Add emulation of SAVE16 and RESTORE.JRC16 instructions. Routines
gen_save(), gen_restore(), and gen_adjust_sp() are provided to support
this feature.
This patch at the same time provides function gen_op_addr_addi(). This
function will be used in emulation of some other nanoMIPS instructions.
Backports commit bf0718c59a4b27dd01346a7b5b9a183ed1b18fb7 from qemu
Add empty body and invocation of decode_nanomips_opc() if the bit
ISA_NANOMIPS32 is set in ctx->insn_flags.
Backports commit c533c0f4741be62501ef6c7f6ce77ffbfc2e4964 from qemu
Only if Config3.ISA is 3 (microMIPS), the mode should be switched in
cpu_state_reset(). Config3.ISA is 1 for nanoMIPS processors, and no mode
change should happen.
Backports commit 0bbc0396809f6caaaf96863dafe738e94f9b73ea from qemu
Add nanoMIPS opcodes. nanoMIPS instruction are organized by so-called
instruction pools. Each pool contains a set of opcodes, that in turn
can be instruction opcodes or instruction pool opcodes.
Backports commit 261c95a0e98e5e9b13c9c005a991b7e7dc27f38a from qemu
MFHC0 and MTHC0 used to handle EntryLo0 and EntryLo1 registers only,
and placing ELPA flag checks before switch statement were technically
correct. However, after adding handling more registers, these checks
should be moved to act only in cases of handling EntryLo0 and
EntryLo1.
Backports commit 59488dda1f16c0259bc2610d8d71686ef436c649 from qemu
Update CP0 registers Config0, Config1, Config2, Config3,
Config4, and Config5 bit definitions.
Some of these bits will be utilized by upcoming nanoMIPS changes.
Backports commit 0413d7a55a8161ebd33541ba1df4285bf180c583 from qemu
Fix two instances of shadow variables. This cleans up entire file
translate.c from shadow variables.
Backports commit e1555d7ddf2c86fb92165e47eb092f1f5fa9e8bd from qemu
Mark switch fallthroughs with comments, in cases fallthroughs
are intentional.
The comments "/* fall through */" are interpreted by compilers and
other tools, and they will not issue warnings in such cases. For gcc,
the warning is turnend on by -Wimplicit-fallthrough. With this patch,
there will be no such warnings in target/mips directory. If such
warning appears in future, it should be checked if it is intentional,
and, if yes, marked with a comment similar to those from this patch.
The comment must be just before next "case", otherwise gcc won't
understand it.
Backports commit 146dd620db815558938433eb9f57a571d424d2c6 from qemu
Remove "range style" case statements to make code analysis easier.
This patch handles cases when the values in the range in question
were not properly defined.
Backports commit c38a1d52233c85976eeed99c9015e881de8cd68e from qemu
Remove "range style" case statements to make code analysis easier.
This is needed also for some upcoming nanoMIPS-related refactorings.
Backports commit c2e19f3c2b1a1bb5f4fc3c55ee8cfa28dde9b810 from qemu
Offset can be larger than 16 bit from nanoMIPS,
and immediate field can be larger than 16 bits as well.
Backports commit 72e1f16f18fe62504f8f25d7a3f6813b24b221be from qemu
Fix to raise a Reserved Instruction exception when given fs is not
available from CTC1.
Backports commit f48a2cb21824217a61ec7be797860a0702e5325c from qemu
Do the cast to uintptr_t within the helper, so that the compiler
can type check the pointer argument. We can also do some more
sanity checking of the index argument.
Backports commit 07ea28b41830f946de3841b0ac61a3413679feb9 from qemu
Notes:
- DISAS_TOO_MANY replaces the former "break" in the translation loop.
However, care must be taken not to overwrite a previous condition
in is_jmp; that's why in translate_insn we first check is_jmp and
return if it's != DISAS_NEXT.
- Added an assert in translate_insn, before exiting due to an exception,
to make sure that is_jmp is set to DISAS_NORETURN (the exception
generation function always sets it.)
- Added an assert for the default case in is_jmp's switch.
Backports commit 18f440edfb974feaff8490d4861844b5a2b7a3b5 from qemu
No changes to the logic here; this is just to make the diff
that follows easier to read.
While at it, remove the unnecessary 'struct' in
'struct TranslationBlock'.
Note that checkpatch complains with a false positive:
ERROR: space prohibited after that '&' (ctx:WxW)
\#75: FILE: target/mips/translate.c:20220:
+ ctx->kscrexist = (env->CP0_Config4 >> CP0C4_KScrExist) & 0xff;
^
Backports commit 12be92588cf26a192f1b62846906983fc1e102a7 from qemu
Notes:
- BS_EXCP in generate_exception_err and after hen_helper_wait
becomes DISAS_NORETURN, because we do not return after
raising an exception.
- Some uses of BS_EXCP are misleading in that they're used
only as a "not BS_STOP" exit condition, i.e. they have nothing
to do with an actual exception. For those cases, define
and use DISAS_EXIT, which is clearer. With this and the
above change, BS_EXCP goes away completely.
- fix a comment typo (s/intetrupt/interrupt/).
Backports commit b28425babc2ad4b90cd87d07a1809d3322b9c065 from qemu
The TB after BS_STOP is not fixed (e.g. helper_mtc0_hwrena
changes hflags, which ends up changing the TB flags via
cpu_get_tb_cpu_state). This requires a full lookup (i.e.
with flags) via lookup_and_goto_ptr instead of gen_goto_tb,
since the latter only looks at the PC for in-page goto's. Fix it.
Backports commit cd314a7d0190a03122ca0606ecf71b4b873a22c6 from qemu.
If the PC is in the last page of the address space, next_page_start
overflows to 0. Fix it.
Backports commit 6cd79443d33e6ba6b4c5b787eb713ca1cec56328 from qemu
Add an Error argument to cpu_exec_init() to let users collect the
error. This is in preparation to change the CPU enumeration logic
in cpu_exec_init(). With the new enumeration logic, cpu_exec_init()
can fail if cpu_index values corresponding to max_cpus have already
been handed out.
Since all current callers of cpu_exec_init() are from instance_init,
use error_abort Error argument to abort in case of an error.
Backports commit 5a790cc4b942e651fec7edc597c19b637fad5a76 from qemu
cpu_init(cpu_model) were replaced by cpu_create(cpu_type) so
no users are left, remove it.
Backports commit 3f71e724e283233753f1b5b3d6a30948d3084636 from qemu
it will be used for providing to cpu name resolving class for
parsing cpu model for system and user emulation code.
Along with change add target to null-machine tests, so
that when switch to CPU_RESOLVING_TYPE happens,
it would ensure that null-machine usecase still works.
Backports commit 0dacec874fa3b3fd34b0d0670fa257efdcbbebd0 from qemu
Backports commits 2994fd96d986578a342f2342501b4ad30f6d0a85,
701e3c78ce45fa630ffc6826c4b9a4218954bc7f, and
d1853231c60d16af78cf4d1608d043614bfbac0b from qemuu
This function needs to be converted to QOM hook and virtualised for
multi-arch. This rename interferes, as cpu-qom will not have access
to the renaming causing name divergence. This rename doesn't really do
anything anyway so just delete it.
Backports commit 8642c1b81e0418df066a7960a7426d85a923a253 from qemu
Convert all machines to use DEFINE_MACHINE() instead of QEMUMachine
automatically using a script.
Backports commit e264d29de28c5b0be3d063307ce9fb613b427cc3 from qemu
The MC68040 MMU provides the size of the access that
triggers the page fault.
This size is set in the Special Status Word which
is written in the stack frame of the access fault
exception.
So we need the size in m68k_cpu_unassigned_access() and
m68k_cpu_handle_mmu_fault().
To be able to do that, this patch modifies the prototype of
handle_mmu_fault handler, tlb_fill() and probe_write().
do_unassigned_access() already includes a size parameter.
This patch also updates handle_mmu_fault handlers and
tlb_fill() of all targets (only parameter, no code change).
Backports commit 98670d47cd8d63a529ff230fd39ddaa186156f8c from qemu
It is more typical to provide the ';' by the caller of a macro
than to embed it in the macro itself; this is because syntax
highlight engines can get confused if a macro is called without
a semicolon before the closing '}'.
Backports commit 94f5c480e9b5ce95394026b3f025816470e23eaf from qemu
Rather than have a separate buffer of 10*max_ops entries,
give each opcode 10 entries. The result is actually a bit
smaller and should have slightly more cache locality.
Backports commit 75e8b9b7aa0b95a761b9add7e2f09248b101a392 from qemu
It is unlikely that we will ever want to call this helper passing
an argument other than the current PC. So just remove the argument,
and use the pc we already get from cpu_get_tb_cpu_state.
This change paves the way to having a common "tb_lookup" function.
Backports commit 7f11636dbee89b0e4d03e9e2b96e14649a7db778 from qemu
Although none of the existing macro call-sites were broken,
it's always better to write macros that properly parenthesize
arguments that can be complex expressions, so that the intended
order of operations is not broken.
Backports commit 2a2be359c4335607c7f746cf27c412c08ab89aff from qemu
now cpu_mips_init() reimplements subset of cpu_generic_init()
tasks, so just drop it and use cpu_generic_init() directly.
Backports commit c4c8146cfd0fc3f95418fbc82a2eded594675022 from qemu
Register separate QOM types for each mips cpu model,
so it would be possible to reuse generic CPU creation
routines.
Backports commit 41da212c9ce9482fcfd490170c2611470254f8dc from qemu
This changes the order between cpu_mips_realize_env() and
cpu_exec_initfn(), but cpu_exec_initfn() don't have anything that
depends on cpu_mips_realize_env() being called first.
Backports commit df4dc10284e1d871db8adb512816a561473ffe3e from qemu
no logical change, only code movement (and fix a comment typo).
Backports commit 26aa3d9aecbb6fe9bce808a1d127191bdf3cc3d2 from qemu
Also backports commit 5502b66fc7d0bebd08b9b7017cb7e8b5261c3a2d
RDHWR CC reads the CPU timer like MFC0 CP0_Count, so with icount enabled
it must set can_do_io while it calls the helper to avoid the "Bad icount
read" error. It should also break out of the translation loop to ensure
that timer interrupts are immediately handled.
Backports commit d673a68db6963e86536b125af464bb6ed03eba33 from qemu
DMTC0 CP0_Cause does a redundant gen_io_start() and gen_io_end() pair,
even though this is done for all DMTC0 operations outside of the switch
statement. Remove these redundant calls.
Backports commit 51ca717b079dccae5b6cc9f45153f5044abd34f0 from qemu
Commit e350d8ca3ac7 ("target/mips: optimize indirect branches") made
indirect branches able to directly find the next TB and jump straight to
it without breaking out of translated code and going around the main
execution loop. This breaks the assumption in target/mips/translate.c
that BS_STOP is sufficient to cause pending interrupts to be handled,
since interrupts are only checked in the main loop.
Fix a few of these assumptions by using gen_save_pc to update the saved
PC and using BS_EXCP instead of BS_STOP:
- [D]MFC0 CP0_Count may trigger a timer interrupt which should be
immediately handled.
- [D]MTC0 CP0_Cause may trigger an interrupt (but in fact translation
was only even being stopped in the DMTC0 case).
- [D]MTC0 CP0_<any> when icount is used is assumed could potentially
cause interrupts.
- EI may trigger an interrupt which was pending. I specifically hit
this case when running KVM nested in mipsel-softmmu. A timer
interrupt while the 2nd guest was executing is caught by KVM which
switches back to the normal Linux exception base and re-enables
interrupts with EI. Since the above commit QEMU doesn't leave
translated code until the nested KVM has already restored the KVM
exception base and returned to the 2nd guest, at which point it is
too late to check for pending interrupts and it gets stuck in an
infinite loop of unhandled interrupts.
Something similar was needed for ARM in commit b29fd33db578
("target/arm: use DISAS_EXIT for eret handling").
Backports commit b74cddcbf6063f684725e3f8bca49a68e30cba71 from qemu
Improve the segment definitions used by get_physical_address() to yield
target_ulong types, e.g. 0xffffffff80000000 instead of 0x80000000. This
is in preparation for enabling emulation of MIPS KVM T&E segments in TCG
MIPS targets, which unlike KVM could potentially have 64-bit
target_ulong. In such a case the offset guest KSEG0 address ends up at
e.g. 0x000000008xxxxxxx instead of 0xffffffff8xxxxxxx.
This also allows the casts to int32_t that force sign extension to be
removed, which removes any confusion due to relational comparison of
unsigned (target_ulong) and signed (int32_t) types.
Backports commit 6743334568933199927af4992a04bfb3c30610f5 from qemu
Writing to the MIPS DESAVE register (and now the KScratch registers)
will stop translation, supposedly due to risk of execution mode
switches. However these registers are basically RW scratch registers
with no side effects so there is no risk of them triggering execution
mode changes.
Drop the bstate = BS_STOP for these registers for both mtc0 and dmtc0.
Backports commit cb539fd241900f51de7d21244f7a55422ad0d40a from qemu
Enable the CP0_EBase.WG (write gate) on the I6400 and MIPS64R2-generic
CPUs. This allows 64-bit guests to run KVM itself, which uses
CP0_EBase.WG to point CP0_EBase at XKPhys.
Backports commit bad63a8008a0aaefcd00542c89bee01623d7c9de from qemu
Add the Enhanced Virtual Addressing (EVA) feature to the P5600 core
configuration, along with the related Segmentation Control (SC) feature
and writable CP0_EBase.WG bit.
This allows it to run Malta EVA kernels.
Backports commit 574da58e4678b3c09048f268821295422d8cde6d from qemu
Implement the optional segmentation control feature in the virtual to
physical address translation code.
The fixed legacy segment and xkphys handling is replaced with a dynamic
layout based on the segmentation control registers (which should be set
up even when the feature is not exposed to the guest).
Backports commit 480e79aedd322fcfac17052caff21626ea7c78e2 from qemu
The optional segmentation control registers CP0_SegCtl0, CP0_SegCtl1 &
CP0_SegCtl2 control the behaviour and required privilege of the legacy
virtual memory segments.
Add them to the CP0 interface so they can be read and written when
CP0_Config3.SC=1, and initialise them to describe the standard legacy
layout so they can be used in future patches regardless of whether they
are exposed to the guest.
Backports commit cec56a733dd2c3fa81dbedbecf03922258747f7d from qemu
The segmentation control feature allows a legacy memory segment to
become unmapped uncached at error level (according to CP0_Status.ERL),
and in fact the user segment is already treated in this way by QEMU.
Add a new MMU mode for this state so that QEMU's mappings don't persist
between ERL=0 and ERL=1.
Backports commit 42c86612d507c2a8789f2b8d920a244693c4ef7b from qemu
The MIPS mmu_idx is sometimes calculated from hflags without an env
pointer available as cpu_mmu_index() requires.
Create a common hflags_mmu_index() for the purpose of this calculation
which can operate on any hflags, not just with an env pointer, and
update cpu_mmu_index() itself and gen_intermediate_code() to use it.
Also update debug_post_eret() and helper_mtc0_status() to log the MMU
mode with the status change (SM, UM, or nothing for kernel mode) based
on cpu_mmu_index() rather than directly testing hflags.
This will also allow the logic to be more easily updated when a new MMU
mode is added.
Backports commit b0fc6003224543d2bdb172eca752656a6223e4a1 from qemu
When performing virtual to physical address translation, check the
required privilege level based on the mem_idx rather than the mode in
the hflags. This will allow EVA loads & stores to operate safely only on
user memory from kernel mode.
For the cases where the mmu_idx doesn't need to be overridden
(mips_cpu_get_phys_page_debug() and cpu_mips_translate_address()), we
calculate the required mmu_idx using cpu_mmu_index(). Note that this
only tests the MIPS_HFLAG_KSU bits rather than MIPS_HFLAG_MODE, so we
don't test the debug mode hflag MIPS_HFLAG_DM any longer. This should be
fine as get_physical_address() only compares against MIPS_HFLAG_UM and
MIPS_HFLAG_SM, neither of which should get set by compute_hflags() when
MIPS_HFLAG_DM is set.
Backports commit 9fbf4a58c90183b30bb2c8ad971ccce7e6716a16 from qemu
Implement decoding of microMIPS EVA load and store instruction groups in
the POOL31C pool. These use the same gen_ld(), gen_st(), gen_st_cond()
helpers as the MIPS32 decoding, passing the equivalent MIPS32 opcodes as
opc.
Backports commit 8fffc64696783b1ff1d17262d098976479895660 from qemu
Add CP0.ErrCtl register with WST, SPR and ITC bits. In 34K and interAptiv
processors these bits are used to enable CACHE instruction access to
different arrays. When WST=0, SPR=0 and ITC=1 the CACHE instruction will
access ITC tag values.
Generally we do not model caches and we have been treating the CACHE
instruction as NOP. But since CACHE can operate on ITC Tags new
MIPS_HFLAG_ITC_CACHE hflag is introduced to generate the helper only when
CACHE is in the ITC Access mode.
Backports commit 0d74a222c27e26fc40f4f6120c61c3f9ceaa3776 from qemu
Implement decoding of MIPS32 EVA loads and stores. These access the user
address space from kernel mode when implemented, so for each instruction
we need to check that EVA is available from Config5.EVA & check for
sufficient COP0 privilege (with the new check_eva()), and then override
the mem_idx used for the operation.
Unfortunately some Loongson 2E instructions use overlapping encodings,
so we must be careful not to prevent those from being decoded when EVA
is absent.
Backports commit 7696414729b2d0f870c80ad1dd637d854bc78847 from qemu
EVA load and store instructions access the user mode address map, so
they need to use mem_idx of MIPS_HFLAG_UM. Update the various utility
functions to allow mem_idx to be more easily overridden from the
decoding logic.
Specifically we add a mem_idx argument to the op_ld/st_* helpers used
for atomics, and a mem_idx local variable to gen_ld(), gen_st(), and
gen_st_cond().
Backports commit dd4096cd2ccc19384770f336c930259da7a54980 from qemu
Add support for the CP0_EBase.WG bit, which allows upper bits to be
written (bits 31:30 on MIPS32, or bits 63:30 on MIPS64), along with the
CP0_Config5.CV bit to control whether the exception vector for Cache
Error exceptions is forced into KSeg1.
This is necessary on MIPS32 to support Segmentation Control and Enhanced
Virtual Addressing (EVA) extensions (where KSeg1 addresses may not
represent an unmapped uncached segment).
It is also useful on MIPS64 to allow the exception base to reside in
XKPhys, and possibly out of range of KSEG0 and KSEG1.
Backports commit 74dbf824a1313b6064bbebb981a7440951d70896 from qemu
There is no need to invalidate any shadow TLB entries when the ASID
changes or when access to one of the 64-bit segments has been disabled,
since doing so doesn't reveal to software whether any TLB entries have
been evicted into the shadow half of the TLB.
Therefore weaken the tlb flushes in these cases to only flush the QEMU
TLB.
Backports commit 9658e4c342e6ae0d775101f8f6bb6efb16789af1 from qemu
Writing specific TLB entries with TLBWI flushes shadow TLB entries
unless an existing entry is having its access permissions upgraded. This
is necessary as software would from then on expect the previous mapping
in that entry to no longer be in effect (even if QEMU has quietly
evicted it to the shadow TLB on a TLBWR).
However it won't do this if only EHINV, XI, or RI bits have been set,
even if that results in a reduction of permissions, so add the necessary
checks to invoke the flush when these bits are set.
Backports commit eff6ff9431aa9776062a5f4a08d1f6503ca9995a from qemu
Using MFC0 to read CP0_UserLocal uses tcg_gen_ld32s_tl, however
CP0_UserLocal is a target_ulong. On a big endian host with a MIPS64
target this reads and sign extends the more significant half of the
64-bit register.
Fix this by using ld_tl to load the whole target_ulong and ext32s_tl to
sign extend it, as done for various other target_ulong COP0 registers.
Backports commit e40df9a80bb7cdb0a4ca650985fa9fe572097fa7 from qemu
This patch fixes setting DExcCode field of CP0 Debug register
when SDBBP instruction is executed. According to EJTAG specification,
this field must be set to the value 9 (Bp).
Backports commit c6c2c0fc32362ba234ae3bdad1a55c2d6aefaa12 from qemu
This patch fixes the msa copy_[s|u]_df instruction emulation when
the destination register rd is zero. Without this patch the zero
register would get clobbered, which should never happen because it
is supposed to be hardwired to 0.
Fix this corner case by explicitly checking rd = 0 and effectively
making these instructions emulation no-op in that case.
Backports commit cab4888136a92250fdd401402622824994f7ce0b from qemu
It is unnecessary to test R6 from delay/forbidden slot check
in gen_msa_branch().
https://bugs.launchpad.net/qemu/+bug/1663287
Backports commit 075a1fe788d36b271ec25507466c30b9a90b5d54 from qemu
this fixes many warnings like:
target/mips/translate.c:6253:13: warning: Value stored to 'rn' is never read
rn = "invalid sel";
^ ~~~~~~~~~~~~~
Backports commit 3570d7f6672836140f0a1ec9bf95dd5ea50a2aaa from qemu
static code analyzer complain:
target/mips/helper.c:453:5: warning: Function call argument is an uninitialized value
qemu_log_mask(CPU_LOG_MMU,
^~~~~~~~~~~~~~~~~~~~~~~~~~
'physical' and 'prot' are uninitialized if 'ret' is not TLBRET_MATCH.
Backports commit def74c0cf05722b2e502d4b4f1219966c5b0cbd3 from qemu
Provide a new cpu_supports_isa function which allows callers to
determine whether a CPU supports one of the ISA_ flags, by testing
whether the associated struct mips_def_t sets the ISA flags in its
insn_flags field.
An example use of this is to allow boards which generate bootloader code
to determine the properties of the CPU that will be used, for example
whether the CPU is 64 bit or which architecture revision it implements.
Backports commit bed9e5ceb158c886d548fe59675a6eba18baeaeb from qemu
