Re: IRQ affinity not working on Xen pci-platform device^W^W^W QEMU split-irqchip I/O APIC.

2023-03-04 Thread David Woodhouse
On Sat, 2023-03-04 at 01:28 +0100, Thomas Gleixner wrote:
> David!
> 
> On Fri, Mar 03 2023 at 16:54, David Woodhouse wrote:
> > On Fri, 2023-03-03 at 17:51 +0100, Thomas Gleixner wrote:
> > > > 
> > > > [    0.577173] ACPI: \_SB_.LNKC: Enabled at IRQ 11
> > > > [    0.578149] The affinity mask was 0-3
> > > > [    0.579081] The affinity mask is 0-3 and the handler is on 2
> > > > [    0.580288] The affinity mask is 0 and the handler is on 2
> > > 
> > > What happens is that once the interrupt is requested, the affinity
> > > setting is deferred to the first interrupt. See the marvelous dance in
> > > arch/x86/kernel/apic/msi.c::msi_set_affinity().
> > > 
> > > If you do the setting before request_irq() then the startup will assign
> > > it to the target mask right away.
> > > 
> > > Btw, you are using irq_get_affinity_mask(), which gives you the desired
> > > target mask. irq_get_effective_affinity_mask() gives you the real one.
> > > 
> > > Can you verify that the thing moves over after the first interrupt or is
> > > that too late already?
> > 
> > It doesn't seem to move. The hack to just return IRQ_NONE if invoked on
> > CPU != 0 was intended to do just that. It's a level-triggered interrupt
> > so when the handler does nothing on the "wrong" CPU, it ought to get
> > invoked again on the *correct* CPU and actually work that time.
> 
> So much for the theory. This is virt after all so it does not
> necessarily behave like real hardware.

I think you're right. This looks like a QEMU bug with the "split
irqchip" I/OAPIC.

For reasons I'm unclear about, and which lack a comment in the code,
QEMU still injects I/OAPIC events into the kernel with kvm_set_irq().
(I think it's to do with caching, because QEMU doesn't cache interrupt-
remapping translations anywhere *except* in the KVM IRQ routing table,
so if it just synthesised an MSI message every time it'd have to
retranslate it every time?)

Tracing the behaviour here shows:

 • First interrupt happens on CPU2.
 • Linux updates the I/OAPIC RTE to point to CPU0, but QEMU doesn't
   update the KVM IRQ routing table yet.
 • QEMU retriggers the (still-high, level triggered) IRQ.
 • QEMU calls kvm_set_irq(11), delivering it to CPU2 again.
 • QEMU *finally* calls ioapic_update_kvm_routes().
 • Linux sees the interrupt on CPU2 again.

  $ qemu-system-x86_64 -display none -serial mon:stdio \
 -accel kvm,xen-version=0x4000a,kernel-irqchip=split \
 -kernel ~/git/linux/arch/x86/boot//bzImage \
 -append "console=ttyS0,115200 xen_no_vector_callback" \
 -smp 4 --trace ioapic\* --trace xenstore\*


...

xenstore_read tx 0 path control/platform-feature-xs_reset_watches
ioapic_set_irq vector: 11 level: 1
ioapic_set_remote_irr set remote irr for pin 11
ioapic_service: trigger KVM IRQ 11
[0.523627] The affinity mask was 0-3 and the handler is on 2
ioapic_mem_write ioapic mem write addr 0x0 regsel: 0x27 size 0x4 val 0x26
ioapic_update_kvm_routes: update KVM route for IRQ 11: fee02000 8021
ioapic_mem_write ioapic mem write addr 0x10 regsel: 0x26 size 0x4 val 0x18021
xenstore_reset_watches 
ioapic_set_irq vector: 11 level: 1
ioapic_mem_read ioapic mem read addr 0x10 regsel: 0x26 size 0x4 retval 0x1c021
[0.524569] ioapic_ack_level IRQ 11 moveit = 1
ioapic_eoi_broadcast EOI broadcast for vector 33
ioapic_clear_remote_irr clear remote irr for pin 11 vector 33
ioapic_mem_write ioapic mem write addr 0x0 regsel: 0x26 size 0x4 val 0x26
ioapic_mem_read ioapic mem read addr 0x10 regsel: 0x26 size 0x4 retval 0x18021
[0.525235] ioapic_finish_move IRQ 11 calls irq_move_masked_irq()
[0.526147] irq_do_set_affinity for IRQ 11, 0
[0.526732] ioapic_set_affinity for IRQ 11, 0
[0.527330] ioapic_setup_msg_from_msi for IRQ11 target 0
ioapic_mem_write ioapic mem write addr 0x0 regsel: 0x26 size 0x4 val 0x27
ioapic_mem_write ioapic mem write addr 0x10 regsel: 0x27 size 0x4 val 0x0
ioapic_mem_write ioapic mem write addr 0x0 regsel: 0x27 size 0x4 val 0x26
ioapic_mem_write ioapic mem write addr 0x10 regsel: 0x26 size 0x4 val 0x18021
[0.527623] ioapic_set_affinity returns 0
[0.527623] ioapic_finish_move IRQ 11 calls unmask_ioapic_irq()
ioapic_mem_write ioapic mem write addr 0x0 regsel: 0x26 size 0x4 val 0x26
ioapic_mem_write ioapic mem write addr 0x10 regsel: 0x26 size 0x4 val 0x8021
ioapic_set_remote_irr set remote irr for pin 11
ioapic_service: trigger KVM IRQ 11
ioapic_update_kvm_routes: update KVM route for IRQ 11: fee0 8021
[0.529571] The affinity mask was 0 and the handler is on 2
[xenstore_watch path memory/target token 92847D40
xenstore_watch_event path memory/target token 92847D40
ioapic_set_irq vector: 11 level: 1
0.530486] ioapic_ack_level IRQ 11 moveit = 0


This is with Linux doing basically nothing when the handler is invoked
on the 'wrong' CPU, and just waiting for it to be right.

Commenting out the kvm_set_irq() calls in ioapic_service() and letting
QEMU synthesise an MSI every time works. Better still, so does 

Re: IRQ affinity not working on Xen pci-platform device^W^W^W QEMU split-irqchip I/O APIC.

2023-03-04 Thread David Woodhouse
On Sat, 2023-03-04 at 09:57 +, David Woodhouse wrote:
> I wonder if the EOI is going missing because it's coming
> from the wrong CPU? Note no 'EOI broadcast' after the last line in the
> log I showed above; it isn't just that I trimmed it there.

I'm running on a host kernel without commit fceb3a36c29a so that's
probably it.

https://git.kernel.org/torvalds/c/fceb3a36c29a




[PATCH 1/5] hw/isa/vt82c686: Fix wiring of PIC -> CPU interrupt

2023-03-04 Thread Bernhard Beschow
Commit bb98e0f59cde ("hw/isa/vt82c686: Remove intermediate IRQ forwarder")
passes s->cpu_intr to i8259_init() in via_isa_realize() directly. However,
s->cpu_intr isn't initialized yet since that happens after the south
bridge's pci_realize_and_unref() in board code. Fix this by initializing
s->cpu_intr before realizing the south bridge.

Fixes: bb98e0f59cde ("hw/isa/vt82c686: Remove intermediate IRQ forwarder")
Signed-off-by: Bernhard Beschow 
---
 hw/isa/vt82c686.c   |  3 ++-
 hw/mips/fuloong2e.c |  9 +
 hw/ppc/pegasos2.c   | 10 ++
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/hw/isa/vt82c686.c b/hw/isa/vt82c686.c
index f4c40965cd..8900d87f59 100644
--- a/hw/isa/vt82c686.c
+++ b/hw/isa/vt82c686.c
@@ -578,6 +578,8 @@ static void via_isa_init(Object *obj)
 object_initialize_child(obj, "uhci2", &s->uhci[1], 
TYPE_VT82C686B_USB_UHCI);
 object_initialize_child(obj, "ac97", &s->ac97, TYPE_VIA_AC97);
 object_initialize_child(obj, "mc97", &s->mc97, TYPE_VIA_MC97);
+
+qdev_init_gpio_out(DEVICE(obj), &s->cpu_intr, 1);
 }
 
 static const TypeInfo via_isa_info = {
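Review bot: the qdev_init_gpio_out(DEVICE(obj), &s->cpu_intr, 1) call added at the end of via_isa_init() carries no comment saying why it moved out of realize. A one-line comment that the output has to exist at instance-init time, so board code can connect it before realizing the device, would stop a later cleanup from moving it back.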
@@ -606,7 +608,6 @@ static void via_isa_realize(PCIDevice *d, Error **errp)
 ISABus *isa_bus;
 int i;
 
-qdev_init_gpio_out(dev, &s->cpu_intr, 1);
 isa_bus = isa_bus_new(dev, pci_address_space(d), pci_address_space_io(d),
   errp);
 
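Review bot: with qdev_init_gpio_out() removed from via_isa_realize(), nothing in realize checks that board code has already connected s->cpu_intr before it is handed to i8259_init(), which is the failure the commit message describes. Suggest an early check in via_isa_realize() that reports through errp and returns (or an assert) when s->cpu_intr is still NULL, so a board that realizes first fails at startup instead of passing a NULL qemu_irq on.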
diff --git a/hw/mips/fuloong2e.c b/hw/mips/fuloong2e.c
index cfc8ca6ae4..30944f8fe7 100644
--- a/hw/mips/fuloong2e.c
+++ b/hw/mips/fuloong2e.c
@@ -295,14 +295,15 @@ static void mips_fuloong2e_init(MachineState *machine)
 pci_bus = bonito_init((qemu_irq *)&(env->irq[2]));
 
 /* South bridge -> IP5 */
-pci_dev = pci_create_simple_multifunction(pci_bus,
-  PCI_DEVFN(FULOONG2E_VIA_SLOT, 0),
-  true, TYPE_VT82C686B_ISA);
+pci_dev = pci_new_multifunction(PCI_DEVFN(FULOONG2E_VIA_SLOT, 0), true,
+TYPE_VT82C686B_ISA);
+qdev_connect_gpio_out(DEVICE(pci_dev), 0, env->irq[5]);
+pci_realize_and_unref(pci_dev, pci_bus, &error_fatal);
+
 object_property_add_alias(OBJECT(machine), "rtc-time",
   object_resolve_path_component(OBJECT(pci_dev),
 "rtc"),
   "date");
-qdev_connect_gpio_out(DEVICE(pci_dev), 0, env->irq[5]);
 
 dev = DEVICE(object_resolve_path_component(OBJECT(pci_dev), "ide"));
 pci_ide_create_devs(PCI_DEVICE(dev));
diff --git a/hw/ppc/pegasos2.c b/hw/ppc/pegasos2.c
index 7cc375df05..b0ada9c963 100644
--- a/hw/ppc/pegasos2.c
+++ b/hw/ppc/pegasos2.c
@@ -159,13 +159,15 @@ static void pegasos2_init(MachineState *machine)
 pci_bus = mv64361_get_pci_bus(pm->mv, 1);
 
 /* VIA VT8231 South Bridge (multifunction PCI device) */
-via = OBJECT(pci_create_simple_multifunction(pci_bus, PCI_DEVFN(12, 0),
- true, TYPE_VT8231_ISA));
+via = OBJECT(pci_new_multifunction(PCI_DEVFN(12, 0), true,
+   TYPE_VT8231_ISA));
+qdev_connect_gpio_out(DEVICE(via), 0,
+  qdev_get_gpio_in_named(pm->mv, "gpp", 31));
+pci_realize_and_unref(PCI_DEVICE(via), pci_bus, &error_fatal);
+
 object_property_add_alias(OBJECT(machine), "rtc-time",
   object_resolve_path_component(via, "rtc"),
   "date");
-qdev_connect_gpio_out(DEVICE(via), 0,
-  qdev_get_gpio_in_named(pm->mv, "gpp", 31));
 
 dev = PCI_DEVICE(object_resolve_path_component(via, "ide"));
 pci_ide_create_devs(dev);
-- 
2.39.2




[PATCH 4/5] hw/pci/pci: Remove multifunction parameter from pci_create_simple_multifunction()

2023-03-04 Thread Bernhard Beschow
There is also pci_create_simple() which creates non-multifunction PCI
devices. Accordingly the parameter is always set to true when a multi
function PCI device is to be created.

The reason for the parameter's existence seems to be that it is used in the
internal PCI code as well which is the only location where it gets set to
false. This one usage can be replaced by trivial code.

Remove this redundant, error-prone parameter.

Signed-off-by: Bernhard Beschow 
---
 include/hw/pci/pci.h | 1 -
 hw/i386/pc_piix.c| 2 +-
 hw/i386/pc_q35.c | 4 ++--
 hw/mips/boston.c | 3 +--
 hw/mips/malta.c  | 2 +-
 hw/pci/pci.c | 7 ---
 6 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
index d5a40cd058..830407a5b9 100644
--- a/include/hw/pci/pci.h
+++ b/include/hw/pci/pci.h
@@ -578,7 +578,6 @@ PCIDevice *pci_new(int devfn, const char *name);
 bool pci_realize_and_unref(PCIDevice *dev, PCIBus *bus, Error **errp);
 
 PCIDevice *pci_create_simple_multifunction(PCIBus *bus, int devfn,
-   bool multifunction,
const char *name);
 PCIDevice *pci_create_simple(PCIBus *bus, int devfn, const char *name);
 
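Review bot: with the bool gone, pci_create_simple_multifunction() and pci_create_simple() in this header take the same (bus, devfn, name) arguments, and neither prototype says which one marks the device multifunction. A short doc comment on each declaration would make the remaining difference explicit, since the two are now interchangeable as far as the compiler is concerned.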
diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index 2f16011bab..0cd430ccc5 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -235,7 +235,7 @@ static void pc_init1(MachineState *machine,
: pc_pci_slot_get_pirq);
 pcms->bus = pci_bus;
 
-pci_dev = pci_create_simple_multifunction(pci_bus, -1, true, type);
+pci_dev = pci_create_simple_multifunction(pci_bus, -1, type);
 piix3 = PIIX3_PCI_DEVICE(pci_dev);
 piix3->pic = x86ms->gsi;
 piix3_devfn = piix3->dev.devfn;
diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index 797ba347fd..65a862b66d 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -299,7 +299,7 @@ static void pc_q35_init(MachineState *machine)
 ahci = pci_create_simple_multifunction(host_bus,
PCI_DEVFN(ICH9_SATA1_DEV,
  ICH9_SATA1_FUNC),
-   true, "ich9-ahci");
+   "ich9-ahci");
 idebus[0] = qdev_get_child_bus(&ahci->qdev, "ide.0");
 idebus[1] = qdev_get_child_bus(&ahci->qdev, "ide.1");
 g_assert(MAX_SATA_PORTS == ahci_get_num_ports(ahci));
@@ -321,7 +321,7 @@ static void pc_q35_init(MachineState *machine)
 smb = pci_create_simple_multifunction(host_bus,
   PCI_DEVFN(ICH9_SMB_DEV,
 ICH9_SMB_FUNC),
-  true, TYPE_ICH9_SMB_DEVICE);
+  TYPE_ICH9_SMB_DEVICE);
 pcms->smbus = I2C_BUS(qdev_get_child_bus(DEVICE(smb), "i2c"));
 
 smbus_eeprom_init(pcms->smbus, 8, NULL, 0);
diff --git a/hw/mips/boston.c b/hw/mips/boston.c
index a9d87f3437..2539606549 100644
--- a/hw/mips/boston.c
+++ b/hw/mips/boston.c
@@ -770,8 +770,7 @@ static void boston_mach_init(MachineState *machine)
  boston_lcd_event, NULL, s, NULL, true);
 
 ahci = pci_create_simple_multifunction(&PCI_BRIDGE(&pcie2->root)->sec_bus,
-   PCI_DEVFN(0, 0),
-   true, TYPE_ICH9_AHCI);
+   PCI_DEVFN(0, 0), TYPE_ICH9_AHCI);
 g_assert(ARRAY_SIZE(hd) == ahci_get_num_ports(ahci));
 ide_drive_get(hd, ahci_get_num_ports(ahci));
 ahci_ide_create_devs(ahci, hd);
diff --git a/hw/mips/malta.c b/hw/mips/malta.c
index ec172b111a..d4c79d263d 100644
--- a/hw/mips/malta.c
+++ b/hw/mips/malta.c
@@ -1254,7 +1254,7 @@ void mips_malta_init(MachineState *machine)
 pci_bus_map_irqs(pci_bus, malta_pci_slot_get_pirq);
 
 /* Southbridge */
-piix4 = pci_create_simple_multifunction(pci_bus, PIIX4_PCI_DEVFN, true,
+piix4 = pci_create_simple_multifunction(pci_bus, PIIX4_PCI_DEVFN,
 TYPE_PIIX4_PCI_DEVICE);
 isa_bus = ISA_BUS(qdev_get_child_bus(DEVICE(piix4), "isa.0"));
 
diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index 034fe49e9a..c2e14f000e 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -2111,17 +2111,18 @@ bool pci_realize_and_unref(PCIDevice *dev, PCIBus *bus, 
Error **errp)
 }
 
 PCIDevice *pci_create_simple_multifunction(PCIBus *bus, int devfn,
-   bool multifunction,
const char *name)
 {
-PCIDevice *dev = pci_new_multifunction(devfn, multifunction, name);
+PCIDevice *dev = pci_new_multifunction(devfn, true, name);
 pci_realize_and_unref(dev, bus, &error_fatal);
 return dev;
 }
 
 PCIDevice *pci_

[PATCH 3/5] hw/ppc/prep: Fix wiring of PIC -> CPU interrupt

2023-03-04 Thread Bernhard Beschow
Commit cef2e7148e32 ("hw/isa/i82378: Remove intermediate IRQ forwarder")
passes s->cpu_intr to i8259_init() in i82378_realize() directly. However,
s->cpu_intr isn't initialized yet since that happens after the south bridge's
pci_realize_and_unref() in board code. Fix this by initializing s->cpu_intr
before realizing the south bridge.

Fixes: cef2e7148e32 ("hw/isa/i82378: Remove intermediate IRQ forwarder")
Signed-off-by: Bernhard Beschow 
---
 hw/ppc/prep.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/ppc/prep.c b/hw/ppc/prep.c
index d00280c0f8..cfa47c1e44 100644
--- a/hw/ppc/prep.c
+++ b/hw/ppc/prep.c
@@ -270,9 +270,11 @@ static void ibm_40p_init(MachineState *machine)
 }
 
 /* PCI -> ISA bridge */
-i82378_dev = DEVICE(pci_create_simple(pci_bus, PCI_DEVFN(11, 0), 
"i82378"));
+i82378_dev = DEVICE(pci_new(PCI_DEVFN(11, 0), "i82378"));
 qdev_connect_gpio_out(i82378_dev, 0,
   qdev_get_gpio_in(DEVICE(cpu), PPC6xx_INPUT_INT));
+qdev_realize_and_unref(i82378_dev, BUS(pci_bus), &error_fatal);
+
 sysbus_connect_irq(pcihost, 0, qdev_get_gpio_in(i82378_dev, 15));
 isa_bus = ISA_BUS(qdev_get_child_bus(i82378_dev, "isa.0"));
 
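Review bot: the added qdev_realize_and_unref(i82378_dev, BUS(pci_bus), &error_fatal) line in ibm_40p_init() uses &error_fatal, but this patch adds no #include "qapi/error.h" the way the dp264.c change in 2/5 does; please confirm prep.c already pulls it in. It is also worth considering pci_realize_and_unref(), as used for the VIA boards in 1/5, so the PCI south bridges are all realized through the same helper.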
-- 
2.39.2




[PATCH 0/5] Fix recent PIC -> CPU interrupt wiring regressions

2023-03-04 Thread Bernhard Beschow
A recent series [1] attempted to remove some PIC -> CPU interrupt indirections.
This inadvertently caused NULL qemu_irqs to be passed to the i8259 because the
qemu_irqs aren't initialized at that time yet. This series provides a fix by
initializing the qemu_irq of the respective south bridges before they
are passed to i8259_init().

Furthermore -- as an optional extension -- this series also fixes some usability
issues in the API for creating multifunction PCI devices.

The series is structured as follows: The first three commits fix the
regressions, the last two fix the public API for creating multifunction PCI
devices.

[1] https://lore.kernel.org/qemu-devel/20230302224058.43315-1-phi...@linaro.org/

Bernhard Beschow (5):
  hw/isa/vt82c686: Fix wiring of PIC -> CPU interrupt
  hw/alpha/dp264: Fix wiring of PIC -> CPU interrupt
  hw/ppc/prep: Fix wiring of PIC -> CPU interrupt
  hw/pci/pci: Remove multifunction parameter from
pci_create_simple_multifunction()
  hw/pci/pci: Remove multifunction parameter from
pci_new_multifunction()

 include/hw/pci/pci.h |  4 +---
 hw/alpha/dp264.c |  8 +---
 hw/i386/pc_piix.c|  2 +-
 hw/i386/pc_q35.c | 10 +-
 hw/isa/vt82c686.c|  3 ++-
 hw/mips/boston.c |  3 +--
 hw/mips/fuloong2e.c  |  9 +
 hw/mips/malta.c  |  2 +-
 hw/pci-host/sabre.c  |  6 ++
 hw/pci/pci.c | 18 --
 hw/ppc/pegasos2.c|  9 +
 hw/ppc/prep.c|  4 +++-
 hw/sparc64/sun4u.c   |  5 ++---
 13 files changed, 45 insertions(+), 38 deletions(-)

-- 
2.39.2




[PATCH 5/5] hw/pci/pci: Remove multifunction parameter from pci_new_multifunction()

2023-03-04 Thread Bernhard Beschow
There is also pci_new() which creates non-multifunction PCI devices.
Accordingly the parameter is always set to true when a multi function PCI
device is to be created.

The reason for the parameter's existence seems to be that it is used in the
internal PCI code as well which is the only location where it gets set to
false. This one usage can be resolved by factoring out an internal helper
function.

Remove this redundant, error-prone parameter.

Signed-off-by: Bernhard Beschow 
---
 include/hw/pci/pci.h |  3 +--
 hw/i386/pc_q35.c |  6 +++---
 hw/mips/fuloong2e.c  |  2 +-
 hw/pci-host/sabre.c  |  6 ++
 hw/pci/pci.c | 13 +
 hw/ppc/pegasos2.c|  3 +--
 hw/sparc64/sun4u.c   |  5 ++---
 7 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
index 830407a5b9..cbf3ebea4e 100644
--- a/include/hw/pci/pci.h
+++ b/include/hw/pci/pci.h
@@ -572,8 +572,7 @@ pci_set_quad_by_mask(uint8_t *config, uint64_t mask, 
uint64_t reg)
 pci_set_quad(config, (~mask & val) | (mask & rval));
 }
 
-PCIDevice *pci_new_multifunction(int devfn, bool multifunction,
-const char *name);
+PCIDevice *pci_new_multifunction(int devfn, const char *name);
 PCIDevice *pci_new(int devfn, const char *name);
 bool pci_realize_and_unref(PCIDevice *dev, PCIBus *bus, Error **errp);
 
diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index 65a862b66d..b41fc2b879 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -99,12 +99,12 @@ static int ehci_create_ich9_with_companions(PCIBus *bus, 
int slot)
 return -1;
 }
 
-ehci = pci_new_multifunction(PCI_DEVFN(slot, 7), true, name);
+ehci = pci_new_multifunction(PCI_DEVFN(slot, 7), name);
 pci_realize_and_unref(ehci, bus, &error_fatal);
 usbbus = QLIST_FIRST(&ehci->qdev.child_bus);
 
 for (i = 0; i < 3; i++) {
-uhci = pci_new_multifunction(PCI_DEVFN(slot, comp[i].func), true,
+uhci = pci_new_multifunction(PCI_DEVFN(slot, comp[i].func),
  comp[i].name);
 qdev_prop_set_string(&uhci->qdev, "masterbus", usbbus->name);
 qdev_prop_set_uint32(&uhci->qdev, "firstport", comp[i].port);
@@ -236,7 +236,7 @@ static void pc_q35_init(MachineState *machine)
 phb = PCI_HOST_BRIDGE(q35_host);
 host_bus = phb->bus;
 /* create ISA bus */
-lpc = pci_new_multifunction(PCI_DEVFN(ICH9_LPC_DEV, ICH9_LPC_FUNC), true,
+lpc = pci_new_multifunction(PCI_DEVFN(ICH9_LPC_DEV, ICH9_LPC_FUNC),
 TYPE_ICH9_LPC_DEVICE);
 qdev_prop_set_bit(DEVICE(lpc), "smm-enabled",
   x86_machine_is_smm_enabled(x86ms));
diff --git a/hw/mips/fuloong2e.c b/hw/mips/fuloong2e.c
index 30944f8fe7..0d4a45bd4f 100644
--- a/hw/mips/fuloong2e.c
+++ b/hw/mips/fuloong2e.c
@@ -295,7 +295,7 @@ static void mips_fuloong2e_init(MachineState *machine)
 pci_bus = bonito_init((qemu_irq *)&(env->irq[2]));
 
 /* South bridge -> IP5 */
-pci_dev = pci_new_multifunction(PCI_DEVFN(FULOONG2E_VIA_SLOT, 0), true,
+pci_dev = pci_new_multifunction(PCI_DEVFN(FULOONG2E_VIA_SLOT, 0),
 TYPE_VT82C686B_ISA);
 qdev_connect_gpio_out(DEVICE(pci_dev), 0, env->irq[5]);
 pci_realize_and_unref(pci_dev, pci_bus, &error_fatal);
diff --git a/hw/pci-host/sabre.c b/hw/pci-host/sabre.c
index 949ecc21f2..dcb2e230b6 100644
--- a/hw/pci-host/sabre.c
+++ b/hw/pci-host/sabre.c
@@ -387,14 +387,12 @@ static void sabre_realize(DeviceState *dev, Error **errp)
 pci_setup_iommu(phb->bus, sabre_pci_dma_iommu, s->iommu);
 
 /* APB secondary busses */
-pci_dev = pci_new_multifunction(PCI_DEVFN(1, 0), true,
-TYPE_SIMBA_PCI_BRIDGE);
+pci_dev = pci_new_multifunction(PCI_DEVFN(1, 0), TYPE_SIMBA_PCI_BRIDGE);
 s->bridgeB = PCI_BRIDGE(pci_dev);
 pci_bridge_map_irq(s->bridgeB, "pciB", pci_simbaB_map_irq);
 pci_realize_and_unref(pci_dev, phb->bus, &error_fatal);
 
-pci_dev = pci_new_multifunction(PCI_DEVFN(1, 1), true,
-TYPE_SIMBA_PCI_BRIDGE);
+pci_dev = pci_new_multifunction(PCI_DEVFN(1, 1), TYPE_SIMBA_PCI_BRIDGE);
 s->bridgeA = PCI_BRIDGE(pci_dev);
 pci_bridge_map_irq(s->bridgeA, "pciA", pci_simbaA_map_irq);
 pci_realize_and_unref(pci_dev, phb->bus, &error_fatal);
diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index c2e14f000e..09907c966e 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -2089,8 +2089,8 @@ static void pci_qdev_realize(DeviceState *qdev, Error 
**errp)
 pci_dev->msi_trigger = pci_msi_trigger;
 }
 
-PCIDevice *pci_new_multifunction(int devfn, bool multifunction,
- const char *name)
+static PCIDevice *pci_new_internal(int devfn, bool multifunction,
+   const char *name)
 {
 DeviceState *dev;
 
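Review bot: the new static pci_new_internal() keeps the bool multifunction argument that the commit message calls error-prone, and it has no comment saying it is the one place where the flag may still be false. A short comment above the helper stating that only pci_new() and pci_new_multifunction() are meant to call it would keep the bare bool from spreading to new internal call sites.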
@@ -2100,9 +2100,14 @@ PCIDevice *pci_new_multifunction(int devfn, bool 
multifunction,
   

[PATCH 2/5] hw/alpha/dp264: Fix wiring of PIC -> CPU interrupt

2023-03-04 Thread Bernhard Beschow
Commit cef2e7148e32 ("hw/isa/i82378: Remove intermediate IRQ forwarder")
passes s->cpu_intr to i8259_init() in i82378_realize() directly. However,
s->cpu_intr isn't initialized yet since that happens after the south bridge's
pci_realize_and_unref() in board code. Fix this by initializing s->cpu_intr
before realizing the south bridge.

Fixes: cef2e7148e32 ("hw/isa/i82378: Remove intermediate IRQ forwarder")
Signed-off-by: Bernhard Beschow 
---
 hw/alpha/dp264.c | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/hw/alpha/dp264.c b/hw/alpha/dp264.c
index 4161f559a7..e92295ac86 100644
--- a/hw/alpha/dp264.c
+++ b/hw/alpha/dp264.c
@@ -16,6 +16,7 @@
 #include "hw/ide/pci.h"
 #include "hw/isa/superio.h"
 #include "net/net.h"
+#include "qapi/error.h"
 #include "qemu/cutils.h"
 #include "qemu/datadir.h"
 
@@ -110,11 +111,12 @@ static void clipper_init(MachineState *machine)
  * Importantly, we need to provide a PCI device node for it, otherwise
  * some operating systems won't notice there's an ISA bus to configure.
  */
-i82378_dev = DEVICE(pci_create_simple(pci_bus, PCI_DEVFN(7, 0), "i82378"));
-isa_bus = ISA_BUS(qdev_get_child_bus(i82378_dev, "isa.0"));
-
+i82378_dev = DEVICE(pci_new(PCI_DEVFN(7, 0), "i82378"));
 /* Connect the ISA PIC to the Typhoon IRQ used for ISA interrupts. */
 qdev_connect_gpio_out(i82378_dev, 0, isa_irq);
+qdev_realize_and_unref(i82378_dev, BUS(pci_bus), &error_fatal);
+
+isa_bus = ISA_BUS(qdev_get_child_bus(i82378_dev, "isa.0"));
 
 /* Since we have an SRM-compatible PALcode, use the SRM epoch.  */
 mc146818_rtc_init(isa_bus, 1900, rtc_irq);
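Review bot: in clipper_init() the comment above qdev_connect_gpio_out(i82378_dev, 0, isa_irq) still only says what gets connected, not that the call now has to sit between pci_new() and qdev_realize_and_unref(). Since that ordering is the whole fix, please extend the comment to say the connection must happen before realize, so the three lines are not reordered again later.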
-- 
2.39.2




Re: [PATCH v3 00/18] hw/ide: Untangle ISA/PCI abuses of ide_init_ioport()

2023-03-04 Thread Bernhard Beschow
On 3 March 2023 07:46:31 UTC, Mark Cave-Ayland wrote:
>On 03/03/2023 06:58, David Woodhouse wrote:
>
>> On 2 March 2023 22:40:40 GMT, "Philippe Mathieu-Daudé"  
>> wrote:
>>> Since v2: rebased
>>>
>>> I'm posting this series as is to not block Bernhard's PIIX
>>> cleanup work. I don't have code change planned, but eventually
>>> reword / improve commit descriptions.
>>>
>>> Tested commit after commit to be sure it is bisectable. Sadly
>>> this was before Zoltan & Thomas reported a problem with commit
>>> bb98e0f59c ("hw/isa/vt82c686: Remove intermediate IRQ forwarder").
>>
>> However much I stare at the partial revert which fixes it, I just cannot 
>> believe that the change could make any difference at all. There's got to be 
>> something weird going on there.
>>
>> I was going to ask if the level mode for the PIT made any difference, but 
>> this is the output IRQ from the PIT to the CPU itself so I don't see how it 
>> would.
>>
>> Would like to see a report with tracing from pic_update_irq, the CPU 
>> interrupt "handler" and the intermediate IRQ handler. With the intermediate 
>> present and without it. To compare the two.
>
>I suspect it's related to the removal of the allocation of the qemu_irq: qdev 
>gpios work by adding a child IRQ object to the device, so it could be possible 
>that something in the gpio internals isn't being updated correctly when the 
>value is overwritten directly.

I've just sent a series fixing the issue.

The problem was that cpu_intr gets populated by
qdev_connect_gpio_out() in board code which happens after via's
realize method has been executed. So in via's realize method cpu_intr
is still NULL which causes a NULL qemu_irq to be passed to the i8259.

One way to fix this is to move qdev_connect_gpio_out() in board code
between pci_new_multifunction() and pci_realize_and_unref().

By having an intermediate IRQ handler the problem didn't appear since
the (non-NULL) qemu_irq holding the intermediate handler is passed to
the i8259. The intermediate handler delays reading cpu_intr to
runtime, so initializing it after realize() is no problem. The price,
however, is that an indirection occurs at runtime every time cpu_intr
is triggered.

BTW, the PIC proxy in my PIIX consolidation series attempted to solve
the same problem: The ISABus IRQs need to be already populated in
piix-ide's realize method, otherwise NULL qemu_irqs are used. As long
as piix-ide is realized in board code, separately from the piix south
bridge, the ISABus IRQs can be populated in between. However, once
piix-ide is realized in the south bridge, the ISA IRQs must be
populated before the south bridge's realize(). The PIC proxy solved
this by introducing intermediate ISA IRQs while the latest incarnation
of the PIIX consolidation series uses the same approach as described
above.

Best regards,
Bernhard
>
>Is the problem picked up when running a binary built with --enable-sanitizers? 
>That's normally quite good at detecting this kind of issue.
>
>
>ATB,
>
>Mark.
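
Added example (not part of the original message and not QEMU code): the ordering problem explained above, reduced to a stand-alone C model. IRQ, SouthBridge, Pic, sb_connect(), run() and the other names are hypothetical stand-ins for qemu_irq, the south bridge, the i8259 and qdev_connect_gpio_out(); the model assumes that raising a NULL line is silently dropped.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for qemu_irq: a handler plus its opaque state. */
typedef struct IRQ {
    void (*handler)(void *opaque, int level);
    void *opaque;
} IRQ;

/* Model assumption: raising an unconnected (NULL) line is silently dropped. */
static void irq_set(IRQ *irq, int level)
{
    if (irq) {
        irq->handler(irq->opaque, level);
    }
}

typedef struct Cpu { int int_level; } Cpu;

static void cpu_int_handler(void *opaque, int level)
{
    ((Cpu *)opaque)->int_level = level;
}

typedef struct Pic { IRQ *parent; } Pic;   /* i8259 stand-in */

typedef struct SouthBridge {
    IRQ *cpu_intr;   /* output line, filled in by board code */
    IRQ forwarder;   /* used only by the intermediate-handler variant */
    Pic pic;
} SouthBridge;

/* Board code: the qdev_connect_gpio_out() step. */
static void sb_connect(SouthBridge *s, IRQ *target)
{
    s->cpu_intr = target;
}

/* Direct wiring: realize hands the PIC whatever cpu_intr holds right now. */
static bool sb_realize_direct(SouthBridge *s, bool guard)
{
    if (guard && !s->cpu_intr) {
        return false;   /* the check requested in review: refuse to realize */
    }
    s->pic.parent = s->cpu_intr;
    return true;
}

/* Intermediate handler: cpu_intr is read when the interrupt fires. */
static void forward(void *opaque, int level)
{
    irq_set(((SouthBridge *)opaque)->cpu_intr, level);
}

static bool sb_realize_forwarder(SouthBridge *s)
{
    s->forwarder.handler = forward;
    s->forwarder.opaque = s;
    s->pic.parent = &s->forwarder;   /* never NULL, costs one extra call */
    return true;
}

enum Order { REALIZE_THEN_CONNECT, CONNECT_THEN_REALIZE };

/* Returns 1 if the CPU saw the interrupt, 0 if it was lost,
 * -1 if realize refused to run with an unconnected line. */
static int run(enum Order order, bool use_forwarder, bool guard)
{
    Cpu cpu = { 0 };
    IRQ cpu_irq = { cpu_int_handler, &cpu };
    SouthBridge sb = { 0 };
    bool ok;

    if (order == CONNECT_THEN_REALIZE) {
        sb_connect(&sb, &cpu_irq);
    }
    ok = use_forwarder ? sb_realize_forwarder(&sb)
                       : sb_realize_direct(&sb, guard);
    if (!ok) {
        return -1;
    }
    if (order == REALIZE_THEN_CONNECT) {
        sb_connect(&sb, &cpu_irq);
    }
    irq_set(sb.pic.parent, 1);   /* the PIC raises its output */
    return cpu.int_level;
}

int main(void)
{
    printf("direct, realize first:    %d\n", run(REALIZE_THEN_CONNECT, false, false));
    printf("direct, connect first:    %d\n", run(CONNECT_THEN_REALIZE, false, false));
    printf("forwarder, realize first: %d\n", run(REALIZE_THEN_CONNECT, true, false));
    printf("guarded, realize first:   %d\n", run(REALIZE_THEN_CONNECT, false, true));
    return 0;
}
```

The first case is the regression (interrupt lost), the second is the fix from the series, the third is the old intermediate handler, and the fourth shows a realize-time check turning the silent loss into a startup failure.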



Re: [PATCH 0/5] Fix recent PIC -> CPU interrupt wiring regressions

2023-03-04 Thread Bernhard Beschow
On Sat, Mar 4, 2023 at 12:40 PM Bernhard Beschow  wrote:

> A recent series [1] attempted to remove some PIC -> CPU interrupt
> indirections.
> This inadvertently caused NULL qemu_irqs to be passed to the i8259 because
> the
> qemu_irqs aren't initialized at that time yet. This series provides a fix
> by
> initializing the qemu_irq of the respective south bridges before they
> are passed to i8259_init().
>
> Furthermore -- as an optional extension -- this series also fixes some
> usability
> issues in the API for creating multifunction PCI devices.
>
> The series is structured as follows: The first three commits fix the
> regressions, the last two fix the public API for creating multifunction PCI
> devices.
>

Testing done:
* `make check`
* `make check-avocado`
* Start MorphOS ISO

>
> [1]
> https://lore.kernel.org/qemu-devel/20230302224058.43315-1-phi...@linaro.org/
>
> Bernhard Beschow (5):
>   hw/isa/vt82c686: Fix wiring of PIC -> CPU interrupt
>   hw/alpha/dp264: Fix wiring of PIC -> CPU interrupt
>   hw/ppc/prep: Fix wiring of PIC -> CPU interrupt
>   hw/pci/pci: Remove multifunction parameter from
> pci_create_simple_multifunction()
>   hw/pci/pci: Remove multifunction parameter from
> pci_new_multifunction()
>
>  include/hw/pci/pci.h |  4 +---
>  hw/alpha/dp264.c |  8 +---
>  hw/i386/pc_piix.c|  2 +-
>  hw/i386/pc_q35.c | 10 +-
>  hw/isa/vt82c686.c|  3 ++-
>  hw/mips/boston.c |  3 +--
>  hw/mips/fuloong2e.c  |  9 +
>  hw/mips/malta.c  |  2 +-
>  hw/pci-host/sabre.c  |  6 ++
>  hw/pci/pci.c | 18 --
>  hw/ppc/pegasos2.c|  9 +
>  hw/ppc/prep.c|  4 +++-
>  hw/sparc64/sun4u.c   |  5 ++---
>  13 files changed, 45 insertions(+), 38 deletions(-)
>
> --
> 2.39.2
>
>


Re: hexagon: check-tcg rebuilding up to date image

2023-03-04 Thread Alex Bennée


Fabiano Rosas  writes:

> Matheus Tavares Bernardino  writes:
>
>> Hi,
>>
>> We noticed that local `make check-tcg` is rebuilding the docker image
>> for qemu-hexagon at every run, whereas previously it would say "Image is
>> up to date" and move on.
>>
>> This was changed at 0b1a649047 (tests/docker: use direct RUNC call to
>> build containers, 2023-02-28), where we started to no longer use
>> docker.py and its image_matches_dockerfile() to skip image builds.
>>
>> Is this new behavior by design? Or perhaps do we have some local
>> docker misconfiguration that is not correctly using caches?
>
> Hi,
>
> We started relying on docker for the cache. Are you using docker or
> podman? There should be a RUNC variable in config-host.mak that you can
> check.
>
> And for the record, which version of either podman or docker?
>
>
> Alex, 
>
> I think we might need to add DOCKER_BUILDKIT=1 $(RUNC) ... to properly
> make use of caching with docker. As for podman, I'm seeing conflicting
> information on the web as to whether it even supports caching.

As opposed to --build-arg BUILDKIT_INLINE_CACHE=1 or both?


-- 
Alex Bennée
Virtualisation Tech Lead @ Linaro



Re: [PATCH 1/5] hw/isa/vt82c686: Fix wiring of PIC -> CPU interrupt

2023-03-04 Thread BALATON Zoltan

On Sat, 4 Mar 2023, Bernhard Beschow wrote:

Commit bb98e0f59cde ("hw/isa/vt82c686: Remove intermediate IRQ forwarder")
passes s->cpu_intr to i8259_init() in via_isa_realize() directly. However,
s->cpu_intr isn't initialized yet since that happens after the south
bridge's pci_realize_and_unref() in board code. Fix this by initializing
s->cpu_intr before realizing the south bridge.


Fixes: bb98e0f59cde ("hw/isa/vt82c686: Remove intermediate IRQ forwarder")
Signed-off-by: Bernhard Beschow 
---
hw/isa/vt82c686.c   |  3 ++-
hw/mips/fuloong2e.c |  9 +
hw/ppc/pegasos2.c   | 10 ++
3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/hw/isa/vt82c686.c b/hw/isa/vt82c686.c
index f4c40965cd..8900d87f59 100644
--- a/hw/isa/vt82c686.c
+++ b/hw/isa/vt82c686.c
@@ -578,6 +578,8 @@ static void via_isa_init(Object *obj)
object_initialize_child(obj, "uhci2", &s->uhci[1], TYPE_VT82C686B_USB_UHCI);
object_initialize_child(obj, "ac97", &s->ac97, TYPE_VIA_AC97);
object_initialize_child(obj, "mc97", &s->mc97, TYPE_VIA_MC97);
+
+qdev_init_gpio_out(DEVICE(obj), &s->cpu_intr, 1);
}

static const TypeInfo via_isa_info = {
@@ -606,7 +608,6 @@ static void via_isa_realize(PCIDevice *d, Error **errp)
ISABus *isa_bus;
int i;

-qdev_init_gpio_out(dev, &s->cpu_intr, 1);


I'm not a fan of useless asserts but in this case it's not useless and 
you'd need an assert here to make sure board code already connected the 
interrupt if that's required for this to work.


Regards,
BALATON Zoltan


isa_bus = isa_bus_new(dev, pci_address_space(d), pci_address_space_io(d),
  errp);

diff --git a/hw/mips/fuloong2e.c b/hw/mips/fuloong2e.c
index cfc8ca6ae4..30944f8fe7 100644
--- a/hw/mips/fuloong2e.c
+++ b/hw/mips/fuloong2e.c
@@ -295,14 +295,15 @@ static void mips_fuloong2e_init(MachineState *machine)
pci_bus = bonito_init((qemu_irq *)&(env->irq[2]));

/* South bridge -> IP5 */
-pci_dev = pci_create_simple_multifunction(pci_bus,
-  PCI_DEVFN(FULOONG2E_VIA_SLOT, 0),
-  true, TYPE_VT82C686B_ISA);
+pci_dev = pci_new_multifunction(PCI_DEVFN(FULOONG2E_VIA_SLOT, 0), true,
+TYPE_VT82C686B_ISA);
+qdev_connect_gpio_out(DEVICE(pci_dev), 0, env->irq[5]);
+pci_realize_and_unref(pci_dev, pci_bus, &error_fatal);
+
object_property_add_alias(OBJECT(machine), "rtc-time",
  object_resolve_path_component(OBJECT(pci_dev),
"rtc"),
  "date");
-qdev_connect_gpio_out(DEVICE(pci_dev), 0, env->irq[5]);

dev = DEVICE(object_resolve_path_component(OBJECT(pci_dev), "ide"));
pci_ide_create_devs(PCI_DEVICE(dev));
diff --git a/hw/ppc/pegasos2.c b/hw/ppc/pegasos2.c
index 7cc375df05..b0ada9c963 100644
--- a/hw/ppc/pegasos2.c
+++ b/hw/ppc/pegasos2.c
@@ -159,13 +159,15 @@ static void pegasos2_init(MachineState *machine)
pci_bus = mv64361_get_pci_bus(pm->mv, 1);

/* VIA VT8231 South Bridge (multifunction PCI device) */
-via = OBJECT(pci_create_simple_multifunction(pci_bus, PCI_DEVFN(12, 0),
- true, TYPE_VT8231_ISA));
+via = OBJECT(pci_new_multifunction(PCI_DEVFN(12, 0), true,
+   TYPE_VT8231_ISA));
+qdev_connect_gpio_out(DEVICE(via), 0,
+  qdev_get_gpio_in_named(pm->mv, "gpp", 31));
+pci_realize_and_unref(PCI_DEVICE(via), pci_bus, &error_fatal);
+
object_property_add_alias(OBJECT(machine), "rtc-time",
  object_resolve_path_component(via, "rtc"),
  "date");
-qdev_connect_gpio_out(DEVICE(via), 0,
-  qdev_get_gpio_in_named(pm->mv, "gpp", 31));

dev = PCI_DEVICE(object_resolve_path_component(via, "ide"));
pci_ide_create_devs(dev);





Re: [PATCH 0/5] Fix recent PIC -> CPU interrupt wiring regressions

2023-03-04 Thread BALATON Zoltan

On Sat, 4 Mar 2023, Bernhard Beschow wrote:

A recent series [1] attempted to remove some PIC -> CPU interrupt indirections.
This inadvertently caused NULL qemu_irqs to be passed to the i8259 because the
qemu_irqs aren't initialized at that time yet. This series provides a fix by
initializing the qemu_irq of the respective south bridges before they
are passed to i2859_init().

Furthermore -- as an optional extension -- this series also fixes some usability
issues in the API for creating multifunction PCI devices.

The series is structured as follows: The first three commits fix the
regressions, the last two fix the public API for creating multifunction PCI
devices.

[1] https://lore.kernel.org/qemu-devel/20230302224058.43315-1-phi...@linaro.org/

Bernhard Beschow (5):
 hw/isa/vt82c686: Fix wiring of PIC -> CPU interrupt
 hw/alpha/dp264: Fix wiring of PIC -> CPU interrupt
 hw/ppc/prep: Fix wiring of PIC -> CPU interrupt
 hw/pci/pci: Remove multifunction parameter from
   pci_create_simple_multifunction()
 hw/pci/pci: Remove multifunction parameter from
   pci_new_multifunction()


I'd postpone the last two API change patches to the next release. Ideally
the device itself should know if it's multifunction or not and the board
instantiating it should not do anything different than instantiating a
single function device so we'd only need pci_new or pci_create_simple
without multifunction parameter or variant. So my question is why do we 
need these at all and could this be simplified more? But there's not 
enough time to answer that now so I'd ask to leave these alone for now and 
come back to this in next devel cycle.


The other 3 patches fix a breakage in current master so can be considered
but I'd need to know a decision if this will be taken or a revert as I 
need to rebase my pending patches accordingly. A maintainer please speak 
up here.


Regards,
BALATON Zoltan


include/hw/pci/pci.h |  4 +---
hw/alpha/dp264.c |  8 +---
hw/i386/pc_piix.c|  2 +-
hw/i386/pc_q35.c | 10 +-
hw/isa/vt82c686.c|  3 ++-
hw/mips/boston.c |  3 +--
hw/mips/fuloong2e.c  |  9 +
hw/mips/malta.c  |  2 +-
hw/pci-host/sabre.c  |  6 ++
hw/pci/pci.c | 18 --
hw/ppc/pegasos2.c|  9 +
hw/ppc/prep.c|  4 +++-
hw/sparc64/sun4u.c   |  5 ++---
13 files changed, 45 insertions(+), 38 deletions(-)

--
2.39.2







Re: [PATCH v6] audio/pwaudio.c: Add Pipewire audio backend for QEMU

2023-03-04 Thread Marc-André Lureau
Hi

On Fri, Mar 3, 2023 at 8:00 PM Dorinda Bassey  wrote:
>
> This commit adds a new audiodev backend to allow QEMU to use Pipewire as
> both an audio sink and source. This backend is available on most systems
>
> Add Pipewire entry points for QEMU Pipewire audio backend
> Add wrappers for QEMU Pipewire audio backend in qpw_pcm_ops()
> qpw_write function returns the current state of the stream to pwaudio
> and Writes some data to the server for playback streams using pipewire
> spa_ringbuffer implementation.
> qpw_read function returns the current state of the stream to pwaudio and
> reads some data from the server for capture streams using pipewire
> spa_ringbuffer implementation. These functions qpw_write and qpw_read
> are called during playback and capture.
> Added some functions that convert pw audio formats to QEMU audio format
> and vice versa which would be needed in the pipewire audio sink and
> source functions qpw_init_in() & qpw_init_out().
> These methods that implement playback and recording will create streams
> for playback and capture that will start processing and will result in
> the on_process callbacks to be called.
> Built a connection to the Pipewire sound system server in the
> qpw_audio_init() method.
>
> Signed-off-by: Dorinda Bassey 
> ---
> v6:
> use error_report()
> use trace instead of pw debug

Ah, I meant from QEMU tracing infrastructure:
https://gitlab.com/qemu-project/qemu/-/blob/master/docs/devel/tracing.rst

thanks

> remove double lock and unlock
> handle error loggings
>
>  audio/audio.c |   3 +
>  audio/audio_template.h|   4 +
>  audio/meson.build |   1 +
>  audio/pwaudio.c   | 822 ++
>  meson.build   |   8 +
>  meson_options.txt |   4 +-
>  qapi/audio.json   |  45 ++
>  qemu-options.hx   |  17 +
>  scripts/meson-buildoptions.sh |   8 +-
>  9 files changed, 909 insertions(+), 3 deletions(-)
>  create mode 100644 audio/pwaudio.c
>
> diff --git a/audio/audio.c b/audio/audio.c
> index 4290309d18..aa55e41ad8 100644
> --- a/audio/audio.c
> +++ b/audio/audio.c
> @@ -2069,6 +2069,9 @@ void audio_create_pdos(Audiodev *dev)
>  #ifdef CONFIG_AUDIO_PA
>  CASE(PA, pa, Pa);
>  #endif
> +#ifdef CONFIG_AUDIO_PIPEWIRE
> +CASE(PIPEWIRE, pipewire, Pipewire);
> +#endif
>  #ifdef CONFIG_AUDIO_SDL
>  CASE(SDL, sdl, Sdl);
>  #endif
> diff --git a/audio/audio_template.h b/audio/audio_template.h
> index 42b4712acb..0f02afb921 100644
> --- a/audio/audio_template.h
> +++ b/audio/audio_template.h
> @@ -355,6 +355,10 @@ AudiodevPerDirectionOptions *glue(audio_get_pdo_, 
> TYPE)(Audiodev *dev)
>  case AUDIODEV_DRIVER_PA:
>  return qapi_AudiodevPaPerDirectionOptions_base(dev->u.pa.TYPE);
>  #endif
> +#ifdef CONFIG_AUDIO_PIPEWIRE
> +case AUDIODEV_DRIVER_PIPEWIRE:
> +return 
> qapi_AudiodevPipewirePerDirectionOptions_base(dev->u.pipewire.TYPE);
> +#endif
>  #ifdef CONFIG_AUDIO_SDL
>  case AUDIODEV_DRIVER_SDL:
>  return qapi_AudiodevSdlPerDirectionOptions_base(dev->u.sdl.TYPE);
> diff --git a/audio/meson.build b/audio/meson.build
> index 074ba9..65a49c1a10 100644
> --- a/audio/meson.build
> +++ b/audio/meson.build
> @@ -19,6 +19,7 @@ foreach m : [
>['sdl', sdl, files('sdlaudio.c')],
>['jack', jack, files('jackaudio.c')],
>['sndio', sndio, files('sndioaudio.c')],
> +  ['pipewire', pipewire, files('pwaudio.c')],
>['spice', spice, files('spiceaudio.c')]
>  ]
>if m[1].found()
> diff --git a/audio/pwaudio.c b/audio/pwaudio.c
> new file mode 100644
> index 00..cb89d7a568
> --- /dev/null
> +++ b/audio/pwaudio.c
> @@ -0,0 +1,822 @@
> +/*
> + * QEMU Pipewire audio driver
> + *
> + * Copyright (c) 2023 Red Hat Inc.
> + *
> + * Author: Dorinda Bassey   
> + *
> + * SPDX-License-Identifier: GPL-2.0-or-later
> + */
> +
> +#include "qemu/osdep.h"
> +#include "qemu/module.h"
> +#include "audio.h"
> +#include 
> +#include "qemu/error-report.h"
> +#include 
> +#include 
> +#include 
> +
> +#include 
> +
> +#define AUDIO_CAP "pipewire"
> +#define RINGBUFFER_SIZE(1u << 22)
> +#define RINGBUFFER_MASK(RINGBUFFER_SIZE - 1)
> +#define BUFFER_SAMPLES512
> +
> +/* #define PW_DEBUG */
> +
> +#ifdef PW_DEBUG
> +#define TRACE(fmt, ...) fprintf(stderr, "%s@%d: " fmt "\n", __func__, \
> +__LINE__, ##__VA_ARGS__)
> +#else
> +#define TRACE(...)
> +#endif
> +
> +#include "audio_int.h"
> +
> +enum {
> +MODE_SINK,
> +MODE_SOURCE
> +};
> +
> +typedef struct pwaudio {
> +Audiodev *dev;
> +struct pw_thread_loop *thread_loop;
> +struct pw_context *context;
> +
> +struct pw_core *core;
> +struct spa_hook core_listener;
> +int seq;
> +} pwaudio;
> +
> +typedef struct PWVoice {
> +pwaudio *g;
> +bool enabled;
> +struct pw_stream *stream;
> +struct spa_hook stream_listener;
> +struct spa_audio_info_raw info;
> +uint32_t 
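Review bot: the PW_DEBUG / TRACE block near the top of audio/pwaudio.c is a private fprintf(stderr, ...) logger that can only be switched on by editing the source and rebuilding. Dropping the macro and declaring trace points in a trace-events file, called as trace_*() from the backend, makes the same messages selectable at run time, which is what the v6 changelog line "use trace instead of pw debug" was asked to do.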

Re: [PULL 0/2] Migration 20230302 patches

2023-03-04 Thread Peter Maydell
On Thu, 2 Mar 2023 at 16:21, Juan Quintela  wrote:
>
> The following changes since commit 262312d7ba6e2966acedb4f9c134fd19176b4083:
>
>   Merge tag 'pull-testing-next-010323-1' of https://gitlab.com/stsquad/qemu 
> into staging (2023-03-02 13:02:53 +)
>
> are available in the Git repository at:
>
>   https://gitlab.com/juan.quintela/qemu.git 
> tags/migration-20230302-pull-request
>
> for you to fetch changes up to c31772ad6883533757d2a7dfe9ce24325e3ec16c:
>
>   Fix exec migration on Windows (w32+w64). (2023-03-02 17:06:27 +0100)
>
> 
> Migration Pull request
>
> Hi
>
> This pull request includes:
> - use-after-free in test-vmstate (eric)
> - fix exec migration in windows (berberian)
>
> Please apply.
>
> 
>


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/8.0
for any user-visible changes.

-- PMM



Re: [PULL 0/5] loongarch-to-apply queue

2023-03-04 Thread Peter Maydell
On Fri, 3 Mar 2023 at 02:41, Song Gao  wrote:
>
> The following changes since commit 262312d7ba6e2966acedb4f9c134fd19176b4083:
>
>   Merge tag 'pull-testing-next-010323-1' of https://gitlab.com/stsquad/qemu 
> into staging (2023-03-02 13:02:53 +)
>
> are available in the Git repository at:
>
>   https://gitlab.com/gaosong/qemu.git tags/pull-loongarch-20230303
>
> for you to fetch changes up to 0d588c4f999699a430b32c563fe9ccc1710b8fd7:
>
>   hw/loongarch/virt: add system_powerdown hmp command support (2023-03-03 
> 09:37:30 +0800)
>
> 
> pull-loongarch-20230303
>
> 
> Bibo Mao (1):
>   hw/loongarch/virt: rename PCH_PIC_IRQ_OFFSET with VIRT_GSI_BASE
>
> Song Gao (4):
>   loongarch: Add smbios command line option.
>   docs/system/loongarch: update loongson3.rst and rename it to virt.rst
>   target/loongarch: Implement Chip Configuraiton Version Register(0x)
>   hw/loongarch/virt: add system_powerdown hmp command support


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/8.0
for any user-visible changes.

-- PMM



Re: [PULL 00/11] aspeed queue

2023-03-04 Thread Peter Maydell
On Thu, 2 Mar 2023 at 17:42, Cédric Le Goater  wrote:
>
> The following changes since commit a2b5f8b8ab7b2c947823088103a40f0ff11fe06b:
>
>   Merge tag 'pull-tcg-20230301' of https://gitlab.com/rth7680/qemu into 
> staging (2023-03-01 19:19:20 +)
>
> are available in the Git repository at:
>
>   https://github.com/legoater/qemu/ tags/pull-aspeed-20230302
>
> for you to fetch changes up to b22a2d409b1acfdf0d63d1bb3595194ceb3d94da:
>
>   aspeed/smc: Replace SysBus IRQs with GPIO lines (2023-03-02 13:57:50 +0100)
>
> 
> aspeed queue:
>
> * fix for the Aspeed I2C slave mode
> * a new I2C echo device from Klaus and its associated test in avocado.
> * initial SoC cleanups to allow the use of block devices instead of
>   drives on the command line.
> * new facebook machines and eeprom fixes for the Fuji
> * readline fix


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/8.0
for any user-visible changes.

-- PMM



Re: [PATCH 1/4] apic: add support for x2APIC mode

2023-03-04 Thread Bui Quang Minh

On 2/28/23 23:39, Igor Mammedov wrote:

On Tue, 28 Feb 2023 21:34:33 +0700
Bui Quang Minh  wrote:


On 2/27/23 23:07, Igor Mammedov wrote:

On Sat, 25 Feb 2023 17:15:17 +0700
Bui Quang Minh  wrote:
   

On 2/24/23 21:29, Igor Mammedov wrote:

On Tue, 21 Feb 2023 23:04:57 +0700
Bui Quang Minh  wrote:
  

This commit refactors APIC registers read/write function to support both
MMIO read/write in xAPIC mode and MSR read/write in x2APIC mode. Also,
support larger APIC ID, self IPI, new IPI destination determination in
x2APIC mode.

Signed-off-by: Bui Quang Minh 
---
hw/intc/apic.c  | 211 +---
hw/intc/apic_common.c   |   2 +-
include/hw/i386/apic.h  |   5 +-
include/hw/i386/apic_internal.h |   2 +-
4 files changed, 172 insertions(+), 48 deletions(-)

diff --git a/hw/intc/apic.c b/hw/intc/apic.c
index 2d3e55f4e2..205d5923ec 100644
--- a/hw/intc/apic.c
+++ b/hw/intc/apic.c
@@ -30,6 +30,7 @@
#include "hw/i386/apic-msidef.h"
#include "qapi/error.h"
#include "qom/object.h"
+#include "tcg/helper-tcg.h"

#define MAX_APICS 255


I'm curious how does it work without increasing ^^^?


Hmm, my commit message is not entirely correct. In this series, some
operations (send IPI, IPI destination determination) have been updated
to support x2APIC mode. However, the emulated APIC still doesn't support
APIC ID larger than 255 because currently, we use a fixed length (255 +
1) array to manage local APICs. So to support larger APIC ID, I think we
need to find any way to manage those, as the possible allocated APIC ID
range is large and maybe the allocated APIC ID is sparse which makes
fixed length array so wasteful.

how much sparse it is?


As far as I know, QEMU allows to set CPU's APIC ID, so user can pass a
very sparse APIC ID array.


I don't think that it does permit this (if it does it's a bug that should be 
fixed).

As far as I'm aware QEMU derives apic_id from '-smp' and possibly cpu type
(there was some differences between Intel and AMD in how apic id was encoded
notably AMD having threads or cores that lead to sparse apic id), though I don't
remember current state of affairs in x86 cpu topo code.


benefits of simple static array is simplicity in management and O(1) access 
time.
QEMU does know in advance max apic id so we can size array by dynamically
allocating it when 1st apic is created. Or if IDs are too sparse
switch to another structure to keep mapping.


I totally agree with this.

I admit that my main focus on this series is to make x2APIC mode
function correctly with TCG accelerator, so I skip the part of extending
the support for higher APIC ID.

the tricky part in such half approach is making sure that the code is
'correct' and won't lead to exploits.
It would be easier to review if it was completed solution instead of partial.


I looked around and found the way to dynamically allocate local_apics array

void x86_cpus_init(X86MachineState *x86ms, int default_cpu_version)
{
    if (!kvm_irqchip_in_kernel()) {
        apic_set_max_apic_id(x86ms->apic_id_limit);
    }

}

We already calculated apic_id_limit before creating CPU and local APIC
so we can use that number to dynamically allocate local_apics.


However, there are still problems while trying to extend support to
APIC ID larger than 255 because there are many places that assume APIC ID is
8-bit long. One of those is interrupt remapping which returns 32-bit
destination ID but uses MSI (which has 8-bit destination) to send to
APIC. I will look more into this.


Thanks,
Quang Minh.
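
The sizing idea discussed in this message, as an added sketch that is not QEMU code: the APIC table is allocated once from apic_id_limit, every 32-bit destination is bounds-checked before it is used as an index, and a destination that does not fit the 8-bit MSI field is refused instead of truncated. Only apic_set_max_apic_id and apic_id_limit come from the message; ApicSketch, apic_register, apic_lookup, apic_dest_to_msi8 and apic_table_free are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the emulated local APIC; only the ID matters. */
typedef struct ApicSketch {
    uint32_t id;
} ApicSketch;

static ApicSketch **local_apics;  /* indexed by APIC ID, sized at run time */
static uint32_t local_apics_len;  /* number of slots, equal to apic_id_limit */

/*
 * Size the table once, from the limit the board computed before creating
 * any CPU. This replaces the fixed (255 + 1)-entry array from the thread.
 */
bool apic_set_max_apic_id(uint32_t apic_id_limit)
{
    if (local_apics != NULL || apic_id_limit == 0) {
        return false;             /* already sized, or nothing to size */
    }
    /* calloc() zero-fills and checks the count * size multiplication. */
    local_apics = calloc(apic_id_limit, sizeof(*local_apics));
    if (local_apics == NULL) {
        return false;
    }
    local_apics_len = apic_id_limit;
    return true;
}

/* Register an APIC; rejects IDs past the limit and duplicate IDs. */
bool apic_register(ApicSketch *apic)
{
    if (local_apics == NULL || apic->id >= local_apics_len ||
        local_apics[apic->id] != NULL) {
        return false;
    }
    local_apics[apic->id] = apic;
    return true;
}

/*
 * Resolve a physical destination. In x2APIC mode the destination field is
 * 32 bits wide and written by the guest, so it is checked against the
 * allocated length before it is ever used as an index.
 */
ApicSketch *apic_lookup(uint32_t dest_id)
{
    if (local_apics == NULL || dest_id >= local_apics_len) {
        return NULL;
    }
    return local_apics[dest_id];  /* may be NULL when IDs are sparse */
}

/*
 * Narrow a 32-bit destination to the 8-bit field of an MSI message.
 * Fails instead of truncating, so ID 287 is never delivered as ID 31.
 */
bool apic_dest_to_msi8(uint32_t dest_id, uint8_t *out)
{
    if (dest_id > UINT8_MAX) {
        return false;
    }
    *out = (uint8_t)dest_id;
    return true;
}

/* Release the table (used here so the sketch can be exercised repeatedly). */
void apic_table_free(void)
{
    free(local_apics);
    local_apics = NULL;
    local_apics_len = 0;
}

int main(void)
{
    /* Constructed sample: a limit of 288 and two sparse APIC IDs. */
    ApicSketch bsp = { .id = 0 }, last = { .id = 287 };
    uint8_t msi_dest;

    if (!apic_set_max_apic_id(288) || !apic_register(&bsp) ||
        !apic_register(&last)) {
        return 1;
    }
    printf("lookup(287): %s\n", apic_lookup(287) ? "found" : "none");
    printf("lookup(288): %s\n", apic_lookup(288) ? "found" : "none");
    printf("287 fits MSI: %s\n",
           apic_dest_to_msi8(287, &msi_dest) ? "yes" : "no");
    apic_table_free();
    return 0;
}
```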



Re: [PATCH RESEND v7 5/9] tests/avocado: Pass parameters to migration test

2023-03-04 Thread Peter Maydell
On Fri, 3 Mar 2023 at 20:59, Fabiano Rosas  wrote:
>
> Peter Maydell  writes:
>
> > On Tue, 28 Feb 2023 at 19:28, Fabiano Rosas  wrote:
> >>
> >> The migration tests are currently broken for an aarch64 host because
> >> the tests pass no 'machine' and 'cpu' options on the QEMU command
> >> line.
> >>
> >> Add a separate class to each architecture so that we can specify
> >> 'machine' and 'cpu' options instead of relying on defaults.
> >>
> >> Add a skip decorator to keep the current behavior of only running
> >> migration tests when the qemu target matches the host architecture.
> >
> > I still don't understand this patch. Don't we run the
> > migration-test on all hosts already? David ?
> >
>
> We run on all hosts but for each host we only take the QEMU binary that
> matches the host architecture. So if you want to test aarch64 migration,
> you need an aarch64 host.
>
> If you run on an x86_64 host (without this patch):
> $ ../configure #all targets
> $ make check-avocado AVOCADO_TESTS=../tests/avocado/migration.py
>
> You'll see:
>
>  (1/3) ... migration.py:Migration.test_migration_with_tcp_localhost: PASS 
> (0.21 s)
>  (2/3) ... migration.py:Migration.test_migration_with_unix: PASS (0.18 s)
>  (3/3) ... migration.py:Migration.test_migration_with_exec: PASS (0.21 s)
>
> All three tests ran using qemu-system-x86_64.
>
> The issue I'm trying to solve is that when run on an aarch64 host, the
> test will fail because (being generic) it doesn't pass the '-machine
> virt' option and there is no architecture-specific information in it at
> all.

But my point is that we already CI on aarch64 hosts, so what is
happening there that means the test doesn't fail already ?

-- PMM



Re: [PATCH 0/5] Fix recent PIC -> CPU interrupt wiring regressions

2023-03-04 Thread Peter Maydell
On Sat, 4 Mar 2023 at 13:30, BALATON Zoltan  wrote:
>
> On Sat, 4 Mar 2023, Bernhard Beschow wrote:
> > A recent series [1] attempted to remove some PIC -> CPU interrupt 
> > indirections.
> > This inadvertently caused NULL qemu_irqs to be passed to the i8259 because 
> > the
> > qemu_irqs aren't initialized at that time yet. This series provides a fix by
> > initializing the qemu_irq of the respective south bridges before they
> > are passed to i2859_init().
> >
> > Furthermore -- as an optional extension -- this series also fixes some 
> > usability
> > issues in the API for creating multifunction PCI devices.
> >
> > The series is structured as follows: The first three commits fix the
> > regressions, the last two fix the public API for creating multifunction PCI
> > devices.
> >
> > [1] 
> > https://lore.kernel.org/qemu-devel/20230302224058.43315-1-phi...@linaro.org/
> >
> > Bernhard Beschow (5):
> >  hw/isa/vt82c686: Fix wiring of PIC -> CPU interrupt
> >  hw/alpha/dp264: Fix wiring of PIC -> CPU interrupt
> >  hw/ppc/prep: Fix wiring of PIC -> CPU interrupt
> >  hw/pci/pci: Remove multifunction parameter from
> >pci_create_simple_multifunction()
> >  hw/pci/pci: Remove multifunction parameter from
> >pci_new_multifunction()
>
> I'd postpone the last two API change patches to the next release. Ideally
> the device itself should know if it's multifunction or not and the board
> instantiating it should not do anything different than instantiating a
> single function device so we'd only need pci_new or pci_create_simple
> without multifunction parameter or variant. So my question is why do we
> need these at all and could this be simplified more? But there's not
> enough time to answer that now so I'd ask to leave these alone for now and
> come back to this in next devel cycle.
>
> The other 3 patches fix a breakage in current master so can be considered
> but I'd need to know a decision if this will be taken or a revert as I
> need to rebase my pending patches accordingly. A maintainer please speak
> up here.

If we're happy that patches 1-3 fix the regressions and look OK
code-wise then applying them is probably the simplest thing.

thanks
-- PMM



[PATCH v6 5/7] hw/usb/vt82c686-uhci-pci: Use PCI IRQ routing

2023-03-04 Thread BALATON Zoltan
From: Bernhard Beschow 

According to the PCI specification, PCI_INTERRUPT_LINE shall have no
effect on hardware operations. Now that the VIA south bridges implement
the internal PCI interrupt router let's be more conformant to the PCI
specification.

Signed-off-by: Bernhard Beschow 
Signed-off-by: BALATON Zoltan 
Tested-by: Rene Engel 
---
 hw/usb/vt82c686-uhci-pci.c | 12 
 1 file changed, 12 deletions(-)

diff --git a/hw/usb/vt82c686-uhci-pci.c b/hw/usb/vt82c686-uhci-pci.c
index 46a901f56f..b4884c9011 100644
--- a/hw/usb/vt82c686-uhci-pci.c
+++ b/hw/usb/vt82c686-uhci-pci.c
@@ -1,17 +1,7 @@
 #include "qemu/osdep.h"
-#include "hw/irq.h"
 #include "hw/isa/vt82c686.h"
 #include "hcd-uhci.h"
 
-static void uhci_isa_set_irq(void *opaque, int irq_num, int level)
-{
-UHCIState *s = opaque;
-uint8_t irq = pci_get_byte(s->dev.config + PCI_INTERRUPT_LINE);
-if (irq > 0 && irq < 15) {
-via_isa_set_irq(pci_get_function_0(&s->dev), irq, level);
-}
-}
-
 static void usb_uhci_vt82c686b_realize(PCIDevice *dev, Error **errp)
 {
 UHCIState *s = UHCI(dev);
@@ -25,8 +15,6 @@ static void usb_uhci_vt82c686b_realize(PCIDevice *dev, Error 
**errp)
 pci_set_long(pci_conf + 0xc0, 0x2000);
 
 usb_uhci_common_realize(dev, errp);
-object_unref(s->irq);
-s->irq = qemu_allocate_irq(uhci_isa_set_irq, s, 0);
 }
 
 static UHCIInfo uhci_info[] = {
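Review bot: with uhci_isa_set_irq() and the s->irq override removed from usb_uhci_vt82c686b_realize(), this function's interrupt now reaches the guest only through whatever the machine wires to the PCI bus, and the commit message does not say which boards were checked. Please state whether every machine that instantiates this UHCI function was tested, since before this change the ISA IRQ named in PCI_INTERRUPT_LINE was raised directly through via_isa_set_irq().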
-- 
2.30.8




[PATCH v6 4/7] hw/ppc/pegasos2: Fix PCI interrupt routing

2023-03-04 Thread BALATON Zoltan
According to the PegasosII schematics the PCI interrupt lines are
connected to both the gpp pins of the Mv64361 north bridge and the
PINT pins of the VT8231 south bridge so guests can get interrupts from
either of these. So far we only had the MV64361 connections which
worked for on board devices but for additional PCI devices (such as
network or sound card added with -device) guest OSes expect interrupt
from the ISA IRQ 9 where the firmware routes these PCI interrupts in
VT8231 ISA bridge. After the previous patches we can now model this
and also remove the board specific connection from mv64361. Also
configure routing of these lines when using Virtual Open Firmware to
match board firmware for guests that expect this.

This fixes PCI interrupts on pegasos2 under Linux, MorphOS and AmigaOS.

Signed-off-by: BALATON Zoltan 
Reviewed-by: Daniel Henrique Barboza 
Tested-by: Rene Engel 
---
 hw/pci-host/mv64361.c |  4 
 hw/ppc/pegasos2.c | 26 +-
 2 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/hw/pci-host/mv64361.c b/hw/pci-host/mv64361.c
index 298564f1f5..19e8031a3f 100644
--- a/hw/pci-host/mv64361.c
+++ b/hw/pci-host/mv64361.c
@@ -873,10 +873,6 @@ static void mv64361_realize(DeviceState *dev, Error **errp)
 }
 sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->cpu_irq);
 qdev_init_gpio_in_named(dev, mv64361_gpp_irq, "gpp", 32);
-/* FIXME: PCI IRQ connections may be board specific */
-for (i = 0; i < PCI_NUM_PINS; i++) {
-s->pci[1].irq[i] = qdev_get_gpio_in_named(dev, "gpp", 12 + i);
-}
 }
 
 static void mv64361_reset(DeviceState *dev)
diff --git a/hw/ppc/pegasos2.c b/hw/ppc/pegasos2.c
index 7cc375df05..f1650be5ee 100644
--- a/hw/ppc/pegasos2.c
+++ b/hw/ppc/pegasos2.c
@@ -73,6 +73,8 @@ struct Pegasos2MachineState {
 MachineState parent_obj;
 PowerPCCPU *cpu;
 DeviceState *mv;
+qemu_irq mv_pirq[PCI_NUM_PINS];
+qemu_irq via_pirq[PCI_NUM_PINS];
 Vof *vof;
 void *fdt_blob;
 uint64_t kernel_addr;
@@ -95,6 +97,15 @@ static void pegasos2_cpu_reset(void *opaque)
 }
 }
 
+static void pegasos2_pci_irq(void *opaque, int n, int level)
+{
+Pegasos2MachineState *pm = opaque;
+
+/* PCI interrupt lines are connected to both MV64361 and VT8231 */
+qemu_set_irq(pm->mv_pirq[n], level);
+qemu_set_irq(pm->via_pirq[n], level);
+}
+
 static void pegasos2_init(MachineState *machine)
 {
 Pegasos2MachineState *pm = PEGASOS2_MACHINE(machine);
@@ -106,7 +117,7 @@ static void pegasos2_init(MachineState *machine)
 I2CBus *i2c_bus;
 const char *fwname = machine->firmware ?: PROM_FILENAME;
 char *filename;
-int sz;
+int i, sz;
 uint8_t *spd_data;
 
 /* init CPU */
@@ -156,11 +167,18 @@ static void pegasos2_init(MachineState *machine)
 /* Marvell Discovery II system controller */
 pm->mv = DEVICE(sysbus_create_simple(TYPE_MV64361, -1,
   qdev_get_gpio_in(DEVICE(pm->cpu), 
PPC6xx_INPUT_INT)));
+for (i = 0; i < PCI_NUM_PINS; i++) {
+pm->mv_pirq[i] = qdev_get_gpio_in_named(pm->mv, "gpp", 12 + i);
+}
 pci_bus = mv64361_get_pci_bus(pm->mv, 1);
+pci_bus_irqs(pci_bus, pegasos2_pci_irq, pm, PCI_NUM_PINS);
 
 /* VIA VT8231 South Bridge (multifunction PCI device) */
 via = OBJECT(pci_create_simple_multifunction(pci_bus, PCI_DEVFN(12, 0),
  true, TYPE_VT8231_ISA));
+for (i = 0; i < PCI_NUM_PINS; i++) {
+pm->via_pirq[i] = qdev_get_gpio_in_named(DEVICE(via), "pirq", i);
+}
 object_property_add_alias(OBJECT(machine), "rtc-time",
   object_resolve_path_component(via, "rtc"),
   "date");
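Review bot: pci_bus_irqs(pci_bus, pegasos2_pci_irq, pm, PCI_NUM_PINS) installs the handler before the second loop fills pm->via_pirq[], so a PCI interrupt raised while the VT8231 is being created reaches pegasos2_pci_irq() with via_pirq[n] still unset. If nothing can raise a line that early, a comment saying so is enough; otherwise move the pci_bus_irqs() call below the loop that resolves the "pirq" inputs.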
@@ -267,6 +285,12 @@ static void pegasos2_machine_reset(MachineState *machine, 
ShutdownCause reason)
   PCI_INTERRUPT_LINE, 2, 0x9);
 pegasos2_pci_config_write(pm, 1, (PCI_DEVFN(12, 0) << 8) |
   0x50, 1, 0x2);
+pegasos2_pci_config_write(pm, 1, (PCI_DEVFN(12, 0) << 8) |
+  0x55, 1, 0x90);
+pegasos2_pci_config_write(pm, 1, (PCI_DEVFN(12, 0) << 8) |
+  0x56, 1, 0x99);
+pegasos2_pci_config_write(pm, 1, (PCI_DEVFN(12, 0) << 8) |
+  0x57, 1, 0x90);
 
 pegasos2_pci_config_write(pm, 1, (PCI_DEVFN(12, 1) << 8) |
   PCI_INTERRUPT_LINE, 2, 0x109);
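Review bot: the three new writes to offsets 0x55, 0x56 and 0x57 in pegasos2_machine_reset() are bare magic numbers. A comment saying that these are the VT8231 PCI interrupt routing registers and that 0x90 / 0x99 / 0x90 route all four PCI pins to ISA IRQ 9, as the commit message describes the board firmware doing, would let a reader check them against via_isa_get_pci_irq() without the datasheet.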
-- 
2.30.8




[PATCH v6 6/7] hw/audio/via-ac97: Basic implementation of audio playback

2023-03-04 Thread BALATON Zoltan
Add basic implementation of the AC'97 sound part used in VIA south
bridge chips. Not all features of the device are emulated, only one
playback channel is supported for now but this is enough to get sound
output from some guests using this device on pegasos2.

Signed-off-by: BALATON Zoltan 
Reviewed-by: Volker Rümelin 
Tested-by: Rene Engel 
---
 hw/audio/trace-events |   6 +
 hw/audio/via-ac97.c   | 455 +-
 hw/isa/trace-events   |   1 +
 hw/isa/vt82c686.c |   2 +-
 include/hw/isa/vt82c686.h |  25 +++
 5 files changed, 482 insertions(+), 7 deletions(-)

diff --git a/hw/audio/trace-events b/hw/audio/trace-events
index e0e71cd9b1..4dec48a4fd 100644
--- a/hw/audio/trace-events
+++ b/hw/audio/trace-events
@@ -11,3 +11,9 @@ hda_audio_running(const char *stream, int nr, bool running) 
"st %s, nr %d, run %
 hda_audio_format(const char *stream, int chan, const char *fmt, int freq) "st 
%s, %d x %s @ %d Hz"
 hda_audio_adjust(const char *stream, int pos) "st %s, pos %d"
 hda_audio_overrun(const char *stream) "st %s"
+
+#via-ac97.c
+via_ac97_codec_write(uint8_t addr, uint16_t val) "0x%x <- 0x%x"
+via_ac97_sgd_fetch(uint32_t curr, uint32_t addr, char stop, char eol, char 
flag, uint32_t len) "curr=0x%x addr=0x%x %c%c%c len=%d"
+via_ac97_sgd_read(uint64_t addr, unsigned size, uint64_t val) "0x%"PRIx64" %d 
-> 0x%"PRIx64
+via_ac97_sgd_write(uint64_t addr, unsigned size, uint64_t val) "0x%"PRIx64" %d 
<- 0x%"PRIx64
diff --git a/hw/audio/via-ac97.c b/hw/audio/via-ac97.c
index d1a856f63d..676254b7a4 100644
--- a/hw/audio/via-ac97.c
+++ b/hw/audio/via-ac97.c
@@ -1,39 +1,482 @@
 /*
  * VIA south bridges sound support
  *
+ * Copyright (c) 2022-2023 BALATON Zoltan
+ *
  * This work is licensed under the GNU GPL license version 2 or later.
  */
 
 /*
- * TODO: This is entirely boiler plate just registering empty PCI devices
- * with the right ID guests expect, functionality should be added here.
+ * TODO: This is only a basic implementation of one audio playback channel
+ *   more functionality should be added here.
  */
 
 #include "qemu/osdep.h"
+#include "qemu/log.h"
 #include "hw/isa/vt82c686.h"
-#include "hw/pci/pci_device.h"
+#include "ac97.h"
+#include "trace.h"
+
+#define CLEN_IS_EOL(x)  ((x)->clen & BIT(31))
+#define CLEN_IS_FLAG(x) ((x)->clen & BIT(30))
+#define CLEN_IS_STOP(x) ((x)->clen & BIT(29))
+#define CLEN_LEN(x) ((x)->clen & 0xff)
+
+#define STAT_ACTIVE BIT(7)
+#define STAT_PAUSED BIT(6)
+#define STAT_TRIG   BIT(3)
+#define STAT_STOP   BIT(2)
+#define STAT_EOLBIT(1)
+#define STAT_FLAG   BIT(0)
+
+#define CNTL_START  BIT(7)
+#define CNTL_TERM   BIT(6)
+#define CNTL_PAUSE  BIT(3)
+
+static void open_voice_out(ViaAC97State *s);
+
+static uint16_t codec_rates[] = { 8000, 11025, 16000, 22050, 32000, 44100,
+  48000 };
+
+#define CODEC_REG(s, o)  ((s)->codec_regs[(o) / 2])
+#define CODEC_VOL(vol, mask)  ((255 * ((vol) & mask)) / mask)
+
+static void codec_volume_set_out(ViaAC97State *s)
+{
+int lvol, rvol, mute;
+
+lvol = 255 - CODEC_VOL(CODEC_REG(s, AC97_Master_Volume_Mute) >> 8, 0x1f);
+lvol *= 255 - CODEC_VOL(CODEC_REG(s, AC97_PCM_Out_Volume_Mute) >> 8, 0x1f);
+lvol /= 255;
+rvol = 255 - CODEC_VOL(CODEC_REG(s, AC97_Master_Volume_Mute), 0x1f);
+rvol *= 255 - CODEC_VOL(CODEC_REG(s, AC97_PCM_Out_Volume_Mute), 0x1f);
+rvol /= 255;
+mute = CODEC_REG(s, AC97_Master_Volume_Mute) >> MUTE_SHIFT;
+mute |= CODEC_REG(s, AC97_PCM_Out_Volume_Mute) >> MUTE_SHIFT;
+AUD_set_volume_out(s->vo, mute, lvol, rvol);
+}
+
+static void codec_reset(ViaAC97State *s)
+{
+memset(s->codec_regs, 0, sizeof(s->codec_regs));
+CODEC_REG(s, AC97_Reset) = 0x6a90;
+CODEC_REG(s, AC97_Master_Volume_Mute) = 0x8000;
+CODEC_REG(s, AC97_Headphone_Volume_Mute) = 0x8000;
+CODEC_REG(s, AC97_Master_Volume_Mono_Mute) = 0x8000;
+CODEC_REG(s, AC97_Phone_Volume_Mute) = 0x8008;
+CODEC_REG(s, AC97_Mic_Volume_Mute) = 0x8008;
+CODEC_REG(s, AC97_Line_In_Volume_Mute) = 0x8808;
+CODEC_REG(s, AC97_CD_Volume_Mute) = 0x8808;
+CODEC_REG(s, AC97_Video_Volume_Mute) = 0x8808;
+CODEC_REG(s, AC97_Aux_Volume_Mute) = 0x8808;
+CODEC_REG(s, AC97_PCM_Out_Volume_Mute) = 0x8808;
+CODEC_REG(s, AC97_Record_Gain_Mute) = 0x8000;
+CODEC_REG(s, AC97_Powerdown_Ctrl_Stat) = 0x000f;
+CODEC_REG(s, AC97_Extended_Audio_ID) = 0x0a05;
+CODEC_REG(s, AC97_Extended_Audio_Ctrl_Stat) = 0x0400;
+CODEC_REG(s, AC97_PCM_Front_DAC_Rate) = 48000;
+CODEC_REG(s, AC97_PCM_LR_ADC_Rate) = 48000;
+/* Sigmatel 9766 (STAC9766) */
+CODEC_REG(s, AC97_Vendor_ID1) = 0x8384;
+CODEC_REG(s, AC97_Vendor_ID2) = 0x7666;
+}
+
+static uint16_t codec_read(ViaAC97State *s, uint8_t addr)
+{
+return CODEC_REG(s, addr);
+}
+
+static void codec_write(ViaAC97State *s, uint8_t addr, uint16_t val)
+{
+trace_via_ac97_codec_write(addr, val);
+switch (addr) {
+case AC97_Reset:
+codec_reset(s);
+
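Review bot: codec_read() returns CODEC_REG(s, addr) for a uint8_t addr with no range check, so any addr from 0 to 255 indexes s->codec_regs[addr / 2] and safety rests entirely on that array having at least 128 entries; its declaration is in include/hw/isa/vt82c686.h and is not visible in this hunk. Please add a QEMU_BUILD_BUG_ON next to the macro or mask addr to the register file size, and parenthesise mask in CODEC_VOL(vol, mask) while there.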

[PATCH v6 0/7] Pegasos2 fixes and audio output support

2023-03-04 Thread BALATON Zoltan
Latest version of series with the following changes since v5:

v6:
- Replaced work around for level sensitive interrupt needed by MorphOS
with patch from David Woodhouse that implements it in i8259 model
- Added R-b, T-b tags
- Moved revert patch to the end so it's easier to drop it to help
merging with alternative fixes

Regards,
BALATON Zoltan

BALATON Zoltan (5):
  hw/display/sm501: Add debug property to control pixman usage
  hw/isa/vt82c686: Implement PCI IRQ routing
  hw/ppc/pegasos2: Fix PCI interrupt routing
  hw/audio/via-ac97: Basic implementation of audio playback
  Revert "hw/isa/vt82c686: Remove intermediate IRQ forwarder"

Bernhard Beschow (1):
  hw/usb/vt82c686-uhci-pci: Use PCI IRQ routing

David Woodhouse (1):
  hw/intc/i8259: Implement legacy LTIM Edge/Level Bank Select

 hw/audio/trace-events   |   6 +
 hw/audio/via-ac97.c | 455 +++-
 hw/display/sm501.c  |  18 +-
 hw/intc/i8259.c |  10 +-
 hw/intc/i8259_common.c  |  24 +-
 hw/isa/trace-events |   1 +
 hw/isa/vt82c686.c   |  50 +++-
 hw/pci-host/mv64361.c   |   4 -
 hw/ppc/pegasos2.c   |  26 +-
 hw/usb/vt82c686-uhci-pci.c  |  12 -
 include/hw/isa/i8259_internal.h |   1 +
 include/hw/isa/vt82c686.h   |  25 ++
 12 files changed, 597 insertions(+), 35 deletions(-)

-- 
2.30.8




[PATCH v6 3/7] hw/isa/vt82c686: Implement PCI IRQ routing

2023-03-04 Thread BALATON Zoltan
The real VIA south bridges implement a PCI IRQ router which is configured
by the BIOS or the OS. In order to respect these configurations, QEMU
needs to implement it as well. The real chip may allow routing IRQs from
internal functions independently of PCI interrupts but since guests
usually configure it to a single shared interrupt we don't model that
here for simplicity.

Note: The implementation was taken from piix4_set_irq() in hw/isa/piix4.

Suggested-by: Bernhard Beschow 
Signed-off-by: BALATON Zoltan 
Tested-by: Rene Engel 
---
 hw/isa/vt82c686.c | 38 ++
 1 file changed, 38 insertions(+)

diff --git a/hw/isa/vt82c686.c b/hw/isa/vt82c686.c
index f4c40965cd..51c0dd4c41 100644
--- a/hw/isa/vt82c686.c
+++ b/hw/isa/vt82c686.c
@@ -598,6 +598,42 @@ void via_isa_set_irq(PCIDevice *d, int n, int level)
 qemu_set_irq(s->isa_irqs_in[n], level);
 }
 
+static int via_isa_get_pci_irq(const ViaISAState *s, int irq_num)
+{
+switch (irq_num) {
+case 0:
+return s->dev.config[0x55] >> 4;
+case 1:
+return s->dev.config[0x56] & 0xf;
+case 2:
+return s->dev.config[0x56] >> 4;
+case 3:
+return s->dev.config[0x57] >> 4;
+}
+return 0;
+}
+
+static void via_isa_set_pci_irq(void *opaque, int irq_num, int level)
+{
+ViaISAState *s = opaque;
+PCIBus *bus = pci_get_bus(&s->dev);
+int i, pic_level, pic_irq = via_isa_get_pci_irq(s, irq_num);
+
+if (unlikely(pic_irq == 0 || pic_irq == 2 || pic_irq > 14)) {
+return;
+}
+
+/* The pic level is the logical OR of all the PCI irqs mapped to it. */
+pic_level = 0;
+for (i = 0; i < PCI_NUM_PINS; i++) {
+if (pic_irq == via_isa_get_pci_irq(s, i)) {
+pic_level |= pci_bus_get_irq_level(bus, i);
+}
+}
+/* Now we change the pic irq level according to the via irq mappings. */
+qemu_set_irq(s->isa_irqs_in[pic_irq], pic_level);
+}
+
 static void via_isa_realize(PCIDevice *d, Error **errp)
 {
 ViaISAState *s = VIA_ISA(d);
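Review bot: via_isa_set_pci_irq() only drives the ISA line that the routing registers select at the moment of the call, so if the guest rewrites 0x55 to 0x57 (or routes a pin to 0, which takes the early return) while a PCI pin is asserted, the previously selected s->isa_irqs_in[] entry is never lowered. Re-evaluating the four pins when those config offsets are written would close that; if the behaviour is accepted as inherited from piix4_set_irq(), a comment should say so.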
@@ -619,6 +655,8 @@ static void via_isa_realize(PCIDevice *d, Error **errp)
 i8254_pit_init(isa_bus, 0x40, 0, NULL);
 i8257_dma_init(isa_bus, 0);
 
+qdev_init_gpio_in_named(dev, via_isa_set_pci_irq, "pirq", PCI_NUM_PINS);
+
 /* RTC */
 qdev_prop_set_int32(DEVICE(&s->rtc), "base_year", 2000);
 if (!qdev_realize(DEVICE(&s->rtc), BUS(isa_bus), errp)) {
-- 
2.30.8




[PATCH v6 7/7] Revert "hw/isa/vt82c686: Remove intermediate IRQ forwarder"

2023-03-04 Thread BALATON Zoltan
This partially reverts commit bb98e0f59cde84d9fddc60ae74ef7ddfca17
keeping the rename of a state field but reverting other changes which
break interrupts on pegasos2.

Signed-off-by: BALATON Zoltan 
Tested-by: Rene Engel 
---
 hw/isa/vt82c686.c | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/hw/isa/vt82c686.c b/hw/isa/vt82c686.c
index 147ac78051..ec108d992b 100644
--- a/hw/isa/vt82c686.c
+++ b/hw/isa/vt82c686.c
@@ -598,6 +598,12 @@ void via_isa_set_irq(PCIDevice *d, int n, int level)
 qemu_set_irq(s->isa_irqs_in[n], level);
 }
 
+static void via_isa_request_i8259_irq(void *opaque, int irq, int level)
+{
+ViaISAState *s = opaque;
+qemu_set_irq(s->cpu_intr, level);
+}
+
 static int via_isa_get_pci_irq(const ViaISAState *s, int irq_num)
 {
 switch (irq_num) {
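
Review bot: via_isa_request_i8259_irq() has no comment explaining why the i8259 output has to go through this forwarder rather than driving s->cpu_intr directly, and the commit message only says the other changes "break interrupts on pegasos2". One or two sentences on the cause, in the code or in the message, would keep the forwarder from being removed again as redundant. The irq argument is unused, which is worth stating in the same comment.
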
@@ -639,10 +645,12 @@ static void via_isa_realize(PCIDevice *d, Error **errp)
 ViaISAState *s = VIA_ISA(d);
 DeviceState *dev = DEVICE(d);
 PCIBus *pci_bus = pci_get_bus(d);
+qemu_irq *isa_irq;
 ISABus *isa_bus;
 int i;
 
 qdev_init_gpio_out(dev, &s->cpu_intr, 1);
+isa_irq = qemu_allocate_irqs(via_isa_request_i8259_irq, s, 1);
 isa_bus = isa_bus_new(dev, pci_address_space(d), pci_address_space_io(d),
   errp);
 
@@ -650,7 +658,7 @@ static void via_isa_realize(PCIDevice *d, Error **errp)
 return;
 }
 
-s->isa_irqs_in = i8259_init(isa_bus, s->cpu_intr);
+s->isa_irqs_in = i8259_init(isa_bus, *isa_irq);
 isa_bus_register_input_irqs(isa_bus, s->isa_irqs_in);
 i8254_pit_init(isa_bus, 0x40, 0, NULL);
 i8257_dma_init(isa_bus, 0);
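
Review bot: `*isa_irq` dereferences an array obtained from qemu_allocate_irqs() in the previous hunk, and the array itself is never released, neither on the early `return` after isa_bus_new() fails nor on the normal path. For a single line, qemu_allocate_irq() returns the qemu_irq directly and avoids the extra allocation; calling it after the isa_bus check also keeps the error path clean.
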
-- 
2.30.8




[PATCH v6 2/7] hw/intc/i8259: Implement legacy LTIM Edge/Level Bank Select

2023-03-04 Thread BALATON Zoltan
From: David Woodhouse 

Back in the mists of time, before EISA came along and required per-pin
level control in the ELCR register, the i8259 had a single chip-wide
level-mode control in bit 3 of ICW1.

Even in the PIIX3 datasheet from 1996 this is documented as 'This bit is
disabled', but apparently MorphOS is using it in the version of the
i8259 which is in the Pegasos2 board as part of the VT8231 chipset.

It's easy enough to implement, and I think it's harmless enough to do so
unconditionally.

Signed-off-by: David Woodhouse 
[balaton: updated commit message as asked by author]
Tested-by: BALATON Zoltan 
Signed-off-by: BALATON Zoltan 
---
 hw/intc/i8259.c | 10 --
 hw/intc/i8259_common.c  | 24 +++-
 include/hw/isa/i8259_internal.h |  1 +
 3 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/hw/intc/i8259.c b/hw/intc/i8259.c
index 17910f3bcb..bbae2d87f4 100644
--- a/hw/intc/i8259.c
+++ b/hw/intc/i8259.c
@@ -133,7 +133,7 @@ static void pic_set_irq(void *opaque, int irq, int level)
 }
 #endif
 
-if (s->elcr & mask) {
+if (s->ltim || (s->elcr & mask)) {
 /* level triggered */
 if (level) {
 s->irr |= mask;
@@ -167,7 +167,7 @@ static void pic_intack(PICCommonState *s, int irq)
 s->isr |= (1 << irq);
 }
 /* We don't clear a level sensitive interrupt here */
-if (!(s->elcr & (1 << irq))) {
+if (!s->ltim && !(s->elcr & (1 << irq))) {
 s->irr &= ~(1 << irq);
 }
 pic_update_irq(s);
@@ -224,6 +224,7 @@ static void pic_reset(DeviceState *dev)
 PICCommonState *s = PIC_COMMON(dev);
 
 s->elcr = 0;
+s->ltim = 0;
 pic_init_reset(s);
 }
 
@@ -243,10 +244,7 @@ static void pic_ioport_write(void *opaque, hwaddr addr64,
 s->init_state = 1;
 s->init4 = val & 1;
 s->single_mode = val & 2;
-if (val & 0x08) {
-qemu_log_mask(LOG_UNIMP,
-  "i8259: level sensitive irq not supported\n");
-}
+s->ltim = val & 8;
 } else if (val & 0x08) {
 if (val & 0x04) {
 s->poll = 1;
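
Review bot: `s->ltim = val & 8;` stores the raw bit value (8) in a field that is otherwise used as a boolean and is written to the migration stream as a uint8. Normalising it, for example `s->ltim = !!(val & 0x08);`, keeps the migrated value to 0 or 1 and matches the 0x08 spelling used by the `else if` right below it.
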
diff --git a/hw/intc/i8259_common.c b/hw/intc/i8259_common.c
index af2e4a2241..c931dc2d07 100644
--- a/hw/intc/i8259_common.c
+++ b/hw/intc/i8259_common.c
@@ -51,7 +51,7 @@ void pic_reset_common(PICCommonState *s)
 s->special_fully_nested_mode = 0;
 s->init4 = 0;
 s->single_mode = 0;
-/* Note: ELCR is not reset */
+/* Note: ELCR and LTIM are not reset */
 }
 
 static int pic_dispatch_pre_save(void *opaque)
@@ -144,6 +144,24 @@ static void pic_print_info(InterruptStatsProvider *obj, 
Monitor *mon)
s->special_fully_nested_mode);
 }
 
+static bool ltim_state_needed(void *opaque)
+{
+PICCommonState *s = PIC_COMMON(opaque);
+
+return !!s->ltim;
+}
+
+static const VMStateDescription vmstate_pic_ltim = {
+.name = "i8259/ltim",
+.version_id = 1,
+.minimum_version_id = 1,
+.needed = ltim_state_needed,
+.fields = (VMStateField[]) {
+VMSTATE_UINT8(ltim, PICCommonState),
+VMSTATE_END_OF_LIST()
+}
+};
+
 static const VMStateDescription vmstate_pic_common = {
 .name = "i8259",
 .version_id = 1,
@@ -168,6 +186,10 @@ static const VMStateDescription vmstate_pic_common = {
 VMSTATE_UINT8(single_mode, PICCommonState),
 VMSTATE_UINT8(elcr, PICCommonState),
 VMSTATE_END_OF_LIST()
+},
+.subsections = (const VMStateDescription*[]) {
+&vmstate_pic_ltim,
+NULL
 }
 };
 
diff --git a/include/hw/isa/i8259_internal.h b/include/hw/isa/i8259_internal.h
index 155b098452..f9dcc4163e 100644
--- a/include/hw/isa/i8259_internal.h
+++ b/include/hw/isa/i8259_internal.h
@@ -61,6 +61,7 @@ struct PICCommonState {
 uint8_t single_mode; /* true if slave pic is not initialized */
 uint8_t elcr; /* PIIX edge/trigger selection*/
 uint8_t elcr_mask;
+uint8_t ltim; /* Edge/Level Bank Select (pre-PIIX, chip-wide) */
 qemu_irq int_out[1];
 uint32_t master; /* reflects /SP input pin */
 uint32_t iobase;
-- 
2.30.8




[PATCH v6 1/7] hw/display/sm501: Add debug property to control pixman usage

2023-03-04 Thread BALATON Zoltan
Add a property to allow disabling pixman and always use the fallbacks
for different operations which is useful for testing different drawing
methods or debugging pixman related issues.

Signed-off-by: BALATON Zoltan 
Tested-by: Rene Engel 
---
 hw/display/sm501.c | 18 +++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/hw/display/sm501.c b/hw/display/sm501.c
index 17835159fc..dbabbc4339 100644
--- a/hw/display/sm501.c
+++ b/hw/display/sm501.c
@@ -465,6 +465,7 @@ typedef struct SM501State {
 uint32_t last_width;
 uint32_t last_height;
 bool do_full_update; /* perform a full update next time */
+uint8_t use_pixman;
 I2CBus *i2c_bus;
 
 /* mmio registers */
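
Review bot: use_pixman is added as a bare uint8_t with no comment, but the later hunks treat it as a bit mask tested with BIT(0), BIT(1) and BIT(2). A comment on the field, or named constants for the three bits, would let the tests in sm501_2d_operation() be read without looking up the property description.
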
@@ -827,7 +828,7 @@ static void sm501_2d_operation(SM501State *s)
 de = db + (width + (height - 1) * dst_pitch) * bypp;
 overlap = (db < se && sb < de);
 }
-if (overlap) {
+if (overlap && (s->use_pixman & BIT(2))) {
 /* pixman can't do reverse blit: copy via temporary */
 int tmp_stride = DIV_ROUND_UP(width * bypp, sizeof(uint32_t));
 uint32_t *tmp = tmp_buf;
@@ -852,13 +853,15 @@ static void sm501_2d_operation(SM501State *s)
 if (tmp != tmp_buf) {
 g_free(tmp);
 }
-} else {
+} else if (!overlap && (s->use_pixman & BIT(1))) {
 fallback = !pixman_blt((uint32_t *)&s->local_mem[src_base],
(uint32_t *)&s->local_mem[dst_base],
src_pitch * bypp / sizeof(uint32_t),
dst_pitch * bypp / sizeof(uint32_t),
8 * bypp, 8 * bypp, src_x, src_y,
dst_x, dst_y, width, height);
+} else {
+fallback = true;
 }
 if (fallback) {
 uint8_t *sp = s->local_mem + src_base;
@@ -891,7 +894,7 @@ static void sm501_2d_operation(SM501State *s)
 color = cpu_to_le16(color);
 }
 
-if ((width == 1 && height == 1) ||
+if (!(s->use_pixman & BIT(0)) || (width == 1 && height == 1) ||
 !pixman_fill((uint32_t *)&s->local_mem[dst_base],
  dst_pitch * bypp / sizeof(uint32_t), 8 * bypp,
  dst_x, dst_y, width, height, color)) {
@@ -2035,6 +2038,7 @@ static void sm501_realize_sysbus(DeviceState *dev, Error 
**errp)
 
 static Property sm501_sysbus_properties[] = {
 DEFINE_PROP_UINT32("vram-size", SM501SysBusState, vram_size, 0),
+DEFINE_PROP_UINT8("x-pixman", SM501SysBusState, state.use_pixman, 7),
 DEFINE_PROP_END_OF_LIST(),
 };
 
@@ -2122,6 +2126,7 @@ static void sm501_realize_pci(PCIDevice *dev, Error 
**errp)
 
 static Property sm501_pci_properties[] = {
 DEFINE_PROP_UINT32("vram-size", SM501PCIState, vram_size, 64 * MiB),
+DEFINE_PROP_UINT8("x-pixman", SM501PCIState, state.use_pixman, 7),
 DEFINE_PROP_END_OF_LIST(),
 };
 
@@ -2162,11 +2167,18 @@ static void sm501_pci_class_init(ObjectClass *klass, 
void *data)
 dc->vmsd = &vmstate_sm501_pci;
 }
 
+static void sm501_pci_init(Object *o)
+{
+object_property_set_description(o, "x-pixman", "Use pixman for: "
+"1: fill, 2: blit, 4: overlap blit");
+}
+
 static const TypeInfo sm501_pci_info = {
 .name  = TYPE_PCI_SM501,
 .parent= TYPE_PCI_DEVICE,
 .instance_size = sizeof(SM501PCIState),
 .class_init= sm501_pci_class_init,
+.instance_init = sm501_pci_init,
 .interfaces = (InterfaceInfo[]) {
 { INTERFACE_CONVENTIONAL_PCI_DEVICE },
 { },
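
Review bot: the property description is set only in sm501_pci_init(), so the sysbus variant, which registers the same "x-pixman" property in sm501_sysbus_properties, has no description. Add the equivalent instance_init for the sysbus type or share one helper. The property also accepts any uint8 value although only the low three bits are used; rejecting or masking values above 7 would make typos visible.
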
-- 
2.30.8




[GSoC 23] RDB Server Proposal Questions

2023-03-04 Thread Ayush Singh
Hello everyone

I was thinking about working on the RDB Server project, and thus just
wanted clarification of IronRDB status. The GSoC Project description [1]
states that IronRDB [2] lacks some server support. So what are the
essential features that IronRDB is missing?

Also, another possibility is using FreeRDB [3] from another language. This
other language itself can also be Rust due to its excellent C FFI. So is it
preferable to improve IronRDB or just use FreeRDB?

Yours Sincerely
Ayush Singh

[1]: https://wiki.qemu.org/Google_Summer_of_Code_2023#RDP_server
[2]: https://github.com/Devolutions/IronRDP
[3]: https://www.freerdp.com/


[PATCH v2 09/13] hw/pci-host/q35: Turn PCI hole properties into class properties

2023-03-04 Thread Bernhard Beschow
These properties are class properties in i440fx. No need to handle them
differently in q35.

Signed-off-by: Bernhard Beschow 
---
 hw/pci-host/q35.c | 32 
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
index 23df52a256..afd192cc2a 100644
--- a/hw/pci-host/q35.c
+++ b/hw/pci-host/q35.c
@@ -207,6 +207,22 @@ static void q35_host_class_init(ObjectClass *klass, void 
*data)
 dc->user_creatable = false;
 set_bit(DEVICE_CATEGORY_BRIDGE, dc->categories);
 dc->fw_name = "pci";
+
+object_class_property_add(klass, PCI_HOST_PROP_PCI_HOLE_START, "uint32",
+  q35_host_get_pci_hole_start,
+  NULL, NULL, NULL);
+
+object_class_property_add(klass, PCI_HOST_PROP_PCI_HOLE_END, "uint32",
+  q35_host_get_pci_hole_end,
+  NULL, NULL, NULL);
+
+object_class_property_add(klass, PCI_HOST_PROP_PCI_HOLE64_START, "uint64",
+  q35_host_get_pci_hole64_start,
+  NULL, NULL, NULL);
+
+object_class_property_add(klass, PCI_HOST_PROP_PCI_HOLE64_END, "uint64",
+  q35_host_get_pci_hole64_end,
+  NULL, NULL, NULL);
 }
 
 static void q35_host_initfn(Object *obj)
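
Review bot: the four properties are registered in q35_host_class_init() without descriptions. Since every registration is being rewritten here anyway, an object_class_property_set_description() call for each would document what the hole start and end values mean at no extra churn.
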
@@ -224,22 +240,6 @@ static void q35_host_initfn(Object *obj)
 qdev_prop_set_int32(DEVICE(&s->mch), "addr", PCI_DEVFN(0, 0));
 qdev_prop_set_bit(DEVICE(&s->mch), "multifunction", false);
 
-object_property_add(obj, PCI_HOST_PROP_PCI_HOLE_START, "uint32",
-q35_host_get_pci_hole_start,
-NULL, NULL, NULL);
-
-object_property_add(obj, PCI_HOST_PROP_PCI_HOLE_END, "uint32",
-q35_host_get_pci_hole_end,
-NULL, NULL, NULL);
-
-object_property_add(obj, PCI_HOST_PROP_PCI_HOLE64_START, "uint64",
-q35_host_get_pci_hole64_start,
-NULL, NULL, NULL);
-
-object_property_add(obj, PCI_HOST_PROP_PCI_HOLE64_END, "uint64",
-q35_host_get_pci_hole64_end,
-NULL, NULL, NULL);
-
 object_property_add_uint64_ptr(obj, PCIE_HOST_MCFG_SIZE,
&pehb->size, OBJ_PROP_FLAG_READ);
 
-- 
2.39.2




[PATCH v2 10/13] hw/pci-host/q35: Rename local variable to more idiomatic "phb"

2023-03-04 Thread Bernhard Beschow
Variables of type PCIHostState* are typically named "phb" in QEMU.
Follow this convention here as well for consistency.

Signed-off-by: Bernhard Beschow 
---
 hw/pci-host/q35.c | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
index afd192cc2a..cf9fb35064 100644
--- a/hw/pci-host/q35.c
+++ b/hw/pci-host/q35.c
@@ -46,21 +46,21 @@
 
 static void q35_host_realize(DeviceState *dev, Error **errp)
 {
-PCIHostState *pci = PCI_HOST_BRIDGE(dev);
 Q35PCIHost *s = Q35_HOST_DEVICE(dev);
+PCIHostState *phb = PCI_HOST_BRIDGE(dev);
 SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 
 memory_region_add_subregion(s->mch.address_space_io,
-MCH_HOST_BRIDGE_CONFIG_ADDR, &pci->conf_mem);
+MCH_HOST_BRIDGE_CONFIG_ADDR, &phb->conf_mem);
 sysbus_init_ioports(sbd, MCH_HOST_BRIDGE_CONFIG_ADDR, 4);
 
 memory_region_add_subregion(s->mch.address_space_io,
-MCH_HOST_BRIDGE_CONFIG_DATA, &pci->data_mem);
+MCH_HOST_BRIDGE_CONFIG_DATA, &phb->data_mem);
 sysbus_init_ioports(sbd, MCH_HOST_BRIDGE_CONFIG_DATA, 4);
 
 /* register q35 0xcf8 port as coalesced pio */
-memory_region_set_flush_coalesced(&pci->data_mem);
-memory_region_add_coalescing(&pci->conf_mem, 0, 4);
+memory_region_set_flush_coalesced(&phb->data_mem);
+memory_region_add_coalescing(&phb->conf_mem, 0, 4);
 
 /*
  * pci hole goes from end-of-low-ram to io-apic.
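
Review bot: besides the rename, the declaration is moved from above `Q35PCIHost *s` to below it, which the commit message does not mention. Keep the declaration in place so the hunk is a pure rename, or note the reordering in the message.
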
@@ -69,12 +69,12 @@ static void q35_host_realize(DeviceState *dev, Error **errp)
 range_set_bounds(&s->pci_hole, s->mch.below_4g_mem_size,
  IO_APIC_DEFAULT_ADDRESS - 1);
 
-pci->bus = pci_root_bus_new(DEVICE(s), "pcie.0",
+phb->bus = pci_root_bus_new(DEVICE(s), "pcie.0",
 s->mch.pci_address_space,
 s->mch.address_space_io,
 0, TYPE_PCIE_BUS);
 
-qdev_realize(DEVICE(&s->mch), BUS(pci->bus), &error_fatal);
+qdev_realize(DEVICE(&s->mch), BUS(phb->bus), &error_fatal);
 }
 
 static const char *q35_host_root_bus_path(PCIHostState *host_bridge,
-- 
2.39.2




[PATCH v2 08/13] hw/pci-host/q35: Initialize PCI hole boundaries just once

2023-03-04 Thread Bernhard Beschow
The boundaries of the PCI hole depend on a property only which doesn't
change at runtime. There is no need to reevaluate the boundaries
whenever the PCI configuration space changes.

While at it, move the pci_hole attribute into the host device since it
is only used there.

Signed-off-by: Bernhard Beschow 
---
 include/hw/pci-host/q35.h |  2 +-
 hw/pci-host/q35.c | 21 +
 2 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/include/hw/pci-host/q35.h b/include/hw/pci-host/q35.h
index 93e41ffbee..a04d5f1a17 100644
--- a/include/hw/pci-host/q35.h
+++ b/include/hw/pci-host/q35.h
@@ -51,7 +51,6 @@ struct MCHPCIState {
 MemoryRegion tseg_blackhole, tseg_window;
 MemoryRegion smbase_blackhole, smbase_window;
 bool has_smram_at_smbase;
-Range pci_hole;
 uint64_t below_4g_mem_size;
 uint64_t above_4g_mem_size;
 uint16_t ext_tseg_mbytes;
@@ -62,6 +61,7 @@ struct Q35PCIHost {
 PCIExpressHost parent_obj;
 /*< public >*/
 
+Range pci_hole;
 uint64_t pci_hole64_size;
 uint32_t short_root_bus;
 bool pci_hole64_fix;
diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
index f20e092516..23df52a256 100644
--- a/hw/pci-host/q35.c
+++ b/hw/pci-host/q35.c
@@ -62,6 +62,13 @@ static void q35_host_realize(DeviceState *dev, Error **errp)
 memory_region_set_flush_coalesced(&pci->data_mem);
 memory_region_add_coalescing(&pci->conf_mem, 0, 4);
 
+/*
+ * pci hole goes from end-of-low-ram to io-apic.
+ * mmconfig will be excluded by the dsdt builder.
+ */
+range_set_bounds(&s->pci_hole, s->mch.below_4g_mem_size,
+ IO_APIC_DEFAULT_ADDRESS - 1);
+
 pci->bus = pci_root_bus_new(DEVICE(s), "pcie.0",
 s->mch.pci_address_space,
 s->mch.address_space_io,
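
Review bot: range_set_bounds() now runs once in q35_host_realize() and reads s->mch.below_4g_mem_size, so the result is only correct if the board has set that property before realize. The commit message says the boundaries depend on a property that does not change at runtime; a comment here stating that the property must already be set, next to the moved "pci hole goes from ..." comment, would record that ordering requirement in the code.
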
@@ -90,8 +97,7 @@ static void q35_host_get_pci_hole_start(Object *obj, Visitor 
*v,
 uint64_t val64;
 uint32_t value;
 
-val64 = range_is_empty(&s->mch.pci_hole)
-? 0 : range_lob(&s->mch.pci_hole);
+val64 = range_is_empty(&s->pci_hole) ? 0 : range_lob(&s->pci_hole);
 value = val64;
 assert(value == val64);
 visit_type_uint32(v, name, &value, errp);
@@ -105,8 +111,7 @@ static void q35_host_get_pci_hole_end(Object *obj, Visitor 
*v,
 uint64_t val64;
 uint32_t value;
 
-val64 = range_is_empty(&s->mch.pci_hole)
-? 0 : range_upb(&s->mch.pci_hole) + 1;
+val64 = range_is_empty(&s->pci_hole) ? 0 : range_upb(&s->pci_hole) + 1;
 value = val64;
 assert(value == val64);
 visit_type_uint32(v, name, &value, errp);
@@ -506,14 +511,6 @@ static void mch_update(MCHPCIState *mch)
 mch_update_smram(mch);
 mch_update_ext_tseg_mbytes(mch);
 mch_update_smbase_smram(mch);
-
-/*
- * pci hole goes from end-of-low-ram to io-apic.
- * mmconfig will be excluded by the dsdt builder.
- */
-range_set_bounds(&mch->pci_hole,
- mch->below_4g_mem_size,
- IO_APIC_DEFAULT_ADDRESS - 1);
 }
 
 static int mch_post_load(void *opaque, int version_id)
-- 
2.39.2




[PATCH v2 04/13] hw/pci-host/q35: Initialize PCMachineState::bus in board code

2023-03-04 Thread Bernhard Beschow
The Q35 PCI host currently sets the PC machine's PCI bus attribute
through global state, thereby assuming the machine to be a PC machine.
The Q35 machine code already holds on to Q35's pci bus attribute, so can
easily set its own property while preserving encapsulation.

Signed-off-by: Bernhard Beschow 
---
 hw/i386/pc_q35.c  | 4 +++-
 hw/pci-host/q35.c | 1 -
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index 68097bea55..42e79433a5 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -231,10 +231,12 @@ static void pc_q35_init(MachineState *machine)
 x86ms->below_4g_mem_size, NULL);
 object_property_set_int(phb, PCI_HOST_ABOVE_4G_MEM_SIZE,
 x86ms->above_4g_mem_size, NULL);
+sysbus_realize_and_unref(SYS_BUS_DEVICE(phb), &error_fatal);
 
 /* pci */
-sysbus_realize_and_unref(SYS_BUS_DEVICE(phb), &error_fatal);
 host_bus = PCI_BUS(qdev_get_child_bus(DEVICE(phb), "pcie.0"));
+pcms->bus = host_bus;
+
 /* create ISA bus */
 lpc = pci_new_multifunction(PCI_DEVFN(ICH9_LPC_DEV, ICH9_LPC_FUNC), true,
 TYPE_ICH9_LPC_DEVICE);
diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
index 0497194983..9d21915a55 100644
--- a/hw/pci-host/q35.c
+++ b/hw/pci-host/q35.c
@@ -66,7 +66,6 @@ static void q35_host_realize(DeviceState *dev, Error **errp)
 s->mch.pci_address_space,
 s->mch.address_space_io,
 0, TYPE_PCIE_BUS);
-PC_MACHINE(qdev_get_machine())->bus = pci->bus;
 pci->bypass_iommu =
 PC_MACHINE(qdev_get_machine())->default_bus_bypass_iommu;
 qdev_realize(DEVICE(&s->mch), BUS(pci->bus), &error_fatal);
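
Review bot: after this removal q35_host_realize() still calls PC_MACHINE(qdev_get_machine()) on the following lines to read default_bus_bypass_iommu, so the dependency on the machine being a PC machine that the commit message describes is reduced, not gone. Say in the message that the remaining use is dealt with separately, so the patch does not appear to claim more than it does.
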
-- 
2.39.2




[PATCH v2 11/13] hw/pci-host/q35: Propagate to errp rather than doing error_fatal

2023-03-04 Thread Bernhard Beschow
q35_host_realize() has an errp parameter. Use that to be able to
propagate the error instead of terminating abruptly.

Signed-off-by: Bernhard Beschow 
---
 hw/pci-host/q35.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
index cf9fb35064..39d70b9f59 100644
--- a/hw/pci-host/q35.c
+++ b/hw/pci-host/q35.c
@@ -46,6 +46,7 @@
 
 static void q35_host_realize(DeviceState *dev, Error **errp)
 {
+ERRP_GUARD();
 Q35PCIHost *s = Q35_HOST_DEVICE(dev);
 PCIHostState *phb = PCI_HOST_BRIDGE(dev);
 SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
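
Review bot: ERRP_GUARD() is added although nothing in the visible change dereferences errp or calls error_prepend() or error_append_hint(); errp is only passed through to qdev_realize() as the final statement. If the guard is there for a later patch in the series, add it in that patch, otherwise drop it.
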
@@ -74,7 +75,7 @@ static void q35_host_realize(DeviceState *dev, Error **errp)
 s->mch.address_space_io,
 0, TYPE_PCIE_BUS);
 
-qdev_realize(DEVICE(&s->mch), BUS(phb->bus), &error_fatal);
+qdev_realize(DEVICE(&s->mch), BUS(phb->bus), errp);
 }
 
 static const char *q35_host_root_bus_path(PCIHostState *host_bridge,
-- 
2.39.2




[PATCH v2 01/13] hw/i386/pc_q35: Resolve redundant q35_host variable

2023-03-04 Thread Bernhard Beschow
The variable is redundant to "phb" and is never used by its real type.

Signed-off-by: Bernhard Beschow 
Reviewed-by: Thomas Huth 
---
 hw/i386/pc_q35.c | 29 ++---
 1 file changed, 14 insertions(+), 15 deletions(-)

diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index 5a1e4976ce..68097bea55 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -119,8 +119,7 @@ static void pc_q35_init(MachineState *machine)
 PCMachineState *pcms = PC_MACHINE(machine);
 PCMachineClass *pcmc = PC_MACHINE_GET_CLASS(pcms);
 X86MachineState *x86ms = X86_MACHINE(machine);
-Q35PCIHost *q35_host;
-PCIHostState *phb;
+Object *phb;
 PCIBus *host_bus;
 PCIDevice *lpc;
 DeviceState *lpc_dev;
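
Review bot: `Object *phb;` reuses a name that normally denotes a PCIHostState pointer for a plain Object pointer. Since the variable is no longer used by its real type, a neutral name would avoid readers assuming they can dereference it as a host bridge; alternatively keep the PCIHostState type and cast with OBJECT() where needed.
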
@@ -206,10 +205,10 @@ static void pc_q35_init(MachineState *machine)
 }
 
 /* create pci host bus */
-q35_host = Q35_HOST_DEVICE(qdev_new(TYPE_Q35_HOST_DEVICE));
+phb = OBJECT(qdev_new(TYPE_Q35_HOST_DEVICE));
 
 if (pcmc->pci_enabled) {
-pci_hole64_size = object_property_get_uint(OBJECT(q35_host),
+pci_hole64_size = object_property_get_uint(phb,

PCI_HOST_PROP_PCI_HOLE64_SIZE,
&error_abort);
 }
@@ -217,25 +216,25 @@ static void pc_q35_init(MachineState *machine)
 /* allocate ram and load rom/bios */
 pc_memory_init(pcms, system_memory, rom_memory, pci_hole64_size);
 
-object_property_add_child(OBJECT(machine), "q35", OBJECT(q35_host));
-object_property_set_link(OBJECT(q35_host), MCH_HOST_PROP_RAM_MEM,
+object_property_add_child(OBJECT(machine), "q35", phb);
+object_property_set_link(phb, MCH_HOST_PROP_RAM_MEM,
  OBJECT(machine->ram), NULL);
-object_property_set_link(OBJECT(q35_host), MCH_HOST_PROP_SMRAM_MEM,
+object_property_set_link(phb, MCH_HOST_PROP_SMRAM_MEM,
  OBJECT(&x86ms->smram), NULL);
-object_property_set_link(OBJECT(q35_host), MCH_HOST_PROP_PCI_MEM,
+object_property_set_link(phb, MCH_HOST_PROP_PCI_MEM,
  OBJECT(pci_memory), NULL);
-object_property_set_link(OBJECT(q35_host), MCH_HOST_PROP_SYSTEM_MEM,
+object_property_set_link(phb, MCH_HOST_PROP_SYSTEM_MEM,
  OBJECT(system_memory), NULL);
-object_property_set_link(OBJECT(q35_host), MCH_HOST_PROP_IO_MEM,
+object_property_set_link(phb, MCH_HOST_PROP_IO_MEM,
  OBJECT(system_io), NULL);
-object_property_set_int(OBJECT(q35_host), PCI_HOST_BELOW_4G_MEM_SIZE,
+object_property_set_int(phb, PCI_HOST_BELOW_4G_MEM_SIZE,
 x86ms->below_4g_mem_size, NULL);
-object_property_set_int(OBJECT(q35_host), PCI_HOST_ABOVE_4G_MEM_SIZE,
+object_property_set_int(phb, PCI_HOST_ABOVE_4G_MEM_SIZE,
 x86ms->above_4g_mem_size, NULL);
+
 /* pci */
-sysbus_realize_and_unref(SYS_BUS_DEVICE(q35_host), &error_fatal);
-phb = PCI_HOST_BRIDGE(q35_host);
-host_bus = phb->bus;
+sysbus_realize_and_unref(SYS_BUS_DEVICE(phb), &error_fatal);
+host_bus = PCI_BUS(qdev_get_child_bus(DEVICE(phb), "pcie.0"));
 /* create ISA bus */
 lpc = pci_new_multifunction(PCI_DEVFN(ICH9_LPC_DEV, ICH9_LPC_FUNC), true,
 TYPE_ICH9_LPC_DEVICE);
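
Review bot: host_bus is now found with qdev_get_child_bus(DEVICE(phb), "pcie.0") instead of reading phb->bus, so the board code depends on a string literal that has to match the bus name chosen inside the host bridge, and the lookup result is not checked. A shared macro for the bus name, or an assert on the returned bus, would turn a future mismatch into an immediate failure.
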
-- 
2.39.2




[PATCH v2 00/13] Q35 PCI host fixes and QOM cleanup

2023-03-04 Thread Bernhard Beschow
This series mostly cleans up QOM-related initialization code. It also performs
some modernization and fixing.

The first patch originates from "PC and ICH9 cleanups" series [1] which has been
dropped in v3 in favor of another series [2]. Review comments in [2] suggest it
needs more work, so bring the patch back here.

Patch 2 fixes a clangd warning and patch 3 modernizes usage of the memory API.

Patches 4-9 clean up initialization code.

The last four patches also clean up initialization code with the last patch
doing the actual cleanup.

Testing done:
* `make check`
* `make check-avocado`
* `qemu-system-x86_64 -M q35 -m 2G -cdrom \
 manjaro-kde-21.3.2-220704-linux515.iso`

v2 (addresses Michael's comments):
- Patch "hw/pci-host/q35: Fix double, contradicting .endianness assignment"
  - Fix Fixes tag
  - Switch to native endian
  - Add clang warning
- Patch "Use memory_region_set_address() also for tseg_blackhole"
  - Rephrase commit message to avoid pseudo "Ammends" tag
- Introduce PCI_HOST_BYPASS_IOMMU macro to avoid duplicating the property name
- Patch "hw/pci-host/q35: Initialize properties just once"
  - Mention manual reassignment in commit message as the problem being fixed

Based-on: <20230213162004.2797-1-shen...@gmail.com>
 "[PATCH v4 0/9] PC cleanups"

[1] https://lore.kernel.org/qemu-devel/20230131115326.12454-1-shen...@gmail.com/
[2] https://lore.kernel.org/qemu-devel/20230203180914.49112-1-phi...@linaro.org/

Bernhard Beschow (13):
  hw/i386/pc_q35: Resolve redundant q35_host variable
  hw/pci-host/q35: Fix double, contradicting .endianness assignment
  hw/pci-host/q35: Use memory_region_set_address() also for
tseg_blackhole
  hw/pci-host/q35: Initialize PCMachineState::bus in board code
  hw/pci/pci_host: Introduce PCI_HOST_BYPASS_IOMMU macro
  hw/pci-host/q35: Initialize "bypass-iommu" property from board code
  hw/pci-host/q35: Initialize properties just once
  hw/pci-host/q35: Initialize PCI hole boundaries just once
  hw/pci-host/q35: Turn PCI hole properties into class properties
  hw/pci-host/q35: Rename local variable to more idiomatic "phb"
  hw/pci-host/q35: Propagate to errp rather than doing error_fatal
  hw/pci-host/q35: Merge mch_realize() into q35_host_realize()
  hw/pci-host/q35: Move MemoryRegion pointers to host device

 include/hw/pci-host/q35.h |  17 +-
 include/hw/pci/pci_host.h |   2 +
 hw/i386/pc_q35.c  |  33 ++--
 hw/pci-host/q35.c | 317 ++
 hw/pci/pci_host.c |   2 +-
 5 files changed, 181 insertions(+), 190 deletions(-)

-- 
2.39.2




[PATCH v2 12/13] hw/pci-host/q35: Merge mch_realize() into q35_host_realize()

2023-03-04 Thread Bernhard Beschow
This patch prepares movement of the MemoryRegion pointers (which are set
through properties) into the host state. Moreover, it's usually the
parent device which maps the memory regions of its child devices into
its address space. Do the same in q35.

Signed-off-by: Bernhard Beschow 
---
 hw/pci-host/q35.c | 209 ++
 1 file changed, 101 insertions(+), 108 deletions(-)

diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
index 39d70b9f59..1e0f5b4fbf 100644
--- a/hw/pci-host/q35.c
+++ b/hw/pci-host/q35.c
@@ -44,12 +44,40 @@
 
 #define Q35_PCI_HOST_HOLE64_SIZE_DEFAULT (1ULL << 35)
 
+static uint64_t blackhole_read(void *ptr, hwaddr reg, unsigned size)
+{
+return 0x;
+}
+
+static void blackhole_write(void *opaque, hwaddr addr, uint64_t val,
+unsigned width)
+{
+/* nothing */
+}
+
+static const MemoryRegionOps blackhole_ops = {
+.read = blackhole_read,
+.write = blackhole_write,
+.endianness = DEVICE_NATIVE_ENDIAN,
+.valid.min_access_size = 1,
+.valid.max_access_size = 4,
+.impl.min_access_size = 4,
+.impl.max_access_size = 4,
+};
+
 static void q35_host_realize(DeviceState *dev, Error **errp)
 {
 ERRP_GUARD();
 Q35PCIHost *s = Q35_HOST_DEVICE(dev);
 PCIHostState *phb = PCI_HOST_BRIDGE(dev);
 SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
+int i;
+
+if (s->mch.ext_tseg_mbytes > MCH_HOST_BRIDGE_EXT_TSEG_MBYTES_MAX) {
+error_setg(errp, "invalid extended-tseg-mbytes value: %" PRIu16,
+   s->mch.ext_tseg_mbytes);
+return;
+}
 
 memory_region_add_subregion(s->mch.address_space_io,
 MCH_HOST_BRIDGE_CONFIG_ADDR, &phb->conf_mem);
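
Review bot: this patch moves blackhole_ops and the body of mch_realize() and, in the same step, rewrites every `mch->` access to `s->mch.`, so the move cannot be verified mechanically against the deleted lines. Splitting it into a pure code move followed by the access-path change would make both halves easy to check. In the moved helpers, blackhole_read() names its first parameter `ptr` while blackhole_write() uses `opaque`; aligning them is cheap while the code is being touched.
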
@@ -70,6 +98,79 @@ static void q35_host_realize(DeviceState *dev, Error **errp)
 range_set_bounds(&s->pci_hole, s->mch.below_4g_mem_size,
  IO_APIC_DEFAULT_ADDRESS - 1);
 
+/* setup pci memory mapping */
+pc_pci_as_mapping_init(s->mch.system_memory, s->mch.pci_address_space);
+
+/* if *disabled* show SMRAM to all CPUs */
+memory_region_init_alias(&s->mch.smram_region, OBJECT(s), "smram-region",
+ s->mch.pci_address_space, 
MCH_HOST_BRIDGE_SMRAM_C_BASE,
+ MCH_HOST_BRIDGE_SMRAM_C_SIZE);
+memory_region_add_subregion_overlap(s->mch.system_memory, 
MCH_HOST_BRIDGE_SMRAM_C_BASE,
+&s->mch.smram_region, 1);
+memory_region_set_enabled(&s->mch.smram_region, true);
+
+memory_region_init_alias(&s->mch.open_high_smram, OBJECT(s), 
"smram-open-high",
+ s->mch.ram_memory, MCH_HOST_BRIDGE_SMRAM_C_BASE,
+ MCH_HOST_BRIDGE_SMRAM_C_SIZE);
+memory_region_add_subregion_overlap(s->mch.system_memory, 0xfeda,
+&s->mch.open_high_smram, 1);
+memory_region_set_enabled(&s->mch.open_high_smram, false);
+
+/* smram, as seen by SMM CPUs */
+memory_region_init_alias(&s->mch.low_smram, OBJECT(s), "smram-low",
+ s->mch.ram_memory, MCH_HOST_BRIDGE_SMRAM_C_BASE,
+ MCH_HOST_BRIDGE_SMRAM_C_SIZE);
+memory_region_set_enabled(&s->mch.low_smram, true);
+memory_region_add_subregion(s->mch.smram, MCH_HOST_BRIDGE_SMRAM_C_BASE,
+&s->mch.low_smram);
+memory_region_init_alias(&s->mch.high_smram, OBJECT(s), "smram-high",
+ s->mch.ram_memory, MCH_HOST_BRIDGE_SMRAM_C_BASE,
+ MCH_HOST_BRIDGE_SMRAM_C_SIZE);
+memory_region_set_enabled(&s->mch.high_smram, true);
+memory_region_add_subregion(s->mch.smram, 0xfeda, &s->mch.high_smram);
+
+memory_region_init_io(&s->mch.tseg_blackhole, OBJECT(s),
+  &blackhole_ops, NULL, "tseg-blackhole", 0);
+memory_region_set_enabled(&s->mch.tseg_blackhole, false);
+memory_region_add_subregion_overlap(s->mch.system_memory,
+s->mch.below_4g_mem_size,
+&s->mch.tseg_blackhole, 1);
+
+memory_region_init_alias(&s->mch.tseg_window, OBJECT(s), "tseg-window",
+ s->mch.ram_memory, s->mch.below_4g_mem_size, 0);
+memory_region_set_enabled(&s->mch.tseg_window, false);
+memory_region_add_subregion(s->mch.smram, s->mch.below_4g_mem_size,
+&s->mch.tseg_window);
+
+/*
+ * This is not what hardware does, so it's QEMU specific hack.
+ * See commit message for details.
+ */
+memory_region_init_io(&s->mch.smbase_blackhole, OBJECT(s), &blackhole_ops,
+  NULL, "smbase-blackhole",
+  MCH_HOST_BRIDGE_SMBASE_SIZE);
+memory_region_set_enabled(&s->mch.smbase_blackhole, false);
+memory_region_add_subregion_overlap(s->mch.system_memory,
+   
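
Review bot: several added lines in this hunk, for example the memory_region_init_alias() and memory_region_add_subregion_overlap() calls that pass MCH_HOST_BRIDGE_SMRAM_C_BASE, run past the line-length limit once `mch->` becomes `s->mch.` and were wrapped by the mailer. Re-wrap the argument lists so the patch applies cleanly from the list and passes checkpatch.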

[PATCH v2 03/13] hw/pci-host/q35: Use memory_region_set_address() also for tseg_blackhole

2023-03-04 Thread Bernhard Beschow
Commit bafc90bdc594 ("q35: implement TSEG") uses
memory_region_set_address() for updating the address of mch->tseg_window
but uses memory_region_del_subregion() and
memory_region_add_subregion_overlap() for doing the same on
mch->tseg_blackhole. The latter seems to be the old, cumbersome
way of changing a memory region's address. So make the code more
comprehensible by modernizing it.

Signed-off-by: Bernhard Beschow 
---
 hw/pci-host/q35.c | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
index 40bfe99910..0497194983 100644
--- a/hw/pci-host/q35.c
+++ b/hw/pci-host/q35.c
@@ -404,12 +404,11 @@ static void mch_update_smram(MCHPCIState *mch)
 } else {
 tseg_size = 0;
 }
-memory_region_del_subregion(mch->system_memory, &mch->tseg_blackhole);
+
 memory_region_set_enabled(&mch->tseg_blackhole, tseg_size);
 memory_region_set_size(&mch->tseg_blackhole, tseg_size);
-memory_region_add_subregion_overlap(mch->system_memory,
-mch->below_4g_mem_size - tseg_size,
-&mch->tseg_blackhole, 1);
+memory_region_set_address(&mch->tseg_blackhole,
+  mch->below_4g_mem_size - tseg_size);
 
 memory_region_set_enabled(&mch->tseg_window, tseg_size);
 memory_region_set_size(&mch->tseg_window, tseg_size);
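
Review bot: the removed memory_region_add_subregion_overlap() call passed priority 1 on every update, while memory_region_set_address() takes no priority argument, so the new code relies on tseg_blackhole already being mapped with that priority before mch_update_smram() runs. State in the commit message where that initial mapping happens, so the equivalence of the two forms is clear to the reader.
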
-- 
2.39.2




[PATCH v2 02/13] hw/pci-host/q35: Fix double, contradicting .endianness assignment

2023-03-04 Thread Bernhard Beschow
Fixes the following clangd warning (-Winitializer-overrides):

  q35.c:297:19: Initializer overrides prior initialization of this subobject
  q35.c:292:19: previous initialization is here

Settle on native endian which causes the least overhead.

Fixes: bafc90bdc594 ("q35: implement TSEG")
Signed-off-by: Bernhard Beschow 
---
 hw/pci-host/q35.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
index 83f2a98c71..40bfe99910 100644
--- a/hw/pci-host/q35.c
+++ b/hw/pci-host/q35.c
@@ -294,7 +294,6 @@ static const MemoryRegionOps blackhole_ops = {
 .valid.max_access_size = 4,
 .impl.min_access_size = 4,
 .impl.max_access_size = 4,
-.endianness = DEVICE_LITTLE_ENDIAN,
 };
 
 /* PCIe MMCFG */
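
Review bot: the line removed here is the later of the two initializers named in the warning (q35.c:297 overriding q35.c:292), and in C the later designated initializer is the one that takes effect. The ops were therefore effectively little endian until now, and this patch changes the effective setting rather than only silencing the warning. The commit message should say so explicitly and give the reason the change is safe for this region, beyond "least overhead".
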
-- 
2.39.2




[PATCH v2 13/13] hw/pci-host/q35: Move MemoryRegion pointers to host device

2023-03-04 Thread Bernhard Beschow
The pointers are set through the host device's properties and are only
used during its realization phase.

Signed-off-by: Bernhard Beschow 
---
 include/hw/pci-host/q35.h | 10 +++
 hw/pci-host/q35.c | 56 +++
 2 files changed, 33 insertions(+), 33 deletions(-)

diff --git a/include/hw/pci-host/q35.h b/include/hw/pci-host/q35.h
index a04d5f1a17..9b9ce48ca8 100644
--- a/include/hw/pci-host/q35.h
+++ b/include/hw/pci-host/q35.h
@@ -40,11 +40,6 @@ struct MCHPCIState {
 PCIDevice parent_obj;
 /*< public >*/
 
-MemoryRegion *ram_memory;
-MemoryRegion *pci_address_space;
-MemoryRegion *system_memory;
-MemoryRegion *address_space_io;
-MemoryRegion *smram;
 PAMMemoryRegion pam_regions[PAM_REGIONS_COUNT];
 MemoryRegion smram_region, open_high_smram;
 MemoryRegion low_smram, high_smram;
@@ -61,6 +56,11 @@ struct Q35PCIHost {
 PCIExpressHost parent_obj;
 /*< public >*/
 
+MemoryRegion *ram_memory;
+MemoryRegion *pci_address_space;
+MemoryRegion *system_memory;
+MemoryRegion *address_space_io;
+MemoryRegion *smram;
 Range pci_hole;
 uint64_t pci_hole64_size;
 uint32_t short_root_bus;
diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
index 1e0f5b4fbf..769bdffcc2 100644
--- a/hw/pci-host/q35.c
+++ b/hw/pci-host/q35.c
@@ -79,11 +79,11 @@ static void q35_host_realize(DeviceState *dev, Error **errp)
 return;
 }
 
-memory_region_add_subregion(s->mch.address_space_io,
+memory_region_add_subregion(s->address_space_io,
 MCH_HOST_BRIDGE_CONFIG_ADDR, &phb->conf_mem);
 sysbus_init_ioports(sbd, MCH_HOST_BRIDGE_CONFIG_ADDR, 4);
 
-memory_region_add_subregion(s->mch.address_space_io,
+memory_region_add_subregion(s->address_space_io,
 MCH_HOST_BRIDGE_CONFIG_DATA, &phb->data_mem);
 sysbus_init_ioports(sbd, MCH_HOST_BRIDGE_CONFIG_DATA, 4);
 
@@ -99,47 +99,47 @@ static void q35_host_realize(DeviceState *dev, Error **errp)
  IO_APIC_DEFAULT_ADDRESS - 1);
 
 /* setup pci memory mapping */
-pc_pci_as_mapping_init(s->mch.system_memory, s->mch.pci_address_space);
+pc_pci_as_mapping_init(s->system_memory, s->pci_address_space);
 
 /* if *disabled* show SMRAM to all CPUs */
 memory_region_init_alias(&s->mch.smram_region, OBJECT(s), "smram-region",
- s->mch.pci_address_space, 
MCH_HOST_BRIDGE_SMRAM_C_BASE,
+ s->pci_address_space, 
MCH_HOST_BRIDGE_SMRAM_C_BASE,
  MCH_HOST_BRIDGE_SMRAM_C_SIZE);
-memory_region_add_subregion_overlap(s->mch.system_memory, 
MCH_HOST_BRIDGE_SMRAM_C_BASE,
+memory_region_add_subregion_overlap(s->system_memory, 
MCH_HOST_BRIDGE_SMRAM_C_BASE,
 &s->mch.smram_region, 1);
 memory_region_set_enabled(&s->mch.smram_region, true);
 
 memory_region_init_alias(&s->mch.open_high_smram, OBJECT(s), 
"smram-open-high",
- s->mch.ram_memory, MCH_HOST_BRIDGE_SMRAM_C_BASE,
+ s->ram_memory, MCH_HOST_BRIDGE_SMRAM_C_BASE,
  MCH_HOST_BRIDGE_SMRAM_C_SIZE);
-memory_region_add_subregion_overlap(s->mch.system_memory, 0xfeda,
+memory_region_add_subregion_overlap(s->system_memory, 0xfeda,
 &s->mch.open_high_smram, 1);
 memory_region_set_enabled(&s->mch.open_high_smram, false);
 
 /* smram, as seen by SMM CPUs */
 memory_region_init_alias(&s->mch.low_smram, OBJECT(s), "smram-low",
- s->mch.ram_memory, MCH_HOST_BRIDGE_SMRAM_C_BASE,
+ s->ram_memory, MCH_HOST_BRIDGE_SMRAM_C_BASE,
  MCH_HOST_BRIDGE_SMRAM_C_SIZE);
 memory_region_set_enabled(&s->mch.low_smram, true);
-memory_region_add_subregion(s->mch.smram, MCH_HOST_BRIDGE_SMRAM_C_BASE,
+memory_region_add_subregion(s->smram, MCH_HOST_BRIDGE_SMRAM_C_BASE,
 &s->mch.low_smram);
 memory_region_init_alias(&s->mch.high_smram, OBJECT(s), "smram-high",
- s->mch.ram_memory, MCH_HOST_BRIDGE_SMRAM_C_BASE,
+ s->ram_memory, MCH_HOST_BRIDGE_SMRAM_C_BASE,
  MCH_HOST_BRIDGE_SMRAM_C_SIZE);
 memory_region_set_enabled(&s->mch.high_smram, true);
-memory_region_add_subregion(s->mch.smram, 0xfeda, &s->mch.high_smram);
+memory_region_add_subregion(s->smram, 0xfeda, &s->mch.high_smram);
 
 memory_region_init_io(&s->mch.tseg_blackhole, OBJECT(s),
   &blackhole_ops, NULL, "tseg-blackhole", 0);
 memory_region_set_enabled(&s->mch.tseg_blackhole, false);
-memory_region_add_subregion_overlap(s->mch.system_memory,
+memory_region_add_subregion_overlap(s->system_memory,
 s->mch
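
Review bot: the host's realize function now dereferences `s->system_memory`, `s->pci_address_space`, `s->ram_memory` and `s->smram` directly in this hunk, and nothing in the visible lines checks that board code actually set them. Since the commit message says these pointers arrive through properties, a board that forgets one gets a NULL dereference inside `memory_region_init_alias()` or `memory_region_add_subregion()` rather than a diagnosable failure. `q35_host_realize()` already takes `Error **errp`; consider an early check that reports the missing property through `errp` and returns.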

[PATCH v2 05/13] hw/pci/pci_host: Introduce PCI_HOST_BYPASS_IOMMU macro

2023-03-04 Thread Bernhard Beschow
Introduce a macro to avoid copy and pasting strings which can easily
cause typos.

Suggested-by: Michael S. Tsirkin
Signed-off-by: Bernhard Beschow 
---
 include/hw/pci/pci_host.h | 2 ++
 hw/pci/pci_host.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/include/hw/pci/pci_host.h b/include/hw/pci/pci_host.h
index c6f4eb4585..e52d8ec2cd 100644
--- a/include/hw/pci/pci_host.h
+++ b/include/hw/pci/pci_host.h
@@ -31,6 +31,8 @@
 #include "hw/sysbus.h"
 #include "qom/object.h"
 
+#define PCI_HOST_BYPASS_IOMMU "bypass-iommu"
+
 #define TYPE_PCI_HOST_BRIDGE "pci-host-bridge"
 OBJECT_DECLARE_TYPE(PCIHostState, PCIHostBridgeClass, PCI_HOST_BRIDGE)
 
diff --git a/hw/pci/pci_host.c b/hw/pci/pci_host.c
index dfd185bbb4..7af8afdcbe 100644
--- a/hw/pci/pci_host.c
+++ b/hw/pci/pci_host.c
@@ -232,7 +232,7 @@ const VMStateDescription vmstate_pcihost = {
 static Property pci_host_properties_common[] = {
 DEFINE_PROP_BOOL("x-config-reg-migration-enabled", PCIHostState,
  mig_enabled, true),
-DEFINE_PROP_BOOL("bypass-iommu", PCIHostState, bypass_iommu, false),
+DEFINE_PROP_BOOL(PCI_HOST_BYPASS_IOMMU, PCIHostState, bypass_iommu, false),
 DEFINE_PROP_END_OF_LIST(),
 };
 
-- 
2.39.2




[PATCH v2 06/13] hw/pci-host/q35: Initialize "bypass-iommu" property from board code

2023-03-04 Thread Bernhard Beschow
The Q35 PCI host already has a "bypass-iommu" property. However, the
host initializes this property itself by accessing global machine state,
thereby assuming it to be a PC machine. Avoid this by having board code
set this property.

Signed-off-by: Bernhard Beschow 
---
 hw/i386/pc_q35.c  | 2 ++
 hw/pci-host/q35.c | 3 +--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index 42e79433a5..d620d92214 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -231,6 +231,8 @@ static void pc_q35_init(MachineState *machine)
 x86ms->below_4g_mem_size, NULL);
 object_property_set_int(phb, PCI_HOST_ABOVE_4G_MEM_SIZE,
 x86ms->above_4g_mem_size, NULL);
+object_property_set_bool(phb, PCI_HOST_BYPASS_IOMMU,
+ pcms->default_bus_bypass_iommu, NULL);
 sysbus_realize_and_unref(SYS_BUS_DEVICE(phb), &error_fatal);
 
 /* pci */
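
Review bot: the new `object_property_set_bool(phb, PCI_HOST_BYPASS_IOMMU, ...)` call passes `NULL` as its error pointer, so a failure to set the property is silently ignored and the host bridge is realized with `bypass_iommu` left at its default, which may not match the machine's `default_bus_bypass_iommu`. The neighbouring `object_property_set_int()` calls do the same, but the `sysbus_realize_and_unref()` call on the next line already uses `&error_fatal`; passing `&error_abort` or `&error_fatal` here would make a mismatch fail loudly instead of leaving the IOMMU setting quietly different from what the machine asked for.
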
diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
index 9d21915a55..f070842312 100644
--- a/hw/pci-host/q35.c
+++ b/hw/pci-host/q35.c
@@ -66,8 +66,7 @@ static void q35_host_realize(DeviceState *dev, Error **errp)
 s->mch.pci_address_space,
 s->mch.address_space_io,
 0, TYPE_PCIE_BUS);
-pci->bypass_iommu =
-PC_MACHINE(qdev_get_machine())->default_bus_bypass_iommu;
+
 qdev_realize(DEVICE(&s->mch), BUS(pci->bus), &error_fatal);
 }
 
-- 
2.39.2




[PATCH v2 07/13] hw/pci-host/q35: Initialize properties just once

2023-03-04 Thread Bernhard Beschow
Although not used there, the attributes for Q35's "pci-hole64-size" and
"short_root_bus" properties currently reside in its child device. This
causes the default values to be overwritten during the child's
object_initialize() phase, requiring the host to re-assign the default
values manually again. Avoid this by moving both attributes into the
host device.

Signed-off-by: Bernhard Beschow 
---
 include/hw/pci-host/q35.h |  5 +++--
 hw/pci-host/q35.c | 12 +---
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/include/hw/pci-host/q35.h b/include/hw/pci-host/q35.h
index fcbe57b42d..93e41ffbee 100644
--- a/include/hw/pci-host/q35.h
+++ b/include/hw/pci-host/q35.h
@@ -54,8 +54,6 @@ struct MCHPCIState {
 Range pci_hole;
 uint64_t below_4g_mem_size;
 uint64_t above_4g_mem_size;
-uint64_t pci_hole64_size;
-uint32_t short_root_bus;
 uint16_t ext_tseg_mbytes;
 };
 
@@ -64,7 +62,10 @@ struct Q35PCIHost {
 PCIExpressHost parent_obj;
 /*< public >*/
 
+uint64_t pci_hole64_size;
+uint32_t short_root_bus;
 bool pci_hole64_fix;
+
 MCHPCIState mch;
 };
 
diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
index f070842312..f20e092516 100644
--- a/hw/pci-host/q35.c
+++ b/hw/pci-host/q35.c
@@ -76,7 +76,7 @@ static const char *q35_host_root_bus_path(PCIHostState 
*host_bridge,
 Q35PCIHost *s = Q35_HOST_DEVICE(host_bridge);
 
  /* For backwards compat with old device paths */
-if (s->mch.short_root_bus) {
+if (s->short_root_bus) {
 return "";
 }
 return ":00";
@@ -161,7 +161,7 @@ static void q35_host_get_pci_hole64_end(Object *obj, 
Visitor *v,
 
 pci_bus_get_w64_range(h->bus, &w64);
 value = range_is_empty(&w64) ? 0 : range_upb(&w64) + 1;
-hole64_end = ROUND_UP(hole64_start + s->mch.pci_hole64_size, 1ULL << 30);
+hole64_end = ROUND_UP(hole64_start + s->pci_hole64_size, 1ULL << 30);
 if (s->pci_hole64_fix && value < hole64_end) {
 value = hole64_end;
 }
@@ -180,8 +180,8 @@ static Property q35_host_props[] = {
 DEFINE_PROP_UINT64(PCIE_HOST_MCFG_BASE, Q35PCIHost, parent_obj.base_addr,
 MCH_HOST_BRIDGE_PCIEXBAR_DEFAULT),
 DEFINE_PROP_SIZE(PCI_HOST_PROP_PCI_HOLE64_SIZE, Q35PCIHost,
- mch.pci_hole64_size, Q35_PCI_HOST_HOLE64_SIZE_DEFAULT),
-DEFINE_PROP_UINT32("short_root_bus", Q35PCIHost, mch.short_root_bus, 0),
+ pci_hole64_size, Q35_PCI_HOST_HOLE64_SIZE_DEFAULT),
+DEFINE_PROP_UINT32("short_root_bus", Q35PCIHost, short_root_bus, 0),
 DEFINE_PROP_SIZE(PCI_HOST_BELOW_4G_MEM_SIZE, Q35PCIHost,
  mch.below_4g_mem_size, 0),
 DEFINE_PROP_SIZE(PCI_HOST_ABOVE_4G_MEM_SIZE, Q35PCIHost,
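
Review bot: the `PCI_HOST_BELOW_4G_MEM_SIZE` entry in `q35_host_props[]` still targets `mch.below_4g_mem_size`, and `above_4g_mem_size` likewise stays in `MCHPCIState` per the q35.h hunk, so both keep the pattern the commit message describes, where a host property is backed by storage that the child's `object_initialize()` resets. That is invisible today only because their default is 0. Either move them in this patch as well or say in the commit message why they stay, so that a later non-zero default does not bring back the manual re-assignment this patch deletes from `q35_host_initfn()`.
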
@@ -218,9 +218,7 @@ static void q35_host_initfn(Object *obj)
 object_initialize_child(OBJECT(s), "mch", &s->mch, TYPE_MCH_PCI_DEVICE);
 qdev_prop_set_int32(DEVICE(&s->mch), "addr", PCI_DEVFN(0, 0));
 qdev_prop_set_bit(DEVICE(&s->mch), "multifunction", false);
-/* mch's object_initialize resets the default value, set it again */
-qdev_prop_set_uint64(DEVICE(s), PCI_HOST_PROP_PCI_HOLE64_SIZE,
- Q35_PCI_HOST_HOLE64_SIZE_DEFAULT);
+
 object_property_add(obj, PCI_HOST_PROP_PCI_HOLE_START, "uint32",
 q35_host_get_pci_hole_start,
 NULL, NULL, NULL);
-- 
2.39.2




Re: [PATCH] tests/qtest/migration-test: Disable migration/multifd/tcp/plain/cancel

2023-03-04 Thread Peter Maydell
On Thu, 2 Mar 2023 at 17:22, Peter Maydell  wrote:
>
> migration-test has been flaky for a long time, both in CI and
> otherwise:
>


> In the cases where I've looked at the underlying log, this seems to
> be in the migration/multifd/tcp/plain/cancel subtest.  Disable that
> specific subtest by default until somebody can track down the
> underlying cause. Enthusiasts can opt back in by setting
> QEMU_TEST_FLAKY_TESTS=1 in their environment.

So I'm going to apply this, because hopefully it will improve
the reliability a bit, but it's clearly not all of the
issues with migration-test, because in the course of the
run I was doing to test it before applying it I got this
error from the OpenBSD VM:

 32/646 qemu:qtest+qtest-aarch64 / qtest-aarch64/migration-test
   ERROR  134.73s   killed by signal 6 SIGABRT
― ✀  ―
stderr:
qemu-system-aarch64: multifd_send_sync_main: channel 15 has already quit
qemu-system-aarch64: failed to save SaveStateEntry with id(name): 2(ram): -1
qemu-system-aarch64: Failed to connect to '127.0.0.1:19581': Address
already in use
query-migrate shows failed migration: Failed to connect to
'127.0.0.1:19581': Address already in use
**
ERROR:../src/tests/qtest/migration-helpers.c:151:migrate_query_not_failed:
assertion failed: (!g_str_equal(status, "failed"))

(test program exited with status code -6)

thanks
-- PMM



Re: [PULL 0/5] ppc queue

2023-03-04 Thread Peter Maydell
On Fri, 3 Mar 2023 at 21:28, Daniel Henrique Barboza
 wrote:
>
> The following changes since commit 66577e9e1caee48c6ebc1a2161b5d9857fcde8b3:
>
>   Merge tag 'for_upstream' of 
> https://git.kernel.org/pub/scm/virt/kvm/mst/qemu into staging (2023-03-03 
> 13:35:54 +)
>
> are available in the Git repository at:
>
>   https://gitlab.com/danielhb/qemu.git tags/pull-ppc-20230303
>
> for you to fetch changes up to ddf0676f1ade90026483a91823d86db4096a40ef:
>
>   pnv_phb4_pec: Simplify/align code to parent user-created PHBs (2023-03-03 
> 16:50:17 -0300)
>
> 
> ppc patch queue for 2023-03-03:
>
> This queue includes a stub implementation for the dcblc instruction to
> avoid an illegal instruction exception when using u-boot with mpc85xx.
> It also includes a PHB fix with user-created pnv-phb devices and
> Skiboot.
>


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/8.0
for any user-visible changes.

-- PMM



Re: [PATCH] configure: Disable thread-safety warnings on macOS

2023-03-04 Thread Peter Maydell
On Wed, 1 Mar 2023 at 13:33, Kevin Wolf  wrote:
>
> Am 01.03.2023 um 12:34 hat Thomas Huth geschrieben:
> > The enablement of -Wthread-safety broke compilation on macOS (if
> > -Werror is enabled, like in our CI). Disable it there by default
> > until the problems are resolved.
> >
> > Signed-off-by: Thomas Huth 
>
> This is simpler than what I attempted (test compiling something using
> the same TSA features as the failing code), but didn't actually work.
> Since I don't have access to macOS, it's hard for me to improve the
> configure test. So I'm fine with just doing this instead.
>
> Acked-by: Kevin Wolf 

I've applied this to master because it fixes the CI job, but
we should probably look more closely at what's going on,
because it seems plausible to me that it's something that we could
hit on Linux too with either a newer or older version of clang.

thanks
-- PMM



[PATCH v3 10/20] target/mips: Fix trans_mult_acc return

2023-03-04 Thread Richard Henderson
Success from trans_* subroutines should be true.

Fixes: 5fa38eedbd ("target/mips: Convert Vr54xx MACC* opcodes to decodetree")
Reviewed-by: Philippe Mathieu-Daudé 
Signed-off-by: Richard Henderson 
---
 target/mips/tcg/vr54xx_translate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/mips/tcg/vr54xx_translate.c 
b/target/mips/tcg/vr54xx_translate.c
index 3e2c98f2c6..a7d241e4e7 100644
--- a/target/mips/tcg/vr54xx_translate.c
+++ b/target/mips/tcg/vr54xx_translate.c
@@ -53,7 +53,7 @@ static bool trans_mult_acc(DisasContext *ctx, arg_r *a,
 tcg_temp_free(t0);
 tcg_temp_free(t1);
 
-return false;
+return true;
 }
 
 TRANS(MACC, trans_mult_acc, gen_helper_macc);
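
Review bot: the commit message should say what the old `return false` caused at run time, because this is a functional fix and not a cleanup. By the time `trans_mult_acc()` reaches this return it has already finished with `t0` and `t1`, so reporting failure to the caller means the instruction was translated and then still treated as not handled. One sentence on the guest-visible symptom would help anyone deciding whether the fix for the commit named in `Fixes:` needs backporting.
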
-- 
2.34.1




[PATCH v3 20/20] tcg: Create tcg/tcg-temp-internal.h

2023-03-04 Thread Richard Henderson
Move the tcg_temp_free_* and tcg_temp_ebb_new_* declarations
and inlines to the new header.  These are private to the
implementation, and will prevent tcg_temp_free_* from creeping
back into the guest front ends.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
---
 include/tcg/tcg-temp-internal.h | 83 +
 include/tcg/tcg.h   | 54 -
 accel/tcg/plugin-gen.c  |  1 +
 tcg/tcg-op-gvec.c   |  1 +
 tcg/tcg-op-vec.c|  1 +
 tcg/tcg-op.c|  1 +
 tcg/tcg.c   |  1 +
 7 files changed, 88 insertions(+), 54 deletions(-)
 create mode 100644 include/tcg/tcg-temp-internal.h

diff --git a/include/tcg/tcg-temp-internal.h b/include/tcg/tcg-temp-internal.h
new file mode 100644
index 00..dded2917e5
--- /dev/null
+++ b/include/tcg/tcg-temp-internal.h
@@ -0,0 +1,83 @@
+/*
+ * TCG internals related to TCG temp allocation
+ *
+ * Copyright (c) 2008 Fabrice Bellard
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to 
deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#ifndef TCG_TEMP_INTERNAL_H
+#define TCG_TEMP_INTERNAL_H
+
+/*
+ * Allocation and freeing of EBB temps is reserved to TCG internals
+ */
+
+void tcg_temp_free_internal(TCGTemp *);
+
+static inline void tcg_temp_free_i32(TCGv_i32 arg)
+{
+tcg_temp_free_internal(tcgv_i32_temp(arg));
+}
+
+static inline void tcg_temp_free_i64(TCGv_i64 arg)
+{
+tcg_temp_free_internal(tcgv_i64_temp(arg));
+}
+
+static inline void tcg_temp_free_i128(TCGv_i128 arg)
+{
+tcg_temp_free_internal(tcgv_i128_temp(arg));
+}
+
+static inline void tcg_temp_free_ptr(TCGv_ptr arg)
+{
+tcg_temp_free_internal(tcgv_ptr_temp(arg));
+}
+
+static inline void tcg_temp_free_vec(TCGv_vec arg)
+{
+tcg_temp_free_internal(tcgv_vec_temp(arg));
+}
+
+static inline TCGv_i32 tcg_temp_ebb_new_i32(void)
+{
+TCGTemp *t = tcg_temp_new_internal(TCG_TYPE_I32, TEMP_EBB);
+return temp_tcgv_i32(t);
+}
+
+static inline TCGv_i64 tcg_temp_ebb_new_i64(void)
+{
+TCGTemp *t = tcg_temp_new_internal(TCG_TYPE_I64, TEMP_EBB);
+return temp_tcgv_i64(t);
+}
+
+static inline TCGv_i128 tcg_temp_ebb_new_i128(void)
+{
+TCGTemp *t = tcg_temp_new_internal(TCG_TYPE_I128, TEMP_EBB);
+return temp_tcgv_i128(t);
+}
+
+static inline TCGv_ptr tcg_temp_ebb_new_ptr(void)
+{
+TCGTemp *t = tcg_temp_new_internal(TCG_TYPE_PTR, TEMP_EBB);
+return temp_tcgv_ptr(t);
+}
+
+#endif /* TCG_TEMP_FREE_H */
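
Review bot: the closing comment of the include guard reads `TCG_TEMP_FREE_H`, but the guard opened above is `TCG_TEMP_INTERNAL_H`; please make the `#endif` comment match. The new header also uses `TCGTemp`, `TCGv_i32`, `TCG_TYPE_I32`, `TEMP_EBB` and `tcg_temp_new_internal()` without including anything itself, so it only compiles when `tcg/tcg.h` has been included first. Either include that header here or document the ordering requirement at the top of the file.
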
diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h
index e8f73115ec..43ce4bfa7d 100644
--- a/include/tcg/tcg.h
+++ b/include/tcg/tcg.h
@@ -855,35 +855,9 @@ void tcg_set_frame(TCGContext *s, TCGReg reg, intptr_t 
start, intptr_t size);
 TCGTemp *tcg_global_mem_new_internal(TCGType, TCGv_ptr,
  intptr_t, const char *);
 TCGTemp *tcg_temp_new_internal(TCGType, TCGTempKind);
-void tcg_temp_free_internal(TCGTemp *);
 TCGv_vec tcg_temp_new_vec(TCGType type);
 TCGv_vec tcg_temp_new_vec_matching(TCGv_vec match);
 
-static inline void tcg_temp_free_i32(TCGv_i32 arg)
-{
-tcg_temp_free_internal(tcgv_i32_temp(arg));
-}
-
-static inline void tcg_temp_free_i64(TCGv_i64 arg)
-{
-tcg_temp_free_internal(tcgv_i64_temp(arg));
-}
-
-static inline void tcg_temp_free_i128(TCGv_i128 arg)
-{
-tcg_temp_free_internal(tcgv_i128_temp(arg));
-}
-
-static inline void tcg_temp_free_ptr(TCGv_ptr arg)
-{
-tcg_temp_free_internal(tcgv_ptr_temp(arg));
-}
-
-static inline void tcg_temp_free_vec(TCGv_vec arg)
-{
-tcg_temp_free_internal(tcgv_vec_temp(arg));
-}
-
 static inline TCGv_i32 tcg_global_mem_new_i32(TCGv_ptr reg, intptr_t offset,
   const char *name)
 {
@@ -891,13 +865,6 @@ static inline TCGv_i32 tcg_global_mem_new_i32(TCGv_ptr 
reg, intptr_t offset,
 return temp_tcgv_i32(t);
 }
 
-/* Used only by tcg infrastructure: tcg-op.c or plugin-gen.c */
-static inline TCGv_i32 tcg_temp_ebb_new_i32(void)
-{
-TCGTe

[PATCH v3 04/20] target/mips: Drop tcg_temp_free from msa_translate.c

2023-03-04 Thread Richard Henderson
Translators are no longer required to free tcg temporaries.

Signed-off-by: Richard Henderson 
---
Cc: Philippe Mathieu-Daudé 
Cc: Aurelien Jarno 
Cc: Jiaxun Yang 
Cc: Aleksandar Rikalo 
---
 target/mips/tcg/msa_translate.c | 9 -
 1 file changed, 9 deletions(-)

diff --git a/target/mips/tcg/msa_translate.c b/target/mips/tcg/msa_translate.c
index 1bcdbb1121..220cd3b048 100644
--- a/target/mips/tcg/msa_translate.c
+++ b/target/mips/tcg/msa_translate.c
@@ -217,8 +217,6 @@ static void gen_check_zero_element(TCGv tresult, uint8_t 
df, uint8_t wt,
 /* if some bit is non-zero then some element is zero */
 tcg_gen_setcondi_i64(cond, t0, t0, 0);
 tcg_gen_trunc_i64_tl(tresult, t0);
-tcg_temp_free_i64(t0);
-tcg_temp_free_i64(t1);
 }
 
 static bool gen_msa_BxZ_V(DisasContext *ctx, int wt, int sa, TCGCond cond)
@@ -237,7 +235,6 @@ static bool gen_msa_BxZ_V(DisasContext *ctx, int wt, int 
sa, TCGCond cond)
 tcg_gen_or_i64(t0, msa_wr_d[wt << 1], msa_wr_d[(wt << 1) + 1]);
 tcg_gen_setcondi_i64(cond, t0, t0, 0);
 tcg_gen_trunc_i64_tl(bcond, t0);
-tcg_temp_free_i64(t0);
 
 ctx->btarget = ctx->base.pc_next + (sa << 2) + 4;
 
@@ -545,8 +542,6 @@ static bool trans_CTCMSA(DisasContext *ctx, arg_msa_elm *a)
 gen_load_gpr(telm, a->ws);
 gen_helper_msa_ctcmsa(cpu_env, telm, tcg_constant_i32(a->wd));
 
-tcg_temp_free(telm);
-
 return true;
 }
 
@@ -563,8 +558,6 @@ static bool trans_CFCMSA(DisasContext *ctx, arg_msa_elm *a)
 gen_helper_msa_cfcmsa(telm, cpu_env, tcg_constant_i32(a->ws));
 gen_store_gpr(telm, a->wd);
 
-tcg_temp_free(telm);
-
 return true;
 }
 
@@ -782,8 +775,6 @@ static bool trans_msa_ldst(DisasContext *ctx, arg_msa_i *a,
 gen_base_offset_addr(ctx, taddr, a->ws, a->sa << a->df);
 gen_msa_ldst(cpu_env, tcg_constant_i32(a->wd), taddr);
 
-tcg_temp_free(taddr);
-
 return true;
 }
 
-- 
2.34.1




[PATCH v3 12/20] target/mips: Drop tcg_temp_free from translate.c

2023-03-04 Thread Richard Henderson
Translators are no longer required to free tcg temporaries.

Signed-off-by: Richard Henderson 
---
Cc: Philippe Mathieu-Daudé 
Cc: Aurelien Jarno 
Cc: Jiaxun Yang 
Cc: Aleksandar Rikalo 
---
 target/mips/tcg/translate.c | 537 +---
 1 file changed, 14 insertions(+), 523 deletions(-)

diff --git a/target/mips/tcg/translate.c b/target/mips/tcg/translate.c
index 8cad3d15a0..0f27ca6149 100644
--- a/target/mips/tcg/translate.c
+++ b/target/mips/tcg/translate.c
@@ -1274,11 +1274,8 @@ static inline void gen_load_srsgpr(int from, int to)
 tcg_gen_add_ptr(addr, cpu_env, addr);
 
 tcg_gen_ld_tl(t0, addr, sizeof(target_ulong) * from);
-tcg_temp_free_ptr(addr);
-tcg_temp_free_i32(t2);
 }
 gen_store_gpr(t0, to);
-tcg_temp_free(t0);
 }
 
 static inline void gen_store_srsgpr(int from, int to)
@@ -1297,9 +1294,6 @@ static inline void gen_store_srsgpr(int from, int to)
 tcg_gen_add_ptr(addr, cpu_env, addr);
 
 tcg_gen_st_tl(t0, addr, sizeof(target_ulong) * to);
-tcg_temp_free_ptr(addr);
-tcg_temp_free_i32(t2);
-tcg_temp_free(t0);
 }
 }
 
@@ -1396,7 +1390,6 @@ void gen_store_fpr32(DisasContext *ctx, TCGv_i32 t, int 
reg)
 t64 = tcg_temp_new_i64();
 tcg_gen_extu_i32_i64(t64, t);
 tcg_gen_deposit_i64(fpu_f64[reg], fpu_f64[reg], t64, 0, 32);
-tcg_temp_free_i64(t64);
 }
 
 static void gen_load_fpr32h(DisasContext *ctx, TCGv_i32 t, int reg)
@@ -1414,7 +1407,6 @@ static void gen_store_fpr32h(DisasContext *ctx, TCGv_i32 
t, int reg)
 TCGv_i64 t64 = tcg_temp_new_i64();
 tcg_gen_extu_i32_i64(t64, t);
 tcg_gen_deposit_i64(fpu_f64[reg], fpu_f64[reg], t64, 32, 32);
-tcg_temp_free_i64(t64);
 } else {
 gen_store_fpr32(ctx, t, reg | 1);
 }
@@ -1439,7 +1431,6 @@ void gen_store_fpr64(DisasContext *ctx, TCGv_i64 t, int 
reg)
 t0 = tcg_temp_new_i64();
 tcg_gen_shri_i64(t0, t, 32);
 tcg_gen_deposit_i64(fpu_f64[reg | 1], fpu_f64[reg | 1], t0, 0, 32);
-tcg_temp_free_i64(t0);
 }
 }
 
@@ -1852,8 +1843,6 @@ static inline void gen_cmp ## type ## _ ## 
fmt(DisasContext *ctx, int n,  \
 default:  \
 abort();  \
 } \
-tcg_temp_free_i##bits(fp0);   \
-tcg_temp_free_i##bits(fp1);   \
 }
 
 FOP_CONDS(, 0, d, FMT_D, 64)
@@ -1946,8 +1935,6 @@ static inline void gen_r6_cmp_ ## fmt(DisasContext *ctx, 
int n, \
 abort();\
 }   \
 STORE;  \
-tcg_temp_free_i ## bits(fp0);   \
-tcg_temp_free_i ## bits(fp1);   \
 }
 
 FOP_CONDNS(d, FMT_D, 64, gen_store_fpr64(ctx, fp0, fd))
@@ -1967,7 +1954,6 @@ static inline void op_ld_##insn(TCGv ret, TCGv arg1, int 
mem_idx,  \
 tcg_gen_qemu_##fname(ret, arg1, ctx->mem_idx); \
 tcg_gen_st_tl(t0, cpu_env, offsetof(CPUMIPSState, lladdr));\
 tcg_gen_st_tl(ret, cpu_env, offsetof(CPUMIPSState, llval));\
-tcg_temp_free(t0); \
 }
 #else
 #define OP_LD_ATOMIC(insn, fname)  \
@@ -2065,9 +2051,7 @@ static void gen_ld(DisasContext *ctx, uint32_t opc,
 tcg_gen_shl_tl(t2, t2, t1);
 gen_load_gpr(t1, rt);
 tcg_gen_andc_tl(t1, t1, t2);
-tcg_temp_free(t2);
 tcg_gen_or_tl(t0, t0, t1);
-tcg_temp_free(t1);
 gen_store_gpr(t0, rt);
 break;
 case OPC_LDR:
@@ -2090,15 +2074,12 @@ static void gen_ld(DisasContext *ctx, uint32_t opc,
 tcg_gen_shl_tl(t2, t2, t1);
 gen_load_gpr(t1, rt);
 tcg_gen_and_tl(t1, t1, t2);
-tcg_temp_free(t2);
 tcg_gen_or_tl(t0, t0, t1);
-tcg_temp_free(t1);
 gen_store_gpr(t0, rt);
 break;
 case OPC_LDPC:
 t1 = tcg_const_tl(pc_relative_pc(ctx));
 gen_op_addr_add(ctx, t0, t0, t1);
-tcg_temp_free(t1);
 tcg_gen_qemu_ld_tl(t0, t0, mem_idx, MO_TEUQ);
 gen_store_gpr(t0, rt);
 break;
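
Review bot: in the `OPC_LDPC` case, `t1 = tcg_const_tl(pc_relative_pc(ctx));` still allocates a temporary for a value that is only read by `gen_op_addr_add()`. Now that the matching `tcg_temp_free(t1)` is gone, this is a natural place to switch to `tcg_constant_tl()`; the same applies to the `OPC_LWPC` case in the next hunk. Fine as a follow-up if this series is meant to stay purely mechanical.
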
@@ -2106,7 +2087,6 @@ static void gen_ld(DisasContext *ctx, uint32_t opc,
 case OPC_LWPC:
 t1 = tcg_const_tl(pc_relative_pc(ctx));
 gen_op_addr_add(ctx, t0, t0, t1);
-tcg_temp_free(t1);
 tcg_gen_qemu_ld_tl(t0, t0, mem_idx, MO_TESL);
 gen_store_gpr(t0, rt);
 break;
@@ -2170,9 +2150,7 @@ static void gen_ld(DisasContext *ctx, uint32_t opc,
 tcg_gen_shl_tl(t2, t2, t

[PATCH v3 13/20] target/s390x: Drop free_compare

2023-03-04 Thread Richard Henderson
Translators are no longer required to free tcg temporaries.
Remove the g1 and g2 members of DisasCompare, as they were
used to track which temps needed to be freed.

Signed-off-by: Richard Henderson 
---
Cc: David Hildenbrand 
Cc: Ilya Leoshkevich 
Cc: Thomas Huth 
Cc: qemu-s3...@nongnu.org
---
 target/s390x/tcg/translate.c | 46 +---
 1 file changed, 1 insertion(+), 45 deletions(-)

diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
index 811049ea28..76a1233946 100644
--- a/target/s390x/tcg/translate.c
+++ b/target/s390x/tcg/translate.c
@@ -156,8 +156,6 @@ struct DisasContext {
 typedef struct {
 TCGCond cond:8;
 bool is_64;
-bool g1;
-bool g2;
 union {
 struct { TCGv_i64 a, b; } s64;
 struct { TCGv_i32 a, b; } s32;
@@ -722,7 +720,6 @@ static void disas_jcc(DisasContext *s, DisasCompare *c, 
uint32_t mask)
 c->cond = (mask ? TCG_COND_ALWAYS : TCG_COND_NEVER);
 c->u.s32.a = cc_op;
 c->u.s32.b = cc_op;
-c->g1 = c->g2 = true;
 c->is_64 = false;
 return;
 }
@@ -839,7 +836,6 @@ static void disas_jcc(DisasContext *s, DisasCompare *c, 
uint32_t mask)
 
 /* Load up the arguments of the comparison.  */
 c->is_64 = true;
-c->g1 = c->g2 = false;
 switch (old_cc_op) {
 case CC_OP_LTGT0_32:
 c->is_64 = false;
@@ -861,13 +857,11 @@ static void disas_jcc(DisasContext *s, DisasCompare *c, 
uint32_t mask)
 case CC_OP_FLOGR:
 c->u.s64.a = cc_dst;
 c->u.s64.b = tcg_constant_i64(0);
-c->g1 = true;
 break;
 case CC_OP_LTGT_64:
 case CC_OP_LTUGTU_64:
 c->u.s64.a = cc_src;
 c->u.s64.b = cc_dst;
-c->g1 = c->g2 = true;
 break;
 
 case CC_OP_TM_32:
@@ -882,7 +876,6 @@ static void disas_jcc(DisasContext *s, DisasCompare *c, 
uint32_t mask)
 case CC_OP_SUBU:
 c->is_64 = true;
 c->u.s64.b = tcg_constant_i64(0);
-c->g1 = true;
 switch (mask) {
 case 8 | 2:
 case 4 | 1: /* result */
@@ -900,7 +893,6 @@ static void disas_jcc(DisasContext *s, DisasCompare *c, 
uint32_t mask)
 case CC_OP_STATIC:
 c->is_64 = false;
 c->u.s32.a = cc_op;
-c->g1 = true;
 switch (mask) {
 case 0x8 | 0x4 | 0x2: /* cc != 3 */
 cond = TCG_COND_NE;
@@ -916,7 +908,6 @@ static void disas_jcc(DisasContext *s, DisasCompare *c, 
uint32_t mask)
 break;
 case 0x8 | 0x2: /* cc == 0 || cc == 2 => (cc & 1) == 0 */
 cond = TCG_COND_EQ;
-c->g1 = false;
 c->u.s32.a = tcg_temp_new_i32();
 c->u.s32.b = tcg_constant_i32(0);
 tcg_gen_andi_i32(c->u.s32.a, cc_op, 1);
@@ -935,7 +926,6 @@ static void disas_jcc(DisasContext *s, DisasCompare *c, 
uint32_t mask)
 break;
 case 0x4 | 0x1: /* cc == 1 || cc == 3 => (cc & 1) != 0 */
 cond = TCG_COND_NE;
-c->g1 = false;
 c->u.s32.a = tcg_temp_new_i32();
 c->u.s32.b = tcg_constant_i32(0);
 tcg_gen_andi_i32(c->u.s32.a, cc_op, 1);
@@ -959,7 +949,6 @@ static void disas_jcc(DisasContext *s, DisasCompare *c, 
uint32_t mask)
 default:
 /* CC is masked by something else: (8 >> cc) & mask.  */
 cond = TCG_COND_NE;
-c->g1 = false;
 c->u.s32.a = tcg_temp_new_i32();
 c->u.s32.b = tcg_constant_i32(0);
 tcg_gen_shr_i32(c->u.s32.a, tcg_constant_i32(8), cc_op);
@@ -974,24 +963,6 @@ static void disas_jcc(DisasContext *s, DisasCompare *c, 
uint32_t mask)
 c->cond = cond;
 }
 
-static void free_compare(DisasCompare *c)
-{
-if (!c->g1) {
-if (c->is_64) {
-tcg_temp_free_i64(c->u.s64.a);
-} else {
-tcg_temp_free_i32(c->u.s32.a);
-}
-}
-if (!c->g2) {
-if (c->is_64) {
-tcg_temp_free_i64(c->u.s64.b);
-} else {
-tcg_temp_free_i32(c->u.s32.b);
-}
-}
-}
-
 /* == */
 /* Define the insn format enumeration.  */
 #define F0(N) FMT_##N,
@@ -1302,7 +1273,6 @@ static DisasJumpType help_branch(DisasContext *s, 
DisasCompare *c,
 }
 
  egress:
-free_compare(c);
 return ret;
 }
 
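
Review bot: in `help_branch()`, with `free_compare(c)` removed the `egress:` label is followed only by `return ret;`, so it no longer performs any cleanup. Whatever jumps to it could become a plain `return`, and the label could be dropped, either here or in a follow-up.
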
@@ -1612,8 +1582,6 @@ static DisasJumpType op_bct32(DisasContext *s, DisasOps 
*o)
 
 c.cond = TCG_COND_NE;
 c.is_64 = false;
-c.g1 = false;
-c.g2 = false;
 
 t = tcg_temp_new_i64();
 tcg_gen_subi_i64(t, regs[r1], 1);
@@ -1635,8 +1603,6 @@ static DisasJumpType op_bcth(DisasContext *s, DisasOps *o)
 
 c.cond = TCG_COND_NE;
 c.is_64 = false;
-c.g1 = false;
-c.g2 = false;
 
 t = tcg_temp_new_i64();
 tcg_gen_shri_i64(t, regs[r1], 32);
@@ -1659,8 +1625,6 @@ static DisasJumpType op_bct64(DisasContext *s, DisasOps 
*o)
 
 c.cond = TCG_COND_NE;
 c.is_64 = t

[PATCH v3 03/20] target/mips: Drop tcg_temp_free from mips16e_translate.c.inc

2023-03-04 Thread Richard Henderson
Translators are no longer required to free tcg temporaries.

Signed-off-by: Richard Henderson 
---
Cc: Philippe Mathieu-Daudé 
Cc: Aurelien Jarno 
Cc: Jiaxun Yang 
Cc: Aleksandar Rikalo 
---
 target/mips/tcg/mips16e_translate.c.inc | 6 --
 1 file changed, 6 deletions(-)

diff --git a/target/mips/tcg/mips16e_translate.c.inc 
b/target/mips/tcg/mips16e_translate.c.inc
index 918b15d55c..602f5f0c02 100644
--- a/target/mips/tcg/mips16e_translate.c.inc
+++ b/target/mips/tcg/mips16e_translate.c.inc
@@ -280,9 +280,6 @@ static void gen_mips16_save(DisasContext *ctx,
 
 tcg_gen_movi_tl(t2, -framesize);
 gen_op_addr_add(ctx, cpu_gpr[29], cpu_gpr[29], t2);
-tcg_temp_free(t0);
-tcg_temp_free(t1);
-tcg_temp_free(t2);
 }
 
 static void gen_mips16_restore(DisasContext *ctx,
@@ -386,9 +383,6 @@ static void gen_mips16_restore(DisasContext *ctx,
 
 tcg_gen_movi_tl(t2, framesize);
 gen_op_addr_add(ctx, cpu_gpr[29], cpu_gpr[29], t2);
-tcg_temp_free(t0);
-tcg_temp_free(t1);
-tcg_temp_free(t2);
 }
 
 #if defined(TARGET_MIPS64)
-- 
2.34.1




[PATCH v3 18/20] target/tricore: Drop tcg_temp_free

2023-03-04 Thread Richard Henderson
Translators are no longer required to free tcg temporaries.

Signed-off-by: Richard Henderson 
---
Cc: Bastian Koppelmann 
---
 target/tricore/translate.c | 540 +
 1 file changed, 4 insertions(+), 536 deletions(-)

diff --git a/target/tricore/translate.c b/target/tricore/translate.c
index 176ea96b2b..127f9a989a 100644
--- a/target/tricore/translate.c
+++ b/target/tricore/translate.c
@@ -126,7 +126,6 @@ void tricore_cpu_dump_state(CPUState *cs, FILE *f, int 
flags)
 #define gen_helper_1arg(name, arg) do {   \
 TCGv_i32 helper_tmp = tcg_const_i32(arg); \
 gen_helper_##name(cpu_env, helper_tmp);   \
-tcg_temp_free_i32(helper_tmp);\
 } while (0)
 
 #define GEN_HELPER_LL(name, ret, arg0, arg1, n) do { \
@@ -137,9 +136,6 @@ void tricore_cpu_dump_state(CPUState *cs, FILE *f, int 
flags)
 tcg_gen_ext16s_tl(arg01, arg0);  \
 tcg_gen_ext16s_tl(arg11, arg1);  \
 gen_helper_##name(ret, arg00, arg01, arg11, arg11, n);   \
-tcg_temp_free(arg00);\
-tcg_temp_free(arg01);\
-tcg_temp_free(arg11);\
 } while (0)
 
 #define GEN_HELPER_LU(name, ret, arg0, arg1, n) do { \
@@ -152,10 +148,6 @@ void tricore_cpu_dump_state(CPUState *cs, FILE *f, int 
flags)
 tcg_gen_sari_tl(arg11, arg1, 16);\
 tcg_gen_ext16s_tl(arg10, arg1);  \
 gen_helper_##name(ret, arg00, arg01, arg10, arg11, n);   \
-tcg_temp_free(arg00);\
-tcg_temp_free(arg01);\
-tcg_temp_free(arg10);\
-tcg_temp_free(arg11);\
 } while (0)
 
 #define GEN_HELPER_UL(name, ret, arg0, arg1, n) do { \
@@ -168,10 +160,6 @@ void tricore_cpu_dump_state(CPUState *cs, FILE *f, int 
flags)
 tcg_gen_sari_tl(arg10, arg1, 16);\
 tcg_gen_ext16s_tl(arg11, arg1);  \
 gen_helper_##name(ret, arg00, arg01, arg10, arg11, n);   \
-tcg_temp_free(arg00);\
-tcg_temp_free(arg01);\
-tcg_temp_free(arg10);\
-tcg_temp_free(arg11);\
 } while (0)
 
 #define GEN_HELPER_UU(name, ret, arg0, arg1, n) do { \
@@ -182,9 +170,6 @@ void tricore_cpu_dump_state(CPUState *cs, FILE *f, int 
flags)
 tcg_gen_ext16s_tl(arg00, arg0);  \
 tcg_gen_sari_tl(arg11, arg1, 16);\
 gen_helper_##name(ret, arg00, arg01, arg11, arg11, n);   \
-tcg_temp_free(arg00);\
-tcg_temp_free(arg01);\
-tcg_temp_free(arg11);\
 } while (0)
 
 #define GEN_HELPER_RRR(name, rl, rh, al1, ah1, arg2) do {\
@@ -194,9 +179,6 @@ void tricore_cpu_dump_state(CPUState *cs, FILE *f, int 
flags)
 tcg_gen_concat_i32_i64(arg1, al1, ah1);  \
 gen_helper_##name(ret, arg1, arg2);  \
 tcg_gen_extr_i64_i32(rl, rh, ret);   \
- \
-tcg_temp_free_i64(ret);  \
-tcg_temp_free_i64(arg1); \
 } while (0)
 
 #define GEN_HELPER_RR(name, rl, rh, arg1, arg2) do {\
@@ -204,8 +186,6 @@ void tricore_cpu_dump_state(CPUState *cs, FILE *f, int 
flags)
 \
 gen_helper_##name(ret, cpu_env, arg1, arg2);\
 tcg_gen_extr_i64_i32(rl, rh, ret);  \
-\
-tcg_temp_free_i64(ret); \
 } while (0)
 
 #define EA_ABS_FORMAT(con) (((con & 0x3C000) << 14) + (con & 0x3FFF))
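Review bot: unrelated to the dropped free, the trailing context line `#define EA_ABS_FORMAT(con) (((con & 0x3C000) << 14) + (con & 0x3FFF))` expands `con` without parentheses, so an argument such as `a | b` would bind to the `&` with the wrong precedence. A follow-up could write `((con) & 0x3C000)` and `((con) & 0x3FFF)`. In GEN_HELPER_RR itself, removing `tcg_temp_free_i64(ret)` together with the bare continuation line above it leaves the `do { ... } while (0)` body ending on the `tcg_gen_extr_i64_i32` call, which looks right.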
@@ -229,7 +209,6 @@ static inline void gen_offset_ld(DisasContext *ctx, TCGv 
r1, TCGv r2,
 TCGv temp = tcg_temp_new();
 tcg_gen_addi_tl(temp, r2, con);
 tcg_gen_qemu_ld_tl(r1, temp, ctx->mem_idx, mop);
-tcg_temp_free(temp);
 }
 
 static inline void gen_offset_st(DisasContext *ctx, TCGv r1, TCGv r2,
@@ -238,7 +217,6 @@ static inline void gen_offset_st(DisasContext *ctx, TCGv 
r1, TCGv r2,
 TCGv temp = tcg_temp_new();
 tcg_gen_addi_tl(temp, r2, con);
 tcg_gen_qemu_st_tl(r1, temp, ctx->mem_idx, mop);
-tcg_temp_free(temp);
 }
 
 static void gen_st_2regs_64(TCGv rh, TCGv rl, TCGv address, DisasContext *ctx)
@@ -247,8 +225,6 @@ static void gen_st_2regs_64(TCGv rh, TCGv rl, TCGv address, 
DisasContext *ctx)
 
 tcg_gen_concat_i32_i64(temp, rl, rh);

[PATCH v3 06/20] target/mips: Drop tcg_temp_free from nanomips_translate.c.inc

2023-03-04 Thread Richard Henderson
Translators are no longer required to free tcg temporaries.

Signed-off-by: Richard Henderson 
---
Cc: Philippe Mathieu-Daudé 
Cc: Aurelien Jarno 
Cc: Jiaxun Yang 
Cc: Aleksandar Rikalo 
---
 target/mips/tcg/nanomips_translate.c.inc | 127 ++-
 1 file changed, 10 insertions(+), 117 deletions(-)

diff --git a/target/mips/tcg/nanomips_translate.c.inc 
b/target/mips/tcg/nanomips_translate.c.inc
index faf6d679bd..b3df7fec40 100644
--- a/target/mips/tcg/nanomips_translate.c.inc
+++ b/target/mips/tcg/nanomips_translate.c.inc
@@ -1005,13 +1005,9 @@ static void gen_llwp(DisasContext *ctx, uint32_t base, 
int16_t offset,
 tcg_gen_extr_i64_tl(tmp1, tmp2, tval);
 }
 gen_store_gpr(tmp1, reg1);
-tcg_temp_free(tmp1);
 gen_store_gpr(tmp2, reg2);
-tcg_temp_free(tmp2);
 tcg_gen_st_i64(tval, cpu_env, offsetof(CPUMIPSState, llval_wp));
-tcg_temp_free_i64(tval);
 tcg_gen_st_tl(taddr, cpu_env, offsetof(CPUMIPSState, lladdr));
-tcg_temp_free(taddr);
 }
 
 static void gen_scwp(DisasContext *ctx, uint32_t base, int16_t offset,
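Review bot: this gen_llwp hunk, like every hunk visible for this file, only deletes lines, yet the diffstat reports 10 insertions and the commit message does not mention any. If those come from re-indenting code after a block or its braces were dropped, a sentence in the commit message saying so would make the patch easier to check. Within the hunk, the four frees were interleaved with the stores; removing them keeps the two `gen_store_gpr` calls and the two `tcg_gen_st_*` calls in their original order.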
@@ -1084,9 +1080,6 @@ static void gen_save(DisasContext *ctx, uint8_t rt, 
uint8_t count,
 
 /* adjust stack pointer */
 gen_adjust_sp(ctx, -u);
-
-tcg_temp_free(t0);
-tcg_temp_free(va);
 }
 
 static void gen_restore(DisasContext *ctx, uint8_t rt, uint8_t count,
@@ -1110,9 +1103,6 @@ static void gen_restore(DisasContext *ctx, uint8_t rt, 
uint8_t count,
 
 /* adjust stack pointer */
 gen_adjust_sp(ctx, u);
-
-tcg_temp_free(t0);
-tcg_temp_free(va);
 }
 
 static void gen_compute_branch_nm(DisasContext *ctx, uint32_t opc,
@@ -1232,8 +1222,6 @@ static void gen_compute_branch_nm(DisasContext *ctx, 
uint32_t opc,
 if (insn_bytes == 2) {
 ctx->hflags |= MIPS_HFLAG_B16;
 }
-tcg_temp_free(t0);
-tcg_temp_free(t1);
 }
 
 static void gen_pool16c_nanomips_insn(DisasContext *ctx)
@@ -1358,7 +1346,6 @@ static void gen_pool32a0_nanomips_insn(CPUMIPSState *env, 
DisasContext *ctx)
 }
 break;
 }
-tcg_temp_free(t0);
 #endif
 } else {
 gen_slt(ctx, OPC_SLTU, rd, rs, rt);
@@ -1381,10 +1368,6 @@ static void gen_pool32a0_nanomips_insn(CPUMIPSState 
*env, DisasContext *ctx)
 /* operands of same sign, result different sign */
 tcg_gen_setcondi_tl(TCG_COND_LT, t0, t1, 0);
 gen_store_gpr(t0, rd);
-
-tcg_temp_free(t0);
-tcg_temp_free(t1);
-tcg_temp_free(t2);
 }
 break;
 case NM_MUL:
@@ -1427,7 +1410,6 @@ static void gen_pool32a0_nanomips_insn(CPUMIPSState *env, 
DisasContext *ctx)
 
 gen_load_gpr(t0, rt);
 gen_mtc0(ctx, t0, rs, extract32(ctx->opcode, 11, 3));
-tcg_temp_free(t0);
 }
 break;
 case NM_D_E_MT_VPE:
@@ -1467,8 +1449,6 @@ static void gen_pool32a0_nanomips_insn(CPUMIPSState *env, 
DisasContext *ctx)
 }
 break;
 }
-
-tcg_temp_free(t0);
 }
 break;
 case NM_FORK:
@@ -1480,8 +1460,6 @@ static void gen_pool32a0_nanomips_insn(CPUMIPSState *env, 
DisasContext *ctx)
 gen_load_gpr(t0, rt);
 gen_load_gpr(t1, rs);
 gen_helper_fork(t0, t1);
-tcg_temp_free(t0);
-tcg_temp_free(t1);
 }
 break;
 case NM_MFTR:
@@ -1508,7 +1486,6 @@ static void gen_pool32a0_nanomips_insn(CPUMIPSState *env, 
DisasContext *ctx)
 gen_load_gpr(t0, rs);
 gen_helper_yield(t0, cpu_env, t0);
 gen_store_gpr(t0, rt);
-tcg_temp_free(t0);
 }
 break;
 #endif
@@ -1557,11 +1534,6 @@ static void gen_pool32axf_1_5_nanomips_insn(DisasContext 
*ctx, uint32_t opc,
 gen_reserved_instruction(ctx);
 break;
 }
-
-tcg_temp_free_i32(t0);
-
-tcg_temp_free(v0_t);
-tcg_temp_free(v1_t);
 }
 
 
@@ -1682,10 +1654,6 @@ static void gen_pool32axf_1_nanomips_insn(DisasContext 
*ctx, uint32_t opc,
 gen_reserved_instruction(ctx);
 break;
 }
-
-tcg_temp_free(t0);
-tcg_temp_free(t1);
-tcg_temp_free(v0_t);
 }
 
 static void gen_pool32axf_2_multiply(DisasContext *ctx, uint32_t opc,
@@ -1802,8 +1770,6 @@ static void gen_pool32axf_2_multiply(DisasContext *ctx, 
uint32_t opc,
 gen_reserved_instruction(ctx);
 break;
 }
-
-tcg_temp_free_i32(t0);
 }
 
 static void gen_pool32axf_2_nanomips_insn(DisasContext *ctx, uint32_t opc,
@@ -1855,10 +1821,8 @@ static void gen_pool32axf_2_nanomips_insn(DisasContext 
*ctx, uint32_t opc,
 tcg_gen_mul_i64(t2, t2, t3);
 tcg_gen_concat_tl_i64(t3, cpu_LO[acc], cpu_HI[acc]);
 tcg_gen_add_i64(t2, t2, t3);
-tcg_temp_free_i64(t3);
 gen_move_low32(cpu_LO[acc], t2);
 gen_move_high32(cpu_HI[acc], t2);
-tcg_temp_free_i64(t2);
 

[PATCH v3 09/20] target/mips: Drop tcg_temp_free from tx79_translate.c

2023-03-04 Thread Richard Henderson
Translators are no longer required to free tcg temporaries.

Signed-off-by: Richard Henderson 
---
Cc: Philippe Mathieu-Daudé 
Cc: Aurelien Jarno 
Cc: Jiaxun Yang 
Cc: Aleksandar Rikalo 
---
 target/mips/tcg/tx79_translate.c | 41 
 1 file changed, 41 deletions(-)

diff --git a/target/mips/tcg/tx79_translate.c b/target/mips/tcg/tx79_translate.c
index 4e479c2d10..d46bc73972 100644
--- a/target/mips/tcg/tx79_translate.c
+++ b/target/mips/tcg/tx79_translate.c
@@ -138,10 +138,6 @@ static bool trans_parallel_arith(DisasContext *ctx, arg_r 
*a,
 gen_load_gpr_hi(ax, a->rs);
 gen_load_gpr_hi(bx, a->rt);
 gen_logic_i64(cpu_gpr_hi[a->rd], ax, bx);
-
-tcg_temp_free(bx);
-tcg_temp_free(ax);
-
 return true;
 }
 
@@ -273,15 +269,6 @@ static bool trans_parallel_compare(DisasContext *ctx, 
arg_r *a,
 tcg_gen_movcond_i64(cond, t2, t1, t0, c1, c0);
 tcg_gen_deposit_i64(cpu_gpr_hi[a->rd], cpu_gpr_hi[a->rd], t2, wlen * 
i, wlen);
 }
-
-tcg_temp_free(t2);
-tcg_temp_free(t1);
-tcg_temp_free(t0);
-tcg_temp_free(bx);
-tcg_temp_free(ax);
-tcg_temp_free(c1);
-tcg_temp_free(c0);
-
 return true;
 }
 
@@ -362,10 +349,6 @@ static bool trans_LQ(DisasContext *ctx, arg_i *a)
 tcg_gen_addi_i64(addr, addr, 8);
 tcg_gen_qemu_ld_i64(t0, addr, ctx->mem_idx, MO_TEUQ);
 gen_store_gpr_hi(t0, a->rt);
-
-tcg_temp_free(t0);
-tcg_temp_free(addr);
-
 return true;
 }
 
@@ -389,10 +372,6 @@ static bool trans_SQ(DisasContext *ctx, arg_i *a)
 tcg_gen_addi_i64(addr, addr, 8);
 gen_load_gpr_hi(t0, a->rt);
 tcg_gen_qemu_st_i64(t0, addr, ctx->mem_idx, MO_TEUQ);
-
-tcg_temp_free(addr);
-tcg_temp_free(t0);
-
 return true;
 }
 
@@ -458,11 +437,6 @@ static bool trans_PPACW(DisasContext *ctx, arg_r *a)
 
 gen_load_gpr_hi(t0, a->rs); /* a1 */
 tcg_gen_deposit_i64(cpu_gpr_hi[a->rd], a0, t0, 32, 32);
-
-tcg_temp_free(t0);
-tcg_temp_free(b0);
-tcg_temp_free(a0);
-
 return true;
 }
 
@@ -506,10 +480,6 @@ static bool trans_PEXTLx(DisasContext *ctx, arg_r *a, 
unsigned wlen)
 tcg_gen_shri_i64(bx, bx, wlen);
 tcg_gen_shri_i64(ax, ax, wlen);
 }
-
-tcg_temp_free(bx);
-tcg_temp_free(ax);
-
 return true;
 }
 
@@ -541,10 +511,6 @@ static bool trans_PEXTLW(DisasContext *ctx, arg_r *a)
 gen_load_gpr(ax, a->rs);
 gen_load_gpr(bx, a->rt);
 gen_pextw(cpu_gpr[a->rd], cpu_gpr_hi[a->rd], ax, bx);
-
-tcg_temp_free(bx);
-tcg_temp_free(ax);
-
 return true;
 }
 
@@ -564,10 +530,6 @@ static bool trans_PEXTUW(DisasContext *ctx, arg_r *a)
 gen_load_gpr_hi(ax, a->rs);
 gen_load_gpr_hi(bx, a->rt);
 gen_pextw(cpu_gpr[a->rd], cpu_gpr_hi[a->rd], ax, bx);
-
-tcg_temp_free(bx);
-tcg_temp_free(ax);
-
 return true;
 }
 
@@ -678,8 +640,5 @@ static bool trans_PROT3W(DisasContext *ctx, arg_r *a)
 
 tcg_gen_deposit_i64(cpu_gpr[a->rd], cpu_gpr[a->rt], ax, 0, 32);
 tcg_gen_rotri_i64(cpu_gpr[a->rd], cpu_gpr[a->rd], 32);
-
-tcg_temp_free(ax);
-
 return true;
 }
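Review bot: style nit in trans_PROT3W, and the same applies to the other hunks of this file: both blank lines around the frees are removed, so `return true;` now follows the last `tcg_gen_*` or `gen_*` call with no separation. Keeping the blank line before `return true;` would preserve the layout the functions had before the frees were added and would shrink each hunk by one line.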
-- 
2.34.1




[PATCH v3 00/20] tcg: drop tcg_temp_free from translators

2023-03-04 Thread Richard Henderson
I've queued the reviewed patches from v2 to tcg-next; these are
the ones that remain.  Please review.

Just in case, the tree is
  https://gitlab.com/rth7680/qemu.git tcg-free


r~


Richard Henderson (20):
  target/i386: Drop tcg_temp_free
  target/mips: Drop tcg_temp_free from micromips_translate.c.inc
  target/mips: Drop tcg_temp_free from mips16e_translate.c.inc
  target/mips: Drop tcg_temp_free from msa_translate.c
  target/mips: Drop tcg_temp_free from mxu_translate.c
  target/mips: Drop tcg_temp_free from nanomips_translate.c.inc
  target/mips: Drop tcg_temp_free from octeon_translate.c
  target/mips: Drop tcg_temp_free from translate_addr_const.c
  target/mips: Drop tcg_temp_free from tx79_translate.c
  target/mips: Fix trans_mult_acc return
  target/mips: Drop tcg_temp_free from vr54xx_translate.c
  target/mips: Drop tcg_temp_free from translate.c
  target/s390x: Drop free_compare
  target/s390x: Drop tcg_temp_free from translate_vx.c.inc
  target/s390x: Drop tcg_temp_free from translate.c
  target/s390x: Remove assert vs g_in2
  target/s390x: Remove g_out, g_out2, g_in1, g_in2 from DisasContext
  target/tricore: Drop tcg_temp_free
  tracing: remove transform.py
  tcg: Create tcg/tcg-temp-internal.h

 meson.build   |   1 -
 include/tcg/tcg-temp-internal.h   |  83 
 include/tcg/tcg.h |  54 ---
 accel/tcg/plugin-gen.c|   1 +
 target/i386/tcg/translate.c   |  41 --
 target/mips/tcg/msa_translate.c   |   9 -
 target/mips/tcg/mxu_translate.c   |  51 --
 target/mips/tcg/octeon_translate.c|  23 -
 target/mips/tcg/translate.c   | 537 +
 target/mips/tcg/translate_addr_const.c|   7 -
 target/mips/tcg/tx79_translate.c  |  41 --
 target/mips/tcg/vr54xx_translate.c|   6 +-
 target/s390x/tcg/translate.c  | 188 +---
 target/tricore/translate.c| 540 +-
 tcg/tcg-op-gvec.c |   1 +
 tcg/tcg-op-vec.c  |   1 +
 tcg/tcg-op.c  |   1 +
 tcg/tcg.c |   1 +
 target/i386/tcg/decode-new.c.inc  |  15 -
 target/i386/tcg/emit.c.inc|   6 -
 target/mips/tcg/micromips_translate.c.inc |   8 -
 target/mips/tcg/mips16e_translate.c.inc   |   6 -
 target/mips/tcg/nanomips_translate.c.inc  | 127 +
 target/s390x/tcg/translate_vx.c.inc   | 143 --
 scripts/tracetool/__init__.py |  23 -
 scripts/tracetool/transform.py| 168 ---
 26 files changed, 128 insertions(+), 1954 deletions(-)
 create mode 100644 include/tcg/tcg-temp-internal.h
 delete mode 100644 scripts/tracetool/transform.py

-- 
2.34.1




[PATCH v3 11/20] target/mips: Drop tcg_temp_free from vr54xx_translate.c

2023-03-04 Thread Richard Henderson
Translators are no longer required to free tcg temporaries.

Signed-off-by: Richard Henderson 
---
Cc: Philippe Mathieu-Daudé 
Cc: Aurelien Jarno 
Cc: Jiaxun Yang 
Cc: Aleksandar Rikalo 
---
 target/mips/tcg/vr54xx_translate.c | 4 
 1 file changed, 4 deletions(-)

diff --git a/target/mips/tcg/vr54xx_translate.c 
b/target/mips/tcg/vr54xx_translate.c
index a7d241e4e7..804672f84c 100644
--- a/target/mips/tcg/vr54xx_translate.c
+++ b/target/mips/tcg/vr54xx_translate.c
@@ -49,10 +49,6 @@ static bool trans_mult_acc(DisasContext *ctx, arg_r *a,
 gen_helper_mult_acc(t0, cpu_env, t0, t1);
 
 gen_store_gpr(t0, a->rd);
-
-tcg_temp_free(t0);
-tcg_temp_free(t1);
-
 return true;
 }
 
-- 
2.34.1




[PATCH v3 01/20] target/i386: Drop tcg_temp_free

2023-03-04 Thread Richard Henderson
Translators are no longer required to free tcg temporaries.

Signed-off-by: Richard Henderson 
---
Cc: Paolo Bonzini 
Cc: Eduardo Habkost 
---
 target/i386/tcg/translate.c  | 41 
 target/i386/tcg/decode-new.c.inc | 15 
 target/i386/tcg/emit.c.inc   |  6 -
 3 files changed, 62 deletions(-)

diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index defbc43deb..2f3842663d 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -899,10 +899,6 @@ static void gen_compute_eflags(DisasContext *s)
 gen_update_cc_op(s);
 gen_helper_cc_compute_all(cpu_cc_src, dst, src1, src2, cpu_cc_op);
 set_cc_op(s, CC_OP_EFLAGS);
-
-if (dead) {
-tcg_temp_free(zero);
-}
 }
 
 typedef struct CCPrepare {
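Review bot: deleting the `if (dead) { tcg_temp_free(zero); }` block at the end of gen_compute_eflags removes a reader of both `dead` and `zero`. Please confirm that both are still used in the part of the function above this hunk; if the free was the last use of either one, the build will warn about a set-but-unused variable and its declaration should be removed in the same patch.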
@@ -1650,7 +1646,6 @@ static void gen_shift_flags(DisasContext *s, MemOp ot, 
TCGv result,
 } else {
 tcg_gen_mov_tl(cpu_cc_src, shm1);
 }
-tcg_temp_free(z_tl);
 
 /* Get the two potential CC_OP values into temporaries.  */
 tcg_gen_movi_i32(s->tmp2_i32, (is_right ? CC_OP_SARB : CC_OP_SHLB) + ot);
@@ -1666,8 +1661,6 @@ static void gen_shift_flags(DisasContext *s, MemOp ot, 
TCGv result,
 s32 = tcg_temp_new_i32();
 tcg_gen_trunc_tl_i32(s32, count);
 tcg_gen_movcond_i32(TCG_COND_NE, cpu_cc_op, s32, z32, s->tmp2_i32, oldop);
-tcg_temp_free_i32(z32);
-tcg_temp_free_i32(s32);
 
 /* The CC_OP value is no longer predictable.  */
 set_cc_op(s, CC_OP_DYNAMIC);
@@ -1827,8 +1820,6 @@ static void gen_rot_rm_T1(DisasContext *s, MemOp ot, int 
op1, int is_right)
 tcg_gen_movi_i32(s->tmp3_i32, CC_OP_EFLAGS);
 tcg_gen_movcond_i32(TCG_COND_NE, cpu_cc_op, t1, t0,
 s->tmp2_i32, s->tmp3_i32);
-tcg_temp_free_i32(t0);
-tcg_temp_free_i32(t1);
 
 /* The CC_OP value is no longer predictable.  */
 set_cc_op(s, CC_OP_DYNAMIC);
@@ -2049,7 +2040,6 @@ static void gen_shiftd_rm_T1(DisasContext *s, MemOp ot, 
int op1,
 gen_op_st_rm_T0_A0(s, ot, op1);
 
 gen_shift_flags(s, ot, s->T0, s->tmp0, count, is_right);
-tcg_temp_free(count);
 }
 
 static void gen_shift(DisasContext *s1, int op, MemOp ot, int d, int s)
@@ -2513,13 +2503,6 @@ static void gen_cmovcc1(CPUX86State *env, DisasContext 
*s, MemOp ot, int b,
 tcg_gen_movcond_tl(cc.cond, s->T0, cc.reg, cc.reg2,
s->T0, cpu_regs[reg]);
 gen_op_mov_reg_v(s, ot, reg, s->T0);
-
-if (cc.mask != -1) {
-tcg_temp_free(cc.reg);
-}
-if (!cc.use_reg2) {
-tcg_temp_free(cc.reg2);
-}
 }
 
 static inline void gen_op_movl_T0_seg(DisasContext *s, X86Seg seg_reg)
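Review bot: the two conditionals removed from the end of gen_cmovcc1, `cc.mask != -1` and `!cc.use_reg2`, were what told a reader of this hunk when `cc.reg` and `cc.reg2` are fresh temporaries rather than aliases of existing values. If the CCPrepare definition carries a comment describing that ownership rule for callers, it should be updated or dropped in this patch, since callers no longer have anything to free.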
@@ -2748,7 +2731,6 @@ static void gen_set_hflag(DisasContext *s, uint32_t mask)
 tcg_gen_ld_i32(t, cpu_env, offsetof(CPUX86State, hflags));
 tcg_gen_ori_i32(t, t, mask);
 tcg_gen_st_i32(t, cpu_env, offsetof(CPUX86State, hflags));
-tcg_temp_free_i32(t);
 s->flags |= mask;
 }
 }
@@ -2760,7 +2742,6 @@ static void gen_reset_hflag(DisasContext *s, uint32_t 
mask)
 tcg_gen_ld_i32(t, cpu_env, offsetof(CPUX86State, hflags));
 tcg_gen_andi_i32(t, t, ~mask);
 tcg_gen_st_i32(t, cpu_env, offsetof(CPUX86State, hflags));
-tcg_temp_free_i32(t);
 s->flags &= ~mask;
 }
 }
@@ -2772,7 +2753,6 @@ static void gen_set_eflags(DisasContext *s, target_ulong 
mask)
 tcg_gen_ld_tl(t, cpu_env, offsetof(CPUX86State, eflags));
 tcg_gen_ori_tl(t, t, mask);
 tcg_gen_st_tl(t, cpu_env, offsetof(CPUX86State, eflags));
-tcg_temp_free(t);
 }
 
 static void gen_reset_eflags(DisasContext *s, target_ulong mask)
@@ -2782,7 +2762,6 @@ static void gen_reset_eflags(DisasContext *s, 
target_ulong mask)
 tcg_gen_ld_tl(t, cpu_env, offsetof(CPUX86State, eflags));
 tcg_gen_andi_tl(t, t, ~mask);
 tcg_gen_st_tl(t, cpu_env, offsetof(CPUX86State, eflags));
-tcg_temp_free(t);
 }
 
 /* Clear BND registers during legacy branches.  */
@@ -3015,13 +2994,11 @@ static void gen_cmpxchg8b(DisasContext *s, CPUX86State 
*env, int modrm)
 tcg_gen_nonatomic_cmpxchg_i64(old, s->A0, cmp, val,
   s->mem_index, MO_TEUQ);
 }
-tcg_temp_free_i64(val);
 
 /* Set tmp0 to match the required value of Z. */
 tcg_gen_setcond_i64(TCG_COND_EQ, cmp, old, cmp);
 Z = tcg_temp_new();
 tcg_gen_trunc_i64_tl(Z, cmp);
-tcg_temp_free_i64(cmp);
 
 /*
  * Extract the result values for the register pair.
@@ -3042,12 +3019,10 @@ static void gen_cmpxchg8b(DisasContext *s, CPUX86State 
*env, int modrm)
 tcg_gen_movcond_tl(TCG_COND_EQ, cpu_regs[R_EDX], Z, zero,
s->T1, cpu_regs[R_EDX]);
 }
-tcg_temp_free_i64(old);
 
 /* Update Z. */
 gen_compute_eflags(s);
 tcg_gen_deposit_tl(cpu_cc_src, cpu_cc_src, Z, ctz32(CC_Z), 1);
-tcg_temp_free(Z);
 }
 
 #ifdef TARGET_X86_64
@@ -3072,8 +3047,6 @@ static void gen_cmpxchg16b(DisasCo

[PATCH v3 16/20] target/s390x: Remove assert vs g_in2

2023-03-04 Thread Richard Henderson
These were trying to determine if o->in2 was available for
use as a temporary.  It's better to just allocate a new one.

Signed-off-by: Richard Henderson 
---
Cc: David Hildenbrand 
Cc: Ilya Leoshkevich 
Cc: Thomas Huth 
Cc: qemu-s3...@nongnu.org
---
 target/s390x/tcg/translate.c | 20 ++--
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
index beccd3429e..c431903c67 100644
--- a/target/s390x/tcg/translate.c
+++ b/target/s390x/tcg/translate.c
@@ -1428,11 +1428,11 @@ static DisasJumpType op_andi(DisasContext *s, DisasOps 
*o)
 int shift = s->insn->data & 0xff;
 int size = s->insn->data >> 8;
 uint64_t mask = ((1ull << size) - 1) << shift;
+TCGv_i64 t = tcg_temp_new_i64();
 
-assert(!o->g_in2);
-tcg_gen_shli_i64(o->in2, o->in2, shift);
-tcg_gen_ori_i64(o->in2, o->in2, ~mask);
-tcg_gen_and_i64(o->out, o->in1, o->in2);
+tcg_gen_shli_i64(t, o->in2, shift);
+tcg_gen_ori_i64(t, t, ~mask);
+tcg_gen_and_i64(o->out, o->in1, t);
 
 /* Produce the CC from only the bits manipulated.  */
 tcg_gen_andi_i64(cc_dst, o->out, mask);
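Review bot: op_andi used to leave the shifted and or'ed immediate in `o->in2`; with the new temporary `t`, `o->in2` keeps its original value when the function returns. The CC computation in the trailing context reads only `o->out`, so it is unaffected, but please confirm that nothing that runs after op_andi (and likewise after op_ori and op_xori in the next two hunks) reads `o->in2` and expected the modified value.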
@@ -3520,10 +3520,10 @@ static DisasJumpType op_ori(DisasContext *s, DisasOps 
*o)
 int shift = s->insn->data & 0xff;
 int size = s->insn->data >> 8;
 uint64_t mask = ((1ull << size) - 1) << shift;
+TCGv_i64 t = tcg_temp_new_i64();
 
-assert(!o->g_in2);
-tcg_gen_shli_i64(o->in2, o->in2, shift);
-tcg_gen_or_i64(o->out, o->in1, o->in2);
+tcg_gen_shli_i64(t, o->in2, shift);
+tcg_gen_or_i64(o->out, o->in1, t);
 
 /* Produce the CC from only the bits manipulated.  */
 tcg_gen_andi_i64(cc_dst, o->out, mask);
@@ -4832,10 +4832,10 @@ static DisasJumpType op_xori(DisasContext *s, DisasOps 
*o)
 int shift = s->insn->data & 0xff;
 int size = s->insn->data >> 8;
 uint64_t mask = ((1ull << size) - 1) << shift;
+TCGv_i64 t = tcg_temp_new_i64();
 
-assert(!o->g_in2);
-tcg_gen_shli_i64(o->in2, o->in2, shift);
-tcg_gen_xor_i64(o->out, o->in1, o->in2);
+tcg_gen_shli_i64(t, o->in2, shift);
+tcg_gen_xor_i64(o->out, o->in1, t);
 
 /* Produce the CC from only the bits manipulated.  */
 tcg_gen_andi_i64(cc_dst, o->out, mask);
-- 
2.34.1




[PATCH v3 19/20] tracing: remove transform.py

2023-03-04 Thread Richard Henderson
This file, and a couple of uses, got left behind when the
tcg stuff was removed from tracetool.

Fixes: 126d4123c50a ("tracing: excise the tcg related from tracetool")
Signed-off-by: Richard Henderson 
---
Cc: Stefan Hajnoczi 
---
 meson.build|   1 -
 scripts/tracetool/__init__.py  |  23 -
 scripts/tracetool/transform.py | 168 -
 3 files changed, 192 deletions(-)
 delete mode 100644 scripts/tracetool/transform.py

diff --git a/meson.build b/meson.build
index e533d6c95b..6bcab8bf0d 100644
--- a/meson.build
+++ b/meson.build
@@ -2861,7 +2861,6 @@ tracetool_depends = files(
   'scripts/tracetool/format/log_stap.py',
   'scripts/tracetool/format/stap.py',
   'scripts/tracetool/__init__.py',
-  'scripts/tracetool/transform.py',
   'scripts/tracetool/vcpu.py'
 )
 
diff --git a/scripts/tracetool/__init__.py b/scripts/tracetool/__init__.py
index 5393c7fc5c..33cf85e2b0 100644
--- a/scripts/tracetool/__init__.py
+++ b/scripts/tracetool/__init__.py
@@ -18,7 +18,6 @@
 
 import tracetool.format
 import tracetool.backend
-import tracetool.transform
 
 
 def error_write(*lines):
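Review bot: with `import tracetool.transform` gone, any leftover `tracetool.transform.` reference fails only when that code path runs, not when the package is imported. The later hunks remove the two uses in this file, `Arguments.transform` and `Event.transform`, but both were public methods, so please also check the tracetool.format and tracetool.backend modules for remaining `.transform(` callers before this goes in.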
@@ -190,18 +189,6 @@ def casted(self):
 """List of argument names casted to their type."""
 return ["(%s)%s" % (type_, name) for type_, name in self._args]
 
-def transform(self, *trans):
-"""Return a new Arguments instance with transformed types.
-
-The types in the resulting Arguments instance are transformed according
-to tracetool.transform.transform_type.
-"""
-res = []
-for type_, name in self._args:
-res.append((tracetool.transform.transform_type(type_, *trans),
-name))
-return Arguments(res)
-
 
 class Event(object):
 """Event description.
@@ -358,16 +345,6 @@ def api(self, fmt=None):
 fmt = Event.QEMU_TRACE
 return fmt % {"name": self.name, "NAME": self.name.upper()}
 
-def transform(self, *trans):
-"""Return a new Event with transformed Arguments."""
-return Event(self.name,
- list(self.properties),
- self.fmt,
- self.args.transform(*trans),
- self.lineno,
- self.filename,
- self)
-
 
 def read_events(fobj, fname):
 """Generate the output for the given (format, backends) pair.
diff --git a/scripts/tracetool/transform.py b/scripts/tracetool/transform.py
deleted file mode 100644
index ea8b27799d..00
--- a/scripts/tracetool/transform.py
+++ /dev/null
@@ -1,168 +0,0 @@
-# -*- coding: utf-8 -*-
-
-"""
-Type-transformation rules.
-"""
-
-__author__ = "Lluís Vilanova "
-__copyright__  = "Copyright 2012-2016, Lluís Vilanova "
-__license__= "GPL version 2 or (at your option) any later version"
-
-__maintainer__ = "Stefan Hajnoczi"
-__email__  = "stefa...@redhat.com"
-
-
-def _transform_type(type_, trans):
-if isinstance(trans, str):
-return trans
-elif isinstance(trans, dict):
-if type_ in trans:
-return _transform_type(type_, trans[type_])
-elif None in trans:
-return _transform_type(type_, trans[None])
-else:
-return type_
-elif callable(trans):
-return trans(type_)
-else:
-raise ValueError("Invalid type transformation rule: %s" % trans)
-
-
-def transform_type(type_, *trans):
-"""Return a new type transformed according to the given rules.
-
-Applies each of the transformation rules in trans in order.
-
-If an element of trans is a string, return it.
-
-If an element of trans is a function, call it with type_ as its only
-argument.
-
-If an element of trans is a dict, search type_ in its keys. If type_ is
-a key, use the value as a transformation rule for type_. Otherwise, if
-None is a key use the value as a transformation rule for type_.
-
-Otherwise, return type_.
-
-Parameters
---
-type_ : str
-Type to transform.
-trans : list of function or dict
-Type transformation rules.
-"""
-if len(trans) == 0:
-raise ValueError
-res = type_
-for t in trans:
-res = _transform_type(res, t)
-return res
-
-
-##
-# tcg -> host
-
-def _tcg_2_host(type_):
-if type_ == "TCGv":
-# force a fixed-size type (target-independent)
-return "uint64_t"
-else:
-return type_
-
-TCG_2_HOST = {
-"TCGv_i32": "uint32_t",
-"TCGv_i64": "uint64_t",
-"TCGv_ptr": "void *",
-None: _tcg_2_host,
-}
-
-
-##
-# host -> host compatible with tcg sizes
-
-HOST_2_TCG_COMPAT = {
-"uint8_t": "uint32_t",
-"uint16_t": "uint32_t",
-}
-
-
-##
-# host/tcg -> tcg
-
-def _host_2_tcg(type_):
-if type_.startswith("TCGv"):
-re

[PATCH v3 05/20] target/mips: Drop tcg_temp_free from mxu_translate.c

2023-03-04 Thread Richard Henderson
Translators are no longer required to free tcg temporaries.

Signed-off-by: Richard Henderson 
---
Cc: Philippe Mathieu-Daudé 
Cc: Aurelien Jarno 
Cc: Jiaxun Yang 
Cc: Aleksandar Rikalo 
---
 target/mips/tcg/mxu_translate.c | 51 -
 1 file changed, 51 deletions(-)

diff --git a/target/mips/tcg/mxu_translate.c b/target/mips/tcg/mxu_translate.c
index f52244e1b2..8703b0cef4 100644
--- a/target/mips/tcg/mxu_translate.c
+++ b/target/mips/tcg/mxu_translate.c
@@ -513,8 +513,6 @@ static void gen_mxu_s32i2m(DisasContext *ctx)
 } else if (XRa == 16) {
 gen_store_mxu_cr(t0);
 }
-
-tcg_temp_free(t0);
 }
 
 /*
@@ -537,8 +535,6 @@ static void gen_mxu_s32m2i(DisasContext *ctx)
 }
 
 gen_store_gpr(t0, Rb);
-
-tcg_temp_free(t0);
 }
 
 /*
@@ -613,9 +609,6 @@ static void gen_mxu_s8ldd(DisasContext *ctx)
 }
 
 gen_store_mxu_gpr(t0, XRa);
-
-tcg_temp_free(t0);
-tcg_temp_free(t1);
 }
 
 /*
@@ -664,11 +657,6 @@ static void gen_mxu_d16mul(DisasContext *ctx)
 }
 gen_store_mxu_gpr(t3, XRa);
 gen_store_mxu_gpr(t2, XRd);
-
-tcg_temp_free(t0);
-tcg_temp_free(t1);
-tcg_temp_free(t2);
-tcg_temp_free(t3);
 }
 
 /*
@@ -741,11 +729,6 @@ static void gen_mxu_d16mac(DisasContext *ctx)
 }
 gen_store_mxu_gpr(t3, XRa);
 gen_store_mxu_gpr(t2, XRd);
-
-tcg_temp_free(t0);
-tcg_temp_free(t1);
-tcg_temp_free(t2);
-tcg_temp_free(t3);
 }
 
 /*
@@ -821,15 +804,6 @@ static void gen_mxu_q8mul_q8mulsu(DisasContext *ctx)
 
 gen_store_mxu_gpr(t0, XRd);
 gen_store_mxu_gpr(t1, XRa);
-
-tcg_temp_free(t0);
-tcg_temp_free(t1);
-tcg_temp_free(t2);
-tcg_temp_free(t3);
-tcg_temp_free(t4);
-tcg_temp_free(t5);
-tcg_temp_free(t6);
-tcg_temp_free(t7);
 }
 
 /*
@@ -860,9 +834,6 @@ static void gen_mxu_s32ldd_s32lddr(DisasContext *ctx)
 tcg_gen_qemu_ld_tl(t1, t1, ctx->mem_idx, MO_TESL ^ (sel * MO_BSWAP));
 
 gen_store_mxu_gpr(t1, XRa);
-
-tcg_temp_free(t0);
-tcg_temp_free(t1);
 }
 
 
@@ -1125,9 +1096,6 @@ static void gen_mxu_D16MAX_D16MIN(DisasContext *ctx)
 tcg_gen_shri_i32(t0, t0, 16);
 /* finally update the destination */
 tcg_gen_or_i32(mxu_gpr[XRa - 1], mxu_gpr[XRa - 1], t0);
-
-tcg_temp_free(t1);
-tcg_temp_free(t0);
 } else if (unlikely(XRb == XRc)) {
 /* both operands same -> just set destination to one of them */
 tcg_gen_mov_i32(mxu_gpr[XRa - 1], mxu_gpr[XRb - 1]);
@@ -1161,9 +1129,6 @@ static void gen_mxu_D16MAX_D16MIN(DisasContext *ctx)
 tcg_gen_shri_i32(t0, t0, 16);
 /* finally update the destination */
 tcg_gen_or_i32(mxu_gpr[XRa - 1], mxu_gpr[XRa - 1], t0);
-
-tcg_temp_free(t1);
-tcg_temp_free(t0);
 }
 }
 
@@ -1226,9 +1191,6 @@ static void gen_mxu_Q8MAX_Q8MIN(DisasContext *ctx)
 /* finally update the destination */
 tcg_gen_or_i32(mxu_gpr[XRa - 1], mxu_gpr[XRa - 1], t0);
 }
-
-tcg_temp_free(t1);
-tcg_temp_free(t0);
 } else if (unlikely(XRb == XRc)) {
 /* both operands same -> just set destination to one of them */
 tcg_gen_mov_i32(mxu_gpr[XRa - 1], mxu_gpr[XRb - 1]);
@@ -1266,9 +1228,6 @@ static void gen_mxu_Q8MAX_Q8MIN(DisasContext *ctx)
 /* finally update the destination */
 tcg_gen_or_i32(mxu_gpr[XRa - 1], mxu_gpr[XRa - 1], t0);
 }
-
-tcg_temp_free(t1);
-tcg_temp_free(t0);
 }
 }
 
@@ -1384,9 +1343,6 @@ static void gen_mxu_S32ALNI(DisasContext *ctx)
 tcg_gen_shri_i32(t1, t1, 24);
 
 tcg_gen_or_i32(mxu_gpr[XRa - 1], t0, t1);
-
-tcg_temp_free(t1);
-tcg_temp_free(t0);
 }
 break;
 case MXU_OPTN3_PTN2:
@@ -1410,9 +1366,6 @@ static void gen_mxu_S32ALNI(DisasContext *ctx)
 tcg_gen_shri_i32(t1, t1, 16);
 
 tcg_gen_or_i32(mxu_gpr[XRa - 1], t0, t1);
-
-tcg_temp_free(t1);
-tcg_temp_free(t0);
 }
 break;
 case MXU_OPTN3_PTN3:
@@ -1436,9 +1389,6 @@ static void gen_mxu_S32ALNI(DisasContext *ctx)
 tcg_gen_shri_i32(t1, t1, 8);
 
 tcg_gen_or_i32(mxu_gpr[XRa - 1], t0, t1);
-
-tcg_temp_free(t1);
-tcg_temp_free(t0);
 }
 break;
 case MXU_OPTN3_PTN4:
@@ -1598,7 +1548,6 @@ bool decode_ase_mxu(DisasContext *ctx, uint32_t insn)
 }
 
 gen_set_label(l_exit);
-tcg_temp_free(t_mxu_cr);
 }
 
 return true;
-- 
2.34.1




[PATCH v3 14/20] target/s390x: Drop tcg_temp_free from translate_vx.c.inc

2023-03-04 Thread Richard Henderson
Translators are no longer required to free tcg temporaries.

Signed-off-by: Richard Henderson 
---
Cc: David Hildenbrand 
Cc: Ilya Leoshkevich 
Cc: Thomas Huth 
Cc: qemu-s3...@nongnu.org
---
 target/s390x/tcg/translate_vx.c.inc | 143 
 1 file changed, 143 deletions(-)

diff --git a/target/s390x/tcg/translate_vx.c.inc 
b/target/s390x/tcg/translate_vx.c.inc
index 3fadc82e5c..43dfbfd03f 100644
--- a/target/s390x/tcg/translate_vx.c.inc
+++ b/target/s390x/tcg/translate_vx.c.inc
@@ -183,8 +183,6 @@ static void get_vec_element_ptr_i64(TCGv_ptr ptr, uint8_t 
reg, TCGv_i64 enr,
 /* generate the final ptr by adding cpu_env */
 tcg_gen_trunc_i64_ptr(ptr, tmp);
 tcg_gen_add_ptr(ptr, ptr, cpu_env);
-
-tcg_temp_free_i64(tmp);
 }
 
 #define gen_gvec_2(v1, v2, gen) \
@@ -272,13 +270,6 @@ static void gen_gvec128_3_i64(gen_gvec128_3_i64_fn fn, 
uint8_t d, uint8_t a,
 fn(dl, dh, al, ah, bl, bh);
 write_vec_element_i64(dh, d, 0, ES_64);
 write_vec_element_i64(dl, d, 1, ES_64);
-
-tcg_temp_free_i64(dh);
-tcg_temp_free_i64(dl);
-tcg_temp_free_i64(ah);
-tcg_temp_free_i64(al);
-tcg_temp_free_i64(bh);
-tcg_temp_free_i64(bl);
 }
 
 typedef void (*gen_gvec128_4_i64_fn)(TCGv_i64 dl, TCGv_i64 dh, TCGv_i64 al,
@@ -305,15 +296,6 @@ static void gen_gvec128_4_i64(gen_gvec128_4_i64_fn fn, 
uint8_t d, uint8_t a,
 fn(dl, dh, al, ah, bl, bh, cl, ch);
 write_vec_element_i64(dh, d, 0, ES_64);
 write_vec_element_i64(dl, d, 1, ES_64);
-
-tcg_temp_free_i64(dh);
-tcg_temp_free_i64(dl);
-tcg_temp_free_i64(ah);
-tcg_temp_free_i64(al);
-tcg_temp_free_i64(bh);
-tcg_temp_free_i64(bl);
-tcg_temp_free_i64(ch);
-tcg_temp_free_i64(cl);
 }
 
 static void gen_addi2_i64(TCGv_i64 dl, TCGv_i64 dh, TCGv_i64 al, TCGv_i64 ah,
@@ -351,7 +333,6 @@ static DisasJumpType op_vge(DisasContext *s, DisasOps *o)
 
 tcg_gen_qemu_ld_i64(tmp, o->addr1, get_mem_index(s), MO_TE | es);
 write_vec_element_i64(tmp, get_field(s, v1), enr, es);
-tcg_temp_free_i64(tmp);
 return DISAS_NEXT;
 }
 
@@ -386,7 +367,6 @@ static DisasJumpType op_vgbm(DisasContext *s, DisasOps *o)
 write_vec_element_i64(t, get_field(s, v1), 0, ES_64);
 tcg_gen_movi_i64(t, generate_byte_mask(i2));
 write_vec_element_i64(t, get_field(s, v1), 1, ES_64);
-tcg_temp_free_i64(t);
 }
 return DISAS_NEXT;
 }
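Review bot: in op_vgbm the temporary `t` shown here only carries an immediate: `tcg_gen_movi_i64(t, generate_byte_mask(i2))` followed by `write_vec_element_i64(t, ...)`. With the free gone, this could pass `tcg_constant_i64(generate_byte_mask(i2))` straight to `write_vec_element_i64`, the way the op_vllebrz context in a later hunk already does with `tcg_constant_i64(0)`, and drop `t` if the preceding write can be handled the same way. Fine as a follow-up rather than in this patch.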
@@ -427,8 +407,6 @@ static DisasJumpType op_vl(DisasContext *s, DisasOps *o)
 tcg_gen_qemu_ld_i64(t1, o->addr1, get_mem_index(s), MO_TEUQ);
 write_vec_element_i64(t0, get_field(s, v1), 0, ES_64);
 write_vec_element_i64(t1, get_field(s, v1), 1, ES_64);
-tcg_temp_free(t0);
-tcg_temp_free(t1);
 return DISAS_NEXT;
 }
 
@@ -451,7 +429,6 @@ static DisasJumpType op_vlrep(DisasContext *s, DisasOps *o)
 tmp = tcg_temp_new_i64();
 tcg_gen_qemu_ld_i64(tmp, o->addr1, get_mem_index(s), MO_TE | es);
 gen_gvec_dup_i64(es, get_field(s, v1), tmp);
-tcg_temp_free_i64(tmp);
 return DISAS_NEXT;
 }
 
@@ -469,7 +446,6 @@ static DisasJumpType op_vlebr(DisasContext *s, DisasOps *o)
 tmp = tcg_temp_new_i64();
 tcg_gen_qemu_ld_i64(tmp, o->addr1, get_mem_index(s), MO_LE | es);
 write_vec_element_i64(tmp, get_field(s, v1), enr, es);
-tcg_temp_free_i64(tmp);
 return DISAS_NEXT;
 }
 
@@ -486,7 +462,6 @@ static DisasJumpType op_vlbrrep(DisasContext *s, DisasOps 
*o)
 tmp = tcg_temp_new_i64();
 tcg_gen_qemu_ld_i64(tmp, o->addr1, get_mem_index(s), MO_LE | es);
 gen_gvec_dup_i64(es, get_field(s, v1), tmp);
-tcg_temp_free_i64(tmp);
 return DISAS_NEXT;
 }
 
@@ -518,7 +493,6 @@ static DisasJumpType op_vllebrz(DisasContext *s, DisasOps 
*o)
 
 write_vec_element_i64(tmp, get_field(s, v1), 0, ES_64);
 write_vec_element_i64(tcg_constant_i64(0), get_field(s, v1), 1, ES_64);
-tcg_temp_free_i64(tmp);
 return DISAS_NEXT;
 }
 
@@ -572,9 +546,6 @@ static DisasJumpType op_vlbr(DisasContext *s, DisasOps *o)
 write:
 write_vec_element_i64(t0, get_field(s, v1), 0, ES_64);
 write_vec_element_i64(t1, get_field(s, v1), 1, ES_64);
-
-tcg_temp_free(t0);
-tcg_temp_free(t1);
 return DISAS_NEXT;
 }
 
@@ -592,7 +563,6 @@ static DisasJumpType op_vle(DisasContext *s, DisasOps *o)
 tmp = tcg_temp_new_i64();
 tcg_gen_qemu_ld_i64(tmp, o->addr1, get_mem_index(s), MO_TE | es);
 write_vec_element_i64(tmp, get_field(s, v1), enr, es);
-tcg_temp_free_i64(tmp);
 return DISAS_NEXT;
 }
 
@@ -647,8 +617,6 @@ static DisasJumpType op_vler(DisasContext *s, DisasOps *o)
 
 write_vec_element_i64(t0, get_field(s, v1), 0, ES_64);
 write_vec_element_i64(t1, get_field(s, v1), 1, ES_64);
-tcg_temp_free(t0);
-tcg_temp_free(t1);
 return DISAS_NEXT;
 }
 
@@ -688,8 +656,6 @@ static DisasJumpType op_vlgv(DisasContext *s, DisasOps *o)
 default:
 g_assert_not_reached();
 }
-t

[PATCH v3 02/20] target/mips: Drop tcg_temp_free from micromips_translate.c.inc

2023-03-04 Thread Richard Henderson
Translators are no longer required to free tcg temporaries.

Signed-off-by: Richard Henderson 
---
Cc: Philippe Mathieu-Daudé 
Cc: Aurelien Jarno 
Cc: Jiaxun Yang 
Cc: Aleksandar Rikalo 
---
 target/mips/tcg/micromips_translate.c.inc | 8 
 1 file changed, 8 deletions(-)

diff --git a/target/mips/tcg/micromips_translate.c.inc 
b/target/mips/tcg/micromips_translate.c.inc
index 632895cc9e..23f80d4315 100644
--- a/target/mips/tcg/micromips_translate.c.inc
+++ b/target/mips/tcg/micromips_translate.c.inc
@@ -724,9 +724,6 @@ static void gen_ldst_multiple(DisasContext *ctx, uint32_t 
opc, int reglist,
 break;
 #endif
 }
-tcg_temp_free(t0);
-tcg_temp_free(t1);
-tcg_temp_free_i32(t2);
 }
 
 
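Review bot: The commit message for this file states only that translators are no longer required to free tcg temporaries, and this first hunk drops three frees of two different kinds (`tcg_temp_free` for t0/t1 and `tcg_temp_free_i32` for t2) on that basis alone. Please name the commit or series that made the frees unnecessary, so that someone bisecting or backporting this patch can tell which prerequisite it depends on.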
@@ -1018,8 +1015,6 @@ static void gen_ldst_pair(DisasContext *ctx, uint32_t 
opc, int rd,
 break;
 #endif
 }
-tcg_temp_free(t0);
-tcg_temp_free(t1);
 }
 
 static void gen_pool32axf(CPUMIPSState *env, DisasContext *ctx, int rt, int rs)
@@ -1067,7 +1062,6 @@ static void gen_pool32axf(CPUMIPSState *env, DisasContext 
*ctx, int rt, int rs)
 
 gen_load_gpr(t0, rt);
 gen_mtc0(ctx, t0, rs, (ctx->opcode >> 11) & 0x7);
-tcg_temp_free(t0);
 }
 break;
 #endif
@@ -1276,7 +1270,6 @@ static void gen_pool32axf(CPUMIPSState *env, DisasContext 
*ctx, int rt, int rs)
  * mode.
  */
 ctx->base.is_jmp = DISAS_STOP;
-tcg_temp_free(t0);
 }
 break;
 case EI:
@@ -1293,7 +1286,6 @@ static void gen_pool32axf(CPUMIPSState *env, DisasContext 
*ctx, int rt, int rs)
  */
 gen_save_pc(ctx->base.pc_next + 4);
 ctx->base.is_jmp = DISAS_EXIT;
-tcg_temp_free(t0);
 }
 break;
 default:
-- 
2.34.1




[PATCH v3 17/20] target/s390x: Remove g_out, g_out2, g_in1, g_in2 from DisasContext

2023-03-04 Thread Richard Henderson
These fields are no longer read, so remove them and the writes.

Signed-off-by: Richard Henderson 
---
Cc: David Hildenbrand 
Cc: Ilya Leoshkevich 
Cc: Thomas Huth 
Cc: qemu-s3...@nongnu.org
---
 target/s390x/tcg/translate.c | 17 -
 1 file changed, 17 deletions(-)

diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
index c431903c67..9974162527 100644
--- a/target/s390x/tcg/translate.c
+++ b/target/s390x/tcg/translate.c
@@ -1061,7 +1061,6 @@ static const DisasFormatInfo format_info[] = {
them, and store them back.  See the "in1", "in2", "prep", "wout" sets
of routines below for more details.  */
 typedef struct {
-bool g_out, g_out2, g_in1, g_in2;
 TCGv_i64 out, out2, in1, in2;
 TCGv_i64 addr1;
 TCGv_i128 out_128, in1_128, in2_128;
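Review bot: The comment block directly above this typedef is left untouched while the `g_out, g_out2, g_in1, g_in2` member line is deleted. Only its last two lines are visible here, so please check that the earlier part of that comment does not still describe the global flags, and trim it in this patch if it does.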
@@ -3159,9 +3158,7 @@ static DisasJumpType op_mc(DisasContext *s, DisasOps *o)
 static DisasJumpType op_mov2(DisasContext *s, DisasOps *o)
 {
 o->out = o->in2;
-o->g_out = o->g_in2;
 o->in2 = NULL;
-o->g_in2 = false;
 return DISAS_NEXT;
 }
 
@@ -3171,9 +3168,7 @@ static DisasJumpType op_mov2e(DisasContext *s, DisasOps 
*o)
 TCGv ar1 = tcg_temp_new_i64();
 
 o->out = o->in2;
-o->g_out = o->g_in2;
 o->in2 = NULL;
-o->g_in2 = false;
 
 switch (s->base.tb->flags & FLAG_MASK_ASC) {
 case PSW_ASC_PRIMARY >> FLAG_MASK_PSW_SHIFT:
@@ -3202,11 +3197,8 @@ static DisasJumpType op_movx(DisasContext *s, DisasOps 
*o)
 {
 o->out = o->in1;
 o->out2 = o->in2;
-o->g_out = o->g_in1;
-o->g_out2 = o->g_in2;
 o->in1 = NULL;
 o->in2 = NULL;
-o->g_in1 = o->g_in2 = false;
 return DISAS_NEXT;
 }
 
@@ -3708,7 +3700,6 @@ static DisasJumpType op_rosbg(DisasContext *s, DisasOps 
*o)
 /* If this is a test-only form, arrange to discard the result.  */
 if (i3 & 0x80) {
 o->out = tcg_temp_new_i64();
-o->g_out = false;
 }
 
 i3 &= 63;
@@ -4874,7 +4865,6 @@ static DisasJumpType op_zero2(DisasContext *s, DisasOps 
*o)
 {
 o->out = tcg_const_i64(0);
 o->out2 = o->out;
-o->g_out2 = true;
 return DISAS_NEXT;
 }
 
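Review bot: In op_zero2, `o->out2 = o->out;` leaves both outputs pointing at the same temporary, and the deleted `o->g_out2 = true;` was the only marker of that aliasing. A one-line comment saying that out and out2 intentionally share one value would stop a later reader from treating them as independent. Since the value is a plain zero, it is also worth asking whether `tcg_constant_i64(0)`, as used elsewhere in this series, would do instead of `tcg_const_i64(0)`.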
@@ -5142,7 +5132,6 @@ static void prep_new_x(DisasContext *s, DisasOps *o)
 static void prep_r1(DisasContext *s, DisasOps *o)
 {
 o->out = regs[get_field(s, r1)];
-o->g_out = true;
 }
 #define SPEC_prep_r1 0
 
@@ -5151,7 +5140,6 @@ static void prep_r1_P(DisasContext *s, DisasOps *o)
 int r1 = get_field(s, r1);
 o->out = regs[r1];
 o->out2 = regs[r1 + 1];
-o->g_out = o->g_out2 = true;
 }
 #define SPEC_prep_r1_P SPEC_r1_even
 
@@ -5375,7 +5363,6 @@ static void in1_r1(DisasContext *s, DisasOps *o)
 static void in1_r1_o(DisasContext *s, DisasOps *o)
 {
 o->in1 = regs[get_field(s, r1)];
-o->g_in1 = true;
 }
 #define SPEC_in1_r1_o 0
 
@@ -5409,7 +5396,6 @@ static void in1_r1p1(DisasContext *s, DisasOps *o)
 static void in1_r1p1_o(DisasContext *s, DisasOps *o)
 {
 o->in1 = regs[get_field(s, r1) + 1];
-o->g_in1 = true;
 }
 #define SPEC_in1_r1p1_o SPEC_r1_even
 
@@ -5464,7 +5450,6 @@ static void in1_r3(DisasContext *s, DisasOps *o)
 static void in1_r3_o(DisasContext *s, DisasOps *o)
 {
 o->in1 = regs[get_field(s, r3)];
-o->g_in1 = true;
 }
 #define SPEC_in1_r3_o 0
 
@@ -5595,7 +5580,6 @@ static void in1_m1_64(DisasContext *s, DisasOps *o)
 static void in2_r1_o(DisasContext *s, DisasOps *o)
 {
 o->in2 = regs[get_field(s, r1)];
-o->g_in2 = true;
 }
 #define SPEC_in2_r1_o 0
 
@@ -5630,7 +5614,6 @@ static void in2_r2(DisasContext *s, DisasOps *o)
 static void in2_r2_o(DisasContext *s, DisasOps *o)
 {
 o->in2 = regs[get_field(s, r2)];
-o->g_in2 = true;
 }
 #define SPEC_in2_r2_o 0
 
-- 
2.34.1




[PATCH v3 15/20] target/s390x: Drop tcg_temp_free from translate.c

2023-03-04 Thread Richard Henderson
Translators are no longer required to free tcg temporaries.

Signed-off-by: Richard Henderson 
---
Cc: David Hildenbrand 
Cc: Ilya Leoshkevich 
Cc: Thomas Huth 
Cc: qemu-s3...@nongnu.org
---
 target/s390x/tcg/translate.c | 105 ---
 1 file changed, 105 deletions(-)

diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
index 76a1233946..beccd3429e 100644
--- a/target/s390x/tcg/translate.c
+++ b/target/s390x/tcg/translate.c
@@ -306,8 +306,6 @@ static TCGv_i128 load_freg_128(int reg)
 TCGv_i128 r = tcg_temp_new_i128();
 
 tcg_gen_concat_i64_i128(r, l, h);
-tcg_temp_free_i64(h);
-tcg_temp_free_i64(l);
 return r;
 }
 
@@ -1263,10 +1261,8 @@ static DisasJumpType help_branch(DisasContext *s, 
DisasCompare *c,
 TCGv_i64 z = tcg_constant_i64(0);
 tcg_gen_setcond_i32(c->cond, t0, c->u.s32.a, c->u.s32.b);
 tcg_gen_extu_i32_i64(t1, t0);
-tcg_temp_free_i32(t0);
 tcg_gen_movcond_i64(TCG_COND_NE, psw_addr, t1, z, cdest, next);
 per_branch_cond(s, TCG_COND_NE, t1, z);
-tcg_temp_free_i64(t1);
 }
 
 ret = DISAS_PC_UPDATED;
@@ -1525,7 +1521,6 @@ static void save_link_info(DisasContext *s, DisasOps *o)
 tcg_gen_extu_i32_i64(t, cc_op);
 tcg_gen_shli_i64(t, t, 28);
 tcg_gen_or_i64(o->out, o->out, t);
-tcg_temp_free_i64(t);
 }
 
 static DisasJumpType op_bal(DisasContext *s, DisasOps *o)
@@ -1589,7 +1584,6 @@ static DisasJumpType op_bct32(DisasContext *s, DisasOps 
*o)
 c.u.s32.a = tcg_temp_new_i32();
 c.u.s32.b = tcg_constant_i32(0);
 tcg_gen_extrl_i64_i32(c.u.s32.a, t);
-tcg_temp_free_i64(t);
 
 return help_branch(s, &c, is_imm, imm, o->in2);
 }
@@ -1611,7 +1605,6 @@ static DisasJumpType op_bcth(DisasContext *s, DisasOps *o)
 c.u.s32.a = tcg_temp_new_i32();
 c.u.s32.b = tcg_constant_i32(0);
 tcg_gen_extrl_i64_i32(c.u.s32.a, t);
-tcg_temp_free_i64(t);
 
 return help_branch(s, &c, 1, imm, o->in2);
 }
@@ -1652,7 +1645,6 @@ static DisasJumpType op_bx32(DisasContext *s, DisasOps *o)
 tcg_gen_extrl_i64_i32(c.u.s32.a, t);
 tcg_gen_extrl_i64_i32(c.u.s32.b, regs[r3 | 1]);
 store_reg32_i64(r1, t);
-tcg_temp_free_i64(t);
 
 return help_branch(s, &c, is_imm, imm, o->in2);
 }
@@ -1971,11 +1963,9 @@ static DisasJumpType op_cksm(DisasContext *s, DisasOps 
*o)
 gen_helper_cksm(pair, cpu_env, o->in1, o->in2, regs[r2 + 1]);
 set_cc_static(s);
 tcg_gen_extr_i128_i64(o->out, len, pair);
-tcg_temp_free_i128(pair);
 
 tcg_gen_add_i64(regs[r2], regs[r2], len);
 tcg_gen_sub_i64(regs[r2 + 1], regs[r2 + 1], len);
-tcg_temp_free_i64(len);
 
 return DISAS_NEXT;
 }
@@ -2077,7 +2067,6 @@ static DisasJumpType op_clm(DisasContext *s, DisasOps *o)
 tcg_gen_extrl_i64_i32(t1, o->in1);
 gen_helper_clm(cc_op, cpu_env, t1, m3, o->in2);
 set_cc_static(s);
-tcg_temp_free_i32(t1);
 return DISAS_NEXT;
 }
 
@@ -2087,7 +2076,6 @@ static DisasJumpType op_clst(DisasContext *s, DisasOps *o)
 
 gen_helper_clst(pair, cpu_env, regs[0], o->in1, o->in2);
 tcg_gen_extr_i128_i64(o->in2, o->in1, pair);
-tcg_temp_free_i128(pair);
 
 set_cc_static(s);
 return DISAS_NEXT;
@@ -2099,7 +2087,6 @@ static DisasJumpType op_cps(DisasContext *s, DisasOps *o)
 tcg_gen_andi_i64(t, o->in1, 0x8000ull);
 tcg_gen_andi_i64(o->out, o->in2, 0x7fffull);
 tcg_gen_or_i64(o->out, o->out, t);
-tcg_temp_free_i64(t);
 return DISAS_NEXT;
 }
 
@@ -2115,14 +2102,12 @@ static DisasJumpType op_cs(DisasContext *s, DisasOps *o)
 addr = get_address(s, 0, b2, d2);
 tcg_gen_atomic_cmpxchg_i64(o->out, addr, o->in2, o->in1,
get_mem_index(s), s->insn->data | MO_ALIGN);
-tcg_temp_free_i64(addr);
 
 /* Are the memory and expected values (un)equal?  Note that this setcond
produces the output CC value, thus the NE sense of the test.  */
 cc = tcg_temp_new_i64();
 tcg_gen_setcond_i64(TCG_COND_NE, cc, o->in2, o->out);
 tcg_gen_extrl_i64_i32(cc_op, cc);
-tcg_temp_free_i64(cc);
 set_cc_static(s);
 
 return DISAS_NEXT;
@@ -2182,7 +2167,6 @@ static DisasJumpType op_csp(DisasContext *s, DisasOps *o)
 tcg_gen_andi_i64(addr, o->in2, -1ULL << (mop & MO_SIZE));
 tcg_gen_atomic_cmpxchg_i64(old, addr, o->in1, o->out2,
get_mem_index(s), mop | MO_ALIGN);
-tcg_temp_free_i64(addr);
 
 /* Are the memory and expected values (un)equal?  */
 cc = tcg_temp_new_i64();
@@ -2196,14 +2180,12 @@ static DisasJumpType op_csp(DisasContext *s, DisasOps 
*o)
 } else {
 tcg_gen_mov_i64(o->out, old);
 }
-tcg_temp_free_i64(old);
 
 /* If the comparison was equal, and the LSB of R2 was set,
then we need to flush the TLB (for all cpus).  */
 tcg_gen_xori_i64(cc, cc, 1);
 tcg_gen_and_i64(cc, cc, o->in2);
 tcg_gen_brcondi_i64(TCG_COND

[PATCH v3 07/20] target/mips: Drop tcg_temp_free from octeon_translate.c

2023-03-04 Thread Richard Henderson
Translators are no longer required to free tcg temporaries.

Signed-off-by: Richard Henderson 
---
Cc: Philippe Mathieu-Daudé 
Cc: Aurelien Jarno 
Cc: Jiaxun Yang 
Cc: Aleksandar Rikalo 
---
 target/mips/tcg/octeon_translate.c | 23 ---
 1 file changed, 23 deletions(-)

diff --git a/target/mips/tcg/octeon_translate.c 
b/target/mips/tcg/octeon_translate.c
index 6a207d2e7e..103c304d10 100644
--- a/target/mips/tcg/octeon_translate.c
+++ b/target/mips/tcg/octeon_translate.c
@@ -40,8 +40,6 @@ static bool trans_BBIT(DisasContext *ctx, arg_BBIT *a)
 ctx->hflags |= MIPS_HFLAG_BC;
 ctx->btarget = ctx->base.pc_next + 4 + a->offset * 4;
 ctx->hflags |= MIPS_HFLAG_BDS32;
-
-tcg_temp_free(t0);
 return true;
 }
 
@@ -61,10 +59,6 @@ static bool trans_BADDU(DisasContext *ctx, arg_BADDU *a)
 
 tcg_gen_add_tl(t0, t0, t1);
 tcg_gen_andi_i64(cpu_gpr[a->rd], t0, 0xff);
-
-tcg_temp_free(t0);
-tcg_temp_free(t1);
-
 return true;
 }
 
@@ -83,10 +77,6 @@ static bool trans_DMUL(DisasContext *ctx, arg_DMUL *a)
 gen_load_gpr(t1, a->rt);
 
 tcg_gen_mul_i64(cpu_gpr[a->rd], t0, t1);
-
-tcg_temp_free(t0);
-tcg_temp_free(t1);
-
 return true;
 }
 
@@ -103,8 +93,6 @@ static bool trans_EXTS(DisasContext *ctx, arg_EXTS *a)
 gen_load_gpr(t0, a->rs);
 tcg_gen_sextract_tl(t0, t0, a->p, a->lenm1 + 1);
 gen_store_gpr(t0, a->rt);
-tcg_temp_free(t0);
-
 return true;
 }
 
@@ -121,8 +109,6 @@ static bool trans_CINS(DisasContext *ctx, arg_CINS *a)
 gen_load_gpr(t0, a->rs);
 tcg_gen_deposit_z_tl(t0, t0, a->p, a->lenm1 + 1);
 gen_store_gpr(t0, a->rt);
-tcg_temp_free(t0);
-
 return true;
 }
 
@@ -142,8 +128,6 @@ static bool trans_POP(DisasContext *ctx, arg_POP *a)
 }
 tcg_gen_ctpop_tl(t0, t0);
 gen_store_gpr(t0, a->rd);
-tcg_temp_free(t0);
-
 return true;
 }
 
@@ -167,10 +151,6 @@ static bool trans_SEQNE(DisasContext *ctx, arg_SEQNE *a)
 } else {
 tcg_gen_setcond_tl(TCG_COND_EQ, cpu_gpr[a->rd], t1, t0);
 }
-
-tcg_temp_free(t0);
-tcg_temp_free(t1);
-
 return true;
 }
 
@@ -194,8 +174,5 @@ static bool trans_SEQNEI(DisasContext *ctx, arg_SEQNEI *a)
 } else {
 tcg_gen_setcondi_tl(TCG_COND_EQ, cpu_gpr[a->rt], t0, imm);
 }
-
-tcg_temp_free(t0);
-
 return true;
 }
-- 
2.34.1




[PATCH v3 08/20] target/mips: Drop tcg_temp_free from translate_addr_const.c

2023-03-04 Thread Richard Henderson
Translators are no longer required to free tcg temporaries.

Signed-off-by: Richard Henderson 
---
Cc: Philippe Mathieu-Daudé 
Cc: Aurelien Jarno 
Cc: Jiaxun Yang 
Cc: Aleksandar Rikalo 
---
 target/mips/tcg/translate_addr_const.c | 7 ---
 1 file changed, 7 deletions(-)

diff --git a/target/mips/tcg/translate_addr_const.c 
b/target/mips/tcg/translate_addr_const.c
index 96f483418e..a510da406c 100644
--- a/target/mips/tcg/translate_addr_const.c
+++ b/target/mips/tcg/translate_addr_const.c
@@ -30,10 +30,6 @@ bool gen_lsa(DisasContext *ctx, int rd, int rt, int rs, int 
sa)
 tcg_gen_shli_tl(t0, t0, sa + 1);
 tcg_gen_add_tl(cpu_gpr[rd], t0, t1);
 tcg_gen_ext32s_tl(cpu_gpr[rd], cpu_gpr[rd]);
-
-tcg_temp_free(t1);
-tcg_temp_free(t0);
-
 return true;
 }
 
@@ -54,8 +50,5 @@ bool gen_dlsa(DisasContext *ctx, int rd, int rt, int rs, int 
sa)
 gen_load_gpr(t1, rt);
 tcg_gen_shli_tl(t0, t0, sa + 1);
 tcg_gen_add_tl(cpu_gpr[rd], t0, t1);
-tcg_temp_free(t1);
-tcg_temp_free(t0);
-
 return true;
 }
-- 
2.34.1




Re: [PATCH v2] tcg: Include "qemu/timer.h" for profile_getclock

2023-03-04 Thread Richard Henderson

On 3/3/23 00:49, Richard W.M. Jones wrote:

When CONFIG_PROFILER is set there are various undefined references to
profile_getclock.  Include the header which defines this function.

For example:

../tcg/tcg.c: In function ‘tcg_gen_code’:
../tcg/tcg.c:4905:51: warning: implicit declaration of function 
‘profile_getclock’ [-Wimplicit-function-declaration]
  4905 | qatomic_set(&prof->opt_time, prof->opt_time - profile_getclock());
   |   ^~~~

Thanks: Philippe Mathieu-Daudé
Signed-off-by: Richard W.M. Jones
---
  accel/tcg/tcg-accel-ops.c | 1 +
  accel/tcg/translate-all.c | 1 +
  softmmu/runstate.c| 1 +
  tcg/tcg.c | 1 +
  4 files changed, 4 insertions(+)


Reviewed-by: Richard Henderson 

And queued to tcg-next.


r~



Re: [PATCH 1/2] tcg: Link branches to the labels

2023-03-04 Thread Richard Henderson

On 3/3/23 15:26, Taylor Simpson wrote:

+/* Generic ops.  */
+
+static void last_is_label_use(TCGLabel *l) {


It would be more clear to name this function "add_label_use".


I've used "add_last_as_label_use" to emphasize where the use is coming from.
Thanks.

r~




Re: [PATCH 0/2] tcg: Merge two sequential labels

2023-03-04 Thread Richard Henderson

On 3/3/23 16:27, Taylor Simpson wrote:

You need this series of patches to see this pattern from Hexagon
https://patchew.org/QEMU/20230131225647.25274-1-tsimp...@quicinc.com/

I have an update to that series for your tcg_temp_local_* series, but I'm 
wondering if I should wait for your tcg_temp_free patches to land first.  
Please advise.


I'm hoping to get the tcg_temp_free patches in asap, as the potential conflicts are 
legion.  Thanks for the test pointer and quick review.



r~



Re: [PULL 14/53] virtio-rng-pci: fix transitional migration compat for vectors

2023-03-04 Thread Michael Tokarev

02.03.2023 11:25, Michael S. Tsirkin wrote:

From: "Dr. David Alan Gilbert" 

In bad9c5a516 ("virtio-rng-pci: fix migration compat for vectors") I
fixed the virtio-rng-pci migration compatibility, but it was discovered
that we also need to fix the other aliases of the device for the
transitional cases.

Fixes: 9ea02e8f1 ('virtio-rng-pci: Allow setting nvectors, so we can use MSI-X')
bz: https://bugzilla.redhat.com/show_bug.cgi?id=2162569
Signed-off-by: Dr. David Alan Gilbert 
Message-Id: <20230207174944.138255-1-dgilb...@redhat.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
  hw/core/machine.c | 2 ++
  1 file changed, 2 insertions(+)

diff --git a/hw/core/machine.c b/hw/core/machine.c
index f29e700ee4..1cf6822e06 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -47,6 +47,8 @@ const size_t hw_compat_7_2_len = G_N_ELEMENTS(hw_compat_7_2);
  GlobalProperty hw_compat_7_1[] = {
  { "virtio-device", "queue_reset", "false" },
  { "virtio-rng-pci", "vectors", "0" },
+{ "virtio-rng-pci-transitional", "vectors", "0" },
+{ "virtio-rng-pci-non-transitional", "vectors", "0" },
  };
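Review bot: The two added entries in hw_compat_7_1 repeat the "vectors", "0" setting for the -transitional and -non-transitional aliases with no comment explaining why the existing "virtio-rng-pci" entry does not cover them. A short comment above the three lines saying that each alias has to be listed separately would keep the next alias from being missed, which is the mistake the commit message says the earlier fix made.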


If we consider this one for 7.2 stable, the previous change here, which
added "virtio-rng-pci" right before the lines being added, should also
be picked up, which is bad9c5a5166fd5e3a892b7b0477cf2f4bd3a959a:
 From: "Dr. David Alan Gilbert" 
 Date: Mon, 9 Jan 2023 10:58:09 +
 Subject: virtio-rng-pci: fix migration compat for vectors

Should the two both be included in -stable, or both omitted?

Thanks,

/mjt



Re: [PATCH v5] Emulate dip switch language layout settings on SUN keyboard

2023-03-04 Thread Henrik Carlqvist
On Wed, 1 Mar 2023 11:52:42 +
Mark Cave-Ayland  wrote:
> I've done a quick grep for similar examples for serial devices that use
> keyboard_layout but it looks like this would be the first. 

Thanks again for your reply!

It is probably not a very common solution with hardware in the keyboard
telling the computer about its language layout. Maybe it is even less common
with such hardware possible to adjust with a dip switch to choose language
layout. But that was the solution Sun selected for their keyboards back in the
days and back then (and even still today) it was common for keyboards to
communicate with the computer by some kind of serial interface.

> My first instinct is that you'd want to make this a device property that is
> configured during machine init using keyboard_layout (rather than using
> keyboard_layout directly),

If it does matter in any way, my patch will only at first call to the
sun_keyboard_layout_dip_switch function look at the keyboard_layout variable.
Once the static "ret" variable has gotten a valid value (the initial value
0xff is not valid for a 6-bit dip switch) the ret value assigned at the
initial call will be immediately returned without any more evaluations of the
keyboard_layout string.

> but I'd be interested to hear what Paolo and Marc-André think about what the
> best approach should be.

As I found your latest reply only on
https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00097.html and
can't see the email addresses of any receiver of that post this reply does not
go to Paolo or Marc-André, only to you and the mailing list.

I must admit that I am not very familiar with qemu programming and device
properties. 

> Another aspect to consider is whether keyboard_layout should just use
> standard strings, in which case it may not make sense to accept numeric hex
> values. 

I agree that those standard strings will make most sense to most people.

However, as the choices of valid keyboard layouts are limited by the 64 values
allowed by the 6 bits on the dip switch I initially did choose to also truly
emulate the dip switch value as decimal or hexadecimal number to the -k
option. It might also be worth noting that the sun keyboard layouts have
multiple dip switch settings for a single language, probably with some minor
differences in keyboard layout or keyboard type. So both value 8 and 40 (0x28)
will give some Norwegian keyboard layout. If someone, for some reason, would
want to emulate for example one of the four possible US keyboard layouts (0x0,
0x1, 0x21 or 0x22) it would be harder to do without being able to give those
numerical values to the -k switch.

best regards Henrik
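
The parsing and latch-on-first-valid-value behaviour this message describes, as an added example that is not code from the patch. The function names and the name table are assumptions; only the numeric values (8, 0x28, 0x0, 0x1, 0x21, 0x22), the 6-bit range and the 0xff sentinel come from the message.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DIP_INVALID 0xffu  /* sentinel from the message: not a 6-bit value */
#define DIP_MAX     0x3fu  /* six switches give 0..63 */

/*
 * Constructed name table. The numeric values are ones the message lists
 * (8 and 0x28 Norwegian; 0x0, 0x1, 0x21, 0x22 US); which value a name
 * selects is an assumption made for this example.
 */
static const struct {
    const char *name;
    uint8_t dip;
} layout_names[] = {
    { "en-us", 0x21 },
    { "no",    0x28 },
};

/* Map a -k style argument to a dip switch value, or DIP_INVALID. */
uint8_t parse_dip_switch(const char *arg)
{
    char *end;
    unsigned long v;
    int base = 10;
    size_t i;

    if (arg == NULL || arg[0] == '\0') {
        return DIP_INVALID;
    }
    for (i = 0; i < sizeof(layout_names) / sizeof(layout_names[0]); i++) {
        if (strcmp(arg, layout_names[i].name) == 0) {
            return layout_names[i].dip;
        }
    }
    /* strtoul() would skip whitespace and accept a sign; refuse both. */
    if (arg[0] < '0' || arg[0] > '9') {
        return DIP_INVALID;
    }
    /* Only decimal and 0x-prefixed hex: "010" is ten, never octal eight. */
    if (arg[0] == '0' && (arg[1] == 'x' || arg[1] == 'X')) {
        base = 16;
    }
    errno = 0;
    v = strtoul(arg, &end, base);
    /* Reject overflow, trailing junk and anything above six bits. */
    if (errno != 0 || end == arg || *end != '\0' || v > DIP_MAX) {
        return DIP_INVALID;
    }
    return (uint8_t)v;
}

/*
 * Latch the first valid value, as the message describes for the static
 * "ret" variable. An invalid argument is not latched (an assumption of
 * this example), so a later call can still supply a valid one.
 */
uint8_t dip_switch_cached(const char *arg)
{
    static uint8_t ret = DIP_INVALID;

    if (ret != DIP_INVALID) {
        return ret;  /* already latched: arg is not evaluated again */
    }
    ret = parse_dip_switch(arg);
    return ret;
}

int main(void)
{
    /* Constructed sample arguments. */
    const char *samples[] = { "no", "8", "0x22", "010", "64", "-1", "12abc" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-6s -> 0x%02x\n", samples[i],
               (unsigned)parse_dip_switch(samples[i]));
    }
    return 0;
}
```
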



Re: [PATCH v3 03/20] target/mips: Drop tcg_temp_free from mips16e_translate.c.inc

2023-03-04 Thread Jiaxun Yang



> On 4 March 2023, at 18:18, Richard Henderson wrote:
> 
> Translators are no longer required to free tcg temporaries.
> 
> Signed-off-by: Richard Henderson 

Reviewed-by: Jiaxun Yang 

Thanks.

> ---
> 2.34.1
> 




[PATCH v2 1/2] hw/misc: Add MIPS Trickbox device

2023-03-04 Thread Jiaxun Yang
MIPS Trickbox is an emulated device present in MIPS's IASIM simulator
for decades. It's capable of managing simulator status, signaling
interrupts, doing DMA and EJTAG signal stimulations.

For now we just use definition of this device and implement power
management related functions.

Signed-off-by: Jiaxun Yang 
---
v1: Rewording commit message
---
 hw/misc/Kconfig |  3 +
 hw/misc/meson.build |  1 +
 hw/misc/mips_trickbox.c | 97 +
 hw/misc/trace-events|  4 ++
 include/hw/misc/mips_trickbox.h | 41 ++
 5 files changed, 146 insertions(+)
 create mode 100644 hw/misc/mips_trickbox.c
 create mode 100644 include/hw/misc/mips_trickbox.h

diff --git a/hw/misc/Kconfig b/hw/misc/Kconfig
index 2ef5781ef87b..9f09da23c191 100644
--- a/hw/misc/Kconfig
+++ b/hw/misc/Kconfig
@@ -85,6 +85,9 @@ config STM32F4XX_EXTI
 config MIPS_ITU
 bool
 
+config MIPS_TRICKBOX
+bool
+
 config MPS2_FPGAIO
 bool
 select LED
diff --git a/hw/misc/meson.build b/hw/misc/meson.build
index fe869b98ca4d..1b58fd7df7b2 100644
--- a/hw/misc/meson.build
+++ b/hw/misc/meson.build
@@ -134,6 +134,7 @@ specific_ss.add(when: 'CONFIG_MAC_VIA', if_true: 
files('mac_via.c'))
 
 specific_ss.add(when: 'CONFIG_MIPS_CPS', if_true: files('mips_cmgcr.c', 
'mips_cpc.c'))
 specific_ss.add(when: 'CONFIG_MIPS_ITU', if_true: files('mips_itu.c'))
+specific_ss.add(when: 'CONFIG_MIPS_TRICKBOX', if_true: 
files('mips_trickbox.c'))
 
 softmmu_ss.add(when: 'CONFIG_SBSA_REF', if_true: files('sbsa_ec.c'))
 
diff --git a/hw/misc/mips_trickbox.c b/hw/misc/mips_trickbox.c
new file mode 100644
index ..20349b774b2f
--- /dev/null
+++ b/hw/misc/mips_trickbox.c
@@ -0,0 +1,97 @@
+/*
+ * SPDX-License-Identifier: LGPL-2.0-or-later
+ *
+ * MIPS Trickbox
+ */
+
+#include "qemu/osdep.h"
+#include "hw/sysbus.h"
+#include "qapi/error.h"
+#include "qemu/log.h"
+#include "qemu/module.h"
+#include "trace.h"
+#include "sysemu/runstate.h"
+#include "hw/misc/mips_trickbox.h"
+
+static uint64_t mips_trickbox_read(void *opaque, hwaddr addr, unsigned int 
size)
+{
+uint64_t value = 0;
+
+qemu_log_mask(LOG_UNIMP,
+"%s: unimplemented register read 0x%02"HWADDR_PRIx"\n",
+__func__, addr);
+trace_mips_trickbox_read(size, value);
+
+return 0;
+}
+
+static void mips_trickbox_write(void *opaque, hwaddr addr,
+   uint64_t val64, unsigned int size)
+{
+trace_mips_trickbox_write(size, val64);
+
+switch (addr) {
+case REG_SIM_CMD:
+switch (val64 & 0x) {
+case TRICK_PANIC:
+qemu_system_shutdown_request(SHUTDOWN_CAUSE_GUEST_PANIC);
+break;
+case TRICK_HALT:
+qemu_system_shutdown_request(SHUTDOWN_CAUSE_GUEST_SHUTDOWN);
+break;
+case TRICK_SUSPEND:
+qemu_system_suspend_request();
+break;
+case TRICK_RESET:
+qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
+break;
+case TRICK_PASS_MIPS:
+case TRICK_PASS_NANOMIPS:
+exit(EXIT_SUCCESS);
+break;
+case TRICK_FAIL_MIPS:
+case TRICK_FAIL_NANOMIPS:
+exit(EXIT_FAILURE);
+break;
+}
+break;
+default:
+qemu_log_mask(LOG_UNIMP,
+  "%s: unimplemented register write 0x%02"HWADDR_PRIx"\n",
+  __func__, addr);
+break;
+}
+}
+
+static const MemoryRegionOps mips_trickbox_ops = {
+.read = mips_trickbox_read,
+.write = mips_trickbox_write,
+.endianness = DEVICE_NATIVE_ENDIAN,
+.valid = {
+.min_access_size = 2,
+.max_access_size = 4
+}
+};
+
+static void mips_trickbox_init(Object *obj)
+{
+MIPSTrickboxState *s = MIPS_TRICKBOX(obj);
+
+memory_region_init_io(&s->mmio, obj, &mips_trickbox_ops, s,
+  TYPE_MIPS_TRICKBOX, 0x100);
+sysbus_init_mmio(SYS_BUS_DEVICE(obj), &s->mmio);
+}
+
+static const TypeInfo mips_trickbox_info = {
+.name  = TYPE_MIPS_TRICKBOX,
+.parent= TYPE_SYS_BUS_DEVICE,
+.instance_size = sizeof(MIPSTrickboxState),
+.instance_init = mips_trickbox_init,
+};
+
+static void mips_trickbox_register_types(void)
+{
+type_register_static(&mips_trickbox_info);
+}
+
+type_init(mips_trickbox_register_types)
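Review bot: In mips_trickbox_read() and mips_trickbox_write() the trace calls pass `size` as their first argument, but the trace events added by this patch declare that argument as `uint64_t addr`. Pass `addr`, so the trace shows which register was accessed. In the REG_SIM_CMD switch, the PASS and FAIL cases call exit() straight from the MMIO write handler, so a single guest write terminates the QEMU process without going through the qemu_system_*_request() path the other commands use; please either route these through a shutdown request or document why an immediate exit is wanted. The inner switch also has no default case, so unknown commands are dropped silently where a LOG_GUEST_ERROR message would help, and mips_trickbox_read() sets `value` but then returns a literal 0.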
diff --git a/hw/misc/trace-events b/hw/misc/trace-events
index c47876a90262..8603cf0d5ad2 100644
--- a/hw/misc/trace-events
+++ b/hw/misc/trace-events
@@ -279,3 +279,7 @@ virt_ctrl_instance_init(void *dev) "ctrl: %p"
 lasi_chip_mem_valid(uint64_t addr, uint32_t val) "access to addr 0x%"PRIx64" 
is %d"
 lasi_chip_read(uint64_t addr, uint32_t val) "addr 0x%"PRIx64" val 0x%08x"
 lasi_chip_write(uint64_t addr, uint32_t val) "addr 0x%"PRIx64" val 0x%08x"
+
+# mips_trickbox.c
+mips_trickbox_read(uint64_t addr, uint32_t val) "addr 0x%"PRIx64" val 0x%08x"
+mips_trickbox_write(uint64_t addr, u

[PATCH v2 2/2] hw/mips: Add MIPS virt board

2023-03-04 Thread Jiaxun Yang
MIPS virt board is designed to utilize existing VirtIO infrastructure
but is also compatible with MIPS's existing internal simulation tools.

It includes virtio-pci, virtio-mmio, pcie gpex, flash rom, fw_cfg,
goldfish-rtc and MIPS CPS system.

It should be able to cooperate with any MIPS CPU cores.

Signed-off-by: Jiaxun Yang 
---
v1:
 - Rename to virt board
 - Convert BIOS flash to ROM
 - Cleanups
v2:
 - Fix fdt flash
 - Remove UP variant
---
 MAINTAINERS |   7 +
 configs/devices/mips-softmmu/common.mak |   1 +
 docs/system/target-mips.rst |  22 +
 hw/mips/Kconfig |  17 +
 hw/mips/meson.build |   1 +
 hw/mips/virt.c  | 916 
 6 files changed, 964 insertions(+)
 create mode 100644 hw/mips/virt.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 9adb6286279d..6884eaa78a76 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1296,6 +1296,13 @@ F: hw/mips/boston.c
 F: hw/pci-host/xilinx-pcie.c
 F: include/hw/pci-host/xilinx-pcie.h
 
+Virt
+M: Jiaxun Yang 
+S: Maintained
+F: hw/mips/virt.c
+F: hw/misc/mips_trickbox.c
+F: include/hw/misc/mips_trickbox.h
+
 OpenRISC Machines
 -
 or1k-sim
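Review bot: The new "Virt" entry claims hw/misc/mips_trickbox.c and include/hw/misc/mips_trickbox.h, but those files are created by patch 1/2, whose diffstat does not touch MAINTAINERS. Moving the two trickbox `F:` lines into patch 1 would avoid leaving the files unowned if the patches are applied or reverted separately. The entry also has no `F:` line for the docs/system/target-mips.rst text added by this patch.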
diff --git a/configs/devices/mips-softmmu/common.mak 
b/configs/devices/mips-softmmu/common.mak
index 7da99327a779..eb2c32b7c175 100644
--- a/configs/devices/mips-softmmu/common.mak
+++ b/configs/devices/mips-softmmu/common.mak
@@ -24,6 +24,7 @@ CONFIG_I8259=y
 CONFIG_MC146818RTC=y
 CONFIG_MIPS_CPS=y
 CONFIG_MIPS_ITU=y
+CONFIG_MIPS_VIRT=y
 CONFIG_MALTA=y
 CONFIG_PCNET_PCI=y
 CONFIG_MIPSSIM=y
diff --git a/docs/system/target-mips.rst b/docs/system/target-mips.rst
index 138441bdec1c..a11f08ab00a3 100644
--- a/docs/system/target-mips.rst
+++ b/docs/system/target-mips.rst
@@ -10,6 +10,8 @@ machine types are emulated:
 
 -  A generic ISA PC-like machine \"mips\"
 
+-  Generic Virtual Platform \"virt\"
+
 -  The MIPS Malta prototype board \"malta\"
 
 -  An ACER Pica \"pica61\". This machine needs the 64-bit emulator.
@@ -31,6 +33,26 @@ emulated:
 
 -  NE2000 network card
 
+The virt machine supports the following devices:
+
+- A range of MIPS CPUs, default is the P5600 (32-bit) or I6400 (64-bit)
+
+- MIPS CM (Coherence Manager)
+
+- CFI parallel NOR flash memory
+
+- 1 NS16550 compatible UART
+
+- 1 Google Goldfish RTC
+
+- 1 MIPS Trickbox device
+
+- 8 virtio-mmio transport devices
+
+- 1 generic PCIe host bridge
+
+- The fw_cfg device that allows a guest to obtain data from QEMU
+
 The Malta emulation supports the following devices:
 
 -  Core board with MIPS 24Kf CPU and Galileo system controller
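Review bot: The added device list uses "- " with a single space, while the existing items around it ("-  NE2000 network card", "-  Core board with ...") use "-  " with two spaces. Please match the surrounding list style so the file stays consistent. The list also advertises "CFI parallel NOR flash memory" while the v1 changelog says the BIOS flash was converted to ROM, so it is worth confirming that the documentation describes what the board instantiates.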
diff --git a/hw/mips/Kconfig b/hw/mips/Kconfig
index da3a37e215ec..8a753ec2aee2 100644
--- a/hw/mips/Kconfig
+++ b/hw/mips/Kconfig
@@ -59,5 +59,22 @@ config MIPS_BOSTON
 select AHCI_ICH9
 select SERIAL
 
+config MIPS_VIRT
+bool
+imply PCI_DEVICES
+imply VIRTIO_VGA
+imply TEST_DEVICES
+select MIPS_CPS
+select MIPS_TRICKBOX
+select SERIAL
+select FW_CFG_MIPS
+select GOLDFISH_RTC
+select PCI
+select PCI_EXPRESS_GENERIC_BRIDGE
+select PFLASH_CFI01
+select VIRTIO_MMIO
+select FW_CFG_DMA
+select PLATFORM_BUS
+
 config FW_CFG_MIPS
 bool
diff --git a/hw/mips/meson.build b/hw/mips/meson.build
index 900613fc087f..5670c939fa7b 100644
--- a/hw/mips/meson.build
+++ b/hw/mips/meson.build
@@ -1,6 +1,7 @@
 mips_ss = ss.source_set()
 mips_ss.add(files('bootloader.c', 'mips_int.c'))
 mips_ss.add(when: 'CONFIG_FW_CFG_MIPS', if_true: files('fw_cfg.c'))
+mips_ss.add(when: 'CONFIG_MIPS_VIRT', if_true: files('virt.c'))
 mips_ss.add(when: 'CONFIG_LOONGSON3V', if_true: files('loongson3_bootp.c', 
'loongson3_virt.c'))
 mips_ss.add(when: 'CONFIG_MALTA', if_true: files('malta.c'))
 mips_ss.add(when: 'CONFIG_MIPS_CPS', if_true: files('cps.c'))
diff --git a/hw/mips/virt.c b/hw/mips/virt.c
new file mode 100644
index ..e4359f930104
--- /dev/null
+++ b/hw/mips/virt.c
@@ -0,0 +1,916 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
+/*
+ * QEMU MIPS Virt Board
+ * Copyright (C) 2022 Jiaxun Yang 
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/units.h"
+#include "qemu/datadir.h"
+
+#include "chardev/char.h"
+#include "hw/block/flash.h"
+#include "hw/boards.h"
+#include "hw/char/serial.h"
+#include "hw/core/sysbus-fdt.h"
+#include "hw/display/ramfb.h"
+#include "hw/intc/goldfish_pic.h"
+#include "hw/loader-fit.h"
+#include "hw/loader.h"
+#include "hw/mips/bootloader.h"
+#include "hw/mips/cps.h"
+#include "hw/mips/cpudevs.h"
+#include "hw/mips/mips.h"
+#include "hw/misc/mips_trickbox.h"
+#include "hw/pci-host/gpex.h"
+#include "hw/pci/pci.h"
+#include "hw/platform-bus.h"
+#include "hw/qdev-clock.h"
+#include "hw/qdev-properties.h"
+#include "hw/rtc/goldfish_rtc.h"
+#include "hw/sysbus.h"
+#include "qapi/error.h"
+#include "qemu/error-report.h"
+#include "qemu/guest-random.h"
+#include "qemu/log.h"
+#include "sysemu/device_tree.h"
+#include "sysemu/kvm.h"
+#include "
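Review bot: The header of the new hw/mips/virt.c uses a `//` comment with LGPL-2.1-or-later, while hw/misc/mips_trickbox.c in patch 1/2 uses a `/* */` block with LGPL-2.0-or-later. Please pick one license identifier and one comment style for the two files of this series, or say in the commit message why they differ. The copyright line also says 2022 on a file posted in March 2023.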

[PATCH v2 0/2] MIPS Virt machine

2023-03-04 Thread Jiaxun Yang
Hi there,

This patchset is to add a new machine type for MIPS architecture, which
is purely a VirtIO machine.

It is designed to utilize existing VirtIO infrastructure but is also compatible
with MIPS's existing internal simulation tools.

It should be able to cooperate with any MIPS core and boot Generic MIPS
kernel.

Kernel patch available at: 
https://lore.kernel.org/linux-mips/20230304221524.47160-1-jiaxun.y...@flygoat.com/

Thanks

Jiaxun Yang (2):
  hw/misc: Add MIPS Trickbox device
  hw/mips: Add MIPS virt board

 MAINTAINERS |   7 +
 configs/devices/mips-softmmu/common.mak |   1 +
 docs/system/target-mips.rst |  22 +
 hw/mips/Kconfig |  17 +
 hw/mips/meson.build |   1 +
 hw/mips/virt.c  | 916 
 hw/misc/Kconfig |   3 +
 hw/misc/meson.build |   1 +
 hw/misc/mips_trickbox.c |  97 +++
 hw/misc/trace-events|   4 +
 include/hw/misc/mips_trickbox.h |  41 ++
 11 files changed, 1110 insertions(+)
 create mode 100644 hw/mips/virt.c
 create mode 100644 hw/misc/mips_trickbox.c
 create mode 100644 include/hw/misc/mips_trickbox.h

-- 
2.37.1 (Apple Git-137.1)




Re: [PATCH v2 0/2] QGA installer fixes

2023-03-04 Thread Brian Wiltse
Hello,

I think this patch is sufficient to remediate the privilege escalation via the
repair and catching the VSS com registration boxes that were being invoked
frivolously.


Long term the repair function not validating if the user has admin should be
addressed as well since there is still a potential for abuse. I don't see any
other easy privilege elevation vulns at the moment other than a potential
arbitrary file create where the creation of C:\programdata\qemu\qemu-ga.pid
could potentially be redirected via symbolic links to another file, but I
have not been able to find time to fully prove that out. If we could get wixl
support for the user privilege checks this would close abuse via the installer
repair.


Thanks,

Brian


From: Philippe Mathieu-Daudé
Sent: Thursday, March 2, 2023 5:06 AM
To: Brian Wiltse; Konstantin Kostiuk
Cc: qemu-devel@nongnu.org; Daniel P. Berrangé; Bin Meng; Stefan Weil;
Yonggang Luo; Markus Armbruster; Alex Bennée; Peter Maydell; Gerd Hoffmann;
Michael S. Tsirkin; Thomas Huth; Marc-André Lureau; Michael Roth;
Mauro Matteo Cascella; Yan Vugenfirer; Evgeny Iakovlev; Andrey Drobyshev;
Xuzhou Cheng
Subject: Re: [PATCH v2 0/2] QGA installer fixes

Hi Brian, Konstantin,

On 28/2/23 23:48, Brian Wiltse wrote:
> Microsoft has a list of best practices for MSI creation which covers
> custom actions
> https://learn.microsoft.com/en-us/windows/win32/msi/windows-installer-best-practices#if-you-use-custom-actions-follow-good-custom-action-practices.
> The change to the custom action from an interactive command shell to a
> silent invocation of rundll32.exe keeps the interactive shell from being
> easily caught and abused, but this does not fully solve the repair from being
> triggered from a non admin user. There is still the potential for abuse
> indirectly via attacks like the Mitre documented Hijack Execution Flow
> technique - Path Interception by PATH Environment Variable
> (https://attack.mitre.org/techniques/T1574/007/), or even the abuse of
> potential arbitrary folder creates, file writes and deletes in
> user-controlled areas such as C:\ProgramData.
>
> The Change button was removed from "Programs and Features", but the
> cached installer in c:\windows\installer can be leveraged directly to
> start a privileged repair with msiexec.exe as a non-administrative user.
> Ideally, the MSI would be compiled with the Privileged property
> https://learn.microsoft.com/en-us/windows/win32/msi/privileged or
> AdminUser property
> https://learn.microsoft.com/en-us/windows/win32/msi/adminuser or
> InstallPrivileges="Elevated"
> https://wixtoolset.org/docs/v3/xsd/wix/package/ or similar privilege
> check, which would help ensure the user has proper privileges to
> perform the repair or change action. However, since the QEMU build
> process leverages WiXL from msitools, many of the WiX property types are
> not currently supported to leverage as solutions ( i.e. (wixl:1077):
> GLib-GObject-WARNING **: 17:49:05.477: g_object_set_is_valid_property:
> object class 'WixlWixPackage' has no property named 'InstallPrivileges'
> ). This is similar to wixl issue 40
> https://gitlab.gnome.org/GNOME/msitools/-/issues/40.
>
> I do see that Wixl appears to support the custom action JScriptCall.
> This might provide a facility by which a script could be run to check if
> the user has the proper privileges before privileged actions are taken
> in the repair process, but this is not an ideal solution.

Does that mean this patchset is, although "not ideal", sufficient
to fix CVE-2023-0664? Or does this need more work?
(IOW, do we feel happy enough and want to merge this and forget about it?)

Konstantin, you use "Fixes: CVE-2023-0664" in two different patches.
I'm worried a downstream distrib only picks one and feels safe. Maybe
use something like "Fixes: CVE-2023-0664 (part 1 of 2)".
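
The quoted report names two places where a repair running with elevated rights can be steered by an unprivileged user: directories on the search path and user-writable areas such as C:\ProgramData. The following audit is an added example, not code from this thread or from QEMU; the function name `Get-WeakDirectoryAce`, the list of trusted SIDs and the set of rights treated as "write" are assumptions.

```powershell
# Added audit sketch: list ACEs that let a non-administrative principal create,
# write or delete files in a directory. C:\ProgramData\qemu is the path named in
# the thread; the trusted SIDs and the rights mask below are assumptions.
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER (template ACE, resolved to the real owner on children)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
# DeleteSubdirectoriesAndFiles (0x40), GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000)
$writeMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000000 -bor 0x40000000

function Get-WeakDirectoryAce {
    param([string[]]$Path)
    foreach ($dir in $Path | Where-Object { $_ } | Select-Object -Unique) {
        $dir = [Environment]::ExpandEnvironmentVariables($dir)
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # Missing directory: report it so the parent's ACL can be reviewed.
            [pscustomobject]@{ Path = $dir; Principal = '(directory missing)'; Rights = $null }
            continue
        }
        $acl = Get-Acl -LiteralPath $dir
        # Ask for SIDs rather than names so the check works on localized systems.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
                [pscustomobject]@{
                    Path      = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

# Machine-wide PATH entries plus the guest agent's data directory.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';'
Get-WeakDirectoryAce -Path (@('C:\ProgramData\qemu') + $machinePath) | Format-Table -AutoSize
```

Any row whose principal is a user or a broad group such as Users or Authenticated Users marks a directory that should be tightened before a privileged process reads from or writes to it.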


Re: [PATCH v6 3/7] hw/isa/vt82c686: Implement PCI IRQ routing

2023-03-04 Thread Bernhard Beschow



On 4 March 2023 14:48:20 UTC, BALATON Zoltan wrote:
>The real VIA south bridges implement a PCI IRQ router which is configured
>by the BIOS or the OS. In order to respect these configurations, QEMU
>needs to implement it as well. The real chip may allow routing IRQs from
>internal functions independently of PCI interrupts but since guests
>usually configure it to a single shared interrupt we don't model that
>here for simplicity.
>
>Note: The implementation was taken from piix4_set_irq() in hw/isa/piix4.
>
>Suggested-by: Bernhard Beschow 
>Signed-off-by: BALATON Zoltan 
>Tested-by: Rene Engel 
>---
> hw/isa/vt82c686.c | 38 ++
> 1 file changed, 38 insertions(+)
>
>diff --git a/hw/isa/vt82c686.c b/hw/isa/vt82c686.c
>index f4c40965cd..51c0dd4c41 100644
>--- a/hw/isa/vt82c686.c
>+++ b/hw/isa/vt82c686.c
>@@ -598,6 +598,42 @@ void via_isa_set_irq(PCIDevice *d, int n, int level)
> qemu_set_irq(s->isa_irqs_in[n], level);
> }
> 
>+static int via_isa_get_pci_irq(const ViaISAState *s, int irq_num)
>+{
>+switch (irq_num) {
>+case 0:
>+return s->dev.config[0x55] >> 4;
>+case 1:
>+return s->dev.config[0x56] & 0xf;
>+case 2:
>+return s->dev.config[0x56] >> 4;
>+case 3:
>+return s->dev.config[0x57] >> 4;
>+}
>+return 0;
>+}
>+
>+static void via_isa_set_pci_irq(void *opaque, int irq_num, int level)
>+{
>+ViaISAState *s = opaque;
>+PCIBus *bus = pci_get_bus(&s->dev);
>+int i, pic_level, pic_irq = via_isa_get_pci_irq(s, irq_num);
>+
>+if (unlikely(pic_irq == 0 || pic_irq == 2 || pic_irq > 14)) {

In the previous iteration I already mentioned this: Why "pic_irq > 14"? Please 
either remove or put a comment in the code since the datasheet allows it. 
Otherwise this leads to hard to comprehend and therefore hard to maintain code.

Moreover, "pic_irq == 2" is reserved which we should log a guest error for.
Otherwise, misbehaving guests will go unnoticed, which is exactly what guest
errors should prevent. Also, logging a guest error here makes the code more
self-documenting.

Note that excess logging can always be filtered out using grep.

Best regards,
Bernhard

>+return;
>+}
>+
>+/* The pic level is the logical OR of all the PCI irqs mapped to it. */
>+pic_level = 0;
>+for (i = 0; i < PCI_NUM_PINS; i++) {
>+if (pic_irq == via_isa_get_pci_irq(s, i)) {
>+pic_level |= pci_bus_get_irq_level(bus, i);
>+}
>+}
>+/* Now we change the pic irq level according to the via irq mappings. */
>+qemu_set_irq(s->isa_irqs_in[pic_irq], pic_level);
>+}
>+
> static void via_isa_realize(PCIDevice *d, Error **errp)
> {
> ViaISAState *s = VIA_ISA(d);
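
Review bot: via_isa_set_pci_irq() recomputes the ISA line only when a PCI pin changes level, so if the guest rewrites the routing registers 0x55-0x57 while a pin is asserted, nothing in this hunk lowers the previously selected isa_irqs_in[] line or raises the newly selected one. Consider re-evaluating all PCI_NUM_PINS pins from the config-write path for those registers, or document why stale levels cannot occur. Separately, via_isa_get_pci_irq() uses an uneven nibble layout (0x55 high, 0x56 low, 0x56 high, 0x57 high) with no comment; naming the datasheet registers next to each case would let a reader check it.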
>@@ -619,6 +655,8 @@ static void via_isa_realize(PCIDevice *d, Error **errp)
> i8254_pit_init(isa_bus, 0x40, 0, NULL);
> i8257_dma_init(isa_bus, 0);
> 
>+qdev_init_gpio_in_named(dev, via_isa_set_pci_irq, "pirq", PCI_NUM_PINS);
>+
> /* RTC */
> qdev_prop_set_int32(DEVICE(&s->rtc), "base_year", 2000);
> if (!qdev_realize(DEVICE(&s->rtc), BUS(isa_bus), errp)) {
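
Review bot: the "pirq" inputs registered by the qdev_init_gpio_in_named() call in via_isa_realize() have no comment saying which index corresponds to which PCI pin or who is expected to connect them, and nothing else in this patch uses them. Add a short comment at the call stating the index convention, matching the irq_num cases in via_isa_get_pci_irq(), so later patches in the series wire the internal functions consistently.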



Re: [PATCH v6 5/7] hw/usb/vt82c686-uhci-pci: Use PCI IRQ routing

2023-03-04 Thread Bernhard Beschow



On 4 March 2023 14:48:23 UTC, BALATON Zoltan wrote:
>From: Bernhard Beschow 
>
>According to the PCI specification, PCI_INTERRUPT_LINE shall have no
>effect on hardware operations. Now that the VIA south bridges implement
>the internal PCI interrupt router let's be more conformant to the PCI
>specification.
>
>Signed-off-by: Bernhard Beschow 
>Signed-off-by: BALATON Zoltan 
>Tested-by: Rene Engel 

Reviewed-by: Mark Cave-Ayland 

See https://lore.kernel.org/qemu-devel/69ca8f8f-7b6c-f746-c414-1f121a31e...@ilande.co.uk/

>---
> hw/usb/vt82c686-uhci-pci.c | 12 
> 1 file changed, 12 deletions(-)
>
>diff --git a/hw/usb/vt82c686-uhci-pci.c b/hw/usb/vt82c686-uhci-pci.c
>index 46a901f56f..b4884c9011 100644
>--- a/hw/usb/vt82c686-uhci-pci.c
>+++ b/hw/usb/vt82c686-uhci-pci.c
>@@ -1,17 +1,7 @@
> #include "qemu/osdep.h"
>-#include "hw/irq.h"
> #include "hw/isa/vt82c686.h"
> #include "hcd-uhci.h"
> 
>-static void uhci_isa_set_irq(void *opaque, int irq_num, int level)
>-{
>-UHCIState *s = opaque;
>-uint8_t irq = pci_get_byte(s->dev.config + PCI_INTERRUPT_LINE);
>-if (irq > 0 && irq < 15) {
>-via_isa_set_irq(pci_get_function_0(&s->dev), irq, level);
>-}
>-}
>-
> static void usb_uhci_vt82c686b_realize(PCIDevice *dev, Error **errp)
> {
> UHCIState *s = UHCI(dev);
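
Review bot: with uhci_isa_set_irq() removed, this file no longer calls via_isa_set_irq(), so the retained #include "hw/isa/vt82c686.h" at the top should be checked: keep it only if something else in the file (for example the device type name) still needs it, in the same way "hw/irq.h" is dropped here.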
>@@ -25,8 +15,6 @@ static void usb_uhci_vt82c686b_realize(PCIDevice *dev, Error 
>**errp)
> pci_set_long(pci_conf + 0xc0, 0x2000);
> 
> usb_uhci_common_realize(dev, errp);
>-object_unref(s->irq);
>-s->irq = qemu_allocate_irq(uhci_isa_set_irq, s, 0);
> }
> 
> static UHCIInfo uhci_info[] = {
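
Review bot: once the object_unref(s->irq) / qemu_allocate_irq() override is gone from usb_uhci_vt82c686b_realize(), interrupt delivery depends entirely on the south bridge router from patch 3/7, so a guest that only wrote PCI_INTERRUPT_LINE and never programmed the routing registers would stop receiving USB interrupts. The commit message should state that dependency and that this patch must not be applied or backported without the router patch.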



Re: [PATCH 00/12] Q35 PCI host fixes and QOM cleanup

2023-03-04 Thread Bernhard Beschow



On 2 March 2023 21:54:56 UTC, Bernhard Beschow wrote:
>
>
>On 1 March 2023 21:49:37 UTC, "Michael S. Tsirkin" wrote:
>>On Tue, Feb 21, 2023 at 03:39:28PM +, Bernhard Beschow wrote:
>>> 
>>> 
>>> On 14 February 2023 13:14:29 UTC, Bernhard Beschow wrote:
>>> >This series mostly cleans up QOM-related initialization code. It also
>>> >performs some modernization and fixing.
>>> >
>>> >The first patch originates from "PC and ICH9 clanups" series [1] which has
>>> >been dropped in v3 in favor of another series [2]. Review comments in [2]
>>> >suggest it needs more work, so bring the patch back here.
>>> >
>>> >Patch 2 fixes a clangd warning and patch 3 modernizes usage of the memory
>>> >API.
>>> >
>>> >Patches 4-9 clean up initialization code.
>>> >
>>> >The last four patches also clean up initialization code with the last patch
>>> >doing the actual cleanup.
>>> >
>>> 
>>> Ping
>>
>>
>>sent some comments.
>
>I'll look into it over the weekend. I'm quite busy right now.

Forgot to mention: v2 is out!

>
>Best regards,
>Bernhard
>
>>Philippe was reviewing related patches maybe
>>he wants to poke at these too.
>>
>>> >
>>> >Based-on: <20230213162004.2797-1-shen...@gmail.com>
>>> > "[PATCH v4 0/9] PC cleanups"
>>> >
>>> >Testing done:
>>> >* `make check`
>>> >* `make check-avocado`
>>> >* `qemu-system-x86_64 -M q35 -m 2G -cdrom \
>>> > manjaro-kde-21.3.2-220704-linux515.iso`
>>> >
>>> >[1] https://lore.kernel.org/qemu-devel/20230131115326.12454-1-shen...@gmail.com/
>>> >[2] https://lore.kernel.org/qemu-devel/20230203180914.49112-1-phi...@linaro.org/
>>> >
>>> >Bernhard Beschow (12):
>>> >  hw/i386/pc_q35: Resolve redundant q35_host variable
>>> >  hw/pci-host/q35: Fix contradicting .endianness assignment
>>> >  hw/pci-host/q35: Use memory_region_set_address() also for
>>> >    tseg_blackhole
>>> >  hw/pci-host/q35: Initialize PCMachineState::bus in board code
>>> >  hw/pci-host/q35: Initialize "bypass-iommu" property from board code
>>> >  hw/pci-host/q35: Initialize properties just once
>>> >  hw/pci-host/q35: Initialize PCI hole boundaries just once
>>> >  hw/pci-host/q35: Turn PCI hole properties into class properties
>>> >  hw/pci-host/q35: Rename local variable to more idiomatic "phb"
>>> >  hw/pci-host/q35: Propagate to errp rather than doing error_fatal
>>> >  hw/pci-host/q35: Merge mch_realize() into q35_host_realize()
>>> >  hw/pci-host/q35: Move MemoryRegion pointers to host device
>>> >
>>> > include/hw/pci-host/q35.h |  17 +-
>>> > hw/i386/pc_q35.c  |  33 ++--
>>> > hw/pci-host/q35.c | 325 ++
>>> > 3 files changed, 178 insertions(+), 197 deletions(-)
>>> >
>>> >-- 
>>> >2.39.1
>>> >
>>



Re: [PATCH v4 0/9] PC cleanups

2023-03-04 Thread Bernhard Beschow



On 13 February 2023 16:45:05 UTC, Bernhard Beschow wrote:
>
>
>On 13 February 2023 16:19:55 UTC, Bernhard Beschow wrote:
>>This series contains some cleanups I came across when working on the PC
>>machines. It consists of reducing the usage of global variables and
>>eliminating some redundancies.
>>
>>One notable change is that the SMRAM memory region gets moved from the i440fx
>>and q35 host bridges into the x86 machine. This will simplify cleaning up
>>these host bridges which will be done in a separate series. Note that the
>>movement of the SMRAM memory region apparently doesn't change migration ABI
>>for the pc and q35 machines (see below).
>>
>>Testing done:
>>* `make check`
>>* `make check-avocado`
>>* `qemu-system-x86_64 -M q35 -m 2G -cdrom \
>>   manjaro-kde-21.3.2-220704-linux515.iso`
>>* `qemu-system-x86_64 -M pc -m 2G -cdrom manjaro-kde-21.3.2-220704-linux515.iso`
>>* Confirm that JSON representation of migration files (pc & q35) are empty:
>>  1. Create four migration files {pc,q35}-{before,after}.mig by running
>>     `qemu-system-x86_64 -M {pc,q35} -S` with QEMU built from master and from
>>     this series.
>>  2. Run `./scripts/analyze-migration.py -d desc -f *.mig > *.json` on the
>>     four files
>>  3. Compare the diffs -> both are empty
>>
>>v4:
>>* Remove ram_memory variable in pc_q35 completely (Zoltan)
>>
>
>The last two patches still need review. Comments welcome!

Ping

Can we queue the reviewed patches (all but the last two) already?

Thanks,
Bernhard

>
>>
>>v3:
>>* Add three patches regarding init_pam() and SMRAM.
>>* Drop 'hw/i386/pc_q35: Resolve redundant q35_host variable' since Phil posted
>>  a similar patch in a more comprehensive series:
>>  https://lore.kernel.org/qemu-devel/20230203180914.49112-13-phi...@linaro.org/
>>* Drop 'hw/isa/lpc_ich9: Reuse memory and io address space of PCI bus' since
>>  it inadvertently changed the memory hierarchy.
>>* Drop ICH9 cleanups again in favor of a separate series.
>>
>>v2:
>>* Factor out 'hw/i386/pc_q35: Reuse machine parameter' from 'hw/i386/pc_q35:
>>  Resolve redundant q35_host variable' (Zoltan)
>>* Lower type of phb to Object in 'hw/i386/pc_q35: Resolve redundant q35_host
>>  variable' (Zoltan)
>>* Add ICH9 cleanups
>>
>>Bernhard Beschow (9):
>>  hw/pci-host/i440fx: Inline sysbus_add_io()
>>  hw/pci-host/q35: Inline sysbus_add_io()
>>  hw/i386/pc_q35: Reuse machine parameter
>>  hw/i386/pc_{q35,piix}: Reuse MachineClass::desc as SMB product name
>>  hw/i386/pc_{q35,piix}: Minimize usage of get_system_memory()
>>  hw/i386/pc: Initialize ram_memory variable directly
>>  hw/pci-host/pam: Make init_pam() usage more readable
>>  hw/i386/x86: Make TYPE_X86_MACHINE the owner of smram
>>  target/i386/tcg/sysemu/tcg-cpu: Avoid own opinion about smram size
>>
>> include/hw/i386/pc.h |  1 -
>> include/hw/i386/x86.h|  2 ++
>> include/hw/pci-host/i440fx.h |  7 ---
>> include/hw/pci-host/pam.h|  5 +++--
>> include/hw/pci-host/q35.h|  4 +++-
>> hw/i386/pc.c |  2 --
>> hw/i386/pc_piix.c| 10 +-
>> hw/i386/pc_q35.c | 17 +
>> hw/i386/x86.c|  4 
>> hw/pci-host/i440fx.c | 28 +---
>> hw/pci-host/pam.c| 12 ++--
>> hw/pci-host/q35.c| 31 ---
>> target/i386/tcg/sysemu/tcg-cpu.c |  3 +--
>> 13 files changed, 66 insertions(+), 60 deletions(-)
>>
>>-- 
>>2.39.1
>>