Re: [RFC PATCH v6 00/11] hw/ssi: imx_spi: Fix various bugs in the imx_spi model

2021-01-12 Thread Philippe Mathieu-Daudé
Hi Ben,

On 1/13/21 4:29 AM, Bin Meng wrote:
> On Wed, Jan 13, 2021 at 2:35 AM Philippe Mathieu-Daudé  
> wrote:
>>
>> Hi,
>>
>> As it is sometimes harder for me to express myself in plain
>> English, I found it easier to write the patches I was thinking
>> about. I know this doesn't scale.
>>
>> So this is how I understand the ecSPI reset works, after
>> looking at the IMX6DQRM.pdf datasheet.
>>
>> This is a respin of Ben's v5 series [*].
>> Tagged RFC because I have not tested it :)
> 
> Unfortunately this series breaks SPI flash testing under both U-Boot
> and VxWorks 7.

Thanks for testing :) Can you provide the binary tested and the command
line used? At least one, so I can have a look.

>> Sometimes changing device reset to better match hardware gives
>> trouble when using '-kernel ...' because there is no bootloader
>> setting the device in the state Linux expects it.
>>
> 
> Given most of the new changes in this RFC series are clean-ups, I
> suggest we apply the v5 series unless there is anything seriously
> wrong in v5, IOW, don't fix it unless it's broken.
> 
> Thoughts?

Up to the maintainer :)

The IMX6DQRM datasheet is available here:
https://community.nxp.com/t5/i-MX-Processors-Knowledge-Base/i-MX-6DQ-Reference-Manual-IMX6DQRM-R2-Part-1/ta-p/1115983
https://community.nxp.com/t5/i-MX-Processors-Knowledge-Base/i-MX-6DQ-Reference-Manual-IMX6DQRM-R2-Part-2/ta-p/1118510

Regards,

Phil.



Re: absolute firmware path made relocatable in qemu 5.2.0

2021-01-12 Thread Dave

This is my qemu binary compiled with --prefix=/nonexistent


bash-5.1# ./qemu-system-x86_64 -L help
/usr/share/qemu
/usr/share/qemu-firmware
/usr/src/sources/qemu-5.2.0/build/pc-bios

bash-5.1# ./qemu-system-x86_64 --help|grep helper

[,br=bridge][,helper=helper][,sndbuf=nbytes][,vnet_hdr=on|off][,vhost=on|off]
use network helper 'helper' 
(default=/nonexistent/libexec/qemu-bridge-helper) to

-netdev bridge,id=str[,br=bridge][,helper=helper]
using the program 'helper 
(default=/nonexistent/libexec/qemu-bridge-helper)


See that it will call /nonexistent/libexec/qemu-bridge-helper by default.

Dave

On 12/01/2021 23:53, Paolo Bonzini wrote:

On 12/01/21 18:04, Dave wrote:

Thanks Paola,

We are still in testing and that's the only thing we've uncovered so 
far with the new 5.2.0. I will post if the ops guys find anything else.


Hmm, that's weird though.  The path to the default bridge helper is 
relocated:


net/tap.c:    helper = default_helper = 
get_relocated_path(DEFAULT_BRIDGE_HELPER);


Paolo





Re: [PATCH 6/9] hw/block/nand: Rename PAGE_SIZE to NAND_PAGE_SIZE

2021-01-12 Thread Thomas Huth

On 21/12/2020 01.53, Jiaxun Yang wrote:

As per POSIX specification of limits.h [1], OS libc may define
PAGE_SIZE in limits.h.

To prevent a collision of definitions, we rename PAGE_SIZE here.

[1]: https://pubs.opengroup.org/onlinepubs/7908799/xsh/limits.h.html

Signed-off-by: Jiaxun Yang 
---
  hw/block/nand.c | 40 
  1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/hw/block/nand.c b/hw/block/nand.c
index 1d7a48a2ec..17645667d8 100644
--- a/hw/block/nand.c
+++ b/hw/block/nand.c
@@ -114,24 +114,24 @@ static void mem_and(uint8_t *dest, const uint8_t *src, 
size_t n)
  # define NAND_IO
  
  # define PAGE(addr)		((addr) >> ADDR_SHIFT)

-# define PAGE_START(page)  (PAGE(page) * (PAGE_SIZE + OOB_SIZE))
+# define PAGE_START(page)  (PAGE(page) * (NAND_PAGE_SIZE + OOB_SIZE))
  # define PAGE_MASK((1 << ADDR_SHIFT) - 1)
  # define OOB_SHIFT(PAGE_SHIFT - 5)
  # define OOB_SIZE (1 << OOB_SHIFT)
  # define SECTOR(addr) ((addr) >> (9 + ADDR_SHIFT - PAGE_SHIFT))
  # define SECTOR_OFFSET(addr)  ((addr) & ((511 >> PAGE_SHIFT) << 8))
  
-# define PAGE_SIZE		256

+# define NAND_PAGE_SIZE 256
  # define PAGE_SHIFT   8
  # define PAGE_SECTORS 1
  # define ADDR_SHIFT   8
  # include "nand.c"
-# define PAGE_SIZE 512
+# define NAND_PAGE_SIZE 512
  # define PAGE_SHIFT   9
  # define PAGE_SECTORS 1
  # define ADDR_SHIFT   8
  # include "nand.c"
-# define PAGE_SIZE 2048
+# define NAND_PAGE_SIZE2048
  # define PAGE_SHIFT   11
  # define PAGE_SECTORS 4
  # define ADDR_SHIFT   16
@@ -661,7 +661,7 @@ type_init(nand_register_types)
  #else
  
  /* Program a single page */

-static void glue(nand_blk_write_, PAGE_SIZE)(NANDFlashState *s)
+static void glue(nand_blk_write_, NAND_PAGE_SIZE)(NANDFlashState *s)
  {
  uint64_t off, page, sector, soff;
  uint8_t iobuf[(PAGE_SECTORS + 2) * 0x200];
@@ -681,11 +681,11 @@ static void glue(nand_blk_write_, 
PAGE_SIZE)(NANDFlashState *s)
  return;
  }
  
-mem_and(iobuf + (soff | off), s->io, MIN(s->iolen, PAGE_SIZE - off));

-if (off + s->iolen > PAGE_SIZE) {
+mem_and(iobuf + (soff | off), s->io, MIN(s->iolen, NAND_PAGE_SIZE - 
off));
+if (off + s->iolen > NAND_PAGE_SIZE) {
  page = PAGE(s->addr);
-mem_and(s->storage + (page << OOB_SHIFT), s->io + PAGE_SIZE - off,
-MIN(OOB_SIZE, off + s->iolen - PAGE_SIZE));
+mem_and(s->storage + (page << OOB_SHIFT), s->io + NAND_PAGE_SIZE - 
off,
+MIN(OOB_SIZE, off + s->iolen - NAND_PAGE_SIZE));
  }
  
  if (blk_pwrite(s->blk, sector << BDRV_SECTOR_BITS, iobuf,

@@ -713,7 +713,7 @@ static void glue(nand_blk_write_, PAGE_SIZE)(NANDFlashState 
*s)
  }
  
  /* Erase a single block */

-static void glue(nand_blk_erase_, PAGE_SIZE)(NANDFlashState *s)
+static void glue(nand_blk_erase_, NAND_PAGE_SIZE)(NANDFlashState *s)
  {
  uint64_t i, page, addr;
  uint8_t iobuf[0x200] = { [0 ... 0x1ff] = 0xff, };
@@ -725,7 +725,7 @@ static void glue(nand_blk_erase_, PAGE_SIZE)(NANDFlashState 
*s)
  
  if (!s->blk) {

  memset(s->storage + PAGE_START(addr),
-0xff, (PAGE_SIZE + OOB_SIZE) << s->erase_shift);
+0xff, (NAND_PAGE_SIZE + OOB_SIZE) << s->erase_shift);
  } else if (s->mem_oob) {
  memset(s->storage + (PAGE(addr) << OOB_SHIFT),
  0xff, OOB_SIZE << s->erase_shift);
@@ -751,7 +751,7 @@ static void glue(nand_blk_erase_, PAGE_SIZE)(NANDFlashState 
*s)
  
  memset(iobuf, 0xff, 0x200);

  i = (addr & ~0x1ff) + 0x200;
-for (addr += ((PAGE_SIZE + OOB_SIZE) << s->erase_shift) - 0x200;
+for (addr += ((NAND_PAGE_SIZE + OOB_SIZE) << s->erase_shift) - 0x200;
  i < addr; i += 0x200) {
  if (blk_pwrite(s->blk, i, iobuf, BDRV_SECTOR_SIZE, 0) < 0) {
  printf("%s: write error in sector %" PRIu64 "\n",
@@ -772,7 +772,7 @@ static void glue(nand_blk_erase_, PAGE_SIZE)(NANDFlashState 
*s)
  }
  }
  
-static void glue(nand_blk_load_, PAGE_SIZE)(NANDFlashState *s,

+static void glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s,
  uint64_t addr, int offset)
  {
  if (PAGE(addr) >= s->pages) {
@@ -786,7 +786,7 @@ static void glue(nand_blk_load_, PAGE_SIZE)(NANDFlashState 
*s,
  printf("%s: read error in sector %" PRIu64 "\n",
  __func__, SECTOR(addr));
  }
-memcpy(s->io + SECTOR_OFFSET(s->addr) + PAGE_SIZE,
+memcpy(s->io + SECTOR_OFFSET(s->addr) + NAND_PAGE_SIZE,
  s->storage + (PAGE(s->addr) << OOB_SHIFT),
  OOB_SIZE);
  s->ioaddr = s->io + 

[RFC v4 15/16] target/riscv: rvb: add/shift with prefix zero-extend

2021-01-12 Thread frank . chang
From: Kito Cheng 

Signed-off-by: Kito Cheng 
Signed-off-by: Frank Chang 
Reviewed-by: Richard Henderson 
---
 target/riscv/insn32-64.decode   |  3 +++
 target/riscv/insn_trans/trans_rvb.c.inc | 22 ++
 target/riscv/translate.c|  6 ++
 3 files changed, 31 insertions(+)

diff --git a/target/riscv/insn32-64.decode b/target/riscv/insn32-64.decode
index 2f80b0c07ae..01b28718af5 100644
--- a/target/riscv/insn32-64.decode
+++ b/target/riscv/insn32-64.decode
@@ -107,6 +107,7 @@ gorcw  0010100 .. 101 . 0111011 @r
 sh1add_uw  001 .. 010 . 0111011 @r
 sh2add_uw  001 .. 100 . 0111011 @r
 sh3add_uw  001 .. 110 . 0111011 @r
+add_uw 100 .. 000 . 0111011 @r
 
 bsetiw 0010100 .. 001 . 0011011 @sh5
 bclriw 0100100 .. 001 . 0011011 @sh5
@@ -116,3 +117,5 @@ sroiw  001 .. 101 . 0011011 @sh5
 roriw  011 .. 101 . 0011011 @sh5
 greviw 0110100 .. 101 . 0011011 @sh5
 gorciw 0010100 .. 101 . 0011011 @sh5
+
+slli_uw1. ... 001 . 0011011 @sh
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index ca987f2705f..94fcf822a36 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -390,4 +390,26 @@ GEN_TRANS_SHADD_UW(1)
 GEN_TRANS_SHADD_UW(2)
 GEN_TRANS_SHADD_UW(3)
 
+static bool trans_add_uw(DisasContext *ctx, arg_add_uw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_arith(ctx, a, gen_add_uw);
+}
+
+static bool trans_slli_uw(DisasContext *ctx, arg_slli_uw *a)
+{
+TCGv source1 = tcg_temp_new();
+gen_get_gpr(source1, a->rs1);
+
+if (a->shamt < 32) {
+tcg_gen_deposit_z_i64(source1, source1, a->shamt, 32);
+} else {
+tcg_gen_shli_i64(source1, source1, a->shamt);
+}
+
+gen_set_gpr(a->rd, source1);
+tcg_temp_free(source1);
+return true;
+}
+
 #endif
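Review bot: trans_slli_uw has no `REQUIRE_EXT(ctx, RVB);` guard, unlike trans_add_uw directly above it, so as written slli_uw would be translated even on a CPU where the B extension is turned off. Its else branch also forwards `a->shamt` to `tcg_gen_shli_i64` without the `a->shamt >= TARGET_LONG_BITS` rejection that gen_shifti applies in 08/16 of this series. Whether the @sh field can decode to 64 or more depends on the decode format, which is not visible in this hunk. I would open the function with `REQUIRE_EXT(ctx, RVB);` followed by `if (a->shamt >= TARGET_LONG_BITS) { return false; }`, before the temporary is allocated.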
diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index 7365e591eb7..dbcc15ed73f 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -930,6 +930,12 @@ GEN_SHADD_UW(1)
 GEN_SHADD_UW(2)
 GEN_SHADD_UW(3)
 
+static void gen_add_uw(TCGv ret, TCGv arg1, TCGv arg2)
+{
+tcg_gen_ext32u_tl(arg1, arg1);
+tcg_gen_add_tl(ret, arg1, arg2);
+}
+
 #endif
 
 static bool gen_arith(DisasContext *ctx, arg_r *a,
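Review bot: gen_add_uw zero-extends in place with `tcg_gen_ext32u_tl(arg1, arg1)`, so it overwrites its first input operand; that is undocumented and easy to miss in a helper that takes `ret` separately. It is harmless only while every caller passes a scratch temporary for arg1, which gen_arith (its body is outside this hunk) presumably does. A one-line comment above the function, such as `/* Clobbers arg1: callers must pass a temporary, not a live register value. */`, would record that contract.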
-- 
2.17.1




[RFC v4 11/16] target/riscv: rvb: rotate (left/right)

2021-01-12 Thread frank . chang
From: Kito Cheng 

Signed-off-by: Kito Cheng 
Signed-off-by: Frank Chang 
Reviewed-by: Richard Henderson 
---
 target/riscv/insn32-64.decode   |  3 +++
 target/riscv/insn32.decode  |  3 +++
 target/riscv/insn_trans/trans_rvb.c.inc | 36 +
 target/riscv/translate.c| 36 +
 4 files changed, 78 insertions(+)

diff --git a/target/riscv/insn32-64.decode b/target/riscv/insn32-64.decode
index 8c3ed33077e..8f9ba21b352 100644
--- a/target/riscv/insn32-64.decode
+++ b/target/riscv/insn32-64.decode
@@ -100,9 +100,12 @@ binvw  0110100 .. 001 . 0111011 @r
 bextw  0100100 .. 101 . 0111011 @r
 slow   001 .. 001 . 0111011 @r
 srow   001 .. 101 . 0111011 @r
+rorw   011 .. 101 . 0111011 @r
+rolw   011 .. 001 . 0111011 @r
 
 bsetiw 0010100 .. 001 . 0011011 @sh5
 bclriw 0100100 .. 001 . 0011011 @sh5
 binviw 0110100 .. 001 . 0011011 @sh5
 sloiw  001 .. 001 . 0011011 @sh5
 sroiw  001 .. 101 . 0011011 @sh5
+roriw  011 .. 101 . 0011011 @sh5
diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index 0ea92312372..6d1b604c800 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -617,6 +617,8 @@ binv   0110100 .. 001 . 0110011 @r
 bext   0100100 .. 101 . 0110011 @r
 slo001 .. 001 . 0110011 @r
 sro001 .. 101 . 0110011 @r
+ror011 .. 101 . 0110011 @r
+rol011 .. 001 . 0110011 @r
 
 bseti  00101. ... 001 . 0010011 @sh
 bclri  01001. ... 001 . 0010011 @sh
@@ -624,3 +626,4 @@ binvi  01101. ... 001 . 0010011 @sh
 bexti  01001. ... 101 . 0010011 @sh
 sloi   00100. ... 001 . 0010011 @sh
 sroi   00100. ... 101 . 0010011 @sh
+rori   01100. ... 101 . 0010011 @sh
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index 44f9f639240..8a46fde4767 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -179,6 +179,24 @@ static bool trans_sroi(DisasContext *ctx, arg_sroi *a)
 return gen_shifti(ctx, a, gen_sro);
 }
 
+static bool trans_ror(DisasContext *ctx, arg_ror *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shift(ctx, a, tcg_gen_rotr_tl);
+}
+
+static bool trans_rori(DisasContext *ctx, arg_rori *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shifti(ctx, a, tcg_gen_rotr_tl);
+}
+
+static bool trans_rol(DisasContext *ctx, arg_rol *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shift(ctx, a, tcg_gen_rotl_tl);
+}
+
 /* RV64-only instructions */
 #ifdef TARGET_RISCV64
 
@@ -278,4 +296,22 @@ static bool trans_sroiw(DisasContext *ctx, arg_sroiw *a)
 return gen_shiftiw(ctx, a, gen_sro);
 }
 
+static bool trans_rorw(DisasContext *ctx, arg_rorw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shiftw(ctx, a, gen_rorw);
+}
+
+static bool trans_roriw(DisasContext *ctx, arg_roriw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shiftiw(ctx, a, gen_rorw);
+}
+
+static bool trans_rolw(DisasContext *ctx, arg_rolw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shiftw(ctx, a, gen_rolw);
+}
+
 #endif
diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index 678c3dca81f..eee69e6bba9 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -828,6 +828,42 @@ static void gen_packuw(TCGv ret, TCGv arg1, TCGv arg2)
 tcg_temp_free(t);
 }
 
+static void gen_rorw(TCGv ret, TCGv arg1, TCGv arg2)
+{
+TCGv_i32 t1 = tcg_temp_new_i32();
+TCGv_i32 t2 = tcg_temp_new_i32();
+
+/* truncate to 32-bits */
+tcg_gen_trunc_tl_i32(t1, arg1);
+tcg_gen_trunc_tl_i32(t2, arg2);
+
+tcg_gen_rotr_i32(t1, t1, t2);
+
+/* sign-extend 64-bits */
+tcg_gen_ext_i32_tl(ret, t1);
+
+tcg_temp_free_i32(t1);
+tcg_temp_free_i32(t2);
+}
+
+static void gen_rolw(TCGv ret, TCGv arg1, TCGv arg2)
+{
+TCGv_i32 t1 = tcg_temp_new_i32();
+TCGv_i32 t2 = tcg_temp_new_i32();
+
+/* truncate to 32-bits */
+tcg_gen_trunc_tl_i32(t1, arg1);
+tcg_gen_trunc_tl_i32(t2, arg2);
+
+tcg_gen_rotl_i32(t1, t1, t2);
+
+/* sign-extend 64-bits */
+tcg_gen_ext_i32_tl(ret, t1);
+
+tcg_temp_free_i32(t1);
+tcg_temp_free_i32(t2);
+}
+
 #endif
 
 static bool gen_arith(DisasContext *ctx, arg_r *a,
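Review bot: gen_rorw and gen_rolw pass the truncated arg2 to `tcg_gen_rotr_i32` / `tcg_gen_rotl_i32` without reducing it, and as far as I know TCG leaves rotates by a count outside 0..31 unspecified, so both helpers depend on the caller having masked the count. gen_shiftw is outside this hunk, so I cannot confirm that it does; gen_shiftiw only ever supplies the decoded immediate. Please state the precondition on both helpers, e.g. `/* arg2 must already be in the range 0..31 */`, and reword `/* sign-extend 64-bits */` to `/* sign-extend the 32-bit result to target width */`. The two bodies differ only in the rotate call, so a shared helper taking the i32 op would remove the duplication.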
-- 
2.17.1




Re: [PATCHv4 2/2] arm-virt: add secure pl061 for reset/power down

2021-01-12 Thread Maxim Uvarov
- the same size for secure and non secure gpio. Arm doc says that
secure memory is also split on 4k pages. So one page here has to be
ok.
- will add dtb.
- I think fewer options are better. So I will remove
vmc->secure_gpio flag and keep only vmc flag.

Regards,
Maxim.

On Tue, 12 Jan 2021 at 19:28, Andrew Jones  wrote:
>
> On Tue, Jan 12, 2021 at 11:25:30AM -0500, Andrew Jones wrote:
> > On Tue, Jan 12, 2021 at 04:00:23PM +, Peter Maydell wrote:
> > > On Tue, 12 Jan 2021 at 15:35, Andrew Jones  wrote:
> > > >
> > > > On Tue, Jan 12, 2021 at 05:30:58PM +0300, Maxim Uvarov wrote:
> > > > > Add secure pl061 for reset/power down machine from
> > > > > the secure world (Arm Trusted Firmware). Connect it
> > > > > with gpio-pwr driver.
> > >
> > > > > +/* connect secure pl061 to gpio-pwr */
> > > > > +qdev_connect_gpio_out(pl061_dev, ATF_GPIO_POWEROFF,
> > > > > +  qdev_get_gpio_in_named(gpio_pwr_dev, 
> > > > > "reset", 0));
> > > > > +qdev_connect_gpio_out(pl061_dev, ATF_GPIO_REBOOT,
> > > > > +  qdev_get_gpio_in_named(gpio_pwr_dev, 
> > > > > "shutdown", 0));
> > > >
> > > > I don't know anything about secure world, but it seems odd that we don't
> > > > need to add anything to the DTB.
> > >
> > > We should be adding something to the DTB, yes. Look at
> > > how create_uart() does this -- you set the 'status' and
> > > 'secure-status' properties to indicate that the device is
> > > secure-world only.
> > >
> > >
> > >
> > > > > +if (vmc->no_secure_gpio) {
> > > > > +vms->secure_gpio = false;
> > > > > +}  else {
> > > > > +vms->secure_gpio = true;
> > > > > +}
> > > >
> > > > nit: vms->secure_gpio = !vmc->no_secure_gpio
> > > >
> > > > But do we even need vms->secure_gpio? Why not just do
> > > >
> > > >  if (vms->secure && !vmc->no_secure_gpio) {
> > > >  create_gpio_secure(vms, secure_sysmem);
> > > >  }
> > > >
> > > > in machvirt_init() ?
> > >
> > > We're just following the same pattern as vmc->no_its/vms->its,
> > > aren't we ?
> > >
> >
> > 'its' is a property that can be changed on the command line. Unless
> > we want to be able to manage 'secure-gpio' separately from 'secure',
> > then I think vmc->its plus 'secure' should be sufficient. We don't
>
> I meant to write 'vmc->no_secure_gpio and vms->secure' here.
>
> Thanks,
> drew
>
> > always need both vmc and vms state, see 'no_ged'.
> >
> > Thanks,
> > drew
>



[RFC v4 10/16] target/riscv: rvb: shift ones

2021-01-12 Thread frank . chang
From: Kito Cheng 

Signed-off-by: Kito Cheng 
Signed-off-by: Frank Chang 
Reviewed-by: Richard Henderson 
---
 target/riscv/insn32-64.decode   |  4 +++
 target/riscv/insn32.decode  |  4 +++
 target/riscv/insn_trans/trans_rvb.c.inc | 48 +
 target/riscv/translate.c| 14 
 4 files changed, 70 insertions(+)

diff --git a/target/riscv/insn32-64.decode b/target/riscv/insn32-64.decode
index f6c63c31b03..8c3ed33077e 100644
--- a/target/riscv/insn32-64.decode
+++ b/target/riscv/insn32-64.decode
@@ -98,7 +98,11 @@ bsetw  0010100 .. 001 . 0111011 @r
 bclrw  0100100 .. 001 . 0111011 @r
 binvw  0110100 .. 001 . 0111011 @r
 bextw  0100100 .. 101 . 0111011 @r
+slow   001 .. 001 . 0111011 @r
+srow   001 .. 101 . 0111011 @r
 
 bsetiw 0010100 .. 001 . 0011011 @sh5
 bclriw 0100100 .. 001 . 0011011 @sh5
 binviw 0110100 .. 001 . 0011011 @sh5
+sloiw  001 .. 001 . 0011011 @sh5
+sroiw  001 .. 101 . 0011011 @sh5
diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index 64d2b057764..0ea92312372 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -615,8 +615,12 @@ bset   0010100 .. 001 . 0110011 @r
 bclr   0100100 .. 001 . 0110011 @r
 binv   0110100 .. 001 . 0110011 @r
 bext   0100100 .. 101 . 0110011 @r
+slo001 .. 001 . 0110011 @r
+sro001 .. 101 . 0110011 @r
 
 bseti  00101. ... 001 . 0010011 @sh
 bclri  01001. ... 001 . 0010011 @sh
 binvi  01101. ... 001 . 0010011 @sh
 bexti  01001. ... 101 . 0010011 @sh
+sloi   00100. ... 001 . 0010011 @sh
+sroi   00100. ... 101 . 0010011 @sh
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index 0c41f135dc6..44f9f639240 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -155,6 +155,30 @@ static bool trans_bexti(DisasContext *ctx, arg_bexti *a)
 return gen_shifti(ctx, a, gen_bext);
 }
 
+static bool trans_slo(DisasContext *ctx, arg_slo *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shift(ctx, a, gen_slo);
+}
+
+static bool trans_sloi(DisasContext *ctx, arg_sloi *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shifti(ctx, a, gen_slo);
+}
+
+static bool trans_sro(DisasContext *ctx, arg_sro *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shift(ctx, a, gen_sro);
+}
+
+static bool trans_sroi(DisasContext *ctx, arg_sroi *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shifti(ctx, a, gen_sro);
+}
+
 /* RV64-only instructions */
 #ifdef TARGET_RISCV64
 
@@ -230,4 +254,28 @@ static bool trans_bextw(DisasContext *ctx, arg_bextw *a)
 return gen_shiftw(ctx, a, gen_bext);
 }
 
+static bool trans_slow(DisasContext *ctx, arg_slow *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shiftw(ctx, a, gen_slo);
+}
+
+static bool trans_sloiw(DisasContext *ctx, arg_sloiw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shiftiw(ctx, a, gen_slo);
+}
+
+static bool trans_srow(DisasContext *ctx, arg_srow *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shiftw(ctx, a, gen_sro);
+}
+
+static bool trans_sroiw(DisasContext *ctx, arg_sroiw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shiftiw(ctx, a, gen_sro);
+}
+
 #endif
diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index 7ea434ffa8d..678c3dca81f 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -776,6 +776,20 @@ static void gen_bext(TCGv ret, TCGv arg1, TCGv shamt)
 tcg_gen_andi_tl(ret, ret, 1);
 }
 
+static void gen_slo(TCGv ret, TCGv arg1, TCGv arg2)
+{
+tcg_gen_not_tl(ret, arg1);
+tcg_gen_shl_tl(ret, ret, arg2);
+tcg_gen_not_tl(ret, ret);
+}
+
+static void gen_sro(TCGv ret, TCGv arg1, TCGv arg2)
+{
+tcg_gen_not_tl(ret, arg1);
+tcg_gen_shr_tl(ret, ret, arg2);
+tcg_gen_not_tl(ret, ret);
+}
+
 #ifdef TARGET_RISCV64
 
 static void gen_ctzw(TCGv ret, TCGv arg1)
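Review bot: gen_sro shifts the full target-width register, yet this patch also hands it to gen_shiftiw for sroiw (trans_sroiw in the trans_rvb.c.inc hunk above), and gen_shiftiw as posted in 08/16 applies the op to the unextended rs1 and only then sign-extends. For a right shift that lets bits 32 and up of rs1 move into the low word, so the W-form result depends on data it is expected to ignore; trans_srow may be affected the same way if gen_shiftw is built like gen_shiftiw (not visible here). gen_slo is not affected, because the low 32 bits of a left shift depend only on the low 32 input bits. A 32-bit variant placed with the RV64-only helpers, and passed from trans_sroiw/trans_srow instead of gen_sro, avoids this; the sketch below uses the placeholder name gen_srow and assumes the caller has already reduced the shift count to 0..31.

```c
/* ... unchanged: gen_slo, gen_sro ... */

#ifdef TARGET_RISCV64

static void gen_srow(TCGv ret, TCGv arg1, TCGv arg2)
{
    TCGv_i32 t1 = tcg_temp_new_i32();
    TCGv_i32 t2 = tcg_temp_new_i32();

    /* work on the low 32 bits only, so rs1[63:32] cannot shift in */
    tcg_gen_trunc_tl_i32(t1, arg1);
    tcg_gen_trunc_tl_i32(t2, arg2);

    tcg_gen_not_i32(t1, t1);
    tcg_gen_shr_i32(t1, t1, t2);
    tcg_gen_not_i32(t1, t1);

    /* sign-extend the 32-bit result to the target width */
    tcg_gen_ext_i32_tl(ret, t1);

    tcg_temp_free_i32(t1);
    tcg_temp_free_i32(t2);
}
```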
-- 
2.17.1




Re: [PATCH 8/9] tests: Rename PAGE_SIZE definitions

2021-01-12 Thread Thomas Huth

On 21/12/2020 01.53, Jiaxun Yang wrote:

As per POSIX specification of limits.h [1], OS libc may define
PAGE_SIZE in limits.h.

Self-defined PAGE_SIZE is frequently used in tests. To prevent a
collision of definitions, we give the PAGE_SIZE definitions reasonable
prefixes.

[1]: https://pubs.opengroup.org/onlinepubs/7908799/xsh/limits.h.html

Signed-off-by: Jiaxun Yang 
---
  tests/migration/stress.c| 10 ++---
  tests/qtest/libqos/malloc-pc.c  |  4 +-
  tests/qtest/libqos/malloc-spapr.c   |  4 +-
  tests/qtest/m25p80-test.c   | 54 +++---
  tests/tcg/multiarch/system/memory.c |  6 +--
  tests/test-xbzrle.c | 70 ++---
  6 files changed, 74 insertions(+), 74 deletions(-)

diff --git a/tests/migration/stress.c b/tests/migration/stress.c
index de45e8e490..b7240a15c8 100644
--- a/tests/migration/stress.c
+++ b/tests/migration/stress.c
@@ -27,7 +27,7 @@
  
  const char *argv0;
  
-#define PAGE_SIZE 4096

+#define RAM_PAGE_SIZE 4096
  
  #ifndef CONFIG_GETTID

  static int gettid(void)
@@ -158,11 +158,11 @@ static unsigned long long now(void)
  
  static void stressone(unsigned long long ramsizeMB)

  {
-size_t pagesPerMB = 1024 * 1024 / PAGE_SIZE;
+size_t pagesPerMB = 1024 * 1024 / RAM_PAGE_SIZE;
  g_autofree char *ram = g_malloc(ramsizeMB * 1024 * 1024);
  char *ramptr;
  size_t i, j, k;
-g_autofree char *data = g_malloc(PAGE_SIZE);
+g_autofree char *data = g_malloc(RAM_PAGE_SIZE);
  char *dataptr;
  size_t nMB = 0;
  unsigned long long before, after;
@@ -174,7 +174,7 @@ static void stressone(unsigned long long ramsizeMB)
   * calloc instead :-) */
  memset(ram, 0xfe, ramsizeMB * 1024 * 1024);
  
-if (random_bytes(data, PAGE_SIZE) < 0) {

+if (random_bytes(data, RAM_PAGE_SIZE) < 0) {
  return;
  }
  
@@ -186,7 +186,7 @@ static void stressone(unsigned long long ramsizeMB)

  for (i = 0; i < ramsizeMB; i++, nMB++) {
  for (j = 0; j < pagesPerMB; j++) {
  dataptr = data;
-for (k = 0; k < PAGE_SIZE; k += sizeof(long long)) {
+for (k = 0; k < RAM_PAGE_SIZE; k += sizeof(long long)) {
  ramptr += sizeof(long long);
  dataptr += sizeof(long long);
  *(unsigned long long *)ramptr ^= *(unsigned long long 
*)dataptr;
diff --git a/tests/qtest/libqos/malloc-pc.c b/tests/qtest/libqos/malloc-pc.c
index 16ff9609cc..f1e3b392a5 100644
--- a/tests/qtest/libqos/malloc-pc.c
+++ b/tests/qtest/libqos/malloc-pc.c
@@ -18,7 +18,7 @@
  
  #include "qemu-common.h"
  
-#define PAGE_SIZE (4096)

+#define ALLOC_PAGE_SIZE (4096)
  
  void pc_alloc_init(QGuestAllocator *s, QTestState *qts, QAllocOpts flags)

  {
@@ -26,7 +26,7 @@ void pc_alloc_init(QGuestAllocator *s, QTestState *qts, 
QAllocOpts flags)
  QFWCFG *fw_cfg = pc_fw_cfg_init(qts);
  
  ram_size = qfw_cfg_get_u64(fw_cfg, FW_CFG_RAM_SIZE);

-alloc_init(s, flags, 1 << 20, MIN(ram_size, 0xE000), PAGE_SIZE);
+alloc_init(s, flags, 1 << 20, MIN(ram_size, 0xE000), ALLOC_PAGE_SIZE);
  
  /* clean-up */

  pc_fw_cfg_uninit(fw_cfg);
diff --git a/tests/qtest/libqos/malloc-spapr.c 
b/tests/qtest/libqos/malloc-spapr.c
index 84862e4876..05b306c191 100644
--- a/tests/qtest/libqos/malloc-spapr.c
+++ b/tests/qtest/libqos/malloc-spapr.c
@@ -10,7 +10,7 @@
  
  #include "qemu-common.h"
  
-#define PAGE_SIZE 4096

+#define SPAPR_PAGE_SIZE 4096
  
  /* Memory must be a multiple of 256 MB,

   * so we have at least 256MB
@@ -19,5 +19,5 @@
  
  void spapr_alloc_init(QGuestAllocator *s, QTestState *qts, QAllocOpts flags)

  {
-alloc_init(s, flags, 1 << 20, SPAPR_MIN_SIZE, PAGE_SIZE);
+alloc_init(s, flags, 1 << 20, SPAPR_MIN_SIZE, SPAPR_PAGE_SIZE);
  }
diff --git a/tests/qtest/m25p80-test.c b/tests/qtest/m25p80-test.c
index 50c6b79fb3..f860cef5f0 100644
--- a/tests/qtest/m25p80-test.c
+++ b/tests/qtest/m25p80-test.c
@@ -62,7 +62,7 @@ enum {
  #define FLASH_JEDEC 0x20ba19  /* n25q256a */
  #define FLASH_SIZE  (32 * 1024 * 1024)
  
-#define PAGE_SIZE   256

+#define FLASH_PAGE_SIZE   256
  
  /*

   * Use an explicit bswap for the values read/wrote to the flash region
@@ -165,7 +165,7 @@ static void read_page(uint32_t addr, uint32_t *page)
  writel(ASPEED_FLASH_BASE, make_be32(addr));
  
  /* Continuous read are supported */

-for (i = 0; i < PAGE_SIZE / 4; i++) {
+for (i = 0; i < FLASH_PAGE_SIZE / 4; i++) {
  page[i] = make_be32(readl(ASPEED_FLASH_BASE));
  }
  spi_ctrl_stop_user();
@@ -178,15 +178,15 @@ static void read_page_mem(uint32_t addr, uint32_t *page)
  /* move out USER mode to use direct reads from the AHB bus */
  spi_ctrl_setmode(CTRL_READMODE, READ);
  
-for (i = 0; i < PAGE_SIZE / 4; i++) {

+for (i = 0; i < FLASH_PAGE_SIZE / 4; i++) {
  page[i] = make_be32(readl(ASPEED_FLASH_BASE + addr + i * 4));
  }
 

Re: [PATCH 5/9] elf2dmp: Rename PAGE_SIZE to ELF2DMP_PAGE_SIZE

2021-01-12 Thread Thomas Huth

On 21/12/2020 01.53, Jiaxun Yang wrote:

As per POSIX specification of limits.h [1], OS libc may define
PAGE_SIZE in limits.h.

To prevent a collision of definitions, we rename PAGE_SIZE here.

[1]: https://pubs.opengroup.org/onlinepubs/7908799/xsh/limits.h.html

Signed-off-by: Jiaxun Yang 
---
  contrib/elf2dmp/addrspace.c |  4 ++--
  contrib/elf2dmp/addrspace.h |  6 +++---
  contrib/elf2dmp/main.c  | 18 +-
  3 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/contrib/elf2dmp/addrspace.c b/contrib/elf2dmp/addrspace.c
index 8a76069cb5..53ded17061 100644
--- a/contrib/elf2dmp/addrspace.c
+++ b/contrib/elf2dmp/addrspace.c
@@ -207,8 +207,8 @@ int va_space_rw(struct va_space *vs, uint64_t addr,
  void *buf, size_t size, int is_write)
  {
  while (size) {
-uint64_t page = addr & PFN_MASK;
-size_t s = (page + PAGE_SIZE) - addr;
+uint64_t page = addr & ELF2DMP_PFN_MASK;
+size_t s = (page + ELF2DMP_PAGE_SIZE) - addr;
  void *ptr;
  
  s = (s > size) ? size : s;

diff --git a/contrib/elf2dmp/addrspace.h b/contrib/elf2dmp/addrspace.h
index d87f6a18c6..00b44c1218 100644
--- a/contrib/elf2dmp/addrspace.h
+++ b/contrib/elf2dmp/addrspace.h
@@ -10,9 +10,9 @@
  
  #include "qemu_elf.h"
  
-#define PAGE_BITS 12

-#define PAGE_SIZE (1ULL << PAGE_BITS)
-#define PFN_MASK (~(PAGE_SIZE - 1))
+#define ELF2DMP_PAGE_BITS 12
+#define ELF2DMP_PAGE_SIZE (1ULL << ELF2DMP_PAGE_BITS)
+#define ELF2DMP_PFN_MASK (~(ELF2DMP_PAGE_SIZE - 1))
  
  #define INVALID_PA  UINT64_MAX
  
diff --git a/contrib/elf2dmp/main.c b/contrib/elf2dmp/main.c

index ac746e49e0..20b477d582 100644
--- a/contrib/elf2dmp/main.c
+++ b/contrib/elf2dmp/main.c
@@ -244,8 +244,8 @@ static int fill_header(WinDumpHeader64 *hdr, struct 
pa_space *ps,
  WinDumpHeader64 h;
  size_t i;
  
-QEMU_BUILD_BUG_ON(KUSD_OFFSET_SUITE_MASK >= PAGE_SIZE);

-QEMU_BUILD_BUG_ON(KUSD_OFFSET_PRODUCT_TYPE >= PAGE_SIZE);
+QEMU_BUILD_BUG_ON(KUSD_OFFSET_SUITE_MASK >= ELF2DMP_PAGE_SIZE);
+QEMU_BUILD_BUG_ON(KUSD_OFFSET_PRODUCT_TYPE >= ELF2DMP_PAGE_SIZE);
  
  if (!suite_mask || !product_type) {

  return 1;
@@ -281,14 +281,14 @@ static int fill_header(WinDumpHeader64 *hdr, struct 
pa_space *ps,
  };
  
  for (i = 0; i < ps->block_nr; i++) {

-h.PhysicalMemoryBlock.NumberOfPages += ps->block[i].size / PAGE_SIZE;
+h.PhysicalMemoryBlock.NumberOfPages += ps->block[i].size / 
ELF2DMP_PAGE_SIZE;
  h.PhysicalMemoryBlock.Run[i] = (WinDumpPhyMemRun64) {
-.BasePage = ps->block[i].paddr / PAGE_SIZE,
-.PageCount = ps->block[i].size / PAGE_SIZE,
+.BasePage = ps->block[i].paddr / ELF2DMP_PAGE_SIZE,
+.PageCount = ps->block[i].size / ELF2DMP_PAGE_SIZE,
  };
  }
  
-h.RequiredDumpSpace += h.PhysicalMemoryBlock.NumberOfPages << PAGE_BITS;

+h.RequiredDumpSpace += h.PhysicalMemoryBlock.NumberOfPages << 
ELF2DMP_PAGE_BITS;
  
  *hdr = h;
  
@@ -379,7 +379,7 @@ static int pe_get_pdb_symstore_hash(uint64_t base, void *start_addr,

  size_t pdb_name_sz;
  size_t i;
  
-QEMU_BUILD_BUG_ON(sizeof(*dos_hdr) >= PAGE_SIZE);

+QEMU_BUILD_BUG_ON(sizeof(*dos_hdr) >= ELF2DMP_PAGE_SIZE);
  
  if (memcmp(_hdr->e_magic, e_magic, sizeof(e_magic))) {

  return 1;
@@ -509,10 +509,10 @@ int main(int argc, char *argv[])
  }
  printf("CPU #0 IDT[0] -> 0x%016"PRIx64"\n", 
idt_desc_addr(first_idt_desc));
  
-KernBase = idt_desc_addr(first_idt_desc) & ~(PAGE_SIZE - 1);

+KernBase = idt_desc_addr(first_idt_desc) & ~(ELF2DMP_PAGE_SIZE - 1);
  printf("Searching kernel downwards from 0x%016"PRIx64"...\n", KernBase);
  
-for (; KernBase >= 0xf780; KernBase -= PAGE_SIZE) {

+for (; KernBase >= 0xf780; KernBase -= ELF2DMP_PAGE_SIZE) {
  nt_start_addr = va_space_resolve(, KernBase);
  if (!nt_start_addr) {
  continue;



Reviewed-by: Thomas Huth 




Re: [PATCH 7/9] accel/kvm: avoid using predefined PAGE_SIZE

2021-01-12 Thread Thomas Huth

On 21/12/2020 01.53, Jiaxun Yang wrote:

As per POSIX specification of limits.h [1], OS libc may define
PAGE_SIZE in limits.h.

To prevent a collision of definitions, we discard the PAGE_SIZE
defined by libc and take QEMU's variable.

[1]: https://pubs.opengroup.org/onlinepubs/7908799/xsh/limits.h.html

Signed-off-by: Jiaxun Yang 
---
  accel/kvm/kvm-all.c | 3 +++
  1 file changed, 3 insertions(+)

diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
index 389eaace72..3feb17d965 100644
--- a/accel/kvm/kvm-all.c
+++ b/accel/kvm/kvm-all.c
@@ -58,6 +58,9 @@
  /* KVM uses PAGE_SIZE in its definition of KVM_COALESCED_MMIO_MAX. We
   * need to use the real host PAGE_SIZE, as that's what KVM will use.
   */
+#ifdef PAGE_SIZE
+#undef PAGE_SIZE
+#endif
  #define PAGE_SIZE qemu_real_host_page_size


If I get that right, the PAGE_SIZE macro is only used one time in this
file... so it's maybe easier to get rid of the macro completely and replace
the single occurrence with qemu_real_host_page_size directly?


 Thomas




[RFC v4 08/16] target/riscv: add gen_shifti() and gen_shiftiw() helper functions

2021-01-12 Thread frank . chang
From: Frank Chang 

Add gen_shifti() and gen_shiftiw() helper functions to reuse the same
interfaces for immediate shift instructions.

Signed-off-by: Frank Chang 
---
 target/riscv/insn_trans/trans_rvi.c.inc | 54 ++---
 target/riscv/translate.c| 43 
 2 files changed, 47 insertions(+), 50 deletions(-)

diff --git a/target/riscv/insn_trans/trans_rvi.c.inc 
b/target/riscv/insn_trans/trans_rvi.c.inc
index d04ca0394cf..7b894201840 100644
--- a/target/riscv/insn_trans/trans_rvi.c.inc
+++ b/target/riscv/insn_trans/trans_rvi.c.inc
@@ -261,54 +261,17 @@ static bool trans_andi(DisasContext *ctx, arg_andi *a)
 }
 static bool trans_slli(DisasContext *ctx, arg_slli *a)
 {
-if (a->shamt >= TARGET_LONG_BITS) {
-return false;
-}
-
-if (a->rd != 0) {
-TCGv t = tcg_temp_new();
-gen_get_gpr(t, a->rs1);
-
-tcg_gen_shli_tl(t, t, a->shamt);
-
-gen_set_gpr(a->rd, t);
-tcg_temp_free(t);
-} /* NOP otherwise */
-return true;
+return gen_shifti(ctx, a, tcg_gen_shl_tl);
 }
 
 static bool trans_srli(DisasContext *ctx, arg_srli *a)
 {
-if (a->shamt >= TARGET_LONG_BITS) {
-return false;
-}
-
-if (a->rd != 0) {
-TCGv t = tcg_temp_new();
-gen_get_gpr(t, a->rs1);
-
-tcg_gen_shri_tl(t, t, a->shamt);
-gen_set_gpr(a->rd, t);
-tcg_temp_free(t);
-} /* NOP otherwise */
-return true;
+return gen_shifti(ctx, a, tcg_gen_shr_tl);
 }
 
 static bool trans_srai(DisasContext *ctx, arg_srai *a)
 {
-if (a->shamt >= TARGET_LONG_BITS) {
-return false;
-}
-
-if (a->rd != 0) {
-TCGv t = tcg_temp_new();
-gen_get_gpr(t, a->rs1);
-
-tcg_gen_sari_tl(t, t, a->shamt);
-gen_set_gpr(a->rd, t);
-tcg_temp_free(t);
-} /* NOP otherwise */
-return true;
+return gen_shifti(ctx, a, tcg_gen_sar_tl);
 }
 
 static bool trans_add(DisasContext *ctx, arg_add *a)
@@ -369,16 +332,7 @@ static bool trans_addiw(DisasContext *ctx, arg_addiw *a)
 
 static bool trans_slliw(DisasContext *ctx, arg_slliw *a)
 {
-TCGv source1;
-source1 = tcg_temp_new();
-gen_get_gpr(source1, a->rs1);
-
-tcg_gen_shli_tl(source1, source1, a->shamt);
-tcg_gen_ext32s_tl(source1, source1);
-gen_set_gpr(a->rd, source1);
-
-tcg_temp_free(source1);
-return true;
+return gen_shiftiw(ctx, a, tcg_gen_shl_tl);
 }
 
 static bool trans_srliw(DisasContext *ctx, arg_srliw *a)
diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index 53c0c34ce16..8459b6bcf54 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -810,6 +810,49 @@ static bool gen_shift(DisasContext *ctx, arg_r *a,
 return true;
 }
 
+static bool gen_shifti(DisasContext *ctx, arg_shift *a,
+   void(*func)(TCGv, TCGv, TCGv))
+{
+if (a->shamt >= TARGET_LONG_BITS) {
+return false;
+}
+
+TCGv source1 = tcg_temp_new();
+TCGv source2 = tcg_temp_new();
+
+gen_get_gpr(source1, a->rs1);
+
+tcg_gen_movi_tl(source2, a->shamt);
+(*func)(source1, source1, source2);
+
+gen_set_gpr(a->rd, source1);
+tcg_temp_free(source1);
+tcg_temp_free(source2);
+return true;
+}
+
+#ifdef TARGET_RISCV64
+
+static bool gen_shiftiw(DisasContext *ctx, arg_shift *a,
+void(*func)(TCGv, TCGv, TCGv))
+{
+TCGv source1 = tcg_temp_new();
+TCGv source2 = tcg_temp_new();
+
+gen_get_gpr(source1, a->rs1);
+tcg_gen_movi_tl(source2, a->shamt);
+
+(*func)(source1, source1, source2);
+tcg_gen_ext32s_tl(source1, source1);
+
+gen_set_gpr(a->rd, source1);
+tcg_temp_free(source1);
+tcg_temp_free(source2);
+return true;
+}
+
+#endif
+
 static void gen_ctz(TCGv ret, TCGv arg1)
 {
 tcg_gen_ctzi_tl(ret, arg1, TARGET_LONG_BITS);
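Review bot: gen_shiftiw hands the full-width rs1 value to `func` and only sign-extends the result afterwards, so it is correct only for callbacks whose low 32 result bits do not depend on bits 63:32 of the source; a logical or arithmetic right shift passed here would pull high bits into the result. A comment above gen_shiftiw should say so, e.g. `/* func sees the untruncated rs1; only use with ops whose low 32 bits ignore the high half */`. Unlike gen_shifti it has no `a->shamt` range check, so it relies on the decoder limiting the immediate to 5 bits, which is not visible in this hunk. In gen_shifti the `TCGv source1`/`source2` declarations follow the early return; moving them to the top of the block avoids the mixed declaration. gen_ctz at the end of the hunk continues outside it.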
-- 
2.17.1




[RFC v4 16/16] target/riscv: rvb: support and turn on B-extension from command line

2021-01-12 Thread frank . chang
From: Kito Cheng 

The B-extension is off by default; use cpu rv32 or rv64 with x-b=true to
enable it.

Signed-off-by: Kito Cheng 
Signed-off-by: Frank Chang 
Reviewed-by: Alistair Francis 
Reviewed-by: Richard Henderson 
---
 target/riscv/cpu.c | 4 
 target/riscv/cpu.h | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index 8227d7aea9d..7379a0abc6c 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -472,6 +472,9 @@ static void riscv_cpu_realize(DeviceState *dev, Error 
**errp)
 if (cpu->cfg.ext_h) {
 target_misa |= RVH;
 }
+if (cpu->cfg.ext_b) {
+target_misa |= RVB;
+}
 if (cpu->cfg.ext_v) {
 target_misa |= RVV;
 if (!is_power_of_2(cpu->cfg.vlen)) {
@@ -542,6 +545,7 @@ static Property riscv_cpu_properties[] = {
 DEFINE_PROP_BOOL("s", RISCVCPU, cfg.ext_s, true),
 DEFINE_PROP_BOOL("u", RISCVCPU, cfg.ext_u, true),
 /* This is experimental so mark with 'x-' */
+DEFINE_PROP_BOOL("x-b", RISCVCPU, cfg.ext_b, false),
 DEFINE_PROP_BOOL("x-h", RISCVCPU, cfg.ext_h, false),
 DEFINE_PROP_BOOL("x-v", RISCVCPU, cfg.ext_v, false),
 DEFINE_PROP_BOOL("Counters", RISCVCPU, cfg.ext_counters, true),
diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 6339e848192..d5271906db4 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -72,6 +72,7 @@
 #define RVS RV('S')
 #define RVU RV('U')
 #define RVH RV('H')
+#define RVB RV('B')
 
 /* S extension denotes that Supervisor mode exists, however it is possible
to have a core that support S mode but does not have an MMU and there
@@ -282,6 +283,7 @@ struct RISCVCPU {
 bool ext_f;
 bool ext_d;
 bool ext_c;
+bool ext_b;
 bool ext_s;
 bool ext_u;
 bool ext_h;
-- 
2.17.1




[RFC v4 07/16] target/riscv: rvb: sign-extend instructions

2021-01-12 Thread frank . chang
From: Kito Cheng 

Signed-off-by: Kito Cheng 
Reviewed-by: Richard Henderson 
Signed-off-by: Frank Chang 
---
 target/riscv/insn32.decode  |  2 ++
 target/riscv/insn_trans/trans_rvb.c.inc | 12 
 2 files changed, 14 insertions(+)

diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index d64326fd864..938c23088eb 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -598,6 +598,8 @@ vsetvl  100 . . 111 . 1010111  @r
 clz011000 00 . 001 . 0010011 @r2
 ctz011000 01 . 001 . 0010011 @r2
 cpop   011000 10 . 001 . 0010011 @r2
+sext_b 011000 000100 . 001 . 0010011 @r2
+sext_h 011000 000101 . 001 . 0010011 @r2
 
 andn   010 .. 111 . 0110011 @r
 orn010 .. 110 . 0110011 @r
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index 2aa4515fe31..1496996a660 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -95,6 +95,18 @@ static bool trans_maxu(DisasContext *ctx, arg_maxu *a)
 return gen_arith(ctx, a, tcg_gen_umax_tl);
 }
 
+static bool trans_sext_b(DisasContext *ctx, arg_sext_b *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_unary(ctx, a, tcg_gen_ext8s_tl);
+}
+
+static bool trans_sext_h(DisasContext *ctx, arg_sext_h *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_unary(ctx, a, tcg_gen_ext16s_tl);
+}
+
 /* RV64-only instructions */
 #ifdef TARGET_RISCV64
 
-- 
2.17.1




[RFC v4 13/16] target/riscv: rvb: generalized or-combine

2021-01-12 Thread frank . chang
From: Frank Chang 

Signed-off-by: Frank Chang 
Reviewed-by: Richard Henderson 
---
 target/riscv/bitmanip_helper.c  | 31 +
 target/riscv/helper.h   |  2 ++
 target/riscv/insn32-64.decode   |  2 ++
 target/riscv/insn32.decode  |  2 ++
 target/riscv/insn_trans/trans_rvb.c.inc | 24 +++
 target/riscv/translate.c|  6 +
 6 files changed, 67 insertions(+)

diff --git a/target/riscv/bitmanip_helper.c b/target/riscv/bitmanip_helper.c
index 1d3235bc0d6..389b52eccd9 100644
--- a/target/riscv/bitmanip_helper.c
+++ b/target/riscv/bitmanip_helper.c
@@ -69,3 +69,34 @@ target_ulong HELPER(grevw)(target_ulong rs1, target_ulong 
rs2)
 }
 
 #endif
+
+static target_ulong do_gorc(target_ulong rs1,
+target_ulong rs2,
+int bits)
+{
+target_ulong x = rs1;
+int i, shift;
+
+for (i = 0, shift = 1; shift < bits; i++, shift <<= 1) {
+if (rs2 & shift) {
+x |= do_swap(x, adjacent_masks[i], shift);
+}
+}
+
+return x;
+}
+
+target_ulong HELPER(gorc)(target_ulong rs1, target_ulong rs2)
+{
+return do_gorc(rs1, rs2, TARGET_LONG_BITS);
+}
+
+/* RV64-only instruction */
+#ifdef TARGET_RISCV64
+
+target_ulong HELPER(gorcw)(target_ulong rs1, target_ulong rs2)
+{
+return do_gorc(rs1, rs2, 32);
+}
+
+#endif
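Review bot: do_gorc is a copy of do_grev (added by patch 12 of this series, shown further down the page) with `x = do_swap(...)` changed to `x |= do_swap(...)`, so the stage loop and its indexing of `adjacent_masks[i]` now exist twice in this file. Folding both into one loop with a flag, e.g. `static target_ulong do_shuffle(target_ulong rs1, target_ulong rs2, int bits, bool or_combine)`, keeps the two helpers from drifting apart. If the copy stays, a one-line comment above do_gorc saying that it ORs each swapped stage into the running value instead of replacing it would help the next reader.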
diff --git a/target/riscv/helper.h b/target/riscv/helper.h
index db8b770f1aa..7ddaea61798 100644
--- a/target/riscv/helper.h
+++ b/target/riscv/helper.h
@@ -60,9 +60,11 @@ DEF_HELPER_FLAGS_1(fclass_d, TCG_CALL_NO_RWG_SE, tl, i64)
 
 /* Bitmanip */
 DEF_HELPER_FLAGS_2(grev, TCG_CALL_NO_RWG_SE, tl, tl, tl)
+DEF_HELPER_FLAGS_2(gorc, TCG_CALL_NO_RWG_SE, tl, tl, tl)
 
 #if defined(TARGET_RISCV64)
 DEF_HELPER_FLAGS_2(grevw, TCG_CALL_NO_RWG_SE, tl, tl, tl)
+DEF_HELPER_FLAGS_2(gorcw, TCG_CALL_NO_RWG_SE, tl, tl, tl)
 #endif
 
 /* Special functions */
diff --git a/target/riscv/insn32-64.decode b/target/riscv/insn32-64.decode
index 38ceadd4553..894db5e3abf 100644
--- a/target/riscv/insn32-64.decode
+++ b/target/riscv/insn32-64.decode
@@ -103,6 +103,7 @@ srow   001 .. 101 . 0111011 @r
 rorw   011 .. 101 . 0111011 @r
 rolw   011 .. 001 . 0111011 @r
 grevw  0110100 .. 101 . 0111011 @r
+gorcw  0010100 .. 101 . 0111011 @r
 
 bsetiw 0010100 .. 001 . 0011011 @sh5
 bclriw 0100100 .. 001 . 0011011 @sh5
@@ -111,3 +112,4 @@ sloiw  001 .. 001 . 0011011 @sh5
 sroiw  001 .. 101 . 0011011 @sh5
 roriw  011 .. 101 . 0011011 @sh5
 greviw 0110100 .. 101 . 0011011 @sh5
+gorciw 0010100 .. 101 . 0011011 @sh5
diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index fa4bba4f0ee..0756ea5cc28 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -620,6 +620,7 @@ sro001 .. 101 . 0110011 @r
 ror011 .. 101 . 0110011 @r
 rol011 .. 001 . 0110011 @r
 grev   0110100 .. 101 . 0110011 @r
+gorc   0010100 .. 101 . 0110011 @r
 
 bseti  00101. ... 001 . 0010011 @sh
 bclri  01001. ... 001 . 0010011 @sh
@@ -629,3 +630,4 @@ sloi   00100. ... 001 . 0010011 @sh
 sroi   00100. ... 101 . 0010011 @sh
 rori   01100. ... 101 . 0010011 @sh
 grevi  01101. ... 101 . 0010011 @sh
+gorci  00101. ... 101 . 0010011 @sh
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index 286643cd183..a4181dbf0de 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -214,6 +214,18 @@ static bool trans_grevi(DisasContext *ctx, arg_grevi *a)
 return gen_grevi(ctx, a);
 }
 
+static bool trans_gorc(DisasContext *ctx, arg_gorc *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shift(ctx, a, gen_helper_gorc);
+}
+
+static bool trans_gorci(DisasContext *ctx, arg_gorci *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shifti(ctx, a, gen_helper_gorc);
+}
+
 /* RV64-only instructions */
 #ifdef TARGET_RISCV64
 
@@ -343,4 +355,16 @@ static bool trans_greviw(DisasContext *ctx, arg_greviw *a)
 return gen_shiftiw(ctx, a, gen_grevw);
 }
 
+static bool trans_gorcw(DisasContext *ctx, arg_gorcw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shiftw(ctx, a, gen_gorcw);
+}
+
+static bool trans_gorciw(DisasContext *ctx, arg_gorciw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shiftiw(ctx, a, gen_gorcw);
+}
+
 #endif
diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index cb040a15003..e845b311a3d 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -892,6 +892,12 @@ static void gen_grevw(TCGv ret, TCGv arg1, TCGv arg2)
 

[RFC v4 06/16] target/riscv: rvb: min/max instructions

2021-01-12 Thread frank . chang
From: Kito Cheng 

Signed-off-by: Kito Cheng 
Reviewed-by: Richard Henderson 
Signed-off-by: Frank Chang 
---
 target/riscv/insn32.decode  |  4 
 target/riscv/insn_trans/trans_rvb.c.inc | 24 
 2 files changed, 28 insertions(+)

diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index 7f32b8c6d15..d64326fd864 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -605,3 +605,7 @@ xnor   010 .. 100 . 0110011 @r
 pack   100 .. 100 . 0110011 @r
 packu  0100100 .. 100 . 0110011 @r
 packh  100 .. 111 . 0110011 @r
+min101 .. 100 . 0110011 @r
+minu   101 .. 101 . 0110011 @r
+max101 .. 110 . 0110011 @r
+maxu   101 .. 111 . 0110011 @r
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index 2d24dafac09..2aa4515fe31 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -71,6 +71,30 @@ static bool trans_packh(DisasContext *ctx, arg_packh *a)
 return gen_arith(ctx, a, gen_packh);
 }
 
+static bool trans_min(DisasContext *ctx, arg_min *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_arith(ctx, a, tcg_gen_smin_tl);
+}
+
+static bool trans_max(DisasContext *ctx, arg_max *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_arith(ctx, a, tcg_gen_smax_tl);
+}
+
+static bool trans_minu(DisasContext *ctx, arg_minu *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_arith(ctx, a, tcg_gen_umin_tl);
+}
+
+static bool trans_maxu(DisasContext *ctx, arg_maxu *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_arith(ctx, a, tcg_gen_umax_tl);
+}
+
 /* RV64-only instructions */
 #ifdef TARGET_RISCV64
 
-- 
2.17.1




[RFC v4 12/16] target/riscv: rvb: generalized reverse

2021-01-12 Thread frank . chang
From: Frank Chang 

Signed-off-by: Frank Chang 
Reviewed-by: Richard Henderson 
---
 target/riscv/bitmanip_helper.c  | 71 +
 target/riscv/helper.h   |  7 +++
 target/riscv/insn32-64.decode   |  2 +
 target/riscv/insn32.decode  |  2 +
 target/riscv/insn_trans/trans_rvb.c.inc | 29 ++
 target/riscv/meson.build|  1 +
 target/riscv/translate.c| 28 ++
 7 files changed, 140 insertions(+)
 create mode 100644 target/riscv/bitmanip_helper.c

diff --git a/target/riscv/bitmanip_helper.c b/target/riscv/bitmanip_helper.c
new file mode 100644
index 000..1d3235bc0d6
--- /dev/null
+++ b/target/riscv/bitmanip_helper.c
@@ -0,0 +1,71 @@
+/*
+ * RISC-V Bitmanip Extension Helpers for QEMU.
+ *
+ * Copyright (c) 2020 Kito Cheng, kito.ch...@sifive.com
+ * Copyright (c) 2020 Frank Chang, frank.ch...@sifive.com
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/host-utils.h"
+#include "exec/exec-all.h"
+#include "exec/helper-proto.h"
+#include "tcg/tcg.h"
+
+static const uint64_t adjacent_masks[] = {
+dup_const(MO_8, 0x55),
+dup_const(MO_8, 0x33),
+dup_const(MO_8, 0x0f),
+dup_const(MO_16, 0xff),
+dup_const(MO_32, 0x),
+#ifdef TARGET_RISCV64
+UINT32_MAX
+#endif
+};
+
+static inline target_ulong do_swap(target_ulong x, uint64_t mask, int shift)
+{
+return ((x & mask) << shift) | ((x & ~mask) >> shift);
+}
+
+static target_ulong do_grev(target_ulong rs1,
+target_ulong rs2,
+int bits)
+{
+target_ulong x = rs1;
+int i, shift;
+
+for (i = 0, shift = 1; shift < bits; i++, shift <<= 1) {
+if (rs2 & shift) {
+x = do_swap(x, adjacent_masks[i], shift);
+}
+}
+
+return x;
+}
+
+target_ulong HELPER(grev)(target_ulong rs1, target_ulong rs2)
+{
+return do_grev(rs1, rs2, TARGET_LONG_BITS);
+}
+
+/* RV64-only instruction */
+#ifdef TARGET_RISCV64
+
+target_ulong HELPER(grevw)(target_ulong rs1, target_ulong rs2)
+{
+return do_grev(rs1, rs2, 32);
+}
+
+#endif
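Review bot: do_grev indexes `adjacent_masks[i]` with `i` limited only by the `bits` argument, and the table has five entries (six with TARGET_RISCV64), so a caller passing a `bits` value larger than the table covers would read past its end. Both callers in this hunk pass TARGET_LONG_BITS or 32, which stay in range, but the function should enforce the limit itself, e.g. `assert(bits <= TARGET_LONG_BITS);` at the top or `i < ARRAY_SIZE(adjacent_masks)` in the loop condition. A short comment on the table saying that entry i is the mask for swap distance `1 << i` would make the pairing with `shift` explicit.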
diff --git a/target/riscv/helper.h b/target/riscv/helper.h
index e3f3f41e891..db8b770f1aa 100644
--- a/target/riscv/helper.h
+++ b/target/riscv/helper.h
@@ -58,6 +58,13 @@ DEF_HELPER_FLAGS_2(fcvt_d_l, TCG_CALL_NO_RWG, i64, env, i64)
 DEF_HELPER_FLAGS_2(fcvt_d_lu, TCG_CALL_NO_RWG, i64, env, i64)
 DEF_HELPER_FLAGS_1(fclass_d, TCG_CALL_NO_RWG_SE, tl, i64)
 
+/* Bitmanip */
+DEF_HELPER_FLAGS_2(grev, TCG_CALL_NO_RWG_SE, tl, tl, tl)
+
+#if defined(TARGET_RISCV64)
+DEF_HELPER_FLAGS_2(grevw, TCG_CALL_NO_RWG_SE, tl, tl, tl)
+#endif
+
 /* Special functions */
 DEF_HELPER_3(csrrw, tl, env, tl, tl)
 DEF_HELPER_4(csrrs, tl, env, tl, tl, tl)
diff --git a/target/riscv/insn32-64.decode b/target/riscv/insn32-64.decode
index 8f9ba21b352..38ceadd4553 100644
--- a/target/riscv/insn32-64.decode
+++ b/target/riscv/insn32-64.decode
@@ -102,6 +102,7 @@ slow   001 .. 001 . 0111011 @r
 srow   001 .. 101 . 0111011 @r
 rorw   011 .. 101 . 0111011 @r
 rolw   011 .. 001 . 0111011 @r
+grevw  0110100 .. 101 . 0111011 @r
 
 bsetiw 0010100 .. 001 . 0011011 @sh5
 bclriw 0100100 .. 001 . 0011011 @sh5
@@ -109,3 +110,4 @@ binviw 0110100 .. 001 . 0011011 @sh5
 sloiw  001 .. 001 . 0011011 @sh5
 sroiw  001 .. 101 . 0011011 @sh5
 roriw  011 .. 101 . 0011011 @sh5
+greviw 0110100 .. 101 . 0011011 @sh5
diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index 6d1b604c800..fa4bba4f0ee 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -619,6 +619,7 @@ slo001 .. 001 . 0110011 @r
 sro001 .. 101 . 0110011 @r
 ror011 .. 101 . 0110011 @r
 rol011 .. 001 . 0110011 @r
+grev   0110100 .. 101 . 0110011 @r
 
 bseti  00101. ... 001 . 0010011 @sh
 bclri  01001. ... 001 . 0010011 @sh
@@ -627,3 +628,4 @@ bexti  01001. ... 101 . 0010011 @sh
 sloi   00100. ... 001 . 0010011 @sh
 sroi   00100. ... 101 . 0010011 @sh
 rori   01100. ... 

[RFC v4 14/16] target/riscv: rvb: address calculation

2021-01-12 Thread frank . chang
From: Kito Cheng 

Signed-off-by: Kito Cheng 
Signed-off-by: Frank Chang 
Reviewed-by: Richard Henderson 
---
 target/riscv/insn32-64.decode   |  3 +++
 target/riscv/insn32.decode  |  3 +++
 target/riscv/insn_trans/trans_rvb.c.inc | 23 ++
 target/riscv/translate.c| 32 +
 4 files changed, 61 insertions(+)

diff --git a/target/riscv/insn32-64.decode b/target/riscv/insn32-64.decode
index 894db5e3abf..2f80b0c07ae 100644
--- a/target/riscv/insn32-64.decode
+++ b/target/riscv/insn32-64.decode
@@ -104,6 +104,9 @@ rorw   011 .. 101 . 0111011 @r
 rolw   011 .. 001 . 0111011 @r
 grevw  0110100 .. 101 . 0111011 @r
 gorcw  0010100 .. 101 . 0111011 @r
+sh1add_uw  001 .. 010 . 0111011 @r
+sh2add_uw  001 .. 100 . 0111011 @r
+sh3add_uw  001 .. 110 . 0111011 @r
 
 bsetiw 0010100 .. 001 . 0011011 @sh5
 bclriw 0100100 .. 001 . 0011011 @sh5
diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index 0756ea5cc28..b90c1c0a350 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -621,6 +621,9 @@ ror011 .. 101 . 0110011 @r
 rol011 .. 001 . 0110011 @r
 grev   0110100 .. 101 . 0110011 @r
 gorc   0010100 .. 101 . 0110011 @r
+sh1add 001 .. 010 . 0110011 @r
+sh2add 001 .. 100 . 0110011 @r
+sh3add 001 .. 110 . 0110011 @r
 
 bseti  00101. ... 001 . 0010011 @sh
 bclri  01001. ... 001 . 0010011 @sh
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index a4181dbf0de..ca987f2705f 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -226,6 +226,17 @@ static bool trans_gorci(DisasContext *ctx, arg_gorci *a)
 return gen_shifti(ctx, a, gen_helper_gorc);
 }
 
+#define GEN_TRANS_SHADD(SHAMT) \
+static bool trans_sh##SHAMT##add(DisasContext *ctx, arg_sh##SHAMT##add *a) \
+{  \
+REQUIRE_EXT(ctx, RVB); \
+return gen_arith(ctx, a, gen_sh##SHAMT##add);  \
+}
+
+GEN_TRANS_SHADD(1)
+GEN_TRANS_SHADD(2)
+GEN_TRANS_SHADD(3)
+
 /* RV64-only instructions */
 #ifdef TARGET_RISCV64
 
@@ -367,4 +378,16 @@ static bool trans_gorciw(DisasContext *ctx, arg_gorciw *a)
 return gen_shiftiw(ctx, a, gen_gorcw);
 }
 
+#define GEN_TRANS_SHADD_UW(SHAMT) \
+static bool trans_sh##SHAMT##add_uw(DisasContext *ctx,\
+arg_sh##SHAMT##add_uw *a) \
+{ \
+REQUIRE_EXT(ctx, RVB);\
+return gen_arith(ctx, a, gen_sh##SHAMT##add_uw);  \
+}
+
+GEN_TRANS_SHADD_UW(1)
+GEN_TRANS_SHADD_UW(2)
+GEN_TRANS_SHADD_UW(3)
+
 #endif
diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index e845b311a3d..7365e591eb7 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -812,6 +812,21 @@ static bool gen_grevi(DisasContext *ctx, arg_grevi *a)
 return true;
 }
 
+#define GEN_SHADD(SHAMT)   \
+static void gen_sh##SHAMT##add(TCGv ret, TCGv arg1, TCGv arg2) \
+{  \
+TCGv t = tcg_temp_new();   \
+   \
+tcg_gen_shli_tl(t, arg1, SHAMT);   \
+tcg_gen_add_tl(ret, t, arg2);  \
+   \
+tcg_temp_free(t);  \
+}
+
+GEN_SHADD(1)
+GEN_SHADD(2)
+GEN_SHADD(3)
+
 #ifdef TARGET_RISCV64
 
 static void gen_ctzw(TCGv ret, TCGv arg1)
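Review bot: The functions gen_sh1add, gen_sh2add and gen_sh3add exist only as expansions of GEN_SHADD, so a search for their names finds the uses in trans_rvb.c.inc but no definition. A comment above the macro would fix that and state the operation, e.g. `/* Defines gen_sh{1,2,3}add: ret = (arg1 << SHAMT) + arg2 */`. The GEN_SHADD_UW macro in the following hunk would benefit from the same kind of comment.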
@@ -898,6 +913,23 @@ static void gen_gorcw(TCGv ret, TCGv arg1, TCGv arg2)
 gen_helper_gorcw(ret, arg1, arg2);
 }
 
+#define GEN_SHADD_UW(SHAMT)   \
+static void gen_sh##SHAMT##add_uw(TCGv ret, TCGv arg1, TCGv arg2) \
+{ \
+TCGv t = tcg_temp_new();  \
+  \
+tcg_gen_ext32u_tl(t, arg1);   \
+  \
+tcg_gen_shli_tl(t, t, SHAMT); \
+tcg_gen_add_tl(ret, t, arg2); \
+  \
+

[RFC v4 03/16] target/riscv: rvb: count bits set

2021-01-12 Thread frank . chang
From: Frank Chang 

Signed-off-by: Kito Cheng 
Reviewed-by: Richard Henderson 
Signed-off-by: Frank Chang 
---
 target/riscv/insn32-64.decode   |  1 +
 target/riscv/insn32.decode  |  1 +
 target/riscv/insn_trans/trans_rvb.c.inc | 12 
 target/riscv/translate.c|  6 ++
 4 files changed, 20 insertions(+)

diff --git a/target/riscv/insn32-64.decode b/target/riscv/insn32-64.decode
index f4c42720fc7..89498a9a28a 100644
--- a/target/riscv/insn32-64.decode
+++ b/target/riscv/insn32-64.decode
@@ -90,3 +90,4 @@ hsv_d 0110111  .   . 100 0 1110011 @r2_s
 # *** RV64B Standard Extension (in addition to RV32B) ***
 clzw   011 0 . 001 . 0011011 @r2
 ctzw   011 1 . 001 . 0011011 @r2
+cpopw  011 00010 . 001 . 0011011 @r2
diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index 8fe838cf0d0..0e321da37f4 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -597,3 +597,4 @@ vsetvl  100 . . 111 . 1010111  @r
 # *** RV32B Standard Extension ***
 clz011000 00 . 001 . 0010011 @r2
 ctz011000 01 . 001 . 0010011 @r2
+cpop   011000 10 . 001 . 0010011 @r2
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index 76788c2f353..dbbd94e1015 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -29,6 +29,12 @@ static bool trans_ctz(DisasContext *ctx, arg_ctz *a)
 return gen_unary(ctx, a, gen_ctz);
 }
 
+static bool trans_cpop(DisasContext *ctx, arg_cpop *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_unary(ctx, a, tcg_gen_ctpop_tl);
+}
+
 /* RV64-only instructions */
 #ifdef TARGET_RISCV64
 
@@ -44,4 +50,10 @@ static bool trans_ctzw(DisasContext *ctx, arg_ctzw *a)
 return gen_unary(ctx, a, gen_ctzw);
 }
 
+static bool trans_cpopw(DisasContext *ctx, arg_cpopw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_unary(ctx, a, gen_cpopw);
+}
+
 #endif
diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index fac111d465c..3a14bdba194 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -726,6 +726,12 @@ static void gen_clzw(TCGv ret, TCGv arg1)
 tcg_gen_subi_i64(ret, ret, 32);
 }
 
+static void gen_cpopw(TCGv ret, TCGv arg1)
+{
+tcg_gen_ext32u_tl(arg1, arg1);
+tcg_gen_ctpop_tl(ret, arg1);
+}
+
 #endif
 
 static bool gen_arith(DisasContext *ctx, arg_r *a,
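Review bot: gen_cpopw writes the zero-extended value back into `arg1` with `tcg_gen_ext32u_tl(arg1, arg1)`, so the generator modifies its input operand. That is harmless only as long as every caller passes a scratch temporary; gen_unary is outside this hunk, so that cannot be confirmed from here. Using the destination as scratch removes the dependency: `tcg_gen_ext32u_tl(ret, arg1);` followed by `tcg_gen_ctpop_tl(ret, ret);`. gen_arith at the end of the hunk continues outside it.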
-- 
2.17.1




[RFC v4 09/16] target/riscv: rvb: single-bit instructions

2021-01-12 Thread frank . chang
From: Kito Cheng 

Signed-off-by: Kito Cheng 
Signed-off-by: Frank Chang 
Reviewed-by: Richard Henderson 
---
 target/riscv/insn32-64.decode   |  8 +++
 target/riscv/insn32.decode  |  9 +++
 target/riscv/insn_trans/trans_rvb.c.inc | 90 +
 target/riscv/translate.c| 61 +
 4 files changed, 168 insertions(+)

diff --git a/target/riscv/insn32-64.decode b/target/riscv/insn32-64.decode
index d28c0bcf2c1..f6c63c31b03 100644
--- a/target/riscv/insn32-64.decode
+++ b/target/riscv/insn32-64.decode
@@ -94,3 +94,11 @@ cpopw  011 00010 . 001 . 0011011 @r2
 
 packw  100 .. 100 . 0111011 @r
 packuw 0100100 .. 100 . 0111011 @r
+bsetw  0010100 .. 001 . 0111011 @r
+bclrw  0100100 .. 001 . 0111011 @r
+binvw  0110100 .. 001 . 0111011 @r
+bextw  0100100 .. 101 . 0111011 @r
+
+bsetiw 0010100 .. 001 . 0011011 @sh5
+bclriw 0100100 .. 001 . 0011011 @sh5
+binviw 0110100 .. 001 . 0011011 @sh5
diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index 938c23088eb..64d2b057764 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -611,3 +611,12 @@ min101 .. 100 . 0110011 @r
 minu   101 .. 101 . 0110011 @r
 max101 .. 110 . 0110011 @r
 maxu   101 .. 111 . 0110011 @r
+bset   0010100 .. 001 . 0110011 @r
+bclr   0100100 .. 001 . 0110011 @r
+binv   0110100 .. 001 . 0110011 @r
+bext   0100100 .. 101 . 0110011 @r
+
+bseti  00101. ... 001 . 0010011 @sh
+bclri  01001. ... 001 . 0010011 @sh
+binvi  01101. ... 001 . 0010011 @sh
+bexti  01001. ... 101 . 0010011 @sh
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index 1496996a660..0c41f135dc6 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -107,6 +107,54 @@ static bool trans_sext_h(DisasContext *ctx, arg_sext_h *a)
 return gen_unary(ctx, a, tcg_gen_ext16s_tl);
 }
 
+static bool trans_bset(DisasContext *ctx, arg_bset *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shift(ctx, a, gen_bset);
+}
+
+static bool trans_bseti(DisasContext *ctx, arg_bseti *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shifti(ctx, a, gen_bset);
+}
+
+static bool trans_bclr(DisasContext *ctx, arg_bclr *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shift(ctx, a, gen_bclr);
+}
+
+static bool trans_bclri(DisasContext *ctx, arg_bclri *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shifti(ctx, a, gen_bclr);
+}
+
+static bool trans_binv(DisasContext *ctx, arg_binv *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shift(ctx, a, gen_binv);
+}
+
+static bool trans_binvi(DisasContext *ctx, arg_binvi *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shifti(ctx, a, gen_binv);
+}
+
+static bool trans_bext(DisasContext *ctx, arg_bext *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shift(ctx, a, gen_bext);
+}
+
+static bool trans_bexti(DisasContext *ctx, arg_bexti *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shifti(ctx, a, gen_bext);
+}
+
 /* RV64-only instructions */
 #ifdef TARGET_RISCV64
 
@@ -140,4 +188,46 @@ static bool trans_packuw(DisasContext *ctx, arg_packuw *a)
 return gen_arith(ctx, a, gen_packuw);
 }
 
+static bool trans_bsetw(DisasContext *ctx, arg_bsetw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shiftw(ctx, a, gen_bset);
+}
+
+static bool trans_bsetiw(DisasContext *ctx, arg_bsetiw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shiftiw(ctx, a, gen_bset);
+}
+
+static bool trans_bclrw(DisasContext *ctx, arg_bclrw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shiftw(ctx, a, gen_bclr);
+}
+
+static bool trans_bclriw(DisasContext *ctx, arg_bclriw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shiftiw(ctx, a, gen_bclr);
+}
+
+static bool trans_binvw(DisasContext *ctx, arg_binvw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shiftw(ctx, a, gen_binv);
+}
+
+static bool trans_binviw(DisasContext *ctx, arg_binviw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shiftiw(ctx, a, gen_binv);
+}
+
+static bool trans_bextw(DisasContext *ctx, arg_bextw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_shiftw(ctx, a, gen_bext);
+}
+
 #endif
diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index 8459b6bcf54..7ea434ffa8d 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -734,6 +734,48 @@ static void gen_packh(TCGv ret, TCGv arg1, TCGv arg2)
 tcg_temp_free(t);
 }
 
+static void gen_sbop_mask(TCGv ret, TCGv shamt)
+{
+tcg_gen_movi_tl(ret, 1);
+tcg_gen_shl_tl(ret, ret, shamt);
+}
+
+static void gen_bset(TCGv ret, TCGv arg1, TCGv shamt)
+{
+TCGv t = 

[RFC v4 05/16] target/riscv: rvb: pack two words into one register

2021-01-12 Thread frank . chang
From: Kito Cheng 

Signed-off-by: Kito Cheng 
Signed-off-by: Frank Chang 
Reviewed-by: Richard Henderson 
---
 target/riscv/insn32-64.decode   |  3 ++
 target/riscv/insn32.decode  |  3 ++
 target/riscv/insn_trans/trans_rvb.c.inc | 30 +++
 target/riscv/translate.c| 40 +
 4 files changed, 76 insertions(+)

diff --git a/target/riscv/insn32-64.decode b/target/riscv/insn32-64.decode
index 89498a9a28a..d28c0bcf2c1 100644
--- a/target/riscv/insn32-64.decode
+++ b/target/riscv/insn32-64.decode
@@ -91,3 +91,6 @@ hsv_d 0110111  .   . 100 0 1110011 @r2_s
 clzw   011 0 . 001 . 0011011 @r2
 ctzw   011 1 . 001 . 0011011 @r2
 cpopw  011 00010 . 001 . 0011011 @r2
+
+packw  100 .. 100 . 0111011 @r
+packuw 0100100 .. 100 . 0111011 @r
diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index d0b3f109b4e..7f32b8c6d15 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -602,3 +602,6 @@ cpop   011000 10 . 001 . 0010011 @r2
 andn   010 .. 111 . 0110011 @r
 orn010 .. 110 . 0110011 @r
 xnor   010 .. 100 . 0110011 @r
+pack   100 .. 100 . 0110011 @r
+packu  0100100 .. 100 . 0110011 @r
+packh  100 .. 111 . 0110011 @r
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index 73c4693a263..2d24dafac09 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -53,6 +53,24 @@ static bool trans_xnor(DisasContext *ctx, arg_xnor *a)
 return gen_arith(ctx, a, tcg_gen_eqv_tl);
 }
 
+static bool trans_pack(DisasContext *ctx, arg_pack *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_arith(ctx, a, gen_pack);
+}
+
+static bool trans_packu(DisasContext *ctx, arg_packu *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_arith(ctx, a, gen_packu);
+}
+
+static bool trans_packh(DisasContext *ctx, arg_packh *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_arith(ctx, a, gen_packh);
+}
+
 /* RV64-only instructions */
 #ifdef TARGET_RISCV64
 
@@ -74,4 +92,16 @@ static bool trans_cpopw(DisasContext *ctx, arg_cpopw *a)
 return gen_unary(ctx, a, gen_cpopw);
 }
 
+static bool trans_packw(DisasContext *ctx, arg_packw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_arith(ctx, a, gen_packw);
+}
+
+static bool trans_packuw(DisasContext *ctx, arg_packuw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_arith(ctx, a, gen_packuw);
+}
+
 #endif
diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index 3a14bdba194..53c0c34ce16 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -711,6 +711,29 @@ static bool gen_arith_div_uw(DisasContext *ctx, arg_r *a,
 
 #endif
 
+static void gen_pack(TCGv ret, TCGv arg1, TCGv arg2)
+{
+tcg_gen_deposit_tl(ret, arg1, arg2,
+   TARGET_LONG_BITS / 2,
+   TARGET_LONG_BITS / 2);
+}
+
+static void gen_packu(TCGv ret, TCGv arg1, TCGv arg2)
+{
+TCGv t = tcg_temp_new();
+tcg_gen_shri_tl(t, arg1, TARGET_LONG_BITS / 2);
+tcg_gen_deposit_tl(ret, arg2, t, 0, TARGET_LONG_BITS / 2);
+tcg_temp_free(t);
+}
+
+static void gen_packh(TCGv ret, TCGv arg1, TCGv arg2)
+{
+TCGv t = tcg_temp_new();
+tcg_gen_ext8u_tl(t, arg2);
+tcg_gen_deposit_tl(ret, arg1, t, 8, TARGET_LONG_BITS - 8);
+tcg_temp_free(t);
+}
+
 #ifdef TARGET_RISCV64
 
 static void gen_ctzw(TCGv ret, TCGv arg1)
@@ -732,6 +755,23 @@ static void gen_cpopw(TCGv ret, TCGv arg1)
 tcg_gen_ctpop_tl(ret, arg1);
 }
 
+static void gen_packw(TCGv ret, TCGv arg1, TCGv arg2)
+{
+TCGv t = tcg_temp_new();
+tcg_gen_ext16s_i64(t, arg2);
+tcg_gen_deposit_i64(ret, arg1, t, 16, 48);
+tcg_temp_free(t);
+}
+
+static void gen_packuw(TCGv ret, TCGv arg1, TCGv arg2)
+{
+TCGv t = tcg_temp_new();
+tcg_gen_shri_i64(t, arg1, 16);
+tcg_gen_deposit_i64(ret, arg2, t, 0, 16);
+tcg_gen_ext32s_i64(ret, ret);
+tcg_temp_free(t);
+}
+
 #endif
 
 static bool gen_arith(DisasContext *ctx, arg_r *a,
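Review bot: gen_packw and gen_packuw call the `_i64` variants (`tcg_gen_ext16s_i64`, `tcg_gen_deposit_i64`, `tcg_gen_shri_i64`, `tcg_gen_ext32s_i64`) on `TCGv` values, while gen_cpopw in this hunk's context and gen_pack, gen_packu and gen_packh in the previous hunk use the `_tl` forms. This presumably compiles only because the block sits under `#ifdef TARGET_RISCV64`; using `_tl` throughout, e.g. `tcg_gen_ext16s_tl(t, arg2);` and `tcg_gen_deposit_tl(ret, arg1, t, 16, 48);`, keeps the file consistent. A one-line comment on gen_packw noting that depositing the sign-extended 16-bit value at bit 16 also yields the sign-extended 32-bit result would explain the `16, 48` pair.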
-- 
2.17.1




[RFC v4 01/16] target/riscv: reformat @sh format encoding for B-extension

2021-01-12 Thread frank . chang
From: Kito Cheng 

Signed-off-by: Kito Cheng 
Signed-off-by: Frank Chang 
Reviewed-by: Richard Henderson 
---
 target/riscv/insn32.decode | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index 84080dd18ca..3823b3ea800 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -22,7 +22,7 @@
 %rs1   15:5
 %rd7:5
 
-%sh1020:10
+%sh720:7
 %csr20:12
 %rm 12:3
 %nf 29:3 !function=ex_plus_1
@@ -58,7 +58,7 @@
 @u     . ...   imm=%imm_u  
%rd
 @j     . ...   imm=%imm_j  
%rd
 
-@sh  ..  .. .  ... . ...   shamt=%sh10  %rs1 
%rd
+@sh  ..  .. .  ... . ...   shamt=%sh7 %rs1 
%rd
 @csr    .  ... . ...   %csr %rs1 
%rd
 
 @atom_ld . aq:1 rl:1 .  . ...  rs2=0 %rs1 
%rd
@@ -122,9 +122,9 @@ sltiu . 011 . 0010011 @i
 xori  . 100 . 0010011 @i
 ori   . 110 . 0010011 @i
 andi  . 111 . 0010011 @i
-slli 00 ... 001 . 0010011 @sh
-srli 00 ... 101 . 0010011 @sh
-srai 01 ... 101 . 0010011 @sh
+slli 0. ... 001 . 0010011 @sh
+srli 0. ... 101 . 0010011 @sh
+srai 01000. ... 101 . 0010011 @sh
 add  000 .. 000 . 0110011 @r
 sub  010 .. 000 . 0110011 @r
 sll  000 .. 001 . 0110011 @r
-- 
2.17.1




[RFC v4 02/16] target/riscv: rvb: count leading/trailing zeros

2021-01-12 Thread frank . chang
From: Kito Cheng 

Signed-off-by: Kito Cheng 
Signed-off-by: Frank Chang 
Reviewed-by: Richard Henderson 
---
 target/riscv/insn32-64.decode   |  4 +++
 target/riscv/insn32.decode  |  7 +++-
 target/riscv/insn_trans/trans_rvb.c.inc | 47 +
 target/riscv/translate.c| 42 ++
 4 files changed, 99 insertions(+), 1 deletion(-)
 create mode 100644 target/riscv/insn_trans/trans_rvb.c.inc

diff --git a/target/riscv/insn32-64.decode b/target/riscv/insn32-64.decode
index 8157dee8b7c..f4c42720fc7 100644
--- a/target/riscv/insn32-64.decode
+++ b/target/riscv/insn32-64.decode
@@ -86,3 +86,7 @@ fmv_d_x001  0 . 000 . 1010011 @r2
 hlv_wu0110100  1   . 100 . 1110011 @r2
 hlv_d 0110110  0   . 100 . 1110011 @r2
 hsv_d 0110111  .   . 100 0 1110011 @r2_s
+
+# *** RV64B Standard Extension (in addition to RV32B) ***
+clzw   011 0 . 001 . 0011011 @r2
+ctzw   011 1 . 001 . 0011011 @r2
diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index 3823b3ea800..8fe838cf0d0 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -40,6 +40,7 @@
 imm rs1 rd
 imm rd
 rd rs1 rs2
+   rd rs1
 imm rs1 rs2
 imm rd
  shamt rs1 rd
@@ -67,7 +68,7 @@
 @r4_rm   . ..  . . ... . ... %rs3 %rs2 %rs1 %rm %rd
 @r_rm...   . . ... . ... %rs2 %rs1 %rm %rd
 @r2_rm   ...   . . ... . ... %rs1 %rm %rd
-@r2  ...   . . ... . ... %rs1 %rd
+@r2  ...   . . ... . ...  %rs1 %rd
 @r2_nfvm ... ... vm:1 . . ... . ...  %nf %rs1 %rd
 @r2_vm   .. vm:1 . . ... . ...  %rs2 %rd
 @r1_vm   .. vm:1 . . ... . ... %rd
@@ -592,3 +593,7 @@ vcompress_vm010111 - . . 010 . 1010111 @r
 
 vsetvli 0 ... . 111 . 1010111  @r2_zimm
 vsetvl  100 . . 111 . 1010111  @r
+
+# *** RV32B Standard Extension ***
+clz011000 00 . 001 . 0010011 @r2
+ctz011000 01 . 001 . 0010011 @r2
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
new file mode 100644
index 000..76788c2f353
--- /dev/null
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -0,0 +1,47 @@
+/*
+ * RISC-V translation routines for the RVB Standard Extension.
+ *
+ * Copyright (c) 2020 Kito Cheng, kito.ch...@sifive.com
+ * Copyright (c) 2020 Frank Chang, frank.ch...@sifive.com
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see .
+ */
+
+static bool trans_clz(DisasContext *ctx, arg_clz *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_unary(ctx, a, gen_clz);
+}
+
+static bool trans_ctz(DisasContext *ctx, arg_ctz *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_unary(ctx, a, gen_ctz);
+}
+
+/* RV64-only instructions */
+#ifdef TARGET_RISCV64
+
+static bool trans_clzw(DisasContext *ctx, arg_clzw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_unary(ctx, a, gen_clzw);
+}
+
+static bool trans_ctzw(DisasContext *ctx, arg_ctzw *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_unary(ctx, a, gen_ctzw);
+}
+
+#endif
diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index 554d52a4be3..fac111d465c 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -711,6 +711,23 @@ static bool gen_arith_div_uw(DisasContext *ctx, arg_r *a,
 
 #endif
 
+#ifdef TARGET_RISCV64
+
+static void gen_ctzw(TCGv ret, TCGv arg1)
+{
+tcg_gen_ori_i64(ret, arg1, MAKE_64BIT_MASK(32, 32));
+tcg_gen_ctzi_i64(ret, ret, 64);
+}
+
+static void gen_clzw(TCGv ret, TCGv arg1)
+{
+tcg_gen_ext32u_i64(ret, arg1);
+tcg_gen_clzi_i64(ret, ret, 64);
+tcg_gen_subi_i64(ret, ret, 32);
+}
+
+#endif
+
 static bool gen_arith(DisasContext *ctx, arg_r *a,
   void(*func)(TCGv, TCGv, TCGv))
 {
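Review bot: gen_ctzw and gen_clzw have no comment explaining the trick each one relies on, and both are easy to break in a later cleanup. In gen_ctzw the OR with `MAKE_64BIT_MASK(32, 32)` is what makes a zero low word return 32, so I would put `/* Set bits 63:32 so a zero 32-bit input yields 32, not 64. */` above it. In gen_clzw I would add `/* Count over the zero-extended 64-bit value, then drop the 32 extra leading zeros. */`. Both helpers call the `_i64` ops directly on `TCGv`, which only type-checks inside the `TARGET_RISCV64` guard this hunk adds, so a short remark next to the `#ifdef` would help too.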
@@ -747,6 +764,30 @@ static bool gen_shift(DisasContext *ctx, arg_r *a,
 return true;
 }
 
+static void gen_ctz(TCGv ret, TCGv arg1)
+{
+tcg_gen_ctzi_tl(ret, arg1, TARGET_LONG_BITS);
+}
+
+static void gen_clz(TCGv ret, TCGv arg1)
+{
+tcg_gen_clzi_tl(ret, arg1, TARGET_LONG_BITS);
+}
+
+static bool gen_unary(DisasContext *ctx, arg_r2 *a,
+  void(*func)(TCGv, TCGv))
+{
+TCGv source = tcg_temp_new();

[RFC v4 04/16] target/riscv: rvb: logic-with-negate

2021-01-12 Thread frank . chang
From: Kito Cheng 

Signed-off-by: Kito Cheng 
Signed-off-by: Frank Chang 
Reviewed-by: Richard Henderson 
---
 target/riscv/insn32.decode  |  4 
 target/riscv/insn_trans/trans_rvb.c.inc | 18 ++
 2 files changed, 22 insertions(+)

diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index 0e321da37f4..d0b3f109b4e 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -598,3 +598,7 @@ vsetvl  100 . . 111 . 1010111  @r
 clz011000 00 . 001 . 0010011 @r2
 ctz011000 01 . 001 . 0010011 @r2
 cpop   011000 10 . 001 . 0010011 @r2
+
+andn   010 .. 111 . 0110011 @r
+orn010 .. 110 . 0110011 @r
+xnor   010 .. 100 . 0110011 @r
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index dbbd94e1015..73c4693a263 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -35,6 +35,24 @@ static bool trans_cpop(DisasContext *ctx, arg_cpop *a)
 return gen_unary(ctx, a, tcg_gen_ctpop_tl);
 }
 
+static bool trans_andn(DisasContext *ctx, arg_andn *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_arith(ctx, a, tcg_gen_andc_tl);
+}
+
+static bool trans_orn(DisasContext *ctx, arg_orn *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_arith(ctx, a, tcg_gen_orc_tl);
+}
+
+static bool trans_xnor(DisasContext *ctx, arg_xnor *a)
+{
+REQUIRE_EXT(ctx, RVB);
+return gen_arith(ctx, a, tcg_gen_eqv_tl);
+}
+
 /* RV64-only instructions */
 #ifdef TARGET_RISCV64
 
-- 
2.17.1




[RFC v4 00/16] support subsets of bitmanip extension

2021-01-12 Thread frank . chang
From: Frank Chang 

This patchset implements RISC-V B-extension 0.93 version Zbb, Zbs and
Zba subset instructions. Some Zbp instructions are also implemented as
they have similar behavior with their Zbb-, Zbs- and Zba-family
instructions or for Zbb pseudo instructions (e.g. rev8, orc.b).

Specification:
https://github.com/riscv/riscv-bitmanip/blob/master/bitmanip-0.93.pdf

The port is available here:
https://github.com/sifive/qemu/tree/rvb-upstream-v4

To test rvb implementation, specify cpu argument with 'x-b=true' to
enable B-extension support.

Changelog:

v4:
 * Remove 'rd != 0' checks from immediate shift instructions.

v3:
 * Convert existing immediate shift instructions to use gen_shifti()
   and gen_shiftiw() interfaces.
 * Rename *u.w instructions to *.uw.
 * Rename sb* instructions to b*.
 * Rename pcnt* instructions to cpop*.

v2:
 * Add gen_shifti(), gen_shiftw(), gen_shiftiw() helper functions.
 * Remove addwu, subwu and addiwu instructions as they no longer
   exist in the latest draft.
 * Optimize implementation with cleaner tcg ops.

Frank Chang (4):
  target/riscv: rvb: count bits set
  target/riscv: add gen_shifti() and gen_shiftiw() helper functions
  target/riscv: rvb: generalized reverse
  target/riscv: rvb: generalized or-combine

Kito Cheng (12):
  target/riscv: reformat @sh format encoding for B-extension
  target/riscv: rvb: count leading/trailing zeros
  target/riscv: rvb: logic-with-negate
  target/riscv: rvb: pack two words into one register
  target/riscv: rvb: min/max instructions
  target/riscv: rvb: sign-extend instructions
  target/riscv: rvb: single-bit instructions
  target/riscv: rvb: shift ones
  target/riscv: rvb: rotate (left/right)
  target/riscv: rvb: address calculation
  target/riscv: rvb: add/shift with prefix zero-extend
  target/riscv: rvb: support and turn on B-extension from command line

 target/riscv/bitmanip_helper.c  | 102 ++
 target/riscv/cpu.c  |   4 +
 target/riscv/cpu.h  |   2 +
 target/riscv/helper.h   |   9 +
 target/riscv/insn32-64.decode   |  33 ++
 target/riscv/insn32.decode  |  54 ++-
 target/riscv/insn_trans/trans_rvb.c.inc | 415 
 target/riscv/insn_trans/trans_rvi.c.inc |  54 +--
 target/riscv/meson.build|   1 +
 target/riscv/translate.c| 314 ++
 10 files changed, 932 insertions(+), 56 deletions(-)
 create mode 100644 target/riscv/bitmanip_helper.c
 create mode 100644 target/riscv/insn_trans/trans_rvb.c.inc

--
2.17.1




Re: [PATCH] crypto: Fix some code style problems, add spaces around operator

2021-01-12 Thread shiliyang
Kindly ping. This patch is still not on the master branch.
Please take it into your tree.

Thanks.

On 2020/12/7 18:10, Philippe Mathieu-Daudé wrote:
> On 12/7/20 9:37 AM, shiliyang wrote:
>> This patch fixes error style problems found by checkpatch.pl:
>> ERROR: spaces required around that '*'
>> ERROR: space required after that ','
>> ERROR: spaces required around that '|'
>>
>> Signed-off-by: Liyang Shi 
>> ---
>>  crypto/aes.c  | 2 +-
>>  crypto/desrfb.c   | 2 +-
>>  crypto/tlscredsx509.c | 2 +-
>>  3 files changed, 3 insertions(+), 3 deletions(-)
> 
> Reviewed-by: Philippe Mathieu-Daudé 
> 
> .
> 



Re: [PATCH 4/9] libvhost-user: Include poll.h instead of sys/poll.h

2021-01-12 Thread Thomas Huth

On 21/12/2020 01.53, Jiaxun Yang wrote:

Musl libc complains about it's wrong usage.

In file included from ../subprojects/libvhost-user/libvhost-user.h:20,
  from ../subprojects/libvhost-user/libvhost-user-glib.h:19,
  from ../subprojects/libvhost-user/libvhost-user-glib.c:15:
/usr/include/sys/poll.h:1:2: error: #warning redirecting incorrect #include 
 to  [-Werror=cpp]
 1 | #warning redirecting incorrect #include  to 
   |  ^~~

Signed-off-by: Jiaxun Yang 
---
  subprojects/libvhost-user/libvhost-user.h | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/subprojects/libvhost-user/libvhost-user.h 
b/subprojects/libvhost-user/libvhost-user.h
index 7d47f1364a..3d13dfadde 100644
--- a/subprojects/libvhost-user/libvhost-user.h
+++ b/subprojects/libvhost-user/libvhost-user.h
@@ -17,7 +17,7 @@
  #include 
  #include 
  #include 
-#include 
+#include 
  #include 
  #include 
  #include "standard-headers/linux/virtio_ring.h"



Reviewed-by: Thomas Huth 




Re: [PATCH 3/9] configure/meson: Only check sys/signal.h on non-Linux

2021-01-12 Thread Thomas Huth

On 21/12/2020 01.53, Jiaxun Yang wrote:

signal.h is equivalent to sys/signal.h on Linux; musl complains about
wrong usage of sys/signal.h.

In file included from /builds/FlyGoat/qemu/include/qemu/osdep.h:108,
  from ../tests/qemu-iotests/socket_scm_helper.c:13:
/usr/include/sys/signal.h:1:2: error: #warning redirecting incorrect #include 
 to  [-Werror=cpp]
 1 | #warning redirecting incorrect #include  to 
   |  ^~~

Signed-off-by: Jiaxun Yang 
---
  meson.build | 5 -
  1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/meson.build b/meson.build
index 372576f82c..1ef8722b3a 100644
--- a/meson.build
+++ b/meson.build
@@ -841,7 +841,10 @@ config_host_data.set('HAVE_DRM_H', 
cc.has_header('libdrm/drm.h'))
  config_host_data.set('HAVE_PTY_H', cc.has_header('pty.h'))
  config_host_data.set('HAVE_SYS_IOCCOM_H', cc.has_header('sys/ioccom.h'))
  config_host_data.set('HAVE_SYS_KCOV_H', cc.has_header('sys/kcov.h'))
-config_host_data.set('HAVE_SYS_SIGNAL_H', cc.has_header('sys/signal.h'))
+if targetos != 'linux'
+  # signal.h is equlevant of sys/signal.h on Linux
+  config_host_data.set('HAVE_SYS_SIGNAL_H', cc.has_header('sys/signal.h'))
+endif
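Review bot: The added comment misspells "equivalent", and it is the only place in the file that explains why the probe is skipped on Linux. Going by the musl warning quoted in the commit message, I would word it as `# On Linux, sys/signal.h only redirects to signal.h (musl warns about it), so skip the probe`. With the `if` in place HAVE_SYS_SIGNAL_H is never set on Linux hosts, so it is worth checking that every consumer tests it with `#ifdef` rather than `#if`.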


It seems sys/signal.h was introduced for OpenBSD once (see commit 
128ab2ff50a), so this new check should be fine.


Reviewed-by: Thomas Huth 




Re: [PATCH 2/9] configure: Add sys/timex.h to probe clk_adjtime

2021-01-12 Thread Thomas Huth



In the subject:

s/clk_adjtime/clock_adjtime/

On 21/12/2020 01.53, Jiaxun Yang wrote:

It is not a part of standard time.h. Glibc put it under
time.h however musl treat it as a sys timex extension.

Signed-off-by: Jiaxun Yang 
---
  configure | 1 +
  1 file changed, 1 insertion(+)

diff --git a/configure b/configure
index c228f7c21e..990f37e123 100755
--- a/configure
+++ b/configure
@@ -4374,6 +4374,7 @@ fi
  clock_adjtime=no
  cat > $TMPC <
+#include 
  
  int main(void)

  {



According to the man page:

 http://www.tin.org/bin/man.cgi?section=2=clock_adjtime

sys/timex.h is indeed the right header here.

Reviewed-by: Thomas Huth 




Re: [PATCH v6 13/13] s390: Recognize confidential-guest-support option

2021-01-12 Thread Christian Borntraeger



On 13.01.21 01:57, David Gibson wrote:
> On Tue, Jan 12, 2021 at 12:36:07PM +0100, Cornelia Huck wrote:
>> On Tue, 12 Jan 2021 09:15:26 +0100
>> Christian Borntraeger  wrote:
>>
>>> On 12.01.21 05:45, David Gibson wrote:
 At least some s390 cpu models support "Protected Virtualization" (PV),
 a mechanism to protect guests from eavesdropping by a compromised
 hypervisor.

 This is similar in function to other mechanisms like AMD's SEV and
 POWER's PEF, which are controlled by the "confidential-guest-support"
 machine option.  s390 is a slightly special case, because we already
 supported PV, simply by using a CPU model with the required feature
 (S390_FEAT_UNPACK).

 To integrate this with the option used by other platforms, we
 implement the following compromise:

  - When the confidential-guest-support option is set, s390 will
recognize it, verify that the CPU can support PV (failing if not)
and set virtio default options necessary for encrypted or protected
guests, as on other platforms.  i.e. if confidential-guest-support
is set, we will either create a guest capable of entering PV mode,
or fail outright.

  - If confidential-guest-support is not set, guests might still be
able to enter PV mode, if the CPU has the right model.  This may be
a little surprising, but shouldn't actually be harmful.

 To start a guest supporting Protected Virtualization using the new
 option use the command line arguments:
 -object s390-pv-guest,id=pv0 -machine confidential-guest-support=pv0  
>>>
>>>
>>> This results in
>>>
>>> [cborntra@t35lp61 qemu]$ qemu-system-s390x -enable-kvm -nographic -m 2G 
>>> -kernel ~/full.normal 
>>> **
>>> ERROR:../qom/object.c:317:type_initialize: assertion failed: 
>>> (parent->instance_size <= ti->instance_size)
>>> Bail out! ERROR:../qom/object.c:317:type_initialize: assertion failed: 
>>> (parent->instance_size <= ti->instance_size)
>>> Aborted (core dumped)
>>>
>>
 +static const TypeInfo s390_pv_guest_info = {
 +.parent = TYPE_CONFIDENTIAL_GUEST_SUPPORT,
 +.name = TYPE_S390_PV_GUEST,
 +.instance_size = sizeof(S390PVGuestState),
 +.interfaces = (InterfaceInfo[]) {
 +{ TYPE_USER_CREATABLE },
 +{ }
 +}
 +};
>>
>> I think this needs TYPE_OBJECT in .parent and
>> TYPE_CONFIDENTIAL_GUEST_SUPPORT as an interface to fix the crash.
> 
> No, that was true of an earlier revision, but parent is correct in the
> current version.

right now parent is obviously wrong as it triggers the above warning (and all 
other
variants in the previous patches also use TYPE_OBJECT). It is probably the right
thing when you fix

+struct S390PVGuestState {
+Object parent_obj;
+};
+

and change Object to the proper type I guess. 



Ping: [PATCH v2 0/5] Fix some style problems in contrib

2021-01-12 Thread zhouyang (T)
Hi Peter,

Friendly ping again. It's been more than a month since I submitted the 
patch; did I miss any response?

On 2020/12/31 10:26, zhouyang (T) wrote:
> kindly ping
> 
> On 2020/12/17 11:44, zhouyang (T) wrote:
>> kindly ping
>>
>>> v1 -> v2:
>>> Changed the "From:" and "Signed-off-by:" lines from "zhouyang (T)"
>>> to my real name "zhouyang".
>>>
>>> I found some style problems while check the code using checkpatch.pl
>>> and fixed them, please review.
>>>
>>> zhouyang (5):
>>>  contrib: Don't use '#' flag of printf format
>>>  contrib: Fix some code style problems, ERROR: "foo * bar" should be
>>>"foo *bar"
>>>  contrib: Add spaces around operator
>>>  contrib: space required after that ','
>>>  contrib: Open brace '{' following struct go on the same line
>>>
>>> contrib/ivshmem-server/main.c |  2 +-
>>> contrib/plugins/hotblocks.c   |  2 +-
>>> contrib/plugins/hotpages.c|  2 +-
>>> contrib/plugins/howvec.c  | 19 +--
>>> contrib/plugins/lockstep.c|  6 +++---
>>> 5 files changed, 15 insertions(+), 16 deletions(-)
>>>
>>> --
>>> 2.23.0
>>



Re: minimal "zero conf" build dockerfiles for fedora:latest and alpine:latest

2021-01-12 Thread Thomas Huth

On 12/01/2021 23.37, John Snow wrote:
I wanted to know what the minimal setup required was to replicate the 
compilation instructions featured on https://www.qemu.org/download/#source

[...]
>  pixman-devel \

pixman is only required for the softmmu and tools targets. If you just build 
the linux-user targets, you can even get rid of this.


[...]

Notes:

- our configure file suggests bzip2 is an optional dependency (It's set to 
'auto') but meson will error out if it is not present at configuration time:


     ../pc-bios/meson.build:5:2: ERROR: Program 'bzip2' not found


IIRC it's required for compressing the edk2 firmware images, so if you 
compile without x86 and arm, you don't need it. Maybe it would be good to 
add a check for this to the configure script, too?



- diffutils is required for the qapi-schema test, which runs at build time.


We should maybe add a check for "diff" to the configure script?

- early on in the build process, an error "bash: find: command not found" 
can be seen, but it doesn't seem to cause a failure otherwise.


- perl is not declared as a hard pre-requisite during configure time, but 
the build will error out if it is not present:


[254/8314] Generating texture-blit-frag.h with a meson_exe.py custom command
FAILED: ui/shader/texture-blit-frag.h
/usr/bin/python3 /qemu-5.2.0/meson/meson.py --internal exe --capture 
ui/shader/texture-blit-frag.h -- /usr/bin/env perl 
/qemu-5.2.0/scripts/shaderinclude.pl ../ui/shader/texture-blit.frag

/usr/bin/env: ‘perl’: No such file or directory


shaderinclude.pl seems to be pretty small, maybe it could be rewritten in 
python?


- bash has to be installed explicitly. configure/meson do not check for it, 
but the build will fail if they aren't present.


IIRC we were able to compile without bash before the meson conversion, just 
some parts like the iotests needed the bash (at least that's why we have a 
check for bash in tests/check-block.sh for example). Where is it failing now?


- musl seems to work alright, but does throw a ton of warnings. I didn't 
actually run any tests, since they require more dependencies.


- linux-user binaries can't be compiled because alpine's usage of musl; I 
didn't look much more closely.


There were some related patches on the list recently, look for the "Alpine 
Linux build fix and CI pipeline" patch series.


 Thomas




[PATCH v2 4/4] target/arm: Update REV, PUNPK for pred_desc

2021-01-12 Thread Richard Henderson
Update all users of do_perm_pred2 for the new
predicate descriptor field definitions.

Cc: qemu-sta...@nongnu.org
Buglink: https://bugs.launchpad.net/bugs/1908551
Signed-off-by: Richard Henderson 
---
 target/arm/sve_helper.c|  8 
 target/arm/translate-sve.c | 13 -
 2 files changed, 8 insertions(+), 13 deletions(-)

diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index 7eec4b6b73..844db08bd5 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -2036,8 +2036,8 @@ static uint8_t reverse_bits_8(uint8_t x, int n)
 
 void HELPER(sve_rev_p)(void *vd, void *vn, uint32_t pred_desc)
 {
-intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
-int esz = extract32(pred_desc, SIMD_DATA_SHIFT, 2);
+intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+int esz = FIELD_EX32(pred_desc, PREDDESC, ESZ);
 intptr_t i, oprsz_2 = oprsz / 2;
 
 if (oprsz <= 8) {
@@ -2066,8 +2066,8 @@ void HELPER(sve_rev_p)(void *vd, void *vn, uint32_t 
pred_desc)
 
 void HELPER(sve_punpk_p)(void *vd, void *vn, uint32_t pred_desc)
 {
-intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
-intptr_t high = extract32(pred_desc, SIMD_DATA_SHIFT + 2, 1);
+intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+intptr_t high = FIELD_EX32(pred_desc, PREDDESC, DATA);
 uint64_t *d = vd;
 intptr_t i;
 
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index 0baca176a0..27402af23c 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -2145,19 +2145,14 @@ static bool do_perm_pred2(DisasContext *s, arg_rr_esz 
*a, bool high_odd,
 TCGv_ptr t_d = tcg_temp_new_ptr();
 TCGv_ptr t_n = tcg_temp_new_ptr();
 TCGv_i32 t_desc;
-int desc;
+uint32_t desc = 0;
 
 tcg_gen_addi_ptr(t_d, cpu_env, pred_full_reg_offset(s, a->rd));
 tcg_gen_addi_ptr(t_n, cpu_env, pred_full_reg_offset(s, a->rn));
 
-/* Predicate sizes may be smaller and cannot use simd_desc.
-   We cannot round up, as we do elsewhere, because we need
-   the exact size for ZIP2 and REV.  We retain the style for
-   the other helpers for consistency.  */
-
-desc = vsz - 2;
-desc = deposit32(desc, SIMD_DATA_SHIFT, 2, a->esz);
-desc = deposit32(desc, SIMD_DATA_SHIFT + 2, 2, high_odd);
+desc = FIELD_DP32(desc, PREDDESC, OPRSZ, vsz);
+desc = FIELD_DP32(desc, PREDDESC, ESZ, a->esz);
+desc = FIELD_DP32(desc, PREDDESC, DATA, high_odd);
 t_desc = tcg_const_i32(desc);
 
 fn(t_d, t_n, t_desc);
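Review bot: `FIELD_DP32(desc, PREDDESC, OPRSZ, vsz)` in do_perm_pred2 stores the predicate size without checking that it fits the 6-bit field, and as far as I know a run-time value that does not fit is masked off without any diagnostic. That is the same kind of silent truncation this series is fixing. A debug assertion before the deposit would make the limit explicit, for example `tcg_debug_assert(vsz <= R_PREDDESC_OPRSZ_MASK);`, assuming the FIELD() macro generates that constant for the new field as it does elsewhere. The same deposit appears in do_perm_pred3 and do_pfirst_pnext in the other patches of the series. do_perm_pred2 starts and ends outside this hunk.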
-- 
2.25.1




[PATCH v2 3/4] target/arm: Update ZIP, UZP, TRN for pred_desc

2021-01-12 Thread Richard Henderson
Update all users of do_perm_pred3 for the new
predicate descriptor field definitions.

Cc: qemu-sta...@nongnu.org
Signed-off-by: Richard Henderson 
---
 target/arm/sve_helper.c| 18 +-
 target/arm/translate-sve.c | 12 
 2 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index ff01851bf2..7eec4b6b73 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -1868,9 +1868,9 @@ static uint64_t compress_bits(uint64_t x, int n)
 
 void HELPER(sve_zip_p)(void *vd, void *vn, void *vm, uint32_t pred_desc)
 {
-intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
-int esz = extract32(pred_desc, SIMD_DATA_SHIFT, 2);
-intptr_t high = extract32(pred_desc, SIMD_DATA_SHIFT + 2, 1);
+intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+int esz = FIELD_EX32(pred_desc, PREDDESC, ESZ);
+intptr_t high = FIELD_EX32(pred_desc, PREDDESC, DATA);
 uint64_t *d = vd;
 intptr_t i;
 
@@ -1929,9 +1929,9 @@ void HELPER(sve_zip_p)(void *vd, void *vn, void *vm, 
uint32_t pred_desc)
 
 void HELPER(sve_uzp_p)(void *vd, void *vn, void *vm, uint32_t pred_desc)
 {
-intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
-int esz = extract32(pred_desc, SIMD_DATA_SHIFT, 2);
-int odd = extract32(pred_desc, SIMD_DATA_SHIFT + 2, 1) << esz;
+intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+int esz = FIELD_EX32(pred_desc, PREDDESC, ESZ);
+int odd = FIELD_EX32(pred_desc, PREDDESC, DATA) << esz;
 uint64_t *d = vd, *n = vn, *m = vm;
 uint64_t l, h;
 intptr_t i;
@@ -1986,9 +1986,9 @@ void HELPER(sve_uzp_p)(void *vd, void *vn, void *vm, 
uint32_t pred_desc)
 
 void HELPER(sve_trn_p)(void *vd, void *vn, void *vm, uint32_t pred_desc)
 {
-intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
-uintptr_t esz = extract32(pred_desc, SIMD_DATA_SHIFT, 2);
-bool odd = extract32(pred_desc, SIMD_DATA_SHIFT + 2, 1);
+intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+int esz = FIELD_EX32(pred_desc, PREDDESC, ESZ);
+int odd = FIELD_EX32(pred_desc, PREDDESC, DATA);
 uint64_t *d = vd, *n = vn, *m = vm;
 uint64_t mask;
 int shr, shl;
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index efcb646f72..0baca176a0 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -2110,19 +2110,15 @@ static bool do_perm_pred3(DisasContext *s, arg_rrr_esz 
*a, bool high_odd,
 
 unsigned vsz = pred_full_reg_size(s);
 
-/* Predicate sizes may be smaller and cannot use simd_desc.
-   We cannot round up, as we do elsewhere, because we need
-   the exact size for ZIP2 and REV.  We retain the style for
-   the other helpers for consistency.  */
 TCGv_ptr t_d = tcg_temp_new_ptr();
 TCGv_ptr t_n = tcg_temp_new_ptr();
 TCGv_ptr t_m = tcg_temp_new_ptr();
 TCGv_i32 t_desc;
-int desc;
+uint32_t desc = 0;
 
-desc = vsz - 2;
-desc = deposit32(desc, SIMD_DATA_SHIFT, 2, a->esz);
-desc = deposit32(desc, SIMD_DATA_SHIFT + 2, 2, high_odd);
+desc = FIELD_DP32(desc, PREDDESC, OPRSZ, vsz);
+desc = FIELD_DP32(desc, PREDDESC, ESZ, a->esz);
+desc = FIELD_DP32(desc, PREDDESC, DATA, high_odd);
 
 tcg_gen_addi_ptr(t_d, cpu_env, pred_full_reg_offset(s, a->rd));
 tcg_gen_addi_ptr(t_n, cpu_env, pred_full_reg_offset(s, a->rn));
-- 
2.25.1




[PATCH v2 1/4] target/arm: Introduce PREDDESC field definitions

2021-01-12 Thread Richard Henderson
SVE predicate operations cannot use the "usual" simd_desc
encoding, because the lengths are not a multiple of 8.
But we were abusing the SIMD_* fields to store values anyway.
This abuse broke when SIMD_OPRSZ_BITS was modified in e2e7168a214.

Introduce a new set of field definitions for exclusive use
of predicates, so that it is obvious what kind of predicate
we are manipulating.  To be used in future patches.

Cc: qemu-sta...@nongnu.org
Signed-off-by: Richard Henderson 
---
 target/arm/internals.h | 9 +
 1 file changed, 9 insertions(+)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index 5460678756..73698587d6 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -1312,6 +1312,15 @@ void arm_log_exception(int idx);
 #define LOG2_TAG_GRANULE 4
 #define TAG_GRANULE  (1 << LOG2_TAG_GRANULE)
 
+/*
+ * SVE predicates are 1/8 the size of SVE vectors, and cannot use
+ * the same simd_desc() encoding due to restrictions on size.
+ * Use these instead.
+ */
+FIELD(PREDDESC, OPRSZ, 0, 6)
+FIELD(PREDDESC, ESZ, 6, 2)
+FIELD(PREDDESC, DATA, 8, 24)
+
 /*
  * The SVE simd_data field, for memory ops, contains either
  * rd (5 bits) or a shift count (2 bits).
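Review bot: The new comment above the PREDDESC fields does not say what unit OPRSZ is in or what DATA carries, and every helper converted in this series depends on both. Judging from the users, OPRSZ is the exact predicate size in bytes (sve_pfirst divides it by 8 to get 64-bit words) and DATA is the high-half / odd-element selector; ESZ is presumably the log2 element size. I would extend the comment with `OPRSZ: predicate size in bytes, exact (not rounded up); ESZ: element size; DATA: per-helper flag`. The comment block that follows the new lines continues outside the hunk.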
-- 
2.25.1




[PATCH v2 2/4] target/arm: Update PFIRST, PNEXT for pred_desc

2021-01-12 Thread Richard Henderson
These two were odd, in that do_pfirst_pnext passed the
count of 64-bit words rather than bytes.  Change to pass
the standard pred_full_reg_size to avoid confusion.

Cc: qemu-sta...@nongnu.org
Signed-off-by: Richard Henderson 
---
 target/arm/sve_helper.c| 7 ---
 target/arm/translate-sve.c | 6 +++---
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index 5f037c3a8f..ff01851bf2 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -889,8 +889,9 @@ static intptr_t last_active_element(uint64_t *g, intptr_t 
words, intptr_t esz)
 return (intptr_t)-1 << esz;
 }
 
-uint32_t HELPER(sve_pfirst)(void *vd, void *vg, uint32_t words)
+uint32_t HELPER(sve_pfirst)(void *vd, void *vg, uint32_t pred_desc)
 {
+intptr_t words = DIV_ROUND_UP(FIELD_EX32(pred_desc, PREDDESC, OPRSZ), 8);
 uint32_t flags = PREDTEST_INIT;
 uint64_t *d = vd, *g = vg;
 intptr_t i = 0;
@@ -914,8 +915,8 @@ uint32_t HELPER(sve_pfirst)(void *vd, void *vg, uint32_t 
words)
 
 uint32_t HELPER(sve_pnext)(void *vd, void *vg, uint32_t pred_desc)
 {
-intptr_t words = extract32(pred_desc, 0, SIMD_OPRSZ_BITS);
-intptr_t esz = extract32(pred_desc, SIMD_DATA_SHIFT, 2);
+intptr_t words = DIV_ROUND_UP(FIELD_EX32(pred_desc, PREDDESC, OPRSZ), 8);
+intptr_t esz = FIELD_EX32(pred_desc, PREDDESC, ESZ);
 uint32_t flags = PREDTEST_INIT;
 uint64_t *d = vd, *g = vg, esz_mask;
 intptr_t i, next;
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index 0c3a6d2121..efcb646f72 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -1494,10 +1494,10 @@ static bool do_pfirst_pnext(DisasContext *s, arg_rr_esz 
*a,
 TCGv_ptr t_pd = tcg_temp_new_ptr();
 TCGv_ptr t_pg = tcg_temp_new_ptr();
 TCGv_i32 t;
-unsigned desc;
+unsigned desc = 0;
 
-desc = DIV_ROUND_UP(pred_full_reg_size(s), 8);
-desc = deposit32(desc, SIMD_DATA_SHIFT, 2, a->esz);
+desc = FIELD_DP32(desc, PREDDESC, OPRSZ, pred_full_reg_size(s));
+desc = FIELD_DP32(desc, PREDDESC, ESZ, a->esz);
 
 tcg_gen_addi_ptr(t_pd, cpu_env, pred_full_reg_offset(s, a->rd));
 tcg_gen_addi_ptr(t_pg, cpu_env, pred_full_reg_offset(s, a->rn));
-- 
2.25.1




[PATCH v2 0/4] target/arm: Fix sve pred_desc decoding

2021-01-12 Thread Richard Henderson
There was an inconsistency between encoding, which uses
SIMD_DATA_SHIFT, and decoding which used SIMD_OPRSZ_BITS.
This happened to be ok, until e2e7168a214, which reduced
the size of SIMD_OPRSZ_BITS, which led to truncating all
predicate vector lengths.

Changes in v2:
  * Introduce and use PREDDESC field definitions, rather
than abusing a different SIMD_* macro.


r~


Richard Henderson (4):
  target/arm: Introduce PREDDESC field definitions
  target/arm: Update PFIRST, PNEXT for pred_desc
  target/arm: Update ZIP, UZP, TRN for pred_desc
  target/arm: Update REV, PUNPK for pred_desc

 target/arm/internals.h |  9 +
 target/arm/sve_helper.c| 33 +
 target/arm/translate-sve.c | 31 +++
 3 files changed, 37 insertions(+), 36 deletions(-)

-- 
2.25.1




[PATCH v3] hvf: guard xgetbv call.

2021-01-12 Thread Hill Ma
This prevents an illegal instruction fault on CPUs that do not support xgetbv.

Buglink: https://bugs.launchpad.net/qemu/+bug/1758819
Signed-off-by: Hill Ma 
---
v3: addressed feedback.
v2: xgetbv() modified based on feedback.

 target/i386/hvf/x86_cpuid.c | 34 ++
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/target/i386/hvf/x86_cpuid.c b/target/i386/hvf/x86_cpuid.c
index a6842912f5..32b0d131df 100644
--- a/target/i386/hvf/x86_cpuid.c
+++ b/target/i386/hvf/x86_cpuid.c
@@ -27,15 +27,22 @@
 #include "vmx.h"
 #include "sysemu/hvf.h"
 
-static uint64_t xgetbv(uint32_t xcr)
+static bool xgetbv(uint32_t cpuid_ecx, uint32_t idx, uint64_t *xcr)
 {
-uint32_t eax, edx;
+uint32_t xcrl, xcrh;
 
-__asm__ volatile ("xgetbv"
-  : "=a" (eax), "=d" (edx)
-  : "c" (xcr));
+if (cpuid_ecx & CPUID_EXT_OSXSAVE) {
+/*
+ * The xgetbv instruction is not available to older versions of
+ * the assembler, so we encode the instruction manually.
+ */
+asm(".byte 0x0f, 0x01, 0xd0" : "=a" (xcrl), "=d" (xcrh) : "c" (idx));
 
-return (((uint64_t)edx) << 32) | eax;
+*xcr = (((uint64_t)xcrh) << 32) | xcrl;
+return true;
+}
+
+return false;
 }
 
 uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t idx,
@@ -100,12 +107,15 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t 
idx,
 break;
 case 0xD:
 if (idx == 0) {
-uint64_t host_xcr0 = xgetbv(0);
-uint64_t supp_xcr0 = host_xcr0 & (XSTATE_FP_MASK | XSTATE_SSE_MASK 
|
-  XSTATE_YMM_MASK | XSTATE_BNDREGS_MASK |
-  XSTATE_BNDCSR_MASK | XSTATE_OPMASK_MASK |
-  XSTATE_ZMM_Hi256_MASK | 
XSTATE_Hi16_ZMM_MASK);
-eax &= supp_xcr0;
+uint64_t host_xcr0;
+if (xgetbv(ecx, 0, _xcr0)) {
+uint64_t supp_xcr0 = host_xcr0 & (XSTATE_FP_MASK |
+  XSTATE_SSE_MASK | XSTATE_YMM_MASK |
+  XSTATE_BNDREGS_MASK | XSTATE_BNDCSR_MASK |
+  XSTATE_OPMASK_MASK | XSTATE_ZMM_Hi256_MASK |
+  XSTATE_Hi16_ZMM_MASK);
+eax &= supp_xcr0;
+}
 } else if (idx == 1) {
 hv_vmx_read_capability(HV_VMX_CAP_PROCBASED2, );
 eax &= CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XGETBV1;
-- 
2.20.1 (Apple Git-117)




Re: [PATCH] hw/scsi/megasas: check for NULL frame in megasas_command_cancelled()

2021-01-12 Thread Alexander Bulekov
Looks like one reported by OSS-Fuzz:
Here's a reproducer

cat << EOF | ./qemu-system-i386 -qtest stdio -display none \
-machine q35,accel=qtest -m 512M  -nodefaults \
-device megasas -device scsi-cd,drive=null0 \
-blockdev driver=null-co,read-zeroes=on,node-name=null0 
outl 0xcf8 0x8801
outl 0xcfc 0x1500
outl 0xcf8 0x8817
outl 0xcfc 0x1e
write 0x40 0x1 0x01
write 0x47 0x1 0x03
write 0x50 0x1 0x12
write 0x55 0x1 0x10
write 0x6a 0x1 0x20
write 0x70 0x1 0x10
write 0x7b 0x1 0x10
write 0x7f 0x1 0x10
write 0x86 0x1 0x10
write 0x8b 0x1 0x10
outb 0x1e40 0x40
write 0x1a 0x1 0x0
write 0x6a000f 0x1 0x0
outb 0x1e40 0x0
outl 0x1e40 0x0
write 0x6f1 0x1 0x00
write 0x6f9 0x1 0x00
write 0x6fd 0x1 0x01
write 0x701 0x1 0x00
write 0x705 0x1 0x06
write 0x730 0x1 0x00
write 0x738 0x1 0x00
write 0x73c 0x1 0x01
write 0x740 0x1 0x00
write 0x744 0x1 0x06
write 0x75c 0x1 0x00
write 0x760 0x1 0x01
write 0x76f 0x1 0x00
write 0x770 0x1 0x20
write 0x77c 0x1 0x20
write 0x780 0x1 0x00
write 0x79b 0x1 0x00
write 0x79f 0x1 0x01
write 0x7ae 0x1 0x00
write 0x7af 0x1 0x20
write 0x7bb 0x1 0x20
write 0x7bf 0x1 0x00
write 0x7cf 0x1 0x10
write 0x7db 0x1 0x00
write 0x7df 0x1 0x20
write 0x7ee 0x1 0x20
write 0x7ef 0x1 0x06
write 0x7fb 0x1 0x10
write 0x7ff 0x1 0x00
outb 0x1e40 0x0
outl 0x1e1f 0x4200
EOF

-Alex

On 201224 1854, Mauro Matteo Cascella wrote:
> Ensure that 'cmd->frame' is not NULL before accessing the 'header' field.
> This check prevents a potential NULL pointer dereference issue.
> 
> RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1910346
> Signed-off-by: Mauro Matteo Cascella 
> Reported-by: Cheolwoo Myung 
> ---
>  hw/scsi/megasas.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
> index 1a5fc5857d..77510e120c 100644
> --- a/hw/scsi/megasas.c
> +++ b/hw/scsi/megasas.c
> @@ -1893,7 +1893,7 @@ static void megasas_command_cancelled(SCSIRequest *req)
>  {
>  MegasasCmd *cmd = req->hba_private;
>  
> -if (!cmd) {
> +if (!cmd || !cmd->frame) {
>  return;
>  }
>  cmd->frame->header.cmd_status = MFI_STAT_SCSI_IO_FAILED;
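Review bot: The added `!cmd->frame` test makes megasas_command_cancelled() return without completing the command, which removes the NULL dereference but does not explain how a request that still has `hba_private` set can have lost its frame. If the frame was unmapped while the SCSIRequest was still outstanding, the underlying problem is the command's lifetime, and the early return may leave the request or the MegasasCmd slot in an inconsistent state. That should be ruled out or stated in a comment, for example `/* frame already unmapped: command was aborted, nothing left to report to the guest */`. The rest of the function is outside the hunk, so whether completion still has to run in this case cannot be judged from here.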
> -- 
> 2.29.2
> 
> 



Re: [PATCH v2] configure: MinGW respect --bindir argument

2021-01-12 Thread Thomas Huth

On 12/01/2021 22.02, Joshua Watt wrote:

There are two cases that need to be accounted for when compiling QEMU
for MinGW32:
  1) A standalone distribution, where QEMU is self contained and
 extracted by the user, such as a user would download from the QEMU
 website. In this case, all the QEMU executable files should be
 rooted in $prefix to ensure they can be easily found by the user
  2) QEMU integrated into a distribution image/sysroot/SDK and
 distributed with other programs. In this case, the provided
     arguments for bindir/datadir/etc. should be respected as they are for a
     Linux build.

Restructures the MinGW path configuration so that all of the paths
except bindir use the same rules as when building for other platforms.
This satisfies #2 and #1 since these files do not need to be directly in
$prefix anyway.

The handling for --bindir is changed so that it defaults to $prefix on
MinGW (maintaining the compatibility with #1), but if the user specifies
a specific path when configuring it can also satisfy #2.

Signed-off-by: Joshua Watt 
---
  configure | 17 ++---
  1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/configure b/configure
index 5860bdb77b..092e2926bc 100755
--- a/configure
+++ b/configure
@@ -1571,20 +1571,15 @@ libexecdir="${libexecdir:-$prefix/libexec}"
  includedir="${includedir:-$prefix/include}"
  
  if test "$mingw32" = "yes" ; then

-mandir="$prefix"
-datadir="$prefix"
-docdir="$prefix"
-bindir="$prefix"
-sysconfdir="$prefix"
-local_statedir="$prefix"
+bindir="${bindir:-$prefix}"
  else
-mandir="${mandir:-$prefix/share/man}"
-datadir="${datadir:-$prefix/share}"
-docdir="${docdir:-$prefix/share/doc}"
  bindir="${bindir:-$prefix/bin}"
-sysconfdir="${sysconfdir:-$prefix/etc}"
-local_statedir="${local_statedir:-$prefix/var}"
  fi
+mandir="${mandir:-$prefix/share/man}"
+datadir="${datadir:-$prefix/share}"
+docdir="${docdir:-$prefix/share/doc}"
+sysconfdir="${sysconfdir:-$prefix/etc}"
+local_statedir="${local_statedir:-$prefix/var}"
  firmwarepath="${firmwarepath:-$datadir/qemu-firmware}"
  localedir="${localedir:-$datadir/locale}"
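Review bot: Nothing in the new MinGW branch says why `bindir` is the only directory that keeps a platform-specific default, while `mandir`, `datadir`, `docdir`, `sysconfdir` and `local_statedir` silently move from `$prefix` to the common `$prefix/share`, `$prefix/etc`, … layout. `firmwarepath` is derived from `$datadir` at the end of the hunk, so the default firmware search location on Windows changes with it. A comment above `bindir="${bindir:-$prefix}"` would record the intent, e.g. `# standalone Windows builds keep executables directly in $prefix; every other dir uses the common defaults below`.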


Yes, I think this makes most sense, thanks for the update!

Reviewed-by: Thomas Huth 




Re: [PATCH 1/3] tests/acceptance: Move the pseries test to a separate file

2021-01-12 Thread Thomas Huth

On 12/01/2021 19.50, Wainer dos Santos Moschetta wrote:

Hi,

On 1/12/21 1:40 PM, Thomas Huth wrote:

Let's gather the POWER-related tests in a separate file.



Did you consider having others ppc/ppc64 boot tests together too?

Some candidates:

tests/acceptance/boot_linux.py:BootLinuxPPC64.test_pseries_tcg
tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_ppc64_e500
tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_ppc_g3beige
tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_ppc_mac99


The e500, g3beige and mac99 tests are depending on the do_test_advcal_2018() 
function in that file, so I think they should rather stay there.


tests/acceptance/ppc_prep_40p.py:IbmPrep40pMachine.test_factory_firmware_and_netbsd 
tests/acceptance/ppc_prep_40p.py:IbmPrep40pMachine.test_openbios_192m

tests/acceptance/ppc_prep_40p.py:IbmPrep40pMachine.test_openbios_and_netbsd


That's a good point, I did not notice that file when writing my patches. 
Philippe, since you've created this ppc_prep_40p.py file, what do you think, 
should it be merged with the other ppc tests, or shall we rather keep this 
separate?


 Thomas




[Bug 1791796] Re: unimplemented thread syscalls in nios2 user-mode emulation

2021-01-12 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1791796

Title:
  unimplemented thread syscalls in nios2 user-mode emulation

Status in QEMU:
  Expired

Bug description:
  This bug is reported against the 3.0 release.

  I noticed that the GCC test gcc.dg/torture/tls/tls-test.c is failing
  when run in user-mode qemu for nios2 target.  The problem appears to
  be that the thread-related syscalls are unimplemented in qemu.  Here
  is output from running with -strace:

  22484 brk(NULL) = 0x5000
  22484 uname(0x7fffef5a) = 0
  22484 faccessat(AT_FDCWD,"/etc/ld.so.preload",R_OK,0x5) = -1 errno=2 (No such 
file or directory)
  22484 
openat(AT_FDCWD,"/scratch/sandra/nios2-linux-trunk3/obj/test-2018.11-99-nios2-linux-gnu/host-x86_64-linux-gnu/sourceryg++-2018.11/nios2-linux-gnu/libc/./lib/./tls/libm.so.6",O_RDONLY|O_LARGEFILE|O_CLOEXEC)
 = -1 errno=2 (No such file or directory)
  22484 
fstatat64(AT_FDCWD,"/scratch/sandra/nios2-linux-trunk3/obj/test-2018.11-99-nios2-linux-gnu/host-x86_64-linux-gnu/sourceryg++-2018.11/nios2-linux-gnu/libc/./lib/./tls",0x7fffe870,0)
 = -1 errno=2 (No such file or directory)
  22484 
openat(AT_FDCWD,"/scratch/sandra/nios2-linux-trunk3/obj/test-2018.11-99-nios2-linux-gnu/host-x86_64-linux-gnu/sourceryg++-2018.11/nios2-linux-gnu/libc/./lib/./libm.so.6",O_RDONLY|O_LARGEFILE|O_CLOEXEC)
 = 3
  22484 read(3,0x7fffe954,512) = 512
  22484 fstat64(3,0x7fffe870) = 0
  22484 mmap2(NULL,803596,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 
0x7f716000
  22484 
mmap2(0x7f7d8000,12288,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_DENYWRITE|MAP_FIXED,3,0xc1)
 = 0x7f7d8000
  22484 close(3) = 0
  22484 
openat(AT_FDCWD,"/scratch/sandra/nios2-linux-trunk3/obj/test-2018.11-99-nios2-linux-gnu/host-x86_64-linux-gnu/sourceryg++-2018.11/nios2-linux-gnu/libc/./lib/./libpthread.so.0",O_RDONLY|O_LARGEFILE|O_CLOEXEC)
 = 3
  22484 read(3,0x7fffe948,512) = 512
  22484 mmap2(NULL,8192,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 
0x7f714000
  22484 fstat64(3,0x7fffe864) = 0
  22484 mmap2(NULL,120700,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 
0x7f6f6000
  22484 mprotect(0x7f70e000,4096,PROT_NONE) = 0
  22484 
mmap2(0x7f70f000,12288,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_DENYWRITE|MAP_FIXED,3,0x18)
 = 0x7f70f000
  22484 
mmap2(0x7f712000,6012,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED,-1,0)
 = 0x7f712000
  22484 close(3) = 0
  22484 
openat(AT_FDCWD,"/scratch/sandra/nios2-linux-trunk3/obj/test-2018.11-99-nios2-linux-gnu/host-x86_64-linux-gnu/sourceryg++-2018.11/nios2-linux-gnu/libc/./lib/./libc.so.6",O_RDONLY|O_LARGEFILE|O_CLOEXEC)
 = 3
  22484 read(3,0x7fffe93c,512) = 512
  22484 fstat64(3,0x7fffe858) = 0
  22484 mmap2(NULL,1491048,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 
0x7f589000
  22484 
mmap2(0x7f6de000,86016,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_DENYWRITE|MAP_FIXED,3,0x154)
 = 0x7f6de000
  22484 
mmap2(0x7f6f3000,8296,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED,-1,0)
 = 0x7f6f3000
  22484 close(3) = 0
  22484 mprotect(0x7f6de000,65536,PROT_READ) = 0
  22484 mprotect(0x7f70f000,8192,PROT_READ) = 0
  22484 mprotect(0x7f7d8000,4096,PROT_READ) = 0
  22484 mprotect(0x3000,4096,PROT_READ) = 0
  22484 mprotect(0x7f7fc000,4096,PROT_READ) = 0
  22484 set_tid_address(2138131700,2147480980,2147480988,2147480988,87148,47) = 
22484
  22484 set_robust_list(2138131708,12,2147480988,0,87148,47) = -1 errno=38 
(Function not implemented)
  22484 rt_sigaction(32,0x736c,NULL) = 0
  22484 rt_sigaction(33,0x736c,NULL) = -1 errno=22 (Invalid argument)
  22484 rt_sigprocmask(SIG_UNBLOCK,0x74a8,NULL) = 0
  22484 getrlimit(3,2147480732,3,0,62512,47) = 0
  22484 mmap2(NULL,8392704,PROT_NONE,MAP_PRIVATE|MAP_ANONYMOUS|0x2,-1,0) = 
0x7ed88000
  22484 mprotect(0x7ed89000,8388608,PROT_READ|PROT_WRITE) = 0
  22484 brk(NULL) = 0x5000
  22484 brk(0x00026000) = 0x00026000
  22484 
clone(CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,child_stack=0x7f588018,parent_tidptr=0x7f5884fc,tls=0x7f58f928,child_tidptr=0x7f5884fc)
 = 22503
  22484 io_setup(4001536,2136506392,2136507644,2136507644,2136537384,4100) = -1 
errno=38 (Function not implemented)
  22484 futex(0x7f5884fc,FUTEX_WAIT,22503,NULL,NULL,0)22484 
set_robust_list(2136507652,12,0,4100,2136508076,4100) = -1 errno=38 (Function 
not implemented)
  22484 madvise(2128117760,8372224,4,2136507672,528660,4100) = 0
  22484 exit(0)
   = 0
  22484 fstat64(1,0x7fffef48) = 0
  22484 write(1,0x51e8,42)FAIL: a= 10, thr_a = 10 Addr = 0x7f715120
   = 42
  22484 exit_group(1)
  sandra@build2-trusty-cs:/scratch/sandra/nios2-linux-trunk3$ 
  22484 

[Bug 1787070] Re: Guests using the qxl-vga are freezing

2021-01-12 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1787070

Title:
  Guests using the qxl-vga are freezing

Status in QEMU:
  Expired

Bug description:
  I have noticed that guests using qxl-vga are freezing. They may freeze
  after a few minutes or after many hours. The freeze consists of the
  entire system hanging, except the cursor, but the cursor animation
  stops too. Changing to tty is not possible after this. There are three
  things noticed in common on the guests when they freeze:

  -The guest is using the QXL VGA (freezes weren't observed with other VGAs);
  -A new workload is starting;
  -The mouse cursor is the animated "loading" cursor. For example, 
https://i.imgur.com/raQFteG.png
   
  The host is Xubuntu 18.04 amd64, QEMU version is 3.0.0-dirty. The guests 
tested were:

  -openSUSE Tumbleweed;
  -openSUSE Leap 15;
  -Xubuntu 18.04 Bionic Beaver;
  -CentOS 7.

  With openSUSE guests, the install process couldn't even be finished,
  as the installer would freeze. There were 2 GB of available memory
  (checked in a tty before the freeze) and netconsole was enabled.
  Unfortunately, it was impossible to obtain any information from them.
  This is an image of one openSUSE guest frozen:
  https://i.imgur.com/ZP0eQKq.png

  The command line used was:

  qemu-system-x86_64 -nodefaults -m 3072 -M pc,usb=true -accel kvm -cpu
  host -smp cores=2,threads=2 -device qemu-xhci -drive
  id=centusb,if=none,file=leap.qcow2 -device usb-
  storage,id=centusb,drive=centusb -netdev user,id=n0 -device usb-
  tablet,id=usbtablet -device e1000,netdev=n0 -device usb-
  audio,id=usbaudio -device qxl-vga,xres=1366,yres=768 -display gtk
  -monitor vc -serial vc  -cdrom "openSUSE-Leap-15.0-DVD-x86_64.iso"
  -boot d

  With CentOS guests, the install process fails sometimes, but sometimes
  it's able to install. However, on the yum update, it would freeze too.
  In one instance it froze while updating glibc, which made the guest
  unbootable. https://i.imgur.com/B3WhSDX.png

  The command line used was:

  qemu-system-x86_64 -nodefaults -m 2048 -M pc,usb=true -accel kvm -cpu
  host -smp cores=2,threads=2 -device qemu-xhci -drive
  id=centusb,if=none,file=centos.qcow2 -device usb-
  storage,id=centusb,drive=centusb -netdev user,id=n0 -device usb-
  tablet,id=usbtablet -device e1000,netdev=n0 -device usb-
  audio,id=usbaudio -device virtio-vga,virgl=true -display gtk -monitor
  vc -serial vc -cdrom "CentOS-7-livecd-GNOME-x86_64.iso" -bios
  /usr/share/ovmf/OVMF.fd

  With Xubuntu 18.04 guests, the system worked for many hours until the
  freeze happened. On this case it happened when opening Audacious.
  Fortunately, the logging services worked for some time, which allowed
  me to get a relevant message which can be seen at
  http://termbin.com/nuof . It repeated a few times, but then the
  logging stopped. https://i.imgur.com/2zckqj5.png shows the guest
  screen in the moment it froze.

  The command line used was:

  qemu-system-x86_64 -nodefaults -m 1024 -M pc,usb=true -accel kvm -cpu
  host -smp cores=2,threads=2 -device qemu-xhci -drive
  id=centusb,if=none,file=xubmini -device usb-
  storage,id=centusb,drive=centusb -netdev user,id=n0 -device usb-
  tablet,id=usbtablet -device e1000,netdev=n0 -device usb-
  audio,id=usbaudio -device qxl-vga,xres=1366,yres=768 -display gtk
  -monitor vc -serial vc

  I'm sorry for not having more detailed information but, even setting
  netconsole, openSUSE and CentOS guests were unable to print any
  information.




[Bug 1759337] Re: 'Failed to get "write" lock' error when trying to run a VM with disk image file on an SMB share

2021-01-12 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1759337

Title:
  'Failed to get "write" lock' error when trying to run a VM with disk
  image file on an SMB share

Status in QEMU:
  Expired

Bug description:
  This has been reported and discussed downstream:

  https://bugzilla.redhat.com/show_bug.cgi?id=1484130

  but doesn't seem to be getting a lot of traction there.

  Basically, with qemu since at least 2.10, you cannot use a disk image
  on an SMB share that's mounted with protocol version 3 (I think
  possibly 2 or higher). This is made much more serious because kernel
  4.13 upstream made version 3 the *default* for SMB mounts, because
  version 1 is insecure and should not be used.

  So basically, anyone with a recent qemu and kernel cannot use disk
  images stored on an SMB share. This is a major inconvenience for me
  because, well, an SMB share is exactly where I store my VM disk
  images, usually: I have a big NAS drive where I keep them all, only
  now I can't because of this bug, and I'm manually swapping them in and
  out of the very limited space I have on my system drive (SSD).

  The error you get is:

  qemu-system-x86_64: -drive 
file=/share/data/isos/vms/desktop_test_1.qcow2,format=qcow2,if=none,id=drive-virtio-disk0:
 Failed to get "write" lock
  Is another process using the image?




[Bug 1788701] Re: "Zoom to fit" doesn't work with -display gtk -vga virtio

2021-01-12 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1788701

Title:
  "Zoom to fit" doesn't work  with -display gtk -vga virtio

Status in QEMU:
  Expired

Bug description:
  qemu version: 2.12.1, 3.0.0

  When using -display gtk for all -vga options (std,qxl,vmware,cirrus)
  the option "Zoom To Fit" is unchecked by default and thus auto-
  resizing of the window works well; except for -vga virtio: here "Zoom
  To Fit" is checked and auto-resizing doesn't work.

  Proposal: make "Zoom To Fit" unchecked by default for virtio as well
  Extended proposal: make GTK window options configurable via parameters




[Bug 1787002] Re: disas/i386.c compile error

2021-01-12 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1787002

Title:
  disas/i386.c compile error

Status in QEMU:
  Expired

Bug description:
  QEMU Version: 2.12.1, 3.0.0-rc4
  Compiling with GCC 8.2.0
  System: Plop Linux, 32 bit 

  Error:
CC  disas/i386.o
  /tmp/ccK8tHRs.s: Assembler messages:
  /tmp/ccK8tHRs.s:53353: Error: can't resolve `L0' {*ABS* section} - `obuf' 
{.bss section}

  
  The problematic line is in 'disas/i386.c' in the function 'INVLPG_Fixup (int 
bytemode, int sizeflag)':
  strcpy (obuf + strlen (obuf) - 6, alt);

  If I comment out this line, then compiling works without problems.

  
  The error comes only on 32 bit. On 64 bit, compiling works without problems.




[Bug 1788275] Re: -cpu ...,+topoext works only with EPYC CPU model

2021-01-12 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1788275

Title:
  -cpu ...,+topoext works only with EPYC CPU model

Status in QEMU:
  Expired

Bug description:
  See bug report at:
  https://bugzilla.redhat.com/show_bug.cgi?id=1615682

  Probably this is caused by the inconsistent legacy cache information
  on all CPU models except EPYC.

  -
  Description of problem:
  Guest should get 2 threads per core and all of them should be on-line when 
booting guest with old amd cpu model + smt

  Steps to Reproduce:
  1.Boot rhel7.6 guest with cli:
  /usr/libexec/qemu-kvm -name rhel7.6 -m 16G -machine pc,accel=kvm \
  -S \
  -cpu Opteron_G3,+topoext,xlevel=0x801e,enforce \
  -smp 2,threads=2 \
  -monitor stdio \
  -qmp unix:/tmp/qmp2,server,nowait \
  -device VGA \
  -vnc :0 \
  -serial unix:/tmp/console2,server,nowait \
  -uuid 115e11b2-a869-41b5-91cd-6a32a907be7f \
  -drive 
file=rhel7.6-20180812.qcow2,if=none,id=drive-scsi-disk0,format=qcow2,cache=none,werror=stop,rerror=stop
 -device ide-hd,drive=drive-scsi-disk0,id=scsi-disk0 \
  -netdev tap,id=idinWyYY,vhost=on -device 
virtio-net-pci,mac=2e:39:fa:ff:88:a1,id=idlbq7eA,netdev=idinWyYY \

  2.check cpu info inside guest
  3.

  Actual results:
  Guest gets one online cpu, one offline cpu and one thread per core:
  # lscpu
  lscpu
  Architecture:  x86_64
  CPU op-mode(s):32-bit, 64-bit
  Byte Order:Little Endian
  CPU(s):2
  On-line CPU(s) list:   0
  Off-line CPU(s) list:  1
  Thread(s) per core:1
  Core(s) per socket:1
  Socket(s): 1
  NUMA node(s):  1
  Vendor ID: AuthenticAMD
  CPU family:16
  Model: 2
  Model name:AMD Opteron 23xx (Gen 3 Class Opteron)
  Stepping:  3
  CPU MHz:   2096.060
  BogoMIPS:  4192.12
  Hypervisor vendor: KVM
  Virtualization type:   full
  L1d cache: 64K
  L1i cache: 64K
  L2 cache:  512K
  L3 cache:  16384K
  NUMA node0 CPU(s): 0
  Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge 
mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm art rep_good nopl 
extd_apicid pni cx16 x2apic popcnt hypervisor lahf_lm cmp_legacy abm sse4a 
misalignsse topoext retpoline_amd ibp_disable vmmcall

  
  Expected results:
  Guest should get 2 threads per core and all of them should be on-line

  -




[Bug 1800401] Re: efifb on Linux guest fails to load when using VGA passthrough

2021-01-12 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1800401

Title:
  efifb on Linux guest fails to load when using VGA passthrough

Status in QEMU:
  Expired

Bug description:
  The EFI framebuffer fails to load when booting a Gentoo guest using
  ovmf + vga_passthrough.  I retested using the system rescue CD and
  saw the same issue, but also noticed that when a second framebuffer
  loads, nouveaufb in my case, the terminal appears.  I have also
  verified that the Gentoo min CD is not hanging at boot as I can type
  'poweroff' after waiting a few minutes and the system responds by
  powering off.  I am unable to reproduce with seabios as I have been
  unable to get vga passthrough to work with that BIOS.

  Steps to Reproduce:
  1. Install qemu and ovmf
  2. Download systemrescuecd-x86-5.3.1.iso
  3. Run qemu using one of the configurations below
  4. Select first boot option in GRUB menu
  5. Wait 30 seconds
  6. Press enter # System rescue is prompting for the keymap between steps 
5 and 6
  7. Wait 2 minutes
  8. Observe fb console
  9. Note lack of output until very late in boot process
 10. Check dmesg
 11. Note efifb failed to load (invalid address)
 12. Note nouveaufb started late in boot process 

  Expected Results:
 The EFI FB to load and display output to monitor.  This is the behavior I 
see when booting the host system via UEFI.

  Actual Results:
 The EFI FB fails to load and display output.  System fails to display any 
output until nouveaufb loads.  When booting using the Gentoo minCD, this makes 
the system largely unusable.

  Additional information:

  Tested using Gentoo's app-emulation/qemu-3.0.0 version.  Bug report:
  https://bugs.gentoo.org/669880

  I also tested qemu at git commit
  179f9ac887973c818b2578bd79fa3ed2522657d4.  Configuration log for the
  build will be attached.




[Bug 1800088] Re: Assertion fail while usb camera redirect

2021-01-12 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1800088

Title:
  Assertion fail while usb camera redirect

Status in QEMU:
  Expired

Bug description:
  This may happen during usb camera redirect. But if i move the camera
  lens from left to right or up to down, this always happen. My qemu-
  version is 2.10.0 and following is the error information:

  2018-10-26T03:37:54.925231Z qemu-kvm: usbredirparser: error unexpected extra 
data ep 00
  qemu-kvm: hw/usb/redirect.c:1313: usbredir_chardev_read: Assertion 
`dev->read_buf == ((void *)0)' failed.
  2018-10-26 03:37:57.120+: shutting down, reason=crashed




Re: [PATCH v6 02/13] confidential guest support: Introduce new confidential guest support class

2021-01-12 Thread David Gibson
On Tue, Jan 12, 2021 at 09:46:17AM +, Daniel P. Berrangé wrote:
> On Tue, Jan 12, 2021 at 03:44:57PM +1100, David Gibson wrote:
> > Several architectures have mechanisms which are designed to protect guest
> > memory from interference or eavesdropping by a compromised hypervisor.  AMD
> > SEV does this with in-chip memory encryption and Intel's MKTME can do
> > similar things.  POWER's Protected Execution Framework (PEF) accomplishes a
> > similar goal using an ultravisor and new memory protection features,
> > instead of encryption.
> > 
> > To (partially) unify handling for these, this introduces a new
> > ConfidentialGuestSupport QOM base class.  "Confidential" is kind of vague,
> > but "confidential computing" seems to be the buzzword about these schemes,
> > and "secure" or "protected" are often used in connection to unrelated
> > things (such as hypervisor-from-guest or guest-from-guest security).
> > 
> > The "support" in the name is significant because in at least some of the
> > cases it requires the guest to take specific actions in order to protect
> > itself from hypervisor eavesdropping.
> > 
> > Signed-off-by: David Gibson 
> > ---
> >  backends/confidential-guest-support.c | 30 +++
> >  backends/meson.build  |  1 +
> >  include/exec/confidential-guest-support.h | 46 +++
> >  include/qemu/typedefs.h   |  1 +
> >  target/i386/sev.c |  3 +-
> >  5 files changed, 80 insertions(+), 1 deletion(-)
> >  create mode 100644 backends/confidential-guest-support.c
> >  create mode 100644 include/exec/confidential-guest-support.h
> > 
> > diff --git a/backends/confidential-guest-support.c 
> > b/backends/confidential-guest-support.c
> > new file mode 100644
> > index 00..2c7793c74f
> > --- /dev/null
> > +++ b/backends/confidential-guest-support.c
> > @@ -0,0 +1,30 @@
> > +/*
> > + * QEMU Confidential Guest support
> > + *
> > + * Copyright: David Gibson, Red Hat Inc. 2020
> > + *
> > + * Authors:
> > + *  David Gibson 
> > + *
> > + * This work is licensed under the terms of the GNU GPL, version 2 or
> > + * later.  See the COPYING file in the top-level directory.
> > + *
> > + */
> > +
> > +#include "qemu/osdep.h"
> > +
> > +#include "exec/confidential-guest-support.h"
> > +
> > +static const TypeInfo confidential_guest_support_info = {
> > +.parent = TYPE_OBJECT,
> > +.name = TYPE_CONFIDENTIAL_GUEST_SUPPORT,
> > +.class_size = sizeof(ConfidentialGuestSupportClass),
> > +.instance_size = sizeof(ConfidentialGuestSupport),
> > +};
> > +
> > +static void confidential_guest_support_register_types(void)
> > +{
> > +type_register_static(_guest_support_info);
> > +}
> > +
> > +type_init(confidential_guest_support_register_types)
> 
> This should all be replaced by OBJECT_DEFINE_TYPE

Ah, didn't know about that one.  I also appear to be the first user...

> > diff --git a/backends/meson.build b/backends/meson.build
> > index 484456ece7..d4221831fc 100644
> > --- a/backends/meson.build
> > +++ b/backends/meson.build
> > @@ -6,6 +6,7 @@ softmmu_ss.add([files(
> >'rng-builtin.c',
> >'rng-egd.c',
> >'rng.c',
> > +  'confidential-guest-support.c',
> >  ), numa])
> >  
> >  softmmu_ss.add(when: 'CONFIG_POSIX', if_true: files('rng-random.c'))
> > diff --git a/include/exec/confidential-guest-support.h 
> > b/include/exec/confidential-guest-support.h
> > new file mode 100644
> > index 00..f9cf170802
> > --- /dev/null
> > +++ b/include/exec/confidential-guest-support.h
> > @@ -0,0 +1,46 @@
> > +/*
> > + * QEMU Confidential Guest support
> > + *   This interface describes the common pieces between various
> > + *   schemes for protecting guest memory or other state against a
> > + *   compromised hypervisor.  This includes memory encryption (AMD's
> > + *   SEV and Intel's MKTME) or special protection modes (PEF on POWER,
> > + *   or PV on s390x).
> > + *
> > + * Copyright: David Gibson, Red Hat Inc. 2020
> > + *
> > + * Authors:
> > + *  David Gibson 
> > + *
> > + * This work is licensed under the terms of the GNU GPL, version 2 or
> > + * later.  See the COPYING file in the top-level directory.
> > + *
> > + */
> > +#ifndef QEMU_CONFIDENTIAL_GUEST_SUPPORT_H
> > +#define QEMU_CONFIDENTIAL_GUEST_SUPPORT_H
> > +
> > +#ifndef CONFIG_USER_ONLY
> > +
> > +#include "qom/object.h"
> > +
> > +#define TYPE_CONFIDENTIAL_GUEST_SUPPORT "confidential-guest-support"
> > +#define CONFIDENTIAL_GUEST_SUPPORT(obj)
> > \
> > +OBJECT_CHECK(ConfidentialGuestSupport, (obj),  
> > \
> > + TYPE_CONFIDENTIAL_GUEST_SUPPORT)
> > +#define CONFIDENTIAL_GUEST_SUPPORT_CLASS(klass)
> > \
> > +OBJECT_CLASS_CHECK(ConfidentialGuestSupportClass, (klass), 
> > \
> > +   TYPE_CONFIDENTIAL_GUEST_SUPPORT)
> > +#define CONFIDENTIAL_GUEST_SUPPORT_GET_CLASS(obj)  

[PATCH v3] tcg: Fix execution on Apple Silicon

2021-01-12 Thread Roman Bolshakov
Pages can't be both write and executable at the same time on Apple
Silicon. macOS provides public API to switch write protection [1] for
JIT applications, like TCG.

1. 
https://developer.apple.com/documentation/apple_silicon/porting_just-in-time_compilers_to_apple_silicon

Signed-off-by: Roman Bolshakov 
---
v2: https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg00146.html
Changes since v2:
 - Wrapped pthread_jit_write_protect_np() with __builtin_available() [1]
   to allow build with modern SDK while targeting older macOS (Joelle)
 - Dropped redundant calls to pthread_jit_write_protect_supported_np()
   (Alex)

v1: https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg00073.html
Changes since v1:

 - Pruned not needed fiddling with W^X and dropped symmetry from write
   lock/unlock and renamed related functions.
   Similar approach is used in JavaScriptCore [2].

 - Moved jit helper functions to util/osdep

   As outlined in osdep.h, this matches (2):
   * In an ideal world this header would contain only:
   *  (1) things which everybody needs
   *  (2) things without which code would work on most platforms but
   *  fail to compile or misbehave on a minority of host OSes

 - Fixed a checkpatch error

 - Limit new behaviour only to macOS 11.0 and above, because of the
   following declarations:

   __API_AVAILABLE(macos(11.0))
   __API_UNAVAILABLE(ios, tvos, watchos)
   void pthread_jit_write_protect_np(int enabled);

   __API_AVAILABLE(macos(11.0))
   __API_UNAVAILABLE(ios, tvos, watchos)
   int pthread_jit_write_protect_supported_np(void);

 1. https://developer.apple.com/videos/play/wwdc2017/411/
 2. https://bugs.webkit.org/attachment.cgi?id=402515=prettypatch

 accel/tcg/cpu-exec.c  |  2 ++
 accel/tcg/translate-all.c |  9 +
 include/qemu/osdep.h  |  7 +++
 tcg/tcg.c |  1 +
 util/osdep.c  | 20 
 5 files changed, 39 insertions(+)

diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index e0df9b6a1d..014810bf0a 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -185,6 +185,7 @@ cpu_tb_exec(CPUState *cpu, TranslationBlock *itb, int 
*tb_exit)
 }
 #endif /* DEBUG_DISAS */
 
+qemu_thread_jit_execute();
 ret = tcg_qemu_tb_exec(env, tb_ptr);
 cpu->can_do_io = 1;
 /*
@@ -405,6 +406,7 @@ static inline void tb_add_jump(TranslationBlock *tb, int n,
 {
 uintptr_t old;
 
+qemu_thread_jit_write();
 assert(n < ARRAY_SIZE(tb->jmp_list_next));
 qemu_spin_lock(_next->jmp_lock);
 
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index e9de6ff9dd..f5f4c7cc17 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -1083,6 +1083,12 @@ static bool alloc_code_gen_buffer_anon(size_t size, int 
prot,
 {
 void *buf;
 
+#if defined(MAC_OS_VERSION_11_0) && \
+MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_VERSION_11_0
+if (__builtin_available(macOS 11.0, *)) {
+flags |= MAP_JIT;
+}
+#endif
 buf = mmap(NULL, size, prot, flags, -1, 0);
 if (buf == MAP_FAILED) {
 error_setg_errno(errp, errno,
@@ -1669,7 +1675,9 @@ static void do_tb_phys_invalidate(TranslationBlock *tb, 
bool rm_from_page_list)
 
 static void tb_phys_invalidate__locked(TranslationBlock *tb)
 {
+qemu_thread_jit_write();
 do_tb_phys_invalidate(tb, true);
+qemu_thread_jit_execute();
 }
 
 /* invalidate one TB
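Review bot: `tb_phys_invalidate__locked()` ends by forcing the thread back to execute mode with `qemu_thread_jit_execute()`, whatever mode the caller was in. The other sites touched by this patch (tb_add_jump, tb_gen_code, tcg_prologue_init) only switch to write and leave the flip back to cpu_tb_exec(), so this is the one place where a caller still emitting code would lose write access to the JIT region on return. I cannot tell from the hunk whether such a caller exists. Either drop the trailing call so every site follows the same one-way convention, or state the invariant in a comment, e.g. `/* callers never hold the code buffer writable across this call */`.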
@@ -1871,6 +1879,7 @@ TranslationBlock *tb_gen_code(CPUState *cpu,
 #endif
 
 assert_memory_lock();
+qemu_thread_jit_write();
 
 phys_pc = get_page_addr_code(env, pc);
 
diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
index f9ec8c84e9..929e970b0e 100644
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@@ -123,6 +123,10 @@ extern int daemon(int, int);
 #include "sysemu/os-posix.h"
 #endif
 
+#ifdef __APPLE__
+#include 
+#endif
+
 #include "glib-compat.h"
 #include "qemu/typedefs.h"
 
@@ -686,4 +690,7 @@ char *qemu_get_host_name(Error **errp);
  */
 size_t qemu_get_host_physmem(void);
 
+void qemu_thread_jit_write(void);
+void qemu_thread_jit_execute(void);
+
 #endif
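Review bot: The prototypes `qemu_thread_jit_write()` and `qemu_thread_jit_execute()` are added with no comment, although the declaration directly above them ends a doc block. These calls toggle the W^X state of the code buffer, and the underlying pthread_jit_write_protect_np() acts on the calling thread only. The header should therefore say that each call changes only the current thread's view of the MAP_JIT mapping, and that execute mode must be restored before translated code runs. What the functions do on hosts other than macOS 11+ is defined in util/osdep.c, which is cut off in this message, so that part of the comment needs confirming against the full definition.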
diff --git a/tcg/tcg.c b/tcg/tcg.c
index 472bf1755b..16b044eae7 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -1112,6 +1112,7 @@ void tcg_prologue_init(TCGContext *s)
 s->pool_labels = NULL;
 #endif
 
+qemu_thread_jit_write();
 /* Generate the prologue.  */
 tcg_target_qemu_prologue(s);
 
diff --git a/util/osdep.c b/util/osdep.c
index 66d01b9160..e211939a0c 100644
--- a/util/osdep.c
+++ b/util/osdep.c
@@ -606,3 +606,23 @@ writev(int fd, const struct iovec *iov, int iov_cnt)
 return readv_writev(fd, iov, iov_cnt, true);
 }
 #endif
+
+#if defined(MAC_OS_VERSION_11_0) && \
+MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_VERSION_11_0
+void qemu_thread_jit_execute(void)
+{
+if (__builtin_available(macOS 11.0, 

Re: [RFC PATCH v6 00/11] hw/ssi: imx_spi: Fix various bugs in the imx_spi model

2021-01-12 Thread Bin Meng
Hi Philippe,

On Wed, Jan 13, 2021 at 2:35 AM Philippe Mathieu-Daudé  wrote:
>
> Hi,
>
> As it is sometimes harder for me to express myself in plain
> English, I found it easier to write the patches I was thinking
> about. I know this doesn't scale.
>
> So this is how I understand the ecSPI reset works, after
> looking at the IMX6DQRM.pdf datasheet.
>
> This is a respin of Ben's v5 series [*].
> Tagged RFC because I have not tested it :)

Unfortunately this series breaks SPI flash testing under both U-Boot
and VxWorks 7.

> Sometimes changing device reset to better match hardware gives
> trouble when using '-kernel ...' because there is no bootloader
> setting the device in the state Linux expects it.
>

Given most of the new changes in this RFC series are clean-ups, I
suggest we apply the v5 series unless there is anything seriously
wrong in v5, IOW, don't fix it unless it's broken.

Thoughts?

Regards,
Bin



[PATCH 10/10] Fixed calculation error of pkt->header_size in fill_pkt_tcp_info()

2021-01-12 Thread leirao
From: "Rao, Lei" 

The data pointer has already skipped vnet_hdr_len in
parse_packet_early(), so we must not subtract vnet_hdr_len again
when calculating pkt->header_size in fill_pkt_tcp_info(). Otherwise,
it will cause network packet comparison errors and greatly increase
the frequency of checkpoints.

Signed-off-by: Lei Rao 
Signed-off-by: Zhang Chen 
---
 net/colo-compare.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/colo-compare.c b/net/colo-compare.c
index 06f2c28..af30490 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -211,7 +211,7 @@ static void fill_pkt_tcp_info(void *data, uint32_t *max_ack)
 pkt->tcp_ack = ntohl(tcphd->th_ack);
 *max_ack = *max_ack > pkt->tcp_ack ? *max_ack : pkt->tcp_ack;
 pkt->header_size = pkt->transport_header - (uint8_t *)pkt->data
-   + (tcphd->th_off << 2) - pkt->vnet_hdr_len;
+   + (tcphd->th_off << 2);
 pkt->payload_size = pkt->size - pkt->header_size;
 pkt->seq_end = pkt->tcp_seq + pkt->payload_size;
 pkt->flags = tcphd->th_flags;
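Review bot: `pkt->payload_size = pkt->size - pkt->header_size;` has no guard for a header that is longer than the captured packet. `th_off` is taken straight from the guest's TCP header and can claim up to 60 bytes, so a short or malformed segment would make the subtraction wrap (the field types are not visible here, so the exact effect is inferred). Since `header_size` is being corrected in this hunk, it would be worth clamping at the same spot, e.g. `pkt->payload_size = pkt->size > pkt->header_size ? pkt->size - pkt->header_size : 0;`, or rejecting the packet before it reaches the comparison. fill_pkt_tcp_info() starts and ends outside the hunk.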
-- 
1.8.3.1




[PATCH 09/10] Add the function of colo_bitmap_clear_diry

2021-01-12 Thread leirao
From: "Rao, Lei" 

When we use continuous dirty memory copy for flushing ram cache on
secondary VM, we can also clean up the bitmap of contiguous dirty
page memory. This also can reduce the VM stop time during checkpoint.

Signed-off-by: Lei Rao 
---
 migration/ram.c | 29 +
 1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/migration/ram.c b/migration/ram.c
index d875e9a..0f43b79 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -839,6 +839,30 @@ unsigned long colo_bitmap_find_dirty(RAMState *rs, 
RAMBlock *rb,
 return first;
 }
 
+/**
+ * colo_bitmap_clear_dirty:when we flush ram cache to ram, we will use
+ * continuous memory copy, so we can also clean up the bitmap of contiguous
+ * dirty memory.
+ */
+static inline bool colo_bitmap_clear_dirty(RAMState *rs,
+   RAMBlock *rb,
+   unsigned long start,
+   unsigned long num)
+{
+bool ret;
+unsigned long i = 0;
+
+qemu_mutex_lock(>bitmap_mutex);
+for (i = 0; i < num; i++) {
+ret = test_and_clear_bit(start + i, rb->bmap);
+if (ret) {
+rs->migration_dirty_pages--;
+}
+}
+qemu_mutex_unlock(>bitmap_mutex);
+return ret;
+}
+
 static inline bool migration_bitmap_clear_dirty(RAMState *rs,
 RAMBlock *rb,
 unsigned long page)
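Review bot: `ret` in colo_bitmap_clear_dirty() is returned uninitialized when `num` is 0, and otherwise reports only whether the last bit of the range was set. Either make the function `void`, since the only caller in this patch ignores the value, or declare `bool ret = false;` and set it inside the loop with `if (test_and_clear_bit(start + i, rb->bmap)) { rs->migration_dirty_pages--; ret = true; }`. The loop also trusts `start + num` to stay inside `rb->bmap`; a one-line comment saying the caller guarantees this (the range comes from colo_bitmap_find_dirty()) would make that contract explicit.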
@@ -3406,7 +3430,6 @@ void colo_flush_ram_cache(void)
 void *src_host;
 unsigned long offset = 0;
 unsigned long num = 0;
-unsigned long i = 0;
 
 memory_global_dirty_log_sync();
 WITH_RCU_READ_LOCK_GUARD() {
@@ -3428,9 +3451,7 @@ void colo_flush_ram_cache(void)
 num = 0;
 block = QLIST_NEXT_RCU(block, next);
 } else {
-for (i = 0; i < num; i++) {
-migration_bitmap_clear_dirty(ram_state, block, offset + i);
-}
+colo_bitmap_clear_dirty(ram_state, block, offset, num);
 dst_host = block->host
  + (((ram_addr_t)offset) << TARGET_PAGE_BITS);
 src_host = block->colo_cache
-- 
1.8.3.1




[PATCH 08/10] Reduce the PVM stop time during Checkpoint

2021-01-12 Thread leirao
From: "Rao, Lei" 

When flushing memory from ram cache to ram during every checkpoint
on secondary VM, we can copy continuous chunks of memory instead of
4096 bytes per time to reduce the time of VM stop during checkpoint.

Signed-off-by: Lei Rao 
---
 migration/ram.c | 44 +---
 1 file changed, 41 insertions(+), 3 deletions(-)

diff --git a/migration/ram.c b/migration/ram.c
index 7811cde..d875e9a 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -806,6 +806,39 @@ unsigned long migration_bitmap_find_dirty(RAMState *rs, 
RAMBlock *rb,
 return next;
 }
 
+/*
+ * colo_bitmap_find_diry:find contiguous dirty pages from start
+ *
+ * Returns the page offset within memory region of the start of the contiguout
+ * dirty page
+ *
+ * @rs: current RAM state
+ * @rb: RAMBlock where to search for dirty pages
+ * @start: page where we start the search
+ * @num: the number of contiguous dirty pages
+ */
+static inline
+unsigned long colo_bitmap_find_dirty(RAMState *rs, RAMBlock *rb,
+ unsigned long start, unsigned long *num)
+{
+unsigned long size = rb->used_length >> TARGET_PAGE_BITS;
+unsigned long *bitmap = rb->bmap;
+unsigned long first, next;
+
+if (ramblock_is_ignored(rb)) {
+return size;
+}
+
+first = find_next_bit(bitmap, size, start);
+if (first >= size) {
+return first;
+}
+next = find_next_zero_bit(bitmap, size, first + 1);
+assert(next >= first);
+*num = next - first;
+return first;
+}
+
 static inline bool migration_bitmap_clear_dirty(RAMState *rs,
 RAMBlock *rb,
 unsigned long page)
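Review bot: The header comment of colo_bitmap_find_dirty() does not say that `*num` is left untouched on both early returns (ignored block, or no dirty bit found), so a caller may only read it when the return value is below the block's page count. I would state that in the `@num` line, e.g. `@num: set to the length of the dirty run; not written when no dirty page is found`, and fix the spelling of the function name and of "contiguous" in the same comment. `assert(next >= first)` cannot fail because the zero-bit search starts at `first + 1`, so it documents nothing and can be dropped.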
@@ -3372,6 +3405,8 @@ void colo_flush_ram_cache(void)
 void *dst_host;
 void *src_host;
 unsigned long offset = 0;
+unsigned long num = 0;
+unsigned long i = 0;
 
 memory_global_dirty_log_sync();
 WITH_RCU_READ_LOCK_GUARD() {
@@ -3385,19 +3420,22 @@ void colo_flush_ram_cache(void)
 block = QLIST_FIRST_RCU(_list.blocks);
 
 while (block) {
-offset = migration_bitmap_find_dirty(ram_state, block, offset);
+offset = colo_bitmap_find_dirty(ram_state, block, offset, );
 
 if (((ram_addr_t)offset) << TARGET_PAGE_BITS
 >= block->used_length) {
 offset = 0;
+num = 0;
 block = QLIST_NEXT_RCU(block, next);
 } else {
-migration_bitmap_clear_dirty(ram_state, block, offset);
+for (i = 0; i < num; i++) {
+migration_bitmap_clear_dirty(ram_state, block, offset + i);
+}
 dst_host = block->host
  + (((ram_addr_t)offset) << TARGET_PAGE_BITS);
 src_host = block->colo_cache
  + (((ram_addr_t)offset) << TARGET_PAGE_BITS);
-memcpy(dst_host, src_host, TARGET_PAGE_SIZE);
+memcpy(dst_host, src_host, TARGET_PAGE_SIZE * num);
 }
 }
 }
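Review bot: After the `memcpy()` of `TARGET_PAGE_SIZE * num` bytes the loop does not advance `offset`, so the next colo_bitmap_find_dirty() call starts again at the beginning of the run that was just cleared and rescans it; adding `offset += num;` after the copy avoids that. The copy length is bounded only indirectly, by the bitmap search being limited to `used_length >> TARGET_PAGE_BITS`. That is sufficient only if both `block->host` and `block->colo_cache` are at least `used_length` bytes, which is not visible in this hunk and deserves a comment. colo_flush_ram_cache() starts and ends outside the hunk.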
-- 
1.8.3.1




[PATCH 04/10] Remove migrate_set_block_enabled in checkpoint

2021-01-12 Thread leirao
From: "Rao, Lei" 

We can detect disk migration in migrate_prepare: if disk migration
is enabled in COLO mode, we can directly report an error, and there
is no need to disable block migration at every checkpoint.

Signed-off-by: Lei Rao 
Signed-off-by: Zhang Chen 
---
 migration/colo.c  | 6 --
 migration/migration.c | 4 
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/migration/colo.c b/migration/colo.c
index de27662..1aaf316 100644
--- a/migration/colo.c
+++ b/migration/colo.c
@@ -435,12 +435,6 @@ static int colo_do_checkpoint_transaction(MigrationState 
*s,
 if (failover_get_state() != FAILOVER_STATUS_NONE) {
 goto out;
 }
-
-/* Disable block migration */
-migrate_set_block_enabled(false, _err);
-if (local_err) {
-goto out;
-}
 qemu_mutex_lock_iothread();
 
 #ifdef CONFIG_REPLICATION
diff --git a/migration/migration.c b/migration/migration.c
index a5da718..31417ce 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -2107,6 +2107,10 @@ static bool migrate_prepare(MigrationState *s, bool blk, 
bool blk_inc,
 }
 
 if (blk || blk_inc) {
+if (migrate_colo_enabled()) {
+error_setg(errp, "No disk migration is required in COLO mode");
+return false;
+}
 if (migrate_use_block() || migrate_use_block_incremental()) {
 error_setg(errp, "Command options are incompatible with "
"current migration capabilities");
-- 
1.8.3.1




[PATCH 03/10] Optimize the function of filter_send

2021-01-12 Thread leirao
From: "Rao, Lei" 

The iov_size has already been calculated in filter_send(), so we can
directly return the size. This way, there is no need to repeat the
calculation in filter_redirector_receive_iov().

Signed-off-by: Lei Rao 
---
 net/filter-mirror.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/filter-mirror.c b/net/filter-mirror.c
index f8e6500..7fa2eb3 100644
--- a/net/filter-mirror.c
+++ b/net/filter-mirror.c
@@ -88,7 +88,7 @@ static int filter_send(MirrorState *s,
 goto err;
 }
 
-return 0;
+return size;
 
 err:
 return ret < 0 ? ret : -EIO;
@@ -159,7 +159,7 @@ static ssize_t filter_mirror_receive_iov(NetFilterState *nf,
 int ret;
 
 ret = filter_send(s, iov, iovcnt);
-if (ret) {
+if (ret <= 0) {
 error_report("filter mirror send failed(%s)", strerror(-ret));
 }
 
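Review bot: `if (ret <= 0)` treats a return of 0 as a failure and then prints `strerror(-ret)` for it, i.e. the text for errno 0, now that filter_send() returns the byte count instead of 0 on success; the check should be `if (ret < 0)`. The same condition is added in filter_redirector_receive_iov() in the next hunk. filter_send() is declared `int` in the first hunk while it now returns `size`, whose type is not visible here, so it is worth confirming that no narrowing conversion happens on that return.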
@@ -182,10 +182,10 @@ static ssize_t 
filter_redirector_receive_iov(NetFilterState *nf,
 
 if (qemu_chr_fe_backend_connected(>chr_out)) {
 ret = filter_send(s, iov, iovcnt);
-if (ret) {
+if (ret <= 0) {
 error_report("filter redirector send failed(%s)", strerror(-ret));
 }
-return iov_size(iov, iovcnt);
+return ret;
 } else {
 return 0;
 }
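Review bot: `return ret;` now hands a negative errno from filter_send() back to the caller of filter_redirector_receive_iov(), where the old code returned `iov_size(iov, iovcnt)` whenever the backend was connected, even after a failed send. If the caller reads any non-zero return as "packet consumed" (inferred, the caller is not shown), the meaning of a failed send changes with this patch. Either keep returning the packet size on failure or add a comment stating that the error is propagated on purpose.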
-- 
1.8.3.1




[PATCH 06/10] Add the function of colo_compare_cleanup

2021-01-12 Thread leirao
From: "Rao, Lei" 

This patch fixes the following:
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x7f6ae4559859 in __GI_abort () at abort.c:79
#2  0x559aaa386720 in error_exit (err=16, msg=0x559aaa5973d0 
<__func__.16227> "qemu_mutex_destroy") at util/qemu-thread-posix.c:36
#3  0x559aaa3868c5 in qemu_mutex_destroy (mutex=0x559aabffe828) at 
util/qemu-thread-posix.c:69
#4  0x559aaa2f93a8 in char_finalize (obj=0x559aabffe800) at 
chardev/char.c:285
#5  0x559aaa23318a in object_deinit (obj=0x559aabffe800, 
type=0x559aabfd7d20) at qom/object.c:606
#6  0x559aaa2331b8 in object_deinit (obj=0x559aabffe800, 
type=0x559aabfd9060) at qom/object.c:610
#7  0x559aaa233200 in object_finalize (data=0x559aabffe800) at 
qom/object.c:620
#8  0x559aaa234202 in object_unref (obj=0x559aabffe800) at 
qom/object.c:1074
#9  0x559aaa2356b6 in object_finalize_child_property 
(obj=0x559aac0dac10, name=0x559aac778760 "compare0-0", opaque=0x559aabffe800) 
at qom/object.c:1584
#10 0x559aaa232f70 in object_property_del_all (obj=0x559aac0dac10) at 
qom/object.c:557
#11 0x559aaa2331ed in object_finalize (data=0x559aac0dac10) at 
qom/object.c:619
#12 0x559aaa234202 in object_unref (obj=0x559aac0dac10) at 
qom/object.c:1074
#13 0x559aaa2356b6 in object_finalize_child_property 
(obj=0x559aac0c75c0, name=0x559aac0dadc0 "chardevs", opaque=0x559aac0dac10) at 
qom/object.c:1584
#14 0x559aaa233071 in object_property_del_child (obj=0x559aac0c75c0, 
child=0x559aac0dac10, errp=0x0) at qom/object.c:580
#15 0x559aaa233155 in object_unparent (obj=0x559aac0dac10) at 
qom/object.c:599
#16 0x559aaa2fb721 in qemu_chr_cleanup () at chardev/char.c:1159
#17 0x559aa9f9b110 in main (argc=54, argv=0x7ffeb62fa998, 
envp=0x7ffeb62fab50) at vl.c:4539

When the chardev is cleaned up, chr_write_lock needs to be destroyed. But
the colo-compare module is not cleaned up before that when the
guest powers off, and it is still holding chr_write_lock at this time. This
causes QEMU to crash. So we add colo_compare_cleanup() and call it before
qemu_chr_cleanup() to fix the bug.

Signed-off-by: Lei Rao 
---
 net/colo-compare.c | 10 ++
 net/colo-compare.h |  1 +
 net/net.c  |  4 
 3 files changed, 15 insertions(+)

diff --git a/net/colo-compare.c b/net/colo-compare.c
index 8bdf5a8..06f2c28 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -1404,6 +1404,16 @@ static void colo_compare_init(Object *obj)
  compare_set_vnet_hdr);
 }
 
+void colo_compare_cleanup(void)
+{
+CompareState *tmp = NULL;
+CompareState *n = NULL;
+
+QTAILQ_FOREACH_SAFE(tmp, _compares, next, n) {
+object_unparent(OBJECT(tmp));
+}
+}
+
 static void colo_compare_finalize(Object *obj)
 {
 CompareState *s = COLO_COMPARE(obj);
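Review bot: colo_compare_cleanup() has no comment explaining what it relies on: the walk appears to depend on object_unparent() dropping the last reference, so that the finalizer runs and unlinks the entry, which is why the `_SAFE` iterator is used. I would add `/* Unparent every colo-compare object so that it is finalized before qemu_chr_cleanup() destroys the chardev locks. */` above the function. If an object is still referenced elsewhere, unparenting would not finalize it and the abort from the commit message could remain; that is inferred, as the finalizer body is outside the hunk. The two `= NULL` initialisers are redundant, since the macro assigns both variables.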
diff --git a/net/colo-compare.h b/net/colo-compare.h
index 22ddd51..b055270 100644
--- a/net/colo-compare.h
+++ b/net/colo-compare.h
@@ -20,5 +20,6 @@
 void colo_notify_compares_event(void *opaque, int event, Error **errp);
 void colo_compare_register_notifier(Notifier *notify);
 void colo_compare_unregister_notifier(Notifier *notify);
+void colo_compare_cleanup(void);
 
 #endif /* QEMU_COLO_COMPARE_H */
diff --git a/net/net.c b/net/net.c
index e1035f2..f69db4b 100644
--- a/net/net.c
+++ b/net/net.c
@@ -53,6 +53,7 @@
 #include "sysemu/qtest.h"
 #include "sysemu/runstate.h"
 #include "sysemu/sysemu.h"
+#include "net/colo-compare.h"
 #include "net/filter.h"
 #include "qapi/string-output-visitor.h"
 
@@ -1366,6 +1367,9 @@ void net_cleanup(void)
 {
 NetClientState *nc;
 
+/*cleanup colo compare module for COLO*/
+colo_compare_cleanup();
+
 /* We may del multiple entries during qemu_del_net_client(),
  * so QTAILQ_FOREACH_SAFE() is also not safe here.
  */
-- 
1.8.3.1




[PATCH 05/10] Optimize the function of packet_new

2021-01-12 Thread leirao
From: "Rao, Lei" 

if we put the data copy outside the packet_new(), then for the
filter-rewrite module, there will be one less memory copy in the
processing of each network packet.

Signed-off-by: Lei Rao 
---
 net/colo-compare.c| 7 +--
 net/colo.c| 4 ++--
 net/colo.h| 2 +-
 net/filter-rewriter.c | 1 -
 4 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/net/colo-compare.c b/net/colo-compare.c
index 9e18baa..8bdf5a8 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -247,14 +247,17 @@ static int packet_enqueue(CompareState *s, int mode, 
Connection **con)
 ConnectionKey key;
 Packet *pkt = NULL;
 Connection *conn;
+char *data = NULL;
 int ret;
 
 if (mode == PRIMARY_IN) {
-pkt = packet_new(s->pri_rs.buf,
+data = g_memdup(s->pri_rs.buf, s->pri_rs.packet_len);
+pkt = packet_new(data,
  s->pri_rs.packet_len,
  s->pri_rs.vnet_hdr_len);
 } else {
-pkt = packet_new(s->sec_rs.buf,
+data = g_memdup(s->sec_rs.buf, s->sec_rs.packet_len);
+pkt = packet_new(data,
  s->sec_rs.packet_len,
  s->sec_rs.vnet_hdr_len);
 }
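Review bot: The two `g_memdup()` calls take `packet_len` as is; g_memdup()'s size parameter is a `guint` and packet_new() takes an `int`, so the length is narrowed twice without a range check in this hunk (the type and upper bound of `packet_len` are not visible here). A short comment naming the bound that the socket reader enforces, or an explicit check before the copy, would close that gap. `data` is declared `char *` but is only passed on as an opaque buffer, so `void *` would match packet_new()'s parameter. packet_enqueue() continues outside the hunk.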
diff --git a/net/colo.c b/net/colo.c
index ef00609..08fb37e 100644
--- a/net/colo.c
+++ b/net/colo.c
@@ -155,11 +155,11 @@ void connection_destroy(void *opaque)
 g_slice_free(Connection, conn);
 }
 
-Packet *packet_new(const void *data, int size, int vnet_hdr_len)
+Packet *packet_new(void *data, int size, int vnet_hdr_len)
 {
 Packet *pkt = g_slice_new(Packet);
 
-pkt->data = g_memdup(data, size);
+pkt->data = data;
 pkt->size = size;
 pkt->creation_ms = qemu_clock_get_ms(QEMU_CLOCK_HOST);
 pkt->vnet_hdr_len = vnet_hdr_len;
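Review bot: packet_new() now stores the caller's pointer instead of copying it, but neither the signature nor a comment says that ownership of `data` moves to the packet. Please add a doc comment above the definition and above the prototype in net/colo.h (changed in the next hunk), e.g. `/* Takes ownership of @data, which must be heap-allocated with g_malloc(); the caller must not free it. */`. Without that, a caller that keeps freeing its buffer, as colo_rewriter_receive_iov() did before this patch, becomes a double free or use-after-free. It would also help to say which of packet_destroy() and packet_destroy_partial() releases the buffer; their bodies are not shown here.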
diff --git a/net/colo.h b/net/colo.h
index 573ab91..bd2d719 100644
--- a/net/colo.h
+++ b/net/colo.h
@@ -100,7 +100,7 @@ Connection *connection_get(GHashTable 
*connection_track_table,
 bool connection_has_tracked(GHashTable *connection_track_table,
 ConnectionKey *key);
 void connection_hashtable_reset(GHashTable *connection_track_table);
-Packet *packet_new(const void *data, int size, int vnet_hdr_len);
+Packet *packet_new(void *data, int size, int vnet_hdr_len);
 void packet_destroy(void *opaque, void *user_data);
 void packet_destroy_partial(void *opaque, void *user_data);
 
diff --git a/net/filter-rewriter.c b/net/filter-rewriter.c
index fc0e64c..e24afe5 100644
--- a/net/filter-rewriter.c
+++ b/net/filter-rewriter.c
@@ -271,7 +271,6 @@ static ssize_t colo_rewriter_receive_iov(NetFilterState *nf,
 }
 
 pkt = packet_new(buf, size, vnet_hdr_len);
-g_free(buf);
 
 /*
  * if we get tcp packet
-- 
1.8.3.1




[PATCH 00/10] Fixed some bugs and optimized some codes for COLO

2021-01-12 Thread leirao
The series of patches include:
Fixed some bugs of qemu crash.
Optimized some code to reduce the time of checkpoint.
Remove some unnecessary code to improve COLO.

Rao, Lei (10):
  Remove some duplicate trace code.
  Fix the qemu crash when guest shutdown during checkpoint
  Optimize the function of filter_send
  Remove migrate_set_block_enabled in checkpoint
  Optimize the function of packet_new
  Add the function of colo_compare_cleanup
  Disable auto-coverge before entering COLO mode.
  Reduce the PVM stop time during Checkpoint
  Add the function of colo_bitmap_clear_diry
  Fixed calculation error of pkt->header_size in fill_pkt_tcp_info()

 migration/colo.c  |  6 -
 migration/migration.c | 20 +++-
 migration/ram.c   | 65 ---
 net/colo-compare.c| 32 -
 net/colo-compare.h|  1 +
 net/colo.c|  4 ++--
 net/colo.h|  2 +-
 net/filter-mirror.c   |  8 +++
 net/filter-rewriter.c |  1 -
 net/net.c |  4 
 softmmu/runstate.c|  1 +
 11 files changed, 110 insertions(+), 34 deletions(-)

-- 
1.8.3.1




[PATCH 07/10] Disable auto-coverge before entering COLO mode.

2021-01-12 Thread leirao
From: "Rao, Lei" 

If we don't disable the feature of auto-converge for live migration
before entering COLO mode, it will continue to run with COLO running,
and eventually the system will hang due to the CPU throttle reaching
DEFAULT_MIGRATE_MAX_CPU_THROTTLE.

Signed-off-by: Lei Rao 
---
 migration/migration.c | 16 +++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/migration/migration.c b/migration/migration.c
index 31417ce..6ab37e5 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -1673,6 +1673,20 @@ void migrate_set_block_enabled(bool value, Error **errp)
 qapi_free_MigrationCapabilityStatusList(cap);
 }
 
+static void colo_auto_converge_enabled(bool value, Error **errp)
+{
+MigrationCapabilityStatusList *cap = NULL;
+
+if (migrate_colo_enabled() && migrate_auto_converge()) {
+QAPI_LIST_PREPEND(cap,
+  migrate_cap_add(MIGRATION_CAPABILITY_AUTO_CONVERGE,
+  value));
+qmp_migrate_set_capabilities(cap, errp);
+qapi_free_MigrationCapabilityStatusList(cap);
+}
+cpu_throttle_stop();
+}
+
 static void migrate_set_block_incremental(MigrationState *s, bool value)
 {
 s->parameters.block_incremental = value;
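Review bot: colo_auto_converge_enabled() is named like a predicate, but it changes the auto-converge capability and stops CPU throttling; a name such as `colo_set_auto_converge()` and a one-line comment would describe it better. `cpu_throttle_stop()` runs regardless of `value`, so calling the helper with `true` would still stop throttling. Either drop the parameter, since the only caller passes `false`, or leave the throttle stop in the caller.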
@@ -3401,7 +3415,7 @@ static MigIterateState 
migration_iteration_run(MigrationState *s)
 static void migration_iteration_finish(MigrationState *s)
 {
 /* If we enabled cpu throttling for auto-converge, turn it off. */
-cpu_throttle_stop();
+colo_auto_converge_enabled(false, _abort);
 
 qemu_mutex_lock_iothread();
 switch (s->state) {
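Review bot: The call passes what is presumably `&error_abort` (the archive has dropped the leading characters), so any error set by qmp_migrate_set_capabilities() inside the helper terminates QEMU at the end of a migration. If that handler can refuse the change at this point, for example because the migration is still considered active (not visible here), a configuration refusal becomes a process abort. A local `Error *` that is reported and freed would be safer. The comment above the call still describes only the throttle stop and should mention that the capability is cleared as well. migration_iteration_finish() continues outside the hunk.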
-- 
1.8.3.1




[PATCH 02/10] Fix the qemu crash when guest shutdown during checkpoint

2021-01-12 Thread leirao
From: "Rao, Lei" 

This patch fixes the following:
qemu-system-x86_64: invalid runstate transition: 'colo' ->'shutdown'
Aborted (core dumped)

Signed-off-by: Lei Rao 
---
 softmmu/runstate.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/softmmu/runstate.c b/softmmu/runstate.c
index 636aab0..455ad0d 100644
--- a/softmmu/runstate.c
+++ b/softmmu/runstate.c
@@ -125,6 +125,7 @@ static const RunStateTransition runstate_transitions_def[] 
= {
 { RUN_STATE_RESTORE_VM, RUN_STATE_PRELAUNCH },
 
 { RUN_STATE_COLO, RUN_STATE_RUNNING },
+{ RUN_STATE_COLO, RUN_STATE_SHUTDOWN},
 
 { RUN_STATE_RUNNING, RUN_STATE_DEBUG },
 { RUN_STATE_RUNNING, RUN_STATE_INTERNAL_ERROR },
-- 
1.8.3.1




[PATCH 01/10] Remove some duplicate trace code.

2021-01-12 Thread leirao
From: "Rao, Lei" 

There is the same trace code in the colo_compare_packet_payload.

Signed-off-by: Lei Rao 
---
 net/colo-compare.c | 13 -
 1 file changed, 13 deletions(-)

diff --git a/net/colo-compare.c b/net/colo-compare.c
index 84db497..9e18baa 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -590,19 +590,6 @@ static int colo_packet_compare_other(Packet *spkt, Packet 
*ppkt)
 uint16_t offset = ppkt->vnet_hdr_len;
 
 trace_colo_compare_main("compare other");
-if (trace_event_get_state_backends(TRACE_COLO_COMPARE_IP_INFO)) {
-char pri_ip_src[20], pri_ip_dst[20], sec_ip_src[20], sec_ip_dst[20];
-
-strcpy(pri_ip_src, inet_ntoa(ppkt->ip->ip_src));
-strcpy(pri_ip_dst, inet_ntoa(ppkt->ip->ip_dst));
-strcpy(sec_ip_src, inet_ntoa(spkt->ip->ip_src));
-strcpy(sec_ip_dst, inet_ntoa(spkt->ip->ip_dst));
-
-trace_colo_compare_ip_info(ppkt->size, pri_ip_src,
-   pri_ip_dst, spkt->size,
-   sec_ip_src, sec_ip_dst);
-}
-
 if (ppkt->size != spkt->size) {
 trace_colo_compare_main("Other: payload size of packets are 
different");
 return -1;
-- 
1.8.3.1




Re: [PATCH v2 05/13] vt82c686: Set user_creatable=false for VT82C686B_PM

2021-01-12 Thread Jiaxun Yang

在 2021/1/10 上午4:16, BALATON Zoltan 写道:

This device is part of the multifunction VIA superio/south bridge chip
so not useful in itself.

Signed-off-by: BALATON Zoltan 

Reviewed-by: Jiaxun Yang 

---
  hw/isa/vt82c686.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/isa/vt82c686.c b/hw/isa/vt82c686.c
index fc2a1f4430..9b16660e9d 100644
--- a/hw/isa/vt82c686.c
+++ b/hw/isa/vt82c686.c
@@ -200,8 +200,9 @@ static void via_pm_class_init(ObjectClass *klass, void 
*data)
  k->revision = 0x40;
  dc->reset = vt82c686b_pm_reset;
  dc->desc = "PM";
+/* Reason: part of VIA south bridge, does not exist stand alone */
+dc->user_creatable = false;
  dc->vmsd = _acpi;
-set_bit(DEVICE_CATEGORY_BRIDGE, dc->categories);
  }
  
  static const TypeInfo via_pm_info = {





Re: [PATCH v2 01/13] vt82c686: Move superio memory region to SuperIOConfig struct

2021-01-12 Thread Jiaxun Yang

在 2021/1/10 上午4:16, BALATON Zoltan 写道:

The superio memory region holds the io space index/data registers used
to access the superio config registers that are implemented in struct
SuperIOConfig. To keep these related things together move the memory
region to SuperIOConfig and rename it accordingly.
Also remove the unused "data" member of SuperIOConfig which is not
needed as we store actual data values in the regs array.

Signed-off-by: BALATON Zoltan 


Reviewed-by: Jiaxun Yang 


---
  hw/isa/vt82c686.c | 16 
  1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/hw/isa/vt82c686.c b/hw/isa/vt82c686.c
index a6f5a0843d..30fe02f4c6 100644
--- a/hw/isa/vt82c686.c
+++ b/hw/isa/vt82c686.c
@@ -29,12 +29,11 @@
  typedef struct SuperIOConfig {
  uint8_t regs[0x100];
  uint8_t index;
-uint8_t data;
+MemoryRegion io;
  } SuperIOConfig;
  
  struct VT82C686BISAState {

  PCIDevice dev;
-MemoryRegion superio;
  SuperIOConfig superio_cfg;
  };
  
@@ -128,8 +127,9 @@ static void vt82c686b_write_config(PCIDevice *d, uint32_t addr,
  
  trace_via_isa_write(addr, val, len);

  pci_default_write_config(d, addr, val, len);
-if (addr == 0x85) {  /* enable or disable super IO configure */
-memory_region_set_enabled(>superio, val & 0x2);
+if (addr == 0x85) {
+/* BIT(1): enable or disable superio config io ports */
+memory_region_set_enabled(>superio_cfg.io, val & BIT(1));
  }
  }
  
@@ -311,15 +311,15 @@ static void vt82c686b_realize(PCIDevice *d, Error **errp)

  }
  }
  
-memory_region_init_io(>superio, OBJECT(d), _cfg_ops,

-  >superio_cfg, "superio", 2);
-memory_region_set_enabled(>superio, false);
+memory_region_init_io(>superio_cfg.io, OBJECT(d), _cfg_ops,
+  >superio_cfg, "superio_cfg", 2);
+memory_region_set_enabled(>superio_cfg.io, false);
  /*
   * The floppy also uses 0x3f0 and 0x3f1.
   * But we do not emulate a floppy, so just set it here.
   */
  memory_region_add_subregion(isa_bus->address_space_io, 0x3f0,
->superio);
+>superio_cfg.io);
  }
  
  static void via_class_init(ObjectClass *klass, void *data)





Re: [PATCH v2 03/13] vt82c686: Fix SMBus IO base and configuration registers

2021-01-12 Thread Jiaxun Yang

在 2021/1/13 上午6:25, BALATON Zoltan 写道:

On Tue, 12 Jan 2021, Jiaxun Yang wrote:

在 2021/1/10 上午4:16, BALATON Zoltan 写道:

The base address of the SMBus io ports and its enabled status is set
by registers in the PCI config space but this was not correctly
emulated. Instead the SMBus registers were mapped on realize to the
base address set by a property to the address expected by fuloong2e
firmware.

Fix the base and config register handling to more closely model
hardware which allows to remove the property and allows the guest to
control this mapping. Do all this in reset instead of realize so it's
correctly updated on reset.


Hi,

Thanks for your patch!



Signed-off-by: BALATON Zoltan 
---
  hw/isa/vt82c686.c   | 49 
+

  hw/mips/fuloong2e.c |  4 +---
  2 files changed, 37 insertions(+), 16 deletions(-)

diff --git a/hw/isa/vt82c686.c b/hw/isa/vt82c686.c
index fe8961b057..9c4d153022 100644
--- a/hw/isa/vt82c686.c
+++ b/hw/isa/vt82c686.c
@@ -22,6 +22,7 @@
  #include "hw/i2c/pm_smbus.h"
  #include "qapi/error.h"
  #include "qemu/module.h"
+#include "qemu/range.h"
  #include "qemu/timer.h"
  #include "exec/address-spaces.h"
  #include "trace.h"
@@ -34,7 +35,6 @@ struct VT686PMState {
  ACPIREGS ar;
  APMState apm;
  PMSMBus smb;
-    uint32_t smb_io_base;
  };
    static void pm_io_space_update(VT686PMState *s)
@@ -50,11 +50,22 @@ static void pm_io_space_update(VT686PMState *s)
  memory_region_transaction_commit();
  }
  +static void smb_io_space_update(VT686PMState *s)
+{
+    uint32_t smbase = pci_get_long(s->dev.config + 0x90) & 0xfff0UL;
+
+    memory_region_transaction_begin();
+    memory_region_set_address(>smb.io, smbase);
+    memory_region_set_enabled(>smb.io, s->dev.config[0xd2] & 
BIT(0));

+    memory_region_transaction_commit();
+}
+
  static int vmstate_acpi_post_load(void *opaque, int version_id)
  {
  VT686PMState *s = opaque;
    pm_io_space_update(s);
+    smb_io_space_update(s);
  return 0;
  }
  @@ -77,8 +88,18 @@ static const VMStateDescription vmstate_acpi = {
    static void pm_write_config(PCIDevice *d, uint32_t addr, 
uint32_t val, int len)

  {
+    VT686PMState *s = VT82C686B_PM(d);
+
  trace_via_pm_write(addr, val, len);
  pci_default_write_config(d, addr, val, len);
+    if (ranges_overlap(addr, len, 0x90, 4)) {
+    uint32_t v = pci_get_long(s->dev.config + 0x90);
+    pci_set_long(s->dev.config + 0x90, (v & 0xfff0UL) | 1);


What does this "or 1" do?
The datasheet I found only mentioned the default value of BASE is 
 0001

but didn't say anything about it's function :-/


It says that in the summary table but later in data sheet there's also 
detailed description of registers for each part where it says:


Offset 93-90 – SMBus I/O Base ... RW
3-0 Fixed ... always reads 0001b

The above mask and | 1 ensures this. I don't know why lowest bit is 
always 1 but that seems to be the case for all such regs. Maybe 
internally these are implemented like PCI BARs where lowest bit means 
IO space.


Thanks!

In this case:

Reviewed-by: Jiaxun Yang 




+    }
+    if (range_covers_byte(addr, len, 0xd2)) {
+    s->dev.config[0xd2] &= 0xf;
+    smb_io_space_update(s);
+    }
  }
    static void pm_update_sci(VT686PMState *s)
@@ -103,6 +124,17 @@ static void pm_tmr_timer(ACPIREGS *ar)
  pm_update_sci(s);
  }
  +static void vt82c686b_pm_reset(DeviceState *d)
+{
+    VT686PMState *s = VT82C686B_PM(d);
+
+    /* SMBus IO base */
+    pci_set_long(s->dev.config + 0x90, 1);


Theoretically this kind of magic number should be avoided but
as the rest of the file was written in such style it seems fine for me.


I could add defines for register offsets but did not think that would 
make it much more readable to have random names instead of random 
numbers. Likely you'll have to consult the data sheet to find out 
their meaning anyway.


Agreed.

- Jiaxun



Regards,
BALATON Zoltan





Re: [PATCH 0/6] target/mips: Convert Loongson LEXT opcodes to decodetree

2021-01-12 Thread Jiaxun Yang

在 2021/1/13 上午5:54, Philippe Mathieu-Daudé 写道:

Loongson is next step in the "MIPS decodetree conversion" epic.
Start with the simplest extension.

The diffstat addition comes from the TCG functions expanded.
The code is easier to review now.
IMO this is also a good template to show how easy a decodetree
conversion can be (and how nice the .decode file is to review) :P

Please review,

Phil.

Based-on: <20210112184156.2014305-1-f4...@amsat.org>
   "decodetree: Allow 'dot' in opcode names"

Philippe Mathieu-Daudé (6):
   target/mips: Re-introduce OPC_ADDUH_QB_DSP and OPC_MUL_PH_DSP
   target/mips: Convert Loongson DDIV.G opcodes to decodetree
   target/mips: Convert Loongson DIV.G opcodes to decodetree
   target/mips: Convert Loongson [D]DIVU.G opcodes to decodetree
   target/mips: Convert Loongson [D]MOD[U].G opcodes to decodetree
   target/mips: Convert Loongson [D]MULT[U].G opcodes to decodetree

  target/mips/translate.h   |   1 +
  target/mips/godson2.decode|  29 +++
  target/mips/loong-ext.decode  |  30 +++


Hi Philippe,

Thanks for the template!

Just a small question, where should we perform ISA availability check?
Before calling generated decoder or after decoded?

Loong-EXT is a super set of Loongson2F's Godson2 and MMI instructions,
how could we tell it?

Thanks.

- Jiaxun


  target/mips/loong_translate.c | 334 ++
  target/mips/translate.c   | 287 ++---
  target/mips/meson.build   |   3 +
  6 files changed, 409 insertions(+), 275 deletions(-)
  create mode 100644 target/mips/godson2.decode
  create mode 100644 target/mips/loong-ext.decode
  create mode 100644 target/mips/loong_translate.c






Re: [PATCH 1/6] target/mips: Re-introduce OPC_ADDUH_QB_DSP and OPC_MUL_PH_DSP

2021-01-12 Thread Jiaxun Yang

在 2021/1/13 上午5:54, Philippe Mathieu-Daudé 写道:

There is no issue having multiple enum declarations with
the same value. As we are going to remove the OPC_MULT_G_2E
definition in few commits, restore the OPC_ADDUH_QB_DSP and
OPC_MUL_PH_DSP definitions and use them where they belong.

Signed-off-by: Philippe Mathieu-Daudé 


Reviewed-by: Jiaxun Yang 


---
  target/mips/translate.c | 18 +-
  1 file changed, 5 insertions(+), 13 deletions(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index a2b3026132d..cbd152eff50 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -399,16 +399,14 @@ enum {
  OPC_ADDU_OB_DSP= 0x14 | OPC_SPECIAL3,
  OPC_ABSQ_S_PH_DSP  = 0x12 | OPC_SPECIAL3,
  OPC_ABSQ_S_QH_DSP  = 0x16 | OPC_SPECIAL3,
-/* OPC_ADDUH_QB_DSP is same as OPC_MULT_G_2E.  */
-/* OPC_ADDUH_QB_DSP   = 0x18 | OPC_SPECIAL3,  */
+OPC_ADDUH_QB_DSP   = 0x18 | OPC_SPECIAL3,
  OPC_CMPU_EQ_QB_DSP = 0x11 | OPC_SPECIAL3,
  OPC_CMPU_EQ_OB_DSP = 0x15 | OPC_SPECIAL3,
  /* MIPS DSP GPR-Based Shift Sub-class */
  OPC_SHLL_QB_DSP= 0x13 | OPC_SPECIAL3,
  OPC_SHLL_OB_DSP= 0x17 | OPC_SPECIAL3,
  /* MIPS DSP Multiply Sub-class insns */
-/* OPC_MUL_PH_DSP is same as OPC_ADDUH_QB_DSP.  */
-/* OPC_MUL_PH_DSP = 0x18 | OPC_SPECIAL3,  */
+OPC_MUL_PH_DSP = 0x18 | OPC_SPECIAL3,
  OPC_DPA_W_PH_DSP   = 0x30 | OPC_SPECIAL3,
  OPC_DPAQ_W_QH_DSP  = 0x34 | OPC_SPECIAL3,
  /* DSP Bit/Manipulation Sub-class */
@@ -566,7 +564,6 @@ enum {
  OPC_MULQ_S_PH  = (0x1E << 6) | OPC_ADDU_QB_DSP,
  };
  
-#define OPC_ADDUH_QB_DSP OPC_MULT_G_2E

  #define MASK_ADDUH_QB(op)   (MASK_SPECIAL3(op) | (op & (0x1F << 6)))
  enum {
  /* MIPS DSP Arithmetic Sub-class */
@@ -22681,8 +22678,7 @@ static void gen_mipsdsp_arith(DisasContext *ctx, 
uint32_t op1, uint32_t op2,
  gen_load_gpr(v2_t, v2);
  
  switch (op1) {

-/* OPC_MULT_G_2E is equal OPC_ADDUH_QB_DSP */
-case OPC_MULT_G_2E:
+case OPC_ADDUH_QB_DSP:
  check_dsp_r2(ctx);
  switch (op2) {
  case OPC_ADDUH_QB:
@@ -23376,11 +23372,7 @@ static void gen_mipsdsp_multiply(DisasContext *ctx, 
uint32_t op1, uint32_t op2,
  gen_load_gpr(v2_t, v2);
  
  switch (op1) {

-/*
- * OPC_MULT_G_2E, OPC_ADDUH_QB_DSP, OPC_MUL_PH_DSP have
- * the same mask and op1.
- */
-case OPC_MULT_G_2E:
+case OPC_MUL_PH_DSP:
  check_dsp_r2(ctx);
  switch (op2) {
  case  OPC_MUL_PH:
@@ -27337,7 +27329,7 @@ static void decode_opc_special3_legacy(CPUMIPSState 
*env, DisasContext *ctx)
   * OPC_MULT_G_2E, OPC_ADDUH_QB_DSP, OPC_MUL_PH_DSP have
   * the same mask and op1.
   */
-if ((ctx->insn_flags & ASE_DSP_R2) && (op1 == OPC_MULT_G_2E)) {
+if ((ctx->insn_flags & ASE_DSP_R2) && (op1 == OPC_MUL_PH_DSP)) {
  op2 = MASK_ADDUH_QB(ctx->opcode);
  switch (op2) {
  case OPC_ADDUH_QB:





[Bug 1878651] Re: Assertion failure in e1000e_write_to_rx_buffers

2021-01-12 Thread Alexander Bulekov
This was reported by OSS-Fuzz as Issue 27389
Here is a minimized reproducer:

=== Reproducer ===
cat << EOF | ./qemu-system-i386 -display none\
 -machine accel=qtest -m 512M -machine q35 -nodefaults \
-device e1000e,netdev=net0 -netdev user,id=net0 -qtest stdio
outl 0xcf8 0x8811
outl 0xcfc 0xc600
outl 0xcf8 0x8813
outl 0xcfc 0x9d
outl 0xcf8 0x8801
outl 0xcfc 0x1600
write 0x9dc6500a 0x2 0x2080
write 0x9dc6011a 0x2 0x1040
write 0x9dc60120 0x1 0xa0
write 0x9dc60102 0x2 0x4e04
outl 0xcf8 0x8811
outl 0xcfc 0x5ac600
write 0x5ac6042a 0x2 0x00ff
write 0x5ac60402 0x2 0x020
write 0x10 0x1 0xff
write 0x11 0x1 0x01
write 0x19 0x1 0xe7
write 0x1b 0x1 0x11
write 0x20b 0x1 0x08
write 0x20d 0x1 0x15
write 0xac7 0x1 0x10
write 0x5ac6043a 0x1 0x10
EOF

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1878651

Title:
  Assertion failure in e1000e_write_to_rx_buffers

Status in QEMU:
  New

Bug description:
  Hello,
  While fuzzing, I found an input which triggers an assertion failure in 
e1000e_write_to_rx_buffers:
  /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1424: void 
e1000e_write_to_rx_buffers(E1000ECore *, hwaddr (*)[4], e1000e_ba_state *, 
const char *, dma_addr_t): Assertion `bastate->cur_idx < MAX_PS_BUFFERS' failed.
  #0  0x7686d761 in __GI_raise (sig=sig@entry=0x6) at 
../sysdeps/unix/sysv/linux/raise.c:50
  #1  0x7685755b in __GI_abort () at abort.c:79
  #2  0x7685742f in __assert_fail_base (fmt=0x769bdb48 "%s%s%s:%u: 
%s%sAssertion `%s' failed.\n%n", assertion=0x57f691e0  
"bastate->cur_idx < MAX_PS_BUFFERS", file=0x57f5a080  
"/home/alxndr/Development/qemu/hw/net/e1000e_core.c", line=0x590, 
function=) at assert.c:92
  #3  0x76866092 in __GI___assert_fail (assertion=0x57f691e0  
"bastate->cur_idx < MAX_PS_BUFFERS", file=0x57f5a080  
"/home/alxndr/Development/qemu/hw/net/e1000e_core.c", line=0x590, 
function=0x57f69240 <__PRETTY_FUNCTION__.e1000e_write_to_rx_buffers> "void 
e1000e_write_to_rx_buffers(E1000ECore *, hwaddr (*)[4], e1000e_ba_state *, 
const char *, dma_addr_t)") at assert.c:101
  #4  0x56f8fbcd in e1000e_write_to_rx_buffers (core=0x7fffee07c4e0, 
ba=0x7fff8860, bastate=0x7fff88a0, data=0x7fffe61b8021 "", 
data_len=0x2000) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1424
  #5  0x56f82f14 in e1000e_write_packet_to_guest (core=0x7fffee07c4e0, 
pkt=0x6114b900, rxr=0x7fff8d10, rss_info=0x7fff8d30) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:1582
  #6  0x56f80960 in e1000e_receive_iov (core=0x7fffee07c4e0, 
iov=0x6194e780, iovcnt=0x4) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:1709
  #7  0x56f7d457 in e1000e_nc_receive_iov (nc=0x61407460, 
iov=0x6194e780, iovcnt=0x4) at 
/home/alxndr/Development/qemu/hw/net/e1000e.c:213
  #8  0x56f64738 in net_tx_pkt_sendv (pkt=0x63128800, 
nc=0x61407460, iov=0x6194e780, iov_cnt=0x4) at 
/home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:544
  #9  0x56f63f0e in net_tx_pkt_send (pkt=0x63128800, 
nc=0x61407460) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:620
  #10 0x56f650e5 in net_tx_pkt_send_loopback (pkt=0x63128800, 
nc=0x61407460) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:633
  #11 0x56fb026a in e1000e_tx_pkt_send (core=0x7fffee07c4e0, 
tx=0x7fffee09c748, queue_index=0x0) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:664
  #12 0x56faebf6 in e1000e_process_tx_desc (core=0x7fffee07c4e0, 
tx=0x7fffee09c748, dp=0x7fff9520, queue_index=0x0) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:743
  #13 0x56fadfa8 in e1000e_start_xmit (core=0x7fffee07c4e0, 
txr=0x7fff9720) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934
  #14 0x56fa308b in e1000e_set_tdt (core=0x7fffee07c4e0, index=0xe06, 
val=0x563) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451
  #15 0x56f84d7e in e1000e_core_write (core=0x7fffee07c4e0, addr=0x438, 
val=0x563, size=0x4) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261
  #16 0x56f79497 in e1000e_mmio_write (opaque=0x7fffee079800, 
addr=0x438, val=0x563, size=0x4) at 
/home/alxndr/Development/qemu/hw/net/e1000e.c:109
  #17 0x564938b5 in memory_region_write_accessor (mr=0x7fffee07c110, 
addr=0x438, value=0x7fff9d90, size=0x4, shift=0x0, mask=0x, 
attrs=...) at /home/alxndr/Development/qemu/memory.c:483
  #18 0x5649328a in access_with_adjusted_size (addr=0x438, 
value=0x7fff9d90, size=0x2, access_size_min=0x4, access_size_max=0x4, 
access_fn=0x56493360 , mr=0x7fffee07c110, 
attrs=...) at /home/alxndr/Development/qemu/memory.c:544
  #19 0x56491df6 in memory_region_dispatch_write (mr=0x7fffee07c110, 
addr=0x438, data=0x563, op=MO_16, attrs=...) at 

Re: [PATCH 3/3] tests/acceptance: Add a test for the virtex-ml507 ppc machine

2021-01-12 Thread David Gibson
On Tue, Jan 12, 2021 at 05:40:45PM +0100, Thomas Huth wrote:
> The "And a hippo new year" image from the QEMU advent calendar 2020
> can be used to test the virtex-ml507 ppc machine.
> 
> Signed-off-by: Thomas Huth 

Acked-by: David Gibson 

> ---
>  tests/acceptance/machine_ppc.py | 18 ++
>  1 file changed, 18 insertions(+)
> 
> diff --git a/tests/acceptance/machine_ppc.py b/tests/acceptance/machine_ppc.py
> index 71025d296c..a836e2496f 100644
> --- a/tests/acceptance/machine_ppc.py
> +++ b/tests/acceptance/machine_ppc.py
> @@ -49,3 +49,21 @@ class PpcMachine(Test):
>  self.vm.launch()
>  wait_for_console_pattern(self, 'QEMU advent calendar 2020',
>   self.panic_message)
> +
> +def test_ppc_virtex_ml507(self):
> +"""
> +:avocado: tags=arch:ppc
> +:avocado: tags=machine:virtex-ml507
> +"""
> +tar_url = ('https://www.qemu-advent-calendar.org'
> +   '/2020/download/hippo.tar.gz')
> +tar_hash = '306b95bfe7d147f125aa176a877e266db8ef914a'
> +file_path = self.fetch_asset(tar_url, asset_hash=tar_hash)
> +archive.extract(file_path, self.workdir)
> +self.vm.set_console()
> +self.vm.add_args('-kernel', self.workdir + '/hippo/hippo.linux',
> + '-dtb', self.workdir + '/hippo/virtex440-ml507.dtb',
> + '-m', '512')
> +self.vm.launch()
> +wait_for_console_pattern(self, 'QEMU advent calendar 2020',
> + self.panic_message)
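Review bot: The hippo.tar.gz download in test_ppc_virtex_ml507 is pinned only by a 40-hex-digit `tar_hash`, which is a SHA-1 digest, and that digest is the sole integrity check before `archive.extract()` unpacks the tarball into `self.workdir` and the kernel inside it is booted. SHA-1 is no longer collision-resistant, so a stronger pin is preferable; avocado's `fetch_asset()` accepts an `algorithm` argument, e.g. `self.fetch_asset(tar_url, asset_hash=tar_hash, algorithm='sha256')` with `tar_hash = '<sha256-of-hippo.tar.gz>'` (placeholder, to be computed from the published file). The same applies to `tar_hash` in test_ppc_mpc8544ds and `kernel_hash` in test_ppc64_pseries in the other machine_ppc.py patches on this page.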

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [PATCH 1/3] tests/acceptance: Move the pseries test to a separate file

2021-01-12 Thread David Gibson
On Tue, Jan 12, 2021 at 05:40:43PM +0100, Thomas Huth wrote:
> Let's gather the POWER-related tests in a separate file.
> 
> Signed-off-by: Thomas Huth 

Acked-by: David Gibson 

> ---
>  MAINTAINERS|  1 +
>  tests/acceptance/boot_linux_console.py | 19 --
>  tests/acceptance/machine_ppc.py| 34 ++
>  3 files changed, 35 insertions(+), 19 deletions(-)
>  create mode 100644 tests/acceptance/machine_ppc.py
> 
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 4be087b88e..189776a036 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -280,6 +280,7 @@ F: target/ppc/
>  F: hw/ppc/
>  F: include/hw/ppc/
>  F: disas/ppc.c
> +F: tests/acceptance/machine_ppc.py
>  
>  RISC-V TCG CPUs
>  M: Palmer Dabbelt 
> diff --git a/tests/acceptance/boot_linux_console.py 
> b/tests/acceptance/boot_linux_console.py
> index fb41bb7144..41d2c86e98 100644
> --- a/tests/acceptance/boot_linux_console.py
> +++ b/tests/acceptance/boot_linux_console.py
> @@ -976,25 +976,6 @@ class BootLinuxConsole(LinuxKernelTest):
>  console_pattern = 'Kernel command line: %s' % kernel_command_line
>  self.wait_for_console_pattern(console_pattern)
>  
> -def test_ppc64_pseries(self):
> -"""
> -:avocado: tags=arch:ppc64
> -:avocado: tags=machine:pseries
> -"""
> -kernel_url = ('https://archives.fedoraproject.org/pub/archive'
> -  '/fedora-secondary/releases/29/Everything/ppc64le/os'
> -  '/ppc/ppc64/vmlinuz')
> -kernel_hash = '3fe04abfc852b66653b8c3c897a59a689270bc77'
> -kernel_path = self.fetch_asset(kernel_url, asset_hash=kernel_hash)
> -
> -self.vm.set_console()
> -kernel_command_line = self.KERNEL_COMMON_COMMAND_LINE + 
> 'console=hvc0'
> -self.vm.add_args('-kernel', kernel_path,
> - '-append', kernel_command_line)
> -self.vm.launch()
> -console_pattern = 'Kernel command line: %s' % kernel_command_line
> -self.wait_for_console_pattern(console_pattern)
> -
>  def test_m68k_q800(self):
>  """
>  :avocado: tags=arch:m68k
> diff --git a/tests/acceptance/machine_ppc.py b/tests/acceptance/machine_ppc.py
> new file mode 100644
> index 00..51bbfd411c
> --- /dev/null
> +++ b/tests/acceptance/machine_ppc.py
> @@ -0,0 +1,34 @@
> +# Test that Linux kernel boots on ppc machines and check the console
> +#
> +# Copyright (c) 2018, 2020 Red Hat, Inc.
> +#
> +# This work is licensed under the terms of the GNU GPL, version 2 or
> +# later.  See the COPYING file in the top-level directory.
> +
> +from avocado_qemu import Test
> +from avocado_qemu import wait_for_console_pattern
> +
> +class PpcMachine(Test):
> +
> +timeout = 90
> +KERNEL_COMMON_COMMAND_LINE = 'printk.time=0 '
> +panic_message = 'Kernel panic - not syncing'
> +
> +def test_ppc64_pseries(self):
> +"""
> +:avocado: tags=arch:ppc64
> +:avocado: tags=machine:pseries
> +"""
> +kernel_url = ('https://archives.fedoraproject.org/pub/archive'
> +  '/fedora-secondary/releases/29/Everything/ppc64le/os'
> +  '/ppc/ppc64/vmlinuz')
> +kernel_hash = '3fe04abfc852b66653b8c3c897a59a689270bc77'
> +kernel_path = self.fetch_asset(kernel_url, asset_hash=kernel_hash)
> +
> +self.vm.set_console()
> +kernel_command_line = self.KERNEL_COMMON_COMMAND_LINE + 
> 'console=hvc0'
> +self.vm.add_args('-kernel', kernel_path,
> + '-append', kernel_command_line)
> +self.vm.launch()
> +console_pattern = 'Kernel command line: %s' % kernel_command_line
> +wait_for_console_pattern(self, console_pattern, self.panic_message)

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [PATCH] spapr: Improve handling of memory unplug with old guests

2021-01-12 Thread David Gibson
On Fri, Jan 08, 2021 at 06:31:27PM +0100, Greg Kurz wrote:
> Since commit 1e8b5b1aa16b ("spapr: Allow memory unplug to always succeed")
> trying to unplug memory from a guest that doesn't support it (eg. rhel6)
> no longer generates an error like it used to. Instead, it leaves the
> memory around : only a subsequent reboot or manual use of drmgr within
> the guest can complete the hot-unplug sequence. A flag was added to
> SpaprMachineClass so that this new behavior only applies to the default
> machine type.
> 
> We can do better. CAS processes all pending hot-unplug requests. This
> means that we don't really care about what the guest supports if
> the hot-unplug request happens before CAS.
> 
> All guests that we care for, even old ones, set enough bits in OV5
> that lead to a non-empty bitmap in spapr->ov5_cas. Use that as a
> heuristic to decide if CAS has already occurred or not.
> 
> Always accept unplug requests that happen before CAS since CAS will
> process them. Restore the previous behavior of rejecting them after
> CAS when we know that the guest doesn't support memory hot-unplug.
> 
> This behavior is suitable for all machine types : this allows to
> drop the pre_6_0_memory_unplug flag.
> 
> Fixes: 1e8b5b1aa16b ("spapr: Allow memory unplug to always succeed")
> Signed-off-by: Greg Kurz 

Applied, sorry it took me so long.

> ---
>  hw/ppc/spapr.c  |   24 +---
>  hw/ppc/spapr_events.c   |3 +--
>  hw/ppc/spapr_ovec.c |7 +++
>  include/hw/ppc/spapr.h  |2 +-
>  include/hw/ppc/spapr_ovec.h |1 +
>  5 files changed, 23 insertions(+), 14 deletions(-)
> 
> diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> index 2c403b574e37..6c47466fc2f1 100644
> --- a/hw/ppc/spapr.c
> +++ b/hw/ppc/spapr.c
> @@ -4048,6 +4048,18 @@ static void spapr_machine_device_unplug(HotplugHandler 
> *hotplug_dev,
>  }
>  }
>  
> +bool spapr_memory_hot_unplug_supported(SpaprMachineState *spapr)
> +{
> +return spapr_ovec_test(spapr->ov5_cas, OV5_HP_EVT) ||
> +/*
> + * CAS will process all pending unplug requests.
> + *
> + * HACK: a guest could theoretically have cleared all bits in OV5,
> + * but none of the guests we care for do.
> + */

Hrm.  This is pretty ugly - I thought we had a better canonical way of
determining if CAS had already happened this boot, but it appears
not.  I don't want to delay this patch, since it is an important fix,
but it would be nice if you could do a later cleanup to have a nicer
way of detecting CAS-hasn't-happened.

> +spapr_ovec_empty(spapr->ov5_cas);
> +}
> +
>  static void spapr_machine_device_unplug_request(HotplugHandler *hotplug_dev,
>  DeviceState *dev, Error 
> **errp)
>  {
> @@ -4056,16 +4068,9 @@ static void 
> spapr_machine_device_unplug_request(HotplugHandler *hotplug_dev,
>  SpaprMachineClass *smc = SPAPR_MACHINE_CLASS(mc);
>  
>  if (object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM)) {
> -if (!smc->pre_6_0_memory_unplug ||
> -spapr_ovec_test(sms->ov5_cas, OV5_HP_EVT)) {
> +if (spapr_memory_hot_unplug_supported(sms)) {
>  spapr_memory_unplug_request(hotplug_dev, dev, errp);
>  } else {
> -/* NOTE: this means there is a window after guest reset, prior to
> - * CAS negotiation, where unplug requests will fail due to the
> - * capability not being detected yet. This is a bit different 
> than
> - * the case with PCI unplug, where the events will be queued and
> - * eventually handled by the guest after boot
> - */
>  error_setg(errp, "Memory hot unplug not supported for this 
> guest");
>  }
>  } else if (object_dynamic_cast(OBJECT(dev), TYPE_SPAPR_CPU_CORE)) {
> @@ -4543,11 +4548,8 @@ DEFINE_SPAPR_MACHINE(6_0, "6.0", true);
>   */
>  static void spapr_machine_5_2_class_options(MachineClass *mc)
>  {
> -SpaprMachineClass *smc = SPAPR_MACHINE_CLASS(mc);
> -
>  spapr_machine_6_0_class_options(mc);
>  compat_props_add(mc->compat_props, hw_compat_5_2, hw_compat_5_2_len);
> -smc->pre_6_0_memory_unplug = true;
>  }
>  
>  DEFINE_SPAPR_MACHINE(5_2, "5.2", false);
> diff --git a/hw/ppc/spapr_events.c b/hw/ppc/spapr_events.c
> index 6aedd988b3d0..d51daedfa6e0 100644
> --- a/hw/ppc/spapr_events.c
> +++ b/hw/ppc/spapr_events.c
> @@ -658,8 +658,7 @@ static void spapr_hotplug_req_event(uint8_t hp_id, 
> uint8_t hp_action,
>  /* we should not be using count_indexed value unless the guest
>   * supports dedicated hotplug event source
>   */
> -g_assert(!SPAPR_MACHINE_GET_CLASS(spapr)->pre_6_0_memory_unplug ||
> - spapr_ovec_test(spapr->ov5_cas, OV5_HP_EVT));
> +g_assert(spapr_memory_hot_unplug_supported(spapr));
>  hp->drc_id.count_indexed.count =
>  cpu_to_be32(drc_id->count_indexed.count);
>   

Re: [PATCH 2/3] tests/acceptance: Test the mpc8544ds machine

2021-01-12 Thread David Gibson
On Tue, Jan 12, 2021 at 05:40:44PM +0100, Thomas Huth wrote:
> We can use the "Stupid creek" image to test the mpc8544ds ppc machine.
> 
> Signed-off-by: Thomas Huth 

Acked-by: David Gibson 

> ---
>  tests/acceptance/machine_ppc.py | 17 +
>  1 file changed, 17 insertions(+)
> 
> diff --git a/tests/acceptance/machine_ppc.py b/tests/acceptance/machine_ppc.py
> index 51bbfd411c..71025d296c 100644
> --- a/tests/acceptance/machine_ppc.py
> +++ b/tests/acceptance/machine_ppc.py
> @@ -5,6 +5,7 @@
>  # This work is licensed under the terms of the GNU GPL, version 2 or
>  # later.  See the COPYING file in the top-level directory.
>  
> +from avocado.utils import archive
>  from avocado_qemu import Test
>  from avocado_qemu import wait_for_console_pattern
>  
> @@ -32,3 +33,19 @@ class PpcMachine(Test):
>  self.vm.launch()
>  console_pattern = 'Kernel command line: %s' % kernel_command_line
>  wait_for_console_pattern(self, console_pattern, self.panic_message)
> +
> +def test_ppc_mpc8544ds(self):
> +"""
> +:avocado: tags=arch:ppc
> +:avocado: tags=machine:mpc8544ds
> +"""
> +tar_url = ('https://www.qemu-advent-calendar.org'
> +   '/2020/download/day17.tar.gz')
> +tar_hash = '7a5239542a7c4257aa4d3b7f6ddf08fb6775c494'
> +file_path = self.fetch_asset(tar_url, asset_hash=tar_hash)
> +archive.extract(file_path, self.workdir)
> +self.vm.set_console()
> +self.vm.add_args('-kernel', self.workdir + '/creek/creek.bin')
> +self.vm.launch()
> +wait_for_console_pattern(self, 'QEMU advent calendar 2020',
> + self.panic_message)

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [RFC PATCH] rtl8139: fix stack overflow if RxBuf overlaps MMIO

2021-01-12 Thread Qiuhao Li
On Tue, 2021-01-12 at 16:02 +, Peter Maydell wrote:
> On Tue, 12 Jan 2021 at 15:23, Qiuhao Li 
> wrote:
> > Fix Bug 1910826 [1] / OSS-Fuzz Issue 29224 [2].
> > 
> > In rtl8139.c, the function rtl8139_RxBuf_write, which sets the
> > RxBuf
> > (Receive Buffer Start Address), doesn't check if this buffer
> > overlaps our
> > MMIO region. So if the guest machine set the transmit mode to
> > loopback, put
> > the RxBuf at the address of TSD (Transmit Status of Descriptor,
> > MMIO), and
> > trigger a frame transfer by directly writing to the TSD, an
> > infinite
> > recursion will occur:
> > 
> > rtl8139_ioport_write (to TSD) -> rtl8139_io_writel ->
> > rtl8139_transmit ->
> > rtl8139_transmit_one -> rtl8139_transfer_frame ->
> > rtl8139_do_receive ->
> > rtl8139_write_buffer -> pci_dma_write (to TSD) -> ... ->
> > rtl8139_ioport_write (to TSD)
> > 
> > This patch adds a check to ensure the maximum possible RxBuf [3]
> > won't
> > overlap the MMIO region.
> > 
> > P.S. There is a more concise reproducer with comments [4], which
> > may help :)
> > 
> > [1] https://bugs.launchpad.net/bugs/1910826
> > [2] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29224
> > [3] https://www.cs.usfca.edu/~cruse/cs326f04/RTL8139D_DataSheet.pdf
> > 5.7 Transmit Configuration Register
> > [4] https://bugs.launchpad.net/qemu/+bug/1910826/comments/1
> > 
> > Signed-off-by: Qiuhao Li 
> > Reported-by: Alexander Bulekov 
> 
> This looks like a single-device workaround for the generic
> class of problems where a device can be configured to
> do DMA to itself. Why is rtl8139 special ?

Understand. I thought it is the device's duty to avoid doing DMA to
itself.

Thank you.
  Qiuhao Li
> 
> (I have on my todo list to think about the general problem.)
> 
> thanks
> -- PMM




Re: [PATCH v6 13/13] s390: Recognize confidential-guest-support option

2021-01-12 Thread David Gibson
On Tue, Jan 12, 2021 at 12:36:07PM +0100, Cornelia Huck wrote:
> On Tue, 12 Jan 2021 09:15:26 +0100
> Christian Borntraeger  wrote:
> 
> > On 12.01.21 05:45, David Gibson wrote:
> > > At least some s390 cpu models support "Protected Virtualization" (PV),
> > > a mechanism to protect guests from eavesdropping by a compromised
> > > hypervisor.
> > > 
> > > This is similar in function to other mechanisms like AMD's SEV and
> > > POWER's PEF, which are controlled by the "confidential-guest-support"
> > > machine option.  s390 is a slightly special case, because we already
> > > supported PV, simply by using a CPU model with the required feature
> > > (S390_FEAT_UNPACK).
> > > 
> > > To integrate this with the option used by other platforms, we
> > > implement the following compromise:
> > > 
> > >  - When the confidential-guest-support option is set, s390 will
> > >recognize it, verify that the CPU can support PV (failing if not)
> > >and set virtio default options necessary for encrypted or protected
> > >guests, as on other platforms.  i.e. if confidential-guest-support
> > >is set, we will either create a guest capable of entering PV mode,
> > >or fail outright.
> > > 
> > >  - If confidential-guest-support is not set, guests might still be
> > >able to enter PV mode, if the CPU has the right model.  This may be
> > >a little surprising, but shouldn't actually be harmful.
> > > 
> > > To start a guest supporting Protected Virtualization using the new
> > > option use the command line arguments:
> > > -object s390-pv-guest,id=pv0 -machine confidential-guest-support=pv0  
> > 
> > 
> > This results in
> > 
> > [cborntra@t35lp61 qemu]$ qemu-system-s390x -enable-kvm -nographic -m 2G 
> > -kernel ~/full.normal 
> > **
> > ERROR:../qom/object.c:317:type_initialize: assertion failed: 
> > (parent->instance_size <= ti->instance_size)
> > Bail out! ERROR:../qom/object.c:317:type_initialize: assertion failed: 
> > (parent->instance_size <= ti->instance_size)
> > Aborted (core dumped)
> > 
> 
> > > +static const TypeInfo s390_pv_guest_info = {
> > > +.parent = TYPE_CONFIDENTIAL_GUEST_SUPPORT,
> > > +.name = TYPE_S390_PV_GUEST,
> > > +.instance_size = sizeof(S390PVGuestState),
> > > +.interfaces = (InterfaceInfo[]) {
> > > +{ TYPE_USER_CREATABLE },
> > > +{ }
> > > +}
> > > +};
> 
> I think this needs TYPE_OBJECT in .parent and
> TYPE_CONFIDENTIAL_GUEST_SUPPORT as an interface to fix the crash.

No, that was true of an earlier revision, but parent is correct in the
current version.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [PATCH v6 10/13] spapr: Add PEF based confidential guest support

2021-01-12 Thread David Gibson
On Tue, Jan 12, 2021 at 09:56:12AM +, Daniel P. Berrangé wrote:
> On Tue, Jan 12, 2021 at 03:45:05PM +1100, David Gibson wrote:
> > Some upcoming POWER machines have a system called PEF (Protected
> > Execution Facility) which uses a small ultravisor to allow guests to
> > run in a way that they can't be eavesdropped by the hypervisor.  The
> > effect is roughly similar to AMD SEV, although the mechanisms are
> > quite different.
> > 
> > Most of the work of this is done between the guest, KVM and the
> > ultravisor, with little need for involvement by qemu.  However qemu
> > does need to tell KVM to allow secure VMs.
> > 
> > Because the availability of secure mode is a guest visible difference
> > which depends on having the right hardware and firmware, we don't
> > enable this by default.  In order to run a secure guest you need to
> > create a "pef-guest" object and set the confidential-guest-support
> > property to point to it.
> > 
> > Note that this just *allows* secure guests, the architecture of PEF is
> > such that the guest still needs to talk to the ultravisor to enter
> > secure mode.  Qemu has no direct way of knowing if the guest is in
> > secure mode, and certainly can't know until well after machine
> > creation time.
> > 
> > To start a PEF-capable guest, use the command line options:
> > -object pef-guest,id=pef0 -machine confidential-guest-support=pef0
> > 
> > Signed-off-by: David Gibson 
> > ---
> >  docs/confidential-guest-support.txt |   2 +
> >  docs/papr-pef.txt   |  30 
> >  hw/ppc/meson.build  |   1 +
> >  hw/ppc/pef.c| 115 
> >  hw/ppc/spapr.c  |  10 +++
> >  include/hw/ppc/pef.h|  26 +++
> >  target/ppc/kvm.c|  18 -
> >  target/ppc/kvm_ppc.h|   6 --
> >  8 files changed, 184 insertions(+), 24 deletions(-)
> >  create mode 100644 docs/papr-pef.txt
> >  create mode 100644 hw/ppc/pef.c
> >  create mode 100644 include/hw/ppc/pef.h
> > 
> 
> > +static const TypeInfo pef_guest_info = {
> > +.parent = TYPE_OBJECT,
> > +.name = TYPE_PEF_GUEST,
> > +.instance_size = sizeof(PefGuestState),
> > +.interfaces = (InterfaceInfo[]) {
> > +{ TYPE_CONFIDENTIAL_GUEST_SUPPORT },
> > +{ TYPE_USER_CREATABLE },
> > +{ }
> > +}
> > +};
> 
> IIUC, the earlier patch defines TYPE_CONFIDENTIAL_GUEST_SUPPORT
> as a object, but you're using it as an interface here. The later
> s390 patch uses it as a parent, which makes more sense given it
> is a declared as an object.

Oops, that's a holdover from an earlier version that used an
interface.  Fixed.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [PATCH v6 05/13] confidential guest support: Rework the "memory-encryption" property

2021-01-12 Thread David Gibson
On Tue, Jan 12, 2021 at 11:59:59AM +0100, Greg Kurz wrote:
> On Tue, 12 Jan 2021 15:45:00 +1100
> David Gibson  wrote:
> 
> > Currently the "memory-encryption" property is only looked at once we
> > get to kvm_init().  Although protection of guest memory from the
> > hypervisor isn't something that could really ever work with TCG, it's
> > not conceptually tied to the KVM accelerator.
> > 
> > In addition, the way the string property is resolved to an object is
> > almost identical to how a QOM link property is handled.
> > 
> > So, create a new "confidential-guest-support" link property which sets
> > this QOM interface link directly in the machine.  For compatibility we
> > keep the "memory-encryption" property, but now implemented in terms of
> > the new property.
> 
> Do we really want to keep "memory-encryption" in the long term ? If
> not, then maybe engage the deprecation process and add a warning in
> machine_set_memory_encryption() ?

Hmm.. I kind of think that's up to the SEV people to decide on the
timetable (if any) for deprecation - it's their existing option.  In
any case I'd prefer to leave that to a separate patch.

Dave (Gilbert), any opinions?

> Apart from that, LGTM:
> 
> Reviewed-by: Greg Kurz 
> 
> > Signed-off-by: David Gibson 
> > ---
> >  accel/kvm/kvm-all.c  |  5 +++--
> >  accel/kvm/sev-stub.c |  5 +++--
> >  hw/core/machine.c| 43 +--
> >  include/hw/boards.h  |  2 +-
> >  include/sysemu/sev.h |  2 +-
> >  target/i386/sev.c| 32 ++--
> >  6 files changed, 47 insertions(+), 42 deletions(-)
> > 
> > diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
> > index 260ed73ffe..28ab126f70 100644
> > --- a/accel/kvm/kvm-all.c
> > +++ b/accel/kvm/kvm-all.c
> > @@ -2181,8 +2181,9 @@ static int kvm_init(MachineState *ms)
> >   * if memory encryption object is specified then initialize the memory
> >   * encryption context.
> >   */
> > -if (ms->memory_encryption) {
> > -ret = sev_guest_init(ms->memory_encryption);
> > +if (ms->cgs) {
> > +/* FIXME handle mechanisms other than SEV */
> > +ret = sev_kvm_init(ms->cgs);
> >  if (ret < 0) {
> >  goto err;
> >  }
> > diff --git a/accel/kvm/sev-stub.c b/accel/kvm/sev-stub.c
> > index 5db9ab8f00..3d4787ae4a 100644
> > --- a/accel/kvm/sev-stub.c
> > +++ b/accel/kvm/sev-stub.c
> > @@ -15,7 +15,8 @@
> >  #include "qemu-common.h"
> >  #include "sysemu/sev.h"
> >  
> > -int sev_guest_init(const char *id)
> > +int sev_kvm_init(ConfidentialGuestSupport *cgs)
> >  {
> > -return -1;
> > +/* SEV can't be selected if it's not compiled */
> > +g_assert_not_reached();
> >  }
> > diff --git a/hw/core/machine.c b/hw/core/machine.c
> > index 8909117d80..94194ab82d 100644
> > --- a/hw/core/machine.c
> > +++ b/hw/core/machine.c
> > @@ -32,6 +32,7 @@
> >  #include "hw/mem/nvdimm.h"
> >  #include "migration/global_state.h"
> >  #include "migration/vmstate.h"
> > +#include "exec/confidential-guest-support.h"
> >  
> >  GlobalProperty hw_compat_5_2[] = {};
> >  const size_t hw_compat_5_2_len = G_N_ELEMENTS(hw_compat_5_2);
> > @@ -427,16 +428,37 @@ static char *machine_get_memory_encryption(Object 
> > *obj, Error **errp)
> >  {
> >  MachineState *ms = MACHINE(obj);
> >  
> > -return g_strdup(ms->memory_encryption);
> > +if (ms->cgs) {
> > +return 
> > g_strdup(object_get_canonical_path_component(OBJECT(ms->cgs)));
> > +}
> > +
> > +return NULL;
> >  }
> >  
> >  static void machine_set_memory_encryption(Object *obj, const char *value,
> >  Error **errp)
> >  {
> > -MachineState *ms = MACHINE(obj);
> > +Object *cgs =
> > +object_resolve_path_component(object_get_objects_root(), value);
> > +
> > +if (!cgs) {
> > +error_setg(errp, "No such memory encryption object '%s'", value);
> > +return;
> > +}
> >  
> > -g_free(ms->memory_encryption);
> > -ms->memory_encryption = g_strdup(value);
> > +object_property_set_link(obj, "confidential-guest-support", cgs, errp);
> > +}
> > +
> > +static void machine_check_confidential_guest_support(const Object *obj,
> > + const char *name,
> > + Object *new_target,
> > + Error **errp)
> > +{
> > +/*
> > + * So far the only constraint is that the target has the
> > + * TYPE_CONFIDENTIAL_GUEST_SUPPORT interface, and that's checked
> > + * by the QOM core
> > + */
> >  }
> >  
> >  static bool machine_get_nvdimm(Object *obj, Error **errp)
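Review bot: The comment in the new `machine_check_confidential_guest_support()` says the target "has the TYPE_CONFIDENTIAL_GUEST_SUPPORT interface", but the 10/13 review on this page describes the type as an object and the interface usage as a holdover from an earlier revision, so the wording looks stale. Something like `/* So far the only constraint is that the target is a TYPE_CONFIDENTIAL_GUEST_SUPPORT object, which the QOM core checks */` would match. Since the callback body is empty it accepts every set request it is asked about, so the comment could also state whether the link is meant to stay changeable after machine initialisation.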
> > @@ -836,6 +858,15 @@ static void machine_class_init(ObjectClass *oc, void 
> > *data)
> >  object_class_property_set_description(oc, "suppress-vmdesc",
> >  "Set on to disable self-describing migration");
> >  
> > +

Re: [PATCH v6 10/13] spapr: Add PEF based confidential guest support

2021-01-12 Thread David Gibson
On Tue, Jan 12, 2021 at 12:27:50PM +0100, Greg Kurz wrote:
> On Tue, 12 Jan 2021 15:45:05 +1100
> David Gibson  wrote:
> 
> > Some upcoming POWER machines have a system called PEF (Protected
> > Execution Facility) which uses a small ultravisor to allow guests to
> > run in a way that they can't be eavesdropped by the hypervisor.  The
> > effect is roughly similar to AMD SEV, although the mechanisms are
> > quite different.
> > 
> > Most of the work of this is done between the guest, KVM and the
> > ultravisor, with little need for involvement by qemu.  However qemu
> > does need to tell KVM to allow secure VMs.
> > 
> > Because the availability of secure mode is a guest visible difference
> > which depends on having the right hardware and firmware, we don't
> > enable this by default.  In order to run a secure guest you need to
> > create a "pef-guest" object and set the confidential-guest-support
> > property to point to it.
> > 
> > Note that this just *allows* secure guests, the architecture of PEF is
> > such that the guest still needs to talk to the ultravisor to enter
> > secure mode.  Qemu has no direct way of knowing if the guest is in
> > secure mode, and certainly can't know until well after machine
> > creation time.
> > 
> > To start a PEF-capable guest, use the command line options:
> > -object pef-guest,id=pef0 -machine confidential-guest-support=pef0
> > 
> > Signed-off-by: David Gibson 
> > ---
> >  docs/confidential-guest-support.txt |   2 +
> >  docs/papr-pef.txt   |  30 
> >  hw/ppc/meson.build  |   1 +
> >  hw/ppc/pef.c| 115 
> >  hw/ppc/spapr.c  |  10 +++
> >  include/hw/ppc/pef.h|  26 +++
> >  target/ppc/kvm.c|  18 -
> >  target/ppc/kvm_ppc.h|   6 --
> >  8 files changed, 184 insertions(+), 24 deletions(-)
> >  create mode 100644 docs/papr-pef.txt
> >  create mode 100644 hw/ppc/pef.c
> >  create mode 100644 include/hw/ppc/pef.h
> > 
> > diff --git a/docs/confidential-guest-support.txt 
> > b/docs/confidential-guest-support.txt
> > index 2790425b38..d466aa79d5 100644
> > --- a/docs/confidential-guest-support.txt
> > +++ b/docs/confidential-guest-support.txt
> > @@ -40,4 +40,6 @@ Currently supported confidential guest mechanisms are:
> >  AMD Secure Encrypted Virtualization (SEV)
> >  docs/amd-memory-encryption.txt
> >  
> > +POWER Protected Execution Facility (PEF)
> 
> Maybe add:
> 
> /docs/papr-pef.txt

Good idea, added.

> > +
> >  Other mechanisms may be supported in future.
> > diff --git a/docs/papr-pef.txt b/docs/papr-pef.txt
> > new file mode 100644
> > index 00..798e39f3ed
> > --- /dev/null
> > +++ b/docs/papr-pef.txt
> > @@ -0,0 +1,30 @@
> > +POWER (PAPR) Protected Execution Facility (PEF)
> > +===
> > +
> > +Protected Execution Facility (PEF), also known as Secure Guest support
> > +is a feature found on IBM POWER9 and POWER10 processors.
> > +
> > +If a suitable firmware including an Ultravisor is installed, it adds
> > +an extra memory protection mode to the CPU.  The ultravisor manages a
> > +pool of secure memory which cannot be accessed by the hypervisor.
> > +
> > +When this feature is enabled in qemu, a guest can use ultracalls to
> > +enter "secure mode".  This transfers most of its memory to secure
> > +memory, where it cannot be eavesdropped by a compromised hypervisor.
> > +
> > +Launching
> > +-
> > +
> > +To launch a guest which will be permitted to enter PEF secure mode:
> > +
> > +# ${QEMU} \
> > +-object pef-guest \
> 
> Add missing id=pef0

Done.

> > +-machine confidential-guest-support=pef0 \
> > +...
> > +
> > +Live Migration
> > +
> > +
> > +Live migration is not yet implemented for PEF guests.  For
> > +consistency, we currently prevent migration if the PEF feature is
> > +enabled, whether or not the guest has actuall entered secure mode.
> 
> actually

Fixed, thanks.

> 
> > diff --git a/hw/ppc/meson.build b/hw/ppc/meson.build
> > index ffa2ec37fa..218631c883 100644
> > --- a/hw/ppc/meson.build
> > +++ b/hw/ppc/meson.build
> > @@ -27,6 +27,7 @@ ppc_ss.add(when: 'CONFIG_PSERIES', if_true: files(
> >'spapr_nvdimm.c',
> >'spapr_rtas_ddw.c',
> >'spapr_numa.c',
> > +  'pef.c',
> >  ))
> >  ppc_ss.add(when: 'CONFIG_SPAPR_RNG', if_true: files('spapr_rng.c'))
> >  ppc_ss.add(when: ['CONFIG_PSERIES', 'CONFIG_LINUX'], if_true: files(
> > diff --git a/hw/ppc/pef.c b/hw/ppc/pef.c
> > new file mode 100644
> > index 00..b227dc6905
> > --- /dev/null
> > +++ b/hw/ppc/pef.c
> > @@ -0,0 +1,115 @@
> > +/*
> > + * PEF (Protected Execution Facility) for POWER support
> > + *
> > + * Copyright David Gibson, Redhat Inc. 2020
> > + *
> > + * This work is licensed under the terms of the GNU GPL, version 2 or 
> > later.
> > + * See the COPYING file in the top-level directory.
> > + *
> > 

[Bug 1911351] Re: x86-64 MTTCG Does not update page table entries atomically

2021-01-12 Thread Marco
** Description changed:

  It seems like the qemu tcg code for x86-64 doesn't write the access and
- dirty flags of the page table entries atomically. Instead, they first
+ dirty bits of the page table entries atomically. Instead, they first
  read the entry, see if they need to set the page table entry, and then
- overwrite the entry. So if you have two threads running at the same
- time, one accessing the virtual address over and over again, and the
- other modifying the page table entry, it is possible that after the
- second thread modifies the page table entry, qemu overwrites the value
- with the old page table entry value, with the access/dirty flags set.
+ write back the updated page table entry. So if you have two threads
+ running at the same time, one accessing the virtual address over and
+ over again, and the other modifying the page table entry, it is possible
+ that after the second thread modifies the page table entry, qemu
+ overwrites the value with the old page table entry value, with the
+ access/dirty flags set.
  
  Here's a unit test that reproduces this behavior:
  
  https://github.com/mvanotti/kvm-unit-
  tests/commit/09f9722807271226a714b04f25174776454b19cd
  
  You can run it with:
  
  ```
  /usr/bin/qemu-system-x86_64 --no-reboot -nodefaults \
  -device pc-testdev -device isa-debug-exit,iobase=0xf4,iosize=0x4 \
  -vnc none -serial stdio -device pci-testdev \
  -smp 4 -machine q35 --accel tcg,thread=multi \
  -kernel x86/mmu-race.flat # -initrd /tmp/tmp.avvPpezMFf
  ```
  
  Expected output (failure):
  
  ```
  kvm-unit-tests$ make && /usr/bin/qemu-system-x86_64 --no-reboot -nodefaults 
-device pc-testdev -device isa-debug-exit,iobase=0xf4,iosize=0x4 -vnc none 
-serial stdio -device pci-testdev -smp 4 -machine q35 --accel tcg,thread=multi  
-kernel x86/mmu-race.flat # -initrd /tmp/tmp.avvPpezMFf
  enabling apic
  enabling apic
  enabling apic
  enabling apic
  paging enabled
  cr0 = 80010011
  cr3 = 627000
  cr4 = 20
  found 4 cpus
  PASS: Need more than 1 CPU
  Detected overwritten PTE:
- want: 0x0062e007
- got:  0x0062d027
+ want: 0x0062e007
+ got:  0x0062d027
  FAIL: PTE not overwritten
  PASS: All Reads were zero
  SUMMARY: 3 tests, 1 unexpected failures
  ```
  
- This bug has allows user-to-root privilege escalation inside the guest
- VM: if the user is able overwrite an entry that belongs to a second-to-
- last level page table, and is able to allocate the referenced page, then
- the user would be in control of a last-level page table, being able to
- map any memory they want. This is not uncommon in situations where
- memory is being decomitted.
+ This bug allows user-to-root privilege escalation inside the guest VM:
+ if the user is able overwrite an entry that belongs to a second-to-last
+ level page table, and is able to allocate the referenced page, then the
+ user would be in control of a last-level page table, being able to map
+ any memory they want. This is not uncommon in situations where memory is
+ being decomitted.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1911351

Title:
  x86-64 MTTCG Does not update page table entries atomically

Status in QEMU:
  Confirmed

Bug description:
  It seems like the qemu tcg code for x86-64 doesn't write the access
  and dirty bits of the page table entries atomically. Instead, they
  first read the entry, see if they need to set the page table entry,
  and then write back the updated page table entry. So if you have two
  threads running at the same time, one accessing the virtual address
  over and over again, and the other modifying the page table entry, it
  is possible that after the second thread modifies the page table
  entry, qemu overwrites the value with the old page table entry value,
  with the access/dirty flags set.

  Here's a unit test that reproduces this behavior:

  https://github.com/mvanotti/kvm-unit-
  tests/commit/09f9722807271226a714b04f25174776454b19cd

  You can run it with:

  ```
  /usr/bin/qemu-system-x86_64 --no-reboot -nodefaults \
  -device pc-testdev -device isa-debug-exit,iobase=0xf4,iosize=0x4 \
  -vnc none -serial stdio -device pci-testdev \
  -smp 4 -machine q35 --accel tcg,thread=multi \
  -kernel x86/mmu-race.flat # -initrd /tmp/tmp.avvPpezMFf
  ```

  Expected output (failure):

  ```
  kvm-unit-tests$ make && /usr/bin/qemu-system-x86_64 --no-reboot -nodefaults 
-device pc-testdev -device isa-debug-exit,iobase=0xf4,iosize=0x4 -vnc none 
-serial stdio -device pci-testdev -smp 4 -machine q35 --accel tcg,thread=multi  
-kernel x86/mmu-race.flat # -initrd /tmp/tmp.avvPpezMFf
  enabling apic
  enabling apic
  enabling apic
  enabling apic
  paging enabled
  cr0 = 80010011
  cr3 = 627000
  cr4 = 20
  found 4 cpus
  PASS: Need more than 1 CPU
  Detected overwritten PTE:
  want: 0x0062e007
  got:  

Re: [PATCH] decodetree: Open files with encoding='utf-8'

2021-01-12 Thread Philippe Mathieu-Daudé
On 1/13/21 12:35 AM, John Snow wrote:
> On 1/12/21 4:11 PM, Eduardo Habkost wrote:
>> [CCing John, Wainer]
>>
>> On Fri, Jan 08, 2021 at 05:51:41PM -0500, Daniele Buono wrote:
>>> I had a similar issue in the past with the acceptance tests.
>>> Some VMs send UTF-8 output in their console and the acceptance test
>>> script would bail out if the locale was not UTF-8.
>>>
>>> I sent a patch on the ml but it probably got lost:
>>> https://lists.gnu.org/archive/html/qemu-devel/2020-07/msg06086.html
>>>
>>> I can re-spin it if you guys are interested
>>
>> The mbox at
>> https://lore.kernel.org/qemu-devel/20200721125522.20511-1-dbu...@linux.vnet.ibm.com/
>>
>> can still be applied cleanly, I don't think you need to resubmit.
>>
>> However, we have no owner for tests/acceptance/avocado_qemu in
>> MAINTAINERS.  Is anybody currently taking care of
>> tests/acceptance patches and making sure they are merged?

[1] The answer to this question is below in [2]...

> I touch these tests sometimes, but I know very little about avocado
> overall, so I don't think it's going to be me taking point here.
> 
> (I don't mind taking a reviewer stanza for something like *.py, though.)
> 
> Acceptance (Integration) Testing with the Avocado framework
> W: https://trello.com/b/6Qi1pxVn/avocado-qemu
> R: Cleber Rosa 
> R: Philippe Mathieu-Daudé 
> R: Wainer dos Santos Moschetta 
> S: Odd Fixes
> F: tests/acceptance/
> 
> Why is this only "Odd Fixes"? Isn't it new within the last ~2y? The
> avocado_qemu module itself was largely written by Cleber, Philippe and
> Caio.

[2] The answer to this question is above in [1] :)

> 
> --js
> 
> 




Re: [PATCH] decodetree: Open files with encoding='utf-8'

2021-01-12 Thread John Snow

On 1/12/21 4:11 PM, Eduardo Habkost wrote:

[CCing John, Wainer]

On Fri, Jan 08, 2021 at 05:51:41PM -0500, Daniele Buono wrote:

I had a similar issue in the past with the acceptance tests.
Some VMs send UTF-8 output in their console and the acceptance test
script would bail out if the locale was not UTF-8.

I sent a patch on the ml but it probably got lost:
https://lists.gnu.org/archive/html/qemu-devel/2020-07/msg06086.html

I can re-spin it if you guys are interested


The mbox at
https://lore.kernel.org/qemu-devel/20200721125522.20511-1-dbu...@linux.vnet.ibm.com/
can still be applied cleanly, I don't think you need to resubmit.

However, we have no owner for tests/acceptance/avocado_qemu in
MAINTAINERS.  Is anybody currently taking care of
tests/acceptance patches and making sure they are merged?



I touch these tests sometimes, but I know very little about avocado 
overall, so I don't think it's going to be me taking point here.


(I don't mind taking a reviewer stanza for something like *.py, though.)

Acceptance (Integration) Testing with the Avocado framework
W: https://trello.com/b/6Qi1pxVn/avocado-qemu
R: Cleber Rosa 
R: Philippe Mathieu-Daudé 
R: Wainer dos Santos Moschetta 
S: Odd Fixes
F: tests/acceptance/

Why is this only "Odd Fixes"? Isn't it new within the last ~2y? The 
avocado_qemu module itself was largely written by Cleber, Philippe and Caio.


--js




[Bug 1911351] Re: x86-64 MTTCG Does not update page table entries atomically

2021-01-12 Thread Peter Maydell
Yeah, it's a long standing API deficiency inside QEMU that we don't have
a way to do atomic modifications in things like page-table-walk code:
mostly you don't notice unless you go looking for it, but we really
ought to fix this. Thanks for the unit test.


** Changed in: qemu
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1911351

Title:
  x86-64 MTTCG Does not update page table entries atomically

Status in QEMU:
  Confirmed

Bug description:
  It seems like the qemu tcg code for x86-64 doesn't write the access
  and dirty flags of the page table entries atomically. Instead, they
  first read the entry, see if they need to set the page table entry,
  and then overwrite the entry. So if you have two threads running at
  the same time, one accessing the virtual address over and over again,
  and the other modifying the page table entry, it is possible that
  after the second thread modifies the page table entry, qemu overwrites
  the value with the old page table entry value, with the access/dirty
  flags set.

  Here's a unit test that reproduces this behavior:

  https://github.com/mvanotti/kvm-unit-
  tests/commit/09f9722807271226a714b04f25174776454b19cd

  You can run it with:

  ```
  /usr/bin/qemu-system-x86_64 --no-reboot -nodefaults \
  -device pc-testdev -device isa-debug-exit,iobase=0xf4,iosize=0x4 \
  -vnc none -serial stdio -device pci-testdev \
  -smp 4 -machine q35 --accel tcg,thread=multi \
  -kernel x86/mmu-race.flat # -initrd /tmp/tmp.avvPpezMFf
  ```

  Expected output (failure):

  ```
  kvm-unit-tests$ make && /usr/bin/qemu-system-x86_64 --no-reboot -nodefaults 
-device pc-testdev -device isa-debug-exit,iobase=0xf4,iosize=0x4 -vnc none 
-serial stdio -device pci-testdev -smp 4 -machine q35 --accel tcg,thread=multi  
-kernel x86/mmu-race.flat # -initrd /tmp/tmp.avvPpezMFf
  enabling apic
  enabling apic
  enabling apic
  enabling apic
  paging enabled
  cr0 = 80010011
  cr3 = 627000
  cr4 = 20
  found 4 cpus
  PASS: Need more than 1 CPU
  Detected overwritten PTE:
  want: 0x0062e007
  got:  0x0062d027
  FAIL: PTE not overwritten
  PASS: All Reads were zero
  SUMMARY: 3 tests, 1 unexpected failures
  ```

  This bug allows user-to-root privilege escalation inside the guest
  VM: if the user is able to overwrite an entry that belongs to a second-
  to-last level page table, and is able to allocate the referenced page,
  then the user would be in control of a last-level page table, being
  able to map any memory they want. This is not uncommon in situations
  where memory is being decommitted.




Re: [PULL v2 00/20] target-arm queue

2021-01-12 Thread Peter Maydell
On Tue, 12 Jan 2021 at 21:23, Peter Maydell  wrote:
>
> v2: drop the 'merge the manuals' patch: it breaks the gitlab job which tries
> to publish the docs on gitlab, and I also realised I forgot to update the
> Windows installer scripts.
>
> -- PMM
>
> The following changes since commit b3f846c59d8405bb87c551187721fc92ff2f1b92:
>
>   Merge remote-tracking branch 
> 'remotes/huth-gitlab/tags/pull-request-2021-01-11v2' into staging (2021-01-11 
> 15:15:35 +)
>
> are available in the Git repository at:
>
>   https://git.linaro.org/people/pmaydell/qemu-arm.git 
> tags/pull-target-arm-20210112-1
>
> for you to fetch changes up to 1ff5a063d60c7737de11465516331b8ca8700865:
>
>   ui/cocoa: Fix openFile: deprecation on Big Sur (2021-01-12 21:19:02 +)
>
> 
> target-arm queue:
>  * arm: Support emulation of ARMv8.4-TTST extension
>  * arm: Update cpu.h ID register field definitions
>  * arm: Fix breakage of XScale instruction emulation
>  * hw/net/lan9118: Fix RX Status FIFO PEEK value
>  * npcm7xx: Add ADC and PWM emulation
>  * ui/cocoa: Make "open docs" help menu entry work again when binary
>is run from the build tree
>  * ui/cocoa: Fix openFile: deprecation on Big Sur
>  * docs: Add qemu-storage-daemon(1) manpage to meson.build


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/6.0
for any user-visible changes.

-- PMM



[Bug 1911351] [NEW] x86-64 MTTCG Does not update page table entries atomically

2021-01-12 Thread Marco
Public bug reported:

It seems like the qemu tcg code for x86-64 doesn't write the access and
dirty flags of the page table entries atomically. Instead, they first
read the entry, see if they need to set the page table entry, and then
overwrite the entry. So if you have two threads running at the same
time, one accessing the virtual address over and over again, and the
other modifying the page table entry, it is possible that after the
second thread modifies the page table entry, qemu overwrites the value
with the old page table entry value, with the access/dirty flags set.

Here's a unit test that reproduces this behavior:

https://github.com/mvanotti/kvm-unit-
tests/commit/09f9722807271226a714b04f25174776454b19cd

You can run it with:

```
/usr/bin/qemu-system-x86_64 --no-reboot -nodefaults \
-device pc-testdev -device isa-debug-exit,iobase=0xf4,iosize=0x4 \
-vnc none -serial stdio -device pci-testdev \
-smp 4 -machine q35 --accel tcg,thread=multi \
-kernel x86/mmu-race.flat # -initrd /tmp/tmp.avvPpezMFf
```

Expected output (failure):

```
kvm-unit-tests$ make && /usr/bin/qemu-system-x86_64 --no-reboot -nodefaults 
-device pc-testdev -device isa-debug-exit,iobase=0xf4,iosize=0x4 -vnc none 
-serial stdio -device pci-testdev -smp 4 -machine q35 --accel tcg,thread=multi  
-kernel x86/mmu-race.flat # -initrd /tmp/tmp.avvPpezMFf
enabling apic
enabling apic
enabling apic
enabling apic
paging enabled
cr0 = 80010011
cr3 = 627000
cr4 = 20
found 4 cpus
PASS: Need more than 1 CPU
Detected overwritten PTE:
want: 0x0062e007
got:  0x0062d027
FAIL: PTE not overwritten
PASS: All Reads were zero
SUMMARY: 3 tests, 1 unexpected failures
```

This bug allows user-to-root privilege escalation inside the guest
VM: if the user is able to overwrite an entry that belongs to a second-to-
last level page table, and is able to allocate the referenced page, then
the user would be in control of a last-level page table, being able to
map any memory they want. This is not uncommon in situations where
memory is being decommitted.

** Affects: qemu
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1911351

Title:
  x86-64 MTTCG Does not update page table entries atomically

Status in QEMU:
  New

Bug description:
  It seems like the qemu tcg code for x86-64 doesn't write the access
  and dirty flags of the page table entries atomically. Instead, they
  first read the entry, see if they need to set the page table entry,
  and then overwrite the entry. So if you have two threads running at
  the same time, one accessing the virtual address over and over again,
  and the other modifying the page table entry, it is possible that
  after the second thread modifies the page table entry, qemu overwrites
  the value with the old page table entry value, with the access/dirty
  flags set.

  Here's a unit test that reproduces this behavior:

  https://github.com/mvanotti/kvm-unit-
  tests/commit/09f9722807271226a714b04f25174776454b19cd

  You can run it with:

  ```
  /usr/bin/qemu-system-x86_64 --no-reboot -nodefaults \
  -device pc-testdev -device isa-debug-exit,iobase=0xf4,iosize=0x4 \
  -vnc none -serial stdio -device pci-testdev \
  -smp 4 -machine q35 --accel tcg,thread=multi \
  -kernel x86/mmu-race.flat # -initrd /tmp/tmp.avvPpezMFf
  ```

  Expected output (failure):

  ```
  kvm-unit-tests$ make && /usr/bin/qemu-system-x86_64 --no-reboot -nodefaults 
-device pc-testdev -device isa-debug-exit,iobase=0xf4,iosize=0x4 -vnc none 
-serial stdio -device pci-testdev -smp 4 -machine q35 --accel tcg,thread=multi  
-kernel x86/mmu-race.flat # -initrd /tmp/tmp.avvPpezMFf
  enabling apic
  enabling apic
  enabling apic
  enabling apic
  paging enabled
  cr0 = 80010011
  cr3 = 627000
  cr4 = 20
  found 4 cpus
  PASS: Need more than 1 CPU
  Detected overwritten PTE:
  want: 0x0062e007
  got:  0x0062d027
  FAIL: PTE not overwritten
  PASS: All Reads were zero
  SUMMARY: 3 tests, 1 unexpected failures
  ```

  This bug allows user-to-root privilege escalation inside the guest
  VM: if the user is able to overwrite an entry that belongs to a second-
  to-last level page table, and is able to allocate the referenced page,
  then the user would be in control of a last-level page table, being
  able to map any memory they want. This is not uncommon in situations
  where memory is being decommitted.




Re: [PATCH] decodetree: Allow 'dot' in opcode names

2021-01-12 Thread Philippe Mathieu-Daudé
On 1/12/21 11:28 PM, Eduardo Habkost wrote:
> On Tue, Jan 12, 2021 at 11:15:38PM +0100, Philippe Mathieu-Daudé wrote:
>> On 1/12/21 9:44 PM, Richard Henderson wrote:
>>> On 1/12/21 8:41 AM, Philippe Mathieu-Daudé wrote:
 Some ISA use a dot in their opcodes. Allow the decodetree
 script to process them. The dot is replaced by an underscore
 in the generated code.
>>>
>>> Given that you then have to remember to use '_' on the C side, what 
>>> advantage
>>> does this give?
>>
>> The direct advantage is you can copy/paste the opcode in a PDF viewer
>> without having to edit it :)
>>
>> See i.e. some Loongson opcodes [*]:
>>
>> MULT.G  011100 . . . 0 01   @rs_rt_rd
>> DMULT.G 011100 . . . 0 010001   @rs_rt_rd
>> MULTU.G 011100 . . . 0 010010   @rs_rt_rd
>> DMULTU.G011100 . . . 0 010011   @rs_rt_rd
>>
>> DIV.G   011100 . . . 0 010100   @rs_rt_rd
>> DDIV.G  011100 . . . 0 010101   @rs_rt_rd
>> DIVU.G  011100 . . . 0 010110   @rs_rt_rd
>> DDIVU.G 011100 . . . 0 010111   @rs_rt_rd
>>
>> MOD.G   011100 . . . 0 011100   @rs_rt_rd
>> DMOD.G  011100 . . . 0 011101   @rs_rt_rd
>> MODU.G  011100 . . . 0 00   @rs_rt_rd
>> DMODU.G 011100 . . . 0 01   @rs_rt_rd
>>
>> The other - remote - advantage I see is when using a disassembler
>> based on decodetree (as AVR does), the opcode displayed also matches
>> the specs. We are not yet there with MIPS, but I have something in
>> progress...
> 
> Interesting.  So, the decodetree format is not used exclusively
> inside the QEMU source tree, but also by other projects?  Is
> there a specification somewhere else?

"as AVR does in QEMU", see commit 9d8caa67a24
("target/avr: Add support for disassembling via option '-d in_asm'").

What seduces me with decodetree is we don't need to match QEMU
instruction class with each CPU capabilities. IOW we can use the
same decoder for TCG and disassembly, and the disassembly matches
the instruction set of the CPU (with all the specific instructions).

Currently some specific opcodes are displayed as generic ones (or
as unknown via hexadecimal value). Unfortunately not something we
can show with QEMU AVR target because the ISA is very simple.

Regards,

Phil.



Re: [PATCH v6 3/7] qemu: add support for iOS host

2021-01-12 Thread Joelle van Dyne
On Tue, Jan 12, 2021 at 7:03 AM Peter Maydell  wrote:
>
> On Tue, 5 Jan 2021 at 02:25, Joelle van Dyne  wrote:
> >
> > This introduces support for building for iOS hosts. When the correct Xcode
> > toolchain is used, iOS host will be detected automatically.
> >
> > * block: disable features not supported by iOS sandbox
> > * slirp: disable SMB features for iOS
> > * osdep: disable system() calls for iOS
> >
> > Signed-off-by: Joelle van Dyne 
> > ---
> >  docs/devel/index.rst|  1 +
> >  docs/devel/ios.rst  | 28 +++
> >  configure   | 43 -
> >  meson.build |  2 +-
> >  include/qemu/osdep.h| 11 +++
> >  block.c |  2 +-
> >  block/file-posix.c  | 31 +
> >  net/slirp.c | 16 +++
> >  qga/commands-posix.c|  6 ++
> >  MAINTAINERS |  7 +++
> >  tests/qtest/meson.build |  7 +++
> >  11 files changed, 127 insertions(+), 27 deletions(-)
> >  create mode 100644 docs/devel/ios.rst
> >
> > diff --git a/docs/devel/index.rst b/docs/devel/index.rst
> > index f10ed77e4c..2cc8a13ebe 100644
> > --- a/docs/devel/index.rst
> > +++ b/docs/devel/index.rst
> > @@ -35,3 +35,4 @@ Contents:
> > clocks
> > qom
> > block-coroutine-wrapper
> > +   ios
> > diff --git a/docs/devel/ios.rst b/docs/devel/ios.rst
> > new file mode 100644
> > index 00..b4ab11bec1
> > --- /dev/null
> > +++ b/docs/devel/ios.rst
> > @@ -0,0 +1,28 @@
> > +===
> > +iOS Support
> > +===
> > +
> > +To run qemu on the iOS platform, some modifications were required. Most of 
> > the
>
> QEMU is upper-cased.
>
> > +modifications are conditioned on the ``CONFIG_IOS`` and configuration 
> > variable.
> > +
> > +Build support
> > +-
> > +
> > +For the code to compile, certain changes in the block driver and the slirp
> > +driver had to be made. There is no ``system()`` call, so it has been 
> > replaced
> > +with an assertion error. There should be no code path that call system() 
> > from
>
> "calls"
>
> > +iOS.
> > +
> > +``ucontext`` support is broken on iOS. The implementation from 
> > ``libucontext``
> > +is used instead.
> > +
> > +JIT support
> > +---
> > +
> > +On iOS, allocating RWX pages require special entitlements not usually 
> > granted to
>
> "requires"
>
> > +apps. However, it is possible to use `bulletproof JIT`_ with a development
> > +certificate. This means that we need to allocate one chunk of memory with 
> > RX
> > +permissions and then mirror map the same memory with RW permissions. We 
> > generate
> > +code to the mirror mapping and execute the original mapping.
> > +
> > +.. _bulletproof JIT: 
> > https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf
> > diff --git a/configure b/configure
> > index 744d1990be..c1a08f0171 100755
> > --- a/configure
> > +++ b/configure
> > @@ -560,6 +560,19 @@ EOF
> >compile_object
> >  }
> >
> > +check_ios() {
> > +  cat > $TMPC < > +#ifdef __APPLE__
> > +#import "TargetConditionals.h"
> > +#if !TARGET_OS_IPHONE
> > +#error TARGET_OS_IPHONE not true
> > +#endif
> > +#endif
> > +int main(void) { return 0; }
> > +EOF
> > +  compile_object
> > +}
> > +
> >  check_include() {
> >  cat > $TMPC < >  #include <$1>
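Review bot: `check_ios` succeeds on every non-Apple compiler, because the whole test program sits inside `#ifdef __APPLE__` and an empty body compiles cleanly. The only caller visible in this patch is already guarded by `check_define __APPLE__`, so the result is right today, but the helper's name promises more than it checks. Adding `#else` and `#error not an Apple target` before the final `#endif` would make it fail closed. The test also pulls the header in with `#import`, an Objective-C directive that C compilers accept only as an extension; `#include <TargetConditionals.h>` is the plain-C spelling.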
> > @@ -602,7 +615,11 @@ elif check_define __DragonFly__ ; then
> >  elif check_define __NetBSD__; then
> >targetos='NetBSD'
> >  elif check_define __APPLE__; then
> > -  targetos='Darwin'
> > +  if check_ios ; then
> > +targetos='iOS'
> > +  else
> > +targetos='Darwin'
> > +  fi
> >  else
> ># This is a fatal error, but don't report it yet, because we
> ># might be going to just print the --help text, or it might
>
> So here targetos=iOS and targetos=Darwin are separate things...
>
> > @@ -6974,6 +7012,9 @@ if test "$cross_compile" = "yes"; then
> >  if test "$linux" = "yes" ; then
> >  echo "system = 'linux'" >> $cross
> >  fi
> > +if test "$darwin" = "yes" ; then
> > +echo "system = 'darwin'" >> $cross
> > +fi
>
> ...so why is this needed if we're not "darwin", but "iOS"...
iOS and macOS being treated the same works in 99% of the cases, which
is why this patch is relatively small. For the 1% of the time the two
systems behave differently, I added CONFIG_IOS. It's a bit of a hack,
but the alternative is to include TargetConditionals.h and check for
"TARGET_OS_IPHONE" (which is how it's usually done).

>
> >  case "$ARCH" in
> >  i386|x86_64)
> >  echo "cpu_family = 'x86'" >> $cross
> > diff --git a/meson.build b/meson.build
> > index 9a640d3407..ee333b7a94 100644
> > --- a/meson.build
> > +++ b/meson.build
> > @@ -181,7 +181,7 @@ if targetos == 'windows'
> >include_directories: 
> > include_directories('.'))
> >  elif targetos == 'darwin'
> >coref = dependency('appleframeworks', modules: 'CoreFoundation')
> > -  iokit = 

minimal "zero conf" build dockerfiles for fedora:latest and alpine:latest

2021-01-12 Thread John Snow
I wanted to know what the minimal setup required was to replicate the 
compilation instructions featured on https://www.qemu.org/download/#source


> wget https://download.qemu.org/qemu-5.2.0.tar.xz
> tar xvJf qemu-5.2.0.tar.xz
> cd qemu-5.2.0
> ./configure
> make

For fedora:latest, I found that to be:



# Minimal image that builds QEMU 5.2.0 from the release tarball with the
# default ./configure options.
#
# NOTE(review): `latest` is a floating tag, so the base image (and the package
# versions dnf resolves below) change between builds; pin a release tag or
# digest if the result needs to be reproducible.
FROM fedora:latest

# Smallest package set the build was found to need.
ENV PACKAGES \
  wget \
  xz \
  ninja-build \
  gcc \
  glib2-devel \
  pixman-devel \
  bzip2 \
  diffutils \
  perl

# Extra ./configure flags; empty means a default build.
ENV QEMU_CONFIGURE_OPTS ""

# Install the packages and record the versions actually installed in
# /packages.txt.
RUN dnf install -y $PACKAGES && \
rpm -q $PACKAGES | sort > /packages.txt

# The tarball is fetched over HTTPS and unpacked as-is: nothing here checks a
# checksum or signature, so its integrity rests on TLS and the download host.
# NOTE(review): verify the archive against a pinned SHA-256 or the project's
# detached signature before running tar.
RUN wget https://download.qemu.org/qemu-5.2.0.tar.xz && \
tar xvJf qemu-5.2.0.tar.xz

WORKDIR /qemu-5.2.0
# Configure and build inside the unpacked source tree.
RUN ./configure $QEMU_CONFIGURE_OPTS && \
make -j9



Notes:

- our configure file suggests bzip2 is an optional dependency (It's set 
to 'auto') but meson will error out if it is not present at 
configuration time:


../pc-bios/meson.build:5:2: ERROR: Program 'bzip2' not found

- diffutils is required for the qapi-schema test, which runs at build time.

- early on in the build process, an error "bash: find: command not 
found" can be seen, but it doesn't seem to cause a failure otherwise.


- perl is not declared as a hard pre-requisite during configure time, 
but the build will error out if it is not present:


[254/8314] Generating texture-blit-frag.h with a meson_exe.py custom command
FAILED: ui/shader/texture-blit-frag.h
/usr/bin/python3 /qemu-5.2.0/meson/meson.py --internal exe --capture 
ui/shader/texture-blit-frag.h -- /usr/bin/env perl 
/qemu-5.2.0/scripts/shaderinclude.pl ../ui/shader/texture-blit.frag

/usr/bin/env: ‘perl’: No such file or directory



I wanted to try with alpine for the sake of a dependency audit. It isn't 
quite "zero conf", but I did get it working by disabling linux-user:




# Minimal Alpine (musl) image that builds QEMU 5.2.0 from the release tarball
# with linux-user disabled.
#
# NOTE(review): `latest` is a floating tag, so the base image and the package
# versions apk resolves change between builds; pin a release tag or digest if
# the result needs to be reproducible.
FROM alpine:latest

# Smallest package set the build was found to need on Alpine.
ENV PACKAGES \
wget \
xz \
python3 \
ninja \
gcc \
musl-dev \
pkgconfig \
glib-dev \
pixman-dev \
make \
bash \
perl

# Extra ./configure flags passed to the build below.
ENV QEMU_CONFIGURE_OPTS --disable-linux-user

RUN apk add $PACKAGES

# The tarball is fetched over HTTPS and unpacked as-is: nothing here checks a
# checksum or signature, so its integrity rests on TLS and the download host.
# NOTE(review): verify the archive against a pinned SHA-256 or the project's
# detached signature before running tar.
RUN wget https://download.qemu.org/qemu-5.2.0.tar.xz && \
tar xvJf qemu-5.2.0.tar.xz

WORKDIR /qemu-5.2.0
# Configure and build inside the unpacked source tree.
RUN ./configure $QEMU_CONFIGURE_OPTS && \
make -j9



Notes:

- "ninja" actually installs "samurai", but it appears to work.

- musl seems to work alright, but does throw a ton of warnings. I didn't 
actually run any tests, since they require more dependencies.


- bash has to be installed explicitly. configure/meson do not check for 
it, but the build will fail if it isn't present.


- linux-user binaries can't be compiled because of alpine's usage of musl; 
I didn't look much more closely.




Takeaways:

- You really don't need a lot to build a minimal QEMU. Even the alpine 
package list is pretty small.


- meson seems to be handling "absolutely everything is missing" 
environments pretty well.


- There are a scant handful of dependencies that could be added to 
configure, but you are very likely not to be missing them, so it's low 
priority.



--js




Re: [PATCH] decodetree: Allow 'dot' in opcode names

2021-01-12 Thread Eduardo Habkost
On Tue, Jan 12, 2021 at 11:19:49PM +0100, Philippe Mathieu-Daudé wrote:
> On 1/12/21 10:05 PM, Eduardo Habkost wrote:
[...]
> >> diff --git a/scripts/decodetree.py b/scripts/decodetree.py
> >> index 47aa9caf6d1..b7572589e64 100644
> >> --- a/scripts/decodetree.py
> >> +++ b/scripts/decodetree.py
> >> @@ -49,7 +49,7 @@
> >>  re_arg_ident = '&[a-zA-Z0-9_]*'
> >>  re_fld_ident = '%[a-zA-Z0-9_]*'
> >>  re_fmt_ident = '@[a-zA-Z0-9_]*'
> >> -re_pat_ident = '[a-zA-Z0-9_]*'
> >> +re_pat_ident = '[a-zA-Z0-9_.]*'
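Review bot: Widening `re_pat_ident` to `[a-zA-Z0-9_.]*` lets two distinct pattern names collapse into one generated identifier, because the commit message says the dot is replaced by an underscore: `MULT.G` and `MULT_G` would both become `MULT_G`. This hunk shows no check for that, so unless the script already rejects duplicate translated names, one is worth adding where the replacement happens (outside this hunk). The class also accepts a name made only of dots, which is indistinguishable from the `.` bit tokens used in pattern lines. Requiring a leading letter or underscore, `re_pat_ident = '[a-zA-Z_][a-zA-Z0-9_.]*'`, would rule that out, assuming no existing pattern name starts with a digit.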
> > 
> > If pattern identifiers are going to follow different rules,
> > doesn't this need to be documented at docs/devel/decodetree.rst?
> 
> I checked and luckily for me the opcode pattern identifiers is
> not documented <:)

The format is not documented, but the specification grammar
implies the same rules apply to all identifiers.

-- 
Eduardo




Re: [PATCH] decodetree: Allow 'dot' in opcode names

2021-01-12 Thread Eduardo Habkost
On Tue, Jan 12, 2021 at 11:15:38PM +0100, Philippe Mathieu-Daudé wrote:
> On 1/12/21 9:44 PM, Richard Henderson wrote:
> > On 1/12/21 8:41 AM, Philippe Mathieu-Daudé wrote:
> >> Some ISA use a dot in their opcodes. Allow the decodetree
> >> script to process them. The dot is replaced by an underscore
> >> in the generated code.
> > 
> > Given that you then have to remember to use '_' on the C side, what 
> > advantage
> > does this give?
> 
> The direct advantage is you can copy/paste the opcode in a PDF viewer
> without having to edit it :)
> 
> See i.e. some Loongson opcodes [*]:
> 
> MULT.G  011100 . . . 0 01   @rs_rt_rd
> DMULT.G 011100 . . . 0 010001   @rs_rt_rd
> MULTU.G 011100 . . . 0 010010   @rs_rt_rd
> DMULTU.G011100 . . . 0 010011   @rs_rt_rd
> 
> DIV.G   011100 . . . 0 010100   @rs_rt_rd
> DDIV.G  011100 . . . 0 010101   @rs_rt_rd
> DIVU.G  011100 . . . 0 010110   @rs_rt_rd
> DDIVU.G 011100 . . . 0 010111   @rs_rt_rd
> 
> MOD.G   011100 . . . 0 011100   @rs_rt_rd
> DMOD.G  011100 . . . 0 011101   @rs_rt_rd
> MODU.G  011100 . . . 0 00   @rs_rt_rd
> DMODU.G 011100 . . . 0 01   @rs_rt_rd
> 
> The other - remote - advantage I see is when using a disassembler
> based on decodetree (as AVR does), the opcode displayed also matches
> the specs. We are not yet there with MIPS, but I have something in
> progress...

Interesting.  So, the decodetree format is not used exclusively
inside the QEMU source tree, but also by other projects?  Is
there a specification somewhere else?

> 
> [*] https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg02509.html
> 

-- 
Eduardo




Re: [PATCH v2 03/13] vt82c686: Fix SMBus IO base and configuration registers

2021-01-12 Thread BALATON Zoltan

On Tue, 12 Jan 2021, Jiaxun Yang wrote:

在 2021/1/10 上午4:16, BALATON Zoltan 写道:

The base address of the SMBus io ports and its enabled status is set
by registers in the PCI config space but this was not correctly
emulated. Instead the SMBus registers were mapped on realize to the
base address set by a property to the address expected by fuloong2e
firmware.

Fix the base and config register handling to more closely model
hardware which allows to remove the property and allows the guest to
control this mapping. Do all this in reset instead of realize so it's
correctly updated on reset.


Hi,

Thanks for your patch!



Signed-off-by: BALATON Zoltan 
---
  hw/isa/vt82c686.c   | 49 +
  hw/mips/fuloong2e.c |  4 +---
  2 files changed, 37 insertions(+), 16 deletions(-)

diff --git a/hw/isa/vt82c686.c b/hw/isa/vt82c686.c
index fe8961b057..9c4d153022 100644
--- a/hw/isa/vt82c686.c
+++ b/hw/isa/vt82c686.c
@@ -22,6 +22,7 @@
  #include "hw/i2c/pm_smbus.h"
  #include "qapi/error.h"
  #include "qemu/module.h"
+#include "qemu/range.h"
  #include "qemu/timer.h"
  #include "exec/address-spaces.h"
  #include "trace.h"
@@ -34,7 +35,6 @@ struct VT686PMState {
  ACPIREGS ar;
  APMState apm;
  PMSMBus smb;
-uint32_t smb_io_base;
  };
static void pm_io_space_update(VT686PMState *s)
@@ -50,11 +50,22 @@ static void pm_io_space_update(VT686PMState *s)
  memory_region_transaction_commit();
  }
  +static void smb_io_space_update(VT686PMState *s)
+{
+uint32_t smbase = pci_get_long(s->dev.config + 0x90) & 0xfff0UL;
+
+memory_region_transaction_begin();
+memory_region_set_address(>smb.io, smbase);
+memory_region_set_enabled(>smb.io, s->dev.config[0xd2] & BIT(0));
+memory_region_transaction_commit();
+}
+
  static int vmstate_acpi_post_load(void *opaque, int version_id)
  {
  VT686PMState *s = opaque;
pm_io_space_update(s);
+smb_io_space_update(s);
  return 0;
  }
  @@ -77,8 +88,18 @@ static const VMStateDescription vmstate_acpi = {
static void pm_write_config(PCIDevice *d, uint32_t addr, uint32_t val, 
int len)

  {
+VT686PMState *s = VT82C686B_PM(d);
+
  trace_via_pm_write(addr, val, len);
  pci_default_write_config(d, addr, val, len);
+if (ranges_overlap(addr, len, 0x90, 4)) {
+uint32_t v = pci_get_long(s->dev.config + 0x90);
+pci_set_long(s->dev.config + 0x90, (v & 0xfff0UL) | 1);


What does this "or 1" do?
The datasheet I found only mentioned the default value of BASE is  0001
but didn't say anything about its function :-/


It says that in the summary table but later in data sheet there's also 
detailed description of registers for each part where it says:


Offset 93-90 – SMBus I/O Base ... RW
3-0 Fixed ... always reads 0001b

The above mask and | 1 ensures this. I don't know why lowest bit is always 
1 but that seems to be the case for all such regs. Maybe internally these 
are implemented like PCI BARs where lowest bit means IO space.



+}
+if (range_covers_byte(addr, len, 0xd2)) {
+s->dev.config[0xd2] &= 0xf;
+smb_io_space_update(s);
+}
  }
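Review bot: In `pm_write_config`, a guest write that overlaps the SMBus base at 0x90 rewrites the config dword but never calls `smb_io_space_update(s)`, so the I/O region stays at its old address. It only moves when some later path refreshes it, such as the 0xd2 branch below or `vmstate_acpi_post_load`. If the hardware relocates the ports as soon as the base is written (the datasheet text quoted in this thread does not say), the 0x90 block should end with `smb_io_space_update(s);` right after the `pci_set_long(...)` line. If the deferred update is intentional, a short comment in that block saying the new base takes effect on the next 0xd2 write would save the next reader the same question.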
static void pm_update_sci(VT686PMState *s)
@@ -103,6 +124,17 @@ static void pm_tmr_timer(ACPIREGS *ar)
  pm_update_sci(s);
  }
  +static void vt82c686b_pm_reset(DeviceState *d)
+{
+VT686PMState *s = VT82C686B_PM(d);
+
+/* SMBus IO base */
+pci_set_long(s->dev.config + 0x90, 1);


Theoretically this kind of magic number should be avoided but
as the rest of the file was written in such style it seems fine for me.


I could add defines for register offsets but did not think that would make 
it much more readable to have random names instead of random numbers. 
Likely you'll have to consult the data sheet to find out their meaning 
anyway.


Regards,
BALATON Zoltan

Re: [PATCH v6 3/7] qemu: add support for iOS host

2021-01-12 Thread Joelle van Dyne
I think this was discussed before but the main issue right now is that
there's no packaging system (like homebrew) for iOS cross building on
Mac. Stefan suggested caching built libraries in an external location
to use with the CI. I think this can be done but would require some
thought to it. I am open to other ideas as well (like pretending to
build for iOS while actually building for macOS).

-j

On Tue, Jan 12, 2021 at 3:56 AM Philippe Mathieu-Daudé
 wrote:
>
> Hi Joelle,
>
> On 1/5/21 3:20 AM, Joelle van Dyne wrote:
> > This introduces support for building for iOS hosts. When the correct Xcode
> > toolchain is used, iOS host will be detected automatically.
> >
> > * block: disable features not supported by iOS sandbox
> > * slirp: disable SMB features for iOS
> > * osdep: disable system() calls for iOS
> >
> > Signed-off-by: Joelle van Dyne 
> > ---
> >  docs/devel/index.rst|  1 +
> >  docs/devel/ios.rst  | 28 +++
> >  configure   | 43 -
> >  meson.build |  2 +-
> >  include/qemu/osdep.h| 11 +++
> >  block.c |  2 +-
> >  block/file-posix.c  | 31 +
> >  net/slirp.c | 16 +++
> >  qga/commands-posix.c|  6 ++
> >  MAINTAINERS |  7 +++
> >  tests/qtest/meson.build |  7 +++
> >  11 files changed, 127 insertions(+), 27 deletions(-)
> >  create mode 100644 docs/devel/ios.rst
>
> >
> > diff --git a/docs/devel/index.rst b/docs/devel/index.rst
> > index f10ed77e4c..2cc8a13ebe 100644
> > --- a/docs/devel/index.rst
> > +++ b/docs/devel/index.rst
> > @@ -35,3 +35,4 @@ Contents:
> > clocks
> > qom
> > block-coroutine-wrapper
> > +   ios
> > diff --git a/docs/devel/ios.rst b/docs/devel/ios.rst
> > new file mode 100644
> > index 00..b4ab11bec1
> > --- /dev/null
> > +++ b/docs/devel/ios.rst
> > @@ -0,0 +1,28 @@
> > +===
> > +iOS Support
> > +===
> > +
> > +To run qemu on the iOS platform, some modifications were required. Most of 
> > the
> > +modifications are conditioned on the ``CONFIG_IOS`` and configuration 
> > variable.
> > +
> > +Build support
> > +-
> > +
> > +For the code to compile, certain changes in the block driver and the slirp
> > +driver had to be made. There is no ``system()`` call, so it has been 
> > replaced
> > +with an assertion error. There should be no code path that call system() 
> > from
> > +iOS.
> > +
> > +``ucontext`` support is broken on iOS. The implementation from 
> > ``libucontext``
> > +is used instead.
>
> Do you have a CI testing plan for these builds?
>
> Is it possible to add a Gitlab-CI job? If not, on Cirrus-CI?
>
> Thanks,
>
> Phil.
>
>



Re: [PATCH] decodetree: Allow 'dot' in opcode names

2021-01-12 Thread Philippe Mathieu-Daudé
On 1/12/21 10:05 PM, Eduardo Habkost wrote:
> On Tue, Jan 12, 2021 at 07:41:56PM +0100, Philippe Mathieu-Daudé wrote:
>> Some ISA use a dot in their opcodes. Allow the decodetree
>> script to process them. The dot is replaced by an underscore
>> in the generated code.
> 
> Will something break if we just use underscores instead of dots
> in the input file?

No, but then the opcode doesn't really match the spec.

> 
>>
>> Signed-off-by: Philippe Mathieu-Daudé 
>> ---
>>  scripts/decodetree.py | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/scripts/decodetree.py b/scripts/decodetree.py
>> index 47aa9caf6d1..b7572589e64 100644
>> --- a/scripts/decodetree.py
>> +++ b/scripts/decodetree.py
>> @@ -49,7 +49,7 @@
>>  re_arg_ident = '&[a-zA-Z0-9_]*'
>>  re_fld_ident = '%[a-zA-Z0-9_]*'
>>  re_fmt_ident = '@[a-zA-Z0-9_]*'
>> -re_pat_ident = '[a-zA-Z0-9_]*'
>> +re_pat_ident = '[a-zA-Z0-9_.]*'
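Review bot: The widened `re_pat_ident` accepts a dot in any position, including the first, so a token made only of dots now passes the `re.fullmatch(re_pat_ident, name)` test in the second hunk instead of reaching whatever follows that `elif` chain. A pattern line that accidentally starts with a run of `.` bit placeholders (for example after a lost line continuation) would then be taken as a pattern name and turned into `_` characters by `name.replace('.', '_')`, rather than being reported as malformed input. Requiring a non-dot first character keeps the new spelling while preserving that check: `re_pat_ident = '[a-zA-Z0-9_][a-zA-Z0-9_.]*'`. parse_file() starts and ends outside the second hunk, so the fall-through branch is not visible here and should be confirmed.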
> 
> If pattern identifiers are going to follow different rules,
> doesn't this need to be documented at docs/devel/decodetree.rst?

I checked and, luckily for me, the opcode pattern identifiers are
not documented <:)

> 
>>  
>>  def error_with_file(file, lineno, *args):
>>  """Print an error message from file:line and args and exit."""
>> @@ -1082,6 +1082,7 @@ def parse_file(f, parent_pat):
>>  elif re.fullmatch(re_fmt_ident, name):
>>  parse_generic(start_lineno, None, name[1:], toks)
>>  elif re.fullmatch(re_pat_ident, name):
>> +name = name.replace('.', '_')
>>  parse_generic(start_lineno, parent_pat, name, toks)
> 
> Do we want error messages generated by the script to use the
> modified identifier with underscores, or the original identifier
> with dots?  (This patch does the former)

You are right, we want the former in the error message (the input
format).

Thanks,

Phil.



Re: [PATCH] decodetree: Allow 'dot' in opcode names

2021-01-12 Thread Philippe Mathieu-Daudé
On 1/12/21 9:44 PM, Richard Henderson wrote:
> On 1/12/21 8:41 AM, Philippe Mathieu-Daudé wrote:
>> Some ISA use a dot in their opcodes. Allow the decodetree
>> script to process them. The dot is replaced by an underscore
>> in the generated code.
> 
> Given that you then have to remember to use '_' on the C side, what advantage
> does this give?

The direct advantage is you can copy/paste the opcode in a PDF viewer
without having to edit it :)

See i.e. some Loongson opcodes [*]:

MULT.G  011100 . . . 0 01   @rs_rt_rd
DMULT.G 011100 . . . 0 010001   @rs_rt_rd
MULTU.G 011100 . . . 0 010010   @rs_rt_rd
DMULTU.G011100 . . . 0 010011   @rs_rt_rd

DIV.G   011100 . . . 0 010100   @rs_rt_rd
DDIV.G  011100 . . . 0 010101   @rs_rt_rd
DIVU.G  011100 . . . 0 010110   @rs_rt_rd
DDIVU.G 011100 . . . 0 010111   @rs_rt_rd

MOD.G   011100 . . . 0 011100   @rs_rt_rd
DMOD.G  011100 . . . 0 011101   @rs_rt_rd
MODU.G  011100 . . . 0 00   @rs_rt_rd
DMODU.G 011100 . . . 0 01   @rs_rt_rd

The other - remote - advantage I see is when using a disassembler
based on decodetree (as AVR does), the opcode displayed also matches
the specs. We are not yet there with MIPS, but I have something in
progress...

[*] https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg02509.html



Re: [PATCH v6 0/7] iOS and Apple Silicon host support

2021-01-12 Thread Joelle van Dyne
After decoupling the MAP_JIT and APRR patches, this should only be for
iOS support. I didn't change the title because I didn't know if
patchew would be smart enough to group it with the older patches.

-j

On Tue, Jan 12, 2021 at 3:01 AM Peter Maydell  wrote:
>
> On Tue, 5 Jan 2021 at 02:23, Joelle van Dyne  wrote:
> >
> > Based-on: 20201214140314.18544-1-richard.hender...@linaro.org
> > ([PATCH v4 00/43] Mirror map JIT memory for TCG)
> >
> > This set of changes brings QEMU TCG to iOS devices and future Apple Silicon
> > devices. They were originally developed last year and have been working in 
> > the
> > UTM app. Recently, we ported the changes to master, re-wrote a lot of the 
> > build
> > script changes for meson, and broke up the patches into more distinct units.
> >
> > A summary of the changes:
> >
> > * `CONFIG_IOS` defined when building for iOS and iOS specific changes (as 
> > well
> >   as unsupported code) are gated behind it.
> > * A new dependency, libucontext is added since iOS does not have native 
> > ucontext
> >   and broken support for sigaltstack. libucontext is available as a new 
> > option
> >   for coroutine backend.
> >
> > Since v6:
> >
> > * Dropped the Apple Silicon JIT support patch (superseded by another 
> > patchset)
> > * Changed libucontext to be a Meson subproject
> > * Cache availablity check for preadv/pwritev on macOS 11 and iOS 14
>
> So is this series now purely iOS support, or are there still
> some pieces of it that are needed for Mac systems with Apple silicon ?
>
> thanks
> -- PMM



[PATCH 5/6] target/mips: Convert Loongson [D]MOD[U].G opcodes to decodetree

2021-01-12 Thread Philippe Mathieu-Daudé
Convert the following opcodes to decodetree:

- MOD.G - mod 32-bit signed integers
- MODU.G - mod 32-bit unsigned integers
- DMOD.G - mod 64-bit signed integers
- DMODU.G - mod 64-bit unsigned integers

Signed-off-by: Philippe Mathieu-Daudé 
---
 target/mips/godson2.decode|   5 ++
 target/mips/loong-ext.decode  |   5 ++
 target/mips/loong_translate.c | 116 ++
 target/mips/translate.c   |  86 -
 4 files changed, 126 insertions(+), 86 deletions(-)

diff --git a/target/mips/godson2.decode b/target/mips/godson2.decode
index 0d5a72064d2..805452fa975 100644
--- a/target/mips/godson2.decode
+++ b/target/mips/godson2.decode
@@ -17,3 +17,8 @@ DIV.G   01 . . . 0 011010   
@rs_rt_rd
 DIVU.G  01 . . . 0 011011   @rs_rt_rd
 DDIV.G  01 . . . 0 00   @rs_rt_rd
 DDIVU.G 01 . . . 0 01   @rs_rt_rd
+
+MOD.G   01 . . . 0 100010   @rs_rt_rd
+MODU.G  01 . . . 0 100011   @rs_rt_rd
+DMOD.G  01 . . . 0 100110   @rs_rt_rd
+DMODU.G 01 . . . 0 100111   @rs_rt_rd
diff --git a/target/mips/loong-ext.decode b/target/mips/loong-ext.decode
index 2e98262b81d..b0715894ee1 100644
--- a/target/mips/loong-ext.decode
+++ b/target/mips/loong-ext.decode
@@ -18,3 +18,8 @@ DIV.G   011100 . . . 0 010100   
@rs_rt_rd
 DDIV.G  011100 . . . 0 010101   @rs_rt_rd
 DIVU.G  011100 . . . 0 010110   @rs_rt_rd
 DDIVU.G 011100 . . . 0 010111   @rs_rt_rd
+
+MOD.G   011100 . . . 0 011100   @rs_rt_rd
+DMOD.G  011100 . . . 0 011101   @rs_rt_rd
+MODU.G  011100 . . . 0 00   @rs_rt_rd
+DMODU.G 011100 . . . 0 01   @rs_rt_rd
diff --git a/target/mips/loong_translate.c b/target/mips/loong_translate.c
index 7b3304ec749..50609ce4178 100644
--- a/target/mips/loong_translate.c
+++ b/target/mips/loong_translate.c
@@ -147,6 +147,122 @@ static bool trans_DDIVU_G(DisasContext *s, arg_muldiv *a)
 return gen_lext_DIVU_G(s, a->rt, a->rs, a->rd, true);
 }
 
+static bool gen_lext_MOD_G(DisasContext *s, int rd, int rs, int rt,
+   bool is_double)
+{
+TCGv t0, t1;
+TCGLabel *l1, *l2, *l3;
+
+if (is_double) {
+if (TARGET_LONG_BITS != 64) {
+return false;
+}
+check_mips_64(s);
+}
+
+if (rd == 0) {
+/* Treat as NOP. */
+return true;
+}
+
+t0 = tcg_temp_local_new();
+t1 = tcg_temp_local_new();
+l1 = gen_new_label();
+l2 = gen_new_label();
+l3 = gen_new_label();
+
+gen_load_gpr(t0, rs);
+gen_load_gpr(t1, rt);
+
+if (!is_double) {
+tcg_gen_ext32u_tl(t0, t0);
+tcg_gen_ext32u_tl(t1, t1);
+}
+tcg_gen_brcondi_tl(TCG_COND_EQ, t1, 0, l1);
+tcg_gen_brcondi_tl(TCG_COND_NE, t0, is_double ? -1LL << 63 : INT_MIN, l2);
+tcg_gen_brcondi_tl(TCG_COND_NE, t1, -1LL, l2);
+gen_set_label(l1);
+tcg_gen_movi_tl(cpu_gpr[rd], 0);
+tcg_gen_br(l3);
+gen_set_label(l2);
+tcg_gen_rem_tl(cpu_gpr[rd], t0, t1);
+if (!is_double) {
+tcg_gen_ext32s_tl(cpu_gpr[rd], cpu_gpr[rd]);
+}
+gen_set_label(l3);
+
+tcg_temp_free(t0);
+tcg_temp_free(t1);
+
+return true;
+}
+
+static bool trans_MOD_G(DisasContext *s, arg_muldiv *a)
+{
+return gen_lext_MOD_G(s, a->rt, a->rs, a->rd, false);
+}
+
+static bool trans_DMOD_G(DisasContext *s, arg_muldiv *a)
+{
+return gen_lext_MOD_G(s, a->rt, a->rs, a->rd, true);
+}
+
+static bool gen_lext_MODU_G(DisasContext *s, int rd, int rs, int rt,
+bool is_double)
+{
+TCGv t0, t1;
+TCGLabel *l1, *l2;
+
+if (is_double) {
+if (TARGET_LONG_BITS != 64) {
+return false;
+}
+check_mips_64(s);
+}
+
+if (rd == 0) {
+/* Treat as NOP. */
+return true;
+}
+
+t0 = tcg_temp_local_new();
+t1 = tcg_temp_local_new();
+l1 = gen_new_label();
+l2 = gen_new_label();
+
+gen_load_gpr(t0, rs);
+gen_load_gpr(t1, rt);
+
+if (!is_double) {
+tcg_gen_ext32u_tl(t0, t0);
+tcg_gen_ext32u_tl(t1, t1);
+}
+tcg_gen_brcondi_tl(TCG_COND_NE, t1, 0, l1);
+tcg_gen_movi_tl(cpu_gpr[rd], 0);
+tcg_gen_br(l2);
+gen_set_label(l1);
+tcg_gen_remu_tl(cpu_gpr[rd], t0, t1);
+if (!is_double) {
+tcg_gen_ext32s_tl(cpu_gpr[rd], cpu_gpr[rd]);
+}
+gen_set_label(l2);
+
+tcg_temp_free(t0);
+tcg_temp_free(t1);
+
+return true;
+}
+
+static bool trans_MODU_G(DisasContext *s, arg_muldiv *a)
+{
+return gen_lext_MODU_G(s, a->rt, a->rs, a->rd, false);
+}
+
+static bool trans_DMODU_G(DisasContext *s, arg_muldiv *a)
+{
+return gen_lext_MODU_G(s, a->rt, 

Re: [PATCH 3/6] target/mips: Convert Loongson DIV.G opcodes to decodetree

2021-01-12 Thread Philippe Mathieu-Daudé
On Tue, Jan 12, 2021 at 10:55 PM Philippe Mathieu-Daudé  wrote:
>
> DIV.G and DDIV.G are very similar. Provide gen_lext_DIV_G() a
> 'is_double' argument so it can generate DIV.G (divide 32-bit
> signed integers).
>
> With this commit we explicit the template used to generate
> opcode for 32/64-bit word variants. Next commits will be less
> verbose by providing both variants at once.
>
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  target/mips/godson2.decode|  1 +
>  target/mips/loong-ext.decode  |  1 +
>  target/mips/loong_translate.c | 28 ++--
>  target/mips/translate.c   | 26 --
>  4 files changed, 24 insertions(+), 32 deletions(-)
...
> @@ -51,18 +54,26 @@ static bool gen_lext_DIV_G(DisasContext *s, int rd, int 
> rs, int rt)
>  gen_load_gpr(t0, rs);
>  gen_load_gpr(t1, rt);
>
> +if (!is_double) {
> +tcg_gen_ext32s_tl(t0, t0);
> +tcg_gen_ext32s_tl(t0, t0);

Oops copy/paste problem...

> +tcg_gen_ext32s_tl(t1, t1);
> +}
>  tcg_gen_brcondi_tl(TCG_COND_NE, t1, 0, l1);
>  tcg_gen_movi_tl(cpu_gpr[rd], 0);
>  tcg_gen_br(l3);
>  gen_set_label(l1);
...



[PATCH 3/6] target/mips: Convert Loongson DIV.G opcodes to decodetree

2021-01-12 Thread Philippe Mathieu-Daudé
DIV.G and DDIV.G are very similar. Provide gen_lext_DIV_G() a
'is_double' argument so it can generate DIV.G (divide 32-bit
signed integers).

With this commit we make explicit the template used to generate
opcodes for the 32/64-bit word variants. The next commits will be less
verbose by providing both variants at once.

Signed-off-by: Philippe Mathieu-Daudé 
---
 target/mips/godson2.decode|  1 +
 target/mips/loong-ext.decode  |  1 +
 target/mips/loong_translate.c | 28 ++--
 target/mips/translate.c   | 26 --
 4 files changed, 24 insertions(+), 32 deletions(-)

diff --git a/target/mips/godson2.decode b/target/mips/godson2.decode
index cbe22285740..b56a93a1999 100644
--- a/target/mips/godson2.decode
+++ b/target/mips/godson2.decode
@@ -13,4 +13,5 @@
 
 @rs_rt_rd   .. rs:5  rt:5  rd:5  . ..   
 
+DIV.G   01 . . . 0 011010   @rs_rt_rd
 DDIV.G  01 . . . 0 00   @rs_rt_rd
diff --git a/target/mips/loong-ext.decode b/target/mips/loong-ext.decode
index 557fe06c14a..331c2226ae3 100644
--- a/target/mips/loong-ext.decode
+++ b/target/mips/loong-ext.decode
@@ -14,4 +14,5 @@
 
 @rs_rt_rd   .. rs:5  rt:5  rd:5  . ..   
 
+DIV.G   011100 . . . 0 010100   @rs_rt_rd
 DDIV.G  011100 . . . 0 010101   @rs_rt_rd
diff --git a/target/mips/loong_translate.c b/target/mips/loong_translate.c
index c452472e7a7..634d4ba8031 100644
--- a/target/mips/loong_translate.c
+++ b/target/mips/loong_translate.c
@@ -27,15 +27,18 @@
  * into general-purpose registers.
  */
 
-static bool gen_lext_DIV_G(DisasContext *s, int rd, int rs, int rt)
+static bool gen_lext_DIV_G(DisasContext *s, int rd, int rs, int rt,
+   bool is_double)
 {
 TCGv t0, t1;
 TCGLabel *l1, *l2, *l3;
 
-if (TARGET_LONG_BITS != 64) {
-return false;
+if (is_double) {
+if (TARGET_LONG_BITS != 64) {
+return false;
+}
+check_mips_64(s);
 }
-check_mips_64(s);
 
 if (rd == 0) {
 /* Treat as NOP. */
@@ -51,18 +54,26 @@ static bool gen_lext_DIV_G(DisasContext *s, int rd, int rs, 
int rt)
 gen_load_gpr(t0, rs);
 gen_load_gpr(t1, rt);
 
+if (!is_double) {
+tcg_gen_ext32s_tl(t0, t0);
+tcg_gen_ext32s_tl(t0, t0);
+tcg_gen_ext32s_tl(t1, t1);
+}
 tcg_gen_brcondi_tl(TCG_COND_NE, t1, 0, l1);
 tcg_gen_movi_tl(cpu_gpr[rd], 0);
 tcg_gen_br(l3);
 gen_set_label(l1);
 
-tcg_gen_brcondi_tl(TCG_COND_NE, t0, -1LL << 63, l2);
+tcg_gen_brcondi_tl(TCG_COND_NE, t0, is_double ? -1LL << 63 : INT_MIN, l2);
 tcg_gen_brcondi_tl(TCG_COND_NE, t1, -1LL, l2);
 tcg_gen_mov_tl(cpu_gpr[rd], t0);
 
 tcg_gen_br(l3);
 gen_set_label(l2);
 tcg_gen_div_tl(cpu_gpr[rd], t0, t1);
+if (!is_double) {
+tcg_gen_ext32s_tl(cpu_gpr[rd], cpu_gpr[rd]);
+}
 gen_set_label(l3);
 
 tcg_temp_free(t0);
@@ -71,9 +82,14 @@ static bool gen_lext_DIV_G(DisasContext *s, int rd, int rs, 
int rt)
 return true;
 }
 
+static bool trans_DIV_G(DisasContext *s, arg_muldiv *a)
+{
+return gen_lext_DIV_G(s, a->rt, a->rs, a->rd, false);
+}
+
 static bool trans_DDIV_G(DisasContext *s, arg_muldiv *a)
 {
-return gen_lext_DIV_G(s, a->rt, a->rs, a->rd);
+return gen_lext_DIV_G(s, a->rt, a->rs, a->rd, true);
 }
 
 bool decode_loongson(DisasContext *ctx, uint32_t insn)
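Review bot: The wrappers in this hunk pass the decoded fields in a different order from the one `gen_lext_DIV_G()` declares. The signature in the first hunk of this file is `(DisasContext *s, int rd, int rs, int rt, bool is_double)`, but `trans_DIV_G()` and `trans_DDIV_G()` call it with `a->rt, a->rs, a->rd`, so the `rd == 0` NOP test and the write to `cpu_gpr[rd]` would act on the `rt` field. If the `@rs_rt_rd` format names the fields as they appear in the encoding, the calls should read `return gen_lext_DIV_G(s, a->rd, a->rs, a->rt, false);` (and `true` for DDIV.G); if the order is deliberate, the parameters should be renamed to match. The same call shape is used by trans_DDIV_G in patch 2/6 and by the DIVU, MOD/MODU and MULT wrappers in patches 4/6 to 6/6; decode_loongson(), whose first line closes this hunk, continues outside it.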
diff --git a/target/mips/translate.c b/target/mips/translate.c
index c427ea98952..7cefff44d74 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -342,7 +342,6 @@ enum {
 OPC_DMULT_G_2F  = 0x11 | OPC_SPECIAL2,
 OPC_MULTU_G_2F  = 0x12 | OPC_SPECIAL2,
 OPC_DMULTU_G_2F = 0x13 | OPC_SPECIAL2,
-OPC_DIV_G_2F= 0x14 | OPC_SPECIAL2,
 OPC_DIVU_G_2F   = 0x16 | OPC_SPECIAL2,
 OPC_DDIVU_G_2F  = 0x17 | OPC_SPECIAL2,
 OPC_MOD_G_2F= 0x1c | OPC_SPECIAL2,
@@ -380,7 +379,6 @@ enum {
 /* Loongson 2E */
 OPC_MULT_G_2E   = 0x18 | OPC_SPECIAL3,
 OPC_MULTU_G_2E  = 0x19 | OPC_SPECIAL3,
-OPC_DIV_G_2E= 0x1A | OPC_SPECIAL3,
 OPC_DIVU_G_2E   = 0x1B | OPC_SPECIAL3,
 OPC_DMULT_G_2E  = 0x1C | OPC_SPECIAL3,
 OPC_DMULTU_G_2E = 0x1D | OPC_SPECIAL3,
@@ -5023,28 +5021,6 @@ static void gen_loongson_integer(DisasContext *ctx, 
uint32_t opc,
 tcg_gen_mul_tl(cpu_gpr[rd], t0, t1);
 tcg_gen_ext32s_tl(cpu_gpr[rd], cpu_gpr[rd]);
 break;
-case OPC_DIV_G_2E:
-case OPC_DIV_G_2F:
-{
-TCGLabel *l1 = gen_new_label();
-TCGLabel *l2 = gen_new_label();
-TCGLabel *l3 = gen_new_label();
-tcg_gen_ext32s_tl(t0, t0);
-tcg_gen_ext32s_tl(t1, t1);
-tcg_gen_brcondi_tl(TCG_COND_NE, t1, 0, l1);
-tcg_gen_movi_tl(cpu_gpr[rd], 0);
-tcg_gen_br(l3);
-gen_set_label(l1);
-tcg_gen_brcondi_tl(TCG_COND_NE, t0, INT_MIN, l2);
- 

[PATCH 4/6] target/mips: Convert Loongson [D]DIVU.G opcodes to decodetree

2021-01-12 Thread Philippe Mathieu-Daudé
Convert DIVU.G (divide 32-bit unsigned integers) and DDIVU.G
(divide 64-bit unsigned integers) opcodes to decodetree.

Signed-off-by: Philippe Mathieu-Daudé 
---
 target/mips/godson2.decode|  2 ++
 target/mips/loong-ext.decode  |  2 ++
 target/mips/loong_translate.c | 55 +++
 target/mips/translate.c   | 37 ---
 4 files changed, 59 insertions(+), 37 deletions(-)

diff --git a/target/mips/godson2.decode b/target/mips/godson2.decode
index b56a93a1999..0d5a72064d2 100644
--- a/target/mips/godson2.decode
+++ b/target/mips/godson2.decode
@@ -14,4 +14,6 @@
 @rs_rt_rd   .. rs:5  rt:5  rd:5  . ..   
 
 DIV.G   01 . . . 0 011010   @rs_rt_rd
+DIVU.G  01 . . . 0 011011   @rs_rt_rd
 DDIV.G  01 . . . 0 00   @rs_rt_rd
+DDIVU.G 01 . . . 0 01   @rs_rt_rd
diff --git a/target/mips/loong-ext.decode b/target/mips/loong-ext.decode
index 331c2226ae3..2e98262b81d 100644
--- a/target/mips/loong-ext.decode
+++ b/target/mips/loong-ext.decode
@@ -16,3 +16,5 @@
 
 DIV.G   011100 . . . 0 010100   @rs_rt_rd
 DDIV.G  011100 . . . 0 010101   @rs_rt_rd
+DIVU.G  011100 . . . 0 010110   @rs_rt_rd
+DDIVU.G 011100 . . . 0 010111   @rs_rt_rd
diff --git a/target/mips/loong_translate.c b/target/mips/loong_translate.c
index 634d4ba8031..7b3304ec749 100644
--- a/target/mips/loong_translate.c
+++ b/target/mips/loong_translate.c
@@ -92,6 +92,61 @@ static bool trans_DDIV_G(DisasContext *s, arg_muldiv *a)
 return gen_lext_DIV_G(s, a->rt, a->rs, a->rd, true);
 }
 
+static bool gen_lext_DIVU_G(DisasContext *s, int rd, int rs, int rt,
+bool is_double)
+{
+TCGv t0, t1;
+TCGLabel *l1, *l2;
+
+if (is_double) {
+if (TARGET_LONG_BITS != 64) {
+return false;
+}
+check_mips_64(s);
+}
+
+if (rd == 0) {
+/* Treat as NOP. */
+return true;
+}
+
+t0 = tcg_temp_local_new();
+t1 = tcg_temp_local_new();
+l1 = gen_new_label();
+l2 = gen_new_label();
+
+gen_load_gpr(t0, rs);
+gen_load_gpr(t1, rt);
+
+if (!is_double) {
+tcg_gen_ext32u_tl(t0, t0);
+tcg_gen_ext32u_tl(t1, t1);
+}
+tcg_gen_brcondi_tl(TCG_COND_NE, t1, 0, l1);
+tcg_gen_movi_tl(cpu_gpr[rd], 0);
+
+tcg_gen_br(l2);
+gen_set_label(l1);
+tcg_gen_divu_tl(cpu_gpr[rd], t0, t1);
+tcg_gen_ext32s_tl(cpu_gpr[rd], cpu_gpr[rd]);
+gen_set_label(l2);
+
+tcg_temp_free(t0);
+tcg_temp_free(t1);
+
+return true;
+}
+
+static bool trans_DIVU_G(DisasContext *s, arg_muldiv *a)
+{
+return gen_lext_DIVU_G(s, a->rt, a->rs, a->rd, false);
+}
+
+static bool trans_DDIVU_G(DisasContext *s, arg_muldiv *a)
+{
+return gen_lext_DIVU_G(s, a->rt, a->rs, a->rd, true);
+}
+
 bool decode_loongson(DisasContext *ctx, uint32_t insn)
 {
 if ((ctx->insn_flags & INSN_LOONGSON2E)
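Review bot: In gen_lext_DIVU_G() the `tcg_gen_ext32s_tl(cpu_gpr[rd], cpu_gpr[rd]);` that follows `tcg_gen_divu_tl()` runs for both widths, so with `is_double` set the 64-bit quotient of DDIVU.G would be sign-extended from bit 31. gen_lext_DIV_G() in patch 3/6 guards the same call with `if (!is_double)`, and the `OPC_DIVU_G_2E` case removed from translate.c here is the 32-bit variant only, so the unconditional call looks carried over from that case. Suggested change: `if (!is_double) { tcg_gen_ext32s_tl(cpu_gpr[rd], cpu_gpr[rd]); }`. A test that runs DDIVU.G with a quotient above 0x7fffffff would catch this.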
diff --git a/target/mips/translate.c b/target/mips/translate.c
index 7cefff44d74..69463e3b42d 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -342,8 +342,6 @@ enum {
 OPC_DMULT_G_2F  = 0x11 | OPC_SPECIAL2,
 OPC_MULTU_G_2F  = 0x12 | OPC_SPECIAL2,
 OPC_DMULTU_G_2F = 0x13 | OPC_SPECIAL2,
-OPC_DIVU_G_2F   = 0x16 | OPC_SPECIAL2,
-OPC_DDIVU_G_2F  = 0x17 | OPC_SPECIAL2,
 OPC_MOD_G_2F= 0x1c | OPC_SPECIAL2,
 OPC_DMOD_G_2F   = 0x1d | OPC_SPECIAL2,
 OPC_MODU_G_2F   = 0x1e | OPC_SPECIAL2,
@@ -379,10 +377,8 @@ enum {
 /* Loongson 2E */
 OPC_MULT_G_2E   = 0x18 | OPC_SPECIAL3,
 OPC_MULTU_G_2E  = 0x19 | OPC_SPECIAL3,
-OPC_DIVU_G_2E   = 0x1B | OPC_SPECIAL3,
 OPC_DMULT_G_2E  = 0x1C | OPC_SPECIAL3,
 OPC_DMULTU_G_2E = 0x1D | OPC_SPECIAL3,
-OPC_DDIVU_G_2E  = 0x1F | OPC_SPECIAL3,
 OPC_MOD_G_2E= 0x22 | OPC_SPECIAL3,
 OPC_MODU_G_2E   = 0x23 | OPC_SPECIAL3,
 OPC_DMOD_G_2E   = 0x26 | OPC_SPECIAL3,
@@ -5021,22 +5017,6 @@ static void gen_loongson_integer(DisasContext *ctx, 
uint32_t opc,
 tcg_gen_mul_tl(cpu_gpr[rd], t0, t1);
 tcg_gen_ext32s_tl(cpu_gpr[rd], cpu_gpr[rd]);
 break;
-case OPC_DIVU_G_2E:
-case OPC_DIVU_G_2F:
-{
-TCGLabel *l1 = gen_new_label();
-TCGLabel *l2 = gen_new_label();
-tcg_gen_ext32u_tl(t0, t0);
-tcg_gen_ext32u_tl(t1, t1);
-tcg_gen_brcondi_tl(TCG_COND_NE, t1, 0, l1);
-tcg_gen_movi_tl(cpu_gpr[rd], 0);
-tcg_gen_br(l2);
-gen_set_label(l1);
-tcg_gen_divu_tl(cpu_gpr[rd], t0, t1);
-tcg_gen_ext32s_tl(cpu_gpr[rd], cpu_gpr[rd]);
-gen_set_label(l2);
-}
-break;
 case OPC_MOD_G_2E:
 case OPC_MOD_G_2F:
 {
@@ -5082,19 +5062,6 @@ static void gen_loongson_integer(DisasContext *ctx, 
uint32_t opc,
 case 

[PATCH 6/6] target/mips: Convert Loongson [D]MULT[U].G opcodes to decodetree

2021-01-12 Thread Philippe Mathieu-Daudé
Convert the following opcodes to decodetree:

- MULT.G - multiply 32-bit signed integers
- MULTU.G - multiply 32-bit unsigned integers
- DMULT.G - multiply 64-bit signed integers
- DMULTU.G - multiply 64-bit unsigned integers

Now that all opcodes from the extension have been converted, we
can completely remove gen_loongson_integer() and its 2 calls in
decode_opc_special2_legacy() and decode_opc_special3_legacy().

Signed-off-by: Philippe Mathieu-Daudé 
---
 target/mips/godson2.decode|  5 ++
 target/mips/loong-ext.decode  |  5 ++
 target/mips/loong_translate.c | 58 ++
 target/mips/translate.c   | 92 +--
 4 files changed, 70 insertions(+), 90 deletions(-)

diff --git a/target/mips/godson2.decode b/target/mips/godson2.decode
index 805452fa975..cf12d9072ec 100644
--- a/target/mips/godson2.decode
+++ b/target/mips/godson2.decode
@@ -13,6 +13,11 @@
 
 @rs_rt_rd   .. rs:5  rt:5  rd:5  . ..   
 
+MULT.G  01 . . . 0 011000   @rs_rt_rd
+MULTU.G 01 . . . 0 011001   @rs_rt_rd
+DMULT.G 01 . . . 0 011100   @rs_rt_rd
+DMULTU.G01 . . . 0 011101   @rs_rt_rd
+
 DIV.G   01 . . . 0 011010   @rs_rt_rd
 DIVU.G  01 . . . 0 011011   @rs_rt_rd
 DDIV.G  01 . . . 0 00   @rs_rt_rd
diff --git a/target/mips/loong-ext.decode b/target/mips/loong-ext.decode
index b0715894ee1..2281afaad95 100644
--- a/target/mips/loong-ext.decode
+++ b/target/mips/loong-ext.decode
@@ -14,6 +14,11 @@
 
 @rs_rt_rd   .. rs:5  rt:5  rd:5  . ..   
 
+MULT.G  011100 . . . 0 01   @rs_rt_rd
+DMULT.G 011100 . . . 0 010001   @rs_rt_rd
+MULTU.G 011100 . . . 0 010010   @rs_rt_rd
+DMULTU.G011100 . . . 0 010011   @rs_rt_rd
+
 DIV.G   011100 . . . 0 010100   @rs_rt_rd
 DDIV.G  011100 . . . 0 010101   @rs_rt_rd
 DIVU.G  011100 . . . 0 010110   @rs_rt_rd
diff --git a/target/mips/loong_translate.c b/target/mips/loong_translate.c
index 50609ce4178..2af94535921 100644
--- a/target/mips/loong_translate.c
+++ b/target/mips/loong_translate.c
@@ -263,6 +263,64 @@ static bool trans_DMODU_G(DisasContext *s, arg_muldiv *a)
 return gen_lext_MODU_G(s, a->rt, a->rs, a->rd, true);
 }
 
+static bool gen_lext_MULT_G(DisasContext *s, int rd, int rs, int rt,
+bool is_double, bool is_unsigned)
+{
+TCGv t0, t1;
+
+if (is_double) {
+if (TARGET_LONG_BITS != 64) {
+return false;
+}
+check_mips_64(s);
+}
+
+if (rd == 0) {
+/* Treat as NOP. */
+return true;
+}
+
+t0 = tcg_temp_new();
+t1 = tcg_temp_new();
+
+gen_load_gpr(t0, rs);
+gen_load_gpr(t1, rt);
+
+if (is_unsigned && !is_double) {
+tcg_gen_ext32u_tl(t0, t0);
+tcg_gen_ext32u_tl(t1, t1);
+}
+tcg_gen_mul_tl(cpu_gpr[rd], t0, t1);
+if (!is_double) {
+tcg_gen_ext32s_tl(cpu_gpr[rd], cpu_gpr[rd]);
+}
+
+tcg_temp_free(t0);
+tcg_temp_free(t1);
+
+return true;
+}
+
+static bool trans_MULT_G(DisasContext *s, arg_muldiv *a)
+{
+return gen_lext_MULT_G(s, a->rt, a->rs, a->rd, false, false);
+}
+
+static bool trans_MULTU_G(DisasContext *s, arg_muldiv *a)
+{
+return gen_lext_MULT_G(s, a->rt, a->rs, a->rd, false, true);
+}
+
+static bool trans_DMULT_G(DisasContext *s, arg_muldiv *a)
+{
+return gen_lext_MULT_G(s, a->rt, a->rs, a->rd, true, false);
+}
+
+static bool trans_DMULTU_G(DisasContext *s, arg_muldiv *a)
+{
+return gen_lext_MULT_G(s, a->rt, a->rs, a->rd, true, true);
+}
+
 bool decode_loongson(DisasContext *ctx, uint32_t insn)
 {
 if ((ctx->insn_flags & INSN_LOONGSON2E)
diff --git a/target/mips/translate.c b/target/mips/translate.c
index 144e51b063a..5b5fe31c534 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -337,11 +337,6 @@ enum {
 OPC_MUL  = 0x02 | OPC_SPECIAL2,
 OPC_MSUB = 0x04 | OPC_SPECIAL2,
 OPC_MSUBU= 0x05 | OPC_SPECIAL2,
-/* Loongson 2F */
-OPC_MULT_G_2F   = 0x10 | OPC_SPECIAL2,
-OPC_DMULT_G_2F  = 0x11 | OPC_SPECIAL2,
-OPC_MULTU_G_2F  = 0x12 | OPC_SPECIAL2,
-OPC_DMULTU_G_2F = 0x13 | OPC_SPECIAL2,
 /* Misc */
 OPC_CLZ  = 0x20 | OPC_SPECIAL2,
 OPC_CLO  = 0x21 | OPC_SPECIAL2,
@@ -370,12 +365,6 @@ enum {
 OPC_RDHWR= 0x3B | OPC_SPECIAL3,
 OPC_GINV = 0x3D | OPC_SPECIAL3,
 
-/* Loongson 2E */
-OPC_MULT_G_2E   = 0x18 | OPC_SPECIAL3,
-OPC_MULTU_G_2E  = 0x19 | OPC_SPECIAL3,
-OPC_DMULT_G_2E  = 0x1C | OPC_SPECIAL3,
-OPC_DMULTU_G_2E = 0x1D | OPC_SPECIAL3,
-
 /* MIPS DSP Load */
 OPC_LX_DSP = 0x0A | OPC_SPECIAL3,
 /* MIPS DSP Arithmetic */
@@ -4962,65 +4951,6 @@ 

[PATCH 2/6] target/mips: Convert Loongson DDIV.G opcodes to decodetree

2021-01-12 Thread Philippe Mathieu-Daudé
Introduce decode_loongson() to decode all Loongson vendor
specific opcodes. Start converting a single opcode: DDIV.G
(divide 64-bit signed integers).

Signed-off-by: Philippe Mathieu-Daudé 
---
 target/mips/translate.h   |  1 +
 target/mips/godson2.decode| 16 +++
 target/mips/loong-ext.decode  | 17 +++
 target/mips/loong_translate.c | 89 +++
 target/mips/translate.c   | 28 ++-
 target/mips/meson.build   |  3 ++
 6 files changed, 131 insertions(+), 23 deletions(-)
 create mode 100644 target/mips/godson2.decode
 create mode 100644 target/mips/loong-ext.decode
 create mode 100644 target/mips/loong_translate.c

diff --git a/target/mips/translate.h b/target/mips/translate.h
index 11730f5b2e6..b67c45012b8 100644
--- a/target/mips/translate.h
+++ b/target/mips/translate.h
@@ -164,5 +164,6 @@ void msa_translate_init(void);
 /* decodetree generated */
 bool decode_isa_rel6(DisasContext *ctx, uint32_t insn);
 bool decode_ase_msa(DisasContext *ctx, uint32_t insn);
+bool decode_loongson(DisasContext *ctx, uint32_t insn);
 
 #endif
diff --git a/target/mips/godson2.decode b/target/mips/godson2.decode
new file mode 100644
index 000..cbe22285740
--- /dev/null
+++ b/target/mips/godson2.decode
@@ -0,0 +1,16 @@
+# Godson2 Integer instructions
+#
+# Copyright (C) 2021  Philippe Mathieu-Daudé
+#
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# Reference:
+#   Godson-2E Software Manual
+#   (Document Number: godson2e-user-manual-V0.6)
+#
+
+ rs rt rd
+
+@rs_rt_rd   .. rs:5  rt:5  rd:5  . ..   
+
+DDIV.G  01 . . . 0 00   @rs_rt_rd
diff --git a/target/mips/loong-ext.decode b/target/mips/loong-ext.decode
new file mode 100644
index 000..557fe06c14a
--- /dev/null
+++ b/target/mips/loong-ext.decode
@@ -0,0 +1,17 @@
+# Loongson Extension instructions
+#
+# Copyright (C) 2021  Philippe Mathieu-Daudé
+#
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# Reference:
+#   STLS2F01 User Manual
+#   Appendix A: new integer instructions
+#   (Document Number: UM0447)
+#
+
+ rs rt rd !extern
+
+@rs_rt_rd   .. rs:5  rt:5  rd:5  . ..   
+
+DDIV.G  011100 . . . 0 010101   @rs_rt_rd
diff --git a/target/mips/loong_translate.c b/target/mips/loong_translate.c
new file mode 100644
index 000..c452472e7a7
--- /dev/null
+++ b/target/mips/loong_translate.c
@@ -0,0 +1,89 @@
+/*
+ * MIPS Loongson translation routines
+ *
+ *  Copyright (c) 2004-2005 Jocelyn Mayer
+ *  Copyright (c) 2006 Marius Groeger (FPU operations)
+ *  Copyright (c) 2006 Thiemo Seufer (MIPS32R2 support)
+ *  Copyright (c) 2011 Richard Henderson 
+ *  Copyright (c) 2021 Philippe Mathieu-Daudé
+ *
+ * This code is licensed under the GNU GPLv2 and later.
+ */
+
+#include "qemu/osdep.h"
+#include "tcg/tcg-op.h"
+#include "exec/helper-gen.h"
+#include "translate.h"
+
+/* Include the auto-generated decoder.  */
+#include "decode-godson2.c.inc"
+#include "decode-loong-ext.c.inc"
+
+/*
+ * Word or double-word Fixed-point instructions.
+ * 
+ *
+ * Fixed-point multiplies and divisions write only one result
+ * into general-purpose registers.
+ */
+
+static bool gen_lext_DIV_G(DisasContext *s, int rd, int rs, int rt)
+{
+TCGv t0, t1;
+TCGLabel *l1, *l2, *l3;
+
+if (TARGET_LONG_BITS != 64) {
+return false;
+}
+check_mips_64(s);
+
+if (rd == 0) {
+/* Treat as NOP. */
+return true;
+}
+
+t0 = tcg_temp_local_new();
+t1 = tcg_temp_local_new();
+l1 = gen_new_label();
+l2 = gen_new_label();
+l3 = gen_new_label();
+
+gen_load_gpr(t0, rs);
+gen_load_gpr(t1, rt);
+
+tcg_gen_brcondi_tl(TCG_COND_NE, t1, 0, l1);
+tcg_gen_movi_tl(cpu_gpr[rd], 0);
+tcg_gen_br(l3);
+gen_set_label(l1);
+
+tcg_gen_brcondi_tl(TCG_COND_NE, t0, -1LL << 63, l2);
+tcg_gen_brcondi_tl(TCG_COND_NE, t1, -1LL, l2);
+tcg_gen_mov_tl(cpu_gpr[rd], t0);
+
+tcg_gen_br(l3);
+gen_set_label(l2);
+tcg_gen_div_tl(cpu_gpr[rd], t0, t1);
+gen_set_label(l3);
+
+tcg_temp_free(t0);
+tcg_temp_free(t1);
+
+return true;
+}
+
+static bool trans_DDIV_G(DisasContext *s, arg_muldiv *a)
+{
+return gen_lext_DIV_G(s, a->rt, a->rs, a->rd);
+}
+
+bool decode_loongson(DisasContext *ctx, uint32_t insn)
+{
+if ((ctx->insn_flags & INSN_LOONGSON2E)
+&& decode_godson2(ctx, ctx->opcode)) {
+return true;
+}
+if ((ctx->insn_flags & ASE_LEXT) && decode_loong_ext(ctx, ctx->opcode)) {
+return true;
+}
+return false;
+}
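Review bot: decode_loongson() takes `insn` but both decoder calls pass `ctx->opcode`, so the parameter is unused and the function silently relies on the caller having stored the same word in the context. Passing the argument through keeps a single source for the instruction word: `decode_godson2(ctx, insn)` and `decode_loong_ext(ctx, insn)`. A short comment above the function would also help, stating that the Godson-2E table is tried before the LEXT one and what the caller is expected to do on a `false` return; the caller is not visible in this hunk.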
diff --git a/target/mips/translate.c b/target/mips/translate.c
index cbd152eff50..c427ea98952 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -343,7 +343,6 @@ enum {
 OPC_MULTU_G_2F  = 0x12 | OPC_SPECIAL2,
 OPC_DMULTU_G_2F = 0x13 | OPC_SPECIAL2,
 OPC_DIV_G_2F= 0x14 | OPC_SPECIAL2,
-

[PATCH 1/6] target/mips: Re-introduce OPC_ADDUH_QB_DSP and OPC_MUL_PH_DSP

2021-01-12 Thread Philippe Mathieu-Daudé
There is no issue with having multiple enum declarations with
the same value. As we are going to remove the OPC_MULT_G_2E
definition in a few commits, restore the OPC_ADDUH_QB_DSP and
OPC_MUL_PH_DSP definitions and use them where they belong.

Signed-off-by: Philippe Mathieu-Daudé 
---
 target/mips/translate.c | 18 +-
 1 file changed, 5 insertions(+), 13 deletions(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index a2b3026132d..cbd152eff50 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -399,16 +399,14 @@ enum {
 OPC_ADDU_OB_DSP= 0x14 | OPC_SPECIAL3,
 OPC_ABSQ_S_PH_DSP  = 0x12 | OPC_SPECIAL3,
 OPC_ABSQ_S_QH_DSP  = 0x16 | OPC_SPECIAL3,
-/* OPC_ADDUH_QB_DSP is same as OPC_MULT_G_2E.  */
-/* OPC_ADDUH_QB_DSP   = 0x18 | OPC_SPECIAL3,  */
+OPC_ADDUH_QB_DSP   = 0x18 | OPC_SPECIAL3,
 OPC_CMPU_EQ_QB_DSP = 0x11 | OPC_SPECIAL3,
 OPC_CMPU_EQ_OB_DSP = 0x15 | OPC_SPECIAL3,
 /* MIPS DSP GPR-Based Shift Sub-class */
 OPC_SHLL_QB_DSP= 0x13 | OPC_SPECIAL3,
 OPC_SHLL_OB_DSP= 0x17 | OPC_SPECIAL3,
 /* MIPS DSP Multiply Sub-class insns */
-/* OPC_MUL_PH_DSP is same as OPC_ADDUH_QB_DSP.  */
-/* OPC_MUL_PH_DSP = 0x18 | OPC_SPECIAL3,  */
+OPC_MUL_PH_DSP = 0x18 | OPC_SPECIAL3,
 OPC_DPA_W_PH_DSP   = 0x30 | OPC_SPECIAL3,
 OPC_DPAQ_W_QH_DSP  = 0x34 | OPC_SPECIAL3,
 /* DSP Bit/Manipulation Sub-class */
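Review bot: `OPC_ADDUH_QB_DSP` and `OPC_MUL_PH_DSP` are now two live enumerators with the same value (`0x18 | OPC_SPECIAL3`), and the comments that said so are removed, so nothing at the definition tells a reader that they alias. I would keep a one-line comment above the second one, for example `/* Same encoding as OPC_ADDUH_QB_DSP; the sub-opcode is told apart via MASK_ADDUH_QB(). */`. Because the values are equal, the two names can never appear as case labels in the same switch (duplicate case value), which is worth stating in that comment too. The enum starts and ends outside this hunk.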
@@ -566,7 +564,6 @@ enum {
 OPC_MULQ_S_PH  = (0x1E << 6) | OPC_ADDU_QB_DSP,
 };
 
-#define OPC_ADDUH_QB_DSP OPC_MULT_G_2E
 #define MASK_ADDUH_QB(op)   (MASK_SPECIAL3(op) | (op & (0x1F << 6)))
 enum {
 /* MIPS DSP Arithmetic Sub-class */
@@ -22681,8 +22678,7 @@ static void gen_mipsdsp_arith(DisasContext *ctx, 
uint32_t op1, uint32_t op2,
 gen_load_gpr(v2_t, v2);
 
 switch (op1) {
-/* OPC_MULT_G_2E is equal OPC_ADDUH_QB_DSP */
-case OPC_MULT_G_2E:
+case OPC_ADDUH_QB_DSP:
 check_dsp_r2(ctx);
 switch (op2) {
 case OPC_ADDUH_QB:
@@ -23376,11 +23372,7 @@ static void gen_mipsdsp_multiply(DisasContext *ctx, 
uint32_t op1, uint32_t op2,
 gen_load_gpr(v2_t, v2);
 
 switch (op1) {
-/*
- * OPC_MULT_G_2E, OPC_ADDUH_QB_DSP, OPC_MUL_PH_DSP have
- * the same mask and op1.
- */
-case OPC_MULT_G_2E:
+case OPC_MUL_PH_DSP:
 check_dsp_r2(ctx);
 switch (op2) {
 case  OPC_MUL_PH:
@@ -27337,7 +27329,7 @@ static void decode_opc_special3_legacy(CPUMIPSState 
*env, DisasContext *ctx)
  * OPC_MULT_G_2E, OPC_ADDUH_QB_DSP, OPC_MUL_PH_DSP have
  * the same mask and op1.
  */
-if ((ctx->insn_flags & ASE_DSP_R2) && (op1 == OPC_MULT_G_2E)) {
+if ((ctx->insn_flags & ASE_DSP_R2) && (op1 == OPC_MUL_PH_DSP)) {
 op2 = MASK_ADDUH_QB(ctx->opcode);
 switch (op2) {
 case OPC_ADDUH_QB:
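Review bot: The condition now tests `op1 == OPC_MUL_PH_DSP`, but the lines right after it mask with `MASK_ADDUH_QB()` and the first case is `OPC_ADDUH_QB`, so the chosen name does not match the code it guards. Both names have the same value, so `op1 == OPC_ADDUH_QB_DSP` would be equivalent and read consistently with the mask. The comment kept above the condition still lists `OPC_MULT_G_2E`, which the commit message says will be removed in a few commits; it could be reworded here to `OPC_ADDUH_QB_DSP and OPC_MUL_PH_DSP have the same mask and op1.` Both the comment and decode_opc_special3_legacy begin outside this hunk.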
-- 
2.26.2



