arc: Allow IO on AUX reg handling (fixes icount on ARC) #11

Closed
wants to merge 19 commits into from

@abrodkin abrodkin commented Feb 6, 2021

AUX registers are used in ARC processors to deal with settings or internal states of different internals like built-in timers, interrupt controller(s), caches etc.

Though for us here interrupts and timers are of the main interest, as those are very good examples of IO operations, and we do need to explicitly allow it to make the icount subsystem happy, as otherwise on the first attempt to set the ARC built-in timer LIMIT register we see icount_get_raw_locked() barking: qemu-system-arc: Bad icount read, and that's because:

gdb --args ./build/qemu-system-arc ... -icount auto

...

(gdb) b icount.c:116
Breakpoint 1 at 0x54178a: file ../softmmu/icount.c, line 116.

(gdb) r

...

Thread 3 "qemu-system-arc" hit Breakpoint 1, icount_get_raw_locked () at ../softmmu/icount.c:116
116                 error_report("Bad icount read");
(gdb) bt
#0  icount_get_raw_locked () at ../softmmu/icount.c:116
#1  0x0000555555a957d5 in icount_get_locked () at ../softmmu/icount.c:128
#2  0x0000555555a9586d in icount_get () at ../softmmu/icount.c:154
#3  0x0000555555a901fd in tcg_get_virtual_clock () at ../accel/tcg/tcg-cpus.c:524
#4  0x0000555555a0fe05 in cpus_get_virtual_clock () at ../softmmu/cpus.c:211
#5  0x0000555555c88fd4 in qemu_clock_get_ns (type=QEMU_CLOCK_VIRTUAL) at ../util/qemu-timer.c:638
#6  0x00005555559aa8eb in cpu_arc_timer_update (env=0x5555565280a0, timer=0) at ../target/arc/timer.c:42
#7  0x00005555559ab272 in cpu_arc_store_limit (env=0x5555565280a0, timer=0, value=500000) at ../target/arc/timer.c:246
 #8  0x00005555559aba04 in aux_timer_set (aux_reg_detail=0x5555562eedb0 <arc_aux_regs_detail+2352>, val=500000, data=0x5555565280a0) at ../target/arc/timer.c:436
#9  0x00005555559a4cb2 in helper_sr (env=0x5555565280a0, val=500000, aux=35) at ../target/arc/op_helper.c:209
#10 0x00007fffb041dc6a in code_gen_buffer ()
#11 0x0000555555a2f6c8 in cpu_tb_exec (cpu=0x55555651f960, itb=0x7fffb041db00 <code_gen_buffer+4315859>) at ./accel/tcg/cpu-exec.c:178
#12 0x0000555555a304ae in cpu_loop_exec_tb (cpu=0x55555651f960, tb=0x7fffb041db00 <code_gen_buffer+4315859>, ast_tb=0x7ffff6013928, tb_exit=0x7ffff6013920)
     at ../accel/tcg/cpu-exec.c:658
#13 0x0000555555a307a6 in cpu_exec (cpu=0x55555651f960) at ../accel/tcg/cpu-exec.c:771
#14 0x0000555555a8f911 in tcg_cpu_exec (cpu=0x55555651f960) at ../accel/tcg/tcg-cpus.c:243
#15 0x0000555555a8fc12 in tcg_rr_cpu_thread_fn (arg=0x55555651f960) at ../accel/tcg/tcg-cpus.c:346
#16 0x0000555555c9562e in qemu_thread_start (args=0x5555565339e0) at ../util/qemu-thread-posix.c:521
#17 0x00007ffff7899609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#18 0x00007ffff77c0293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Fix that, hinting QEMU about possible IO on access of AUX regs, which are only possible via LR & SR instructions.

Cupertino Miranda and others added 18 commits November 11, 2020 12:18
Signed-off-by: Cupertino Miranda <cmiranda@synopsys.com>
The decoder and the disassembler inspired by ARC GNU binutils.

Signed-off-by: Claudiu Zissulescu <claziss@synopsys.com>
Signed-off-by: Claudiu Zissulescu <claziss@synopsys.com>
Signed-off-by: Cupertino Miranda <cmiranda@synopsys.com>
Add the most generic parts of TCG constructions. It contains the
basic infrastructure for fundamental ARC features, such as
ZOL (zero overhead loops) and delay-slots.
Also includes hand crafted TCG for more intricate instructions, such
as vector instructions.

Signed-off-by: Shahab Vahedi <shahab@synopsys.com>
TCG definitions as defined by our domain-specific-language (DSL) ISA
infrastructure.

Signed-off-by: Cupertino Miranda <cmiranda@synopsys.com>
Add the infrastructure to define build configuration (BCR) and auxiliary
registers allowing independent modules (MMU, MPU, etc.) to use and extend
them.

Signed-off-by: Cupertino Miranda <cmiranda@synopsys.com>
Signed-off-by: Claudiu Zissulescu <claziss@synopsys.com>
Add Synopsys ARC MMU version 4 support. The implementation is
restricted to 8K page size support.

Signed-off-by: Cupertino Miranda <cmiranda@synopsys.com>
Add memory implementation for Synopsys MPU unit version 3.
Synopsys MPU allows to create memory regions against unauthorized
execution/read/writes accesses.

Signed-off-by: Shahab Vahedi <shahab@synopsys.com>
Register layout for the target and the mechanisms to read and set them.

Signed-off-by: Shahab Vahedi <shahab@synopsys.com>
Add the Synopsys ARC boards, arc_sim for testing, sim-hs main emulation
board using standard UART and nsim which includes a Synopsys ARC specific
UART implementation.

Signed-off-by: Claudiu Zissulescu <claziss@synopsys.com>
Add remaining bits of the Synopsys ARCv2 (EM/HS) support into QEMU,
configure bits, arch_init and configuration files for softmmu (hardware
emulation).

Signed-off-by: Shahab Vahedi <shahab@synopsys.com>
Signed-off-by: Cupertino Miranda <cmiranda@synopsys.com>
The added tests verify basic instructions execution as well
as more advanced features such as zero overhead loops interrupt
system, memory management unit and memory protection unit.

Signed-off-by: Claudiu Zissulescu <claziss@synopsys.com>
Signed-off-by: Cupertino Miranda <cmiranda@synopsys.com>
Just an acceptance test with ARC Linux booting.

Signed-off-by: Cupertino Miranda <cmiranda@synopsys.com>
Nuke the qemu internal translation cache on a TLBWriteNI cmd, otherwise
we can end up with stale TLB entries.

Linux does this on an ASID rollover (when 8-bit ASID overflows)

The problem shows up on a kernel where TLB flush interfaces were dumbed
down to actually flush the TLB (with the TLBWriteNi cmd) as opposed to more
optimal ASID increment for large flush ranges as that is quicker on real
hardware (vs. iterating through the TLB and nuking entries one page worth
at a time).

Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Moves in_delar_slot variable to DisasCtxt structure that is thread safe.
This issue fixes assert happening in glibc testsuite execution.
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
@abrodkin abrodkin changed the title Abrodkin icount arc: Allow IO on AUX reg handling (fixes icount on ARC) Feb 6, 2021
AUX registers are used in ARC processors to deal with settings or
internal states of different internals like built-in timers, interrupt
controller(s), caches etc.

Though for us here interrupts and timers are of the main interest as
those are very good examples of IO operations and we do need explicitly
allow it to make "icount" subsystem happy, as otherwise on the first
attempt to set ARC built-in timer LIMIT register we see icount_get_raw_locked()
barking: "qemu-system-arc: Bad icount read", and that's because:
------------------>8-----------------
| gdb --args ./build/qemu-system-arc ... -icount auto
|
| ...
|
| (gdb) b icount.c:116
| Breakpoint 1 at 0x54178a: file ../softmmu/icount.c, line 116.
|
| (gdb) r
|
| Thread 3 "qemu-system-arc" hit Breakpoint 1, icount_get_raw_locked () at ../softmmu/icount.c:116
| 116                 error_report("Bad icount read");
| (gdb) bt
| #0  icount_get_raw_locked () at ../softmmu/icount.c:116
| #1  0x0000555555a957d5 in icount_get_locked () at ../softmmu/icount.c:128
| #2  0x0000555555a9586d in icount_get () at ../softmmu/icount.c:154
| #3  0x0000555555a901fd in tcg_get_virtual_clock () at ../accel/tcg/tcg-cpus.c:524
| #4  0x0000555555a0fe05 in cpus_get_virtual_clock () at ../softmmu/cpus.c:211
| #5  0x0000555555c88fd4 in qemu_clock_get_ns (type=QEMU_CLOCK_VIRTUAL) at ../util/qemu-timer.c:638
| #6  0x00005555559aa8eb in cpu_arc_timer_update (env=0x5555565280a0, timer=0) at ../target/arc/timer.c:42
| #7  0x00005555559ab272 in cpu_arc_store_limit (env=0x5555565280a0, timer=0, value=500000) at ../target/arc/timer.c:246
| #8  0x00005555559aba04 in aux_timer_set (aux_reg_detail=0x5555562eedb0 <arc_aux_regs_detail+2352>, val=500000, data=0x5555565280a0) at ../target/arc/timer.c:436
| #9  0x00005555559a4cb2 in helper_sr (env=0x5555565280a0, val=500000, aux=35) at ../target/arc/op_helper.c:209
| #10 0x00007fffb041dc6a in code_gen_buffer ()
| #11 0x0000555555a2f6c8 in cpu_tb_exec (cpu=0x55555651f960, itb=0x7fffb041db00 <code_gen_buffer+4315859>) at ../accel/tcg/cpu-exec.c:178
| #12 0x0000555555a304ae in cpu_loop_exec_tb (cpu=0x55555651f960, tb=0x7fffb041db00 <code_gen_buffer+4315859>, last_tb=0x7ffff6013928, tb_exit=0x7ffff6013920)
|     at ../accel/tcg/cpu-exec.c:658
| #13 0x0000555555a307a6 in cpu_exec (cpu=0x55555651f960) at ../accel/tcg/cpu-exec.c:771
| #14 0x0000555555a8f911 in tcg_cpu_exec (cpu=0x55555651f960) at ../accel/tcg/tcg-cpus.c:243
| #15 0x0000555555a8fc12 in tcg_rr_cpu_thread_fn (arg=0x55555651f960) at ../accel/tcg/tcg-cpus.c:346
| #16 0x0000555555c9562e in qemu_thread_start (args=0x5555565339e0) at ../util/qemu-thread-posix.c:521
| #17 0x00007ffff7899609 in start_thread (arg=<optimized out>) at pthread_create.c:477
| #18 0x00007ffff77c0293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
------------------>8-----------------

Fix that, hinting QEMU about possible IO on access of AUX regs,
which are only possible via LR & SR instructions.

Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>

abrodkin commented Feb 8, 2021

FWIW here's a nice high-level explanation of icount implementation in QEMU: https://qemu.readthedocs.io/en/latest/devel/tcg-icount.html


claziss commented Feb 8, 2021

Based on the link which you shared, your patch is not OK.


claziss commented Feb 8, 2021

According to your link:
[image]


abrodkin commented Feb 8, 2021

@claziss well, the first question is how that action of "ending of the TB" should be done?
Also if I look at how others use that gen_io_start() (https://elixir.bootlin.com/qemu/latest/A/ident/gen_io_start), I cannot figure out how it differs from what I implemented here - we just process a very specific instruction. Moreover, given we do exit from the target code executing LR/SR handlers, I'd assume TB ends there anyway. So what's wrong there then?

@abrodkin

@claziss what about existing usage of that same gen_io_start() in https://github.com/foss-for-synopsys-dwc-arc-processors/qemu/blob/master/target/arc/translate.c#L320?

static void arc_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
{
    DisasContext *dc = container_of(dcbase, DisasContext, base);


    tcg_gen_insn_start(dc->base.pc_next);
    dc->cpc = dc->base.pc_next;

    if (dc->base.num_insns == dc->base.max_insns &&
        (dc->base.tb->cflags & CF_LAST_IO)) {
        gen_io_start();
    }
}

Does TB immediately end there?

cupertinomiranda pushed a commit that referenced this pull request Apr 5, 2021
Incoming enabled bitmaps are busy, because we do
bdrv_dirty_bitmap_create_successor() for them. But disabled bitmaps
being migrated are not marked busy, and user can remove them during the
incoming migration. Then we may crash in cancel_incoming_locked() when
try to remove the bitmap that was already removed by user, like this:

 #0  qemu_mutex_lock_impl (mutex=0x5593d88c50d1, file=0x559680554b20
   "../block/dirty-bitmap.c", line=64) at ../util/qemu-thread-posix.c:77
 #1  bdrv_dirty_bitmaps_lock (bs=0x5593d88c0ee9)
   at ../block/dirty-bitmap.c:64
 #2  bdrv_release_dirty_bitmap (bitmap=0x5596810e9570)
   at ../block/dirty-bitmap.c:362
 #3  cancel_incoming_locked (s=0x559680be8208 <dbm_state+40>)
   at ../migration/block-dirty-bitmap.c:918
 #4  dirty_bitmap_load (f=0x559681d02b10, opaque=0x559680be81e0
   <dbm_state>, version_id=1) at ../migration/block-dirty-bitmap.c:1194
 #5  vmstate_load (f=0x559681d02b10, se=0x559680fb5810)
   at ../migration/savevm.c:908
 #6  qemu_loadvm_section_part_end (f=0x559681d02b10,
   mis=0x559680fb4a30) at ../migration/savevm.c:2473
 #7  qemu_loadvm_state_main (f=0x559681d02b10, mis=0x559680fb4a30)
   at ../migration/savevm.c:2626
 #8  postcopy_ram_listen_thread (opaque=0x0)
   at ../migration/savevm.c:1871
 #9  qemu_thread_start (args=0x5596817ccd10)
   at ../util/qemu-thread-posix.c:521
 #10 start_thread () at /lib64/libpthread.so.0
 #11 clone () at /lib64/libc.so.6

Note bs pointer taken from bitmap: it's definitely bad aligned. That's
because we are in use after free, bitmap is already freed.

So, let's make disabled bitmaps (being migrated) busy during incoming
migration.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20210322094906.5079-2-vsementsov@virtuozzo.com>
cupertinomiranda pushed a commit that referenced this pull request Apr 5, 2021
When building with --enable-sanitizers we get:

  Direct leak of 32 byte(s) in 2 object(s) allocated from:
      #0 0x5618479ec7cf in malloc (qemu-system-aarch64+0x233b7cf)
      #1 0x7f675745f958 in g_malloc (/lib64/libglib-2.0.so.0+0x58958)
      #2 0x561847f02ca2 in usb_packet_init hw/usb/core.c:531:5
      #3 0x561848df4df4 in usb_ehci_init hw/usb/hcd-ehci.c:2575:5
      #4 0x561847c119ac in ehci_sysbus_init hw/usb/hcd-ehci-sysbus.c:73:5
      #5 0x56184a5bdab8 in object_init_with_type qom/object.c:375:9
      #6 0x56184a5bd955 in object_init_with_type qom/object.c:371:9
      #7 0x56184a5a2bda in object_initialize_with_type qom/object.c:517:5
      #8 0x56184a5a24d5 in object_initialize qom/object.c:536:5
      #9 0x56184a5a2f6c in object_initialize_child_with_propsv qom/object.c:566:5
      #10 0x56184a5a2e60 in object_initialize_child_with_props qom/object.c:549:10
      #11 0x56184a5a3a1e in object_initialize_child_internal qom/object.c:603:5
      #12 0x561849542d18 in npcm7xx_init hw/arm/npcm7xx.c:427:5

Similarly to commit d710e1e ("usb: ehci: fix memory leak in
ehci"), fix by calling usb_ehci_finalize() to free the USBPacket.

Fixes: 7341ea0
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20210323183701.281152-1-f4bug@amsat.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
cupertinomiranda pushed a commit that referenced this pull request Jul 21, 2021
cupertinomiranda pushed a commit that referenced this pull request Jul 21, 2021

abrodkin commented Aug 4, 2021

@evgeniy-paltsev that's my dirty hack to enable icount on today's merged https://github.com/foss-for-synopsys-dwc-arc-processors/qemu/tree/arc64 tree.

Note it should be usable for both ARCv2 & ARCv3 64-bit QEMU binaries.

diff --git a/target/arc/semfunc-v3.c b/target/arc/semfunc-v3.c
index 20f7d76955..5755f90456 100644
--- a/target/arc/semfunc-v3.c
+++ b/target/arc/semfunc-v3.c
@@ -21,6 +21,7 @@
 #include "qemu/osdep.h"
 #include "translate.h"
 #include "semfunc-v3.h"
+#include "exec/gen-icount.h"



@@ -4229,6 +4230,8 @@ int
 arc_gen_LR (DisasCtxt *ctx, TCGv dest, TCGv src)
 {
   int ret = DISAS_NEXT;
+  if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT)
+      gen_io_start();
   TCGv temp_1 = tcg_temp_local_new();
   readAuxReg(temp_1, src);
   tcg_gen_andi_tl(temp_1, temp_1, 0xffffffff);
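Review bot: the new `if` in `arc_gen_LR` is unbraced and sits between `int ret = DISAS_NEXT;` and the `TCGv temp_1` declaration, so a statement now precedes a declaration in the same block. QEMU's coding style asks for braces around every `if` body and for declarations at the start of the block; placing the guard after the `temp_1` declaration and before `readAuxReg(temp_1, src)`, written as `if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT) { gen_io_start(); }`, covers both. The `gen_io_start();` line is also indented six spaces in a function that otherwise indents by two.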
@@ -12016,6 +12019,8 @@ int
 arc_gen_LRL (DisasCtxt *ctx, TCGv dest, TCGv src)
 {
   int ret = DISAS_NEXT;
+  if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT)
+      gen_io_start();
   TCGv temp_1 = tcg_temp_local_new();
   readAuxReg(temp_1, src);
   tcg_gen_mov_tl(dest, temp_1);
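Review bot: `arc_gen_LRL` repeats the two-line `CF_USE_ICOUNT` guard from `arc_gen_LR` verbatim, and the same pair appears again in the semfunc.c `arc_gen_LR`, `arc_gen_SR` and `arc_gen_SRL` hunks of this patch. One small helper that takes `ctx` and is called before `readAuxReg`/`writeAuxReg` would keep the five sites from drifting apart when the icount handling changes.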
diff --git a/target/arc/semfunc.c b/target/arc/semfunc.c
index 2ee63398c4..755a90967d 100644
--- a/target/arc/semfunc.c
+++ b/target/arc/semfunc.c
@@ -22,6 +22,7 @@
 #include "qemu/osdep.h"
 #include "translate.h"
 #include "target/arc/semfunc.h"
+#include "exec/gen-icount.h"

 /*
  * FLAG
@@ -3830,6 +3831,10 @@ int
 arc_gen_LR(DisasCtxt *ctx, TCGv dest, TCGv src)
 {
     int ret = DISAS_NEXT;
+
+    if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT)
+        gen_io_start();
+
     TCGv temp_1 = tcg_temp_local_new();
     readAuxReg(temp_1, src);
     tcg_gen_mov_tl(dest, temp_1);
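Review bot: nothing at the new guard in `arc_gen_LR` says why an AUX register read is treated as I/O; the reason (AUX accesses reach the built-in timers, which read the virtual clock, as the backtrace in the PR description shows) lives only in the description. A one-line comment above `gen_io_start()` would carry that to the next reader of this file.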
diff --git a/target/arc/translate.c b/target/arc/translate.c
index 7c2e45dede..301b446ad4 100644
--- a/target/arc/translate.c
+++ b/target/arc/translate.c
@@ -24,6 +24,7 @@
 #include "tcg/tcg-op-gvec.h"
 #include "target/arc/semfunc.h"
 #include "target/arc/arc-common.h"
+#include "exec/gen-icount.h"

 /* Globals */
 TCGv    cpu_S1f;
@@ -745,6 +746,8 @@ arc_gen_SR(DisasCtxt *ctx, TCGv src2, TCGv src1)
 {
     int ret = DISAS_NEXT;

+    if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT)
+        gen_io_start();
 #if defined(TARGET_ARCV2)
     writeAuxReg(src2, src1);
 #elif defined(TARGET_ARCV3)
@@ -760,6 +763,8 @@ arc_gen_SRL(DisasCtxt *ctx, TCGv src2, TCGv src1)
 {
     int ret = DISAS_NEXT;

+    if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT)
+        gen_io_start();
     writeAuxReg(src2, src1);
     return ret;
 }
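Review bot: in `arc_gen_SRL`, `ret` is still `DISAS_NEXT` when `return ret;` is reached after `gen_io_start()` and `writeAuxReg(src2, src1)`, so the translator is told to keep translating into the same TB. The "ending of the TB" question raised earlier in this thread is left open by that: if an instruction flagged as I/O has to be the last one in its TB, then under `CF_USE_ICOUNT` this function, and the LR, LRL and SR paths that share the pattern, should return a status that ends the TB rather than `DISAS_NEXT`.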


cupertinomiranda commented Jan 25, 2022

QEMU support for icount has been done. This pull request is outdated based on current state.

@abrodkin abrodkin deleted the abrodkin-icount branch February 17, 2022 08:37