Commit graph

1982 commits

Author SHA1 Message Date
Lioncash b5e765d562
target-mips: Silence unused function warning 2018-02-25 21:47:22 -05:00
Richard Henderson 1547048a22
tcg: Reorg TCGOp chaining
Instead of using -1 as end of chain, use 0, and link through the 0
entry as a fully circular double-linked list.

Backports commit dcb8e75870e2de199db853697f8839cb603beefe from qemu
2018-02-25 21:44:50 -05:00
Richard Henderson b2e6e351c2
tcg: Compress liveness data to 16 bits
This reduces both memory usage and per-insn cacheline usage
during code generation.

Backports commit a1b3c48d2b23d6eaeb4529d3e1183d2648731bf8 from qemu
2018-02-25 21:27:24 -05:00
Eric Blake 30cbcafc05
osdep: Document differences in rounding macros
Make it obvious which macros are safe in which situations.

Useful since QEMU_ALIGN_UP and ROUND_UP both purport to do
the same thing, but differ on whether the alignment must be
a power of 2.
2018-02-25 21:05:21 -05:00
Leon Alrae bc434da124
target-mips: fix EntryHi.EHINV being cleared on TLB exception
While implementing TLB invalidation feature we forgot to modify
part of code responsible for updating EntryHi during TLB exception.
Consequently EntryHi.EHINV is unexpectedly cleared on the exception.

Backports commit 701074a6fc7470d0ed54e4a4bcd4d491ad8da22e from qemu
2018-02-25 21:02:31 -05:00
Igor Mammedov 943b9fc261
qdev: Fix object reference leak in case device.realize() fails
If device doesn't have parent assined before its realize
is called, device_set_realized() will implicitly set parent
to '/machine/unattached'.

However device_set_realized() may fail after that point at
several other points leaving not realized object dangling
in '/machine/unattached' and as result caller of

obj = object_new()
obj->ref == 1
object_property_set_bool(obj,..., true, "realized",...)
obj->ref == 2
if (fail)
object_unref(obj);
obj->ref == 1

will get object leak instead of expected object destruction.

Fix it by making device_set_realized() to cleanup after itself
in case of failure.

Backports commit 69382d8b3e8600b349c191394d761dcb480502cf from qemu
2018-02-25 21:00:26 -05:00
Igor Mammedov 62c89b9cd4
exec: Reduce CONFIG_USER_ONLY ifdeffenery
Backports commit 1bc7e522d9cf1b58f2de9c8f1737be0bb5129c35 from qemu
2018-02-25 20:57:48 -05:00
Igor Mammedov d30410dc9a
target-i386: Add x86_cpu_unrealizefn()
First remove VCPU from exec loop and only then remove lapic.

Backports commit c884776e9dc947105827bd6c22192863f97267d2 from qemu
2018-02-25 20:54:13 -05:00
Igor Mammedov 298b0e6529
target-i386: Fix apic object leak when CPU is deleted
Backports commit 67e55caa6dcb91c80428cee6fe463f8dd8a755ab from qemu
2018-02-25 20:48:40 -05:00
Igor Mammedov e15fb246ab
target-i386: cpu: Do not ignore error and fix apic parent
object_property_add_child() silently fails with error that it can't
create duplicate propery 'apic' as we already have 'apic' property
registered for 'apic' feature. As result generic device_realize puts
apic into unattached container.

As it's programming error, abort if name collision happens in future
and fix property name for apic_state to 'lapic', this way apic is
a child of cpu instance.

Backports commit 6816b1b3811e839540df22855d975b6d76ae438b from qemu
2018-02-25 20:47:46 -05:00
Paolo Bonzini 403021183d
target-i386: Add support for UMIP and RDPID CPUID bits
These are both stored in CPUID[EAX=7,EBX=0].ECX. KVM is going to
be able to emulate both (albeit with a performance loss in the case
of RDPID, which therefore will be in KVM_GET_EMULATED_CPUID rather
than KVM_GET_SUPPORTED_CPUID).

It's also possible to implement both in TCG, but this is for 2.8.

Backports commit c2f193b538032accb9db504998bf2ea7c0ef65af from qemu
2018-02-25 20:46:40 -05:00
Igor Mammedov 6714284211
target-i386: Add socket/core/thread properties to X86CPU
These properties will be used by as address where to plug
CPU with help -device/device_add commands.

Backports commit d89c2b8b98e097b9cad5104b0f178bde1cfa011b from qemu
2018-02-25 20:45:35 -05:00
Igor Mammedov 2ac9df3633
target-i386: Replace custom apic-id setter/getter with static property
Custom apic-id setter/getter doesn't do any property specific
checks anymore, so clean it up and use more compact static
property DEFINE_PROP_UINT32 instead.

Backports commit 2da00e3176abac34ca7a6aab1f5bbb94a0d03fc5 from qemu
2018-02-25 20:44:18 -05:00
Igor Mammedov 0525a9c9fa
pc: cpu: Consolidate apic-id validity checks in pc_cpu_pre_plug()
Machine code knows about all possible APIC IDs so use that
instead of hack which does O(n^2) complexity duplicate
checks, interating over global CPUs list.
As result duplicate check is done only once with O(log n) complexity.

Backports commit 4ec60c76d5ab513e375f17b043d2b9cb849adf6c from qemu
2018-02-25 20:38:43 -05:00
Dr. David Alan Gilbert 9ee1a82185
target-i386: Set physical address bits based on host
Add the host-phys-bits boolean property, if true, take phys-bits
from the hosts physical bits value, overriding either the default
or the user specified value.

We can also use the value we read from the host to check the users
explicitly set value and warn them if it doesn't match.

Note:
a) We only read the hosts value in KVM mode (because on non-x86
we get an abort if we try)
b) We don't warn about trying to use host-phys-bits in TCG mode,
we just fall back to the TCG default. This allows the machine
type to set the host-phys-bits flag if it wants and then to
work in both TCG and KVM.

Backports commit 11f6fee576680a2d482123535da920f8ceb33eb5 from qemu
2018-02-25 20:36:12 -05:00
Igor Mammedov 95cced34fb
pc: Add x86_topo_ids_from_apicid()
It's reverse of apicid_from_topo_ids() and will be used in follow up
patches to fill in data structures for query-hotpluggable-cpus and
for user friendly error reporting.

Backports commit 9f3aab58539b4cc716e42e772be8116dc2e7d159 from qemu
2018-02-25 20:31:36 -05:00
Igor Mammedov bc8dbd862d
target-i386: Use uint32_t for X86CPU.apic_id
Redo 9886e834 (target-i386: Require APIC ID to be explicitly set before
CPU realize) in another way that doesn't use int64_t to detect
if apic-id property has been set.

Use the fact that 0xFFFFFFFF is the broadcast
value that a CPU can't have and set default
uint32_t apic_id to it instead of using int64_t.

Later uint32_t apic_id will be used to drop custom
property setter/getter in favor of static property.

Backports commit d9c84f196970f78d4b55ab87e03cbcad7c65f86f from qemu
2018-02-25 20:30:31 -05:00
Dr. David Alan Gilbert 54851f7d74
target-i386: Fill high bits of mtrr mask
Fill the bits between 51..number-of-physical-address-bits in the
MTRR_PHYSMASKn variable range mtrr masks so that they're consistent
in the migration stream irrespective of the physical address space
of the source VM in a migration.

Backports commit fcc35e7ccaed771790940524f3b0eef7aebfc9b1 from qemu
2018-02-25 20:29:20 -05:00
Dr. David Alan Gilbert 78254267ff
target-i386: Allow physical address bits to be set
Currently QEMU sets the x86 number of physical address bits to the
magic number 40. This is only correct on some small AMD systems;
Intel systems tend to have 36, 39, 46 bits, and large AMD systems
tend to have 48.

Having the value different from your actual hardware is detectable
by the guest and in principal can cause problems;
The current limit of 40 stops TB VMs being created by those lucky
enough to have that much.

This patch lets you set the physical bits by a cpu property but
defaults to the same 40bits which matches TCGs setup.

I've removed the ancient warning about the 42 bit limit in exec.c;
I can't find that limit in there and no one else seems to know where
it is.

We use a magic value of 0 as the property default so that we can
later distinguish between the default and a user set value.

Backports commit af45907a132857cfd47acc998bf5f7c26cd13071 from qemu
2018-02-25 20:28:38 -05:00
Dr. David Alan Gilbert 7cb359cc19
target-i386: Provide TCG_PHYS_ADDR_BITS
Provide a constant for the number of address bits supported under TCG.

Backports commit 709787ee997f0a0ccab78e0edaf10d48929151ee from qemu
2018-02-25 20:23:25 -05:00
Eric Blake 23ab6d81f9
qapi: Implement boxed types for commands/events
Turn on the ability to pass command and event arguments in
a single boxed parameter, which must name a non-empty type
(although the type can be a struct with all optional members).
For structs, it makes it possible to pass a single qapi type
instead of a breakout of all struct members (useful if the
arguments are already in a struct or if the number of members
is large); for other complex types, it is now possible to use
a union or alternate as the data for a command or event.

The empty type may be technically feasible if needed down the
road, but it's easier to forbid it now and relax things to allow
it later, than it is to allow it now and have to special case
how the generated 'q_empty' type is handled (see commit 7ce106a9
for reasons why nothing is generated for the empty type). An
alternate type is never considered empty, but now that a boxed
type can be either an object or an alternate, we have to provide
a trivial QAPISchemaAlternateType.is_empty(). The new call to
arg_type.is_empty() during QAPISchemaCommand.check() requires
that we first check the type in question; but there is no chance
of introducing a cycle since objects do not refer back to commands.

We still have a split in syntax checking between ad-hoc parsing
up front (merely validates that 'boxed' has a sane value) and
during .check() methods (if 'boxed' is set, then 'data' must name
a non-empty user-defined type).

Generated code is unchanged, as long as no client uses the
new feature.

Backports commit c818408e449ea55371253bd4def1c1dc87b7bb03 from qemu
2018-02-25 20:22:03 -05:00
Eric Blake c65f056fbe
qapi: Plumb in 'boxed' to qapi generator lower levels
The next patch will add support for passing a qapi union type
as the 'data' of a command. But to do that, the user function
for implementing the command, as called by the generated
marshal command, must take the corresponding C struct as a
single boxed pointer, rather than a breakdown into one
parameter per member. Even without a union, being able to use
a C struct rather than a list of parameters can make it much
easier to handle coding with QAPI.

This patch adds the internal plumbing of a 'boxed' flag
associated with each command and event. In several cases,
this means adding indentation, with one new dead branch and
the remaining branch being the original code more deeply
nested; this was done so that the new implementation in the
next patch is easier to review without also being mixed with
indentation changes.

For this patch, no behavior or generated output changes, other
than the testsuite outputting the value of the new flag
(always False for now).

Backports commit 48825ca419fd9c8140d4fecb24e982d68ebca74f from qemu
2018-02-25 20:17:01 -05:00
Eric Blake 6ff318b839
qapi-event: Simplify visit of non-implicit data
Commit 7ce106a9 documented why we don't generated a visit_type_FOO()
for implicit types; and therefore events with an anonymous type for
'data' have to open-code a visit. Note that the open-coded visit in
qapi-event.c is slightly different from what is done in
qapi-visit.c for normal types, in part because we don't have to
check for *obj being NULL or free things on error. But where the
type is not implicit, it is nicer to reuse the normal visit instead
of open-coding a duplicate.

At the moment, the only event with a non-implicit 'data' is in the
testsuite, where test-qapi-event.c changes as follows:

|@@ -155,6 +155,7 @@ void qapi_event_send___org_qemu_x_event(
| __org_qemu_x_Struct param = {
| __org_qemu_x_member1, (char *)__org_qemu_x_member2, has_q_wchar_t, q_wchar_t
| };
|+ __org_qemu_x_Struct *arg = &param;
|
| emit = qmp_event_get_func_emit();
| if (!emit) {
|@@ -164,16 +165,7 @@ void qapi_event_send___org_qemu_x_event(
| qmp = qmp_event_build_dict("__ORG.QEMU_X-EVENT");
|
| v = qmp_output_visitor_new(&obj);
|-
|- visit_start_struct(v, "__ORG.QEMU_X-EVENT", NULL, 0, &err);
|- if (err) {
|- goto out;
|- }
|- visit_type___org_qemu_x_Struct_members(v, &param, &err);
|- if (!err) {
|- if (!err) {
|- visit_check_struct(v, &err);
|- }
|- visit_end_struct(v, NULL);
|+ visit_type___org_qemu_x_Struct(v, "__ORG.QEMU_X-EVENT", &arg, &err);
| if (err) {
| goto out;
| }

Backports commit 4d0b268fdb17a1fed10fe980e77fd388e5427bfd from qemu
2018-02-25 20:12:34 -05:00
Eric Blake b5220a6867
qapi: Drop useless gen_err_check()
Ever since commit 12f254f removed the last parameterization
of gen_err_check(), it no longer makes sense to hide the three
lines of generated C code behind a macro call. Just inline it
into the remaining users.

No change to generated code.

Backports commit fa274ed6fb788866ed3a2cfd54a2ddf78f04f2c0 from qemu
2018-02-25 20:10:45 -05:00
Eric Blake d7014c66df
qapi: Add type.is_empty() helper
In the near future, we want to lift our artificial restriction of
no variants at the top level of an event, at which point the
currently open-coded check for empty members will become
insufficient. Factor it out into a new helper method is_empty()
now, and future-proof it by checking variants, too, along with an
assert that it is not used prior to the completion of .check().
Update places that were checking for (non-)empty .members to use
the new helper.

All of the current callers assert that there are no variants (either
directly, or by qapi.py asserting that base types have no variants),
so this is not a semantic change.

No change to generated code.

Backports commit b6167706829c6e0d3572daa2b6769594ced276f7 from qemu
2018-02-25 20:07:43 -05:00
Eric Blake 4b39eaae33
qapi: Hide tag_name data member of variants
Clean up the only remaining external use of the tag_name field of
QAPISchemaObjectTypeVariants, by explicitly listing the generated
'type' tag for all variants in the testsuite (you can still tell
simple unions by the -wrapper types). Then we can mark the
tag_name field as private by adding a leading underscore to prevent
any further use.

Backports commit da9cb19385fc66b2cb2584bbbbcbf50246d057e2 from qemu
2018-02-25 20:06:15 -05:00
Eric Blake febeea5f4b
qapi: Special case c_name() for empty type
Commit 7ce106a rendered QAPISchemaObjectType.c_name() redundant,
since it now does nothing more than delegate to its superclass.
However, rather than deleting it, we can restore part of the
assertion that was removed in that commit, to prove that we never
emit the empty type directly in generated code, but rather
special-case it as a built-in that makes other aspects of code
generation easier to reason about.

Backports commit cd50a2564560986e865ff64fa73b59d2564076f0 from qemu
2018-02-25 20:05:16 -05:00
Eric Blake 8ccfff95fe
qapi: Require all branches of flat union enum to be covered
We were previously enforcing that all flat union branches were
found in the corresponding enum, but not that all enum values
were covered by branches. The resulting generated code would
abort() if the user passes the uncovered enum value.

We don't automatically treat non-present branches in a flat
union as empty types, for symmetry with simple unions (there,
the enum type is generated from the list of all branches, so
there is no way to omit a branch but still have it be part of
the union).

A later patch will add shorthand so that branches that are empty
in flat unions can be declared as 'branch':{} instead of
'branch':'Empty', to avoid the need for an otherwise useless
explicit empty type. [Such shorthand for simple unions is a bit
harder to justify, since we would still have to generate a
wrapper type that parses 'data':{}, rather than truly being an
empty branch with no additional siblings to the 'type' member.]

Backports commit d0b182392d0281ef780e3effcb82677a004f1f97 from qemu
2018-02-25 20:04:18 -05:00
Paolo Bonzini 674805745b
qapi: change QmpInputVisitor to QSLIST
This saves a lot of memory compared to a statically-sized array,
or at least 24kb could be considered a lot on an Atari ST.
It also makes the code more similar to QmpOutputVisitor.

This removes the limit on the depth of a QObject that can be processed
into a QAPI tree. This is not a problem because QObjects can be
considered trusted; the text received on the QMP wire is untrusted
input, but the JSON parser already takes pains to limit the QObject tree
it creates. We don't need the QMP input visitor to limit it again.

Backports commit 3d344c2aabb7bc9b414321e3c52872901edebdda from qemu
2018-02-25 20:02:09 -05:00
Paolo Bonzini b14f1d7a80
qapi: change QmpOutputVisitor to QSLIST
This saves a little memory compared to the doubly-linked QTAILQ.

Backports commit fc76ae8b38783e82c109834573ba5d6f080440b5 from qemu
2018-02-25 19:59:16 -05:00
Sergey Fedorov e39b9d0391
target-i386: Remove redundant HF_SOFTMMU_MASK
'HF_SOFTMMU_MASK' is only set when 'CONFIG_SOFTMMU' is defined. So
there's no need in this flag: test 'CONFIG_SOFTMMU' instead.

Backports commit da6d48e3348bbc266896cf8adf0c33f1eaf5b31f from qemu
2018-02-25 19:59:15 -05:00
Sergey Sorokin 4a904baaf5
target-arm: Add missed AArch32 TLBI sytem registers
Some PL2 related TLBI system registers are missed in AArch32
implementation. The patch fixes it.

Backports commit 541ef8c2e73fb99d173b125bef7c262fdd2fe33c from qemu
2018-02-25 19:59:15 -05:00
Peter Lieven 799bf1c3a5
exec: avoid realloc in phys_map_node_reserve
this is the first step in reducing the brk heap fragmentation
created by the map->nodes memory allocation. Since the introduction
of RCU the freeing of the PhysPageMaps is delayed so that sometimes
several hundred are allocated at the same time.

Even worse the memory for map->nodes is allocated and shortly
afterwards reallocated. Since the number of nodes it grows
to in the end is the same for all PhysPageMaps remember this value
and at least avoid the reallocation.

The large number of simultaneous allocations (about 450 x 70kB in
my configuration) has to be addressed later.

Backports commit 101420b886eec36990419bc9ed5b503622af8a0d from qemu
2018-02-25 19:32:40 -05:00
Paolo Bonzini a47c68164d
compiler: never omit assertions if using a static analysis tool
Assertions help both Coverity and the clang static analyzer avoid
false positives, but on the other hand both are confused when
the condition is compiled as (void)(x != FOO). Always expand
assertion macros when using Coverity or clang, through a new
QEMU_STATIC_ANALYSIS preprocessor symbol.

This fixes a couple false positives in TCG.

Backports commit 8bff06a0bbf257a2083223534c1607bf87d913e6 from qemu
2018-02-25 19:19:28 -05:00
Vijay 5608b53b6f
target-arm: Use Neon for zero checking
Use Neon instructions to perform zero checking of
buffer. This is helps in reducing total migration time.

Use case: Idle VM live migration with 4 VCPUS and 8GB ram
running CentOS 7.

Without Neon, the Total migration time is 3.5 Sec

Migration status: completed
total time: 3560 milliseconds
downtime: 33 milliseconds
setup: 5 milliseconds
transferred ram: 297907 kbytes
throughput: 685.76 mbps
remaining ram: 0 kbytes
total ram: 8519872 kbytes
duplicate: 2062760 pages
skipped: 0 pages
normal: 69808 pages
normal bytes: 279232 kbytes
dirty sync count: 3

With Neon, the total migration time is 2.9 Sec

Migration status: completed
total time: 2960 milliseconds
downtime: 65 milliseconds
setup: 4 milliseconds
transferred ram: 299869 kbytes
throughput: 830.19 mbps
remaining ram: 0 kbytes
total ram: 8519872 kbytes
duplicate: 2064313 pages
skipped: 0 pages
normal: 70294 pages
normal bytes: 281176 kbytes
dirty sync count: 3

Backports commit 7069532e3b944c25707d4f69998e68a739eabff9 from qemu
2018-02-25 19:17:38 -05:00
Richard Henderson d17dc29d2e
target-sparc: Elide duplicate updates to fprs
Backports commit f9c816c00cf4242542472ae6b2a579b11b7e86f1 from qemu
2018-02-25 19:14:59 -05:00
Richard Henderson 2215ef7e21
target-sparc: Use cpu_loop_exit_restore from helper_check_ieee_exceptions
This avoids needing to save state before every FP operation.

Backports commit 02c79d78853f07d519b3272d06e43041eb4a4105 from qemu
2018-02-25 19:12:36 -05:00
Richard Henderson 524e4af5ca
target-sparc: Use cpu_fsr in stfsr
Backports commit ba2397d1ca6546e8cf5bd9e2939923546ac3091a from qemu
2018-02-25 19:10:27 -05:00
Lioncash 17c54e2702
header_gen: alphabetize general symbols 2018-02-25 19:07:20 -05:00
Lioncash 4b8cae3f61
header_gen: alphabetize ARM symbols 2018-02-25 19:00:31 -05:00
Lioncash fa10382007
header_gen: alphabetize aarch64 symbols 2018-02-25 19:00:01 -05:00
Lioncash 3f8802fcf5
header_gen: alphabetize MIPS symbols 2018-02-25 18:59:49 -05:00
Richard Henderson 12eecc4939
target-sparc: Use explicit writes to cpu_fsr
By arranging for explicit writes to cpu_fsr after floating point
operations, we are able to mark the helpers as not writing to
tcg globals, which means that we don't need to invalidate the
integer register set across said calls.

Backports commit 7385aed20db5d83979f683b9d0048674411e963c from qemu
2018-02-25 18:55:07 -05:00
Richard Henderson 2e24c09db3
target-sparc: Remove helper_ldf_asi, helper_stf_asi
We've now implemented all fp asis inline, except for the no-fault
memory reads. The latter can be passed directly to helper_ld_asi.

Backports commit f2fe396f0fae6b389169f65abf294df9ae6cfee5 from qemu
2018-02-25 18:32:35 -05:00
Richard Henderson a921273a6c
target-sparc: Directly implement block and short ldf/stf asis
Backports commit ca5ce5723fb1ee3445f690004f63c209c15fb813 from qemu
2018-02-25 18:27:52 -05:00
Richard Henderson 333d88c9e6
target-sparc: Directly implement easy ldf/stf asis
Backports commit 7705091ca4a20c8c2d20e2af5d0a1bcb17296657 from qemu
2018-02-25 18:23:45 -05:00
Richard Henderson 9d47cda44c
target-sparc: Pass TCGMemOp constants to helper_ld/st_asi
Reduces the argument count for helper_ld_asi; do helper_st_asi
for consistency.

Backports commit 6850811e7c56403b0d225a1bffd096abf2ff06f9 from qemu
2018-02-25 18:19:42 -05:00
Richard Henderson 950aa89c7a
target-sparc: Fix obvious error in ASI_M_BFILL
Backports commit c095b83f9836cef80f64b32603fea240762a824b from qemu
2018-02-25 18:08:40 -05:00
Richard Henderson eb285aa281
target-sparc: Directly implement easy ldd/std asis
Backports commit e4dc0052a40d3e7b00ca0b008f345e2ed644aa20 from qemu
2018-02-25 18:07:51 -05:00
Richard Henderson 1ed7df7720
target-sparc: Introduce gen_check_align
Backports commit 35e94905ce4b39b358a673995f9bee11f46ec8be from qemu
2018-02-25 17:59:47 -05:00
Richard Henderson cef4ae5ca8
target-sparc: Use QT0 to return results from ldda
Also implement a few more twinx asis.

Backports commit 3f4288ebf6fca7b266fa42a74d9d99b961ba6844 from qemu
2018-02-25 17:56:08 -05:00
Richard Henderson 9e402493a9
target-sparc: Directly implement easy ld/st asis
Backports commit f0913be04be13cfb4f9341ae79e035fc8479fd28 from qemu
2018-02-25 17:49:16 -05:00
Richard Henderson e2d0ee1286
target-sparc: Use defines from asi.h
Backports commit 0cc1f4bf76a20c7fee0bab5c9bba9ad7302198b5 from qemu
2018-02-25 17:44:36 -05:00
Richard Henderson bd3b7a2537
target-sparc: Add UA2005 defines to asi.h
Backports commit 1d854963ea340855efe3f8a5b99c95a75bd717ae from qemu
2018-02-25 17:32:46 -05:00
Richard Henderson b9a65e0e79
target-sparc: Import linux/arch/sparc/include/uapi/asm/asi.h
Copied from tag v4.2, 64291f7db5bd8150a74ad2036f1037e6a0428df2.

Backports commit 68a03b8c8853c66724c6f200af3f821ae0d7e934 from qemu
2018-02-25 17:29:51 -05:00
Richard Henderson c509a5562d
target-sparc: Pass TCGMemOp to gen_ld/st_asi
Backports commit 1d65b0f5bb8f32500bbce09d922d226bb7cf4c68 from qemu
2018-02-25 17:26:34 -05:00
Richard Henderson 4bc53f223c
target-sparc: Introduce get_asi
Replace gen_get_asi, and use it for both 32-bit and 64-bit.
For v8, do supervisor and immediate checks here.

Also, move save_state and TB ending into the respective
subroutines, out of disas_sparc_insn.

Backports commit 7ec1e5ea4bd0700fa48da86bffa2fcc6146c410a from qemu
2018-02-25 17:23:20 -05:00
Richard Henderson 1dcd14d434
target-sparc: Store %asi in TB flags
Knowing the value of %asi at translation time means that we
can handle the common settings without a function call.

The steady state appears to be %asi == ASI_P, so that sparcv9
code can use offset forms of lda/sta. The %asi register gets
pushed and popped on entry to certain functions, but it rarely
takes on values other than ASI_P or ASI_AIUP. Therefore we're
unlikely to be expanding the set of TBs created.

Backports commit a6d567e523ed7e928861f3caa5d49368af3f330d from qemu
2018-02-25 05:17:21 -05:00
Richard Henderson 080281bc9c
target-sparc: Unify asi handling between 32 and 64-bit
We now have a single copy of gen_ld_asi, gen_st_asi,
gen_swap_asi, and everything uses gen_get_asi.

Backports commit 22e700607aeaff5f5e139d0fdc3d861e5502040c from qemu
2018-02-25 05:11:52 -05:00
Richard Henderson 847d65258b
target-sparc: Create gen_exception
This unifies quite a few duplicate code fragments.

Backports commit 4fbe00679000f9fd0c509c2d548d957b08ec6057 from qemu
2018-02-25 04:55:16 -05:00
Richard Henderson 39d1657fc3
target-sparc: Store mmu index in TB flags
Doing this instead of saving the raw PS_PRIV and TL. This means
that all nucleus mode TBs (TL > 0) can be shared. This fixes a
bug in that we didn't include HS_PRIV in the TB flags, and so could
produce incorrect TB matches for hypervisor state.

The LSU and DMMU states were unused by the translator. Including
them in TB flags meant unnecessary mismatches from tb_find_fast.

Backports commit 99a230638a3674e921224dbe628159c867d734b1 from qemu
2018-02-25 04:51:50 -05:00
Richard Henderson 395e00cdc5
target-sparc: Remove softint as a TCG global
The global is only ever read for one insn; we can just as well
use a load from env instead and generate the same code. This
also allows us to indicate the the associated helpers do not
touch TCG globals.

Backports commit e86ceb0d652baa5738e05a59ee0e7989dafbeaa1 from qemu
2018-02-25 04:49:27 -05:00
Richard Henderson dcd1d6f8ce
target-sparc: Mark more flags for helpers
Quite a few helpers do not modify tcg globals but did not so indicate.

Backports commit be72f9fcca742c5e9a949f5eac901ed6cc26a2a0 from qemu
2018-02-25 04:28:54 -05:00
Markus Armbruster c2ffbc575d
Clean up decorations and whitespace around header guards
Cleaned up with scripts/clean-header-guards.pl.

Backports commit 175de52487ce0b0c78daa4cdf41a5a465a168a25 from qemu
2018-02-25 04:26:02 -05:00
Markus Armbruster 1275b9b459
Clean up ill-advised or unusual header guards
Cleaned up with scripts/clean-header-guards.pl.

Backports commit 2a6a4076e117113ebec97b1821071afccfdfbc96 from qemu
2018-02-25 04:22:46 -05:00
Markus Armbruster 9ae2fc4d9e
Clean up header guards that don't match their file name
Header guard symbols should match their file name to make guard
collisions less likely. Offenders found with
scripts/clean-header-guards.pl -vn.

Cleaned up with scripts/clean-header-guards.pl, followed by some
renaming of new guard symbols picked by the script to better ones.

Backports commit 121d07125bb6d7079c7ebafdd3efe8c3a01cc440 from qemu
2018-02-25 04:18:42 -05:00
Markus Armbruster 25ec9ab016
tcg: Clean up tcg-target.h header guards
These use guard symbols like TCG_TARGET_$target.
scripts/clean-header-guards.pl doesn't like them because they don't
match their file name (they should, to make guard collisions less
likely).

Clean them up: use guard symbol $target_TCG_TARGET_H for
tcg/$target/tcg-target.h.

Backports commit 14e54f8ecfe9c5e17348f456781344737ed10b3b from qemu
2018-02-25 04:15:08 -05:00
Markus Armbruster 2b65f98538
target-*: Clean up cpu.h header guards
Most of them use guard symbols like CPU_$target_H, but we also have
__MIPS_CPU_H__ and __TRICORE_CPU_H__. They all upset
scripts/clean-header-guards.pl.

The script dislikes CPU_$target_H because they don't match their file
name (they should, to make guard collisions less likely). The others
are reserved identifiers.

Clean them all up: use guard symbol $target_CPU_H for
target-$target/cpu.h.

Backports commit 07f5a258750b3b9a6e10fd5ec3e29c9a943b650e from qemu
2018-02-25 04:12:46 -05:00
Markus Armbruster 60e8836b74
Use #include "..." for our own headers, <...> for others
Tracked down with an ugly, brittle and probably buggy Perl script.

Also move includes converted to <...> up so they get included before
ours where that's obviously okay.

Backports commit a9c94277f07d19d3eb14f199c3e93491aa3eae0e from qemu
2018-02-25 04:10:33 -05:00
Peter Maydell f6f843b4d4
bswap.h: Document cpu_to_* and *_to_cpu conversion functions
Add a documentation comment describing the functions for
converting between the cpu and little or bigendian formats.

Backports commit 7d820b766a2049f33ca7e078aa51018f2335f8c5 from qemu
2018-02-25 04:06:28 -05:00
Peter Maydell 1d7f813942
bswap.h: Remove unused cpu_to_*w() and *_to_cpup()
Now that all uses of cpu_to_*w() and *_to_cpup() have been replaced
with either ld*_p()/st*_p() or by doing direct dereferences and
using the cpu_to_*()/*_to_cpu() byteswap functions, we can remove
the unused implementations.

Backports commit f76bde702916d0230bf359d478bcac8d7f3b30ae from qemu
2018-02-25 04:04:46 -05:00
Sergey Sorokin d1e4ac0451
Fix confusing argument names in some common functions
There are functions tlb_fill(), cpu_unaligned_access() and
do_unaligned_access() that are called with access type and mmu index
arguments. But these arguments are named 'is_write' and 'is_user' in their
declarations. The patches fix the arguments to avoid a confusion.

Backports commit b35399bb4e9968296a12303b00f9f2066470e987 from qemu
2018-02-25 03:58:27 -05:00
Leon Alrae a465707a47
target-mips: enable 10-bit ASIDs in I6400 CPU
Backports commit cdc46fab07a122dfcc8a1054510a68d936ae3440 from qemu
2018-02-25 03:50:58 -05:00
Paul Burton 002b392a15
target-mips: support CP0.Config4.AE bit
The read-only Config4.AE bit set denotes extended 10 bits ASID.

Backports commit a0c8060841f2d56fb3504292c18522b957972e4c from qemu
2018-02-25 03:49:36 -05:00
Paul Burton ba4dcc8c2f
target-mips: change ASID type to hold more than 8 bits
ASID currently has uint8_t type which is too small since some processors
support more than 8 bits ASID. Therefore change its type to uint16_t.

Backports commit 2d72e7b047d800c9f99262466f65a98684ecca14 from qemu
2018-02-25 03:48:10 -05:00
Paul Burton ac27c881ff
target-mips: add ASID mask field and replace magic values
Backports commit 6ec98bd7b64ad75870c8e9d87a90fcd1a64b4942 from qemu
2018-02-25 03:44:26 -05:00
Leon Alrae 7e589c117b
target-mips: replace MIPS64R6-generic with the real I6400 CPU model
MIPS64R6-generic gradually gets closer to I6400 CPU, feature-wise. Rename
it to make it clear which MIPS processor it is supposed to emulate.

Backports commit 8f95ad1c79b4166350b982a6defe0e21faa04dac from qemu
2018-02-25 03:35:55 -05:00
Leon Alrae c0b3938b88
target-mips: add exception base to MIPS CPU
Replace hardcoded 0xbfc00000 with exception_base which is initialized with
this default address so there is no functional change here.
However, it is now exposed and consequently it will be possible to modify
it from outside of the CPU.

Backports commit 89777fd10fc3dd573c3b4d1b2efdd10af823c001 from qemu
2018-02-25 03:22:10 -05:00
Stanislav Shmarov 6f20d35cd1
translate-all: Fix user-mode self-modifying code in 2 page long TB
In user-mode emulation Translation Block can consist of 2 guest pages.
In that case QEMU also mprotects 2 host pages that are dedicated for
guest memory, containing instructions. QEMU detects self-modifying code
with SEGFAULT signal processing.

In case if instruction in 1st page is modifying memory of 2nd
page (or vice versa) QEMU will mark 2nd page with PAGE_WRITE,
invalidate TB, generate new TB contatining 1 guest instruction and
exit to CPU loop. QEMU won't call mprotect, and new TB will cause
same SEGFAULT. Page will have both PAGE_WRITE_ORG and PAGE_WRITE
flags, so QEMU will handle the signal as guest binary problem,
and exit with guest SEGFAULT.

Solution is to do following: In case if current TB was invalidated
continue to invalidate TBs from remaining guest pages and mark pages
as PAGE_WRITE. After that disable host page protection with mprotect.
If current tb was invalidated longjmp to main loop. That is more
efficient, since we won't get SEGFAULT when executing new TB.

Backports commit 7399a337e4126f7c8c8af3336726f001378c4798 from qemu
2018-02-25 03:14:22 -05:00
Samuel Damashek 670d81367b
cputlb: Fix for self-modifying writes across page boundaries
As it currently stands, QEMU does not properly handle self-modifying code
when the write is unaligned and crosses a page boundary. The procedure
for handling a write to the current translation block is to write-protect
the current translation block, catch the write, split up the translation
block into the current instruction (which remains write-protected so that
the current instruction is not modified) and the remaining instructions
in the translation block, and then restore the CPU state to before the
write occurred so the write will be retried and successfully executed.
However, since unaligned writes across pages are split into one-byte
writes for simplicity, writes to the second page (which is not the
current TB) may succeed before a write to the current TB is attempted,
and since these writes are not invalidated before resuming state after
splitting the TB, these writes will be performed a second time, thus
corrupting the second page. Credit goes to Patrick Hulin for
discovering this.

In recent 64-bit versions of Windows running in emulated mode, this
results in either being very unstable (a BSOD after a couple minutes of
uptime), or being entirely unable to boot. Windows performs one or more
8-byte unaligned self-modifying writes (xors) which intersect the end
of the current TB and the beginning of the next TB, which runs into the
aforementioned issue. This commit fixes that issue by making the
unaligned write loop perform the writes in forwards order, instead of
reverse order. This way, QEMU immediately tries to write to the current
TB, and splits the TB before any write to the second page is executed.
The write then proceeds as intended. With this patch applied, I am able
to boot and use Windows 7 64-bit and Windows 10 64-bit in QEMU without
KVM.

Per Richard Henderson's input, this patch also ensures the second page
is in the TLB before executing the write loop, to ensure the second
page is mapped.

The original discussion of the issue is located at
http://lists.nongnu.org/archive/html/qemu-devel/2014-08/msg02161.html.

Backports commit 81daabaf7a572f138a8b88ba6eea556bdb0cce46 from qemu
2018-02-25 03:12:11 -05:00
Samuel Damashek 04c423b081
cputlb: Add address parameter to VICTIM_TLB_HIT
Backports commit a390284b80d2b6581143cdb40666674e60e635ae from qemu
2018-02-25 03:03:36 -05:00
Richard Henderson 9e2422032a
cputlb: Move VICTIM_TLB_HIT out of line
There are currently 22 invocations of this function,
and we're about to increase that number.

Backports commit 7e9a7c50d9a400ef51242d661a261123c2cc9485 from qemu
2018-02-25 02:58:47 -05:00
Haozhong Zhang 2893a1c381
target-i386: Publish advised value of MSR_IA32_FEATURE_CONTROL via fw_cfg
It's a prerequisite that certain bits of MSR_IA32_FEATURE_CONTROL should
be set before some features (e.g. VMX and LMCE) can be used, which is
usually done by the firmware. This patch adds a fw_cfg file
"etc/msr_feature_control" which contains the advised value of
MSR_IA32_FEATURE_CONTROL and can be used by guest firmware (e.g. SeaBIOS).

Backports commit 217f1b4a72153cf8d556e9d45919e9222c38d25e from qemu
2018-02-25 02:49:42 -05:00
Ashok Raj b58f1fccce
target-i386: kvm: Add basic Intel LMCE support
This patch adds the support to inject SRAR and SRAO as LMCE, i.e. they
are injected to only one VCPU rather than broadcast to all VCPUs. As KVM
reports LMCE support on Intel platforms, this features is only available
on Intel platforms.

LMCE is disabled by default and can be enabled/disabled by cpu option
'lmce=on/off'.

Backports commit 87f8b626041ceaea9adcfdbd549359f0ca7b871d from qemu
2018-02-25 02:48:22 -05:00
Evgeny Yakovlev 49fdd75329
target-i386: Report hyperv feature words through qom
This change adds hyperv feature words report through qom rpc.

When VM is configured with hyperv features enabled
libvirt will check that required feature words are set
in cpuid leaf 40000003 through qom request.

Currently qemu does not report hyperv feature words
which prevents windows guests from starting with libvirt.

To avoid conflicting with current hyperv properties all added feature
words cannot be set directly with -cpu +feature yet.

Backports commit c35bd19a5c9140bce8b913cc5cefe6f071135bdb from qemu
2018-02-25 02:45:20 -05:00
Paolo Bonzini f39cc9e3b9
target-i386: Avoid using locals outside their scope
x86_cpu_parse_featurestr has a "val = num;" assignment just before num
goes out of scope. Push num up to fix the issue.

Backports commit cf2887c9738451eb989c6c102af070dee2dc172a from qemu
2018-02-25 02:30:06 -05:00
Paolo Bonzini 1be92ac243
target-i386: TCG can support CPUID.07H:EBX.erms
ERMS just says "rep movsb" and "rep stosb" are fast. It does not
imply any new instruction, so we can support it easily.

Backports commit 7eb24386dbfb0b66464c7f856c1074c606efccda from qemu
2018-02-25 02:29:00 -05:00
Igor Mammedov 78f9128dbb
target-sparc: Use sparc_cpu_parse_features() directly
Make SPARC target use sparc_cpu_parse_features() directly
so it won't get in the way of switching other propertified
targets to handling features as global properties.

Backports commit fb02d56e96d553088c5b4267a3c954a3e952a50a from qemu
2018-02-25 02:27:23 -05:00
Sergey Sorokin e4d123caa9
tcg: Improve the alignment check infrastructure
Some architectures (e.g. ARMv8) need the address which is aligned
to a size more than the size of the memory access.
To support such check it's enough the current costless alignment
check implementation in QEMU, but we need to support
an alignment size specifying.

Backports commit 1f00b27f17518a1bcb4cedca49eaec96a4d560bd from qemu
2018-02-25 02:23:28 -05:00
Richard Henderson 23586e2674
tcg: Optimize spills of constants
While we can store constants via constrants on INDEX_op_st_i32 et al,
we weren't able to spill constants to backing store.

Add a new backend interface, tcg_out_sti, which may store the constant
(and is allowed to fail). Rearrange the temp_* helpers so that we only
attempt to directly store a constant when the temp is becoming dead/free.

Backports commit 59d7c14eeff8d2ad7f61aed86ce5a176113bc153 from qemu
2018-02-25 01:45:29 -05:00
Richard Henderson 64fda683b1
tcg: Fix name for high-half register 2018-02-25 01:36:35 -05:00
Lioncash 532f840dc3
qapi: Add new clone visitor
We have a couple places in the code base that want to deep-clone
one QAPI object into another, and they were resorting to serializing
the struct out to QObject then reparsing it. A much more efficient
version can be done by adding a new clone visitor.

Since cloning is still relatively uncommon, expose the use of the
new visitor via a QAPI_CLONE() macro that takes care of type-punning
the underlying function pointer, rather than generating lots of
unused functions for types that won't be cloned. And yes, we're
relying on the compiler treating all pointers equally, even though
a strict C program cannot portably do so - but we're not the first
one in the qemu code base to expect it to work (hello, glib!).

The choice of adding a fourth visitor type deserves some explanation.
On the surface, the clone visitor is mostly an input visitor (it
takes arbitrary input - in this case, another QAPI object - and
creates a new QAPI object during the course of the visit). But
ever since commit da72ab0 consolidated enum visits based on the
visitor type, using VISITOR_INPUT would cause us to run
visit_type_str(), even though for cloning there is nothing to do
(we just copy the enum value across, without regards to its mapping
to strings). Also, since our input happens to be a QAPI object,
we can also satisfy the internal checks for VISITOR_OUTPUT. So in
the end, I settled with a new VISITOR_CLONE, and chose its value
such that many internal checks can use 'v->type & mask', sticking
to 'v->type == value' where the difference matters.

Note that we can only clone objects (including alternates) and lists,
not built-ins or enums. The visitor core hides integer width from
the actual visitor (since commit 04e070d), and as long as that's the
case, we can't clone top-level integers. Then again, those can
always be cloned by direct copy, since they are not objects with
deep pointers, so it's no real loss. And restricting cloning to
just objects and lists is cleaner than restricting it to non-integers.
As such, I documented that the clone visitor is for direct use only
by code internal to QAPI, and should not be used on incomplete objects
(other than a hack to work around the fact that we allow NULL in place
of "" in visit_type_str() in other output visitors). Note that as
written, the clone visitor will never fail on a complete object.

Scalars (including enums) not at the root of the clone copy just fine
with no additional effort while visiting the scalar, by virtue of a
g_memdup() each time we push another struct onto the stack. Cloning
a string requires deduplication of a pointer, which means it can also
provide the guarantee of an input visitor of never producing NULL
even when still accepting NULL in place of "" the way the QMP output
visitor does.

Cloning an 'any' type could be possible by incrementing the QObject
refcnt, but it's not obvious whether that is better than implementing
a QObject deep clone. So for now, we document it as unsupported,
and intentionally omit the .type_any() callback to let a developer
know their usage needs implementation.

Add testsuite coverage for several different clone situations, to
ensure that the code is working. I also tested that valgrind was
happy with the test.

Backports commit a15fcc3cf69ee3d408f60d6cc316488d2b0249b4 from qemu
2018-02-25 01:34:12 -05:00
Eric Blake 85af4b2030
qapi: Add new visit_complete() function
Making each output visitor provide its own output collection
function was the only remaining reason for exposing visitor
sub-types to the rest of the code base. Add a polymorphic
visit_complete() function which is a no-op for input visitors,
and which populates an opaque pointer for output visitors. For
maximum type-safety, also add a parameter to the output visitor
constructors with a type-correct version of the output pointer,
and assert that the two uses match.

This approach was considered superior to either passing the
output parameter only during construction (action at a distance
during visit_free() feels awkward) or only during visit_complete()
(defeating type safety makes it easier to use incorrectly).

Most callers were function-local, and therefore a mechanical
conversion; the testsuite was a bit trickier, but the previous
cleanup patch minimized the churn here.

The visit_complete() function may be called at most once; doing
so lets us use transfer semantics rather than duplication or
ref-count semantics to get the just-built output back to the
caller, even though it means our behavior is not idempotent.

Generated code is simplified as follows for events:

|@@ -26,7 +26,7 @@ void qapi_event_send_acpi_device_ost(ACP
| QDict *qmp;
| Error *err = NULL;
| QMPEventFuncEmit emit;
|- QmpOutputVisitor *qov;
|+ QObject *obj;
| Visitor *v;
| q_obj_ACPI_DEVICE_OST_arg param = {
| info
|@@ -39,8 +39,7 @@ void qapi_event_send_acpi_device_ost(ACP
|
| qmp = qmp_event_build_dict("ACPI_DEVICE_OST");
|
|- qov = qmp_output_visitor_new();
|- v = qmp_output_get_visitor(qov);
|+ v = qmp_output_visitor_new(&obj);
|
| visit_start_struct(v, "ACPI_DEVICE_OST", NULL, 0, &err);
| if (err) {
|@@ -55,7 +54,8 @@ void qapi_event_send_acpi_device_ost(ACP
| goto out;
| }
|
|- qdict_put_obj(qmp, "data", qmp_output_get_qobject(qov));
|+ visit_complete(v, &obj);
|+ qdict_put_obj(qmp, "data", obj);
| emit(QAPI_EVENT_ACPI_DEVICE_OST, qmp, &err);

and for commands:

| {
| Error *err = NULL;
|- QmpOutputVisitor *qov = qmp_output_visitor_new();
| Visitor *v;
|
|- v = qmp_output_get_visitor(qov);
|+ v = qmp_output_visitor_new(ret_out);
| visit_type_AddfdInfo(v, "unused", &ret_in, &err);
|- if (err) {
|- goto out;
|+ if (!err) {
|+ visit_complete(v, ret_out);
| }
|- *ret_out = qmp_output_get_qobject(qov);
|-
|-out:
| error_propagate(errp, err);

Backports commit 3b098d56979d2f7fd707c5be85555d114353a28d from qemu
2018-02-25 01:20:03 -05:00
Eric Blake ec53301cda
qmp-output-visitor: Favor new visit_free() function
Now that we have a polymorphic visit_free(), we no longer need
qmp_output_visitor_cleanup(); however, we still need to
expose the subtype for qmp_output_get_qobject().

Backports commit 1830f22a6777cedaccd67a08f675d30f7a85ebfd from qemu
2018-02-25 01:12:27 -05:00
Eric Blake f008d93ac0
qmp-input-visitor: Favor new visit_free() function
Now that we have a polymorphic visit_free(), we no longer need
qmp_input_visitor_cleanup(); which in turn means we no longer
need to return a subtype from qmp_input_visitor_new() nor a
public upcast function.

Generated code changes to qmp-marshal.c look like:

|@@ -52,11 +52,10 @@ void qmp_marshal_add_fd(QDict *args, QOb
| {
| Error *err = NULL;
| AddfdInfo *retval;
|- QmpInputVisitor *qiv = qmp_input_visitor_new(QOBJECT(args), true);
| Visitor *v;
| q_obj_add_fd_arg arg = {0};
|
|- v = qmp_input_get_visitor(qiv);
|+ v = qmp_input_visitor_new(QOBJECT(args), true);
| visit_start_struct(v, NULL, NULL, 0, &err);
| if (err) {
| goto out;

Backports commit b70ce1018a251c0c33498d9c927a07cade655a5e from qemu
2018-02-25 01:10:53 -05:00
Eric Blake e88a7e260b
string-input-visitor: Favor new visit_free() function
Now that we have a polymorphic visit_free(), we no longer need
string_input_visitor_cleanup(); which in turn means we no longer
need to return a subtype from string_input_visitor_new() nor a
public upcast function.

Backports commit 7a0525c7be6b38d32d586e3fd12e7377ded21faa from qemu
2018-02-25 01:08:04 -05:00
Eric Blake 7f741a6c9b
qapi: Add new visit_free() function
Making each visitor provide its own (awkwardly-named) FOO_cleanup()
is unusual, when we can instead have a polymorphic visit_free()
interface. Over the next few patches, we can use the polymorphic
functions to eliminate the need for a FOO_get_visitor() function
for accessing specific visitor functionality, once everything can
be accessed directly through the Visitor* interfaces.

The dealloc visitor is the first one converted to completely use
the new entry point, since qapi_dealloc_visitor_cleanup() was the
only reason that qapi_dealloc_get_visitor() existed, and only
generated and testsuite code was even using it. With the new
visit_free() entry point in place, we no longer need to expose
the QapiDeallocVisitor subtype through qapi_dealloc_visitor_new(),
and can get by with less generated code, with diffs that look like:

| void qapi_free_ACPIOSTInfo(ACPIOSTInfo *obj)
| {
|- QapiDeallocVisitor *qdv;
| Visitor *v;
|
| if (!obj) {
| return;
| }
|
|- qdv = qapi_dealloc_visitor_new();
|- v = qapi_dealloc_get_visitor(qdv);
|+ v = qapi_dealloc_visitor_new();
| visit_type_ACPIOSTInfo(v, NULL, &obj, NULL);
|- qapi_dealloc_visitor_cleanup(qdv);
|+ visit_free(v);
|}

Backports commit 2c0ef9f411ae6081efa9eca5b3eab2dbeee45a6c from qemu
2018-02-25 01:05:41 -05:00
Eric Blake 37ae4dfdfd
qapi: Add parameter to visit_end_*
Rather than making the dealloc visitor track of stack of pointers
remembered during visit_start_* in order to free them during
visit_end_*, it's a lot easier to just make all callers pass the
same pointer to visit_end_*. The generated code has access to the
same pointer, while all other users are doing virtual walks and
can pass NULL. The dealloc visitor is then greatly simplified.

All three visit_end_*() functions intentionally take a void**,
even though the visit_start_*() functions differ between void**,
GenericList**, and GenericAlternate**. This is done for several
reasons: when doing a virtual walk, passing NULL doesn't care
what the type is, but when doing a generated walk, we already
have to cast the caller's specific FOO* to call visit_start,
while using void** lets us use visit_end without a cast. Also,
an upcoming patch will add a clone visitor that wants to use
the same implementation for all three visit_end callbacks,
which is made easier if all three share the same signature.

For visitors with already track per-object state (the QMP visitors
via a stack, and the string visitors which do not allow nesting),
add an assertion that the caller is indeed passing the same
pointer to paired calls.

Backports commit 1158bb2a058fcdd0c8fc3e60dc77f7a57ddbb271 from qemu
2018-02-25 00:57:54 -05:00
Changlong Xie 2ca07642f1
qom: Fix comment typo
It's qom_unref, not qdef_unref.

Backports commit ada03a0e8423ef8950e30d216f56a9661a4070e2 from qemu
2018-02-25 00:46:15 -05:00
Markus Armbruster eeef227560
range: Replace internal representation of Range
Range represents a range as follows. Member @start is the inclusive
lower bound, member @end is the exclusive upper bound. Zero @end is
special: if @start is also zero, the range is empty, else @end is to
be interpreted as 2^64. No other empty ranges may occur.

The range [0,2^64-1] cannot be represented. If you try to create it
with range_set_bounds1(), you get the empty range instead. If you try
to create it with range_set_bounds() or range_extend(), assertions
fail. Before range_set_bounds() existed, the open-coded creation
usually got you the empty range instead. Open deathtrap.

Moreover, the code dealing with the janus-faced @end is too clever by
half.

Dumb this down to a more pedestrian representation: members @lob and
@upb are inclusive lower and upper bounds. The empty range is encoded
as @lob = 1, @upb = 0.

Backports commit 6dd726a2bf1b800289d90a84d5fcb5ce7b78a8e1 from qemu
2018-02-25 00:44:36 -05:00
Markus Armbruster 8b2a0c4ece
range: Eliminate direct Range member access
Users of struct Range mess liberally with its members, which makes
refactoring hard. Create a set of methods, and convert all users to
call them instead of accessing members. The methods have carefully
worded contracts, and use assertions to check them.

Backports commit a0efbf16604770b9d805bcf210ec29942321134f from qemu
2018-02-25 00:39:43 -05:00
Alistair Francis fbb0645fb3
bitops: Add MAKE_64BIT_MASK macro
Add a macro that creates a 64bit value which has length number of ones
shifted across by the value of shift.

Backports commit ae2923b5c20a21c6457680330506a9c13873485c from qemu
2018-02-25 00:30:39 -05:00
Peter Maydell efc6cc2b83
memory: Assert that memory_region_init_rom_device() ops aren't NULL
It doesn't make sense to pass a NULL ops argument to
memory_region_init_rom_device(), because the effect will
be that if the guest tries to write to the memory region
then QEMU will segfault. Catch the bug earlier by sanity
checking the arguments to this function, and remove the
misleading documentation that suggests that passing NULL
might be sensible.

Backports commit 39e0b03dec518254fabd2acff29548d3f1d2b754 from qemu
2018-02-25 00:29:52 -05:00
Peter Maydell 334e951ec1
memory: Provide memory_region_init_rom()
Provide a new helper function memory_region_init_rom() for memory
regions which are read-only (and unlike those created by
memory_region_init_rom_device() don't have special behaviour
for writes). This has the same behaviour as calling
memory_region_init_ram() and then memory_region_set_readonly()
(which is what we do today in boards with pure ROMs) but is a
more easily discoverable API for the purpose.

Backports commit a1777f7f6462c66e1ee6e98f0d5c431bfe988aa5 from qemu
2018-02-25 00:28:17 -05:00
Alexey Kardashevskiy 7187d77cfa
memory: Add MemoryRegionIOMMUOps.notify_started/stopped callbacks
The IOMMU driver may change behavior depending on whether a notifier
client is present. In the case of POWER, this represents a change in
the visibility of the IOTLB, for other drivers such as intel-iommu and
future AMD-Vi emulation, notifier support is not yet enabled and this
provides the opportunity to flag that incompatibility.

Backports commit d22d8956b185c002b50a4d0883aff61f857347ef from qemu
2018-02-25 00:23:00 -05:00
Eric Blake c14d8226ab
qapi: Fix memleak in string visitors on int lists
Commit 7f8f9ef1 introduced the ability to store a list of
integers as a sorted list of ranges, but when merging ranges,
it leaks one or more ranges. It was also using range_get_last()
incorrectly within range_compare() (a range is a start/end pair,
but range_get_last() is for start/len pairs), and will also
mishandle a range ending in UINT64_MAX (remember, we document
that no range covers 2**64 bytes, but that ranges that end on
UINT64_MAX have end < begin).

The whole merge algorithm was rather complex, and included
unnecessary passes over data within glib functions, and enough
indirection to make it hard to easily plug the data leaks.
Since we are already hard-coding things to a list of ranges,
just rewrite the thing to open-code the traversal and
comparisons, by making the range_compare() helper function give
us an answer that is easier to use, at which point we avoid the
need to pass any callbacks to g_list_*(). Then by reusing
range_extend() instead of duplicating effort with range_merge(),
we cover the corner cases correctly.

Drop the now-unused range_merge() and ranges_can_merge().

Doing this lets test-string-{input,output}-visitor pass under
valgrind without leaks.

Backports commit db486cc334aafd3dbdaf107388e37fc3d6d3e171 from qemu
2018-02-25 00:20:34 -05:00
Eric Blake ef357d06bc
qapi: Simplify use of range.h
Calling our function g_list_insert_sorted_merged is a misnomer,
since we are NOT writing a glib function. Furthermore, we are
making every caller pass the same comparator function of
range_merge(): any caller that would try otherwise would break
in weird ways since our internal call to ranges_can_merge() is
hard-coded to operate only on ranges, rather than paying
attention to the caller's comparator.

Better is to fix things so that callers don't have to care about
our internal comparator, by picking a function name and updating
the parameter type away from a gratuitous use of void*, to make
it obvious that we are operating specifically on a list of ranges
and not a generic list. Plus, refactoring the code here will
make it easier to plug a memory leak in the next patch.

range_compare() is now internal only, and moves to the .c file.

Backports commit 7c47959d0cb05db43014141a156ada0b6d53a750 from qemu
2018-02-25 00:02:42 -05:00
Eric Blake 5e22c7e180
range: Create range.c for code that should not be inline
g_list_insert_sorted_merged() is rather large to be an inline
function; move it to its own file. range_merge() and
ranges_can_merge() can likewise move, as they are only used
internally. Also, it becomes obvious that the condition within
range_merge() is already satisfied by its caller, and that the
return value is not used.

The diffstat is misleading, because of the copyright boilerplate.

Backports commit fec0fc0a13ac7f1a1130433a6740cd850c3db34a from qemu
2018-02-24 23:59:13 -05:00
Eric Blake ebeb0e46f8
qapi: Fix crash on missing alternate member of QAPI struct
If a QAPI struct has a mandatory alternate member which is not
present on input, the input visitor reports an error for the
missing alternate without setting the discriminator, but the
cleanup code for the struct still tries to use the dealloc
visitor to clean up the alternate.

Commit dbf11922 changed visit_start_alternate to set *obj to NULL
when an error occurs, where it was previously left untouched.
Thus, before the patch, the dealloc visitor is blindly trying to
cleanup whatever branch corresponds to (*obj)->type == 0 (that is,
QTYPE_NONE, because *obj still pointed to zeroed memory), which
selects the default branch of the switch and sets an error, but
this second error is ignored by the way the dealloc visitor is
used; but after the patch, the attempt to switch dereferences NULL.

When cleaning up after a partial object parse, we specifically
check for !*obj after visit_start_struct() (see gen_visit_object());
doing the same for alternates fixes the crash. Enhance the testsuite
to give coverage for both missing struct and missing alternate
members.

Also add an abort - we expect visit_start_alternate() to either set an
error or to set (*obj)->type to a valid QType that corresponds to
actual user input, and QTYPE_NONE should never be reachable from valid
input. Had the abort() been in place earlier, we might have noticed
the dealloc visitor dereferencing bogus zeroed memory prior to when
commit dbf11922 forced our hand by setting *obj to NULL and causing a
fault.

Test case:

{'execute':'blockdev-add', 'arguments':{'options':{'driver':'raw'}}}

The choice of 'driver':'raw' selects a BlockdevOptionsGenericFormat
struct, which has a mandatory 'file':'BlockdevRef' in QAPI. Since
'file' is missing as a sibling of 'driver', this should report a
graceful error rather than fault. After this patch, we are back to:

{"error": {"class": "GenericError", "desc": "Parameter 'file' is missing"}}

Generated code in qapi-visit.c changes as:

|@@ -2444,6 +2444,9 @@ void visit_type_BlockdevRef(Visitor *v,
| if (err) {
| goto out;
| }
|+ if (!*obj) {
|+ goto out_obj;
|+ }
| switch ((*obj)->type) {
| case QTYPE_QDICT:
| visit_start_struct(v, name, NULL, 0, &err);
|@@ -2459,10 +2462,13 @@ void visit_type_BlockdevRef(Visitor *v,
| case QTYPE_QSTRING:
| visit_type_str(v, name, &(*obj)->u.reference, &err);
| break;
|+ case QTYPE_NONE:
|+ abort();
| default:
| error_setg(&err, QERR_INVALID_PARAMETER_TYPE, name ? name : "null",
| "BlockdevRef");
| }
|+out_obj:
| visit_end_alternate(v);

Backports commit 9b4e38fe6a35890bb1d995316d7be08de0b30ee5 from qemu
2018-02-24 23:53:29 -05:00
Aleksandar Markovic f95e0e9e98
target-mips: Add FCR31's FS bit definition
Add preprocessor definition of FCR31's FS bit, and update related
code for setting this bit.

Backports commit 77be419980114d75605811e1681115d0919cfa1a from qemu
2018-02-24 21:32:10 -05:00
Aleksandar Markovic 4a540f88de
target-mips: Implement FCR31's R/W bitmask and related functionalities
This patch implements read and write access rules for Mips floating
point control and status register (FCR31). The change can be divided
into following parts:

- Add fields that will keep FCR31's R/W bitmask in procesor
definitions and processor float_status structure.

- Add appropriate value for FCR31's R/W bitmask for each supported
processor.

- Add function for setting snan_bit_is_one, and integrate it in
appropriate places.

- Modify handling of CTC1 (case 31) instruction to use FCR31's R/W
bitmask.

- Modify handling user mode executables for Mips, in relation to the
bit EF_MIPS_NAN2008 from ELF header, that is in turn related to
reading and writing to FCR31.

- Modify gdb behavior in relation to FCR31.

Backports commit 599bc5e89c46f95f86ccad0d747d041c89a28806 from qemu
2018-02-24 21:30:24 -05:00
Aleksandar Markovic 84b516d9db
target-mips: Add nan2008 flavor of <CEIL|CVT|FLOOR|ROUND|TRUNC>.<L|W>.<S|D>
New set of helpers for handling nan2008-syle versions of instructions
<CEIL|CVT|FLOOR|ROUND|TRUNC>.<L|W>.<S|D>, for Mips R6.

All involved instructions have float operand and integer result. Their
core functionality is implemented via invocations of appropriate SoftFloat
functions. The problematic cases are when the operand is a NaN, and also
when the operand (float) is out of the range of the result.

Here one can distinguish three cases:

CASE MIPS-A: (FCR31.NAN2008 == 1)

1. Operand is a NaN, result should be 0;
2. Operand is larger than INT_MAX, result should be INT_MAX;
3. Operand is smaller than INT_MIN, result should be INT_MIN.

CASE MIPS-B: (FCR31.NAN2008 == 0)

1. Operand is a NaN, result should be INT_MAX;
2. Operand is larger than INT_MAX, result should be INT_MAX;
3. Operand is smaller than INT_MIN, result should be INT_MAX.

CASE SoftFloat:

1. Operand is a NaN, result is INT_MAX;
2. Operand is larger than INT_MAX, result is INT_MAX;
3. Operand is smaller than INT_MIN, result is INT_MIN.

Current implementation of <CEIL|CVT|FLOOR|ROUND|TRUNC>.<L|W>.<S|D>
implements case MIPS-B. This patch relates to case MIPS-A. For case
MIPS-A, only return value for NaN-operands should be corrected after
appropriate SoftFloat library function is called.

Related MSA instructions FTRUNC_S and FTINT_S already handle well
all cases, in the fashion similar to the code from this patch.

Backports commit 87552089b62fa229d2ff86906e4e779177fb5835 from qemu
2018-02-24 21:14:04 -05:00
Aleksandar Markovic a411a12170
target-mips: Add abs2008 flavor of <ABS|NEG>.<S|D>
Updated handling of instructions <ABS|NEG>.<S|D>. Note that legacy
(pre-abs2008) ABS and NEG instructions are arithmetic (and, therefore,
any NaN operand causes signaling invalid operation), while abs2008
ones are non-arithmetic, always and only changing the sign bit, even
for NaN-like operands. Details on these instructions are documented
in [1] p. 35 and 359.

Implementation-wise, abs2008 versions are implemented without helpers,
for simplicity and performance sake.

[1] "MIPS Architecture For Programmers Volume II-A:
The MIPS64 Instruction Set Reference Manual",
Imagination Technologies LTD, Revision 6.04, November 13, 2015

Backports commit 6be77480052b1a71557081896e7080363a8a2f95 from qemu
2018-02-24 20:45:06 -05:00
Aleksandar Markovic ef9f33a345
target-mips: Activate IEEE 754-2008 signaling NaN bit meaning for MSA
Function msa_reset() is updated so that flag snan_bit_is_one is
properly set to 0.

By applying this patch, a number of incorrect MSA behaviors that
require IEEE 754-2008 compliance will be fixed. Those are behaviors
that (up to the moment of applying this patch) did not get the desired
functionality from SoftFloat library with respect to distinguishing
between quiet and signaling NaN, getting default NaN values (both
quiet and signaling), establishing if a floating point number is NaN
or not, etc.

Two examples:

* FMAX, FMIN will now correctly detect and propagate NaNs.
* FCLASS.D ans FCLASS.S will now correcty detect NaN flavors

Backports commit 40bd6dd456e61a36e454fb9dd2cc739b67c224cf from qemu
2018-02-24 20:41:48 -05:00
Aleksandar Markovic 3e9325f1e9
softfloat: Handle snan_bit_is_one == 0 in MIPS pickNaNMulAdd()
Only for Mips platform, and only for cases when snan_bit_is_one is 0,
correct the order of argument comparisons in pickNaNMulAdd().

For more info, see [1], page 53, section "3.5.3 NaN Propagation".

[1] "MIPS Architecture for Programmers Volume IV-j:
The MIPS32 SIMD Architecture Module",
Imagination Technologies LTD, Revision 1.12, February 3, 2016

Backports commit c27644f0e9659471e1c9355da5b667960d311937 from qemu
2018-02-24 20:40:11 -05:00
Aleksandar Markovic 33833b6605
softfloat: For Mips only, correct default NaN values
Only for Mips platform, and only for cases when snan_bit_is_one is 0,
correct default NaN values (in their 16-, 32-, and 64-bit flavors).

For more info, see [1], page 84, Table 6.3 "Value Supplied When a New
Quiet NaN Is Created", and [2], page 52, Table 3.7 "Default NaN
Encodings".

[1] "MIPS Architecture For Programmers Volume II-A:
The MIPS64 Instruction Set Reference Manual",
Imagination Technologies LTD, Revision 6.04, November 13, 2015

[2] "MIPS Architecture for Programmers Volume IV-j:
The MIPS32 SIMD Architecture Module",
Imagination Technologies LTD, Revision 1.12, February 3, 2016

Backports commit a7c04d545a97126c9df9d96623747d8613aaf7db from qemu
2018-02-24 20:38:23 -05:00
Aleksandar Markovic 33ee9429b2
softfloat: Clean code format in fpu/softfloat-specialize.h
fpu/softfloat-specialize.h is the most critical file in SoftFloat
library, since it handles numerous differences between platforms in
relation to floating point arithmetics. This patch makes the code
in this file more consistent format-wise, and hopefully easier to
debug and maintain.

Backports commit a59eaea64686c8966b7653303660f8c26f285c77 from qemu
2018-02-24 20:35:05 -05:00
Aleksandar Markovic 6eb4fa54f6
softfloat: Implement run-time-configurable meaning of signaling NaN bit
This patch modifies SoftFloat library so that it can be configured in
run-time in relation to the meaning of signaling NaN bit, while, at the
same time, strictly preserving its behavior on all existing platforms.

Background:

In floating-point calculations, there is a need for denoting undefined or
unrepresentable values. This is achieved by defining certain floating-point
numerical values to be NaNs (which stands for "not a number"). For additional
reasons, virtually all modern floating-point unit implementations use two
kinds of NaNs: quiet and signaling. The binary representations of these two
kinds of NaNs, as a rule, differ only in one bit (that bit is, traditionally,
the first bit of mantissa).

Up to 2008, standards for floating-point did not specify all details about
binary representation of NaNs. More specifically, the meaning of the bit
that is used for distinguishing between signaling and quiet NaNs was not
strictly prescribed. (IEEE 754-2008 was the first floating-point standard
that defined that meaning clearly, see [1], p. 35) As a result, different
platforms took different approaches, and that presented considerable
challenge for multi-platform emulators like QEMU.

Mips platform represents the most complex case among QEMU-supported
platforms regarding signaling NaN bit. Up to the Release 6 of Mips
architecture, "1" in signaling NaN bit denoted signaling NaN, which is
opposite to IEEE 754-2008 standard. From Release 6 on, Mips architecture
adopted IEEE standard prescription, and "0" denotes signaling NaN. On top of
that, Mips architecture for SIMD (also known as MSA, or vector instructions)
also specifies signaling bit in accordance to IEEE standard. MSA unit can be
implemented with both pre-Release 6 and Release 6 main processor units.

QEMU uses SoftFloat library to implement various floating-point-related
instructions on all platforms. The current QEMU implementation allows for
defining meaning of signaling NaN bit during build time, and is implemented
via preprocessor macro called SNAN_BIT_IS_ONE.

On the other hand, the change in this patch enables SoftFloat library to be
configured in run-time. This configuration is meant to occur during CPU
initialization, at the moment when it is definitely known what desired
behavior for particular CPU (or any additional FPUs) is.

The change is implemented so that it is consistent with existing
implementation of similar cases. This means that structure float_status is
used for passing the information about desired signaling NaN bit on each
invocation of SoftFloat functions. The additional field in float_status is
called snan_bit_is_one, which supersedes macro SNAN_BIT_IS_ONE.

IMPORTANT:

This change is not meant to create any change in emulator behavior or
functionality on any platform. It just provides the means for SoftFloat
library to be used in a more flexible way - in other words, it will just
prepare SoftFloat library for usage related to Mips platform and its
specifics regarding signaling bit meaning, which is done in some of
subsequent patches from this series.

Further break down of changes:

1) Added field snan_bit_is_one to the structure float_status, and
correspondent setter function set_snan_bit_is_one().

2) Constants <float16|float32|float64|floatx80|float128>_default_nan
(used both internally and externally) converted to functions
<float16|float32|float64|floatx80|float128>_default_nan(float_status*).
This is necessary since they are dependent on signaling bit meaning.
At the same time, for the sake of code cleanup and simplicity, constants
<floatx80|float128>_default_nan_<low|high> (used only internally within
SoftFloat library) are removed, as not needed.

3) Added a float_status* argument to SoftFloat library functions
XXX_is_quiet_nan(XXX a_), XXX_is_signaling_nan(XXX a_),
XXX_maybe_silence_nan(XXX a_). This argument must be present in
order to enable correct invocation of new version of functions
XXX_default_nan(). (XXX is <float16|float32|float64|floatx80|float128>
here)

4) Updated code for all platforms to reflect changes in SoftFloat library.
This change is twofolds: it includes modifications of SoftFloat library
functions invocations, and an addition of invocation of function
set_snan_bit_is_one() during CPU initialization, with arguments that
are appropriate for each particular platform. It was established that
all platforms zero their main CPU data structures, so snan_bit_is_one(0)
in appropriate places is not added, as it is not needed.

[1] "IEEE Standard for Floating-Point Arithmetic",
IEEE Computer Society, August 29, 2008.

Backports commit af39bc8c49224771ec0d38f1b693ea78e221d7bc from qemu
2018-02-24 20:27:12 -05:00
Alexey Kardashevskiy 096ca207af
memory: Add reporting of supported page sizes
Every IOMMU has some granularity which MemoryRegionIOMMUOps::translate
uses when translating, however this information is not available outside
the translate context for various checks.

This adds a get_min_page_size callback to MemoryRegionIOMMUOps and
a wrapper for it so IOMMU users (such as VFIO) can know the minimum
actual page size supported by an IOMMU.

As IOMMU MR represents a guest IOMMU, this uses TARGET_PAGE_SIZE
as fallback.

This removes vfio_container_granularity() and uses new helper in
memory_region_iommu_replay() when replaying IOMMU mappings on added
IOMMU memory region.

Backports the relevant parts of commit f682e9c244af7166225f4a50cc18ff296bb9d43e from qemu
2018-02-24 19:23:28 -05:00
Lluís Vilanova 2297527755
exec: [tcg] Track which vCPU is performing translation and execution
Information is tracked inside the TCGContext structure, and later used
by tracing events with the 'tcg' and 'vcpu' properties.

The 'cpu' field is used to check tracing of translation-time
events ("*_trans"). The 'tcg_env' field is used to pass it to
execution-time events ("*_exec").

Backports commit 7c2550432abe62f53e6df878ceba6ceaf71f0e7e from qemu
2018-02-24 19:21:39 -05:00
Eduardo Habkost 0f6513ef62
error: Remove unnecessary local_err variables
This patch simplifies code that uses a local_err variable just to
immediately use it for an error_propagate() call.

Coccinelle patch used to perform the changes added to
scripts/coccinelle/remove_local_err.cocci.

Backports commit 6b62d961373e0327f2af8fb77d6d5d6308864180 from qemu
2018-02-24 19:12:25 -05:00
Peter Maydell 5ae787f895
target-arm: Provide hook to tell GICv3 about changes of security state
The GICv3 CPU interface needs to know when the CPU it is attached
to makes an exception level or mode transition that changes the
security state, because whether it is asserting IRQ or FIQ can change
depending on these things. Provide a mechanism for letting the GICv3
device register a hook to be called on such changes.

Backports commit bd7d00fc50c9960876dd194ebf0c88889b53e765 from qemu
2018-02-24 19:09:22 -05:00
Peter Maydell eec3a5f843
target-arm: Define new arm_is_el3_or_mon() function
The GICv3 system registers need to know if the CPU is AArch64
in EL3 or AArch32 in Monitor mode. This happens to be the first
part of the check for arm_is_secure(), so factor it out into a
new arm_is_el3_or_mon() function that the GIC can also use.

Backports commit 712058764da29b2908f6fbf56760ca4f15980709 from qemu
2018-02-24 19:04:27 -05:00
Peter Maydell f893dacef0
bitops.h: Implement half-shuffle and half-unshuffle ops
A half-shuffle operation takes a word with zeros in the high half:
0000 0000 0000 0000 ABCD EFGH IJKL MNOP
and spreads the bits out so they are in every other bit of the word:
0A0B 0C0D 0E0F 0G0H 0I0J 0K0L 0M0N 0O0P
A half-unshuffle performs the reverse operation.

Provide functions in bitops.h which implement these operations
for 32-bit and 64-bit inputs, and add tests for them.

Backports commit b355438de52d0782983bf4bdc47936189a0c988b from qemu
2018-02-24 19:02:36 -05:00
Bharata B Rao 851dec945d
qom: API to get instance_size of a type
Add an API object_type_get_size(const char *typename) that returns the
instance_size of the give typename.

Backports commit 3f97b53a682d2595747c926c00d78b9d406f1be0 from qemu
2018-02-24 19:00:16 -05:00
Thomas Huth aee5c93f58
configure: Enable -Werror for MinGW builds, too
MinGW seems to compile currently without warnings, so it should
be safe to enable -Werror now for this environment, too.

Backports commit e4650c81b3d15ba67236815defbb475c4bdf8690 from qemu
2018-02-24 18:56:05 -05:00
Eduardo Habkost b918dd95f3
target-i386: Consolidate calls of object_property_parse() in x86_cpu_parse_featurestr
Backports commit f6750e959a397dea988efd4e488e1ff813011065 from qemu
2018-02-24 18:53:55 -05:00
Igor Mammedov 800b28483b
target-i386: Move features logic that requires CPUState to realize time
Making x86_cpu_parse_featurestr() a pure convertor
of legacy feature string into global properties, needs
it to be called before a CPU instance is created so
parser shouldn't modify CPUState directly or access
it at all. Hence move current hack that directly pokes
into CPUState, to set/unset +-feats, from parser to
CPU's realize method.

Backports commit dc15c0517b010a9444a2c05794dae980f2a2cbd9 from qemu
2018-02-24 18:47:46 -05:00
Eduardo Habkost b9ca5c4d33
target-i386: Remove xlevel & hv-spinlocks option fixups
The "fixup will be removed in future versions" warnings are
present since QEMU 1.7.0, at least, so users should have fixed
their scripts and configurations, already.

In the case of libvirt users, libvirt doesn't use the "xlevel"
option, and already rejects HyperV spinlock retry count < 0xFFF.

Backports commit c19b85216b5d47d922ac010931d4c7b2d79b2f68 from qemu
2018-02-24 18:33:32 -05:00
Radim Krčmář 610a52e9c7
target-i386: Implement CPUID[0xB] (Extended Topology Enumeration)
I looked at a dozen Intel CPU that have this CPUID and all of them
always had Core offset as 1 (a wasted bit when hyperthreading is
disabled) and Package offset at least 4 (wasted bits at <= 4 cores).

QEMU uses more compact IDs and it doesn't make much sense to change it
now. I keep the SMT and Core sub-leaves even if there is just one
thread/core; it makes the code simpler and there should be no harm.

Backports commit 5232d00a041c8f3628b3532ef35d703a1f0dac19 from qemu
2018-02-24 18:31:14 -05:00
Eduardo Habkost 8991e8bf0b
target-i386: add Skylake-Client cpu model
Introduce Skylake-Client cpu mode which inherits the features from
Broadwell and supports some additional features that are: MPX,
XSAVEC, and XGETBV1.

Backports commit f6f949e9295889fb272698aea763dcea77d616ce from qemu
2018-02-24 18:25:50 -05:00
Peter Maydell 9bdf310d49
target-arm: Don't permit ARMv8-only Neon insns on ARMv7
The Neon instructions VCVTA, VCVTM, VCVTN, VCVTP, VRINTA, VRINTM,
VRINTN, VRINTP, VRINTX, and VRINTZ were only introduced with ARMv8,
so they need a guard to make them UNDEF if the CPU only supports ARMv7.
(We got this right for all the other new-in-v8 insns, but forgot
it for these Neon 2-reg-misc ops.)

Backports commit fe8fcf3d642b4de1369841bf6acac13e0ec8770d from qemu
2018-02-24 18:20:00 -05:00
Peter Maydell a9fb399490
target-arm: Fix reset and migration of TTBCR(S)
Commit 6459b94c26dd666badb3 broke reset and migration of the AArch32
TTBCR(S) register if the guest used non-LPAE page tables. This is
because the AArch32 TTBCR register definition is marked as ARM_CP_ALIAS,
meaning that the AArch64 variant has to handle migration and reset.
Although AArch64 TCR_EL3 doesn't need to care about the mask and
base_mask fields, AArch32 may do so, and so we must use the special
TTBCR reset and raw write functions to ensure they are set correctly.

This doesn't affect TCR_EL2, because the AArch32 equivalent of that
is HTCR, which never uses the non-LPAE page table variant.

Backports commit 811595a2d4ab8c6354857a50ffd29fafce52a892 from qemu
2018-02-24 18:18:24 -05:00
Shannon Zhao 51c9e12605
target-arm: kvm64: set guest PMUv3 feature bit if supported
Check if kvm supports guest PMUv3. If so, set the corresponding feature
bit for vcpu.

Backports commit 5c0a3819f009639f67ce0453dff6ec7211bfee54 from qemu
2018-02-24 18:17:11 -05:00
Emilio G. Cota ae3e22a689
tb hash: hash phys_pc, pc, and flags with xxhash
For some workloads such as arm bootup, tb_phys_hash is performance-critical.
The is due to the high frequency of accesses to the hash table, originated
by (frequent) TLB flushes that wipe out the cpu-private tb_jmp_cache's.
More info:
https://lists.nongnu.org/archive/html/qemu-devel/2016-03/msg05098.html

To dig further into this I modified an arm image booting debian jessie to
immediately shut down after boot. Analysis revealed that quite a bit of time
is unnecessarily spent in tb_phys_hash: the cause is poor hashing that
results in very uneven loading of chains in the hash table's buckets;
the longest observed chain had ~550 elements.

The appended addresses this with two changes:

1) Use xxhash as the hash table's hash function. xxhash is a fast,
high-quality hashing function.

2) Feed the hashing function with not just tb_phys, but also pc and flags.

This improves performance over using just tb_phys for hashing, since that
resulted in some hash buckets having many TB's, while others getting very few;
with these changes, the longest observed chain on a single hash bucket is
brought down from ~550 to ~40.

Tests show that the other element checked for in tb_find_physical,
cs_base, is always a match when tb_phys+pc+flags are a match,
so hashing cs_base is wasteful. It could be that this is an ARM-only
thing, though. UPDATE:
On Tue, Apr 05, 2016 at 08:41:43 -0700, Richard Henderson wrote:
> The cs_base field is only used by i386 (in 16-bit modes), and sparc (for a TB
> consisting of only a delay slot).
> It may well still turn out to be reasonable to ignore cs_base for hashing.

BTW, after this change the hash table should not be called "tb_hash_phys"
anymore; this is addressed later in this series.

This change gives consistent bootup time improvements. I tested two
host machines:
- Intel Xeon E5-2690: 11.6% less time
- Intel i7-4790K: 19.2% less time

Increasing the number of hash buckets yields further improvements. However,
using a larger, fixed number of buckets can degrade performance for other
workloads that do not translate as many blocks (600K+ for debian-jessie arm
bootup). This is dealt with later in this series.

Backports commit 42bd32287f3a18d823f2258b813824a39ed7c6d9 from qemu
2018-02-24 18:00:14 -05:00
Emilio G. Cota 9ef9de9cf8
exec: add tb_hash_func5, derived from xxhash
This will be used by upcoming changes for hashing the tb hash.

Add this into a separate file to include the copyright notice from
xxhash.

Backports commit dc8b295d05ec35a8c032f9abca421772347ba5d4 from qemu
2018-02-24 17:36:35 -05:00
Emilio G. Cota 8518f55df7
compiler.h: add QEMU_ALIGNED() to enforce struct alignment
Backports commit 911a4d2215b05267b16925503218f49d607c6b29 from qemu
2018-02-24 17:32:43 -05:00
Peter Maydell 48539e54da
target-i386: Move user-mode exception actions out of user-exec.c
The exception_action() function in user-exec.c is just a call to
cpu_loop_exit() for every target CPU except i386. Since this
function is only called if the target's handle_mmu_fault() hook has
indicated an MMU fault, and that hook is only called from the
handle_cpu_signal() code path, we can simply move the x86-specific
setup into that hook, which allows us to remove the TARGET_I386
ifdef from user-exec.c.

Of the actions that were done by the call to raise_interrupt_err():
* cpu_svm_check_intercept_param() is a no-op in user mode
* check_exception() is a no-op since double faults are impossible
for user-mode
* assignments to cs->exception_index and env->error_code are no-ops
* assigning to env->exception_next_eip is unnecessary because it
is not used unless env->exception_is_int is true
* cpu_loop_exit_restore() is equivalent to cpu_loop_exit() since
pc is 0
which leaves just setting env_>exception_is_int as the action that
needs to be added to x86_cpu_handle_mmu_fault().

Backports commit 0c33682d5f29b0a4ae53bdec4c8e52e4fae37b34 from qemu
2018-02-24 17:27:08 -05:00
Peter Maydell fa2679ba96
target-i386: Add comment about do_interrupt_user() next_eip argument
Add a comment to do_interrupt_user() along the same lines as the
existing one for do_interrupt_all() noting that the next_eip
argument is not used unless is_int is true or intno is EXCP_SYSCALL.

Backports commit 33271823323483b4ede1ae99de83d33b25875402 from qemu
2018-02-24 17:26:18 -05:00
Peter Maydell d7dccff836
cpu-exec: Rename cpu_resume_from_signal() to cpu_loop_exit_noexc()
The function cpu_resume_from_signal() is now always called with a
NULL puc argument, and is rather misnamed since it is never called
from a signal handler. It is essentially forcing an exit to the
top level cpu loop but without raising any exception, so rename
it to cpu_loop_exit_noexc() and drop the useless unused argument.

Backports commit 6886b98036a8f8f5bce8b10756ce080084cef11b from qemu
2018-02-24 17:25:28 -05:00
Peter Maydell b2013255aa
user-exec: Push resume-from-signal code out to handle_cpu_signal()
Since the only caller of page_unprotect() which might cause it to
need to call cpu_resume_from_signal() is handle_cpu_signal() in
the user-mode code, push the longjump handling out to that function.

Since this is the only caller of cpu_resume_from_signal() which
passes a non-NULL puc argument, split the non-NULL handling into
a new cpu_exit_tb_from_sighandler() function. This allows us
to merge the softmmu and usermode implementations of the
cpu_resume_from_signal() function, which are now identical.

Backports commit f213e72f2356b77768b9cb73814a3b26ad5a0099 from qemu
2018-02-24 17:21:06 -05:00
Peter Maydell 37b7538d85
translate-all.c: Don't pass puc, locked to tb_invalidate_phys_page()
The user-mode-only function tb_invalidate_phys_page() is only
called from two places:
* page_unprotect(), which passes in a non-zero pc, a puc pointer
and the value 'true' for the locked argument
* page_set_flags(), which passes in a zero pc, a NULL puc pointer
and a 'false' locked argument

If the pc is non-zero then we may call cpu_resume_from_signal(),
which does a longjmp out of the calling code (and out of the
signal handler); this is to cover the case of a target CPU with
"precise self-modifying code" (currently only x86) executing
a store instruction which modifies code in the same TB as the
store itself. Rather than doing the longjump directly here,
return a flag to the caller which indicates whether the current
TB was modified, and move the longjump to page_unprotect.

Backports commit 75809229bbf28b371afce14921ff5be98ddc5faa from qemu
2018-02-24 17:11:30 -05:00
Paolo Bonzini 1db22b5889
Makefile: add dependency on scripts/create_config
Make sure that config-host.h and config-target.h are rebuilt whenever
there is a change in the scripts that generates them; add the dependency
to the pattern rule as suggested by Peter.

Backports commit 553350156d80c18d0127c742f47b7adbd642f3ef from qemu
2018-02-24 17:05:03 -05:00
Fam Zheng c17a3070ea
Makefile: Add a FORCE target
Backports commit d41d4da3c5d702b505d74265900a13fae2c8d0e0 from qemu
2018-02-24 17:03:51 -05:00
Peter Maydell 8d0faac1dc
qemu-common.h: Drop WORDS_ALIGNED define
The WORDS_ALIGNED #define is not used anywhere, and hasn't been since
2013 when commit 612d590ebc6cef rewrote the various ld<type>_<endian>_p
functions to not use it. Remove the #define and the comment describing it.
Also remove the line in the comment about TARGET_WORDS_ALIGNED, since
it has never actually existed.

Backports commit 0d5c21f2b3bf1e0b562a2c74e353d2e03f2f50ef from qemu
2018-02-24 17:01:55 -05:00
Stefan Weil 4470900f3b
configure: Use instead of deprecated
This fixes these warnings from shellcheck:

^-- SC2006: Use $(..) instead of deprecated `..`

Backports commit 89138857619b2a023c32200e9af780792ccaa8c3 from qemu
2018-02-24 16:59:40 -05:00
Sergey Sorokin c05902eddd
target-arm: Fix TTBR selecting logic on AArch32 Stage 2 translation
Address size is 40-bit for the AArch32 stage 2 translation,
and t0sz can be negative (from -8 to 7),
so we need to adjust it to use the existing TTBR selecting logic.

Backports commit 6e99f762612827afeff54add2e4fc2c3b2657fed from qemu
2018-02-24 16:54:32 -05:00
Peter Maydell 806d72035e
target-arm: Don't try to set ESR IL bit in arm_cpu_do_interrupt_aarch64()
Remove some incorrect code from arm_cpu_do_interrupt_aarch64()
which attempts to set the IL bit in the syndrome register based
on the value of env->thumb. This is wrong in several ways:
* IL doesn't indicate Thumb-vs-ARM, it indicates instruction
length (which may be 16 or 32 for Thumb and is always 32 for ARM)
* not every syndrome format uses IL like this -- for some IL is
always set, and for some it is always clear
* the code is changing esr_el[new_el] even for interrupt entry,
which is not supposed to modify ESR_ELx at all

Delete the code, and instead rely on the syndrome value in
env->exception.syndrome having already been set up with the
correct value of IL.

Backports commit 78f1edb19fe11fa0c5d0bf484db59a384f455d3c from qemu
2018-02-24 16:49:53 -05:00
Peter Maydell dc8bf22d88
target-arm: Set IL bit in syndromes for insn abort, watchpoint, swstep
For some exception syndrome types, the IL bit should always be set.
This includes the instruction abort, watchpoint and software step
syndrome types; add the missing ARM_EL_IL bit to the syndrome
values returned by syn_insn_abort(), syn_swstep() and syn_watchpoint().

Backports commit 04ce861ea545477425ad9e045eec3f61c8a27df9 from qemu
2018-02-24 16:48:59 -05:00
Edgar E. Iglesias 8aee797956
target-arm: A64: Create Instruction Syndromes for Data Aborts
Add support for generating the ISS (Instruction Specific Syndrome) for
Data Abort exceptions taken from AArch64.
These syndromes are used by hypervisors for example to trap and emulate
memory accesses.

We save the decoded data out-of-band with the TBs at translation time.
When exceptions hit, the extra data attached to the TB is used to
recreate the state needed to encode instruction syndromes.
This avoids the need to emit moves with every load/store.

Based on a suggestion from Peter Maydell.

Backports commit aaa1f954d4cab243e3d5337a72bc6d104e1c4808 from qemu
2018-02-24 16:46:44 -05:00