Commit graph

2643 commits

Author SHA1 Message Date
Richard Henderson 23d8f5fba2
qemu/atomic: Loosen restrictions for 64-bit ILP32 hosts
We need to coordinate with the TCG_OVERSIZED_GUEST test in cputlb.c,
and allow 64-bit atomics even though sizeof(void *) == 4.

Backports commit 374aae653499f4d405caf32b7fff0c8639113fe4 from qemu
2018-03-02 20:06:39 -05:00
Luc MICHEL 393019de26
target/arm: add data cache invalidation cp15 instruction to cortex-r5
The cp15, CRn=15, opc1=0, CRm=5, opc2=0 instruction invalidates all the
data cache on the cortex-r5. Implementing it as a NOP.

Backports commit 95e9a242e2a393c7d4e5cc04340e39c3a9420f03 from qemu
2018-03-02 20:04:20 -05:00
Peter Maydell 565626ca63
armv7m: Raise correct kind of UsageFault for attempts to execute ARM code
M profile doesn't implement ARM, and the architecturally required
behaviour for attempts to execute with the Thumb bit clear is to
generate a UsageFault with the CFSR INVSTATE bit set. We were
incorrectly implementing this as generating an UNDEFINSTR UsageFault;
fix this.

Backports commit e13886e3a790b52f0b2e93cb5e84fdc2ada5471a from qemu
2018-03-02 20:00:58 -05:00
Peter Maydell fbfeca93b3
armv7m: Check exception return consistency
Implement the exception return consistency checks
described in the v7M pseudocode ExceptionReturn().

Inspired by a patch from Michael Davidsaver's series, but
this is a reimplementation from scratch based on the
ARM ARM pseudocode.

Backports commit aa488fe3bb5460c6675800ccd80f6dccbbd70159 from qemu
2018-03-02 19:59:18 -05:00
Peter Maydell 0736054d6d
armv7m: Extract "exception taken" code into functions
Extract the code from the tail end of arm_v7m_do_interrupt() which
enters the exception handler into a pair of utility functions
v7m_exception_taken() and v7m_push_stack(), which correspond roughly
to the pseudocode PushStack() and ExceptionTaken().

This also requires us to move the arm_v7m_load_vector() utility
routine up so we can call it.

Handling illegal exception returns has some cases where we want to
take a UsageFault either on an existing stack frame or with a new
stack frame but with a specific LR value, so we want to be able to
call these without having to go via arm_v7m_cpu_do_interrupt().

Backports commit 39ae2474e337247e5930e8be783b689adc9f6215 from qemu
2018-03-02 19:54:46 -05:00
Michael Davidsaver 5b9f53bd27
armv7m: Simpler and faster exception start
All the places in armv7m_cpu_do_interrupt() which pend an
exception in the NVIC are doing so for synchronous
exceptions. We know that we will always take some
exception in this case, so we can just acknowledge it
immediately, rather than returning and then immediately
being called again because the NVIC has raised its outbound
IRQ line.

Backports commit a25dc805e2e63a55029e787a52335e12dabf07dc from qemu
2018-03-02 19:52:01 -05:00
Peter Maydell 43ba76cb28
armv7m: Fix condition check for taking exceptions
The M profile condition for when we can take a pending exception or
interrupt is not the same as that for A/R profile. The code
originally copied from the A/R profile version of the
cpu_exec_interrupt function only worked by chance for the
very simple case of exceptions being masked by PRIMASK.
Replace it with a call to a function in the NVIC code that
correctly compares the priority of the pending exception
against the current execution priority of the CPU.

Backports commit 7ecdaa4a9635f1ded0dfa9218c25273b6d4dcd44 from qemu
2018-03-02 19:50:05 -05:00
Peter Maydell 5470bd1763
armv7m: Remove unused armv7m_nvic_acknowledge_irq() return value
Having armv7m_nvic_acknowledge_irq() return the new value of
env->v7m.exception and its one caller assign the return value
back to env->v7m.exception is pointless. Just make the return
type void instead.

Backports commit a5d8235545e98c1ce02560d5f4f57552d937efe9 from qemu
2018-03-02 19:36:07 -05:00
Peter Maydell 50c956db7e
arm: Implement HFNMIENA support for M profile MPU
Implement HFNMIENA support for the M profile MPU. This bit controls
whether the MPU is treated as enabled when executing at execution
priorities of less than zero (in NMI, HardFault or with the FAULTMASK
bit set).

Doing this requires us to use a different MMU index for "running
at execution priority < 0", because we will have different
access permissions for that case versus the normal case.

Backports commit 3bef7012560a7f0ea27b265105de5090ba117514 from qemu
2018-03-02 19:33:24 -05:00
Michael Davidsaver 611a711f7b
arm: add MPU support to M profile CPUs
The M series MPU is almost the same as the already implemented R
profile MPU (v7 PMSA). So all we need to implement here is the MPU
register interface in the system register space.

This implementation has the same restriction as the R profile MPU
that it doesn't permit regions to be sized down smaller than 1K.

We also do not yet implement support for MPU_CTRL.HFNMIENA; this
bit should if zero disable use of the MPU when running HardFault,
NMI or with FAULTMASK set to 1 (ie at an execution priority of
less than zero) -- if the MPU is enabled we don't treat these
cases any differently.

Backports commit 29c483a506070e8f554c77d22686f405e30b9114 from qemu
2018-03-02 19:30:20 -05:00
Michael Davidsaver 09d69209a0
armv7m: Classify faults as MemManage or BusFault
General logic is that operations stopped by the MPU are MemManage,
and those which go through the MPU and are caught by the unassigned
handle are BusFault. Distinguish these by looking at the
exception.fsr values, and set the CFSR bits and (if appropriate)
fill in the BFAR or MMFAR with the exception address.

Backports commit 5dd0641d234e355597be62e5279d8a519c831625 from qemu
2018-03-02 19:28:21 -05:00
Peter Maydell 9bc3050c51
arm: All M profile cores are PMSA
All M profile CPUs are PMSA, so set the feature bit.
(We haven't actually implemented the M profile MPU register
interface yet, but setting this feature bit gives us closer
to correct behaviour for the MPU-disabled case.)

Backports commit 790a11503cfb5e1dcd031ea2212bbebae4ca3cec from qemu
2018-03-02 19:26:41 -05:00
Michael Davidsaver 4d8ae4a2b2
armv7m: Implement M profile default memory map
Add support for the M profile default memory map which is used
if the MPU is not present or disabled.

The main differences in behaviour from implementing this
correctly are that we set the PAGE_EXEC attribute on
the right regions of memory, such that device regions
are not executable.

Backports commit 3a00d560bcfca7ad04327062c1986a016c104b1f from qemu
2018-03-02 19:25:02 -05:00
Michael Davidsaver 7c845dabe8
armv7m: Improve "-d mmu" tracing for PMSAv7 MPU
Improve the "-d mmu" tracing for the PMSAv7 MPU translation
process as an aid in debugging guest MPU configurations:
* fix a missing newline for a guest-error log
* report the region number with guest-error or unimp
logs of bad region register values
* add a log message for the overall result of the lookup
* print "0x" prefix for hex values

Backports commit c9f9f1246d630960bce45881e9c0d27b55be71e2 from qemu
2018-03-02 19:17:05 -05:00
Peter Maydell bfe99e9a0b
arm: Remove unnecessary check on cpu->pmsav7_dregion
Now that we enforce both:
* pmsav7_dregion == 0 implies has_mpu == false
* PMSA with has_mpu == false means SCTLR.M cannot be set
we can remove a check on pmsav7_dregion from get_phys_addr_pmsav7(),
because we can only reach this code path if the MPU is enabled
(and so region_translation_disabled() returned false).

Backports commit e9235c6983b261e04e897e8ff900b2b7a391e644 from qemu
2018-03-02 19:14:50 -05:00
Peter Maydell 349227bb05
arm: Don't let no-MPU PMSA cores write to SCTLR.M
If the CPU is a PMSA config with no MPU implemented, then the
SCTLR.M bit should be RAZ/WI, so that the guest can never
turn on the non-existent MPU.

Backports commit 06312febfb2d35367006ef23608ddd6a131214d4 from qemu
2018-03-02 19:13:37 -05:00
Peter Maydell e564ed6311
arm: Don't clear ARM_FEATURE_PMSA for no-mpu configs
Fix the handling of QOM properties for PMSA CPUs with no MPU:

Allow no-MPU to be specified by either:
* has-mpu = false
* pmsav7_dregion = 0
and make setting one imply the other. Don't clear the PMSA
feature bit in this situation.

Backports commit f50cd31413d8bc9d1eef8edd1f878324543bf65d from qemu
2018-03-02 19:12:20 -05:00
Peter Maydell 6614ba9615
arm: Clean up handling of no-MPU PMSA CPUs
ARM CPUs come in two flavours:
* proper MMU ("VMSA")
* only an MPU ("PMSA")
For PMSA, the MPU may be implemented, or not (in which case there
is default "always acts the same" behaviour, but it isn't guest
programmable).

QEMU is a bit confused about how we indicate this: we have an
ARM_FEATURE_MPU, but it's not clear whether this indicates
"PMSA, not VMSA" or "PMSA and MPU present" , and sometimes we
use it for one purpose and sometimes the other.

Currently trying to implement a PMSA-without-MPU core won't
work correctly because we turn off the ARM_FEATURE_MPU bit
and then a lot of things which should still exist get
turned off too.

As the first step in cleaning this up, rename the feature
bit to ARM_FEATURE_PMSA, which indicates a PMSA CPU (with
or without MPU).

Backports commit 452a095526a0537f16c271516a2200877a272ea8 from qemu
2018-03-02 19:05:31 -05:00
Peter Maydell b50d2da03c
arm: Use different ARMMMUIdx values for M profile
Make M profile use completely separate ARMMMUIdx values from
those that A profile CPUs use. This is a prelude to adding
support for the MPU and for v8M, which together will require
6 MMU indexes which don't map cleanly onto the A profile
uses:
non secure User
non secure Privileged
non secure Privileged, execution priority < 0
secure User
secure Privileged
secure Privileged, execution priority < 0

Backports commit e7b921c2d9efc249f99b9feb0e7dca82c96aa5c4 from qemu
2018-03-02 19:01:42 -05:00
Michael Davidsaver f532e80749
armv7m: Escalate exceptions to HardFault if necessary
The v7M exception architecture requires that if a synchronous
exception cannot be taken immediately (because it is disabled
or at too low a priority) then it should be escalated to
HardFault (and the HardFault exception is then taken).
Implement this escalation logic.

Backports commit a73c98e159d18155445d29b6044be6ad49fd802f from qemu
2018-03-02 18:59:13 -05:00
Peter Maydell b7bf752d3c
arm: Add support for M profile CPUs having different MMU index semantics
The M profile CPU's MPU has an awkward corner case which we
would like to implement with a different MMU index.

We can avoid having to bump the number of MMU modes ARM
uses, because some of our existing MMU indexes are only
used by non-M-profile CPUs, so we can borrow one.
To avoid that getting too confusing, clean up the code
to try to keep the two meanings of the index separate.

Instead of ARMMMUIdx enum values being identical to core QEMU
MMU index values, they are now the core index values with some
high bits set. Any particular CPU always uses the same high
bits (so eventually A profile cores and M profile cores will
use different bits). New functions arm_to_core_mmu_idx()
and core_to_arm_mmu_idx() convert between the two.

In general core index values are stored in 'int' types, and
ARM values are stored in ARMMMUIdx types.

Backports commit 8bd5c82030b2cb09d3eef6b444f1620911cc9fc5 from qemu
2018-03-02 18:59:13 -05:00
Wei Huang 19335c32c9
target/arm: clear PMUVER field of AA64DFR0 when vPMU=off
The PMUv3 driver of linux kernel (in arch/arm64/kernel/perf_event.c)
relies on the PMUVER field of id_aa64dfr0_el1 to decide if PMU support
is present or not. This patch clears the PMUVER field under TCG mode
when vPMU=off. Without it, PMUv3 will init insider guest VMs even
with vPMU=off. This patch also removes a redundant line inside the
if-statement.

Backports commit 2b3ffa929249b15a75d8bde3e8e57a744f52aff0 from qemu
2018-03-02 18:59:12 -05:00
Peter Maydell 4789e49c4d
arm: Use the mmu_idx we're passed in arm_cpu_do_unaligned_access()
When identifying the DFSR format for an alignment fault, use
the mmu index that we are passed, rather than calling cpu_mmu_index()
to get the mmu index for the current CPU state. This doesn't actually
make any difference since the only cases where the current MMU index
differs from the index used for the load are the "unprivileged
load/store" instructions, and in that case the mmu index may
differ but the translation regime is the same (apart from the
"use from Hyp mode" case which is UNPREDICTABLE).
However it's the more logical thing to do.

Backports commit e517d95b63427fae9f03958dbc005c36b4ebf2cf from qemu
2018-03-02 18:59:12 -05:00
Peter Xu fce1b469e5
memory: tune last param of iommu_ops.translate()
This patch converts the old "is_write" bool into IOMMUAccessFlags. The
difference is that "is_write" can only express either read/write, but
sometimes what we really want is "none" here (neither read nor write).
Replay is an good example - during replay, we should not check any RW
permission bits since thats not an actual IO at all.

Backports commit bf55b7afce53718ef96f4e6616da62c0ccac37dd from qemu
2018-03-02 18:59:12 -05:00
Peter Xu 5621c7e09f
exec: abstract address_space_do_translate()
This function is an abstraction helper for address_space_translate() and
address_space_get_iotlb_entry(). It does the lookup of address into
memory region section, then does proper IOMMU translation if necessary.
Refactor the two existing functions to use it.

This fixes vhost when IOMMU is disabled by guest.

Backports commit a764040cc831cfe5b8bf1c80e8341b9bf2de3ce8 from qemu
2018-03-02 18:59:12 -05:00
Nikunj A Dadhania d907423bac
cputlb: handle first atomic write to the page
In case where the conditional write is the first write to the page,
TLB_NOTDIRTY will be set and stop_the_world is triggered. Handle this as
a special case and set the dirty bit. After that fall through to the
actual atomic instruction below.

Backports commit 7f9af1abdcc69fd1d3d8d2be68464329600616d6 from qemu
2018-03-02 18:59:12 -05:00
Aurelien Jarno 00ebbae128
tcg/mips: fix field extraction opcode
The "msb" argument should correspond to (len - 1).

Backports commit 2f5a5f5774d95baacf86c03aa8a77a2d0390f2b2 from qemu
2018-03-02 18:59:12 -05:00
Richard Henderson 69116abafc
tcg: Initialize return value after exit_atomic
Users of tcg_gen_atomic_cmpxchg and do_atomic_op rightfully utilize
the output. Even though this code is dead, it gets translated, and
without the initialization we encounter a tcg_error.

Backports commit 79b1af906245558c30e0a5faf26cb52b63f83cce from qemu
2018-03-02 18:59:11 -05:00
Gerd Hoffmann 108354cc4a
bitmap: add bitmap_copy_and_clear_atomic
Backports commit d6eb1413920affb7be3df9982682dd183a805dd7 from qemu
2018-03-02 18:59:11 -05:00
Peter Maydell b8b70dfcd2
Drop QEMU_GNUC_PREREQ() checks for gcc older than 4.1
We already require gcc 4.1 or newer (for the atomic
support), so the fallback codepaths for older gcc
versions than that are now dead code and we can
just delete them.

NB: clang reports itself as gcc 4.2 (regardless of
clang version), so clang won't be using the fallbacks
either.

Backports commit fa54abb8c298f892639ffc4bc2f61448ac3be4a1 from qemu
2018-03-02 18:59:05 -05:00
Peter Maydell 2935a9af7a
arm: Remove workarounds for old M-profile exception return implementation
Now that we've rewritten M-profile exception return so that the magic
PC values are not visible to other parts of QEMU, we can delete the
special casing of them elsewhere.

Backports commit f4e8e4edda875cab9df91dc4ae9767f7cb1f50aa from qemu
2018-03-02 15:02:14 -05:00
Peter Maydell 44bf8985e5
arm: Implement M profile exception return properly
On M profile, return from exceptions happen when code in Handler mode
executes one of the following function call return instructions:
* POP or LDM which loads the PC
* LDR to PC
* BX register
and the new PC value is 0xFFxxxxxx.

QEMU tries to implement this by not treating the instruction
specially but then catching the attempt to execute from the magic
address value. This is not ideal, because:
* there are guest visible differences from the architecturally
specified behaviour (for instance jumping to 0xFFxxxxxx via a
different instruction should not cause an exception return but it
will in the QEMU implementation)
* we have to account for it in various places (like refusing to take
an interrupt if the PC is at a magic value, and making sure that
the MPU doesn't deny execution at the magic value addresses)

Drop these hacks, and instead implement exception return the way the
architecture specifies -- by having the relevant instructions check
for the magic value and raise the 'do an exception return' QEMU
internal exception immediately.

The effect on the generated code is minor:

bx lr, old code (and new code for Thread mode):
TCG:
mov_i32 tmp5,r14
movi_i32 tmp6,$0xfffffffffffffffe
and_i32 pc,tmp5,tmp6
movi_i32 tmp6,$0x1
and_i32 tmp5,tmp5,tmp6
st_i32 tmp5,env,$0x218
exit_tb $0x0
set_label $L0
exit_tb $0x7f2aabd61993
x86_64 generated code:
0x7f2aabe87019: mov %ebx,%ebp
0x7f2aabe8701b: and $0xfffffffffffffffe,%ebp
0x7f2aabe8701e: mov %ebp,0x3c(%r14)
0x7f2aabe87022: and $0x1,%ebx
0x7f2aabe87025: mov %ebx,0x218(%r14)
0x7f2aabe8702c: xor %eax,%eax
0x7f2aabe8702e: jmpq 0x7f2aabe7c016

bx lr, new code when in Handler mode:
TCG:
mov_i32 tmp5,r14
movi_i32 tmp6,$0xfffffffffffffffe
and_i32 pc,tmp5,tmp6
movi_i32 tmp6,$0x1
and_i32 tmp5,tmp5,tmp6
st_i32 tmp5,env,$0x218
movi_i32 tmp5,$0xffffffffff000000
brcond_i32 pc,tmp5,geu,$L1
exit_tb $0x0
set_label $L1
movi_i32 tmp5,$0x8
call exception_internal,$0x0,$0,env,tmp5
x86_64 generated code:
0x7fe8fa1264e3: mov %ebp,%ebx
0x7fe8fa1264e5: and $0xfffffffffffffffe,%ebx
0x7fe8fa1264e8: mov %ebx,0x3c(%r14)
0x7fe8fa1264ec: and $0x1,%ebp
0x7fe8fa1264ef: mov %ebp,0x218(%r14)
0x7fe8fa1264f6: cmp $0xff000000,%ebx
0x7fe8fa1264fc: jae 0x7fe8fa126509
0x7fe8fa126502: xor %eax,%eax
0x7fe8fa126504: jmpq 0x7fe8fa122016
0x7fe8fa126509: mov %r14,%rdi
0x7fe8fa12650c: mov $0x8,%esi
0x7fe8fa126511: mov $0x56095dbeccf5,%r10
0x7fe8fa12651b: callq *%r10

which is a difference of one cmp/branch-not-taken. This will
be lost in the noise of having to exit generated code and
look up the next TB anyway.

Backports commit 3bb8a96f5348913ee130169504f3642f501b113e from qemu
2018-03-02 14:58:14 -05:00
Peter Maydell cfc1611d6f
arm: Track M profile handler mode state in TB flags
For M profile exception-return handling we'd like to generate different
code for some instructions depending on whether we are in Handler
mode or Thread mode. This isn't the same as "are we privileged
or user", so we need an extra bit in the TB flags to distinguish.

Backports commit 064c379c99b835bdcc478d21a3849507ea07d53a from qemu
2018-03-02 14:54:16 -05:00
Peter Maydell 8233756382
arm: Move condition-failed codepath generation out of if()
Move the code to generate the "condition failed" instruction
codepath out of the if (singlestepping) {} else {}. This
will allow adding support for handling a new is_jmp type
which can't be neatly split into "singlestepping case"
versus "not singlestepping case".

Backports commit f021b2c4627890d82fbcc300db3bd782b37b7f8a from qemu

arm: Abstract out "are we singlestepping" test to utility function

We now test for "are we singlestepping" in several places and
it's not a trivial check because we need to care about both
architectural singlestep and QEMU gdbstub singlestep. We're
also about to add another place that needs to make this check,
so pull the condition out into a function.

Backports commit b636649f5a2e108413dd171edaf320f781f57942 from qemu
2018-03-02 14:52:30 -05:00
Peter Maydell 43d6e73fea
arm: Move gen_set_condexec() and gen_set_pc_im() up in the file
Move the utility routines gen_set_condexec() and gen_set_pc_im()
up in the file, as we will want to use them from a function
placed earlier in the file than their current location.

Backports commit 4d5e8c969a74c86124fc2284ea603cc6dd3c5dfa from qemu
2018-03-02 14:48:36 -05:00
Peter Maydell 23141d7620
arm: Factor out "generate right kind of step exception"
We currently have two places that do:
if (dc->ss_active) {
gen_step_complete_exception(dc);
} else {
gen_exception_internal(EXCP_DEBUG);
}

Factor this out into its own function, as we're about to add
a third place that needs the same logic.

Backports commit 5425415ebba5fa20558e1ef25e1997a6f5ea4c7c from qemu
2018-03-02 14:45:30 -05:00
Peter Maydell ddfe550411
arm: Thumb shift operations should not permit interworking branches
In Thumb mode, the only instructions which can cause an interworking
branch by writing the PC are BLX, BX, BXJ, LDR, POP and LDM. Unlike
ARM mode, data processing instructions which target the PC do not
cause interworking branches.

When we added support for doing interworking branches on writes to
PC from data processing instructions in commit 21aeb3430ce7ba, we
accidentally changed a Thumb instruction to have interworking
branch behaviour for writes to PC. (MOV, MOVS register-shifted
register, encoding T2; this is the standard encoding for
LSL/LSR/ASR/ROR (register).)

For this encoding, behaviour with Rd == R15 is specified as
UNPREDICTABLE, so allowing an interworking branch is within
spec, but it's confusing and differs from our handling of this
class of UNPREDICTABLE for other Thumb ALU operations. Make
it perform a simple (non-interworking) branch like the others.

Backports commit bedb8a6b09c1754c3b9f155750c62dc087706698 from qemu
2018-03-02 14:42:40 -05:00
Peter Maydell 9f938da9e1
arm: Don't implement BXJ on M-profile CPUs
For M-profile CPUs, the BXJ instruction does not exist at all, and
the encoding should always UNDEF. We were accidentally implementing
it to behave like A-profile BXJ; correct the error.

Backports commit 9d7c59c84d4530d05e8702b1c3a31e6da00a397e from qemu
2018-03-02 14:42:04 -05:00
Peter Maydell e9d507a193
target/arm: Add assertion about FSC format for syndrome registers
In tlb_fill() we construct a syndrome register value from a
fault status register value which is filled in by arm_tlb_fill().
arm_tlb_fill() returns FSR values which might be in the format
used with short-format page descriptors, or the format used
with long-format (LPAE) descriptors. The syndrome register
always uses LPAE-format FSR status codes.

It isn't actually possible to end up delivering a syndrome
register value to the guest for a fault which is reported
with a short-format FSR (that kind of stage 1 fault will only
happen for an AArch32 translation regime which doesn't have
a syndrome register, and can never be redirected to an AArch64
or Hyp exception level). Add an assertion which checks this,
and adjust the code so that we construct a syndrome with
an invalid status code, rather than allowing set bits in
the FSR input to randomly corrupt other fields in the syndrome.

Backports commit 65ed2ed90d9d81fd4b639029be850ea5651f919f from qemu
2018-03-02 14:41:07 -05:00
Peter Maydell 1cf80d7536
arm: Move excnames[] array into arm_log_exceptions()
The excnames[] array is defined in internals.h because we used
to use it from two different source files for handling logging
of AArch32 and AArch64 exception entry. Refactoring means that
it's now used only in arm_log_exception() in helper.c, so move
the array into that function.

Backports commit 2c4a7cc5afb1bfc1728a39abd951ddd7714c476e from qemu
2018-03-02 14:39:37 -05:00
Peter Maydell 1af1944903
target/arm: Add missing entries to excnames[] for log strings
Recent changes have added new EXCP_ values to ARM but forgot
to update the excnames[] array which is used to provide
human-readable strings when printing information about the
exception for debug logging. Add the missing entries, and
add a comment to the list of #defines to help avoid the mistake
being repeated in future.

Backports commit 32b81e620ea562d56ab2733421b5da1082b237a2 from qemu
2018-03-02 14:38:23 -05:00
Richard Henderson 13242af398
target/arm: Fix aa64 ldp register writeback
For "ldp x0, x1, [x0]", if the second load is on a second page and
the second page is unmapped, the exception would be raised with x0
already modified. This means the instruction couldn't be restarted.

Backports commit 2d1bbf51c2cb948da4b6fd5f91cf3ecc80b28156 from qemu
2018-03-02 14:35:46 -05:00
Paolo Bonzini c27870520a
exec: revert MemoryRegionCache
MemoryRegionCache did not know about virtio support for IOMMUs (because the
two features were developed at the same time). Revert MemoryRegionCache
to "normal" address_space_* operations for 2.9, as it is simpler than
undoing the virtio patches.

Backports commit 90c4fe5fc517a045e7a7cf2f23472e114042ca29 from qemu
2018-03-02 14:30:41 -05:00
Peter Maydell 008a235b5e
tcg/sparc: Zero extend address argument to ld/st helpers
The C store helper functions take the address argument as a
target_ulong type; if this is 32 bit but the host is 64 bit
then the SPARC calling convention requires that the caller
must zero extend the value. We weren't doing this, which
meant we could pass values to the caller with high bits set
and QEMU would crash if it was compiled with optimizations.
In particular, the i386 BIOS would not start.

Backports commit 5c32be5baf41aec4f4675d2bf24f9948756abf3c from qemu
2018-03-02 14:25:17 -05:00
Peter Maydell 40718df109
tcg/sparc: Zero extend data argument to store helpers
The C store helper functions take the data argument as a uint8_t,
uint16_t, etc depending on the store size. The SPARC calling
convention requires that data types smaller than the register
size must be extended by the caller. We weren't doing this,
which meant that if QEMU was compiled with optimizations enabled
we could end up storing incorrect values to guest memory.
(In particular the i386 guest BIOS would crash on startup.)

Add code to the trampolines that call the store helpers to
do the zero extension as required.

Backports commit 709a340d679d95a0c6cbb9b5f654498f04345b50 from qemu
2018-03-02 14:24:24 -05:00
Eduardo Habkost e71c7b7819
i386: Don't override -cpu options on -cpu host/max
The existing code for "host" and "max" CPU models overrides every
single feature in the CPU object at realize time, even the ones
that were explicitly enabled or disabled by the user using
"feat=on" or "feat=off", while features set using +feat/-feat are
kept.

This means "-cpu host,+invtsc" works as expected, while
"-cpu host,invtsc=on" doesn't.

This was a known bug, already documented in a comment inside
x86_cpu_expand_features(). What makes this bug worse now is that
libvirt 3.0.0 and newer now use "feat=on|off" instead of
+feat/-feat when it detects a QEMU version that supports it (see
libvirt commit d47db7b16dd5422c7e487c8c8ee5b181a2f9cd66).

Change the feature property getter/setter to set a
env->user_features field, to keep track of features that were
explicitly changed using QOM properties. Then make the
max_features code not override user features when handling "-cpu
host" and "-cpu max".

This will also allow us to remove the plus_features/minus_features
hack in the future, but I plan to do that after 2.9.0 is
released.

Backports commit d4a606b38b5d4b3689b86cc1575908e82179ecfb from qemu
2018-03-02 14:22:45 -05:00
Pranith Kumar 31b977ab3e
tcg/i386: Check the size of instruction being translated
This fixes the bug: 'user-to-root privesc inside VM via bad translation
caching' reported by Jann Horn here:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1122

Backports commit 30663fd26c0307e414622c7a8607fbc04f92ec14 from qemu
2018-03-02 14:19:35 -05:00
Paolo Bonzini b750ec2363
configure: remove Cygwin
The Cygwin target is really compiling for native Win32 with -mno-cygwin.
Except, GCC 4.7.0 has finally removed the long deprecated -mno-cygwin
option, and that happened about five years ago.

Let it rest in peace.

Backports commit c8645752ce31cc044ecc5f969a986fdcb6aab590 from qemu
2018-03-02 14:17:41 -05:00
Yongbok Kim ce3aecf263
target/mips: fix delay slot detection in gen_msa_branch()
It is unnecessary to test R6 from delay/forbidden slot check
in gen_msa_branch().

https://bugs.launchpad.net/qemu/+bug/1663287

Backports commit 075a1fe788d36b271ec25507466c30b9a90b5d54 from qemu
2018-03-02 14:15:50 -05:00
Philippe Mathieu-Daudé d17c07b548
target-mips: replace break by goto cp0_unimplemented
this fixes many warnings like:

target/mips/translate.c:6253:13: warning: Value stored to 'rn' is never read
rn = "invalid sel";
^ ~~~~~~~~~~~~~

Backports commit 3570d7f6672836140f0a1ec9bf95dd5ea50a2aaa from qemu
2018-03-02 14:14:57 -05:00
Philippe Mathieu-Daudé 5f78f3cd80
target-mips: log bad coprocessor0 register accesses with LOG_UNIMP
Backports commit 965447eecb6b98d6dfc4dbd97f836093c7e398a0 from qemu
2018-03-02 14:12:29 -05:00
Philippe Mathieu-Daudé e7176e6c85
target-mips: remove old & unuseful comments
Backports commit 989f2aa9af7f05c323761b66c0e299059a19b7b1 from qemu
2018-03-02 14:11:20 -05:00
Philippe Mathieu-Daudé 65c69e6ccb
target-mips: fix compiler warnings (clang 5)
static code analyzer complain:

target/mips/helper.c:453:5: warning: Function call argument is an uninitialized value
qemu_log_mask(CPU_LOG_MMU,
^~~~~~~~~~~~~~~~~~~~~~~~~~

'physical' and 'prot' are uninitialized if 'ret' is not TLBRET_MATCH.

Backports commit def74c0cf05722b2e502d4b4f1219966c5b0cbd3 from qemu
2018-03-02 14:09:55 -05:00
Peter Maydell 78303d4c1b
arm: Fix APSR writes via M profile MSR
Our implementation of writes to the APSR for M-profile via the MSR
instruction was badly broken.

First and worst, we had the sense wrong on the test of bit 2 of the
SYSm field -- this is supposed to request an APSR write if bit 2 is 0
but we were doing it if bit 2 was 1. This bug was introduced in
commit 58117c9bb429cd, so hasn't been in a QEMU release.

Secondly, the choice of exactly which parts of APSR should be written
is defined by bits in the 'mask' field. We were not passing these
through from instruction decode, making it impossible to check them
in the helper.

Pass the mask bits through from the instruction decode to the helper
function and process them appropriately; fix the wrong sense of the
SYSm bit 2 check.

Invalid mask values and invalid combinations of mask and register
number are UNPREDICTABLE; we choose to treat them as if the mask
values were valid.

Backports commit b28b3377d7e9ba35611d454d5a63ef50cab1f8c5 from qemu
2018-03-02 14:08:13 -05:00
Peter Maydell bb5819cbbc
armv7m: R14 should reset to 0xffffffff
For M profile (unlike A profile) the reset value of R14 is specified
as 0xffffffff. (The rationale is that this is an illegal exception
return value, so if guest code tries to return to it it will result
in a helpful exception.)

Registers r0 to r12 and the flags are architecturally UNKNOWN on
reset, so we leave those at zero.

Backports commit 056f43df9168413f304500b69c33158d66efb7cf from qemu
2018-03-02 13:56:36 -05:00
Michael Davidsaver f42f22ec02
armv7m: FAULTMASK should be 0 on reset
For M profile CPUs, FAULTMASK should be 0 on reset, like PRIMASK.
QEMU stores FAULTMASK in the PSTATE F bit, so (as with PRIMASK in the
I bit) we have to clear these to undo the A profile default of 1.

Update the comment accordingly and move it so that it's closer to the
code it's referring to.

Backports commit dc7abe4d65ad39390b2db120f5ad18f8f6576f8b from qemu
2018-03-02 13:55:59 -05:00
Peter Maydell 8a6d746aef
armv7m: Report no-coprocessor faults correctly
For v7M attempts to access a nonexistent coprocessor are reported
differently from plain undefined instructions (as UsageFaults of type
NOCP rather than type UNDEFINSTR). Split them out into a new
EXCP_NOCP so we can report the FSR value correctly.

Backports commit 7517748e3f71a3099e57915fba95c4c308e6d842 from qemu
2018-03-02 13:54:36 -05:00
Peter Maydell fce8138187
armv7m: Report no-coprocessor faults correctly
For v7M attempts to access a nonexistent coprocessor are reported
differently from plain undefined instructions (as UsageFaults of type
NOCP rather than type UNDEFINSTR). Split them out into a new
EXCP_NOCP so we can report the FSR value correctly.

Backports commit 7517748e3f71a3099e57915fba95c4c308e6d842 from qemu
2018-03-02 13:47:14 -05:00
Michael Davidsaver eaa080e232
armv7m: set CFSR.UNDEFINSTR on undefined instructions
When we take an exception for an undefined instruction, set the
appropriate CFSR bit.

Backports commit 81dd9648c69bb89afdd6f4bb3ed6f3efdac96524 from qemu
2018-03-02 13:45:56 -05:00
Michael Davidsaver 2297b8134b
armv7m: honour CCR.STACKALIGN on exception entry
The CCR.STACKALIGN bit controls whether the CPU is supposed to force
8-alignment of the stack pointer on entry to the exception handler.

Backports commit dc858c6633a9af8b80c1509cf6f825e4390d3ad1 from qemu
2018-03-02 13:45:06 -05:00
Peter Maydell 7870bcfcb0
armv7m: add state for v7M CCR, CFSR, HFSR, DFSR, MMFAR, BFAR
Add the structure fields, VMState fields, reset code and macros for
the v7M system control registers CCR, CFSR, HFSR, DFSR, MMFAR and
BFAR.

Backports commit 2c4da50d9477fb830d778bb5d6a11215aa359b44 from qemu
2018-03-02 13:43:55 -05:00
Michael Davidsaver 7f044bf8cc
armv7m: Clear FAULTMASK on return from non-NMI exceptions
FAULTMASK must be cleared on return from all
exceptions other than NMI.

Backports commit a20ee6005564590d33eabec11ed4dc7c432db36b from qemu
2018-03-02 13:41:16 -05:00
Michael Davidsaver cc9458cf59
armv7m: Explicit error for bad vector table
Give an explicit error and abort when a load
from the vector table fails. Architecturally this
should HardFault (which will then immediately
fail to load the HardFault vector and go into Lockup).
Since we don't model Lockup, just report this guest
error via cpu_abort(). This is more helpful than the
previous behaviour of reading a zero, which is the
address of the reset stack pointer and not a sensible
location to jump to.

Backports commit 1b9ea408fca1ce8caae67b792355b023c69c5ac5 from qemu
2018-03-02 13:38:08 -05:00
Michael Davidsaver 703489071f
armv7m: Replace armv7m.hack with unassigned_access handler
For v7m we need to catch attempts to execute from special
addresses at 0xfffffff0 and above. Previously we did this
with the aid of a hacky special purpose lump of memory
in the address space and a check in translate.c for whether
we were translating code at those addresses.

We can implement this more cleanly using a CPU
unassigned access handler which throws the exception
if the unassigned access is for one of the special addresses.

Backports commit 542b3478a00cb7ef51c259255b3ab1e2a7daada2 from qemu
2018-03-02 13:33:31 -05:00
Michael Davidsaver 8828b4e595
armv7m: MRS/MSR: handle unprivileged access
The MRS and MSR instruction handling has a number of flaws:
* unprivileged accesses should only be able to read
CONTROL and the xPSR subfields, and only write APSR
(others RAZ/WI)
* privileged access should not be able to write xPSR
subfields other than APSR
* accesses to unimplemented registers should log as
guest errors, not abort QEMU

Backports commit 58117c9bb429cd9552d998687aa99088eb1d8528 from qemu
2018-03-02 13:29:59 -05:00
Michael Davidsaver 2769c6ada0
armv7m: Fix reads of CONTROL register bit 1
The v7m CONTROL register bit 1 is SPSEL, which indicates
the stack being used. We were storing this information
not in v7m.control but in the separate v7m.other_sp
structure field. Unfortunately, the code handling reads
of the CONTROL register didn't take account of this, and
so if SPSEL was updated by an exception entry or exit then
a subsequent guest read of CONTROL would get the wrong value.

Using a separate structure field doesn't really gain us
anything in efficiency, so drop this unnecessary complexity
in favour of simply storing all the bits in v7m.control.

This is a migration compatibility break for M profile
CPUs only.

Backports commit abc24d86cc0364f402e438fae3acb14289b40734 from qemu
2018-03-02 13:26:38 -05:00
Peter Maydell d8eb259032
arm: Enforce should-be-1 bits in MRS decoding
The MRS instruction requires that bits [19..16] are all 1s, and for
A/R profile also that bits [7..0] are all 0s. At this point in the
decode tree we have checked all of the rest of the instruction but
were allowing these to be any value. If these bits are not set then
the result is architecturally UNPREDICTABLE, but choosing to UNDEF is
more helpful to the user and avoids unexpected odd behaviour if the
encodings are used for some purpose in future architecture versions.

Backports commit 3d54026fb06d1aea7ebb4e9825970b06bebcacac from qemu
2018-03-02 13:09:17 -05:00
Peter Maydell dc44eded51
arm: Don't decode MRS(banked) or MSR(banked) for M profile
M profile doesn't have the MSR(banked) and MRS(banked) instructions
and uses the encodings for different kinds of M-profile MRS/MSR.
Guard the relevant bits of the decode logic to make sure we don't
accidentally fall into them by accident on M-profile.

(The bit being checked for this (bit 5) is part of the SYSm field on
M-profile, but since no currently allocated system registers have
encodings with bit 5 of SYSm set, this hasn't been a problem in
practice.)

Backports commit 43ac65742319ef5ac4461daf43316b189cd21e89 from qemu
2018-03-02 13:08:20 -05:00
Peter Maydell cc2a6a2728
arm: HVC and SMC encodings don't exist for M profile
M profile doesn't have the HVC or SMC encodings, so make them always
UNDEF rather than generating calls to helper functions that assume
A/R profile.

Backports commit 001b3cab51ebfcb13e8dd03ea25bfa3bd0c517a3 from qemu
2018-03-02 13:07:31 -05:00
Dr. David Alan Gilbert 55d79cf4c0
RAMBlocks: qemu_ram_is_shared
Provide a helper to say whether a RAMBlock was created as a
shared mapping.

Backports commit 463a4ac23bcf0f0b65c850fa66f5ae6e43edd243 from qemu
2018-03-02 13:05:35 -05:00
Dr. David Alan Gilbert 5dfbee8930
memory_region: Fix name comments
The 'name' parameter to memory_region_init_* had been marked as debug
only, however vmstate_region_ram uses it as a parameter to
qemu_ram_set_idstr to set RAMBlock names and these form part of the
migration stream.

Backports commit e8f5fe2de125a0bfbefbaa6a69af81f4817cb7a0 from qemu
2018-03-02 13:01:23 -05:00
Andrew Jones 0139cbc2cd
target/arm/arm-powerctl: Fix psci info return values
The power state spec section 5.1.5 AFFINITY_INFO defines the
affinity info return values as

0 ON
1 OFF
2 ON_PENDING

I grepped QEMU for power_state to ensure that no assumptions
of OFF=0 were being made.

Backports commit d5affb0d8677e1a8a8fe03fa25005b669e7cdc02 from qemu
2018-03-02 12:59:49 -05:00
Andrew Baumann 76cd64dd7e
target/arm: implement armv8 PMUSERENR (user-mode enable bits)
In armv8, this register implements more than a single bit, with
fine-grained enables for read access to event counters, cycles
counters, and write access to the software increment. This change
implements those checks using custom access functions for the relevant
registers.

Backports commit 6ecd0b6ba0591ef280ed984103924d4bdca5ac32 from qemu
2018-03-02 12:55:46 -05:00
Eduardo Habkost 9ddce7c01d
i386: Change stepping of Haswell to non-blacklisted value
glibc blacklists TSX on Haswell CPUs with model==60 and
stepping < 4. To make the Haswell CPU model more useful, make
those guests actually use TSX by changing CPU stepping to 4.

References:
* glibc commit 2702856bf45c82cf8e69f2064f5aa15c0ceb6359
https://sourceware.org/git/?p=glibc.git;a=commit;h=2702856bf45c82cf8e69f2064f5aa15c0ceb6359

Backports commit ec56a4a7b07e2943f49da273a31e3195083b1f2e from qemu
2018-03-02 12:53:11 -05:00
Eduardo Habkost f865b17639
i386: host_vendor_fms() helper function
Helper function for code that needs to check the host CPU
vendor/family/model/stepping values.

Backports commit 20271d484069f154fb262507e63adc3a37e885d2 from qemu
2018-03-02 12:51:44 -05:00
Alex Bennée b8caaac110
target/arm/helper: make it clear the EC field is also in hex
..just like the rest of the displayed ESR register. Otherwise people
might scratch their heads if a not obviously hex number is displayed
for the EC field.

Backports commit 6568da459b611845ef55526cd23afc9fa9f4647f from qemu
2018-03-02 12:50:33 -05:00
Paolo Bonzini bc7a9ccfbd
target-i386: defer VMEXIT to do_interrupt
Paths through the softmmu code during code generation now need to be audited
to check for double locking of tb_lock. In particular, VMEXIT can take tb_lock
through cpu_vmexit -> cpu_x86_update_cr4 -> tlb_flush.

To avoid this, split VMEXIT delivery in two parts, similar to what is done with
exceptions. cpu_vmexit only records the VMEXIT exit code and information, and
cc->do_interrupt can then deliver it when it is safe to take the lock.

Backports commit 10cde894b63146139f981857e4eedf756fa53dcb from qemu
2018-03-02 12:49:18 -05:00
Alex Bennée ad548f8110
translate-all: exit cpu_restore_state early if translating
The translation code uses cpu_ld*_code which can trigger a tlb_fill
which if it fails will erroneously attempts a fault resolution. This
never works during translation as the TB being generated hasn't been
added yet. The target should have checked retaddr before calling
cpu_restore_state but for those that have yet to be fixed we do it
here to avoid a recursive tb_lock() under MTTCG's new locking regime

Backports commit d8b2239bcd8872a5c5f7534d1658fc2365caab2d from qemu
2018-03-02 12:46:16 -05:00
Alex Bennée a01496e6d9
target/i386/cpu.h: declare TCG_GUEST_DEFAULT_MO
This suppresses the incorrect warning when forcing MTTCG for x86
guests on x86 hosts. A future patch will still warn when
TARGET_SUPPORT_MTTCG hasn't been defined for the guest (which is still
pending for x86).

Backports commit 72c1701f62e8d44eb24a0583a958edc280105455 from qemu
2018-03-02 12:43:37 -05:00
Markus Armbruster 8a8dc93945
qapi: Improve qobject visitor documentation
Backports commit aa3a982e674b09ae32502940f93ba98b3a8ad50e from qemu
2018-03-02 12:24:21 -05:00
Markus Armbruster 67cb4b0900
qapi: Fix object input visit beyond end of list
Backports commit 1f41a645b65530859bf5984aa08e103bb452b473 from qemu
2018-03-02 12:22:50 -05:00
Markus Armbruster ac1a61af47
qapi: Make input visitors detect unvisited list tails
Fix the design flaw demonstrated in the previous commit: new method
check_list() lets input visitors report that unvisited input remains
for a list, exactly like check_struct() lets them report that
unvisited input remains for a struct or union.

Implement the method for the qobject input visitor (straightforward),
and the string input visitor (less so, due to the magic list syntax
there). The opts visitor's list magic is even more impenetrable, and
all I can do there today is a stub with a FIXME comment. No worse
than before.

Backports commit a4a1c70dc759e5b81627e96564f344ab43ea86eb from qemu
2018-03-02 12:21:04 -05:00
Markus Armbruster e0ee098c4a
qapi: Drop unused non-strict qobject input visitor
The split between tests/test-qobject-input-visitor.c and
tests/test-qobject-input-strict.c now makes less sense than ever. The
next commit will take care of that.

Backports commit 048abb7b20c9f822ad9d4b730bade73b3311a47a from qemu
2018-03-02 12:14:52 -05:00
Markus Armbruster 3e8b0c66a3
qom: Make object_property_set_qobject()'s input visitor strict
Commit 240f64b made all qobject input visitors created outside tests
strict, except for the one in object_property_set_qobject(). That one
was left behind only because Eric couldn't spare the time to figure
out whether making it strict would break anything, with a TODO
comment. Time to resolve it.

Strict makes a difference only for otherwise successful visits of QAPI
structs or unions. Let's examine what the callers of
object_property_set_qobject() visit:

* object_property_set_str(), object_property_set_bool(),
object_property_set_int() visit a QString, QBool, QInt,
respectively. Strictness can't matter.

* qmp_qom_set visits its @value argument. Comes straight from QMP and
can be anything ('any' in the QAPI schema). Strictness matters when
the property's set() method visits a struct or union QAPI type.

No such methods exist, thus switching to strict can't break
anything.

If we acquire such methods in the future, we'll *want* the visitor
to be strict, so that unexpected members get rejected as they should
be.

Switch to strict.

Backports commit 05601ed2de60df0e344d6b783a6bc0c1ff2b5d1f from qemu
2018-03-02 12:10:50 -05:00
Markus Armbruster 2b7daee13b
qapi: Make string input and opts visitor require non-null input
The string input visitor tries to cope with null input. Null input
isn't used anywhere, and isn't covered by tests. Unsurprisingly, it
doesn't fully work: start_list() crashes because it passes the input
via parse_str() to strtoll() unchecked.

Make string_input_visitor_new() assert its argument isn't null, and
drop the code trying to deal with null input.

The opts visitor crashes when you try to actually visit something with
null input. Make opts_visitor_new() assert its argument isn't null,
mostly for clarity.

qobject_input_visitor_new() already asserts its argument isn't null.

Backports commit f332e830e38b3ff3953ef02ac04e409ae53769c5 from qemu
2018-03-02 12:10:07 -05:00
Markus Armbruster 50e3cda49a
qapi: Drop string input visitor method optional()
visit_optional() is to be called only between visit_start_struct() and
visit_end_struct(). Visitors that don't support struct visits,
i.e. don't implement start_struct(), end_struct(), have no use for it.
Clarify documentation.

The string input visitor doesn't support struct visits. Its
parse_optional() is therefore useless. Drop it.

Backports commit a8aec6de2ac1a5e36989fdfba29067b361009b75 from qemu
2018-03-02 12:07:55 -05:00
Markus Armbruster 84e5261cdf
qapi: Improve qobject input visitor error reporting
Error messages refer to nodes of the QObject being visited by name.
Trouble is the names are sometimes less than helpful:

* The name of the root QObject is whatever @name argument got passed
to the visitor, except NULL gets mapped to "null". We commonly pass
NULL. Not good.

Avoiding errors "at the root" mitigates. For instance,
visit_start_struct() can only fail when the visited object is not a
dictionary, and we commonly ensure it is beforehand.

* The name of a QDict's member is the member key. Good enough only
when this happens to be unique.

* The name of a QList's member is "null". Not good.

Improve error messages by referring to nodes by path instead, as
follows:

* The path of the root QObject is whatever @name argument got passed
to the visitor, except NULL gets mapped to "<anonymous>".

* The path of a root QDict's member is the member key.

* The path of a root QList's member is "[%u]", where %u is the list
index, starting at zero.

* The path of a non-root QDict's member is the path of the QDict
concatenated with "." and the member key.

* The path of a non-root QList's member is the path of the QList
concatenated with "[%u]", where %u is the list index.

For example, the incorrect QMP command

{ "execute": "blockdev-add", "arguments": { "node-name": "foo", "driver": "raw", "file": {"driver": "file" } } }

now fails with

{"error": {"class": "GenericError", "desc": "Parameter 'file.filename' is missing"}}

instead of

{"error": {"class": "GenericError", "desc": "Parameter 'filename' is missing"}}

and

{ "execute": "input-send-event", "arguments": { "device": "bar", "events": [ [] ] } }

now fails with

{"error": {"class": "GenericError", "desc": "Invalid parameter type for 'events[0]', expected: object"}}

instead of

{"error": {"class": "GenericError", "desc": "Invalid parameter type for 'null', expected: QDict"}}

Aside: calling the thing "parameter" is suboptimal for QMP, because
the root object is "arguments" there.

The qobject output visitor doesn't have this problem because it should
not fail. Same for dealloc and clone visitors.

The string visitors don't have this problem because they visit just
one value, whose name needs to be passed to the visitor as @name. The
string output visitor shouldn't fail anyway.

The options visitor uses QemuOpts names. Their name space is flat, so
the use of QDict member keys as names is fine. NULL names used with
roots and lists could conceivably result in bad error messages. Left
for another day.

Backports commit a9fc37f6bc3f2ab90585cb16493da9f6dcfbfbcf from qemu
2018-03-02 12:05:53 -05:00
Markus Armbruster a5cf19858d
qapi: Make QObject input visitor set *list reliably
qobject_input_start_struct() sets *list, except when it fails because
qobject_input_get_object() fails, i.e. the input object doesn't exist.

All the other input visitor start_struct(), start_list(),
start_alternate() always set *obj / *list.

Change qobject_input_start_struct() to match.

Backports commit 58561c27669ddf1c6d39ff8ce25837c6f2d9d92c from qemu
2018-03-02 11:31:58 -05:00
Markus Armbruster fdf09c6d12
qapi: Clean up after commit 3d344c2
Drop unused QIV_STACK_SIZE and unused qobject_input_start_struct()
parameter errp.

Backports commit b8874fbfd329b5084463bcacd1418d493a93c383 from qemu
2018-03-02 11:30:38 -05:00
Markus Armbruster d7da652d4e
qapi: Improve a QObject input visitor error message
The QObject input visitor has three error message formats:

* Parameter '%s' is missing
* "Invalid parameter type for '%s', expected: %s"
* "QMP input object member '%s' is unexpected"

The '%s' are member names (or "null", but I'll fix that later).

The last error message calls the thing "QMP input object member"
instead of "parameter". Misleading when the visitor is used on
QObjects that don't come from QMP. Change it to "Parameter '%s' is
unexpected".

Backports commit 910f738b851a263396fc85b2052e47f884ffead3 from qemu
2018-03-02 11:29:02 -05:00
Markus Armbruster d07bcef231
qmp: Eliminate silly QERR_QMP_* macros
The QERR_ macros are leftovers from the days of "rich" error objects.

QERR_QMP_BAD_INPUT_OBJECT, QERR_QMP_BAD_INPUT_OBJECT_MEMBER,
QERR_QMP_EXTRA_MEMBER are used in just one place now, except for one
use that has crept into qobject-input-visitor.c.

Drop these macros, to make the (bad) error messages more visible.

Backports commit 99fb0c53c038105bae68b02a3d9f1cbf7951ba10 from qemu
2018-03-02 11:28:17 -05:00
Yongji Xie 23f5b17a08
memory: Introduce DEVICE_HOST_ENDIAN for ram device
At the moment ram device's memory regions are DEVICE_NATIVE_ENDIAN. It's
incorrect. This memory region is backed by a MMIO area in host, so the
uint64_t data that MemoryRegionOps read from/write to this area should be
host-endian rather than target-endian. Hence, current code does not work
when target and host endianness are different which is the most common case
on PPC64. To fix it, this introduces DEVICE_HOST_ENDIAN for the ram device.

This has been tested on PPC64 BE/LE host/guest in all possible combinations
including TCG.

Backports commit c99a29e702528698c0ce2590f06ca7ff239f7c39 from qemu
2018-03-02 11:24:32 -05:00
Paolo Bonzini 11709d0afa
cpu-exec: remove unnecessary check of cpu->exit_request
The cpu->exit_request check in cpu_loop_exec_tb is unnecessary,
because cpu->tcg_exit_req is always set after cpu->exit_request.
So let the TB exit and we will pick up the exit request later
in cpu_handle_interrupt.

Backports commit 55ac0a9bf4e1b1adfc7d73586a7aa085f58c9851 from qemu
2018-03-02 11:21:35 -05:00
Eduardo Habkost 33ab5f71c9
i386: Reorganize and document CPUID initialization steps
CPU runnability checks and CPU model expansion have slightly
different requirements. Document the steps involved in loading a
CPU model and realizing a CPU, so their requirements and purpose
are clearly defined.

This patch doesn't change any implementation. It just add
comments, rename the x86_cpu_load_features() function for clarity
(so it won't be confused with x86_cpu_load_def()), and move
x86_cpu_filter_features() closer to it.

Backports commit b8d834a00fa3ed4dad7d371e1a00938a126a54a0 from qemu
2018-03-02 10:55:00 -05:00
Eduardo Habkost be606acff9
i386: Rename X86CPU::host_features to X86CPU::max_features
Rename the field and add a small comment to make its purpose
clearer.

Backports commit 44bd8e530661be1d22ae0f461a5c9bdbcc3847ec from qemu
2018-03-02 10:51:40 -05:00
Pranith Kumar ee609fa59f
aarch64: Change ext type to TCGType to fix warnings
To fix the following warnings:

In file included from /users/pranith/qemu/tcg/tcg.c:255:
/users/pranith/qemu/tcg/aarch64/tcg-target.inc.c:879:24: warning: implicit conversion from enumeration type 'TCGMemOp' (aka 'enum TCGMemOp') to different enumeration type 'TCGType' (aka 'enum TCGType')
[-Wenum-conversion]
tcg_out_cmp(s, ext, a, b, b_const);
~~~~~~~~~~~ ^~~
/users/pranith/qemu/tcg/aarch64/tcg-target.inc.c:893:36: warning: implicit conversion from enumeration type 'TCGMemOp' (aka 'enum TCGMemOp') to different enumeration type 'TCGType' (aka 'enum TCGType')
[-Wenum-conversion]
tcg_out_insn(s, 3201, CBZ, ext, a, offset);
~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~
/users/pranith/qemu/tcg/aarch64/tcg-target.inc.c:389:65: note: expanded from macro 'tcg_out_insn'
glue(tcg_out_insn_,FMT)(S, glue(glue(glue(I,FMT),_),OP), ## __VA_ARGS__)
^
/users/pranith/qemu/tcg/aarch64/tcg-target.inc.c:895:37: warning: implicit conversion from enumeration type 'TCGMemOp' (aka 'enum TCGMemOp') to different enumeration type 'TCGType' (aka 'enum TCGType')
[-Wenum-conversion]
tcg_out_insn(s, 3201, CBNZ, ext, a, offset);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~
/users/pranith/qemu/tcg/aarch64/tcg-target.inc.c:389:65: note: expanded from macro 'tcg_out_insn'
glue(tcg_out_insn_,FMT)(S, glue(glue(glue(I,FMT),_),OP), ## __VA_ARGS__)
^
/users/pranith/qemu/tcg/aarch64/tcg-target.inc.c:1610:27: warning: implicit conversion from enumeration type 'TCGType' (aka 'enum TCGType') to different enumeration type 'TCGMemOp' (aka 'enum TCGMemOp')
[-Wenum-conversion]
tcg_out_brcond(s, ext, a2, a0, a1, const_args[1], arg_label(args[3]));
~~~~~~~~~~~~~~ ^~~

backports commit dc1eccd661ada3b746ca4438e444993c36a0f04f from qemu
2018-03-02 10:48:56 -05:00
Peter Maydell e141ea5dd2
softfloat: Use correct type in float64_to_uint64_round_to_zero()
In float64_to_uint64_round_to_zero() a typo meant that we were
taking the uint64_t return value from float64_to_uint64() and
putting it into an int64_t variable before returning it as
uint64_t again. Use uint64_t instead of pointlessly casting it
back and forth to int64_t.

Backports commit d000b477f2693dbca97cd8ea751c2e0b71890662 from qemu
2018-03-02 10:44:10 -05:00
Peter Maydell 0c9ef6f4b3
cputlb: Don't assume do_unassigned_access() never returns
In get_page_addr_code(), if the guest PC doesn't correspond to RAM
then we currently run the CPU's do_unassigned_access() hook if it has
one, and otherwise we give up and exit QEMU with a more-or-less
useful message. This code assumes that the do_unassigned_access hook
will never return, because if it does then we'll plough on attempting
to use a non-RAM TLB entry to get a RAM address and will abort() in
qemu_ram_addr_from_host_nofail(). Unfortunately some CPU
implementations of this hook do return: Microblaze, SPARC and the ARM
v7M.

Change the code to call report_bad_exec() if the hook returns, as
well as if it didn't have one. This means we can tidy it up to use
the cpu_unassigned_access() function which wraps the "get the CPU
class and call the hook if it has one" work, since we aren't trying
to distinguish "no hook" from "hook existed and returned" any more.

This brings the handling of this hook into line with the handling
used for data accesses, where "hook returned" is treated the
same as "no hook existed" and gets you the default behaviour.

Backports commit 44d7ce0ef39cb45e13d384574d79799eb3d39834 from qemu
2018-03-02 10:42:35 -05:00
Nick Reilly 4114fb2c0e
Add missing fp_access_check() to aarch64 crypto instructions
The aarch64 crypto instructions for AES and SHA are missing the
check for if the FPU is enabled.

Backports commit a4f5c5b72380deeccd53a6890ea3782f10ca8054 from qemu
2018-03-02 10:39:16 -05:00
Alex Bennée caba238b5a
tcg: enable MTTCG by default for ARM on x86 hosts
This enables the multi-threaded system emulation by default for ARMv7
and ARMv8 guests using the x86_64 TCG backend. This is because on the
guest side:

- The ARM translate.c/translate-64.c have been converted to
- use MTTCG safe atomic primitives
- emit the appropriate barrier ops
- The ARM machine has been updated to
- hold the BQL when modifying shared cross-vCPU state
- defer powerctl changes to async safe work

All the host backends support the barrier and atomic primitives but
need to provide same-or-better support for normal load/store
operations.

Backports commit ca759f9e387db87e1719911f019bc60c74be9ed8 from qemu
2018-03-02 10:32:47 -05:00
Alex Bennée ff0ff28939
target-arm: don't generate WFE/YIELD calls for MTTCG
The WFE and YIELD instructions are really only hints and in TCG's case
they were useful to move the scheduling on from one vCPU to the next. In
the parallel context (MTTCG) this just causes an unnecessary cpu_exit
and contention of the BQL.

Backports commit c22edfebff29f63d793032e4fbd42a035bb73e27 from qemu
2018-03-02 10:27:36 -05:00
Alex Bennée 157efaa8a9
cputlb: tweak qemu_ram_addr_from_host_nofail reporting
This moves the helper function closer to where it is called and updates
the error message to report via error_report instead of the deprecated
fprintf.

Backports commit 857baec1d9e80947f0c1007c3a3d2331d62b4b53 from qemu
2018-03-02 10:24:03 -05:00
Alex Bennée 454932263c
cputlb and arm/sparc targets: convert mmuidx flushes from varg to bitmap
While the vargs approach was flexible the original MTTCG ended up
having munge the bits to a bitmap so the data could be used in
deferred work helpers. Instead of hiding that in cputlb we push the
change to the API to make it take a bitmap of MMU indexes instead.

For ARM some the resulting flushes end up being quite long so to aid
readability I've tended to move the index shifting to a new line so
all the bits being or-ed together line up nicely, for example:

tlb_flush_page_by_mmuidx(other_cs, pageaddr,
(1 << ARMMMUIdx_S1SE1) |
(1 << ARMMMUIdx_S1SE0));

Backports commit 0336cbf8532935d8e23c2aabf3e2ce2c0697b6ac from qemu
2018-03-02 10:12:40 -05:00
Alex Bennée d56a4b0be4
tcg: handle EXCP_ATOMIC exception for system emulation
The patch enables handling atomic code in the guest. This should be
preferably done in cpu_handle_exception(), but the current assumptions
regarding when we can execute atomic sections cause a deadlock.

The current mechanism discards the flags which were set in atomic
execution. We ensure they are properly saved by calling the
cc->cpu_exec_enter/leave() functions around the loop.

As we are running cpu_exec_step_atomic() from the outermost loop we
need to avoid an abort() when single stepping over atomic code since
debug exception longjmp will point to the the setlongjmp in
cpu_exec(). We do this by setting a new jmp_env so that it jumps back
here on an exception.

Backports relevant parts of commit 08e73c48b053566bfe0c994f154f73991cd0ff0e from qemu
2018-03-02 09:56:43 -05:00
Alex Bennée 6760605e1c
tcg: enable thread-per-vCPU
There are a couple of changes that occur at the same time here:

- introduce a single vCPU qemu_tcg_cpu_thread_fn

One of these is spawned per vCPU with its own Thread and Condition
variables. qemu_tcg_rr_cpu_thread_fn is the new name for the old
single threaded function.

- the TLS current_cpu variable is now live for the lifetime of MTTCG
vCPU threads. This is for future work where async jobs need to know
the vCPU context they are operating in.

The user to switch on multi-thread behaviour and spawn a thread
per-vCPU. For a simple test kvm-unit-test like:

./arm/run ./arm/locking-test.flat -smp 4 -accel tcg,thread=multi

Will now use 4 vCPU threads and have an expected FAIL (instead of the
unexpected PASS) as the default mode of the test has no protection when
incrementing a shared variable.

We enable the parallel_cpus flag to ensure we generate correct barrier
and atomic code if supported by the front and backends. This doesn't
automatically enable MTTCG until default_mttcg_enabled() is updated to
check the configuration is supported.

Backports relevant parts of commit 372579427a5040a26dfee78464b50e2bdf27ef26
2018-03-02 09:43:14 -05:00
Alex Bennée 632b853761
tcg: remove global exit_request
There are now only two uses of the global exit_request left.

The first ensures we exit the run_loop when we first start to process
pending work and in the kick handler. This is just as easily done by
setting the first_cpu->exit_request flag.

The second use is in the round robin kick routine. The global
exit_request ensured every vCPU would set its local exit_request and
cause a full exit of the loop. Now the iothread isn't being held while
running we can just rely on the kick handler to push us out as intended.

We lightly re-factor the main vCPU thread to ensure cpu->exit_requests
cause us to exit the main loop and process any IO requests that might
come along. As an cpu->exit_request may legitimately get squashed
while processing the EXCP_INTERRUPT exception we also check
cpu->queued_work_first to ensure queued work is expedited as soon as
possible.

Backports commit e5143e30fb87fbf179029387f83f98a5a9b27f19 from qemu
2018-03-02 09:38:08 -05:00
Alex Bennée 4d90497d14
tcg: rename tcg_current_cpu to tcg_current_rr_cpu
..and make the definition local to cpus. In preparation for MTTCG the
concept of a global tcg_current_cpu will no longer make sense. However
we still need to keep track of it in the single-threaded case to be able
to exit quickly when required.

qemu_cpu_kick_no_halt() moves and becomes qemu_cpu_kick_rr_cpu() to
emphasise its use-case. qemu_cpu_kick now kicks the relevant cpu as
well as qemu_kick_rr_cpu() which will become a no-op in MTTCG.

For the time being the setting of the global exit_request remains.

Backports commit 791158d93b27f22a17c2ada06621831d54f09a2c from qemu

Also atomically sets the unicorn equivalents
2018-03-02 09:28:51 -05:00
Lioncash 18a229a69f
Resolve symbol errors with softfloat 2018-03-02 09:25:05 -05:00
KONRAD Frederic c5730ff194
tcg: add options for enabling MTTCG
We know there will be cases where MTTCG won't work until additional work
is done in the front/back ends to support. It will however be useful to
be able to turn it on.

As a result MTTCG will default to off unless the combination is
supported. However the user can turn it on for the sake of testing.

Backports commit 8d4e9146b3568022ea5730d92841345d41275d66 from qemu
2018-03-02 09:25:01 -05:00
Alex Bennée 8c89344517
tcg: move TCG_MO/BAR types into own file
We'll be using the memory ordering definitions to define values for
both the host and guest. To avoid fighting with circular header
dependencies just move these types into their own minimal header.

Backports commit 20937143145b8f5a4194e5c407731ba38797864e from qemu
2018-03-02 09:08:44 -05:00
Pranith Kumar 616becc2dc
mttcg: translate-all: Enable locking debug in a debug build
Enable tcg lock debug asserts in a debug build by default instead of
relying on DEBUG_LOCKING. None of the other DEBUG_* macros have
asserts, so this patch removes DEBUG_LOCKING and enable these asserts
in a debug build.

Backports commit 6ac3d7e845549f08473f020c1c70f14b8911a67e from qemu
2018-03-02 09:00:58 -05:00
Markus Armbruster 89d8e58718
util/cutils: Change qemu_strtosz*() from int64_t to uint64_t
This will permit its use in parse_option_size().

Backports commit f46bfdbfc8f95cf65d7818ef68a801e063c40332 from qemu
2018-03-02 08:58:55 -05:00
Markus Armbruster 8650d0213c
util/cutils: Return qemu_strtosz*() error and value separately
This makes qemu_strtosz(), qemu_strtosz_mebi() and
qemu_strtosz_metric() similar to qemu_strtoi64(), except negative
values are rejected.

Backports commit f17fd4fdf0df3d2f3444399d04c38d22b9a3e1b7 from qemu
2018-03-02 08:57:16 -05:00
Markus Armbruster 6093e67947
util/cutils: Let qemu_strtosz*() optionally reject trailing crap
Change the qemu_strtosz() & friends to return -EINVAL when @endptr is
null and the conversion doesn't consume the string completely.
Matches how qemu_strtol() & friends work.

Only test_qemu_strtosz_simple() passes a null @endptr. No functional
change there, because its conversion consumes the string.

Simplify callers that use @endptr only to fail when it doesn't point
to '\0' to pass a null @endptr instead.

Backports commit 4fcdf65ae2c00ae69f7625f26ed41f37d77b403c from qemu
2018-03-02 08:54:53 -05:00
Markus Armbruster f9c9eb7334
util/cutils: Drop QEMU_STRTOSZ_DEFSUFFIX_* macros
Writing QEMU_STRTOSZ_DEFSUFFIX_* instead of '*' gains nothing. Get
rid of these eyesores.

Backports commit 17f942560e54f8ee72996bc3276c697503606d7b from qemu
2018-03-02 08:53:15 -05:00
Markus Armbruster 858acd4142
util/cutils: New qemu_strtosz()
Most callers of qemu_strtosz_suffix() pass QEMU_STRTOSZ_DEFSUFFIX_B.
Capture the pattern in new qemu_strtosz().

Inline qemu_strtosz_suffix() into its only remaining caller.

Backports commit 466dea14e677555dd24465aca75d00a3537ad062 from qemu
2018-03-02 08:50:56 -05:00
Markus Armbruster a3358798d6
util/cutils: Rename qemu_strtosz() to qemu_strtosz_MiB()
With qemu_strtosz(), no suffix means mebibytes. It's used rarely.
I'm going to add a similar function where no suffix means bytes.
Rename qemu_strtosz() to qemu_strtosz_MiB() to make the name
qemu_strtosz() available for the new function.

Backports commit e591591b323772eea733de6027f5e8b50692d0ff from qemu
2018-03-02 08:49:26 -05:00
Markus Armbruster f656cd91ec
util/cutils: New qemu_strtosz_metric()
To parse numbers with metric suffixes, we use

qemu_strtosz_suffix_unit(nptr, &eptr, QEMU_STRTOSZ_DEFSUFFIX_B, 1000)

Capture this in a new function for legibility:

qemu_strtosz_metric(nptr, &eptr)

Replace test_qemu_strtosz_suffix_unit() by test_qemu_strtosz_metric().

Rename qemu_strtosz_suffix_unit() to do_strtosz() and give it internal
linkage.

Backports commit d2734d2629266006b0413433778474d5801c60be from qemu
2018-03-02 08:47:40 -05:00
Markus Armbruster fb962d2e74
util/cutils: Clean up control flow around qemu_strtol() a bit
Reorder check_strtox_error() to make it obvious that we always store
through a non-null @endptr.

Transform

if (some error) {
error case ...
err = value for error case;
} else {
normal case ...
err = value for normal case;
}
return err;

to

if (some error) {
error case ...
return value for error case;
}
normal case ...
return value for normal case;

Backports commit 4baef2679e029c76707be1e2ed54bf3dd21693fe from qemu
2018-03-02 08:45:18 -05:00
Markus Armbruster 9236950e61
util/cutils: Clean up variable names around qemu_strtol()
Name same things the same, different things differently.

* qemu_strtol()'s parameter @nptr is called @p in
check_strtox_error(). Rename the latter.

* qemu_strtol()'s parameter @endptr is called @next in
check_strtox_error(). Rename the latter.

* qemu_strtol()'s variable @p is called @endptr in
check_strtox_error(). Rename both to @ep.

* qemu_strtol()'s variable @err is *negative* errno,
check_strtox_error()'s parameter @err is *positive*. Rename the
latter to @libc_errno.

Same for qemu_strtoul(), qemu_strtoi64(), qemu_strtou64(), of course.

Backports commit 717adf960933da0650d995f050d457063d591914 from qemu
2018-03-02 08:41:47 -05:00
Markus Armbruster 41c2e1168f
util/cutils: Rename qemu_strtoll(), qemu_strtoull()
The name qemu_strtoll() suggests conversion to long long, but it
actually converts to int64_t. Rename to qemu_strtoi64().

The name qemu_strtoull() suggests conversion to unsigned long long,
but it actually converts to uint64_t. Rename to qemu_strtou64().

Backports commit b30d188677456b17c1cd68969e08ddc634cef644 from qemu
2018-03-02 08:39:45 -05:00
Markus Armbruster ac34d92d09
util/cutils: Rewrite documentation of qemu_strtol() & friends
Fixes the following documentation bugs:

* Fails to document that null @nptr is safe.

* Fails to document that we return -EINVAL when no conversion could be
performed (commit 47d4be1).

* Confuses long long with int64_t, and unsigned long long with
uint64_t.

* Claims the unsigned conversions can underflow. They can't.

While there, mark problematic assumptions that int64_t is long long,
and uint64_t is unsigned long long with FIXME comments.

Backports commit 4295f879becfbbb9f4330489311586b96915d920 from qemu
2018-03-02 08:37:57 -05:00
Markus Armbruster 9d1937f25d
qdict: Make qdict_get_qlist() safe like qdict_get_qdict()
Commit 89cad9f changed qdict_get_qdict() to return NULL instead of
crash when the key doesn't exist or its value isn't a QDict.
Commit 2d6421a neglected to do the same for qdict_get_qlist().
Correct that, and update the function comments.

qdict_get_obj() is now unused, remove.

Backports commit b25f23e7dbc6bc0dcda010222a4f178669d1aedc from qemu
2018-03-02 08:35:17 -05:00
Bharata B Rao 7fadaf0bc4
softfloat: Add float128_to_uint32_round_to_zero()
float128_to_uint32_round_to_zero() is needed by xscvqpuwz instruction
of PowerPC ISA 3.0.

Backports commit fd425037d25cecaaffdb3831697e0adc10ca2ba3 from qemu
2018-03-02 08:33:09 -05:00
Bharata B Rao 64d32a2237
softfloat: Add float128_to_uint64_round_to_zero()
Implement float128_to_uint64() and use that to implement
float128_to_uint64_round_to_zero()

This is required by xscvqpudz instruction of PowerPC ISA 3.0.

Backports commit 2e6d85683576c970c714c1cc071dca742835b9d4 from qemu
2018-03-02 08:32:02 -05:00
Bharata B Rao 80e522b499
softfloat: Add round-to-odd rounding mode
Power ISA 3.0 introduces a few quadruple precision floating point
instructions that support round-to-odd rounding mode. The
round-to-odd mode is explained as under:

Let Z be the intermediate arithmetic result or the operand of a convert
operation. If Z can be represented exactly in the target format, the
result is Z. Otherwise the result is either Z1 or Z2 whichever is odd.
Here Z1 and Z2 are the next larger and smaller numbers representable
in the target format respectively.

Backports commit 9ee6f678f473007e252934d6acd09c24490d9d42 from qemu
2018-03-02 08:25:00 -05:00
Paul Burton 411ddd16cf
target-mips: Provide function to test if a CPU supports an ISA
Provide a new cpu_supports_isa function which allows callers to
determine whether a CPU supports one of the ISA_ flags, by testing
whether the associated struct mips_def_t sets the ISA flags in its
insn_flags field.

An example use of this is to allow boards which generate bootloader code
to determine the properties of the CPU that will be used, for example
whether the CPU is 64 bit or which architecture revision it implements.

Backports commit bed9e5ceb158c886d548fe59675a6eba18baeaeb from qemu
2018-03-02 08:20:19 -05:00
Paolo Bonzini 37918ba5b0
exec: make address_space_cache_destroy idempotent
Clear cache->mr so that address_space_cache_destroy does nothing
the second time it is called.

Backports commit 91047df38dffa80222179f63fbb74c1dfefa25ed from qemu
2018-03-02 08:16:17 -05:00
Paolo Bonzini e66da21a56
cpu-exec: remove outermost infinite loop
Reorganize the sigsetjmp so that the restart case falls through
to cpu_handle_exception and the execution loop.

Backports commit 4515e58d60dc3aac53dbd5e53e4c3bec126967d8 from qemu
2018-03-02 08:13:43 -05:00
Paolo Bonzini af524401ad
cpu-exec: avoid repeated sigsetjmp on interrupts
The sigsetjmp only needs to be prepared once for the whole execution
of cpu_exec. This patch takes care of the "== 0" side, using a
nested loop so that cpu_handle_interrupt goes straight back to
cpu_handle_exception without doing another sigsetjmp.

Backports commit a42cf3f3f266a97ceb13e8b99bc7b13f7bf4192a from qemu
2018-03-02 08:09:50 -05:00
Paolo Bonzini 28b615a8b7
cpu-exec: avoid cpu_loop_exit in cpu_handle_interrupt
The siglongjmp goes straight back to the beginning of cpu_exec's
outermost loop. We do not need a siglongjmp, we can simply
leave the inner TB execution loop.

Backports commit 209b71b60ef3341246038e1c926c3b704969cdd3 from qemu
2018-03-02 08:03:18 -05:00
Paolo Bonzini b39acfc3c6
cpu-exec: tighten barrier on TCG_EXIT_REQUESTED
This seems to have worked just fine so far on weakly-ordered
architectures, but I don't see anything that prevents the
reordering from:

store 1 to exit_request
store 1 to tcg_exit_req
load tcg_exit_req
store 0 to tcg_exit_req
load exit_request
store 0 to exit_request
store 1 to exit_request
store 1 to tcg_exit_req

to this:

store 1 to exit_request
store 1 to tcg_exit_req
load tcg_exit_req
load exit_request
store 1 to exit_request
store 1 to tcg_exit_req
store 0 to tcg_exit_req
store 0 to exit_request

therefore losing a request. It's possible that other memory barriers
(e.g. in rcu_read_unlock) are hiding it, but better safe than
sorry.

Backports commit a70fe14b7dddcb944fbd6c9f3739cd3a22089af5 from qemu
2018-03-02 08:01:08 -05:00
Wei Huang c9bdf5e6c7
target-arm: Enable vPMU support under TCG mode
This patch contains several fixes to enable vPMU under TCG mode. It
first removes the checking of kvm_enabled() while unsetting
ARM_FEATURE_PMU. With it, the .pmu option can be used to turn on/off vPMU
under TCG mode. Secondly the PMU node of DT table is now created under TCG.
The last fix is to disable the masking of PMUver field of ID_AA64DFR0_EL1.

Backports commit d6f02ce3b8a43ddd8f83553fe754a34b26fb273f from qemu
2018-03-02 07:58:48 -05:00
Wei Huang 5e3349a818
target-arm: Add support for PMU register PMINTENSET_EL1
This patch adds access support for PMINTENSET_EL1.

Backports commit e6ec54571e424bb1d6e50e32fe317c616cde3e05 from qemu
2018-03-02 07:57:40 -05:00
Wei Huang 3b34b7f0f9
target-arm: Add support for AArch64 PMU register PMXEVTYPER_EL0
In order to support Linux perf, which uses PMXEVTYPER register,
this patch adds read/write access support for PMXEVTYPER. The access
is CONSTRAINED UNPREDICTABLE when PMSELR is not 0x1f. Additionally
this patch adds support for PMXEVTYPER_EL0.

Backports commit fdb8665672ded05f650d18f8b62d5c8524b4385b from qemu
2018-03-02 07:53:05 -05:00
Wei Huang 1165020022
target-arm: Add support for PMU register PMSELR_EL0
This patch adds support for AArch64 register PMSELR_EL0. The existing
PMSELR definition is revised accordingly.

Backports commit 6b0407805d46bbeba70f4be426285d0a0e669750 from qemu
2018-03-02 07:39:43 -05:00
Peter Maydell bddeac4430
target/arm: A32, T32: Create Instruction Syndromes for Data Aborts
Add support for generating the ISS (Instruction Specific Syndrome)
for Data Abort exceptions taken from AArch32. These syndromes are
used by hypervisors for example to trap and emulate memory accesses.

This is the equivalent for AArch32 guests of the work done for AArch64
guests in commit aaa1f954d4cab243.

Backports commit 9bb6558a218bf7e466e5ac1100639517d8a30d33 from qemu
2018-03-02 00:37:06 -05:00
Peter Maydell 74d42aa939
target/arm: Abstract out pbit/wbit tests in ARM ldr/str decode
In the ARM ldr/str decode path, rather than directly testing
"insn & (1 << 21)" and "insn & (1 << 24)", abstract these
bits out into wbit and pbit local flags. (We will want to
do more tests against them to determine whether we need to
provide syndrome information.)

Backports commit 63f26fcfda8e19f94ce23336726d14805250a5b6 from qemu
2018-03-02 00:26:58 -05:00
Julian Brown cc217b0c90
arm: Correctly handle watchpoints for BE32 CPUs
In BE32 mode, sub-word size watchpoints can fail to trigger because the
address of the access is adjusted in the opcode helpers before being
compared with the watchpoint registers. This patch reverses the address
adjustment before performing the comparison with the help of a new CPUClass
hook.

This version of the patch augments and tidies up comments a little.

Backports commit 40612000599e52e792d23c998377a0fa429c4036 from qemu
2018-03-02 00:24:33 -05:00
Julian Brown 58059c3a35
Fix Thumb-1 BE32 execution and disassembly.
Thumb-1 code has some issues in BE32 mode (as currently implemented). In
short, since bytes are swapped within words at load time for BE32
executables, this also swaps pairs of adjacent Thumb-1 instructions.

This patch un-swaps those pairs of instructions again, both for execution,
and for disassembly. (The previous version of the patch always read four
bytes in arm_read_memory_func and then extracted the proper two bytes,
in a probably misguided attempt to match the behaviour of actual hardware
as described by e.g. the ARM9TDMI TRM, section 3.3 "Endian effects for
instruction fetches". It's less complicated to just read the correct
two bytes though.)

Backports commit f7478a92dd9ee2276bfaa5b7317140d3f9d6a53b from qemu
2018-03-02 00:20:11 -05:00
Julian Brown 1aedb26670
target/arm: Add cfgend parameter for ARM CPU selection.
Add a new "cfgend" property which selects whether the CPU resets into
big-endian mode or not. This setting affects whether we reset with
SCTLR_B (ARMv6 and earlier) or SCTLR_EE (ARMv7 and later) set.

Backports commit 3a062d5730266b2386eeda68b1a1c6e96451db31 from qemu
2018-03-02 00:18:18 -05:00
Bharata B Rao 4324d1e97e
softfloat: Fix the default qNAN for target-ppc
Currently float128_default_nan() returns 0xFFFF800000000000 in the
higher double word, but it should return 0x7FFF800000000000 which
is the correct higher double word for default qNAN on PowerPC.

Backports commit 5d51eaea84899d88cb161fab3f089168e3812e9e from qemu
2018-03-02 00:15:36 -05:00
Michael S. Tsirkin ad6873ec57
arm: better stub version for MISMATCH_CHECK
stub version of MISMATCH_CHECK is empty so it's easy to misuse for
people not building kvm on arm. Use QEMU_BUILD_BUG_ON similar to the
non-stub version to make it easier to catch bugs.

Backports commit 705ae59fecae341a4b1a45ce48b46de4b1bb3cf4 from qemu
2018-03-02 00:13:45 -05:00
Michael S. Tsirkin 4d1139f83f
arm: add trailing ; after MISMATCH_CHECK
Macro calls without a trailing ; look weird in C, this works as a side
effect of how QEMU_BUILD_BUG_ON is implemented. Fix this up.

Backports commit 1b28762a333bd238611103e9ed2348d7af93b0db from qemu
2018-03-02 00:12:04 -05:00
Michael S. Tsirkin 0455644974
ARRAY_SIZE: check that argument is an array
It's a familiar pattern: some code uses ARRAY_SIZE, then refactoring
changes the argument from an array to a pointer to a dynamically
allocated buffer. Code keeps compiling but any ARRAY_SIZE calls now
return the size of the pointer divided by element size.

Let's add build time checks to ARRAY_SIZE before we allow more
of these in the code-base.

Backports commit ed63ec0d22ccdce3b2222d9a514423b7fbba3a0d from qemu
2018-03-02 00:09:51 -05:00
Michael S. Tsirkin ac013df0a2
compiler: expression version of QEMU_BUILD_BUG_ON
QEMU_BUILD_BUG_ON uses a typedef in order to be safe
to use outside functions, but sometimes it's useful
to have a version that can be used within an expression.
Following what Linux does, introduce QEMU_BUILD_BUG_ON_ZERO
that return zero after checking condition at build time.

Backports commit d757573e69f2ef58a4a7b41f6c55d65fa1e1c5c2 from qemu
2018-03-02 00:07:33 -05:00
Michael S. Tsirkin 634a8094f1
compiler: rework BUG_ON using a struct
There are theoretical concerns that some compilers might not trigger
build failures on attempts to define an array of size (x ? -1 : 1) where
x is a variable and make it a variable sized array instead. Let rewrite
using a struct with a negative bit field size instead as there are no
dynamic bit field sizes. This is similar to what Linux does.

Backports commit f291887e8eef5d37d31484638f6e62401b4b99a2 from qemu
2018-03-02 00:05:07 -05:00
Michael S. Tsirkin 7f9fb3395c
QEMU_BUILD_BUG_ON: use __COUNTER__
Some headers use QEMU_BUILD_BUG_ON. This causes a problem
if the C file including that header happens to have
QEMU_BUILD_BUG_ON at the same line number.

Fix using a widely available extension: __COUNTER__.
If unavailable, provide a stub.

Backports commit 60abf0a5e05134187e274ce5f32524ccf0cae1a6 from qemu
2018-03-02 00:03:44 -05:00
Michael S. Tsirkin beca05eb5f
compiler: drop ; after BUILD_BUG_ON
All users include the trailing ; anyway, let's require that -
it seems cleaner.

Backports commit f29831828441318c7916ae28e6e16e4a1c4a6795 from qemu
2018-03-02 00:01:44 -05:00
Ladi Prosek babf848b82
memory: don't sign-extend 32-bit writes
ldl_p has a signed return type so assigning it to uint64_t implicitly
sign-extends the value. This results in devices with min_access_size = 8
seeing unexpected values passed to their write handlers.

Example: guest performs a 32-bit write of 0x80000000 to an mmio region
and the handler receives 0xFFFFFFFF80000000 in its value argument.

Backports commit 6da67de6803e93cbb7e93ac3497865832f8c00ea from qemu
2018-03-02 00:00:22 -05:00
Peter Maydell 48825c1be2
target/arm: Drop IS_M() macro
We only use the IS_M() macro in two places, and it's a bit of a
namespace grab to put in cpu.h. Drop it in favour of just explicitly
calling arm_feature() in the places where it was used.

Backports commit 531c60a97ab51618b4b9ccef1c5fe00607079706 from qemu
2018-03-01 23:59:09 -05:00
Cao jin f2a5ddf5dc
util/mmap-alloc: refactor a little bit for readability
1st mmap returns *ptr* which aligns to host page size,

| size + align |
------------------------------------------
ptr

input param *align* could be 1M, or 2M, or host page size. After
QEMU_ALIGN_UP, offset will >= 0

2nd mmap use flag MAP_FIXED, then it return ptr+offset, or else fail.
If it success, then we will have something like:

| offset | size |
--------------------------------------
ptr ptr1

*ptr1* is what we really want to return, it equals ptr+offset.

Backports commit 6e4c890e15b23f078650499fbde11760b8eccf10 from qemu
2018-03-01 23:55:15 -05:00
Cao jin 217c14ad3e
util/mmap-alloc: check parameter before using
Backports commit 4a3ecf201a1a49a804e8506df5906e446707c3b1 from qemu
2018-03-01 23:53:45 -05:00
Eduardo Habkost f424e16f24
i386: Remove AMD feature flag aliases from Opteron models
When CPU vendor is set to AMD, the AMD feature alias bits on
CPUID[0x80000001].EDX are already automatically copied from CPUID[1].EDX
on x86_cpu_realizefn(). When CPU vendor is Intel, those bits are
reserved and should be zero. On either case, those bits shouldn't be set
in the CPU model table.

Commit 726a8ff68677d8d5fba17eb0ffb85076bfb598dc removed those
bits from most CPU models, but the Opteron_* entries still have
them. Remove the alias bits from Opteron_* too.

Add an assert() to x86_register_cpudef_type() to ensure we don't
make the same mistake again.

Backports commit 2a923a293df95334fa22634016efdd138f49da7f from qemu
2018-03-01 23:49:04 -05:00
He Chen b37fa358f3
x86: add AVX512_VPOPCNTDQ features
AVX512_VPOPCNTDQ: Vector POPCNT instructions for word and qwords.
variable precision.

Backports commit f77543772dcd38fa438470d9b80bafbd3a3ebbd7 from qemu
2018-03-01 23:44:32 -05:00
Richard Henderson 5c4f79ac62
target-hppa: Add softfloat specializations
Like the original MIPS, HPPA has the MSB of an SNaN set.
However, it has different rules for silencing an SNaN:
(1) msb is cleared and (2) msb-1 must be set if the fraction
is now zero, and (implementation defined) may be set always.
I haven't checked real hardware but chose the set always
alternative because it's easy and within spec.

Backports commit 005fa38d86257d471ac461c066a5409a9f5ebb02 from qemu
2018-03-01 23:42:09 -05:00
Sascha Silbe 11c66029b7
error: error_setg_errno(): errno gets preserved
C11 allows errno to be clobbered by pretty much any library function
call, so in general callers need to take care to save errno before
calling other functions.

However, for error reporting functions this is rather awkward and can
make the code on the caller side more complicated than
necessary. error_setg_errno() already takes care of preserving errno
and some functions rely on that, so just promise that we continue to
do so in the future.

Backports commit 98cb89af4df7e1776ce418ed6167b6e214a64435 from qemu
2018-03-01 23:38:25 -05:00
Peter Maydell aca671b3b1
target-arm: Enable EL2 feature bit on A53 and A57
Enable the ARM_FEATURE_EL2 bit on Cortex-A52 and
Cortex-A57, since this is all now sufficiently implemented
to work with the GICv3. We provide the usual CPU property
to disable it for backwards compatibility with the older
virt boards.

In this commit, we disable the EL2 feature on the
virt and ZynpMP boards, so there is no overall effect.
Another commit will expose a board-level property to
allow the user to enable EL2.

Backports commit c25bd18a04c8bd0f19556d719864b7b08528222d from qemu
2018-03-01 23:36:44 -05:00
Peter Maydell a036c73de8
target/arm/psci.c: If EL2 implemented, start CPUs in EL2
The PSCI spec states that a CPU_ON call should cause the new
CPU to be started in the highest implemented Non-secure
exception level. We were incorrectly starting it at the
exception level of the caller, which happens to be correct
if EL2 is not implemented. Implement the correct logic
as described in the PSCI 1.0 spec section 6.4:
* if EL2 exists and SCR_EL3.HCE is set: start in EL2
* otherwise start in EL1

Backports commit 3f591a20221511c639cc7959755e570801a21cd2 from qemu
2018-03-01 23:34:57 -05:00
Jean-Christophe DUBOIS 0aa0b849c2
ARM: Factor out ARM on/off PSCI control functions
Split ARM on/off function from PSCI support code.

This will allow to reuse these functions in other code.

Backports commit 825482adde1f971cbddf27e15fb4453ab3fae994 from qemu
2018-03-01 23:31:47 -05:00
Peter Maydell 468e2849cd
target/arm: Implement DBGVCR32_EL2 system register
The DBGVCR_EL2 system register is needed to run a 32-bit
EL1 guest under a Linux EL2 64-bit hypervisor. Its only
purpose is to provide AArch64 with access to the state of
the DBGVCR AArch32 register. Since we only have a dummy
DBGVCR, implement a corresponding dummy DBGVCR32_EL2.

Backports commit 4d2ec4da1c2d60c9fd8bad137506870c2f980410 from qemu
2018-03-01 23:02:28 -05:00
Peter Maydell 0db334c0e4
target/arm: Handle VIRQ and VFIQ in arm_cpu_do_interrupt_aarch32()
To run a VM in 32-bit EL1 our AArch32 interrupt handling code
needs to be able to cope with VIRQ and VFIQ exceptions.
These behave like IRQ and FIQ except that we don't need to try
to route them to Monitor mode.

Backports commit 87a4b270348c69a446ebcddc039bfae31b1675cb from qemu
2018-03-01 22:59:08 -05:00
Lioncash ebae552174
mips: Build fix 2018-03-01 22:56:23 -05:00
Thomas Huth b2f1326437
Move target-* CPU file into a target/ folder
We've currently got 18 architectures in QEMU, and thus 18 target-xxx
folders in the root folder of the QEMU source tree. More architectures
(e.g. RISC-V, AVR) are likely to be included soon, too, so the main
folder of the QEMU sources slowly gets quite overcrowded with the
target-xxx folders.
To disburden the main folder a little bit, let's move the target-xxx
folders into a dedicated target/ folder, so that target-xxx/ simply
becomes target/xxx/ instead.

Backports commit fcf5ef2ab52c621a4617ebbef36bf43b4003f4c0 from qemu
2018-03-01 22:50:58 -05:00
Artyom Tarasenko 59ec6876bd
target-sparc: add ST_BLKINIT_ ASIs for UA2005+ CPUs
In OpenSPARC T1+ TWINX ASIs in store instructions are aliased
with Block Initializing Store ASIs.

"UltraSPARC T1 Supplement Draft D2.1, 14 May 2007" describes them
in the chapter "5.9 Block Initializing Store ASIs"

Integer stores of all sizes are allowed with these ASIs.

Backports commit 3390537b5df4014e24a30f9bdcfa05c2bd0cd6d8 from qemu
2018-03-01 22:29:21 -05:00
Artyom Tarasenko a6981c9b91
target-sparc: store the UA2005 entries in sun4u format
According to chapter 13.3 of the
UltraSPARC T1 Supplement to the UltraSPARC Architecture 2005,
only the sun4u format is available for data-access loads.

Store UA2005 entries in the sun4u format to simplify processing.

Backports commit 7285fba083de3f14f6e98abb4469173b56da9480 from qemu
2018-03-01 22:28:12 -05:00
Artyom Tarasenko aa24403d8a
target-sparc: implement UA2005 ASI_MMU (0x21)
Backports commit 7dd8c0760ee197420273a7dfeab13bf54f6bbd8d from qemu
2018-03-01 22:25:39 -05:00
Artyom Tarasenko aac6955197
target-sparc: add more registers to dump_mmu
Backports commit d00a2334433483d1751d94aabdf47985a68010d3 from qemu
2018-03-01 22:23:46 -05:00
Artyom Tarasenko 49e61dc62f
target-sparc: implement auto-demapping for UA2005 CPUs
Backports commit 70f44d2f4bce44fa04426def3290306fa8064b91 from qemu
2018-03-01 22:23:06 -05:00
Artyom Tarasenko b20b29fc8e
target-sparc: allow 256M sized pages
Backports commit 70f44d2f4bce44fa04426def3290306fa8064b91 from qem#u
2018-03-01 22:22:50 -05:00
Lioncash 92730d9626
target-sparc: simplify ultrasparc_tsb_pointer 2018-03-01 22:18:25 -05:00
Artyom Tarasenko 76d1612dcb
target-sparc: implement UA2005 TSB Pointers
Backports commit 15f746cedc6db2cc8fc7bcfe7692e02263caeeca from qemu
2018-03-01 21:31:47 -05:00
Artyom Tarasenko f3d96d19e5
target-sparc: use SparcV9MMU type for sparc64 I/D-MMUs
Backports commit 96df2bc99f9bdaf7a2f13550111f219b72b73708 from qemu
2018-03-01 21:28:43 -05:00
Artyom Tarasenko c61e580b2d
target-sparc: replace the last tlb entry when no free entries left
Implement the behavior described in the chapter 13.9.11 of
UltraSPARC T1™ Supplement to the UltraSPARC Architecture 2005:

"If a TLB Data-In replacement is attempted with all TLB
entries locked and valid, the last TLB entry (entry 63) is
replaced."

Backports commit 4797a6851975c1239df440c5f01d8566e63717bb from qemu
2018-03-01 21:26:05 -05:00
Artyom Tarasenko c43a89b2bc
target-sparc: ignore writes to UA2005 CPU mondo queue register
Backports commit 2f1b52920205863024cc86007e88557f4c2c898e from qemu
2018-03-01 21:25:28 -05:00
Artyom Tarasenko 0c5a21230f
target-sparc: allow priveleged ASIs in hyperprivileged mode
Backports commit 7cd39ef234a7e2eea45a08cd15f920da5f1ba008 from qemu
2018-03-01 21:24:10 -05:00
Artyom Tarasenko 3a5a9dd6cd
target-sparc: use direct address translation in hyperprivileged mode
Please note that QEMU doesn't impelement Real->Physical address
translation. The "Real Address" is always the "Physical Address".

Backports commit 84f8f5876628963e67f66edde8a71208c4274ac8 from qemu
2018-03-01 21:24:09 -05:00
Artyom Tarasenko f07be0ac3f
target-sparc: fix immediate UA2005 traps
Backports commit 5c65df364af0a2cc60af318e5a3011ae5fce293a from qemu
2018-03-01 21:24:09 -05:00
Artyom Tarasenko 2f2bde32bf
target-sparc: implement UA2005 rdhpstate and wrhpstate instructions
Backports commit f7f17ef75c9c90db63c44d11dc16fc085ca2c474 from qemu
2018-03-01 21:24:09 -05:00
Artyom Tarasenko 0a124b2199
target-sparc: implement UA2005 GL register
Backports commit cbc3a6a4cc675516328a2b0d3602355d68b6302d from qemu
2018-03-01 21:24:09 -05:00
Artyom Tarasenko 05e80b59af
target-sparc: implement UA2005 hypervisor traps
Backports commit 6e040755f12eba34d2fa3d56b18de32d63fea631 from qemu
2018-03-01 21:24:09 -05:00
Artyom Tarasenko 8710ef1128
target-sparc: hypervisor mode takes over nucleus mode
Accordinf to UA2005, 9.3.3 "Address Space Identifiers",

"In hyperprivileged mode, all instruction fetches and loads and stores with implicit
ASIs use a physical address, regardless of the value of TL".

Backports commit 9a10756d1204c3528e47892195349bf882069846 from qemu
2018-03-01 21:24:08 -05:00
Artyom Tarasenko 204a4dc1d3
target-sparc: implement UltraSPARC-T1 Strand status ASR
Backports commit b8e31b3cc6315bc5c6ec686c363c088c4fb1d0ea from qemu
2018-03-01 21:24:08 -05:00
Artyom Tarasenko 2f329af7ef
target-sparc: implement UA2005 scratchpad registers
Backports commit 4ec3e34654990868ad73a5a452a46d7f9f9dd378 from qemu
2018-03-01 21:24:08 -05:00
Artyom Tarasenko ec74c31ebf
target-sparc: simplify replace_tlb_entry by using TTE_PGSIZE
Backports commit e4d06ca74b751e486ca2a57f586fd4b858a13085 from qemu
2018-03-01 21:24:08 -05:00
Artyom Tarasenko 926247a35e
target-sparc: on UA2005 don't deliver Interrupt_level_n IRQs in hypervisor mode
As described in Chapter 5.7.6 of the UltraSPARC Architecture 2005,
outstanding disrupting exceptions that are destined for privileged mode can only
cause a trap when the virtual processor is in nonprivileged or privileged mode and
PSTATE.ie = 1. At all other times, they are held pending.

Backports commit 1a2aefae6627170fdee689b394a65f76080c068a from qemu
2018-03-01 21:24:08 -05:00
Artyom Tarasenko f486053ae0
target-sparc: add UltraSPARC T1 TLB #defines
Backports commit 5b5352b2f41e460f213a515e087c24dac1322f49 from qemu
2018-03-01 21:24:08 -05:00
Artyom Tarasenko b3f7d376cc
target-sparc: add UA2005 TTE bit #defines
Backports commit c2c7f864df16ed6ef7ef21d255c5593dbeaec261 from qemu
2018-03-01 21:24:07 -05:00
Artyom Tarasenko c1c88e147d
target-sparc: use explicit mmu register pointers
Use explicit register pointers while accessing D/I-MMU registers.
Call cpu_unassigned_access on access to missing registers.

Backports commit 20395e63375358bf6dd147057aaf998abf7abdb9 from qemu
2018-03-01 21:24:07 -05:00
Artyom Tarasenko be8357f8b5
target-sparc: store cpu super- and hypervisor flags in TB
Backports commit c9b459aab8c5775a21dd913fc8820b736181e7be from qemu
2018-03-01 21:24:00 -05:00
Artyom Tarasenko 96af2cfb58
target-sparc: ignore MMU-faults if MMU is disabled in hypervisor mode
while IMMU/DMMU is disabled
- ignore MMU-faults in hypervisorv mode or if CPU doesn't have hypervisor
- signal TT_INSN_REAL_TRANSLATION_MISS/TT_DATA_REAL_TRANSLATION_MISS otherwise

Backports commit 1ceca928538a3633b74a7dc718a05ce6767f2f76 from qemu
2018-03-01 20:25:32 -05:00
Lioncash d905278b86
Make unicorn happy with TLB execution 2018-03-01 20:13:37 -05:00
Alex Bennée e3e57ca08e
cputlb: drop flush_global flag from tlb_flush
We have never has the concept of global TLB entries which would avoid
the flush so we never actually use this flag. Drop it and make clear
that tlb_flush is the sledge-hammer it has always been.

Backports commit  d10eb08f5d8389c814b554d01aa2882ac58221bf from qemu
2018-03-01 19:36:04 -05:00
Alex Bennée 7e2cc86ad2
cpu_common_reset: wrap TCG specific code in tcg_enabled()
Both the cpu->tb_jmp_cache and SoftMMU TLB structures are only used
when running TCG code so we might as well skip them for anything else.

Backports commit ba7d3d1858c257e39b47f7f12fa2016ffd960b11 from qemu
2018-03-01 19:29:57 -05:00
Alex Bennée 780ed8722e
qom/cpu: move tlb_flush to cpu_common_reset
It is a common thing amongst the various cpu reset functions want to
flush the SoftMMU's TLB entries. This is done either by calling
tlb_flush directly or by way of a general memset of the CPU
structure (sometimes both).

This moves the tlb_flush call to the common reset function and
additionally ensures it is only done for the CONFIG_SOFTMMU case and
when tcg is enabled.

In some target cases we add an empty end_of_reset_fields structure to the
target vCPU structure so have a clear end point for any memset which
is resetting value in the structure before CPU_COMMON (where the TLB
structures are).

While this is a nice clean-up in general it is also a precursor for
changes coming to cputlb for MTTCG where the clearing of entries
can't be done arbitrarily across vCPUs. Currently the cpu_reset
function is usually called from the context of another vCPU as the
architectural power up sequence is run. By using the cputlb API
functions we can ensure the right behaviour in the future.

Backports commit 1f5c00cfdb8114c1e3a13426588ceb64f82c9ddb from qemu
2018-03-01 19:21:07 -05:00
Laurent Vivier 770989f36f
target-m68k: increment/decrement with SP
On 680x0 family only.

Address Register indirect With postincrement:

When using the stack pointer (A7) with byte size data, the register
is incremented by two.

Address Register indirect With predecrement:

When using the stack pointer (A7) with byte size data, the register
is decremented by two.

Backports commit 727d937b59f1f722f983e20f9cd23b0e7ef60165 from qemu
2018-03-01 19:16:22 -05:00
Laurent Vivier 6ff83aadab
target-m68k: CAS doesn't need aligned access
Backports commit b19578f42872aefef891e5804359af8d935a5487 from qemu
2018-03-01 19:15:20 -05:00
Laurent Vivier 636bf36272
target-m68k: manage pre-dec et post-inc in CAS
In these cases we must update the address register after
the operation.

Backports commit 308feb935249ad745ef763707e1db69bc10ba789 from qemu
2018-03-01 19:14:35 -05:00
Laurent Vivier 1197d778cc
target-m68k: fix gen_flush_flags()
gen_flush_flags() is setting unconditionally cc_op_synced to 1
and s->cc_op to CC_OP_FLAGS, whereas env->cc_op can be set
to something else by a previous tcg fragment.

We fix that by not setting cc_op_synced to 1
(except for gen_helper_flush_flags() that updates env->cc_op)

FIX: https://github.com/vivier/qemu-m68k/issues/19

Backports commit 695576db2daaf2bdc63e7f6d36038b61caed622a from qemu
2018-03-01 19:13:35 -05:00
Laurent Vivier b3c3cf84a5
target-m68k: fix bit operation with immediate value
M680x0 bit operations with an immediate value use 9 bits of the 16bit
value, while coldfire ones use only 8 bits.

Backports commit fe53c2be8c12da345bd788b949e0b2360e4b3db3 from qemu
2018-03-01 19:12:20 -05:00
Richard Henderson 6f5081314b
target-m68k: Implement bfffo
Backports commit a45f1763cc501861ea4f5eed06e6f58aa681a082 from qemu
2018-03-01 19:10:59 -05:00
Richard Henderson 797e5d44e9
target-m68k: Implement bitfield ops for memory
Backports commit f2224f2c9a9ed63edaed77ae21ffb1e501d7f247 from qemu
2018-03-01 19:07:06 -05:00
Richard Henderson 4f481b2c5a
target-m68k: Implement bitfield ops for registers
Backports commit ac815f46a325b5dabe2ebd6561e4244767c0a603 from qemu
2018-03-01 18:58:47 -05:00
Doug Evans 7bd3170ea5
target/i386: Fix bad patch application to translate.c
In commit c52ab08aee6f7d4717fc6b517174043126bd302f,
the patch snippet for the "syscall" insn got applied to "iret".

Backports commit 410e98146ffde201ab4c778823ac8beaa74c4c3f from qemu
2018-03-01 18:52:10 -05:00
Richard Henderson 4bec129626
tcg/i386: Handle ctpop opcode
Backports commit 993508e43e6d180e9ba9b747a9657eac69aec5bb from qemu
2018-03-01 18:49:43 -05:00
Richard Henderson 3a0fba32f3
tcg/ppc: Handle ctpop opcode
Backports commit 33e75fb9c8cc44165c8dad9093762ba728cc7596 from qemu
2018-03-01 18:46:43 -05:00
Richard Henderson 6d4fc1319a
tcg/ppc: Handle ctz and clz opcodes
Backports commit d0b07481fabb4dc4ed05d56d09718758f5f7a136 from qemu
2018-03-01 18:44:54 -05:00
Richard Henderson ff3512a045
tcg: Use ctpop to generate ctz if needed
Particularly when andc is also available, this is two insns
shorter than using clz to compute ctz.

Backports commit 14e99210f6c6cede461a54b2e0f9b4cd55175f00 from qemu
2018-03-01 18:39:20 -05:00
Richard Henderson 5ca8ac1aeb
qemu/host-utils.h: Reduce the operation count in the fallback ctpop
Backports commit 7bdcecb7b2d79c292d1256f7d6cf0f1da50d381f from qemu
2018-03-01 18:35:51 -05:00
Richard Henderson 8a62878523
target-i386: Use ctpop helper
Backports commit 4885c3c49531995d67e54907d01d5aa1350faaaf from qemu
2018-03-01 18:34:10 -05:00
Richard Henderson d072ea48e7
target-sparc: Use ctpop helper
Backports commit 08da3180dca8d41881b321d43944d97a838792fa from qemu
2018-03-01 18:28:54 -05:00
Richard Henderson 5f6e7bbdbd
tcg: Add opcode for ctpop
The number of actual invocations of ctpop itself does not warrent
an opcode, but it is very helpful for POWER7 to use in generating
an expansion for ctz.

Backports commit a768e4e99247911f00c5c0267c12d4e207d5f6cc from qemu
2018-03-01 18:26:41 -05:00
Richard Henderson 01b3c6273a
target-arm: Use clrsb helper
Backports commit bc21dbcc1203ae6bb536f832c46a3b5e22a73451 from qemu
2018-03-01 18:16:56 -05:00
Richard Henderson fff7ca4617
tcg: Add helpers for clrsb
The number of actual invocations does not warrent an opcode,
and the backends generating it. But at least we can eliminate
redundant helpers.

Backports commit 086920c2c8008f125fd38781072fa25c3ad158ea from qemu
2018-03-01 18:14:11 -05:00
Richard Henderson 246d891668
tcg/i386: Handle ctz and clz opcodes
Backports commit bbf25f90ba802a286fd72be9175a860ae5fec726 from qemu
2018-03-01 16:56:08 -05:00
Richard Henderson 73ab332185
tcg/i386: Allow bmi2 shiftx to have non-matching operands
Previously we could not have different constraints for different ISA levels,
which prevented us from eliding the matching constraint for shifts.

We do now have to make sure that the operands match for constant shifts.
We can also handle some small left shifts via lea.

Backports commit 6a5aed4bdc7078838a8098336588d56c9ce09d1d from qemu
2018-03-01 16:45:04 -05:00
Richard Henderson 9e3feebbfb
tcg/i386: Hoist common arguments in tcg_out_op
Backports commit 42d5b514928a8a0d2f55a4c243d1333f9675815b from qemu
2018-03-01 16:42:30 -05:00
Richard Henderson 142ca07077
tcg/i386: Fuly convert tcg_target_op_def
Use a switch instead of searching a table. Share constraints between
32-bit and 64-bit, when at all possible.

Backports commit cd26449a505f808e479af4fdd539e05767e09c06 from qemu
2018-03-01 16:32:31 -05:00
Richard Henderson 54ca83b900
tcg/s390: Handle clz opcode
Backports commit ce411066f4886cf3a4981fc0a070042a221a5fc8 from qemu
2018-03-01 16:24:29 -05:00
Richard Henderson a90e026c18
tcg/mips: Handle clz opcode
Backports commit 2a1d9d41aedd722d674b2a94d9b7dbea61469cac from qemu
2018-03-01 16:22:52 -05:00
Richard Henderson 303fc987ed
tcg/arm: Handle ctz and clz opcodes
Backports commit cc0fec8a4d2a8546fe236a09bfd80150af9cbe6b from qemu
2018-03-01 16:20:46 -05:00
Richard Henderson 2b87ddda35
tcg/aarch64: Handle ctz and clz opcodes
Backports commit 53c76c19904983d2c81e4f5e77027c241918a479 from qemu
2018-03-01 16:19:34 -05:00
Richard Henderson 22ebc5fcee
target-i386: Use clz and ctz opcodes
Backports commit e5143c90883cd32a432eb793cdcce6bee747834a from qemu
2018-03-01 16:17:42 -05:00
Richard Henderson 9cde8bfc44
target-arm: Use clz opcode
Backports commit 7539a012f614b724426ac9360238f3281d928a3f from qemu
2018-03-01 16:13:26 -05:00
Richard Henderson 9b2752b0a9
target-mips: Use clz opcode
Backports commit 1a0196c5c7f197fad7b079074d587b3204bcfb0f from qemu
2018-03-01 16:08:19 -05:00
Richard Henderson 2cf34e1b55
tcg: Add clz and ctz opcodes
Backports commit 0e28d0063bbd9e59a981ea2d20f82f30c5d956a8 from qemu
2018-03-01 16:04:11 -05:00
Richard Henderson b4b173615c
tcg: Allow an operand to be matching or a constant
This allows an output operand to match an input operand
only when the input operand needs a register.

Backports commit 17280ff4a5f264e01e55ae514ee6d3586f9577b2 from qemu
2018-03-01 15:49:05 -05:00
Richard Henderson 3f38611159
tcg: Pass the opcode width to target_parse_constraint
This will let us choose how to interpret a given constraint
depending on whether the opcode is 32- or 64-bit. Which will
let us share more constraint combinations between opcodes.

At the same time, change the interface to return the advanced
pointer instead of passing it in/out by reference.

Backports commit 069ea736b50b75fdec99c9b8cc603b97bd98419e from qemu
2018-03-01 15:45:40 -05:00
Richard Henderson b8c93597b4
tcg: Transition flat op_defs array to a target callback
This will allow the target to tailor the constraints to the
auto-detected ISA extensions.

Backports commit f69d277ece43c42c7ab0144c2ff05ba740f6706b from qemu
2018-03-01 15:40:11 -05:00
Richard Henderson 551ef0a9f7
tcg: Add markup for output requires new register
This is the same concept as, and same markup as, the
early clobber markup in gcc.

Backports commit 82790a870992bd87d5fd9e607f40859dcf4f82ac from qemu
2018-03-01 15:24:58 -05:00
Richard Henderson 199b3859c4
tcg/optimize: Fold movcond 0/1 into setcond
Backports commit 333b21b809fc80ce67c8f6a7d1c7cc66437d9791 from qemu
2018-03-01 14:41:38 -05:00
Richard Henderson b62743947f
target-mips: Use the new extract op
Use extract for EXT and DEXT.

Backports commit 6eebb7a438236fcf3fdadb013921ac597aaea911 fromq qemu
2018-03-01 14:39:20 -05:00
Richard Henderson e5acbeb86e
target-i386: Use new deposit and extract ops
A couple of places where it was easy to identify a right-shift
followed by an extract or and-with-immediate, and the obvious
sign-extract from a high byte register.

Backports commit 04fc2f1c8fc030a11e08e81bb926392c0991282a from qemu
2018-03-01 14:38:17 -05:00
Richard Henderson ce3c153bd8
target-arm: Use new deposit and extract ops
Use the new primitives for UBFX and SBFX.

Backports commits 59a71b4c5b4ef2ef6425b9e21c972dd5bf450275 and 86c9ab277615af4e0389eb80a83073873ff96c86 from qemu
2018-03-01 14:09:17 -05:00
Richard Henderson f0781470b4
tcg/s390: Support deposit into zero
Since we can no longer use matching constraints, this does
mean we must handle that data movement by hand.

Backports commit 752b1be94757de906b9c24ebc8f5e6aa54b96b23 from qemu
2018-03-01 13:47:20 -05:00
Richard Henderson a7462cc7bf
tcg/s390: Implement field extraction opcodes
Backports commit b0bf5fe82df93c180f69d439af59f1f546632f13 from qemu
2018-03-01 13:45:33 -05:00
Richard Henderson ab8871ea82
tcg/s390: Implement field extraction opcodes
Backports commit b0bf5fe82df93c180f69d439af59f1f546632f13 from qemu
2018-03-01 13:43:46 -05:00
Richard Henderson 348802286c
tcg/s390: Expose host facilities to tcg-target.h
This lets us expose facilities to TCG_TARGET_HAS_* defines
directly, rather than hiding behind function calls.

Backports commit b2c98d9d392c87c9b9e975d30f79924719d9cbbe from qemu
2018-03-01 13:43:00 -05:00
Richard Henderson db41c6f1d0
tcg/ppc: Implement field extraction opcodes
Backports commit c05021c3c8d6c976e4677d3010b9ef01488a4434 from qemu
2018-03-01 13:38:42 -05:00
Richard Henderson b10a4a9ee6
tcg/mips: Implement field extraction opcodes
Backports commit befbb3ced5869003ee2e806c4f36e306918d2374 from qemu
2018-03-01 13:37:24 -05:00
Richard Henderson 7a7a5c640d
tcg/i386: Implement field extraction opcodes
Backports commit 78fdbfb94616f0391834d2eccabd16ea29e37da5 from qemu
2018-03-01 13:35:41 -05:00
Richard Henderson cabb6f71a0
tcg/arm: Implement field extraction opcodes
Backports commit ec903af18418e0870af84f6036d7aca1e6a5dc0a from qemu
2018-03-01 13:33:55 -05:00
Richard Henderson c4f56ec541
tcg/arm: Move isa detection to tcg-target.h
This allows us to use this detection within the TCG_TARGET_HAS_*
macros, instead of requiring a function call into tcg-target.inc.c.

Backports commit 40b2ccb156534f5d5f1d110a6ce008d87ee10af1 from qemu
2018-03-01 13:32:39 -05:00
Richard Henderson fbea4130fc
tcg/aarch64: Implement field extraction opcodes
Backports commit e2179f94a17bf0933df29ce1b4f6bc93cbe7dbd3 from qemu
2018-03-01 13:30:55 -05:00
Richard Henderson 9f2fcaaf27
tcg: Add deposit_z expander
While we don't require a new opcode, it is handy to have an expander
that knows the first source is zero.

Backports commit 07cc68d52852bf47dea7c402b46ddd28248d4212 from qemu
2018-03-01 13:29:24 -05:00
Richard Henderson 8e0585dcb1
tcg: Add field extraction primitives
Adds tcg_gen_extract_* and tcg_gen_sextract_* for extraction of
fixed position bitfields, much like we already have for deposit.

Backports commit 7ec8bab3deae643b1ce579c2d65a244f30708330 from qemu
2018-03-01 13:21:30 -05:00
Jason Wang 29932d0719
memory: handle alias in memory_region_is_iommu()
Backports commit 12d37882f0c0def5dee1c21be5d8fea9c21baada from qemu
2018-03-01 13:06:18 -05:00
Jason Wang fdca6292a1
exec: introduce address_space_get_iotlb_entry()
This patch introduces a helper to query the iotlb entry for a
possible iova. This will be used by later device IOTLB API to enable
the capability for a dataplane (e.g vhost) to query the IOTLB.

Backports commit 052c8fa9983f553fdfa0d61034774070dd639c2b from qemu
2018-03-01 13:05:08 -05:00
Richard Henderson efad2631d2
translate-all: Avoid -Werror=switch-bool
gcc 5.3.0 diagnoses

translate-all.c: In function ‘alloc_code_gen_buffer’:
translate-all.c:756:17: error: switch condition has boolean value
switch (buf2 != MAP_FAILED) {
^

Backports commit f68808c7494b38764e1895a9852b994638b86536 from qemu
2018-03-01 13:01:50 -05:00
Jin Guojie 4ed2a37f6d
tcg-mips: Adjust qemu_ld/st for mips64
Backports commit f0d703314ecb0415d51425727ed73ad2c6e3238a from qemu
2018-03-01 13:01:05 -05:00
Jin Guojie 25b4e11814
tcg-mips: Adjust calling conventions for mips64
Backports commit 999b941633cabf2487d9bc77ce382b3fde3cd66d from qemu
2018-03-01 12:53:42 -05:00
Jin Guojie 3de761976c
tcg-mips: Adjust prologue for mips64
Take stack frame parameters out from the function body.

Backports commit 0973b1cff8b66f3561befb1f467b2ab4d1a7d55a from qemu
2018-03-01 12:51:36 -05:00
Jin Guojie b55b7403a8
tcg-mips: Adjust load/store functions for mips64
tcg_out_ldst: using a generic ALIAS_PADD to avoid ifdefs
tcg_out_ld: generates LD or LW
tcg_out_st: generates SD or SW

Backports commit 32b69707df3365aadaad1d058044a7704397ec62 from qemu
2018-03-01 12:50:12 -05:00
Jin Guojie 022ff3580e
tcg-mips: Adjust move functions for mips64
tcg_out_mov: using OPC_OR as most mips assemblers do;
tcg_out_movi: extended to 64-bit immediate.

Backports commit 2294d05dab503d11664e73712c7f250fd0bf9e3b from qemu
2018-03-01 12:49:19 -05:00
Jin Guojie 00ccf9cec7
tcg-mips: Add bswap32u and bswap64
Without the mips32r2 instructions to perform swapping, bswap is quite large,
dominating the size of each reverse-endian qemu_ld/qemu_st operation.

Create two subroutines in the prologue block. The subroutines require extra
reserved registers (TCG_TMP[2, 3]). Using these within qemu_ld means that
we need not place additional restrictions on the qemu_ld outputs.

Backports commit 7f54eaa3b78d71cb57e45a719980f9b5ff06d21c from qemu
2018-03-01 12:47:45 -05:00
Jin Guojie 397db1b046
tcg-mips: Support 64-bit opcodes
Bulk patch adding 64-bit opcodes into tcg_out_op. Note that
mips64 is as yet neither complete nor enabled.

Backports commit 0119b1927d531f3fac22b9b4da01dafc23644973 from qemu
2018-03-01 12:46:18 -05:00
Jin Guojie 286f3a9f70
tcg-mips: Add mips64 opcodes
Since the mips manual tables are in octal, reorg all of the opcodes
into that format for clarity. Note that the 64-bit opcodes are as
yet unused.

Backports commit 57a701fc2b34902310d4dbd1411088055616938a from qemu
2018-03-01 12:36:20 -05:00
Jin Guojie d2aa49e9d3
tcg-mips: Move bswap code to a subroutine
Without the mips32r2 instructions to perform swapping, bswap is quite large,
dominating the size of each reverse-endian qemu_ld/qemu_st operation.

Create a subroutine in the prologue block. The subroutine requires extra
reserved registers (TCG_TMP[2, 3]). Using these within qemu_ld means that
we need not place additional restrictions on the qemu_ld outputs.

Backports commit bb08afe9f0aee1a3f5c23508e2511b882ca31e1b from qemu
2018-03-01 12:35:20 -05:00
Laurent Vivier 5d4a5e9ba7
target-m68k: free TCG variables that are not
This is a cleanup patch. It adds call to tcg_temp_free()
when it is missing.

Backports commit 2b5e2170678af36df48ab4b05dff81fe40b41a65 from qemu
2018-03-01 12:27:43 -05:00
Laurent Vivier 74beed5a4d
target-m68k: add rol/ror/roxl/roxr instructions
Backports commit 0194cf31cfc84516d10eca354146673150e10410 from qemu
2018-03-01 12:21:02 -05:00
Richard Henderson cf9424d60d
target-m68k: Inline shifts
Also manage word and byte operands and fix the computation of
overflow in the case of M68000 arithmetic shifts.

Backports commit 367790cce8e14131426f5190dfd7d1bdbf656e4d from qemu
2018-03-01 12:11:10 -05:00
Richard Henderson 0c00b036be
target-m68k: Do not cpu_abort on undefined insns
Report this properly via exception and, importantly, allow
the disassembler the chance to tell us what insn is not handled.

Backports commit 72d2e4b6a437f11f97d3138f6b2ec177b78210c7 from qemu
2018-03-01 12:02:39 -05:00
Laurent Vivier 90b0b6d867
target-m68k: Implement 680x0 movem
680x0 movem can load/store words and long words and can use more
addressing modes. Coldfire can only use long words with (Ax) and
(d16,Ax) addressing modes.

Backports commit 7b542eb96d7d5d9266a9c0425f05d49c8e6df2f9 from qemu
2018-03-01 12:01:46 -05:00
Laurent Vivier 2d318da080
target-m68k: add cas/cas2 ops
Implement CAS using cmpxchg.
Implement CAS2 using helper and either cmpxchg when
the 32bit addresses are consecutive, or with
parallel_cpus+cpu_loop_exit_atomic() otherwise.

Backports commit 14f944063affbcc7bd6df42b060793dbfee8a822 from qemu
2018-03-01 11:56:26 -05:00
Laurent Vivier f602f9d40c
target-m68k: add abcd/sbcd/nbcd
Backports commit fb5543d820018a46b713911e7653594be727ca98 from qemu
2018-03-01 11:51:49 -05:00
Laurent Vivier 90b87b3580
target-m68k: add 680x0 divu/divs variants
Update helper to set the throwing location in case of div-by-0.
Cleanup divX.w and add quad word variants of divX.l.

Backports commit 0ccb9c1d8128a020720d5c6abf99a470742a1b94 from qemu
2018-03-01 11:42:30 -05:00
Laurent Vivier 77b8b2f3b8
target-m68k: add 680x0 divu/divs variants
Update helper to set the throwing location in case of div-by-0.
Cleanup divX.w and add quad word variants of divX.l.

Backports commit 0ccb9c1d8128a020720d5c6abf99a470742a1b94 from qemu
2018-03-01 11:38:53 -05:00
Laurent Vivier f3990e8f87
target-m68k: add 64bit mull
Backports commit 8be95defd6ab10d2c9f986879a0afa82417cb8e5 from qemu
2018-03-01 11:32:59 -05:00
Laurent Vivier e1c7d37556
target-m68k: add cmpm
Backports commit 817af1c72d227fd5759ef882bef61acee40679b1 from qemu
2018-03-01 11:29:35 -05:00
Richard Henderson e6ca471dda
target-m68k: Split gen_lea and gen_ea
Provide gen_lea_mode and gen_ea_mode, where the mode can be
specified manually, rather than taken from the instruction.

Backports commit f84aab269ddab8509b77408b886e9071bf5c48fb from qemu
2018-03-01 11:27:43 -05:00
Richard Henderson 5541553e8d
target-m68k: Delay autoinc writeback
Backports commit 8a1e52b69d2cd1c633f3c473a213d575931bf46d from qemu
2018-03-01 11:18:36 -05:00
Cédric Le Goater c7ab1e782b
target-arm: Add VBAR support to ARM1176 CPUs
ARM1176 CPUs have TrustZone support and can use the Vector Base
Address Register, but currently, qemu only adds VBAR support to ARMv7
CPUs. Fix this by adding a new feature ARM_FEATURE_VBAR which can used
for ARMv7 and ARM1176 CPUs.

The VBAR feature is always set for ARMv7 because some legacy boards
require it even if this is not architecturally correct.

Backports commit 91db4642f868cf2e591b62d31a19d35b02ea791e from qemu
2018-03-01 11:12:29 -05:00
Peter Maydell 554ad1f34e
target-arm: Log AArch64 exception returns
We already log exception entry; add logging of the AArch64 exception
return path as well.

Backports commit c9b61d9aa1ad234b0961f8add023cdc999cda3da from qemu
2018-03-01 11:08:35 -05:00
Julian Brown 86670028f7
Correct value of ARM Cortex-A8 MVFR1 register.
The value of the MVFR1 (Media and VFP Feature Register 1) register for
the Cortex-A8 appears to be incorrect (according to the TRM, DDI0344K),
with the "full denormal arithmetic" and "propagation of NaN" fields
holding both 0 instead of both 1.

I had a go tracing the history of the use of this value, and it seems
it's always just been wrong in QEMU: maybe it was derived from early
documentation, or guessed based on the use of a "VFP Lite" implementation
in the Cortex-A8.

Depending on the startup/early-boot code in use, this can manifest as
failure to perform denormal arithmetic properly: in our case, selecting
a Cortex-A8 CPU when using QEMU as an instruction-set simulator for
bare-metal GCC testing caused tests using denormal arithmetic to
fail. Problems might be masked (or not occur) when using a full OS kernel
with suitable trap handlers (I'm not sure).

Backports commit 0f1944735b6bac810b067e8a7a5154744536fd59 from qemu
2018-03-01 11:07:08 -05:00
Richard Henderson fcc05dc1ce
tcg/s390: Remove 'R' constraint
Since R0 is reserved, we don't need a special case constraint.

Backports commit e45d4ef6e345831c8d67a5bffe0d057efc20f4ff from qemu
2018-03-01 11:05:57 -05:00
Richard Henderson 7852cc600d
tcg/s390: Fix setcond expansion
We can't use LOAD AND TEST for unsigned data and then expect to
extract the result with ADD LOGICAL WITH CARRY. Fall through to
using COMPARE LOGICAL IMMEDIATE instead.

Backports commit 65839b56b9a740e6b898b5d81afc160502bd2935 from qemu
2018-03-01 11:04:40 -05:00
Kirill A. Shutemov eb489625b5
x86: implement la57 paging mode
The new paging more is extension of IA32e mode with more additional page
table level.

It brings support of 57-bit vitrual address space (128PB) and 52-bit
physical address space (4PB).

The structure of new page table level is identical to pml4.

The feature is enumerated with CPUID.(EAX=07H, ECX=0):ECX[bit 16].

CR4.LA57[bit 12] need to be set when pageing enables to activate 5-level
paging mode.

Backports commit 6c7c3c21f95dd9af8a0691c0dd29b07247984122 from qemu
2018-03-01 11:02:07 -05:00
Doug Evans 7c874b1b2b
target-i386: Fix eflags.TF/#DB handling of syscall/sysret insns
The syscall and sysret instructions behave a bit differently:
TF is checked after the instruction completes.
This allows the o/s to disable #DB at a syscall by adding TF to FMASK.
And then when the sysret is executed the #DB is taken "as if" the
syscall insn just completed.

Backports commit c52ab08aee6f7d4717fc6b517174043126bd302f from qemu
2018-03-01 10:56:22 -05:00
Yi Sun f6e624d97b
target-i386: Add Intel SHA_NI instruction support.
Add SHA_NI feature bit. Its spec can be found at:
https://software.intel.com/sites/default/files/managed/39/c5/325462-sdm-vol-1-2abcd-3abcd.pdf

Backports commit 638cbd452d3a92a2ab18caee73078483d90f64eb from qemu
2018-03-01 10:52:54 -05:00
Paolo Bonzini 81ad780e5e
exec: introduce MemoryRegionCache
Device models often have to perform multiple access to a single
memory region that is known in advance, but would to use "DMA-style"
functions instead of address_space_map/unmap. This can happen
for example when the data has to undergo endianness conversion.
Introduce a new data structure to cache the result of
address_space_translate without forcing usage of a host address
like address_space_map does.

Backports commit 1f4e496e1fc2eb6c8bf377a0f9695930c380bfd3 from qemu
2018-03-01 10:50:30 -05:00
Paolo Bonzini 03a9bbb3d3
exec: introduce address_space_extend_translation
This extracts the common part of address_space_map and
address_space_cache_init into a new function.

Backports commit 715c31ec8e12107f47ac74b464c97e813c76f898 from qemu
2018-03-01 10:06:43 -05:00
Paolo Bonzini 88ad0f4f6e
exec: introduce memory_ldst.inc.c
Templatize the address_space_* and *_phys functions, so that we can add
similar functions in the next patch that work with a lightweight,
cache-like version of address_space_map/unmap.

Backports commit 0ce265ffef87f19f4dd1ff0663e09a63d66ae408 from qemu
2018-03-01 09:59:34 -05:00
Paolo Bonzini f3cc489a72
exec: optimize remaining address_space_* cases
Do them right before the next patch generalizes them into a multi-included
file.

Backports commit 2651efe7f5f9d6dc89c8e54d7d63952b7b22597d from qemu
2018-03-01 09:40:29 -05:00
Richard Henderson 0f94929fa7
target-arm: Fix aarch64 vec_reg_offset
Since CPUARMState.vfp.regs is not 16 byte aligned, the ^ 8 fixup used
for a big-endian host doesn't do what's intended. Fix this by adding
in the vfp.regs offset after computing the inter-register offset.

Backports commit d437262fa8edd0d9fbe038a515dda3dbf7c5bb54 from qemu
2018-03-01 09:36:03 -05:00
Richard Henderson ce9dca9c5e
target-arm: Fix aarch64 disas_ldst_single_struct
We add s->be_data within do_vec_ld/st. Adding it here means that
we have the wrong bits set in SIZE for a big-endian host, leading
to g_assert_not_reached in write_vec_element and read_vec_element.

Backports commit 74b13f92c2428abae41a61c46a5cf47545da5fcb from qemu
2018-03-01 09:34:34 -05:00
Paolo Bonzini 560515941a
target-i386: correctly propagate retaddr into SVM helpers
Commit 2afbdf8 ("target-i386: exception handling for memory helpers",
2015-09-15) changed tlb_fill's cpu_restore_state+raise_exception_err
to raise_exception_err_ra. After this change, the cpu_restore_state
and raise_exception_err's cpu_loop_exit are merged into
raise_exception_err_ra's cpu_loop_exit_restore.

This actually fixed some bugs, but when SVM is enabled there is a
second path from raise_exception_err_ra to cpu_loop_exit. This is
the VMEXIT path, and now cpu_vmexit is called without a
cpu_restore_state before.

The fix is to pass the retaddr to cpu_vmexit (via
cpu_svm_check_intercept_param). All helpers can now use GETPC() to pass
the correct retaddr, too.

Backports commit 823fb688ebc52a7d79c1308acb28c92b56820167 from qemu
2018-03-01 09:31:16 -05:00
Richard Henderson f6a72d4dca
target/sparc: Restore ldstub of odd asis
Fixes the booting of ss20 roms.

Backports commit f61f76cb3ff9fea6ecbcb9696ed82b3e2c5b7364 from qemu
2018-03-01 09:21:44 -05:00
Paolo Bonzini 9404dbf74e
cpu-exec: fix icount out-of-bounds access
When icount is active, tb_add_jump is surprisingly called with an
out of bounds basic block index. I have no idea how that can work,
but it does not seem like a good idea. Clear *last_tb for all
TB_EXIT_ICOUNT_EXPIRED cases, even when all you have to do is
refill icount_extra.

Backports commit d8dea6fbcbed177ca5d23ab77b3834a9437f0e88 from qemu
2018-03-01 09:17:26 -05:00
Richard Henderson 6820964e2f
tcg/aarch64: Fix tcg_out_movi
There were some patterns, like 0x0000_ffff_ffff_00ff, for which we
would select to begin a multi-insn sequence with MOVN, but would
fail to set the 0x0000 lane back from 0xffff.

Backports commit 50b468d42107a2c646b1c566ed17d9ec362c51c4 from qemu
2018-03-01 09:15:34 -05:00
Richard Henderson a03666f2f2
tcg/aarch64: Fix addsub2 for 0+C
When al == xzr, we cannot use addi/subi because that encodes xsp.
Force a zero into the temp register for that (rare) case.

Backports commit 028fbea47713f909d6ea761a457779a82b276247 from qemu
2018-03-01 09:13:54 -05:00
Roman Kapl 337f57dd2c
exec: Add missing rcu_read_unlock
rcu_read_unlock was not called if the address_space_access_valid result is
negative.

This caused (at least) a problem when qemu on PPC/E500+TAP failed to terminate
properly and instead got stuck in a deadlock.

Backports commit 662a97d74f9b34cafe9aeb6d96620a97d768a1fa from qemu
2018-03-01 09:12:27 -05:00
Peter Maydell 488b6cc82b
exec.c: Fix breakpoint invalidation race
A bug (1647683) was reported showing a crash when removing
breakpoints. The reproducer was bisected to 3359baad when tb_flush
was finally made thread safe. While in MTTCG the locking in
breakpoint_invalidate would have prevented any problems, but
currently tb_lock() is a NOP for system emulation.

The race is between a tb_flush from the gdbstub and the
tb_invalidate_phys_addr() in breakpoint_invalidate().

Ideally we'd have actual locking here; for the moment the
simple fix is to do a full tb_flush() for a bp invalidate,
since that is thread-safe even if no lock is taken.

Backports commit a9353fe897ca2687e5b3385ed39e3db3927a90e0 from qemu
2018-03-01 09:10:59 -05:00
Alex Bennée f4c65739f3
target-arm/translate-a64: fix gen_load_exclusive
While testing rth's latest TCG patches with risu I found ldaxp was
broken. Investigating further I found it was broken by 1dd089d0 when
the cmpxchg atomic work was merged. As part of that change the code
attempted to be clever by doing a single 64 bit load and then shuffle
the data around to set the two 32 bit registers.

As I couldn't quite follow the endian magic I've simply partially
reverted the change to the original code gen_load_exclusive code. This
doesn't affect the cmpxchg functionality as that is all done on in
gen_store_exclusive part which is untouched.

I've also restored the comment that was removed (with a slight tweak
to mention cmpxchg).

Backports commit 5460da501a57cd72eda6fec736d76539122e2f99 from qemu
2018-03-01 09:09:16 -05:00
Marc-André Lureau b0e5d04813
qapi: add missing colon-ending for section name
The documentation parser we are going to add expects a section name to
end with ':', otherwise the comment is treated as free-form text body.

Backports commit 5072f7b38b1b9b26b8fbe1a89086386a420aded8 from qemu
2018-03-01 09:07:10 -05:00
Yongbok Kim 8575514f4c
target-mips: fix bad shifts in {dextp|dextpdp}
Fixed issues in the MIPSDSP64 instructions dextp and dextpdp.
Shifting can go out of 32 bit range.

https://bugs.launchpad.net/qemu/+bug/1631625

Backports commit e6e2784cacd4cfec149a7690976b9ff15e541c4d from qemu
2018-03-01 09:04:41 -05:00
Heiher b5468b4b22
target-mips: Fix Loongson multimedia instructions.
Needed to emit FPU exception on Loongson multimedia instructions
executing if Status:CU1 is clear. or FPR changes may be missed
on Linux.

Backports commit b5a587b613f6151c2ce164552579ae64f2ddfd1c from qemu
2018-03-01 09:03:49 -05:00
Heiher 12a8570cbe
target-mips: Fix Loongson multimedia 'or' instruction.
Backports commit bb7cab5f3466540f5603b209c0df2e27a02fbb95 from qemu
2018-03-01 09:03:10 -05:00
Heiher ba39cb4fcb
target-mips: Fix Loongson pandn instruction.
pandn FD, FS, FT
Operation: FD = ((NOT FS) AND FT)

Backports commit 9099a36b4bb81f84004b77f08e58ac2c67eed0e7 from qemu
2018-03-01 09:02:34 -05:00
Laurent Vivier 7055c38183
target-m68k: fix muluw/mulsw
"The multiplier and multiplicand are both word operands, and the result
is a long-word operand."

So compute flags on a long-word result, not on a word result.

Backports commit 4a18cd44f3c905d443c26e26bb9b09932606d1a3 from qemu
2018-03-01 08:59:42 -05:00
Laurent Vivier 527c68f40e
target-m68k: Fix cmpa operand size
"The size of the operation can be specified as word or long.
Word length source operands are sign-extended to 32 bits for
comparison."

So comparison is always done using OS_LONG.

Backports commit 5436c29d78957a6825a93f0eb79dfab388641017 from qemu
2018-03-01 08:58:59 -05:00