[Qemu-devel] Virtual IOMMU is working for Windows VM?

2018-10-21 Thread Jintack Lim
Hi,

I wonder if vIOMMU is working for Windows VM?

I tried it with v2.11.0, but it didn't seem to work. I assume that seaBIOS
sets IOMMU on by default as is the case when I launched a Linux VM. But I
might be missing something. Can somebody shed some light on it?

Thanks,
Jintack


Re: [Qemu-devel] [PATCH] vhost-scsi: prevent using uninitialized vqs

2018-10-21 Thread yuchenlin via Qemu-devel

Ping?

On 2018-10-12 17:07, yuchen...@synology.com wrote:

From: yuchenlin 

There are 3 virtqueues (ctrl, event and cmd) for virtio scsi device,
but seabios will only set the physical address for the 3rd one (cmd).
Then in vhost_virtqueue_start(), virtio_queue_get_desc_addr()
will be 0 for ctrl and event vq.

In this case, ctrl and event vq are not initialized.
vhost_verify_ring_mappings may use uninitialized vhost_virtqueue
such that vhost_verify_ring_part_mapping returns ENOMEM.

When we encountered this problem, we got the following logs:

qemu-system-x86_64: Unable to map available ring for ring 0
qemu-system-x86_64: Verify ring failure on region 0

Signed-off-by: Forrest Liu 
Signed-off-by: yuchenlin 
---
 hw/scsi/vhost-scsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/scsi/vhost-scsi.c b/hw/scsi/vhost-scsi.c
index becf550085..7f21b4f9d6 100644
--- a/hw/scsi/vhost-scsi.c
+++ b/hw/scsi/vhost-scsi.c
@@ -183,7 +183,7 @@ static void vhost_scsi_realize(DeviceState *dev,
Error **errp)
 }

 vsc->dev.nvqs = VHOST_SCSI_VQ_NUM_FIXED + vs->conf.num_queues;
-vsc->dev.vqs = g_new(struct vhost_virtqueue, vsc->dev.nvqs);
+vsc->dev.vqs = g_new0(struct vhost_virtqueue, vsc->dev.nvqs);
 vsc->dev.vq_index = 0;
 vsc->dev.backend_features = 0;
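Review bot: a one-line comment above the g_new0() would help future readers, because g_new -> g_new0 reads as cosmetic while it is load-bearing here: as the message says, seabios never sets a descriptor address for the ctrl and event vqs, so vhost_verify_ring_mappings() must see a zero-filled vhost_virtqueue rather than heap garbage. Something like `/* zero-init: ctrl/event vqs may never be started, vhost_verify_ring_mappings relies on it */` would tie the allocation to the reason, and the commit message could say explicitly that the ENOMEM from vhost_verify_ring_part_mapping is the symptom of reading uninitialized fields rather than a real mapping failure.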





Re: [Qemu-devel] [PATCH 7/7] vfio: platform: destory mutex in error path

2018-10-21 Thread Li Qiang
Hello Auger,

Auger Eric  于2018年10月20日周六 上午12:41写道:

> Hi Li,
>
> On 10/19/18 7:20 AM, Li Qiang wrote:
> > Signed-off-by: Li Qiang 
> > ---
> >  hw/vfio/platform.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/hw/vfio/platform.c b/hw/vfio/platform.c
> > index ba19143..e9d9e80 100644
> > --- a/hw/vfio/platform.c
> > +++ b/hw/vfio/platform.c
> > @@ -668,7 +668,7 @@ static void vfio_platform_realize(DeviceState *dev,
> Error **errp)
> >  error_setg(errp, "%s", gerr->message);
> >  g_error_free(gerr);
> >  g_free(path);
> > -return;
> > +goto out;
> You must set ret to != 0 otherwise the qemu_mutex_destroy will not be
> reached I think.

> Also this will fix the fact we are not prepending the
> vfio error prefix in that case, as we should.
>
> Besides I am unsure about the cleanup strategy in case or error in
> vfio_platform_realize(). The qemu process should always exit in case of
> failure in vfio_platform_realize(). Platform devices can only be
> cold-plugged through the qemu CLI.


Got this.


> Cleaning all the allocated resources
> may add a substantial amount of code.


Agree.


Thanks,
Li Qiang


> For instance resources allocated
> in vfio_base_device_init() are not freed either. Comprehensive free in
> realize() functions may only be needed in case of hotplug I think.
>
> Thanks
>
> Eric
> >  }
> >  g_free(path);
> >  vdev->compat = contents;
> > @@ -691,6 +691,8 @@ out:
> >  return;
> >  }
> >
> > +qemu_mutex_destroy(>intp_mutex);
> > +
> >  if (vdev->vbasedev.name) {
> >  error_prepend(errp, ERR_PREFIX, vdev->vbasedev.name);
> >  } else {
> >
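Review bot: the qemu_mutex_destroy() added after the `out:` label runs only on the error path, after the `return;` for the success case, so every path that reaches it must have passed qemu_mutex_init() for intp_mutex first. The first hunk redirects an earlier failure (the error_setg/g_free block) to `out`, so confirm the mutex is initialised before that point; destroying a mutex that was never initialised is undefined behaviour, which would trade a leak for a crash on the failure path.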
>


Re: [Qemu-devel] [PATCH] hw/arm/virt: remove unused header files

2018-10-21 Thread Hongbo Zhang
On 19 October 2018 at 19:59, Peter Maydell  wrote:
> On 19 October 2018 at 11:18, Hongbo Zhang  wrote:
>> Remove the unused header files, 'virt' can be compiled and run without
>> including them.
>>
>> Signed-off-by: Hongbo Zhang 
>> ---
>>  hw/arm/virt.c | 8 
>>  1 file changed, 8 deletions(-)
>>
>> diff --git a/hw/arm/virt.c b/hw/arm/virt.c
>> index 9f67782..f0066cb 100644
>> --- a/hw/arm/virt.c
>> +++ b/hw/arm/virt.c
>> @@ -30,9 +30,6 @@
>>
>>  #include "qemu/osdep.h"
>>  #include "qapi/error.h"
>> -#include "hw/sysbus.h"
>> -#include "hw/arm/arm.h"
>> -#include "hw/arm/primecell.h"
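Review bot: a clean build is not evidence that hw/sysbus.h and hw/arm/arm.h are unused, only that some other header currently includes them; the commit message should say which symbols from each dropped header were checked (for example by grepping virt.c for the identifiers each header declares). Unless that check comes back empty for sysbus.h and arm.h, keep those two and drop only primecell.h, which is the one the reviewer agrees provides nothing virt.c uses.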
>
> Dropping primecell.h makes sense, we don't use what it provides.
> But I suspect the others are "unused" only because some other
> header we include drags them in implicitly. I think it's better
> to explicitly include what we need, in case that other header
> changes in future.
>
> How did you determine which #includes to drop here?
>
Well, while I was working on the 'sbsa-ref' machine, I believed I
could remove some header files because I deleted some functions for
that platform, so I did.
Later I thought I could try removing part of what I did for
'sbsa-ref' from 'virt' too; tests showed me that 'virt' can be
compiled and run without them.

> thanks
> -- PMM



Re: [Qemu-devel] [PATCH v3 3/4] hw/arm: versal: Add a model of Xilinx Versal SoC

2018-10-21 Thread Peter Maydell
On 21 October 2018 at 20:24, Edgar E. Iglesias
 wrote:
> On Fri, Oct 19, 2018 at 03:18:24PM +0100, Peter Maydell wrote:
>> On 17 October 2018 at 22:39, Edgar E. Iglesias  
>> wrote:
>> > From: "Edgar E. Iglesias" 
>> >
>> > Add a model of Xilinx Versal SoC.
>> >
>> > Signed-off-by: Edgar E. Iglesias 
>> > ---
>> >  default-configs/aarch64-softmmu.mak |   1 +
>> >  hw/arm/Makefile.objs|   1 +
>> >  hw/arm/xlnx-versal.c| 324 
>> >  include/hw/arm/xlnx-versal.h| 122 +++
>> >  4 files changed, 448 insertions(+)
>> >  create mode 100644 hw/arm/xlnx-versal.c
>> >  create mode 100644 include/hw/arm/xlnx-versal.h
>>
>> > +if (!kvm_irqchip_in_kernel()) {
>> > +qdev_prop_set_bit(gicdev, "has-security-extensions", true);
>> > +}
>>
>> Do you really support KVM for this board/SoC ?
>>
>
>
> I haven't tried yet, so probably not, but KVM is something we'd like to 
> support further down the road...
> If you prefer, we can remove this kvm specific check for now though.

I think there's other things you need to do to support KVM
(for instance, you need to disable EL2 and EL3 on all the CPUs,
and you need to either handle a GICv2 or error out properly
if the host system doesn't have a GICv3), so maybe it would
be better to add support properly later. This isn't a subtle
check we'll forget to add in later either -- if you set
has-security-extensions on a KVM GICv3 then the device will
fail its 'realize' method with a suitable error.

...which leads me to notice that here:

+object_property_set_bool(OBJECT(>fpd.apu.gic), true, "realized", errp);

we capture the possible error from realize in errp, but we
don't actually check whether it failed, so the rest of the
function will plough ahead and try to wire up IRQs and
MemoryRegions that won't have been created.

thanks
-- PMM



Re: [Qemu-devel] [PATCH v3 2/2] slirp: Implement RFC2132 TFTP server name

2018-10-21 Thread Samuel Thibault
Hello,

Fam Zheng, le ven. 14 sept. 2018 15:26:16 +0800, a ecrit:
> This new usernet option can be used to add data for option 66 (tftp
> server name) in the BOOTP reply, which is useful in PXE based automatic
> OS install such as OpenBSD.

Applied to my tree, thanks!

Samuel



Re: [Qemu-devel] [PATCH v3 1/2] slirp: Add sanity check for str option length

2018-10-21 Thread Samuel Thibault
Hello,

Fam Zheng, le ven. 14 sept. 2018 15:26:15 +0800, a ecrit:
> When user provides a long domainname or hostname that doesn't fit in the
> DHCP packet, we mustn't overflow the response packet buffer. Instead,
> report errors, following the g_warning() in the slirp->vdnssearch
> branch.
> 
> Also check the strlen against 256 when initializing slirp, which limit
> is also from the protocol where one byte represents the string length.
> This gives an early error before the warning which is harder to notice
> or diagnose.

Applied to my tree, thanks!

Samuel



[Qemu-devel] [PULL 0/2] slirp updates

2018-10-21 Thread Samuel Thibault
The following changes since commit b312532fd03413d0e6ae6767ec793a3e30f487b8:

  Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging 
(2018-10-19 19:01:07 +0100)

are available in the Git repository at:

  https://people.debian.org/~sthibault/qemu.git tags/samuel-thibault

for you to fetch changes up to 0fca92b9077af9817c04545cdfc519fe95c6fde9:

  slirp: Implement RFC2132 TFTP server name (2018-10-21 21:24:55 +0200)


Fam Zheng (2):
  slirp: Add sanity check for str option length
  slirp: Implement RFC2132 TFTP server name



 net/slirp.c  | 21 +++--
 qapi/net.json|  5 -
 qemu-options.hx  |  7 ++-
 slirp/bootp.c| 45 +++--
 slirp/bootp.h|  1 +
 slirp/libslirp.h |  1 +
 slirp/slirp.c|  2 ++
 slirp/slirp.h|  1 +
 8 files changed, 69 insertions(+), 14 deletions(-)



Re: [Qemu-devel] [PATCH v3 3/4] hw/arm: versal: Add a model of Xilinx Versal SoC

2018-10-21 Thread Edgar E. Iglesias
On Fri, Oct 19, 2018 at 03:18:24PM +0100, Peter Maydell wrote:
> On 17 October 2018 at 22:39, Edgar E. Iglesias  
> wrote:
> > From: "Edgar E. Iglesias" 
> >
> > Add a model of Xilinx Versal SoC.
> >
> > Signed-off-by: Edgar E. Iglesias 
> > ---
> >  default-configs/aarch64-softmmu.mak |   1 +
> >  hw/arm/Makefile.objs|   1 +
> >  hw/arm/xlnx-versal.c| 324 
> >  include/hw/arm/xlnx-versal.h| 122 +++
> >  4 files changed, 448 insertions(+)
> >  create mode 100644 hw/arm/xlnx-versal.c
> >  create mode 100644 include/hw/arm/xlnx-versal.h
> 
> > +if (!kvm_irqchip_in_kernel()) {
> > +qdev_prop_set_bit(gicdev, "has-security-extensions", true);
> > +}
> 
> Do you really support KVM for this board/SoC ?
>


I haven't tried yet, so probably not, but KVM is something we'd like to support 
further down the road...
If you prefer, we can remove this kvm specific check for now though.

Cheers,
Edgar



[Qemu-devel] [PULL 1/2] slirp: Add sanity check for str option length

2018-10-21 Thread Samuel Thibault
From: Fam Zheng 

When user provides a long domainname or hostname that doesn't fit in the
DHCP packet, we mustn't overflow the response packet buffer. Instead,
report errors, following the g_warning() in the slirp->vdnssearch
branch.

Also check the strlen against 256 when initializing slirp, which limit
is also from the protocol where one byte represents the string length.
This gives an early error before the warning which is harder to notice
or diagnose.

Reported-by: Thomas Huth 
Reviewed-by: Thomas Huth 
Cc: qemu-sta...@nongnu.org
Signed-off-by: Fam Zheng 
Tested-by: Gerd Hoffmann 
Signed-off-by: Samuel Thibault 
---
 net/slirp.c   |  9 +
 slirp/bootp.c | 32 ++--
 2 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/net/slirp.c b/net/slirp.c
index 99884de204..da6c0a1a5c 100644
--- a/net/slirp.c
+++ b/net/slirp.c
@@ -350,6 +350,15 @@ static int net_slirp_init(NetClientState *peer, const char 
*model,
 return -1;
 }
 
+if (vdomainname && strlen(vdomainname) > 255) {
+error_setg(errp, "'domainname' parameter cannot exceed 255 bytes");
+return -1;
+}
+
+if (vhostname && strlen(vhostname) > 255) {
+error_setg(errp, "'vhostname' parameter cannot exceed 255 bytes");
+return -1;
+}
 
 nc = qemu_new_net_client(_slirp_info, peer, model, name);
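Review bot: the second error message says 'vhostname', but the user-facing option is `hostname=` (the qemu-options synopsis in the next patch shows `[,hostname=host]`), so `'hostname' parameter cannot exceed 255 bytes` would match the 'domainname' message just above it and be greppable by users. The commit message also says "against 256" while both checks are `> 255`; stating 255 in both places avoids an off-by-one question on review.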
 
diff --git a/slirp/bootp.c b/slirp/bootp.c
index 9e7b53ba94..1e8185f0ec 100644
--- a/slirp/bootp.c
+++ b/slirp/bootp.c
@@ -159,6 +159,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t 
*bp)
 struct in_addr preq_addr;
 int dhcp_msg_type, val;
 uint8_t *q;
+uint8_t *end;
 uint8_t client_ethaddr[ETH_ALEN];
 
 /* extract exact DHCP msg type */
@@ -240,6 +241,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t 
*bp)
 rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */
 
 q = rbp->bp_vend;
+end = (uint8_t *)[1];
 memcpy(q, rfc1533_cookie, 4);
 q += 4;
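Review bot: `end` is derived from the address one past the whole reply structure rather than from the option area itself, which only equals the end of bp_vend because bp_vend appears to be the last member of struct bootp_t. `end = rbp->bp_vend + sizeof(rbp->bp_vend);` states the intent directly and keeps the bound correct if a field is ever appended after bp_vend; the removed dnssearch code used `sizeof(rbp->bp_vend)` for exactly this bound.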
 
@@ -292,24 +294,33 @@ static void bootp_reply(Slirp *slirp, const struct 
bootp_t *bp)
 
 if (*slirp->client_hostname) {
 val = strlen(slirp->client_hostname);
-*q++ = RFC1533_HOSTNAME;
-*q++ = val;
-memcpy(q, slirp->client_hostname, val);
-q += val;
+if (q + val + 2 >= end) {
+g_warning("DHCP packet size exceeded, "
+"omitting host name option.");
+} else {
+*q++ = RFC1533_HOSTNAME;
+*q++ = val;
+memcpy(q, slirp->client_hostname, val);
+q += val;
+}
 }
 
 if (slirp->vdomainname) {
 val = strlen(slirp->vdomainname);
-*q++ = RFC1533_DOMAINNAME;
-*q++ = val;
-memcpy(q, slirp->vdomainname, val);
-q += val;
+if (q + val + 2 >= end) {
+g_warning("DHCP packet size exceeded, "
+"omitting domain name option.");
+} else {
+*q++ = RFC1533_DOMAINNAME;
+*q++ = val;
+memcpy(q, slirp->vdomainname, val);
+q += val;
+}
 }
 
 if (slirp->vdnssearch) {
-size_t spaceleft = sizeof(rbp->bp_vend) - (q - rbp->bp_vend);
 val = slirp->vdnssearch_len;
-if (val + 1 > spaceleft) {
+if (q + val >= end) {
 g_warning("DHCP packet size exceeded, "
 "omitting domain-search option.");
 } else {
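Review bot: `*q++ = val` stores an `int` into the one-byte length field, so it is only the `> 255` check added in net_slirp_init() that keeps these options well-formed; a local `assert(val <= 255)` (or skipping the option when `val > 255`, with the same g_warning) in bootp_reply() would keep the encoder safe on its own if libslirp is ever driven by a caller that does not perform that check. With that bound in place the `q + val + 2 >= end` comparisons correctly reserve the trailing RFC1533_END byte.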
@@ -331,6 +342,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t 
*bp)
 memcpy(q, nak_msg, sizeof(nak_msg) - 1);
 q += sizeof(nak_msg) - 1;
 }
+assert(q < end);
 *q = RFC1533_END;
 
 daddr.sin_addr.s_addr = 0xu;
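Review bot: the nak_msg memcpy just above the new `assert(q < end)` is the one remaining write with no space check; it is a fixed constant and cannot overflow in practice, but since the assert now turns any miscount into an abort of the whole QEMU process rather than a g_warning, a comment stating why the NAK path needs no check (and that the assert documents the invariant kept by the `>= end` tests above) would help the next person who adds an option here.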
-- 
2.19.1
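The bounds handling this commit describes (a one-byte length field, omitting an option instead of overflowing, and always keeping room for the END byte), as an added C example that is not slirp's code: a small DHCP option writer whose space test is the `q + val + 2 >= end` check rewritten as a remaining-bytes comparison, plus the receiving-side parser that refuses a declared length running past the packet. The option codes are RFC 2132's; the names (`opt_writer`, `opt_put`, `opt_find`), the constructed strings and the 312-byte buffer used below are assumptions for this example only.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* RFC 2132 option codes used below. */
#define OPT_PAD          0
#define OPT_HOSTNAME     12
#define OPT_DOMAINNAME   15
#define OPT_TFTP_SERVER  66
#define OPT_END          255

static const uint8_t rfc1533_cookie[4] = { 99, 130, 83, 99 };

enum opt_status { OPT_OK = 0, OPT_TOO_LONG = 1, OPT_NO_SPACE = 2 };

struct opt_writer {
    uint8_t *start, *q, *end;  /* buffer start, next free byte, one past end */
    unsigned omitted;          /* options dropped for lack of space */
};

/* The caller supplies the options area (assumed size; not slirp's bp_vend). */
static void opt_writer_init(struct opt_writer *w, uint8_t *buf, size_t len)
{
    assert(len >= sizeof rfc1533_cookie + 1);   /* cookie plus END byte */
    w->start = w->q = buf;
    w->end = buf + len;
    w->omitted = 0;
    memcpy(w->q, rfc1533_cookie, sizeof rfc1533_cookie);
    w->q += sizeof rfc1533_cookie;
}

/* Append one option. len must fit the one-byte length field and leave one
 * byte free for OPT_END. The check compares the remaining byte count instead
 * of forming q + len + 2, so no pointer beyond the buffer is ever computed. */
static enum opt_status opt_put(struct opt_writer *w, uint8_t code, const void *val, size_t len)
{
    size_t avail = (size_t)(w->end - w->q);
    if (len > 255) {
        return OPT_TOO_LONG;
    }
    if (avail < len + 3) {      /* code + length + payload + reserved END */
        w->omitted++;
        return OPT_NO_SPACE;
    }
    *w->q++ = code;
    *w->q++ = (uint8_t)len;
    memcpy(w->q, val, len);
    w->q += len;
    return OPT_OK;
}

static enum opt_status opt_put_str(struct opt_writer *w, uint8_t code, const char *s)
{
    return opt_put(w, code, s, strlen(s));
}

/* Terminate the option list; returns the number of bytes used. */
static size_t opt_finish(struct opt_writer *w)
{
    assert(w->q < w->end);      /* guaranteed by the reservation in opt_put */
    *w->q++ = OPT_END;
    return (size_t)(w->q - w->start);
}

/* Receiving side: bounds-checked TLV lookup. True and *val/*vlen set when
 * code is present; false if absent, bad cookie, or a length past the end. */
static bool opt_find(const uint8_t *buf, size_t len, uint8_t code, const uint8_t **val, size_t *vlen)
{
    size_t i = sizeof rfc1533_cookie, l;
    if (len < i || memcmp(buf, rfc1533_cookie, i) != 0) {
        return false;
    }
    while (i < len) {
        uint8_t c = buf[i++];
        if (c == OPT_END) {
            return false;
        }
        if (c == OPT_PAD) {
            continue;
        }
        if (i >= len) {
            return false;       /* no room for the length byte */
        }
        l = buf[i++];
        if (l > len - i) {
            return false;       /* declared length exceeds the buffer */
        }
        if (c == code) {
            *val = buf + i;
            *vlen = l;
            return true;
        }
        i += l;
    }
    return false;
}
```

The writer reserves the END byte in every check rather than verifying it with an assert at the end, so a caller can never reach an abort path; the parser's `l > len - i` test is the mirror image on the receiving side, where the peer controls the length byte.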




[Qemu-devel] [PULL 2/2] slirp: Implement RFC2132 TFTP server name

2018-10-21 Thread Samuel Thibault
From: Fam Zheng 

This new usernet option can be used to add data for option 66 (tftp
server name) in the BOOTP reply, which is useful in PXE based automatic
OS install such as OpenBSD.

Signed-off-by: Fam Zheng 
Reviewed-by: Thomas Huth 
Tested-by: Gerd Hoffmann 
Signed-off-by: Samuel Thibault 
---
 net/slirp.c  | 12 ++--
 qapi/net.json|  5 -
 qemu-options.hx  |  7 ++-
 slirp/bootp.c| 13 +
 slirp/bootp.h|  1 +
 slirp/libslirp.h |  1 +
 slirp/slirp.c|  2 ++
 slirp/slirp.h|  1 +
 8 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/net/slirp.c b/net/slirp.c
index da6c0a1a5c..f6dc03963a 100644
--- a/net/slirp.c
+++ b/net/slirp.c
@@ -150,6 +150,7 @@ static int net_slirp_init(NetClientState *peer, const char 
*model,
   const char *vnameserver, const char *vnameserver6,
   const char *smb_export, const char *vsmbserver,
   const char **dnssearch, const char *vdomainname,
+  const char *tftp_server_name,
   Error **errp)
 {
 /* default settings according to historic slirp */
@@ -360,6 +361,11 @@ static int net_slirp_init(NetClientState *peer, const char 
*model,
 return -1;
 }
 
+if (tftp_server_name && strlen(tftp_server_name) > 255) {
+error_setg(errp, "'tftp-server-name' parameter cannot exceed 255 
bytes");
+return -1;
+}
+
 nc = qemu_new_net_client(_slirp_info, peer, model, name);
 
 snprintf(nc->info_str, sizeof(nc->info_str),
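Review bot: the error text here uses the option's own spelling, 'tftp-server-name', which is the right convention; the 'vhostname' message introduced in patch 1/2 should follow it and say 'hostname'. The 255-byte limit is the same one-byte-length constraint as for hostname and domainname, so a shared helper or a comment pointing at the RFC 2132 length field would make it clear the three checks are one rule rather than three coincidences.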
@@ -370,7 +376,8 @@ static int net_slirp_init(NetClientState *peer, const char 
*model,
 
 s->slirp = slirp_init(restricted, ipv4, net, mask, host,
   ipv6, ip6_prefix, vprefix6_len, ip6_host,
-  vhostname, tftp_export, bootfile, dhcp,
+  vhostname, tftp_server_name,
+  tftp_export, bootfile, dhcp,
   dns, ip6_dns, dnssearch, vdomainname, s);
 QTAILQ_INSERT_TAIL(_stacks, s, entry);
 
@@ -907,7 +914,8 @@ int net_init_slirp(const Netdev *netdev, const char *name,
  user->ipv6_host, user->hostname, user->tftp,
  user->bootfile, user->dhcpstart,
  user->dns, user->ipv6_dns, user->smb,
- user->smbserver, dnssearch, user->domainname, errp);
+ user->smbserver, dnssearch, user->domainname,
+ user->tftp_server_name, errp);
 
 while (slirp_configs) {
 config = slirp_configs;
diff --git a/qapi/net.json b/qapi/net.json
index c86f351161..8f99fd911d 100644
--- a/qapi/net.json
+++ b/qapi/net.json
@@ -174,6 +174,8 @@
 #
 # @guestfwd: forward guest TCP connections
 #
+# @tftp-server-name: RFC2132 "TFTP server name" string (Since 3.1)
+#
 # Since: 1.2
 ##
 { 'struct': 'NetdevUserOptions',
@@ -198,7 +200,8 @@
 '*smb':   'str',
 '*smbserver': 'str',
 '*hostfwd':   ['String'],
-'*guestfwd':  ['String'] } }
+'*guestfwd':  ['String'],
+'*tftp-server-name': 'str' } }
 
 ##
 # @NetdevTapOptions:
diff --git a/qemu-options.hx b/qemu-options.hx
index 214ce396f9..08f8516a9a 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1823,7 +1823,7 @@ DEF("netdev", HAS_ARG, QEMU_OPTION_netdev,
 " [,ipv6[=on|off]][,ipv6-net=addr[/int]][,ipv6-host=addr]\n"
 " [,restrict=on|off][,hostname=host][,dhcpstart=addr]\n"
 " 
[,dns=addr][,ipv6-dns=addr][,dnssearch=domain][,domainname=domain]\n"
-" [,tftp=dir][,bootfile=f][,hostfwd=rule][,guestfwd=rule]"
+" 
[,tftp=dir][,tftp-server-name=name][,bootfile=f][,hostfwd=rule][,guestfwd=rule]"
 #ifndef _WIN32
  "[,smb=dir[,smbserver=addr]]\n"
 #endif
@@ -2060,6 +2060,11 @@ server. The files in @var{dir} will be exposed as the 
root of a TFTP server.
 The TFTP client on the guest must be configured in binary mode (use the command
 @code{bin} of the Unix TFTP client).
 
+@item tftp-server-name=@var{name}
+In BOOTP reply, broadcast @var{name} as the "TFTP server name" (RFC2132 option
+66). This can be used to advise the guest to load boot files or configurations
+from a different server than the host address.
+
 @item bootfile=@var{file}
 When using the user mode network stack, broadcast @var{file} as the BOOTP
 filename. In conjunction with @option{tftp}, this can be used to network boot
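Review bot: the new tftp-server-name paragraph should mention the 255-byte limit that net_slirp_init() enforces, so that a user hitting the "cannot exceed 255 bytes" error finds it documented next to the option; the same sentence could note the value is sent as RFC 2132 option 66 in the reply to the requesting client (the "broadcast" wording is inherited from the bootfile paragraph below and is fine for consistency).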
diff --git a/slirp/bootp.c b/slirp/bootp.c
index 1e8185f0ec..7b1af73c95 100644
--- a/slirp/bootp.c
+++ b/slirp/bootp.c
@@ -318,6 +318,19 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t 
*bp)
 }
 }
 
+if (slirp->tftp_server_name) {
+val = strlen(slirp->tftp_server_name);
+if (q + val + 2 >= end) {
+g_warning("DHCP packet size exceeded, "
+"omitting tftp-server-name 

[Qemu-devel] [PATCH] ps2kbd: default to scan enabled after reset

2018-10-21 Thread Hervé Poussineau
A check for scan_enabled has been added to ps2_keyboard_event in commit
143c04c7e0639e53086519592ead15d2556bfbf2 to prevent stream corruption.
This works well as long as the operating system resets the keyboard, or enables
it.

This fixes IBM 40p firmware, which doesn't bother sending KBD_CMD_RESET,
KBD_CMD_ENABLE or KBD_CMD_RESET_ENABLE before trying to use the keyboard.

Signed-off-by: Hervé Poussineau 
---
 hw/input/ps2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/input/ps2.c b/hw/input/ps2.c
index fdfcadf9a1..eded4f0f8d 100644
--- a/hw/input/ps2.c
+++ b/hw/input/ps2.c
@@ -938,7 +938,7 @@ static void ps2_kbd_reset(void *opaque)
 
 trace_ps2_kbd_reset(opaque);
 ps2_common_reset(>common);
-s->scan_enabled = 0;
+s->scan_enabled = 1;
 s->translate = 0;
 s->scancode_set = 2;
 s->modifiers = 0;
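Review bot: this changes the reset default for every machine that uses ps2.c, not only IBM 40p, so the commit message should state what a real PS/2 keyboard does after reset (scanning enabled or not) so reviewers can check the new default against hardware rather than against one firmware. If scan_enabled is part of the migrated state, note also that VMs migrated in from older QEMU keep the old value, which is harmless but worth saying.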
-- 
2.11.0




Re: [Qemu-devel] [PULL 02/45] vl.c deprecate incorrect CPUs topology

2018-10-21 Thread David Gibson
On Thu, Oct 18, 2018 at 05:03:39PM -0300, Eduardo Habkost wrote:
> From: Igor Mammedov 
> 
> -smp [cpus],sockets/cores/threads[,maxcpus] should describe topology
> so that total number of logical CPUs [sockets * cores * threads]
> would be equal to [maxcpus], however historically we didn't have
> such check in QEMU and it is possible to start VM with an invalid
> topology.
> Deprecate invalid options combination so we can make sure that
> the topology VM started with is always correct in the future.
> Users with an invalid sockets/cores/threads/maxcpus values should
> fix their CLI to make sure that
>[sockets * cores * threads] == [maxcpus]
> 
> Signed-off-by: Igor Mammedov 
> Reviewed-by: Andrew Jones 
> Reviewed-by: Eduardo Habkost 
> Message-Id: <1536836762-273036-2-git-send-email-imamm...@redhat.com>
> Reviewed-by: Eric Blake 
> Signed-off-by: Eduardo Habkost 

Reviewed-by: David Gibson 

> ---
>  vl.c |  7 +++
>  qemu-deprecated.texi | 12 
>  2 files changed, 19 insertions(+)
> 
> diff --git a/vl.c b/vl.c
> index 4e25c78bff..027d04c7ca 100644
> --- a/vl.c
> +++ b/vl.c
> @@ -1235,6 +1235,13 @@ static void smp_parse(QemuOpts *opts)
>  exit(1);
>  }
>  
> +if (sockets * cores * threads != max_cpus) {
> +warn_report("Invalid CPU topology deprecated: "
> +"sockets (%u) * cores (%u) * threads (%u) "
> +"!= maxcpus (%u)",
> +sockets, cores, threads, max_cpus);
> +}
> +
>  smp_cpus = cpus;
>  smp_cores = cores;
>  smp_threads = threads;
> diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
> index 11b870c5c1..5d2d7a3588 100644
> --- a/qemu-deprecated.texi
> +++ b/qemu-deprecated.texi
> @@ -86,6 +86,18 @@ for these file types is 'host_cdrom' or 'host_device' as 
> appropriate.
>  The @option{name} parameter of the @option{-net} option is a synonym
>  for the @option{id} parameter, which should now be used instead.
>  
> +@subsection -smp (invalid topologies) (since 3.1)
> +
> +CPU topology properties should describe whole machine topology including
> +possible CPUs.
> +
> +However, historically it was possible to start QEMU with an incorrect 
> topology
> +where @math{@var{n} <= @var{sockets} * @var{cores} * @var{threads} < 
> @var{maxcpus}},
> +which could lead to an incorrect topology enumeration by the guest.
> +Support for invalid topologies will be removed, the user must ensure
> +topologies described with -smp include all possible cpus, i.e.
> +  @math{@var{sockets} * @var{cores} * @var{threads} = @var{maxcpus}}.
> +
>  @section QEMU Machine Protocol (QMP) commands
>  
>  @subsection block-dirty-bitmap-add "autoload" parameter (since 2.12.0)

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [Qemu-devel] [PULL 01/45] hostmem-file: fixed the memory leak while get pmem path.

2018-10-21 Thread David Gibson
On Thu, Oct 18, 2018 at 05:03:38PM -0300, Eduardo Habkost wrote:
> From: Zhang Yi 
> 
> object_get_canonical_path_component() returns a string which
> must be freed using g_free().
> 
> Reported-by: Peter Maydell 
> Signed-off-by: Michael S. Tsirkin 
> Signed-off-by: Zhang Yi 
> Message-Id: 
> <7328fb16c394eaf5d65437d11c2a9343647b6d3d.1535471899.git.yi.z.zh...@linux.intel.com>
> Reviewed-by: Eduardo Habkost 
> Signed-off-by: Eduardo Habkost 

Reviewed-by: David Gibson 

> ---
>  backends/hostmem-file.c | 10 --
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/backends/hostmem-file.c b/backends/hostmem-file.c
> index e64074954f..639c8d4307 100644
> --- a/backends/hostmem-file.c
> +++ b/backends/hostmem-file.c
> @@ -145,20 +145,26 @@ static void file_memory_backend_set_pmem(Object *o, 
> bool value, Error **errp)
>  HostMemoryBackendFile *fb = MEMORY_BACKEND_FILE(o);
>  
>  if (host_memory_backend_mr_inited(backend)) {
> +char *path = object_get_canonical_path_component(o);
> +
>  error_setg(errp, "cannot change property 'pmem' of %s '%s'",
> object_get_typename(o),
> -   object_get_canonical_path_component(o));
> +   path);
> +g_free(path);
>  return;
>  }
>  
>  #ifndef CONFIG_LIBPMEM
>  if (value) {
>  Error *local_err = NULL;
> +char *path = object_get_canonical_path_component(o);
> +
>  error_setg(_err,
> "Lack of libpmem support while setting the 'pmem=on'"
> " of %s '%s'. We can't ensure data persistence.",
> object_get_typename(o),
> -   object_get_canonical_path_component(o));
> +   path);
> +g_free(path);
>  error_propagate(errp, local_err);
>  return;
>  }

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




[Qemu-devel] [PATCH v1] bt: use size_t type for length parameters instead of int

2018-10-21 Thread P J P
From: Prasad J Pandit 

The length parameter values are not negative, thus use an unsigned
type 'size_t' for them. Many routines pass 'len' values to memcpy(3)
calls. If it was negative, it could lead to memory corruption issues.
Add check to avoid it.

Reported-by: Arash TC 
Signed-off-by: Prasad J Pandit 
---
 bt-host.c  |  8 +++---
 bt-vhci.c  |  7 +++---
 hw/bt/core.c   |  2 +-
 hw/bt/hci-csr.c| 20 +++
 hw/bt/hci.c| 38 ++--
 hw/bt/hid.c| 10 
 hw/bt/l2cap.c  | 56 ++
 hw/bt/sdp.c|  6 ++---
 hw/usb/dev-bluetooth.c | 12 -
 include/hw/bt.h|  8 +++---
 include/sysemu/bt.h| 10 
 11 files changed, 90 insertions(+), 87 deletions(-)

Update v1: add assert check in vhci_host_send. Also check other places wherein
length is used with fixed size buffers.
  -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg03831.html

diff --git a/bt-host.c b/bt-host.c
index 2f8f631c25..b73a44d07d 100644
--- a/bt-host.c
+++ b/bt-host.c
@@ -43,7 +43,7 @@ struct bt_host_hci_s {
 };
 
 static void bt_host_send(struct HCIInfo *hci,
-int type, const uint8_t *data, int len)
+int type, const uint8_t *data, size_t len)
 {
 struct bt_host_hci_s *s = (struct bt_host_hci_s *) hci;
 uint8_t pkt = type;
@@ -63,17 +63,17 @@ static void bt_host_send(struct HCIInfo *hci,
 }
 }
 
-static void bt_host_cmd(struct HCIInfo *hci, const uint8_t *data, int len)
+static void bt_host_cmd(struct HCIInfo *hci, const uint8_t *data, size_t len)
 {
 bt_host_send(hci, HCI_COMMAND_PKT, data, len);
 }
 
-static void bt_host_acl(struct HCIInfo *hci, const uint8_t *data, int len)
+static void bt_host_acl(struct HCIInfo *hci, const uint8_t *data, size_t len)
 {
 bt_host_send(hci, HCI_ACLDATA_PKT, data, len);
 }
 
-static void bt_host_sco(struct HCIInfo *hci, const uint8_t *data, int len)
+static void bt_host_sco(struct HCIInfo *hci, const uint8_t *data, size_t len)
 {
 bt_host_send(hci, HCI_SCODATA_PKT, data, len);
 }
diff --git a/bt-vhci.c b/bt-vhci.c
index 9d277c32bf..39cb73ab1f 100644
--- a/bt-vhci.c
+++ b/bt-vhci.c
@@ -90,7 +90,7 @@ static void vhci_read(void *opaque)
 }
 
 static void vhci_host_send(void *opaque,
-int type, const uint8_t *data, int len)
+int type, const uint8_t *data, size_t len)
 {
 struct bt_vhci_s *s = (struct bt_vhci_s *) opaque;
 #if 0
@@ -113,6 +113,7 @@ static void vhci_host_send(void *opaque,
 static uint8_t buf[4096];
 
 buf[0] = type;
+assert(len <= sizeof(buf) - 1);
 memcpy(buf + 1, data, len);
 
 while (write(s->fd, buf, len + 1) < 0)
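Review bot: the new `assert(len <= sizeof(buf) - 1)` turns an oversized packet into an abort of the whole emulator; if `len` can be influenced by the guest (the HCI paths this patch touches carry guest-driven data), dropping the packet with an error_report() and `return` is the safer failure mode than a guest-triggerable crash. Also note that `buf` is a static 4096-byte array, so vhci_host_send() is not reentrant; that is pre-existing, but worth a comment now that the bound is explicit.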
@@ -125,13 +126,13 @@ static void vhci_host_send(void *opaque,
 }
 
 static void vhci_out_hci_packet_event(void *opaque,
-const uint8_t *data, int len)
+const uint8_t *data, size_t len)
 {
 vhci_host_send(opaque, HCI_EVENT_PKT, data, len);
 }
 
 static void vhci_out_hci_packet_acl(void *opaque,
-const uint8_t *data, int len)
+const uint8_t *data, size_t len)
 {
 vhci_host_send(opaque, HCI_ACLDATA_PKT, data, len);
 }
diff --git a/hw/bt/core.c b/hw/bt/core.c
index 78370e64f5..62720d1663 100644
--- a/hw/bt/core.c
+++ b/hw/bt/core.c
@@ -45,7 +45,7 @@ static void bt_dummy_lmp_disconnect_master(struct bt_link_s 
*link)
 }
 
 static void bt_dummy_lmp_acl_resp(struct bt_link_s *link,
-const uint8_t *data, int start, int len)
+const uint8_t *data, int start, size_t len)
 {
 error_report("%s: stray ACL response PDU, fixme", __func__);
 exit(-1);
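Review bot: this signature still mixes `int start` with `size_t len`; `start` is an offset into the same buffer, so it should move to size_t together with `len`, otherwise expressions such as start + len are evaluated in mixed signedness and a negative `start` would be converted to a huge unsigned value, which is the class of bug the commit message sets out to remove.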
diff --git a/hw/bt/hci-csr.c b/hw/bt/hci-csr.c
index 0341ded50c..9f620d81c0 100644
--- a/hw/bt/hci-csr.c
+++ b/hw/bt/hci-csr.c
@@ -103,7 +103,7 @@ static inline void csrhci_fifo_wake(struct csrhci_s *s)
 }
 
 #define csrhci_out_packetz(s, len) memset(csrhci_out_packet(s, len), 0, len)
-static uint8_t *csrhci_out_packet(struct csrhci_s *s, int len)
+static uint8_t *csrhci_out_packet(struct csrhci_s *s, size_t len)
 {
 int off = s->out_start + s->out_len;
 
@@ -112,14 +112,14 @@ static uint8_t *csrhci_out_packet(struct csrhci_s *s, int 
len)
 
 if (off < FIFO_LEN) {
 if (off + len > FIFO_LEN && (s->out_size = off + len) > FIFO_LEN * 2) {
-error_report("%s: can't alloc %i bytes", __func__, len);
+error_report("%s: can't alloc %zu bytes", __func__, len);
 exit(-1);
 }
 return s->outfifo + off;
 }
 
 if (s->out_len > s->out_size) {
-error_report("%s: can't alloc %i bytes", __func__, len);
+error_report("%s: can't alloc %zu bytes", __func__, len);
 exit(-1);
 }
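Review bot: with `len` now size_t, `off + len > FIFO_LEN` and `s->out_size = off + len` are evaluated in unsigned arithmetic while `off` stays `int`; that is only correct while out_start + out_len is non-negative, so `off` (and the out_len/out_size fields it is built from) should become size_t in the same patch, otherwise the conversion merely moves the signed/unsigned mismatch one line up rather than removing it.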
 
@@ -127,7 +127,7 @@ static uint8_t *csrhci_out_packet(struct csrhci_s *s, int 
len)
 }
 
 static inline uint8_t *csrhci_out_packet_csr(struct csrhci_s *s,
-int type, int len)
+ 

[Qemu-devel] [PATCH v3] scripts/qemu-binfmt-conf.sh: add bFLT handler registration

2018-10-21 Thread Max Filippov
bFLT format header doesn't have enough information to register a handler
for a specific architecture. Add switch -f / --flat that registers one
of the qemu binaries as a handler for bFLT executable images.

Signed-off-by: Max Filippov 
---
Changes v2->v3:
- fix bFLT in the patch subject

Changes v1->v2:
- drop unintended changes to dtc;

 scripts/qemu-binfmt-conf.sh | 32 ++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh
index b5a16742a149..39f61065c698 100755
--- a/scripts/qemu-binfmt-conf.sh
+++ b/scripts/qemu-binfmt-conf.sh
@@ -132,6 +132,9 @@ 
or1k_magic='\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\
 
or1k_mask='\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'
 or1k_family=or1k
 
+flat_magic='bFLT\x00\x00\x00\x04'
+flat_mask='\xff\xff\xff\xff\xff\xff\xff\xff'
+
 qemu_get_family() {
 cpu=${HOST_ARCH:-$(uname -m)}
 case "$cpu" in
@@ -170,6 +173,7 @@ usage() {
 Usage: qemu-binfmt-conf.sh [--qemu-path PATH][--debian][--systemd CPU]
[--help][--credential yes|no][--exportdir PATH]
[--persistent yes|no][--qemu-suffix SUFFIX]
+   [--flat CPU]
 
Configure binfmt_misc to use qemu interpreter
 
@@ -188,7 +192,9 @@ Usage: qemu-binfmt-conf.sh [--qemu-path 
PATH][--debian][--systemd CPU]
   calculated according to the binary to interpret
--persistent:  if yes, the interpreter is loaded when binfmt is
   configured and remains in memory. All future uses
-  are cloned from the open file.
+  are cloned from the open file
+   --flat:register QEMU for this CPU architecture as a handler
+  for the bFLT executable format.
 
 To import templates with update-binfmts, use :
 
@@ -311,6 +317,13 @@ qemu_set_binfmts() {
 $BINFMT_SET
 fi
 done
+if [ -n "$QEMU_FLAT" ] ; then
+cpu="${QEMU_FLAT}_bflt"
+qemu="$QEMU_PATH/qemu-$QEMU_FLAT"
+magic=$flat_magic
+mask=$flat_mask
+$BINFMT_SET
+fi
 }
 
 CHECK=qemu_check_bintfmt_misc
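Review bot: `qemu="$QEMU_PATH/qemu-$QEMU_FLAT"` is built without $QEMU_SUFFIX, although the script offers --qemu-suffix for exactly this path; confirm how the ELF loop above composes the interpreter name and do the same here, otherwise --flat registers a handler pointing at a binary that may not exist on systems using suffixed qemu-user binaries.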
@@ -324,7 +337,7 @@ CREDENTIAL=no
 PERSISTENT=no
 QEMU_SUFFIX=""
 
-options=$(getopt -o ds:Q:S:e:hc:p: -l 
debian,systemd:,qemu-path:,qemu-suffix:,exportdir:,help,credential:,persistent: 
-- "$@")
+options=$(getopt -o ds:Q:S:e:hc:p:f: -l 
debian,systemd:,qemu-path:,qemu-suffix:,exportdir:,help,credential:,persistent:,flat:
 -- "$@")
 eval set -- "$options"
 
 while true ; do
@@ -380,6 +393,21 @@ while true ; do
 shift
 PERSISTENT="$1"
 ;;
+-f|--flat)
+shift
+QEMU_FLAT="$1"
+for cpu in ${qemu_target_list} ; do
+if [ "$cpu" = "$1" ] ; then
+break
+fi
+done
+
+if [ "$cpu" != "$1" ] ; then
+echo "ERROR: unknown CPU \"$1\"" 1>&2
+usage
+exit 1
+fi
+;;
 *)
 break
 ;;
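Review bot: the validation loop reuses `cpu` as its loop variable; since this runs during option parsing, before qemu_set_binfmts() assigns `cpu`, it is harmless, but a distinct name (for example `flat_cpu`) avoids the question for the next reader. Passing --flat twice silently keeps the last value; that is probably the intended behaviour but is worth one line in the usage text.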
-- 
2.11.0




[Qemu-devel] [PATCH v8 34/38] tests/tcg/mips: Test R5900 three-operand MADD1

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 tests/tcg/mips/mipsr5900/madd.c | 43 +
 1 file changed, 38 insertions(+), 5 deletions(-)

diff --git a/tests/tcg/mips/mipsr5900/madd.c b/tests/tcg/mips/mipsr5900/madd.c
index 9ad2ea6dbb..f6f215e1c3 100644
--- a/tests/tcg/mips/mipsr5900/madd.c
+++ b/tests/tcg/mips/mipsr5900/madd.c
@@ -1,5 +1,5 @@
 /*
- * Test R5900-specific three-operand MADD.
+ * Test R5900-specific three-operand MADD and MADD1.
  */
 
 #include 
@@ -29,12 +29,45 @@ int64_t madd(int64_t a, int32_t rs, int32_t rt)
 return r;
 }
 
+int64_t madd1(int64_t a, int32_t rs, int32_t rt)
+{
+int32_t lo = a;
+int32_t hi = a >> 32;
+int32_t rd;
+int64_t r;
+
+__asm__ __volatile__ (
+"mtlo1 %5\n"
+"mthi1 %6\n"
+"madd1 %0, %3, %4\n"
+"mflo1 %1\n"
+"mfhi1 %2\n"
+: "=r" (rd), "=r" (lo), "=r" (hi)
+: "r" (rs), "r" (rt), "r" (lo), "r" (hi));
+r = ((int64_t)hi << 32) | (uint32_t)lo;
+
+assert(a + (int64_t)rs * rt == r);
+assert(rd == lo);
+
+return r;
+}
+
+static int64_t madd_variants(int64_t a, int32_t rs, int32_t rt)
+{
+int64_t rd  = madd(a, rs, rt);
+int64_t rd1 = madd1(a, rs, rt);
+
+assert(rd == rd1);
+
+return rd;
+}
+
 static void verify_madd(int64_t a, int32_t rs, int32_t rt, int64_t expected)
 {
-assert(madd(a, rs, rt) == expected);
-assert(madd(a, -rs, rt) == a + a - expected);
-assert(madd(a, rs, -rt) == a + a - expected);
-assert(madd(a, -rs, -rt) == expected);
+assert(madd_variants(a, rs, rt) == expected);
+assert(madd_variants(a, -rs, rt) == a + a - expected);
+assert(madd_variants(a, rs, -rt) == a + a - expected);
+assert(madd_variants(a, -rs, -rt) == expected);
 }
 
 int main()
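
Review bot: `int32_t lo = a;` and `int32_t hi = a >> 32;` in `madd1` narrow a 64-bit accumulator implicitly; write the casts out (`(int32_t)a`, `(int32_t)(a >> 32)`) so the split is visible and -Wconversion stays quiet. Minor: `madd1` is non-static while `madd_variants` is static; `madd` in the context line is non-static too, so either works, but keep the pair consistent. The reference expression `a + (int64_t)rs * rt` is signed 64-bit arithmetic, so the vectors passed from main() must stay well away from INT64_MAX/INT64_MIN or the test itself has undefined behaviour.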
-- 
2.18.1




[Qemu-devel] [PATCH v8 32/38] tests/tcg/mips: Test R5900 DIVU1

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 tests/tcg/mips/mipsr5900/Makefile |  1 +
 tests/tcg/mips/mipsr5900/divu1.c  | 48 +++
 2 files changed, 49 insertions(+)
 create mode 100644 tests/tcg/mips/mipsr5900/divu1.c

diff --git a/tests/tcg/mips/mipsr5900/Makefile 
b/tests/tcg/mips/mipsr5900/Makefile
index 757eb83862..a1c388bc3c 100644
--- a/tests/tcg/mips/mipsr5900/Makefile
+++ b/tests/tcg/mips/mipsr5900/Makefile
@@ -9,6 +9,7 @@ CC  = $(CROSS)gcc
 CFLAGS  = -Wall -mabi=32 -march=r5900 -static
 
 TESTCASES = div1.tst
+TESTCASES += divu1.tst
 TESTCASES += mflohi1.tst
 TESTCASES += mtlohi1.tst
 TESTCASES += mult.tst
diff --git a/tests/tcg/mips/mipsr5900/divu1.c b/tests/tcg/mips/mipsr5900/divu1.c
new file mode 100644
index 00..72aeed31de
--- /dev/null
+++ b/tests/tcg/mips/mipsr5900/divu1.c
@@ -0,0 +1,48 @@
+/*
+ * Test R5900-specific DIVU1.
+ */
+
+#include 
+#include 
+#include 
+
+struct quotient_remainder { uint32_t quotient, remainder; };
+
+static struct quotient_remainder divu1(uint32_t rs, uint32_t rt)
+{
+uint32_t lo, hi;
+
+__asm__ __volatile__ (
+"divu1 $0, %2, %3\n"
+"mflo1 %0\n"
+"mfhi1 %1\n"
+: "=r" (lo), "=r" (hi)
+: "r" (rs), "r" (rt));
+
+assert(rs / rt == lo);
+assert(rs % rt == hi);
+
+return (struct quotient_remainder) { .quotient = lo, .remainder = hi };
+}
+
+static void verify_divu1(uint32_t rs, uint32_t rt,
+ uint32_t expected_quotient,
+ uint32_t expected_remainder)
+{
+struct quotient_remainder qr = divu1(rs, rt);
+
+assert(qr.quotient == expected_quotient);
+assert(qr.remainder == expected_remainder);
+}
+
+int main()
+{
+verify_divu1(0, 1, 0, 0);
+verify_divu1(1, 1, 1, 0);
+verify_divu1(1, 2, 0, 1);
+verify_divu1(17, 19, 0, 17);
+verify_divu1(19, 17, 1, 2);
+verify_divu1(3, 101, 770, 3);
+
+return 0;
+}
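
Review bot: `divu1()` has no guard for `rt == 0`; the host-side reference `rs / rt` and `rs % rt` is undefined behaviour in C for a zero divisor, so either `assert(rt != 0)` at the top or document that callers must never pass zero. Separately, the vector `verify_divu1(3, 101, 770, 3)` cannot hold as written (3 / 101 is 0 remainder 3); the literal looks damaged in this copy of the patch (compare the `index 00..72aeed31de` line), so verify the dividend in the file before applying.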
-- 
2.18.1




[Qemu-devel] [PATCH v8 37/38] target/mips: Define the R5900 CPU

2018-10-21 Thread Fredrik Noring
The primary purpose of this change is to support programs compiled by
GCC for the R5900 target and thereby run R5900 Linux distributions, for
example Gentoo.

GCC in version 7.3, by itself, by inspection of the GCC source code
and inspection of the generated machine code, for the R5900 target,
only emits two instructions that are specific to the R5900: the three-
operand MULT and MULTU. GCC and libc also emit certain MIPS III
instructions that are not part of the R5900 ISA. They are normally
trapped and emulated by the Linux kernel, and therefore need to be
treated accordingly by QEMU.

A program compiled by GCC is taken to mean source code compiled by GCC
under the restrictions above. One can, with the apparent limitations,
with a bit of effort obtain a fully functioning operating system such
as R5900 Gentoo. Strictly speaking, programs need not be compiled by
GCC to make use of this change.

Instructions and other facilities of the R5900 not implemented by this
change are intended to signal provisional exceptions. One such example
is the FPU that is not compliant with IEEE 754-1985 in system mode. It
is therefore provisionally disabled. In user space the FPU is trapped
and emulated by IEEE 754-1985 compliant software in the kernel, and
this is handled accordingly by QEMU. Another example is the 93
multimedia instructions specific to the R5900 that generate provisional
reserved instruction exception signals.

One of the benefits of running a Linux distribution under QEMU is that
programs can be compiled with a native compiler, where the host and
target are the same, as opposed to a cross-compiler, where they are
not the same. This is especially important in cases where the target
hardware does not have the resources to run a native compiler.

Problems with cross-compilation are often related to host and target
differences in integer sizes, pointer sizes, endianness, machine code,
ABI, etc. Sometimes cross-compilation is not even supported by the
build script for a given package. One effective way to avoid those
problems is to replace the cross-compiler with a native compiler. This
change of compilation methods does not resolve the inherent problems
with cross-compilation.

The native compiler naturally replaces the cross-compiler, because one
typically uses one or the other, and preferably the native compiler
when the circumstances admit this. The native compiler is also a good
test case for the R5900 QEMU user mode. Additionally, Gentoo is well-
known for compiling and installing its packages from sources.

This change has been tested with Gentoo compiled for R5900, including
native compilation of several packages under QEMU.

Signed-off-by: Fredrik Noring 
Reviewed-by: Philippe Mathieu-Daudé 
---
 target/mips/translate_init.inc.c | 59 
 1 file changed, 59 insertions(+)

diff --git a/target/mips/translate_init.inc.c b/target/mips/translate_init.inc.c
index acab097820..07a6c81e68 100644
--- a/target/mips/translate_init.inc.c
+++ b/target/mips/translate_init.inc.c
@@ -410,6 +410,65 @@ const mips_def_t mips_defs[] =
 .insn_flags = CPU_MIPS32R5 | ASE_MSA,
 .mmu_type = MMU_TYPE_R4000,
 },
+{
+/*
+ * The Toshiba TX System RISC TX79 Core Architecture manual
+ *
+ * https://wiki.qemu.org/File:C790.pdf
+ *
+ * describes the C790 processor that is a follow-up to the R5900.
+ * There are a few notable differences in that the R5900 FPU
+ *
+ * - is not IEEE 754-1985 compliant,
+ * - does not implement double format, and
+ * - its machine code is nonstandard.
+ */
+.name = "R5900",
+.CP0_PRid = 0x2E00,
+/* No L2 cache, icache size 32k, dcache size 32k, uncached coherency. 
*/
+.CP0_Config0 = (0x3 << 9) | (0x3 << 6) | (0x2 << CP0C0_K0),
+.CP0_Status_rw_bitmask = 0xF4C79C1F,
+#ifdef CONFIG_USER_ONLY
+/*
+ * R5900 hardware traps to the Linux kernel for IEEE 754-1985 and LL/SC
+ * emulation. For user only, QEMU is the kernel, so we emulate the 
traps
+ * by simply emulating the instructions directly.
+ *
+ * Note: Config1 is only used internally, the R5900 has only Config0.
+ */
+.CP0_Config1 = (1 << CP0C1_FP) | (47 << CP0C1_MMU),
+.CP0_LLAddr_rw_bitmask = 0x,
+.CP0_LLAddr_shift = 4,
+.CP1_fcr0 = (0x38 << FCR0_PRID) | (0x0 << FCR0_REV),
+.CP1_fcr31 = 0,
+.CP1_fcr31_rw_bitmask = 0x0183,
+#else
+/*
+ * The R5900 COP1 FPU implements single-precision floating-point
+ * operations but is not entirely IEEE 754-1985 compatible. In
+ * particular,
+ *
+ * - NaN (not a number) and +/- infinities are not supported;
+ * - exception mechanisms are not fully supported;
+ * - denormalized numbers are not supported;
+ * - rounding towards nearest and +/- 
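
Review bot: `.CP0_LLAddr_rw_bitmask = 0x,` is not a valid C literal as shown, and the comment lines `uncached coherency.` / `*/` and `so we emulate the` / `traps` are wrapped mid-line in this copy; the hunk has been damaged in transit and is also cut off inside the COP1 comment, so check the file rather than this rendering. On substance: `(47 << CP0C1_MMU)` encodes 48 TLB entries, and since the comment already says Config1 is internal-only for the R5900, the same sentence should note that `CP0_LLAddr_shift` and the LL/SC bitmask only matter in user mode, where LL/SC are emulated (patch 24).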

[Qemu-devel] [PATCH v8 29/38] tests/tcg/mips: Test R5900 MFLO1 and MFHI1

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 tests/tcg/mips/mipsr5900/Makefile  |  3 ++-
 tests/tcg/mips/mipsr5900/mflohi1.c | 35 ++
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 tests/tcg/mips/mipsr5900/mflohi1.c

diff --git a/tests/tcg/mips/mipsr5900/Makefile 
b/tests/tcg/mips/mipsr5900/Makefile
index b3ddb9a7bf..fd8ee6b0e3 100644
--- a/tests/tcg/mips/mipsr5900/Makefile
+++ b/tests/tcg/mips/mipsr5900/Makefile
@@ -8,7 +8,8 @@ SIM_FLAGS=-cpu R5900
 CC  = $(CROSS)gcc
 CFLAGS  = -Wall -mabi=32 -march=r5900 -static
 
-TESTCASES = mult.tst
+TESTCASES = mflohi1.tst
+TESTCASES += mult.tst
 TESTCASES += multu.tst
 
 all: $(TESTCASES)
diff --git a/tests/tcg/mips/mipsr5900/mflohi1.c 
b/tests/tcg/mips/mipsr5900/mflohi1.c
new file mode 100644
index 00..eed3683dc5
--- /dev/null
+++ b/tests/tcg/mips/mipsr5900/mflohi1.c
@@ -0,0 +1,35 @@
+/*
+ * Test R5900-specific MFLO1 and MFHI1.
+ */
+
+#include 
+#include 
+#include 
+
+int main()
+{
+int32_t rs  = 12207031, rt  = 305175781;
+int32_t rs1 = 32452867, rt1 = 49979687;
+int64_t lo, hi, lo1, hi1;
+int64_t r, r1;
+
+/* Test both LO/HI and LO1/HI1 to verify separation. */
+__asm__ __volatile__ (
+"mult $0, %4, %5\n"
+"mult1 $0, %6, %7\n"
+"mflo %0\n"
+"mfhi %1\n"
+"mflo1 %2\n"
+"mfhi1 %3\n"
+: "=r" (lo),  "=r" (hi),
+  "=r" (lo1), "=r" (hi1)
+: "r" (rs),  "r" (rt),
+  "r" (rs1), "r" (rt1));
+r  = ((int64_t)hi  << 32) | (uint32_t)lo;
+r1 = ((int64_t)hi1 << 32) | (uint32_t)lo1;
+
+assert(r  == 3725290219116211);
+assert(r1 == 1621984134912629);
+
+return 0;
+}
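
Review bot: `lo`, `hi`, `lo1` and `hi1` are `int64_t`, but the test is built with `-mabi=32`, so each `"=r"` output is a register pair of which `mflo`/`mfhi` write only one; the upper half of every variable is left indeterminate, and the test passes only because `(int64_t)hi << 32` and `(uint32_t)lo` discard it and because on the little-endian target `%n` names the low word of the pair. Declare them `int32_t`, as mtlohi1.c in patch 30 does, and widen in the `r`/`r1` expressions.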
-- 
2.18.1




[Qemu-devel] [PATCH v8 36/38] tests/tcg/mips: Test R5900 three-operand MADDU1

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 tests/tcg/mips/mipsr5900/maddu.c | 37 ++--
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/tests/tcg/mips/mipsr5900/maddu.c b/tests/tcg/mips/mipsr5900/maddu.c
index e4e552102d..30936fb2b4 100644
--- a/tests/tcg/mips/mipsr5900/maddu.c
+++ b/tests/tcg/mips/mipsr5900/maddu.c
@@ -1,5 +1,5 @@
 /*
- * Test R5900-specific three-operand MADDU.
+ * Test R5900-specific three-operand MADDU and MADDU1.
  */
 
 #include 
@@ -29,9 +29,42 @@ uint64_t maddu(uint64_t a, uint32_t rs, uint32_t rt)
 return r;
 }
 
+uint64_t maddu1(uint64_t a, uint32_t rs, uint32_t rt)
+{
+uint32_t lo = a;
+uint32_t hi = a >> 32;
+uint32_t rd;
+uint64_t r;
+
+__asm__ __volatile__ (
+"mtlo1  %5\n"
+"mthi1  %6\n"
+"maddu1 %0, %3, %4\n"
+"mflo1  %1\n"
+"mfhi1  %2\n"
+: "=r" (rd), "=r" (lo), "=r" (hi)
+: "r" (rs), "r" (rt), "r" (lo), "r" (hi));
+r = ((uint64_t)hi << 32) | (uint32_t)lo;
+
+assert(a + (uint64_t)rs * rt == r);
+assert(rd == lo);
+
+return r;
+}
+
+static int64_t maddu_variants(int64_t a, int32_t rs, int32_t rt)
+{
+int64_t rd  = maddu(a, rs, rt);
+int64_t rd1 = maddu1(a, rs, rt);
+
+assert(rd == rd1);
+
+return rd;
+}
+
 int main()
 {
-assert(maddu(13, 17, 19) == 336);
+assert(maddu_variants(13, 17, 19) == 336);
 
 return 0;
 }
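
Review bot: `maddu_variants` takes `int64_t a, int32_t rs, int32_t rt` and returns `int64_t`, while `maddu` and `maddu1` are unsigned throughout; any argument above 0x7FFFFFFF would be sign-converted before reaching the unsigned helpers. Declare the wrapper as `uint64_t maddu_variants(uint64_t a, uint32_t rs, uint32_t rt)` so full-range unsigned vectors can be added later without surprises.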
-- 
2.18.1




[Qemu-devel] [PATCH v8 26/38] tests/tcg/mips: Test R5900 three-operand MULTU

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 tests/tcg/mips/mipsr5900/Makefile |  1 +
 tests/tcg/mips/mipsr5900/multu.c  | 39 +++
 2 files changed, 40 insertions(+)
 create mode 100644 tests/tcg/mips/mipsr5900/multu.c

diff --git a/tests/tcg/mips/mipsr5900/Makefile 
b/tests/tcg/mips/mipsr5900/Makefile
index 6757168fc9..b3ddb9a7bf 100644
--- a/tests/tcg/mips/mipsr5900/Makefile
+++ b/tests/tcg/mips/mipsr5900/Makefile
@@ -9,6 +9,7 @@ CC  = $(CROSS)gcc
 CFLAGS  = -Wall -mabi=32 -march=r5900 -static
 
 TESTCASES = mult.tst
+TESTCASES += multu.tst
 
 all: $(TESTCASES)
 
diff --git a/tests/tcg/mips/mipsr5900/multu.c b/tests/tcg/mips/mipsr5900/multu.c
new file mode 100644
index 00..3a59675395
--- /dev/null
+++ b/tests/tcg/mips/mipsr5900/multu.c
@@ -0,0 +1,39 @@
+/*
+ * Test R5900-specific three-operand MULTU.
+ */
+
+#include 
+#include 
+#include 
+
+static uint64_t multu(uint32_t rs, uint32_t rt)
+{
+uint32_t rd, lo, hi;
+uint64_t r;
+
+__asm__ __volatile__ (
+"multu %0, %3, %4\n"
+"mflo %1\n"
+"mfhi %2\n"
+: "=r" (rd), "=r" (lo), "=r" (hi)
+: "r" (rs), "r" (rt));
+r = ((uint64_t)hi << 32) | (uint32_t)lo;
+
+assert((uint64_t)rs * rt == r);
+assert(rd == lo);
+
+return r;
+}
+
+int main()
+{
+assert(multu(17, 19) == 323);
+assert(multu(3, 1) == 7776600043);
+assert(multu(12207031, 305175781) == 3725290219116211);
+
+assert(multu(0x8000U, 0x7FFF) == 0x3FFF8000);
+assert(multu(0x8000U, 0x8000U) ==  0x4000);
+assert(multu(0xU, 0xU) ==  0xFFFE0001U);
+
+return 0;
+}
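
Review bot: some literals in `main()` cannot be right as shown: `multu(3, 1) == 7776600043` does not hold, `0x8000U * 0x8000U` is 0x40000000 rather than 0x4000, and `0xU` is not a valid token; repeated digit runs appear to have been dropped in this copy of the patch. Verify the vectors in the file, and consider writing the boundary cases as `UINT32_MAX` and `(uint32_t)INT32_MAX` from <stdint.h> so the intent survives this kind of mangling.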
-- 
2.18.1




[Qemu-devel] [PATCH v8 30/38] tests/tcg/mips: Test R5900 MTLO1 and MTHI1

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 tests/tcg/mips/mipsr5900/Makefile  |  1 +
 tests/tcg/mips/mipsr5900/mtlohi1.c | 40 ++
 2 files changed, 41 insertions(+)
 create mode 100644 tests/tcg/mips/mipsr5900/mtlohi1.c

diff --git a/tests/tcg/mips/mipsr5900/Makefile 
b/tests/tcg/mips/mipsr5900/Makefile
index fd8ee6b0e3..287c248f6d 100644
--- a/tests/tcg/mips/mipsr5900/Makefile
+++ b/tests/tcg/mips/mipsr5900/Makefile
@@ -9,6 +9,7 @@ CC  = $(CROSS)gcc
 CFLAGS  = -Wall -mabi=32 -march=r5900 -static
 
 TESTCASES = mflohi1.tst
+TESTCASES += mtlohi1.tst
 TESTCASES += mult.tst
 TESTCASES += multu.tst
 
diff --git a/tests/tcg/mips/mipsr5900/mtlohi1.c 
b/tests/tcg/mips/mipsr5900/mtlohi1.c
new file mode 100644
index 00..7f3e72835a
--- /dev/null
+++ b/tests/tcg/mips/mipsr5900/mtlohi1.c
@@ -0,0 +1,40 @@
+/*
+ * Test R5900-specific MTLO1 and MTHI1.
+ */
+
+#include 
+#include 
+#include 
+
+int main()
+{
+int32_t tlo  = 12207031, thi  = 305175781;
+int32_t tlo1 = 32452867, thi1 = 49979687;
+int32_t flo, fhi, flo1, fhi1;
+
+/* Test both LO/HI and LO1/HI1 to verify separation. */
+__asm__ __volatile__ (
+"mtlo  %4\n"
+"mthi  %5\n"
+"mtlo1 %6\n"
+"mthi1 %7\n"
+"move  %0, $0\n"
+"move  %1, $0\n"
+"move  %2, $0\n"
+"move  %3, $0\n"
+"mflo  %0\n"
+"mfhi  %1\n"
+"mflo1 %2\n"
+"mfhi1 %3\n"
+: "=r" (flo),  "=r" (fhi),
+  "=r" (flo1), "=r" (fhi1)
+: "r" (tlo),  "r" (thi),
+  "r" (tlo1), "r" (thi1));
+
+assert(flo  == 12207031);
+assert(fhi  == 305175781);
+assert(flo1 == 32452867);
+assert(fhi1 == 49979687);
+
+return 0;
+}
-- 
2.18.1




[Qemu-devel] [PATCH v8 35/38] tests/tcg/mips: Test R5900 three-operand MADDU

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 tests/tcg/mips/mipsr5900/Makefile |  1 +
 tests/tcg/mips/mipsr5900/maddu.c  | 37 +++
 2 files changed, 38 insertions(+)
 create mode 100644 tests/tcg/mips/mipsr5900/maddu.c

diff --git a/tests/tcg/mips/mipsr5900/Makefile 
b/tests/tcg/mips/mipsr5900/Makefile
index 97ca2a671c..27ee5d5f54 100644
--- a/tests/tcg/mips/mipsr5900/Makefile
+++ b/tests/tcg/mips/mipsr5900/Makefile
@@ -11,6 +11,7 @@ CFLAGS  = -Wall -mabi=32 -march=r5900 -static
 TESTCASES = div1.tst
 TESTCASES += divu1.tst
 TESTCASES += madd.tst
+TESTCASES += maddu.tst
 TESTCASES += mflohi1.tst
 TESTCASES += mtlohi1.tst
 TESTCASES += mult.tst
diff --git a/tests/tcg/mips/mipsr5900/maddu.c b/tests/tcg/mips/mipsr5900/maddu.c
new file mode 100644
index 00..e4e552102d
--- /dev/null
+++ b/tests/tcg/mips/mipsr5900/maddu.c
@@ -0,0 +1,37 @@
+/*
+ * Test R5900-specific three-operand MADDU.
+ */
+
+#include 
+#include 
+#include 
+
+uint64_t maddu(uint64_t a, uint32_t rs, uint32_t rt)
+{
+uint32_t lo = a;
+uint32_t hi = a >> 32;
+uint32_t rd;
+uint64_t r;
+
+__asm__ __volatile__ (
+"mtlo  %5\n"
+"mthi  %6\n"
+"maddu %0, %3, %4\n"
+"mflo  %1\n"
+"mfhi  %2\n"
+: "=r" (rd), "=r" (lo), "=r" (hi)
+: "r" (rs), "r" (rt), "r" (lo), "r" (hi));
+r = ((uint64_t)hi << 32) | (uint32_t)lo;
+
+assert(a + (uint64_t)rs * rt == r);
+assert(rd == lo);
+
+return r;
+}
+
+int main()
+{
+assert(maddu(13, 17, 19) == 336);
+
+return 0;
+}
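
Review bot: the only vector, `maddu(13, 17, 19) == 336`, never carries out of LO into HI, which is exactly the path `tcg_gen_add2_i32` implements for MADDU in patch 23; add at least one case with the accumulator near the 32-bit boundary (for example `a = 0xFFFFFFFFULL, rs = 1, rt = 1`, expected 0x100000000) so a broken carry propagation is caught.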
-- 
2.18.1




[Qemu-devel] [PATCH v8 27/38] tests/tcg/mips: Test R5900 three-operand MULT1

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 tests/tcg/mips/mipsr5900/mult.c | 45 +++--
 1 file changed, 37 insertions(+), 8 deletions(-)

diff --git a/tests/tcg/mips/mipsr5900/mult.c b/tests/tcg/mips/mipsr5900/mult.c
index 2c0c16d232..5710b395e6 100644
--- a/tests/tcg/mips/mipsr5900/mult.c
+++ b/tests/tcg/mips/mipsr5900/mult.c
@@ -1,5 +1,5 @@
 /*
- * Test R5900-specific three-operand MULT.
+ * Test R5900-specific three-operand MULT and MULT1.
  */
 
 #include 
@@ -25,12 +25,41 @@ static int64_t mult(int32_t rs, int32_t rt)
 return r;
 }
 
+static int64_t mult1(int32_t rs, int32_t rt)
+{
+int32_t rd, lo, hi;
+int64_t r;
+
+__asm__ __volatile__ (
+"mult1 %0, %3, %4\n"
+"mflo1 %1\n"
+"mfhi1 %2\n"
+: "=r" (rd), "=r" (lo), "=r" (hi)
+: "r" (rs), "r" (rt));
+r = ((int64_t)hi << 32) | (uint32_t)lo;
+
+assert((int64_t)rs * rt == r);
+assert(rd == lo);
+
+return r;
+}
+
+static int64_t mult_variants(int32_t rs, int32_t rt)
+{
+int64_t rd  = mult(rs, rt);
+int64_t rd1 = mult1(rs, rt);
+
+assert(rd == rd1);
+
+return rd;
+}
+
 static void verify_mult_negations(int32_t rs, int32_t rt, int64_t expected)
 {
-assert(mult(rs, rt) == expected);
-assert(mult(-rs, rt) == -expected);
-assert(mult(rs, -rt) == -expected);
-assert(mult(-rs, -rt) == expected);
+assert(mult_variants(rs, rt) == expected);
+assert(mult_variants(-rs, rt) == -expected);
+assert(mult_variants(rs, -rt) == -expected);
+assert(mult_variants(-rs, -rt) == expected);
 }
 
 int main()
@@ -39,9 +68,9 @@ int main()
 verify_mult_negations(3, 1, 7776600043);
 verify_mult_negations(12207031, 305175781, 3725290219116211);
 
-assert(mult(-0x8000,  0x7FFF) == -0x3FFF8000);
-assert(mult(-0x8000, -0x7FFF) ==  0x3FFF8000);
-assert(mult(-0x8000, -0x8000) ==  0x4000);
+assert(mult_variants(-0x8000,  0x7FFF) == -0x3FFF8000);
+assert(mult_variants(-0x8000, -0x7FFF) ==  0x3FFF8000);
+assert(mult_variants(-0x8000, -0x8000) ==  0x4000);
 
 return 0;
 }
-- 
2.18.1




[Qemu-devel] [PATCH v8 24/38] target/mips: R5900 DMULT[U], DDIV[U], LL[D] and SC[D] are user only

2018-10-21 Thread Fredrik Noring
The Linux kernel traps certain reserved instruction exceptions to
emulate the corresponding instructions. QEMU is the kernel in user
mode, so those traps are emulated by accepting the instructions.

This change adds the function check_insn_opc_user_only to signal a
reserved instruction exception for flagged CPUs in QEMU system mode.

The MIPS III instructions DMULT[U], DDIV[U], LL[D] and SC[D] are not
implemented in R5900 hardware. They are trapped and emulated by the
Linux kernel and, accordingly, therefore QEMU user only instructions.

Signed-off-by: Fredrik Noring 
Reviewed-by: Philippe Mathieu-Daudé 
---
 target/mips/translate.c | 23 ++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index 3977c57a22..066119c3e1 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -2872,6 +2872,21 @@ static inline void check_insn_opc_removed(DisasContext 
*ctx, uint64_t flags)
 }
 }
 
+/*
+ * The Linux kernel traps certain reserved instruction exceptions to
+ * emulate the corresponding instructions. QEMU is the kernel in user
+ * mode, so those traps are emulated by accepting the instructions.
+ *
+ * A reserved instruction exception is generated for flagged CPUs if
+ * QEMU runs in system mode.
+ */
+static inline void check_insn_opc_user_only(DisasContext *ctx, uint64_t flags)
+{
+#ifndef CONFIG_USER_ONLY
+check_insn_opc_removed(ctx, flags);
+#endif
+}
+
 /* This code generates a "reserved instruction" exception if the
CPU does not support 64-bit paired-single (PS) floating point data type */
 static inline void check_ps(DisasContext *ctx)
@@ -23643,6 +23658,7 @@ static void decode_opc_special_legacy(CPUMIPSState 
*env, DisasContext *ctx)
 case OPC_DDIV:
 case OPC_DDIVU:
 check_insn(ctx, ISA_MIPS3);
+check_insn_opc_user_only(ctx, INSN_R5900);
 check_mips_64(ctx);
 gen_muldiv(ctx, op1, 0, rs, rt);
 break;
@@ -26398,6 +26414,7 @@ static void decode_opc(CPUMIPSState *env, DisasContext 
*ctx)
  break;
 case OPC_LL: /* Load and stores */
 check_insn(ctx, ISA_MIPS2);
+check_insn_opc_user_only(ctx, INSN_R5900);
 /* Fallthrough */
 case OPC_LWL:
 case OPC_LWR:
@@ -26423,6 +26440,7 @@ static void decode_opc(CPUMIPSState *env, DisasContext 
*ctx)
 case OPC_SC:
 check_insn(ctx, ISA_MIPS2);
  check_insn_opc_removed(ctx, ISA_MIPS32R6);
+check_insn_opc_user_only(ctx, INSN_R5900);
  gen_st_cond(ctx, op, rt, rs, imm);
  break;
 case OPC_CACHE:
@@ -26689,9 +26707,11 @@ static void decode_opc(CPUMIPSState *env, DisasContext 
*ctx)
 
 #if defined(TARGET_MIPS64)
 /* MIPS64 opcodes */
+case OPC_LLD:
+check_insn_opc_user_only(ctx, INSN_R5900);
+/* fall through */
 case OPC_LDL:
 case OPC_LDR:
-case OPC_LLD:
 check_insn_opc_removed(ctx, ISA_MIPS32R6);
 /* fall through */
 case OPC_LWU:
@@ -26712,6 +26732,7 @@ static void decode_opc(CPUMIPSState *env, DisasContext 
*ctx)
 case OPC_SCD:
 check_insn_opc_removed(ctx, ISA_MIPS32R6);
 check_insn(ctx, ISA_MIPS3);
+check_insn_opc_user_only(ctx, INSN_R5900);
 check_mips_64(ctx);
 gen_st_cond(ctx, op, rt, rs, imm);
 break;
-- 
2.18.1




[Qemu-devel] [PATCH v8 31/38] tests/tcg/mips: Test R5900 DIV1

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 tests/tcg/mips/mipsr5900/Makefile |  3 +-
 tests/tcg/mips/mipsr5900/div1.c   | 73 +++
 2 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 tests/tcg/mips/mipsr5900/div1.c

diff --git a/tests/tcg/mips/mipsr5900/Makefile 
b/tests/tcg/mips/mipsr5900/Makefile
index 287c248f6d..757eb83862 100644
--- a/tests/tcg/mips/mipsr5900/Makefile
+++ b/tests/tcg/mips/mipsr5900/Makefile
@@ -8,7 +8,8 @@ SIM_FLAGS=-cpu R5900
 CC  = $(CROSS)gcc
 CFLAGS  = -Wall -mabi=32 -march=r5900 -static
 
-TESTCASES = mflohi1.tst
+TESTCASES = div1.tst
+TESTCASES += mflohi1.tst
 TESTCASES += mtlohi1.tst
 TESTCASES += mult.tst
 TESTCASES += multu.tst
diff --git a/tests/tcg/mips/mipsr5900/div1.c b/tests/tcg/mips/mipsr5900/div1.c
new file mode 100644
index 00..83dafa018b
--- /dev/null
+++ b/tests/tcg/mips/mipsr5900/div1.c
@@ -0,0 +1,73 @@
+/*
+ * Test R5900-specific DIV1.
+ */
+
+#include 
+#include 
+#include 
+
+struct quotient_remainder { int32_t quotient, remainder; };
+
+static struct quotient_remainder div1(int32_t rs, int32_t rt)
+{
+int32_t lo, hi;
+
+__asm__ __volatile__ (
+"div1 $0, %2, %3\n"
+"mflo1 %0\n"
+"mfhi1 %1\n"
+: "=r" (lo), "=r" (hi)
+: "r" (rs), "r" (rt));
+
+assert(rs / rt == lo);
+assert(rs % rt == hi);
+
+return (struct quotient_remainder) { .quotient = lo, .remainder = hi };
+}
+
+static void verify_div1(int32_t rs, int32_t rt,
+int32_t expected_quotient,
+int32_t expected_remainder)
+{
+struct quotient_remainder qr = div1(rs, rt);
+
+assert(qr.quotient == expected_quotient);
+assert(qr.remainder == expected_remainder);
+}
+
+static void verify_div1_negations(int32_t rs, int32_t rt,
+  int32_t expected_quotient,
+  int32_t expected_remainder)
+{
+verify_div1(rs, rt, expected_quotient, expected_remainder);
+verify_div1(rs, -rt, -expected_quotient, expected_remainder);
+verify_div1(-rs, rt, -expected_quotient, -expected_remainder);
+verify_div1(-rs, -rt, expected_quotient, -expected_remainder);
+}
+
+int main()
+{
+verify_div1_negations(0, 1, 0, 0);
+verify_div1_negations(1, 1, 1, 0);
+verify_div1_negations(1, 2, 0, 1);
+verify_div1_negations(17, 19, 0, 17);
+verify_div1_negations(19, 17, 1, 2);
+verify_div1_negations(3, 101, 770, 3);
+
+verify_div1(-0x8000,  1, -0x8000, 0);
+
+/*
+ * Supplementary explanation from the Toshiba TX System RISC TX79 Core
+ * Architecture manual, A-38 and B-7, https://wiki.qemu.org/File:C790.pdf
+ *
+ * Normally, when 0x8000 (-2147483648) the signed minimum value is
+ * divided by 0x (-1), the operation will result in an overflow.
+ * However, in this instruction an overflow exception doesn't occur and
+ * the result will be as follows:
+ *
+ * Quotient is 0x8000 (-2147483648), and remainder is 0x (0).
+ */
+verify_div1(-0x8000, -1, -0x8000, 0);
+
+return 0;
+}
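
Review bot: for the final vector `verify_div1(-0x8000, -1, -0x8000, 0)` (evidently the INT32_MIN / -1 case, with digit runs dropped in this copy), the host-side reference inside `div1()`, `assert(rs / rt == lo)` and `assert(rs % rt == hi)`, is itself signed overflow and therefore undefined behaviour in C, even though the comment right above documents that the instruction yields INT32_MIN with remainder 0 and no exception. Compute the reference in `int64_t` and truncate back to `int32_t` before comparing, or skip the C-side comparison for that one case; the same zero-divisor caveat as for divu1 applies. Also `verify_div1_negations(3, 101, 770, 3)` cannot hold as shown.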
-- 
2.18.1




[Qemu-devel] [PATCH v8 23/38] target/mips: Support R5900 three-operand MADDU and MADDU1

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 disas/mips.c|  2 ++
 target/mips/translate.c | 28 
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/disas/mips.c b/disas/mips.c
index 242bf68b9c..78c4fb6efa 100644
--- a/disas/mips.c
+++ b/disas/mips.c
@@ -2561,6 +2561,8 @@ const struct mips_opcode mips_builtin_opcodes[] =
 {"maddu",   "s,t",  0x7001, 0xfc00, RD_s|RD_t|WR_HILO|IS_M,  
0,G1  },
 {"maddu",   "7,s,t",   0x7001, 0xfc00e7ff, MOD_a|RD_s|RD_t, 0, 
D33 },
 {"maddu",   "d,s,t",0x7001, 0xfc0007ff, RD_s|RD_t|WR_HILO|WR_d|IS_M, 
0,G1  },
+{"maddu1",  "s,t",  0x7021, 0xfc00, RD_s|RD_t|WR_HILO|IS_M,  
0, EE  },
+{"maddu1",  "d,s,t",0x7021, 0xfc0007ff, RD_s|RD_t|WR_HILO|WR_d|IS_M, 
0, EE  },
 {"madd16",  "s,t",  0x0028, 0xfc00, RD_s|RD_t|MOD_HILO,0,  
N411},
 {"max.ob",  "X,Y,Q",   0x7807, 0xfc20003f, WR_D|RD_S|RD_T|FP_D,0,  
MX|SB1  },
 {"max.ob",  "D,S,T",   0x4ac7, 0xffe0003f, WR_D|RD_S|RD_T, 0,  
N54 },
diff --git a/target/mips/translate.c b/target/mips/translate.c
index 153b7e869a..3977c57a22 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -4778,7 +4778,7 @@ static void gen_muldiv(DisasContext *ctx, uint32_t opc,
 }
 
 /*
- * These MULT[U] and MADD instructions implemented in for example
+ * These MULT[U] and MADD[U] instructions implemented in for example
  * the Toshiba/Sony R5900 and the Toshiba TX19, TX39 and TX79 core
  * architectures are special three-operand variants with the syntax
  *
@@ -4790,7 +4790,7 @@ static void gen_muldiv(DisasContext *ctx, uint32_t opc,
  *
  * and
  *
- * MADD[1]rd, rs, rt
+ * MADD[U][1] rd, rs, rt
  *
  * such that
  *
@@ -4872,6 +4872,26 @@ static void gen_mul_txx9(DisasContext *ctx, uint32_t opc,
 tcg_temp_free_i32(t3);
 }
 break;
+case TX79_MMI_MADDU1:
+acc = 1;
+/* Fall through */
+case TX79_MMI_MADDU:
+{
+TCGv_i32 t2 = tcg_temp_new_i32();
+TCGv_i32 t3 = tcg_temp_new_i32();
+tcg_gen_trunc_tl_i32(t2, t0);
+tcg_gen_trunc_tl_i32(t3, t1);
+tcg_gen_mulu2_i32(t2, t3, t2, t3);
+tcg_gen_add2_i32(t2, t3, cpu_LO[acc], cpu_HI[acc], t2, t3);
+if (rd) {
+tcg_gen_ext_i32_tl(cpu_gpr[rd], t2);
+}
+tcg_gen_ext_i32_tl(cpu_LO[acc], t2);
+tcg_gen_ext_i32_tl(cpu_HI[acc], t3);
+tcg_temp_free_i32(t2);
+tcg_temp_free_i32(t3);
+}
+break;
 default:
 MIPS_INVAL("mul/madd TXx9");
 generate_exception_end(ctx, EXCP_RI);
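
Review bot: `tcg_gen_add2_i32(t2, t3, cpu_LO[acc], cpu_HI[acc], t2, t3)` passes the target-long `cpu_LO`/`cpu_HI` temporaries directly as `TCGv_i32` operands; that only type-checks when TARGET_LONG_BITS is 32, so confirm this builds for the mips64 targets if they compile this function, or truncate LO/HI into i32 temporaries first as is already done for `t0`/`t1`. Otherwise the `tcg_gen_mulu2_i32` plus `tcg_gen_add2_i32` pair is the right primitive for an unsigned 64-bit accumulate, and the rd handling mirrors the signed MADD case.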
@@ -24697,6 +24717,8 @@ static void decode_tx79_mmi(CPUMIPSState *env, 
DisasContext *ctx)
 case TX79_MMI_MULTU1:
 case TX79_MMI_MADD:
 case TX79_MMI_MADD1:
+case TX79_MMI_MADDU:
+case TX79_MMI_MADDU1:
 gen_mul_txx9(ctx, opc, rd, rs, rt);
 break;
 case TX79_MMI_DIV1:
@@ -24711,9 +24733,7 @@ static void decode_tx79_mmi(CPUMIPSState *env, 
DisasContext *ctx)
 case TX79_MMI_MFHI1:
 gen_HILO(ctx, opc, 1, rd);
 break;
-case TX79_MMI_MADDU: /* TODO: TX79_MMI_MADDU */
 case TX79_MMI_PLZCW: /* TODO: TX79_MMI_PLZCW */
-case TX79_MMI_MADDU1:/* TODO: TX79_MMI_MADDU1 */
 case TX79_MMI_PMFHL: /* TODO: TX79_MMI_PMFHL */
 case TX79_MMI_PMTHL: /* TODO: TX79_MMI_PMTHL */
 case TX79_MMI_PSLLH: /* TODO: TX79_MMI_PSLLH */
-- 
2.18.1




[Qemu-devel] [PATCH v8 20/38] target/mips: Support R5900 DIV1 and DIVU1

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 disas/mips.c|  4 
 target/mips/translate.c | 12 +---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/disas/mips.c b/disas/mips.c
index e86a2b8764..79bd119c51 100644
--- a/disas/mips.c
+++ b/disas/mips.c
@@ -2323,6 +2323,8 @@ const struct mips_opcode mips_builtin_opcodes[] =
 {"div", "z,t",  0x001a, 0xffe0, RD_s|RD_t|WR_HILO,  0, 
I1  },
 {"div", "d,v,t",   0,(int) M_DIV_3,INSN_MACRO, 0,  
I1  },
 {"div", "d,v,I",   0,(int) M_DIV_3I,   INSN_MACRO, 0,  
I1  },
+{"div1","z,s,t",0x701a, 0xfc00, RD_s|RD_t|WR_HILO,  0, 
 EE, },
+{"div1","z,t",  0x701a, 0xffe0, RD_s|RD_t|WR_HILO,  0, 
 EE, },
 {"div.d",   "D,V,T",   0x4623, 0xffe0003f, WR_D|RD_S|RD_T|FP_D,0,  
I1  },
 {"div.s",   "D,V,T",   0x4603, 0xffe0003f, WR_D|RD_S|RD_T|FP_S,0,  
I1  },
 {"div.ps",  "D,V,T",   0x46c3, 0xffe0003f, WR_D|RD_S|RD_T|FP_D,0,  
SB1 },
@@ -2331,6 +2333,8 @@ const struct mips_opcode mips_builtin_opcodes[] =
 {"divu","z,t",  0x001b, 0xffe0, RD_s|RD_t|WR_HILO,  0, 
I1  },
 {"divu","d,v,t",   0,(int) M_DIVU_3,   INSN_MACRO, 0,  
I1  },
 {"divu","d,v,I",   0,(int) M_DIVU_3I,  INSN_MACRO, 0,  
I1  },
+{"divu1",   "z,s,t",0x701b, 0xfc00, RD_s|RD_t|WR_HILO,  0, 
 EE  },
+{"divu1",   "z,t",  0x701b, 0xffe0, RD_s|WR_HILO,   0, 
 EE, },
 {"dla", "t,A(b)",  0,(int) M_DLA_AB,   INSN_MACRO, 0,  
I3  },
 {"dlca","t,A(b)",  0,(int) M_DLCA_AB,  INSN_MACRO, 0,  
I3  },
 {"dli", "t,j",  0x2400, 0xffe0, WR_t,  0,  
I3  }, /* addiu */
diff --git a/target/mips/translate.c b/target/mips/translate.c
index 2cff740bac..e2ac401d42 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -4593,11 +4593,14 @@ static void gen_muldiv(DisasContext *ctx, uint32_t opc,
 gen_load_gpr(t1, rt);
 
 if (acc != 0) {
-check_dsp(ctx);
+if (!(ctx->insn_flags & INSN_R5900)) {
+check_dsp(ctx);
+}
 }
 
 switch (opc) {
 case OPC_DIV:
+case TX79_MMI_DIV1:
 {
 TCGv t2 = tcg_temp_new();
 TCGv t3 = tcg_temp_new();
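
Review bot: the nested `if (acc != 0) { if (!(ctx->insn_flags & INSN_R5900)) { check_dsp(ctx); } }` reads more naturally as a single condition, `if (acc != 0 && !(ctx->insn_flags & INSN_R5900))`, with a one-line comment saying why the R5900 is exempt (its second LO1/HI1 accumulator is not a DSP ASE feature). Sharing the `OPC_DIV`/`OPC_DIVU` bodies through the new `TX79_MMI_DIV1`/`TX79_MMI_DIVU1` labels is fine, since the decoder passes `acc = 1` to select the register pair.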
@@ -4619,6 +4622,7 @@ static void gen_muldiv(DisasContext *ctx, uint32_t opc,
 }
 break;
 case OPC_DIVU:
+case TX79_MMI_DIVU1:
 {
 TCGv t2 = tcg_const_tl(0);
 TCGv t3 = tcg_const_tl(1);
@@ -24665,6 +24669,10 @@ static void decode_tx79_mmi(CPUMIPSState *env, 
DisasContext *ctx)
 case TX79_MMI_MULTU1:
 gen_mul_txx9(ctx, opc, rd, rs, rt);
 break;
+case TX79_MMI_DIV1:
+case TX79_MMI_DIVU1:
+gen_muldiv(ctx, opc, 1, rs, rt);
+break;
 case TX79_MMI_MTLO1:
 case TX79_MMI_MTHI1:
 gen_HILO(ctx, opc, 1, rs);
@@ -24676,8 +24684,6 @@ static void decode_tx79_mmi(CPUMIPSState *env, 
DisasContext *ctx)
 case TX79_MMI_MADD:  /* TODO: TX79_MMI_MADD */
 case TX79_MMI_MADDU: /* TODO: TX79_MMI_MADDU */
 case TX79_MMI_PLZCW: /* TODO: TX79_MMI_PLZCW */
-case TX79_MMI_DIV1:  /* TODO: TX79_MMI_DIV1 */
-case TX79_MMI_DIVU1: /* TODO: TX79_MMI_DIVU1 */
 case TX79_MMI_MADD1: /* TODO: TX79_MMI_MADD1 */
 case TX79_MMI_MADDU1:/* TODO: TX79_MMI_MADDU1 */
 case TX79_MMI_PMFHL: /* TODO: TX79_MMI_PMFHL */
-- 
2.18.1




[Qemu-devel] [PATCH v8 25/38] tests/tcg/mips: Test R5900 three-operand MULT

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 tests/tcg/mips/mipsr5900/Makefile | 25 
 tests/tcg/mips/mipsr5900/mult.c   | 47 +++
 2 files changed, 72 insertions(+)
 create mode 100644 tests/tcg/mips/mipsr5900/Makefile
 create mode 100644 tests/tcg/mips/mipsr5900/mult.c

diff --git a/tests/tcg/mips/mipsr5900/Makefile 
b/tests/tcg/mips/mipsr5900/Makefile
new file mode 100644
index 00..6757168fc9
--- /dev/null
+++ b/tests/tcg/mips/mipsr5900/Makefile
@@ -0,0 +1,25 @@
+-include ../../config-host.mak
+
+CROSS=mipsr5900el-unknown-linux-gnu-
+
+SIM=qemu-mipsel
+SIM_FLAGS=-cpu R5900
+
+CC  = $(CROSS)gcc
+CFLAGS  = -Wall -mabi=32 -march=r5900 -static
+
+TESTCASES = mult.tst
+
+all: $(TESTCASES)
+
+%.tst: %.c
+   $(CC) $(CFLAGS) $< -o $@
+
+check: $(TESTCASES)
+   @for case in $(TESTCASES); do \
+echo $(SIM) $(SIM_FLAGS) ./$$case;\
+$(SIM) $(SIM_FLAGS) ./$$case; \
+   done
+
+clean:
+   $(RM) -rf $(TESTCASES)
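
Review bot: the `check` target's `for` loop reports only the status of its last command, so a failing test binary does not fail `make check`; append `|| exit 1` to the `$(SIM) $(SIM_FLAGS) ./$$case` line. Minor: `$(RM) -rf $(TESTCASES)` removes plain files, so `-rf` is unnecessary.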
diff --git a/tests/tcg/mips/mipsr5900/mult.c b/tests/tcg/mips/mipsr5900/mult.c
new file mode 100644
index 00..2c0c16d232
--- /dev/null
+++ b/tests/tcg/mips/mipsr5900/mult.c
@@ -0,0 +1,47 @@
+/*
+ * Test R5900-specific three-operand MULT.
+ */
+
+#include 
+#include 
+#include 
+
+static int64_t mult(int32_t rs, int32_t rt)
+{
+int32_t rd, lo, hi;
+int64_t r;
+
+__asm__ __volatile__ (
+"mult %0, %3, %4\n"
+"mflo %1\n"
+"mfhi %2\n"
+: "=r" (rd), "=r" (lo), "=r" (hi)
+: "r" (rs), "r" (rt));
+r = ((int64_t)hi << 32) | (uint32_t)lo;
+
+assert((int64_t)rs * rt == r);
+assert(rd == lo);
+
+return r;
+}
+
+static void verify_mult_negations(int32_t rs, int32_t rt, int64_t expected)
+{
+assert(mult(rs, rt) == expected);
+assert(mult(-rs, rt) == -expected);
+assert(mult(rs, -rt) == -expected);
+assert(mult(-rs, -rt) == expected);
+}
+
+int main()
+{
+verify_mult_negations(17, 19, 323);
+verify_mult_negations(3, 1, 7776600043);
+verify_mult_negations(12207031, 305175781, 3725290219116211);
+
+assert(mult(-0x8000,  0x7FFF) == -0x3FFF8000);
+assert(mult(-0x8000, -0x7FFF) ==  0x3FFF8000);
+assert(mult(-0x8000, -0x8000) ==  0x4000);
+
+return 0;
+}
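
Review bot: `verify_mult_negations(3, 1, 7776600043)` cannot hold (3 * 1 is 3), and `mult(-0x8000, -0x8000) == 0x4000` is wrong as shown (0x8000 * 0x8000 is 0x40000000); the first two `-0x8000` assertions happen to be true, but all of these are evidently the INT32_MIN/INT32_MAX boundary cases with digit runs dropped in this copy of the patch. Verify the literals in the file, and prefer `INT32_MIN` and `INT32_MAX` from <stdint.h> so the vectors are self-describing.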
-- 
2.18.1




[Qemu-devel] [PATCH v8 21/38] target/mips: Support R5900 MOVN, MOVZ and PREF from MIPS IV

2018-10-21 Thread Fredrik Noring
The R5900 is taken to be MIPS III with certain modifications. From
MIPS IV it implements the instructions MOVN, MOVZ and PREF.

Signed-off-by: Fredrik Noring 
Reviewed-by: Philippe Mathieu-Daudé 
---
 target/mips/translate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index e2ac401d42..1f3dc3d406 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -23552,7 +23552,7 @@ static void decode_opc_special_legacy(CPUMIPSState 
*env, DisasContext *ctx)
 case OPC_MOVN: /* Conditional move */
 case OPC_MOVZ:
 check_insn(ctx, ISA_MIPS4 | ISA_MIPS32 |
-   INSN_LOONGSON2E | INSN_LOONGSON2F);
+   INSN_LOONGSON2E | INSN_LOONGSON2F | INSN_R5900);
 gen_cond_move(ctx, op1, rd, rs, rt);
 break;
 case OPC_MFHI:  /* Move from HI/LO */
@@ -26388,7 +26388,8 @@ static void decode_opc(CPUMIPSState *env, DisasContext 
*ctx)
 break;
 case OPC_PREF:
 check_insn_opc_removed(ctx, ISA_MIPS32R6);
-check_insn(ctx, ISA_MIPS4 | ISA_MIPS32);
+check_insn(ctx, ISA_MIPS4 | ISA_MIPS32 |
+   INSN_R5900);
 /* Treat as NOP. */
 break;
 
-- 
2.18.1




[Qemu-devel] [PATCH v8 38/38] linux-user/mips: Recognise the R5900 CPU model

2018-10-21 Thread Fredrik Noring
This kind of ELF for the R5900 relies on an IEEE 754-1985 compliant FPU.
The R5900 FPU hardware is noncompliant and it is therefore emulated in
software by the Linux kernel. QEMU emulates a compliant FPU accordingly.

Signed-off-by: Fredrik Noring 
Reviewed-by: Philippe Mathieu-Daudé 
---
 linux-user/mips/target_elf.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/linux-user/mips/target_elf.h b/linux-user/mips/target_elf.h
index fa5d30bf99..a98c9bd6ad 100644
--- a/linux-user/mips/target_elf.h
+++ b/linux-user/mips/target_elf.h
@@ -12,6 +12,9 @@ static inline const char *cpu_get_model(uint32_t eflags)
 if ((eflags & EF_MIPS_ARCH) == EF_MIPS_ARCH_32R6) {
 return "mips32r6-generic";
 }
+if ((eflags & EF_MIPS_MACH) == EF_MIPS_MACH_5900) {
+return "R5900";
+}
 return "24Kf";
 }
 #endif
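Review bot: the new test reads EF_MIPS_MACH while the preceding one reads EF_MIPS_ARCH, so the two cannot both match and their order does not matter; still, a short comment that the machine field overrides the architecture-based default ("24Kf") would spare the next reader from wondering whether an R5900 ELF flagged 32R6 is possible. Also worth confirming that "R5900" is exactly the model name registered in the MIPS CPU definitions, since the string returned by cpu_get_model is matched literally.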
-- 
2.18.1




[Qemu-devel] [PATCH v8 15/38] target/mips: Placeholder for R5900 MMI2 instruction subclass

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 target/mips/translate.c | 40 +++-
 1 file changed, 39 insertions(+), 1 deletion(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index 28137cdaf4..e5ac9f17e0 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -24491,6 +24491,42 @@ static void decode_tx79_mmi1(CPUMIPSState *env, 
DisasContext *ctx)
 }
 }
 
+static void decode_tx79_mmi2(CPUMIPSState *env, DisasContext *ctx)
+{
+uint32_t opc = MASK_TX79_MMI2(ctx->opcode);
+
+switch (opc) {
+case TX79_MMI2_PMADDW:/* TODO: TX79_MMI2_PMADDW */
+case TX79_MMI2_PSLLVW:/* TODO: TX79_MMI2_PSLLVW */
+case TX79_MMI2_PSRLVW:/* TODO: TX79_MMI2_PSRLVW */
+case TX79_MMI2_PMSUBW:/* TODO: TX79_MMI2_PMSUBW */
+case TX79_MMI2_PMFHI: /* TODO: TX79_MMI2_PMFHI */
+case TX79_MMI2_PMFLO: /* TODO: TX79_MMI2_PMFLO */
+case TX79_MMI2_PINTH: /* TODO: TX79_MMI2_PINTH */
+case TX79_MMI2_PMULTW:/* TODO: TX79_MMI2_PMULTW */
+case TX79_MMI2_PDIVW: /* TODO: TX79_MMI2_PDIVW */
+case TX79_MMI2_PCPYLD:/* TODO: TX79_MMI2_PCPYLD */
+case TX79_MMI2_PMADDH:/* TODO: TX79_MMI2_PMADDH */
+case TX79_MMI2_PHMADH:/* TODO: TX79_MMI2_PHMADH */
+case TX79_MMI2_PAND:  /* TODO: TX79_MMI2_PAND */
+case TX79_MMI2_PXOR:  /* TODO: TX79_MMI2_PXOR */
+case TX79_MMI2_PMSUBH:/* TODO: TX79_MMI2_PMSUBH */
+case TX79_MMI2_PHMSBH:/* TODO: TX79_MMI2_PHMSBH */
+case TX79_MMI2_PEXEH: /* TODO: TX79_MMI2_PEXEH */
+case TX79_MMI2_PREVH: /* TODO: TX79_MMI2_PREVH */
+case TX79_MMI2_PMULTH:/* TODO: TX79_MMI2_PMULTH */
+case TX79_MMI2_PDIVBW:/* TODO: TX79_MMI2_PDIVBW */
+case TX79_MMI2_PEXEW: /* TODO: TX79_MMI2_PEXEW */
+case TX79_MMI2_PROT3W:/* TODO: TX79_MMI2_PROT3W */
+generate_exception_end(ctx, EXCP_RI); /* TODO: TX79_MMI_CLASS_MMI2 */
+break;
+default:
+MIPS_INVAL("TX79 MMI class MMI2");
+generate_exception_end(ctx, EXCP_RI);
+break;
+}
+}
+
 static void decode_tx79_mmi(CPUMIPSState *env, DisasContext *ctx)
 {
 uint32_t opc = MASK_TX79_MMI(ctx->opcode);
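Review bot: the TODO on the generate_exception_end line in decode_tx79_mmi2 duplicates the per-case TODOs above it, and the listed cases do exactly what the default branch does apart from skipping MIPS_INVAL; dropping that trailing comment (or the per-case ones) leaves each placeholder function with a single marker to grep for once the instructions are implemented.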
@@ -24502,10 +24538,12 @@ static void decode_tx79_mmi(CPUMIPSState *env, 
DisasContext *ctx)
 case TX79_MMI_CLASS_MMI1:
 decode_tx79_mmi1(env, ctx);
 break;
+case TX79_MMI_CLASS_MMI2:
+decode_tx79_mmi2(env, ctx);
+break;
 case TX79_MMI_MADD:  /* TODO: TX79_MMI_MADD */
 case TX79_MMI_MADDU: /* TODO: TX79_MMI_MADDU */
 case TX79_MMI_PLZCW: /* TODO: TX79_MMI_PLZCW */
-case TX79_MMI_CLASS_MMI2:/* TODO: TX79_MMI_CLASS_MMI2 */
 case TX79_MMI_MFHI1: /* TODO: TX79_MMI_MFHI1 */
 case TX79_MMI_MTHI1: /* TODO: TX79_MMI_MTHI1 */
 case TX79_MMI_MFLO1: /* TODO: TX79_MMI_MFLO1 */
-- 
2.18.1




[Qemu-devel] [PATCH v8 19/38] target/mips: Support R5900 MFLO1, MTLO1, MFHI1 and MTHI1

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 disas/mips.c|  4 
 target/mips/translate.c | 23 +--
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/disas/mips.c b/disas/mips.c
index ae72059c46..e86a2b8764 100644
--- a/disas/mips.c
+++ b/disas/mips.c
@@ -2594,8 +2594,10 @@ const struct mips_opcode mips_builtin_opcodes[] =
 {"mfdr","t,G", 0x703d, 0xffe007ff, LCD|WR_t|RD_C0, 0,  
N5  },
 {"mfhi","d",   0x0010, 0x07ff, WR_d|RD_HI, 0,  
I1  },
 {"mfhi","d,9", 0x0010, 0xff9f07ff, WR_d|RD_HI, 0,  
D32 },
+{"mfhi1",   "d",0x7010, 0x07ff, WR_d|RD_HI, 0, 
 EE  },
 {"mflo","d",   0x0012, 0x07ff, WR_d|RD_LO, 0,  
I1  },
 {"mflo","d,9", 0x0012, 0xff9f07ff, WR_d|RD_LO, 0,  
D32 },
+{"mflo1",   "d",0x7012, 0x07ff, WR_d|RD_LO, 0, 
 EE  },
 {"mflhxu",  "d",   0x0052, 0x07ff, WR_d|MOD_HILO,  0,  
SMT },
 {"min.ob",  "X,Y,Q",   0x7806, 0xfc20003f, WR_D|RD_S|RD_T|FP_D,0,  
MX|SB1  },
 {"min.ob",  "D,S,T",   0x4ac6, 0xffe0003f, WR_D|RD_S|RD_T, 0,  
N54 },
@@ -2661,8 +2663,10 @@ const struct mips_opcode mips_builtin_opcodes[] =
 {"mtdr","t,G", 0x7080003d, 0xffe007ff, COD|RD_t|WR_C0, 0,  
N5  },
 {"mthi","s",   0x0011, 0xfc1f, RD_s|WR_HI, 0,  
I1  },
 {"mthi","s,7", 0x0011, 0xfc1fe7ff, RD_s|WR_HI, 0,  
D32 },
+{"mthi1",   "s",0x7011, 0xfc1f, RD_s|WR_HI, 0, 
 EE  },
 {"mtlo","s",   0x0013, 0xfc1f, RD_s|WR_LO, 0,  
I1  },
 {"mtlo","s,7", 0x0013, 0xfc1fe7ff, RD_s|WR_LO, 0,  
D32 },
+{"mtlo1",   "s",0x7013, 0xfc1f, RD_s|WR_LO, 0, 
 EE  },
 {"mtlhx",   "s",   0x0053, 0xfc1f, RD_s|MOD_HILO,  0,  
SMT },
 {"mttc0",   "t,G", 0x4180, 0xffe007ff, TRAP|COD|RD_t|WR_C0|WR_CC, 0,   
MT32},
 {"mttc0",   "t,+D",0x4180, 0xffe007f8, TRAP|COD|RD_t|WR_C0|WR_CC, 0,   
MT32},
diff --git a/target/mips/translate.c b/target/mips/translate.c
index df69fa0e9f..2cff740bac 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -4229,17 +4229,21 @@ static void gen_shift(DisasContext *ctx, uint32_t opc,
 /* Arithmetic on HI/LO registers */
 static void gen_HILO(DisasContext *ctx, uint32_t opc, int acc, int reg)
 {
-if (reg == 0 && (opc == OPC_MFHI || opc == OPC_MFLO)) {
+if (reg == 0 && (opc == OPC_MFHI || opc == TX79_MMI_MFHI1 ||
+ opc == OPC_MFLO || opc == TX79_MMI_MFLO1)) {
 /* Treat as NOP. */
 return;
 }
 
 if (acc != 0) {
-check_dsp(ctx);
+if (!(ctx->insn_flags & INSN_R5900)) {
+check_dsp(ctx);
+}
 }
 
 switch (opc) {
 case OPC_MFHI:
+case TX79_MMI_MFHI1:
 #if defined(TARGET_MIPS64)
 if (acc != 0) {
 tcg_gen_ext32s_tl(cpu_gpr[reg], cpu_HI[acc]);
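Review bot: the R5900 exemption from check_dsp() in gen_HILO applies to every opcode, not only TX79_MMI_MFHI1/MFLO1/MTHI1/MTLO1, so an OPC_MFHI call with acc != 0 would also bypass the DSP check on this CPU. That is harmless only because the R5900 decoder (last hunk of this patch) is the sole caller passing acc = 1 for it; a comment stating that, or folding the condition into `if (acc != 0 && !(ctx->insn_flags & INSN_R5900))`, would make the intent explicit.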
@@ -4250,6 +4254,7 @@ static void gen_HILO(DisasContext *ctx, uint32_t opc, int 
acc, int reg)
 }
 break;
 case OPC_MFLO:
+case TX79_MMI_MFLO1:
 #if defined(TARGET_MIPS64)
 if (acc != 0) {
 tcg_gen_ext32s_tl(cpu_gpr[reg], cpu_LO[acc]);
@@ -4260,6 +4265,7 @@ static void gen_HILO(DisasContext *ctx, uint32_t opc, int 
acc, int reg)
 }
 break;
 case OPC_MTHI:
+case TX79_MMI_MTHI1:
 if (reg != 0) {
 #if defined(TARGET_MIPS64)
 if (acc != 0) {
@@ -4274,6 +4280,7 @@ static void gen_HILO(DisasContext *ctx, uint32_t opc, int 
acc, int reg)
 }
 break;
 case OPC_MTLO:
+case TX79_MMI_MTLO1:
 if (reg != 0) {
 #if defined(TARGET_MIPS64)
 if (acc != 0) {
@@ -24658,13 +24665,17 @@ static void decode_tx79_mmi(CPUMIPSState *env, 
DisasContext *ctx)
 case TX79_MMI_MULTU1:
 gen_mul_txx9(ctx, opc, rd, rs, rt);
 break;
+case TX79_MMI_MTLO1:
+case TX79_MMI_MTHI1:
+gen_HILO(ctx, opc, 1, rs);
+break;
+case TX79_MMI_MFLO1:
+case TX79_MMI_MFHI1:
+gen_HILO(ctx, opc, 1, rd);
+break;
 case TX79_MMI_MADD:  /* TODO: TX79_MMI_MADD */
 case TX79_MMI_MADDU: /* TODO: TX79_MMI_MADDU */
 case TX79_MMI_PLZCW: /* TODO: TX79_MMI_PLZCW */
-case TX79_MMI_MFHI1: /* TODO: TX79_MMI_MFHI1 */
-case TX79_MMI_MTHI1: /* TODO: TX79_MMI_MTHI1 */
-case TX79_MMI_MFLO1: /* TODO: TX79_MMI_MFLO1 */
-case TX79_MMI_MTLO1: /* TODO: TX79_MMI_MTLO1 */
 case TX79_MMI_DIV1:  /* 

[Qemu-devel] [PATCH v8 33/38] tests/tcg/mips: Test R5900 three-operand MADD

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 tests/tcg/mips/mipsr5900/Makefile |  1 +
 tests/tcg/mips/mipsr5900/madd.c   | 45 +++
 2 files changed, 46 insertions(+)
 create mode 100644 tests/tcg/mips/mipsr5900/madd.c

diff --git a/tests/tcg/mips/mipsr5900/Makefile 
b/tests/tcg/mips/mipsr5900/Makefile
index a1c388bc3c..97ca2a671c 100644
--- a/tests/tcg/mips/mipsr5900/Makefile
+++ b/tests/tcg/mips/mipsr5900/Makefile
@@ -10,6 +10,7 @@ CFLAGS  = -Wall -mabi=32 -march=r5900 -static
 
 TESTCASES = div1.tst
 TESTCASES += divu1.tst
+TESTCASES += madd.tst
 TESTCASES += mflohi1.tst
 TESTCASES += mtlohi1.tst
 TESTCASES += mult.tst
diff --git a/tests/tcg/mips/mipsr5900/madd.c b/tests/tcg/mips/mipsr5900/madd.c
new file mode 100644
index 00..9ad2ea6dbb
--- /dev/null
+++ b/tests/tcg/mips/mipsr5900/madd.c
@@ -0,0 +1,45 @@
+/*
+ * Test R5900-specific three-operand MADD.
+ */
+
+#include 
+#include 
+#include 
+
+int64_t madd(int64_t a, int32_t rs, int32_t rt)
+{
+int32_t lo = a;
+int32_t hi = a >> 32;
+int32_t rd;
+int64_t r;
+
+__asm__ __volatile__ (
+"mtlo %5\n"
+"mthi %6\n"
+"madd %0, %3, %4\n"
+"mflo %1\n"
+"mfhi %2\n"
+: "=r" (rd), "=r" (lo), "=r" (hi)
+: "r" (rs), "r" (rt), "r" (lo), "r" (hi));
+r = ((int64_t)hi << 32) | (uint32_t)lo;
+
+assert(a + (int64_t)rs * rt == r);
+assert(rd == lo);
+
+return r;
+}
+
+static void verify_madd(int64_t a, int32_t rs, int32_t rt, int64_t expected)
+{
+assert(madd(a, rs, rt) == expected);
+assert(madd(a, -rs, rt) == a + a - expected);
+assert(madd(a, rs, -rt) == a + a - expected);
+assert(madd(a, -rs, -rt) == expected);
+}
+
+int main()
+{
+verify_madd(13, 17, 19, 336);
+
+return 0;
+}
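Review bot: verify_madd(13, 17, 19, 336) never produces a carry from LO into HI, which is precisely the 64-bit accumulate (tcg_gen_add2_i32 in 22/38) that distinguishes MADD from MULT; add at least one case where the low word overflows, for example an accumulator of 0xFFFFFFFF with rs * rt = 1, and one with a negative accumulator. Two smaller points: madd() is not static although mult() in mult.c is, and `int32_t lo = a;` relies on an implicit narrowing of int64_t; an explicit `(int32_t)a` says the truncation is intended.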
-- 
2.18.1




[Qemu-devel] [PATCH v8 12/38] target/mips: Placeholder for R5900 MMI instruction class

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 target/mips/translate.c | 45 -
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index 2318116d31..3b100f2d17 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -24420,6 +24420,45 @@ static void decode_opc_special3_legacy(CPUMIPSState 
*env, DisasContext *ctx)
 }
 }
 
+static void decode_tx79_mmi(CPUMIPSState *env, DisasContext *ctx)
+{
+uint32_t opc = MASK_TX79_MMI(ctx->opcode);
+
+switch (opc) {
+case TX79_MMI_MADD:  /* TODO: TX79_MMI_MADD */
+case TX79_MMI_MADDU: /* TODO: TX79_MMI_MADDU */
+case TX79_MMI_PLZCW: /* TODO: TX79_MMI_PLZCW */
+case TX79_MMI_CLASS_MMI0:/* TODO: TX79_MMI_CLASS_MMI0 */
+case TX79_MMI_CLASS_MMI2:/* TODO: TX79_MMI_CLASS_MMI2 */
+case TX79_MMI_MFHI1: /* TODO: TX79_MMI_MFHI1 */
+case TX79_MMI_MTHI1: /* TODO: TX79_MMI_MTHI1 */
+case TX79_MMI_MFLO1: /* TODO: TX79_MMI_MFLO1 */
+case TX79_MMI_MTLO1: /* TODO: TX79_MMI_MTLO1 */
+case TX79_MMI_MULT1: /* TODO: TX79_MMI_MULT1 */
+case TX79_MMI_MULTU1:/* TODO: TX79_MMI_MULTU1 */
+case TX79_MMI_DIV1:  /* TODO: TX79_MMI_DIV1 */
+case TX79_MMI_DIVU1: /* TODO: TX79_MMI_DIVU1 */
+case TX79_MMI_MADD1: /* TODO: TX79_MMI_MADD1 */
+case TX79_MMI_MADDU1:/* TODO: TX79_MMI_MADDU1 */
+case TX79_MMI_CLASS_MMI1:/* TODO: TX79_MMI_CLASS_MMI1 */
+case TX79_MMI_CLASS_MMI3:/* TODO: TX79_MMI_CLASS_MMI3 */
+case TX79_MMI_PMFHL: /* TODO: TX79_MMI_PMFHL */
+case TX79_MMI_PMTHL: /* TODO: TX79_MMI_PMTHL */
+case TX79_MMI_PSLLH: /* TODO: TX79_MMI_PSLLH */
+case TX79_MMI_PSRLH: /* TODO: TX79_MMI_PSRLH */
+case TX79_MMI_PSRAH: /* TODO: TX79_MMI_PSRAH */
+case TX79_MMI_PSLLW: /* TODO: TX79_MMI_PSLLW */
+case TX79_MMI_PSRLW: /* TODO: TX79_MMI_PSRLW */
+case TX79_MMI_PSRAW: /* TODO: TX79_MMI_PSRAW */
+generate_exception_end(ctx, EXCP_RI);/* TODO: TX79_CLASS_MMI */
+break;
+default:
+MIPS_INVAL("TX79 MMI class");
+generate_exception_end(ctx, EXCP_RI);
+break;
+}
+}
+
 static void decode_tx79_lq(CPUMIPSState *env, DisasContext *ctx)
 {
 generate_exception_end(ctx, EXCP_RI);/* TODO: TX79_LQ */
@@ -25769,7 +25808,11 @@ static void decode_opc(CPUMIPSState *env, DisasContext 
*ctx)
 decode_opc_special(env, ctx);
 break;
 case OPC_SPECIAL2:
-decode_opc_special2_legacy(env, ctx);
+if (ctx->insn_flags & INSN_R5900) {
+decode_tx79_mmi(env, ctx);
+} else {
+decode_opc_special2_legacy(env, ctx);
+}
 break;
 case OPC_SPECIAL3:
 if (ctx->insn_flags & INSN_R5900) {
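Review bot: routing OPC_SPECIAL2 to decode_tx79_mmi for INSN_R5900 means every encoding decode_opc_special2_legacy used to accept is now an EXCP_RI on this CPU, since the placeholder raises RI for all MMI cases. The commit message is empty; it should say that the R5900 reuses the SPECIAL2 opcode space for MMI and that the legacy SPECIAL2 instructions are therefore intentionally unavailable.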
-- 
2.18.1




[Qemu-devel] [PATCH v8 17/38] target/mips: Support R5900 three-operand MULT and MULTU

2018-10-21 Thread Fredrik Noring
The three-operand MULT and MULTU are the only R5900-specific
instructions emitted by GCC 7.3. The R5900 also implements the three-
operand MADD and MADDU instructions, but they are omitted in QEMU for
now since they are absent in programs compiled by current GCC versions.

Likewise, the R5900-specific pipeline 1 instruction variants MULT1,
MULTU1, DIV1, DIVU1, MADD1, MADDU1, MFHI1, MFLO1, MTHI1 and MTLO1
are omitted here as well.

Signed-off-by: Fredrik Noring 
Reviewed-by: Philippe Mathieu-Daudé 
---
 target/mips/translate.c | 74 +
 1 file changed, 74 insertions(+)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index 6d837082a9..eb7437cc09 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -4766,6 +4766,78 @@ static void gen_muldiv(DisasContext *ctx, uint32_t opc,
 tcg_temp_free(t1);
 }
 
+/*
+ * These MULT and MULTU instructions implemented in for example the
+ * Toshiba/Sony R5900 and the Toshiba TX19, TX39 and TX79 core
+ * architectures are special three-operand variants with the syntax
+ *
+ * MULT[U] rd, rs, rt
+ *
+ * such that
+ *
+ * (rd, LO, HI) <- rs * rt
+ *
+ * where the low-order 32-bits of the result is placed into both the
+ * GPR rd and the special register LO. The high-order 32-bits of the
+ * result is placed into the special register HI.
+ *
+ * If the GPR rd is omitted in assembly language, it is taken to be 0,
+ * which is the zero register that always reads as 0.
+ */
+static void gen_mul_txx9(DisasContext *ctx, uint32_t opc,
+ int rd, int rs, int rt)
+{
+TCGv t0 = tcg_temp_new();
+TCGv t1 = tcg_temp_new();
+int acc = 0;
+
+gen_load_gpr(t0, rs);
+gen_load_gpr(t1, rt);
+
+switch (opc) {
+case OPC_MULT:
+{
+TCGv_i32 t2 = tcg_temp_new_i32();
+TCGv_i32 t3 = tcg_temp_new_i32();
+tcg_gen_trunc_tl_i32(t2, t0);
+tcg_gen_trunc_tl_i32(t3, t1);
+tcg_gen_muls2_i32(t2, t3, t2, t3);
+if (rd) {
+tcg_gen_ext_i32_tl(cpu_gpr[rd], t2);
+}
+tcg_gen_ext_i32_tl(cpu_LO[acc], t2);
+tcg_gen_ext_i32_tl(cpu_HI[acc], t3);
+tcg_temp_free_i32(t2);
+tcg_temp_free_i32(t3);
+}
+break;
+case OPC_MULTU:
+{
+TCGv_i32 t2 = tcg_temp_new_i32();
+TCGv_i32 t3 = tcg_temp_new_i32();
+tcg_gen_trunc_tl_i32(t2, t0);
+tcg_gen_trunc_tl_i32(t3, t1);
+tcg_gen_mulu2_i32(t2, t3, t2, t3);
+if (rd) {
+tcg_gen_ext_i32_tl(cpu_gpr[rd], t2);
+}
+tcg_gen_ext_i32_tl(cpu_LO[acc], t2);
+tcg_gen_ext_i32_tl(cpu_HI[acc], t3);
+tcg_temp_free_i32(t2);
+tcg_temp_free_i32(t3);
+}
+break;
+default:
+MIPS_INVAL("mul TXx9");
+generate_exception_end(ctx, EXCP_RI);
+goto out;
+}
+
+ out:
+tcg_temp_free(t0);
+tcg_temp_free(t1);
+}
+
 static void gen_mul_vr54xx (DisasContext *ctx, uint32_t opc,
 int rd, int rs, int rt)
 {
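Review bot: `goto out` in the default branch jumps to the label on the very next line, so it can be dropped in favour of a plain break. The OPC_MULT and OPC_MULTU arms differ only in tcg_gen_muls2_i32 versus tcg_gen_mulu2_i32; the truncation, the `if (rd)` guard against writing $zero and the LO/HI extension could be shared after the switch, which would also keep the pipeline-1 variants added later from copying the block a third time.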
@@ -23490,6 +23562,8 @@ static void decode_opc_special_legacy(CPUMIPSState 
*env, DisasContext *ctx)
 check_insn(ctx, INSN_VR54XX);
 op1 = MASK_MUL_VR54XX(ctx->opcode);
 gen_mul_vr54xx(ctx, op1, rd, rs, rt);
+} else if (ctx->insn_flags & INSN_R5900) {
+gen_mul_txx9(ctx, op1, rd, rs, rt);
 } else {
 gen_muldiv(ctx, op1, rd & 3, rs, rt);
 }
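Review bot: the new INSN_R5900 branch passes rd as the destination GPR whereas the fallback passes rd & 3 as the DSP accumulator index; both are right for their encodings, but side by side it reads like an inconsistency. A comment such as `/* three-operand form: rd is a GPR, not an accumulator */` would stop a future cleanup from "aligning" the two calls.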
-- 
2.18.1




[Qemu-devel] [PATCH v8 18/38] target/mips: Support R5900 three-operand MULT1 and MULTU1

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 target/mips/translate.c | 17 ++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index eb7437cc09..df69fa0e9f 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -4771,7 +4771,7 @@ static void gen_muldiv(DisasContext *ctx, uint32_t opc,
  * Toshiba/Sony R5900 and the Toshiba TX19, TX39 and TX79 core
  * architectures are special three-operand variants with the syntax
  *
- * MULT[U] rd, rs, rt
+ * MULT[U][1] rd, rs, rt
  *
  * such that
  *
@@ -4795,6 +4795,9 @@ static void gen_mul_txx9(DisasContext *ctx, uint32_t opc,
 gen_load_gpr(t1, rt);
 
 switch (opc) {
+case TX79_MMI_MULT1:
+acc = 1;
+/* Fall through */
 case OPC_MULT:
 {
 TCGv_i32 t2 = tcg_temp_new_i32();
@@ -4811,6 +4814,9 @@ static void gen_mul_txx9(DisasContext *ctx, uint32_t opc,
 tcg_temp_free_i32(t3);
 }
 break;
+case TX79_MMI_MULTU1:
+acc = 1;
+/* Fall through */
 case OPC_MULTU:
 {
 TCGv_i32 t2 = tcg_temp_new_i32();
@@ -24631,6 +24637,9 @@ static void decode_tx79_mmi3(CPUMIPSState *env, 
DisasContext *ctx)
 static void decode_tx79_mmi(CPUMIPSState *env, DisasContext *ctx)
 {
 uint32_t opc = MASK_TX79_MMI(ctx->opcode);
+int rs = extract32(ctx->opcode, 21, 5);
+int rt = extract32(ctx->opcode, 16, 5);
+int rd = extract32(ctx->opcode, 11, 5);
 
 switch (opc) {
 case TX79_MMI_CLASS_MMI0:
@@ -24645,6 +24654,10 @@ static void decode_tx79_mmi(CPUMIPSState *env, 
DisasContext *ctx)
 case TX79_MMI_CLASS_MMI3:
 decode_tx79_mmi3(env, ctx);
 break;
+case TX79_MMI_MULT1:
+case TX79_MMI_MULTU1:
+gen_mul_txx9(ctx, opc, rd, rs, rt);
+break;
 case TX79_MMI_MADD:  /* TODO: TX79_MMI_MADD */
 case TX79_MMI_MADDU: /* TODO: TX79_MMI_MADDU */
 case TX79_MMI_PLZCW: /* TODO: TX79_MMI_PLZCW */
@@ -24652,8 +24665,6 @@ static void decode_tx79_mmi(CPUMIPSState *env, 
DisasContext *ctx)
 case TX79_MMI_MTHI1: /* TODO: TX79_MMI_MTHI1 */
 case TX79_MMI_MFLO1: /* TODO: TX79_MMI_MFLO1 */
 case TX79_MMI_MTLO1: /* TODO: TX79_MMI_MTLO1 */
-case TX79_MMI_MULT1: /* TODO: TX79_MMI_MULT1 */
-case TX79_MMI_MULTU1:/* TODO: TX79_MMI_MULTU1 */
 case TX79_MMI_DIV1:  /* TODO: TX79_MMI_DIV1 */
 case TX79_MMI_DIVU1: /* TODO: TX79_MMI_DIVU1 */
 case TX79_MMI_MADD1: /* TODO: TX79_MMI_MADD1 */
-- 
2.18.1




[Qemu-devel] [PATCH v8 11/38] target/mips: Placeholder for R5900 MMI LQ

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 target/mips/translate.c | 13 +++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index 19a8abad54..2318116d31 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -24420,6 +24420,11 @@ static void decode_opc_special3_legacy(CPUMIPSState 
*env, DisasContext *ctx)
 }
 }
 
+static void decode_tx79_lq(CPUMIPSState *env, DisasContext *ctx)
+{
+generate_exception_end(ctx, EXCP_RI);/* TODO: TX79_LQ */
+}
+
 static void gen_tx79_sq(DisasContext *ctx, int base, int rt, int offset)
 {
 generate_exception_end(ctx, EXCP_RI);/* TODO: TX79_SQ */
@@ -26425,8 +26430,12 @@ static void decode_opc(CPUMIPSState *env, DisasContext 
*ctx)
 }
 break;
 case OPC_MSA: /* OPC_MDMX */
-/* MDMX: Not implemented. */
-gen_msa(env, ctx);
+if (ctx->insn_flags & INSN_R5900) {
+decode_tx79_lq(env, ctx);/* TX79_LQ */
+} else {
+/* MDMX: Not implemented. */
+gen_msa(env, ctx);
+}
 break;
 case OPC_PCREL:
 check_insn(ctx, ISA_MIPS32R6);
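Review bot: the trailing `/* TX79_LQ */` on the decode_tx79_lq call restates the function name and can go; more useful would be a line in the (currently empty) commit message saying that the OPC_MSA/MDMX opcode slot is reused for LQ, presumably because the R5900 implements neither, and that gen_msa is therefore no longer reachable on this CPU.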
-- 
2.18.1




[Qemu-devel] [PATCH v8 16/38] target/mips: Placeholder for R5900 MMI3 instruction subclass

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 target/mips/translate.c | 31 ++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index e5ac9f17e0..6d837082a9 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -24527,6 +24527,33 @@ static void decode_tx79_mmi2(CPUMIPSState *env, 
DisasContext *ctx)
 }
 }
 
+static void decode_tx79_mmi3(CPUMIPSState *env, DisasContext *ctx)
+{
+uint32_t opc = MASK_TX79_MMI3(ctx->opcode);
+
+switch (opc) {
+case TX79_MMI3_PMADDUW:/* TODO: TX79_MMI3_PMADDUW */
+case TX79_MMI3_PSRAVW: /* TODO: TX79_MMI3_PSRAVW */
+case TX79_MMI3_PMTHI:  /* TODO: TX79_MMI3_PMTHI */
+case TX79_MMI3_PMTLO:  /* TODO: TX79_MMI3_PMTLO */
+case TX79_MMI3_PINTEH: /* TODO: TX79_MMI3_PINTEH */
+case TX79_MMI3_PMULTUW:/* TODO: TX79_MMI3_PMULTUW */
+case TX79_MMI3_PDIVUW: /* TODO: TX79_MMI3_PDIVUW */
+case TX79_MMI3_PCPYUD: /* TODO: TX79_MMI3_PCPYUD */
+case TX79_MMI3_POR:/* TODO: TX79_MMI3_POR */
+case TX79_MMI3_PNOR:   /* TODO: TX79_MMI3_PNOR */
+case TX79_MMI3_PEXCH:  /* TODO: TX79_MMI3_PEXCH */
+case TX79_MMI3_PCPYH:  /* TODO: TX79_MMI3_PCPYH */
+case TX79_MMI3_PEXCW:  /* TODO: TX79_MMI3_PEXCW */
+generate_exception_end(ctx, EXCP_RI); /* TODO: TX79_MMI_CLASS_MMI3 */
+break;
+default:
+MIPS_INVAL("TX79 MMI class MMI3");
+generate_exception_end(ctx, EXCP_RI);
+break;
+}
+}
+
 static void decode_tx79_mmi(CPUMIPSState *env, DisasContext *ctx)
 {
 uint32_t opc = MASK_TX79_MMI(ctx->opcode);
@@ -24541,6 +24568,9 @@ static void decode_tx79_mmi(CPUMIPSState *env, 
DisasContext *ctx)
 case TX79_MMI_CLASS_MMI2:
 decode_tx79_mmi2(env, ctx);
 break;
+case TX79_MMI_CLASS_MMI3:
+decode_tx79_mmi3(env, ctx);
+break;
 case TX79_MMI_MADD:  /* TODO: TX79_MMI_MADD */
 case TX79_MMI_MADDU: /* TODO: TX79_MMI_MADDU */
 case TX79_MMI_PLZCW: /* TODO: TX79_MMI_PLZCW */
@@ -24554,7 +24584,6 @@ static void decode_tx79_mmi(CPUMIPSState *env, 
DisasContext *ctx)
 case TX79_MMI_DIVU1: /* TODO: TX79_MMI_DIVU1 */
 case TX79_MMI_MADD1: /* TODO: TX79_MMI_MADD1 */
 case TX79_MMI_MADDU1:/* TODO: TX79_MMI_MADDU1 */
-case TX79_MMI_CLASS_MMI3:/* TODO: TX79_MMI_CLASS_MMI3 */
 case TX79_MMI_PMFHL: /* TODO: TX79_MMI_PMFHL */
 case TX79_MMI_PMTHL: /* TODO: TX79_MMI_PMTHL */
 case TX79_MMI_PSLLH: /* TODO: TX79_MMI_PSLLH */
-- 
2.18.1




[Qemu-devel] [PATCH v8 28/38] tests/tcg/mips: Test R5900 three-operand MULTU1

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 tests/tcg/mips/mipsr5900/multu.c | 43 ++--
 1 file changed, 36 insertions(+), 7 deletions(-)

diff --git a/tests/tcg/mips/mipsr5900/multu.c b/tests/tcg/mips/mipsr5900/multu.c
index 3a59675395..f043904d69 100644
--- a/tests/tcg/mips/mipsr5900/multu.c
+++ b/tests/tcg/mips/mipsr5900/multu.c
@@ -1,5 +1,5 @@
 /*
- * Test R5900-specific three-operand MULTU.
+ * Test R5900-specific three-operand MULTU and MULTU1.
  */
 
 #include 
@@ -25,15 +25,44 @@ static uint64_t multu(uint32_t rs, uint32_t rt)
 return r;
 }
 
+static uint64_t multu1(uint32_t rs, uint32_t rt)
+{
+uint32_t rd, lo, hi;
+uint64_t r;
+
+__asm__ __volatile__ (
+"multu1 %0, %3, %4\n"
+"mflo1 %1\n"
+"mfhi1 %2\n"
+: "=r" (rd), "=r" (lo), "=r" (hi)
+: "r" (rs), "r" (rt));
+r = ((uint64_t)hi << 32) | (uint32_t)lo;
+
+assert((uint64_t)rs * rt == r);
+assert(rd == lo);
+
+return r;
+}
+
+static uint64_t multu_variants(uint32_t rs, uint32_t rt)
+{
+uint64_t rd  = multu(rs, rt);
+uint64_t rd1 = multu1(rs, rt);
+
+assert(rd == rd1);
+
+return rd;
+}
+
 int main()
 {
-assert(multu(17, 19) == 323);
-assert(multu(3, 1) == 7776600043);
-assert(multu(12207031, 305175781) == 3725290219116211);
+assert(multu_variants(17, 19) == 323);
+assert(multu_variants(3, 1) == 7776600043);
+assert(multu_variants(12207031, 305175781) == 3725290219116211);
 
-assert(multu(0x8000U, 0x7FFF) == 0x3FFF8000);
-assert(multu(0x8000U, 0x8000U) ==  0x4000);
-assert(multu(0xU, 0xU) ==  0xFFFE0001U);
+assert(multu_variants(0x8000U, 0x7FFF) == 0x3FFF8000);
+assert(multu_variants(0x8000U, 0x8000U) ==  0x4000);
+assert(multu_variants(0xU, 0xU) ==  0xFFFE0001U);
 
 return 0;
 }
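Review bot: multu1() is a byte-for-byte copy of multu() with only the mnemonic suffix changed; a small macro parameterised on the suffix (or a helper taking the three mnemonics) would keep the two in sync as further pipeline-1 variants are added. Also, `0xU` in the last assertion is not a valid literal and `0x4000` is not 0x8000U * 0x8000U, so please check the posted file for dropped characters before it is merged.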
-- 
2.18.1




[Qemu-devel] [PATCH v8 14/38] target/mips: Placeholder for R5900 MMI1 instruction subclass

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 target/mips/translate.c | 36 +++-
 1 file changed, 35 insertions(+), 1 deletion(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index c8080844f1..28137cdaf4 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -24459,6 +24459,38 @@ static void decode_tx79_mmi0(CPUMIPSState *env, 
DisasContext *ctx)
 }
 }
 
+static void decode_tx79_mmi1(CPUMIPSState *env, DisasContext *ctx)
+{
+uint32_t opc = MASK_TX79_MMI1(ctx->opcode);
+
+switch (opc) {
+case TX79_MMI1_PABSW: /* TODO: TX79_MMI1_PABSW */
+case TX79_MMI1_PCEQW: /* TODO: TX79_MMI1_PCEQW */
+case TX79_MMI1_PMINW: /* TODO: TX79_MMI1_PMINW */
+case TX79_MMI1_PADSBH:/* TODO: TX79_MMI1_PADSBH */
+case TX79_MMI1_PABSH: /* TODO: TX79_MMI1_PABSH */
+case TX79_MMI1_PCEQH: /* TODO: TX79_MMI1_PCEQH */
+case TX79_MMI1_PMINH: /* TODO: TX79_MMI1_PMINH */
+case TX79_MMI1_PCEQB: /* TODO: TX79_MMI1_PCEQB */
+case TX79_MMI1_PADDUW:/* TODO: TX79_MMI1_PADDUW */
+case TX79_MMI1_PSUBUW:/* TODO: TX79_MMI1_PSUBUW */
+case TX79_MMI1_PEXTUW:/* TODO: TX79_MMI1_PEXTUW */
+case TX79_MMI1_PADDUH:/* TODO: TX79_MMI1_PADDUH */
+case TX79_MMI1_PSUBUH:/* TODO: TX79_MMI1_PSUBUH */
+case TX79_MMI1_PEXTUH:/* TODO: TX79_MMI1_PEXTUH */
+case TX79_MMI1_PADDUB:/* TODO: TX79_MMI1_PADDUB */
+case TX79_MMI1_PSUBUB:/* TODO: TX79_MMI1_PSUBUB */
+case TX79_MMI1_PEXTUB:/* TODO: TX79_MMI1_PEXTUB */
+case TX79_MMI1_QFSRV: /* TODO: TX79_MMI1_QFSRV */
+generate_exception_end(ctx, EXCP_RI); /* TODO: TX79_MMI_CLASS_MMI1 */
+break;
+default:
+MIPS_INVAL("TX79 MMI class MMI1");
+generate_exception_end(ctx, EXCP_RI);
+break;
+}
+}
+
 static void decode_tx79_mmi(CPUMIPSState *env, DisasContext *ctx)
 {
 uint32_t opc = MASK_TX79_MMI(ctx->opcode);
@@ -24467,6 +24499,9 @@ static void decode_tx79_mmi(CPUMIPSState *env, 
DisasContext *ctx)
 case TX79_MMI_CLASS_MMI0:
 decode_tx79_mmi0(env, ctx);
 break;
+case TX79_MMI_CLASS_MMI1:
+decode_tx79_mmi1(env, ctx);
+break;
 case TX79_MMI_MADD:  /* TODO: TX79_MMI_MADD */
 case TX79_MMI_MADDU: /* TODO: TX79_MMI_MADDU */
 case TX79_MMI_PLZCW: /* TODO: TX79_MMI_PLZCW */
@@ -24481,7 +24516,6 @@ static void decode_tx79_mmi(CPUMIPSState *env, 
DisasContext *ctx)
 case TX79_MMI_DIVU1: /* TODO: TX79_MMI_DIVU1 */
 case TX79_MMI_MADD1: /* TODO: TX79_MMI_MADD1 */
 case TX79_MMI_MADDU1:/* TODO: TX79_MMI_MADDU1 */
-case TX79_MMI_CLASS_MMI1:/* TODO: TX79_MMI_CLASS_MMI1 */
 case TX79_MMI_CLASS_MMI3:/* TODO: TX79_MMI_CLASS_MMI3 */
 case TX79_MMI_PMFHL: /* TODO: TX79_MMI_PMFHL */
 case TX79_MMI_PMTHL: /* TODO: TX79_MMI_PMTHL */
-- 
2.18.1




[Qemu-devel] [PATCH v8 08/38] target/mips: Define R5900 MMI2 opcode constants

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 target/mips/translate.c | 48 +
 1 file changed, 48 insertions(+)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index e233b87324..bd51443ac1 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -2275,6 +2275,54 @@ enum {
 TX79_MMI1_QFSRV  = (0x1B << 6) | TX79_MMI_CLASS_MMI1,
 };
 
+/*
+ * TX79 Multimedia Instructions with opcode field = MMI and bits 5..0 = MMI2:
+ *
+ *  312610 6 5  0
+ * ++--+++
+ * |   MMI  |  |function|  MMI2  |
+ * ++--+++
+ *
+ * function  bits 7..6
+ * bits |   0   |   1   |   2   |   3
+ *10..8 |   00  |   01  |   10  |   11
+ *   ---+---+---+---+---
+ *0 000 | PMADDW|   *   | PSLLVW| PSRLVW
+ *1 001 | PMSUBW|   *   |   *   |   *
+ *2 010 | PMFHI | PMFLO | PINTH |   *
+ *3 011 | PMULTW| PDIVW | PCPYLD|   *
+ *4 100 | PMADDH| PHMADH|  PAND |  PXOR
+ *5 101 | PMSUBH| PHMSBH|   *   |   *
+ *6 110 |   *   |   *   | PEXEH | PREVH
+ *7 111 | PMULTH| PDIVBW| PEXEW | PROT3W
+ */
+
+#define MASK_TX79_MMI2(op) (MASK_OP_MAJOR(op) | ((op) & 0x7FF))
+enum {
+TX79_MMI2_PMADDW = (0x00 << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PSLLVW = (0x02 << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PSRLVW = (0x03 << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PMSUBW = (0x04 << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PMFHI  = (0x08 << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PMFLO  = (0x09 << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PINTH  = (0x0A << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PMULTW = (0x0C << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PDIVW  = (0x0D << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PCPYLD = (0x0E << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PMADDH = (0x10 << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PHMADH = (0x11 << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PAND   = (0x12 << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PXOR   = (0x13 << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PMSUBH = (0x14 << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PHMSBH = (0x15 << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PEXEH  = (0x1A << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PREVH  = (0x1B << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PMULTH = (0x1C << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PDIVBW = (0x1D << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PEXEW  = (0x1E << 6) | TX79_MMI_CLASS_MMI2,
+TX79_MMI2_PROT3W = (0x1F << 6) | TX79_MMI_CLASS_MMI2,
+};
+
 /* global register indices */
 static TCGv cpu_gpr[32], cpu_PC;
 static TCGv cpu_HI[MIPS_DSP_ACC], cpu_LO[MIPS_DSP_ACC];
-- 
2.18.1




[Qemu-devel] [PATCH v8 22/38] target/mips: Support R5900 three-operand MADD and MADD1

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 disas/mips.c|  2 ++
 target/mips/translate.c | 38 +-
 2 files changed, 35 insertions(+), 5 deletions(-)

diff --git a/disas/mips.c b/disas/mips.c
index 79bd119c51..242bf68b9c 100644
--- a/disas/mips.c
+++ b/disas/mips.c
@@ -2553,6 +2553,8 @@ const struct mips_opcode mips_builtin_opcodes[] =
 {"madd","s,t",  0x7000, 0xfc00, RD_s|RD_t|WR_HILO|IS_M,  
0,G1  },
 {"madd","7,s,t",   0x7000, 0xfc00e7ff, MOD_a|RD_s|RD_t, 0, 
D33 },
 {"madd","d,s,t",0x7000, 0xfc0007ff, RD_s|RD_t|WR_HILO|WR_d|IS_M, 
0,G1  },
+{"madd1",   "s,t",  0x7020, 0xfc00, RD_s|RD_t|WR_HILO|IS_M,  
0, EE  },
+{"madd1",   "d,s,t",0x7020, 0xfc0007ff, RD_s|RD_t|WR_HILO|WR_d|IS_M, 
0, EE  },
 {"maddp",   "s,t",  0x7441, 0xfc00,RD_s|RD_t|MOD_HILO, 
 0, SMT },
 {"maddu",   "s,t",  0x001d, 0xfc00, RD_s|RD_t|WR_HILO,   
0,L1  },
 {"maddu",   "s,t",  0x7001, 0xfc00, RD_s|RD_t|MOD_HILO,  
0,I32|N55 },
diff --git a/target/mips/translate.c b/target/mips/translate.c
index 1f3dc3d406..153b7e869a 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -4778,8 +4778,8 @@ static void gen_muldiv(DisasContext *ctx, uint32_t opc,
 }
 
 /*
- * These MULT and MULTU instructions implemented in for example the
- * Toshiba/Sony R5900 and the Toshiba TX19, TX39 and TX79 core
+ * These MULT[U] and MADD instructions implemented in for example
+ * the Toshiba/Sony R5900 and the Toshiba TX19, TX39 and TX79 core
  * architectures are special three-operand variants with the syntax
  *
  * MULT[U][1] rd, rs, rt
@@ -4788,6 +4788,14 @@ static void gen_muldiv(DisasContext *ctx, uint32_t opc,
  *
  * (rd, LO, HI) <- rs * rt
  *
+ * and
+ *
+ * MADD[1]rd, rs, rt
+ *
+ * such that
+ *
+ * (rd, LO, HI) <- (LO, HI) + rs * rt
+ *
  * where the low-order 32-bits of the result is placed into both the
  * GPR rd and the special register LO. The high-order 32-bits of the
  * result is placed into the special register HI.
@@ -4844,8 +4852,28 @@ static void gen_mul_txx9(DisasContext *ctx, uint32_t opc,
 tcg_temp_free_i32(t3);
 }
 break;
+case TX79_MMI_MADD1:
+acc = 1;
+/* Fall through */
+case TX79_MMI_MADD:
+{
+TCGv_i32 t2 = tcg_temp_new_i32();
+TCGv_i32 t3 = tcg_temp_new_i32();
+tcg_gen_trunc_tl_i32(t2, t0);
+tcg_gen_trunc_tl_i32(t3, t1);
+tcg_gen_muls2_i32(t2, t3, t2, t3);
+tcg_gen_add2_i32(t2, t3, cpu_LO[acc], cpu_HI[acc], t2, t3);
+if (rd) {
+tcg_gen_ext_i32_tl(cpu_gpr[rd], t2);
+}
+tcg_gen_ext_i32_tl(cpu_LO[acc], t2);
+tcg_gen_ext_i32_tl(cpu_HI[acc], t3);
+tcg_temp_free_i32(t2);
+tcg_temp_free_i32(t3);
+}
+break;
 default:
-MIPS_INVAL("mul TXx9");
+MIPS_INVAL("mul/madd TXx9");
 generate_exception_end(ctx, EXCP_RI);
 goto out;
 }
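Review bot: tcg_gen_add2_i32(t2, t3, cpu_LO[acc], cpu_HI[acc], t2, t3) mixes operand types: t2 and t3 are TCGv_i32, but cpu_LO and cpu_HI are TCGv (target_long, a TCGv_i64 under TARGET_MIPS64), which is exactly why t0 and t1 were first truncated with tcg_gen_trunc_tl_i32 a few lines above. Truncate LO and HI into i32 temporaries the same way before the add2, or do the whole accumulate in i64 (tcg_gen_concat_tl_i64 of LO/HI plus tcg_gen_mul_i64 of the sign-extended operands); otherwise the 64-bit target build trips over the incompatible pointer type.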
@@ -24667,6 +24695,8 @@ static void decode_tx79_mmi(CPUMIPSState *env, 
DisasContext *ctx)
 break;
 case TX79_MMI_MULT1:
 case TX79_MMI_MULTU1:
+case TX79_MMI_MADD:
+case TX79_MMI_MADD1:
 gen_mul_txx9(ctx, opc, rd, rs, rt);
 break;
 case TX79_MMI_DIV1:
@@ -24681,10 +24711,8 @@ static void decode_tx79_mmi(CPUMIPSState *env, 
DisasContext *ctx)
 case TX79_MMI_MFHI1:
 gen_HILO(ctx, opc, 1, rd);
 break;
-case TX79_MMI_MADD:  /* TODO: TX79_MMI_MADD */
 case TX79_MMI_MADDU: /* TODO: TX79_MMI_MADDU */
 case TX79_MMI_PLZCW: /* TODO: TX79_MMI_PLZCW */
-case TX79_MMI_MADD1: /* TODO: TX79_MMI_MADD1 */
 case TX79_MMI_MADDU1:/* TODO: TX79_MMI_MADDU1 */
 case TX79_MMI_PMFHL: /* TODO: TX79_MMI_PMFHL */
 case TX79_MMI_PMTHL: /* TODO: TX79_MMI_PMTHL */
-- 
2.18.1
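A host-side reference model of the (rd, LO, HI) semantics spelled out in the gen_mul_txx9 comment of patches 17/38 and 22/38, added here as an example and not part of QEMU or of this series; struct hilo, ext32s, store_hilo, set_hilo, hilo_value and the r5900_* functions are names chosen for this model. It carries MADD through the LO-to-HI carry case that madd.c does not exercise.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Reference model (added example, not QEMU code) of the R5900 three-operand
 * multiply family:
 *
 *     MULT[U] rd, rs, rt    (rd, LO, HI) <- rs * rt
 *     MADD    rd, rs, rt    (rd, LO, HI) <- (LO, HI) + rs * rt
 *
 * LO and HI are modelled as 64-bit registers each holding a sign-extended
 * 32-bit half, mirroring what tcg_gen_ext_i32_tl does under TARGET_MIPS64.
 */
struct hilo {
    int64_t lo;
    int64_t hi;
};

/* Sign-extend a 32-bit half into a 64-bit register (two's complement). */
static int64_t ext32s(uint32_t half)
{
    return (int64_t)(int32_t)half;
}

/* Split a 64-bit result into HI:LO, each half sign-extended. */
static void store_hilo(struct hilo *acc, uint64_t value)
{
    acc->lo = ext32s((uint32_t)value);
    acc->hi = ext32s((uint32_t)(value >> 32));
}

/* Reassemble HI:LO the way the test programs do:
 * ((int64_t)hi << 32) | (uint32_t)lo. */
static int64_t hilo_value(const struct hilo *acc)
{
    return (int64_t)(((uint64_t)(uint32_t)acc->hi << 32) | (uint32_t)acc->lo);
}

/* MTLO/MTHI equivalent: load a 64-bit accumulator value. */
static void set_hilo(struct hilo *acc, int64_t value)
{
    store_hilo(acc, (uint64_t)value);
}

/* MULT rd, rs, rt. Returns the value written to GPR rd (dropped if rd is $zero). */
static int64_t r5900_mult(struct hilo *acc, int32_t rs, int32_t rt)
{
    int64_t prod = (int64_t)rs * rt;   /* exact: |rs|, |rt| <= 2^31 */
    store_hilo(acc, (uint64_t)prod);
    return acc->lo;
}

/* MULTU rd, rs, rt. The low word is still sign-extended into rd and LO. */
static int64_t r5900_multu(struct hilo *acc, uint32_t rs, uint32_t rt)
{
    uint64_t prod = (uint64_t)rs * rt;
    store_hilo(acc, prod);
    return acc->lo;
}

/* MADD rd, rs, rt: 64-bit accumulate, so a carry out of LO lands in HI.
 * Unsigned arithmetic keeps the wraparound well defined. */
static int64_t r5900_madd(struct hilo *acc, int32_t rs, int32_t rt)
{
    uint64_t prev = (uint64_t)hilo_value(acc);
    uint64_t sum = prev + (uint64_t)((int64_t)rs * rt);
    store_hilo(acc, sum);
    return acc->lo;
}

int main(void)
{
    struct hilo acc;

    r5900_mult(&acc, 17, 19);
    printf("MULT 17, 19            -> %lld\n", (long long)hilo_value(&acc));

    r5900_multu(&acc, 0xFFFFFFFFU, 0xFFFFFFFFU);
    printf("MULTU 0xFFFFFFFF^2     -> HI=%lld LO=%lld\n",
           (long long)acc.hi, (long long)acc.lo);

    /* Accumulator 13 plus 17 * 19: the madd.c case. */
    set_hilo(&acc, 13);
    r5900_madd(&acc, 17, 19);
    printf("MADD 13 + 17 * 19      -> %lld\n", (long long)hilo_value(&acc));

    /* Carry out of LO into HI: 0xFFFFFFFF + 1 * 1 must become 0x1_0000_0000. */
    set_hilo(&acc, 0xFFFFFFFFLL);
    r5900_madd(&acc, 1, 1);
    printf("MADD 0xFFFFFFFF + 1    -> HI=%lld LO=%lld\n",
           (long long)acc.hi, (long long)acc.lo);
    return 0;
}
```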




[Qemu-devel] [PATCH v8 13/38] target/mips: Placeholder for R5900 MMI0 instruction subclass

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 target/mips/translate.c | 43 -
 1 file changed, 42 insertions(+), 1 deletion(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index 3b100f2d17..c8080844f1 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -24420,15 +24420,56 @@ static void decode_opc_special3_legacy(CPUMIPSState 
*env, DisasContext *ctx)
 }
 }
 
+static void decode_tx79_mmi0(CPUMIPSState *env, DisasContext *ctx)
+{
+uint32_t opc = MASK_TX79_MMI0(ctx->opcode);
+
+switch (opc) {
+case TX79_MMI0_PADDW: /* TODO: TX79_MMI0_PADDW */
+case TX79_MMI0_PSUBW: /* TODO: TX79_MMI0_PSUBW */
+case TX79_MMI0_PCGTW: /* TODO: TX79_MMI0_PCGTW */
+case TX79_MMI0_PMAXW: /* TODO: TX79_MMI0_PMAXW */
+case TX79_MMI0_PADDH: /* TODO: TX79_MMI0_PADDH */
+case TX79_MMI0_PSUBH: /* TODO: TX79_MMI0_PSUBH */
+case TX79_MMI0_PCGTH: /* TODO: TX79_MMI0_PCGTH */
+case TX79_MMI0_PMAXH: /* TODO: TX79_MMI0_PMAXH */
+case TX79_MMI0_PADDB: /* TODO: TX79_MMI0_PADDB */
+case TX79_MMI0_PSUBB: /* TODO: TX79_MMI0_PSUBB */
+case TX79_MMI0_PCGTB: /* TODO: TX79_MMI0_PCGTB */
+case TX79_MMI0_PADDSW:/* TODO: TX79_MMI0_PADDSW */
+case TX79_MMI0_PSUBSW:/* TODO: TX79_MMI0_PSUBSW */
+case TX79_MMI0_PEXTLW:/* TODO: TX79_MMI0_PEXTLW */
+case TX79_MMI0_PPACW: /* TODO: TX79_MMI0_PPACW */
+case TX79_MMI0_PADDSH:/* TODO: TX79_MMI0_PADDSH */
+case TX79_MMI0_PSUBSH:/* TODO: TX79_MMI0_PSUBSH */
+case TX79_MMI0_PEXTLH:/* TODO: TX79_MMI0_PEXTLH */
+case TX79_MMI0_PPACH: /* TODO: TX79_MMI0_PPACH */
+case TX79_MMI0_PADDSB:/* TODO: TX79_MMI0_PADDSB */
+case TX79_MMI0_PSUBSB:/* TODO: TX79_MMI0_PSUBSB */
+case TX79_MMI0_PEXTLB:/* TODO: TX79_MMI0_PEXTLB */
+case TX79_MMI0_PPACB: /* TODO: TX79_MMI0_PPACB */
+case TX79_MMI0_PEXT5: /* TODO: TX79_MMI0_PEXT5 */
+case TX79_MMI0_PPAC5: /* TODO: TX79_MMI0_PPAC5 */
+generate_exception_end(ctx, EXCP_RI); /* TODO: TX79_MMI_CLASS_MMI0 */
+break;
+default:
+MIPS_INVAL("TX79 MMI class MMI0");
+generate_exception_end(ctx, EXCP_RI);
+break;
+}
+}
+
 static void decode_tx79_mmi(CPUMIPSState *env, DisasContext *ctx)
 {
 uint32_t opc = MASK_TX79_MMI(ctx->opcode);
 
 switch (opc) {
+case TX79_MMI_CLASS_MMI0:
+decode_tx79_mmi0(env, ctx);
+break;
 case TX79_MMI_MADD:  /* TODO: TX79_MMI_MADD */
 case TX79_MMI_MADDU: /* TODO: TX79_MMI_MADDU */
 case TX79_MMI_PLZCW: /* TODO: TX79_MMI_PLZCW */
-case TX79_MMI_CLASS_MMI0:/* TODO: TX79_MMI_CLASS_MMI0 */
 case TX79_MMI_CLASS_MMI2:/* TODO: TX79_MMI_CLASS_MMI2 */
 case TX79_MMI_MFHI1: /* TODO: TX79_MMI_MFHI1 */
 case TX79_MMI_MTHI1: /* TODO: TX79_MMI_MTHI1 */
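Review bot: every TX79_MMI0_* case in decode_tx79_mmi0 ends in `generate_exception_end(ctx, EXCP_RI)` without any log line, so a guest that executes a real but not-yet-implemented MMI0 instruction is indistinguishable in the logs from one that hit a reserved encoding (the `default:` branch at least calls `MIPS_INVAL`). Consider `qemu_log_mask(LOG_UNIMP, ...)` with the opcode on the placeholder path, so the provisional RI signals the cover letter describes can be spotted when debugging a guest. Also, `env` is unused in decode_tx79_mmi0; if it is kept for symmetry with decode_tx79_mmi, a brief comment saying so would help.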
-- 
2.18.1




[Qemu-devel] [PATCH v8 10/38] target/mips: Placeholder for R5900 MMI SQ, handle user mode RDHWR

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 target/mips/translate.c | 53 -
 1 file changed, 52 insertions(+), 1 deletion(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index 3c6a2c99a6..19a8abad54 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -24420,6 +24420,53 @@ static void decode_opc_special3_legacy(CPUMIPSState 
*env, DisasContext *ctx)
 }
 }
 
+static void gen_tx79_sq(DisasContext *ctx, int base, int rt, int offset)
+{
+generate_exception_end(ctx, EXCP_RI);/* TODO: TX79_SQ */
+}
+
+/*
+ * The TX79-specific instruction Store Quadword
+ *
+ * ++---+---++
+ * | 01 |  base |   rt  |   offset   | SQ
+ * ++---+---++
+ *  6   5   5 16
+ *
+ * has the same opcode as the Read Hardware Register instruction
+ *
+ * ++---+---+---+---++
+ * | 01 | 0 |   rt  |   rd  | 0 | 111011 | RDHWR
+ * ++---+---+---+---++
+ *  6   5   5   5   56
+ *
+ * that is required, trapped and emulated by the Linux kernel. However, all
+ * RDHWR encodings yield address error exceptions on the TX79 since the SQ
+ * offset is odd. Therefore all valid SQ instructions can execute normally.
+ * In user mode, QEMU must verify the upper and lower 11 bits to distinguish
+ * between SQ and RDHWR, as the Linux kernel does.
+ */
+static void decode_tx79_sq(CPUMIPSState *env, DisasContext *ctx)
+{
+int base = extract32(ctx->opcode, 21, 5);
+int rt = extract32(ctx->opcode, 16, 5);
+int offset = extract32(ctx->opcode, 0, 16);
+
+#ifdef CONFIG_USER_ONLY
+uint32_t op1 = MASK_SPECIAL3(ctx->opcode);
+uint32_t op2 = extract32(ctx->opcode, 6, 5);
+
+if (base == 0 && op2 == 0 && op1 == OPC_RDHWR) {
+int rd = extract32(ctx->opcode, 11, 5);
+
+gen_rdhwr(ctx, rt, rd, 0);
+return;
+}
+#endif
+
+gen_tx79_sq(ctx, base, rt, offset);
+}
+
 static void decode_opc_special3(CPUMIPSState *env, DisasContext *ctx)
 {
 int rs, rt, rd, sa;
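Review bot: `gen_tx79_sq` raises EXCP_RI for every word with the SQ opcode, but the comment above it says that on the TX79 an RDHWR encoding decoded as SQ yields an address error because the offset is odd; in system mode, where the `CONFIG_USER_ONLY` RDHWR path is compiled out, a guest kernel will therefore see a Reserved Instruction exception rather than the address error it traps and emulates. When SQ is implemented, make the misaligned case raise the address error, and until then a comment next to the placeholder noting the difference would help. Separately, `offset` is taken with `extract32(ctx->opcode, 0, 16)`, i.e. zero-extended; the SQ offset is a signed 16-bit displacement like other MIPS load/store offsets, so the real implementation will need `sextract32` (or an explicit sign extension) here.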
@@ -25720,7 +25767,11 @@ static void decode_opc(CPUMIPSState *env, DisasContext 
*ctx)
 decode_opc_special2_legacy(env, ctx);
 break;
 case OPC_SPECIAL3:
-decode_opc_special3(env, ctx);
+if (ctx->insn_flags & INSN_R5900) {
+decode_tx79_sq(env, ctx);/* TX79_SQ */
+} else {
+decode_opc_special3(env, ctx);
+}
 break;
 case OPC_REGIMM:
 op1 = MASK_REGIMM(ctx->opcode);
-- 
2.18.1




[Qemu-devel] [PATCH v8 06/38] target/mips: Define R5900 MMI0 opcode constants

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 target/mips/translate.c | 51 +
 1 file changed, 51 insertions(+)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index ae988177a1..242f2df2e2 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -2180,6 +2180,57 @@ enum {
 TX79_MMI_PSRAW  = 0x3F | TX79_CLASS_MMI,
 };
 
+/*
+ * TX79 Multimedia Instructions with opcode field = MMI and bits 5..0 = MMI0:
+ *
+ *  312610 6 5  0
+ * ++--+++
+ * |   MMI  |  |function|  MMI0  |
+ * ++--+++
+ *
+ * function  bits 7..6
+ * bits |   0   |   1   |   2   |   3
+ *10..8 |   00  |   01  |   10  |   11
+ *   ---+---+---+---+---
+ *0 000 | PADDW | PSUBW | PCGTW | PMAXW
+ *1 001 | PADDH | PSUBH | PCGTH | PMAXH
+ *2 010 | PADDB | PSUBB | PCGTB |   *
+ *3 011 |   *   |   *   |   *   |   *
+ *4 100 | PADDSW| PSUBSW| PEXTLW| PPACW
+ *5 101 | PADDSH| PSUBSH| PEXTLH| PPACH
+ *6 110 | PADDSB| PSUBSB| PEXTLB| PPACB
+ *7 111 |   *   |   *   | PEXT5 | PPAC5
+ */
+
+#define MASK_TX79_MMI0(op) (MASK_OP_MAJOR(op) | ((op) & 0x7FF))
+enum {
+TX79_MMI0_PADDW  = (0x00 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PSUBW  = (0x01 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PCGTW  = (0x02 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PMAXW  = (0x03 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PADDH  = (0x04 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PSUBH  = (0x05 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PCGTH  = (0x06 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PMAXH  = (0x07 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PADDB  = (0x08 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PSUBB  = (0x09 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PCGTB  = (0x0A << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PADDSW = (0x10 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PSUBSW = (0x11 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PEXTLW = (0x12 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PPACW  = (0x13 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PADDSH = (0x14 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PSUBSH = (0x15 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PEXTLH = (0x16 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PPACH  = (0x17 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PADDSB = (0x18 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PSUBSB = (0x19 << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PEXTLB = (0x1A << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PPACB  = (0x1B << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PEXT5  = (0x1E << 6) | TX79_MMI_CLASS_MMI0,
+TX79_MMI0_PPAC5  = (0x1F << 6) | TX79_MMI_CLASS_MMI0,
+};
+
 /* global register indices */
 static TCGv cpu_gpr[32], cpu_PC;
 static TCGv cpu_HI[MIPS_DSP_ACC], cpu_LO[MIPS_DSP_ACC];
-- 
2.18.1




[Qemu-devel] [PATCH v8 09/38] target/mips: Define R5900 MMI3 opcode constants

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 target/mips/translate.c | 39 +++
 1 file changed, 39 insertions(+)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index bd51443ac1..3c6a2c99a6 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -2323,6 +2323,45 @@ enum {
 TX79_MMI2_PROT3W = (0x1F << 6) | TX79_MMI_CLASS_MMI2,
 };
 
+/*
+ * TX79 Multimedia Instructions with opcode field = MMI and bits 5..0 = MMI3:
+ *
+ *  312610 6 5  0
+ * ++--+++
+ * |   MMI  |  |function|  MMI3  |
+ * ++--+++
+ *
+ * function  bits 7..6
+ * bits |   0   |   1   |   2   |   3
+ *10..8 |   00  |   01  |   10  |   11
+ *   ---+---+---+---+---
+ *0 000 |PMADDUW|   *   |   *   | PSRAVW
+ *1 001 |   *   |   *   |   *   |   *
+ *2 010 | PMTHI | PMTLO | PINTEH|   *
+ *3 011 |PMULTUW| PDIVUW| PCPYUD|   *
+ *4 100 |   *   |   *   |  POR  |  PNOR
+ *5 101 |   *   |   *   |   *   |   *
+ *6 110 |   *   |   *   | PEXCH | PCPYH
+ *7 111 |   *   |   *   | PEXCW |   *
+ */
+
+#define MASK_TX79_MMI3(op) (MASK_OP_MAJOR(op) | ((op) & 0x7FF))
+enum {
+TX79_MMI3_PMADDUW = (0x00 << 6) | TX79_MMI_CLASS_MMI3,
+TX79_MMI3_PSRAVW  = (0x03 << 6) | TX79_MMI_CLASS_MMI3,
+TX79_MMI3_PMTHI   = (0x08 << 6) | TX79_MMI_CLASS_MMI3,
+TX79_MMI3_PMTLO   = (0x09 << 6) | TX79_MMI_CLASS_MMI3,
+TX79_MMI3_PINTEH  = (0x0A << 6) | TX79_MMI_CLASS_MMI3,
+TX79_MMI3_PMULTUW = (0x0C << 6) | TX79_MMI_CLASS_MMI3,
+TX79_MMI3_PDIVUW  = (0x0D << 6) | TX79_MMI_CLASS_MMI3,
+TX79_MMI3_PCPYUD  = (0x0E << 6) | TX79_MMI_CLASS_MMI3,
+TX79_MMI3_POR = (0x12 << 6) | TX79_MMI_CLASS_MMI3,
+TX79_MMI3_PNOR= (0x13 << 6) | TX79_MMI_CLASS_MMI3,
+TX79_MMI3_PEXCH   = (0x1A << 6) | TX79_MMI_CLASS_MMI3,
+TX79_MMI3_PCPYH   = (0x1B << 6) | TX79_MMI_CLASS_MMI3,
+TX79_MMI3_PEXCW   = (0x1E << 6) | TX79_MMI_CLASS_MMI3,
+};
+
 /* global register indices */
 static TCGv cpu_gpr[32], cpu_PC;
 static TCGv cpu_HI[MIPS_DSP_ACC], cpu_LO[MIPS_DSP_ACC];
-- 
2.18.1




[Qemu-devel] [PATCH v8 03/38] target/mips: R5900 Multimedia Instruction overview note

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 target/mips/translate.c | 161 
 1 file changed, 161 insertions(+)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index 3a0bdd55c8..32d1d2d83f 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -1927,6 +1927,167 @@ enum {
 OPC_MXU_Q8MACSU  = 0x01,
 };
 
+/*
+ * Overview of the TX79-specific instruction set
+ * =
+ *
+ * The R5900 and the C790 have 128-bit wide GPRs, where the upper 64 bits
+ * are only used by the specific quadword (128-bit) LQ/SQ load/store
+ * instructions and certain multimedia instructions (MMIs). These MMIs
+ * configure the 128-bit data path as two 64-bit, four 32-bit, eight 16-bit
+ * or sixteen 8-bit paths.
+ *
+ * Reference:
+ *
+ * The Toshiba TX System RISC TX79 Core Architecture manual,
+ * https://wiki.qemu.org/File:C790.pdf
+ *
+ * Three-Operand Multiply and Multiply-Add (4 instructions)
+ * 
+ * MADD[rd,] rs, rt  Multiply/Add
+ * MADDU   [rd,] rs, rt  Multiply/Add Unsigned
+ * MULT[rd,] rs, rt  Multiply (3-operand)
+ * MULTU   [rd,] rs, rt  Multiply Unsigned (3-operand)
+ *
+ * Multiply Instructions for Pipeline 1 (10 instructions)
+ * --
+ * MULT1   [rd,] rs, rt  Multiply Pipeline 1
+ * MULTU1  [rd,] rs, rt  Multiply Unsigned Pipeline 1
+ * DIV1rs, rtDivide Pipeline 1
+ * DIVU1   rs, rtDivide Unsigned Pipeline 1
+ * MADD1   [rd,] rs, rt  Multiply-Add Pipeline 1
+ * MADDU1  [rd,] rs, rt  Multiply-Add Unsigned Pipeline 1
+ * MFHI1   rdMove From HI1 Register
+ * MFLO1   rdMove From LO1 Register
+ * MTHI1   rsMove To HI1 Register
+ * MTLO1   rsMove To LO1 Register
+ *
+ * Arithmetic (19 instructions)
+ * 
+ * PADDB   rd, rs, rtParallel Add Byte
+ * PSUBB   rd, rs, rtParallel Subtract Byte
+ * PADDH   rd, rs, rtParallel Add Halfword
+ * PSUBH   rd, rs, rtParallel Subtract Halfword
+ * PADDW   rd, rs, rtParallel Add Word
+ * PSUBW   rd, rs, rtParallel Subtract Word
+ * PADSBH  rd, rs, rtParallel Add/Subtract Halfword
+ * PADDSB  rd, rs, rtParallel Add with Signed Saturation Byte
+ * PSUBSB  rd, rs, rtParallel Subtract with Signed Saturation Byte
+ * PADDSH  rd, rs, rtParallel Add with Signed Saturation Halfword
+ * PSUBSH  rd, rs, rtParallel Subtract with Signed Saturation Halfword
+ * PADDSW  rd, rs, rtParallel Add with Signed Saturation Word
+ * PSUBSW  rd, rs, rtParallel Subtract with Signed Saturation Word
+ * PADDUB  rd, rs, rtParallel Add with Unsigned saturation Byte
+ * PSUBUB  rd, rs, rtParallel Subtract with Unsigned saturation Byte
+ * PADDUH  rd, rs, rtParallel Add with Unsigned saturation Halfword
+ * PSUBUH  rd, rs, rtParallel Subtract with Unsigned saturation 
Halfword
+ * PADDUW  rd, rs, rtParallel Add with Unsigned saturation Word
+ * PSUBUW  rd, rs, rtParallel Subtract with Unsigned saturation Word
+ *
+ * Min/Max (4 instructions)
+ * 
+ * PMAXH   rd, rs, rtParallel Maximum Halfword
+ * PMINH   rd, rs, rtParallel Minimum Halfword
+ * PMAXW   rd, rs, rtParallel Maximum Word
+ * PMINW   rd, rs, rtParallel Minimum Word
+ *
+ * Absolute (2 instructions)
+ * -
+ * PABSH   rd, rtParallel Absolute Halfword
+ * PABSW   rd, rtParallel Absolute Word
+ *
+ * Logical (4 instructions)
+ * 
+ * PANDrd, rs, rtParallel AND
+ * POR rd, rs, rtParallel OR
+ * PXORrd, rs, rtParallel XOR
+ * PNORrd, rs, rtParallel NOR
+ *
+ * Shift (9 instructions)
+ * --
+ * PSLLH   rd, rt, saParallel Shift Left Logical Halfword
+ * PSRLH   rd, rt, saParallel Shift Right Logical Halfword
+ * PSRAH   rd, rt, saParallel Shift Right Arithmetic Halfword
+ * PSLLW   rd, rt, saParallel Shift Left Logical Word
+ * PSRLW   rd, rt, saParallel Shift Right Logical Word
+ * PSRAW   rd, rt, saParallel Shift Right Arithmetic Word
+ * PSLLVW  rd, rt, rsParallel Shift Left Logical Variable Word
+ * PSRLVW  rd, rt, rsParallel Shift Right Logical Variable Word
+ * PSRAVW  rd, rt, rsParallel Shift Right Arithmetic Variable Word
+ *
+ * Compare (6 instructions)
+ * 
+ * PCGTB   rd, rs, rtParallel Compare for Greater Than Byte
+ * PCEQB   rd, rs, rtParallel Compare for Equal Byte
+ * PCGTH   rd, rs, rtParallel Compare for Greater Than Halfword
+ * PCEQH   rd, rs, rt 

[Qemu-devel] [PATCH v8 07/38] target/mips: Define R5900 MMI1 opcode constants

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 target/mips/translate.c | 44 +
 1 file changed, 44 insertions(+)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index 242f2df2e2..e233b87324 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -2231,6 +2231,50 @@ enum {
 TX79_MMI0_PPAC5  = (0x1F << 6) | TX79_MMI_CLASS_MMI0,
 };
 
+/*
+ * TX79 Multimedia Instructions with opcode field = MMI and bits 5..0 = MMI1:
+ *
+ *  312610 6 5  0
+ * ++--+++
+ * |   MMI  |  |function|  MMI1  |
+ * ++--+++
+ *
+ * function  bits 7..6
+ * bits |   0   |   1   |   2   |   3
+ *10..8 |   00  |   01  |   10  |   11
+ *   ---+---+---+---+---
+ *0 000 |   *   | PABSW | PCEQW | PMINW
+ *1 001 | PADSBH| PABSH | PCEQH | PMINH
+ *2 010 |   *   |   *   | PCEQB |   *
+ *3 011 |   *   |   *   |   *   |   *
+ *4 100 | PADDUW| PSUBUW| PEXTUW|   *
+ *5 101 | PADDUH| PSUBUH| PEXTUH|   *
+ *6 110 | PADDUB| PSUBUB| PEXTUB| QFSRV
+ *7 111 |   *   |   *   |   *   |   *
+ */
+
+#define MASK_TX79_MMI1(op) (MASK_OP_MAJOR(op) | ((op) & 0x7FF))
+enum {
+TX79_MMI1_PABSW  = (0x01 << 6) | TX79_MMI_CLASS_MMI1,
+TX79_MMI1_PCEQW  = (0x02 << 6) | TX79_MMI_CLASS_MMI1,
+TX79_MMI1_PMINW  = (0x03 << 6) | TX79_MMI_CLASS_MMI1,
+TX79_MMI1_PADSBH = (0x04 << 6) | TX79_MMI_CLASS_MMI1,
+TX79_MMI1_PABSH  = (0x05 << 6) | TX79_MMI_CLASS_MMI1,
+TX79_MMI1_PCEQH  = (0x06 << 6) | TX79_MMI_CLASS_MMI1,
+TX79_MMI1_PMINH  = (0x07 << 6) | TX79_MMI_CLASS_MMI1,
+TX79_MMI1_PCEQB  = (0x0A << 6) | TX79_MMI_CLASS_MMI1,
+TX79_MMI1_PADDUW = (0x10 << 6) | TX79_MMI_CLASS_MMI1,
+TX79_MMI1_PSUBUW = (0x11 << 6) | TX79_MMI_CLASS_MMI1,
+TX79_MMI1_PEXTUW = (0x12 << 6) | TX79_MMI_CLASS_MMI1,
+TX79_MMI1_PADDUH = (0x14 << 6) | TX79_MMI_CLASS_MMI1,
+TX79_MMI1_PSUBUH = (0x15 << 6) | TX79_MMI_CLASS_MMI1,
+TX79_MMI1_PEXTUH = (0x16 << 6) | TX79_MMI_CLASS_MMI1,
+TX79_MMI1_PADDUB = (0x18 << 6) | TX79_MMI_CLASS_MMI1,
+TX79_MMI1_PSUBUB = (0x19 << 6) | TX79_MMI_CLASS_MMI1,
+TX79_MMI1_PEXTUB = (0x1A << 6) | TX79_MMI_CLASS_MMI1,
+TX79_MMI1_QFSRV  = (0x1B << 6) | TX79_MMI_CLASS_MMI1,
+};
+
 /* global register indices */
 static TCGv cpu_gpr[32], cpu_PC;
 static TCGv cpu_HI[MIPS_DSP_ACC], cpu_LO[MIPS_DSP_ACC];
-- 
2.18.1




[Qemu-devel] [PATCH v8 05/38] target/mips: Define R5900 MMI{0, 1, 2, 3} subclasses and MMI opcode constants

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 target/mips/translate.c | 51 +
 1 file changed, 51 insertions(+)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index e205c3eaef..ae988177a1 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -2129,6 +2129,57 @@ enum {
 TX79_SQ= 0x1F << 26,/* Same as OPC_SPECIAL3 */
 };
 
+/*
+ * TX79 Multimedia Instructions with opcode field = MMI:
+ *
+ *  3126 5  0
+ * ++---++
+ * |   MMI  |   |function|
+ * ++---++
+ *
+ * function  bits 2..0
+ * bits |   0   |   1   |   2   |   3   |   4   |   5   |   6   |   7
+ * 5..3 |  000  |  001  |  010  |  011  |  100  |  101  |  110  |  111
+ *   ---+---+---+---+---+---+---+---+---
+ *0 000 |  MADD | MADDU |   *   |   *   | PLZCW |   *   |   *   |   *
+ *1 001 | MMI0% | MMI2% |   *   |   *   |   *   |   *   |   *   |   *
+ *2 010 | MFHI1 | MTHI1 | MFLO1 | MTLO1 |   *   |   *   |   *   |   *
+ *3 011 | MULT1 | MULTU1|  DIV1 | DIVU1 |   *   |   *   |   *   |   *
+ *4 100 | MADD1 | MADDU1|   *   |   *   |   *   |   *   |   *   |   *
+ *5 101 | MMI1% | MMI3% |   *   |   *   |   *   |   *   |   *   |   *
+ *6 110 | PMFHL | PMTHL |   *   |   *   | PSLLH |   *   | PSRLH | PSRAH
+ *7 111 |   *   |   *   |   *   |   *   | PSLLW |   *   | PSRLW | PSRAW
+ */
+
+#define MASK_TX79_MMI(op) (MASK_OP_MAJOR(op) | ((op) & 0x3F))
+enum {
+TX79_MMI_MADD   = 0x00 | TX79_CLASS_MMI, /* Same as OPC_MADD */
+TX79_MMI_MADDU  = 0x01 | TX79_CLASS_MMI, /* Same as OPC_MADDU */
+TX79_MMI_PLZCW  = 0x04 | TX79_CLASS_MMI,
+TX79_MMI_CLASS_MMI0 = 0x08 | TX79_CLASS_MMI,
+TX79_MMI_CLASS_MMI2 = 0x09 | TX79_CLASS_MMI,
+TX79_MMI_MFHI1  = 0x10 | TX79_CLASS_MMI, /* Same minor as OPC_MFHI */
+TX79_MMI_MTHI1  = 0x11 | TX79_CLASS_MMI, /* Same minor as OPC_MTHI */
+TX79_MMI_MFLO1  = 0x12 | TX79_CLASS_MMI, /* Same minor as OPC_MFLO */
+TX79_MMI_MTLO1  = 0x13 | TX79_CLASS_MMI, /* Same minor as OPC_MTLO */
+TX79_MMI_MULT1  = 0x18 | TX79_CLASS_MMI, /* Same minor as OPC_MULT */
+TX79_MMI_MULTU1 = 0x19 | TX79_CLASS_MMI, /* Same minor as OPC_MULTU */
+TX79_MMI_DIV1   = 0x1A | TX79_CLASS_MMI, /* Same minor as OPC_DIV */
+TX79_MMI_DIVU1  = 0x1B | TX79_CLASS_MMI, /* Same minor as OPC_DIVU */
+TX79_MMI_MADD1  = 0x20 | TX79_CLASS_MMI,
+TX79_MMI_MADDU1 = 0x21 | TX79_CLASS_MMI,
+TX79_MMI_CLASS_MMI1 = 0x28 | TX79_CLASS_MMI,
+TX79_MMI_CLASS_MMI3 = 0x29 | TX79_CLASS_MMI,
+TX79_MMI_PMFHL  = 0x30 | TX79_CLASS_MMI,
+TX79_MMI_PMTHL  = 0x31 | TX79_CLASS_MMI,
+TX79_MMI_PSLLH  = 0x34 | TX79_CLASS_MMI,
+TX79_MMI_PSRLH  = 0x36 | TX79_CLASS_MMI,
+TX79_MMI_PSRAH  = 0x37 | TX79_CLASS_MMI,
+TX79_MMI_PSLLW  = 0x3C | TX79_CLASS_MMI,
+TX79_MMI_PSRLW  = 0x3E | TX79_CLASS_MMI,
+TX79_MMI_PSRAW  = 0x3F | TX79_CLASS_MMI,
+};
+
 /* global register indices */
 static TCGv cpu_gpr[32], cpu_PC;
 static TCGv cpu_HI[MIPS_DSP_ACC], cpu_LO[MIPS_DSP_ACC];
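Review bot: the comments say TX79_MMI_MADD and TX79_MMI_MADDU have the same values as OPC_MADD and OPC_MADDU (and TX79_CLASS_MMI the same as OPC_SPECIAL2), so the two sets of names can never appear as case labels in the same switch, and the R5900 MMI decoder has to be selected on the CPU flag before the generic SPECIAL2 decoder is reached. A one-line comment at the enum stating that decode_tx79_mmi is dispatched separately rather than sharing the SPECIAL2 switch would save the next reader from wondering about the duplicate values.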
-- 
2.18.1




[Qemu-devel] [PATCH v8 02/38] disas/mips: Define R5900 disassembly constants

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 disas/mips.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/disas/mips.c b/disas/mips.c
index 97f661a37e..ae72059c46 100644
--- a/disas/mips.c
+++ b/disas/mips.c
@@ -611,6 +611,9 @@ struct mips_opcode
 /* ST Microelectronics Loongson 2F.  */
 #define INSN_LOONGSON_2F  0x8000
 
+/* Sony/Toshiba R5900 */
+#define INSN_5900 0x1
+
 /* MIPS ISA defines, use instead of hardcoding ISA level.  */
 
 #define   ISA_UNKNOWN 0   /* Gas internal use.  */
@@ -646,6 +649,7 @@ struct mips_opcode
 #define CPU_R5000  5000
 #define CPU_VR5400 5400
 #define CPU_VR5500 5500
+#define CPU_R5900   5900
 #define CPU_R6000  6000
 #define CPU_RM7000 7000
 #define CPU_R8000  8000
@@ -1193,6 +1197,7 @@ extern const int bfd_mips16_num_opcodes;
 #define N5 (INSN_5400 | INSN_5500)
 #define N54INSN_5400
 #define N55INSN_5500
+#define EE  INSN_5900/* Emotion Engine */
 
 #define G1  (T3 \
  )
@@ -3861,6 +3866,7 @@ struct mips_arch_choice
 #define bfd_mach_mips5000  5000
 #define bfd_mach_mips5400  5400
 #define bfd_mach_mips5500  5500
+#define bfd_mach_mips5900  5900
 #define bfd_mach_mips6000  6000
 #define bfd_mach_mips7000  7000
 #define bfd_mach_mips8000  8000
@@ -3908,6 +3914,8 @@ static const struct mips_arch_choice mips_arch_choices[] =
 mips_cp0_names_numeric, NULL, 0, mips_hwr_names_numeric },
   { "vr5500",  1, bfd_mach_mips5500, CPU_VR5500, ISA_MIPS4,
 mips_cp0_names_numeric, NULL, 0, mips_hwr_names_numeric },
+  { "r5900",1, bfd_mach_mips5900, CPU_R5900, ISA_MIPS3,
+mips_cp0_names_numeric, NULL, 0, mips_hwr_names_numeric },
   { "r6000",   1, bfd_mach_mips6000, CPU_R6000, ISA_MIPS2,
 mips_cp0_names_numeric, NULL, 0, mips_hwr_names_numeric },
   { "rm7000",  1, bfd_mach_mips7000, CPU_RM7000, ISA_MIPS4,
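Review bot: the new `r5900` entry in mips_arch_choices is declared `ISA_MIPS3`, so the disassembler will print DMULT, DMULTU, DDIV, DDIVU, LL, LLD, SC and SCD for an R5900 even though the series' cover letter says the core does not implement them, and `EE` (INSN_5900) is defined here without any opcode-table entry using it yet, so nothing R5900-specific is decoded either. That is acceptable for a constants-only patch, but the commit message should say that the opcode-table changes follow, and the `INSN_5900` value should be checked against the other membership bits in this file (the neighbouring INSN_LOONGSON_2F is a high bit while INSN_5900 is the lowest) to make sure it does not overlap the ISA-level mask bits.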
-- 
2.18.1




[Qemu-devel] [PATCH v8 04/38] target/mips: Define R5900 MMI class, and LQ and SQ opcode constants

2018-10-21 Thread Fredrik Noring
Signed-off-by: Fredrik Noring 
---
 target/mips/translate.c | 40 
 1 file changed, 40 insertions(+)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index 32d1d2d83f..e205c3eaef 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -2087,8 +2087,48 @@ enum {
  * MTSAB   rs, immediate Move Byte Count to Shift Amount Register
  * MTSAH   rs, immediate Move Halfword Count to Shift Amount Register
  * PROT3W  rd, rtParallel Rotate 3 Words
+ *
+ * The TX79-specific Multimedia Instruction encodings
+ * ==
+ *
+ * TX79 Multimedia Instruction encoding table keys:
+ *
+ * *   This code is reserved for future use. An attempt to execute it
+ * causes a Reserved Instruction exception.
+ * %   This code indicates an instruction class. The instruction word
+ * must be further decoded by examining additional tables that show
+ * the values for other instruction fields.
+ * #   This code is reserved for the unsupported instructions DMULT,
+ * DMULTU, DDIV, DDIVU, LL, LLD, SC, SCD, LWC2 and SWC2. An attempt
+ * to execute it causes a Reserved Instruction exception.
+ *
+ * TX79 Multimedia Instructions encoded by opcode field (MMI, LQ, SQ):
+ *
+ *  31260
+ * +++
+ * | opcode ||
+ * +++
+ *
+ *   opcode  bits 28..26
+ * bits |   0   |   1   |   2   |   3   |   4   |   5   |   6   |   7
+ *   31..29 |  000  |  001  |  010  |  011  |  100  |  101  |  110  |  111
+ *   ---+---+---+---+---+---+---+---+---
+ *0 000 |SPECIAL| REGIMM|   J   |  JAL  |  BEQ  |  BNE  |  BLEZ |  BGTZ
+ *1 001 |  ADDI | ADDIU |  SLTI | SLTIU |  ANDI |  ORI  |  XORI |  LUI
+ *2 010 |  COP0 |  COP1 |   *   |   *   |  BEQL |  BNEL | BLEZL | BGTZL
+ *3 011 | DADDI | DADDIU|  LDL  |  LDR  |  MMI% |   *   |   LQ  |   SQ
+ *4 100 |   LB  |   LH  |  LWL  |   LW  |  LBU  |  LHU  |  LWR  |  LWU
+ *5 101 |   SB  |   SH  |  SWL  |   SW  |  SDL  |  SDR  |  SWR  | CACHE
+ *6 110 |   #   |  LWC1 |   #   |  PREF |   #   |  LDC1 |   #   |   LD
+ *7 111 |   #   |  SWC1 |   #   |   *   |   #   |  SDC1 |   #   |   SD
  */
 
+enum {
+TX79_CLASS_MMI = 0x1C << 26,/* Same as OPC_SPECIAL2 */
+TX79_LQ= 0x1E << 26,/* Same as OPC_MSA */
+TX79_SQ= 0x1F << 26,/* Same as OPC_SPECIAL3 */
+};
+
 /* global register indices */
 static TCGv cpu_gpr[32], cpu_PC;
 static TCGv cpu_HI[MIPS_DSP_ACC], cpu_LO[MIPS_DSP_ACC];
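Review bot: in the opcode table, rows 6 and 7 mark column 6 (bits 28..26 = 110, i.e. opcodes 110110 and 111110) with `#`, but the `#` key only names LL, LLD, SC, SCD, LWC2 and SWC2 (plus DMULT, DMULTU, DDIV and DDIVU, which are SPECIAL-function encodings and do not appear in this table at all); in standard MIPS those two cells are LDC2 and SDC2. Either add LDC2/SDC2 to the key or mark those cells `*`, so the key matches the table.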
-- 
2.18.1




[Qemu-devel] [PATCH v8 01/38] target/mips: Define R5900 instructions and CPU preprocessor constants

2018-10-21 Thread Fredrik Noring
The R5900 implements the 64-bit MIPS III instruction set except DMULT,
DMULTU, DDIV, DDIVU, LL, SC, LLD and SCD. The MIPS IV instructions MOVN,
MOVZ and PREF are implemented. It has the R5900-specific three-operand
instructions MADD, MADDU, MULT and MULTU as well as pipeline 1 versions
MULT1, MULTU1, DIV1, DIVU1, MADD1, MADDU1, MFHI1, MFLO1, MTHI1 and
MTLO1. A set of 93 128-bit multimedia instructions specific to the
R5900 is also implemented.

The Toshiba TX System RISC TX79 Core Architecture manual

https://wiki.qemu.org/File:C790.pdf

describes the C790 processor that is a follow-up to the R5900. There
are a few notable differences in that the R5900 FPU

- is not IEEE 754-1985 compliant,
- does not implement double format, and
- its machine code is nonstandard.

Signed-off-by: Fredrik Noring 
Reviewed-by: Philippe Mathieu-Daudé 
---
 target/mips/mips-defs.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/target/mips/mips-defs.h b/target/mips/mips-defs.h
index 71ea4ef892..f017551e15 100644
--- a/target/mips/mips-defs.h
+++ b/target/mips/mips-defs.h
@@ -64,6 +64,7 @@
 #define INSN_LOONGSON2E   0x0001ULL
 #define INSN_LOONGSON2F   0x0002ULL
 #define INSN_VR54XX   0x0004ULL
+#define INSN_R59000x0008ULL
 /*
  *   bits 56-63: vendor-specific ASEs
  */
@@ -74,6 +75,7 @@
 #defineCPU_MIPS3   (CPU_MIPS2 | ISA_MIPS3)
 #defineCPU_MIPS4   (CPU_MIPS3 | ISA_MIPS4)
 #defineCPU_VR54XX  (CPU_MIPS4 | INSN_VR54XX)
+#define CPU_R5900   (CPU_MIPS3 | INSN_R5900)
 #defineCPU_LOONGSON2E  (CPU_MIPS3 | INSN_LOONGSON2E)
 #defineCPU_LOONGSON2F  (CPU_MIPS3 | INSN_LOONGSON2F)
 
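Review bot: `CPU_R5900` is `CPU_MIPS3 | INSN_R5900`, so every MIPS III instruction, including the DMULT, DMULTU, DDIV, DDIVU, LL, SC, LLD and SCD that the commit message says the R5900 lacks, will pass the decoder's ISA check unless each is explicitly rejected on INSN_R5900; conversely MOVN, MOVZ and PREF are MIPS IV (`CPU_MIPS4` is `CPU_MIPS3 | ISA_MIPS4`) and will be rejected unless their check_insn calls are extended to accept INSN_R5900. The commit message should point to the later patches that do both, since this definition on its own yields the opposite of the ISA it describes.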
-- 
2.18.1




[Qemu-devel] [PATCH v8 00/38] target/mips: Limited support for the R5900

2018-10-21 Thread Fredrik Noring
The primary purpose of these changes is to support programs compiled
by GCC for the R5900 target and thereby run R5900 Linux distributions,
for example Gentoo.

GCC in version 7.3, by itself, by inspection of the GCC source code
and inspection of the generated machine code, for the R5900 target,
only emits two instructions that are specific to the R5900: the three-
operand MULT and MULTU. GCC and libc also emit certain MIPS III
instructions that are not part of the R5900 ISA. They are normally
trapped and emulated by the Linux kernel, and therefore need to be
treated accordingly by QEMU. This is addressed, in turn, by the
patch series.

A program compiled by GCC is taken to mean source code compiled by GCC
under the restrictions above. One can, with the apparent limitations,
with a bit of effort obtain a fully functioning operating system such
as R5900 Gentoo. Strictly speaking, programs need not be compiled by
GCC to make use of this change.

Instructions and other facilities of the R5900 not implemented by these
changes are intended to signal provisional exceptions. One such example
is the FPU that is not compliant with IEEE 754-1985 in system mode. It
is therefore provisionally disabled. In user space the FPU is trapped
and emulated by IEEE 754-1985 compliant software in the kernel, and
this is handled accordingly by QEMU. Another example is the 93
multimedia instructions specific to the R5900 that generate provisional
reserved instruction exception signals.

One of the benefits of running a Linux distribution under QEMU is that
programs can be compiled with a native compiler, where the host and
target are the same, as opposed to a cross-compiler, where they are
not the same. This is especially important in cases where the target
hardware does not have the resources to run a native compiler.

Problems with cross-compilation are often related to host and target
differences in integer sizes, pointer sizes, endianness, machine code,
ABI, etc. Sometimes cross-compilation is not even supported by the
build script for a given package. One effective way to avoid those
problems is to replace the cross-compiler with a native compiler. This
change of compilation methods does not resolve the inherent problems
with cross-compilation.

The native compiler naturally replaces the cross-compiler, because one
typically uses one or the other, and preferably the native compiler
when the circumstances admit this. The native compiler is also a good
test case for the R5900 QEMU user mode. Additionally, Gentoo is well-
known for compiling and installing its packages from sources.

This change has been tested with Gentoo compiled for R5900, including
native compilation of several packages under QEMU. I used the Gentoo
sys-devel/crossdev package

https://wiki.gentoo.org/wiki/Crossdev

with patches mainly to simplify the handling of LL/SC and floating
point support, to avoid complications with additional configure and
compiler flags. Busybox

https://busybox.net/

can also be used to build a simple functional R5900 program. It can be
used to test the R5900 CPU in QEMU user mode.

The R5900 implements the 64-bit MIPS III instruction set except DMULT,
DMULTU, DDIV, DDIVU, LL, SC, LLD and SCD. The MIPS IV instructions MOVN,
MOVZ and PREF are implemented. It has the R5900 specific three-operand
instructions MADD, MADDU, MULT and MULTU as well as pipeline 1 versions
MULT1, MULTU1, DIV1, DIVU1, MADD1, MADDU1, MFHI1, MFLO1, MTHI1 and
MTLO1. A set of 93 128-bit multimedia instructions specific to the
R5900 is also implemented.

The Toshiba TX System RISC TX79 Core Architecture manual

https://wiki.qemu.org/File:C790.pdf

describes the C790 processor that is a follow-up to the R5900. There
are a few notable differences in that the R5900 FPU

- is not IEEE 754-1985 compliant,
- does not implement double format, and
- its machine code is nonstandard.

Changes in v8:
- Support, disassembly and tests for MADD, MADD1, MADDU and MADDU1
- Support, disassembly and tests for MTLO1, MTHI1, MFLO1 and MFHI1
- Support, disassembly and tests for MULT1, MULTU1, DIV1 and DIVU1
- Opcode definitions and placeholder code for all unsupported MMIs
- check_insn_opc_user_only flags parameter type is uint64_t
- Toshiba TX System RISC TX79 manual PDF QEMU wiki link
- Merge of [PATCH v7 7/7] with Toshiba/Sony rename

Changes in v7:
- Rename gen_mul_txxx to gen_mul_txx9
- Use MIPS_INVAL("mul TXx9")
- Reviewed-by: Philippe Mathieu-Daudé

Changes in v6:
- Set the CP0 PRId implementation number to 0x2E for the R5900
- Refer to the C790 follow-up in the definition of the R5900
- Define and use check_insn_opc_user_only in the same change
- Rename gen_mul_r5900 to gen_mul_txxx
- Enclose single statements in braces
- Expand and reword commit messages and notes
- Reword the cover letter subject line
- All changes build with GCC and Clang
- Approval from checkpatch.pl

Changes in v5:
- Reorder check_insn_opc_user_only calls
- Call check_insn_opc_removed in 

Re: [Qemu-devel] [PULL 00/21] tcg patch queue

2018-10-21 Thread Peter Maydell
On 21 October 2018 at 16:01, Peter Maydell  wrote:
> Any idea what's going on here? tcg/tcg.h has a comment saying
>  * The cmpxchg functions are only defined if HAVE_CMPXCHG128
> so presumably the issue is that the helper-a64 code is
> trying to refer to them anyway. There certainly doesn't
> seem to be any kind of #defining around the listed functions
> in helper-a64.c to stop them being compiled in this situation.
>
> NB: I build with --enable-debug in this tree -- are you
> perhaps accidentally relying on the compiler's optimisation
> to discard these functions if they're not needed?

Adding a #if HAVE_CMPXCHG128 around the helper-a64.c
functions just pushes the link error back a step to the
references to those helpers:
  LINK    aarch64-softmmu/qemu-system-aarch64w.exe
tcg/tcg.o:tcg.c:(.rdata+0x9810): undefined reference to
`helper_paired_cmpxchg64_le_parallel'
tcg/tcg.o:tcg.c:(.rdata+0x9830): undefined reference to
`helper_paired_cmpxchg64_be_parallel'
tcg/tcg.o:tcg.c:(.rdata+0x9840): undefined reference to
`helper_casp_le_parallel'
tcg/tcg.o:tcg.c:(.rdata+0x9850): undefined reference to
`helper_casp_be_parallel'

which in turn I guess is because they're in the array
of all helpers in tcg.c, so we need to also #if out the
prototypes in helper-a64.h, which is awkward because
there we don't have the HAVE_CMPXCHG128 defined...

thanks
-- PMM



Re: [Qemu-devel] [PATCH v5 6/8] target/mips: Define the R5900 CPU

2018-10-21 Thread Maciej W. Rozycki
Hi Fredrik,

> >  The C790 is a follow-up to the R5900.  The R5900 has an FPU that is not 
> > compliant to the IEEE 754 standard for floating-point arithmetic.  It 
> > doesn't implement exceptions, infinities, NaNs or denormals.  It doesn't 
> > implement the double format either, but that is really tangential, 
> > because the same was the case with the IDT R4650, which had a standard 
> > IEEE 754 FPU, but no double format either.  Finally it has some anomalies 
> > in the FP instruction set; not all opcode encodings are standard.
> 
> Do you know where one might find a list of the nonstandard FP instructions?
> 
> The command
> 
> % grep 'FP_.*EE' binutils/opcodes/mips-opc.c
> 
> gives a list of candidates, I suppose?

 Yeah, those that have EE in `membership' are extra and those that have EE 
in `exclusions' are missing.

 See also: .

  Maciej



Re: [Qemu-devel] qemu-trivial pull-request?

2018-10-21 Thread Laurent Vivier
On 19/10/2018 20:30, Michael Tokarev wrote:
> 19.10.2018 16:17, Laurent Vivier wrote:
>> Hi Michael,
>>
>> some people asked me if there will be any qemu-trivial pull request in
>> the near future.
>>
>> So you plan to do one?
>> Do you need help?
> 
> Hello!
> 
> I haven't done anything qemu-related in about 3 months in a row.
> That's due to some.. personal issues, so to say - I don't have
> time for anything hobby-ish, even for work, need to sort out
> other things first somehow.
> 
> So yes, I do need help with processing qemu-trivial queue, as
> nothing has been done in 3 whole months if not more. I can't
> do that in a near future.

Thank you for your answer.

I'm going to prepare a pull request for the qemu-trivial patches before
the next soft-freeze.

Laurent



Re: [Qemu-devel] [PULL 00/21] tcg patch queue

2018-10-21 Thread Peter Maydell
On 19 October 2018 at 07:10, Richard Henderson
 wrote:
> On 10/18/18 3:34 AM, Peter Maydell wrote:
>> The win32 build fails with:
>>
>> target/arm/helper-a64.o: In function `helper_paired_cmpxchg64_le_parallel':
>> /home/petmay01/qemu-for-merges/target/arm/helper-a64.c:573: undefined
>> reference to `helper_atomic_cmpxchgo_le_mmu'
>> target/arm/helper-a64.o: In function `helper_paired_cmpxchg64_be_parallel':
>> /home/petmay01/qemu-for-merges/target/arm/helper-a64.c:647: undefined
>> reference to `helper_atomic_cmpxchgo_be_mmu'
>> target/arm/helper-a64.o: In function `helper_casp_le_parallel':
>> /home/petmay01/qemu-for-merges/target/arm/helper-a64.c:669: undefined
>> reference to `helper_atomic_cmpxchgo_le_mmu'
>> target/arm/helper-a64.o: In function `helper_casp_be_parallel':
>> /home/petmay01/qemu-for-merges/target/arm/helper-a64.c:690: undefined
>> reference to `helper_atomic_cmpxchgo_be_mmu'
>
> This one I could not reproduce.  Tested with i686-w64-mingw32-gcc
> and x86_64-w64-mingw32-gcc, both version 6.2.
>
> I suspect configure misfired.  If you can, start this one over with a blank
> build directory.

Something odd is going on here. My merge test when I merged your v2
passed (unless I managed to miss a failure message first time around
which isn't impossible). But on a subsequent test for a later merge,
I get the same error:

  LINKaarch64-softmmu/qemu-system-aarch64w.exe
target/arm/helper-a64.o: In function `helper_paired_cmpxchg64_le_parallel':
/home/petmay01/qemu-for-merges/target/arm/helper-a64.c:573: undefined
reference to `helper_atomic_cmpxchgo_le_mmu'
target/arm/helper-a64.o: In function `helper_paired_cmpxchg64_be_parallel':
/home/petmay01/qemu-for-merges/target/arm/helper-a64.c:647: undefined
reference to `helper_atomic_cmpxchgo_be_mmu'
target/arm/helper-a64.o: In function `helper_casp_le_parallel':
/home/petmay01/qemu-for-merges/target/arm/helper-a64.c:669: undefined
reference to `helper_atomic_cmpxchgo_le_mmu'
target/arm/helper-a64.o: In function `helper_casp_be_parallel':
/home/petmay01/qemu-for-merges/target/arm/helper-a64.c:690: undefined
reference to `helper_atomic_cmpxchgo_be_mmu'
collect2: error: ld returned 1 exit status

I did a complete "blow away build/w32 entirely and
reconfigure" and the failure is still there.
config-host.mak defines neither CONFIG_ATOMIC128 nor CONFIG_CMPXCHG128,
which is what I'd expect for a w32 build. (The w64 build does
define CONFIG_ATOMIC128, and does build.)

Any idea what's going on here? tcg/tcg.h has a comment saying
 * The cmpxchg functions are only defined if HAVE_CMPXCHG128
so presumably the issue is that the helper-a64 code is
trying to refer to them anyway. There certainly doesn't
seem to be any kind of #defining around the listed functions
in helper-a64.c to stop them being compiled in this situation.

NB: I build with --enable-debug in this tree -- are you
perhaps accidentally relying on the compiler's optimisation
to discard these functions if they're not needed?

thanks
-- PMM



[Qemu-devel] [PATCH] icount: fix deadlock when all cpus are sleeping

2018-10-21 Thread Clement Deschamps
When all cpus are sleeping (e.g in WFI), to avoid a deadlock
in the main_loop, wake it up in order to start the warp timer.

Signed-off-by: Clement Deschamps 
---
 cpus.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/cpus.c b/cpus.c
index bb2a511483..798d43623a 100644
--- a/cpus.c
+++ b/cpus.c
@@ -1554,6 +1554,14 @@ static void *qemu_tcg_rr_cpu_thread_fn(void *arg)
 atomic_mb_set(>exit_request, 0);
 }
 
+if (use_icount && all_cpu_threads_idle()) {
+/*
+ * When all cpus are sleeping (e.g in WFI), to avoid a deadlock
+ * in the main_loop, wake it up in order to start the warp timer.
+ */
+qemu_notify_event();
+}
+
 qemu_tcg_rr_wait_io_event(cpu ? cpu : first_cpu);
 deal_with_unplugged_cpus();
 }
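Review bot: the new check runs on every iteration of the thread loop, so while use_icount is set and all CPU threads stay idle, qemu_notify_event() is issued on each pass rather than once on entering the all-idle state; if that is the intent, the commit message should say so, and it should also explain why the main loop otherwise never starts the warp timer, since neither it nor the in-code comment (which repeats the commit message word for word) describes the deadlock being fixed.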
-- 
2.19.1




Re: [Qemu-devel] [PATCH v7 0/7] target/mips: Limited support for the R5900

2018-10-21 Thread Fredrik Noring
Hi Aleksandar,

> Your series is getting better and better with each version, which is very
> good. For a change, I don't have any objection about the title. :)

Good!

> Patch 7 will be integrated shortly in the MIPS queue, you don't need to
> worry about it.

Thanks!

> With this series you are not only supporting your prime use case, but you
> are introducing a new instruction set to QEMU. Try to step back and get
> wider perspective. No matter how limited the support for the new ISA is,
> its introduction to QEMU must have following elements:
> 
> (1) Definition of basic preprocessor constants for the new ISA.
> (2) All opcodes for the ISA.
> (3) Basic decoding engine for new instructions.
> 
> Your patch 1 addresses (1). However, there are no patches for (2) and (3) in
> this series. Let me walk through the details on how to implement (2) and (3).

Thank you for your detailed description, it was helpful.

> (2) All opcodes for the ISA.
> 
> Only if an R5900 instruction has the same name, opcode, and functionality,
> corresponding MIPS III/IV opcode can and must be reused for R5900. For all
> other cases, R5900-specific opcode must be supplied. I'll limit further
> consideration to MMI instructions, but you should consider the whole R5900
> instruction set.

I'm preparing v8 with (2) and (3) and other changes, to be posted shortly.

> Of course, you need to specify functions decode_ee_mmi0(),
> decode_ee_mmi1(), decode_ee_mmi2(), and decode_ee_mmi3() too.

Done.

> You can change format and naming in the code above, but I insist that each
> unimplemented instruction has its own "TODO" and "generate_exception()".

They have TODOs, but it turns out that having individual generate_exception
calls is somewhat impractical, because instructions are typically grouped
and folded into other functions in various ways. I think this is reasonably
evident when looking at how the v8 patch series develops.

> FPU opcodes need such treatment too. This will affect your overall
> solution, hopefully it will be better after the reorganization.

I'm not sure whether the R5900 FPU opcode anomalies are documented. I will
have to investigate this.

Fredrik



Re: [Qemu-devel] [PATCH v2 06/29] target/riscv: Convert RVXI fence insns to decodetree

2018-10-21 Thread Richard Henderson
On 10/20/18 8:14 AM, Bastian Koppelmann wrote:
> Signed-off-by: Bastian Koppelmann 
> Signed-off-by: Peer Adelt 
> ---
> v1 -> v2:
> - simplified fence/fence_i as suggested by Richard
> 
>  target/riscv/insn32.decode  |  6 ++
>  target/riscv/insn_trans/trans_rvi.inc.c | 20 
>  target/riscv/translate.c| 14 --
>  3 files changed, 26 insertions(+), 14 deletions(-)
> 
> diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
> index cb7622e223..00e30dbc71 100644
> --- a/target/riscv/insn32.decode
> +++ b/target/riscv/insn32.decode
> @@ -24,6 +24,9 @@
>  %sh620:6
>  %sh520:5
>  
> +%pred   24:4
> +%succ   20:4

Unused.

> +static bool trans_fence(DisasContext *ctx, arg_fence *a, uint32_t insn)
> +{
> +#ifndef CONFIG_USER_ONLY
> +/* FENCE is a full memory barrier. */
> +tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
> +#endif
> +return true;
> +}
> +static bool trans_fence_i(DisasContext *ctx, arg_fence_i *a, uint32_t insn)

Spacing.

> +{
> +#ifndef CONFIG_USER_ONLY
> +/* FENCE_I is a no-op in QEMU,
> + * however we need to end the translation block */
> +tcg_gen_movi_tl(cpu_pc, ctx->pc_succ_insn);
> +tcg_gen_exit_tb(NULL, 0);
> +ctx->base.is_jmp = DISAS_NORETURN;
> +#endif
> +return true;
> +}
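Review bot: in trans_fence_i the translation block is ended only inside the #ifndef CONFIG_USER_ONLY guard, so the user-only build emits nothing and keeps translating past FENCE.I, and the same guard on trans_fence drops the barrier there; both bodies are valid for user-only, so the #ifndef/#endif pairs can simply be removed from both functions.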

I will note that both of these should apply to user-only as well...

> -case OPC_RISC_FENCE:
> -#ifndef CONFIG_USER_ONLY
> -if (ctx->opcode & 0x1000) {
> -/* FENCE_I is a no-op in QEMU,
> - * however we need to end the translation block */
> -tcg_gen_movi_tl(cpu_pc, ctx->pc_succ_insn);
> -tcg_gen_exit_tb(NULL, 0);
> -ctx->base.is_jmp = DISAS_NORETURN;
> -} else {
> -/* FENCE is a full memory barrier. */
> -tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
> -}
> -#endif

... even though you're simply copying the bug.

I mentioned this twice during initial review of risc-v, but it seems to have
been missed during commit.

Also note that one can do better than TCG_MO_ALL by actually using the
pred/succ bits to select TCG_MO_{LD,ST}_{LD,ST}.

That said, no new bugs with this patch, so
Reviewed-by: Richard Henderson 


r~
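As an added example (not code from this thread or from QEMU), this C function shows the mapping Richard alludes to: deriving the tcg_gen_mb() argument from the FENCE pred/succ fields that insn32.decode defines as %pred 24:4 and %succ 20:4, instead of the blanket TCG_MO_ALL. The TCG_MO_* and TCG_BAR_SC values are those of QEMU's tcg/tcg.h; folding the device I/O bits into the load/store sides is an assumption of the example.

```c
#include <stdint.h>
#include <stdio.h>

/* TCG memory-order flags, with the values used in QEMU's tcg/tcg.h (TCGBar).
 * TCG_MO_A_B means "an A before the barrier is ordered against a B after it". */
enum {
    TCG_MO_LD_LD = 0x01,
    TCG_MO_ST_LD = 0x02,
    TCG_MO_LD_ST = 0x04,
    TCG_MO_ST_ST = 0x08,
    TCG_MO_ALL   = 0x0F,
    TCG_BAR_SC   = 0x30,   /* no operation may be reordered across the barrier */
};

/* RISC-V FENCE pred/succ sets: 4 bits, I O R W from bit 3 down to bit 0. */
#define FENCE_I 0x8
#define FENCE_O 0x4
#define FENCE_R 0x2
#define FENCE_W 0x1

/* Field extraction matching "%pred 24:4" and "%succ 20:4" in insn32.decode. */
static unsigned fence_pred(uint32_t insn) { return (insn >> 24) & 0xF; }
static unsigned fence_succ(uint32_t insn) { return (insn >> 20) & 0xF; }

/*
 * Compute the tcg_gen_mb() argument for a FENCE with the given pred/succ sets.
 * Returns 0 when the fence orders nothing, so the caller can emit no barrier.
 * Assumption of this example: device input (I) is folded into the load side
 * and device output (O) into the store side, since QEMU performs MMIO through
 * the same guest load/store ops as ordinary memory.
 */
unsigned fence_to_tcg_mo(unsigned pred, unsigned succ)
{
    int pred_ld = pred & (FENCE_R | FENCE_I);
    int pred_st = pred & (FENCE_W | FENCE_O);
    int succ_ld = succ & (FENCE_R | FENCE_I);
    int succ_st = succ & (FENCE_W | FENCE_O);
    unsigned mo = 0;

    if (pred_ld && succ_ld) mo |= TCG_MO_LD_LD;   /* loads before loads */
    if (pred_ld && succ_st) mo |= TCG_MO_LD_ST;   /* loads before stores */
    if (pred_st && succ_ld) mo |= TCG_MO_ST_LD;   /* stores before loads */
    if (pred_st && succ_st) mo |= TCG_MO_ST_ST;   /* stores before stores */

    return mo ? (mo | TCG_BAR_SC) : 0;
}

/* Same, starting from the raw 32-bit instruction word. */
unsigned fence_insn_to_tcg_mo(uint32_t insn)
{
    return fence_to_tcg_mo(fence_pred(insn), fence_succ(insn));
}

int main(void)
{
    /* Constructed encodings: opcode 0x0F with pred/succ in bits 27:20. */
    const uint32_t samples[] = {
        0x0330000Fu,   /* fence rw,rw   -> TCG_MO_ALL | TCG_BAR_SC */
        0x0210000Fu,   /* fence r,w     -> TCG_MO_LD_ST | TCG_BAR_SC */
        0x0FF0000Fu,   /* fence iorw,iorw -> TCG_MO_ALL | TCG_BAR_SC */
        0x0000000Fu,   /* fence with empty sets -> nothing to emit */
    };
    for (unsigned i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("insn %#010x pred=%x succ=%x -> mb arg %#x\n", samples[i],
               fence_pred(samples[i]), fence_succ(samples[i]),
               fence_insn_to_tcg_mo(samples[i]));
    }
    return 0;
}
```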



Re: [Qemu-devel] [RFC v3 48/56] ppc: acquire the BQL in cpu_has_work

2018-10-21 Thread Richard Henderson
On 10/20/18 5:31 PM, Emilio G. Cota wrote:
> I like this. How does the appended look?
> 
> Thanks,
> 
>   Emilio
> ---8<---
> 
> [PATCH] cpu: introduce cpu_has_work_with_iothread_lock

I might just inline cpu_has_work_bql into the one caller.
You could even share has_cpu_lock with the code there.


r~



Re: [Qemu-devel] [RFC v3 07/56] target/m68k: rename cpu_halted to cpu_halt

2018-10-21 Thread Richard Henderson
On 10/21/18 1:53 PM, Richard Henderson wrote:
> On 10/19/18 2:05 AM, Emilio G. Cota wrote:
>> To avoid a name clash with the soon-to-be-defined cpu_halted() helper.
>>
>> Cc: Laurent Vivier 
>> Signed-off-by: Emilio G. Cota 
>> ---
>>  target/m68k/translate.c | 6 +++---
>>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> Although for this usage it's probably better to avoid the
> tcg_global_mem_new_i32 and just use tcg_gen_st_i32.

And, as I read further, you need to convert this use to a helper call.
Otherwise you've still got an unlocked direct modification to cpu->halted
from within the TCG generated code.

There are several other targets that do the same thing: alpha, cris, hppa,
mips, microblaze, ppc.  And typically they will do exactly the same thing: set
the flag and then raise the halt exception.


r~






Re: [Qemu-devel] [RFC v3 44/56] unicore32: convert to cpu_interrupt_request

2018-10-21 Thread Richard Henderson
On 10/19/18 2:06 AM, Emilio G. Cota wrote:
> Cc: Guan Xuetao 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/unicore32/cpu.c | 2 +-
>  target/unicore32/softmmu.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

Reviewed-by: Richard Henderson 


r~





Re: [Qemu-devel] [RFC v3 43/56] openrisc: convert to cpu_interrupt_request

2018-10-21 Thread Richard Henderson
On 10/19/18 2:06 AM, Emilio G. Cota wrote:
> Cc: Stafford Horne 
> Signed-off-by: Emilio G. Cota 
> ---
>  hw/openrisc/cputimer.c | 2 +-
>  target/openrisc/cpu.c  | 4 ++--
>  2 files changed, 3 insertions(+), 3 deletions(-)

Reviewed-by: Richard Henderson 


r~





Re: [Qemu-devel] [RFC v3 42/56] sparc: convert to cpu_interrupt_request

2018-10-21 Thread Richard Henderson
On 10/19/18 2:06 AM, Emilio G. Cota wrote:
> Cc: Mark Cave-Ayland 
> Cc: Artyom Tarasenko 
> Signed-off-by: Emilio G. Cota 
> ---
>  hw/sparc64/sparc64.c | 19 +--
>  target/sparc/cpu.c   |  2 +-
>  2 files changed, 14 insertions(+), 7 deletions(-)

Reviewed-by: Richard Henderson 


r~





Re: [Qemu-devel] [RFC v3 41/56] moxie: convert to cpu_interrupt_request

2018-10-21 Thread Richard Henderson
On 10/19/18 2:06 AM, Emilio G. Cota wrote:
> Cc: Anthony Green 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/moxie/cpu.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Richard Henderson 


r~





Re: [Qemu-devel] [RFC v3 46/56] accel/tcg: convert to cpu_interrupt_request

2018-10-21 Thread Richard Henderson
On 10/19/18 2:06 AM, Emilio G. Cota wrote:
> @@ -540,16 +540,16 @@ static inline bool cpu_handle_interrupt(CPUState *cpu,
>   */
>  atomic_mb_set(>icount_decr.u16.high, 0);
>  
> -if (unlikely(atomic_read(>interrupt_request))) {
> +if (unlikely(cpu_interrupt_request(cpu))) {
>  int interrupt_request;
>  qemu_mutex_lock_iothread();
> -interrupt_request = cpu->interrupt_request;
> +interrupt_request = cpu_interrupt_request(cpu);
>  if (unlikely(cpu->singlestep_enabled & SSTEP_NOIRQ)) {
>  /* Mask out external interrupts for this step. */
>  interrupt_request &= ~CPU_INTERRUPT_SSTEP_MASK;
>  }
>  if (interrupt_request & CPU_INTERRUPT_DEBUG) {
> -cpu->interrupt_request &= ~CPU_INTERRUPT_DEBUG;
> +cpu_reset_interrupt(cpu, CPU_INTERRUPT_DEBUG);
>  cpu->exception_index = EXCP_DEBUG;
>  qemu_mutex_unlock_iothread();
>  return true;
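Review bot: cpu_interrupt_request(cpu) is now called twice on this path, once for the fast check that replaced the lock-free atomic_read() and again under qemu_mutex_lock_iothread(); if the helper acquires the CPU lock, the fast path now takes a lock on every pass through the exec loop. Keep a lock-free read for the first test, or read the value once into interrupt_request and reuse it for both.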

Multiple calls.


r~



Re: [Qemu-devel] [RFC v3 40/56] alpha: convert to cpu_interrupt_request

2018-10-21 Thread Richard Henderson
On 10/19/18 2:06 AM, Emilio G. Cota wrote:
> Cc: Richard Henderson 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/alpha/cpu.c | 8 
>  1 file changed, 4 insertions(+), 4 deletions(-)

Reviewed-by: Richard Henderson 


r~





Re: [Qemu-devel] [RFC v3 37/56] mips: convert to cpu_interrupt_request

2018-10-21 Thread Richard Henderson
On 10/19/18 2:06 AM, Emilio G. Cota wrote:
> @@ -60,7 +60,7 @@ static bool mips_cpu_has_work(CPUState *cs)
>  /* Prior to MIPS Release 6 it is implementation dependent if non-enabled
> interrupts wake-up the CPU, however most of the implementations only
> check for interrupts that can be taken. */
> -if ((cs->interrupt_request & CPU_INTERRUPT_HARD) &&
> +if ((cpu_interrupt_request(cs) & CPU_INTERRUPT_HARD) &&
>  cpu_mips_hw_interrupts_pending(env)) {
>  if (cpu_mips_hw_interrupts_enabled(env) ||
>  (env->insn_flags & ISA_MIPS32R6)) {
> @@ -72,7 +72,7 @@ static bool mips_cpu_has_work(CPUState *cs)
>  if (env->CP0_Config3 & (1 << CP0C3_MT)) {
>  /* The QEMU model will issue an _WAKE request whenever the CPUs
> should be woken up.  */
> -if (cs->interrupt_request & CPU_INTERRUPT_WAKE) {
> +if (cpu_interrupt_request(cs) & CPU_INTERRUPT_WAKE) {
>  has_work = true;
>  }
>  
> @@ -82,7 +82,7 @@ static bool mips_cpu_has_work(CPUState *cs)
>  }
>  /* MIPS Release 6 has the ability to halt the CPU.  */
>  if (env->CP0_Config5 & (1 << CP0C5_VP)) {
> -if (cs->interrupt_request & CPU_INTERRUPT_WAKE) {
> +if (cpu_interrupt_request(cs) & CPU_INTERRUPT_WAKE) {
>  has_work = true;
>  }
>  if (!mips_vp_active(env)) {
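Review bot: across these three hunks mips_cpu_has_work() now calls cpu_interrupt_request(cs) three times where the old code read cs->interrupt_request three times; read it once into a local at the top of the function, which also gives a single consistent snapshot for all three tests instead of three values that may differ if the field changes between calls.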

Multiple calls.


r~



Re: [Qemu-devel] [RFC v3 39/56] s390x: convert to cpu_interrupt_request

2018-10-21 Thread Richard Henderson
On 10/19/18 2:06 AM, Emilio G. Cota wrote:
> Cc: Cornelia Huck 
> Cc: Christian Borntraeger 
> Cc: Alexander Graf 
> Cc: Richard Henderson 
> Cc: David Hildenbrand 
> Cc: qemu-s3...@nongnu.org
> Signed-off-by: Emilio G. Cota 
> ---
>  hw/intc/s390_flic.c | 2 +-
>  target/s390x/cpu.c  | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

Reviewed-by: Richard Henderson 


r~





Re: [Qemu-devel] [RFC v3 45/56] microblaze: convert to cpu_interrupt_request

2018-10-21 Thread Richard Henderson
On 10/19/18 2:06 AM, Emilio G. Cota wrote:
> Cc: "Edgar E. Iglesias" 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/microblaze/cpu.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Richard Henderson 


r~





Re: [Qemu-devel] [RFC v3 36/56] m68k: convert to cpu_interrupt_request

2018-10-21 Thread Richard Henderson
On 10/19/18 2:06 AM, Emilio G. Cota wrote:
> Cc: Laurent Vivier 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/m68k/cpu.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Richard Henderson 


r~





Re: [Qemu-devel] [RFC v3 38/56] nios: convert to cpu_interrupt_request

2018-10-21 Thread Richard Henderson
On 10/19/18 2:06 AM, Emilio G. Cota wrote:
> Cc: Chris Wulff 
> Cc: Marek Vasut 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/nios2/cpu.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Richard Henderson 


r~





Re: [Qemu-devel] [RFC v3 35/56] lm32: convert to cpu_interrupt_request

2018-10-21 Thread Richard Henderson
On 10/19/18 2:06 AM, Emilio G. Cota wrote:
> Cc: Michael Walle 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/lm32/cpu.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Richard Henderson 


r~





Re: [Qemu-devel] [RFC v3 32/56] sh4: convert to cpu_interrupt_request

2018-10-21 Thread Richard Henderson
On 10/19/18 2:06 AM, Emilio G. Cota wrote:
> Cc: Aurelien Jarno 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/sh4/cpu.c| 2 +-
>  target/sh4/helper.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

Reviewed-by: Richard Henderson 


r~





Re: [Qemu-devel] [RFC v3 33/56] cris: convert to cpu_interrupt_request

2018-10-21 Thread Richard Henderson
On 10/19/18 2:06 AM, Emilio G. Cota wrote:
> Cc: "Edgar E. Iglesias" 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/cris/cpu.c| 2 +-
>  target/cris/helper.c | 6 +++---
>  2 files changed, 4 insertions(+), 4 deletions(-)

Reviewed-by: Richard Henderson 


r~





Re: [Qemu-devel] [RFC v3 34/56] hppa: convert to cpu_interrupt_request

2018-10-21 Thread Richard Henderson
On 10/19/18 2:06 AM, Emilio G. Cota wrote:
> Cc: Richard Henderson 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/hppa/cpu.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Richard Henderson 


r~





Re: [Qemu-devel] [RFC v3 30/56] i386: convert to cpu_interrupt_request

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> @@ -713,9 +713,9 @@ int hvf_vcpu_exec(CPUState *cpu)
>  switch (exit_reason) {
>  case EXIT_REASON_HLT: {
>  macvm_set_rip(cpu, rip + ins_len);
> -if (!((cpu->interrupt_request & CPU_INTERRUPT_HARD) &&
> +if (!((cpu_interrupt_request(cpu) & CPU_INTERRUPT_HARD) &&
>  (EFLAGS(env) & IF_MASK))
> -&& !(cpu->interrupt_request & CPU_INTERRUPT_NMI) &&
> +&& !(cpu_interrupt_request(cpu) & CPU_INTERRUPT_NMI) &&
>  !(idtvec_info & VMCS_IDT_VEC_VALID)) {
>  cpu_halted_set(cpu, 1);
>  ret = EXCP_HLT;
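Review bot: the HLT condition evaluates cpu_interrupt_request(cpu) twice in one expression; assign it once to a local, e.g. `int req = cpu_interrupt_request(cpu);`, and test `req & CPU_INTERRUPT_HARD` and `req & CPU_INTERRUPT_NMI`, so the halt decision is made against one snapshot and the helper (and any lock it takes) runs once.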

Likewise wrt multiple calls.

> @@ -400,7 +401,8 @@ bool hvf_inject_interrupts(CPUState *cpu_state)
>  };
>  }
>  
> -if (cpu_state->interrupt_request & CPU_INTERRUPT_NMI) {
> +cpu_mutex_lock(cpu_state);
> +if (cpu_interrupt_request(cpu_state) & CPU_INTERRUPT_NMI) {
>  if (!(env->hflags2 & HF2_NMI_MASK) && !(info & VMCS_INTR_VALID)) {
>  cpu_reset_interrupt(cpu_state, CPU_INTERRUPT_NMI);
>  info = VMCS_INTR_VALID | VMCS_INTR_T_NMI | NMI_VEC;
> @@ -411,7 +413,7 @@ bool hvf_inject_interrupts(CPUState *cpu_state)
>  }
>  
>  if (!(env->hflags & HF_INHIBIT_IRQ_MASK) &&
> -(cpu_state->interrupt_request & CPU_INTERRUPT_HARD) &&
> +(cpu_interrupt_request(cpu_state) & CPU_INTERRUPT_HARD) &&
>  (EFLAGS(env) & IF_MASK) && !(info & VMCS_INTR_VALID)) {
>  int line = cpu_get_pic_interrupt(>env);
>  cpu_reset_interrupt(cpu_state, CPU_INTERRUPT_HARD);

Likewise.

I think you need to be more careful about this in the conversions.  Previously,
the compiler would CSE these two loads; now you're taking a lock twice.

Or in the second instance, once, since you explicitly take the lock around a
big block.  But I think that's papering over the fact that you make 4 calls
when you should have made one, *and* not hold the lock across all that code.


r~



Re: [Qemu-devel] [RFC v3 24/56] ppc: use cpu_reset_interrupt

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> From: Paolo Bonzini 
> 
> Cc: David Gibson 
> Cc: Alexander Graf 
> Cc: qemu-...@nongnu.org
> Acked-by: David Gibson 
> Reviewed-by: Philippe Mathieu-Daudé 
> Signed-off-by: Paolo Bonzini 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/ppc/excp_helper.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Richard Henderson 


r~




Re: [Qemu-devel] [RFC v3 27/56] s390x: use cpu_reset_interrupt

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> From: Paolo Bonzini 
> 
> Cc: Cornelia Huck 
> Cc: Richard Henderson 
> Cc: Alexander Graf 
> Cc: David Hildenbrand 
> Cc: qemu-s3...@nongnu.org
> Reviewed-by: David Hildenbrand 
> Reviewed-by: Richard Henderson 
> Reviewed-by: Cornelia Huck 
> Signed-off-by: Paolo Bonzini 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/s390x/excp_helper.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Richard Henderson 


r~




Re: [Qemu-devel] [RFC v3 29/56] arm: convert to cpu_interrupt_request

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> +++ b/target/arm/helper.c
> @@ -1295,12 +1295,14 @@ static uint64_t isr_read(CPUARMState *env, const 
> ARMCPRegInfo *ri)
>  CPUState *cs = ENV_GET_CPU(env);
>  uint64_t ret = 0;
>  
> -if (cs->interrupt_request & CPU_INTERRUPT_HARD) {
> +cpu_mutex_lock(cs);
> +if (cpu_interrupt_request(cs) & CPU_INTERRUPT_HARD) {
>  ret |= CPSR_I;
>  }
> -if (cs->interrupt_request & CPU_INTERRUPT_FIQ) {
> +if (cpu_interrupt_request(cs) & CPU_INTERRUPT_FIQ) {
>  ret |= CPSR_F;
>  }
> +cpu_mutex_unlock(cs);
>  /* External aborts are not possible in QEMU so A bit is always clear */
>  return ret;
>  }
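Review bot: the lock here only brackets two reads of the same field; a single `uint32_t req = cpu_interrupt_request(cs);` followed by the two bit tests gives one consistent snapshot without the cpu_mutex_lock()/cpu_mutex_unlock() pair, which would otherwise be paid on every guest read of this register.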

I think simply reading cpu_interrupt_request once into a local variable is
better, and no need for extra locking then.

Otherwise,
Reviewed-by: Richard Henderson 


r~




Re: [Qemu-devel] [RFC v3 26/56] i386: use cpu_reset_interrupt

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> From: Paolo Bonzini 
> 
> Cc: Richard Henderson 
> Cc: Eduardo Habkost 
> Reviewed-by: Richard Henderson 
> Signed-off-by: Paolo Bonzini 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/i386/hax-all.c|  4 ++--
>  target/i386/hvf/x86hvf.c |  8 
>  target/i386/kvm.c| 14 +++---
>  target/i386/seg_helper.c | 13 ++---
>  target/i386/svm_helper.c |  2 +-
>  target/i386/whpx-all.c   | 10 +-
>  6 files changed, 25 insertions(+), 26 deletions(-)

Reviewed-by: Richard Henderson 


r~




Re: [Qemu-devel] [RFC v3 23/56] cpu: define cpu_interrupt_request helpers

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> Signed-off-by: Emilio G. Cota 
> ---
>  include/qom/cpu.h | 35 +++
>  1 file changed, 35 insertions(+)

Reviewed-by: Richard Henderson 


r~




Re: [Qemu-devel] [RFC v3 28/56] openrisc: use cpu_reset_interrupt

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> From: Paolo Bonzini 
> 
> Cc: Stafford Horne 
> Reviewed-by: Philippe Mathieu-Daudé 
> Signed-off-by: Paolo Bonzini 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/openrisc/sys_helper.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Richard Henderson 


r~




Re: [Qemu-devel] [RFC v3 21/56] openrisc: convert to cpu_halted

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> Cc: Stafford Horne 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/openrisc/sys_helper.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Richard Henderson 


r~




Re: [Qemu-devel] [RFC v3 25/56] exec: use cpu_reset_interrupt

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> -cpu->interrupt_request &= ~0x01;
> +cpu_reset_interrupt(cpu, ~0x01);
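Review bot: cpu_reset_interrupt() takes the mask of bits to clear (compare `cpu->interrupt_request &= ~CPU_INTERRUPT_DEBUG` becoming `cpu_reset_interrupt(cpu, CPU_INTERRUPT_DEBUG)` elsewhere in the series), so passing ~0x01 clears every bit except bit 0, the opposite of the replaced `cpu->interrupt_request &= ~0x01`; the argument should be 0x01, preferably spelled as the CPU_INTERRUPT_* constant that bit stands for.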

cpu_reset_interrupt(cpu, 1);

Although this is during vmload, and I'm not sure what locks you really want to
play with here.  Perhaps it's ok...


r~



Re: [Qemu-devel] [RFC v3 07/56] target/m68k: rename cpu_halted to cpu_halt

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> To avoid a name clash with the soon-to-be-defined cpu_halted() helper.
> 
> Cc: Laurent Vivier 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/m68k/translate.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

Although for this usage it's probably better to avoid the
tcg_global_mem_new_i32 and just use tcg_gen_st_i32.

Reviewed-by: Richard Henderson 


r~



Re: [Qemu-devel] [RFC v3 19/56] xtensa: convert to cpu_halted

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> Cc: Max Filippov 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/xtensa/cpu.c   | 2 +-
>  target/xtensa/helper.c| 2 +-
>  target/xtensa/op_helper.c | 2 +-
>  3 files changed, 3 insertions(+), 3 deletions(-)

Reviewed-by: Richard Henderson 


r~




Re: [Qemu-devel] [RFC v3 20/56] gdbstub: convert to cpu_halted

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> Signed-off-by: Emilio G. Cota 
> ---
>  gdbstub.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Richard Henderson 


r~




Re: [Qemu-devel] [RFC v3 08/56] cpu: define cpu_halted helpers

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> cpu->halted will soon be protected by cpu->lock.
> We will use these helpers to ease the transition,
> since right now cpu->halted has many direct callers.
> 
> Signed-off-by: Emilio G. Cota 
> ---
>  include/qom/cpu.h | 24 
>  1 file changed, 24 insertions(+)

Reviewed-by: Richard Henderson 


r~



Re: [Qemu-devel] [RFC v3 12/56] i386: convert to cpu_halted

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> Cc: Eduardo Habkost 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/i386/cpu.h |  2 +-
>  target/i386/cpu.c |  2 +-
>  target/i386/hax-all.c |  4 ++--
>  target/i386/helper.c  |  4 ++--
>  target/i386/hvf/hvf.c |  8 
>  target/i386/hvf/x86hvf.c  |  4 ++--
>  target/i386/kvm.c | 10 +-
>  target/i386/misc_helper.c |  2 +-
>  target/i386/whpx-all.c|  6 +++---
>  9 files changed, 21 insertions(+), 21 deletions(-)

Reviewed-by: Richard Henderson 


r~



Re: [Qemu-devel] [RFC v3 11/56] sh4: convert to cpu_halted

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> Cc: Aurelien Jarno 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/sh4/op_helper.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Richard Henderson 


r~



Re: [Qemu-devel] [RFC v3 10/56] ppc: convert to cpu_halted

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> @@ -1088,11 +1088,13 @@ static target_ulong h_cede(PowerPCCPU *cpu, 
> sPAPRMachineState *spapr,
>  
>  env->msr |= (1ULL << MSR_EE);
>  hreg_compute_hflags(env);
> +cpu_mutex_lock(cs);
>  if (!cpu_has_work(cs)) {
> -cs->halted = 1;
> +cpu_halted_set(cs, 1);
>  cs->exception_index = EXCP_HLT;
>  cs->exit_request = 1;
>  }
> +cpu_mutex_unlock(cs);
>  return H_SUCCESS;
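Review bot: cpu_has_work(cs) is now called with the CPU mutex held, and patch 48 of this series makes ppc's cpu_has_work acquire the BQL; in cpu_handle_interrupt the order is the iothread lock first and then cpu_interrupt_request(), so this hunk takes the two locks in the opposite order and invites an ABBA deadlock. Call cpu_has_work() before taking the CPU lock, or use the BQL-aware variant discussed for patch 48.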

Why does this one get extra locking?


r~



Re: [Qemu-devel] [RFC v3 09/56] arm: convert to cpu_halted

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> Cc: Andrzej Zaborowski 
> Cc: Peter Maydell 
> Cc: qemu-...@nongnu.org
> Signed-off-by: Emilio G. Cota 
> ---
>  hw/arm/omap1.c| 4 ++--
>  hw/arm/pxa2xx_gpio.c  | 2 +-
>  hw/arm/pxa2xx_pic.c   | 2 +-
>  target/arm/arm-powerctl.c | 4 ++--
>  target/arm/cpu.c  | 2 +-
>  target/arm/op_helper.c| 2 +-
>  6 files changed, 8 insertions(+), 8 deletions(-)

Reviewed-by: Richard Henderson 


r~



Re: [Qemu-devel] [RFC v3 13/56] lm32: convert to cpu_halted

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> Cc: Michael Walle 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/lm32/op_helper.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Reviewed-by: Richard Henderson 

+++ b/target/lm32/op_helper.c
> @@ -31,7 +31,7 @@ void HELPER(hlt)(CPULM32State *env)
>  {
>  CPUState *cs = CPU(lm32_env_get_cpu(env));
>  
> -cs->halted = 1;
> +cpu_halted_set(cs, 1);
>  cs->exception_index = EXCP_HLT;
>  cpu_loop_exit(cs);
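Review bot: only the halted store is converted here; the following `cs->exception_index = EXCP_HLT` and `cpu_loop_exit(cs)` are unchanged, and because this helper runs from generated code it is worth stating whether cpu->lock is expected to be held at this point or whether cpu_halted_set() takes it itself. The same halted/EXCP_HLT/cpu_loop_exit triple is repeated in other targets' hlt helpers, so a shared helper would keep that locking decision in one place.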

I am beginning to think this sequence of three should be its own helper...


r~



Re: [Qemu-devel] [RFC v3 17/56] s390x: convert to cpu_halted

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> Cc: Cornelia Huck 
> Cc: Christian Borntraeger 
> Cc: Alexander Graf 
> Cc: David Hildenbrand 
> Cc: qemu-s3...@nongnu.org
> Signed-off-by: Emilio G. Cota 
> ---
>  hw/intc/s390_flic.c|  2 +-
>  target/s390x/cpu.c | 18 +++---
>  target/s390x/excp_helper.c |  2 +-
>  target/s390x/kvm.c |  2 +-
>  target/s390x/sigp.c|  8 
>  5 files changed, 18 insertions(+), 14 deletions(-)

Reviewed-by: Richard Henderson 


r~



Re: [Qemu-devel] [PULL v3 00/47] Miscellaneous patches for 2018-10-18

2018-10-21 Thread Peter Maydell
On 19 October 2018 at 12:49, Paolo Bonzini  wrote:
> The following changes since commit 77f7c747193662edfadeeb3118d63eed0eac51a6:
>
>   Merge remote-tracking branch 
> 'remotes/huth-gitlab/tags/pull-request-2018-10-17' into staging (2018-10-18 
> 13:40:19 +0100)
>
> are available in the git repository at:
>
>
>   git://github.com/bonzini/qemu.git tags/for-upstream
>
> for you to fetch changes up to 74c0b816adfc6aa1b01b4426fdf385e32e35cbac:
>
>   replay: pass raw icount value to replay_save_clock (2018-10-19 13:44:15 
> +0200)
>
> 
> * RTC fixes (Artem)
> * icount fixes (Artem)
> * rr fixes (Pavel, myself)
> * hotplug cleanup (Igor)
> * SCSI fixes (myself)
> * 4.20-rc1 KVM header update (myself)
> * coalesced PIO support (Peng Hao)
> * HVF fixes (Roman B.)
> * Hyper-V refactoring (Roman K.)
> * Support for Hyper-V IPI (Vitaly)

Applied, thanks.

-- PMM



Re: [Qemu-devel] [RFC v3 14/56] m68k: convert to cpu_halted

2018-10-21 Thread Richard Henderson
On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> Cc: Laurent Vivier 
> Signed-off-by: Emilio G. Cota 
> ---
>  target/m68k/op_helper.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Richard Henderson 


r~


