[Bug 1846451] Re: K800 keyboard no longer works when attached to a VM

[Gerd Hoffmann]

Try this:

   
   

Not fully sure this works for hotplugged devices though.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1846451

Title:
  K800 keyboard no longer works when attached to a VM

Status in QEMU:
  Fix Released

Bug description:
  I use Logitech K800 keyboard which is connected to a PC through
  Logitech unifying receiver. In order to control my windows VM i attach
  unifying receiver USB device to a VM using "virsh attach-device VM-
  Name ./device.xml". Device ID as seen in lsusb is 046d:c52b.

  As of v4.1.0 keyboard no longer works when attached to a windows VM.
  When attached receiver is still at least partially functional.
  Logitech pairing utility properly displays paired keyboard, pressing
  buttons on the keyboard shows changing indicator icon in pairing
  utility. Pairing and unpairing works. Pressing keys however fails to
  register any key presses.

  Downgrading to v4.0.0 fixes the issue.

  device.xml used to attach USB device:
  ```
  
  
  
  
  
  

  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1846451/+subscriptions

Re: The issues about architecture of the COLO checkpoint

[Daniel Cho]

Hi Zhang,

Thanks for your help.
However, did you occur the error which the function qemu_hexdump in
colo-compare.c will crash the qemu process while doing operation with
network?

We are working on VM fault tolerance study and COLO function
evalutation first. Currently we did not have a confirmed plan on it.

Best regard,
Daniel Cho

Zhang, Chen  於 2020年2月24日 週一 上午2:43寫道：

>
>
>
>
>
> From: Daniel Cho 
> Sent: Thursday, February 20, 2020 11:49 AM
> To: Zhang, Chen 
> Cc: Dr. David Alan Gilbert ; Zhanghailiang 
> ; qemu-devel@nongnu.org; Jason Wang 
> 
> Subject: Re: The issues about architecture of the COLO checkpoint
>
>
>
> Hi Zhang,
>
>
>
> Thanks, I will configure on code for testing first.
>
> However, if you have free time, could you please send the patch file to us, 
> Thanks.
>
>
>
> OK, I will send this patch recently.
>
> By the way, can you share QNAP’s plan and status for COLO?
>
>
>
> Best Regard,
>
> Daniel Cho
>
>
>
>
>
> Zhang, Chen  於 2020年2月20日 週四 上午11:07寫道：
>
>
>
> On 2/18/2020 5:22 PM, Daniel Cho wrote:
>
> Hi Hailiang,
>
> Thanks for your help. If we have any problems we will contact you for your 
> favor.
>
>
>
>
>
> Hi Zhang,
>
>
>
> " If colo-compare got a primary packet without related secondary packet in a 
> certain time , it will automatically trigger checkpoint.  "
>
> As you said, the colo-compare will trigger checkpoint, but does it need to 
> limit checkpoint times?
>
> There is a problem about doing many checkpoints while we use fio to random 
> write files. Then it will cause low throughput on PVM.
>
> Is this situation is normal on COLO?
>
>
>
> Hi Daniel,
>
> The checkpoint time is designed to be user adjustable based on user 
> environment(workload/network status/business conditions...).
>
> In net/colo-compare.c
>
> /* TODO: Should be configurable */
> #define REGULAR_PACKET_CHECK_MS 3000
>
> If you need, I can send a patch for this issue. Make users can change the 
> value by QMP and qemu monitor commands.
>
> Thanks
>
> Zhang Chen
>
>
>
>
>
> Best regards,
>
> Daniel Cho
>
>
>
> Zhang, Chen  於 2020年2月17日 週一 下午1:36寫道：
>
>
>
> On 2/15/2020 11:35 AM, Daniel Cho wrote:
>
> Hi Dave,
>
>
>
> Yes, I agree with you, it does need a timeout.
>
>
>
> Hi Daniel and Dave,
>
> Current colo-compare already have the timeout mechanism.
>
> Named packet_check_timer,  It will scan primary packet queue to make sure all 
> the primary packet not stay too long time.
>
> If colo-compare got a primary packet without related secondary packet in a 
> certain time , it will automatic trigger checkpoint.
>
> https://github.com/qemu/qemu/blob/master/net/colo-compare.c#L847
>
>
>
> Thanks
>
> Zhang Chen
>
>
>
>
>
> Hi Hailiang,
>
>
>
> We base on qemu-4.1.0 for using COLO feature, in your patch, we found a lot 
> of difference  between your version and ours.
>
> Could you give us a latest release version which is close your developing 
> code?
>
>
>
> Thanks.
>
>
>
> Regards
>
> Daniel Cho
>
>
>
> Dr. David Alan Gilbert  於 2020年2月13日 週四 下午6:38寫道：
>
> * Daniel Cho (daniel...@qnap.com) wrote:
> > Hi Hailiang,
> >
> > 1.
> > OK, we will try the patch
> > “0001-COLO-Optimize-memory-back-up-process.patch”,
> > and thanks for your help.
> >
> > 2.
> > We understand the reason to compare PVM and SVM's packet. However, the
> > empty of SVM's packet queue might happened on setting COLO feature and SVM
> > broken.
> >
> > On situation 1 ( setting COLO feature ):
> > We could force do checkpoint after setting COLO feature finish, then it
> > will protect the state of PVM and SVM . As the Zhang Chen said.
> >
> > On situation 2 ( SVM broken ):
> > COLO will do failover for PVM, so it might not cause any wrong on PVM.
> >
> > However, those situations are our views, so there might be a big difference
> > between reality and our views.
> > If we have any wrong views and opinions, please let us know, and correct
> > us.
>
> It does need a timeout; the SVM being broken or being in a state where
> it never sends the corresponding packet (because of a state difference)
> can happen and COLO needs to timeout when the packet hasn't arrived
> after a while and trigger the checkpoint.
>
> Dave
>
> > Thanks.
> >
> > Best regards,
> > Daniel Cho
> >
> > Zhang, Chen  於 2020年2月13日 週四 上午10:17寫道：
> >
> > > Add cc Jason Wang, he is a network expert.
> > >
> > > In case some network things goes wrong.
> > >
> > >
> > >
> > > Thanks
> > >
> > > Zhang Chen
> > >
> > >
> > >
> > > *From:* Zhang, Chen
> > > *Sent:* Thursday, February 13, 2020 10:10 AM
> > > *To:* 'Zhanghailiang' ; Daniel Cho <
> > > daniel...@qnap.com>
> > > *Cc:* Dr. David Alan Gilbert ; qemu-devel@nongnu.org
> > > *Subject:* RE: The issues about architecture of the COLO checkpoint
> > >
> > >
> > >
> > > For the issue 2:
> > >
> > >
> > >
> > > COLO need use the network packets to confirm PVM and SVM in the same 
> > > state,
> > >
> > > Generally speaking, we can’t send PVM packets without compared with SVM
> > > packets.
> > >
> > > But to 

Re: [PATCH 2/2] util: add util function buffer_zero_avx512()

[Robert Hoo]

Thanks Richard:-)
Sorry for late reply.
On Thu, 2020-02-13 at 10:20 -0800, Richard Henderson wrote:
> On 2/12/20 11:52 PM, Robert Hoo wrote:
> > And initialize buffer_is_zero() with it, when Intel AVX512F is
> > available on host.
> > 
> > This function utilizes Intel AVX512 fundamental instructions which
> > perform over previous AVX2 instructions.
> 
> Is it not still true that any AVX512 insn will cause the entire cpu
> package,
> not just the current core, to drop frequency by 20%?
> 
> As far as I know one should only use the 512-bit instructions when
> you can
> overcome that frequency drop, which seems unlikely in this
> case.  That said...
> I don't think so. AVX512 has been applied in various places.
> > +if (unlikely(len < 64)) { /*buff less than 512 bits,
> > unlikely*/
> > +return buffer_zero_int(buf, len);
> > +}
> 
> First, len < 64 has been eliminated already in select_accel_fn.
> Second, len < 256 is not handled properly by the code below...
> 
Right. I'm going to fix this in v2.
> 
> > +/* Begin with an unaligned head of 64 bytes.  */
> > +t = _mm512_loadu_si512(buf);
> > +p = (__m512i *)(((uintptr_t)buf + 5 * 64) & -64);
> > +e = (__m512i *)(((uintptr_t)buf + len) & -64);
> > +
> > +/* Loop over 64-byte aligned blocks of 256.  */
> > +while (p < e) {
> > +__builtin_prefetch(p);
> > +if (unlikely(_mm512_test_epi64_mask(t, t))) {
> > +return false;
> > +}
> > +t = p[-4] | p[-3] | p[-2] | p[-1];
> > +p += 4;
> > +}
> > +
> > +t |= _mm512_loadu_si512(buf + len - 4 * 64);
> > +t |= _mm512_loadu_si512(buf + len - 3 * 64);
> > +t |= _mm512_loadu_si512(buf + len - 2 * 64);
> > +t |= _mm512_loadu_si512(buf + len - 1 * 64);
> 
> ... because this final sequence loads 256 bytes.
> 
> Rather than make a second test vs 256 in buffer_zero_avx512, I wonder
> if it
> would be better to have select_accel_fn do the job.  Have a global
> variable
> buffer_accel_size alongside buffer_accel so there's only one branch
> (mis)predict to worry about.
> 
Thanks Richard, very enlightening!
Inspired by your suggestion, I'm thinking go further: use immediate
rather than a global variable, so that saves 1 memory(/cache) access. 

#ifdef CONFIG_AVX512F_OPT   
#define OPTIMIZE_LEN256
#else
#define OPTIMIZE_LEN64
#endif
> FWIW, something that the compiler should do, but doesn't currently,
> is use
> vpternlogq to perform a 3-input OR.  Something like
> 
> /* 0xfe -> orABC */
> t = _mm512_ternarylogic_epi64(t, p[-4], p[-3], 0xfe);
> t = _mm512_ternarylogic_epi64(t, p[-2], p[-1], 0xfe);
> 
Very enlightening. Yes, seems compiler doesn't do this.
I tried explicitly use this, however, looks it will have more
instructions generated, and unit test shows it performs less than then
conventional code.
Let me keep the conventional code for this moment, will ask around and
dig further outside this patch.

> 
> r~

RE: The issues about architecture of the COLO checkpoint

[Zhanghailiang]

Hi Daniel,

I have fixed this problem, and send V2, please refer to that series.

Thanks,

From: Daniel Cho [mailto:daniel...@qnap.com]
Sent: Thursday, February 20, 2020 11:52 AM
To: Zhang, Chen 
Cc: Dr. David Alan Gilbert ; Zhanghailiang 
; qemu-devel@nongnu.org; Jason Wang 

Subject: Re: The issues about architecture of the COLO checkpoint

Hi Hailiang,

I have already patched the file to my branch, but there is a problem while 
doing migration.
Here is the error message from SVM
"qemu-system-x86_64: /root/download/qemu-4.1.0/memory.c:1079: 
memory_region_transaction_commit: Assertion `qemu_mutex_iothread_locked()' 
failed."

Do you have this problem?

Best regards,
Daniel Cho

Daniel Cho mailto:daniel...@qnap.com>> 於 2020年2月20日 週四 
上午11:49寫道：
Hi Zhang,

Thanks, I will configure on code for testing first.
However, if you have free time, could you please send the patch file to us, 
Thanks.

Best Regard,
Daniel Cho


Zhang, Chen mailto:chen.zh...@intel.com>> 於 2020年2月20日 週四 
上午11:07寫道：


On 2/18/2020 5:22 PM, Daniel Cho wrote:
Hi Hailiang,
Thanks for your help. If we have any problems we will contact you for your 
favor.


Hi Zhang,

" If colo-compare got a primary packet without related secondary packet in a 
certain time , it will automatically trigger checkpoint.  "
As you said, the colo-compare will trigger checkpoint, but does it need to 
limit checkpoint times?
There is a problem about doing many checkpoints while we use fio to random 
write files. Then it will cause low throughput on PVM.
Is this situation is normal on COLO?



Hi Daniel,

The checkpoint time is designed to be user adjustable based on user 
environment(workload/network status/business conditions...).

In net/colo-compare.c

/* TODO: Should be configurable */
#define REGULAR_PACKET_CHECK_MS 3000

If you need, I can send a patch for this issue. Make users can change the value 
by QMP and qemu monitor commands.

Thanks

Zhang Chen



Best regards,
Daniel Cho

Zhang, Chen mailto:chen.zh...@intel.com>> 於 2020年2月17日 週一 
下午1:36寫道：


On 2/15/2020 11:35 AM, Daniel Cho wrote:
Hi Dave,

Yes, I agree with you, it does need a timeout.



Hi Daniel and Dave,

Current colo-compare already have the timeout mechanism.

Named packet_check_timer,  It will scan primary packet queue to make sure all 
the primary packet not stay too long time.

If colo-compare got a primary packet without related secondary packet in a 
certain time , it will automatic trigger checkpoint.

https://github.com/qemu/qemu/blob/master/net/colo-compare.c#L847



Thanks

Zhang Chen



Hi Hailiang,

We base on qemu-4.1.0 for using COLO feature, in your patch, we found a lot of 
difference  between your version and ours.
Could you give us a latest release version which is close your developing code?

Thanks.

Regards
Daniel Cho

Dr. David Alan Gilbert mailto:dgilb...@redhat.com>> 於 
2020年2月13日 週四 下午6:38寫道：
* Daniel Cho (daniel...@qnap.com) wrote:
> Hi Hailiang,
>
> 1.
> OK, we will try the patch
> “0001-COLO-Optimize-memory-back-up-process.patch”,
> and thanks for your help.
>
> 2.
> We understand the reason to compare PVM and SVM's packet. However, the
> empty of SVM's packet queue might happened on setting COLO feature and SVM
> broken.
>
> On situation 1 ( setting COLO feature ):
> We could force do checkpoint after setting COLO feature finish, then it
> will protect the state of PVM and SVM . As the Zhang Chen said.
>
> On situation 2 ( SVM broken ):
> COLO will do failover for PVM, so it might not cause any wrong on PVM.
>
> However, those situations are our views, so there might be a big difference
> between reality and our views.
> If we have any wrong views and opinions, please let us know, and correct
> us.

It does need a timeout; the SVM being broken or being in a state where
it never sends the corresponding packet (because of a state difference)
can happen and COLO needs to timeout when the packet hasn't arrived
after a while and trigger the checkpoint.

Dave

> Thanks.
>
> Best regards,
> Daniel Cho
>
> Zhang, Chen mailto:chen.zh...@intel.com>> 於 2020年2月13日 
> 週四 上午10:17寫道：
>
> > Add cc Jason Wang, he is a network expert.
> >
> > In case some network things goes wrong.
> >
> >
> >
> > Thanks
> >
> > Zhang Chen
> >
> >
> >
> > *From:* Zhang, Chen
> > *Sent:* Thursday, February 13, 2020 10:10 AM
> > *To:* 'Zhanghailiang' 
> > mailto:zhang.zhanghaili...@huawei.com>>; 
> > Daniel Cho <
> > daniel...@qnap.com>
> > *Cc:* Dr. David Alan Gilbert 
> > mailto:dgilb...@redhat.com>>; 
> > qemu-devel@nongnu.org
> > *Subject:* RE: The issues about architecture of the COLO checkpoint
> >
> >
> >
> > For the issue 2:
> >
> >
> >
> > COLO need use the network packets to confirm PVM and SVM in the same state,
> >
> > Generally speaking, we can’t send PVM packets without compared with SVM
> > packets.
> >
> > But to prevent jamming, I think COLO can do force checkpoint and send the
> > 

[PATCH V2 7/8] COLO: Migrate dirty pages during the gap of checkpointing

[zhanghailiang]

We can migrate some dirty pages during the gap of checkpointing,
by this way, we can reduce the amount of ram migrated during checkpointing.

Signed-off-by: zhanghailiang 
---
 migration/colo.c   | 73 --
 migration/migration.h  |  1 +
 migration/trace-events |  1 +
 qapi/migration.json|  4 ++-
 4 files changed, 75 insertions(+), 4 deletions(-)

diff --git a/migration/colo.c b/migration/colo.c
index 44942c4e23..c36d94072f 100644
--- a/migration/colo.c
+++ b/migration/colo.c
@@ -47,6 +47,13 @@ static COLOMode last_colo_mode;
 
 #define COLO_BUFFER_BASE_SIZE (4 * 1024 * 1024)
 
+#define DEFAULT_RAM_PENDING_CHECK 1000
+
+/* should be calculated by bandwidth and max downtime ? */
+#define THRESHOLD_PENDING_SIZE (100 * 1024 * 1024UL)
+
+static int checkpoint_request;
+
 bool migration_in_colo_state(void)
 {
 MigrationState *s = migrate_get_current();
@@ -517,6 +524,20 @@ static void colo_compare_notify_checkpoint(Notifier 
*notifier, void *data)
 colo_checkpoint_notify(data);
 }
 
+static bool colo_need_migrate_ram_background(MigrationState *s)
+{
+uint64_t pending_size, pend_pre, pend_compat, pend_post;
+int64_t max_size = THRESHOLD_PENDING_SIZE;
+
+qemu_savevm_state_pending(s->to_dst_file, max_size, _pre,
+  _compat, _post);
+pending_size = pend_pre + pend_compat + pend_post;
+
+trace_colo_need_migrate_ram_background(pending_size);
+return (pending_size >= max_size);
+}
+
+
 static void colo_process_checkpoint(MigrationState *s)
 {
 QIOChannelBuffer *bioc;
@@ -572,6 +593,8 @@ static void colo_process_checkpoint(MigrationState *s)
 
 timer_mod(s->colo_delay_timer,
 current_time + s->parameters.x_checkpoint_delay);
+timer_mod(s->pending_ram_check_timer,
+current_time + DEFAULT_RAM_PENDING_CHECK);
 
 while (s->state == MIGRATION_STATUS_COLO) {
 if (failover_get_state() != FAILOVER_STATUS_NONE) {
@@ -584,9 +607,30 @@ static void colo_process_checkpoint(MigrationState *s)
 if (s->state != MIGRATION_STATUS_COLO) {
 goto out;
 }
-ret = colo_do_checkpoint_transaction(s, bioc, fb);
-if (ret < 0) {
-goto out;
+if (atomic_xchg(_request, 0)) {
+/* start a colo checkpoint */
+ret = colo_do_checkpoint_transaction(s, bioc, fb);
+if (ret < 0) {
+goto out;
+}
+} else {
+if (colo_need_migrate_ram_background(s)) {
+colo_send_message(s->to_dst_file,
+  COLO_MESSAGE_MIGRATE_RAM_BACKGROUND,
+  _err);
+if (local_err) {
+goto out;
+}
+
+qemu_savevm_state_iterate(s->to_dst_file, false);
+qemu_put_byte(s->to_dst_file, QEMU_VM_EOF);
+ret = qemu_file_get_error(s->to_dst_file);
+if (ret < 0) {
+error_setg_errno(_err, -ret,
+"Failed to send dirty pages backgroud");
+goto out;
+}
+}
 }
 }
 
@@ -627,6 +671,8 @@ out:
 colo_compare_unregister_notifier(_compare_notifier);
 timer_del(s->colo_delay_timer);
 timer_free(s->colo_delay_timer);
+timer_del(s->pending_ram_check_timer);
+timer_free(s->pending_ram_check_timer);
 qemu_sem_destroy(>colo_checkpoint_sem);
 
 /*
@@ -644,6 +690,7 @@ void colo_checkpoint_notify(void *opaque)
 MigrationState *s = opaque;
 int64_t next_notify_time;
 
+atomic_inc(_request);
 qemu_sem_post(>colo_checkpoint_sem);
 s->colo_checkpoint_time = qemu_clock_get_ms(QEMU_CLOCK_HOST);
 next_notify_time = s->colo_checkpoint_time +
@@ -651,6 +698,19 @@ void colo_checkpoint_notify(void *opaque)
 timer_mod(s->colo_delay_timer, next_notify_time);
 }
 
+static void colo_pending_ram_check_notify(void *opaque)
+{
+int64_t next_notify_time;
+MigrationState *s = opaque;
+
+if (migration_in_colo_state()) {
+next_notify_time = DEFAULT_RAM_PENDING_CHECK +
+   qemu_clock_get_ms(QEMU_CLOCK_HOST);
+timer_mod(s->pending_ram_check_timer, next_notify_time);
+qemu_sem_post(>colo_checkpoint_sem);
+}
+}
+
 void migrate_start_colo_process(MigrationState *s)
 {
 qemu_mutex_unlock_iothread();
@@ -658,6 +718,8 @@ void migrate_start_colo_process(MigrationState *s)
 s->colo_delay_timer =  timer_new_ms(QEMU_CLOCK_HOST,
 colo_checkpoint_notify, s);
 
+s->pending_ram_check_timer = timer_new_ms(QEMU_CLOCK_HOST,
+colo_pending_ram_check_notify, s);
 qemu_sem_init(>colo_exit_sem, 0);
 migrate_set_state(>state, MIGRATION_STATUS_ACTIVE,
   MIGRATION_STATUS_COLO);
@@ -806,6 +868,11 @@ static void 
colo_wait_handle_message(MigrationIncomingState *mis,
 

[PATCH V2 8/8] migration/colo: Only flush ram cache while do checkpoint

[zhanghailiang]

After add migrating ram backgroud, we will call ram_load
for this process, but we should not flush ram cache during
this process. Move the flush action to the right place.

Signed-off-by: zhanghailiang 
---
 migration/colo.c | 1 +
 migration/ram.c  | 5 +
 migration/ram.h  | 1 +
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/migration/colo.c b/migration/colo.c
index c36d94072f..18df8289f8 100644
--- a/migration/colo.c
+++ b/migration/colo.c
@@ -799,6 +799,7 @@ static void 
colo_incoming_process_checkpoint(MigrationIncomingState *mis,
 
 qemu_mutex_lock_iothread();
 vmstate_loading = true;
+colo_flush_ram_cache();
 ret = qemu_load_device_state(fb);
 if (ret < 0) {
 error_setg(errp, "COLO: load device state failed");
diff --git a/migration/ram.c b/migration/ram.c
index 1b3f423351..7bc841d14f 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -3305,7 +3305,7 @@ static bool postcopy_is_running(void)
  * Flush content of RAM cache into SVM's memory.
  * Only flush the pages that be dirtied by PVM or SVM or both.
  */
-static void colo_flush_ram_cache(void)
+void colo_flush_ram_cache(void)
 {
 RAMBlock *block = NULL;
 void *dst_host;
@@ -3576,9 +3576,6 @@ static int ram_load(QEMUFile *f, void *opaque, int 
version_id)
 }
 trace_ram_load_complete(ret, seq_iter);
 
-if (!ret  && migration_incoming_in_colo_state()) {
-colo_flush_ram_cache();
-}
 return ret;
 }
 
diff --git a/migration/ram.h b/migration/ram.h
index 5ceaff7cb4..ae14341482 100644
--- a/migration/ram.h
+++ b/migration/ram.h
@@ -67,5 +67,6 @@ int ram_dirty_bitmap_reload(MigrationState *s, RAMBlock *rb);
 int colo_init_ram_cache(void);
 void colo_release_ram_cache(void);
 void colo_incoming_start_dirty_log(void);
+void colo_flush_ram_cache(void);
 
 #endif
-- 
2.21.0

[PATCH V2 4/8] COLO: Optimize memory back-up process

[zhanghailiang]

This patch will reduce the downtime of VM for the initial process,
Privously, we copied all these memory in preparing stage of COLO
while we need to stop VM, which is a time-consuming process.
Here we optimize it by a trick, back-up every page while in migration
process while COLO is enabled, though it affects the speed of the
migration, but it obviously reduce the downtime of back-up all SVM'S
memory in COLO preparing stage.

Signed-off-by: zhanghailiang 
---
 migration/colo.c |  3 +++
 migration/ram.c  | 68 +++-
 migration/ram.h  |  1 +
 3 files changed, 54 insertions(+), 18 deletions(-)

diff --git a/migration/colo.c b/migration/colo.c
index 93c5a452fb..44942c4e23 100644
--- a/migration/colo.c
+++ b/migration/colo.c
@@ -26,6 +26,7 @@
 #include "qemu/main-loop.h"
 #include "qemu/rcu.h"
 #include "migration/failover.h"
+#include "migration/ram.h"
 #ifdef CONFIG_REPLICATION
 #include "replication.h"
 #endif
@@ -845,6 +846,8 @@ void *colo_process_incoming_thread(void *opaque)
  */
 qemu_file_set_blocking(mis->from_src_file, true);
 
+colo_incoming_start_dirty_log();
+
 bioc = qio_channel_buffer_new(COLO_BUFFER_BASE_SIZE);
 fb = qemu_fopen_channel_input(QIO_CHANNEL(bioc));
 object_unref(OBJECT(bioc));
diff --git a/migration/ram.c b/migration/ram.c
index ed23ed1c7c..ebf9e6ba51 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -2277,6 +2277,7 @@ static void ram_list_init_bitmaps(void)
  * dirty_memory[DIRTY_MEMORY_MIGRATION] don't include the whole
  * guest memory.
  */
+
 block->bmap = bitmap_new(pages);
 bitmap_set(block->bmap, 0, pages);
 block->clear_bmap_shift = shift;
@@ -2986,7 +2987,6 @@ int colo_init_ram_cache(void)
 }
 return -errno;
 }
-memcpy(block->colo_cache, block->host, block->used_length);
 }
 }
 
@@ -3000,19 +3000,36 @@ int colo_init_ram_cache(void)
 
 RAMBLOCK_FOREACH_NOT_IGNORED(block) {
 unsigned long pages = block->max_length >> TARGET_PAGE_BITS;
-
 block->bmap = bitmap_new(pages);
-bitmap_set(block->bmap, 0, pages);
 }
 }
-ram_state = g_new0(RAMState, 1);
-ram_state->migration_dirty_pages = 0;
-qemu_mutex_init(_state->bitmap_mutex);
-memory_global_dirty_log_start();
 
+ram_state_init(_state);
 return 0;
 }
 
+/* TODO: duplicated with ram_init_bitmaps */
+void colo_incoming_start_dirty_log(void)
+{
+RAMBlock *block = NULL;
+/* For memory_global_dirty_log_start below. */
+qemu_mutex_lock_iothread();
+qemu_mutex_lock_ramlist();
+
+memory_global_dirty_log_sync();
+WITH_RCU_READ_LOCK_GUARD() {
+RAMBLOCK_FOREACH_NOT_IGNORED(block) {
+ramblock_sync_dirty_bitmap(ram_state, block);
+/* Discard this dirty bitmap record */
+bitmap_zero(block->bmap, block->max_length >> TARGET_PAGE_BITS);
+}
+memory_global_dirty_log_start();
+}
+ram_state->migration_dirty_pages = 0;
+qemu_mutex_unlock_ramlist();
+qemu_mutex_unlock_iothread();
+}
+
 /* It is need to hold the global lock to call this helper */
 void colo_release_ram_cache(void)
 {
@@ -3032,9 +3049,7 @@ void colo_release_ram_cache(void)
 }
 }
 }
-qemu_mutex_destroy(_state->bitmap_mutex);
-g_free(ram_state);
-ram_state = NULL;
+ram_state_cleanup(_state);
 }
 
 /**
@@ -3302,7 +3317,6 @@ static void colo_flush_ram_cache(void)
 ramblock_sync_dirty_bitmap(ram_state, block);
 }
 }
-
 trace_colo_flush_ram_cache_begin(ram_state->migration_dirty_pages);
 WITH_RCU_READ_LOCK_GUARD() {
 block = QLIST_FIRST_RCU(_list.blocks);
@@ -3348,7 +3362,7 @@ static int ram_load_precopy(QEMUFile *f)
 
 while (!ret && !(flags & RAM_SAVE_FLAG_EOS)) {
 ram_addr_t addr, total_ram_bytes;
-void *host = NULL;
+void *host = NULL, *host_bak = NULL;
 uint8_t ch;
 
 /*
@@ -3379,20 +3393,35 @@ static int ram_load_precopy(QEMUFile *f)
  RAM_SAVE_FLAG_COMPRESS_PAGE | RAM_SAVE_FLAG_XBZRLE)) {
 RAMBlock *block = ram_block_from_stream(f, flags);
 
+host = host_from_ram_block_offset(block, addr);
 /*
- * After going into COLO, we should load the Page into colo_cache.
+ * After going into COLO stage, we should not load the page
+ * into SVM's memory diretly, we put them into colo_cache firstly.
+ * NOTE: We need to keep a copy of SVM's ram in colo_cache.
+ * Privously, we copied all these memory in preparing stage of COLO
+ * while we need to stop VM, which is a time-consuming process.
+ * Here we optimize it by a trick, back-up every page while in
+ * migration process while COLO is enabled, though it affects the
+ * speed of 

[PATCH V2 3/8] savevm: Don't call colo_init_ram_cache twice

[zhanghailiang]

This helper has been called twice which is wrong.
Left the one where called while get COLO enable message
from source side.

Signed-off-by: zhanghailiang 
---
 migration/migration.c | 5 -
 1 file changed, 5 deletions(-)

diff --git a/migration/migration.c b/migration/migration.c
index 06d1ff9d56..e8c62c6e2e 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -484,11 +484,6 @@ static void process_incoming_migration_co(void *opaque)
 goto fail;
 }
 
-if (colo_init_ram_cache() < 0) {
-error_report("Init ram cache failed");
-goto fail;
-}
-
 qemu_thread_create(>colo_incoming_thread, "COLO incoming",
  colo_process_incoming_thread, mis, QEMU_THREAD_JOINABLE);
 mis->have_colo_incoming_thread = true;
-- 
2.21.0

[PATCH V2 2/8] migration/colo: wrap incoming checkpoint process into new helper

[zhanghailiang]

Split checkpoint incoming process into a helper.

Signed-off-by: zhanghailiang 
Reviewed-by: Dr. David Alan Gilbert 
---
 migration/colo.c | 260 ---
 1 file changed, 133 insertions(+), 127 deletions(-)

diff --git a/migration/colo.c b/migration/colo.c
index 2c88aa57a2..93c5a452fb 100644
--- a/migration/colo.c
+++ b/migration/colo.c
@@ -664,13 +664,138 @@ void migrate_start_colo_process(MigrationState *s)
 qemu_mutex_lock_iothread();
 }
 
-static void colo_wait_handle_message(QEMUFile *f, int *checkpoint_request,
- Error **errp)
+static void colo_incoming_process_checkpoint(MigrationIncomingState *mis,
+  QEMUFile *fb, QIOChannelBuffer *bioc, Error **errp)
+{
+uint64_t total_size;
+uint64_t value;
+Error *local_err = NULL;
+int ret;
+
+qemu_mutex_lock_iothread();
+vm_stop_force_state(RUN_STATE_COLO);
+trace_colo_vm_state_change("run", "stop");
+qemu_mutex_unlock_iothread();
+
+/* FIXME: This is unnecessary for periodic checkpoint mode */
+colo_send_message(mis->to_src_file, COLO_MESSAGE_CHECKPOINT_REPLY,
+ _err);
+if (local_err) {
+error_propagate(errp, local_err);
+return;
+}
+
+colo_receive_check_message(mis->from_src_file,
+   COLO_MESSAGE_VMSTATE_SEND, _err);
+if (local_err) {
+error_propagate(errp, local_err);
+return;
+}
+
+qemu_mutex_lock_iothread();
+cpu_synchronize_all_pre_loadvm();
+ret = qemu_loadvm_state_main(mis->from_src_file, mis);
+qemu_mutex_unlock_iothread();
+
+if (ret < 0) {
+error_setg(errp, "Load VM's live state (ram) error");
+return;
+}
+
+value = colo_receive_message_value(mis->from_src_file,
+ COLO_MESSAGE_VMSTATE_SIZE, _err);
+if (local_err) {
+error_propagate(errp, local_err);
+return;
+}
+
+/*
+ * Read VM device state data into channel buffer,
+ * It's better to re-use the memory allocated.
+ * Here we need to handle the channel buffer directly.
+ */
+if (value > bioc->capacity) {
+bioc->capacity = value;
+bioc->data = g_realloc(bioc->data, bioc->capacity);
+}
+total_size = qemu_get_buffer(mis->from_src_file, bioc->data, value);
+if (total_size != value) {
+error_setg(errp, "Got %" PRIu64 " VMState data, less than expected"
+" %" PRIu64, total_size, value);
+return;
+}
+bioc->usage = total_size;
+qio_channel_io_seek(QIO_CHANNEL(bioc), 0, 0, NULL);
+
+colo_send_message(mis->to_src_file, COLO_MESSAGE_VMSTATE_RECEIVED,
+ _err);
+if (local_err) {
+error_propagate(errp, local_err);
+return;
+}
+
+qemu_mutex_lock_iothread();
+vmstate_loading = true;
+ret = qemu_load_device_state(fb);
+if (ret < 0) {
+error_setg(errp, "COLO: load device state failed");
+qemu_mutex_unlock_iothread();
+return;
+}
+
+#ifdef CONFIG_REPLICATION
+replication_get_error_all(_err);
+if (local_err) {
+error_propagate(errp, local_err);
+qemu_mutex_unlock_iothread();
+return;
+}
+
+/* discard colo disk buffer */
+replication_do_checkpoint_all(_err);
+if (local_err) {
+error_propagate(errp, local_err);
+qemu_mutex_unlock_iothread();
+return;
+}
+#else
+abort();
+#endif
+/* Notify all filters of all NIC to do checkpoint */
+colo_notify_filters_event(COLO_EVENT_CHECKPOINT, _err);
+
+if (local_err) {
+error_propagate(errp, local_err);
+qemu_mutex_unlock_iothread();
+return;
+}
+
+vmstate_loading = false;
+vm_start();
+trace_colo_vm_state_change("stop", "run");
+qemu_mutex_unlock_iothread();
+
+if (failover_get_state() == FAILOVER_STATUS_RELAUNCH) {
+failover_set_state(FAILOVER_STATUS_RELAUNCH,
+FAILOVER_STATUS_NONE);
+failover_request_active(NULL);
+return;
+}
+
+colo_send_message(mis->to_src_file, COLO_MESSAGE_VMSTATE_LOADED,
+ _err);
+if (local_err) {
+error_propagate(errp, local_err);
+}
+}
+
+static void colo_wait_handle_message(MigrationIncomingState *mis,
+QEMUFile *fb, QIOChannelBuffer *bioc, Error **errp)
 {
 COLOMessage msg;
 Error *local_err = NULL;
 
-msg = colo_receive_message(f, _err);
+msg = colo_receive_message(mis->from_src_file, _err);
 if (local_err) {
 error_propagate(errp, local_err);
 return;
@@ -678,10 +803,9 @@ static void colo_wait_handle_message(QEMUFile *f, int 
*checkpoint_request,
 
 switch (msg) {
 case COLO_MESSAGE_CHECKPOINT_REQUEST:
-*checkpoint_request = 1;
+colo_incoming_process_checkpoint(mis, fb, bioc, errp);
 break;
 default:
-*checkpoint_request = 0;
  

[PATCH V2 0/8] Optimize VM's downtime while do checkpoint in COLO

[zhanghailiang]

This series try to  tries to reduce VM's pause time while do checkpoint in COLO 
state.

Here, we use two methods to reduce the downtime during COLO stage:
The first one is to reduce the time of backup PVM's memory into cache,
Instread of doing this once time backup all PVM's memory when VM is stopped, we 
backup
them during the live migration time.

Secondly, we reduced the total number of dirty pages while do checkpoint with 
VM been paused,
instead of sending all dirty pages while VM been pause, it sends part of dirty 
pages
during the gap time of two checkpoints when SVM and PVM are running.

V1 -> V2:
- Fix tested problem found by Daniel Cho
- Fix a degradation after rebase to master (first patch)

Please review, thanks.

Hailiang Zhang (8):
  migration: fix COLO broken caused by a previous commit
  migration/colo: wrap incoming checkpoint process into new helper
  savevm: Don't call colo_init_ram_cache twice
  COLO: Optimize memory back-up process
  ram/colo: only record bitmap of dirty pages in COLO stage
  migration: recognize COLO as part of activating process
  COLO: Migrate dirty pages during the gap of checkpointing
  migration/colo: Only flush ram cache while do checkpoint

 migration/colo.c   | 337 +
 migration/migration.c  |   7 +-
 migration/migration.h  |   1 +
 migration/ram.c|  78 +++---
 migration/ram.h|   2 +
 migration/trace-events |   1 +
 qapi/migration.json|   4 +-
 7 files changed, 269 insertions(+), 161 deletions(-)

--
2.21.0

[PATCH V2 1/8] migration: fix COLO broken caused by a previous commit

[zhanghailiang]

This commit "migration: Create migration_is_running()" broke
COLO. Becuase there is a process broken by this commit.

colo_process_checkpoint
 ->colo_do_checkpoint_transaction
   ->migrate_set_block_enabled
 ->qmp_migrate_set_capabilities

It can be fixed by make COLO process as an exception,
Maybe we need a better way to fix it.

Cc: Juan Quintela 
Signed-off-by: zhanghailiang 
---
 migration/migration.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/migration/migration.c b/migration/migration.c
index 8fb68795dc..06d1ff9d56 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -865,7 +865,6 @@ bool migration_is_running(int state)
 case MIGRATION_STATUS_DEVICE:
 case MIGRATION_STATUS_WAIT_UNPLUG:
 case MIGRATION_STATUS_CANCELLING:
-case MIGRATION_STATUS_COLO:
 return true;
 
 default:
-- 
2.21.0

[PATCH V2 6/8] migration: recognize COLO as part of activating process

[zhanghailiang]

We will migrate parts of dirty pages backgroud lively during the gap time
of two checkpoints, without this modification, it will not work
because ram_save_iterate() will check it before send RAM_SAVE_FLAG_EOS
at the end of it.

Signed-off-by: zhanghailiang 
---
 migration/migration.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/migration/migration.c b/migration/migration.c
index e8c62c6e2e..f71c337600 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -840,6 +840,7 @@ bool migration_is_setup_or_active(int state)
 case MIGRATION_STATUS_PRE_SWITCHOVER:
 case MIGRATION_STATUS_DEVICE:
 case MIGRATION_STATUS_WAIT_UNPLUG:
+case MIGRATION_STATUS_COLO:
 return true;
 
 default:
-- 
2.21.0

[PATCH V2 5/8] ram/colo: only record bitmap of dirty pages in COLO stage

[zhanghailiang]

It is only need to record bitmap of dirty pages while goes
into COLO stage.

Signed-off-by: zhanghailiang 
---
 migration/ram.c | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/migration/ram.c b/migration/ram.c
index ebf9e6ba51..1b3f423351 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -2735,7 +2735,7 @@ static inline void *host_from_ram_block_offset(RAMBlock 
*block,
 }
 
 static inline void *colo_cache_from_block_offset(RAMBlock *block,
- ram_addr_t offset)
+ ram_addr_t offset, bool record_bitmap)
 {
 if (!offset_in_ramblock(block, offset)) {
 return NULL;
@@ -2751,7 +2751,8 @@ static inline void *colo_cache_from_block_offset(RAMBlock 
*block,
 * It help us to decide which pages in ram cache should be flushed
 * into VM's RAM later.
 */
-if (!test_and_set_bit(offset >> TARGET_PAGE_BITS, block->bmap)) {
+if (record_bitmap &&
+!test_and_set_bit(offset >> TARGET_PAGE_BITS, block->bmap)) {
 ram_state->migration_dirty_pages++;
 }
 return block->colo_cache + offset;
@@ -3408,13 +3409,13 @@ static int ram_load_precopy(QEMUFile *f)
 if (migration_incoming_colo_enabled()) {
 if (migration_incoming_in_colo_state()) {
 /* In COLO stage, put all pages into cache temporarily */
-host = colo_cache_from_block_offset(block, addr);
+host = colo_cache_from_block_offset(block, addr, true);
 } else {
/*
 * In migration stage but before COLO stage,
 * Put all pages into both cache and SVM's memory.
 */
-host_bak = colo_cache_from_block_offset(block, addr);
+host_bak = colo_cache_from_block_offset(block, addr, 
false);
 }
 }
 if (!host) {
-- 
2.21.0

[PATCH RESEND 3/3] util/pty: fix a null pointer reference in qemu_openpty_raw

[Longpeng(Mike)]

From: Longpeng 

q_ptsname may failed ane return null, so use the returned pointer
as the param of strcpy will cause null pointer deference. Use the
return string of openpty instead of call ptsname.

Signed-off-by: Longpeng 
---
 util/qemu-openpty.c | 10 ++
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/util/qemu-openpty.c b/util/qemu-openpty.c
index 2e8b43b..2bea4ba 100644
--- a/util/qemu-openpty.c
+++ b/util/qemu-openpty.c
@@ -112,13 +112,7 @@ int qemu_openpty_raw(int *aslave, char *pty_name)
 {
 int amaster;
 struct termios tty;
-#if defined(__OpenBSD__) || defined(__DragonFly__)
-char pty_buf[PATH_MAX];
-#define q_ptsname(x) pty_buf
-#else
-char *pty_buf = NULL;
-#define q_ptsname(x) ptsname(x)
-#endif
+char pty_buf[PATH_MAX] = { 0 };
 
 if (openpty(, aslave, pty_buf, NULL, NULL) < 0) {
 return -1;
@@ -130,7 +124,7 @@ int qemu_openpty_raw(int *aslave, char *pty_name)
 tcsetattr(*aslave, TCSAFLUSH, );
 
 if (pty_name) {
-strcpy(pty_name, q_ptsname(amaster));
+strcpy(pty_name, pty_buf);
 }
 
 return amaster;
-- 
1.8.3.1

[PATCH RESEND 2/3] vhost: fix a null pointer reference of vhost_log

[Longpeng(Mike)]

From: Longpeng 

vhost_log_alloc() may fails and returned pointer of log is null.
However there're two places derefernce the return pointer without
check.

Signed-off-by: Longpeng 
---
 hw/virtio/vhost.c | 19 +--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
index 9edfadc..c7ad6e5 100644
--- a/hw/virtio/vhost.c
+++ b/hw/virtio/vhost.c
@@ -219,6 +219,10 @@ static struct vhost_log *vhost_log_get(uint64_t size, bool 
share)
 
 if (!log || log->size != size) {
 log = vhost_log_alloc(size, share);
+if (!log) {
+return NULL;
+}
+
 if (share) {
 vhost_log_shm = log;
 } else {
@@ -270,10 +274,17 @@ static bool vhost_dev_log_is_shared(struct vhost_dev *dev)
 
 static inline void vhost_dev_log_resize(struct vhost_dev *dev, uint64_t size)
 {
-struct vhost_log *log = vhost_log_get(size, vhost_dev_log_is_shared(dev));
-uint64_t log_base = (uintptr_t)log->log;
+struct vhost_log *log;
+uint64_t log_base;
 int r;
 
+log = vhost_log_get(size, vhost_dev_log_is_shared(dev));
+if (!log) {
+return;
+}
+
+log_base = (uintptr_t)log->log;
+
 /* inform backend of log switching, this must be done before
releasing the current log, to ensure no logging is lost */
 r = dev->vhost_ops->vhost_set_log_base(dev, log_base, log);
@@ -1640,6 +1651,10 @@ int vhost_dev_start(struct vhost_dev *hdev, VirtIODevice 
*vdev)
 hdev->log_size = vhost_get_log_size(hdev);
 hdev->log = vhost_log_get(hdev->log_size,
   vhost_dev_log_is_shared(hdev));
+if (!hdev->log) {
+goto fail_vq;
+}
+
 log_base = (uintptr_t)hdev->log->log;
 r = hdev->vhost_ops->vhost_set_log_base(hdev,
 hdev->log_size ? log_base : 0,
-- 
1.8.3.1

[PATCH RESEND 1/3] vfio/pci: fix a null pointer reference in vfio_rom_read

[Longpeng(Mike)]

From: Longpeng 

vfio_pci_load_rom() maybe failed and then the vdev->rom is NULL in
some situation (though I've not encountered yet), maybe we should
avoid the VM abort.

Signed-off-by: Longpeng 
---
 hw/vfio/pci.c | 13 -
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index 5e75a95..ed798ae 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -768,7 +768,7 @@ static void vfio_update_msi(VFIOPCIDevice *vdev)
 }
 }
 
-static void vfio_pci_load_rom(VFIOPCIDevice *vdev)
+static bool vfio_pci_load_rom(VFIOPCIDevice *vdev)
 {
 struct vfio_region_info *reg_info;
 uint64_t size;
@@ -778,7 +778,7 @@ static void vfio_pci_load_rom(VFIOPCIDevice *vdev)
 if (vfio_get_region_info(>vbasedev,
  VFIO_PCI_ROM_REGION_INDEX, _info)) {
 error_report("vfio: Error getting ROM info: %m");
-return;
+return false;
 }
 
 trace_vfio_pci_load_rom(vdev->vbasedev.name, (unsigned long)reg_info->size,
@@ -797,7 +797,7 @@ static void vfio_pci_load_rom(VFIOPCIDevice *vdev)
 error_printf("Device option ROM contents are probably invalid "
 "(check dmesg).\nSkip option ROM probe with rombar=0, "
 "or load from file with romfile=\n");
-return;
+return false;
 }
 
 vdev->rom = g_malloc(size);
@@ -849,6 +849,8 @@ static void vfio_pci_load_rom(VFIOPCIDevice *vdev)
 data[6] = -csum;
 }
 }
+
+return true;
 }
 
 static uint64_t vfio_rom_read(void *opaque, hwaddr addr, unsigned size)
@@ -863,8 +865,9 @@ static uint64_t vfio_rom_read(void *opaque, hwaddr addr, 
unsigned size)
 uint64_t data = 0;
 
 /* Load the ROM lazily when the guest tries to read it */
-if (unlikely(!vdev->rom && !vdev->rom_read_failed)) {
-vfio_pci_load_rom(vdev);
+if (unlikely(!vdev->rom && !vdev->rom_read_failed) &&
+!vfio_pci_load_rom(vdev)) {
+return 0;
 }
 
 memcpy(, vdev->rom + addr,
-- 
1.8.3.1

[PATCH RESEND 0/3] fix some warnings by static code scan tool

[Longpeng(Mike)]

From: Longpeng 

Hi guys,
Our tool find some potential issues in QEMU source code, maybe
they're misreported, hope you could have a look at them.

Longpeng (Mike) (3):
  vfio/pci: fix a null pointer reference in vfio_rom_read
  vhost: fix a null pointer reference of vhost_log
  util/pty: fix a null pointer reference in qemu_openpty_raw

 hw/vfio/pci.c   | 13 -
 hw/virtio/vhost.c   | 19 +--
 util/qemu-openpty.c | 10 ++
 3 files changed, 27 insertions(+), 15 deletions(-)

-- 
1.8.3.1

[PATCH] target/i386/hax-posix: fix two 'format-truncation' compile warnings

[pannengyuan]

From: Pan Nengyuan 

Fix compile warnings:
/mnt/sdb/qemu-new/qemu_test/qemu/target/i386/hax-posix.c:124:56: error: ‘%02d’ 
directive output may be truncated writing between 2 and 11 bytes into a region 
of size 3 [-Werror=format-truncation=]
 snprintf(name, sizeof HAX_VM_DEVFS, "/dev/hax_vm/vm%02d", vm_id);
^~~~
/mnt/sdb/qemu-new/qemu_test/qemu/target/i386/hax-posix.c:124:41: note: 
directive argument in the range [-2147483648, 64]
 snprintf(name, sizeof HAX_VM_DEVFS, "/dev/hax_vm/vm%02d", vm_id);
 ^~~~
In file included from /usr/include/stdio.h:873,
 from /mnt/sdb/qemu-new/qemu_test/qemu/include/qemu/osdep.h:99,
 from 
/mnt/sdb/qemu-new/qemu_test/qemu/target/i386/hax-posix.c:14:
/usr/include/bits/stdio2.h:67:10: note: ‘__builtin___snprintf_chk’ output 
between 17 and 26 bytes into a destination of size 17
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
  ^~~~
__bos (__s), __fmt, __va_arg_pack ());
~
/mnt/sdb/qemu-new/qemu_test/qemu/target/i386/hax-posix.c: In function 
‘hax_vcpu_devfs_string’:
/mnt/sdb/qemu-new/qemu_test/qemu/target/i386/hax-posix.c:143:55: error: ‘%02d’ 
directive output may be truncated writing between 2 and 11 bytes into a region 
of size 10 [-Werror=format-truncation=]
 snprintf(name, sizeof HAX_VCPU_DEVFS, "/dev/hax_vm%02d/vcpu%02d",
   ^~~~
/mnt/sdb/qemu-new/qemu_test/qemu/target/i386/hax-posix.c:143:43: note: 
directive argument in the range [-2147483648, 64]
 snprintf(name, sizeof HAX_VCPU_DEVFS, "/dev/hax_vm%02d/vcpu%02d",
   ^~
/mnt/sdb/qemu-new/qemu_test/qemu/target/i386/hax-posix.c:143:43: note: 
directive argument in the range [-2147483648, 64]
In file included from /usr/include/stdio.h:873,
 from /mnt/sdb/qemu-new/qemu_test/qemu/include/qemu/osdep.h:99,
 from 
/mnt/sdb/qemu-new/qemu_test/qemu/target/i386/hax-posix.c:14:
/usr/include/bits/stdio2.h:67:10: note: ‘__builtin___snprintf_chk’ output 
between 21 and 39 bytes into a destination of size 21
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
  ^~~~
__bos (__s), __fmt, __va_arg_pack ());

We know that we have checked the vm_id and vcpu_id in the first(less than 
0x40), it will never be truncated in snprintf().
Thus, this patch add an assertion to clear this false-positive warning.

Reported-by: Euler Robot 
Signed-off-by: Pan Nengyuan 
---
 target/i386/hax-posix.c | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/target/i386/hax-posix.c b/target/i386/hax-posix.c
index a5426a6dac..197d5bc0f9 100644
--- a/target/i386/hax-posix.c
+++ b/target/i386/hax-posix.c
@@ -121,7 +121,8 @@ static char *hax_vm_devfs_string(int vm_id)
 return NULL;
 }
 
-snprintf(name, sizeof HAX_VM_DEVFS, "/dev/hax_vm/vm%02d", vm_id);
+int len = snprintf(name, sizeof HAX_VM_DEVFS, "/dev/hax_vm/vm%02d", vm_id);
+assert(len < sizeof HAX_VM_DEVFS);
 return name;
 }
 
@@ -140,8 +141,9 @@ static char *hax_vcpu_devfs_string(int vm_id, int vcpu_id)
 return NULL;
 }
 
-snprintf(name, sizeof HAX_VCPU_DEVFS, "/dev/hax_vm%02d/vcpu%02d",
- vm_id, vcpu_id);
+int len = snprintf(name, sizeof HAX_VCPU_DEVFS, "/dev/hax_vm%02d/vcpu%02d",
+   vm_id, vcpu_id);
+assert(len < sizeof HAX_VCPU_DEVFS);
 return name;
 }
 
-- 
2.18.2

Re: [PATCH v2] net: tulip: check frame size and r/w data length

[Jason Wang]

On 2020/2/17 下午7:38, P J P wrote:

From: Prasad J Pandit 

Tulip network driver while copying tx/rx buffers does not check
frame size against r/w data length. This may lead to OOB buffer
access. Add check to avoid it.

Reported-by: Li Qiang 
Reported-by: Ziming Zhang 
Signed-off-by: Prasad J Pandit 
---
  hw/net/tulip.c | 19 +--
  1 file changed, 17 insertions(+), 2 deletions(-)

Update v2: retain earlier len[12] & s->rx_frame_len checks
   -> https://lists.gnu.org/archive/html/qemu-devel/2020-02/msg04160.html

diff --git a/hw/net/tulip.c b/hw/net/tulip.c
index cfac2719d3..ea4fd371e3 100644
--- a/hw/net/tulip.c
+++ b/hw/net/tulip.c
@@ -170,6 +170,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct 
tulip_descriptor *desc)
  } else {
  len = s->rx_frame_len;
  }
+
+if (s->rx_frame_len + len >= sizeof(s->rx_frame)) {
+return;
+}



What's the goal of this checking?



  pci_dma_write(>dev, desc->buf_addr1, s->rx_frame +
  (s->rx_frame_size - s->rx_frame_len), len);
  s->rx_frame_len -= len;
@@ -181,6 +185,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct 
tulip_descriptor *desc)
  } else {
  len = s->rx_frame_len;
  }
+
+if (s->rx_frame_len + len >= sizeof(s->rx_frame)) {
+return;
+}
  pci_dma_write(>dev, desc->buf_addr2, s->rx_frame +
  (s->rx_frame_size - s->rx_frame_len), len);
  s->rx_frame_len -= len;
@@ -227,7 +235,8 @@ static ssize_t tulip_receive(TULIPState *s, const uint8_t 
*buf, size_t size)
  
  trace_tulip_receive(buf, size);
  
-if (size < 14 || size > 2048 || s->rx_frame_len || tulip_rx_stopped(s)) {

+if (size < 14 || size > sizeof(s->rx_frame) - 4
+|| s->rx_frame_len || tulip_rx_stopped(s)) {
  return 0;



It's better to move those checks in .can_receive().



  }
  
@@ -558,7 +567,7 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc)

  if ((s->csr[6] >> CSR6_OM_SHIFT) & CSR6_OM_MASK) {
  /* Internal or external Loopback */
  tulip_receive(s, s->tx_frame, s->tx_frame_len);
-} else {
+} else if (s->tx_frame_len < sizeof(s->tx_frame)) {



Should we use <= here?



  qemu_send_packet(qemu_get_queue(s->nic),
  s->tx_frame, s->tx_frame_len);
  }
@@ -575,12 +584,18 @@ static void tulip_copy_tx_buffers(TULIPState *s, struct 
tulip_descriptor *desc)
  int len1 = (desc->control >> TDES1_BUF1_SIZE_SHIFT) & 
TDES1_BUF1_SIZE_MASK;
  int len2 = (desc->control >> TDES1_BUF2_SIZE_SHIFT) & 
TDES1_BUF2_SIZE_MASK;
  
+if (s->tx_frame_len + len1 >= sizeof(s->tx_frame)) {

+return;
+}



I think it's better to add a return value here to make sure caller 
tulip_xmit_list_update() can exit the loop early




  if (len1) {
  pci_dma_read(>dev, desc->buf_addr1,
  s->tx_frame + s->tx_frame_len, len1);
  s->tx_frame_len += len1;
  }
  
+if (s->tx_frame_len + len2 >= sizeof(s->tx_frame)) {

+return;
+}
  if (len2) {
  pci_dma_read(>dev, desc->buf_addr2,
  s->tx_frame + s->tx_frame_len, len2);



One more thing.

It looks to me there could be a user trigger-able infinite loop in 
tun_list_update() through always set TDES0_OWN in its descriptors?


Thanks

[PATCH] hw/arm: Use TYPE_PL011 to create serial port

[Gavin Shan]

This uses TYPE_PL011 when creating the serial port, to make the code
a bit more atomatic.

Signed-off-by: Gavin Shan 
---
 hw/arm/sbsa-ref.c| 3 ++-
 hw/arm/virt.c| 3 ++-
 hw/arm/xlnx-versal.c | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
index 9b5bcb5634..df0a165047 100644
--- a/hw/arm/sbsa-ref.c
+++ b/hw/arm/sbsa-ref.c
@@ -39,6 +39,7 @@
 #include "hw/pci-host/gpex.h"
 #include "hw/qdev-properties.h"
 #include "hw/usb.h"
+#include "hw/char/pl011.h"
 #include "net/net.h"
 
 #define RAMLIMIT_GB 8192
@@ -409,7 +410,7 @@ static void create_uart(const SBSAMachineState *sms, int 
uart,
 {
 hwaddr base = sbsa_ref_memmap[uart].base;
 int irq = sbsa_ref_irqmap[uart];
-DeviceState *dev = qdev_create(NULL, "pl011");
+DeviceState *dev = qdev_create(NULL, TYPE_PL011);
 SysBusDevice *s = SYS_BUS_DEVICE(dev);
 
 qdev_prop_set_chr(dev, "chardev", chr);
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index f788fe27d6..d0da513737 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -71,6 +71,7 @@
 #include "hw/mem/pc-dimm.h"
 #include "hw/mem/nvdimm.h"
 #include "hw/acpi/generic_event_device.h"
+#include "hw/char/pl011.h"
 
 #define DEFINE_VIRT_MACHINE_LATEST(major, minor, latest) \
 static void virt_##major##_##minor##_class_init(ObjectClass *oc, \
@@ -724,7 +725,7 @@ static void create_uart(const VirtMachineState *vms, int 
uart,
 int irq = vms->irqmap[uart];
 const char compat[] = "arm,pl011\0arm,primecell";
 const char clocknames[] = "uartclk\0apb_pclk";
-DeviceState *dev = qdev_create(NULL, "pl011");
+DeviceState *dev = qdev_create(NULL, TYPE_PL011);
 SysBusDevice *s = SYS_BUS_DEVICE(dev);
 
 qdev_prop_set_chr(dev, "chardev", chr);
diff --git a/hw/arm/xlnx-versal.c b/hw/arm/xlnx-versal.c
index 1cf3daaf4f..403fc7b881 100644
--- a/hw/arm/xlnx-versal.c
+++ b/hw/arm/xlnx-versal.c
@@ -22,6 +22,7 @@
 #include "hw/misc/unimp.h"
 #include "hw/intc/arm_gicv3_common.h"
 #include "hw/arm/xlnx-versal.h"
+#include "hw/char/pl011.h"
 
 #define XLNX_VERSAL_ACPU_TYPE ARM_CPU_TYPE_NAME("cortex-a72")
 #define GEM_REVISION0x40070106
@@ -144,7 +145,7 @@ static void versal_create_uarts(Versal *s, qemu_irq *pic)
 DeviceState *dev;
 MemoryRegion *mr;
 
-dev = qdev_create(NULL, "pl011");
+dev = qdev_create(NULL, TYPE_PL011);
 s->lpd.iou.uart[i] = SYS_BUS_DEVICE(dev);
 qdev_prop_set_chr(dev, "chardev", serial_hd(i));
 object_property_add_child(OBJECT(s), name, OBJECT(dev), _fatal);
-- 
2.23.0

RE: [PATCH 3/3] COLO: Optimize memory back-up process

[Zhanghailiang]

Hi Dave,

> -Original Message-
> From: Dr. David Alan Gilbert [mailto:dgilb...@redhat.com]
> Sent: Friday, February 21, 2020 2:25 AM
> To: Zhanghailiang 
> Cc: qemu-devel@nongnu.org; quint...@redhat.com; chen.zh...@intel.com;
> daniel...@qnap.com
> Subject: Re: [PATCH 3/3] COLO: Optimize memory back-up process
> 
> * Hailiang Zhang (zhang.zhanghaili...@huawei.com) wrote:
> > This patch will reduce the downtime of VM for the initial process,
> > Privously, we copied all these memory in preparing stage of COLO
> > while we need to stop VM, which is a time-consuming process.
> > Here we optimize it by a trick, back-up every page while in migration
> > process while COLO is enabled, though it affects the speed of the
> > migration, but it obviously reduce the downtime of back-up all SVM'S
> > memory in COLO preparing stage.
> >
> > Signed-off-by: Hailiang Zhang 
> 
> OK, I think this is right, but it took me quite a while to understand,
> I think one of the comments below might not be right:
> 

> > ---
> >  migration/colo.c |  3 +++
> >  migration/ram.c  | 35 +++
> >  migration/ram.h  |  1 +
> >  3 files changed, 31 insertions(+), 8 deletions(-)
> >
> > diff --git a/migration/colo.c b/migration/colo.c
> > index d30c6bc4ad..febf010571 100644
> > --- a/migration/colo.c
> > +++ b/migration/colo.c
> > @@ -26,6 +26,7 @@
> >  #include "qemu/main-loop.h"
> >  #include "qemu/rcu.h"
> >  #include "migration/failover.h"
> > +#include "migration/ram.h"
> >  #ifdef CONFIG_REPLICATION
> >  #include "replication.h"
> >  #endif
> > @@ -906,6 +907,8 @@ void *colo_process_incoming_thread(void
> *opaque)
> >   */
> >  qemu_file_set_blocking(mis->from_src_file, true);
> >
> > +colo_incoming_start_dirty_log();
> > +
> >  bioc = qio_channel_buffer_new(COLO_BUFFER_BASE_SIZE);
> >  fb = qemu_fopen_channel_input(QIO_CHANNEL(bioc));
> >  object_unref(OBJECT(bioc));
> > diff --git a/migration/ram.c b/migration/ram.c
> > index ed23ed1c7c..24a8aa3527 100644
> > --- a/migration/ram.c
> > +++ b/migration/ram.c
> > @@ -2986,7 +2986,6 @@ int colo_init_ram_cache(void)
> >  }
> >  return -errno;
> >  }
> > -memcpy(block->colo_cache, block->host,
> block->used_length);
> >  }
> >  }
> >
> > @@ -3005,12 +3004,16 @@ int colo_init_ram_cache(void)
> >  bitmap_set(block->bmap, 0, pages);
> >  }
> >  }
> > +
> > +return 0;
> > +}
> > +
> > +void colo_incoming_start_dirty_log(void)
> > +{
> >  ram_state = g_new0(RAMState, 1);
> >  ram_state->migration_dirty_pages = 0;
> >  qemu_mutex_init(_state->bitmap_mutex);
> >  memory_global_dirty_log_start();
> > -
> > -return 0;
> >  }
> >
> >  /* It is need to hold the global lock to call this helper */
> > @@ -3348,7 +3351,7 @@ static int ram_load_precopy(QEMUFile *f)
> >
> >  while (!ret && !(flags & RAM_SAVE_FLAG_EOS)) {
> >  ram_addr_t addr, total_ram_bytes;
> > -void *host = NULL;
> > +void *host = NULL, *host_bak = NULL;
> >  uint8_t ch;
> >
> >  /*
> > @@ -3378,13 +3381,26 @@ static int ram_load_precopy(QEMUFile *f)
> >  if (flags & (RAM_SAVE_FLAG_ZERO | RAM_SAVE_FLAG_PAGE |
> >   RAM_SAVE_FLAG_COMPRESS_PAGE |
> RAM_SAVE_FLAG_XBZRLE)) {
> >  RAMBlock *block = ram_block_from_stream(f, flags);
> > -
> >  /*
> > - * After going into COLO, we should load the Page into
> colo_cache.
> > + * After going into COLO, we should load the Page into
> colo_cache
> > + * NOTE: We need to keep a copy of SVM's ram in
> colo_cache.
> > + * Privously, we copied all these memory in preparing stage
> of COLO
> > + * while we need to stop VM, which is a time-consuming
> process.
> > + * Here we optimize it by a trick, back-up every page while
> in
> > + * migration process while COLO is enabled, though it
> affects the
> > + * speed of the migration, but it obviously reduce the
> downtime of
> > + * back-up all SVM'S memory in COLO preparing stage.
> >   */
> > -if (migration_incoming_in_colo_state()) {
> > +if (migration_incoming_colo_enabled()) {
> >  host = colo_cache_from_block_offset(block, addr);
> > -} else {
> > +/*
> > + * After going into COLO, load the Page into
> colo_cache.
> > + */
> > +if (!migration_incoming_in_colo_state()) {
> > +host_bak = host;
> > +}
> > +}
> > +if (!migration_incoming_in_colo_state()) {
> >  host = host_from_ram_block_offset(block, addr);
> 
> So this works out as quite complicated:
>a) In normal migration we do the last one and just set:
>  host = host_from_ram_block_offset(block, addr);
>  

RE: [PATCH 2/3] COLO: Migrate dirty pages during the gap of checkpointing

[Zhanghailiang]

> -Original Message-
> From: Dr. David Alan Gilbert [mailto:dgilb...@redhat.com]
> Sent: Thursday, February 20, 2020 2:51 AM
> To: Zhanghailiang 
> Cc: qemu-devel@nongnu.org; quint...@redhat.com; chen.zh...@intel.com;
> daniel...@qnap.com
> Subject: Re: [PATCH 2/3] COLO: Migrate dirty pages during the gap of
> checkpointing
> 
> * Hailiang Zhang (zhang.zhanghaili...@huawei.com) wrote:
> > We can migrate some dirty pages during the gap of checkpointing,
> > by this way, we can reduce the amount of ram migrated during
> checkpointing.
> >
> > Signed-off-by: Hailiang Zhang 
> > ---
> >  migration/colo.c   | 69
> +++---
> >  migration/migration.h  |  1 +
> >  migration/trace-events |  1 +
> >  qapi/migration.json|  4 ++-
> >  4 files changed, 70 insertions(+), 5 deletions(-)
> >
> > diff --git a/migration/colo.c b/migration/colo.c
> > index 93c5a452fb..d30c6bc4ad 100644
> > --- a/migration/colo.c
> > +++ b/migration/colo.c
> > @@ -46,6 +46,13 @@ static COLOMode last_colo_mode;
> >
> >  #define COLO_BUFFER_BASE_SIZE (4 * 1024 * 1024)
> >
> > +#define DEFAULT_RAM_PENDING_CHECK 1000
> > +
> > +/* should be calculated by bandwidth and max downtime ? */
> > +#define THRESHOLD_PENDING_SIZE (100 * 1024 * 1024UL)
> 
> Turn both of these magic constants into parameters.
> 

Good idea, will do this in later patches.

> > +static int checkpoint_request;
> > +
> >  bool migration_in_colo_state(void)
> >  {
> >  MigrationState *s = migrate_get_current();
> > @@ -516,6 +523,20 @@ static void
> colo_compare_notify_checkpoint(Notifier *notifier, void *data)
> >  colo_checkpoint_notify(data);
> >  }
> >
> > +static bool colo_need_migrate_ram_background(MigrationState *s)
> > +{
> > +uint64_t pending_size, pend_pre, pend_compat, pend_post;
> > +int64_t max_size = THRESHOLD_PENDING_SIZE;
> > +
> > +qemu_savevm_state_pending(s->to_dst_file, max_size, _pre,
> > +  _compat, _post);
> > +pending_size = pend_pre + pend_compat + pend_post;
> > +
> > +trace_colo_need_migrate_ram_background(pending_size);
> > +return (pending_size >= max_size);
> > +}
> > +
> > +
> >  static void colo_process_checkpoint(MigrationState *s)
> >  {
> >  QIOChannelBuffer *bioc;
> > @@ -571,6 +592,8 @@ static void
> colo_process_checkpoint(MigrationState *s)
> >
> >  timer_mod(s->colo_delay_timer,
> >  current_time + s->parameters.x_checkpoint_delay);
> > +timer_mod(s->pending_ram_check_timer,
> > +current_time + DEFAULT_RAM_PENDING_CHECK);
> 
> What happens if the iterate takes a while and this triggers in the
> middle of the iterate?
> 

It will trigger another iterate after this one been finished.

> >  while (s->state == MIGRATION_STATUS_COLO) {
> >  if (failover_get_state() != FAILOVER_STATUS_NONE) {
> > @@ -583,10 +606,25 @@ static void
> colo_process_checkpoint(MigrationState *s)
> >  if (s->state != MIGRATION_STATUS_COLO) {
> >  goto out;
> >  }
> > -ret = colo_do_checkpoint_transaction(s, bioc, fb);
> > -if (ret < 0) {
> > -goto out;
> > -}
> > +if (atomic_xchg(_request, 0)) {
> > +/* start a colo checkpoint */
> > +ret = colo_do_checkpoint_transaction(s, bioc, fb);
> > +if (ret < 0) {
> > +goto out;
> > +}
> > +} else {
> > +if (colo_need_migrate_ram_background(s)) {
> > +colo_send_message(s->to_dst_file,
> > +
> COLO_MESSAGE_MIGRATE_RAM_BACKGROUND,
> > +  _err);
> > +if (local_err) {
> > +goto out;
> > +}
> > +
> > +qemu_savevm_state_iterate(s->to_dst_file, false);
> > +qemu_put_byte(s->to_dst_file, QEMU_VM_EOF);
> 
> Maybe you should do a qemu_file_get_error(..) at this point to check
> it's OK.

Agreed, we should check it.

> 
> > +}
> > + }
> >  }
> >
> >  out:
> > @@ -626,6 +664,8 @@ out:
> >  colo_compare_unregister_notifier(_compare_notifier);
> >  timer_del(s->colo_delay_timer);
> >  timer_free(s->colo_delay_timer);
> > +timer_del(s->pending_ram_check_timer);
> > +timer_free(s->pending_ram_check_timer);
> >  qemu_sem_destroy(>colo_checkpoint_sem);
> >
> >  /*
> > @@ -643,6 +683,7 @@ void colo_checkpoint_notify(void *opaque)
> >  MigrationState *s = opaque;
> >  int64_t next_notify_time;
> >
> > +atomic_inc(_request);
> 
> Can you explain what you've changed about this atomic in this patch,
> I don't quite see what you're doing.
> 

We use this to check who waked it from waiting for colo_checkpoint_sem,
By background migration request or checkpoint request.
If the value is zero, it is waked by background migration request, or it is 
waked
By checkpoint request.


> >  qemu_sem_post(>colo_checkpoint_sem);
> >  s->colo_checkpoint_time =

[PATCH v2 0/2] delete virtio queues in vhost-user-blk-unrealize

[pannengyuan]

From: Pan Nengyuan 

This series patch fix memleaks when detaching vhost-user-blk device.
1. use old virtio_del_queue to fix memleaks, it's easier for stable branches to 
merge.
   As the discussion in 
https://lists.nongnu.org/archive/html/qemu-devel/2020-01/msg02903.html

2. convert virtio_del_queue to the new one(virtio_delete_queue).

v2->v1: rename vqs to vhost_vqs to avoid confusing with virtqs (suggented by 
Stefan Hajnoczi)

Pan Nengyuan (2):
  vhost-user-blk: delete virtioqueues in unrealize to fix memleaks
  vhost-use-blk: convert to new virtio_delete_queue

 hw/block/vhost-user-blk.c  | 23 +--
 include/hw/virtio/vhost-user-blk.h |  3 ++-
 2 files changed, 19 insertions(+), 7 deletions(-)

-- 
2.18.2

[PATCH v2 2/2] vhost-use-blk: convert to new virtio_delete_queue

[pannengyuan]

From: Pan Nengyuan 

use the new virtio_delete_queue function to cleanup.

Signed-off-by: Pan Nengyuan 
---
V2->V1:
- rename vqs to vhost_vqs to avoid confusing with virtqs (suggented by Stefan 
Hajnoczi)
---
 hw/block/vhost-user-blk.c  | 19 +++
 include/hw/virtio/vhost-user-blk.h |  3 ++-
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/hw/block/vhost-user-blk.c b/hw/block/vhost-user-blk.c
index 2eba8b9db0..12925a47ec 100644
--- a/hw/block/vhost-user-blk.c
+++ b/hw/block/vhost-user-blk.c
@@ -306,7 +306,7 @@ static int vhost_user_blk_connect(DeviceState *dev)
 s->connected = true;
 
 s->dev.nvqs = s->num_queues;
-s->dev.vqs = s->vqs;
+s->dev.vqs = s->vhost_vqs;
 s->dev.vq_index = 0;
 s->dev.backend_features = 0;
 
@@ -420,13 +420,14 @@ static void vhost_user_blk_device_realize(DeviceState 
*dev, Error **errp)
 virtio_init(vdev, "virtio-blk", VIRTIO_ID_BLOCK,
 sizeof(struct virtio_blk_config));
 
+s->virtqs = g_new(VirtQueue *, s->num_queues);
 for (i = 0; i < s->num_queues; i++) {
-virtio_add_queue(vdev, s->queue_size,
- vhost_user_blk_handle_output);
+s->virtqs[i] = virtio_add_queue(vdev, s->queue_size,
+vhost_user_blk_handle_output);
 }
 
 s->inflight = g_new0(struct vhost_inflight, 1);
-s->vqs = g_new0(struct vhost_virtqueue, s->num_queues);
+s->vhost_vqs = g_new0(struct vhost_virtqueue, s->num_queues);
 s->watch = 0;
 s->connected = false;
 
@@ -458,11 +459,12 @@ reconnect:
 return;
 
 virtio_err:
-g_free(s->vqs);
+g_free(s->vhost_vqs);
 g_free(s->inflight);
 for (i = 0; i < s->num_queues; i++) {
-virtio_del_queue(vdev, i);
+virtio_delete_queue(s->virtqs[i]);
 }
+g_free(s->virtqs);
 virtio_cleanup(vdev);
 vhost_user_cleanup(>vhost_user);
 }
@@ -478,12 +480,13 @@ static void vhost_user_blk_device_unrealize(DeviceState 
*dev, Error **errp)
  NULL, NULL, NULL, false);
 vhost_dev_cleanup(>dev);
 vhost_dev_free_inflight(s->inflight);
-g_free(s->vqs);
+g_free(s->vhost_vqs);
 g_free(s->inflight);
 
 for (i = 0; i < s->num_queues; i++) {
-virtio_del_queue(vdev, i);
+virtio_delete_queue(s->virtqs[i]);
 }
+g_free(s->virtqs);
 virtio_cleanup(vdev);
 vhost_user_cleanup(>vhost_user);
 }
diff --git a/include/hw/virtio/vhost-user-blk.h 
b/include/hw/virtio/vhost-user-blk.h
index 108bfadeeb..05ea0ad183 100644
--- a/include/hw/virtio/vhost-user-blk.h
+++ b/include/hw/virtio/vhost-user-blk.h
@@ -36,7 +36,8 @@ typedef struct VHostUserBlk {
 struct vhost_dev dev;
 struct vhost_inflight *inflight;
 VhostUserState vhost_user;
-struct vhost_virtqueue *vqs;
+struct vhost_virtqueue *vhost_vqs;
+VirtQueue **virtqs;
 guint watch;
 bool connected;
 } VHostUserBlk;
-- 
2.18.2

[PATCH v2 1/2] vhost-user-blk: delete virtioqueues in unrealize to fix memleaks

[pannengyuan]

From: Pan Nengyuan 

virtio queues forgot to delete in unrealize, and aslo error path in
realize, this patch fix these memleaks, the leak stack is as follow:

Direct leak of 114688 byte(s) in 16 object(s) allocated from:
#0 0x7f24024fdbf0 in calloc (/lib64/libasan.so.3+0xcabf0)
#1 0x7f2401642015 in g_malloc0 (/lib64/libglib-2.0.so.0+0x50015)
#2 0x55ad175a6447 in virtio_add_queue /mnt/sdb/qemu/hw/virtio/virtio.c:2327
#3 0x55ad17570cf9 in vhost_user_blk_device_realize 
/mnt/sdb/qemu/hw/block/vhost-user-blk.c:419
#4 0x55ad175a3707 in virtio_device_realize 
/mnt/sdb/qemu/hw/virtio/virtio.c:3509
#5 0x55ad176ad0d1 in device_set_realized /mnt/sdb/qemu/hw/core/qdev.c:876
#6 0x55ad1781ff9d in property_set_bool /mnt/sdb/qemu/qom/object.c:2080
#7 0x55ad178245ae in object_property_set_qobject 
/mnt/sdb/qemu/qom/qom-qobject.c:26
#8 0x55ad17821eb4 in object_property_set_bool 
/mnt/sdb/qemu/qom/object.c:1338
#9 0x55ad177aeed7 in virtio_pci_realize 
/mnt/sdb/qemu/hw/virtio/virtio-pci.c:1801

Reported-by: Euler Robot 
Signed-off-by: Pan Nengyuan 
Reviewed-by: Stefan Hajnoczi 
---
v2->v1: There is no change in this patch(only change the patch2/2)
---
 hw/block/vhost-user-blk.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/hw/block/vhost-user-blk.c b/hw/block/vhost-user-blk.c
index d8c459c575..2eba8b9db0 100644
--- a/hw/block/vhost-user-blk.c
+++ b/hw/block/vhost-user-blk.c
@@ -460,6 +460,9 @@ reconnect:
 virtio_err:
 g_free(s->vqs);
 g_free(s->inflight);
+for (i = 0; i < s->num_queues; i++) {
+virtio_del_queue(vdev, i);
+}
 virtio_cleanup(vdev);
 vhost_user_cleanup(>vhost_user);
 }
@@ -468,6 +471,7 @@ static void vhost_user_blk_device_unrealize(DeviceState 
*dev, Error **errp)
 {
 VirtIODevice *vdev = VIRTIO_DEVICE(dev);
 VHostUserBlk *s = VHOST_USER_BLK(dev);
+int i;
 
 virtio_set_status(vdev, 0);
 qemu_chr_fe_set_handlers(>chardev,  NULL, NULL, NULL,
@@ -476,6 +480,10 @@ static void vhost_user_blk_device_unrealize(DeviceState 
*dev, Error **errp)
 vhost_dev_free_inflight(s->inflight);
 g_free(s->vqs);
 g_free(s->inflight);
+
+for (i = 0; i < s->num_queues; i++) {
+virtio_del_queue(vdev, i);
+}
 virtio_cleanup(vdev);
 vhost_user_cleanup(>vhost_user);
 }
-- 
2.18.2

Re: [PATCH] hw/char/pl011: Enable TxFIFO and async transmission

[Gavin Shan]

On 2/21/20 8:46 PM, Philippe Mathieu-Daudé wrote:

On 2/21/20 10:37 AM, Philippe Mathieu-Daudé wrote:

Cc'ing Igor & Drew.

On 2/21/20 7:28 AM, no-re...@patchew.org wrote:

Patchew URL: https://patchew.org/QEMU/20200221044908.266883-1-gs...@redhat.com/

 >

=== TEST SCRIPT BEGIN ===
#!/bin/bash
make docker-image-centos7 V=1 NETWORK=1
time make docker-test-quick@centos7 SHOW_ENV=1 J=14 NETWORK=1
=== TEST SCRIPT END ===

[...]
   TEST    check-qtest-aarch64: tests/qtest/bios-tables-test

**
ERROR:/tmp/qemu-test/src/tests/qtest/acpi-utils.c:145:acpi_find_rsdp_address_uefi:
 code should not be reached
ERROR - Bail out! 
ERROR:/tmp/qemu-test/src/tests/qtest/acpi-utils.c:145:acpi_find_rsdp_address_uefi:
 code should not be reached
make: *** [check-qtest-aarch64] Error 1


The virt machine is not happy, busy-looping?

$ QTEST_QEMU_BINARY=aarch64-softmmu/qemu-system-aarch64 \
   tests/qtest/bios-tables-test
/aarch64/acpi/virt: ^C


So this test runs:

$ qemu-system-aarch64 -M virt -pflash pc-bios/edk2-aarch64-code.fd -pflash 
pc-bios/edk2-arm-vars.fd -cdrom 
tests/data/uefi-boot-images/bios-tables-test.aarch64.iso.qcow2 -cpu cortex-a57 
-serial stdio


.../...



12638@1582277983.172625:pl011_read addr 0x0018 value 0x0010
12638@1582277983.172629:pl011_read addr 0x0018 value 0x0010
12638@1582277983.172633:pl011_read addr 0x0018 value 0x0010
12638@1582277983.172636:pl011_read addr 0x0018 value 0x0010
12638@1582277983.172640:pl011_read addr 0x0018 value 0x0010
12638@1582277983.172643:pl011_read addr 0x0018 value 0x0010
12638@1582277983.172647:pl011_read addr 0x0018 value 0x0010
12638@1582277983.172650:pl011_read addr 0x0018 value 0x0010
12638@1582277983.172654:pl011_read addr 0x0018 value 0x0010
12638@1582277983.172658:pl011_read addr 0x0018 value 0x0010
12638@1582277983.172661:pl011_read addr 0x0018 value 0x0010
12638@1582277983.172665:pl011_read addr 0x0018 value 0x0010
12638@1582277983.172668:pl011_read addr 0x0018 value 0x0010
12638@1582277983.172672:pl011_read addr 0x0018 value 0x0010
12638@1582277983.172675:pl011_read addr 0x0018 value 0x0010
12638@1582277983.172679:pl011_read addr 0x0018 value 0x0010
12638@1582277983.172682:pl011_read addr 0x0018 value 0x0010
12638@1582277983.172686:pl011_read addr 0x0018 value 0x0010
[keep looping]



Thanks, Phil. It seems there is some race, which causes the PL011_FLAG_TXFF
isn't cleared properly. It should be fixed in v2, which was just posted.
At least, I didn't see the error locally with v2 :)

   # QTEST_QEMU_BINARY=aarch64-softmmu/qemu-system-aarch64 
tests/qtest/bios-tables-test
 :
   # End of virt tests
   # End of acpi tests
   # End of aarch64 tests

Thanks,
Gavin

[PATCH v2] hw/char/pl011: Enable TxFIFO and async transmission

[Gavin Shan]

The depth of TxFIFO can be 1 or 16 depending on LCR[4]. The TxFIFO is
disabled when its depth is 1. It's nice to have TxFIFO enabled if
possible because more characters can be piled and transmitted at once,
which would have less overhead. Besides, we can be blocked because of
qemu_chr_fe_write_all(), which isn't nice.

This enables TxFIFO if possible. On ther other hand, the asynchronous
transmission is enabled if needed, as we did in hw/char/cadence_uart.c

Signed-off-by: Gavin Shan 
---
v2: Put write_{count,fifo} into migration subsection
Don't start async IO handle if it has been started, to avoid race
Update with PL011_FLAG_{TXFF,TXFE} on changing write_count
---
 hw/char/pl011.c | 105 +---
 include/hw/char/pl011.h |   3 ++
 2 files changed, 102 insertions(+), 6 deletions(-)

diff --git a/hw/char/pl011.c b/hw/char/pl011.c
index 13e784f9d9..de5c4254fe 100644
--- a/hw/char/pl011.c
+++ b/hw/char/pl011.c
@@ -169,6 +169,73 @@ static void pl011_set_read_trigger(PL011State *s)
 s->read_trigger = 1;
 }
 
+static gboolean pl011_xmit(GIOChannel *chan, GIOCondition cond, void *opaque)
+{
+PL011State *s = (PL011State *)opaque;
+int ret;
+
+/* Drain FIFO if there is no backend */
+if (!qemu_chr_fe_backend_connected(>chr)) {
+s->write_count = 0;
+s->flags &= ~PL011_FLAG_TXFF;
+s->flags |= PL011_FLAG_TXFE;
+return FALSE;
+}
+
+/* Nothing to do */
+if (!s->write_count) {
+return FALSE;
+}
+
+ret = qemu_chr_fe_write(>chr, s->write_fifo, s->write_count);
+if (ret > 0) {
+s->write_count -= ret;
+memmove(s->write_fifo, s->write_fifo + ret, s->write_count);
+s->flags &= ~PL011_FLAG_TXFF;
+if (!s->write_count) {
+s->flags |= PL011_FLAG_TXFE;
+}
+}
+
+if (s->write_count) {
+s->watch_tag = qemu_chr_fe_add_watch(>chr, G_IO_OUT | G_IO_HUP,
+ pl011_xmit, s);
+if (!s->watch_tag) {
+s->write_count = 0;
+s->flags &= ~PL011_FLAG_TXFF;
+s->flags |= PL011_FLAG_TXFE;
+return FALSE;
+}
+}
+
+s->int_level |= PL011_INT_TX;
+pl011_update(s);
+return FALSE;
+}
+
+static void pl011_write_fifo(void *opaque, const unsigned char *buf, int size)
+{
+PL011State *s = (PL011State *)opaque;
+int depth = (s->lcr & 0x10) ? 16 : 1;
+
+if (size >= (depth - s->write_count)) {
+size = depth - s->write_count;
+}
+
+if (size > 0) {
+memcpy(s->write_fifo + s->write_count, buf, size);
+s->write_count += size;
+if (s->write_count >= depth) {
+s->flags |= PL011_FLAG_TXFF;
+}
+s->flags &= ~PL011_FLAG_TXFE;
+}
+
+if (!s->watch_tag) {
+pl011_xmit(NULL, G_IO_OUT, s);
+}
+}
+
 static void pl011_write(void *opaque, hwaddr offset,
 uint64_t value, unsigned size)
 {
@@ -179,13 +246,8 @@ static void pl011_write(void *opaque, hwaddr offset,
 
 switch (offset >> 2) {
 case 0: /* UARTDR */
-/* ??? Check if transmitter is enabled.  */
 ch = value;
-/* XXX this blocks entire thread. Rewrite to use
- * qemu_chr_fe_write and background I/O callbacks */
-qemu_chr_fe_write_all(>chr, , 1);
-s->int_level |= PL011_INT_TX;
-pl011_update(s);
+pl011_write_fifo(opaque, , 1);
 break;
 case 1: /* UARTRSR/UARTECR */
 s->rsr = 0;
@@ -207,7 +269,16 @@ static void pl011_write(void *opaque, hwaddr offset,
 if ((s->lcr ^ value) & 0x10) {
 s->read_count = 0;
 s->read_pos = 0;
+
+if (s->watch_tag) {
+g_source_remove(s->watch_tag);
+s->watch_tag = 0;
+}
+s->write_count = 0;
+s->flags &= ~PL011_FLAG_TXFF;
+s->flags |= PL011_FLAG_TXFE;
 }
+
 s->lcr = value;
 pl011_set_read_trigger(s);
 break;
@@ -292,6 +363,24 @@ static const MemoryRegionOps pl011_ops = {
 .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
+static bool pl011_write_fifo_needed(void *opaque)
+{
+PL011State *s = (PL011State *)opaque;
+return s->write_count > 0;
+}
+
+static const VMStateDescription vmstate_pl011_write_fifo = {
+.name = "pl011/write_fifo",
+.version_id = 1,
+.minimum_version_id = 1,
+.needed = pl011_write_fifo_needed,
+.fields = (VMStateField[]) {
+VMSTATE_INT32(write_count, PL011State),
+VMSTATE_UINT8_ARRAY(write_fifo, PL011State, 16),
+VMSTATE_END_OF_LIST()
+}
+};
+
 static const VMStateDescription vmstate_pl011 = {
 .name = "pl011",
 .version_id = 2,
@@ -314,6 +403,10 @@ static const VMStateDescription vmstate_pl011 = {
 VMSTATE_INT32(read_count, PL011State),
 VMSTATE_INT32(read_trigger, PL011State),
 VMSTATE_END_OF_LIST()
+},
+

Re: [PATCH] virtiofsd/helper: Add shared/no_shared options to help message

[Xiao Yang]

Hi David,

Do you have any comment on this patch? :-)
Cc qemu-devel@nongnu.org

Best Regards,
Xiao Yang

On 2020/2/10 18:44, Xiao Yang wrote:
> From: Xiao Yang 
>
> Also add a hint that user should start 'ireg' daemon before using shared 
> cache.
>
> Signed-off-by: Xiao Yang 
> ---
>  tools/virtiofsd/helper.c | 4 
>  1 file changed, 4 insertions(+)
>
> diff --git a/tools/virtiofsd/helper.c b/tools/virtiofsd/helper.c
> index 819c2bc13c..0aa02b99b0 100644
> --- a/tools/virtiofsd/helper.c
> +++ b/tools/virtiofsd/helper.c
> @@ -171,6 +171,10 @@ void fuse_cmdline_help(void)
> "   default: no_writeback\n"
> "-o xattr|no_xattr  enable/disable xattr\n"
> "   default: no_xattr\n"
> +   "-o shared|no_sharedenable/disable shared cache\n"
> +   "   default: no_shared\n"
> +   "   please start 'ireg' daemon before 
> "
> +   "using shared cache\n"
> );
>  }
>  

Re: [PATCH v4] Implement the Screamer sound chip for the mac99 machine type

[Programmingkid]

> On Feb 23, 2020, at 12:00 PM, qemu-ppc-requ...@nongnu.org wrote:
> 
> Message: 2
> Date: Sun, 23 Feb 2020 12:43:37 +0300
> From: Andrew Randrianasulu 
> To: hsp.c...@gmail.com, qemu-devel@nongnu.org, "qemu-...@nongnu.org"
>   
> Subject: Re: [PATCH v4] Implement the Screamer sound chip for the
>   mac99 machine type
> Message-ID: <202002231243.37654.randrianas...@gmail.com>
> Content-Type: text/plain;  charset="us-ascii"
> 
> Just thought I must share my uneducated guess on issue reported at
> 
> https://www.emaculation.com/forum/viewtopic.php?f=34=9820
>> Please note that running with 1024Mb of memory will make sound stop working 
>> in Mac OS 9.x. So run with less memory.
>> As will running without virtual memory.
> 
> My guess this has something to do with device memory regions, may be because 
> Linux  always uses Virtual memory
> (MMU, address translation), as well as Mac OS X 10.x - this little issue was 
> unnoticed until recently ?

Interesting theory. We may have to consult the 'Inside Macintosh' series under 
Memory management to find out how Mac OS 9 works with non-virtual memory. 

[RESEND PATCH v2] migration/throttle: Add throttle-trig-thres migration parameter

[Keqian Zhu]

Currently, if the bytes_dirty_period is more than the 50% of
bytes_xfer_period, we start or increase throttling.

If we make this percentage higher, then we can tolerate higher
dirty rate during migration, which means less impact on guest.
The side effect of higher percentage is longer migration time.
We can make this parameter configurable to switch between mig-
ration time first or guest performance first.

The default value is 50 and valid range is 1 to 100.

Signed-off-by: Keqian Zhu 
---
Changelog:

v1->v2
 -Use full name for parameter. Suggested by Eric Blake.
 -Change the upper bound of threshold to 100.
 -Extract the throttle strategy as function.

---
Cc: Juan Quintela 
Cc: "Dr. David Alan Gilbert" 
Cc: Eric Blake 
Cc: Markus Armbruster 

---
 migration/migration.c | 24 
 migration/ram.c   | 52 +--
 monitor/hmp-cmds.c|  7 ++
 qapi/migration.json   | 16 -
 4 files changed, 76 insertions(+), 23 deletions(-)

diff --git a/migration/migration.c b/migration/migration.c
index 8fb68795dc..42d2d556e3 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -78,6 +78,7 @@
 /*0: means nocompress, 1: best speed, ... 9: best compress ratio */
 #define DEFAULT_MIGRATE_COMPRESS_LEVEL 1
 /* Define default autoconverge cpu throttle migration parameters */
+#define DEFAULT_MIGRATE_THROTTLE_TRIGGER_THRESHOLD 50
 #define DEFAULT_MIGRATE_CPU_THROTTLE_INITIAL 20
 #define DEFAULT_MIGRATE_CPU_THROTTLE_INCREMENT 10
 #define DEFAULT_MIGRATE_MAX_CPU_THROTTLE 99
@@ -778,6 +779,8 @@ MigrationParameters *qmp_query_migrate_parameters(Error 
**errp)
 params->compress_wait_thread = s->parameters.compress_wait_thread;
 params->has_decompress_threads = true;
 params->decompress_threads = s->parameters.decompress_threads;
+params->has_throttle_trigger_threshold = true;
+params->throttle_trigger_threshold = 
s->parameters.throttle_trigger_threshold;
 params->has_cpu_throttle_initial = true;
 params->cpu_throttle_initial = s->parameters.cpu_throttle_initial;
 params->has_cpu_throttle_increment = true;
@@ -1164,6 +1167,15 @@ static bool migrate_params_check(MigrationParameters 
*params, Error **errp)
 return false;
 }
 
+if (params->has_throttle_trigger_threshold &&
+(params->throttle_trigger_threshold < 1 ||
+ params->throttle_trigger_threshold > 100)) {
+error_setg(errp, QERR_INVALID_PARAMETER_VALUE,
+   "throttle_trigger_threshold",
+   "an integer in the range of 1 to 100");
+return false;
+}
+
 if (params->has_cpu_throttle_initial &&
 (params->cpu_throttle_initial < 1 ||
  params->cpu_throttle_initial > 99)) {
@@ -1279,6 +1291,10 @@ static void 
migrate_params_test_apply(MigrateSetParameters *params,
 dest->decompress_threads = params->decompress_threads;
 }
 
+if (params->has_throttle_trigger_threshold) {
+dest->throttle_trigger_threshold = params->throttle_trigger_threshold;
+}
+
 if (params->has_cpu_throttle_initial) {
 dest->cpu_throttle_initial = params->cpu_throttle_initial;
 }
@@ -1360,6 +1376,10 @@ static void migrate_params_apply(MigrateSetParameters 
*params, Error **errp)
 s->parameters.decompress_threads = params->decompress_threads;
 }
 
+if (params->has_throttle_trigger_threshold) {
+s->parameters.throttle_trigger_threshold = 
params->throttle_trigger_threshold;
+}
+
 if (params->has_cpu_throttle_initial) {
 s->parameters.cpu_throttle_initial = params->cpu_throttle_initial;
 }
@@ -3506,6 +3526,9 @@ static Property migration_properties[] = {
 DEFINE_PROP_UINT8("x-decompress-threads", MigrationState,
   parameters.decompress_threads,
   DEFAULT_MIGRATE_DECOMPRESS_THREAD_COUNT),
+DEFINE_PROP_UINT8("x-throttle-trigger-threshold", MigrationState,
+  parameters.throttle_trigger_threshold,
+  DEFAULT_MIGRATE_THROTTLE_TRIGGER_THRESHOLD),
 DEFINE_PROP_UINT8("x-cpu-throttle-initial", MigrationState,
   parameters.cpu_throttle_initial,
   DEFAULT_MIGRATE_CPU_THROTTLE_INITIAL),
@@ -3606,6 +3629,7 @@ static void migration_instance_init(Object *obj)
 params->has_compress_level = true;
 params->has_compress_threads = true;
 params->has_decompress_threads = true;
+params->has_throttle_trigger_threshold = true;
 params->has_cpu_throttle_initial = true;
 params->has_cpu_throttle_increment = true;
 params->has_max_bandwidth = true;
diff --git a/migration/ram.c b/migration/ram.c
index ed23ed1c7c..3a38253903 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -896,11 +896,38 @@ static void migration_update_rates(RAMState *rs, int64_t 
end_time)
 }
 }
 
+static void migration_trigger_throttle(RAMState *rs)
+{
+MigrationState *s = migrate_get_current();
+

[PATCH] migration/throttle: Add throttle-trig-thres migration parameter

[Keqian Zhu]

Currently, if the bytes_dirty_period is more than the 50% of
bytes_xfer_period, we start or increase throttling.

If we make this percentage higher, then we can tolerate higher
dirty rate during migration, which means less impact on guest.
The side effect of higher percentage is longer migration time.
We can make this parameter configurable to switch between mig-
ration time first or guest performance first.

The default value is 50 and valid range is 1 to 100.

Signed-off-by: Keqian Zhu 
---
Changelog:

v1->v2
 -Use full name for parameter. Suggested by Eric Blake.
 -Change the upper bound of threshold to 100.
 -Extract the throttle strategy as function.

---
Cc: Juan Quintela 
Cc: "Dr. David Alan Gilbert" 
Cc: Eric Blake 
Cc: Markus Armbruster 

---
 migration/migration.c | 24 
 migration/ram.c   | 52 +--
 monitor/hmp-cmds.c|  7 ++
 qapi/migration.json   | 16 -
 4 files changed, 76 insertions(+), 23 deletions(-)

diff --git a/migration/migration.c b/migration/migration.c
index 8fb68795dc..42d2d556e3 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -78,6 +78,7 @@
 /*0: means nocompress, 1: best speed, ... 9: best compress ratio */
 #define DEFAULT_MIGRATE_COMPRESS_LEVEL 1
 /* Define default autoconverge cpu throttle migration parameters */
+#define DEFAULT_MIGRATE_THROTTLE_TRIGGER_THRESHOLD 50
 #define DEFAULT_MIGRATE_CPU_THROTTLE_INITIAL 20
 #define DEFAULT_MIGRATE_CPU_THROTTLE_INCREMENT 10
 #define DEFAULT_MIGRATE_MAX_CPU_THROTTLE 99
@@ -778,6 +779,8 @@ MigrationParameters *qmp_query_migrate_parameters(Error 
**errp)
 params->compress_wait_thread = s->parameters.compress_wait_thread;
 params->has_decompress_threads = true;
 params->decompress_threads = s->parameters.decompress_threads;
+params->has_throttle_trigger_threshold = true;
+params->throttle_trigger_threshold = 
s->parameters.throttle_trigger_threshold;
 params->has_cpu_throttle_initial = true;
 params->cpu_throttle_initial = s->parameters.cpu_throttle_initial;
 params->has_cpu_throttle_increment = true;
@@ -1164,6 +1167,15 @@ static bool migrate_params_check(MigrationParameters 
*params, Error **errp)
 return false;
 }
 
+if (params->has_throttle_trigger_threshold &&
+(params->throttle_trigger_threshold < 1 ||
+ params->throttle_trigger_threshold > 100)) {
+error_setg(errp, QERR_INVALID_PARAMETER_VALUE,
+   "throttle_trigger_threshold",
+   "an integer in the range of 1 to 100");
+return false;
+}
+
 if (params->has_cpu_throttle_initial &&
 (params->cpu_throttle_initial < 1 ||
  params->cpu_throttle_initial > 99)) {
@@ -1279,6 +1291,10 @@ static void 
migrate_params_test_apply(MigrateSetParameters *params,
 dest->decompress_threads = params->decompress_threads;
 }
 
+if (params->has_throttle_trigger_threshold) {
+dest->throttle_trigger_threshold = params->throttle_trigger_threshold;
+}
+
 if (params->has_cpu_throttle_initial) {
 dest->cpu_throttle_initial = params->cpu_throttle_initial;
 }
@@ -1360,6 +1376,10 @@ static void migrate_params_apply(MigrateSetParameters 
*params, Error **errp)
 s->parameters.decompress_threads = params->decompress_threads;
 }
 
+if (params->has_throttle_trigger_threshold) {
+s->parameters.throttle_trigger_threshold = 
params->throttle_trigger_threshold;
+}
+
 if (params->has_cpu_throttle_initial) {
 s->parameters.cpu_throttle_initial = params->cpu_throttle_initial;
 }
@@ -3506,6 +3526,9 @@ static Property migration_properties[] = {
 DEFINE_PROP_UINT8("x-decompress-threads", MigrationState,
   parameters.decompress_threads,
   DEFAULT_MIGRATE_DECOMPRESS_THREAD_COUNT),
+DEFINE_PROP_UINT8("x-throttle-trigger-threshold", MigrationState,
+  parameters.throttle_trigger_threshold,
+  DEFAULT_MIGRATE_THROTTLE_TRIGGER_THRESHOLD),
 DEFINE_PROP_UINT8("x-cpu-throttle-initial", MigrationState,
   parameters.cpu_throttle_initial,
   DEFAULT_MIGRATE_CPU_THROTTLE_INITIAL),
@@ -3606,6 +3629,7 @@ static void migration_instance_init(Object *obj)
 params->has_compress_level = true;
 params->has_compress_threads = true;
 params->has_decompress_threads = true;
+params->has_throttle_trigger_threshold = true;
 params->has_cpu_throttle_initial = true;
 params->has_cpu_throttle_increment = true;
 params->has_max_bandwidth = true;
diff --git a/migration/ram.c b/migration/ram.c
index ed23ed1c7c..3a38253903 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -896,11 +896,38 @@ static void migration_update_rates(RAMState *rs, int64_t 
end_time)
 }
 }
 
+static void migration_trigger_throttle(RAMState *rs)
+{
+MigrationState *s = migrate_get_current();
+

Re: [PATCH v4] Implement the Screamer sound chip for the mac99 machine type

[Programmingkid]

> On Feb 23, 2020, at 9:17 AM, Howard Spoelstra  wrote:
> 
> 
> 
> On Fri, Feb 21, 2020 at 1:09 PM Howard Spoelstra  wrote:
> 
> 
> The current screamer-enabled builds for OSX and Windows are on 
> www.emaculation.com ;-)
> As you see from testing, there are reasons why the patches from Mark's 
> screamer branch are not in master yet, and these have not all been addressed. 
> There still needs to be testing on Linux and certainly on Windows builds, and 
> from what I mentioned above that might not be plain sailing. 
> I guess I'll wait with providing new builds when the patches for both 
> openbios and qemu are reviewed and in some repo from which I can build easily.
> 
> Best,
> Howard
> 
> Hi,
> 
> There is indeed an issue when building your code for Windows.
> Whereas the current screamer from Mark just plays sound, a build with your 
> patches will not.
> I need to Ctrl-Alt-G to exit grab, click on the command (cmd.exe) window in 
> which the Qemu textual output is showing and then grab the mouse again to get 
> sound. A simple grab exit/grab cycle is not enough, a click somewhere outside 
> the Qemu window will also not do. Only a click to activate the command window 
> and then grab again. Happens with both GTK and SDL GUIs.
> 
> Command line is:
> qemu-system-ppc-master-screamer-john-v4.exe -L pc-bios -boot c -m 256 -M 
> mac99,via=pmu ^
> -drive file=C:\mac-disks\9.2.img ^
> -sdl -serial stdio ^
> -bios openbios-qemu-screamer-john-v2.elf
> 
> Took me ages to find this regularity ;-)
> 
> Best,
> Howard

Thank you very much for catching this problem. Could you send me your Windows 
binary of QEMU that uses my patch. I would like to see if I can reproduce the 
problem on my computer. 

Re: [PATCH] migration/throttle: Add throttle-trig-thres migration parameter

[zhukeqian]

Hi, Eric

On 2020/2/21 22:14, Eric Blake wrote:
> On 2/20/20 8:57 PM, Keqian Zhu wrote:
>> Currently, if the bytes_dirty_period is more than the 50% of
>> bytes_xfer_period, we start or increase throttling.
>>
>> If we make this percentage higher, then we can tolerate higher
>> dirty rate during migration, which means less impact on guest.
>> The side effect of higher percentage is longer migration time.
>>
>> We can configure this parameter to switch between migration time
>> firt or guest performance first. The default value is 50.
>>
>> Signed-off-by: Keqian Zhu 
>> ---
>> Cc: Juan Quintela 
>> Cc: "Dr. David Alan Gilbert" 
>> Cc: Eric Blake 
>> Cc: Markus Armbruster 
>> ---
> 
>> +++ b/qapi/migration.json
>> @@ -524,6 +524,10 @@
>>   #  compression, so set the decompress-threads to the 
>> number about 1/4
>>   #  of compress-threads is adequate.
>>   #
>> +# @throttle-trig-thres: The ratio of bytes_dirty_period and 
>> bytes_xfer_period to
>> +#   trigger throttling. It is expressed as percentage. 
>> The
>> +#   default value is 50. (Since 5.0)
>> +#
> 
> Abbreviating feels odd; can you please spell this out as 
> throttle-trigger-threshold?
OK, I will use full name in v2.
> 
> Can the threshold exceed 100%?
If the threshold exceed 100% and the dirty rate is between 100% and threshold, 
then throttling
will not be started, so the migration will not converge and last an uncertain 
time until the workload
in guest is down by itself. So I think that the threshold exceed 100% maybe not 
suitable :).
> 

Thanks.
Keqian

RE: RFC: Split EPT huge pages in advance of dirty logging

[Zhoujian (jay)]

> -Original Message-
> From: Peter Feiner [mailto:pfei...@google.com]
> Sent: Saturday, February 22, 2020 8:19 AM
> To: Junaid Shahid 
> Cc: Ben Gardon ; Zhoujian (jay)
> ; Peter Xu ;
> k...@vger.kernel.org; qemu-devel@nongnu.org; pbonz...@redhat.com;
> dgilb...@redhat.com; quint...@redhat.com; Liujinsong (Paul)
> ; linfeng (M) ; wangxin (U)
> ; Huangweidong (C)
> 
> Subject: Re: RFC: Split EPT huge pages in advance of dirty logging
> 
> On Fri, Feb 21, 2020 at 2:08 PM Junaid Shahid  wrote:
> >
> > On 2/20/20 9:34 AM, Ben Gardon wrote:
> > >
> > > FWIW, we currently do this eager splitting at Google for live
> > > migration. When the log-dirty-memory flag is set on a memslot we
> > > eagerly split all pages in the slot down to 4k granularity.
> > > As Jay said, this does not cause crippling lock contention because
> > > the vCPU page faults generated by write protection / splitting can
> > > be resolved in the fast page fault path without acquiring the MMU lock.
> > > I believe +Junaid Shahid tried to upstream this approach at some
> > > point in the past, but the patch set didn't make it in. (This was
> > > before my time, so I'm hoping he has a link.) I haven't done the
> > > analysis to know if eager splitting is more or less efficient with
> > > parallel slow-path page faults, but it's definitely faster under the
> > > MMU lock.
> > >
> >
> > I am not sure if we ever posted those patches upstream. Peter Feiner would
> know for sure. One notable difference in what we do compared to the approach
> outlined by Jay is that we don't rely on tdp_page_fault() to do the 
> splitting. So
> we don't have to create a dummy VCPU and the specialized split function is 
> also
> much faster.

I'm curious and interested in the way you implemented, especially you mentioned
that the performance is much faster without a dummy VCPU.

> We've been carrying these patches since 2015. I've never posted them.
> Getting them in shape for upstream consumption will take some work. I can
> look into this next week.

It will be nice if you're going to post it to the upstream.

Regards,
Jay Zhou

> 
> Peter

Re: [PATCH] hw/char/pl011: Output characters using best-effort mode

[Gavin Shan]

Hi Marc,

On 2/21/20 8:09 PM, Marc Zyngier wrote:

On 2020-02-21 04:24, Gavin Shan wrote:

On 2/20/20 9:10 PM, Peter Maydell wrote:

On Thu, 20 Feb 2020 at 09:10, Marc Zyngier  wrote:

On 2020-02-20 06:01, Gavin Shan wrote:

This fixes the issue by using newly added API
qemu_chr_fe_try_write_all(),
which provides another type of service (best-effort). It's different
from
qemu_chr_fe_write_all() as the data will be dropped if the backend has
been running into so-called broken state or 50 attempts of
transmissions.
The broken state is cleared if the data is transmitted at once.


I don't think dropping the serial port output is an acceptable outcome.


Agreed. The correct fix for this is the one cryptically described
in the XXX comment this patch deletes:

-    /* XXX this blocks entire thread. Rewrite to use
- * qemu_chr_fe_write and background I/O callbacks */

The idea is that essentially we end up emulating the real
hardware's transmit FIFO:
  * as data arrives from the guest we put it in the FIFO
  * we try to send the data with qemu_chr_fe_write(), which does
    not block
  * if qemu_chr_fe_write() tells us it did not send all the data,
    we use qemu_chr_fe_add_watch() to set up an I/O callback
    which will get called when the output chardev has drained
    enough that we can try again
  * we make sure all the guest visible registers and mechanisms
    for tracking tx fifo level (status bits, interrupts, etc) are
    correctly wired up

Then we don't lose data or block QEMU if the guest sends
faster than the chardev backend can handle, assuming the
guest is well-behaved -- just as with a real hardware slow
serial port, the guest will fill the tx fifo and then either poll
or wait for an interrupt telling it that the fifo has drained
before it tries to send more data.

There is an example of this in hw/char/cadence_uart.c
(and an example of how it works for a UART with no tx
fifo in hw/char-cmsdk-apb-uart.c, which is basically the
same except the 'fifo' is just one byte.)

You will also find an awful lot of XXX comments like the
above one in various UART models in hw/char, because
converting an old-style simple blocking UART implementation
to a non-blocking one is a bit fiddly and needs knowledge
of the specifics of the UART behaviour.

The other approach here would be that we could add
options to relevant chardev backends so the user
could say "if you couldn't connect to the tcp server I
specified, throw away data rather than waiting", where
we don't have suitable options already. If the user specifically
tells us they're ok to throw away the serial data, then it's
fine to throw away the serial data :-)



I was intended to convince Marc that it's fine to lose data if the
serial connection is broken with an example. Now, I'm taking the
example trying to convince both of you: Lets assume we have a ARM
board and the UART (RS232) cable is unplugged and plugged in the middle of
system booting. I think we would get some output lost. We're emulating
pl011 and I think it would have same behavior. However, I'm not sure
if it makes sense :)


But the case you describe in the commit message is not that one.
The analogy is that of a serial port *plugged* and asserting flow control.



Thanks for your time on the discussion.

Well, I would say we saw two side of a coin. TCP connection isn't bidirectional
until accept() is called on server side. The connection isn't fully functional
until two directions are finalized. It would be unplug if the connection is 
treated
as the cable :)


Another thing is that the "system" as been constructed this way by the
user. QEMU is not in a position to choose and output what is convenient,
when it is convenient. In my world, the serial output is absolutely
crucial. This is where I look for clues about failures and odd behaviours,
and I rely on the serial port emulation to be 100% reliable (and for what
it's worth, the Linux kernel can output to the serial port asynchronously,
to some extent).

[...]



Yep, totally agreed :)


If above analysis is correct and the first approach doesn't work out. We have to
consider the 2nd approach - adding option to backend to allow losing data. I'm
going to add "allow-data-lost" option for TYPE_CHARDEV_SOCKET. With the option,
a back-off algorithm in tcp_chr_write(): The channel is consider as broken if
it fails to transmit data in last continuous 5 times. The transmission is still
issued when the channel is in broken state and recovered to normal state if
transmission succeeds for once.


That'd be an option if you could configure the UART with something that says
"no flow control". In that case, dropping data on the floor becomes perfectly
acceptable, as it requires buy-in from the user.



Yep, the point is to has user's buy-in and it seems an explicit option like
"allow-data-lost" fills the gap, but it seems Peter isn't reaching conclusion
or decision yet. Lets see what's that finally :)

Thanks,
Gavin

Re: [PATCH] hw/char/pl011: Output characters using best-effort mode

[Gavin Shan]

On 2/22/20 5:15 AM, Paolo Bonzini wrote:

On 21/02/20 14:14, Peter Maydell wrote:

The initial case reported by Gavin in this thread is
"-serial tcp:127.0.0.1:50900" with the other end being a program which
listens on TCP port 50900 and then sleeps without accepting any incoming
connections, which blocks the serial port output and effectively blocks
the guest bootup. If you want to insulate the guest from badly
behaved consumers like that (or the related consumer who accepts
the connection and then just doesn't read data from it) you probably
need to deal with more than just POLLHUP. But I'm not sure how much
we should care about these cases as opposed to just telling users
not to do that...


No, I think we don't do anything (on purpose; that is, it was considered
the lesser evil) for x86 in that case.



Paolo and Peter, thanks for your time on the discussion. So I think the
conclusion is we don't do anything for pl011 either? :)

Actually, the issue was reported by libvirt developer. A VM is started
with serial on tcp socket, which is never accepted on server side. It
practically blocks the VM to boot up. I will tell the libvirt developer
to hack their code to avoid the race if we don't do anything in qemu.

Thanks,
Gavin

[RFC PATCH v2 2/2] hw/arm/integratorcp: Map a CFI parallel flash

[Philippe Mathieu-Daudé]

The Linux kernel displays errors why trying to detect the flash:

  Linux version 4.16.0 (linus@genomnajs) (gcc version 7.2.1 20171011 (Linaro 
GCC 7.2-2017.11)) #142 PREEMPT Wed May 9 13:24:55 CEST 2018
  CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00093177
  CPU: VIVT data cache, VIVT instruction cache
  OF: fdt: Machine model: ARM Integrator/CP
  ...
  of-flash 2400.flash: Integrator/CP flash protection
  of-flash 2400.flash: do_map_probe() failed for type cfi_probe
  of-flash 2400.flash: do_map_probe() failed

Since we have a CFI pflash model available, wire it.
The kernel properly detects it:

  of-flash 2400.flash: Integrator/CP flash protection
  2400.flash: Found 1 x32 devices at 0x0 in 32-bit bank. Manufacturer ID 
0x00 Chip ID 0x00
  Intel/Sharp Extended Query Table at 0x0031
  Using buffer write method

Signed-off-by: Philippe Mathieu-Daudé 
---
v2: Kconfig change was not committed

RFC because I have no idea of the flash model, its ID code, and which
default CFI family (1 or 2).
---
 hw/arm/integratorcp.c | 11 +++
 hw/arm/Kconfig|  1 +
 2 files changed, 12 insertions(+)

diff --git a/hw/arm/integratorcp.c b/hw/arm/integratorcp.c
index 59804140cd..40cedfd55a 100644
--- a/hw/arm/integratorcp.c
+++ b/hw/arm/integratorcp.c
@@ -8,6 +8,7 @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/units.h"
 #include "qapi/error.h"
 #include "cpu.h"
 #include "hw/sysbus.h"
@@ -24,6 +25,7 @@
 #include "hw/char/pl011.h"
 #include "hw/hw.h"
 #include "hw/irq.h"
+#include "hw/block/flash.h"
 
 #define TYPE_INTEGRATOR_CM "integrator_core"
 #define INTEGRATOR_CM(obj) \
@@ -589,6 +591,7 @@ static void integratorcp_init(MachineState *machine)
 MemoryRegion *ram_alias = g_new(MemoryRegion, 1);
 qemu_irq pic[32];
 DeviceState *dev, *sic, *icp;
+DriveInfo *dinfo;
 int i;
 
 cpuobj = object_new(machine->cpu_type);
@@ -646,6 +649,14 @@ static void integratorcp_init(MachineState *machine)
   qdev_get_gpio_in_named(icp, ICP_GPIO_MMC_CARDIN, 0));
 sysbus_create_varargs("pl041", 0x1d00, pic[25], NULL);
 
+dinfo = drive_get(IF_PFLASH, 0, 0);
+if (!pflash_cfi01_register(0x2400, "pflash", 16 * MiB,
+   dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
+   64 * KiB, 4, 0, 0, 0, 0, 0)) {
+error_report("Error registering flash memory");
+exit(1);
+}
+
 if (nd_table[0].used)
 smc91c111_init(_table[0], 0xc800, pic[27]);
 
diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index 61635f52c4..7f179f960f 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -73,6 +73,7 @@ config INTEGRATOR
 select PL050 # keyboard/mouse
 select PL110 # pl111 LCD controller
 select PL181 # display
+select PFLASH_CFI01
 select SMC91C111
 
 config MAINSTONE
-- 
2.21.1

[PATCH v2 1/2] hw/arm/integratorcp: Map the audio codec controller

[Philippe Mathieu-Daudé]

The Linux kernel displays errors why trying to detect the PL041
audio interface:

  Linux version 4.16.0 (linus@genomnajs) (gcc version 7.2.1 20171011 (Linaro 
GCC 7.2-2017.11)) #142 PREEMPT Wed May 9 13:24:55 CEST 2018
  CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00093177
  CPU: VIVT data cache, VIVT instruction cache
  OF: fdt: Machine model: ARM Integrator/CP
  ...
  OF: amba_device_add() failed (-19) for /fpga/aaci@1d00

Since we have it already modelled, simply plug it.

Signed-off-by: Philippe Mathieu-Daudé 
---
v2: Kconfig change was not committed
---
 hw/arm/integratorcp.c | 1 +
 hw/arm/Kconfig| 1 +
 2 files changed, 2 insertions(+)

diff --git a/hw/arm/integratorcp.c b/hw/arm/integratorcp.c
index 0cd94d9f09..59804140cd 100644
--- a/hw/arm/integratorcp.c
+++ b/hw/arm/integratorcp.c
@@ -644,6 +644,7 @@ static void integratorcp_init(MachineState *machine)
   qdev_get_gpio_in_named(icp, ICP_GPIO_MMC_WPROT, 0));
 qdev_connect_gpio_out(dev, 1,
   qdev_get_gpio_in_named(icp, ICP_GPIO_MMC_CARDIN, 0));
+sysbus_create_varargs("pl041", 0x1d00, pic[25], NULL);
 
 if (nd_table[0].used)
 smc91c111_init(_table[0], 0xc800, pic[27]);
diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index 3d86691ae0..61635f52c4 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -69,6 +69,7 @@ config INTEGRATOR
 select INTEGRATOR_DEBUG
 select PL011 # UART
 select PL031 # RTC
+select PL041 # audio
 select PL050 # keyboard/mouse
 select PL110 # pl111 LCD controller
 select PL181 # display
-- 
2.21.1

[PATCH v2 0/2] hw/arm/integratorcp: Map Audio controller and parallel flash

[Philippe Mathieu-Daudé]

While looking whether Thomas's test patch [*] requires a respin
or not, I noticed we could complete the integrator model.
Thomas patch still applies properly ;)

Since v1:
- Added uncommitted Kconfig
- Use hobbyist git-identity

[*] https://www.mail-archive.com/qemu-devel@nongnu.org/msg675828.html

Philippe Mathieu-Daudé (2):
  hw/arm/integratorcp: Map the audio codec controller
  hw/arm/integratorcp: Map a CFI parallel flash

 hw/arm/integratorcp.c | 12 
 hw/arm/Kconfig|  2 ++
 2 files changed, 14 insertions(+)

-- 
2.21.1

[PATCH 0/2] hw/arm/integratorcp: Map Audio controller and parallel flash

[Philippe Mathieu-Daudé]

From: Philippe Mathieu-Daudé 

While looking whether Thomas's test patch [*] requires a respin
or not, I noticed we could complete the integrator model.
Thomas patch still applies properly ;)

[*] https://www.mail-archive.com/qemu-devel@nongnu.org/msg675828.html

Philippe Mathieu-Daudé (2):
  hw/arm/integratorcp: Map the audio codec controller
  hw/arm/integratorcp: Map a CFI parallel flash

 hw/arm/integratorcp.c | 12 
 1 file changed, 12 insertions(+)

-- 
2.21.1

Re: [PATCH] hw/char/pl011: Output characters using best-effort mode

[Gavin Shan]

On 2/21/20 11:44 PM, Peter Maydell wrote:

On Fri, 21 Feb 2020 at 11:44, Paolo Bonzini  wrote:


On 21/02/20 11:21, Peter Maydell wrote:

Before you do that, I would suggest investigating:
  * is this a problem we've already had on x86 and that there is a
standard solution for

Disconnected sockets always lose data (see tcp_chr_write in
chardev/char-socket.c).

For connected sockets, 8250 does at most 4 retries (each retry is
triggered by POLLOUT|POLLHUP).  After these four retries the output
chardev is considered broken, just like in Gavin's patch, and only a
reset will restart the output.


  * should this be applicable to more than just the socket chardev?
What's special about the socket chardev?


For 8250 there's no difference between socket and everything else.


Interesting, I didn't know our 8250 emulation had this
retry-and-drop-data logic. Is it feasible to put it into
the chardev layer instead, so that every serial device
can get it without having to manually implement it?



It seems 8250 retries, but never drops data. s->tsr_retry is always
1 when neither G_IO_OUT nor G_IO_HUP happens. In that case, there is
always a asynchronous IO handler (serial_xmit()), which will be scheduled
on event G_IO_OUT, apart from G_IO_HUP. I don't think the event will be
triggered in our this particular case. This eventually has UART_LSR_THRE
cleared in LSR (0x5) to hold upper layer. So there is no data lost if I'm
correct.

It would be very rare running into successive 4 failures in 8250 because
serial_xmit() is called on G_IO_OUT event as G_IO_HUP is rare. I doubt the
logic has been ever used, maybe Marcandre Lureau knows the background.

Thanks,
Gavin

[PATCH 1/2] hw/arm/integratorcp: Map the audio codec controller

[Philippe Mathieu-Daudé]

From: Philippe Mathieu-Daudé 

The Linux kernel displays errors why trying to detect the PL041
audio interface:

  Linux version 4.16.0 (linus@genomnajs) (gcc version 7.2.1 20171011 (Linaro 
GCC 7.2-2017.11)) #142 PREEMPT Wed May 9 13:24:55 CEST 2018
  CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00093177
  CPU: VIVT data cache, VIVT instruction cache
  OF: fdt: Machine model: ARM Integrator/CP
  ...
  OF: amba_device_add() failed (-19) for /fpga/aaci@1d00

Since we have it already modelled, simply plug it.

Signed-off-by: Philippe Mathieu-Daudé 
---
 hw/arm/integratorcp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/arm/integratorcp.c b/hw/arm/integratorcp.c
index 0cd94d9f09..59804140cd 100644
--- a/hw/arm/integratorcp.c
+++ b/hw/arm/integratorcp.c
@@ -644,6 +644,7 @@ static void integratorcp_init(MachineState *machine)
   qdev_get_gpio_in_named(icp, ICP_GPIO_MMC_WPROT, 0));
 qdev_connect_gpio_out(dev, 1,
   qdev_get_gpio_in_named(icp, ICP_GPIO_MMC_CARDIN, 0));
+sysbus_create_varargs("pl041", 0x1d00, pic[25], NULL);
 
 if (nd_table[0].used)
 smc91c111_init(_table[0], 0xc800, pic[27]);
-- 
2.21.1

[RFC PATCH 2/2] hw/arm/integratorcp: Map a CFI parallel flash

[Philippe Mathieu-Daudé]

From: Philippe Mathieu-Daudé 

The Linux kernel displays errors why trying to detect the flash:

  Linux version 4.16.0 (linus@genomnajs) (gcc version 7.2.1 20171011 (Linaro 
GCC 7.2-2017.11)) #142 PREEMPT Wed May 9 13:24:55 CEST 2018
  CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00093177
  CPU: VIVT data cache, VIVT instruction cache
  OF: fdt: Machine model: ARM Integrator/CP
  ...
  of-flash 2400.flash: Integrator/CP flash protection
  of-flash 2400.flash: do_map_probe() failed for type cfi_probe
  of-flash 2400.flash: do_map_probe() failed

Since we have a CFI pflash model available, wire it.
The kernel properly detects it:

  of-flash 2400.flash: Integrator/CP flash protection
  2400.flash: Found 1 x32 devices at 0x0 in 32-bit bank. Manufacturer ID 
0x00 Chip ID 0x00
  Intel/Sharp Extended Query Table at 0x0031
  Using buffer write method

Signed-off-by: Philippe Mathieu-Daudé 
---
RFC because I have no idea of the flash model, its ID code, and which
default CFI family (1 or 2).
---
 hw/arm/integratorcp.c | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/hw/arm/integratorcp.c b/hw/arm/integratorcp.c
index 59804140cd..40cedfd55a 100644
--- a/hw/arm/integratorcp.c
+++ b/hw/arm/integratorcp.c
@@ -8,6 +8,7 @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/units.h"
 #include "qapi/error.h"
 #include "cpu.h"
 #include "hw/sysbus.h"
@@ -24,6 +25,7 @@
 #include "hw/char/pl011.h"
 #include "hw/hw.h"
 #include "hw/irq.h"
+#include "hw/block/flash.h"
 
 #define TYPE_INTEGRATOR_CM "integrator_core"
 #define INTEGRATOR_CM(obj) \
@@ -589,6 +591,7 @@ static void integratorcp_init(MachineState *machine)
 MemoryRegion *ram_alias = g_new(MemoryRegion, 1);
 qemu_irq pic[32];
 DeviceState *dev, *sic, *icp;
+DriveInfo *dinfo;
 int i;
 
 cpuobj = object_new(machine->cpu_type);
@@ -646,6 +649,14 @@ static void integratorcp_init(MachineState *machine)
   qdev_get_gpio_in_named(icp, ICP_GPIO_MMC_CARDIN, 0));
 sysbus_create_varargs("pl041", 0x1d00, pic[25], NULL);
 
+dinfo = drive_get(IF_PFLASH, 0, 0);
+if (!pflash_cfi01_register(0x2400, "pflash", 16 * MiB,
+   dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
+   64 * KiB, 4, 0, 0, 0, 0, 0)) {
+error_report("Error registering flash memory");
+exit(1);
+}
+
 if (nd_table[0].used)
 smc91c111_init(_table[0], 0xc800, pic[27]);
 
-- 
2.21.1

[PATCH 0/2] hw/arm/gumstix: Trivial cleanups

[Philippe Mathieu-Daudé]

From: Philippe Mathieu-Daudé 

Two house keeping patches while looking at the Gumstix boards,
to make the code slightly more readable/documented.

Philippe Mathieu-Daudé (2):
  hw/arm/gumstix: Simplify since the machines are little-endian only
  hw/arm/gumstix: Use the IEC binary prefix definitions

 hw/arm/gumstix.c | 42 ++
 1 file changed, 14 insertions(+), 28 deletions(-)

-- 
2.21.1

[PATCH 2/2] hw/arm/gumstix: Use the IEC binary prefix definitions

[Philippe Mathieu-Daudé]

From: Philippe Mathieu-Daudé 

IEC binary prefixes ease code review: the unit is explicit.

Add a comment describing the Connex uses a Numonyx RC28F128J3F75
flash, and the Verdex uses a Micron RC28F256P30TFA.

Correct the Verdex machine description (we model the 'Pro' board).

Signed-off-by: Philippe Mathieu-Daudé 
---
 hw/arm/gumstix.c | 23 +--
 1 file changed, 9 insertions(+), 14 deletions(-)

diff --git a/hw/arm/gumstix.c b/hw/arm/gumstix.c
index 94904d717b..ca918fda0c 100644
--- a/hw/arm/gumstix.c
+++ b/hw/arm/gumstix.c
@@ -35,6 +35,7 @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/units.h"
 #include "qemu/error-report.h"
 #include "hw/arm/pxa.h"
 #include "net/net.h"
@@ -45,18 +46,14 @@
 #include "sysemu/qtest.h"
 #include "cpu.h"
 
-static const int sector_len = 128 * 1024;
+static const int sector_len = 128 * KiB;
 
 static void connex_init(MachineState *machine)
 {
 PXA2xxState *cpu;
 DriveInfo *dinfo;
-MemoryRegion *address_space_mem = get_system_memory();
 
-uint32_t connex_rom = 0x0100;
-uint32_t connex_ram = 0x0400;
-
-cpu = pxa255_init(address_space_mem, connex_ram);
+cpu = pxa255_init(get_system_memory(), 64 * MiB);
 
 dinfo = drive_get(IF_PFLASH, 0, 0);
 if (!dinfo && !qtest_enabled()) {
@@ -65,7 +62,8 @@ static void connex_init(MachineState *machine)
 exit(1);
 }
 
-if (!pflash_cfi01_register(0x, "connext.rom", connex_rom,
+/* Numonyx RC28F128J3F75 */
+if (!pflash_cfi01_register(0x, "connext.rom", 16 * MiB,
dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
sector_len, 2, 0, 0, 0, 0, 0)) {
 error_report("Error registering flash memory");
@@ -81,12 +79,8 @@ static void verdex_init(MachineState *machine)
 {
 PXA2xxState *cpu;
 DriveInfo *dinfo;
-MemoryRegion *address_space_mem = get_system_memory();
 
-uint32_t verdex_rom = 0x0200;
-uint32_t verdex_ram = 0x1000;
-
-cpu = pxa270_init(address_space_mem, verdex_ram, machine->cpu_type);
+cpu = pxa270_init(get_system_memory(), 256 * MiB, machine->cpu_type);
 
 dinfo = drive_get(IF_PFLASH, 0, 0);
 if (!dinfo && !qtest_enabled()) {
@@ -95,7 +89,8 @@ static void verdex_init(MachineState *machine)
 exit(1);
 }
 
-if (!pflash_cfi01_register(0x, "verdex.rom", verdex_rom,
+/* Micron RC28F256P30TFA */
+if (!pflash_cfi01_register(0x, "verdex.rom", 32 * MiB,
dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
sector_len, 2, 0, 0, 0, 0, 0)) {
 error_report("Error registering flash memory");
@@ -126,7 +121,7 @@ static void verdex_class_init(ObjectClass *oc, void *data)
 {
 MachineClass *mc = MACHINE_CLASS(oc);
 
-mc->desc = "Gumstix Verdex (PXA270)";
+mc->desc = "Gumstix Verdex Pro XL6P COMs (PXA270)";
 mc->init = verdex_init;
 mc->ignore_memory_transaction_failures = true;
 mc->default_cpu_type = ARM_CPU_TYPE_NAME("pxa270-c0");
-- 
2.21.1

[PATCH 1/2] hw/arm/gumstix: Simplify since the machines are little-endian only

[Philippe Mathieu-Daudé]

From: Philippe Mathieu-Daudé 

As the Connex and Verdex machines only boot in little-endian,
we can simplify the code.

Signed-off-by: Philippe Mathieu-Daudé 
---
 hw/arm/gumstix.c | 19 +--
 1 file changed, 5 insertions(+), 14 deletions(-)

diff --git a/hw/arm/gumstix.c b/hw/arm/gumstix.c
index f26a0e8010..94904d717b 100644
--- a/hw/arm/gumstix.c
+++ b/hw/arm/gumstix.c
@@ -51,7 +51,6 @@ static void connex_init(MachineState *machine)
 {
 PXA2xxState *cpu;
 DriveInfo *dinfo;
-int be;
 MemoryRegion *address_space_mem = get_system_memory();
 
 uint32_t connex_rom = 0x0100;
@@ -66,14 +65,9 @@ static void connex_init(MachineState *machine)
 exit(1);
 }
 
-#ifdef TARGET_WORDS_BIGENDIAN
-be = 1;
-#else
-be = 0;
-#endif
 if (!pflash_cfi01_register(0x, "connext.rom", connex_rom,
dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
-   sector_len, 2, 0, 0, 0, 0, be)) {
+   sector_len, 2, 0, 0, 0, 0, 0)) {
 error_report("Error registering flash memory");
 exit(1);
 }
@@ -87,7 +81,6 @@ static void verdex_init(MachineState *machine)
 {
 PXA2xxState *cpu;
 DriveInfo *dinfo;
-int be;
 MemoryRegion *address_space_mem = get_system_memory();
 
 uint32_t verdex_rom = 0x0200;
@@ -102,14 +95,9 @@ static void verdex_init(MachineState *machine)
 exit(1);
 }
 
-#ifdef TARGET_WORDS_BIGENDIAN
-be = 1;
-#else
-be = 0;
-#endif
 if (!pflash_cfi01_register(0x, "verdex.rom", verdex_rom,
dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
-   sector_len, 2, 0, 0, 0, 0, be)) {
+   sector_len, 2, 0, 0, 0, 0, 0)) {
 error_report("Error registering flash memory");
 exit(1);
 }
@@ -152,6 +140,9 @@ static const TypeInfo verdex_type = {
 
 static void gumstix_machine_init(void)
 {
+if (target_words_bigendian()) {
+return;
+}
 type_register_static(_type);
 type_register_static(_type);
 }
-- 
2.21.1

Re: [RFC v3 3/3] ACPI/unit-test: Add a new test for pxb-pcie for arm

[Michael S. Tsirkin]

On Sat, Feb 22, 2020 at 09:40:07AM +, miaoyubo wrote:
> 
> > -Original Message-
> > From: Michael S. Tsirkin [mailto:m...@redhat.com]
> > Sent: Friday, February 21, 2020 7:19 PM
> > To: miaoyubo 
> > Cc: peter.mayd...@linaro.org; shannon.zha...@gmail.com; Xiexiangyou
> > ; imamm...@redhat.com;
> > qemu-devel@nongnu.org
> > Subject: Re: [RFC v3 3/3] ACPI/unit-test: Add a new test for pxb-pcie for 
> > arm
> > 
> > On Fri, Feb 21, 2020 at 02:35:12PM +0800, Yubo Miao wrote:
> > > From: miaoyubo 
> > >
> > > Currently, pxb-pcie could be defined by the cmdline like
> > > --device pxb-pcie,id=pci.9,bus_nr=128 However pxb-pcie is not
> > > described in acpi tables for arm.
> > >
> > > The formal two patches support pxb-pcie for arm, escpcially the
> > > specification for pxb-pcie in DSDT table.
> > >
> > > Add a testcase to make sure the ACPI table is correct for guest.
> > >
> > > Signed-off-by: miaoyubo 
> > 
> > 
> > Please look at the top of tests/qtest/bios-tables-test.c for how to add or
> > update tests.
> > 
> 
> Thanks for replying, I didn't notice that, I would follow the steps to 
> rebuild this patch.
> 
> > > ---
> > >  tests/data/acpi/virt/DSDT.pxb  | Bin 0 -> 34209 bytes
> > > tests/qtest/bios-tables-test.c |  54 +
> > >  2 files changed, 48 insertions(+), 6 deletions(-)  create mode 100644
> > > tests/data/acpi/virt/DSDT.pxb
> > >
> > > diff --git a/tests/data/acpi/virt/DSDT.pxb
> > > b/tests/data/acpi/virt/DSDT.pxb new file mode 100644 index
> > >
> > ..4eea3192c75ff28f7054d626
> > a936
> > > 3ca025b6c0ad
> > > GIT binary patch
> > 
> > I can't read this.
> > 
> 
> I just have a question that is: 
> I just rebuild this aml with tests/data/acpi/rebuild-expected-aml.sh
> and git send it or send the aml with attachment?

git send it pls


> > > literal 34209
> > >
> > zcmeI*cXU+szJ~D)1PGxe5PG+us9-{YGz}UAMT!L#ks?x*Dx!d5hoIP
> > d
> > >
> > z?}}o>iWL;GW5HgrlKbvVM??^)~qbMIProvd|8p2_U*%qO!m?AgcPkRQ( > r)WX
> > >
> > zR3DKyBsMVKK5tZUEMJ#Z3xXj0I{cizY-H-_vUpxu>HLbszg^Hd*
> > >
> > zYT59@{GfDxK}u{$QSzH5MFX?4va_qcnOYVriD$G-YqqdX5KgQUqzA#0T0ymH9a
> > J-P
> > > zt=#;Qdf_)p=V$jH6t9{xXmH68P3ev)8EFlwrs(=X$_(9dxJh>6UU8FZi5vcVla%Bp
> > >
> > zz50)g^-pXvw4i9XAYFAU@nN}Xb+t___n%uw)`
> > 8L
> > >
> > z7F4goX88!*;pB+$X8_2BOj*;OO*!h6xx+mI)uU#l*o>||BPVi3ji?#5Y(|dH
> > >
> > z=oUF6C2B^h<}5a88su#W_0%%JtAk+ikeZ+X7unGJtJq-j+)WHX7uzKy&`9
> > %
> > 
> > ...
> 
> Regards,
> Miao

[PATCH 2/2] net/colo-compare.c: Expose "expired_scan_cycle" to user

[Zhang Chen]

From: Zhang Chen 

The "expired_scan_cycle" determines colo-compare scan expired
net packet cycle.

Signed-off-by: Zhang Chen 
---
 net/colo-compare.c | 48 +++---
 qemu-options.hx|  3 ++-
 2 files changed, 47 insertions(+), 4 deletions(-)

diff --git a/net/colo-compare.c b/net/colo-compare.c
index ec09b2a524..10c0239f9d 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -48,7 +48,6 @@ static NotifierList colo_compare_notifiers =
 #define COLO_COMPARE_FREE_PRIMARY 0x01
 #define COLO_COMPARE_FREE_SECONDARY   0x02
 
-/* TODO: Should be configurable */
 #define REGULAR_PACKET_CHECK_MS 3000
 #define DEFAULT_TIME_OUT_MS 3000
 
@@ -94,6 +93,7 @@ typedef struct CompareState {
 SocketReadState notify_rs;
 bool vnet_hdr;
 uint32_t compare_timeout;
+uint32_t expired_scan_cycle;
 
 /*
  * Record the connection that through the NIC
@@ -823,7 +823,7 @@ static void check_old_packet_regular(void *opaque)
 /* if have old packet we will notify checkpoint */
 colo_old_packet_check(s);
 timer_mod(s->packet_check_timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) +
-REGULAR_PACKET_CHECK_MS);
+  s->expired_scan_cycle);
 }
 
 /* Public API, Used for COLO frame to notify compare event */
@@ -853,7 +853,7 @@ static void colo_compare_timer_init(CompareState *s)
 SCALE_MS, check_old_packet_regular,
 s);
 timer_mod(s->packet_check_timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) +
-REGULAR_PACKET_CHECK_MS);
+  s->expired_scan_cycle);
 }
 
 static void colo_compare_timer_del(CompareState *s)
@@ -1018,6 +1018,39 @@ out:
 error_propagate(errp, local_err);
 }
 
+static void compare_get_expired_scan_cycle(Object *obj, Visitor *v,
+   const char *name, void *opaque,
+   Error **errp)
+{
+CompareState *s = COLO_COMPARE(obj);
+uint32_t value = s->expired_scan_cycle;
+
+visit_type_uint32(v, name, , errp);
+}
+
+static void compare_set_expired_scan_cycle(Object *obj, Visitor *v,
+   const char *name, void *opaque,
+   Error **errp)
+{
+CompareState *s = COLO_COMPARE(obj);
+Error *local_err = NULL;
+uint32_t value;
+
+visit_type_uint32(v, name, , _err);
+if (local_err) {
+goto out;
+}
+if (!value) {
+error_setg(_err, "Property '%s.%s' requires a positive value",
+   object_get_typename(obj), name);
+goto out;
+}
+s->expired_scan_cycle = value;
+
+out:
+error_propagate(errp, local_err);
+}
+
 static void compare_pri_rs_finalize(SocketReadState *pri_rs)
 {
 CompareState *s = container_of(pri_rs, CompareState, pri_rs);
@@ -1129,6 +1162,11 @@ static void colo_compare_complete(UserCreatable *uc, 
Error **errp)
 s->compare_timeout = DEFAULT_TIME_OUT_MS;
 }
 
+if (!s->expired_scan_cycle) {
+/* Set default value to 3000 MS */
+s->expired_scan_cycle = REGULAR_PACKET_CHECK_MS;
+}
+
 if (find_and_check_chardev(, s->pri_indev, errp) ||
 !qemu_chr_fe_init(>chr_pri_in, chr, errp)) {
 return;
@@ -1228,6 +1266,10 @@ static void colo_compare_init(Object *obj)
 compare_get_timeout,
 compare_set_timeout, NULL, NULL, NULL);
 
+object_property_add(obj, "expired_scan_cycle", "uint32",
+compare_get_expired_scan_cycle,
+compare_set_expired_scan_cycle, NULL, NULL, NULL);
+
 s->vnet_hdr = false;
 object_property_add_bool(obj, "vnet_hdr_support", compare_get_vnet_hdr,
  compare_set_vnet_hdr, NULL);
diff --git a/qemu-options.hx b/qemu-options.hx
index 3832d0ae8a..8069428c73 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -4598,7 +4598,7 @@ Dump the network traffic on netdev @var{dev} to the file 
specified by
 The file format is libpcap, so it can be analyzed with tools such as tcpdump
 or Wireshark.
 
-@item -object 
colo-compare,id=@var{id},primary_in=@var{chardevid},secondary_in=@var{chardevid},outdev=@var{chardevid},iothread=@var{id}[,vnet_hdr_support][,notify_dev=@var{id}][,compare_timeout=@var{ms}]
+@item -object 
colo-compare,id=@var{id},primary_in=@var{chardevid},secondary_in=@var{chardevid},outdev=@var{chardevid},iothread=@var{id}[,vnet_hdr_support][,notify_dev=@var{id}][,compare_timeout=@var{ms}][,expired_scan_cycle=@var{ms}]
 
 Colo-compare gets packet from primary_in@var{chardevid} and 
secondary_in@var{chardevid}, than compare primary packet with
 secondary packet. If the packets are same, we will output primary
@@ -4608,6 +4608,7 @@ In order to improve efficiency, we need to put the task 
of comparison
 in another thread. If it has the vnet_hdr_support flag, colo compare
 will send/recv packet with 

[PATCH 0/2] net/colo-compare.c: Expose more COLO internal

[Zhang Chen]

From: Zhang Chen 

Make a way to config COLO parameter detailed according to user cases
and environment.

Zhang Chen (2):
  net/colo-compare.c: Expose "compare_timeout" to user
  net/colo-compare.c: Expose "expired_scan_cycle" to user

 net/colo-compare.c | 95 +++---
 qemu-options.hx|  6 ++-
 2 files changed, 94 insertions(+), 7 deletions(-)

-- 
2.17.1

[PATCH 1/2] net/colo-compare.c: Expose "compare_timeout" to user

[Zhang Chen]

From: Zhang Chen 

The "compare_timeout" determines the max time to hold the primary net packet.
This patch expose the "compare_timeout", make user can
adjest this value according to the specific application scenario.

QMP command demo:
{ "execute": "qom-get",
 "arguments": { "path": "/objects/comp0",
"property": "compare_timeout" } }

{ "execute": "qom-set",
 "arguments": { "path": "/objects/comp0",
"property": "compare_timeout",
"value": 5000} }

Signed-off-by: Zhang Chen 
---
 net/colo-compare.c | 47 --
 qemu-options.hx|  5 +++--
 2 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/net/colo-compare.c b/net/colo-compare.c
index 7ee17f2cf8..ec09b2a524 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -50,6 +50,7 @@ static NotifierList colo_compare_notifiers =
 
 /* TODO: Should be configurable */
 #define REGULAR_PACKET_CHECK_MS 3000
+#define DEFAULT_TIME_OUT_MS 3000
 
 static QemuMutex event_mtx;
 static QemuCond event_complete_cond;
@@ -92,6 +93,7 @@ typedef struct CompareState {
 SocketReadState sec_rs;
 SocketReadState notify_rs;
 bool vnet_hdr;
+uint32_t compare_timeout;
 
 /*
  * Record the connection that through the NIC
@@ -607,10 +609,9 @@ static int colo_old_packet_check_one_conn(Connection *conn,
   CompareState *s)
 {
 GList *result = NULL;
-int64_t check_time = REGULAR_PACKET_CHECK_MS;
 
 result = g_queue_find_custom(>primary_list,
- _time,
+ >compare_timeout,
  (GCompareFunc)colo_old_packet_check_one);
 
 if (result) {
@@ -984,6 +985,39 @@ static void compare_set_notify_dev(Object *obj, const char 
*value, Error **errp)
 s->notify_dev = g_strdup(value);
 }
 
+static void compare_get_timeout(Object *obj, Visitor *v,
+const char *name, void *opaque,
+Error **errp)
+{
+CompareState *s = COLO_COMPARE(obj);
+uint32_t value = s->compare_timeout;
+
+visit_type_uint32(v, name, , errp);
+}
+
+static void compare_set_timeout(Object *obj, Visitor *v,
+const char *name, void *opaque,
+Error **errp)
+{
+CompareState *s = COLO_COMPARE(obj);
+Error *local_err = NULL;
+uint32_t value;
+
+visit_type_uint32(v, name, , _err);
+if (local_err) {
+goto out;
+}
+if (!value) {
+error_setg(_err, "Property '%s.%s' requires a positive value",
+   object_get_typename(obj), name);
+goto out;
+}
+s->compare_timeout = value;
+
+out:
+error_propagate(errp, local_err);
+}
+
 static void compare_pri_rs_finalize(SocketReadState *pri_rs)
 {
 CompareState *s = container_of(pri_rs, CompareState, pri_rs);
@@ -1090,6 +1124,11 @@ static void colo_compare_complete(UserCreatable *uc, 
Error **errp)
 return;
 }
 
+if (!s->compare_timeout) {
+/* Set default value to 3000 MS */
+s->compare_timeout = DEFAULT_TIME_OUT_MS;
+}
+
 if (find_and_check_chardev(, s->pri_indev, errp) ||
 !qemu_chr_fe_init(>chr_pri_in, chr, errp)) {
 return;
@@ -1185,6 +1224,10 @@ static void colo_compare_init(Object *obj)
 compare_get_notify_dev, compare_set_notify_dev,
 NULL);
 
+object_property_add(obj, "compare_timeout", "uint32",
+compare_get_timeout,
+compare_set_timeout, NULL, NULL, NULL);
+
 s->vnet_hdr = false;
 object_property_add_bool(obj, "vnet_hdr_support", compare_get_vnet_hdr,
  compare_set_vnet_hdr, NULL);
diff --git a/qemu-options.hx b/qemu-options.hx
index ac315c1ac4..3832d0ae8a 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -4598,7 +4598,7 @@ Dump the network traffic on netdev @var{dev} to the file 
specified by
 The file format is libpcap, so it can be analyzed with tools such as tcpdump
 or Wireshark.
 
-@item -object 
colo-compare,id=@var{id},primary_in=@var{chardevid},secondary_in=@var{chardevid},outdev=@var{chardevid},iothread=@var{id}[,vnet_hdr_support][,notify_dev=@var{id}]
+@item -object 
colo-compare,id=@var{id},primary_in=@var{chardevid},secondary_in=@var{chardevid},outdev=@var{chardevid},iothread=@var{id}[,vnet_hdr_support][,notify_dev=@var{id}][,compare_timeout=@var{ms}]
 
 Colo-compare gets packet from primary_in@var{chardevid} and 
secondary_in@var{chardevid}, than compare primary packet with
 secondary packet. If the packets are same, we will output primary
@@ -4606,7 +4606,8 @@ packet to outdev@var{chardevid}, else we will notify 
colo-frame
 do checkpoint and send primary packet to outdev@var{chardevid}.
 In order to improve efficiency, we need to put the task of 

Re: [PATCH 1/1] target/riscv: Fix VS mode interrupts forwarding.

[Jose Martins]

No problem. But I'm failing to see what you mean. My reasoning was:
the specification mandates that only VS mode interrupt bits are
writable in hideleg, all the others must be hardwired to zero. This
means the hypervisor can't really delegate S mode interrupts as you
are saying. So, if this is implemented correctly, you will never get
inside that if condition because of an HS interrupt. And all
delegatable asynchronous exception values must be decremented. So,
checking if this is an async exception should do the job.

Jose

On Sun, 23 Feb 2020 at 15:10, Rajnesh Kanwal  wrote:
>
> Hello Jose,
>
> Sorry I didn't see that as it hadn't became a part of the port. I don't know 
> how
> they proceed with same patches.
>
> Just to add, there is a minor problem with your patch. The cause value should
> only be decremented by one for VS mode interrupts. In case if hypervisor has
> delegated S mode interrupts then we should not decrement cause for those
> interrupts.
>
> Regards,
> Rajnesh
>
>
> On Sun, Feb 23, 2020 at 7:41 PM Jose Martins  wrote:
>>
>> Hello rajnesh,
>>
>> I had already submitted almost this exact patch a few weeks ago.
>>
>> Jose
>>
>> On Sun, 23 Feb 2020 at 13:51,  wrote:
>> >
>> > From: Rajnesh Kanwal 
>> >
>> > Currently riscv_cpu_local_irq_pending is used to find out pending
>> > interrupt and VS mode interrupts are being shifted to represent
>> > S mode interrupts in this function. So when the cause returned by
>> > this function is passed to riscv_cpu_do_interrupt to actually
>> > forward the interrupt, the VS mode forwarding check does not work
>> > as intended and interrupt is actually forwarded to hypervisor. This
>> > patch fixes this issue.
>> >
>> > Signed-off-by: Rajnesh Kanwal 
>> > ---
>> >  target/riscv/cpu_helper.c | 9 -
>> >  1 file changed, 8 insertions(+), 1 deletion(-)
>> >
>> > diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
>> > index b9e90dfd9a..59535ecba6 100644
>> > --- a/target/riscv/cpu_helper.c
>> > +++ b/target/riscv/cpu_helper.c
>> > @@ -46,7 +46,7 @@ static int riscv_cpu_local_irq_pending(CPURISCVState 
>> > *env)
>> >  target_ulong pending = env->mip & env->mie &
>> > ~(MIP_VSSIP | MIP_VSTIP | MIP_VSEIP);
>> >  target_ulong vspending = (env->mip & env->mie &
>> > -  (MIP_VSSIP | MIP_VSTIP | MIP_VSEIP)) >> 1;
>> > +  (MIP_VSSIP | MIP_VSTIP | MIP_VSEIP));
>> >
>> >  target_ulong mie= env->priv < PRV_M ||
>> >(env->priv == PRV_M && mstatus_mie);
>> > @@ -900,6 +900,13 @@ void riscv_cpu_do_interrupt(CPUState *cs)
>> >
>> >  if (riscv_cpu_virt_enabled(env) && ((hdeleg >> cause) & 1) &&
>> >  !force_hs_execp) {
>> > +/*
>> > + * See if we need to adjust cause. Yes if its VS mode 
>> > interrupt
>> > + * no if hypervisor has delegated one of hs mode's 
>> > interrupt
>> > + */
>> > +if (cause == IRQ_VS_TIMER || cause == IRQ_VS_SOFT ||
>> > +cause == IRQ_VS_EXT)
>> > +cause = cause - 1;
>> >  /* Trap to VS mode */
>> >  } else if (riscv_cpu_virt_enabled(env)) {
>> >  /* Trap into HS mode, from virt */
>> > --
>> > 2.17.1
>> >
>> >

Re: [PATCH 1/1] target/riscv: Fix VS mode interrupts forwarding.

[Jose Martins]

Hello rajnesh,

I had already submitted almost this exact patch a few weeks ago.

Jose

On Sun, 23 Feb 2020 at 13:51,  wrote:
>
> From: Rajnesh Kanwal 
>
> Currently riscv_cpu_local_irq_pending is used to find out pending
> interrupt and VS mode interrupts are being shifted to represent
> S mode interrupts in this function. So when the cause returned by
> this function is passed to riscv_cpu_do_interrupt to actually
> forward the interrupt, the VS mode forwarding check does not work
> as intended and interrupt is actually forwarded to hypervisor. This
> patch fixes this issue.
>
> Signed-off-by: Rajnesh Kanwal 
> ---
>  target/riscv/cpu_helper.c | 9 -
>  1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
> index b9e90dfd9a..59535ecba6 100644
> --- a/target/riscv/cpu_helper.c
> +++ b/target/riscv/cpu_helper.c
> @@ -46,7 +46,7 @@ static int riscv_cpu_local_irq_pending(CPURISCVState *env)
>  target_ulong pending = env->mip & env->mie &
> ~(MIP_VSSIP | MIP_VSTIP | MIP_VSEIP);
>  target_ulong vspending = (env->mip & env->mie &
> -  (MIP_VSSIP | MIP_VSTIP | MIP_VSEIP)) >> 1;
> +  (MIP_VSSIP | MIP_VSTIP | MIP_VSEIP));
>
>  target_ulong mie= env->priv < PRV_M ||
>(env->priv == PRV_M && mstatus_mie);
> @@ -900,6 +900,13 @@ void riscv_cpu_do_interrupt(CPUState *cs)
>
>  if (riscv_cpu_virt_enabled(env) && ((hdeleg >> cause) & 1) &&
>  !force_hs_execp) {
> +/*
> + * See if we need to adjust cause. Yes if its VS mode 
> interrupt
> + * no if hypervisor has delegated one of hs mode's interrupt
> + */
> +if (cause == IRQ_VS_TIMER || cause == IRQ_VS_SOFT ||
> +cause == IRQ_VS_EXT)
> +cause = cause - 1;
>  /* Trap to VS mode */
>  } else if (riscv_cpu_virt_enabled(env)) {
>  /* Trap into HS mode, from virt */
> --
> 2.17.1
>
>

RE: The issues about architecture of the COLO checkpoint

[Zhang, Chen]

From: Daniel Cho 
Sent: Thursday, February 20, 2020 11:49 AM
To: Zhang, Chen 
Cc: Dr. David Alan Gilbert ; Zhanghailiang 
; qemu-devel@nongnu.org; Jason Wang 

Subject: Re: The issues about architecture of the COLO checkpoint

Hi Zhang,

Thanks, I will configure on code for testing first.
However, if you have free time, could you please send the patch file to us, 
Thanks.

OK, I will send this patch recently.
By the way, can you share QNAP’s plan and status for COLO?

Best Regard,
Daniel Cho


Zhang, Chen mailto:chen.zh...@intel.com>> 於 2020年2月20日 週四 
上午11:07寫道：


On 2/18/2020 5:22 PM, Daniel Cho wrote:
Hi Hailiang,
Thanks for your help. If we have any problems we will contact you for your 
favor.


Hi Zhang,

" If colo-compare got a primary packet without related secondary packet in a 
certain time , it will automatically trigger checkpoint.  "
As you said, the colo-compare will trigger checkpoint, but does it need to 
limit checkpoint times?
There is a problem about doing many checkpoints while we use fio to random 
write files. Then it will cause low throughput on PVM.
Is this situation is normal on COLO?



Hi Daniel,

The checkpoint time is designed to be user adjustable based on user 
environment(workload/network status/business conditions...).

In net/colo-compare.c

/* TODO: Should be configurable */
#define REGULAR_PACKET_CHECK_MS 3000

If you need, I can send a patch for this issue. Make users can change the value 
by QMP and qemu monitor commands.

Thanks

Zhang Chen



Best regards,
Daniel Cho

Zhang, Chen mailto:chen.zh...@intel.com>> 於 2020年2月17日 週一 
下午1:36寫道：


On 2/15/2020 11:35 AM, Daniel Cho wrote:
Hi Dave,

Yes, I agree with you, it does need a timeout.



Hi Daniel and Dave,

Current colo-compare already have the timeout mechanism.

Named packet_check_timer,  It will scan primary packet queue to make sure all 
the primary packet not stay too long time.

If colo-compare got a primary packet without related secondary packet in a 
certain time , it will automatic trigger checkpoint.

https://github.com/qemu/qemu/blob/master/net/colo-compare.c#L847



Thanks

Zhang Chen



Hi Hailiang,

We base on qemu-4.1.0 for using COLO feature, in your patch, we found a lot of 
difference  between your version and ours.
Could you give us a latest release version which is close your developing code?

Thanks.

Regards
Daniel Cho

Dr. David Alan Gilbert mailto:dgilb...@redhat.com>> 於 
2020年2月13日 週四 下午6:38寫道：
* Daniel Cho (daniel...@qnap.com) wrote:
> Hi Hailiang,
>
> 1.
> OK, we will try the patch
> “0001-COLO-Optimize-memory-back-up-process.patch”,
> and thanks for your help.
>
> 2.
> We understand the reason to compare PVM and SVM's packet. However, the
> empty of SVM's packet queue might happened on setting COLO feature and SVM
> broken.
>
> On situation 1 ( setting COLO feature ):
> We could force do checkpoint after setting COLO feature finish, then it
> will protect the state of PVM and SVM . As the Zhang Chen said.
>
> On situation 2 ( SVM broken ):
> COLO will do failover for PVM, so it might not cause any wrong on PVM.
>
> However, those situations are our views, so there might be a big difference
> between reality and our views.
> If we have any wrong views and opinions, please let us know, and correct
> us.

It does need a timeout; the SVM being broken or being in a state where
it never sends the corresponding packet (because of a state difference)
can happen and COLO needs to timeout when the packet hasn't arrived
after a while and trigger the checkpoint.

Dave

> Thanks.
>
> Best regards,
> Daniel Cho
>
> Zhang, Chen mailto:chen.zh...@intel.com>> 於 2020年2月13日 
> 週四 上午10:17寫道：
>
> > Add cc Jason Wang, he is a network expert.
> >
> > In case some network things goes wrong.
> >
> >
> >
> > Thanks
> >
> > Zhang Chen
> >
> >
> >
> > *From:* Zhang, Chen
> > *Sent:* Thursday, February 13, 2020 10:10 AM
> > *To:* 'Zhanghailiang' 
> > mailto:zhang.zhanghaili...@huawei.com>>; 
> > Daniel Cho <
> > daniel...@qnap.com>
> > *Cc:* Dr. David Alan Gilbert 
> > mailto:dgilb...@redhat.com>>; 
> > qemu-devel@nongnu.org
> > *Subject:* RE: The issues about architecture of the COLO checkpoint
> >
> >
> >
> > For the issue 2:
> >
> >
> >
> > COLO need use the network packets to confirm PVM and SVM in the same state,
> >
> > Generally speaking, we can’t send PVM packets without compared with SVM
> > packets.
> >
> > But to prevent jamming, I think COLO can do force checkpoint and send the
> > PVM packets in this case.
> >
> >
> >
> > Thanks
> >
> > Zhang Chen
> >
> >
> >
> > *From:* Zhanghailiang 
> > mailto:zhang.zhanghaili...@huawei.com>>
> > *Sent:* Thursday, February 13, 2020 9:45 AM
> > *To:* Daniel Cho mailto:daniel...@qnap.com>>
> > *Cc:* Dr. David Alan Gilbert 
> > mailto:dgilb...@redhat.com>>; 
> > qemu-devel@nongnu.org;
> > Zhang, Chen mailto:chen.zh...@intel.com>>
> > 

Re: [PATCH] hw/ide: Remove status register read side effect

[BALATON Zoltan]

On Sun, 23 Feb 2020, jasper.low...@bt.com wrote:

ide_exec_cmd 0.461 pid=147030 bus=0x55b77f922d10 state=0x55b77f922d98 cmd=0xef


The command is run here if I'm not mistaken Does this set the irq right 
away on QEMU where on real hadware this may take some time? Not sure if 
that's a problem but trying to understand what's happening.



pci_cfg_read 53.231 pid=147030 dev=b'cmd646-ide' devid=0x3 fnid=0x0 offs=0x50 
val=0x4
ide_ioport_read 35.577 pid=147030 addr=0x7 reg=b'Status' val=0x50 
bus=0x55b77f922d10 s=0x55b77f922d98
ide_ioport_read 29.095 pid=147030 addr=0x7 reg=b'Status' val=0x50 
bus=0x55b77f922d10 s=0x55b77f922d98


So these ide_ioport_read calls clear the irq bit...


ide_ioport_write 19.146 pid=147030 addr=0x6 reg=b'Device/Head' val=0xe0 
bus=0x55b77f922d10 s=0x55b77f922d98
pci_cfg_read 9.468 pid=147030 dev=b'cmd646-ide' devid=0x3 fnid=0x0 offs=0x50 
val=0x0
pci_cfg_read 127.712 pid=147030 dev=b'cmd646-ide' devid=0x3 fnid=0x0 offs=0x50 
val=0x0
pci_cfg_read 101.942 pid=147030 dev=b'cmd646-ide' devid=0x3 fnid=0x0 offs=0x50 
val=0x0


...that would be checked here?


It looks like I've made mistakes in previous comments about the error
and what the problem might be. Excuse my inexperience. Rather than
spinning on ARTTIM23_INTR_CH1 it might be the case that Solaris 10 is
spinning on CFR_INTR_CH0. I think this because of the following trace:

pci_cfg_read 53.231 pid=147030 dev=b'cmd646-ide' devid=0x3 fnid=0x0 offs=0x50 
val=0x4

The two reads on the io status register show that DRDY (drive ready
indicator bit) and DSC (drive seek complete bit). This doesn't look
unusual to me. The error bit is also not set which is reassuring.


What I don't get is why ide_ioport_read is called at all and from where if 
that's meant to emulate legacy ide ISA ioport reads and we have a PCI 
device accessed via PCI regs? Should the device behave differently in 
legacy and native mode with respect of clearing irq bit on register reads?



I read through some of
ftp://ftp.seagate.com/pub/acrobat/reference/111-1c.pdf and I'm confused
by the discussion regarding interrupts and the status register.


INTRQ is cleared when the host reads the status register.


My understand is that INTRQ is the signal from pin 31 on the drive and
that the status register is on the drive. I understand the quoted
statement as when the host (CMD646) reads the status register of the
drive, the drive will lower the interrupt on this pin.

The CMD646 has CFR_INTR_CH0 and ARTTIM23_INTR_CH1 in it's PCI
configuration space. This is necessary to determine the source of an
interrupt when the CMD646 ports are in PCI IDE Native Mode. Are we
saying that when the drive lowers the interrupt, the CMD646 sees this
and then clears CFR_INTR_CH0 and ARTTIM23_INTR_CH1 automatically? If
this were the case then I don't know why there is an interface to clear
them by writing to them.


There's a possibility that software may want to clear bits without reading 
the current value so having a way to do that can be explained.



Also, if reading the ioport status register was enough to clear
CFR_INTR_CH0 and ARTTIM23_INTR_CH1 (specific to CMD646) I can't reason
why Linux, Solaris, and OpenBSD would have specific routines to clear
them (following the CMD646 documentation) rather than just reading the
ioport status register.


But the doc not mentioning irq bits should be cleared on read and drivers 
do it by writing after reading is sufficient evidence that CMD646 likely 
does not clear bits on read.



With the patch, the tracing output changes to this:
ide_ioport_read 128.512 pid=162907 addr=0x7 reg=b'Status' val=0x0 
bus=0x55909512bd10 s=0x55909512c168
ide_ioport_write 22.622 pid=162907 addr=0x6 reg=b'Device/Head' val=0xe0 
bus=0x55909512bd10 s=0x55909512c168
ide_ioport_write 21.330 pid=162907 addr=0x1 reg=b'Features' val=0x3 
bus=0x55909512bd10 s=0x55909512bd98
ide_ioport_write 13.926 pid=162907 addr=0x2 reg=b'Sector Count' val=0x42 
bus=0x55909512bd10 s=0x55909512bd98
ide_ioport_write 9.278 pid=162907 addr=0x7 reg=b'Command' val=0xef 
bus=0x55909512bd10 s=0x55909512bd98
ide_exec_cmd 0.921 pid=162907 bus=0x55909512bd10 state=0x55909512bd98 cmd=0xef
pci_cfg_read 40.647 pid=162907 dev=b'cmd646-ide' devid=0x3 fnid=0x0 offs=0x50 
val=0x4
ide_ioport_read 40.445 pid=162907 addr=0x7 reg=b'Status' val=0x50 
bus=0x55909512bd10 s=0x55909512bd98
ide_ioport_read 31.580 pid=162907 addr=0x7 reg=b'Status' val=0x50 
bus=0x55909512bd10 s=0x55909512bd98
ide_ioport_write 17.923 pid=162907 addr=0x6 reg=b'Device/Head' val=0xe0 
bus=0x55909512bd10 s=0x55909512bd98
pci_cfg_read 10.931 pid=162907 dev=b'cmd646-ide' devid=0x3 fnid=0x0 offs=0x50 
val=0x4
pci_cfg_read 19.136 pid=162907 dev=b'cmd646-ide' devid=0x3 fnid=0x0 offs=0x50 
val=0x4
pci_cfg_write 26.650 pid=162907 dev=b'cmd646-ide' devid=0x3 fnid=0x0 offs=0x50 
val=0x4


The difference here is that status bits still there after ide_ioport_read 
when it gets it via pci_cfg_read than writes to that reg to clear it.



Now there is no 

Re: [PATCH 1/1] target/riscv: Fix VS mode interrupts forwarding.

[Rajnesh Kanwal]

Hello Jose,

Sorry I didn't see that as it hadn't became a part of the port. I don't
know how
they proceed with same patches.

Just to add, there is a minor problem with your patch. The cause value
should
only be decremented by one for VS mode interrupts. In case if hypervisor has
delegated S mode interrupts then we should not decrement cause for those
interrupts.

Regards,
Rajnesh


On Sun, Feb 23, 2020 at 7:41 PM Jose Martins 
wrote:

> Hello rajnesh,
>
> I had already submitted almost this exact patch a few weeks ago.
>
> Jose
>
> On Sun, 23 Feb 2020 at 13:51,  wrote:
> >
> > From: Rajnesh Kanwal 
> >
> > Currently riscv_cpu_local_irq_pending is used to find out pending
> > interrupt and VS mode interrupts are being shifted to represent
> > S mode interrupts in this function. So when the cause returned by
> > this function is passed to riscv_cpu_do_interrupt to actually
> > forward the interrupt, the VS mode forwarding check does not work
> > as intended and interrupt is actually forwarded to hypervisor. This
> > patch fixes this issue.
> >
> > Signed-off-by: Rajnesh Kanwal 
> > ---
> >  target/riscv/cpu_helper.c | 9 -
> >  1 file changed, 8 insertions(+), 1 deletion(-)
> >
> > diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
> > index b9e90dfd9a..59535ecba6 100644
> > --- a/target/riscv/cpu_helper.c
> > +++ b/target/riscv/cpu_helper.c
> > @@ -46,7 +46,7 @@ static int riscv_cpu_local_irq_pending(CPURISCVState
> *env)
> >  target_ulong pending = env->mip & env->mie &
> > ~(MIP_VSSIP | MIP_VSTIP | MIP_VSEIP);
> >  target_ulong vspending = (env->mip & env->mie &
> > -  (MIP_VSSIP | MIP_VSTIP | MIP_VSEIP)) >> 1;
> > +  (MIP_VSSIP | MIP_VSTIP | MIP_VSEIP));
> >
> >  target_ulong mie= env->priv < PRV_M ||
> >(env->priv == PRV_M && mstatus_mie);
> > @@ -900,6 +900,13 @@ void riscv_cpu_do_interrupt(CPUState *cs)
> >
> >  if (riscv_cpu_virt_enabled(env) && ((hdeleg >> cause) & 1)
> &&
> >  !force_hs_execp) {
> > +/*
> > + * See if we need to adjust cause. Yes if its VS mode
> interrupt
> > + * no if hypervisor has delegated one of hs mode's
> interrupt
> > + */
> > +if (cause == IRQ_VS_TIMER || cause == IRQ_VS_SOFT ||
> > +cause == IRQ_VS_EXT)
> > +cause = cause - 1;
> >  /* Trap to VS mode */
> >  } else if (riscv_cpu_virt_enabled(env)) {
> >  /* Trap into HS mode, from virt */
> > --
> > 2.17.1
> >
> >
>

Re: [PATCH v4] Implement the Screamer sound chip for the mac99 machine type

[Howard Spoelstra]

On Fri, Feb 21, 2020 at 1:09 PM Howard Spoelstra  wrote:

>
>
> The current screamer-enabled builds for OSX and Windows are on
> www.emaculation.com ;-)
> As you see from testing, there are reasons why the patches from Mark's
> screamer branch are not in master yet, and these have not all been
> addressed. There still needs to be testing on Linux and certainly on
> Windows builds, and from what I mentioned above that might not be plain
> sailing.
> I guess I'll wait with providing new builds when the patches for both
> openbios and qemu are reviewed and in some repo from which I can build
> easily.
>
> Best,
> Howard
>

Hi,

There is indeed an issue when building your code for Windows.
Whereas the current screamer from Mark just plays sound, a build with your
patches will not.
I need to Ctrl-Alt-G to exit grab, click on the command (cmd.exe) window in
which the Qemu textual output is showing and then grab the mouse again to
get sound. A simple grab exit/grab cycle is not enough, a click somewhere
outside the Qemu window will also not do. Only a click to activate the
command window and then grab again. Happens with both GTK and SDL GUIs.

Command line is:
qemu-system-ppc-master-screamer-john-v4.exe -L pc-bios -boot c -m 256 -M
mac99,via=pmu ^
-drive file=C:\mac-disks\9.2.img ^
-sdl -serial stdio ^
-bios openbios-qemu-screamer-john-v2.elf

Took me ages to find this regularity ;-)

Best,
Howard

[PATCH 1/1] target/riscv: Fix VS mode interrupts forwarding.

[rajnesh . kanwal49]

From: Rajnesh Kanwal 

Currently riscv_cpu_local_irq_pending is used to find out pending
interrupt and VS mode interrupts are being shifted to represent
S mode interrupts in this function. So when the cause returned by
this function is passed to riscv_cpu_do_interrupt to actually
forward the interrupt, the VS mode forwarding check does not work
as intended and interrupt is actually forwarded to hypervisor. This
patch fixes this issue.

Signed-off-by: Rajnesh Kanwal 
---
 target/riscv/cpu_helper.c | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index b9e90dfd9a..59535ecba6 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -46,7 +46,7 @@ static int riscv_cpu_local_irq_pending(CPURISCVState *env)
 target_ulong pending = env->mip & env->mie &
~(MIP_VSSIP | MIP_VSTIP | MIP_VSEIP);
 target_ulong vspending = (env->mip & env->mie &
-  (MIP_VSSIP | MIP_VSTIP | MIP_VSEIP)) >> 1;
+  (MIP_VSSIP | MIP_VSTIP | MIP_VSEIP));
 
 target_ulong mie= env->priv < PRV_M ||
   (env->priv == PRV_M && mstatus_mie);
@@ -900,6 +900,13 @@ void riscv_cpu_do_interrupt(CPUState *cs)
 
 if (riscv_cpu_virt_enabled(env) && ((hdeleg >> cause) & 1) &&
 !force_hs_execp) {
+/*
+ * See if we need to adjust cause. Yes if its VS mode interrupt
+ * no if hypervisor has delegated one of hs mode's interrupt
+ */
+if (cause == IRQ_VS_TIMER || cause == IRQ_VS_SOFT ||
+cause == IRQ_VS_EXT)
+cause = cause - 1;
 /* Trap to VS mode */
 } else if (riscv_cpu_virt_enabled(env)) {
 /* Trap into HS mode, from virt */
-- 
2.17.1

[PATCH RESEND v31 21/22] BootLinuxConsoleTest: Test the RX-Virt machine

[Yoshinori Sato]

From: Philippe Mathieu-Daudé 

Add two tests for the rx-virt machine, based on the recommended test
setup from Yoshinori Sato:
https://lists.gnu.org/archive/html/qemu-devel/2019-05/msg03586.html

- U-Boot prompt
- Linux kernel with Sash shell

These are very quick tests:

  $ avocado run -t arch:rx tests/acceptance/boot_linux_console.py
  JOB ID : 84a6ef01c0b87975ecbfcb31a920afd735753ace
  JOB LOG: 
/home/phil/avocado/job-results/job-2019-05-24T05.02-84a6ef0/job.log
   (1/2) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_rx_uboot: 
PASS (0.11 s)
   (2/2) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_rx_linux: 
PASS (0.45 s)
  RESULTS: PASS 2 | ERROR 0 | FAIL 0 | SKIP 0 | WARN 0 | INTERRUPT 0 | 
CANCEL 0

Tests can also be run with:

  $ avocado --show=console run -t arch:rx tests/acceptance/boot_linux_console.py
  console: U-Boot 2016.05-rc3-23705-ga1ef3c71cb-dirty (Feb 05 2019 - 21:56:06 
+0900)
  console: Linux version 4.19.0+ (yo-satoh@yo-satoh-debian) (gcc version 9.0.0 
20181105 (experimental) (GCC)) #137 Wed Feb 20 23:20:02 JST 2019
  console: Built 1 zonelists, mobility grouping on.  Total pages: 8128
  ...
  console: SuperH (H)SCI(F) driver initialized
  console: 88240.serial: ttySC0 at MMIO 0x88240 (irq = 215, base_baud = 0) is a 
sci
  console: console [ttySC0] enabled
  console: 88248.serial: ttySC1 at MMIO 0x88248 (irq = 219, base_baud = 0) is a 
sci

Signed-off-by: Philippe Mathieu-Daudé 
Based-on: 20190517045136.3509-1-richard.hender...@linaro.org
"RX architecture support"
Signed-off-by: Yoshinori Sato 
---
 tests/acceptance/boot_linux_console.py | 46 ++
 1 file changed, 46 insertions(+)

diff --git a/tests/acceptance/boot_linux_console.py 
b/tests/acceptance/boot_linux_console.py
index 34d37eba3b..367cf480a5 100644
--- a/tests/acceptance/boot_linux_console.py
+++ b/tests/acceptance/boot_linux_console.py
@@ -686,3 +686,49 @@ class BootLinuxConsole(Test):
 tar_hash = '49e88d9933742f0164b60839886c9739cb7a0d34'
 self.vm.add_args('-cpu', 'dc233c')
 self.do_test_advcal_2018('02', tar_hash, 'santas-sleigh-ride.elf')
+
+def test_rx_uboot(self):
+"""
+:avocado: tags=arch:rx
+:avocado: tags=machine:rx-virt
+:avocado: tags=endian:little
+"""
+uboot_url = ('https://acc.dl.osdn.jp/users/23/23888/u-boot.bin.gz')
+uboot_hash = '9b78dbd43b40b2526848c0b1ce9de02c24f4dcdb'
+uboot_path = self.fetch_asset(uboot_url, asset_hash=uboot_hash)
+uboot_path = archive.uncompress(uboot_path, self.workdir)
+
+self.vm.set_machine('rx-virt')
+self.vm.set_console()
+self.vm.add_args('-bios', uboot_path,
+ '-no-reboot')
+self.vm.launch()
+uboot_version = 'U-Boot 2016.05-rc3-23705-ga1ef3c71cb-dirty'
+self.wait_for_console_pattern(uboot_version)
+gcc_version = 'rx-unknown-linux-gcc (GCC) 9.0.0 20181105 
(experimental)'
+# FIXME limit baudrate on chardev, else we type too fast
+#self.exec_command_and_wait_for_pattern('version', gcc_version)
+
+def test_rx_linux(self):
+"""
+:avocado: tags=arch:rx
+:avocado: tags=machine:rx-virt
+:avocado: tags=endian:little
+"""
+dtb_url = ('https://acc.dl.osdn.jp/users/23/23887/rx-qemu.dtb')
+dtb_hash = '7b4e4e2c71905da44e86ce47adee2210b026ac18'
+dtb_path = self.fetch_asset(dtb_url, asset_hash=dtb_hash)
+kernel_url = ('http://acc.dl.osdn.jp/users/23/23845/zImage')
+kernel_hash = '39a81067f8d72faad90866ddfefa19165d68fc99'
+kernel_path = self.fetch_asset(kernel_url, asset_hash=kernel_hash)
+
+self.vm.set_machine('rx-virt')
+self.vm.set_console()
+kernel_command_line = self.KERNEL_COMMON_COMMAND_LINE + 'earlycon'
+self.vm.add_args('-kernel', kernel_path,
+ '-dtb', dtb_path,
+ '-no-reboot')
+self.vm.launch()
+self.wait_for_console_pattern('Sash command shell (version 1.1.1)')
+self.exec_command_and_wait_for_pattern('printenv',
+   'TERM=linux')
-- 
2.20.1

[PATCH RESEND v31 15/22] hw/timer: RX62N internal timer modules

[Yoshinori Sato]

renesas_tmr: 8bit timer modules.
renesas_cmt: 16bit compare match timer modules.
This part use many renesas's CPU.
Hardware manual.
https://www.renesas.com/us/en/doc/products/mpumcu/doc/rx_family/r01uh0033ej0140_rx62n.pdf

Signed-off-by: Yoshinori Sato 
Reviewed-by: Alex Bennée 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20190607091116.49044-7-ys...@users.sourceforge.jp>
Tested-by: Philippe Mathieu-Daudé 
Signed-off-by: Richard Henderson 
---
 include/hw/timer/renesas_cmt.h |  38 +++
 include/hw/timer/renesas_tmr.h |  53 
 hw/timer/renesas_cmt.c | 278 
 hw/timer/renesas_tmr.c | 458 +
 hw/timer/Kconfig   |   6 +
 hw/timer/Makefile.objs |   3 +
 6 files changed, 836 insertions(+)
 create mode 100644 include/hw/timer/renesas_cmt.h
 create mode 100644 include/hw/timer/renesas_tmr.h
 create mode 100644 hw/timer/renesas_cmt.c
 create mode 100644 hw/timer/renesas_tmr.c

diff --git a/include/hw/timer/renesas_cmt.h b/include/hw/timer/renesas_cmt.h
new file mode 100644
index 00..acd25c6e0b
--- /dev/null
+++ b/include/hw/timer/renesas_cmt.h
@@ -0,0 +1,38 @@
+/*
+ * Renesas Compare-match timer Object
+ *
+ * Copyright (c) 2019 Yoshinori Sato
+ *
+ * This code is licensed under the GPL version 2 or later.
+ *
+ */
+
+#ifndef HW_RENESAS_CMT_H
+#define HW_RENESAS_CMT_H
+
+#include "hw/sysbus.h"
+
+#define TYPE_RENESAS_CMT "renesas-cmt"
+#define RCMT(obj) OBJECT_CHECK(RCMTState, (obj), TYPE_RENESAS_CMT)
+
+enum {
+CMT_CH = 2,
+CMT_NR_IRQ = 1 * CMT_CH,
+};
+
+typedef struct RCMTState {
+SysBusDevice parent_obj;
+
+uint64_t input_freq;
+MemoryRegion memory;
+
+uint16_t cmstr;
+uint16_t cmcr[CMT_CH];
+uint16_t cmcnt[CMT_CH];
+uint16_t cmcor[CMT_CH];
+int64_t tick[CMT_CH];
+qemu_irq cmi[CMT_CH];
+QEMUTimer *timer[CMT_CH];
+} RCMTState;
+
+#endif
diff --git a/include/hw/timer/renesas_tmr.h b/include/hw/timer/renesas_tmr.h
new file mode 100644
index 00..5787004c74
--- /dev/null
+++ b/include/hw/timer/renesas_tmr.h
@@ -0,0 +1,53 @@
+/*
+ * Renesas 8bit timer Object
+ *
+ * Copyright (c) 2018 Yoshinori Sato
+ *
+ * This code is licensed under the GPL version 2 or later.
+ *
+ */
+
+#ifndef HW_RENESAS_TMR_H
+#define HW_RENESAS_TMR_H
+
+#include "hw/sysbus.h"
+
+#define TYPE_RENESAS_TMR "renesas-tmr"
+#define RTMR(obj) OBJECT_CHECK(RTMRState, (obj), TYPE_RENESAS_TMR)
+
+enum timer_event {
+cmia = 0,
+cmib = 1,
+ovi = 2,
+none = 3,
+TMR_NR_EVENTS = 4
+};
+
+enum {
+TMR_CH = 2,
+TMR_NR_IRQ = 3 * TMR_CH,
+};
+
+typedef struct RTMRState {
+SysBusDevice parent_obj;
+
+uint64_t input_freq;
+MemoryRegion memory;
+
+uint8_t tcnt[TMR_CH];
+uint8_t tcora[TMR_CH];
+uint8_t tcorb[TMR_CH];
+uint8_t tcr[TMR_CH];
+uint8_t tccr[TMR_CH];
+uint8_t tcor[TMR_CH];
+uint8_t tcsr[TMR_CH];
+int64_t tick;
+int64_t div_round[TMR_CH];
+enum timer_event next[TMR_CH];
+qemu_irq cmia[TMR_CH];
+qemu_irq cmib[TMR_CH];
+qemu_irq ovi[TMR_CH];
+QEMUTimer *timer[TMR_CH];
+} RTMRState;
+
+#endif
diff --git a/hw/timer/renesas_cmt.c b/hw/timer/renesas_cmt.c
new file mode 100644
index 00..574772b89b
--- /dev/null
+++ b/hw/timer/renesas_cmt.c
@@ -0,0 +1,278 @@
+/*
+ * Renesas 16bit Compare-match timer
+ *
+ * Datasheet: RX62N Group, RX621 Group User's Manual: Hardware
+ * (Rev.1.40 R01UH0033EJ0140)
+ *
+ * Copyright (c) 2019 Yoshinori Sato
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "qemu-common.h"
+#include "qemu/log.h"
+#include "qapi/error.h"
+#include "qemu/timer.h"
+#include "cpu.h"
+#include "hw/hw.h"
+#include "hw/irq.h"
+#include "hw/sysbus.h"
+#include "hw/registerfields.h"
+#include "hw/qdev-properties.h"
+#include "hw/timer/renesas_cmt.h"
+#include "migration/vmstate.h"
+#include "qemu/error-report.h"
+
+/*
+ *  +0 CMSTR - common control
+ *  +2 CMCR  - ch0
+ *  +4 CMCNT - ch0
+ *  +6 CMCOR - ch0
+ *  +8 CMCR  - ch1
+ * +10 CMCNT - ch1
+ * +12 CMCOR - ch1
+ * If we think that the address of CH 0 has an offset of +2,
+ * we can treat it with the same address as CH 1, so define it like that.
+ */
+REG16(CMSTR, 0)
+  FIELD(CMSTR, STR0, 0, 1)
+  FIELD(CMSTR, STR1, 1, 1)
+  FIELD(CMSTR, STR,  0, 2)
+/* This addeess is channel offset */
+REG16(CMCR, 0)
+  FIELD(CMCR, CKS, 0, 2)
+  FIELD(CMCR, CMIE, 6, 

[PATCH RESEND v31 04/22] target/rx: TCG translation

[Yoshinori Sato]

This part only supported RXv1 instructions.
Instruction manual.
https://www.renesas.com/us/en/doc/products/mpumcu/doc/rx_family/r01us0032ej0120_rxsm.pdf

Signed-off-by: Yoshinori Sato 
Reviewed-by: Richard Henderson 
Tested-by: Philippe Mathieu-Daudé 
Message-Id: <20190607091116.49044-2-ys...@users.sourceforge.jp>
Tested-by: Philippe Mathieu-Daudé 
Signed-off-by: Richard Henderson 
---
 target/rx/insns.decode  |  621 ++
 target/rx/translate.c   | 2432 +++
 target/rx/Makefile.objs |   12 +
 3 files changed, 3065 insertions(+)
 create mode 100644 target/rx/insns.decode
 create mode 100644 target/rx/translate.c
 create mode 100644 target/rx/Makefile.objs

diff --git a/target/rx/insns.decode b/target/rx/insns.decode
new file mode 100644
index 00..232a61fc8e
--- /dev/null
+++ b/target/rx/insns.decode
@@ -0,0 +1,621 @@
+#
+# Renesas RX instruction decode definitions.
+#
+# Copyright (c) 2019 Richard Henderson 
+# Copyright (c) 2019 Yoshinori Sato 
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, see .
+#
+
+  cd dsp sz
+  dsp sz
+  rs
+rd rs
+rd imm
+   rd rs rs2
+   rd imm rs2
+rd rs ld mi
+rs ld mi imm
+rs ld mi rs2
+  ld sz rd cd
+
+%b1_bdsp   24:3 !function=bdsp_s
+
+@b1_bcnd_s  cd:1 ...dsp=%b1_bdsp sz=1
+@b1_bra_s   dsp=%b1_bdsp sz=1
+
+%b2_r_016:4
+%b2_li_2   18:2 !function=li
+%b2_li_8   24:2 !function=li
+%b2_dsp5_3 23:4 19:1
+
+@b2_rds   rd:4  rs=%b2_r_0
+@b2_rds_li    rd:4  rs2=%b2_r_0 imm=%b2_li_8
+@b2_rds_uimm4    imm:4 rd:4 rs2=%b2_r_0
+@b2_rs2_uimm4    imm:4 rs2:4rd=0
+@b2_rds_imm5    ... imm:5 rd:4  rs2=%b2_r_0
+@b2_rd_rs_li     rs2:4 rd:4 imm=%b2_li_8
+@b2_rd_ld_ub    .. ld:2 rs:4 rd:4   mi=4
+@b2_ld_imm3 .. ld:2 rs:4 . imm:3mi=4
+@b2_bcnd_b  cd:4 dsp:s8 sz=2
+@b2_bra_b    dsp:s8 sz=2
+
+
+
+%b3_r_08:4
+%b3_li_10  18:2 !function=li
+%b3_dsp5_8 23:1 16:4
+%b3_bdsp   8:s8 16:8
+
+@b3_rd_rs      rs:4 rd:4   
+@b3_rs_rd      rd:4 rs:4   
+@b3_rd_li       rd:4 \
+rs2=%b3_r_0 imm=%b3_li_10
+@b3_rd_ld    mi:2  ld:2 rs:4 rd:4  
+@b3_rd_ld_ub      .. ld:2 rs:4 rd:4 mi=4
+@b3_rd_ld_ul      .. ld:2 rs:4 rd:4 mi=2
+@b3_rd_rs_rs2     rd:4 rs:4 rs2:4  
+@b3_rds_imm5     ... imm:5 rd:4 rs2=%b3_r_0
+@b3_rd_rs_imm5   ... imm:5 rs2:4 rd:4  
+@b3_bcnd_w  ... cd:1    dsp=%b3_bdsp sz=3
+@b3_bra_w       dsp=%b3_bdsp sz=3
+@b3_ld_rd_rs      .. ld:2 rs:4 rd:4 mi=0
+@b3_sz_ld_rd_cd   sz:2 ld:2 rd:4 cd:4  
+
+
+
+%b4_li_18  18:2 !function=li
+%b4_dsp_16 0:s8 8:8
+%b4_bdsp   0:s8 8:8 16:8
+
+@b4_rd_ldmi  mi:2  ld:2   rs:4 rd:4
+@b4_bra_a          \
+dsp=%b4_bdsp sz=4
+
+# ABS rd
+ABS_rr 0111 1110 0010  @b2_rds
+# ABS rs, rd
+ABS_rr  1100       @b3_rd_rs
+
+# ADC #imm, rd
+ADC_ir  1101 0111 ..00 0010    @b3_rd_li
+# ADC rs, rd
+ADC_rr  1100  1011     @b3_rd_rs
+# ADC dsp[rs].l, rd
+# Note only mi==2 allowed.
+ADC_mr  0110 ..10 00..  0010   @b4_rd_ldmi
+
+# ADD #uimm4, rd
+ADD_irr0110 0010   @b2_rds_uimm4
+# ADD #imm, rs, rd
+ADD_irr0111 00..   @b2_rd_rs_li
+# ADD dsp[rs].ub, rd
+# ADD rs, rd
+ADD_mr 0100 10..   @b2_rd_ld_ub
+# ADD dsp[rs], rd
+ADD_mr  0110 ..00 10..     @b3_rd_ld
+# ADD rs, rs2, rd
+ADD_rrr  0010      @b3_rd_rs_rs2
+
+# 

[PATCH RESEND v31 16/22] hw/char: RX62N serial communication interface (SCI)

[Yoshinori Sato]

This module supported only non FIFO type.
Hardware manual.
https://www.renesas.com/us/en/doc/products/mpumcu/doc/rx_family/r01uh0033ej0140_rx62n.pdf

Signed-off-by: Yoshinori Sato 
Reviewed-by: Alex Bennée 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20190607091116.49044-8-ys...@users.sourceforge.jp>
Tested-by: Philippe Mathieu-Daudé 
Signed-off-by: Richard Henderson 
---
 include/hw/char/renesas_sci.h |  45 +
 hw/char/renesas_sci.c | 342 ++
 hw/char/Kconfig   |   3 +
 hw/char/Makefile.objs |   1 +
 4 files changed, 391 insertions(+)
 create mode 100644 include/hw/char/renesas_sci.h
 create mode 100644 hw/char/renesas_sci.c

diff --git a/include/hw/char/renesas_sci.h b/include/hw/char/renesas_sci.h
new file mode 100644
index 00..50d1336944
--- /dev/null
+++ b/include/hw/char/renesas_sci.h
@@ -0,0 +1,45 @@
+/*
+ * Renesas Serial Communication Interface
+ *
+ * Copyright (c) 2018 Yoshinori Sato
+ *
+ * This code is licensed under the GPL version 2 or later.
+ *
+ */
+
+#include "chardev/char-fe.h"
+#include "qemu/timer.h"
+#include "hw/sysbus.h"
+
+#define TYPE_RENESAS_SCI "renesas-sci"
+#define RSCI(obj) OBJECT_CHECK(RSCIState, (obj), TYPE_RENESAS_SCI)
+
+enum {
+ERI = 0,
+RXI = 1,
+TXI = 2,
+TEI = 3,
+SCI_NR_IRQ = 4,
+};
+
+typedef struct {
+SysBusDevice parent_obj;
+MemoryRegion memory;
+
+uint8_t smr;
+uint8_t brr;
+uint8_t scr;
+uint8_t tdr;
+uint8_t ssr;
+uint8_t rdr;
+uint8_t scmr;
+uint8_t semr;
+
+uint8_t read_ssr;
+int64_t trtime;
+int64_t rx_next;
+QEMUTimer *timer;
+CharBackend chr;
+uint64_t input_freq;
+qemu_irq irq[SCI_NR_IRQ];
+} RSCIState;
diff --git a/hw/char/renesas_sci.c b/hw/char/renesas_sci.c
new file mode 100644
index 00..0760a51f43
--- /dev/null
+++ b/hw/char/renesas_sci.c
@@ -0,0 +1,342 @@
+/*
+ * Renesas Serial Communication Interface
+ *
+ * Datasheet: RX62N Group, RX621 Group User's Manual: Hardware
+ * (Rev.1.40 R01UH0033EJ0140)
+ *
+ * Copyright (c) 2019 Yoshinori Sato
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/log.h"
+#include "qapi/error.h"
+#include "qemu-common.h"
+#include "hw/hw.h"
+#include "hw/irq.h"
+#include "hw/sysbus.h"
+#include "hw/registerfields.h"
+#include "hw/qdev-properties.h"
+#include "hw/char/renesas_sci.h"
+#include "migration/vmstate.h"
+#include "qemu/error-report.h"
+
+/* SCI register map */
+REG8(SMR, 0)
+  FIELD(SMR, CKS,  0, 2)
+  FIELD(SMR, MP,   2, 1)
+  FIELD(SMR, STOP, 3, 1)
+  FIELD(SMR, PM,   4, 1)
+  FIELD(SMR, PE,   5, 1)
+  FIELD(SMR, CHR,  6, 1)
+  FIELD(SMR, CM,   7, 1)
+REG8(BRR, 1)
+REG8(SCR, 2)
+  FIELD(SCR, CKE, 0, 2)
+  FIELD(SCR, TEIE, 2, 1)
+  FIELD(SCR, MPIE, 3, 1)
+  FIELD(SCR, RE,   4, 1)
+  FIELD(SCR, TE,   5, 1)
+  FIELD(SCR, RIE,  6, 1)
+  FIELD(SCR, TIE,  7, 1)
+REG8(TDR, 3)
+REG8(SSR, 4)
+  FIELD(SSR, MPBT, 0, 1)
+  FIELD(SSR, MPB,  1, 1)
+  FIELD(SSR, TEND, 2, 1)
+  FIELD(SSR, ERR, 3, 3)
+FIELD(SSR, PER,  3, 1)
+FIELD(SSR, FER,  4, 1)
+FIELD(SSR, ORER, 5, 1)
+  FIELD(SSR, RDRF, 6, 1)
+  FIELD(SSR, TDRE, 7, 1)
+REG8(RDR, 5)
+REG8(SCMR, 6)
+  FIELD(SCMR, SMIF, 0, 1)
+  FIELD(SCMR, SINV, 2, 1)
+  FIELD(SCMR, SDIR, 3, 1)
+  FIELD(SCMR, BCP2, 7, 1)
+REG8(SEMR, 7)
+  FIELD(SEMR, ACS0, 0, 1)
+  FIELD(SEMR, ABCS, 4, 1)
+
+static int can_receive(void *opaque)
+{
+RSCIState *sci = RSCI(opaque);
+if (sci->rx_next > qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)) {
+return 0;
+} else {
+return FIELD_EX8(sci->scr, SCR, RE);
+}
+}
+
+static void receive(void *opaque, const uint8_t *buf, int size)
+{
+RSCIState *sci = RSCI(opaque);
+sci->rx_next = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + sci->trtime;
+if (FIELD_EX8(sci->ssr, SSR, RDRF) || size > 1) {
+sci->ssr = FIELD_DP8(sci->ssr, SSR, ORER, 1);
+if (FIELD_EX8(sci->scr, SCR, RIE)) {
+qemu_set_irq(sci->irq[ERI], 1);
+}
+} else {
+sci->rdr = buf[0];
+sci->ssr = FIELD_DP8(sci->ssr, SSR, RDRF, 1);
+if (FIELD_EX8(sci->scr, SCR, RIE)) {
+qemu_irq_pulse(sci->irq[RXI]);
+}
+}
+}
+
+static void send_byte(RSCIState *sci)
+{
+if (qemu_chr_fe_backend_connected(>chr)) {
+qemu_chr_fe_write_all(>chr, >tdr, 1);
+}
+timer_mod(sci->timer,
+  

[PATCH RESEND v31 07/22] target/rx: RX disassembler

[Yoshinori Sato]

Signed-off-by: Yoshinori Sato 
Reviewed-by: Richard Henderson 
Tested-by: Philippe Mathieu-Daudé 
Message-Id: <20190607091116.49044-5-ys...@users.sourceforge.jp>
Signed-off-by: Richard Henderson 
---
 include/disas/dis-asm.h |5 +
 target/rx/disas.c   | 1480 +++
 2 files changed, 1485 insertions(+)
 create mode 100644 target/rx/disas.c

diff --git a/include/disas/dis-asm.h b/include/disas/dis-asm.h
index f87f468809..c5f9fa08ab 100644
--- a/include/disas/dis-asm.h
+++ b/include/disas/dis-asm.h
@@ -226,6 +226,10 @@ enum bfd_architecture
 #define bfd_mach_nios2r22
   bfd_arch_lm32,   /* Lattice Mico32 */
 #define bfd_mach_lm32 1
+  bfd_arch_rx,   /* Renesas RX */
+#define bfd_mach_rx0x75
+#define bfd_mach_rx_v2 0x76
+#define bfd_mach_rx_v3 0x77
   bfd_arch_last
   };
 #define bfd_mach_s390_31 31
@@ -436,6 +440,7 @@ int print_insn_little_nios2 (bfd_vma, 
disassemble_info*);
 int print_insn_xtensa   (bfd_vma, disassemble_info*);
 int print_insn_riscv32  (bfd_vma, disassemble_info*);
 int print_insn_riscv64  (bfd_vma, disassemble_info*);
+int print_insn_rx(bfd_vma, disassemble_info *);
 
 #if 0
 /* Fetch the disassembler for a given BFD, if that support is available.  */
diff --git a/target/rx/disas.c b/target/rx/disas.c
new file mode 100644
index 00..8cada4825d
--- /dev/null
+++ b/target/rx/disas.c
@@ -0,0 +1,1480 @@
+/*
+ * Renesas RX Disassembler
+ *
+ * Copyright (c) 2019 Yoshinori Sato 
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "disas/dis-asm.h"
+#include "qemu/bitops.h"
+#include "cpu.h"
+
+typedef struct DisasContext {
+disassemble_info *dis;
+uint32_t addr;
+uint32_t pc;
+} DisasContext;
+
+
+static uint32_t decode_load_bytes(DisasContext *ctx, uint32_t insn,
+   int i, int n)
+{
+bfd_byte buf;
+while (++i <= n) {
+ctx->dis->read_memory_func(ctx->addr++, , 1, ctx->dis);
+insn |= buf << (32 - i * 8);
+}
+return insn;
+}
+
+static int32_t li(DisasContext *ctx, int sz)
+{
+int32_t addr;
+bfd_byte buf[4];
+addr = ctx->addr;
+
+switch (sz) {
+case 1:
+ctx->addr += 1;
+ctx->dis->read_memory_func(addr, buf, 1, ctx->dis);
+return (int8_t)buf[0];
+case 2:
+ctx->addr += 2;
+ctx->dis->read_memory_func(addr, buf, 2, ctx->dis);
+return ldsw_le_p(buf);
+case 3:
+ctx->addr += 3;
+ctx->dis->read_memory_func(addr, buf, 3, ctx->dis);
+return (int8_t)buf[2] << 16 | lduw_le_p(buf);
+case 0:
+ctx->addr += 4;
+ctx->dis->read_memory_func(addr, buf, 4, ctx->dis);
+return ldl_le_p(buf);
+default:
+g_assert_not_reached();
+}
+}
+
+static int bdsp_s(DisasContext *ctx, int d)
+{
+/*
+ * 0 -> 8
+ * 1 -> 9
+ * 2 -> 10
+ * 3 -> 3
+ * :
+ * 7 -> 7
+ */
+if (d < 3) {
+d += 8;
+}
+return d;
+}
+
+/* Include the auto-generated decoder.  */
+#include "decode.inc.c"
+
+#define prt(...) (ctx->dis->fprintf_func)((ctx->dis->stream), __VA_ARGS__)
+
+#define RX_MEMORY_BYTE 0
+#define RX_MEMORY_WORD 1
+#define RX_MEMORY_LONG 2
+
+#define RX_IM_BYTE 0
+#define RX_IM_WORD 1
+#define RX_IM_LONG 2
+#define RX_IM_UWORD 3
+
+static const char size[] = {'b', 'w', 'l'};
+static const char cond[][4] = {
+"eq", "ne", "c", "nc", "gtu", "leu", "pz", "n",
+"ge", "lt", "gt", "le", "o", "no", "ra", "f"
+};
+static const char psw[] = {
+'c', 'z', 's', 'o', 0, 0, 0, 0,
+'i', 'u', 0, 0, 0, 0, 0, 0,
+};
+
+static uint32_t rx_index_addr(int ld, int size, DisasContext *ctx)
+{
+bfd_byte buf[2];
+switch (ld) {
+case 0:
+return 0;
+case 1:
+ctx->dis->read_memory_func(ctx->addr, buf, 1, ctx->dis);
+ctx->addr += 1;
+return ((uint8_t)buf[0]) << size;
+case 2:
+ctx->dis->read_memory_func(ctx->addr, buf, 2, ctx->dis);
+ctx->addr += 2;
+return lduw_le_p(buf) << size;
+}
+g_assert_not_reached();
+}
+
+static void operand(DisasContext *ctx, int ld, int mi, int rs, int rd)
+{
+int dsp;
+static const char sizes[][4] = {".b", ".w", ".l", ".uw", ".ub"};
+if (ld < 3) {
+switch (mi) {
+case 4:
+/* dsp[rs].ub */
+dsp = rx_index_addr(ld, 

[PATCH RESEND v31 17/22] hw/rx: RX Target hardware definition

[Yoshinori Sato]

rx62n - RX62N cpu.
rx-virt - RX QEMU virtual target.

Signed-off-by: Yoshinori Sato 

Message-Id: <20190616142836.10614-17-ys...@users.sourceforge.jp>
Tested-by: Philippe Mathieu-Daudé 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20190607091116.49044-9-ys...@users.sourceforge.jp>
Signed-off-by: Richard Henderson 
[PMD: Use TYPE_RX62N_CPU, use #define for RX62N_NR_TMR/CMT/SCI,
 renamed CPU -> MCU, device -> microcontroller]
Signed-off-by: Philippe Mathieu-Daudé 
---
v23 changes.
Add missing includes.

v21 changes.
rx_load_image move to rx-virt.c

v19: Fixed typo (Peter Maydell)
Signed-off-by: Yoshinori Sato 
---
 include/hw/rx/rx.h|   7 ++
 include/hw/rx/rx62n.h |  91 
 hw/rx/rx-virt.c   | 142 +
 hw/rx/rx62n.c | 239 ++
 hw/rx/Kconfig |  14 +++
 hw/rx/Makefile.objs   |   2 +
 6 files changed, 495 insertions(+)
 create mode 100644 include/hw/rx/rx.h
 create mode 100644 include/hw/rx/rx62n.h
 create mode 100644 hw/rx/rx-virt.c
 create mode 100644 hw/rx/rx62n.c
 create mode 100644 hw/rx/Kconfig
 create mode 100644 hw/rx/Makefile.objs

diff --git a/include/hw/rx/rx.h b/include/hw/rx/rx.h
new file mode 100644
index 00..ff5924b81f
--- /dev/null
+++ b/include/hw/rx/rx.h
@@ -0,0 +1,7 @@
+#ifndef QEMU_RX_H
+#define QEMU_RX_H
+/* Definitions for RX board emulation.  */
+
+#include "target/rx/cpu-qom.h"
+
+#endif
diff --git a/include/hw/rx/rx62n.h b/include/hw/rx/rx62n.h
new file mode 100644
index 00..97ea8ddb8e
--- /dev/null
+++ b/include/hw/rx/rx62n.h
@@ -0,0 +1,91 @@
+/*
+ * RX62N MCU Object
+ *
+ * Datasheet: RX62N Group, RX621 Group User's Manual: Hardware
+ * (Rev.1.40 R01UH0033EJ0140)
+ *
+ * Copyright (c) 2019 Yoshinori Sato
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see .
+ */
+
+#ifndef HW_RX_RX62N_H
+#define HW_RX_RX62N_H
+
+#include "hw/sysbus.h"
+#include "hw/intc/rx_icu.h"
+#include "hw/timer/renesas_tmr.h"
+#include "hw/timer/renesas_cmt.h"
+#include "hw/char/renesas_sci.h"
+#include "target/rx/cpu.h"
+#include "qemu/units.h"
+
+#define TYPE_RX62N "rx62n"
+#define RX62N(obj) OBJECT_CHECK(RX62NState, (obj), TYPE_RX62N)
+
+#define RX62N_NR_TMR2
+#define RX62N_NR_CMT2
+#define RX62N_NR_SCI6
+
+typedef struct RX62NState {
+SysBusDevice parent_obj;
+
+RXCPU cpu;
+RXICUState icu;
+RTMRState tmr[RX62N_NR_TMR];
+RCMTState cmt[RX62N_NR_CMT];
+RSCIState sci[RX62N_NR_SCI];
+
+MemoryRegion *sysmem;
+bool kernel;
+
+MemoryRegion iram;
+MemoryRegion iomem1;
+MemoryRegion d_flash;
+MemoryRegion iomem2;
+MemoryRegion iomem3;
+MemoryRegion c_flash;
+qemu_irq irq[NR_IRQS];
+} RX62NState;
+
+/*
+ * RX62N Peripheral Address
+ * See users manual section 5
+ */
+#define RX62N_ICUBASE 0x00087000
+#define RX62N_TMRBASE 0x00088200
+#define RX62N_CMTBASE 0x00088000
+#define RX62N_SCIBASE 0x00088240
+
+/*
+ * RX62N Peripheral IRQ
+ * See users manual section 11
+ */
+#define RX62N_TMR_IRQBASE 174
+#define RX62N_CMT_IRQBASE 28
+#define RX62N_SCI_IRQBASE 214
+
+/*
+ * RX62N Internal Memory
+ * It is the value of R5F562N8.
+ * Please change the size for R5F562N7.
+ */
+#define RX62N_IRAM_BASE 0x
+#define RX62N_IRAM_SIZE (96 * KiB)
+#define RX62N_DFLASH_BASE 0x0010
+#define RX62N_DFLASH_SIZE (32 * KiB)
+#define RX62N_CFLASH_BASE 0xfff8
+#define RX62N_CFLASH_SIZE (512 * KiB)
+
+#define RX62N_PCLK (48 * 1000 * 1000)
+#endif
diff --git a/hw/rx/rx-virt.c b/hw/rx/rx-virt.c
new file mode 100644
index 00..38c9e55221
--- /dev/null
+++ b/hw/rx/rx-virt.c
@@ -0,0 +1,142 @@
+/*
+ * RX QEMU virtual platform
+ *
+ * Copyright (c) 2019 Yoshinori Sato
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "qemu-common.h"
+#include "cpu.h"
+#include "hw/hw.h"

[PATCH RESEND v31 14/22] hw/intc: RX62N interrupt controller (ICUa)

[Yoshinori Sato]

This implementation supported only ICUa.
Hardware manual.
https://www.renesas.com/us/en/doc/products/mpumcu/doc/rx_family/r01uh0033ej0140_rx62n.pdf

Signed-off-by: Yoshinori Sato 
Reviewed-by: Alex Bennée 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20190607091116.49044-6-ys...@users.sourceforge.jp>
Tested-by: Philippe Mathieu-Daudé 
Signed-off-by: Richard Henderson 
---
 include/hw/intc/rx_icu.h |  56 ++
 hw/intc/rx_icu.c | 379 +++
 hw/intc/Kconfig  |   3 +
 hw/intc/Makefile.objs|   1 +
 4 files changed, 439 insertions(+)
 create mode 100644 include/hw/intc/rx_icu.h
 create mode 100644 hw/intc/rx_icu.c

diff --git a/include/hw/intc/rx_icu.h b/include/hw/intc/rx_icu.h
new file mode 100644
index 00..acfcf06aef
--- /dev/null
+++ b/include/hw/intc/rx_icu.h
@@ -0,0 +1,56 @@
+#ifndef RX_ICU_H
+#define RX_ICU_H
+
+#include "qemu-common.h"
+#include "hw/irq.h"
+
+enum TRG_MODE {
+TRG_LEVEL = 0,
+TRG_NEDGE = 1,  /* Falling */
+TRG_PEDGE = 2,  /* Raising */
+TRG_BEDGE = 3,  /* Both */
+};
+
+struct IRQSource {
+enum TRG_MODE sense;
+int level;
+};
+
+enum {
+/* Software interrupt request */
+SWI = 27,
+NR_IRQS = 256,
+};
+
+struct RXICUState {
+SysBusDevice parent_obj;
+
+MemoryRegion memory;
+struct IRQSource src[NR_IRQS];
+char *icutype;
+uint32_t nr_irqs;
+uint32_t *map;
+uint32_t nr_sense;
+uint32_t *init_sense;
+
+uint8_t ir[NR_IRQS];
+uint8_t dtcer[NR_IRQS];
+uint8_t ier[NR_IRQS / 8];
+uint8_t ipr[142];
+uint8_t dmasr[4];
+uint16_t fir;
+uint8_t nmisr;
+uint8_t nmier;
+uint8_t nmiclr;
+uint8_t nmicr;
+int req_irq;
+qemu_irq _irq;
+qemu_irq _fir;
+qemu_irq _swi;
+};
+typedef struct RXICUState RXICUState;
+
+#define TYPE_RXICU "rx-icu"
+#define RXICU(obj) OBJECT_CHECK(RXICUState, (obj), TYPE_RXICU)
+
+#endif /* RX_ICU_H */
diff --git a/hw/intc/rx_icu.c b/hw/intc/rx_icu.c
new file mode 100644
index 00..ab9a300467
--- /dev/null
+++ b/hw/intc/rx_icu.c
@@ -0,0 +1,379 @@
+/*
+ * RX Interrupt Control Unit
+ *
+ * Warning: Only ICUa is supported.
+ *
+ * Datasheet: RX62N Group, RX621 Group User's Manual: Hardware
+ * (Rev.1.40 R01UH0033EJ0140)
+ *
+ * Copyright (c) 2019 Yoshinori Sato
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "qemu-common.h"
+#include "qemu/log.h"
+#include "qapi/error.h"
+#include "cpu.h"
+#include "hw/hw.h"
+#include "hw/irq.h"
+#include "hw/sysbus.h"
+#include "hw/registerfields.h"
+#include "hw/qdev-properties.h"
+#include "hw/intc/rx_icu.h"
+#include "migration/vmstate.h"
+#include "qemu/error-report.h"
+
+REG8(IR, 0)
+  FIELD(IR, IR,  0, 1)
+REG8(DTCER, 0x100)
+  FIELD(DTCER, DTCE,  0, 1)
+REG8(IER, 0x200)
+REG8(SWINTR, 0x2e0)
+  FIELD(SWINTR, SWINT, 0, 1)
+REG16(FIR, 0x2f0)
+  FIELD(FIR, FVCT, 0, 8)
+  FIELD(FIR, FIEN, 15, 1)
+REG8(IPR, 0x300)
+  FIELD(IPR, IPR, 0, 4)
+REG8(DMRSR, 0x400)
+REG8(IRQCR, 0x500)
+  FIELD(IRQCR, IRQMD, 2, 2)
+REG8(NMISR, 0x580)
+  FIELD(NMISR, NMIST, 0, 1)
+  FIELD(NMISR, LVDST, 1, 1)
+  FIELD(NMISR, OSTST, 2, 1)
+REG8(NMIER, 0x581)
+  FIELD(NMIER, NMIEN, 0, 1)
+  FIELD(NMIER, LVDEN, 1, 1)
+  FIELD(NMIER, OSTEN, 2, 1)
+REG8(NMICLR, 0x582)
+  FIELD(NMICLR, NMICLR, 0, 1)
+  FIELD(NMICLR, OSTCLR, 2, 1)
+REG8(NMICR, 0x583)
+  FIELD(NMICR, NMIMD, 3, 1)
+
+#define request(icu, n) (icu->ipr[icu->map[n]] << 8 | n)
+
+static void set_irq(RXICUState *icu, int n_IRQ, int req)
+{
+if ((icu->fir & R_FIR_FIEN_MASK) &&
+(icu->fir & R_FIR_FVCT_MASK) == n_IRQ) {
+qemu_set_irq(icu->_fir, req);
+} else {
+qemu_set_irq(icu->_irq, req);
+}
+}
+
+static void rxicu_request(RXICUState *icu, int n_IRQ)
+{
+int enable;
+
+enable = icu->ier[n_IRQ / 8] & (1 << (n_IRQ & 7));
+if (n_IRQ > 0 && enable != 0 && atomic_read(>req_irq) < 0) {
+atomic_set(>req_irq, n_IRQ);
+set_irq(icu, n_IRQ, request(icu, n_IRQ));
+}
+}
+
+static void rxicu_set_irq(void *opaque, int n_IRQ, int level)
+{
+RXICUState *icu = opaque;
+struct IRQSource *src;
+int issue;
+
+if (n_IRQ >= NR_IRQS) {
+error_report("%s: IRQ %d out of range", __func__, n_IRQ);
+return;
+}
+
+src = >src[n_IRQ];
+
+level = (level != 0);
+switch (src->sense) {
+case TRG_LEVEL:
+/* level-sensitive irq */

[PATCH RESEND v31 09/22] target/rx: Replace operand with prt_ldmi in disassembler

[Yoshinori Sato]

From: Richard Henderson 

This has consistency with prt_ri().  It loads all data before
beginning output.  It uses exactly one call to prt() to emit
the full instruction.

Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Yoshinori Sato 
Signed-off-by: Yoshinori Sato 
Message-Id: <20190607091116.49044-20-ys...@users.sourceforge.jp>
Tested-by: Philippe Mathieu-Daudé 
Signed-off-by: Richard Henderson 
---
 target/rx/disas.c | 77 +--
 1 file changed, 27 insertions(+), 50 deletions(-)

diff --git a/target/rx/disas.c b/target/rx/disas.c
index 64342537ee..515b365528 100644
--- a/target/rx/disas.c
+++ b/target/rx/disas.c
@@ -135,18 +135,18 @@ static void rx_index_addr(DisasContext *ctx, char out[8], 
int ld, int mi)
 sprintf(out, "%u", dsp << (mi < 3 ? mi : 4 - mi));
 }
 
-static void operand(DisasContext *ctx, int ld, int mi, int rs, int rd)
+static void prt_ldmi(DisasContext *ctx, const char *insn,
+ int ld, int mi, int rs, int rd)
 {
 static const char sizes[][4] = {".b", ".w", ".l", ".uw", ".ub"};
 char dsp[8];
 
 if (ld < 3) {
 rx_index_addr(ctx, dsp, ld, mi);
-prt("%s[r%d]%s", dsp, rs, sizes[mi]);
+prt("%s\t%s[r%d]%s, r%d", insn, dsp, rs, sizes[mi], rd);
 } else {
-prt("r%d", rs);
+prt("%s\tr%d, r%d", insn, rs, rd);
 }
-prt(", r%d", rd);
 }
 
 static void prt_ir(DisasContext *ctx, const char *insn, int imm, int rd)
@@ -416,8 +416,7 @@ static bool trans_AND_ir(DisasContext *ctx, arg_AND_ir *a)
 /* and rs,rd */
 static bool trans_AND_mr(DisasContext *ctx, arg_AND_mr *a)
 {
-prt("and\t");
-operand(ctx, a->ld, a->mi, a->rs, a->rd);
+prt_ldmi(ctx, "and", a->ld, a->mi, a->rs, a->rd);
 return true;
 }
 
@@ -440,8 +439,7 @@ static bool trans_OR_ir(DisasContext *ctx, arg_OR_ir *a)
 /* or rs,rd */
 static bool trans_OR_mr(DisasContext *ctx, arg_OR_mr *a)
 {
-prt("or\t");
-operand(ctx, a->ld, a->mi, a->rs, a->rd);
+prt_ldmi(ctx, "or", a->ld, a->mi, a->rs, a->rd);
 return true;
 }
 
@@ -463,8 +461,7 @@ static bool trans_XOR_ir(DisasContext *ctx, arg_XOR_ir *a)
 /* xor rs,rd */
 static bool trans_XOR_mr(DisasContext *ctx, arg_XOR_mr *a)
 {
-prt("xor\t");
-operand(ctx, a->ld, a->mi, a->rs, a->rd);
+prt_ldmi(ctx, "xor", a->ld, a->mi, a->rs, a->rd);
 return true;
 }
 
@@ -479,8 +476,7 @@ static bool trans_TST_ir(DisasContext *ctx, arg_TST_ir *a)
 /* tst rs, rd */
 static bool trans_TST_mr(DisasContext *ctx, arg_TST_mr *a)
 {
-prt("tst\t");
-operand(ctx, a->ld, a->mi, a->rs, a->rd);
+prt_ldmi(ctx, "tst", a->ld, a->mi, a->rs, a->rd);
 return true;
 }
 
@@ -548,8 +544,7 @@ static bool trans_ADD_irr(DisasContext *ctx, arg_ADD_irr *a)
 /* add dsp[rs], rd */
 static bool trans_ADD_mr(DisasContext *ctx, arg_ADD_mr *a)
 {
-prt("add\t");
-operand(ctx, a->ld, a->mi, a->rs, a->rd);
+prt_ldmi(ctx, "add", a->ld, a->mi, a->rs, a->rd);
 return true;
 }
 
@@ -573,8 +568,7 @@ static bool trans_CMP_ir(DisasContext *ctx, arg_CMP_ir *a)
 /* cmp dsp[rs], rs2 */
 static bool trans_CMP_mr(DisasContext *ctx, arg_CMP_mr *a)
 {
-prt("cmp\t");
-operand(ctx, a->ld, a->mi, a->rs, a->rd);
+prt_ldmi(ctx, "cmp", a->ld, a->mi, a->rs, a->rd);
 return true;
 }
 
@@ -589,8 +583,7 @@ static bool trans_SUB_ir(DisasContext *ctx, arg_SUB_ir *a)
 /* sub dsp[rs], rd */
 static bool trans_SUB_mr(DisasContext *ctx, arg_SUB_mr *a)
 {
-prt("sub\t");
-operand(ctx, a->ld, a->mi, a->rs, a->rd);
+prt_ldmi(ctx, "sub", a->ld, a->mi, a->rs, a->rd);
 return true;
 }
 
@@ -611,8 +604,7 @@ static bool trans_SBB_rr(DisasContext *ctx, arg_SBB_rr *a)
 /* sbb dsp[rs], rd */
 static bool trans_SBB_mr(DisasContext *ctx, arg_SBB_mr *a)
 {
-prt("sbb\t");
-operand(ctx, a->ld, RX_IM_LONG, a->rs, a->rd);
+prt_ldmi(ctx, "sbb", a->ld, RX_IM_LONG, a->rs, a->rd);
 return true;
 }
 
@@ -640,8 +632,7 @@ static bool trans_MAX_ir(DisasContext *ctx, arg_MAX_ir *a)
 /* max dsp[rs], rd */
 static bool trans_MAX_mr(DisasContext *ctx, arg_MAX_mr *a)
 {
-prt("max\t");
-operand(ctx, a->ld, a->mi, a->rs, a->rd);
+prt_ldmi(ctx, "max", a->ld, a->mi, a->rs, a->rd);
 return true;
 }
 
@@ -656,8 +647,7 @@ static bool trans_MIN_ir(DisasContext *ctx, arg_MIN_ir *a)
 /* min dsp[rs], rd */
 static bool trans_MIN_mr(DisasContext *ctx, arg_MIN_mr *a)
 {
-prt("max\t");
-operand(ctx, a->ld, a->mi, a->rs, a->rd);
+prt_ldmi(ctx, "min", a->ld, a->mi, a->rs, a->rd);
 return true;
 }
 
@@ -673,8 +663,7 @@ static bool trans_MUL_ir(DisasContext *ctx, arg_MUL_ir *a)
 /* mul dsp[rs], rd */
 static bool trans_MUL_mr(DisasContext *ctx, arg_MUL_mr *a)
 {
-prt("mul\t");
-operand(ctx, a->ld, a->mi, a->rs, a->rd);
+prt_ldmi(ctx, "mul", a->ld, a->mi, a->rs, a->rd);
 return true;
 }
 
@@ -696,8 +685,7 @@ static bool trans_EMUL_ir(DisasContext *ctx, arg_EMUL_ir *a)
 /* emul dsp[rs], rd */
 static bool trans_EMUL_mr(DisasContext 

[PATCH RESEND v31 06/22] target/rx: CPU definition

[Yoshinori Sato]

Signed-off-by: Yoshinori Sato 

Message-Id: <20190616142836.10614-4-ys...@users.sourceforge.jp>
Reviewed-by: Richard Henderson 
Message-Id: <20190607091116.49044-4-ys...@users.sourceforge.jp>
Signed-off-by: Richard Henderson 
[PMD: Use newer QOM style, split cpu-qom.h, restrict access to
 extable array, use rx_cpu_tlb_fill() extracted from patch of
 Yoshinori Sato 'Convert to CPUClass::tlb_fill']
Signed-off-by: Philippe Mathieu-Daudé 
Acked-by: Igor Mammedov 
Signed-off-by: Yoshinori Sato 
---
 target/rx/cpu-param.h   |  31 ++
 target/rx/cpu-qom.h |  42 
 target/rx/cpu.h | 181 +
 target/rx/cpu.c | 218 
 target/rx/gdbstub.c | 112 +
 gdb-xml/rx-core.xml |  70 +
 target/rx/Makefile.objs |   1 -
 7 files changed, 654 insertions(+), 1 deletion(-)
 create mode 100644 target/rx/cpu-param.h
 create mode 100644 target/rx/cpu-qom.h
 create mode 100644 target/rx/cpu.h
 create mode 100644 target/rx/cpu.c
 create mode 100644 target/rx/gdbstub.c
 create mode 100644 gdb-xml/rx-core.xml

diff --git a/target/rx/cpu-param.h b/target/rx/cpu-param.h
new file mode 100644
index 00..5da87fbebe
--- /dev/null
+++ b/target/rx/cpu-param.h
@@ -0,0 +1,31 @@
+/*
+ *  RX cpu parameters
+ *
+ *  Copyright (c) 2019 Yoshinori Sato
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see .
+ */
+
+#ifndef RX_CPU_PARAM_H
+#define RX_CPU_PARAM_H
+
+#define TARGET_LONG_BITS 32
+#define TARGET_PAGE_BITS 12
+
+#define TARGET_PHYS_ADDR_SPACE_BITS 32
+#define TARGET_VIRT_ADDR_SPACE_BITS 32
+
+#define NB_MMU_MODES 1
+#define MMU_MODE0_SUFFIX _all
+
+#endif
diff --git a/target/rx/cpu-qom.h b/target/rx/cpu-qom.h
new file mode 100644
index 00..8328900f3f
--- /dev/null
+++ b/target/rx/cpu-qom.h
@@ -0,0 +1,42 @@
+#ifndef QEMU_RX_CPU_QOM_H
+#define QEMU_RX_CPU_QOM_H
+
+#include "hw/core/cpu.h"
+/*
+ * RX CPU
+ *
+ * Copyright (c) 2019 Yoshinori Sato
+ * SPDX-License-Identifier: LGPL-2.0+
+ */
+
+#define TYPE_RX_CPU "rx-cpu"
+
+#define TYPE_RX62N_CPU RX_CPU_TYPE_NAME("rx62n")
+
+#define RXCPU_CLASS(klass) \
+OBJECT_CLASS_CHECK(RXCPUClass, (klass), TYPE_RX_CPU)
+#define RXCPU(obj) \
+OBJECT_CHECK(RXCPU, (obj), TYPE_RX_CPU)
+#define RXCPU_GET_CLASS(obj) \
+OBJECT_GET_CLASS(RXCPUClass, (obj), TYPE_RX_CPU)
+
+/*
+ * RXCPUClass:
+ * @parent_realize: The parent class' realize handler.
+ * @parent_reset: The parent class' reset handler.
+ *
+ * A RX CPU model.
+ */
+typedef struct RXCPUClass {
+/*< private >*/
+CPUClass parent_class;
+/*< public >*/
+
+DeviceRealize parent_realize;
+void (*parent_reset)(CPUState *cpu);
+
+} RXCPUClass;
+
+#define CPUArchState struct CPURXState
+
+#endif
diff --git a/target/rx/cpu.h b/target/rx/cpu.h
new file mode 100644
index 00..2d1eb7665c
--- /dev/null
+++ b/target/rx/cpu.h
@@ -0,0 +1,181 @@
+/*
+ *  RX emulation definition
+ *
+ *  Copyright (c) 2019 Yoshinori Sato
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see .
+ */
+
+#ifndef RX_CPU_H
+#define RX_CPU_H
+
+#include "qemu/bitops.h"
+#include "qemu-common.h"
+#include "hw/registerfields.h"
+#include "cpu-qom.h"
+
+#include "exec/cpu-defs.h"
+
+/* PSW define */
+REG32(PSW, 0)
+FIELD(PSW, C, 0, 1)
+FIELD(PSW, Z, 1, 1)
+FIELD(PSW, S, 2, 1)
+FIELD(PSW, O, 3, 1)
+FIELD(PSW, I, 16, 1)
+FIELD(PSW, U, 17, 1)
+FIELD(PSW, PM, 20, 1)
+FIELD(PSW, IPL, 24, 4)
+
+/* FPSW define */
+REG32(FPSW, 0)
+FIELD(FPSW, RM, 0, 2)
+FIELD(FPSW, CV, 2, 1)
+FIELD(FPSW, CO, 3, 1)
+FIELD(FPSW, CZ, 4, 1)
+FIELD(FPSW, CU, 5, 1)
+FIELD(FPSW, CX, 6, 1)
+FIELD(FPSW, CE, 7, 1)
+FIELD(FPSW, CAUSE, 2, 6)
+FIELD(FPSW, DN, 8, 1)
+FIELD(FPSW, EV, 10, 1)
+FIELD(FPSW, EO, 11, 1)
+FIELD(FPSW, EZ, 12, 1)
+FIELD(FPSW, EU, 13, 1)
+FIELD(FPSW, EX, 14, 1)
+FIELD(FPSW, ENABLE, 10, 5)
+FIELD(FPSW, FV, 26, 1)
+FIELD(FPSW, FO, 

[PATCH RESEND v31 20/22] Add rx-softmmu

[Yoshinori Sato]

Tested-by: Philippe Mathieu-Daudé 
Reviewed-by: Philippe Mathieu-Daudé 
Signed-off-by: Yoshinori Sato 
Message-Id: <20190607091116.49044-17-ys...@users.sourceforge.jp>
Signed-off-by: Richard Henderson 
pick ed65c02993 target/rx: Add RX to SysEmuTarget
pick 01372568ae tests: Add rx to machine-none-test.c
[PMD: Squashed patches from Richard Henderson modifying
  qapi/common.json and tests/machine-none-test.c]
Signed-off-by: Philippe Mathieu-Daudé 
---
 configure   | 11 ++-
 default-configs/rx-softmmu.mak  |  3 +++
 qapi/machine.json   |  2 +-
 include/exec/poison.h   |  1 +
 include/sysemu/arch_init.h  |  1 +
 arch_init.c |  2 ++
 tests/qtest/machine-none-test.c |  1 +
 hw/Kconfig  |  1 +
 8 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 default-configs/rx-softmmu.mak

diff --git a/configure b/configure
index d57261e3ad..d852d7101d 100755
--- a/configure
+++ b/configure
@@ -4128,7 +4128,7 @@ fi
 fdt_required=no
 for target in $target_list; do
   case $target in
-
aarch64*-softmmu|arm*-softmmu|ppc*-softmmu|microblaze*-softmmu|mips64el-softmmu|riscv*-softmmu)
+
aarch64*-softmmu|arm*-softmmu|ppc*-softmmu|microblaze*-softmmu|mips64el-softmmu|riscv*-softmmu|rx-softmmu)
   fdt_required=yes
 ;;
   esac
@@ -7793,6 +7793,12 @@ case "$target_name" in
 mttcg=yes
 gdb_xml_files="riscv-64bit-cpu.xml riscv-32bit-fpu.xml riscv-64bit-fpu.xml 
riscv-64bit-csr.xml riscv-64bit-virtual.xml"
   ;;
+  rx)
+TARGET_ARCH=rx
+bflt="yes"
+target_compiler=$cross_cc_rx
+gdb_xml_files="rx-core.xml"
+  ;;
   sh4|sh4eb)
 TARGET_ARCH=sh4
 bflt="yes"
@@ -7974,6 +7980,9 @@ for i in $ARCH $TARGET_BASE_ARCH ; do
   riscv*)
 disas_config "RISCV"
   ;;
+  rx)
+disas_config "RX"
+  ;;
   s390*)
 disas_config "S390"
   ;;
diff --git a/default-configs/rx-softmmu.mak b/default-configs/rx-softmmu.mak
new file mode 100644
index 00..a3eecefb11
--- /dev/null
+++ b/default-configs/rx-softmmu.mak
@@ -0,0 +1,3 @@
+# Default configuration for rx-softmmu
+
+CONFIG_RX_VIRT=y
diff --git a/qapi/machine.json b/qapi/machine.json
index 6c11e3cf3a..40f8b9d872 100644
--- a/qapi/machine.json
+++ b/qapi/machine.json
@@ -26,7 +26,7 @@
   'data' : [ 'aarch64', 'alpha', 'arm', 'cris', 'hppa', 'i386', 'lm32',
  'm68k', 'microblaze', 'microblazeel', 'mips', 'mips64',
  'mips64el', 'mipsel', 'moxie', 'nios2', 'or1k', 'ppc',
- 'ppc64', 'riscv32', 'riscv64', 's390x', 'sh4',
+ 'ppc64', 'riscv32', 'riscv64', 'rx', 's390x', 'sh4',
  'sh4eb', 'sparc', 'sparc64', 'tricore', 'unicore32',
  'x86_64', 'xtensa', 'xtensaeb' ] }
 
diff --git a/include/exec/poison.h b/include/exec/poison.h
index 955eb863ab..7b9ac361dc 100644
--- a/include/exec/poison.h
+++ b/include/exec/poison.h
@@ -26,6 +26,7 @@
 #pragma GCC poison TARGET_PPC
 #pragma GCC poison TARGET_PPC64
 #pragma GCC poison TARGET_ABI32
+#pragma GCC poison TARGET_RX
 #pragma GCC poison TARGET_S390X
 #pragma GCC poison TARGET_SH4
 #pragma GCC poison TARGET_SPARC
diff --git a/include/sysemu/arch_init.h b/include/sysemu/arch_init.h
index 62c6fe4cf1..6c011acc52 100644
--- a/include/sysemu/arch_init.h
+++ b/include/sysemu/arch_init.h
@@ -24,6 +24,7 @@ enum {
 QEMU_ARCH_NIOS2 = (1 << 17),
 QEMU_ARCH_HPPA = (1 << 18),
 QEMU_ARCH_RISCV = (1 << 19),
+QEMU_ARCH_RX = (1 << 20),
 };
 
 extern const uint32_t arch_type;
diff --git a/arch_init.c b/arch_init.c
index 705d0b94ad..d9eb0ec1dd 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -77,6 +77,8 @@ int graphic_depth = 32;
 #define QEMU_ARCH QEMU_ARCH_PPC
 #elif defined(TARGET_RISCV)
 #define QEMU_ARCH QEMU_ARCH_RISCV
+#elif defined(TARGET_RX)
+#define QEMU_ARCH QEMU_ARCH_RX
 #elif defined(TARGET_S390X)
 #define QEMU_ARCH QEMU_ARCH_S390X
 #elif defined(TARGET_SH4)
diff --git a/tests/qtest/machine-none-test.c b/tests/qtest/machine-none-test.c
index 5953d31755..8bb54a6360 100644
--- a/tests/qtest/machine-none-test.c
+++ b/tests/qtest/machine-none-test.c
@@ -56,6 +56,7 @@ static struct arch2cpu cpus_map[] = {
 { "hppa", "hppa" },
 { "riscv64", "rv64gcsu-v1.10.0" },
 { "riscv32", "rv32gcsu-v1.9.1" },
+{ "rx", "rx62n" },
 };
 
 static const char *get_cpu_model_by_arch(const char *arch)
diff --git a/hw/Kconfig b/hw/Kconfig
index ecf491bf04..62f9ebdc22 100644
--- a/hw/Kconfig
+++ b/hw/Kconfig
@@ -55,6 +55,7 @@ source nios2/Kconfig
 source openrisc/Kconfig
 source ppc/Kconfig
 source riscv/Kconfig
+source rx/Kconfig
 source s390x/Kconfig
 source sh4/Kconfig
 source sparc/Kconfig
-- 
2.20.1

[PATCH RESEND v31 05/22] target/rx: TCG helper

[Yoshinori Sato]

Signed-off-by: Yoshinori Sato 

Message-Id: <20190616142836.10614-3-ys...@users.sourceforge.jp>
Reviewed-by: Richard Henderson 
Message-Id: <20190607091116.49044-3-ys...@users.sourceforge.jp>
Tested-by: Philippe Mathieu-Daudé 
Signed-off-by: Richard Henderson 
[PMD: Removed tlb_fill, extracted from patch of Yoshinori Sato
 'Convert to CPUClass::tlb_fill']
Signed-off-by: Philippe Mathieu-Daudé 
Signed-off-by: Yoshinori Sato 
---
 target/rx/helper.h|  31 +++
 target/rx/helper.c| 149 +
 target/rx/op_helper.c | 470 ++
 3 files changed, 650 insertions(+)
 create mode 100644 target/rx/helper.h
 create mode 100644 target/rx/helper.c
 create mode 100644 target/rx/op_helper.c

diff --git a/target/rx/helper.h b/target/rx/helper.h
new file mode 100644
index 00..f0b7ebbbf7
--- /dev/null
+++ b/target/rx/helper.h
@@ -0,0 +1,31 @@
+DEF_HELPER_1(raise_illegal_instruction, noreturn, env)
+DEF_HELPER_1(raise_access_fault, noreturn, env)
+DEF_HELPER_1(raise_privilege_violation, noreturn, env)
+DEF_HELPER_1(wait, noreturn, env)
+DEF_HELPER_1(debug, noreturn, env)
+DEF_HELPER_2(rxint, noreturn, env, i32)
+DEF_HELPER_1(rxbrk, noreturn, env)
+DEF_HELPER_FLAGS_3(fadd, TCG_CALL_NO_WG, f32, env, f32, f32)
+DEF_HELPER_FLAGS_3(fsub, TCG_CALL_NO_WG, f32, env, f32, f32)
+DEF_HELPER_FLAGS_3(fmul, TCG_CALL_NO_WG, f32, env, f32, f32)
+DEF_HELPER_FLAGS_3(fdiv, TCG_CALL_NO_WG, f32, env, f32, f32)
+DEF_HELPER_FLAGS_3(fcmp, TCG_CALL_NO_WG, void, env, f32, f32)
+DEF_HELPER_FLAGS_2(ftoi, TCG_CALL_NO_WG, i32, env, f32)
+DEF_HELPER_FLAGS_2(round, TCG_CALL_NO_WG, i32, env, f32)
+DEF_HELPER_FLAGS_2(itof, TCG_CALL_NO_WG, f32, env, i32)
+DEF_HELPER_2(set_fpsw, void, env, i32)
+DEF_HELPER_FLAGS_2(racw, TCG_CALL_NO_WG, void, env, i32)
+DEF_HELPER_FLAGS_2(set_psw_rte, TCG_CALL_NO_WG, void, env, i32)
+DEF_HELPER_FLAGS_2(set_psw, TCG_CALL_NO_WG, void, env, i32)
+DEF_HELPER_1(pack_psw, i32, env)
+DEF_HELPER_FLAGS_3(div, TCG_CALL_NO_WG, i32, env, i32, i32)
+DEF_HELPER_FLAGS_3(divu, TCG_CALL_NO_WG, i32, env, i32, i32)
+DEF_HELPER_FLAGS_1(scmpu, TCG_CALL_NO_WG, void, env)
+DEF_HELPER_1(smovu, void, env)
+DEF_HELPER_1(smovf, void, env)
+DEF_HELPER_1(smovb, void, env)
+DEF_HELPER_2(sstr, void, env, i32)
+DEF_HELPER_FLAGS_2(swhile, TCG_CALL_NO_WG, void, env, i32)
+DEF_HELPER_FLAGS_2(suntil, TCG_CALL_NO_WG, void, env, i32)
+DEF_HELPER_FLAGS_2(rmpa, TCG_CALL_NO_WG, void, env, i32)
+DEF_HELPER_1(satr, void, env)
diff --git a/target/rx/helper.c b/target/rx/helper.c
new file mode 100644
index 00..a6a337a311
--- /dev/null
+++ b/target/rx/helper.c
@@ -0,0 +1,149 @@
+/*
+ *  RX emulation
+ *
+ *  Copyright (c) 2019 Yoshinori Sato
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/bitops.h"
+#include "cpu.h"
+#include "exec/log.h"
+#include "exec/cpu_ldst.h"
+#include "sysemu/sysemu.h"
+#include "hw/irq.h"
+
+void rx_cpu_unpack_psw(CPURXState *env, uint32_t psw, int rte)
+{
+if (env->psw_pm == 0) {
+env->psw_ipl = FIELD_EX32(psw, PSW, IPL);
+if (rte) {
+/* PSW.PM can write RTE and RTFI */
+env->psw_pm = FIELD_EX32(psw, PSW, PM);
+}
+env->psw_u = FIELD_EX32(psw, PSW, U);
+env->psw_i = FIELD_EX32(psw, PSW, I);
+}
+env->psw_o = FIELD_EX32(psw, PSW, O) << 31;
+env->psw_s = FIELD_EX32(psw, PSW, S) << 31;
+env->psw_z = 1 - FIELD_EX32(psw, PSW, Z);
+env->psw_c = FIELD_EX32(psw, PSW, C);
+}
+
+#define INT_FLAGS (CPU_INTERRUPT_HARD | CPU_INTERRUPT_FIR)
+void rx_cpu_do_interrupt(CPUState *cs)
+{
+RXCPU *cpu = RXCPU(cs);
+CPURXState *env = >env;
+int do_irq = cs->interrupt_request & INT_FLAGS;
+uint32_t save_psw;
+
+env->in_sleep = 0;
+
+if (env->psw_u) {
+env->usp = env->regs[0];
+} else {
+env->isp = env->regs[0];
+}
+save_psw = rx_cpu_pack_psw(env);
+env->psw_pm = env->psw_i = env->psw_u = 0;
+
+if (do_irq) {
+if (do_irq & CPU_INTERRUPT_FIR) {
+env->bpc = env->pc;
+env->bpsw = save_psw;
+env->pc = env->fintv;
+env->psw_ipl = 15;
+cs->interrupt_request &= ~CPU_INTERRUPT_FIR;
+qemu_set_irq(env->ack, env->ack_irq);
+qemu_log_mask(CPU_LOG_INT, "fast interrupt raised\n");
+} else if (do_irq & CPU_INTERRUPT_HARD) {
+env->isp -= 4;
+

[PATCH RESEND v31 19/22] hw/rx: Restrict the RX62N microcontroller to the RX62N CPU core

[Yoshinori Sato]

From: Philippe Mathieu-Daudé 

While the VIRT machine can use different microcontrollers,
the RX62N microcontroller is tied to the RX62N CPU core.

Signed-off-by: Philippe Mathieu-Daudé 
Signed-off-by: Yoshinori Sato 
---
 hw/rx/rx-virt.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/rx/rx-virt.c b/hw/rx/rx-virt.c
index 38c9e55221..c59360408e 100644
--- a/hw/rx/rx-virt.c
+++ b/hw/rx/rx-virt.c
@@ -17,6 +17,7 @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/error-report.h"
 #include "qapi/error.h"
 #include "qemu-common.h"
 #include "cpu.h"
@@ -56,6 +57,7 @@ static void rx_load_image(RXCPU *cpu, const char *filename,
 
 static void rxvirt_init(MachineState *machine)
 {
+MachineClass *mc = MACHINE_GET_CLASS(machine);
 RX62NState *s = g_new(RX62NState, 1);
 MemoryRegion *sysmem = get_system_memory();
 MemoryRegion *sdram = g_new(MemoryRegion, 1);
-- 
2.20.1

[PATCH RESEND v31 12/22] target/rx: Collect all bytes during disassembly

[Yoshinori Sato]

From: Richard Henderson 

Collected, to be used in the next patch.

Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Yoshinori Sato 
Signed-off-by: Yoshinori Sato 
Message-Id: <20190607091116.49044-23-ys...@users.sourceforge.jp>
Tested-by: Philippe Mathieu-Daudé 
Signed-off-by: Richard Henderson 
---
 target/rx/disas.c | 62 ---
 1 file changed, 42 insertions(+), 20 deletions(-)

diff --git a/target/rx/disas.c b/target/rx/disas.c
index ebc1a44249..5a32a87534 100644
--- a/target/rx/disas.c
+++ b/target/rx/disas.c
@@ -25,43 +25,59 @@ typedef struct DisasContext {
 disassemble_info *dis;
 uint32_t addr;
 uint32_t pc;
+uint8_t len;
+uint8_t bytes[8];
 } DisasContext;
 
 
 static uint32_t decode_load_bytes(DisasContext *ctx, uint32_t insn,
-   int i, int n)
+  int i, int n)
 {
-bfd_byte buf;
+uint32_t addr = ctx->addr;
+
+g_assert(ctx->len == i);
+g_assert(n <= ARRAY_SIZE(ctx->bytes));
+
 while (++i <= n) {
-ctx->dis->read_memory_func(ctx->addr++, , 1, ctx->dis);
-insn |= buf << (32 - i * 8);
+ctx->dis->read_memory_func(addr++, >bytes[i - 1], 1, ctx->dis);
+insn |= ctx->bytes[i - 1] << (32 - i * 8);
 }
+ctx->addr = addr;
+ctx->len = n;
+
 return insn;
 }
 
 static int32_t li(DisasContext *ctx, int sz)
 {
-int32_t addr;
-bfd_byte buf[4];
-addr = ctx->addr;
+uint32_t addr = ctx->addr;
+uintptr_t len = ctx->len;
 
 switch (sz) {
 case 1:
+g_assert(len + 1 <= ARRAY_SIZE(ctx->bytes));
 ctx->addr += 1;
-ctx->dis->read_memory_func(addr, buf, 1, ctx->dis);
-return (int8_t)buf[0];
+ctx->len += 1;
+ctx->dis->read_memory_func(addr, ctx->bytes + len, 1, ctx->dis);
+return (int8_t)ctx->bytes[len];
 case 2:
+g_assert(len + 2 <= ARRAY_SIZE(ctx->bytes));
 ctx->addr += 2;
-ctx->dis->read_memory_func(addr, buf, 2, ctx->dis);
-return ldsw_le_p(buf);
+ctx->len += 2;
+ctx->dis->read_memory_func(addr, ctx->bytes + len, 2, ctx->dis);
+return ldsw_le_p(ctx->bytes + len);
 case 3:
+g_assert(len + 3 <= ARRAY_SIZE(ctx->bytes));
 ctx->addr += 3;
-ctx->dis->read_memory_func(addr, buf, 3, ctx->dis);
-return (int8_t)buf[2] << 16 | lduw_le_p(buf);
+ctx->len += 3;
+ctx->dis->read_memory_func(addr, ctx->bytes + len, 3, ctx->dis);
+return (int8_t)ctx->bytes[len + 2] << 16 | lduw_le_p(ctx->bytes + len);
 case 0:
+g_assert(len + 4 <= ARRAY_SIZE(ctx->bytes));
 ctx->addr += 4;
-ctx->dis->read_memory_func(addr, buf, 4, ctx->dis);
-return ldl_le_p(buf);
+ctx->len += 4;
+ctx->dis->read_memory_func(addr, ctx->bytes + len, 4, ctx->dis);
+return ldl_le_p(ctx->bytes + len);
 default:
 g_assert_not_reached();
 }
@@ -110,7 +126,7 @@ static const char psw[] = {
 static void rx_index_addr(DisasContext *ctx, char out[8], int ld, int mi)
 {
 uint32_t addr = ctx->addr;
-uint8_t buf[2];
+uintptr_t len = ctx->len;
 uint16_t dsp;
 
 switch (ld) {
@@ -119,14 +135,18 @@ static void rx_index_addr(DisasContext *ctx, char out[8], 
int ld, int mi)
 out[0] = '\0';
 return;
 case 1:
+g_assert(len + 1 <= ARRAY_SIZE(ctx->bytes));
 ctx->addr += 1;
-ctx->dis->read_memory_func(addr, buf, 1, ctx->dis);
-dsp = buf[0];
+ctx->len += 1;
+ctx->dis->read_memory_func(addr, ctx->bytes + len, 1, ctx->dis);
+dsp = ctx->bytes[len];
 break;
 case 2:
+g_assert(len + 2 <= ARRAY_SIZE(ctx->bytes));
 ctx->addr += 2;
-ctx->dis->read_memory_func(addr, buf, 2, ctx->dis);
-dsp = lduw_le_p(buf);
+ctx->len += 2;
+ctx->dis->read_memory_func(addr, ctx->bytes + len, 2, ctx->dis);
+dsp = lduw_le_p(ctx->bytes + len);
 break;
 default:
 g_assert_not_reached();
@@ -1392,8 +1412,10 @@ int print_insn_rx(bfd_vma addr, disassemble_info *dis)
 DisasContext ctx;
 uint32_t insn;
 int i;
+
 ctx.dis = dis;
 ctx.pc = ctx.addr = addr;
+ctx.len = 0;
 
 insn = decode_load();
 if (!decode(, insn)) {
-- 
2.20.1

[PATCH RESEND v31 18/22] hw/rx: Honor -accel qtest

[Yoshinori Sato]

From: Richard Henderson 

Issue an error if no kernel, no bios, and not qtest'ing.
Fixes make check-qtest-rx: test/qom-test.

Reviewed-by: Philippe Mathieu-Daudé 
Signed-off-by: Yoshinori Sato 
Message-Id: <20190607091116.49044-16-ys...@users.sourceforge.jp>
Tested-by: Philippe Mathieu-Daudé 
Signed-off-by: Richard Henderson 
---
We could squash this with the previous patch
---
 hw/rx/rx62n.c | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/hw/rx/rx62n.c b/hw/rx/rx62n.c
index bd4cd4b6ea..c488934f09 100644
--- a/hw/rx/rx62n.c
+++ b/hw/rx/rx62n.c
@@ -21,12 +21,14 @@
 
 #include "qemu/osdep.h"
 #include "qapi/error.h"
+#include "qemu/error-report.h"
 #include "hw/hw.h"
 #include "hw/rx/rx62n.h"
 #include "hw/loader.h"
 #include "hw/sysbus.h"
 #include "hw/qdev-properties.h"
 #include "sysemu/sysemu.h"
+#include "sysemu/qtest.h"
 #include "cpu.h"
 
 /*
@@ -191,8 +193,14 @@ static void rx62n_realize(DeviceState *dev, Error **errp)
 memory_region_init_rom(>c_flash, NULL, "codeflash",
RX62N_CFLASH_SIZE, errp);
 memory_region_add_subregion(s->sysmem, RX62N_CFLASH_BASE, >c_flash);
+
 if (!s->kernel) {
-rom_add_file_fixed(bios_name, RX62N_CFLASH_BASE, 0);
+if (bios_name) {
+rom_add_file_fixed(bios_name, RX62N_CFLASH_BASE, 0);
+}  else if (!qtest_enabled()) {
+error_report("No bios or kernel specified");
+exit(1);
+}
 }
 
 /* Initialize CPU */
-- 
2.20.1

[PATCH RESEND v31 22/22] qemu-doc.texi: Add RX section.

[Yoshinori Sato]

Describe emulated target specification. And two examples.

Signed-off-by: Yoshinori Sato 
---
 qemu-doc.texi | 44 
 1 file changed, 44 insertions(+)

diff --git a/qemu-doc.texi b/qemu-doc.texi
index 33b9597b1d..d80a9c64f7 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -1719,6 +1719,7 @@ differences are mentioned in the following sections.
 * Microblaze System emulator::
 * SH4 System emulator::
 * Xtensa System emulator::
+* RX System emulator::
 @end menu
 
 @node PowerPC System emulator
@@ -2487,6 +2488,49 @@ so should only be used with trusted guest OS.
 
 @c man end
 
+@node RX System emulator
+@section RX System emulator
+@cindex system emulation (RX)
+
+Use the executable @file{qemu-system-rx} to simulate a Virtual RX target.
+This target emulated following devices.
+
+@itemize @minus
+@item
+R5F562N8 MCU
+@item
+On-chip memory (ROM 512KB, RAM 96KB)
+@item
+Interrupt Control Unit (ICUa)
+@item
+8Bit Timer x 1CH (TMR0,1)
+@item
+Compare Match Timer x 2CH (CMT0,1)
+@item
+Serial Communication Interface x 1CH (SCI0)
+@item
+External memory 16MByte
+@end itemize
+
+Example of @file{qemu-system-rx} usage for rx is shown below:
+
+Download @code{u-boot_image} from 
@url{https://osdn.net/users/ysato/pf/qemu/dl/u-boot.bin.gz}
+
+Start emulation of rx-virt:
+@example
+qemu-system-rx -bios @code{u-boot_image}
+@end example
+
+Download @code{kernel_image} from 
@url{https://osdn.net/users/ysato/pf/qemu/dl/zImage}
+
+Download @code{device_tree_blob} from 
@url{https://osdn.net/users/ysato/pf/qemu/dl/rx-virt.dtb}
+
+Start emulation of rx-virt:
+@example
+qemu-system-rx -kernel @code{kernel_image} -dtb @code{device_tree_blob} \
+  -append "earlycon"
+@end example
+
 @node QEMU User space emulator
 @chapter QEMU User space emulator
 
-- 
2.20.1

[PATCH RESEND v31 13/22] target/rx: Dump bytes for each insn during disassembly

[Yoshinori Sato]

From: Richard Henderson 

There are so many different forms of each RX instruction
that it will be very useful to be able to look at the bytes
to see on which path a bug may lie.

Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Yoshinori Sato 
Signed-off-by: Yoshinori Sato 
Message-Id: <20190607091116.49044-24-ys...@users.sourceforge.jp>
Tested-by: Philippe Mathieu-Daudé 
Signed-off-by: Richard Henderson 
---
 target/rx/disas.c | 16 +++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/target/rx/disas.c b/target/rx/disas.c
index 5a32a87534..d73b53db44 100644
--- a/target/rx/disas.c
+++ b/target/rx/disas.c
@@ -102,7 +102,21 @@ static int bdsp_s(DisasContext *ctx, int d)
 /* Include the auto-generated decoder.  */
 #include "decode.inc.c"
 
-#define prt(...) (ctx->dis->fprintf_func)((ctx->dis->stream), __VA_ARGS__)
+static void dump_bytes(DisasContext *ctx)
+{
+int i, len = ctx->len;
+
+for (i = 0; i < len; ++i) {
+ctx->dis->fprintf_func(ctx->dis->stream, "%02x ", ctx->bytes[i]);
+}
+ctx->dis->fprintf_func(ctx->dis->stream, "%*c", (8 - i) * 3, '\t');
+}
+
+#define prt(...) \
+do {\
+dump_bytes(ctx);\
+ctx->dis->fprintf_func(ctx->dis->stream, __VA_ARGS__);  \
+} while (0)
 
 #define RX_MEMORY_BYTE 0
 #define RX_MEMORY_WORD 1
-- 
2.20.1

[PATCH v31 23/23] fix warning.

[Yoshinori Sato]

Signed-off-by: Yoshinori Sato 
---
 hw/rx/rx-virt.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/rx/rx-virt.c b/hw/rx/rx-virt.c
index 6cf7936201..4ee6647728 100644
--- a/hw/rx/rx-virt.c
+++ b/hw/rx/rx-virt.c
@@ -90,8 +90,10 @@ static void rxvirt_init(MachineState *machine)
 
 /* Load kernel and dtb */
 if (kernel_filename) {
-/* The kernel image is loaded into
-   the latter half of the SDRAM space. */
+/*
+  The kernel image is loaded into
+  the latter half of the SDRAM space.
+*/
 kernel_offset = machine->ram_size / 2;
 rx_load_image(RXCPU(first_cpu), kernel_filename,
   SDRAM_BASE + kernel_offset, kernel_offset);
-- 
2.20.1

[PATCH RESEND v31 08/22] target/rx: Disassemble rx_index_addr into a string

[Yoshinori Sato]

From: Richard Henderson 

We were eliding all zero indexes.  It is only ld==0 that does
not have an index in the instruction.  This also allows us to
avoid breaking the final print into multiple pieces.

Reviewed-by: Yoshinori Sato 
Signed-off-by: Yoshinori Sato 
Message-Id: <20190607091116.49044-19-ys...@users.sourceforge.jp>
Tested-by: Philippe Mathieu-Daudé 
Signed-off-by: Richard Henderson 
---
 target/rx/disas.c | 154 +-
 1 file changed, 55 insertions(+), 99 deletions(-)

diff --git a/target/rx/disas.c b/target/rx/disas.c
index 8cada4825d..64342537ee 100644
--- a/target/rx/disas.c
+++ b/target/rx/disas.c
@@ -107,49 +107,42 @@ static const char psw[] = {
 'i', 'u', 0, 0, 0, 0, 0, 0,
 };
 
-static uint32_t rx_index_addr(int ld, int size, DisasContext *ctx)
+static void rx_index_addr(DisasContext *ctx, char out[8], int ld, int mi)
 {
-bfd_byte buf[2];
+uint32_t addr = ctx->addr;
+uint8_t buf[2];
+uint16_t dsp;
+
 switch (ld) {
 case 0:
-return 0;
+/* No index; return empty string.  */
+out[0] = '\0';
+return;
 case 1:
-ctx->dis->read_memory_func(ctx->addr, buf, 1, ctx->dis);
 ctx->addr += 1;
-return ((uint8_t)buf[0]) << size;
+ctx->dis->read_memory_func(addr, buf, 1, ctx->dis);
+dsp = buf[0];
+break;
 case 2:
-ctx->dis->read_memory_func(ctx->addr, buf, 2, ctx->dis);
 ctx->addr += 2;
-return lduw_le_p(buf) << size;
+ctx->dis->read_memory_func(addr, buf, 2, ctx->dis);
+dsp = lduw_le_p(buf);
+break;
+default:
+g_assert_not_reached();
 }
-g_assert_not_reached();
+
+sprintf(out, "%u", dsp << (mi < 3 ? mi : 4 - mi));
 }
 
 static void operand(DisasContext *ctx, int ld, int mi, int rs, int rd)
 {
-int dsp;
 static const char sizes[][4] = {".b", ".w", ".l", ".uw", ".ub"};
+char dsp[8];
+
 if (ld < 3) {
-switch (mi) {
-case 4:
-/* dsp[rs].ub */
-dsp = rx_index_addr(ld, RX_MEMORY_BYTE, ctx);
-break;
-case 3:
-/* dsp[rs].uw */
-dsp = rx_index_addr(ld, RX_MEMORY_WORD, ctx);
-break;
-default:
-/* dsp[rs].b */
-/* dsp[rs].w */
-/* dsp[rs].l */
-dsp = rx_index_addr(ld, mi, ctx);
-break;
-}
-if (dsp > 0) {
-prt("%d", dsp);
-}
-prt("[r%d]%s", rs, sizes[mi]);
+rx_index_addr(ctx, dsp, ld, mi);
+prt("%s[r%d]%s", dsp, rs, sizes[mi]);
 } else {
 prt("r%d", rs);
 }
@@ -235,7 +228,7 @@ static bool trans_MOV_ra(DisasContext *ctx, arg_MOV_ra *a)
 /* mov.[bwl] rs,rd */
 static bool trans_MOV_mm(DisasContext *ctx, arg_MOV_mm *a)
 {
-int dsp;
+char dspd[8], dsps[8];
 
 prt("mov.%c\t", size[a->sz]);
 if (a->lds == 3 && a->ldd == 3) {
@@ -244,29 +237,15 @@ static bool trans_MOV_mm(DisasContext *ctx, arg_MOV_mm *a)
 return true;
 }
 if (a->lds == 3) {
-prt("r%d, ", a->rd);
-dsp = rx_index_addr(a->ldd, a->sz, ctx);
-if (dsp > 0) {
-prt("%d", dsp);
-}
-prt("[r%d]", a->rs);
+rx_index_addr(ctx, dspd, a->ldd, a->sz);
+prt("r%d, %s[r%d]", a->rs, dspd, a->rd);
 } else if (a->ldd == 3) {
-dsp = rx_index_addr(a->lds, a->sz, ctx);
-if (dsp > 0) {
-prt("%d", dsp);
-}
-prt("[r%d], r%d", a->rs, a->rd);
+rx_index_addr(ctx, dsps, a->lds, a->sz);
+prt("%s[r%d], r%d", dsps, a->rs, a->rd);
 } else {
-dsp = rx_index_addr(a->lds, a->sz, ctx);
-if (dsp > 0) {
-prt("%d", dsp);
-}
-prt("[r%d], ", a->rs);
-dsp = rx_index_addr(a->ldd, a->sz, ctx);
-if (dsp > 0) {
-prt("%d", dsp);
-}
-prt("[r%d]", a->rd);
+rx_index_addr(ctx, dsps, a->lds, a->sz);
+rx_index_addr(ctx, dspd, a->ldd, a->sz);
+prt("%s[r%d], %s[r%d]", dsps, a->rs, dspd, a->rd);
 }
 return true;
 }
@@ -357,12 +336,10 @@ static bool trans_PUSH_r(DisasContext *ctx, arg_PUSH_r *a)
 /* push dsp[rs] */
 static bool trans_PUSH_m(DisasContext *ctx, arg_PUSH_m *a)
 {
-prt("push\t");
-int dsp = rx_index_addr(a->ld, a->sz, ctx);
-if (dsp > 0) {
-prt("%d", dsp);
-}
-prt("[r%d]", a->rs);
+char dsp[8];
+
+rx_index_addr(ctx, dsp, a->ld, a->sz);
+prt("push\t%s[r%d]", dsp, a->rs);
 return true;
 }
 
@@ -389,17 +366,13 @@ static bool trans_XCHG_rr(DisasContext *ctx, arg_XCHG_rr 
*a)
 /* xchg dsp[rs].,rd */
 static bool trans_XCHG_mr(DisasContext *ctx, arg_XCHG_mr *a)
 {
-int dsp;
 static const char msize[][4] = {
 "b", "w", "l", "ub", "uw",
 };
+char dsp[8];
 
-prt("xchg\t");
-dsp = rx_index_addr(a->ld, a->mi, ctx);
-if (dsp > 0) {
-prt("%d", dsp);
-}
-

[PATCH RESEND v31 03/22] hw/registerfields.h: Add 8bit and 16bit register macros

[Yoshinori Sato]

From: Philippe Mathieu-Daudé 

Some RX peripheral using 8bit and 16bit registers.
Added 8bit and 16bit APIs.

Signed-off-by: Yoshinori Sato 
Reviewed-by: Richard Henderson 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20190607091116.49044-11-ys...@users.sourceforge.jp>
Tested-by: Philippe Mathieu-Daudé 
Reviewed-by: Alistair Francis 
Signed-off-by: Richard Henderson 
---
 include/hw/registerfields.h | 32 +++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/include/hw/registerfields.h b/include/hw/registerfields.h
index 2659a58737..a0bb0654d6 100644
--- a/include/hw/registerfields.h
+++ b/include/hw/registerfields.h
@@ -22,6 +22,14 @@
 enum { A_ ## reg = (addr) };  \
 enum { R_ ## reg = (addr) / 4 };
 
+#define REG8(reg, addr)  \
+enum { A_ ## reg = (addr) };  \
+enum { R_ ## reg = (addr) };
+
+#define REG16(reg, addr)  \
+enum { A_ ## reg = (addr) };  \
+enum { R_ ## reg = (addr) / 2 };
+
 /* Define SHIFT, LENGTH and MASK constants for a field within a register */
 
 /* This macro will define R_FOO_BAR_MASK, R_FOO_BAR_SHIFT and R_FOO_BAR_LENGTH
@@ -34,6 +42,12 @@
 MAKE_64BIT_MASK(shift, length)};
 
 /* Extract a field from a register */
+#define FIELD_EX8(storage, reg, field)\
+extract8((storage), R_ ## reg ## _ ## field ## _SHIFT,\
+  R_ ## reg ## _ ## field ## _LENGTH)
+#define FIELD_EX16(storage, reg, field)   \
+extract16((storage), R_ ## reg ## _ ## field ## _SHIFT,   \
+  R_ ## reg ## _ ## field ## _LENGTH)
 #define FIELD_EX32(storage, reg, field)   \
 extract32((storage), R_ ## reg ## _ ## field ## _SHIFT,   \
   R_ ## reg ## _ ## field ## _LENGTH)
@@ -49,6 +63,22 @@
  * Assigning values larger then the target field will result in
  * compilation warnings.
  */
+#define FIELD_DP8(storage, reg, field, val) ({\
+struct {  \
+unsigned int v:R_ ## reg ## _ ## field ## _LENGTH;\
+} v = { .v = val };   \
+uint8_t d;\
+d = deposit32((storage), R_ ## reg ## _ ## field ## _SHIFT,   \
+  R_ ## reg ## _ ## field ## _LENGTH, v.v);   \
+d; })
+#define FIELD_DP16(storage, reg, field, val) ({   \
+struct {  \
+unsigned int v:R_ ## reg ## _ ## field ## _LENGTH;\
+} v = { .v = val };   \
+uint16_t d;   \
+d = deposit32((storage), R_ ## reg ## _ ## field ## _SHIFT,   \
+  R_ ## reg ## _ ## field ## _LENGTH, v.v);   \
+d; })
 #define FIELD_DP32(storage, reg, field, val) ({   \
 struct {  \
 unsigned int v:R_ ## reg ## _ ## field ## _LENGTH;\
@@ -57,7 +87,7 @@
 d = deposit32((storage), R_ ## reg ## _ ## field ## _SHIFT,   \
   R_ ## reg ## _ ## field ## _LENGTH, v.v);   \
 d; })
-#define FIELD_DP64(storage, reg, field, val) ({   \
+#define FIELD_DP64(storage, reg, field, val) ({ \
 struct {  \
 unsigned int v:R_ ## reg ## _ ## field ## _LENGTH;\
 } v = { .v = val };   \
-- 
2.20.1

[PATCH RESEND v31 00/22] Add RX archtecture support

[Yoshinori Sato]

Sorry. I missed commit 1 changes.
Fixed it.

Hello.
This patch series is added Renesas RX target emulation.

Changes for v30.
Follow master changes.
Fix checkpatch error.

Changes for v29.
Add target description XML. It required gdb-9.1.
Follow git master changes.

Changes for v28.
Allow -m option.
With this option, 16 Mbytes or more can be specified.
Add example for qemu-doc.
Fix build error on latest master.

Changes for v27.
Added RX section to qemu-doc.
Rebase for master

Changes for v26.
Rebase for 5.0
Update machine.json for 5.0

Changes for v25.
Update commit message.
Squashed qapi/machine.json changes.

Changes for v24.
Add note for qapi/machine.json.
Added Acked-by for 6/22.
git rebase master.

Changes for v23.
Follow master changes.

Changes for v22.
Added some include.

Changes for v21.
rebase latest master.
Remove unneeded hmp_info_tlb.

Chanegs for v20.
Reorderd patches.
Squashed v19 changes.

Changes for v19.
Follow tcg changes.
Cleanup cpu.c.
simplify rx_cpu_class_by_name and rx_load_image move to rx-virt.

My git repository is bellow.
git://git.pf.osdn.net/gitroot/y/ys/ysato/qemu.git tags/rx-20200223

Testing binaries bellow.
u-boot
Download - https://osdn.net/users/ysato/pf/qemu/dl/u-boot.bin.gz

starting
$ gzip -d u-boot.bin.gz
$ qemu-system-rx -bios u-boot.bin

linux and pico-root (only sash)
Download - https://osdn.net/users/ysato/pf/qemu/dl/zImage (kernel)
   https://osdn.net/users/ysato/pf/qemu/dl/rx-virt.dtb (DeviceTree)

starting
$ qemu-system-rx -kernel zImage -dtb rx-virt.dtb -append "earlycon"

Philippe Mathieu-Daudé (3):
  hw/registerfields.h: Add 8bit and 16bit register macros
  hw/rx: Restrict the RX62N microcontroller to the RX62N CPU core
  BootLinuxConsoleTest: Test the RX-Virt machine

Richard Henderson (7):
  target/rx: Disassemble rx_index_addr into a string
  target/rx: Replace operand with prt_ldmi in disassembler
  target/rx: Use prt_ldmi for XCHG_mr disassembly
  target/rx: Emit all disassembly in one prt()
  target/rx: Collect all bytes during disassembly
  target/rx: Dump bytes for each insn during disassembly
  hw/rx: Honor -accel qtest

Yoshinori Sato (12):
  MAINTAINERS: Add RX
  qemu/bitops.h: Add extract8 and extract16
  target/rx: TCG translation
  target/rx: TCG helper
  target/rx: CPU definition
  target/rx: RX disassembler
  hw/intc: RX62N interrupt controller (ICUa)
  hw/timer: RX62N internal timer modules
  hw/char: RX62N serial communication interface (SCI)
  hw/rx: RX Target hardware definition
  Add rx-softmmu
  qemu-doc.texi: Add RX section.

 qemu-doc.texi  |   44 +
 configure  |   11 +-
 default-configs/rx-softmmu.mak |3 +
 qapi/machine.json  |2 +-
 include/disas/dis-asm.h|5 +
 include/exec/poison.h  |1 +
 include/hw/char/renesas_sci.h  |   45 +
 include/hw/intc/rx_icu.h   |   56 +
 include/hw/registerfields.h|   32 +-
 include/hw/rx/rx.h |7 +
 include/hw/rx/rx62n.h  |   91 +
 include/hw/timer/renesas_cmt.h |   38 +
 include/hw/timer/renesas_tmr.h |   53 +
 include/qemu/bitops.h  |   38 +
 include/sysemu/arch_init.h |1 +
 target/rx/cpu-param.h  |   31 +
 target/rx/cpu-qom.h|   42 +
 target/rx/cpu.h|  181 ++
 target/rx/helper.h |   31 +
 target/rx/insns.decode |  621 ++
 arch_init.c|2 +
 hw/char/renesas_sci.c  |  342 
 hw/intc/rx_icu.c   |  379 
 hw/rx/rx-virt.c|  144 ++
 hw/rx/rx62n.c  |  247 +++
 hw/timer/renesas_cmt.c |  278 +++
 hw/timer/renesas_tmr.c |  458 +
 target/rx/cpu.c|  218 +++
 target/rx/disas.c  | 1446 ++
 target/rx/gdbstub.c|  112 ++
 target/rx/helper.c |  149 ++
 target/rx/op_helper.c  |  470 +
 target/rx/translate.c  | 2432 
 tests/qtest/machine-none-test.c|1 +
 MAINTAINERS|   19 +
 gdb-xml/rx-core.xml|   70 +
 hw/Kconfig |1 +
 hw/char/Kconfig|3 +
 hw/char/Makefile.objs  |1 +
 hw/intc/Kconfig|3 +
 hw/intc/Makefile.objs  |1 +
 hw/rx/Kconfig  |   14 +
 hw/rx/Makefile.objs|2 +
 hw/timer/Kconfig   |6 +
 hw/timer/Makefile.objs |3 +
 target/rx/Makefile.objs|   11 +
 tests/acceptance/boot_linux_console.py |   46 +
 47 files changed, 8188 insertions(+), 3 deletions(-)
 create m

[PATCH RESEND v31 11/22] target/rx: Emit all disassembly in one prt()

[Yoshinori Sato]

From: Richard Henderson 

Many of the multi-part prints have been eliminated by previous
patches.  Eliminate the rest of them.

Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Yoshinori Sato 
Signed-off-by: Yoshinori Sato 
Message-Id: <20190607091116.49044-22-ys...@users.sourceforge.jp>
Tested-by: Philippe Mathieu-Daudé 
Signed-off-by: Richard Henderson 
---
 target/rx/disas.c | 75 ---
 1 file changed, 39 insertions(+), 36 deletions(-)

diff --git a/target/rx/disas.c b/target/rx/disas.c
index db10385fd0..ebc1a44249 100644
--- a/target/rx/disas.c
+++ b/target/rx/disas.c
@@ -228,24 +228,21 @@ static bool trans_MOV_ra(DisasContext *ctx, arg_MOV_ra *a)
 /* mov.[bwl] rs,rd */
 static bool trans_MOV_mm(DisasContext *ctx, arg_MOV_mm *a)
 {
-char dspd[8], dsps[8];
+char dspd[8], dsps[8], szc = size[a->sz];
 
-prt("mov.%c\t", size[a->sz]);
 if (a->lds == 3 && a->ldd == 3) {
 /* mov.[bwl] rs,rd */
-prt("r%d, r%d", a->rs, a->rd);
-return true;
-}
-if (a->lds == 3) {
+prt("mov.%c\tr%d, r%d", szc, a->rs, a->rd);
+} else if (a->lds == 3) {
 rx_index_addr(ctx, dspd, a->ldd, a->sz);
-prt("r%d, %s[r%d]", a->rs, dspd, a->rd);
+prt("mov.%c\tr%d, %s[r%d]", szc, a->rs, dspd, a->rd);
 } else if (a->ldd == 3) {
 rx_index_addr(ctx, dsps, a->lds, a->sz);
-prt("%s[r%d], r%d", dsps, a->rs, a->rd);
+prt("mov.%c\t%s[r%d], r%d", szc, dsps, a->rs, a->rd);
 } else {
 rx_index_addr(ctx, dsps, a->lds, a->sz);
 rx_index_addr(ctx, dspd, a->ldd, a->sz);
-prt("%s[r%d], %s[r%d]", dsps, a->rs, dspd, a->rd);
+prt("mov.%c\t%s[r%d], %s[r%d]", szc, dsps, a->rs, dspd, a->rd);
 }
 return true;
 }
@@ -254,8 +251,11 @@ static bool trans_MOV_mm(DisasContext *ctx, arg_MOV_mm *a)
 /* mov.[bwl] rs,[-rd] */
 static bool trans_MOV_rp(DisasContext *ctx, arg_MOV_rp *a)
 {
-prt("mov.%c\tr%d, ", size[a->sz], a->rs);
-prt((a->ad == 0) ? "[r%d+]" : "[-r%d]", a->rd);
+if (a->ad) {
+prt("mov.%c\tr%d, [-r%d]", size[a->sz], a->rs, a->rd);
+} else {
+prt("mov.%c\tr%d, [r%d+]", size[a->sz], a->rs, a->rd);
+}
 return true;
 }
 
@@ -263,9 +263,11 @@ static bool trans_MOV_rp(DisasContext *ctx, arg_MOV_rp *a)
 /* mov.[bwl] [-rd],rs */
 static bool trans_MOV_pr(DisasContext *ctx, arg_MOV_pr *a)
 {
-prt("mov.%c\t", size[a->sz]);
-prt((a->ad == 0) ? "[r%d+]" : "[-r%d]", a->rd);
-prt(", r%d", a->rs);
+if (a->ad) {
+prt("mov.%c\t[-r%d], r%d", size[a->sz], a->rd, a->rs);
+} else {
+prt("mov.%c\t[r%d+], r%d", size[a->sz], a->rd, a->rs);
+}
 return true;
 }
 
@@ -299,9 +301,11 @@ static bool trans_MOVU_ar(DisasContext *ctx, arg_MOVU_ar 
*a)
 /* movu.[bw] [-rs],rd */
 static bool trans_MOVU_pr(DisasContext *ctx, arg_MOVU_pr *a)
 {
-prt("movu.%c\t", size[a->sz]);
-prt((a->ad == 0) ? "[r%d+]" : "[-r%d]", a->rd);
-prt(", r%d", a->rs);
+if (a->ad) {
+prt("movu.%c\t[-r%d], r%d", size[a->sz], a->rd, a->rs);
+} else {
+prt("movu.%c\t[r%d+], r%d", size[a->sz], a->rd, a->rs);
+}
 return true;
 }
 
@@ -478,11 +482,11 @@ static bool trans_TST_mr(DisasContext *ctx, arg_TST_mr *a)
 /* not rs, rd */
 static bool trans_NOT_rr(DisasContext *ctx, arg_NOT_rr *a)
 {
-prt("not\t");
 if (a->rs != a->rd) {
-prt("r%d, ", a->rs);
+prt("not\tr%d, r%d", a->rs, a->rd);
+} else {
+prt("not\tr%d", a->rs);
 }
-prt("r%d", a->rd);
 return true;
 }
 
@@ -490,11 +494,11 @@ static bool trans_NOT_rr(DisasContext *ctx, arg_NOT_rr *a)
 /* neg rs, rd */
 static bool trans_NEG_rr(DisasContext *ctx, arg_NEG_rr *a)
 {
-prt("neg\t");
 if (a->rs != a->rd) {
-prt("r%d, ", a->rs);
+prt("neg\tr%d, r%d", a->rs, a->rd);
+} else {
+prt("neg\tr%d", a->rs);
 }
-prt("r%d", a->rd);
 return true;
 }
 
@@ -606,11 +610,10 @@ static bool trans_SBB_mr(DisasContext *ctx, arg_SBB_mr *a)
 /* abs rs, rd */
 static bool trans_ABS_rr(DisasContext *ctx, arg_ABS_rr *a)
 {
-prt("abs\t");
-if (a->rs == a->rd) {
-prt("r%d", a->rd);
+if (a->rs != a->rd) {
+prt("abs\tr%d, r%d", a->rs, a->rd);
 } else {
-prt("r%d, r%d", a->rs, a->rd);
+prt("abs\tr%d", a->rs);
 }
 return true;
 }
@@ -733,11 +736,11 @@ static bool trans_DIVU_mr(DisasContext *ctx, arg_DIVU_mr 
*a)
 /* shll #imm:5, rs, rd */
 static bool trans_SHLL_irr(DisasContext *ctx, arg_SHLL_irr *a)
 {
-prt("shll\t#%d, ", a->imm);
 if (a->rs2 != a->rd) {
-prt("r%d, ", a->rs2);
+prt("shll\t#%d, r%d, r%d", a->imm, a->rs2, a->rd);
+} else {
+prt("shll\t#%d, r%d", a->imm, a->rd);
 }
-prt("r%d", a->rd);
 return true;
 }
 
@@ -752,11 +755,11 @@ static bool trans_SHLL_rr(DisasContext *ctx, arg_SHLL_rr 
*a)
 /* shar #imm:5, rs, rd */
 static bool trans_SHAR_irr(DisasContext *ctx, 

[PATCH RESEND v31 10/22] target/rx: Use prt_ldmi for XCHG_mr disassembly

[Yoshinori Sato]

From: Richard Henderson 

Note that the ld == 3 case handled by prt_ldmi is decoded as
XCHG_rr and cannot appear here.

Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Yoshinori Sato 
Signed-off-by: Yoshinori Sato 
Message-Id: <20190607091116.49044-21-ys...@users.sourceforge.jp>
Tested-by: Philippe Mathieu-Daudé 
Signed-off-by: Richard Henderson 
---
 target/rx/disas.c | 8 +---
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/target/rx/disas.c b/target/rx/disas.c
index 515b365528..db10385fd0 100644
--- a/target/rx/disas.c
+++ b/target/rx/disas.c
@@ -366,13 +366,7 @@ static bool trans_XCHG_rr(DisasContext *ctx, arg_XCHG_rr 
*a)
 /* xchg dsp[rs].,rd */
 static bool trans_XCHG_mr(DisasContext *ctx, arg_XCHG_mr *a)
 {
-static const char msize[][4] = {
-"b", "w", "l", "ub", "uw",
-};
-char dsp[8];
-
-rx_index_addr(ctx, dsp, a->ld, a->mi);
-prt("xchg\t%s[r%d].%s, r%d", dsp, a->rs, msize[a->mi], a->rd);
+prt_ldmi(ctx, "xchg", a->ld, a->mi, a->rs, a->rd);
 return true;
 }
 
-- 
2.20.1

[PATCH RESEND v31 02/22] qemu/bitops.h: Add extract8 and extract16

[Yoshinori Sato]

Signed-off-by: Yoshinori Sato 
Reviewed-by: Richard Henderson 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20190607091116.49044-10-ys...@users.sourceforge.jp>
Tested-by: Philippe Mathieu-Daudé 
Signed-off-by: Richard Henderson 
---
 include/qemu/bitops.h | 38 ++
 1 file changed, 38 insertions(+)

diff --git a/include/qemu/bitops.h b/include/qemu/bitops.h
index 02c1ce6a5d..f55ce8b320 100644
--- a/include/qemu/bitops.h
+++ b/include/qemu/bitops.h
@@ -301,6 +301,44 @@ static inline uint32_t extract32(uint32_t value, int 
start, int length)
 return (value >> start) & (~0U >> (32 - length));
 }
 
+/**
+ * extract8:
+ * @value: the value to extract the bit field from
+ * @start: the lowest bit in the bit field (numbered from 0)
+ * @length: the length of the bit field
+ *
+ * Extract from the 8 bit input @value the bit field specified by the
+ * @start and @length parameters, and return it. The bit field must
+ * lie entirely within the 8 bit word. It is valid to request that
+ * all 8 bits are returned (ie @length 8 and @start 0).
+ *
+ * Returns: the value of the bit field extracted from the input value.
+ */
+static inline uint8_t extract8(uint8_t value, int start, int length)
+{
+assert(start >= 0 && length > 0 && length <= 8 - start);
+return extract32(value, start, length);
+}
+
+/**
+ * extract16:
+ * @value: the value to extract the bit field from
+ * @start: the lowest bit in the bit field (numbered from 0)
+ * @length: the length of the bit field
+ *
+ * Extract from the 16 bit input @value the bit field specified by the
+ * @start and @length parameters, and return it. The bit field must
+ * lie entirely within the 16 bit word. It is valid to request that
+ * all 16 bits are returned (ie @length 16 and @start 0).
+ *
+ * Returns: the value of the bit field extracted from the input value.
+ */
+static inline uint16_t extract16(uint16_t value, int start, int length)
+{
+assert(start >= 0 && length > 0 && length <= 16 - start);
+return extract32(value, start, length);
+}
+
 /**
  * extract64:
  * @value: the value to extract the bit field from
-- 
2.20.1

[PATCH RESEND v31 01/22] MAINTAINERS: Add RX

[Yoshinori Sato]

Signed-off-by: Yoshinori Sato 
Reviewed-by: Richard Henderson 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20190607091116.49044-18-ys...@users.sourceforge.jp>
Signed-off-by: Richard Henderson 
---
 MAINTAINERS | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index 1740a4fddc..c5008f638d 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -274,6 +274,13 @@ F: include/hw/riscv/
 F: linux-user/host/riscv32/
 F: linux-user/host/riscv64/
 
+RENESAS RX CPUs
+M: Yoshinori Sato 
+S: Maintained
+F: target/rx/
+F: hw/rx/
+F: include/hw/rx/
+
 S390 TCG CPUs
 M: Richard Henderson 
 M: David Hildenbrand 
@@ -1167,6 +1174,18 @@ F: pc-bios/canyonlands.dt[sb]
 F: pc-bios/u-boot-sam460ex-20100605.bin
 F: roms/u-boot-sam460ex
 
+RX Machines
+---
+rx-virt
+M: Yoshinori Sato 
+S: Maintained
+F: hw/rx/rxqemu.c
+F: hw/intc/rx_icu.c
+F: hw/timer/renesas_*.c
+F: hw/char/renesas_sci.c
+F: include/hw/timer/renesas_*.h
+F: include/hw/char/renesas_sci.h
+
 SH4 Machines
 
 R2D
-- 
2.20.1

Re: [PATCH v4] Implement the Screamer sound chip for the mac99 machine type

[Andrew Randrianasulu]

Just thought I must share my uneducated guess on issue reported at

https://www.emaculation.com/forum/viewtopic.php?f=34=9820
> Please note that running with 1024Mb of memory will make sound stop working 
> in Mac OS 9.x. So run with less memory.
> As will running without virtual memory.

My guess this has something to do with device memory regions, may be because 
Linux  always uses Virtual memory
(MMU, address translation), as well as Mac OS X 10.x - this little issue was 
unnoticed until recently ?

Re: [PATCH v3 2/3] hw: Make MachineClass::is_default a boolean type

[Paolo Bonzini]

On 07/02/20 15:25, Michael S. Tsirkin wrote:
 @@ -841,7 +841,7 @@ static void sun4v_class_init(ObjectClass *oc, void 
 *data)
  mc->desc = "Sun4v platform";
  mc->init = sun4v_init;
  mc->block_default_type = IF_IDE;
 -mc->max_cpus = 1; /* XXX for now */
 +mc->max_cpus = true; /* XXX for now */
>>
>> and here ^^
>>
>> Thanks,
>> Laurent
> 
> Ooh good catch. Which probably means we don't have a unit test for these

"= true" just becomes "= 1".

Paolo

Re: [PATCH v7 03/11] scripts: add coccinelle script to use auto propagated errp

[Markus Armbruster]

Vladimir Sementsov-Ogievskiy  writes:

> Script adds ERRP_AUTO_PROPAGATE macro invocation where appropriate and
> does corresponding changes in code (look for details in
> include/qapi/error.h)
>
> Usage example:
> spatch --sp-file scripts/coccinelle/auto-propagated-errp.cocci \
>  --macro-file scripts/cocci-macro-file.h --in-place --no-show-diff \
>  blockdev-nbd.c qemu-nbd.c {block/nbd*,nbd/*,include/block/nbd*}.[hc]
>
> Signed-off-by: Vladimir Sementsov-Ogievskiy 
> ---
>
> CC: Eric Blake 
> CC: Kevin Wolf 
> CC: Max Reitz 
> CC: Greg Kurz 
> CC: Stefano Stabellini 
> CC: Anthony Perard 
> CC: Paul Durrant 
> CC: Stefan Hajnoczi 
> CC: "Philippe Mathieu-Daudé" 
> CC: Laszlo Ersek 
> CC: Gerd Hoffmann 
> CC: Stefan Berger 
> CC: Markus Armbruster 
> CC: Michael Roth 
> CC: qemu-bl...@nongnu.org
> CC: xen-de...@lists.xenproject.org
>
>  include/qapi/error.h  |   3 +
>  scripts/coccinelle/auto-propagated-errp.cocci | 158 ++
>  2 files changed, 161 insertions(+)
>  create mode 100644 scripts/coccinelle/auto-propagated-errp.cocci
>
> diff --git a/include/qapi/error.h b/include/qapi/error.h
> index b9452d4806..79f8e95214 100644
> --- a/include/qapi/error.h
> +++ b/include/qapi/error.h
> @@ -141,6 +141,9 @@
>   * ...
>   * }
>   *
> + * For mass conversion use script
> + *   scripts/coccinelle/auto-propagated-errp.cocci
> + *
>   *
>   * Receive and accumulate multiple errors (first one wins):
>   * Error *err = NULL, *local_err = NULL;

Extra blank line.

> diff --git a/scripts/coccinelle/auto-propagated-errp.cocci 
> b/scripts/coccinelle/auto-propagated-errp.cocci
> new file mode 100644
> index 00..fb03c871cb
> --- /dev/null
> +++ b/scripts/coccinelle/auto-propagated-errp.cocci
> @@ -0,0 +1,158 @@
> +// Use ERRP_AUTO_PROPAGATE (see include/qapi/error.h)
> +//
> +// Copyright (c) 2020 Virtuozzo International GmbH.
> +//
> +// This program is free software; you can redistribute it and/or modify
> +// it under the terms of the GNU General Public License as published by
> +// the Free Software Foundation; either version 2 of the License, or
> +// (at your option) any later version.
> +//
> +// This program is distributed in the hope that it will be useful,
> +// but WITHOUT ANY WARRANTY; without even the implied warranty of
> +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +// GNU General Public License for more details.
> +//
> +// You should have received a copy of the GNU General Public License
> +// along with this program.  If not, see .
> +//
> +// Usage example:
> +// spatch --sp-file scripts/coccinelle/auto-propagated-errp.cocci \
> +//  --macro-file scripts/cocci-macro-file.h --in-place --no-show-diff \
> +//  blockdev-nbd.c qemu-nbd.c {block/nbd*,nbd/*,include/block/nbd*}.[hc]
> +
> +@rule0@
> +// Add invocation to errp-functions where necessary
> +// We should skip functions with "Error *const *errp"
> +// parameter, but how to do it with coccinelle?
> +// I don't know, so, I skip them by function name regex.
> +// It's safe: if we did not skip some functions with
> +// "Error *const *errp", ERRP_AUTO_PROPAGATE invocation
> +// will fail to compile, because of const violation.

Not skipping a function we should skip fails to compile.

What about skipping a function we should not skip?

> +identifier fn !~ "error_append_.*_hint";
> +identifier local_err, ERRP;

A few of our coccinelle scripts use ALL_CAPS for meta-variables.  Most
don't.  Either is fine with me.  Mixing the two styles feels a bit
confusing, though.

> +@@
> +
> + fn(..., Error **ERRP, ...)
> + {
> ++   ERRP_AUTO_PROPAGATE();
> +<+...
> +when != ERRP_AUTO_PROPAGATE();
> +(
> +error_append_hint(ERRP, ...);
> +|
> +error_prepend(ERRP, ...);
> +|
> +Error *local_err = NULL;
> +)
> +...+>
> + }

Misses error_vprepend().  Currently harmless, but as long as we commit
the script, we better make it as robust as we reasonably can.

The previous patch explains this Coccinelle script's intent:

  To achieve these goals, later patches will add invocations
  of this macro at the start of functions with either use
  error_prepend/error_append_hint (solving 1) or which use
  local_err+error_propagate to check errors, switching those
  functions to use *errp instead (solving 2 and 3).

This rule matches "use error_prepend/error_append_hint" directly.  It
appears to use presence of a local Error * variable as proxy for "use
local_err+error_propagate to check errors".  Hmm.

We obviously have such a variable when we use "local_err+error_propagate
to check errors".  But we could also have such variables without use of
error_propagate().  In fact, error.h documents such use:

 * Call a function and receive an error from it:
 * Error *err = NULL;
 * foo(arg, );
 * if (err) {
 * handle the error...
 * }

where "handle the error" frees it.

I figure such uses typically occur in functions without 

Re: [PATCH v31 00/22] Add RX archtecture support

[no-reply]

Patchew URL: 
https://patchew.org/QEMU/20200223065102.61652-1-ys...@users.sourceforge.jp/



Hi,

This series seems to have some coding style problems. See output below for
more information:

Subject: [PATCH v31 00/22] Add RX archtecture support
Message-id: 20200223065102.61652-1-ys...@users.sourceforge.jp
Type: series

=== TEST SCRIPT BEGIN ===
#!/bin/bash
git rev-parse base > /dev/null || exit 0
git config --local diff.renamelimit 0
git config --local diff.renames True
git config --local diff.algorithm histogram
./scripts/checkpatch.pl --mailback base..
=== TEST SCRIPT END ===

From https://github.com/patchew-project/qemu
 - [tag update]  patchew/20200223065102.61652-1-ys...@users.sourceforge.jp 
-> patchew/20200223065102.61652-1-ys...@users.sourceforge.jp
Switched to a new branch 'test'
e61bc34 qemu-doc.texi: Add RX section.
51c47be BootLinuxConsoleTest: Test the RX-Virt machine
081293e Add rx-softmmu
ecc34cc hw/rx: Restrict the RX62N microcontroller to the RX62N CPU core
8dd4bc3 hw/rx: Honor -accel qtest
c71def2 hw/rx: RX Target hardware definition
2688648 hw/char: RX62N serial communication interface (SCI)
e46e80e hw/timer: RX62N internal timer modules
a3bafbd hw/intc: RX62N interrupt controller (ICUa)
b5f8f99 target/rx: Dump bytes for each insn during disassembly
4baf95c target/rx: Collect all bytes during disassembly
493d694 target/rx: Emit all disassembly in one prt()
fb79793 target/rx: Use prt_ldmi for XCHG_mr disassembly
83895a6 target/rx: Replace operand with prt_ldmi in disassembler
57c13f4 target/rx: Disassemble rx_index_addr into a string
eac7966 target/rx: RX disassembler
4507bfa target/rx: CPU definition
70baa9c target/rx: TCG helper
9b4cfd9 target/rx: TCG translation
45b9c13 hw/registerfields.h: Add 8bit and 16bit register macros
def1cbc qemu/bitops.h: Add extract8 and extract16
99e018a MAINTAINERS: Add RX

=== OUTPUT BEGIN ===
1/22 Checking commit 99e018a6891a (MAINTAINERS: Add RX)
2/22 Checking commit def1cbc185ff (qemu/bitops.h: Add extract8 and extract16)
3/22 Checking commit 45b9c136bce4 (hw/registerfields.h: Add 8bit and 16bit 
register macros)
Use of uninitialized value in concatenation (.) or string at 
./scripts/checkpatch.pl line 2495.
ERROR: Macros with multiple statements should be enclosed in a do - while loop
#27: FILE: include/hw/registerfields.h:25:
+#define REG8(reg, addr)  \
+enum { A_ ## reg = (addr) };  \
+enum { R_ ## reg = (addr) };

ERROR: Macros with multiple statements should be enclosed in a do - while loop
#31: FILE: include/hw/registerfields.h:29:
+#define REG16(reg, addr)  \
+enum { A_ ## reg = (addr) };  \
+enum { R_ ## reg = (addr) / 2 };

total: 2 errors, 0 warnings, 56 lines checked

Patch 3/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

4/22 Checking commit 9b4cfd96470c (target/rx: TCG translation)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#20: 
new file mode 100644

total: 0 errors, 1 warnings, 3065 lines checked

Patch 4/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
5/22 Checking commit 70baa9c25adc (target/rx: TCG helper)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#21: 
new file mode 100644

total: 0 errors, 1 warnings, 650 lines checked

Patch 5/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
6/22 Checking commit 4507bfa603c1 (target/rx: CPU definition)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#22: 
new file mode 100644

total: 0 errors, 1 warnings, 659 lines checked

Patch 6/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
7/22 Checking commit eac796699693 (target/rx: RX disassembler)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#38: 
new file mode 100644

total: 0 errors, 1 warnings, 1497 lines checked

Patch 7/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
8/22 Checking commit 57c13f4d87e8 (target/rx: Disassemble rx_index_addr into a 
string)
9/22 Checking commit 83895a61feaa (target/rx: Replace operand with prt_ldmi in 
disassembler)
10/22 Checking commit fb797930f7c0 (target/rx: Use prt_ldmi for XCHG_mr 
disassembly)
11/22 Checking commit 493d69462444 (target/rx: Emit all disassembly in one 
prt())
12/22 Checking commit 4baf95c2aa5f (target/rx: Collect all bytes during 
disassembly)
13/22 Checking commit b5f8f9908936 (target/rx: Dump bytes for each insn 

Re: [PATCH v16 00/10] VIRTIO-IOMMU device

[Michael S. Tsirkin]

On Fri, Feb 21, 2020 at 02:27:30PM +, Peter Maydell wrote:
> On Fri, 14 Feb 2020 at 13:28, Eric Auger  wrote:
> >
> > This series implements the QEMU virtio-iommu device.
> >
> > This matches the v0.12 spec (voted) and the corresponding
> > virtio-iommu driver upstreamed in 5.3. All kernel dependencies
> > are resolved for DT integration. The virtio-iommu can be
> > instantiated in ARM virt using:
> >
> > "-device virtio-iommu-pci".
> >
> > Non DT mode is not yet supported as it has non resolved kernel
> > dependencies [1].
> >
> > This feature targets 5.0.
> >
> > Integration with vhost devices and vfio devices is not part
> > of this series. Please follow Bharat's respins [2].
> 
> I think everything here has reviewed-by tags now -- does
> anybody still want more time to review it, and what
> is the preference for how it goes into master?
> 
> thanks
> -- PMM

I guess I'll pick it up, most code seems to be virtio related.

Thanks everyone!

-- 
MST

Re: [PATCH v31 00/22] Add RX archtecture support

[no-reply]

Patchew URL: 
https://patchew.org/QEMU/20200223065102.61652-1-ys...@users.sourceforge.jp/



Hi,

This series seems to have some coding style problems. See output below for
more information:

Subject: [PATCH v31 00/22] Add RX archtecture support
Message-id: 20200223065102.61652-1-ys...@users.sourceforge.jp
Type: series

=== TEST SCRIPT BEGIN ===
#!/bin/bash
git rev-parse base > /dev/null || exit 0
git config --local diff.renamelimit 0
git config --local diff.renames True
git config --local diff.algorithm histogram
./scripts/checkpatch.pl --mailback base..
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
From https://github.com/patchew-project/qemu
 - [tag update]  patchew/20200223065102.61652-1-ys...@users.sourceforge.jp 
-> patchew/20200223065102.61652-1-ys...@users.sourceforge.jp
Switched to a new branch 'test'
6792035 qemu-doc.texi: Add RX section.
e9b9c53 BootLinuxConsoleTest: Test the RX-Virt machine
e69f0fe Add rx-softmmu
543492d hw/rx: Restrict the RX62N microcontroller to the RX62N CPU core
790f86f hw/rx: Honor -accel qtest
f4de752 hw/rx: RX Target hardware definition
e56b953 hw/char: RX62N serial communication interface (SCI)
ca7613a hw/timer: RX62N internal timer modules
94ac051 hw/intc: RX62N interrupt controller (ICUa)
349328c target/rx: Dump bytes for each insn during disassembly
2a29d79 target/rx: Collect all bytes during disassembly
aa9b8f9 target/rx: Emit all disassembly in one prt()
b5eb1f9 target/rx: Use prt_ldmi for XCHG_mr disassembly
78a163c target/rx: Replace operand with prt_ldmi in disassembler
8e2cb45 target/rx: Disassemble rx_index_addr into a string
edb0e05 target/rx: RX disassembler
f6c4506 target/rx: CPU definition
fb85bb5 target/rx: TCG helper
96a6161 target/rx: TCG translation
19228d9 hw/registerfields.h: Add 8bit and 16bit register macros
ebb09d9 qemu/bitops.h: Add extract8 and extract16
5e82c32 MAINTAINERS: Add RX

=== OUTPUT BEGIN ===
1/22 Checking commit 5e82c320d820 (MAINTAINERS: Add RX)
2/22 Checking commit ebb09d904065 (qemu/bitops.h: Add extract8 and extract16)
3/22 Checking commit 19228d9dd8a0 (hw/registerfields.h: Add 8bit and 16bit 
register macros)
Use of uninitialized value in concatenation (.) or string at 
./scripts/checkpatch.pl line 2495.
ERROR: Macros with multiple statements should be enclosed in a do - while loop
#27: FILE: include/hw/registerfields.h:25:
+#define REG8(reg, addr)  \
+enum { A_ ## reg = (addr) };  \
+enum { R_ ## reg = (addr) };

ERROR: Macros with multiple statements should be enclosed in a do - while loop
#31: FILE: include/hw/registerfields.h:29:
+#define REG16(reg, addr)  \
+enum { A_ ## reg = (addr) };  \
+enum { R_ ## reg = (addr) / 2 };

total: 2 errors, 0 warnings, 56 lines checked

Patch 3/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

4/22 Checking commit 96a616132ea1 (target/rx: TCG translation)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#20: 
new file mode 100644

total: 0 errors, 1 warnings, 3065 lines checked

Patch 4/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
5/22 Checking commit fb85bb5bd6e4 (target/rx: TCG helper)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#21: 
new file mode 100644

total: 0 errors, 1 warnings, 650 lines checked

Patch 5/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
6/22 Checking commit f6c450601f6a (target/rx: CPU definition)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#22: 
new file mode 100644

total: 0 errors, 1 warnings, 659 lines checked

Patch 6/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
7/22 Checking commit edb0e05bcbbe (target/rx: RX disassembler)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#38: 
new file mode 100644

total: 0 errors, 1 warnings, 1497 lines checked

Patch 7/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
8/22 Checking commit 8e2cb450947e (target/rx: Disassemble rx_index_addr into a 
string)
9/22 Checking commit 78a163c7973e (target/rx: Replace operand with prt_ldmi in 
disassembler)
10/22 Checking commit b5eb1f90ab15 (target/rx: Use prt_ldmi for XCHG_mr 
disassembly)
11/22 Checking commit aa9b8f91a8ce (target/rx: Emit all disassembly in one 
prt())
12/22 Checking commit 2a29d797f728 (target/rx: Collect all bytes during 
disassembly)
13/22 Checking commit 

Re: [PATCH v31 00/22] Add RX archtecture support

[no-reply]

Patchew URL: 
https://patchew.org/QEMU/20200223065102.61652-1-ys...@users.sourceforge.jp/



Hi,

This series seems to have some coding style problems. See output below for
more information:

Subject: [PATCH v31 00/22] Add RX archtecture support
Message-id: 20200223065102.61652-1-ys...@users.sourceforge.jp
Type: series

=== TEST SCRIPT BEGIN ===
#!/bin/bash
git rev-parse base > /dev/null || exit 0
git config --local diff.renamelimit 0
git config --local diff.renames True
git config --local diff.algorithm histogram
./scripts/checkpatch.pl --mailback base..
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
From https://github.com/patchew-project/qemu
 - [tag update]  patchew/20200223065102.61652-1-ys...@users.sourceforge.jp 
-> patchew/20200223065102.61652-1-ys...@users.sourceforge.jp
Switched to a new branch 'test'
433172d qemu-doc.texi: Add RX section.
c0c0863 BootLinuxConsoleTest: Test the RX-Virt machine
5dbb5d7 Add rx-softmmu
8bb88da hw/rx: Restrict the RX62N microcontroller to the RX62N CPU core
cf49ce3 hw/rx: Honor -accel qtest
32a72b7 hw/rx: RX Target hardware definition
eec292e hw/char: RX62N serial communication interface (SCI)
91c1557 hw/timer: RX62N internal timer modules
33e1d07 hw/intc: RX62N interrupt controller (ICUa)
ab11fd0 target/rx: Dump bytes for each insn during disassembly
6299441 target/rx: Collect all bytes during disassembly
d3c39ed target/rx: Emit all disassembly in one prt()
1f9bc5c target/rx: Use prt_ldmi for XCHG_mr disassembly
1665693 target/rx: Replace operand with prt_ldmi in disassembler
23259ca target/rx: Disassemble rx_index_addr into a string
779d660 target/rx: RX disassembler
4b81352 target/rx: CPU definition
8bc073b target/rx: TCG helper
f4c1c7b target/rx: TCG translation
cc41d5a hw/registerfields.h: Add 8bit and 16bit register macros
24fee16 qemu/bitops.h: Add extract8 and extract16
2848107 MAINTAINERS: Add RX

=== OUTPUT BEGIN ===
1/22 Checking commit 2848107d5e5a (MAINTAINERS: Add RX)
2/22 Checking commit 24fee169ad38 (qemu/bitops.h: Add extract8 and extract16)
3/22 Checking commit cc41d5a4ab76 (hw/registerfields.h: Add 8bit and 16bit 
register macros)
Use of uninitialized value in concatenation (.) or string at 
./scripts/checkpatch.pl line 2495.
ERROR: Macros with multiple statements should be enclosed in a do - while loop
#27: FILE: include/hw/registerfields.h:25:
+#define REG8(reg, addr)  \
+enum { A_ ## reg = (addr) };  \
+enum { R_ ## reg = (addr) };

ERROR: Macros with multiple statements should be enclosed in a do - while loop
#31: FILE: include/hw/registerfields.h:29:
+#define REG16(reg, addr)  \
+enum { A_ ## reg = (addr) };  \
+enum { R_ ## reg = (addr) / 2 };

total: 2 errors, 0 warnings, 56 lines checked

Patch 3/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

4/22 Checking commit f4c1c7b7c6a6 (target/rx: TCG translation)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#20: 
new file mode 100644

total: 0 errors, 1 warnings, 3065 lines checked

Patch 4/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
5/22 Checking commit 8bc073b2f5ff (target/rx: TCG helper)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#21: 
new file mode 100644

total: 0 errors, 1 warnings, 650 lines checked

Patch 5/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
6/22 Checking commit 4b8135204261 (target/rx: CPU definition)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#22: 
new file mode 100644

total: 0 errors, 1 warnings, 659 lines checked

Patch 6/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
7/22 Checking commit 779d66082061 (target/rx: RX disassembler)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#38: 
new file mode 100644

total: 0 errors, 1 warnings, 1497 lines checked

Patch 7/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
8/22 Checking commit 23259ca25efd (target/rx: Disassemble rx_index_addr into a 
string)
9/22 Checking commit 166569349e2b (target/rx: Replace operand with prt_ldmi in 
disassembler)
10/22 Checking commit 1f9bc5c6a4b9 (target/rx: Use prt_ldmi for XCHG_mr 
disassembly)
11/22 Checking commit d3c39ed17740 (target/rx: Emit all disassembly in one 
prt())
12/22 Checking commit 629944121f05 (target/rx: Collect all bytes during 
disassembly)
13/22 Checking commit