Re: [PATCH v5 01/11] hw/misc: Add NPCM7xx System Global Control Registers device model

2020-07-11 Thread Havard Skinnemoen
ollowup
> > > patches before this series is merged, e.g. tests, bootrom
> > > submodule+blob, more peripherals, etc. Is it preferable to keep this
> > > series frozen (modulo API updates) since you spent a lot of time
> > > reviewing it, and post the new stuff separately, or is it better to
> > > add new patches to the end of the series and resend the whole thing?
> >
> > If you rework a peripheral, you need to reset the Reviewed-by/Tested-by
> > tags. If you add new peripherals, you only need to reset these tags on
> > the SoC patch. I'm fine either way, I use git-backport-diff to see the
> > SoC changes easily:
> >
> > https://github.com/codyprime/git-scripts/blob/master/git-backport-diff
>
> I've been adding new peripherals incrementally after the basic SoC
> support patch. Is that OK to do without resetting the tags?
>
> But it's more likely that I'll add other things than peripherals next,
> i.e. bootrom and tests.
>
> > >
> > >> But these are apparently not stable links (expire after 30 days?).
> > >
> > > Sorry, I'm too ignorant about Jenkins to know. I'll see if I can
> > > figure something out.
> >
> > What I do in that case is take the binary used for the test,
> > write a comment and push it in a stable branch to my own repo:
> > https://github.com/philmd/qemu-testing-blob/ and use the stable
> > url in the test.
> >
> > We know QEMU emulation worked with this particular binary at some
> > point. We want to avoid regressions in QEMU, so let's keep testing
> > what we know worked. We don't want to track 2 bugs at a time (one
> > in the updated guest and one in QEMU).
>
> Good point. I'll see if I can upload images to github. I might fork
> the openbmc repository and attach binaries to a github release, to
> make it clear where the binaries came from.
>
> I accidentally broke my test image and had some trouble recreating it,
> so I ended up reworking my various hacks a bit. The good news is that
> I got most of them turned into proper bug fixes that I can send
> upstream.
>
> It might take a little longer than I said previously, but I'll try to
> include acceptance tests in the next series.

I uploaded the images here:

https://github.com/hskinnemoen/openbmc/releases/tag/20200711-gsj-qemu-0

I used them to implement an acceptance test that I'll include in v6.



Re: [PATCH v5 09/11] hw/ssi: NPCM7xx Flash Interface Unit device model

2020-07-11 Thread Havard Skinnemoen
On Thu, Jul 9, 2020 at 10:00 AM Philippe Mathieu-Daudé wrote:
>
> On 7/9/20 2:36 AM, Havard Skinnemoen wrote:
> > This implements a device model for the NPCM7xx SPI flash controller.
> >
> > Direct reads and writes, and user-mode transactions have been tested in
> > various modes. Protection features are not implemented yet.
> >
> > All the FIU instances are available in the SoC's address space,
> > regardless of whether or not they're connected to actual flash chips.
> >
> > Reviewed-by: Tyrone Ting 
> > Reviewed-by: Cédric Le Goater 
> > Signed-off-by: Havard Skinnemoen 
> > ---
> >  include/hw/arm/npcm7xx.h |   2 +
> >  include/hw/ssi/npcm7xx_fiu.h | 100 +++
> >  hw/arm/npcm7xx.c |  53 
> >  hw/ssi/npcm7xx_fiu.c | 510 +++
> >  hw/arm/Kconfig   |   1 +
> >  hw/ssi/Makefile.objs |   1 +
> >  hw/ssi/trace-events  |   9 +
> >  7 files changed, 676 insertions(+)
> >  create mode 100644 include/hw/ssi/npcm7xx_fiu.h
> >  create mode 100644 hw/ssi/npcm7xx_fiu.c
> >
> > diff --git a/include/hw/arm/npcm7xx.h b/include/hw/arm/npcm7xx.h
> > index 3ae9e5dca2..bc99f47286 100644
> > --- a/include/hw/arm/npcm7xx.h
> > +++ b/include/hw/arm/npcm7xx.h
> > @@ -23,6 +23,7 @@
> >  #include "hw/misc/npcm7xx_gcr.h"
> >  #include "hw/nvram/npcm7xx_otp.h"
> >  #include "hw/timer/npcm7xx_timer.h"
> > +#include "hw/ssi/npcm7xx_fiu.h"
> >  #include "target/arm/cpu.h"
> >
> >  #define NPCM7XX_MAX_NUM_CPUS(2)
> > @@ -73,6 +74,7 @@ typedef struct NPCM7xxState {
> >  NPCM7xxOTPState key_storage;
> >  NPCM7xxOTPState fuse_array;
> >  NPCM7xxMCState  mc;
> > +NPCM7xxFIUState fiu[2];
> >  } NPCM7xxState;
> >
> >  #define TYPE_NPCM7XX"npcm7xx"
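Review bot: The array size in `NPCM7xxFIUState fiu[2];` is a bare literal. A named constant, or a comment saying which two FIU instances these are, would let the SoC code that initialises and maps the instances take its loop bound from the same definition instead of repeating the 2.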
> > diff --git a/include/hw/ssi/npcm7xx_fiu.h b/include/hw/ssi/npcm7xx_fiu.h
> > new file mode 100644
> > index 00..b867bd0429
> > --- /dev/null
> > +++ b/include/hw/ssi/npcm7xx_fiu.h
> > @@ -0,0 +1,100 @@
> > +/*
> > + * Nuvoton NPCM7xx Flash Interface Unit (FIU)
> > + *
> > + * Copyright 2020 Google LLC
> > + *
> > + * This program is free software; you can redistribute it and/or modify it
> > + * under the terms of the GNU General Public License as published by the
> > + * Free Software Foundation; either version 2 of the License, or
> > + * (at your option) any later version.
> > + *
> > + * This program is distributed in the hope that it will be useful, but 
> > WITHOUT
> > + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
> > + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
> > + * for more details.
> > + */
> > +#ifndef NPCM7XX_FIU_H
> > +#define NPCM7XX_FIU_H
> > +
> > +#include "hw/ssi/ssi.h"
> > +#include "hw/sysbus.h"
> > +
> > +/**
> > + * enum NPCM7xxFIURegister - 32-bit FIU register indices.
> > + */
> > +enum NPCM7xxFIURegister {
> > +NPCM7XX_FIU_DRD_CFG,
> > +NPCM7XX_FIU_DWR_CFG,
> > +NPCM7XX_FIU_UMA_CFG,
> > +NPCM7XX_FIU_UMA_CTS,
> > +NPCM7XX_FIU_UMA_CMD,
> > +NPCM7XX_FIU_UMA_ADDR,
> > +NPCM7XX_FIU_PRT_CFG,
> > +NPCM7XX_FIU_UMA_DW0 = 0x0020 / sizeof(uint32_t),
> > +NPCM7XX_FIU_UMA_DW1,
> > +NPCM7XX_FIU_UMA_DW2,
> > +NPCM7XX_FIU_UMA_DW3,
> > +NPCM7XX_FIU_UMA_DR0,
> > +NPCM7XX_FIU_UMA_DR1,
> > +NPCM7XX_FIU_UMA_DR2,
> > +NPCM7XX_FIU_UMA_DR3,
> > +NPCM7XX_FIU_PRT_CMD0,
> > +NPCM7XX_FIU_PRT_CMD1,
> > +NPCM7XX_FIU_PRT_CMD2,
> > +NPCM7XX_FIU_PRT_CMD3,
> > +NPCM7XX_FIU_PRT_CMD4,
> > +NPCM7XX_FIU_PRT_CMD5,
> > +NPCM7XX_FIU_PRT_CMD6,
> > +NPCM7XX_FIU_PRT_CMD7,
> > +NPCM7XX_FIU_PRT_CMD8,
> > +NPCM7XX_FIU_PRT_CMD9,
> > +NPCM7XX_FIU_CFG = 0x78 / sizeof(uint32_t),
> > +NPCM7XX_FIU_NR_REGS,
> > +};
> > +
> > +typedef struct NPCM7xxFIUState NPCM7xxFIUState;
> > +
> > +/**
> > + * struct NPCM7xxFIUFlash - Per-chipselect flash controller state.
> > + * @direct_access: Memory region for direct flash access.
> > + * @fiu: Pointer to flash controller shared state.
> > + */
> > +typedef struct NPCM7xxFIUFlash {
> > +MemoryRegion direct_access;
> > +NPCM7xxFIUState *fiu;
> > +} NPCM7xxFIUFlash;
> > +
> > +/**
> > + * NPCM7xxFIUState - Device state for one Flash Interface Unit.
> > + * @parent: System bus device.
> > + * @mmio: Memory region for register access.
> > + * @cs_count: Number of flash chips that may be connected to this module.
> > + * @active_cs: Currently active chip select, or -1 if no chip is selected.
> > + * @cs_lines: GPIO lines that may be wired to flash chips.
> > + * @flash: Array of @cs_count per-flash-chip state objects.
> > + * @spi: The SPI bus mastered by this controller.
> > + * @regs: Register contents.
> > + *
> > + * Each FIU has a shared bank of registers, and controls up to four chip
> > + * selects. Each chip select has a dedicated memory region which may be 
> > used to
> > + * read and write the flash connected to that chip select as if it were 
> > memory.
> > + */
> > 
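Review bot: In `enum NPCM7xxFIURegister` the two explicit indices are written in different styles (`0x0020 / sizeof(uint32_t)` and `0x78 / sizeof(uint32_t)`), and every other register's offset is implied only by its position in the list. Use one width for the hex offsets, and add a short comment at `NPCM7XX_FIU_UMA_DW0` and `NPCM7XX_FIU_CFG` saying what the skipped indices are, so the list can be checked against the datasheet without counting entries.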

[PATCH] linux-user: syscall: ioctls: support DRM_IOCTL_I915_GETPARAM

2020-07-11 Thread chengang
From: Chen Gang 

This is for the i915 DRM command; next, I shall send implementations of
other i915 commands.

Signed-off-by: Chen Gang 
---
 linux-user/ioctls.h|  3 +++
 linux-user/syscall.c   | 39 ++
 linux-user/syscall_defs.h  |  9 +
 linux-user/syscall_types.h |  4 
 4 files changed, 55 insertions(+)

diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
index f2e2fa9c87..83e045deba 100644
--- a/linux-user/ioctls.h
+++ b/linux-user/ioctls.h
@@ -577,6 +577,9 @@
 #ifdef HAVE_DRM_H
   IOCTL_SPECIAL(DRM_IOCTL_VERSION, IOC_RW, do_ioctl_drm,
 MK_PTR(MK_STRUCT(STRUCT_drm_version)))
+
+  IOCTL_SPECIAL(DRM_IOCTL_I915_GETPARAM, IOC_RW, do_ioctl_drm_i915,
+MK_PTR(MK_STRUCT(STRUCT_drm_i915_getparam)))
 #endif
 
 #ifdef TARGET_TIOCSTART
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 17ed7f8d6b..6fab9064af 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -114,6 +114,7 @@
 #include 
 #ifdef HAVE_DRM_H
 #include 
+#include 
 #endif
 #include "linux_loop.h"
 #include "uname.h"
@@ -5372,6 +5373,44 @@ static abi_long do_ioctl_drm(const IOCTLEntry *ie, 
uint8_t *buf_temp,
 return -TARGET_ENOSYS;
 }
 
+static abi_long do_ioctl_drm_i915_getparam(const IOCTLEntry *ie,
+   struct drm_i915_getparam *gparam,
+   int fd, abi_long arg)
+{
+abi_long ret;
+struct target_drm_i915_getparam *target_gparam;
+
+if (!lock_user_struct(VERIFY_READ, target_gparam, arg, 0)) {
+return -TARGET_EFAULT;
+}
+__get_user(gparam->param, _gparam->param);
+gparam->value = lock_user(VERIFY_WRITE, target_gparam->value,
+ sizeof(*gparam->value), 0);
+if (!gparam->value) {
+unlock_user_struct(target_gparam, arg, 0);
+return -TARGET_EFAULT;
+}
+
+ret = get_errno(safe_ioctl(fd, ie->host_cmd, gparam));
+
+unlock_user(gparam->value, target_gparam->value, sizeof(*gparam->value));
+unlock_user_struct(target_gparam, arg, 0);
+return ret;
+}
+
+static abi_long do_ioctl_drm_i915(const IOCTLEntry *ie, uint8_t *buf_temp,
+  int fd, int cmd, abi_long arg)
+{
+switch (ie->host_cmd) {
+case DRM_IOCTL_I915_GETPARAM:
+return do_ioctl_drm_i915_getparam(ie,
+  (struct drm_i915_getparam *)buf_temp,
+  fd, arg);
+default:
+return -TARGET_ENOSYS;
+}
+}
+
 #endif
 
 static IOCTLEntry ioctl_entries[] = {
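Review bot: In `do_ioctl_drm_i915_getparam()`, `target_gparam->value` is handed to `lock_user()` and `unlock_user()` as read straight from guest memory, while `param` on the line above goes through `__get_user()`. For a guest whose byte order differs from the host, the pointer is used unswapped and the `int` that the host ioctl stores through `gparam->value` is copied back without conversion. Point `gparam->value` at a local `int`, call the ioctl, and write the result to the guest with `put_user_s32()` using the guest pointer fetched through `__get_user()`; that also removes the second lock/unlock pair and its error path.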
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index 3c261cff0e..9082f6c2bc 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -1170,6 +1170,9 @@ struct target_rtc_pll_info {
 /* drm ioctls */
 #define TARGET_DRM_IOCTL_VERSION  TARGET_IOWRU('d', 0x00)
 
+/* drm i915 ioctls */
+#define TARGET_DRM_IOCTL_I915_GETPARAM  TARGET_IOWRU('d', 0x46)
+
 /* from asm/termbits.h */
 
 #define TARGET_NCC 8
@@ -2613,6 +2616,12 @@ struct target_drm_version {
 abi_ulong desc;
 };
 
+struct target_drm_i915_getparam {
+int param;
+abi_ulong value;
+};
+
+
 #include "socket.h"
 
 #include "errno_defs.h"
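Review bot: `struct target_drm_i915_getparam` declares `param` as a host `int` beside `abi_ulong value`. Target-layout structs should use the ABI types for every member, so `abi_int param;` keeps size and alignment tied to the guest ABI rather than the host's. The hunk also adds two blank lines after the struct where one is enough.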
diff --git a/linux-user/syscall_types.h b/linux-user/syscall_types.h
index e2b0484f50..ef60d5f38c 100644
--- a/linux-user/syscall_types.h
+++ b/linux-user/syscall_types.h
@@ -303,6 +303,10 @@ STRUCT(drm_version,
TYPE_ULONG, /* desc_len */
TYPE_PTRVOID) /* desc */
 
+STRUCT(drm_i915_getparam,
+   TYPE_INT, /* param */
+   TYPE_PTRVOID) /* value */
+
 STRUCT(file_clone_range,
TYPE_LONGLONG, /* src_fd */
TYPE_ULONGLONG, /* src_offset */
-- 
2.24.0.308.g228f53135a






[PATCH] target: i386: mem_helper: Fix ldaxr instruction 64 bit alignment issue temporarily for stable-4.1

2020-07-11 Thread chengang
From: Chen Gang 

This fix does not consider the lock feature, which may cause other
issues, but excuse me, I don't know how to fix it. At present,
the fix runs OK for my case with Windows oledb32.dll in Wine.

Anyone is welcome to fix it, thanks.

Signed-off-by: Chen Gang 
---
 target/i386/mem_helper.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/target/i386/mem_helper.c b/target/i386/mem_helper.c
index d50d4b0c40..8c37b05fae 100644
--- a/target/i386/mem_helper.c
+++ b/target/i386/mem_helper.c
@@ -68,7 +68,13 @@ void helper_cmpxchg8b(CPUX86State *env, target_ulong a0)
 uint64_t *haddr = g2h(a0);
 cmpv = cpu_to_le64(cmpv);
 newv = cpu_to_le64(newv);
-oldv = atomic_cmpxchg__nocheck(haddr, cmpv, newv);
+if ((unsigned long)haddr % 8) {
+volatile uint64_t tmp = *haddr; /* avoid compiler optimization */
+oldv = atomic_cmpxchg__nocheck(, cmpv, newv);
+*haddr = tmp;
+} else {
+oldv = atomic_cmpxchg__nocheck(haddr, cmpv, newv);
+}
 oldv = le64_to_cpu(oldv);
 }
 #else
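Review bot: The unaligned branch is not atomic. `*haddr` is copied into `tmp`, the compare-and-swap runs on that local copy, and `*haddr = tmp` then stores the result with a plain write, so another vCPU thread can modify the guest location between the load and the store and have its update overwritten; the store is also performed when the comparison fails. For an unaligned address this path should leave the parallel fast path, for example via `cpu_loop_exit_atomic()`, rather than emulate the operation with separate accesses. Separately, `(unsigned long)haddr % 8` should cast to `uintptr_t`, since `unsigned long` is narrower than a pointer on 64-bit Windows hosts.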
-- 
2.24.0.308.g228f53135a






Re: [PATCH 2/2] hw/arm/palm.c: Encapsulate misc GPIO handling in a device

2020-07-11 Thread Li Qiang
On Mon, Jun 29, 2020 at 5:43 AM, Peter Maydell wrote:
>
> Replace the free-floating set of IRQs and palmte_onoff_gpios()
> function with a simple QOM device that encapsulates this
> behaviour.
>
> This fixes Coverity issue CID 1421944, which points out that
> the memory returned by qemu_allocate_irqs() is leaked.
>
> Signed-off-by: Peter Maydell 

Reviewed-by: Li Qiang 

> ---
>  hw/arm/palm.c | 61 +++
>  1 file changed, 52 insertions(+), 9 deletions(-)
>
> diff --git a/hw/arm/palm.c b/hw/arm/palm.c
> index 569836178f6..e7bc9ea4c6a 100644
> --- a/hw/arm/palm.c
> +++ b/hw/arm/palm.c
> @@ -124,6 +124,21 @@ static void palmte_button_event(void *opaque, int 
> keycode)
>  !(keycode & 0x80));
>  }
>
> +/*
> + * Encapsulation of some GPIO line behaviour for the Palm board
> + *
> + * QEMU interface:
> + *  + unnamed GPIO inputs 0..6: for the various miscellaneous input lines
> + */
> +
> +#define TYPE_PALM_MISC_GPIO "palm-misc-gpio"
> +#define PALM_MISC_GPIO(obj) \
> +OBJECT_CHECK(PalmMiscGPIOState, (obj), TYPE_PALM_MISC_GPIO)
> +
> +typedef struct PalmMiscGPIOState {
> +SysBusDevice parent_obj;
> +} PalmMiscGPIOState;
> +
>  static void palmte_onoff_gpios(void *opaque, int line, int level)
>  {
>  switch (line) {
> @@ -151,23 +166,44 @@ static void palmte_onoff_gpios(void *opaque, int line, 
> int level)
>  }
>  }
>
> +static void palm_misc_gpio_init(Object *obj)
> +{
> +DeviceState *dev = DEVICE(obj);
> +
> +qdev_init_gpio_in(dev, palmte_onoff_gpios, 7);
> +}
> +
> +static const TypeInfo palm_misc_gpio_info = {
> +.name = TYPE_PALM_MISC_GPIO,
> +.parent = TYPE_SYS_BUS_DEVICE,
> +.instance_size = sizeof(PalmMiscGPIOState),
> +.instance_init = palm_misc_gpio_init,
> +/*
> + * No class init required: device has no internal state so does not
> + * need to set up reset or vmstate, and has no realize method.
> + */
> +};
> +
>  static void palmte_gpio_setup(struct omap_mpu_state_s *cpu)
>  {
> -qemu_irq *misc_gpio;
> +DeviceState *misc_gpio;
> +
> +misc_gpio = sysbus_create_simple(TYPE_PALM_MISC_GPIO, -1, NULL);
>
>  omap_mmc_handlers(cpu->mmc,
>  qdev_get_gpio_in(cpu->gpio, PALMTE_MMC_WP_GPIO),
>  qemu_irq_invert(omap_mpuio_in_get(cpu->mpuio)
>  [PALMTE_MMC_SWITCH_GPIO]));
>
> -misc_gpio = qemu_allocate_irqs(palmte_onoff_gpios, cpu, 7);
> -qdev_connect_gpio_out(cpu->gpio, PALMTE_MMC_POWER_GPIO, 
> misc_gpio[0]);
> -qdev_connect_gpio_out(cpu->gpio, PALMTE_SPEAKER_GPIO,   
> misc_gpio[1]);
> -qdev_connect_gpio_out(cpu->gpio, 11,
> misc_gpio[2]);
> -qdev_connect_gpio_out(cpu->gpio, 12,
> misc_gpio[3]);
> -qdev_connect_gpio_out(cpu->gpio, 13,
> misc_gpio[4]);
> -omap_mpuio_out_set(cpu->mpuio, 1,   
> misc_gpio[5]);
> -omap_mpuio_out_set(cpu->mpuio, 3,   
> misc_gpio[6]);
> +qdev_connect_gpio_out(cpu->gpio, PALMTE_MMC_POWER_GPIO,
> +  qdev_get_gpio_in(misc_gpio, 0));
> +qdev_connect_gpio_out(cpu->gpio, PALMTE_SPEAKER_GPIO,
> +  qdev_get_gpio_in(misc_gpio, 1));
> +qdev_connect_gpio_out(cpu->gpio, 11, qdev_get_gpio_in(misc_gpio, 2));
> +qdev_connect_gpio_out(cpu->gpio, 12, qdev_get_gpio_in(misc_gpio, 3));
> +qdev_connect_gpio_out(cpu->gpio, 13, qdev_get_gpio_in(misc_gpio, 4));
> +omap_mpuio_out_set(cpu->mpuio, 1, qdev_get_gpio_in(misc_gpio, 5));
> +omap_mpuio_out_set(cpu->mpuio, 3, qdev_get_gpio_in(misc_gpio, 6));
>
>  /* Reset some inputs to initial state.  */
>  qemu_irq_lower(qdev_get_gpio_in(cpu->gpio, PALMTE_USBDETECT_GPIO));
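Review bot: `qdev_init_gpio_in(dev, palmte_onoff_gpios, 7)` gives the handler the new device as `opaque`, whereas the removed `qemu_allocate_irqs(palmte_onoff_gpios, cpu, 7)` passed `cpu`. The commit message should state that `palmte_onoff_gpios()` does not use `opaque`, so the change of argument is visibly intentional. The line count 7 is still a bare literal that has to match both the QEMU interface comment ("inputs 0..6") and the seven connections in `palmte_gpio_setup()`; a named constant would tie them together.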
> @@ -276,3 +312,10 @@ static void palmte_machine_init(MachineClass *mc)
>  }
>
>  DEFINE_MACHINE("cheetah", palmte_machine_init)
> +
> +static void palm_register_types(void)
> +{
> +type_register_static(_misc_gpio_info);
> +}
> +
> +type_init(palm_register_types)
> --
> 2.20.1
>
>



Re: [PATCH 1/2] hw/arm/palm.c: Detabify

2020-07-11 Thread Li Qiang
On Mon, Jun 29, 2020 at 5:45 AM, Peter Maydell wrote:
>
> Remove hard-tabs from palm.c.
>
> Signed-off-by: Peter Maydell 

Reviewed-by: Li Qiang 

> ---
>  hw/arm/palm.c | 64 +--
>  1 file changed, 32 insertions(+), 32 deletions(-)
>
> diff --git a/hw/arm/palm.c b/hw/arm/palm.c
> index 97ca105d297..569836178f6 100644
> --- a/hw/arm/palm.c
> +++ b/hw/arm/palm.c
> @@ -61,21 +61,21 @@ static const MemoryRegionOps static_ops = {
>  /* Palm Tunsgten|E support */
>
>  /* Shared GPIOs */
> -#define PALMTE_USBDETECT_GPIO  0
> -#define PALMTE_USB_OR_DC_GPIO  1
> -#define PALMTE_TSC_GPIO4
> -#define PALMTE_PINTDAV_GPIO6
> -#define PALMTE_MMC_WP_GPIO 8
> -#define PALMTE_MMC_POWER_GPIO  9
> -#define PALMTE_HDQ_GPIO11
> -#define PALMTE_HEADPHONES_GPIO 14
> -#define PALMTE_SPEAKER_GPIO15
> +#define PALMTE_USBDETECT_GPIO   0
> +#define PALMTE_USB_OR_DC_GPIO   1
> +#define PALMTE_TSC_GPIO 4
> +#define PALMTE_PINTDAV_GPIO 6
> +#define PALMTE_MMC_WP_GPIO  8
> +#define PALMTE_MMC_POWER_GPIO   9
> +#define PALMTE_HDQ_GPIO 11
> +#define PALMTE_HEADPHONES_GPIO  14
> +#define PALMTE_SPEAKER_GPIO 15
>  /* MPU private GPIOs */
> -#define PALMTE_DC_GPIO 2
> -#define PALMTE_MMC_SWITCH_GPIO 4
> -#define PALMTE_MMC1_GPIO   6
> -#define PALMTE_MMC2_GPIO   7
> -#define PALMTE_MMC3_GPIO   11
> +#define PALMTE_DC_GPIO  2
> +#define PALMTE_MMC_SWITCH_GPIO  4
> +#define PALMTE_MMC1_GPIO6
> +#define PALMTE_MMC2_GPIO7
> +#define PALMTE_MMC3_GPIO11
>
>  static MouseTransformInfo palmte_pointercal = {
>  .x = 320,
> @@ -100,17 +100,17 @@ static struct {
>  int column;
>  } palmte_keymap[0x80] = {
>  [0 ... 0x7f] = { -1, -1 },
> -[0x3b] = { 0, 0 }, /* F1   -> Calendar */
> -[0x3c] = { 1, 0 }, /* F2   -> Contacts */
> -[0x3d] = { 2, 0 }, /* F3   -> Tasks List */
> -[0x3e] = { 3, 0 }, /* F4   -> Note Pad */
> -[0x01] = { 4, 0 }, /* Esc  -> Power */
> -[0x4b] = { 0, 1 }, /* Left */
> -[0x50] = { 1, 1 }, /* Down */
> -[0x48] = { 2, 1 }, /* Up */
> -[0x4d] = { 3, 1 }, /* Right */
> -[0x4c] = { 4, 1 }, /* Centre */
> -[0x39] = { 4, 1 }, /* Spc  -> Centre */
> +[0x3b] = { 0, 0 },  /* F1   -> Calendar */
> +[0x3c] = { 1, 0 },  /* F2   -> Contacts */
> +[0x3d] = { 2, 0 },  /* F3   -> Tasks List */
> +[0x3e] = { 3, 0 },  /* F4   -> Note Pad */
> +[0x01] = { 4, 0 },  /* Esc  -> Power */
> +[0x4b] = { 0, 1 },  /* Left */
> +[0x50] = { 1, 1 },  /* Down */
> +[0x48] = { 2, 1 },  /* Up */
> +[0x4d] = { 3, 1 },  /* Right */
> +[0x4c] = { 4, 1 },  /* Centre */
> +[0x39] = { 4, 1 },  /* Spc  -> Centre */
>  };
>
>  static void palmte_button_event(void *opaque, int keycode)
> @@ -161,13 +161,13 @@ static void palmte_gpio_setup(struct omap_mpu_state_s 
> *cpu)
>  [PALMTE_MMC_SWITCH_GPIO]));
>
>  misc_gpio = qemu_allocate_irqs(palmte_onoff_gpios, cpu, 7);
> -qdev_connect_gpio_out(cpu->gpio, PALMTE_MMC_POWER_GPIO,misc_gpio[0]);
> -qdev_connect_gpio_out(cpu->gpio, PALMTE_SPEAKER_GPIO,  misc_gpio[1]);
> -qdev_connect_gpio_out(cpu->gpio, 11,   misc_gpio[2]);
> -qdev_connect_gpio_out(cpu->gpio, 12,   misc_gpio[3]);
> -qdev_connect_gpio_out(cpu->gpio, 13,   misc_gpio[4]);
> -omap_mpuio_out_set(cpu->mpuio, 1,  misc_gpio[5]);
> -omap_mpuio_out_set(cpu->mpuio, 3,  misc_gpio[6]);
> +qdev_connect_gpio_out(cpu->gpio, PALMTE_MMC_POWER_GPIO, 
> misc_gpio[0]);
> +qdev_connect_gpio_out(cpu->gpio, PALMTE_SPEAKER_GPIO,   
> misc_gpio[1]);
> +qdev_connect_gpio_out(cpu->gpio, 11,
> misc_gpio[2]);
> +qdev_connect_gpio_out(cpu->gpio, 12,
> misc_gpio[3]);
> +qdev_connect_gpio_out(cpu->gpio, 13,
> misc_gpio[4]);
> +omap_mpuio_out_set(cpu->mpuio, 1,   
> misc_gpio[5]);
> +omap_mpuio_out_set(cpu->mpuio, 3,   
> misc_gpio[6]);
>
>  /* Reset some inputs to initial state.  */
>  qemu_irq_lower(qdev_get_gpio_in(cpu->gpio, PALMTE_USBDETECT_GPIO));
> --
> 2.20.1
>
>



[Bug 1886318] Re: Qemu after v5.0.0 breaks macos guests

2020-07-11 Thread Simon John
Hi Mark, no that doesn't work sorry, same error.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1886318

Title:
  Qemu after v5.0.0 breaks macos guests

Status in QEMU:
  New

Bug description:
  The Debian Sid 5.0-6 qemu-kvm package can no longer get further than
  the Clover bootloader whereas 5.0-6 and earlier worked fine.

  So I built qemu master from github and it has the same problem,
  whereas git tag v5.0.0 (or 4.2.1) does not, so something between
  v5.0.0 release and the last few days has caused the problem.

  Here's my qemu script, pretty standard macOS-Simple-KVM setup on a
  Xeon host:

  qemu-system-x86_64 \
  -enable-kvm \
  -m 4G \
  -machine q35,accel=kvm \
  -smp 4,sockets=1,cores=2,threads=2 \
  -cpu Penryn,vendor=GenuineIntel,kvm=on,+sse3,+sse4.2,+aes,+xsave,+avx,+xsaveopt,+xsavec,+xgetbv1,+avx2,+bmi2,+smep,+bmi1,+fma,+movbe,+invtsc \
  -device isa-applesmc,osk="ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc" \
  -smbios type=2 \
  -drive if=pflash,format=raw,readonly,file="/tmp/OVMF_CODE.fd" \
  -drive if=pflash,format=raw,file="/tmp/macos_catalina_VARS.fd" \
  -vga qxl \
  -device ich9-ahci,id=sata \
  -drive id=ESP,if=none,format=raw,file=/tmp/ESP.img \
  -device ide-hd,bus=sata.2,drive=ESP \
  -drive id=InstallMedia,format=raw,if=none,file=/tmp/BaseSystem.img \
  -device ide-hd,bus=sata.3,drive=InstallMedia \
  -drive id=SystemDisk,if=none,format=raw,file=/tmp/macos_catalina.img \
  -device ide-hd,bus=sata.4,drive=SystemDisk \
  -usb -device usb-kbd -device usb-mouse

  Perhaps something has changed in Penryn support recently, as that's
  required for macos?

  See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247

  Also on a related note, kernel 5.6/5.7 (on Debian) hard crashes the
  host when I try GPU passthrough on macos, whereas Ubuntu20/Win10 work
  fine - as does 5.5 kernel.

  See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961676

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1886318/+subscriptions



[Bug 1886318] Re: Qemu after v5.0.0 breaks macos guests

2020-07-11 Thread Mark Cave-Ayland
Thanks for the bisection, that's really helpful - that particular patch
fixes the way in which memory region access sizes are treated as valid.
The obvious device to look at here is isa-apple-smc since I suspect that
has less CI coverage.

Looking at the access sizes of all 3 MemoryRegions within
hw/misc/applesmc.c I think these would now reject all non-byte accesses
- does the following patch help at all?


diff --git a/hw/misc/applesmc.c b/hw/misc/applesmc.c
index 1c4addb201..7ca89e5e86 100644
--- a/hw/misc/applesmc.c
+++ b/hw/misc/applesmc.c
@@ -288,7 +288,7 @@ static const MemoryRegionOps applesmc_data_io_ops = {
 .endianness = DEVICE_NATIVE_ENDIAN,
 .impl = {
 .min_access_size = 1,
-.max_access_size = 1,
+.max_access_size = 4,
 },
 };
 
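Review bot: This hunk, like the two after it, raises `.impl.max_access_size`, but `.impl` only tells the memory core which access sizes the read/write callbacks implement; the sizes a guest is permitted to use are described by `.valid`. If the aim is to accept 2- and 4-byte guest accesses, set `.valid.min_access_size` and `.valid.max_access_size` and leave `.impl` at 1 so the core keeps splitting wider accesses into byte calls. With `.impl.max_access_size = 4` the callbacks are invoked with sizes up to 4, which needs checking against what the applesmc handlers do with `size`.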
@@ -298,7 +298,7 @@ static const MemoryRegionOps applesmc_cmd_io_ops = {
 .endianness = DEVICE_NATIVE_ENDIAN,
 .impl = {
 .min_access_size = 1,
-.max_access_size = 1,
+.max_access_size = 4,
 },
 };
 
@@ -308,7 +308,7 @@ static const MemoryRegionOps applesmc_err_io_ops = {
 .endianness = DEVICE_NATIVE_ENDIAN,
 .impl = {
 .min_access_size = 1,
-.max_access_size = 1,
+.max_access_size = 4,
 },
 };
 

ATB,

Mark.




[Bug 1886318] Re: Qemu after v5.0.0 breaks macos guests

2020-07-11 Thread Simon John
yup, building debian 5.0-6 package minus that single patch gives me
working macos catalina again.

now just got to figure out why any kernel newer than 5.5 crashes the
host when using pci passthrough - i don't fancy bisecting a whole
kernel!




[Bug 1886318] Re: Qemu after v5.0.0 breaks macos guests

2020-07-11 Thread Simon John
the debian patch is:

revert-memory-accept-mismatching-sizes-in-memory_region_access_valid-
CVE-2020-13754.patch

i'm currently building a deb package without it.

mailserver has a geoip block and doesn't use ipv6, synapticconsulting at
gmail dot com should work.




[Bug 1886318] Re: Qemu after v5.0.0 breaks macos guests

2020-07-11 Thread Michael Tokarev
That's an interesting observation. Thank you for finding this one. It'd
be much faster to find the one of about 10 Debian patches which affects this,
but a full qemu bisect works too, of course.

Simon, I can't reach you by email; your mailserver is apparently
malfunctioning. I sent you instructions about how and what to do, but
all my emails were returned - connections to your mailserver time out
from a few of the networks I have access to.

This commit breaking macos guest is interesting, perhaps we should try
to fix that for 5.1.. :)




[Bug 1886318] Re: Qemu after v5.0.0 breaks macos guests

2020-07-11 Thread Simon John
Woohoo! Simply reverting that one commit
5d971f9e672507210e77d020d89e0e89165c8fc9 from today's master gets me
running again.

Not sure where that leaves us though?




Re: [PATCH v1 08/13] plugins: expand the bb plugin to be thread safe and track per-cpu

2020-07-11 Thread Emilio G. Cota
On Thu, Jul 09, 2020 at 15:13:22 +0100, Alex Bennée wrote:
> While there isn't any easy way to make the inline counts thread safe

Why not? At least in 64-bit hosts TCG will emit a single write to
update the 64-bit counter.

> we can ensure the callback based ones are. While we are at it we can
> reduce introduce a new option ("idle") to dump a report of the current

s/reduce//

> bb and insn count each time a vCPU enters the idle state.
> 
> Signed-off-by: Alex Bennée 
> Cc: Dave Bort 
> 
> ---
> v2
>   - fixup for non-inline linux-user case
>   - minor cleanup and re-factor
> ---
>  tests/plugin/bb.c | 96 ---
>  1 file changed, 83 insertions(+), 13 deletions(-)
> 
> diff --git a/tests/plugin/bb.c b/tests/plugin/bb.c
> index df19fd359df3..89c373e19cd8 100644
> --- a/tests/plugin/bb.c
> +++ b/tests/plugin/bb.c
> @@ -16,24 +16,67 @@
>  
>  QEMU_PLUGIN_EXPORT int qemu_plugin_version = QEMU_PLUGIN_VERSION;
>  
> -static uint64_t bb_count;
> -static uint64_t insn_count;
> +typedef struct {
> +GMutex lock;
> +int index;
> +uint64_t bb_count;
> +uint64_t insn_count;
> +} CPUCount;
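Review bot: CPUCount gains a GMutex lock and an int index next to the two counters, but nothing in the struct says what the lock protects or what index refers to. If each instance is only ever written by its own vCPU thread, state that beside the fields, because it decides whether readers of bb_count and insn_count need the lock at all.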

Why use a mutex?

Just have a per-vCPU struct that each vCPU thread updates with atomic_write.
Then when we want to print a report we just have to collect the counts
with atomic_read().

Also, consider just adding a comment to bb.c noting that it is not thread-safe,
and having a separate bb-threadsafe.c plugin for this patch. The reason is that
bb.c is very simple, which is useful to understand the interface.

Thanks,
E.



Re: [PATCH v2 01/17] tcg: Introduce target-specific page data for user-only

2020-07-11 Thread Richard Henderson
On 6/25/20 9:20 AM, Peter Maydell wrote:
> On Fri, 5 Jun 2020 at 05:17, Richard Henderson
>  wrote:
>>
>> This data can be allocated by page_alloc_target_data() and
>> released by page_set_flags(start, end, prot | PAGE_RESET).
>>
>> This data will be used to hold tag memory for AArch64 MTE.
>>
>> Signed-off-by: Richard Henderson 
>> ---
> 
>> @@ -289,6 +295,8 @@ int walk_memory_regions(void *, walk_memory_regions_fn);
>>  int page_get_flags(target_ulong address);
>>  void page_set_flags(target_ulong start, target_ulong end, int flags);
>>  int page_check_range(target_ulong start, target_ulong len, int flags);
>> +void *page_get_target_data(target_ulong address);
>> +void *page_alloc_target_data(target_ulong address, size_t size);
> 
> Could we have a doc comment for any new function that's got
> global scope, please?
> 
>>  #endif
>>
>>  CPUArchState *cpu_copy(CPUArchState *env);
> 
>> +void *page_alloc_target_data(target_ulong address, size_t size)
>> +{
>> +PageDesc *p = page_find(address >> TARGET_PAGE_BITS);
>> +void *ret = NULL;
>> +
>> +if (p) {
>> +ret = p->target_data;
>> +if (!ret && (p->flags & PAGE_VALID)) {
>> +p->target_data = ret = g_malloc0(size);
>> +}
>> +}
>> +return ret;
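Review bot: In page_alloc_target_data(), when p->target_data is already set the existing pointer is returned and the size argument is ignored, so a second caller asking for a larger size gets a buffer sized by the first call. Either document that size must be identical for every call on a given page, or record the allocated size and assert that it matches.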
> 
> Can a PageDesc validly have p->target_data != NULL but
> p->flags with PAGE_VALID not set ?

No.  But we can be called for a page that is not mapped (returning NULL) and
can be called for a page that already has associated data (returning the old
value).

> It's not clear to me why for a !PAGE_VALID page which
> has target_data already we return that pointer but
> if it doesn't have any we don't allocate: either
> "always allocate" or "always return NULL for non-valid pages"
> would seem more self-consistent.

I was expecting a non-valid page to have no data.  I will rearrange this to

    ret = NULL;
    if (p->flags & PAGE_VALID) {
        ret = p->target_data;
        if (!ret) {
            p->target_data = ret = g_malloc0(size);
        }
    }

which is probably clearer.

>> +/* FIXME: Move page flags and target_data for each page.  */
> 
> Is this something we're going to address later in the patchset?

I had not, but I should.  Will fix.


r~



[Bug 1886318] Re: Qemu after v5.0.0 breaks macos guests

2020-07-11 Thread Simon John
Thanks Mark, what an interesting exercise that was - and sorry, didn't
know 5.1 was due.

So the git bisect revealed this:

$ git bisect good
5d971f9e672507210e77d020d89e0e89165c8fc9 is the first bad commit
commit 5d971f9e672507210e77d020d89e0e89165c8fc9
Author: Michael S. Tsirkin 
Date:   Wed Jun 10 09:47:49 2020 -0400

    memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"

    Memory API documentation documents valid .min_access_size and .max_access_size
    fields and explains that any access outside these boundaries is blocked.

    This is what devices seem to assume.

    However this is not what the implementation does: it simply
    ignores the boundaries unless there's an "accepts" callback.

    Naturally, this breaks a bunch of devices.

    Revert to the documented behaviour.

    Devices that want to allow any access can just drop the valid field,
    or add the impl field to have accesses converted to appropriate
    length.

    Cc: qemu-sta...@nongnu.org
    Reviewed-by: Richard Henderson 
    Fixes: CVE-2020-13754
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
    Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid")
    Signed-off-by: Michael S. Tsirkin 
    Message-Id: <20200610134731.1514409-1-...@redhat.com>
    Signed-off-by: Paolo Bonzini 

 memory.c | 29 +
 1 file changed, 9 insertions(+), 20 deletions(-)


** Bug watch added: Red Hat Bugzilla #1842363
   https://bugzilla.redhat.com/show_bug.cgi?id=1842363

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13754

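The revert quoted in the bisect output above makes accesses outside a device's .min_access_size/.max_access_size fail, and names two ways for a device to keep accepting other sizes. A stand-alone C model of that rule, added here as an illustration and not taken from QEMU's memory.c; struct model_device, guest_read and the other names are assumptions, and only the size bounds are modelled:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { REG_COUNT = 4 };

/* Size bounds as named in the commit message; both fields 0 means the
 * field was dropped and nothing is constrained. */
struct size_bounds {
    unsigned min_access_size;
    unsigned max_access_size;
};

/* Constructed device model for this example, not a QEMU type. */
struct model_device {
    struct size_bounds valid;   /* sizes the guest is allowed to issue */
    struct size_bounds impl;    /* sizes the handler is written for */
    uint8_t regs[REG_COUNT];    /* constructed register contents */
    unsigned unexpected_sizes;  /* handler calls it was not written for */
};

static struct model_device make_device(unsigned vmin, unsigned vmax,
                                       unsigned imin, unsigned imax)
{
    struct model_device d = {
        .valid = { vmin, vmax },
        .impl = { imin, imax },
        .regs = { 0x11, 0x22, 0x33, 0x44 },
        .unexpected_sizes = 0,
    };
    return d;
}

/* Behaviour the commit message describes as the bug: for a device without
 * an "accepts" callback the bounds are ignored. */
static bool access_valid_lenient(const struct model_device *d, unsigned size)
{
    (void)d;
    return size != 0;
}

/* Documented behaviour restored by the revert. */
static bool access_valid_strict(const struct model_device *d, unsigned size)
{
    if (size == 0) {
        return false;
    }
    if (d->valid.max_access_size == 0) {
        return true;            /* "drop the valid field": any size allowed */
    }
    return size >= d->valid.min_access_size &&
           size <= d->valid.max_access_size;
}

/* Handler written on the assumption that it only ever sees single-byte
 * accesses inside its register file. */
static uint64_t dev_read(struct model_device *d, unsigned off, unsigned size)
{
    if (size != 1 || off >= REG_COUNT) {
        d->unexpected_sizes++;  /* where an unchecked handler would misbehave */
        return 0;
    }
    return d->regs[off];
}

/* Dispatch one guest read of a power-of-two size. Wider accesses are split
 * into impl-sized pieces (little-endian); returns false if rejected. */
static bool guest_read(struct model_device *d, bool strict,
                       unsigned off, unsigned size, uint64_t *out)
{
    bool ok = strict ? access_valid_strict(d, size)
                     : access_valid_lenient(d, size);
    if (!ok || size > 8) {
        return false;
    }
    unsigned chunk = size;
    if (d->impl.max_access_size && chunk > d->impl.max_access_size) {
        chunk = d->impl.max_access_size;
    }
    uint64_t value = 0;
    for (unsigned i = 0; i < size; i += chunk) {
        value |= dev_read(d, off + i, chunk) << (8 * i);
    }
    *out = value;
    return true;
}

int main(void)
{
    uint64_t v = 0;
    struct model_device d = make_device(1, 1, 0, 0);
    bool ok = guest_read(&d, false, 0, 4, &v);
    printf("lenient, valid=1..1: accepted=%d unexpected=%u\n",
           ok, d.unexpected_sizes);

    d = make_device(1, 1, 0, 0);
    ok = guest_read(&d, true, 0, 4, &v);
    printf("strict,  valid=1..1: accepted=%d unexpected=%u\n",
           ok, d.unexpected_sizes);

    d = make_device(0, 0, 1, 1);
    ok = guest_read(&d, true, 0, 4, &v);
    printf("strict,  impl=1..1:  accepted=%d value=0x%llx unexpected=%u\n",
           ok, (unsigned long long)v, d.unexpected_sizes);
    return 0;
}
```

The second case is the regression pattern reported in this bug: a guest that issues a size the device declared invalid is now refused, where before the access reached the handler.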



Re: [PATCH v1 04/13] cputlb: ensure we save the IOTLB data in case of reset

2020-07-11 Thread Emilio G. Cota
On Fri, Jul 10, 2020 at 14:03:27 -0700, Richard Henderson wrote:
> On 7/9/20 7:13 AM, Alex Bennée wrote:
> > Any write to a device might cause a re-arrangement of memory
> > triggering a TLB flush and potential re-size of the TLB invalidating
> > previous entries. This would cause users of qemu_plugin_get_hwaddr()
> > to see the warning:
> > 
> >   invalid use of qemu_plugin_get_hwaddr
> > 
> > because of the failed tlb_lookup which should always succeed. To
> > prevent this we save the IOTLB data in case it is later needed by a
> > plugin doing a lookup.
> > 
> > Signed-off-by: Alex Bennée 
> > 
> > ---
> > v2
> >   - save the entry instead of re-running the tlb_fill.
> > v3
> >   - don't abuse TLS, use CPUState to store data
> >   - just use g_free_rcu() to avoid ugliness
> >   - verify addr matches before returning data
> >   - ws fix
> > ---
> >  include/hw/core/cpu.h   |  4 +++
> >  include/qemu/typedefs.h |  1 +
> >  accel/tcg/cputlb.c  | 57 +++--
> >  3 files changed, 60 insertions(+), 2 deletions(-)
> > 
> > diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
> > index b3f4b7931823..bedbf098dc57 100644
> > --- a/include/hw/core/cpu.h
> > +++ b/include/hw/core/cpu.h
> > @@ -417,7 +417,11 @@ struct CPUState {
> >  
> >  DECLARE_BITMAP(plugin_mask, QEMU_PLUGIN_EV_MAX);
> >  
> > +#ifdef CONFIG_PLUGIN
> >  GArray *plugin_mem_cbs;
> > +/* saved iotlb data from io_writex */
> > +SavedIOTLB *saved_iotlb;
> > +#endif
> >  
> >  /* TODO Move common fields from CPUArchState here. */
> >  int cpu_index;
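Review bot: The new #ifdef CONFIG_PLUGIN opens above the existing plugin_mem_cbs field, so that field, and not only the new saved_iotlb, disappears from CPUState when plugins are not configured. Check that every user of plugin_mem_cbs is itself under CONFIG_PLUGIN, or open the #ifdef after plugin_mem_cbs so that only saved_iotlb is conditional.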
> > diff --git a/include/qemu/typedefs.h b/include/qemu/typedefs.h
> > index 15f5047bf1dc..427027a9707a 100644
> > --- a/include/qemu/typedefs.h
> > +++ b/include/qemu/typedefs.h
> > @@ -116,6 +116,7 @@ typedef struct QObject QObject;
> >  typedef struct QString QString;
> >  typedef struct RAMBlock RAMBlock;
> >  typedef struct Range Range;
> > +typedef struct SavedIOTLB SavedIOTLB;
> >  typedef struct SHPCDevice SHPCDevice;
> >  typedef struct SSIBus SSIBus;
> >  typedef struct VirtIODevice VirtIODevice;
> > diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
> > index 1e815357c709..8636b66e036a 100644
> > --- a/accel/tcg/cputlb.c
> > +++ b/accel/tcg/cputlb.c
> > @@ -1073,6 +1073,42 @@ static uint64_t io_readx(CPUArchState *env, 
> > CPUIOTLBEntry *iotlbentry,
> >  return val;
> >  }
> >  
> > +#ifdef CONFIG_PLUGIN
> > +
> > +typedef struct SavedIOTLB {
> > +struct rcu_head rcu;
> > +hwaddr addr;
> > +MemoryRegionSection *section;
> > +hwaddr mr_offset;
> > +} SavedIOTLB;
> > +
> > +/*
> > + * Save a potentially trashed IOTLB entry for later lookup by plugin.
> > + *
> > + * We also need to track the thread storage address because the RCU
> > + * cleanup that runs when we leave the critical region (the current
> > + * execution) is actually in a different thread.
> > + */
> > +static void save_iotlb_data(CPUState *cs, hwaddr addr, MemoryRegionSection 
> > *section, hwaddr mr_offset)
> 
> Overlong line.
> 
> > +{
> > +SavedIOTLB *old, *new = g_new(SavedIOTLB, 1);
> > +new->addr = addr;
> > +new->section = section;
> > +new->mr_offset = mr_offset;
> > +old = atomic_rcu_read(>saved_iotlb);
> > +atomic_rcu_set(>saved_iotlb, new);
> > +if (old) {
> > +g_free_rcu(old, rcu);
> > +}
> > +}
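Review bot: SavedIOTLB keeps a raw MemoryRegionSection *section, and the commit message says the entry is saved precisely because a device write can re-arrange memory. The comment above save_iotlb_data() should state what keeps that section pointer valid until the plugin's lookup, or the struct should hold the data the lookup needs by value.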
> 
> I'm a bit confused by this.  Why all the multiple allocation?  How many
> consumers are you expecting, and more are you expecting multiple memory
> operations in flight at once?
> 
> If multiple memory operations in flight, then why aren't we chaining them
> together, so that you can search through multiple alternatives.
> 
> If only one memory operation in flight, why are you allocating memory at all,
> much less managing it with rcu?  Just put one structure (or a collection of
> fields) into CPUState and be done.

Oh I just saw this reply. I subscribe to all of the above, please shelve my R-b
tag until these are resolved.

An alternative is to emit the hwaddr directly in the mem_cb -- IIRC this is
how I did it originally. The API is larger/uglier (plugins can subscribe
to either hwaddr or vaddr callbacks) but there is no state to keep and
no overhead of calling several functions in a hot path.

Thanks,
E.



Re: [PATCH v1 04/13] cputlb: ensure we save the IOTLB data in case of reset

2020-07-11 Thread Emilio G. Cota
On Thu, Jul 09, 2020 at 15:13:18 +0100, Alex Bennée wrote:
> Any write to a device might cause a re-arrangement of memory
> triggering a TLB flush and potential re-size of the TLB invalidating
> previous entries. This would cause users of qemu_plugin_get_hwaddr()
> to see the warning:
> 
>   invalid use of qemu_plugin_get_hwaddr
> 
> because of the failed tlb_lookup which should always succeed. To
> prevent this we save the IOTLB data in case it is later needed by a
> plugin doing a lookup.
> 
> Signed-off-by: Alex Bennée 

Reviewed-by: Emilio G. Cota 

Some minor comments below.


> --- a/accel/tcg/cputlb.c
> +++ b/accel/tcg/cputlb.c
> @@ -1073,6 +1073,42 @@ static uint64_t io_readx(CPUArchState *env, 
> CPUIOTLBEntry *iotlbentry,
>  return val;
>  }
>  
> +#ifdef CONFIG_PLUGIN
> +
> +typedef struct SavedIOTLB {
> +struct rcu_head rcu;
> +hwaddr addr;
> +MemoryRegionSection *section;
> +hwaddr mr_offset;
> +} SavedIOTLB;
> +
> +/*
> + * Save a potentially trashed IOTLB entry for later lookup by plugin.
> + *
> + * We also need to track the thread storage address because the RCU
> + * cleanup that runs when we leave the critical region (the current
> + * execution) is actually in a different thread.

Mentioning the thread storage is now outdated -- I think this comment
(starting from 'We') can be removed.

> + */
> +static void save_iotlb_data(CPUState *cs, hwaddr addr, MemoryRegionSection 
> *section, hwaddr mr_offset)
> +{
> +SavedIOTLB *old, *new = g_new(SavedIOTLB, 1);
> +new->addr = addr;
> +new->section = section;
> +new->mr_offset = mr_offset;
> +old = atomic_rcu_read(>saved_iotlb);
> +atomic_rcu_set(>saved_iotlb, new);
> +if (old) {
> +g_free_rcu(old, rcu);
> +}

Using atomic_rcu_read here is not necessary (only this thread ever writes
to this field) and might confuse a reader when trying to find the
atomic_rcu_read that matches the atomic_rcu_set (that read is in
tlb_plugin_lookup).

Consider doing
old = cs->saved_iotlb;
instead.

Thanks,
Emilio



Re: [PATCH v1 02/13] docs/devel: add some notes on tcg-icount for developers

2020-07-11 Thread Emilio G. Cota
On Thu, Jul 09, 2020 at 15:13:16 +0100, Alex Bennée wrote:
> This attempts to bring together my understanding of the requirements
> for icount behaviour into one reference document for our developer
> notes.
> 
> Signed-off-by: Alex Bennée 
> Reviewed-by: Richard Henderson 

Reviewed-by: Emilio G. Cota 

Thanks,
Emilio



Re: [PATCH v1 01/13] docs/devel: convert and update MTTCG design document

2020-07-11 Thread Emilio G. Cota
On Thu, Jul 09, 2020 at 15:13:15 +0100, Alex Bennée wrote:
> @@ -92,6 +107,7 @@ including:
>  
>- debugging operations (breakpoint insertion/removal)
>- some CPU helper functions
> +  - linux-user spawning it's first thread

s/it's/its/

Reviewed-by: Emilio G. Cota 

Thanks,
E.



Re: [PATCH v2 06/17] linux-user: Do not use guest_addr_valid for h2g_valid

2020-07-11 Thread Richard Henderson
On 7/11/20 12:30 PM, Richard Henderson wrote:
>> The old implementation returns true for
>> HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS
>> (because there's a different definition of guest_addr_valid() there)
>> but this one does a range check even in that case.
> 
> It's part and parcel with patch 1, wherein we are in fact attempting to limit
> the guest address space to GUEST_ADDR_MAX.
> 
> That's why I put patch 1 first, so the behaviour change happens there.

Ho hum.  I've just realized the messages are sorted oddly in the mbox here, and
that the behaviour change is actually coming later in patch 7.

So, to summarize, I am intending a change here, it's just a matter of sorting
things so that one thing happens at a time.


r~



Re: [PATCH v2 06/17] linux-user: Do not use guest_addr_valid for h2g_valid

2020-07-11 Thread Richard Henderson
On 6/25/20 9:34 AM, Peter Maydell wrote:
> On Fri, 5 Jun 2020 at 05:17, Richard Henderson
>  wrote:
>>
>> This is the only use of guest_addr_valid that does not begin
>> with a guest address, but a host address being transformed to
>> a guest address.
>>
>> We will shortly adjust guest_addr_valid to handle guest memory
>> tags, and the host address should not be subjected to that.
>>
>> Move h2g_valid adjacent to the other h2g macros.
>>
>> Signed-off-by: Richard Henderson 
>> ---
>>  include/exec/cpu_ldst.h | 5 +++--
>>  1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
>> index c14a48f65e..3930362e20 100644
>> --- a/include/exec/cpu_ldst.h
>> +++ b/include/exec/cpu_ldst.h
>> @@ -77,15 +77,16 @@ typedef uint64_t abi_ptr;
>>  #else
>>  #define guest_addr_valid(x) ((x) <= GUEST_ADDR_MAX)
>>  #endif
>> -#define h2g_valid(x) guest_addr_valid((unsigned long)(x) - guest_base)
>>
>>  static inline int guest_range_valid(unsigned long start, unsigned long len)
>>  {
>>  return len - 1 <= GUEST_ADDR_MAX && start <= GUEST_ADDR_MAX - len + 1;
>>  }
>>
>> +#define h2g_valid(x)  ((uintptr_t)(x) - guest_base <= GUEST_ADDR_MAX)
> 
> The old implementation returns true for
> HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS
> (because there's a different definition of guest_addr_valid() there)
> but this one does a range check even in that case.

It's part and parcel with patch 1, wherein we are in fact attempting to limit
the guest address space to GUEST_ADDR_MAX.

That's why I put patch 1 first, so the behaviour change happens there.

>>  #define h2g_nocheck(x) ({ \
>> -unsigned long __ret = (unsigned long)(x) - guest_base; \
>> +uintptr_t __ret = (uintptr_t)(x) - guest_base; \
>>  (abi_ptr)__ret; \
>>  })
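Review bot: In the new h2g_valid(), (uintptr_t)(x) - guest_base wraps when the host address is below guest_base, and the macro relies on the wrapped value comparing greater than GUEST_ADDR_MAX to reject it. If GUEST_ADDR_MAX can equal the largest uintptr_t value, every host address passes. A comment stating the assumption, or an explicit (uintptr_t)(x) >= guest_base term, would make the check safe to read and to maintain.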
> 
> Why the type change? This seems unrelated.

Dropped.  Though at some point we should purge unsigned long, as there is
always a clearer type to use.


r~



Re: [PATCH v2 07/17] linux-user: Fix guest_addr_valid vs reserved_va

2020-07-11 Thread Richard Henderson
On 6/25/20 9:37 AM, Peter Maydell wrote:
> On Fri, 5 Jun 2020 at 05:17, Richard Henderson
>  wrote:
>>
>> We must always use GUEST_ADDR_MAX, because even 32-bit hosts can
>> use -R  to restrict the memory address of the guest.
>>
>> Signed-off-by: Richard Henderson 
>> ---
>>  include/exec/cpu_ldst.h | 9 -
>>  1 file changed, 4 insertions(+), 5 deletions(-)
> 
> Doesn't this run into trouble with the arm32 commpage?
> The reserved_va is set there to 0x (stopping
> at the commpage), but the addresses within the commpage
> themselves are still valid guest addresses.

Not really.  The commpage is Special, and gets allocated differently.  Normal
binaries work, e.g. our standard busybox ls.

I would imagine the corner case that doesn't work is that you couldn't issue a
syscall to the commpage, e.g.

write(1, 0xf000, 1);

because the commpage is now outside the normal address space.

But given that it only matters with an explicit -R command-line option, this
falls into the Well Don't Do That Then category. This is a generic option, and
works as expected with other 32-bit guests.


r~



[Bug 1777315] Re: Denial of service

2020-07-11 Thread Alexander Bulekov
Here's a qtest reproducer:

./i386-softmmu/qemu-system-i386 -M pc,accel=qtest \
-qtest null -nographic -vga qxl -qtest stdio \
-drive if=none,id=drive0,file=null-co://,file.read-zeroes=on,format=raw \
-drive if=none,id=drive1,file=null-co://,file.read-zeroes=on,format=raw \
-device ide-cd,drive=drive0 -device ide-hd,drive=drive1 -nodefaults \
< attachment

With -trace ide*:

[R +0.020410] outw 0x171 0x
28186@1594494474.407743:ide_ioport_write IDE PIO wr @ 0x171 (Features); val 0xff; bus 0x55e383419100 IDEState 0x55e383419188
28186@1594494474.407747:ide_ioport_write IDE PIO wr @ 0x172 (Sector Count); val 0xff; bus 0x55e383419100 IDEState 0x55e383419188
OK
[S +0.020428] OK
[R +0.020433] outw 0x176 0x35fb
28186@1594494474.407756:ide_ioport_write IDE PIO wr @ 0x176 (Device/Head); val 0xfb; bus 0x55e383419100 IDEState 0x55e383419188
28186@1594494474.407757:ide_ioport_write IDE PIO wr @ 0x177 (Command); val 0x35; bus 0x55e383419100 IDEState 0x55e383419558
28186@1594494474.407759:ide_exec_cmd IDE exec cmd: bus 0x55e383419100; state 0x55e383419558; cmd 0x35

28186@1594494474.411019:ide_dma_cb IDEState 0x55e383419558; sector_num=1 n=511 cmd=DMA WRITE
OK
[S +0.023732] OK
[R +0.023736] outb 0x376 0x8f
28186@1594494474.411060:ide_cmd_write IDE PIO wr @ 0x376 (Device Control); val 0x8f; bus 0x55e383419100
OK
[S +0.023741] OK
[R +0.023742] outw 0x376 0x2779
28186@1594494474.411064:ide_cmd_write IDE PIO wr @ 0x376 (Device Control); val 0x79; bus 0x55e383419100
OK
[S +0.023745] OK
qemu-system-i386: /home/alxndr/Development/qemu/hw/ide/core.c:880: void ide_dma_cb(void *, int): Assertion `n * 512 == s->sg.size' failed.


** Attachment added: "attachment"
   https://bugs.launchpad.net/qemu/+bug/1777315/+attachment/5391760/+files/attachment

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1777315

Title:
  Denial of service

Status in QEMU:
  In Progress

Bug description:
  Hi,
  QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version qemu-2.12.0

  run the program in qemu-2.12.0:
  #define _GNU_SOURCE 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
  {
  if (a0 == 0xc || a0 == 0xb) {
  char buf[128];
  sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", 
(uint8_t)a1, (uint8_t)a2);
  return open(buf, O_RDWR, 0);
  } else {
  char buf[1024];
  char* hash;
  strncpy(buf, (char*)a0, sizeof(buf) - 1);
  buf[sizeof(buf) - 1] = 0;
  while ((hash = strchr(buf, '#'))) {
  *hash = '0' + (char)(a1 % 10);
  a1 /= 10;
  }
  return open(buf, a2, 0);
  }
  }

  uint64_t r[2] = {0x, 0x};
  void loop()
  {
  long res = 0;
  memcpy((void*)0x2000, "/dev/sg#", 9);
  res = syz_open_dev(0x2000, 0, 2);
  if (res != -1)
  r[0] = res;
  res = syscall(__NR_dup2, r[0], r[0]);
  if (res != -1)
  r[1] = res;
  *(uint8_t*)0x2ec0 = 0;
  *(uint8_t*)0x2ec1 = 0;
  *(uint8_t*)0x2ec2 = 0;
  *(uint8_t*)0x2ec3 = 0;
  *(uint32_t*)0x2ec8 = 0;
  *(uint8_t*)0x2ed8 = 0;
  *(uint8_t*)0x2ed9 = 0;
  *(uint8_t*)0x2eda = 0;
  *(uint8_t*)0x2edb = 0;
  memcpy((void*)0x2ee0, "\x9c\x4d\xe7\xd5\x0a\x62\x43\xa7\x77\x53\x67\xb3", 
12);
  syscall(__NR_write, r[1], 0x2ec0, 0x323);
  }

  int main()
  {
  syscall(__NR_mmap, 0x2000, 0x100, 3, 0x32, -1, 0);
  loop();
  return 0;
  }
  this will crash qemu, output information:
   qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed.

  
  Thanks 
  owl337

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1777315/+subscriptions



Re: [PATCH v8 05/10] qcow2_format.py: Dump bitmap directory information

2020-07-11 Thread Vladimir Sementsov-Ogievskiy

03.07.2020 16:13, Andrey Shinkevich wrote:

Read and dump entries from the bitmap directory of QCOW2 image.
It extends the output in the test case #291.

Header extension:
magic 0x23852875 (Bitmaps)
...

Bitmap name   bitmap-1
bitmap_table_offset   0xf
bitmap_table_size 1
flags 0x2 (['auto'])
type  1
granularity_bits  16
name_size 8
extra_data_size   0

Suggested-by: Kevin Wolf 
Signed-off-by: Andrey Shinkevich 
---
  tests/qemu-iotests/291.out | 45 ++
  tests/qemu-iotests/qcow2_format.py | 44 +
  2 files changed, 89 insertions(+)

diff --git a/tests/qemu-iotests/291.out b/tests/qemu-iotests/291.out
index 08bfaaa..53a8eeb 100644
--- a/tests/qemu-iotests/291.out
+++ b/tests/qemu-iotests/291.out
@@ -33,6 +33,24 @@ reserved320
  bitmap_directory_size 0x40
  bitmap_directory_offset   0x51
  
+Bitmap name   b1

+bitmap_table_offset   0x4e
+bitmap_table_size 1
+flags 0x0 ([])
+type  1
+granularity_bits  19
+name_size 2
+extra_data_size   0
+
+Bitmap name   b2
+bitmap_table_offset   0x50
+bitmap_table_size 1
+flags 0x2 (['auto'])
+type  1
+granularity_bits  16
+name_size 2
+extra_data_size   0
+
  
  === Bitmap preservation not possible to non-qcow2 ===
  
@@ -98,6 +116,33 @@ reserved320

  bitmap_directory_size 0x60
  bitmap_directory_offset   0x52
  
+Bitmap name   b1

+bitmap_table_offset   0x47
+bitmap_table_size 1
+flags 0x0 ([])
+type  1
+granularity_bits  19
+name_size 2
+extra_data_size   0
+
+Bitmap name   b2
+bitmap_table_offset   0x49
+bitmap_table_size 1
+flags 0x2 (['auto'])
+type  1
+granularity_bits  16
+name_size 2
+extra_data_size   0
+
+Bitmap name   b0
+bitmap_table_offset   0x51
+bitmap_table_size 1
+flags 0x0 ([])
+type  1
+granularity_bits  16
+name_size 2
+extra_data_size   0
+
  
  === Check bitmap contents ===
  
diff --git a/tests/qemu-iotests/qcow2_format.py b/tests/qemu-iotests/qcow2_format.py

index d8c058d..7c0dc9a 100644
--- a/tests/qemu-iotests/qcow2_format.py
+++ b/tests/qemu-iotests/qcow2_format.py
@@ -132,6 +132,50 @@ class Qcow2BitmapExt(Qcow2Struct):
  
  def __init__(self, fd):

  super().__init__(fd=fd)
+self.read_bitmap_directory(fd)
+
+def read_bitmap_directory(self, fd):
+fd.seek(self.bitmap_directory_offset)
+self.bitmap_directory = \
+[Qcow2BitmapDirEntry(fd) for _ in range(self.nb_bitmaps)]


Sounds good. I think we should restore the fd position after reading
bitmap_directory, to point at the end of the extension, so as not to break
loading of further extensions.


+
+def dump(self):
+super().dump()
+for entry in self.bitmap_directory:
+print()
+entry.dump()
+
+
+class Qcow2BitmapDirEntry(Qcow2Struct):
+
+fields = (
+('u64', '{:#x}', 'bitmap_table_offset'),
+('u32', '{}', 'bitmap_table_size'),
+('u32', BitmapFlags, 'flags'),
+('u8',  '{}', 'type'),
+('u8',  '{}', 'granularity_bits'),
+('u16', '{}', 'name_size'),
+('u32', '{}', 'extra_data_size')
+)
+
+def __init__(self, fd):
+super().__init__(fd=fd)
+# Seek relative to the current position in the file
+fd.seek(self.extra_data_size, 1)
+bitmap_name = fd.read(self.name_size)
+self.name = bitmap_name.decode('ascii')
+# Move position to the end of the entry in the directory
+entry_raw_size = self.bitmap_dir_entry_raw_size()
+padding = ((entry_raw_size + 7) & ~7) - entry_raw_size
+fd.seek(padding, 1)
+
+def bitmap_dir_entry_raw_size(self):
+return struct.calcsize(self.fmt) + self.name_size + \
+self.extra_data_size
+
+def dump(self):
+print(f'{"Bitmap name":<25} {self.name}')
+super(Qcow2BitmapDirEntry, self).dump()
  
  
  QCOW2_EXT_MAGIC_BITMAPS = 0x23852875
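Review bot: Qcow2BitmapDirEntry.__init__ trusts the image: fd.read(self.name_size) can return fewer bytes than requested on a truncated file, and bitmap_name.decode('ascii') raises on any non-ASCII byte, so a damaged or unusual image aborts the dump with a traceback. Check the length read and decode with an error handler, or catch the exception and print the raw bytes. read_bitmap_directory() likewise seeks to bitmap_directory_offset and loops nb_bitmaps times without bounding either value against the file size.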





--
Best regards,
Vladimir



Re: [PATCH v3 0/9] Build fixes for Haiku

2020-07-11 Thread David CARLIER
Alright thanks for the assistance. Regards.

On Sat, 11 Jul 2020 at 19:44, Peter Maydell 
wrote:

> On Fri, 3 Jul 2020 at 15:56, Peter Maydell 
> wrote:
> >
> > This patchset is essentially a resend of David Carlier's build fixes
> > for the Haiku platform. I've taken David's patches and put them together
> > into a set of emails threaded in the way our CI tools expect, as the
> > easiest way to get the patchew robot to run the build tests so we can
> > check they didn't accidentally break one of the BSDs. I've also put
> > in the patch from Gerd that fixes the drm.c issue. I've also expanded
> > on the commit messages for all the patches so that we have a record
> > of why we made the changes if we need to look back at it in future.
> >
> > Assuming no issues turn up, I'll arrange to get these into master
> > at some point before the 5.1 release.
>
> I've made the minor renames from CONFIG_ to HAVE_ where suggested
> and will put these into the tree via a target-arm pullreq I'm
> planning for Monday.
>
> thanks
> -- PMM
>


Re: [PATCH v2 1/4] target/nios2: add DISAS_NORETURN case for nothing more to generate

2020-07-11 Thread Peter Maydell
On Fri, 10 Jul 2020 at 16:46, Wentong Wu  wrote:
>
> Add DISAS_NORETURN case for nothing more to generate because at runtime
> execution will never return from some helper call. And at the same time
> replace DISAS_UPDATE in t_gen_helper_raise_exception and gen_exception
> with the newly added DISAS_NORETURN.
>
> Signed-off-by: Wentong Wu 

Hi; I'm going to pick these up and get them into master.

A couple of notes below for if you plan to submit more
patches to QEMU in future: these are really just minor
workflow things, but they do help make our lives easier
in getting code submissions into the tree.

If people provide you with a Reviewed-by: tag for a patch,
and you don't change it when you send out an updated
version, it's helpful if you include that tag in the commit
message of the revised version you send out. This saves
people having to remember whether they'd reviewed something
or not, and means that when applying I don't have to go
back and look at old versions to see who reviewed what.

Patch series are much easier for our tooling to deal
with if you send them out with a cover letter email
(a 0/n email which all the other emails are followups to;
git format-patch has a '--cover-letter' option which will
do the right thing here).

We document this kind of workflow stuff here:
https://wiki.qemu.org/Contribute/SubmitAPatch

thanks
-- PMM



Re: [PATCH v3 0/9] Build fixes for Haiku

2020-07-11 Thread Peter Maydell
On Fri, 3 Jul 2020 at 15:56, Peter Maydell  wrote:
>
> This patchset is essentially a resend of David Carlier's build fixes
> for the Haiku platform. I've taken David's patches and put them together
> into a set of emails threaded in the way our CI tools expect, as the
> easiest way to get the patchew robot to run the build tests so we can
> check they didn't accidentally break one of the BSDs. I've also put
> in the patch from Gerd that fixes the drm.c issue. I've also expanded
> on the commit messages for all the patches so that we have a record
> of why we made the changes if we need to look back at it in future.
>
> Assuming no issues turn up, I'll arrange to get these into master
> at some point before the 5.1 release.

I've made the minor renames from CONFIG_ to HAVE_ where suggested
and will put these into the tree via a target-arm pullreq I'm
planning for Monday.

thanks
-- PMM



[Bug 1681439] Re: qemu-system-x86_64: hw/ide/core.c:685: ide_cancel_dma_sync: Assertion `s->bus->dma->aiocb == NULL' failed.

2020-07-11 Thread Alexander Bulekov
Here's a qtest reproducer

cat << EOF | ./i386-softmmu/qemu-system-i386 \
-M pc,accel=qtest -qtest null -nographic -vga qxl -qtest stdio -nodefaults \
-drive if=none,id=drive0,file=null-co://,file.read-zeroes=on,format=raw \
-drive if=none,id=drive1,file=null-co://,file.read-zeroes=on,format=raw  \
-device ide-cd,drive=drive0 -device ide-hd,drive=drive1 
writel 0x0 0x
outw 0x171 0x32a
outw 0x176 0x3570
outl 0xcf8 0x8903
outl 0xcfc 0x4e002700
outl 0xcf8 0x8920
outb 0xcfc 0x5e
outb 0x58 0xe1
outw 0x57 0x0
EOF

With -trace ide\*:
[I 1594492439.431181] OPENED
8666@1594492439.441003:ide_reset IDEstate 0x557f44953598
8666@1594492439.441084:ide_reset IDEstate 0x557f44953968
8666@1594492439.441407:ide_reset IDEstate 0x557f44953e88
8666@1594492439.441484:ide_reset IDEstate 0x557f44954258
8666@1594492439.442483:ide_reset IDEstate 0x557f44953e88
8666@1594492439.442548:ide_reset IDEstate 0x557f44954258
8666@1594492439.444817:ide_reset IDEstate 0x557f44953598
8666@1594492439.444822:ide_reset IDEstate 0x557f44953968
8666@1594492439.444824:ide_reset IDEstate 0x557f44953e88
8666@1594492439.444825:ide_reset IDEstate 0x557f44954258
[R +0.015229] writel 0x0 0x
OK
[S +0.015321] OK
[R +0.015328] outw 0x171 0x32a
8666@1594492439.446534:ide_ioport_write IDE PIO wr @ 0x171 (Features); val 0x2a; bus 0x557f44953e00 IDEState 0x557f44953e88
8666@1594492439.446537:ide_ioport_write IDE PIO wr @ 0x172 (Sector Count); val 0x03; bus 0x557f44953e00 IDEState 0x557f44953e88
OK
[S +0.015360] OK
[R +0.015377] outw 0x176 0x3570
8666@1594492439.446561:ide_ioport_write IDE PIO wr @ 0x176 (Device/Head); val 0x70; bus 0x557f44953e00 IDEState 0x557f44953e88
8666@1594492439.446564:ide_ioport_write IDE PIO wr @ 0x177 (Command); val 0x35; bus 0x557f44953e00 IDEState 0x557f44954258
8666@1594492439.446581:ide_exec_cmd IDE exec cmd: bus 0x557f44953e00; state 0x557f44954258; cmd 0x35
OK
[S +0.015404] OK
[R +0.015410] outl 0xcf8 0x8903
OK
[S +0.015413] OK
[R +0.015429] outl 0xcfc 0x4e002700
OK
[S +0.01] OK
[R +0.015559] outl 0xcf8 0x8920
OK
[S +0.015561] OK
[R +0.015563] outb 0xcfc 0x5e
OK
[S +0.015663] OK
[R +0.015667] outb 0x58 0xe1
8666@1594492439.446896:ide_dma_cb IDEState 0x557f44954258; sector_num=1 n=259 cmd=DMA WRITE
OK
[S +0.015801] OK
[R +0.015806] outw 0x57 0x0
8666@1594492439.447006:ide_cancel_dma_sync_remaining draining all remaining requests
qemu-system-i386: /home/alxndr/Development/qemu/hw/ide/core.c:724: void ide_cancel_dma_sync(IDEState *): Assertion `s->bus->dma->aiocb == NULL' failed.
Aborted

-- 
https://bugs.launchpad.net/bugs/1681439

Title:
  qemu-system-x86_64: hw/ide/core.c:685: ide_cancel_dma_sync: Assertion
  `s->bus->dma->aiocb == NULL' failed.

Status in QEMU:
  New

Bug description:
  Since upgrading to QEMU 2.8.0, my Windows 7 64-bit virtual machines
  started crashing due to the assertion quoted in the summary failing.
  The assertion in question was added by commit 9972354856 ("block: add
  BDS field to count in-flight requests").  My tests show that setting
  discard=unmap is needed to reproduce the issue.  Speaking of
  reproduction, it is a bit flaky, because I have been unable to come up
  with specific instructions that would allow the issue to be triggered
  outside of my environment, but I do have a semi-sane way of testing that
  appears to depend on a specific initial state of data on the underlying
  storage volume, actions taken within the VM and waiting for about 20
  minutes.

  Here is the shortest QEMU command line that I managed to reproduce the
  bug with:

  qemu-system-x86_64 \
  -machine pc-i440fx-2.7,accel=kvm \
  -m 3072 \
  -drive file=/dev/lvm/qemu,format=raw,if=ide,discard=unmap \
-netdev tap,id=hostnet0,ifname=tap0,script=no,downscript=no,vhost=on \
  -device virtio-net-pci,netdev=hostnet0 \
-vnc :0

  The underlying storage (/dev/lvm/qemu) is a thin LVM snapshot.

  QEMU was compiled using:

  ./configure --python=/usr/bin/python2.7 --target-list=x86_64-softmmu
  make -j3

  My virtualization environment is not really a critical one and
  reproduction is not that much of a hassle, so if you need me to gather
  further diagnostic information or test patches, I will be happy to help.




Re: [PATCH 0/2] hw/arm/palm.c: Fix Coverity issue CID 1421944

2020-07-11 Thread Peter Maydell
On Sun, 28 Jun 2020 at 22:42, Peter Maydell  wrote:
>
> As for spitz and tosa, fix the Coverity issue CID 1421944 which
> points out that memory returned from qemu_allocate_irqs() is leaked
> by encapsulating the GPIO handling into a simple device.
> As with the other series, detabify the file first.
>
> thanks
> -- PMM
>
> Peter Maydell (2):
>   hw/arm/palm.c: Detabify
>   hw/arm/palm.c: Encapsulate misc GPIO handling in a device
>
>  hw/arm/palm.c | 111 ++
>  1 file changed, 77 insertions(+), 34 deletions(-)
>

ping for code review, anybody?

thanks
-- PMM



Re: [PULL v3 00/47] Misc patches for QEMU 5.1 soft freeze

2020-07-11 Thread Peter Maydell
On Sat, 11 Jul 2020 at 00:50, Paolo Bonzini  wrote:
>
> The following changes since commit 45db94cc90c286a9965a285ba19450f448760a09:
>
>   Merge remote-tracking branch 'remotes/mcayland/tags/qemu-openbios-20200707' 
> into staging (2020-07-10 16:43:40 +0100)
>
> are available in the Git repository at:
>
>   git://github.com/bonzini/qemu.git tags/for-upstream
>
> for you to fetch changes up to 56908dc5041aa424fd1495b6c6beb78c539d93e1:
>
>   linux-headers: update again to 5.8 (2020-07-10 19:26:55 -0400)
>
> 
> * Make checkpatch say 'qemu' instead of 'kernel' (Aleksandar)
> * Fix PSE guests with emulated NPT (Alexander B. #1)
> * Fix leak (Alexander B. #2)
> * HVF fixes (Roman, Cameron)
> * New Sapphire Rapids CPUID bits (Cathy)
> * cpus.c and softmmu/ cleanups (Claudio)
> * TAP driver tweaks (Daniel, Havard)
> * object-add bugfix and testcases (Eric A.)
> * Fix Coverity MIN_CONST and MAX_CONST (Eric B.)
> * "info lapic" improvement (Jan)
> * SSE fixes (Joseph)
> * "-msg guest-name" option (Mario)
> * support for AMD nested live migration (myself)
> * Small i386 TCG fixes (myself)
> * improved error reporting for Xen (myself)
> * fix "-cpu host -overcommit cpu-pm=on" (myself)
> * Add accel/Kconfig (Philippe)
> * iscsi sense handling fixes (Yongji)
> * Misc bugfixes
>


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/5.1
for any user-visible changes.

-- PMM



Re: [PATCH] cpu: Add starts_halted() method

2020-07-11 Thread Alex Bennée


Thiago Jung Bauermann  writes:

> Alex Bennée  writes:
>
>> Thiago Jung Bauermann  writes:
>>
>>> Eduardo Habkost  writes:
>>>
>>>> On Wed, Jul 08, 2020 at 09:11:55PM +0100, Peter Maydell wrote:
>>>>> On Wed, 8 Jul 2020 at 18:36, Eduardo Habkost wrote:
>>>>> >
>>>>> > On Wed, Jul 08, 2020 at 06:09:49PM +0100, Peter Maydell wrote:
>>>>> > > Exactly. It appears that there's a bug in our mechanisms,
>>>>> > > which is why I'm suggesting that the right thing is
>>>>> > > to fix that bug rather than marking the CPU as halted
>>>>> > > earlier in the reset process so that the KVM_RUN happens
>>>>> > > to do nothing...
>>>>> >
>>>>> > I agree this is necessary, but it doesn't seem sufficient.
>>>>> >
>>>>> > Having cpu_reset() set halted=0 on spapr (and probably other
>>>>> > machines) is also a bug, as it could still trigger unwanted
>>>>> > KVM_RUN when cpu_reset() returns (and before machine code sets
>>>>> > halted=1).
>>>>>
>>>>> The Arm handling of starting-halted sets halted=1 within cpu_reset,
>>>>> based on whether the CPU object was created with a
>>>>> "start-powered-off" property.
>>>>
>>>> Making this mechanism generic sounds like a good idea.
>>>
>>> I'll take a stab at doing that and using it for the spapr machine.
>>>
>>>>> I'm not sure in practice that anything can get in asynchronously
>>>>> and cause a KVM_RUN in between spapr_reset_vcpu() calling
>>>>> cpu_reset() and it setting cs->halted (and the other stuff),
>>>>> though. This function ought to be called with the iothread
>>>>> lock held, so KVM_RUN will only happen if it calls some
>>>>> other function which incorrectly lets the CPU run.
>>>>
>>>> Yeah, maybe it won't happen in practice.  It just seems fragile.
>>>> The same way ppc_cpu_reset() kicked the CPU by accident, code
>>>> outside cpu_reset() might one day kick the CPU by accident before
>>>> setting halted=1.
>>>
>>> I'm seeing the vcpu being KVM_RUN'd too early twice during hotplug.
>>> Both of them are before cpu_reset() and ppc_cpu_reset().
>>>
>>> Here's the backtrace for the first of them (redacted for clarity):
>>>
>>> #0  in cpu_resume ()
>>> #1  in cpu_common_realizefn ()
>>> #2  in ppc_cpu_realize ()
>>> #3  in device_set_realized ()
>>> #4  in property_set_bool ()
>>> #5  in object_property_set ()
>>> #6  in object_property_set_qobject ()
>>> #7  in object_property_set_bool ()
>>> #8  in qdev_realize ()
>> 
>>> #18 in qmp_device_add ()
>>
>> Is this a hotplug event?
>
> Yes, the way I reproduce the problem is starting a pseries guest with
> `-smp 2,maxcpus=32,sockets=1,cores=16,threads=2` and then use qmp-shell to
> send the command:
>
> device_add id=device-2 driver=host-spapr-cpu-core core-id=2 node-id=0
>
>>> Here's the second:
>>>
>>> #0  in qemu_cpu_kick_thread ()
>>> #1  in qemu_cpu_kick ()
>>> #2  in queue_work_on_cpu ()
>>> #3  in async_run_on_cpu ()
>>> #4  in tlb_flush_by_mmuidx ()
>>> #5  in tlb_flush ()
>>> #6  in ppc_tlb_invalidate_all ()
>>
>> FWIW tcg_flush_softmmu_tlb handles a tlb_flush in the common reset code.
>
> Ok, maybe KVM should be doing that too? Or maybe it does but pseries
> isn't relying on it. I'll dig further.

No, tlb flush is a softmmu only thing.


-- 
Alex Bennée



Re: [PULL 10/41] python/qemu: Add ConsoleSocket for optional use in QEMUMachine

2020-07-11 Thread Alex Bennée


Robert Foley  writes:

> Hi,
> Thanks for the detailed feedback!  I will look at making these
> changes.

In the interest of getting the CI green I've submitted v2 as is but I'll
roll up Robert's cleanups in my rc0 series (which is hopefully a lot
smaller!).

-- 
Alex Bennée



Re: [PATCH v4 4/7] hw/riscv: Use pre-built bios image of generic platform for virt & sifive_u

2020-07-11 Thread Alistair Francis
On Thu, Jul 9, 2020 at 10:07 PM Bin Meng  wrote:
>
> From: Bin Meng 
>
> Update virt and sifive_u machines to use the opensbi fw_dynamic bios
> image built for the generic FDT platform.
>
> Remove the out-of-date no longer used bios images.
>
> Signed-off-by: Bin Meng 
> Reviewed-by: Anup Patel 
> Reviewed-by: Alistair Francis 

This patch seems to break 32-bit Linux boots on the sifive_u and virt machines.

Alistair

>
> ---
>
> Changes in v4:
> - Remove old binaries in the Makefile for `make install` bisection
>
> Changes in v3:
> - Change to fw_dynamic.bin for virt & sifive_u
>
>  Makefile   |   4 +---
>  hw/riscv/sifive_u.c|   4 ++--
>  hw/riscv/virt.c|   4 ++--
>  pc-bios/opensbi-riscv32-generic-fw_dynamic.bin | Bin 0 -> 62144 bytes
>  pc-bios/opensbi-riscv32-sifive_u-fw_jump.bin   | Bin 49520 -> 0 bytes
>  pc-bios/opensbi-riscv32-virt-fw_jump.bin   | Bin 49504 -> 0 bytes
>  pc-bios/opensbi-riscv64-generic-fw_dynamic.bin | Bin 0 -> 70792 bytes
>  pc-bios/opensbi-riscv64-sifive_u-fw_jump.bin   | Bin 57936 -> 0 bytes
>  pc-bios/opensbi-riscv64-virt-fw_jump.bin   | Bin 57920 -> 0 bytes
>  9 files changed, 5 insertions(+), 7 deletions(-)
>  create mode 100644 pc-bios/opensbi-riscv32-generic-fw_dynamic.bin
>  delete mode 100644 pc-bios/opensbi-riscv32-sifive_u-fw_jump.bin
>  delete mode 100644 pc-bios/opensbi-riscv32-virt-fw_jump.bin
>  create mode 100644 pc-bios/opensbi-riscv64-generic-fw_dynamic.bin
>  delete mode 100644 pc-bios/opensbi-riscv64-sifive_u-fw_jump.bin
>  delete mode 100644 pc-bios/opensbi-riscv64-virt-fw_jump.bin
>
> diff --git a/Makefile b/Makefile
> index b1b8a5a..f06b3ae 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -840,9 +840,7 @@ palcode-clipper \
>  u-boot.e500 u-boot-sam460-20100605.bin \
>  qemu_vga.ndrv \
>  edk2-licenses.txt \
> -hppa-firmware.img \
> -opensbi-riscv32-sifive_u-fw_jump.bin opensbi-riscv32-virt-fw_jump.bin \
> -opensbi-riscv64-sifive_u-fw_jump.bin opensbi-riscv64-virt-fw_jump.bin
> +hppa-firmware.img
>
>
>  DESCS=50-edk2-i386-secure.json 50-edk2-x86_64-secure.json \
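
Review bot: The Makefile hunk drops the four opensbi-*-fw_jump.bin entries from the blob list without adding the opensbi-riscv32-generic-fw_dynamic.bin and opensbi-riscv64-generic-fw_dynamic.bin files that this same patch creates, so at this commit `make install` ships no RISC-V firmware while hw/riscv/sifive_u.c and hw/riscv/virt.c already point BIOS_FILENAME at the new names. Add the two generic fw_dynamic images to the list here, so that every commit in the series installs the file the machines ask for.
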
> diff --git a/hw/riscv/sifive_u.c b/hw/riscv/sifive_u.c
> index b434fd3..dc46f64 100644
> --- a/hw/riscv/sifive_u.c
> +++ b/hw/riscv/sifive_u.c
> @@ -60,9 +60,9 @@
>  #include 
>
>  #if defined(TARGET_RISCV32)
> -# define BIOS_FILENAME "opensbi-riscv32-sifive_u-fw_jump.bin"
> +# define BIOS_FILENAME "opensbi-riscv32-generic-fw_dynamic.bin"
>  #else
> -# define BIOS_FILENAME "opensbi-riscv64-sifive_u-fw_jump.bin"
> +# define BIOS_FILENAME "opensbi-riscv64-generic-fw_dynamic.bin"
>  #endif
>
>  static const struct MemmapEntry {
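
Review bot: The TARGET_RISCV32 branch of BIOS_FILENAME is switched to "opensbi-riscv32-generic-fw_dynamic.bin" in the same step as the 64-bit branch, and nothing else in sifive_u.c changes, so the code that loads the image is assumed to work unchanged for a different firmware type (fw_jump to fw_dynamic) and platform build (sifive_u to generic). Name in the commit message the earlier patch in the series that prepares the loader for fw_dynamic, and boot-test a 32-bit guest on sifive_u before this goes in, given the 32-bit regression reported against this patch in this thread.
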
> diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
> index 85e17fe..5ca49c5 100644
> --- a/hw/riscv/virt.c
> +++ b/hw/riscv/virt.c
> @@ -43,9 +43,9 @@
>  #include "hw/pci-host/gpex.h"
>
>  #if defined(TARGET_RISCV32)
> -# define BIOS_FILENAME "opensbi-riscv32-virt-fw_jump.bin"
> +# define BIOS_FILENAME "opensbi-riscv32-generic-fw_dynamic.bin"
>  #else
> -# define BIOS_FILENAME "opensbi-riscv64-virt-fw_jump.bin"
> +# define BIOS_FILENAME "opensbi-riscv64-generic-fw_dynamic.bin"
>  #endif
>
>  static const struct MemmapEntry {
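
Review bot: After this hunk hw/riscv/virt.c and hw/riscv/sifive_u.c carry identical #if defined(TARGET_RISCV32) blocks that define the same two BIOS_FILENAME strings. Since the image is now generic rather than per machine, define the name once in a shared RISC-V header so that a later firmware rename cannot leave the two machines out of step.
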
> diff --git a/pc-bios/opensbi-riscv32-generic-fw_dynamic.bin 
> b/pc-bios/opensbi-riscv32-generic-fw_dynamic.bin
> new file mode 100644
> index 000..23b4dfb
> Binary files /dev/null and b/pc-bios/opensbi-riscv32-generic-fw_dynamic.bin 
> differ
> diff --git a/pc-bios/opensbi-riscv32-sifive_u-fw_jump.bin 
> b/pc-bios/opensbi-riscv32-sifive_u-fw_jump.bin
> deleted file mode 100644
> index 3e0da54..000
> Binary files a/pc-bios/opensbi-riscv32-sifive_u-fw_jump.bin and /dev/null 
> differ
> diff --git a/pc-bios/opensbi-riscv32-virt-fw_jump.bin 
> b/pc-bios/opensbi-riscv32-virt-fw_jump.bin
> deleted file mode 100644
> index bc56ed6..000
> Binary files a/pc-bios/opensbi-riscv32-virt-fw_jump.bin and /dev/null differ
> diff --git a/pc-bios/opensbi-riscv64-generic-fw_dynamic.bin 
> b/pc-bios/opensbi-riscv64-generic-fw_dynamic.bin
> new file mode 100644
> index 000..16c0cf4
> Binary files /dev/null and b/pc-bios/opensbi-riscv64-generic-fw_dynamic.bin 
> differ
> diff --git a/pc-bios/opensbi-riscv64-sifive_u-fw_jump.bin 
> b/pc-bios/opensbi-riscv64-sifive_u-fw_jump.bin
> deleted file mode 100644
> index 1acee86..000
> Binary files a/pc-bios/opensbi-riscv64-sifive_u-fw_jump.bin and /dev/null 
> differ
> diff --git a/pc-bios/opensbi-riscv64-virt-fw_jump.bin 
> b/pc-bios/opensbi-riscv64-virt-fw_jump.bin
> deleted file mode 100644
> index c62f2b4..000
> Binary files a/pc-bios/opensbi-riscv64-virt-fw_jump.bin and /dev/null differ
> --
> 2.7.4
>
>



Re: [PATCH v4 7/7] Makefile: Ship the generic platform bios images for RISC-V

2020-07-11 Thread Alistair Francis
On Fri, Jul 10, 2020 at 11:36 AM Alistair Francis  wrote:
>
> On Thu, Jul 9, 2020 at 10:11 PM Bin Meng  wrote:
> >
> > From: Bin Meng 
> >
> > Update the install blob list to include the generic platform
> > fw_dynamic bios images.
> >
> > Signed-off-by: Bin Meng 
>
> You didn't address the comments in v3.
>
> Thinking about this more though it looks like we currently don't
> install anything, so this is an improvement.
>
> Reviewed-by: Alistair Francis 

Nope, I was wrong. This should be squashed into patch 4 where you
remove the installed binaries.

Alistair

>
> Alistair
>
> >
> > ---
> >
> > (no changes since v3)
> >
> > Changes in v3:
> > - change fw_jump to fw_dynamic in the Makefile
> >
> > Changes in v2:
> > - new patch: Makefile: Ship the generic platform bios images for RISC-V
> >
> >  Makefile | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/Makefile b/Makefile
> > index f06b3ae..05e05bb 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -840,7 +840,9 @@ palcode-clipper \
> >  u-boot.e500 u-boot-sam460-20100605.bin \
> >  qemu_vga.ndrv \
> >  edk2-licenses.txt \
> > -hppa-firmware.img
> > +hppa-firmware.img \
> > +opensbi-riscv32-generic-fw_dynamic.bin 
> > opensbi-riscv32-generic-fw_dynamic.elf \
> > +opensbi-riscv64-generic-fw_dynamic.bin 
> > opensbi-riscv64-generic-fw_dynamic.elf
> >
> >
> >  DESCS=50-edk2-i386-secure.json 50-edk2-x86_64-secure.json \
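
Review bot: The added list entries include opensbi-riscv32-generic-fw_dynamic.elf and opensbi-riscv64-generic-fw_dynamic.elf, but the commit message speaks only of "fw_dynamic bios images" and does not say which patch in the series adds the .elf files or what uses them once installed. State that in the commit message, so a reader bisecting an install failure knows where the files are expected to come from.
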
> > --
> > 2.7.4
> >
> >



[PULL v2 49/50] Revert "vga: build virtio-gpu as module"

2020-07-11 Thread Alex Bennée
From: Gerd Hoffmann 

This reverts commit 8d5a24c83dba90b08ef163bbf166d6dfbad9019b.

Compiling all virtio-gpu objects into a single module isn't a good plan
because the individual objects have different CONFIG_* dependencies.
Leads to module load failures on s390x due to vga support being
disabled, which in turn breaks '-device virtio-gpu-device' (flagged by
travis ci).

So back to the drawing board for modular virtio-gpu ...

Signed-off-by: Gerd Hoffmann 
Signed-off-by: Alex Bennée 
Message-Id: <20200710203652.9708-3-kra...@redhat.com>

diff --git a/util/module.c b/util/module.c
index 32b0547b82..90e9bd42c6 100644
--- a/util/module.c
+++ b/util/module.c
@@ -266,12 +266,6 @@ static struct {
 { "usb-redir", "hw-", "usb-redirect"  },
 { "qxl-vga",   "hw-", "display-qxl"   },
 { "qxl",   "hw-", "display-qxl"   },
-{ "virtio-gpu-device", "hw-", "display-virtio-gpu"},
-{ "virtio-gpu-pci","hw-", "display-virtio-gpu"},
-{ "virtio-vga","hw-", "display-virtio-gpu"},
-{ "vhost-user-gpu-device", "hw-", "display-virtio-gpu"},
-{ "vhost-user-gpu-pci","hw-", "display-virtio-gpu"},
-{ "vhost-user-vga","hw-", "display-virtio-gpu"},
 { "chardev-braille",   "chardev-", "baum" },
 };
 
diff --git a/hw/display/Makefile.objs b/hw/display/Makefile.objs
index e907f3182b..d619594ad4 100644
--- a/hw/display/Makefile.objs
+++ b/hw/display/Makefile.objs
@@ -49,19 +49,16 @@ common-obj-m += qxl.mo
 qxl.mo-objs = qxl.o qxl-logger.o qxl-render.o
 endif
 
-ifeq ($(CONFIG_VIRTIO_GPU),y)
-common-obj-m += virtio-gpu.mo
-virtio-gpu-obj-$(CONFIG_VIRTIO_GPU) += virtio-gpu-base.o virtio-gpu.o 
virtio-gpu-3d.o
-virtio-gpu-obj-$(CONFIG_VHOST_USER_GPU) += vhost-user-gpu.o
-virtio-gpu-obj-$(call land,$(CONFIG_VIRTIO_GPU),$(CONFIG_VIRTIO_PCI)) += 
virtio-gpu-pci.o
-virtio-gpu-obj-$(call land,$(CONFIG_VHOST_USER_GPU),$(CONFIG_VIRTIO_PCI)) += 
vhost-user-gpu-pci.o
-virtio-gpu-obj-$(CONFIG_VIRTIO_VGA) += virtio-vga.o
-virtio-gpu-obj-$(CONFIG_VHOST_USER_VGA) += vhost-user-vga.o
-virtio-gpu.mo-objs := $(virtio-gpu-obj-y)
-virtio-gpu.mo-cflags := $(VIRGL_CFLAGS)
-virtio-gpu.mo-libs := $(VIRGL_LIBS)
-endif
-
+common-obj-$(CONFIG_VIRTIO_GPU) += virtio-gpu-base.o virtio-gpu.o 
virtio-gpu-3d.o
+common-obj-$(CONFIG_VHOST_USER_GPU) += vhost-user-gpu.o
+common-obj-$(call land,$(CONFIG_VIRTIO_GPU),$(CONFIG_VIRTIO_PCI)) += 
virtio-gpu-pci.o
+common-obj-$(call land,$(CONFIG_VHOST_USER_GPU),$(CONFIG_VIRTIO_PCI)) += 
vhost-user-gpu-pci.o
+common-obj-$(CONFIG_VIRTIO_VGA) += virtio-vga.o
+common-obj-$(CONFIG_VHOST_USER_VGA) += vhost-user-vga.o
+virtio-gpu.o-cflags := $(VIRGL_CFLAGS)
+virtio-gpu.o-libs += $(VIRGL_LIBS)
+virtio-gpu-3d.o-cflags := $(VIRGL_CFLAGS)
+virtio-gpu-3d.o-libs += $(VIRGL_LIBS)
 common-obj-$(CONFIG_DPCD) += dpcd.o
 common-obj-$(CONFIG_XLNX_ZYNQMP_ARM) += xlnx_dp.o
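
Review bot: The commit message says the individual objects have different CONFIG_* dependencies but does not name the one that makes the module fail to load on s390x; the removed block shows six separate conditions (CONFIG_VIRTIO_GPU, CONFIG_VHOST_USER_GPU, the two land() combinations with CONFIG_VIRTIO_PCI, CONFIG_VIRTIO_VGA and CONFIG_VHOST_USER_VGA) all feeding one virtio-gpu.mo. Record which of these broke '-device virtio-gpu-device', so the next attempt at a modular virtio-gpu knows where the module has to be split.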
 
-- 
2.20.1




[PULL v2 46/50] tests/docker: update toolchain set in debian-xtensa-cross

2020-07-11 Thread Alex Bennée
From: Max Filippov 

Switch to the prebuilt xtensa toolchains release 2020.07.
Drop csp toolchain as the csp core is not a part of QEMU.
Add de233_fpu and dsp3400 toolchains to enable DFPU and FPU2000 tests.

Signed-off-by: Max Filippov 
Signed-off-by: Alex Bennée 
Reviewed-by: Philippe Mathieu-Daudé 
Tested-by: Philippe Mathieu-Daudé 
[AJB: fix path in configure.sh]
Signed-off-by: Alex Bennée 
Message-Id: <20200708082347.27318-1-jcmvb...@gmail.com>
Message-Id: <20200709141327.14631-13-alex.ben...@linaro.org>

diff --git a/tests/docker/dockerfiles/debian-xtensa-cross.docker 
b/tests/docker/dockerfiles/debian-xtensa-cross.docker
index beb73f46ba..ba4148299c 100644
--- a/tests/docker/dockerfiles/debian-xtensa-cross.docker
+++ b/tests/docker/dockerfiles/debian-xtensa-cross.docker
@@ -18,12 +18,12 @@ RUN apt-get update && \
 git \
 python3-minimal
 
-ENV CPU_LIST csp dc232b dc233c
-ENV TOOLCHAIN_RELEASE 2018.02
+ENV CPU_LIST dc232b dc233c de233_fpu dsp3400
+ENV TOOLCHAIN_RELEASE 2020.07
 
 RUN for cpu in $CPU_LIST; do \
 curl -#SL 
http://github.com/foss-xtensa/toolchain/releases/download/$TOOLCHAIN_RELEASE/x86_64-$TOOLCHAIN_RELEASE-xtensa-$cpu-elf.tar.gz
 \
 | tar -xzC /opt; \
 done
 
-ENV PATH 
$PATH:/opt/$TOOLCHAIN_RELEASE/xtensa-dc232b-elf/bin:/opt/$TOOLCHAIN_RELEASE/xtensa-dc233c-elf/bin:/opt/$TOOLCHAIN_RELEASE/xtensa-csp-elf/bin
+ENV PATH 
$PATH:/opt/$TOOLCHAIN_RELEASE/xtensa-dc232b-elf/bin:/opt/$TOOLCHAIN_RELEASE/xtensa-dc233c-elf/bin:/opt/$TOOLCHAIN_RELEASE/xtensa-de233_fpu-elf/bin:/opt/$TOOLCHAIN_RELEASE/xtensa-dsp3400-elf/bin
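
Review bot: The RUN step that this hunk leaves as context still downloads over plain http:// and pipes curl straight into tar -xzC /opt with no integrity check, and the new TOOLCHAIN_RELEASE and CPU_LIST values mean four fresh tarballs are now fetched that way. Switch the URL to https:// and verify each archive against a pinned SHA-256 before unpacking, so that a substituted or tampered tarball cannot end up as the compiler inside the CI image.
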
diff --git a/tests/tcg/configure.sh b/tests/tcg/configure.sh
index 37e49736ca..102578caa5 100755
--- a/tests/tcg/configure.sh
+++ b/tests/tcg/configure.sh
@@ -182,7 +182,7 @@ for target in $target_list; do
   container_image=debian-xtensa-cross
 
   # default to the dc232b cpu
-  
container_cross_cc=/opt/2018.02/xtensa-dc232b-elf/bin/xtensa-dc232b-elf-gcc
+  
container_cross_cc=/opt/2020.07/xtensa-dc232b-elf/bin/xtensa-dc232b-elf-gcc
   ;;
   esac
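
Review bot: container_cross_cc hard-codes /opt/2020.07, duplicating TOOLCHAIN_RELEASE from debian-xtensa-cross.docker, so every toolchain bump has to touch both files; the "[AJB: fix path in configure.sh]" tag on this commit suggests that is easy to miss. Add a comment beside each value pointing at the other, or have the Dockerfile create a version-independent path that configure.sh can use.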
 
-- 
2.20.1




[PULL v2 50/50] iotests: Set LC_ALL=C for sort

2020-07-11 Thread Alex Bennée
From: Max Reitz 

Otherwise the result is basically unpredictable.

(Note that the precise environment variable to control sorting order is
LC_COLLATE, but LC_ALL overrides LC_COLLATE, and we do not want the
sorting order to be messed up if LC_ALL is set in the environment.)

Reported-by: John Snow 
Signed-off-by: Max Reitz 
Reviewed-by: Eric Blake 
Signed-off-by: Alex Bennée 
Message-Id: <20200710163253.381630-3-mre...@redhat.com>

diff --git a/tests/qemu-iotests/common.filter b/tests/qemu-iotests/common.filter
index d967adc59a..c9f978abce 100644
--- a/tests/qemu-iotests/common.filter
+++ b/tests/qemu-iotests/common.filter
@@ -186,7 +186,7 @@ _filter_img_create()
 -e 's/^\(data_file\)/3-\1/' \
 -e 's/^\(encryption\)/4-\1/' \
 -e 's/^\(preallocation\)/8-\1/' \
-| sort \
+| LC_ALL=C sort \
 | $SED -e 's/^[0-9]-//' \
 | tr '\n\0' ' \n' \
 | $SED -e 's/^ *$//' -e 's/ *$//'
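
Review bot: The reason for the change at `| LC_ALL=C sort \` is given only in the commit message, so someone reading common.filter later sees no hint why LC_ALL is set rather than LC_COLLATE. Add a short comment above the sed pipeline in _filter_img_create() saying that LC_ALL overrides LC_COLLATE and therefore has to be the variable that is pinned.
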
-- 
2.20.1




[PULL v2 45/50] tests/docker: fall back more gracefully when pull fails

2020-07-11 Thread Alex Bennée
I only spotted this in the small window between my testing with my
registry while waiting for the gitlab PR to go in. As we pre-pull the
registry image we know if that fails there isn't any point attempting
to use the cache. Fall back to the way we used to do it at that point.

Signed-off-by: Alex Bennée 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20200709141327.14631-12-alex.ben...@linaro.org>

diff --git a/tests/docker/docker.py b/tests/docker/docker.py
index 9684f07bde..2d67bbd15a 100755
--- a/tests/docker/docker.py
+++ b/tests/docker/docker.py
@@ -306,13 +306,14 @@ class Docker(object):
 checksum = _text_checksum(_dockerfile_preprocess(dockerfile))
 
 if registry is not None:
-dockerfile = dockerfile.replace("FROM qemu/",
-"FROM %s/qemu/" %
-(registry))
 # see if we can fetch a cache copy, may fail...
 pull_args = ["pull", "%s/%s" % (registry, tag)]
-self._do(pull_args, quiet=quiet)
-
+if self._do(pull_args, quiet=quiet) == 0:
+dockerfile = dockerfile.replace("FROM qemu/",
+"FROM %s/qemu/" %
+(registry))
+else:
+registry = None
 
 tmp_df = tempfile.NamedTemporaryFile(mode="w+t",
  encoding='utf-8',
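
Review bot: When the pull fails, the else branch sets registry = None and the build carries on without any message, so a mistyped registry name or an expired login looks the same as a build that used the cache. Print a one-line warning there (unless quiet is set) naming the "%s/%s" % (registry, tag) image that could not be pulled. It is also worth confirming that every later use of registry in this method tolerates None, since only the lines up to tmp_df are visible in this hunk.
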
-- 
2.20.1




[PULL v2 48/50] tests: fix "make check-qtest" for modular builds

2020-07-11 Thread Alex Bennée
From: Gerd Hoffmann 

Signed-off-by: Gerd Hoffmann 
Signed-off-by: Alex Bennée 
Message-Id: <20200710203652.9708-2-kra...@redhat.com>

diff --git a/tests/qtest/Makefile.include b/tests/qtest/Makefile.include
index 98af2c2d93..6a0276fd42 100644
--- a/tests/qtest/Makefile.include
+++ b/tests/qtest/Makefile.include
@@ -277,6 +277,7 @@ tests/qtest/tco-test$(EXESUF): tests/qtest/tco-test.o 
$(libqos-pc-obj-y)
 tests/qtest/virtio-ccw-test$(EXESUF): tests/qtest/virtio-ccw-test.o
 tests/qtest/display-vga-test$(EXESUF): tests/qtest/display-vga-test.o
 tests/qtest/qom-test$(EXESUF): tests/qtest/qom-test.o
+tests/qtest/modules-test$(EXESUF): tests/qtest/modules-test.o
 tests/qtest/test-hmp$(EXESUF): tests/qtest/test-hmp.o
 tests/qtest/machine-none-test$(EXESUF): tests/qtest/machine-none-test.o
 tests/qtest/device-plug-test$(EXESUF): tests/qtest/device-plug-test.o
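
Review bot: The commit message consists of a subject and tags with no body, and the one added line, tests/qtest/modules-test$(EXESUF): tests/qtest/modules-test.o, does not by itself explain what went wrong with "make check-qtest" on a modular build. Add a sentence describing the failure (missing link rule, missing binary, or similar), so the fix can be understood from the log alone.
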
-- 
2.20.1




[PULL v2 42/50] docs/devel: convert and update MTTCG design document

2020-07-11 Thread Alex Bennée
Do a light conversion to .rst and clean-up some of the language at the
start now MTTCG has been merged for a while.

Signed-off-by: Alex Bennée 
Reviewed-by: Richard Henderson 
Message-Id: <20200709141327.14631-2-alex.ben...@linaro.org>

diff --git a/docs/devel/index.rst b/docs/devel/index.rst
index bb8238c5d6..4ecaea3643 100644
--- a/docs/devel/index.rst
+++ b/docs/devel/index.rst
@@ -23,6 +23,7 @@ Contents:
decodetree
secure-coding-practices
tcg
+   multi-thread-tcg
tcg-plugins
bitops
reset
diff --git a/docs/devel/multi-thread-tcg.txt b/docs/devel/multi-thread-tcg.rst
similarity index 90%
rename from docs/devel/multi-thread-tcg.txt
rename to docs/devel/multi-thread-tcg.rst
index 3c85ac0eab..42158b77c7 100644
--- a/docs/devel/multi-thread-tcg.txt
+++ b/docs/devel/multi-thread-tcg.rst
@@ -1,15 +1,17 @@
-Copyright (c) 2015-2016 Linaro Ltd.
+..
+  Copyright (c) 2015-2020 Linaro Ltd.
 
-This work is licensed under the terms of the GNU GPL, version 2 or
-later. See the COPYING file in the top-level directory.
+  This work is licensed under the terms of the GNU GPL, version 2 or
+  later. See the COPYING file in the top-level directory.
 
 Introduction
 
 
-This document outlines the design for multi-threaded TCG system-mode
-emulation. The current user-mode emulation mirrors the thread
-structure of the translated executable. Some of the work will be
-applicable to both system and linux-user emulation.
+This document outlines the design for multi-threaded TCG (a.k.a MTTCG)
+system-mode emulation. user-mode emulation has always mirrored the
+thread structure of the translated executable although some of the
+changes done for MTTCG system emulation have improved the stability of
+linux-user emulation.
 
 The original system-mode TCG implementation was single threaded and
 dealt with multiple CPUs with simple round-robin scheduling. This
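
Review bot: In the rewritten introduction the second sentence starts in lower case ("user-mode emulation has always mirrored ...") and the abbreviation is written "a.k.a" without its final period. Capitalise the sentence start and use "a.k.a." so the rendered page reads cleanly.
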
@@ -21,9 +23,18 @@ vCPU Scheduling
 ===
 
 We introduce a new running mode where each vCPU will run on its own
-user-space thread. This will be enabled by default for all FE/BE
-combinations that have had the required work done to support this
-safely.
+user-space thread. This is enabled by default for all FE/BE
+combinations where the host memory model is able to accommodate the
+guest (TCG_GUEST_DEFAULT_MO & ~TCG_TARGET_DEFAULT_MO is zero) and the
+guest has had the required work done to support this safely
+(TARGET_SUPPORTS_MTTCG).
+
+System emulation will fall back to the original round robin approach
+if:
+
+* forced by --accel tcg,thread=single
+* enabling --icount mode
+* 64 bit guests on 32 bit hosts (TCG_OVERSIZED_GUEST)
 
 In the general case of running translated code there should be no
 inter-vCPU dependencies and all vCPUs should be able to run at full
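
Review bot: The new text puts macros and command-line options in plain prose (TCG_GUEST_DEFAULT_MO & ~TCG_TARGET_DEFAULT_MO, TARGET_SUPPORTS_MTTCG, --accel tcg,thread=single, --icount); now that the file is .rst, a bare "--" can be turned into a dash by smart-quote processing and the expression is hard to pick out of the sentence. Wrap each of them in ``double backticks`` so they render as literals.
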
@@ -61,7 +72,9 @@ have their block-to-block jumps patched.
 Global TCG State
 
 
-### User-mode emulation
+User-mode emulation
+~~~
+
 We need to protect the entire code generation cycle including any post
 generation patching of the translated code. This also implies a shared
 translation buffer which contains code running on all cores. Any
@@ -78,9 +91,11 @@ patching.
 
 Code generation is serialised with mmap_lock().
 
-### !User-mode emulation
+!User-mode emulation
+
+
 Each vCPU has its own TCG context and associated TCG region, thereby
-requiring no locking.
+requiring no locking during translation.
 
 Translation Blocks
 --
@@ -92,6 +107,7 @@ including:
 
   - debugging operations (breakpoint insertion/removal)
   - some CPU helper functions
+  - linux-user spawning it's first thread
 
 This is done with the async_safe_run_on_cpu() mechanism to ensure all
 vCPUs are quiescent when changes are being made to shared global
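
Review bot: The added bullet reads "linux-user spawning it's first thread"; the possessive is "its".
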
@@ -250,8 +266,10 @@ to enforce a particular ordering of memory operations from 
the point
 of view of external observers (e.g. another processor core). They can
 apply to any memory operations as well as just loads or stores.
 
-The Linux kernel has an excellent write-up on the various forms of
-memory barrier and the guarantees they can provide [1].
+The Linux kernel has an excellent `write-up
+`
+on the various forms of memory barrier and the guarantees they can
+provide.
 
 Barriers are often wrapped around synchronisation primitives to
 provide explicit memory ordering semantics. However they can be used
@@ -352,7 +370,3 @@ an exclusive lock which ensures all emulation is serialised.
 While the atomic helpers look good enough for now there may be a need
 to look at solutions that can more closely model the guest
 architectures semantics.
-
-==
-
-[1] 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/plain/Documentation/memory-barriers.txt
-- 
2.20.1




[PULL v2 04/50] tests/vm: Add configuration to basevm.py

2020-07-11 Thread Alex Bennée
From: Robert Foley 

Added use of a configuration to tests/vm/basevm.py.
The configuration provides parameters used to configure a VM.
This allows for providing alternate configurations to the VM being
created/launched. cpu, machine, memory, and NUMA configuration are all
examples of configuration which we might want to vary on the VM being created
or launched.
This will for example allow for creating an aarch64 vm.

Signed-off-by: Robert Foley 
Reviewed-by: Peter Puhov 
Reviewed-by: Alex Bennée 
Signed-off-by: Alex Bennée 
Message-Id: <20200601211421.1277-3-robert.fo...@linaro.org>
Message-Id: <20200701135652.1366-7-alex.ben...@linaro.org>

diff --git a/tests/vm/basevm.py b/tests/vm/basevm.py
index 5a58e6c393..5ae39ad113 100644
--- a/tests/vm/basevm.py
+++ b/tests/vm/basevm.py
@@ -29,16 +29,41 @@ import tempfile
 import shutil
 import multiprocessing
 import traceback
-
-SSH_KEY = open(os.path.join(os.path.dirname(__file__),
-   "..", "keys", "id_rsa")).read()
-SSH_PUB_KEY = open(os.path.join(os.path.dirname(__file__),
-   "..", "keys", "id_rsa.pub")).read()
-
+import shlex
+
+SSH_KEY_FILE = os.path.join(os.path.dirname(__file__),
+   "..", "keys", "id_rsa")
+SSH_PUB_KEY_FILE = os.path.join(os.path.dirname(__file__),
+   "..", "keys", "id_rsa.pub")
+
+# This is the standard configuration.
+# Any or all of these can be overridden by
+# passing in a config argument to the VM constructor.
+DEFAULT_CONFIG = {
+'cpu' : "max",
+'machine' : 'pc',
+'guest_user'  : "qemu",
+'guest_pass'  : "qemupass",
+'root_pass'   : "qemupass",
+'ssh_key_file': SSH_KEY_FILE,
+'ssh_pub_key_file': SSH_PUB_KEY_FILE,
+'memory'  : "4G",
+'extra_args'  : [],
+'qemu_args'   : "",
+'dns' : "",
+'ssh_port': 0,
+'install_cmds': "",
+'boot_dev_type'   : "block",
+'ssh_timeout' : 1,
+}
+BOOT_DEVICE = {
+'block' :  "-drive file={},if=none,id=drive0,cache=writeback "\
+   "-device virtio-blk,drive=drive0,bootindex=0",
+'scsi'  :  "-device virtio-scsi-device,id=scsi "\
+   "-drive file={},format=raw,if=none,id=hd0 "\
+   "-device scsi-hd,drive=hd0,bootindex=0",
+}
 class BaseVM(object):
-GUEST_USER = "qemu"
-GUEST_PASS = "qemupass"
-ROOT_PASS = "qemupass"
 
 envvars = [
 "https_proxy",
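Review bot: 'extra_args' : [] in DEFAULT_CONFIG is a mutable list inside a module-level dict, and the constructor only takes a shallow DEFAULT_CONFIG.copy(), so every BaseVM that does not override extra_args shares the same list object and an append through one instance's config changes the defaults for all later ones. Use copy.deepcopy(DEFAULT_CONFIG) in __init__ or make the default an immutable tuple. Now that guest_pass and root_pass are config keys with the fixed default "qemupass", a comment that these are throwaway test credentials would also help.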
@@ -57,25 +82,38 @@ class BaseVM(object):
 poweroff = "poweroff"
 # enable IPv6 networking
 ipv6 = True
+# This is the timeout on the wait for console bytes.
+socket_timeout = 120
 # Scale up some timeouts under TCG.
 # 4 is arbitrary, but greater than 2,
 # since we found we need to wait more than twice as long.
 tcg_ssh_timeout_multiplier = 4
-def __init__(self, args):
+def __init__(self, args, config=None):
 self._guest = None
 self._genisoimage = args.genisoimage
 self._build_path = args.build_path
+# Allow input config to override defaults.
+self._config = DEFAULT_CONFIG.copy()
+if config != None:
+self._config.update(config)
+self.validate_ssh_keys()
 self._tmpdir = os.path.realpath(tempfile.mkdtemp(prefix="vm-test-",
  suffix=".tmp",
  dir="."))
 atexit.register(shutil.rmtree, self._tmpdir)
-
-self._ssh_key_file = os.path.join(self._tmpdir, "id_rsa")
-open(self._ssh_key_file, "w").write(SSH_KEY)
-subprocess.check_call(["chmod", "600", self._ssh_key_file])
-
-self._ssh_pub_key_file = os.path.join(self._tmpdir, "id_rsa.pub")
-open(self._ssh_pub_key_file, "w").write(SSH_PUB_KEY)
+# Copy the key files to a temporary directory.
+# Also chmod the key file to agree with ssh requirements.
+self._config['ssh_key'] = \
+open(self._config['ssh_key_file']).read().rstrip()
+self._config['ssh_pub_key'] = \
+open(self._config['ssh_pub_key_file']).read().rstrip()
+self._ssh_tmp_key_file = os.path.join(self._tmpdir, "id_rsa")
+open(self._ssh_tmp_key_file, "w").write(self._config['ssh_key'])
+subprocess.check_call(["chmod", "600", self._ssh_tmp_key_file])
+
+self._ssh_tmp_pub_key_file = os.path.join(self._tmpdir, "id_rsa.pub")
+open(self._ssh_tmp_pub_key_file,
+ "w").write(self._config['ssh_pub_key'])
 
 self.debug = args.debug
 self._stderr = sys.stderr
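Review bot: in __init__ the key material is read and written through bare open(...).read() and open(..., "w").write(...) calls that never close their handles, so flushing the private key copy before chmod and ssh use it depends on garbage collection; use with blocks. Since the 600 mode is only there to satisfy ssh, creating the file with os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600) would set it at creation and drop the chmod subprocess. Also, "if config != None" should be "if config is not None", and validate_ssh_keys() is called here but its definition is not in the visible hunks, so it is unclear what it checks before the key files are opened.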
@@ -84,11 +122,14 @@ class BaseVM(object):
 self._stdout = sys.stdout
 else:
 self._stdout = self._devnull
+netdev = "user,id=vnet,hostfwd=:127.0.0.1:{}-:22"
 self._args = [ \
-"-nodefaults", "-m", "4G",
-"-cpu", "max",
-"-netdev", "user,id=vnet,hostfwd=:127.0.0.1:0-:22" +
-   

[PULL v2 44/50] docs: Add to gdbstub documentation the PhyMemMode

2020-07-11 Thread Alex Bennée
From: Jon Doron 

The PhyMemMode gdb extension command was missing from the gdb.rst
document.

Signed-off-by: Jon Doron 
Signed-off-by: Alex Bennée 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20200601171609.1665397-1-ari...@gmail.com>
Message-Id: <20200709141327.14631-4-alex.ben...@linaro.org>

diff --git a/docs/system/gdb.rst b/docs/system/gdb.rst
index a40145fcf8..abda961e2b 100644
--- a/docs/system/gdb.rst
+++ b/docs/system/gdb.rst
@@ -87,3 +87,23 @@ three commands you can query and set the single step 
behavior:
   (gdb) maintenance packet Qqemu.sstep=0x5
   sending: "qemu.sstep=0x5"
   received: "OK"
+
+
+Another feature that QEMU gdbstub provides is to toggle the memory GDB
+works with, by default GDB will show the current process memory respecting
+the virtual address translation.
+
+If you want to examine/change the physical memory you can set the gdbstub
+to work with the physical memory rather with the virtual one.
+
+The memory mode can be checked by sending the following command:
+
+``maintenance packet qqemu.PhyMemMode``
+This will return either 0 or 1, 1 indicates you are currently in the
+physical memory mode.
+
+``maintenance packet Qqemu.PhyMemMode:1``
+This will change the memory mode to physical memory.
+
+``maintenance packet Qqemu.PhyMemMode:0``
+This will change it back to normal memory mode.
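Review bot: in the added PhyMemMode text, "rather with the virtual one" should read "rather than with the virtual one", and the opening sentence is a comma splice ("...the memory GDB works with, by default GDB will show..."); split it in two. Each ``maintenance packet ...`` literal is followed directly by its description with no blank line, so reST will flow the command and the explanation into one paragraph; showing them the way the Qqemu.sstep example just above does, with the (gdb) prompt and the sending:/received: lines, would be consistent and tell the reader what reply to expect. It would also help to state plainly that in physical memory mode the addresses given to GDB are not subject to the guest's virtual address translation.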
-- 
2.20.1




[PULL v2 47/50] .cirrus.yml: add bash to the brew packages

2020-07-11 Thread Alex Bennée
Like the sed we include earlier we want something more recent for
iotests to work.

Fixes: 57ee95ed
Cc: Max Reitz 
Signed-off-by: Alex Bennée 
Message-Id: <20200710182238.10675-1-alex.ben...@linaro.org>

diff --git a/.cirrus.yml b/.cirrus.yml
index 69342ae031..f287d23c5b 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -20,7 +20,7 @@ macos_task:
   osx_instance:
 image: mojave-base
   install_script:
-- brew install pkg-config python gnu-sed glib pixman make sdl2
+- brew install pkg-config python gnu-sed glib pixman make sdl2 bash
   script:
 - mkdir build
 - cd build
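Review bot: adding bash to the brew install line only installs it; nothing in the visible script steps (mkdir build, cd build) puts the brew prefix ahead of /bin on PATH, so iotests will only pick up the newer bash if they locate it through env or the job already exports a suitable PATH. Please confirm which of those applies, or add the PATH handling alongside whatever is done for gnu-sed. The same question applies to the macos_xcode_task hunk that follows.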
@@ -33,7 +33,7 @@ macos_xcode_task:
 # this is an alias for the latest Xcode
 image: mojave-xcode
   install_script:
-- brew install pkg-config gnu-sed glib pixman make sdl2
+- brew install pkg-config gnu-sed glib pixman make sdl2 bash
   script:
 - mkdir build
 - cd build
-- 
2.20.1




[PULL v2 00/50] testing updates (vm, gitlab, misc build fixes)

2020-07-11 Thread Alex Bennée
Fixed a few, dropped a few, added a few

---

The following changes since commit 827937158b72ce2265841ff528bba3c44a1bfbc8:

  Merge remote-tracking branch 'remotes/aperard/tags/pull-xen-20200710' into staging (2020-07-11 13:56:03 +0100)

are available in the Git repository at:

  https://github.com/stsquad/qemu.git tags/pull-testing-and-misc-110720-2

for you to fetch changes up to 4a40f561d5ebb5050a8c6dcbdcee85621056590a:

  iotests: Set LC_ALL=C for sort (2020-07-11 15:53:29 +0100)


Testing and misc build updates:

  - tests/vm support for aarch64 VMs
  - tests/tcg better cross-compiler detection
  - update docker tooling to support registries
  - update docker support for xtensa
  - gitlab build docker images and store in registry
  - gitlab use docker images for builds
  - a number of skipIf updates to support move
  - linux-user MAP_FIXED_NOREPLACE fix
  - qht-bench compiler tweaks
  - configure fix for secret keyring
  - tsan fiber annotation clean-up
  - doc updates for mttcg/icount/gdbstub
  - fix cirrus to use brew bash for iotests
  - revert virtio-gpu breakage
  - fix LC_ALL to avoid sorting changes in iotests


Alex Bennée (26):
  tests/vm: switch from optsparse to argparse
  tests/vm: allow us to take advantage of MTTCG
  tests/docker: check for an parameters not empty string
  tests/docker: change tag naming scheme of our images
  .gitignore: un-ignore .gitlab-ci.d
  gitlab: build containers with buildkit and metadata
  tests/docker: add --registry support to tooling
  tests/docker: add packages needed for check-acceptance
  tests/acceptance: skip s390x_ccw_vrtio_tcg on GitLab
  tests/acceptance: fix dtb path for machine_rx_gdbsim
  tests/acceptance: skip multicore mips_malta tests on GitLab
  tests/acceptance: skip LinuxInitrd 2gib with v4.16 on GitLab
  gitlab: add acceptance testing to system builds
  tests/tcg: add more default compilers to configure.sh
  tests/docker: add a linux-user testing focused image
  linux-user/elfload: use MAP_FIXED_NOREPLACE in pgb_reserved_va
  gitlab: enable check-tcg for linux-user tests
  gitlab: add avocado asset caching
  gitlab: limit re-builds of the containers
  containers.yml: build with docker.py tooling
  testing: add check-build target
  shippable: pull images from registry instead of building
  docs/devel: convert and update MTTCG design document
  docs/devel: add some notes on tcg-icount for developers
  tests/docker: fall back more gracefully when pull fails
  .cirrus.yml: add bash to the brew packages

Daniel P. Berrangé (4):
  gitlab: introduce explicit "container" and "build" stages
  gitlab: build all container images during CI
  gitlab: convert jobs to use custom built containers
  tests: improve performance of device-introspect-test

David Edmondson (1):
  crypto/linux_keyring: fix 'secret_keyring' configure test

Gerd Hoffmann (2):
  tests: fix "make check-qtest" for modular builds
  Revert "vga: build virtio-gpu as module"

Jon Doron (1):
  docs: Add to gdbstub documentation the PhyMemMode

Max Filippov (1):
  tests/docker: update toolchain set in debian-xtensa-cross

Max Reitz (1):
  iotests: Set LC_ALL=C for sort

Richard Henderson (2):
  tests/qht-bench: Adjust testing rate by -1
  tests/qht-bench: Adjust threshold computation

Robert Foley (10):
  util/coroutine: Cleanup start_switch_fiber_ for TSAN.
  tests/vm: pass args through to BaseVM's __init__
  tests/vm: Add configuration to basevm.py
  tests/vm: Added configuration file support
  tests/vm: Add common Ubuntu python module
  tests/vm: Added a new script for ubuntu.aarch64.
  tests/vm: Added a new script for centos.aarch64.
  tests/vm: change scripts to use self._config
  python/qemu: Add ConsoleSocket for optional use in QEMUMachine
  tests/vm: Add workaround to consume console

Thomas Huth (2):
  gitlab-ci: Fix the change rules after moving the YML files
  travis.yml: Test also the other targets on s390x

 docs/devel/index.rst   |   2 +
 .../{multi-thread-tcg.txt => multi-thread-tcg.rst} |  52 ++--
 docs/devel/tcg-icount.rst  |  97 ++
 docs/system/gdb.rst|  20 ++
 configure  |  31 +-
 linux-user/elfload.c   |  10 +-
 tests/qht-bench.c  |  40 ++-
 tests/qtest/device-introspect-test.c   |  60 ++--
 util/coroutine-ucontext.c  |  52 ++--
 util/module.c  |   6 -
 .cirrus.yml|   4 +-
 .gitignore |   1 +
 

[PULL v2 43/50] docs/devel: add some notes on tcg-icount for developers

2020-07-11 Thread Alex Bennée
This attempts to bring together my understanding of the requirements
for icount behaviour into one reference document for our developer
notes.

Signed-off-by: Alex Bennée 
Reviewed-by: Richard Henderson 
Cc: Paolo Bonzini 
Cc: Pavel Dovgalyuk 
Cc: Peter Maydell 
Message-Id: <20200709141327.14631-3-alex.ben...@linaro.org>

diff --git a/docs/devel/index.rst b/docs/devel/index.rst
index 4ecaea3643..ae6eac7c9c 100644
--- a/docs/devel/index.rst
+++ b/docs/devel/index.rst
@@ -23,6 +23,7 @@ Contents:
decodetree
secure-coding-practices
tcg
+   tcg-icount
multi-thread-tcg
tcg-plugins
bitops
diff --git a/docs/devel/tcg-icount.rst b/docs/devel/tcg-icount.rst
new file mode 100644
index 00..8d67b6c076
--- /dev/null
+++ b/docs/devel/tcg-icount.rst
@@ -0,0 +1,97 @@
+..
+   Copyright (c) 2020, Linaro Limited
+   Written by Alex Bennée
+
+
+
+TCG Instruction Counting
+
+
+TCG has long supported a feature known as icount which allows for
+instruction counting during execution. This should not be confused
+with cycle accurate emulation - QEMU does not attempt to emulate how
+long an instruction would take on real hardware. That is a job for
+other more detailed (and slower) tools that simulate the rest of a
+micro-architecture.
+
+This feature is only available for system emulation and is
+incompatible with multi-threaded TCG. It can be used to better align
+execution time with wall-clock time so a "slow" device doesn't run too
+fast on modern hardware. It can also provides for a degree of
+deterministic execution and is an essential part of the record/replay
+support in QEMU.
+
+Core Concepts
+=
+
+At its heart icount is simply a count of executed instructions which
+is stored in the TimersState of QEMU's timer sub-system. The number of
+executed instructions can then be used to calculate QEMU_CLOCK_VIRTUAL
+which represents the amount of elapsed time in the system since
+execution started. Depending on the icount mode this may either be a
+fixed number of ns per instruction or adjusted as execution continues
+to keep wall clock time and virtual time in sync.
+
+To be able to calculate the number of executed instructions the
+translator starts by allocating a budget of instructions to be
+executed. The budget of instructions is limited by how long it will be
+until the next timer will expire. We store this budget as part of a
+vCPU icount_decr field which shared with the machinery for handling
+cpu_exit(). The whole field is checked at the start of every
+translated block and will cause a return to the outer loop to deal
+with whatever caused the exit.
+
+In the case of icount, before the flag is checked we subtract the
+number of instructions the translation block would execute. If this
+would cause the instruction budget to go negative we exit the main
+loop and regenerate a new translation block with exactly the right
+number of instructions to take the budget to 0 meaning whatever timer
+was due to expire will expire exactly when we exit the main run loop.
+
+Dealing with MMIO
+-
+
+While we can adjust the instruction budget for known events like timer
+expiry we cannot do the same for MMIO. Every load/store we execute
+might potentially trigger an I/O event, at which point we will need an
+up to date and accurate reading of the icount number.
+
+To deal with this case, when an I/O access is made we:
+
+  - restore un-executed instructions to the icount budget
+  - re-compile a single [1]_ instruction block for the current PC
+  - exit the cpu loop and execute the re-compiled block
+
+The new block is created with the CF_LAST_IO compile flag which
+ensures the final instruction translation starts with a call to
+gen_io_start() so we don't enter a perpetual loop constantly
+recompiling a single instruction block. For translators using the
+common translator_loop this is done automatically.
+  
+.. [1] sometimes two instructions if dealing with delay slots  
+
+Other I/O operations
+
+
+MMIO isn't the only type of operation for which we might need a
+correct and accurate clock. IO port instructions and accesses to
+system registers are the common examples here. These instructions have
+to be handled by the individual translators which have the knowledge
+of which operations are I/O operations.
+
+When the translator is handling an instruction of this kind:
+
+* it must call gen_io_start() if icount is enabled, at some
+   point before the generation of the code which actually does
+   the I/O, using a code fragment similar to:
+
+.. code:: c
+
+if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
+gen_io_start();
+}
+
+* it must end the TB immediately after this instruction
+
+Note that some older front-ends call a "gen_io_end()" function:
+this is obsolete and should not be used.
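Review bot: two typos in the new tcg-icount.rst text: "It can also provides for a degree of deterministic execution" should be "can also provide", and "a vCPU icount_decr field which shared with the machinery for handling cpu_exit()" is missing "is". Core Concepts says the result depends on "the icount mode" (a fixed number of ns per instruction versus adjusting to keep wall clock and virtual time in sync) without naming the modes or the option that selects them; one sentence tying this to the command line would make the document usable as a reference. The closing note calls gen_io_end() obsolete; saying what replaced it, or that ending the TB is sufficient, would stop readers from copying it out of older front-ends.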
-- 
2.20.1




QEMU | Pipeline #165544924 has failed for master | d4a6bab1

2020-07-11 Thread GitLab via


Your pipeline has failed.

Project: QEMU ( https://gitlab.com/qemu-project/qemu )
Branch: master ( https://gitlab.com/qemu-project/qemu/-/commits/master )

Commit: d4a6bab1 ( https://gitlab.com/qemu-project/qemu/-/commit/d4a6bab1ecf23d86e20e2f08a144e4e48643a6e4 )
Commit Message: Merge remote-tracking branch 'remotes/gkurz/tag...
Commit Author: Peter Maydell ( https://gitlab.com/pm215 )

Pipeline #165544924 ( https://gitlab.com/qemu-project/qemu/-/pipelines/165544924 ) triggered by Alex Bennée ( https://gitlab.com/stsquad )
had 1 failed build.

Job #634366824 ( https://gitlab.com/qemu-project/qemu/-/jobs/634366824/raw )

Stage: test
Name: build-disabled
Trace: Could not access KVM kernel module: No such file or directory
qemu-system-i386: -accel kvm: failed to initialize kvm: No such file or 
directory
qemu-system-i386: falling back to tcg
Could not access KVM kernel module: No such file or directory
qemu-system-i386: -accel kvm: failed to initialize kvm: No such file or 
directory
qemu-system-i386: falling back to tcg
  TESTcheck-qtest-i386: tests/qtest/device-introspect-test
  TESTcheck-qtest-i386: tests/qtest/machine-none-test
  TESTcheck-qtest-i386: tests/qtest/qmp-test
  TESTcheck-qtest-i386: tests/qtest/qmp-cmd-test
  TESTcheck-qtest-i386: tests/qtest/qom-test
  TESTcheck-qtest-i386: tests/qtest/test-hmp
  TESTcheck-qtest-i386: tests/qtest/qos-test
  TESTcheck-qtest-mips64: tests/qtest/endianness-test
  TESTcheck-qtest-mips64: tests/qtest/display-vga-test
  TESTcheck-qtest-mips64: tests/qtest/cdrom-test
  TESTcheck-qtest-mips64: tests/qtest/device-introspect-test
  TESTcheck-qtest-mips64: tests/qtest/machine-none-test
  TESTcheck-qtest-mips64: tests/qtest/qmp-test
  TESTcheck-qtest-mips64: tests/qtest/qmp-cmd-test
  TESTcheck-qtest-mips64: tests/qtest/qom-test
  TESTcheck-qtest-mips64: tests/qtest/test-hmp
  TESTcheck-qtest-mips64: tests/qtest/qos-test
  TESTcheck-qtest-ppc64: tests/qtest/machine-none-test
  TESTcheck-qtest-ppc64: tests/qtest/qmp-test
  TESTcheck-qtest-ppc64: tests/qtest/qmp-cmd-test
  TESTcheck-qtest-ppc64: tests/qtest/qom-test
  TESTcheck-qtest-ppc64: tests/qtest/test-hmp
section_end:1594487050:step_script
ERROR: Job failed: execution took longer than 1h0m0s seconds








Re: [PATCH v8 04/10] qcow2_format.py: dump bitmap flags in human readable way.

2020-07-11 Thread Vladimir Sementsov-Ogievskiy

03.07.2020 16:13, Andrey Shinkevich wrote:

Introduce the class BitmapFlags that parses a bitmap flags mask.

Suggested-by: Vladimir Sementsov-Ogievskiy 
Signed-off-by: Andrey Shinkevich 
---
  tests/qemu-iotests/qcow2_format.py | 16 
  1 file changed, 16 insertions(+)

diff --git a/tests/qemu-iotests/qcow2_format.py 
b/tests/qemu-iotests/qcow2_format.py
index 1435e34..d8c058d 100644
--- a/tests/qemu-iotests/qcow2_format.py
+++ b/tests/qemu-iotests/qcow2_format.py
@@ -40,6 +40,22 @@ class Flags64(Qcow2Field):
  return str(bits)
  
  
+class BitmapFlags(Qcow2Field):

+
+flags = {
+0x1: 'in-use',
+0x2: 'auto'
+}
+
+def __str__(self):
+bits = []
+for bit in range(64):
+flag = self.value & (1 << bit)
+if flag:
+bits.append(self.flags.get(flag, '{:#x}'.format(flag)))


please use f-strings where possible, for consistency.

Also, more obvious notation for unknown bits would be f'bit-{bit}' I think, so 
you see number of bit, not big hex number.


+return f'{self.value:#x} ({bits})'
+
+
  class Enum(Qcow2Field):
  
  def __str__(self):
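Review bot: BitmapFlags.__str__ interpolates the bits list directly, f'{self.value:#x} ({bits})', so the output carries Python list syntax, for example 0x3 (['in-use', 'auto']), which is not the human-readable form the subject line promises. Join the names instead, ', '.join(bits), and decide what should be printed for a zero mask, where the current code gives 0x0 ([]).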





--
Best regards,
Vladimir



Re: [PATCH v8 03/10] qcow2_format.py: change Qcow2BitmapExt initialization method

2020-07-11 Thread Vladimir Sementsov-Ogievskiy

03.07.2020 16:13, Andrey Shinkevich wrote:

There are two ways to initialize a class derived from Qcow2Struct:
1. Pass a block of binary data to the constructor.
2. Pass the file descriptor to allow reading the file from constructor.
Let's change the Qcow2BitmapExt initialization method from 1 to 2 to
support a scattered reading in the initialization chain.
The implementation comes with the patch that follows.

Suggested-by: Vladimir Sementsov-Ogievskiy 
Signed-off-by: Andrey Shinkevich 
---
  tests/qemu-iotests/qcow2_format.py | 14 --
  1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/tests/qemu-iotests/qcow2_format.py 
b/tests/qemu-iotests/qcow2_format.py
index 2f3681b..1435e34 100644
--- a/tests/qemu-iotests/qcow2_format.py
+++ b/tests/qemu-iotests/qcow2_format.py
@@ -63,7 +63,8 @@ class Qcow2StructMeta(type):
  
  class Qcow2Struct(metaclass=Qcow2StructMeta):
  
-"""Qcow2Struct: base class for qcow2 data structures

+"""
+Qcow2Struct: base class for qcow2 data structures


Unrelated chunk. And why?

  
  Successors should define fields class variable, which is: list of tuples,

  each of three elements:
@@ -113,6 +114,9 @@ class Qcow2BitmapExt(Qcow2Struct):
  ('u64', '{:#x}', 'bitmap_directory_offset')
  )
  
+def __init__(self, fd):

+super().__init__(fd=fd)


this does nothing. We inherit the __init__ of super class, no need to define it 
just to call same __init__.


+
  
  QCOW2_EXT_MAGIC_BITMAPS = 0x23852875
  
@@ -173,7 +177,13 @@ class QcowHeaderExtension(Qcow2Struct):

  self.data_str = data_str
  
  if self.magic == QCOW2_EXT_MAGIC_BITMAPS:

-self.obj = Qcow2BitmapExt(data=self.data)
+assert fd is not None
+position = fd.tell()
+# Step back to reread data


This definitely shows that we are doing something wrong


+padded = (self.length + 7) & ~7
+fd.seek(-padded, 1)
+self.obj = Qcow2BitmapExt(fd=fd)
+fd.seek(position)
  else:
  self.obj = None
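Review bot: in the QCOW2_EXT_MAGIC_BITMAPS branch, "assert fd is not None" is the only guard on the new fd-based path and it disappears under python -O; raise an explicit exception when a caller still passes only data. fd.seek(-padded, 1) should spell the whence as io.SEEK_CUR, and the rewind assumes the descriptor sits exactly padded bytes past the start of the extension data, which nothing in this hunk verifies before Qcow2BitmapExt(fd=fd) parses from that position.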
  




--
Best regards,
Vladimir



[PATCH 05/11] riscv: Add RV64D instructions description

2020-07-11 Thread LIU Zhiwei
For supporting multi-precision, split all 32 fp registers into two groups.
The RV64D instructions will use only the 16 fp registers selected by
gfp64().

Signed-off-by: LIU Zhiwei 
---
 rv64.risu | 100 ++
 1 file changed, 100 insertions(+)

diff --git a/rv64.risu b/rv64.risu
index 0dcc9a1..a6fa9fc 100644
--- a/rv64.risu
+++ b/rv64.risu
@@ -364,3 +364,103 @@ FCVT_S_L RISCV 1101000 00010 rs1:5 rm:3 rd:5 1010011 \
 
 FCVT_S_LU RISCV 1101000 00011 rs1:5 rm:3 rd:5 1010011 \
 !constraints { greg($rs1) && gfp32($rd) && grm($rm); }
+
+@RV64D
+
+FLD RISCV imm:12 rs1:5 011 rd:5 111 \
+!constraints { gbase($rs1) && gfp64($rd); } \
+!memory { align(8); reg_plus_imm($rs1, sextract($imm, 12)); }
+
+FSD RISCV imm5:7 rs2:5 rs1:5 010 imm:5 0100111 \
+!constraints { gbase($rs1) && gfp64($rs2); } \
+!memory { align(8); reg_plus_imm($rs1, sextract($imm5 << 5 | $imm, 12)); }
+
+FMADD_D RISCV rs3:5 01 rs2:5 rs1:5 rm:3 rd:5 111 \
+!constraints { gfp64($rs1) && gfp64($rs2) && gfp64($rd) && grm($rm); }
+
+FMSUB_D RISCV rs3:5 01 rs2:5 rs1:5 rm:3 rd:5 1000111 \
+!constraints { gfp64($rs1) && gfp64($rs2) && gfp64($rd) && grm($rm); }
+
+FNMSUB_D RISCV rs3:5 01 rs2:5 rs1:5 rm:3 rd:5 1001011 \
+!constraints { gfp64($rs1) && gfp64($rs2) && gfp64($rd) && grm($rm); }
+
+FNMADD_D RISCV rs3:5 01 rs2:5 rs1:5 rm:3 rd:5 100 \
+!constraints { gfp64($rs1) && gfp64($rs2) && gfp64($rd) && grm($rm); }
+
+FADD_D RISCV 001 rs2:5 rs1:5 rm:3 rd:5 1010011 \
+!constraints { gfp64($rs1) && gfp64($rs2) && gfp64($rd) && grm($rm); }
+
+FSUB_D RISCV 101 rs2:5 rs1:5 rm:3 rd:5 1010011 \
+!constraints { gfp64($rs1) && gfp64($rs2) && gfp64($rd) && grm($rm); }
+
+FMUL_D RISCV 0001001 rs2:5 rs1:5 rm:3 rd:5 1010011 \
+!constraints { gfp64($rs1) && gfp64($rs2) && gfp64($rd) && grm($rm); }
+
+FDIV_D RISCV 0001101 rs2:5 rs1:5 rm:3 rd:5 1010011 \
+!constraints { gfp64($rs1) && gfp64($rs2) && gfp64($rd) && grm($rm); }
+
+FSQRT_D RISCV 0101101 0  rs1:5 rm:3 rd:5 1010011 \
+!constraints { gfp64($rs1) && gfp64($rd) && grm($rm); }
+
+FSGNJ_D RISCV 0010001 rs2:5  rs1:5 000 rd:5 1010011 \
+!constraints { gfp64($rs1) && gfp64($rs2) && gfp64($rd); }
+
+FSGNJN_D RISCV 0010001 rs2:5  rs1:5 001 rd:5 1010011 \
+!constraints { gfp64($rs1) && gfp64($rs2) && gfp64($rd); }
+
+FSGNJX_D RISCV 0010001 rs2:5  rs1:5 010 rd:5 1010011 \
+!constraints { gfp64($rs1) && gfp64($rs2) && gfp64($rd); }
+
+FMIN_D RISCV 0010101 rs2:5  rs1:5 000 rd:5 1010011 \
+!constraints { gfp64($rs1) && gfp64($rs2) && gfp64($rd); }
+
+FMAX_D RISCV 0010101 rs2:5  rs1:5 001 rd:5 1010011 \
+!constraints { gfp64($rs1) && gfp64($rs2) && gfp64($rd); }
+
+FCVT_S_D RISCV 010 1 rs1:5 rm:3 rd:5 1010011 \
+!constraints { gfp64($rs1) && gfp64($rd) && grm($rm); }
+
+FCVT_D_S RISCV 011 0 rs1:5 rm:3 rd:5 1010011 \
+!constraints { gfp64($rs1) && gfp64($rd) && grm($rm); }
+
+FEQ_D RISCV 1010001 rs2:5 rs1:5 010 rd:5 1010011 \
+!constraints { greg($rd) && gfp64($rs1) && gfp64($rs1); }
+
+FLT_D RISCV 1010001 rs2:5 rs1:5 001 rd:5 1010011 \
+!constraints { greg($rd) && gfp64($rs1) && gfp64($rs1); }
+
+FLE_D RISCV 1010001 rs2:5 rs1:5 000 rd:5 1010011 \
+!constraints { greg($rd) && gfp64($rs1) && gfp64($rs1); }
+
+FCLASS_D RISCV 1110001 0 rs1:5 001 rd:5 1010011 \
+!constraints { greg($rd) && gfp64($rs1); }
+
+FCVT_W_D RISCV 111 0 rs1:5 rm:3 rd:5 1010011 \
+!constraints { greg($rd) && gfp64($rs1) && grm($rm); }
+
+FCVT_WU_D RISCV 111 1 rs1:5 rm:3 rd:5 1010011 \
+!constraints { greg($rd) && gfp64($rs1) && grm($rm); }
+
+FCVT_D_W RISCV 1101001 0 rs1:5 rm:3 rd:5 1010011 \
+!constraints { greg($rs1) && gfp64($rd) && grm($rm); }
+
+FCVT_D_WU RISCV 1101001 1 rs1:5 rm:3 rd:5 1010011 \
+!constraints { greg($rs1) && gfp64($rd) && grm($rm); }
+
+FCVT_L_D RISCV 111 00010 rs1:5 rm:3 rd:5 1010011 \
+!constraints { greg($rd) && gfp64($rs1) && grm($rm); }
+
+FCVT_LU_D RISCV 111 00011 rs1:5 rm:3 rd:5 1010011 \
+!constraints { greg($rd) && gfp64($rs1) && grm($rm); }
+
+FCVT_D_L RISCV 1101001 00010 rs1:5 rm:3 rd:5 1010011 \
+!constraints { greg($rs1) && gfp64($rd) && grm($rm); }
+
+FCVT_D_LU RISCV 1101001 00011 rs1:5 rm:3 rd:5 1010011 \
+!constraints { greg($rs1) && gfp64($rd) && grm($rm); }
+
+FMV_D_X RISCV 001 0 rs1:5 000 rd:5 1010011 \
+!constraints { greg($rs1) && gfp64($rd); }
+
+FMV_X_D RISCV 1110001 0 rs1:5 000 rd:5 1010011 \
+!constraints { greg($rd) && gfp64($rs1); }
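Review bot: FEQ_D, FLT_D and FLE_D each test rs1 twice, "greg($rd) && gfp64($rs1) && gfp64($rs1)", so rs2 is never constrained to the gfp64() register group; the second term should be gfp64($rs2). The fused operations FMADD_D, FMSUB_D, FNMSUB_D and FNMADD_D have the same gap for rs3, which is decoded as a field but not checked. FCVT_D_S reads a single-precision source and FCVT_S_D writes a single-precision result, yet both constrain that operand with gfp64(); since the commit message splits the fp registers into two precision groups and the context lines above use gfp32() for single-precision operands, say whether gfp32() was intended there.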
-- 
2.23.0




[PATCH 01/11] riscv: Add RV64I instructions description

2020-07-11 Thread LIU Zhiwei
Avoid using stack pointer(x2), thread pointer(x3), global pointer(x4),
as they are not under control of risu.
Besides, avoid using x0 as base address register, because we can't
emit a valid random address by setting x0.

Signed-off-by: LIU Zhiwei 
---
 rv64.risu | 141 ++
 1 file changed, 141 insertions(+)
 create mode 100644 rv64.risu

diff --git a/rv64.risu b/rv64.risu
new file mode 100644
index 000..edf0d1f
--- /dev/null
+++ b/rv64.risu
@@ -0,0 +1,141 @@
+# Input file for risugen defining RISC-V instructions
+.mode riscv.rv64
+@RV64I
+
+# x2 stack pointer, x3 global pointer, x4 thread pointer
+# These registers should be reserved for signal handler.
+
+LUI RISCV imm:20 rd:5 0110111 \
+!constraints { greg($rd); }
+
+AUIPC RISCV imm:20 rd:5 0110111 \
+!constraints { greg($rd); }
+
+# Limit to current implementation, the base address register will be overide
+LB RISCV imm:12 rs1:5 000 rd:5 011 \
+!constraints { greg($rd) && gbase($rs1); } \
+!memory { align(1); reg_plus_imm($rs1, sextract($imm, 12), $rd); }
+
+LH RISCV imm:12 rs1:5 001 rd:5 011 \
+!constraints { greg($rd) && gbase($rs1); } \
+!memory { align(2); reg_plus_imm($rs1, sextract($imm, 12), $rd); }
+
+LW RISCV imm:12 rs1:5 010 rd:5 011 \
+!constraints { greg($rd) && gbase($rs1); } \
+!memory { align(4); reg_plus_imm($rs1, sextract($imm, 12), $rd); }
+
+LBU RISCV imm:12 rs1:5 100 rd:5 011 \
+!constraints { greg($rd) && gbase($rs1); } \
+!memory { align(1); reg_plus_imm($rs1, sextract($imm, 12), $rd); }
+
+LHU RISCV imm:12 rs1:5 101 rd:5 011 \
+!constraints { greg($rd) && gbase($rs1); } \
+!memory { align(2); reg_plus_imm($rs1, sextract($imm, 12), $rd); }
+
+SB RISCV imm5:7 rs2:5 rs1:5 000 imm:5 0100011 \
+!constraints { greg($rs2) && gbase($rs1) && $rs2 != $rs1; } \
+!memory { align(1); reg_plus_imm($rs1, sextract($imm5 << 5 | $imm, 12)); }
+
+SH RISCV imm5:7 rs2:5 rs1:5 001 imm:5 0100011 \
+!constraints { greg($rs2) && gbase($rs1) && $rs2 != $rs1; } \
+!memory { align(2); reg_plus_imm($rs1, sextract($imm5 << 5 | $imm, 12)); }
+
+SW RISCV imm5:7 rs2:5 rs1:5 010 imm:5 0100011 \
+!constraints { greg($rs2) && gbase($rs1) && $rs2 != $rs1; } \
+!memory { align(4); reg_plus_imm($rs1, sextract($imm5 << 5 | $imm, 12)); }
+
+ADDI RISCV imm:12 rs1:5 000 rd:5 0010011 \
+!constraints { greg($rd) && greg($rs1); }
+
+SLTI RISCV imm:12 rs1:5 010 rd:5 0010011 \
+!constraints { greg($rd) && greg($rs1); }
+
+SLTIU RISCV imm:12 rs1:5 011 rd:5 0010011 \
+!constraints { greg($rd) && greg($rs1); }
+
+XORI RISCV imm:12 rs1:5 100 rd:5 0010011 \
+!constraints { greg($rd) && greg($rs1); }
+
+ORI RISCV imm:12 rs1:5 110 rd:5 0010011 \
+!constraints { greg($rd) && greg($rs1); }
+
+ANDI RISCV imm:12 rs1:5 111 rd:5 0010011 \
+!constraints { greg($rd) && greg($rs1); }
+
+ADD RISCV 000 rs2:5 rs1:5 000 rd:5 0110011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+SUB RISCV 010 rs2:5 rs1:5 000 rd:5 0110011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+SLL RISCV 000 rs2:5 rs1:5 001 rd:5 0110011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+SLT RISCV 000 rs2:5 rs1:5 010 rd:5 0110011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+SLTU  RISCV 000 rs2:5 rs1:5 011 rd:5 0110011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+XOR RISCV 000 rs2:5 rs1:5 100 rd:5 0110011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+SRL RISCV 000 rs2:5 rs1:5 101 rd:5 0110011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+SRA RISCV 010 rs2:5 rs1:5 101 rd:5 0110011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+OR RISCV 000 rs2:5 rs1:5 110 rd:5 0110011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+AND RISCV 000 rs2:5 rs1:5 111 rd:5 0110011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+LWU RISCV imm:12 rs1:5 110 rd:5 011 \
+!constraints { greg($rd) && gbase($rs1); } \
+!memory { align(4); reg_plus_imm($rs1, sextract($imm, 12), $rd); }
+
+LD RISCV imm:12 rs1:5 011 rd:5 011 \
+!constraints { greg($rd) && gbase($rs1); } \
+!memory { align(8); reg_plus_imm($rs1, sextract($imm, 12), $rd); }
+
+SD RISCV imm5:7 rs2:5 rs1:5 011 imm:5 0100011 \
+!constraints { greg($rs2) && gbase($rs1) && $rs2 != $rs1; } \
+!memory { align(8); reg_plus_imm($rs1, sextract($imm5 << 5 | $imm, 12)); }
+
+SLLI RISCV 0 sham5:7 rs1:5 001 rd:5 0010011 \
+!constraints { greg($rd) && greg($rs1); }
+
+SRLI RISCV 0 sham5:7 rs1:5 101 rd:5 0010011 \
+!constraints { greg($rd) && greg($rs1); }
+
+SRAI RISCV 01000 sham5:7 rs1:5 101 rd:5 0010011 \
+!constraints { greg($rd) && greg($rs1); }
+
+ADDIW RISCV imm:12 rs1:5 000 rd:5 0011011 \
+!constraints { greg($rd) && greg($rs1); }
+
+SLLIW RISCV 000 shamt:5 rs1:5 001 rd:5 0011011 \
+!constraints { greg($rd) && greg($rs1); }
+
+SRLIW RISCV 000 shamt:5 rs1:5 101 rd:5 0011011 \
+!constraints { greg($rd) && greg($rs1); }
+
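Review bot: AUIPC is given the same opcode bits as LUI: both patterns end in "rd:5 0110111", so risugen would generate LUI for both entries and never AUIPC, whose major opcode is 0010111. The in-file comment labels x3 as global pointer and x4 as thread pointer, which matches the RISC-V ABI, while the commit message has the two the other way round; please make them agree. Minor: "overide" in the comment above LB should be "overridden".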

[PATCH 09/11] riscv: Define riscv struct reginfo

2020-07-11 Thread LIU Zhiwei
Signed-off-by: LIU Zhiwei 
---
 risu_reginfo_riscv64.h | 28 
 1 file changed, 28 insertions(+)
 create mode 100644 risu_reginfo_riscv64.h

diff --git a/risu_reginfo_riscv64.h b/risu_reginfo_riscv64.h
new file mode 100644
index 000..4536480
--- /dev/null
+++ b/risu_reginfo_riscv64.h
@@ -0,0 +1,28 @@
+/**
+ * Copyright (c) 2020 T-Head Semiconductor Co., Ltd.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * LIU Zhiwei(T-Head) - initial implementation
+ * based on Peter Maydell's risu_arm.c
+ */
+
+#ifndef RISU_REGINFO_RISCV64_H
+#define RISU_REGINFO_RISCV64_H
+
+struct reginfo {
+uint64_t fault_address;
+uint64_t regs[32];
+uint64_t fregs[32];
+uint64_t pc;
+uint32_t flags;
+uint32_t faulting_insn;
+
+/* FP */
+uint32_t fcsr;
+};
+
+#endif /* RISU_REGINFO_RISCV64_H */
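Review bot: risu_reginfo_riscv64.h uses uint64_t and uint32_t but includes nothing, so it only compiles when the including file has already pulled in <stdint.h>; add the include inside the guard. The struct ends with three uint32_t members, which leaves 4 bytes of tail padding on an LP64 target; if reginfo is ever compared or transmitted as raw bytes, zero the whole struct before filling it or add an explicit pad field. The patch also has no commit message body, and a line per field saying what it records (in particular flags and faulting_insn) would help.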
-- 
2.23.0




[PATCH 08/11] riscv: Add standard test case

2020-07-11 Thread LIU Zhiwei
Signed-off-by: LIU Zhiwei 
Reviewed-by: Richard Henderson 
---
 test_riscv64.s | 85 ++
 1 file changed, 85 insertions(+)
 create mode 100644 test_riscv64.s

diff --git a/test_riscv64.s b/test_riscv64.s
new file mode 100644
index 000..22a22b6
--- /dev/null
+++ b/test_riscv64.s
@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 2020 T-Head Semiconductor Co., Ltd.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * LIU Zhiwei (T-Head) - initial implementation
+ * based on test_arm.s by Peter Maydell
+ */
+
+/* Initialise the gp regs */
+li x1, 1
+#li x2, 2  # stack pointer
+#li x3, 3  # global pointer
+#li x4, 4  # thread pointer
+li x5, 5
+li x6, 6
+li x7, 7
+li x8, 8
+li x9, 9
+li x10, 10
+li x11, 11
+li x12, 12
+li x13, 13
+li x14, 14
+li x15, 15
+li x16, 16
+li x17, 17
+li x18, 18
+li x19, 19
+li x20, 20
+li x21, 21
+li x22, 22
+li x23, 23
+li x24, 24
+li x25, 25
+li x26, 26
+li x27, 27
+li x28, 28
+li x29, 29
+li x30, 30
+li x31, 30
+
+/* Initialise the fp regs */
+fcvt.d.lu f0, x0
+fcvt.d.lu f1, x1
+fcvt.d.lu f2, x2
+fcvt.d.lu f3, x3
+fcvt.d.lu f4, x4
+fcvt.d.lu f5, x5
+fcvt.d.lu f6, x6
+fcvt.d.lu f7, x7
+fcvt.d.lu f8, x8
+fcvt.d.lu f9, x9
+fcvt.d.lu f10, x10
+fcvt.d.lu f11, x11
+fcvt.d.lu f12, x12
+fcvt.d.lu f13, x13
+fcvt.d.lu f14, x14
+fcvt.d.lu f15, x15
+fcvt.d.lu f16, x16
+fcvt.d.lu f17, x17
+fcvt.d.lu f18, x18
+fcvt.d.lu f19, x19
+fcvt.d.lu f20, x20
+fcvt.d.lu f21, x21
+fcvt.d.lu f22, x22
+fcvt.d.lu f23, x23
+fcvt.d.lu f24, x24
+fcvt.d.lu f25, x25
+fcvt.d.lu f26, x26
+fcvt.d.lu f27, x27
+fcvt.d.lu f28, x28
+fcvt.d.lu f29, x29
+fcvt.d.lu f30, x30
+fcvt.d.lu f31, x31
+
+/* do compare.
+ * The manual says instr with bits (6:0) == 1 1 0 1 0 1 1 are UNALLOCATED
+ */
+.int 0x006b
+/* exit test */
+.int 0x016b
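
Review bot: `li x31, 30` at the end of the gp register block loads 30 where every other line loads the register's own number, so x30 and x31 start with the same value; this looks like a typo for `li x31, 31`. Separately, the fp block converts x2, x3 and x4 into f2, f3 and f4 even though the gp block deliberately leaves those registers (stack, global and thread pointer) uninitialised, so f2 to f4 receive whatever those pointers hold in each process. Loading them from initialised registers would keep the starting fp state fixed.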
-- 
2.23.0




[PATCH 02/11] riscv: Add RV64M instructions description

2020-07-11 Thread LIU Zhiwei
Signed-off-by: LIU Zhiwei 
---
 rv64.risu | 41 +
 1 file changed, 41 insertions(+)

diff --git a/rv64.risu b/rv64.risu
index edf0d1f..2c4154e 100644
--- a/rv64.risu
+++ b/rv64.risu
@@ -139,3 +139,44 @@ SRLW RISCV 000 rs2:5 rs1:5 101 rd:5 0011011 \
 
 SRAW RISCV 010 rs2:5 rs1:5 101 rd:5 0011011 \
 !constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+@RV64M
+
+MUL RISCV 001 rs2:5 rs1:5 000 rd:5 0110011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+MULH RISCV 001 rs2:5 rs1:5 001 rd:5 0110011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+MULHSU RISCV 001 rs2:5 rs1:5 010 rd:5 0110011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+MULHU RISCV 001 rs2:5 rs1:5 011 rd:5 0110011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+DIV RISCV 001 rs2:5 rs1:5 100 rd:5 0110011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+DIVU RISCV 001 rs2:5 rs1:5 101 rd:5 0110011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+REM RISCV 001 rs2:5 rs1:5 110 rd:5 0110011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+REMU RISCV 001 rs2:5 rs1:5 111 rd:5 0110011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+MULW RISCV 001 rs2:5 rs1:5 000 rd:5 0111011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+DIVW RISCV 001 rs2:5 rs1:5 100 rd:5 0111011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+DIVUW RISCV 001 rs2:5 rs1:5 101 rd:5 0111011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+REMW RISCV 001 rs2:5 rs1:5 110 rd:5 0111011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+REMUW RISCV 001 rs2:5 rs1:5 111 rd:5 0111011 \
+!constraints { greg($rd) && greg($rs1) && greg($rs2); }
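
Review bot: the DIV, DIVU, REM and REMU patterns (and their W forms) constrain only which registers are picked, so nothing here steers a run towards a zero divisor or the most-negative dividend with a -1 divisor, which are the cases where two implementations are most likely to disagree. A comment saying how those cases get covered, or a directed test alongside these patterns, would help. The commit message is also empty apart from the sign-off and could state which spec version the encodings follow.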
-- 
2.23.0




[PATCH 07/11] riscv: Generate payload scripts

2020-07-11 Thread LIU Zhiwei
In general, generate payload.
1. Setup memory for load/store instructions.
2. Initialize the registers.
3. Emit instructions according to instruction format description.

Specially, modify according to RISC-V ISA.
1. Support multi-precision by dividing fp registers into two groups.
2. Use $bytecount to locate special float point values.
3. Use x10 as the special register pointing to the memory block.

Signed-off-by: LIU Zhiwei 
---
 risugen_riscv.pm | 643 +++
 1 file changed, 643 insertions(+)
 create mode 100644 risugen_riscv.pm

diff --git a/risugen_riscv.pm b/risugen_riscv.pm
new file mode 100644
index 000..79f7a67
--- /dev/null
+++ b/risugen_riscv.pm
@@ -0,0 +1,643 @@
+#!/usr/bin/perl -w
+###
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+# Contributors:
+# LIU Zhiwei (T-Head) - RISC-V implementation
+# based on Peter Maydell (Linaro) - initial implementation
+###
+
+# risugen -- generate a test binary file for use with risu
+# See 'risugen --help' for usage information.
+package risugen_riscv;
+
+use strict;
+use warnings;
+
+use risugen_common;
+
+require Exporter;
+
+our @ISA= qw(Exporter);
+our @EXPORT = qw(write_test_code);
+
+my $periodic_reg_random = 1;
+my $is_rvc = 0; # are we currently in RVC mode?
+
+#
+# Maximum alignment restriction permitted for a memory op.
+my $MAXALIGN = 64;
+sub ctz($)
+{
+my ($imm) = @_;
+my $cnt = 0;
+
+if ($imm == 0) {
+return 0;
+}
+while (($imm & 1) == 0) {
+$cnt++;
+$imm = $imm >> 1;
+}
+return $cnt;
+}
+
+sub decode_li($)
+{
+my ($imm) = @_;
+my $cnt = 0;
+my $idx = 0;
+my $part = 0;
+my $next = 0;
+my %result;
+
+$next = $imm;
+# only one lui can not hold
+while ((($next >> 12) != sextract(($next >> 12) & 0xf, 20)) ||
+   (($next & 0xfff) != 0)) {
+# at the first time, just eat the least 12 bits
+if ($idx == 0) {
+$part = sextract($imm & 0xfff, 12);
+$result{"first"} = $part;
+} else {
+$imm = $imm - $part; # clear the part before it
+$cnt = ctz($imm); # add a shift
+$imm >>= $cnt;
+$part = sextract($imm & 0xfff, 12);
+$result{"mid"}{$idx}{"part"} = $part;
+$result{"mid"}{$idx}{"cnt"} = $cnt;
+$next = $imm - $part;
+}
+$idx++;
+}
+# output a lui
+$result{"lui"} =  sextract(($next >> 12) & 0xf, 20);
+return %result;
+}
+
+# li is implements as Myraid sequences, just the common way here
+sub write_mov_ri($$)
+{
+my ($rd, $imm) = @_;
+
+# sequence of li rd, 0x1234567887654321
+#
+#  0:   002471b7lui rd,0x247
+#  4:   8ad1819baddiw   rd,rd,-1875
+#  8:   00c19193sllird,rd,0xc
+#  c:   f1118193addird,rd,-239 # 0x246f11
+# 10:   00d19193sllird,rd,0xd
+# 14:   d9518193addird,rd,-619
+# 18:   00e19193sllird,rd,0xe
+# 1c:   32118193addird,rd,801
+my %result = decode_li($imm);
+
+my $len = keys %{$result{"mid"}};
+my $i = 0;
+
+# output the last lui
+insn32(0x0037 | $rd << 7 | $result{"lui"} << 12);
+# output the sequence of slli and addi
+foreach my $key (reverse sort keys %{$result{"mid"}}) {
+$i++;
+if ($i == 1) {
+# output the last addiw
+insn32(0x001b | $rd << 7 | $rd << 15 |
+   $result{"mid"}{$key}{"part"} << 20);
+# slli rd, rd, $result{"mid"}{$key}{"part"}
+insn32(0x1013 | $rd << 7 | $rd << 15 |
+   $result{"mid"}{$key}{"cnt"}  << 20);
+} else {
+insn32(0x0013 | $rd << 7 | $rd << 15 |
+   ($result{"mid"}{$key}{"part"} & 0xfff) << 20);
+# slli rd, rd, $result{"mid"}{$key}{"part"}
+insn32(0x1013 | $rd << 7 | $rd << 15 |
+   $result{"mid"}{$key}{"cnt"}  << 20);
+}
+}
+# addi rd, rd, $result{"first"}
+insn32(0x0013 | $rd << 7 | $rd << 15 | ($imm & 0xfff) << 20);
+}
+
+sub write_mov_rr($$)
+{
+my ($rd, $rs1) = @_;
+
+# addi $rd, $rs1, 0
+insn32(0x0013 | $rd << 7 | $rs1 << 15);
+}
+
+sub write_sub_rrr($$$)
+{
+my ($rd, $rs1, $rs2) = @_;
+
+# sub $rd, $rs1, $rs2
+insn32(0x4033 |$rd << 7 | $rs1 << 15 | $rs2 << 20);
+}
+
+my $OP_COMPARE = 0;# compare registers
+my $OP_TESTEND = 1;# end of test, stop
+my 
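
Review bot: in `write_mov_ri`, the `$i == 1` branch shifts `$result{"mid"}{$key}{"part"}` into the addiw immediate field without the `& 0xfff` mask that the else branch applies to the same value for addi. `part` comes from `sextract(..., 12)` and can be negative, so the unmasked shift sets bits above bit 31 of the word passed to `insn32`, which is harmless only if `insn32` truncates; masking in both branches removes the doubt. The comment above each slli names `{"part"}` where the field being encoded is `{"cnt"}`, `reverse sort keys` orders the numeric indices as strings (fine only while there are fewer than ten; `sort { $b <=> $a }` states the intent), and the comment "li is implements as Myraid sequences" needs its typos fixed.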

[PATCH 03/11] riscv: Add RV64A instructions description

2020-07-11 Thread LIU Zhiwei
Ensure $rs2 != $rs1, so that the $rs2 register's value
will not be covered when setting the $rs1 register's value to get
a valid address.

Signed-off-by: LIU Zhiwei 
---
 rv64.risu | 90 +++
 1 file changed, 90 insertions(+)

diff --git a/rv64.risu b/rv64.risu
index 2c4154e..ad5dee9 100644
--- a/rv64.risu
+++ b/rv64.risu
@@ -180,3 +180,93 @@ REMW RISCV 001 rs2:5 rs1:5 110 rd:5 0111011 \
 
 REMUW RISCV 001 rs2:5 rs1:5 111 rd:5 0111011 \
 !constraints { greg($rd) && greg($rs1) && greg($rs2); }
+
+@RV64A
+
+LR_W RISCV 00010 imm:2 0 rs1:5 010 rd:5 010 \
+!constraints { greg($rd) && gbase($rs1); } \
+!memory { align(4); reg($rs1, $rd); }
+
+SC_W RISCV 00011 imm:2 rs2:5 rs1:5 010 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(4); reg($rs1, $rd); }
+
+AMOSWAP_W  RISCV 1 imm:2 rs2:5 rs1:5 010 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(4); reg($rs1, $rd); }
+
+AMOADD_W   RISCV 0 imm:2 rs2:5 rs1:5 010 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(4); reg($rs1, $rd); }
+
+AMOXOR_W   RISCV 00100 imm:2 rs2:5 rs1:5 010 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(4); reg($rs1, $rd); }
+
+AMOAND_W   RISCV 01100 imm:2 rs2:5 rs1:5 010 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(4); reg($rs1, $rd); }
+
+AMOOR_WRISCV 01000 imm:2 rs2:5 rs1:5 010 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(4); reg($rs1, $rd); }
+
+AMOMIN_W   RISCV 1 imm:2 rs2:5 rs1:5 010 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(4); reg($rs1, $rd); }
+
+AMOMAX_W   RISCV 10100 imm:2 rs2:5 rs1:5 010 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(4); reg($rs1, $rd); }
+
+AMOMINU_W  RISCV 11000 imm:2 rs2:5 rs1:5 010 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(4); reg($rs1, $rd); }
+
+AMOMAXU_W  RISCV 11100 imm:2 rs2:5 rs1:5 010 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(4); reg($rs1, $rd); }
+
+LR_D   RISCV 00010 imm:2 0 rs1:5 011 rd:5 010 \
+!constraints { greg($rd) && gbase($rs1); } \
+!memory { align(8); reg($rs1, $rd); }
+
+SC_D   RISCV 00011 imm:2 rs2:5 rs1:5 011 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(8); reg($rs1, $rd); }
+
+AMOSWAP_D  RISCV 1 imm:2 rs2:5 rs1:5 011 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(8); reg($rs1, $rd); }
+
+AMOADD_D   RISCV 0 imm:2 rs2:5 rs1:5 011 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(8); reg($rs1, $rd); }
+
+AMOXOR_D   RISCV 00100 imm:2 rs2:5 rs1:5 011 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(8); reg($rs1, $rd); }
+
+AMOAND_D   RISCV 01100 imm:2 rs2:5 rs1:5 011 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(8); reg($rs1, $rd); }
+
+AMOOR_DRISCV 01000 imm:2 rs2:5 rs1:5 011 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(8); reg($rs1, $rd); }
+
+AMOMIN_D   RISCV 1 imm:2 rs2:5 rs1:5 011 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(8); reg($rs1, $rd); }
+
+AMOMAX_D   RISCV 10100 imm:2 rs2:5 rs1:5 011 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(8); reg($rs1, $rd); }
+
+AMOMINU_D  RISCV 11000 imm:2 rs2:5 rs1:5 011 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(8); reg($rs1, $rd); }
+
+AMOMAXU_D  RISCV 11100 imm:2 rs2:5 rs1:5 011 rd:5 010 \
+!constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
+!memory { align(8); reg($rs1, $rd); }
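
Review bot: SC_W and SC_D are generated as stand-alone patterns, so the value written to `$rd` depends on whether a reservation from some earlier LR happens to be live, and nothing in the constraints or the `!memory` block ties an SC to a preceding LR on the same address. If the success code can legitimately differ between the two sides being compared, these patterns will report mismatches that are not bugs; a comment on the expected outcome, or emitting LR and SC as a pair, would settle it. Minor style point: the `!constraints` lines for SC and the AMOs end in `}\` while the LR lines use `} \`.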
-- 
2.23.0




[PATCH 11/11] riscv: Add configure script

2020-07-11 Thread LIU Zhiwei
For RV64 risu, make CFLAGS="-march=rv64g"

Signed-off-by: LIU Zhiwei 
---
 configure  |   4 +-
 upstream/configure | 204 +
 2 files changed, 207 insertions(+), 1 deletion(-)
 create mode 100644 upstream/configure

diff --git a/configure b/configure
index ca2d7db..00624d3 100755
--- a/configure
+++ b/configure
@@ -58,6 +58,8 @@ guess_arch() {
 ARCH="m68k"
 elif check_define __powerpc64__ ; then
 ARCH="ppc64"
+elif check_define __riscv && check_define _LP64; then
+ARCH="riscv64"
 else
 echo "This cpu is not supported by risu. Try -h. " >&2
 exit 1
@@ -139,7 +141,7 @@ Some influential environment variables:
prefixed with the given string.
 
   ARCH force target architecture instead of trying to detect it.
-   Valid values=[arm|aarch64|ppc64|ppc64le|m68k]
+   Valid values=[arm|aarch64|ppc64|ppc64le|m68k|riscv64]
 
   CC   C compiler command
   CFLAGS   C compiler flags
diff --git a/upstream/configure b/upstream/configure
new file mode 100644
index 000..297cd3a
--- /dev/null
+++ b/upstream/configure
@@ -0,0 +1,204 @@
+#!/bin/sh
+# simple risu configure script
+#
+# Copyright (c) 2013 Linaro Limited
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+# Contributors:
+#  Claudio Fontana (Linaro) - initial implementation
+
+# Locate the directory where this configure script is
+SRCDIR="$(cd "$(dirname "$0")"; pwd)"
+
+# Temporary directory used for files created by this script.
+# Like autoconf (and like QEMU) we put this directory in the
+# build directory, which means we can just give it a fixed name and
+# blow it away when configure is run, and we don't need to jump
+# through complicated hoops to delete it when configure exits
+# abnormally (it may be useful for debug purposes on an
+# abnormal exit).
+tmp_dir="config-temp"
+rm -rf "$tmp_dir"
+mkdir -p "$tmp_dir"
+if [ $? -ne 0 ]; then
+echo "ERROR: could not create temporary directory"
+exit 1
+fi
+
+compile() {
+$CC $CFLAGS -c -o ${1}.o ${1}.c 2>/dev/null
+}
+
+link() {
+$LD $LDFLAGS -l${2} -o ${1} ${1}.o 2>/dev/null
+}
+
+check_define() {
+c=${tmp_dir}/check_define_${1}
+cat > ${c}.c <&2
+exit 1
+fi
+else
+echo "This cpu is not supported by risu. Try -h. " >&2
+exit 1
+fi
+}
+
+check_type() {
+c=${tmp_dir}/check_type_${1}
+cat > ${c}.c <
+#include 
+#include 
+#include 
+
+int main(void) { $1 thisone; return 0; }
+EOF
+compile $c
+}
+
+check_lib() {
+c=${tmp_dir}/check_lib${1}
+cat > ${c}.c <
+#include <$2.h>
+
+int main(void) { $3; return 0; }
+EOF
+compile $c && link $c $1
+}
+
+generate_config() {
+cfg=config.h
+echo "generating config.h..."
+
+echo "/* config.h - generated by the 'configure' script */" > $cfg
+echo "#ifndef CONFIG_H" >> $cfg
+echo "#define CONFIG_H 1" >> $cfg
+
+if check_lib z zlib "zlibVersion()"; then
+echo "#define HAVE_ZLIB 1" >> $cfg
+LDFLAGS=-lz
+fi
+
+echo "#endif /* CONFIG_H */" >> $cfg
+
+echo "...done"
+}
+
+generate_makefilein() {
+m=Makefile.in
+echo "generating Makefile.in..."
+
+echo "# Makefile.in - generated by the 'configure' script" > $m
+echo "ARCH:=${ARCH}" >> $m
+echo "CC:=${CC}" >> $m
+echo "CPPFLAGS:=${CPPFLAGS}" >> $m
+echo "LDFLAGS:=${LDFLAGS}" >> $m
+echo "AS:=${AS}" >> $m
+echo "OBJCOPY:=${OBJCOPY}" >> $m
+echo "OBJDUMP:=${OBJDUMP}" >> $m
+echo "STATIC:=${STATIC}" >> $m
+echo "SRCDIR:=${SRCDIR}" >> $m
+echo "BUILD_INC:=${BUILD_INC}" >> $m
+
+echo "...done"
+}
+
+usage() {
+cat <
+
+  AS   assembler command
+  OBJCOPY  object copy utility command
+  OBJDUMP  object dump utility command
+
+EOF
+}
+
+# STARTUP: entry point
+STATIC=""
+
+for opt do
+  case "$opt" in
+  --help | -h)
+  usage;
+  exit 0;;
+  --static | -s)
+  STATIC="-static"
+  ;;
+
+  esac
+done
+
+CC="${CC-${CROSS_PREFIX}gcc}"
+AS="${AS-${CROSS_PREFIX}as}"
+LD="${LD-${CROSS_PREFIX}ld}"
+OBJCOPY="${OBJCOPY-${CROSS_PREFIX}objcopy}"
+OBJDUMP="${OBJDUMP-${CROSS_PREFIX}objdump}"
+
+if test "x${ARCH}" = "x"; then
+guess_arch
+fi
+
+# Are we in a separate build tree? If so, link the Makefile
+# so that 'make' works.
+if test ! -e Makefile || test -s Makefile; then
+echo "linking Makefile..."
+BUILD_INC="-I $(pwd)"
+ln -sf "${SRCDIR}/Makefile" .
+fi
+
+generate_config
+generate_makefilein
+
+rm -r "$tmp_dir"
+
+echo "type 'make' to start the build"
+exit 0
+
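
Review bot: `upstream/configure` is added as a 204-line new file carrying the 2013 Linaro copyright header, yet the commit message only mentions `CFLAGS="-march=rv64g"`, and the small change to `configure` is what actually adds riscv64 detection. If this is a stray copy of the pre-patch script it should be dropped from the patch; if it is intended, the message should say what it is for, and its mode should match `configure` (100755 rather than 100644).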
-- 
2.23.0




[PATCH 06/11] riscv: Add RV64C instructions description

2020-07-11 Thread LIU Zhiwei
Make it a separate file, so that we can get subarch to recognize the
instruction length.

Signed-off-by: LIU Zhiwei 
---
 rv64c.risu | 97 ++
 1 file changed, 97 insertions(+)
 create mode 100644 rv64c.risu

diff --git a/rv64c.risu b/rv64c.risu
new file mode 100644
index 000..fdd8afb
--- /dev/null
+++ b/rv64c.risu
@@ -0,0 +1,97 @@
+# Input file for risugen defining RISC-V instructions
+.mode riscv.rv64c
+
+@RV64C
+
+# we borrow X11 to store stack register
+C_LWSP RISCV 010 imm5:1 rd:5 imm2:3 imm6:2 10 \
+!constraints { greg($rd) && $rd != 0 && $rd != 11; } \
+!memory { align(4); stack_plus_imm($imm5 * 32 + $imm2 * 4 + $imm6 * 64, $rd); }
+
+C_LDSP RISCV 011 imm5:1 rd:5 imm3:2 imm6:3 10 \
+!constraints { greg($rd) && $rd != 0 && $rd != 11; } \
+!memory { align(8); stack_plus_imm($imm5 * 32 + $imm3 * 8 + $imm6 * 64, $rd); }
+
+C_FLDSP RISCV 001 imm5:1 rd:5 imm3:2 imm6:3 10 \
+!memory { align(8); stack_plus_imm($imm5 * 32 + $imm3 * 8 + $imm6 * 64); }
+
+C_SWSP RISCV 110 imm2:4 imm6:2 rs2:5 10 \
+!constraints { greg($rs2) && $rs2 != 11; } \
+!memory { align(4); stack_plus_imm($imm2 * 4 + $imm6 * 64); }
+
+C_SDSP RISCV 111 imm3:3 imm6:3 rs2:5 10 \
+!constraints { greg($rs2) && $rs2 != 11; } \
+!memory { align(8); stack_plus_imm($imm3 * 8 + $imm6 * 64); }
+
+C_FSDSP RISCV 101 imm3:3 imm6:3 rs2:5 10 \
+!memory { align(8); stack_plus_imm($imm3 * 8 + $imm6 * 64); }
+
+# encode x11 into 0b011 in CL format
+C_LW RISCV 010 imm3:3 rs1:3 imm2:1 imm6:1 rd:3 00 \
+!memory { align(4); reg_plus_imm($rs1 + 8, $imm2 * 4 + $imm3 * 8 + $imm6 * 64, 
$rd + 8); }
+
+C_LD RISCV 011 imm3:3 rs1:3 imm6:2 rd:3 00 \
+!memory { align(8); reg_plus_imm($rs1 + 8, $imm3 * 8 + $imm6 * 64, $rd + 8); }
+
+C_FLD RISCV 001 imm3:3 rs1:3 imm6:2 rd:3 00 \
+!memory { align(8); reg_plus_imm($rs1 + 8, $imm3 * 8 + $imm6 * 64); }
+
+C_SW RISCV 110 imm3:3 rs1:3 imm2:1 imm6:1 rs2:3 00 \
+!constraints { $rs2 != $rs1; } \
+!memory { align(4); reg_plus_imm($rs1 + 8, $imm2 * 4 + $imm3 * 8 + $imm6 * 
64); }
+
+C_SD RISCV 111 imm3:3 rs1:3 imm6:2 rs2:3 00 \
+!constraints { $rs2 != $rs1; } \
+!memory { align(8); reg_plus_imm($rs1 + 8, $imm3 * 8 + $imm6 * 64); }
+
+C_FSD RISCV 101 imm3:3 rs1:3 imm6:2 rs2:3 00 \
+!memory { align(8); reg_plus_imm($rs1 + 8, $imm3 * 8 + $imm6 * 64); }
+
+C_LI RISCV 010 imm5:1 rd:5 imm:5 01 \
+!constraints { gbase($rd); }
+
+C_LUI RISCV 011 imm17:1 rd:5 imm12:5 01 \
+!constraints { gbase($rd) && ($imm17 != 0 || $imm12 != 0); }
+
+C_ADDI RISCV 000 imm5:1 rd:5 imm:5 01 \
+!constraints { gbase($rd) && ($imm5 != 0 || $imm != 0); }
+
+C_ADDIW RISCV 001 imm5:1 rd:5 imm:5 01 \
+!constraints { gbase($rd); }
+
+# Todo C_ADDI16SP, as it need stack as destination
+# Move sp to aother register through the memory address function.
+
+# C_ADDI4SPN RISCV 000 imm4:2 imm6:4 imm2:1 imm3:1 rd:3 00 \
+# !constraints { $imm4 != 0 || $imm6 != 0 || $imm2 != 0 || $imm3 != 0; }
+
+C_SLLI RISCV 000 shamt5:1 rd:5 shamt:5 10 \
+!constraints { gbase($rd) && ($shamt5 != 0 || $shamt != 0); }
+
+C_SRLI RISCV 100 shamt5:1 00 rd:3 shamt:5 01 \
+!constraints { ($shamt5 != 0 || $shamt != 0); }
+
+C_SRAI RISCV 100 shamt5:1 01 rd:3 shamt:5 01 \
+!constraints { ($shamt5 != 0 || $shamt != 0); }
+
+C_ANDI RISCV 100 imm5:1 10 rd:3 imm:5 01
+
+C_MV RISCV 100 0 rd:5 rs2:5 10 \
+!constraints { gbase($rd) && gbase($rs2); }
+
+C_ADD RISCV 100 1 rd:5 rs2:5 10 \
+!constraints { gbase($rd) && gbase($rs2); }
+
+C_AND RISCV 100 0 11 rd:3 11 rs2:3 01
+
+C_OR RISCV 100 0 11 rd:3 10 rs2:3 01
+
+C_XOR RISCV 100 0 11 rd:3 01 rs2:3 01
+
+C_SUB RISCV 100 0 11 rd:3 01 rs2:3 01
+
+C_SUBW RISCV 100 1 11 rd:3 00 rs2:3 01
+
+C_ADDW RISCV 100 1 11 rd:3 01 rs2:3 01
+
+C_NOP RISCV 0001
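
Review bot: `C_SUB` is given exactly the same bit pattern as `C_XOR` two entries above it (`100 0 11 rd:3 01 rs2:3 01`), so C.SUB is never generated and C.XOR is listed twice. In the RVC encoding the two-bit field between `rd:3` and `rs2:3` is 00 for C.SUB, the same way `C_SUBW` (00) and `C_ADDW` (01) differ just below. The Todo comment also has a typo ("aother").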
-- 
2.23.0




[PATCH 00/11] RISC-V risu porting

2020-07-11 Thread LIU Zhiwei
In contrast to the RFC, add more instructions description. Now it supports
RV64IMACFD. Some cross verifications have been done, such as comparison
between QEMU and TinyEMU, and comparison between QEMU and C906 FPGA.

Now it has some productive.

Features:
* support RV64IMACFD.
* support multi-precision float point.
* support accurate special values generation.

Todo:
* support RVV and RVP.


LIU Zhiwei (11):
  riscv: Add RV64I instructions description
  riscv: Add RV64M instructions description
  riscv: Add RV64A instructions description
  riscv: Add RV64F instructions description
  riscv: Add RV64D instructions description
  riscv: Add RV64C instructions description
  riscv: Generate payload scripts
  riscv: Add standard test case
  riscv: Define riscv struct reginfo
  riscv: Implement payload load interfaces
  riscv: Add configure script

 configure  |   4 +-
 risu_reginfo_riscv64.c | 132 +
 risu_reginfo_riscv64.h |  28 ++
 risu_riscv64.c |  47 +++
 risugen_riscv.pm   | 643 +
 rv64.risu  | 466 +
 rv64c.risu |  97 +++
 test_riscv64.s |  85 ++
 upstream/configure | 204 +
 9 files changed, 1705 insertions(+), 1 deletion(-)
 create mode 100644 risu_reginfo_riscv64.c
 create mode 100644 risu_reginfo_riscv64.h
 create mode 100644 risu_riscv64.c
 create mode 100644 risugen_riscv.pm
 create mode 100644 rv64.risu
 create mode 100644 rv64c.risu
 create mode 100644 test_riscv64.s
 create mode 100644 upstream/configure

-- 
2.23.0




[PATCH 10/11] riscv: Implement payload load interfaces

2020-07-11 Thread LIU Zhiwei
When a risu op emits, the signal handler will take over execution before
running the payload again.

The signal handler needs some interfaces, such as setting struct reginfo
and the comparison of struct reginfo.

Signed-off-by: LIU Zhiwei 
---
 risu_reginfo_riscv64.c | 132 +
 risu_riscv64.c |  47 +++
 2 files changed, 179 insertions(+)
 create mode 100644 risu_reginfo_riscv64.c
 create mode 100644 risu_riscv64.c

diff --git a/risu_reginfo_riscv64.c b/risu_reginfo_riscv64.c
new file mode 100644
index 000..763001f
--- /dev/null
+++ b/risu_reginfo_riscv64.c
@@ -0,0 +1,132 @@
+/**
+ * Copyright (c) 2020 T-Head Semiconductor Co., Ltd.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * LIU Zhiwei (T-Head) - initial implementation
+ * based on Peter Maydell's risu_arm.c
+ */
+
+#include 
+#include 
+#include 
+#include  /* for FPSIMD_MAGIC */
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include "risu.h"
+#include "risu_reginfo_riscv64.h"
+
+const struct option * const arch_long_opts;
+const char * const arch_extra_help;
+
+void process_arch_opt(int opt, const char *arg)
+{
+abort();
+}
+
+const int reginfo_size(void)
+{
+return sizeof(struct reginfo);
+}
+
+/* reginfo_init: initialize with a ucontext */
+void reginfo_init(struct reginfo *ri, ucontext_t *uc)
+{
+int i;
+union __riscv_mc_fp_state *fp;
+/* necessary to be able to compare with memcmp later */
+memset(ri, 0, sizeof(*ri));
+
+for (i = 0; i < 32; i++) {
+ri->regs[i] = uc->uc_mcontext.__gregs[i];
+}
+
+ri->regs[2] = 0xdeadbeefdeadbeef;
+ri->regs[3] = 0xdeadbeefdeadbeef;
+ri->regs[4] = 0xdeadbeefdeadbeef;
+ri->pc = uc->uc_mcontext.__gregs[0] - image_start_address;
+ri->regs[0] = ri->pc;
+ri->faulting_insn = *((uint32_t *) uc->uc_mcontext.__gregs[0]);
+fp = >uc_mcontext.__fpregs;
+#if __riscv_flen == 64
+ri->fcsr = fp->__d.__fcsr;
+
+for (i = 0; i < 32; i++) {
+ri->fregs[i] = fp->__d.__f[i];
+}
+#else
+# error "Unsupported fp length"
+#endif
+}
+
+/* reginfo_is_eq: compare the reginfo structs, returns nonzero if equal */
+int reginfo_is_eq(struct reginfo *r1, struct reginfo *r2)
+{
+return memcmp(r1, r2, reginfo_size()) == 0;
+}
+
+/* reginfo_dump: print state to a stream, returns nonzero on success */
+int reginfo_dump(struct reginfo *ri, FILE * f)
+{
+int i;
+fprintf(f, "  faulting insn %08x\n", ri->faulting_insn);
+
+for (i = 1; i < 32; i++) {
+fprintf(f, "  X%-2d: %016" PRIx64 "\n", i, ri->regs[i]);
+}
+
+fprintf(f, "  pc : %016" PRIx64 "\n", ri->pc);
+fprintf(f, "  fcsr   : %08x\n", ri->fcsr);
+
+for (i = 0; i < 32; i++) {
+fprintf(f, "  F%-2d: %016" PRIx64 "\n", i, ri->fregs[i]);
+}
+
+return !ferror(f);
+}
+
+/* reginfo_dump_mismatch: print mismatch details to a stream, ret nonzero=ok */
+int reginfo_dump_mismatch(struct reginfo *m, struct reginfo *a, FILE * f)
+{
+int i;
+fprintf(f, "mismatch detail (master : apprentice):\n");
+if (m->faulting_insn != a->faulting_insn) {
+fprintf(f, "  faulting insn mismatch %08x vs %08x\n",
+m->faulting_insn, a->faulting_insn);
+}
+for (i = 1; i < 32; i++) {
+if (m->regs[i] != a->regs[i]) {
+fprintf(f, "  X%-2d: %016" PRIx64 " vs %016" PRIx64 "\n",
+i, m->regs[i], a->regs[i]);
+}
+}
+
+if (m->pc != a->pc) {
+fprintf(f, "  pc : %016" PRIx64 " vs %016" PRIx64 "\n",
+m->pc, a->pc);
+}
+
+if (m->fcsr != a->fcsr) {
+fprintf(f, "  fcsr   : %08x vs %08x\n", m->fcsr, a->fcsr);
+}
+
+for (i = 0; i < 32; i++) {
+if (m->fregs[i] != a->fregs[i]) {
+fprintf(f, "  F%-2d: "
+"%016" PRIx64 " vs "
+"%016" PRIx64 "\n", i,
+(uint64_t) m->fregs[i],
+(uint64_t) a->fregs[i]);
+}
+}
+
+return !ferror(f);
+}
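
Review bot: `reginfo_init` fills `faulting_insn` with a 32-bit load from the faulting pc, but the series also adds compressed (rv64c) payloads, where the instruction at pc is 16 bits wide and the upper half of the loaded word belongs to whatever follows it. Two runs can then differ in `faulting_insn` for reasons unrelated to the instruction under test; reading 16 bits first and fetching the second half only when the low two bits are 11 avoids that. The `/* for FPSIMD_MAGIC */` comment in the include list is left over from another architecture, and the `const` on the `int` return type of `reginfo_size` has no effect.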
diff --git a/risu_riscv64.c b/risu_riscv64.c
new file mode 100644
index 000..06dbb2d
--- /dev/null
+++ b/risu_riscv64.c
@@ -0,0 +1,47 @@
+/**
+ * Copyright (c) 2020 T-Head Semiconductor Co., Ltd.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ *  

[PATCH 04/11] riscv: Add RV64F instructions description

2020-07-11 Thread LIU Zhiwei
For supporting multi-precision, split all 32 fp registers into two groups.
The RV64F instructions will use only 16 fp registers selected by gfp32().

Signed-off-by: LIU Zhiwei 
---
 rv64.risu | 94 +++
 1 file changed, 94 insertions(+)

diff --git a/rv64.risu b/rv64.risu
index ad5dee9..0dcc9a1 100644
--- a/rv64.risu
+++ b/rv64.risu
@@ -270,3 +270,97 @@ AMOMINU_D  RISCV 11000 imm:2 rs2:5 rs1:5 011 rd:5 010 \
 AMOMAXU_D  RISCV 11100 imm:2 rs2:5 rs1:5 011 rd:5 010 \
 !constraints { greg($rd) && greg($rs2) && gbase($rs1) && $rs2 != $rs1; }\
 !memory { align(8); reg($rs1, $rd); }
+
+@RV64F
+
+FLW RISCV imm:12 rs1:5 010 rd:5 111 \
+!constraints { gbase($rs1) && gfp32($rd); } \
+!memory { align(4); reg_plus_imm($rs1, sextract($imm, 12)); }
+
+FSW RISCV imm5:7 rs2:5 rs1:5 010 imm:5 0100111 \
+!constraints { gbase($rs1) && gfp32($rs2); } \
+!memory { align(4); reg_plus_imm($rs1, sextract($imm5 << 5 | $imm, 12)); }
+
+FMADD_S RISCV rs3:5 00 rs2:5 rs1:5 rm:3 rd:5 111 \
+!constraints { gfp32($rs1) && gfp32($rs2) && gfp32($rd) && grm($rm); }
+
+FMSUB_S RISCV rs3:5 00 rs2:5 rs1:5 rm:3 rd:5 1000111 \
+!constraints { gfp32($rs1) && gfp32($rs2) && gfp32($rd) && grm($rm); }
+
+FNMSUB_S RISCV rs3:5 00 rs2:5 rs1:5 rm:3 rd:5 1001011 \
+!constraints { gfp32($rs1) && gfp32($rs2) && gfp32($rd) && grm($rm); }
+
+FNMADD_S RISCV rs3:5 00 rs2:5 rs1:5 rm:3 rd:5 100 \
+!constraints { gfp32($rs1) && gfp32($rs2) && gfp32($rd) && grm($rm); }
+
+FADD_S RISCV 000 rs2:5 rs1:5 rm:3 rd:5 1010011 \
+!constraints { gfp32($rs1) && gfp32($rs2) && gfp32($rd) && grm($rm); }
+
+FSUB_S RISCV 100 rs2:5 rs1:5 rm:3 rd:5 1010011 \
+!constraints { gfp32($rs1) && gfp32($rs2) && gfp32($rd) && grm($rm); }
+
+FMUL_S RISCV 0001000 rs2:5 rs1:5 rm:3 rd:5 1010011 \
+!constraints { gfp32($rs1) && gfp32($rs2) && gfp32($rd) && grm($rm); }
+
+FDIV_S RISCV 0001100 rs2:5 rs1:5 rm:3 rd:5 1010011 \
+!constraints { gfp32($rs1) && gfp32($rs2) && gfp32($rd) && grm($rm); }
+
+FSQRT_S RISCV 0101100 0  rs1:5 rm:3 rd:5 1010011 \
+!constraints { gfp32($rs1) && gfp32($rd) && grm($rm); }
+
+FSGNJ_S RISCV 001 rs2:5  rs1:5 000 rd:5 1010011 \
+!constraints { gfp32($rs1) && gfp32($rs2) && gfp32($rd); }
+
+FSGNJN_S RISCV 001 rs2:5  rs1:5 001 rd:5 1010011 \
+!constraints { gfp32($rs1) && gfp32($rs2) && gfp32($rd); }
+
+FSGNJX_S RISCV 001 rs2:5  rs1:5 010 rd:5 1010011 \
+!constraints { gfp32($rs1) && gfp32($rs2) && gfp32($rd); }
+
+FMIN_S RISCV 0010100 rs2:5  rs1:5 000 rd:5 1010011 \
+!constraints { gfp32($rs1) && gfp32($rs2) && gfp32($rd); }
+
+FMAX_S RISCV 0010100 rs2:5  rs1:5 001 rd:5 1010011 \
+!constraints { gfp32($rs1) && gfp32($rs2) && gfp32($rd); }
+
+FCVT_W_S RISCV 110 0 rs1:5 rm:3 rd:5 1010011 \
+!constraints { greg($rd) && gfp32($rs1) && grm($rm); }
+
+FCVT_WU_S RISCV 110 1 rs1:5 rm:3 rd:5 1010011 \
+!constraints { greg($rd) && gfp32($rs1) && grm($rm); }
+
+FMV_X_W RISCV 111 0 rs1:5 000 rd:5 1010011 \
+!constraints { greg($rd) && gfp32($rs1); }
+
+FEQ_S RISCV 101 rs2:5 rs1:5 010 rd:5 1010011 \
+!constraints { greg($rd) && gfp32($rs1) && gfp32($rs2); }
+
+FLT_S RISCV 101 rs2:5 rs1:5 001 rd:5 1010011 \
+!constraints { greg($rd) && gfp32($rs1) && gfp32($rs2); }
+
+FLE_S RISCV 101 rs2:5 rs1:5 000 rd:5 1010011 \
+!constraints { greg($rd) && gfp32($rs1) && gfp32($rs2); }
+
+FCLASS_S RISCV 111 0 rs1:5 001 rd:5 1010011 \
+!constraints { greg($rd) && gfp32($rs1); }
+
+FCVT_S_W RISCV 1101000 0 rs1:5 rm:3 rd:5 1010011 \
+!constraints { greg($rs1) && gfp32($rd) && grm($rm); }
+
+FCVT_S_WU RISCV 1101000 1 rs1:5 rm:3 rd:5 1010011 \
+!constraints { greg($rs1) && gfp32($rd) && grm($rm); }
+
+FMV_W_X RISCV 000 0 rs1:5 000 rd:5 1010011 \
+!constraints { greg($rs1) && gfp32($rd); }
+
+FCVT_L_S RISCV 110 00010 rs1:5 rm:3 rd:5 1010011 \
+!constraints { greg($rd) && gfp32($rs1) && grm($rm); }
+
+FCVT_LU_S RISCV 110 00011 rs1:5 rm:3 rd:5 1010011 \
+!constraints { greg($rd) && gfp32($rs1) && grm($rm);  }
+
+FCVT_S_L RISCV 1101000 00010 rs1:5 rm:3 rd:5 1010011 \
+!constraints { greg($rs1) && gfp32($rd) && grm($rm); }
+
+FCVT_S_LU RISCV 1101000 00011 rs1:5 rm:3 rd:5 1010011 \
+!constraints { greg($rs1) && gfp32($rd) && grm($rm); }
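
Review bot: the four fused patterns (FMADD_S, FMSUB_S, FNMSUB_S, FNMADD_S) apply `gfp32()` to `$rs1`, `$rs2` and `$rd` but not to `$rs3`, so the third source can be any of the 32 fp registers. That contradicts the commit message's statement that RV64F instructions use only the 16 registers selected by `gfp32()`. Adding `gfp32($rs3)` to those four constraint lines closes the gap.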
-- 
2.23.0




Re: [PULL 10/41] python/qemu: Add ConsoleSocket for optional use in QEMUMachine

2020-07-11 Thread Robert Foley
Hi,
Thanks for the detailed feedback!  I will look at making these changes.

On Fri, 10 Jul 2020 at 15:20, John Snow  wrote:
>
>
>
> On 7/7/20 3:08 AM, Alex Bennée wrote:
> > From: Robert Foley 
> >
>

> > +def recv(self, n=1, sleep_delay_s=0.1):
> > +"""Return chars from in memory buffer"""
> > +start_time = time.time()
> > +while len(self._buffer) < n:
> > +time.sleep(sleep_delay_s)
> > +elapsed_sec = time.time() - start_time
> > +if elapsed_sec > self._recv_timeout_sec:
> > +raise socket.timeout
> > +chars = ''.join([self._buffer.popleft() for i in range(n)])
> > +# We choose to use latin1 to remain consistent with
> > +# handle_read() and give back the same data as the user would
> > +# receive if they were reading directly from the
> > +# socket w/o our intervention.
> > +return chars.encode("latin1")
> > +
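
Review bot: `recv` loops until `len(self._buffer)` reaches `n` and raises `socket.timeout` otherwise, so a caller asking for more bytes than the guest has printed waits out the full timeout and gets nothing, where a plain socket `recv` returns whatever is available up to the requested size. If the method is meant to stand in for the socket's `recv`, returning up to `n` bytes once at least one is buffered would match that; if the all-or-timeout behaviour is intended, the docstring should say so.
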
>
> console_socket.py:89:4: W0221: Parameters differ from overridden 'recv'
> method (arguments-differ)
>
> Seems pretty different from the asyncore.dispatcher recv method, is that
> intentional?

The intention is that the API be the same as asyncore.dispatcher recv.
The sleep_delay_s can be removed, and n is the same as buffer_size in
asyncore.dispatcher recv.  Will plan to rename n -> buffer_size.

> https://github.com/python/cpython/blob/master/Lib/asyncore.py
>

> >  def __enter__(self):
> >  return self
> > @@ -580,7 +591,11 @@ class QEMUMachine:
> >  Returns a socket connected to the console
> >  """
> >  if self._console_socket is None:
> > -self._console_socket = socket.socket(socket.AF_UNIX,
> > - socket.SOCK_STREAM)
> > -self._console_socket.connect(self._console_address)
> > +if self._drain_console:
> > +self._console_socket = ConsoleSocket(self._console_address,
> > +
> > file=self._console_log_path)
>
> Needs one more space, but the line is already too long as-is.
>
> > +else:
> > +self._console_socket = socket.socket(socket.AF_UNIX,
> > + socket.SOCK_STREAM)
> > +self._console_socket.connect(self._console_address)
> >  return self._console_socket
> >
>
> This makes the typing for _console_socket really tough ... but
> technically not a regression as the mypy code isn't merged yet.

From the comment on mypy, I understand that we need to return a
constant type?

One option to provide a constant type is to simply always return
ConsoleSocket here.

A few changes would be needed inside of ConsoleSocket,
but essentially ConsoleSocket would handle the detail
of draining the console (or not), and thus eliminate this
if/else above reducing it to something like this:

self._console_socket = ConsoleSocket(self._console_address,
 file=self._console_log_path,
 drain=self._drain_console)

How does this sound?

Thanks & Regards,
-Rob

>
> --js
>



Re: [PATCH v2 2/2] hw/riscv: sifive_u: Provide a reliable way for bootloader to detect whether it is running in QEMU

2020-07-11 Thread Alistair Francis
On Thu, Jul 9, 2020 at 5:50 PM Bin Meng  wrote:
>
> Hi Palmer,
>
> On Fri, Jul 10, 2020 at 8:45 AM Palmer Dabbelt wrote:
> >
> > On Thu, 09 Jul 2020 15:09:18 PDT (-0700), alistai...@gmail.com wrote:
> > > On Thu, Jul 9, 2020 at 3:07 AM Bin Meng  wrote:
> > >>
> > >> From: Bin Meng 
> > >>
> > >> The reset vector codes are subject to change, e.g.: with recent
> > >> fw_dynamic type image support, it breaks oreboot again.
> > >
> > > This is a recurring problem, I have another patch for Oreboot to fix
> > > the latest breakage.
> > >
> > >>
> > >> Add a subregion in the MROM, with the size of machine RAM stored,
> > >> so that we can provide a reliable way for bootloader to detect
> > >> whether it is running in QEMU.
> > >
> > > I don't really like this though. I would prefer that we don't
> > > encourage guest software to behave differently on QEMU. I don't think
> > > other upstream boards do this.
> >
> > I agree.  If you want an explicitly virtual board, use the virt board.  Users
> > of sifive_u are presumably trying to do their best to test against what the
> > hardware does without actually using the hardware.  Otherwise there should be
> > no reason to use the sifive_u board, as it's just sticking a layer of
> > complexity in the middle of everything.
>
> Understood. Then let's drop this patch.
>
> >
> > > Besides Oreboot setting up the clocks are there any other users of this?
> >
> > IIRC we have a scheme for handling the clock setup in QEMU where we accept
> > pretty much any control write and then just return reads that say the PLLs have
> > locked.  I'd be in favor of improving the scheme to improve compatibility with
> > the actual hardware, but adding some way for programs to skip the clocks
> > because they know they're in QEMU seems like the wrong way to go.
> >
>
> Yep, that's my question to Oreboot too.
>
> U-Boot SPL can boot with QEMU and no problem was seen with clock
> settings in PRCI model in QEMU.

I don't think it's an unsolvable problem. There is just little work on
Oreboot to run on QEMU. I can dig into it a bit and see if I can find
a better fix on the Oreboot side.

Alistair

>
> Regards,
> Bin



Re: [PATCH v2 2/2] hw/riscv: sifive_u: Provide a reliable way for bootloader to detect whether it is running in QEMU

2020-07-11 Thread Alistair Francis
On Thu, Jul 9, 2020 at 5:48 PM Bin Meng  wrote:
>
> Hi Alistair,
>
> On Fri, Jul 10, 2020 at 6:19 AM Alistair Francis  wrote:
> >
> > On Thu, Jul 9, 2020 at 3:07 AM Bin Meng  wrote:
> > >
> > > From: Bin Meng 
> > >
> > > The reset vector codes are subject to change, e.g.: with recent
> > > fw_dynamic type image support, it breaks oreboot again.
> >
> > This is a recurring problem, I have another patch for Oreboot to fix
> > the latest breakage.
> >
>
> Can Oreboot be updated to remove the QEMU detection?

In general I think it should be.

Right now it's not critical to do. I think from a QEMU perspective we
have finished changing the "ROM" code so after this release we can
update Oreboot and then it should settle down again.

>
> > >
> > > Add a subregion in the MROM, with the size of machine RAM stored,
> > > so that we can provide a reliable way for bootloader to detect
> > > whether it is running in QEMU.
> >
> > I don't really like this though. I would prefer that we don't
> > encourage guest software to behave differently on QEMU. I don't think
> > other upstream boards do this.
> >
> > Besides Oreboot setting up the clocks are there any other users of this?
>
> I don't really have any specific reason, except for testing U-Boot SPL
> by relaxing the requirement of hardcoding the memory to 8G "-m 8G" as
> I indicated in the commit message below:

Yeah, I think that's just something we will have to deal with. If the
guest expects 8GB and doesn't check the device tree passed to it then
the user has to create 8GB of memory.

Alistair

>
> commit 3eaea6eb4e534f7b87c6eca808149bb671976800
> Author: Bin Meng 
> Date:   Mon Jun 15 17:50:41 2020 -0700
>
> hw/riscv: sifive_u: Add a dummy DDR memory controller device
>
> It is enough to simply map the SiFive FU540 DDR memory controller
> into the MMIO space using create_unimplemented_device(), to make
> the upstream U-Boot v2020.07 DDR memory initialization codes happy.
>
> Note we do not generate device tree fragment for the DDR memory
> controller. Since the controller data in device tree consumes a
> very large space (see fu540-hifive-unleashed-a00-ddr.dtsi in the
> U-Boot source), and it is only needed by U-Boot SPL but not any
> operating system, we choose not to generate the fragment here.
> This also means when testing with U-Boot SPL, the device tree has
> to come from U-Boot SPL itself, but not the one generated by QEMU
> on the fly. The memory has to be set to 8GiB to match the real
> HiFive Unleashed board when invoking QEMU (-m 8G).
>
> Cc'ing Pragnesh and Sagar as they wanted to test U-Boot SPL with QEMU
> and talked to me the other day.
>
> Regards,
> Bin



Re: [PULL 0/1] 9p fixes for 5.1 2020-07-10

2020-07-11 Thread Peter Maydell
On Fri, 10 Jul 2020 at 17:35, Greg Kurz  wrote:
>
> The following changes since commit b6d7e9b66f59ca6ebc6e9b830cd5e7bf849d31cf:
>
>   Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' into staging (2020-07-10 09:01:28 +0100)
>
> are available in the Git repository at:
>
>   https://github.com/gkurz/qemu.git tags/9p-fix-2020-07-10
>
> for you to fetch changes up to 353b5a91ccf2789b85967d19a8795816b8865562:
>
>   9p: null terminate fs driver options list (2020-07-10 12:48:06 +0200)
>
> 
> Add missing NULL terminating element in fsdev option lists. Never
> crashed QEMU by pure luck.
>
> 
> Prasad J Pandit (1):
>   9p: null terminate fs driver options list
>
>  fsdev/qemu-fsdev.c | 3 +++
>  1 file changed, 3 insertions(+)
> --


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/5.1
for any user-visible changes.

-- PMM



[PATCH] hw/timer/renesas_tmr.c cleanup read operation.

2020-07-11 Thread Yoshinori Sato
Cleanup read operation.
This module different return of access size.

Signed-off-by: Yoshinori Sato 
---
 hw/timer/renesas_tmr.c | 106 ++---
 1 file changed, 57 insertions(+), 49 deletions(-)

diff --git a/hw/timer/renesas_tmr.c b/hw/timer/renesas_tmr.c
index 446f2eacdd..d7b21edf39 100644
--- a/hw/timer/renesas_tmr.c
+++ b/hw/timer/renesas_tmr.c
@@ -187,59 +187,67 @@ static uint64_t tmr_read(void *opaque, hwaddr addr, 
unsigned size)
   addr);
 return UINT64_MAX;
 }
-switch (addr & 0x0e) {
-case A_TCR:
-ret = 0;
-ret = FIELD_DP8(ret, TCR, CCLR,
-FIELD_EX8(tmr->tcr[ch], TCR, CCLR));
-ret = FIELD_DP8(ret, TCR, OVIE,
-FIELD_EX8(tmr->tcr[ch], TCR, OVIE));
-ret = FIELD_DP8(ret, TCR, CMIEA,
-FIELD_EX8(tmr->tcr[ch], TCR, CMIEA));
-ret = FIELD_DP8(ret, TCR, CMIEB,
-FIELD_EX8(tmr->tcr[ch], TCR, CMIEB));
-return ret;
-case A_TCSR:
-ret = 0;
-ret = FIELD_DP8(ret, TCSR, OSA,
-FIELD_EX8(tmr->tcsr[ch], TCSR, OSA));
-ret = FIELD_DP8(ret, TCSR, OSB,
-FIELD_EX8(tmr->tcsr[ch], TCSR, OSB));
-switch (ch) {
-case 0:
-ret = FIELD_DP8(ret, TCSR, ADTE,
-FIELD_EX8(tmr->tcsr[ch], TCSR, ADTE));
-break;
-case 1: /* CH1 ADTE unimplement always 1 */
-ret = FIELD_DP8(ret, TCSR, ADTE, 1);
-break;
-}
-return ret;
-case A_TCORA:
-if (size == 1) {
+switch (size) {
+case 1:
+switch (addr & 0x0e) {
+case A_TCR:
+ret = 0;
+ret = FIELD_DP8(ret, TCR, CCLR,
+FIELD_EX8(tmr->tcr[ch], TCR, CCLR));
+ret = FIELD_DP8(ret, TCR, OVIE,
+FIELD_EX8(tmr->tcr[ch], TCR, OVIE));
+ret = FIELD_DP8(ret, TCR, CMIEA,
+FIELD_EX8(tmr->tcr[ch], TCR, CMIEA));
+ret = FIELD_DP8(ret, TCR, CMIEB,
+FIELD_EX8(tmr->tcr[ch], TCR, CMIEB));
+return ret;
+case A_TCSR:
+ret = 0;
+ret = FIELD_DP8(ret, TCSR, OSA,
+FIELD_EX8(tmr->tcsr[ch], TCSR, OSA));
+ret = FIELD_DP8(ret, TCSR, OSB,
+FIELD_EX8(tmr->tcsr[ch], TCSR, OSB));
+switch (ch) {
+case 0:
+ret = FIELD_DP8(ret, TCSR, ADTE,
+FIELD_EX8(tmr->tcsr[ch], TCSR, ADTE));
+break;
+case 1: /* CH1 ADTE unimplement always 1 */
+ret = FIELD_DP8(ret, TCSR, ADTE, 1);
+break;
+}
+return ret;
+case A_TCORA:
 return tmr->tcora[ch];
-} else if (ch == 0) {
-return concat_reg(tmr->tcora);
-}
-case A_TCORB:
-if (size == 1) {
+case A_TCORB:
 return tmr->tcorb[ch];
-} else {
-return concat_reg(tmr->tcorb);
-}
-case A_TCNT:
-return read_tcnt(tmr, size, ch);
-case A_TCCR:
-if (size == 1) {
+case A_TCNT:
+return read_tcnt(tmr, size, ch);
+case A_TCCR:
 return read_tccr(tmr->tccr[ch]);
-} else {
-return read_tccr(tmr->tccr[0]) << 8 | read_tccr(tmr->tccr[1]);
+default:
+qemu_log_mask(LOG_UNIMP, "renesas_tmr: Register 0x%" HWADDR_PRIX
+  " not implemented\n",
+  addr);
+break;
+}
+case 2:
+switch (addr) {
+case A_TCORA:
+return concat_reg(tmr->tcora);
+case A_TCORB:
+return concat_reg(tmr->tcora);
+case A_TCNT:
+return read_tcnt(tmr, size, ch);
+case A_TCCR:
+return read_tccr(tmr->tccr[ch]) << 8 | read_tccr(tmr->tccr[1]);
+default:
+qemu_log_mask(LOG_GUEST_ERROR,
+  "renesas_tmr: Register 0x%" HWADDR_PRIX
+  " invalid access size\n",
+  addr);
+break;
 }
-default:
-qemu_log_mask(LOG_UNIMP, "renesas_tmr: Register 0x%" HWADDR_PRIX
- " not implemented\n",
-  addr);
-break;
 }
 return UINT64_MAX;
 }
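Review bot: in the new `case 2:` arm, `case A_TCORB:` returns `concat_reg(tmr->tcora)` where the removed code returned `concat_reg(tmr->tcorb)`, and `case A_TCCR:` reads `tmr->tccr[ch]` for the high byte where the removed code read `tmr->tccr[0]`; both look like copy-and-paste slips that change what a 16-bit read returns, so please restore `tcorb` and `tccr[0]`. The inner switch under `case 1:` ends its `default:` with `break` but there is no `break` after its closing brace, so an unimplemented 8-bit register falls through into `case 2:` and can log a second, misleading "invalid access size" message. The 16-bit arm also switches on `addr` while the 8-bit arm switches on `addr & 0x0e`; if that difference is intended a short comment would help, and the outer `switch (size)` would benefit from a `default:` that logs any other access size.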
-- 
2.20.1




QEMU | Pipeline #165534352 has failed for master | 82793715

2020-07-11 Thread GitLab via


Your pipeline has failed.

Project: QEMU ( https://gitlab.com/qemu-project/qemu )
Branch: master ( https://gitlab.com/qemu-project/qemu/-/commits/master )

Commit: 82793715 ( https://gitlab.com/qemu-project/qemu/-/commit/827937158b72ce2265841ff528bba3c44a1bfbc8 )
Commit Message: Merge remote-tracking branch 'remotes/aperard/t...
Commit Author: Peter Maydell ( https://gitlab.com/pm215 )

Pipeline #165534352 ( https://gitlab.com/qemu-project/qemu/-/pipelines/165534352 ) triggered by Alex Bennée ( https://gitlab.com/stsquad )
had 1 failed build.

Job #634332364 ( https://gitlab.com/qemu-project/qemu/-/jobs/634332364/raw )

Stage: test
Name: build-disabled
Trace: qemu-system-i386: falling back to tcg
Could not access KVM kernel module: No such file or directory
qemu-system-i386: -accel kvm: failed to initialize kvm: No such file or 
directory
qemu-system-i386: falling back to tcg
Could not access KVM kernel module: No such file or directory
qemu-system-i386: -accel kvm: failed to initialize kvm: No such file or 
directory
qemu-system-i386: falling back to tcg
  TESTcheck-qtest-i386: tests/qtest/device-introspect-test
  TESTcheck-qtest-i386: tests/qtest/machine-none-test
  TESTcheck-qtest-i386: tests/qtest/qmp-test
  TESTcheck-qtest-i386: tests/qtest/qmp-cmd-test
  TESTcheck-qtest-i386: tests/qtest/qom-test
  TESTcheck-qtest-i386: tests/qtest/test-hmp
  TESTcheck-qtest-i386: tests/qtest/qos-test
  TESTcheck-qtest-mips64: tests/qtest/endianness-test
  TESTcheck-qtest-mips64: tests/qtest/display-vga-test
  TESTcheck-qtest-mips64: tests/qtest/cdrom-test
  TESTcheck-qtest-mips64: tests/qtest/device-introspect-test
  TESTcheck-qtest-mips64: tests/qtest/machine-none-test
  TESTcheck-qtest-mips64: tests/qtest/qmp-test
  TESTcheck-qtest-mips64: tests/qtest/qmp-cmd-test
  TESTcheck-qtest-mips64: tests/qtest/qom-test
  TESTcheck-qtest-mips64: tests/qtest/test-hmp
  TESTcheck-qtest-mips64: tests/qtest/qos-test
  TESTcheck-qtest-ppc64: tests/qtest/machine-none-test
  TESTcheck-qtest-ppc64: tests/qtest/qmp-test
  TESTcheck-qtest-ppc64: tests/qtest/qmp-cmd-test
  TESTcheck-qtest-ppc64: tests/qtest/qom-test
section_end:1594481559:step_script
ERROR: Job failed: execution took longer than 1h0m0s seconds








Re: [PATCH] linux-user: Add several IFTUN ioctls

2020-07-11 Thread Laurent Vivier
On 10/07/2020 at 21:53, Josh Kunz wrote:
> This change includes most widely-available if_tun ioctls that are
> integer typed.
> 
> Tested by compiling all linux-user emulators. This patch has also been
> used successfully to run several binaries that utilize these ioctls for
> several months.
> 
> Linux Header:
> https://github.com/torvalds/linux/blob/dcde237b9b0eb1d19306e6f48c0a4e058907619f/include/uapi/linux/if_tun.h#L31
> 
> Signed-off-by: Josh Kunz 
> ---
>  linux-user/ioctls.h   | 20 
>  linux-user/syscall.c  |  1 +
>  linux-user/syscall_defs.h | 21 +
>  3 files changed, 42 insertions(+)
> 
> diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
> index 0713ae1311..9b4a67fe84 100644
> --- a/linux-user/ioctls.h
> +++ b/linux-user/ioctls.h
> @@ -593,3 +593,23 @@
>IOCTL(KCOV_DISABLE, 0, TYPE_NULL)
>IOCTL(KCOV_INIT_TRACE, IOC_R, TYPE_ULONG)
>  #endif
> +
> +  IOCTL(TUNGETFEATURES  , IOC_R , TYPE_INT)
> +  IOCTL(TUNGETIFF   , IOC_R , TYPE_INT)
> +  IOCTL(TUNGETSNDBUF, IOC_R , TYPE_INT)
> +  IOCTL(TUNGETVNETHDRSZ , IOC_R , TYPE_INT)
> +  IOCTL(TUNGETVNETLE, IOC_R , TYPE_INT)
> +  IOCTL(TUNSETDEBUG , IOC_W , TYPE_INT)
> +  IOCTL(TUNSETGROUP , IOC_W , TYPE_INT)
> +  IOCTL(TUNSETIFF   , IOC_W , TYPE_INT)
> +  IOCTL(TUNSETIFINDEX   , IOC_W , TYPE_INT)
> +  IOCTL(TUNSETLINK  , IOC_W , TYPE_INT)
> +  IOCTL(TUNSETNOCSUM, IOC_W , TYPE_INT)
> +  IOCTL(TUNSETOFFLOAD   , IOC_W , TYPE_INT)
> +  IOCTL(TUNSETOWNER , IOC_W , TYPE_INT)
> +  IOCTL(TUNSETPERSIST   , IOC_W , TYPE_INT)
> +  IOCTL(TUNSETQUEUE , IOC_W , TYPE_INT)
> +  IOCTL(TUNSETSNDBUF, IOC_W , TYPE_INT)
> +  IOCTL(TUNSETTXFILTER  , IOC_W , TYPE_INT)
> +  IOCTL(TUNSETVNETHDRSZ , IOC_W , TYPE_INT)
> +  IOCTL(TUNSETVNETLE, IOC_W , TYPE_INT)
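Review bot: the five TUNGET* entries are IOC_R but typed as plain TYPE_INT, the same as the by-value setters below them; an ioctl that returns an int writes it through a pointer, so these look like they should be MK_PTR(TYPE_INT) so that the result is copied back into guest memory. TUNSETIFF and TUNGETIFF also deserve a second look against the linked if_tun.h and the tun driver, since the commit message limits the patch to integer-typed ioctls and those two are normally called with a struct ifreq pointer. The new block also sits after the `#endif` with no guard of its own, so a host whose if_tun.h lacks the newer names (for example TUNSETVNETLE) would fail to build; an `#ifdef` around those entries would avoid that.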
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index 98ea86ca81..4ad4b36a84 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -58,6 +58,7 @@
>  #include 
>  #include 
>  #include 
> +#include 
>  #ifdef CONFIG_TIMERFD
>  #include 
>  #endif
> diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
> index 3c261cff0e..833ef68faf 100644
> --- a/linux-user/syscall_defs.h
> +++ b/linux-user/syscall_defs.h
> @@ -859,6 +859,27 @@ struct target_rtc_pll_info {
>  #define TARGET_SIOCSIFPFLAGS   0x8934  /* set extended flags 
>  */
>  #define TARGET_SIOCGIFPFLAGS   0x8935  /* get extended flags 
>  */
>  
> +/* if_tun ioctls */
> +#define TARGET_TUNGETFEATURES   TARGET_IOR('T', 207, unsigned int)
> +#define TARGET_TUNGETIFFTARGET_IOR('T', 210, unsigned int)
> +#define TARGET_TUNGETSNDBUF TARGET_IOR('T', 211, int)
> +#define TARGET_TUNGETVNETHDRSZ  TARGET_IOR('T', 215, int)
> +#define TARGET_TUNGETVNETLE TARGET_IOR('T', 221, int)
> +#define TARGET_TUNSETDEBUG  TARGET_IOW('T', 201, int)
> +#define TARGET_TUNSETGROUP  TARGET_IOW('T', 206, int)
> +#define TARGET_TUNSETIFFTARGET_IOW('T', 202, int)
> +#define TARGET_TUNSETIFINDEXTARGET_IOW('T', 218, unsigned int)
> +#define TARGET_TUNSETLINK   TARGET_IOW('T', 205, int)
> +#define TARGET_TUNSETNOCSUM TARGET_IOW('T', 200, int)
> +#define TARGET_TUNSETOFFLOADTARGET_IOW('T', 208, unsigned int)
> +#define TARGET_TUNSETOWNER  TARGET_IOW('T', 204, int)
> +#define TARGET_TUNSETPERSISTTARGET_IOW('T', 203, int)
> +#define TARGET_TUNSETQUEUE  TARGET_IOW('T', 217, int)
> +#define TARGET_TUNSETSNDBUF TARGET_IOW('T', 212, int)
> +#define TARGET_TUNSETTXFILTER   TARGET_IOW('T', 209, unsigned int)
> +#define TARGET_TUNSETVNETHDRSZ  TARGET_IOW('T', 216, int)
> +#define TARGET_TUNSETVNETLE TARGET_IOW('T', 220, int)
> +
>  /* Bridging control calls */
>  #define TARGET_SIOCGIFBR   0x8940  /* Bridging support   
>   */
>  #define TARGET_SIOCSIFBR   0x8941  /* Set bridging options   
>   */
> 

Reviewed-by: Laurent Vivier 



usb-wacom-tablet failing to register

2020-07-11 Thread Michael Nazzareno Trimarchi
Hi all

On my 4.17.0-rc1 linux kernel i386 running on qemu, I can't register
the wacom driver emulation
QEMU emulator version 4.2.0 (Debian 1:4.2-3ubuntu6.3)
Copyright (c) 2003-2019 Fabrice Bellard and the QEMU Project developers

[0.395368] ata2.00: configured for MWDMA2
[0.397049] scsi 1:0:0:0: CD-ROMQEMU QEMU DVD-ROM
  2.5+ PQ: 0 ANSI: 5
[0.584135] usb 2-1: new full-speed USB device number 2 using xhci_hcd
[0.734449] usb 2-1: New USB device found, idVendor=056a,
idProduct=, bcdDevice=42.10
[0.734461] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[0.734466] usb 2-1: Product: Wacom PenPartner
[0.734470] usb 2-1: Manufacturer: QEMU
[0.734474] usb 2-1: SerialNumber: 1-:00:04.0-1
[0.737347] usbhid 2-1:1.0: can't add hid device: -32
[0.737366] usbhid: probe of 2-1:1.0 failed with error -32

I get back an error. Any suggestions?

Michael



[PATCH for-5.1 1/3] qdev: Move doc comments from qdev.c to qdev-core.h

2020-07-11 Thread Peter Maydell
The doc-comments which document the qdev API are split between the
header file and the C source files, because as a project we haven't
been consistent about where we put them.

Move all the doc-comments in qdev.c to the header files, so that
users of the APIs don't have to look at the implementation files for
this information.

In the process, unify them into our doc-comment format and expand on
them in some cases to clarify expected use cases.

Signed-off-by: Peter Maydell 
---
 include/hw/qdev-core.h   | 57 
 include/hw/qdev-properties.h | 13 
 hw/core/qdev.c   | 33 -
 3 files changed, 70 insertions(+), 33 deletions(-)

diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
index fe78073c708..2d441d1fb2e 100644
--- a/include/hw/qdev-core.h
+++ b/include/hw/qdev-core.h
@@ -320,9 +320,66 @@ compat_props_add(GPtrArray *arr,
 
 /*** Board API.  This should go away once we have a machine config file.  ***/
 
+/**
+ * qdev_new: Create a device on the heap
+ * @name: device type to create (we assert() that this type exists)
+ *
+ * This only allocates the memory and initializes the device state
+ * structure, ready for the caller to set properties if they wish.
+ * The device still needs to be realized.
+ * The returned object has a reference count of 1.
+ */
 DeviceState *qdev_new(const char *name);
+/**
+ * qdev_try_new: Try to create a device on the heap
+ * @name: device type to create
+ *
+ * This is like qdev_new(), except it returns %NULL when type @name
+ * does not exist, rather than asserting.
+ */
 DeviceState *qdev_try_new(const char *name);
+/**
+ * qdev_realize: Realize @dev.
+ * @dev: device to realize
+ * @bus: bus to plug it into (may be NULL)
+ * @errp: pointer to error object
+ *
+ * "Realize" the device, i.e. perform the second phase of device
+ * initialization.
+ * @dev must not be plugged into a bus already.
+ * If @bus, plug @dev into @bus.  This takes a reference to @dev.
+ * If @dev has no QOM parent, make one up, taking another reference.
+ * On success, return true.
+ * On failure, store an error through @errp and return false.
+ *
+ * If you created @dev using qdev_new(), you probably want to use
+ * qdev_realize_and_unref() instead.
+ */
 bool qdev_realize(DeviceState *dev, BusState *bus, Error **errp);
+/**
+ * qdev_realize_and_unref: Realize @dev and drop a reference
+ * @dev: device to realize
+ * @bus: bus to plug it into (may be NULL)
+ * @errp: pointer to error object
+ *
+ * Realize @dev and drop a reference.
+ * This is like qdev_realize(), except the caller must hold a
+ * (private) reference, which is dropped on return regardless of
+ * success or failure.  Intended use::
+ *
+ * dev = qdev_new();
+ * [...]
+ * qdev_realize_and_unref(dev, bus, errp);
+ *
+ * Now @dev can go away without further ado.
+ *
+ * If you are embedding the device into some other QOM device and
+ * initialized it via some variant on object_initialize_child() then
+ * do not use this function, because that family of functions arrange
+ * for the only reference to the child device to be held by the parent
+ * via the child<> property, and so the reference-count-drop done here
+ * would be incorrect. For that use case you want qdev_realize().
+ */
 bool qdev_realize_and_unref(DeviceState *dev, BusState *bus, Error **errp);
 void qdev_unrealize(DeviceState *dev);
 void qdev_set_legacy_instance_id(DeviceState *dev, int alias_id,
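Review bot: the "Intended use" example in the qdev_realize_and_unref() comment calls `dev = qdev_new();` with no argument, while the prototype documented a few lines above is `qdev_new(const char *name)`; since this comment is now the API reference, passing a placeholder type name in the example would keep it consistent with the signature. The new comment blocks also start directly after the preceding prototype with no blank line (for example right after `DeviceState *qdev_new(const char *name);`), which makes it harder to see which comment belongs to which declaration.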
diff --git a/include/hw/qdev-properties.h b/include/hw/qdev-properties.h
index 587e5b7d317..8f3a98cba69 100644
--- a/include/hw/qdev-properties.h
+++ b/include/hw/qdev-properties.h
@@ -282,6 +282,19 @@ void error_set_from_qdev_prop_error(Error **errp, int ret, 
DeviceState *dev,
  */
 void qdev_property_add_static(DeviceState *dev, Property *prop);
 
+/**
+ * qdev_alias_all_properties: Create aliases on source for all target 
properties
+ * @target: Device which has properties to be aliased
+ * @source: Object to add alias properties to
+ *
+ * Add alias properties to the @source object for all qdev properties on
+ * the @target DeviceState.
+ *
+ * This is useful when @target is an internal implementation object
+ * owned by @source, and you want to expose all the properties of that
+ * implementation object as properties on the @source object so that users
+ * of @source can set them.
+ */
 void qdev_alias_all_properties(DeviceState *target, Object *source);
 
 /**
diff --git a/hw/core/qdev.c b/hw/core/qdev.c
index 01796823b41..96772a15bd5 100644
--- a/hw/core/qdev.c
+++ b/hw/core/qdev.c
@@ -128,13 +128,6 @@ void qdev_set_parent_bus(DeviceState *dev, BusState *bus)
 }
 }
 
-/*
- * Create a device on the heap.
- * A type @name must exist.
- * This only initializes the device state structure and allows
- * properties to be set.  The device still needs to be realized.  See
- * qdev-core.h.
- */
 DeviceState *qdev_new(const char *name)
 {
 if (!object_class_by_name(name)) {

[PATCH for-5.1 0/3] Move and improve qdev API doc comments

2020-07-11 Thread Peter Maydell
This patchset adds documentation comments to qdev-core.h (and in a few
cases qdev-properties.h) to functions (but not all functions!) which
were missing them.

The prompt for this was Markus' recent welcome cleanup and correction
of the qdev realize functions to get reference count and bus parenting
handling right. Markus put doc comments for new/changed functions in
the qdev.c file. This is something where I have a fairly strong opinion:
 * the right place for doc comments for functions which expose API
   to the rest of QEMU is in the header file, not the .c file
 * we should be consistent about this, especially within a single
   header file but more generally as a project

So patch 1 moves doc comments from qdev.c to qdev-core.h (or
for a few functions qdev-properties.h) to join the doc comments
that were already in those header files. I have expanded on the
comments in some places where I thought that summaries of the
intended use case for the API were helpful.

Because I didn't want to send out a patch that was moving doc
comments around to fit my asserted preferred style and nothing else,
I have attempted to sweeten the pot a bit with patches 2 and 3, which
provide new doc comments for previously undocumented functions:
qdev_unrealize(), and also all the GPIO creation/connection APIs.

thanks
-- PMM

Peter Maydell (3):
  qdev: Move doc comments from qdev.c to qdev-core.h
  qdev: Document qdev_unrealize()
  qdev: Document GPIO related functions

 include/hw/qdev-core.h   | 267 ++-
 include/hw/qdev-properties.h |  13 ++
 hw/core/qdev.c   |  33 -
 3 files changed, 278 insertions(+), 35 deletions(-)

-- 
2.20.1



[PATCH for-5.1 3/3] qdev: Document GPIO related functions

2020-07-11 Thread Peter Maydell
Add documentation comments for the various qdev functions
related to creating and connecting GPIO lines.

Signed-off-by: Peter Maydell 
---
 include/hw/qdev-core.h | 191 -
 1 file changed, 189 insertions(+), 2 deletions(-)

diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
index 1d2bf5f37da..ea3f73a282d 100644
--- a/include/hw/qdev-core.h
+++ b/include/hw/qdev-core.h
@@ -424,13 +424,132 @@ void qdev_simple_device_unplug_cb(HotplugHandler 
*hotplug_dev,
 void qdev_machine_creation_done(void);
 bool qdev_machine_modified(void);
 
+/**
+ * qdev_get_gpio_in: Get one of a device's anonymous input GPIO lines
+ * @dev: Device whose GPIO we want
+ * @n: Number of the anonymous GPIO line (which must be in range)
+ *
+ * Returns the qemu_irq corresponding to an anonymous input GPIO line
+ * (which the device has set up with qdev_init_gpio_in()). The index
+ * @n of the GPIO line must be valid (i.e. be at least 0 and less than
+ * the total number of anonymous input GPIOs the device has); this
+ * function will assert() if passed an invalid index.
+ *
+ * This function is intended to be used by board code or SoC "container"
+ * device models to wire up the GPIO lines; usually the return value
+ * will be passed to qdev_connect_gpio_out() or a similar function to
+ * connect another device's output GPIO line to this input.
+ *
+ * For named input GPIO lines, use qdev_get_gpio_in_named().
+ */
 qemu_irq qdev_get_gpio_in(DeviceState *dev, int n);
+/**
+ * qdev_get_gpio_in_named: Get one of a device's named input GPIO lines
+ * @dev: Device whose GPIO we want
+ * @name: Name of the input GPIO array
+ * @n: Number of the GPIO line in that array (which must be in range)
+ *
+ * Returns the qemu_irq corresponding to a named input GPIO line
+ * (which the device has set up with qdev_init_gpio_in_named()).
+ * The @name string must correspond to an input GPIO array which exists on
+ * the device, and the index @n of the GPIO line must be valid (i.e.
+ * be at least 0 and less than the total number of input GPIOs in that
+ * array); this function will assert() if passed an invalid name or index.
+ *
+ * For anonymous input GPIO lines, use qdev_get_gpio_in().
+ */
 qemu_irq qdev_get_gpio_in_named(DeviceState *dev, const char *name, int n);
 
+/**
+ * qdev_connect_gpio_out: Connect one of a device's anonymous output GPIO lines
+ * @dev: Device whose GPIO to connect
+ * @n: Number of the anonymous output GPIO line (which must be in range)
+ * @pin: qemu_irq to connect the output line to
+ *
+ * This function connects an anonymous output GPIO line on a device
+ * up to an arbitrary qemu_irq, so that when the device asserts that
+ * output GPIO line, the qemu_irq's callback is invoked.
+ * The index @n of the GPIO line must be valid (i.e. be at least 0 and
+ * less than the total number of anonymous output GPIOs the device has
+ * created with qdev_init_gpio_out()); otherwise this function will assert().
+ *
+ * Outbound GPIO lines can be connected to any qemu_irq, but the common
+ * case is connecting them to another device's inbound GPIO line, using
+ * the qemu_irq returned by qdev_get_gpio_in() or qdev_get_gpio_in_named().
+ *
+ * It is not valid to try to connect one outbound GPIO to multiple
+ * qemu_irqs at once, or to connect multiple outbound GPIOs to the
+ * same qemu_irq. (Warning: there is no assertion or other guard to
+ * catch this error: the model will just not do the right thing.)
+ * Instead, for fan-out you can use the TYPE_IRQ_SPLIT device: connect
+ * a device's outbound GPIO to the splitter's input, and connect each
+ * of the splitter's outputs to a different device.  For fan-in you
+ * can use the TYPE_OR_IRQ device, which is a model of a logical OR
+ * gate with multiple inputs and one output.
+ *
+ * For named output GPIO lines, use qdev_connect_gpio_out_named().
+ */
 void qdev_connect_gpio_out(DeviceState *dev, int n, qemu_irq pin);
+/**
+ * qdev_connect_gpio_out: Connect one of a device's anonymous output GPIO lines
+ * @dev: Device whose GPIO to connect
+ * @name: Name of the output GPIO array
+ * @n: Number of the anonymous output GPIO line (which must be in range)
+ * @pin: qemu_irq to connect the output line to
+ *
+ * This function connects an anonymous output GPIO line on a device
+ * up to an arbitrary qemu_irq, so that when the device asserts that
+ * output GPIO line, the qemu_irq's callback is invoked.
+ * The @name string must correspond to an output GPIO array which exists on
+ * the device, and the index @n of the GPIO line must be valid (i.e.
+ * be at least 0 and less than the total number of input GPIOs in that
+ * array); this function will assert() if passed an invalid name or index.
+ *
+ * Outbound GPIO lines can be connected to any qemu_irq, but the common
+ * case is connecting them to another device's inbound GPIO line, using
+ * the qemu_irq returned by qdev_get_gpio_in() or qdev_get_gpio_in_named().
+ *
+ * It is not valid to 
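Review bot: the second comment block, which its `@name` parameter shows to be for the named variant, is still headed `qdev_connect_gpio_out: Connect one of a device's anonymous output GPIO lines`, and its body and `@n` description repeat "anonymous output GPIO line" and "total number of input GPIOs in that array". It should be titled `qdev_connect_gpio_out_named`, describe a named output line, and say "output GPIOs"; as written the header carries two comments that both claim to document qdev_connect_gpio_out().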

[PATCH for-5.1 2/3] qdev: Document qdev_unrealize()

2020-07-11 Thread Peter Maydell
Add a doc comment for qdev_unrealize(), to go with the new
documentation for the realize part of the qdev lifecycle.

Signed-off-by: Peter Maydell 
---
 include/hw/qdev-core.h | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
index 2d441d1fb2e..1d2bf5f37da 100644
--- a/include/hw/qdev-core.h
+++ b/include/hw/qdev-core.h
@@ -381,6 +381,25 @@ bool qdev_realize(DeviceState *dev, BusState *bus, Error 
**errp);
  * would be incorrect. For that use case you want qdev_realize().
  */
 bool qdev_realize_and_unref(DeviceState *dev, BusState *bus, Error **errp);
+/**
+ * qdev_unrealize: Unrealize a device
+ * @dev: device to unrealize
+ *
+ * This function will "unrealize" a device, which is the first phase
+ * of correctly destroying a device that has been realized. It will:
+ *
+ *  - unrealize any child buses by calling qbus_unrealize()
+ *(this will recursively unrealize any devices on those buses)
+ *  - call the the unrealize method of @dev
+ *
+ * The device can then be freed by causing its reference count to go
+ * to zero.
+ *
+ * Warning: most devices in QEMU do not expect to be unrealized.  Only
+ * devices which are hot-unpluggable should be unrealized (as part of
+ * the unplugging process); all other devices are expected to last for
+ * the life of the simulation and should not be unrealized and freed.
+ */
 void qdev_unrealize(DeviceState *dev);
 void qdev_set_legacy_instance_id(DeviceState *dev, int alias_id,
  int required_for_version);
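Review bot: the second bullet of the new comment reads "call the the unrealize method of @dev"; drop the duplicated "the". The continuation line of the first bullet is also indented differently from its first line, so it is worth checking how the list renders in the generated documentation.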
-- 
2.20.1




Re: [PULL 0/2] xen queue 2020-07-10

2020-07-11 Thread Peter Maydell
On Fri, 10 Jul 2020 at 14:11, Anthony PERARD  wrote:
>
> The following changes since commit b6d7e9b66f59ca6ebc6e9b830cd5e7bf849d31cf:
>
>   Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' into staging (2020-07-10 09:01:28 +0100)
>
> are available in the Git repository at:
>
>   https://xenbits.xen.org/git-http/people/aperard/qemu-dm.git tags/pull-xen-20200710
>
> for you to fetch changes up to dd29b5c30cd2a13f8c12376a8de84cb090c338bf:
>
>   xen: cleanup unrealized flash devices (2020-07-10 13:49:16 +0100)
>
> 
> xen patches
>
> Fixes following harden checks in qdev.
>
> 


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/5.1
for any user-visible changes.

-- PMM



Re: [PATCH v2] scripts/simplebench: compare write request performance

2020-07-11 Thread Vladimir Sementsov-Ogievskiy

26.06.2020 17:31, Andrey Shinkevich wrote:

The script 'bench_write_req.py' allows comparing performances of write
request for two qemu-img binary files.
An example with (qemu-img binary 1) and without (qemu-img binary 2) the
applied patch "qcow2: skip writing zero buffers to empty COW areas"
(git commit ID: c8bb23cbdbe32f5)
The  case does not involve the COW optimization.

SSD:
-  ---  ---
  
  2.72 +- 0.00 11.67 +- 1.04
 0.34 +- 0.00 8.64 +- 1.55
   0.33 +- 0.01 8.13 +- 2.05
  8.46 +- 0.06 12.97 +- 1.07
9.27 +- 2.04 8.83 +- 0.84
-  ---  ---
HDD:
-  ---  ---
  
  617.86 +- 6.78   608.84 +- 10.72
 57.53 +- 3.5652.99 +- 7.48
   60.50 +- 1.9256.11 +- 5.20
  12.10 +- 1.1015.16 +- 2.56
6.23 +- 0.05 6.40 +- 0.07
-  ---  ---



Good, this proves that c8bb23cbdbe32f5 makes sense.


Suggested-by: Denis V. Lunev 
Suggested-by: Vladimir Sementsov-Ogievskiy 
Signed-off-by: Andrey Shinkevich 
---
v2:
   01: Three more test cases added to the script:
   
   
   

  scripts/simplebench/bench_write_req.py | 201 +
  1 file changed, 201 insertions(+)
  create mode 100755 scripts/simplebench/bench_write_req.py

diff --git a/scripts/simplebench/bench_write_req.py 
b/scripts/simplebench/bench_write_req.py
new file mode 100755
index 000..fe92d01
--- /dev/null
+++ b/scripts/simplebench/bench_write_req.py
@@ -0,0 +1,201 @@
+#!/usr/bin/env python3
+#
+# Test to compare performance of write requests for two qemu-img binary files.
+#
+# Copyright (c) 2020 Virtuozzo International GmbH.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+#
+
+
+import sys
+import os
+import subprocess
+import simplebench
+
+
+def bench_func(env, case):
+""" Handle one "cell" of benchmarking table. """
+return bench_write_req(env['qemu_img'], env['image_name'],
+   case['block_size'], case['block_offset'],
+   case['requests'], case['empty_image'])
+
+
+def qemu_img_pipe(*args):
+'''Run qemu-img and return its output'''
+subp = subprocess.Popen(list(args),
+stdout=subprocess.PIPE,
+stderr=subprocess.STDOUT,
+universal_newlines=True)
+exitcode = subp.wait()
+if exitcode < 0:
+sys.stderr.write('qemu-img received signal %i: %s\n'
+ % (-exitcode, ' '.join(list(args
+return subp.communicate()[0]
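
Review bot: qemu_img_pipe() calls subp.wait() before subp.communicate() while stdout is a pipe, so a qemu-img run that prints more than the pipe buffer can hold will block in wait() and never return; call communicate() first and read subp.returncode afterwards. The exit code check also reports only signals (exitcode < 0), so an ordinary non-zero exit from qemu-img passes silently and the caller has no way to turn it into the {'error': str} result that the bench_write_req docstring promises.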


I understand that it's duplicated from iotests.py. Hmm, we probably should 
move most of its functionality into python/ and reuse it here, but I don't ask 
you to do it, this patch may keep the copy I think.


+
+
+def bench_write_req(qemu_img, image_name, block_size, block_offset, requests,
+empty_image):
+"""Benchmark write requests
+
+qemu_img -- path to qemu_img executable file
+image_name   -- QCOW2 image name to create
+block_size   -- size of a block to write to clusters
+block_offset -- offset of the block in clusters
+requests -- number of write requests per cluster, customize if zero
+empty_image  -- if True, fill image with random data
+


Some comment on the behavior of the function won't hurt.


+Returns {'seconds': int} on success and {'error': str} on failure.
+Return value is compatible with simplebench lib.
+"""
+
+if not os.path.isfile(qemu_img):
+print('File not found: {}'.format(qemu_img))
+sys.exit(1)
+
+image_dir = os.path.dirname(os.path.abspath(image_name))
+if not os.path.isdir(image_dir):
+print('Path not found: {}'.format(image_name))
+sys.exit(1)
+
+cluster_size = 1024 * 1024
+image_size = 1024 * cluster_size
+seek = 4
+dd_count = int(image_size / cluster_size) - seek
+
+args_create = [qemu_img, 'create', '-f', 'qcow2', '-o',
+   'cluster_size={}'.format(cluster_size),
+   image_name, str(image_size)]
+
+if requests:
+count = requests * int(image_size / cluster_size)
+step = str(cluster_size)
+

cve patch wanted

2020-07-11 Thread 林奕帆
Hello
   I am a student from Fudan University in China. I am doing research on CVE 
patches recently. But I cannot find the patch commit of CVE-2019-12247, 
CVE-2019-12155, CVE-2019-6778. Can you give me the commits that fix these CVEs?






Re: [PULL 0/1] virtio: bugfix

2020-07-11 Thread Peter Maydell
On Fri, 10 Jul 2020 at 00:04, Michael S. Tsirkin  wrote:
>
> Fixes a single bug in vdpa.
>
> The following changes since commit eb2c66b10efd2b914b56b20ae90655914310c925:
>
>   Merge remote-tracking branch 'remotes/maxreitz/tags/pull-block-2020-07-06' 
> into staging (2020-07-07 19:47:26 +0100)
>
> are available in the Git repository at:
>
>   git://git.kernel.org/pub/scm/virt/kvm/mst/qemu.git tags/for_upstream
>
> for you to fetch changes up to 4dc5acc07e88b2776513db75944f2e240116ebda:
>
>   vhost-vdpa: fix the compile issue without kvm (2020-07-08 06:16:48 -0400)
>
> 
> virtio: bugfix
>
> fixes vdpa on non-kvm platforms
>
> Signed-off-by: Michael S. Tsirkin 
>
> 


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/5.1
for any user-visible changes.

-- PMM



Re: [PATCH 3/3] cpu-timers, icount: new modules

2020-07-11 Thread Claudio Fontana
On 7/11/20 2:19 PM, Paolo Bonzini wrote:
> On 11/07/20 13:49, Claudio Fontana wrote:
>>> Apart from the name, icount is more like deterministic execution than
>>
>> Maybe we should start choosing names more carefully in a way to express what 
>> we mean?
> 
> I don't disagree.  For icount in particular however we're about 12 years
> too late.
> 
>>>  qtests need to be deterministic and
>>> describe which qtest instructions run before a given timer fires and
>>> which run after.
>>>
>>> And in both cases, determinism is achieved by controlling the
>>> advancement of QEMU_CLOCK_VIRTUAL.  It's only this central component of
>>> icount that is shared by qtest and TCG, and I think the problem is that
>>> this patch conflates all of them together:
>>
>> I think that the existing code in master conflates them together actually.
>> Qtest can have its own counter, it does not need to be the icount
>> instruction counter.
> 
> If you want you can add to your accelerator ops series one for
> qemu_get_clock_ns(QEMU_CLOCK_VIRTUAL), cpu_get_ticks() and
> qemu_start_warp_timer(), that would certainly work for me; those three
> are the only non-TCG-specific functions that read use_icount, as far as
> I can see.  qemu_start_warp_timer() does have an "if (qtest_enabled())"
> even, so it's clearly fishy.
> 
> It may even be a good idea for TCG to have three sets of accelerator ops
> for respectively multi-threaded, round-robin and icount.
> 
> My point is that this patch is not the right way to start the
> refactoring because *for now* it's wrong to treat icount as a TCG-only
> concept.  Having more separation between accelerators, as well as a
> clear interface between core and accelerators is certainly a laudable
> goal though.
> 
>>> - the basic "is QEMU_CLOCK_VIRTUAL software-driven" part is embedded in
>>> qemu-timer and should not be carved out into a separate module.  This
>>> includes the use_icount variable, which should be kept in core QEMU code.
>>
>> I don't see how this follows, how is using a global use_icount variable 
>> better than having this checked using icount_enabled()?
> 
> If you can get rid of use_icount using a new accelerator ops member, it
> would be even better. :)
> 
>> I will come back to this later on, this patch seems to have uncovered an 
>> underlying issue, which shows on s390.
>>
>> I'd rather now continue investigating that, choosing to try to
>> actually understand the issue, rather than hiding it under the
>> carpet.
> 
> Thanks.  But I don't think it's sweeping anything under the carpet; it's
> great if we find a currently latent s390 bug, but it is orthogonal to
> the design of that core<->accelerator interface.

Yes, absolutely this is what I wanted to express.

I would like to find out what the problem is that appears in s390,
I am not sure though that it is actually an s390-specific problem, it could 
even be a migration qemu-file issue,
as apparently just flushing with qemu_fflush(f) "fixes" it.

My patch made the stream a bit smaller, and changed the layout of the 
s390-skeys, which have an interesting field length (32768),
I wonder if I got just the right alignment to trigger a bug where the qemu-file 
buffer is not properly flushed.

> 
> (And by the way, my suggested patch to icount_enabled() was completely
> wrong!).
> 
> Paolo
> 
> 

We will come back to this later, thanks a lot for the exchange!

Ciao,

Claudio



Re: [PATCH 3/3] cpu-timers, icount: new modules

2020-07-11 Thread Paolo Bonzini
On 11/07/20 13:49, Claudio Fontana wrote:
>> Apart from the name, icount is more like deterministic execution than
> 
> Maybe we should start choosing names more carefully in a way to express what 
> we mean?

I don't disagree.  For icount in particular however we're about 12 years
too late.

>>  qtests need to be deterministic and
>> describe which qtest instructions run before a given timer fires and
>> which run after.
>>
>> And in both cases, determinism is achieved by controlling the
>> advancement of QEMU_CLOCK_VIRTUAL.  It's only this central component of
>> icount that is shared by qtest and TCG, and I think the problem is that
>> this patch conflates all of them together:
> 
> I think that the existing code in master conflates them together actually.
> Qtest can have its own counter, it does not need to be the icount
> instruction counter.

If you want you can add to your accelerator ops series one for
qemu_get_clock_ns(QEMU_CLOCK_VIRTUAL), cpu_get_ticks() and
qemu_start_warp_timer(), that would certainly work for me; those three
are the only non-TCG-specific functions that read use_icount, as far as
I can see.  qemu_start_warp_timer() does have an "if (qtest_enabled())"
even, so it's clearly fishy.

It may even be a good idea for TCG to have three sets of accelerator ops
for respectively multi-threaded, round-robin and icount.

My point is that this patch is not the right way to start the
refactoring because *for now* it's wrong to treat icount as a TCG-only
concept.  Having more separation between accelerators, as well as a
clear interface between core and accelerators is certainly a laudable
goal though.

>> - the basic "is QEMU_CLOCK_VIRTUAL software-driven" part is embedded in
>> qemu-timer and should not be carved out into a separate module.  This
>> includes the use_icount variable, which should be kept in core QEMU code.
> 
> I don't see how this follows, how is using a global use_icount variable 
> better than having this checked using icount_enabled()?

If you can get rid of use_icount using a new accelerator ops member, it
would be even better. :)

> I will come back to this later on, this patch seems to have uncovered an 
> underlying issue, which shows on s390.
> 
> I'd rather now continue investigating that, choosing to try to
> actually understand the issue, rather than hiding it under the
> carpet.

Thanks.  But I don't think it's sweeping anything under the carpet; it's
great if we find a currently latent s390 bug, but it is orthogonal to
the design of that core<->accelerator interface.

(And by the way, my suggested patch to icount_enabled() was completely
wrong!).

Paolo




[Bug 1885332] Re: Error in user-mode calculation of ELF aux vector's AT_PHDR

2020-07-11 Thread Dmitry
When I switch to armv7 the issue goes away

$ cat Dockerfile.armv7 
FROM arm32v7/ubuntu
RUN apt-get update && \
apt-get install -y \
gcc make libpcre3-dev libreadline-dev git

RUN cd /home && git clone https://github.com/nginx/njs

RUN cd /home/njs && ./configure --cc-opt='-O0 -static -lm -lrt -pthread -Wl,--whole-archive -lpthread -ltinfo -Wl,--no-whole-archive' && make njs

$ docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
$ docker build -t njs/armv7 -f Dockerfile.armv7 .
$ docker run -v `pwd`:/m -ti njs/armv7 cp /home/njs/build/njs /m/njs-armv7

$ readelf -l ./njs-armv7

Elf file type is EXEC (Executable file)
Entry point 0x12fb9
There are 7 program headers, starting at offset 52

Program Headers:
  Type   Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  EXIDX  0x1be338 0x001ce338 0x001ce338 0x009b8 0x009b8 R   0x4
  LOAD   0x00 0x0001 0x0001 0x1becf4 0x1becf4 R E 0x1
  LOAD   0x1bedfc 0x001dedfc 0x001dedfc 0x17674 0x1c2cc RW  0x1
  NOTE   0x000114 0x00010114 0x00010114 0x00044 0x00044 R   0x4
  TLS0x1bedfc 0x001dedfc 0x001dedfc 0x00038 0x00060 R   0x4
  GNU_STACK  0x00 0x 0x 0x0 0x0 RW  0x10
  GNU_RELRO  0x1bedfc 0x001dedfc 0x001dedfc 0x0e204 0x0e204 R   0x1

 Section to Segment mapping:
  Segment Sections...
   00 .ARM.exidx 
   01 .note.ABI-tag .note.gnu.build-id .rel.dyn .init .iplt .text 
__libc_freeres_fn __libc_thread_freeres_fn .fini .rodata .stapsdt.base 
__libc_subfreeres __libc_IO_vtables __libc_atexit __libc_thread_subfreeres 
.ARM.extab .ARM.exidx .eh_frame 
   02 .tdata .init_array .fini_array .data.rel.ro .got .data .bss 
__libc_freeres_ptrs 
   03 .note.ABI-tag .note.gnu.build-id 
   04 .tdata .tbss 
   05 
   06 .tdata .init_array .fini_array .data.rel.ro 

$ readelf -h ./njs-armv7
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00 
  Class: ELF32
  Data:  2's complement, little endian
  Version:   1 (current)
  OS/ABI:UNIX - GNU
  ABI Version:   0
  Type:  EXEC (Executable file)
  Machine:   ARM
  Version:   0x1
  Entry point address:   0x12fb9
  Start of program headers:  52 (bytes into file)
  Start of section headers:  5696248 (bytes into file)
  Flags: 0x5000400, Version5 EABI, hard-float ABI
  Size of this header:   52 (bytes)
  Size of program headers:   32 (bytes)
  Number of program headers: 7
  Size of section headers:   40 (bytes)
  Number of section headers: 42
  Section header string table index: 41

$ qemu-arm -g 12345 ./njs-armv7 -c 'console.log("HH")'

$ gdb-multiarch ./njs-armv7 -ex 'source showstack.py'
ARGUMENTS
-
argc = 3
arg 0 = ./njs-armv7
arg 1 = -c
arg 2 = console.log("HH")

...

AUX VECTOR
--
AT_PHDR = 10034
AT_PHENT = 20
AT_PHNUM = 7
AT_PAGESZ = 1000
AT_BASE = 0
AT_FLAGS = 0
AT_ENTRY = 12fb9
AT_UID = 3e9
AT_EUID = 3e9
AT_GID = 3e9
AT_EGID = 3e9
AT_HWCAP = 1fb8d7
AT_CLKTCK = 64
AT_RANDOM = -104a0
AT_HWCAP2 = 1f
AT_NULL = 0

$ qemu-arm --version
qemu-arm version 2.11.1(Debian 1:2.11+dfsg-1ubuntu7.28)
Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1885332

Title:
  Error in user-mode calculation of ELF aux vector's AT_PHDR

Status in QEMU:
  New

Bug description:
  
  I have an (admittedly strange) statically-linked ELF binary for Linux that 
runs just fine on top of the Linux kernel in QEMU full-system emulation, but 
crashes before main in user-mode emulation. Specifically, it crashes when 
initializing thread-local storage in glibc's _dl_aux_init, because it reads out 
a strange value from the AT_PHDR entry of the ELF aux vector.

  The binary has these program headers:

Program Headers:
  Type   Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  EXIDX  0x065874 0x00075874 0x00075874 0x00570 0x00570 R   0x4
  PHDR   0x0a3000 0x0090 0x0090 0x00160 0x00160 R   0x1000
  LOAD   0x0a3000 0x0090 0x0090 0x00160 0x00160 R   0x1000
  LOAD   0x00 0x0001 0x0001 0x65de8 0x65de8 R E 0x1
  LOAD   0x066b7c 0x00086b7c 0x00086b7c 0x02384 0x02384 RW  0x1
  NOTE   0x000114 0x00010114 0x00010114 0x00044 0x00044 R   0x4
  TLS0x066b7c 0x00086b7c 0x00086b7c 0x00010 0x00030 R   0x4
  GNU_STACK  0x00 0x 0x 0x0 0x0 RW  0x8
  GNU_RELRO  0x066b7c 0x00086b7c 0x00086b7c 0x00484 0x00484 R   0x1
  LOAD   0x07e000 
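
The report above turns on where the program header table is actually mapped. The following is an added example, not code from the bug report or from QEMU: it compares two ways of deriving AT_PHDR for a static, non-relocated little-endian ELF32 image. The "naive" formula (lowest PT_LOAD base plus e_phoff) is an assumption about how a loader might shortcut the calculation, and both images are constructed in memory with made-up addresses.

```python
#!/usr/bin/env python3
"""Compare two derivations of AT_PHDR for a static little-endian ELF32 image."""
import struct

PT_LOAD, PT_PHDR = 1, 6
EHDR32 = struct.Struct("<16sHHIIIIIHHHHHH")  # Elf32_Ehdr, 52 bytes
PHDR32 = struct.Struct("<8I")                # Elf32_Phdr, 32 bytes
PHDR_FIELDS = ("type", "offset", "vaddr", "paddr",
               "filesz", "memsz", "flags", "align")


def parse_phdrs(image):
    """Return (e_phoff, [program header dicts]); reject anything malformed."""
    if (len(image) < EHDR32.size or image[:4] != b"\x7fELF"
            or image[4:6] != b"\x01\x01"):  # EI_CLASS=ELF32, EI_DATA=LSB
        raise ValueError("not a little-endian ELF32 image")
    hdr = EHDR32.unpack_from(image)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    if e_phentsize != PHDR32.size or e_phoff + e_phnum * e_phentsize > len(image):
        raise ValueError("program header table is malformed or truncated")
    phdrs = [dict(zip(PHDR_FIELDS,
                      PHDR32.unpack_from(image, e_phoff + i * e_phentsize)))
             for i in range(e_phnum)]
    return e_phoff, phdrs


def naive_at_phdr(e_phoff, phdrs):
    """Assumed shortcut: base of the lowest PT_LOAD plus e_phoff."""
    loads = [p for p in phdrs if p["type"] == PT_LOAD]
    if not loads:
        raise ValueError("no PT_LOAD segment")
    first = min(loads, key=lambda p: p["vaddr"])
    return first["vaddr"] - first["offset"] + e_phoff


def mapped_at_phdr(e_phoff, phdrs):
    """Address where the table is really mapped (load bias 0 assumed)."""
    for p in phdrs:
        if p["type"] == PT_PHDR:          # the binary states it explicitly
            return p["vaddr"]
    for p in phdrs:                       # otherwise: the segment covering e_phoff
        if (p["type"] == PT_LOAD
                and p["offset"] <= e_phoff < p["offset"] + p["filesz"]):
            return p["vaddr"] + (e_phoff - p["offset"])
    return None                           # table is not mapped at all


def check(image):
    """Report both values and whether they agree."""
    e_phoff, phdrs = parse_phdrs(image)
    naive = naive_at_phdr(e_phoff, phdrs)
    mapped = mapped_at_phdr(e_phoff, phdrs)
    return {"naive": naive, "mapped": mapped, "consistent": naive == mapped}


def build_elf32(e_phoff, segments):
    """Constructed input: header, padding, then the table at e_phoff.
    segments is a list of (p_type, p_offset, p_vaddr, p_filesz)."""
    ident = b"\x7fELF\x01\x01\x01" + bytes(9)
    ehdr = EHDR32.pack(ident, 2, 40, 1, 0x12fb9, e_phoff, 0, 0,
                       EHDR32.size, PHDR32.size, len(segments), 0, 0, 0)
    table = b"".join(PHDR32.pack(t, off, va, va, fsz, fsz, 4, 0x1000)
                     for t, off, va, fsz in segments)
    return ehdr + bytes(e_phoff - len(ehdr)) + table


# Constructed layout 1: table right after the ELF header, inside the first LOAD.
SIMPLE = build_elf32(52, [(PT_LOAD, 0, 0x10000, 0x1000)])

# Constructed layout 2: table moved to its own page, mapped far from the first LOAD
# and announced by a PT_PHDR entry.
SPLIT = build_elf32(0x3000, [(PT_LOAD, 0, 0x10000, 0x2000),
                             (PT_PHDR, 0x3000, 0x900000, 0x60),
                             (PT_LOAD, 0x3000, 0x900000, 0x60)])

if __name__ == "__main__":
    for name, image in (("simple", SIMPLE), ("split", SPLIT)):
        result = check(image)
        print(name, {k: hex(v) if isinstance(v, int) and not isinstance(v, bool)
                     else v for k, v in result.items()})
```

In the first layout both derivations agree, which matches a binary whose table sits at file offset 52 inside its first LOAD segment; in the second they diverge, and a libc that walks the table from the naive address would read unrelated memory.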

[Bug 1886318] Re: Qemu after v5.0.0 breaks macos guests

2020-07-11 Thread Mark Cave-Ayland
Indeed it is, but bear in mind it was QEMU 5.1 release feature freeze
this week so most developers are busy rebasing and fixing up bugs from
the resulting merge.

Given that you have already built QEMU from source, what would help
enormously is if you can do a "git bisect" between the v5.0.0 tag
(working) and your current master (not working) and provide the output
of "git bisect log" in this bug report. By identifying the individual
commit that broke your test case, it is much easier for developers to
understand the issue and propose a fix.


ATB,

Mark.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1886318

Title:
  Qemu after v5.0.0 breaks macos guests

Status in QEMU:
  New

Bug description:
  The Debian Sid 5.0-6 qemu-kvm package can no longer get further than
  the Clover bootloader whereas 5.0-6 and earlier worked fine.

  So I built qemu master from github and it has the same problem,
  whereas git tag v5.0.0 (or 4.2.1) does not, so something between
  v5.0.0 release and the last few days has caused the problem.

  Here's my qemu script, pretty standard macOS-Simple-KVM setup on a
  Xeon host:

  qemu-system-x86_64 \
  -enable-kvm \
  -m 4G \
  -machine q35,accel=kvm \
  -smp 4,sockets=1,cores=2,threads=2 \
  -cpu Penryn,vendor=GenuineIntel,kvm=on,+sse3,+sse4.2,+aes,+xsave,+avx,+xsaveopt,+xsavec,+xgetbv1,+avx2,+bmi2,+smep,+bmi1,+fma,+movbe,+invtsc \
  -device isa-applesmc,osk="ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc" \
  -drive if=pflash,format=raw,readonly,file="/tmp/OVMF_CODE.fd" \
  -drive if=pflash,format=raw,file="/tmp/macos_catalina_VARS.fd" \
  -vga qxl \
  -device ich9-ahci,id=sata \
  -drive id=ESP,if=none,format=raw,file=/tmp/ESP.img \
  -device ide-hd,bus=sata.2,drive=ESP \
  -drive id=InstallMedia,format=raw,if=none,file=/tmp/BaseSystem.img \
  -device ide-hd,bus=sata.3,drive=InstallMedia \
  -drive id=SystemDisk,if=none,format=raw,file=/tmp/macos_catalina.img \
  -device ide-hd,bus=sata.4,drive=SystemDisk \
  -usb -device usb-kbd -device usb-mouse

  Perhaps something has changed in Penryn support recently, as that's
  required for macos?

  See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247

  Also on a related note, kernel 5.6/5.7 (on Debian) hard crashes the
  host when I try GPU passthrough on macos, whereas Ubuntu20/Win10 work
  fine - as does 5.5 kernel.

  See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961676

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1886318/+subscriptions



Re: [PATCH 3/3] cpu-timers, icount: new modules

2020-07-11 Thread Claudio Fontana
On 7/11/20 11:39 AM, Paolo Bonzini wrote:
> On 11/07/20 11:14, Claudio Fontana wrote:
>> On 7/11/20 12:45 AM, Paolo Bonzini wrote:
>>> On 10/07/20 06:36, Thomas Huth wrote:

>>>> In short this goes away if I again set icount to enabled for qtest,
>>>> basically ensuring that --enable-tcg is there and then reenabling icount.
>>>>
>>>> qtest was forcing icount and shift=0 by creating qemu options, in order to 
>>>> misuse its counter feature,
>>>> instead of using a separate counter.
>>>
>>> Why would it need a separate counter?  In both cases it's a
>>> manually-updated counter that is used for QEMU_CLOCK_VIRTUAL.  The only
>>> difference is that shift > 0 doesn't make sense for qtest.
>>
>> I think I would reverse the question. Why reuse for qtest a counter that has 
>> absolutely nothing to do with it?
>>
>> qtest has nothing to do with instruction counting.
> 
> Apart from the name, icount is more like deterministic execution than

Maybe we should start choosing names more carefully in a way to express what we 
mean?

> instruction counting (it's not a coincidence that record/replay is
> fundamentally based on icount).

record/replay is tcg-only.

>  qtests need to be deterministic and
> describe which qtest instructions run before a given timer fires and
> which run after.
> 
> And in both cases, determinism is achieved by controlling the
> advancement of QEMU_CLOCK_VIRTUAL.  It's only this central component of
> icount that is shared by qtest and TCG, and I think the problem is that
> this patch conflates all of them together:

I think that the existing code in master conflates them together actually.
Qtest can have its own counter, it does not need to be the icount instruction 
counter.


> 
> - the basic "is QEMU_CLOCK_VIRTUAL software-driven" part is embedded in
> qemu-timer and should not be carved out into a separate module.  This
> includes the use_icount variable, which should be kept in core QEMU code.

I don't see how this follows, how is using a global use_icount variable better 
than having this checked using icount_enabled()?

> 
> - the fact qtest uses -icount instead of configuring the variables
> directly is definitely a hack and can be removed.
> 
> - the adaptive frequency adjustment is definitely TCG specific, and so
> are the particular functions in cpus.c that test icount_enabled() and
> broke with this patch.  All this code should be included in the TCG
> module only or, before that, should be made conditional on $(CONFIG_TCG).
> 
> So I think this patch should have been the last, not the first. :)  Once
> you move all the accelerator runtime code from cpus.c to separate files,
> it will be possible to move the frequency adjustment and deadline
> management code into accel/tcg.  And then it will be obvious which code
> is not TCG-specific and can be extracted for convenience into a
> cpu-timers.c file.
> 
> Thanks,
> 
> Paolo
> 

I will come back to this later on, this patch seems to have uncovered an 
underlying issue, which shows on s390.

I'd rather now continue investigating that, choosing to try to actually 
understand the issue, rather than hiding it under the carpet.

Thanks,

Claudio



Re: [PATCH 3/3] cpu-timers, icount: new modules

2020-07-11 Thread Claudio Fontana
On 7/10/20 8:33 AM, Cornelia Huck wrote:
> On Thu, 9 Jul 2020 20:46:56 +0200
> Claudio Fontana  wrote:
> 
>> On 7/9/20 8:38 PM, Claudio Fontana wrote:
>>> On 7/8/20 5:05 PM, Paolo Bonzini wrote:  
>>>> On 08/07/20 17:00, Claudio Fontana wrote:
>>>>>> Bisectable, 100% failure rate, etc. :(  Can you split the patch in
>>>>>> multiple parts, specifically separating any rename or introducing of
>>>>>> includes from the final file move?
>>>>> Hi Paolo,
>>>>>
>>>>> will take a look!
>>>>>
>>>>> Is this captured by some travis / cirrus-ci / anything I can easily see 
>>>>> the result of?
>>>>>
>>>>>
>>>>
>>>> Nope, unfortunately we don't have an s390 CI.  But if you can get your
>>>> hands on one, just "./configure --target-list=s390x-softmmu && make &&
>>>> make check-block" will show it.
>>>
>>> So this is tricky, but I am making some progress after getting my hands on 
>>> one.
>>> Maybe if someone understands s390 keys better, I could be clued in.  
>>
>>
>> Also adding Cornelia to Cc:.
>>
>> Maybe the savevm_s390_storage_keys SaveVMHandlers etc assume that the icount 
>> state part of the vmstate is there?
> 
> I don't see anything that would deal with icount here. Adding Jason to
> cc: in case he has an idea. (I assume it would behave the same under
> KVM, as the only thing different are the internal callbacks.)
> 


I found out something that for me shows that more investigation here is 
warranted.


Here is my latest workaround for the problem:



diff --git a/hw/s390x/s390-skeys.c b/hw/s390x/s390-skeys.c
index 1e036cc602..47c9a015af 100644
--- a/hw/s390x/s390-skeys.c
+++ b/hw/s390x/s390-skeys.c
@@ -252,6 +252,8 @@ static const TypeInfo qemu_s390_skeys_info = {
 .class_size= sizeof(S390SKeysClass),
 };
 
+extern void qemu_fflush(QEMUFile *f);
+
 static void s390_storage_keys_save(QEMUFile *f, void *opaque)
 {
 S390SKeysState *ss = S390_SKEYS(opaque);
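Review bot: the hand-written "extern void qemu_fflush(QEMUFile *f);" above s390_storage_keys_save() duplicates a prototype that is declared elsewhere, so a later change to the real signature would still compile here against the stale copy. Include the header that declares qemu_fflush() instead of redeclaring it in s390-skeys.c.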
@@ -302,6 +304,7 @@ static void s390_storage_keys_save(QEMUFile *f, void 
*opaque)
 g_free(buf);
 end_stream:
 qemu_put_be64(f, eos);
+qemu_fflush(f);
 }
 
 static int s390_storage_keys_load(QEMUFile *f, void *opaque, int version_id)
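
Review bot: the qemu_fflush(f) added after qemu_put_be64(f, eos) carries no comment, and nothing in s390_storage_keys_save() explains why this one save handler needs an explicit flush. If the call stays, it needs a comment naming the failure it hides (the loader not seeing the EOS byte); a flush placed in a single device's handler covers only this writer, so it reads as a diagnostic aid rather than a fix.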



I think that this might imply that my patch changing the migration stream has 
only triggered an existing problem.

The symptom is: the load keys code does not see the EOS (byte value 1).
It does see the keys (which are all empty in the test, i.e. 32678 times the byte 
value 0). 

The workaround for the symptom: flush the qemu file after putting the EOS in 
there.


Any ideas on where to investigate next?

Thanks,

Claudio



>>
>>
>>>
>>> In short this goes away if I again set icount to enabled for qtest,
>>> basically ensuring that --enable-tcg is there and then reenabling icount.
>>>
>>> qtest was forcing icount and shift=0 by creating qemu options, in order to 
>>> misuse its counter feature,
>>> instead of using a separate counter.
>>>
>>> Removing that ugliness we end up with different behavior of save/load, 
>>> because vmstate will now suddenly not contain icount-related values anymore.
>>> What I do not understand is why this causes a problem because save should 
>>> just not store the icount state and load should just not load the icount 
>>> state,
>>> and why we die on the load of s390 keys state (it works just fine for other 
>>> architectures).
> 
> Yes, I don't really see why skeys is so special. No endianness stuff, I
> assume?
> 
>>>
>>> Here is a diff that makes the problem disappear, but needs --enable-tcg:
>>>
>>>
>>> 
>>> diff --git a/accel/qtest.c b/accel/qtest.c
>>> index 119d0f16a4..4cb16abc2c 100644
>>> --- a/accel/qtest.c
>>> +++ b/accel/qtest.c
>>> @@ -23,6 +23,12 @@
>>>  
>>>  static int qtest_init_accel(MachineState *ms)
>>>  {
>>> +QemuOpts *opts = qemu_opts_create(qemu_find_opts("icount"), NULL, 0,
>>> +  _abort);
>>> +qemu_opt_set(opts, "shift", "0", _abort);
>>> +icount_configure(opts, _abort);
>>> +qemu_opts_del(opts);
>>> +
>>>  return 0;
>>>  }
>>>  
>>> diff --git a/softmmu/vl.c b/softmmu/vl.c
>>> index f39fd5270b..a5e788c86a 100644
>>> --- a/softmmu/vl.c
>>> +++ b/softmmu/vl.c
>>> @@ -2786,10 +2786,12 @@ static void configure_accelerators(const char 
>>> *progname)
>>>  error_report("falling back to %s", ac->name);
>>>  }
>>>  
>>> +/*
>>>  if (icount_enabled() && !tcg_enabled()) {
>>>  error_report("-icount is not allowed with hardware 
>>> virtualization");
>>>  exit(1);
>>> }
>>> +*/
>>>  }
>>>  
>>>  static void create_default_memdev(MachineState *ms, const char *path)
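Review bot: in configure_accelerators() the "-icount is not allowed with hardware virtualization" check is switched off by wrapping it in /* */, which removes it for every accelerator and not only for qtest. Narrow the condition instead, for example by also testing qtest_enabled(), so that hardware accelerators still reject -icount.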
>>> 
>>>
>>> Without this patch, here is the full failure, maybe someone has a good 
>>> hint, otherwise I'll 

[Bug 1886318] Re: Qemu after v5.0.0 breaks macos guests

2020-07-11 Thread Simon John
qemu console screenshot, this is as far as it gets after clover:
https://i.imgur.com/HWY96Kq.png

same result with or without usb/pci passthrough, qxl/vnc, git master
HEAD or debian 5.0-6




[PATCH v4 17/22] tests/tcg/xtensa: update test_lsc for DFPU

2020-07-11 Thread Max Filippov
DFPU doesn't have pre-increment FP load/store opcodes, it has
post-increment opcodes instead. Test increment opcodes present in the
current config.

Signed-off-by: Max Filippov 
---
 tests/tcg/xtensa/test_lsc.S | 47 +++--
 1 file changed, 34 insertions(+), 13 deletions(-)

diff --git a/tests/tcg/xtensa/test_lsc.S b/tests/tcg/xtensa/test_lsc.S
index 0578bf19e72e..9d59c1815a9e 100644
--- a/tests/tcg/xtensa/test_lsc.S
+++ b/tests/tcg/xtensa/test_lsc.S
@@ -1,4 +1,5 @@
 #include "macros.inc"
+#include "fpu.h"
 
 test_suite lsc
 
@@ -9,9 +10,14 @@ test lsi
 wsr a2, cpenable
 
 movia2, 1f
-lsi f0, a2, 0
 lsi f1, a2, 4
+#if DFPU
+lsi f2, a2, 8
+lsipf0, a2, 8
+#else
+lsi f0, a2, 0
 lsiuf2, a2, 8
+#endif
 movia3, 1f + 8
 assert  eq, a2, a3
 rfr a2, f0
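Review bot: in the DFPU branch of test lsi the last operand of the final lsip is an increment applied after the load, not a displacement like the 8 in the lsi just above it, and the test does not say so. A one-line comment that lsip loads f0 from the unmodified a2 and then advances a2 by 8 would explain why the f0 load moved to the end and why the following assert still expects 1f + 8.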
@@ -34,13 +40,18 @@ test ssi
 movia2, 1f
 movia3, 0x4080
 wfr f3, a3
-ssi f3, a2, 0
 movia3, 0x40a0
 wfr f4, a3
-ssi f4, a2, 4
 movia3, 0x40c0
 wfr f5, a3
+ssi f4, a2, 4
+#if DFPU
+ssi f5, a2, 8
+ssipf3, a2, 8
+#else
+ssi f3, a2, 0
 ssiuf5, a2, 8
+#endif
 movia3, 1f + 8
 assert  eq, a2, a3
 l32ia4, a2, -8
@@ -62,11 +73,16 @@ test_end
 test lsx
 movia2, 1f
 movia3, 0
+movia4, 4
+movia5, 8
+lsx f7, a2, a4
+#if DFPU
+lsx f8, a2, a5
+lsxpf6, a2, a5
+#else
 lsx f6, a2, a3
-movia3, 4
-lsx f7, a2, a3
-movia3, 8
-lsxuf8, a2, a3
+lsxuf8, a2, a5
+#endif
 movia3, 1f + 8
 assert  eq, a2, a3
 rfr a2, f6
@@ -87,18 +103,23 @@ test_end
 
 test ssx
 movia2, 1f
-movia3, 0
 movia4, 0x4120
 wfr f9, a4
-ssx f9, a2, a3
-movia3, 4
 movia4, 0x4130
 wfr f10, a4
-ssx f10, a2, a3
-movia3, 8
 movia4, 0x4140
 wfr f11, a4
-ssxuf11, a2, a3
+movia3, 0
+movia4, 4
+movia5, 8
+ssx f10, a2, a4
+#if DFPU
+ssx f11, a2, a5
+ssxpf9, a2, a5
+#else
+ssx f9, a2, a3
+ssxuf11, a2, a5
+#endif
 movia3, 1f + 8
 assert  eq, a2, a3
 l32ia4, a2, -8
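Review bot: in test ssx the added movi a3, 0 is consumed only by the ssx f9, a2, a3 in the #else branch; with DFPU set, a3 is not read before the later movi a3, 1f + 8 overwrites it, so the load belongs inside #else. a4 also serves first as the scratch register for the wfr constants and then as the offset 4, which is correct only because the offset movi follows the last wfr; a short comment or a separate register would make that ordering dependency explicit.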
-- 
2.20.1




[PATCH v4 19/22] tests/tcg/xtensa: test double precision load/store

2020-07-11 Thread Max Filippov
Add ldi[p]/sdi[p]/ldx[p]/sdx[p] opcode tests to test_lsc.

Signed-off-by: Max Filippov 
---
 tests/tcg/xtensa/test_lsc.S | 123 
 1 file changed, 123 insertions(+)

diff --git a/tests/tcg/xtensa/test_lsc.S b/tests/tcg/xtensa/test_lsc.S
index 9d59c1815a9e..348822bdd359 100644
--- a/tests/tcg/xtensa/test_lsc.S
+++ b/tests/tcg/xtensa/test_lsc.S
@@ -140,4 +140,127 @@ test_end
 
 #endif
 
+#if XCHAL_HAVE_DFP
+
+#if XCHAL_HAVE_BE
+#define F64_HIGH_OFF 0
+#else
+#define F64_HIGH_OFF 4
+#endif
+
+.macro movdf fr, hi, lo
+movia2, \hi
+movia3, \lo
+wfrd\fr, a2, a3
+.endm
+
+test ldi
+movia2, 1
+wsr a2, cpenable
+
+movia2, 1f
+ldi f1, a2, 8
+ldi f2, a2, 16
+ldipf0, a2, 16
+movia3, 1f + 16
+assert  eq, a2, a3
+rfrda2, f0
+movia3, 0x3ff0
+assert  eq, a2, a3
+rfrda2, f1
+movia3, 0x4000
+assert  eq, a2, a3
+rfrda2, f2
+movia3, 0x4008
+assert  eq, a2, a3
+.data
+.align  8
+1:
+.double 1, 2, 3
+.text
+test_end
+
+test sdi
+movdf   f3, 0x4080, 0
+movdf   f4, 0x40a0, 0
+movdf   f5, 0x40c0, 0
+movia2, 1f
+sdi f4, a2, 8
+sdi f5, a2, 16
+sdipf3, a2, 16
+movia3, 1f + 16
+assert  eq, a2, a3
+l32ia4, a2, -16 + F64_HIGH_OFF
+movia3, 0x4080
+assert  eq, a4, a3
+l32ia4, a2, -8 + F64_HIGH_OFF
+movia3, 0x40a0
+assert  eq, a4, a3
+l32ia4, a2, F64_HIGH_OFF
+movia3, 0x40c0
+assert  eq, a4, a3
+.data
+.align  8
+1:
+.double 0, 0, 0
+.text
+test_end
+
+test ldx
+movia2, 1f
+movia3, 0
+movia4, 8
+movia5, 16
+ldx f7, a2, a4
+ldx f8, a2, a5
+ldxpf6, a2, a5
+movia3, 1f + 16
+assert  eq, a2, a3
+rfrda2, f6
+movia3, 0x401c
+assert  eq, a2, a3
+rfrda2, f7
+movia3, 0x4020
+assert  eq, a2, a3
+rfrda2, f8
+movia3, 0x4022
+assert  eq, a2, a3
+.data
+.align  8
+1:
+.double 7, 8, 9
+.text
+test_end
+
+test sdx
+movdf   f9, 0x4120, 0
+movdf   f10, 0x4130, 0
+movdf   f11, 0x4140, 0
+movia2, 1f
+movia3, 0
+movia4, 8
+movia5, 16
+sdx f10, a2, a4
+sdx f11, a2, a5
+sdxpf9, a2, a5
+movia3, 1f + 16
+assert  eq, a2, a3
+l32ia4, a2, -16 + F64_HIGH_OFF
+movia3, 0x4120
+assert  eq, a4, a3
+l32ia4, a2, -8 + F64_HIGH_OFF
+movia3, 0x4130
+assert  eq, a4, a3
+l32ia4, a2, F64_HIGH_OFF
+movia3, 0x4140
+assert  eq, a4, a3
+.data
+.align  8
+1:
+.double 0, 0, 0
+.text
+test_end
+
+#endif
+
 test_suite_end
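Review bot: the sdi and sdx tests read back only the word at F64_HIGH_OFF, and every movdf passes 0 as lo, so the low half of each stored double is never checked; the ldi and ldx tests likewise compare only the rfrd result for values (1, 2, 3, 7, 8, 9) whose low word is zero. Use at least one constant with a non-zero low word and assert on both halves. In test ldx and test sdx the movi a3, 0 is also dead, since a3 is not used as an index before movi a3, 1f + 16 overwrites it.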
-- 
2.20.1




[PATCH v4 18/22] tests/tcg/xtensa: add fp0 div and sqrt tests

2020-07-11 Thread Max Filippov
Test exact division/sqrt DFPU sequences.

Signed-off-by: Max Filippov 
---
 tests/tcg/xtensa/test_fp0_div.S  | 82 
 tests/tcg/xtensa/test_fp0_sqrt.S | 76 +
 2 files changed, 158 insertions(+)
 create mode 100644 tests/tcg/xtensa/test_fp0_div.S
 create mode 100644 tests/tcg/xtensa/test_fp0_sqrt.S

diff --git a/tests/tcg/xtensa/test_fp0_div.S b/tests/tcg/xtensa/test_fp0_div.S
new file mode 100644
index ..c3e7ad7bb5b3
--- /dev/null
+++ b/tests/tcg/xtensa/test_fp0_div.S
@@ -0,0 +1,82 @@
+#include "macros.inc"
+#include "fpu.h"
+
+test_suite fp0_div
+
+#if XCHAL_HAVE_FP_DIV
+
+.macro  divs_seq q, a, b, r, y, y0, an, bn, e, ex
+div0.s  \y0, \b
+nexp01.s\bn, \b
+const.s \e, 1
+maddn.s \e, \bn, \y0
+mov.s   \y, \y0
+mov.s   \ex, \b
+nexp01.s\an, \a
+maddn.s \y, \e, \y0
+const.s \e, 1
+const.s \q, 0
+neg.s   \r, \an
+maddn.s \e, \bn, \y
+maddn.s \q, \r, \y0
+mkdadj.s\ex, \a
+maddn.s \y, \e, \y
+maddn.s \r, \bn, \q
+const.s \e, 1
+maddn.s \e, \bn, \y
+maddn.s \q, \r, \y
+neg.s   \r, \an
+maddn.s \y, \e, \y
+maddn.s \r, \bn, \q
+addexpm.s   \q, \ex
+addexp.s\y, \ex
+divn.s  \q, \r, \y
+.endm
+
+.macro div_s fr0, fr1, fr2
+divs_seq\fr0, \fr1, \fr2, f9, f10, f11, f12, f13, f14, f15
+.endm
+
+.macro movfp fr, v
+movia2, \v
+wfr \fr, a2
+.endm
+
+.macro check_res fr, r, sr
+rfr a2, \fr
+dumpa2
+movia3, \r
+assert  eq, a2, a3
+rur a2, fsr
+movia3, \sr
+assert  eq, a2, a3
+.endm
+
+test div_s
+movia2, 1
+wsr a2, cpenable
+
+test_op2div_s, f0, f1, f2, 0x4000, 0x4040, \
+0x3f2b, 0x3f2a, 0x3f2b, 0x3f2a, \
+ FSR_I,  FSR_I,  FSR_I,  FSR_I
+test_op2div_s, f3, f4, f5, F32_1, F32_0, \
+F32_PINF, F32_PINF, F32_PINF, F32_PINF, \
+   FSR_Z,FSR_Z,FSR_Z,FSR_Z
+test_op2div_s, f6, f7, f8, F32_0, F32_0, \
+F32_DNAN, F32_DNAN, F32_DNAN, F32_DNAN, \
+   FSR_V,FSR_V,FSR_V,FSR_V
+
+/* MAX_FLOAT / 0.5 = +inf/MAX_FLOAT  */
+test_op2div_s, f0, f1, f2, F32_MAX, F32_0_5, \
+F32_PINF, F32_MAX, F32_PINF, F32_MAX, \
+  FSR_OI,  FSR_OI,   FSR_OI,  FSR_OI
+
+/* 0.5 / MAX_FLOAT = denorm  */
+test_op2div_s, f0, f1, f2, F32_0_5, F32_MAX, \
+0x0010, 0x0010, 0x0011, 0x0010, \
+FSR_UI, FSR_UI, FSR_UI, FSR_UI
+test_end
+
+#endif
+
+test_suite_end
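Review bot: `divs_seq` is a long instruction sequence with no comment on where it comes from or what each argument is for, and `div_s` hard-codes f9 to f15 as scratch registers, which only works because every `test_op2` call here keeps its operands in f0 to f8. A short comment stating the source of the sequence and the scratch-register constraint would stop a later test from silently clobbering its own inputs. `movfp` and `check_res` are also defined identically in test_fp0_sqrt.S in this patch; they could live in fpu.h.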
diff --git a/tests/tcg/xtensa/test_fp0_sqrt.S b/tests/tcg/xtensa/test_fp0_sqrt.S
new file mode 100644
index ..585973dce6bc
--- /dev/null
+++ b/tests/tcg/xtensa/test_fp0_sqrt.S
@@ -0,0 +1,76 @@
+#include "macros.inc"
+#include "fpu.h"
+
+test_suite fp0_sqrt
+
+#if XCHAL_HAVE_FP_SQRT
+
+.macro  sqrt_seq r, a, y, t1, hn, h2, t5, h
+sqrt0.s \y, \a
+const.s \t1, 0
+maddn.s \t1, \y, \y
+nexp01.s\hn, \a
+const.s \r, 3
+addexp.s\hn, \r
+maddn.s \r, \t1, \hn
+nexp01.s\t1, \a
+neg.s   \h2, \t1
+maddn.s \y, \r, \y
+const.s \r, 0
+const.s \t5, 0
+const.s \h, 0
+maddn.s \r, \h2, \y
+maddn.s \t5, \y, \hn
+const.s \hn, 3
+maddn.s \h, \hn, \y
+maddn.s \t1, \r, \r
+maddn.s \hn, \t5, \y
+neg.s   \y, \h
+maddn.s \r, \t1, \y
+maddn.s \h, \hn, \h
+mksadj.s\y, \a
+nexp01.s\a, \a
+maddn.s \a, \r, \r
+neg.s   \t1, \h
+addexpm.s   \r, \y
+addexp.s\t1, \y
+divn.s  \r, \a, \t1
+.endm
+
+.macro sqrt_s fr0, fr1
+sqrt_seq\fr0, \fr1, f10, f11, f12, f13, f14, f15
+.endm
+
+.macro movfp fr, v
+movia2, \v
+wfr \fr, a2
+.endm
+
+.macro check_res fr, r, sr
+rfr a2, \fr
+dumpa2
+movia3, \r
+assert  eq, a2, a3
+rur a2, fsr
+movia3, \sr
+assert  eq, a2, a3
+.endm
+
+test sqrt_s
+movia2, 1
+wsr a2, cpenable
+
+test_op1sqrt_s, f0, f1, 0x4000, \
+0x3fb504f3, 0x3fb504f3, 0x3fb504f4, 0x3fb504f3, \
+ FSR_I,  FSR_I,  FSR_I,  FSR_I
+test_op1sqrt_s, f3, f4, F32_1, \
+F32_1, F32_1, F32_1, F32_1, \
+FSR__, FSR__, FSR__, FSR__
+test_op1sqrt_s, f6, f7, F32_MINUS | F32_1, \
+F32_DNAN, F32_DNAN, F32_DNAN, F32_DNAN, \
+   FSR_V,FSR_V,FSR_V,FSR_V
+test_end
+
+#endif
+
+test_suite_end
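Review bot: `sqrt_seq` overwrites its input register (`nexp01.s \a, \a` followed by `maddn.s \a, \r, \r`), so `sqrt_s` destroys `fr1`. That is harmless for the three cases here, but it deserves a comment next to the macro, together with the fact that f10 to f15 are used as scratch. Coverage is also thinner than in the div test: only three inputs are exercised, with no zero, infinity, NaN or denormal operand.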
-- 
2.20.1




[PATCH v4 15/22] tests/tcg/xtensa: update test_fp0_conv for DFPU

2020-07-11 Thread Max Filippov
DFPU conversion opcodes update FSR flags. Add FSR parameters and
expected FSR register values for the conversion tests.

Signed-off-by: Max Filippov 
---
 tests/tcg/xtensa/test_fp0_conv.S | 299 ---
 1 file changed, 155 insertions(+), 144 deletions(-)

diff --git a/tests/tcg/xtensa/test_fp0_conv.S b/tests/tcg/xtensa/test_fp0_conv.S
index 147e3d5062df..cfee6e51790c 100644
--- a/tests/tcg/xtensa/test_fp0_conv.S
+++ b/tests/tcg/xtensa/test_fp0_conv.S
@@ -1,4 +1,5 @@
 #include "macros.inc"
+#include "fpu.h"
 
 test_suite fp0_conv
 
@@ -9,7 +10,7 @@ test_suite fp0_conv
 wfr \fr, a2
 .endm
 
-.macro test_ftoi_ex op, r0, fr0, v, c, r
+.macro test_ftoi_ex op, r0, fr0, v, c, r, sr
 movia2, 0
 wur a2, fsr
 movfp   \fr0, \v
@@ -18,20 +19,25 @@ test_suite fp0_conv
 movia3, \r
 assert  eq, \r0, a3
 rur a2, fsr
+#if DFPU
+movia3, \sr
+assert  eq, a2, a3
+#else
 assert  eqi, a2, 0
+#endif
 .endm
 
-.macro test_ftoi op, r0, fr0, v, c, r
+.macro test_ftoi op, r0, fr0, v, c, r, sr
 movia2, 0
 wur a2, fcr
-test_ftoi_ex \op, \r0, \fr0, \v, \c, \r
+test_ftoi_ex \op, \r0, \fr0, \v, \c, \r, \sr
 movia2, 0x7c
 wur a2, fcr
-test_ftoi_ex \op, \r0, \fr0, \v, \c, \r
+test_ftoi_ex \op, \r0, \fr0, \v, \c, \r, \sr
 .endm
 
 
-.macro test_itof_ex op, fr0, ar0, v, c, r
+.macro test_itof_ex op, fr0, ar0, v, c, r, sr
 movia2, 0
 wur a2, fsr
 movi\ar0, \v
@@ -42,23 +48,28 @@ test_suite fp0_conv
 movia3, \r
 assert  eq, a2, a3
 rur a2, fsr
+#if DFPU
+movia3, \sr
+assert  eq, a2, a3
+#else
 assert  eqi, a2, 0
+#endif
 .endm
 
-.macro test_itof_rm op, fr0, ar0, v, c, rm, r
+.macro test_itof_rm op, fr0, ar0, v, c, rm, r, sr
 movia2, \rm
 wur a2, fcr
-test_itof_ex \op, \fr0, \ar0, \v, \c, \r
+test_itof_ex \op, \fr0, \ar0, \v, \c, \r, \sr
 movia2, (\rm) | 0x7c
 wur a2, fcr
-test_itof_ex \op, \fr0, \ar0, \v, \c, \r
+test_itof_ex \op, \fr0, \ar0, \v, \c, \r, \sr
 .endm
 
-.macro test_itof op, fr0, ar0, v, c, r0, r1, r2, r3
-test_itof_rm \op, \fr0, \ar0, \v, \c, 0, \r0
-test_itof_rm \op, \fr0, \ar0, \v, \c, 1, \r1
-test_itof_rm \op, \fr0, \ar0, \v, \c, 2, \r2
-test_itof_rm \op, \fr0, \ar0, \v, \c, 3, \r3
+.macro test_itof op, fr0, ar0, v, c, r0, r1, r2, r3, sr
+test_itof_rm \op, \fr0, \ar0, \v, \c, 0, \r0, \sr
+test_itof_rm \op, \fr0, \ar0, \v, \c, 1, \r1, \sr
+test_itof_rm \op, \fr0, \ar0, \v, \c, 2, \r2, \sr
+test_itof_rm \op, \fr0, \ar0, \v, \c, 3, \r3, \sr
 .endm
 
 test round_s
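Review bot: the `#if DFPU` / `#else` / `#endif` FSR check added to `test_itof_ex` is the same block added to `test_ftoi_ex` in the previous hunk. A small helper macro taking `sr` would keep the two in step. `test_itof` also takes a single `sr` for all four rounding modes while it takes `r0` to `r3` for the results; a one-line comment saying the flags are expected not to depend on the rounding mode would show that this is deliberate.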
@@ -66,237 +77,237 @@ test round_s
 wsr a2, cpenable
 
 /* NaN */
-test_ftoi round.s, a2, f0, 0xffc1, 0, 0x7fff
-test_ftoi round.s, a2, f0, 0xff81, 0, 0x7fff
+test_ftoi round.s, a2, f0, 0xffc1, 0, 0x7fff, FSR_V
+test_ftoi round.s, a2, f0, 0xff81, 0, 0x7fff, FSR_V
 
 /* -inf */
-test_ftoi round.s, a2, f0, 0xff80, 0, 0x8000
+test_ftoi round.s, a2, f0, 0xff80, 0, 0x8000, FSR_V
 
 /* negative overflow */
-test_ftoi round.s, a2, f0, 0xceff, 1, 0x8000
-test_ftoi round.s, a2, f0, 0xcf00, 0, 0x8000
-test_ftoi round.s, a2, f0, 0xceff, 0, 0x8080
+test_ftoi round.s, a2, f0, 0xceff, 1, 0x8000, FSR_V
+test_ftoi round.s, a2, f0, 0xcf00, 0, 0x8000, FSR__
+test_ftoi round.s, a2, f0, 0xceff, 0, 0x8080, FSR__
 
 /* negative */
-test_ftoi round.s, a2, f0, 0xbfa0, 1, -2 /* -1.25 * 2 */
-test_ftoi round.s, a2, f0, 0xbfc0, 0, -2 /* -1.5 */
-test_ftoi round.s, a2, f0, 0xbf80, 1, -2 /* -1 * 2 */
-test_ftoi round.s, a2, f0, 0xbf80, 0, -1 /* -1 */
-test_ftoi round.s, a2, f0, 0xbf40, 0, -1 /* -0.75 */
-test_ftoi round.s, a2, f0, 0xbf00, 0, 0  /* -0.5 */
+test_ftoi round.s, a2, f0, 0xbfa0, 1, -2, FSR_I  /* -1.25 * 2 */
+test_ftoi round.s, a2, f0, 0xbfc0, 0, -2, FSR_I  /* -1.5 */
+test_ftoi round.s, a2, f0, 0xbf80, 1, -2, FSR__  /* -1 * 2 */
+test_ftoi round.s, a2, f0, 0xbf80, 0, -1, FSR__  /* -1 */
+test_ftoi round.s, a2, f0, 0xbf40, 0, -1, FSR_I  /* -0.75 */
+test_ftoi round.s, a2, f0, 0xbf00, 0,  0, FSR_I  /* -0.5 */
 
 /* positive */
-test_ftoi round.s, a2, f0, 0x3f00, 0, 0 /* 0.5 */
-test_ftoi round.s, a2, f0, 0x3f40, 0, 1 /* 0.75 */
-test_ftoi round.s, a2, f0, 0x3f80, 0, 1 /* 1 */
-test_ftoi round.s, a2, f0, 0x3f80, 1, 2 /* 1 * 2 */
-test_ftoi round.s, a2, f0, 0x3fc0, 0, 2 /* 1.5 */
-test_ftoi round.s, a2, f0, 0x3fa0, 1, 2 /* 1.25 * 2 */
+test_ftoi round.s, a2, f0, 0x3f00, 0, 0, FSR_I /* 0.5 */
+test_ftoi round.s, a2, f0, 0x3f40, 0, 1, FSR_I /* 0.75 */
+test_ftoi round.s, a2, f0, 0x3f80, 0, 1, FSR__ /* 1 */
+test_ftoi round.s, a2, f0, 0x3f80, 1, 2, FSR__ /* 1 * 2 */
+
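Review bot: under `/* negative overflow */` the three cases now expect different flags (`FSR_V`, then `FSR__` twice), but unlike the negative and positive cases below they carry no comment giving the operand value and scale, so the reader cannot tell why only the first one is invalid. Please annotate each of those lines the way the `/* -1.25 * 2 */` lines are.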

[PATCH v4 13/22] tests/tcg/xtensa: update test_fp0_arith for DFPU

2020-07-11 Thread Max Filippov
DFPU arithmetic opcodes update FSR flags. Add FSR parameters and
expected FSR register values for the arithmetic tests.

Signed-off-by: Max Filippov 
---
 tests/tcg/xtensa/fpu.h| 142 
 tests/tcg/xtensa/test_fp0_arith.S | 178 ++
 2 files changed, 223 insertions(+), 97 deletions(-)
 create mode 100644 tests/tcg/xtensa/fpu.h

diff --git a/tests/tcg/xtensa/fpu.h b/tests/tcg/xtensa/fpu.h
new file mode 100644
index ..42e321747304
--- /dev/null
+++ b/tests/tcg/xtensa/fpu.h
@@ -0,0 +1,142 @@
+#if XCHAL_HAVE_DFP || XCHAL_HAVE_FP_DIV
+#define DFPU 1
+#else
+#define DFPU 0
+#endif
+
+#define FCR_RM_NEAREST 0
+#define FCR_RM_TRUNC   1
+#define FCR_RM_CEIL2
+#define FCR_RM_FLOOR   3
+
+#define FSR__ 0x
+#define FSR_I 0x0080
+#define FSR_U 0x0100
+#define FSR_O 0x0200
+#define FSR_Z 0x0400
+#define FSR_V 0x0800
+
+#define FSR_UI (FSR_U | FSR_I)
+#define FSR_OI (FSR_O | FSR_I)
+
+#define F32_0   0x
+#define F32_0_5 0x3f00
+#define F32_1   0x3f80
+#define F32_MAX 0x7f7f
+#define F32_PINF0x7f80
+#define F32_NINF0xff80
+
+#define F32_DNAN0x7fc0
+#define F32_SNAN(v) (0x7f80 | (v))
+#define F32_QNAN(v) (0x7fc0 | (v))
+
+#define F32_MINUS   0x8000
+
+#define F64_0   0x
+#define F64_MIN_NORM0x0010
+#define F64_1   0x3ff0
+#define F64_MAX_2   0x7fe0
+#define F64_MAX 0x7fef
+#define F64_PINF0x7ff0
+#define F64_NINF0xfff0
+
+#define F64_DNAN0x7ff8
+#define F64_SNAN(v) (0x7ff0 | (v))
+#define F64_QNAN(v) (0x7ff8 | (v))
+
+#define F64_MINUS   0x8000
+
+.macro test_op1_rm op, fr0, fr1, v0, r, sr
+movia2, 0
+wur a2, fsr
+movfp   \fr0, \v0
+\op \fr1, \fr0
+check_res \fr1, \r, \sr
+.endm
+
+.macro test_op2_rm op, fr0, fr1, fr2, v0, v1, r, sr
+movia2, 0
+wur a2, fsr
+movfp   \fr0, \v0
+movfp   \fr1, \v1
+\op \fr2, \fr0, \fr1
+check_res \fr2, \r, \sr
+.endm
+
+.macro test_op3_rm op, fr0, fr1, fr2, fr3, v0, v1, v2, r, sr
+movia2, 0
+wur a2, fsr
+movfp   \fr0, \v0
+movfp   \fr1, \v1
+movfp   \fr2, \v2
+\op \fr0, \fr1, \fr2
+check_res \fr3, \r, \sr
+.endm
+
+.macro test_op1_ex op, fr0, fr1, v0, rm, r, sr
+movia2, \rm
+wur a2, fcr
+test_op1_rm \op, \fr0, \fr1, \v0, \r, \sr
+movia2, (\rm) | 0x7c
+wur a2, fcr
+test_op1_rm \op, \fr0, \fr1, \v0, \r, \sr
+.endm
+
+.macro test_op2_ex op, fr0, fr1, fr2, v0, v1, rm, r, sr
+movia2, \rm
+wur a2, fcr
+test_op2_rm \op, \fr0, \fr1, \fr2, \v0, \v1, \r, \sr
+movia2, (\rm) | 0x7c
+wur a2, fcr
+test_op2_rm \op, \fr0, \fr1, \fr2, \v0, \v1, \r, \sr
+.endm
+
+.macro test_op3_ex op, fr0, fr1, fr2, fr3, v0, v1, v2, rm, r, sr
+movia2, \rm
+wur a2, fcr
+test_op3_rm \op, \fr0, \fr1, \fr2, \fr3, \v0, \v1, \v2, \r, \sr
+movia2, (\rm) | 0x7c
+wur a2, fcr
+test_op3_rm \op, \fr0, \fr1, \fr2, \fr3, \v0, \v1, \v2, \r, \sr
+.endm
+
+.macro test_op1 op, fr0, fr1, v0, r0, r1, r2, r3, sr0, sr1, sr2, sr3
+test_op1_ex \op, \fr0, \fr1, \v0, 0, \r0, \sr0
+test_op1_ex \op, \fr0, \fr1, \v0, 1, \r1, \sr1
+test_op1_ex \op, \fr0, \fr1, \v0, 2, \r2, \sr2
+test_op1_ex \op, \fr0, \fr1, \v0, 3, \r3, \sr3
+.endm
+
+.macro test_op2 op, fr0, fr1, fr2, v0, v1, r0, r1, r2, r3, sr0, sr1, sr2, sr3
+test_op2_ex \op, \fr0, \fr1, \fr2, \v0, \v1, 0, \r0, \sr0
+test_op2_ex \op, \fr0, \fr1, \fr2, \v0, \v1, 1, \r1, \sr1
+test_op2_ex \op, \fr0, \fr1, \fr2, \v0, \v1, 2, \r2, \sr2
+test_op2_ex \op, \fr0, \fr1, \fr2, \v0, \v1, 3, \r3, \sr3
+.endm
+
+.macro test_op3 op, fr0, fr1, fr2, fr3, v0, v1, v2, r0, r1, r2, r3, sr0, sr1, 
sr2, sr3
+test_op3_ex \op, \fr0, \fr1, \fr2, \fr3, \v0, \v1, \v2, 0, \r0, \sr0
+test_op3_ex \op, \fr0, \fr1, \fr2, \fr3, \v0, \v1, \v2, 1, \r1, \sr1
+test_op3_ex \op, \fr0, \fr1, \fr2, \fr3, \v0, \v1, \v2, 2, \r2, \sr2
+test_op3_ex \op, \fr0, \fr1, \fr2, \fr3, \v0, \v1, \v2, 3, \r3, \sr3
+.endm
+
+.macro test_op2_cpe op
+set_vector  kernel, 2f
+movia2, 0
+wsr a2, cpenable
+1:
+\op f2, f0, f1
+test_fail
+2:
+rsr a2, excvaddr
+movia3, 1b
+assert  eq, a2, a3
+rsr a2, exccause
+movia3, 32
+assert  eq, a2, a3
+
+set_vector  kernel, 0
+movia2, 1
+wsr a2, cpenable
+.endm
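Review bot: in `test_op3_rm` the opcode writes `\fr0` (`\op \fr0, \fr1, \fr2`) but the result is checked in `\fr3`, so the macro is only correct when the caller passes the same register for `fr0` and `fr3`. Either drop the `fr3` parameter and check `\fr0`, or document the requirement. The literals `0x7c` in the `_ex` macros and `32` in `test_op2_cpe` would also read better as named constants next to the `FCR_RM_*` and `FSR_*` definitions.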
diff --git a/tests/tcg/xtensa/test_fp0_arith.S 
b/tests/tcg/xtensa/test_fp0_arith.S
index 253d033a3398..df870eb7a013 100644
--- a/tests/tcg/xtensa/test_fp0_arith.S
+++ b/tests/tcg/xtensa/test_fp0_arith.S
@@ -1,4 +1,5 @@
 #include "macros.inc"
+#include "fpu.h"
 
 test_suite fp0_arith
 
@@ -9,84 

[PATCH v4 16/22] tests/tcg/xtensa: update test_fp1 for DFPU

2020-07-11 Thread Max Filippov
DFPU sets Invalid flag in FSR when at least one argument of FP
comparison opcodes is NaN, SNaN for most opcodes, any NaN for olt/ole.
Add checks for FSR and expected FSR values.

Signed-off-by: Max Filippov 
---
 tests/tcg/xtensa/test_fp1.S | 62 -
 1 file changed, 34 insertions(+), 28 deletions(-)

diff --git a/tests/tcg/xtensa/test_fp1.S b/tests/tcg/xtensa/test_fp1.S
index 6e182e5964bd..77336a3fcf2c 100644
--- a/tests/tcg/xtensa/test_fp1.S
+++ b/tests/tcg/xtensa/test_fp1.S
@@ -1,4 +1,5 @@
 #include "macros.inc"
+#include "fpu.h"
 
 test_suite fp1
 
@@ -9,7 +10,7 @@ test_suite fp1
 wfr \fr, a2
 .endm
 
-.macro test_ord_ex op, br, fr0, fr1, v0, v1, r
+.macro test_ord_ex op, br, fr0, fr1, v0, v1, r, sr
 movia2, 0
 wur a2, fsr
 movfp   \fr0, \v0
@@ -20,65 +21,70 @@ test_suite fp1
 movta2, a3, \br
 assert  eqi, a2, \r
 rur a2, fsr
+#if DFPU
+movia3, \sr
+assert  eq, a2, a3
+#else
 assert  eqi, a2, 0
+#endif
 .endm
 
-.macro test_ord op, br, fr0, fr1, v0, v1, r
+.macro test_ord op, br, fr0, fr1, v0, v1, r, sr
 movia2, 0
 wur a2, fcr
-test_ord_ex \op, \br, \fr0, \fr1, \v0, \v1, \r
+test_ord_ex \op, \br, \fr0, \fr1, \v0, \v1, \r, \sr
 movia2, 0x7c
 wur a2, fcr
-test_ord_ex \op, \br, \fr0, \fr1, \v0, \v1, \r
+test_ord_ex \op, \br, \fr0, \fr1, \v0, \v1, \r, \sr
 .endm
 
-.macro test_ord_all op, aa, ab, ba, aPI, PIa, aN, Na, II, IN, NI
-test_ord \op  b0,  f0,  f1, 0x3f80, 0x3f80, \aa
-test_ord \op  b1,  f2,  f3, 0x3f80, 0x3fc0, \ab
-test_ord \op  b2,  f4,  f5, 0x3fc0, 0x3f80, \ba
-test_ord \op  b3,  f6,  f7, 0x3f80, 0x7f80, \aPI
-test_ord \op  b4,  f8,  f9, 0x7f80, 0x3f80, \PIa
-test_ord \op  b5, f10, f11, 0x3f80, 0xffc1, \aN
-test_ord \op  b6, f12, f13, 0x3f80, 0xff81, \aN
-test_ord \op  b7, f14, f15, 0x3f80, 0x7f81, \aN
-test_ord \op  b8,  f0,  f1, 0x3f80, 0x7fc0, \aN
-test_ord \op  b9,  f2,  f3, 0xffc1, 0x3f80, \Na
-test_ord \op b10,  f4,  f5, 0xff81, 0x3f80, \Na
-test_ord \op b11,  f6,  f7, 0x7f81, 0x3f80, \Na
-test_ord \op b12,  f8,  f9, 0x7fc0, 0x3f80, \Na
-test_ord \op b13, f10, f11, 0x7f80, 0x7f80, \II
-test_ord \op b14, f12, f13, 0x7f80, 0x7fc0, \IN
-test_ord \op b15, f14, f15, 0x7fc0, 0x7f80, \NI
+.macro test_ord_all op, aa, ab, ba, aPI, PIa, aN, Na, II, IN, NI, qnan_sr
+test_ord \op  b0,  f0,  f1, 0x3f80, 0x3f80, \aa,  FSR__/*   
ord == ord */
+test_ord \op  b1,  f2,  f3, 0x3f80, 0x3fc0, \ab,  FSR__/*   
ord <  ord */
+test_ord \op  b2,  f4,  f5, 0x3fc0, 0x3f80, \ba,  FSR__/*   
ord >  ord */
+test_ord \op  b3,  f6,  f7, 0x3f80, 0x7f80, \aPI, FSR__/*   
ord   +INF */
+test_ord \op  b4,  f8,  f9, 0x7f80, 0x3f80, \PIa, FSR__/*  
+INFord */
+test_ord \op  b5, f10, f11, 0x3f80, 0xffc1, \aN,  \qnan_sr /*   
ord  -QNaN */
+test_ord \op  b6, f12, f13, 0x3f80, 0xff81, \aN,  FSR_V/*   
ord  -SNaN */
+test_ord \op  b7, f14, f15, 0x3f80, 0x7f81, \aN,  FSR_V/*   
ord  +SNaN */
+test_ord \op  b8,  f0,  f1, 0x3f80, 0x7fc0, \aN,  \qnan_sr /*   
ord  +QNaN */
+test_ord \op  b9,  f2,  f3, 0xffc1, 0x3f80, \Na,  \qnan_sr /* 
-QNaNord */
+test_ord \op b10,  f4,  f5, 0xff81, 0x3f80, \Na,  FSR_V/* 
-SNaNord */
+test_ord \op b11,  f6,  f7, 0x7f81, 0x3f80, \Na,  FSR_V/* 
+SNaNord */
+test_ord \op b12,  f8,  f9, 0x7fc0, 0x3f80, \Na,  \qnan_sr /* 
+QNaNord */
+test_ord \op b13, f10, f11, 0x7f80, 0x7f80, \II,  FSR__/*  
+INF   +INF */
+test_ord \op b14, f12, f13, 0x7f80, 0x7fc0, \IN,  \qnan_sr /*  
+INF  +QNaN */
+test_ord \op b15, f14, f15, 0x7fc0, 0x7f80, \NI,  \qnan_sr /* 
+QNaN   +INF */
 .endm
 
 test un_s
 movia2, 1
 wsr a2, cpenable
-test_ord_all un.s, 0, 0, 0, 0, 0, 1, 1, 0, 1, 1
+test_ord_all un.s, 0, 0, 0, 0, 0, 1, 1, 0, 1, 1, FSR__
 test_end
 
 test oeq_s
-test_ord_all oeq.s, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0
+test_ord_all oeq.s, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, FSR__
 test_end
 
 test ueq_s
-test_ord_all ueq.s, 1, 0, 0, 0, 0, 1, 1, 1, 1, 1
+test_ord_all ueq.s, 1, 0, 0, 0, 0, 1, 1, 1, 1, 1, FSR__
 test_end
 
 test olt_s
-test_ord_all olt.s, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0
+test_ord_all olt.s, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, FSR_V
 test_end
 
 test ult_s
-test_ord_all ult.s, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1
+test_ord_all ult.s, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, FSR__
 test_end
 
 test ole_s
-test_ord_all ole.s, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0
+test_ord_all ole.s, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, FSR_V
 test_end
 
 test ule_s
-test_ord_all ule.s, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1
+test_ord_all ule.s, 
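Review bot: `test_ord_all` has no row where both operands are NaN. The point of the new `sr` column is that an SNaN operand always expects `FSR_V` while a QNaN operand expects the per-opcode `\qnan_sr`, so a QNaN/SNaN pair in each order would pin down which rule applies when the two are mixed. The b14 and b15 rows likewise pair infinity only with QNaN, never with SNaN.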

[PATCH v4 14/22] tests/tcg/xtensa: expand madd tests

2020-07-11 Thread Max Filippov
Test that madd doesn't do rounding after multiplication.
Test NaN propagation rules for FPU2000 and DFPU madd opcode.

Signed-off-by: Max Filippov 
---
Changes v2->v3:
- add more infzero tests for FPU2000 and DFPU

 tests/tcg/xtensa/test_fp0_arith.S | 104 ++
 1 file changed, 104 insertions(+)

diff --git a/tests/tcg/xtensa/test_fp0_arith.S 
b/tests/tcg/xtensa/test_fp0_arith.S
index df870eb7a013..7eefc1da409d 100644
--- a/tests/tcg/xtensa/test_fp0_arith.S
+++ b/tests/tcg/xtensa/test_fp0_arith.S
@@ -146,6 +146,110 @@ test madd_s
  FSR_I,  FSR_I,  FSR_I,  FSR_I
 test_end
 
+test madd_s_precision
+test_op3 madd.s, f0, f1, f2, f0, 0xbf82, 0x3f81, 0x3f81, \
+0x2880, 0x2880, 0x2880, 0x2880, \
+ FSR__,  FSR__,  FSR__,  FSR__
+test_end
+
+#if DFPU
+test madd_s_nan_dfpu
+/* DFPU madd/msub NaN1, NaN2, NaN3 priority: NaN1, NaN3, NaN2 */
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_1, F32_1, \
+F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.s, f0, f1, f2, f0, F32_1, F32_QNAN(2), F32_1, \
+F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.s, f0, f1, f2, f0, F32_1, F32_1, F32_QNAN(3), \
+F32_QNAN(3), F32_QNAN(3), F32_QNAN(3), F32_QNAN(3), \
+  FSR__,   FSR__,   FSR__,   FSR__
+
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_QNAN(2), F32_1, \
+F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_1, F32_QNAN(3), \
+F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.s, f0, f1, f2, f0, F32_1, F32_QNAN(2), F32_QNAN(3), \
+F32_QNAN(3), F32_QNAN(3), F32_QNAN(3), F32_QNAN(3), \
+  FSR__,   FSR__,   FSR__,   FSR__
+
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_QNAN(2), F32_QNAN(3), \
+F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), \
+  FSR__,   FSR__,   FSR__,   FSR__
+
+/* inf * 0 = default NaN */
+test_op3 madd.s, f0, f1, f2, f0, F32_1, F32_PINF, F32_0, \
+F32_DNAN, F32_DNAN, F32_DNAN, F32_DNAN, \
+   FSR_V,FSR_V,FSR_V,FSR_V
+/* inf * 0 + SNaN1 = QNaN1 */
+test_op3 madd.s, f0, f1, f2, f0, F32_SNAN(1), F32_PINF, F32_0, \
+F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), \
+  FSR_V,   FSR_V,   FSR_V,   FSR_V
+/* inf * 0 + QNaN1 = QNaN1 */
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_PINF, F32_0, \
+F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), \
+  FSR_V,   FSR_V,   FSR_V,   FSR_V
+
+/* madd/msub SNaN turns to QNaN and sets Invalid flag */
+test_op3 madd.s, f0, f1, f2, f0, F32_SNAN(1), F32_1, F32_1, \
+F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), \
+  FSR_V,   FSR_V,   FSR_V,   FSR_V
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_SNAN(2), F32_1, \
+F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), \
+  FSR_V,   FSR_V,   FSR_V,   FSR_V
+test_end
+#else
+test madd_s_nan_fpu2k
+/* FPU2000 madd/msub NaN1, NaN2, NaN3 priority: NaN2, NaN3, NaN1 */
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_1, F32_1, \
+F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.s, f0, f1, f2, f0, F32_1, F32_QNAN(2), F32_1, \
+F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.s, f0, f1, f2, f0, F32_1, F32_1, F32_QNAN(3), \
+F32_QNAN(3), F32_QNAN(3), F32_QNAN(3), F32_QNAN(3), \
+  FSR__,   FSR__,   FSR__,   FSR__
+
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_QNAN(2), F32_1, \
+F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_1, F32_QNAN(3), \
+F32_QNAN(3), F32_QNAN(3), F32_QNAN(3), F32_QNAN(3), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.s, f0, f1, f2, f0, F32_1, F32_QNAN(2), F32_QNAN(3), \
+F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), \
+  FSR__,   FSR__,   FSR__,   FSR__
+
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_QNAN(2), F32_QNAN(3), \
+F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), \
+  FSR__,   FSR__,   FSR__,   FSR__
+
+/* inf * 0 = default NaN */
+test_op3 madd.s, f0, f1, f2, f0, F32_1, F32_PINF, F32_0, 
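Review bot: in `madd_s_nan_dfpu` the cases under `/* madd/msub SNaN turns to QNaN and sets Invalid flag */` put the SNaN in the first and second operand only; there is no case with an SNaN as the third operand, although the priority comment at the top of the test covers all three positions. Those comments also say madd/msub while every case shown uses `madd.s`. `madd_s_precision` would benefit from a comment saying what product is being formed and why a multiply that rounded before the add would give a different result.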

[PATCH v4 10/22] target/xtensa: add DFPU registers and opcodes

2020-07-11 Thread Max Filippov
DFPU may be configured with 32-bit or with 64-bit registers. Xtensa ISA
does not specify how single-precision values are stored in 64-bit
registers. Existing implementations store them in the low half of the
registers.
Add value extraction and write back to single-precision opcodes.
Add new double precision opcodes. Add 64-bit register file.
Add 64-bit values dumping to the xtensa_cpu_dump_state.

Signed-off-by: Max Filippov 
---
Changes v3->v4:
- split into two patches
- add single-precision helpers that call set_use_first_nan
- call fpu2k helpers or the new helper depending on whether DFPU has
  only single precision configured.

 target/xtensa/cpu.c  |5 +
 target/xtensa/cpu.h  |3 +
 target/xtensa/fpu_helper.c   |  278 -
 target/xtensa/helper.h   |   34 +-
 target/xtensa/overlay_tool.h |1 +
 target/xtensa/translate.c| 1126 +-
 6 files changed, 1413 insertions(+), 34 deletions(-)

diff --git a/target/xtensa/cpu.c b/target/xtensa/cpu.c
index 82c2ee0679f8..6a033e778c95 100644
--- a/target/xtensa/cpu.c
+++ b/target/xtensa/cpu.c
@@ -31,6 +31,7 @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "cpu.h"
+#include "fpu/softfloat.h"
 #include "qemu/module.h"
 #include "migration/vmstate.h"
 
@@ -73,6 +74,8 @@ static void xtensa_cpu_reset(DeviceState *dev)
 XtensaCPU *cpu = XTENSA_CPU(s);
 XtensaCPUClass *xcc = XTENSA_CPU_GET_CLASS(cpu);
 CPUXtensaState *env = >env;
+bool dfpu = xtensa_option_enabled(env->config,
+  XTENSA_OPTION_DFP_COPROCESSOR);
 
 xcc->parent_reset(dev);
 
@@ -104,6 +107,8 @@ static void xtensa_cpu_reset(DeviceState *dev)
 reset_mmu(env);
 s->halted = env->runstall;
 #endif
+set_no_signaling_nans(!dfpu, >fp_status);
+set_use_first_nan(!dfpu, >fp_status);
 }
 
 static ObjectClass *xtensa_cpu_class_by_name(const char *cpu_model)
diff --git a/target/xtensa/cpu.h b/target/xtensa/cpu.h
index 6fc1565000b6..3bd4f691c1a0 100644
--- a/target/xtensa/cpu.h
+++ b/target/xtensa/cpu.h
@@ -422,6 +422,7 @@ typedef struct XtensaOpcodeTranslators {
 
 extern const XtensaOpcodeTranslators xtensa_core_opcodes;
 extern const XtensaOpcodeTranslators xtensa_fpu2000_opcodes;
+extern const XtensaOpcodeTranslators xtensa_fpu_opcodes;
 
 struct XtensaConfig {
 const char *name;
@@ -484,6 +485,8 @@ struct XtensaConfig {
 unsigned n_mpu_fg_segments;
 unsigned n_mpu_bg_segments;
 const xtensa_mpu_entry *mpu_bg;
+
+bool use_first_nan;
 };
 
 typedef struct XtensaConfigList {
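Review bot: `bool use_first_nan` is added to `XtensaConfig` without a comment, and the reset code in the cpu.c hunk above does not read it: `xtensa_cpu_reset` passes `!dfpu` to `set_use_first_nan`. Please document what the field selects and who sets it, or, if it duplicates what `!dfpu` already expresses, derive one from the other so the two cannot disagree.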
diff --git a/target/xtensa/fpu_helper.c b/target/xtensa/fpu_helper.c
index 35dacbd14d68..b5faf34ad080 100644
--- a/target/xtensa/fpu_helper.c
+++ b/target/xtensa/fpu_helper.c
@@ -33,6 +33,30 @@
 #include "exec/exec-all.h"
 #include "fpu/softfloat.h"
 
+enum {
+XTENSA_FP_I = 0x1,
+XTENSA_FP_U = 0x2,
+XTENSA_FP_O = 0x4,
+XTENSA_FP_Z = 0x8,
+XTENSA_FP_V = 0x10,
+};
+
+enum {
+XTENSA_FCR_FLAGS_SHIFT = 2,
+XTENSA_FSR_FLAGS_SHIFT = 7,
+};
+
+static const struct {
+uint32_t xtensa_fp_flag;
+int softfloat_fp_flag;
+} xtensa_fp_flag_map[] = {
+{ XTENSA_FP_I, float_flag_inexact, },
+{ XTENSA_FP_U, float_flag_underflow, },
+{ XTENSA_FP_O, float_flag_overflow, },
+{ XTENSA_FP_Z, float_flag_divbyzero, },
+{ XTENSA_FP_V, float_flag_invalid, },
+};
+
 void HELPER(wur_fpu2k_fcr)(CPUXtensaState *env, uint32_t v)
 {
 static const int rounding_mode[] = {
@@ -46,11 +70,72 @@ void HELPER(wur_fpu2k_fcr)(CPUXtensaState *env, uint32_t v)
 set_float_rounding_mode(rounding_mode[v & 3], >fp_status);
 }
 
+void HELPER(wur_fpu_fcr)(CPUXtensaState *env, uint32_t v)
+{
+static const int rounding_mode[] = {
+float_round_nearest_even,
+float_round_to_zero,
+float_round_up,
+float_round_down,
+};
+
+if (v & 0xf000) {
+qemu_log_mask(LOG_GUEST_ERROR,
+  "MBZ field of FCR is written non-zero: %08x\n", v);
+}
+env->uregs[FCR] = v & 0x007f;
+set_float_rounding_mode(rounding_mode[v & 3], >fp_status);
+}
+
+void HELPER(wur_fpu_fsr)(CPUXtensaState *env, uint32_t v)
+{
+uint32_t flags = v >> XTENSA_FSR_FLAGS_SHIFT;
+int fef = 0;
+unsigned i;
+
+if (v & 0xf000) {
+qemu_log_mask(LOG_GUEST_ERROR,
+  "MBZ field of FSR is written non-zero: %08x\n", v);
+}
+env->uregs[FSR] = v & 0x0f80;
+for (i = 0; i < ARRAY_SIZE(xtensa_fp_flag_map); ++i) {
+if (flags & xtensa_fp_flag_map[i].xtensa_fp_flag) {
+fef |= xtensa_fp_flag_map[i].softfloat_fp_flag;
+}
+}
+set_float_exception_flags(fef, >fp_status);
+}
+
+uint32_t HELPER(rur_fpu_fsr)(CPUXtensaState *env)
+{
+uint32_t flags = 0;
+int fef = get_float_exception_flags(>fp_status);
+unsigned i;
+
+for (i = 0; i < ARRAY_SIZE(xtensa_fp_flag_map); ++i) {
+if (fef & xtensa_fp_flag_map[i].softfloat_fp_flag) {
+
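Review bot: `wur_fpu_fcr` repeats the `rounding_mode[]` table that `wur_fpu2k_fcr` already defines just above; a single file-scope table would serve both. In `wur_fpu_fsr`, `flags` is taken from `v` before the must-be-zero bits are masked off for `env->uregs[FSR]`. That is harmless because only the five mapped bits are tested, but computing it from the stored value would make that obvious. `XTENSA_FCR_FLAGS_SHIFT` from the previous hunk is not used in the lines shown.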

[PATCH v4 12/22] tests/tcg/xtensa: fix test execution on ISS

2020-07-11 Thread Max Filippov
Space for test results may be allocated in IRAM which is only
word-accessible. Use full 32-bit words to access test results.

Signed-off-by: Max Filippov 
---
 tests/tcg/xtensa/macros.inc | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/tests/tcg/xtensa/macros.inc b/tests/tcg/xtensa/macros.inc
index aa8f95bce879..f88937c7bf82 100644
--- a/tests/tcg/xtensa/macros.inc
+++ b/tests/tcg/xtensa/macros.inc
@@ -3,7 +3,7 @@
 .macro test_suite name
 .data
 status: .word result
-result: .space 256
+result: .space 1024
 .text
 .global main
 .align 4
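Review bot: `result` is accessed with `l32i`/`s32i` in the later hunks, but nothing here aligns it: `.data` is followed directly by `status: .word result` and `result: .space 1024`, and the only `.align 4` is the one after `.text`. An explicit `.align 4` before `status` would make the word accesses safe regardless of what is placed ahead of this data. The 1024 also encodes 256 slots of 4 bytes; a named constant shared with the `addi ..., 4` stride would keep the two together.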
@@ -25,9 +25,9 @@ main:
 movia3, 0
 beqza2, 2f
 1:
-l8uia1, a0, 0
+l32ia1, a0, 0
 or  a3, a3, a1
-addia0, a0, 1
+addia0, a0, 4
 addia2, a2, -1
 bneza2, 1b
 2:
@@ -65,7 +65,7 @@ test_\name:
 reset_ps
 movia2, status
 l32ia3, a2, 0
-addia3, a3, 1
+addia3, a3, 4
 s32ia3, a2, 0
 .endm
 
@@ -78,7 +78,7 @@ test_\name:
 movia2, status
 l32ia2, a2, 0
 movia3, 1
-s8i a3, a2, 0
+s32ia3, a2, 0
 #ifdef DEBUG
 print   failed
 #endif
-- 
2.20.1




[PATCH v4 20/22] tests/tcg/xtensa: add DFP0 arithmetic tests

2020-07-11 Thread Max Filippov
Add test for basic double precision opcode properties.

Signed-off-by: Max Filippov 
---
Changes v2->v3:
- add more infzero tests for DFPU
- fix test names in test_dfp0_arith.S

 tests/tcg/xtensa/test_dfp0_arith.S | 162 +
 1 file changed, 162 insertions(+)
 create mode 100644 tests/tcg/xtensa/test_dfp0_arith.S

diff --git a/tests/tcg/xtensa/test_dfp0_arith.S 
b/tests/tcg/xtensa/test_dfp0_arith.S
new file mode 100644
index ..53bf8122d082
--- /dev/null
+++ b/tests/tcg/xtensa/test_dfp0_arith.S
@@ -0,0 +1,162 @@
+#include "macros.inc"
+#include "fpu.h"
+
+test_suite fp0_arith
+
+#if XCHAL_HAVE_DFP
+
+.macro movfp fr, v
+movia2, ((\v) >> 32) & 0x
+movia3, ((\v) & 0x)
+wfrd\fr, a2, a3
+.endm
+
+.macro check_res fr, r, sr
+rfrda2, \fr
+dumpa2
+movia3, ((\r) >> 32) & 0x
+assert  eq, a2, a3
+rfra2, \fr
+dumpa2
+movia3, ((\r) & 0x)
+assert  eq, a2, a3
+rur a2, fsr
+movia3, \sr
+assert  eq, a2, a3
+.endm
+
+test add_d
+movia2, 1
+wsr a2, cpenable
+
+/* MAX_FLOAT + MAX_FLOAT = +inf/MAX_FLOAT  */
+test_op2 add.d, f6, f7, f8, F64_MAX, F64_MAX, \
+F64_PINF, F64_MAX, F64_PINF, F64_MAX, \
+  FSR_OI,  FSR_OI,   FSR_OI,  FSR_OI
+test_end
+
+test add_d_inf
+/* 1 + +inf = +inf  */
+test_op2 add.d, f6, f7, f8, F64_1, F64_PINF, \
+F64_PINF, F64_PINF, F64_PINF, F64_PINF, \
+   FSR__,FSR__,FSR__,FSR__
+
+/* +inf + -inf = default NaN */
+test_op2 add.d, f0, f1, f2, F64_PINF, F64_NINF, \
+F64_DNAN, F64_DNAN, F64_DNAN, F64_DNAN, \
+   FSR_V,FSR_V,FSR_V,FSR_V
+test_end
+
+test add_d_nan_dfpu
+/* 1 + QNaN = QNaN  */
+test_op2 add.d, f9, f10, f11, F64_1, F64_QNAN(1), \
+F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), \
+  FSR__,   FSR__,   FSR__,   FSR__
+/* 1 + SNaN = QNaN  */
+test_op2 add.d, f12, f13, f14, F64_1, F64_SNAN(1), \
+F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), \
+  FSR_V,   FSR_V,   FSR_V,   FSR_V
+
+/* SNaN1 + SNaN2 = QNaN2 */
+test_op2 add.d, f15, f0, f1, F64_SNAN(1), F64_SNAN(2), \
+F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), \
+  FSR_V,   FSR_V,   FSR_V,   FSR_V
+/* QNaN1 + SNaN2 = QNaN2 */
+test_op2 add.d, f5, f6, f7, F64_QNAN(1), F64_SNAN(2), \
+F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), \
+  FSR_V,   FSR_V,   FSR_V,   FSR_V
+/* SNaN1 + QNaN2 = QNaN2 */
+test_op2 add.d, f8, f9, f10, F64_SNAN(1), F64_QNAN(2), \
+F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), \
+  FSR_V,   FSR_V,   FSR_V,   FSR_V
+test_end
+
+test sub_d
+/* norm - norm = denorm */
+test_op2 sub.d, f6, f7, f8, F64_MIN_NORM | 1, F64_MIN_NORM, \
+0x0001, 0x0001, 0x0001, 0x0001, \
+ FSR__,  FSR__,  FSR__,  FSR__
+test_end
+
+test mul_d
+test_op2 mul.d, f0, f1, f2, F64_1 | 1, F64_1 | 1, \
+F64_1 | 2, F64_1 | 2, F64_1 | 3, F64_1 | 2, \
+FSR_I, FSR_I, FSR_I, FSR_I
+/* MAX_FLOAT/2 * MAX_FLOAT/2 = +inf/MAX_FLOAT  */
+test_op2 mul.d, f6, f7, f8, F64_MAX_2, F64_MAX_2, \
+F64_PINF, F64_MAX, F64_PINF, F64_MAX, \
+  FSR_OI,  FSR_OI,   FSR_OI,  FSR_OI
+/* min norm * min norm = 0/denorm */
+test_op2 mul.d, f6, f7, f8, F64_MIN_NORM, F64_MIN_NORM, \
+ F64_0,  F64_0, 0x0001,  F64_0, \
+FSR_UI, FSR_UI, FSR_UI, FSR_UI
+/* inf * 0 = default NaN */
+test_op2 mul.d, f6, f7, f8, F64_PINF, F64_0, \
+F64_DNAN, F64_DNAN, F64_DNAN, F64_DNAN, \
+   FSR_V,FSR_V,FSR_V,FSR_V
+test_end
+
+test madd_d
+test_op3 madd.d, f0, f1, f2, f0, F64_0, F64_1 | 1, F64_1 | 1, \
+F64_1 | 2, F64_1 | 2, F64_1 | 3, F64_1 | 2, \
+FSR_I, FSR_I, FSR_I, FSR_I
+test_end
+
+test madd_d_precision
+test_op3 madd.d, f0, f1, f2, f0, \
+F64_MINUS | F64_1 | 2, F64_1 | 1, F64_1 | 1, \
+0x3970, 0x3970, 0x3970, 
0x3970, \
+ FSR__,  FSR__,  FSR__,  FSR__
+test_end
+
+test madd_d_nan_dfpu
+/* DFPU madd/msub NaN1, NaN2, NaN3 priority: NaN1, NaN3, NaN2 */
+test_op3 madd.d, f0, f1, f2, f0, F64_QNAN(1), F64_1, F64_1, \
+F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.d, f0, f1, f2, f0, F64_1, F64_QNAN(2), F64_1, \
+F64_QNAN(2), F64_QNAN(2), F64_QNAN(2), F64_QNAN(2), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.d, f0, f1, f2, f0, F64_1, F64_1, F64_QNAN(3), \
+F64_QNAN(3), F64_QNAN(3), F64_QNAN(3), F64_QNAN(3), \
+  FSR__,   FSR__,   FSR__, 
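Review bot: the comments in `add_d_nan_dfpu` do not match the expected values: `/* SNaN1 + SNaN2 = QNaN2 */`, `/* QNaN1 + SNaN2 = QNaN2 */` and `/* SNaN1 + QNaN2 = QNaN2 */` all sit above cases that expect `F64_QNAN(1)`. Either the comments or the expected results need correcting. The file also opens with `test_suite fp0_arith`, the same suite name as test_fp0_arith.S; `dfp0_arith` would match the file name.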

[PATCH v4 08/22] target/xtensa: don't access BR regfile directly

2020-07-11 Thread Max Filippov
BR registers used in FPU comparison opcodes are available as opcode
arguments for translators. Use them. This simplifies comparison helpers
interface and makes them usable in FLIX bundles.

Reviewed-by: Richard Henderson 
Signed-off-by: Max Filippov 
---
 target/xtensa/fpu_helper.c | 42 +-
 target/xtensa/helper.h | 14 ++---
 target/xtensa/translate.c  | 20 ++
 3 files changed, 42 insertions(+), 34 deletions(-)

diff --git a/target/xtensa/fpu_helper.c b/target/xtensa/fpu_helper.c
index 46e231bdaa51..35dacbd14d68 100644
--- a/target/xtensa/fpu_helper.c
+++ b/target/xtensa/fpu_helper.c
@@ -120,49 +120,45 @@ float32 HELPER(uitof_s)(CPUXtensaState *env, uint32_t v, 
uint32_t scale)
   (int32_t)scale, >fp_status);
 }
 
-static inline void set_br(CPUXtensaState *env, bool v, uint32_t br)
+uint32_t HELPER(un_s)(CPUXtensaState *env, float32 a, float32 b)
 {
-if (v) {
-env->sregs[BR] |= br;
-} else {
-env->sregs[BR] &= ~br;
-}
-}
-
-void HELPER(un_s)(CPUXtensaState *env, uint32_t br, float32 a, float32 b)
-{
-set_br(env, float32_unordered_quiet(a, b, >fp_status), br);
+return float32_unordered_quiet(a, b, >fp_status);
 }
 
-void HELPER(oeq_s)(CPUXtensaState *env, uint32_t br, float32 a, float32 b)
+uint32_t HELPER(oeq_s)(CPUXtensaState *env, float32 a, float32 b)
 {
-set_br(env, float32_eq_quiet(a, b, >fp_status), br);
+return float32_eq_quiet(a, b, >fp_status);
 }
 
-void HELPER(ueq_s)(CPUXtensaState *env, uint32_t br, float32 a, float32 b)
+uint32_t HELPER(ueq_s)(CPUXtensaState *env, float32 a, float32 b)
 {
 FloatRelation v = float32_compare_quiet(a, b, >fp_status);
-set_br(env, v == float_relation_equal || v == float_relation_unordered, 
br);
+
+return v == float_relation_equal ||
+   v == float_relation_unordered;
 }
 
-void HELPER(olt_s)(CPUXtensaState *env, uint32_t br, float32 a, float32 b)
+uint32_t HELPER(olt_s)(CPUXtensaState *env, float32 a, float32 b)
 {
-set_br(env, float32_lt_quiet(a, b, >fp_status), br);
+return float32_lt_quiet(a, b, >fp_status);
 }
 
-void HELPER(ult_s)(CPUXtensaState *env, uint32_t br, float32 a, float32 b)
+uint32_t HELPER(ult_s)(CPUXtensaState *env, float32 a, float32 b)
 {
 FloatRelation v = float32_compare_quiet(a, b, >fp_status);
-set_br(env, v == float_relation_less || v == float_relation_unordered, br);
+
+return v == float_relation_less ||
+   v == float_relation_unordered;
 }
 
-void HELPER(ole_s)(CPUXtensaState *env, uint32_t br, float32 a, float32 b)
+uint32_t HELPER(ole_s)(CPUXtensaState *env, float32 a, float32 b)
 {
-set_br(env, float32_le_quiet(a, b, >fp_status), br);
+return float32_le_quiet(a, b, >fp_status);
 }
 
-void HELPER(ule_s)(CPUXtensaState *env, uint32_t br, float32 a, float32 b)
+uint32_t HELPER(ule_s)(CPUXtensaState *env, float32 a, float32 b)
 {
 FloatRelation v = float32_compare_quiet(a, b, >fp_status);
-set_br(env, v != float_relation_greater, br);
+
+return v != float_relation_greater;
 }
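Review bot: the rewritten helpers (un_s through ule_s) now return the comparison result as uint32_t, but nothing in this hunk documents that the value is always 0 or 1. With set_br() gone, the caller has to place the result into the right BR bit itself, so a one-line comment above HELPER(un_s) stating that contract would keep a future helper from returning a wider mask by mistake.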
diff --git a/target/xtensa/helper.h b/target/xtensa/helper.h
index bce31cbd9ff1..02c00d8461c0 100644
--- a/target/xtensa/helper.h
+++ b/target/xtensa/helper.h
@@ -59,13 +59,13 @@ DEF_HELPER_FLAGS_3(ftoui_s, TCG_CALL_NO_RWG_SE, i32, f32, 
i32, i32)
 DEF_HELPER_3(itof_s, f32, env, i32, i32)
 DEF_HELPER_3(uitof_s, f32, env, i32, i32)
 
-DEF_HELPER_4(un_s, void, env, i32, f32, f32)
-DEF_HELPER_4(oeq_s, void, env, i32, f32, f32)
-DEF_HELPER_4(ueq_s, void, env, i32, f32, f32)
-DEF_HELPER_4(olt_s, void, env, i32, f32, f32)
-DEF_HELPER_4(ult_s, void, env, i32, f32, f32)
-DEF_HELPER_4(ole_s, void, env, i32, f32, f32)
-DEF_HELPER_4(ule_s, void, env, i32, f32, f32)
+DEF_HELPER_3(un_s,  i32, env, f32, f32)
+DEF_HELPER_3(oeq_s, i32, env, f32, f32)
+DEF_HELPER_3(ueq_s, i32, env, f32, f32)
+DEF_HELPER_3(olt_s, i32, env, f32, f32)
+DEF_HELPER_3(ult_s, i32, env, f32, f32)
+DEF_HELPER_3(ole_s, i32, env, f32, f32)
+DEF_HELPER_3(ule_s, i32, env, f32, f32)
 
 DEF_HELPER_2(rer, i32, env, i32)
 DEF_HELPER_3(wer, void, env, i32, i32)
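Review bot: with the BR update moved out of the helpers, the seven new DEF_HELPER_3 declarations could probably carry call flags. If env->sregs[BR] was the only TCG global these helpers touched, declaring them as DEF_HELPER_FLAGS_3(un_s, TCG_CALL_NO_RWG, i32, env, f32, f32) and likewise for the rest would let TCG skip syncing globals around the call. They still update fp_status through env, so the _SE variant used by ftoui_s in the context above would not apply.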
diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index 1b643881e6e9..67a92379f9dc 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -6319,7 +6319,7 @@ enum {
 static void translate_compare_s(DisasContext *dc, const OpcodeArg arg[],
 const uint32_t par[])
 {
-static void (* const helper[])(TCGv_env env, TCGv_i32 bit,
+static void (* const helper[])(TCGv_i32 res, TCGv_env env,
TCGv_i32 s, TCGv_i32 t) = {
 [COMPARE_UN] = gen_helper_un_s,
 [COMPARE_OEQ] = gen_helper_oeq_s,
@@ -6329,10 +6329,22 @@ static void translate_compare_s(DisasContext *dc, const 
OpcodeArg arg[],
 [COMPARE_OLE] = gen_helper_ole_s,
 [COMPARE_ULE] = gen_helper_ule_s,
 };
-TCGv_i32 bit = tcg_const_i32(1 << arg[0].imm);
+TCGv_i32 zero = 

[PATCH v4 09/22] target/xtensa: add DFPU option

2020-07-11 Thread Max Filippov
Double precision floating point unit is a FPU implementation different
from the FPU2000 in the following ways:
- it may be configured with only single or with both single and double
  precision operations support;
- it may be configured with division and square root opcodes;
- FSR register accumulates inValid, division by Zero, Overflow,
  Underflow and Inexact result flags of operations;
- QNaNs and SNaNs are handled properly;
- NaN propagation rules are different.

Signed-off-by: Max Filippov 
---
Changes v3->v4:
- new patch split from the next one

 target/xtensa/cpu.h  |  2 ++
 target/xtensa/overlay_tool.h | 23 +++
 2 files changed, 25 insertions(+)

diff --git a/target/xtensa/cpu.h b/target/xtensa/cpu.h
index 960f6573447f..6fc1565000b6 100644
--- a/target/xtensa/cpu.h
+++ b/target/xtensa/cpu.h
@@ -52,6 +52,8 @@ enum {
 XTENSA_OPTION_COPROCESSOR,
 XTENSA_OPTION_BOOLEAN,
 XTENSA_OPTION_FP_COPROCESSOR,
+XTENSA_OPTION_DFP_COPROCESSOR,
+XTENSA_OPTION_DFPU_SINGLE_ONLY,
 XTENSA_OPTION_MP_SYNCHRO,
 XTENSA_OPTION_CONDITIONAL_STORE,
 XTENSA_OPTION_ATOMCTL,
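Review bot: XTENSA_OPTION_DFP_COPROCESSOR and XTENSA_OPTION_DFPU_SINGLE_ONLY are inserted in the middle of the enum, which shifts the numeric value of XTENSA_OPTION_MP_SYNCHRO and every option after it. That is harmless as long as the values are only ever used symbolically within one build; if anything stores or compares raw option numbers, appending the new entries at the end would be safer. Worth a sentence in the commit message either way.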
diff --git a/target/xtensa/overlay_tool.h b/target/xtensa/overlay_tool.h
index eb9f08af0bf6..9f0846c86b65 100644
--- a/target/xtensa/overlay_tool.h
+++ b/target/xtensa/overlay_tool.h
@@ -39,6 +39,26 @@
 #define XCHAL_HAVE_DEPBITS 0
 #endif
 
+#ifndef XCHAL_HAVE_DFP
+#define XCHAL_HAVE_DFP 0
+#endif
+
+#ifndef XCHAL_HAVE_DFPU_SINGLE_ONLY
+#define XCHAL_HAVE_DFPU_SINGLE_ONLY 0
+#endif
+
+#ifndef XCHAL_HAVE_DFPU_SINGLE_DOUBLE
+#define XCHAL_HAVE_DFPU_SINGLE_DOUBLE XCHAL_HAVE_DFP
+#endif
+
+/*
+ * We need to know the type of FP unit, not only its precision.
+ * Unfortunately XCHAL macros don't tell this explicitly.
+ */
+#define XCHAL_HAVE_DFPU (XCHAL_HAVE_DFP || \
+ XCHAL_HAVE_DFPU_SINGLE_ONLY || \
+ XCHAL_HAVE_DFPU_SINGLE_DOUBLE)
+
 #ifndef XCHAL_HAVE_DIV32
 #define XCHAL_HAVE_DIV32 0
 #endif
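Review bot: XCHAL_HAVE_DFPU is the only macro in this block defined without an #ifndef guard, so an overlay that already defines that name would hit a redefinition. Either guard it like the three macros above, or extend the comment to say the name is private to this header and must not come from the overlay. The comment could also state why XCHAL_HAVE_DFP appears in the expression when XCHAL_HAVE_DFPU_SINGLE_DOUBLE already defaults to it.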
@@ -99,6 +119,9 @@
 XCHAL_OPTION(XCHAL_HAVE_CP, XTENSA_OPTION_COPROCESSOR) | \
 XCHAL_OPTION(XCHAL_HAVE_BOOLEANS, XTENSA_OPTION_BOOLEAN) | \
 XCHAL_OPTION(XCHAL_HAVE_FP, XTENSA_OPTION_FP_COPROCESSOR) | \
+XCHAL_OPTION(XCHAL_HAVE_DFPU, XTENSA_OPTION_DFP_COPROCESSOR) | \
+XCHAL_OPTION(XCHAL_HAVE_DFPU_SINGLE_ONLY, \
+ XTENSA_OPTION_DFPU_SINGLE_ONLY) | \
 XCHAL_OPTION(XCHAL_HAVE_RELEASE_SYNC, XTENSA_OPTION_MP_SYNCHRO) | \
 XCHAL_OPTION(XCHAL_HAVE_S32C1I, XTENSA_OPTION_CONDITIONAL_STORE) | \
 XCHAL_OPTION(((XCHAL_HAVE_S32C1I && XCHAL_HW_VERSION >= 23) || \
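Review bot: XCHAL_HAVE_FP still maps to XTENSA_OPTION_FP_COPROCESSOR on the line above the new entries, so a configuration whose overlay sets both XCHAL_HAVE_FP and one of the DFPU macros ends up with FP_COPROCESSOR and DFP_COPROCESSOR both enabled. The commit message describes the DFPU as a different implementation from the FPU2000; if the two options are meant to be mutually exclusive, mask XCHAL_HAVE_FP with !XCHAL_HAVE_DFPU here, and if they are not, document which one takes precedence.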
-- 
2.20.1




[PATCH v4 11/22] target/xtensa: implement FPU division and square root

2020-07-11 Thread Max Filippov
This does not implement all opcodes related to div/sqrt as specified in
the xtensa ISA, partly because the official specification is not
complete and partly because precise implementation is unnecessarily
complex. Instead instructions specific to the div/sqrt sequences are
implemented differently, most of them as nops, but the results of
div/sqrt sequences are preserved.

Signed-off-by: Max Filippov 
---
 target/xtensa/fpu_helper.c |  24 +
 target/xtensa/helper.h |   4 ++
 target/xtensa/translate.c  | 104 +
 3 files changed, 132 insertions(+)

diff --git a/target/xtensa/fpu_helper.c b/target/xtensa/fpu_helper.c
index b5faf34ad080..ba3c29d19d91 100644
--- a/target/xtensa/fpu_helper.c
+++ b/target/xtensa/fpu_helper.c
@@ -231,6 +231,30 @@ float32 HELPER(msub_s)(CPUXtensaState *env, float32 a, 
float32 b, float32 c)
   >fp_status);
 }
 
+float64 HELPER(mkdadj_d)(CPUXtensaState *env, float64 a, float64 b)
+{
+set_use_first_nan(true, >fp_status);
+return float64_div(b, a, >fp_status);
+}
+
+float32 HELPER(mkdadj_s)(CPUXtensaState *env, float32 a, float32 b)
+{
+set_use_first_nan(env->config->use_first_nan, >fp_status);
+return float32_div(b, a, >fp_status);
+}
+
+float64 HELPER(mksadj_d)(CPUXtensaState *env, float64 v)
+{
+set_use_first_nan(true, >fp_status);
+return float64_sqrt(v, >fp_status);
+}
+
+float32 HELPER(mksadj_s)(CPUXtensaState *env, float32 v)
+{
+set_use_first_nan(env->config->use_first_nan, >fp_status);
+return float32_sqrt(v, >fp_status);
+}
+
 uint32_t HELPER(ftoi_d)(CPUXtensaState *env, float64 v,
 uint32_t rounding_mode, uint32_t scale)
 {
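Review bot: mkdadj_d and mksadj_d call set_use_first_nan(true, ...) while the _s variants pass env->config->use_first_nan, and the hunk gives no reason for the difference. A short comment would help, along with one on float64_div(b, a, ...) and float32_div(b, a, ...) explaining the swapped operand order. Also note that the hunk does not restore the previous setting after the call, so the value written into fp_status stays in effect for whatever FP helper runs next unless that helper sets it again.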
diff --git a/target/xtensa/helper.h b/target/xtensa/helper.h
index 095f754671ce..ae938ceedb80 100644
--- a/target/xtensa/helper.h
+++ b/target/xtensa/helper.h
@@ -83,6 +83,10 @@ DEF_HELPER_4(madd_d, f64, env, f64, f64, f64)
 DEF_HELPER_4(madd_s, f32, env, f32, f32, f32)
 DEF_HELPER_4(msub_d, f64, env, f64, f64, f64)
 DEF_HELPER_4(msub_s, f32, env, f32, f32, f32)
+DEF_HELPER_3(mkdadj_d, f64, env, f64, f64)
+DEF_HELPER_3(mkdadj_s, f32, env, f32, f32)
+DEF_HELPER_2(mksadj_d, f64, env, f64)
+DEF_HELPER_2(mksadj_s, f32, env, f32)
 DEF_HELPER_4(ftoi_d, i32, env, f64, i32, i32)
 DEF_HELPER_4(ftoui_d, i32, env, f64, i32, i32)
 DEF_HELPER_3(itof_d, f64, env, i32, i32)
diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index fff29cc25dd1..944a157747cd 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -7314,6 +7314,38 @@ static void translate_sub_s(DisasContext *dc, const 
OpcodeArg arg[],
 }
 }
 
+static void translate_mkdadj_d(DisasContext *dc, const OpcodeArg arg[],
+   const uint32_t par[])
+{
+gen_helper_mkdadj_d(arg[0].out, cpu_env, arg[0].in, arg[1].in);
+}
+
+static void translate_mkdadj_s(DisasContext *dc, const OpcodeArg arg[],
+   const uint32_t par[])
+{
+OpcodeArg arg32[2];
+
+get_f32_o1_i2(arg, arg32, 0, 0, 1);
+gen_helper_mkdadj_s(arg32[0].out, cpu_env, arg32[0].in, arg32[1].in);
+put_f32_o1_i2(arg, arg32, 0, 0, 1);
+}
+
+static void translate_mksadj_d(DisasContext *dc, const OpcodeArg arg[],
+   const uint32_t par[])
+{
+gen_helper_mksadj_d(arg[0].out, cpu_env, arg[1].in);
+}
+
+static void translate_mksadj_s(DisasContext *dc, const OpcodeArg arg[],
+   const uint32_t par[])
+{
+OpcodeArg arg32[2];
+
+get_f32_o1_i1(arg, arg32, 0, 1);
+gen_helper_mksadj_s(arg32[0].out, cpu_env, arg32[1].in);
+put_f32_o1_i1(arg, arg32, 0, 1);
+}
+
 static void translate_wur_fpu_fcr(DisasContext *dc, const OpcodeArg arg[],
   const uint32_t par[])
 {
@@ -7349,6 +7381,22 @@ static const XtensaOpcodeOps fpu_ops[] = {
 .name = "add.s",
 .translate = translate_add_s,
 .coprocessor = 0x1,
+}, {
+.name = "addexp.d",
+.translate = translate_nop,
+.coprocessor = 0x1,
+}, {
+.name = "addexp.s",
+.translate = translate_nop,
+.coprocessor = 0x1,
+}, {
+.name = "addexpm.d",
+.translate = translate_mov_s,
+.coprocessor = 0x1,
+}, {
+.name = "addexpm.s",
+.translate = translate_mov_s,
+.coprocessor = 0x1,
 }, {
 .name = "ceil.d",
 .translate = translate_ftoi_d,
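Review bot: addexpm.d is wired to translate_mov_s, the same translator used for addexpm.s. If the FR registers are 64 bits wide in double-precision configurations, the .d opcode needs a 64-bit move; please confirm translate_mov_s handles that width or use a _d translator here. The addexp.* entries being translate_nop matches the commit message, but a comment in the table marking them as intentional nops would save the next reader a trip to the log.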
@@ -7375,6 +7423,22 @@ static const XtensaOpcodeOps fpu_ops[] = {
 .name = "cvts.d",
 .translate = translate_cvts_d,
 .coprocessor = 0x1,
+}, {
+.name = "div0.d",
+.translate = translate_nop,
+.coprocessor = 0x1,
+}, {
+.name = "div0.s",
+.translate = translate_nop,
+.coprocessor = 0x1,
+}, {
+.name = "divn.d",
+.translate = translate_nop,
+.coprocessor = 0x1,
+}, {
+.name = "divn.s",
+.translate = 

[PATCH v4 07/22] target/xtensa: move FSR/FCR register accessors

2020-07-11 Thread Max Filippov
Move FSR/FCR register accessors from core opcodes to FPU2000 opcodes as
they are FPU2000-specific.

Reviewed-by: Richard Henderson 
Signed-off-by: Max Filippov 
---
 target/xtensa/translate.c | 64 +++
 1 file changed, 32 insertions(+), 32 deletions(-)

diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index 47951acd1669..1b643881e6e9 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -2813,18 +2813,6 @@ static void translate_wur(DisasContext *dc, const 
OpcodeArg arg[],
 tcg_gen_mov_i32(cpu_UR[par[0]], arg[0].in);
 }
 
-static void translate_wur_fpu2k_fcr(DisasContext *dc, const OpcodeArg arg[],
-const uint32_t par[])
-{
-gen_helper_wur_fpu2k_fcr(cpu_env, arg[0].in);
-}
-
-static void translate_wur_fsr(DisasContext *dc, const OpcodeArg arg[],
-  const uint32_t par[])
-{
-tcg_gen_andi_i32(cpu_UR[par[0]], arg[0].in, 0xff80);
-}
-
 static void translate_xor(DisasContext *dc, const OpcodeArg arg[],
   const uint32_t par[])
 {
@@ -4665,16 +4653,6 @@ static const XtensaOpcodeOps core_ops[] = {
 .name = "rur.expstate",
 .translate = translate_rur,
 .par = (const uint32_t[]){EXPSTATE},
-}, {
-.name = "rur.fcr",
-.translate = translate_rur,
-.par = (const uint32_t[]){FCR},
-.coprocessor = 0x1,
-}, {
-.name = "rur.fsr",
-.translate = translate_rur,
-.par = (const uint32_t[]){FSR},
-.coprocessor = 0x1,
 }, {
 .name = "rur.threadptr",
 .translate = translate_rur,
@@ -5581,16 +5559,6 @@ static const XtensaOpcodeOps core_ops[] = {
 .name = "wur.expstate",
 .translate = translate_wur,
 .par = (const uint32_t[]){EXPSTATE},
-}, {
-.name = "wur.fcr",
-.translate = translate_wur_fpu2k_fcr,
-.par = (const uint32_t[]){FCR},
-.coprocessor = 0x1,
-}, {
-.name = "wur.fsr",
-.translate = translate_wur_fsr,
-.par = (const uint32_t[]){FSR},
-.coprocessor = 0x1,
 }, {
 .name = "wur.threadptr",
 .translate = translate_wur,
@@ -6510,6 +6478,18 @@ static void translate_wfr_s(DisasContext *dc, const 
OpcodeArg arg[],
 tcg_gen_mov_i32(arg[0].out, arg[1].in);
 }
 
+static void translate_wur_fpu2k_fcr(DisasContext *dc, const OpcodeArg arg[],
+const uint32_t par[])
+{
+gen_helper_wur_fpu2k_fcr(cpu_env, arg[0].in);
+}
+
+static void translate_wur_fpu2k_fsr(DisasContext *dc, const OpcodeArg arg[],
+const uint32_t par[])
+{
+tcg_gen_andi_i32(cpu_UR[par[0]], arg[0].in, 0xff80);
+}
+
 static const XtensaOpcodeOps fpu2000_ops[] = {
 {
 .name = "abs.s",
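Review bot: translate_wur_fsr is renamed to translate_wur_fpu2k_fsr as part of this move, but the commit message only mentions moving the accessors. Mention the rename in the message, or do it in the renaming patch (06/22), so this patch can be checked as pure code motion.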
@@ -6632,6 +6612,16 @@ static const XtensaOpcodeOps fpu2000_ops[] = {
 .translate = translate_ftoi_s,
 .par = (const uint32_t[]){float_round_nearest_even, false},
 .coprocessor = 0x1,
+}, {
+.name = "rur.fcr",
+.translate = translate_rur,
+.par = (const uint32_t[]){FCR},
+.coprocessor = 0x1,
+}, {
+.name = "rur.fsr",
+.translate = translate_rur,
+.par = (const uint32_t[]){FSR},
+.coprocessor = 0x1,
 }, {
 .name = "ssi",
 .translate = translate_ldsti,
@@ -6699,6 +6689,16 @@ static const XtensaOpcodeOps fpu2000_ops[] = {
 .name = "wfr",
 .translate = translate_wfr_s,
 .coprocessor = 0x1,
+}, {
+.name = "wur.fcr",
+.translate = translate_wur_fpu2k_fcr,
+.par = (const uint32_t[]){FCR},
+.coprocessor = 0x1,
+}, {
+.name = "wur.fsr",
+.translate = translate_wur_fpu2k_fsr,
+.par = (const uint32_t[]){FSR},
+.coprocessor = 0x1,
 },
 };
 
-- 
2.20.1




[PATCH v4 05/22] target/xtensa: support copying registers up to 64 bits wide

2020-07-11 Thread Max Filippov
FLIX dependency breaking code assumes that all registers are 32 bit
wide. This may not always be correct.
Extract actual register width from the associated register file and use
it to create temporaries of correct width and generate correct data
movement instructions.

Signed-off-by: Max Filippov 
---
 target/xtensa/cpu.h   |  1 +
 target/xtensa/translate.c | 26 +-
 2 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/target/xtensa/cpu.h b/target/xtensa/cpu.h
index 0409aa6189cf..960f6573447f 100644
--- a/target/xtensa/cpu.h
+++ b/target/xtensa/cpu.h
@@ -359,6 +359,7 @@ typedef struct opcode_arg {
 uint32_t raw_imm;
 void *in;
 void *out;
+uint32_t num_bits;
 } OpcodeArg;
 
 typedef struct DisasContext DisasContext;
diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index 9838bf6b3ec5..bc01a720719d 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -943,10 +943,10 @@ static void disas_xtensa_insn(CPUXtensaState *env, 
DisasContext *dc)
 
 for (opnd = vopnd = 0; opnd < opnds; ++opnd) {
 void **register_file = NULL;
+xtensa_regfile rf;
 
 if (xtensa_operand_is_register(isa, opc, opnd)) {
-xtensa_regfile rf = xtensa_operand_regfile(isa, opc, opnd);
-
+rf = xtensa_operand_regfile(isa, opc, opnd);
 register_file = dc->config->regfile[rf];
 
 if (rf == dc->config->a_regfile) {
@@ -972,6 +972,9 @@ static void disas_xtensa_insn(CPUXtensaState *env, 
DisasContext *dc)
 if (register_file) {
 arg[vopnd].in = register_file[v];
 arg[vopnd].out = register_file[v];
+arg[vopnd].num_bits = xtensa_regfile_num_bits(isa, rf);
+} else {
+arg[vopnd].num_bits = 32;
 }
 ++vopnd;
 }
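Review bot: the new else branch sets num_bits = 32 whenever register_file is NULL, which covers immediates but also a register operand whose dc->config->regfile[rf] lookup came back NULL. In that second case the real width is available from xtensa_regfile_num_bits(isa, rf) and may not be 32. Consider setting num_bits inside the xtensa_operand_is_register() branch from the previous hunk, which would also keep rf from being read outside the scope where it is assigned.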
@@ -,8 +1114,15 @@ static void disas_xtensa_insn(CPUXtensaState *env, 
DisasContext *dc)
 for (i = j = 0; i < n_arg_copy; ++i) {
 if (i == 0 || arg_copy[i].resource != resource) {
 resource = arg_copy[i].resource;
-temp = tcg_temp_local_new();
-tcg_gen_mov_i32(temp, arg_copy[i].arg->in);
+if (arg_copy[i].arg->num_bits <= 32) {
+temp = tcg_temp_local_new_i32();
+tcg_gen_mov_i32(temp, arg_copy[i].arg->in);
+} else if (arg_copy[i].arg->num_bits <= 64) {
+temp = tcg_temp_local_new_i64();
+tcg_gen_mov_i64(temp, arg_copy[i].arg->in);
+} else {
+g_assert_not_reached();
+}
 arg_copy[i].temp = temp;
 
 if (i != j) {
@@ -1143,7 +1153,13 @@ static void disas_xtensa_insn(CPUXtensaState *env, 
DisasContext *dc)
 }
 
 for (i = 0; i < n_arg_copy; ++i) {
-tcg_temp_free(arg_copy[i].temp);
+if (arg_copy[i].arg->num_bits <= 32) {
+tcg_temp_free_i32(arg_copy[i].temp);
+} else if (arg_copy[i].arg->num_bits <= 64) {
+tcg_temp_free_i64(arg_copy[i].temp);
+} else {
+g_assert_not_reached();
+}
 }
 
 if (dc->base.is_jmp == DISAS_NEXT) {
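Review bot: the num_bits <= 32 / <= 64 / g_assert_not_reached() ladder here duplicates the one added in the allocation loop above, and the two have to stay in sync for each temp to be freed with the matching type. A pair of small helpers taking the OpcodeArg would remove the duplication. A register file wider than 64 bits would also abort QEMU at translation time; rejecting such a configuration when the register files are set up would fail earlier and with a clearer message.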
-- 
2.20.1




[PATCH v4 06/22] target/xtensa: rename FPU2000 translators and helpers

2020-07-11 Thread Max Filippov
Add _s suffix to all FPU2000 opcode translators and helpers that also
have double-precision variant to unify naming and allow adding DFPU
implementations. Add _fpu2k_ to the names of helpers that will have
different implementation for the DFPU.

Reviewed-by: Richard Henderson 
Signed-off-by: Max Filippov 
---
Changes v3->v4:
- add _fpu2k_ to single-precision arithmetic helpers that do NaN
  selection to make space for helpers that will have to call
  set_use_first_nan

 target/xtensa/fpu_helper.c | 22 ++--
 target/xtensa/helper.h | 20 +--
 target/xtensa/translate.c  | 70 +++---
 3 files changed, 57 insertions(+), 55 deletions(-)

diff --git a/target/xtensa/fpu_helper.c b/target/xtensa/fpu_helper.c
index 87487293f9a1..46e231bdaa51 100644
--- a/target/xtensa/fpu_helper.c
+++ b/target/xtensa/fpu_helper.c
@@ -33,7 +33,7 @@
 #include "exec/exec-all.h"
 #include "fpu/softfloat.h"
 
-void HELPER(wur_fcr)(CPUXtensaState *env, uint32_t v)
+void HELPER(wur_fpu2k_fcr)(CPUXtensaState *env, uint32_t v)
 {
 static const int rounding_mode[] = {
 float_round_nearest_even,
@@ -56,33 +56,35 @@ float32 HELPER(neg_s)(float32 v)
 return float32_chs(v);
 }
 
-float32 HELPER(add_s)(CPUXtensaState *env, float32 a, float32 b)
+float32 HELPER(fpu2k_add_s)(CPUXtensaState *env, float32 a, float32 b)
 {
 return float32_add(a, b, >fp_status);
 }
 
-float32 HELPER(sub_s)(CPUXtensaState *env, float32 a, float32 b)
+float32 HELPER(fpu2k_sub_s)(CPUXtensaState *env, float32 a, float32 b)
 {
 return float32_sub(a, b, >fp_status);
 }
 
-float32 HELPER(mul_s)(CPUXtensaState *env, float32 a, float32 b)
+float32 HELPER(fpu2k_mul_s)(CPUXtensaState *env, float32 a, float32 b)
 {
 return float32_mul(a, b, >fp_status);
 }
 
-float32 HELPER(madd_s)(CPUXtensaState *env, float32 a, float32 b, float32 c)
+float32 HELPER(fpu2k_madd_s)(CPUXtensaState *env,
+ float32 a, float32 b, float32 c)
 {
 return float32_muladd(b, c, a, 0, >fp_status);
 }
 
-float32 HELPER(msub_s)(CPUXtensaState *env, float32 a, float32 b, float32 c)
+float32 HELPER(fpu2k_msub_s)(CPUXtensaState *env,
+ float32 a, float32 b, float32 c)
 {
 return float32_muladd(b, c, a, float_muladd_negate_product,
   >fp_status);
 }
 
-uint32_t HELPER(ftoi)(float32 v, uint32_t rounding_mode, uint32_t scale)
+uint32_t HELPER(ftoi_s)(float32 v, uint32_t rounding_mode, uint32_t scale)
 {
 float_status fp_status = {0};
 
@@ -90,7 +92,7 @@ uint32_t HELPER(ftoi)(float32 v, uint32_t rounding_mode, 
uint32_t scale)
 return float32_to_int32(float32_scalbn(v, scale, _status), _status);
 }
 
-uint32_t HELPER(ftoui)(float32 v, uint32_t rounding_mode, uint32_t scale)
+uint32_t HELPER(ftoui_s)(float32 v, uint32_t rounding_mode, uint32_t scale)
 {
 float_status fp_status = {0};
 float32 res;
@@ -106,13 +108,13 @@ uint32_t HELPER(ftoui)(float32 v, uint32_t rounding_mode, 
uint32_t scale)
 }
 }
 
-float32 HELPER(itof)(CPUXtensaState *env, uint32_t v, uint32_t scale)
+float32 HELPER(itof_s)(CPUXtensaState *env, uint32_t v, uint32_t scale)
 {
 return float32_scalbn(int32_to_float32(v, >fp_status),
   (int32_t)scale, >fp_status);
 }
 
-float32 HELPER(uitof)(CPUXtensaState *env, uint32_t v, uint32_t scale)
+float32 HELPER(uitof_s)(CPUXtensaState *env, uint32_t v, uint32_t scale)
 {
 return float32_scalbn(uint32_to_float32(v, >fp_status),
   (int32_t)scale, >fp_status);
diff --git a/target/xtensa/helper.h b/target/xtensa/helper.h
index 8532de0b35f5..bce31cbd9ff1 100644
--- a/target/xtensa/helper.h
+++ b/target/xtensa/helper.h
@@ -46,18 +46,18 @@ DEF_HELPER_3(wsr_dbreaka, void, env, i32, i32)
 DEF_HELPER_3(wsr_dbreakc, void, env, i32, i32)
 #endif
 
-DEF_HELPER_2(wur_fcr, void, env, i32)
+DEF_HELPER_2(wur_fpu2k_fcr, void, env, i32)
 DEF_HELPER_FLAGS_1(abs_s, TCG_CALL_NO_RWG_SE, f32, f32)
 DEF_HELPER_FLAGS_1(neg_s, TCG_CALL_NO_RWG_SE, f32, f32)
-DEF_HELPER_3(add_s, f32, env, f32, f32)
-DEF_HELPER_3(sub_s, f32, env, f32, f32)
-DEF_HELPER_3(mul_s, f32, env, f32, f32)
-DEF_HELPER_4(madd_s, f32, env, f32, f32, f32)
-DEF_HELPER_4(msub_s, f32, env, f32, f32, f32)
-DEF_HELPER_FLAGS_3(ftoi, TCG_CALL_NO_RWG_SE, i32, f32, i32, i32)
-DEF_HELPER_FLAGS_3(ftoui, TCG_CALL_NO_RWG_SE, i32, f32, i32, i32)
-DEF_HELPER_3(itof, f32, env, i32, i32)
-DEF_HELPER_3(uitof, f32, env, i32, i32)
+DEF_HELPER_3(fpu2k_add_s, f32, env, f32, f32)
+DEF_HELPER_3(fpu2k_sub_s, f32, env, f32, f32)
+DEF_HELPER_3(fpu2k_mul_s, f32, env, f32, f32)
+DEF_HELPER_4(fpu2k_madd_s, f32, env, f32, f32, f32)
+DEF_HELPER_4(fpu2k_msub_s, f32, env, f32, f32, f32)
+DEF_HELPER_FLAGS_3(ftoi_s, TCG_CALL_NO_RWG_SE, i32, f32, i32, i32)
+DEF_HELPER_FLAGS_3(ftoui_s, TCG_CALL_NO_RWG_SE, i32, f32, i32, i32)
+DEF_HELPER_3(itof_s, f32, env, i32, i32)
+DEF_HELPER_3(uitof_s, f32, env, i32, i32)
 
 DEF_HELPER_4(un_s, void, env, i32, f32, f32)
 

[PATCH v4 04/22] target/xtensa: add geometry to xtensa_get_regfile_by_name

2020-07-11 Thread Max Filippov
Register file name may not uniquely identify a register file in the set
of configurations. E.g. floating point registers may have different size
in different configurations. Use register file geometry as additional
identifier.

Signed-off-by: Max Filippov 
---
 target/xtensa/cpu.h   |  2 +-
 target/xtensa/helper.c|  4 +++-
 target/xtensa/translate.c | 35 +++
 3 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/target/xtensa/cpu.h b/target/xtensa/cpu.h
index 0c96181212a5..0409aa6189cf 100644
--- a/target/xtensa/cpu.h
+++ b/target/xtensa/cpu.h
@@ -598,7 +598,7 @@ void xtensa_cpu_do_unaligned_access(CPUState *cpu, vaddr 
addr,
 
 void xtensa_collect_sr_names(const XtensaConfig *config);
 void xtensa_translate_init(void);
-void **xtensa_get_regfile_by_name(const char *name);
+void **xtensa_get_regfile_by_name(const char *name, int entries, int bits);
 void xtensa_breakpoint_handler(CPUState *cs);
 void xtensa_register_core(XtensaConfigList *node);
 void xtensa_sim_open_console(Chardev *chr);
diff --git a/target/xtensa/helper.c b/target/xtensa/helper.c
index 7073381f03b2..05e2b7f70a1e 100644
--- a/target/xtensa/helper.c
+++ b/target/xtensa/helper.c
@@ -133,8 +133,10 @@ static void init_libisa(XtensaConfig *config)
 config->regfile = g_new(void **, regfiles);
 for (i = 0; i < regfiles; ++i) {
 const char *name = xtensa_regfile_name(config->isa, i);
+int entries = xtensa_regfile_num_entries(config->isa, i);
+int bits = xtensa_regfile_num_bits(config->isa, i);
 
-config->regfile[i] = xtensa_get_regfile_by_name(name);
+config->regfile[i] = xtensa_get_regfile_by_name(name, entries, bits);
 #ifdef DEBUG
 if (config->regfile[i] == NULL) {
 fprintf(stderr, "regfile '%s' not found for %s\n",
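Review bot: a NULL result from xtensa_get_regfile_by_name() is only reported inside #ifdef DEBUG, and after this change a miss is more likely because the name, entries and bits all have to match. In a normal build config->regfile[i] silently stays NULL. Please report the unknown geometry unconditionally and include entries and bits in the message.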
diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index 03d796d7a1ed..9838bf6b3ec5 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -227,24 +227,43 @@ void xtensa_translate_init(void)
"exclusive_val");
 }
 
-void **xtensa_get_regfile_by_name(const char *name)
+void **xtensa_get_regfile_by_name(const char *name, int entries, int bits)
 {
+char *geometry_name;
+void **res;
+
 if (xtensa_regfile_table == NULL) {
 xtensa_regfile_table = g_hash_table_new(g_str_hash, g_str_equal);
+/*
+ * AR is special. Xtensa translator uses it as a current register
+ * window, but configuration overlays represent it as a complete
+ * physical register file.
+ */
 g_hash_table_insert(xtensa_regfile_table,
-(void *)"AR", (void *)cpu_R);
+(void *)"AR 16x32", (void *)cpu_R);
 g_hash_table_insert(xtensa_regfile_table,
-(void *)"MR", (void *)cpu_MR);
+(void *)"AR 32x32", (void *)cpu_R);
 g_hash_table_insert(xtensa_regfile_table,
-(void *)"FR", (void *)cpu_FR);
+(void *)"AR 64x32", (void *)cpu_R);
+
 g_hash_table_insert(xtensa_regfile_table,
-(void *)"BR", (void *)cpu_BR);
+(void *)"MR 4x32", (void *)cpu_MR);
+
 g_hash_table_insert(xtensa_regfile_table,
-(void *)"BR4", (void *)cpu_BR4);
+(void *)"FR 16x32", (void *)cpu_FR);
+
 g_hash_table_insert(xtensa_regfile_table,
-(void *)"BR8", (void *)cpu_BR8);
+(void *)"BR 16x1", (void *)cpu_BR);
+g_hash_table_insert(xtensa_regfile_table,
+(void *)"BR4 4x4", (void *)cpu_BR4);
+g_hash_table_insert(xtensa_regfile_table,
+(void *)"BR8 2x8", (void *)cpu_BR8);
 }
-return (void **)g_hash_table_lookup(xtensa_regfile_table, (void *)name);
+
+geometry_name = g_strdup_printf("%s %dx%d", name, entries, bits);
+res = (void **)g_hash_table_lookup(xtensa_regfile_table, geometry_name);
+g_free(geometry_name);
+return res;
 }
 
 static inline bool option_enabled(DisasContext *dc, int opt)
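Review bot: the table keys are hand-written literals such as "FR 16x32" that must match the "%s %dx%d" format used for the lookup character for character, so a typo in one literal turns into a silent NULL. Building the keys through the same format string, or keying on a small struct, would avoid that. Only "FR 16x32" is registered for FR although the commit message cites floating point registers of different sizes as the motivation; if the wider geometry arrives in a later patch, say so in the message.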
-- 
2.20.1



