The new paging more is extension of IA32e mode with more additional page
table level.
It brings support of 57-bit vitrual address space (128PB) and 52-bit
physical address space (4PB).
The structure of new page table level is identical to pml4.
The feature is enumerated with CPUID.(EAX=07H, ECX=0):ECX[bit 16].
CR4.LA57[bit 12] need to be set when pageing enables to activate 5-level
paging mode.
Backports commit 6c7c3c21f95dd9af8a0691c0dd29b07247984122 from qemu
The syscall and sysret instructions behave a bit differently:
TF is checked after the instruction completes.
This allows the o/s to disable #DB at a syscall by adding TF to FMASK.
And then when the sysret is executed the #DB is taken "as if" the
syscall insn just completed.
Backports commit c52ab08aee6f7d4717fc6b517174043126bd302f from qemu
Device models often have to perform multiple access to a single
memory region that is known in advance, but would to use "DMA-style"
functions instead of address_space_map/unmap. This can happen
for example when the data has to undergo endianness conversion.
Introduce a new data structure to cache the result of
address_space_translate without forcing usage of a host address
like address_space_map does.
Backports commit 1f4e496e1fc2eb6c8bf377a0f9695930c380bfd3 from qemu
This extracts the common part of address_space_map and
address_space_cache_init into a new function.
Backports commit 715c31ec8e12107f47ac74b464c97e813c76f898 from qemu
Templatize the address_space_* and *_phys functions, so that we can add
similar functions in the next patch that work with a lightweight,
cache-like version of address_space_map/unmap.
Backports commit 0ce265ffef87f19f4dd1ff0663e09a63d66ae408 from qemu
Since CPUARMState.vfp.regs is not 16 byte aligned, the ^ 8 fixup used
for a big-endian host doesn't do what's intended. Fix this by adding
in the vfp.regs offset after computing the inter-register offset.
Backports commit d437262fa8edd0d9fbe038a515dda3dbf7c5bb54 from qemu
We add s->be_data within do_vec_ld/st. Adding it here means that
we have the wrong bits set in SIZE for a big-endian host, leading
to g_assert_not_reached in write_vec_element and read_vec_element.
Backports commit 74b13f92c2428abae41a61c46a5cf47545da5fcb from qemu
Commit 2afbdf8 ("target-i386: exception handling for memory helpers",
2015-09-15) changed tlb_fill's cpu_restore_state+raise_exception_err
to raise_exception_err_ra. After this change, the cpu_restore_state
and raise_exception_err's cpu_loop_exit are merged into
raise_exception_err_ra's cpu_loop_exit_restore.
This actually fixed some bugs, but when SVM is enabled there is a
second path from raise_exception_err_ra to cpu_loop_exit. This is
the VMEXIT path, and now cpu_vmexit is called without a
cpu_restore_state before.
The fix is to pass the retaddr to cpu_vmexit (via
cpu_svm_check_intercept_param). All helpers can now use GETPC() to pass
the correct retaddr, too.
Backports commit 823fb688ebc52a7d79c1308acb28c92b56820167 from qemu
When icount is active, tb_add_jump is surprisingly called with an
out of bounds basic block index. I have no idea how that can work,
but it does not seem like a good idea. Clear *last_tb for all
TB_EXIT_ICOUNT_EXPIRED cases, even when all you have to do is
refill icount_extra.
Backports commit d8dea6fbcbed177ca5d23ab77b3834a9437f0e88 from qemu
There were some patterns, like 0x0000_ffff_ffff_00ff, for which we
would select to begin a multi-insn sequence with MOVN, but would
fail to set the 0x0000 lane back from 0xffff.
Backports commit 50b468d42107a2c646b1c566ed17d9ec362c51c4 from qemu
When al == xzr, we cannot use addi/subi because that encodes xsp.
Force a zero into the temp register for that (rare) case.
Backports commit 028fbea47713f909d6ea761a457779a82b276247 from qemu
rcu_read_unlock was not called if the address_space_access_valid result is
negative.
This caused (at least) a problem when qemu on PPC/E500+TAP failed to terminate
properly and instead got stuck in a deadlock.
Backports commit 662a97d74f9b34cafe9aeb6d96620a97d768a1fa from qemu
A bug (1647683) was reported showing a crash when removing
breakpoints. The reproducer was bisected to 3359baad when tb_flush
was finally made thread safe. While in MTTCG the locking in
breakpoint_invalidate would have prevented any problems, but
currently tb_lock() is a NOP for system emulation.
The race is between a tb_flush from the gdbstub and the
tb_invalidate_phys_addr() in breakpoint_invalidate().
Ideally we'd have actual locking here; for the moment the
simple fix is to do a full tb_flush() for a bp invalidate,
since that is thread-safe even if no lock is taken.
Backports commit a9353fe897ca2687e5b3385ed39e3db3927a90e0 from qemu
While testing rth's latest TCG patches with risu I found ldaxp was
broken. Investigating further I found it was broken by 1dd089d0 when
the cmpxchg atomic work was merged. As part of that change the code
attempted to be clever by doing a single 64 bit load and then shuffle
the data around to set the two 32 bit registers.
As I couldn't quite follow the endian magic I've simply partially
reverted the change to the original code gen_load_exclusive code. This
doesn't affect the cmpxchg functionality as that is all done on in
gen_store_exclusive part which is untouched.
I've also restored the comment that was removed (with a slight tweak
to mention cmpxchg).
Backports commit 5460da501a57cd72eda6fec736d76539122e2f99 from qemu
The documentation parser we are going to add expects a section name to
end with ':', otherwise the comment is treated as free-form text body.
Backports commit 5072f7b38b1b9b26b8fbe1a89086386a420aded8 from qemu
Fixed issues in the MIPSDSP64 instructions dextp and dextpdp.
Shifting can go out of 32 bit range.
https://bugs.launchpad.net/qemu/+bug/1631625
Backports commit e6e2784cacd4cfec149a7690976b9ff15e541c4d from qemu
Needed to emit FPU exception on Loongson multimedia instructions
executing if Status:CU1 is clear. or FPR changes may be missed
on Linux.
Backports commit b5a587b613f6151c2ce164552579ae64f2ddfd1c from qemu
"The multiplier and multiplicand are both word operands, and the result
is a long-word operand."
So compute flags on a long-word result, not on a word result.
Backports commit 4a18cd44f3c905d443c26e26bb9b09932606d1a3 from qemu
"The size of the operation can be specified as word or long.
Word length source operands are sign-extended to 32 bits for
comparison."
So comparison is always done using OS_LONG.
Backports commit 5436c29d78957a6825a93f0eb79dfab388641017 from qemu
In the user emulation code path, tlb_vaddr_to_host erronesously passed
vaddr as the guest address to be translated, instead of addr, the parameter
which actually contained the guest address.
This resulted in incorrect addresses being used when emulating block copy
(mvc/mvpg) and block clear (xc) instructions for the s390x target.
Backports commit c2a85316902e67530da9d6548139fcce73c0cac6 from qemu
Include sys/user.h for declaration of 'struct kinfo_proc'.
Add -lutil to qemu-ga link for kinfo_getproc.
Backports commit a7764f1548ef9946af30a8f96be9cef10761f0c1 from qemu
The spec can be found in Intel Software Developer Manual or in
Instruction Set Extensions Programming Reference.
Backports commit 95ea69fb46266aaa46d0c8b7f0ba8c4903dbe4e3 from qemu
The memory_dispatch field is meant to be protected by RCU so we should
use the correct primitives when accessing it. This race was flagged up
by the ThreadSanitizer.
Backports commit f35e44e7645edbb08e35b111c10c2fc57e2905c7 from qemu
The version of tcg_gen_ld8s_i64 for 32-bit systems does a load into
the low part of the return value - then attempts a sign extension into
the high part, but wrongly sets the high part to a sign extension of
itself rather than of the low part. This results in TCG internal
errors from the use of the uninitialized high part (in some GCC tests
of AArch64 NEON shift intrinsics, in particular). This patch corrects
the sign-extension logic, making it match other functions such as
tcg_gen_ld16s_i64.
Backports commit 3ff91d7e85176f8b4b131163d7fd801757a2c949 from qemu
The typedefs we use for the TCGv_i32, TCGv_i64 and TCGv_ptr
types are somewhat confusing, because we define them as
pointers to structs, but the structs themselves are never
defined. Explain in the comments a bit more clearly why
this is OK and what is going on under the hood.
Backports commit a40d4701bc9f6e6a3bbfb7b4fbe756a5b72b5df1 from qemu
This multiply has one signed input and one unsigned input,
producing the full double-width result.
Backports commit 5087abfb7dfd1d368ae6939420057036b4d8e509 from qemu
The cpu is allowed to require stricter alignment on these 8- and 16-byte
operations, and the OS is required to fix up the accesses as necessary,
so the previous code was not wrong.
However, we can easily handle this misalignment for all direct 8-byte
operations and for direct 16-byte loads.
We must retain 16-byte alignment for 16-byte stores, so that we don't have
to probe for writability of a second page before performing the first of
two 8-byte stores. We also retain 8-byte alignment for no-fault loads,
since they are rare and it's not worth extending the helpers for this.
Backports commit cb21b4da6cca1bb4e3f5fefb698fb9e4d00c8f66 from qemu
At the same time, fix a problem with stqf_asi, when
a write might access two pages.
Backports commit f939ffe5a022a8798824e2720ed5a14186fca6b6 from qemu
Now that we never call out to helpers when direct accesses can
handle an asi, remove the corresponding code in those helpers.
For ldda, this removes the entire helper.
Backports commit 918d9a2c9d36378a3cf6636018900a4731c83b9d from qemu
As used by HelenOS, presumably for ultra 2 and 3,
prior to the sun4v platform and the current twinx names.
Backports commit 34a6e13da70b2c798630a8dbd03d09f201c0198f from qemu
It's handy to have a mmu idx for physical addresses, so
that mmu disabled and physical access asis can use the
same path as normal accesses.
Backports commit af7a06bac7d3abb2da48ef3277d2a415772d2ae8 from qemu
Several helpers call helper_raise_exception directly, which requires
in turn that their callers have performed save_state. The new function
allows a TCG return address to be passed in so that we can restore
PC + NPC + flags data from that.
This fixes a bug in the usage of helper_check_align, whose callers had
not been calling save_state. It fixes another bug in which the divide
helpers used GETPC at a level other than the direct callee from TCG.
This allows the translator to avoid save_state prior to SAVE, RESTORE,
and FLUSHW instructions.
Backports commit 2f9d35fc4006122bad33f9ae3e2e51d2263e98ee from qemu
In the linux-user case all things that involve ''l1_map' and PageDesc
tweaks are protected by the memory lock (mmpa_lock). For SoftMMU mode
we previously relied on single threaded behaviour, with MTTCG we now use
the tb_lock().
As a result we need to do a little re-factoring and push the taking of
this lock up the call tree. This requires a slightly different entry for
the SoftMMU and user-mode cases from tb_invalidate_phys_range.
This also means user-mode breakpoint insertion needs to take two locks
but it hadn't taken any previously so this is an improvement.
Backpoirts commit ba051fb5e56d5ff5e4fa672d37954452e58543b2 from qemu
softmmu requires more functions to be thread-safe, because translation
blocks can be invalidated from e.g. notdirty callbacks. Probably the
same holds for user-mode emulation, it's just that no one has ever
tried to produce a coherent locking there.
This patch will guide the introduction of more tb_lock and tb_unlock
calls for system emulation.
Note that after this patch some (most) of the mentioned functions are
still called outside tb_lock/tb_unlock. The next one will rectify this.
Backports commit 7d7500d99895f888f97397ef32bb536bb0df3b74 from qemu
This adds asserts to check the locking on the various translation
engines structures. There are two sets of structures that are protected
by locks.
The first the l1map and PageDesc structures used to track which
translation blocks are associated with which physical addresses. In
user-mode this is covered by the mmap_lock.
The second case are TB context related structures which are protected by
tb_lock which is also user-mode only.
Currently the asserts do nothing in SoftMMU mode but this will change
for MTTCG.
Backports commit 301e40ed8005306c009978be295ed9a4b725178b from qemu
