Experimental fork of QEMU with video encoding patches https://git.openslx.org/bwlp/qemu.git/atom/target/s390x/translate.c?h=spice_video_codecs 2021-07-07T12:01:56+00:00 2021-07-07T12:01:56+00:00 Cho, Yu-Chen 2021-07-07T10:53:17+00:00 urn:sha1:c9274b6bf0571ecbaaed3e9c3b229e17607a0ea2 move everything related to translate, as well as HELPER code in tcg/ mmu_helper.c stays put for now, as it contains both TCG and KVM code. After the reshuffling, update MAINTAINERS accordingly. Make use of the new directory: target/s390x/tcg/ Signed-off-by: Claudio Fontana <cfontana@suse.de> Signed-off-by: Cho, Yu-Chen <acho@suse.com> Acked-by: David Hildenbrand <david@redhat.com> Acked-by: Cornelia Huck <cohuck@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20210707105324.23400-8-acho@suse.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com> 2021-07-07T12:01:56+00:00 Cho, Yu-Chen 2021-07-07T10:53:16+00:00 urn:sha1:b6b4722307f31491ee553c674ded2a8bba6173e1 The internal.h file is renamed to s390x-internal.h, because of the risk of collision with other files with the same name. Signed-off-by: Claudio Fontana <cfontana@suse.de> Signed-off-by: Cho, Yu-Chen <acho@suse.com> Acked-by: David Hildenbrand <david@redhat.com> Acked-by: Cornelia Huck <cohuck@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20210707105324.23400-7-acho@suse.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com> 2021-07-07T11:57:25+00:00 Ulrich Weigand 2021-06-30T10:50:58+00:00 urn:sha1:28761057043aa234b33a3301b39c8707984bb0a0 The FP-to-integer conversion instructions need to set CC 3 whenever a "special case" occurs; this is the case whenever the instruction also signals the IEEE invalid exception. (See e.g. figure 19-18 in the Principles of Operation.) However, qemu currently will set CC 3 only in the case where the input was a NaN. This is indeed one of the special cases, but there are others, most notably the case where the input is out of range of the target data type. This patch fixes the problem by switching these instructions to the "static" CC method and computing the correct result directly in the helper. (It cannot be re-computed later as the information about the invalid exception is no longer available.) This fixes a bug observed when running the wasmtime test suite under the s390x-linux-user target. Signed-off-by: Ulrich Weigand <ulrich.weigand@de.ibm.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20210630105058.GA29130@oc3748833570.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com> 2021-06-29T17:04:57+00:00 Richard Henderson 2021-06-13T21:58:05+00:00 urn:sha1:2b836c2ac1d040bbe2e47fd000924083fbcef414 Implement the new semantics in the fallback expansion. Change all callers to supply the flags that keep the semantics unchanged locally. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> 2021-05-20T12:19:30+00:00 Ilya Leoshkevich 2021-04-16T15:49:36+00:00 urn:sha1:86131c71b13257e095d8c4f4453d52cbc6553c07 Hitting an uretprobe in a s390x TCG guest causes a SIGSEGV. What happens is: * uretprobe maps a userspace page containing an invalid instruction. * uretprobe replaces the target function's return address with the address of that page. * When tb_gen_code() is called on that page, tb->size ends up being 0 (because the page starts with the invalid instruction), which causes virt_page2 to point to the previous page. * The previous page is not mapped, so this causes a spurious translation exception. tb->size must never be 0: even if there is an illegal instruction, the instruction bytes that have been looked at must count towards tb->size. So adjust s390x's translate_one() to act this way for both illegal instructions and instructions that are known to generate exceptions. Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Reviewed-by: David Hildenbrand <david@redhat.com> Message-Id: <20210416154939.32404-2-iii@linux.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com> 2021-03-15T10:03:20+00:00 David Hildenbrand 2021-03-15T08:54:49+00:00 urn:sha1:1a3c443c43e81e32a05d6995039e0f356b8f60cb The PoP states: When EDAT-1 does not apply, and a program interruption due to a page-translation exception is recognized by the MOVE PAGE instruction, the contents of the R1 field of the instruction are stored in bit positions 0-3 of location 162, and the contents of the R2 field are stored in bit positions 4-7. If [...] an ASCE-type, region-first-translation, region-second-translation, region-third-translation, or segment-translation exception was recognized, the contents of location 162 are unpredictable. So we have to write r1/r2 into the lowcore on page-translation exceptions. Simply handle all exceptions inside our mvpg helper now. Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com> Tested-by: Thomas Huth <thuth@redhat.com> Message-Id: <20210315085449.34676-3-david@redhat.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com> 2021-01-21T10:19:45+00:00 David Hildenbrand 2021-01-11T16:38:43+00:00 urn:sha1:401bf46779d7628438337007d82969da7b7e396f Using get_address() with register identifiers comming from an "r" field is wrong: if the "r" field designates "r0", we don't read the content and instead assume 0 - which should only be applied when the register was specified via "b" or "x". PoP 5-11 "Operand-Address Generation": "A zero in any of the B1, B2, X2, B3, or B4 fields indicates the absence of the corresponding address component. For the absent component, a zero is used in forming the intermediate sum, regardless of the contents of general register 0. A displacement of zero has no special significance." This BUG became visible for CSPG as generated by LLVM-12 in the upstream Linux kernel (v5.11-rc2), used while creating the linear mapping in vmem_map_init(): Trying to store to address 0 results in a Low Address Protection exception. Debugging this was more complicated than it could have been: The program interrupt handler in the kernel will try to crash the kernel: doing so, it will enable DAT. As the linear mapping is not created yet (asce=0), we run into an addressing exception while tring to walk non-existant DAT tables, resulting in a program exception loop. This allows for booting upstream Linux kernels compiled by clang-12. Most of these cases seem to be broken forever. Reported-by: Nick Desaulniers <ndesaulniers@google.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Tested-by: Nick Desaulniers <ndesaulniers@google.com> Tested-by: Guenter Roeck <linux@roeck-us.net> Cc: Guenter Roeck <linux@roeck-us.net> Cc: Christian Borntraeger <borntraeger@de.ibm.com> Cc: Heiko Carstens <hca@linux.ibm.com> Signed-off-by: David Hildenbrand <david@redhat.com> Message-Id: <20210111163845.18148-4-david@redhat.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com> 2021-01-21T10:19:45+00:00 David Hildenbrand 2021-01-11T16:38:42+00:00 urn:sha1:c23908305b3ce7a547b0981eae549f36f756b950 RISBHG is broken and currently hinders clang-11 builds of upstream kernels from booting: the kernel crashes early, while decompressing the image. [...] Kernel fault: interruption code 0005 ilc:2 Kernel random base: 0000000000000000 PSW : 0000200180000000 0000000000017a1e R:0 T:0 IO:0 EX:0 Key:0 M:0 W:0 P:0 AS:0 CC:2 PM:0 RI:0 EA:3 GPRS: 0000000000000001 0000000c00000000 00000003fffffff4 00000000fffffff0 0000000000000000 00000000fffffff4 000000000000000c 00000000fffffff0 00000000fffffffc 0000000000000000 00000000fffffff8 00000000008e25a8 0000000000000009 0000000000000002 0000000000000008 000000000000bce0 One example of a buggy instruction is: 17dde: ec 1e 00 9f 20 5d risbhg %r1,%r14,0,159,32 With %r14 = 0x9 and %r1 = 0x7 should result in %r1 = 0x900000007, however, results in %r1 = 0. Let's interpret values of i3/i4 as documented in the PoP and make computation of "mask" only based on i3 and i4 and use "pmask" only at the very end to make sure wrapping is only applied to the high/low doubleword. With this patch, I can successfully boot a v5.11-rc2 kernel built with clang-11, and gcc builds keep on working. Fixes: 2d6a869833d9 ("target-s390: Implement RISBG") Reported-by: Nick Desaulniers <ndesaulniers@google.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Tested-by: Guenter Roeck <linux@roeck-us.net> Tested-by: Nick Desaulniers <ndesaulniers@google.com> Cc: Guenter Roeck <linux@roeck-us.net> Cc: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: David Hildenbrand <david@redhat.com> Message-Id: <20210111163845.18148-3-david@redhat.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com> 2020-12-21T17:11:33+00:00 Richard Henderson 2020-12-14T22:13:56+00:00 urn:sha1:1a9aaa4b735e62fab5e72153ee84757e0e5fd467 Now that SUB LOGICAL outputs borrow, we can use that as input directly. It also means we can re-use CC_OP_SUBU and produce an output borrow directly from SUB LOGICAL WITH BORROW. Reviewed-by: David Hildenbrand <david@redhat.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20201214221356.68039-5-richard.henderson@linaro.org> Signed-off-by: Cornelia Huck <cohuck@redhat.com> 2020-12-21T17:11:33+00:00 Richard Henderson 2020-12-14T22:13:55+00:00 urn:sha1:a2db06da7dff662159c809059cda5e2aa302ec86 The resulting cc is only dependent on the result and the carry-out. Carry-out and borrow-out are inverses, so are trivially converted. With tcg ops, it is easier to compute borrow-out than carry-out, so save result and borrow-out rather than the inputs. Borrow-out for 64-bit inputs is had via tcg_gen_sub2_i64 directly into cc_src. Borrow-out for 32-bit inputs is had via extraction from a normal 64-bit sub (with zero-extended inputs). Reviewed-by: David Hildenbrand <david@redhat.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20201214221356.68039-4-richard.henderson@linaro.org> Signed-off-by: Cornelia Huck <cohuck@redhat.com>