summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2018-05-12slirp: clean up guestfwd command executionslirp-fixesPeter Wu3-126/+58
The previous guestfwd command execution functionality created a TCP socket for communication with the child. Besides being convoluted, this also had a practical performance issue: communications with the child process (e.g. netcat) could stall for 40ms due to delayed ack. As fork_exec has a lot of cruft (unused telnetd/pty code, whitespace issues, racy connect/accept logic) and a buffer overflow while building argv in the child ("guestfwd=tcp:0.0.0.0:80-cmd:$(printf %300s)"), just rewrite the whole thing to use socketpair with a local socket. Tested with a Windows 7 guest, using guestfwd (+netcat) to connect to a SMB server. Executing an installer from the share now does not take ages and a packet capture shows no 40ms latency in the guest. Signed-off-by: Peter Wu <peter@lekensteyn.nl>
2018-05-12slirp: fix memleak of guestfwd commandPeter Wu3-0/+18
Ensure that the command for the `-net user,smb=...` or `-net user,guestfwd=...-cmd:...` is freed. Reported by ASAN. Signed-off-by: Peter Wu <peter@lekensteyn.nl>
2018-05-11Merge remote-tracking branch 'remotes/rth/tags/cota-target-pull-request' ↵HEADmasterPeter Maydell21-1584/+1546
into staging * Fix all next_page checks for overflow. * Convert six targets to the translator loop. # gpg: Signature made Wed 09 May 2018 18:20:43 BST # gpg: using RSA key 64DF38E8AF7E215F # gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" # Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A 05C0 64DF 38E8 AF7E 215F * remotes/rth/tags/cota-target-pull-request: (28 commits) target/riscv: convert to TranslatorOps target/riscv: convert to DisasContextBase target/riscv: convert to DisasJumpType target/openrisc: convert to TranslatorOps target/openrisc: convert to DisasContextBase target/s390x: convert to TranslatorOps target/s390x: convert to DisasContextBase target/s390x: convert to DisasJumpType target/mips: convert to TranslatorOps target/mips: use *ctx for DisasContext target/mips: convert to DisasContextBase target/mips: convert to DisasJumpType target/mips: use lookup_and_goto_ptr on BS_STOP target/sparc: convert to TranslatorOps target/sparc: convert to DisasContextBase target/sparc: convert to DisasJumpType target/sh4: convert to TranslatorOps translator: merge max_insns into DisasContextBase target/mips: avoid integer overflow in next_page PC check target/s390x: avoid integer overflow in next_page PC check ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-05-11Merge remote-tracking branch 'remotes/rth/tags/tcg-next-pull-request' into ↵Peter Maydell3-4/+13
staging Queued TCG patches # gpg: Signature made Wed 09 May 2018 16:46:21 BST # gpg: using RSA key 64DF38E8AF7E215F # gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" # Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A 05C0 64DF 38E8 AF7E 215F * remotes/rth/tags/tcg-next-pull-request: tcg: Limit the number of ops in a TB tcg/i386: Fix dup_vec in non-AVX2 codepath Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-05-11target/m68k: Fix build Werror with gcc 8.0.1Richard Henderson1-2/+3
Fedora 28 ships with the released gcc 8. The Werror stems from the compiler finding a path through the second switch via a missing default case in which src1 is uninitialized, and not being able to prove that the missing default case is unreachable due to the first switch. Simplify the second switch to merge default with OS_LONG, which returns directly. This removes the unreachable path. Cc: Laurent Vivier <laurent@vivier.eu> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Laurent Vivier <laurent@vivier.eu> Message-id: 20180508185520.23757-1-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-05-10Merge remote-tracking branch ↵Peter Maydell2-5/+9
'remotes/riscv/tags/riscv-qemu-2.13-minor-fixes-3' into staging RISC-V: QEMU 2.13 Minor Fixes * Require libfdt when configuring for 'riscv*-softmmu' * Increase HTIF priority and allow zero base address # gpg: Signature made Wed 09 May 2018 11:15:33 BST # gpg: using DSA key 6BF1D7B357EF3E4F # gpg: Good signature from "Michael Clark <michaeljclark@mac.com>" # gpg: aka "Michael Clark <mjc@sifive.com>" # gpg: aka "Michael Clark <michael@metaparadigm.com>" # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 7C99 930E B17C D8BA 073D 5EFA 6BF1 D7B3 57EF 3E4F * remotes/riscv/tags/riscv-qemu-2.13-minor-fixes-3: riscv: requires libfdt riscv: htif: increase the priority of the htif subregion riscv: spike: allow base == 0 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-05-09target/riscv: convert to TranslatorOpsEmilio G. Cota1-78/+80
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Michael Clark <mjc@sifive.com> Cc: Palmer Dabbelt <palmer@sifive.com> Cc: Sagar Karandikar <sagark@eecs.berkeley.edu> Cc: Bastian Koppelmann <kbastian@mail.uni-paderborn.de> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/riscv: convert to DisasContextBaseEmilio G. Cota1-65/+64
Notes: - Did not convert {num,max}_insns, since the corresponding code will go away in the next patch. - ctx->pc becomes ctx->base.pc_next, and ctx->next_pc becomes ctx->pc_succ_insn. While at it, convert the remaining tb->cflags readers to tb_cflags(). Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Cc: Michael Clark <mjc@sifive.com> Cc: Palmer Dabbelt <palmer@sifive.com> Cc: Sagar Karandikar <sagark@eecs.berkeley.edu> Cc: Bastian Koppelmann <kbastian@mail.uni-paderborn.de> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/riscv: convert to DisasJumpTypeEmilio G. Cota1-44/+28
Reviewed-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Cc: Michael Clark <mjc@sifive.com> Cc: Palmer Dabbelt <palmer@sifive.com> Cc: Sagar Karandikar <sagark@eecs.berkeley.edu> Cc: Bastian Koppelmann <kbastian@mail.uni-paderborn.de> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/openrisc: convert to TranslatorOpsEmilio G. Cota1-84/+79
Notes: - Changed the num_insns test in insn_start to check for dc->base.num_insns > 1, since when tb_start is first called in a TB, base.num_insns is already set to 1. - Removed DISAS_NEXT from the switch in tb_stop; use DISAS_TOO_MANY instead. - Added an assert_not_reached on tb_stop for DISAS_NEXT and the default case. - Merged the two separate log_target_disas calls into the disas_log op. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Cc: Stafford Horne <shorne@gmail.com> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/openrisc: convert to DisasContextBaseEmilio G. Cota1-47/+46
While at it, set is_jmp to DISAS_NORETURN when generating an exception. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Cc: Stafford Horne <shorne@gmail.com> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/s390x: convert to TranslatorOpsEmilio G. Cota1-82/+80
Note: I looked into dropping dc->do_debug. However, I don't see an easy way to do it given that TOO_MANY is also valid when we just translate more than max_insns. Thus, the check for do_debug in "case DISAS_PC_CC_UPDATED" would still need additional state to know whether or not we came from breakpoint_check. Acked-by: Cornelia Huck <cohuck@redhat.com> Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Tested-by: David Hildenbrand <david@redhat.com> Cc: David Hildenbrand <david@redhat.com> Cc: Cornelia Huck <cohuck@redhat.com> Cc: Alexander Graf <agraf@suse.de> Cc: qemu-s390x@nongnu.org Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/s390x: convert to DisasContextBaseEmilio G. Cota1-72/+76
Notes: - Did not convert {num,max}_insns and is_jmp, since the corresponding code will go away in the next patch. - Avoided a checkpatch error in use_exit_tb. - As suggested by David, (1) Drop ctx.pc and use ctx.base.pc_next instead, and (2) Rename ctx.next_pc to ctx.pc_tmp and add a comment about it. Acked-by: Cornelia Huck <cohuck@redhat.com> Suggested-by: David Hildenbrand <david@redhat.com> Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Cc: David Hildenbrand <david@redhat.com> Cc: Cornelia Huck <cohuck@redhat.com> Cc: Alexander Graf <agraf@suse.de> Cc: qemu-s390x@nongnu.org Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/s390x: convert to DisasJumpTypeEmilio G. Cota1-635/+632
The only non-trivial modification is the use of DISAS_TOO_MANY in the same way is used by the generic translation loop. Acked-by: Cornelia Huck <cohuck@redhat.com> Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Cc: David Hildenbrand <david@redhat.com> Cc: Cornelia Huck <cohuck@redhat.com> Cc: Alexander Graf <agraf@suse.de> Cc: qemu-s390x@nongnu.org Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/mips: convert to TranslatorOpsEmilio G. Cota1-114/+113
Notes: - DISAS_TOO_MANY replaces the former "break" in the translation loop. However, care must be taken not to overwrite a previous condition in is_jmp; that's why in translate_insn we first check is_jmp and return if it's != DISAS_NEXT. - Added an assert in translate_insn, before exiting due to an exception, to make sure that is_jmp is set to DISAS_NORETURN (the exception generation function always sets it.) - Added an assert for the default case in is_jmp's switch. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Cc: Aurelien Jarno <aurelien@aurel32.net> Cc: Yongbok Kim <yongbok.kim@mips.com> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/mips: use *ctx for DisasContextEmilio G. Cota1-82/+83
No changes to the logic here; this is just to make the diff that follows easier to read. While at it, remove the unnecessary 'struct' in 'struct TranslationBlock'. Note that checkpatch complains with a false positive: ERROR: space prohibited after that '&' (ctx:WxW) #75: FILE: target/mips/translate.c:20220: + ctx->kscrexist = (env->CP0_Config4 >> CP0C4_KScrExist) & 0xff; ^ Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Cc: Aurelien Jarno <aurelien@aurel32.net> Cc: Yongbok Kim <yongbok.kim@mips.com> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/mips: convert to DisasContextBaseEmilio G. Cota1-171/+175
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Cc: Aurelien Jarno <aurelien@aurel32.net> Cc: Yongbok Kim <yongbok.kim@mips.com> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/mips: convert to DisasJumpTypeEmilio G. Cota1-95/+91
Notes: - BS_EXCP in generate_exception_err and after hen_helper_wait becomes DISAS_NORETURN, because we do not return after raising an exception. - Some uses of BS_EXCP are misleading in that they're used only as a "not BS_STOP" exit condition, i.e. they have nothing to do with an actual exception. For those cases, define and use DISAS_EXIT, which is clearer. With this and the above change, BS_EXCP goes away completely. - fix a comment typo (s/intetrupt/interrupt/). Suggested-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Cc: Aurelien Jarno <aurelien@aurel32.net> Cc: Yongbok Kim <yongbok.kim@mips.com> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/mips: use lookup_and_goto_ptr on BS_STOPEmilio G. Cota1-1/+2
The TB after BS_STOP is not fixed (e.g. helper_mtc0_hwrena changes hflags, which ends up changing the TB flags via cpu_get_tb_cpu_state). This requires a full lookup (i.e. with flags) via lookup_and_goto_ptr instead of gen_goto_tb, since the latter only looks at the PC for in-page goto's. Fix it. Reported-by: Richard Henderson <richard.henderson@linaro.org> Suggested-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/sparc: convert to TranslatorOpsEmilio G. Cota1-88/+86
Notes: - Moved the cross-page check from the end of translate_insn to init_disas_context. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Tested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Cc: Artyom Tarasenko <atar4qemu@gmail.com> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/sparc: convert to DisasContextBaseEmilio G. Cota1-47/+45
Notes: - pc and npc are left unmodified, since they can point to out-of-TB jump targets. - Got rid of last_pc in gen_intermediate_code(), using base.pc_next instead. Only update pc_next (1) on a breakpoint (so that tb->size includes the insn), and (2) after reading the current instruction from memory. This allows us to use base.pc_next in the BP check, which is what the translator loop does. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Cc: Artyom Tarasenko <atar4qemu@gmail.com> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/sparc: convert to DisasJumpTypeEmilio G. Cota1-12/+15
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Cc: Artyom Tarasenko <atar4qemu@gmail.com> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/sh4: convert to TranslatorOpsEmilio G. Cota1-85/+86
This was fairly straightforward since it had already been converted to DisasContextBase; just had to add TARGET_TOO_MANY to the switch in tb_stop. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Cc: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09translator: merge max_insns into DisasContextBaseEmilio G. Cota8-42/+27
While at it, use int for both num_insns and max_insns to make sure we have same-type comparisons. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Michael Clark <mjc@sifive.com> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/mips: avoid integer overflow in next_page PC checkEmilio G. Cota1-3/+3
If the PC is in the last page of the address space, next_page_start overflows to 0. Fix it. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Cc: Aurelien Jarno <aurelien@aurel32.net> Cc: Yongbok Kim <yongbok.kim@mips.com> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/s390x: avoid integer overflow in next_page PC checkEmilio G. Cota1-3/+3
If the PC is in the last page of the address space, next_page_start overflows to 0. Fix it. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: David Hildenbrand <david@redhat.com> Acked-by: Cornelia Huck <cohuck@redhat.com> Cc: Cornelia Huck <cohuck@redhat.com> Cc: Alexander Graf <agraf@suse.de> Cc: David Hildenbrand <david@redhat.com> Cc: qemu-s390x@nongnu.org Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/arm: avoid integer overflow in next_page PC checkEmilio G. Cota2-7/+6
If the PC is in the last page of the address space, next_page_start overflows to 0. Fix it. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Cc: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/microblaze: avoid integer overflow in next_page PC checkEmilio G. Cota1-3/+3
If the PC is in the last page of the address space, next_page_start overflows to 0. Fix it. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Cc: "Edgar E. Iglesias" <edgar.iglesias@gmail.com> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/tilegx: avoid integer overflow in next_page PC checkEmilio G. Cota1-2/+2
If the PC is in the last page of the address space, next_page_start overflows to 0. Fix it. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/unicore32: avoid integer overflow in next_page PC checkEmilio G. Cota1-3/+3
If the PC is in the last page of the address space, next_page_start overflows to 0. Fix it. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Cc: Guan Xuetao <gxt@mprc.pku.edu.cn> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/xtensa: avoid integer overflow in next_page PC checkEmilio G. Cota1-5/+4
If the PC is in the last page of the address space, next_page_start overflows to 0. Fix it. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Acked-by: Max Filippov <jcmvbkbc@gmail.com> Cc: Max Filippov <jcmvbkbc@gmail.com> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/lm32: avoid integer overflow in next_page PC checkEmilio G. Cota1-3/+3
If the PC is in the last page of the address space, next_page_start overflows to 0. Fix it. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Acked-by: Michael Walle <michael@walle.cc> Cc: Michael Walle <michael@walle.cc> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/cris: avoid integer overflow in next_page PC checkEmilio G. Cota1-3/+3
If the PC is in the last page of the address space, next_page_start overflows to 0. Fix it. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Cc: "Edgar E. Iglesias" <edgar.iglesias@gmail.com> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09target/riscv: avoid integer overflow in next_page PC checkEmilio G. Cota1-3/+3
If the PC is in the last page of the address space, next_page_start overflows to 0. Fix it. Reported-by: Richard Henderson <richard.henderson@linaro.org> Suggested-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Michael Clark <mjc@sifive.com> Acked-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de> Cc: Michael Clark <mjc@sifive.com> Cc: Palmer Dabbelt <palmer@sifive.com> Cc: Sagar Karandikar <sagark@eecs.berkeley.edu> Cc: Bastian Koppelmann <kbastian@mail.uni-paderborn.de> Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09tcg: Limit the number of ops in a TBRichard Henderson2-1/+10
In 6001f7729e12 we partially attempt to address the branch displacement overflow caused by 15fa08f845. However, gcc/testsuite/gcc.target/aarch64/advsimd-intrinsics/vqtbX.c is a testcase that contains a TB so large as to overflow anyway. The limit here of 8000 ops produces a maximum output TB size of 24112 bytes on a ppc64le host with that test case. This is still much less than the maximum forward branch distance of 32764 bytes. Cc: qemu-stable@nongnu.org Fixes: 15fa08f845 ("tcg: Dynamically allocate TCGOps") Reviewed-by: Laurent Vivier <laurent@vivier.eu> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09tcg/i386: Fix dup_vec in non-AVX2 codepathPeter Maydell1-3/+3
The VPUNPCKLD* instructions are all "non-destructive source", indicated by "NDS" in the encoding string in the x86 ISA manual. This means that they take two source operands, one of which is encoded in the VEX.vvvv field. We were incorrectly treating them as if they were destructive-source and passing 0 as the 'v' argument of tcg_out_vex_modrm(). This meant we were always using %xmm0 as one of the source operands, causing incorrect results if the register allocator happened to want to use something else. For instance the input AArch64 insn: DUP v26.16b, w21 which becomes TCG IR ops: dup_vec v128,e8,tmp2,x21 st_vec v128,e8,tmp2,env,$0xa40 was assembled to: 0x607c568c: c4 c1 7a 7e 86 e8 00 00 vmovq 0xe8(%r14), %xmm0 0x607c5694: 00 0x607c5695: c5 f9 60 c8 vpunpcklbw %xmm0, %xmm0, %xmm1 0x607c5699: c5 f9 61 c9 vpunpcklwd %xmm1, %xmm0, %xmm1 0x607c569d: c5 f9 70 c9 00 vpshufd $0, %xmm1, %xmm1 0x607c56a2: c4 c1 7a 7f 8e 40 0a 00 vmovdqu %xmm1, 0xa40(%r14) 0x607c56aa: 00 when the vpunpcklwd insn should be "%xmm1, %xmm1, %xmm1". This resulted in our incorrectly setting the output vector to q26=0000320000003200:0000320000003200 when given an input of x21 == 0000000002803200 rather than the expected all-zeroes. Pass the correct source register number to tcg_out_vex_modrm() for these insns. Fixes: 770c2fc7bb70804a Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20180504153431.5169-1-peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-05-09riscv: requires libfdtKONRAD Frederic1-1/+1
When compiling on a machine without libfdt installed the configure script should try to get libfdt from the git or should die because otherwise CONFIG_LIBFDT is not set and the build process end in an error in the link phase.. eg: hw/riscv/virt.o: In function `riscv_virt_board_init': qemu/src/hw/riscv/virt.c:317: undefined reference to `qemu_fdt_setprop_cell' qemu/src/hw/riscv/virt.c:319: undefined reference to `qemu_fdt_setprop_cell' qemu/src/hw/riscv/virt.c:345: undefined reference to `qemu_fdt_dumpdtb' collect2: error: ld returned 1 exit status make[1]: *** [qemu-system-riscv64] Error 1 make: *** [subdir-riscv64-softmmu] Error 2 Cc: qemu-stable@nongnu.org Reviewed-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Michael Clark <mjc@sifive.com> Signed-off-by: KONRAD Frederic <frederic.konrad@adacore.com> Signed-off-by: Michael Clark <mjc@sifive.com> Message-Id: <1525360636-18229-4-git-send-email-frederic.konrad@adacore.com>
2018-05-09riscv: htif: increase the priority of the htif subregionKONRAD Frederic1-2/+3
The htif device is supposed to be mapped over an other subregion. So increase its priority to one to avoid any conflict. Here is the output of info mtree: Before: (qemu) info mtree address-space: memory 0000000000000000-ffffffffffffffff (prio 0, i/o): system 0000000000000000-000000000000000f (prio 0, i/o): riscv.htif.uart 0000000000000000-0000000000011fff (prio 0, ram): riscv.spike.bootrom 0000000002000000-000000000200ffff (prio 0, i/o): riscv.sifive.clint 0000000080000000-0000000087ffffff (prio 0, ram): riscv.spike.ram address-space: I/O 0000000000000000-000000000000ffff (prio 0, i/o): io address-space: cpu-memory-0 0000000000000000-ffffffffffffffff (prio 0, i/o): system 0000000000000000-000000000000000f (prio 0, i/o): riscv.htif.uart 0000000000000000-0000000000011fff (prio 0, ram): riscv.spike.bootrom 0000000002000000-000000000200ffff (prio 0, i/o): riscv.sifive.clint 0000000080000000-0000000087ffffff (prio 0, ram): riscv.spike.ram After: (qemu) info mtree address-space: memory 0000000000000000-ffffffffffffffff (prio 0, i/o): system 0000000000000000-000000000000000f (prio 1, i/o): riscv.htif.uart 0000000000000000-0000000000011fff (prio 0, ram): riscv.spike.bootrom 0000000002000000-000000000200ffff (prio 0, i/o): riscv.sifive.clint 0000000080000000-0000000087ffffff (prio 0, ram): riscv.spike.ram address-space: I/O 0000000000000000-000000000000ffff (prio 0, i/o): io address-space: cpu-memory-0 0000000000000000-ffffffffffffffff (prio 0, i/o): system 0000000000000000-000000000000000f (prio 1, i/o): riscv.htif.uart 0000000000000000-0000000000011fff (prio 0, ram): riscv.spike.bootrom 0000000002000000-000000000200ffff (prio 0, i/o): riscv.sifive.clint 0000000080000000-0000000087ffffff (prio 0, ram): riscv.spike.ram Reviewed-by: Michael Clark <mjc@sifive.com> Signed-off-by: KONRAD Frederic <frederic.konrad@adacore.com> Signed-off-by: Michael Clark <mjc@sifive.com> Message-Id: <1525360636-18229-3-git-send-email-frederic.konrad@adacore.com>
2018-05-09riscv: spike: allow base == 0KONRAD Frederic1-2/+5
The sanity check on base doesn't allow htif to be mapped @0. Check if the symbol exists instead so we can map it where we want. Reviewed-by: Michael Clark <mjc@sifive.com> Signed-off-by: KONRAD Frederic <frederic.konrad@adacore.com> Signed-off-by: Michael Clark <mjc@sifive.com> Message-Id: <1525360636-18229-2-git-send-email-frederic.konrad@adacore.com>
2018-05-08Merge remote-tracking branch 'remotes/cody/tags/block-pull-request' into stagingPeter Maydell6-6/+181
# gpg: Signature made Tue 08 May 2018 16:18:22 BST # gpg: using RSA key BDBE7B27C0DE3057 # gpg: Good signature from "Jeffrey Cody <jcody@redhat.com>" # gpg: aka "Jeffrey Cody <jeff@codyprime.org>" # gpg: aka "Jeffrey Cody <codyprime@gmail.com>" # Primary key fingerprint: 9957 4B4D 3474 90E7 9D98 D624 BDBE 7B27 C0DE 3057 * remotes/cody/tags/block-pull-request: sheepdog: Fix sd_co_create_opts() memory leaks iotests: Add test for cancelling a mirror job block/mirror: Make cancel always cancel pre-READY block/mirror: honor ratelimit again Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-05-08sheepdog: Fix sd_co_create_opts() memory leaksKevin Wolf1-1/+3
Both the option string for the 'redundancy' option and the SheepdogRedundancy object that is created accordingly could be leaked in error paths. This fixes the memory leaks. Reported by Coverity (CID 1390614 and 1390641). Signed-off-by: Kevin Wolf <kwolf@redhat.com> Message-id: 20180503153509.22223-1-kwolf@redhat.com Reviewed-by: Jeff Cody <jcody@redhat.com> Signed-off-by: Jeff Cody <jcody@redhat.com>
2018-05-08iotests: Add test for cancelling a mirror jobMax Reitz3-0/+169
We already have an extensive mirror test (041) which does cover cancelling a mirror job, especially after it has emitted the READY event. However, it does not check what exact events are emitted after block-job-cancel is executed. More importantly, it does not use throttling to ensure that it covers the case of block-job-cancel before READY. It would be possible to add this case to 041, but considering it is already our largest test file, it makes sense to create a new file for these cases. Signed-off-by: Max Reitz <mreitz@redhat.com> Message-id: 20180501220509.14152-3-mreitz@redhat.com Signed-off-by: Jeff Cody <jcody@redhat.com>
2018-05-08block/mirror: Make cancel always cancel pre-READYMax Reitz1-1/+3
Commit b76e4458b1eb3c32e9824fe6aa51f67d2b251748 made the mirror block job respect block-job-cancel's @force flag: With that flag set, it would now always really cancel, even post-READY. Unfortunately, it had a side effect: Without that flag set, it would now never cancel, not even before READY. Considering that is an incompatible change and not noted anywhere in the commit or the description of block-job-cancel's @force parameter, this seems unintentional and we should revert to the previous behavior, which is to immediately cancel the job when block-job-cancel is called before source and target are in sync (i.e. before the READY event). Cc: qemu-stable@nongnu.org Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1572856 Reported-by: Yanan Fu <yfu@redhat.com> Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Message-id: 20180501220509.14152-2-mreitz@redhat.com Reviewed-by: Jeff Cody <jcody@redhat.com> Signed-off-by: Jeff Cody <jcody@redhat.com>
2018-05-08block/mirror: honor ratelimit againStefan Hajnoczi2-4/+6
Commit b76e4458b1eb3c32e9824fe6aa51f67d2b251748 ("block/mirror: change the semantic of 'force' of block-job-cancel") accidentally removed the ratelimit in the mirror job. Reintroduce the ratelimit but keep the block-job-cancel force=true behavior that was added in commit b76e4458b1eb3c32e9824fe6aa51f67d2b251748. Note that block_job_sleep_ns() returns immediately when the job is cancelled. Therefore it's safe to unconditionally call block_job_sleep_ns() - a cancelled job does not sleep. This commit fixes the non-deterministic qemu-iotests 185 output. The test relies on the ratelimit to make the job sleep until the 'quit' command is processed. Previously the job could complete before the 'quit' command was received since there was no ratelimit. Cc: Liang Li <liliang.opensource@gmail.com> Cc: Jeff Cody <jcody@redhat.com> Cc: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-id: 20180424123527.19168-1-stefanha@redhat.com Signed-off-by: Jeff Cody <jcody@redhat.com>
2018-05-08Merge remote-tracking branch ↵Peter Maydell19-358/+510
'remotes/ehabkost/tags/machine-next-pull-request' into staging Machine queue, 2018-05-07 * pc-dimm: factor out MemoryDevice (virtio-pmem and virtio-mem will make use of the new abstraction later) * scripts/device-crash-test: Removed fixed CAN entries # gpg: Signature made Mon 07 May 2018 18:01:42 BST # gpg: using RSA key 2807936F984DC5A6 # gpg: Good signature from "Eduardo Habkost <ehabkost@redhat.com>" # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF D1AA 2807 936F 984D C5A6 * remotes/ehabkost/tags/machine-next-pull-request: scripts/device-crash-test: Removed fixed CAN entries vl: allow 'maxmem' without 'slot' spapr: rename "hotplug memory" terminology to "device memory" pc: rename "hotplug memory" terminology to "device memory" machine: rename MemoryHotplugState to DeviceMemoryState pc-dimm: move actual plug/unplug of a memory region to MemoryDevice pc-dimm: factor out capacity and slot checks into MemoryDevice pc-dimm: factor out address search into MemoryDevice code pc-dimm: pass in the machine and to the MemoryHotplugState pc-dimm: no need to pass the memory region machine: make MemoryHotplugState accessible via the machine pc-dimm: factor out MemoryDevice interface Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-05-08Merge remote-tracking branch 'remotes/kraxel/tags/vga-20180507-pull-request' ↵Peter Maydell1-1/+2
into staging qxl: fix local renderer crash # gpg: Signature made Mon 07 May 2018 10:52:09 BST # gpg: using RSA key 4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/vga-20180507-pull-request: qxl: fix local renderer crash Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-05-08Merge remote-tracking branch ↵Peter Maydell17-318/+287
'remotes/riscv/tags/riscv-qemu-2.13-pull-20180506' into staging RISC-V: QEMU 2.13 Privileged ISA emulation updates Several code cleanups, minor specification conformance changes, fixes to make ROM read-only and add device-tree size checks. * Honour privileged ISA v1.10 counter enable CSRs. * Implements WARL behavior for CSRs that don't support writes * Past behavior of raising traps was non-conformant with the RISC-V Privileged ISA Specification v1.10. * Allow S-mode access to sstatus.MXR when priv ISA >= v1.10 * Sets mtval/stval to zero on exceptions without addresses * Past behavior of leaving the last value was non-conformant with the RISC-V Privileged ISA Specition v1.10. mtval/stval must be set on all exceptions; to zero if not supported. * Make ROMs read-only and implement device-tree size checks * Uses memory_region_init_rom and rom_add_blob_fixed_as * Adds hexidecimal instruction bytes to disassembly output. * Fixes missing break statement for rv128 disassembly. * Several code cleanups * Replacing hard-coded constants with enums * Dead-code elimination This is an incremental pull that contains 20 reviewed changes out of 38 changes currently queued in the qemu-2.13-for-upstream branch. # gpg: Signature made Sun 06 May 2018 00:27:37 BST # gpg: using DSA key 6BF1D7B357EF3E4F # gpg: Good signature from "Michael Clark <michaeljclark@mac.com>" # gpg: aka "Michael Clark <mjc@sifive.com>" # gpg: aka "Michael Clark <michael@metaparadigm.com>" # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 7C99 930E B17C D8BA 073D 5EFA 6BF1 D7B3 57EF 3E4F * remotes/riscv/tags/riscv-qemu-2.13-pull-20180506: RISC-V: Mark ROM read-only after copying in code RISC-V: No traps on writes to misa,minstret,mcycle RISC-V: Make mtvec/stvec ignore vectored traps RISC-V: Add mcycle/minstret support for -icount auto RISC-V: Use [ms]counteren CSRs when priv ISA >= v1.10 RISC-V: Allow S-mode mxr access when priv ISA >= v1.10 RISC-V: Clear mtval/stval on exceptions without info RISC-V: Hardwire satp to 0 for no-mmu case RISC-V: Update E and I extension order RISC-V: Remove erroneous comment from translate.c RISC-V: Remove EM_RISCV ELF_MACHINE indirection RISC-V: Make virt header comment title consistent RISC-V: Make some header guards more specific RISC-V: Fix missing break statement in disassembler RISC-V: Include instruction hex in disassembly RISC-V: Remove unused class definitions RISC-V: Remove identity_translate from load_elf RISC-V: Use ROM base address and size from memmap RISC-V: Make virt board description match spike RISC-V: Replace hardcoded constants with enum values Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-05-08Merge remote-tracking branch 'remotes/kraxel/tags/usb-20180507-pull-request' ↵Peter Maydell2-7/+15
into staging usb: fixes for mtp and host. # gpg: Signature made Mon 07 May 2018 10:44:26 BST # gpg: using RSA key 4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/usb-20180507-pull-request: usb-host: skip open on pending postload bh usb-mtp: Unconditionally check for the readonly bit usb-mtp: Add some NULL checks for issues pointed out by coverity Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-05-08ppc: e500: use g_strdup_printf() instead of snprintf()Greg Kurz1-16/+23
qemu-system-ppc fails to build with GCC 8.0.1: /home/hsp/src/qemu-master/hw/ppc/e500.c: In function ‘ppce500_load_device_tree’: /home/hsp/src/qemu-master/hw/ppc/e500.c:442:37: error: ‘/pic@’ directive output may be truncated writing 5 bytes into a region of size between 1 and 128 [-Werror=format-truncation=] snprintf(mpic, sizeof(mpic), "%s/pic@%llx", soc, MPC8544_MPIC_REGS_OFFSET); ^~~~~ In file included from /usr/include/stdio.h:862, from /home/hsp/src/qemu-master/include/qemu/osdep.h:68, from /home/hsp/src/qemu-master/hw/ppc/e500.c:17: /usr/include/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 11 and 138 bytes into a destination of size 128 return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ __bos (__s), __fmt, __va_arg_pack ()); ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /home/hsp/src/qemu-master/hw/ppc/e500.c:470:39: error: ‘/global-utilities@’ directive output may be truncated writing 18 bytes into a region of size between 1 and 128 [-Werror=format-truncation=] snprintf(gutil, sizeof(gutil), "%s/global-utilities@%llx", soc, ^~~~~~~~~~~~~~~~~~ In file included from /usr/include/stdio.h:862, from /home/hsp/src/qemu-master/include/qemu/osdep.h:68, from /home/hsp/src/qemu-master/hw/ppc/e500.c:17: /usr/include/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 24 and 151 bytes into a destination of size 128 return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ __bos (__s), __fmt, __va_arg_pack ()); ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /home/hsp/src/qemu-master/hw/ppc/e500.c:477:36: error: ‘/msi@’ directive output may be truncated writing 5 bytes into a region of size between 0 and 127 [-Werror=format-truncation=] snprintf(msi, sizeof(msi), "/%s/msi@%llx", soc, MPC8544_MSI_REGS_OFFSET); ^~~~~ In file included from /usr/include/stdio.h:862, from /home/hsp/src/qemu-master/include/qemu/osdep.h:68, from /home/hsp/src/qemu-master/hw/ppc/e500.c:17: /usr/include/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 12 and 139 bytes into a destination of size 128 return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ __bos (__s), __fmt, __va_arg_pack ()); ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fix this by converting e500 to use g_strdup_printf()+g_free() instead of snprintf(). This is done globally, even for call sites that don't break build, since this is the preferred practice in QEMU. Reported-by: Howard Spoelstra <hsp.cat7@gmail.com> Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Eric Blake <eblake@redhat.com> Message-id: 152568372989.443627.900708381919207053.stgit@bahia.lan Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-05-07scripts/device-crash-test: Removed fixed CAN entriesThomas Huth1-3/+0
The CAN device crashes have been fixed with the commit 089eac81e1d34d202471c0a023284f47f4c5f00e already. Signed-off-by: Thomas Huth <thuth@redhat.com> Message-Id: <1523900489-25950-1-git-send-email-thuth@redhat.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>