Re: [PATCH] hw/block: m25p80: Fix fast read for SST flashes

2020-12-12 Thread Bin Meng
Hi Francisco,

On Sat, Dec 12, 2020 at 12:11 AM Francisco Iglesias
 wrote:
>
> Hello Bin,
>
> On [2020 Dec 11] Fri 23:29:16, Bin Meng wrote:
> > Hi Francisco,
> >
> > On Fri, Dec 11, 2020 at 11:16 PM Francisco Iglesias
> >  wrote:
> > >
> > > Hello Bin,
> > >
> > > On [2020 Dec 11] Fri 14:07:21, Bin Meng wrote:
> > > > Hi Francisco,
> > > >
> > > > On Fri, Dec 4, 2020 at 7:28 PM Francisco Iglesias
> > > >  wrote:
> > > > >
> > > > > Hello Bin,
> > > > >
> > > > > On [2020 Dec 04] Fri 18:52:50, Bin Meng wrote:
> > > > > > Hi Francisco,
> > > > > >
> > > > > > On Fri, Dec 4, 2020 at 6:46 PM Francisco Iglesias
> > > > > >  wrote:
> > > > > > >
> > > > > > > Hello Bin,
> > > > > > >
> > > > > > > On [2020 Dec 04] Fri 15:52:12, Bin Meng wrote:
> > > > > > > > Hi Francisco,
> > > > > > > >
> > > > > > > > On Thu, Dec 3, 2020 at 4:38 PM Francisco Iglesias
> > > > > > > >  wrote:
> > > > > > > > >
> > > > > > > > > Hi Bin and Alistair,
> > > > > > > > >
> > > > > > > > > On [2020 Dec 02] Wed 11:40:11, Alistair Francis wrote:
> > > > > > > > > > On Sun, Nov 29, 2020 at 6:55 PM Bin Meng 
> > > > > > > > > >  wrote:
> > > > > > > > > > >
> > > > > > > > > > > From: Bin Meng 
> > > > > > > > > > >
> > > > > > > > > > > SST flashes require a dummy byte after the address bits.
> > > > > > > > > > >
> > > > > > > > > > > Signed-off-by: Bin Meng 
> > > > > > > > > >
> > > > > > > > > > I couldn't find a datasheet that says this... But the 
> > > > > > > > > > actual code
> > > > > > > > > > change looks fine, so:
> > > > > > > > > >
> > > > > > > > > > Acked-by: Alistair Francis 
> > > > > > > > > >
> > > > > > > > > > Alistair
> > > > > > > > > >
> > > > > > > > > > > ---
> > > > > > > > > > >
> > > > > > > > > > >  hw/block/m25p80.c | 3 +++
> > > > > > > > > > >  1 file changed, 3 insertions(+)
> > > > > > > > > > >
> > > > > > > > > > > diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
> > > > > > > > > > > index 483925f..9b36762 100644
> > > > > > > > > > > --- a/hw/block/m25p80.c
> > > > > > > > > > > +++ b/hw/block/m25p80.c
> > > > > > > > > > > @@ -825,6 +825,9 @@ static void 
> > > > > > > > > > > decode_fast_read_cmd(Flash *s)
> > > > > > > > > > >  s->needed_bytes = get_addr_length(s);
> > > > > > > > > > >  switch (get_man(s)) {
> > > > > > > > > > >  /* Dummy cycles - modeled with bytes writes instead 
> > > > > > > > > > > of bits */
> > > > > > > > > > > +case MAN_SST:
> > > > > > > > > > > +s->needed_bytes += 1;
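Review bot: the `+= 1` in the new `case MAN_SST:` arm conflicts with the unit the comment directly above this switch gives it. `/* Dummy cycles - modeled with bytes writes instead of bits */` says one dummy clock cycle costs one byte write, so the dummy byte the commit message promises would be `+= 8` under that convention; if 1 is really intended, say so in a comment on the arm and in the commit message, and cite the SST datasheet that requires the dummy byte, since the ack above already notes none was found.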
> > > > > > > > >
> > > > > > > > > 1 dummy clk cycle is modelled as 1 byte write (see the 
> > > > > > > > > comment above), so 1
> > > > > > > > > dummy byte (8 dummy clk cycles) will need +8 above.
> > > > > > > >
> > > > > > > > I think you were confused by the WINBOND codes. The comments are
> > > > > > > > correct. It is modeled with bytes instead of bits, so we should 
> > > > > > > > +=1.
> > > > > > >
> > > > > > > What the comment says is (perhaps not super clear) that 1 dummy
> > > > > > > clock cycle is modeled as one 1-byte write into the flash (meaning
> > > > > > > that 8 byte writes are needed for 1 dummy byte). Perhaps it is
> > > > > > > easier to understand looking into how the controllers issue the
> > > > > > > command towards the flash model (for example the xilinx_spips):
> > > > > > > the start of the FAST_READ cmd is issued as writing the following
> > > > > > > into the flash: 1 byte (cmd), 3 bytes (address), 8 bytes (8 dummy
> > > > > > > cycles -> 1 dummy byte).
> > > > > > >
> > > > > >
> > > > > > My interpretation of the comments are opposite: one cycle is a bit,
> > > > > > but we are not using bits, instead we are using bytes.
> > > > >
> > > > > Yes, the mentioning of 'bits' in the comment makes it not very clear
> > > > > at first read. Maybe just below would have been better:
> > > > >
> > > > > /* Dummy clock cycles - modeled with byte writes */
> > > > >
> > > > > >
> > > > > > Testing shows that +=1 is the correct way with the imx_spi 
> > > > > > controller,
> > > > > > and with my SiFive SPI model in my local tree (not upstreamed yet)
> > > > >
> > > > > Perhaps an option could be to look into how the aspeed_smc,
> > > > > xilinx_spips or the npcm7xx_fiu generate dummy clock cycles and see
> > > > > if a similar solution to one of those could work as well for the
> > > > > imx_spi?
> > > > >
> > > >
> > > > Thanks for pointing this out. So there is some inconsistency among
> > > > different SPI controller modeling.
> > >
> > > I'm not sure I understand you correctly but the controllers supporting
> > > commands with dummy clock cycles can only do it following the modeled
> > > approach, so I would rather say it is pretty consistent across the
> > > controllers (not all controllers support these commands though).
> >
> > I mean there are 2 approaches to emulate the dummy cycles for
>
> There is currently only 1 way of modeling dummy clock cycles. All c
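The two readings of the dummy-cycle convention, as an added C sketch that is not QEMU's m25p80 or any SPI controller code: a toy flash that, like decode_fast_read_cmd(), counts the SST dummy phase in needed_bytes, driven by a controller that clocks either 8 byte transfers per dummy byte (what the thread says xilinx_spips does) or a single one (assumed here for the imx_spi case Bin tested; not checked against its source). The guest only gets the right data when the flash's count and the controller's transfers agree, which is the inconsistency the thread is circling.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Toy SPI NOR flash after the shape of m25p80's FAST_READ path (a sketch, not
 * QEMU code). One byte moves per transfer; after the opcode the flash waits
 * for needed_bytes more transfers (address, then dummy) before streaming data.
 * flash_dummy is what the model adds for the SST dummy byte (the thread argues
 * 1 vs 8); ctrl_dummy is how many transfers the controller clocks for it.
 */
#define FAST_READ 0x0B
#define ADDR_LEN  3
#define MEM_SIZE  64

enum state { STATE_IDLE, STATE_COLLECTING, STATE_READ };

struct flash {
    uint8_t mem[MEM_SIZE];
    enum state st;
    uint8_t addr_bytes[ADDR_LEN];
    int len;           /* transfers seen since the opcode */
    int needed_bytes;  /* address + dummy transfers to wait for */
    uint32_t cur_addr;
    int flash_dummy;
};

void flash_init(struct flash *f, int flash_dummy)
{
    for (int i = 0; i < MEM_SIZE; i++) {
        f->mem[i] = (uint8_t)(0xA0 + i);  /* constructed, recognisable contents */
    }
    f->st = STATE_IDLE;
    f->len = 0;
    f->needed_bytes = 0;
    f->cur_addr = 0;
    f->flash_dummy = flash_dummy;
}

/* One SPI byte transfer: the controller writes tx, the flash returns a byte. */
uint8_t flash_transfer8(struct flash *f, uint8_t tx)
{
    uint8_t r = 0;
    switch (f->st) {
    case STATE_IDLE:
        if (tx == FAST_READ) {
            /* The line the patch changes: += 1 or += 8 after the address. */
            f->needed_bytes = ADDR_LEN + f->flash_dummy;
            f->len = 0;
            f->st = STATE_COLLECTING;
        }
        break;
    case STATE_COLLECTING:
        if (f->len < ADDR_LEN) {
            f->addr_bytes[f->len] = tx;
        }
        f->len++;
        if (f->len == f->needed_bytes) {
            f->cur_addr = ((uint32_t)f->addr_bytes[0] << 16) |
                          ((uint32_t)f->addr_bytes[1] << 8) | f->addr_bytes[2];
            f->st = STATE_READ;  /* data starts on the next transfer */
        }
        break;
    case STATE_READ:
        r = f->mem[f->cur_addr % MEM_SIZE];
        f->cur_addr++;
        break;
    }
    return r;
}

/*
 * Controller side: opcode, 3 address bytes, ctrl_dummy dummy transfers whose
 * returned bytes are discarded, then the first data transfer. Returns the byte
 * the controller would hand to the guest as data[0].
 */
uint8_t first_data_byte(int flash_dummy, int ctrl_dummy, uint32_t addr)
{
    struct flash f;

    flash_init(&f, flash_dummy);
    flash_transfer8(&f, FAST_READ);
    flash_transfer8(&f, (addr >> 16) & 0xff);
    flash_transfer8(&f, (addr >> 8) & 0xff);
    flash_transfer8(&f, addr & 0xff);
    for (int i = 0; i < ctrl_dummy; i++) {
        flash_transfer8(&f, 0);
    }
    return flash_transfer8(&f, 0);
}

int main(void)
{
    /* The byte at 0x10 is 0xB0; only matching conventions return it. */
    printf("flash +8, ctrl 8: 0x%02x\n", first_data_byte(8, 8, 0x10));
    printf("flash +1, ctrl 8: 0x%02x (7 bytes skipped)\n", first_data_byte(1, 8, 0x10));
    printf("flash +8, ctrl 1: 0x%02x (still collecting)\n", first_data_byte(8, 1, 0x10));
    return 0;
}
```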

Re: [PATCH 3/4] default-configs: Support o32 ABI with 64-bit MIPS CPUs

2020-12-12 Thread Fredrik Noring
Hi Philippe,

[ My apologies for the late reply, somehow this thread was treated as spam. ]

On Thu, Nov 19, 2020 at 06:13:20PM +0100, Philippe Mathieu-Daudé wrote:
> Hi Maciej,
> 
> On 11/19/20 5:45 PM, Maciej W. Rozycki wrote:
> > On Thu, 19 Nov 2020, Philippe Mathieu-Daudé wrote:
> > 
> >> MIPS o32 ABI on 64-bit CPUs looks like a ILP32-on-64bit data
> >> model, allowing 64-bit arithmetic and data movement instructions.
> >>
> >> This is the default ABI used by the "Sony Linux Toolkit for
> >> Playstation 2".
> > 
> >  Please don't, not at least with a generic configuration (i.e. make it 
> > unambiguous that this is R5900-specific).  This only works with R5900 
> > because it does not implement the MIPS ISA correctly (e.g. see what $ra is 
> > set to with JAL/JALR/etc. in the kernel mode), and it is not supported by 
> > the standard Linux ABI.  Use n32 instead, which has the same functionality 
> > and is standard (and is also a better ABI in terms of performance).
> 
> I think there are 2 different interests with the R5900. Fredrik sent a
> series to run recent userland/kernel on a PS2. For QEMU, it would be
> easier if these used the n32 ABI indeed.

Modern (4.x and 5.x) R5900 Linux kernels only support o32, due to R5900
complications with n32. The plan is to reintroduce n32 once o32 is usable.
The R5900 MMI set is another complication for both ABIs (not mentioning
its vector coprocessors).

> This series allows me to run unmodified binaries from the PS2 (built
> maybe 20 years ago, apparently for a kernel 2.2).

Programs in the Debian Black Rhino distribution? I have the impression that
there are at least some R5900 specific instructions in some of them, no?

The 2.x R5900 Linux kernel does (to some degree) support both o32 and n32,
but the implementation had to be reworked (almost entirely) to update it
through Linux 3.x, 4.x and 5.x, and n32 was provisionally dropped to
simplify this. The GNU C library will have to be updated for n32 too.

I'm presently implementing device drivers that involve the companion
MIPS 3000A I/O processor.

> >  You'd probably need to implement all the R5900 addressing quirks for your 
> > proposed hack to match hardware, or otherwise you'll end up with emulation 
> > that creates its own reality.
> 
> QEMU doesn't model well non-MIPS32 ISA, so the R5900 needs work indeed.
> 
> Laurent, maybe instead of 'mips64o32el-linux-user' we can call this
> target 'r5900o32-linux-user', 'ps2-linux-user' or even 'r5900-ps2-user'
> as Maciej said "it is not supported by the standard Linux ABI."

Would "ps2" in the name imply emulating all PlayStation 2 hardware, as
opposed to "r5900" that is only its main processor? There are also two
interesting vector coprocessors (VPU0 and VPU1) to go with it. :)

> Also I'll see to mark it deprecated so it isn't built by default.

Presently o32 is the main use case for modern 5.x R5900 Linux, and so
regardless of deprecation I have a copy of QEMU supporting it here:

https://github.com/frno7/qemu

We are building modern Gentoo Linux for the R5900, as described in

https://github.com/frno7/linux/issues/33

where R5900 QEMU having o32 is a requirement.

Fredrik



[PATCH] libvhost-user: add a link-static option

2020-12-12 Thread marcandre . lureau
From: Marc-André Lureau 

Fix linking vhost-user binaries with ./configure -static.

Fixes: 0df750e9d3a5fea5e1 ("libvhost-user: make it a meson subproject")
Reported-by: Peter Maydell 
Signed-off-by: Marc-André Lureau 
---
 configure   | 1 +
 subprojects/libvhost-user/meson.build   | 3 ++-
 subprojects/libvhost-user/meson_options.txt | 5 +
 3 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 subprojects/libvhost-user/meson_options.txt

diff --git a/configure b/configure
index 18c26e0389..465f7bb150 100755
--- a/configure
+++ b/configure
@@ -7014,6 +7014,7 @@ NINJA=$ninja $meson setup \
 -Diconv=$iconv -Dcurses=$curses -Dlibudev=$libudev\
 -Ddocs=$docs -Dsphinx_build=$sphinx_build -Dinstall_blobs=$blobs \
 -Dvhost_user_blk_server=$vhost_user_blk_server \
+-Dlibvhost-user:link-static=$(if test "$static" = yes; then echo true; 
else echo false; fi) \
 $cross_arg \
 "$PWD" "$source_path"
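Review bot: the inline `$(if test "$static" = yes; then echo true; else echo false; fi)` makes the meson setup invocation hard to read and, as this mail shows, easy to line-wrap; compute the value once before the call (for example `link_static=false; test "$static" = yes && link_static=true`) and pass `-Dlibvhost-user:link-static=$link_static`. The new option also spells its name with a hyphen while the neighbouring options in the same invocation (`vhost_user_blk_server`, `install_blobs`, `sphinx_build`) use underscores; one spelling for the subproject option would be tidier.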
 
diff --git a/subprojects/libvhost-user/meson.build 
b/subprojects/libvhost-user/meson.build
index c5d85c11d7..5a9cc8675e 100644
--- a/subprojects/libvhost-user/meson.build
+++ b/subprojects/libvhost-user/meson.build
@@ -2,7 +2,8 @@ project('libvhost-user', 'c',
 license: 'GPL-2.0-or-later',
 default_options: ['c_std=gnu99'])
 
-glib = dependency('glib-2.0')
+link_static = get_option('link-static')
+glib = dependency('glib-2.0', static: link_static)
 inc = include_directories('../../include', '../../linux-headers')
 
 vhost_user = static_library('vhost-user',
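Review bot: the option only changes how `glib-2.0` is resolved (`dependency('glib-2.0', static: link_static)`), while `vhost_user` is produced by `static_library()` regardless, so `link-static` reads as if it toggled the library's own linkage. A comment on the `glib =` line saying that the option selects a static glib so the vhost-user binaries can be fully static, or a name such as `static-glib`, would avoid that confusion.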
diff --git a/subprojects/libvhost-user/meson_options.txt 
b/subprojects/libvhost-user/meson_options.txt
new file mode 100644
index 00..03fe088e36
--- /dev/null
+++ b/subprojects/libvhost-user/meson_options.txt
@@ -0,0 +1,5 @@
+option('link-static',
+  type: 'boolean',
+  value: false,
+)
+
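Review bot: the new `option('link-static', ...)` carries no `description:`, which is what `meson configure` shows to whoever is deciding whether to set it; add one stating that it requests static dependencies for the vhost-user binaries. The final `+` line also adds an empty trailing line to the new file that serves no purpose.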
-- 
2.29.0




RE: [PATCH 12/12] configure: Compile with -Wimplicit-fallthrough=2

2020-12-12 Thread Chenqun (kuhn)
> -Original Message-
> From: Thomas Huth [mailto:th...@redhat.com]
> Sent: Friday, December 11, 2020 11:24 PM
> To: Peter Maydell ; qemu-devel@nongnu.org
> Cc: Chenqun (kuhn) ; Richard Henderson
> ; Paolo Bonzini 
> Subject: [PATCH 12/12] configure: Compile with -Wimplicit-fallthrough=2
> 
> Coverity always complains about switch-case statements that fall through to
> the next one when there is no comment in between - which could indicate a
> forgotten "break" statement. Instead of handling these issues after they have
> been committed, it would be better to avoid them in the build process already.
> Thus let's enable the -Wimplicit-fallthrough warning now.
> 
> Signed-off-by: Thomas Huth 

Reviewed-by: Chen Qun 

Good job, we'll never see such warnings again.

Thanks,
Chen Qun
> ---
>  configure | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/configure b/configure
> index 18c26e0389..dc2bc3c2f0 100755
> --- a/configure
> +++ b/configure
> @@ -2007,6 +2007,7 @@ add_to warn_flags -Wempty-body  add_to
> warn_flags -Wnested-externs  add_to warn_flags -Wendif-labels  add_to
> warn_flags -Wexpansion-to-defined
> +add_to warn_flags -Wimplicit-fallthrough=2
> 
>  nowarn_flags=
>  add_to nowarn_flags -Wno-initializer-overrides
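Review bot: `-Wimplicit-fallthrough=2` is the GCC spelling with a level suffix; the commit message should say whether `add_to warn_flags` probes the flag before it is used, since not every supported compiler accepts the `=N` form, and which comment patterns level 2 recognises, so that the existing fall-through annotations in the tree are known to satisfy it rather than turning into new warnings.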
> --
> 2.27.0




Re: [PATCH] hw/block: m25p80: Fix fast read for SST flashes

2020-12-12 Thread Francisco Iglesias
Hi Bin,

On [2020 Dec 12] Sat 16:16:59, Bin Meng wrote:
> Hi Francisco,
> 
> On Sat, Dec 12, 2020 at 12:11 AM Francisco Iglesias
>  wrote:
> >
> > Hello Bin,
> >
> > On [2020 Dec 11] Fri 23:29:16, Bin Meng wrote:
> > > Hi Francisco,
> > >
> > > On Fri, Dec 11, 2020 at 11:16 PM Francisco Iglesias
> > >  wrote:
> > > >
> > > > Hello Bin,
> > > >
> > > > On [2020 Dec 11] Fri 14:07:21, Bin Meng wrote:
> > > > > Hi Francisco,
> > > > >
> > > > > On Fri, Dec 4, 2020 at 7:28 PM Francisco Iglesias
> > > > >  wrote:
> > > > > >
> > > > > > Hello Bin,
> > > > > >
> > > > > > On [2020 Dec 04] Fri 18:52:50, Bin Meng wrote:
> > > > > > > Hi Francisco,
> > > > > > >
> > > > > > > On Fri, Dec 4, 2020 at 6:46 PM Francisco Iglesias
> > > > > > >  wrote:
> > > > > > > >
> > > > > > > > Hello Bin,
> > > > > > > >
> > > > > > > > On [2020 Dec 04] Fri 15:52:12, Bin Meng wrote:
> > > > > > > > > Hi Francisco,
> > > > > > > > >
> > > > > > > > > On Thu, Dec 3, 2020 at 4:38 PM Francisco Iglesias
> > > > > > > > >  wrote:
> > > > > > > > > >
> > > > > > > > > > Hi Bin and Alistair,
> > > > > > > > > >
> > > > > > > > > > On [2020 Dec 02] Wed 11:40:11, Alistair Francis wrote:
> > > > > > > > > > > On Sun, Nov 29, 2020 at 6:55 PM Bin Meng 
> > > > > > > > > > >  wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > From: Bin Meng 
> > > > > > > > > > > >
> > > > > > > > > > > > SST flashes require a dummy byte after the address bits.
> > > > > > > > > > > >
> > > > > > > > > > > > Signed-off-by: Bin Meng 
> > > > > > > > > > >
> > > > > > > > > > > I couldn't find a datasheet that says this... But the 
> > > > > > > > > > > actual code
> > > > > > > > > > > change looks fine, so:
> > > > > > > > > > >
> > > > > > > > > > > Acked-by: Alistair Francis 
> > > > > > > > > > >
> > > > > > > > > > > Alistair
> > > > > > > > > > >
> > > > > > > > > > > > ---
> > > > > > > > > > > >
> > > > > > > > > > > >  hw/block/m25p80.c | 3 +++
> > > > > > > > > > > >  1 file changed, 3 insertions(+)
> > > > > > > > > > > >
> > > > > > > > > > > > diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
> > > > > > > > > > > > index 483925f..9b36762 100644
> > > > > > > > > > > > --- a/hw/block/m25p80.c
> > > > > > > > > > > > +++ b/hw/block/m25p80.c
> > > > > > > > > > > > @@ -825,6 +825,9 @@ static void 
> > > > > > > > > > > > decode_fast_read_cmd(Flash *s)
> > > > > > > > > > > >  s->needed_bytes = get_addr_length(s);
> > > > > > > > > > > >  switch (get_man(s)) {
> > > > > > > > > > > >  /* Dummy cycles - modeled with bytes writes 
> > > > > > > > > > > > instead of bits */
> > > > > > > > > > > > +case MAN_SST:
> > > > > > > > > > > > +s->needed_bytes += 1;
> > > > > > > > > >
> > > > > > > > > > 1 dummy clk cycle is modelled as 1 byte write (see the 
> > > > > > > > > > comment above), so 1
> > > > > > > > > > dummy byte (8 dummy clk cycles) will need +8 above.
> > > > > > > > >
> > > > > > > > > I think you were confused by the WINBOND codes. The comments 
> > > > > > > > > are
> > > > > > > > > correct. It is modeled with bytes instead of bits, so we 
> > > > > > > > > should +=1.
> > > > > > > >
> > > > > > > > What the comment says is (perhaps not super clear) that 1 dummy
> > > > > > > > clock cycle is modeled as one 1-byte write into the flash
> > > > > > > > (meaning that 8 byte writes are needed for 1 dummy byte). Perhaps
> > > > > > > > it is easier to understand looking into how the controllers issue
> > > > > > > > the command towards the flash model (for example the
> > > > > > > > xilinx_spips): the start of the FAST_READ cmd is issued as
> > > > > > > > writing the following into the flash: 1 byte (cmd), 3 bytes
> > > > > > > > (address), 8 bytes (8 dummy cycles -> 1 dummy byte).
> > > > > > > >
> > > > > > >
> > > > > > > My interpretation of the comments are opposite: one cycle is a 
> > > > > > > bit,
> > > > > > > but we are not using bits, instead we are using bytes.
> > > > > >
> > > > > > Yes, the mentioning of 'bits' in the comment makes it not very
> > > > > > clear at first read. Maybe just below would have been better:
> > > > > >
> > > > > > /* Dummy clock cycles - modeled with byte writes */
> > > > > >
> > > > > > >
> > > > > > > Testing shows that +=1 is the correct way with the imx_spi 
> > > > > > > controller,
> > > > > > > and with my SiFive SPI model in my local tree (not upstreamed yet)
> > > > > >
> > > > > > Perhaps an option could be to look into how the aspeed_smc,
> > > > > > xilinx_spips or the npcm7xx_fiu generate dummy clock cycles and see
> > > > > > if a similar solution to one of those could work as well for the
> > > > > > imx_spi?
> > > > > >
> > > > >
> > > > > Thanks for pointing this out. So there is some inconsistency among
> > > > > different SPI controller modeling.
> > > >
> > > > I'm not sure I understand you correctly but the controllers supporting
> > > > commands with dummy

Re: [PATCH v11 05/25] i386: move whpx accel files into whpx/

2020-12-12 Thread Claudio Fontana
On 12/11/20 9:41 PM, Eduardo Habkost wrote:
> On Fri, Dec 11, 2020 at 09:31:23AM +0100, Claudio Fontana wrote:
>> Signed-off-by: Claudio Fontana 
>> Reviewed-by: Alex Bennée 
>> ---
>>  target/i386/{ => whpx}/whp-dispatch.h | 0
>>  target/i386/{ => whpx}/whpx-cpus.h| 0
>>  target/i386/{ => whpx}/whpx-all.c | 0
>>  target/i386/{ => whpx}/whpx-cpus.c| 0
>>  MAINTAINERS   | 5 +
>>  target/i386/meson.build   | 5 +
>>  target/i386/whpx/meson.build  | 4 
>>  7 files changed, 6 insertions(+), 8 deletions(-)
>>  rename target/i386/{ => whpx}/whp-dispatch.h (100%)
>>  rename target/i386/{ => whpx}/whpx-cpus.h (100%)
>>  rename target/i386/{ => whpx}/whpx-all.c (100%)
>>  rename target/i386/{ => whpx}/whpx-cpus.c (100%)
>>  create mode 100644 target/i386/whpx/meson.build
>>
> 
> Unfortunately this conflicts with commit faf20793b5af ("WHPX:
> support for the kernel-irqchip on/off") and needs to be redone.
> 

Hi Eduardo, I saw some conflict yesterday yes, it's minor, np.

Ciao,

Claudio



Re: [PATCH] hw/block: m25p80: Fix fast read for SST flashes

2020-12-12 Thread Bin Meng
Hi Francisco,

On Sat, Dec 12, 2020 at 5:24 PM Francisco Iglesias
 wrote:
>
> Hi bin,
>
> On [2020 Dec 12] Sat 16:16:59, Bin Meng wrote:
> > Hi Francisco,
> >
> > On Sat, Dec 12, 2020 at 12:11 AM Francisco Iglesias
> >  wrote:
> > >
> > > Hello Bin,
> > >
> > > On [2020 Dec 11] Fri 23:29:16, Bin Meng wrote:
> > > > Hi Francisco,
> > > >
> > > > On Fri, Dec 11, 2020 at 11:16 PM Francisco Iglesias
> > > >  wrote:
> > > > >
> > > > > Hello Bin,
> > > > >
> > > > > On [2020 Dec 11] Fri 14:07:21, Bin Meng wrote:
> > > > > > Hi Francisco,
> > > > > >
> > > > > > On Fri, Dec 4, 2020 at 7:28 PM Francisco Iglesias
> > > > > >  wrote:
> > > > > > >
> > > > > > > Hello Bin,
> > > > > > >
> > > > > > > On [2020 Dec 04] Fri 18:52:50, Bin Meng wrote:
> > > > > > > > Hi Francisco,
> > > > > > > >
> > > > > > > > On Fri, Dec 4, 2020 at 6:46 PM Francisco Iglesias
> > > > > > > >  wrote:
> > > > > > > > >
> > > > > > > > > Hello Bin,
> > > > > > > > >
> > > > > > > > > On [2020 Dec 04] Fri 15:52:12, Bin Meng wrote:
> > > > > > > > > > Hi Francisco,
> > > > > > > > > >
> > > > > > > > > > On Thu, Dec 3, 2020 at 4:38 PM Francisco Iglesias
> > > > > > > > > >  wrote:
> > > > > > > > > > >
> > > > > > > > > > > Hi Bin and Alistair,
> > > > > > > > > > >
> > > > > > > > > > > On [2020 Dec 02] Wed 11:40:11, Alistair Francis wrote:
> > > > > > > > > > > > On Sun, Nov 29, 2020 at 6:55 PM Bin Meng 
> > > > > > > > > > > >  wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > From: Bin Meng 
> > > > > > > > > > > > >
> > > > > > > > > > > > > SST flashes require a dummy byte after the address 
> > > > > > > > > > > > > bits.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Signed-off-by: Bin Meng 
> > > > > > > > > > > >
> > > > > > > > > > > > I couldn't find a datasheet that says this... But the 
> > > > > > > > > > > > actual code
> > > > > > > > > > > > change looks fine, so:
> > > > > > > > > > > >
> > > > > > > > > > > > Acked-by: Alistair Francis 
> > > > > > > > > > > >
> > > > > > > > > > > > Alistair
> > > > > > > > > > > >
> > > > > > > > > > > > > ---
> > > > > > > > > > > > >
> > > > > > > > > > > > >  hw/block/m25p80.c | 3 +++
> > > > > > > > > > > > >  1 file changed, 3 insertions(+)
> > > > > > > > > > > > >
> > > > > > > > > > > > > diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
> > > > > > > > > > > > > index 483925f..9b36762 100644
> > > > > > > > > > > > > --- a/hw/block/m25p80.c
> > > > > > > > > > > > > +++ b/hw/block/m25p80.c
> > > > > > > > > > > > > @@ -825,6 +825,9 @@ static void 
> > > > > > > > > > > > > decode_fast_read_cmd(Flash *s)
> > > > > > > > > > > > >  s->needed_bytes = get_addr_length(s);
> > > > > > > > > > > > >  switch (get_man(s)) {
> > > > > > > > > > > > >  /* Dummy cycles - modeled with bytes writes 
> > > > > > > > > > > > > instead of bits */
> > > > > > > > > > > > > +case MAN_SST:
> > > > > > > > > > > > > +s->needed_bytes += 1;
> > > > > > > > > > >
> > > > > > > > > > > 1 dummy clk cycle is modelled as 1 byte write (see the 
> > > > > > > > > > > comment above), so 1
> > > > > > > > > > > dummy byte (8 dummy clk cycles) will need +8 above.
> > > > > > > > > >
> > > > > > > > > > I think you were confused by the WINBOND codes. The 
> > > > > > > > > > comments are
> > > > > > > > > > correct. It is modeled with bytes instead of bits, so we 
> > > > > > > > > > should +=1.
> > > > > > > > >
> > > > > > > > > What the comment says is (perhaps not super clear) that 1
> > > > > > > > > dummy clock cycle is modeled as one 1-byte write into the
> > > > > > > > > flash (meaning that 8 byte writes are needed for 1 dummy
> > > > > > > > > byte). Perhaps it is easier to understand looking into how
> > > > > > > > > the controllers issue the command towards the flash model
> > > > > > > > > (for example the xilinx_spips): the start of the FAST_READ
> > > > > > > > > cmd is issued as writing the following into the flash:
> > > > > > > > > 1 byte (cmd), 3 bytes (address), 8 bytes (8 dummy cycles ->
> > > > > > > > > 1 dummy byte).
> > > > > > > > >
> > > > > > > >
> > > > > > > > My interpretation of the comments are opposite: one cycle is a 
> > > > > > > > bit,
> > > > > > > > but we are not using bits, instead we are using bytes.
> > > > > > >
> > > > > > > Yes, the mentioning of 'bits' in the comment makes it not very
> > > > > > > clear at first read. Maybe just below would have been better:
> > > > > > >
> > > > > > > /* Dummy clock cycles - modeled with byte writes */
> > > > > > >
> > > > > > > >
> > > > > > > > Testing shows that +=1 is the correct way with the imx_spi 
> > > > > > > > controller,
> > > > > > > > and with my SiFive SPI model in my local tree (not upstreamed 
> > > > > > > > yet)
> > > > > > >
> > > > > > > Perhaps an option could be to look into how the aspeed_smc, 
> > > > > > > xilinx_spips or the
> > > > > > > npcm7xx_fiu generate dummy cl

Re: [PATCH v11 18/25] cpu: Move synchronize_from_tb() to tcg_ops

2020-12-12 Thread Claudio Fontana
On 12/11/20 9:02 PM, Eduardo Habkost wrote:
> On Fri, Dec 11, 2020 at 07:51:54PM +0100, Claudio Fontana wrote:
>> On 12/11/20 7:26 PM, Philippe Mathieu-Daudé wrote:
>>> On 12/11/20 7:22 PM, Richard Henderson wrote:
>>>> On 12/11/20 12:15 PM, Claudio Fontana wrote:
>>>>> Should I return this file to the original state (without the extra
>>>>> #includes that make it pretend to be a standalone header file,
>>>>> and call it
>>>>>
>>>>> tcg-cpu-ops.h.inc
>>>>>
>>>>> ?
>>>>
>>>> If this header can work with qemu/typedefs.h, then no, because the
>>>> circularity has been resolved.  Otherwise, yes.
>>>
>>> My editor got confused with TranslationBlock, which is why I asked
>>> to include its declaration.
>>>
>>> Easier to forward-declare TranslationBlock in qemu/typedefs.h?
>>>
>>> Regards,
>>>
>>> Phil.
>>>
>>
>> Hello Philippe,
>>
>> OK, you propose to move the existing fwd declaration of TranslationBlock from
>> cpu.h to qemu/typedefs.h.
> 
> It seems simpler to just add a
> 
> typedef struct TranslationBlock TranslationBlock;
> 
> line to tcg-cpu-ops.h.
> 
> Or, an even simpler solution: just use `struct TranslationBlock`
> instead of `TranslationBlock` in the declarations being moved to
> tcg-cpu-ops.h.
> 
> We don't need to move declarations to typedefs.h anymore, because
> now the compilers we support don't warn about typedef
> redefinitions:
> https://lore.kernel.org/qemu-devel/20200914134636.gz1618...@habkost.net/
> 
> 
>>
>> And what about #include "exec/memattrs.h"?
>>
>> I assume you propose to put struct MemTxAttrs there as a fwd declaration too,
> 
> This can't be done, because MemTxAttrs can't be an incomplete
> type in the code you are moving (the methods get a MemTxAttrs
> value, not a pointer).



I'm confused now on what we are trying to do: if we want the file to be a 
"proper header" or just a TCG-ops-only convenience split of cpu.h.

I thought that we were only solving a highlighting issue in some editor 
(Philippe),
and I wonder if these changes in qemu/typedef.h help with that?

I tried adding both to qemu/typedef.h, and since cpu.h is the only user of the 
file, and it already includes memattrs.h, everything is fine.

But here maybe you are proposing to make it a regular header, and include this 
instead of just hw/core/cpu.h in the targets?

I am thinking whether it is the case to scrap this whole mess, make TCGCPUOps a 
pointer in CPUClass, and in the targets say for example:

#include "tcg-cpu-ops.h"

...

+static struct TCGCPUOps cris_tcg_ops = {
+.initialize = cris_initialize_tcg,
+};
+
 static void cris_cpu_class_init(ObjectClass *oc, void *data)
 {
 DeviceClass *dc = DEVICE_CLASS(oc);
@@ -284,7 +292,7 @@ static void cris_cpu_class_init(ObjectClass *oc, void *data)
 cc->gdb_stop_before_watchpoint = true;
 
 cc->disas_set_info = cris_disas_set_info;
-cc->tcg_ops.initialize = cris_initialize_tcg;
+cc->tcg_ops = &cris_tcg_ops;
 }


What do you all think of this?

Thanks,

Claudio


> 
>>
>> and this concludes our experiment here?
>>
>> Thanks,
>>
>> Claudio
>>
> 




Re: [Qemu-devel] [PULL 8/8] target/mips: Preparing for adding MMI instructions

2020-12-12 Thread Fredrik Noring
On Fri, Nov 13, 2020 at 10:39:42AM +0100, Philippe Mathieu-Daudé wrote:
> On 2/27/19 3:00 PM, Aleksandar Markovic wrote:
> > From: Mateja Marjanovic 
> > 
> > Set up MMI code to be compiled only for TARGET_MIPS64. This is
> > needed so that GPRs are 64 bit, and combined with MMI registers,
> > they will form full 128 bit registers.
> > 
> > Signed-off-by: Mateja Marjanovic 
> > Signed-off-by: Aleksandar Markovic 
> > Reviewed-by: Aleksandar Rikalo 
> > Message-Id: <1551183797-13570-2-git-send-email-mateja.marjano...@rt-rk.com>
> > ---
> >  target/mips/translate.c | 43 +--
> >  1 file changed, 41 insertions(+), 2 deletions(-)
> ...
> 
> >  static void decode_opc_special3(CPUMIPSState *env, DisasContext *ctx)
> >  {
> >  int rs, rt, rd, sa;
> > @@ -28796,10 +28828,11 @@ static void decode_opc(CPUMIPSState *env, 
> > DisasContext *ctx)
> >  decode_opc_special(env, ctx);
> >  break;
> >  case OPC_SPECIAL2:
> > +#if defined(TARGET_MIPS64)
> >  if ((ctx->insn_flags & INSN_R5900) && (ctx->insn_flags & ASE_MMI)) 
> > {
> >  decode_mmi(env, ctx);
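Review bot: wrapping the whole `case OPC_SPECIAL2:` dispatch in `#if defined(TARGET_MIPS64)` changes what 32-bit builds decode, not only whether the MMI helpers get compiled; the quoted fragment ends before the `#else`, so the commit message should state what a 32-bit target now does for SPECIAL2 opcodes. Guarding only the 128-bit parts inside `decode_mmi()` would keep the common SPECIAL2 instructions decoded on every target.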
> 
> This change is incorrect, you removed support for the
> MADD[U] and MULT[U] instructions on TXx9 32-bit targets
> (TX79 still works).

The 128-bit MMIs and R5900 specific registers are always valid on R5900
hardware regardless of 32- and 64-bit operation modes[1]. CP0.Status.UX
isn't implemented[2]. In other MIPS ISA implementations, attempting to
execute 64-bit operations in 32-bit user or supervisor mode may cause a
reserved instruction exception.

It would be wise to limit any R5900 specific psABIs, while permitting
useful features such as the MMIs. GCC emits MULT[U] for R5900 o32.

Fredrik

References:

[1] "EE Core User's Manual", version 6.0, Sony Computer Entertainment Inc.,
p. 107.

[2] "TX System RISC TX79 Core Architecture" manual, revision 2.0,
Toshiba Corporation, p. 4-16, https://wiki.qemu.org/File:C790.pdf



Re: [Qemu-devel] [PULL v2 12/12] target/mips: Introduce 32 R5900 multimedia registers

2020-12-12 Thread Fredrik Noring
On Sat, Nov 14, 2020 at 07:23:10PM +0100, Philippe Mathieu-Daudé wrote:
> Hi Fredrik and Aleksandar,
> 
> On Fri, Jan 18, 2019 at 6:10 PM Aleksandar Markovic
>  wrote:
> >
> > From: Fredrik Noring 
> >
> > The 32 R5900 128-bit registers are split into two 64-bit halves:
> > the lower halves are the GPRs and the upper halves are accessible
> > by the R5900-specific multimedia instructions.
> >
> > Reviewed-by: Aleksandar Markovic 
> > Signed-off-by: Fredrik Noring 
> > Signed-off-by: Aleksandar Markovic 
> > ---
> >  target/mips/cpu.h   |  3 +++
> >  target/mips/translate.c | 16 
> >  2 files changed, 19 insertions(+)
> >
> > diff --git a/target/mips/cpu.h b/target/mips/cpu.h
> > index 21daf50..c4da7df 100644
> > --- a/target/mips/cpu.h
> > +++ b/target/mips/cpu.h
> > @@ -429,6 +429,9 @@ struct TCState {
> >
> >  float_status msa_fp_status;
> >
> > +/* Upper 64-bit MMRs (multimedia registers); the lower 64-bit are GPRs 
> > */
> > +uint64_t mmr[32];
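Review bot: `uint64_t mmr[32]` is new guest-visible CPU state in `TCState`, yet the diffstat touches only `cpu.h` and `translate.c`. Every field of CPU state also has to be described in the target's VMState so save/restore and migration carry it; a field that is not migrated is silently zeroed on the destination. Add the matching vmstate entry (with a version bump or a subsection) in the same patch.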
> 
> FYI using MMI then migrating fails because these registers are not migrated.

We can postpone the R5900 MMIs, in my opinion, because they are not (yet)
supported by modern 5.x R5900 Linux kernels anyway. The details of R5900
psABIs having them need to be sorted out too.

Fredrik



Re: [PATCH 5/8] hw/ppc/sam460ex: Drop use of ppcuic_init()

2020-12-12 Thread Peter Maydell
On Sat, 12 Dec 2020 at 17:17, BALATON Zoltan  wrote:
>
> On Sat, 12 Dec 2020, Peter Maydell wrote:
> > Switch the sam460ex board to directly creating and configuring the
> > UIC, rather than doing it via the old ppcuic_init() helper function.
> >
> > Signed-off-by: Peter Maydell 
> > ---
> > hw/ppc/sam460ex.c | 70 ---
> > 1 file changed, 54 insertions(+), 16 deletions(-)
>
> More than 3 times as much as before, qdev seems to be overly verbose and
> less readable but if that's the preferred way then be it.

Yeah, the boilerplate is sometimes a bit clunky; but the benefits
come from devices all behaving in the same way, being introspectable,
having support for things like VM state save/load, etc.

> > diff --git a/hw/ppc/sam460ex.c b/hw/ppc/sam460ex.c
> > index 14e6583eb0d..9cf7aad3833 100644
> > --- a/hw/ppc/sam460ex.c
> > +++ b/hw/ppc/sam460ex.c
> > @@ -39,6 +39,7 @@
> > #include "hw/usb/hcd-ehci.h"
> > #include "hw/ppc/fdt.h"
> > #include "hw/qdev-properties.h"
> > +#include "hw/intc/ppc-uic.h"
> >
> > #include 
> >
> > @@ -281,7 +282,6 @@ static void sam460ex_init(MachineState *machine)
> > hwaddr ram_bases[SDRAM_NR_BANKS] = {0};
> > hwaddr ram_sizes[SDRAM_NR_BANKS] = {0};
> > MemoryRegion *l2cache_ram = g_new(MemoryRegion, 1);
> > -qemu_irq *irqs, *uic[4];
> > PCIBus *pci_bus;
> > PowerPCCPU *cpu;
> > CPUPPCState *env;
> > @@ -293,6 +293,9 @@ static void sam460ex_init(MachineState *machine)
> > struct boot_info *boot_info;
> > uint8_t *spd_data;
> > int success;
> > +qemu_irq mal_irqs[4];
> > +DeviceState *uic[4];
> > +int i;
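Review bot: the `4` in `qemu_irq mal_irqs[4]` duplicates the `4` passed to `ppc4xx_mal_init(env, 4, 16, ...)` later in the same function; give it a name, or derive the call argument from `ARRAY_SIZE(mal_irqs)`, so the two cannot drift apart.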
>
> Maybe keep this where it was above instead of moving to the end and keep
> DeviceState *uic[4]; first so the two others that would be removed later
> are next to each other (just to make patches simpler and keep the order of
> variables which may be roughly as they appear below).

Sure, I can do that.

> > cpu = POWERPC_CPU(cpu_create(machine->cpu_type));
> > env = &cpu->env;
> > @@ -312,13 +315,35 @@ static void sam460ex_init(MachineState *machine)
> > ppc4xx_plb_init(env);
> >
> > /* interrupt controllers */
> > -irqs = g_new0(qemu_irq, PPCUIC_OUTPUT_NB);
> > -irqs[PPCUIC_OUTPUT_INT] = ((qemu_irq 
> > *)env->irq_inputs)[PPC40x_INPUT_INT];
> > -irqs[PPCUIC_OUTPUT_CINT] = ((qemu_irq 
> > *)env->irq_inputs)[PPC40x_INPUT_CINT];
>
> Unrelated to this, but I wonder why we need these casts? Could we just
> define env->irq_inputs as qemu_irq array in the first place? It's now void
> ** which according to the comment next to it may be because once it may
> have been used for different implementations but by now maybe it's only
> used for what its name implies? I haven't checked though if it could be
> cleaned up, just raising it if anyone's interested to have a look, as there
> are such casts at a lot of other places too.

I mentioned this in the cover letter. The irq_inputs stuff seems
to be an old workaround for not being able to have gpio inputs
to the CPU object. Now that CPUs inherit from TYPE_DEVICE, they
can just create gpio inputs like any other device, and this
code would be able to wire them up without having to dig into
the internals of the CPUPPCState structure.

> > -uic[0] = ppcuic_init(env, irqs, 0xc0, 0, 1);
> > -uic[1] = ppcuic_init(env, &uic[0][30], 0xd0, 0, 1);
> > -uic[2] = ppcuic_init(env, &uic[0][10], 0xe0, 0, 1);
> > -uic[3] = ppcuic_init(env, &uic[0][16], 0xf0, 0, 1);
> > +for (i = 0; i < ARRAY_SIZE(uic); i++) {
> > +SysBusDevice *sbd;
>
> There's already a SysBusDevice *sbdev; defined for similar cases that you
> could reuse here.
>
> > +/*
> > + * Number of the first of the two consecutive IRQ inputs on UIC 0
> > + * to connect the INT and CINT outputs of UIC n to. The entry
>
> This comment confused me a bit, while it's precise is it possible to say
> it in a simpler way? I think these are how uic[1-3] are cascaded through
> uic[0] similar to how the PICs in a PC are cascaded.

Yes, it's the cascading -- it's saying "which inputs on UIC 0 should
UIC n's outputs connect to". What would be a helpful way to phrase
this more clearly?

> > + * for UIC 0 is ignored, because it connects to the CPU.
> > + */
> > +const int input_ints[] = { -1, 30, 10, 16 };
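Review bot: `input_ints` is a loop-invariant lookup table but is declared inside the `for` body, so it is re-declared on every pass; hoist it above the loop as `static const int input_ints[] = { -1, 30, 10, 16 };` and index it with `i`, which also puts the `-1` placeholder for UIC 0 right next to the `ARRAY_SIZE(uic)` bound it has to stay in step with. Because the loop iterates over `uic` while the table has its own length, a `QEMU_BUILD_BUG_ON(ARRAY_SIZE(input_ints) != ARRAY_SIZE(uic))` (or deriving one size from the other) would catch the two drifting apart if a fifth UIC is ever added.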

> > /* MAL */
> > -ppc4xx_mal_init(env, 4, 16, &uic[2][3]);
> > +/*
> > + * TODO if the MAL were a proper QOM device we would not need to
> > + * copy its qemu_irqs into an array for ppc4xx_mal_init()'s benefit.
> > + */
>
> It's not a todo for sam460ex so maybe put it in the file where mal is if
> you want to note it somewhere? (Other sites using the mal may also need
> updating not just this one when this is cleaned up.)

Yeah. I discovered later that one of the other files that creates
the MAL is doing exactly the same thing with a local mal_irqs[]
type array. So I think we could just 

[PATCH v12 17/23] cpu: Move cpu_exec_* to tcg_ops

2020-12-12 Thread Claudio Fontana
From: Eduardo Habkost 

Signed-off-by: Eduardo Habkost 

[claudio: wrapped in CONFIG_TCG]
Signed-off-by: Claudio Fontana 
Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Alex Bennée 
Reviewed-by: Richard Henderson 
---
 include/hw/core/cpu.h |  6 --
 accel/tcg/cpu-exec.c  | 12 ++--
 target/alpha/cpu.c|  2 +-
 target/arm/cpu.c  |  2 +-
 target/arm/cpu64.c|  5 -
 target/arm/cpu_tcg.c  |  7 ++-
 target/avr/cpu.c  |  2 +-
 target/cris/cpu.c |  2 +-
 target/hppa/cpu.c |  2 +-
 target/i386/tcg/tcg-cpu.c |  6 +++---
 target/lm32/cpu.c |  2 +-
 target/m68k/cpu.c |  2 +-
 target/microblaze/cpu.c   |  2 +-
 target/mips/cpu.c |  2 +-
 target/nios2/cpu.c|  2 +-
 target/openrisc/cpu.c |  2 +-
 target/riscv/cpu.c|  2 +-
 target/rx/cpu.c   |  2 +-
 target/s390x/cpu.c|  2 +-
 target/sh4/cpu.c  |  2 +-
 target/sparc/cpu.c|  2 +-
 target/tilegx/cpu.c   |  2 +-
 target/unicore32/cpu.c|  2 +-
 target/xtensa/cpu.c   |  2 +-
 include/hw/core/tcg-cpu-ops.h.inc |  6 ++
 target/ppc/translate_init.c.inc   | 16 ++--
 26 files changed, 54 insertions(+), 42 deletions(-)

diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
index 1c0f523b5b..fcc86662c0 100644
--- a/include/hw/core/cpu.h
+++ b/include/hw/core/cpu.h
@@ -146,9 +146,6 @@ struct TranslationBlock;
  * @gdb_get_dynamic_xml: Callback to return dynamically generated XML for the
  *   gdb stub. Returns a pointer to the XML contents for the specified XML file
  *   or NULL if the CPU doesn't have a dynamically generated content for it.
- * @cpu_exec_enter: Callback for cpu_exec preparation.
- * @cpu_exec_exit: Callback for cpu_exec cleanup.
- * @cpu_exec_interrupt: Callback for processing interrupts in cpu_exec.
  * @disas_set_info: Setup architecture specific components of disassembly info
  * @adjust_watchpoint_address: Perform a target-specific adjustment to an
  * address before attempting to match it against watchpoints.
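Review bot: the kernel-doc entries for @cpu_exec_enter, @cpu_exec_exit and @cpu_exec_interrupt are deleted here, but nothing in the visible part of the patch re-adds them next to the new fields; the diffstat gives include/hw/core/tcg-cpu-ops.h.inc only six added lines, which is barely room for the three declarations, so the descriptions ("Callback for cpu_exec preparation" and the other two) should be carried over as doc comments on the tcg_ops members rather than dropped.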
@@ -211,9 +208,6 @@ struct CPUClass {
 const char *gdb_core_xml_file;
 gchar * (*gdb_arch_name)(CPUState *cpu);
 const char * (*gdb_get_dynamic_xml)(CPUState *cpu, const char *xmlname);
-void (*cpu_exec_enter)(CPUState *cpu);
-void (*cpu_exec_exit)(CPUState *cpu);
-bool (*cpu_exec_interrupt)(CPUState *cpu, int interrupt_request);
 
 void (*disas_set_info)(CPUState *cpu, disassemble_info *info);
 vaddr (*adjust_watchpoint_address)(CPUState *cpu, vaddr addr, int len);
diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index 05dba7f2cc..502f6a53ae 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -240,8 +240,8 @@ static void cpu_exec_enter(CPUState *cpu)
 {
 CPUClass *cc = CPU_GET_CLASS(cpu);
 
-if (cc->cpu_exec_enter) {
-cc->cpu_exec_enter(cpu);
+if (cc->tcg_ops.cpu_exec_enter) {
+cc->tcg_ops.cpu_exec_enter(cpu);
 }
 }
 
@@ -249,8 +249,8 @@ static void cpu_exec_exit(CPUState *cpu)
 {
 CPUClass *cc = CPU_GET_CLASS(cpu);
 
-if (cc->cpu_exec_exit) {
-cc->cpu_exec_exit(cpu);
+if (cc->tcg_ops.cpu_exec_exit) {
+cc->tcg_ops.cpu_exec_exit(cpu);
 }
 }
 
@@ -625,8 +625,8 @@ static inline bool cpu_handle_interrupt(CPUState *cpu,
True when it is, and we should restart on a new TB,
and via longjmp via cpu_loop_exit.  */
 else {
-if (cc->cpu_exec_interrupt &&
-cc->cpu_exec_interrupt(cpu, interrupt_request)) {
+if (cc->tcg_ops.cpu_exec_interrupt &&
+cc->tcg_ops.cpu_exec_interrupt(cpu, interrupt_request)) {
 if (need_replay_interrupt(interrupt_request)) {
 replay_interrupt();
 }
diff --git a/target/alpha/cpu.c b/target/alpha/cpu.c
index d66f0351a9..d9ced1635a 100644
--- a/target/alpha/cpu.c
+++ b/target/alpha/cpu.c
@@ -218,7 +218,7 @@ static void alpha_cpu_class_init(ObjectClass *oc, void 
*data)
 cc->class_by_name = alpha_cpu_class_by_name;
 cc->has_work = alpha_cpu_has_work;
 cc->do_interrupt = alpha_cpu_do_interrupt;
-cc->cpu_exec_interrupt = alpha_cpu_exec_interrupt;
+cc->tcg_ops.cpu_exec_interrupt = alpha_cpu_exec_interrupt;
 cc->dump_state = alpha_cpu_dump_state;
 cc->set_pc = alpha_cpu_set_pc;
 cc->gdb_read_register = alpha_cpu_gdb_read_register;
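Review bot: the "[claudio: wrapped in CONFIG_TCG]" note in the commit message does not apply to this hunk: `cc->tcg_ops.cpu_exec_interrupt` is assigned unconditionally in alpha_cpu_class_init, unlike the arm change that the diffstat moves into target/arm/cpu_tcg.c. If `tcg_ops` is only present in CPUClass under CONFIG_TCG (the later hunks in this series guard every other use of it that way), this compiles only because alpha has no non-TCG accelerator; either guard the assignment the same way for consistency or say in the commit message that unguarded assignments are intended for TCG-only targets.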
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index 3c1a44a5b3..d00999708d 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -2244,7 +2244,6 @@ static void arm_cpu_class_init(ObjectClass *oc, void 
*data)
 
 cc->class_by_name = arm_cpu_class_by_name;
 cc->has_work = arm_cpu_has_work;
-cc->cpu_exec_interrupt = arm_cpu_exec_interrupt;
 cc->dump_

Re: [PATCH 0/8] hw/ppc: Convert UIC device to QOM

2020-12-12 Thread Peter Maydell
On Sat, 12 Dec 2020 at 17:43, BALATON Zoltan  wrote:
> Interestingly the firmware does not use irqs at all, it just polls for
> them it seems. AROS and AmigaOS do seem to break though. With AROS I get
> this exception after your series but it's not very helpful:

> AmigaOS also fails to boot but could not get useful logs from it yet so
> not sure what could be broken.

Thanks for testing this. Do you have pointers to images
and command lines that I can use to reproduce the failure so
I can debug?

-- PMM



[PATCH v12 01/23] i386: move kvm accel files into kvm/

2020-12-12 Thread Claudio Fontana
Signed-off-by: Claudio Fontana 
Reviewed-by: Alex Bennée 
Reviewed-by: Richard Henderson 
---
 meson.build  | 1 +
 target/i386/cpu.h| 2 +-
 target/i386/{ => kvm}/hyperv-proto.h | 0
 target/i386/{ => kvm}/hyperv.h   | 0
 target/i386/{ => kvm}/kvm_i386.h | 0
 target/i386/kvm/trace.h  | 1 +
 hw/i386/fw_cfg.c | 2 +-
 hw/i386/intel_iommu.c| 2 +-
 hw/i386/kvm/apic.c   | 2 +-
 hw/i386/kvm/clock.c  | 2 +-
 hw/i386/microvm.c| 2 +-
 hw/i386/pc.c | 2 +-
 hw/i386/x86.c| 2 +-
 target/i386/cpu.c| 2 +-
 target/i386/helper.c | 2 +-
 target/i386/{ => kvm}/hyperv-stub.c  | 0
 target/i386/{ => kvm}/hyperv.c   | 0
 target/i386/{ => kvm}/kvm-stub.c | 0
 target/i386/{ => kvm}/kvm.c  | 0
 target/i386/machine.c| 4 ++--
 MAINTAINERS  | 2 +-
 target/i386/kvm/meson.build  | 3 +++
 target/i386/kvm/trace-events | 7 +++
 target/i386/meson.build  | 4 +---
 target/i386/trace-events | 6 --
 25 files changed, 26 insertions(+), 22 deletions(-)
 rename target/i386/{ => kvm}/hyperv-proto.h (100%)
 rename target/i386/{ => kvm}/hyperv.h (100%)
 rename target/i386/{ => kvm}/kvm_i386.h (100%)
 create mode 100644 target/i386/kvm/trace.h
 rename target/i386/{ => kvm}/hyperv-stub.c (100%)
 rename target/i386/{ => kvm}/hyperv.c (100%)
 rename target/i386/{ => kvm}/kvm-stub.c (100%)
 rename target/i386/{ => kvm}/kvm.c (100%)
 create mode 100644 target/i386/kvm/meson.build
 create mode 100644 target/i386/kvm/trace-events

diff --git a/meson.build b/meson.build
index 9ea05ab49f..a5e2e73b31 100644
--- a/meson.build
+++ b/meson.build
@@ -1468,6 +1468,7 @@ trace_events_subdirs += [
   'target/arm',
   'target/hppa',
   'target/i386',
+  'target/i386/kvm',
   'target/mips',
   'target/ppc',
   'target/riscv',
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index c4a49c06a8..d6bb053837 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -22,7 +22,7 @@
 
 #include "sysemu/tcg.h"
 #include "cpu-qom.h"
-#include "hyperv-proto.h"
+#include "kvm/hyperv-proto.h"
 #include "exec/cpu-defs.h"
 #include "qapi/qapi-types-common.h"
 
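Review bot: after this hunk target/i386/cpu.h, which is included by every accelerator's build of the i386 target, pulls a header out of the kvm/ subdirectory. Judging by its name and by the fact that cpu.h needs it, hyperv-proto.h carries Hyper-V protocol definitions rather than KVM glue, so relocating it under kvm/ ties accelerator-independent code to the KVM directory; either leave hyperv-proto.h in target/i386 or state in the commit message why it is considered KVM-only.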
diff --git a/target/i386/hyperv-proto.h b/target/i386/kvm/hyperv-proto.h
similarity index 100%
rename from target/i386/hyperv-proto.h
rename to target/i386/kvm/hyperv-proto.h
diff --git a/target/i386/hyperv.h b/target/i386/kvm/hyperv.h
similarity index 100%
rename from target/i386/hyperv.h
rename to target/i386/kvm/hyperv.h
diff --git a/target/i386/kvm_i386.h b/target/i386/kvm/kvm_i386.h
similarity index 100%
rename from target/i386/kvm_i386.h
rename to target/i386/kvm/kvm_i386.h
diff --git a/target/i386/kvm/trace.h b/target/i386/kvm/trace.h
new file mode 100644
index 00..46b75c6942
--- /dev/null
+++ b/target/i386/kvm/trace.h
@@ -0,0 +1 @@
+#include "trace/trace-target_i386_kvm.h"
diff --git a/hw/i386/fw_cfg.c b/hw/i386/fw_cfg.c
index b87f0e5070..e48a54fa36 100644
--- a/hw/i386/fw_cfg.c
+++ b/hw/i386/fw_cfg.c
@@ -21,7 +21,7 @@
 #include "hw/timer/hpet.h"
 #include "hw/nvram/fw_cfg.h"
 #include "e820_memory_layout.h"
-#include "kvm_i386.h"
+#include "kvm/kvm_i386.h"
 #include CONFIG_DEVICES
 
 struct hpet_fw_config hpet_cfg = {.count = UINT8_MAX};
diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index 0cc71e4057..b4f5094259 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -37,7 +37,7 @@
 #include "sysemu/kvm.h"
 #include "sysemu/sysemu.h"
 #include "hw/i386/apic_internal.h"
-#include "kvm_i386.h"
+#include "kvm/kvm_i386.h"
 #include "migration/vmstate.h"
 #include "trace.h"
 
diff --git a/hw/i386/kvm/apic.c b/hw/i386/kvm/apic.c
index b226b674e8..3dbff2be2e 100644
--- a/hw/i386/kvm/apic.c
+++ b/hw/i386/kvm/apic.c
@@ -17,7 +17,7 @@
 #include "hw/pci/msi.h"
 #include "sysemu/hw_accel.h"
 #include "sysemu/kvm.h"
-#include "target/i386/kvm_i386.h"
+#include "kvm/kvm_i386.h"
 
 static inline void kvm_apic_set_reg(struct kvm_lapic_state *kapic,
 int reg_id, uint32_t val)
diff --git a/hw/i386/kvm/clock.c b/hw/i386/kvm/clock.c
index 24fe5091b6..2d8a366369 100644
--- a/hw/i386/kvm/clock.c
+++ b/hw/i386/kvm/clock.c
@@ -20,7 +20,7 @@
 #include "sysemu/kvm.h"
 #include "sysemu/runstate.h"
 #include "sysemu/hw_accel.h"
-#include "kvm_i386.h"
+#include "kvm/kvm_i386.h"
 #include "migration/vmstate.h"
 #include "hw/sysbus.h"
 #include "hw/kvm/clock.h"
diff --git a/hw/i386/microvm.c b/hw/i386/microvm.c
index f111ef87d8..edf2b0f061 100644
--- a/hw/i386/microvm.c
+++ b/hw/i386/microvm.c
@@ -51,7 +51,7 @@
 
 #include "cpu.h"
 #include "elf.h"
-#include "kvm_i386.h"
+#include "kvm/kvm_i386.h"
 #include "hw/xen/start_info.h"
 
 #define MICROVM_QBOOT_FILENAME "qboot.rom"
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 640fb5b0b7..5458f61d10 100644
--- a

[PATCH v12 05/23] i386: move TCG accel files into tcg/

2020-12-12 Thread Claudio Fontana
Signed-off-by: Claudio Fontana 
Reviewed-by: Alex Bennée 
Reviewed-by: Richard Henderson 

[claudio: moved cc_helper_template.h to tcg/ too]
Signed-off-by: Claudio Fontana 
---
 target/i386/{ => tcg}/cc_helper_template.h |  0
 target/i386/{ => tcg}/bpt_helper.c |  0
 target/i386/{ => tcg}/cc_helper.c  |  0
 target/i386/{ => tcg}/excp_helper.c|  0
 target/i386/{ => tcg}/fpu_helper.c |  0
 target/i386/{ => tcg}/int_helper.c |  0
 target/i386/{ => tcg}/mem_helper.c |  0
 target/i386/{ => tcg}/misc_helper.c|  0
 target/i386/{ => tcg}/mpx_helper.c |  0
 target/i386/{ => tcg}/seg_helper.c |  0
 target/i386/{ => tcg}/smm_helper.c |  0
 target/i386/{ => tcg}/svm_helper.c |  0
 target/i386/{ => tcg}/tcg-stub.c   |  0
 target/i386/{ => tcg}/translate.c  |  0
 target/i386/meson.build| 14 +-
 target/i386/tcg/meson.build| 13 +
 16 files changed, 14 insertions(+), 13 deletions(-)
 rename target/i386/{ => tcg}/cc_helper_template.h (100%)
 rename target/i386/{ => tcg}/bpt_helper.c (100%)
 rename target/i386/{ => tcg}/cc_helper.c (100%)
 rename target/i386/{ => tcg}/excp_helper.c (100%)
 rename target/i386/{ => tcg}/fpu_helper.c (100%)
 rename target/i386/{ => tcg}/int_helper.c (100%)
 rename target/i386/{ => tcg}/mem_helper.c (100%)
 rename target/i386/{ => tcg}/misc_helper.c (100%)
 rename target/i386/{ => tcg}/mpx_helper.c (100%)
 rename target/i386/{ => tcg}/seg_helper.c (100%)
 rename target/i386/{ => tcg}/smm_helper.c (100%)
 rename target/i386/{ => tcg}/svm_helper.c (100%)
 rename target/i386/{ => tcg}/tcg-stub.c (100%)
 rename target/i386/{ => tcg}/translate.c (100%)
 create mode 100644 target/i386/tcg/meson.build

diff --git a/target/i386/cc_helper_template.h 
b/target/i386/tcg/cc_helper_template.h
similarity index 100%
rename from target/i386/cc_helper_template.h
rename to target/i386/tcg/cc_helper_template.h
diff --git a/target/i386/bpt_helper.c b/target/i386/tcg/bpt_helper.c
similarity index 100%
rename from target/i386/bpt_helper.c
rename to target/i386/tcg/bpt_helper.c
diff --git a/target/i386/cc_helper.c b/target/i386/tcg/cc_helper.c
similarity index 100%
rename from target/i386/cc_helper.c
rename to target/i386/tcg/cc_helper.c
diff --git a/target/i386/excp_helper.c b/target/i386/tcg/excp_helper.c
similarity index 100%
rename from target/i386/excp_helper.c
rename to target/i386/tcg/excp_helper.c
diff --git a/target/i386/fpu_helper.c b/target/i386/tcg/fpu_helper.c
similarity index 100%
rename from target/i386/fpu_helper.c
rename to target/i386/tcg/fpu_helper.c
diff --git a/target/i386/int_helper.c b/target/i386/tcg/int_helper.c
similarity index 100%
rename from target/i386/int_helper.c
rename to target/i386/tcg/int_helper.c
diff --git a/target/i386/mem_helper.c b/target/i386/tcg/mem_helper.c
similarity index 100%
rename from target/i386/mem_helper.c
rename to target/i386/tcg/mem_helper.c
diff --git a/target/i386/misc_helper.c b/target/i386/tcg/misc_helper.c
similarity index 100%
rename from target/i386/misc_helper.c
rename to target/i386/tcg/misc_helper.c
diff --git a/target/i386/mpx_helper.c b/target/i386/tcg/mpx_helper.c
similarity index 100%
rename from target/i386/mpx_helper.c
rename to target/i386/tcg/mpx_helper.c
diff --git a/target/i386/seg_helper.c b/target/i386/tcg/seg_helper.c
similarity index 100%
rename from target/i386/seg_helper.c
rename to target/i386/tcg/seg_helper.c
diff --git a/target/i386/smm_helper.c b/target/i386/tcg/smm_helper.c
similarity index 100%
rename from target/i386/smm_helper.c
rename to target/i386/tcg/smm_helper.c
diff --git a/target/i386/svm_helper.c b/target/i386/tcg/svm_helper.c
similarity index 100%
rename from target/i386/svm_helper.c
rename to target/i386/tcg/svm_helper.c
diff --git a/target/i386/tcg-stub.c b/target/i386/tcg/tcg-stub.c
similarity index 100%
rename from target/i386/tcg-stub.c
rename to target/i386/tcg/tcg-stub.c
diff --git a/target/i386/translate.c b/target/i386/tcg/translate.c
similarity index 100%
rename from target/i386/translate.c
rename to target/i386/tcg/translate.c
diff --git a/target/i386/meson.build b/target/i386/meson.build
index 284d52ab81..750471c9f3 100644
--- a/target/i386/meson.build
+++ b/target/i386/meson.build
@@ -5,19 +5,6 @@ i386_ss.add(files(
   'helper.c',
   'xsave_helper.c',
 ))
-i386_ss.add(when: 'CONFIG_TCG', if_true: files(
-  'bpt_helper.c',
-  'cc_helper.c',
-  'excp_helper.c',
-  'fpu_helper.c',
-  'int_helper.c',
-  'mem_helper.c',
-  'misc_helper.c',
-  'mpx_helper.c',
-  'seg_helper.c',
-  'smm_helper.c',
-  'svm_helper.c',
-  'translate.c'), if_false: files('tcg-stub.c'))
 i386_ss.add(when: 'CONFIG_SEV', if_true: files('sev.c'), if_false: 
files('sev-stub.c'))
 
 i386_softmmu_ss = ss.source_set()
@@ -32,6 +19,7 @@ subdir('kvm')
 subdir('hax')
 subdir('whpx')
 subdir('hvf')
+subdir('tcg')
 
 target_arch += {'i386': i386_ss}
 target_softmmu_arch += {'i386': i386_
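Review bot: with `subdir('tcg')` replacing the inline file list, the `if_false: files('tcg-stub.c')` fallback removed in the hunk above has to be preserved in target/i386/tcg/meson.build, otherwise --disable-tcg builds lose the stub symbols; the diffstat shows 13 lines for the new meson.build against the 13 removed here, so it probably is, but the commit message should say that the TCG/stub selection is moved, not just the sources.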

[PATCH v12 15/23] accel/tcg: split TCG-only code from cpu_exec_realizefn

2020-12-12 Thread Claudio Fontana
move away TCG-only code, make it compile only on TCG.

Signed-off-by: Claudio Fontana 
Reviewed-by: Alex Bennée 
Reviewed-by: Richard Henderson 
---
 include/hw/core/cpu.h |  8 +
 accel/tcg/cpu-exec.c  | 28 +
 cpu.c | 70 ---
 hw/core/cpu.c |  6 +++-
 4 files changed, 74 insertions(+), 38 deletions(-)

diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
index c93b08a0fb..ea648d52ad 100644
--- a/include/hw/core/cpu.h
+++ b/include/hw/core/cpu.h
@@ -1119,10 +1119,18 @@ AddressSpace *cpu_get_address_space(CPUState *cpu, int 
asidx);
 void QEMU_NORETURN cpu_abort(CPUState *cpu, const char *fmt, ...)
 GCC_FMT_ATTR(2, 3);
 extern Property cpu_common_props[];
+
+/* $(top_srcdir)/cpu.c */
 void cpu_exec_initfn(CPUState *cpu);
 void cpu_exec_realizefn(CPUState *cpu, Error **errp);
 void cpu_exec_unrealizefn(CPUState *cpu);
 
+#ifdef CONFIG_TCG
+/* accel/tcg/cpu-exec.c */
+void tcg_exec_realizefn(CPUState *cpu, Error **errp);
+void tcg_exec_unrealizefn(CPUState *cpu);
+#endif /* CONFIG_TCG */
+
 /**
  * target_words_bigendian:
  * Returns true if the (default) endianness of the target is big endian,
diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index 64cba89356..50eb92d217 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -801,6 +801,34 @@ int cpu_exec(CPUState *cpu)
 return ret;
 }
 
+void tcg_exec_realizefn(CPUState *cpu, Error **errp)
+{
+static bool tcg_target_initialized;
+CPUClass *cc = CPU_GET_CLASS(cpu);
+
+if (!tcg_target_initialized) {
+cc->tcg_ops.initialize();
+tcg_target_initialized = true;
+}
+tlb_init(cpu);
+qemu_plugin_vcpu_init_hook(cpu);
+
+#ifndef CONFIG_USER_ONLY
+tcg_iommu_init_notifier_list(cpu);
+#endif /* !CONFIG_USER_ONLY */
+}
+
+/* undo the initializations in reverse order */
+void tcg_exec_unrealizefn(CPUState *cpu)
+{
+#ifndef CONFIG_USER_ONLY
+tcg_iommu_free_notifier_list(cpu);
+#endif /* !CONFIG_USER_ONLY */
+
+qemu_plugin_vcpu_exit_hook(cpu);
+tlb_destroy(cpu);
+}
+
 #ifndef CONFIG_USER_ONLY
 
 void dump_drift_info(void)
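Review bot: `tcg_exec_realizefn` takes `Error **errp` but never uses it and has no failure path, so a caller cannot tell it from a void function; either drop the parameter (the cpu.c side already adds a "NB: errp parameter is unused currently" comment admitting this) or make `cc->tcg_ops.initialize()`/`tlb_init()` report through it. Separately, the removed code set `tcg_target_initialized = true` before calling `initialize()`, while the new code sets it after; if `initialize()` can ever re-enter realize this changes behaviour, so confirm the reordering is intentional or keep the original order.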
diff --git a/cpu.c b/cpu.c
index 27ad096cc4..5cc8f181be 100644
--- a/cpu.c
+++ b/cpu.c
@@ -124,13 +124,35 @@ const VMStateDescription vmstate_cpu_common = {
 };
 #endif
 
+void cpu_exec_realizefn(CPUState *cpu, Error **errp)
+{
+CPUClass *cc = CPU_GET_CLASS(cpu);
+
+cpu_list_add(cpu);
+
+#ifdef CONFIG_TCG
+/* NB: errp parameter is unused currently */
+if (tcg_enabled()) {
+tcg_exec_realizefn(cpu, errp);
+}
+#endif /* CONFIG_TCG */
+
+#ifdef CONFIG_USER_ONLY
+assert(cc->vmsd == NULL);
+#else
+if (qdev_get_vmsd(DEVICE(cpu)) == NULL) {
+vmstate_register(NULL, cpu->cpu_index, &vmstate_cpu_common, cpu);
+}
+if (cc->vmsd != NULL) {
+vmstate_register(NULL, cpu->cpu_index, cc->vmsd, cpu);
+}
+#endif /* CONFIG_USER_ONLY */
+}
+
 void cpu_exec_unrealizefn(CPUState *cpu)
 {
 CPUClass *cc = CPU_GET_CLASS(cpu);
 
-tlb_destroy(cpu);
-cpu_list_remove(cpu);
-
 #ifdef CONFIG_USER_ONLY
 assert(cc->vmsd == NULL);
 #else
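Review bot: in the new cpu_exec_realizefn, `tlb_init(cpu)` and `qemu_plugin_vcpu_init_hook(cpu)` now run only when `tcg_enabled()`, whereas the removed version called both unconditionally for every accelerator; "move away TCG-only code" in the commit message should state explicitly that neither has a non-TCG consumer, since that is the one behavioural change in an otherwise mechanical split.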
@@ -140,8 +162,15 @@ void cpu_exec_unrealizefn(CPUState *cpu)
 if (qdev_get_vmsd(DEVICE(cpu)) == NULL) {
 vmstate_unregister(NULL, &vmstate_cpu_common, cpu);
 }
-tcg_iommu_free_notifier_list(cpu);
 #endif
+#ifdef CONFIG_TCG
+/* NB: errp parameter is unused currently */
+if (tcg_enabled()) {
+tcg_exec_unrealizefn(cpu);
+}
+#endif /* CONFIG_TCG */
+
+cpu_list_remove(cpu);
 }
 
 Property cpu_common_props[] = {
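Review bot: the comment "/* NB: errp parameter is unused currently */" copied into cpu_exec_unrealizefn is stale, as tcg_exec_unrealizefn() takes no errp at all; drop it here. The teardown order also changes: previously tlb_destroy() and cpu_list_remove() ran before vmstate_unregister(), now vmstate is unregistered first, then the TCG state, and the CPU is removed from the list last. That is the correct reverse of realize, but it is worth one sentence in the commit message marking it as intentional.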
@@ -171,39 +200,6 @@ void cpu_exec_initfn(CPUState *cpu)
 #endif
 }
 
-void cpu_exec_realizefn(CPUState *cpu, Error **errp)
-{
-CPUClass *cc = CPU_GET_CLASS(cpu);
-#ifdef CONFIG_TCG
-static bool tcg_target_initialized;
-#endif /* CONFIG_TCG */
-
-cpu_list_add(cpu);
-
-#ifdef CONFIG_TCG
-if (tcg_enabled() && !tcg_target_initialized) {
-tcg_target_initialized = true;
-cc->tcg_ops.initialize();
-}
-#endif /* CONFIG_TCG */
-tlb_init(cpu);
-
-qemu_plugin_vcpu_init_hook(cpu);
-
-#ifdef CONFIG_USER_ONLY
-assert(cc->vmsd == NULL);
-#else /* !CONFIG_USER_ONLY */
-if (qdev_get_vmsd(DEVICE(cpu)) == NULL) {
-vmstate_register(NULL, cpu->cpu_index, &vmstate_cpu_common, cpu);
-}
-if (cc->vmsd != NULL) {
-vmstate_register(NULL, cpu->cpu_index, cc->vmsd, cpu);
-}
-
-tcg_iommu_init_notifier_list(cpu);
-#endif
-}
-
 const char *parse_cpu_option(const char *cpu_option)
 {
 ObjectClass *oc;
diff --git a/hw/core/cpu.c b/hw/core/cpu.c
index 994a12cb35..1f04aab16b 100644
--- a/hw/core/cpu.c
+++ b/hw/core/cpu.c
@@ -199,6 +199,10 @@ static bool cpu_common_virtio_is_big_endian(CPUState *cpu)
 return target_words_bigendian();
 }
 
+/*
+ * XXX the following #if is always true because this is a common_ss
+ * module, so target CONFIG_* is never defined.
+ */
 #if !defined(CONFIG_USER_ONLY)
 GuestPanicInformatio

Re: [PATCH] icount: improve exec nocache usage

2020-12-12 Thread Richard Henderson
On 12/12/20 12:22 AM, Pavel Dovgalyuk wrote:
> However, we can't cache them directly, because hash table can include only one
> block with the specific pc.

That's not true at all.


r~



[PATCH v12 08/23] i386: tcg: remove inline from cpu_load_eflags

2020-12-12 Thread Claudio Fontana
make it a regular function.

Suggested-by: Richard Henderson 
Signed-off-by: Claudio Fontana 
---
 target/i386/tcg/helper-tcg.h  | 15 ++-
 target/i386/tcg/misc_helper.c | 13 +
 2 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/target/i386/tcg/helper-tcg.h b/target/i386/tcg/helper-tcg.h
index 148edf49a3..c133c63555 100644
--- a/target/i386/tcg/helper-tcg.h
+++ b/target/i386/tcg/helper-tcg.h
@@ -78,19 +78,8 @@ void QEMU_NORETURN raise_interrupt(CPUX86State *nenv, int 
intno, int is_int,
 /* cc_helper.c */
 extern const uint8_t parity_table[256];
 
-/*
- * NOTE: the translator must set DisasContext.cc_op to CC_OP_EFLAGS
- * after generating a call to a helper that uses this.
- */
-static inline void cpu_load_eflags(CPUX86State *env, int eflags,
-   int update_mask)
-{
-CC_SRC = eflags & (CC_O | CC_S | CC_Z | CC_A | CC_P | CC_C);
-CC_OP = CC_OP_EFLAGS;
-env->df = 1 - (2 * ((eflags >> 10) & 1));
-env->eflags = (env->eflags & ~update_mask) |
-(eflags & update_mask) | 0x2;
-}
+/* misc_helper.c */
+void cpu_load_eflags(CPUX86State *env, int eflags, int update_mask);
 
 /* svm_helper.c */
 void QEMU_NORETURN cpu_vmexit(CPUX86State *nenv, uint32_t exit_code,
diff --git a/target/i386/tcg/misc_helper.c b/target/i386/tcg/misc_helper.c
index c99370e5e3..0bd6c95749 100644
--- a/target/i386/tcg/misc_helper.c
+++ b/target/i386/tcg/misc_helper.c
@@ -26,6 +26,19 @@
 #include "exec/address-spaces.h"
 #include "helper-tcg.h"
 
+/*
+ * NOTE: the translator must set DisasContext.cc_op to CC_OP_EFLAGS
+ * after generating a call to a helper that uses this.
+ */
+void cpu_load_eflags(CPUX86State *env, int eflags, int update_mask)
+{
+CC_SRC = eflags & (CC_O | CC_S | CC_Z | CC_A | CC_P | CC_C);
+CC_OP = CC_OP_EFLAGS;
+env->df = 1 - (2 * ((eflags >> 10) & 1));
+env->eflags = (env->eflags & ~update_mask) |
+(eflags & update_mask) | 0x2;
+}
+
 void helper_outb(CPUX86State *env, uint32_t port, uint32_t data)
 {
 #ifdef CONFIG_USER_ONLY
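Review bot: cpu_load_eflags() moves from a `static inline` in helper-tcg.h to an out-of-line definition in misc_helper.c, which after the tcg/ move is compiled only when CONFIG_TCG is set; any caller outside the TCG helpers that previously picked up the inline through helper-tcg.h would now fail to link in a --disable-tcg build, so confirm every caller is TCG-only or provide a stub. The NOTE about DisasContext.cc_op is carried over with the body, which is the right place for it.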
-- 
2.26.2




Re: [PATCH 0/2] m68k/q800: make the GLUE chip a QOM device

2020-12-12 Thread Laurent Vivier
Le 07/11/2020 à 00:51, Peter Maydell a écrit :
> This series is 6.0 material really I think.  It's a bit of cleanup
> prompted by a Coverity issue, CID 1421883.  There are another half
> dozen or so similar issues, where Coverity is complaining that we
> allocate an array of qemu_irqs with qemu_allocate_irqs() in a board
> init function -- in this case the 'pic' array in q800_init() -- and
> then we return from the board init function and the memory is leaked,
> in the sense that nobody has a pointer to it any more.
> 
> The leak isn't real, in that board init functions are called only
> once, and the array of qemu_irqs really does need to stay around for
> the life of the simulation, so these are pretty much insignificant
> as Coverity issues go. But this coding style which uses a free-floating
> set of qemu_irqs is not very "modern QEMU", so the issues act as
> a nudge that we should clean the code up by encapsulating the
> interrupt-line behaviour in a QOM device. In the q800 case there
> actually is already a GLUEState struct, it just needs to be turned
> into a QOM device with GPIO input lines. Patch 2 does that.
> 
> Patch 1 fixes a bug I noticed while doing this work -- it's
> not valid to connect two qemu_irq lines directly to the same
> input (here both ESCC irq lines go to pic[3]) because it produces
> weird behaviour like "both lines are asserted but the device
> consuming the interrupt sees the line deassert when one of the
> two inputs goes low, rather than only when they both go low".
> You need to put an explicit OR gate in, assuming that logical-OR
> is the desired behaviour, which it usually is.
> 
> Tested only with 'make check' and 'make check-acceptance',
> but the latter does have a q800 bootup test.
> 
> thanks
> -- PMM
> 
> Peter Maydell (2):
>   hw/m68k/q800: Don't connect two qemu_irqs directly to the same input
>   hw/m68k/q800.c: Make the GLUE chip an actual QOM device
> 
>  hw/m68k/q800.c  | 92 ++---
>  hw/m68k/Kconfig |  1 +
>  2 files changed, 80 insertions(+), 13 deletions(-)
> 

Applied to my m68k-for-6.0 branch

Thanks,
Laurent



[PATCH v12 11/23] tcg: Make CPUClass.debug_excp_handler optional

2020-12-12 Thread Claudio Fontana
From: Eduardo Habkost 

Signed-off-by: Eduardo Habkost 
Signed-off-by: Claudio Fontana 
Reviewed-by: Alex Bennée 
---
 accel/tcg/cpu-exec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index 890b88861a..64cba89356 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -482,7 +482,9 @@ static inline void cpu_handle_debug_exception(CPUState *cpu)
 }
 }
 
-cc->debug_excp_handler(cpu);
+if (cc->debug_excp_handler) {
+cc->debug_excp_handler(cpu);
+}
 }
 
 static inline bool cpu_handle_exception(CPUState *cpu, int *ret)
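Review bot: the commit message has no body explaining why `debug_excp_handler` becomes optional, i.e. which CPU classes stop setting it or will do so in later patches of the series; a one-line justification would help anyone bisecting. The NULL check itself is fine and matches the way the other optional CPUClass callbacks in this file are guarded.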
-- 
2.26.2




[PATCH v12 22/23] cpu: move cc->transaction_failed to tcg_ops

2020-12-12 Thread Claudio Fontana
Signed-off-by: Claudio Fontana 
Reviewed-by: Alex Bennée 
Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
---
 include/hw/core/cpu.h | 18 --
 hw/mips/jazz.c|  9 +++--
 target/alpha/cpu.c|  2 +-
 target/arm/cpu.c  |  4 ++--
 target/m68k/cpu.c |  2 +-
 target/microblaze/cpu.c   |  2 +-
 target/mips/cpu.c |  4 +++-
 target/riscv/cpu.c|  2 +-
 target/riscv/cpu_helper.c |  2 +-
 target/sparc/cpu.c|  2 +-
 target/xtensa/cpu.c   |  2 +-
 target/xtensa/helper.c|  4 ++--
 include/hw/core/tcg-cpu-ops.h.inc | 13 +
 13 files changed, 42 insertions(+), 24 deletions(-)

diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
index e7eb0397e4..30e4854305 100644
--- a/include/hw/core/cpu.h
+++ b/include/hw/core/cpu.h
@@ -89,8 +89,6 @@ struct TranslationBlock;
  * @has_work: Callback for checking if there is work to do.
  * @do_unaligned_access: Callback for unaligned access handling, if
  * the target defines #TARGET_ALIGNED_ONLY.
- * @do_transaction_failed: Callback for handling failed memory transactions
- * (ie bus faults or external aborts; not MMU faults)
  * @virtio_is_big_endian: Callback to return %true if a CPU which supports
  * runtime configurable endianness is currently big-endian. Non-configurable
  * CPUs can use the default implementation of this method. This method should
@@ -159,10 +157,6 @@ struct CPUClass {
 void (*do_unaligned_access)(CPUState *cpu, vaddr addr,
 MMUAccessType access_type,
 int mmu_idx, uintptr_t retaddr);
-void (*do_transaction_failed)(CPUState *cpu, hwaddr physaddr, vaddr addr,
-  unsigned size, MMUAccessType access_type,
-  int mmu_idx, MemTxAttrs attrs,
-  MemTxResult response, uintptr_t retaddr);
 bool (*virtio_is_big_endian)(CPUState *cpu);
 int (*memory_rw_debug)(CPUState *cpu, vaddr addr,
uint8_t *buf, int len, bool is_write);
@@ -849,6 +843,7 @@ static inline void cpu_unaligned_access(CPUState *cpu, 
vaddr addr,
 cc->do_unaligned_access(cpu, addr, access_type, mmu_idx, retaddr);
 }
 
+#ifdef CONFIG_TCG
 static inline void cpu_transaction_failed(CPUState *cpu, hwaddr physaddr,
   vaddr addr, unsigned size,
   MMUAccessType access_type,
@@ -858,12 +853,15 @@ static inline void cpu_transaction_failed(CPUState *cpu, 
hwaddr physaddr,
 {
 CPUClass *cc = CPU_GET_CLASS(cpu);
 
-if (!cpu->ignore_memory_transaction_failures && cc->do_transaction_failed) 
{
-cc->do_transaction_failed(cpu, physaddr, addr, size, access_type,
-  mmu_idx, attrs, response, retaddr);
+if (!cpu->ignore_memory_transaction_failures &&
+cc->tcg_ops.do_transaction_failed) {
+cc->tcg_ops.do_transaction_failed(cpu, physaddr, addr, size,
+  access_type, mmu_idx, attrs,
+  response, retaddr);
 }
 }
-#endif
+#endif /* CONFIG_TCG */
+#endif /* CONFIG_SOFTMMU */
 
 #endif /* NEED_CPU_H */
 
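Review bot: cpu_transaction_failed() is now only defined under CONFIG_TCG, so any softmmu code outside accel/tcg that calls it breaks in a --disable-tcg build; this patch handles hw/mips/jazz.c by wrapping the override, but the header change is an interface change and should be called out in the commit message. Adding `/* CONFIG_SOFTMMU */` to what was a bare `#endif` is a welcome clarification; just check that the matching `#if` really is CONFIG_SOFTMMU and not the NEED_CPU_H guard whose `#endif` sits directly below.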
diff --git a/hw/mips/jazz.c b/hw/mips/jazz.c
index f9442731dd..46c71a0ac8 100644
--- a/hw/mips/jazz.c
+++ b/hw/mips/jazz.c
@@ -116,6 +116,8 @@ static const MemoryRegionOps dma_dummy_ops = {
 #define MAGNUM_BIOS_SIZE_MAX 0x7e000
 #define MAGNUM_BIOS_SIZE   
\
 (BIOS_SIZE < MAGNUM_BIOS_SIZE_MAX ? BIOS_SIZE : MAGNUM_BIOS_SIZE_MAX)
+
+#if defined(CONFIG_TCG) && !defined(CONFIG_USER_ONLY)
 static void (*real_do_transaction_failed)(CPUState *cpu, hwaddr physaddr,
   vaddr addr, unsigned size,
   MMUAccessType access_type,
@@ -137,6 +139,7 @@ static void mips_jazz_do_transaction_failed(CPUState *cs, 
hwaddr physaddr,
 (*real_do_transaction_failed)(cs, physaddr, addr, size, access_type,
   mmu_idx, attrs, response, retaddr);
 }
+#endif /* CONFIG_TCG && !CONFIG_USER_ONLY */
 
 static void mips_jazz_init(MachineState *machine,
enum jazz_model_e jazz_model)
@@ -205,8 +208,10 @@ static void mips_jazz_init(MachineState *machine,
  * memory region that catches all memory accesses, as we do on Malta.
  */
 cc = CPU_GET_CLASS(cpu);
-real_do_transaction_failed = cc->do_transaction_failed;
-cc->do_transaction_failed = mips_jazz_do_transaction_failed;
+#if defined(CONFIG_TCG) && !defined(CONFIG_USER_ONLY)
+real_do_transaction_failed = cc->tcg_ops.do_transaction_failed;
+cc->tcg_ops.do_transaction_failed = mips_jazz_do_transaction_failed;
+#endif /* CONFIG_TCG && !CONFIG_USER
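Review bot: the `!defined(CONFIG_USER_ONLY)` half of the guard is redundant in hw/mips/jazz.c, which is only ever built for softmmu, so `#ifdef CONFIG_TCG` would do in both places. More importantly, in a non-TCG build the override is now silently compiled out while the comment above the assignment ("memory region that catches all memory accesses, as we do on Malta") still presents it as the mechanism in use; extend that comment to say the bus-fault interception is TCG-only.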

[PATCH v12 06/23] i386: move cpu dump out of helper.c into cpu-dump.c

2020-12-12 Thread Claudio Fontana
Signed-off-by: Claudio Fontana 
Reviewed-by: Alex Bennée 
Reviewed-by: Richard Henderson 
---
 target/i386/cpu.h   |   1 +
 target/i386/cpu-dump.c  | 537 
 target/i386/helper.c| 514 --
 target/i386/meson.build |   1 +
 4 files changed, 539 insertions(+), 514 deletions(-)
 create mode 100644 target/i386/cpu-dump.c

diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index d6bb053837..343e51baab 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -2236,6 +2236,7 @@ void enable_compat_apic_id_mode(void);
 #define APIC_DEFAULT_ADDRESS 0xfee0
 #define APIC_SPACE_SIZE  0x10
 
+/* cpu-dump.c */
 void x86_cpu_dump_local_apic_state(CPUState *cs, int flags);
 
 /* cpu.c */
diff --git a/target/i386/cpu-dump.c b/target/i386/cpu-dump.c
new file mode 100644
index 00..aac21f1f60
--- /dev/null
+++ b/target/i386/cpu-dump.c
@@ -0,0 +1,537 @@
+/*
+ *  i386 CPU dump to FILE
+ *
+ *  Copyright (c) 2003 Fabrice Bellard
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "cpu.h"
+#include "qemu/qemu-print.h"
+#ifndef CONFIG_USER_ONLY
+#include "hw/i386/apic_internal.h"
+#endif
+
+/***/
+/* x86 debug */
+
+static const char *cc_op_str[CC_OP_NB] = {
+"DYNAMIC",
+"EFLAGS",
+
+"MULB",
+"MULW",
+"MULL",
+"MULQ",
+
+"ADDB",
+"ADDW",
+"ADDL",
+"ADDQ",
+
+"ADCB",
+"ADCW",
+"ADCL",
+"ADCQ",
+
+"SUBB",
+"SUBW",
+"SUBL",
+"SUBQ",
+
+"SBBB",
+"SBBW",
+"SBBL",
+"SBBQ",
+
+"LOGICB",
+"LOGICW",
+"LOGICL",
+"LOGICQ",
+
+"INCB",
+"INCW",
+"INCL",
+"INCQ",
+
+"DECB",
+"DECW",
+"DECL",
+"DECQ",
+
+"SHLB",
+"SHLW",
+"SHLL",
+"SHLQ",
+
+"SARB",
+"SARW",
+"SARL",
+"SARQ",
+
+"BMILGB",
+"BMILGW",
+"BMILGL",
+"BMILGQ",
+
+"ADCX",
+"ADOX",
+"ADCOX",
+
+"CLR",
+};
+
+static void
+cpu_x86_dump_seg_cache(CPUX86State *env, FILE *f,
+   const char *name, struct SegmentCache *sc)
+{
+#ifdef TARGET_X86_64
+if (env->hflags & HF_CS64_MASK) {
+qemu_fprintf(f, "%-3s=%04x %016" PRIx64 " %08x %08x", name,
+ sc->selector, sc->base, sc->limit,
+ sc->flags & 0x0000);
+} else
+#endif
+{
+qemu_fprintf(f, "%-3s=%04x %08x %08x %08x", name, sc->selector,
+ (uint32_t)sc->base, sc->limit,
+ sc->flags & 0x0000);
+}
+
+if (!(env->hflags & HF_PE_MASK) || !(sc->flags & DESC_P_MASK))
+goto done;
+
+qemu_fprintf(f, " DPL=%d ",
+ (sc->flags & DESC_DPL_MASK) >> DESC_DPL_SHIFT);
+if (sc->flags & DESC_S_MASK) {
+if (sc->flags & DESC_CS_MASK) {
+qemu_fprintf(f, (sc->flags & DESC_L_MASK) ? "CS64" :
+ ((sc->flags & DESC_B_MASK) ? "CS32" : "CS16"));
+qemu_fprintf(f, " [%c%c", (sc->flags & DESC_C_MASK) ? 'C' : '-',
+ (sc->flags & DESC_R_MASK) ? 'R' : '-');
+} else {
+qemu_fprintf(f, (sc->flags & DESC_B_MASK
+ || env->hflags & HF_LMA_MASK)
+ ? "DS  " : "DS16");
+qemu_fprintf(f, " [%c%c", (sc->flags & DESC_E_MASK) ? 'E' : '-',
+ (sc->flags & DESC_W_MASK) ? 'W' : '-');
+}
+qemu_fprintf(f, "%c]", (sc->flags & DESC_A_MASK) ? 'A' : '-');
+} else {
+static const char *sys_type_name[2][16] = {
+{ /* 32 bit mode */
+"Reserved", "TSS16-avl", "LDT", "TSS16-busy",
+"CallGate16", "TaskGate", "IntGate16", "TrapGate16",
+"Reserved", "TSS32-avl", "Reserved", "TSS32-busy",
+"CallGate32", "Reserved", "IntGate32", "TrapGate32"
+},
+{ /* 64 bit mode */
+"", "Reserved", "LDT", "Reserved", "Reserved",
+"Reserved", "Reserved", "Reserved", "Reserved",
+"TSS64-avl", "Reserved", "TSS64-busy", "CallGate64",
+"Reserved", "IntGate64", "TrapGate64"
+}
+};
+qemu_fprintf(f, "%s",
+ sys_type_name[(env->hflags & HF
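Review bot: cc_op_str is sized with CC_OP_NB but filled positionally, so once the table lives apart from the enum in cpu.h, a CC_OP value added there without a matching string here still compiles and merely leaves NULL entries at the tail of the table. Designated initializers ([CC_OP_MULB] = "MULB", ...) or a QEMU_BUILD_BUG_ON on the entry count would keep the two in sync; since this patch is meant to be a pure move, that belongs in a follow-up, but it is worth flagging now that the split makes the drift easier.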

[PATCH v12 23/23] cpu: move do_unaligned_access to tcg_ops

2020-12-12 Thread Claudio Fontana
make it consistently SOFTMMU-only.

Signed-off-by: Claudio Fontana 
Reviewed-by: Alex Bennée 
Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
---
 include/hw/core/cpu.h | 17 +++--
 target/alpha/cpu.c|  2 +-
 target/arm/cpu.c  |  2 +-
 target/hppa/cpu.c |  4 +++-
 target/microblaze/cpu.c   |  2 +-
 target/mips/cpu.c |  3 ++-
 target/nios2/cpu.c|  2 +-
 target/riscv/cpu.c|  2 +-
 target/s390x/cpu.c|  2 +-
 target/s390x/excp_helper.c|  2 +-
 target/sh4/cpu.c  |  2 +-
 target/sparc/cpu.c|  2 +-
 target/xtensa/cpu.c   |  2 +-
 include/hw/core/tcg-cpu-ops.h.inc |  6 ++
 target/ppc/translate_init.c.inc   |  2 +-
 15 files changed, 25 insertions(+), 27 deletions(-)

diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
index 30e4854305..6fee4d5d19 100644
--- a/include/hw/core/cpu.h
+++ b/include/hw/core/cpu.h
@@ -87,8 +87,6 @@ struct TranslationBlock;
  * @parse_features: Callback to parse command line arguments.
  * @reset_dump_flags: #CPUDumpFlags to use for reset logging.
  * @has_work: Callback for checking if there is work to do.
- * @do_unaligned_access: Callback for unaligned access handling, if
- * the target defines #TARGET_ALIGNED_ONLY.
  * @virtio_is_big_endian: Callback to return %true if a CPU which supports
  * runtime configurable endianness is currently big-endian. Non-configurable
  * CPUs can use the default implementation of this method. This method should
@@ -154,9 +152,6 @@ struct CPUClass {
 
 int reset_dump_flags;
 bool (*has_work)(CPUState *cpu);
-void (*do_unaligned_access)(CPUState *cpu, vaddr addr,
-MMUAccessType access_type,
-int mmu_idx, uintptr_t retaddr);
 bool (*virtio_is_big_endian)(CPUState *cpu);
 int (*memory_rw_debug)(CPUState *cpu, vaddr addr,
uint8_t *buf, int len, bool is_write);
@@ -831,19 +826,16 @@ CPUState *cpu_by_arch_id(int64_t id);
 
 void cpu_interrupt(CPUState *cpu, int mask);
 
-#ifdef NEED_CPU_H
-
-#ifdef CONFIG_SOFTMMU
+#if !defined(CONFIG_USER_ONLY) && defined(CONFIG_TCG)
 static inline void cpu_unaligned_access(CPUState *cpu, vaddr addr,
 MMUAccessType access_type,
 int mmu_idx, uintptr_t retaddr)
 {
 CPUClass *cc = CPU_GET_CLASS(cpu);
 
-cc->do_unaligned_access(cpu, addr, access_type, mmu_idx, retaddr);
+cc->tcg_ops.do_unaligned_access(cpu, addr, access_type, mmu_idx, retaddr);
 }
 
-#ifdef CONFIG_TCG
 static inline void cpu_transaction_failed(CPUState *cpu, hwaddr physaddr,
   vaddr addr, unsigned size,
   MMUAccessType access_type,
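Review bot: the removal of the NEED_CPU_H guard is not explained by the commit message, which only covers making the block SOFTMMU-only ("make it consistently SOFTMMU-only"). Both cpu_unaligned_access() and cpu_transaction_failed() dereference cc->tcg_ops, and the new !CONFIG_USER_ONLY && CONFIG_TCG condition is now the only thing keeping those inline bodies out of builds where that member does not exist; a sentence saying why NEED_CPU_H is no longer needed here would make the change reviewable without chasing the rest of the series.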
@@ -860,10 +852,7 @@ static inline void cpu_transaction_failed(CPUState *cpu, 
hwaddr physaddr,
   response, retaddr);
 }
 }
-#endif /* CONFIG_TCG */
-#endif /* CONFIG_SOFTMMU */
-
-#endif /* NEED_CPU_H */
+#endif /* !CONFIG_USER_ONLY && CONFIG_TCG */
 
 /**
  * cpu_set_pc:
diff --git a/target/alpha/cpu.c b/target/alpha/cpu.c
index a1696bebeb..0710298e5a 100644
--- a/target/alpha/cpu.c
+++ b/target/alpha/cpu.c
@@ -226,7 +226,7 @@ static void alpha_cpu_class_init(ObjectClass *oc, void 
*data)
 cc->tcg_ops.tlb_fill = alpha_cpu_tlb_fill;
 #ifndef CONFIG_USER_ONLY
 cc->tcg_ops.do_transaction_failed = alpha_cpu_do_transaction_failed;
-cc->do_unaligned_access = alpha_cpu_do_unaligned_access;
+cc->tcg_ops.do_unaligned_access = alpha_cpu_do_unaligned_access;
 cc->get_phys_page_debug = alpha_cpu_get_phys_page_debug;
 dc->vmsd = &vmstate_alpha_cpu;
 #endif
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index 525f9311dc..2e6f516355 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -2269,9 +2269,9 @@ static void arm_cpu_class_init(ObjectClass *oc, void 
*data)
 cc->tcg_ops.tlb_fill = arm_cpu_tlb_fill;
 cc->tcg_ops.debug_excp_handler = arm_debug_excp_handler;
 cc->debug_check_watchpoint = arm_debug_check_watchpoint;
-cc->do_unaligned_access = arm_cpu_do_unaligned_access;
 #if !defined(CONFIG_USER_ONLY)
 cc->tcg_ops.do_transaction_failed = arm_cpu_do_transaction_failed;
+cc->tcg_ops.do_unaligned_access = arm_cpu_do_unaligned_access;
 cc->adjust_watchpoint_address = arm_adjust_watchpoint_address;
 cc->tcg_ops.do_interrupt = arm_cpu_do_interrupt;
 #endif /* CONFIG_TCG && !CONFIG_USER_ONLY */
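Review bot: the #endif comment closing this block reads CONFIG_TCG && !CONFIG_USER_ONLY, but the #if it closes (the line above the do_transaction_failed assignment) tests only !defined(CONFIG_USER_ONLY). Since the do_unaligned_access assignment is being moved into that block, this is a good moment to make the closing comment match the real condition, or to note that the CONFIG_TCG half comes from an enclosing #ifdef outside the shown context.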
diff --git a/target/hppa/cpu.c b/target/hppa/cpu.c
index cce6ae6213..0985b3661f 100644
--- a/target/hppa/cpu.c
+++ b/target/hppa/cpu.c
@@ -70,6 +70,7 @@ static void hppa_cpu_disas_set_info(CPUState *cs, 
disassemble_info *info)
 info->print_insn = print_insn_hppa;
 }
 
+#ifndef CONFIG_USER_ONLY
 static void hppa_cpu_do_unaligned_access(CPUState *cs,

[PATCH v12 18/23] cpu: Move tlb_fill to tcg_ops

2020-12-12 Thread Claudio Fontana
From: Eduardo Habkost 

Signed-off-by: Eduardo Habkost 
[claudio: wrapped in CONFIG_TCG]
Signed-off-by: Claudio Fontana 
Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Alex Bennée 
Reviewed-by: Richard Henderson 
---
 include/hw/core/cpu.h |  9 -
 accel/tcg/cputlb.c|  7 ---
 accel/tcg/user-exec.c |  6 +++---
 target/alpha/cpu.c|  2 +-
 target/arm/cpu.c  |  2 +-
 target/avr/cpu.c  |  2 +-
 target/cris/cpu.c |  2 +-
 target/hppa/cpu.c |  2 +-
 target/i386/tcg/tcg-cpu.c |  2 +-
 target/lm32/cpu.c |  2 +-
 target/m68k/cpu.c |  2 +-
 target/microblaze/cpu.c   |  2 +-
 target/mips/cpu.c |  2 +-
 target/moxie/cpu.c|  2 +-
 target/nios2/cpu.c|  2 +-
 target/openrisc/cpu.c |  2 +-
 target/riscv/cpu.c|  2 +-
 target/rx/cpu.c   |  2 +-
 target/s390x/cpu.c|  2 +-
 target/sh4/cpu.c  |  2 +-
 target/sparc/cpu.c|  2 +-
 target/tilegx/cpu.c   |  2 +-
 target/tricore/cpu.c  |  2 +-
 target/unicore32/cpu.c|  2 +-
 target/xtensa/cpu.c   |  2 +-
 include/hw/core/tcg-cpu-ops.h.inc | 12 
 target/ppc/translate_init.c.inc   |  2 +-
 27 files changed, 42 insertions(+), 38 deletions(-)

diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
index fcc86662c0..2f33b6b8f0 100644
--- a/include/hw/core/cpu.h
+++ b/include/hw/core/cpu.h
@@ -110,12 +110,6 @@ struct TranslationBlock;
  *   If the target behaviour here is anything other than "set
  *   the PC register to the value passed in" then the target must
  *   also implement the synchronize_from_tb hook.
- * @tlb_fill: Callback for handling a softmmu tlb miss or user-only
- *   address fault.  For system mode, if the access is valid, call
- *   tlb_set_page and return true; if the access is invalid, and
- *   probe is true, return false; otherwise raise an exception and
- *   do not return.  For user-only mode, always raise an exception
- *   and do not return.
  * @get_phys_page_debug: Callback for obtaining a physical address.
  * @get_phys_page_attrs_debug: Callback for obtaining a physical address and 
the
  *   associated memory transaction attributes to use for the access.
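Review bot: the @tlb_fill documentation removed here spells out the probe/return contract (call tlb_set_page and return true, return false when probe is set and the access is invalid, otherwise raise and do not return) that the cputlb.c callers in the later hunks depend on. The diffstat shows 12 lines added to tcg-cpu-ops.h.inc, so presumably the text moves there, but that file is not in the visible context; please confirm the contract is carried over verbatim rather than shortened.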
@@ -183,9 +177,6 @@ struct CPUClass {
 void (*get_memory_mapping)(CPUState *cpu, MemoryMappingList *list,
Error **errp);
 void (*set_pc)(CPUState *cpu, vaddr value);
-bool (*tlb_fill)(CPUState *cpu, vaddr address, int size,
- MMUAccessType access_type, int mmu_idx,
- bool probe, uintptr_t retaddr);
 hwaddr (*get_phys_page_debug)(CPUState *cpu, vaddr addr);
 hwaddr (*get_phys_page_attrs_debug)(CPUState *cpu, vaddr addr,
 MemTxAttrs *attrs);
diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index 42ab79c1a5..c0d99c6fd1 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -1286,7 +1286,8 @@ static void tlb_fill(CPUState *cpu, target_ulong addr, 
int size,
  * This is not a probe, so only valid return is success; failure
  * should result in exception + longjmp to the cpu loop.
  */
-ok = cc->tlb_fill(cpu, addr, size, access_type, mmu_idx, false, retaddr);
+ok = cc->tcg_ops.tlb_fill(cpu, addr, size,
+  access_type, mmu_idx, false, retaddr);
 assert(ok);
 }
 
@@ -1557,8 +1558,8 @@ static int probe_access_internal(CPUArchState *env, 
target_ulong addr,
 CPUState *cs = env_cpu(env);
 CPUClass *cc = CPU_GET_CLASS(cs);
 
-if (!cc->tlb_fill(cs, addr, fault_size, access_type,
-  mmu_idx, nonfault, retaddr)) {
+if (!cc->tcg_ops.tlb_fill(cs, addr, fault_size, access_type,
+  mmu_idx, nonfault, retaddr)) {
 /* Non-faulting page table read failed.  */
 *phost = NULL;
 return TLB_INVALID_MASK;
diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
index 4ebe25461a..7f53992251 100644
--- a/accel/tcg/user-exec.c
+++ b/accel/tcg/user-exec.c
@@ -186,7 +186,7 @@ static inline int handle_cpu_signal(uintptr_t pc, siginfo_t 
*info,
 clear_helper_retaddr();
 
 cc = CPU_GET_CLASS(cpu);
-cc->tlb_fill(cpu, address, 0, access_type, MMU_USER_IDX, false, pc);
+cc->tcg_ops.tlb_fill(cpu, address, 0, access_type, MMU_USER_IDX, false, 
pc);
 g_assert_not_reached();
 }
 
@@ -216,8 +216,8 @@ static int probe_access_internal(CPUArchState *env, 
target_ulong addr,
 } else {
 CPUState *cpu = env_cpu(env);
 CPUClass *cc = CPU_GET_CLASS(cpu);
-cc->tlb_fill(cpu, addr, fault_size, access_type,
- MMU

[PATCH v12 04/23] i386: hvf: remove stale MAINTAINERS entry for old hvf stubs

2020-12-12 Thread Claudio Fontana
Signed-off-by: Claudio Fontana 
Reviewed-by: Roman Bolshakov 
Reviewed-by: Alex Bennée 
---
 MAINTAINERS | 1 -
 1 file changed, 1 deletion(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index d643f59e37..da29938c0b 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -444,7 +444,6 @@ M: Cameron Esfahani 
 M: Roman Bolshakov 
 W: https://wiki.qemu.org/Features/HVF
 S: Maintained
-F: accel/stubs/hvf-stub.c
 F: target/i386/hvf/
 F: include/sysemu/hvf.h
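Review bot: the commit message calls the entry stale but does not name the commit that removed accel/stubs/hvf-stub.c, nor state that the file is gone from the tree; a reference would let the deletion be verified without a checkout.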
 
-- 
2.26.2




[PATCH v12 20/23] target/arm: do not use cc->do_interrupt for KVM directly

2020-12-12 Thread Claudio Fontana
cc->do_interrupt is in theory a TCG callback used in accel/tcg only,
to prepare the emulated architecture to take an interrupt as defined
in the hardware specifications,

but in reality the _do_interrupt style of functions in targets are
also occasionally reused by KVM to prepare the architecture state in a
similar way where userspace code has identified that it needs to
deliver an exception to the guest.

In the case of ARM, that includes:

1) the vcpu thread got a SIGBUS indicating a memory error,
   and we need to deliver a Synchronous External Abort to the guest to
   let it know about the error.
2) the kernel told us about a debug exception (breakpoint, watchpoint)
   but it is not for one of QEMU's own gdbstub breakpoints/watchpoints
   so it must be a breakpoint the guest itself has set up, therefore
   we need to deliver it to the guest.

So in order to reuse code, the same arm_do_interrupt function is used.
This is all fine, but we need to avoid calling it using the callback
registered in CPUClass, since that one is now TCG-only.

Fortunately this is easily solved by replacing calls to
CPUClass::do_interrupt() with explicit calls to arm_do_interrupt().

Signed-off-by: Claudio Fontana 
Cc: Peter Maydell 
Reviewed-by: Alex Bennée 
Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
---
 target/arm/helper.c | 4 
 target/arm/kvm64.c  | 6 ++
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 7b8bcd6903..fcef942eb8 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -9895,6 +9895,10 @@ static void handle_semihosting(CPUState *cs)
  * Do any appropriate logging, handle PSCI calls, and then hand off
  * to the AArch64-entry or AArch32-entry function depending on the
  * target exception level's register width.
+ *
+ * Note: this is used for both TCG (as the do_interrupt tcg op),
+ *   and KVM to re-inject guest debug exceptions, and to
+ *   inject a Synchronous-External-Abort.
  */
 void arm_cpu_do_interrupt(CPUState *cs)
 {
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index f74bac2457..3728b3a336 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -944,7 +944,6 @@ static void kvm_inject_arm_sea(CPUState *c)
 {
 ARMCPU *cpu = ARM_CPU(c);
 CPUARMState *env = &cpu->env;
-CPUClass *cc = CPU_GET_CLASS(c);
 uint32_t esr;
 bool same_el;
 
@@ -960,7 +959,7 @@ static void kvm_inject_arm_sea(CPUState *c)
 
 env->exception.syndrome = esr;
 
-cc->do_interrupt(c);
+arm_cpu_do_interrupt(c);
 }
 
 #define AARCH64_CORE_REG(x)   (KVM_REG_ARM64 | KVM_REG_SIZE_U64 | \
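Review bot: the two KVM call sites now invoke arm_cpu_do_interrupt() under different locking: kvm_arm_handle_debug (the later hunk) wraps the call in qemu_mutex_lock_iothread()/qemu_mutex_unlock_iothread(), while this call in kvm_inject_arm_sea does not. Now that the function is called directly rather than through the class callback, the new comment added in helper.c is the natural place to state which lock it expects to be held, so the asymmetry is either documented as intentional or fixed.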
@@ -1491,7 +1490,6 @@ bool kvm_arm_handle_debug(CPUState *cs, struct 
kvm_debug_exit_arch *debug_exit)
 {
 int hsr_ec = syn_get_ec(debug_exit->hsr);
 ARMCPU *cpu = ARM_CPU(cs);
-CPUClass *cc = CPU_GET_CLASS(cs);
 CPUARMState *env = &cpu->env;
 
 /* Ensure PC is synchronised */
@@ -1545,7 +1543,7 @@ bool kvm_arm_handle_debug(CPUState *cs, struct 
kvm_debug_exit_arch *debug_exit)
 env->exception.vaddress = debug_exit->far;
 env->exception.target_el = 1;
 qemu_mutex_lock_iothread();
-cc->do_interrupt(cs);
+arm_cpu_do_interrupt(cs);
 qemu_mutex_unlock_iothread();
 
 return false;
-- 
2.26.2




[PATCH v12 00/23] i386 cleanup PART 1

2020-12-12 Thread Claudio Fontana
Hello, this is version 12 of the cleanup (PART 1)

The series has been split into two separate parts,
and this is PART 1.

v11 -> v12:

* "cpu: Move synchronize_from_tb() to tcg_ops":
  removed review tags, as there is currently a bunch of conflicting
  requirements (Eduardo, Richard, Philippe).

  in this iteration, tcg-cpu-ops.h is renamed to tcg-cpu-ops.h.inc,
  and it is not expected to be included standalone as a header file,
  instead it is just a split of cpu.h for the TCG-specific ops.

* "i386: move whpx accel files into whpx/" rebased on master
  (trivial change) -> added whpx/apic.c

* "i386: move kvm accel files into kvm/" rebased on master
  (trivial change) -> added some code and a default kvm parameter
  to kvm/kvm-cpu.c

* "i386: move TCG accel files into tcg/":
  (trivial change) -> moved cc_helper_template.h to tcg/ as well.

* "i386: move TCG cpu class initialization to tcg/":

  comment better the additional moves of TCG specific defines
  from cpu.h to helper-tcg.h.

  cpu.h: do not touch CC_SRC and friends,
  move FT0 and friends to tcg/fpu_helper.c.

  create a new patch
  "i386: tcg: remove inline from cpu_load_eflags".
  (Richard)

* "cpu: Move tlb_fill to tcg_ops":
  (trivial change) -> break line longer than 80 char

* "cpu: move cc->transaction_failed to tcg_ops":
  (trivial change) -> break line longer than 80 char


v10 -> v11: split off PART 2,

no further changes to PART 2 other than the split.

v9 -> v10: minor tweaks and fixes

* in "i386: split cpu accelerators from cpu.c",

use kvm/kvm-cpu.c, hvf/hvf-cpu.c, tcg/tcg-cpu.c.
Easier to understand compared to editing multiple cpu.c files,
and matches the header files if needed (kvm-cpu.h).

* in "accel: replace struct CpusAccel with AccelOpsClass",

make it a bit more consistent, by naming the files defining
the AccelOpsClass types "...-accel-ops.c" instead of the old
naming "...-cpus.c".

* in "cpu: move cc->transaction_failed to tcg_ops",

protect with CONFIG_TCG the use of tcg_ops for hw/misc/jazz.c,

 #include "exec/memattrs.h" (Philippe, Eduardo)

* in "cpu: Move synchronize_from_tb() to tcg_ops",

 #include "hw/core/cpu.h" (Philippe, Eduardo)

do not remove the comment about struct TcgCpuOperations (Philippe)

* in "accel/tcg: split TCG-only code from cpu_exec_realizefn",

invert tcg_target_initialized set order (Alex)

* in "i386: move TCG cpu class initialization out of helper.c",

extract helper-tcg.h, tcg-cpu.c, and tcg-cpu.h directly into
tcg/, avoiding the extra move later to tcg/ (Alex)



v8 -> v9: move additional methods to CPUClass->tcg_ops

do_unaligned_access, transaction_failed and do_interrupt.

do_interrupt is a bit tricky, as the same code is reused
(albeit not usually directly) for KVM under certain odd conditions.

Change arm, as the only user of do_interrupt callback for KVM,
to instead call the target function directly arm_do_interrupt.

v7 -> v8: add missing CONFIG_TCGs, fix bugs

* add the prerequisite patches for "3 tcg" at the beginning of the
  series for convenience (already reviewed, queued by RH).

* add CONFIG_TCG to TCGCpuOperations and tcg_ops variable use

* reduce the scope of the realizefn refactoring, do not
  introduce a separate cpu_accel_realize, and instead use the
  existing cpu_exec_realizefn, there is not enough benefit
  to introduce a new function.

* fix bugs in user mode due to attempt to move the tcg_region_init()
  early, so it could be done just once in tcg_init() for both
  softmmu and user mode. Unfortunately it needs to remain deferred
  for user mode, as it needs to be done after prologue init and
  after the GUEST_BASE has been set.

v6 -> v7: integrate TCGCpuOperations, refactored cpu_exec_realizefn

* integrate TCGCpuOperations (Eduardo)

Taken some refactoring from Eduardo for Tcg-only operations on
CPUClass.

* refactored cpu_exec_realizefn

The other main change is a refactoring of cpu_exec_realizefn,
directly linked to the effort of making many cpu_exec operations
TCG-only (Eduardo series above):

cpu_exec_realizefn is actually a TCG-only thing, with the
exception of a couple things that can be done in base cpu code.

This changes all targets realizefn, so I guess I have to Cc:
the Multiverse? (Universe was already CCed for all accelerators).


v5 -> v6: remove MODULE_INIT_ACCEL_CPU


instead, use a call to accel_init_interfaces().

* The class lookups are now general and performed in accel/

  new AccelCPUClass for new archs are supported as new
  ones appear in the class hierarchy, no need for stubs.

* Split the code a bit better


v4 -> v5: centralized and simplified initializations

I put in Cc: Emilio G. Cota, specifically because in patch 8
I (re)moved for user-mode the call to tcg_regions_init().

The call happens now inside the tcg AccelClass machine_init,
(so earlier). This seems to work fine, but thought to get the
author opinion on this.

Rebased on "tcg-cpus: split into 3 tcg variants" series
(queued by Richard), to avoid some code churn:


https://

[PATCH v12 13/23] cpu: Introduce TCGCpuOperations struct

2020-12-12 Thread Claudio Fontana
From: Eduardo Habkost 

The TCG-specific CPU methods will be moved to a separate struct,
to make it easier to move accel-specific code outside generic CPU
code in the future.  Start by moving tcg_initialize().

The new CPUClass.tcg_ops field may eventually become a pointer,
but keep it an embedded struct for now, to make code conversion
easier.

Signed-off-by: Eduardo Habkost 

[claudio: make the tcg code build for CONFIG_TCG only]

Signed-off-by: Claudio Fontana 
Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Alex Bennée 
Reviewed-by: Richard Henderson 
---
 include/hw/core/cpu.h   |  9 -
 include/hw/core/tcg-cpu-ops.h   | 25 +
 cpu.c   |  6 +-
 target/alpha/cpu.c  |  2 +-
 target/arm/cpu.c|  2 +-
 target/avr/cpu.c|  2 +-
 target/cris/cpu.c   | 12 ++--
 target/hppa/cpu.c   |  2 +-
 target/i386/tcg/tcg-cpu.c   |  2 +-
 target/lm32/cpu.c   |  2 +-
 target/m68k/cpu.c   |  2 +-
 target/microblaze/cpu.c |  2 +-
 target/mips/cpu.c   |  2 +-
 target/moxie/cpu.c  |  2 +-
 target/nios2/cpu.c  |  2 +-
 target/openrisc/cpu.c   |  2 +-
 target/riscv/cpu.c  |  2 +-
 target/rx/cpu.c |  2 +-
 target/s390x/cpu.c  |  2 +-
 target/sh4/cpu.c|  2 +-
 target/sparc/cpu.c  |  2 +-
 target/tilegx/cpu.c |  2 +-
 target/tricore/cpu.c|  2 +-
 target/unicore32/cpu.c  |  2 +-
 target/xtensa/cpu.c |  2 +-
 MAINTAINERS |  1 +
 target/ppc/translate_init.c.inc |  2 +-
 27 files changed, 67 insertions(+), 30 deletions(-)
 create mode 100644 include/hw/core/tcg-cpu-ops.h

diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
index 3d92c967ff..c93b08a0fb 100644
--- a/include/hw/core/cpu.h
+++ b/include/hw/core/cpu.h
@@ -76,6 +76,10 @@ typedef struct CPUWatchpoint CPUWatchpoint;
 
 struct TranslationBlock;
 
+#ifdef CONFIG_TCG
+#include "tcg-cpu-ops.h"
+#endif /* CONFIG_TCG */
+
 /**
  * CPUClass:
  * @class_by_name: Callback to map -cpu command line model name to an
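Review bot: the include uses the bare name "tcg-cpu-ops.h", relying on the including file's own directory, whereas the rest of the tree (and the cover letter's own '#include "hw/core/cpu.h" (Philippe, Eduardo)' item) uses paths rooted at include/; "hw/core/tcg-cpu-ops.h" would be consistent with that and unambiguous if another tcg-cpu-ops.h ever appears.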
@@ -221,12 +225,15 @@ struct CPUClass {
 
 void (*disas_set_info)(CPUState *cpu, disassemble_info *info);
 vaddr (*adjust_watchpoint_address)(CPUState *cpu, vaddr addr, int len);
-void (*tcg_initialize)(void);
 
 const char *deprecation_note;
 /* Keep non-pointer data at the end to minimize holes.  */
 int gdb_num_core_regs;
 bool gdb_stop_before_watchpoint;
+
+#ifdef CONFIG_TCG
+TcgCpuOperations tcg_ops;
+#endif /* CONFIG_TCG */
 };
 
 /*
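Review bot: the new tcg_ops member is placed below the comment "Keep non-pointer data at the end to minimize holes", yet TcgCpuOperations is a struct of function pointers. Keeping the embedded struct at the very end is still the right choice for layout stability, but the comment should be reworded (or moved above gdb_num_core_regs) so it no longer contradicts the field that follows it.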
diff --git a/include/hw/core/tcg-cpu-ops.h b/include/hw/core/tcg-cpu-ops.h
new file mode 100644
index 00..4475ef0996
--- /dev/null
+++ b/include/hw/core/tcg-cpu-ops.h
@@ -0,0 +1,25 @@
+/*
+ * TCG-Specific operations that are not meaningful for hardware accelerators
+ *
+ * Copyright 2020 SUSE LLC
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#ifndef TCG_CPU_OPS_H
+#define TCG_CPU_OPS_H
+
+/**
+ * struct TcgCpuOperations: TCG operations specific to a CPU class
+ */
+typedef struct TcgCpuOperations {
+/**
+ * @initialize: Initalize TCG state
+ *
+ * Called when the first CPU is realized.
+ */
+void (*initialize)(void);
+} TcgCpuOperations;
+
+#endif /* TCG_CPU_OPS_H */
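Review bot: typo in the @initialize doc comment: "Initalize" should read "Initialize". It would also help to state at the top of the header that it is only meaningful when CONFIG_TCG is set and is pulled in from cpu.h, since the include added to cpu.h in this patch is wrapped in #ifdef CONFIG_TCG.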
diff --git a/cpu.c b/cpu.c
index 0be5dcb6f3..27ad096cc4 100644
--- a/cpu.c
+++ b/cpu.c
@@ -174,14 +174,18 @@ void cpu_exec_initfn(CPUState *cpu)
 void cpu_exec_realizefn(CPUState *cpu, Error **errp)
 {
 CPUClass *cc = CPU_GET_CLASS(cpu);
+#ifdef CONFIG_TCG
 static bool tcg_target_initialized;
+#endif /* CONFIG_TCG */
 
 cpu_list_add(cpu);
 
+#ifdef CONFIG_TCG
 if (tcg_enabled() && !tcg_target_initialized) {
 tcg_target_initialized = true;
-cc->tcg_initialize();
+cc->tcg_ops.initialize();
 }
+#endif /* CONFIG_TCG */
 tlb_init(cpu);
 
 qemu_plugin_vcpu_init_hook(cpu);
diff --git a/target/alpha/cpu.c b/target/alpha/cpu.c
index b3fd6643e8..d66f0351a9 100644
--- a/target/alpha/cpu.c
+++ b/target/alpha/cpu.c
@@ -231,7 +231,7 @@ static void alpha_cpu_class_init(ObjectClass *oc, void 
*data)
 dc->vmsd = &vmstate_alpha_cpu;
 #endif
 cc->disas_set_info = alpha_cpu_disas_set_info;
-cc->tcg_initialize = alpha_translate_init;
+cc->tcg_ops.initialize = alpha_translate_init;
 
 cc->gdb_num_core_regs = 67;
 }
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index d6188f6566..61237d9885 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -2264,7 +2264,7 @@ static void arm_cpu_class_init(ObjectClass *oc, void 
*data)
 cc->gdb_stop_before_watchpoint = true;
 cc->disas_set_info = arm_disas_set_info;
 #ifdef CONFIG_TCG
-cc->tcg_initialize = arm_translate_init;
+cc->tcg_ops.initialize = arm_trans

[PATCH v12 14/23] target/riscv: remove CONFIG_TCG, as it is always TCG

2020-12-12 Thread Claudio Fontana
for now only TCG is allowed as an accelerator for riscv,
so remove the CONFIG_TCG use.

Signed-off-by: Claudio Fontana 
Reviewed-by: Alistair Francis 
---
 target/riscv/cpu.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index a52e0ce466..27dd1645c9 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -561,10 +561,9 @@ static void riscv_cpu_class_init(ObjectClass *c, void 
*data)
 /* For now, mark unmigratable: */
 cc->vmsd = &vmstate_riscv_cpu;
 #endif
-#ifdef CONFIG_TCG
 cc->tcg_ops.initialize = riscv_translate_init;
 cc->tlb_fill = riscv_cpu_tlb_fill;
-#endif
+
 device_class_set_props(dc, riscv_cpu_properties);
 }
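Review bot: dropping the guard ties riscv_cpu_class_init to CONFIG_TCG being set, because cc->tcg_ops only exists inside #ifdef CONFIG_TCG in CPUClass (patch 13 of this series); the commit message's "for now" acknowledges that this may change. A one-line comment at the assignment, or simply keeping the two-line guard, would spare the next accelerator author a build break rather than a warning.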
 
-- 
2.26.2




Re: [PATCH 0/2] target/m68k: add vmstate structure to migrate M68kCPU

2020-12-12 Thread Laurent Vivier
Le 22/10/2020 à 22:29, Laurent Vivier a écrit :
> First patch is a cleanup patch.
> 
> The second patch defines the vmstate structure for M68kCPU.
> 
> I have tested the migration with my experimental machine virt-m68k.
> 
> I didn't check if q800 machine type has all the needed vmstates
> for all the hardware devices it uses.
> 
> Thanks,
> Laurent
> 
> Laurent Vivier (2):
>   target/m68k: remove useless qregs array
>   target/m68k: Add vmstate definition for M68kCPU
> 
>  target/m68k/cpu.h|   5 +-
>  target/m68k/cpu.c| 193 ++-
>  target/m68k/fpu_helper.c |  10 +-
>  3 files changed, 198 insertions(+), 10 deletions(-)
> 

Applied to my m68k-for-6.0 branch

Thanks,
Laurent



[PATCH v12 12/23] cpu: Remove unnecessary noop methods

2020-12-12 Thread Claudio Fontana
From: Eduardo Habkost 

In the previous commits we made cpu_exec_* and debug_excp_handler
optional, so we can now remove these no-op handlers.

Signed-off-by: Eduardo Habkost 
Signed-off-by: Claudio Fontana 
Reviewed-by: Alex Bennée 
Reviewed-by: Philippe Mathieu-Daudé 
---
 hw/core/cpu.c | 13 -
 1 file changed, 13 deletions(-)

diff --git a/hw/core/cpu.c b/hw/core/cpu.c
index 576fa1d7ba..994a12cb35 100644
--- a/hw/core/cpu.c
+++ b/hw/core/cpu.c
@@ -199,15 +199,6 @@ static bool cpu_common_virtio_is_big_endian(CPUState *cpu)
 return target_words_bigendian();
 }
 
-static void cpu_common_noop(CPUState *cpu)
-{
-}
-
-static bool cpu_common_exec_interrupt(CPUState *cpu, int int_req)
-{
-return false;
-}
-
 #if !defined(CONFIG_USER_ONLY)
 GuestPanicInformation *cpu_get_crash_info(CPUState *cpu)
 {
@@ -410,11 +401,7 @@ static void cpu_class_init(ObjectClass *klass, void *data)
 k->gdb_read_register = cpu_common_gdb_read_register;
 k->gdb_write_register = cpu_common_gdb_write_register;
 k->virtio_is_big_endian = cpu_common_virtio_is_big_endian;
-k->debug_excp_handler = cpu_common_noop;
 k->debug_check_watchpoint = cpu_common_debug_check_watchpoint;
-k->cpu_exec_enter = cpu_common_noop;
-k->cpu_exec_exit = cpu_common_noop;
-k->cpu_exec_interrupt = cpu_common_exec_interrupt;
 k->adjust_watchpoint_address = cpu_adjust_watchpoint_address;
 set_bit(DEVICE_CATEGORY_CPU, dc->categories);
 dc->realize = cpu_common_realizefn;
-- 
2.26.2




[PULL 0/5] M68k for 6.0 patches

2020-12-12 Thread Laurent Vivier
The following changes since commit ad717e6da3852b5729217d7938eecdb81c546114:

  Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2020-12-12 00:20:46 +)

are available in the Git repository at:

  git://github.com/vivier/qemu-m68k.git tags/m68k-for-6.0-pull-request

for you to fetch changes up to ce00ff729ee8461dc94a1593d25ceda65d973d3c:

  m68k: fix some comment spelling errors (2020-12-12 18:12:43 +0100)


m68k pull request 20201212

Fix for Coverity CID 1421883
Fix some comment spelling errors
Add m68k vmstate



Laurent Vivier (2):
  target/m68k: remove useless qregs array
  target/m68k: Add vmstate definition for M68kCPU

Peter Maydell (2):
  hw/m68k/q800: Don't connect two qemu_irqs directly to the same input
  hw/m68k/q800.c: Make the GLUE chip an actual QOM device

zhaolichang (1):
  m68k: fix some comment spelling errors

 target/m68k/cpu.h|   5 +-
 hw/m68k/q800.c   |  92 ---
 target/m68k/cpu.c| 193 ++-
 target/m68k/fpu_helper.c |  10 +-
 target/m68k/translate.c  |  16 ++--
 hw/m68k/Kconfig  |   1 +
 6 files changed, 286 insertions(+), 31 deletions(-)

-- 
2.29.2




[PATCH v12 16/23] cpu: Move synchronize_from_tb() to tcg_ops

2020-12-12 Thread Claudio Fontana
From: Eduardo Habkost 

since tcg-cpu-ops.h is only included in cpu.h,
and as a standalone header it is not really useful,
as tcg-cpu-ops.h starts requiring cpu.h defines,
enums, etc, as well as (later on in the series),
additional definitions coming from memattr.h.

Therefore rename it to tcg-cpu-ops.h.inc, to warn
any potential user that this file is not a standalone
header, but rather a partition of cpu.h that is
included conditionally if CONFIG_TCG is true.

Signed-off-by: Eduardo Habkost 

[claudio: wrapped in CONFIG_TCG, renamed .h to .inc]
Signed-off-by: Claudio Fontana 
---
 include/hw/core/cpu.h| 10 +-
 accel/tcg/cpu-exec.c |  4 ++--
 target/arm/cpu.c |  4 +++-
 target/avr/cpu.c |  2 +-
 target/hppa/cpu.c|  2 +-
 target/i386/tcg/tcg-cpu.c|  2 +-
 target/microblaze/cpu.c  |  2 +-
 target/mips/cpu.c|  4 +++-
 target/riscv/cpu.c   |  2 +-
 target/rx/cpu.c  |  2 +-
 target/sh4/cpu.c |  2 +-
 target/sparc/cpu.c   |  2 +-
 target/tricore/cpu.c |  2 +-
 include/hw/core/{tcg-cpu-ops.h => tcg-cpu-ops.h.inc} | 10 ++
 14 files changed, 28 insertions(+), 22 deletions(-)
 rename include/hw/core/{tcg-cpu-ops.h => tcg-cpu-ops.h.inc} (55%)

diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
index ea648d52ad..1c0f523b5b 100644
--- a/include/hw/core/cpu.h
+++ b/include/hw/core/cpu.h
@@ -77,7 +77,7 @@ typedef struct CPUWatchpoint CPUWatchpoint;
 struct TranslationBlock;
 
 #ifdef CONFIG_TCG
-#include "tcg-cpu-ops.h"
+#include "tcg-cpu-ops.h.inc"
 #endif /* CONFIG_TCG */
 
 /**
@@ -110,13 +110,6 @@ struct TranslationBlock;
  *   If the target behaviour here is anything other than "set
  *   the PC register to the value passed in" then the target must
  *   also implement the synchronize_from_tb hook.
- * @synchronize_from_tb: Callback for synchronizing state from a TCG
- *   #TranslationBlock. This is called when we abandon execution
- *   of a TB before starting it, and must set all parts of the CPU
- *   state which the previous TB in the chain may not have updated.
- *   This always includes at least the program counter; some targets
- *   will need to do more. If this hook is not implemented then the
- *   default is to call @set_pc(tb->pc).
  * @tlb_fill: Callback for handling a softmmu tlb miss or user-only
  *   address fault.  For system mode, if the access is valid, call
  *   tlb_set_page and return true; if the access is invalid, and
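Review bot: the @synchronize_from_tb documentation removed here has to reappear next to the field in tcg-cpu-ops.h.inc; the diffstat credits that file with only 10 added lines and its hunk is cut off on this page, so please confirm the comment block moved with the field rather than being dropped. The @set_pc text kept just above still says "the target must also implement the synchronize_from_tb hook", which remains true after the move, so nothing to change there.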
@@ -193,7 +186,6 @@ struct CPUClass {
 void (*get_memory_mapping)(CPUState *cpu, MemoryMappingList *list,
Error **errp);
 void (*set_pc)(CPUState *cpu, vaddr value);
-void (*synchronize_from_tb)(CPUState *cpu, struct TranslationBlock *tb);
 bool (*tlb_fill)(CPUState *cpu, vaddr address, int size,
  MMUAccessType access_type, int mmu_idx,
  bool probe, uintptr_t retaddr);
diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index 50eb92d217..05dba7f2cc 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -192,8 +192,8 @@ static inline tcg_target_ulong cpu_tb_exec(CPUState *cpu, 
TranslationBlock *itb)
TARGET_FMT_lx "] %s\n",
last_tb->tc.ptr, last_tb->pc,
lookup_symbol(last_tb->pc));
-if (cc->synchronize_from_tb) {
-cc->synchronize_from_tb(cpu, last_tb);
+if (cc->tcg_ops.synchronize_from_tb) {
+cc->tcg_ops.synchronize_from_tb(cpu, last_tb);
 } else {
 assert(cc->set_pc);
 cc->set_pc(cpu, last_tb->pc);
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index 61237d9885..3c1a44a5b3 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -54,6 +54,7 @@ static void arm_cpu_set_pc(CPUState *cs, vaddr value)
 }
 }
 
+#ifdef CONFIG_TCG
 static void arm_cpu_synchronize_from_tb(CPUState *cs, TranslationBlock *tb)
 {
 ARMCPU *cpu = ARM_CPU(cs);
@@ -69,6 +70,7 @@ static void arm_cpu_synchronize_from_tb(CPUState *cs, 
TranslationBlock *tb)
 env->regs[15] = tb->pc;
 }
 }
+#endif /* CONFIG_TCG */
 
 static bool arm_cpu_has_work(CPUState *cs)
 {
@@ -2245,7 +2247,6 @@ static void arm_cpu_class_init(ObjectClass *oc, void 
*data)
 cc->cpu_exec_interrupt = arm_cpu_exec_interrupt;
 cc->dump_state = arm_cpu_dump_state;
 cc->set_pc = arm_cpu_set_pc;
-cc->synchronize_from_tb = arm_cpu_synchronize_from_tb;
 cc->gdb_read_register = arm_cpu_gdb_read_register;
 cc->gdb_write_register = arm_cpu_gdb_write_regi
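Review bot: arm_cpu_synchronize_from_tb is now defined only under CONFIG_TCG (previous hunk), so the replacement for the removed `cc->synchronize_from_tb = arm_cpu_synchronize_from_tb;` must sit inside a CONFIG_TCG block in arm_cpu_class_init, otherwise a KVM-only build fails on an undeclared function; this hunk is truncated before the new assignment, so please point out where it lands.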

[PATCH v12 02/23] i386: move whpx accel files into whpx/

2020-12-12 Thread Claudio Fontana
Signed-off-by: Claudio Fontana 
Reviewed-by: Alex Bennée 
Reviewed-by: Richard Henderson 
---
 target/i386/{ => whpx}/whp-dispatch.h | 0
 target/i386/{ => whpx}/whpx-cpus.h| 0
 target/i386/{ => whpx}/whpx-all.c | 0
 target/i386/{ => whpx}/whpx-apic.c| 0
 target/i386/{ => whpx}/whpx-cpus.c| 0
 MAINTAINERS   | 6 +-
 target/i386/meson.build   | 6 +-
 target/i386/whpx/meson.build  | 5 +
 8 files changed, 7 insertions(+), 10 deletions(-)
 rename target/i386/{ => whpx}/whp-dispatch.h (100%)
 rename target/i386/{ => whpx}/whpx-cpus.h (100%)
 rename target/i386/{ => whpx}/whpx-all.c (100%)
 rename target/i386/{ => whpx}/whpx-apic.c (100%)
 rename target/i386/{ => whpx}/whpx-cpus.c (100%)
 create mode 100644 target/i386/whpx/meson.build

diff --git a/target/i386/whp-dispatch.h b/target/i386/whpx/whp-dispatch.h
similarity index 100%
rename from target/i386/whp-dispatch.h
rename to target/i386/whpx/whp-dispatch.h
diff --git a/target/i386/whpx-cpus.h b/target/i386/whpx/whpx-cpus.h
similarity index 100%
rename from target/i386/whpx-cpus.h
rename to target/i386/whpx/whpx-cpus.h
diff --git a/target/i386/whpx-all.c b/target/i386/whpx/whpx-all.c
similarity index 100%
rename from target/i386/whpx-all.c
rename to target/i386/whpx/whpx-all.c
diff --git a/target/i386/whpx-apic.c b/target/i386/whpx/whpx-apic.c
similarity index 100%
rename from target/i386/whpx-apic.c
rename to target/i386/whpx/whpx-apic.c
diff --git a/target/i386/whpx-cpus.c b/target/i386/whpx/whpx-cpus.c
similarity index 100%
rename from target/i386/whpx-cpus.c
rename to target/i386/whpx/whpx-cpus.c
diff --git a/MAINTAINERS b/MAINTAINERS
index cd98510884..0e8dfd7ea6 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -451,11 +451,7 @@ F: include/sysemu/hvf.h
 WHPX CPUs
 M: Sunil Muthuswamy 
 S: Supported
-F: target/i386/whpx-all.c
-F: target/i386/whpx-apic.c
-F: target/i386/whpx-cpus.c
-F: target/i386/whp-dispatch.h
-F: accel/stubs/whpx-stub.c
+F: target/i386/whpx/
 F: include/sysemu/whpx.h
 
 Guest CPU Cores (Xen)
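Review bot: `F: accel/stubs/whpx-stub.c` is dropped from the WHPX CPUs section, but this patch only moves files into target/i386/whpx/ and does not touch accel/stubs/, so the stub silently loses its maintainer entry; the new `F: target/i386/whpx/` glob does not cover it. Keep that line (or move the stub as well and say so in the commit message).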
diff --git a/target/i386/meson.build b/target/i386/meson.build
index 5363757131..62cd042915 100644
--- a/target/i386/meson.build
+++ b/target/i386/meson.build
@@ -27,11 +27,6 @@ i386_softmmu_ss.add(files(
   'machine.c',
   'monitor.c',
 ))
-i386_softmmu_ss.add(when: 'CONFIG_WHPX', if_true: files(
-  'whpx-all.c',
-  'whpx-cpus.c',
-  'whpx-apic.c',
-))
 i386_softmmu_ss.add(when: 'CONFIG_HAX', if_true: files(
   'hax-all.c',
   'hax-mem.c',
@@ -41,6 +36,7 @@ i386_softmmu_ss.add(when: ['CONFIG_HAX', 'CONFIG_POSIX'], 
if_true: files('hax-po
 i386_softmmu_ss.add(when: ['CONFIG_HAX', 'CONFIG_WIN32'], if_true: 
files('hax-windows.c'))
 
 subdir('kvm')
+subdir('whpx')
 subdir('hvf')
 
 target_arch += {'i386': i386_ss}
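Review bot: `subdir('whpx')` is added unconditionally while the removed block was guarded by `when: 'CONFIG_WHPX'`; that only works because the new target/i386/whpx/meson.build repeats the CONFIG_WHPX condition. The patch has no commit message body; one line saying this is a pure move with no change to build logic would help reviewers confirm that.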
diff --git a/target/i386/whpx/meson.build b/target/i386/whpx/meson.build
new file mode 100644
index 00..d8aa683999
--- /dev/null
+++ b/target/i386/whpx/meson.build
@@ -0,0 +1,5 @@
+i386_softmmu_ss.add(when: 'CONFIG_WHPX', if_true: files(
+  'whpx-all.c',
+  'whpx-apic.c',
+  'whpx-cpus.c',
+))
-- 
2.26.2




Re: [PATCH 0/8] hw/ppc: Convert UIC device to QOM

2020-12-12 Thread BALATON Zoltan via

On Sat, 12 Dec 2020, Peter Maydell wrote:
> This patchseries converts the PPC UIC "Universal Interrupt
> Controller" to a QOM device.  My main reason for doing it is that

Thanks for doing this clean up.

> this fixes a couple of long-standing trivial Coverity issues -- the
> current ppcuic_init() function allocates an array of qemu_irqs which
> the callers then leak.  (The leak is trivial because it happens once
> when QEMU starts.)
>
> The patchseries converts the UIC to a QOM device but initially leaves
> the old ppcuic_init() creation function with its old API intact.  It
> then goes through converting the various boards that were using
> ppcuic_init() to instead directly create the UIC using the usual qdev
> APIs, so that it can delete the ppcuic_init() function entirely.
>
> The patchset includes one patch which deletes 350 lines of dead code
> -- the ppc405cr_init() function seems to have never been used since
> it was added in 2007, so rather than converting this user of
> ppcuic_init() it seemed more sensible to delete it.
>
> I have tested with 'make check' and 'make check-acceptance' but I
> don't think the latter really exercises the affected boards, which
> are:
>
> bamboo
> ref405ep
> sam460ex
> taihu
> virtex-ml507

Thanks to Thomas, commit 99b336cdd90 added a check for sam460ex but that
only checks that the firmware runs.

> I found instructions on how to boot an AROS image on sam460ex, so I
> have tested that: it works as well after this series as it did before
> (gets to "Libs/workbench.library" and stops); it does seem to

That seems to be a problem with AROS that nobody noticed yet. I've
reported it to them but there seems to be nobody maintaining the PPC
version, AROS is mostly focused on m68k, ARM and x86. On PPC AmigaOS and
MorphOS seem to be more popular. I have an AROS test image I built back
in 2018 that still works, I'll send it off-list.

> successfully do things like scanning the USB bus and responding to
> keyboard input at the boot menu, which suggests that IRQs must be
> working.

Interestingly the firmware does not use irqs at all, it just polls for
them it seems. AROS and AmigaOS do seem to break though. With AROS I get
this exception after your series but it's not very helpful:


[KRN] Exception 0 handler. Context @ ff7ffb28, SysBase @ 00a60410, KernelBase @ 
01000154
[KRN] SRR0=ff9e3d78, SRR1=0002f000 DEAR= ESR=
[KRN] CTR=ff9e48dc LR=ff9e2db4 XER=2000 CCR=4848
[KRN] DAR= DSISR=
[KRN] GPR00=0006 GPR01=01075d10 GPR02=00a60410 GPR03=
[KRN] GPR04=0001 GPR05=0001 GPR06=010538b4 GPR07=ff9e48dc
[KRN] GPR08=0100 GPR09=0054 GPR10=ef00 GPR11=0001
[KRN] GPR12=4844 GPR13= GPR14= GPR15=
[KRN] GPR16= GPR17= GPR18= GPR19=
[KRN] GPR20= GPR21= GPR22= GPR23=0106bde0
[KRN] GPR24=00031000 GPR25=010596e0 GPR26=01058980 GPR27=ff7f
[KRN] GPR28=010596b8 GPR29=0105a0a8 GPR30=01053770 GPR31=01076564
[KRN] Instruction dump:
[KRN] ff9e3d78: 80010064 82e1003c 83010040 7c0803a6
[KRN] ff9e3d88: 83210044 83410048 8361004c 83810050
[KRN] Stackdump:
[KRN] 01075d10: 01075d70 010596e0 09021900 010103c0
[KRN] 01075d20: 00090400 00010900 00040705 81030800
[KRN] 01075d30: 01075d50 ff7f  0105a0d8
[KRN] 01075d40: 01075d60 ff9ea1cc 00ff 0106bde0
[KRN] 01075d50: 00031000 010596e0 01058980 ff7f
[KRN] 01075d60: 010596b8 0105a0a8 01053770 0105a0d8
[KRN] 01075d70: 01075d80 ff9e2db4 01059448 ff7f7858
[KRN] 01075d80: 01075e30 ff9e9418 80004722 01075dfc
[KRN] 01075d90: 80004721 01075df8 80004725 01075df4
[KRN] 01075da0: 80004723 01075dec 80004724 01075de8
[KRN] 01075db0: 80004726 01075df0 80004731 01075de4
[KRN] 01075dc0: 80004732 01075de0  
[KRN] 01075dd0:    
[KRN] 01075de0: 0001 0220 0003 0001
[KRN] 01075df0: ff9e8568 ff9e8530 ff9e8520 01076738
[KRN] 01075e00:    
[KRN] Backtrace:  Devs/USBHardware/pciusb.device cmdControlXFerRootHub+0xd8
[KRN] LR=ff9e2db4 Devs/USBHardware/pciusb.device pciusb_5_devBeginIO+0x148
[KRN]ff9e2db4 Devs/USBHardware/pciusb.device pciusb_5_devBeginIO+0x148
[KRN]ff9e9418 Libs/poseidon.library pDeviceTask+0x5c8
[KRN]ff845edc boot/sam440/kernel Exec_2_close+0x18
SAD(-1,-1)>

AmigaOS also fails to boot but I could not get useful logs from it yet so
not sure what could be broken.

Regards,
BALATON Zoltan

> Side note: the 'irq_inputs' hacks in the PPC CPU I think would really
> benefit from conversion to being qdev gpio inputs now that CPUs are
> real devices. There are also a lot of non-QOM devices in this
> ppc4xx code if anybody is interested in working on more QOM
> conversions for these boards.
>
> thanks
> -- PMM
>
> Peter Maydell (8):
>  hw/ppc/ppc4xx_devs: Make code style fixes to UIC code
>  ppc: Convert PPC UIC to a QOM device
>  hw/ppc/virtex_ml507: Drop use of ppcuic_init()
>  hw/ppc/ppc440_bamboo: Drop use of ppcuic_init()
>  hw/ppc/sam460ex: Drop use of ppcuic_init

[PATCH v12 19/23] cpu: Move debug_excp_handler to tcg_ops

2020-12-12 Thread Claudio Fontana
From: Eduardo Habkost 

Signed-off-by: Eduardo Habkost 
Signed-off-by: Claudio Fontana 
Reviewed-by: Alex Bennée 
Reviewed-by: Richard Henderson 
---
 include/hw/core/cpu.h | 2 --
 accel/tcg/cpu-exec.c  | 4 ++--
 target/arm/cpu.c  | 2 +-
 target/i386/tcg/tcg-cpu.c | 2 +-
 target/lm32/cpu.c | 2 +-
 target/s390x/cpu.c| 2 +-
 target/xtensa/cpu.c   | 2 +-
 include/hw/core/tcg-cpu-ops.h.inc | 2 ++
 8 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
index 2f33b6b8f0..b5a0615d06 100644
--- a/include/hw/core/cpu.h
+++ b/include/hw/core/cpu.h
@@ -121,7 +121,6 @@ struct TranslationBlock;
  * @gdb_write_register: Callback for letting GDB write a register.
  * @debug_check_watchpoint: Callback: return true if the architectural
  *   watchpoint whose address has matched should really fire.
- * @debug_excp_handler: Callback for handling debug exceptions.
  * @write_elf64_note: Callback for writing a CPU-specific ELF note to a
  * 64-bit VM coredump.
  * @write_elf32_qemunote: Callback for writing a CPU- and QEMU-specific ELF
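Review bot: the @debug_excp_handler doc line removed here should follow the field into tcg-cpu-ops.h.inc; the diffstat shows only +2 lines for that file and its hunk is cut off on this page, so please check that both the field and its comment are among them. Also, `debug_check_watchpoint` stays in CPUClass while `debug_excp_handler` moves, and the patch has no commit message body; a sentence on why only one of the two debug hooks is TCG-specific would help.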
@@ -184,7 +183,6 @@ struct CPUClass {
 int (*gdb_read_register)(CPUState *cpu, GByteArray *buf, int reg);
 int (*gdb_write_register)(CPUState *cpu, uint8_t *buf, int reg);
 bool (*debug_check_watchpoint)(CPUState *cpu, CPUWatchpoint *wp);
-void (*debug_excp_handler)(CPUState *cpu);
 
 int (*write_elf64_note)(WriteCoreDumpFunction f, CPUState *cpu,
 int cpuid, void *opaque);
diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index 502f6a53ae..17dc86af50 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -482,8 +482,8 @@ static inline void cpu_handle_debug_exception(CPUState *cpu)
 }
 }
 
-if (cc->debug_excp_handler) {
-cc->debug_excp_handler(cpu);
+if (cc->tcg_ops.debug_excp_handler) {
+cc->tcg_ops.debug_excp_handler(cpu);
 }
 }
 
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index f99a523393..10eb465581 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -2268,7 +2268,7 @@ static void arm_cpu_class_init(ObjectClass *oc, void 
*data)
 cc->tcg_ops.cpu_exec_interrupt = arm_cpu_exec_interrupt;
 cc->tcg_ops.synchronize_from_tb = arm_cpu_synchronize_from_tb;
 cc->tcg_ops.tlb_fill = arm_cpu_tlb_fill;
-cc->debug_excp_handler = arm_debug_excp_handler;
+cc->tcg_ops.debug_excp_handler = arm_debug_excp_handler;
 cc->debug_check_watchpoint = arm_debug_check_watchpoint;
 cc->do_unaligned_access = arm_cpu_do_unaligned_access;
 #if !defined(CONFIG_USER_ONLY)
diff --git a/target/i386/tcg/tcg-cpu.c b/target/i386/tcg/tcg-cpu.c
index 8606dd6a3e..38ed8bf6d3 100644
--- a/target/i386/tcg/tcg-cpu.c
+++ b/target/i386/tcg/tcg-cpu.c
@@ -66,6 +66,6 @@ void tcg_cpu_common_class_init(CPUClass *cc)
 cc->tcg_ops.initialize = tcg_x86_init;
 cc->tcg_ops.tlb_fill = x86_cpu_tlb_fill;
 #ifndef CONFIG_USER_ONLY
-cc->debug_excp_handler = breakpoint_handler;
+cc->tcg_ops.debug_excp_handler = breakpoint_handler;
 #endif
 }
diff --git a/target/lm32/cpu.c b/target/lm32/cpu.c
index 76dc728858..bbe1405e32 100644
--- a/target/lm32/cpu.c
+++ b/target/lm32/cpu.c
@@ -235,7 +235,7 @@ static void lm32_cpu_class_init(ObjectClass *oc, void *data)
 #endif
 cc->gdb_num_core_regs = 32 + 7;
 cc->gdb_stop_before_watchpoint = true;
-cc->debug_excp_handler = lm32_debug_excp_handler;
+cc->tcg_ops.debug_excp_handler = lm32_debug_excp_handler;
 cc->disas_set_info = lm32_cpu_disas_set_info;
 cc->tcg_ops.initialize = lm32_translate_init;
 }
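Review bot: unlike the s390x hunk below, this `cc->tcg_ops.debug_excp_handler` assignment is not under `#ifdef CONFIG_TCG`; since tcg-cpu-ops.h.inc is only pulled into cpu.h when CONFIG_TCG is set, this relies on lm32 having no non-TCG accelerator. Acceptable as is, but the same guard (or a short comment) would keep the targets consistent.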
diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c
index 6cd2b30192..04856076b3 100644
--- a/target/s390x/cpu.c
+++ b/target/s390x/cpu.c
@@ -506,7 +506,7 @@ static void s390_cpu_class_init(ObjectClass *oc, void *data)
 cc->write_elf64_note = s390_cpu_write_elf64_note;
 #ifdef CONFIG_TCG
 cc->tcg_ops.cpu_exec_interrupt = s390_cpu_exec_interrupt;
-cc->debug_excp_handler = s390x_cpu_debug_excp_handler;
+cc->tcg_ops.debug_excp_handler = s390x_cpu_debug_excp_handler;
 cc->do_unaligned_access = s390x_cpu_do_unaligned_access;
 #endif
 #endif
diff --git a/target/xtensa/cpu.c b/target/xtensa/cpu.c
index e764dbeb73..b6f13ceb32 100644
--- a/target/xtensa/cpu.c
+++ b/target/xtensa/cpu.c
@@ -207,7 +207,7 @@ static void xtensa_cpu_class_init(ObjectClass *oc, void 
*data)
 cc->get_phys_page_debug = xtensa_cpu_get_phys_page_debug;
 cc->do_transaction_failed = xtensa_cpu_do_transaction_failed;
 #endif
-cc->debug_excp_handler = xtensa_breakpoint_handler;
+cc->tcg_ops.debug_excp_handler = xtensa_breakpoint_handler;
 cc->disas_set_info = xtensa_cpu_disas_set_info;
 cc->tcg_ops.initialize = xtensa_translate_init;
 dc->vmsd = &vmstate_xtensa_cpu;
diff --git a/include/hw/core/tcg-cpu-ops.h.inc 
b/include/hw/core/tcg-cpu-ops.h.inc
index 615d449cd8..4903998e79 100644
--- a

Slow video output from webcam with qemu-xhci but smooth with usb-ehci

2020-12-12 Thread Diego Viola
Hi,

I'm experiencing a lot of choppiness in the video output when I pass
through my USB webcam to the guest using qemu-xhci as follows:

qemu-system-x86_64 -enable-kvm -hda arch-zoom.qcow2 -m 4G -vga virtio -device qemu-xhci,id=xhci -device usb-host,bus=xhci.0,hostdevice=/dev/bus/usb/002/004

My webcam is:

Bus 002 Device 004: ID 04f2:b449 Chicony Electronics Co., Ltd Integrated Camera

I am using mpv /dev/video0 from the guest.

It works fine if I use usb-ehci instead, e.g.:

qemu-system-x86_64 -enable-kvm -hda arch-zoom.qcow2 -m 4G -vga virtio -device usb-ehci,id=ehci -device usb-host,bus=ehci.0,hostdevice=/dev/bus/usb/002/004

In this case, the video output from mpv /dev/video0 is not choppy.

My QEMU version is 5.2.0 -- I am running Arch Linux on the host and guest.

Any ideas please?

Thanks,
Diego



[PATCH v12 21/23] cpu: move cc->do_interrupt to tcg_ops

2020-12-12 Thread Claudio Fontana
Signed-off-by: Claudio Fontana 
Reviewed-by: Alex Bennée 
Reviewed-by: Richard Henderson 
---
 include/hw/core/cpu.h |  2 --
 accel/tcg/cpu-exec.c  |  4 ++--
 target/alpha/cpu.c|  2 +-
 target/arm/cpu.c  |  4 ++--
 target/arm/cpu_tcg.c  |  9 -
 target/avr/cpu.c  |  2 +-
 target/avr/helper.c   |  4 ++--
 target/cris/cpu.c | 12 ++--
 target/cris/helper.c  |  4 ++--
 target/hppa/cpu.c |  2 +-
 target/i386/tcg/tcg-cpu.c |  2 +-
 target/lm32/cpu.c |  2 +-
 target/m68k/cpu.c |  2 +-
 target/microblaze/cpu.c   |  2 +-
 target/mips/cpu.c |  4 ++--
 target/moxie/cpu.c|  2 +-
 target/nios2/cpu.c|  2 +-
 target/openrisc/cpu.c |  2 +-
 target/riscv/cpu.c|  2 +-
 target/rx/cpu.c   |  2 +-
 target/s390x/cpu.c|  2 +-
 target/sh4/cpu.c  |  2 +-
 target/sparc/cpu.c|  2 +-
 target/tilegx/cpu.c   |  2 +-
 target/unicore32/cpu.c|  2 +-
 target/xtensa/cpu.c   |  2 +-
 include/hw/core/tcg-cpu-ops.h.inc |  3 +++
 target/ppc/translate_init.c.inc   |  2 +-
 28 files changed, 42 insertions(+), 42 deletions(-)

diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
index b5a0615d06..e7eb0397e4 100644
--- a/include/hw/core/cpu.h
+++ b/include/hw/core/cpu.h
@@ -87,7 +87,6 @@ struct TranslationBlock;
  * @parse_features: Callback to parse command line arguments.
  * @reset_dump_flags: #CPUDumpFlags to use for reset logging.
  * @has_work: Callback for checking if there is work to do.
- * @do_interrupt: Callback for interrupt handling.
  * @do_unaligned_access: Callback for unaligned access handling, if
  * the target defines #TARGET_ALIGNED_ONLY.
  * @do_transaction_failed: Callback for handling failed memory transactions
@@ -157,7 +156,6 @@ struct CPUClass {
 
 int reset_dump_flags;
 bool (*has_work)(CPUState *cpu);
-void (*do_interrupt)(CPUState *cpu);
 void (*do_unaligned_access)(CPUState *cpu, vaddr addr,
 MMUAccessType access_type,
 int mmu_idx, uintptr_t retaddr);
diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index 17dc86af50..eafd600085 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -517,7 +517,7 @@ static inline bool cpu_handle_exception(CPUState *cpu, int 
*ret)
loop */
 #if defined(TARGET_I386)
 CPUClass *cc = CPU_GET_CLASS(cpu);
-cc->do_interrupt(cpu);
+cc->tcg_ops.do_interrupt(cpu);
 #endif
 *ret = cpu->exception_index;
 cpu->exception_index = -1;
@@ -526,7 +526,7 @@ static inline bool cpu_handle_exception(CPUState *cpu, int 
*ret)
 if (replay_exception()) {
 CPUClass *cc = CPU_GET_CLASS(cpu);
 qemu_mutex_lock_iothread();
-cc->do_interrupt(cpu);
+cc->tcg_ops.do_interrupt(cpu);
 qemu_mutex_unlock_iothread();
 cpu->exception_index = -1;
 
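Review bot: both call sites in this file dereference `cc->tcg_ops.do_interrupt` without a NULL check, unlike the cpu_exec_enter/cpu_exec_exit helpers earlier in this series which tolerate an unset hook. That makes do_interrupt mandatory for every TCG target that can raise an exception (the replay path in this hunk is not i386-specific); either document it as required in tcg-cpu-ops.h.inc or add the check here.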
diff --git a/target/alpha/cpu.c b/target/alpha/cpu.c
index 9f36f824fd..66f1166672 100644
--- a/target/alpha/cpu.c
+++ b/target/alpha/cpu.c
@@ -217,7 +217,7 @@ static void alpha_cpu_class_init(ObjectClass *oc, void 
*data)
 
 cc->class_by_name = alpha_cpu_class_by_name;
 cc->has_work = alpha_cpu_has_work;
-cc->do_interrupt = alpha_cpu_do_interrupt;
+cc->tcg_ops.do_interrupt = alpha_cpu_do_interrupt;
 cc->tcg_ops.cpu_exec_interrupt = alpha_cpu_exec_interrupt;
 cc->dump_state = alpha_cpu_dump_state;
 cc->set_pc = alpha_cpu_set_pc;
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index 10eb465581..ed552a7bb5 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -589,7 +589,7 @@ bool arm_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
  found:
 cs->exception_index = excp_idx;
 env->exception.target_el = target_el;
-cc->do_interrupt(cs);
+cc->tcg_ops.do_interrupt(cs);
 return true;
 }
 
@@ -2249,7 +2249,6 @@ static void arm_cpu_class_init(ObjectClass *oc, void 
*data)
 cc->gdb_read_register = arm_cpu_gdb_read_register;
 cc->gdb_write_register = arm_cpu_gdb_write_register;
 #ifndef CONFIG_USER_ONLY
-cc->do_interrupt = arm_cpu_do_interrupt;
 cc->get_phys_page_attrs_debug = arm_cpu_get_phys_page_attrs_debug;
 cc->asidx_from_attrs = arm_asidx_from_attrs;
 cc->vmsd = &vmstate_arm_cpu;
@@ -2274,6 +2273,7 @@ static void arm_cpu_class_init(ObjectClass *oc, void 
*data)
 #if !defined(CONFIG_USER_ONLY)
 cc->do_transaction_failed = arm_cpu_do_transaction_failed;
 cc->adjust_watchpoint_address = arm_adjust_watchpoint_address;
+cc->tcg_ops.do_interrupt = arm_cpu_do_interrupt;
 #endif /* CONFIG_TCG && !CONFIG_USER_ONLY */
 #endif
 }
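Review bot: the assignment moves from the `#ifndef CONFIG_USER_ONLY` block into the `CONFIG_TCG && !CONFIG_USER_ONLY` block, so in a user-only TCG build `cc->tcg_ops.do_interrupt` is NULL for arm, while the arm_cpu_exec_interrupt hunk earlier in this file calls it unconditionally at `found:`. Please confirm that path is unreachable in user-only builds (the old `#ifndef CONFIG_USER_ONLY` placement made the same assumption) or guard the call.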
diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
index e261839d08.

[PATCH v12 09/23] tcg: cpu_exec_{enter,exit} helpers

2020-12-12 Thread Claudio Fontana
From: Eduardo Habkost 

Move invocation of CPUClass.cpu_exec_*() to separate helpers,
to make it easier to refactor that code later.

Signed-off-by: Eduardo Habkost 
Signed-off-by: Claudio Fontana 
Reviewed-by: Alex Bennée 
Reviewed-by: Richard Henderson 
---
 accel/tcg/cpu-exec.c | 23 ++-
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index 58aea605d8..8d31145ad2 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -236,9 +236,22 @@ static void cpu_exec_nocache(CPUState *cpu, int max_cycles,
 }
 #endif
 
+static void cpu_exec_enter(CPUState *cpu)
+{
+CPUClass *cc = CPU_GET_CLASS(cpu);
+
+cc->cpu_exec_enter(cpu);
+}
+
+static void cpu_exec_exit(CPUState *cpu)
+{
+CPUClass *cc = CPU_GET_CLASS(cpu);
+
+cc->cpu_exec_exit(cpu);
+}
+
 void cpu_exec_step_atomic(CPUState *cpu)
 {
-CPUClass *cc = CPU_GET_CLASS(cpu);
 TranslationBlock *tb;
 target_ulong cs_base, pc;
 uint32_t flags;
@@ -257,11 +270,11 @@ void cpu_exec_step_atomic(CPUState *cpu)
 
 /* Since we got here, we know that parallel_cpus must be true.  */
 parallel_cpus = false;
-cc->cpu_exec_enter(cpu);
+cpu_exec_enter(cpu);
 /* execute the generated code */
 trace_exec_tb(tb, pc);
 cpu_tb_exec(cpu, tb);
-cc->cpu_exec_exit(cpu);
+cpu_exec_exit(cpu);
 } else {
 /*
  * The mmap_lock is dropped by tb_gen_code if it runs out of
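Review bot: `CPUClass *cc` is dropped from cpu_exec_step_atomic, so any other use of `cc` in the parts of the function not shown in this hunk must also be gone or the build breaks; from what is visible the only two uses are the ones replaced here, but please double-check the tail of the function.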
@@ -713,7 +726,7 @@ int cpu_exec(CPUState *cpu)
 
 rcu_read_lock();
 
-cc->cpu_exec_enter(cpu);
+cpu_exec_enter(cpu);
 
 /* Calculate difference between guest clock and host clock.
  * This delay includes the delay of the last cycle, so
@@ -775,7 +788,7 @@ int cpu_exec(CPUState *cpu)
 }
 }
 
-cc->cpu_exec_exit(cpu);
+cpu_exec_exit(cpu);
 rcu_read_unlock();
 
 return ret;
-- 
2.26.2




[PATCH v12 07/23] i386: move TCG cpu class initialization to tcg/

2020-12-12 Thread Claudio Fontana
to do this, we need to take code out of cpu.c and helper.c,
and also move some prototypes from cpu.h, for code that is
needed in tcg/xxx_helper.c, and which in turn is part of the
callbacks registered by the class initialization.

Therefore, do some shuffling of the parts of cpu.h that
are only relevant for tcg/, and put them in tcg/helper-tcg.h

For FT0 and similar macros, put them in tcg/fpu-helper.c
since they are used only there.

Signed-off-by: Claudio Fontana 
---
 target/i386/cpu.h |  86 ---
 target/i386/tcg/helper-tcg.h  | 106 ++
 target/i386/tcg/tcg-cpu.h |  15 +
 target/i386/cpu.c |  33 ---
 target/i386/helper.c  |  23 
 target/i386/tcg/bpt_helper.c  |   1 +
 target/i386/tcg/cc_helper.c   |   1 +
 target/i386/tcg/excp_helper.c |   1 +
 target/i386/tcg/fpu_helper.c  |  39 +++--
 target/i386/tcg/int_helper.c  |   1 +
 target/i386/tcg/mem_helper.c  |   1 +
 target/i386/tcg/misc_helper.c |   1 +
 target/i386/tcg/mpx_helper.c  |   1 +
 target/i386/tcg/seg_helper.c  |   1 +
 target/i386/tcg/smm_helper.c  |   2 +
 target/i386/tcg/svm_helper.c  |   1 +
 target/i386/tcg/tcg-cpu.c |  71 +++
 target/i386/tcg/translate.c   |   1 +
 target/i386/tcg/meson.build   |   1 +
 19 files changed, 238 insertions(+), 148 deletions(-)
 create mode 100644 target/i386/tcg/helper-tcg.h
 create mode 100644 target/i386/tcg/tcg-cpu.h
 create mode 100644 target/i386/tcg/tcg-cpu.c

diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 343e51baab..4b8e8e2f39 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -31,9 +31,6 @@
 
 #define KVM_HAVE_MCE_INJECTION 1
 
-/* Maximum instruction code size */
-#define TARGET_MAX_INSN_SIZE 16
-
 /* support for self modifying code even if the modified instruction is
close to the modifying instruction */
 #define TARGET_HAS_PRECISE_SMC
@@ -1769,12 +1766,6 @@ struct X86CPU {
 extern VMStateDescription vmstate_x86_cpu;
 #endif
 
-/**
- * x86_cpu_do_interrupt:
- * @cpu: vCPU the interrupt is to be handled by.
- */
-void x86_cpu_do_interrupt(CPUState *cpu);
-bool x86_cpu_exec_interrupt(CPUState *cpu, int int_req);
 int x86_cpu_pending_interrupt(CPUState *cs, int interrupt_request);
 
 int x86_cpu_write_elf64_note(WriteCoreDumpFunction f, CPUState *cpu,
@@ -1797,9 +1788,6 @@ hwaddr x86_cpu_get_phys_page_attrs_debug(CPUState *cpu, 
vaddr addr,
 int x86_cpu_gdb_read_register(CPUState *cpu, GByteArray *buf, int reg);
 int x86_cpu_gdb_write_register(CPUState *cpu, uint8_t *buf, int reg);
 
-void x86_cpu_exec_enter(CPUState *cpu);
-void x86_cpu_exec_exit(CPUState *cpu);
-
 void x86_cpu_list(void);
 int cpu_x86_support_mca_broadcast(CPUX86State *env);
 
@@ -1924,9 +1912,6 @@ void host_cpuid(uint32_t function, uint32_t count,
 void host_vendor_fms(char *vendor, int *family, int *model, int *stepping);
 
 /* helper.c */
-bool x86_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
-  MMUAccessType access_type, int mmu_idx,
-  bool probe, uintptr_t retaddr);
 void x86_cpu_set_a20(X86CPU *cpu, int a20_state);
 
 #ifndef CONFIG_USER_ONLY
@@ -1951,8 +1936,6 @@ void x86_stl_phys(CPUState *cs, hwaddr addr, uint32_t 
val);
 void x86_stq_phys(CPUState *cs, hwaddr addr, uint64_t val);
 #endif
 
-void breakpoint_handler(CPUState *cs);
-
 /* will be suppressed */
 void cpu_x86_update_cr0(CPUX86State *env, uint32_t new_cr0);
 void cpu_x86_update_cr3(CPUX86State *env, target_ulong new_cr3);
@@ -1962,16 +1945,6 @@ void cpu_x86_update_dr7(CPUX86State *env, uint32_t 
new_dr7);
 /* hw/pc.c */
 uint64_t cpu_get_tsc(CPUX86State *env);
 
-/* XXX: This value should match the one returned by CPUID
- * and in exec.c */
-# if defined(TARGET_X86_64)
-# define TCG_PHYS_ADDR_BITS 40
-# else
-# define TCG_PHYS_ADDR_BITS 36
-# endif
-
-#define PHYS_ADDR_MASK MAKE_64BIT_MASK(0, TCG_PHYS_ADDR_BITS)
-
 #define X86_CPU_TYPE_SUFFIX "-" TYPE_X86_CPU
 #define X86_CPU_TYPE_NAME(name) (name X86_CPU_TYPE_SUFFIX)
 #define CPU_RESOLVING_TYPE TYPE_X86_CPU
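Review bot: TCG_PHYS_ADDR_BITS and PHYS_ADDR_MASK leave cpu.h together with the comment that the value must match CPUID; the commit message mentions only prototypes and the FT0-style macros, so say where these go (tcg/helper-tcg.h, new in this patch, looks like the intended place) and confirm that no non-TCG code in helper.c or the KVM/HVF/WHPX backends still references PHYS_ADDR_MASK, since they would no longer see it.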
@@ -2008,25 +1981,6 @@ static inline int cpu_mmu_index_kernel(CPUX86State *env)
 #define CC_SRC2 (env->cc_src2)
 #define CC_OP   (env->cc_op)
 
-/* n must be a constant to be efficient */
-static inline target_long lshift(target_long x, int n)
-{
-if (n >= 0) {
-return x << n;
-} else {
-return x >> (-n);
-}
-}
-
-/* float macros */
-#define FT0(env->ft0)
-#define ST0(env->fpregs[env->fpstt].d)
-#define ST(n)  (env->fpregs[(env->fpstt + (n)) & 7].d)
-#define ST1ST(1)
-
-/* translate.c */
-void tcg_x86_init(void);
-
 typedef CPUX86State CPUArchState;
 typedef X86CPU ArchCPU;
 
@@ -2056,19 +2010,6 @@ void cpu_x86_inject_mce(Monitor *mon, X86CPU *cpu, int 
bank,
 uint64_t status, uint64_t mcg_status, uint64_t addr,
 uint64_t misc, int flags);
 
-/* excp_helper.c */
-void QEMU_NORETURN raise_exception(CPUX86State *env, i

[PATCH v12 10/23] tcg: make CPUClass.cpu_exec_* optional

2020-12-12 Thread Claudio Fontana
From: Eduardo Habkost 

This will let us simplify the code that initializes CPU class
methods, when we move cpu_exec_*() to a separate struct.

Signed-off-by: Eduardo Habkost 
Signed-off-by: Claudio Fontana 
Reviewed-by: Alex Bennée 
---
 accel/tcg/cpu-exec.c | 11 ---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index 8d31145ad2..890b88861a 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -240,14 +240,18 @@ static void cpu_exec_enter(CPUState *cpu)
 {
 CPUClass *cc = CPU_GET_CLASS(cpu);
 
-cc->cpu_exec_enter(cpu);
+if (cc->cpu_exec_enter) {
+cc->cpu_exec_enter(cpu);
+}
 }
 
 static void cpu_exec_exit(CPUState *cpu)
 {
 CPUClass *cc = CPU_GET_CLASS(cpu);
 
-cc->cpu_exec_exit(cpu);
+if (cc->cpu_exec_exit) {
+cc->cpu_exec_exit(cpu);
+}
 }
 
 void cpu_exec_step_atomic(CPUState *cpu)
@@ -619,7 +623,8 @@ static inline bool cpu_handle_interrupt(CPUState *cpu,
True when it is, and we should restart on a new TB,
and via longjmp via cpu_loop_exit.  */
 else {
-if (cc->cpu_exec_interrupt(cpu, interrupt_request)) {
+if (cc->cpu_exec_interrupt &&
+cc->cpu_exec_interrupt(cpu, interrupt_request)) {
 if (need_replay_interrupt(interrupt_request)) {
 replay_interrupt();
 }
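Review bot: the comment just above this hunk ("True when it is, and we should restart on a new TB") still describes cpu_exec_interrupt as always present; with the added check an unset hook now behaves exactly like one returning false (the interrupt is left pending). The commit message says only "CPUClass.cpu_exec_*", which reads as enter/exit; state explicitly that cpu_exec_interrupt becomes optional too, and update the comment.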
-- 
2.26.2




[PULL 4/5] target/m68k: Add vmstate definition for M68kCPU

2020-12-12 Thread Laurent Vivier
Signed-off-by: Laurent Vivier 
Message-Id: <20201022203000.1922749-3-laur...@vivier.eu>
---
 target/m68k/cpu.h|   1 +
 target/m68k/cpu.c| 193 ++-
 target/m68k/fpu_helper.c |  10 +-
 3 files changed, 198 insertions(+), 6 deletions(-)

diff --git a/target/m68k/cpu.h b/target/m68k/cpu.h
index 9a6f0400fcfe..de5b9875fea3 100644
--- a/target/m68k/cpu.h
+++ b/target/m68k/cpu.h
@@ -179,6 +179,7 @@ int cpu_m68k_signal_handler(int host_signum, void *pinfo,
 uint32_t cpu_m68k_get_ccr(CPUM68KState *env);
 void cpu_m68k_set_ccr(CPUM68KState *env, uint32_t);
 void cpu_m68k_set_sr(CPUM68KState *env, uint32_t);
+void cpu_m68k_restore_fp_status(CPUM68KState *env);
 void cpu_m68k_set_fpcr(CPUM68KState *env, uint32_t val);
 
 
diff --git a/target/m68k/cpu.c b/target/m68k/cpu.c
index 72c545149e9b..b811a0bdde2d 100644
--- a/target/m68k/cpu.c
+++ b/target/m68k/cpu.c
@@ -260,10 +260,198 @@ static void m68k_cpu_initfn(Object *obj)
 cpu_set_cpustate_pointers(cpu);
 }
 
+#if defined(CONFIG_SOFTMMU)
+static bool fpu_needed(void *opaque)
+{
+M68kCPU *s = opaque;
+
+return m68k_feature(&s->env, M68K_FEATURE_CF_FPU) ||
+   m68k_feature(&s->env, M68K_FEATURE_FPU);
+}
+
+typedef struct m68k_FPReg_tmp {
+FPReg *parent;
+uint64_t tmp_mant;
+uint16_t tmp_exp;
+} m68k_FPReg_tmp;
+
+static void cpu_get_fp80(uint64_t *pmant, uint16_t *pexp, floatx80 f)
+{
+CPU_LDoubleU temp;
+
+temp.d = f;
+*pmant = temp.l.lower;
+*pexp = temp.l.upper;
+}
+
+static floatx80 cpu_set_fp80(uint64_t mant, uint16_t upper)
+{
+CPU_LDoubleU temp;
+
+temp.l.upper = upper;
+temp.l.lower = mant;
+return temp.d;
+}
+
+static int freg_pre_save(void *opaque)
+{
+m68k_FPReg_tmp *tmp = opaque;
+
+cpu_get_fp80(&tmp->tmp_mant, &tmp->tmp_exp, tmp->parent->d);
+
+return 0;
+}
+
+static int freg_post_load(void *opaque, int version)
+{
+m68k_FPReg_tmp *tmp = opaque;
+
+tmp->parent->d = cpu_set_fp80(tmp->tmp_mant, tmp->tmp_exp);
+
+return 0;
+}
+
+static const VMStateDescription vmstate_freg_tmp = {
+.name = "freg_tmp",
+.post_load = freg_post_load,
+.pre_save  = freg_pre_save,
+.fields = (VMStateField[]) {
+VMSTATE_UINT64(tmp_mant, m68k_FPReg_tmp),
+VMSTATE_UINT16(tmp_exp, m68k_FPReg_tmp),
+VMSTATE_END_OF_LIST()
+}
+};
+
+static const VMStateDescription vmstate_freg = {
+.name = "freg",
+.fields = (VMStateField[]) {
+VMSTATE_WITH_TMP(FPReg, m68k_FPReg_tmp, vmstate_freg_tmp),
+VMSTATE_END_OF_LIST()
+}
+};
+
+static int fpu_post_load(void *opaque, int version)
+{
+M68kCPU *s = opaque;
+
+cpu_m68k_restore_fp_status(&s->env);
+
+return 0;
+}
+
+const VMStateDescription vmmstate_fpu = {
+.name = "cpu/fpu",
+.version_id = 1,
+.minimum_version_id = 1,
+.needed = fpu_needed,
+.post_load = fpu_post_load,
+.fields = (VMStateField[]) {
+VMSTATE_UINT32(env.fpcr, M68kCPU),
+VMSTATE_UINT32(env.fpsr, M68kCPU),
+VMSTATE_STRUCT_ARRAY(env.fregs, M68kCPU, 8, 0, vmstate_freg, FPReg),
+VMSTATE_STRUCT(env.fp_result, M68kCPU, 0, vmstate_freg, FPReg),
+VMSTATE_END_OF_LIST()
+}
+};
+
+static bool cf_spregs_needed(void *opaque)
+{
+M68kCPU *s = opaque;
+
+return m68k_feature(&s->env, M68K_FEATURE_CF_ISA_A);
+}
+
+const VMStateDescription vmstate_cf_spregs = {
+.name = "cpu/cf_spregs",
+.version_id = 1,
+.minimum_version_id = 1,
+.needed = cf_spregs_needed,
+.fields = (VMStateField[]) {
+VMSTATE_UINT64_ARRAY(env.macc, M68kCPU, 4),
+VMSTATE_UINT32(env.macsr, M68kCPU),
+VMSTATE_UINT32(env.mac_mask, M68kCPU),
+VMSTATE_UINT32(env.rambar0, M68kCPU),
+VMSTATE_UINT32(env.mbar, M68kCPU),
+VMSTATE_END_OF_LIST()
+}
+};
+
+static bool cpu_68040_mmu_needed(void *opaque)
+{
+M68kCPU *s = opaque;
+
+return m68k_feature(&s->env, M68K_FEATURE_M68040);
+}
+
+const VMStateDescription vmstate_68040_mmu = {
+.name = "cpu/68040_mmu",
+.version_id = 1,
+.minimum_version_id = 1,
+.needed = cpu_68040_mmu_needed,
+.fields = (VMStateField[]) {
+VMSTATE_UINT32(env.mmu.ar, M68kCPU),
+VMSTATE_UINT32(env.mmu.ssw, M68kCPU),
+VMSTATE_UINT16(env.mmu.tcr, M68kCPU),
+VMSTATE_UINT32(env.mmu.urp, M68kCPU),
+VMSTATE_UINT32(env.mmu.srp, M68kCPU),
+VMSTATE_BOOL(env.mmu.fault, M68kCPU),
+VMSTATE_UINT32_ARRAY(env.mmu.ttr, M68kCPU, 4),
+VMSTATE_UINT32(env.mmu.mmusr, M68kCPU),
+VMSTATE_END_OF_LIST()
+}
+};
+
+static bool cpu_68040_spregs_needed(void *opaque)
+{
+M68kCPU *s = opaque;
+
+return m68k_feature(&s->env, M68K_FEATURE_M68040);
+}
+
+const VMStateDescription vmstate_68040_spregs = {
+.name = "cpu/68040_spregs",
+.version_id = 1,
+.minimum_version_id = 1,
+.needed = cpu_68040_spregs_needed,
+.fields = (VMStateField[]) {
+VMSTATE_UINT32(env.v
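Review bot: the descriptor declared as `const VMStateDescription vmmstate_fpu` carries a doubled "m" while every sibling in this hunk follows the `vmstate_*` pattern (`vmstate_freg`, `vmstate_cf_spregs`, `vmstate_68040_mmu`); since the symbol is non-static and will be named from the CPU's subsection list, renaming it to `vmstate_fpu` now is cheaper than carrying the typo forward. Smaller point in the same hunk: `cpu_68040_mmu_needed()` and `cpu_68040_spregs_needed()` have identical bodies (both return `m68k_feature(&s->env, M68K_FEATURE_M68040)`), so a single `cpu_68040_needed()` used by both `.needed` callbacks would do.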

[PATCH v12 03/23] i386: move hax accel files into hax/

2020-12-12 Thread Claudio Fontana
Signed-off-by: Claudio Fontana 
Reviewed-by: Alex Bennée 
Reviewed-by: Richard Henderson 
---
 target/i386/{ => hax}/hax-cpus.h  | 0
 target/i386/{ => hax}/hax-i386.h  | 6 +++---
 target/i386/{ => hax}/hax-interface.h | 0
 target/i386/{ => hax}/hax-posix.h | 0
 target/i386/{ => hax}/hax-windows.h   | 0
 target/i386/{ => hax}/hax-all.c   | 0
 target/i386/{ => hax}/hax-cpus.c  | 0
 target/i386/{ => hax}/hax-mem.c   | 0
 target/i386/{ => hax}/hax-posix.c | 0
 target/i386/{ => hax}/hax-windows.c   | 0
 MAINTAINERS   | 2 +-
 target/i386/hax/meson.build   | 7 +++
 target/i386/meson.build   | 8 +---
 13 files changed, 12 insertions(+), 11 deletions(-)
 rename target/i386/{ => hax}/hax-cpus.h (100%)
 rename target/i386/{ => hax}/hax-i386.h (95%)
 rename target/i386/{ => hax}/hax-interface.h (100%)
 rename target/i386/{ => hax}/hax-posix.h (100%)
 rename target/i386/{ => hax}/hax-windows.h (100%)
 rename target/i386/{ => hax}/hax-all.c (100%)
 rename target/i386/{ => hax}/hax-cpus.c (100%)
 rename target/i386/{ => hax}/hax-mem.c (100%)
 rename target/i386/{ => hax}/hax-posix.c (100%)
 rename target/i386/{ => hax}/hax-windows.c (100%)
 create mode 100644 target/i386/hax/meson.build

diff --git a/target/i386/hax-cpus.h b/target/i386/hax/hax-cpus.h
similarity index 100%
rename from target/i386/hax-cpus.h
rename to target/i386/hax/hax-cpus.h
diff --git a/target/i386/hax-i386.h b/target/i386/hax/hax-i386.h
similarity index 95%
rename from target/i386/hax-i386.h
rename to target/i386/hax/hax-i386.h
index 48c4abe14e..efbb346238 100644
--- a/target/i386/hax-i386.h
+++ b/target/i386/hax/hax-i386.h
@@ -84,13 +84,13 @@ void hax_memory_init(void);
 
 
 #ifdef CONFIG_POSIX
-#include "target/i386/hax-posix.h"
+#include "hax-posix.h"
 #endif
 
 #ifdef CONFIG_WIN32
-#include "target/i386/hax-windows.h"
+#include "hax-windows.h"
 #endif
 
-#include "target/i386/hax-interface.h"
+#include "hax-interface.h"
 
 #endif
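Review bot: the edits from `-#include "target/i386/hax-posix.h"` to `+#include "hax-posix.h"` (and likewise for hax-windows.h and hax-interface.h) turn a path rooted at the source tree into a bare name, so resolution now relies on quote-include lookup starting from the including header's own directory. That holds here because all the hax headers move into hax/ in this same commit, but it couples hax-i386.h to staying co-located with them; keeping the rooted form as "target/i386/hax/hax-posix.h" is an equally mechanical change and avoids that dependency.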
diff --git a/target/i386/hax-interface.h b/target/i386/hax/hax-interface.h
similarity index 100%
rename from target/i386/hax-interface.h
rename to target/i386/hax/hax-interface.h
diff --git a/target/i386/hax-posix.h b/target/i386/hax/hax-posix.h
similarity index 100%
rename from target/i386/hax-posix.h
rename to target/i386/hax/hax-posix.h
diff --git a/target/i386/hax-windows.h b/target/i386/hax/hax-windows.h
similarity index 100%
rename from target/i386/hax-windows.h
rename to target/i386/hax/hax-windows.h
diff --git a/target/i386/hax-all.c b/target/i386/hax/hax-all.c
similarity index 100%
rename from target/i386/hax-all.c
rename to target/i386/hax/hax-all.c
diff --git a/target/i386/hax-cpus.c b/target/i386/hax/hax-cpus.c
similarity index 100%
rename from target/i386/hax-cpus.c
rename to target/i386/hax/hax-cpus.c
diff --git a/target/i386/hax-mem.c b/target/i386/hax/hax-mem.c
similarity index 100%
rename from target/i386/hax-mem.c
rename to target/i386/hax/hax-mem.c
diff --git a/target/i386/hax-posix.c b/target/i386/hax/hax-posix.c
similarity index 100%
rename from target/i386/hax-posix.c
rename to target/i386/hax/hax-posix.c
diff --git a/target/i386/hax-windows.c b/target/i386/hax/hax-windows.c
similarity index 100%
rename from target/i386/hax-windows.c
rename to target/i386/hax/hax-windows.c
diff --git a/MAINTAINERS b/MAINTAINERS
index 0e8dfd7ea6..d643f59e37 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -491,7 +491,7 @@ W: https://github.com/intel/haxm/issues
 S: Maintained
 F: accel/stubs/hax-stub.c
 F: include/sysemu/hax.h
-F: target/i386/hax-*
+F: target/i386/hax/
 
 Hosts
 -
diff --git a/target/i386/hax/meson.build b/target/i386/hax/meson.build
new file mode 100644
index 00..77ea431b30
--- /dev/null
+++ b/target/i386/hax/meson.build
@@ -0,0 +1,7 @@
+i386_softmmu_ss.add(when: 'CONFIG_HAX', if_true: files(
+  'hax-all.c',
+  'hax-mem.c',
+  'hax-cpus.c',
+))
+i386_softmmu_ss.add(when: ['CONFIG_HAX', 'CONFIG_POSIX'], if_true: 
files('hax-posix.c'))
+i386_softmmu_ss.add(when: ['CONFIG_HAX', 'CONFIG_WIN32'], if_true: 
files('hax-windows.c'))
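Review bot: as rendered here the two conditional `i386_softmmu_ss.add(when: ['CONFIG_HAX', 'CONFIG_POSIX'], if_true: ` / `files('hax-posix.c'))` lines are wrapped, with the continuation lacking its `+` prefix; the same wrap appears on the matching `-` lines in the target/i386/meson.build hunk that follows. If that wrapping is in the mail rather than an artifact of the archive, neither hunk will apply with `git am`; re-sending via `git send-email` (or with the mailer's automatic line wrapping disabled) would avoid it.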
diff --git a/target/i386/meson.build b/target/i386/meson.build
index 62cd042915..284d52ab81 100644
--- a/target/i386/meson.build
+++ b/target/i386/meson.build
@@ -27,15 +27,9 @@ i386_softmmu_ss.add(files(
   'machine.c',
   'monitor.c',
 ))
-i386_softmmu_ss.add(when: 'CONFIG_HAX', if_true: files(
-  'hax-all.c',
-  'hax-mem.c',
-  'hax-cpus.c',
-))
-i386_softmmu_ss.add(when: ['CONFIG_HAX', 'CONFIG_POSIX'], if_true: 
files('hax-posix.c'))
-i386_softmmu_ss.add(when: ['CONFIG_HAX', 'CONFIG_WIN32'], if_true: 
files('hax-windows.c'))
 
 subdir('kvm')
+subdir('hax')
 subdir('whpx')
 subdir('hvf')
 
-- 
2.26.2




Re: [PATCH 26/26] MAINTAINERS: Add entry for MIPS Toshiba TCG

2020-12-12 Thread Fredrik Noring
On Fri, Nov 20, 2020 at 10:08:44PM +0100, Philippe Mathieu-Daudé wrote:
> Add an entry for the TCG core related to Toshiba TXx9.
> 
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
> Adding Fredrik Noring in case he wants to be notified of changes,
> patch conditional to his approval.

I may be able to help on the TX79 that is an R5900, but unless commit
823f2897bdd7 ("target/mips: Disable R5900 support") is reverted, it
remains shut off in QEMU. To obtain n32, in addition to o32, one may
want to apply something similar to this:

diff --git a/linux-user/mips64/target_elf.h b/linux-user/mips64/target_elf.h
index ec55d8542a..5f2f2df29f 100644
--- a/linux-user/mips64/target_elf.h
+++ b/linux-user/mips64/target_elf.h
@@ -12,6 +12,9 @@ static inline const char *cpu_get_model(uint32_t eflags)
 if ((eflags & EF_MIPS_ARCH) == EF_MIPS_ARCH_64R6) {
 return "I6400";
 }
+if ((eflags & EF_MIPS_MACH) == EF_MIPS_MACH_5900) {
+return "R5900";
+}
 return "5KEf";
 }
 #endif
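Review bot: the added branch makes cpu_get_model() return "R5900" for EF_MIPS_MACH_5900 binaries, yet, as the text above says, R5900 support is currently shut off by commit 823f2897bdd7 ("target/mips: Disable R5900 support"), so until that is reverted this trades the "5KEf" fallback for a model name the build does not provide. If the snippet is meant to be applied ahead of the revert, the branch should be conditional on R5900 being available; otherwise it is best kept together with the revert so the two land as one series.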

> ---
>  MAINTAINERS | 6 ++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/MAINTAINERS b/MAINTAINERS
> index b6d98b95c47..d97f0f1d66e 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -253,6 +253,12 @@ R: Craig Janeczek 
>  S: Odd Fixes
>  F: target/mips/vendor-xburst*
>  
> +MIPS TCG CPUs (Toshiba TX)
> +M: Philippe Mathieu-Daudé 
> +R: Fredrik Noring 
> +S: Odd Fixes
> +F: target/mips/vendor-tx*
> +
>  MIPS TCG CPUs (nanoMIPS ISA)
>  S: Orphan
>  F: disas/nanomips.*
> -- 
> 2.26.2
> 

Fredrik



[PULL 5/5] m68k: fix some comment spelling errors

2020-12-12 Thread Laurent Vivier
From: zhaolichang 

I found that there are many spelling errors in the comments of qemu/target/m68k.
I used spellcheck to check the spelling errors and found some errors in the 
folder.

Signed-off-by: zhaolichang 
Reviewed-by: David Edmondson 
Reviewed-by: Philippe Mathieu-Daude
Reviewed-by: Laurent Vivier
Message-Id: <20201009064449.2336-9-zhaolich...@huawei.com>
Signed-off-by: Laurent Vivier 
---
 target/m68k/translate.c | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/target/m68k/translate.c b/target/m68k/translate.c
index 3fc67aa45261..133a4049191e 100644
--- a/target/m68k/translate.c
+++ b/target/m68k/translate.c
@@ -438,7 +438,7 @@ static TCGv gen_addr_index(DisasContext *s, uint16_t ext, 
TCGv tmp)
 }
 
 /*
- * Handle a base + index + displacement effective addresss.
+ * Handle a base + index + displacement effective address.
  * A NULL_QREG base means pc-relative.
  */
 static TCGv gen_lea_indexed(CPUM68KState *env, DisasContext *s, TCGv base)
@@ -1696,7 +1696,7 @@ static void bcd_add(TCGv dest, TCGv src)
 
 /*
  * t1 = (src + 0x066) + dest + X
- *= result with some possible exceding 0x6
+ *= result with some possible exceeding 0x6
  */
 
 t0 = tcg_const_i32(0x066);
@@ -1706,7 +1706,7 @@ static void bcd_add(TCGv dest, TCGv src)
 tcg_gen_add_i32(t1, t0, dest);
 tcg_gen_add_i32(t1, t1, QREG_CC_X);
 
-/* we will remove exceding 0x6 where there is no carry */
+/* we will remove exceeding 0x6 where there is no carry */
 
 /*
  * t0 = (src + 0x0066) ^ dest
@@ -1736,7 +1736,7 @@ static void bcd_add(TCGv dest, TCGv src)
 tcg_temp_free(t0);
 
 /*
- * remove the exceding 0x6
+ * remove the exceeding 0x6
  * for digits that have not generated a carry
  */
 
@@ -2638,7 +2638,7 @@ DISAS_INSN(negx)
 gen_flush_flags(s); /* compute old Z */
 
 /*
- * Perform substract with borrow.
+ * Perform subtract with borrow.
  * (X, N) =  -(src + X);
  */
 
@@ -2653,7 +2653,7 @@ DISAS_INSN(negx)
 /*
  * Compute signed-overflow for negation.  The normal formula for
  * subtraction is (res ^ src) & (src ^ dest), but with dest==0
- * this simplies to res & src.
+ * this simplifies to res & src.
  */
 
 tcg_gen_and_i32(QREG_CC_V, QREG_CC_N, src);
@@ -3159,7 +3159,7 @@ static inline void gen_subx(DisasContext *s, TCGv src, 
TCGv dest, int opsize)
 gen_flush_flags(s); /* compute old Z */
 
 /*
- * Perform substract with borrow.
+ * Perform subtract with borrow.
  * (X, N) = dest - (src + X);
  */
 
@@ -3169,7 +3169,7 @@ static inline void gen_subx(DisasContext *s, TCGv src, 
TCGv dest, int opsize)
 gen_ext(QREG_CC_N, QREG_CC_N, opsize, 1);
 tcg_gen_andi_i32(QREG_CC_X, QREG_CC_X, 1);
 
-/* Compute signed-overflow for substract.  */
+/* Compute signed-overflow for subtract.  */
 
 tcg_gen_xor_i32(QREG_CC_V, QREG_CC_N, dest);
 tcg_gen_xor_i32(tmp, dest, src);
-- 
2.29.2




Re: [PATCH 2/8] ppc: Convert PPC UIC to a QOM device

2020-12-12 Thread Peter Maydell
On Sat, 12 Dec 2020 at 18:27, BALATON Zoltan  wrote:
>
> On Sat, 12 Dec 2020, Peter Maydell wrote:
> > Currently the PPC UIC ("Universal Interrupt Controller") is implemented
> > as a non-QOM device in ppc4xx_devs.c. Convert it to a proper QOM device
> > in hw/intc.
> >
> > The ppcuic_init() function is retained for the moment with its current
> > interface; in subsequent commits this will be tidied up to avoid the
> > allocation of an irq array.
> >
> > This conversion adds VMState support.
> >
> > It leaves the LOG_UIC() macro as-is to maximise the extent to which
> > this is simply code-movement rather than a rewrite (in new code it
> > would be better to use tracepoints).
> >
> > The default property values for dcr-base and use-vectors are set to
> > match those used by most of our boards with a UIC.
>
> Would this be easier to review if it's split into two patches, first doing
> the conversion in place, then another just doing code moving? Maybe we
> could spot some problem that way easier?

That didn't really feel very feasible to me. You can see that
mostly it's code motion using the git diff --color-moved option
if you look at the commit.

thanks
-- PMM



Re: [PATCH 2/8] ppc: Convert PPC UIC to a QOM device

2020-12-12 Thread BALATON Zoltan via

On Sat, 12 Dec 2020, Peter Maydell wrote:

Currently the PPC UIC ("Universal Interrupt Controller") is implemented
as a non-QOM device in ppc4xx_devs.c. Convert it to a proper QOM device
in hw/intc.

The ppcuic_init() function is retained for the moment with its current
interface; in subsequent commits this will be tidied up to avoid the
allocation of an irq array.

This conversion adds VMState support.

It leaves the LOG_UIC() macro as-is to maximise the extent to which
this is simply code-movement rather than a rewrite (in new code it
would be better to use tracepoints).

The default property values for dcr-base and use-vectors are set to
match those used by most of our boards with a UIC.

Signed-off-by: Peter Maydell 
---
include/hw/intc/ppc-uic.h |  73 +
hw/intc/ppc-uic.c | 321 ++
hw/ppc/ppc4xx_devs.c  | 267 ---
MAINTAINERS   |   2 +
hw/intc/Kconfig   |   3 +
hw/intc/meson.build   |   1 +
hw/ppc/Kconfig|   1 +
7 files changed, 431 insertions(+), 237 deletions(-)
create mode 100644 include/hw/intc/ppc-uic.h
create mode 100644 hw/intc/ppc-uic.c


Underscore seems to be more common in file names, so maybe ppc_uic.[ch], 
which also better matches function and config option names.


Regards,
BALATON Zoltan


diff --git a/include/hw/intc/ppc-uic.h b/include/hw/intc/ppc-uic.h
new file mode 100644
index 000..e614e2ffd80
--- /dev/null
+++ b/include/hw/intc/ppc-uic.h
@@ -0,0 +1,73 @@
+/*
+ * "Universal" Interrupt Controller for PowerPPC 4xx embedded processors
+ *
+ * Copyright (c) 2007 Jocelyn Mayer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to 
deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#ifndef HW_INTC_PPC_UIC_H
+#define HW_INTC_PPC_UIC_H
+
+#include "hw/sysbus.h"
+#include "qom/object.h"
+
+#define TYPE_PPC_UIC "ppc-uic"
+OBJECT_DECLARE_SIMPLE_TYPE(PPCUIC, PPC_UIC)
+
+/*
+ * QEMU interface:
+ * QOM property "cpu": link to the PPC CPU
+ *(no default, must be set)
+ * QOM property "dcr-base": base of the bank of DCR registers for the UIC
+ *(default 0x30)
+ * QOM property "use-vectors": true if the UIC has vector registers
+ *(default true)
+ * unnamed GPIO inputs 0..UIC_MAX_IRQ: input IRQ lines
+ * sysbus IRQs:
+ *  0 (PPCUIC_OUTPUT_INT): output INT line to the CPU
+ *  1 (PPCUIC_OUTPUT_CINT): output CINT line to the CPU
+ */
+
+#define UIC_MAX_IRQ 32
+
+struct PPCUIC {
+/*< private >*/
+SysBusDevice parent_obj;
+
+/*< public >*/
+qemu_irq output_int;
+qemu_irq output_cint;
+
+/* properties */
+CPUState *cpu;
+uint32_t dcr_base;
+bool use_vectors;
+
+uint32_t level;  /* Remembers the state of level-triggered interrupts. */
+uint32_t uicsr;  /* Status register */
+uint32_t uicer;  /* Enable register */
+uint32_t uiccr;  /* Critical register */
+uint32_t uicpr;  /* Polarity register */
+uint32_t uictr;  /* Triggering register */
+uint32_t uicvcr; /* Vector configuration register */
+uint32_t uicvr;
+};
+
+#endif
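Review bot: the interface comment "unnamed GPIO inputs 0..UIC_MAX_IRQ: input IRQ lines" reads as 33 inputs, while `#define UIC_MAX_IRQ 32` a few lines below and the 32-bit `uicsr`/`uicer`/`uicpr`/`uictr` fields can only track 32 lines; it should say 0..UIC_MAX_IRQ-1 (or "UIC_MAX_IRQ inputs") so that a board author wiring line 32 is not misled. Two nits in the same hunk: the header line `"Universal" Interrupt Controller for PowerPPC 4xx embedded processors` should read "PowerPC 4xx" (the same line is duplicated into hw/intc/ppc-uic.c), and `uint32_t uicvr;` is the only register field without the trailing comment its neighbours carry.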
diff --git a/hw/intc/ppc-uic.c b/hw/intc/ppc-uic.c
new file mode 100644
index 000..b21951eea83
--- /dev/null
+++ b/hw/intc/ppc-uic.c
@@ -0,0 +1,321 @@
+/*
+ * "Universal" Interrupt Controller for PowerPPC 4xx embedded processors
+ *
+ * Copyright (c) 2007 Jocelyn Mayer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to 
deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", W

[PULL 2/5] hw/m68k/q800.c: Make the GLUE chip an actual QOM device

2020-12-12 Thread Laurent Vivier
From: Peter Maydell 

The handling of the GLUE (General Logic Unit) device is
currently open-coded. Make this into a proper QOM device.

This minor piece of modernisation gets rid of the free
floating qemu_irq array 'pic', which Coverity points out
is technically leaked when we exit the machine init function.
(The replacement glue device is not leaked because it gets
added to the sysbus, so it's accessible via that.)

Fixes: Coverity CID 1421883
Signed-off-by: Peter Maydell 
Reviewed-by: Laurent vivier 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20201106235109.7066-3-peter.mayd...@linaro.org>
Signed-off-by: Laurent Vivier 
---
 hw/m68k/q800.c | 82 ++
 1 file changed, 70 insertions(+), 12 deletions(-)

diff --git a/hw/m68k/q800.c b/hw/m68k/q800.c
index f9a2be776eb0..2af0e2532eb2 100644
--- a/hw/m68k/q800.c
+++ b/hw/m68k/q800.c
@@ -48,6 +48,7 @@
 #include "sysemu/qtest.h"
 #include "sysemu/runstate.h"
 #include "sysemu/reset.h"
+#include "migration/vmstate.h"
 
 #define MACROM_ADDR 0x4080
 #define MACROM_SIZE 0x0010
@@ -95,10 +96,14 @@
  * CPU.
  */
 
-typedef struct {
+#define TYPE_GLUE "q800-glue"
+OBJECT_DECLARE_SIMPLE_TYPE(GLUEState, GLUE)
+
+struct GLUEState {
+SysBusDevice parent_obj;
 M68kCPU *cpu;
 uint8_t ipr;
-} GLUEState;
+};
 
 static void GLUE_set_irq(void *opaque, int irq, int level)
 {
@@ -120,6 +125,58 @@ static void GLUE_set_irq(void *opaque, int irq, int level)
 m68k_set_irq_level(s->cpu, 0, 0);
 }
 
+static void glue_reset(DeviceState *dev)
+{
+GLUEState *s = GLUE(dev);
+
+s->ipr = 0;
+}
+
+static const VMStateDescription vmstate_glue = {
+.name = "q800-glue",
+.version_id = 0,
+.minimum_version_id = 0,
+.fields = (VMStateField[]) {
+VMSTATE_UINT8(ipr, GLUEState),
+VMSTATE_END_OF_LIST(),
+},
+};
+
+/*
+ * If the m68k CPU implemented its inbound irq lines as GPIO lines
+ * rather than via the m68k_set_irq_level() function we would not need
+ * this cpu link property and could instead provide outbound IRQ lines
+ * that the board could wire up to the CPU.
+ */
+static Property glue_properties[] = {
+DEFINE_PROP_LINK("cpu", GLUEState, cpu, TYPE_M68K_CPU, M68kCPU *),
+DEFINE_PROP_END_OF_LIST(),
+};
+
+static void glue_init(Object *obj)
+{
+DeviceState *dev = DEVICE(obj);
+
+qdev_init_gpio_in(dev, GLUE_set_irq, 8);
+}
+
+static void glue_class_init(ObjectClass *klass, void *data)
+{
+DeviceClass *dc = DEVICE_CLASS(klass);
+
+dc->vmsd = &vmstate_glue;
+dc->reset = glue_reset;
+device_class_set_props(dc, glue_properties);
+}
+
+static const TypeInfo glue_info = {
+.name = TYPE_GLUE,
+.parent = TYPE_SYS_BUS_DEVICE,
+.instance_size = sizeof(GLUEState),
+.instance_init = glue_init,
+.class_init = glue_class_init,
+};
+
 static void main_cpu_reset(void *opaque)
 {
 M68kCPU *cpu = opaque;
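Review bot: nothing in this hunk checks that the mandatory "cpu" link was set before the device is used: glue_class_init() installs `dc->vmsd`, `dc->reset` and the properties but no realize method, and GLUE_set_irq() passes `s->cpu` straight to m68k_set_irq_level() on the first incoming GPIO event. A glue_realize() that reports an error when `s->cpu` is NULL (the usual pattern for a DEFINE_PROP_LINK the device cannot work without) would turn a board-wiring mistake into a clean startup failure instead of a NULL pointer at the first interrupt.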
@@ -180,8 +237,7 @@ static void q800_init(MachineState *machine)
 SysBusDevice *sysbus;
 BusState *adb_bus;
 NubusBus *nubus;
-GLUEState *irq;
-qemu_irq *pic;
+DeviceState *glue;
 DriveInfo *dinfo;
 
 linux_boot = (kernel_filename != NULL);
@@ -215,10 +271,9 @@ static void q800_init(MachineState *machine)
 }
 
 /* IRQ Glue */
-
-irq = g_new0(GLUEState, 1);
-irq->cpu = cpu;
-pic = qemu_allocate_irqs(GLUE_set_irq, irq, 8);
+glue = qdev_new(TYPE_GLUE);
+object_property_set_link(OBJECT(glue), "cpu", OBJECT(cpu), &error_abort);
+sysbus_realize_and_unref(SYS_BUS_DEVICE(glue), &error_fatal);
 
 /* VIA */
 
@@ -230,8 +285,10 @@ static void q800_init(MachineState *machine)
 sysbus = SYS_BUS_DEVICE(via_dev);
 sysbus_realize_and_unref(sysbus, &error_fatal);
 sysbus_mmio_map(sysbus, 0, VIA_BASE);
-qdev_connect_gpio_out_named(DEVICE(sysbus), "irq", 0, pic[0]);
-qdev_connect_gpio_out_named(DEVICE(sysbus), "irq", 1, pic[1]);
+qdev_connect_gpio_out_named(DEVICE(sysbus), "irq", 0,
+qdev_get_gpio_in(glue, 0));
+qdev_connect_gpio_out_named(DEVICE(sysbus), "irq", 1,
+qdev_get_gpio_in(glue, 1));
 
 
 adb_bus = qdev_get_child_bus(via_dev, "adb.0");
@@ -272,7 +329,7 @@ static void q800_init(MachineState *machine)
 sysbus_realize_and_unref(sysbus, &error_fatal);
 sysbus_mmio_map(sysbus, 0, SONIC_BASE);
 sysbus_mmio_map(sysbus, 1, SONIC_PROM_BASE);
-sysbus_connect_irq(sysbus, 0, pic[2]);
+sysbus_connect_irq(sysbus, 0, qdev_get_gpio_in(glue, 2));
 
 /* SCC */
 
@@ -294,7 +351,7 @@ static void q800_init(MachineState *machine)
 qdev_realize_and_unref(escc_orgate, NULL, &error_fatal);
 sysbus_connect_irq(sysbus, 0, qdev_get_gpio_in(escc_orgate, 0));
 sysbus_connect_irq(sysbus, 1, qdev_get_gpio_in(escc_orgate, 1));
-qdev_connect_gpio_out(DEVICE(escc_orgate), 0, pic[3]);
+qdev_connect_gpio_out(DEVICE(escc_orgate), 0, qdev_get_gpio_in(glue, 3));
 sysbus_mmi

[PULL 1/5] hw/m68k/q800: Don't connect two qemu_irqs directly to the same input

2020-12-12 Thread Laurent Vivier
From: Peter Maydell 

The q800 board code connects both of the IRQ outputs of the ESCC
to the same pic[3] qemu_irq. Connecting two qemu_irq outputs directly
to the same input is not valid as it produces subtly wrong behaviour
(for instance if both the IRQ lines are high, and then one goes
low, the PIC input will see this as a high-to-low transition
even though the second IRQ line should still be holding it high).

This kind of wiring needs an explicitly created OR gate; add one.

Signed-off-by: Peter Maydell 
Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Laurent Vivier 
Message-Id: <20201106235109.7066-2-peter.mayd...@linaro.org>
Signed-off-by: Laurent Vivier 
---
 hw/m68k/q800.c  | 12 ++--
 hw/m68k/Kconfig |  1 +
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/hw/m68k/q800.c b/hw/m68k/q800.c
index 4db2b9bbc7b4..f9a2be776eb0 100644
--- a/hw/m68k/q800.c
+++ b/hw/m68k/q800.c
@@ -29,6 +29,7 @@
 #include "hw/hw.h"
 #include "hw/boards.h"
 #include "hw/irq.h"
+#include "hw/or-irq.h"
 #include "elf.h"
 #include "hw/loader.h"
 #include "ui/console.h"
@@ -173,6 +174,7 @@ static void q800_init(MachineState *machine)
 CPUState *cs;
 DeviceState *dev;
 DeviceState *via_dev;
+DeviceState *escc_orgate;
 SysBusESPState *sysbus_esp;
 ESPState *esp;
 SysBusDevice *sysbus;
@@ -285,8 +287,14 @@ static void q800_init(MachineState *machine)
 qdev_prop_set_uint32(dev, "chnAtype", 0);
 sysbus = SYS_BUS_DEVICE(dev);
 sysbus_realize_and_unref(sysbus, &error_fatal);
-sysbus_connect_irq(sysbus, 0, pic[3]);
-sysbus_connect_irq(sysbus, 1, pic[3]);
+
+/* Logically OR both its IRQs together */
+escc_orgate = DEVICE(object_new(TYPE_OR_IRQ));
+object_property_set_int(OBJECT(escc_orgate), "num-lines", 2, &error_fatal);
+qdev_realize_and_unref(escc_orgate, NULL, &error_fatal);
+sysbus_connect_irq(sysbus, 0, qdev_get_gpio_in(escc_orgate, 0));
+sysbus_connect_irq(sysbus, 1, qdev_get_gpio_in(escc_orgate, 1));
+qdev_connect_gpio_out(DEVICE(escc_orgate), 0, pic[3]);
 sysbus_mmio_map(sysbus, 0, SCC_BASE);
 
 /* SCSI */
diff --git a/hw/m68k/Kconfig b/hw/m68k/Kconfig
index c757e7dfa48b..60d7bcfb8f2b 100644
--- a/hw/m68k/Kconfig
+++ b/hw/m68k/Kconfig
@@ -22,3 +22,4 @@ config Q800
 select ESCC
 select ESP
 select DP8393X
+select OR_IRQ
-- 
2.29.2
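To make the failure the commit message describes concrete, here is an added example, not code from QEMU or from this patch: a small C model of an interrupt input that, like a qemu_irq handler, only sees the last level written to it and has no notion of how many sources drive it. The type and function names (irq_input_t, or_gate_t, scenario_direct, scenario_or_gate) are invented for this demonstration. It replays the exact sequence from the message (both lines high, then one goes low) once with both sources wired straight to the input and once through a two-input OR gate, and reports the level the input ends up seeing and how many falling edges it observed.

```c
/*
 * Added example (not QEMU code): models why feeding two interrupt outputs
 * straight into one input misbehaves, and how an OR gate fixes it.
 * All identifiers below are invented for the demo.
 */
#include <stdio.h>

/* A level-sensitive input that only remembers the last level written to
 * it, and counts the high->low transitions it believes it has seen. */
typedef struct {
    int level;          /* level the consumer currently sees */
    int falling_edges;  /* number of observed high->low transitions */
} irq_input_t;

static void irq_input_set(irq_input_t *in, int level)
{
    if (in->level && !level) {
        in->falling_edges++;    /* consumer thinks the line was released */
    }
    in->level = level;
}

/* Direct wiring: both sources write the same input; the source id is
 * irrelevant because the input cannot tell them apart. */
static void direct_set(irq_input_t *in, int src, int level)
{
    (void)src;
    irq_input_set(in, level);
}

/* Two-input OR gate: remembers each source's level separately and drives
 * its output with the logical OR, so the output stays asserted while any
 * source is still high. */
typedef struct {
    int lines[2];
    irq_input_t *out;
} or_gate_t;

static void or_gate_set(or_gate_t *g, int src, int level)
{
    g->lines[src] = level;
    irq_input_set(g->out, g->lines[0] || g->lines[1]);
}

/* Sequence from the commit message: line 0 high, line 1 high, line 0 low.
 * With direct wiring the input ends at level 0 and records a falling edge
 * even though line 1 is still asserting. */
irq_input_t scenario_direct(void)
{
    irq_input_t in = {0, 0};
    direct_set(&in, 0, 1);
    direct_set(&in, 1, 1);
    direct_set(&in, 0, 0);
    return in;
}

/* Same sequence through the OR gate: the input stays at level 1 and sees
 * no falling edge, which is the electrically correct behaviour. */
irq_input_t scenario_or_gate(void)
{
    irq_input_t in = {0, 0};
    or_gate_t gate = {{0, 0}, &in};
    or_gate_set(&gate, 0, 1);
    or_gate_set(&gate, 1, 1);
    or_gate_set(&gate, 0, 0);
    return in;
}

int main(void)
{
    irq_input_t d = scenario_direct();
    irq_input_t o = scenario_or_gate();

    printf("direct wiring : level=%d falling_edges=%d\n",
           d.level, d.falling_edges);
    printf("through OR gate: level=%d falling_edges=%d\n",
           o.level, o.falling_edges);
    return 0;
}
```

The direct-wiring run ends with the input low and one spurious falling edge, which is exactly the "high-to-low transition even though the second IRQ line should still be holding it high" the patch describes; the OR gate run ends high with no edge. In QEMU the same role is played by TYPE_OR_IRQ with "num-lines" set to 2, as the hunk above wires it.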




[PULL 3/5] target/m68k: remove useless qregs array

2020-12-12 Thread Laurent Vivier
They are unused since the target has been converted to TCG.

Fixes: e1f3808e03f7 ("Convert m68k target to TCG.")
Signed-off-by: Laurent Vivier 
Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Thomas Huth 
Message-Id: <20201022203000.1922749-2-laur...@vivier.eu>
---
 target/m68k/cpu.h | 4 
 1 file changed, 4 deletions(-)

diff --git a/target/m68k/cpu.h b/target/m68k/cpu.h
index 521ac67cdd04..9a6f0400fcfe 100644
--- a/target/m68k/cpu.h
+++ b/target/m68k/cpu.h
@@ -33,8 +33,6 @@
 #define OS_PACKED   6
 #define OS_UNSIZED  7
 
-#define MAX_QREGS 32
-
 #define EXCP_ACCESS 2   /* Access (MMU) error.  */
 #define EXCP_ADDRESS3   /* Address error.  */
 #define EXCP_ILLEGAL4   /* Illegal instruction.  */
@@ -139,8 +137,6 @@ typedef struct CPUM68KState {
 int pending_vector;
 int pending_level;
 
-uint32_t qregs[MAX_QREGS];
-
 /* Fields up to this point are cleared by a CPU reset */
 struct {} end_reset_fields;
 
-- 
2.29.2




Re: [RFC PATCH v4] compiler.h: remove GCC < 3 __builtin_expect fallback

2020-12-12 Thread Marc-André Lureau
Hi

On Fri, Dec 11, 2020 at 5:41 PM Philippe Mathieu-Daudé 
wrote:

> On 12/11/20 2:33 PM, Peter Maydell wrote:
> > On Fri, 11 Dec 2020 at 13:13, Philippe Mathieu-Daudé 
> wrote:
> >>
> >> Since commit efc6c07 ("configure: Add a test for the minimum compiler
> >> version"), QEMU explicitly depends on GCC >= 4.8.
> >>
> >> (clang >= 3.4 advertizes itself as GCC >= 4.2 compatible and supports
> >> __builtin_expect too)
> >>
> >> Signed-off-by: Marc-André Lureau 
> >> [PMD: #error if likely/unlikely already defined]
> >> Signed-off-by: Philippe Mathieu-Daudé 
> >> ---
> >> Supersedes: <20201210134752.780923-4-marcandre.lur...@redhat.com>
> >> ---
> >>  include/qemu/compiler.h | 7 ++-
> >>  1 file changed, 2 insertions(+), 5 deletions(-)
> >>
> >> diff --git a/include/qemu/compiler.h b/include/qemu/compiler.h
> >> index c76281f3540..ae1aee79c8d 100644
> >> --- a/include/qemu/compiler.h
> >> +++ b/include/qemu/compiler.h
> >> @@ -43,14 +43,11 @@
> >>  #define tostring(s)#s
> >>  #endif
> >>
> >> -#ifndef likely
> >> -#if __GNUC__ < 3
> >> -#define __builtin_expect(x, n) (x)
> >> +#if defined(likely) || defined(unlikely)
> >> +#error building with likely/unlikely is not supported
> >
> > When exactly will the system headers have 'likely' defined,
> > and when would they define it to something other than the
> > obvious __builtin_expect() definition the way we do?
>
> Since there was a check, I tried to be extra-cautious
> (better safe than sorry).
>
> > likely() and unlikely() in my view fall into a category of
> > macros like "container_of()" which aren't defined by a system
> > header but which do have a standard known set of semantics.
> >
> > I think there are two reasonable approaches:
> >  (1) just define the macro, on the assumption that the
> > system headers won't have done (because these aren't standard
> > macros)
> >  (2) as we do with container_of() currently, wrap our
> > definitions in #ifndef whatever, so that we assume that
> > whatever version we might have got from the system is fine
> >
> > I don't think there's any point in explicitly #error-ing here:
> > in fact, it makes the diagnostic to the user less useful,
> > because instead of the compiler complaining about the macro
> > being defined twice and giving both locations where it was
> > defined, now it won't tell the user where the other definition
> > was...
>
> "diagnostic less useful" is a good reason (to invalidate this
> patch).
>
> > I think my preference would be "just drop the ifdef", but
> > there isn't much in it really.
>
> Yes, let's stick to Marc-André v3.
>
> Thanks for your review!
>

Ok to r-b v3 then?
thanks



-- 
Marc-André Lureau


Re: [PATCH V2 08/14] m68k/: fix some comment spelling errors

2020-12-12 Thread Laurent Vivier
Le 09/10/2020 à 08:44, zhaolichang a écrit :
> I found that there are many spelling errors in the comments of 
> qemu/target/m68k.
> I used spellcheck to check the spelling errors and found some errors in the 
> folder.
> 
> Signed-off-by: zhaolichang 
> Reviewed-by: David Edmondson 
> Reviewed-by: Philippe Mathieu-Daude
> Reviewed-by: Laurent Vivier
> ---
>  target/m68k/translate.c | 16 
>  1 file changed, 8 insertions(+), 8 deletions(-)
> 

Applied to my m68k-for-6.0 branch

Thanks,
Laurent




Re: [PATCH v3 11/13] compiler: remove GNUC check

2020-12-12 Thread Marc-André Lureau
On Thu, Dec 10, 2020 at 6:14 PM  wrote:

> From: Marc-André Lureau 
>
> QEMU requires Clang or GCC, that define and support __GNUC__ extensions.
>
> Signed-off-by: Marc-André Lureau 
> ---
>  include/qemu/compiler.h | 8 +---
>  1 file changed, 1 insertion(+), 7 deletions(-)
>
> diff --git a/include/qemu/compiler.h b/include/qemu/compiler.h
> index 6212295e52..5e6cf2c8e8 100644
> --- a/include/qemu/compiler.h
> +++ b/include/qemu/compiler.h
> @@ -64,14 +64,10 @@
>  (offsetof(container, field) + sizeof_field(container, field))
>
>  /* Convert from a base type to a parent type, with compile time
> checking.  */
> -#ifdef __GNUC__
>  #define DO_UPCAST(type, field, dev) ( __extension__ ( { \
>  char __attribute__((unused)) offset_must_be_zero[ \
>  -offsetof(type, field)]; \
>  container_of(dev, type, field);}))
> -#else
> -#define DO_UPCAST(type, field, dev) container_of(dev, type, field)
> -#endif
>
>  #define typeof_field(type, field) typeof(((type *)0)->field)
>  #define type_check(t1,t2) ((t1*)0 - (t2*)0)
> @@ -102,7 +98,7 @@
>  #if defined(__clang__)
>  /* clang doesn't support gnu_printf, so use printf. */
>  # define GCC_FMT_ATTR(n, m) __attribute__((format(printf, n, m)))
> -#elif defined(__GNUC__)
> +#else
>  /* Use gnu_printf (qemu uses standard format strings). */
>  # define GCC_FMT_ATTR(n, m) __attribute__((format(gnu_printf, n, m)))
>  # if defined(_WIN32)
> @@ -112,8 +108,6 @@
>   */
>  #  define __printf__ __gnu_printf__
>  # endif
> -#else
> -#define GCC_FMT_ATTR(n, m)
>  #endif
>
>  #ifndef __has_warning
> --
> 2.29.0
>
>
>
Peter, Paolo, anyone to give a review?
thanks


-- 
Marc-André Lureau


Re: [PATCH 3/4] default-configs: Support o32 ABI with 64-bit MIPS CPUs

2020-12-12 Thread Fredrik Noring
On Thu, Nov 19, 2020 at 04:45:29PM +, Maciej W. Rozycki wrote:
> On Thu, 19 Nov 2020, Philippe Mathieu-Daudé wrote:
> 
> > MIPS o32 ABI on 64-bit CPUs looks like a ILP32-on-64bit data
> > model, allowing 64-bit arithmetic and data movement instructions.
> > 
> > This is the default ABI used by the "Sony Linux Toolkit for
> > Playstation 2".
> 
>  Please don't, not at least with a generic configuration (i.e. make it 
> unambiguous that this is R5900-specific).  This only works with R5900 
> because it does not implement the MIPS ISA correctly (e.g. see what $ra is 
> set to with JAL/JALR/etc. in the kernel mode), and it is not supported by 
> the standard Linux ABI.  Use n32 instead, which has the same functionality 
> and is standard (and is also a better ABI in terms of performance).
> 
>  You'd probably need to implement all the R5900 addressing quirks for your 
> proposed hack to match hardware, or otherwise you'll end up with emulation 
> that creates its own reality.

I agree. Modern Linux kernel and GCC are important too. It seems both o32
and n32, with quirks, are generally accepted, but R5900 MMIs and other
special features are less clear:

For example, given the fact that the 128-bit MMIs are unconditionally
executable on R5900 hardware, a user may be forgiven to believe that they
always work. But unless the Linux kernel restores 128-bit registers in its
operating mode switches, which could be o32, there will be silent data
corruption (and ensuing frustration).

(For this reason I favour full register restores in all operating modes.)

Fredrik



Re: [PATCH V2 08/14] m68k/: fix some comment spelling errors

2020-12-12 Thread Philippe Mathieu-Daudé
Hi Laurent,

On Sat, Dec 12, 2020 at 6:11 PM Laurent Vivier  wrote:
> Le 09/10/2020 à 08:44, zhaolichang a écrit :
> > I found that there are many spelling errors in the comments of 
> > qemu/target/m68k.
> > I used spellcheck to check the spelling errors and found some errors in the 
> > folder.
> >
> > Signed-off-by: zhaolichang 
> > Reviewed-by: David Edmondson 
> > Reviewed-by: Philippe Mathieu-Daude

Do you mind replacing this line by:
Reviewed-by: Philippe Mathieu-Daudé 

Thanks,

Phil.

> > Reviewed-by: Laurent Vivier
> > ---
> >  target/m68k/translate.c | 16 
> >  1 file changed, 8 insertions(+), 8 deletions(-)
> >
>
> Applied to my m68k-for-6.0 branch
>
> Thanks,
> Laurent
>



Re: [PATCH 5/8] hw/ppc/sam460ex: Drop use of ppcuic_init()

2020-12-12 Thread BALATON Zoltan via

On Sat, 12 Dec 2020, Peter Maydell wrote:

Switch the sam460ex board to directly creating and configuring the
UIC, rather than doing it via the old ppcuic_init() helper function.

Signed-off-by: Peter Maydell 
---
hw/ppc/sam460ex.c | 70 ---
1 file changed, 54 insertions(+), 16 deletions(-)


More than 3 times as much as before; qdev seems to be overly verbose and 
less readable, but if that's the preferred way then so be it.



diff --git a/hw/ppc/sam460ex.c b/hw/ppc/sam460ex.c
index 14e6583eb0d..9cf7aad3833 100644
--- a/hw/ppc/sam460ex.c
+++ b/hw/ppc/sam460ex.c
@@ -39,6 +39,7 @@
#include "hw/usb/hcd-ehci.h"
#include "hw/ppc/fdt.h"
#include "hw/qdev-properties.h"
+#include "hw/intc/ppc-uic.h"

#include 

@@ -281,7 +282,6 @@ static void sam460ex_init(MachineState *machine)
hwaddr ram_bases[SDRAM_NR_BANKS] = {0};
hwaddr ram_sizes[SDRAM_NR_BANKS] = {0};
MemoryRegion *l2cache_ram = g_new(MemoryRegion, 1);
-qemu_irq *irqs, *uic[4];
PCIBus *pci_bus;
PowerPCCPU *cpu;
CPUPPCState *env;
@@ -293,6 +293,9 @@ static void sam460ex_init(MachineState *machine)
struct boot_info *boot_info;
uint8_t *spd_data;
int success;
+qemu_irq mal_irqs[4];
+DeviceState *uic[4];
+int i;


Maybe keep this where it was above instead of moving it to the end, and keep 
DeviceState *uic[4]; first so the two others that would be removed later 
are next to each other (just to make patches simpler and keep the order of 
variables, which may be roughly as they appear below).



cpu = POWERPC_CPU(cpu_create(machine->cpu_type));
env = &cpu->env;
@@ -312,13 +315,35 @@ static void sam460ex_init(MachineState *machine)
ppc4xx_plb_init(env);

/* interrupt controllers */
-irqs = g_new0(qemu_irq, PPCUIC_OUTPUT_NB);
-irqs[PPCUIC_OUTPUT_INT] = ((qemu_irq *)env->irq_inputs)[PPC40x_INPUT_INT];
-irqs[PPCUIC_OUTPUT_CINT] = ((qemu_irq 
*)env->irq_inputs)[PPC40x_INPUT_CINT];


Unrelated to this, but I wonder why we need these casts. Could we just 
define env->irq_inputs as a qemu_irq array in the first place? It's now void 
**, which according to the comment next to it may be because it once may 
have been used for different implementations, but by now maybe it's only 
used for what its name implies? I haven't checked whether it could be 
cleaned up; just raising it if anyone's interested in having a look, as there 
are such casts in a lot of other places too.



-uic[0] = ppcuic_init(env, irqs, 0xc0, 0, 1);
-uic[1] = ppcuic_init(env, &uic[0][30], 0xd0, 0, 1);
-uic[2] = ppcuic_init(env, &uic[0][10], 0xe0, 0, 1);
-uic[3] = ppcuic_init(env, &uic[0][16], 0xf0, 0, 1);
+for (i = 0; i < ARRAY_SIZE(uic); i++) {
+SysBusDevice *sbd;


There's already a SysBusDevice *sbdev; defined for similar cases that you 
could reuse here.



+/*
+ * Number of the first of the two consecutive IRQ inputs on UIC 0
+ * to connect the INT and CINT outputs of UIC n to. The entry


This comment confused me a bit; while it's precise, is it possible to say 
it in a simpler way? I think these are how uic[1-3] are cascaded through 
uic[0], similar to how the PICs in a PC are cascaded.



+ * for UIC 0 is ignored, because it connects to the CPU.
+ */
+const int input_ints[] = { -1, 30, 10, 16 };
+
+uic[i] = qdev_new(TYPE_PPC_UIC);
+sbd = SYS_BUS_DEVICE(uic[i]);
+
+qdev_prop_set_uint32(uic[i], "dcr-base", 0xc0 + i * 0x10);
+object_property_set_link(OBJECT(uic[i]), "cpu", OBJECT(cpu),
+ &error_fatal);
+sysbus_realize_and_unref(sbd, &error_fatal);
+
+if (i == 0) {
+sysbus_connect_irq(sbd, PPCUIC_OUTPUT_INT,
+   ((qemu_irq 
*)env->irq_inputs)[PPC40x_INPUT_INT]);
+sysbus_connect_irq(sbd, PPCUIC_OUTPUT_CINT,
+   ((qemu_irq 
*)env->irq_inputs)[PPC40x_INPUT_CINT]);
+} else {
+sysbus_connect_irq(sbd, PPCUIC_OUTPUT_INT,
+   qdev_get_gpio_in(uic[0], input_ints[i]));
+sysbus_connect_irq(sbd, PPCUIC_OUTPUT_INT,
+   qdev_get_gpio_in(uic[0], input_ints[i] + 1));
+}
+}

/* SDRAM controller */
/* put all RAM on first bank because board has one slot
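Review bot: in the else branch at the end of this hunk both sysbus_connect_irq() calls wire PPCUIC_OUTPUT_INT, so the CINT output of UIC 1..3 is never connected and the second call replaces the first connection of INT with input input_ints[i] + 1. The comment above the input_ints table says the two consecutive inputs are for INT and CINT, so the second call should read `sysbus_connect_irq(sbd, PPCUIC_OUTPUT_CINT, qdev_get_gpio_in(uic[0], input_ints[i] + 1));`. Separately, input_ints is declared inside the loop body; a static const table outside the loop would avoid re-initialising it on every iteration.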
@@ -331,7 +356,8 @@ static void sam460ex_init(MachineState *machine)
  ram_bases, ram_sizes, 1);

/* IIC controllers and devices */
-dev = sysbus_create_simple(TYPE_PPC4xx_I2C, 0x4ef600700, uic[0][2]);
+dev = sysbus_create_simple(TYPE_PPC4xx_I2C, 0x4ef600700,
+   qdev_get_gpio_in(uic[0], 2));
i2c = PPC4xx_I2C(dev)->bus;
/* SPD EEPROM on RAM module */
spd_data = spd_data_generate(ram_sizes[0] < 128 * MiB ? DDR : DDR2,
@@ -341,7 +367,8 @@ static void sam460ex_init(MachineState *machine)
/* RTC */
i2c_slave_create_simple(i2c, "m41t80", 0x68);

Re: [PATCH 2/8] ppc: Convert PPC UIC to a QOM device

2020-12-12 Thread BALATON Zoltan via

On Sat, 12 Dec 2020, Peter Maydell wrote:

Currently the PPC UIC ("Universal Interrupt Controller") is implemented
as a non-QOM device in ppc4xx_devs.c. Convert it to a proper QOM device
in hw/intc.

The ppcuic_init() function is retained for the moment with its current
interface; in subsequent commits this will be tidied up to avoid the
allocation of an irq array.

This conversion adds VMState support.

It leaves the LOG_UIC() macro as-is to maximise the extent to which
this is simply code-movement rather than a rewrite (in new code it
would be better to use tracepoints).

The default property values for dcr-base and use-vectors are set to
match those use by most of our boards with a UIC.


Would this be easier to review if it were split into two patches, first doing 
the conversion in place, then another just moving the code? Maybe we 
could spot problems more easily that way?


Regards,
BALATON Zoltan


Signed-off-by: Peter Maydell 
---
include/hw/intc/ppc-uic.h |  73 +
hw/intc/ppc-uic.c | 321 ++
hw/ppc/ppc4xx_devs.c  | 267 ---
MAINTAINERS   |   2 +
hw/intc/Kconfig   |   3 +
hw/intc/meson.build   |   1 +
hw/ppc/Kconfig|   1 +
7 files changed, 431 insertions(+), 237 deletions(-)
create mode 100644 include/hw/intc/ppc-uic.h
create mode 100644 hw/intc/ppc-uic.c

diff --git a/include/hw/intc/ppc-uic.h b/include/hw/intc/ppc-uic.h
new file mode 100644
index 000..e614e2ffd80
--- /dev/null
+++ b/include/hw/intc/ppc-uic.h
@@ -0,0 +1,73 @@
+/*
+ * "Universal" Interrupt Controller for PowerPPC 4xx embedded processors
+ *
+ * Copyright (c) 2007 Jocelyn Mayer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to 
deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#ifndef HW_INTC_PPC_UIC_H
+#define HW_INTC_PPC_UIC_H
+
+#include "hw/sysbus.h"
+#include "qom/object.h"
+
+#define TYPE_PPC_UIC "ppc-uic"
+OBJECT_DECLARE_SIMPLE_TYPE(PPCUIC, PPC_UIC)
+
+/*
+ * QEMU interface:
+ * QOM property "cpu": link to the PPC CPU
+ *(no default, must be set)
+ * QOM property "dcr-base": base of the bank of DCR registers for the UIC
+ *(default 0x30)
+ * QOM property "use-vectors": true if the UIC has vector registers
+ *(default true)
+ * unnamed GPIO inputs 0..UIC_MAX_IRQ: input IRQ lines
+ * sysbus IRQs:
+ *  0 (PPCUIC_OUTPUT_INT): output INT line to the CPU
+ *  1 (PPCUIC_OUTPUT_CINT): output CINT line to the CPU
+ */
+
+#define UIC_MAX_IRQ 32
+
+struct PPCUIC {
+/*< private >*/
+SysBusDevice parent_obj;
+
+/*< public >*/
+qemu_irq output_int;
+qemu_irq output_cint;
+
+/* properties */
+CPUState *cpu;
+uint32_t dcr_base;
+bool use_vectors;
+
+uint32_t level;  /* Remembers the state of level-triggered interrupts. */
+uint32_t uicsr;  /* Status register */
+uint32_t uicer;  /* Enable register */
+uint32_t uiccr;  /* Critical register */
+uint32_t uicpr;  /* Polarity register */
+uint32_t uictr;  /* Triggering register */
+uint32_t uicvcr; /* Vector configuration register */
+uint32_t uicvr;
+};
+
+#endif
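Review bot: the interface comment's "unnamed GPIO inputs 0..UIC_MAX_IRQ" reads as an inclusive range of 33 lines, while UIC_MAX_IRQ is 32 and the status/enable/polarity registers are 32-bit; state the range as 0..UIC_MAX_IRQ-1 to avoid an off-by-one reading. Also, uicvr is the only register field without a trailing comment (Vector register), and "PowerPPC" in the file header comment looks like a typo for "PowerPC" carried over from the moved code.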
diff --git a/hw/intc/ppc-uic.c b/hw/intc/ppc-uic.c
new file mode 100644
index 000..b21951eea83
--- /dev/null
+++ b/hw/intc/ppc-uic.c
@@ -0,0 +1,321 @@
+/*
+ * "Universal" Interrupt Controller for PowerPPC 4xx embedded processors
+ *
+ * Copyright (c) 2007 Jocelyn Mayer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to 
deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of 

Re: [PATCH v3 11/13] compiler: remove GNUC check

2020-12-12 Thread Peter Maydell
On Thu, 10 Dec 2020 at 13:50,  wrote:
>
> From: Marc-André Lureau 
>
> QEMU requires Clang or GCC, that define and support __GNUC__ extensions.
>
> Signed-off-by: Marc-André Lureau 
> ---
>  include/qemu/compiler.h | 8 +---
>  1 file changed, 1 insertion(+), 7 deletions(-)


Reviewed-by: Peter Maydell 

thanks
-- PMM



Re: [PATCH V2 08/14] m68k/: fix some comment spelling errors

2020-12-12 Thread Laurent Vivier
Le 12/12/2020 à 18:56, Philippe Mathieu-Daudé a écrit :
> Hi Laurent,
> 
> On Sat, Dec 12, 2020 at 6:11 PM Laurent Vivier  wrote:
>> Le 09/10/2020 à 08:44, zhaolichang a écrit :
>>> I found that there are many spelling errors in the comments of 
>>> qemu/target/m68k.
>>> I used spellcheck to check the spelling errors and found some errors in the 
>>> folder.
>>>
>>> Signed-off-by: zhaolichang 
>>> Reviewed-by: David Edmondson 
>>> Reviewed-by: Philippe Mathieu-Daude
> 
> Do you mind replacing this line by:
> Reviewed-by: Philippe Mathieu-Daudé 
> 

Sorry, too late...

Laurent



[PATCH 0/2] sparc/leon3: Make grlib-irqmp handle its own inbound IRQ lines

2020-12-12 Thread Peter Maydell
Currently the GRLIB_IRQMP device is used in one place (the leon3
board), but instead of the device providing inbound gpio lines for
the board to wire up, the board code itself calls
qemu_allocate_irqs() with the handler function being a set_irq
function defined in the code for the device.

Patch one in this series refactors this into the standard setup of a
device having input gpio lines.  The main motivation here is that it
squashes a trivial Coverity memory leak warning.  Patch two just
removes a stray unused typedef that I noticed in passing.

Incidentally I suspect the irqmp_ack logic could also be done more
neatly, but I didn't feel like getting into that at this point.

Tested by booting the 'buildroot' image downloadable from
https://www.gaisler.com/anonftp/linux/linux-2.6/images/leon-linux-4.9/leon-linux-4.9-1.0/up/
and runnable with
 ./build/sparc-all/qemu-system-sparc -M leon3_generic -display none -serial stdio -kernel image.ram


thanks
-- PMM

Peter Maydell (2):
  hw/sparc: Make grlib-irqmp device handle its own inbound IRQ lines
  include/hw/sparc/grlib.h: Remove unused set_pil_in_fn typedef

 include/hw/sparc/grlib.h |  4 
 hw/intc/grlib_irqmp.c|  5 -
 hw/sparc/leon3.c | 21 +
 3 files changed, 13 insertions(+), 17 deletions(-)

-- 
2.20.1




Re: [PATCH V2 08/14] m68k/: fix some comment spelling errors

2020-12-12 Thread Philippe Mathieu-Daudé
On Sat, Dec 12, 2020 at 8:58 PM Laurent Vivier  wrote:
> Le 12/12/2020 à 18:56, Philippe Mathieu-Daudé a écrit :
> > Hi Laurent,
> >
> > On Sat, Dec 12, 2020 at 6:11 PM Laurent Vivier  wrote:
> >> Le 09/10/2020 à 08:44, zhaolichang a écrit :
> >>> I found that there are many spelling errors in the comments of 
> >>> qemu/target/m68k.
> >>> I used spellcheck to check the spelling errors and found some errors in 
> >>> the folder.
> >>>
> >>> Signed-off-by: zhaolichang 
> >>> Reviewed-by: David Edmondson 
> >>> Reviewed-by: Philippe Mathieu-Daude
> >
> > Do you mind replacing this line by:
> > Reviewed-by: Philippe Mathieu-Daudé 
> >
>
> Sorry, too late...

No problem, mojibake happens, not a big deal.

Thanks anyway :)

Phil.



[PATCH 2/2] include/hw/sparc/grlib.h: Remove unused set_pil_in_fn typedef

2020-12-12 Thread Peter Maydell
The grlib.h header defines a set_pil_in_fn typedef which is never
used; remove it.

Signed-off-by: Peter Maydell 
---
 include/hw/sparc/grlib.h | 2 --
 1 file changed, 2 deletions(-)

diff --git a/include/hw/sparc/grlib.h b/include/hw/sparc/grlib.h
index e1d1beaa73f..2104f493f32 100644
--- a/include/hw/sparc/grlib.h
+++ b/include/hw/sparc/grlib.h
@@ -34,8 +34,6 @@
 /* IRQMP */
 #define TYPE_GRLIB_IRQMP "grlib,irqmp"
 
-typedef void (*set_pil_in_fn) (void *opaque, uint32_t pil_in);
-
 void grlib_irqmp_ack(DeviceState *dev, int intno);
 
 /* GPTimer */
-- 
2.20.1




Re: [PATCH v12 00/23] i386 cleanup PART 1

2020-12-12 Thread no-reply
Patchew URL: https://patchew.org/QEMU/20201212155530.23098-1-cfont...@suse.de/



Hi,

This series seems to have some coding style problems. See output below for
more information:

Type: series
Message-id: 20201212155530.23098-1-cfont...@suse.de
Subject: [PATCH v12 00/23] i386 cleanup PART 1

=== TEST SCRIPT BEGIN ===
#!/bin/bash
git rev-parse base > /dev/null || exit 0
git config --local diff.renamelimit 0
git config --local diff.renames True
git config --local diff.algorithm histogram
./scripts/checkpatch.pl --mailback base..
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
From https://github.com/patchew-project/qemu
   a4b307b..ad717e6  master -> master
 - [tag update]  
patchew/20201210134752.780923-1-marcandre.lur...@redhat.com -> 
patchew/20201210134752.780923-1-marcandre.lur...@redhat.com
 - [tag update]  patchew/20201211152426.350966-1-th...@redhat.com -> 
patchew/20201211152426.350966-1-th...@redhat.com
 * [new tag] patchew/20201212155530.23098-1-cfont...@suse.de -> 
patchew/20201212155530.23098-1-cfont...@suse.de
Switched to a new branch 'test'
c993002 cpu: move do_unaligned_access to tcg_ops
1fcfced cpu: move cc->transaction_failed to tcg_ops
cee04d2 cpu: move cc->do_interrupt to tcg_ops
958a66b target/arm: do not use cc->do_interrupt for KVM directly
d6f1e88 cpu: Move debug_excp_handler to tcg_ops
6bd0b6d cpu: Move tlb_fill to tcg_ops
dceed35 cpu: Move cpu_exec_* to tcg_ops
a26bcc5 cpu: Move synchronize_from_tb() to tcg_ops
d2b9509 accel/tcg: split TCG-only code from cpu_exec_realizefn
f9929c6 target/riscv: remove CONFIG_TCG, as it is always TCG
69f0499 cpu: Introduce TCGCpuOperations struct
8b288bd cpu: Remove unnecessary noop methods
a661f58 tcg: Make CPUClass.debug_excp_handler optional
fd59765 tcg: make CPUClass.cpu_exec_* optional
df0bced tcg: cpu_exec_{enter,exit} helpers
302f7ca i386: tcg: remove inline from cpu_load_eflags
c043739 i386: move TCG cpu class initialization to tcg/
cdaa57f i386: move cpu dump out of helper.c into cpu-dump.c
b0ec6c2 i386: move TCG accel files into tcg/
7157bb9 i386: hvf: remove stale MAINTAINERS entry for old hvf stubs
e35e8ed i386: move hax accel files into hax/
8f492a2 i386: move whpx accel files into whpx/
6af631f i386: move kvm accel files into kvm/

=== OUTPUT BEGIN ===
1/23 Checking commit 6af631fd810a (i386: move kvm accel files into kvm/)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#169: 
rename from target/i386/hyperv-proto.h

total: 0 errors, 1 warnings, 150 lines checked

Patch 1/23 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
2/23 Checking commit 8f492a2bf426 (i386: move whpx accel files into whpx/)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#54: 
new file mode 100644

total: 0 errors, 1 warnings, 35 lines checked

Patch 2/23 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
3/23 Checking commit e35e8eda6f11 (i386: move hax accel files into hax/)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#27: 
rename from target/i386/hax-all.c

total: 0 errors, 1 warnings, 47 lines checked

Patch 3/23 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
4/23 Checking commit 7157bb9b1377 (i386: hvf: remove stale MAINTAINERS entry 
for old hvf stubs)
5/23 Checking commit b0ec6c29e4b7 (i386: move TCG accel files into tcg/)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#49: 
rename from target/i386/bpt_helper.c

total: 0 errors, 1 warnings, 39 lines checked

Patch 5/23 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
6/23 Checking commit cdaa57f74dd0 (i386: move cpu dump out of helper.c into 
cpu-dump.c)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#13: 
new file mode 100644

ERROR: braces {} are necessary for all arms of this statement
#130: FILE: target/i386/cpu-dump.c:113:
+if (!(env->hflags & HF_PE_MASK) || !(sc->flags & DESC_P_MASK))
[...]

WARNING: Block comments use a leading /* on a separate line
#174: FILE: target/i386/cpu-dump.c:157:
+/* ARRAY_SIZE check is not required because

WARNING: Block comments use a leading /* on a separate line
#213: FILE: target/i386/cpu-dump.c:196:
+/* ARRAY_SIZE check is not required because

ERROR: line over 90 characters
#375: FILE: target/i386/cpu-dump.c:358:
+qemu_fprintf(f, "RAX=%016" PRIx64 " RBX=%016" PRIx64 " RCX=%016" 
PRIx64 " RDX=%016" PRIx64 "\n"

ERROR: line over 90 characters
#376: FILE: target/i386/cpu-dump.c:359:
+ "RSI=%016" PRIx64 " RDI=%016" PRIx64 " RBP=%016" PRIx64 " 
RSP=%016" PRIx64 "\n"

ERROR: line over 90 characters
#

[PATCH 1/2] hw/sparc: Make grlib-irqmp device handle its own inbound IRQ lines

2020-12-12 Thread Peter Maydell
Currently the GRLIB_IRQMP device is used in one place (the leon3 board),
but instead of the device providing inbound gpio lines for the board
to wire up, the board code itself calls qemu_allocate_irqs() with
the handler function being a set_irq function defined in the code
for the device.

Refactor this into the standard setup of a device having input
gpio lines.

This fixes a trivial Coverity memory leak report (the leon3
board code leaks the IRQ array returned from qemu_allocate_irqs()).

Fixes: Coverity CID 1421922
Signed-off-by: Peter Maydell 
---
 include/hw/sparc/grlib.h |  2 --
 hw/intc/grlib_irqmp.c|  5 -
 hw/sparc/leon3.c | 21 +
 3 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/include/hw/sparc/grlib.h b/include/hw/sparc/grlib.h
index 78b6178fcd8..e1d1beaa73f 100644
--- a/include/hw/sparc/grlib.h
+++ b/include/hw/sparc/grlib.h
@@ -36,8 +36,6 @@
 
 typedef void (*set_pil_in_fn) (void *opaque, uint32_t pil_in);
 
-void grlib_irqmp_set_irq(void *opaque, int irq, int level);
-
 void grlib_irqmp_ack(DeviceState *dev, int intno);
 
 /* GPTimer */
diff --git a/hw/intc/grlib_irqmp.c b/hw/intc/grlib_irqmp.c
index ffec4a07eec..984334fa7bf 100644
--- a/hw/intc/grlib_irqmp.c
+++ b/hw/intc/grlib_irqmp.c
@@ -51,6 +51,8 @@
 #define FORCE_OFFSET 0x80
 #define EXTENDED_OFFSET  0xC0
 
+#define MAX_PILS 16
+
 OBJECT_DECLARE_SIMPLE_TYPE(IRQMP, GRLIB_IRQMP)
 
 typedef struct IRQMPState IRQMPState;
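Review bot: MAX_PILS is moved into the device file as a bare `#define MAX_PILS 16` with no comment; since it now sizes the device's inbound GPIO array (see the grlib_irqmp_init hunk), a one-line comment that it is the number of SPARC processor interrupt levels (PIL 0..15) would document why 16 is the right count.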
@@ -126,7 +128,7 @@ void grlib_irqmp_ack(DeviceState *dev, int intno)
 grlib_irqmp_ack_mask(state, mask);
 }
 
-void grlib_irqmp_set_irq(void *opaque, int irq, int level)
+static void grlib_irqmp_set_irq(void *opaque, int irq, int level)
 {
 IRQMP  *irqmp = GRLIB_IRQMP(opaque);
 IRQMPState *s;
@@ -328,6 +330,7 @@ static void grlib_irqmp_init(Object *obj)
 IRQMP *irqmp = GRLIB_IRQMP(obj);
 SysBusDevice *dev = SYS_BUS_DEVICE(obj);
 
+qdev_init_gpio_in(DEVICE(obj), grlib_irqmp_set_irq, MAX_PILS);
 qdev_init_gpio_out_named(DEVICE(obj), &irqmp->irq, "grlib-irq", 1);
 memory_region_init_io(&irqmp->iomem, obj, &grlib_irqmp_ops, irqmp,
   "irqmp", IRQMP_REG_SIZE);
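Review bot: this hunk registers MAX_PILS inbound lines dispatched to grlib_irqmp_set_irq(), whose body is outside the diff; the bound previously lived with the board's qemu_allocate_irqs(grlib_irqmp_set_irq, dev, MAX_PILS) call that leon3.c drops below, so please confirm the handler still validates irq against MAX_PILS now that the device owns the limit.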
diff --git a/hw/sparc/leon3.c b/hw/sparc/leon3.c
index 4bc4ebea841..7e16eea9e67 100644
--- a/hw/sparc/leon3.c
+++ b/hw/sparc/leon3.c
@@ -52,8 +52,6 @@
 #define LEON3_PROM_OFFSET(0x)
 #define LEON3_RAM_OFFSET (0x4000)
 
-#define MAX_PILS 16
-
 #define LEON3_UART_OFFSET  (0x8100)
 #define LEON3_UART_IRQ (3)
 
@@ -194,11 +192,10 @@ static void leon3_generic_hw_init(MachineState *machine)
 MemoryRegion *prom = g_new(MemoryRegion, 1);
 int ret;
 char   *filename;
-qemu_irq   *cpu_irqs = NULL;
 int bios_size;
 int prom_size;
 ResetData  *reset_info;
-DeviceState *dev;
+DeviceState *dev, *irqmpdev;
 int i;
 AHBPnp *ahb_pnp;
 APBPnp *apb_pnp;
@@ -230,16 +227,15 @@ static void leon3_generic_hw_init(MachineState *machine)
 GRLIB_AHB_SLAVE, GRLIB_AHBMEM_AREA);
 
 /* Allocate IRQ manager */
-dev = qdev_new(TYPE_GRLIB_IRQMP);
+irqmpdev = qdev_new(TYPE_GRLIB_IRQMP);
 qdev_init_gpio_in_named_with_opaque(DEVICE(cpu), leon3_set_pil_in,
 env, "pil", 1);
-qdev_connect_gpio_out_named(dev, "grlib-irq", 0,
+qdev_connect_gpio_out_named(irqmpdev, "grlib-irq", 0,
 qdev_get_gpio_in_named(DEVICE(cpu), "pil", 0));
-sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
-sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, LEON3_IRQMP_OFFSET);
-env->irq_manager = dev;
+sysbus_realize_and_unref(SYS_BUS_DEVICE(irqmpdev), &error_fatal);
+sysbus_mmio_map(SYS_BUS_DEVICE(irqmpdev), 0, LEON3_IRQMP_OFFSET);
+env->irq_manager = irqmpdev;
 env->qemu_irq_ack = leon3_irq_manager;
-cpu_irqs = qemu_allocate_irqs(grlib_irqmp_set_irq, dev, MAX_PILS);
 grlib_apb_pnp_add_entry(apb_pnp, LEON3_IRQMP_OFFSET, 0xFFF,
 GRLIB_VENDOR_GAISLER, GRLIB_IRQMP_DEV,
 2, 0, GRLIB_APBIO_AREA);
@@ -330,7 +326,7 @@ static void leon3_generic_hw_init(MachineState *machine)
 sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, LEON3_TIMER_OFFSET);
 for (i = 0; i < LEON3_TIMER_COUNT; i++) {
 sysbus_connect_irq(SYS_BUS_DEVICE(dev), i,
-   cpu_irqs[LEON3_TIMER_IRQ + i]);
+   qdev_get_gpio_in(irqmpdev, LEON3_TIMER_IRQ + i));
 }
 
 grlib_apb_pnp_add_entry(apb_pnp, LEON3_TIMER_OFFSET, 0xFFF,
@@ -342,7 +338,8 @@ static void leon3_generic_hw_init(MachineState *machine)
 qdev_prop_set_chr(dev, "chrdev", serial_hd(0));
 sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
 sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, LEON3_UART_OFFSET);
-sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, cpu_irqs[LEON3_UART_IRQ]);
+sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0,

Re: [PULL 00/34] Block layer patches

2020-12-12 Thread Peter Maydell
On Fri, 11 Dec 2020 at 17:08, Kevin Wolf  wrote:
>
> The following changes since commit b785d25e91718a660546a6550f64b3c543af7754:
>
>   Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' 
> into staging (2020-12-11 13:50:35 +)
>
> are available in the Git repository at:
>
>   git://repo.or.cz/qemu/kevin.git tags/for-upstream
>
> for you to fetch changes up to 960d5fb3e8ee09bc5f1a5c84f66dce42a6cef920:
>
>   block: Fix deadlock in bdrv_co_yield_to_drain() (2020-12-11 17:52:40 +0100)
>
> 
> Block layer patches:
>
> - Support for FUSE exports
> - Fix deadlock in bdrv_co_yield_to_drain()
> - Use lock guard macros
> - Some preparational patches for 64 bit block layer
> - file-posix: Fix request extension to INT64_MAX in raw_do_pwrite_zeroes()
>



Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/6.0
for any user-visible changes.

-- PMM



Re: [PATCH v11 18/25] cpu: Move synchronize_from_tb() to tcg_ops

2020-12-12 Thread Claudio Fontana
On 12/12/20 11:00 AM, Claudio Fontana wrote:
> On 12/11/20 9:02 PM, Eduardo Habkost wrote:
>> On Fri, Dec 11, 2020 at 07:51:54PM +0100, Claudio Fontana wrote:
>>> On 12/11/20 7:26 PM, Philippe Mathieu-Daudé wrote:
 On 12/11/20 7:22 PM, Richard Henderson wrote:
> On 12/11/20 12:15 PM, Claudio Fontana wrote:
>> Should I return this file to the original state (without the extra 
>> #includes that pretend it to be a standalone header file,
>> and call it
>>
>> tcg-cpu-ops.h.inc
>>
>> ?
>
> If this header can work with qemu/typedefs.h, then no, because the 
> circularity
> has been resolved.  Otherwise, yes.

 My editor got confused with TranslationBlock, which is why I asked
 to include its declaration.

 Easier to forward-declare TranslationBlock in qemu/typedefs.h?

 Regards,

 Phil.

>>>
>>> Hello Philippe,
>>>
>>> ok you propose to move the existing fwd declaration of TranslationBlock 
>>> from cpu.h to qemu/typedefs.h .
>>
>> It seems simpler to just add a
>>
>> typedef struct TranslationBlock TranslationBlock;
>>
>> line to tcg-cpu-ops.h.
>>
>> Or, an even simpler solution: just use `struct TranslationBlock`
>> instead of `TranslationBlock` in the declarations being moved to
>> tcg-cpu-ops.h.
>>
>> We don't need to move declarations to typedefs.h anymore, because
>> now the compilers we support don't warn about typedef
>> redefinitions:
>> https://lore.kernel.org/qemu-devel/20200914134636.gz1618...@habkost.net/
>>
>>
>>>
>>> And what about #include "exec/memattrs.h"?
>>>
>>> I assume you propose to put struct MemTxAttrs there as a fwd declaration 
>>> too,
>>
>> This can't be done, because MemTxAttrs can't be an incomplete
>> type in the code you are moving (the methods get a MemTxAttrs
>> value, not a pointer).
> 
> 
> 
> I'm confused now on what we are trying to do: if we want the file to be a 
> "proper header" or just a TCG-ops-only convenience split of cpu.h.
> 
> I thought that we were only solving a highlighting issue in some editor 
> (Philippe),
> and I wonder if these changes in qemu/typedef.h help with that?
> 
> I tried adding both to qemu/typedef.h, and since cpu.h is the only user of 
> the file, and it already includes memattrs.h, everything is fine.
> 
> But here maybe you are proposing to make it a regular header, and include 
> this instead of just hw/core/cpu.h in the targets?
> 
> I am thinking whether it is the case to scrap this whole mess, make TCGCPUOps 
> a pointer in CPUClass, and in the targets say for example:
> 
> #include "tcg-cpu-ops.h"
> 
> ...
> 
> +static struct TCGCPUOps cris_tcg_ops = {
> +.initialize = cris_initialize_tcg,
> +};
> +
>  static void cris_cpu_class_init(ObjectClass *oc, void *data)
>  {
>  DeviceClass *dc = DEVICE_CLASS(oc);
> @@ -284,7 +292,7 @@ static void cris_cpu_class_init(ObjectClass *oc, void 
> *data)
>  cc->gdb_stop_before_watchpoint = true;
>  
>  cc->disas_set_info = cris_disas_set_info;
> -cc->tcg_ops.initialize = cris_initialize_tcg;
> +cc->tcg_ops = &cris_tcg_ops;
>  }
> 
> 
> What do you all think of this?
> 
> Thanks,
> 
> Claudio

Not sure it solves all problems: the MMUAccessType is still a cpu.h enum, so we 
are back to the circular dependency.
Will try the .inc in the next spin, and I hope that the discussion can go on 
from there, with Eduardo, Philippe and Richard laying out more clearly what 
your requirements are.

Thanks,

Claudio




Re: [PATCH 5/8] hw/ppc/sam460ex: Drop use of ppcuic_init()

2020-12-12 Thread BALATON Zoltan via

On Sat, 12 Dec 2020, Peter Maydell wrote:

Switch the sam460ex board to directly creating and configuring the
UIC, rather than doing it via the old ppcuic_init() helper function.

Signed-off-by: Peter Maydell 
---
hw/ppc/sam460ex.c | 70 ---
1 file changed, 54 insertions(+), 16 deletions(-)

diff --git a/hw/ppc/sam460ex.c b/hw/ppc/sam460ex.c
index 14e6583eb0d..9cf7aad3833 100644
--- a/hw/ppc/sam460ex.c
+++ b/hw/ppc/sam460ex.c
@@ -39,6 +39,7 @@
#include "hw/usb/hcd-ehci.h"
#include "hw/ppc/fdt.h"
#include "hw/qdev-properties.h"
+#include "hw/intc/ppc-uic.h"

#include 

@@ -281,7 +282,6 @@ static void sam460ex_init(MachineState *machine)
hwaddr ram_bases[SDRAM_NR_BANKS] = {0};
hwaddr ram_sizes[SDRAM_NR_BANKS] = {0};
MemoryRegion *l2cache_ram = g_new(MemoryRegion, 1);
-qemu_irq *irqs, *uic[4];
PCIBus *pci_bus;
PowerPCCPU *cpu;
CPUPPCState *env;
@@ -293,6 +293,9 @@ static void sam460ex_init(MachineState *machine)
struct boot_info *boot_info;
uint8_t *spd_data;
int success;
+qemu_irq mal_irqs[4];
+DeviceState *uic[4];
+int i;

cpu = POWERPC_CPU(cpu_create(machine->cpu_type));
env = &cpu->env;
@@ -312,13 +315,35 @@ static void sam460ex_init(MachineState *machine)
ppc4xx_plb_init(env);

/* interrupt controllers */
-irqs = g_new0(qemu_irq, PPCUIC_OUTPUT_NB);
-irqs[PPCUIC_OUTPUT_INT] = ((qemu_irq *)env->irq_inputs)[PPC40x_INPUT_INT];
-irqs[PPCUIC_OUTPUT_CINT] = ((qemu_irq 
*)env->irq_inputs)[PPC40x_INPUT_CINT];
-uic[0] = ppcuic_init(env, irqs, 0xc0, 0, 1);
-uic[1] = ppcuic_init(env, &uic[0][30], 0xd0, 0, 1);
-uic[2] = ppcuic_init(env, &uic[0][10], 0xe0, 0, 1);
-uic[3] = ppcuic_init(env, &uic[0][16], 0xf0, 0, 1);
+for (i = 0; i < ARRAY_SIZE(uic); i++) {
+SysBusDevice *sbd;
+/*
+ * Number of the first of the two consecutive IRQ inputs on UIC 0
+ * to connect the INT and CINT outputs of UIC n to. The entry
+ * for UIC 0 is ignored, because it connects to the CPU.
+ */
+const int input_ints[] = { -1, 30, 10, 16 };
+
+uic[i] = qdev_new(TYPE_PPC_UIC);
+sbd = SYS_BUS_DEVICE(uic[i]);
+
+qdev_prop_set_uint32(uic[i], "dcr-base", 0xc0 + i * 0x10);
+object_property_set_link(OBJECT(uic[i]), "cpu", OBJECT(cpu),
+ &error_fatal);
+sysbus_realize_and_unref(sbd, &error_fatal);
+
+if (i == 0) {
+sysbus_connect_irq(sbd, PPCUIC_OUTPUT_INT,
+   ((qemu_irq 
*)env->irq_inputs)[PPC40x_INPUT_INT]);
+sysbus_connect_irq(sbd, PPCUIC_OUTPUT_CINT,
+   ((qemu_irq 
*)env->irq_inputs)[PPC40x_INPUT_CINT]);
+} else {
+sysbus_connect_irq(sbd, PPCUIC_OUTPUT_INT,
+   qdev_get_gpio_in(uic[0], input_ints[i]));
+sysbus_connect_irq(sbd, PPCUIC_OUTPUT_INT,


OK got it, there's a typo here, this one should be CINT, with that it 
seems to work better.


Regards,
BALATON Zoltan


+   qdev_get_gpio_in(uic[0], input_ints[i] + 1));
+}
+}

/* SDRAM controller */
/* put all RAM on first bank because board has one slot
@@ -331,7 +356,8 @@ static void sam460ex_init(MachineState *machine)
  ram_bases, ram_sizes, 1);

/* IIC controllers and devices */
-dev = sysbus_create_simple(TYPE_PPC4xx_I2C, 0x4ef600700, uic[0][2]);
+dev = sysbus_create_simple(TYPE_PPC4xx_I2C, 0x4ef600700,
+   qdev_get_gpio_in(uic[0], 2));
i2c = PPC4xx_I2C(dev)->bus;
/* SPD EEPROM on RAM module */
spd_data = spd_data_generate(ram_sizes[0] < 128 * MiB ? DDR : DDR2,
@@ -341,7 +367,8 @@ static void sam460ex_init(MachineState *machine)
/* RTC */
i2c_slave_create_simple(i2c, "m41t80", 0x68);

-dev = sysbus_create_simple(TYPE_PPC4xx_I2C, 0x4ef600800, uic[0][3]);
+dev = sysbus_create_simple(TYPE_PPC4xx_I2C, 0x4ef600800,
+   qdev_get_gpio_in(uic[0], 3));

/* External bus controller */
ppc405_ebc_init(env);
@@ -356,7 +383,14 @@ static void sam460ex_init(MachineState *machine)
ppc4xx_sdr_init(env);

/* MAL */
-ppc4xx_mal_init(env, 4, 16, &uic[2][3]);
+/*
+ * TODO if the MAL were a proper QOM device we would not need to
+ * copy its qemu_irqs into an array for ppc4xx_mal_init()'s benefit.
+ */
+for (i = 0; i < ARRAY_SIZE(mal_irqs); i++) {
+mal_irqs[0] = qdev_get_gpio_in(uic[2], 3 + i);
+}
+ppc4xx_mal_init(env, 4, 16, mal_irqs);

/* DMA */
ppc4xx_dma_init(env, 0x200);
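Review bot: the loop body in this hunk assigns mal_irqs[0] on every iteration instead of mal_irqs[i], so only element 0 is set (to the last iteration's value, UIC 2 input 6) and mal_irqs[1..3] are passed to ppc4xx_mal_init() uninitialized; change it to `mal_irqs[i] = qdev_get_gpio_in(uic[2], 3 + i);`.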
@@ -369,21 +403,23 @@ static void sam460ex_init(MachineState *machine)
memory_region_add_subregion(address_space_mem, 0x4LL, l2cache_ram);

/* USB */
-sysbus_create_simple(TYPE_PPC4xx_EHCI, 0x4bffd0400, uic[2][29]);
+sysbus_create_simple(TYPE_PPC4xx_EHCI, 0x4bffd0400,
+   

[Bug 1907909] [NEW] assertion failure in am53c974

2020-12-12 Thread Cheol-Woo,Myung
Public bug reported:

Hello,

Using the hypervisor fuzzer hyfuzz, I found an assertion failure in the
am53c974 emulator.

A malicious guest user/process could use this flaw to abort the QEMU
process on the host, resulting in a denial of service.

This was found in version 5.2.0 (master)


qemu-system-i386: ../hw/scsi/esp.c:402: void esp_do_dma(ESPState *): Assertion 
`s->cmdlen <= sizeof(s->cmdbuf) && len <= sizeof(s->cmdbuf) - s->cmdlen' failed.

#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
51  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
[Current thread is 1 (Thread 0x7fdd25dc4700 (LWP 28983))]
gdb-peda$ bt
#0  0x7fdd3f8b5f47 in __GI_raise (sig=sig@entry=0x6) at 
../sysdeps/unix/sysv/linux/raise.c:51
#1  0x7fdd3f8b78b1 in __GI_abort () at abort.c:79
#2  0x7fdd3f8a742a in __assert_fail_base (fmt=0x7fdd3fa2ea38 "%s%s%s:%u: 
%s%sAssertion `%s' failed.\\n%n", assertion=assertion@entry=0x55b3e11a51c6 
"s->cmdlen <= sizeof(s->cmdbuf) && len <= sizeof(s->cmdbuf) - s->cmdlen", 
file=file@entry=0x55b3e11a4f73 "../hw/scsi/esp.c", line=line@entry=0x192, 
function=function@entry=0x55b3e11a520d "void esp_do_dma(ESPState *)") at 
assert.c:92
#3  0x7fdd3f8a74a2 in __GI___assert_fail (assertion=0x55b3e11a51c6 
"s->cmdlen <= sizeof(s->cmdbuf) && len <= sizeof(s->cmdbuf) - s->cmdlen", 
file=0x55b3e11a4f73 "../hw/scsi/esp.c", line=0x192, function=0x55b3e11a520d 
"void esp_do_dma(ESPState *)") at assert.c:101
#4  0x55b3e0941441 in esp_do_dma (s=0x55b3e49d1c88) at ../hw/scsi/esp.c:401
#5  0x55b3e0944261 in handle_ti (s=0x55b3e49d1c88) at ../hw/scsi/esp.c:549
#6  0x55b3e093fdf9 in esp_dma_enable (s=0x55b3e49d1c88, irq=, level=)
at ../hw/scsi/esp.c:79
#7  0x55b3e0897930 in esp_pci_dma_write (pci=, 
saddr=, val=) at ../hw/scsi/esp-pci.c:83
#8  0x55b3e0897930 in esp_pci_io_write (opaque=, 
addr=, val=0xcf, size=0x4) at ../hw/scsi/esp-pci.c:209
#9  0x55b3e0e8f798 in memory_region_write_accessor (mr=, 
addr=, value=, size=, 
shift=, mask=, attrs=...)
at ../softmmu/memory.c:491
#10 0x55b3e0e8f58e in access_with_adjusted_size (addr=, 
value=, size=, access_size_min=, 
access_size_max=, access_fn=, mr=, 
attrs=...) at ../softmmu/memory.c:552
#11 0x55b3e0e8f58e in memory_region_dispatch_write (mr=0x55b3e49d1b70, 
addr=, data=, op=, attrs=...) at 
../softmmu/memory.c:1501
#12 0x55b3e0e21541 in address_space_stb (as=, 
addr=, val=0xffcf, attrs=..., result=0x0) at 
../memory_ldst.c.inc:382
#13 0x7fdcd84a4a7f in code_gen_buffer ()
#14 0x55b3e0e57da0 in cpu_tb_exec (cpu=0x55b3e3c33650, itb=)
at ../accel/tcg/cpu-exec.c:178
#15 0x55b3e0e589eb in cpu_loop_exec_tb (tb=, cpu=, last_tb=, tb_exit=) at ../accel/tcg/cpu-exec.c:658
#16 0x55b3e0e589eb in cpu_exec (cpu=0x55b3e3c33650) at 
../accel/tcg/cpu-exec.c:771
#17 0x55b3e0e87b9f in tcg_cpu_exec (cpu=) at 
../accel/tcg/tcg-cpus.c:243
#18 0x55b3e0e87b9f in tcg_cpu_thread_fn (arg=0x55b3e3c33650) at 
../accel/tcg/tcg-cpus.c:427
#19 0x55b3e115f775 in qemu_thread_start (args=) at 
../util/qemu-thread-posix.c:521
#20 0x7fdd3fc6f6db in start_thread (arg=0x7fdd25dc4700) at 
pthread_create.c:463
#21 0x7fdd3f998a3f in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:95

To reproduce the assertion failure, please run QEMU with the
following command line.


$ ./qemu-system-i386 -m 512 -drive 
file=./hyfuzz.img,index=0,media=disk,format=raw -device am53c974,id=scsi 
-device scsi-hd,drive=SysDisk -drive id=SysDisk,if=none,file=./disk.img

Please let me know if I can provide any further info.

Thank you.

- Cheolwoo, Myung (Seoul National University)

** Affects: qemu
 Importance: Undecided
 Status: New

** Attachment added: "attachment.zip"
   
https://bugs.launchpad.net/bugs/1907909/+attachment/5443000/+files/attachment.zip

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1907909

Title:
  assertion failure in am53c974

Status in QEMU:
  New

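The assertion quoted in the report above, `s->cmdlen <= sizeof(s->cmdbuf) && len <= sizeof(s->cmdbuf) - s->cmdlen`, is the invariant a device model has to keep when it copies a guest-chosen amount of DMA data into a fixed-size command buffer. The following is an added example, not QEMU's esp.c: it shows the same check written as a recoverable error instead of an abort(), and why the subtract-first form is used rather than `cmdlen + len <= size`, which can wrap around for a large guest-supplied length. The buffer size, the `CmdState` type and the transfer-length sequence are all constructed for the example.

```c
/*
 * Added example (not QEMU code): bounded append of guest-controlled data
 * into a fixed command buffer. The buffer size and all inputs are
 * constructed for illustration; a real device model's sizes differ.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CMDBUF_SIZE 16          /* constructed size for the example */

typedef struct {
    uint8_t cmdbuf[CMDBUF_SIZE];
    size_t  cmdlen;             /* bytes currently queued in cmdbuf */
} CmdState;

/*
 * Naive fit test: cmdlen + len can wrap around when len is huge, so a
 * guest-chosen len of SIZE_MAX passes this check and the copy would
 * overrun the buffer.
 */
static bool fits_naive(size_t cmdlen, size_t len)
{
    return cmdlen + len <= CMDBUF_SIZE;
}

/*
 * Subtract-first form, the same shape as the assertion in the report:
 * no intermediate sum, so nothing can wrap. It relies on the invariant
 * cmdlen <= CMDBUF_SIZE, which is checked first.
 */
static bool fits_safe(size_t cmdlen, size_t len)
{
    return cmdlen <= CMDBUF_SIZE && len <= CMDBUF_SIZE - cmdlen;
}

/*
 * Append len bytes of guest data. Returns false and changes nothing when
 * the request does not fit; a device model would then report an error to
 * the guest instead of aborting the host process.
 */
static bool cmdbuf_append(CmdState *s, const uint8_t *src, size_t len)
{
    if (!fits_safe(s->cmdlen, len)) {
        return false;
    }
    memcpy(s->cmdbuf + s->cmdlen, src, len);
    s->cmdlen += len;
    return true;
}

/*
 * Drive the buffer with a constructed sequence of guest transfer lengths
 * and return how many of them were accepted. Rejected lengths never reach
 * memcpy, so the source chunk can safely be CMDBUF_SIZE bytes.
 */
static int run_guest_sequence(CmdState *s, const size_t *lens, int n)
{
    uint8_t chunk[CMDBUF_SIZE];
    int accepted = 0;

    memset(chunk, 0xaa, sizeof chunk);   /* constructed guest payload */
    memset(s, 0, sizeof *s);
    for (int i = 0; i < n; i++) {
        if (cmdbuf_append(s, chunk, lens[i])) {
            accepted++;
        }
    }
    return accepted;
}
```

With the constructed sequence 6, 6, 6, 4, SIZE_MAX the third and fifth transfers are refused: the third because only four bytes remain, the fifth because the subtract-first check cannot be fooled by wraparound, whereas `fits_naive` accepts it.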

Re: [PATCH 5/8] hw/ppc/sam460ex: Drop use of ppcuic_init()

2020-12-12 Thread Peter Maydell
On Sat, 12 Dec 2020 at 19:53, BALATON Zoltan  wrote:
>
> On Sat, 12 Dec 2020, Peter Maydell wrote:
> > Switch the sam460ex board to directly creating and configuring the
> > UIC, rather than doing it via the old ppcuic_init() helper function.
> >
> > Signed-off-by: Peter Maydell 
> > ---
> > hw/ppc/sam460ex.c | 70 ---
> > 1 file changed, 54 insertions(+), 16 deletions(-)

> > +if (i == 0) {
> > +sysbus_connect_irq(sbd, PPCUIC_OUTPUT_INT,
> > +   ((qemu_irq 
> > *)env->irq_inputs)[PPC40x_INPUT_INT]);
> > +sysbus_connect_irq(sbd, PPCUIC_OUTPUT_CINT,
> > +   ((qemu_irq 
> > *)env->irq_inputs)[PPC40x_INPUT_CINT]);
> > +} else {
> > +sysbus_connect_irq(sbd, PPCUIC_OUTPUT_INT,
> > +   qdev_get_gpio_in(uic[0], input_ints[i]));
> > +sysbus_connect_irq(sbd, PPCUIC_OUTPUT_INT,
>
> OK got it, there's a typo here, this one should be CINT, with that it
> seems to work better.

Oops, yes. Thanks for taking the time to find my bug, I appreciate it.

-- PMM



Re: [PATCH 5/8] hw/ppc/sam460ex: Drop use of ppcuic_init()

2020-12-12 Thread BALATON Zoltan via

On Sat, 12 Dec 2020, Peter Maydell wrote:

On Sat, 12 Dec 2020 at 17:17, BALATON Zoltan  wrote:


On Sat, 12 Dec 2020, Peter Maydell wrote:

Switch the sam460ex board to directly creating and configuring the
UIC, rather than doing it via the old ppcuic_init() helper function.

Signed-off-by: Peter Maydell 
---
hw/ppc/sam460ex.c | 70 ---
1 file changed, 54 insertions(+), 16 deletions(-)


More than 3 times as much as before; qdev seems to be overly verbose and
less readable, but if that's the preferred way then so be it.


Yeah, the boilerplate is sometimes a bit clunky; but the benefits
come from devices all behaving in the same way, being introspectable,
having support for things like VM state save/load, etc.


And the disadvantage is that a typo can hide more easily in there, as we've just 
seen. Recent changes to simplify object creation did improve the boilerplate 
somewhat, but gpios still seem to be a bit obscure and hard to use, so maybe 
if somebody has some idea to improve it that could help. I have no idea 
how it could be made simpler though. Maybe less verbose names or some 
helpers/macros for common ops that hide the verbosity could help 
readability.



diff --git a/hw/ppc/sam460ex.c b/hw/ppc/sam460ex.c
index 14e6583eb0d..9cf7aad3833 100644
--- a/hw/ppc/sam460ex.c
+++ b/hw/ppc/sam460ex.c
@@ -39,6 +39,7 @@
#include "hw/usb/hcd-ehci.h"
#include "hw/ppc/fdt.h"
#include "hw/qdev-properties.h"
+#include "hw/intc/ppc-uic.h"

#include 

@@ -281,7 +282,6 @@ static void sam460ex_init(MachineState *machine)
hwaddr ram_bases[SDRAM_NR_BANKS] = {0};
hwaddr ram_sizes[SDRAM_NR_BANKS] = {0};
MemoryRegion *l2cache_ram = g_new(MemoryRegion, 1);
-qemu_irq *irqs, *uic[4];
PCIBus *pci_bus;
PowerPCCPU *cpu;
CPUPPCState *env;
@@ -293,6 +293,9 @@ static void sam460ex_init(MachineState *machine)
struct boot_info *boot_info;
uint8_t *spd_data;
int success;
+qemu_irq mal_irqs[4];
+DeviceState *uic[4];
+int i;


Maybe keep this where it was above instead of moving to the end and keep
DeviceState *uic[4]; first so the two others that would be removed later
are next to each other (just to make patches simpler and keep the order of
variables which may be roughly as they appear below).


Sure, I can do that.


cpu = POWERPC_CPU(cpu_create(machine->cpu_type));
env = &cpu->env;
@@ -312,13 +315,35 @@ static void sam460ex_init(MachineState *machine)
ppc4xx_plb_init(env);

/* interrupt controllers */
-irqs = g_new0(qemu_irq, PPCUIC_OUTPUT_NB);
-irqs[PPCUIC_OUTPUT_INT] = ((qemu_irq *)env->irq_inputs)[PPC40x_INPUT_INT];
-irqs[PPCUIC_OUTPUT_CINT] = ((qemu_irq 
*)env->irq_inputs)[PPC40x_INPUT_CINT];


Unrelated to this, but I wonder why we need these casts? Could we just
define env->irq_inputs as a qemu_irq array in the first place? It's now void
**, which according to the comment next to it may be because it may once
have been used for different implementations, but by now maybe it's only
used for what its name implies? I haven't checked whether it could be
cleaned up; just raising it if anyone's interested in having a look, as there
are such casts in a lot of other places too.


I mentioned this in the cover letter. The irq_inputs stuff seems
to be an old workaround for not being able to have gpio inputs
to the CPU object. Now that CPUs inherit from TYPE_DEVICE, they
can just create gpio inputs like any other device, and this
code would be able to wire them up without having to dig into
the internals of the CPUPPCState structure.


Yes, noticed that after I've answered this.


-uic[0] = ppcuic_init(env, irqs, 0xc0, 0, 1);
-uic[1] = ppcuic_init(env, &uic[0][30], 0xd0, 0, 1);
-uic[2] = ppcuic_init(env, &uic[0][10], 0xe0, 0, 1);
-uic[3] = ppcuic_init(env, &uic[0][16], 0xf0, 0, 1);
+for (i = 0; i < ARRAY_SIZE(uic); i++) {
+SysBusDevice *sbd;


There's already a SysBusDevice *sbdev; defined for similar cases that you
could reuse here.


+/*
+ * Number of the first of the two consecutive IRQ inputs on UIC 0
+ * to connect the INT and CINT outputs of UIC n to. The entry


This comment confused me a bit; while it's precise, is it possible to say
it in a simpler way? I think these are how uic[1-3] are cascaded through
uic[0], similar to how the PICs in a PC are cascaded.


Yes, it's the cascading -- it's saying "which inputs on UIC 0 should
UIC n's outputs connect to". What would be a helpful way to phrase
this more clearly ?


Hah, you're the native English speaker so I hoped you could reformulate it 
in a simpler way. (But maybe that's what makes it more difficult because 
the current version already makes perfect sense to you.) Maybe something 
like "Interrupt numbers in uic[0] where INT outputs of uic[1]-uic[3] are 
connected for cascading. The CINT output is connected to the next 
interrupt number. The entry for uic[0] is ignored because it connects to 
the CPU."


Regards,
BALATON 
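The cascade discussed above (uic[1..3] feed their INT and CINT outputs into two consecutive inputs of uic[0], which in turn feeds the CPU) and the typo found in the loop (PPCUIC_OUTPUT_INT connected twice, so CINT is never wired) can be made concrete with a small model. This is an added example, not QEMU code: the input numbers 30, 10 and 16 are the ones the old ppcuic_init() calls on the page used, the `Uic`/`Link` types, `wire_cascade`, `cascade_problems` and `int_path_to_cpu` are constructed for the example, and the rule that an asserted input raises the next controller's INT output is a simplification of the real device. The point is the consistency check: a wiring helper that verifies every output is connected and that cascaded outputs land on distinct inputs catches this class of typo at board init rather than at the first missed critical interrupt.

```c
/*
 * Added example (not QEMU code): toy model of a cascaded interrupt
 * controller tree plus a consistency check for the wiring.
 */
#include <stdbool.h>

#define UIC_NR      4
#define UIC_INPUTS  32
enum { OUT_INT, OUT_CINT, OUT_NB };
enum { TARGET_NONE = -1, TARGET_CPU = -2 };

typedef struct {
    int target;   /* TARGET_NONE, TARGET_CPU, or index of the UIC fed */
    int input;    /* input number on the target UIC (ignored for CPU) */
} Link;

typedef struct {
    Link out[OUT_NB];
} Uic;

/* uic[0] input for the INT output of uic[n]; CINT goes to input + 1.
 * Entry 0 is unused because uic[0] connects to the CPU. Values from the
 * ppcuic_init() calls quoted in the thread. */
static const int input_ints[UIC_NR] = { 0, 30, 10, 16 };

static void uic_connect(Uic *uic, int n, int out, int target, int input)
{
    uic[n].out[out].target = target;
    uic[n].out[out].input = input;
}

static void wire_reset(Uic *uic)
{
    for (int n = 0; n < UIC_NR; n++) {
        for (int o = 0; o < OUT_NB; o++) {
            uic[n].out[o] = (Link){ TARGET_NONE, 0 };
        }
    }
}

/* Wire the cascade the way the patch's loop does; with_typo reproduces
 * the bug from the thread (OUT_INT named twice, CINT never connected). */
static void wire_cascade(Uic *uic, bool with_typo)
{
    wire_reset(uic);
    for (int n = 0; n < UIC_NR; n++) {
        if (n == 0) {
            uic_connect(uic, n, OUT_INT, TARGET_CPU, 0);
            uic_connect(uic, n, OUT_CINT, TARGET_CPU, 0);
        } else {
            int second = with_typo ? OUT_INT : OUT_CINT;
            uic_connect(uic, n, OUT_INT, 0, input_ints[n]);
            uic_connect(uic, n, second, 0, input_ints[n] + 1);
        }
    }
}

/* Count wiring problems: unconnected outputs, out-of-range inputs, and two
 * outputs sharing one uic[0] input. 0 means the cascade is consistent. */
static int cascade_problems(const Uic *uic)
{
    bool used[UIC_INPUTS] = { false };
    int problems = 0;

    for (int n = 0; n < UIC_NR; n++) {
        for (int o = 0; o < OUT_NB; o++) {
            const Link *l = &uic[n].out[o];
            if (l->target == TARGET_NONE) { problems++; continue; }
            if (n == 0) { if (l->target != TARGET_CPU) problems++; continue; }
            if (l->target != 0 || l->input < 0 || l->input >= UIC_INPUTS) {
                problems++;
                continue;
            }
            if (used[l->input]) problems++;
            used[l->input] = true;
        }
    }
    return problems;
}

/* Follow output `out` of uic[n] toward the CPU. Returns the number of
 * controllers traversed, or -1 if the chain is broken. Model assumption:
 * an asserted input raises the next controller's INT output. */
static int int_path_to_cpu(const Uic *uic, int n, int out)
{
    for (int hops = 1; hops <= UIC_NR; hops++) {
        const Link *l = &uic[n].out[out];
        if (l->target == TARGET_CPU) return hops;
        if (l->target < 0) return -1;
        n = l->target;
        out = OUT_INT;
    }
    return -1;
}
```

With the correct wiring `cascade_problems` returns 0 and a CINT raised on uic[2] reaches the CPU in two hops (uic[2] input 11 on uic[0], then uic[0] to the CPU); with the typo the three CINT outputs are left unconnected, the INT outputs silently move to inputs 31, 11 and 17, and the check reports three problems.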

[Bug 1906948] Re: Enabling OpenGL for GUI doesn't work on old laptop

2020-12-12 Thread johannes
I installed Qemu 5.0.0 from Debian Buster backports and I still get this
error.


qemu_gl_create_compile_shader: compile vertex error
0:2(10): error: GLSL ES 3.00 is not supported. Supported versions are: 1.10, 
1.20, and 1.00 ES

qemu_gl_create_compile_shader: compile fragment error
0:2(10): error: GLSL ES 3.00 is not supported. Supported versions are: 1.10, 
1.20, and 1.00 ES

qemu_gl_create_compile_shader: compile vertex error
0:2(10): error: GLSL ES 3.00 is not supported. Supported versions are: 1.10, 
1.20, and 1.00 ES

qemu_gl_create_compile_shader: compile fragment error
0:2(10): error: GLSL ES 3.00 is not supported. Supported versions are: 1.10, 
1.20, and 1.00 ES

https://bugs.launchpad.net/bugs/1906948

Title:
  Enabling OpenGL for GUI doesn't work on old laptop

Status in QEMU:
  Incomplete

Bug description:
  QEMU start command is:

  qemu-system-x86_64 -enable-kvm -m 2G -cpu host -smp 2 -cdrom
  ./linuxmint-20-mate-64bit.iso -boot d -vga virtio -soundhw hda
  -display gtk,gl=on

  
  and QEMU crashes immediately on startup and gives these error messages:

  
  qemu_gl_create_compile_shader: compile vertex error
  0:2(10): error: GLSL ES 3.00 is not supported. Supported versions are: 1.10, 
1.20, and 1.00 ES

  qemu_gl_create_compile_shader: compile fragment error
  0:2(10): error: GLSL ES 3.00 is not supported. Supported versions are: 1.10, 
1.20, and 1.00 ES

  qemu_gl_create_compile_shader: compile vertex error
  0:2(10): error: GLSL ES 3.00 is not supported. Supported versions are: 1.10, 
1.20, and 1.00 ES

  qemu_gl_create_compile_shader: compile fragment error
  0:2(10): error: GLSL ES 3.00 is not supported. Supported versions are: 1.10, 
1.20, and 1.00 ES

  
  If I remove "gl=on" it will boot. Does this just mean that this hardware is 
too old to run QEMU with OpenGL enabled in GUI, or is this a bug? 

  Host OS is Debian 10, computer is a Lenovo laptop with Core i5-520M
  CPU and its integrated Intel HD graphics GPU.

  QEMU version is 3.1.0 from Debian repositories.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1906948/+subscriptions



Re: [PATCH 2/8] ppc: Convert PPC UIC to a QOM device

2020-12-12 Thread BALATON Zoltan via

On Sat, 12 Dec 2020, Peter Maydell wrote:

On Sat, 12 Dec 2020 at 18:27, BALATON Zoltan  wrote:


On Sat, 12 Dec 2020, Peter Maydell wrote:

Currently the PPC UIC ("Universal Interrupt Controller") is implemented
as a non-QOM device in ppc4xx_devs.c. Convert it to a proper QOM device
in hw/intc.

The ppcuic_init() function is retained for the moment with its current
interface; in subsequent commits this will be tidied up to avoid the
allocation of an irq array.

This conversion adds VMState support.

It leaves the LOG_UIC() macro as-is to maximise the extent to which
this is simply code-movement rather than a rewrite (in new code it
would be better to use tracepoints).

The default property values for dcr-base and use-vectors are set to
match those use by most of our boards with a UIC.


Would this be easier to review if it were split into two patches, first doing
the conversion in place, then another just moving code? Maybe we
could spot some problems more easily that way?


That didn't really feel very feasible to me. You can see that
mostly it's code motion using the git diff --color-moved option
if you look at the commit.


Thanks, this helped a bit, at least to confirm the bug is not in here.

Regards,
BALATON Zoltan



Re: [PULL 0/5] M68k for 6.0 patches

2020-12-12 Thread Peter Maydell
On Sat, 12 Dec 2020 at 18:32, Laurent Vivier  wrote:
>
> The following changes since commit ad717e6da3852b5729217d7938eecdb81c546114:
>
>   Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging=
>  (2020-12-12 00:20:46 +)
>
> are available in the Git repository at:
>
>   git://github.com/vivier/qemu-m68k.git tags/m68k-for-6.0-pull-request
>
> for you to fetch changes up to ce00ff729ee8461dc94a1593d25ceda65d973d3c:
>
>   m68k: fix some comment spelling errors (2020-12-12 18:12:43 +0100)
>
> ----
> m68k pull request 20201212
>
> Fix for Coverity CID 1421883
> Fix some comment spelling errors
> Add m68k vmstate


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/6.0
for any user-visible changes.

-- PMM



[Bug 1907926] [NEW] Implement TPM2 configuration for emulators that provide TCP interface

2020-12-12 Thread Anatol Pomozov
Public bug reported:

swtpm provides several interfaces for its emulated device: a unix socket
(which can be used by qemu) and a chardev. swtpm also provides a TCP interface
for the device, which is very convenient for testing as it does not require
root permissions.

It would be very useful to have QEMU work with TPM devices emulated
via TCP.

** Affects: qemu
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1907926

Title:
  Implement TPM2 configuration for emulators that provide TCP interface

Status in QEMU:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1907926/+subscriptions



Re: [PATCH v3 1/9] fuzz: Make fork_fuzz.ld compatible with LLVM's LLD

2020-12-12 Thread Alexander Bulekov
On 201119 1706, Daniele Buono wrote:
> Thanks Alex,
> do you think you could also give it a try linking with LLD?
> 
> just add --extra-ldflags="-fuse-ld=lld"
> 
> I do see some small differences when moving from BFD to LLD, but they should
> not be of importance. The position of the data.fuzz* is kept.
> 
> size -A on qemu-fuzz-i386, LTO DISABLED:
> 
> BFD
> section  size   addr
> [...]
> .got10704   29849128
> .data 1160800   29859840
> __sancov_pcs  3362992   31020640
> .data.fuzz_start   210187   34385920
> .data.fuzz_ordered 211456   34596352
> .bss  9659608   34807808
> .comment  225  0
> [...]
> 
> BFD
> section  size   addr
> [...]
> .got  816   27824632
> .got.plt 9992   27825448
> .data 1160808   27839536
> .data.fuzz_start   210187   29003776
> .data.fuzz_ordered 211456   29214208
> .data.fuzz_end  0   29425664
> .tm_clone_table 0   29425664
> __sancov_pcs  3362992   29425664
> .bss  9659624   32788672
> 
> I tried running the fuzzer and didn't seem to have any issues, but I
> haven't tried a test-build with OSS-Fuzz. Is there info somewhere
> on how to do that?
> 
> Thanks,
> Daniele
> 

Hi Daniele,
Sorry for the late response. I tried linking the fuzzer with lld, and
everything looks good. 

OSS-Fuzz just runs scripts/oss-fuzz/build.sh with some environment
variables set (CC, CXX, CFLAGS, LIB_FUZZING_ENGINE ...). To get this to
work with that script, we would just need to pass the corresponding
arguments to ./configure and find a way to locate and specify
llvm-ar-{11,12,...}.

So far I haven't noticed too much of a performance increase with -flto,
but I need to run some more tests. We probably spend too much time in
the kernel (fork()-ing for each input, etc) for the gains to show up.
-Alex

> On 11/6/2020 9:50 AM, Alexander Bulekov wrote:
> > On 201105 1718, Daniele Buono wrote:
> > > LLVM's linker, LLD, supports the keyword "INSERT AFTER", starting with
> > > version 11.
> > > However, when multiple sections are defined in the same "INSERT AFTER",
> > > they are added in a reversed order, compared to BFD's LD.
> > > 
> > > This patch makes fork_fuzz.ld generic enough to work with both linkers.
> > > Each section now has its own "INSERT AFTER" keyword, so proper ordering is
> > > defined between the sections added.
> > > 
> > 
> > Hi Daniele,
> > Good to know that LLVM now has support for "INSERT AFTER" :)
> > 
> > I compared the resulting symbols between __FUZZ_COUNTERS_{START,END}
> > (after linking with BFD) before/after this patch, and they look good. I
> > also ran a test-build with OSS-Fuzz container and confirmed that the
> > resulting binary also had proper symbols.
> > 
> > Reviewed-by: Alexander Bulekov 
> > Tested-by: Alexander Bulekov 
> > 
> > Thanks
> > 
> > > Signed-off-by: Daniele Buono 
> > > ---
> > >   tests/qtest/fuzz/fork_fuzz.ld | 12 +++-
> > >   1 file changed, 11 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/tests/qtest/fuzz/fork_fuzz.ld b/tests/qtest/fuzz/fork_fuzz.ld
> > > index bfb667ed06..cfb88b7fdb 100644
> > > --- a/tests/qtest/fuzz/fork_fuzz.ld
> > > +++ b/tests/qtest/fuzz/fork_fuzz.ld
> > > @@ -16,6 +16,11 @@ SECTIONS
> > > /* Lowest stack counter */
> > > *(__sancov_lowest_stack);
> > > }
> > > +}
> > > +INSERT AFTER .data;
> > > +
> > > +SECTIONS
> > > +{
> > > .data.fuzz_ordered :
> > > {
> > > /*
> > > @@ -34,6 +39,11 @@ SECTIONS
> > >  */
> > >  *(.bss._ZN6fuzzer3TPCE);
> > > }
> > > +}
> > > +INSERT AFTER .data.fuzz_start;
> > > +
> > > +SECTIONS
> > > +{
> > > .data.fuzz_end : ALIGN(4K)
> > > {
> > > __FUZZ_COUNTERS_END = .;
> > > @@ -43,4 +53,4 @@ SECTIONS
> > >* Don't overwrite the SECTIONS in the default linker script. Instead 
> > > insert the
> > >* above into the default script
> > >*/
> > > -INSERT AFTER .data;
> > > +INSERT AFTER .data.fuzz_ordered;
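Review bot: the comment block kept above the final `INSERT AFTER .data.fuzz_ordered;` ("Don't overwrite the SECTIONS in the default linker script. Instead insert the above into the default script") now describes only the last of three insertions, while the two new `INSERT AFTER .data;` and `INSERT AFTER .data.fuzz_start;` statements carry no explanation. A short note next to the first one, saying that each SECTIONS group gets its own INSERT AFTER because LLD places multiple sections of one INSERT AFTER in the reverse order of BFD (the reason given in the commit message), would keep the rationale for the chained ordering .data -> .data.fuzz_start -> .data.fuzz_ordered -> .data.fuzz_end in the file where the next editor will look.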
> > > -- 
> > > 2.17.1
> > > 
> > 



Re: [PATCH v4 4/5] configure,meson: support Control-Flow Integrity

2020-12-12 Thread Alexander Bulekov
On 201204 1806, Daniele Buono wrote:
> This patch adds a flag to enable/disable control flow integrity checks
> on indirect function calls.
> This feature only allows indirect function calls at runtime to functions
> with compatible signatures.
> 
> This feature is only provided by LLVM/Clang, and depends on link-time
> optimization which is currently supported only with LLVM/Clang >= 6.0
> 
> We also add an option to enable a debugging version of cfi, with verbose
> output in case of a CFI violation.
> 
> CFI on indirect function calls does not support calls to functions in
> shared libraries (since they were not known at compile time), and such
> calls are forbidden. QEMU relies on dlopen/dlsym when using modules,
> so we make modules incompatible with CFI.
> 
> All the checks are performed in meson.build. configure is only used to
> forward the flags to meson
> 
> Signed-off-by: Daniele Buono 
> ---
>  configure | 21 -
>  meson.build   | 45 +
>  meson_options.txt |  4 
>  3 files changed, 69 insertions(+), 1 deletion(-)
> 
> diff --git a/configure b/configure
> index fee118518b..c4e5d92167 100755
> --- a/configure
> +++ b/configure
> @@ -400,6 +400,8 @@ coroutine=""
>  coroutine_pool=""
>  debug_stack_usage="no"
>  crypto_afalg="no"
> +cfi="disabled"
> +cfi_debug="disabled"
>  seccomp=""
>  glusterfs=""
>  glusterfs_xlator_opt="no"
> @@ -1180,6 +1182,16 @@ for opt do
>;;
>--disable-safe-stack) safe_stack="no"
>;;
> +  --enable-cfi)
> +  cfi="enabled";
> +  lto="true";
> +  ;;
> +  --disable-cfi) cfi="disabled"
> +  ;;
> +  --enable-cfi-debug) cfi_debug="enabled"
> +  ;;
> +  --disable-cfi-debug) cfi_debug="disabled"
> +  ;;
>--disable-curses) curses="disabled"
>;;
>--enable-curses) curses="enabled"
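Review bot: `--enable-cfi-debug` is accepted here even when `--enable-cfi` is not given, but in the meson.build hunk below `cfi_debug` is only consulted inside `if get_option('cfi').enabled()`, so the flag is silently ignored on its own; either reject the combination in configure or state in the help text that cfi-debug depends on cfi. Also, `--enable-cfi` forces `lto="true"` with no message, which is fine, but the help text added in the next hunk should keep that "Automatically enables Link-Time Optimization" line in sync with this behaviour if it ever changes.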
> @@ -1760,6 +1772,13 @@ disabled with --disable-FEATURE, default is enabled if 
> available:
>sparse  sparse checker
>safe-stack  SafeStack Stack Smash Protection. Depends on
>clang/llvm >= 3.7 and requires coroutine backend ucontext.
> +  cfi Enable Control-Flow Integrity for indirect function calls.
> +  In case of a cfi violation, QEMU is terminated with SIGILL
> +  Depends on lto and is incompatible with modules
> +  Automatically enables Link-Time Optimization (lto)
> +  cfi-debug   In case of a cfi violation, a message containing the line 
> that
> +  triggered the error is written to stderr. After the error,
> +  QEMU is still terminated with SIGILL
>  
>gnutls  GNUTLS cryptography support
>nettle  nettle cryptography support
> @@ -7020,7 +7039,7 @@ NINJA=$ninja $meson setup \
>  -Diconv=$iconv -Dcurses=$curses -Dlibudev=$libudev\
>  -Ddocs=$docs -Dsphinx_build=$sphinx_build -Dinstall_blobs=$blobs \
>  -Dvhost_user_blk_server=$vhost_user_blk_server \
> --Db_lto=$lto \
> +-Db_lto=$lto -Dcfi=$cfi -Dcfi_debug=$cfi_debug \
>  $cross_arg \
>  "$PWD" "$source_path"
>  
> diff --git a/meson.build b/meson.build
> index ebd1c690e0..e1ae6521e0 100644
> --- a/meson.build
> +++ b/meson.build
> @@ -773,6 +773,48 @@ elif get_option('vhost_user_blk_server').disabled() or 
> not have_system
>  have_vhost_user_blk_server = false
>  endif
>  
> +if get_option('cfi').enabled()
> +  cfi_flags=[]
> +  # Check for dependency on LTO
> +  if not get_option('b_lto')
> +error('Selected Control-Flow Integrity but LTO is disabled')
> +  endif
> +  if config_host.has_key('CONFIG_MODULES')
> +error('Selected Control-Flow Integrity is not compatible with modules')
> +  endif
> +  # Check for cfi flags. CFI requires LTO so we can't use
> +  # get_supported_arguments, but need a more complex "compiles" which allows
> +  # custom arguments
> +  if cc.compiles('int main () { return 0; }', name: '-fsanitize=cfi-icall',
> + args: ['-flto', '-fsanitize=cfi-icall'] )
> +cfi_flags += '-fsanitize=cfi-icall'
> +  else
> +error('-fsanitize=cfi-icall is not supported by the compiler')
> +  endif
> +  if cc.compiles('int main () { return 0; }',
> + name: '-fsanitize-cfi-icall-generalize-pointers',
> + args: ['-flto', '-fsanitize=cfi-icall',
> +'-fsanitize-cfi-icall-generalize-pointers'] )
> +cfi_flags += '-fsanitize-cfi-icall-generalize-pointers'
> +  else
> +error('-fsanitize-cfi-icall-generalize-pointers is not supported by the 
> compiler')
> +  endif
> +  if get_option('cfi_debug').enabled()
> +if cc.compiles('int main () { return 0; }',
> +   name: '-fno-sanitize-trap=cfi-icall',
> +   args: ['-flto', '-fsanitize=cfi-icall',
> +  '-fno-sanitize-trap=cfi-icall'] )
> +  cfi_flags += '-fno-sanitize-trap=cfi-icall'
> +else
> +  error('-fno-sanitize-trap=
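Review bot: the feature probes use `cc.compiles('int main () { return 0; }', args: ['-flto', '-fsanitize=cfi-icall'])`, which exercises the compile step only. CFI with LTO is resolved at link time, so a toolchain whose ar or linker cannot consume LLVM bitcode (patch 5/5 notes that an AR supporting LLVM IR is required) passes these checks and fails only when the first binary is linked; using `cc.links()` with the same arguments would catch that at configure time and give a clearer error than a late link failure. Note also that the `-fsanitize=cfi-icall` probe is repeated in each subsequent `args:` list, so if the base flag ever changes there are three places to update.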

Re: [PATCH v4 5/5] docs: Add CFI Documentation

2020-12-12 Thread Alexander Bulekov
On 201204 1806, Daniele Buono wrote:
> Document how to compile with CFI and how to maintain CFI-safe code
> 
> Signed-off-by: Daniele Buono 

Reviewed-by: Alexander Bulekov 

Thanks

> ---
>  docs/devel/control-flow-integrity.rst | 137 ++
>  1 file changed, 137 insertions(+)
>  create mode 100644 docs/devel/control-flow-integrity.rst
> 
> diff --git a/docs/devel/control-flow-integrity.rst 
> b/docs/devel/control-flow-integrity.rst
> new file mode 100644
> index 00..ec54d16a42
> --- /dev/null
> +++ b/docs/devel/control-flow-integrity.rst
> @@ -0,0 +1,137 @@
> +
> +Control-Flow Integrity (CFI)
> +
> +
> +This document describes the current control-flow integrity (CFI) mechanism in
> +QEMU. How it can be enabled, its benefits and deficiencies, and how it 
> affects
> +new and existing code in QEMU
> +
> +Basics
> +--
> +
> +CFI is a hardening technique that focusing on guaranteeing that indirect
> +function calls have not been altered by an attacker.
> +The type used in QEMU is a forward-edge control-flow integrity that ensures
> +function calls performed through function pointers, always call a 
> "compatible"
> +function. A compatible function is a function with the same signature of the
> +function pointer declared in the source code.
> +
> +This type of CFI is entirely compiler-based and relies on the compiler 
> knowing
> +the signature of every function and every function pointer used in the code.
> +As of now, the only compiler that provides support for CFI is Clang.
> +
> +CFI is best used on production binaries, to protect against unknown attack
> +vectors.
> +
> +In case of a CFI violation (i.e. call to a non-compatible function) QEMU will
> +terminate abruptly, to stop the possible attack.
> +
> +Building with CFI
> +-
> +
> +NOTE: CFI requires the use of link-time optimization. Therefore, when CFI is
> +selected, LTO will be automatically enabled.
> +
> +To build with CFI, the minimum requirement is Clang 6+. If you
> +are planning to also enable fuzzing, then Clang 11+ is needed (more on this
> +later).
> +
> +Given the use of LTO, a version of AR that supports LLVM IR is required.
> +The easies way of doing this is by selecting the AR provided by LLVM::
> +
> + AR=llvm-ar-9 CC=clang-9 CXX=lang++-9 /path/to/configure --enable-cfi
> +
> +CFI is enabled on every binary produced.
> +
> +If desired, an additional flag to increase the verbosity of the output in 
> case
> +of a CFI violation is offered (``--enable-debug-cfi``).
> +
> +Using QEMU built with CFI
> +-
> +
> +A binary with CFI will work exactly like a standard binary. In case of a CFI
> +violation, the binary will terminate with an illegal instruction signal.
> +
> +Incompatible code with CFI
> +--
> +
> +As mentioned above, CFI is entirely compiler-based and therefore relies on
> +compile-time knowledge of the code. This means that, while generally 
> supported
> +for most code, some specific use pattern can break CFI compatibility, and
> +create false-positives. The two main patterns that can cause issues are:
> +
> +* Just-in-time compiled code: since such code is created at runtime, the jump
> +  to the buffer containing JIT code will fail.
> +
> +* Libraries loaded dynamically, e.g. with dlopen/dlsym, since the library was
> +  not known at compile time.
> +
> +Current areas of QEMU that are not entirely compatible with CFI are:
> +
> +1. TCG, since the idea of TCG is to pre-compile groups of instructions at
> +   runtime to speed-up interpretation, quite similarly to a JIT compiler
> +
> +2. TCI, where the interpreter has to interpret the generic *call* operation
> +
> +3. Plugins, since a plugin is implemented as an external library
> +
> +4. Modules, since they are implemented as an external library
> +
> +5. Directly calling signal handlers from the QEMU source code, since the
> +   signal handler may have been provided by an external library or even 
> plugged
> +   at runtime.
> +
> +Disabling CFI for a specific function
> +-
> +
> +If you are working on function that is performing a call using an
> +incompatible way, as described before, you can selectively disable CFI checks
> +for such function by using the decorator ``QEMU_DISABLE_CFI`` at function
> +definition, and add an explanation on why the function is not compatible
> +with CFI. An example of the use of ``QEMU_DISABLE_CFI`` is provided here::
> +
> + /*
> +  * Disable CFI checks.
> +  * TCG creates binary blobs at runtime, with the transformed code.
> +  * A TB is a blob of binary code, created at runtime and called with an
> +  * indirect function call. Since such function did not exist at compile 
> time,
> +  * the CFI runtime has no way to verify its signature and would fail.
> +  * TCG is not considered a security-sensitive part of QEMU so this do
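Review bot: the flag named in the "Building with CFI" section, ``--enable-debug-cfi``, does not match the option patch 4/5 adds to configure, which is `--enable-cfi-debug`; one of the two should change before this lands. Smaller fixes in the same hunk: `CXX=lang++-9` should read `CXX=clang++-9`, "The easies way" should be "The easiest way", "CFI is a hardening technique that focusing on guaranteeing" should be "that focuses on guaranteeing", and "the same signature of the function pointer" reads better as "the same signature as the function pointer".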

[Bug 1883733] Re: FIXME xhci_alloc_device_streams:972 guest streams config not identical for all eps

2020-12-12 Thread Alexander Bulekov
OSS-Fuzz reported this:

=== Reproducer ===
cat << EOF | ./qemu-system-i386 -display none \
-machine accel=qtest, -m 512M -machine q35 -nodefaults \
-device qemu-xhci,id=xhci -device usb-tablet,bus=xhci.0 \
-device usb-tablet -device usb-wacom-tablet -device usb-audio \
-qtest stdio
outl 0xcf8 0x8803
outl 0xcfc 0x18ff
outl 0xcf8 0x8813

[Bug 1907938] [NEW] [OSS-Fuzz] Issue 28524 virtio-blk: ASSERT: !s->dataplane_started

2020-12-12 Thread Alexander Bulekov
Public bug reported:

 affects qemu

=== Reproducer ===

cat << EOF |./qemu-system-i386 -display none -m 512M -machine q35 \
-device virtio-blk,drive=disk0 \
-drive file=null-co://,id=disk0,if=none,format=raw -qtest stdio
outl 0xcf8 0x8000181f
outl 0xcfc 0xa044d79
outl 0xcf8 0x80001802
outl 0xcf8 0x80001804
outl 0xcfc 0xb9045dff
outl 0xcf8 0x8000180e
outl 0xcfc 0xfb9465a
outl 0xf85 0x9e1ea5c2
write 0x9f002 0x1 0x04
write 0x9f004 0x1 0x04
write 0x9e040 0x1 0x04
write 0x9e043 0x1 0x01
write 0x9e048 0x1 0x10
write 0x9e04c 0x1 0x01
write 0x9e04e 0x1 0x6e
write 0x104 0x1 0x01
write 0x9e6e3 0x1 0x01
write 0x9e6eb 0x1 0x04
write 0x9e6ec 0x1 0x6e
write 0x9f006 0x1 0x04
write 0x9f008 0x1 0x04
write 0x9f00a 0x1 0x04
outl 0xf8f 0xc
EOF

=== Stack Trace ===

qemu-fuzz-i386: ../hw/block/virtio-blk.c:917: void virtio_blk_reset(VirtIODevice *): Assertion `!s->dataplane_started' failed.
==702068== ERROR: libFuzzer: deadly signal
#0 0x55bd6fc9f311 in __sanitizer_print_stack_trace (fuzz-i386+0x2b16311)
#1 0x55bd6fbe83d8 in fuzzer::PrintStackTrace() (fuzz-i386+0x2a5f3d8)
#2 0x55bd6fbce413 in fuzzer::Fuzzer::CrashCallback() (fuzz-i386+0x2a45413)
#3 0x7ff5241b813f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1413f)
#4 0x7ff523feddb0 in __libc_signal_restore_set signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3
#5 0x7ff523feddb0 in raise signal/../sysdeps/unix/sysv/linux/raise.c:48:3
#6 0x7ff523fd7536 in abort stdlib/abort.c:79:7
#7 0x7ff523fd740e in __assert_fail_base assert/assert.c:92:3
#8 0x7ff523fe65b1 in __assert_fail assert/assert.c:101:3
#9 0x55bd7116c435 in virtio_blk_reset hw/block/virtio-blk.c:917:5
#10 0x55bd710c94a2 in virtio_reset hw/virtio/virtio.c:2001:9
#11 0x55bd6ff0e0a5 in virtio_pci_reset hw/virtio/virtio-pci.c:1886:5
#12 0x55bd6ff10686 in virtio_ioport_write hw/virtio/virtio-pci.c:339:13
#13 0x55bd6ff10686 in virtio_pci_config_write hw/virtio/virtio-pci.c:456:9
#14 0x55bd713fd025 in memory_region_write_accessor softmmu/memory.c:491:5
#15 0x55bd713fca93 in access_with_adjusted_size softmmu/memory.c:552:18
#16 0x55bd713fc2f0 in memory_region_dispatch_write softmmu/memory.c
#17 0x55bd70e4bf36 in flatview_write_continue softmmu/physmem.c:2759:23
#18 0x55bd70e41bbb in flatview_write softmmu/physmem.c:2799:14
#19 0x55bd70e41bbb in address_space_write softmmu/physmem.c:2891:18
#20 0x55bd71153462 in cpu_outl softmmu/ioport.c:80:5
#21 0x55bd712d586e in qtest_process_command softmmu/qtest.c:483:13
#22 0x55bd712d35bf in qtest_process_inbuf softmmu/qtest.c:797:9
#23 0x55bd712d3315 in qtest_server_inproc_recv softmmu/qtest.c:904:9
#24 0x55bd71910df8 in qtest_sendf tests/qtest/libqtest.c:438:5
#25 0x55bd71911fae in qtest_out tests/qtest/libqtest.c:952:5
#26 0x55bd71911fae in qtest_outl tests/qtest/libqtest.c:968:5
#27 0x55bd6fcd1aa2 in op_out tests/qtest/fuzz/generic_fuzz.c:395:13
#28 0x55bd6fcd04e9 in generic_fuzz tests/qtest/fuzz/generic_fuzz.c:680:17
#29 0x55bd6fcc9723 in LLVMFuzzerTestOneInput tests/qtest/fuzz/fuzz.c:151:5

OSS-Fuzz Report:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28524

** Affects: qemu
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1907938
