[PATCH v3 0/5] target/mips: Reintroduce the R5900 CPU

[PATCH v3 0/5] target/mips: Reintroduce the R5900 CPU

[Philippe Mathieu-Daudé]

I'm running out of time to address Richard's comments on the new
opcodes, so let's KISS and only fix RDHWR (after adding LQ/SQ).

Missing review: 3 & 5
- target/mips/tx79: Move RDHWR usermode kludge to trans_SQ()
- tests/tcg/mips: Test user mode DMULT for the R5900

Based-on: mips-next
Supersedes: <20210309145653.743937-1-f4bug@amsat.org>

Fredrik Noring (1):
  tests/tcg/mips: Test user mode DMULT for the R5900

Philippe Mathieu-Daudé (4):
  target/mips/tx79: Introduce LQ opcode (Load Quadword)
  target/mips/tx79: Introduce SQ opcode (Store Quadword)
  target/mips/tx79: Move RDHWR usermode kludge to trans_SQ()
  target/mips: Reintroduce the R5900 CPU

 target/mips/tx79.decode           | 12 ++++
 target/mips/translate.c           | 72 +-----------------------
 target/mips/tx79_translate.c      | 93 +++++++++++++++++++++++++++++++
 tests/tcg/mips/test-r5900-dmult.c | 40 +++++++++++++
 target/mips/cpu-defs.c.inc        | 59 ++++++++++++++++++++
 tests/tcg/mips/Makefile.target    | 11 +++-
 6 files changed, 214 insertions(+), 73 deletions(-)
 create mode 100644 tests/tcg/mips/test-r5900-dmult.c

-- 
2.26.2

[PATCH v3 1/5] target/mips/tx79: Introduce LQ opcode (Load Quadword)

[Philippe Mathieu-Daudé]

Introduce the LQ opcode (Load Quadword) and remove unreachable code.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20210214175912.732946-26-f4bug@amsat.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 target/mips/tx79.decode      |  8 ++++++++
 target/mips/translate.c      | 16 ++--------------
 target/mips/tx79_translate.c | 35 +++++++++++++++++++++++++++++++++++
 3 files changed, 45 insertions(+), 14 deletions(-)

diff --git a/target/mips/tx79.decode b/target/mips/tx79.decode
index 0f748b53a64..f1f17470a00 100644
--- a/target/mips/tx79.decode
+++ b/target/mips/tx79.decode
@@ -13,6 +13,8 @@
 
 &rtype           rs rt rd sa
 
+&itype           base rt offset
+
 ###########################################################################
 # Named instruction formats.  These are generally used to
 # reduce the amount of duplication between instruction patterns.
@@ -22,6 +24,8 @@
 @rs             ...... rs:5  ..... ..........  ......   &rtype rt=0 rd=0 sa=0
 @rd             ...... ..........  rd:5  ..... ......   &rtype rs=0 rt=0 sa=0
 
+@ldst            ...... base:5 rt:5 offset:16            &itype
+
 ###########################################################################
 
 MFHI1           011100 0000000000  ..... 00000 010000   @rd
@@ -37,3 +41,7 @@ PCPYLD          011100 ..... ..... ..... 01110 001001   @rs_rt_rd
 
 PCPYUD          011100 ..... ..... ..... 01110 101001   @rs_rt_rd
 PCPYH           011100 00000 ..... ..... 11011 101001   @rt_rd
+
+# SPECIAL
+
+LQ              011110 ..... ..... ................     @ldst
diff --git a/target/mips/translate.c b/target/mips/translate.c
index c518bf3963b..c822083f031 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -1167,7 +1167,6 @@ enum {
 
 enum {
     MMI_OPC_CLASS_MMI = 0x1C << 26,    /* Same as OPC_SPECIAL2 */
-    MMI_OPC_LQ        = 0x1E << 26,    /* Same as OPC_MSA */
     MMI_OPC_SQ        = 0x1F << 26,    /* Same as OPC_SPECIAL3 */
 };
 
@@ -24429,11 +24428,6 @@ static void decode_mmi(CPUMIPSState *env, DisasContext *ctx)
     }
 }
 
-static void gen_mmi_lq(CPUMIPSState *env, DisasContext *ctx)
-{
-    gen_reserved_instruction(ctx);    /* TODO: MMI_OPC_LQ */
-}
-
 static void gen_mmi_sq(DisasContext *ctx, int base, int rt, int offset)
 {
     gen_reserved_instruction(ctx);    /* TODO: MMI_OPC_SQ */
@@ -25332,14 +25326,8 @@ static bool decode_opc_legacy(CPUMIPSState *env, DisasContext *ctx)
             gen_compute_branch(ctx, op, 4, rs, rt, offset, 4);
         }
         break;
-    case OPC_MDMX: /* MMI_OPC_LQ */
-        if (ctx->insn_flags & INSN_R5900) {
-#if defined(TARGET_MIPS64)
-            gen_mmi_lq(env, ctx);
-#endif
-        } else {
-            /* MDMX: Not implemented. */
-        }
+    case OPC_MDMX:
+        /* MDMX: Not implemented. */
         break;
     case OPC_PCREL:
         check_insn(ctx, ISA_MIPS_R6);
diff --git a/target/mips/tx79_translate.c b/target/mips/tx79_translate.c
index ad83774b977..b5a9eb3de76 100644
--- a/target/mips/tx79_translate.c
+++ b/target/mips/tx79_translate.c
@@ -177,6 +177,41 @@ static bool trans_MTLO1(DisasContext *ctx, arg_rtype *a)
  * SQ      rt, offset(base)  Store Quadword
  */
 
+static bool trans_LQ(DisasContext *ctx, arg_itype *a)
+{
+    TCGv_i64 t0;
+    TCGv addr;
+
+    if (a->rt == 0) {
+        /* nop */
+        return true;
+    }
+
+    t0 = tcg_temp_new_i64();
+    addr = tcg_temp_new();
+
+    gen_base_offset_addr(ctx, addr, a->base, a->offset);
+    /*
+     * Clear least-significant four bits of the effective
+     * address, effectively creating an aligned address.
+     */
+    tcg_gen_andi_tl(addr, addr, ~0xf);
+
+    /* Lower half */
+    tcg_gen_qemu_ld_i64(t0, addr, ctx->mem_idx, MO_TEQ);
+    gen_store_gpr(t0, a->rt);
+
+    /* Upper half */
+    tcg_gen_addi_i64(addr, addr, 8);
+    tcg_gen_qemu_ld_i64(t0, addr, ctx->mem_idx, MO_TEQ);
+    gen_store_gpr_hi(t0, a->rt);
+
+    tcg_temp_free(t0);
+    tcg_temp_free(addr);
+
+    return true;
+}
+
 /*
  *     Multiply and Divide (19 instructions)
  *     -------------------------------------
-- 
2.26.2

[PATCH v3 2/5] target/mips/tx79: Introduce SQ opcode (Store Quadword)

[Philippe Mathieu-Daudé]

Introduce the SQ opcode (Store Quadword).

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20210214175912.732946-27-f4bug@amsat.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 target/mips/tx79.decode      |  1 +
 target/mips/tx79_translate.c | 27 +++++++++++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/target/mips/tx79.decode b/target/mips/tx79.decode
index f1f17470a00..0756b13149e 100644
--- a/target/mips/tx79.decode
+++ b/target/mips/tx79.decode
@@ -45,3 +45,4 @@ PCPYH           011100 00000 ..... ..... 11011 101001   @rt_rd
 # SPECIAL
 
 LQ              011110 ..... ..... ................     @ldst
+SQ              011111 ..... ..... ................     @ldst
diff --git a/target/mips/tx79_translate.c b/target/mips/tx79_translate.c
index b5a9eb3de76..d840dfdb9cc 100644
--- a/target/mips/tx79_translate.c
+++ b/target/mips/tx79_translate.c
@@ -212,6 +212,33 @@ static bool trans_LQ(DisasContext *ctx, arg_itype *a)
     return true;
 }
 
+static bool trans_SQ(DisasContext *ctx, arg_itype *a)
+{
+    TCGv_i64 t0 = tcg_temp_new_i64();
+    TCGv addr = tcg_temp_new();
+
+    gen_base_offset_addr(ctx, addr, a->base, a->offset);
+    /*
+     * Clear least-significant four bits of the effective
+     * address, effectively creating an aligned address.
+     */
+    tcg_gen_andi_tl(addr, addr, ~0xf);
+
+    /* Lower half */
+    gen_load_gpr(t0, a->rt);
+    tcg_gen_qemu_st_i64(t0, addr, ctx->mem_idx, MO_TEQ);
+
+    /* Upper half */
+    tcg_gen_addi_i64(addr, addr, 8);
+    gen_load_gpr_hi(t0, a->rt);
+    tcg_gen_qemu_st_i64(t0, addr, ctx->mem_idx, MO_TEQ);
+
+    tcg_temp_free(addr);
+    tcg_temp_free(t0);
+
+    return true;
+}
+
 /*
  *     Multiply and Divide (19 instructions)
  *     -------------------------------------
-- 
2.26.2

[PATCH v3 3/5] target/mips/tx79: Move RDHWR usermode kludge to trans_SQ()

[Philippe Mathieu-Daudé]

Now than SQ is properly implemented, we can move the RDHWR
kludge required to have usermode working with recent glibc.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
v2: { RDHWR_user } (rth)

Fredrik, I'm not understanding fully your discussion with Maciej:
https://www.mail-archive.com/qemu-devel@nongnu.org/msg783053.html
So any help welcome to get your patch merged into mainstream.
---
 target/mips/tx79.decode      |  5 +++-
 target/mips/translate.c      | 56 ------------------------------------
 target/mips/tx79_translate.c | 31 ++++++++++++++++++++
 3 files changed, 35 insertions(+), 57 deletions(-)

diff --git a/target/mips/tx79.decode b/target/mips/tx79.decode
index 0756b13149e..25ddaa92bbd 100644
--- a/target/mips/tx79.decode
+++ b/target/mips/tx79.decode
@@ -45,4 +45,7 @@ PCPYH           011100 00000 ..... ..... 11011 101001   @rt_rd
 # SPECIAL
 
 LQ              011110 ..... ..... ................     @ldst
-SQ              011111 ..... ..... ................     @ldst
+{
+  RDHWR_user    011111 00000 ..... ..... 00000 111011   @rt_rd
+  SQ            011111 ..... ..... ................     @ldst
+}
diff --git a/target/mips/translate.c b/target/mips/translate.c
index c822083f031..671c67f5fc7 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -1167,7 +1167,6 @@ enum {
 
 enum {
     MMI_OPC_CLASS_MMI = 0x1C << 26,    /* Same as OPC_SPECIAL2 */
-    MMI_OPC_SQ        = 0x1F << 26,    /* Same as OPC_SPECIAL3 */
 };
 
 /*
@@ -24428,53 +24427,6 @@ static void decode_mmi(CPUMIPSState *env, DisasContext *ctx)
     }
 }
 
-static void gen_mmi_sq(DisasContext *ctx, int base, int rt, int offset)
-{
-    gen_reserved_instruction(ctx);    /* TODO: MMI_OPC_SQ */
-}
-
-/*
- * The TX79-specific instruction Store Quadword
- *
- * +--------+-------+-------+------------------------+
- * | 011111 |  base |   rt  |           offset       | SQ
- * +--------+-------+-------+------------------------+
- *      6       5       5                 16
- *
- * has the same opcode as the Read Hardware Register instruction
- *
- * +--------+-------+-------+-------+-------+--------+
- * | 011111 | 00000 |   rt  |   rd  | 00000 | 111011 | RDHWR
- * +--------+-------+-------+-------+-------+--------+
- *      6       5       5       5       5        6
- *
- * that is required, trapped and emulated by the Linux kernel. However, all
- * RDHWR encodings yield address error exceptions on the TX79 since the SQ
- * offset is odd. Therefore all valid SQ instructions can execute normally.
- * In user mode, QEMU must verify the upper and lower 11 bits to distinguish
- * between SQ and RDHWR, as the Linux kernel does.
- */
-static void decode_mmi_sq(CPUMIPSState *env, DisasContext *ctx)
-{
-    int base = extract32(ctx->opcode, 21, 5);
-    int rt = extract32(ctx->opcode, 16, 5);
-    int offset = extract32(ctx->opcode, 0, 16);
-
-#ifdef CONFIG_USER_ONLY
-    uint32_t op1 = MASK_SPECIAL3(ctx->opcode);
-    uint32_t op2 = extract32(ctx->opcode, 6, 5);
-
-    if (base == 0 && op2 == 0 && op1 == OPC_RDHWR) {
-        int rd = extract32(ctx->opcode, 11, 5);
-
-        gen_rdhwr(ctx, rt, rd, 0);
-        return;
-    }
-#endif
-
-    gen_mmi_sq(ctx, base, rt, offset);
-}
-
 #endif
 
 static void decode_opc_special3(CPUMIPSState *env, DisasContext *ctx)
@@ -24664,15 +24616,7 @@ static bool decode_opc_legacy(CPUMIPSState *env, DisasContext *ctx)
         decode_opc_special2_legacy(env, ctx);
         break;
     case OPC_SPECIAL3:
-#if defined(TARGET_MIPS64)
-        if (ctx->insn_flags & INSN_R5900) {
-            decode_mmi_sq(env, ctx);    /* MMI_OPC_SQ */
-        } else {
-            decode_opc_special3(env, ctx);
-        }
-#else
         decode_opc_special3(env, ctx);
-#endif
         break;
     case OPC_REGIMM:
         op1 = MASK_REGIMM(ctx->opcode);
diff --git a/target/mips/tx79_translate.c b/target/mips/tx79_translate.c
index d840dfdb9cc..3b1ef05e95b 100644
--- a/target/mips/tx79_translate.c
+++ b/target/mips/tx79_translate.c
@@ -239,6 +239,37 @@ static bool trans_SQ(DisasContext *ctx, arg_itype *a)
     return true;
 }
 
+/*
+ * The TX79-specific instruction Store Quadword
+ *
+ * +--------+-------+-------+------------------------+
+ * | 011111 |  base |   rt  |           offset       | SQ
+ * +--------+-------+-------+------------------------+
+ *      6       5       5                 16
+ *
+ * has the same opcode as the Read Hardware Register instruction
+ *
+ * +--------+-------+-------+-------+-------+--------+
+ * | 011111 | 00000 |   rt  |   rd  | 00000 | 111011 | RDHWR
+ * +--------+-------+-------+-------+-------+--------+
+ *      6       5       5       5       5        6
+ *
+ * that is required, trapped and emulated by the Linux kernel. However, all
+ * RDHWR encodings yield address error exceptions on the TX79 since the SQ
+ * offset is odd. Therefore all valid SQ instructions can execute normally.
+ * In user mode, QEMU must verify the upper and lower 11 bits to distinguish
+ * between SQ and RDHWR, as the Linux kernel does.
+ */
+static bool trans_RDHWR_user(DisasContext *ctx, arg_rtype *a)
+{
+#if defined(CONFIG_USER_ONLY)
+    gen_rdhwr(ctx, a->rt, a->rd, 0);
+    return true;
+#else
+    return false;
+#endif
+}
+
 /*
  *     Multiply and Divide (19 instructions)
  *     -------------------------------------
-- 
2.26.2

[PATCH v3 4/5] target/mips: Reintroduce the R5900 CPU

[Philippe Mathieu-Daudé]

Now that we have the minimum prerequisites to support the
R5900 CPU, we can reintroduce it.

While we are reverting commit 823f2897bdd ("Disable R5900
support"), we effectively cherry-pick commit ed4f49ba9bb
("target/mips: Define the R5900 CPU").

This reverts commit 823f2897bdd78185f3ba33292a25105ba8bad1b5.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20210214175912.732946-31-f4bug@amsat.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 target/mips/cpu-defs.c.inc | 59 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/target/mips/cpu-defs.c.inc b/target/mips/cpu-defs.c.inc
index e03b2a998cd..1a73b5409f0 100644
--- a/target/mips/cpu-defs.c.inc
+++ b/target/mips/cpu-defs.c.inc
@@ -411,6 +411,65 @@ const mips_def_t mips_defs[] =
         .insn_flags = CPU_MIPS32R5,
         .mmu_type = MMU_TYPE_R4000,
     },
+    {
+        /*
+         * The Toshiba TX System RISC TX79 Core Architecture manual
+         *
+         * https://wiki.qemu.org/File:C790.pdf
+         *
+         * describes the C790 processor that is a follow-up to the R5900.
+         * There are a few notable differences in that the R5900 FPU
+         *
+         * - is not IEEE 754-1985 compliant,
+         * - does not implement double format, and
+         * - its machine code is nonstandard.
+         */
+        .name = "R5900",
+        .CP0_PRid = 0x00002E00,
+        /* No L2 cache, icache size 32k, dcache size 32k, uncached coherency. */
+        .CP0_Config0 = (0x3 << 9) | (0x3 << 6) | (0x2 << CP0C0_K0),
+        .CP0_Status_rw_bitmask = 0xF4C79C1F,
+#ifdef CONFIG_USER_ONLY
+        /*
+         * R5900 hardware traps to the Linux kernel for IEEE 754-1985 and LL/SC
+         * emulation. For user only, QEMU is the kernel, so we emulate the traps
+         * by simply emulating the instructions directly.
+         *
+         * Note: Config1 is only used internally, the R5900 has only Config0.
+         */
+        .CP0_Config1 = (1 << CP0C1_FP) | (47 << CP0C1_MMU),
+        .CP0_LLAddr_rw_bitmask = 0xFFFFFFFF,
+        .CP0_LLAddr_shift = 4,
+        .CP1_fcr0 = (0x38 << FCR0_PRID) | (0x0 << FCR0_REV),
+        .CP1_fcr31 = 0,
+        .CP1_fcr31_rw_bitmask = 0x0183FFFF,
+#else
+        /*
+         * The R5900 COP1 FPU implements single-precision floating-point
+         * operations but is not entirely IEEE 754-1985 compatible. In
+         * particular,
+         *
+         * - NaN (not a number) and +/- infinities are not supported;
+         * - exception mechanisms are not fully supported;
+         * - denormalized numbers are not supported;
+         * - rounding towards nearest and +/- infinities are not supported;
+         * - computed results usually differs in the least significant bit;
+         * - saturations can differ more than the least significant bit.
+         *
+         * Since only rounding towards zero is supported, the two least
+         * significant bits of FCR31 are hardwired to 01.
+         *
+         * FPU emulation is disabled here until it is implemented.
+         *
+         * Note: Config1 is only used internally, the R5900 has only Config0.
+         */
+        .CP0_Config1 = (47 << CP0C1_MMU),
+#endif /* !CONFIG_USER_ONLY */
+        .SEGBITS = 32,
+        .PABITS = 32,
+        .insn_flags = CPU_MIPS3 | INSN_R5900 | ASE_MMI,
+        .mmu_type = MMU_TYPE_R4000,
+    },
     {
         /* A generic CPU supporting MIPS32 Release 6 ISA.
            FIXME: Support IEEE 754-2008 FP.
-- 
2.26.2

[PATCH v3 5/5] tests/tcg/mips: Test user mode DMULT for the R5900

[Philippe Mathieu-Daudé]

From: Fredrik Noring <noring@nocrew.org>

The R5900 reports itself as MIPS III but does not implement DMULT.
Verify that DMULT is emulated properly in user mode by multiplying
two 64-bit numbers to produce a 128-bit number.

Signed-off-by: Fredrik Noring <noring@nocrew.org>
Message-Id: <b04427024562b10c852a5519b57033e094fcdc3b.1541701393.git.noring@nocrew.org>
[PMD: Moved to tests/tcg/mips/]
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 tests/tcg/mips/test-r5900-dmult.c | 40 +++++++++++++++++++++++++++++++
 tests/tcg/mips/Makefile.target    | 11 ++++++---
 2 files changed, 48 insertions(+), 3 deletions(-)
 create mode 100644 tests/tcg/mips/test-r5900-dmult.c

diff --git a/tests/tcg/mips/test-r5900-dmult.c b/tests/tcg/mips/test-r5900-dmult.c
new file mode 100644
index 00000000000..2827ab5358f
--- /dev/null
+++ b/tests/tcg/mips/test-r5900-dmult.c
@@ -0,0 +1,40 @@
+/*
+ * Test DMULT.
+ */
+
+#include <stdio.h>
+#include <inttypes.h>
+#include <assert.h>
+
+struct hi_lo { int64_t hi; uint64_t lo; };
+
+static struct hi_lo dmult(int64_t rs, int64_t rt)
+{
+    int64_t hi;
+    uint64_t lo;
+
+    /*
+     * The R5900 reports itself as MIPS III but does not implement DMULT.
+     * Verify that DMULT is emulated properly in user mode.
+     */
+    __asm__ __volatile__ (
+            "    .set  mips3\n"
+            "    dmult %2, %3\n"
+            "    mfhi  %0\n"
+            "    mflo  %1\n"
+            : "=r" (hi), "=r" (lo)
+            : "r" (rs), "r" (rt));
+
+    return (struct hi_lo) { .hi = hi, .lo = lo };
+}
+
+int main()
+{
+    /* Verify that multiplying two 64-bit numbers yields a 128-bit number. */
+    struct hi_lo r = dmult(2760727302517, 5665449960167);
+
+    assert(r.hi == 847887);
+    assert(r.lo == 7893651516417804947);
+
+    return 0;
+}
diff --git a/tests/tcg/mips/Makefile.target b/tests/tcg/mips/Makefile.target
index 1a994d5525e..59e9d6fb76a 100644
--- a/tests/tcg/mips/Makefile.target
+++ b/tests/tcg/mips/Makefile.target
@@ -11,9 +11,14 @@ VPATH 		+= $(MIPS_SRC)
 # hello-mips is 32 bit only
 ifeq ($(findstring 64,$(TARGET_NAME)),)
 MIPS_TESTS=hello-mips
-
-TESTS += $(MIPS_TESTS)
-
 hello-mips: CFLAGS+=-mno-abicalls -fno-PIC -mabi=32
 hello-mips: LDFLAGS+=-nostdlib
 endif
+
+# r5900 is only 64 bit little-endian
+ifneq ($(findstring 64el,$(TARGET_NAME)),)
+MIPS_TESTS += test-r5900-dmult
+test-r5900-dmult: CFLAGS += -mabi=n32 -march=r5900
+endif
+
+TESTS += $(MIPS_TESTS)
-- 
2.26.2

Re: [PATCH v3 3/5] target/mips/tx79: Move RDHWR usermode kludge to trans_SQ()

[Fredrik Noring]

On Friday, 12 March 2021, Philippe Mathieu-Daudé wrote:
> Now than SQ is properly implemented, we can move the RDHWR
> kludge required to have usermode working with recent glibc.
> 
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
> v2: { RDHWR_user } (rth)
> 
> Fredrik, I'm not understanding fully your discussion with Maciej:
> https://www.mail-archive.com/qemu-devel@nongnu.org/msg783053.html
> So any help welcome to get your patch merged into mainstream.

So the most important change is that rd is always $29 which for SQ
always corresponds to -6085(zero). Other values of rd are ignored,
as they were not intended to be used although the Linux kernel has
some code for a few cases as Maciej explained.

> ---
>  target/mips/tx79.decode      |  5 +++-
>  target/mips/translate.c      | 56 ------------------------------------
>  target/mips/tx79_translate.c | 31 ++++++++++++++++++++
>  3 files changed, 35 insertions(+), 57 deletions(-)
> 
> diff --git a/target/mips/tx79.decode b/target/mips/tx79.decode
> index 0756b13149e..25ddaa92bbd 100644
> --- a/target/mips/tx79.decode
> +++ b/target/mips/tx79.decode
> @@ -45,4 +45,7 @@ PCPYH           011100 00000 ..... ..... 11011 101001   @rt_rd
>  # SPECIAL
>  
>  LQ              011110 ..... ..... ................     @ldst
> -SQ              011111 ..... ..... ................     @ldst
> +{
> +  RDHWR_user    011111 00000 ..... ..... 00000 111011   @rt_rd
                                      ^^^^^
I assume that the "rd" field would be 11101 here? Notice that the
highest bit is set, which explains why the SQ offset is negative and
why that last rather than the first (null) page is referenced.

> +  SQ            011111 ..... ..... ................     @ldst
> +}
> diff --git a/target/mips/translate.c b/target/mips/translate.c
> index c822083f031..671c67f5fc7 100644
> --- a/target/mips/translate.c
> +++ b/target/mips/translate.c
> @@ -1167,7 +1167,6 @@ enum {
>  
>  enum {
>      MMI_OPC_CLASS_MMI = 0x1C << 26,    /* Same as OPC_SPECIAL2 */
> -    MMI_OPC_SQ        = 0x1F << 26,    /* Same as OPC_SPECIAL3 */
>  };
>  
>  /*
> @@ -24428,53 +24427,6 @@ static void decode_mmi(CPUMIPSState *env, DisasContext *ctx)
>      }
>  }
>  
> -static void gen_mmi_sq(DisasContext *ctx, int base, int rt, int offset)
> -{
> -    gen_reserved_instruction(ctx);    /* TODO: MMI_OPC_SQ */
> -}
> -
> -/*
> - * The TX79-specific instruction Store Quadword
> - *
> - * +--------+-------+-------+------------------------+
> - * | 011111 |  base |   rt  |           offset       | SQ
> - * +--------+-------+-------+------------------------+
> - *      6       5       5                 16
> - *
> - * has the same opcode as the Read Hardware Register instruction
> - *
> - * +--------+-------+-------+-------+-------+--------+
> - * | 011111 | 00000 |   rt  |   rd  | 00000 | 111011 | RDHWR
> - * +--------+-------+-------+-------+-------+--------+
> - *      6       5       5       5       5        6
> - *
> - * that is required, trapped and emulated by the Linux kernel. However, all
> - * RDHWR encodings yield address error exceptions on the TX79 since the SQ
> - * offset is odd. Therefore all valid SQ instructions can execute normally.
> - * In user mode, QEMU must verify the upper and lower 11 bits to distinguish
> - * between SQ and RDHWR, as the Linux kernel does.
> - */
> -static void decode_mmi_sq(CPUMIPSState *env, DisasContext *ctx)
> -{
> -    int base = extract32(ctx->opcode, 21, 5);
> -    int rt = extract32(ctx->opcode, 16, 5);
> -    int offset = extract32(ctx->opcode, 0, 16);
> -
> -#ifdef CONFIG_USER_ONLY
> -    uint32_t op1 = MASK_SPECIAL3(ctx->opcode);
> -    uint32_t op2 = extract32(ctx->opcode, 6, 5);
> -
> -    if (base == 0 && op2 == 0 && op1 == OPC_RDHWR) {
> -        int rd = extract32(ctx->opcode, 11, 5);
> -
> -        gen_rdhwr(ctx, rt, rd, 0);
> -        return;
> -    }
> -#endif
> -
> -    gen_mmi_sq(ctx, base, rt, offset);
> -}
> -
>  #endif
>  
>  static void decode_opc_special3(CPUMIPSState *env, DisasContext *ctx)
> @@ -24664,15 +24616,7 @@ static bool decode_opc_legacy(CPUMIPSState *env, DisasContext *ctx)
>          decode_opc_special2_legacy(env, ctx);
>          break;
>      case OPC_SPECIAL3:
> -#if defined(TARGET_MIPS64)
> -        if (ctx->insn_flags & INSN_R5900) {
> -            decode_mmi_sq(env, ctx);    /* MMI_OPC_SQ */
> -        } else {
> -            decode_opc_special3(env, ctx);
> -        }
> -#else
>          decode_opc_special3(env, ctx);
> -#endif
>          break;
>      case OPC_REGIMM:
>          op1 = MASK_REGIMM(ctx->opcode);
> diff --git a/target/mips/tx79_translate.c b/target/mips/tx79_translate.c
> index d840dfdb9cc..3b1ef05e95b 100644
> --- a/target/mips/tx79_translate.c
> +++ b/target/mips/tx79_translate.c
> @@ -239,6 +239,37 @@ static bool trans_SQ(DisasContext *ctx, arg_itype *a)
>      return true;
>  }
>  
> +/*
> + * The TX79-specific instruction Store Quadword
> + *
> + * +--------+-------+-------+------------------------+
> + * | 011111 |  base |   rt  |           offset       | SQ
> + * +--------+-------+-------+------------------------+
> + *      6       5       5                 16
> + *
> + * has the same opcode as the Read Hardware Register instruction
> + *
> + * +--------+-------+-------+-------+-------+--------+
> + * | 011111 | 00000 |   rt  |   rd  | 00000 | 111011 | RDHWR
> + * +--------+-------+-------+-------+-------+--------+
> + *      6       5       5       5       5        6
> + *
> + * that is required, trapped and emulated by the Linux kernel. However, all
> + * RDHWR encodings yield address error exceptions on the TX79 since the SQ
> + * offset is odd. Therefore all valid SQ instructions can execute normally.
> + * In user mode, QEMU must verify the upper and lower 11 bits to distinguish
> + * between SQ and RDHWR, as the Linux kernel does.
> + */

The "SQ offset is odd" should be replaced with something like "SQ asserts
an address exception since -6085(zero) always resolves to 0xffffe83b in
32-bit KSEG2", as seen in the Linux kernel comment about RDHWR:

	/*
	 * On the R5900, a valid RDHWR instruction
	 *
	 *     +--------+-------+----+----+-------+--------+
	 *     | 011111 | 00000 | rt | rd | 00000 | 111011 |
	 *     +--------+-------+----+----+-------+--------+
	 *          6       5      5    5     5        6
	 *
	 * having rd $29 (MIPS_HWR_ULR) is interpreted as
	 * the R5900 specific SQ instruction
	 *
	 *     +--------+-------+----+---------------------+
	 *     | 011111 |  base | rt |        offset       |
	 *     +--------+-------+----+---------------------+
	 *          6       5      5            16
	 *
	 * being (where rd usually is $3)
	 *
	 *     sq v1,-6085(zero)
	 *
	 * that asserts an address exception since -6085(zero)
	 * always resolves to 0xffffe83b in 32-bit KSEG2.
	 *
	 * Other legacy values of rd, such as MIPS_HWR_CPUNUM,
	 * are ignored.
	 */

Fredrik

> +static bool trans_RDHWR_user(DisasContext *ctx, arg_rtype *a)
> +{
> +#if defined(CONFIG_USER_ONLY)
> +    gen_rdhwr(ctx, a->rt, a->rd, 0);
> +    return true;
> +#else
> +    return false;
> +#endif
> +}
> +
>  /*
>   *     Multiply and Divide (19 instructions)
>   *     -------------------------------------
> -- 
> 2.26.2
> 

Re: [PATCH v3 0/5] target/mips: Reintroduce the R5900 CPU

[Philippe Mathieu-Daudé]

On 3/12/21 5:24 PM, Philippe Mathieu-Daudé wrote:
> I'm running out of time to address Richard's comments on the new
> opcodes, so let's KISS and only fix RDHWR (after adding LQ/SQ).
> 
> Missing review: 3 & 5
> - target/mips/tx79: Move RDHWR usermode kludge to trans_SQ()
> - tests/tcg/mips: Test user mode DMULT for the R5900
> 
> Based-on: mips-next
> Supersedes: <20210309145653.743937-1-f4bug@amsat.org>
> 
> Fredrik Noring (1):
>   tests/tcg/mips: Test user mode DMULT for the R5900
> 
> Philippe Mathieu-Daudé (4):
>   target/mips/tx79: Introduce LQ opcode (Load Quadword)
>   target/mips/tx79: Introduce SQ opcode (Store Quadword)
>   target/mips/tx79: Move RDHWR usermode kludge to trans_SQ()
>   target/mips: Reintroduce the R5900 CPU

Patches 1 & 2 queued to mips-next.