Re: VirtioSound device emulation implementation

2021-01-07 Thread Shreyansh Chouhan
On Thu, 7 Jan 2021 at 22:49, Alex Bennée  wrote:

>
> Shreyansh Chouhan  writes:
>
> > On Wed, 6 Jan 2021 at 17:12, Alex Bennée  wrote:
> >
> >>
> >> Shreyansh Chouhan  writes:
> >>
> >> > Hey everyone!
> >> >
> >> > I want to work on implementing the emulation for the VirtioSound
> device.
> >> I
> >> > contacted the mentor for the project, (Greg), who said it's fine and
> >> that I
> >> > should declare it on the mailing list in order to find out if someone
> >> else
> >> > is already working on this project. That is what this mail is for. I
> >> tried
> >> > searching for "Virtio", "Sound", and "VirtioSound" in the qemu-devel
> >> > mailing archives but couldn't find anything. If someone is already
> >> working
> >> > on it, please let me know, and if not then I'll start working on it
> right
> >> > away.
> >>
> >> I'm not working on it but please feel free to CC me on discussion and
> >> patches. I have a general interest on Virtio IO implementations at the
> >> moment.
> >>
> >
> > Sure! (Though I should mention that I do not know a lot about the virtio
> > architecture yet. I am still reading up about it. So most of my mails
> might
> > be (silly) queries. Though I hope to learn about it soon and send in
> > some patches and tests :)
> >
> >
> >> Are you planning to make it an in-QEMU device or maybe a external
> >> vhost-user daemon?
> >
> > The project page states that we need to use the QEMU audio subsystem
> > for playing and capturing audio samples.
>
> Is this one of the QEMU internship projects?
>
Yes, it is one of the GSoC projects.

>
> > I am not entirely sure if this implies that the device should be an
> > in-QEMU device or if it could be an external daemon.
>
> I think it implies having the entire emulation in-QEMU.
>
I see, after reading your and Gerd's responses, I think I will study/think
about the implementation details and then decide which will be the best
route for me.

>
> > What do you suggest?
> >
> > cc Gerd Hoffmann
> >
> >
> >
> >
> >>
> >> --
> >> Alex Bennée
> >>
>
>
> --
> Alex Bennée
>


Re: [PATCH] configure: Add flags for MinGW32 standalone build

2021-01-07 Thread Thomas Huth

On 07/01/2021 22.38, Joshua Watt wrote:

There are two cases that need to be accounted for when compiling QEMU
for MinGW32:
  1) A standalone distribution, where QEMU is self contained and
 extracted by the user, such as a user would download from the QEMU
 website. In this case, all of the QEMU files should be rooted in
 $prefix to ensure they can be easily packaged together for
 distribution
  2) QEMU integrated into a distribution image/sysroot/SDK and
 distributed with other programs. In this case, the provided
 arguments for bindir/datadir/etc. should be respected as they are for
 a Linux build.

Add configure-time flags --enable-standalone-mingw and
--disable-standalone-mingw that allow the user to control this
behavior. The flag defaults to "enabled" if unspecified to retain the
existing build behavior.

Signed-off-by: Joshua Watt 
---
  configure | 8 +++-
  1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/configure b/configure
index 5860bdb77b..5c83edb502 100755
--- a/configure
+++ b/configure
@@ -358,6 +358,7 @@ strip_opt="yes"
  tcg_interpreter="no"
  bigendian="no"
  mingw32="no"
+mingw32_standalone="yes"
  gcov="no"
  EXESUF="$default_feature"
  HOST_DSOSUF=".so"
@@ -1558,6 +1559,10 @@ for opt do
;;
--disable-fuse-lseek) fuse_lseek="disabled"
;;
+  --enable-standalone-mingw) mingw32_standalone="yes"
+  ;;
+  --disable-standalone-mingw) mingw32_standalone="no"
+  ;;
*)
echo "ERROR: unknown option $opt"
echo "Try '$0 --help' for more information"
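Review bot: the two new option cases are accepted on every host, but the variable they set only matters inside the later `test "$mingw32" = "yes" && test "$mingw32_standalone" = "yes"` check, so `--enable-standalone-mingw` on a non-MinGW build is silently a no-op. Either error out when the option is given and `$mingw32` is not "yes", or drop "mingw" from the name and make the behaviour host-independent, which also fits the "standalone distribution" wording of the commit message.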
@@ -1570,7 +1575,7 @@ libdir="${libdir:-$prefix/lib}"
  libexecdir="${libexecdir:-$prefix/libexec}"
  includedir="${includedir:-$prefix/include}"
  
-if test "$mingw32" = "yes" ; then

+if test "$mingw32" = "yes" && test "$mingw32_standalone" = "yes"; then
  mandir="$prefix"
  datadir="$prefix"
  docdir="$prefix"
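Review bot: with `mingw32_standalone=no` this block is skipped, so `mandir`, `datadir` and `docdir` must get their Linux-style `${var:-$prefix/share/...}` defaults elsewhere; the hunk only shows `libdir`, `libexecdir` and `includedir` being defaulted above it, so please confirm the non-standalone MinGW path cannot leave those three variables empty. A one-line comment saying why MinGW rooted everything in `$prefix` (a self-contained archive, per the commit message) would help the next reader of this condition.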
@@ -1897,6 +1902,7 @@ disabled with --disable-FEATURE, default is enabled if 
available
libdaxctl   libdaxctl support
fuseFUSE block device export
fuse-lseek  SEEK_HOLE/SEEK_DATA support for FUSE exports
+  standalone-mingw  Build for standalone distribution on MinGW
  
  NOTE: The object files are built at the place where configure is launched

  EOF
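Review bot: the new help entry sits in the list introduced by "disabled with --disable-FEATURE, default is enabled if available", which does not describe this switch: it defaults to enabled unconditionally and only has an effect on MinGW. Say so in the string, e.g. `standalone-mingw  root all install dirs in $prefix for a standalone MinGW distribution (MinGW only, default enabled)`, so that someone passing --datadir on a MinGW build learns from --help why it was ignored.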


I think this should maybe be done independently from MinGW, so that it could 
be used on other systems, too. Thus maybe rather name the switch 
"--enable-standalone-distribution" or "--enable-standalone-installation" or 
something like this? On MinGW, the value of the switch could then default to 
"yes" while on other systems it would be "no" by default.


 Thomas




Re: [PATCH] vnc: add qmp to support change authz

2021-01-07 Thread Zihao Chang
Hi,

On 2021/1/8 0:04, Gerd Hoffmann wrote:
>   Hi,
> 
>> This patch adds a new qmp 'change-vnc-authz' to support changing the
>> tls/sasl authz of a vm. If index='', unset tlsauthzid/sasl.authzid
>> {
>>"execute":"change-vnc-authz",
>>"arguments":{
>>   "index":"object-authz-id",
>>   "type":"tls/sasl"
>>}
>> }
> 
>> +##
>> +# @change-vnc-authz:
>> +#
>> +# Change the VNC server authz.
>> +#
>> +# @type:  the new authz type to use with VNC authentication
>> +# @index:  the new authz object index to use with VNC authentication
>> +#
>> +# Since: 5.2
>> +#
>> +##
>> +{ 'command': 'change-vnc-authz',
>> +  'data': { 'type' : 'str',
>> +'index': 'str'},
>> +  'if': 'defined(CONFIG_VNC_SASL)' }
> 
> type should be an enum I think.
It is a good idea to set type to enum, I will fix it in the next version.

> Also index should be an int (and possibly an optional argument so you
> can just not specify index to unset).
> 
Index is the id of the authz object (myauthz here; users can set it as they
want), so it may not be an int.
-object authz-simple,id=myauthz,identity=test1

> take care,
>   Gerd
> 
> .
> 
BTW, Daniel P. Berrangé suggests that all property-set QMP commands should be
integrated into a general-purpose "display_update" QMP command. That's really
a good idea. This may take a longer time to design and code. Should we hold
off on adding new property-set QMP commands until the general-purpose
"display_update" QMP command is ready?

https://lists.nongnu.org/archive/html/qemu-devel/2021-01/msg00941.html


Thanks,
Zihao



Re: [PATCH v11 00/13] hw/block/nvme: Support Namespace Types and Zoned Namespace Command Set

2021-01-07 Thread Klaus Jensen
On Dec  9 10:57, Klaus Jensen wrote:
> Hi Dmitry,
> 
> By and large, this looks OK to me. There are still some issues here and
> there, and some comments of mine that you did not address, but I will
> follow up with patches to fix that. Let's get this merged.
> 
> It looks like the nvme-next you rebased on is slightly old and missing
> two commits:
> 
>   "hw/block/nvme: remove superfluous NvmeCtrl parameter" and
>   "hw/block/nvme: pull aio error handling"
> 
> It caused a couple of conflicts, but nothing that I couldn't fix up.
> 
> Since I didn't manage to convince anyone about the zsze and zcap
> parameters being in terms of LBAs, I'll revert that to be
> 'zoned.zone_size' and 'zoned.zone_capacity'.
> 
> Finally, would you accept that we skip "hw/block/nvme: Add injection of
> Offline/Read-Only zones" for now? I'd like to discuss it a bit since I
> think the random injects feels a bit ad-hoc. Back when I did OCSSD
> emulation with Hans, we did something like this for setting up state
> through a descriptor text file - I think we should explore something
> like that before we lock down the two parameters. I'll amend the final
> documentation commit to not include those parameters.
> 
> Sounds good?
> 
> Otherwise, I think this is mergeable to nvme-next. So, for the series
> (excluding "hw/block/nvme: Add injection of Offline/Read-Only zones"):
> 
> Reviewed-by: Klaus Jensen 
> 

I've applied this series to my local nvme-next. Our repo host is
unavailable this morning (infradead.org), but I will push as soon as
possible.


Thanks!
Klaus




[PATCH v6 7/7] fuzz: heuristic split write based on past IOs

2021-01-07 Thread Qiuhao Li
If previous write commands write the same length of data with the same step,
we view it as a hint.

Signed-off-by: Qiuhao Li 
Reviewed-by: Alexander Bulekov 
Tested-by: Alexander Bulekov 
---
 scripts/oss-fuzz/minimize_qtest_trace.py | 56 
 1 file changed, 56 insertions(+)

diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py 
b/scripts/oss-fuzz/minimize_qtest_trace.py
index 8661116075..408ae2ac67 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -85,6 +85,43 @@ def check_if_trace_crashes(trace, path):
 return False
 
 
+# If previous write commands write the same length of data at the same
+# interval, we view it as a hint.
+def split_write_hint(newtrace, i):
+HINT_LEN = 3 # > 2
+if i <=(HINT_LEN-1):
+return None
+
+#find previous continuous write traces
+k = 0
+l = i-1
+writes = []
+while (k != HINT_LEN and l >= 0):
+if newtrace[l].startswith("write "):
+writes.append(newtrace[l])
+k += 1
+l -= 1
+elif newtrace[l] == "":
+l -= 1
+else:
+return None
+if k != HINT_LEN:
+return None
+
+length = int(writes[0].split()[2], 16)
+for j in range(1, HINT_LEN):
+if length != int(writes[j].split()[2], 16):
+return None
+
+step = int(writes[0].split()[1], 16) - int(writes[1].split()[1], 16)
+for j in range(1, HINT_LEN-1):
+if step != int(writes[j].split()[1], 16) - \
+int(writes[j+1].split()[1], 16):
+return None
+
+return (int(writes[0].split()[1], 16)+step, length)
+
+
 def remove_lines(newtrace, outpath):
 remove_step = 1
 i = 0
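Review bot: `HINT_LEN = 3 # > 2` needs a real comment: two writes give one step, and the third is what confirms the step is regular; a name like `MIN_REGULAR_WRITES` would make the `i <= (HINT_LEN-1)` guard self-explanatory. The backward scan also treats any non-write, non-blank line (a `read`, `out*` or `clock_step`) as a hard stop in the `else: return None` branch, so a single interleaved read disables the hint for an otherwise regular sequence; that is a defensible choice but should be stated in the comment. Finally, `step` can be 0 (the same address written repeatedly), in which case the function predicts the previous address again rather than returning `None`; decide whether that is a hint you want.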
@@ -148,6 +185,25 @@ def remove_lines(newtrace, outpath):
 length = int(newtrace[i].split()[2], 16)
 data = newtrace[i].split()[3][2:]
 if length > 1:
+
+# Can we get a hint from previous writes?
+hint = split_write_hint(newtrace, i)
+if hint is not None:
+hint_addr = hint[0]
+hint_len = hint[1]
+if hint_addr >= addr and hint_addr+hint_len <= addr+length:
+newtrace[i] = "write {addr} {size} 0x{data}\n".format(
+addr=hex(hint_addr),
+size=hex(hint_len),
+data=data[(hint_addr-addr)*2:\
+(hint_addr-addr)*2+hint_len*2])
+if check_if_trace_crashes(newtrace, outpath):
+# next round
+i += 1
+continue
+newtrace[i] = prior[0]
+
+# Try splitting it using a binary approach
 leftlength = int(length/2)
 rightlength = length - leftlength
 newtrace.insert(i+1, "")
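Review bot: when the previous writes are regular and the current write is exactly the next one in the series, `split_write_hint` returns `(addr, length)` itself, the `newtrace[i] = "write ..."` rewrite produces the identical command, and a full `check_if_trace_crashes` run is spent on a no-op before falling through to the binary split. Skip the hint when `(hint_addr, hint_len) == (addr, length)`. Also, a successful hint does `i += 1; continue`, so the narrowed write is never handed to the binary split below in this pass; if that is intentional (the next -M1 round revisits it) say so in the comment.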
-- 
2.25.1




[PATCH v6 6/7] fuzz: add minimization options

2021-01-07 Thread Qiuhao Li
-M1: remove IO commands iteratively
-M2: try setting bits in operand of write/out to zero

Signed-off-by: Qiuhao Li 
Reviewed-by: Alexander Bulekov 
Tested-by: Alexander Bulekov 
---
 scripts/oss-fuzz/minimize_qtest_trace.py | 30 
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py 
b/scripts/oss-fuzz/minimize_qtest_trace.py
index 2325b38dbc..8661116075 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -16,6 +16,10 @@ QEMU_PATH = None
 TIMEOUT = 5
 CRASH_TOKEN = None
 
+# Minimization levels
+M1 = False # try removing IO commands iteratively
+M2 = False # try setting bits in operand of write/out to zero
+
 write_suffix_lookup = {"b": (1, "B"),
"w": (2, "H"),
"l": (4, "L"),
@@ -23,10 +27,20 @@ write_suffix_lookup = {"b": (1, "B"),
 
 def usage():
 sys.exit("""\
-Usage: QEMU_PATH="/path/to/qemu" QEMU_ARGS="args" {} input_trace output_trace
+Usage:
+
+QEMU_PATH="/path/to/qemu" QEMU_ARGS="args" {} [Options] input_trace 
output_trace
+
 By default, will try to use the second-to-last line in the output to identify
 whether the crash occred. Optionally, manually set a string that idenitifes the
 crash by setting CRASH_TOKEN=
+
+Options:
+
+-M1: enable a loop around the remove minimizer, which may help decrease some
+ timing dependant instructions. Off by default.
+-M2: try setting bits in operand of write/out to zero. Off by default.
+
 """.format((sys.argv[0])))
 
 deduplication_note = """\n\
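Review bot: typo in the new -M1 help text, "timing dependant" should be "timing dependent"; while touching this usage string, the pre-existing "occred" and "idenitifes" in the same block could be fixed too. The -M1 line should also say what the loop does (repeat the remove pass until the trace stops shrinking) rather than "may help decrease some timing dependant instructions", which does not tell the user when to reach for it.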
@@ -213,24 +227,32 @@ def minimize_trace(inpath, outpath):
 print("Setting the timeout for {} seconds".format(TIMEOUT))
 
 newtrace = trace[:]
+global M1, M2
 
 # remove lines
 old_len = len(newtrace) + 1
 while(old_len > len(newtrace)):
 old_len = len(newtrace)
+print("trace lenth = ", old_len)
 remove_lines(newtrace, outpath)
+if not M1 and not M2:
+break
 newtrace = list(filter(lambda s: s != "", newtrace))
 assert(check_if_trace_crashes(newtrace, outpath))
 
 # set bits to zero
-clear_bits(newtrace, outpath)
+if M2:
+clear_bits(newtrace, outpath)
 assert(check_if_trace_crashes(newtrace, outpath))
 
 
 if __name__ == '__main__':
 if len(sys.argv) < 3:
 usage()
-
+if "-M1" in sys.argv:
+M1 = True
+if "-M2" in sys.argv:
+M2 = True
 QEMU_PATH = os.getenv("QEMU_PATH")
 QEMU_ARGS = os.getenv("QEMU_ARGS")
 if QEMU_PATH is None or QEMU_ARGS is None:
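Review bot: `if not M1 and not M2: break` means `-M2` alone also keeps the removal loop running, so -M2 implicitly enables -M1 even though the usage text presents them as independent; if that is intended, document it, otherwise make the test `if not M1: break`. Two smaller points in the same hunk: `print("trace lenth = ", old_len)` has a typo ("length"), and `global M1, M2` inside `minimize_trace` is unnecessary since the function only reads them.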
@@ -239,4 +261,4 @@ if __name__ == '__main__':
 # QEMU_ARGS += " -accel qtest"
 CRASH_TOKEN = os.getenv("CRASH_TOKEN")
 QEMU_ARGS += " -qtest stdio -monitor none -serial none "
-minimize_trace(sys.argv[1], sys.argv[2])
+minimize_trace(sys.argv[-2], sys.argv[-1])
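Review bot: taking the paths from `sys.argv[-2]` and `sys.argv[-1]` while the earlier check is only `len(sys.argv) < 3` means `minimize_qtest_trace.py -M1 input_trace` is accepted and uses "-M1" as the input path, and a misspelled option such as `-M3` is silently ignored. Separate options from positionals first, e.g. `opts = [a for a in sys.argv[1:] if a.startswith("-")]` and `args = [a for a in sys.argv[1:] if not a.startswith("-")]`, then require `len(args) == 2` and reject anything in `opts` other than -M1/-M2.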
-- 
2.25.1




[PATCH v6 5/7] fuzz: set bits in operand of write/out to zero

2021-01-07 Thread Qiuhao Li
Simplifying the crash cases by opportunistically setting bits in operands of
out/write to zero may help to debug, since usually bit one means turn on or
trigger a function while zero is the default turn-off setting.

Tested Bug 1908062.

Signed-off-by: Qiuhao Li 
Reviewed-by: Alexander Bulekov 
Tested-by: Alexander Bulekov 
---
 scripts/oss-fuzz/minimize_qtest_trace.py | 39 
 1 file changed, 39 insertions(+)

diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py 
b/scripts/oss-fuzz/minimize_qtest_trace.py
index 45c1627d32..2325b38dbc 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -164,6 +164,42 @@ def remove_lines(newtrace, outpath):
 i += 1
 
 
+def clear_bits(newtrace, outpath):
+# try setting bits in operands of out/write to zero
+i = 0
+while i < len(newtrace):
+if (not newtrace[i].startswith("write ") and not
+   newtrace[i].startswith("out")):
+   i += 1
+   continue
+# write ADDR SIZE DATA
+# outx ADDR VALUE
+print("\nzero setting bits: {}".format(newtrace[i]))
+
+prefix = " ".join(newtrace[i].split()[:-1])
+data = newtrace[i].split()[-1]
+data_bin = bin(int(data, 16))
+data_bin_list = list(data_bin)
+
+for j in range(2, len(data_bin_list)):
+prior = newtrace[i]
+if (data_bin_list[j] == '1'):
+data_bin_list[j] = '0'
+data_try = hex(int("".join(data_bin_list), 2))
+# It seems qtest only accepts padded hex-values.
+if len(data_try) % 2 == 1:
+data_try = data_try[:2] + "0" + data_try[2:-1]
+
+newtrace[i] = "{prefix} {data_try}\n".format(
+prefix=prefix,
+data_try=data_try)
+
+if not check_if_trace_crashes(newtrace, outpath):
+data_bin_list[j] = '1'
+newtrace[i] = prior
+i += 1
+
+
 def minimize_trace(inpath, outpath):
 global TIMEOUT
 with open(inpath) as f:
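Review bot: the padding hack `data_try = data_try[:2] + "0" + data_try[2:-1]` drops the last hex digit (for "0x123" it yields "0x012", not "0x0123"), so every odd-width candidate is a different value than intended and the following crash check rejects it; the slice should be `data_try[2:]`. More generally `hex()` also discards leading zero bytes, so a `write ADDR SIZE DATA` whose high byte is cleared ends up with fewer data bytes than SIZE says. Render the candidate at the original width instead, `data_try = "0x" + format(int("".join(data_bin_list), 2), "0{}x".format(len(data) - 2))`, which makes the special case go away for both `write` and `out*` lines.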
@@ -184,7 +220,10 @@ def minimize_trace(inpath, outpath):
 old_len = len(newtrace)
 remove_lines(newtrace, outpath)
 newtrace = list(filter(lambda s: s != "", newtrace))
+assert(check_if_trace_crashes(newtrace, outpath))
 
+# set bits to zero
+clear_bits(newtrace, outpath)
 assert(check_if_trace_crashes(newtrace, outpath))
 
 
-- 
2.25.1
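Width-preserving bit clearing for the operand of a `write`/`out*` line, as an added Python example (not the patch's code): a greedy pass from the most significant bit that keeps a cleared bit only when the oracle still reports the crash, and formats the result with the operand's original number of hex digits so a `write ADDR SIZE DATA` line keeps SIZE bytes of data even when its high byte becomes zero. `make_oracle` is a constructed stand-in for re-running QEMU: the made-up bug fires when every bit of a required mask is set.

```python
"""Greedy bit clearing for a qtest write/out operand, width preserving.

Added example, not the patch's own code.  `oracle` stands in for
re-running QEMU on the mutated trace: it returns True when the crash
still reproduces with the candidate value.
"""
from typing import Callable

Oracle = Callable[[int], bool]


def clear_bits(data: str, oracle: Oracle) -> str:
    """Clear as many set bits of the hex operand `data` (e.g. "0x00f3") as the
    oracle allows, scanning from the most significant bit down.

    The result keeps exactly the input's number of hex digits, so "0x80" with
    every bit cleared becomes "0x00", not "0x0": a qtest `write addr size data`
    line must carry `size` bytes of data.
    """
    if not data.lower().startswith("0x"):
        raise ValueError("operand must be a 0x-prefixed hex string")
    digits = len(data) - 2
    value = int(data, 16)
    for bit in range(value.bit_length() - 1, -1, -1):
        mask = 1 << bit
        if not value & mask:
            continue
        candidate = value & ~mask
        if oracle(candidate):       # crash still reproduces: keep the bit cleared
            value = candidate
    return "0x" + format(value, "0{}x".format(digits))


def make_oracle(required_mask: int) -> Oracle:
    """Constructed device model: the bug fires iff every bit in
    `required_mask` is set in the written value."""
    def oracle(value: int) -> bool:
        return value & required_mask == required_mask
    return oracle


def clear_trace_line(line: str, oracle: Oracle) -> str:
    """Apply clear_bits to the last operand of a `write ...` or `out* ...`
    qtest line; any other line is returned unchanged."""
    parts = line.split()
    if not (parts[0] == "write" or parts[0].startswith("out")):
        return line
    parts[-1] = clear_bits(parts[-1], oracle)
    return " ".join(parts)


if __name__ == "__main__":
    # constructed sample: bits 0x80 and 0x01 are what the made-up bug needs
    oracle = make_oracle(0x0081)
    print(clear_bits("0x00f3", oracle))
    print(clear_trace_line("write 0x1000 0x2 0x00f3", oracle))
    print(clear_bits("0x80", make_oracle(0x00)))
```

The greedy order (high bits first) mirrors the patch's MSB-to-LSB loop; because each accepted clear is re-validated by the oracle, the final value is one the crash still reproduces with, and the fixed width keeps the rewritten line parseable by qtest.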




[PATCH v6 4/7] fuzz: remove IO commands iteratively

2021-01-07 Thread Qiuhao Li
Now we use a one-time scan and remove strategy in the minimizer,
which is not suitable for timing dependent instructions.

For example, instruction A will indicate an address where the config
chunk locates, and instruction B will make the configuration active.
If we have the following instruction sequence:

...
A1
B1
A2
B2
...

A2 and B2 are the actual instructions that trigger the bug.

If we scan from top to bottom, after we remove A1, the behavior of B1
might be unknowable, including not crashing the program. But we will
successfully remove B1 later because A2 and B2 will crash the process
anyway:

...
A1
A2
B2
...

Now one more trimming will remove A1.

In the perfect case, we would need to be able to remove A and B (or C!) at
the same time. But for now, let's just add a loop around the minimizer.

Since we only remove instructions, this iterative algorithm converges.

Tested with Bug 1908062.

Signed-off-by: Qiuhao Li 
Reviewed-by: Alexander Bulekov 
Tested-by: Alexander Bulekov 
---
 scripts/oss-fuzz/minimize_qtest_trace.py | 41 +++-
 1 file changed, 26 insertions(+), 15 deletions(-)

diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py 
b/scripts/oss-fuzz/minimize_qtest_trace.py
index 5cf39f4e6e..45c1627d32 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -71,21 +71,9 @@ def check_if_trace_crashes(trace, path):
 return False
 
 
-def minimize_trace(inpath, outpath):
-global TIMEOUT
-with open(inpath) as f:
-trace = f.readlines()
-start = time.time()
-if not check_if_trace_crashes(trace, outpath):
-sys.exit("The input qtest trace didn't cause a crash...")
-end = time.time()
-print("Crashed in {} seconds".format(end-start))
-TIMEOUT = (end-start)*5
-print("Setting the timeout for {} seconds".format(TIMEOUT))
-
-i = 0
-newtrace = trace[:]
+def remove_lines(newtrace, outpath):
 remove_step = 1
+i = 0
 while i < len(newtrace):
 # 1.) Try to remove lines completely and reproduce the crash.
 # If it works, we're done.
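Review bot: `remove_lines` now blanks lines to "" and leaves it to the caller to filter them out; put that contract in a docstring, since the loop in `minimize_trace` that decides whether to run another pass measures `len(newtrace)` and only works if the caller filters after every call. Also `i = 0` is added below the pre-existing `remove_step = 1`, so the two initialisations of the same loop read as if they belonged to different functions; keep them together.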
@@ -174,7 +162,30 @@ def minimize_trace(inpath, outpath):
 newtrace[i] = prior[0]
 del newtrace[i+1]
 i += 1
-check_if_trace_crashes(newtrace, outpath)
+
+
+def minimize_trace(inpath, outpath):
+global TIMEOUT
+with open(inpath) as f:
+trace = f.readlines()
+start = time.time()
+if not check_if_trace_crashes(trace, outpath):
+sys.exit("The input qtest trace didn't cause a crash...")
+end = time.time()
+print("Crashed in {} seconds".format(end-start))
+TIMEOUT = (end-start)*5
+print("Setting the timeout for {} seconds".format(TIMEOUT))
+
+newtrace = trace[:]
+
+# remove lines
+old_len = len(newtrace) + 1
+while(old_len > len(newtrace)):
+old_len = len(newtrace)
+remove_lines(newtrace, outpath)
+newtrace = list(filter(lambda s: s != "", newtrace))
+
+assert(check_if_trace_crashes(newtrace, outpath))
 
 
 if __name__ == '__main__':
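Review bot: the convergence test `old_len > len(newtrace)` only looks at the line count, but the split path of step 3 inserts a line (the `del newtrace[i+1]` above is its failure branch), so a pass that splits one write and removes one other line leaves the length unchanged and stops the loop although it made progress. Compare contents (`newtrace != prev`) or have `remove_lines` return a changed flag. The commit message's "since we only remove instructions, this iterative algorithm is converging" also oversells it slightly: accepted splits add lines, and termination comes from each accepted split producing strictly shorter writes and each accepted removal dropping a line, both of which are bounded.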
-- 
2.25.1




[PATCH v6 3/7] fuzz: split write operand using binary approach

2021-01-07 Thread Qiuhao Li
Currently, we split the write commands' data from the middle. If it does not
work, try to move the pivot left by one byte and retry until there is no
space.

But, this method has two flaws:

1. It may fail to trim all unnecessary bytes on the right side.

For example, there is an IO write command:

  write addr uuuu

u is the unnecessary byte for the crash. Unlike ram write commands, in most
cases a split IO write won't trigger the same crash, so if we split from the
middle, we will get:

  write addr uu (will be removed in next round)
  write addr uu

For uu, since splitting it from the middle and retrying to the leftmost byte
won't get the same crash, we will be stopped from removing the last two
bytes.

2. The algorithm complexity is O(n) since we move the pivot byte by byte.

To solve the first issue, we can try a symmetrical position on the right if
we fail on the left. As for the second issue, instead of moving by one byte,
we can approach the boundary exponentially, achieving O(log(n)).

Give an example:

  xxxxuu len=6
  |
  +-- xxx,xuu 6/2=3 fail
      |
      +-- xx,xxuu 6/2^2=1 fail
      |   |
      |   +-- xx,xxu 5/2=2 fail
      |   |
      |   +-- xxxx,u 6-2=4 success, u removed
      |
      +-- xxxxu,u 6-1=5 success, u removed

In some rare cases, this algorithm will fail to trim all unnecessary bytes:

  xuxx
  -xuxx Fail
  -xuxx Fail
  xuxx- Fail
  ...

I think the trade-off is worth it.

Signed-off-by: Qiuhao Li 
Reviewed-by: Alexander Bulekov 
Tested-by: Alexander Bulekov 
---
 scripts/oss-fuzz/minimize_qtest_trace.py | 29 
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py 
b/scripts/oss-fuzz/minimize_qtest_trace.py
index cfe8f7854c..5cf39f4e6e 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -94,7 +94,7 @@ def minimize_trace(inpath, outpath):
 prior = newtrace[i:i+remove_step]
 for j in range(i, i+remove_step):
 newtrace[j] = ""
-print("Removing {lines} ...".format(lines=prior))
+print("Removing {lines} ...\n".format(lines=prior))
 if check_if_trace_crashes(newtrace, outpath):
 i += remove_step
 # Double the number of lines to remove for next round
@@ -107,9 +107,11 @@ def minimize_trace(inpath, outpath):
 remove_step = 1
 continue
 newtrace[i] = prior[0] # remove_step = 1
+
 # 2.) Try to replace write{bwlq} commands with a write addr, len
 # command. Since this can require swapping endianness, try both LE and
 # BE options. We do this, so we can "trim" the writes in (3)
+
 if (newtrace[i].startswith("write") and not
 newtrace[i].startswith("write ")):
 suffix = newtrace[i].split()[0][-1]
@@ -130,11 +132,15 @@ def minimize_trace(inpath, outpath):
 newtrace[i] = prior[0]
 
 # 3.) If it is a qtest write command: write addr len data, try to split
-# it into two separate write commands. If splitting the write down the
-# middle does not work, try to move the pivot "left" and retry, until
-# there is no space left. The idea is to prune unneccessary bytes from
-# long writes, while accommodating arbitrary MemoryRegion access sizes
-# and alignments.
+# it into two separate write commands. If splitting the data operand
+# from length/2^n bytes to the left does not work, try to move the 
pivot
+# to the right side, then add one to n, until length/2^n == 0. The idea
+# is to prune unneccessary bytes from long writes, while accommodating
+# arbitrary MemoryRegion access sizes and alignments.
+
+# This algorithm will fail under some rare situations.
+# e.g., xuxx (u is the unnecessary byte)
+
 if newtrace[i].startswith("write "):
 addr = int(newtrace[i].split()[1], 16)
 length = int(newtrace[i].split()[2], 16)
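Review bot: the rewritten comment still carries the pre-existing typo "unneccessary"; fix it while you are here. The comment also says what the pivot walk does but not why the `xuxx` case fails: an unneeded byte with needed bytes on both sides can never be isolated by a single prefix/suffix split, so the search stops at the first length at which no pivot reproduces. One sentence to that effect saves the next reader from re-deriving it from the commit message.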
@@ -143,6 +149,7 @@ def minimize_trace(inpath, outpath):
 leftlength = int(length/2)
 rightlength = length - leftlength
 newtrace.insert(i+1, "")
+power = 1
 while leftlength > 0:
 newtrace[i] = "write {addr} {size} 0x{data}\n".format(
 addr=hex(addr),
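Review bot: `power = 1` gets no comment and its consumer is not in this hunk; name it for what it is, e.g. `split_power` with `# pivot = length // 2**split_power`, so the `while leftlength > 0` condition reads as "until the pivot reaches 0".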
@@ -154,9 +161,13 @@ def minimize_trace(inpath, outpath):
 

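The pivot walk described in this commit message, written out as an added Python example (it is not the patch's code and not the minimizer script): `split_pivots` yields the candidates in the order the message describes, `trim_write` applies them to one write and keeps the half that still reproduces, and `make_oracle` is a constructed stand-in for re-running QEMU in which the bug fires only when a single write covers every needed byte. The `xuxx` case from the message is included to show the documented failure.

```python
"""Binary pivot search for splitting one qtest write, as described above.

Added example, not the patch's own code.  The oracle stands in for
re-running QEMU: it gets a list of (addr, data) writes and returns True
when the crash still reproduces.
"""
from typing import Callable, Iterator, List, Optional, Tuple

Write = Tuple[int, bytes]
Oracle = Callable[[List[Write]], bool]


def split_pivots(length: int) -> Iterator[int]:
    """Candidate split points in the order the commit message describes:
    length/2, then for n = 2, 3, ... the left pivot length/2**n and its
    mirror length - length/2**n, until the left pivot reaches 0.
    That is O(log n) candidates instead of sliding the pivot byte by byte."""
    seen = set()
    n = 1
    while True:
        left = length >> n
        if left == 0:
            return
        for pivot in (left, length - left):
            if pivot not in seen:
                seen.add(pivot)
                yield pivot
        n += 1


def trim_write(addr: int, data: bytes, crashes: Oracle) -> Write:
    """Shrink a single write by repeated splitting.

    For each candidate pivot the write is replaced by two writes; if the
    crash still reproduces, the half that reproduces on its own is kept
    (the other half is what the next line-removal round would delete) and
    the survivor is split again.  Stops when no pivot works."""
    while len(data) > 1:
        survivor: Optional[Write] = None
        for pivot in split_pivots(len(data)):
            left: Write = (addr, data[:pivot])
            right: Write = (addr + pivot, data[pivot:])
            if not crashes([left, right]):
                continue
            if crashes([left]):
                survivor = left
            elif crashes([right]):
                survivor = right
            break   # the split worked; if both halves are needed we stop here
        if survivor is None:
            return addr, data
        addr, data = survivor
    return addr, data


def make_oracle(needed: frozenset) -> Oracle:
    """Constructed device model: the bug fires only when ONE write covers
    every address in `needed` (a split IO write does not, as noted above)."""
    def crashes(writes: List[Write]) -> bool:
        return any(all(a <= off < a + len(d) for off in needed) for a, d in writes)
    return crashes


if __name__ == "__main__":
    # trailing unnecessary bytes: trimmed down to the four needed ones
    print(trim_write(0, b"xxxxuu", make_oracle(frozenset({0, 1, 2, 3}))))
    # the rare case from the commit message: an interior unneeded byte can
    # never be isolated by a prefix/suffix split, so nothing is trimmed
    print(trim_write(0, b"xuxx", make_oracle(frozenset({0, 2, 3}))))
```

Run it to see `xxxxuu` shrink to `xxxx` and `xuxx` stay put; against a real trace the oracle would be the crash check from the script and the two halves would be emitted as separate `write` lines.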
[PATCH v6 2/7] fuzz: double the IOs to remove for every loop

2021-01-07 Thread Qiuhao Li
Instead of removing IO instructions one by one, we can try deleting multiple
instructions at once. According to the locality of reference, we double the
number of instructions to remove for the next round and recover it to one
once we fail.

This patch is usually significant for large input.

Test with quadrupled trace input at:
  https://bugs.launchpad.net/qemu/+bug/1890333/comments/1

Patched 1/6 version:
  real  0m45.904s
  user  0m16.874s
  sys   0m10.042s

Refined version:
  real  0m11.412s
  user  0m6.888s
  sys   0m3.325s

Signed-off-by: Qiuhao Li 
Reviewed-by: Alexander Bulekov 
Tested-by: Alexander Bulekov 
---
 scripts/oss-fuzz/minimize_qtest_trace.py | 33 +++-
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py 
b/scripts/oss-fuzz/minimize_qtest_trace.py
index 57dcaaeba3..cfe8f7854c 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -85,19 +85,28 @@ def minimize_trace(inpath, outpath):
 
 i = 0
 newtrace = trace[:]
-# For each line
+remove_step = 1
 while i < len(newtrace):
-# 1.) Try to remove it completely and reproduce the crash. If it works,
-# we're done.
-prior = newtrace[i]
-print("Trying to remove {}".format(newtrace[i]))
-# Try to remove the line completely
-newtrace[i] = ""
+# 1.) Try to remove lines completely and reproduce the crash.
+# If it works, we're done.
+if (i+remove_step) >= len(newtrace):
+remove_step = 1
+prior = newtrace[i:i+remove_step]
+for j in range(i, i+remove_step):
+newtrace[j] = ""
+print("Removing {lines} ...".format(lines=prior))
 if check_if_trace_crashes(newtrace, outpath):
-i += 1
+i += remove_step
+# Double the number of lines to remove for next round
+remove_step *= 2
 continue
-newtrace[i] = prior
-
+# Failed to remove multiple IOs, fast recovery
+if remove_step > 1:
+for j in range(i, i+remove_step):
+newtrace[j] = prior[j-i]
+remove_step = 1
+continue
+newtrace[i] = prior[0] # remove_step = 1
 # 2.) Try to replace write{bwlq} commands with a write addr, len
 # command. Since this can require swapping endianness, try both LE and
 # BE options. We do this, so we can "trim" the writes in (3)
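Review bot: `if (i+remove_step) >= len(newtrace): remove_step = 1` throws the whole window away when it would overrun the tail; clamping with `remove_step = len(newtrace) - i` keeps removing in batches right up to the end, and `>` rather than `>=` is the right comparison since `i+remove_step == len(newtrace)` is a valid slice. The recovery branch restores `prior[j-i]` and retries the same `i` with step 1, which is correct, but the comment "fast recovery" would read better as "a batch failed, fall back to single-line removal at the same position".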
@@ -118,7 +127,7 @@ def minimize_trace(inpath, outpath):
 if(check_if_trace_crashes(newtrace, outpath)):
 break
 else:
-newtrace[i] = prior
+newtrace[i] = prior[0]
 
 # 3.) If it is a qtest write command: write addr len data, try to split
 # it into two separate write commands. If splitting the write down the
@@ -151,7 +160,7 @@ def minimize_trace(inpath, outpath):
 if check_if_trace_crashes(newtrace, outpath):
 i -= 1
 else:
-newtrace[i] = prior
+newtrace[i] = prior[0]
 del newtrace[i+1]
 i += 1
 check_if_trace_crashes(newtrace, outpath)
-- 
2.25.1
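The batch removal of this patch and the outer loop of "fuzz: remove IO commands iteratively", combined in one added Python example (not the patch's code): `remove_lines` deletes a doubling window of instructions and falls back to one after a failure, `minimize` repeats it until a pass changes nothing, and `crashes` is a constructed device model built around the A1/B1/A2/B2 ordering problem from that commit message, where B1 becomes removable only after A1 is gone. The sample trace is constructed.

```python
"""Line removal with a doubling window, iterated to a fixed point.

Added example, not the patch's own code.  remove_lines() doubles the
number of instructions it drops after every success and falls back to
one after a failure; minimize() repeats the pass until nothing changes,
which is what handles the A1/B1/A2/B2 ordering problem.
"""
from typing import Callable, List, Tuple

Oracle = Callable[[List[str]], bool]


def remove_lines(trace: List[str], crashes: Oracle, doubling: bool = True) -> List[str]:
    """One pass over the trace, deleting instructions the crash does not need."""
    t = list(trace)
    i, step = 0, 1
    while i < len(t):
        step = min(step, len(t) - i)       # clamp the window to the tail
        trial = t[:i] + t[i + step:]
        if crashes(trial):
            t = trial                      # success: keep the deletion, widen the window
            if doubling:
                step *= 2
            continue
        if step > 1:                       # a wide window failed: retry one line
            step = 1
            continue
        i += 1                             # a single needed line: keep it


    return t


def minimize(trace: List[str], crashes: Oracle, doubling: bool = True) -> Tuple[List[str], int]:
    """Repeat remove_lines() until a pass changes nothing; returns (trace, passes)."""
    if not crashes(trace):
        raise ValueError("the input trace does not reproduce the crash")
    t = list(trace)
    passes = 0
    while True:
        passes += 1
        new = remove_lines(t, crashes, doubling)
        if new == t:
            return t, passes
        t = new


def crashes(trace: List[str]) -> bool:
    """Constructed device model standing in for QEMU.  'A<n>' selects config
    n, 'B<n>' activates the selected config; activating config 2 is the bug.
    Activating with no config selected halts the device, so nothing after
    it runs (this is what makes B1 unremovable until A1 is gone)."""
    cfg = None
    for insn in trace:
        if insn[0] == "A":
            cfg = int(insn[1:])
        elif insn[0] == "B":
            if cfg is None:
                return False
            if cfg == 2:
                return True
    return False


# constructed sample trace: n* are irrelevant IOs, A2/B2 trigger the bug
TRACE = ["n0", "n1", "n2", "n3", "A1", "B1", "A2", "B2", "n4", "n5"]

if __name__ == "__main__":
    print(minimize(TRACE, crashes, doubling=True))
    print(minimize(TRACE, crashes, doubling=False))
```

With doubling on, the A1/B1 pair goes in one batch and the second pass only confirms the fixed point; with one-by-one removal, A1 survives the first pass and falls in the second, which is the case the outer loop exists for.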




[PATCH v6 1/7] fuzz: accelerate non-crash detection

2021-01-07 Thread Qiuhao Li
We spend much time waiting for the timeout program during the minimization
process until it passes a time limit. This patch hacks the CLOSED (indicates
the redirection file closed) notification in QTest's output if it doesn't
crash.

Test with quadrupled trace input at:
  https://bugs.launchpad.net/qemu/+bug/1890333/comments/1

Original version:
  real  1m37.246s
  user  0m13.069s
  sys   0m8.399s

Refined version:
  real  0m45.904s
  user  0m16.874s
  sys   0m10.042s

Signed-off-by: Qiuhao Li 
Reviewed-by: Alexander Bulekov 
Tested-by: Alexander Bulekov 
---
 scripts/oss-fuzz/minimize_qtest_trace.py | 39 
 1 file changed, 27 insertions(+), 12 deletions(-)

diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py 
b/scripts/oss-fuzz/minimize_qtest_trace.py
index 5e405a0d5f..57dcaaeba3 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -29,8 +29,14 @@ whether the crash occred. Optionally, manually set a string 
that idenitifes the
 crash by setting CRASH_TOKEN=
 """.format((sys.argv[0])))
 
+deduplication_note = """\n\
+Note: While trimming the input, sometimes the mutated trace triggers a 
different
+crash output but indicates the same bug. Under this situation, our minimizer is
+incapable of recognizing and stopped from removing it. In the future, we may
+use a more sophisticated crash case deduplication method.
+\n"""
+
 def check_if_trace_crashes(trace, path):
-global CRASH_TOKEN
 with open(path, "w") as tracefile:
 tracefile.write("".join(trace))
 
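Review bot: the `deduplication_note` wording needs a pass: "our minimizer is incapable of recognizing and stopped from removing it" should read "the minimizer cannot recognize this and will not remove the line". Moving `global CRASH_TOKEN` out of the top of `check_if_trace_crashes` only works because the name is not touched before the later `global` statement; keeping the declaration at the top of the function is the usual style and avoids a SyntaxError if someone later adds a use above it.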
@@ -41,18 +47,28 @@ def check_if_trace_crashes(trace, path):
trace_path=path),
   shell=True,
   stdin=subprocess.PIPE,
-  stdout=subprocess.PIPE)
-stdo = rc.communicate()[0]
-output = stdo.decode('unicode_escape')
-if rc.returncode == 137:# Timed Out
-return False
-if len(output.splitlines()) < 2:
-return False
-
+  stdout=subprocess.PIPE,
+  encoding="utf-8")
+global CRASH_TOKEN
 if CRASH_TOKEN is None:
-CRASH_TOKEN = output.splitlines()[-2]
+try:
+outs, _ = rc.communicate(timeout=5)
+CRASH_TOKEN = outs.splitlines()[-2]
+except subprocess.TimeoutExpired:
+print("subprocess.TimeoutExpired")
+return False
+print("Identifying Crashes by this string: {}".format(CRASH_TOKEN))
+global deduplication_note
+print(deduplication_note)
+return True
 
-return CRASH_TOKEN in output
+for line in iter(rc.stdout.readline, b''):
+if "CLOSED" in line:
+return False
+if CRASH_TOKEN in line:
+return True
+
+return False
 
 
 def minimize_trace(inpath, outpath):
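Review bot: `for line in iter(rc.stdout.readline, b'')` never terminates on EOF: with `encoding="utf-8"` the pipe is in text mode and `readline()` returns `''`, which is not equal to `b''`, so if QEMU exits without printing either the token or "CLOSED" (killed on timeout, or a different crash signature) this loop spins forever and the `return False` below it is unreachable. Use `iter(rc.stdout.readline, '')` or `for line in rc.stdout:`. Two more in the same hunk: the first-run branch hard-codes `communicate(timeout=5)` instead of using `TIMEOUT`, and neither branch kills or waits for the child after an early `return True`/`return False`, so each run leaves the QEMU process behind until it exits on its own; wrap the reading in `try: ... finally: rc.kill(); rc.wait()`.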
@@ -66,7 +82,6 @@ def minimize_trace(inpath, outpath):
 print("Crashed in {} seconds".format(end-start))
 TIMEOUT = (end-start)*5
 print("Setting the timeout for {} seconds".format(TIMEOUT))
-print("Identifying Crashes by this string: {}".format(CRASH_TOKEN))
 
 i = 0
 newtrace = trace[:]
-- 
2.25.1
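The streaming crash check this patch introduces, rewritten as an added Python example (not the patch's code) with the three things a reviewer would want nailed down: the EOF sentinel for a text-mode pipe, a watchdog that kills a child printing neither the token nor "CLOSED", and reaping the child on every exit path. The three child commands are constructed python one-liners standing in for a QEMU run; the ASan line and the qtest OPENED/CLOSED lines are sample text, not captured output.

```python
"""Crash classification by streaming the target's output.

Added example, not the patch's own code.  Reads the child's stdout line by
line and returns as soon as either the crash token or the qtest "CLOSED"
line shows up, kills a child that prints neither within `timeout`
seconds, and always reaps the child.
"""
import subprocess
import sys
import threading
from typing import List


def run_and_classify(cmd: List[str], crash_token: str, timeout: float,
                     close_token: str = "CLOSED") -> str:
    """Return "crash", "clean" or "timeout" for one run of `cmd`."""
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, text=True)
    timed_out = threading.Event()

    def _kill() -> None:
        timed_out.set()
        proc.kill()

    watchdog = threading.Timer(timeout, _kill)
    watchdog.start()
    try:
        # text-mode readline() returns '' at EOF, so '' is the sentinel;
        # with b'' the loop would never end once the child is gone
        for line in iter(proc.stdout.readline, ""):
            if crash_token in line:
                return "crash"
            if close_token in line:
                return "clean"
        return "timeout" if timed_out.is_set() else "clean"
    finally:
        watchdog.cancel()
        proc.kill()          # harmless if it already exited
        proc.wait()          # reap, so no zombie survives an early return


# constructed stand-ins for a QEMU run under the fuzzer's reproducer
CHILD_CRASH = [sys.executable, "-c",
               "print('==12345==ERROR: AddressSanitizer: heap-buffer-overflow', flush=True)"]
CHILD_CLEAN = [sys.executable, "-c",
               "print('[I 0.000000] OPENED'); print('[I 0.123456] CLOSED')"]
CHILD_HANG = [sys.executable, "-c", "import time; time.sleep(30)"]

if __name__ == "__main__":
    for name, child in (("crash", CHILD_CRASH), ("clean", CHILD_CLEAN), ("hang", CHILD_HANG)):
        print(name, "->", run_and_classify(child, "AddressSanitizer", timeout=1.0))
```

The early return on the token is what buys the speed-up the commit message measures; the `finally` is what keeps it from leaking one QEMU process per trial.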




[PATCH v6 0/7] fuzz: improve crash case minimization

2021-01-07 Thread Qiuhao Li
Extend and refine the crash case minimization process.

Test input:
  Bug 1909261 full_reproducer
  6500 QTest instructions (write mostly)

Refined (-M1 minimization level) vs. Original version:
  real  38m31.942s  <-- real  532m57.192s
  user  28m18.188s  <-- user  89m0.536s
  sys   12m42.239s  <-- sys   50m33.074s
  2558 instructions <-- 2846 instructions

Test Environment:
  i7-8550U, 16GB LPDDR3, SSD 
  Ubuntu 20.04.1 5.4.0-58-generic x86_64
  Python 3.8.5

v6:
  Fix: add Reviewed-by and Tested-by tags

v5:
  Fix: send SIGKILL on timeout
  Fix: rename minimization functions

v4:
  Fix: messy diff in [PATCH v3 4/7]

v3:
  Fix: checkpatch.pl errors

v2: 
  New: [PATCH v2 1/7]
  New: [PATCH v2 2/7]
  New: [PATCH v2 4/7]
  New: [PATCH v2 6/7]
  New: [PATCH v2 7/7]
  Fix: [PATCH 2/4] split using binary approach
  Fix: [PATCH 3/4] typo in comments
  Discard: [PATCH 1/4] the hardcoded regex match for crash detection
  Discard: [PATCH 4/4] the delaying minimizer
  
Thanks for the suggestions from:
  Alexander Bulekov

Qiuhao Li (7):
  fuzz: accelerate non-crash detection
  fuzz: double the IOs to remove for every loop
  fuzz: split write operand using binary approach
  fuzz: remove IO commands iteratively
  fuzz: set bits in operand of write/out to zero
  fuzz: add minimization options
  fuzz: heuristic split write based on past IOs

 scripts/oss-fuzz/minimize_qtest_trace.py | 257 ++-
 1 file changed, 210 insertions(+), 47 deletions(-)

-- 
2.25.1




Re: [PATCH v5 0/7] fuzz: improve crash case minimization

2021-01-07 Thread Qiuhao Li
On Thu, 2021-01-07 at 23:30 -0500, Alexander Bulekov wrote:
> Hi Qiuhao,
> Can you add my Reviewed-by: tags to the patches that I have reviewed?
> Thanks
> -Alex

Ok, fixed in version 6, thanks.

> 
> On 210108 1044, Qiuhao Li wrote:
> > Extend and refine the crash case minimization process.
> > 
> > Test input:
> >   Bug 1909261 full_reproducer
> >   6500 QTest instructions (write mostly)
> > 
> > Refined (-M1 minimization level) vs. Original version:
> >   real  38m31.942s  <-- real  532m57.192s
> >   user  28m18.188s  <-- user  89m0.536s
> >   sys   12m42.239s  <-- sys   50m33.074s
> >   2558 instructions <-- 2846 instructions
> > 
> > Test Environment:
> >   i7-8550U, 16GB LPDDR3, SSD 
> >   Ubuntu 20.04.1 5.4.0-58-generic x86_64
> >   Python 3.8.5
> > 
> > v5:
> >   Fix: send SIGKILL on timeout
> >   Fix: rename minimization functions
> > 
> > v4:
> >   Fix: messy diff in [PATCH v3 4/7]
> > 
> > v3:
> >   Fix: checkpatch.pl errors
> > 
> > v2: 
> >   New: [PATCH v2 1/7]
> >   New: [PATCH v2 2/7]
> >   New: [PATCH v2 4/7]
> >   New: [PATCH v2 6/7]
> >   New: [PATCH v2 7/7]
> >   Fix: [PATCH 2/4] split using binary approach
> >   Fix: [PATCH 3/4] typo in comments
> >   Discard: [PATCH 1/4] the hardcoded regex match for crash
> > detection
> >   Discard: [PATCH 4/4] the delaying minimizer
> >   
> > Thanks for the suggestions from:
> >   Alexander Bulekov
> > 
> > Qiuhao Li (7):
> >   fuzz: accelerate non-crash detection
> >   fuzz: double the IOs to remove for every loop
> >   fuzz: split write operand using binary approach
> >   fuzz: remove IO commands iteratively
> >   fuzz: set bits in operand of write/out to zero
> >   fuzz: add minimization options
> >   fuzz: heuristic split write based on past IOs
> > 
> >  scripts/oss-fuzz/minimize_qtest_trace.py | 257 ++-
> > 
> >  1 file changed, 210 insertions(+), 47 deletions(-)
> > 
> > -- 
> > 2.25.1
> > 




Re: [Linuxarm] Re: [RFC PATCH v2 07/32] hw/cxl/device: Implement basic mailbox (8.2.8.4)

2021-01-07 Thread Ben Widawsky
On 21-01-06 11:08:28, Ben Widawsky wrote:
> On 21-01-06 10:05:57, Ben Widawsky wrote:
> > On 21-01-06 17:40:14, Jonathan Cameron wrote:
> > > On Wed, 6 Jan 2021 13:21:23 +
> > > Jonathan Cameron  wrote:
> > > 
> > > > On Tue, 5 Jan 2021 08:52:58 -0800
> > > > Ben Widawsky  wrote:
> > > > 
> 
> [snip]
> 
> > 
> > I'm sorry you had to debug this. I had fixed this previously and it got 
> > lost.
> > I'm currently between test applications, so my regression testing isn't 
> > great.
> > 
> > I think the fix should be something like this, but I can't easily test at 
> > the
> > moment:
> > 
> > diff --git a/hw/cxl/cxl-device-utils.c b/hw/cxl/cxl-device-utils.c
> > index c515d45d20..b38e9b4c17 100644
> > --- a/hw/cxl/cxl-device-utils.c
> > +++ b/hw/cxl/cxl-device-utils.c
> > @@ -102,6 +102,9 @@ static void mailbox_reg_write(void *opaque, hwaddr 
> > offset, uint64_t value,
> >  {
> >  CXLDeviceState *cxl_dstate = opaque;
> > 
> > +if (offset >= A_CXL_DEV_CMD_PAYLOAD)
> > +stn_le_p(cxl_dstate->mbox_reg_state, size, value);
> > +
> >  /*
> >   * Lock is needed to prevent concurrent writes as well as to prevent 
> > writes
> >   * coming in while the firmware is processing. Without background 
> > commands
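Review bot: the new branch's `stn_le_p(cxl_dstate->mbox_reg_state, size, value)` drops `offset`, so every payload write lands at the start of `mbox_reg_state` instead of at `mbox_reg_state + offset`; and because the branch does not return, the same write then continues into the lock-protected register path below. Nothing visible bounds `offset + size` against the size of `mbox_reg_state` either, and `offset` arrives from the guest's MMIO access, so an offset past the payload area should be rejected before the store rather than written through.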
> > 
> > 
> > 
> 
> +if (offset >= A_CXL_DEV_CMD_PAYLOAD) {
> +stn_le_p(cxl_dstate->mbox_reg_state, size, value);
> +return;
> +}
> +
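Review bot: with the early `return`, payload writes now skip the lock that the comment in the hunk above says is needed to keep writes out while the firmware is processing a command; if the payload area must stay stable during processing, the store needs to sit under the same lock. The destination still lacks `+ offset` (see the corrected line below).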

Last time's a charm
 stn_le_p(cxl_dstate->mbox_reg_state + offset, size, value);

> 
> [snip]
> 
> > 



Re: [for-6.0 v5 03/13] securable guest memory: Handle memory encryption via interface

2021-01-07 Thread David Gibson
On Fri, Dec 04, 2020 at 02:10:05PM +0100, Cornelia Huck wrote:
> On Fri,  4 Dec 2020 16:44:05 +1100
> David Gibson  wrote:
> 
> > At the moment AMD SEV sets a special function pointer, plus an opaque
> > handle in KVMState to let things know how to encrypt guest memory.
> > 
> > Now that we have a QOM interface for handling things related to securable
> > guest memory, use a QOM method on that interface, rather than a bare
> > function pointer for this.
> > 
> > Signed-off-by: David Gibson 
> > Reviewed-by: Richard Henderson 
> > ---
> >  accel/kvm/kvm-all.c   |  36 +---
> >  accel/kvm/sev-stub.c  |   9 +-
> >  include/exec/securable-guest-memory.h |   2 +
> >  include/sysemu/sev.h  |   5 +-
> >  target/i386/monitor.c |   1 -
> >  target/i386/sev.c | 116 ++
> >  6 files changed, 77 insertions(+), 92 deletions(-)
> > 
> 
> > @@ -224,7 +224,7 @@ int kvm_get_max_memslots(void)
> >  
> >  bool kvm_memcrypt_enabled(void)
> >  {
> > -if (kvm_state && kvm_state->memcrypt_handle) {
> > +if (kvm_state && kvm_state->sgm) {
> 
> If we want to generalize the concept, maybe check for encrypt_data in
> sgm here? There's probably room for different callbacks in the sgm
> structure.

I don't think it's worth changing here.  This gets changed again in
patch 6, I'll adjust to clarify a bit what's going on there.

> 
> >  return true;
> >  }
> >  
> 

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [for-6.0 v5 10/13] spapr: Add PEF based securable guest memory

2021-01-07 Thread David Gibson
On Tue, Jan 05, 2021 at 03:34:38PM -0800, Ram Pai wrote:
> On Fri, Dec 04, 2020 at 04:44:12PM +1100, David Gibson wrote:
> > Some upcoming POWER machines have a system called PEF (Protected
> > Execution Facility) which uses a small ultravisor to allow guests to
> > run in a way that they can't be eavesdropped by the hypervisor.  The
> > effect is roughly similar to AMD SEV, although the mechanisms are
> > quite different.
> > 
> > Most of the work of this is done between the guest, KVM and the
> > ultravisor, with little need for involvement by qemu.  However qemu
> > does need to tell KVM to allow secure VMs.
> > 
> > Because the availability of secure mode is a guest visible difference
> > which depends on having the right hardware and firmware, we don't
> > enable this by default.  In order to run a secure guest you need to
> > create a "pef-guest" object and set the securable-guest-memory machine
> > property to point to it.
> > 
> > Note that this just *allows* secure guests, the architecture of PEF is
> > such that the guest still needs to talk to the ultravisor to enter
> > secure mode.  Qemu has no direct way of knowing if the guest is in
> > secure mode, and certainly can't know until well after machine
> > creation time.
> > 
> > To start a PEF-capable guest, use the command line options:
> > -object pef-guest,id=pef0 -machine securable-guest-memory=pef0
> > 
> > Signed-off-by: David Gibson 
> > Acked-by: Ram Pai 
> > ---
> >  hw/ppc/meson.build   |   1 +
> >  hw/ppc/pef.c | 115 +++
> >  hw/ppc/spapr.c   |  10 
> >  include/hw/ppc/pef.h |  26 ++
> >  target/ppc/kvm.c |  18 ---
> >  target/ppc/kvm_ppc.h |   6 ---
> >  6 files changed, 152 insertions(+), 24 deletions(-)
> >  create mode 100644 hw/ppc/pef.c
> >  create mode 100644 include/hw/ppc/pef.h
> > 
> > diff --git a/hw/ppc/meson.build b/hw/ppc/meson.build
> > index ffa2ec37fa..218631c883 100644
> > --- a/hw/ppc/meson.build
> > +++ b/hw/ppc/meson.build
> > @@ -27,6 +27,7 @@ ppc_ss.add(when: 'CONFIG_PSERIES', if_true: files(
> >'spapr_nvdimm.c',
> >'spapr_rtas_ddw.c',
> >'spapr_numa.c',
> > +  'pef.c',
> >  ))
> >  ppc_ss.add(when: 'CONFIG_SPAPR_RNG', if_true: files('spapr_rng.c'))
> >  ppc_ss.add(when: ['CONFIG_PSERIES', 'CONFIG_LINUX'], if_true: files(
> > diff --git a/hw/ppc/pef.c b/hw/ppc/pef.c
> > new file mode 100644
> > index 00..3ae3059cfe
> > --- /dev/null
> > +++ b/hw/ppc/pef.c
> > @@ -0,0 +1,115 @@
> > +/*
> > + * PEF (Protected Execution Facility) for POWER support
> > + *
> > + * Copyright David Gibson, Redhat Inc. 2020
> > + *
> > + * This work is licensed under the terms of the GNU GPL, version 2 or 
> > later.
> > + * See the COPYING file in the top-level directory.
> > + *
> > + */
> > +
> > +#include "qemu/osdep.h"
> > +
> > +#include "qapi/error.h"
> > +#include "qom/object_interfaces.h"
> > +#include "sysemu/kvm.h"
> > +#include "migration/blocker.h"
> > +#include "exec/securable-guest-memory.h"
> > +#include "hw/ppc/pef.h"
> > +
> > +#define TYPE_PEF_GUEST "pef-guest"
> > +#define PEF_GUEST(obj)  \
> > +OBJECT_CHECK(PefGuestState, (obj), TYPE_PEF_GUEST)
> > +
> > +typedef struct PefGuestState PefGuestState;
> > +
> > +/**
> > + * PefGuestState:
> > + *
> > + * The PefGuestState object is used for creating and managing a PEF
> > + * guest.
> > + *
> > + * # $QEMU \
> > + * -object pef-guest,id=pef0 \
> > + * -machine ...,securable-guest-memory=pef0
> > + */
> > +struct PefGuestState {
> > +Object parent_obj;
> > +};
> > +
> > +#ifdef CONFIG_KVM
> > +static int kvmppc_svm_init(Error **errp)
> > +{
> > +if (!kvm_check_extension(kvm_state, KVM_CAP_PPC_SECURABLE_GUEST)) {
>^^
> KVM defines this macro as KVM_CAP_PPC_SECURE_GUEST. Unless we patch KVM,
> we are stuck with KVM_CAP_PPC_SECURE_GUEST.
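Review bot: the copyright line in the new file reads `Copyright David Gibson, Redhat Inc. 2020`; the company's name is written `Red Hat, Inc.`. On the last visible line, `kvm_check_extension(kvm_state, KVM_CAP_PPC_SECURABLE_GUEST)` uses a capability name the KVM headers do not define (see the comment above), so the file will not compile as posted.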

Oops, made an over-zealous search and replace.  Fixed now.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [PATCH v2 0/7] macio: remove PIC object property links

2021-01-07 Thread David Gibson
On Thu, Jan 07, 2021 at 02:26:33PM +, Mark Cave-Ayland wrote:
> On 29/12/2020 17:56, Mark Cave-Ayland wrote:
> 
> > This patchset follows on from the discussion at 
> > https://lists.gnu.org/archive/html/qemu-devel/2020-11/msg02630.html
> > where the user_creatable flag for the macio devices was set back to false 
> > just
> > before the 5.2 release.
> > 
> > The underlying cause was that the PIC object property links were not being 
> > set
> > before realise. Whilst this cannot happen when launching the g3beige and 
> > mac99
> > machines from qemu-system-ppc, it caused some automated tests to fail.
> > 
> > Here we fix the real problem which is to move the PIC for both machines 
> > into the
> > macio device, which not only matches real hardware but also enables the PIC 
> > object
> > property links to be completely removed.
> > 
> > Patch 6 rewires the macio gpios for the mac99 machine as per Ben's original 
> > comment
> > after the OpenPIC device has been moved into the macio-newworld device, and 
> > then
> > finally patch 7 removes setting the user_creatable flag to false on the 
> > macio devices
> > once again.
> > 
> > Signed-off-by: Mark Cave-Ayland 
> > 
> > v2:
> > - Add R-B tag for patch 1 from David
> > - Update commit messages to include more detail as requested by David
> > 
> > 
> > Mark Cave-Ayland (7):
> >mac_oldworld: remove duplicate bus check for PPC_INPUT(env)
> >mac_oldworld: move initialisation of grackle before heathrow
> >macio: move heathrow PIC inside macio-oldworld device
> >mac_newworld: delay wiring of PCI IRQs in New World machine
> >macio: move OpenPIC inside macio-newworld device
> >macio: wire macio GPIOs to OpenPIC using sysbus IRQs
> >macio: don't set user_creatable to false
> > 
> >   hw/misc/macio/gpio.c  | 24 +++
> >   hw/misc/macio/macio.c | 53 
> >   hw/ppc/mac_newworld.c | 71 
> >   hw/ppc/mac_oldworld.c | 76 ---
> >   include/hw/misc/macio/gpio.h  |  2 -
> >   include/hw/misc/macio/macio.h |  4 +-
> >   6 files changed, 104 insertions(+), 126 deletions(-)
> 
> Any further thoughts on this? David has reviewed patches 1-5 but I've had no
> other feedback to date. If everyone is happy then I don't mind including
> this in a qemu-macppc PR.

I'm happy for you to do that.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [PATCH v6 00/35] Hexagon patch series

2021-01-07 Thread no-reply
Patchew URL: 
https://patchew.org/QEMU/1610080146-14968-1-git-send-email-tsimp...@quicinc.com/



Hi,

This series seems to have some coding style problems. See output below for
more information:

Type: series
Message-id: 1610080146-14968-1-git-send-email-tsimp...@quicinc.com
Subject: [PATCH v6 00/35] Hexagon patch series

=== TEST SCRIPT BEGIN ===
#!/bin/bash
git rev-parse base > /dev/null || exit 0
git config --local diff.renamelimit 0
git config --local diff.renames True
git config --local diff.algorithm histogram
./scripts/checkpatch.pl --mailback base..
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
From https://github.com/patchew-project/qemu
 * [new tag] 
patchew/1610080146-14968-1-git-send-email-tsimp...@quicinc.com -> 
patchew/1610080146-14968-1-git-send-email-tsimp...@quicinc.com
 - [tag update]  
patchew/me3p282mb17456b93ae422008f433c50dfc...@me3p282mb1745.ausp282.prod.outlook.com
 -> 
patchew/me3p282mb17456b93ae422008f433c50dfc...@me3p282mb1745.ausp282.prod.outlook.com
Switched to a new branch 'test'
4affae0 Add newline when generating Dockerfile
4dfa4fc Auto-import Docker support files
f6826f4 Add Dockerfile for hexagon
eab6033 Hexagon build infrastructure
2f874bd Hexagon (tests/tcg/hexagon) TCG tests
199c6a8 Hexagon (linux-user/hexagon) Linux user emulation
042fe41 Hexagon (target/hexagon) translation
64f32a2 Hexagon (target/hexagon) TCG for floating point instructions
abce063 Hexagon (target/hexagon) TCG for instructions with multiple definitions
fb62368 Hexagon (target/hexagon) TCG generation
e72f87e Hexagon (target/hexagon) instruction classes
5145d6f Hexagon (target/hexagon) macros
e2ba52e Hexagon (target/hexagon) opcode data structures
86ec014 Hexagon (target/hexagon) generater phase 4 - decode tree
0895ec5 Hexagon (target/hexagon) generator phase 3 - C preprocessor for decode 
tree
e2828ec Hexagon (target/hexagon) generator phase 2 - generate header files
7b8a96d Hexagon (target/hexagon) generator phase 1 - C preprocessor for 
semantics
df51f7b Hexagon (target/hexagon/imported) arch import
1340e17 Hexagon (target/hexagon/fma_emu.[ch]) utility functions
028bca3 Hexagon (target/hexagon/conv_emu.[ch]) utility functions
abc4cd4 Hexagon (target/hexagon/arch.[ch]) utility functions
4f0edc0 Hexagon (target/hexagon) instruction printing
84be801 Hexagon (target/hexagon) instruction/packet decode
eed40dd Hexagon (target/hexagon) instruction attributes
bb930be Hexagon (target/hexagon) register fields
4a0da26 Hexagon (target/hexagon) instruction and packet types
e5e7712 Hexagon (target/hexagon) architecture types
33d7340 Hexagon (target/hexagon) GDB Stub
ac40859 Hexagon (target/hexagon) scalar core helpers
0da88d6 Hexagon (target/hexagon) register names
888dc67 Hexagon (disas) disassembler
88f2553 Hexagon (target/hexagon) scalar core definition
310aa19 Hexagon (include/elf.h) ELF machine definition
ee760b0 Hexagon (target/hexagon) README
6b03a8f Hexagon Update MAINTAINERS file

=== OUTPUT BEGIN ===
1/35 Checking commit 6b03a8fcfcec (Hexagon Update MAINTAINERS file)
2/35 Checking commit ee760b04dfce (Hexagon (target/hexagon) README)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#13: 
new file mode 100644

total: 0 errors, 1 warnings, 235 lines checked

Patch 2/35 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
3/35 Checking commit 310aa193607a (Hexagon (include/elf.h) ELF machine 
definition)
4/35 Checking commit 88f255358f1c (Hexagon (target/hexagon) scalar core 
definition)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#13: 
new file mode 100644

total: 0 errors, 1 warnings, 595 lines checked

Patch 4/35 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
5/35 Checking commit 888dc67b6cba (Hexagon (disas) disassembler)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#15: 
new file mode 100644

total: 0 errors, 1 warnings, 82 lines checked

Patch 5/35 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
6/35 Checking commit 0da88d6baf42 (Hexagon (target/hexagon) register names)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#12: 
new file mode 100644

total: 0 errors, 1 warnings, 83 lines checked

Patch 6/35 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
7/35 Checking commit ac408596534c (Hexagon (target/hexagon) scalar core helpers)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#14: 
new file mode 100644

total: 0 errors, 1 warnings, 1101 lines checked

Patch 7/35 has style problems, please review.  If any of these errors
are false positives report them to the 

Re: [PATCH v4 0/7] fuzz: improve crash case minimization

2021-01-07 Thread Alexander Bulekov
On 201229 1239, Qiuhao Li wrote:
> Extend and refine the crash case minimization process.
> 

Hi Qiuhao,
For this whole series:
Tested-by: Alexander Bulekov 

Thank you for this effort! -  it is a big improvement over what we had.
-Alex

> Test input:
>   Bug 1909261 full_reproducer
>   6500 QTest instructions (write mostly)
> 
> Refined (-M1 minimization level) vs. Original version:
>   real  38m31.942s  <-- real  532m57.192s
>   user  28m18.188s  <-- user  89m0.536s
>   sys   12m42.239s  <-- sys   50m33.074s
>   2558 instructions <-- 2846 instructions
> 
> Test Environment:
>   i7-8550U, 16GB LPDDR3, SSD 
>   Ubuntu 20.04.1 5.4.0-58-generic x86_64
>   Python 3.8.5
> 
> v4:
>   Fix: messy diff in [PATCH v3 4/7]
> 
> v3:
>   Fix: checkpatch.pl errors
> 
> v2: 
>   New: [PATCH v2 1/7]
>   New: [PATCH v2 2/7]
>   New: [PATCH v2 4/7]
>   New: [PATCH v2 6/7]
>   New: [PATCH v2 7/7]
>   Fix: [PATCH 2/4] split using binary approach
>   Fix: [PATCH 3/4] typo in comments
>   Discard: [PATCH 1/4] the hardcoded regex match for crash detection
>   Discard: [PATCH 4/4] the delaying minimizer
>   
> Thanks for the suggestions from:
>   Alexander Bulekov
> 
> Qiuhao Li (7):
>   fuzz: accelerate non-crash detection
>   fuzz: double the IOs to remove for every loop
>   fuzz: split write operand using binary approach
>   fuzz: loop the remove minimizer and refactoring
>   fuzz: set bits in operand of write/out to zero
>   fuzz: add minimization options
>   fuzz: heuristic split write based on past IOs
> 
>  scripts/oss-fuzz/minimize_qtest_trace.py | 257 ++-
>  1 file changed, 209 insertions(+), 48 deletions(-)
> 
> -- 
> 2.25.1
> 

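A compact minimizer in the spirit of the strategies the series lists (iterative removal with a doubling window, binary splitting of a write operand, zeroing operand bits), as an added example rather than the page's or QEMU's minimize_qtest_trace.py; the trace format is a constructed simplification of QTest commands and toy_device_crashes() is a constructed stand-in for running the instrumented qemu binary and checking for a crash:

```python
"""Crash-case minimizer in the style of the minimize_qtest_trace.py series.
Added example, not the page's or QEMU's script: the trace format is a
constructed simplification of QTest commands ("writel ADDR VAL", "outl PORT
VAL", "write ADDR SIZE 0xHEXBYTES", "readl ADDR") and toy_device_crashes() is
a constructed oracle standing in for running the instrumented qemu binary."""


def toy_device_crashes(trace):
    # Constructed oracle: the fake device crashes when a writel to 0x1000 has
    # bit 7 set and a later write into 0x2000..0x200f carries the byte 0x41.
    armed = False
    for cmd in trace:
        op, addr, *rest = cmd.split()
        addr = int(addr, 16)
        if op == "writel" and addr == 0x1000:
            armed = bool(int(rest[0], 16) & 0x80)
        elif op == "write" and 0x2000 <= addr < 0x2010 and armed:
            if 0x41 in bytes.fromhex(rest[1][2:]):
                return True
    return False


def remove_ios(trace, crashes):
    # Remove IO commands iteratively: the window dropped at once doubles after
    # each success and falls back to one (retrying the same position) on failure.
    trace = list(trace)
    changed = True
    while changed:
        changed = False
        i, window = 0, 1
        while i < len(trace):
            candidate = trace[:i] + trace[i + window:]
            if crashes(candidate):
                trace, changed = candidate, True
                window *= 2
            elif window > 1:
                window = 1
            else:
                i += 1
    return trace


def split_writes(trace, crashes):
    # Binary approach for multi-byte writes: try each half in place of the
    # whole write and keep a half that still crashes, down to a single byte.
    trace = list(trace)
    i = 0
    while i < len(trace):
        op, addr, *rest = trace[i].split()
        if op != "write" or int(rest[0]) < 2:
            i += 1
            continue
        base, size, data = int(addr, 16), int(rest[0]), bytes.fromhex(rest[1][2:])
        half = size // 2
        halves = (f"write 0x{base:x} {half} 0x{data[:half].hex()}",
                  f"write 0x{base + half:x} {size - half} 0x{data[half:].hex()}")
        for piece in halves:
            candidate = trace[:i] + [piece] + trace[i + 1:]
            if crashes(candidate):
                trace = candidate  # stay on index i and split the half again
                break
        else:
            i += 1  # neither half alone reproduces the crash: keep it whole
    return trace


def zero_operand_bits(trace, crashes):
    # Clear each set bit of a writel/outl value operand that the crash does
    # not depend on, so only the bits the bug actually needs survive.
    trace = list(trace)
    for i in range(len(trace)):
        op, addr, *rest = trace[i].split()
        if op not in ("writel", "outl"):
            continue
        value = int(rest[0], 16)
        for bit in range(32):
            if not (value >> bit) & 1:
                continue
            cleared = value & ~(1 << bit)
            candidate = trace[:i] + [f"{op} {addr} 0x{cleared:x}"] + trace[i + 1:]
            if crashes(candidate):
                trace, value = candidate, cleared
    return trace


def minimize(trace, crashes):
    # Remove, split, zero, then remove once more: splitting a write can make
    # further commands removable.
    if not crashes(trace):
        raise ValueError("input trace does not reproduce the crash")
    trace = remove_ios(trace, crashes)
    trace = split_writes(trace, crashes)
    trace = zero_operand_bits(trace, crashes)
    return remove_ios(trace, crashes)


# Constructed sample reproducer: only two of its six commands matter.
SAMPLE_TRACE = [
    "outl 0xcf8 0x80001004", "writel 0x1000 0xdeadbeef", "readl 0x1004",
    "writel 0x1008 0x1", "write 0x2000 8 0x0011223341556677", "outl 0xcfc 0x0",
]
```

Running `minimize(SAMPLE_TRACE, toy_device_crashes)` reduces the six commands to `writel 0x1000 0x80` and `write 0x2004 1 0x41`, the two operations the constructed bug depends on.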


[PATCH v6 28/35] Hexagon (target/hexagon) TCG for floating point instructions

2021-01-07 Thread Taylor Simpson
The imported code uses host floating point.  We override them
to use qemu softfloat

Signed-off-by: Taylor Simpson 
---
 target/hexagon/gen_tcg.h | 121 +++
 1 file changed, 121 insertions(+)

diff --git a/target/hexagon/gen_tcg.h b/target/hexagon/gen_tcg.h
index 35568d1..d605b1e 100644
--- a/target/hexagon/gen_tcg.h
+++ b/target/hexagon/gen_tcg.h
@@ -195,4 +195,125 @@
 #define fGEN_TCG_S4_stored_locked(SHORTCODE) \
 do { SHORTCODE; READ_PREG(PdV, PdN); } while (0)
 
+/* Floating point */
+#define fGEN_TCG_F2_conv_sf2df(SHORTCODE) \
+gen_helper_conv_sf2df(RddV, cpu_env, RsV)
+#define fGEN_TCG_F2_conv_df2sf(SHORTCODE) \
+gen_helper_conv_df2sf(RdV, cpu_env, RssV)
+#define fGEN_TCG_F2_conv_uw2sf(SHORTCODE) \
+gen_helper_conv_uw2sf(RdV, cpu_env, RsV)
+#define fGEN_TCG_F2_conv_uw2df(SHORTCODE) \
+gen_helper_conv_uw2df(RddV, cpu_env, RsV)
+#define fGEN_TCG_F2_conv_w2sf(SHORTCODE) \
+gen_helper_conv_w2sf(RdV, cpu_env, RsV)
+#define fGEN_TCG_F2_conv_w2df(SHORTCODE) \
+gen_helper_conv_w2df(RddV, cpu_env, RsV)
+#define fGEN_TCG_F2_conv_ud2sf(SHORTCODE) \
+gen_helper_conv_ud2sf(RdV, cpu_env, RssV)
+#define fGEN_TCG_F2_conv_ud2df(SHORTCODE) \
+gen_helper_conv_ud2df(RddV, cpu_env, RssV)
+#define fGEN_TCG_F2_conv_d2sf(SHORTCODE) \
+gen_helper_conv_d2sf(RdV, cpu_env, RssV)
+#define fGEN_TCG_F2_conv_d2df(SHORTCODE) \
+gen_helper_conv_d2df(RddV, cpu_env, RssV)
+#define fGEN_TCG_F2_conv_sf2uw(SHORTCODE) \
+gen_helper_conv_sf2uw(RdV, cpu_env, RsV)
+#define fGEN_TCG_F2_conv_sf2w(SHORTCODE) \
+gen_helper_conv_sf2w(RdV, cpu_env, RsV)
+#define fGEN_TCG_F2_conv_sf2ud(SHORTCODE) \
+gen_helper_conv_sf2ud(RddV, cpu_env, RsV)
+#define fGEN_TCG_F2_conv_sf2d(SHORTCODE) \
+gen_helper_conv_sf2d(RddV, cpu_env, RsV)
+#define fGEN_TCG_F2_conv_df2uw(SHORTCODE) \
+gen_helper_conv_df2uw(RdV, cpu_env, RssV)
+#define fGEN_TCG_F2_conv_df2w(SHORTCODE) \
+gen_helper_conv_df2w(RdV, cpu_env, RssV)
+#define fGEN_TCG_F2_conv_df2ud(SHORTCODE) \
+gen_helper_conv_df2ud(RddV, cpu_env, RssV)
+#define fGEN_TCG_F2_conv_df2d(SHORTCODE) \
+gen_helper_conv_df2d(RddV, cpu_env, RssV)
+#define fGEN_TCG_F2_conv_sf2uw_chop(SHORTCODE) \
+gen_helper_conv_sf2uw_chop(RdV, cpu_env, RsV)
+#define fGEN_TCG_F2_conv_sf2w_chop(SHORTCODE) \
+gen_helper_conv_sf2w_chop(RdV, cpu_env, RsV)
+#define fGEN_TCG_F2_conv_sf2ud_chop(SHORTCODE) \
+gen_helper_conv_sf2ud_chop(RddV, cpu_env, RsV)
+#define fGEN_TCG_F2_conv_sf2d_chop(SHORTCODE) \
+gen_helper_conv_sf2d_chop(RddV, cpu_env, RsV)
+#define fGEN_TCG_F2_conv_df2uw_chop(SHORTCODE) \
+gen_helper_conv_df2uw_chop(RdV, cpu_env, RssV)
+#define fGEN_TCG_F2_conv_df2w_chop(SHORTCODE) \
+gen_helper_conv_df2w_chop(RdV, cpu_env, RssV)
+#define fGEN_TCG_F2_conv_df2ud_chop(SHORTCODE) \
+gen_helper_conv_df2ud_chop(RddV, cpu_env, RssV)
+#define fGEN_TCG_F2_conv_df2d_chop(SHORTCODE) \
+gen_helper_conv_df2d_chop(RddV, cpu_env, RssV)
+#define fGEN_TCG_F2_sfadd(SHORTCODE) \
+gen_helper_sfadd(RdV, cpu_env, RsV, RtV)
+#define fGEN_TCG_F2_sfsub(SHORTCODE) \
+gen_helper_sfsub(RdV, cpu_env, RsV, RtV)
+#define fGEN_TCG_F2_sfcmpeq(SHORTCODE) \
+gen_helper_sfcmpeq(PdV, cpu_env, RsV, RtV)
+#define fGEN_TCG_F2_sfcmpgt(SHORTCODE) \
+gen_helper_sfcmpgt(PdV, cpu_env, RsV, RtV)
+#define fGEN_TCG_F2_sfcmpge(SHORTCODE) \
+gen_helper_sfcmpge(PdV, cpu_env, RsV, RtV)
+#define fGEN_TCG_F2_sfcmpuo(SHORTCODE) \
+gen_helper_sfcmpuo(PdV, cpu_env, RsV, RtV)
+#define fGEN_TCG_F2_sfmax(SHORTCODE) \
+gen_helper_sfmax(RdV, cpu_env, RsV, RtV)
+#define fGEN_TCG_F2_sfmin(SHORTCODE) \
+gen_helper_sfmin(RdV, cpu_env, RsV, RtV)
+#define fGEN_TCG_F2_sfclass(SHORTCODE) \
+do { \
+TCGv imm = tcg_const_tl(uiV); \
+gen_helper_sfclass(PdV, cpu_env, RsV, imm); \
+tcg_temp_free(imm); \
+} while (0)
+#define fGEN_TCG_F2_sffixupn(SHORTCODE) \
+gen_helper_sffixupn(RdV, cpu_env, RsV, RtV)
+#define fGEN_TCG_F2_sffixupd(SHORTCODE) \
+gen_helper_sffixupd(RdV, cpu_env, RsV, RtV)
+#define fGEN_TCG_F2_sffixupr(SHORTCODE) \
+gen_helper_sffixupr(RdV, cpu_env, RsV)
+#define fGEN_TCG_F2_dfadd(SHORTCODE) \
+gen_helper_dfadd(RddV, cpu_env, RssV, RttV)
+#define fGEN_TCG_F2_dfsub(SHORTCODE) \
+gen_helper_dfsub(RddV, cpu_env, RssV, RttV)
+#define fGEN_TCG_F2_dfmax(SHORTCODE) \
+gen_helper_dfmax(RddV, cpu_env, RssV, RttV)
+#define fGEN_TCG_F2_dfmin(SHORTCODE) \
+gen_helper_dfmin(RddV, cpu_env, RssV, RttV)
+#define fGEN_TCG_F2_dfcmpeq(SHORTCODE) \
+gen_helper_dfcmpeq(PdV, cpu_env, RssV, RttV)
+#define fGEN_TCG_F2_dfcmpgt(SHORTCODE) \
+gen_helper_dfcmpgt(PdV, cpu_env, RssV, RttV)
+#define fGEN_TCG_F2_dfcmpge(SHORTCODE) \
+gen_helper_dfcmpge(PdV, cpu_env, RssV, RttV)
+#define fGEN_TCG_F2_dfcmpuo(SHORTCODE) \
+gen_helper_dfcmpuo(PdV, cpu_env, RssV, RttV)
+#define fGEN_TCG_F2_dfclass(SHORTCODE) \
+do { \
+TCGv imm = tcg_const_tl(uiV); \
+

[PATCH v6 34/35] Auto-import Docker support files

2021-01-07 Thread Taylor Simpson
From: Alessandro Di Federico 

Signed-off-by: Alessandro Di Federico 
---
 tests/docker/docker.py | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/tests/docker/docker.py b/tests/docker/docker.py
index 36b7868..d473566 100755
--- a/tests/docker/docker.py
+++ b/tests/docker/docker.py
@@ -28,6 +28,7 @@ from io import StringIO, BytesIO
 from shutil import copy, rmtree
 from pwd import getpwuid
 from datetime import datetime, timedelta
+from glob import glob
 
 
 FILTERED_ENV_NAMES = ['ftp_proxy', 'http_proxy', 'https_proxy']
@@ -466,7 +467,8 @@ class BuildCommand(SubCommand):
 return 1
 
 # Is there a .pre file to run in the build context?
-docker_pre = os.path.splitext(args.dockerfile)[0]+".pre"
+basename = os.path.splitext(args.dockerfile)[0]
+docker_pre = basename + ".pre"
 if os.path.exists(docker_pre):
 stdout = DEVNULL if args.quiet else None
 rc = subprocess.call(os.path.realpath(docker_pre),
@@ -488,7 +490,9 @@ class BuildCommand(SubCommand):
 _copy_binary_with_libs(args.include_executable,
qpath, docker_dir)
 
-for filename in args.extra_files or []:
+extra_files = args.extra_files or []
+extra_files += glob(basename + ".*")
+for filename in extra_files:
 _copy_with_mkdir(filename, docker_dir)
 cksum += [(filename, _file_checksum(filename))]
 
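Review bot: `glob(basename + ".*")` returns files in filesystem order and each one feeds `cksum += [(filename, _file_checksum(filename))]`, so the checksum for identical inputs can differ between hosts; use `sorted(glob(basename + ".*"))`. The pattern also sweeps in every sibling of the Dockerfile (the `.pre` script handled above included), so anything dropped next to a `.docker` file is silently copied into the build context; consider a narrower pattern or at least logging what was picked up. Minor: if `args.extra_files` is a list, `extra_files += ...` mutates it in place.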
-- 
2.7.4



[PATCH v6 22/35] Hexagon (target/hexagon) generater phase 4 - decode tree

2021-01-07 Thread Taylor Simpson
Python script that emits the decode tree in dectree_generated.h.

Signed-off-by: Taylor Simpson 
---
 target/hexagon/dectree.py | 351 ++
 1 file changed, 351 insertions(+)
 create mode 100755 target/hexagon/dectree.py

diff --git a/target/hexagon/dectree.py b/target/hexagon/dectree.py
new file mode 100755
index 000..80b76ec
--- /dev/null
+++ b/target/hexagon/dectree.py
@@ -0,0 +1,351 @@
+#!/usr/bin/env python3
+
+##
+##  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+##
+##  This program is free software; you can redistribute it and/or modify
+##  it under the terms of the GNU General Public License as published by
+##  the Free Software Foundation; either version 2 of the License, or
+##  (at your option) any later version.
+##
+##  This program is distributed in the hope that it will be useful,
+##  but WITHOUT ANY WARRANTY; without even the implied warranty of
+##  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+##  GNU General Public License for more details.
+##
+##  You should have received a copy of the GNU General Public License
+##  along with this program; if not, see .
+##
+
+import io
+import re
+
+import sys
+import iset
+
+encs = {tag : ''.join(reversed(iset.iset[tag]['enc'].replace(' ', '')))
+for tag in iset.tags if iset.iset[tag]['enc'] != 'MISSING ENCODING'}
+
+enc_classes = set([iset.iset[tag]['enc_class'] for tag in encs.keys()])
+subinsn_enc_classes = \
+set([enc_class for enc_class in enc_classes \
+if enc_class.startswith('SUBINSN_')])
+ext_enc_classes = \
+set([enc_class for enc_class in enc_classes \
+if enc_class not in ('NORMAL', '16BIT') and \
+   not enc_class.startswith('SUBINSN_')])
+
+try:
+subinsn_groupings = iset.subinsn_groupings
+except AttributeError:
+subinsn_groupings = {}
+
+for (tag, subinsn_grouping) in subinsn_groupings.items():
+encs[tag] = ''.join(reversed(subinsn_grouping['enc'].replace(' ', '')))
+
+dectree_normal = {'leaves' : set()}
+dectree_16bit = {'leaves' : set()}
+dectree_subinsn_groupings = {'leaves' : set()}
+dectree_subinsns = {name : {'leaves' : set()} for name in subinsn_enc_classes}
+dectree_extensions = {name : {'leaves' : set()} for name in ext_enc_classes}
+
+for tag in encs.keys():
+if tag in subinsn_groupings:
+dectree_subinsn_groupings['leaves'].add(tag)
+continue
+enc_class = iset.iset[tag]['enc_class']
+if enc_class.startswith('SUBINSN_'):
+if len(encs[tag]) != 32:
+encs[tag] = encs[tag] + '0' * (32 - len(encs[tag]))
+dectree_subinsns[enc_class]['leaves'].add(tag)
+elif  enc_class == '16BIT':
+if len(encs[tag]) != 16:
+raise Exception('Tag "{}" has enc_class "{}" and not an encoding ' 
+
+'width of 16 bits!'.format(tag, enc_class))
+dectree_16bit['leaves'].add(tag)
+else:
+if len(encs[tag]) != 32:
+raise Exception('Tag "{}" has enc_class "{}" and not an encoding ' 
+
+'width of 32 bits!'.format(tag, enc_class))
+if enc_class == 'NORMAL':
+dectree_normal['leaves'].add(tag)
+else:
+dectree_extensions[enc_class]['leaves'].add(tag)
+
+faketags = set()
+for (tag, enc) in iset.enc_ext_spaces.items():
+faketags.add(tag)
+encs[tag] = ''.join(reversed(enc.replace(' ', '')))
+dectree_normal['leaves'].add(tag)
+
+faketags |= set(subinsn_groupings.keys())
+
+def every_bit_counts(bitset):
+for i in range(1, len(next(iter(bitset:
+if len(set([bits[:i] + bits[i+1:] for bits in bitset])) == len(bitset):
+return False
+return True
+
+def auto_separate(node):
+tags = node['leaves']
+if len(tags) <= 1:
+return
+enc_width = len(encs[next(iter(tags))])
+opcode_bit_for_all = \
+[all([encs[tag][i] in '01' \
+for tag in tags]) for i in range(enc_width)]
+opcode_bit_is_0_for_all = \
+[opcode_bit_for_all[i] and all([encs[tag][i] == '0' \
+for tag in tags]) for i in range(enc_width)]
+opcode_bit_is_1_for_all = \
+[opcode_bit_for_all[i] and all([encs[tag][i] == '1' \
+for tag in tags]) for i in range(enc_width)]
+differentiator_opcode_bit = \
+[opcode_bit_for_all[i] and \
+ not (opcode_bit_is_0_for_all[i] or \
+ opcode_bit_is_1_for_all[i]) \
+for i in range(enc_width)]
+best_width = 0
+for width in range(4, 0, -1):
+for lsb in range(enc_width - width, -1, -1):
+bitset = set([encs[tag][lsb:lsb+width] for tag in tags])
+if all(differentiator_opcode_bit[lsb:lsb+width]) and \
+(len(bitset) == len(tags) or every_bit_counts(bitset)):
+best_width = width
+best_lsb = lsb
+caught_all_tags = len(bitset) == len(tags)
+   
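Review bot: `for i in range(1, len(next(iter(bitset:` in `every_bit_counts` is not valid Python as shown in this copy (it needs `len(next(iter(bitset)))):`), and the two `raise Exception('Tag "{}" ... encoding ' +` statements are split across lines in a way that would not parse either; please confirm the file applies and runs before the next respin. Style: the `set([... for ...])` constructions can be set comprehensions, and in `auto_separate` the variables `best_lsb` and `caught_all_tags` are assigned only inside the `if`, so initialise them next to `best_width = 0` to avoid an unbound name when no window qualifies.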

[PATCH v6 33/35] Add Dockerfile for hexagon

2021-01-07 Thread Taylor Simpson
From: Alessandro Di Federico 

Signed-off-by: Alessandro Di Federico 
---
 .../debian-hexagon-cross.build-toolchain.sh| 141 +
 .../docker/dockerfiles/debian-hexagon-cross.docker |  18 +++
 tests/tcg/configure.sh |   4 +
 3 files changed, 163 insertions(+)
 create mode 100755 
tests/docker/dockerfiles/debian-hexagon-cross.build-toolchain.sh
 create mode 100644 tests/docker/dockerfiles/debian-hexagon-cross.docker

diff --git a/tests/docker/dockerfiles/debian-hexagon-cross.build-toolchain.sh 
b/tests/docker/dockerfiles/debian-hexagon-cross.build-toolchain.sh
new file mode 100755
index 000..a08c6cd
--- /dev/null
+++ b/tests/docker/dockerfiles/debian-hexagon-cross.build-toolchain.sh
@@ -0,0 +1,141 @@
+#!/bin/bash
+
+set -e
+
+BASE=$(readlink -f ${PWD})
+
+TOOLCHAIN_INSTALL=$(readlink -f "$TOOLCHAIN_INSTALL")
+ROOTFS=$(readlink -f "$ROOTFS")
+
+TOOLCHAIN_BIN=${TOOLCHAIN_INSTALL}/bin
+HEX_SYSROOT=${TOOLCHAIN_INSTALL}/hexagon-unknown-linux-musl
+HEX_TOOLS_TARGET_BASE=${HEX_SYSROOT}/usr
+
+function cdp() {
+  DIR="$1"
+  mkdir -p "$DIR"
+  cd "$DIR"
+}
+
+function fetch() {
+  DIR="$1"
+  URL="$2"
+  TEMP="$(readlink -f "$PWD/tmp.tar.gz")"
+  wget --quiet "$URL" -O "$TEMP"
+  cdp "$DIR"
+  tar xaf "$TEMP" --strip-components=1
+  rm "$TEMP"
+  cd -
+}
+
+build_llvm_clang() {
+  fetch "$BASE/llvm-project" "$LLVM_URL"
+  cdp "$BASE/build-llvm"
+
+  cmake -G Ninja \
+-DCMAKE_BUILD_TYPE=Release \
+-DCMAKE_INSTALL_PREFIX=${TOOLCHAIN_INSTALL} \
+-DLLVM_ENABLE_LLD=ON \
+-DLLVM_TARGETS_TO_BUILD="X86;Hexagon" \
+-DLLVM_ENABLE_PROJECTS="clang;lld" \
+"$BASE/llvm-project/llvm"
+  ninja all install
+  cd ${TOOLCHAIN_BIN}
+  ln -sf clang hexagon-unknown-linux-musl-clang
+  ln -sf clang++ hexagon-unknown-linux-musl-clang++
+  ln -sf llvm-ar hexagon-unknown-linux-musl-ar
+  ln -sf llvm-objdump hexagon-unknown-linux-musl-objdump
+  ln -sf llvm-objcopy hexagon-unknown-linux-musl-objcopy
+  ln -sf llvm-readelf hexagon-unknown-linux-musl-readelf
+  ln -sf llvm-ranlib hexagon-unknown-linux-musl-ranlib
+
+  # workaround for now:
+  cat < hexagon-unknown-linux-musl.cfg
+-G0 --sysroot=${HEX_SYSROOT}
+EOF
+}
+
+build_clang_rt() {
+  cdp "$BASE/build-clang_rt"
+  cmake -G Ninja \
+-DCMAKE_BUILD_TYPE=Release \
+-DLLVM_CONFIG_PATH="$BASE/build-llvm/bin/llvm-config" \
+-DCMAKE_ASM_FLAGS="-G0 -mlong-calls -fno-pic 
--target=hexagon-unknown-linux-musl " \
+-DCMAKE_SYSTEM_NAME=Linux \
+-DCMAKE_C_COMPILER="${TOOLCHAIN_BIN}/hexagon-unknown-linux-musl-clang" \
+-DCMAKE_ASM_COMPILER="${TOOLCHAIN_BIN}/hexagon-unknown-linux-musl-clang" \
+-DCMAKE_INSTALL_PREFIX=${HEX_TOOLS_TARGET_BASE} \
+-DCMAKE_CROSSCOMPILING=ON \
+-DCMAKE_C_COMPILER_FORCED=ON \
+-DCMAKE_CXX_COMPILER_FORCED=ON \
+-DCOMPILER_RT_BUILD_BUILTINS=ON \
+-DCOMPILER_RT_BUILTINS_ENABLE_PIC=OFF \
+-DCMAKE_SIZEOF_VOID_P=4 \
+-DCOMPILER_RT_OS_DIR= \
+-DCAN_TARGET_hexagon=1 \
+-DCAN_TARGET_x86_64=0 \
+-DCOMPILER_RT_SUPPORTED_ARCH=hexagon \
+-DLLVM_ENABLE_PROJECTS="compiler-rt" \
+"$BASE/llvm-project/compiler-rt"
+  ninja install-compiler-rt
+}
+
+build_musl_headers() {
+  fetch "$BASE/musl" "$MUSL_URL"
+  cd "$BASE/musl"
+  make clean
+  CC=${TOOLCHAIN_BIN}/hexagon-unknown-linux-musl-clang \
+CROSS_COMPILE=hexagon-unknown-linux-musl \
+LIBCC=${HEX_TOOLS_TARGET_BASE}/lib/libclang_rt.builtins-hexagon.a \
+CROSS_CFLAGS="-G0 -O0 -mv65 -fno-builtin -fno-rounding-math 
--target=hexagon-unknown-linux-musl" \
+./configure --target=hexagon --prefix=${HEX_TOOLS_TARGET_BASE}
+  PATH=${TOOLCHAIN_BIN}:$PATH make CROSS_COMPILE= install-headers
+
+  cd ${HEX_SYSROOT}/..
+  ln -sf hexagon-unknown-linux-musl hexagon
+}
+
+build_kernel_headers() {
+  fetch "$BASE/linux" "$LINUX_URL"
+  mkdir -p "$BASE/build-linux"
+  cd "$BASE/linux"
+  make O=../build-linux ARCH=hexagon \
+   KBUILD_CFLAGS_KERNEL="-mlong-calls" \
+   CC=${TOOLCHAIN_BIN}/hexagon-unknown-linux-musl-clang \
+   LD=${TOOLCHAIN_BIN}/ld.lld \
+   KBUILD_VERBOSE=1 comet_defconfig
+  make mrproper
+
+  cd "$BASE/build-linux"
+  make \
+ARCH=hexagon \
+CC=${TOOLCHAIN_BIN}/clang \
+INSTALL_HDR_PATH=${HEX_TOOLS_TARGET_BASE} \
+V=1 \
+headers_install
+}
+
+build_musl() {
+  cd "$BASE/musl"
+  make clean
+  CROSS_COMPILE=hexagon-unknown-linux-musl- \
+AR=llvm-ar \
+RANLIB=llvm-ranlib \
+STRIP=llvm-strip \
+CC=clang \
+LIBCC=${HEX_TOOLS_TARGET_BASE}/lib/libclang_rt.builtins-hexagon.a \
+CFLAGS="-G0 -O0 -mv65 -fno-builtin -fno-rounding-math 
--target=hexagon-unknown-linux-musl" \
+./configure --target=hexagon --prefix=${HEX_TOOLS_TARGET_BASE}
+  PATH=${TOOLCHAIN_BIN}/:$PATH make -j CROSS_COMPILE= install
+  cd ${HEX_TOOLS_TARGET_BASE}/lib
+  ln -sf libc.so ld-musl-hexagon.so
+  ln -sf ld-musl-hexagon.so ld-musl-hexagon.so.1
+  cdp ${HEX_TOOLS_TARGET_BASE}/../lib
+  ln -sf ../usr/lib/ld-musl-hexagon.so.1
+}
+
+build_llvm_clang
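Review bot: `fetch()` downloads `$LLVM_URL`, `$MUSL_URL` and `$LINUX_URL` with `wget` and unpacks them with `tar xaf` without checking a digest, so the toolchain baked into the CI image is whatever those URLs serve on the day; pin an expected SHA-256 per archive and verify it (`echo "$SUM  $TEMP" | sha256sum -c -`) before extracting. The heredoc at `cat < hexagon-unknown-linux-musl.cfg` has lost its `<<EOF` in this copy, and `${PWD}` and `${TOOLCHAIN_INSTALL}` are expanded unquoted in `readlink -f ${PWD}` and the cmake arguments.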

[PATCH v6 19/35] Hexagon (target/hexagon) generator phase 1 - C preprocessor for semantics

2021-01-07 Thread Taylor Simpson
Run the C preprocessor across the instruction definition files and macro
definition file to expand macros and prepare the semantics_generated.pyinc
file.  The resulting file contains one entry with the semantics for each
instruction and one line with the instruction attributes associated with
each macro.

Signed-off-by: Taylor Simpson 
Reviewed-by: Philippe Mathieu-Daudé http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * This program generates the semantics file that is processed by
+ * the do_qemu.py script.  We use the C preporcessor to manipulate the
+ * files imported from the Hexagon architecture library.
+ */
+
+#include 
+#define STRINGIZE(X) #X
+
+int main(int argc, char *argv[])
+{
+FILE *outfile;
+
+if (argc != 2) {
+fprintf(stderr, "Usage: gen_semantics ouptputfile\n");
+return 1;
+}
+outfile = fopen(argv[1], "w");
+if (outfile == NULL) {
+fprintf(stderr, "Cannot open %s for writing\n", argv[1]);
+return 1;
+}
+
+/*
+ * Process the instruction definitions
+ * Scalar core instructions have the following form
+ * Q6INSN(A2_add,"Rd32=add(Rs32,Rt32)",ATTRIBS(),
+ * "Add 32-bit registers",
+ * { RdV=RsV+RtV;})
+ */
+#define Q6INSN(TAG, BEH, ATTRIBS, DESCR, SEM) \
+do { \
+fprintf(outfile, "SEMANTICS( \\\n" \
+ "\"%s\", \\\n" \
+ "%s, \\\n" \
+ "\"\"\"%s\"\"\" \\\n" \
+ ")\n", \
+#TAG, STRINGIZE(BEH), STRINGIZE(SEM)); \
+fprintf(outfile, "ATTRIBUTES( \\\n" \
+ "\"%s\", \\\n" \
+ "\"%s\" \\\n" \
+ ")\n", \
+#TAG, STRINGIZE(ATTRIBS)); \
+} while (0);
+#include "imported/allidefs.def"
+#undef Q6INSN
+
+/*
+ * Process the macro definitions
+ * Macros definitions have the following form
+ * DEF_MACRO(
+ * fLSBNEW0,
+ * predlog_read(thread,0),
+ * ()
+ * )
+ * The important part here is the attributes.  Whenever an instruction
+ * invokes a macro, we add the macro's attributes to the instruction.
+ */
+#define DEF_MACRO(MNAME, BEH, ATTRS) \
+fprintf(outfile, "MACROATTRIB( \\\n" \
+ "\"%s\", \\\n" \
+ "\"\"\"%s\"\"\", \\\n" \
+ "\"%s\" \\\n" \
+ ")\n", \
+#MNAME, STRINGIZE(BEH), STRINGIZE(ATTRS));
+#include "imported/macros.def"
+#undef DEF_MACRO
+
+fclose(outfile);
+return 0;
+}
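Review bot: the generator never verifies that its output actually reached the disk: every `fprintf` result is ignored and the return value of `fclose(outfile)` is discarded, so a write error (full disk, I/O error) leaves a truncated `semantics_generated.pyinc` that the later Python phases will consume without complaint. Check `ferror(outfile)` before closing and make the close itself fatal, e.g. `if (ferror(outfile) || fclose(outfile) != 0) { perror(argv[1]); return 1; }`. Two spelling fixes while here: "preporcessor" in the file comment and "ouptputfile" in the usage message.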
-- 
2.7.4



[PATCH v6 25/35] Hexagon (target/hexagon) instruction classes

2021-01-07 Thread Taylor Simpson
Determine legal VLIW slots for each instruction

Signed-off-by: Taylor Simpson 
---
 target/hexagon/iclass.h| 50 ++
 target/hexagon/iclass.c| 73 ++
 target/hexagon/imported/iclass.def | 51 ++
 3 files changed, 174 insertions(+)
 create mode 100644 target/hexagon/iclass.h
 create mode 100644 target/hexagon/iclass.c
 create mode 100644 target/hexagon/imported/iclass.def

diff --git a/target/hexagon/iclass.h b/target/hexagon/iclass.h
new file mode 100644
index 000..b57f11d
--- /dev/null
+++ b/target/hexagon/iclass.h
@@ -0,0 +1,50 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#ifndef HEXAGON_ICLASS_H
+#define HEXAGON_ICLASS_H
+
+#include "opcodes.h"
+
+#define ICLASS_FROM_TYPE(TYPE) ICLASS_##TYPE
+
+enum {
+
+#define DEF_PP_ICLASS32(TYPE, SLOTS, UNITS)ICLASS_FROM_TYPE(TYPE),
+#define DEF_EE_ICLASS32(TYPE, SLOTS, UNITS)ICLASS_FROM_TYPE(TYPE),
+#include "imported/iclass.def"
+#undef DEF_PP_ICLASS32
+#undef DEF_EE_ICLASS32
+
+ICLASS_FROM_TYPE(COPROC_VX),
+ICLASS_FROM_TYPE(COPROC_VMEM),
+NUM_ICLASSES
+};
+
+typedef enum {
+SLOTS_0  = (1 << 0),
+SLOTS_1  = (1 << 1),
+SLOTS_2  = (1 << 2),
+SLOTS_3  = (1 << 3),
+SLOTS_01 = SLOTS_0 | SLOTS_1,
+SLOTS_23 = SLOTS_2 | SLOTS_3,
+SLOTS_0123   = SLOTS_0 | SLOTS_1 | SLOTS_2 | SLOTS_3,
+} SlotMask;
+
+extern SlotMask find_iclass_slots(Opcode opcode, int itype);
+
+#endif
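Review bot: `find_iclass_slots(Opcode opcode, int itype)` takes the instruction class as a bare `int` because the `ICLASS_*` enum is anonymous; giving the enum a typedef name (for instance `IClass`) and using it for `itype` lets the compiler flag callers that pass an unrelated integer, and documents that the argument is an `ICLASS_FROM_TYPE()` value. Minor style point: `extern` on a function prototype is redundant.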
diff --git a/target/hexagon/iclass.c b/target/hexagon/iclass.c
new file mode 100644
index 000..05117a9
--- /dev/null
+++ b/target/hexagon/iclass.c
@@ -0,0 +1,73 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "iclass.h"
+
+static const SlotMask iclass_info[] = {
+
+#define DEF_PP_ICLASS32(TYPE, SLOTS, UNITS) \
+[ICLASS_FROM_TYPE(TYPE)] = SLOTS_##SLOTS,
+#define DEF_EE_ICLASS32(TYPE, SLOTS, UNITS) \
+[ICLASS_FROM_TYPE(TYPE)] = SLOTS_##SLOTS,
+#include "imported/iclass.def"
+#undef DEF_PP_ICLASS32
+#undef DEF_EE_ICLASS32
+};
+
+SlotMask find_iclass_slots(Opcode opcode, int itype)
+{
+/* There are some exceptions to what the iclass dictates */
+if (GET_ATTRIB(opcode, A_ICOP)) {
+return SLOTS_2;
+} else if (GET_ATTRIB(opcode, A_RESTRICT_SLOT0ONLY)) {
+return SLOTS_0;
+} else if (GET_ATTRIB(opcode, A_RESTRICT_SLOT1ONLY)) {
+return SLOTS_1;
+} else if (GET_ATTRIB(opcode, A_RESTRICT_SLOT2ONLY)) {
+return SLOTS_2;
+} else if (GET_ATTRIB(opcode, A_RESTRICT_SLOT3ONLY)) {
+return SLOTS_3;
+} else if (GET_ATTRIB(opcode, A_COF) &&
+   GET_ATTRIB(opcode, A_INDIRECT) &&
+   !GET_ATTRIB(opcode, A_MEMLIKE) &&
+   !GET_ATTRIB(opcode, A_MEMLIKE_PACKET_RULES)) {
+return SLOTS_2;
+} else if (GET_ATTRIB(opcode, A_RESTRICT_NOSLOT1)) {
+return SLOTS_0;
+} else if ((opcode == J2_trap0) ||
+   (opcode == Y2_isync) ||
+   (opcode == J4_hintjumpr)) {
+return SLOTS_2;
+} else if ((itype == ICLASS_V2LDST) && (GET_ATTRIB(opcode, A_STORE))) {
+return SLOTS_01;
+} else if ((itype == ICLASS_V2LDST) && (!GET_ATTRIB(opcode, A_STORE))) {
+return SLOTS_01;
+} else if (GET_ATTRIB(opcode, A_CRSLOT23)) {
+return SLOTS_23;
+} else if (GET_ATTRIB(opcode, A_RESTRICT_PREFERSLOT0)) {
+return SLOTS_0;
+} else if (GET_ATTRIB(opcode, A_SUBINSN)) {
+return SLOTS_01;
+} 
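Review bot: the two `itype == ICLASS_V2LDST` branches return the same `SLOTS_01` whether or not `A_STORE` is set, so the `GET_ATTRIB(opcode, A_STORE)` test is dead code. Either collapse them into a single `else if (itype == ICLASS_V2LDST) { return SLOTS_01; }`, or, if loads and stores were meant to get different masks, the return value in one of the branches is what needs correcting. A one-line comment on why these cases override `iclass_info[]` would also help the next reader.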

[PATCH v6 27/35] Hexagon (target/hexagon) TCG for instructions with multiple definitions

2021-01-07 Thread Taylor Simpson
Helpers won't work if there are multiple definitions, so we override these
instructions using #define fGEN_TCG_.

Signed-off-by: Taylor Simpson 
---
 target/hexagon/gen_tcg.h | 198 +++
 1 file changed, 198 insertions(+)
 create mode 100644 target/hexagon/gen_tcg.h

diff --git a/target/hexagon/gen_tcg.h b/target/hexagon/gen_tcg.h
new file mode 100644
index 000..35568d1
--- /dev/null
+++ b/target/hexagon/gen_tcg.h
@@ -0,0 +1,198 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#ifndef HEXAGON_GEN_TCG_H
+#define HEXAGON_GEN_TCG_H
+
+/*
+ * Here is a primer to understand the tag names for load/store instructions
+ *
+ * Data types
+ *  bsigned byte   r0 = memb(r2+#0)
+ * ubunsigned byte r0 = memub(r2+#0)
+ *  hsigned half word (16 bits)r0 = memh(r2+#0)
+ * uhunsigned half wordr0 = memuh(r2+#0)
+ *  iinteger (32 bits) r0 = memw(r2+#0)
+ *  ddouble word (64 bits) r1:0 = memd(r2+#0)
+ *
+ * Addressing modes
+ * _io   indirect with offset  r0 = memw(r1+#4)
+ * _ur   absolute with register offset r0 = memw(r1<<#4+##variable)
+ * _rr   indirect with register offset r0 = memw(r1+r4<<#2)
+ * gpglobal pointer relative   r0 = memw(gp+#200)
+ * _sp   stack pointer relativer0 = memw(r29+#12)
+ * _ap   absolute set  r0 = memw(r1=##variable)
+ * _pr   post increment register   r0 = memw(r1++m1)
+ * _pi   post increment immediate  r0 = memb(r1++#1)
+ */
+
+/* Macros for complex addressing modes */
+#define GET_EA_ap \
+do { \
+fEA_IMM(UiV); \
+tcg_gen_movi_tl(ReV, UiV); \
+} while (0)
+#define GET_EA_pr \
+do { \
+fEA_REG(RxV); \
+fPM_M(RxV, MuV); \
+} while (0)
+#define GET_EA_pi \
+do { \
+fEA_REG(RxV); \
+fPM_I(RxV, siV); \
+} while (0)
+
+
+/* Instructions with multiple definitions */
+#define fGEN_TCG_LOAD_AP(RES, SIZE, SIGN) \
+do { \
+fMUST_IMMEXT(UiV); \
+fEA_IMM(UiV); \
+fLOAD(1, SIZE, SIGN, EA, RES); \
+tcg_gen_movi_tl(ReV, UiV); \
+} while (0)
+
+#define fGEN_TCG_L4_loadrub_ap(SHORTCODE) \
+fGEN_TCG_LOAD_AP(RdV, 1, u)
+#define fGEN_TCG_L4_loadrb_ap(SHORTCODE) \
+fGEN_TCG_LOAD_AP(RdV, 1, s)
+#define fGEN_TCG_L4_loadruh_ap(SHORTCODE) \
+fGEN_TCG_LOAD_AP(RdV, 2, u)
+#define fGEN_TCG_L4_loadrh_ap(SHORTCODE) \
+fGEN_TCG_LOAD_AP(RdV, 2, s)
+#define fGEN_TCG_L4_loadri_ap(SHORTCODE) \
+fGEN_TCG_LOAD_AP(RdV, 4, u)
+#define fGEN_TCG_L4_loadrd_ap(SHORTCODE) \
+fGEN_TCG_LOAD_AP(RddV, 8, u)
+
+#define fGEN_TCG_L2_loadrub_pr(SHORTCODE)  SHORTCODE
+#define fGEN_TCG_L2_loadrub_pi(SHORTCODE)  SHORTCODE
+#define fGEN_TCG_L2_loadrb_pr(SHORTCODE)   SHORTCODE
+#define fGEN_TCG_L2_loadrb_pi(SHORTCODE)   SHORTCODE;
+#define fGEN_TCG_L2_loadruh_pr(SHORTCODE)  SHORTCODE
+#define fGEN_TCG_L2_loadruh_pi(SHORTCODE)  SHORTCODE;
+#define fGEN_TCG_L2_loadrh_pr(SHORTCODE)   SHORTCODE
+#define fGEN_TCG_L2_loadrh_pi(SHORTCODE)   SHORTCODE
+#define fGEN_TCG_L2_loadri_pr(SHORTCODE)   SHORTCODE
+#define fGEN_TCG_L2_loadri_pi(SHORTCODE)   SHORTCODE
+#define fGEN_TCG_L2_loadrd_pr(SHORTCODE)   SHORTCODE
+#define fGEN_TCG_L2_loadrd_pi(SHORTCODE)   SHORTCODE
+
+/*
+ * Predicated loads
+ * Here is a primer to understand the tag names
+ *
+ * Predicate used
+ *  ttrue "old" value  if (p0) r0 = memb(r2+#0)
+ *  ffalse "old" value if (!p0) r0 = memb(r2+#0)
+ *  tnew true "new" value  if (p0.new) r0 = memb(r2+#0)
+ *  fnew false "new" value if (!p0.new) r0 = 
memb(r2+#0)
+ */
+#define fGEN_TCG_PRED_LOAD(GET_EA, PRED, SIZE, SIGN) \
+do { \
+TCGv LSB = tcg_temp_local_new(); \
+TCGLabel *label = gen_new_label(); \
+GET_EA; \
+PRED;  \
+PRED_LOAD_CANCEL(LSB, EA); \
+tcg_gen_movi_tl(RdV, 0); \
+tcg_gen_brcondi_tl(TCG_COND_EQ, LSB, 0, label); \
+fLOAD(1, 
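Review bot: `fGEN_TCG_L2_loadrb_pi` and `fGEN_TCG_L2_loadruh_pi` expand to `SHORTCODE;` while the other ten post-increment macros expand to bare `SHORTCODE`. The stray semicolon yields an empty statement after the expansion and silently changes meaning if the macro is ever used in an expression context or as the body of an unbraced `if`; drop the two semicolons so all twelve definitions are identical in form.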

[PATCH v6 20/35] Hexagon (target/hexagon) generator phase 2 - generate header files

2021-01-07 Thread Taylor Simpson
Python scripts generate the following files
helper_protos_generated.h
For each instruction we create DEF_HELPER function prototype
helper_funcs_generated.h
For each instruction we create the helper function definition
tcg_funcs_generated.h
For each instruction we create TCG code to generate call to helper
tcg_func_table_generated.h
Table of function pointers indexed by opcode
shortcode_generated.h
Generate a table of instruction "shortcode" semantics
opcodes_def_generated.h
Gives a list of all the opcodes
op_attribs_generated.h
Lists all the attributes associated with each instruction
op_regs_generated.h
Lists the register and immediate operands for each instruction
printinsn_generated.h
Data for printing (disassembling) each instruction (format
string + operands)

Signed-off-by: Taylor Simpson 
---
 target/hexagon/gen_helper_funcs.py   | 220 +++
 target/hexagon/gen_helper_protos.py  | 150 ++
 target/hexagon/gen_op_attribs.py |  40 +++
 target/hexagon/gen_op_regs.py| 111 
 target/hexagon/gen_opcodes_def.py|  37 +++
 target/hexagon/gen_printinsn.py  | 174 
 target/hexagon/gen_shortcode.py  |  63 +
 target/hexagon/gen_tcg_func_table.py |  58 
 target/hexagon/gen_tcg_funcs.py  | 532 +++
 target/hexagon/hex_common.py | 216 ++
 10 files changed, 1601 insertions(+)
 create mode 100755 target/hexagon/gen_helper_funcs.py
 create mode 100755 target/hexagon/gen_helper_protos.py
 create mode 100755 target/hexagon/gen_op_attribs.py
 create mode 100755 target/hexagon/gen_op_regs.py
 create mode 100755 target/hexagon/gen_opcodes_def.py
 create mode 100755 target/hexagon/gen_printinsn.py
 create mode 100755 target/hexagon/gen_shortcode.py
 create mode 100755 target/hexagon/gen_tcg_func_table.py
 create mode 100755 target/hexagon/gen_tcg_funcs.py
 create mode 100755 target/hexagon/hex_common.py

diff --git a/target/hexagon/gen_helper_funcs.py 
b/target/hexagon/gen_helper_funcs.py
new file mode 100755
index 000..a893b3c
--- /dev/null
+++ b/target/hexagon/gen_helper_funcs.py
@@ -0,0 +1,220 @@
+#!/usr/bin/env python3
+
+##
+##  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+##
+##  This program is free software; you can redistribute it and/or modify
+##  it under the terms of the GNU General Public License as published by
+##  the Free Software Foundation; either version 2 of the License, or
+##  (at your option) any later version.
+##
+##  This program is distributed in the hope that it will be useful,
+##  but WITHOUT ANY WARRANTY; without even the implied warranty of
+##  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+##  GNU General Public License for more details.
+##
+##  You should have received a copy of the GNU General Public License
+##  along with this program; if not, see .
+##
+
+import sys
+import re
+import string
+import hex_common
+
+##
+## Helpers for gen_helper_function
+##
+def gen_decl_ea(f):
+f.write("uint32_t EA;\n")
+
+def gen_helper_return_type(f,regtype,regid,regno):
+if regno > 1 : f.write(", ")
+f.write("int32_t")
+
+def gen_helper_return_type_pair(f,regtype,regid,regno):
+if regno > 1 : f.write(", ")
+f.write("int64_t")
+
+def gen_helper_arg(f,regtype,regid,regno):
+if regno > 0 : f.write(", " )
+f.write("int32_t %s%sV" % (regtype,regid))
+
+def gen_helper_arg_new(f,regtype,regid,regno):
+if regno >= 0 : f.write(", " )
+f.write("int32_t %s%sN" % (regtype,regid))
+
+def gen_helper_arg_pair(f,regtype,regid,regno):
+if regno >= 0 : f.write(", ")
+f.write("int64_t %s%sV" % (regtype,regid))
+
+def gen_helper_arg_opn(f,regtype,regid,i,tag):
+if (hex_common.is_pair(regid)):
+gen_helper_arg_pair(f,regtype,regid,i)
+elif (hex_common.is_single(regid)):
+if hex_common.is_old_val(regtype, regid, tag):
+gen_helper_arg(f,regtype,regid,i)
+elif hex_common.is_new_val(regtype, regid, tag):
+gen_helper_arg_new(f,regtype,regid,i)
+else:
+print("Bad register parse: ",regtype,regid,toss,numregs)
+else:
+print("Bad register parse: ",regtype,regid,toss,numregs)
+
+def gen_helper_arg_imm(f,immlett):
+f.write(", int32_t %s" % (hex_common.imm_name(immlett)))
+
+def gen_helper_dest_decl(f,regtype,regid,regno,subfield=""):
+f.write("int32_t %s%sV%s = 0;\n" % \
+(regtype,regid,subfield))
+
+def gen_helper_dest_decl_pair(f,regtype,regid,regno,subfield=""):
+f.write("int64_t %s%sV%s = 0;\n" % \
+(regtype,regid,subfield))
+
+def gen_helper_dest_decl_opn(f,regtype,regid,i):
+if (hex_common.is_pair(regid)):
+gen_helper_dest_decl_pair(f,regtype,regid,i)
+elif (hex_common.is_single(regid)):
+
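Review bot: both `print("Bad register parse: ", regtype, regid, toss, numregs)` calls in `gen_helper_arg_opn` reference `toss` and `numregs`, which are not defined in that function (its parameters are `f, regtype, regid, i, tag`), so the error path raises `NameError` instead of reporting the bad operand. Print `regtype, regid, tag` instead, and consider `sys.exit(1)` after the message so a malformed operand fails the build rather than emitting a helper prototype with a missing argument.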

[PATCH v6 13/35] Hexagon (target/hexagon) instruction/packet decode

2021-01-07 Thread Taylor Simpson
Take the words from instruction memory and build a packet_t for TCG code
generation

The following operations are performed
Convert the .new encoded offset to the register number of the producer
Reorder the packet so .new producer is before consumer
Apply constant extenders
Separate subinsn's into two instructions
Break compare-jumps into two instructions
Create instructions for :endloop

Signed-off-by: Taylor Simpson 
---
 target/hexagon/decode.h |  32 +++
 target/hexagon/decode.c | 581 
 target/hexagon/q6v_decode.c | 385 +
 3 files changed, 998 insertions(+)
 create mode 100644 target/hexagon/decode.h
 create mode 100644 target/hexagon/decode.c
 create mode 100644 target/hexagon/q6v_decode.c

diff --git a/target/hexagon/decode.h b/target/hexagon/decode.h
new file mode 100644
index 000..38f597c
--- /dev/null
+++ b/target/hexagon/decode.h
@@ -0,0 +1,32 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#ifndef HEXAGON_DECODE_H
+#define HEXAGON_DECODE_H
+
+#include "cpu.h"
+#include "opcodes.h"
+#include "insn.h"
+
+extern void decode_init(void);
+
+extern void decode_send_insn_to(Packet *packet, int start, int newloc);
+
+extern int decode_packet(int max_words, const uint32_t *words, Packet *pkt,
+ bool disas_only);
+
+#endif
diff --git a/target/hexagon/decode.c b/target/hexagon/decode.c
new file mode 100644
index 000..26c661c
--- /dev/null
+++ b/target/hexagon/decode.c
@@ -0,0 +1,581 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/log.h"
+#include "iclass.h"
+#include "opcodes.h"
+#include "genptr.h"
+#include "decode.h"
+#include "insn.h"
+#include "printinsn.h"
+
+#define fZXTN(N, M, VAL) ((VAL) & ((1LL << (N)) - 1))
+
+enum {
+EXT_IDX_noext = 0,
+EXT_IDX_noext_AFTER = 4,
+EXT_IDX_mmvec = 4,
+EXT_IDX_mmvec_AFTER = 8,
+XX_LAST_EXT_IDX
+};
+
+/*
+ *  Certain operand types represent a non-contiguous set of values.
+ *  For example, the compound compare-and-jump instruction can only access
+ *  registers R0-R7 and R16-23.
+ *  This table represents the mapping from the encoding to the actual values.
+ */
+
+#define DEF_REGMAP(NAME, ELEMENTS, ...) \
+static const unsigned int DECODE_REGISTER_##NAME[ELEMENTS] = \
+{ __VA_ARGS__ };
+/* Name   Num Table */
+DEF_REGMAP(R_16,  16, 0, 1, 2, 3, 4, 5, 6, 7, 16, 17, 18, 19, 20, 21, 22, 23)
+DEF_REGMAP(R__8,  8,  0, 2, 4, 6, 16, 18, 20, 22)
+
+#define DECODE_MAPPED_REG(REGNO, NAME) \
+insn->regno[REGNO] = DECODE_REGISTER_##NAME[insn->regno[REGNO]];
+
+typedef struct {
+const struct DectreeTable *table_link;
+const struct DectreeTable *table_link_b;
+Opcode opcode;
+enum {
+DECTREE_ENTRY_INVALID,
+DECTREE_TABLE_LINK,
+DECTREE_SUBINSNS,
+DECTREE_EXTSPACE,
+DECTREE_TERMINAL
+} type;
+} DectreeEntry;
+
+typedef struct DectreeTable {
+unsigned int (*lookup_function)(int startbit, int width, uint32_t opcode);
+unsigned int size;
+unsigned int startbit;
+unsigned int width;
+const DectreeEntry table[];
+} DectreeTable;
+
+#define DECODE_NEW_TABLE(TAG, SIZE, WHATNOT) \
+static const DectreeTable dectree_table_##TAG;
+#define TABLE_LINK(TABLE) /* NOTHING */
+#define TERMINAL(TAG, ENC)/* NOTHING */
+#define SUBINSNS(TAG, CLASSA, CLASSB, ENC)/* NOTHING */
+#define EXTSPACE(TAG, ENC)/* NOTHING */
+#define 
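Review bot: `DECODE_MAPPED_REG` indexes `DECODE_REGISTER_##NAME` with `insn->regno[REGNO]` and nothing checks that the value is below `ELEMENTS` (16 for `R_16`, 8 for `R__8`); if a decode-tree entry ever supplies a value from a wider field, this is a silent out-of-bounds read of a static table. Add `g_assert(insn->regno[REGNO] < ARRAY_SIZE(DECODE_REGISTER_##NAME));` to the macro (or bounds-check in the caller). Minor: `fZXTN(N, M, VAL)` ignores its `M` parameter, and the macro's trailing `;` means every use site ends in `;;`.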

Re: [PATCH v4 7/7] fuzz: heuristic split write based on past IOs

2021-01-07 Thread Alexander Bulekov
On 201229 1240, Qiuhao Li wrote:
> If previous write commands write the same length of data with the same step,
> we view it as a hint.
> 
> Signed-off-by: Qiuhao Li 

Reviewed-by: Alexander Bulekov 

> ---
>  scripts/oss-fuzz/minimize_qtest_trace.py | 56 
>  1 file changed, 56 insertions(+)
> 
> diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py 
> b/scripts/oss-fuzz/minimize_qtest_trace.py
> index a681984076..6cbf2b0419 100755
> --- a/scripts/oss-fuzz/minimize_qtest_trace.py
> +++ b/scripts/oss-fuzz/minimize_qtest_trace.py
> @@ -85,6 +85,43 @@ def check_if_trace_crashes(trace, path):
>  return False
>  
>  
> +# If previous write commands write the same length of data at the same
> +# interval, we view it as a hint.
> +def split_write_hint(newtrace, i):
> +HINT_LEN = 3 # > 2
> +if i <=(HINT_LEN-1):
> +return None
> +
> +#find previous continuous write traces
> +k = 0
> +l = i-1
> +writes = []
> +while (k != HINT_LEN and l >= 0):
> +if newtrace[l].startswith("write "):
> +writes.append(newtrace[l])
> +k += 1
> +l -= 1
> +elif newtrace[l] == "":
> +l -= 1
> +else:
> +return None
> +if k != HINT_LEN:
> +return None
> +
> +length = int(writes[0].split()[2], 16)
> +for j in range(1, HINT_LEN):
> +if length != int(writes[j].split()[2], 16):
> +return None
> +
> +step = int(writes[0].split()[1], 16) - int(writes[1].split()[1], 16)
> +for j in range(1, HINT_LEN-1):
> +if step != int(writes[j].split()[1], 16) - \
> +int(writes[j+1].split()[1], 16):
> +return None
> +
> +return (int(writes[0].split()[1], 16)+step, length)
> +
> +
>  def remove_minimizer(newtrace, outpath):
>  remove_step = 1
>  i = 0
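Review bot: in `split_write_hint`, the guard `if i <=(HINT_LEN-1): return None` is redundant with the loop's own `l >= 0` / `k != HINT_LEN` termination, and each write line is re-parsed several times via `split()[1]` / `split()[2]`; parse the `HINT_LEN` lines once into `(addr, length)` tuples and compute `step` and the equal-length check over that list, which also removes the need for the two index loops. Style: `l` is an ambiguous single-letter name (PEP 8 E741), and the comment `# > 2` would read better as "must be at least 3 so that two steps can be compared".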
> @@ -148,6 +185,25 @@ def remove_minimizer(newtrace, outpath):
>  length = int(newtrace[i].split()[2], 16)
>  data = newtrace[i].split()[3][2:]
>  if length > 1:
> +
> +# Can we get a hint from previous writes?
> +hint = split_write_hint(newtrace, i)
> +if hint is not None:
> +hint_addr = hint[0]
> +hint_len = hint[1]
> +if hint_addr >= addr and hint_addr+hint_len <= 
> addr+length:
> +newtrace[i] = "write {addr} {size} 
> 0x{data}\n".format(
> +addr=hex(hint_addr),
> +size=hex(hint_len),
> +data=data[(hint_addr-addr)*2:\
> +(hint_addr-addr)*2+hint_len*2])
> +if check_if_trace_crashes(newtrace, outpath):
> +# next round
> +i += 1
> +continue
> +newtrace[i] = prior[0]
> +
> +# Try splitting it using a binary approach
>  leftlength = int(length/2)
>  rightlength = length - leftlength
>  newtrace.insert(i+1, "")
> -- 
> 2.25.1
> 



Re: [PATCH v5 0/7] fuzz: improve crash case minimization

2021-01-07 Thread Alexander Bulekov
Hi Qiuhao,
Can you add my Reviewed-by: tags to the patches that I have reviewed?
Thanks
-Alex

On 210108 1044, Qiuhao Li wrote:
> Extend and refine the crash case minimization process.
> 
> Test input:
>   Bug 1909261 full_reproducer
>   6500 QTest instructions (write mostly)
> 
> Refined (-M1 minimization level) vs. Original version:
>   real  38m31.942s  <-- real  532m57.192s
>   user  28m18.188s  <-- user  89m0.536s
>   sys   12m42.239s  <-- sys   50m33.074s
>   2558 instructions <-- 2846 instructions
> 
> Test Environment:
>   i7-8550U, 16GB LPDDR3, SSD 
>   Ubuntu 20.04.1 5.4.0-58-generic x86_64
>   Python 3.8.5
> 
> v5:
>   Fix: send SIGKILL on timeout
>   Fix: rename minimization functions
> 
> v4:
>   Fix: messy diff in [PATCH v3 4/7]
> 
> v3:
>   Fix: checkpatch.pl errors
> 
> v2: 
>   New: [PATCH v2 1/7]
>   New: [PATCH v2 2/7]
>   New: [PATCH v2 4/7]
>   New: [PATCH v2 6/7]
>   New: [PATCH v2 7/7]
>   Fix: [PATCH 2/4] split using binary approach
>   Fix: [PATCH 3/4] typo in comments
>   Discard: [PATCH 1/4] the hardcoded regex match for crash detection
>   Discard: [PATCH 4/4] the delaying minimizer
>   
> Thanks for the suggestions from:
>   Alexander Bulekov
> 
> Qiuhao Li (7):
>   fuzz: accelerate non-crash detection
>   fuzz: double the IOs to remove for every loop
>   fuzz: split write operand using binary approach
>   fuzz: remove IO commands iteratively
>   fuzz: set bits in operand of write/out to zero
>   fuzz: add minimization options
>   fuzz: heuristic split write based on past IOs
> 
>  scripts/oss-fuzz/minimize_qtest_trace.py | 257 ++-
>  1 file changed, 210 insertions(+), 47 deletions(-)
> 
> -- 
> 2.25.1
> 



[PATCH v6 11/35] Hexagon (target/hexagon) register fields

2021-01-07 Thread Taylor Simpson
Declare bitfields within registers such as user status register (USR)

Signed-off-by: Taylor Simpson 
---
 target/hexagon/reg_fields.h | 36 
 target/hexagon/reg_fields_def.h | 41 +
 target/hexagon/reg_fields.c | 27 +++
 3 files changed, 104 insertions(+)
 create mode 100644 target/hexagon/reg_fields.h
 create mode 100644 target/hexagon/reg_fields_def.h
 create mode 100644 target/hexagon/reg_fields.c

diff --git a/target/hexagon/reg_fields.h b/target/hexagon/reg_fields.h
new file mode 100644
index 000..4ec7d7c
--- /dev/null
+++ b/target/hexagon/reg_fields.h
@@ -0,0 +1,36 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#ifndef HEXAGON_REG_FIELDS_H
+#define HEXAGON_REG_FIELDS_H
+
+typedef struct {
+int offset;
+int width;
+} RegField;
+
+extern const RegField reg_field_info[];
+
+enum {
+#define DEF_REG_FIELD(TAG, START, WIDTH) \
+TAG,
+#include "reg_fields_def.h"
+NUM_REG_FIELDS
+#undef DEF_REG_FIELD
+};
+
+#endif
diff --git a/target/hexagon/reg_fields_def.h b/target/hexagon/reg_fields_def.h
new file mode 100644
index 000..27b2231
--- /dev/null
+++ b/target/hexagon/reg_fields_def.h
@@ -0,0 +1,41 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+/*
+ * For registers that have individual fields, explain them here
+ *   DEF_REG_FIELD(tag,
+ * bit start offset,
+ * width
+ */
+
+/* USR fields */
+DEF_REG_FIELD(USR_OVF,0, 1)
+DEF_REG_FIELD(USR_FPINVF, 1, 1)
+DEF_REG_FIELD(USR_FPDBZF, 2, 1)
+DEF_REG_FIELD(USR_FPOVFF, 3, 1)
+DEF_REG_FIELD(USR_FPUNFF, 4, 1)
+DEF_REG_FIELD(USR_FPINPF, 5, 1)
+
+DEF_REG_FIELD(USR_LPCFG,  8, 2)
+
+DEF_REG_FIELD(USR_FPRND, 22, 2)
+
+DEF_REG_FIELD(USR_FPINVE,25, 1)
+DEF_REG_FIELD(USR_FPDBZE,26, 1)
+DEF_REG_FIELD(USR_FPOVFE,27, 1)
+DEF_REG_FIELD(USR_FPUNFE,28, 1)
+DEF_REG_FIELD(USR_FPINPE,29, 1)
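Review bot: the explanatory comment `DEF_REG_FIELD(tag, bit start offset, width` is missing its closing `)`, and it would help to state the units explicitly ("offset of the least significant bit, width in bits") since the table is the only place the encoding is described.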
diff --git a/target/hexagon/reg_fields.c b/target/hexagon/reg_fields.c
new file mode 100644
index 000..65905d5
--- /dev/null
+++ b/target/hexagon/reg_fields.c
@@ -0,0 +1,27 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "reg_fields.h"
+
+const RegField reg_field_info[] = {
+#define DEF_REG_FIELD(TAG, START, WIDTH)\
+  { START, WIDTH },
+#include "reg_fields_def.h"
+  { 0, 0 }
+#undef DEF_REG_FIELD
+};
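Review bot: the trailing `{ 0, 0 }` sentinel gives `reg_field_info` `NUM_REG_FIELDS + 1` entries while the header exposes `NUM_REG_FIELDS` as the count; nothing in this patch walks the table looking for a zero-width terminator, so either drop the sentinel and declare the array as `reg_field_info[NUM_REG_FIELDS]` in both files (which lets the compiler catch an enum/table mismatch) or document what the sentinel is for.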
-- 
2.7.4
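The reg_fields patch above keeps an enum and a lookup table in sync through one X-macro list. The following is an added example, not QEMU code and not part of Taylor Simpson's series: it reproduces that pattern as a single stand-alone file, copying the USR field list from the reg_fields_def.h hunk. Collapsing the `.def` file into a `REG_FIELD_LIST` macro, the `get_reg_field`/`set_reg_field` helpers and the `reg_fields_consistent` check (fields within 32 bits, no overlap) are assumptions made here to show how a consumer of such a table would use and validate it.

```c
/*
 * Added example (not QEMU code): the X-macro pattern from the reg_fields
 * patch, reduced to one stand-alone file. The USR field list is copied from
 * the reg_fields_def.h hunk; collapsing the .def file into REG_FIELD_LIST,
 * the get/set helpers and the consistency check are assumptions made here.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One X(tag, start bit, width) entry per field, standing in for the .def include. */
#define REG_FIELD_LIST(X) \
    X(USR_OVF,     0, 1) \
    X(USR_FPINVF,  1, 1) \
    X(USR_FPDBZF,  2, 1) \
    X(USR_FPOVFF,  3, 1) \
    X(USR_FPUNFF,  4, 1) \
    X(USR_FPINPF,  5, 1) \
    X(USR_LPCFG,   8, 2) \
    X(USR_FPRND,  22, 2) \
    X(USR_FPINVE, 25, 1) \
    X(USR_FPDBZE, 26, 1) \
    X(USR_FPOVFE, 27, 1) \
    X(USR_FPUNFE, 28, 1) \
    X(USR_FPINPE, 29, 1)

typedef struct {
    int offset;   /* bit position of the least significant bit */
    int width;    /* width in bits */
} RegField;

/* First expansion: one enum tag per field, NUM_REG_FIELDS as the count. */
enum {
#define DEF_REG_FIELD(TAG, START, WIDTH) TAG,
    REG_FIELD_LIST(DEF_REG_FIELD)
#undef DEF_REG_FIELD
    NUM_REG_FIELDS
};

/* Second expansion: the table indexed by that enum. Sizing it with
 * NUM_REG_FIELDS (no sentinel) makes the compiler reject a mismatch. */
static const RegField reg_field_info[NUM_REG_FIELDS] = {
#define DEF_REG_FIELD(TAG, START, WIDTH) [TAG] = { START, WIDTH },
    REG_FIELD_LIST(DEF_REG_FIELD)
#undef DEF_REG_FIELD
};

static uint32_t field_mask(int width)
{
    return width >= 32 ? UINT32_MAX : ((1u << width) - 1u);
}

/* Extract field `field` from a 32-bit register image. */
uint32_t get_reg_field(uint32_t reg, int field)
{
    assert(field >= 0 && field < NUM_REG_FIELDS);
    const RegField *f = &reg_field_info[field];
    return (reg >> f->offset) & field_mask(f->width);
}

/* Return `reg` with field `field` replaced by `val`; `val` must fit the field. */
uint32_t set_reg_field(uint32_t reg, int field, uint32_t val)
{
    assert(field >= 0 && field < NUM_REG_FIELDS);
    const RegField *f = &reg_field_info[field];
    uint32_t mask = field_mask(f->width);
    assert((val & ~mask) == 0);
    return (reg & ~(mask << f->offset)) | (val << f->offset);
}

/* Table sanity check: every field lies within 32 bits and no two overlap. */
bool reg_fields_consistent(void)
{
    uint32_t used = 0;
    for (int i = 0; i < NUM_REG_FIELDS; i++) {
        const RegField *f = &reg_field_info[i];
        if (f->offset < 0 || f->width <= 0 || f->offset + f->width > 32) {
            return false;
        }
        uint32_t m = field_mask(f->width) << f->offset;
        if (used & m) {
            return false;
        }
        used |= m;
    }
    return true;
}

int main(void)
{
    /* Constructed register image: USR_LPCFG = 3 (bits 8-9), USR_FPRND = 3 (bits 22-23). */
    uint32_t usr = 0x00C00300u;
    printf("consistent=%d lpcfg=%u fprnd=%u ovf=%u\n",
           reg_fields_consistent(),
           get_reg_field(usr, USR_LPCFG),
           get_reg_field(usr, USR_FPRND),
           get_reg_field(usr, USR_OVF));
    usr = set_reg_field(usr, USR_FPINPE, 1);
    printf("usr=0x%08x\n", usr);
    return 0;
}
```

The point of running `reg_fields_consistent()` once (for instance from a unit test or at init under a debug build) is that an X-macro list grows by hand, and an overlapping or out-of-range entry would otherwise only show up as silently corrupted neighbouring bits when a field is written.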



[PATCH v6 29/35] Hexagon (target/hexagon) translation

2021-01-07 Thread Taylor Simpson
Read the instruction memory
Create a packet data structure
Generate TCG code for the start of the packet
Invoke the generate function for each instruction
Generate TCG code for the end of the packet

Signed-off-by: Taylor Simpson 
---
 target/hexagon/translate.h |  91 ++
 target/hexagon/translate.c | 687 +
 2 files changed, 778 insertions(+)
 create mode 100644 target/hexagon/translate.h
 create mode 100644 target/hexagon/translate.c

diff --git a/target/hexagon/translate.h b/target/hexagon/translate.h
new file mode 100644
index 000..9d78e0d
--- /dev/null
+++ b/target/hexagon/translate.h
@@ -0,0 +1,91 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#ifndef HEXAGON_TRANSLATE_H
+#define HEXAGON_TRANSLATE_H
+
+#include "qemu/bitmap.h"
+#include "cpu.h"
+#include "exec/translator.h"
+#include "tcg/tcg-op.h"
+#include "internal.h"
+
+typedef struct DisasContext {
+DisasContextBase base;
+uint32_t mem_idx;
+int reg_log[REG_WRITES_MAX];
+int reg_log_idx;
+DECLARE_BITMAP(regs_written, TOTAL_PER_THREAD_REGS);
+int preg_log[PRED_WRITES_MAX];
+int preg_log_idx;
+uint8_t store_width[STORES_MAX];
+uint8_t s1_store_processed;
+} DisasContext;
+
+static inline void ctx_log_reg_write(DisasContext *ctx, int rnum)
+{
+#if HEX_DEBUG
+if (test_bit(rnum, ctx->regs_written)) {
+HEX_DEBUG_LOG("WARNING: Multiple writes to r%d\n", rnum);
+}
+#endif
+ctx->reg_log[ctx->reg_log_idx] = rnum;
+ctx->reg_log_idx++;
+set_bit(rnum, ctx->regs_written);
+}
+
+static inline void ctx_log_reg_write_pair(DisasContext *ctx, int rnum)
+{
+ctx_log_reg_write(ctx, rnum);
+ctx_log_reg_write(ctx, rnum + 1);
+}
+
+static inline void ctx_log_pred_write(DisasContext *ctx, int pnum)
+{
+ctx->preg_log[ctx->preg_log_idx] = pnum;
+ctx->preg_log_idx++;
+}
+
+static inline bool is_preloaded(DisasContext *ctx, int num)
+{
+return test_bit(num, ctx->regs_written);
+}
+
+extern TCGv hex_gpr[TOTAL_PER_THREAD_REGS];
+extern TCGv hex_pred[NUM_PREGS];
+extern TCGv hex_next_PC;
+extern TCGv hex_this_PC;
+extern TCGv hex_slot_cancelled;
+extern TCGv hex_branch_taken;
+extern TCGv hex_new_value[TOTAL_PER_THREAD_REGS];
+extern TCGv hex_reg_written[TOTAL_PER_THREAD_REGS];
+extern TCGv hex_new_pred_value[NUM_PREGS];
+extern TCGv hex_pred_written;
+extern TCGv hex_store_addr[STORES_MAX];
+extern TCGv hex_store_width[STORES_MAX];
+extern TCGv hex_store_val32[STORES_MAX];
+extern TCGv_i64 hex_store_val64[STORES_MAX];
+extern TCGv hex_dczero_addr;
+extern TCGv hex_llsc_addr;
+extern TCGv hex_llsc_val;
+extern TCGv_i64 hex_llsc_val_i64;
+
+extern void gen_exception(int excp);
+extern void gen_exception_debug(void);
+
+extern void process_store(DisasContext *ctx, int slot_num);
+#endif
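Review bot: `ctx_log_reg_write` and `ctx_log_pred_write` store into `reg_log[]`/`preg_log[]` at `reg_log_idx`/`preg_log_idx` and then increment, but nothing in this header checks the index against `REG_WRITES_MAX`/`PRED_WRITES_MAX`; since a register written twice in one packet is logged twice (the `HEX_DEBUG` branch only warns), the log can overrun unless the decoder bounds the number of writes elsewhere. Suggest `g_assert(ctx->reg_log_idx < REG_WRITES_MAX);` before the store (same for the predicate log), or a comment on `DisasContext` stating where the bound is guaranteed. Minor: `is_preloaded` has no comment explaining what "preloaded" means relative to `regs_written`.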
diff --git a/target/hexagon/translate.c b/target/hexagon/translate.c
new file mode 100644
index 000..efc51ce
--- /dev/null
+++ b/target/hexagon/translate.c
@@ -0,0 +1,687 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#define QEMU_GENERATE
+#include "qemu/osdep.h"
+#include "cpu.h"
+#include "tcg/tcg-op.h"
+#include "exec/cpu_ldst.h"
+#include "exec/log.h"
+#include "internal.h"
+#include "attribs.h"
+#include "insn.h"
+#include "decode.h"
+#include "translate.h"
+#include "printinsn.h"
+
+TCGv hex_gpr[TOTAL_PER_THREAD_REGS];
+TCGv hex_pred[NUM_PREGS];
+TCGv hex_next_PC;
+TCGv hex_this_PC;
+TCGv hex_slot_cancelled;
+TCGv hex_branch_taken;
+TCGv hex_new_value[TOTAL_PER_THREAD_REGS];
+#if HEX_DEBUG
+TCGv hex_reg_written[TOTAL_PER_THREAD_REGS];
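Review bot: `hex_reg_written` is defined here under `#if HEX_DEBUG` (the archive cuts the hunk right after it), while `translate.h` in the previous hunk declares `extern TCGv hex_reg_written[TOTAL_PER_THREAD_REGS];` unconditionally; any non-debug build that references the symbol will fail to link. Either guard the `extern` declaration with the same `#if HEX_DEBUG` or define the array unconditionally.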

[PATCH v6 35/35] Add newline when generating Dockerfile

2021-01-07 Thread Taylor Simpson
From: Alessandro Di Federico 

Signed-off-by: Alessandro Di Federico 
---
 tests/docker/docker.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/docker/docker.py b/tests/docker/docker.py
index d473566..5c318d9 100755
--- a/tests/docker/docker.py
+++ b/tests/docker/docker.py
@@ -333,9 +333,9 @@ class Docker(object):
  (uname, uid, uname))
 
 tmp_df.write("\n")
-tmp_df.write("LABEL com.qemu.dockerfile-checksum=%s" % (checksum))
+tmp_df.write("LABEL com.qemu.dockerfile-checksum=%s\n" % (checksum))
 for f, c in extra_files_cksum:
-tmp_df.write("LABEL com.qemu.%s-checksum=%s" % (f, c))
+tmp_df.write("LABEL com.qemu.%s-checksum=%s\n" % (f, c))
 
 tmp_df.flush()
 
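Review bot: the fix is right: without the trailing `\n` the next `LABEL` written by the `for f, c in extra_files_cksum` loop was appended to the same line as the previous label's value, so the per-file checksum labels were never emitted as separate Dockerfile instructions. Style: `% (checksum)` is a parenthesised scalar, not a tuple; `% checksum` (or an f-string) reads less like a latent bug.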
-- 
2.7.4



[PATCH v6 21/35] Hexagon (target/hexagon) generator phase 3 - C preprocessor for decode tree

2021-01-07 Thread Taylor Simpson
Run the C preprocessor across the instruction definition and encoding
files to expand macros and prepare the iset.py file.  The resulting
file contains python data structures used to build the decode tree.

Signed-off-by: Taylor Simpson 
Reviewed-by: Philippe Mathieu-Daudé http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * This program generates the encodings file that is processed by
+ * the dectree.py script to produce the decoding tree.  We use the C
+ * preprocessor to manipulate the files imported from the Hexagon
+ * architecture library.
+ */
+#include "qemu/osdep.h"
+#include "opcodes.h"
+
+#define STRINGIZE(X)#X
+
+const char * const opcode_names[] = {
+#define OPCODE(IID) STRINGIZE(IID)
+#include "opcodes_def_generated.h"
+NULL
+#undef OPCODE
+};
+
+/*
+ * Process the instruction definitions
+ * Scalar core instructions have the following form
+ * Q6INSN(A2_add,"Rd32=add(Rs32,Rt32)",ATTRIBS(),
+ * "Add 32-bit registers",
+ * { RdV=RsV+RtV;})
+ */
+const char * const opcode_syntax[XX_LAST_OPCODE] = {
+#define Q6INSN(TAG, BEH, ATTRIBS, DESCR, SEM) \
+   [TAG] = BEH,
+#define EXTINSN(TAG, BEH, ATTRIBS, DESCR, SEM) \
+   [TAG] = BEH,
+#include "imported/allidefs.def"
+#undef Q6INSN
+#undef EXTINSN
+};
+
+const char * const opcode_rregs[] = {
+#define REGINFO(TAG, REGINFO, RREGS, WREGS) RREGS,
+#define IMMINFO(TAG, SIGN, SIZE, SHAMT, SIGN2, SIZE2, SHAMT2)  /* nothing */
+#include "op_regs_generated.h"
+NULL
+#undef REGINFO
+#undef IMMINFO
+};
+
+const char * const opcode_wregs[] = {
+#define REGINFO(TAG, REGINFO, RREGS, WREGS) WREGS,
+#define IMMINFO(TAG, SIGN, SIZE, SHAMT, SIGN2, SIZE2, SHAMT2)  /* nothing */
+#include "op_regs_generated.h"
+NULL
+#undef REGINFO
+#undef IMMINFO
+};
+
+const OpcodeEncoding opcode_encodings[] = {
+#define DEF_ENC32(TAG, ENCSTR) \
+[TAG] = { .encoding = ENCSTR },
+#define DEF_ENC_SUBINSN(TAG, CLASS, ENCSTR) \
+[TAG] = { .encoding = ENCSTR, .enc_class = CLASS },
+#define DEF_EXT_ENC(TAG, CLASS, ENCSTR) \
+[TAG] = { .encoding = ENCSTR, .enc_class = CLASS },
+#include "imported/encode.def"
+#undef DEF_ENC32
+#undef DEF_ENC_SUBINSN
+#undef DEF_EXT_ENC
+};
+
+static const char * const opcode_enc_class_names[XX_LAST_ENC_CLASS] = {
+"NORMAL",
+"16BIT",
+"SUBINSN_A",
+"SUBINSN_L1",
+"SUBINSN_L2",
+"SUBINSN_S1",
+"SUBINSN_S2",
+"EXT_noext",
+"EXT_mmvec",
+};
+
+static const char *get_opcode_enc(int opcode)
+{
+const char *tmp = opcode_encodings[opcode].encoding;
+if (tmp == NULL) {
+tmp = "MISSING ENCODING";
+}
+return tmp;
+}
+
+static const char *get_opcode_enc_class(int opcode)
+{
+return opcode_enc_class_names[opcode_encodings[opcode].enc_class];
+}
+
+static void gen_iset_table(FILE *out)
+{
+int i;
+
+fprintf(out, "iset = {\n");
+for (i = 0; i < XX_LAST_OPCODE; i++) {
+fprintf(out, "\t\'%s\' : {\n", opcode_names[i]);
+fprintf(out, "\t\t\'tag\' : \'%s\',\n", opcode_names[i]);
+fprintf(out, "\t\t\'syntax\' : \'%s\',\n", opcode_syntax[i]);
+fprintf(out, "\t\t\'rregs\' : \'%s\',\n", opcode_rregs[i]);
+fprintf(out, "\t\t\'wregs\' : \'%s\',\n", opcode_wregs[i]);
+fprintf(out, "\t\t\'enc\' : \'%s\',\n", get_opcode_enc(i));
+fprintf(out, "\t\t\'enc_class\' : \'%s\',\n", get_opcode_enc_class(i));
+fprintf(out, "\t},\n");
+}
+fprintf(out, "};\n\n");
+}
+
+static void gen_tags_list(FILE *out)
+{
+int i;
+
+fprintf(out, "tags = [\n");
+for (i = 0; i < XX_LAST_OPCODE; i++) {
+fprintf(out, "\t\'%s\',\n", opcode_names[i]);
+}
+fprintf(out, "];\n\n");
+}
+
+static void gen_enc_ext_spaces_table(FILE *out)
+{
+fprintf(out, "enc_ext_spaces = {\n");
+#define DEF_EXT_SPACE(SPACEID, ENCSTR) \
+fprintf(out, "\t\'%s\' : \'%s\',\n", #SPACEID, ENCSTR);
+#include "imported/encode.def"
+#undef DEF_EXT_SPACE
+fprintf(out, "};\n\n");
+}
+
+static void gen_subinsn_groupings_table(FILE *out)
+{
+fprintf(out, "subinsn_groupings = {\n");
+#define DEF_PACKED32(TAG, TYPEA, TYPEB, ENCSTR) \
+do { \
+fprintf(out, "\t\'%s\' : {\n", #TAG); \
+fprintf(out, "\t\t\'name\' : \'%s\',\n", #TAG); \
+fprintf(out, "\t\t\'class_a\' : \'%s\',\n", #TYPEA); \
+fprintf(out, "\t\t\'class_b\' : \'%s\',\n", #TYPEB); \
+fprintf(out, "\t\t\'enc\' : \'%s\',\n", ENCSTR); \
+fprintf(out, "\t},\n"); \
+} while (0);
+#include "imported/encode.def"
+#undef DEF_PACKED32
+fprintf(out, "};\n\n");
+}
+
+int main(int argc, char *argv[])
+{
+FILE *outfile;
+
+if (argc != 2) {
+fprintf(stderr, "Usage: gen_dectree_import ouptputfile\n");
+return 1;
+}
+outfile = fopen(argv[1], "w");
+if (outfile == NULL) {
+fprintf(stderr, "Cannot open %s for writing\n", argv[1]);
+return 1;
+}
+
+gen_iset_table(outfile);
+gen_tags_list(outfile);
+gen_enc_ext_spaces_table(outfile);
+

[PATCH v6 32/35] Hexagon build infrastructure

2021-01-07 Thread Taylor Simpson
Add file to default-configs
Add hexagon to meson.build
Add hexagon to target/meson.build
Add target/hexagon/meson.build
Change scripts/qemu-binfmt-conf.sh

We can build a hexagon-linux-user target and run programs on the Hexagon
scalar core.  With hexagon-linux-clang installed, "make check-tcg" will
pass.

Signed-off-by: Taylor Simpson 
---
 default-configs/targets/hexagon-linux-user.mak |   1 +
 meson.build|   1 +
 scripts/qemu-binfmt-conf.sh|   6 +-
 target/hexagon/meson.build | 187 +
 target/meson.build |   1 +
 5 files changed, 195 insertions(+), 1 deletion(-)
 create mode 100644 default-configs/targets/hexagon-linux-user.mak
 create mode 100644 target/hexagon/meson.build

diff --git a/default-configs/targets/hexagon-linux-user.mak 
b/default-configs/targets/hexagon-linux-user.mak
new file mode 100644
index 000..003ed0a
--- /dev/null
+++ b/default-configs/targets/hexagon-linux-user.mak
@@ -0,0 +1 @@
+TARGET_ARCH=hexagon
diff --git a/meson.build b/meson.build
index 4a92213..3c692c8 100644
--- a/meson.build
+++ b/meson.build
@@ -884,6 +884,7 @@ disassemblers = {
   'arm' : ['CONFIG_ARM_DIS'],
   'avr' : ['CONFIG_AVR_DIS'],
   'cris' : ['CONFIG_CRIS_DIS'],
+  'hexagon' : ['CONFIG_HEXAGON_DIS'],
   'hppa' : ['CONFIG_HPPA_DIS'],
   'i386' : ['CONFIG_I386_DIS'],
   'x86_64' : ['CONFIG_I386_DIS'],
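Review bot: this adds `'hexagon' : ['CONFIG_HEXAGON_DIS']` to `disassemblers`, but nothing in the diffstat (`default-configs/targets/hexagon-linux-user.mak`, `meson.build`, `scripts/qemu-binfmt-conf.sh`, `target/hexagon/meson.build`, `target/meson.build`) adds a `disas/` source or defines `CONFIG_HEXAGON_DIS`; either the entry belongs with the patch that adds the disassembler, or the commit message should say it only reserves the config key.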
diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh
index 9f1580a..7b5d54b 100755
--- a/scripts/qemu-binfmt-conf.sh
+++ b/scripts/qemu-binfmt-conf.sh
@@ -4,7 +4,7 @@
 qemu_target_list="i386 i486 alpha arm armeb sparc sparc32plus sparc64 \
 ppc ppc64 ppc64le m68k mips mipsel mipsn32 mipsn32el mips64 mips64el \
 sh4 sh4eb s390x aarch64 aarch64_be hppa riscv32 riscv64 xtensa xtensaeb \
-microblaze microblazeel or1k x86_64"
+microblaze microblazeel or1k x86_64 hexagon"
 
 
i386_magic='\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00'
 
i386_mask='\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'
@@ -136,6 +136,10 @@ 
or1k_magic='\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\
 
or1k_mask='\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'
 or1k_family=or1k
 
+hexagon_magic='\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xa4\x00'
+hexagon_mask='\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'
+hexagon_family=hexagon
+
 qemu_get_family() {
 cpu=${HOST_ARCH:-$(uname -m)}
 case "$cpu" in
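Review bot: the `hexagon_magic`/`hexagon_mask` pair is consistent with the neighbouring entries: byte 7 (`EI_OSABI`) is masked out, byte 16 is masked `\xfe` so both `ET_EXEC` (2) and `ET_DYN` (3) match, and bytes 18-19 `\xa4\x00` are the little-endian `e_machine`. A one-line comment that 0xa4 is `EM_HEXAGON` would help, since the value is otherwise opaque, and a note that `qemu_get_family()` needs no case because hexagon is never a host architecture.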
diff --git a/target/hexagon/meson.build b/target/hexagon/meson.build
new file mode 100644
index 000..3d4d538
--- /dev/null
+++ b/target/hexagon/meson.build
@@ -0,0 +1,187 @@
+##
+##  Copyright(c) 2020 Qualcomm Innovation Center, Inc. All Rights Reserved.
+##
+##  This program is free software; you can redistribute it and/or modify
+##  it under the terms of the GNU General Public License as published by
+##  the Free Software Foundation; either version 2 of the License, or
+##  (at your option) any later version.
+##
+##  This program is distributed in the hope that it will be useful,
+##  but WITHOUT ANY WARRANTY; without even the implied warranty of
+##  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+##  GNU General Public License for more details.
+##
+##  You should have received a copy of the GNU General Public License
+##  along with this program; if not, see .
+##
+
+hexagon_ss = ss.source_set()
+
+prog_python = import('python').find_installation('python3')
+
+hex_common_py = 'hex_common.py'
+attribs_def_h = meson.current_source_dir() / 'attribs_def.h'
+gen_tcg_h = meson.current_source_dir() / 'gen_tcg.h'
+
+#
+#  Step 1
+#  We use a C program to create semantics_generated.pyinc
+#
+gen_semantics = executable('gen_semantics', 'gen_semantics.c')
+
+semantics = custom_target(
+'semantics_generated.pyinc',
+output: 'semantics_generated.pyinc',
+input: gen_semantics,
+command: ['@INPUT@', '@OUTPUT@'],
+)
+hexagon_ss.add(semantics)
+
+#
+# Step 2
+# We use Python scripts to generate the following files
+# shortcode_generated.h
+# helper_protos_generated.h
+# tcg_funcs_generated.h
+# tcg_func_table_generated.h
+# helper_funcs_generated.h
+# printinsn_generated.h
+# op_regs_generated.h
+# op_attribs_generated.h
+# opcodes_def_generated.h
+#
+shortcode_h = custom_target(
+'shortcode_generated.h',
+output: 'shortcode_generated.h',
+input: 'gen_shortcode.py',
+depends: [semantics],
+depend_files: [hex_common_py, attribs_def_h],
+command: [prog_python, '@INPUT@', semantics, attribs_def_h, '@OUTPUT@'],
+)
+hexagon_ss.add(shortcode_h)
+
+helper_protos_h = custom_target(
+'helper_protos_generated.h',
+output: 'helper_protos_generated.h',
+input: 'gen_helper_protos.py',
+depends: [semantics],
+
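Review bot: in Step 1, `executable('gen_semantics', 'gen_semantics.c')` is compiled for the host (target) machine, yet the `semantics_generated.pyinc` `custom_target` runs it at build time via `command: ['@INPUT@', '@OUTPUT@']`; in a cross build that binary cannot execute on the build machine. Pass `native: true` (and `build_by_default: false`, since it is only a generator) so Meson uses the build-machine compiler. The same applies to any other generator executable later in this file.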

[PATCH v6 07/35] Hexagon (target/hexagon) scalar core helpers

2021-01-07 Thread Taylor Simpson
The majority of helpers are generated.  Define the helper functions needed,
then include the generated file.

Signed-off-by: Taylor Simpson 
---
 target/hexagon/helper.h|   85 
 target/hexagon/op_helper.c | 1016 
 2 files changed, 1101 insertions(+)
 create mode 100644 target/hexagon/helper.h
 create mode 100644 target/hexagon/op_helper.c

diff --git a/target/hexagon/helper.h b/target/hexagon/helper.h
new file mode 100644
index 000..df5ee53
--- /dev/null
+++ b/target/hexagon/helper.h
@@ -0,0 +1,85 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+DEF_HELPER_FLAGS_2(raise_exception, TCG_CALL_NO_RETURN, noreturn, env, i32)
+DEF_HELPER_1(debug_start_packet, void, env)
+DEF_HELPER_FLAGS_3(debug_check_store_width, TCG_CALL_NO_WG, void, env, int, 
int)
+DEF_HELPER_2(commit_store, void, env, int)
+DEF_HELPER_FLAGS_3(debug_commit_end, TCG_CALL_NO_WG, void, env, int, int)
+DEF_HELPER_FLAGS_4(fcircadd, TCG_CALL_NO_RWG_SE, s32, s32, s32, s32, s32)
+
+/* Floating point */
+DEF_HELPER_2(conv_sf2df, f64, env, f32)
+DEF_HELPER_2(conv_df2sf, f32, env, f64)
+DEF_HELPER_2(conv_uw2sf, f32, env, s32)
+DEF_HELPER_2(conv_uw2df, f64, env, s32)
+DEF_HELPER_2(conv_w2sf, f32, env, s32)
+DEF_HELPER_2(conv_w2df, f64, env, s32)
+DEF_HELPER_2(conv_ud2sf, f32, env, s64)
+DEF_HELPER_2(conv_ud2df, f64, env, s64)
+DEF_HELPER_2(conv_d2sf, f32, env, s64)
+DEF_HELPER_2(conv_d2df, f64, env, s64)
+DEF_HELPER_2(conv_sf2uw, s32, env, f32)
+DEF_HELPER_2(conv_sf2w, s32, env, f32)
+DEF_HELPER_2(conv_sf2ud, s64, env, f32)
+DEF_HELPER_2(conv_sf2d, s64, env, f32)
+DEF_HELPER_2(conv_df2uw, s32, env, f64)
+DEF_HELPER_2(conv_df2w, s32, env, f64)
+DEF_HELPER_2(conv_df2ud, s64, env, f64)
+DEF_HELPER_2(conv_df2d, s64, env, f64)
+DEF_HELPER_2(conv_sf2uw_chop, s32, env, f32)
+DEF_HELPER_2(conv_sf2w_chop, s32, env, f32)
+DEF_HELPER_2(conv_sf2ud_chop, s64, env, f32)
+DEF_HELPER_2(conv_sf2d_chop, s64, env, f32)
+DEF_HELPER_2(conv_df2uw_chop, s32, env, f64)
+DEF_HELPER_2(conv_df2w_chop, s32, env, f64)
+DEF_HELPER_2(conv_df2ud_chop, s64, env, f64)
+DEF_HELPER_2(conv_df2d_chop, s64, env, f64)
+DEF_HELPER_3(sfadd, f32, env, f32, f32)
+DEF_HELPER_3(sfsub, f32, env, f32, f32)
+DEF_HELPER_3(sfcmpeq, s32, env, f32, f32)
+DEF_HELPER_3(sfcmpgt, s32, env, f32, f32)
+DEF_HELPER_3(sfcmpge, s32, env, f32, f32)
+DEF_HELPER_3(sfcmpuo, s32, env, f32, f32)
+DEF_HELPER_3(sfmax, f32, env, f32, f32)
+DEF_HELPER_3(sfmin, f32, env, f32, f32)
+DEF_HELPER_3(sfclass, s32, env, f32, s32)
+DEF_HELPER_3(sffixupn, f32, env, f32, f32)
+DEF_HELPER_3(sffixupd, f32, env, f32, f32)
+DEF_HELPER_2(sffixupr, f32, env, f32)
+
+DEF_HELPER_3(dfadd, f64, env, f64, f64)
+DEF_HELPER_3(dfsub, f64, env, f64, f64)
+DEF_HELPER_3(dfmax, f64, env, f64, f64)
+DEF_HELPER_3(dfmin, f64, env, f64, f64)
+DEF_HELPER_3(dfcmpeq, s32, env, f64, f64)
+DEF_HELPER_3(dfcmpgt, s32, env, f64, f64)
+DEF_HELPER_3(dfcmpge, s32, env, f64, f64)
+DEF_HELPER_3(dfcmpuo, s32, env, f64, f64)
+DEF_HELPER_3(dfclass, s32, env, f64, s32)
+
+DEF_HELPER_3(sfmpy, f32, env, f32, f32)
+DEF_HELPER_4(sffma, f32, env, f32, f32, f32)
+DEF_HELPER_5(sffma_sc, f32, env, f32, f32, f32, f32)
+DEF_HELPER_4(sffms, f32, env, f32, f32, f32)
+DEF_HELPER_4(sffma_lib, f32, env, f32, f32, f32)
+DEF_HELPER_4(sffms_lib, f32, env, f32, f32, f32)
+
+DEF_HELPER_3(dfmpyfix, f64, env, f64, f64)
+DEF_HELPER_4(dfmpyhh, f64, env, f64, f64, f64)
+
+#include "helper_protos_generated.h"
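Review bot: the unsigned-word conversion helpers (`conv_uw2sf`, `conv_uw2df`, `conv_ud2sf`, `conv_ud2df`, `conv_sf2uw`, `conv_df2uw`, `conv_sf2ud`, `conv_df2ud` and their `_chop` variants) declare the unsigned operand or result as `s32`/`s64`; QEMU's `DEF_HELPER_*` macros accept `i32`/`i64` for unsigned values, which would keep the generated C prototypes' signedness honest and document the intent. Also `commit_store` and `debug_start_packet` carry no `TCG_CALL_NO_*` flags while the adjacent debug helpers do; a short comment on why `commit_store` must stay unflagged would save the next reader a lookup.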
diff --git a/target/hexagon/op_helper.c b/target/hexagon/op_helper.c
new file mode 100644
index 000..1da8557
--- /dev/null
+++ b/target/hexagon/op_helper.c
@@ -0,0 +1,1016 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU 

[PATCH v6 30/35] Hexagon (linux-user/hexagon) Linux user emulation

2021-01-07 Thread Taylor Simpson
Implementation of Linux user emulation for Hexagon
Some common files modified in addition to new files in linux-user/hexagon

Signed-off-by: Taylor Simpson 
Reviewed-by: Richard Henderson 
---
 linux-user/hexagon/sockbits.h   |  18 ++
 linux-user/hexagon/syscall_nr.h | 322 
 linux-user/hexagon/target_cpu.h |  44 +
 linux-user/hexagon/target_elf.h |  40 +
 linux-user/hexagon/target_fcntl.h   |  18 ++
 linux-user/hexagon/target_signal.h  |  34 
 linux-user/hexagon/target_structs.h |  46 ++
 linux-user/hexagon/target_syscall.h |  36 
 linux-user/hexagon/termbits.h   |  18 ++
 linux-user/qemu.h   |   2 +
 linux-user/syscall_defs.h   |  33 
 linux-user/elfload.c|  16 ++
 linux-user/hexagon/cpu_loop.c   |  99 +++
 linux-user/hexagon/signal.c | 276 +++
 scripts/gensyscalls.sh  |   1 +
 15 files changed, 1003 insertions(+)
 create mode 100644 linux-user/hexagon/sockbits.h
 create mode 100644 linux-user/hexagon/syscall_nr.h
 create mode 100644 linux-user/hexagon/target_cpu.h
 create mode 100644 linux-user/hexagon/target_elf.h
 create mode 100644 linux-user/hexagon/target_fcntl.h
 create mode 100644 linux-user/hexagon/target_signal.h
 create mode 100644 linux-user/hexagon/target_structs.h
 create mode 100644 linux-user/hexagon/target_syscall.h
 create mode 100644 linux-user/hexagon/termbits.h
 create mode 100644 linux-user/hexagon/cpu_loop.c
 create mode 100644 linux-user/hexagon/signal.c

diff --git a/linux-user/hexagon/sockbits.h b/linux-user/hexagon/sockbits.h
new file mode 100644
index 000..a6e8966
--- /dev/null
+++ b/linux-user/hexagon/sockbits.h
@@ -0,0 +1,18 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#include "../generic/sockbits.h"
diff --git a/linux-user/hexagon/syscall_nr.h b/linux-user/hexagon/syscall_nr.h
new file mode 100644
index 000..da1314f
--- /dev/null
+++ b/linux-user/hexagon/syscall_nr.h
@@ -0,0 +1,322 @@
+/*
+ * This file contains the system call numbers.
+ * Do not modify.
+ * This file is generated by scripts/gensyscalls.sh
+ */
+#ifndef LINUX_USER_HEXAGON_SYSCALL_NR_H
+#define LINUX_USER_HEXAGON_SYSCALL_NR_H
+
+#define TARGET_NR_io_setup 0
+#define TARGET_NR_io_destroy 1
+#define TARGET_NR_io_submit 2
+#define TARGET_NR_io_cancel 3
+#define TARGET_NR_io_getevents 4
+#define TARGET_NR_setxattr 5
+#define TARGET_NR_lsetxattr 6
+#define TARGET_NR_fsetxattr 7
+#define TARGET_NR_getxattr 8
+#define TARGET_NR_lgetxattr 9
+#define TARGET_NR_fgetxattr 10
+#define TARGET_NR_listxattr 11
+#define TARGET_NR_llistxattr 12
+#define TARGET_NR_flistxattr 13
+#define TARGET_NR_removexattr 14
+#define TARGET_NR_lremovexattr 15
+#define TARGET_NR_fremovexattr 16
+#define TARGET_NR_getcwd 17
+#define TARGET_NR_lookup_dcookie 18
+#define TARGET_NR_eventfd2 19
+#define TARGET_NR_epoll_create1 20
+#define TARGET_NR_epoll_ctl 21
+#define TARGET_NR_epoll_pwait 22
+#define TARGET_NR_dup 23
+#define TARGET_NR_dup3 24
+#define TARGET_NR_fcntl64 25
+#define TARGET_NR_inotify_init1 26
+#define TARGET_NR_inotify_add_watch 27
+#define TARGET_NR_inotify_rm_watch 28
+#define TARGET_NR_ioctl 29
+#define TARGET_NR_ioprio_set 30
+#define TARGET_NR_ioprio_get 31
+#define TARGET_NR_flock 32
+#define TARGET_NR_mknodat 33
+#define TARGET_NR_mkdirat 34
+#define TARGET_NR_unlinkat 35
+#define TARGET_NR_symlinkat 36
+#define TARGET_NR_linkat 37
+#define TARGET_NR_renameat 38
+#define TARGET_NR_umount2 39
+#define TARGET_NR_mount 40
+#define TARGET_NR_pivot_root 41
+#define TARGET_NR_nfsservctl 42
+#define TARGET_NR_statfs64 43
+#define TARGET_NR_fstatfs64 44
+#define TARGET_NR_truncate64 45
+#define TARGET_NR_ftruncate64 46
+#define TARGET_NR_fallocate 47
+#define TARGET_NR_faccessat 48
+#define TARGET_NR_chdir 49
+#define TARGET_NR_fchdir 50
+#define TARGET_NR_chroot 51
+#define TARGET_NR_fchmod 52
+#define TARGET_NR_fchmodat 53
+#define TARGET_NR_fchownat 54
+#define TARGET_NR_fchown 55
+#define TARGET_NR_openat 56
+#define TARGET_NR_close 57
+#define TARGET_NR_vhangup 58
+#define TARGET_NR_pipe2 59
+#define TARGET_NR_quotactl 60
+#define TARGET_NR_getdents64 61
+#define TARGET_NR_llseek 62
+#define TARGET_NR_read 63
+#define 

[PATCH v6 24/35] Hexagon (target/hexagon) macros

2021-01-07 Thread Taylor Simpson
macros to interface with the generator
macros referenced in instruction semantics

Signed-off-by: Taylor Simpson 
---
 target/hexagon/macros.h | 591 
 1 file changed, 591 insertions(+)
 create mode 100644 target/hexagon/macros.h

diff --git a/target/hexagon/macros.h b/target/hexagon/macros.h
new file mode 100644
index 000..c85a0df
--- /dev/null
+++ b/target/hexagon/macros.h
@@ -0,0 +1,591 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#ifndef HEXAGON_MACROS_H
+#define HEXAGON_MACROS_H
+
+#include "cpu.h"
+#include "hex_regs.h"
+#include "reg_fields.h"
+
+#ifdef QEMU_GENERATE
+#define READ_REG(dest, NUM)  gen_read_reg(dest, NUM)
+#define READ_PREG(dest, NUM) gen_read_preg(dest, (NUM))
+#else
+#define READ_REG(NUM)(env->gpr[(NUM)])
+#define READ_PREG(NUM)   (env->pred[NUM])
+
+#define WRITE_RREG(NUM, VAL) log_reg_write(env, NUM, VAL, slot)
+#define WRITE_PREG(NUM, VAL) log_pred_write(env, NUM, VAL)
+#endif
+
+#define PCALIGN 4
+#define PCALIGN_MASK (PCALIGN - 1)
+
+#define GET_FIELD(FIELD, REGIN) \
+fEXTRACTU_BITS(REGIN, reg_field_info[FIELD].width, \
+   reg_field_info[FIELD].offset)
+
+#ifdef QEMU_GENERATE
+#define GET_USR_FIELD(FIELD, DST) \
+tcg_gen_extract_tl(DST, hex_gpr[HEX_REG_USR], \
+   reg_field_info[FIELD].offset, \
+   reg_field_info[FIELD].width)
+
+#define TYPE_INT(X)  __builtin_types_compatible_p(typeof(X), int)
+#define TYPE_TCGV(X) __builtin_types_compatible_p(typeof(X), TCGv)
+#define TYPE_TCGV_I64(X) __builtin_types_compatible_p(typeof(X), TCGv_i64)
+
+#define SET_USR_FIELD_FUNC(X) \
+__builtin_choose_expr(TYPE_INT(X), \
+gen_set_usr_fieldi, \
+__builtin_choose_expr(TYPE_TCGV(X), \
+gen_set_usr_field, (void)0))
+#define SET_USR_FIELD(FIELD, VAL) \
+SET_USR_FIELD_FUNC(VAL)(FIELD, VAL)
+#else
+#define GET_USR_FIELD(FIELD) \
+fEXTRACTU_BITS(env->gpr[HEX_REG_USR], reg_field_info[FIELD].width, \
+   reg_field_info[FIELD].offset)
+
+#define SET_USR_FIELD(FIELD, VAL) \
+fINSERT_BITS(env->gpr[HEX_REG_USR], reg_field_info[FIELD].width, \
+ reg_field_info[FIELD].offset, (VAL))
+#endif
+
+#ifdef QEMU_GENERATE
+/*
+ * Section 5.5 of the Hexagon V67 Programmer's Reference Manual
+ *
+ * Slot 1 store with slot 0 load
+ * A slot 1 store operation with a slot 0 load operation can appear in a 
packet.
+ * The packet attribute :mem_noshuf inhibits the instruction reordering that
+ * would otherwise be done by the assembler. For example:
+ * {
+ * memw(R5) = R2 // slot 1 store
+ * R3 = memh(R6) // slot 0 load
+ * }:mem_noshuf
+ * Unlike most packetized operations, these memory operations are not executed
+ * in parallel (Section 3.3.1). Instead, the store instruction in Slot 1
+ * effectively executes first, followed by the load instruction in Slot 0. If
+ * the addresses of the two operations are overlapping, the load will receive
+ * the newly stored data. This feature is supported in processor versions
+ * V65 or greater.
+ *
+ *
+ * For qemu, we look for a load in slot 0 when there is  a store in slot 1
+ * in the same packet.  When we see this, we call a helper that merges the
+ * bytes from the store buffer with the value loaded from memory.
+ */
+#define CHECK_NOSHUF \
+do { \
+if (insn->slot == 0 && pkt->pkt_has_store_s1) { \
+process_store(ctx, 1); \
+} \
+} while (0)
+
+#define MEM_LOAD1s(DST, VA) \
+do { \
+CHECK_NOSHUF; \
+tcg_gen_qemu_ld8s(DST, VA, ctx->mem_idx); \
+} while (0)
+#define MEM_LOAD1u(DST, VA) \
+do { \
+CHECK_NOSHUF; \
+tcg_gen_qemu_ld8u(DST, VA, ctx->mem_idx); \
+} while (0)
+#define MEM_LOAD2s(DST, VA) \
+do { \
+CHECK_NOSHUF; \
+tcg_gen_qemu_ld16s(DST, VA, ctx->mem_idx); \
+} while (0)
+#define MEM_LOAD2u(DST, VA) \
+do { \
+CHECK_NOSHUF; \
+tcg_gen_qemu_ld16u(DST, VA, ctx->mem_idx); \
+} while (0)
+#define MEM_LOAD4s(DST, VA) \
+do { \
+CHECK_NOSHUF; \
+tcg_gen_qemu_ld32s(DST, VA, ctx->mem_idx); \
+} 
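Review bot: macro argument parenthesisation is inconsistent: `READ_PREG(dest, NUM)` and `READ_REG(NUM)` wrap `NUM` while `READ_REG(dest, NUM)` and `READ_PREG(NUM)` do not; since these take arbitrary expressions from generated semantics, parenthesise every use. Under `#ifdef QEMU_GENERATE` only the `READ_*` macros exist and `WRITE_RREG`/`WRITE_PREG` are defined only in the `#else` branch; if the generator emits writes by another path, a comment saying so would stop readers from looking for the missing definitions. `CHECK_NOSHUF` also depends on `insn`, `pkt` and `ctx` being in scope at every `MEM_LOAD*` expansion, which is worth stating next to the `mem_noshuf` description.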

[PATCH v6 15/35] Hexagon (target/hexagon/arch.[ch]) utility functions

2021-01-07 Thread Taylor Simpson
Signed-off-by: Taylor Simpson 
---
 target/hexagon/arch.h |  35 ++
 target/hexagon/arch.c | 294 ++
 2 files changed, 329 insertions(+)
 create mode 100644 target/hexagon/arch.h
 create mode 100644 target/hexagon/arch.c

diff --git a/target/hexagon/arch.h b/target/hexagon/arch.h
new file mode 100644
index 000..cf14480
--- /dev/null
+++ b/target/hexagon/arch.h
@@ -0,0 +1,35 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#ifndef HEXAGON_ARCH_H
+#define HEXAGON_ARCH_H
+
+#include "qemu/osdep.h"
+#include "qemu/int128.h"
+
+extern uint64_t interleave(uint32_t odd, uint32_t even);
+extern uint64_t deinterleave(uint64_t src);
+extern uint32_t carry_from_add64(uint64_t a, uint64_t b, uint32_t c);
+extern int32_t conv_round(int32_t a, int n);
+extern void arch_fpop_start(CPUHexagonState *env);
+extern void arch_fpop_end(CPUHexagonState *env);
+extern int arch_sf_recip_common(float32 *Rs, float32 *Rt, float32 *Rd,
+int *adjust, float_status *fp_status);
+extern int arch_sf_invsqrt_common(float32 *Rs, float32 *Rd, int *adjust,
+  float_status *fp_status);
+
+#endif
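Review bot: the header uses `CPUHexagonState`, `float32` and `float_status` but only includes `qemu/osdep.h` and `qemu/int128.h`, so it compiles only if the includer has already pulled in `cpu.h` and `fpu/softfloat.h` (as `arch.c` does); include `cpu.h` and `fpu/softfloat-types.h` here, or forward-declare the types, so the header is self-contained. Style: `extern` on function declarations is redundant.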
diff --git a/target/hexagon/arch.c b/target/hexagon/arch.c
new file mode 100644
index 000..c46f6a7
--- /dev/null
+++ b/target/hexagon/arch.c
@@ -0,0 +1,294 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "fpu/softfloat.h"
+#include "cpu.h"
+#include "fma_emu.h"
+#include "arch.h"
+#include "macros.h"
+
+#define SF_BIAS127
+#define SF_MAXEXP  254
+#define SF_MANTBITS23
+#define float32_nanmake_float32(0x)
+
+#define BITS_MASK_8 0xULL
+#define PAIR_MASK_8 0xULL
+#define NYBL_MASK_8 0x0f0f0f0f0f0f0f0fULL
+#define BYTE_MASK_8 0x00ff00ff00ff00ffULL
+#define HALF_MASK_8 0xULL
+#define WORD_MASK_8 0xULL
+
+uint64_t interleave(uint32_t odd, uint32_t even)
+{
+/* Convert to long long */
+uint64_t myodd = odd;
+uint64_t myeven = even;
+/* First, spread bits out */
+myodd = (myodd | (myodd << 16)) & HALF_MASK_8;
+myeven = (myeven | (myeven << 16)) & HALF_MASK_8;
+myodd = (myodd | (myodd << 8)) & BYTE_MASK_8;
+myeven = (myeven | (myeven << 8)) & BYTE_MASK_8;
+myodd = (myodd | (myodd << 4)) & NYBL_MASK_8;
+myeven = (myeven | (myeven << 4)) & NYBL_MASK_8;
+myodd = (myodd | (myodd << 2)) & PAIR_MASK_8;
+myeven = (myeven | (myeven << 2)) & PAIR_MASK_8;
+myodd = (myodd | (myodd << 1)) & BITS_MASK_8;
+myeven = (myeven | (myeven << 1)) & BITS_MASK_8;
+/* Now OR together */
+return myeven | (myodd << 1);
+}
+
+uint64_t deinterleave(uint64_t src)
+{
+/* Get odd and even bits */
+uint64_t myodd = ((src >> 1) & BITS_MASK_8);
+uint64_t myeven = (src & BITS_MASK_8);
+
+/* Unspread bits */
+myeven = (myeven | (myeven >> 1)) & PAIR_MASK_8;
+myodd = (myodd | (myodd >> 1)) & PAIR_MASK_8;
+myeven = (myeven | (myeven >> 2)) & NYBL_MASK_8;
+myodd = (myodd | (myodd >> 2)) & NYBL_MASK_8;
+myeven = (myeven | (myeven >> 4)) & BYTE_MASK_8;
+myodd = (myodd | (myodd >> 4)) & BYTE_MASK_8;
+myeven = (myeven | (myeven >> 8)) & HALF_MASK_8;
+myodd = (myodd | (myodd >> 8)) & HALF_MASK_8;
+myeven = (myeven | (myeven >> 16)) & WORD_MASK_8;
+myodd = (myodd | (myodd >> 16)) & WORD_MASK_8;
+
+/* Return odd bits in upper half */
+return myeven | (myodd << 32);
+}
+
+uint32_t carry_from_add64(uint64_t a, uint64_t b, 
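Review bot: as rendered in this archive the constants in `#define SF_BIAS127`, `#define float32_nanmake_float32(0x)` and the `BITS_MASK_8`/`PAIR_MASK_8`/`HALF_MASK_8`/`WORD_MASK_8` lines are garbled (`0xULL`, missing spacing), so the values cannot be reviewed from the visible lines; please check that the masks are the standard bit-interleave masks the shift sequence in `interleave`/`deinterleave` requires (alternating single bits, 2-bit groups, 16-bit groups, low 32 bits respectively). Since `deinterleave` is written as the exact inverse of `interleave`, a round-trip unit test in `tests/tcg` would guard these constants.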

[PATCH v6 06/35] Hexagon (target/hexagon) register names

2021-01-07 Thread Taylor Simpson
Signed-off-by: Taylor Simpson 
Reviewed-by: Richard Henderson 
---
 target/hexagon/hex_regs.h | 83 +++
 1 file changed, 83 insertions(+)
 create mode 100644 target/hexagon/hex_regs.h

diff --git a/target/hexagon/hex_regs.h b/target/hexagon/hex_regs.h
new file mode 100644
index 000..3b4249a
--- /dev/null
+++ b/target/hexagon/hex_regs.h
@@ -0,0 +1,83 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#ifndef HEXAGON_REGS_H
+#define HEXAGON_REGS_H
+
+enum {
+HEX_REG_R00  = 0,
+HEX_REG_R01  = 1,
+HEX_REG_R02  = 2,
+HEX_REG_R03  = 3,
+HEX_REG_R04  = 4,
+HEX_REG_R05  = 5,
+HEX_REG_R06  = 6,
+HEX_REG_R07  = 7,
+HEX_REG_R08  = 8,
+HEX_REG_R09  = 9,
+HEX_REG_R10  = 10,
+HEX_REG_R11  = 11,
+HEX_REG_R12  = 12,
+HEX_REG_R13  = 13,
+HEX_REG_R14  = 14,
+HEX_REG_R15  = 15,
+HEX_REG_R16  = 16,
+HEX_REG_R17  = 17,
+HEX_REG_R18  = 18,
+HEX_REG_R19  = 19,
+HEX_REG_R20  = 20,
+HEX_REG_R21  = 21,
+HEX_REG_R22  = 22,
+HEX_REG_R23  = 23,
+HEX_REG_R24  = 24,
+HEX_REG_R25  = 25,
+HEX_REG_R26  = 26,
+HEX_REG_R27  = 27,
+HEX_REG_R28  = 28,
+HEX_REG_R29  = 29,
+HEX_REG_SP   = 29,
+HEX_REG_FP   = 30,
+HEX_REG_R30  = 30,
+HEX_REG_LR   = 31,
+HEX_REG_R31  = 31,
+HEX_REG_SA0  = 32,
+HEX_REG_LC0  = 33,
+HEX_REG_SA1  = 34,
+HEX_REG_LC1  = 35,
+HEX_REG_P3_0 = 36,
+HEX_REG_M0   = 38,
+HEX_REG_M1   = 39,
+HEX_REG_USR  = 40,
+HEX_REG_PC   = 41,
+HEX_REG_UGP  = 42,
+HEX_REG_GP   = 43,
+HEX_REG_CS0  = 44,
+HEX_REG_CS1  = 45,
+HEX_REG_UPCYCLELO= 46,
+HEX_REG_UPCYCLEHI= 47,
+HEX_REG_FRAMELIMIT   = 48,
+HEX_REG_FRAMEKEY = 49,
+HEX_REG_PKTCNTLO = 50,
+HEX_REG_PKTCNTHI = 51,
+/* Use reserved control registers for qemu execution counts */
+HEX_REG_QEMU_PKT_CNT  = 52,
+HEX_REG_QEMU_INSN_CNT = 53,
+HEX_REG_UTIMERLO  = 62,
+HEX_REG_UTIMERHI  = 63,
+};
+
+#endif
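Review bot: The comment above HEX_REG_QEMU_PKT_CNT / HEX_REG_QEMU_INSN_CNT says reserved control registers 52 and 53 are reused for QEMU execution counts, but nothing says whether guest code reading those control registers sees the counters. If it does, that is non-architectural, guest-observable state (a trivial emulator fingerprint and a counter real hardware doesn't provide), so either document that reads are meant to return the counts or note that they are hidden from the guest. A one-line comment on the gaps at 37 and 54..61, and that R29/SP, R30/FP and R31/LR are intentional aliases rather than duplicated values, would also save the next reader a trip to the manual.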
-- 
2.7.4



[PATCH v6 05/35] Hexagon (disas) disassembler

2021-01-07 Thread Taylor Simpson
Add hexagon to disas/meson.build
Add disas/hexagon.c
Add hexagon to include/disas/dis-asm.h

Signed-off-by: Taylor Simpson 
---
 include/disas/dis-asm.h |  1 +
 disas/hexagon.c | 68 +
 disas/meson.build   |  1 +
 3 files changed, 70 insertions(+)
 create mode 100644 disas/hexagon.c

diff --git a/include/disas/dis-asm.h b/include/disas/dis-asm.h
index 2164762..1f54fc0 100644
--- a/include/disas/dis-asm.h
+++ b/include/disas/dis-asm.h
@@ -459,6 +459,7 @@ int print_insn_xtensa   (bfd_vma, 
disassemble_info*);
 int print_insn_riscv32  (bfd_vma, disassemble_info*);
 int print_insn_riscv64  (bfd_vma, disassemble_info*);
 int print_insn_rx(bfd_vma, disassemble_info *);
+int print_insn_hexagon(bfd_vma, disassemble_info *);
 
 #ifdef CONFIG_CAPSTONE
 bool cap_disas_target(disassemble_info *info, uint64_t pc, size_t size);
diff --git a/disas/hexagon.c b/disas/hexagon.c
new file mode 100644
index 000..968f11c
--- /dev/null
+++ b/disas/hexagon.c
@@ -0,0 +1,68 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+/*
+ * QEMU Hexagon Disassembler
+ */
+
+#include "qemu/osdep.h"
+#include "disas/dis-asm.h"
+#include "target/hexagon/cpu_bits.h"
+
+/*
+ * We will disassemble a packet with up to 4 instructions, so we need
+ * a hefty size buffer.
+ */
+#define PACKET_BUFFER_LEN   1028
+
+int print_insn_hexagon(bfd_vma memaddr, struct disassemble_info *info)
+{
+uint32_t words[PACKET_WORDS_MAX];
+bool found_end = false;
+char buf[PACKET_BUFFER_LEN];
+int i;
+
+for (i = 0; i < PACKET_WORDS_MAX && !found_end; i++) {
+int status = (*info->read_memory_func)(memaddr + i * sizeof(uint32_t),
+   (bfd_byte *)[i],
+   sizeof(uint32_t), info);
+if (status) {
+if (i > 0) {
+break;
+}
+(*info->memory_error_func)(status, memaddr, info);
+return status;
+}
+if (is_packet_end(words[i])) {
+found_end = true;
+}
+}
+
+if (!found_end) {
+(*info->fprintf_func)(info->stream, "");
+return PACKET_WORDS_MAX * 4;
+}
+
+int len = disassemble_hexagon(words, i, memaddr, buf, PACKET_BUFFER_LEN);
+int slen = strlen(buf);
+if (buf[slen - 1] == '\n') {
+buf[slen - 1] = '\0';
+}
+(*info->fprintf_func)(info->stream, "%s", buf);
+
+return len;
+}
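Review bot: `buf[slen - 1]` reads one byte before the buffer when disassemble_hexagon() leaves buf empty (slen == 0); guard it with `if (slen > 0 && buf[slen - 1] == '\n')`. Separately, when read_memory_func fails on any word after the first, the loop breaks with `found_end` still false and the function returns `PACKET_WORDS_MAX * 4`, which tells the caller to step over memory that was never read; returning `i * sizeof(uint32_t)` (the bytes actually consumed) or reporting the error keeps the disassembly aligned with readable memory. The comment on PACKET_BUFFER_LEN says "hefty" but not how 1028 relates to the four-instruction packet; a sentence on the sizing would help.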
diff --git a/disas/meson.build b/disas/meson.build
index 09a8527..b7b659b 100644
--- a/disas/meson.build
+++ b/disas/meson.build
@@ -6,6 +6,7 @@ common_ss.add(when: 'CONFIG_ARM_A64_DIS', if_true: 
files('arm-a64.cc'))
 common_ss.add_all(when: 'CONFIG_ARM_A64_DIS', if_true: libvixl_ss)
 common_ss.add(when: 'CONFIG_ARM_DIS', if_true: files('arm.c'))
 common_ss.add(when: 'CONFIG_CRIS_DIS', if_true: files('cris.c'))
+common_ss.add(when: 'CONFIG_HEXAGON_DIS', if_true: files('hexagon.c'))
 common_ss.add(when: 'CONFIG_HPPA_DIS', if_true: files('hppa.c'))
 common_ss.add(when: 'CONFIG_I386_DIS', if_true: files('i386.c'))
 common_ss.add(when: 'CONFIG_LM32_DIS', if_true: files('lm32.c'))
-- 
2.7.4



[PATCH v6 23/35] Hexagon (target/hexagon) opcode data structures

2021-01-07 Thread Taylor Simpson
Signed-off-by: Taylor Simpson 
---
 target/hexagon/opcodes.h |  63 +
 target/hexagon/opcodes.c | 142 +++
 2 files changed, 205 insertions(+)
 create mode 100644 target/hexagon/opcodes.h
 create mode 100644 target/hexagon/opcodes.c

diff --git a/target/hexagon/opcodes.h b/target/hexagon/opcodes.h
new file mode 100644
index 000..1aa2074
--- /dev/null
+++ b/target/hexagon/opcodes.h
@@ -0,0 +1,63 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#ifndef HEXAGON_OPCODES_H
+#define HEXAGON_OPCODES_H
+
+#include "qemu/bitmap.h"
+#include "attribs.h"
+
+typedef enum {
+#define OPCODE(IID) IID
+#include "opcodes_def_generated.h"
+XX_LAST_OPCODE
+#undef OPCODE
+} Opcode;
+
+typedef enum {
+NORMAL,
+HALF,
+SUBINSN_A,
+SUBINSN_L1,
+SUBINSN_L2,
+SUBINSN_S1,
+SUBINSN_S2,
+EXT_noext,
+EXT_mmvec,
+XX_LAST_ENC_CLASS
+} EncClass;
+
+extern const char * const opcode_names[];
+
+extern const char * const opcode_reginfo[];
+extern const char * const opcode_rregs[];
+extern const char * const opcode_wregs[];
+
+typedef struct {
+const char * const encoding;
+const EncClass enc_class;
+} OpcodeEncoding;
+
+extern const OpcodeEncoding opcode_encodings[XX_LAST_OPCODE];
+
+extern DECLARE_BITMAP(opcode_attribs[XX_LAST_OPCODE], A_ZZ_LASTATTRIB);
+
+extern void opcode_init(void);
+
+extern int opcode_which_immediate_is_extended(Opcode opcode);
+
+#endif
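Review bot: opcodes.c defines `opcode_short_semantics[]` but this header doesn't declare it; if it is used outside opcodes.c add an `extern` here, otherwise make it `static` so it isn't an unprefixed global symbol. The `extern` keyword on the function prototypes (`opcode_init`, `opcode_which_immediate_is_extended`) is redundant and not QEMU style.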
diff --git a/target/hexagon/opcodes.c b/target/hexagon/opcodes.c
new file mode 100644
index 000..20400f5
--- /dev/null
+++ b/target/hexagon/opcodes.c
@@ -0,0 +1,142 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+/*
+ * opcodes.c
+ *
+ * data tables generated automatically
+ * Maybe some functions too
+ */
+
+#include "qemu/osdep.h"
+#include "opcodes.h"
+#include "decode.h"
+
+#define VEC_DESCR(A, B, C) DESCR(A, B, C)
+#define DONAME(X) #X
+
+const char * const opcode_names[] = {
+#define OPCODE(IID) DONAME(IID)
+#include "opcodes_def_generated.h"
+NULL
+#undef OPCODE
+};
+
+const char * const opcode_reginfo[] = {
+#define IMMINFO(TAG, SIGN, SIZE, SHAMT, SIGN2, SIZE2, SHAMT2)/* nothing */
+#define REGINFO(TAG, REGINFO, RREGS, WREGS) REGINFO,
+#include "op_regs_generated.h"
+NULL
+#undef REGINFO
+#undef IMMINFO
+};
+
+
+const char * const opcode_rregs[] = {
+#define IMMINFO(TAG, SIGN, SIZE, SHAMT, SIGN2, SIZE2, SHAMT2)/* nothing */
+#define REGINFO(TAG, REGINFO, RREGS, WREGS) RREGS,
+#include "op_regs_generated.h"
+NULL
+#undef REGINFO
+#undef IMMINFO
+};
+
+
+const char * const opcode_wregs[] = {
+#define IMMINFO(TAG, SIGN, SIZE, SHAMT, SIGN2, SIZE2, SHAMT2)/* nothing */
+#define REGINFO(TAG, REGINFO, RREGS, WREGS) WREGS,
+#include "op_regs_generated.h"
+NULL
+#undef REGINFO
+#undef IMMINFO
+};
+
+const char * const opcode_short_semantics[] = {
+#define DEF_SHORTCODE(TAG, SHORTCODE)  [TAG] = #SHORTCODE,
+#include "shortcode_generated.h"
+#undef DEF_SHORTCODE
+NULL
+};
+
+DECLARE_BITMAP(opcode_attribs[XX_LAST_OPCODE], A_ZZ_LASTATTRIB);
+
+static void init_attribs(int tag, ...)
+{
+va_list ap;
+int attr;
+va_start(ap, tag);
+while ((attr = va_arg(ap, int)) != 0) {
+set_bit(attr, opcode_attribs[tag]);
+}
+}
+
+const OpcodeEncoding opcode_encodings[] = {
+#define DEF_ENC32(OPCODE, ENCSTR) \
+[OPCODE] = { .encoding = ENCSTR },
+
+#define DEF_ENC_SUBINSN(OPCODE, CLASS, ENCSTR) \
+[OPCODE] = { .encoding = ENCSTR, .enc_class = CLASS },
+
+#define DEF_EXT_ENC(OPCODE, CLASS, 
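Review bot: `opcode_encodings[]` is defined with designated initializers and no explicit size, so its length is one past the highest opcode that has a DEF_ENC* entry, while opcodes.h declares it as `opcode_encodings[XX_LAST_OPCODE]`; if any opcode lacks an encoding entry, indexing the array by that opcode reads past the object. Define it as `const OpcodeEncoding opcode_encodings[XX_LAST_OPCODE] = {` so both sizes agree and missing entries are zero-filled. DEF_ENC32 also relies on `.enc_class` zero-initialising to NORMAL (the first enumerator in EncClass); a comment saying so would stop someone reordering the enum. `VEC_DESCR` is defined but unused anywhere in this hunk.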

[PATCH v6 10/35] Hexagon (target/hexagon) instruction and packet types

2021-01-07 Thread Taylor Simpson
The insn_t and packet_t are the interface between instruction decoding and
TCG code generation

Signed-off-by: Taylor Simpson 
---
 target/hexagon/insn.h | 74 +++
 1 file changed, 74 insertions(+)
 create mode 100644 target/hexagon/insn.h

diff --git a/target/hexagon/insn.h b/target/hexagon/insn.h
new file mode 100644
index 000..5f57ace
--- /dev/null
+++ b/target/hexagon/insn.h
@@ -0,0 +1,74 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#ifndef HEXAGON_INSN_H
+#define HEXAGON_INSN_H
+
+#include "cpu.h"
+
+#define INSTRUCTIONS_MAX 7/* 2 pairs + loopend */
+#define REG_OPERANDS_MAX 5
+#define IMMEDS_MAX 2
+
+struct Instruction;
+struct Packet;
+struct DisasContext;
+
+typedef void (*SemanticInsn)(CPUHexagonState *env,
+ struct DisasContext *ctx,
+ struct Instruction *insn,
+ struct Packet *pkt);
+
+struct Instruction {
+SemanticInsn generate;/* pointer to genptr routine */
+uint8_t regno[REG_OPERANDS_MAX];/* reg operands including predicates */
+uint16_t opcode;
+
+uint32_t iclass:6;
+uint32_t slot:3;
+uint32_t part1:1;/*
+  * cmp-jumps are split into two insns.
+  * set for the compare and clear for the jump
+  */
+uint32_t extension_valid:1;   /* Has a constant extender attached */
+uint32_t which_extended:1;/* If has an extender, which immediate */
+uint32_t is_endloop:1;   /* This is an end of loop */
+uint32_t new_value_producer_slot:4;
+int32_t immed[IMMEDS_MAX];/* immediate field */
+};
+
+typedef struct Instruction Insn;
+
+struct Packet {
+uint16_t num_insns;
+uint16_t encod_pkt_size_in_bytes;
+
+/* Pre-decodes about COF */
+uint32_t pkt_has_cof:1;  /* Has any change-of-flow */
+uint32_t pkt_has_endloop:1;
+
+uint32_t pkt_has_dczeroa:1;
+
+uint32_t pkt_has_store_s0:1;
+uint32_t pkt_has_store_s1:1;
+
+Insn insn[INSTRUCTIONS_MAX];
+};
+
+typedef struct Packet Packet;
+
+#endif
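Review bot: The comment on INSTRUCTIONS_MAX, "2 pairs + loopend", doesn't account for the value 7 (two pairs plus an endloop is 5); spell out how the maximum is reached so the bound on `insn[INSTRUCTIONS_MAX]` can be checked against what the decoder can emit. Also `opcode` is declared `uint16_t` here while the rest of the target uses the `Opcode` enum, and `which_extended:1` only works because IMMEDS_MAX is 2; a `QEMU_BUILD_BUG_ON(IMMEDS_MAX > 2)` or a comment next to the field would tie the two together.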
-- 
2.7.4



[PATCH v6 02/35] Hexagon (target/hexagon) README

2021-01-07 Thread Taylor Simpson
Gives an introduction and overview to the Hexagon target

Signed-off-by: Taylor Simpson 
---
 target/hexagon/README | 235 ++
 1 file changed, 235 insertions(+)
 create mode 100644 target/hexagon/README

diff --git a/target/hexagon/README b/target/hexagon/README
new file mode 100644
index 000..1d48eee
--- /dev/null
+++ b/target/hexagon/README
@@ -0,0 +1,235 @@
+Hexagon is Qualcomm's very long instruction word (VLIW) digital signal
+processor(DSP).
+
+The following versions of the Hexagon core are supported
+Scalar core: v67
+
https://developer.qualcomm.com/downloads/qualcomm-hexagon-v67-programmer-s-reference-manual
+
+We presented an overview of the project at the 2019 KVM Forum.
+
https://kvmforum2019.sched.com/event/Tmwc/qemu-hexagon-automatic-translation-of-the-isa-manual-pseudcode-to-tiny-code-instructions-of-a-vliw-architecture-niccolo-izzo-revng-taylor-simpson-qualcomm-innovation-center
+
+*** Tour of the code ***
+
+The qemu-hexagon implementation is a combination of qemu and the Hexagon
+architecture library (aka archlib).  The three primary directories with
+Hexagon-specific code are
+
+qemu/target/hexagon
+This has all the instruction and packet semantics
+qemu/target/hexagon/imported
+These files are imported with very little modification from archlib
+*.idef  Instruction semantics definition
+macros.def  Mapping of macros to instruction attributes
+encode*.def Encoding patterns for each instruction
+iclass.def  Instruction class definitions used to determine
+legal VLIW slots for each instruction
+qemu/linux-user/hexagon
+Helpers for loading the ELF file and making Linux system calls,
+signals, etc
+
+We start with scripts that generate a bunch of include files.  This
+is a two step process.  The first step is to use the C preprocessor to expand
+macros inside the architecture definition files.  This is done in
+target/hexagon/gen_semantics.c.  This step produces
+/target/hexagon/semantics_generated.pyinc.
+That file is consumed by the following python scripts to produce the indicated
+header files in /target/hexagon
+gen_opcodes_def.py  -> opcodes_def_generated.h
+gen_op_regs.py  -> op_regs_generated.h
+gen_printinsn.py-> printinsn_generated.h
+gen_op_attribs.py   -> op_attribs_generated.h
+gen_helper_protos.py-> helper_protos_generated.h
+gen_shortcode.py-> shortcode_generated.h
+gen_tcg_funcs.py-> tcg_funcs_generated.h
+gen_tcg_func_table.py   -> tcg_func_table_generated.h
+gen_helper_funcs.py -> helper_funcs_generated.h
+
+Qemu helper functions have 3 parts
+DEF_HELPER declaration indicates the signature of the helper
+gen_helper_ will generate a TCG call to the helper function
+The helper implementation
+
+Here's an example of the A2_add instruction.
+Instruction tagA2_add
+Assembly syntax"Rd32=add(Rs32,Rt32)"
+Instruction semantics  "{ RdV=RsV+RtV;}"
+
+By convention, the operands are identified by letter
+RdV is the destination register
+RsV, RtV are source registers
+
+The generator uses the operand naming conventions (see large comment in
+hex_common.py) to determine the signature of the helper function.  Here are the
+results for A2_add
+
+helper_protos_generated.h
+DEF_HELPER_3(A2_add, s32, env, s32, s32)
+
+tcg_funcs_generated.h
+static void generate_A2_add(
+CPUHexagonState *env,
+DisasContext *ctx,
+Insn *insn,
+Packet *pkt)
+{
+TCGv RdV = tcg_temp_local_new();
+const int RdN = insn->regno[0];
+TCGv RsV = hex_gpr[insn->regno[1]];
+TCGv RtV = hex_gpr[insn->regno[2]];
+gen_helper_A2_add(RdV, cpu_env, RsV, RtV);
+gen_log_reg_write(RdN, RdV);
+ctx_log_reg_write(ctx, RdN);
+tcg_temp_free(RdV);
+}
+
+helper_funcs_generated.h
+int32_t HELPER(A2_add)(CPUHexagonState *env, int32_t RsV, int32_t RtV)
+{
+uint32_t slot __attribute__((unused)) = 4;
+int32_t RdV = 0;
+{ RdV=RsV+RtV;}
+return RdV;
+}
+
+Note that generate_A2_add updates the disassembly context to be processed
+when the packet commits (see "Packet Semantics" below).
+
+The generator checks for fGEN_TCG_ macro.  This allows us to generate
+TCG code instead of a call to the helper.  If defined, the macro takes 1
+argument.
+C semantics (aka short code)
+
+This allows the code generator to override the auto-generated code.  In some
+cases this is necessary for correct execution.  We can also override for
+faster emulation.  For example, calling a helper for add is more 
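Review bot: The A2_add walkthrough shows only the helper-call form of generate_A2_add, and the following paragraph explains that fGEN_TCG_ overrides exist precisely because calling a helper for an add is slow; showing the fGEN_TCG_A2_add override next to the helper version would make both code paths concrete for a reader. In the helper_funcs_generated.h example the meaning of `slot = 4` in the generated helper also deserves a sentence, since the README never says what that value denotes.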

[PATCH v6 16/35] Hexagon (target/hexagon/conv_emu.[ch]) utility functions

2021-01-07 Thread Taylor Simpson
Signed-off-by: Taylor Simpson 
---
 target/hexagon/conv_emu.h |  31 
 target/hexagon/conv_emu.c | 177 ++
 2 files changed, 208 insertions(+)
 create mode 100644 target/hexagon/conv_emu.h
 create mode 100644 target/hexagon/conv_emu.c

diff --git a/target/hexagon/conv_emu.h b/target/hexagon/conv_emu.h
new file mode 100644
index 000..d05e7cc
--- /dev/null
+++ b/target/hexagon/conv_emu.h
@@ -0,0 +1,31 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#ifndef HEXAGON_CONV_EMU_H
+#define HEXAGON_CONV_EMU_H
+
+extern uint64_t conv_sf_to_8u(float32 in, float_status *fp_status);
+extern uint32_t conv_sf_to_4u(float32 in, float_status *fp_status);
+extern int64_t conv_sf_to_8s(float32 in, float_status *fp_status);
+extern int32_t conv_sf_to_4s(float32 in, float_status *fp_status);
+
+extern uint64_t conv_df_to_8u(float64 in, float_status *fp_status);
+extern uint32_t conv_df_to_4u(float64 in, float_status *fp_status);
+extern int64_t conv_df_to_8s(float64 in, float_status *fp_status);
+extern int32_t conv_df_to_4s(float64 in, float_status *fp_status);
+
+#endif
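Review bot: The prototypes use float32, float64 and float_status but the header includes nothing, so it compiles only if every includer has already pulled in fpu/softfloat.h; add `#include "fpu/softfloat.h"` so the header stands alone. The `extern` on the function prototypes is redundant.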
diff --git a/target/hexagon/conv_emu.c b/target/hexagon/conv_emu.c
new file mode 100644
index 000..b09ea63
--- /dev/null
+++ b/target/hexagon/conv_emu.c
@@ -0,0 +1,177 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/host-utils.h"
+#include "fpu/softfloat.h"
+#include "macros.h"
+#include "conv_emu.h"
+
+#define LL_MAX_POS 0x7fffULL
+#define MAX_POS 0x7fffU
+
+static uint64_t conv_f64_to_8u_n(float64 in, int will_negate,
+ float_status *fp_status)
+{
+uint8_t sign = float64_is_neg(in);
+if (float64_is_infinity(in)) {
+float_raise(float_flag_invalid, fp_status);
+if (float64_is_neg(in)) {
+return 0ULL;
+} else {
+return ~0ULL;
+}
+}
+if (float64_is_any_nan(in)) {
+float_raise(float_flag_invalid, fp_status);
+return ~0ULL;
+}
+if (float64_is_zero(in)) {
+return 0;
+}
+if (sign) {
+float_raise(float_flag_invalid, fp_status);
+return 0;
+}
+if (float64_lt(in, float64_half, fp_status)) {
+/* Near zero, captures large fracshifts, denorms, etc */
+float_raise(float_flag_inexact, fp_status);
+switch (get_float_rounding_mode(fp_status)) {
+case float_round_down:
+if (will_negate) {
+return 1;
+} else {
+return 0;
+}
+case float_round_up:
+if (!will_negate) {
+return 1;
+} else {
+return 0;
+}
+default:
+return 0;/* nearest or towards zero */
+}
+}
+return float64_to_uint64(in, fp_status);
+}
+
+static void clr_float_exception_flags(uint8_t flag, float_status *fp_status)
+{
+uint8_t flags = fp_status->float_exception_flags;
+flags &= ~flag;
+set_float_exception_flags(flags, fp_status);
+}
+
+static uint32_t conv_df_to_4u_n(float64 fp64, int will_negate,
+float_status *fp_status)
+{
+uint64_t tmp;
+tmp = conv_f64_to_8u_n(fp64, will_negate, fp_status);
+if (tmp > 0xULL) {
+clr_float_exception_flags(float_flag_inexact, fp_status);
+float_raise(float_flag_invalid, fp_status);
+return ~0U;
+}
+return (uint32_t)tmp;
+}
+
+uint64_t conv_df_to_8u(float64 in, float_status 
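Review bot: In conv_f64_to_8u_n() the sign is captured in `sign` at the top but the infinity branch calls float64_is_neg(in) again; use the variable. More importantly, the saturation results differ by branch (negative infinity and negative finite inputs return 0 with invalid raised, NaN returns ~0ULL with invalid raised) and nothing says these are the architecture's defined results; a comment citing the manual section would let a reviewer check them rather than trust them. LL_MAX_POS and MAX_POS are defined at the top but not used anywhere in this hunk.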

[PATCH v6 12/35] Hexagon (target/hexagon) instruction attributes

2021-01-07 Thread Taylor Simpson
Signed-off-by: Taylor Simpson 
---
 target/hexagon/attribs.h | 30 ++
 target/hexagon/attribs_def.h | 97 
 2 files changed, 127 insertions(+)
 create mode 100644 target/hexagon/attribs.h
 create mode 100644 target/hexagon/attribs_def.h

diff --git a/target/hexagon/attribs.h b/target/hexagon/attribs.h
new file mode 100644
index 000..e745135
--- /dev/null
+++ b/target/hexagon/attribs.h
@@ -0,0 +1,30 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#ifndef HEXAGON_ATTRIBS_H
+#define HEXAGON_ATTRIBS_H
+
+enum {
+#define DEF_ATTRIB(NAME, ...) A_##NAME,
+#include "attribs_def.h"
+#undef DEF_ATTRIB
+};
+
+#define GET_ATTRIB(opcode, attrib) \
+test_bit(attrib, opcode_attribs[opcode])
+
+#endif /* ATTRIBS_H */
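Review bot: GET_ATTRIB expands to test_bit() on opcode_attribs[], but this header includes neither qemu/bitmap.h nor opcodes.h, so it only works by include order; either add the includes or move the macro next to the opcode_attribs declaration in opcodes.h. The closing `#endif /* ATTRIBS_H */` comment doesn't match the guard name HEXAGON_ATTRIBS_H.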
diff --git a/target/hexagon/attribs_def.h b/target/hexagon/attribs_def.h
new file mode 100644
index 000..12ceaf1
--- /dev/null
+++ b/target/hexagon/attribs_def.h
@@ -0,0 +1,97 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+/* Keep this as the first attribute: */
+DEF_ATTRIB(AA_DUMMY, "Dummy Zeroth Attribute", "", "")
+
+/* Misc */
+DEF_ATTRIB(EXTENSION, "Extension instruction", "", "")
+
+DEF_ATTRIB(PRIV, "Not available in user or guest mode", "", "")
+DEF_ATTRIB(GUEST, "Not available in user mode", "", "")
+
+DEF_ATTRIB(FPOP, "Floating Point Operation", "", "")
+
+DEF_ATTRIB(EXTENDABLE, "Immediate may be extended", "", "")
+
+DEF_ATTRIB(ARCHV2, "V2 architecture", "", "")
+DEF_ATTRIB(ARCHV3, "V3 architecture", "", "")
+DEF_ATTRIB(ARCHV4, "V4 architecture", "", "")
+DEF_ATTRIB(ARCHV5, "V5 architecture", "", "")
+
+DEF_ATTRIB(SUBINSN, "sub-instruction", "", "")
+
+/* Load and Store attributes */
+DEF_ATTRIB(LOAD, "Loads from memory", "", "")
+DEF_ATTRIB(STORE, "Stores to memory", "", "")
+DEF_ATTRIB(MEMLIKE, "Memory-like instruction", "", "")
+DEF_ATTRIB(MEMLIKE_PACKET_RULES, "follows Memory-like packet rules", "", "")
+
+
+/* Change-of-flow attributes */
+DEF_ATTRIB(JUMP, "Jump-type instruction", "", "")
+DEF_ATTRIB(INDIRECT, "Absolute register jump", "", "")
+DEF_ATTRIB(CALL, "Function call instruction", "", "")
+DEF_ATTRIB(COF, "Change-of-flow instruction", "", "")
+DEF_ATTRIB(CONDEXEC, "May be cancelled by a predicate", "", "")
+DEF_ATTRIB(DOTNEWVALUE, "Uses a register value generated in this pkt", "", "")
+DEF_ATTRIB(NEWCMPJUMP, "Compound compare and jump", "", "")
+
+/* access to implicit registers */
+DEF_ATTRIB(IMPLICIT_WRITES_LR, "Writes the link register", "", "UREG.LR")
+DEF_ATTRIB(IMPLICIT_WRITES_PC, "Writes the program counter", "", "UREG.PC")
+DEF_ATTRIB(IMPLICIT_WRITES_SP, "Writes the stack pointer", "", "UREG.SP")
+DEF_ATTRIB(IMPLICIT_WRITES_FP, "Writes the frame pointer", "", "UREG.FP")
+DEF_ATTRIB(IMPLICIT_WRITES_GP, "Writes the GP register", "", "UREG.GP")
+DEF_ATTRIB(IMPLICIT_WRITES_LC0, "Writes loop count for loop 0", "", "UREG.LC0")
+DEF_ATTRIB(IMPLICIT_WRITES_LC1, "Writes loop count for loop 1", "", "UREG.LC1")
+DEF_ATTRIB(IMPLICIT_WRITES_SA0, "Writes start addr for loop 0", "", "UREG.SA0")
+DEF_ATTRIB(IMPLICIT_WRITES_SA1, "Writes start addr for loop 1", "", "UREG.SA1")
+DEF_ATTRIB(IMPLICIT_WRITES_P0, "Writes Predicate 0", "", "UREG.P0")
+DEF_ATTRIB(IMPLICIT_WRITES_P1, "Writes Predicate 1", "", "UREG.P1")
+DEF_ATTRIB(IMPLICIT_WRITES_P2, "Writes Predicate 1", "", "UREG.P2")
+DEF_ATTRIB(IMPLICIT_WRITES_P3, "May write Predicate 3", "", "UREG.P3")
+
+DEF_ATTRIB(CRSLOT23, "Can execute in slot 2 or slot 3 (CR)", "", "")
+DEF_ATTRIB(IT_NOP, "nop instruction", "", "")
+DEF_ATTRIB(IT_EXTENDER, "constant extender 
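Review bot: The description for IMPLICIT_WRITES_P2 reads "Writes Predicate 1"; it should say "Writes Predicate 2" (IMPLICIT_WRITES_P1 already carries the "Predicate 1" text). Since the fourth field ("UREG.P2") is correct, the copy-paste slip is only in the description string, but anything that prints or greps these descriptions will mislabel P2.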

[PATCH v6 14/35] Hexagon (target/hexagon) instruction printing

2021-01-07 Thread Taylor Simpson
Signed-off-by: Taylor Simpson 
---
 target/hexagon/printinsn.h |  28 
 target/hexagon/printinsn.c | 158 +
 2 files changed, 186 insertions(+)
 create mode 100644 target/hexagon/printinsn.h
 create mode 100644 target/hexagon/printinsn.c

diff --git a/target/hexagon/printinsn.h b/target/hexagon/printinsn.h
new file mode 100644
index 000..0e629b2
--- /dev/null
+++ b/target/hexagon/printinsn.h
@@ -0,0 +1,28 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#ifndef HEXAGON_PRINTINSN_H
+#define HEXAGON_PRINTINSN_H
+
+#include "qemu/osdep.h"
+#include "insn.h"
+
+extern void snprint_a_pkt_disas(char *buf, int n, Packet *pkt, uint32_t *words,
+target_ulong pc);
+extern void snprint_a_pkt_debug(char *buf, int n, Packet *pkt);
+
+#endif
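Review bot: Headers shouldn't include qemu/osdep.h; QEMU's rule is that every .c file includes it first and headers assume it. Drop the include here (printinsn.c already includes it) along with the redundant `extern` on the prototypes.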
diff --git a/target/hexagon/printinsn.c b/target/hexagon/printinsn.c
new file mode 100644
index 000..8315d56
--- /dev/null
+++ b/target/hexagon/printinsn.c
@@ -0,0 +1,158 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "opcodes.h"
+#include "printinsn.h"
+#include "insn.h"
+#include "reg_fields.h"
+#include "internal.h"
+
+static const char *sreg2str(unsigned int reg)
+{
+if (reg < TOTAL_PER_THREAD_REGS) {
+return hexagon_regnames[reg];
+} else {
+return "???";
+}
+}
+
+static const char *creg2str(unsigned int reg)
+{
+return sreg2str(reg + HEX_REG_SA0);
+}
+
+static void snprintinsn(char *buf, int n, Insn * insn)
+{
+switch (insn->opcode) {
+#define DEF_VECX_PRINTINFO(TAG, FMT, ...) DEF_PRINTINFO(TAG, FMT, __VA_ARGS__)
+#define DEF_PRINTINFO(TAG, FMT, ...) \
+case TAG: \
+snprintf(buf, n, FMT, __VA_ARGS__);\
+break;
+#include "printinsn_generated.h"
+#undef DEF_VECX_PRINTINFO
+#undef DEF_PRINTINFO
+}
+}
+
+void snprint_a_pkt_disas(char *buf, int n, Packet *pkt, uint32_t *words,
+ target_ulong pc)
+{
+char tmpbuf[128];
+buf[0] = '\0';
+bool has_endloop0 = false;
+bool has_endloop1 = false;
+bool has_endloop01 = false;
+
+for (int i = 0; i < pkt->num_insns; i++) {
+if (pkt->insn[i].part1) {
+continue;
+}
+
+/* We'll print the endloop's at the end of the packet */
+if (pkt->insn[i].opcode == J2_endloop0) {
+has_endloop0 = true;
+continue;
+}
+if (pkt->insn[i].opcode == J2_endloop1) {
+has_endloop1 = true;
+continue;
+}
+if (pkt->insn[i].opcode == J2_endloop01) {
+has_endloop01 = true;
+continue;
+}
+
+snprintf(tmpbuf, 127, "0x" TARGET_FMT_lx "\t", words[i]);
+strncat(buf, tmpbuf, n);
+
+if (i == 0) {
+strncat(buf, "{", n);
+}
+
+snprintinsn(tmpbuf, 127, &(pkt->insn[i]));
+strncat(buf, "\t", n);
+strncat(buf, tmpbuf, n);
+
+if (i < pkt->num_insns - 1) {
+/*
+ * Subinstructions are two instructions encoded
+ * in the same word. Print them on the same line.
+ */
+if (GET_ATTRIB(pkt->insn[i].opcode, A_SUBINSN)) {
+strncat(buf, "; ", n);
+snprintinsn(tmpbuf, 127, &(pkt->insn[i + 1]));
+strncat(buf, tmpbuf, n);
+i++;
+} else if (pkt->insn[i + 1].opcode != J2_endloop0 &&
+   pkt->insn[i + 1].opcode != J2_endloop1 &&
+   pkt->insn[i + 1].opcode != 
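Review bot: The `strncat(buf, ..., n)` calls in snprint_a_pkt_disas() are unsafe: strncat's third argument is the maximum number of characters to append, not the size of the destination, so each call may append up to n bytes to a buffer that already holds text, and the sequence of appends can write past the end of buf. The content is derived from guest instruction words via the disassembler, so a crafted packet could overflow a caller's fixed-size buffer. Track the remaining space (`n - strlen(buf) - 1`) or use pstrcat()/g_strlcat(), which take the destination size. Separately, `snprintf(tmpbuf, 127, "0x" TARGET_FMT_lx "\t", words[i])` formats a uint32_t with the target_ulong conversion; `"0x%08" PRIx32` matches the type, and passing `sizeof(tmpbuf)` instead of the literal 127 avoids the two drifting apart.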

[PATCH v6 01/35] Hexagon Update MAINTAINERS file

2021-01-07 Thread Taylor Simpson
Add Taylor Simpson as the Hexagon target maintainer

Signed-off-by: Taylor Simpson 
Reviewed-by: Richard Henderson 
---
 MAINTAINERS | 8 
 1 file changed, 8 insertions(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index 42fedf9..a884ad8 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -185,6 +185,14 @@ F: include/hw/cris/
 F: tests/tcg/cris/
 F: disas/cris.c
 
+Hexagon TCG CPUs
+M: Taylor Simpson 
+S: Supported
+F: target/hexagon/
+F: linux-user/hexagon/
+F: disas/hexagon.c
+F: default-configs/hexagon-linux-user.mak
+
 HPPA (PA-RISC) TCG CPUs
 M: Richard Henderson 
 S: Maintained
-- 
2.7.4



[PATCH v6 09/35] Hexagon (target/hexagon) architecture types

2021-01-07 Thread Taylor Simpson
Define types used in files imported from the Hexagon architecture library

Signed-off-by: Taylor Simpson 
---
 target/hexagon/hex_arch_types.h | 38 ++
 1 file changed, 38 insertions(+)
 create mode 100644 target/hexagon/hex_arch_types.h

diff --git a/target/hexagon/hex_arch_types.h b/target/hexagon/hex_arch_types.h
new file mode 100644
index 000..57dc846
--- /dev/null
+++ b/target/hexagon/hex_arch_types.h
@@ -0,0 +1,38 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#ifndef HEXAGON_ARCH_TYPES_H
+#define HEXAGON_ARCH_TYPES_H
+
+#include "qemu/osdep.h"
+#include "qemu/int128.h"
+
+/*
+ * These types are used by the code imported from the Hexagon
+ * architecture library.
+ */
+typedef uint8_t size1u_t;
+typedef int8_t  size1s_t;
+typedef uint16_tsize2u_t;
+typedef int16_t size2s_t;
+typedef uint32_tsize4u_t;
+typedef int32_t size4s_t;
+typedef uint64_tsize8u_t;
+typedef int64_t size8s_t;
+typedef Int128  size16s_t;
+
+#endif
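Review bot: `#include "qemu/osdep.h"` in hex_arch_types.h goes against the QEMU rule that header files never include osdep.h (each .c file includes it first, so headers can rely on it already being present); drop it and keep only "qemu/int128.h", which is all that the Int128 typedef needs.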
-- 
2.7.4



[PATCH v6 08/35] Hexagon (target/hexagon) GDB Stub

2021-01-07 Thread Taylor Simpson
GDB register read and write routines

Signed-off-by: Taylor Simpson 
Reviewed-by: Richard Henderson 
---
 target/hexagon/internal.h |  3 +++
 target/hexagon/cpu.c  |  2 ++
 target/hexagon/gdbstub.c  | 47 +++
 3 files changed, 52 insertions(+)
 create mode 100644 target/hexagon/gdbstub.c

diff --git a/target/hexagon/internal.h b/target/hexagon/internal.h
index 327bad9..961318a 100644
--- a/target/hexagon/internal.h
+++ b/target/hexagon/internal.h
@@ -29,6 +29,9 @@
 } \
 } while (0)
 
+extern int hexagon_gdb_read_register(CPUState *cpu, GByteArray *buf, int reg);
+extern int hexagon_gdb_write_register(CPUState *cpu, uint8_t *buf, int reg);
+
 extern void hexagon_debug(CPUHexagonState *env);
 
 extern const char * const hexagon_regnames[TOTAL_PER_THREAD_REGS];
diff --git a/target/hexagon/cpu.c b/target/hexagon/cpu.c
index 5e0da3f..32aa982 100644
--- a/target/hexagon/cpu.c
+++ b/target/hexagon/cpu.c
@@ -280,6 +280,8 @@ static void hexagon_cpu_class_init(ObjectClass *c, void 
*data)
 cc->dump_state = hexagon_dump_state;
 cc->set_pc = hexagon_cpu_set_pc;
 cc->synchronize_from_tb = hexagon_cpu_synchronize_from_tb;
+cc->gdb_read_register = hexagon_gdb_read_register;
+cc->gdb_write_register = hexagon_gdb_write_register;
 cc->gdb_num_core_regs = TOTAL_PER_THREAD_REGS;
 cc->gdb_stop_before_watchpoint = true;
 cc->disas_set_info = hexagon_cpu_disas_set_info;
diff --git a/target/hexagon/gdbstub.c b/target/hexagon/gdbstub.c
new file mode 100644
index 000..e8c10b2
--- /dev/null
+++ b/target/hexagon/gdbstub.c
@@ -0,0 +1,47 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "qemu-common.h"
+#include "exec/gdbstub.h"
+#include "cpu.h"
+#include "internal.h"
+
+int hexagon_gdb_read_register(CPUState *cs, GByteArray *mem_buf, int n)
+{
+HexagonCPU *cpu = HEXAGON_CPU(cs);
+CPUHexagonState *env = >env;
+
+if (n < TOTAL_PER_THREAD_REGS) {
+return gdb_get_regl(mem_buf, env->gpr[n]);
+}
+
+g_assert_not_reached();
+}
+
+int hexagon_gdb_write_register(CPUState *cs, uint8_t *mem_buf, int n)
+{
+HexagonCPU *cpu = HEXAGON_CPU(cs);
+CPUHexagonState *env = >env;
+
+if (n < TOTAL_PER_THREAD_REGS) {
+env->gpr[n] = ldtul_p(mem_buf);
+return sizeof(target_ulong);
+}
+
+g_assert_not_reached();
+}
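Review bot: the out-of-range branch in hexagon_gdb_read_register and hexagon_gdb_write_register ends in g_assert_not_reached(), which aborts the whole emulator; with cc->gdb_num_core_regs set to TOTAL_PER_THREAD_REGS in the cpu.c hunk the core gdbstub never passes a larger n, so this is unreachable from a debugger, but returning 0 (as most other targets do) would turn a future mismatch into a GDB-side error rather than a crash. Also, the `CPUHexagonState *env = >env;` lines are mangled in the archived posting, presumably `&cpu->env` in the tree.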
-- 
2.7.4



[PATCH v6 17/35] Hexagon (target/hexagon/fma_emu.[ch]) utility functions

2021-01-07 Thread Taylor Simpson
Signed-off-by: Taylor Simpson 
---
 target/hexagon/fma_emu.h |  37 +++
 target/hexagon/fma_emu.c | 701 +++
 2 files changed, 738 insertions(+)
 create mode 100644 target/hexagon/fma_emu.h
 create mode 100644 target/hexagon/fma_emu.c

diff --git a/target/hexagon/fma_emu.h b/target/hexagon/fma_emu.h
new file mode 100644
index 000..9774975
--- /dev/null
+++ b/target/hexagon/fma_emu.h
@@ -0,0 +1,37 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#ifndef HEXAGON_FMA_EMU_H
+#define HEXAGON_FMA_EMU_H
+
+static inline bool is_finite(float64 x)
+{
+return !float64_is_any_nan(x) && !float64_is_infinity(x);
+}
+
+extern int32_t float64_getexp(float64 f64);
+extern int32_t float32_getexp(float32 f32);
+extern float32 infinite_float32(uint8_t sign);
+extern float32 internal_fmafx(float32 a, float32 b, float32 c,
+  int scale, float_status *fp_status);
+extern float32 internal_mpyf(float32 a, float32 b,
+ float_status *fp_status);
+extern float64 internal_mpyhh(float64 a, float64 b,
+  unsigned long long int accumulated,
+  float_status *fp_status);
+
+#endif
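Review bot: fma_emu.h uses float32, float64, float_status and bool but includes nothing, so whether it compiles depends on the includer having pulled in "fpu/softfloat.h" first; QEMU headers are expected to be self-contained (apart from osdep.h), so add `#include "fpu/softfloat.h"` before the is_finite() definition.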
diff --git a/target/hexagon/fma_emu.c b/target/hexagon/fma_emu.c
new file mode 100644
index 000..ef78364
--- /dev/null
+++ b/target/hexagon/fma_emu.c
@@ -0,0 +1,701 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/int128.h"
+#include "fpu/softfloat.h"
+#include "macros.h"
+#include "conv_emu.h"
+#include "fma_emu.h"
+
+#define DF_INF_EXP 0x7ff
+#define DF_BIAS1023
+#define DF_MANTBITS52
+#define DF_NAN 0xULL
+#define DF_INF 0x7ff0ULL
+#define DF_MINUS_INF   0xfff0ULL
+#define DF_MAXF0x7fefULL
+#define DF_MINUS_MAXF  0xffefULL
+
+#define SF_INF_EXP 0xff
+#define SF_BIAS127
+#define SF_MANTBITS23
+#define SF_INF 0x7f80
+#define SF_MINUS_INF   0xff80
+#define SF_MAXF0x7f7f
+#define SF_MINUS_MAXF  0xff7f
+
+#define HF_INF_EXP 0x1f
+#define HF_BIAS 15
+
+#define WAY_BIG_EXP 4096
+
+typedef union {
+double f;
+uint64_t i;
+struct {
+uint64_t mant:52;
+uint64_t exp:11;
+uint64_t sign:1;
+};
+} Double;
+
+typedef union {
+float f;
+uint32_t i;
+struct {
+uint32_t mant:23;
+uint32_t exp:8;
+uint32_t sign:1;
+};
+} Float;
+
+static inline uint64_t float64_getmant(float64 f64)
+{
+Double a = { .i = f64 };
+if (float64_is_normal(f64)) {
+return a.mant | 1ULL << 52;
+}
+if (float64_is_zero(f64)) {
+return 0;
+}
+if (float64_is_denormal(f64)) {
+return a.mant;
+}
+return ~0ULL;
+}
+
+int32_t float64_getexp(float64 f64)
+{
+Double a = { .i = f64 };
+if (float64_is_normal(f64)) {
+return a.exp;
+}
+if (float64_is_denormal(f64)) {
+return a.exp + 1;
+}
+return -1;
+}
+
+static inline uint64_t float32_getmant(float32 f32)
+{
+Float a = { .i = f32 };
+if (float32_is_normal(f32)) {
+return a.mant | 1ULL << 23;
+}
+if (float32_is_zero(f32)) {
+return 0;
+}
+if (float32_is_denormal(f32)) {
+return a.mant;
+}
+return ~0ULL;
+}
+
+int32_t float32_getexp(float32 f32)
+{
+Float a = { .i = f32 };
+if (float32_is_normal(f32)) {
+return a.exp;
+}
+if 
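Review bot: the Double and Float unions read the IEEE fields through bit-fields, but bit-field allocation order is implementation-defined and the mant/exp/sign layout only matches the encoding on little-endian hosts that allocate from the low bit; float64_getmant/float64_getexp/float32_getmant/float32_getexp can use shifts and masks on the raw `.i` value (or QEMU's extract64(), e.g. `extract64(f64, 52, 11)` for the double exponent) and drop the type pun entirely. Note also that the DF_NAN/DF_INF/DF_MAXF constants and the DF_BIAS/DF_MANTBITS spacing appear collapsed in the archived copy, so the values should be checked against the tree rather than this posting.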

[Bug 1639791] Re: early virtio console output is lost

2021-01-07 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1639791

Title:
  early virtio console output is lost

Status in QEMU:
  Expired

Bug description:
  This is broken in git and reportedly in 2.5 through 2.7.

  Running a Linux kernel which includes a testsuite in initrd sometimes
  produces no output.

  Reportedly the console is sometimes not open when the early userspace
  tries to log output resulting in either the testsuite terminating
  early or not writing the output.

  Workaround patch is here:

  https://git.zx2c4.com/WireGuard/commit/?id=d2de8b0862a7fbb51a7f2f958d58f0efe4648259

  Reportedly you would get -EBADF there when no output is generated.

  Also this reportedly happens with virtio console only, not virtio
  serial port.

  It seems that the author of said testsuite did not report the problem
  so I write it down so it does not get lost.

  test (in bash):

  n=0 ; while [ $n -lt 100 ] && grep -m 1 -F "WireGuard Test Suite on Linux 4.8.6" \
    <( /opt/qemu/bin/qemu-system-x86_64 -nodefaults -nographic \
       -machine q35,accel=kvm -cpu host -smp 2 -m 64M \
       -object rng-random,id=rng0,filename=/dev/urandom \
       -device virtio-rng-pci,rng=rng0 \
       -device virtio-serial,max_ports=2 \
       -chardev stdio,id=stdio -device virtconsole,chardev=stdio \
       -chardev file,id=status,path=result.txt \
       -device virtserialport,chardev=status \
       -monitor none \
       -kernel wireguard-testing-harness-bzImage-e87cb2a7-145c-4985-907f-17e81fae329b \
       -append "console=hvc0 initcall_debug=1 loglevel=7" ) ; \
  do echo $n ; n=$(expr $n + 1) ; pkill -f wireguard ; done

  This typically does 10-20 iterations but sometimes tens of iterations
  run without issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1639791/+subscriptions



[PATCH v6 03/35] Hexagon (include/elf.h) ELF machine definition

2021-01-07 Thread Taylor Simpson
Define EM_HEXAGON 164

Signed-off-by: Taylor Simpson 
Reviewed-by: Philippe Mathieu-Daudé 
Tested-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
---
 include/elf.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/elf.h b/include/elf.h
index 7a418ee..f4fa3c1 100644
--- a/include/elf.h
+++ b/include/elf.h
@@ -176,6 +176,7 @@ typedef struct mips_elf_abiflags_v0 {
 
 #define EM_UNICORE32110 /* UniCore32 */
 
+#define EM_HEXAGON  164 /* Qualcomm Hexagon */
 #define EM_RX   173 /* Renesas RX family */
 
 #define EM_RISCV243 /* RISC-V */
-- 
2.7.4



[PATCH v6 26/35] Hexagon (target/hexagon) TCG generation

2021-01-07 Thread Taylor Simpson
Include the generated files and set up the data structures

Signed-off-by: Taylor Simpson 
---
 target/hexagon/genptr.h |  25 ++
 target/hexagon/genptr.c | 234 
 2 files changed, 259 insertions(+)
 create mode 100644 target/hexagon/genptr.h
 create mode 100644 target/hexagon/genptr.c

diff --git a/target/hexagon/genptr.h b/target/hexagon/genptr.h
new file mode 100644
index 000..4e8f903
--- /dev/null
+++ b/target/hexagon/genptr.h
@@ -0,0 +1,25 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#ifndef HEXAGON_GENPTR_H
+#define HEXAGON_GENPTR_H
+
+#include "insn.h"
+
+extern const SemanticInsn opcode_genptr[];
+
+#endif
diff --git a/target/hexagon/genptr.c b/target/hexagon/genptr.c
new file mode 100644
index 000..ba233a4
--- /dev/null
+++ b/target/hexagon/genptr.c
@@ -0,0 +1,234 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#define QEMU_GENERATE
+#include "qemu/osdep.h"
+#include "qemu/log.h"
+#include "cpu.h"
+#include "internal.h"
+#include "tcg/tcg-op.h"
+#include "insn.h"
+#include "opcodes.h"
+#include "translate.h"
+#include "macros.h"
+#include "gen_tcg.h"
+
+static inline TCGv gen_read_reg(TCGv result, int num)
+{
+tcg_gen_mov_tl(result, hex_gpr[num]);
+return result;
+}
+
+static inline TCGv gen_read_preg(TCGv pred, uint8_t num)
+{
+tcg_gen_mov_tl(pred, hex_pred[num]);
+return pred;
+}
+
+static inline void gen_log_predicated_reg_write(int rnum, TCGv val, int slot)
+{
+TCGv one = tcg_const_tl(1);
+TCGv zero = tcg_const_tl(0);
+TCGv slot_mask = tcg_temp_new();
+
+tcg_gen_andi_tl(slot_mask, hex_slot_cancelled, 1 << slot);
+tcg_gen_movcond_tl(TCG_COND_EQ, hex_new_value[rnum], slot_mask, zero,
+   val, hex_new_value[rnum]);
+#if HEX_DEBUG
+/* Do this so HELPER(debug_commit_end) will know */
+tcg_gen_movcond_tl(TCG_COND_EQ, hex_reg_written[rnum], slot_mask, zero,
+   one, hex_reg_written[rnum]);
+#endif
+
+tcg_temp_free(one);
+tcg_temp_free(zero);
+tcg_temp_free(slot_mask);
+}
+
+static inline void gen_log_reg_write(int rnum, TCGv val)
+{
+tcg_gen_mov_tl(hex_new_value[rnum], val);
+#if HEX_DEBUG
+/* Do this so HELPER(debug_commit_end) will know */
+tcg_gen_movi_tl(hex_reg_written[rnum], 1);
+#endif
+}
+
+static void gen_log_predicated_reg_write_pair(int rnum, TCGv_i64 val, int slot)
+{
+TCGv val32 = tcg_temp_new();
+TCGv one = tcg_const_tl(1);
+TCGv zero = tcg_const_tl(0);
+TCGv slot_mask = tcg_temp_new();
+
+tcg_gen_andi_tl(slot_mask, hex_slot_cancelled, 1 << slot);
+/* Low word */
+tcg_gen_extrl_i64_i32(val32, val);
+tcg_gen_movcond_tl(TCG_COND_EQ, hex_new_value[rnum], slot_mask, zero,
+   val32, hex_new_value[rnum]);
+#if HEX_DEBUG
+/* Do this so HELPER(debug_commit_end) will know */
+tcg_gen_movcond_tl(TCG_COND_EQ, hex_reg_written[rnum],
+   slot_mask, zero,
+   one, hex_reg_written[rnum]);
+#endif
+
+/* High word */
+tcg_gen_extrh_i64_i32(val32, val);
+tcg_gen_movcond_tl(TCG_COND_EQ, hex_new_value[rnum + 1],
+   slot_mask, zero,
+   val32, hex_new_value[rnum + 1]);
+#if HEX_DEBUG
+/* Do this so HELPER(debug_commit_end) will know */
+tcg_gen_movcond_tl(TCG_COND_EQ, hex_reg_written[rnum + 1],
+   slot_mask, zero,
+   one, hex_reg_written[rnum + 1]);
+#endif
+
+tcg_temp_free(val32);
+tcg_temp_free(one);
+

[PATCH v6 04/35] Hexagon (target/hexagon) scalar core definition

2021-01-07 Thread Taylor Simpson
Add target state header, target definitions and initialization routines

Signed-off-by: Taylor Simpson 
---
 target/hexagon/cpu-param.h |  29 +
 target/hexagon/cpu.h   | 159 +++
 target/hexagon/cpu_bits.h  |  59 +
 target/hexagon/internal.h  |  36 ++
 target/hexagon/cpu.c   | 312 +
 5 files changed, 595 insertions(+)
 create mode 100644 target/hexagon/cpu-param.h
 create mode 100644 target/hexagon/cpu.h
 create mode 100644 target/hexagon/cpu_bits.h
 create mode 100644 target/hexagon/internal.h
 create mode 100644 target/hexagon/cpu.c

diff --git a/target/hexagon/cpu-param.h b/target/hexagon/cpu-param.h
new file mode 100644
index 000..8796b69
--- /dev/null
+++ b/target/hexagon/cpu-param.h
@@ -0,0 +1,29 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#ifndef HEXAGON_CPU_PARAM_H
+#define HEXAGON_CPU_PARAM_H
+
+#define TARGET_PAGE_BITS 16 /* 64K pages */
+#define TARGET_LONG_BITS 32
+
+#define TARGET_PHYS_ADDR_SPACE_BITS 36
+#define TARGET_VIRT_ADDR_SPACE_BITS 32
+
+#define NB_MMU_MODES 1
+
+#endif
diff --git a/target/hexagon/cpu.h b/target/hexagon/cpu.h
new file mode 100644
index 000..1b78d89
--- /dev/null
+++ b/target/hexagon/cpu.h
@@ -0,0 +1,159 @@
+/*
+ *  Copyright(c) 2019-2020 Qualcomm Innovation Center, Inc. All Rights 
Reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#ifndef HEXAGON_CPU_H
+#define HEXAGON_CPU_H
+
+/* Forward declaration needed by some of the header files */
+typedef struct CPUHexagonState CPUHexagonState;
+
+#include "fpu/softfloat-types.h"
+
+#include "qemu-common.h"
+#include "exec/cpu-defs.h"
+#include "hex_regs.h"
+
+#define NUM_PREGS 4
+#define TOTAL_PER_THREAD_REGS 64
+
+#define SLOTS_MAX 4
+#define STORES_MAX 2
+#define REG_WRITES_MAX 32
+#define PRED_WRITES_MAX 5   /* 4 insns + endloop */
+
+#define TYPE_HEXAGON_CPU "hexagon-cpu"
+
+#define HEXAGON_CPU_TYPE_SUFFIX "-" TYPE_HEXAGON_CPU
+#define HEXAGON_CPU_TYPE_NAME(name) (name HEXAGON_CPU_TYPE_SUFFIX)
+#define CPU_RESOLVING_TYPE TYPE_HEXAGON_CPU
+
+#define TYPE_HEXAGON_CPU_V67 HEXAGON_CPU_TYPE_NAME("v67")
+
+#define MMU_USER_IDX 0
+
+typedef struct {
+target_ulong va;
+uint8_t width;
+uint32_t data32;
+uint64_t data64;
+} MemLog;
+
+#define EXEC_STATUS_OK  0x
+#define EXEC_STATUS_STOP0x0002
+#define EXEC_STATUS_REPLAY  0x0010
+#define EXEC_STATUS_LOCKED  0x0020
+#define EXEC_STATUS_EXCEPTION   0x0100
+
+
+#define EXCEPTION_DETECTED  (env->status & EXEC_STATUS_EXCEPTION)
+#define REPLAY_DETECTED (env->status & EXEC_STATUS_REPLAY)
+#define CLEAR_EXCEPTION (env->status &= (~EXEC_STATUS_EXCEPTION))
+#define SET_EXCEPTION   (env->status |= EXEC_STATUS_EXCEPTION)
+
+struct CPUHexagonState {
+target_ulong gpr[TOTAL_PER_THREAD_REGS];
+target_ulong pred[NUM_PREGS];
+target_ulong branch_taken;
+target_ulong next_PC;
+
+/* For comparing with LLDB on target - see adjust_stack_ptrs function */
+target_ulong last_pc_dumped;
+target_ulong stack_start;
+
+uint8_t slot_cancelled;
+target_ulong new_value[TOTAL_PER_THREAD_REGS];
+
+/*
+ * Only used when HEX_DEBUG is on, but unconditionally included
+ * to reduce recompile time when turning HEX_DEBUG on/off.
+ */
+target_ulong this_PC;
+target_ulong reg_written[TOTAL_PER_THREAD_REGS];
+
+target_ulong new_pred_value[NUM_PREGS];
+target_ulong pred_written;
+
+MemLog mem_log_stores[STORES_MAX];
+target_ulong pkt_has_store_s1;
+target_ulong dczero_addr;
+
+float_status fp_status;
+
+target_ulong 
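Review bot: EXCEPTION_DETECTED, REPLAY_DETECTED, CLEAR_EXCEPTION and SET_EXCEPTION expand to expressions over a bare `env`, so every use site silently depends on a local of that exact name and the statement-like CLEAR_EXCEPTION/SET_EXCEPTION read as constants at the call site; making them take env as a parameter (or turning them into static inline functions on CPUHexagonState *) makes the dependency explicit. Separately, `#define EXEC_STATUS_OK 0x` appears truncated in the archived posting and should be checked against the tree.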

[Bug 1649236] Re: Commit snapshot fails with Permission denied when daemonized

2021-01-07 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
https://bugs.launchpad.net/bugs/1649236

Title:
  Commit snapshot fails with Permission denied when daemonized

Status in QEMU:
  Expired

Bug description:
  When running qemu with daemonize option it is impossible to run
  "commit all" in monitor.

  I run qemu 2.7.0 under a Gentoo 64-bit distribution with the following
  command line:

  qemu-system-x86_64 -m 4096 -cpu host -smp 2 -enable-kvm -snapshot \
  -drive file=vm.img,if=virtio \
  -net nic,model=virtio,macaddr=11:11:11:11:11:11 \
  -net tap,ifname=tap$PORT,script=no,downscript=no \
  -vnc :1 -daemonize \
  -chardev vc,id=mon0 -mon chardev=mon0,mode=readline \
  -chardev socket,id=mon1,host=localhost,port=10001,server,nowait -mon chardev=mon1,mode=control

  I connect to the VM through a VNC viewer, press CTRL+ALT+2 and run the "commit all" command.
  The following error is shown:
  `commit` error for `all`: Permission denied

  When I run my VM without `daemonize` option the command "commit all"
  works without errors.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1649236/+subscriptions



[PATCH v6 00/35] Hexagon patch series

2021-01-07 Thread Taylor Simpson
This series adds support for the Hexagon processor with Linux user support

See patch 02/33 Hexagon README for detailed information.

This series assumes int128_or() is implemented.
https://lists.nongnu.org/archive/html/qemu-devel/2020-10/msg06004.html

The series is also available at https://github.com/quic/qemu on branch
small_series_v6.


Once the series is applied, the Hexagon port will pass "make check-tcg".
The series also includes Hexagon-specific tests in tcg/tests/hexagon.

The final 3 patches in the series add docker support.  Thanks to Alessandro
Di Federico  and Brian Cain  for making this
happen.  The container files will build a Hexagon toolchain from source.
Alternatively, this command will get a pre-built container
docker pull revng/qemu:debian-hexagon-cross
Ultimately, we'll have a method to create a container without building the toolchain.

Once the container is set up, here are the commands to verify the code:
mkdir build
cd build
../configure --target-list=hexagon-linux-user
make
make check-tcg DOCKER_IMAGE=debian-hexagon-cross \
DOCKER_CROSS_CC_GUEST=hexagon-unknown-linux-musl-clang


*** Known checkpatch issues ***

The following are known checkpatch errors in the series
target/hexagon/reg_fields.h          Complex macro
target/hexagon/attribs.h             Complex macro
target/hexagon/decode.c              Complex macro
target/hexagon/q6v_decode.c          Macro needs do - while
target/hexagon/printinsn.c           Macro needs do - while
target/hexagon/gen_semantics.c       Suspicious ; after while (0)
target/hexagon/gen_dectree_import.c  Complex macro
target/hexagon/gen_dectree_import.c  Suspicious ; after while (0)
target/hexagon/opcodes.c             Complex macro
target/hexagon/iclass.h              Complex macro
configure.sh                         Line over 90 characters
tests/tcg/configure.sh               Line over 90 characters
scripts/qemu-binfmt-conf.sh          Line over 90 characters

The following are known checkpatch warnings in the series
target/hexagon/fma_emu.c             Comments inside macro definition
target/hexagon/gen_tcg_funcs.py      Line over 80 characters
scripts/qemu-binfmt-conf.sh          Line over 80 characters

*** Changes in v6 ***
Correct QEMU_GENERATE implementations for fLSBNEW0/fLSBNEW1
Change Python file handling to use with statement
Change import hex_common to be explicit
Generator cleanup
Change N?N (new value) to value instead of register number for consistency
Fixed bug in reading control register pair
Add ctx_log_reg_write_pair
Clean up control reg offset from HEX_REG_SA0
Fix errors in FP instructions uncovered by musl libc-tests
Added unit tests

*** Changes in v5 ***
Bug fixes
Properly implement circular addressing
memw(r1++I:circ(m0)) = r2
Make gen_cmpnd_cmp_jmp execute in 2 parts

Address remaining blocker items from Richard Henderson's review.
Use qemu softfloat
Use const where appropriate
Break tcg_funcs_generated.h into two files - functions and table
Change struct and enum type names to CamelCase
Include packet in raw bytes in assembly
Use DEF_HELPER_FLAGS where possible
Fix merge_bytes endianness and overlap test by doing the store before load
Use bitmask instead of string in decoding
Add comments to decoder
Use qemu/int128.h
Use qemu/bitops.h for instruction attributes
Add bitmask for ctx->reg_log
Note we still have the array/idx for iteration during gen_commit_packet
Change opcode_syntax to be created at compile time in gen_dectree_import.c
Remove unused tmp variables
Isolate hex_arch_types to imported files
Fix git am whitespace warnings

Address items from Philippe Mathieu-Daudé's review
Split utility functions patch into 3 digestible patches
Fixed typo "definition"
Change all exit codes to be either 0 or 1
Validated build with gcc 4.8, 5.5, and *
Removed qemu/osdep.h and qemu/host-utils.h from macros.h

Address items from Laurent Vivier's review
Don't filter out __NR_syscalls
Remove syscall_nr_generators from linux-user/hexagon/meson.build
Remove subdir('hexagon') from linux-user/meson.build
Generate syscall_nr.h from 5.5 Linux kernel


*** Changes in v4 ***
Convert target/hexagon/Makefile.objs to meson.build

Address portions of feedback from Richard Henderson.  Here is the table
of items from Richard's review.
Patch     Item                                               Blocker   Status
          Use qemu softfloat                                 Yes
          Use qemu decodetree.py                             No
Several   Use const when appropriate                         Yes
Several   Remove anything after g_assert_not_reached         Yes       DONE
Several   Fix log_store32/64 add/remove/add in patch series  Yes       DONE
Several   Follow naming guidelines for structs and enums     Yes
4         Move 

[Bug 1639983] Re: e1000 EEPROM have bad checksum

2021-01-07 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
https://bugs.launchpad.net/bugs/1639983

Title:
  e1000 EEPROM have bad checksum

Status in QEMU:
  Expired

Bug description:
  I am using qemu-system-i386 to emulate FreeDOS with e1000 nic card.

  I am using Intel PRODOS v.19.0 (latest version with E1000ODI.COM file).
  E1000ODI.COM v.5.07 (140116)

  http://pclosmag.com/html/issues/201208/page11.html
  Suggest that v.4.75 (120212) was/is working.
  The oldest PRODOS version available now seems to be 18.5 (June 2013), which I have not tested yet.

  When running it, it detects: Slot 18, IRQ 11, Port C000.

  But complains:
  EEPROM checksum was incorrect.

  Contact your services network supplier for a replacement.

  paul@paul89473:~$ qemu-system-i386 --version
  QEMU emulator version 2.6.1 (Debian 1:2.6.1+dfsg-0ubuntu5), Copyright (c) 2003-2008 Fabrice Bellard
  paul@paul89473:~$

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1639983/+subscriptions
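What "EEPROM checksum was incorrect" means in practice, as an added example that is not QEMU code or anything from the report: the 8254x-family EEPROM convention assumed here is that the 64 16-bit words 0x00..0x3F sum, modulo 0x10000, to 0xBABA, with word 0x3F reserved as the checksum word; the image contents below are constructed.

```c
/*
 * Added example, not QEMU code: check and repair the e1000 (8254x-family)
 * EEPROM checksum that the DOS driver in the report rejects.
 * Assumed convention: the 64 16-bit EEPROM words (0x00..0x3F) must sum,
 * modulo 0x10000, to 0xBABA; word 0x3F is the checksum word.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define E1000_EEPROM_WORDS     64
#define E1000_EEPROM_CSUM_WORD 0x3f
#define E1000_EEPROM_SUM       0xbaba

/* 16-bit wrap-around sum over the whole image. */
static uint16_t e1000_eeprom_sum(const uint16_t *eeprom)
{
    uint32_t sum = 0;

    for (size_t i = 0; i < E1000_EEPROM_WORDS; i++) {
        sum += eeprom[i];
    }
    return (uint16_t)sum;
}

/* True when the image would pass the driver's checksum test. */
bool e1000_eeprom_checksum_ok(const uint16_t *eeprom)
{
    return e1000_eeprom_sum(eeprom) == E1000_EEPROM_SUM;
}

/*
 * Rewrite word 0x3F so that the image sums to 0xBABA.
 * Returns the checksum word that was stored.
 */
uint16_t e1000_eeprom_fix_checksum(uint16_t *eeprom)
{
    eeprom[E1000_EEPROM_CSUM_WORD] = 0;
    uint16_t partial = e1000_eeprom_sum(eeprom);

    /* Conversion to uint16_t reduces the difference modulo 0x10000. */
    eeprom[E1000_EEPROM_CSUM_WORD] = (uint16_t)(E1000_EEPROM_SUM - partial);
    return eeprom[E1000_EEPROM_CSUM_WORD];
}

/*
 * Constructed sample image: a MAC address in words 0-2 (each word holds
 * two bytes, first byte in the low half), a few constructed ID words,
 * and a checksum word that has deliberately not been filled in.
 */
void e1000_sample_eeprom(uint16_t *eeprom)
{
    memset(eeprom, 0, E1000_EEPROM_WORDS * sizeof(uint16_t));
    eeprom[0] = 0x5452;      /* MAC 52:54:00:12:34:56 (constructed) */
    eeprom[1] = 0x1200;
    eeprom[2] = 0x5634;
    eeprom[0x0b] = 0x8086;   /* constructed ID words; placeholder values */
    eeprom[0x0d] = 0x8086;
    eeprom[0x0e] = 0x100e;
}

/* Checksum word the sample image needs; 0xed1a for the image above. */
uint16_t e1000_sample_checksum_word(void)
{
    uint16_t eeprom[E1000_EEPROM_WORDS];

    e1000_sample_eeprom(eeprom);
    return e1000_eeprom_fix_checksum(eeprom);
}

/* Whether the sample image verifies before (false) or after (true) repair. */
bool e1000_sample_verifies(bool after_fix)
{
    uint16_t eeprom[E1000_EEPROM_WORDS];

    e1000_sample_eeprom(eeprom);
    if (after_fix) {
        e1000_eeprom_fix_checksum(eeprom);
    }
    return e1000_eeprom_checksum_ok(eeprom);
}

int main(void)
{
    uint16_t eeprom[E1000_EEPROM_WORDS];

    e1000_sample_eeprom(eeprom);
    printf("before repair: checksum %s\n",
           e1000_eeprom_checksum_ok(eeprom) ? "ok" : "incorrect");
    printf("checksum word written: 0x%04x\n", e1000_eeprom_fix_checksum(eeprom));
    printf("after repair:  checksum %s\n",
           e1000_eeprom_checksum_ok(eeprom) ? "ok" : "incorrect");
    return 0;
}
```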



[Bug 1649233] Re: scrolling does not work once mouse is grabbed

2021-01-07 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
https://bugs.launchpad.net/bugs/1649233

Title:
  scrolling does not work once mouse is grabbed

Status in QEMU:
  Expired

Bug description:
  The title pretty much told it all. It occurs in Windows 10 RS1 on qemu
  2.7.0. Interestingly, I can scroll in the guest if the mouse is not
  grabbed. So using usb-tablet sort of works around it, but if I
  explicitly grab the mouse with Ctrl+Alt+G, scrolling will also stop
  working.

  The host is Arch Linux, so the qemu build uses gtk(3) for the GUI by
  default. I wanted to test with sdl, but it seems sdl support in qemu is
  so broken that I can't even start the virtual machine properly with it.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1649233/+subscriptions



[Bug 1644754] Re: gluster partial reads refusal conflicts with qcow2

2021-01-07 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
https://bugs.launchpad.net/bugs/1644754

Title:
  gluster partial reads refusal conflicts with qcow2

Status in QEMU:
  Expired

Bug description:
  There is an inconsistency in how qemu creates qcow2 files, which
  causes an error in the gluster (and possibly other) block drivers.

  The problem is that the gluster backend expects the file size to be 512
  byte aligned, which is not the case anymore since 2.7.0 when using the
  file backend for qcow2 files with a backing file.

  The error is then:
  Could not open 'gluster://gluster01/gv0/bar2.qcow2': Could not read L1 table: Input/output error

  steps to reproduce:

   * create a.qcow2
   * create b.qcow2 with a.qcow2 as base via filesystem (without gluster)
 b.qcow2 filesize is not a multiple of 512 bytes
   * move both files to a gluster share
   * access to b.qcow2 via gluster block driver fails

  example:

  have a gluster server at 'gluster01' with a volume 'gv0' (gluster
  versions tested: 3.7.15,3.8.5,3.8.5)

  root@pc:~# mount -t glusterfs gluster01:/gv0 /mnt/gluster
  root@pc:~# qemu-img create -f qcow2 gluster://gluster01/gv0/foo.qcow2 100M
  Formatting 'gluster://gluster01/gv0/foo.qcow2', fmt=qcow2 size=104857600 encryption=off cluster_size=65536 lazy_refcounts=off refcount_bits=16
  root@pc:~# qemu-img info /mnt/gluster/foo.qcow2 
  image: /mnt/gluster/foo.qcow2
  file format: qcow2
  virtual size: 100M (104857600 bytes)
  disk size: 193K
  cluster_size: 65536
  Format specific information:
  compat: 1.1
  lazy refcounts: false
  refcount bits: 16
  corrupt: false
  root@pc:~# qemu-img info gluster://gluster01/gv0/foo.qcow2
  image: gluster://gluster01/gv0/foo.qcow2
  file format: qcow2
  virtual size: 100M (104857600 bytes)
  disk size: 193K
  cluster_size: 65536
  Format specific information:
  compat: 1.1
  lazy refcounts: false
  refcount bits: 16
  corrupt: false
  root@pc:~# qemu-img create -f qcow2 -b foo.qcow2 gluster://gluster01/gv0/bar.qcow2
  Formatting 'gluster://gluster01/gv0/bar.qcow2', fmt=qcow2 size=104857600 backing_file=foo.qcow2 encryption=off cluster_size=65536 lazy_refcounts=off refcount_bits=16
  root@pc:~# qemu-img info /mnt/gluster/bar.qcow2
  image: /mnt/gluster/bar.qcow2
  file format: qcow2
  virtual size: 100M (104857600 bytes)
  disk size: 193K
  cluster_size: 65536
  backing file: foo.qcow2 (actual path: /mnt/gluster/foo.qcow2)
  Format specific information:
  compat: 1.1
  lazy refcounts: false
  refcount bits: 16
  corrupt: false
  root@pc:~# qemu-img info gluster://gluster01/gv0/bar.qcow2
  image: gluster://gluster01/gv0/bar.qcow2
  file format: qcow2
  virtual size: 100M (104857600 bytes)
  disk size: 193K
  cluster_size: 65536
  backing file: foo.qcow2 (actual path: gluster://gluster01/gv0/foo.qcow2)
  Format specific information:
  compat: 1.1
  lazy refcounts: false
  refcount bits: 16
  corrupt: false
  root@pc:~# qemu-img create -f qcow2 -b foo.qcow2 /mnt/gluster/bar2.qcow2
  Formatting '/mnt/gluster/bar2.qcow2', fmt=qcow2 size=104857600 
backing_file=foo.qcow2 encryption=off cluster_size=65536 lazy_refcounts=off 
refcount_bits=16
  root@pc:~# qemu-img info /mnt/gluster/bar2.qcow2
  image: /mnt/gluster/bar2.qcow2
  file format: qcow2
  virtual size: 100M (104857600 bytes)
  disk size: 193K
  cluster_size: 65536
  backing file: foo.qcow2 (actual path: /mnt/gluster/foo.qcow2)
  Format specific information:
  compat: 1.1
  lazy refcounts: false
  refcount bits: 16
  corrupt: false
  root@pc:~# qemu-img info gluster://gluster01/gv0/bar2.qcow2
  qemu-img: Could not open 'gluster://gluster01/gv0/bar2.qcow2': Could not read 
L1 table: Input/output error
  root@pc:~# ls -l /mnt/gluster/
  total 578
  -rw-r--r-- 1 root root 196616 Nov 25 09:07 bar2.qcow2
  -rw--- 1 root root 197120 Nov 25 09:07 bar.qcow2
  -rw--- 1 root root 197120 Nov 25 09:06 foo.qcow2
  drwxr-xr-x 6 root root 46 Nov 24 16:51 images

  Here you can see that the file created via the directory path is not
  512-byte aligned, while the one created through the gluster API is.

  Also, when creating a qcow2 with the nfs block driver, the filesize is
  a multiple of 512 as well, but reading a non-aligned file with nfs
  works.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1644754/+subscriptions
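The sizes in the report above (bar2.qcow2 at 196616 bytes, the gluster-created images at 197120) fit a standard 64K-cluster layout: header, refcount table, refcount block, and then a one-entry L1 table at offset 0x30000 whose 8 bytes end exactly at 196616. A backend that only serves whole sectors then cannot complete the 512-byte read that covers the L1 table, which is the "Could not read L1 table" error. The script below is an added example, not QEMU code; it parses the fixed qcow2 v2 header, reports whether the file is sector-aligned and whether the L1 table read would come back short, and offers zero-padding to the next sector as a workaround. The header values it writes are constructed to reproduce the reported size; the real image's table offsets were not posted, so that layout is an assumption. Pad a copy, not the original, and run `qemu-img check` on the result.

```python
"""Check whether a qcow2 image is 512-byte aligned and whether a backend
that refuses partial reads would truncate the L1 table read."""
import os
import struct
import tempfile

SECTOR = 512
QCOW_MAGIC = 0x514649FB            # b"QFI\xfb"
HEADER_FMT = ">IIQIIQIIQQIIQ"      # fixed qcow2 v2 header, big-endian, 72 bytes
HEADER_FIELDS = (
    "magic", "version", "backing_file_offset", "backing_file_size",
    "cluster_bits", "size", "crypt_method", "l1_size", "l1_table_offset",
    "refcount_table_offset", "refcount_table_clusters", "nb_snapshots",
    "snapshots_offset",
)


def parse_header(blob):
    """Decode the fixed part of the qcow2 header; reject anything else."""
    fields = dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, blob, 0)))
    if fields["magic"] != QCOW_MAGIC:
        raise ValueError("not a qcow2 image")
    return fields


def round_up(n, align=SECTOR):
    return (n + align - 1) // align * align


def check_image(path):
    """Report size alignment and whether the L1 table read would be short."""
    with open(path, "rb") as f:
        hdr = parse_header(f.read(struct.calcsize(HEADER_FMT)))
    size = os.path.getsize(path)
    l1_end = hdr["l1_table_offset"] + hdr["l1_size"] * 8   # 8-byte L1 entries
    return {
        "file_size": size,
        "sector_aligned": size % SECTOR == 0,
        "l1_table_end": l1_end,
        # A sector-granular read of the L1 table runs to the end of its last
        # sector; if the file stops before that, the read comes back short.
        "l1_read_truncated": round_up(l1_end) > size,
        "padded_size": round_up(size),
    }


def pad_to_sector(path):
    """Workaround: extend the file with zeros to the next 512-byte boundary."""
    new_size = round_up(os.path.getsize(path))
    with open(path, "r+b") as f:
        f.truncate(new_size)
    return new_size


def make_demo_image(path, file_size=196616):
    """Constructed image with the reported bar2.qcow2 size: 64K clusters,
    refcount table in cluster 1, a one-entry L1 table at 0x30000 (assumed)."""
    hdr = struct.pack(HEADER_FMT, QCOW_MAGIC, 2, 0, 0, 16, 100 * 1024 * 1024,
                      0, 1, 0x30000, 0x10000, 1, 0, 0)
    with open(path, "wb") as f:
        f.write(hdr)
        f.truncate(file_size)      # sparse zero fill to the reported size
    return path


def demo(file_size=196616):
    """Build the constructed image, check it, pad it, check again."""
    with tempfile.TemporaryDirectory() as d:
        path = make_demo_image(os.path.join(d, "bar2.qcow2"), file_size)
        before = check_image(path)
        padded = pad_to_sector(path)
        after = check_image(path)
    return before, padded, after


if __name__ == "__main__":
    before, padded, after = demo()
    print("before:", before)
    print("padded to", padded)
    print("after:", after)
```

For a real image, call `check_image("/mnt/gluster/bar2.qcow2")` over the mounted path; a `True` in `l1_read_truncated` is the condition the gluster driver cannot serve.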



[Bug 1640073] Re: Guest pause because VMPTRLD failed in KVM

2021-01-07 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1640073

Title:
  Guest pause because VMPTRLD failed in KVM

Status in QEMU:
  Expired

Bug description:
  1) Qemu command:
  /usr/bin/qemu-kvm -name omu1 -S -machine pc-i440fx-2.3,accel=kvm,usb=off -cpu 
host -m 15625 -realtime mlock=off -smp 8,sockets=1,cores=8,threads=1 -uuid 
a2aacfff-6583-48b4-b6a4-e6830e519931 -no-user-config -nodefaults -chardev 
socket,id=charmonitor,path=/var/lib/libvirt/qemu/omu1.monitor,server,nowait 
-mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown 
-boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device 
virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive 
file=/home/env/guest1.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none,aio=native
 -device 
virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0
 -drive 
file=/home/env/guest_300G.img,if=none,id=drive-virtio-disk1,format=raw,cache=none,aio=native
 -device 
virtio-blk-pci,scsi=off,bus=pci.0,addr=0x7,drive=drive-virtio-disk1,id=virtio-disk1
 -netdev tap,fd=25,id=hostnet0,vhost=on,vhostfd=26 -device 
virtio-net-pci,netdev=hostnet0,id=net0,mac=00:00:80:05:00:00,bus=pci.0,addr=0x3 
-netdev tap,fd=27,id=hostnet1,vhost=on,vhostfd=28 -device 
virtio-net-pci,netdev=hostnet1,id=net1,mac=00:00:80:05:00:01,bus=pci.0,addr=0x4 
-chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 
-device usb-tablet,id=input0 -vnc 0.0.0.0:0 -device 
cirrus-vga,id=video0,vgamem_mb=16,bus=pci.0,addr=0x2 -device 
virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x8 -msg timestamp=on

  2) Qemu log:
  KVM: entry failed, hardware error 0x4
  RAX=ffed RBX=8803fa2d7fd8 RCX=0100 
RDX=
  RSI= RDI=0046 RBP=8803fa2d7e90 
RSP=8803fa2efe90
  R8 = R9 = R10= 
R11=b69a
  R12=0001 R13=81a25b40 R14= 
R15=8803fa2d7fd8
  RIP=81053e16 RFL=0286 [--S--P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
  ES =   00c0
  CS =0010   00a09b00 DPL=0 CS64 [-RA]
  SS =0018   00c09300 DPL=0 DS   [-WA]
  DS =   00c0
  FS =   00c0
  GS = 88040f54  00c0
  LDT=   00c0
  TR =0040 88040f550a40 2087 8b00 DPL=0 TSS64-busy
  GDT= 88040f549000 007f
  IDT= ff529000 0fff
  CR0=80050033 CR2=7f81ca0c5000 CR3=0003f5081000 CR4=000407e0
  DR0= DR1= DR2= 
DR3= 
  DR6=0ff0 DR7=0400
  EFER=0d01
  Code=?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??  ?? ?? 
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??

  3) Demsg
  [347315.028339] kvm: vmptrld 8817ec5f/17ec5f failed
  klogd 1.4.1, -- state change --
  [347315.039506] kvm: vmptrld 8817ec5f/17ec5f failed
  [347315.051728] kvm: vmptrld 8817ec5f/17ec5f failed
  [347315.057472] vmwrite error: reg 6c0a value 88307e66e480 (err 
2120672384)
  [347315.064567] Pid: 69523, comm: qemu-kvm Tainted: GF   X 
3.0.93-0.8-default #1
  [347315.064569] Call Trace:
  [347315.064587]  [] dump_trace+0x75/0x300
  [347315.064595]  [] dump_stack+0x69/0x6f
  [347315.064617]  [] vmx_vcpu_load+0x11e/0x1d0 [kvm_intel]
  [347315.064647]  [] kvm_arch_vcpu_load+0x44/0x1d0 [kvm]
  [347315.064669]  [] finish_task_switch+0x81/0xe0
  [347315.064676]  [] thread_return+0x3b/0x2a7
  [347315.064687]  [] kvm_vcpu_block+0x65/0xa0 [kvm]
  [347315.064703]  [] __vcpu_run+0xd1/0x260 [kvm]
  [347315.064732]  [] kvm_arch_vcpu_ioctl_run+0x68/0x1a0 [kvm]
  [347315.064759]  [] kvm_vcpu_ioctl+0x38e/0x580 [kvm]
  [347315.064771]  [] do_vfs_ioctl+0x8b/0x3b0
  [347315.064776]  [] sys_ioctl+0xa1/0xb0
  [347315.064783]  [] system_call_fastpath+0x16/0x1b
  [347315.064797]  [<7fee51969ce7>] 0x7fee51969ce6
  [347315.064799] vmwrite error: reg 6c0c value 88307e664000 (err 
2120630272)
  [347315.064802] Pid: 69523, comm: qemu-kvm Tainted: GF   X 
3.0.93-0.8-default #1
  [347315.064803] Call Trace:
  [347315.064807]  [] dump_trace+0x75/0x300
  [347315.064811]  [] dump_stack+0x69/0x6f
  [347315.064817]  [] vmx_vcpu_load+0x12c/0x1d0 [kvm_intel]
  [347315.064832]  [] kvm_arch_vcpu_load+0x44/0x1d0 [kvm]
  [347315.064851]  [] finish_task_switch+0x81/0xe0
  [347315.064855]  [] thread_return+0x3b/0x2a7
  [347315.064865]  [] kvm_vcpu_block+0x65/0xa0 [kvm]
  [347315.064880]  [] __vcpu_run+0xd1/0x260 [kvm]
  

[Bug 1642011] Re: Mouse wheel events not forwarded to guest using GTK display

2021-01-07 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1642011

Title:
  Mouse wheel events not forwarded to guest using GTK display

Status in QEMU:
  Expired

Bug description:
  Using QEMU 2.7.0 with KVM enabled, when I launch the guest without
  options (using the default of gtk), the mouse wheel events are not
  propagated to the guest.

  When I start qemu using -display sdl, mouse wheel events are properly
  forwarded.

  I can determine that the guest is not receiving mouse wheel events by
  doing cat /dev/input/by-id/usb-QEMU_QEMU_USB_Mouse_42-event-mouse.
  When I scroll the wheel, no output is printed to the screen.

  The guest is ChromiumOS.

  The command line is:

  qemu-system-x86_64 -enable-kvm -m 2G -smp 4 -vga cirrus -usbdevice
  mouse -pidfile /tmp/kvm.pid -chardev
  pipe,id=control_pipe,path=/tmp/kvm.pipe -serial file:/tmp/kvm.serial
  -mon chardev=control_pipe -net nic,model=virtio -net
  user,hostfwd=tcp:127.0.0.1:9222-:22 -drive
  
file=chromiumos/src/build/images/amd64-generic/latest/chromiumos_qemu_image.bin,index=0,media=disk,cache=unsafe

  (Most of that invocation sets up Linux fifos for various and nefarious
  purposes and can be profitably ignored).

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1642011/+subscriptions



[Bug 1636770] Re: mouse wheel works only with -usbdevice tablet

2021-01-07 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1636770

Title:
  mouse wheel works only with -usbdevice tablet

Status in QEMU:
  Expired

Bug description:
  2.7.0

  tested with windows 10 1607

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1636770/+subscriptions



[Bug 1653419] Re: SVM emulation fails due to EIP and FLAG register update optimization

2021-01-07 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1653419

Title:
  SVM emulation fails due to EIP and FLAG register update optimization

Status in QEMU:
  Expired

Bug description:
  SVM emulation support has a bug which causes a KVM emulation error
  when qemu-kvm is run on top of KVM installed inside QEmu in software
  mode.

  Steps to reproduce
  
  1. Run KVM inside QEmu(software mode with SVM emulation support). Make sure 
kvm_amd is running.
  2. Run any guest OS on top of the KVM using qemu-kvm.
  3. Following KVM emulation error is thrown immediately.

  KVM internal error. Suberror: 1
  emulation failure
  EAX= EBX=404b ECX= EDX=000f5ea0
  ESI= EDI= EBP= ESP=6fd0
  EIP=4000 EFL=0086 [--S--P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
  ES =0010   00c09300 DPL=0 DS   [-WA]
  CS =0008   00c09b00 DPL=0 CS32 [-RA]
  SS =0010   00c09300 DPL=0 DS   [-WA]
  DS =0010   00c09300 DPL=0 DS   [-WA]
  FS =0010   00c09300 DPL=0 DS   [-WA]
  GS =0010   00c09300 DPL=0 DS   [-WA]
  LDT=   8200 DPL=0 LDT
  TR =   8b00 DPL=0 TSS32-busy
  GDT= 000f7180 0037
  IDT= 000f71be 
  CR0=0011 CR2= CR3= CR4=
  DR0= DR1= DR2= 
DR3=
  DR6=0ff0 DR7=0400
  EFER=
  Code=00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  Reason for the error
  
  For performance reasons, the EIP and FLAG registers are not updated after
  executing every guest instruction. There are optimizations to update
  these registers intelligently, e.g. EIP is updated at the end of a translation
  block. This means EIP remains the address of the first instruction in the TB
  throughout its execution.

  In the case of a VMEXIT because of a page fault that happened after
  executing an instruction in the middle of the TB, the VMCB is updated
  with the wrong guest EIP and execution jumps to the address where the
  host left off. On the subsequent VMRUN by the host, QEmu starts
  executing some of the instructions that have already been executed.
  This can cause a wrong execution flow.

  Following is the instruction execution trace of the above scenario.

  0x000f368f: callq 0xeecc4
  vmexit(0060, , , 000eecc4)!
  vmsave! b72e9000
  vmload! b72e9000
  vmrun! b72e9000
  0x000eecc4: push %rbx
  0x000eecc5: xor %ecx,%ecx
  0x000eecc7: mov (%rax,%rcx,1),%bl
  0x000eecca: cmp (%rdx,%rcx,1),%bl
  vmexit(004e, , 000f5ea0, 000eecc4)!

  Page fault happens at 0x000eecca which triggers a VMEXIT.
  vmcb->save->rip is updated with 0x000eecc4 instead of
  0x000eecca.

  vmsave! b72e9000
  vmload! b72e9000
  vmrun! b72e9000
  0x000eecc4: push %rbx
  0x000eecc5: xor %ecx,%ecx
  0x000eecc7: mov (%rax,%rcx,1),%bl
  0x000eecca: cmp (%rdx,%rcx,1),%bl
  0x000eeccd: je 0xeecdc
  0x000eeccf: setl %al
  0x000eecd2: movzbl %al,%eax
  0x000eecd5: neg %eax
  0x000eecd7: or $0x1,%eax
  0x000eecda: jmp 0xeece3
  0x000eece3: pop %rbx
  0x000eece4: retq
  vmexit(004e, , 4000, 4000)!

  The subsequent VMRUN again starts executing from 0x000eecc4,
  which causes %rbx to be pushed to the stack for a second time. The
  retq instruction picks a wrong return address and jumps to an illegal
  location.

  A similar issue exists with updating the FLAG register.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1653419/+subscriptions
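The double push described in the report is easy to lose in the raw trace, so here is a small model of it as an added example (not QEMU or KVM code). It replays the block from the trace twice: once with the VMEXIT recording the precise faulting RIP, once recording the address the translation block was entered at, which is what the report says the SVM emulation does. Addresses are taken from the trace; the 5-byte length of the `callq` at 0xf368f, the initial %rbx value of 0x4000 and the page-fault address (%rdx from the trace) are constructed for the model. Instructions that touch neither the stack nor memory are folded into no-ops.

```python
"""Toy model of the RIP-at-TB-start problem from the report above."""

TB_START = 0x000EECC4
CALLER_RETURN = 0x000F368F + 5     # "callq 0xeecc4" at 0xf368f, assumed 5-byte encoding
LOAD_ADDR = 0x000F5EA0             # %rdx in the trace; its page is not yet present
PAGE_SHIFT = 12

# (address, next address, effect in this model), in the order the trace
# executed them.  Only stack and faulting-memory effects are modelled.
TB = [
    (0x000EECC4, 0x000EECC5, "push_rbx"),   # push %rbx
    (0x000EECC5, 0x000EECC7, "nop"),        # xor %ecx,%ecx
    (0x000EECC7, 0x000EECCA, "nop"),        # mov (%rax,%rcx,1),%bl  (page present)
    (0x000EECCA, 0x000EECCD, "load_rdx"),   # cmp (%rdx,%rcx,1),%bl  -> #PF first time
    (0x000EECCD, 0x000EECDA, "nop"),        # je / setl / movzbl / neg / or
    (0x000EECDA, 0x000EECE3, "nop"),        # jmp 0xeece3
    (0x000EECE3, 0x000EECE4, "pop_rbx"),    # pop %rbx
    (0x000EECE4, None,       "ret"),        # retq
]
NEXT = {addr: (nxt, op) for addr, nxt, op in TB}


def run(precise_rip, rbx=0x4000):
    """Execute the block; return where retq lands and what each exit recorded.

    precise_rip=True  -> the VMEXIT saves the faulting instruction's address.
    precise_rip=False -> the VMEXIT saves the TB entry address (the bug).
    """
    stack = [CALLER_RETURN]       # return address pushed by the caller
    present = set()               # guest pages the host has mapped so far
    rip = tb_entry = TB_START
    recorded = []
    while True:
        nxt, op = NEXT[rip]
        if op == "push_rbx":
            stack.append(rbx)
        elif op == "pop_rbx":
            rbx = stack.pop()
        elif op == "load_rdx" and (LOAD_ADDR >> PAGE_SHIFT) not in present:
            # Page fault in the middle of the TB -> VMEXIT.  What goes into
            # vmcb->save->rip is the whole point:
            saved = rip if precise_rip else tb_entry
            recorded.append(saved)
            present.add(LOAD_ADDR >> PAGE_SHIFT)   # host resolves the fault
            rip = tb_entry = saved                 # VMRUN resumes here
            continue
        elif op == "ret":
            return {"landed_at": stack.pop(), "stack_left": stack,
                    "rbx": rbx, "exit_rip": recorded}
        rip = nxt


if __name__ == "__main__":
    for precise in (True, False):
        r = run(precise)
        print("precise" if precise else "tb-start", "exit rip",
              [hex(a) for a in r["exit_rip"]],
              "-> retq lands at", hex(r["landed_at"]),
              "stack left", [hex(a) for a in r["stack_left"]])
```

With the TB-start RIP the block re-executes `push %rbx`, so after the single `pop %rbx` the saved %rbx value is still on top of the stack and `retq` jumps to it, leaving the real return address behind; with the precise RIP the return lands back in the caller with a balanced stack.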



[Bug 1661758] Re: qemu-nbd causes data corruption in VDI-format disk images

2021-01-07 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1661758

Title:
  qemu-nbd causes data corruption in VDI-format disk images

Status in QEMU:
  Expired

Bug description:
  Hi,

  This is a duplicate of #1422307.  I can't figure out a way to re-open
  it--the status of "Fix Released" is changeable only by a project
  maintainer or bug supervisor--so I'm opening a new bug to make sure
  this gets looked at again.

  qemu-nbd will sometimes corrupt VDI disk images.  The bug was thought
  to be fixed in commit f0ab6f109630940146cbaf47d0cd3ddba824, but
  I'm able to reproduce it in both that commit and in the latest commit
  (a951316b8a5c3c63254f20a826afeed940dd4cba).  I just needed to run more
  iterations of the test.  It's possible that it was partially fixed, or
  that the added serialization made it harder to catch this
  non-deterministic bug, but the same symptoms persist: data corruption
  of VDI-format disk images.

  This affects at least qemu-nbd.  I haven't tried reproducing the issue
  with qemu proper or qemu-img, but the original bug report suggests
  that the bug in the common VDI backend may corrupt data written by
  those programs.

  Please let me know if I can provide any further information or help
  with testing.  Thank you very much for looking into this!

  Test procedure
  **

  The procedure used is the one given by Max Reitz (xanclic) in the
  original bug report, comment 3
  (https://bugs.launchpad.net/qemu/+bug/1422307/comments/3), in the
  section "VDI and NBD over /dev/nbd0", but with up to 1000 iterations
  instead of 10:

$ cd ~/qemu-origfix-f0ab6f1/bin
$ dd if=/dev/urandom of=blob.raw bs=1M count=64
64+0 records in
64+0 records out
67108864 bytes (67 MB) copied, 4.36475 s, 15.4 MB/s
$ sudo sh -c 'for i in $(seq 0 999); do ./qemu-img create -f vdi test.vdi 
64M > /dev/null; ./qemu-nbd -c /dev/nbd0 test.vdi; sleep 1; ./qemu-img convert 
-n blob.raw /dev/nbd0; ./qemu-img convert /dev/nbd0 test1.raw; sync; echo 1 > 
/proc/sys/vm/drop_caches; ./qemu-img convert /dev/nbd0 test2.raw; ./qemu-nbd -d 
/dev/nbd0 > /dev/null; if ! ./qemu-img compare -q test1.raw test2.raw; then 
md5sum test1.raw test2.raw; echo "$i failed"; break; fi; done; echo "done"'
  27a66c3a8ac2cf06f2c925968ea9e964  test1.raw
  2da9bf169041a7c2bd144c4ab3a29aea  test2.raw
  64 failed
  done

  I've run this process a handful of times, and I've seen it take as
  little as 10 iterations and as many as 161 (taking 32 minutes in the
  latter case).  Please be patient.  Putting the images on tmpfs will
  probably help it go faster, and I have successfully reproduced the
  issue on tmpfs in addition to ext4.

  Nothing different was needed to reproduce the issue in a directory
  containing a build of the latest commit.  It still takes somewhere
  around 1-200 iterations to find, in my testing.

  Build procedure
  ***

$ git clone git://git.qemu-project.org/qemu.git
[omitted]
$ git clone qemu qemu-origfix-f0ab6f1
Cloning into 'qemu-origfix-f0ab6f1'...
done.
$ cd qemu-origfix-f0ab6f1
$ git checkout f0ab6f109630940146cbaf47d0cd3ddba824
Note: checking out 'f0ab6f109630940146cbaf47d0cd3ddba824'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b new_branch_name

HEAD is now at f0ab6f1... block/vdi: Add locking for parallel requests
$ mkdir bin
$ cd bin
$ script -c'time (../configure --enable-debug --target-list=x86_64-softmmu 
&& make -j6; echo "result: $?")'
Script started, file is typescript
[omitted; the build typescript is attached separately]
  LINK  x86_64-softmmu/qemu-system-x86_64
result: 0

real1m5.733s
user2m3.904s
sys 0m13.828s
Script done, file is typescript

  Nothing different was done when building the latest commit (besides
  cloning to a different directory, and not running `git checkout`).

  Environment
  ***

* Machine: x86_64

* Hypervisor: Xen 4.4 (Debian package xen-hypervisor-4.4-amd64,
  version 4.4.1-9+deb8u8)

* A Xen domU (guest) for building QEMU and reproducing the issue.
  All testing was done within the virtual machine for convenience
  and access to better hardware than what I have for my development
  machine (I expected the build to take much longer than it really
  does).

- x86_64 architecture 

[Bug 1652373] Re: User-mode QEMU is not deterministic

2021-01-07 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1652373

Title:
  User-mode QEMU is not deterministic

Status in QEMU:
  Expired

Bug description:
  QEMU in user-mode (linux-user or bsd-user) has no way to get the
  equivalent of the "-icount" argument found in softmmu mode.

  It is true that some system calls in user-mode can prevent
  deterministic execution, but it would be very simple to patch time-
  related syscalls to return a number based on icount when in
  deterministic mode.

  Putting both changes together (icount + time-related syscalls) would
  cover the needs for deterministic execution of most benchmarks (i.e.,
  those not interacting with the network or other programs in the
  system).

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1652373/+subscriptions



[Bug 1654826] Re: Holding key down using input-linux freezes guest

2021-01-07 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1654826

Title:
  Holding key down using input-linux freezes guest

Status in QEMU:
  Expired

Bug description:
  Qemu release version 2.8.0
  KVM, kernel 4.9.1

  When using the -object input-linux capability in qemu for passthrough
  of input/evdev devices, I found that when a key is held for a few
  seconds or more (such as ctrl key), the guest system freezes until the
  key is released. In some cases, mouse control is also lost following
  one of these "freezes". I also noticed that one of the four cpu cores
  I have the guest pinned to ramps to 100% during these freezes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1654826/+subscriptions



[Bug 1648726] Re: [usb-host] Passthrough of UAS devices fails with Windows (10) guests

2021-01-07 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1648726

Title:
  [usb-host] Passthrough of UAS devices fails with Windows (10) guests

Status in QEMU:
  Expired

Bug description:
  Split off from https://bugs.launchpad.net/qemu/+bug/1579306 as this is
  a distinct issue.

  Physical USB storage devices that support the UAS protocol do not work
  correctly when passed through to Windows guests (I've only tested this
  with Windows 10 x64, build 1607).

  Passing through such a device results in the older BOT/MSC protocol
  being used:

  

  Using the same domain configuration with a Linux guest (tested with
  SystemRescueCD 4.8.0) works correctly:

  /: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 5000M
  |__ Port 1: Dev 2, If 0, Class=Mass Storage, Driver=uas, 5000M
  /: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 480M

  In both cases, the VM was launched via libvirt, which generated the
  following command line:

  /usr/bin/qemu-system-x86_64 -name guest=Win10-Edge-IE11,debug-
  threads=on -S -object
  secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-13-Win10
  -Edge-IE11/master-key.aes -machine
  pc-q35-2.7,accel=kvm,usb=off,vmport=off,dump-guest-core=off -cpu
  host,hv_time,hv_relaxed,hv_vapic,hv_spinlocks=0x1fff -m 4096 -realtime
  mlock=off -smp 8,sockets=1,cores=4,threads=2 -uuid 47c39707-088c-4edc-
  8b6a-a7856e09f43d -no-user-config -nodefaults -chardev
  socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-13-Win10-Edge-
  IE11/monitor.sock,server,nowait -mon
  chardev=charmonitor,id=monitor,mode=control -rtc
  base=localtime,driftfix=slew -global kvm-pit.lost_tick_policy=discard
  -no-hpet -no-shutdown -global ICH9-LPC.disable_s3=1 -global
  ICH9-LPC.disable_s4=1 -boot strict=on -device
  i82801b11-bridge,id=pci.1,bus=pcie.0,addr=0x1e -device pci-
  bridge,chassis_nr=2,id=pci.2,bus=pci.1,addr=0x0 -device nec-usb-
  xhci,id=usb,bus=pci.2,addr=0x6 -device virtio-scsi-
  pci,id=scsi0,bus=pci.2,addr=0x3 -device virtio-serial-pci,id=virtio-
  serial0,bus=pci.2,addr=0x4 -drive file=/home/jack/IMG/Win10-Edge-
  IE11.qcow2,format=qcow2,if=none,id=drive-scsi0-0-0-0,discard=unmap
  -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-
  scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1 -drive if=none,id=drive-
  scsi0-0-0-1,readonly=on -device scsi-cd,bus=scsi0.0,channel=0,scsi-
  id=0,lun=1,drive=drive-scsi0-0-0-1,id=scsi0-0-0-1 -netdev
  tap,fd=22,id=hostnet0,vhost=on,vhostfd=24 -device virtio-net-
  pci,netdev=hostnet0,id=net0,mac=52:54:00:27:94:5d,bus=pci.2,addr=0x1
  -chardev pty,id=charserial0 -device isa-
  serial,chardev=charserial0,id=serial0 -chardev
  spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus
  =virtio-
  serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0
  -device usb-tablet,id=input0,bus=usb.0,port=2 -spice
  port=5900,addr=127.0.0.1,disable-ticketing,image-compression=off
  ,seamless-migration=on -device qxl-
  
vga,id=video0,ram_size=67108864,vram_size=67108864,vram64_size_mb=0,vgamem_mb=16,max_outputs=1,bus=pcie.0,addr=0x1
  -device intel-hda,id=sound0,bus=pci.2,addr=0x2 -device hda-
  duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev
  spicevmc,id=charredir0,name=usbredir -device usb-
  redir,chardev=charredir0,id=redir0,bus=usb.0,port=3 -chardev
  spicevmc,id=charredir1,name=usbredir -device usb-
  redir,chardev=charredir1,id=redir1,bus=usb.0,port=4 -device usb-
  host,hostbus=4,hostaddr=4,id=hostdev0,bus=usb.0,port=1 -device virtio-
  balloon-pci,id=balloon0,bus=pci.2,addr=0x5 -msg timestamp=on

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1648726/+subscriptions



[Bug 1658141] Re: QEMU's default msrs handling causes Windows 10 64 bit to crash

2021-01-07 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1658141

Title:
  QEMU's default msrs handling causes Windows 10 64 bit to crash

Status in QEMU:
  Expired

Bug description:
  Wine uses QEMU to run its conformance test suite on Windows virtual
  machines. Wine's conformance tests check the behavior of various
  Windows APIs and verify that they behave as expected.

  One such test checks handling of exceptions down. When run on Windows 10 64 
bit in QEMU it triggers a "KMOD_EXCEPTION_NOT_HANDLED" BSOD in the VM. See:
  https://bugs.winehq.org/show_bug.cgi?id=40240

  
  To reproduce this bug:
  * Pick a Windows 10 64 bit VM on an Intel host.

  * Start the VM. I'm pretty sure any qemu command will do but here's what I 
used:
qemu-system-x86_64 -machine pc-i440fx-2.1,accel=kvm -cpu core2duo,+nx -m 
2048 -hda /var/lib/libvirt/images/wtbw1064.qcow2

  * Grab the attached source code. The tar file is a bit big at 85KB
  because I had to include some Wine headers. However the source file
  proper, exception.c, is only 85 lines, including the LGPL header.

  * Compile the source code with MinGW by typing 'make'. This produces a
  32 bit exception.exe executable. I'll attach it for good measure.

  * Put exception.exe on the VM and run it.

  
  After investigation it turns out this happens:
   * Only for Windows 10 64 bit guests. Windows 10 32 bit and older Windows 
versions are unaffected.

   * Only on Intel hosts. At least both my Xeon E3-1226 v3 and i7-4790K
  hosts are impacted but not my Opteron 6128 one.

   * It does not seem to depend on the emulated CPU type: on the Intel hosts 
this happened with both 
  core2duo,nx and 'copy the host configuration' and did not depend on the 
number of emulated cpus/cores.

   * This happened with both QEMU 2.1 and 2.7, and both the 3.16.0 and
  4.8.11 Linux kernels, both on Debian 8.6 and Debian Testing.

  
  After searching for quite some time I discovered that the kvm kernel module 
was sneaking the following messages into /var/log/syslog precisely when the 
BSOD happens:

  Dec 16 13:43:48 vm3 kernel: [  191.624802] kvm [2064]: vcpu0, guest rIP: 
0xf803cb3c0bf3 kvm_set_msr_common: MSR_IA32_DEBUGCTLMSR 0x1, nop
  Dec 16 13:43:48 vm3 kernel: [  191.624835] kvm [2064]: vcpu0, guest rIP: 
0xf803cb3c0c5c unhandled rdmsr: 0x1c9

  A search on the Internet turned up a post suggesting to change kvm's
  ignore_msrs setting:

 echo 1 >/sys/module/kvm/parameters/ignore_msrs

  
https://www.reddit.com/r/VFIO/comments/42dj7n/some_games_crash_to_biosboot_on_launch/

  This does actually work and provides a workaround at least.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1658141/+subscriptions



[Bug 1671173] Re: OS started to crash with a message: "Trying to execute code outside RAM or ROM"

2021-01-07 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1671173

Title:
  OS started to crash with a message: "Trying to execute code outside
  RAM or ROM"

Status in QEMU:
  Expired

Bug description:
  There is a project (https://github.com/narke/colorForth ) which always
  worked with qemu up to version 2.5.1.1 but doesn't work from version
  2.6 onwards. It continues to work with bochs.

  Download: git clone https://github.com/narke/colorForth.git
  Build: make
  Test: qemu-system-i386 -drive format=raw,file=cf2012.img,index=0,if=floppy

  
  System information: Ubuntu LTS 16.04 x86-64
  Affected qemu versions: 2.6 to present (2.8)

  
  I got the message:

  
  WARNING: Image format was not specified for 'cf2012.img' and probing guessed 
raw.
   Automatically detecting the format is dangerous for raw images, 
write operations on block 0 will be restricted.
   Specify the 'raw' format explicitly to remove the restrictions.
  qemu-system-i386: Trying to execute code outside RAM or ROM at 0x8998c426
  This usually means one of the following happened:

  (1) You told QEMU to execute a kernel for the wrong machine type, and it 
crashed on startup (eg trying to run a raspberry pi kernel on a versatilepb 
QEMU machine)
  (2) You didn't give QEMU a kernel or BIOS filename at all, and QEMU executed 
a ROM full of no-op instructions until it fell off the end
  (3) Your guest kernel has a bug and crashed by jumping off into nowhere

  This is almost always one of the first two, so check your command line and 
that you are using the right type of kernel for this machine.
  If you think option (3) is likely then you can try debugging your guest with 
the -d debug options; in particular -d guest_errors will cause the log to 
include a dump of the guest register state at this point.

  Execution cannot continue; stopping here.

  
  Thank you in advance.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1671173/+subscriptions



[Bug 1662600] Re: error while building from source on Ubuntu 16.04

2021-01-07 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1662600

Title:
  error while building from source on Ubuntu 16.04

Status in QEMU:
  Expired

Bug description:
  I'm trying to build Qemu from source (from git) as specified here:
  http://www.qemu-project.org/download/#source

  Here is the git commit hash for the source:
  7d2c6c95511e42dffe2b263275e09957723d0ff4

  During the 'make' step, I get the following error:

  migration/rdma.c: In function ‘qemu_rdma_dump_id’:
  migration/rdma.c:749:21: error: ‘struct ibv_port_attr’ has no member named 
‘link_layer’
  migration/rdma.c:750:22: error: ‘struct ibv_port_attr’ has no member named 
‘link_layer’
  migration/rdma.c:750:37: error: ‘IBV_LINK_LAYER_INFINIBAND’ undeclared (first 
use in this function)
  migration/rdma.c:750:37: note: each undeclared identifier is reported only 
once for each function it appears in
  migration/rdma.c:751:24: error: ‘struct ibv_port_attr’ has no member named 
‘link_layer’
  migration/rdma.c:751:39: error: ‘IBV_LINK_LAYER_ETHERNET’ undeclared (first 
use in this function)
  migration/rdma.c: In function ‘qemu_rdma_broken_ipv6_kernel’:
  migration/rdma.c:850:26: error: ‘struct ibv_port_attr’ has no member named 
‘link_layer’
  migration/rdma.c:850:41: error: ‘IBV_LINK_LAYER_INFINIBAND’ undeclared (first 
use in this function)
  migration/rdma.c:852:33: error: ‘struct ibv_port_attr’ has no member named 
‘link_layer’
  migration/rdma.c:852:48: error: ‘IBV_LINK_LAYER_ETHERNET’ undeclared (first 
use in this function)
  migration/rdma.c:891:18: error: ‘struct ibv_port_attr’ has no member named 
‘link_layer’
  make: *** [migration/rdma.o] Error 1

  I searched around a bit, my problem seems related to this:
  https://patchwork.kernel.org/patch/992952/

  That issue makes me think my libibverbs may be out of date, but I
  checked and I have libibverbs-dev installed.  Is that the correct
  version?

  FYI, I installed libibverbs-dev as suggested here: http://wiki.qemu-
  project.org/index.php/Hosts/Linux#Recommended_additional_packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1662600/+subscriptions



[Bug 1656711] Re: GTK3 interface doesn't zoom-to-fit by default

2021-01-07 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1656711

Title:
  GTK3 interface doesn't zoom-to-fit by default

Status in QEMU:
  Expired

Bug description:
  The SDL interface automatically scales the video output to
  match the window size.  The GTK3 interface has an off-by-default option
  "Zoom To Fit" for that.  As far as I can tell, no command-line option
  exists to turn that option on.  That makes it harder to quickly zoom a
  freshly launched VM; instead of just hitting a maximize-window hotkey, I
  also have to navigate through the menu to select "Zoom To Fit".

  Given that VMs typically start out running in a much lower-resolution
  video mode than the host (and VMs not running a full graphical
  environment often stay that way), this seriously impacts the usability
  of qemu-system.

  (Observed in QEMU 2.8)

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1656711/+subscriptions



Re: What's the correct way to implement rfi and related instruction.

2021-01-07 Thread Yonggang Luo
On Fri, Jan 8, 2021 at 5:54 AM Cédric Le Goater  wrote:
>
> On 1/7/21 8:14 PM, 罗勇刚(Yonggang Luo) wrote:
> > This is the first patch:
> > It stores MSR bits differently for different rfi instructions:
> > [Qemu-devel] [PATCH] target-ppc: fix RFI by clearing some bits of MSR
> > https://lists.gnu.org/archive/html/qemu-devel/2010-05/msg02999.html <
https://lists.gnu.org/archive/html/qemu-devel/2010-05/msg02999.html>
> > Comes from  target-ppc: fix RFI by clearing some bits of MSR
> > SHA-1: c3d420ead1aee9fcfd12be11cbdf6b1620134773
> >  target-ppc/op_helper.c | 6 +++---
> >  1 file changed, 3 insertions(+), 3 deletions(-)
> > ```
> > diff --git a/target-ppc/op_helper.c b/target-ppc/op_helper.c
> > index 8f2ee986bb..3c3aa60bc3 100644
> > --- a/target-ppc/op_helper.c
> > +++ b/target-ppc/op_helper.c
> > @@ -1646,20 +1646,20 @@ static inline void do_rfi(target_ulong nip,
target_ulong msr,
> >  void helper_rfi (void)
> >  {
> >  do_rfi(env->spr[SPR_SRR0], env->spr[SPR_SRR1],
> > -   ~((target_ulong)0x0), 1);
> > +   ~((target_ulong)0x783F), 1);
> >  }
> >
> >  #if defined(TARGET_PPC64)
> >  void helper_rfid (void)
> >  {
> >  do_rfi(env->spr[SPR_SRR0], env->spr[SPR_SRR1],
> > -   ~((target_ulong)0x0), 0);
> > +   ~((target_ulong)0x783F), 0);
> >  }
> >
> >  void helper_hrfid (void)
> >  {
> >  do_rfi(env->spr[SPR_HSRR0], env->spr[SPR_HSRR1],
> > -   ~((target_ulong)0x0), 0);
> > +   ~((target_ulong)0x783F), 0);
> >  }
> >  #endif
> >  #endif
> > ```
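Review bot: `~((target_ulong)0x783F)` is passed three times as a bare magic number, with nothing saying which MSR bits it stops rfi/rfid/hrfid from restoring; give it one named `#define` with a comment listing the bits, so the value can be checked against the architecture instead of being copied by hand into each helper.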
> >
> > This is the second patch:
> > It removes the parameters `target_ulong msrm, int keep_msrh`.
> > Comes from ppc: Fix rfi/rfid/hrfi/... emulation
> > SHA-1: a2e71b28e832346409efc795ecd1f0a2bcb705a3
> > ```
> >  target-ppc/excp_helper.c | 51
+++-
> >  1 file changed, 20 insertions(+), 31 deletions(-)
> >
> > diff --git a/target-ppc/excp_helper.c b/target-ppc/excp_helper.c
> > index 30e960e30b..aa0b63f4b0 100644
> > --- a/target-ppc/excp_helper.c
> > +++ b/target-ppc/excp_helper.c
> > @@ -922,25 +922,20 @@ void helper_store_msr(CPUPPCState *env,
target_ulong val)
> >  }
> >  }
> >
> > -static inline void do_rfi(CPUPPCState *env, target_ulong nip,
target_ulong msr,
> > -  target_ulong msrm, int keep_msrh)
> > +static inline void do_rfi(CPUPPCState *env, target_ulong nip,
target_ulong msr)
> >  {
> >  CPUState *cs = CPU(ppc_env_get_cpu(env));
> >
> > +/* MSR:POW cannot be set by any form of rfi */
> > +msr &= ~(1ULL << MSR_POW);
> > +
> >  #if defined(TARGET_PPC64)
> > -if (msr_is_64bit(env, msr)) {
> > -nip = (uint64_t)nip;
> > -msr &= (uint64_t)msrm;
> > -} else {
> > +/* Switching to 32-bit ? Crop the nip */
> > +if (!msr_is_64bit(env, msr)) {
> >  nip = (uint32_t)nip;
> > -msr = (uint32_t)(msr & msrm);
> > -if (keep_msrh) {
> > -msr |= env->msr & ~((uint64_t)0x);
> > -}
> >  }
> >  #else
> >  nip = (uint32_t)nip;
> > -msr &= (uint32_t)msrm;
> >  #endif
> >  /* XXX: beware: this is false if VLE is supported */
> >  env->nip = nip & ~((target_ulong)0x0003);
> > @@ -959,26 +954,24 @@ static inline void do_rfi(CPUPPCState *env,
target_ulong nip, target_ulong msr,
> >
> >  void helper_rfi(CPUPPCState *env)
> >  {
> > -if (env->excp_model == POWERPC_EXCP_BOOKE) {
> > -do_rfi(env, env->spr[SPR_SRR0], env->spr[SPR_SRR1],
> > -   ~((target_ulong)0), 0);
> > -} else {
> > -do_rfi(env, env->spr[SPR_SRR0], env->spr[SPR_SRR1],
> > -   ~((target_ulong)0x783F), 1);
> > -}
> > +do_rfi(env, env->spr[SPR_SRR0], env->spr[SPR_SRR1] & 0xul);
> >  }
> >
> > +#define MSR_BOOK3S_MASK
> >  #if defined(TARGET_PPC64)
> >  void helper_rfid(CPUPPCState *env)
> >  {
> > -do_rfi(env, env->spr[SPR_SRR0], env->spr[SPR_SRR1],
> > -   ~((target_ulong)0x783F), 0);
> > +/* The architeture defines a number of rules for which bits
> > + * can change but in practice, we handle this in hreg_store_msr()
> > + * which will be called by do_rfi(), so there is no need to filter
> > + * here
> > + */
> > +do_rfi(env, env->spr[SPR_SRR0], env->spr[SPR_SRR1]);
> >  }
> >
> >  void helper_hrfid(CPUPPCState *env)
> >  {
> > -do_rfi(env, env->spr[SPR_HSRR0], env->spr[SPR_HSRR1],
> > -   ~((target_ulong)0x783F), 0);
> > +do_rfi(env, env->spr[SPR_HSRR0], env->spr[SPR_HSRR1]);
> >  }
> >  #endif
> >
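Review bot: `+#define MSR_BOOK3S_MASK` is added with no value and has no user in this hunk; either drop it or define the mask it is meant to hold. The new comment on helper_rfid has a typo ("architeture"), and since it says the bit filtering now happens in hreg_store_msr() called from do_rfi(), the rules that the removed `msrm` mask used to encode should be documented at that call site, which is where the next reader will look for them.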
> > @@ -986,28 +979,24 @@ void helper_hrfid(CPUPPCState *env)
> >  /* Embedded PowerPC specific helpers */
> >  void helper_40x_rfci(CPUPPCState *env)
> >  {
> > -do_rfi(env, env->spr[SPR_40x_SRR2], env->spr[SPR_40x_SRR3],
> > -   ~((target_ulong)0x), 0);
> > +do_rfi(env, env->spr[SPR_40x_SRR2], env->spr[SPR_40x_SRR3]);
> >  }
> >
> >  void helper_rfci(CPUPPCState *env)
> >  {
> > -do_rfi(env, 

[PATCH v5 7/7] fuzz: heuristic split write based on past IOs

2021-01-07 Thread Qiuhao Li
If previous write commands write the same length of data with the same step,
we view it as a hint.

Signed-off-by: Qiuhao Li 
---
 scripts/oss-fuzz/minimize_qtest_trace.py | 56 
 1 file changed, 56 insertions(+)

diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py 
b/scripts/oss-fuzz/minimize_qtest_trace.py
index 8661116075..408ae2ac67 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -85,6 +85,43 @@ def check_if_trace_crashes(trace, path):
 return False
 
 
+# If previous write commands write the same length of data at the same
+# interval, we view it as a hint.
+def split_write_hint(newtrace, i):
+HINT_LEN = 3 # > 2
+if i <=(HINT_LEN-1):
+return None
+
+#find previous continuous write traces
+k = 0
+l = i-1
+writes = []
+while (k != HINT_LEN and l >= 0):
+if newtrace[l].startswith("write "):
+writes.append(newtrace[l])
+k += 1
+l -= 1
+elif newtrace[l] == "":
+l -= 1
+else:
+return None
+if k != HINT_LEN:
+return None
+
+length = int(writes[0].split()[2], 16)
+for j in range(1, HINT_LEN):
+if length != int(writes[j].split()[2], 16):
+return None
+
+step = int(writes[0].split()[1], 16) - int(writes[1].split()[1], 16)
+for j in range(1, HINT_LEN-1):
+if step != int(writes[j].split()[1], 16) - \
+int(writes[j+1].split()[1], 16):
+return None
+
+return (int(writes[0].split()[1], 16)+step, length)
+
+
 def remove_lines(newtrace, outpath):
 remove_step = 1
 i = 0
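Review bot: `split_write_hint` needs a docstring stating that `writes` holds the preceding writes most-recent first, so `step` is the delta from the second-most-recent to the most-recent write and the returned address is `addr(writes[0]) + step`; the `HINT_LEN = 3 # > 2` comment should say why three is the minimum (two writes fix a step but cannot confirm one). Also `if i <=(HINT_LEN-1):` and `#find previous` want a space after the operator and the `#` for checkpatch.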
@@ -148,6 +185,25 @@ def remove_lines(newtrace, outpath):
 length = int(newtrace[i].split()[2], 16)
 data = newtrace[i].split()[3][2:]
 if length > 1:
+
+# Can we get a hint from previous writes?
+hint = split_write_hint(newtrace, i)
+if hint is not None:
+hint_addr = hint[0]
+hint_len = hint[1]
+if hint_addr >= addr and hint_addr+hint_len <= addr+length:
+newtrace[i] = "write {addr} {size} 0x{data}\n".format(
+addr=hex(hint_addr),
+size=hex(hint_len),
+data=data[(hint_addr-addr)*2:\
+(hint_addr-addr)*2+hint_len*2])
+if check_if_trace_crashes(newtrace, outpath):
+# next round
+i += 1
+continue
+newtrace[i] = prior[0]
+
+# Try splitting it using a binary approach
 leftlength = int(length/2)
 rightlength = length - leftlength
 newtrace.insert(i+1, "")
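Review bot: when the hint equals the whole write (`hint_addr == addr` and `hint_len == length`) the rewritten line is identical to the original and `check_if_trace_crashes` re-runs a trace already known to crash; guard with `hint_len < length` before rewriting. On a successful hint the code does `i += 1` and moves on, so the now shorter write is not split further in this pass, whereas a successful binary split re-examines the line (`i -= 1` then `i += 1`); giving the hint path the same treatment would let the shortened write be trimmed in the same pass. The restore `newtrace[i] = prior[0]` after a failed hint is correct only because `remove_step` is 1 at this point; a comment saying so would help.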
-- 
2.25.1




[PATCH v5 6/7] fuzz: add minimization options

2021-01-07 Thread Qiuhao Li
-M1: remove IO commands iteratively
-M2: try setting bits in operand of write/out to zero

Signed-off-by: Qiuhao Li 
---
 scripts/oss-fuzz/minimize_qtest_trace.py | 30 
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py 
b/scripts/oss-fuzz/minimize_qtest_trace.py
index 2325b38dbc..8661116075 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -16,6 +16,10 @@ QEMU_PATH = None
 TIMEOUT = 5
 CRASH_TOKEN = None
 
+# Minimization levels
+M1 = False # try removing IO commands iteratively
+M2 = False # try setting bits in operand of write/out to zero
+
 write_suffix_lookup = {"b": (1, "B"),
"w": (2, "H"),
"l": (4, "L"),
@@ -23,10 +27,20 @@ write_suffix_lookup = {"b": (1, "B"),
 
 def usage():
 sys.exit("""\
-Usage: QEMU_PATH="/path/to/qemu" QEMU_ARGS="args" {} input_trace output_trace
+Usage:
+
+QEMU_PATH="/path/to/qemu" QEMU_ARGS="args" {} [Options] input_trace 
output_trace
+
 By default, will try to use the second-to-last line in the output to identify
 whether the crash occred. Optionally, manually set a string that idenitifes the
 crash by setting CRASH_TOKEN=
+
+Options:
+
+-M1: enable a loop around the remove minimizer, which may help decrease some
+ timing dependant instructions. Off by default.
+-M2: try setting bits in operand of write/out to zero. Off by default.
+
 """.format((sys.argv[0])))
 
 deduplication_note = """\n\
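Review bot: typo in the new help text, "timing dependant" should be "timing dependent"; since this hunk rewrites the usage string, the pre-existing "occred" and "idenitifes" in the neighbouring lines could be fixed in the same change. The `-M1` description ("enable a loop around the remove minimizer") and the commit message ("remove IO commands iteratively") should use the same wording so users can map the option to the behaviour.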
@@ -213,24 +227,32 @@ def minimize_trace(inpath, outpath):
 print("Setting the timeout for {} seconds".format(TIMEOUT))
 
 newtrace = trace[:]
+global M1, M2
 
 # remove lines
 old_len = len(newtrace) + 1
 while(old_len > len(newtrace)):
 old_len = len(newtrace)
+print("trace lenth = ", old_len)
 remove_lines(newtrace, outpath)
+if not M1 and not M2:
+break
 newtrace = list(filter(lambda s: s != "", newtrace))
 assert(check_if_trace_crashes(newtrace, outpath))
 
 # set bits to zero
-clear_bits(newtrace, outpath)
+if M2:
+clear_bits(newtrace, outpath)
 assert(check_if_trace_crashes(newtrace, outpath))
 
 
 if __name__ == '__main__':
 if len(sys.argv) < 3:
 usage()
-
+if "-M1" in sys.argv:
+M1 = True
+if "-M2" in sys.argv:
+M2 = True
 QEMU_PATH = os.getenv("QEMU_PATH")
 QEMU_ARGS = os.getenv("QEMU_ARGS")
 if QEMU_PATH is None or QEMU_ARGS is None:
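Review bot: `if not M1 and not M2: break` makes `-M2` on its own also enable the `-M1` loop, because the loop only stops when neither flag is set; the condition should be `if not M1: break`. The `break` also skips the `filter` that drops the blanked lines, so without `-M1` the final assert (and `clear_bits`, when enabled) run over a trace that still contains "" entries, and the in-loop assert is never reached; move the filter before the break. Also `print("trace lenth = ", old_len)` has a typo.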
@@ -239,4 +261,4 @@ if __name__ == '__main__':
 # QEMU_ARGS += " -accel qtest"
 CRASH_TOKEN = os.getenv("CRASH_TOKEN")
 QEMU_ARGS += " -qtest stdio -monitor none -serial none "
-minimize_trace(sys.argv[1], sys.argv[2])
+minimize_trace(sys.argv[-2], sys.argv[-1])
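Review bot: with options detected by `"-M1" in sys.argv` and the paths taken from `sys.argv[-2]`/`sys.argv[-1]`, `len(sys.argv) < 3` no longer guarantees two paths: `script -M1 out` passes the check and uses "-M1" as the input trace. Parse with `argparse`, or at least reject path arguments that start with "-".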
-- 
2.25.1




[PATCH v5 5/7] fuzz: set bits in operand of write/out to zero

2021-01-07 Thread Qiuhao Li
Simplifying the crash cases by opportunistically setting bits in operands of
out/write to zero may help to debug, since usually bit one means turn on or
trigger a function while zero is the default turn-off setting.

Tested Bug 1908062.

Signed-off-by: Qiuhao Li 
---
 scripts/oss-fuzz/minimize_qtest_trace.py | 39 
 1 file changed, 39 insertions(+)

diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py 
b/scripts/oss-fuzz/minimize_qtest_trace.py
index 45c1627d32..2325b38dbc 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -164,6 +164,42 @@ def remove_lines(newtrace, outpath):
 i += 1
 
 
+def clear_bits(newtrace, outpath):
+# try setting bits in operands of out/write to zero
+i = 0
+while i < len(newtrace):
+if (not newtrace[i].startswith("write ") and not
+   newtrace[i].startswith("out")):
+   i += 1
+   continue
+# write ADDR SIZE DATA
+# outx ADDR VALUE
+print("\nzero setting bits: {}".format(newtrace[i]))
+
+prefix = " ".join(newtrace[i].split()[:-1])
+data = newtrace[i].split()[-1]
+data_bin = bin(int(data, 16))
+data_bin_list = list(data_bin)
+
+for j in range(2, len(data_bin_list)):
+prior = newtrace[i]
+if (data_bin_list[j] == '1'):
+data_bin_list[j] = '0'
+data_try = hex(int("".join(data_bin_list), 2))
+# It seems qtest only accepts padded hex-values.
+if len(data_try) % 2 == 1:
+data_try = data_try[:2] + "0" + data_try[2:-1]
+
+newtrace[i] = "{prefix} {data_try}\n".format(
+prefix=prefix,
+data_try=data_try)
+
+if not check_if_trace_crashes(newtrace, outpath):
+data_bin_list[j] = '1'
+newtrace[i] = prior
+i += 1
+
+
 def minimize_trace(inpath, outpath):
 global TIMEOUT
 with open(inpath) as f:
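Review bot: the padding fix-up is wrong, `data_try[2:-1]` drops the last hex digit, so for `0x123` it yields `0x012`, a different value whose length is still odd. The underlying problem is that `hex()` strips leading zeros: a `write` whose operand started as `0x00ff0000` can come back as `0x7f0000`, six digits for a four-byte SIZE. Pad the operand back to its original width instead, e.g. `"0x" + format(value, "0{}x".format(len(data) - 2))`, which handles the out{b,w,l} operands as well and makes the odd-length special case unnecessary.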
@@ -184,7 +220,10 @@ def minimize_trace(inpath, outpath):
 old_len = len(newtrace)
 remove_lines(newtrace, outpath)
 newtrace = list(filter(lambda s: s != "", newtrace))
+assert(check_if_trace_crashes(newtrace, outpath))
 
+# set bits to zero
+clear_bits(newtrace, outpath)
 assert(check_if_trace_crashes(newtrace, outpath))
 
 
-- 
2.25.1
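
The bit-clearing pass described in this commit message, as an added example that is not part of the patch or of QEMU's minimize_qtest_trace.py. The trace is constructed, and so is the oracle: `crashes()` stands in for a QEMU run and assumes the bug needs bits 15 and 0 of the word written to 0x1000 plus bit 0 of the byte sent to port 0x3f8. The operand is re-encoded at its original hex width, so a `write` keeps exactly 2*SIZE digits and no odd-length fix-up is needed.

```python
# Added example (not from the patch): clear set bits of write/out operands
# one at a time, highest bit first, keeping a clear only if the trace still
# crashes.  Operands keep their original hex width.

# Constructed assumption about the bug: the word at 0x1000 needs 0x8001 set,
# the byte on port 0x3f8 needs 0x01 set.
REQUIRED_BITS = {("write", 0x1000): 0x8001, ("outb", 0x3f8): 0x01}

# Constructed trace in qtest syntax: write ADDR SIZE DATA / outx ADDR VALUE.
TRACE = [
    "write 0x1000 0x4 0x0000ffff",
    "outb 0x3f8 0x3f",
    "write 0x2000 0x4 0x00000000",
]


def crashes(trace):
    """Constructed oracle standing in for a QEMU run: the trace 'crashes'
    when every required (command, addr) pair is present with its bits set."""
    seen = {}
    for line in trace:
        words = line.split()
        seen[(words[0], int(words[1], 16))] = int(words[-1], 16)
    return all((seen.get(key, 0) & bits) == bits
               for key, bits in REQUIRED_BITS.items())


def clear_bits_in_line(trace, i, crashes):
    """Clear as many set bits of trace[i]'s operand as the oracle allows,
    most significant bit first.  The operand keeps its original number of
    hex digits, so a 'write' with SIZE n still carries 2*n digits and an
    'outb' value stays two digits.  Updates trace[i] in place."""
    words = trace[i].split()
    operand = words[-1]
    width = len(operand) - 2                      # digits after the "0x"
    value = int(operand, 16)
    for bit in range(value.bit_length() - 1, -1, -1):
        if not (value >> bit) & 1:
            continue
        candidate = value & ~(1 << bit)
        line = " ".join(words[:-1] + ["0x" + format(candidate, "0%dx" % width)])
        if crashes(trace[:i] + [line] + trace[i + 1:]):
            value = candidate                     # keep the clear
            trace[i] = line
    return trace[i]


def clear_bits(trace, crashes):
    """Apply clear_bits_in_line to every write/out command of the trace."""
    trace = list(trace)
    for i, line in enumerate(trace):
        if line.startswith("write ") or line.startswith("out"):
            clear_bits_in_line(trace, i, crashes)
    return trace


if __name__ == "__main__":
    for line in clear_bits(TRACE, crashes):
        print(line)
```

With the constructed oracle the first line shrinks to `0x00008001` and the port write to `0x01`; the all-zero write has no set bits and is left alone. Each oracle call stands for one QEMU launch, so a 32-bit operand costs at most 32 launches per line.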




[PATCH v5 4/7] fuzz: remove IO commands iteratively

2021-01-07 Thread Qiuhao Li
Now we use a one-time scan and remove strategy in the minimizer,
which is not suitable for timing dependent instructions.

For example, instruction A will indicate an address where the config
chunk locates, and instruction B will make the configuration active.
If we have the following instruction sequence:

...
A1
B1
A2
B2
...

A2 and B2 are the actual instructions that trigger the bug.

If we scan from top to bottom, after we remove A1, the behavior of B1
might be unknowable, including not to crash the program. But we will
successfully remove B1 later because A2 and B2 will crash the process
anyway:

...
A1
A2
B2
...

Now one more trimming will remove A1.

In the perfect case, we would need to be able to remove A and B (or C!) at
the same time. But for now, let's just add a loop around the minimizer.

Since we only remove instructions, this iterative algorithm converges.

Tested with Bug 1908062.

Signed-off-by: Qiuhao Li 
---
 scripts/oss-fuzz/minimize_qtest_trace.py | 41 +++-
 1 file changed, 26 insertions(+), 15 deletions(-)

diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py 
b/scripts/oss-fuzz/minimize_qtest_trace.py
index 5cf39f4e6e..45c1627d32 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -71,21 +71,9 @@ def check_if_trace_crashes(trace, path):
 return False
 
 
-def minimize_trace(inpath, outpath):
-global TIMEOUT
-with open(inpath) as f:
-trace = f.readlines()
-start = time.time()
-if not check_if_trace_crashes(trace, outpath):
-sys.exit("The input qtest trace didn't cause a crash...")
-end = time.time()
-print("Crashed in {} seconds".format(end-start))
-TIMEOUT = (end-start)*5
-print("Setting the timeout for {} seconds".format(TIMEOUT))
-
-i = 0
-newtrace = trace[:]
+def remove_lines(newtrace, outpath):
 remove_step = 1
+i = 0
 while i < len(newtrace):
 # 1.) Try to remove lines completely and reproduce the crash.
 # If it works, we're done.
@@ -174,7 +162,30 @@ def minimize_trace(inpath, outpath):
 newtrace[i] = prior[0]
 del newtrace[i+1]
 i += 1
-check_if_trace_crashes(newtrace, outpath)
+
+
+def minimize_trace(inpath, outpath):
+global TIMEOUT
+with open(inpath) as f:
+trace = f.readlines()
+start = time.time()
+if not check_if_trace_crashes(trace, outpath):
+sys.exit("The input qtest trace didn't cause a crash...")
+end = time.time()
+print("Crashed in {} seconds".format(end-start))
+TIMEOUT = (end-start)*5
+print("Setting the timeout for {} seconds".format(TIMEOUT))
+
+newtrace = trace[:]
+
+# remove lines
+old_len = len(newtrace) + 1
+while(old_len > len(newtrace)):
+old_len = len(newtrace)
+remove_lines(newtrace, outpath)
+newtrace = list(filter(lambda s: s != "", newtrace))
+
+assert(check_if_trace_crashes(newtrace, outpath))
 
 
 if __name__ == '__main__':
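Review bot: each iteration of `while(old_len > len(newtrace))` re-runs all three steps of `remove_lines`, including the write{bwlq} conversion and the write splitting, which are the expensive part, while the commit message only motivates repeating the removal step. Either loop only over step 1, or say in the comment that the full pass is re-run on purpose (a split that failed earlier may succeed once other lines are gone). The loop also relies on `remove_lines` leaving "" entries so that `len(newtrace)` only changes after the `filter`, and `old_len = len(newtrace) + 1` reads as a trick without a comment explaining that.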
-- 
2.25.1




[PATCH v5 3/7] fuzz: split write operand using binary approach

2021-01-07 Thread Qiuhao Li
Currently, we split the write commands' data from the middle. If it does not
work, try to move the pivot left by one byte and retry until there is no
space.

But, this method has two flaws:

1. It may fail to trim all unnecessary bytes on the right side.

For example, there is an IO write command:

  write addr uuuu

u is the unnecessary byte for the crash. Unlike ram write commands, in most
cases a split IO write won't trigger the same crash, so if we split from the
middle, we will get:

  write addr uu (will be removed in next round)
  write addr uu

For uu, since splitting it from the middle and retrying down to the leftmost
byte won't get the same crash, we will be stopped from removing the last two
bytes.

2. The algorithm complexity is O(n) since we move the pivot byte by byte.

To solve the first issue, we can try a symmetrical position on the right if
we fail on the left. As for the second issue, instead of moving by one byte,
we can approach the boundary exponentially, achieving O(log(n)).

Give an example (len=6):

  6/2=3     fail
  6/2^2=1   fail
  6-1=5     success, u removed
  5/2=2     fail
  6-2=4     success, u removed

In some rare cases, this algorithm will fail to trim all unnecessary bytes:

  xuxx
  -xuxx Fail
  -xuxx Fail
  xuxx- Fail
  ...

I think the trade-off is worth it.

Signed-off-by: Qiuhao Li 
---
 scripts/oss-fuzz/minimize_qtest_trace.py | 29 
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py 
b/scripts/oss-fuzz/minimize_qtest_trace.py
index cfe8f7854c..5cf39f4e6e 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -94,7 +94,7 @@ def minimize_trace(inpath, outpath):
 prior = newtrace[i:i+remove_step]
 for j in range(i, i+remove_step):
 newtrace[j] = ""
-print("Removing {lines} ...".format(lines=prior))
+print("Removing {lines} ...\n".format(lines=prior))
 if check_if_trace_crashes(newtrace, outpath):
 i += remove_step
 # Double the number of lines to remove for next round
@@ -107,9 +107,11 @@ def minimize_trace(inpath, outpath):
 remove_step = 1
 continue
 newtrace[i] = prior[0] # remove_step = 1
+
 # 2.) Try to replace write{bwlq} commands with a write addr, len
 # command. Since this can require swapping endianness, try both LE and
 # BE options. We do this, so we can "trim" the writes in (3)
+
 if (newtrace[i].startswith("write") and not
 newtrace[i].startswith("write ")):
 suffix = newtrace[i].split()[0][-1]
@@ -130,11 +132,15 @@ def minimize_trace(inpath, outpath):
 newtrace[i] = prior[0]
 
 # 3.) If it is a qtest write command: write addr len data, try to split
-# it into two separate write commands. If splitting the write down the
-# middle does not work, try to move the pivot "left" and retry, until
-# there is no space left. The idea is to prune unneccessary bytes from
-# long writes, while accommodating arbitrary MemoryRegion access sizes
-# and alignments.
+# it into two separate write commands. If splitting the data operand
+# from length/2^n bytes to the left does not work, try to move the 
pivot
+# to the right side, then add one to n, until length/2^n == 0. The idea
+# is to prune unneccessary bytes from long writes, while accommodating
+# arbitrary MemoryRegion access sizes and alignments.
+
+# This algorithm will fail under some rare situations.
+# e.g., xuxx (u is the unnecessary byte)
+
 if newtrace[i].startswith("write "):
 addr = int(newtrace[i].split()[1], 16)
 length = int(newtrace[i].split()[2], 16)
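Review bot: typo "unneccessary" in the rewritten comment. The comment describes the pivot moving "from length/2^n bytes to the left ... then to the right side, then add one to n, until length/2^n == 0" but never states the termination cost; say that the loop ends when `int(length / 2**n)` reaches 0, i.e. after about log2(length) rounds of two attempts each, which is the O(log n) claim from the commit message. The `xuxx` remark also needs one line on why it fails: with a necessary byte on each side of the unnecessary one, no single pivot separates it from both.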
@@ -143,6 +149,7 @@ def minimize_trace(inpath, outpath):
 leftlength = int(length/2)
 rightlength = length - leftlength
 newtrace.insert(i+1, "")
+power = 1
 while leftlength > 0:
 newtrace[i] = "write {addr} {size} 0x{data}\n".format(
 addr=hex(addr),
@@ -154,9 +161,13 @@ def minimize_trace(inpath, outpath):
 data=data[leftlength*2:])
 if 
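
The pivot search described above, as an added example that is not part of this patch or of QEMU's scripts/oss-fuzz/minimize_qtest_trace.py. Writes are modelled as (addr, bytes) pairs and the crash oracle `make_oracle()` is constructed: it stands in for a QEMU run and fires only when a single write covers a fixed set of bytes, which is the "a split IO write won't trigger the same crash" behaviour the commit message assumes. `split_write()` follows the pivot sequence of the commit message (len/2, then len/4 and its mirror, and so on until the pivot reaches zero); `trim_writes()` wraps it in the remove-or-split loop, and the second input shows the rare case where a needed byte sits on both sides of the unnecessary one and nothing can be trimmed.

```python
# Added example (not from the patch): trim a qtest "write ADDR SIZE DATA"
# by splitting it at pivot SIZE/2^n from the left, then at the mirrored
# position from the right, increasing n until the pivot reaches zero.
# A write is an (addr, bytes) pair here; to_qtest() renders the trace.


def make_oracle(needed):
    """Constructed oracle standing in for a QEMU run.  `needed` maps address
    -> byte; the 'device' faults only when ONE write covers every needed
    address with the right byte, so a field split across two accesses does
    not reproduce the crash."""
    def crashes(trace):
        return any(all(addr <= a < addr + len(data) and data[a - addr] == b
                       for a, b in needed.items())
                   for addr, data in trace)
    return crashes


def split_write(trace, i, crashes):
    """Try to split trace[i] into two writes that still reproduce.
    Pivots tried: len/2, then len/4 and len - len/4, then len/8 and
    len - len/8, ... until len/2^n == 0.  Modifies trace in place and
    returns True on success."""
    addr, data = trace[i]
    length = len(data)
    power = 1
    left = length >> power
    while left > 0:
        # an exact half split has no distinct mirror
        pivots = [left] if 2 * left == length else [left, length - left]
        for cut in pivots:
            halves = [(addr, data[:cut]), (addr + cut, data[cut:])]
            if crashes(trace[:i] + halves + trace[i + 1:]):
                trace[i:i + 1] = halves
                return True
        power += 1
        left = length >> power
    return False


def trim_writes(trace, crashes):
    """Drop writes that are not needed and split the rest, repeating until
    a full pass changes nothing."""
    trace = list(trace)
    changed = True
    while changed:
        changed = False
        i = 0
        while i < len(trace):
            without = trace[:i] + trace[i + 1:]
            if crashes(without):
                trace, changed = without, True
                continue                    # same i now holds the next write
            if len(trace[i][1]) > 1 and split_write(trace, i, crashes):
                changed = True
                continue                    # re-examine the new left half
            i += 1
    return trace


def to_qtest(trace):
    """Render (addr, bytes) writes as qtest 'write' commands."""
    return ["write %#x %#x 0x%s" % (addr, len(data), data.hex())
            for addr, data in trace]


# Constructed inputs.  Case 1: one 8-byte write at 0x10, the bug needs the
# bytes de ad be at 0x15..0x17 in a single access.  Case 2: the "xuxx"
# shape from the commit message, byte 0x11 unnecessary but surrounded by
# needed bytes, which this search cannot trim.
WRITE = [(0x10, bytes.fromhex("0011223344deadbe"))]
FIELD = {0x15: 0xde, 0x16: 0xad, 0x17: 0xbe}
STUCK_WRITE = [(0x10, bytes.fromhex("00112233"))]
STUCK_FIELD = {0x10: 0x00, 0x12: 0x22, 0x13: 0x33}

if __name__ == "__main__":
    print(to_qtest(trim_writes(WRITE, make_oracle(FIELD))))
    print(to_qtest(trim_writes(STUCK_WRITE, make_oracle(STUCK_FIELD))))
```

For the first input the 8-byte write is first halved (the right half still reproduces), the left half is dropped, the 4-byte remainder needs the 1/3 pivot before its first byte can go, and the result is `write 0x15 0x3 0xdeadbe`. Each oracle call stands for one QEMU launch, which is what the O(log n) argument in the commit message counts.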

[PATCH v5 2/7] fuzz: double the IOs to remove for every loop

2021-01-07 Thread Qiuhao Li
Instead of removing IO instructions one by one, we can try deleting multiple
instructions at once. According to the locality of reference, we double the
number of instructions to remove for the next round and recover it to one
once we fail.

This patch is usually significant for large input.

Test with quadrupled trace input at:
  https://bugs.launchpad.net/qemu/+bug/1890333/comments/1

Patched 1/6 version:
  real  0m45.904s
  user  0m16.874s
  sys   0m10.042s

Refined version:
  real  0m11.412s
  user  0m6.888s
  sys   0m3.325s

Signed-off-by: Qiuhao Li 
---
 scripts/oss-fuzz/minimize_qtest_trace.py | 33 +++-
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py 
b/scripts/oss-fuzz/minimize_qtest_trace.py
index 57dcaaeba3..cfe8f7854c 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -85,19 +85,28 @@ def minimize_trace(inpath, outpath):
 
 i = 0
 newtrace = trace[:]
-# For each line
+remove_step = 1
 while i < len(newtrace):
-# 1.) Try to remove it completely and reproduce the crash. If it works,
-# we're done.
-prior = newtrace[i]
-print("Trying to remove {}".format(newtrace[i]))
-# Try to remove the line completely
-newtrace[i] = ""
+# 1.) Try to remove lines completely and reproduce the crash.
+# If it works, we're done.
+if (i+remove_step) >= len(newtrace):
+remove_step = 1
+prior = newtrace[i:i+remove_step]
+for j in range(i, i+remove_step):
+newtrace[j] = ""
+print("Removing {lines} ...".format(lines=prior))
 if check_if_trace_crashes(newtrace, outpath):
-i += 1
+i += remove_step
+# Double the number of lines to remove for next round
+remove_step *= 2
 continue
-newtrace[i] = prior
-
+# Failed to remove multiple IOs, fast recovery
+if remove_step > 1:
+for j in range(i, i+remove_step):
+newtrace[j] = prior[j-i]
+remove_step = 1
+continue
+newtrace[i] = prior[0] # remove_step = 1
 # 2.) Try to replace write{bwlq} commands with a write addr, len
 # command. Since this can require swapping endianness, try both LE and
 # BE options. We do this, so we can "trim" the writes in (3)
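Review bot: `if (i+remove_step) >= len(newtrace): remove_step = 1` resets one line too early: when `i + remove_step == len(newtrace)` the batch fits exactly, so the last window is never tried as a batch; `>` is the intended bound. Also `prior` is now either a list of `remove_step` lines or of one, and the later `newtrace[i] = prior[0]` is only valid because the fast-recovery branch resets `remove_step` to 1 and `continue`s before reaching it; the `# remove_step = 1` comment is the only hint of that invariant, so spell it out where `prior` is assigned.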
@@ -118,7 +127,7 @@ def minimize_trace(inpath, outpath):
 if(check_if_trace_crashes(newtrace, outpath)):
 break
 else:
-newtrace[i] = prior
+newtrace[i] = prior[0]
 
 # 3.) If it is a qtest write command: write addr len data, try to split
 # it into two separate write commands. If splitting the write down the
@@ -151,7 +160,7 @@ def minimize_trace(inpath, outpath):
 if check_if_trace_crashes(newtrace, outpath):
 i -= 1
 else:
-newtrace[i] = prior
+newtrace[i] = prior[0]
 del newtrace[i+1]
 i += 1
 check_if_trace_crashes(newtrace, outpath)
-- 
2.25.1
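
The doubling removal of patch 2/7 and the outer re-run loop of patch 4/7 together, as an added example that is not part of either patch or of QEMU's minimize_qtest_trace.py. The trace and the oracle are constructed: `crashes()` stands in for a QEMU run of the trace and models the A1/B1, A2/B2 dependency from the 4/7 commit message (activating a block that was not selected leaves the device in an undefined state, treated as no crash). Lines are deleted outright rather than blanked to "", so `len()` changes within a pass.

```python
# Added example (not from the patches): one-pass line removal with the
# doubling batch size of patch 2/7, wrapped in the re-run loop of 4/7.

# Constructed trace in qtest syntax.  Writes to 0x100 select a config block
# (the "A" lines), writes to 0x104 activate the selected block (the "B"
# lines), writes to 0x200 are padding.  The bug fires when block 2 is
# activated right after being selected (A2 then B2).
TRACE = [
    "writel 0x100 0x00000001",   # A1
    "writel 0x200 0x00000000",   # padding
    "writel 0x104 0x00000001",   # B1
    "writel 0x200 0x00000000",   # padding
    "writel 0x100 0x00000002",   # A2
    "writel 0x200 0x00000000",   # padding
    "writel 0x104 0x00000002",   # B2
]


def crashes(trace):
    """Constructed oracle standing in for a QEMU run.  Activating a block
    that is not the currently selected one puts the device in an undefined
    state, modelled as 'no crash'; that is what makes B1 depend on A1."""
    selected = None
    for line in trace:
        _, addr, value = line.split()
        addr, value = int(addr, 16), int(value, 16)
        if addr == 0x100:
            selected = value
        elif addr == 0x104:
            if value != selected:
                return False
            if value == 2:
                return True
    return False


def remove_lines(trace, crashes):
    """One top-to-bottom pass.  After each successful removal the batch size
    doubles; after a failed batch it drops back to one and the same position
    is retried line by line (patch 2/7)."""
    trace = list(trace)
    i, step = 0, 1
    while i < len(trace):
        if i + step > len(trace):
            step = 1
        candidate = trace[:i] + trace[i + step:]
        if crashes(candidate):
            trace = candidate            # i now points at the next survivor
            step *= 2
            continue
        if step > 1:
            step = 1                     # fast recovery: retry this i singly
            continue
        i += 1
    return trace


def minimize(trace, crashes):
    """Repeat remove_lines until a pass removes nothing (patch 4/7).
    Returns the minimized trace and the number of passes run."""
    assert crashes(trace), "input trace must reproduce the crash"
    passes = 0
    while True:
        passes += 1
        smaller = remove_lines(trace, crashes)
        if len(smaller) == len(trace):
            return smaller, passes
        trace = smaller


if __name__ == "__main__":
    final, passes = minimize(TRACE, crashes)
    print("%d passes:" % passes)
    for line in final:
        print(line)
```

With this input a single `remove_lines()` pass leaves A1 behind, because dropping A1 orphans B1 and the oracle stops crashing; the second pass removes A1 once B1 is gone, and a third pass confirms that only A2 and B2 remain.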




[PATCH v5 1/7] fuzz: accelerate non-crash detection

2021-01-07 Thread Qiuhao Li
We spend much time waiting for the timeout program during the minimization
process until it passes a time limit. This patch hacks the CLOSED (indicates
the redirection file closed) notification in QTest's output if it doesn't
crash.

Test with quadrupled trace input at:
  https://bugs.launchpad.net/qemu/+bug/1890333/comments/1

Original version:
  real  1m37.246s
  user  0m13.069s
  sys   0m8.399s

Refined version:
  real  0m45.904s
  user  0m16.874s
  sys   0m10.042s

Signed-off-by: Qiuhao Li 
---
 scripts/oss-fuzz/minimize_qtest_trace.py | 39 
 1 file changed, 27 insertions(+), 12 deletions(-)

diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py 
b/scripts/oss-fuzz/minimize_qtest_trace.py
index 5e405a0d5f..57dcaaeba3 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -29,8 +29,14 @@ whether the crash occred. Optionally, manually set a string 
that idenitifes the
 crash by setting CRASH_TOKEN=
 """.format((sys.argv[0])))
 
+deduplication_note = """\n\
+Note: While trimming the input, sometimes the mutated trace triggers a 
different
+crash output but indicates the same bug. Under this situation, our minimizer is
+incapable of recognizing and stopped from removing it. In the future, we may
+use a more sophisticated crash case deduplication method.
+\n"""
+
 def check_if_trace_crashes(trace, path):
-global CRASH_TOKEN
 with open(path, "w") as tracefile:
 tracefile.write("".join(trace))
 
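Review bot: the user-facing `deduplication_note` is hard to parse ("our minimizer is incapable of recognizing and stopped from removing it"); state what actually happens: a mutated trace that crashes with different output is treated as not crashing, so the line is kept. The string also opens and closes with a literal `\n` on top of the triple-quote newline, which prints two blank lines on each side; one is enough.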
@@ -41,18 +47,28 @@ def check_if_trace_crashes(trace, path):
trace_path=path),
   shell=True,
   stdin=subprocess.PIPE,
-  stdout=subprocess.PIPE)
-stdo = rc.communicate()[0]
-output = stdo.decode('unicode_escape')
-if rc.returncode == 137:# Timed Out
-return False
-if len(output.splitlines()) < 2:
-return False
-
+  stdout=subprocess.PIPE,
+  encoding="utf-8")
+global CRASH_TOKEN
 if CRASH_TOKEN is None:
-CRASH_TOKEN = output.splitlines()[-2]
+try:
+outs, _ = rc.communicate(timeout=5)
+CRASH_TOKEN = outs.splitlines()[-2]
+except subprocess.TimeoutExpired:
+print("subprocess.TimeoutExpired")
+return False
+print("Identifying Crashes by this string: {}".format(CRASH_TOKEN))
+global deduplication_note
+print(deduplication_note)
+return True
 
-return CRASH_TOKEN in output
+for line in iter(rc.stdout.readline, b''):
+if "CLOSED" in line:
+return False
+if CRASH_TOKEN in line:
+return True
+
+return False
 
 
 def minimize_trace(inpath, outpath):
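Review bot: `for line in iter(rc.stdout.readline, b'')` never terminates on EOF: the pipe was opened with `encoding="utf-8"`, so `readline()` returns the text `""` at end of file, which never equals the bytes sentinel `b''`; if QEMU exits (or is killed by `timeout`) without printing "CLOSED" or the token, this loop spins forever. Use `iter(rc.stdout.readline, "")`. Two further points: both early `return`s leave the child running and unreaped (put `rc.kill(); rc.wait()` in a `finally`), and the first call uses `communicate(timeout=5)` rather than `TIMEOUT` and returns True unconditionally, so a first run that ends normally is still accepted as a crash with its second-to-last output line as the token.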
@@ -66,7 +82,6 @@ def minimize_trace(inpath, outpath):
 print("Crashed in {} seconds".format(end-start))
 TIMEOUT = (end-start)*5
 print("Setting the timeout for {} seconds".format(TIMEOUT))
-print("Identifying Crashes by this string: {}".format(CRASH_TOKEN))
 
 i = 0
 newtrace = trace[:]
-- 
2.25.1
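
The line-by-line crash detection this commit message describes, as an added example that is not part of the patch or of QEMU's minimize_qtest_trace.py. `fake_qemu()` is a constructed stand-in for the QEMU command line (a Python one-liner printing canned output), and the sanitizer lines and the `[I ...] CLOSED` line it prints are constructed too. The text-mode pipe is read with the `""` sentinel, the child is killed by a timer instead of an external `timeout` wrapper, and it is always reaped.

```python
# Added example (not from the patch): decide whether one QEMU run reproduced
# the crash by reading its output line by line, returning as soon as the
# crash token or the qtest "CLOSED" line shows up, with a hard timeout and
# the child always reaped.  A tiny Python script stands in for QEMU.
import subprocess
import sys
import threading


def trace_crashes(cmd, crash_token, timeout):
    """Run cmd (argv list).  True as soon as crash_token appears on
    stdout/stderr, False on the qtest "CLOSED" line, on EOF, or when the
    child is killed after `timeout` seconds."""
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT,
                            encoding="utf-8", errors="replace")
    killer = threading.Timer(timeout, proc.kill)   # hard stop, like timeout -s 9
    killer.start()
    try:
        # Text-mode pipe: readline() returns "" at EOF, so "" is the sentinel
        # (a b'' sentinel would never match and the loop would never end).
        for line in iter(proc.stdout.readline, ""):
            if "CLOSED" in line:
                return False
            if crash_token in line:
                return True
        return False
    finally:
        killer.cancel()
        proc.kill()        # harmless if the child already exited
        proc.wait()        # reap it so no zombie is left behind


def fake_qemu(lines, hang=False):
    """Constructed stand-in for the QEMU command line: prints `lines`, one
    per line and flushed, and optionally hangs afterwards like a guest that
    neither crashes nor closes the qtest socket."""
    script = ("import sys, time\n"
              "for l in %r:\n"
              "    print(l); sys.stdout.flush()\n" % (lines,))
    if hang:
        script += "time.sleep(60)\n"
    return [sys.executable, "-c", script]


# Constructed outputs: what a sanitizer crash, a clean run and a hung run
# would print.
CRASH_OUTPUT = ["[I 0.000000] OPENED",
                "==4242==ERROR: AddressSanitizer: heap-buffer-overflow",
                "SUMMARY: AddressSanitizer: heap-buffer-overflow"]
CLEAN_OUTPUT = ["[I 0.000000] OPENED", "[I 0.004321] CLOSED"]
HUNG_OUTPUT = ["[I 0.000000] OPENED"]
TOKEN = "AddressSanitizer: heap-buffer-overflow"

if __name__ == "__main__":
    print("crash:", trace_crashes(fake_qemu(CRASH_OUTPUT), TOKEN, 10))
    print("clean:", trace_crashes(fake_qemu(CLEAN_OUTPUT), TOKEN, 10))
    print("hung: ", trace_crashes(fake_qemu(HUNG_OUTPUT, hang=True), TOKEN, 1))
```

The clean run returns as soon as "CLOSED" is read rather than after the full timeout, which is the speed-up the commit message measures; the hung run returns False once the timer kills the child and `readline()` hits EOF.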




[PATCH v5 0/7] fuzz: improve crash case minimization

2021-01-07 Thread Qiuhao Li
Extend and refine the crash case minimization process.

Test input:
  Bug 1909261 full_reproducer
  6500 QTest instructions (write mostly)

Refined (-M1 minimization level) vs. Original version:
  real  38m31.942s  <-- real  532m57.192s
  user  28m18.188s  <-- user  89m0.536s
  sys   12m42.239s  <-- sys   50m33.074s
  2558 instructions <-- 2846 instructions

Test Environment:
  i7-8550U, 16GB LPDDR3, SSD 
  Ubuntu 20.04.1 5.4.0-58-generic x86_64
  Python 3.8.5

v5:
  Fix: send SIGKILL on timeout
  Fix: rename minimization functions

v4:
  Fix: messy diff in [PATCH v3 4/7]

v3:
  Fix: checkpatch.pl errors

v2: 
  New: [PATCH v2 1/7]
  New: [PATCH v2 2/7]
  New: [PATCH v2 4/7]
  New: [PATCH v2 6/7]
  New: [PATCH v2 7/7]
  Fix: [PATCH 2/4] split using binary approach
  Fix: [PATCH 3/4] typo in comments
  Discard: [PATCH 1/4] the hardcoded regex match for crash detection
  Discard: [PATCH 4/4] the delaying minimizer
  
Thanks for the suggestions from:
  Alexander Bulekov

Qiuhao Li (7):
  fuzz: accelerate non-crash detection
  fuzz: double the IOs to remove for every loop
  fuzz: split write operand using binary approach
  fuzz: remove IO commands iteratively
  fuzz: set bits in operand of write/out to zero
  fuzz: add minimization options
  fuzz: heuristic split write based on past IOs

 scripts/oss-fuzz/minimize_qtest_trace.py | 257 ++-
 1 file changed, 210 insertions(+), 47 deletions(-)

-- 
2.25.1




Re: [PATCH v4 4/7] fuzz: loop the remove minimizer and refactoring

2021-01-07 Thread Qiuhao Li
On Wed, 2021-01-06 at 23:53 -0500, Alexander Bulekov wrote:
> On 201229 1240, Qiuhao Li wrote:
> > Now we use a one-time scan and remove strategy in the removal
> > minimizer,
> > which is not suitable for timing dependent instructions.
> > 
> > For example, instruction A will indicate an address where the
> > config
> > chunk locates, and instruction B will make the configuration
> > active. If
> > we have the following instruction sequence:
> > 
> > ...
> > A1
> > B1
> > A2
> > B2
> > ...
> > 
> > A2 and B2 are the actual instructions that trigger the bug.
> > 
> > If we scan from top to bottom, after we remove A1, the behavior of
> > B1
> > might be unknowable, including not to crash the program. But we
> > will
> > successfully remove B1 later cause A2 and B2 will crash the process
> > anyway:
> > 
> > ...
> > A1
> > A2
> > B2
> > ...
> > 
> > Now one more trimming will remove A1.
> > 
> > In the perfect case, we would need to be able to remove A and B (or
> > C!) at
> > the same time. But for now, let's just add a loop around the
> > minimizer.
> > 
> > Since we only remove instructions, this iterative algorithm is
> > converging.
> > 
> > Tested with Bug 1908062.
> > 
> > Signed-off-by: Qiuhao Li 
> 
> Small note below, but otherwise:
> Reviewed-by: Alexander Bulekov 
> 
> > ---
> >  scripts/oss-fuzz/minimize_qtest_trace.py | 41 +++-
> > 
> >  1 file changed, 26 insertions(+), 15 deletions(-)
> > 
> > diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py
> > b/scripts/oss-fuzz/minimize_qtest_trace.py
> > index 1a26bf5b93..378a7ccec6 100755
> > --- a/scripts/oss-fuzz/minimize_qtest_trace.py
> > +++ b/scripts/oss-fuzz/minimize_qtest_trace.py
> > @@ -71,21 +71,9 @@ def check_if_trace_crashes(trace, path):
> >  return False
> >  
> >  
> > -def minimize_trace(inpath, outpath):
> > -global TIMEOUT
> > -with open(inpath) as f:
> > -trace = f.readlines()
> > -start = time.time()
> > -if not check_if_trace_crashes(trace, outpath):
> > -sys.exit("The input qtest trace didn't cause a crash...")
> > -end = time.time()
> > -print("Crashed in {} seconds".format(end-start))
> > -TIMEOUT = (end-start)*5
> > -print("Setting the timeout for {} seconds".format(TIMEOUT))
> > -
> > -i = 0
> > -newtrace = trace[:]
> > +def remove_minimizer(newtrace, outpath):
> 
> Maybe a different name for this function?
> e.g. minimize_each_line or minimize_iter
> 
> -Alex

Ok, changed to remove_lines in version 5, thanks.

> 
> >  remove_step = 1
> > +i = 0
> >  while i < len(newtrace):
> >  # 1.) Try to remove lines completely and reproduce the
> > crash.
> >  # If it works, we're done.
> > @@ -174,7 +162,30 @@ def minimize_trace(inpath, outpath):
> >  newtrace[i] = prior[0]
> >  del newtrace[i+1]
> >  i += 1
> > -check_if_trace_crashes(newtrace, outpath)
> > +
> > +
> > +def minimize_trace(inpath, outpath):
> > +global TIMEOUT
> > +with open(inpath) as f:
> > +trace = f.readlines()
> > +start = time.time()
> > +if not check_if_trace_crashes(trace, outpath):
> > +sys.exit("The input qtest trace didn't cause a crash...")
> > +end = time.time()
> > +print("Crashed in {} seconds".format(end-start))
> > +TIMEOUT = (end-start)*5
> > +print("Setting the timeout for {} seconds".format(TIMEOUT))
> > +
> > +newtrace = trace[:]
> > +
> > +# remove minimizer
> > +old_len = len(newtrace) + 1
> > +while(old_len > len(newtrace)):
> > +old_len = len(newtrace)
> > +remove_minimizer(newtrace, outpath)
> > +newtrace = list(filter(lambda s: s != "", newtrace))
> > +
> > +assert(check_if_trace_crashes(newtrace, outpath))
> >  
> >  
> >  if __name__ == '__main__':
> > -- 
> > 2.25.1
> > 




Re: [PATCH v4 1/7] fuzz: accelerate non-crash detection

2021-01-07 Thread Qiuhao Li
On Wed, 2021-01-06 at 23:18 -0500, Alexander Bulekov wrote:
> On 201229 1240, Qiuhao Li wrote:
> > We spend much time waiting for the timeout program during the
> > minimization
> > process until it passes a time limit. This patch hacks the CLOSED
> > (indicates
> > the redirection file closed) notification in QTest's output if it
> > doesn't
> > crash.
> > 
> > Test with quadrupled trace input at:
> >   https://bugs.launchpad.net/qemu/+bug/1890333/comments/1
> > 
> > Original version:
> >   real  1m37.246s
> >   user  0m13.069s
> >   sys   0m8.399s
> > 
> > Refined version:
> >   real  0m45.904s
> >   user  0m16.874s
> >   sys   0m10.042s
> > 
> > Signed-off-by: Qiuhao Li 
> > ---
> >  scripts/oss-fuzz/minimize_qtest_trace.py | 41 --
> > --
> >  1 file changed, 28 insertions(+), 13 deletions(-)
> > 
> > diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py
> > b/scripts/oss-fuzz/minimize_qtest_trace.py
> > index 5e405a0d5f..aa69c7963e 100755
> > --- a/scripts/oss-fuzz/minimize_qtest_trace.py
> > +++ b/scripts/oss-fuzz/minimize_qtest_trace.py
> > @@ -29,30 +29,46 @@ whether the crash occred. Optionally, manually
> > set a string that idenitifes the
> >  crash by setting CRASH_TOKEN=
> >  """.format((sys.argv[0])))
> >  
> > +deduplication_note = """\n\
> > +Note: While trimming the input, sometimes the mutated trace
> > triggers a different
> > +crash output but indicates the same bug. Under this situation, our
> > minimizer is
> > +incapable of recognizing and stopped from removing it. In the
> > future, we may
> > +use a more sophisticated crash case deduplication method.
> > +\n"""
> > +
> >  def check_if_trace_crashes(trace, path):
> > -global CRASH_TOKEN
> >  with open(path, "w") as tracefile:
> >  tracefile.write("".join(trace))
> >  
> > -rc = subprocess.Popen("timeout -s 9 {timeout}s {qemu_path}
> > {qemu_args} 2>&1\
> > +proc = subprocess.Popen("timeout {timeout}s {qemu_path}
> > {qemu_args} 2>&1\
> 
> Why remove the -s 9 here? I ran into a case where the minimizer got
> stuck on one iteration. Adding back "sigkill" to the timeout can be a
> safety net to catch those bad cases.
> -Alex

Oops, I thought SIGKILL was the default signal that timeout sends.
Fixed in version 5, thanks.

> 
> >  < {trace_path}".format(timeout=TIMEOUT,
> > qemu_path=QEMU_PATH,
> > qemu_args=QEMU_ARGS,
> > trace_path=path),
> >shell=True,
> >stdin=subprocess.PIPE,
> > -  stdout=subprocess.PIPE)
> > -stdo = rc.communicate()[0]
> > -output = stdo.decode('unicode_escape')
> > -if rc.returncode == 137:# Timed Out
> > -return False
> > -if len(output.splitlines()) < 2:
> > -return False
> > -
> > +  stdout=subprocess.PIPE,
> > +  encoding="utf-8")
> > +global CRASH_TOKEN
> >  if CRASH_TOKEN is None:
> > -CRASH_TOKEN = output.splitlines()[-2]
> > +try:
> > +outs, _ = proc.communicate(timeout=5)
> > +CRASH_TOKEN = outs.splitlines()[-2]
> > +except subprocess.TimeoutExpired:
> > +print("subprocess.TimeoutExpired")
> > +return False
> > +print("Identifying Crashes by this string:
> > {}".format(CRASH_TOKEN))
> > +global deduplication_note
> > +print(deduplication_note)
> > +return True
> >  
> > -return CRASH_TOKEN in output
> > +for line in iter(proc.stdout.readline, b''):
> > +if "CLOSED" in line:
> > +return False
> > +if CRASH_TOKEN in line:
> > +return True
> > +
> > +return False
> >  
> >  
> >  def minimize_trace(inpath, outpath):
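Review bot: the loop `for line in iter(proc.stdout.readline, b'')` cannot terminate at EOF: with `encoding="utf-8"` the pipe is in text mode, so readline() returns `''` once the target is gone, and `''` never equals the `b''` sentinel. A target that exits, or is killed by `timeout`, without printing either CLOSED or CRASH_TOKEN therefore makes this function spin forever on empty reads, which is exactly the "stuck on one iteration" symptom reported above. The sentinel should be `''`, and the loop needs a fall-through after EOF (`proc.wait()` and `return False`). Two smaller points in the same hunk: nothing kills or reaps the child once the token is seen, so every `return True` leaves a QEMU running until `timeout` fires, and `encoding=` is set but the `2>&1` redirection means stderr is merged through the shell rather than with `stderr=subprocess.STDOUT`, which is fine but worth a comment since the line-by-line reader now depends on that ordering.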
> > @@ -66,7 +82,6 @@ def minimize_trace(inpath, outpath):
> >  print("Crashed in {} seconds".format(end-start))
> >  TIMEOUT = (end-start)*5
> >  print("Setting the timeout for {} seconds".format(TIMEOUT))
> > -print("Identifying Crashes by this string:
> > {}".format(CRASH_TOKEN))
> >  
> >  i = 0
> >  newtrace = trace[:]
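Review bot: TIMEOUT is still derived here from how long the first check_if_trace_crashes() call took, but with this change that first call (CRASH_TOKEN is None) waits at most five seconds in `proc.communicate(timeout=5)`, so a crash that needs longer than that to reproduce is reported as `subprocess.TimeoutExpired`, returns False, and the seed trace is treated as non-crashing before "Crashed in ... seconds" is ever printed. Using the initial TIMEOUT for that communicate() call, or naming the five seconds as a documented constant, would keep the timing logic in this hunk meaningful.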
> > -- 
> > 2.25.1
> > 
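The crash-versus-no-crash classification the patch is after, as an added example rather than the code of scripts/oss-fuzz/minimize_qtest_trace.py: stop reading the target's output as soon as either the crash token or the clean-exit line appears, kill a hung target with SIGKILL (the `timeout -s 9` point raised in the reply), and use the `''` sentinel that a text-mode pipe actually returns at EOF. The targets are stand-ins constructed inline with `python -c` so it runs offline; `fake_target`, `run_and_classify` and `CLOSED_MARKER` are this example's names, not QTest's.

```python
"""Classify a fuzz target run as crash / clean / timeout / exited.

Added example, not the minimizer from the patch.  Edge cases it handles:
  * a hung target is SIGKILLed by a watchdog (proc.kill()), not merely
    SIGTERMed, which is what a bare `timeout` would do by default;
  * the pipe is opened in text mode, so readline() yields '' at EOF and
    the iter() sentinel must be '' (a b'' sentinel would loop forever).
"""
import subprocess
import sys
import threading

CLOSED_MARKER = "CLOSED"   # stand-in for the line a target prints on a clean exit


def _kill(proc, flag=None):
    """Watchdog: SIGKILL the target if it is still alive; flag records that we did."""
    if proc.poll() is None:
        if flag is not None:
            flag.set()
        try:
            proc.kill()        # SIGKILL on POSIX, TerminateProcess on Windows
        except ProcessLookupError:
            pass


def run_and_classify(argv, crash_token, timeout):
    """Run argv and return "crash", "clean", "timeout" or "exited".

    crash   : crash_token appeared in the combined stdout/stderr
    clean   : CLOSED_MARKER appeared first (target finished normally)
    timeout : neither appeared within `timeout` seconds; target was killed
    exited  : target closed its output without printing either marker
    """
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT,
                            encoding="utf-8", errors="replace")
    timed_out = threading.Event()
    watchdog = threading.Timer(timeout, _kill, args=(proc, timed_out))
    watchdog.start()
    verdict = "exited"
    try:
        # Text mode: EOF is '' (a b'' sentinel here would never match).
        for line in iter(proc.stdout.readline, ""):
            if crash_token in line:
                verdict = "crash"
                break
            if CLOSED_MARKER in line:
                verdict = "clean"
                break
    finally:
        watchdog.cancel()
        _kill(proc)            # make sure nothing is left running
        proc.wait()            # ... and reap it
        proc.stdout.close()
    if timed_out.is_set() and verdict == "exited":
        verdict = "timeout"
    return verdict


def fake_target(kind):
    """argv for a constructed stand-in target; 'crash' mimics an ASan report line."""
    body = {
        "crash": "print('booting'); "
                 "print('==4242==ERROR: AddressSanitizer: heap-buffer-overflow'); "
                 "raise SystemExit(1)",
        "clean": "print('booting'); print('CLOSED'); raise SystemExit(0)",
        "hang": "import time; print('booting'); time.sleep(600)",
        "silent": "raise SystemExit(0)",
    }[kind]
    return [sys.executable, "-u", "-c", body]   # -u: unbuffered stdout


if __name__ == "__main__":
    for kind in ("crash", "clean", "hang", "silent"):
        print(kind, "->", run_and_classify(fake_target(kind), "AddressSanitizer", 2))
```

The watchdog thread is what makes the hung case terminate: once the child is killed the write end of the pipe closes, readline() returns `''`, and the loop ends with the `timed_out` flag set. A real minimizer would substitute the QEMU command line for `fake_target()` and the first-run crash line for the token.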




Re: [PATCH v1] s390x/tcg: Fix RISBHG

2021-01-07 Thread Nick Desaulniers via
On Thu, Jan 7, 2021 at 3:27 PM David Hildenbrand  wrote:
>
>
> > Am 08.01.2021 um 00:21 schrieb Nick Desaulniers :
> >
> > On Thu, Jan 7, 2021 at 3:13 PM David Hildenbrand  wrote:
> >>
> >> RISBHG is broken and currently hinders clang builds of upstream kernels
> >> from booting: the kernel crashes early, while decompressing the image.
> >>
> >>  [...]
> >>   Kernel fault: interruption code 0005 ilc:2
> >>   Kernel random base: 
> >>   PSW : 20018000 00017a1e
> >> R:0 T:0 IO:0 EX:0 Key:0 M:0 W:0 P:0 AS:0 CC:2 PM:0 RI:0 EA:3
> >>   GPRS: 0001 000c 0003fff4 fff0
> >>  fff4 000c fff0
> >> fffc  fff8 008e25a8
> >> 0009 0002 0008 bce0
> >>
> >> One example of a buggy instruction is:
> >>
> >>17dde:   ec 1e 00 9f 20 5d   risbhg  %r1,%r14,0,159,32
> >>
> >> With %r14 = 0x9 and %r1 = 0x7, this should result in %r1 = 0x90007; however,
> >> it results in %r1 = 0.
> >>
> >> Let's interpret values of i3/i4 as documented in the PoP and make
> >> computation of "mask" only based on i3 and i4 and use "pmask" only at the
> >> very end to make sure wrapping is only applied to the high/low doubleword.
> >>
> >> With this patch, I can successfully boot a v5.10 kernel built with
> >> clang, and gcc builds keep on working.
> >>
> >> Fixes: 2d6a869833d9 ("target-s390: Implement RISBG")
> >> Reported-by: Nick Desaulniers 
> >> Cc: Guenter Roeck 
> >> Cc: Christian Borntraeger 
> >> Signed-off-by: David Hildenbrand 
> >> ---
> >>
> >> This BUG was a nightmare to debug and the code a nightmare to understand.
> >>
> >> To make clang/gcc builds boot, the following fix is required as well on
> >> top of current master: "[PATCH] target/s390x: Fix ALGSI"
> >> https://lkml.kernel.org/r/20210107202135.52379-1-da...@redhat.com
> >
> > In that case, a huge thank you!!! for this work! ++beers_owed.
> >
>
> :) a kernel build for z13 should work with the (default) „-cpu qemu“ cpu type.

Hmm...so I don't think clang can build a Linux kernel image with
CONFIG_MARCH_Z13=y just yet; just defconfig.  Otherwise looks like
clang barfs on some of the inline asm constraints.

It looks like with your patch applied we get further into the boot!
I'm not seeing any output with:
$ /android0/qemu/build/qemu-system-s390x -cpu qemu -append
'conmode=sclp console=ttyS0' -display none -initrd
//boot-utils/images/s390/rootfs.cpio -kernel
arch/s390/boot/bzImage -m 512m -nodefaults -serial mon:stdio

(Based on a quick skim through
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.ludd/ludd_r_lmtkernelparameter.html).
Do I have all of those right?

If I attach GDB to QEMU running that kernel image, I was able to view
the print banner once via the `lx-dmesg` gdb macro in the kernel, but it
seems on subsequent runs control flow gets diverted unexpectedly after
entry to start_kernel(), always to `s390_base_pgm_handler` ...errr..at
least when I try to single step in GDB.  Tried with linux-5.10.y,
mainline, and linux-next.

qemu: 470dd6bd360782f5137f7e3376af6a44658eb1d3 + your patch
llvm: 106e66f3f555c8f887e82c5f04c3e77bdaf345e8
linux-5.10.y: d1988041d19dc8b532579bdbb7c4a978391c0011
linux: 71c061d2443814de15e177489d5cc00a4a253ef3
linux-next: f87684f6470f5f02bd47d4afb900366e5d2f31b6


(gdb) hbreak setup_arch
Hardware assisted breakpoint 1 at 0x142229e: file
arch/s390/kernel/setup.c, line 1091.
(gdb) c
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x014222a0 in setup_arch (cmdline_p=0x11d7ed8) at
arch/s390/kernel/setup.c:1091
1091if (MACHINE_IS_VM)
(gdb) lx-dmesg
[0.376351] Linux version 5.11.0-rc2-00157-ga2885c701c30
(ndesaulni...@ndesaulniers1.mtv.corp.google.com) (Nick Desaulniers
clang version 12.0.0 (g...@github.com:llvm/llvm-project.git
e75fec2b238f0e26cfb7645f2208baebe3440d41), GNU ld (GNU Binutils for
Debian) 2.35.1) #81 SMP Thu Jan 7 17:57:34 PST 2021

>
> >>
> >> ---
> >> target/s390x/translate.c | 18 --
> >> 1 file changed, 8 insertions(+), 10 deletions(-)
> >>
> >> diff --git a/target/s390x/translate.c b/target/s390x/translate.c
> >> index 3d5c0d6106..39e33eeb67 100644
> >> --- a/target/s390x/translate.c
> >> +++ b/target/s390x/translate.c
> >> @@ -3815,22 +3815,23 @@ static DisasJumpType op_risbg(DisasContext *s, 
> >> DisasOps *o)
> >> pmask = 0xull;
> >> break;
> >> case 0x51: /* risblg */
> >> -i3 &= 31;
> >> -i4 &= 31;
> >> +i3 = (i3 & 31) + 32;
> >> +i4 = (i4 & 31) + 32;
> >> pmask = 0xull;
> >> break;
> >> default:
> >> g_assert_not_reached();
> >> }
> >>
> >> -/* MASK is the set of bits to be inserted from R2.
> >> -   Take care for I3/I4 wraparound.  */
> >> -mask = pmask >> i3;
> >> +

Re: [PATCH v1] s390x/tcg: Fix RISBHG

2021-01-07 Thread Nick Desaulniers via
On Thu, Jan 7, 2021 at 3:13 PM David Hildenbrand  wrote:
>
> RISBHG is broken and currently hinders clang builds of upstream kernels
> from booting: the kernel crashes early, while decompressing the image.
>
>   [...]
>Kernel fault: interruption code 0005 ilc:2
>Kernel random base: 
>PSW : 20018000 00017a1e
>  R:0 T:0 IO:0 EX:0 Key:0 M:0 W:0 P:0 AS:0 CC:2 PM:0 RI:0 EA:3
>GPRS: 0001 000c 0003fff4 fff0
>   fff4 000c fff0
>  fffc  fff8 008e25a8
>  0009 0002 0008 bce0
>
> One example of a buggy instruction is:
>
> 17dde:   ec 1e 00 9f 20 5d   risbhg  %r1,%r14,0,159,32
>
> With %r14 = 0x9 and %r1 = 0x7, this should result in %r1 = 0x90007; however,
> it results in %r1 = 0.
>
> Let's interpret values of i3/i4 as documented in the PoP and make
> computation of "mask" only based on i3 and i4 and use "pmask" only at the
> very end to make sure wrapping is only applied to the high/low doubleword.
>
> With this patch, I can successfully boot a v5.10 kernel built with
> clang, and gcc builds keep on working.
>
> Fixes: 2d6a869833d9 ("target-s390: Implement RISBG")
> Reported-by: Nick Desaulniers 
> Cc: Guenter Roeck 
> Cc: Christian Borntraeger 
> Signed-off-by: David Hildenbrand 
> ---
>
> This BUG was a nightmare to debug and the code a nightmare to understand.
>
> To make clang/gcc builds boot, the following fix is required as well on
> top of current master: "[PATCH] target/s390x: Fix ALGSI"
> https://lkml.kernel.org/r/20210107202135.52379-1-da...@redhat.com

In that case, a huge thank you!!! for this work! ++beers_owed.

>
> ---
>  target/s390x/translate.c | 18 --
>  1 file changed, 8 insertions(+), 10 deletions(-)
>
> diff --git a/target/s390x/translate.c b/target/s390x/translate.c
> index 3d5c0d6106..39e33eeb67 100644
> --- a/target/s390x/translate.c
> +++ b/target/s390x/translate.c
> @@ -3815,22 +3815,23 @@ static DisasJumpType op_risbg(DisasContext *s, 
> DisasOps *o)
>  pmask = 0xull;
>  break;
>  case 0x51: /* risblg */
> -i3 &= 31;
> -i4 &= 31;
> +i3 = (i3 & 31) + 32;
> +i4 = (i4 & 31) + 32;
>  pmask = 0xull;
>  break;
>  default:
>  g_assert_not_reached();
>  }
>
> -/* MASK is the set of bits to be inserted from R2.
> -   Take care for I3/I4 wraparound.  */
> -mask = pmask >> i3;
> +/* MASK is the set of bits to be inserted from R2. */
>  if (i3 <= i4) {
> -mask ^= pmask >> i4 >> 1;
> +/* [0...i3---i4...63] */
> +mask = (-1ull >> i3) & (-1ull << (63 - i4));
>  } else {
> -mask |= ~(pmask >> i4 >> 1);
> +/* [0---i4...i3---63] */
> +mask = (-1ull >> i3) | (-1ull << (63 - i4));
>  }

The expression evaluated looks the same to me for both sides of the
conditional, but the comments differ. Intentional?

> +/* For RISBLG/RISBHG, the wrapping is limited to the high/low 
> doubleword. */
>  mask &= pmask;
>
>  /* IMASK is the set of bits to be kept from R1.  In the case of the 
> high/low
> @@ -3843,9 +3844,6 @@ static DisasJumpType op_risbg(DisasContext *s, DisasOps 
> *o)
>  len = i4 - i3 + 1;
>  pos = 63 - i4;
>  rot = i5 & 63;
> -if (s->fields.op2 == 0x5d) {
> -pos += 32;
> -}
>
>  /* In some cases we can implement this with extract.  */
>  if (imask == 0 && pos == 0 && len > 0 && len <= rot) {
> --
> 2.29.2
>


-- 
Thanks,
~Nick Desaulniers



Re: [PATCH v1] s390x/tcg: Fix RISBHG

2021-01-07 Thread David Hildenbrand

> Am 08.01.2021 um 00:21 schrieb Nick Desaulniers :
> 
> On Thu, Jan 7, 2021 at 3:13 PM David Hildenbrand  wrote:
>> 
>> RISBHG is broken and currently hinders clang builds of upstream kernels
>> from booting: the kernel crashes early, while decompressing the image.
>> 
>>  [...]
>>   Kernel fault: interruption code 0005 ilc:2
>>   Kernel random base: 
>>   PSW : 20018000 00017a1e
>> R:0 T:0 IO:0 EX:0 Key:0 M:0 W:0 P:0 AS:0 CC:2 PM:0 RI:0 EA:3
>>   GPRS: 0001 000c 0003fff4 fff0
>>  fff4 000c fff0
>> fffc  fff8 008e25a8
>> 0009 0002 0008 bce0
>> 
>> One example of a buggy instruction is:
>> 
>>17dde:   ec 1e 00 9f 20 5d   risbhg  %r1,%r14,0,159,32
>> 
> >> With %r14 = 0x9 and %r1 = 0x7, this should result in %r1 = 0x90007; however,
> >> it results in %r1 = 0.
>> 
>> Let's interpret values of i3/i4 as documented in the PoP and make
>> computation of "mask" only based on i3 and i4 and use "pmask" only at the
>> very end to make sure wrapping is only applied to the high/low doubleword.
>> 
>> With this patch, I can successfully boot a v5.10 kernel built with
>> clang, and gcc builds keep on working.
>> 
>> Fixes: 2d6a869833d9 ("target-s390: Implement RISBG")
>> Reported-by: Nick Desaulniers 
>> Cc: Guenter Roeck 
>> Cc: Christian Borntraeger 
>> Signed-off-by: David Hildenbrand 
>> ---
>> 
>> This BUG was a nightmare to debug and the code a nightmare to understand.
>> 
>> To make clang/gcc builds boot, the following fix is required as well on
>> top of current master: "[PATCH] target/s390x: Fix ALGSI"
>> https://lkml.kernel.org/r/20210107202135.52379-1-da...@redhat.com
> 
> In that case, a huge thank you!!! for this work! ++beers_owed.
> 

:) a kernel build for z13 should work with the (default) „-cpu qemu“ cpu type.

>> 
>> ---
>> target/s390x/translate.c | 18 --
>> 1 file changed, 8 insertions(+), 10 deletions(-)
>> 
>> diff --git a/target/s390x/translate.c b/target/s390x/translate.c
>> index 3d5c0d6106..39e33eeb67 100644
>> --- a/target/s390x/translate.c
>> +++ b/target/s390x/translate.c
>> @@ -3815,22 +3815,23 @@ static DisasJumpType op_risbg(DisasContext *s, 
>> DisasOps *o)
>> pmask = 0xull;
>> break;
>> case 0x51: /* risblg */
>> -i3 &= 31;
>> -i4 &= 31;
>> +i3 = (i3 & 31) + 32;
>> +i4 = (i4 & 31) + 32;
>> pmask = 0xull;
>> break;
>> default:
>> g_assert_not_reached();
>> }
>> 
>> -/* MASK is the set of bits to be inserted from R2.
>> -   Take care for I3/I4 wraparound.  */
>> -mask = pmask >> i3;
>> +/* MASK is the set of bits to be inserted from R2. */
>> if (i3 <= i4) {
>> -mask ^= pmask >> i4 >> 1;
>> +/* [0...i3---i4...63] */
>> +mask = (-1ull >> i3) & (-1ull << (63 - i4));
>> } else {
>> -mask |= ~(pmask >> i4 >> 1);
>> +/* [0---i4...i3---63] */
>> +mask = (-1ull >> i3) | (-1ull << (63 - i4));
>> }
> 
> The expression evaluated looks the same to me for both sides of the
> conditional, but the comments differ. Intentional?

& vs |, so the result differs.

Cheers!
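The mask computation the two replies above discuss, as an added C model rather than QEMU's target/s390x/translate.c: it reproduces the patched `mask` expressions for RISBG, RISBLG and RISBHG, applies the rotate-and-insert and the Z (zero remaining) flag, and shows why the `i3 > i4` branch needs `|` and not `&` (the wraparound mask would otherwise be empty). The 0x51 and 0x5d cases follow the hunk; the RISBG minor opcode 0x55 and the bodies of the risbg and risbhg `case` arms are assumptions, since they are outside the diff, as are the names `rol64`, `risbg_mask` and `risbg_exec`. The expected value for the commit-message example (`risbhg %r1,%r14,0,159,32` with %r14 = 0x9, %r1 = 0x7) is what this model computes from the PoP semantics.

```c
/*
 * Model of the RISBG / RISBLG / RISBHG mask computation after the patch.
 * Added example; not QEMU code.  Minor opcodes: 0x51 and 0x5d appear in the
 * hunk, 0x55 for RISBG is assumed.
 */
#include <stdint.h>
#include <stdio.h>

#define OP2_RISBG  0x55   /* assumed */
#define OP2_RISBLG 0x51
#define OP2_RISBHG 0x5d

/* Rotate left; n == 0 is special-cased so no shift by 64 occurs. */
static uint64_t rol64(uint64_t v, unsigned n)
{
    n &= 63;
    return n ? (v << n) | (v >> (64 - n)) : v;
}

/*
 * Bits i3..i4 of the 64-bit register (wrapping when i3 > i4), then limited
 * to the doubleword the variant operates on.  Mirrors the patched code:
 * "mask" depends only on i3/i4, "pmask" is applied at the very end.
 */
static uint64_t risbg_mask(unsigned op2, unsigned i3, unsigned i4,
                           uint64_t *pmask_out)
{
    uint64_t pmask, mask;

    switch (op2) {
    case OP2_RISBG:                       /* assumed: not in the hunk */
        i3 &= 63; i4 &= 63; pmask = ~0ull;
        break;
    case OP2_RISBHG:                      /* assumed: not in the hunk */
        i3 &= 31; i4 &= 31; pmask = 0xffffffff00000000ull;
        break;
    case OP2_RISBLG:                      /* as in the hunk */
        i3 = (i3 & 31) + 32; i4 = (i4 & 31) + 32; pmask = 0x00000000ffffffffull;
        break;
    default:
        *pmask_out = 0;
        return 0;
    }
    if (i3 <= i4) {
        mask = (~0ull >> i3) & (~0ull << (63 - i4));   /* bits i3..i4 set */
    } else {
        mask = (~0ull >> i3) | (~0ull << (63 - i4));   /* bits i3..63 and 0..i4 */
    }
    mask &= pmask;             /* wrapping limited to the high/low doubleword */
    *pmask_out = pmask;
    return mask;
}

/*
 * R1 <- insert(rotate(R2, i5)).  The i4 operand carries the Z flag in 0x80,
 * as in the encoding; bits outside the target doubleword are always kept,
 * unselected bits inside it are kept unless Z is set.
 */
static uint64_t risbg_exec(unsigned op2, uint64_t r1, uint64_t r2,
                           unsigned i3, unsigned i4, unsigned i5)
{
    uint64_t pmask, mask, rot, keep;
    int zero_rest = (i4 & 0x80) != 0;

    mask = risbg_mask(op2, i3, i4, &pmask);
    rot = rol64(r2, i5);
    keep = ~pmask | (zero_rest ? 0 : (pmask & ~mask));
    return (rot & mask) | (r1 & keep);
}

int main(void)
{
    printf("risbhg %%r1,%%r14,0,159,32 : %#llx\n",
           (unsigned long long)risbg_exec(OP2_RISBHG, 0x7, 0x9, 0, 159, 32));
    printf("risbg wrap 60..3           : %#llx\n",
           (unsigned long long)risbg_exec(OP2_RISBG, 0, ~0ull, 60, 3, 0));
    return 0;
}
```

With `&` in the wraparound branch the RISBG 60..3 case would yield an empty mask and the instruction would insert nothing; with `|` it yields 0xf00000000000000f, which is the PoP behaviour.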

Re: [PULL 00/66] MIPS patches for 2021-01-07

2021-01-07 Thread no-reply
Patchew URL: https://patchew.org/QEMU/2021010753.20382-1-f4...@amsat.org/



Hi,

This series seems to have some coding style problems. See output below for
more information:

Type: series
Message-id: 2021010753.20382-1-f4...@amsat.org
Subject: [PULL 00/66] MIPS patches for 2021-01-07

=== TEST SCRIPT BEGIN ===
#!/bin/bash
git rev-parse base > /dev/null || exit 0
git config --local diff.renamelimit 0
git config --local diff.renames True
git config --local diff.algorithm histogram
./scripts/checkpatch.pl --mailback base..
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
From https://github.com/patchew-project/qemu
 * [new tag] patchew/2021010753.20382-1-f4...@amsat.org -> 
patchew/2021010753.20382-1-f4...@amsat.org
Switched to a new branch 'test'
dd377f9 docs/system: Remove deprecated 'fulong2e' machine alias
46b7515 target/mips: Convert Rel6 LL/SC opcodes to decodetree
30b29c5 target/mips: Convert Rel6 LLD/SCD opcodes to decodetree
a3a47cc target/mips: Convert Rel6 LDL/LDR/SDL/SDR opcodes to decodetree
d31fb71 target/mips: Convert Rel6 LWLE/LWRE/SWLE/SWRE opcodes to decodetree
4ef5b18 target/mips: Convert Rel6 LWL/LWR/SWL/SWR opcodes to decodetree
218216b target/mips: Convert Rel6 CACHE/PREF opcodes to decodetree
ce5072b target/mips: Convert Rel6 COP1X opcode to decodetree
1ac8160 target/mips: Convert Rel6 Special2 opcode to decodetree
02dbc3d target/mips: Remove now unreachable LSA/DLSA opcodes code
36d8c0e target/mips: Introduce decodetree helpers for Release6 LSA/DLSA opcodes
b862386 target/mips: Introduce decodetree helpers for MSA LSA/DLSA opcodes
992d01e target/mips: Extract LSA/DLSA translation generators
aa36e31 target/mips: Use decode_ase_msa() generated from decodetree
779aa4f target/mips: Introduce decode tree bindings for MSA ASE
e0b0e2b target/mips: Pass TCGCond argument to MSA gen_check_zero_element()
e844e9c target/mips: Extract MSA translation routines
574002a target/mips: Declare gen_msa/_branch() in 'translate.h'
e2ebaf4 target/mips: Extract MSA helper definitions
5c3ca1b target/mips: Extract MSA helpers from op_helper.c
ff8dd85 target/mips: Move msa_reset() to msa_helper.c
187fc34 target/mips: Explode gen_msa_branch() as gen_msa_BxZ_V/BxZ()
f6e81a3 target/mips: Remove CPUMIPSState* argument from gen_msa*() methods
5717a13 target/mips: Extract msa_translate_init() from mips_tcg_init()
b41e6f5 target/mips: Alias MSA vector registers on FPU scalar registers
5dca6da target/mips: Remove now unused ASE_MSA definition
279cca1 target/mips: Simplify MSA TCG logic
9be6e1d target/mips: Use CP0_Config3 to set MIPS_HFLAG_MSA
dd2ba3a target/mips: Simplify msa_reset()
a6f9803 target/mips: Introduce ase_msa_available() helper
154d914 target/mips/translate: Expose check_mips_64() to 32-bit mode
4ad62c0 target/mips/translate: Extract decode_opc_legacy() from decode_opc()
ae2962d target/mips: Only build TCG code when CONFIG_TCG is set
bf286b1 target/mips: Extract FPU specific definitions to translate.h
d664570 target/mips: Declare generic FPU functions in 'translate.h'
7d45714 target/mips: Replace gen_exception_end(EXCP_RI) by gen_rsvd_instruction
4a7f56f target/mips: Replace gen_exception_err(err=0) by gen_exception_end()
734af7c target/mips/translate: Add declarations for generic code
7dbaf2f target/mips/translate: Extract DisasContext structure
e31d0fb target/mips: Rename translate_init.c as cpu-defs.c
01c87b9 target/mips: Move mmu_init() functions to tlb_helper.c
bf9cbc3 target/mips: Fix code style for checkpatch.pl
597531a target/mips: Rename helper.c as tlb_helper.c
d1c9757 target/mips: Move common helpers from helper.c to cpu.c
514bb31 target/mips: Remove consecutive CONFIG_USER_ONLY ifdefs
0a0492f target/mips: Add !CONFIG_USER_ONLY comment after #endif
304a3f9 target/mips: Extract FPU helpers to 'fpu_helper.h'
8967642 target/mips: Inline cpu_state_reset() in mips_cpu_reset()
fd2629f target/mips/mips-defs: Rename ISA_MIPS32R6 as ISA_MIPS_R6
68cef79 target/mips/mips-defs: Rename ISA_MIPS32R5 as ISA_MIPS_R5
61f4a6e target/mips/mips-defs: Rename ISA_MIPS32R3 as ISA_MIPS_R3
befb8ce target/mips/mips-defs: Rename ISA_MIPS32R2 as ISA_MIPS_R2
cf55264 target/mips/mips-defs: Rename ISA_MIPS32 as ISA_MIPS_R1
6800c8b target/mips/mips-defs: Use ISA_MIPS32R6 definition to check Release 6
64d02b6 target/mips/mips-defs: Use ISA_MIPS32R5 definition to check Release 5
1917e3e target/mips/mips-defs: Use ISA_MIPS32R3 definition to check Release 3
3440107 target/mips/mips-defs: Use ISA_MIPS32R2 definition to check Release 2
b88e862 target/mips/mips-defs: Use ISA_MIPS32 definition to check Release 1
d34977c hw/mips/boston: Check 64-bit support with cpu_type_is_64bit()
43146ba target/mips/mips-defs: Introduce CPU_MIPS64 and cpu_type_is_64bit()
9be76d4 target/mips/mips-defs: Rename CPU_MIPSxx Release 1 as CPU_MIPSxxR1
58b6d94 target/mips/mips-defs: Reorder CPU_MIPS5 definition
b57df71 target/mips/mips-defs: Remove USE_HOST_FLOAT_REGS comment
aa10029 target/mips/addr: Add 

[PATCH v1] s390x/tcg: Fix RISBHG

2021-01-07 Thread David Hildenbrand
RISBHG is broken and currently hinders clang builds of upstream kernels
from booting: the kernel crashes early, while decompressing the image.

  [...]
   Kernel fault: interruption code 0005 ilc:2
   Kernel random base: 
   PSW : 20018000 00017a1e
 R:0 T:0 IO:0 EX:0 Key:0 M:0 W:0 P:0 AS:0 CC:2 PM:0 RI:0 EA:3
   GPRS: 0001 000c 0003fff4 fff0
  fff4 000c fff0
 fffc  fff8 008e25a8
 0009 0002 0008 bce0

One example of a buggy instruction is:

17dde:   ec 1e 00 9f 20 5d   risbhg  %r1,%r14,0,159,32

With %r14 = 0x9 and %r1 = 0x7, this should result in %r1 = 0x90007; however,
it results in %r1 = 0.

Let's interpret values of i3/i4 as documented in the PoP and make
computation of "mask" only based on i3 and i4 and use "pmask" only at the
very end to make sure wrapping is only applied to the high/low doubleword.

With this patch, I can successfully boot a v5.10 kernel built with
clang, and gcc builds keep on working.

Fixes: 2d6a869833d9 ("target-s390: Implement RISBG")
Reported-by: Nick Desaulniers 
Cc: Guenter Roeck 
Cc: Christian Borntraeger 
Signed-off-by: David Hildenbrand 
---

This BUG was a nightmare to debug and the code a nightmare to understand.

To make clang/gcc builds boot, the following fix is required as well on
top of current master: "[PATCH] target/s390x: Fix ALGSI"
https://lkml.kernel.org/r/20210107202135.52379-1-da...@redhat.com

---
 target/s390x/translate.c | 18 --
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/target/s390x/translate.c b/target/s390x/translate.c
index 3d5c0d6106..39e33eeb67 100644
--- a/target/s390x/translate.c
+++ b/target/s390x/translate.c
@@ -3815,22 +3815,23 @@ static DisasJumpType op_risbg(DisasContext *s, DisasOps 
*o)
 pmask = 0xull;
 break;
 case 0x51: /* risblg */
-i3 &= 31;
-i4 &= 31;
+i3 = (i3 & 31) + 32;
+i4 = (i4 & 31) + 32;
 pmask = 0xull;
 break;
 default:
 g_assert_not_reached();
 }
 
-/* MASK is the set of bits to be inserted from R2.
-   Take care for I3/I4 wraparound.  */
-mask = pmask >> i3;
+/* MASK is the set of bits to be inserted from R2. */
 if (i3 <= i4) {
-mask ^= pmask >> i4 >> 1;
+/* [0...i3---i4...63] */
+mask = (-1ull >> i3) & (-1ull << (63 - i4));
 } else {
-mask |= ~(pmask >> i4 >> 1);
+/* [0---i4...i3---63] */
+mask = (-1ull >> i3) | (-1ull << (63 - i4));
 }
+/* For RISBLG/RISBHG, the wrapping is limited to the high/low doubleword. 
*/
 mask &= pmask;
 
 /* IMASK is the set of bits to be kept from R1.  In the case of the 
high/low
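Review bot: the two mask formulas differ only in `&` versus `|`, which is easy to misread (as the question upthread shows); comments along the lines of "i3 <= i4: bits i3..i4 set" and "i3 > i4: bits i3..63 and 0..i4 set (wraparound)" would say it outright. Both shifts are only well defined while i3 and i4 stay within 0..63 after the switch: the risblg case guarantees that with `(i3 & 31) + 32`, but the risbg and risbhg cases are outside the hunk, so it is worth confirming they mask with 63 and 31 respectively. Given that this was only found by a clang-built kernel failing to boot, a tests/tcg/s390x case covering the commit-message example (`risbhg %r1,%r14,0,159,32`) plus one wrapping RISBG (i3 > i4) would keep it from regressing.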
@@ -3843,9 +3844,6 @@ static DisasJumpType op_risbg(DisasContext *s, DisasOps 
*o)
 len = i4 - i3 + 1;
 pos = 63 - i4;
 rot = i5 & 63;
-if (s->fields.op2 == 0x5d) {
-pos += 32;
-}
 
 /* In some cases we can implement this with extract.  */
 if (imask == 0 && pos == 0 && len > 0 && len <= rot) {
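Review bot: dropping `pos += 32` for op2 == 0x5d moves the high/low doubleword adjustment entirely into how i3/i4 are set in the switch above: `pos = 63 - i4` now lands in 0..31 for risblg because its i4 was offset by 32, and in 32..63 for risbhg only if that case leaves i4 in 0..31. The risbhg case is not in the diff, so please double-check it. `len = i4 - i3 + 1` is also negative in the wraparound case (i3 > i4), which the extract fast path here already skips through `len > 0`; a one-line comment saying so would help the next reader of this function.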
-- 
2.29.2




[Bug 1910605] [NEW] qemu-arm-static ioctl USBDEVFS_BULK return -1 (EFAULT) Bad address

2021-01-07 Thread Linh Hoang
Public bug reported:


Snippet of code sample:

struct usbdevfs_bulktransfer Bulk;
Bulk.ep = hUsb->UsbOut;  
Bulk.len = Len;  
Bulk.data = (void *)pData;  
Bulk.timeout = Timeout;
Bytes = ioctl(hUsb->fd, USBDEVFS_BULK, )

The above code sample returns -1 (EFAULT) Bad address when using qemu-
arm-static but runs OK on qemu-aarch64-static.

I use a 64-bit intel laptop

** Affects: qemu
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910605

Title:
  qemu-arm-static ioctl USBDEVFS_BULK return -1 (EFAULT) Bad address

Status in QEMU:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910605/+subscriptions



Re: [PULL 00/66] MIPS patches for 2021-01-07

2021-01-07 Thread Philippe Mathieu-Daudé
On 1/7/21 11:21 PM, Philippe Mathieu-Daudé wrote:
> The following changes since commit 470dd6bd360782f5137f7e3376af6a44658eb1d3:
> 
>   Merge remote-tracking branch 'remotes/stsquad/tags/pull-testing-060121-4' 
> into staging (2021-01-06 22:18:36 +)
> 
> are available in the Git repository at:
> 
>   https://gitlab.com/philmd/qemu.git tags/mips-20210107
> 
> for you to fetch changes up to f97d339d612b86d8d336a11f01719a10893d6707:
> 
>   docs/system: Remove deprecated 'fulong2e' machine alias (2021-01-07 
> 22:57:49 +0100)
> 
> 
> MIPS patches queue
> 
> - Simplify CPU/ISA definitions
> - Various maintenance code movements in translate.c
> - Convert part of the MSA ASE instructions to decodetree
> - Convert some instructions removed from Release 6 to decodetree
> - Remove deprecated 'fulong2e' machine alias
> 
> 

I forgot to mention there is a checkpatch.pl error with
patch 23 ("Move common helpers from helper.c to cpu.c")
due to code movement:

ERROR: space prohibited after that '&' (ctx:WxW)
#52: FILE: target/mips/cpu.c:53:
+cu = (v >> CP0St_CU0) & 0xf;
   ^

ERROR: space prohibited after that '&' (ctx:WxW)
#53: FILE: target/mips/cpu.c:54:
+mx = (v >> CP0St_MX) & 0x1;
  ^

ERROR: space prohibited after that '&' (ctx:WxW)
#54: FILE: target/mips/cpu.c:55:
+ksu = (v >> CP0St_KSU) & 0x3;
^

ERROR: space prohibited after that '&' (ctx:WxW)
#81: FILE: target/mips/cpu.c:82:
+uint32_t ksux = (1 << CP0St_KX) & val;
 ^

ERROR: space prohibited after that '&' (ctx:WxW)
#89: FILE: target/mips/cpu.c:90:
+mask &= ~(((1 << CP0St_SR) | (1 << CP0St_NMI)) & val);
^

ERROR: space prohibited after that '&' (ctx:WxW)
#116: FILE: target/mips/cpu.c:117:
+mask &= ~((1 << CP0Ca_WP) & val);
   ^

ERROR: space prohibited after that '&' (ctx:WxW)
#121: FILE: target/mips/cpu.c:122:
+if ((old ^ env->CP0_Cause) & (1 << CP0Ca_DC)) {
^

ERROR: space prohibited after that '&' (ctx:WxW)
#131: FILE: target/mips/cpu.c:132:
+if ((old ^ env->CP0_Cause) & (1 << (CP0Ca_IP + i))) {
^

total: 8 errors, 0 warnings, 433 lines checked



[PULL 64/66] target/mips: Convert Rel6 LLD/SCD opcodes to decodetree

2021-01-07 Thread Philippe Mathieu-Daudé
LLD/SCD opcodes have been removed from Release 6.

Add a single decodetree entry for the opcodes, triggering
Reserved Instruction if ever used.

Remove unreachable check_insn_opc_removed() calls.

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
Message-Id: <20201208203704.243704-13-f4...@amsat.org>
---
 target/mips/mips64r6.decode | 3 +++
 target/mips/translate.c | 2 --
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/target/mips/mips64r6.decode b/target/mips/mips64r6.decode
index 8c3fc5dae9c..609b8958d25 100644
--- a/target/mips/mips64r6.decode
+++ b/target/mips/mips64r6.decode
@@ -21,3 +21,6 @@ REMOVED 011010 - -  # 
LDL
 REMOVED 011011 - -  # LDR
 REMOVED 101100 - -  # SDL
 REMOVED 101101 - -  # SDR
+
+REMOVED 110100 - -  # LLD
+REMOVED 00 - -  # SCD
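Review bot: as rendered here the new SCD pattern reads `REMOVED 00 - -  # SCD`, i.e. it has lost the 6-bit opcode and the operand-field placeholders that the LDL/LDR/SDL/SDR entries above carry; please check that the committed file spells the full `111100` opcode with the same field widths as the LLD line, since a REMOVED pattern shorter than 32 bits should be rejected by decodetree's width check and a wrong opcode would silently leave SCD decodable on Release 6.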
diff --git a/target/mips/translate.c b/target/mips/translate.c
index f46d7c5f80b..9f717aab287 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -28871,7 +28871,6 @@ static bool decode_opc_legacy(CPUMIPSState *env, 
DisasContext *ctx)
 if (ctx->insn_flags & INSN_R5900) {
 check_insn_opc_user_only(ctx, INSN_R5900);
 }
-check_insn_opc_removed(ctx, ISA_MIPS_R6);
 /* fall through */
 case OPC_LDL:
 case OPC_LDR:
@@ -28889,7 +2,6 @@ static bool decode_opc_legacy(CPUMIPSState *env, 
DisasContext *ctx)
 gen_st(ctx, op, rt, rs, imm);
 break;
 case OPC_SCD:
-check_insn_opc_removed(ctx, ISA_MIPS_R6);
 check_insn(ctx, ISA_MIPS3);
 if (ctx->insn_flags & INSN_R5900) {
 check_insn_opc_user_only(ctx, INSN_R5900);
-- 
2.26.2




[PULL 66/66] docs/system: Remove deprecated 'fulong2e' machine alias

2021-01-07 Thread Philippe Mathieu-Daudé
The 'fulong2e' machine alias has been marked as deprecated since
QEMU v5.1 (commit c3a09ff68dd, the machine is renamed 'fuloong2e').
Time to remove it now.

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Huacai Chen 
Reviewed-by: Thomas Huth 
Message-Id: <20210106184602.3771551-1-f4...@amsat.org>
---
 docs/system/deprecated.rst   | 5 -
 docs/system/removed-features.rst | 5 +
 hw/mips/fuloong2e.c  | 1 -
 3 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst
index bacd76d7a58..e20bfcb17a4 100644
--- a/docs/system/deprecated.rst
+++ b/docs/system/deprecated.rst
@@ -309,11 +309,6 @@ The 'scsi-disk' device is deprecated. Users should use 
'scsi-hd' or
 System emulator machines
 
 
-mips ``fulong2e`` machine (since 5.1)
-'
-
-This machine has been renamed ``fuloong2e``.
-
 ``pc-1.0``, ``pc-1.1``, ``pc-1.2`` and ``pc-1.3`` (since 5.0)
 '
 
diff --git a/docs/system/removed-features.rst b/docs/system/removed-features.rst
index 8b20d78a4d0..430fc33ca18 100644
--- a/docs/system/removed-features.rst
+++ b/docs/system/removed-features.rst
@@ -120,6 +120,11 @@ mips ``r4k`` platform (removed in 5.2)
 This machine type was very old and unmaintained. Users should use the ``malta``
 machine type instead.
 
+mips ``fulong2e`` machine alias (removed in 6.0)
+
+
+This machine has been renamed ``fuloong2e``.
+
 Related binaries
 
 
diff --git a/hw/mips/fuloong2e.c b/hw/mips/fuloong2e.c
index 29805242caa..bac2adbd5ae 100644
--- a/hw/mips/fuloong2e.c
+++ b/hw/mips/fuloong2e.c
@@ -383,7 +383,6 @@ static void mips_fuloong2e_init(MachineState *machine)
 static void mips_fuloong2e_machine_init(MachineClass *mc)
 {
 mc->desc = "Fuloong 2e mini pc";
-mc->alias = "fulong2e"; /* Incorrect name used up to QEMU 4.2 
*/
 mc->init = mips_fuloong2e_init;
 mc->block_default_type = IF_IDE;
 mc->default_cpu_type = MIPS_CPU_TYPE_NAME("Loongson-2E");
-- 
2.26.2




[PULL 62/66] target/mips: Convert Rel6 LWLE/LWRE/SWLE/SWRE opcodes to decodetree

2021-01-07 Thread Philippe Mathieu-Daudé
LWLE/LWRE/SWLE/SWRE (EVA) opcodes have been removed from
Release 6. Add a single decodetree entry for the opcodes,
triggering Reserved Instruction if ever used.

Remove unreachable check_insn_opc_removed() calls.

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
Message-Id: <20201208203704.243704-11-f4...@amsat.org>
---
 target/mips/mips32r6.decode | 5 +
 target/mips/translate.c | 4 
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/target/mips/mips32r6.decode b/target/mips/mips32r6.decode
index 89a0085fafd..3ec50704cf2 100644
--- a/target/mips/mips32r6.decode
+++ b/target/mips/mips32r6.decode
@@ -20,6 +20,11 @@ REMOVED 010011 - - - - --   
# COP1X (COP3)
 
 REMOVED 011100 - - - - --   # SPECIAL2
 
+REMOVED 01 - - --  011001   # LWLE
+REMOVED 01 - - --  011010   # LWRE
+REMOVED 01 - - --  11   # SWLE
+REMOVED 01 - - --  100010   # SWRE
+
 REMOVED 100010 - -  # LWL
 REMOVED 100110 - -  # LWR
 REMOVED 101010 - -  # SWL
diff --git a/target/mips/translate.c b/target/mips/translate.c
index 0d729293f6b..73efbd24585 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -28122,8 +28122,6 @@ static void decode_opc_special3(CPUMIPSState *env, 
DisasContext *ctx)
 switch (op1) {
 case OPC_LWLE:
 case OPC_LWRE:
-check_insn_opc_removed(ctx, ISA_MIPS_R6);
-/* fall through */
 case OPC_LBUE:
 case OPC_LHUE:
 case OPC_LBE:
@@ -28135,8 +28133,6 @@ static void decode_opc_special3(CPUMIPSState *env, 
DisasContext *ctx)
 return;
 case OPC_SWLE:
 case OPC_SWRE:
-check_insn_opc_removed(ctx, ISA_MIPS_R6);
-/* fall through */
 case OPC_SBE:
 case OPC_SHE:
 case OPC_SWE:
-- 
2.26.2




[PULL 65/66] target/mips: Convert Rel6 LL/SC opcodes to decodetree

2021-01-07 Thread Philippe Mathieu-Daudé
LL/SC opcodes have been removed from Release 6.

Add a single decodetree entry for the opcodes, triggering
Reserved Instruction if ever used.

Remove unreachable check_insn_opc_removed() calls.

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
Message-Id: <20201208203704.243704-14-f4...@amsat.org>
---
 target/mips/mips32r6.decode | 2 ++
 target/mips/translate.c | 2 --
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/mips/mips32r6.decode b/target/mips/mips32r6.decode
index 3ec50704cf2..489c20aa4e9 100644
--- a/target/mips/mips32r6.decode
+++ b/target/mips/mips32r6.decode
@@ -31,4 +31,6 @@ REMOVED 101010 - -  # 
SWL
 REMOVED 101110 - -  # SWR
 
 REMOVED 10 - -  # CACHE
+REMOVED 11 - -  # LL
 REMOVED 110011 - -  # PREF
+REMOVED 111000 - -  # SC
diff --git a/target/mips/translate.c b/target/mips/translate.c
index 9f717aab287..b5b7706a7c2 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -28585,7 +28585,6 @@ static bool decode_opc_legacy(CPUMIPSState *env, 
DisasContext *ctx)
 if (ctx->insn_flags & INSN_R5900) {
 check_insn_opc_user_only(ctx, INSN_R5900);
 }
-check_insn_opc_removed(ctx, ISA_MIPS_R6);
 /* Fallthrough */
 case OPC_LWL:
 case OPC_LWR:
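Review bot: removing `check_insn_opc_removed(ctx, ISA_MIPS_R6)` before the LL fall-through is only safe if the decodetree REMOVED entries are consulted before decode_opc_legacy() for every Release 6 CPU model; the call order that guarantees this is not part of this patch, so a tests/tcg/mips check that LL and SC raise Reserved Instruction on an R6 CPU would document the invariant this hunk and the SC hunk below now rely on.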
@@ -28606,7 +28605,6 @@ static bool decode_opc_legacy(CPUMIPSState *env, 
DisasContext *ctx)
  break;
 case OPC_SC:
 check_insn(ctx, ISA_MIPS2);
- check_insn_opc_removed(ctx, ISA_MIPS_R6);
 if (ctx->insn_flags & INSN_R5900) {
 check_insn_opc_user_only(ctx, INSN_R5900);
 }
-- 
2.26.2




Re: [PATCH] target/s390x: Fix ALGSI

2021-01-07 Thread David Hildenbrand
On 07.01.21 21:21, David Hildenbrand wrote:
> Looks like something went wrong while touching that line. Instead of "r1"
> we need a new temporary. Also, we have to pass MO_TEQ, to indicate that
> we are working with 64-bit values. Let's revert these changes.
> 
> Fixes: ff26d287bddc ("target/s390x: Improve cc computation for ADD LOGICAL")
> Signed-off-by: David Hildenbrand 
> ---
>  target/s390x/insn-data.def | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/target/s390x/insn-data.def b/target/s390x/insn-data.def
> index 26badb663a..eac5136ee5 100644
> --- a/target/s390x/insn-data.def
> +++ b/target/s390x/insn-data.def
> @@ -76,7 +76,7 @@
>  /* ADD LOGICAL WITH SIGNED IMMEDIATE */
>  D(0xeb6e, ALSI,SIY,   GIE, la1, i2_32u, new, 0, asi, addu32, MO_TEUL)
>  C(0xecda, ALHSIK,  RIE_d, DO,  r3_32u, i2_32u, new, r1_32, add, addu32)
> -C(0xeb7e, ALGSI,   SIY,   GIE, la1, i2, r1, 0, asiu64, addu64)
> +D(0xeb7e, ALGSI,   SIY,   GIE, la1, i2, new, 0, asiu64, addu64, MO_TEQ)
>  C(0xecdb, ALGHSIK, RIE_d, DO,  r3, i2, r1, 0, addu64, addu64)
>  /* ADD LOGICAL WITH SIGNED IMMEDIATE HIGH */
>  C(0xcc0a, ALSIH,   RIL_a, HW,  r1_sr32, i2_32u, new, r1_32h, add, addu32)
> 
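Review bot: the corrected row now matches the ALSI entry two lines above it (D() form, `new` as the output temporary, an explicit MO_TE* size), which is the consistent shape; the commit message names the two mistakes (r1 instead of a temporary, missing MO_TEQ) but not what a guest observed with the old row, so spelling that out would make the Fixes: reference self-explanatory, and a TCG regression test exercising ALGSI would keep the line from drifting again.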

Subject should be "s390x/tcg" ...

-- 
Thanks,

David / dhildenb




[PULL 61/66] target/mips: Convert Rel6 LWL/LWR/SWL/SWR opcodes to decodetree

2021-01-07 Thread Philippe Mathieu-Daudé
LWL/LWR/SWL/SWR opcodes have been removed from Release 6.

Add a single decodetree entry for the opcodes, triggering
Reserved Instruction if ever used.

Remove unreachable check_insn_opc_removed() calls.

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
Message-Id: <20201208203704.243704-10-f4...@amsat.org>
---
 target/mips/mips32r6.decode | 5 +
 target/mips/translate.c | 5 +
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/target/mips/mips32r6.decode b/target/mips/mips32r6.decode
index e3b3934539a..89a0085fafd 100644
--- a/target/mips/mips32r6.decode
+++ b/target/mips/mips32r6.decode
@@ -20,5 +20,10 @@ REMOVED 010011 - - - - --   
# COP1X (COP3)
 
 REMOVED 011100 - - - - --   # SPECIAL2
 
+REMOVED 100010 - -  # LWL
+REMOVED 100110 - -  # LWR
+REMOVED 101010 - -  # SWL
+REMOVED 101110 - -  # SWR
+
 REMOVED 10 - -  # CACHE
 REMOVED 110011 - -  # PREF
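Review bot: the message says "a single decodetree entry for the opcodes" but this hunk adds four rows; either reword the message or collapse them, since LWL/LWR/SWL/SWR are 100010/100110/101010/101110, i.e. one pattern `10..10` with bits 23:22 as don't-care, which decodetree accepts as a single REMOVED row.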
diff --git a/target/mips/translate.c b/target/mips/translate.c
index e8389738c57..0d729293f6b 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -28589,11 +28589,10 @@ static bool decode_opc_legacy(CPUMIPSState *env, 
DisasContext *ctx)
 if (ctx->insn_flags & INSN_R5900) {
 check_insn_opc_user_only(ctx, INSN_R5900);
 }
+check_insn_opc_removed(ctx, ISA_MIPS_R6);
 /* Fallthrough */
 case OPC_LWL:
 case OPC_LWR:
-check_insn_opc_removed(ctx, ISA_MIPS_R6);
- /* Fallthrough */
 case OPC_LB:
 case OPC_LH:
 case OPC_LW:
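Review bot: this hunk moves the Release 6 check into the preceding case rather than deleting it (the `+check_insn_opc_removed` lands just before the existing `/* Fallthrough */`), so the opcode that falls through into LWL/LWR keeps its rejection; the message only speaks of removing unreachable calls and should mention the relocation, otherwise the added line looks unexplained.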
@@ -28604,8 +28603,6 @@ static bool decode_opc_legacy(CPUMIPSState *env, 
DisasContext *ctx)
  break;
 case OPC_SWL:
 case OPC_SWR:
-check_insn_opc_removed(ctx, ISA_MIPS_R6);
-/* fall through */
 case OPC_SB:
 case OPC_SH:
 case OPC_SW:
-- 
2.26.2




[PULL 60/66] target/mips: Convert Rel6 CACHE/PREF opcodes to decodetree

2021-01-07 Thread Philippe Mathieu-Daudé
CACHE/PREF opcodes have been removed from Release 6.

Add a single decodetree entry for the opcodes, triggering
Reserved Instruction if ever used.

Remove unreachable check_insn_opc_removed() calls.

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
Message-Id: <20201208203704.243704-9-f4...@amsat.org>
---
 target/mips/mips32r6.decode | 3 +++
 target/mips/translate.c | 2 --
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/target/mips/mips32r6.decode b/target/mips/mips32r6.decode
index 7b12a1bff25..e3b3934539a 100644
--- a/target/mips/mips32r6.decode
+++ b/target/mips/mips32r6.decode
@@ -19,3 +19,6 @@ LSA 00 . . . 000 .. 000101  
@lsa
 REMOVED 010011 - - - - --   # COP1X (COP3)
 
 REMOVED 011100 - - - - --   # SPECIAL2
+
+REMOVED 10 - -  # CACHE
+REMOVED 110011 - -  # PREF
diff --git a/target/mips/translate.c b/target/mips/translate.c
index 52397bce84b..e8389738c57 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -28620,7 +28620,6 @@ static bool decode_opc_legacy(CPUMIPSState *env, 
DisasContext *ctx)
 gen_st_cond(ctx, rt, rs, imm, MO_TESL, false);
 break;
 case OPC_CACHE:
-check_insn_opc_removed(ctx, ISA_MIPS_R6);
 check_cp0_enabled(ctx);
 check_insn(ctx, ISA_MIPS3 | ISA_MIPS_R1);
 if (ctx->hflags & MIPS_HFLAG_ITC_CACHE) {
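Review bot: the exception a Release 6 guest sees is unchanged, and that deserves a sentence in the message: the removed call ran before check_cp0_enabled(), and the REMOVED row in mips32r6.decode also runs before decode_opc_legacy(), so a user-mode CACHE on Release 6 still raises Reserved Instruction rather than Coprocessor Unusable; a reader of this hunk alone cannot see that the ordering is preserved.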
@@ -28629,7 +28628,6 @@ static bool decode_opc_legacy(CPUMIPSState *env, 
DisasContext *ctx)
 /* Treat as NOP. */
 break;
 case OPC_PREF:
-check_insn_opc_removed(ctx, ISA_MIPS_R6);
 if (ctx->insn_flags & INSN_R5900) {
 /* Treat as NOP. */
 } else {
-- 
2.26.2




[PULL 57/66] target/mips: Remove now unreachable LSA/DLSA opcodes code

2021-01-07 Thread Philippe Mathieu-Daudé
Since we switched to decodetree-generated processing,
we can remove this now unreachable code.

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
Message-Id: <20201208203704.243704-6-f4...@amsat.org>
---
 target/mips/translate.c | 29 +
 1 file changed, 5 insertions(+), 24 deletions(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index cd34b06faae..f4481afb8de 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -280,9 +280,6 @@ enum {
 R6_OPC_DCLZ = 0x12 | OPC_SPECIAL,
 R6_OPC_DCLO = 0x13 | OPC_SPECIAL,
 R6_OPC_SDBBP= 0x0e | OPC_SPECIAL,
-
-OPC_LSA  = 0x05 | OPC_SPECIAL,
-OPC_DLSA = 0x15 | OPC_SPECIAL,
 };
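Review bot: this hunk drops OPC_LSA (0x05 | OPC_SPECIAL) and OPC_DLSA, and the decode_opc_special hunk further down switches the old `case OPC_LSA: /* OPC_PMON */` to `case OPC_PMON:`, yet no OPC_PMON definition appears in the diff; it must already exist with the same 0x05 value for the file to compile, which is worth stating in the message since the two names are otherwise only linked by the comment being deleted.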
 
 /* Multiplication variants of the vr54xx. */
@@ -24319,9 +24316,6 @@ static void decode_opc_special_r6(CPUMIPSState *env, 
DisasContext *ctx)
 
 op1 = MASK_SPECIAL(ctx->opcode);
 switch (op1) {
-case OPC_LSA:
-gen_LSA(ctx, rd, rt, rs, extract32(ctx->opcode, 6, 2));
-break;
 case OPC_MULT:
 case OPC_MULTU:
 case OPC_DIV:
@@ -24372,10 +24366,6 @@ static void decode_opc_special_r6(CPUMIPSState *env, 
DisasContext *ctx)
 }
 break;
 #if defined(TARGET_MIPS64)
-case OPC_DLSA:
-check_mips_64(ctx);
-gen_DLSA(ctx, rd, rt, rs, extract32(ctx->opcode, 6, 2));
-break;
 case R6_OPC_DCLO:
 case R6_OPC_DCLZ:
 if (rt == 0 && sa == 1) {
@@ -24637,18 +24627,14 @@ static void decode_opc_special(CPUMIPSState *env, 
DisasContext *ctx)
 check_insn(ctx, ISA_MIPS2);
 gen_trap(ctx, op1, rs, rt, -1);
 break;
-case OPC_LSA: /* OPC_PMON */
-if ((ctx->insn_flags & ISA_MIPS_R6) || ase_msa_available(env)) {
-decode_opc_special_r6(env, ctx);
-} else {
-/* Pmon entry point, also R4010 selsl */
+case OPC_PMON:
+/* Pmon entry point, also R4010 selsl */
 #ifdef MIPS_STRICT_STANDARD
-MIPS_INVAL("PMON / selsl");
-gen_reserved_instruction(ctx);
+MIPS_INVAL("PMON / selsl");
+gen_reserved_instruction(ctx);
 #else
-gen_helper_0e0i(pmon, sa);
+gen_helper_0e0i(pmon, sa);
 #endif
-}
 break;
 case OPC_SYSCALL:
 generate_exception_end(ctx, EXCP_SYSCALL);
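Review bot: the condition deleted here, `(ctx->insn_flags & ISA_MIPS_R6) || ase_msa_available(env)`, also routed LSA to decode_opc_special_r6() on MSA-capable cores that are not Release 6, while the decodetree call added in 56/66 is gated on cpu_supports_isa(env, ISA_MIPS_R6) only; the message should say that LSA/DLSA on such cores are now matched by decode_ase_msa() (the other decodetree entry point declared in translate.h), otherwise this hunk silently drops them for that configuration.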
@@ -24739,11 +24725,6 @@ static void decode_opc_special(CPUMIPSState *env, 
DisasContext *ctx)
 break;
 }
 break;
-case OPC_DLSA:
-if ((ctx->insn_flags & ISA_MIPS_R6) || ase_msa_available(env)) {
-decode_opc_special_r6(env, ctx);
-}
-break;
 #endif
 default:
 if (ctx->insn_flags & ISA_MIPS_R6) {
-- 
2.26.2




[PULL 56/66] target/mips: Introduce decodetree helpers for Release6 LSA/DLSA opcodes

2021-01-07 Thread Philippe Mathieu-Daudé
LSA and DLSA opcodes are also available with MIPS release 6.
Introduce the decodetree config files and call the decode()
helpers in the main decode_opc() loop.

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
Message-Id: <20201215225757.764263-24-f4...@amsat.org>
---
 target/mips/translate.h  |  1 +
 target/mips/mips32r6.decode  | 17 +
 target/mips/mips64r6.decode  | 17 +
 target/mips/rel6_translate.c | 37 
 target/mips/translate.c  |  5 +
 target/mips/meson.build  |  3 +++
 6 files changed, 80 insertions(+)
 create mode 100644 target/mips/mips32r6.decode
 create mode 100644 target/mips/mips64r6.decode
 create mode 100644 target/mips/rel6_translate.c

diff --git a/target/mips/translate.h b/target/mips/translate.h
index 50281c93369..11730f5b2e6 100644
--- a/target/mips/translate.h
+++ b/target/mips/translate.h
@@ -162,6 +162,7 @@ extern TCGv bcond;
 void msa_translate_init(void);
 
 /* decodetree generated */
+bool decode_isa_rel6(DisasContext *ctx, uint32_t insn);
 bool decode_ase_msa(DisasContext *ctx, uint32_t insn);
 
 #endif
diff --git a/target/mips/mips32r6.decode b/target/mips/mips32r6.decode
new file mode 100644
index 000..027585ee042
--- /dev/null
+++ b/target/mips/mips32r6.decode
@@ -0,0 +1,17 @@
+# MIPS32 Release 6 instruction set
+#
+# Copyright (C) 2020  Philippe Mathieu-Daudé
+#
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# Reference:
+#   MIPS Architecture for Programmers Volume II-A
+#   The MIPS32 Instruction Set Reference Manual, Revision 6.06
+#   (Document Number: MD00086-2B-MIPS32BIS-AFP-06.06)
+#
+
+rd rt rs sa
+
+@lsa.. rs:5 rt:5 rd:5 ... sa:2 ..   
+
+LSA 00 . . . 000 .. 000101  @lsa
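Review bot: the argument-set line reads `rd rt rs sa` without a `&lsa` name, and the `@lsa` format line has lost its fixed-bit columns, whereas mips64r6.decode in this same patch declares its set with `!extern`, which only makes sense if a named set is defined here; please confirm the committed file has `&lsa rd rt rs sa` and a full 32-bit `@lsa` format, as the archive may have stripped the `&` and `.` columns.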
diff --git a/target/mips/mips64r6.decode b/target/mips/mips64r6.decode
new file mode 100644
index 000..e812224341e
--- /dev/null
+++ b/target/mips/mips64r6.decode
@@ -0,0 +1,17 @@
+# MIPS64 Release 6 instruction set
+#
+# Copyright (C) 2020  Philippe Mathieu-Daudé
+#
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# Reference:
+#   MIPS Architecture for Programmers Volume II-A
+#   The MIPS64 Instruction Set Reference Manual, Revision 6.06
+#   (Document Number: MD00087-2B-MIPS64BIS-AFP-6.06)
+#
+
+rd rt rs sa !extern
+
+@lsa.. rs:5 rt:5 rd:5 ... sa:2 ..   
+
+DLSA00 . . . 000 .. 010101  @lsa
diff --git a/target/mips/rel6_translate.c b/target/mips/rel6_translate.c
new file mode 100644
index 000..631d0b87748
--- /dev/null
+++ b/target/mips/rel6_translate.c
@@ -0,0 +1,37 @@
+/*
+ *  MIPS emulation for QEMU - # Release 6 translation routines
+ *
+ *  Copyright (c) 2004-2005 Jocelyn Mayer
+ *  Copyright (c) 2006 Marius Groeger (FPU operations)
+ *  Copyright (c) 2006 Thiemo Seufer (MIPS32R2 support)
+ *  Copyright (c) 2020 Philippe Mathieu-Daudé
+ *
+ * This code is licensed under the GNU GPLv2 and later.
+ */
+
+#include "qemu/osdep.h"
+#include "tcg/tcg-op.h"
+#include "exec/helper-gen.h"
+#include "translate.h"
+
+/* Include the auto-generated decoder.  */
+#include "decode-mips32r6.c.inc"
+#include "decode-mips64r6.c.inc"
+
+static bool trans_LSA(DisasContext *ctx, arg_LSA *a)
+{
+return gen_LSA(ctx, a->rd, a->rt, a->rs, a->sa);
+}
+
+static bool trans_DLSA(DisasContext *ctx, arg_LSA *a)
+{
+return gen_DLSA(ctx, a->rd, a->rt, a->rs, a->sa);
+}
+
+bool decode_isa_rel6(DisasContext *ctx, uint32_t insn)
+{
+if (TARGET_LONG_BITS == 64 && decode_mips64r6(ctx, insn)) {
+return true;
+}
+return decode_mips32r6(ctx, insn);
+}
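Review bot: trans_DLSA() is compiled for 32-bit targets too, because meson processes mips64r6.decode unconditionally and this file includes decode-mips64r6.c.inc without a TARGET_MIPS64 guard; the `TARGET_LONG_BITS == 64` test in decode_isa_rel6() only skips the call at run time, so gen_DLSA() must be declared and defined for MIPS32 builds or the link will fail. Also, the banner comment has a stray `#` in `MIPS emulation for QEMU - # Release 6 translation routines`.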
diff --git a/target/mips/translate.c b/target/mips/translate.c
index e9730d95131..cd34b06faae 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -29027,6 +29027,11 @@ static void decode_opc(CPUMIPSState *env, DisasContext 
*ctx)
 return;
 }
 
+/* ISA (from latest to oldest) */
+if (cpu_supports_isa(env, ISA_MIPS_R6) && decode_isa_rel6(ctx, 
ctx->opcode)) {
+return;
+}
+
 if (!decode_opc_legacy(env, ctx)) {
 gen_reserved_instruction(ctx);
 }
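Review bot: the new gate tests cpu_supports_isa(env, ISA_MIPS_R6), while the rest of this file keys Release 6 behaviour on ctx->insn_flags & ISA_MIPS_R6 (visible in the decode_opc_special hunk of 57/66); picking one source of truth for the ISA level avoids the two diverging, and the `/* ISA (from latest to oldest) */` comment is a natural place to say which one later decodetree calls should use.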
diff --git a/target/mips/meson.build b/target/mips/meson.build
index 21b75254047..ab01123013a 100644
--- a/target/mips/meson.build
+++ b/target/mips/meson.build
@@ -1,4 +1,6 @@
 gen = [
+  decodetree.process('mips32r6.decode', extra_args: [ 
'--static-decode=decode_mips32r6' ]),
+  decodetree.process('mips64r6.decode', extra_args: [ 
'--static-decode=decode_mips64r6' ]),
   decodetree.process('msa32.decode', extra_args: [ 
'--static-decode=decode_msa32' ]),
   decodetree.process('msa64.decode', extra_args: [ 
'--static-decode=decode_msa64' ]),
 ]
@@ -16,6 +18,7 @@
   'msa_helper.c',
   'msa_translate.c',
   'op_helper.c',
+  'rel6_translate.c',
   'tlb_helper.c',
   'translate.c',
   'translate_addr_const.c',
-- 
2.26.2
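An added example, not part of this pull request or of QEMU: a Python model of the Release 6 decodetree rows in this series (the @lsa field split, the LSA/DLSA function codes, and the REMOVED major opcodes) followed by the decode order decode_opc() uses after the series, with a stand-in for the legacy decoder. The CACHE and LL opcode values are taken from the MIPS32 opcode map because the archived hunks truncate those two rows.

```python
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
# Major opcodes the Release 6 .decode rows mark REMOVED. Values come from the
# hunks above except CACHE and LL, whose rows are truncated in the archive;
# those two are the MIPS32 opcode-map values (0x2f and 0x30).
R6_REMOVED = {
    0b100010: "LWL", 0b100110: "LWR", 0b101010: "SWL", 0b101110: "SWR",
    0b101111: "CACHE", 0b110011: "PREF", 0b110000: "LL", 0b111000: "SC",
}

def match_lsa(insn, long_bits):
    """@lsa format: opcode[31:26]=000000 rs[25:21] rt[20:16] rd[15:11]
    [10:8]=000 sa[7:6] func[5:0]; func 000101 is LSA, 010101 is DLSA, and
    DLSA lives in mips64r6.decode so it only matches on a 64-bit core."""
    if insn >> 26 != 0 or (insn >> 8) & 0x7 != 0:
        return None
    args = {"rd": (insn >> 11) & 0x1F, "rt": (insn >> 16) & 0x1F,
            "rs": (insn >> 21) & 0x1F, "sa": (insn >> 6) & 0x3}
    func = insn & 0x3F
    if func == 0b000101:
        return "LSA", args
    if func == 0b010101 and long_bits == 64:
        return "DLSA", args
    return None

def decode_opc(insn, long_bits=32, is_r6=True):
    """Post-series decode_opc() order: on a Release 6 core the decodetree runs
    first (LSA/DLSA, or a REMOVED row raising Reserved Instruction); anything
    else falls through to the legacy decoder, a stand-in here."""
    if is_r6:
        hit = match_lsa(insn, long_bits)
        if hit:
            return hit
        if insn >> 26 in R6_REMOVED:
            return "RESERVED_INSTRUCTION", R6_REMOVED[insn >> 26]
    return "LEGACY", None

def exec_lsa(mnemonic, a, regs, long_bits=32):
    """rd = (rs << (sa + 1)) + rt; LSA keeps 32 bits (sign-extended on a
    64-bit core), DLSA keeps 64. Returns the value rd would receive."""
    val = (regs[a["rs"]] << (a["sa"] + 1)) + regs[a["rt"]]
    if mnemonic == "DLSA":
        return val & MASK64
    val &= MASK32
    if long_bits == 64 and val & 0x80000000:
        val |= MASK64 ^ MASK32
    return val
```

The same word 0x00430855 decodes as DLSA on a 64-bit core but falls to the legacy decoder on a 32-bit one, which is the effect of keeping DLSA only in mips64r6.decode.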




[Bug 1910603] [NEW] [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug

2021-01-07 Thread Alexander Bulekov
Public bug reported:

=== Reproducer ===
cat << EOF | ../build-system/qemu-system-i386 \
-machine q35 -device sb16,audiodev=snd0 \
-audiodev none,id=snd0 -nographic -nodefaults \
-qtest stdio
outw 0x22c 0x41
outb 0x22c 0x0
outw 0x22c 0x1004
outw 0x22c 0x1c
EOF

=== Stack Trace ===
A bug was just triggered in audio_calloc
Save all your work and restart without audio
I am sorry
Context:
Aborted

#0 raise
#1 abort
#2 audio_bug /src/qemu/audio/audio.c:119:9
#3 audio_calloc /src/qemu/audio/audio.c:154:9
#4 audio_pcm_sw_alloc_resources_out /src/qemu/audio/audio_template.h:116:15
#5 audio_pcm_sw_init_out /src/qemu/audio/audio_template.h:175:11
#6 audio_pcm_create_voice_pair_out /src/qemu/audio/audio_template.h:410:9
#7 AUD_open_out /src/qemu/audio/audio_template.h:503:14
#8 continue_dma8 /src/qemu/hw/audio/sb16.c:216:20
#9 dma_cmd8 /src/qemu/hw/audio/sb16.c:276:5
#10 command /src/qemu/hw/audio/sb16.c:0
#11 dsp_write /src/qemu/hw/audio/sb16.c:949:13
#12 portio_write /src/qemu/softmmu/ioport.c:205:13
#13 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#14 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#15 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#16 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#17 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#18 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#19 cpu_outw /src/qemu/softmmu/ioport.c:70:5


OSS-Fuzz Report:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29174

** Affects: qemu
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910603



