Fix a TCG crash due to attempting an atomic increment
operation without having set up the address first.
This is a similar case to that dealt with in commit
e84fcd7f662a0d8198703, and we fix it in the same way.
Fixes: https://bugs.launchpad.net/qemu/+bug/1807675
Backports commit 8cb2ca3d7479748587313f0b34034a3f8aa08c92 from qemu
While running the GCC test suite against 4.0.0-rc0, Kito found a
regression introduced by the decodetree conversion that caused divuw and
remuw to sign-extend their inputs. The ISA manual says they are
supposed to be zero extended:
DIVW and DIVUW instructions are only valid for RV64, and divide the
lower 32 bits of rs1 by the lower 32 bits of rs2, treating them as
signed and unsigned integers respectively, placing the 32-bit
quotient in rd, sign-extended to 64 bits. REMW and REMUW
instructions are only valid for RV64, and provide the corresponding
signed and unsigned remainder operations respectively. Both REMW
and REMUW always sign-extend the 32-bit result to 64 bits, including
on a divide by zero.
Here's Kito's reduced test case from the GCC test suite
unsigned calc_mp(unsigned mod)
{
unsigned a,b,c;
c=-1;
a=c/mod;
b=0-a*mod;
if (b > mod) { a += 1; b-=mod; }
return b;
}
int main(int argc, char *argv[])
{
unsigned x = 1234;
unsigned y = calc_mp(x);
if ((sizeof (y) == 4 && y != 680)
|| (sizeof (y) == 2 && y != 134))
abort ();
exit (0);
}
I haven't done any other testing on this, but it does fix the test case.
Backports commit f17e02cd3731bdfe2942d1d0b2a92f26da02408c from qemu
cortex-a7 and cortex-a15 have pmus (PMUv2) and they advertise
them in ID_DFR0. Let's allow them to function. This also enables
the pmu cpu property to work with these cpu types, i.e. we can
now do '-cpu cortex-a15,pmu=off' to remove the pmu.
Backports commit a46118fc16537a593119e5b316052a98514046bb from qemu
Fix a QEMU NULL derefence that occurs when the guest attempts to
enable PMU counters with a non-v8 cpu model or a v8 cpu model
which has not configured a PMU.
Backports commit cbbb3041fe2f57a475cef5d6b0ef836118aad106 from qemu
The second word has been loaded from the unincremented
address since the first commit.
Backports commit a036f5302c13634f3d375615b2949fd1fa1657b6 from qemu
Currently, the Cascadelake-Server, Icelake-Client, and
Icelake-Server are always generating the following warning:
qemu-system-x86_64: warning: \
host doesn't support requested feature: CPUID.07H:ECX [bit 4]
This happens because OSPKE was never returned by
GET_SUPPORTED_CPUID or x86_cpu_get_supported_feature_word().
OSPKE is a runtime flag automatically set by the KVM module or by
TCG code, was always cleared by x86_cpu_filter_features(), and
was not supposed to appear on the CPU model table.
Remove the OSPKE flag from the CPU model table entries, to avoid
the bogus warning and avoid returning invalid feature data on
query-cpu-* QMP commands. As OSPKE was always cleared by
x86_cpu_filter_features(), this won't have any guest-visible
impact.
Include a test case that should detect the problem if we introduce
a similar bug again.
Fixes: c7a88b52f62b ("i386: Add new model of Cascadelake-Server")
Fixes: 8a11c62da914 ("i386: Add new CPU model Icelake-{Server,Client}")
Backports commit bb4928c7cafe50ab2137a0034e350ef1bfa044d9 from qemu
Now that kvm_arch_get_supported_cpuid() will only return
arch_capabilities if QEMU is able to initialize the MSR properly,
we know that the feature is safely migratable.
Backports commit 014018e19b3c54dd1bf5072bc912ceffea40abe8 from qemu
If vectored interrupts are enabled (bits[1:0]
of mtvec/stvec == 1) then use the following
logic for trap entry address calculation:
pc = mtvec + cause * 4
In addition to adding support for vectored interrupts
this patch simplifies the interrupt delivery logic
by making sync/async cause decoding and encoding
steps distinct.
The cause code and the sign bit indicating sync/async
is split at the beginning of the function and fixed
cause is renamed to cause. The MSB setting for async
traps is delayed until setting mcause/scause to allow
redundant variables to be eliminated. Some variables
are renamed for conciseness and moved so that decls
are at the start of the block.
Backports commit acbbb94e5730c9808830938e869d243014e2923a from qemu
This effectively changes riscv_cpu_update_mip
from edge to level. i.e. cpu_interrupt or
cpu_reset_interrupt are called regardless of
the current interrupt level.
Fixes WFI doesn't return when a IPI is issued:
- https://github.com/riscv/riscv-qemu/issues/132
To test:
1) Apply RISC-V Linux CPU hotplug patch:
- http://lists.infradead.org/pipermail/linux-riscv/2018-May/000603.html
2) Enable CONFIG_CPU_HOTPLUG in linux .config
3) Try to offline and online cpus:
echo 1 > /sys/devices/system/cpu/cpu2/online
echo 0 > /sys/devices/system/cpu/cpu2/online
echo 1 > /sys/devices/system/cpu/cpu2/online
Backports commit d26f5a423438e579d3ff0ca35e44edb966a36233 from qemu
This change checks elf_flags for EF_RISCV_RVE and if
present uses the RVE linux syscall ABI which uses t0
for the syscall number instead of a7.
Warn and exit if a non-RVE ABI binary is run on a
cpu with the RVE extension as it is incompatible.
Backports relevant parts of 5836c3eccedb6dfab16b8f606f2de24b8938b69c
from qemu
We can't allow the supervisor to control SEIP as this would allow the
supervisor to clear a pending external interrupt which will result in
lost a interrupt in the case a PLIC is attached. The SEIP bit must be
hardware controlled when a PLIC is attached.
This logic was previously hard-coded so SEIP was always masked even
if no PLIC was attached. This patch adds riscv_cpu_claim_interrupts
so that the PLIC can register control of SEIP. In the case of models
without a PLIC (spike), the SEIP bit remains software controlled.
This interface allows for hardware control of supervisor timer and
software interrupts by other interrupt controller models.
Backports commit e3e7039cc24ecf47d81c091e8bb04552d6564ad8 from qemu
Add a debugger field to CPURISCVState. Add riscv_csrrw_debug function
to set it. Disable mode checks when debugger field true.
Backports commit 753e3fe207db08ce0ef0405e8452c3397c9b9308 from qemu
This adds some missing CSR_* register macros, and documents some as being
priv v1.9.1 specific.
Backports commit 8e73df6aa3f2f0e5c26c03a94a88406616291815 from qemu
during the refactor to decodetree we removed the manual decoding that is
necessary for c.jal/c.addiw and removed the translation of c.flw/c.ld
and c.fsw/c.sd. This reintroduces the manual parsing and the
omited implementation.
Backports commit f330433b3633647b047cfa418c2ca4d18fda69c7 from qemu
These instructions do not trap when SVE is disabled in EL0,
causing them to be executed with wrong size information.
Backports commit 5de56742a3c91de3d646326bec43a989bba83ca4 from qemu
Some generic arch timer registers are Config-RW in the EL0,
which means the EL0 exception level can have write permission
if it is appropriately configured.
When VM access registers, QEMU firstly checks whether they have RW
permission, then check whether it is appropriately configured.
If they are defined to read only in EL0, even though they have been
appropriately configured, they still do not have write permission.
So need to add the write permission according to ARMV8 spec when
define it.
Backports commit daf1dc5f82cefe2a57f184d5053e8b274ad2ba9a from qemu
with all 16 bit insns moved to decodetree no path is falling back to
gen_system(), so we can remove it.
Backports commit 8f7bc273868939f0821e07fb23792db63d45bffb from qemu
manual decoding in gen_arith() is not necessary with decodetree. For now
the function is called trans_arith as the original gen_arith still
exists. The former will be renamed to gen_arith as soon as the old
gen_arith can be removed.
Backports commit f2ab1728675772cd475a33f4df3d2f68a22c188f from qemu
gen_arith_imm() does a lot of decoding manually, which was hard to read
in case of the shift instructions and is not necessary anymore with
decodetree.
Backports commit 7a50d3e2ae7f13b24fe55990ea0b8ddcbbb43130 from qemu
With decodetree we don't need to convert RISC-V opcodes into to MemOps
as the old gen_store() did.
Backports commit bce8a342a1f0919479d18ec812b100136daa746b from qemu
With decodetree we don't need to convert RISC-V opcodes into to MemOps
as the old gen_load() did.
Backports commit 98898b20e9cca462843c22ad952c216ffd57d654 from qemu
We now utilizes argument-sets of decodetree such that no manual
decoding is necessary.
Backports commit 090cc2c898a04e42350eabf1bcf7d245471603f9 from qemu
we cannot remove the call to gen_arith() in decode_RV32_64G() since it
is used to translate multiply instructions.
Backports commit b73a987b09ad5081123dc6b1e8e6c8305a1c8673 from qemu
this splits the 64-bit only instructions into its own decode file such
that we generate the decoder for these instructions only for the RISC-V
64 bit target.
Backports commit 7e45a682edc32ba90d6955215f062210531b835b from qemu
for now only LUI & AUIPC are decoded and translated. If decodetree fails, we
fall back to the old decoder.
Backports commit 2a53cff418335ccb4719e9a94fde55f6ebcc895d from qemu
Intel Processor Trace required CPUID[0x14] but the cpuid_level
have no change when create a kvm guest with
e.g. "-cpu qemu64,+intel-pt
Backports relevant bits of commit
f24c3a79a415042f6dc195f029a2ba7247d14cac from qemu
This ports over the RISC-V architecture from Qemu. This is currently a
very barebones transition. No code hooking or any fancy stuff.
Currently, you can feed it instructions and query the CPU state itself.
This also allows choosing whether or not RISC-V 32-bit or RISC-V 64-bit
is desirable through Unicorn's interface as well.
Extremely basic examples of executing a single instruction have been
added to the samples directory to help demonstrate how to use the basic
functionality.
These changes were mostly made in upstream unicorn for what I can guess,
was to support old versions of MSVC's compiler.
This is also a pain to maintain, since everything needs to be done
manually and can be a source of errors. It also makes it take more work
than it needs to, to backport changes from qemu.
Because of that, this change restores Qemu's organization of the
coprocessor registers.
This decoding more closely matches the ARMv8.4 Table C4-6,
Encoding table for Data Processing - Register Group.
In particular, op2 == 0 is now more than just Add/sub (with carry).
Backports commit 2fba34f70d9a81bab56e61bb99a4d6632bdfe531 from qemu
We do not need an out-of-line helper for manipulating bits in pstate.
While changing things, share the implementation of gen_ss_advance.
Backports commit 22ac3c49641f6eed93dca5b852030b4d3eacf6c4 from qemu
The EL0+UMA check is unique to DAIF. While SPSel had avoided the
check by nature of already checking EL >= 1, the other post v8.0
extensions to MSR (imm) allow EL0 and do not require UMA. Avoid
the unconditional write to pc and use raise_exception_ra to unwind.
Backports commit ff730e9666a716b669ac4a8ca7c521177d1d2b15 from qemu
Minimize the number of places that will need updating when
the virtual host extensions are added.
Backports commit 64e40755cd41fbe8cd266cf387e42ddc57a449ef from qemu
Found by inspection: Rn is the base register against which the
load began; I is the register within the mask being processed.
The exception return should of course be processed from the loaded PC.
Backports commit 9d090d17234058f55c3c439d285db78c94d7d4de from qemu
Previously we weren't even initializing the instruction table, so any
attempt at emulation would cause a segmentation fault.
This also moves the end address check after the decoding to correctly
perform exiting behavior with the new translator model.
Previously we'd be checking prior to the actual decoding if we were at
the ending address. This worked fine using the old model of the
translation process in qemu. However, this causes the wrong behavior to
occur in both ARM and Thumb/Thumb-2 modes using the newer translator
model.
Given the translator itself checks for the end address already, this
needs to be placed within arm_post_translate_insn().
This prevents the emulation process being off-by-one as well when it
comes to actually executing the instructions.
1. Create an enum name for the IPSR register.
2. Implement read and write of the IPSR via the xpsr helper functions.
Fixes#1065
Backports commit 6c319941a5462ee3a4af4593c371f5674394d6ce from unicorn.
* Added MXCSR register for reading and writing
* Changed writing for fpucw register, now the qemu rounding status is updated as well
Backports commit 256e7782ceafb1f8915da167040d5368c38f9585 from unicorn
Set up MMI code to be compiled only for TARGET_MIPS64. This is
needed so that GPRs are 64 bit, and combined with MMI registers,
they will form full 128 bit registers.
Backports commit 37b9aae2e6e005e6df206a0b4804972460806166 from qemu
Note that float16_to_float32 rightly squashes SNaN to QNaN.
But of course pickNaNMulAdd, for ARM, selects SNaNs first.
So we have to preserve SNaN long enough for the correct NaN
to be selected. Thus float16_to_float32_by_bits.
Backports commit a4e943a716d5fac923d82df3eabc65d1e3624019 from qemu
There is a set of VFP instructions which we implement in
disas_vfp_v8_insn() and gate on the ARM_FEATURE_V8 bit.
These were all first introduced in v8 for A-profile, but in
M-profile they appeared in v7M. Gate them on the MVFR2
FPMisc field instead, and rename the function appropriately.
Backports commit c0c760afe800b60b48c80ddf3509fec413594778 from qemu
Instead of gating the A32/T32 FP16 conversion instructions on
the ARM_FEATURE_VFP_FP16 flag, switch to our new approach of
looking at ID register bits. In this case MVFR1 fields FPHP
and SIMDHP indicate the presence of these insns.
This change doesn't alter behaviour for any of our CPUs.
Backports commit 602f6e42cfbfe9278be34e9b91d2ceb695837e02 from qemu
There are lots of special cases within these insns. Split the
major argument decode/loading/saving into no_output (compares),
rd_is_dp, and rm_is_dp.
We still need to special case argument load for compare (rd as
input, rm as zero) and vcvt fixed (rd as input+output), but lots
of special cases do disappear.
Now that we have a full switch at the beginning, hoist the ISA
checks from the code generation.
Backports commit e80941bd64cc388554770fd72334e9e7d459a1ef from qemu
Move all of the fp helpers out of helper.c into a new file.
This is code movement only. Since helper.c has no copyright
header, take the one from cpu.h for the new file.
Backports commit 37356079fcdb34e13abbed8ea0c00ca880c31247 from qemu
For opcodes 0-5, move some if conditions into the structure
of a switch statement. For opcodes 6 & 7, decode everything
at once with a second switch.
Backports commit 3c3ff68492c2d00bd8cb39ed2d02bdaf5caf5cb8 from qemu
This was introduced by
commit bf8d09694ccc07487cd73d7562081fdaec3370c8
target/arm: Don't clear supported PMU events when initializing PMCEID1
and identified by Coverity (CID 1398645).
Backports commit 67da43d668320e1bcb0a0195aaf2de4ff2a001a0 from qemu
The "background region" for a v8M MPU is a default which will be used
(if enabled, and if the access is privileged) if the access does
not match any specific MPU region. We were incorrectly using it
always (by putting the condition at the wrong nesting level). This
meant that we would always return the default background permissions
rather than the correct permissions for a specific region, and also
that we would not return the right information in response to a
TT instruction.
Move the check for the background region to the same place in the
logic as the equivalent v8M MPUCheck() pseudocode puts it.
This in turn means we must adjust the condition we use to detect
matches in multiple regions to avoid false-positives.
Backports commit cff21316c666c8053b1f425577e324038d0ca30d from qemu
Fortunately, the functions affected are so far only called from SVE,
so there is no tail to be cleared. But as we convert more of AdvSIMD
to gvec, this will matter.
Backports commit d8efe78e8039511b95c23d75bb48eca6873fbb0f from qemu
For same-sign saturation, we have tcg vector operations. We can
compute the QC bit by comparing the saturated value against the
unsaturated value.
Backports commit 89e68b575e138d0af1435f11a8ffcd8779c237bd from qemu
Change the representation of this field such that it is easy
to set from vector code.
Backports commit a4d5846245c5e029e5aa3945a9bda1de1c3fedbf from qemu
Given that we mask bits properly on set, there is no reason
to mask them again on get. We failed to clear the exception
status bits, 0x9f, which means that the wrong value would be
returned on get. Except in the (probably normal) case in which
the set clears all of the bits.
Simplify the code in set to also clear the RES0 bits.
Backports commit 18aaa59c622208743565307668a2100ab24f7de9 from qemu
Minimize the code within a macro by splitting out a helper function.
Use deposit32 instead of manual bit manipulation.
Backports commit 55a889456ef78f3f9b8eae9846c2f1453b1dd77b from qemu
The 32-bit PMIN/PMAX has been decomposed to scalars,
and so can be trivially expanded inline.
Backports commit 9ecd3c5c1651fa7f9adbedff4806a2da0b50490c from qemu