Merge tag 'hw-misc-20240410' of https://github.com/philmd/qemu into staging
Misc HW patch queue
- Fix CXL Fixed Memory Window interleave-granularity typo
- Fix for DMA re-entrancy abuse with VirtIO devices (CVE-2024-3446)
- Fix out-of-bound access in NAND block buffer
- Fix memory leak in AppleSMC reset() handler
- Avoid VirtIO crypto backends abort o invalid session ID
- Fix overflow in LAN9118 MIL TX FIFO
- Fix overflow when abusing SDHCI TRNMOD register (CVE-2024-3447)
- Fix overrun in short fragmented packet SCTP checksum (CVE-2024-3567)
- Remove unused assignment in virtio-snd model (Coverity 1542933 & 1542934)
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmYWV94ACgkQ4+MsLN6t
# wN4+ew/+PqDmL4S8xXGQPi6Q8fxAogbwo1mPptDO2y8ChEjtc9LI5HOLu90EYz7A
# s62SPDsh3gx8vOthrJVEk0LqCbw4N3s5dFdmHNrnjXCsKQFifgucQ+yZy8ipy34N
# wWHSJ9nipBQLvkK23iCxkbl3cTyr44Rlweae/TZR4/FjFCEe3N555LQU0fruEqRo
# AHW1RjYhGvOfL9knLWzIQqW2QjcCnKky3bJhwHh3crfWE69nvVJTkbSF6oUxWSG0
# RzSToK3nN5tmvUlyvbTBE9u0K9JkOcbtMQiAgj39nR9xpsaUZZa0zSWOmliYIuBC
# kWuUY0/nAQk6gxHBKyu8q09ACBbzeCp+lVPOYXdxax8QMeURSa9fB1qY7JmI5QAZ
# bg0ypD2pvbxhidU5TWpw7araAYyBOJrEYjnOkhXB4oa01ZWu2d0uNhGWo83h3Wjy
# ahKrNDoVIQIdh8QkYy/ZqDwhCMoNM+pQcfUzsYxkqZC/JiiM/qxm87pTHQ/x2yQA
# l0MLzljGv90/dklokrqeg4REwMqfwzc74PUbKdCk43saemmatslK3ktu3xAzUlQW
# 2xmZQTnKwXDf+U3YnYryDddow2LsU7qlu8dlDGNd0WIrE5LRCCXzhv8la66O0jVE
# qMOHpBPkwMlACBwiXuxV6ucelk4vy+XvabeQUsizm0m+PR7TwJY=
# =9phd
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 10 Apr 2024 10:11:58 BST
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE
* tag 'hw-misc-20240410' of https://github.com/philmd/qemu:
hw/audio/virtio-snd: Remove unused assignment
hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()
hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set
hw/net/lan9118: Fix overflow in MIL TX FIFO
hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition
backends/cryptodev: Do not abort for invalid session ID
hw/misc/applesmc: Fix memory leak in reset() handler
hw/misc/applesmc: Do not call DeviceReset from DeviceRealize
hw/block/nand: Fix out-of-bound access in NAND block buffer
hw/block/nand: Have blk_load() take unsigned offset and return boolean
hw/block/nand: Factor nand_load_iolen() method out
qemu-options: Fix CXL Fixed Memory Window interleave-granularity typo
hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs
hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs
hw/display/virtio-gpu: Protect from DMA re-entrancy bugs
hw/virtio: Introduce virtio_bh_new_guarded() helper
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c
index 38c3400..9de0bc3 100644
--- a/accel/tcg/translator.c
+++ b/accel/tcg/translator.c
@@ -18,20 +18,14 @@
static void set_can_do_io(DisasContextBase *db, bool val)
{
- if (db->saved_can_do_io != val) {
- db->saved_can_do_io = val;
-
- QEMU_BUILD_BUG_ON(sizeof_field(CPUState, neg.can_do_io) != 1);
- tcg_gen_st8_i32(tcg_constant_i32(val), tcg_env,
- offsetof(ArchCPU, parent_obj.neg.can_do_io) -
- offsetof(ArchCPU, env));
- }
+ QEMU_BUILD_BUG_ON(sizeof_field(CPUState, neg.can_do_io) != 1);
+ tcg_gen_st8_i32(tcg_constant_i32(val), tcg_env,
+ offsetof(ArchCPU, parent_obj.neg.can_do_io) -
+ offsetof(ArchCPU, env));
}
bool translator_io_start(DisasContextBase *db)
{
- set_can_do_io(db, true);
-
/*
* Ensure that this instruction will be the last in the TB.
* The target may override this to something more forceful.
@@ -84,13 +78,6 @@
- offsetof(ArchCPU, env));
}
- /*
- * cpu->neg.can_do_io is set automatically here at the beginning of
- * each translation block. The cost is minimal, plus it would be
- * very easy to forget doing it in the translator.
- */
- set_can_do_io(db, db->max_insns == 1);
-
return icount_start_insn;
}
@@ -129,6 +116,7 @@
{
uint32_t cflags = tb_cflags(tb);
TCGOp *icount_start_insn;
+ TCGOp *first_insn_start = NULL;
bool plugin_enabled;
/* Initialize DisasContext */
@@ -139,7 +127,7 @@
db->num_insns = 0;
db->max_insns = *max_insns;
db->singlestep_enabled = cflags & CF_SINGLE_STEP;
- db->saved_can_do_io = -1;
+ db->insn_start = NULL;
db->host_addr[0] = host_pc;
db->host_addr[1] = NULL;
@@ -157,6 +145,10 @@
while (true) {
*max_insns = ++db->num_insns;
ops->insn_start(db, cpu);
+ db->insn_start = tcg_last_op();
+ if (first_insn_start == NULL) {
+ first_insn_start = db->insn_start;
+ }
tcg_debug_assert(db->is_jmp == DISAS_NEXT); /* no early exit */
if (plugin_enabled) {
@@ -169,10 +161,6 @@
* done next -- either exiting this loop or locate the start of
* the next instruction.
*/
- if (db->num_insns == db->max_insns) {
- /* Accept I/O on the last instruction. */
- set_can_do_io(db, true);
- }
ops->translate_insn(db, cpu);
/*
@@ -205,6 +193,21 @@
ops->tb_stop(db, cpu);
gen_tb_end(tb, cflags, icount_start_insn, db->num_insns);
+ /*
+ * Manage can_do_io for the translation block: set to false before
+ * the first insn and set to true before the last insn.
+ */
+ if (db->num_insns == 1) {
+ tcg_debug_assert(first_insn_start == db->insn_start);
+ } else {
+ tcg_debug_assert(first_insn_start != db->insn_start);
+ tcg_ctx->emit_before_op = first_insn_start;
+ set_can_do_io(db, false);
+ }
+ tcg_ctx->emit_before_op = db->insn_start;
+ set_can_do_io(db, true);
+ tcg_ctx->emit_before_op = NULL;
+
if (plugin_enabled) {
plugin_gen_tb_end(cpu, db->num_insns);
}
diff --git a/include/exec/translator.h b/include/exec/translator.h
index 51624fe..2c4fb81 100644
--- a/include/exec/translator.h
+++ b/include/exec/translator.h
@@ -74,6 +74,8 @@
* @singlestep_enabled: "Hardware" single stepping enabled.
* @saved_can_do_io: Known value of cpu->neg.can_do_io, or -1 for unknown.
* @plugin_enabled: TCG plugin enabled in this TB.
+ * @insn_start: The last op emitted by the insn_start hook,
+ * which is expected to be INDEX_op_insn_start.
*
* Architecture-agnostic disassembly context.
*/
@@ -85,8 +87,8 @@
int num_insns;
int max_insns;
bool singlestep_enabled;
- int8_t saved_can_do_io;
bool plugin_enabled;
+ struct TCGOp *insn_start;
void *host_addr[2];
} DisasContextBase;
diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h
index 451f3fe..05a1912 100644
--- a/include/tcg/tcg.h
+++ b/include/tcg/tcg.h
@@ -553,6 +553,12 @@
QTAILQ_HEAD(, TCGOp) ops, free_ops;
QSIMPLEQ_HEAD(, TCGLabel) labels;
+ /*
+ * When clear, new ops are added to the tail of @ops.
+ * When set, new ops are added in front of @emit_before_op.
+ */
+ TCGOp *emit_before_op;
+
/* Tells which temporary holds a given register.
It does not take into account fixed registers */
TCGTemp *reg_to_temp[TCG_TARGET_NB_REGS];
diff --git a/linux-user/main.c b/linux-user/main.c
index 9277df2..149e354 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -928,11 +928,7 @@
* Prepare copy of argv vector for target.
*/
target_argc = argc - optind;
- target_argv = calloc(target_argc + 1, sizeof (char *));
- if (target_argv == NULL) {
- (void) fprintf(stderr, "Unable to allocate memory for target_argv\n");
- exit(EXIT_FAILURE);
- }
+ target_argv = g_new0(char *, target_argc + 1);
/*
* If argv0 is specified (using '-0' switch) we replace
diff --git a/linux-user/signal.c b/linux-user/signal.c
index a93148a..05dc4af 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -1173,6 +1173,7 @@
CPUState *cpu = env_cpu(cpu_env);
abi_ulong handler;
sigset_t set;
+ target_siginfo_t unswapped;
target_sigset_t target_old_set;
struct target_sigaction *sa;
TaskState *ts = get_task_state(cpu);
@@ -1182,9 +1183,14 @@
k->pending = 0;
/*
- * Writes out siginfo values byteswapped, accordingly to the target. It also
- * cleans the si_type from si_code making it correct for the target.
+ * Writes out siginfo values byteswapped, accordingly to the target.
+ * It also cleans the si_type from si_code making it correct for
+ * the target. We must hold on to the original unswapped copy for
+ * strace below, because si_type is still required there.
*/
+ if (unlikely(qemu_loglevel_mask(LOG_STRACE))) {
+ unswapped = k->info;
+ }
tswap_siginfo(&k->info, &k->info);
sig = gdb_handlesig(cpu, sig, NULL, &k->info, sizeof(k->info));
@@ -1197,7 +1203,7 @@
}
if (unlikely(qemu_loglevel_mask(LOG_STRACE))) {
- print_taken_signal(sig, &k->info);
+ print_taken_signal(sig, &unswapped);
}
if (handler == TARGET_SIG_DFL) {
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index e12d969..3df2b94 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -9272,14 +9272,24 @@
#ifdef TARGET_NR_waitid
case TARGET_NR_waitid:
{
+ struct rusage ru;
siginfo_t info;
- info.si_pid = 0;
- ret = get_errno(safe_waitid(arg1, arg2, &info, arg4, NULL));
- if (!is_error(ret) && arg3 && info.si_pid != 0) {
- if (!(p = lock_user(VERIFY_WRITE, arg3, sizeof(target_siginfo_t), 0)))
+
+ ret = get_errno(safe_waitid(arg1, arg2, (arg3 ? &info : NULL),
+ arg4, (arg5 ? &ru : NULL)));
+ if (!is_error(ret)) {
+ if (arg3) {
+ p = lock_user(VERIFY_WRITE, arg3,
+ sizeof(target_siginfo_t), 0);
+ if (!p) {
+ return -TARGET_EFAULT;
+ }
+ host_to_target_siginfo(p, &info);
+ unlock_user(p, arg3, sizeof(target_siginfo_t));
+ }
+ if (arg5 && host_to_target_rusage(arg5, &ru)) {
return -TARGET_EFAULT;
- host_to_target_siginfo(p, &info);
- unlock_user(p, arg3, sizeof(target_siginfo_t));
+ }
}
}
return ret;
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index 340265b..2666d52 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -14179,7 +14179,7 @@
pc_arg &= ~TARGET_PAGE_MASK;
}
tcg_gen_insn_start(pc_arg, 0, 0);
- dc->insn_start = tcg_last_op();
+ dc->insn_start_updated = false;
}
static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c
index 69585e6..dc49a8d 100644
--- a/target/arm/tcg/translate.c
+++ b/target/arm/tcg/translate.c
@@ -9273,7 +9273,7 @@
condexec_bits = (dc->condexec_cond << 4) | (dc->condexec_mask >> 1);
}
tcg_gen_insn_start(pc_arg, condexec_bits, 0);
- dc->insn_start = tcg_last_op();
+ dc->insn_start_updated = false;
}
static bool arm_check_kernelpage(DisasContext *dc)
diff --git a/target/arm/tcg/translate.h b/target/arm/tcg/translate.h
index 93be745..dc66ff2 100644
--- a/target/arm/tcg/translate.h
+++ b/target/arm/tcg/translate.h
@@ -165,10 +165,10 @@
uint8_t gm_blocksize;
/* True if this page is guarded. */
bool guarded_page;
+ /* True if the current insn_start has been updated. */
+ bool insn_start_updated;
/* Bottom two bits of XScale c15_cpar coprocessor access control reg */
int c15_cpar;
- /* TCG op of the current insn_start. */
- TCGOp *insn_start;
/* Offset from VNCR_EL2 when FEAT_NV2 redirects this reg to memory */
uint32_t nv2_redirect_offset;
} DisasContext;
@@ -276,10 +276,10 @@
syn &= ARM_INSN_START_WORD2_MASK;
syn >>= ARM_INSN_START_WORD2_SHIFT;
- /* We check and clear insn_start_idx to catch multiple updates. */
- assert(s->insn_start != NULL);
- tcg_set_insn_start_param(s->insn_start, 2, syn);
- s->insn_start = NULL;
+ /* Check for multiple updates. */
+ assert(!s->insn_start_updated);
+ s->insn_start_updated = true;
+ tcg_set_insn_start_param(s->base.insn_start, 2, syn);
}
static inline int curr_insn_len(DisasContext *s)
diff --git a/target/hppa/int_helper.c b/target/hppa/int_helper.c
index 90437a9..a667ee3 100644
--- a/target/hppa/int_helper.c
+++ b/target/hppa/int_helper.c
@@ -107,14 +107,10 @@
/* step 3 */
/*
- * For pa1.x, IIASQ is simply a copy of IASQ.
- * For pa2.0, IIASQ is the top bits of the virtual address,
- * or zero if translation is disabled.
+ * IIASQ is the top bits of the virtual address, or zero if translation
+ * is disabled -- with PSW_W == 0, this will reduce to the space.
*/
- if (!hppa_is_pa20(env)) {
- env->cr[CR_IIASQ] = env->iasq_f >> 32;
- env->cr_back[0] = env->iasq_b >> 32;
- } else if (old_psw & PSW_C) {
+ if (old_psw & PSW_C) {
env->cr[CR_IIASQ] =
hppa_form_gva_psw(old_psw, env->iasq_f, env->iaoq_f) >> 32;
env->cr_back[0] =
@@ -123,8 +119,14 @@
env->cr[CR_IIASQ] = 0;
env->cr_back[0] = 0;
}
- env->cr[CR_IIAOQ] = env->iaoq_f;
- env->cr_back[1] = env->iaoq_b;
+ /* IIAOQ is the full offset for wide mode, or 32 bits for narrow mode. */
+ if (old_psw & PSW_W) {
+ env->cr[CR_IIAOQ] = env->iaoq_f;
+ env->cr_back[1] = env->iaoq_b;
+ } else {
+ env->cr[CR_IIAOQ] = (uint32_t)env->iaoq_f;
+ env->cr_back[1] = (uint32_t)env->iaoq_b;
+ }
if (old_psw & PSW_Q) {
/* step 5 */
diff --git a/target/hppa/sys_helper.c b/target/hppa/sys_helper.c
index 208e51c..22d6c89 100644
--- a/target/hppa/sys_helper.c
+++ b/target/hppa/sys_helper.c
@@ -78,21 +78,21 @@
void HELPER(rfi)(CPUHPPAState *env)
{
- env->iasq_f = (uint64_t)env->cr[CR_IIASQ] << 32;
- env->iasq_b = (uint64_t)env->cr_back[0] << 32;
- env->iaoq_f = env->cr[CR_IIAOQ];
- env->iaoq_b = env->cr_back[1];
+ uint64_t mask;
+
+ cpu_hppa_put_psw(env, env->cr[CR_IPSW]);
/*
* For pa2.0, IIASQ is the top bits of the virtual address.
* To recreate the space identifier, remove the offset bits.
+ * For pa1.x, the mask reduces to no change to space.
*/
- if (hppa_is_pa20(env)) {
- env->iasq_f &= ~env->iaoq_f;
- env->iasq_b &= ~env->iaoq_b;
- }
+ mask = gva_offset_mask(env->psw);
- cpu_hppa_put_psw(env, env->cr[CR_IPSW]);
+ env->iaoq_f = env->cr[CR_IIAOQ];
+ env->iaoq_b = env->cr_back[1];
+ env->iasq_f = (env->cr[CR_IIASQ] << 32) & ~(env->iaoq_f & mask);
+ env->iasq_b = (env->cr_back[0] << 32) & ~(env->iaoq_b & mask);
}
static void getshadowregs(CPUHPPAState *env)
diff --git a/target/hppa/translate.c b/target/hppa/translate.c
index 8a1a8bc..42fa480 100644
--- a/target/hppa/translate.c
+++ b/target/hppa/translate.c
@@ -44,7 +44,6 @@
typedef struct DisasContext {
DisasContextBase base;
CPUState *cs;
- TCGOp *insn_start;
uint64_t iaoq_f;
uint64_t iaoq_b;
@@ -62,6 +61,7 @@
int privilege;
bool psw_n_nonzero;
bool is_pa20;
+ bool insn_start_updated;
#ifdef CONFIG_USER_ONLY
MemOp unalign;
@@ -300,9 +300,9 @@
static void set_insn_breg(DisasContext *ctx, int breg)
{
- assert(ctx->insn_start != NULL);
- tcg_set_insn_start_param(ctx->insn_start, 2, breg);
- ctx->insn_start = NULL;
+ assert(!ctx->insn_start_updated);
+ ctx->insn_start_updated = true;
+ tcg_set_insn_start_param(ctx->base.insn_start, 2, breg);
}
static DisasCond cond_make_f(void)
@@ -4694,7 +4694,7 @@
DisasContext *ctx = container_of(dcbase, DisasContext, base);
tcg_gen_insn_start(ctx->iaoq_f, ctx->iaoq_b, 0);
- ctx->insn_start = tcg_last_op();
+ ctx->insn_start_updated = false;
}
static void hppa_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index 07f642d..76a42c6 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -139,6 +139,7 @@
TCGv_i64 tmp1_i64;
sigjmp_buf jmpbuf;
+ TCGOp *prev_insn_start;
TCGOp *prev_insn_end;
} DisasContext;
@@ -3123,6 +3124,7 @@
/* END TODO */
s->base.num_insns--;
tcg_remove_ops_after(s->prev_insn_end);
+ s->base.insn_start = s->prev_insn_start;
s->base.is_jmp = DISAS_TOO_MANY;
return false;
default:
@@ -6995,6 +6997,7 @@
DisasContext *dc = container_of(dcbase, DisasContext, base);
target_ulong pc_arg = dc->base.pc_next;
+ dc->prev_insn_start = dc->base.insn_start;
dc->prev_insn_end = tcg_last_op();
if (tb_cflags(dcbase->tb) & CF_PCREL) {
pc_arg &= ~TARGET_PAGE_MASK;
diff --git a/target/m68k/cpu.c b/target/m68k/cpu.c
index 7c8efbb..df49ff1 100644
--- a/target/m68k/cpu.c
+++ b/target/m68k/cpu.c
@@ -390,12 +390,19 @@
}
};
+static int fpu_pre_save(void *opaque)
+{
+ M68kCPU *s = opaque;
+
+ s->env.fpsr = cpu_m68k_get_fpsr(&s->env);
+ return 0;
+}
+
static int fpu_post_load(void *opaque, int version)
{
M68kCPU *s = opaque;
- cpu_m68k_restore_fp_status(&s->env);
-
+ cpu_m68k_set_fpsr(&s->env, s->env.fpsr);
return 0;
}
@@ -404,6 +411,7 @@
.version_id = 1,
.minimum_version_id = 1,
.needed = fpu_needed,
+ .pre_save = fpu_pre_save,
.post_load = fpu_post_load,
.fields = (const VMStateField[]) {
VMSTATE_UINT32(env.fpcr, M68kCPU),
diff --git a/target/m68k/cpu.h b/target/m68k/cpu.h
index 346427e..e184239 100644
--- a/target/m68k/cpu.h
+++ b/target/m68k/cpu.h
@@ -199,7 +199,8 @@
void cpu_m68k_set_sr(CPUM68KState *env, uint32_t);
void cpu_m68k_restore_fp_status(CPUM68KState *env);
void cpu_m68k_set_fpcr(CPUM68KState *env, uint32_t val);
-
+uint32_t cpu_m68k_get_fpsr(CPUM68KState *env);
+void cpu_m68k_set_fpsr(CPUM68KState *env, uint32_t val);
/*
* Instead of computing the condition codes after each m68k instruction,
diff --git a/target/m68k/fpu_helper.c b/target/m68k/fpu_helper.c
index ab120b5..8314791 100644
--- a/target/m68k/fpu_helper.c
+++ b/target/m68k/fpu_helper.c
@@ -164,6 +164,78 @@
cpu_m68k_set_fpcr(env, val);
}
+/* Convert host exception flags to cpu_m68k form. */
+static int cpu_m68k_exceptbits_from_host(int host_bits)
+{
+ int target_bits = 0;
+
+ if (host_bits & float_flag_invalid) {
+ target_bits |= 0x80;
+ }
+ if (host_bits & float_flag_overflow) {
+ target_bits |= 0x40;
+ }
+ if (host_bits & (float_flag_underflow | float_flag_output_denormal)) {
+ target_bits |= 0x20;
+ }
+ if (host_bits & float_flag_divbyzero) {
+ target_bits |= 0x10;
+ }
+ if (host_bits & float_flag_inexact) {
+ target_bits |= 0x08;
+ }
+ return target_bits;
+}
+
+/* Convert cpu_m68k exception flags to target form. */
+static int cpu_m68k_exceptbits_to_host(int target_bits)
+{
+ int host_bits = 0;
+
+ if (target_bits & 0x80) {
+ host_bits |= float_flag_invalid;
+ }
+ if (target_bits & 0x40) {
+ host_bits |= float_flag_overflow;
+ }
+ if (target_bits & 0x20) {
+ host_bits |= float_flag_underflow;
+ }
+ if (target_bits & 0x10) {
+ host_bits |= float_flag_divbyzero;
+ }
+ if (target_bits & 0x08) {
+ host_bits |= float_flag_inexact;
+ }
+ return host_bits;
+}
+
+uint32_t cpu_m68k_get_fpsr(CPUM68KState *env)
+{
+ int host_flags = get_float_exception_flags(&env->fp_status);
+ int target_flags = cpu_m68k_exceptbits_from_host(host_flags);
+ int except = (env->fpsr & ~(0xf8)) | target_flags;
+ return except;
+}
+
+uint32_t HELPER(get_fpsr)(CPUM68KState *env)
+{
+ return cpu_m68k_get_fpsr(env);
+}
+
+void cpu_m68k_set_fpsr(CPUM68KState *env, uint32_t val)
+{
+ env->fpsr = val;
+
+ int host_flags = cpu_m68k_exceptbits_to_host((int) env->fpsr);
+ set_float_exception_flags(host_flags, &env->fp_status);
+}
+
+void HELPER(set_fpsr)(CPUM68KState *env, uint32_t val)
+{
+ cpu_m68k_set_fpsr(env, val);
+}
+
#define PREC_BEGIN(prec) \
do { \
FloatX80RoundPrec old = \
diff --git a/target/m68k/helper.c b/target/m68k/helper.c
index 1a475f0..7a91f33 100644
--- a/target/m68k/helper.c
+++ b/target/m68k/helper.c
@@ -87,7 +87,7 @@
case 8: /* fpcontrol */
return gdb_get_reg32(mem_buf, env->fpcr);
case 9: /* fpstatus */
- return gdb_get_reg32(mem_buf, env->fpsr);
+ return gdb_get_reg32(mem_buf, cpu_m68k_get_fpsr(env));
case 10: /* fpiar, not implemented */
return gdb_get_reg32(mem_buf, 0);
}
@@ -109,7 +109,7 @@
cpu_m68k_set_fpcr(env, ldl_p(mem_buf));
return 4;
case 9: /* fpstatus */
- env->fpsr = ldl_p(mem_buf);
+ cpu_m68k_set_fpsr(env, ldl_p(mem_buf));
return 4;
case 10: /* fpiar, not implemented */
return 4;
diff --git a/target/m68k/helper.h b/target/m68k/helper.h
index 2bbe0dc..95aa5e5 100644
--- a/target/m68k/helper.h
+++ b/target/m68k/helper.h
@@ -54,6 +54,8 @@
DEF_HELPER_4(fddiv, void, env, fp, fp, fp)
DEF_HELPER_4(fsgldiv, void, env, fp, fp, fp)
DEF_HELPER_FLAGS_3(fcmp, TCG_CALL_NO_RWG, void, env, fp, fp)
+DEF_HELPER_2(set_fpsr, void, env, i32)
+DEF_HELPER_1(get_fpsr, i32, env)
DEF_HELPER_FLAGS_2(set_fpcr, TCG_CALL_NO_RWG, void, env, i32)
DEF_HELPER_FLAGS_2(ftst, TCG_CALL_NO_RWG, void, env, fp)
DEF_HELPER_3(fconst, void, env, fp, i32)
diff --git a/target/m68k/translate.c b/target/m68k/translate.c
index 6ae3df4..8a194f2 100644
--- a/target/m68k/translate.c
+++ b/target/m68k/translate.c
@@ -4686,7 +4686,7 @@
tcg_gen_movi_i32(res, 0);
break;
case M68K_FPSR:
- tcg_gen_ld_i32(res, tcg_env, offsetof(CPUM68KState, fpsr));
+ gen_helper_get_fpsr(res, tcg_env);
break;
case M68K_FPCR:
tcg_gen_ld_i32(res, tcg_env, offsetof(CPUM68KState, fpcr));
@@ -4700,7 +4700,7 @@
case M68K_FPIAR:
break;
case M68K_FPSR:
- tcg_gen_st_i32(val, tcg_env, offsetof(CPUM68KState, fpsr));
+ gen_helper_set_fpsr(tcg_env, val);
break;
case M68K_FPCR:
gen_helper_set_fpcr(tcg_env, val);
diff --git a/target/microblaze/translate.c b/target/microblaze/translate.c
index 4e52ef3..fc451be 100644
--- a/target/microblaze/translate.c
+++ b/target/microblaze/translate.c
@@ -62,9 +62,6 @@
DisasContextBase base;
const MicroBlazeCPUConfig *cfg;
- /* TCG op of the current insn_start. */
- TCGOp *insn_start;
-
TCGv_i32 r0;
bool r0_set;
@@ -699,14 +696,14 @@
static void record_unaligned_ess(DisasContext *dc, int rd,
MemOp size, bool store)
{
- uint32_t iflags = tcg_get_insn_start_param(dc->insn_start, 1);
+ uint32_t iflags = tcg_get_insn_start_param(dc->base.insn_start, 1);
iflags |= ESR_ESS_FLAG;
iflags |= rd << 5;
iflags |= store * ESR_S;
iflags |= (size == MO_32) * ESR_W;
- tcg_set_insn_start_param(dc->insn_start, 1, iflags);
+ tcg_set_insn_start_param(dc->base.insn_start, 1, iflags);
}
#endif
@@ -1624,7 +1621,6 @@
DisasContext *dc = container_of(dcb, DisasContext, base);
tcg_gen_insn_start(dc->base.pc_next, dc->tb_flags & ~MSR_TB_MASK);
- dc->insn_start = tcg_last_op();
}
static void mb_tr_translate_insn(DisasContextBase *dcb, CPUState *cs)
diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index 9d57089..9ff09eb 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -115,8 +115,7 @@
bool itrigger;
/* FRM is known to contain a valid value. */
bool frm_valid;
- /* TCG of the current insn_start */
- TCGOp *insn_start;
+ bool insn_start_updated;
} DisasContext;
static inline bool has_ext(DisasContext *ctx, uint32_t ext)
@@ -207,9 +206,9 @@
static void decode_save_opc(DisasContext *ctx)
{
- assert(ctx->insn_start != NULL);
- tcg_set_insn_start_param(ctx->insn_start, 1, ctx->opcode);
- ctx->insn_start = NULL;
+ assert(!ctx->insn_start_updated);
+ ctx->insn_start_updated = true;
+ tcg_set_insn_start_param(ctx->base.insn_start, 1, ctx->opcode);
}
static void gen_pc_plus_diff(TCGv target, DisasContext *ctx,
@@ -1224,7 +1223,7 @@
}
tcg_gen_insn_start(pc_next, 0);
- ctx->insn_start = tcg_last_op();
+ ctx->insn_start_updated = false;
}
static void riscv_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
index 57b7db1..90a74ee 100644
--- a/target/s390x/tcg/translate.c
+++ b/target/s390x/tcg/translate.c
@@ -141,7 +141,6 @@
struct DisasContext {
DisasContextBase base;
const DisasInsn *insn;
- TCGOp *insn_start;
DisasFields fields;
uint64_t ex_value;
/*
@@ -6314,7 +6313,7 @@
insn = extract_insn(env, s);
/* Update insn_start now that we know the ILEN. */
- tcg_set_insn_start_param(s->insn_start, 2, s->ilen);
+ tcg_set_insn_start_param(s->base.insn_start, 2, s->ilen);
/* Not found means unimplemented/illegal opcode. */
if (insn == NULL) {
@@ -6468,7 +6467,6 @@
/* Delay the set of ilen until we've read the insn. */
tcg_gen_insn_start(dc->base.pc_next, dc->cc_op, 0);
- dc->insn_start = tcg_last_op();
}
static target_ulong get_next_pc(CPUS390XState *env, DisasContext *s,
diff --git a/target/sh4/cpu.h b/target/sh4/cpu.h
index 9211da6..d928bcf 100644
--- a/target/sh4/cpu.h
+++ b/target/sh4/cpu.h
@@ -155,12 +155,22 @@
uint32_t pc; /* program counter */
uint32_t delayed_pc; /* target of delayed branch */
uint32_t delayed_cond; /* condition of delayed branch */
- uint32_t mach; /* multiply and accumulate high */
- uint32_t macl; /* multiply and accumulate low */
uint32_t pr; /* procedure register */
uint32_t fpscr; /* floating point status/control register */
uint32_t fpul; /* floating point communication register */
+ /* multiply and accumulate: high, low and combined. */
+ union {
+ uint64_t mac;
+ struct {
+#if HOST_BIG_ENDIAN
+ uint32_t mach, macl;
+#else
+ uint32_t macl, mach;
+#endif
+ };
+ };
+
/* float point status register */
float_status fp_status;
diff --git a/target/sh4/helper.h b/target/sh4/helper.h
index 8d792f6..29011d3 100644
--- a/target/sh4/helper.h
+++ b/target/sh4/helper.h
@@ -11,8 +11,8 @@
DEF_HELPER_1(discard_movcal_backup, void, env)
DEF_HELPER_2(ocbi, void, env, i32)
-DEF_HELPER_3(macl, void, env, i32, i32)
-DEF_HELPER_3(macw, void, env, i32, i32)
+DEF_HELPER_3(macl, void, env, s32, s32)
+DEF_HELPER_3(macw, void, env, s32, s32)
DEF_HELPER_2(ld_fpscr, void, env, i32)
diff --git a/target/sh4/op_helper.c b/target/sh4/op_helper.c
index 4559d0d..99394b7 100644
--- a/target/sh4/op_helper.c
+++ b/target/sh4/op_helper.c
@@ -158,38 +158,47 @@
}
}
-void helper_macl(CPUSH4State *env, uint32_t arg0, uint32_t arg1)
+void helper_macl(CPUSH4State *env, int32_t arg0, int32_t arg1)
{
+ const int64_t min = -(1ll << 47);
+ const int64_t max = (1ll << 47) - 1;
+ int64_t mul = (int64_t)arg0 * arg1;
+ int64_t mac = env->mac;
int64_t res;
- res = ((uint64_t) env->mach << 32) | env->macl;
- res += (int64_t) (int32_t) arg0 *(int64_t) (int32_t) arg1;
- env->mach = (res >> 32) & 0xffffffff;
- env->macl = res & 0xffffffff;
- if (env->sr & (1u << SR_S)) {
- if (res < 0)
- env->mach |= 0xffff0000;
- else
- env->mach &= 0x00007fff;
+ if (!(env->sr & (1u << SR_S))) {
+ res = mac + mul;
+ } else if (sadd64_overflow(mac, mul, &res)) {
+ res = mac < 0 ? min : max;
+ } else {
+ res = MIN(MAX(res, min), max);
}
+
+ env->mac = res;
}
-void helper_macw(CPUSH4State *env, uint32_t arg0, uint32_t arg1)
+void helper_macw(CPUSH4State *env, int32_t arg0, int32_t arg1)
{
- int64_t res;
+ /* Inputs are already sign-extended from 16 bits. */
+ int32_t mul = arg0 * arg1;
- res = ((uint64_t) env->mach << 32) | env->macl;
- res += (int64_t) (int16_t) arg0 *(int64_t) (int16_t) arg1;
- env->mach = (res >> 32) & 0xffffffff;
- env->macl = res & 0xffffffff;
if (env->sr & (1u << SR_S)) {
- if (res < -0x80000000) {
+ /*
+ * In saturation arithmetic mode, the accumulator is 32-bit
+ * with carry. MACH is not considered during the addition
+ * operation nor the 32-bit saturation logic.
+ */
+ int32_t res, macl = env->macl;
+
+ if (sadd32_overflow(macl, mul, &res)) {
+ res = macl < 0 ? INT32_MIN : INT32_MAX;
+ /* If overflow occurs, the MACH register is set to 1. */
env->mach = 1;
- env->macl = 0x80000000;
- } else if (res > 0x000000007fffffff) {
- env->mach = 1;
- env->macl = 0x7fffffff;
}
+ env->macl = res;
+ } else {
+ /* In non-saturation arithmetic mode, the accumulator is 64-bit */
+ env->mac += mul;
}
}
diff --git a/target/sh4/translate.c b/target/sh4/translate.c
index a9b1bc7..ebb6c90 100644
--- a/target/sh4/translate.c
+++ b/target/sh4/translate.c
@@ -523,6 +523,7 @@
tcg_gen_movi_i32(REG(B11_8), B7_0s);
return;
case 0x9000: /* mov.w @(disp,PC),Rn */
+ CHECK_NOT_DELAY_SLOT
{
TCGv addr = tcg_constant_i32(ctx->base.pc_next + 4 + B7_0 * 2);
tcg_gen_qemu_ld_i32(REG(B11_8), addr, ctx->memidx,
@@ -530,6 +531,7 @@
}
return;
case 0xd000: /* mov.l @(disp,PC),Rn */
+ CHECK_NOT_DELAY_SLOT
{
TCGv addr = tcg_constant_i32((ctx->base.pc_next + 4 + B7_0 * 4) & ~3);
tcg_gen_qemu_ld_i32(REG(B11_8), addr, ctx->memidx,
@@ -816,10 +818,10 @@
TCGv arg0, arg1;
arg0 = tcg_temp_new();
tcg_gen_qemu_ld_i32(arg0, REG(B7_4), ctx->memidx,
- MO_TESL | MO_ALIGN);
+ MO_TESW | MO_ALIGN);
arg1 = tcg_temp_new();
tcg_gen_qemu_ld_i32(arg1, REG(B11_8), ctx->memidx,
- MO_TESL | MO_ALIGN);
+ MO_TESW | MO_ALIGN);
gen_helper_macw(tcg_env, arg0, arg1);
tcg_gen_addi_i32(REG(B11_8), REG(B11_8), 2);
tcg_gen_addi_i32(REG(B7_4), REG(B7_4), 2);
@@ -1236,6 +1238,7 @@
}
return;
case 0xc700: /* mova @(disp,PC),R0 */
+ CHECK_NOT_DELAY_SLOT
tcg_gen_movi_i32(REG(0), ((ctx->base.pc_next & 0xfffffffc) +
4 + B7_0 * 4) & ~3);
return;
diff --git a/tcg/optimize.c b/tcg/optimize.c
index 275db77..2e9e572 100644
--- a/tcg/optimize.c
+++ b/tcg/optimize.c
@@ -1990,16 +1990,10 @@
return false;
}
-static bool fold_neg(OptContext *ctx, TCGOp *op)
+static bool fold_neg_no_const(OptContext *ctx, TCGOp *op)
{
- uint64_t z_mask;
-
- if (fold_const1(ctx, op)) {
- return true;
- }
-
/* Set to 1 all bits to the left of the rightmost. */
- z_mask = arg_info(op->args[1])->z_mask;
+ uint64_t z_mask = arg_info(op->args[1])->z_mask;
ctx->z_mask = -(z_mask & -z_mask);
/*
@@ -2010,6 +2004,11 @@
return true;
}
+static bool fold_neg(OptContext *ctx, TCGOp *op)
+{
+ return fold_const1(ctx, op) || fold_neg_no_const(ctx, op);
+}
+
static bool fold_nor(OptContext *ctx, TCGOp *op)
{
if (fold_const2_commutative(ctx, op) ||
@@ -2418,7 +2417,7 @@
if (have_neg) {
op->opc = neg_op;
op->args[1] = op->args[2];
- return fold_neg(ctx, op);
+ return fold_neg_no_const(ctx, op);
}
return false;
}
diff --git a/tcg/tcg.c b/tcg/tcg.c
index d667023..0c0bb9d 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -1521,6 +1521,7 @@
QTAILQ_INIT(&s->ops);
QTAILQ_INIT(&s->free_ops);
+ s->emit_before_op = NULL;
QSIMPLEQ_INIT(&s->labels);
tcg_debug_assert(s->addr_type == TCG_TYPE_I32 ||
@@ -2332,7 +2333,11 @@
op->args[pi++] = (uintptr_t)info;
tcg_debug_assert(pi == total_args);
- QTAILQ_INSERT_TAIL(&tcg_ctx->ops, op, link);
+ if (tcg_ctx->emit_before_op) {
+ QTAILQ_INSERT_BEFORE(tcg_ctx->emit_before_op, op, link);
+ } else {
+ QTAILQ_INSERT_TAIL(&tcg_ctx->ops, op, link);
+ }
tcg_debug_assert(n_extend < ARRAY_SIZE(extend_free));
for (i = 0; i < n_extend; ++i) {
@@ -3215,7 +3220,12 @@
TCGOp *tcg_emit_op(TCGOpcode opc, unsigned nargs)
{
TCGOp *op = tcg_op_alloc(opc, nargs);
- QTAILQ_INSERT_TAIL(&tcg_ctx->ops, op, link);
+
+ if (tcg_ctx->emit_before_op) {
+ QTAILQ_INSERT_BEFORE(tcg_ctx->emit_before_op, op, link);
+ } else {
+ QTAILQ_INSERT_TAIL(&tcg_ctx->ops, op, link);
+ }
return op;
}
diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
index 0efd565..70d728a 100644
--- a/tests/tcg/aarch64/Makefile.target
+++ b/tests/tcg/aarch64/Makefile.target
@@ -10,7 +10,7 @@
# Base architecture tests
AARCH64_TESTS=fcvt pcalign-a64 lse2-fault
-AARCH64_TESTS += test-2248
+AARCH64_TESTS += test-2248 test-2150
fcvt: LDFLAGS+=-lm
diff --git a/tests/tcg/aarch64/test-2150.c b/tests/tcg/aarch64/test-2150.c
new file mode 100644
index 0000000..fb86c11
--- /dev/null
+++ b/tests/tcg/aarch64/test-2150.c
@@ -0,0 +1,12 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/* See https://gitlab.com/qemu-project/qemu/-/issues/2150 */
+
+int main()
+{
+ asm volatile(
+ "movi v6.4s, #1\n"
+ "movi v7.4s, #0\n"
+ "sub v6.2d, v7.2d, v6.2d\n"
+ : : : "v6", "v7");
+ return 0;
+}
diff --git a/tests/tcg/sh4/Makefile.target b/tests/tcg/sh4/Makefile.target
index 16eaa85..4d09291c 100644
--- a/tests/tcg/sh4/Makefile.target
+++ b/tests/tcg/sh4/Makefile.target
@@ -9,3 +9,11 @@
$(call skip-test, $<, "BROKEN")
run-plugin-signals-with-%:
$(call skip-test, $<, "BROKEN")
+
+VPATH += $(SRC_PATH)/tests/tcg/sh4
+
+test-macl: CFLAGS += -O -g
+TESTS += test-macl
+
+test-macw: CFLAGS += -O -g
+TESTS += test-macw
diff --git a/tests/tcg/sh4/test-macl.c b/tests/tcg/sh4/test-macl.c
new file mode 100644
index 0000000..b66c854
--- /dev/null
+++ b/tests/tcg/sh4/test-macl.c
@@ -0,0 +1,67 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#define MACL_S_MIN (-(1ll << 47))
+#define MACL_S_MAX ((1ll << 47) - 1)
+
+int64_t mac_l(int64_t mac, const int32_t *a, const int32_t *b)
+{
+ register uint32_t macl __asm__("macl") = mac;
+ register uint32_t mach __asm__("mach") = mac >> 32;
+
+ asm volatile("mac.l @%0+,@%1+"
+ : "+r"(a), "+r"(b), "+x"(macl), "+x"(mach));
+
+ return ((uint64_t)mach << 32) | macl;
+}
+
+typedef struct {
+ int64_t mac;
+ int32_t a, b;
+ int64_t res[2];
+} Test;
+
+__attribute__((noinline))
+void test(const Test *t, int sat)
+{
+ int64_t res;
+
+ if (sat) {
+ asm volatile("sets");
+ } else {
+ asm volatile("clrs");
+ }
+ res = mac_l(t->mac, &t->a, &t->b);
+
+ if (res != t->res[sat]) {
+ fprintf(stderr, "%#llx + (%#x * %#x) = %#llx -- got %#llx\n",
+ t->mac, t->a, t->b, t->res[sat], res);
+ abort();
+ }
+}
+
+int main()
+{
+ static const Test tests[] = {
+ { 0x00007fff12345678ll, INT32_MAX, INT32_MAX,
+ { 0x40007ffe12345679ll, MACL_S_MAX } },
+ { MACL_S_MIN, -1, 1,
+ { 0xffff7fffffffffffll, MACL_S_MIN } },
+ { INT64_MIN, -1, 1,
+ { INT64_MAX, MACL_S_MIN } },
+ { 0x00007fff00000000ll, INT32_MAX, INT32_MAX,
+ { 0x40007ffe00000001ll, MACL_S_MAX } },
+ { 4, 1, 2, { 6, 6 } },
+ { -4, -1, -2, { -2, -2 } },
+ };
+
+ for (int i = 0; i < sizeof(tests) / sizeof(tests[0]); ++i) {
+ for (int j = 0; j < 2; ++j) {
+ test(&tests[i], j);
+ }
+ }
+ return 0;
+}
diff --git a/tests/tcg/sh4/test-macw.c b/tests/tcg/sh4/test-macw.c
new file mode 100644
index 0000000..4eceec8
--- /dev/null
+++ b/tests/tcg/sh4/test-macw.c
@@ -0,0 +1,61 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+int64_t mac_w(int64_t mac, const int16_t *a, const int16_t *b)
+{
+ register uint32_t macl __asm__("macl") = mac;
+ register uint32_t mach __asm__("mach") = mac >> 32;
+
+ asm volatile("mac.w @%0+,@%1+"
+ : "+r"(a), "+r"(b), "+x"(macl), "+x"(mach));
+
+ return ((uint64_t)mach << 32) | macl;
+}
+
+typedef struct {
+ int64_t mac;
+ int16_t a, b;
+ int64_t res[2];
+} Test;
+
+__attribute__((noinline))
+void test(const Test *t, int sat)
+{
+ int64_t res;
+
+ if (sat) {
+ asm volatile("sets");
+ } else {
+ asm volatile("clrs");
+ }
+ res = mac_w(t->mac, &t->a, &t->b);
+
+ if (res != t->res[sat]) {
+ fprintf(stderr, "%#llx + (%#x * %#x) = %#llx -- got %#llx\n",
+ t->mac, t->a, t->b, t->res[sat], res);
+ abort();
+ }
+}
+
+int main()
+{
+ static const Test tests[] = {
+ { 0, 2, 3, { 6, 6 } },
+ { 0x123456787ffffffell, 2, -3,
+ { 0x123456787ffffff8ll, 0x123456787ffffff8ll } },
+ { 0xabcdef127ffffffall, 2, 3,
+ { 0xabcdef1280000000ll, 0x000000017fffffffll } },
+ { 0xfffffffffll, INT16_MAX, INT16_MAX,
+ { 0x103fff0000ll, 0xf3fff0000ll } },
+ };
+
+ for (int i = 0; i < sizeof(tests) / sizeof(tests[0]); ++i) {
+ for (int j = 0; j < 2; ++j) {
+ test(&tests[i], j);
+ }
+ }
+ return 0;
+}
