[Qemu-devel] [PATCH 1/9] ppc: Properly tag the translation cache based on MMU mode

[Qemu-devel] [PATCH 1/9] ppc: Properly tag the translation cache based on MMU mode

[Benjamin Herrenschmidt]

We used to always flush the TLB when changing relocation mode in
MSR:IR and MSR:DR (ie. MMU on/off for Instructions and Data).

We don't anymore since we have split mmu_idx for instruction and data.

However, since we hard code the mmu_idx in the translated code, we
now need to also make sure MSR:IR and MSR:DR are part of the hflags
used to tag translated code, so that we use different translated
code for different MMU settings.

Darwin gets hurt by this problem.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
---
 target-ppc/helper_regs.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-ppc/helper_regs.h b/target-ppc/helper_regs.h
index 12af61c..104b690 100644
--- a/target-ppc/helper_regs.h
+++ b/target-ppc/helper_regs.h
@@ -95,7 +95,7 @@ static inline void hreg_compute_hflags(CPUPPCState *env)
     /* We 'forget' FE0 & FE1: we'll never generate imprecise exceptions */
     hflags_mask = (1 << MSR_VR) | (1 << MSR_AP) | (1 << MSR_SA) |
         (1 << MSR_PR) | (1 << MSR_FP) | (1 << MSR_SE) | (1 << MSR_BE) |
-        (1 << MSR_LE) | (1 << MSR_VSX);
+        (1 << MSR_LE) | (1 << MSR_VSX) | (1 << MSR_IR) | (1 << MSR_DR);
     hflags_mask |= (1ULL << MSR_CM) | (1ULL << MSR_SF) | MSR_HVB;
     hreg_compute_mem_idx(env);
     env->hflags = env->msr & hflags_mask;
-- 
2.5.5

[Qemu-devel] [PATCH 2/9] ppc: Fix tlb invalidations on 6xx/7xx/7xxx 32-bit processors

[Benjamin Herrenschmidt]

The processor only uses some bits of the address and invalidates an
entire congruence class. Some OSes such as Darwin and HelenOS take
advantage of this and occasionally invalidate the entire TLB by just
doing a series of 64 consecutive tlbie for example.

Our code tries to be too smart here only invalidating a segment
congruence class (ie, allowing more address bits to be relevant
in the invalidation), this fails miserably on those OSes.

Instead don't bother, do like ppc64 and blow the whole tlb when tlbie
is executed.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
---
 target-ppc/mmu_helper.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/target-ppc/mmu_helper.c b/target-ppc/mmu_helper.c
index f5c4e69..a5e3878 100644
--- a/target-ppc/mmu_helper.c
+++ b/target-ppc/mmu_helper.c
@@ -1969,6 +1969,11 @@ void ppc_tlb_invalidate_one(CPUPPCState *env, target_ulong addr)
         /* XXX: this case should be optimized,
          * giving a mask to tlb_flush_page
          */
+        /* This is broken, some CPUs invalidate a whole congruence
+         * class on an even smaller subset of bits and some OSes take
+         * advantage of this. Just blow the whole thing away.
+         */
+#if 0
         tlb_flush_page(cs, addr | (0x0 << 28));
         tlb_flush_page(cs, addr | (0x1 << 28));
         tlb_flush_page(cs, addr | (0x2 << 28));
@@ -1985,6 +1990,9 @@ void ppc_tlb_invalidate_one(CPUPPCState *env, target_ulong addr)
         tlb_flush_page(cs, addr | (0xD << 28));
         tlb_flush_page(cs, addr | (0xE << 28));
         tlb_flush_page(cs, addr | (0xF << 28));
+#else
+        tlb_flush(cs, 1);
+#endif
         break;
 #if defined(TARGET_PPC64)
     case POWERPC_MMU_64B:
-- 
2.5.5

[Qemu-devel] [PATCH 3/9] ppc: Batch TLB flushes on 32-bit 6xx/7xx/7xxx in hash mode

[Benjamin Herrenschmidt]

This ports the existing 64-bit mechanism to 32-bit, thus series
of 64 tlbie's followed by a sync like some versions of Darwin
(ab)use will result in a single flush.

We apply a pending flush on any sync instruction though, as Darwin
doesn't use tlbsync on non-SMP systems.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
---
 target-ppc/cpu.h         |  2 +-
 target-ppc/helper_regs.h |  2 +-
 target-ppc/mmu_helper.c  | 44 ++++++++------------------------------------
 target-ppc/translate.c   | 27 +++++++++++++++++++++------
 4 files changed, 31 insertions(+), 44 deletions(-)

diff --git a/target-ppc/cpu.h b/target-ppc/cpu.h
index d8f8f7e..c2962d7 100644
--- a/target-ppc/cpu.h
+++ b/target-ppc/cpu.h
@@ -959,7 +959,6 @@ struct CPUPPCState {
     ppc_slb_t slb[MAX_SLB_ENTRIES];
     int32_t slb_nr;
     /* tcg TLB needs flush (deferred slb inval instruction typically) */
-    uint32_t tlb_need_flush;
 #endif
     /* segment registers */
     hwaddr htab_base;
@@ -985,6 +984,7 @@ struct CPUPPCState {
     target_ulong pb[4];
     bool tlb_dirty;   /* Set to non-zero when modifying TLB                  */
     bool kvm_sw_tlb;  /* non-zero if KVM SW TLB API is active                */
+    uint32_t tlb_need_flush; /* Delayed flush needed */
 #endif
 
     /* Other registers */
diff --git a/target-ppc/helper_regs.h b/target-ppc/helper_regs.h
index 104b690..8fc0934 100644
--- a/target-ppc/helper_regs.h
+++ b/target-ppc/helper_regs.h
@@ -151,7 +151,7 @@ static inline int hreg_store_msr(CPUPPCState *env, target_ulong value,
     return excp;
 }
 
-#if !defined(CONFIG_USER_ONLY) && defined(TARGET_PPC64)
+#if !defined(CONFIG_USER_ONLY)
 static inline void check_tlb_flush(CPUPPCState *env)
 {
     CPUState *cs = CPU(ppc_env_get_cpu(env));
diff --git a/target-ppc/mmu_helper.c b/target-ppc/mmu_helper.c
index a5e3878..485d5b8 100644
--- a/target-ppc/mmu_helper.c
+++ b/target-ppc/mmu_helper.c
@@ -1935,8 +1935,8 @@ void ppc_tlb_invalidate_all(CPUPPCState *env)
     case POWERPC_MMU_2_06a:
     case POWERPC_MMU_2_07:
     case POWERPC_MMU_2_07a:
-        env->tlb_need_flush = 0;
 #endif /* defined(TARGET_PPC64) */
+        env->tlb_need_flush = 0;
         tlb_flush(CPU(cpu), 1);
         break;
     default:
@@ -1949,9 +1949,6 @@ void ppc_tlb_invalidate_all(CPUPPCState *env)
 void ppc_tlb_invalidate_one(CPUPPCState *env, target_ulong addr)
 {
 #if !defined(FLUSH_ALL_TLBS)
-    PowerPCCPU *cpu = ppc_env_get_cpu(env);
-    CPUState *cs;
-
     addr &= TARGET_PAGE_MASK;
     switch (env->mmu_model) {
     case POWERPC_MMU_SOFT_6xx:
@@ -1963,36 +1960,12 @@ void ppc_tlb_invalidate_one(CPUPPCState *env, target_ulong addr)
         break;
     case POWERPC_MMU_32B:
     case POWERPC_MMU_601:
-        /* tlbie invalidate TLBs for all segments */
-        addr &= ~((target_ulong)-1ULL << 28);
-        cs = CPU(cpu);
-        /* XXX: this case should be optimized,
-         * giving a mask to tlb_flush_page
-         */
-        /* This is broken, some CPUs invalidate a whole congruence
-         * class on an even smaller subset of bits and some OSes take
-         * advantage of this. Just blow the whole thing away.
+        /* Actual CPUs invalidate entire congruence classes based on the
+         * geometry of their TLBs and some OSes take that into account,
+         * we just mark the TLB to be flushed later (context synchronizing
+         * event or sync instruction on 32-bit).
          */
-#if 0
-        tlb_flush_page(cs, addr | (0x0 << 28));
-        tlb_flush_page(cs, addr | (0x1 << 28));
-        tlb_flush_page(cs, addr | (0x2 << 28));
-        tlb_flush_page(cs, addr | (0x3 << 28));
-        tlb_flush_page(cs, addr | (0x4 << 28));
-        tlb_flush_page(cs, addr | (0x5 << 28));
-        tlb_flush_page(cs, addr | (0x6 << 28));
-        tlb_flush_page(cs, addr | (0x7 << 28));
-        tlb_flush_page(cs, addr | (0x8 << 28));
-        tlb_flush_page(cs, addr | (0x9 << 28));
-        tlb_flush_page(cs, addr | (0xA << 28));
-        tlb_flush_page(cs, addr | (0xB << 28));
-        tlb_flush_page(cs, addr | (0xC << 28));
-        tlb_flush_page(cs, addr | (0xD << 28));
-        tlb_flush_page(cs, addr | (0xE << 28));
-        tlb_flush_page(cs, addr | (0xF << 28));
-#else
-        tlb_flush(cs, 1);
-#endif
+        env->tlb_need_flush = 1;
         break;
 #if defined(TARGET_PPC64)
     case POWERPC_MMU_64B:
@@ -2058,13 +2031,12 @@ target_ulong helper_load_sr(CPUPPCState *env, target_ulong sr_num)
 
 void helper_store_sr(CPUPPCState *env, target_ulong srnum, target_ulong value)
 {
-    PowerPCCPU *cpu = ppc_env_get_cpu(env);
-
     qemu_log_mask(CPU_LOG_MMU,
             "%s: reg=%d " TARGET_FMT_lx " " TARGET_FMT_lx "\n", __func__,
             (int)srnum, value, env->sr[srnum]);
 #if defined(TARGET_PPC64)
     if (env->mmu_model & POWERPC_MMU_64) {
+        PowerPCCPU *cpu = ppc_env_get_cpu(env);
         uint64_t esid, vsid;
 
         /* ESID = srnum */
@@ -2093,7 +2065,7 @@ void helper_store_sr(CPUPPCState *env, target_ulong srnum, target_ulong value)
             }
         }
 #else
-        tlb_flush(CPU(cpu), 1);
+        env->tlb_need_flush = 1;
 #endif
     }
 }
diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index 7763431..ab5862f 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -193,6 +193,7 @@ struct DisasContext {
     uint32_t exception;
     /* Routine used to access memory */
     bool pr, hv;
+    bool lazy_tlb_flush;
     int mem_idx;
     int access_type;
     /* Translation flags */
@@ -3290,12 +3291,17 @@ static void gen_eieio(DisasContext *ctx)
 {
 }
 
-#if !defined(CONFIG_USER_ONLY) && defined(TARGET_PPC64)
+#if !defined(CONFIG_USER_ONLY)
 static inline void gen_check_tlb_flush(DisasContext *ctx)
 {
-    TCGv_i32 t = tcg_temp_new_i32();
-    TCGLabel *l = gen_new_label();
+    TCGv_i32 t;
+    TCGLabel *l;
 
+    if (!ctx->lazy_tlb_flush) {
+        return;
+    }
+    l = gen_new_label();
+    t = tcg_temp_new_i32();
     tcg_gen_ld_i32(t, cpu_env, offsetof(CPUPPCState, tlb_need_flush));
     tcg_gen_brcondi_i32(TCG_COND_EQ, t, 0, l);
     gen_helper_check_tlb_flush(cpu_env);
@@ -3475,10 +3481,14 @@ static void gen_sync(DisasContext *ctx)
     uint32_t l = (ctx->opcode >> 21) & 3;
 
     /*
-     * For l == 2, it's a ptesync, We need to check for a pending TLB flush.
-     * This can only happen in kernel mode however so check MSR_PR as well.
+     * We may need to check for a pending TLB flush.
+     *
+     * We do this on ptesync (l == 2) on ppc64 and any sync pn ppc32.
+     *
+     * Additionally, this can only happen in kernel mode however so
+     * check MSR_PR as well.
      */
-    if (l == 2 && !ctx->pr) {
+    if (((l == 2) || !(ctx->insns_flags & PPC_64B)) && !ctx->pr) {
         gen_check_tlb_flush(ctx);
     }
 }
@@ -11491,6 +11501,11 @@ void gen_intermediate_code(CPUPPCState *env, struct TranslationBlock *tb)
     ctx.sf_mode = msr_is_64bit(env, env->msr);
     ctx.has_cfar = !!(env->flags & POWERPC_FLAG_CFAR);
 #endif
+    if (env->mmu_model == POWERPC_MMU_32B ||
+        env->mmu_model == POWERPC_MMU_601 ||
+        (env->mmu_model & POWERPC_MMU_64B))
+            ctx.lazy_tlb_flush = true;
+
     ctx.fpu_enabled = msr_fp;
     if ((env->flags & POWERPC_FLAG_SPE) && msr_spe)
         ctx.spe_enabled = msr_spe;
-- 
2.5.5

[Qemu-devel] [PATCH 4/9] ppc: POWER7 had ACOP and PID registers

[Benjamin Herrenschmidt]

We only had them on POWER8, add them to POWER7 as well

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
---
 target-ppc/translate_init.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
index 55f8553..ad6f2f3 100644
--- a/target-ppc/translate_init.c
+++ b/target-ppc/translate_init.c
@@ -8024,6 +8024,21 @@ static void gen_spr_power8_book4(CPUPPCState *env)
 #endif
 }
 
+static void gen_spr_power7_book4(CPUPPCState *env)
+{
+    /* Add a number of P7 book4 registers */
+#if !defined(CONFIG_USER_ONLY)
+    spr_register_kvm(env, SPR_ACOP, "ACOP",
+                     SPR_NOACCESS, SPR_NOACCESS,
+                     &spr_read_generic, &spr_write_generic,
+                     KVM_REG_PPC_ACOP, 0);
+    spr_register_kvm(env, SPR_BOOKS_PID, "PID",
+                     SPR_NOACCESS, SPR_NOACCESS,
+                     &spr_read_generic, &spr_write_generic,
+                     KVM_REG_PPC_PID, 0);
+#endif
+}
+
 static void init_proc_book3s_64(CPUPPCState *env, int version)
 {
     gen_spr_ne_601(env);
@@ -8066,6 +8081,9 @@ static void init_proc_book3s_64(CPUPPCState *env, int version)
         gen_spr_power6_common(env);
         gen_spr_power6_dbg(env);
     }
+    if (version == BOOK3S_CPU_POWER7) {
+        gen_spr_power7_book4(env);
+    }
     if (version >= BOOK3S_CPU_POWER8) {
         gen_spr_power8_tce_address_control(env);
         gen_spr_power8_ids(env);
-- 
2.5.5

[Qemu-devel] [PATCH 5/9] ppc: POWER7 has lq/stq instructions and stq need to check ISA

[Benjamin Herrenschmidt]

The PPC_64BX instruction flag is used for a couple of newer
instructions currently on POWER8 but our implementation for
them works for POWER7 too (and already does the proper checking
of what is permitted) with one exception: stq needs to check
the ISA version.

This fixes the latter and add the instructions to POWER7

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
---
 target-ppc/translate.c      | 5 ++++-
 target-ppc/translate_init.c | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index ab5862f..b34289f 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -3047,10 +3047,13 @@ static void gen_std(DisasContext *ctx)
 
     rs = rS(ctx->opcode);
     if ((ctx->opcode & 0x3) == 0x2) { /* stq */
-
         bool legal_in_user_mode = (ctx->insns_flags2 & PPC2_LSQ_ISA207) != 0;
         bool le_is_supported = (ctx->insns_flags2 & PPC2_LSQ_ISA207) != 0;
 
+        if (!(ctx->insns_flags & PPC_64BX)) {
+            gen_inval_exception(ctx, POWERPC_EXCP_INVAL_INVAL);
+        }
+
         if (!legal_in_user_mode && ctx->pr) {
             gen_inval_exception(ctx, POWERPC_EXCP_PRIV_OPC);
             return;
diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
index ad6f2f3..a1db500 100644
--- a/target-ppc/translate_init.c
+++ b/target-ppc/translate_init.c
@@ -8377,7 +8377,7 @@ POWERPC_FAMILY(POWER7)(ObjectClass *oc, void *data)
                        PPC_CACHE | PPC_CACHE_ICBI | PPC_CACHE_DCBZ |
                        PPC_MEM_SYNC | PPC_MEM_EIEIO |
                        PPC_MEM_TLBIE | PPC_MEM_TLBSYNC |
-                       PPC_64B | PPC_64H | PPC_ALTIVEC |
+                       PPC_64B | PPC_64H | PPC_64BX | PPC_ALTIVEC |
                        PPC_SEGMENT_64B | PPC_SLBI |
                        PPC_POPCNTB | PPC_POPCNTWD;
     pcc->insns_flags2 = PPC2_VSX | PPC2_DFP | PPC2_DBRX | PPC2_ISA205 |
-- 
2.5.5

[Qemu-devel] [PATCH 6/9] ppc: Fix mtmsr decoding

[Benjamin Herrenschmidt]

We had code to handle the L bit in the opcode but we didn't
allow it in the decode mask.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
---
 target-ppc/translate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index b34289f..3255184 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -9944,7 +9944,7 @@ GEN_HANDLER(mtcrf, 0x1F, 0x10, 0x04, 0x00000801, PPC_MISC),
 #if defined(TARGET_PPC64)
 GEN_HANDLER(mtmsrd, 0x1F, 0x12, 0x05, 0x001EF801, PPC_64B),
 #endif
-GEN_HANDLER(mtmsr, 0x1F, 0x12, 0x04, 0x001FF801, PPC_MISC),
+GEN_HANDLER(mtmsr, 0x1F, 0x12, 0x04, 0x001EF801, PPC_MISC),
 GEN_HANDLER(mtspr, 0x1F, 0x13, 0x0E, 0x00000000, PPC_MISC),
 GEN_HANDLER(dcbf, 0x1F, 0x16, 0x02, 0x03C00001, PPC_CACHE),
 GEN_HANDLER(dcbi, 0x1F, 0x16, 0x0E, 0x03E00001, PPC_CACHE),
-- 
2.5.5

[Qemu-devel] [PATCH 7/9] ppc: Fix slbia decode

[Benjamin Herrenschmidt]

Since at least the 2.05 architecture, the slbia instruction takes an
IH field in the opcode to provide some control on the effect of the
slbia on the ERATs (level-1 TLB).

We can safely ignore it as we always flush the whole qemu TLB but
we should allow the bits in the decode.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
---
 target-ppc/translate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index 3255184..33a9223 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -9980,7 +9980,7 @@ GEN_HANDLER(tlbiel, 0x1F, 0x12, 0x08, 0x001F0001, PPC_MEM_TLBIE),
 GEN_HANDLER(tlbie, 0x1F, 0x12, 0x09, 0x001F0001, PPC_MEM_TLBIE),
 GEN_HANDLER(tlbsync, 0x1F, 0x16, 0x11, 0x03FFF801, PPC_MEM_TLBSYNC),
 #if defined(TARGET_PPC64)
-GEN_HANDLER(slbia, 0x1F, 0x12, 0x0F, 0x03FFFC01, PPC_SLBI),
+GEN_HANDLER(slbia, 0x1F, 0x12, 0x0F, 0x031FFC01, PPC_SLBI),
 GEN_HANDLER(slbie, 0x1F, 0x12, 0x0D, 0x03FF0001, PPC_SLBI),
 #endif
 GEN_HANDLER(eciwx, 0x1F, 0x16, 0x0D, 0x00000001, PPC_EXTERN),
-- 
2.5.5

[Qemu-devel] [PATCH 8/9] ppc: Add missing slbfee. instruction on ppc64 BookS processors

[Benjamin Herrenschmidt]

Used to lookup SLB entries by address, for some reason it was missing.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
---
 target-ppc/helper.h     |  1 +
 target-ppc/mmu-hash64.c | 30 ++++++++++++++++++++++++++++++
 target-ppc/translate.c  | 26 ++++++++++++++++++++++++++
 3 files changed, 57 insertions(+)

diff --git a/target-ppc/helper.h b/target-ppc/helper.h
index 0526322..f4410a8 100644
--- a/target-ppc/helper.h
+++ b/target-ppc/helper.h
@@ -550,6 +550,7 @@ DEF_HELPER_FLAGS_2(tlbiva, TCG_CALL_NO_RWG, void, env, tl)
 DEF_HELPER_FLAGS_3(store_slb, TCG_CALL_NO_RWG, void, env, tl, tl)
 DEF_HELPER_2(load_slb_esid, tl, env, tl)
 DEF_HELPER_2(load_slb_vsid, tl, env, tl)
+DEF_HELPER_2(find_slb_vsid, tl, env, tl)
 DEF_HELPER_FLAGS_1(slbia, TCG_CALL_NO_RWG, void, env)
 DEF_HELPER_FLAGS_2(slbie, TCG_CALL_NO_RWG, void, env, tl)
 #endif
diff --git a/target-ppc/mmu-hash64.c b/target-ppc/mmu-hash64.c
index ea6e99a..668da5e 100644
--- a/target-ppc/mmu-hash64.c
+++ b/target-ppc/mmu-hash64.c
@@ -219,6 +219,24 @@ static int ppc_load_slb_vsid(PowerPCCPU *cpu, target_ulong rb,
     return 0;
 }
 
+static int ppc_find_slb_vsid(PowerPCCPU *cpu, target_ulong rb,
+                             target_ulong *rt)
+{
+    CPUPPCState *env = &cpu->env;
+    ppc_slb_t *slb;
+
+    if (!msr_is_64bit(env, env->msr)) {
+        rb &= 0xffffffff;
+    }
+    slb = slb_lookup(cpu, rb);
+    if (slb == NULL) {
+        *rt = (target_ulong)-1ul;
+    } else {
+        *rt = slb->vsid;
+    }
+    return 0;
+}
+
 void helper_store_slb(CPUPPCState *env, target_ulong rb, target_ulong rs)
 {
     PowerPCCPU *cpu = ppc_env_get_cpu(env);
@@ -241,6 +259,18 @@ target_ulong helper_load_slb_esid(CPUPPCState *env, target_ulong rb)
     return rt;
 }
 
+target_ulong helper_find_slb_vsid(CPUPPCState *env, target_ulong rb)
+{
+    PowerPCCPU *cpu = ppc_env_get_cpu(env);
+    target_ulong rt = 0;
+
+    if (ppc_find_slb_vsid(cpu, rb, &rt) < 0) {
+        helper_raise_exception_err(env, POWERPC_EXCP_PROGRAM,
+                                   POWERPC_EXCP_INVAL);
+    }
+    return rt;
+}
+
 target_ulong helper_load_slb_vsid(CPUPPCState *env, target_ulong rb)
 {
     PowerPCCPU *cpu = ppc_env_get_cpu(env);
diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index 33a9223..a3de142 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -4847,6 +4847,31 @@ static void gen_slbmfev(DisasContext *ctx)
                              cpu_gpr[rB(ctx->opcode)]);
 #endif
 }
+
+static void gen_slbfee_(DisasContext *ctx)
+{
+#if defined(CONFIG_USER_ONLY)
+    gen_inval_exception(ctx, POWERPC_EXCP_PRIV_REG);
+#else
+    TCGLabel *l1, *l2;
+
+    if (unlikely(ctx->pr)) {
+        gen_inval_exception(ctx, POWERPC_EXCP_PRIV_REG);
+        return;
+    }
+    gen_helper_find_slb_vsid(cpu_gpr[rS(ctx->opcode)], cpu_env,
+                             cpu_gpr[rB(ctx->opcode)]);
+    l1 = gen_new_label();
+    l2 = gen_new_label();
+    tcg_gen_trunc_tl_i32(cpu_crf[0], cpu_so);
+    tcg_gen_brcondi_tl(TCG_COND_EQ, cpu_gpr[rS(ctx->opcode)], -1, l1);
+    tcg_gen_ori_i32(cpu_crf[0], cpu_crf[0], 1 << CRF_EQ);
+    tcg_gen_br(l2);
+    gen_set_label(l1);
+    tcg_gen_movi_tl(cpu_gpr[rS(ctx->opcode)], 0);
+    gen_set_label(l2);
+#endif
+}
 #endif /* defined(TARGET_PPC64) */
 
 /***                      Lookaside buffer management                      ***/
@@ -9972,6 +9997,7 @@ GEN_HANDLER2(mtsrin_64b, "mtsrin", 0x1F, 0x12, 0x07, 0x001F0001,
 GEN_HANDLER2(slbmte, "slbmte", 0x1F, 0x12, 0x0C, 0x001F0001, PPC_SEGMENT_64B),
 GEN_HANDLER2(slbmfee, "slbmfee", 0x1F, 0x13, 0x1C, 0x001F0001, PPC_SEGMENT_64B),
 GEN_HANDLER2(slbmfev, "slbmfev", 0x1F, 0x13, 0x1A, 0x001F0001, PPC_SEGMENT_64B),
+GEN_HANDLER2(slbfee_, "slbfee.", 0x1F, 0x13, 0x1E, 0x001F0000, PPC_SEGMENT_64B),
 #endif
 GEN_HANDLER(tlbia, 0x1F, 0x12, 0x0B, 0x03FFFC01, PPC_MEM_TLBIA),
 /* XXX Those instructions will need to be handled differently for
-- 
2.5.5

[Qemu-devel] [PATCH 9/9] ppc: Do not take exceptions on unknown SPRs in privileged mode

[Benjamin Herrenschmidt]

The architecture specifies that mtspr/mfspr on an unknown SPR number
should act as a nop in privileged mode.

I haven't removed the warning however as it can be useful for
diagnosing.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
---
 target-ppc/translate.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index a3de142..dd0ecc8 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -4351,7 +4351,10 @@ static inline void gen_op_mfspr(DisasContext *ctx)
             qemu_log("Trying to read invalid spr %d (0x%03x) at "
                      TARGET_FMT_lx "\n", sprn, sprn, ctx->nip - 4);
         }
-        gen_inval_exception(ctx, POWERPC_EXCP_INVAL_SPR);
+        /* Only generate an exception in user space, otherwise this is a nop */
+        if (ctx->pr) {
+            gen_inval_exception(ctx, POWERPC_EXCP_INVAL_SPR);
+        }
     }
 }
 
@@ -4503,7 +4506,11 @@ static void gen_mtspr(DisasContext *ctx)
         }
         fprintf(stderr, "Trying to write invalid spr %d (0x%03x) at "
                 TARGET_FMT_lx "\n", sprn, sprn, ctx->nip - 4);
-        gen_inval_exception(ctx, POWERPC_EXCP_INVAL_SPR);
+
+        /* Only generate an exception in user space, otherwise this is a nop */
+        if (ctx->pr) {
+            gen_inval_exception(ctx, POWERPC_EXCP_INVAL_SPR);
+        }
     }
 }
 
-- 
2.5.5

Re: [Qemu-devel] [Qemu-ppc] [PATCH 8/9] ppc: Add missing slbfee. instruction on ppc64 BookS processors

[Cédric Le Goater]

On 06/07/2016 04:50 AM, Benjamin Herrenschmidt wrote:
> Used to lookup SLB entries by address, for some reason it was missing.
> 
> Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
> ---
>  target-ppc/helper.h     |  1 +
>  target-ppc/mmu-hash64.c | 30 ++++++++++++++++++++++++++++++
>  target-ppc/translate.c  | 26 ++++++++++++++++++++++++++
>  3 files changed, 57 insertions(+)
> 
> diff --git a/target-ppc/helper.h b/target-ppc/helper.h
> index 0526322..f4410a8 100644
> --- a/target-ppc/helper.h
> +++ b/target-ppc/helper.h
> @@ -550,6 +550,7 @@ DEF_HELPER_FLAGS_2(tlbiva, TCG_CALL_NO_RWG, void, env, tl)
>  DEF_HELPER_FLAGS_3(store_slb, TCG_CALL_NO_RWG, void, env, tl, tl)
>  DEF_HELPER_2(load_slb_esid, tl, env, tl)
>  DEF_HELPER_2(load_slb_vsid, tl, env, tl)
> +DEF_HELPER_2(find_slb_vsid, tl, env, tl)
>  DEF_HELPER_FLAGS_1(slbia, TCG_CALL_NO_RWG, void, env)
>  DEF_HELPER_FLAGS_2(slbie, TCG_CALL_NO_RWG, void, env, tl)
>  #endif
> diff --git a/target-ppc/mmu-hash64.c b/target-ppc/mmu-hash64.c
> index ea6e99a..668da5e 100644
> --- a/target-ppc/mmu-hash64.c
> +++ b/target-ppc/mmu-hash64.c
> @@ -219,6 +219,24 @@ static int ppc_load_slb_vsid(PowerPCCPU *cpu, target_ulong rb,
>      return 0;
>  }
> 
> +static int ppc_find_slb_vsid(PowerPCCPU *cpu, target_ulong rb,
> +                             target_ulong *rt)
> +{
> +    CPUPPCState *env = &cpu->env;
> +    ppc_slb_t *slb;
> +
> +    if (!msr_is_64bit(env, env->msr)) {
> +        rb &= 0xffffffff;
> +    }
> +    slb = slb_lookup(cpu, rb);
> +    if (slb == NULL) {
> +        *rt = (target_ulong)-1ul;


So, I was trying today to reconciliate the powernv patchset with 
the current HEAD of qemu when I bumped into the old version of this 
patch. I checked the specs and when no slb are found, rt should 
just be 0. The machine check is only generated when multiple matching 
entries are found. So the above probably needs a fix, at least for 
the NULL case ? 

C.

> +    } else {
> +        *rt = slb->vsid;
> +    }
> +    return 0;
> +}
> +
>  void helper_store_slb(CPUPPCState *env, target_ulong rb, target_ulong rs)
>  {
>      PowerPCCPU *cpu = ppc_env_get_cpu(env);
> @@ -241,6 +259,18 @@ target_ulong helper_load_slb_esid(CPUPPCState *env, target_ulong rb)
>      return rt;
>  }
> 
> +target_ulong helper_find_slb_vsid(CPUPPCState *env, target_ulong rb)
> +{
> +    PowerPCCPU *cpu = ppc_env_get_cpu(env);
> +    target_ulong rt = 0;
> +
> +    if (ppc_find_slb_vsid(cpu, rb, &rt) < 0) {
> +        helper_raise_exception_err(env, POWERPC_EXCP_PROGRAM,
> +                                   POWERPC_EXCP_INVAL);
> +    }
> +    return rt;
> +}
> +
>  target_ulong helper_load_slb_vsid(CPUPPCState *env, target_ulong rb)
>  {
>      PowerPCCPU *cpu = ppc_env_get_cpu(env);
> diff --git a/target-ppc/translate.c b/target-ppc/translate.c
> index 33a9223..a3de142 100644
> --- a/target-ppc/translate.c
> +++ b/target-ppc/translate.c
> @@ -4847,6 +4847,31 @@ static void gen_slbmfev(DisasContext *ctx)
>                               cpu_gpr[rB(ctx->opcode)]);
>  #endif
>  }
> +
> +static void gen_slbfee_(DisasContext *ctx)
> +{
> +#if defined(CONFIG_USER_ONLY)
> +    gen_inval_exception(ctx, POWERPC_EXCP_PRIV_REG);
> +#else
> +    TCGLabel *l1, *l2;
> +
> +    if (unlikely(ctx->pr)) {
> +        gen_inval_exception(ctx, POWERPC_EXCP_PRIV_REG);
> +        return;
> +    }
> +    gen_helper_find_slb_vsid(cpu_gpr[rS(ctx->opcode)], cpu_env,
> +                             cpu_gpr[rB(ctx->opcode)]);
> +    l1 = gen_new_label();
> +    l2 = gen_new_label();
> +    tcg_gen_trunc_tl_i32(cpu_crf[0], cpu_so);
> +    tcg_gen_brcondi_tl(TCG_COND_EQ, cpu_gpr[rS(ctx->opcode)], -1, l1);
> +    tcg_gen_ori_i32(cpu_crf[0], cpu_crf[0], 1 << CRF_EQ);
> +    tcg_gen_br(l2);
> +    gen_set_label(l1);
> +    tcg_gen_movi_tl(cpu_gpr[rS(ctx->opcode)], 0);
> +    gen_set_label(l2);
> +#endif
> +}
>  #endif /* defined(TARGET_PPC64) */
> 
>  /***                      Lookaside buffer management                      ***/
> @@ -9972,6 +9997,7 @@ GEN_HANDLER2(mtsrin_64b, "mtsrin", 0x1F, 0x12, 0x07, 0x001F0001,
>  GEN_HANDLER2(slbmte, "slbmte", 0x1F, 0x12, 0x0C, 0x001F0001, PPC_SEGMENT_64B),
>  GEN_HANDLER2(slbmfee, "slbmfee", 0x1F, 0x13, 0x1C, 0x001F0001, PPC_SEGMENT_64B),
>  GEN_HANDLER2(slbmfev, "slbmfev", 0x1F, 0x13, 0x1A, 0x001F0001, PPC_SEGMENT_64B),
> +GEN_HANDLER2(slbfee_, "slbfee.", 0x1F, 0x13, 0x1E, 0x001F0000, PPC_SEGMENT_64B),
>  #endif
>  GEN_HANDLER(tlbia, 0x1F, 0x12, 0x0B, 0x03FFFC01, PPC_MEM_TLBIA),
>  /* XXX Those instructions will need to be handled differently for
> 

Re: [Qemu-devel] [Qemu-ppc] [PATCH 8/9] ppc: Add missing slbfee. instruction on ppc64 BookS processors

[Benjamin Herrenschmidt]

On Tue, 2016-07-05 at 19:23 +0200, Cédric Le Goater wrote:
> 
> 
> So, I was trying today to reconciliate the powernv patchset with 
> the current HEAD of qemu when I bumped into the old version of this 
> patch. I checked the specs and when no slb are found, rt should 
> just be 0. The machine check is only generated when multiple
> matching 
> entries are found. So the above probably needs a fix, at least for 
> the NULL case ? 

Yes the old patch was broken but I wrote (and already merged) a better
one since then. Check upstream qemu :-)

The -1 result is now handled in the JITed code to do the right thing
(well, afaik).

Cheers,
Ben.

Re: [Qemu-devel] [Qemu-ppc] [PATCH 8/9] ppc: Add missing slbfee. instruction on ppc64 BookS processors

[Cédric Le Goater]

On 07/06/2016 12:10 AM, Benjamin Herrenschmidt wrote:
> On Tue, 2016-07-05 at 19:23 +0200, Cédric Le Goater wrote:
>>
>>
>> So, I was trying today to reconciliate the powernv patchset with 
>> the current HEAD of qemu when I bumped into the old version of this 
>> patch. I checked the specs and when no slb are found, rt should 
>> just be 0. The machine check is only generated when multiple
>> matching 
>> entries are found. So the above probably needs a fix, at least for 
>> the NULL case ? 
> 
> Yes the old patch was broken but I wrote (and already merged) a better
> one since then. Check upstream qemu :-)

Yes much better :) I saw that when trying to apply the original powernv 
patchset on top of current qemu.
 
> The -1 result is now handled in the JITed code to do the right thing
> (well, afaik).

well, no. It should be a 0 when the slb is not found, and thus no 
machine check. That is how I understand : 

	The SLB is searched for an entry that matches the
	effective address specified by register RB. The search
	is performed as if it were being performed for purposes
	of address translation. That is, in order for a given entry
	to satisfy the search, the entry must be valid (V=1),
	(RB)0:63-s must equal SLBE[ESID0:63-s] (where 2s is
	the segment size selected by the B field in the entry),
	and RB39 must be equal to SLBTA. If exactly one
	matching entry is found, the contents of the B, VSID,
	Ks, Kp, N, L, C, TA, and LP fields of the entry are placed
	into register RT. If no matching entry is found, register
	RT is set to 0. If more than one matching entry is found,
	either one of the matching entries is used, as if it were
	the only matching entry, or a Machine Check occurs. If
	a Machine Check occurs, register RT, CR Field 0, and,
	in tags active mode, the FXCC are set to undefined values,
	and the description below of how this register and
	these fields are set does not apply.

but do we care that much in qemu ? May be the machine check is 
better to have.

Cheers,

C.

Re: [Qemu-devel] [Qemu-ppc] [PATCH 8/9] ppc: Add missing slbfee. instruction on ppc64 BookS processors

[Benjamin Herrenschmidt]

On Wed, 2016-07-06 at 08:57 +0200, Cédric Le Goater wrote:
> 
> > The -1 result is now handled in the JITed code to do the right
> thing
> > (well, afaik).
> 
> well, no. It should be a 0 when the slb is not found, and thus no 
> machine check. That is how I understand : 

Right, which is afaik what the current qemu code does no ?

The -1 isn't the function return, it's the pointer-argument
return, which goes into rT. This is then handled in the
generated code:

    gen_helper_find_slb_vsid(cpu_gpr[rS(ctx->opcode)], cpu_env,
                             cpu_gpr[rB(ctx->opcode)]);
    l1 = gen_new_label();
    l2 = gen_new_label();
    tcg_gen_trunc_tl_i32(cpu_crf[0], cpu_so);

We clear CR (except so)

    tcg_gen_brcondi_tl(TCG_COND_EQ, cpu_gpr[rS(ctx->opcode)], -1, l1);

We branch to l1 if rT is -1
 
    tcg_gen_ori_i32(cpu_crf[0], cpu_crf[0], 1 << CRF_EQ);

We set EQ if we didn't branch

    tcg_gen_br(l2);

Then go to l2 (skip the next bit)

    gen_set_label(l1);
    tcg_gen_movi_tl(cpu_gpr[rS(ctx->opcode)], 0);

We clear rS if it was -1

    gen_set_label(l2);

Re: [Qemu-devel] [Qemu-ppc] [PATCH 8/9] ppc: Add missing slbfee. instruction on ppc64 BookS processors

[Cédric Le Goater]

On 07/06/2016 09:24 AM, Benjamin Herrenschmidt wrote:
> On Wed, 2016-07-06 at 08:57 +0200, Cédric Le Goater wrote:
>>
>>> The -1 result is now handled in the JITed code to do the right
>> thing
>>> (well, afaik).
>>
>> well, no. It should be a 0 when the slb is not found, and thus no 
>> machine check. That is how I understand : 
> 
> Right, which is afaik what the current qemu code does no ?
> 
> The -1 isn't the function return, it's the pointer-argument
> return, which goes into rT. 

ah yes. the :

 *rt = (target_ulong)-1ul;

confused me.

> This is then handled in the generated code:
> 
>     gen_helper_find_slb_vsid(cpu_gpr[rS(ctx->opcode)], cpu_env,
>                              cpu_gpr[rB(ctx->opcode)]);
>     l1 = gen_new_label();
>     l2 = gen_new_label();
>     tcg_gen_trunc_tl_i32(cpu_crf[0], cpu_so);
> 
> We clear CR (except so)
> 
>     tcg_gen_brcondi_tl(TCG_COND_EQ, cpu_gpr[rS(ctx->opcode)], -1, l1);
> 
> We branch to l1 if rT is -1
>  
>     tcg_gen_ori_i32(cpu_crf[0], cpu_crf[0], 1 << CRF_EQ);
> 
> We set EQ if we didn't branch
> 
>     tcg_gen_br(l2);
> 
> Then go to l2 (skip the next bit)
> 
>     gen_set_label(l1);
>     tcg_gen_movi_tl(cpu_gpr[rS(ctx->opcode)], 0);
> 
> We clear rS if it was -1
> 
>     gen_set_label(l2);
> 

Thanks for the details, sorry for the noise :/

Are there any OSes using it ? 

C.

Re: [Qemu-devel] [Qemu-ppc] [PATCH 8/9] ppc: Add missing slbfee. instruction on ppc64 BookS processors

[Benjamin Herrenschmidt]

On Wed, 2016-07-06 at 09:53 +0200, Cédric Le Goater wrote:
> 
> Thanks for the details, sorry for the noise :/
> 
> Are there any OSes using it ? 

I initially found the problem with trying to run some AIX diag CD
images that were floating around ;-) I think I re-found it at some
point with some version of Darwin.

Cheers,
Ben.