState *env, uint32_t index)
 {
-CPUState *cs = CPU(cris_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 
 cs->exception_index = index;
 cpu_loop_exit(cs);
@@ -85,8 +85,7 @@ void helper_tlb_flush_pid(CPUCRISState *env, uint32_t pid)
 void helper_spc_write(CPUCRISState *env, uint32_t new_spc)
 {
 #if !defined(CONFIG_USER_ONLY)
-CRISCPU *cpu = cris_env_get_cpu(env);
-CPUState *cs = CPU(cpu);
+CPUState *cs = env_cpu(env);
 
 tlb_flush_page(cs, env->pregs[PR_SPC]);
 tlb_flush_page(cs, new_spc);
@@ -99,9 +98,6 @@ void helper_spc_write(CPUCRISState *env, uint32_t new_spc)
 
 void helper_movl_sreg_reg(CPUCRISState *env, uint32_t sreg, uint32_t reg)
 {
-#if !defined(CONFIG_USER_ONLY)
-CRISCPU *cpu = cris_env_get_cpu(env);
-#endif
uint32_t srs;
srs = env->pregs[PR_SRS];
srs &= 3;
@@ -143,7 +139,7 @@ void helper_movl_sreg_reg(CPUCRISState *env, uint32_t sreg, 
uint32_t reg)
D_LOG("tlb flush vaddr=%x v=%d pc=%x\n", 
  vaddr, tlb_v, env->pc);
if (tlb_v) {
-tlb_flush_page(CPU(cpu), vaddr);
+tlb_flush_page(env_cpu(env), vaddr);
}
}
}
diff --git a/target/cris/translate.c b/target/cris/translate.c
index 11b2c11174..b5598c6fd5 100644
--- a/target/cris/translate.c
+++ b/target/cris/translate.c
@@ -3104,7 +3104,7 @@ void gen_intermediate_code(CPUState *cs, struct 
TranslationBlock *tb)
  * delayslot, like in real hw.
  */
 pc_start = tb->pc & ~1;
-dc->cpu = cris_env_get_cpu(env);
+dc->cpu = env_archcpu(env);
 dc->tb = tb;
 
 dc->is_jmp = DISAS_NEXT;
-- 
2.17.1

[Qemu-devel] [PATCH for-4.1 v2 26/36] target/tricore: Use env_cpu

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 target/tricore/cpu.h   | 5 -
 target/tricore/op_helper.c | 4 ++--
 2 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/target/tricore/cpu.h b/target/tricore/cpu.h
index ed32622388..9ea5060a87 100644
--- a/target/tricore/cpu.h
+++ b/target/tricore/cpu.h
@@ -208,11 +208,6 @@ struct TriCoreCPU {
 CPUTriCoreState env;
 };
 
-static inline TriCoreCPU *tricore_env_get_cpu(CPUTriCoreState *env)
-{
-return TRICORE_CPU(container_of(env, TriCoreCPU, env));
-}
-
 #define ENV_OFFSET offsetof(TriCoreCPU, env)
 
 hwaddr tricore_cpu_get_phys_page_debug(CPUState *cpu, vaddr addr);
diff --git a/target/tricore/op_helper.c b/target/tricore/op_helper.c
index ed9dc0c83e..ba2f21a6c3 100644
--- a/target/tricore/op_helper.c
+++ b/target/tricore/op_helper.c
@@ -29,7 +29,7 @@ static void QEMU_NORETURN
 raise_exception_sync_internal(CPUTriCoreState *env, uint32_t class, int tin,
   uintptr_t pc, uint32_t fcd_pc)
 {
-CPUState *cs = CPU(tricore_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 /* in case we come from a helper-call we need to restore the PC */
 cpu_restore_state(cs, pc, true);
 
@@ -2800,7 +2800,7 @@ static inline void QEMU_NORETURN 
do_raise_exception_err(CPUTriCoreState *env,
 int error_code,
 uintptr_t pc)
 {
-CPUState *cs = CPU(tricore_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 cs->exception_index = exception;
 env->error_code = error_code;
 /* now we have a real cpu fault */
-- 
2.17.1

[Qemu-devel] [PATCH for-4.1 v2 23/36] target/sh4: Use env_cpu, env_archcpu

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 target/sh4/cpu.h  |  5 -
 linux-user/sh4/cpu_loop.c |  2 +-
 target/sh4/helper.c   | 26 --
 target/sh4/op_helper.c|  9 +++--
 4 files changed, 16 insertions(+), 26 deletions(-)

diff --git a/target/sh4/cpu.h b/target/sh4/cpu.h
index 95094a517a..1f94e7bf7b 100644
--- a/target/sh4/cpu.h
+++ b/target/sh4/cpu.h
@@ -207,11 +207,6 @@ struct SuperHCPU {
 CPUSH4State env;
 };
 
-static inline SuperHCPU *sh_env_get_cpu(CPUSH4State *env)
-{
-return container_of(env, SuperHCPU, env);
-}
-
 #define ENV_OFFSET offsetof(SuperHCPU, env)
 
 void superh_cpu_do_interrupt(CPUState *cpu);
diff --git a/linux-user/sh4/cpu_loop.c b/linux-user/sh4/cpu_loop.c
index 47e54b9b61..677c5a461c 100644
--- a/linux-user/sh4/cpu_loop.c
+++ b/linux-user/sh4/cpu_loop.c
@@ -23,7 +23,7 @@
 
 void cpu_loop(CPUSH4State *env)
 {
-CPUState *cs = CPU(sh_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 int trapnr, ret;
 target_siginfo_t info;
 
diff --git a/target/sh4/helper.c b/target/sh4/helper.c
index 2ff0cf4060..5240da715e 100644
--- a/target/sh4/helper.c
+++ b/target/sh4/helper.c
@@ -238,8 +238,6 @@ static void update_itlb_use(CPUSH4State * env, int itlbnb)
 
 static int itlb_replacement(CPUSH4State * env)
 {
-SuperHCPU *cpu = sh_env_get_cpu(env);
-
 if ((env->mmucr & 0xe000) == 0xe000) {
return 0;
 }
@@ -252,7 +250,7 @@ static int itlb_replacement(CPUSH4State * env)
 if ((env->mmucr & 0x2c00) == 0x) {
return 3;
 }
-cpu_abort(CPU(cpu), "Unhandled itlb_replacement");
+cpu_abort(env_cpu(env), "Unhandled itlb_replacement");
 }
 
 /* Find the corresponding entry in the right TLB
@@ -308,7 +306,7 @@ static int copy_utlb_entry_itlb(CPUSH4State *env, int utlb)
 itlb = itlb_replacement(env);
 ientry = >itlb[itlb];
 if (ientry->v) {
-tlb_flush_page(CPU(sh_env_get_cpu(env)), ientry->vpn << 10);
+tlb_flush_page(env_cpu(env), ientry->vpn << 10);
 }
 *ientry = env->utlb[utlb];
 update_itlb_use(env, itlb);
@@ -533,14 +531,14 @@ hwaddr superh_cpu_get_phys_page_debug(CPUState *cs, vaddr 
addr)
 
 void cpu_load_tlb(CPUSH4State * env)
 {
-SuperHCPU *cpu = sh_env_get_cpu(env);
+CPUState *cs = env_cpu(env);
 int n = cpu_mmucr_urc(env->mmucr);
 tlb_t * entry = >utlb[n];
 
 if (entry->v) {
 /* Overwriting valid entry in utlb. */
 target_ulong address = entry->vpn << 10;
-tlb_flush_page(CPU(cpu), address);
+tlb_flush_page(cs, address);
 }
 
 /* Take values into cpu status from registers. */
@@ -563,7 +561,7 @@ void cpu_load_tlb(CPUSH4State * env)
 entry->size = 1024 * 1024; /* 1M */
 break;
 default:
-cpu_abort(CPU(cpu), "Unhandled load_tlb");
+cpu_abort(cs, "Unhandled load_tlb");
 break;
 }
 entry->sh   = (uint8_t)cpu_ptel_sh(env->ptel);
@@ -590,7 +588,7 @@ void cpu_load_tlb(CPUSH4State * env)
 entry->v = 0;
 }
 
-tlb_flush(CPU(sh_env_get_cpu(s)));
+tlb_flush(env_cpu(s));
 }
 
 uint32_t cpu_sh4_read_mmaped_itlb_addr(CPUSH4State *s,
@@ -616,7 +614,7 @@ void cpu_sh4_write_mmaped_itlb_addr(CPUSH4State *s, hwaddr 
addr,
 if (entry->v) {
 /* Overwriting valid entry in itlb. */
 target_ulong address = entry->vpn << 10;
-tlb_flush_page(CPU(sh_env_get_cpu(s)), address);
+tlb_flush_page(env_cpu(s), address);
 }
 entry->asid = asid;
 entry->vpn = vpn;
@@ -658,7 +656,7 @@ void cpu_sh4_write_mmaped_itlb_data(CPUSH4State *s, hwaddr 
addr,
 if (entry->v) {
 /* Overwriting valid entry in utlb. */
 target_ulong address = entry->vpn << 10;
-tlb_flush_page(CPU(sh_env_get_cpu(s)), address);
+tlb_flush_page(env_cpu(s), address);
 }
 entry->ppn = (mem_value & 0x1c00) >> 10;
 entry->v   = (mem_value & 0x0100) >> 8;
@@ -711,7 +709,7 @@ void cpu_sh4_write_mmaped_utlb_addr(CPUSH4State *s, hwaddr 
addr,
 if (entry->vpn == vpn
 && (!use_asid || entry->asid == asid || entry->sh)) {
if (utlb_match_entry) {
-CPUState *cs = CPU(sh_env_get_cpu(s));
+CPUState *cs = env_cpu(s);
 
/* Multiple TLB Exception */
 cs->exception_index = 0x140;
@@ -743,14 +741,14 @@ void cpu_sh4_write_mmaped_utlb_addr(CPUSH4State *s, 
hwaddr addr,
}
 
 if (needs_tlb_flush) {
-tlb_flush_page(CPU(sh_env_get_cpu(s)), vpn << 10);
+tlb_flush_page(env_cpu(s), vpn << 10);
 }
 
 } else {
 int index = (addr & 0x3f00) >> 8;
 tlb_t * entry = >utlb[index];
if (entry->v) {
-CPUState *cs = CPU(sh_env_get_cpu(s));
+CPUState *cs = env_cpu(s);
 
/* Overwriting valid entry in utlb. */
 target_ulong address = 

[Qemu-devel] [PATCH for-4.1 v2 07/36] cpu: Introduce env_archcpu

[Richard Henderson]

This will foo_env_get_cpu with a generic definition.
No changes to the target specific code so far.

Signed-off-by: Richard Henderson 
---
 include/exec/cpu-all.h | 14 --
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
index 9fb3f57684..0951fd9053 100644
--- a/include/exec/cpu-all.h
+++ b/include/exec/cpu-all.h
@@ -371,6 +371,17 @@ int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr,
 
 int cpu_exec(CPUState *cpu);
 
+/**
+ * env_archcpu(env)
+ * @env: The architecture environment
+ *
+ * Return the ArchCPU associated with the environment.
+ */
+static inline ArchCPU *env_archcpu(CPUArchState *env)
+{
+return container_of(env, ArchCPU, env);
+}
+
 /**
  * env_cpu(env)
  * @env: The architecture environment
@@ -379,8 +390,7 @@ int cpu_exec(CPUState *cpu);
  */
 static inline CPUState *env_cpu(CPUArchState *env)
 {
-ArchCPU *arch_cpu = container_of(env, ArchCPU, env);
-return _cpu->parent_obj;
+return _archcpu(env)->parent_obj;
 }
 
 #endif /* CPU_ALL_H */
-- 
2.17.1

[Qemu-devel] [PATCH for-4.1 v2 35/36] tcg/aarch64: Use LDP to load tlb mask+table

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 tcg/aarch64/tcg-target.inc.c | 9 +++--
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/tcg/aarch64/tcg-target.inc.c b/tcg/aarch64/tcg-target.inc.c
index ac765137ae..979efbcfe4 100644
--- a/tcg/aarch64/tcg-target.inc.c
+++ b/tcg/aarch64/tcg-target.inc.c
@@ -1463,14 +1463,11 @@ static void tcg_out_tlb_read(TCGContext *s, TCGReg 
addr_reg, TCGMemOp opc,
  tcg_insn_unit **label_ptr, int mem_index,
  bool is_read)
 {
-int fast_ofs = TLB_MASK_TABLE_OFS(mem_index);
-int mask_ofs = fast_ofs + offsetof(CPUTLBDescFast, mask);
-int table_ofs = fast_ofs + offsetof(CPUTLBDescFast, table);
 unsigned a_bits = get_alignment_bits(opc);
 unsigned s_bits = opc & MO_SIZE;
 unsigned a_mask = (1u << a_bits) - 1;
 unsigned s_mask = (1u << s_bits) - 1;
-TCGReg mask_base = TCG_AREG0, table_base = TCG_AREG0, x3;
+TCGReg x3;
 TCGType mask_type;
 uint64_t compare_mask;
 
@@ -1478,8 +1475,8 @@ static void tcg_out_tlb_read(TCGContext *s, TCGReg 
addr_reg, TCGMemOp opc,
  ? TCG_TYPE_I64 : TCG_TYPE_I32);
 
 /* Load tlb_mask[mmu_idx] and tlb_table[mmu_idx].  */
-tcg_out_ld(s, mask_type, TCG_REG_X0, mask_base, mask_ofs);
-tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_X1, table_base, table_ofs);
+tcg_out_insn(s, 3314, LDP, TCG_REG_X0, TCG_REG_X1, TCG_AREG0,
+ TLB_MASK_TABLE_OFS(mem_index), 1, 0);
 
 /* Extract the TLB index from the address into X0.  */
 tcg_out_insn(s, 3502S, AND_LSR, mask_type == TCG_TYPE_I64,
-- 
2.17.1

[Qemu-devel] [PATCH for-4.1 v2 32/36] cpu: Move icount_decr to CPUNegativeOffsetState

[Richard Henderson]

Amusingly, we had already ignored the comment to keep this value at the
end of CPUState.  This restores the minimum negative offset from TCG_AREG0
for code generation.

For the couple of uses within qom/cpu.c, add a pointer from the CPUState
object to the IcountDecr object within CPUNegativeOffsetState.

Signed-off-by: Richard Henderson 
---
 include/exec/cpu-all.h|  1 +
 include/exec/cpu-defs.h   |  3 ++-
 include/exec/gen-icount.h | 16 ++--
 include/qom/cpu.h | 40 ++-
 accel/tcg/cpu-exec.c  | 23 +++---
 accel/tcg/tcg-all.c   |  6 ++
 accel/tcg/translate-all.c |  8 
 cpus.c|  9 +
 qom/cpu.c |  4 ++--
 9 files changed, 56 insertions(+), 54 deletions(-)

diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
index b42741f273..be975acdb2 100644
--- a/include/exec/cpu-all.h
+++ b/include/exec/cpu-all.h
@@ -380,6 +380,7 @@ int cpu_exec(CPUState *cpu);
 static inline void cpu_set_cpustate_pointers(ArchCPU *cpu)
 {
 cpu->parent_obj.env_ptr = >env;
+cpu->parent_obj.icount_decr_ptr = >neg.icount_decr;
 }
 
 /**
diff --git a/include/exec/cpu-defs.h b/include/exec/cpu-defs.h
index ad97991faf..3971910653 100644
--- a/include/exec/cpu-defs.h
+++ b/include/exec/cpu-defs.h
@@ -33,6 +33,7 @@
 #include "exec/hwaddr.h"
 #endif
 #include "exec/memattrs.h"
+#include "qom/cpu.h"
 
 #include "cpu-param.h"
 
@@ -232,7 +233,7 @@ typedef struct CPUTLB {
  * before CPUArchState, as a field named "neg".
  */
 typedef struct CPUNegativeOffsetState {
-/* Empty */
+IcountDecr icount_decr;
 } CPUNegativeOffsetState;
 
 #endif
diff --git a/include/exec/gen-icount.h b/include/exec/gen-icount.h
index 9cfa6ccce5..f7669b6841 100644
--- a/include/exec/gen-icount.h
+++ b/include/exec/gen-icount.h
@@ -5,8 +5,6 @@
 
 /* Helpers for instruction counting code generation.  */
 
-#define ENV_OFFSET   offsetof(ArchCPU, env)
-
 static TCGOp *icount_start_insn;
 
 static inline void gen_tb_start(TranslationBlock *tb)
@@ -21,7 +19,8 @@ static inline void gen_tb_start(TranslationBlock *tb)
 }
 
 tcg_gen_ld_i32(count, cpu_env,
-   -ENV_OFFSET + offsetof(CPUState, icount_decr.u32));
+   offsetof(ArchCPU, neg.icount_decr.u32) -
+   offsetof(ArchCPU, env));
 
 if (tb_cflags(tb) & CF_USE_ICOUNT) {
 imm = tcg_temp_new_i32();
@@ -39,7 +38,8 @@ static inline void gen_tb_start(TranslationBlock *tb)
 
 if (tb_cflags(tb) & CF_USE_ICOUNT) {
 tcg_gen_st16_i32(count, cpu_env,
- -ENV_OFFSET + offsetof(CPUState, 
icount_decr.u16.low));
+ offsetof(ArchCPU, neg.icount_decr.u16.low) -
+ offsetof(ArchCPU, env));
 }
 
 tcg_temp_free_i32(count);
@@ -60,14 +60,18 @@ static inline void gen_tb_end(TranslationBlock *tb, int 
num_insns)
 static inline void gen_io_start(void)
 {
 TCGv_i32 tmp = tcg_const_i32(1);
-tcg_gen_st_i32(tmp, cpu_env, -ENV_OFFSET + offsetof(CPUState, can_do_io));
+tcg_gen_st_i32(tmp, cpu_env,
+   offsetof(ArchCPU, parent_obj.can_do_io) -
+   offsetof(ArchCPU, env));
 tcg_temp_free_i32(tmp);
 }
 
 static inline void gen_io_end(void)
 {
 TCGv_i32 tmp = tcg_const_i32(0);
-tcg_gen_st_i32(tmp, cpu_env, -ENV_OFFSET + offsetof(CPUState, can_do_io));
+tcg_gen_st_i32(tmp, cpu_env,
+   offsetof(ArchCPU, parent_obj.can_do_io) -
+   offsetof(ArchCPU, env));
 tcg_temp_free_i32(tmp);
 }
 
diff --git a/include/qom/cpu.h b/include/qom/cpu.h
index 1d6099e5d4..6431b0bf8b 100644
--- a/include/qom/cpu.h
+++ b/include/qom/cpu.h
@@ -229,17 +229,25 @@ typedef struct CPUClass {
 bool gdb_stop_before_watchpoint;
 } CPUClass;
 
+/*
+ * Low 16 bits: number of cycles left, used only in icount mode.
+ * High 16 bits: Set to -1 to force TCG to stop executing linked TBs
+ * for this CPU and return to its top level loop (even in non-icount mode).
+ * This allows a single read-compare-cbranch-write sequence to test
+ * for both decrementer underflow and exceptions.
+ */
+typedef union IcountDecr {
+uint32_t u32;
+struct {
 #ifdef HOST_WORDS_BIGENDIAN
-typedef struct icount_decr_u16 {
-uint16_t high;
-uint16_t low;
-} icount_decr_u16;
+uint16_t high;
+uint16_t low;
 #else
-typedef struct icount_decr_u16 {
-uint16_t low;
-uint16_t high;
-} icount_decr_u16;
+uint16_t low;
+uint16_t high;
 #endif
+} u16;
+} IcountDecr;
 
 typedef struct CPUBreakpoint {
 vaddr pc;
@@ -311,11 +319,6 @@ struct qemu_work_item;
  * @crash_occurred: Indicates the OS reported a crash (panic) for this CPU
  * @singlestep_enabled: Flags for single-stepping.
  * @icount_extra: Instructions until next timer event.
- * @icount_decr: Low 16 bits: number of cycles left, only used in icount mode.
- * High 16 bits: Set to -1 to force TCG to stop 

[Qemu-devel] [PATCH for-4.1 v2 33/36] cpu: Move the softmmu tlb to CPUNegativeOffsetState

[Richard Henderson]

We have for some time had code within the tcg backends to
handle large positive offsets from env.  This move makes
sure that need not happen.  Indeed, we are able to assert
at build time that simple offsets suffice for all hosts.

Signed-off-by: Richard Henderson 
---
 include/exec/cpu-defs.h  | 22 +---
 tcg/aarch64/tcg-target.inc.c | 29 ++
 tcg/arm/tcg-target.inc.c | 40 
 tcg/i386/tcg-target.inc.c|  6 --
 tcg/mips/tcg-target.inc.c| 39 ---
 tcg/ppc/tcg-target.inc.c | 30 ---
 tcg/riscv/tcg-target.inc.c   | 31 +++-
 tcg/s390/tcg-target.inc.c| 11 +-
 tcg/sparc/tcg-target.inc.c   | 32 +
 9 files changed, 74 insertions(+), 166 deletions(-)

diff --git a/include/exec/cpu-defs.h b/include/exec/cpu-defs.h
index 3971910653..4cde7d611c 100644
--- a/include/exec/cpu-defs.h
+++ b/include/exec/cpu-defs.h
@@ -178,13 +178,14 @@ typedef struct CPUTLBDesc {
 
 /*
  * Data elements that are per MMU mode, accessed by the fast path.
+ * The structure is aligned to aid loading the pair with one insn.
  */
 typedef struct CPUTLBDescFast {
 /* Contains (n_entries - 1) << CPU_TLB_ENTRY_BITS */
 uintptr_t mask;
 /* The array of tlb entries itself. */
 CPUTLBEntry *table;
-} CPUTLBDescFast;
+} CPUTLBDescFast QEMU_ALIGNED(2 * sizeof(void *));
 
 /*
  * Data elements that are shared between all MMU modes.
@@ -211,28 +212,35 @@ typedef struct CPUTLBCommon {
 /*
  * The entire softmmu tlb, for all MMU modes.
  * The meaning of each of the MMU modes is defined in the target code.
+ * Since this is placed within CPUNegativeOffsetState, the smallest
+ * negative offsets are at the end of the struct.
  */
 typedef struct CPUTLB {
-CPUTLBDescFast f[NB_MMU_MODES];
-CPUTLBDesc d[NB_MMU_MODES];
 CPUTLBCommon c;
+CPUTLBDesc d[NB_MMU_MODES];
+CPUTLBDescFast f[NB_MMU_MODES];
 } CPUTLB;
 
-/* There are target-specific members named "tlb".  This is temporary.  */
-#define CPU_COMMONCPUTLB tlb_;
-#define env_tlb(ENV)  (&(ENV)->tlb_)
+#define env_tlb(ENV)  (_neg(ENV)->tlb)
+
+/* This will be used by TCG backends to compute offsets.  */
+#define TLB_MASK_TABLE_OFS(IDX) \
+((int)offsetof(ArchCPU, neg.tlb.f[IDX]) - (int)offsetof(ArchCPU, env))
 
 #else
 
-#define CPU_COMMON  /* Nothing */
+typedef struct CPUTLB { } CPUTLB;
 
 #endif  /* !CONFIG_USER_ONLY && CONFIG_TCG */
 
+#define CPU_COMMON  /* Nothing */
+
 /*
  * This structure must be placed in ArchCPU immedately
  * before CPUArchState, as a field named "neg".
  */
 typedef struct CPUNegativeOffsetState {
+CPUTLB tlb;
 IcountDecr icount_decr;
 } CPUNegativeOffsetState;
 
diff --git a/tcg/aarch64/tcg-target.inc.c b/tcg/aarch64/tcg-target.inc.c
index 5e6af10faf..ac765137ae 100644
--- a/tcg/aarch64/tcg-target.inc.c
+++ b/tcg/aarch64/tcg-target.inc.c
@@ -1451,9 +1451,9 @@ static void add_qemu_ldst_label(TCGContext *s, bool 
is_ld, TCGMemOpIdx oi,
 label->label_ptr[0] = label_ptr;
 }
 
-/* We expect to use a 24-bit unsigned offset from ENV.  */
-QEMU_BUILD_BUG_ON(offsetof(CPUArchState, tlb_.f[NB_MMU_MODES - 1].table)
-  > 0xff);
+/* We expect to use a 7-bit scaled negative offset from ENV.  */
+QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
+QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -512);
 
 /* Load and compare a TLB entry, emitting the conditional jump to the
slow path for the failure case, which will be patched later when finalizing
@@ -1463,8 +1463,9 @@ static void tcg_out_tlb_read(TCGContext *s, TCGReg 
addr_reg, TCGMemOp opc,
  tcg_insn_unit **label_ptr, int mem_index,
  bool is_read)
 {
-int mask_ofs = offsetof(CPUArchState, tlb_.f[mem_index].mask);
-int table_ofs = offsetof(CPUArchState, tlb_.f[mem_index].table);
+int fast_ofs = TLB_MASK_TABLE_OFS(mem_index);
+int mask_ofs = fast_ofs + offsetof(CPUTLBDescFast, mask);
+int table_ofs = fast_ofs + offsetof(CPUTLBDescFast, table);
 unsigned a_bits = get_alignment_bits(opc);
 unsigned s_bits = opc & MO_SIZE;
 unsigned a_mask = (1u << a_bits) - 1;
@@ -1473,24 +1474,6 @@ static void tcg_out_tlb_read(TCGContext *s, TCGReg 
addr_reg, TCGMemOp opc,
 TCGType mask_type;
 uint64_t compare_mask;
 
-if (table_ofs > 0xfff) {
-int table_hi = table_ofs & ~0xfff;
-int mask_hi = mask_ofs & ~0xfff;
-
-table_base = TCG_REG_X1;
-if (mask_hi == table_hi) {
-mask_base = table_base;
-} else if (mask_hi) {
-mask_base = TCG_REG_X0;
-tcg_out_insn(s, 3401, ADDI, TCG_TYPE_I64,
- mask_base, TCG_AREG0, mask_hi);
-}
-tcg_out_insn(s, 3401, ADDI, TCG_TYPE_I64,
- table_base, TCG_AREG0, table_hi);
-mask_ofs -= mask_hi;
-table_ofs -= 

[Qemu-devel] [PATCH for-4.1 v2 27/36] target/unicore32: Use env_cpu, env_archcpu

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 target/unicore32/cpu.h  |  5 -
 hw/unicore32/puv3.c |  2 +-
 target/unicore32/helper.c   |  8 ++--
 target/unicore32/op_helper.c|  2 +-
 target/unicore32/softmmu.c  | 11 ---
 target/unicore32/translate.c| 26 ++
 target/unicore32/ucf64_helper.c |  2 +-
 7 files changed, 11 insertions(+), 45 deletions(-)

diff --git a/target/unicore32/cpu.h b/target/unicore32/cpu.h
index 162e33257d..14c2d047fd 100644
--- a/target/unicore32/cpu.h
+++ b/target/unicore32/cpu.h
@@ -76,11 +76,6 @@ struct UniCore32CPU {
 CPUUniCore32State env;
 };
 
-static inline UniCore32CPU *uc32_env_get_cpu(CPUUniCore32State *env)
-{
-return container_of(env, UniCore32CPU, env);
-}
-
 #define ENV_OFFSET offsetof(UniCore32CPU, env)
 
 void uc32_cpu_do_interrupt(CPUState *cpu);
diff --git a/hw/unicore32/puv3.c b/hw/unicore32/puv3.c
index b42e600f74..132e6086ee 100644
--- a/hw/unicore32/puv3.c
+++ b/hw/unicore32/puv3.c
@@ -56,7 +56,7 @@ static void puv3_soc_init(CPUUniCore32State *env)
 
 /* Initialize interrupt controller */
 cpu_intc = qemu_allocate_irq(puv3_intc_cpu_handler,
- uc32_env_get_cpu(env), 0);
+ env_archcpu(env), 0);
 dev = sysbus_create_simple("puv3_intc", PUV3_INTC_BASE, cpu_intc);
 for (i = 0; i < PUV3_IRQS_NR; i++) {
 irqs[i] = qdev_get_gpio_in(dev, i);
diff --git a/target/unicore32/helper.c b/target/unicore32/helper.c
index a5ff2ddb74..19ba865482 100644
--- a/target/unicore32/helper.c
+++ b/target/unicore32/helper.c
@@ -31,8 +31,6 @@
 void helper_cp0_set(CPUUniCore32State *env, uint32_t val, uint32_t creg,
 uint32_t cop)
 {
-UniCore32CPU *cpu = uc32_env_get_cpu(env);
-
 /*
  * movc pp.nn, rn, #imm9
  *  rn: UCOP_REG_D
@@ -101,7 +99,7 @@ void helper_cp0_set(CPUUniCore32State *env, uint32_t val, 
uint32_t creg,
 case 6:
 if ((cop <= 6) && (cop >= 2)) {
 /* invalid all tlb */
-tlb_flush(CPU(cpu));
+tlb_flush(env_cpu(env));
 return;
 }
 break;
@@ -218,10 +216,8 @@ void helper_cp1_putc(target_ulong x)
 #ifdef CONFIG_USER_ONLY
 void switch_mode(CPUUniCore32State *env, int mode)
 {
-UniCore32CPU *cpu = uc32_env_get_cpu(env);
-
 if (mode != ASR_MODE_USER) {
-cpu_abort(CPU(cpu), "Tried to switch out of user mode\n");
+cpu_abort(env_cpu(env), "Tried to switch out of user mode\n");
 }
 }
 
diff --git a/target/unicore32/op_helper.c b/target/unicore32/op_helper.c
index e0a15882d3..44ff84420e 100644
--- a/target/unicore32/op_helper.c
+++ b/target/unicore32/op_helper.c
@@ -19,7 +19,7 @@
 
 void HELPER(exception)(CPUUniCore32State *env, uint32_t excp)
 {
-CPUState *cs = CPU(uc32_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 
 cs->exception_index = excp;
 cpu_loop_exit(cs);
diff --git a/target/unicore32/softmmu.c b/target/unicore32/softmmu.c
index 00c7e0d028..2f31592faf 100644
--- a/target/unicore32/softmmu.c
+++ b/target/unicore32/softmmu.c
@@ -36,8 +36,6 @@
 /* Map CPU modes onto saved register banks.  */
 static inline int bank_number(CPUUniCore32State *env, int mode)
 {
-UniCore32CPU *cpu = uc32_env_get_cpu(env);
-
 switch (mode) {
 case ASR_MODE_USER:
 case ASR_MODE_SUSR:
@@ -51,7 +49,7 @@ static inline int bank_number(CPUUniCore32State *env, int 
mode)
 case ASR_MODE_INTR:
 return 4;
 }
-cpu_abort(CPU(cpu), "Bad mode %x\n", mode);
+cpu_abort(env_cpu(env), "Bad mode %x\n", mode);
 return -1;
 }
 
@@ -126,8 +124,7 @@ static int get_phys_addr_ucv2(CPUUniCore32State *env, 
uint32_t address,
 int access_type, int is_user, uint32_t *phys_ptr, int *prot,
 target_ulong *page_size)
 {
-UniCore32CPU *cpu = uc32_env_get_cpu(env);
-CPUState *cs = CPU(cpu);
+CPUState *cs = env_cpu(env);
 int code;
 uint32_t table;
 uint32_t desc;
@@ -174,11 +171,11 @@ static int get_phys_addr_ucv2(CPUUniCore32State *env, 
uint32_t address,
 *page_size = TARGET_PAGE_SIZE;
 break;
 default:
-cpu_abort(CPU(cpu), "wrong page type!");
+cpu_abort(cs, "wrong page type!");
 }
 break;
 default:
-cpu_abort(CPU(cpu), "wrong page type!");
+cpu_abort(cs, "wrong page type!");
 }
 
 *phys_ptr = phys_addr;
diff --git a/target/unicore32/translate.c b/target/unicore32/translate.c
index 002569ff3b..2e8341d13b 100644
--- a/target/unicore32/translate.c
+++ b/target/unicore32/translate.c
@@ -179,7 +179,7 @@ static void store_reg(DisasContext *s, int reg, TCGv var)
 #define UCOP_SET_L  UCOP_SET(24)
 #define UCOP_SET_S  UCOP_SET(24)
 
-#define ILLEGAL cpu_abort(CPU(cpu), \
+#define ILLEGAL cpu_abort(env_cpu(env), \
 "Illegal UniCore32 

[Qemu-devel] [PATCH for-4.1 v2 11/36] target/hppa: Use env_cpu, env_archcpu

[Richard Henderson]

Combined uses of CPU(hppa_env_get_cpu()) were failures to use
the more proper, ENV_GET_CPU macro, now replaced by env_cpu.

Signed-off-by: Richard Henderson 
---
 target/hppa/cpu.h  |  5 -
 linux-user/hppa/cpu_loop.c |  2 +-
 target/hppa/helper.c   |  3 +--
 target/hppa/int_helper.c   |  4 ++--
 target/hppa/mem_helper.c   | 10 --
 target/hppa/op_helper.c|  8 +++-
 6 files changed, 11 insertions(+), 21 deletions(-)

diff --git a/target/hppa/cpu.h b/target/hppa/cpu.h
index 6ae73e24e4..1387066324 100644
--- a/target/hppa/cpu.h
+++ b/target/hppa/cpu.h
@@ -222,11 +222,6 @@ struct HPPACPU {
 QEMUTimer *alarm_timer;
 };
 
-static inline HPPACPU *hppa_env_get_cpu(CPUHPPAState *env)
-{
-return container_of(env, HPPACPU, env);
-}
-
 #define ENV_OFFSET  offsetof(HPPACPU, env)
 
 typedef CPUHPPAState CPUArchState;
diff --git a/linux-user/hppa/cpu_loop.c b/linux-user/hppa/cpu_loop.c
index 880955fdef..9915456a1d 100644
--- a/linux-user/hppa/cpu_loop.c
+++ b/linux-user/hppa/cpu_loop.c
@@ -105,7 +105,7 @@ static abi_ulong hppa_lws(CPUHPPAState *env)
 
 void cpu_loop(CPUHPPAState *env)
 {
-CPUState *cs = CPU(hppa_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 target_siginfo_t info;
 abi_ulong ret;
 int trapnr;
diff --git a/target/hppa/helper.c b/target/hppa/helper.c
index ac750b62ef..eb5047037e 100644
--- a/target/hppa/helper.c
+++ b/target/hppa/helper.c
@@ -70,8 +70,7 @@ void cpu_hppa_put_psw(CPUHPPAState *env, target_ureg psw)
 /* If PSW_P changes, it affects how we translate addresses.  */
 if ((psw ^ old_psw) & PSW_P) {
 #ifndef CONFIG_USER_ONLY
-CPUState *src = CPU(hppa_env_get_cpu(env));
-tlb_flush_by_mmuidx(src, 0xf);
+tlb_flush_by_mmuidx(env_cpu(env), 0xf);
 #endif
 }
 }
diff --git a/target/hppa/int_helper.c b/target/hppa/int_helper.c
index 8d5edd3a20..89241c31e7 100644
--- a/target/hppa/int_helper.c
+++ b/target/hppa/int_helper.c
@@ -77,7 +77,7 @@ void HELPER(write_eirr)(CPUHPPAState *env, target_ureg val)
 {
 env->cr[CR_EIRR] &= ~val;
 qemu_mutex_lock_iothread();
-eval_interrupt(hppa_env_get_cpu(env));
+eval_interrupt(env_archcpu(env));
 qemu_mutex_unlock_iothread();
 }
 
@@ -85,7 +85,7 @@ void HELPER(write_eiem)(CPUHPPAState *env, target_ureg val)
 {
 env->cr[CR_EIEM] = val;
 qemu_mutex_lock_iothread();
-eval_interrupt(hppa_env_get_cpu(env));
+eval_interrupt(env_archcpu(env));
 qemu_mutex_unlock_iothread();
 }
 #endif /* !CONFIG_USER_ONLY */
diff --git a/target/hppa/mem_helper.c b/target/hppa/mem_helper.c
index c9b57d07c3..77d5cb6c42 100644
--- a/target/hppa/mem_helper.c
+++ b/target/hppa/mem_helper.c
@@ -55,7 +55,7 @@ static hppa_tlb_entry *hppa_find_tlb(CPUHPPAState *env, vaddr 
addr)
 
 static void hppa_flush_tlb_ent(CPUHPPAState *env, hppa_tlb_entry *ent)
 {
-CPUState *cs = CPU(hppa_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 unsigned i, n = 1 << (2 * ent->page_size);
 uint64_t addr = ent->va_b;
 
@@ -324,7 +324,7 @@ static void ptlb_work(CPUState *cpu, run_on_cpu_data data)
 
 void HELPER(ptlb)(CPUHPPAState *env, target_ulong addr)
 {
-CPUState *src = CPU(hppa_env_get_cpu(env));
+CPUState *src = env_cpu(env);
 CPUState *cpu;
 trace_hppa_tlb_ptlb(env);
 run_on_cpu_data data = RUN_ON_CPU_TARGET_PTR(addr);
@@ -341,17 +341,15 @@ void HELPER(ptlb)(CPUHPPAState *env, target_ulong addr)
number of pages/entries (we choose all), and is local to the cpu.  */
 void HELPER(ptlbe)(CPUHPPAState *env)
 {
-CPUState *src = CPU(hppa_env_get_cpu(env));
 trace_hppa_tlb_ptlbe(env);
 memset(env->tlb, 0, sizeof(env->tlb));
-tlb_flush_by_mmuidx(src, 0xf);
+tlb_flush_by_mmuidx(env_cpu(env), 0xf);
 }
 
 void cpu_hppa_change_prot_id(CPUHPPAState *env)
 {
 if (env->psw & PSW_P) {
-CPUState *src = CPU(hppa_env_get_cpu(env));
-tlb_flush_by_mmuidx(src, 0xf);
+tlb_flush_by_mmuidx(env_cpu(env), 0xf);
 }
 }
 
diff --git a/target/hppa/op_helper.c b/target/hppa/op_helper.c
index 952e97a7d7..04d23c1b22 100644
--- a/target/hppa/op_helper.c
+++ b/target/hppa/op_helper.c
@@ -29,8 +29,7 @@
 
 void QEMU_NORETURN HELPER(excp)(CPUHPPAState *env, int excp)
 {
-HPPACPU *cpu = hppa_env_get_cpu(env);
-CPUState *cs = CPU(cpu);
+CPUState *cs = env_cpu(env);
 
 cs->exception_index = excp;
 cpu_loop_exit(cs);
@@ -38,8 +37,7 @@ void QEMU_NORETURN HELPER(excp)(CPUHPPAState *env, int excp)
 
 void QEMU_NORETURN hppa_dynamic_excp(CPUHPPAState *env, int excp, uintptr_t ra)
 {
-HPPACPU *cpu = hppa_env_get_cpu(env);
-CPUState *cs = CPU(cpu);
+CPUState *cs = env_cpu(env);
 
 cs->exception_index = excp;
 cpu_loop_exit_restore(cs, ra);
@@ -630,7 +628,7 @@ target_ureg HELPER(read_interval_timer)(void)
 #ifndef CONFIG_USER_ONLY
 void HELPER(write_interval_timer)(CPUHPPAState *env, target_ureg val)
 {
-HPPACPU *cpu = hppa_env_get_cpu(env);
+HPPACPU *cpu = env_archcpu(env);
 uint64_t 

[Qemu-devel] [PATCH for-4.1 v2 34/36] cpu: Remove CPU_COMMON

[Richard Henderson]

This macro is now always empty, so remove it.  This leaves the
entire contents of CPUArchState under the control of the guest
architecture.

Signed-off-by: Richard Henderson 
---
 include/exec/cpu-defs.h | 2 --
 target/alpha/cpu.h  | 3 ---
 target/arm/cpu.h| 4 +---
 target/cris/cpu.h   | 2 --
 target/hppa/cpu.h   | 3 ---
 target/i386/cpu.h   | 4 +---
 target/lm32/cpu.h   | 2 --
 target/m68k/cpu.h   | 2 --
 target/microblaze/cpu.h | 2 --
 target/mips/cpu.h   | 2 --
 target/moxie/cpu.h  | 3 ---
 target/nios2/cpu.h  | 2 --
 target/openrisc/cpu.h   | 2 --
 target/ppc/cpu.h| 2 --
 target/riscv/cpu.h  | 4 
 target/s390x/cpu.h  | 2 --
 target/sh4/cpu.h| 2 --
 target/sparc/cpu.h  | 2 --
 target/tilegx/cpu.h | 2 --
 target/tricore/cpu.h| 2 --
 target/unicore32/cpu.h  | 2 --
 target/xtensa/cpu.h | 2 --
 22 files changed, 2 insertions(+), 51 deletions(-)

diff --git a/include/exec/cpu-defs.h b/include/exec/cpu-defs.h
index 4cde7d611c..1f75a97701 100644
--- a/include/exec/cpu-defs.h
+++ b/include/exec/cpu-defs.h
@@ -233,8 +233,6 @@ typedef struct CPUTLB { } CPUTLB;
 
 #endif  /* !CONFIG_USER_ONLY && CONFIG_TCG */
 
-#define CPU_COMMON  /* Nothing */
-
 /*
  * This structure must be placed in ArchCPU immedately
  * before CPUArchState, as a field named "neg".
diff --git a/target/alpha/cpu.h b/target/alpha/cpu.h
index c63fa929f6..3b2751a45c 100644
--- a/target/alpha/cpu.h
+++ b/target/alpha/cpu.h
@@ -246,9 +246,6 @@ struct CPUAlphaState {
 /* This alarm doesn't exist in real hardware; we wish it did.  */
 uint64_t alarm_expire;
 
-/* Those resources are used only in QEMU core */
-CPU_COMMON
-
 int error_code;
 
 uint32_t features;
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index cae0f509fc..d7a444a5ff 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -635,9 +635,7 @@ typedef struct CPUARMState {
 /* Fields up to this point are cleared by a CPU reset */
 struct {} end_reset_fields;
 
-CPU_COMMON
-
-/* Fields after CPU_COMMON are preserved across CPU reset. */
+/* Fields after this point are preserved across CPU reset. */
 
 /* Internal CPU feature flags.  */
 uint64_t features;
diff --git a/target/cris/cpu.h b/target/cris/cpu.h
index 9191553cd7..d63d5c29f6 100644
--- a/target/cris/cpu.h
+++ b/target/cris/cpu.h
@@ -163,8 +163,6 @@ typedef struct CPUCRISState {
 /* Fields up to this point are cleared by a CPU reset */
 struct {} end_reset_fields;
 
-CPU_COMMON
-
 /* Members from load_info on are preserved across resets.  */
 void *load_info;
 } CPUCRISState;
diff --git a/target/hppa/cpu.h b/target/hppa/cpu.h
index 21395c115c..93e64414a0 100644
--- a/target/hppa/cpu.h
+++ b/target/hppa/cpu.h
@@ -197,9 +197,6 @@ struct CPUHPPAState {
 target_ureg cr_back[2];  /* back of cr17/cr18 */
 target_ureg shadow[7];   /* shadow registers */
 
-/* Those resources are used only in QEMU core */
-CPU_COMMON
-
 /* ??? The number of entries isn't specified by the architecture.  */
 /* ??? Implement a unified itlb/dtlb for the moment.  */
 /* ??? We should use a more intelligent data structure.  */
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 239f907f76..8e167dc2a8 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1286,9 +1286,7 @@ typedef struct CPUX86State {
 /* Fields up to this point are cleared by a CPU reset */
 struct {} end_reset_fields;
 
-CPU_COMMON
-
-/* Fields after CPU_COMMON are preserved across CPU reset. */
+/* Fields after this point are preserved across CPU reset. */
 
 /* processor features (e.g. for CPUID insn) */
 /* Minimum level/xlevel/xlevel2, based on CPU model + features */
diff --git a/target/lm32/cpu.h b/target/lm32/cpu.h
index ff5c6893bc..473809257b 100644
--- a/target/lm32/cpu.h
+++ b/target/lm32/cpu.h
@@ -159,8 +159,6 @@ struct CPULM32State {
 /* Fields up to this point are cleared by a CPU reset */
 struct {} end_reset_fields;
 
-CPU_COMMON
-
 /* Fields from here on are preserved across CPU reset. */
 uint32_t eba;   /* exception base address */
 uint32_t deba;  /* debug exception base address */
diff --git a/target/m68k/cpu.h b/target/m68k/cpu.h
index 087e73f9e2..3efd038df9 100644
--- a/target/m68k/cpu.h
+++ b/target/m68k/cpu.h
@@ -143,8 +143,6 @@ typedef struct CPUM68KState {
 /* Fields up to this point are cleared by a CPU reset */
 struct {} end_reset_fields;
 
-CPU_COMMON
-
 /* Fields from here on are preserved across CPU reset. */
 uint32_t features;
 } CPUM68KState;
diff --git a/target/microblaze/cpu.h b/target/microblaze/cpu.h
index 618fc8ff1f..aa84480913 100644
--- a/target/microblaze/cpu.h
+++ b/target/microblaze/cpu.h
@@ -266,8 +266,6 @@ struct CPUMBState {
 /* Fields up to this point are cleared by a CPU reset */
 struct {} end_reset_fields;
 
-CPU_COMMON
-
 /* These 

[Qemu-devel] [PATCH for-4.1 v2 30/36] cpu: Introduce cpu_set_cpustate_pointers

[Richard Henderson]

Consolidate some boilerplate from foo_cpu_initfn.

Signed-off-by: Richard Henderson 
---
 include/exec/cpu-all.h  | 12 +++-
 target/alpha/cpu.c  |  3 +--
 target/arm/cpu.c|  3 +--
 target/cris/cpu.c   |  3 +--
 target/hppa/cpu.c   |  2 +-
 target/i386/cpu.c   |  3 +--
 target/lm32/cpu.c   |  3 +--
 target/m68k/cpu.c   |  4 +---
 target/microblaze/cpu.c |  3 +--
 target/mips/cpu.c   |  3 +--
 target/moxie/cpu.c  |  3 +--
 target/nios2/cpu.c  |  6 ++
 target/openrisc/cpu.c   |  3 +--
 target/ppc/translate_init.inc.c |  3 +--
 target/riscv/cpu.c  |  3 +--
 target/s390x/cpu.c  |  9 +
 target/sh4/cpu.c|  3 +--
 target/sparc/cpu.c  |  3 +--
 target/tilegx/cpu.c |  4 +---
 target/tricore/cpu.c|  4 +---
 target/unicore32/cpu.c  |  3 +--
 target/xtensa/cpu.c |  3 +--
 22 files changed, 37 insertions(+), 49 deletions(-)

diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
index 0951fd9053..1ed7d1e005 100644
--- a/include/exec/cpu-all.h
+++ b/include/exec/cpu-all.h
@@ -371,6 +371,17 @@ int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr,
 
 int cpu_exec(CPUState *cpu);
 
+/**
+ * cpu_set_cpustate_pointers(cpu)
+ * @cpu: The cpu object
+ *
+ * Set the generic pointers in CPUState into the outer object.
+ */
+static inline void cpu_set_cpustate_pointers(ArchCPU *cpu)
+{
+cpu->parent_obj.env_ptr = >env;
+}
+
 /**
  * env_archcpu(env)
  * @env: The architecture environment
@@ -392,5 +403,4 @@ static inline CPUState *env_cpu(CPUArchState *env)
 {
 return _archcpu(env)->parent_obj;
 }
-
 #endif /* CPU_ALL_H */
diff --git a/target/alpha/cpu.c b/target/alpha/cpu.c
index 1fd95d6c0f..82a37e0371 100644
--- a/target/alpha/cpu.c
+++ b/target/alpha/cpu.c
@@ -196,11 +196,10 @@ static void ev67_cpu_initfn(Object *obj)
 
 static void alpha_cpu_initfn(Object *obj)
 {
-CPUState *cs = CPU(obj);
 AlphaCPU *cpu = ALPHA_CPU(obj);
 CPUAlphaState *env = >env;
 
-cs->env_ptr = env;
+cpu_set_cpustate_pointers(cpu);
 
 env->lock_addr = -1;
 #if defined(CONFIG_USER_ONLY)
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index 4155782197..4138fa8112 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -694,10 +694,9 @@ static void cpreg_hashtable_data_destroy(gpointer data)
 
 static void arm_cpu_initfn(Object *obj)
 {
-CPUState *cs = CPU(obj);
 ARMCPU *cpu = ARM_CPU(obj);
 
-cs->env_ptr = >env;
+cpu_set_cpustate_pointers(cpu);
 cpu->cp_regs = g_hash_table_new_full(g_int_hash, g_int_equal,
  g_free, cpreg_hashtable_data_destroy);
 
diff --git a/target/cris/cpu.c b/target/cris/cpu.c
index a23aba2688..15717712eb 100644
--- a/target/cris/cpu.c
+++ b/target/cris/cpu.c
@@ -176,12 +176,11 @@ static void cris_disas_set_info(CPUState *cpu, 
disassemble_info *info)
 
 static void cris_cpu_initfn(Object *obj)
 {
-CPUState *cs = CPU(obj);
 CRISCPU *cpu = CRIS_CPU(obj);
 CRISCPUClass *ccc = CRIS_CPU_GET_CLASS(obj);
 CPUCRISState *env = >env;
 
-cs->env_ptr = env;
+cpu_set_cpustate_pointers(cpu);
 
 env->pregs[PR_VR] = ccc->vr;
 
diff --git a/target/hppa/cpu.c b/target/hppa/cpu.c
index 00bf444620..544b4e2e4c 100644
--- a/target/hppa/cpu.c
+++ b/target/hppa/cpu.c
@@ -138,7 +138,7 @@ static void hppa_cpu_initfn(Object *obj)
 HPPACPU *cpu = HPPA_CPU(obj);
 CPUHPPAState *env = >env;
 
-cs->env_ptr = env;
+cpu_set_cpustate_pointers(cpu);
 cs->exception_index = -1;
 cpu_hppa_loaded_fr0(env);
 cpu_hppa_put_psw(env, PSW_W);
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index cdec1db05e..35824c8f8d 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -5539,13 +5539,12 @@ static void x86_cpu_get_crash_info_qom(Object *obj, 
Visitor *v,
 
 static void x86_cpu_initfn(Object *obj)
 {
-CPUState *cs = CPU(obj);
 X86CPU *cpu = X86_CPU(obj);
 X86CPUClass *xcc = X86_CPU_GET_CLASS(obj);
 CPUX86State *env = >env;
 FeatureWord w;
 
-cs->env_ptr = env;
+cpu_set_cpustate_pointers(cpu);
 
 object_property_add(obj, "family", "int",
 x86_cpuid_version_get_family,
diff --git a/target/lm32/cpu.c b/target/lm32/cpu.c
index b7499cb627..b5c213183c 100644
--- a/target/lm32/cpu.c
+++ b/target/lm32/cpu.c
@@ -146,11 +146,10 @@ static void lm32_cpu_realizefn(DeviceState *dev, Error 
**errp)
 
 static void lm32_cpu_initfn(Object *obj)
 {
-CPUState *cs = CPU(obj);
 LM32CPU *cpu = LM32_CPU(obj);
 CPULM32State *env = >env;
 
-cs->env_ptr = env;
+cpu_set_cpustate_pointers(cpu);
 
 env->flags = 0;
 }
diff --git a/target/m68k/cpu.c b/target/m68k/cpu.c
index 582e3a73b3..930e1be59f 100644
--- a/target/m68k/cpu.c
+++ b/target/m68k/cpu.c
@@ -238,11 +238,9 @@ static void 

[Qemu-devel] [PATCH for-4.1 v2 08/36] target/alpha: Use env_cpu, env_archcpu

[Richard Henderson]

With exactly one exception, most uses of alpha_env_get_cpu
were failures to use the more proper, ENV_GET_CPU macro,
now replaced by env_cpu.

Signed-off-by: Richard Henderson 
---
 target/alpha/cpu.h  | 5 -
 linux-user/alpha/cpu_loop.c | 2 +-
 target/alpha/helper.c   | 8 +++-
 target/alpha/sys_helper.c   | 8 
 4 files changed, 8 insertions(+), 15 deletions(-)

diff --git a/target/alpha/cpu.h b/target/alpha/cpu.h
index 788edd5cb3..e22518871a 100644
--- a/target/alpha/cpu.h
+++ b/target/alpha/cpu.h
@@ -273,11 +273,6 @@ struct AlphaCPU {
 QEMUTimer *alarm_timer;
 };
 
-static inline AlphaCPU *alpha_env_get_cpu(CPUAlphaState *env)
-{
-return container_of(env, AlphaCPU, env);
-}
-
 #define ENV_OFFSET offsetof(AlphaCPU, env)
 
 #ifndef CONFIG_USER_ONLY
diff --git a/linux-user/alpha/cpu_loop.c b/linux-user/alpha/cpu_loop.c
index 824b6d6658..2acdefde03 100644
--- a/linux-user/alpha/cpu_loop.c
+++ b/linux-user/alpha/cpu_loop.c
@@ -23,7 +23,7 @@
 
 void cpu_loop(CPUAlphaState *env)
 {
-CPUState *cs = CPU(alpha_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 int trapnr;
 target_siginfo_t info;
 abi_long sysret;
diff --git a/target/alpha/helper.c b/target/alpha/helper.c
index 57e2c212b3..4769d44fd9 100644
--- a/target/alpha/helper.c
+++ b/target/alpha/helper.c
@@ -118,7 +118,7 @@ static int get_physical_address(CPUAlphaState *env, 
target_ulong addr,
 int prot_need, int mmu_idx,
 target_ulong *pphys, int *pprot)
 {
-CPUState *cs = CPU(alpha_env_get_cpu(env));
+CPUState *cs = env_cpu(env);
 target_long saddr = addr;
 target_ulong phys = 0;
 target_ulong L1pte, L2pte, L3pte;
@@ -463,8 +463,7 @@ void alpha_cpu_dump_state(CPUState *cs, FILE *f, 
fprintf_function cpu_fprintf,
We expect that ENV->PC has already been updated.  */
 void QEMU_NORETURN helper_excp(CPUAlphaState *env, int excp, int error)
 {
-AlphaCPU *cpu = alpha_env_get_cpu(env);
-CPUState *cs = CPU(cpu);
+CPUState *cs = env_cpu(env);
 
 cs->exception_index = excp;
 env->error_code = error;
@@ -475,8 +474,7 @@ void QEMU_NORETURN helper_excp(CPUAlphaState *env, int 
excp, int error)
 void QEMU_NORETURN dynamic_excp(CPUAlphaState *env, uintptr_t retaddr,
 int excp, int error)
 {
-AlphaCPU *cpu = alpha_env_get_cpu(env);
-CPUState *cs = CPU(cpu);
+CPUState *cs = env_cpu(env);
 
 cs->exception_index = excp;
 env->error_code = error;
diff --git a/target/alpha/sys_helper.c b/target/alpha/sys_helper.c
index ac22323191..f9c34b1144 100644
--- a/target/alpha/sys_helper.c
+++ b/target/alpha/sys_helper.c
@@ -44,17 +44,17 @@ uint64_t helper_load_pcc(CPUAlphaState *env)
 #ifndef CONFIG_USER_ONLY
 void helper_tbia(CPUAlphaState *env)
 {
-tlb_flush(CPU(alpha_env_get_cpu(env)));
+tlb_flush(env_cpu(env));
 }
 
 void helper_tbis(CPUAlphaState *env, uint64_t p)
 {
-tlb_flush_page(CPU(alpha_env_get_cpu(env)), p);
+tlb_flush_page(env_cpu(env), p);
 }
 
 void helper_tb_flush(CPUAlphaState *env)
 {
-tb_flush(CPU(alpha_env_get_cpu(env)));
+tb_flush(env_cpu(env));
 }
 
 void helper_halt(uint64_t restart)
@@ -78,7 +78,7 @@ uint64_t helper_get_walltime(void)
 
 void helper_set_alarm(CPUAlphaState *env, uint64_t expire)
 {
-AlphaCPU *cpu = alpha_env_get_cpu(env);
+AlphaCPU *cpu = env_archcpu(env);
 
 if (expire) {
 env->alarm_expire = expire;
-- 
2.17.1

Re: [Qemu-devel] [PATCH for-4.1] hw/ssi/xilinx_spips: Avoid variable length array

[Francisco Iglesias]

On [2019 Mar 28] Thu 15:26:35, Peter Maydell wrote:
> In the stripe8() function we use a variable length array; however
> we know that the maximum length required is MAX_NUM_BUSSES. Use
> a fixed-length array and an assert instead.
> 
> Signed-off-by: Peter Maydell 

Reviewed-by: Francisco Iglesias 

> ---
>  hw/ssi/xilinx_spips.c | 6 --
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
> index 16f88f74029..c615058cc1b 100644
> --- a/hw/ssi/xilinx_spips.c
> +++ b/hw/ssi/xilinx_spips.c
> @@ -429,12 +429,14 @@ static void xlnx_zynqmp_qspips_reset(DeviceState *d)
>  
>  static inline void stripe8(uint8_t *x, int num, bool dir)
>  {
> -uint8_t r[num];
> -memset(r, 0, sizeof(uint8_t) * num);
> +uint8_t r[MAX_NUM_BUSSES];
>  int idx[2] = {0, 0};
>  int bit[2] = {0, 7};
>  int d = dir;
>  
> +assert(num <= MAX_NUM_BUSSES);
> +memset(r, 0, sizeof(uint8_t) * num);
> +
>  for (idx[0] = 0; idx[0] < num; ++idx[0]) {
>  for (bit[0] = 7; bit[0] >= 0; bit[0]--) {
>  r[idx[!d]] |= x[idx[d]] & 1 << bit[d] ? 1 << bit[!d] : 0;
> -- 
> 2.20.1
> 
> 

[Qemu-devel] [PATCH for-4.1 v2 36/36] tcg/arm: Use LDRD to load tlb mask+table

[Richard Henderson]

Signed-off-by: Richard Henderson 
---
 tcg/arm/tcg-target.inc.c | 109 +++
 1 file changed, 52 insertions(+), 57 deletions(-)

diff --git a/tcg/arm/tcg-target.inc.c b/tcg/arm/tcg-target.inc.c
index 4a8c12e9a4..7601eff16e 100644
--- a/tcg/arm/tcg-target.inc.c
+++ b/tcg/arm/tcg-target.inc.c
@@ -278,6 +278,7 @@ static const char *target_parse_constraint(TCGArgConstraint 
*ct,
 tcg_regset_reset_reg(ct->u.regs, TCG_REG_R0);
 tcg_regset_reset_reg(ct->u.regs, TCG_REG_R1);
 tcg_regset_reset_reg(ct->u.regs, TCG_REG_R2);
+tcg_regset_reset_reg(ct->u.regs, TCG_REG_R3);
 tcg_regset_reset_reg(ct->u.regs, TCG_REG_R14);
 #endif
 break;
@@ -1253,75 +1254,69 @@ static TCGReg tcg_out_tlb_read(TCGContext *s, TCGReg 
addrlo, TCGReg addrhi,
 unsigned s_bits = opc & MO_SIZE;
 unsigned a_bits = get_alignment_bits(opc);
 
-/* Load tlb_mask[mmu_idx] and tlb_table[mmu_idx].  */
-tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_TMP, TCG_AREG0, mask_off);
-tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_R2, TCG_AREG0, table_off);
-
-/* Extract the tlb index from the address into TMP.  */
-tcg_out_dat_reg(s, COND_AL, ARITH_AND, TCG_REG_TMP, TCG_REG_TMP, addrlo,
-SHIFT_IMM_LSR(TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS));
-
 /*
- * Add the tlb_table pointer, creating the CPUTLBEntry address in R2.
- * Load the tlb comparator into R0/R1 and the fast path addend into R2.
+ * We don't support inline unaligned acceses, but we can easily
+ * support overalignment checks.
  */
-if (cmp_off == 0) {
-   if (use_armv6_instructions && TARGET_LONG_BITS == 64) {
-tcg_out_ldrd_rwb(s, COND_AL, TCG_REG_R0, TCG_REG_R2, TCG_REG_TMP);
-} else {
-tcg_out_ld32_rwb(s, COND_AL, TCG_REG_R0, TCG_REG_R2, TCG_REG_TMP);
-}
-} else {
-tcg_out_dat_reg(s, COND_AL, ARITH_ADD,
-   TCG_REG_R2, TCG_REG_R2, TCG_REG_TMP, 0);
-if (use_armv6_instructions && TARGET_LONG_BITS == 64) {
-tcg_out_ldrd_8(s, COND_AL, TCG_REG_R0, TCG_REG_R2, cmp_off);
-} else {
-tcg_out_ld32_12(s, COND_AL, TCG_REG_R0, TCG_REG_R2, cmp_off);
-   }
-}
-if (!use_armv6_instructions && TARGET_LONG_BITS == 64) {
-tcg_out_ld32_12(s, COND_AL, TCG_REG_R1, TCG_REG_R2, cmp_off + 4);
-}
-
-/* Load the tlb addend.  */
-tcg_out_ld32_12(s, COND_AL, TCG_REG_R2, TCG_REG_R2,
-offsetof(CPUTLBEntry, addend));
-
-/* Check alignment.  We don't support inline unaligned acceses,
-   but we can easily support overalignment checks.  */
 if (a_bits < s_bits) {
 a_bits = s_bits;
 }
 
-if (use_armv7_instructions) {
-tcg_target_ulong mask = ~(TARGET_PAGE_MASK | ((1 << a_bits) - 1));
-int rot = encode_imm(mask);
-
-if (rot >= 0) { 
-tcg_out_dat_imm(s, COND_AL, ARITH_BIC, TCG_REG_TMP, addrlo,
-rotl(mask, rot) | (rot << 7));
-} else {
-tcg_out_movi32(s, COND_AL, TCG_REG_TMP, mask);
-tcg_out_dat_reg(s, COND_AL, ARITH_BIC, TCG_REG_TMP,
-addrlo, TCG_REG_TMP, 0);
-}
-tcg_out_dat_reg(s, COND_AL, ARITH_CMP, 0, TCG_REG_R0, TCG_REG_TMP, 0);
+/* Load tlb_mask[mmu_idx] and tlb_table[mmu_idx].  */
+if (use_armv6_instructions) {
+tcg_out_ldrd_8(s, COND_AL, TCG_REG_R0, TCG_AREG0, fast_off);
 } else {
-if (a_bits) {
-tcg_out_dat_imm(s, COND_AL, ARITH_TST, 0, addrlo,
-(1 << a_bits) - 1);
-}
-tcg_out_dat_reg(s, (a_bits ? COND_EQ : COND_AL), ARITH_CMP,
-0, TCG_REG_R0, TCG_REG_TMP,
-SHIFT_IMM_LSL(TARGET_PAGE_BITS));
+tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_R0, TCG_AREG0, mask_off);
+tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_R1, TCG_AREG0, table_off);
 }
 
+/* Extract the tlb index from the address into R0.  */
+tcg_out_dat_reg(s, COND_AL, ARITH_AND, TCG_REG_R0, TCG_REG_R0, addrlo,
+SHIFT_IMM_LSR(TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS));
+
+/*
+ * Add the tlb_table pointer, creating the CPUTLBEntry address in R1.
+ * Load the tlb comparator into R2/R3 and the fast path addend into R1.
+ */
+if (cmp_off == 0) {
+if (use_armv6_instructions && TARGET_LONG_BITS == 64) {
+tcg_out_ldrd_rwb(s, COND_AL, TCG_REG_R2, TCG_REG_R1, TCG_REG_R0);
+} else {
+tcg_out_ld32_rwb(s, COND_AL, TCG_REG_R2, TCG_REG_R1, TCG_REG_R0);
+}
+} else {
+tcg_out_dat_reg(s, COND_AL, ARITH_ADD,
+TCG_REG_R1, TCG_REG_R1, TCG_REG_R0, 0);
+if (use_armv6_instructions && TARGET_LONG_BITS == 64) {
+tcg_out_ldrd_8(s, COND_AL, TCG_REG_R2, TCG_REG_R1, cmp_off);
+} else {
+tcg_out_ld32_12(s, COND_AL, TCG_REG_R2, TCG_REG_R1, 

Re: [Qemu-devel] Issues around TYPE_INTERFACE

[Philippe Mathieu-Daudé]

Le lun. 18 mars 2019 14:04, Markus Armbruster  a écrit :

> Daniel P. Berrangé  writes:
>
> > On Mon, Mar 18, 2019 at 11:59:43AM +, Peter Maydell wrote:
> >> On Mon, 18 Mar 2019 at 11:54, Daniel P. Berrangé 
> wrote:
> >> > > TYPE_ACPI_DEVICE_IF
> >> > > TYPE_ARM_LINUX_BOOT_IF
> >> > > TYPE_TEST_IF
> >> > > TYPE_TPM_IF
> >> > >
> >> > > TYPE_IDAU_INTERFACE
> >> > > TYPE_IPMI_INTERFACE
> >> > > TYPE_PNV_XSCOM_INTERFACE
> >> >
> >> > I'm not so bothered by these, though they are pointless unless
> >> > perhaps it is to avoid clash with a similarly named object
> >> > type
> >>
> >> For the ones of these that I'm responsible for, I was
> >> partly following an existing example, but I find it useful
> >> as a user of the APIs that it's clear that I'm dealing
> >> with an interface and not an object.
>
> Me too.
>

+2


> >>  For instance if I
> >> see a PROP_LINK that wants a TYPE_IDAU_INTERFACE I know
> >> I need to implement an interface on some suitable object,
> >> whereas if it were a TYPE_IDAU I'd be expecting to need
> >> to create (or write a subclass of) a concrete object.
> >> So I'd prefer us to settle on a convention that does
> >> explicitly mark the interface-ness in the type name.
> >
> > If we do want such a naming convention, then I think we'd want to have
> > checkpatch enforce it. eg in the .c file validate the TypeInfo struct:
> >
> > static const TypeInfo acpi_dev_if_info = {
> > .name  = TYPE_ACPI_DEVICE_IF,
> > .parent= TYPE_INTERFACE,
> > .class_size = sizeof(AcpiDeviceIfClass),
> > };
> >
> > If '.parent'  is a TYPE_INTERFACE, or another type ending in _IF, then
> > enforce the .name also ends in _IF  (or whatever name convention we
> > pick)
>

What about abstract objects?


> Very nice to have.
>
> In case teaching it to checkpatch turns out to be too onerous: perhaps
> certain things would be easier to check in a program that looks at
> sources rather than patches.  Other projects have that as "make
> syntax-check".
>

make cocci-check?

>

Re: [Qemu-devel] "qemu-img: File contains external, encrypted or compressed clusters."

[Eric Blake]

On 3/28/19 7:30 AM, Eric Blake wrote:
> On 3/28/19 5:59 AM, Richard W.M. Jones wrote:
>> This error message is confusing and looks wrong to me:
> 
> Confusing, but intentional design decision at the time (that said, I
> would also welcome an improvement).
> 
>>
>> $ ./nbdkit -U - data data="1" size=1M --run 'qemu-img map $nbd'
>> Offset  Length  Mapped to   File
>> qemu-img: File contains external, encrypted or compressed clusters.
> 
> It's due to the fact that the human output WANTS to fill in the "mapped
> to" column, but can't, because there is no "File" that you can open and
> read from the "Mapped to" offset of that file to see the same thing as
> the guest would see at "Offset".
> 
> Perhaps if we tweaked the output to just say:
> 
> $ qemu-img map file
> Offset  Length  Mapped to   File
> 0   0x1000  N/A
> (try again with --output=json for full details)
> $
> 

That's still a worthwhile idea for 4.1 for compressed/encrypted images.
But for NBD, I can do one better; I'll post a patch for 4.0 that makes
nbd behave more like file-posix - in short, the protocol level should be
returning BDRV_BLOCK_OFFSET_VALID in addition to everything else it
learns from the server, improving the output to:

Offset  Length  Mapped to   File
0   0x1ff   0   nbd://localhost:10809

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3226
Virtualization:  qemu.org | libvirt.org



signature.asc
Description: OpenPGP digital signature

Re: [Qemu-devel] [PATCH v2 for-4.1] hw/arm/raspi: Diagnose requests for too much RAM

[Wainer dos Santos Moschetta]

On 03/28/2019 12:29 PM, Peter Maydell wrote:

The Raspberry Pi boards have a physical memory map which does
not allow for more than 1GB of RAM. Currently if the user tries
to ask for more then we fail in a confusing way:

$ qemu-system-aarch64 --machine raspi3 -m 8G
Unexpected error in visit_type_uintN() at qapi/qapi-visit-core.c:164:
qemu-system-aarch64: Parameter 'vcram-base' expects uint32_t
Aborted (core dumped)

Catch this earlier and diagnose it with a more friendly message:
$ qemu-system-aarch64 --machine raspi3 -m 8G
qemu-system-aarch64: Requested ram size is too large for this machine: maximum 
is 1GB

Fixes: https://bugs.launchpad.net/qemu/+bug/1794187
Signed-off-by: Peter Maydell 
---
Changes v1->v2: use '>', not '>='...

  hw/arm/raspi.c | 7 +++
  1 file changed, 7 insertions(+)

diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
index 66899c28dc1..fe2bb511b98 100644
--- a/hw/arm/raspi.c
+++ b/hw/arm/raspi.c
@@ -12,6 +12,7 @@
   */
  
  #include "qemu/osdep.h"

+#include "qemu/units.h"
  #include "qapi/error.h"
  #include "qemu-common.h"
  #include "cpu.h"
@@ -175,6 +176,12 @@ static void raspi_init(MachineState *machine, int version)
  BusState *bus;
  DeviceState *carddev;
  
+if (machine->ram_size > 1 * GiB) {

+error_report("Requested ram size is too large for this machine: "
+ "maximum is 1GB");


1GB vs 1GiB... maybe the message should display "GiB" to avoid any 
confusion?


Also I was wondering what is need for Patchew to start catching errors 
like in v1.


- Wainer


+exit(1);
+}
+
  object_initialize(>soc, sizeof(s->soc),
version == 3 ? TYPE_BCM2837 : TYPE_BCM2836);
  object_property_add_child(OBJECT(machine), "soc", OBJECT(>soc),

Re: [Qemu-devel] Block format 'raw' does not support the option 'share-rw'

[Michal Suchánek]

On Thu, 28 Mar 2019 16:56:48 +0100
Michal Suchánek  wrote:

> Hello,
> 
> I tried to update my machine definitions to work with current qemu.
> 
> Unfortunately, while qemu 2.11 supports disk sharing with raw images
> qemu 3.1 does not. That looks bogus to me. What is not supported about
> writing random block into a file in parallel?

And of course it is because the option is supported on a different
option (yes, options that have options get convoluted) and the error
message is quite unhelpful in diagnosing that.

Now if different formats can register new option handlers which
magically make an option supported I don't see how the diagnostic can
do much better, unfortunately.

Thanks

Michal

Re: [Qemu-devel] [PATCH 31/35] cpu: Move icount_decr to CPUNegativeOffsetState

[Richard Henderson]

On 3/25/19 10:23 AM, Paolo Bonzini wrote:
> I think you should, because moving it to obj-y would be a major headache
> if we ever were to resurrect the multiarch patches by Peter C.
> 
> That said, does cpu_neg really need env_neg and thus ArchCPU?  Perhaps
> you could:
> 
> 1) define CPUTLB in terms of MAX_MMU_MODES (12) instead of NB_MMU_MODES
> 
> 2) assert that
> 
>offsetof(ArchCPU, env) - offsetof(ArchCPU, neg) ==
>   sizeof(CPUNegativeOffsetState)

This doesn't work, since CPUTLB depends on target_ulong.

I think I'll go back to a pointer from CPUState to icount_decr, but clean up
how this and CPUState->env_ptr are initialized.


r~

Re: [Qemu-devel] [PATCH v2 for-4.1] hw/arm/raspi: Diagnose requests for too much RAM

[Richard Henderson]

On 3/28/19 8:29 AM, Peter Maydell wrote:
> The Raspberry Pi boards have a physical memory map which does
> not allow for more than 1GB of RAM. Currently if the user tries
> to ask for more then we fail in a confusing way:
> 
> $ qemu-system-aarch64 --machine raspi3 -m 8G
> Unexpected error in visit_type_uintN() at qapi/qapi-visit-core.c:164:
> qemu-system-aarch64: Parameter 'vcram-base' expects uint32_t
> Aborted (core dumped)
> 
> Catch this earlier and diagnose it with a more friendly message:
> $ qemu-system-aarch64 --machine raspi3 -m 8G
> qemu-system-aarch64: Requested ram size is too large for this machine: 
> maximum is 1GB
> 
> Fixes: https://bugs.launchpad.net/qemu/+bug/1794187
> Signed-off-by: Peter Maydell 
> ---
> Changes v1->v2: use '>', not '>='...

Reviewed-by: Richard Henderson 


r~

Re: [Qemu-devel] [libvirt] [PULL 04/14] audio: -audiodev command line option basic implementation

[Eric Blake]

On 3/28/19 3:06 PM, Eric Blake wrote:
> On 3/28/19 2:32 PM, Markus Armbruster wrote:
> 
 Adding Markus to CC so we can figure out how to wire up the
 introspection for such command line options.
>>>

> 
> Alternative 6:
> 
> Don't worry about patching q-c-l-o, but instead patch query-qemu-features:
> 
> https://lists.gnu.org/archive/html/qemu-devel/2019-03/msg07584.html
> 
> Add a new feature: audiodev-command-line
> 
> That addition becomes both introspectible (since query-qemu-features
> options are introspectible regardless of their runtime state) and
> queryable (not that this feature needs runtime queries, but others might).
> 
> And, since we're already proposing query-qemu-features for 4.0 for
> another reason, making it 2 reasons instead of 1 feels like extra
> justification for getting it done in a timely manner.

And answering myself after a bit more thought - the question is not just
about "can we use the command line instead of envvars", but one step
further of "once we are using the command line, what works in this
release as opposed to added in later releases".  So we still want
introspection to land on the full QAPI types for audiodev, even if, for
4.0, we can't actually use QMP to change them. This means we at least
need a QMP command that references the QAPI types (even if the command
is named "x-audiodev-dummy" and always fails), so that the types at
least make it into the introspection output, coupled with the
query-qemu-features bit to state that even when we remove the hack of
the x-audiodev-dummy command later, we can still use audiodev and scrape
enough out of introspection for our needs.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3226
Virtualization:  qemu.org | libvirt.org



signature.asc
Description: OpenPGP digital signature

Re: [Qemu-devel] [libvirt] [PULL 04/14] audio: -audiodev command line option basic implementation

[Eric Blake]

On 3/28/19 2:32 PM, Markus Armbruster wrote:

>>> Adding Markus to CC so we can figure out how to wire up the
>>> introspection for such command line options.
>>
>> query-command-line-options has always been woefully incomplete.  Sadly,
>> my replacement is still not ready.
>>
>> A reliable "witness" could serve a stop gap.  Unfortunately,
>> query-qmp-schema doesn't provide one: the series does not change
>> generated qapi-introspect.c.
>>
>> Need to think some more.
> 
> There is no witness in query-qmp-schema.


> 5. Screw it, create a new query command to return just the information
>from qemu_options[].
> 
> Alternatives 1. to 3. break ABI in different ways.  Finding out which of
> the ABI breaks upset libvirt would be easy enough.  But even if one of
> them is fine with libvirt, ABI breaks are best avoided.  Risking one in
> 4.0 is out of the question, we're far too late in the cycle.
> 
> Alternative 5. feels simpler than 4., and is similarly ugly.  This might
> still be acceptable (barely) for 4.0.
> 
> Opinions?

Alternative 6:

Don't worry about patching q-c-l-o, but instead patch query-qemu-features:

https://lists.gnu.org/archive/html/qemu-devel/2019-03/msg07584.html

Add a new feature: audiodev-command-line

That addition becomes both introspectible (since query-qemu-features
options are introspectible regardless of their runtime state) and
queryable (not that this feature needs runtime queries, but others might).

And, since we're already proposing query-qemu-features for 4.0 for
another reason, making it 2 reasons instead of 1 feels like extra
justification for getting it done in a timely manner.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3226
Virtualization:  qemu.org | libvirt.org



signature.asc
Description: OpenPGP digital signature

Re: [Qemu-devel] [libvirt] [PULL 04/14] audio: -audiodev command line option basic implementation

[Markus Armbruster]

Markus Armbruster  writes:

> Pavel Hrdina  writes:
>
>> On Tue, Mar 12, 2019 at 08:12:40AM +0100, Gerd Hoffmann wrote:
>>> From: Kővágó, Zoltán 
>>> 
>>> Audio drivers now get an Audiodev * as config paramters, instead of the
>>> global audio_option structs.  There is some code in audio/audio_legacy.c
>>> that converts the old environment variables to audiodev options (this
>>> way backends do not have to worry about legacy options).  It also
>>> contains a replacement of -audio-help, which prints out the equivalent
>>> -audiodev based config of the currently specified environment variables.
>>> 
>>> Note that backends are not updated and still rely on environment
>>> variables.
>>> 
>>> Also note that (due to moving try-poll from global to backend specific
>>> option) currently ALSA and OSS will always try poll mode, regardless of
>>> environment variables or -audiodev options.
>>
>> Hi,
>>
>> I'm glad that this is merged now and I wanted to start working on
>> libvirt patches, but there is one big issue with this command,
>> it's not introspectable by query-command-line-options.
>>
>> My guess based on the QEMU code is that it uses the new function that
>> allows you to use JSON on qemu command line.
>>
>> Without the introspection libvirt cannot implement the new option in
>> sensible way (without version check).
>>
>> Adding Markus to CC so we can figure out how to wire up the
>> introspection for such command line options.
>
> query-command-line-options has always been woefully incomplete.  Sadly,
> my replacement is still not ready.
>
> A reliable "witness" could serve a stop gap.  Unfortunately,
> query-qmp-schema doesn't provide one: the series does not change
> generated qapi-introspect.c.
>
> Need to think some more.

There is no witness in query-qmp-schema.

We don't want to parse output of -help.

query-command-line-options sucks.  To recap, here are its known defects:

0. It doesn't actually return information on command line options, it
returns information on QemuOpts.  All the other defects follow from this
one.

1. It fails to report most command line options.  Example: -audio.

2. It sometimes screws up the option name.  Example: -m is reported as
   "option": "memory".

2. It sometimes reports no parameters when there are in fact parameters.
   Example: -netdev.

3. It sometimes misses parameters.  Example: -drive misses driver-
   specific parameters.

Can we make q-c-l-o suck less?

Command line options are actually defined in qemu-options.hx, which gets
massaged into qemu_options[].  For each option, qemu_options[] gives us
the option name (without leading '-'), and whether the option takes an
argument.

This is less information per option than q-c-l-o provides now.  Can we
add it to its output anyway without confusing existing users?

Trouble is the QAPI schema is rather inflexible.  It returns a array of
objects with two members "option" and "parameters".  Strictly speaking,
the following are all ABI:

"option" is the name of the option (modulo the defect mentioned
above).

The option takes an argument.

The argument uses QemuOpts syntax.

At least the parameters in "parameters" are recognized.

Therefore,

we can't add options that take no argument, and

we can't add options with different argument syntax

without breaking ABI.

Alternatives:

1. We add only options that take an argument, like this:

{"option": "NAME", "parameters": []}

   The meaning of "parameters": [] changes.  In addition to "argument
   uses QemuOpts syntax, parameters unknown", it can now also mean
   "argument uses some other syntax".

2. We add all options that way.

   The meaning of "parameters": [] changes more drastically.  In
   addition to "argument uses QemuOpts syntax, parameters unknown", it
   can now also mean "argument uses some other syntax" and "no
   argument".

3. We add options that take an argument like

{"option": "NAME", "parameters": null}

   and options that don't take one like

{"option": "NAME"}

   This turns the *semantic* ABI breaks into *syntactic* ones.

4. We make the syntactic ABI breaks opt-in, i.e. make q-c-l-o take a
flag.

5. Screw it, create a new query command to return just the information
   from qemu_options[].

Alternatives 1. to 3. break ABI in different ways.  Finding out which of
the ABI breaks upset libvirt would be easy enough.  But even if one of
them is fine with libvirt, ABI breaks are best avoided.  Risking one in
4.0 is out of the question, we're far too late in the cycle.

Alternative 5. feels simpler than 4., and is similarly ugly.  This might
still be acceptable (barely) for 4.0.

Opinions?

Re: [Qemu-devel] [PATCH for-4.1] target/arm: Stop using variable length array in dc_zva

[Richard Henderson]

On 3/28/19 7:30 AM, Peter Maydell wrote:
> -void *hostaddr[maxidx];
> +void *hostaddr[DIV_ROUND_UP(2 * KiB, 1 << TARGET_PAGE_BITS_MIN)];

A very fancy way of writing "2".

>  int try, i;
>  unsigned mmu_idx = cpu_mmu_index(env, false);
>  TCGMemOpIdx oi = make_memop_idx(MO_UB, mmu_idx);
>  
> +assert(maxidx <= sizeof(hostaddr));

ARRAY_SIZE(hostaddr).


r~

Re: [Qemu-devel] [PATCH for-4.0] hw/usb/bus.c: Handle "no speed matched" case in usb_mask_to_str()

[Philippe Mathieu-Daudé]

Le jeu. 28 mars 2019 14:36, Peter Maydell  a
écrit :

> In usb_mask_to_str() we convert a mask of USB speeds into
> a human-readable string (like "full+high") for use in
> tracing and error messages. However the conversion code
> doesn't do anything to the string buffer if the passed in
> speedmask doesn't match any of the recognized speeds,
> which means that the tracing and error messages will
> end up with random garbage in them. This can happen if
> we're doing USB device passthrough.
>
> Handle the "unrecognized speed" case by using the
> string "unknown".
>
> Fixes: https://bugs.launchpad.net/qemu/+bug/1603785
> Signed-off-by: Peter Maydell 
> ---
> Tested by temporarily fiddling with the callsites to
> pass in a 0 speedmask, since I don't have any USB passthrough
> stuff handy.
> ---
>  hw/usb/bus.c | 4 
>  1 file changed, 4 insertions(+)
>
> diff --git a/hw/usb/bus.c b/hw/usb/bus.c
> index 6fffab7bfa4..9a74dc95601 100644
> --- a/hw/usb/bus.c
> +++ b/hw/usb/bus.c
> @@ -500,6 +500,10 @@ static void usb_mask_to_str(char *dest, size_t size,
>  speeds[i].name);
>  }
>  }
> +
> +if (pos == 0) {
> +snprintf(dest, size, "unknown");
> +}
>  }
>
>  void usb_check_attach(USBDevice *dev, Error **errp)
> --
> 2.20.1
>

Reviewed-by: Philippe Mathieu-Daudé 

>

Re: [Qemu-devel] [Qemu-arm] [PATCH for-4.1] target/arm: Stop using variable length array in dc_zva

[Philippe Mathieu-Daudé]

Le jeu. 28 mars 2019 15:30, Peter Maydell  a
écrit :

> Currently the dc_zva helper function uses a variable length
> array. In fact we know (as the comment above remarks) that
> the length of this array is bounded because the architecture
> limits the block size and QEMU limits the target page size.
> Use a fixed array size and assert that we don't run off it.
>
> Signed-off-by: Peter Maydell 
> ---
> A small move in the direction of "avoid using variable length
> arrays in QEMU"...
>
>  target/arm/helper.c | 5 -
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/target/arm/helper.c b/target/arm/helper.c
> index a36f4b3d699..1b6225cb598 100644
> --- a/target/arm/helper.c
> +++ b/target/arm/helper.c
> @@ -1,4 +1,5 @@
>  #include "qemu/osdep.h"
> +#include "qemu/units.h"
>  #include "target/arm/idau.h"
>  #include "trace.h"
>  #include "cpu.h"
> @@ -12412,11 +12413,13 @@ void HELPER(dc_zva)(CPUARMState *env, uint64_t
> vaddr_in)
>   * same QEMU executable.
>   */
>  int maxidx = DIV_ROUND_UP(blocklen, TARGET_PAGE_SIZE);
> -void *hostaddr[maxidx];
> +void *hostaddr[DIV_ROUND_UP(2 * KiB, 1 << TARGET_PAGE_BITS_MIN)];
>

Or g_new()... For 2K nowadays that is fine.

Reviewed-by: Philippe Mathieu-Daudé 

 int try, i;
>  unsigned mmu_idx = cpu_mmu_index(env, false);
>  TCGMemOpIdx oi = make_memop_idx(MO_UB, mmu_idx);
>
> +assert(maxidx <= sizeof(hostaddr));
> +
>  for (try = 0; try < 2; try++) {
>
>  for (i = 0; i < maxidx; i++) {
> --
> 2.20.1
>
>
>

Re: [Qemu-devel] [PATCH v2 for-4.1] hw/arm/raspi: Diagnose requests for too much RAM

[Philippe Mathieu-Daudé]

Le jeu. 28 mars 2019 16:29, Peter Maydell  a
écrit :

> The Raspberry Pi boards have a physical memory map which does
> not allow for more than 1GB of RAM. Currently if the user tries
> to ask for more then we fail in a confusing way:
>
> $ qemu-system-aarch64 --machine raspi3 -m 8G
> Unexpected error in visit_type_uintN() at qapi/qapi-visit-core.c:164:
> qemu-system-aarch64: Parameter 'vcram-base' expects uint32_t
> Aborted (core dumped)
>
> Catch this earlier and diagnose it with a more friendly message:
> $ qemu-system-aarch64 --machine raspi3 -m 8G
> qemu-system-aarch64: Requested ram size is too large for this machine:
> maximum is 1GB
>
> Fixes: https://bugs.launchpad.net/qemu/+bug/1794187
> Signed-off-by: Peter Maydell 
> ---
> Changes v1->v2: use '>', not '>='...
>

Argh I missed this...

Reviewed-by: Philippe Mathieu-Daudé 


>  hw/arm/raspi.c | 7 +++
>  1 file changed, 7 insertions(+)
>
> diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
> index 66899c28dc1..fe2bb511b98 100644
> --- a/hw/arm/raspi.c
> +++ b/hw/arm/raspi.c
> @@ -12,6 +12,7 @@
>   */
>
>  #include "qemu/osdep.h"
> +#include "qemu/units.h"
>  #include "qapi/error.h"
>  #include "qemu-common.h"
>  #include "cpu.h"
> @@ -175,6 +176,12 @@ static void raspi_init(MachineState *machine, int
> version)
>  BusState *bus;
>  DeviceState *carddev;
>
> +if (machine->ram_size > 1 * GiB) {
> +error_report("Requested ram size is too large for this machine: "
> + "maximum is 1GB");
> +exit(1);
> +}
> +
>  object_initialize(>soc, sizeof(s->soc),
>version == 3 ? TYPE_BCM2837 : TYPE_BCM2836);
>  object_property_add_child(OBJECT(machine), "soc", OBJECT(>soc),
> --
> 2.20.1
>
>

Re: [Qemu-devel] [PATCH 2/2] Add file-posix-dynamic-auto-read-only feature

[Eric Blake]

On 3/28/19 1:28 PM, Kevin Wolf wrote:
> auto-read-only=on changed its behaviour in file-posix for the 4.0
> release. This change cannot be detected through the usual mechanisms
> like schema introspection. Add a new feature to query-qemu-features to
> allow libvirt to detect the presence of the new behaviour.

Oddly enough, introspecting the schema is sufficient to learn about this
particular feature (that is, until we actually have a runtime feature
that requires us to run the command, merely seeing what features the
command supports is useful on its own). But that doesn't change the fact
that we should keep things as a command.

Reviewed-by: Eric Blake 

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3226
Virtualization:  qemu.org | libvirt.org



signature.asc
Description: OpenPGP digital signature

Re: [Qemu-devel] [Qemu-arm] [PATCH for-4.1] hw/ssi/xilinx_spips: Avoid variable length array

[Philippe Mathieu-Daudé]

Le jeu. 28 mars 2019 16:41, Edgar E. Iglesias  a
écrit :

> + Francisco
>
> On Thu, 28 Mar. 2019, 16:26 Peter Maydell, 
> wrote:
>
>> In the stripe8() function we use a variable length array; however
>> we know that the maximum length required is MAX_NUM_BUSSES. Use
>> a fixed-length array and an assert instead.
>>
>> Signed-off-by: Peter Maydell 
>> ---
>>  hw/ssi/xilinx_spips.c | 6 --
>>  1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
>> index 16f88f74029..c615058cc1b 100644
>> --- a/hw/ssi/xilinx_spips.c
>> +++ b/hw/ssi/xilinx_spips.c
>> @@ -429,12 +429,14 @@ static void xlnx_zynqmp_qspips_reset(DeviceState *d)
>>
>>  static inline void stripe8(uint8_t *x, int num, bool dir)
>>  {
>> -uint8_t r[num];
>> -memset(r, 0, sizeof(uint8_t) * num);
>> +uint8_t r[MAX_NUM_BUSSES];
>>  int idx[2] = {0, 0};
>>  int bit[2] = {0, 7};
>>  int d = dir;
>>
>> +assert(num <= MAX_NUM_BUSSES);
>> +memset(r, 0, sizeof(uint8_t) * num);
>> +
>>  for (idx[0] = 0; idx[0] < num; ++idx[0]) {
>>  for (bit[0] = 7; bit[0] >= 0; bit[0]--) {
>>  r[idx[!d]] |= x[idx[d]] & 1 << bit[d] ? 1 << bit[!d] : 0;
>> --
>> 2.20.1
>>
>
Reviewed-by: Philippe Mathieu-Daudé 

>

Re: [Qemu-devel] [PATCH 1/2] qmp: Add query-qemu-features

[Eric Blake]

On 3/28/19 1:28 PM, Kevin Wolf wrote:
> From: Stefan Hajnoczi 
> 
> QMP clients can usually detect the presence of features via schema
> introspection.  There are rare features that do not involve schema
> changes and are therefore impossible to detect with schema
> introspection.
> 
> This patch adds the query-qemu-features command. It returns a struct
> containing booleans for each feature that QEMU can support.
> 
> The decision to make this a command rather than something statically
> defined in the schema is intentional. It allows QEMU to decide which
> features are available at runtime, if necessary.
> 
> Signed-off-by: Stefan Hajnoczi 
> Signed-off-by: Kevin Wolf 
> ---
>  qapi/misc.json | 23 +++
>  qmp.c  | 10 ++
>  2 files changed, 33 insertions(+)

Addition of a new QMP command, but justifiable for 4.0 because of the
nature of the bug which it will enable us to fix.  Still, let's get it
into -rc2 rather than delaying the release...

Reviewed-by: Eric Blake 

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3226
Virtualization:  qemu.org | libvirt.org



signature.asc
Description: OpenPGP digital signature

Re: [Qemu-devel] [PATCH v2] block/file-posix: ignore fail on unlock bytes

[Kevin Wolf]

Am 28.03.2019 um 08:21 hat Vladimir Sementsov-Ogievskiy geschrieben:
> bdrv_replace_child() calls bdrv_check_perm() with error_abort on
> loosening permissions. However file-locking operations may fail even
> in this case, for example on NFS. And this leads to Qemu crash.
> 
> Let's ignore such errors, as we do already on permission update commit
> and abort.
> 
> Signed-off-by: Vladimir Sementsov-Ogievskiy 

I think this would better be fixed in block.c code so that unlock never
fails for any block driver.

But we're late for 4.0, so if fixing it in block.c proves difficult,
this might still be better than nothing and I could accept it as a
preliminary solution.

Kevin

Re: [Qemu-devel] [Qemu-ppc] [PATCH v7 0/2] spapr-rtas: add ibm, get-vpd RTAS interface

[Maxiwell S. Garcia]

Hi,

On Thu, Mar 28, 2019 at 02:21:51PM +0100, Greg Kurz wrote:
> On Wed, 27 Mar 2019 17:41:00 -0300
> "Maxiwell S. Garcia"  wrote:
> 
> > Here are two patches to add a handler for ibm,get-vpd RTAS calls.
> > This RTAS exposes host information in case of set QEMU options
> > 'host-serial' and 'host-model' as 'passthrough'.
> > 
> > The patch 1 creates helper functions to get valid 'host-serial'
> > and 'host-model' parameters, guided by QEMU command line. These
> > parameters are useful to build the guest device tree and to return
> > get-vpd RTAS calls. The patch 2 adds the ibm,get-vpd itself.
> > 
> > Update v7:
> > * rtas_get_vpd_fields as a static array in spapr machine state
> > 
> > Maxiwell S. Garcia (2):
> >   spapr: helper functions to get valid host fields
> >   spapr-rtas: add ibm,get-vpd RTAS interface
> > 
> >  hw/ppc/spapr.c | 48 +++--
> >  hw/ppc/spapr_rtas.c| 96 ++
> >  include/hw/ppc/spapr.h | 14 +-
> >  3 files changed, 135 insertions(+), 23 deletions(-)
> > 
> 
> Hi Maxiwell,
> 
> David sent a patch to rework how the host data is exposed to the guest.
> Especially, the special casing of the "none" and "passthrough" strings
> is no more... I'm afraid you'll have to rework your patches accordingly:
> code+changelog in patch 1 and at least changelog in patch 2.
> 
> Cheers,

IIUC, the 'ibm,get-vpd' RTAS should return information about the
platform/cabinet. Thus, it's not necessary to add new nodes in the guest
device tree to export information like that. Since it's a POWER specific
functionality, may 'ibm,get-vpd' export host information if the
guest instance allows it? Or is it better return only the 'host-serial'
and 'host-model' content, like in the patch "spapr: Simplify handling
of host-serial and host-model values"?

> 
> --
> Greg
> 

[Qemu-devel] [PATCH 2/2] Add file-posix-dynamic-auto-read-only feature

[Kevin Wolf]

auto-read-only=on changed its behaviour in file-posix for the 4.0
release. This change cannot be detected through the usual mechanisms
like schema introspection. Add a new feature to query-qemu-features to
allow libvirt to detect the presence of the new behaviour.

Signed-off-by: Kevin Wolf 
---
 qapi/misc.json | 7 ++-
 qmp.c  | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/qapi/misc.json b/qapi/misc.json
index d892f37633..df23c54a65 100644
--- a/qapi/misc.json
+++ b/qapi/misc.json
@@ -3058,10 +3058,15 @@
 # Information about support for QEMU features that isn't available through
 # schema introspection.
 #
+# @file-posix-dynamic-auto-read-only:
+#   true if auto-read-only=on means that the image file is dynamically reopened
+#   read-only or read-write depending on whether any writers are attached to
+#   the node.
+#
 # Since: 4.0
 ##
 { 'struct': 'QemuFeatures',
-  'data': { } }
+  'data': { 'file-posix-dynamic-auto-read-only': 'bool' } }
 
 ##
 # @query-qemu-features:
diff --git a/qmp.c b/qmp.c
index 0aad533eca..2a887c1e7d 100644
--- a/qmp.c
+++ b/qmp.c
@@ -723,6 +723,7 @@ QemuFeatures *qmp_query_qemu_features(Error **errp)
 QemuFeatures *caps = g_new(QemuFeatures, 1);
 
 *caps = (QemuFeatures) {
+.file_posix_dynamic_auto_read_only = true,
 };
 
 return caps;
-- 
2.20.1

[Qemu-devel] [PATCH for-4.0 0/2] file-posix: query-qemu-features for auto-read-only

[Kevin Wolf]

auto-read-only=on changed its behaviour in file-posix for the 4.0
release. This change cannot be detected through the usual mechanisms
like schema introspection.

I took Stefan's patch 'qmp: add query-qemu-capabilities', removed the
feature that he originally wanted this for and addressed the review
comments. The introduction of the file-posix-dynamic-auto-read-only
feature is a separate patch.

Stefan, I kept you as the author of the first patch and also your
Signed-off-by. Is this okay with you or would you prefer a change?

Kevin Wolf (1):
  Add file-posix-dynamic-auto-read-only feature

Stefan Hajnoczi (1):
  qmp: Add query-qemu-features

 qapi/misc.json | 28 
 qmp.c  | 11 +++
 2 files changed, 39 insertions(+)

-- 
2.20.1

Re: [Qemu-devel] [PATCH v2 3/3] nbd/server: Advertise actual minimum block size

[Eric Blake]

On 3/28/19 3:46 AM, Vladimir Sementsov-Ogievskiy wrote:
> 28.03.2019 1:39, Eric Blake wrote:
>> Both NBD_CMD_BLOCK_STATUS and structured NBD_CMD_READ will split their
>> reply according to bdrv_block_status() boundaries. If the block device
>> has a request_alignment smaller than 512, but we advertise a block
>> alignment of 512 to the client, then this can result in the server
>> reply violating client expectations by reporting a smaller region of
>> the export than what the client is permitted to address (although this
>> is less of an issue for qemu 4.0 clients, given recent client patches
>> to overlook our non-compliance).  Since it's always better to be
>> strict in what we send, it is worth advertising the actual minimum
>> block limit rather than blindly rounding it up to 512.
>>
>> Note that this patch is not foolproof - it is still possible to
>> provoke non-compliant server behavior using:
>>
>> $ qemu-nbd --image-opts 
>> driver=blkdebug,align=512,image.driver=file,image.filename=/path/to/non-aligned-file
>>
>> But as blkdebug is not normally used, and as this patch makes our
>> server more interoperable with qemu 3.1 clients, it is worth applying
>> now, even while we still work on a larger patch for the 4.1 timeframe
>> to improve the block layer to prevent the mid-block status changes
>> that can be observed now with blkdebug or with a backing layer with
>> smaller alignment than the active layer.
>>
>> Note that the iotests output changes - both pre- and post-patch, the
>> server is reporting a mid-sector hole; but pre-patch, the client was
>> then rounding that up to a sector boundary as a workaround, while
>> post-patch the client doesn't have to round because it sees the
>> server's smaller advertised block size.
>>
>> Signed-off-by: Eric Blake 
>> ---
>>   nbd/server.c   | 12 +++-
>>   tests/qemu-iotests/241.out |  3 ++-
>>   2 files changed, 9 insertions(+), 6 deletions(-)
>>
>> diff --git a/nbd/server.c b/nbd/server.c
>> index fd013a2817a..c76f32dbb50 100644
>> --- a/nbd/server.c
>> +++ b/nbd/server.c
>> @@ -607,13 +607,15 @@ static int nbd_negotiate_handle_info(NBDClient 
>> *client, uint16_t myflags,
>>   /* Send NBD_INFO_BLOCK_SIZE always, but tweak the minimum size
>>* according to whether the client requested it, and according to
>>* whether this is OPT_INFO or OPT_GO. */
>> -/* minimum - 1 for back-compat, or 512 if client is new enough.
>> - * TODO: consult blk_bs(blk)->bl.request_alignment? */
>> -sizes[0] =
>> -(client->opt == NBD_OPT_INFO || blocksize) ? BDRV_SECTOR_SIZE : 
>> 1;
>> +/* minimum - 1 for back-compat, or actual if client will obey it. */
>> +if (client->opt == NBD_OPT_INFO || blocksize) {
>> +sizes[0] = blk_get_request_alignment(exp->blk);
> 
> hope it will never exceed NBD_MAX_BUFFER_SIZE ))

I can add an assert.

> 
> Reviewed-by: Vladimir Sementsov-Ogievskiy 

Thanks. I've got more patches coming, so I think I'll respin this series
into v3 with my other patches included. I'm still aiming to get this
into 4.2-rc2 though.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3226
Virtualization:  qemu.org | libvirt.org



signature.asc
Description: OpenPGP digital signature

[Qemu-devel] [PATCH 1/2] qmp: Add query-qemu-features

[Kevin Wolf]

From: Stefan Hajnoczi 

QMP clients can usually detect the presence of features via schema
introspection.  There are rare features that do not involve schema
changes and are therefore impossible to detect with schema
introspection.

This patch adds the query-qemu-features command. It returns a struct
containing booleans for each feature that QEMU can support.

The decision to make this a command rather than something statically
defined in the schema is intentional. It allows QEMU to decide which
features are available at runtime, if necessary.

Signed-off-by: Stefan Hajnoczi 
Signed-off-by: Kevin Wolf 
---
 qapi/misc.json | 23 +++
 qmp.c  | 10 ++
 2 files changed, 33 insertions(+)

diff --git a/qapi/misc.json b/qapi/misc.json
index 8b3ca4fdd3..d892f37633 100644
--- a/qapi/misc.json
+++ b/qapi/misc.json
@@ -3051,3 +3051,26 @@
   'data': 'NumaOptions',
   'allow-preconfig': true
 }
+
+##
+# @QemuFeatures:
+#
+# Information about support for QEMU features that isn't available through
+# schema introspection.
+#
+# Since: 4.0
+##
+{ 'struct': 'QemuFeatures',
+  'data': { } }
+
+##
+# @query-qemu-features:
+#
+# Return the features supported by this QEMU. Most features can be detected
+# via schema introspection but some are not observable from the schema. This
+# command offers a way to check for the presence of such features.
+#
+# Since: 4.0
+##
+{ 'command': 'query-qemu-features',
+  'returns': 'QemuFeatures' }
diff --git a/qmp.c b/qmp.c
index b92d62cd5f..0aad533eca 100644
--- a/qmp.c
+++ b/qmp.c
@@ -717,3 +717,13 @@ MemoryInfo *qmp_query_memory_size_summary(Error **errp)
 
 return mem_info;
 }
+
+QemuFeatures *qmp_query_qemu_features(Error **errp)
+{
+QemuFeatures *caps = g_new(QemuFeatures, 1);
+
+*caps = (QemuFeatures) {
+};
+
+return caps;
+}
-- 
2.20.1

Re: [Qemu-devel] [PATCH v2 1/3] iotests: Add 241 to test NBD on unaligned images

[Eric Blake]

On 3/28/19 3:20 AM, Vladimir Sementsov-Ogievskiy wrote:
> 28.03.2019 1:39, Eric Blake wrote:
>> Add a test for the NBD client workaround in the previous patch.  It's
>> not really feasible for an iotest to assume a specific tracing engine,
>> so we can't really probe for the new
>> trace_nbd_parse_blockstatus_compliance to see if the server was fixed
>> vs. whether the client just worked around the server (other than by
>> rearranging order between code patches and this test). But having a
>> successful exchange sure beats the previous state of an error message.
>>

>> +seq="$(basename $0)"
>> +echo "QA output created by $seq"
>> +
>> +status=1 # failure is the default!
>> +
>> +nbd_unix_socket=$TEST_DIR/test_qemu_nbd_socket
>> +rm -f "${TEST_DIR}/qemu-nbd.pid"
> 
> hmm, strange that we need to remove something from test directory at start.

Well, until we follow through with our thread of implementing per-test
scratch directories for iotests, it proved invaluable to me during
testing (as a failed test does not properly clean up after itself).


>> +# can't use _make_test_img, because qemu-img rounds image size up,
>> +# and because we want to use Unix socket rather than TCP port. Likewise,
>> +# we have to redirect TEST_IMG to our server.
>> +# This tests that we can deal with the hole at the end of an unaligned
>> +# raw file (either because the server doesn't advertise alignment too
>> +# large, or because the client ignores the server's noncompliance).
>> +printf %01000d 0 > "$TEST_IMG_FILE"
>> +nbd_server_start_unix_socket -f $IMGFMT -e 42 -x '' "$TEST_IMG_FILE"
> 
> why do we need -e 42? we don't have more than one client simultaneously..

Matches what other tests use. You are right that I could get away
without it, though.

> and -x '' is the default anyway

Ditto.

> 
>> +TEST_IMG="nbd:unix:$nbd_unix_socket"
>> +
>> +$QEMU_IMG map --output=json "$TEST_IMG" | _filter_qemu_img_map
> 
> is filter needed? seems like not

I'd rather keep the filter (makes it easier to copy-and-paste between
other tests, especially if it does matter down the road)

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3226
Virtualization:  qemu.org | libvirt.org



signature.asc
Description: OpenPGP digital signature

Re: [Qemu-devel] [PATCH v2] block/file-posix: ignore fail on unlock bytes

[Eric Blake]

On 3/28/19 2:21 AM, Vladimir Sementsov-Ogievskiy wrote:
> bdrv_replace_child() calls bdrv_check_perm() with error_abort on
> loosening permissions. However file-locking operations may fail even
> in this case, for example on NFS. And this leads to Qemu crash.
> 
> Let's ignore such errors, as we do already on permission update commit
> and abort.
> 
> Signed-off-by: Vladimir Sementsov-Ogievskiy 
> ---
> 
> v2: - simplify expression [Eric]
> - fix bug s/new_perm/new_shared
> 
>  block/file-posix.c | 14 ++
>  1 file changed, 14 insertions(+)

Reviewed-by: Eric Blake 

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3226
Virtualization:  qemu.org | libvirt.org



signature.asc
Description: OpenPGP digital signature

[Qemu-devel] [Bug 1806243] Re: ARM conditional branch after if-then instruction not working

[Vincent Hamp]

I honestly wouldn't know where to start. The wrong branch instructions
were created by an embedded forth compiler. I just tried mem-copying a
single definition containing one of those erroneous branches to some ram
array and then call into it with a pointer. The problem is that the
definition assumes certain preconditions like a register pointing to
forth's stack and all... Without those preconditions calling the
definition immediately hardfaults the core at the very first load
instruction.

After playing around with it for like ~2h I think that's not worth the
trouble. I'm glad the QEMU inconsistency is fixed, let's leave it at
that (I tested with 3.1.0 btw). :)

Thank you for all your trouble.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1806243

Title:
  ARM conditional branch after if-then instruction not working

Status in QEMU:
  Fix Released

Bug description:
  Hello

  There seems to be an issue with QEMU when debugging if-then condition
  blocks from the thumb2 instruction set. The following snippet runs
  fine during normal execution, but keeps hanging at the conditional
  branch when debugging. The jump at the branch should only be executed
  as long as $r0 is lower than $r1. Problem is that once both are equal,
  the execution is not continued past the branch and the program counter
  never gets popped.

  2000407a:   push{lr}
  2000407c:   movsr0, r6
  2000407e:   ldmia   r7!, {r1, r6}
  20004080:   push{r0, r1}
  20004082:   str.w   r6, [r7, #-4]!
  20004086:   ldr r6, [sp, #0]
  20004088:   pop {r0, r1}
  2000408a:   addsr0, #1
  2000408c:   cmp r0, r1
  2000408e:   itt lt
  20004090:   pushlt  {r0, r1}
  20004092:   blt.w   0x20004082  ; unpredictable   // <-- GDB hangs 
here
  20004096:   pop {pc}

  I have tried to reproduce the problem with inline assembly but for
  some reason the following example just worked:

  void f() {
static uint8_t stack[256]{};
stack[255] = 4;

asm volatile("\n\t"
 "push{lr}"
 "\n\t"

 // pre-conditions
 "movsr7, %[stack]"
 "\n\t"
 "movsr6, #1"
 "\n\t"

 "movsr0, r6"
 "\n\t"
 "ldmia   r7!, {r1, r6}"
 "\n\t"
 "push{r0, r1}"
 "\n\t"
 "1:"
 "\n\t"
 "str.w   r6, [r7, #-4]!"
 "\n\t"
 "ldr r6, [sp, #0]"
 "\n\t"
 "pop {r0, r1}"
 "\n\t"
 "addsr0, #1"
 "\n\t"
 "cmp r0, r1"
 "\n\t"
 "itt lt"
 "\n\t"
 "pushlt  {r0, r1}"
 "\n\t"

 // Original instruction
 //"blt.w   0x20004082"  //   ; unpredictable 

 // Trying to fake it
 "blt.w   1b"
 "\n\t"

 "pop {pc}"
 "\n\t"
 :
 : [stack] "r"([255]));
  }

  The only real major difference I see to the other code snipped is that
  the inline assembly is running from flash memory where as the original
  code runs in ram? Maybe that's a clue somehow?

  Quickly reading through already reported ARM bugs I think this might be 
related:
  https://bugs.launchpad.net/qemu/+bug/1364501
  At least the symptoms sound identical.

  
  The versions I'm running are:
  QEMU 3.0.0
  arm-none-eabi-gdb 8.2

  I've also captured some trace output for single stepping from the
  pushlt to the blt.w instruction with the trace arguments unimp,
  guest_errors, op, int, exec.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1806243/+subscriptions

[Qemu-devel] [PATCH 2/2 v3] usb-mtp: refactor the flow of usb_mtp_write_data

[Bandan Das]

There's no functional change but the flow is (hopefully)
more consistent for both file and folder object types.

Signed-off-by: Bandan Das 
---
 hw/usb/dev-mtp.c | 57 +---
 1 file changed, 30 insertions(+), 27 deletions(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 4dc1317e2e..0afb926719 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -1599,7 +1599,7 @@ static int usb_mtp_update_object(MTPObject *parent, char 
*name)
 return ret;
 }
 
-static int usb_mtp_write_data(MTPState *s)
+static void usb_mtp_write_data(MTPState *s, uint32_t handle)
 {
 MTPData *d = s->data_out;
 MTPObject *parent =
@@ -1616,26 +1616,33 @@ static int usb_mtp_write_data(MTPState *s)
 if (!parent || !s->write_pending) {
 usb_mtp_queue_result(s, RES_INVALID_OBJECTINFO, d->trans,
 0, 0, 0, 0);
-return 1;
+return;
 }
 
 if (s->dataset.filename) {
 path = g_strdup_printf("%s/%s", parent->path, s->dataset.filename);
 if (s->dataset.format == FMT_ASSOCIATION) {
 ret = mkdir(path, mask);
-goto free;
+if (!ret) {
+usb_mtp_queue_result(s, RES_OK, d->trans, 3,
+ QEMU_STORAGE_ID,
+ s->dataset.parent_handle,
+ handle);
+goto close;
+}
+goto done;
 }
+
 d->fd = open(path, O_CREAT | O_WRONLY |
  O_CLOEXEC | O_NOFOLLOW, mask);
 if (d->fd == -1) {
-usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
- 0, 0, 0, 0);
+ret = 1;
 goto done;
 }
 
 /* Return success if initiator sent 0 sized data */
 if (!s->dataset.size) {
-goto success;
+goto done;
 }
 if (d->length != MTP_WRITE_BUF_SZ && !d->pending) {
 d->write_status = WRITE_END;
@@ -1647,13 +1654,12 @@ static int usb_mtp_write_data(MTPState *s)
 rc = write_retry(d->fd, d->data, d->data_offset,
  d->offset - d->data_offset);
 if (rc != d->data_offset) {
-usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
- 0, 0, 0, 0);
+ret = 1;
 goto done;
 }
 if (d->write_status != WRITE_END) {
 g_free(path);
-return ret;
+return;
 } else {
 /*
  * Return an incomplete transfer if file size doesn't match
@@ -1665,16 +1671,20 @@ static int usb_mtp_write_data(MTPState *s)
 usb_mtp_update_object(parent, s->dataset.filename)) {
 usb_mtp_queue_result(s, RES_INCOMPLETE_TRANSFER, d->trans,
  0, 0, 0, 0);
-goto done;
+goto close;
 }
 }
 }
 
-success:
-usb_mtp_queue_result(s, RES_OK, d->trans,
- 0, 0, 0, 0);
-
 done:
+if (ret) {
+usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
+ 0, 0, 0, 0);
+} else {
+usb_mtp_queue_result(s, RES_OK, d->trans,
+ 0, 0, 0, 0);
+}
+close:
 /*
  * The write dataset is kept around and freed only
  * on success or if another write request comes in
@@ -1683,12 +1693,10 @@ done:
 close(d->fd);
 d->fd = -1;
 }
-free:
 g_free(s->dataset.filename);
 s->dataset.size = 0;
 g_free(path);
 s->write_pending = false;
-return ret;
 }
 
 static void usb_mtp_write_metadata(MTPState *s, uint64_t dlen)
@@ -1725,16 +1733,11 @@ static void usb_mtp_write_metadata(MTPState *s, 
uint64_t dlen)
 s->write_pending = true;
 
 if (s->dataset.format == FMT_ASSOCIATION) {
-if (usb_mtp_write_data(s)) {
-/* next_handle will be allocated to the newly created dir */
-usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
- 0, 0, 0, 0);
-return;
-}
+usb_mtp_write_data(s, next_handle);
+} else {
+usb_mtp_queue_result(s, RES_OK, d->trans, 3, QEMU_STORAGE_ID,
+ s->dataset.parent_handle, next_handle);
 }
-
-usb_mtp_queue_result(s, RES_OK, d->trans, 3, QEMU_STORAGE_ID,
- s->dataset.parent_handle, next_handle);
 }
 
 static void usb_mtp_get_data(MTPState *s, mtp_container *container,
@@ -1814,14 +1817,14 @@ static void usb_mtp_get_data(MTPState *s, mtp_container 
*container,
 } else {
 d->write_status = WRITE_START;
 }
-usb_mtp_write_data(s);
+usb_mtp_write_data(s, 0);
 

[Qemu-devel] [PATCH 1/2 v3] usb-mtp: remove usb_mtp_object_free_one

[Bandan Das]

This function is used in the delete path only and can
be replaced by a call to usb_mtp_object_free.

Reviewed-by: Peter Maydell 
Signed-off-by: Bandan Das 
---
 hw/usb/dev-mtp.c | 14 ++
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 91b820baaf..4dc1317e2e 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -1150,16 +1150,6 @@ enum {
 DELETE_PARTIAL = (DELETE_FAILURE | DELETE_SUCCESS),
 };
 
-/* Assumes that children, if any, have been already freed */
-static void usb_mtp_object_free_one(MTPState *s, MTPObject *o)
-{
-assert(o->nchildren == 0);
-QTAILQ_REMOVE(>objects, o, next);
-g_free(o->name);
-g_free(o->path);
-g_free(o);
-}
-
 static int usb_mtp_deletefn(MTPState *s, MTPObject *o, uint32_t trans)
 {
 MTPObject *iter, *iter2;
@@ -1181,14 +1171,14 @@ static int usb_mtp_deletefn(MTPState *s, MTPObject *o, 
uint32_t trans)
 if (remove(o->path)) {
 ret |= DELETE_FAILURE;
 } else {
-usb_mtp_object_free_one(s, o);
+usb_mtp_object_free(s, o);
 ret |= DELETE_SUCCESS;
 }
 } else if (o->format == FMT_ASSOCIATION) {
 if (rmdir(o->path)) {
 ret |= DELETE_FAILURE;
 } else {
-usb_mtp_object_free_one(s, o);
+usb_mtp_object_free(s, o);
 ret |= DELETE_SUCCESS;
 }
 }
-- 
2.19.2

[Qemu-devel] [PATCH 0/2 v3] misc usb-mtp fixes

[Bandan Das]

v3:
  2/2: Fix indentation
   Add back sending RES_OK for success
v2:
  1/2: Add Reviewed-by tag
  2/2: remove extra vars and directly call usb_mtp_queue_result
  
The first patch removes a unnecessary function
and the second is just a code reorg of usb_mtp_write_data
to make it less confusing. Applies on top of
[PATCH v3] usb-mtp: fix return status of delete
Message-ID: 


Bandan Das (2):
  usb-mtp: remove usb_mtp_object_free_one
  usb-mtp: refactor the flow of usb_mtp_write_data

 hw/usb/dev-mtp.c | 71 ++--
 1 file changed, 32 insertions(+), 39 deletions(-)

-- 
2.19.2