diff options
55 files changed, 2240 insertions, 996 deletions
diff --git a/MAINTAINERS b/MAINTAINERS index 5e4be6b..25fc49d 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -1773,6 +1773,7 @@ S: Supported F: include/hw/scsi/* F: hw/scsi/* F: tests/qtest/virtio-scsi-test.c +F: tests/qtest/fuzz-virtio-scsi-test.c T: git https://github.com/bonzini/qemu.git scsi-next SSI @@ -1984,6 +1985,7 @@ S: Supported F: hw/scsi/megasas.c F: hw/scsi/mfi.h F: tests/qtest/megasas-test.c +F: tests/qtest/fuzz-megasas-test.c Network packet abstractions M: Dmitry Fleytman <dmitry.fleytman@gmail.com> @@ -2647,7 +2649,9 @@ R: Stefan Hajnoczi <stefanha@redhat.com> R: Thomas Huth <thuth@redhat.com> S: Maintained F: tests/qtest/fuzz/ +F: tests/qtest/fuzz-*test.c F: scripts/oss-fuzz/ +F: hw/mem/sparse-mem.c F: docs/devel/fuzzing.rst Register API diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c index 37b0a18..b6d9f92 100644 --- a/accel/kvm/kvm-all.c +++ b/accel/kvm/kvm-all.c @@ -673,10 +673,6 @@ out: #define KVM_CLEAR_LOG_ALIGN (qemu_real_host_page_size << KVM_CLEAR_LOG_SHIFT) #define KVM_CLEAR_LOG_MASK (-KVM_CLEAR_LOG_ALIGN) -/* - * As the granule of kvm dirty log is qemu_real_host_page_size, - * @start and @size are expected and restricted to align to it. - */ static int kvm_log_clear_one_slot(KVMSlot *mem, int as_id, uint64_t start, uint64_t size) { @@ -686,9 +682,6 @@ static int kvm_log_clear_one_slot(KVMSlot *mem, int as_id, uint64_t start, unsigned long *bmap_clear = NULL, psize = qemu_real_host_page_size; int ret; - /* Make sure start and size are qemu_real_host_page_size aligned */ - assert(QEMU_IS_ALIGNED(start | size, psize)); - /* * We need to extend either the start or the size or both to * satisfy the KVM interface requirement. Firstly, do the start @@ -465,6 +465,7 @@ fuse_lseek="auto" multiprocess="auto" malloc_trim="auto" +gio="$default_feature" # parse CC options second for opt do @@ -1560,6 +1561,10 @@ for opt do ;; --disable-multiprocess) multiprocess="disabled" ;; + --enable-gio) gio=yes + ;; + --disable-gio) gio=no + ;; *) echo "ERROR: unknown option $opt" echo "Try '$0 --help' for more information" @@ -1913,6 +1918,7 @@ disabled with --disable-FEATURE, default is enabled if available fuse FUSE block device export fuse-lseek SEEK_HOLE/SEEK_DATA support for FUSE exports multiprocess Out of process device emulation support + gio libgio support NOTE: The object files are built at the place where configure is launched EOF @@ -3319,17 +3325,19 @@ if test "$static" = yes && test "$mingw32" = yes; then glib_cflags="-DGLIB_STATIC_COMPILATION $glib_cflags" fi -if $pkg_config --atleast-version=$glib_req_ver gio-2.0; then - gio_cflags=$($pkg_config --cflags gio-2.0) - gio_libs=$($pkg_config --libs gio-2.0) - gdbus_codegen=$($pkg_config --variable=gdbus_codegen gio-2.0) - if [ ! -x "$gdbus_codegen" ]; then - gdbus_codegen= - fi - # Check that the libraries actually work -- Ubuntu 18.04 ships - # with pkg-config --static --libs data for gio-2.0 that is missing - # -lblkid and will give a link error. - cat > $TMPC <<EOF +if ! test "$gio" = "no"; then + pass=no + if $pkg_config --atleast-version=$glib_req_ver gio-2.0; then + gio_cflags=$($pkg_config --cflags gio-2.0) + gio_libs=$($pkg_config --libs gio-2.0) + gdbus_codegen=$($pkg_config --variable=gdbus_codegen gio-2.0) + if [ ! -x "$gdbus_codegen" ]; then + gdbus_codegen= + fi + # Check that the libraries actually work -- Ubuntu 18.04 ships + # with pkg-config --static --libs data for gio-2.0 that is missing + # -lblkid and will give a link error. + cat > $TMPC <<EOF #include <gio/gio.h> int main(void) { @@ -3337,18 +3345,28 @@ int main(void) return 0; } EOF - if compile_prog "$gio_cflags" "$gio_libs" ; then - gio=yes - else - gio=no + if compile_prog "$gio_cflags" "$gio_libs" ; then + pass=yes + else + pass=no + fi + + if test "$pass" = "yes" && + $pkg_config --atleast-version=$glib_req_ver gio-unix-2.0; then + gio_cflags="$gio_cflags $($pkg_config --cflags gio-unix-2.0)" + gio_libs="$gio_libs $($pkg_config --libs gio-unix-2.0)" + fi fi -else - gio=no -fi -if $pkg_config --atleast-version=$glib_req_ver gio-unix-2.0; then - gio_cflags="$gio_cflags $($pkg_config --cflags gio-unix-2.0)" - gio_libs="$gio_libs $($pkg_config --libs gio-unix-2.0)" + if test "$pass" = "no"; then + if test "$gio" = "yes"; then + feature_not_found "gio" "Install libgio >= 2.0" + else + gio=no + fi + else + gio=yes + fi fi # Sanity check that the current size_t matches the diff --git a/contrib/plugins/hotpages.c b/contrib/plugins/hotpages.c index eacc678..bf53267 100644 --- a/contrib/plugins/hotpages.c +++ b/contrib/plugins/hotpages.c @@ -122,7 +122,7 @@ static void vcpu_haddr(unsigned int cpu_index, qemu_plugin_meminfo_t meminfo, } } else { if (hwaddr && !qemu_plugin_hwaddr_is_io(hwaddr)) { - page = (uint64_t) qemu_plugin_hwaddr_device_offset(hwaddr); + page = (uint64_t) qemu_plugin_hwaddr_phys_addr(hwaddr); } else { page = vaddr; } diff --git a/contrib/plugins/hwprofile.c b/contrib/plugins/hwprofile.c index 6dac1d5..faf216a 100644 --- a/contrib/plugins/hwprofile.c +++ b/contrib/plugins/hwprofile.c @@ -201,7 +201,7 @@ static void vcpu_haddr(unsigned int cpu_index, qemu_plugin_meminfo_t meminfo, return; } else { const char *name = qemu_plugin_hwaddr_device_name(hwaddr); - uint64_t off = qemu_plugin_hwaddr_device_offset(hwaddr); + uint64_t off = qemu_plugin_hwaddr_phys_addr(hwaddr); bool is_write = qemu_plugin_mem_is_store(meminfo); DeviceCounts *counts; diff --git a/disas/tci.c b/disas/tci.c deleted file mode 100644 index f1d6c6b..0000000 --- a/disas/tci.c +++ /dev/null @@ -1,61 +0,0 @@ -/* - * Tiny Code Interpreter for QEMU - disassembler - * - * Copyright (c) 2011 Stefan Weil - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - */ - -#include "qemu/osdep.h" -#include "qemu-common.h" -#include "disas/dis-asm.h" -#include "tcg/tcg.h" - -/* Disassemble TCI bytecode. */ -int print_insn_tci(bfd_vma addr, disassemble_info *info) -{ - int length; - uint8_t byte; - int status; - TCGOpcode op; - - status = info->read_memory_func(addr, &byte, 1, info); - if (status != 0) { - info->memory_error_func(status, addr, info); - return -1; - } - op = byte; - - addr++; - status = info->read_memory_func(addr, &byte, 1, info); - if (status != 0) { - info->memory_error_func(status, addr, info); - return -1; - } - length = byte; - - if (op >= tcg_op_defs_max) { - info->fprintf_func(info->stream, "illegal opcode %d", op); - } else { - const TCGOpDef *def = &tcg_op_defs[op]; - int nb_oargs = def->nb_oargs; - int nb_iargs = def->nb_iargs; - int nb_cargs = def->nb_cargs; - /* TODO: Improve disassembler output. */ - info->fprintf_func(info->stream, "%s\to=%d i=%d c=%d", - def->name, nb_oargs, nb_iargs, nb_cargs); - } - - return length; -} diff --git a/docs/devel/fuzzing.rst b/docs/devel/fuzzing.rst index 97797c4..2749bb9 100644 --- a/docs/devel/fuzzing.rst +++ b/docs/devel/fuzzing.rst @@ -210,6 +210,62 @@ Build details: - The script responsible for building the fuzzers can be found in the QEMU source tree at ``scripts/oss-fuzz/build.sh`` +Building Crash Reproducers +----------------------------------------- +When we find a crash, we should try to create an independent reproducer, that +can be used on a non-fuzzer build of QEMU. This filters out any potential +false-positives, and improves the debugging experience for developers. +Here are the steps for building a reproducer for a crash found by the +generic-fuzz target. + +- Ensure the crash reproduces:: + + qemu-fuzz-i386 --fuzz-target... ./crash-... + +- Gather the QTest output for the crash:: + + QEMU_FUZZ_TIMEOUT=0 QTEST_LOG=1 FUZZ_SERIALIZE_QTEST=1 \ + qemu-fuzz-i386 --fuzz-target... ./crash-... &> /tmp/trace + +- Reorder and clean-up the resulting trace:: + + scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py /tmp/trace > /tmp/reproducer + +- Get the arguments needed to start qemu, and provide a path to qemu:: + + less /tmp/trace # The args should be logged at the top of this file + export QEMU_ARGS="-machine ..." + export QEMU_PATH="path/to/qemu-system" + +- Ensure the crash reproduces in qemu-system:: + + $QEMU_PATH $QEMU_ARGS -qtest stdio < /tmp/reproducer + +- From the crash output, obtain some string that identifies the crash. This + can be a line in the stack-trace, for example:: + + export CRASH_TOKEN="hw/usb/hcd-xhci.c:1865" + +- Minimize the reproducer:: + + scripts/oss-fuzz/minimize_qtest_trace.py -M1 -M2 \ + /tmp/reproducer /tmp/reproducer-minimized + +- Confirm that the minimized reproducer still crashes:: + + $QEMU_PATH $QEMU_ARGS -qtest stdio < /tmp/reproducer-minimized + +- Create a one-liner reproducer that can be sent over email:: + + ./scripts/oss-fuzz/output_reproducer.py -bash /tmp/reproducer-minimized + +- Output the C source code for a test case that will reproduce the bug:: + + ./scripts/oss-fuzz/output_reproducer.py -owner "John Smith <john@smith.com>"\ + -name "test_function_name" /tmp/reproducer-minimized + +- Report the bug and send a patch with the C reproducer upstream + Implementation Details / Fuzzer Lifecycle ----------------------------------------- diff --git a/hw/core/Kconfig b/hw/core/Kconfig index fdf0351..9397503 100644 --- a/hw/core/Kconfig +++ b/hw/core/Kconfig @@ -11,6 +11,11 @@ config GENERIC_LOADER bool default y +config GUEST_LOADER + bool + default y + depends on TCG + config OR_IRQ bool diff --git a/hw/core/meson.build b/hw/core/meson.build index 9cd72ed..59f1605 100644 --- a/hw/core/meson.build +++ b/hw/core/meson.build @@ -16,6 +16,7 @@ hwcore_files = files( common_ss.add(files('cpu.c')) common_ss.add(when: 'CONFIG_FITLOADER', if_true: files('loader-fit.c')) common_ss.add(when: 'CONFIG_GENERIC_LOADER', if_true: files('generic-loader.c')) +common_ss.add(when: ['CONFIG_GUEST_LOADER', fdt], if_true: files('guest-loader.c')) common_ss.add(when: 'CONFIG_OR_IRQ', if_true: files('or-irq.c')) common_ss.add(when: 'CONFIG_PLATFORM_BUS', if_true: files('platform-bus.c')) common_ss.add(when: 'CONFIG_PTIMER', if_true: files('ptimer.c')) @@ -37,8 +38,6 @@ softmmu_ss.add(files( 'clock-vmstate.c', )) -softmmu_ss.add(when: 'CONFIG_TCG', if_true: files('guest-loader.c')) - specific_ss.add(when: 'CONFIG_SOFTMMU', if_true: files( 'machine-qmp-cmds.c', 'numa.c', diff --git a/hw/mem/meson.build b/hw/mem/meson.build index 0d22f2b..ef79e04 100644 --- a/hw/mem/meson.build +++ b/hw/mem/meson.build @@ -1,5 +1,6 @@ mem_ss = ss.source_set() mem_ss.add(files('memory-device.c')) +mem_ss.add(when: 'CONFIG_FUZZ', if_true: files('sparse-mem.c')) mem_ss.add(when: 'CONFIG_DIMM', if_true: files('pc-dimm.c')) mem_ss.add(when: 'CONFIG_NPCM7XX', if_true: files('npcm7xx_mc.c')) mem_ss.add(when: 'CONFIG_NVDIMM', if_true: files('nvdimm.c')) diff --git a/hw/mem/sparse-mem.c b/hw/mem/sparse-mem.c new file mode 100644 index 0000000..a13ac74 --- /dev/null +++ b/hw/mem/sparse-mem.c @@ -0,0 +1,151 @@ +/* + * A sparse memory device. Useful for fuzzing + * + * Copyright Red Hat Inc., 2021 + * + * Authors: + * Alexander Bulekov <alxndr@bu.edu> + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" + +#include "exec/address-spaces.h" +#include "hw/qdev-properties.h" +#include "hw/sysbus.h" +#include "qapi/error.h" +#include "qemu/units.h" +#include "sysemu/qtest.h" +#include "hw/mem/sparse-mem.h" + +#define SPARSE_MEM(obj) OBJECT_CHECK(SparseMemState, (obj), TYPE_SPARSE_MEM) +#define SPARSE_BLOCK_SIZE 0x1000 + +typedef struct SparseMemState { + SysBusDevice parent_obj; + MemoryRegion mmio; + uint64_t baseaddr; + uint64_t length; + uint64_t size_used; + uint64_t maxsize; + GHashTable *mapped; +} SparseMemState; + +typedef struct sparse_mem_block { + uint8_t data[SPARSE_BLOCK_SIZE]; +} sparse_mem_block; + +static uint64_t sparse_mem_read(void *opaque, hwaddr addr, unsigned int size) +{ + SparseMemState *s = opaque; + uint64_t ret = 0; + size_t pfn = addr / SPARSE_BLOCK_SIZE; + size_t offset = addr % SPARSE_BLOCK_SIZE; + sparse_mem_block *block; + + block = g_hash_table_lookup(s->mapped, (void *)pfn); + if (block) { + assert(offset + size <= sizeof(block->data)); + memcpy(&ret, block->data + offset, size); + } + return ret; +} + +static void sparse_mem_write(void *opaque, hwaddr addr, uint64_t v, + unsigned int size) +{ + SparseMemState *s = opaque; + size_t pfn = addr / SPARSE_BLOCK_SIZE; + size_t offset = addr % SPARSE_BLOCK_SIZE; + sparse_mem_block *block; + + if (!g_hash_table_lookup(s->mapped, (void *)pfn) && + s->size_used + SPARSE_BLOCK_SIZE < s->maxsize && v) { + g_hash_table_insert(s->mapped, (void *)pfn, + g_new0(sparse_mem_block, 1)); + s->size_used += sizeof(block->data); + } + block = g_hash_table_lookup(s->mapped, (void *)pfn); + if (!block) { + return; + } + + assert(offset + size <= sizeof(block->data)); + + memcpy(block->data + offset, &v, size); + +} + +static const MemoryRegionOps sparse_mem_ops = { + .read = sparse_mem_read, + .write = sparse_mem_write, + .endianness = DEVICE_LITTLE_ENDIAN, + .valid = { + .min_access_size = 1, + .max_access_size = 8, + .unaligned = false, + }, +}; + +static Property sparse_mem_properties[] = { + /* The base address of the memory */ + DEFINE_PROP_UINT64("baseaddr", SparseMemState, baseaddr, 0x0), + /* The length of the sparse memory region */ + DEFINE_PROP_UINT64("length", SparseMemState, length, UINT64_MAX), + /* Max amount of actual memory that can be used to back the sparse memory */ + DEFINE_PROP_UINT64("maxsize", SparseMemState, maxsize, 10 * MiB), + DEFINE_PROP_END_OF_LIST(), +}; + +MemoryRegion *sparse_mem_init(uint64_t addr, uint64_t length) +{ + DeviceState *dev; + + dev = qdev_new(TYPE_SPARSE_MEM); + qdev_prop_set_uint64(dev, "baseaddr", addr); + qdev_prop_set_uint64(dev, "length", length); + sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal); + sysbus_mmio_map_overlap(SYS_BUS_DEVICE(dev), 0, addr, -10000); + return &SPARSE_MEM(dev)->mmio; +} + +static void sparse_mem_realize(DeviceState *dev, Error **errp) +{ + SparseMemState *s = SPARSE_MEM(dev); + SysBusDevice *sbd = SYS_BUS_DEVICE(dev); + + if (!qtest_enabled()) { + error_setg(errp, "sparse_mem device should only be used " + "for testing with QTest"); + return; + } + + assert(s->baseaddr + s->length > s->baseaddr); + + s->mapped = g_hash_table_new(NULL, NULL); + memory_region_init_io(&s->mmio, OBJECT(s), &sparse_mem_ops, s, + "sparse-mem", s->length); + sysbus_init_mmio(sbd, &s->mmio); +} + +static void sparse_mem_class_init(ObjectClass *klass, void *data) +{ + DeviceClass *dc = DEVICE_CLASS(klass); + + device_class_set_props(dc, sparse_mem_properties); + + dc->desc = "Sparse Memory Device"; + dc->realize = sparse_mem_realize; +} + +static const TypeInfo sparse_mem_types[] = { + { + .name = TYPE_SPARSE_MEM, + .parent = TYPE_SYS_BUS_DEVICE, + .instance_size = sizeof(SparseMemState), + .class_init = sparse_mem_class_init, + }, +}; +DEFINE_TYPES(sparse_mem_types); diff --git a/hw/misc/mac_via.c b/hw/misc/mac_via.c index ca2f939..ff0156d 100644 --- a/hw/misc/mac_via.c +++ b/hw/misc/mac_via.c @@ -279,6 +279,12 @@ #define VIA_TIMER_FREQ (783360) #define VIA_ADB_POLL_FREQ 50 /* XXX: not real */ +/* + * Guide to the Macintosh Family Hardware ch. 12 "Displays" p. 401 gives the + * precise 60Hz interrupt frequency as ~60.15Hz with a period of 16625.8 us + */ +#define VIA_60HZ_TIMER_PERIOD_NS 16625800 + /* VIA returns time offset from Jan 1, 1904, not 1970 */ #define RTC_OFFSET 2082844800 @@ -297,44 +303,32 @@ enum { REG_EMPTY = 0xff, }; -static void via1_VBL_update(MOS6522Q800VIA1State *v1s) +static void via1_sixty_hz_update(MOS6522Q800VIA1State *v1s) { - MOS6522State *s = MOS6522(v1s); - /* 60 Hz irq */ - v1s->next_VBL = (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + 16630) / - 16630 * 16630; - - if (s->ier & VIA1_IRQ_VBLANK) { - timer_mod(v1s->VBL_timer, v1s->next_VBL); - } else { - timer_del(v1s->VBL_timer); - } + v1s->next_sixty_hz = (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + + VIA_60HZ_TIMER_PERIOD_NS) / + VIA_60HZ_TIMER_PERIOD_NS * VIA_60HZ_TIMER_PERIOD_NS; + timer_mod(v1s->sixty_hz_timer, v1s->next_sixty_hz); } static void via1_one_second_update(MOS6522Q800VIA1State *v1s) { - MOS6522State *s = MOS6522(v1s); - v1s->next_second = (qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) + 1000) / 1000 * 1000; - if (s->ier & VIA1_IRQ_ONE_SECOND) { - timer_mod(v1s->one_second_timer, v1s->next_second); - } else { - timer_del(v1s->one_second_timer); - } + timer_mod(v1s->one_second_timer, v1s->next_second); } -static void via1_VBL(void *opaque) +static void via1_sixty_hz(void *opaque) { MOS6522Q800VIA1State *v1s = opaque; MOS6522State *s = MOS6522(v1s); MOS6522DeviceClass *mdc = MOS6522_GET_CLASS(s); - s->ifr |= VIA1_IRQ_VBLANK; + s->ifr |= VIA1_IRQ_60HZ; mdc->update_irq(s); - via1_VBL_update(v1s); + via1_sixty_hz_update(v1s); } static void via1_one_second(void *opaque) @@ -609,7 +603,6 @@ static void adb_via_poll(void *opaque) uint8_t obuf[9]; uint8_t *data = &s->sr; int olen; - uint16_t pending; /* * Setting vADBInt below indicates that an autopoll reply has been @@ -618,36 +611,36 @@ static void adb_via_poll(void *opaque) */ adb_autopoll_block(adb_bus); - m->adb_data_in_index = 0; - m->adb_data_out_index = 0; - olen = adb_poll(adb_bus, obuf, adb_bus->autopoll_mask); - - if (olen > 0) { - /* Autopoll response */ - *data = obuf[0]; - olen--; - memcpy(m->adb_data_in, &obuf[1], olen); - m->adb_data_in_size = olen; + if (m->adb_data_in_size > 0 && m->adb_data_in_index == 0) { + /* + * For older Linux kernels that switch to IDLE mode after sending the + * ADB command, detect if there is an existing response and return that + * as a a "fake" autopoll reply or bus timeout accordingly + */ + *data = m->adb_data_out[0]; + olen = m->adb_data_in_size; s->b &= ~VIA1B_vADBInt; qemu_irq_raise(m->adb_data_ready); - } else if (olen < 0) { - /* Bus timeout (device does not exist) */ - *data = 0xff; - s->b |= VIA1B_vADBInt; - adb_autopoll_unblock(adb_bus); } else { - pending = adb_bus->pending & ~(1 << (m->adb_autopoll_cmd >> 4)); + /* + * Otherwise poll as normal + */ + m->adb_data_in_index = 0; + m->adb_data_out_index = 0; + olen = adb_poll(adb_bus, obuf, adb_bus->autopoll_mask); + + if (olen > 0) { + /* Autopoll response */ + *data = obuf[0]; + olen--; + memcpy(m->adb_data_in, &obuf[1], olen); + m->adb_data_in_size = olen; - if (pending) { - /* - * Bus timeout (device exists but another device has data). Block - * autopoll so the OS can read out the first EVEN and first ODD - * byte to determine bus timeout and SRQ status - */ - *data = m->adb_autopoll_cmd; s->b &= ~VIA1B_vADBInt; - + qemu_irq_raise(m->adb_data_ready); + } else { + *data = m->adb_autopoll_cmd; obuf[0] = 0xff; obuf[1] = 0xff; olen = 2; @@ -655,12 +648,8 @@ static void adb_via_poll(void *opaque) memcpy(m->adb_data_in, obuf, olen); m->adb_data_in_size = olen; + s->b &= ~VIA1B_vADBInt; qemu_irq_raise(m->adb_data_ready); - } else { - /* Bus timeout (device exists but no other device has data) */ - *data = 0; - s->b |= VIA1B_vADBInt; - adb_autopoll_unblock(adb_bus); } } @@ -783,27 +772,8 @@ static void adb_via_receive(MacVIAState *s, int state, uint8_t *data) return; case ADB_STATE_IDLE: - /* - * Since adb_request() will have already consumed the data from the - * device, we must detect this extra state change and re-inject the - * reponse as either a "fake" autopoll reply or bus timeout - * accordingly - */ - if (s->adb_data_in_index == 0) { - if (adb_bus->status & ADB_STATUS_BUSTIMEOUT) { - *data = 0xff; - ms->b |= VIA1B_vADBInt; - qemu_irq_raise(s->adb_data_ready); - } else if (s->adb_data_in_size > 0) { - adb_bus->status = ADB_STATUS_POLLREPLY; - *data = s->adb_autopoll_cmd; - ms->b &= ~VIA1B_vADBInt; - qemu_irq_raise(s->adb_data_ready); - } - } else { - ms->b |= VIA1B_vADBInt; - adb_autopoll_unblock(adb_bus); - } + ms->b |= VIA1B_vADBInt; + adb_autopoll_unblock(adb_bus); trace_via1_adb_receive("IDLE", *data, (ms->b & VIA1B_vADBInt) ? "+" : "-", adb_bus->status, @@ -816,33 +786,37 @@ static void adb_via_receive(MacVIAState *s, int state, uint8_t *data) switch (s->adb_data_in_index) { case 0: /* First EVEN byte: vADBInt indicates bus timeout */ - trace_via1_adb_receive(state == ADB_STATE_EVEN ? "EVEN" : " ODD", - *data, (ms->b & VIA1B_vADBInt) ? "+" : "-", - adb_bus->status, s->adb_data_in_index, - s->adb_data_in_size); - - *data = s->adb_data_in[s->adb_data_in_index++]; + *data = s->adb_data_in[s->adb_data_in_index]; if (adb_bus->status & ADB_STATUS_BUSTIMEOUT) { ms->b &= ~VIA1B_vADBInt; } else { ms->b |= VIA1B_vADBInt; } - break; - case 1: - /* First ODD byte: vADBInt indicates SRQ */ trace_via1_adb_receive(state == ADB_STATE_EVEN ? "EVEN" : " ODD", *data, (ms->b & VIA1B_vADBInt) ? "+" : "-", adb_bus->status, s->adb_data_in_index, s->adb_data_in_size); - *data = s->adb_data_in[s->adb_data_in_index++]; + s->adb_data_in_index++; + break; + + case 1: + /* First ODD byte: vADBInt indicates SRQ */ + *data = s->adb_data_in[s->adb_data_in_index]; pending = adb_bus->pending & ~(1 << (s->adb_autopoll_cmd >> 4)); if (pending) { ms->b &= ~VIA1B_vADBInt; } else { ms->b |= VIA1B_vADBInt; } + + trace_via1_adb_receive(state == ADB_STATE_EVEN ? "EVEN" : " ODD", + *data, (ms->b & VIA1B_vADBInt) ? "+" : "-", + adb_bus->status, s->adb_data_in_index, + s->adb_data_in_size); + + s->adb_data_in_index++; break; default: @@ -852,14 +826,9 @@ static void adb_via_receive(MacVIAState *s, int state, uint8_t *data) * end of the poll reply, so provide these extra bytes below to * keep it happy */ - trace_via1_adb_receive(state == ADB_STATE_EVEN ? "EVEN" : " ODD", - *data, (ms->b & VIA1B_vADBInt) ? "+" : "-", - adb_bus->status, s->adb_data_in_index, - s->adb_data_in_size); - if (s->adb_data_in_index < s->adb_data_in_size) { /* Next data byte */ - *data = s->adb_data_in[s->adb_data_in_index++]; + *data = s->adb_data_in[s->adb_data_in_index]; ms->b |= VIA1B_vADBInt; } else if (s->adb_data_in_index == s->adb_data_in_size) { if (adb_bus->status & ADB_STATUS_BUSTIMEOUT) { @@ -869,7 +838,6 @@ static void adb_via_receive(MacVIAState *s, int state, uint8_t *data) /* Return 0x0 after reply */ *data = 0; } - s->adb_data_in_index++; ms->b &= ~VIA1B_vADBInt; } else { /* Bus timeout (no more data) */ @@ -878,6 +846,15 @@ static void adb_via_receive(MacVIAState *s, int state, uint8_t *data) adb_bus->status = 0; adb_autopoll_unblock(adb_bus); } + + trace_via1_adb_receive(state == ADB_STATE_EVEN ? "EVEN" : " ODD", + *data, (ms->b & VIA1B_vADBInt) ? "+" : "-", + adb_bus->status, s->adb_data_in_index, + s->adb_data_in_size); + + if (s->adb_data_in_index <= s->adb_data_in_size) { + s->adb_data_in_index++; + } break; } @@ -910,21 +887,6 @@ static uint64_t mos6522_q800_via1_read(void *opaque, hwaddr addr, unsigned size) { MOS6522Q800VIA1State *s = MOS6522_Q800_VIA1(opaque); MOS6522State *ms = MOS6522(s); - int64_t now = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL); - - /* - * If IRQs are disabled, timers are disabled, but we need to update - * VIA1_IRQ_VBLANK and VIA1_IRQ_ONE_SECOND bits in the IFR - */ - - if (now >= s->next_VBL) { - ms->ifr |= VIA1_IRQ_VBLANK; - via1_VBL_update(s); - } - if (now >= s->next_second) { - ms->ifr |= VIA1_IRQ_ONE_SECOND; - via1_one_second_update(s); - } addr = (addr >> 9) & 0xf; return mos6522_read(ms, addr, size); @@ -948,9 +910,6 @@ static void mos6522_q800_via1_write(void *opaque, hwaddr addr, uint64_t val, v1s->last_b = ms->b; break; } - - via1_one_second_update(v1s); - via1_VBL_update(v1s); } static const MemoryRegionOps mos6522_q800_via1_ops = { @@ -959,7 +918,7 @@ static const MemoryRegionOps mos6522_q800_via1_ops = { .endianness = DEVICE_BIG_ENDIAN, .valid = { .min_access_size = 1, - .max_access_size = 1, + .max_access_size = 4, }, }; @@ -988,23 +947,17 @@ static const MemoryRegionOps mos6522_q800_via2_ops = { .endianness = DEVICE_BIG_ENDIAN, .valid = { .min_access_size = 1, - .max_access_size = 1, + .max_access_size = 4, }, }; static void mac_via_reset(DeviceState *dev) { MacVIAState *m = MAC_VIA(dev); - MOS6522Q800VIA1State *v1s = &m->mos6522_via1; ADBBusState *adb_bus = &m->adb_bus; adb_set_autopoll_enabled(adb_bus, true); - timer_del(v1s->VBL_timer); - v1s->next_VBL = 0; - timer_del(v1s->one_second_timer); - v1s->next_second = 0; - m->cmd = REG_EMPTY; m->alt = REG_EMPTY; } @@ -1043,8 +996,11 @@ static void mac_via_realize(DeviceState *dev, Error **errp) m->mos6522_via1.one_second_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, via1_one_second, &m->mos6522_via1); - m->mos6522_via1.VBL_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, via1_VBL, - &m->mos6522_via1); + via1_one_second_update(&m->mos6522_via1); + m->mos6522_via1.sixty_hz_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, + via1_sixty_hz, + &m->mos6522_via1); + via1_sixty_hz_update(&m->mos6522_via1); qemu_get_timedate(&tm, 0); m->tick_offset = (uint32_t)mktimegm(&tm) + RTC_OFFSET; @@ -1133,8 +1089,8 @@ static const VMStateDescription vmstate_mac_via = { VMSTATE_BUFFER(mos6522_via1.PRAM, MacVIAState), VMSTATE_TIMER_PTR(mos6522_via1.one_second_timer, MacVIAState), VMSTATE_INT64(mos6522_via1.next_second, MacVIAState), - VMSTATE_TIMER_PTR(mos6522_via1.VBL_timer, MacVIAState), - VMSTATE_INT64(mos6522_via1.next_VBL, MacVIAState), + VMSTATE_TIMER_PTR(mos6522_via1.sixty_hz_timer, MacVIAState), + VMSTATE_INT64(mos6522_via1.next_sixty_hz, MacVIAState), VMSTATE_STRUCT(mos6522_via2.parent_obj, MacVIAState, 0, vmstate_mos6522, MOS6522State), /* RTC */ diff --git a/hw/misc/trace-events b/hw/misc/trace-events index 3d44978..d0a89eb 100644 --- a/hw/misc/trace-events +++ b/hw/misc/trace-events @@ -233,8 +233,8 @@ via1_rtc_cmd_test_write(int value) "value=0x%02x" via1_rtc_cmd_wprotect_write(int value) "value=0x%02x" via1_rtc_cmd_pram_read(int addr, int value) "addr=%u value=0x%02x" via1_rtc_cmd_pram_write(int addr, int value) "addr=%u value=0x%02x" -via1_rtc_cmd_pram_sect_read(int sector, int offset, int addr, int value) "sector=%u offset=%u addr=%d value=0x%02x" -via1_rtc_cmd_pram_sect_write(int sector, int offset, int addr, int value) "sector=%u offset=%u addr=%d value=0x%02x" +via1_rtc_cmd_pram_sect_read(int sector, int offset, int addr, int value) "sector=%u offset=%u addr=0x%x value=0x%02x" +via1_rtc_cmd_pram_sect_write(int sector, int offset, int addr, int value) "sector=%u offset=%u addr=0x%x value=0x%02x" via1_adb_send(const char *state, uint8_t data, const char *vadbint) "state %s data=0x%02x vADBInt=%s" via1_adb_receive(const char *state, uint8_t data, const char *vadbint, int status, int index, int size) "state %s data=0x%02x vADBInt=%s status=0x%x index=%d size=%d" via1_adb_poll(uint8_t data, const char *vadbint, int status, int index, int size) "data=0x%02x vADBInt=%s status=0x%x index=%d size=%d" diff --git a/hw/timer/i8254.c b/hw/timer/i8254.c index c01ee2c..c8388ea 100644 --- a/hw/timer/i8254.c +++ b/hw/timer/i8254.c @@ -324,7 +324,7 @@ static void pit_post_load(PITCommonState *s) { PITChannelState *sc = &s->channels[0]; - if (sc->next_transition_time != -1) { + if (sc->next_transition_time != -1 && !sc->irq_disabled) { timer_mod(sc->irq_timer, sc->next_transition_time); } else { timer_del(sc->irq_timer); diff --git a/include/hw/mem/sparse-mem.h b/include/hw/mem/sparse-mem.h new file mode 100644 index 0000000..f9863b1 --- /dev/null +++ b/include/hw/mem/sparse-mem.h @@ -0,0 +1,19 @@ +/* + * A sparse memory device. Useful for fuzzing + * + * Copyright Red Hat Inc., 2021 + * + * Authors: + * Alexander Bulekov <alxndr@bu.edu> + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + */ + +#ifndef SPARSE_MEM_H +#define SPARSE_MEM_H +#define TYPE_SPARSE_MEM "sparse-mem" + +MemoryRegion *sparse_mem_init(uint64_t addr, uint64_t length); + +#endif diff --git a/include/hw/misc/mac_via.h b/include/hw/misc/mac_via.h index a59f0bd..3058b30 100644 --- a/include/hw/misc/mac_via.h +++ b/include/hw/misc/mac_via.h @@ -17,7 +17,7 @@ /* VIA 1 */ #define VIA1_IRQ_ONE_SECOND_BIT 0 -#define VIA1_IRQ_VBLANK_BIT 1 +#define VIA1_IRQ_60HZ_BIT 1 #define VIA1_IRQ_ADB_READY_BIT 2 #define VIA1_IRQ_ADB_DATA_BIT 3 #define VIA1_IRQ_ADB_CLOCK_BIT 4 @@ -25,7 +25,7 @@ #define VIA1_IRQ_NB 8 #define VIA1_IRQ_ONE_SECOND (1 << VIA1_IRQ_ONE_SECOND_BIT) -#define VIA1_IRQ_VBLANK (1 << VIA1_IRQ_VBLANK_BIT) +#define VIA1_IRQ_60HZ (1 << VIA1_IRQ_60HZ_BIT) #define VIA1_IRQ_ADB_READY (1 << VIA1_IRQ_ADB_READY_BIT) #define VIA1_IRQ_ADB_DATA (1 << VIA1_IRQ_ADB_DATA_BIT) #define VIA1_IRQ_ADB_CLOCK (1 << VIA1_IRQ_ADB_CLOCK_BIT) @@ -45,8 +45,8 @@ struct MOS6522Q800VIA1State { /* external timers */ QEMUTimer *one_second_timer; int64_t next_second; - QEMUTimer *VBL_timer; - int64_t next_VBL; + QEMUTimer *sixty_hz_timer; + int64_t next_sixty_hz; }; diff --git a/include/qapi/qmp/dispatch.h b/include/qapi/qmp/dispatch.h index 1486cac..135dfde 100644 --- a/include/qapi/qmp/dispatch.h +++ b/include/qapi/qmp/dispatch.h @@ -36,6 +36,7 @@ typedef struct QmpCommand QmpCommandOptions options; QTAILQ_ENTRY(QmpCommand) node; bool enabled; + const char *disable_reason; } QmpCommand; typedef QTAILQ_HEAD(QmpCommandList, QmpCommand) QmpCommandList; @@ -44,7 +45,8 @@ void qmp_register_command(QmpCommandList *cmds, const char *name, QmpCommandFunc *fn, QmpCommandOptions options); const QmpCommand *qmp_find_command(const QmpCommandList *cmds, const char *name); -void qmp_disable_command(QmpCommandList *cmds, const char *name); +void qmp_disable_command(QmpCommandList *cmds, const char *name, + const char *err_msg); void qmp_enable_command(QmpCommandList *cmds, const char *name); bool qmp_command_is_enabled(const QmpCommand *cmd); diff --git a/include/qemu/qemu-plugin.h b/include/qemu/qemu-plugin.h index c66507f..97cdfd7 100644 --- a/include/qemu/qemu-plugin.h +++ b/include/qemu/qemu-plugin.h @@ -32,6 +32,9 @@ #define QEMU_PLUGIN_LOCAL __attribute__((visibility("hidden"))) #endif +/** + * typedef qemu_plugin_id_t - Unique plugin ID + */ typedef uint64_t qemu_plugin_id_t; /* @@ -47,24 +50,32 @@ typedef uint64_t qemu_plugin_id_t; extern QEMU_PLUGIN_EXPORT int qemu_plugin_version; -#define QEMU_PLUGIN_VERSION 0 +#define QEMU_PLUGIN_VERSION 1 -typedef struct { - /* string describing architecture */ +/** + * struct qemu_info_t - system information for plugins + * + * This structure provides for some limited information about the + * system to allow the plugin to make decisions on how to proceed. For + * example it might only be suitable for running on some guest + * architectures or when under full system emulation. + */ +typedef struct qemu_info_t { + /** @target_name: string describing architecture */ const char *target_name; + /** @version: minimum and current plugin API level */ struct { int min; int cur; } version; - /* is this a full system emulation? */ + /** @system_emulation: is this a full system emulation? */ bool system_emulation; union { - /* - * smp_vcpus may change if vCPUs can be hot-plugged, max_vcpus - * is the system-wide limit. - */ + /** @system: information relevant to system emulation */ struct { + /** @system.smp_vcpus: initial number of vCPUs */ int smp_vcpus; + /** @system.max_vcpus: maximum possible number of vCPUs */ int max_vcpus; } system; }; @@ -77,31 +88,50 @@ typedef struct { * @argc: number of arguments * @argv: array of arguments (@argc elements) * - * All plugins must export this symbol. - * - * Note: Calling qemu_plugin_uninstall() from this function is a bug. To raise - * an error during install, return !0. + * All plugins must export this symbol which is called when the plugin + * is first loaded. Calling qemu_plugin_uninstall() from this function + * is a bug. * * Note: @info is only live during the call. Copy any information we - * want to keep. + * want to keep. @argv remains valid throughout the lifetime of the + * loaded plugin. * - * Note: @argv remains valid throughout the lifetime of the loaded plugin. + * Return: 0 on successful loading, !0 for an error. */ QEMU_PLUGIN_EXPORT int qemu_plugin_install(qemu_plugin_id_t id, const qemu_info_t *info, int argc, char **argv); -/* - * Prototypes for the various callback styles we will be registering - * in the following functions. +/** + * typedef qemu_plugin_simple_cb_t - simple callback + * @id: the unique qemu_plugin_id_t + * + * This callback passes no information aside from the unique @id. */ typedef void (*qemu_plugin_simple_cb_t)(qemu_plugin_id_t id); +/** + * typedef qemu_plugin_udata_cb_t - callback with user data + * @id: the unique qemu_plugin_id_t + * @userdata: a pointer to some user data supplied when the callback + * was registered. + */ typedef void (*qemu_plugin_udata_cb_t)(qemu_plugin_id_t id, void *userdata); +/** + * typedef qemu_plugin_vcpu_simple_cb_t - vcpu callback + * @id: the unique qemu_plugin_id_t + * @vcpu_index: the current vcpu context + */ typedef void (*qemu_plugin_vcpu_simple_cb_t)(qemu_plugin_id_t id, unsigned int vcpu_index); +/** + * typedef qemu_plugin_vcpu_udata_cb_t - vcpu callback + * @vcpu_index: the current vcpu context + * @userdata: a pointer to some user data supplied when the callback + * was registered. + */ typedef void (*qemu_plugin_vcpu_udata_cb_t)(unsigned int vcpu_index, void *userdata); @@ -175,17 +205,25 @@ void qemu_plugin_register_vcpu_idle_cb(qemu_plugin_id_t id, void qemu_plugin_register_vcpu_resume_cb(qemu_plugin_id_t id, qemu_plugin_vcpu_simple_cb_t cb); -/* - * Opaque types that the plugin is given during the translation and - * instrumentation phase. - */ +/** struct qemu_plugin_tb - Opaque handle for a translation block */ struct qemu_plugin_tb; +/** struct qemu_plugin_insn - Opaque handle for a translated instruction */ struct qemu_plugin_insn; +/** + * enum qemu_plugin_cb_flags - type of callback + * + * @QEMU_PLUGIN_CB_NO_REGS: callback does not access the CPU's regs + * @QEMU_PLUGIN_CB_R_REGS: callback reads the CPU's regs + * @QEMU_PLUGIN_CB_RW_REGS: callback reads and writes the CPU's regs + * + * Note: currently unused, plugins cannot read or change system + * register state. + */ enum qemu_plugin_cb_flags { - QEMU_PLUGIN_CB_NO_REGS, /* callback does not access the CPU's regs */ - QEMU_PLUGIN_CB_R_REGS, /* callback reads the CPU's regs */ - QEMU_PLUGIN_CB_RW_REGS, /* callback reads and writes the CPU's regs */ + QEMU_PLUGIN_CB_NO_REGS, + QEMU_PLUGIN_CB_R_REGS, + QEMU_PLUGIN_CB_RW_REGS, }; enum qemu_plugin_mem_rw { @@ -195,6 +233,14 @@ enum qemu_plugin_mem_rw { }; /** + * typedef qemu_plugin_vcpu_tb_trans_cb_t - translation callback + * @id: unique plugin id + * @tb: opaque handle used for querying and instrumenting a block. + */ +typedef void (*qemu_plugin_vcpu_tb_trans_cb_t)(qemu_plugin_id_t id, + struct qemu_plugin_tb *tb); + +/** * qemu_plugin_register_vcpu_tb_trans_cb() - register a translate cb * @id: plugin ID * @cb: callback function @@ -206,14 +252,11 @@ enum qemu_plugin_mem_rw { * callbacks to be triggered when the block or individual instruction * executes. */ -typedef void (*qemu_plugin_vcpu_tb_trans_cb_t)(qemu_plugin_id_t id, - struct qemu_plugin_tb *tb); - void qemu_plugin_register_vcpu_tb_trans_cb(qemu_plugin_id_t id, qemu_plugin_vcpu_tb_trans_cb_t cb); /** - * qemu_plugin_register_vcpu_tb_trans_exec_cb() - register execution callback + * qemu_plugin_register_vcpu_tb_exec_cb() - register execution callback * @tb: the opaque qemu_plugin_tb handle for the translation * @cb: callback function * @flags: does the plugin read or write the CPU's registers? @@ -226,12 +269,20 @@ void qemu_plugin_register_vcpu_tb_exec_cb(struct qemu_plugin_tb *tb, enum qemu_plugin_cb_flags flags, void *userdata); +/** + * enum qemu_plugin_op - describes an inline op + * + * @QEMU_PLUGIN_INLINE_ADD_U64: add an immediate value uint64_t + * + * Note: currently only a single inline op is supported. + */ + enum qemu_plugin_op { QEMU_PLUGIN_INLINE_ADD_U64, }; /** - * qemu_plugin_register_vcpu_tb_trans_exec_inline() - execution inline op + * qemu_plugin_register_vcpu_tb_exec_inline() - execution inline op * @tb: the opaque qemu_plugin_tb handle for the translation * @op: the type of qemu_plugin_op (e.g. ADD_U64) * @ptr: the target memory location for the op @@ -240,6 +291,9 @@ enum qemu_plugin_op { * Insert an inline op to every time a translated unit executes. * Useful if you just want to increment a single counter somewhere in * memory. + * + * Note: ops are not atomic so in multi-threaded/multi-smp situations + * you will get inexact results. */ void qemu_plugin_register_vcpu_tb_exec_inline(struct qemu_plugin_tb *tb, enum qemu_plugin_op op, @@ -262,7 +316,6 @@ void qemu_plugin_register_vcpu_insn_exec_cb(struct qemu_plugin_insn *insn, /** * qemu_plugin_register_vcpu_insn_exec_inline() - insn execution inline op * @insn: the opaque qemu_plugin_insn handle for an instruction - * @cb: callback function * @op: the type of qemu_plugin_op (e.g. ADD_U64) * @ptr: the target memory location for the op * @imm: the op data (e.g. 1) @@ -274,41 +327,114 @@ void qemu_plugin_register_vcpu_insn_exec_inline(struct qemu_plugin_insn *insn, enum qemu_plugin_op op, void *ptr, uint64_t imm); -/* - * Helpers to query information about the instructions in a block +/** + * qemu_plugin_tb_n_insns() - query helper for number of insns in TB + * @tb: opaque handle to TB passed to callback + * + * Returns: number of instructions in this block */ size_t qemu_plugin_tb_n_insns(const struct qemu_plugin_tb *tb); +/** + * qemu_plugin_tb_vaddr() - query helper for vaddr of TB start + * @tb: opaque handle to TB passed to callback + * + * Returns: virtual address of block start + */ uint64_t qemu_plugin_tb_vaddr(const struct qemu_plugin_tb *tb); +/** + * qemu_plugin_tb_get_insn() - retrieve handle for instruction + * @tb: opaque handle to TB passed to callback + * @idx: instruction number, 0 indexed + * + * The returned handle can be used in follow up helper queries as well + * as when instrumenting an instruction. It is only valid for the + * lifetime of the callback. + * + * Returns: opaque handle to instruction + */ struct qemu_plugin_insn * qemu_plugin_tb_get_insn(const struct qemu_plugin_tb *tb, size_t idx); +/** + * qemu_plugin_insn_data() - return ptr to instruction data + * @insn: opaque instruction handle from qemu_plugin_tb_get_insn() + * + * Note: data is only valid for duration of callback. See + * qemu_plugin_insn_size() to calculate size of stream. + * + * Returns: pointer to a stream of bytes containing the value of this + * instructions opcode. + */ const void *qemu_plugin_insn_data(const struct qemu_plugin_insn *insn); +/** + * qemu_plugin_insn_size() - return size of instruction + * @insn: opaque instruction handle from qemu_plugin_tb_get_insn() + * + * Returns: size of instruction in bytes + */ size_t qemu_plugin_insn_size(const struct qemu_plugin_insn *insn); +/** + * qemu_plugin_insn_vaddr() - return vaddr of instruction + * @insn: opaque instruction handle from qemu_plugin_tb_get_insn() + * + * Returns: virtual address of instruction + */ uint64_t qemu_plugin_insn_vaddr(const struct qemu_plugin_insn *insn); + +/** + * qemu_plugin_insn_haddr() - return hardware addr of instruction + * @insn: opaque instruction handle from qemu_plugin_tb_get_insn() + * + * Returns: hardware (physical) target address of instruction + */ void *qemu_plugin_insn_haddr(const struct qemu_plugin_insn *insn); -/* - * Memory Instrumentation +/** + * typedef qemu_plugin_meminfo_t - opaque memory transaction handle * - * The anonymous qemu_plugin_meminfo_t and qemu_plugin_hwaddr types - * can be used in queries to QEMU to get more information about a - * given memory access. + * This can be further queried using the qemu_plugin_mem_* query + * functions. */ typedef uint32_t qemu_plugin_meminfo_t; +/** struct qemu_plugin_hwaddr - opaque hw address handle */ struct qemu_plugin_hwaddr; -/* meminfo queries */ +/** + * qemu_plugin_mem_size_shift() - get size of access + * @info: opaque memory transaction handle + * + * Returns: size of access in ^2 (0=byte, 1=16bit, 2=32bit etc...) + */ unsigned int qemu_plugin_mem_size_shift(qemu_plugin_meminfo_t info); +/** + * qemu_plugin_mem_is_sign_extended() - was the access sign extended + * @info: opaque memory transaction handle + * + * Returns: true if it was, otherwise false + */ bool qemu_plugin_mem_is_sign_extended(qemu_plugin_meminfo_t info); +/** + * qemu_plugin_mem_is_big_endian() - was the access big endian + * @info: opaque memory transaction handle + * + * Returns: true if it was, otherwise false + */ bool qemu_plugin_mem_is_big_endian(qemu_plugin_meminfo_t info); +/** + * qemu_plugin_mem_is_store() - was the access a store + * @info: opaque memory transaction handle + * + * Returns: true if it was, otherwise false + */ bool qemu_plugin_mem_is_store(qemu_plugin_meminfo_t info); -/* - * qemu_plugin_get_hwaddr(): +/** + * qemu_plugin_get_hwaddr() - return handle for memory operation + * @info: opaque memory info structure * @vaddr: the virtual address of the memory operation * * For system emulation returns a qemu_plugin_hwaddr handle to query @@ -323,12 +449,30 @@ struct qemu_plugin_hwaddr *qemu_plugin_get_hwaddr(qemu_plugin_meminfo_t info, uint64_t vaddr); /* - * The following additional queries can be run on the hwaddr structure - * to return information about it. For non-IO accesses the device - * offset will be into the appropriate block of RAM. + * The following additional queries can be run on the hwaddr structure to + * return information about it - namely whether it is for an IO access and the + * physical address associated with the access. + */ + +/** + * qemu_plugin_hwaddr_is_io() - query whether memory operation is IO + * @haddr: address handle from qemu_plugin_get_hwaddr() + * + * Returns true if the handle's memory operation is to memory-mapped IO, or + * false if it is to RAM */ bool qemu_plugin_hwaddr_is_io(const struct qemu_plugin_hwaddr *haddr); -uint64_t qemu_plugin_hwaddr_device_offset(const struct qemu_plugin_hwaddr *haddr); + +/** + * qemu_plugin_hwaddr_phys_addr() - query physical address for memory operation + * @haddr: address handle from qemu_plugin_get_hwaddr() + * + * Returns the physical address associated with the memory operation + * + * Note that the returned physical address may not be unique if you are dealing + * with multiple address spaces. + */ +uint64_t qemu_plugin_hwaddr_phys_addr(const struct qemu_plugin_hwaddr *haddr); /* * Returns a string representing the device. The string is valid for diff --git a/include/qemu/timer.h b/include/qemu/timer.h index 5e76e3f..301fa47 100644 --- a/include/qemu/timer.h +++ b/include/qemu/timer.h @@ -629,8 +629,10 @@ void timer_del(QEMUTimer *ts); */ static inline void timer_free(QEMUTimer *ts) { - timer_del(ts); - g_free(ts); + if (ts) { + timer_del(ts); + g_free(ts); + } } /** diff --git a/include/tcg/tcg-opc.h b/include/tcg/tcg-opc.h index 900984c..bbb0884 100644 --- a/include/tcg/tcg-opc.h +++ b/include/tcg/tcg-opc.h @@ -278,10 +278,8 @@ DEF(last_generic, 0, 0, 0, TCG_OPF_NOT_PRESENT) #ifdef TCG_TARGET_INTERPRETER /* These opcodes are only for use between the tci generator and interpreter. */ DEF(tci_movi_i32, 1, 0, 1, TCG_OPF_NOT_PRESENT) -#if TCG_TARGET_REG_BITS == 64 DEF(tci_movi_i64, 1, 0, 1, TCG_OPF_64BIT | TCG_OPF_NOT_PRESENT) #endif -#endif #undef TLADDR_ARGS #undef DATA64_ARGS diff --git a/meson.build b/meson.build index a7d2dd4..5c85a15 100644 --- a/meson.build +++ b/meson.build @@ -1943,7 +1943,7 @@ specific_ss.add(when: 'CONFIG_TCG', if_true: files( 'tcg/tcg-op.c', 'tcg/tcg.c', )) -specific_ss.add(when: 'CONFIG_TCG_INTERPRETER', if_true: files('disas/tci.c', 'tcg/tci.c')) +specific_ss.add(when: 'CONFIG_TCG_INTERPRETER', if_true: files('tcg/tci.c')) subdir('backends') subdir('disas') diff --git a/plugins/api.c b/plugins/api.c index 0b04380..b22998c 100644 --- a/plugins/api.c +++ b/plugins/api.c @@ -40,6 +40,7 @@ #include "sysemu/sysemu.h" #include "tcg/tcg.h" #include "exec/exec-all.h" +#include "exec/ram_addr.h" #include "disas/disas.h" #include "plugin.h" #ifndef CONFIG_USER_ONLY @@ -265,10 +266,12 @@ bool qemu_plugin_mem_is_store(qemu_plugin_meminfo_t info) #ifdef CONFIG_SOFTMMU static __thread struct qemu_plugin_hwaddr hwaddr_info; +#endif struct qemu_plugin_hwaddr *qemu_plugin_get_hwaddr(qemu_plugin_meminfo_t info, uint64_t vaddr) { +#ifdef CONFIG_SOFTMMU CPUState *cpu = current_cpu; unsigned int mmu_idx = info >> TRACE_MEM_MMU_SHIFT; hwaddr_info.is_store = info & TRACE_MEM_ST; @@ -280,14 +283,10 @@ struct qemu_plugin_hwaddr *qemu_plugin_get_hwaddr(qemu_plugin_meminfo_t info, } return &hwaddr_info; -} #else -struct qemu_plugin_hwaddr *qemu_plugin_get_hwaddr(qemu_plugin_meminfo_t info, - uint64_t vaddr) -{ return NULL; -} #endif +} bool qemu_plugin_hwaddr_is_io(const struct qemu_plugin_hwaddr *haddr) { @@ -298,19 +297,25 @@ bool qemu_plugin_hwaddr_is_io(const struct qemu_plugin_hwaddr *haddr) #endif } -uint64_t qemu_plugin_hwaddr_device_offset(const struct qemu_plugin_hwaddr *haddr) +uint64_t qemu_plugin_hwaddr_phys_addr(const struct qemu_plugin_hwaddr *haddr) { #ifdef CONFIG_SOFTMMU if (haddr) { if (!haddr->is_io) { - ram_addr_t ram_addr = qemu_ram_addr_from_host((void *) haddr->v.ram.hostaddr); - if (ram_addr == RAM_ADDR_INVALID) { + RAMBlock *block; + ram_addr_t offset; + void *hostaddr = (void *) haddr->v.ram.hostaddr; + + block = qemu_ram_block_from_host(hostaddr, false, &offset); + if (!block) { error_report("Bad ram pointer %"PRIx64"", haddr->v.ram.hostaddr); abort(); } - return ram_addr; + + return block->offset + offset + block->mr->addr; } else { - return haddr->v.io.offset; + MemoryRegionSection *mrs = haddr->v.io.section; + return haddr->v.io.offset + mrs->mr->addr; } } #endif diff --git a/qapi/qmp-dispatch.c b/qapi/qmp-dispatch.c index 0a2b20a..5e597c7 100644 --- a/qapi/qmp-dispatch.c +++ b/qapi/qmp-dispatch.c @@ -157,8 +157,10 @@ QDict *qmp_dispatch(const QmpCommandList *cmds, QObject *request, } if (!cmd->enabled) { error_set(&err, ERROR_CLASS_COMMAND_NOT_FOUND, - "The command %s has been disabled for this instance", - command); + "Command %s has been disabled%s%s", + command, + cmd->disable_reason ? ": " : "", + cmd->disable_reason ?: ""); goto out; } if (oob && !(cmd->options & QCO_ALLOW_OOB)) { diff --git a/qapi/qmp-registry.c b/qapi/qmp-registry.c index 58c65b5..f78c064 100644 --- a/qapi/qmp-registry.c +++ b/qapi/qmp-registry.c @@ -43,26 +43,28 @@ const QmpCommand *qmp_find_command(const QmpCommandList *cmds, const char *name) } static void qmp_toggle_command(QmpCommandList *cmds, const char *name, - bool enabled) + bool enabled, const char *disable_reason) { QmpCommand *cmd; QTAILQ_FOREACH(cmd, cmds, node) { if (strcmp(cmd->name, name) == 0) { cmd->enabled = enabled; + cmd->disable_reason = disable_reason; return; } } } -void qmp_disable_command(QmpCommandList *cmds, const char *name) +void qmp_disable_command(QmpCommandList *cmds, const char *name, + const char *disable_reason) { - qmp_toggle_command(cmds, name, false); + qmp_toggle_command(cmds, name, false, disable_reason); } void qmp_enable_command(QmpCommandList *cmds, const char *name) { - qmp_toggle_command(cmds, name, true); + qmp_toggle_command(cmds, name, true, NULL); } bool qmp_command_is_enabled(const QmpCommand *cmd) diff --git a/qga/channel-win32.c b/qga/channel-win32.c index 4f04868..779007e 100644 --- a/qga/channel-win32.c +++ b/qga/channel-win32.c @@ -292,9 +292,9 @@ static gboolean ga_channel_open(GAChannel *c, GAChannelMethod method, return false; } - if (method == GA_CHANNEL_ISA_SERIAL){ + if (method == GA_CHANNEL_ISA_SERIAL) { snprintf(newpath, sizeof(newpath), "\\\\.\\%s", path); - }else { + } else { g_strlcpy(newpath, path, sizeof(newpath)); } @@ -307,7 +307,8 @@ static gboolean ga_channel_open(GAChannel *c, GAChannelMethod method, return false; } - if (method == GA_CHANNEL_ISA_SERIAL && !SetCommTimeouts(c->handle,&comTimeOut)) { + if (method == GA_CHANNEL_ISA_SERIAL + && !SetCommTimeouts(c->handle, &comTimeOut)) { g_autofree gchar *emsg = g_win32_error_message(GetLastError()); g_critical("error setting timeout for com port: %s", emsg); CloseHandle(c->handle); diff --git a/qga/commands-posix.c b/qga/commands-posix.c index 3f18df1..4299ebd 100644 --- a/qga/commands-posix.c +++ b/qga/commands-posix.c @@ -110,7 +110,7 @@ void qmp_guest_shutdown(bool has_mode, const char *mode, Error **errp) reopen_fd_to_null(2); execle("/sbin/shutdown", "shutdown", "-h", shutdown_flag, "+0", - "hypervisor initiated shutdown", (char*)NULL, environ); + "hypervisor initiated shutdown", (char *)NULL, environ); _exit(EXIT_FAILURE); } else if (pid < 0) { error_setg_errno(errp, errno, "failed to create child process"); @@ -479,7 +479,7 @@ GuestFileRead *guest_file_read_unsafe(GuestFileHandle *gfh, gfh->state = RW_STATE_NEW; } - buf = g_malloc0(count+1); + buf = g_malloc0(count + 1); read_count = fread(buf, 1, count, fh); if (ferror(fh)) { error_setg_errno(errp, errno, "failed to read file"); @@ -2370,24 +2370,6 @@ error: return NULL; } -#define SYSCONF_EXACT(name, errp) sysconf_exact((name), #name, (errp)) - -static long sysconf_exact(int name, const char *name_str, Error **errp) -{ - long ret; - - errno = 0; - ret = sysconf(name); - if (ret == -1) { - if (errno == 0) { - error_setg(errp, "sysconf(%s): value indefinite", name_str); - } else { - error_setg_errno(errp, errno, "sysconf(%s)", name_str); - } - } - return ret; -} - /* Transfer online/offline status between @vcpu and the guest system. * * On input either @errp or *@errp must be NULL. @@ -2458,30 +2440,33 @@ static void transfer_vcpu(GuestLogicalProcessor *vcpu, bool sys2vcpu, GuestLogicalProcessorList *qmp_guest_get_vcpus(Error **errp) { - int64_t current; GuestLogicalProcessorList *head, **tail; - long sc_max; + const char *cpu_dir = "/sys/devices/system/cpu"; + const gchar *line; + g_autoptr(GDir) cpu_gdir = NULL; Error *local_err = NULL; - current = 0; head = NULL; tail = &head; - sc_max = SYSCONF_EXACT(_SC_NPROCESSORS_CONF, &local_err); + cpu_gdir = g_dir_open(cpu_dir, 0, NULL); - while (local_err == NULL && current < sc_max) { - GuestLogicalProcessor *vcpu; - int64_t id = current++; - char *path = g_strdup_printf("/sys/devices/system/cpu/cpu%" PRId64 "/", - id); + if (cpu_gdir == NULL) { + error_setg_errno(errp, errno, "failed to list entries: %s", cpu_dir); + return NULL; + } - if (g_file_test(path, G_FILE_TEST_EXISTS)) { + while (local_err == NULL && (line = g_dir_read_name(cpu_gdir)) != NULL) { + GuestLogicalProcessor *vcpu; + int64_t id; + if (sscanf(line, "cpu%" PRId64, &id)) { + g_autofree char *path = g_strdup_printf("/sys/devices/system/cpu/" + "cpu%" PRId64 "/", id); vcpu = g_malloc0(sizeof *vcpu); vcpu->logical_id = id; vcpu->has_can_offline = true; /* lolspeak ftw */ transfer_vcpu(vcpu, true, path, &local_err); QAPI_LIST_APPEND(tail, vcpu); } - g_free(path); } if (local_err == NULL) { diff --git a/qga/commands-win32.c b/qga/commands-win32.c index a00e6cb..27baf17 100644 --- a/qga/commands-win32.c +++ b/qga/commands-win32.c @@ -110,15 +110,15 @@ static OpenFlags guest_file_open_modes[] = { {"w", GENERIC_WRITE, CREATE_ALWAYS}, {"wb", GENERIC_WRITE, CREATE_ALWAYS}, {"a", FILE_GENERIC_APPEND, OPEN_ALWAYS }, - {"r+", GENERIC_WRITE|GENERIC_READ, OPEN_EXISTING}, - {"rb+", GENERIC_WRITE|GENERIC_READ, OPEN_EXISTING}, - {"r+b", GENERIC_WRITE|GENERIC_READ, OPEN_EXISTING}, - {"w+", GENERIC_WRITE|GENERIC_READ, CREATE_ALWAYS}, - {"wb+", GENERIC_WRITE|GENERIC_READ, CREATE_ALWAYS}, - {"w+b", GENERIC_WRITE|GENERIC_READ, CREATE_ALWAYS}, - {"a+", FILE_GENERIC_APPEND|GENERIC_READ, OPEN_ALWAYS }, - {"ab+", FILE_GENERIC_APPEND|GENERIC_READ, OPEN_ALWAYS }, - {"a+b", FILE_GENERIC_APPEND|GENERIC_READ, OPEN_ALWAYS } + {"r+", GENERIC_WRITE | GENERIC_READ, OPEN_EXISTING}, + {"rb+", GENERIC_WRITE | GENERIC_READ, OPEN_EXISTING}, + {"r+b", GENERIC_WRITE | GENERIC_READ, OPEN_EXISTING}, + {"w+", GENERIC_WRITE | GENERIC_READ, CREATE_ALWAYS}, + {"wb+", GENERIC_WRITE | GENERIC_READ, CREATE_ALWAYS}, + {"w+b", GENERIC_WRITE | GENERIC_READ, CREATE_ALWAYS}, + {"a+", FILE_GENERIC_APPEND | GENERIC_READ, OPEN_ALWAYS }, + {"ab+", FILE_GENERIC_APPEND | GENERIC_READ, OPEN_ALWAYS }, + {"a+b", FILE_GENERIC_APPEND | GENERIC_READ, OPEN_ALWAYS } }; #define debug_error(msg) do { \ @@ -280,7 +280,7 @@ static void acquire_privilege(const char *name, Error **errp) Error *local_err = NULL; if (OpenProcessToken(GetCurrentProcess(), - TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &token)) + TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token)) { if (!LookupPrivilegeValue(NULL, name, &priv.Privileges[0].Luid)) { error_setg(&local_err, QERR_QGA_COMMAND_FAILED, @@ -1116,7 +1116,7 @@ static GuestFilesystemInfo *build_guest_fsinfo(char *guid, Error **errp) len = strlen(mnt_point); mnt_point[len] = '\\'; - mnt_point[len+1] = 0; + mnt_point[len + 1] = 0; if (!GetVolumeInformationByHandleW(hLocalDiskHandle, vol_info, sizeof(vol_info), NULL, NULL, NULL, @@ -1323,7 +1323,7 @@ qmp_guest_fstrim(bool has_minimum, int64_t minimum, Error **errp) DWORD char_count = 0; char *path, *out; GError *gerr = NULL; - gchar * argv[4]; + gchar *argv[4]; GetVolumePathNamesForVolumeNameW(guid, NULL, 0, &char_count); @@ -2174,7 +2174,7 @@ static ga_win_10_0_server_t const WIN_10_0_SERVER_VERSION_MATRIX[3] = { static void ga_get_win_version(RTL_OSVERSIONINFOEXW *info, Error **errp) { - typedef NTSTATUS(WINAPI * rtl_get_version_t)( + typedef NTSTATUS(WINAPI *rtl_get_version_t)( RTL_OSVERSIONINFOEXW *os_version_info_ex); info->dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW); diff --git a/qga/commands.c b/qga/commands.c index e866fc7..a6491d2 100644 --- a/qga/commands.c +++ b/qga/commands.c @@ -22,9 +22,9 @@ #include "commands-common.h" /* Maximum captured guest-exec out_data/err_data - 16MB */ -#define GUEST_EXEC_MAX_OUTPUT (16*1024*1024) +#define GUEST_EXEC_MAX_OUTPUT (16 * 1024 * 1024) /* Allocation and I/O buffer for reading guest-exec out_data/err_data - 4KB */ -#define GUEST_EXEC_IO_SIZE (4*1024) +#define GUEST_EXEC_IO_SIZE (4 * 1024) /* * Maximum file size to read - 48MB * @@ -279,20 +279,20 @@ QEMU_HELP_BOTTOM "\n" static const char *ga_log_level_str(GLogLevelFlags level) { switch (level & G_LOG_LEVEL_MASK) { - case G_LOG_LEVEL_ERROR: - return "error"; - case G_LOG_LEVEL_CRITICAL: - return "critical"; - case G_LOG_LEVEL_WARNING: - return "warning"; - case G_LOG_LEVEL_MESSAGE: - return "message"; - case G_LOG_LEVEL_INFO: - return "info"; - case G_LOG_LEVEL_DEBUG: - return "debug"; - default: - return "user"; + case G_LOG_LEVEL_ERROR: + return "error"; + case G_LOG_LEVEL_CRITICAL: + return "critical"; + case G_LOG_LEVEL_WARNING: + return "warning"; + case G_LOG_LEVEL_MESSAGE: + return "message"; + case G_LOG_LEVEL_INFO: + return "info"; + case G_LOG_LEVEL_DEBUG: + return "debug"; + default: + return "user"; } } @@ -375,7 +375,7 @@ static void ga_disable_non_whitelisted(const QmpCommand *cmd, void *opaque) } if (!whitelisted) { g_debug("disabling command: %s", name); - qmp_disable_command(&ga_commands, name); + qmp_disable_command(&ga_commands, name, "the agent is in frozen state"); } } @@ -586,7 +586,7 @@ end: static gboolean channel_event_cb(GIOCondition condition, gpointer data) { GAState *s = data; - gchar buf[QGA_READ_COUNT_DEFAULT+1]; + gchar buf[QGA_READ_COUNT_DEFAULT + 1]; gsize count; GIOStatus status = ga_channel_read(s->channel, buf, QGA_READ_COUNT_DEFAULT, &count); switch (status) { @@ -610,7 +610,7 @@ static gboolean channel_event_cb(GIOCondition condition, gpointer data) * host-side chardev. sleep a bit to mitigate this */ if (s->virtio) { - usleep(100*1000); + usleep(100 * 1000); } return true; default: @@ -686,21 +686,20 @@ DWORD WINAPI service_ctrl_handler(DWORD ctrl, DWORD type, LPVOID data, DWORD ret = NO_ERROR; GAService *service = &ga_state->service; - switch (ctrl) - { - case SERVICE_CONTROL_STOP: - case SERVICE_CONTROL_SHUTDOWN: - quit_handler(SIGTERM); - SetEvent(ga_state->wakeup_event); - service->status.dwCurrentState = SERVICE_STOP_PENDING; - SetServiceStatus(service->status_handle, &service->status); - break; - case SERVICE_CONTROL_DEVICEEVENT: - handle_serial_device_events(type, data); - break; + switch (ctrl) { + case SERVICE_CONTROL_STOP: + case SERVICE_CONTROL_SHUTDOWN: + quit_handler(SIGTERM); + SetEvent(ga_state->wakeup_event); + service->status.dwCurrentState = SERVICE_STOP_PENDING; + SetServiceStatus(service->status_handle, &service->status); + break; + case SERVICE_CONTROL_DEVICEEVENT: + handle_serial_device_events(type, data); + break; - default: - ret = ERROR_CALL_NOT_IMPLEMENTED; + default: + ret = ERROR_CALL_NOT_IMPLEMENTED; } return ret; } @@ -1329,7 +1328,7 @@ static GAState *initialize_agent(GAConfig *config, int socket_activation) s->blacklist = config->blacklist; do { g_debug("disabling command: %s", (char *)l->data); - qmp_disable_command(&ga_commands, l->data); + qmp_disable_command(&ga_commands, l->data, NULL); l = g_list_next(l); } while (l); } diff --git a/scripts/oss-fuzz/output_reproducer.py b/scripts/oss-fuzz/output_reproducer.py new file mode 100755 index 0000000..3608b06 --- /dev/null +++ b/scripts/oss-fuzz/output_reproducer.py @@ -0,0 +1,160 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +""" +Convert plain qtest traces to C or Bash reproducers + +Use this to help build bug-reports or create in-tree reproducers for bugs. +Note: This will not format C code for you. Pipe the output through +clang-format -style="{BasedOnStyle: llvm, IndentWidth: 4, ColumnLimit: 90}" +or similar +""" + +import sys +import os +import argparse +import textwrap +from datetime import date + +__author__ = "Alexander Bulekov <alxndr@bu.edu>" +__copyright__ = "Copyright (C) 2021, Red Hat, Inc." +__license__ = "GPL version 2 or (at your option) any later version" + +__maintainer__ = "Alexander Bulekov" +__email__ = "alxndr@bu.edu" + + +def c_header(owner): + return """/* + * Autogenerated Fuzzer Test Case + * + * Copyright (c) {date} {owner} + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" + +#include "libqos/libqtest.h" + + """.format(date=date.today().year, owner=owner) + +def c_comment(s): + """ Return a multi-line C comment. Assume the text is already wrapped """ + return "/*\n * " + "\n * ".join(s.splitlines()) + "\n*/" + +def print_c_function(s): + print("/* ") + for l in s.splitlines(): + print(" * {}".format(l)) + +def bash_reproducer(path, args, trace): + result = '\\\n'.join(textwrap.wrap("cat << EOF | {} {}".format(path, args), + 72, break_on_hyphens=False, + drop_whitespace=False)) + for l in trace.splitlines(): + result += "\n" + '\\\n'.join(textwrap.wrap(l,72,drop_whitespace=False)) + result += "\nEOF" + return result + +def c_reproducer(name, args, trace): + result = [] + result.append("""static void {}(void)\n{{""".format(name)) + + # libqtest will add its own qtest args, so get rid of them + args = args.replace("-accel qtest","") + args = args.replace(",accel=qtest","") + args = args.replace("-machine accel=qtest","") + args = args.replace("-qtest stdio","") + result.append("""QTestState *s = qtest_init("{}");""".format(args)) + for l in trace.splitlines(): + param = l.split() + cmd = param[0] + if cmd == "write": + buf = param[3][2:] #Get the 0x... buffer and trim the "0x" + assert len(buf)%2 == 0 + bufbytes = [buf[i:i+2] for i in range(0, len(buf), 2)] + bufstring = '\\x'+'\\x'.join(bufbytes) + addr = param[1] + size = param[2] + result.append("""qtest_bufwrite(s, {}, "{}", {});""".format( + addr, bufstring, size)) + elif cmd.startswith("in") or cmd.startswith("read"): + result.append("qtest_{}(s, {});".format( + cmd, param[1])) + elif cmd.startswith("out") or cmd.startswith("write"): + result.append("qtest_{}(s, {}, {});".format( + cmd, param[1], param[2])) + elif cmd == "clock_step": + if len(param) ==1: + result.append("qtest_clock_step_next(s);") + else: + result.append("qtest_clock_step(s, {});".format(param[1])) + result.append("qtest_quit(s);\n}") + return "\n".join(result) + +def c_main(name, arch): + return """int main(int argc, char **argv) +{{ + const char *arch = qtest_get_arch(); + + g_test_init(&argc, &argv, NULL); + + if (strcmp(arch, "{arch}") == 0) {{ + qtest_add_func("fuzz/{name}",{name}); + }} + + return g_test_run(); +}}""".format(name=name, arch=arch) + +def main(): + parser = argparse.ArgumentParser() + group = parser.add_mutually_exclusive_group() + group.add_argument("-bash", help="Only output a copy-pastable bash command", + action="store_true") + group.add_argument("-c", help="Only output a c function", + action="store_true") + parser.add_argument('-owner', help="If generating complete C source code, \ + this specifies the Copyright owner", + nargs='?', default="<name of author>") + parser.add_argument("-no_comment", help="Don't include a bash reproducer \ + as a comment in the C reproducers", + action="store_true") + parser.add_argument('-name', help="The name of the c function", + nargs='?', default="test_fuzz") + parser.add_argument('input_trace', help="input QTest command sequence \ + (stdin by default)", + nargs='?', type=argparse.FileType('r'), + default=sys.stdin) + args = parser.parse_args() + + qemu_path = os.getenv("QEMU_PATH") + qemu_args = os.getenv("QEMU_ARGS") + if not qemu_args or not qemu_path: + print("Please set QEMU_PATH and QEMU_ARGS environment variables") + sys.exit(1) + + bash_args = qemu_args + if " -qtest stdio" not in qemu_args: + bash_args += " -qtest stdio" + + arch = qemu_path.split("-")[-1] + trace = args.input_trace.read().strip() + + if args.bash : + print(bash_reproducer(qemu_path, bash_args, trace)) + else: + output = "" + if not args.c: + output += c_header(args.owner) + "\n" + if not args.no_comment: + output += c_comment(bash_reproducer(qemu_path, bash_args, trace)) + output += c_reproducer(args.name, qemu_args, trace) + if not args.c: + output += c_main(args.name, arch) + print(output) + + +if __name__ == '__main__': + main() diff --git a/scsi/utils.c b/scsi/utils.c index 873e05a..357b036 100644 --- a/scsi/utils.c +++ b/scsi/utils.c @@ -589,7 +589,7 @@ int scsi_sense_from_errno(int errno_value, SCSISense *sense) return TASK_SET_FULL; #ifdef CONFIG_LINUX /* These errno mapping are specific to Linux. For more information: - * - scsi_decide_disposition in drivers/scsi/scsi_error.c + * - scsi_check_sense and scsi_decide_disposition in drivers/scsi/scsi_error.c * - scsi_result_to_blk_status in drivers/scsi/scsi_lib.c * - blk_errors[] in block/blk-core.c */ @@ -599,7 +599,7 @@ int scsi_sense_from_errno(int errno_value, SCSISense *sense) *sense = SENSE_CODE(READ_ERROR); return CHECK_CONDITION; case EREMOTEIO: - *sense = SENSE_CODE(LUN_COMM_FAILURE); + *sense = SENSE_CODE(TARGET_FAILURE); return CHECK_CONDITION; #endif case ENOMEDIUM: diff --git a/softmmu/memory.c b/softmmu/memory.c index 9db47b7..c4730ec 100644 --- a/softmmu/memory.c +++ b/softmmu/memory.c @@ -1440,7 +1440,6 @@ MemTxResult memory_region_dispatch_read(MemoryRegion *mr, unsigned size = memop_size(op); MemTxResult r; - fuzz_dma_read_cb(addr, size, mr); if (!memory_region_access_valid(mr, addr, size, false, attrs)) { *pval = unassigned_mem_read(mr, addr, size); return MEMTX_DECODE_ERROR; diff --git a/softmmu/physmem.c b/softmmu/physmem.c index 9e5ef48..85034d9 100644 --- a/softmmu/physmem.c +++ b/softmmu/physmem.c @@ -2801,6 +2801,7 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr, bool release_lock = false; uint8_t *buf = ptr; + fuzz_dma_read_cb(addr, len, mr); for (;;) { if (!memory_access_is_direct(mr, false)) { /* I/O case */ @@ -2811,7 +2812,6 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr, stn_he_p(buf, l, val); } else { /* RAM case */ - fuzz_dma_read_cb(addr, len, mr); ram_ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l, false); memcpy(buf, ram_ptr, l); } diff --git a/tcg/aarch64/tcg-target.c.inc b/tcg/aarch64/tcg-target.c.inc index fcaa5af..f07ba98 100644 --- a/tcg/aarch64/tcg-target.c.inc +++ b/tcg/aarch64/tcg-target.c.inc @@ -2286,7 +2286,8 @@ static void tcg_out_op(TCGContext *s, TCGOpcode opc, static void tcg_out_vec_op(TCGContext *s, TCGOpcode opc, unsigned vecl, unsigned vece, - const TCGArg *args, const int *const_args) + const TCGArg args[TCG_MAX_OP_ARGS], + const int const_args[TCG_MAX_OP_ARGS]) { static const AArch64Insn cmp_vec_insn[16] = { [TCG_COND_EQ] = I3616_CMEQ, diff --git a/tcg/i386/tcg-target.c.inc b/tcg/i386/tcg-target.c.inc index 40326c2..415c5c0 100644 --- a/tcg/i386/tcg-target.c.inc +++ b/tcg/i386/tcg-target.c.inc @@ -2177,7 +2177,8 @@ static void tcg_out_qemu_st(TCGContext *s, const TCGArg *args, bool is64) } static inline void tcg_out_op(TCGContext *s, TCGOpcode opc, - const TCGArg *args, const int *const_args) + const TCGArg args[TCG_MAX_OP_ARGS], + const int const_args[TCG_MAX_OP_ARGS]) { TCGArg a0, a1, a2; int c, const_a2, vexop, rexw = 0; @@ -2613,7 +2614,8 @@ static inline void tcg_out_op(TCGContext *s, TCGOpcode opc, static void tcg_out_vec_op(TCGContext *s, TCGOpcode opc, unsigned vecl, unsigned vece, - const TCGArg *args, const int *const_args) + const TCGArg args[TCG_MAX_OP_ARGS], + const int const_args[TCG_MAX_OP_ARGS]) { static int const add_insn[4] = { OPC_PADDB, OPC_PADDW, OPC_PADDD, OPC_PADDQ diff --git a/tcg/mips/tcg-target.c.inc b/tcg/mips/tcg-target.c.inc index ab55f31..8738a3a 100644 --- a/tcg/mips/tcg-target.c.inc +++ b/tcg/mips/tcg-target.c.inc @@ -1651,7 +1651,8 @@ static void tcg_out_clz(TCGContext *s, MIPSInsn opcv2, MIPSInsn opcv6, } static inline void tcg_out_op(TCGContext *s, TCGOpcode opc, - const TCGArg *args, const int *const_args) + const TCGArg args[TCG_MAX_OP_ARGS], + const int const_args[TCG_MAX_OP_ARGS]) { MIPSInsn i1, i2; TCGArg a0, a1, a2; diff --git a/tcg/ppc/tcg-target.c.inc b/tcg/ppc/tcg-target.c.inc index 4377d15..838ccfa 100644 --- a/tcg/ppc/tcg-target.c.inc +++ b/tcg/ppc/tcg-target.c.inc @@ -2319,8 +2319,9 @@ static void tcg_target_qemu_prologue(TCGContext *s) tcg_out32(s, BCLR | BO_ALWAYS); } -static void tcg_out_op(TCGContext *s, TCGOpcode opc, const TCGArg *args, - const int *const_args) +static void tcg_out_op(TCGContext *s, TCGOpcode opc, + const TCGArg args[TCG_MAX_OP_ARGS], + const int const_args[TCG_MAX_OP_ARGS]) { TCGArg a0, a1, a2; int c; @@ -3115,7 +3116,8 @@ static bool tcg_out_dupm_vec(TCGContext *s, TCGType type, unsigned vece, static void tcg_out_vec_op(TCGContext *s, TCGOpcode opc, unsigned vecl, unsigned vece, - const TCGArg *args, const int *const_args) + const TCGArg args[TCG_MAX_OP_ARGS], + const int const_args[TCG_MAX_OP_ARGS]) { static const uint32_t add_op[4] = { VADDUBM, VADDUHM, VADDUWM, VADDUDM }, diff --git a/tcg/riscv/tcg-target.c.inc b/tcg/riscv/tcg-target.c.inc index e700c52..ef43147 100644 --- a/tcg/riscv/tcg-target.c.inc +++ b/tcg/riscv/tcg-target.c.inc @@ -1212,7 +1212,8 @@ static void tcg_out_qemu_st(TCGContext *s, const TCGArg *args, bool is_64) static const tcg_insn_unit *tb_ret_addr; static void tcg_out_op(TCGContext *s, TCGOpcode opc, - const TCGArg *args, const int *const_args) + const TCGArg args[TCG_MAX_OP_ARGS], + const int const_args[TCG_MAX_OP_ARGS]) { TCGArg a0 = args[0]; TCGArg a1 = args[1]; diff --git a/tcg/s390/tcg-target.c.inc b/tcg/s390/tcg-target.c.inc index 695d7ee..af8dfe8 100644 --- a/tcg/s390/tcg-target.c.inc +++ b/tcg/s390/tcg-target.c.inc @@ -1705,7 +1705,8 @@ static void tcg_out_qemu_st(TCGContext* s, TCGReg data_reg, TCGReg addr_reg, case glue(glue(INDEX_op_,x),_i64) static inline void tcg_out_op(TCGContext *s, TCGOpcode opc, - const TCGArg *args, const int *const_args) + const TCGArg args[TCG_MAX_OP_ARGS], + const int const_args[TCG_MAX_OP_ARGS]) { S390Opcode op, op2; TCGArg a0, a1, a2; @@ -107,8 +107,9 @@ static void tcg_out_ld(TCGContext *s, TCGType type, TCGReg ret, TCGReg arg1, static bool tcg_out_mov(TCGContext *s, TCGType type, TCGReg ret, TCGReg arg); static void tcg_out_movi(TCGContext *s, TCGType type, TCGReg ret, tcg_target_long arg); -static void tcg_out_op(TCGContext *s, TCGOpcode opc, const TCGArg *args, - const int *const_args); +static void tcg_out_op(TCGContext *s, TCGOpcode opc, + const TCGArg args[TCG_MAX_OP_ARGS], + const int const_args[TCG_MAX_OP_ARGS]); #if TCG_TARGET_MAYBE_vec static bool tcg_out_dup_vec(TCGContext *s, TCGType type, unsigned vece, TCGReg dst, TCGReg src); @@ -116,9 +117,10 @@ static bool tcg_out_dupm_vec(TCGContext *s, TCGType type, unsigned vece, TCGReg dst, TCGReg base, intptr_t offset); static void tcg_out_dupi_vec(TCGContext *s, TCGType type, unsigned vece, TCGReg dst, int64_t arg); -static void tcg_out_vec_op(TCGContext *s, TCGOpcode opc, unsigned vecl, - unsigned vece, const TCGArg *args, - const int *const_args); +static void tcg_out_vec_op(TCGContext *s, TCGOpcode opc, + unsigned vecl, unsigned vece, + const TCGArg args[TCG_MAX_OP_ARGS], + const int const_args[TCG_MAX_OP_ARGS]); #else static inline bool tcg_out_dup_vec(TCGContext *s, TCGType type, unsigned vece, TCGReg dst, TCGReg src) @@ -135,9 +137,10 @@ static inline void tcg_out_dupi_vec(TCGContext *s, TCGType type, unsigned vece, { g_assert_not_reached(); } -static inline void tcg_out_vec_op(TCGContext *s, TCGOpcode opc, unsigned vecl, - unsigned vece, const TCGArg *args, - const int *const_args) +static inline void tcg_out_vec_op(TCGContext *s, TCGOpcode opc, + unsigned vecl, unsigned vece, + const TCGArg args[TCG_MAX_OP_ARGS], + const int const_args[TCG_MAX_OP_ARGS]) { g_assert_not_reached(); } @@ -24,7 +24,7 @@ #if defined(CONFIG_DEBUG_TCG) # define tci_assert(cond) assert(cond) #else -# define tci_assert(cond) ((void)0) +# define tci_assert(cond) ((void)(cond)) #endif #include "qemu-common.h" @@ -66,22 +66,32 @@ tci_write_reg(tcg_target_ulong *regs, TCGReg index, tcg_target_ulong value) regs[index] = value; } -#if TCG_TARGET_REG_BITS == 32 static void tci_write_reg64(tcg_target_ulong *regs, uint32_t high_index, uint32_t low_index, uint64_t value) { tci_write_reg(regs, low_index, value); tci_write_reg(regs, high_index, value >> 32); } -#endif -#if TCG_TARGET_REG_BITS == 32 /* Create a 64 bit value from two 32 bit values. */ static uint64_t tci_uint64(uint32_t high, uint32_t low) { return ((uint64_t)high << 32) + low; } -#endif + +/* Read constant byte from bytecode. */ +static uint8_t tci_read_b(const uint8_t **tb_ptr) +{ + return *(tb_ptr[0]++); +} + +/* Read register number from bytecode. */ +static TCGReg tci_read_r(const uint8_t **tb_ptr) +{ + uint8_t regno = tci_read_b(tb_ptr); + tci_assert(regno < TCG_TARGET_NB_REGS); + return regno; +} /* Read constant (native size) from bytecode. */ static tcg_target_ulong tci_read_i(const uint8_t **tb_ptr) @@ -107,59 +117,239 @@ static int32_t tci_read_s32(const uint8_t **tb_ptr) return value; } +static tcg_target_ulong tci_read_label(const uint8_t **tb_ptr) +{ + return tci_read_i(tb_ptr); +} + +/* + * Load sets of arguments all at once. The naming convention is: + * tci_args_<arguments> + * where arguments is a sequence of + * + * b = immediate (bit position) + * c = condition (TCGCond) + * i = immediate (uint32_t) + * I = immediate (tcg_target_ulong) + * l = label or pointer + * m = immediate (TCGMemOpIdx) + * r = register + * s = signed ldst offset + */ + +static void check_size(const uint8_t *start, const uint8_t **tb_ptr) +{ + const uint8_t *old_code_ptr = start - 2; + uint8_t op_size = old_code_ptr[1]; + tci_assert(*tb_ptr == old_code_ptr + op_size); +} + +static void tci_args_l(const uint8_t **tb_ptr, void **l0) +{ + const uint8_t *start = *tb_ptr; + + *l0 = (void *)tci_read_label(tb_ptr); + + check_size(start, tb_ptr); +} + +static void tci_args_rr(const uint8_t **tb_ptr, + TCGReg *r0, TCGReg *r1) +{ + const uint8_t *start = *tb_ptr; + + *r0 = tci_read_r(tb_ptr); + *r1 = tci_read_r(tb_ptr); + + check_size(start, tb_ptr); +} + +static void tci_args_ri(const uint8_t **tb_ptr, + TCGReg *r0, tcg_target_ulong *i1) +{ + const uint8_t *start = *tb_ptr; + + *r0 = tci_read_r(tb_ptr); + *i1 = tci_read_i32(tb_ptr); + + check_size(start, tb_ptr); +} + #if TCG_TARGET_REG_BITS == 64 -/* Read constant (64 bit) from bytecode. */ -static uint64_t tci_read_i64(const uint8_t **tb_ptr) +static void tci_args_rI(const uint8_t **tb_ptr, + TCGReg *r0, tcg_target_ulong *i1) { - uint64_t value = *(const uint64_t *)(*tb_ptr); - *tb_ptr += sizeof(value); - return value; + const uint8_t *start = *tb_ptr; + + *r0 = tci_read_r(tb_ptr); + *i1 = tci_read_i(tb_ptr); + + check_size(start, tb_ptr); } #endif -/* Read indexed register (native size) from bytecode. */ -static tcg_target_ulong -tci_read_r(const tcg_target_ulong *regs, const uint8_t **tb_ptr) +static void tci_args_rrm(const uint8_t **tb_ptr, + TCGReg *r0, TCGReg *r1, TCGMemOpIdx *m2) { - tcg_target_ulong value = tci_read_reg(regs, **tb_ptr); - *tb_ptr += 1; - return value; + const uint8_t *start = *tb_ptr; + + *r0 = tci_read_r(tb_ptr); + *r1 = tci_read_r(tb_ptr); + *m2 = tci_read_i32(tb_ptr); + + check_size(start, tb_ptr); +} + +static void tci_args_rrr(const uint8_t **tb_ptr, + TCGReg *r0, TCGReg *r1, TCGReg *r2) +{ + const uint8_t *start = *tb_ptr; + + *r0 = tci_read_r(tb_ptr); + *r1 = tci_read_r(tb_ptr); + *r2 = tci_read_r(tb_ptr); + + check_size(start, tb_ptr); +} + +static void tci_args_rrs(const uint8_t **tb_ptr, + TCGReg *r0, TCGReg *r1, int32_t *i2) +{ + const uint8_t *start = *tb_ptr; + + *r0 = tci_read_r(tb_ptr); + *r1 = tci_read_r(tb_ptr); + *i2 = tci_read_s32(tb_ptr); + + check_size(start, tb_ptr); +} + +static void tci_args_rrcl(const uint8_t **tb_ptr, + TCGReg *r0, TCGReg *r1, TCGCond *c2, void **l3) +{ + const uint8_t *start = *tb_ptr; + + *r0 = tci_read_r(tb_ptr); + *r1 = tci_read_r(tb_ptr); + *c2 = tci_read_b(tb_ptr); + *l3 = (void *)tci_read_label(tb_ptr); + + check_size(start, tb_ptr); +} + +static void tci_args_rrrc(const uint8_t **tb_ptr, + TCGReg *r0, TCGReg *r1, TCGReg *r2, TCGCond *c3) +{ + const uint8_t *start = *tb_ptr; + + *r0 = tci_read_r(tb_ptr); + *r1 = tci_read_r(tb_ptr); + *r2 = tci_read_r(tb_ptr); + *c3 = tci_read_b(tb_ptr); + + check_size(start, tb_ptr); +} + +static void tci_args_rrrm(const uint8_t **tb_ptr, + TCGReg *r0, TCGReg *r1, TCGReg *r2, TCGMemOpIdx *m3) +{ + const uint8_t *start = *tb_ptr; + + *r0 = tci_read_r(tb_ptr); + *r1 = tci_read_r(tb_ptr); + *r2 = tci_read_r(tb_ptr); + *m3 = tci_read_i32(tb_ptr); + + check_size(start, tb_ptr); +} + +static void tci_args_rrrbb(const uint8_t **tb_ptr, TCGReg *r0, TCGReg *r1, + TCGReg *r2, uint8_t *i3, uint8_t *i4) +{ + const uint8_t *start = *tb_ptr; + + *r0 = tci_read_r(tb_ptr); + *r1 = tci_read_r(tb_ptr); + *r2 = tci_read_r(tb_ptr); + *i3 = tci_read_b(tb_ptr); + *i4 = tci_read_b(tb_ptr); + + check_size(start, tb_ptr); +} + +static void tci_args_rrrrm(const uint8_t **tb_ptr, TCGReg *r0, TCGReg *r1, + TCGReg *r2, TCGReg *r3, TCGMemOpIdx *m4) +{ + const uint8_t *start = *tb_ptr; + + *r0 = tci_read_r(tb_ptr); + *r1 = tci_read_r(tb_ptr); + *r2 = tci_read_r(tb_ptr); + *r3 = tci_read_r(tb_ptr); + *m4 = tci_read_i32(tb_ptr); + + check_size(start, tb_ptr); } #if TCG_TARGET_REG_BITS == 32 -/* Read two indexed registers (2 * 32 bit) from bytecode. */ -static uint64_t tci_read_r64(const tcg_target_ulong *regs, - const uint8_t **tb_ptr) +static void tci_args_rrrr(const uint8_t **tb_ptr, + TCGReg *r0, TCGReg *r1, TCGReg *r2, TCGReg *r3) { - uint32_t low = tci_read_r(regs, tb_ptr); - return tci_uint64(tci_read_r(regs, tb_ptr), low); + const uint8_t *start = *tb_ptr; + + *r0 = tci_read_r(tb_ptr); + *r1 = tci_read_r(tb_ptr); + *r2 = tci_read_r(tb_ptr); + *r3 = tci_read_r(tb_ptr); + + check_size(start, tb_ptr); } -#elif TCG_TARGET_REG_BITS == 64 -/* Read indexed register (64 bit) from bytecode. */ -static uint64_t tci_read_r64(const tcg_target_ulong *regs, - const uint8_t **tb_ptr) + +static void tci_args_rrrrcl(const uint8_t **tb_ptr, TCGReg *r0, TCGReg *r1, + TCGReg *r2, TCGReg *r3, TCGCond *c4, void **l5) { - return tci_read_r(regs, tb_ptr); + const uint8_t *start = *tb_ptr; + + *r0 = tci_read_r(tb_ptr); + *r1 = tci_read_r(tb_ptr); + *r2 = tci_read_r(tb_ptr); + *r3 = tci_read_r(tb_ptr); + *c4 = tci_read_b(tb_ptr); + *l5 = (void *)tci_read_label(tb_ptr); + + check_size(start, tb_ptr); } -#endif -/* Read indexed register(s) with target address from bytecode. */ -static target_ulong -tci_read_ulong(const tcg_target_ulong *regs, const uint8_t **tb_ptr) +static void tci_args_rrrrrc(const uint8_t **tb_ptr, TCGReg *r0, TCGReg *r1, + TCGReg *r2, TCGReg *r3, TCGReg *r4, TCGCond *c5) { - target_ulong taddr = tci_read_r(regs, tb_ptr); -#if TARGET_LONG_BITS > TCG_TARGET_REG_BITS - taddr += (uint64_t)tci_read_r(regs, tb_ptr) << 32; -#endif - return taddr; + const uint8_t *start = *tb_ptr; + + *r0 = tci_read_r(tb_ptr); + *r1 = tci_read_r(tb_ptr); + *r2 = tci_read_r(tb_ptr); + *r3 = tci_read_r(tb_ptr); + *r4 = tci_read_r(tb_ptr); + *c5 = tci_read_b(tb_ptr); + + check_size(start, tb_ptr); } -static tcg_target_ulong tci_read_label(const uint8_t **tb_ptr) +static void tci_args_rrrrrr(const uint8_t **tb_ptr, TCGReg *r0, TCGReg *r1, + TCGReg *r2, TCGReg *r3, TCGReg *r4, TCGReg *r5) { - tcg_target_ulong label = tci_read_i(tb_ptr); - tci_assert(label != 0); - return label; + const uint8_t *start = *tb_ptr; + + *r0 = tci_read_r(tb_ptr); + *r1 = tci_read_r(tb_ptr); + *r2 = tci_read_r(tb_ptr); + *r3 = tci_read_r(tb_ptr); + *r4 = tci_read_r(tb_ptr); + *r5 = tci_read_r(tb_ptr); + + check_size(start, tb_ptr); } +#endif static bool tci_compare32(uint32_t u0, uint32_t u1, TCGCond condition) { @@ -299,7 +489,6 @@ uintptr_t QEMU_DISABLE_CFI tcg_qemu_tb_exec(CPUArchState *env, tcg_target_ulong regs[TCG_TARGET_NB_REGS]; long tcg_temps[CPU_TEMP_BUF_NLONGS]; uintptr_t sp_value = (uintptr_t)(tcg_temps + CPU_TEMP_BUF_NLONGS); - uintptr_t ret = 0; regs[TCG_AREG0] = (tcg_target_ulong)env; regs[TCG_REG_CALL_STACK] = sp_value; @@ -307,494 +496,378 @@ uintptr_t QEMU_DISABLE_CFI tcg_qemu_tb_exec(CPUArchState *env, for (;;) { TCGOpcode opc = tb_ptr[0]; -#if defined(CONFIG_DEBUG_TCG) && !defined(NDEBUG) - uint8_t op_size = tb_ptr[1]; - const uint8_t *old_code_ptr = tb_ptr; -#endif - tcg_target_ulong t0; + TCGReg r0, r1, r2, r3; tcg_target_ulong t1; - tcg_target_ulong t2; - tcg_target_ulong label; TCGCond condition; target_ulong taddr; - uint8_t tmp8; - uint16_t tmp16; + uint8_t pos, len; uint32_t tmp32; uint64_t tmp64; #if TCG_TARGET_REG_BITS == 32 - uint64_t v64; + TCGReg r4, r5; + uint64_t T1, T2; #endif TCGMemOpIdx oi; + int32_t ofs; + void *ptr; /* Skip opcode and size entry. */ tb_ptr += 2; switch (opc) { case INDEX_op_call: - t0 = tci_read_i(&tb_ptr); + tci_args_l(&tb_ptr, &ptr); tci_tb_ptr = (uintptr_t)tb_ptr; #if TCG_TARGET_REG_BITS == 32 - tmp64 = ((helper_function)t0)(tci_read_reg(regs, TCG_REG_R0), - tci_read_reg(regs, TCG_REG_R1), - tci_read_reg(regs, TCG_REG_R2), - tci_read_reg(regs, TCG_REG_R3), - tci_read_reg(regs, TCG_REG_R4), - tci_read_reg(regs, TCG_REG_R5), - tci_read_reg(regs, TCG_REG_R6), - tci_read_reg(regs, TCG_REG_R7), - tci_read_reg(regs, TCG_REG_R8), - tci_read_reg(regs, TCG_REG_R9), - tci_read_reg(regs, TCG_REG_R10), - tci_read_reg(regs, TCG_REG_R11)); + tmp64 = ((helper_function)ptr)(tci_read_reg(regs, TCG_REG_R0), + tci_read_reg(regs, TCG_REG_R1), + tci_read_reg(regs, TCG_REG_R2), + tci_read_reg(regs, TCG_REG_R3), + tci_read_reg(regs, TCG_REG_R4), + tci_read_reg(regs, TCG_REG_R5), + tci_read_reg(regs, TCG_REG_R6), + tci_read_reg(regs, TCG_REG_R7), + tci_read_reg(regs, TCG_REG_R8), + tci_read_reg(regs, TCG_REG_R9), + tci_read_reg(regs, TCG_REG_R10), + tci_read_reg(regs, TCG_REG_R11)); tci_write_reg(regs, TCG_REG_R0, tmp64); tci_write_reg(regs, TCG_REG_R1, tmp64 >> 32); #else - tmp64 = ((helper_function)t0)(tci_read_reg(regs, TCG_REG_R0), - tci_read_reg(regs, TCG_REG_R1), - tci_read_reg(regs, TCG_REG_R2), - tci_read_reg(regs, TCG_REG_R3), - tci_read_reg(regs, TCG_REG_R4), - tci_read_reg(regs, TCG_REG_R5)); + tmp64 = ((helper_function)ptr)(tci_read_reg(regs, TCG_REG_R0), + tci_read_reg(regs, TCG_REG_R1), + tci_read_reg(regs, TCG_REG_R2), + tci_read_reg(regs, TCG_REG_R3), + tci_read_reg(regs, TCG_REG_R4), + tci_read_reg(regs, TCG_REG_R5)); tci_write_reg(regs, TCG_REG_R0, tmp64); #endif break; case INDEX_op_br: - label = tci_read_label(&tb_ptr); - tci_assert(tb_ptr == old_code_ptr + op_size); - tb_ptr = (uint8_t *)label; + tci_args_l(&tb_ptr, &ptr); + tb_ptr = ptr; continue; case INDEX_op_setcond_i32: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - condition = *tb_ptr++; - tci_write_reg(regs, t0, tci_compare32(t1, t2, condition)); + tci_args_rrrc(&tb_ptr, &r0, &r1, &r2, &condition); + regs[r0] = tci_compare32(regs[r1], regs[r2], condition); break; #if TCG_TARGET_REG_BITS == 32 case INDEX_op_setcond2_i32: - t0 = *tb_ptr++; - tmp64 = tci_read_r64(regs, &tb_ptr); - v64 = tci_read_r64(regs, &tb_ptr); - condition = *tb_ptr++; - tci_write_reg(regs, t0, tci_compare64(tmp64, v64, condition)); + tci_args_rrrrrc(&tb_ptr, &r0, &r1, &r2, &r3, &r4, &condition); + T1 = tci_uint64(regs[r2], regs[r1]); + T2 = tci_uint64(regs[r4], regs[r3]); + regs[r0] = tci_compare64(T1, T2, condition); break; #elif TCG_TARGET_REG_BITS == 64 case INDEX_op_setcond_i64: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - condition = *tb_ptr++; - tci_write_reg(regs, t0, tci_compare64(t1, t2, condition)); + tci_args_rrrc(&tb_ptr, &r0, &r1, &r2, &condition); + regs[r0] = tci_compare64(regs[r1], regs[r2], condition); break; #endif CASE_32_64(mov) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, t1); + tci_args_rr(&tb_ptr, &r0, &r1); + regs[r0] = regs[r1]; break; case INDEX_op_tci_movi_i32: - t0 = *tb_ptr++; - t1 = tci_read_i32(&tb_ptr); - tci_write_reg(regs, t0, t1); + tci_args_ri(&tb_ptr, &r0, &t1); + regs[r0] = t1; break; /* Load/store operations (32 bit). */ CASE_32_64(ld8u) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_s32(&tb_ptr); - tci_write_reg(regs, t0, *(uint8_t *)(t1 + t2)); + tci_args_rrs(&tb_ptr, &r0, &r1, &ofs); + ptr = (void *)(regs[r1] + ofs); + regs[r0] = *(uint8_t *)ptr; break; CASE_32_64(ld8s) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_s32(&tb_ptr); - tci_write_reg(regs, t0, *(int8_t *)(t1 + t2)); + tci_args_rrs(&tb_ptr, &r0, &r1, &ofs); + ptr = (void *)(regs[r1] + ofs); + regs[r0] = *(int8_t *)ptr; break; CASE_32_64(ld16u) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_s32(&tb_ptr); - tci_write_reg(regs, t0, *(uint16_t *)(t1 + t2)); + tci_args_rrs(&tb_ptr, &r0, &r1, &ofs); + ptr = (void *)(regs[r1] + ofs); + regs[r0] = *(uint16_t *)ptr; break; CASE_32_64(ld16s) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_s32(&tb_ptr); - tci_write_reg(regs, t0, *(int16_t *)(t1 + t2)); + tci_args_rrs(&tb_ptr, &r0, &r1, &ofs); + ptr = (void *)(regs[r1] + ofs); + regs[r0] = *(int16_t *)ptr; break; case INDEX_op_ld_i32: CASE_64(ld32u) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_s32(&tb_ptr); - tci_write_reg(regs, t0, *(uint32_t *)(t1 + t2)); + tci_args_rrs(&tb_ptr, &r0, &r1, &ofs); + ptr = (void *)(regs[r1] + ofs); + regs[r0] = *(uint32_t *)ptr; break; CASE_32_64(st8) - t0 = tci_read_r(regs, &tb_ptr); - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_s32(&tb_ptr); - *(uint8_t *)(t1 + t2) = t0; + tci_args_rrs(&tb_ptr, &r0, &r1, &ofs); + ptr = (void *)(regs[r1] + ofs); + *(uint8_t *)ptr = regs[r0]; break; CASE_32_64(st16) - t0 = tci_read_r(regs, &tb_ptr); - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_s32(&tb_ptr); - *(uint16_t *)(t1 + t2) = t0; + tci_args_rrs(&tb_ptr, &r0, &r1, &ofs); + ptr = (void *)(regs[r1] + ofs); + *(uint16_t *)ptr = regs[r0]; break; case INDEX_op_st_i32: CASE_64(st32) - t0 = tci_read_r(regs, &tb_ptr); - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_s32(&tb_ptr); - *(uint32_t *)(t1 + t2) = t0; + tci_args_rrs(&tb_ptr, &r0, &r1, &ofs); + ptr = (void *)(regs[r1] + ofs); + *(uint32_t *)ptr = regs[r0]; break; /* Arithmetic operations (mixed 32/64 bit). */ CASE_32_64(add) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, t1 + t2); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = regs[r1] + regs[r2]; break; CASE_32_64(sub) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, t1 - t2); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = regs[r1] - regs[r2]; break; CASE_32_64(mul) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, t1 * t2); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = regs[r1] * regs[r2]; break; CASE_32_64(and) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, t1 & t2); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = regs[r1] & regs[r2]; break; CASE_32_64(or) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, t1 | t2); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = regs[r1] | regs[r2]; break; CASE_32_64(xor) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, t1 ^ t2); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = regs[r1] ^ regs[r2]; break; /* Arithmetic operations (32 bit). */ case INDEX_op_div_i32: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, (int32_t)t1 / (int32_t)t2); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = (int32_t)regs[r1] / (int32_t)regs[r2]; break; case INDEX_op_divu_i32: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, (uint32_t)t1 / (uint32_t)t2); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = (uint32_t)regs[r1] / (uint32_t)regs[r2]; break; case INDEX_op_rem_i32: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, (int32_t)t1 % (int32_t)t2); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = (int32_t)regs[r1] % (int32_t)regs[r2]; break; case INDEX_op_remu_i32: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, (uint32_t)t1 % (uint32_t)t2); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = (uint32_t)regs[r1] % (uint32_t)regs[r2]; break; /* Shift/rotate operations (32 bit). */ case INDEX_op_shl_i32: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, (uint32_t)t1 << (t2 & 31)); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = (uint32_t)regs[r1] << (regs[r2] & 31); break; case INDEX_op_shr_i32: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, (uint32_t)t1 >> (t2 & 31)); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = (uint32_t)regs[r1] >> (regs[r2] & 31); break; case INDEX_op_sar_i32: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, (int32_t)t1 >> (t2 & 31)); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = (int32_t)regs[r1] >> (regs[r2] & 31); break; #if TCG_TARGET_HAS_rot_i32 case INDEX_op_rotl_i32: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, rol32(t1, t2 & 31)); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = rol32(regs[r1], regs[r2] & 31); break; case INDEX_op_rotr_i32: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, ror32(t1, t2 & 31)); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = ror32(regs[r1], regs[r2] & 31); break; #endif #if TCG_TARGET_HAS_deposit_i32 case INDEX_op_deposit_i32: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tmp16 = *tb_ptr++; - tmp8 = *tb_ptr++; - tmp32 = (((1 << tmp8) - 1) << tmp16); - tci_write_reg(regs, t0, (t1 & ~tmp32) | ((t2 << tmp16) & tmp32)); + tci_args_rrrbb(&tb_ptr, &r0, &r1, &r2, &pos, &len); + regs[r0] = deposit32(regs[r1], pos, len, regs[r2]); break; #endif case INDEX_op_brcond_i32: - t0 = tci_read_r(regs, &tb_ptr); - t1 = tci_read_r(regs, &tb_ptr); - condition = *tb_ptr++; - label = tci_read_label(&tb_ptr); - if (tci_compare32(t0, t1, condition)) { - tci_assert(tb_ptr == old_code_ptr + op_size); - tb_ptr = (uint8_t *)label; - continue; + tci_args_rrcl(&tb_ptr, &r0, &r1, &condition, &ptr); + if (tci_compare32(regs[r0], regs[r1], condition)) { + tb_ptr = ptr; } break; #if TCG_TARGET_REG_BITS == 32 case INDEX_op_add2_i32: - t0 = *tb_ptr++; - t1 = *tb_ptr++; - tmp64 = tci_read_r64(regs, &tb_ptr); - tmp64 += tci_read_r64(regs, &tb_ptr); - tci_write_reg64(regs, t1, t0, tmp64); + tci_args_rrrrrr(&tb_ptr, &r0, &r1, &r2, &r3, &r4, &r5); + T1 = tci_uint64(regs[r3], regs[r2]); + T2 = tci_uint64(regs[r5], regs[r4]); + tci_write_reg64(regs, r1, r0, T1 + T2); break; case INDEX_op_sub2_i32: - t0 = *tb_ptr++; - t1 = *tb_ptr++; - tmp64 = tci_read_r64(regs, &tb_ptr); - tmp64 -= tci_read_r64(regs, &tb_ptr); - tci_write_reg64(regs, t1, t0, tmp64); + tci_args_rrrrrr(&tb_ptr, &r0, &r1, &r2, &r3, &r4, &r5); + T1 = tci_uint64(regs[r3], regs[r2]); + T2 = tci_uint64(regs[r5], regs[r4]); + tci_write_reg64(regs, r1, r0, T1 - T2); break; case INDEX_op_brcond2_i32: - tmp64 = tci_read_r64(regs, &tb_ptr); - v64 = tci_read_r64(regs, &tb_ptr); - condition = *tb_ptr++; - label = tci_read_label(&tb_ptr); - if (tci_compare64(tmp64, v64, condition)) { - tci_assert(tb_ptr == old_code_ptr + op_size); - tb_ptr = (uint8_t *)label; + tci_args_rrrrcl(&tb_ptr, &r0, &r1, &r2, &r3, &condition, &ptr); + T1 = tci_uint64(regs[r1], regs[r0]); + T2 = tci_uint64(regs[r3], regs[r2]); + if (tci_compare64(T1, T2, condition)) { + tb_ptr = ptr; continue; } break; case INDEX_op_mulu2_i32: - t0 = *tb_ptr++; - t1 = *tb_ptr++; - t2 = tci_read_r(regs, &tb_ptr); - tmp64 = (uint32_t)tci_read_r(regs, &tb_ptr); - tci_write_reg64(regs, t1, t0, (uint32_t)t2 * tmp64); + tci_args_rrrr(&tb_ptr, &r0, &r1, &r2, &r3); + tci_write_reg64(regs, r1, r0, (uint64_t)regs[r2] * regs[r3]); break; #endif /* TCG_TARGET_REG_BITS == 32 */ #if TCG_TARGET_HAS_ext8s_i32 || TCG_TARGET_HAS_ext8s_i64 CASE_32_64(ext8s) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, (int8_t)t1); + tci_args_rr(&tb_ptr, &r0, &r1); + regs[r0] = (int8_t)regs[r1]; break; #endif #if TCG_TARGET_HAS_ext16s_i32 || TCG_TARGET_HAS_ext16s_i64 CASE_32_64(ext16s) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, (int16_t)t1); + tci_args_rr(&tb_ptr, &r0, &r1); + regs[r0] = (int16_t)regs[r1]; break; #endif #if TCG_TARGET_HAS_ext8u_i32 || TCG_TARGET_HAS_ext8u_i64 CASE_32_64(ext8u) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, (uint8_t)t1); + tci_args_rr(&tb_ptr, &r0, &r1); + regs[r0] = (uint8_t)regs[r1]; break; #endif #if TCG_TARGET_HAS_ext16u_i32 || TCG_TARGET_HAS_ext16u_i64 CASE_32_64(ext16u) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, (uint16_t)t1); + tci_args_rr(&tb_ptr, &r0, &r1); + regs[r0] = (uint16_t)regs[r1]; break; #endif #if TCG_TARGET_HAS_bswap16_i32 || TCG_TARGET_HAS_bswap16_i64 CASE_32_64(bswap16) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, bswap16(t1)); + tci_args_rr(&tb_ptr, &r0, &r1); + regs[r0] = bswap16(regs[r1]); break; #endif #if TCG_TARGET_HAS_bswap32_i32 || TCG_TARGET_HAS_bswap32_i64 CASE_32_64(bswap32) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, bswap32(t1)); + tci_args_rr(&tb_ptr, &r0, &r1); + regs[r0] = bswap32(regs[r1]); break; #endif #if TCG_TARGET_HAS_not_i32 || TCG_TARGET_HAS_not_i64 CASE_32_64(not) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, ~t1); + tci_args_rr(&tb_ptr, &r0, &r1); + regs[r0] = ~regs[r1]; break; #endif #if TCG_TARGET_HAS_neg_i32 || TCG_TARGET_HAS_neg_i64 CASE_32_64(neg) - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, -t1); + tci_args_rr(&tb_ptr, &r0, &r1); + regs[r0] = -regs[r1]; break; #endif #if TCG_TARGET_REG_BITS == 64 case INDEX_op_tci_movi_i64: - t0 = *tb_ptr++; - t1 = tci_read_i64(&tb_ptr); - tci_write_reg(regs, t0, t1); + tci_args_rI(&tb_ptr, &r0, &t1); + regs[r0] = t1; break; /* Load/store operations (64 bit). */ case INDEX_op_ld32s_i64: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_s32(&tb_ptr); - tci_write_reg(regs, t0, *(int32_t *)(t1 + t2)); + tci_args_rrs(&tb_ptr, &r0, &r1, &ofs); + ptr = (void *)(regs[r1] + ofs); + regs[r0] = *(int32_t *)ptr; break; case INDEX_op_ld_i64: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_s32(&tb_ptr); - tci_write_reg(regs, t0, *(uint64_t *)(t1 + t2)); + tci_args_rrs(&tb_ptr, &r0, &r1, &ofs); + ptr = (void *)(regs[r1] + ofs); + regs[r0] = *(uint64_t *)ptr; break; case INDEX_op_st_i64: - t0 = tci_read_r(regs, &tb_ptr); - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_s32(&tb_ptr); - *(uint64_t *)(t1 + t2) = t0; + tci_args_rrs(&tb_ptr, &r0, &r1, &ofs); + ptr = (void *)(regs[r1] + ofs); + *(uint64_t *)ptr = regs[r0]; break; /* Arithmetic operations (64 bit). */ case INDEX_op_div_i64: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, (int64_t)t1 / (int64_t)t2); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = (int64_t)regs[r1] / (int64_t)regs[r2]; break; case INDEX_op_divu_i64: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, (uint64_t)t1 / (uint64_t)t2); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = (uint64_t)regs[r1] / (uint64_t)regs[r2]; break; case INDEX_op_rem_i64: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, (int64_t)t1 % (int64_t)t2); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = (int64_t)regs[r1] % (int64_t)regs[r2]; break; case INDEX_op_remu_i64: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, (uint64_t)t1 % (uint64_t)t2); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = (uint64_t)regs[r1] % (uint64_t)regs[r2]; break; /* Shift/rotate operations (64 bit). */ case INDEX_op_shl_i64: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, t1 << (t2 & 63)); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = regs[r1] << (regs[r2] & 63); break; case INDEX_op_shr_i64: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, t1 >> (t2 & 63)); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = regs[r1] >> (regs[r2] & 63); break; case INDEX_op_sar_i64: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, ((int64_t)t1 >> (t2 & 63))); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = (int64_t)regs[r1] >> (regs[r2] & 63); break; #if TCG_TARGET_HAS_rot_i64 case INDEX_op_rotl_i64: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, rol64(t1, t2 & 63)); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = rol64(regs[r1], regs[r2] & 63); break; case INDEX_op_rotr_i64: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, ror64(t1, t2 & 63)); + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + regs[r0] = ror64(regs[r1], regs[r2] & 63); break; #endif #if TCG_TARGET_HAS_deposit_i64 case INDEX_op_deposit_i64: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - t2 = tci_read_r(regs, &tb_ptr); - tmp16 = *tb_ptr++; - tmp8 = *tb_ptr++; - tmp64 = (((1ULL << tmp8) - 1) << tmp16); - tci_write_reg(regs, t0, (t1 & ~tmp64) | ((t2 << tmp16) & tmp64)); + tci_args_rrrbb(&tb_ptr, &r0, &r1, &r2, &pos, &len); + regs[r0] = deposit64(regs[r1], pos, len, regs[r2]); break; #endif case INDEX_op_brcond_i64: - t0 = tci_read_r(regs, &tb_ptr); - t1 = tci_read_r(regs, &tb_ptr); - condition = *tb_ptr++; - label = tci_read_label(&tb_ptr); - if (tci_compare64(t0, t1, condition)) { - tci_assert(tb_ptr == old_code_ptr + op_size); - tb_ptr = (uint8_t *)label; - continue; + tci_args_rrcl(&tb_ptr, &r0, &r1, &condition, &ptr); + if (tci_compare64(regs[r0], regs[r1], condition)) { + tb_ptr = ptr; } break; -#if TCG_TARGET_HAS_ext32s_i64 case INDEX_op_ext32s_i64: -#endif case INDEX_op_ext_i32_i64: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, (int32_t)t1); + tci_args_rr(&tb_ptr, &r0, &r1); + regs[r0] = (int32_t)regs[r1]; break; -#if TCG_TARGET_HAS_ext32u_i64 case INDEX_op_ext32u_i64: -#endif case INDEX_op_extu_i32_i64: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, (uint32_t)t1); + tci_args_rr(&tb_ptr, &r0, &r1); + regs[r0] = (uint32_t)regs[r1]; break; #if TCG_TARGET_HAS_bswap64_i64 case INDEX_op_bswap64_i64: - t0 = *tb_ptr++; - t1 = tci_read_r(regs, &tb_ptr); - tci_write_reg(regs, t0, bswap64(t1)); + tci_args_rr(&tb_ptr, &r0, &r1); + regs[r0] = bswap64(regs[r1]); break; #endif #endif /* TCG_TARGET_REG_BITS == 64 */ @@ -802,21 +875,22 @@ uintptr_t QEMU_DISABLE_CFI tcg_qemu_tb_exec(CPUArchState *env, /* QEMU specific operations. */ case INDEX_op_exit_tb: - ret = *(uint64_t *)tb_ptr; - goto exit; - break; + tci_args_l(&tb_ptr, &ptr); + return (uintptr_t)ptr; + case INDEX_op_goto_tb: - /* Jump address is aligned */ - tb_ptr = QEMU_ALIGN_PTR_UP(tb_ptr, 4); - t0 = qatomic_read((int32_t *)tb_ptr); - tb_ptr += sizeof(int32_t); - tci_assert(tb_ptr == old_code_ptr + op_size); - tb_ptr += (int32_t)t0; - continue; + tci_args_l(&tb_ptr, &ptr); + tb_ptr = *(void **)ptr; + break; + case INDEX_op_qemu_ld_i32: - t0 = *tb_ptr++; - taddr = tci_read_ulong(regs, &tb_ptr); - oi = tci_read_i(&tb_ptr); + if (TARGET_LONG_BITS <= TCG_TARGET_REG_BITS) { + tci_args_rrm(&tb_ptr, &r0, &r1, &oi); + taddr = regs[r1]; + } else { + tci_args_rrrm(&tb_ptr, &r0, &r1, &r2, &oi); + taddr = tci_uint64(regs[r2], regs[r1]); + } switch (get_memop(oi) & (MO_BSWAP | MO_SSIZE)) { case MO_UB: tmp32 = qemu_ld_ub; @@ -845,15 +919,20 @@ uintptr_t QEMU_DISABLE_CFI tcg_qemu_tb_exec(CPUArchState *env, default: g_assert_not_reached(); } - tci_write_reg(regs, t0, tmp32); + regs[r0] = tmp32; break; + case INDEX_op_qemu_ld_i64: - t0 = *tb_ptr++; - if (TCG_TARGET_REG_BITS == 32) { - t1 = *tb_ptr++; + if (TCG_TARGET_REG_BITS == 64) { + tci_args_rrm(&tb_ptr, &r0, &r1, &oi); + taddr = regs[r1]; + } else if (TARGET_LONG_BITS <= TCG_TARGET_REG_BITS) { + tci_args_rrrm(&tb_ptr, &r0, &r1, &r2, &oi); + taddr = regs[r2]; + } else { + tci_args_rrrrm(&tb_ptr, &r0, &r1, &r2, &r3, &oi); + taddr = tci_uint64(regs[r3], regs[r2]); } - taddr = tci_read_ulong(regs, &tb_ptr); - oi = tci_read_i(&tb_ptr); switch (get_memop(oi) & (MO_BSWAP | MO_SSIZE)) { case MO_UB: tmp64 = qemu_ld_ub; @@ -894,39 +973,58 @@ uintptr_t QEMU_DISABLE_CFI tcg_qemu_tb_exec(CPUArchState *env, default: g_assert_not_reached(); } - tci_write_reg(regs, t0, tmp64); if (TCG_TARGET_REG_BITS == 32) { - tci_write_reg(regs, t1, tmp64 >> 32); + tci_write_reg64(regs, r1, r0, tmp64); + } else { + regs[r0] = tmp64; } break; + case INDEX_op_qemu_st_i32: - t0 = tci_read_r(regs, &tb_ptr); - taddr = tci_read_ulong(regs, &tb_ptr); - oi = tci_read_i(&tb_ptr); + if (TARGET_LONG_BITS <= TCG_TARGET_REG_BITS) { + tci_args_rrm(&tb_ptr, &r0, &r1, &oi); + taddr = regs[r1]; + } else { + tci_args_rrrm(&tb_ptr, &r0, &r1, &r2, &oi); + taddr = tci_uint64(regs[r2], regs[r1]); + } + tmp32 = regs[r0]; switch (get_memop(oi) & (MO_BSWAP | MO_SIZE)) { case MO_UB: - qemu_st_b(t0); + qemu_st_b(tmp32); break; case MO_LEUW: - qemu_st_lew(t0); + qemu_st_lew(tmp32); break; case MO_LEUL: - qemu_st_lel(t0); + qemu_st_lel(tmp32); break; case MO_BEUW: - qemu_st_bew(t0); + qemu_st_bew(tmp32); break; case MO_BEUL: - qemu_st_bel(t0); + qemu_st_bel(tmp32); break; default: g_assert_not_reached(); } break; + case INDEX_op_qemu_st_i64: - tmp64 = tci_read_r64(regs, &tb_ptr); - taddr = tci_read_ulong(regs, &tb_ptr); - oi = tci_read_i(&tb_ptr); + if (TCG_TARGET_REG_BITS == 64) { + tci_args_rrm(&tb_ptr, &r0, &r1, &oi); + taddr = regs[r1]; + tmp64 = regs[r0]; + } else { + if (TARGET_LONG_BITS <= TCG_TARGET_REG_BITS) { + tci_args_rrrm(&tb_ptr, &r0, &r1, &r2, &oi); + taddr = regs[r2]; + } else { + tci_args_rrrrm(&tb_ptr, &r0, &r1, &r2, &r3, &oi); + taddr = tci_uint64(regs[r3], regs[r2]); + } + tmp64 = tci_uint64(regs[r1], regs[r0]); + } switch (get_memop(oi) & (MO_BSWAP | MO_SIZE)) { case MO_UB: qemu_st_b(tmp64); @@ -953,6 +1051,7 @@ uintptr_t QEMU_DISABLE_CFI tcg_qemu_tb_exec(CPUArchState *env, g_assert_not_reached(); } break; + case INDEX_op_mb: /* Ensure ordering for all kinds */ smp_mb(); @@ -960,8 +1059,288 @@ uintptr_t QEMU_DISABLE_CFI tcg_qemu_tb_exec(CPUArchState *env, default: g_assert_not_reached(); } - tci_assert(tb_ptr == old_code_ptr + op_size); } -exit: - return ret; +} + +/* + * Disassembler that matches the interpreter + */ + +static const char *str_r(TCGReg r) +{ + static const char regs[TCG_TARGET_NB_REGS][4] = { + "r0", "r1", "r2", "r3", "r4", "r5", "r6", "r7", + "r8", "r9", "r10", "r11", "r12", "r13", "env", "sp" + }; + + QEMU_BUILD_BUG_ON(TCG_AREG0 != TCG_REG_R14); + QEMU_BUILD_BUG_ON(TCG_REG_CALL_STACK != TCG_REG_R15); + + assert((unsigned)r < TCG_TARGET_NB_REGS); + return regs[r]; +} + +static const char *str_c(TCGCond c) +{ + static const char cond[16][8] = { + [TCG_COND_NEVER] = "never", + [TCG_COND_ALWAYS] = "always", + [TCG_COND_EQ] = "eq", + [TCG_COND_NE] = "ne", + [TCG_COND_LT] = "lt", + [TCG_COND_GE] = "ge", + [TCG_COND_LE] = "le", + [TCG_COND_GT] = "gt", + [TCG_COND_LTU] = "ltu", + [TCG_COND_GEU] = "geu", + [TCG_COND_LEU] = "leu", + [TCG_COND_GTU] = "gtu", + }; + + assert((unsigned)c < ARRAY_SIZE(cond)); + assert(cond[c][0] != 0); + return cond[c]; +} + +/* Disassemble TCI bytecode. */ +int print_insn_tci(bfd_vma addr, disassemble_info *info) +{ + uint8_t buf[256]; + int length, status; + const TCGOpDef *def; + const char *op_name; + TCGOpcode op; + TCGReg r0, r1, r2, r3; +#if TCG_TARGET_REG_BITS == 32 + TCGReg r4, r5; +#endif + tcg_target_ulong i1; + int32_t s2; + TCGCond c; + TCGMemOpIdx oi; + uint8_t pos, len; + void *ptr; + const uint8_t *tb_ptr; + + status = info->read_memory_func(addr, buf, 2, info); + if (status != 0) { + info->memory_error_func(status, addr, info); + return -1; + } + op = buf[0]; + length = buf[1]; + + if (length < 2) { + info->fprintf_func(info->stream, "invalid length %d", length); + return 1; + } + + status = info->read_memory_func(addr + 2, buf + 2, length - 2, info); + if (status != 0) { + info->memory_error_func(status, addr + 2, info); + return -1; + } + + def = &tcg_op_defs[op]; + op_name = def->name; + tb_ptr = buf + 2; + + switch (op) { + case INDEX_op_br: + case INDEX_op_call: + case INDEX_op_exit_tb: + case INDEX_op_goto_tb: + tci_args_l(&tb_ptr, &ptr); + info->fprintf_func(info->stream, "%-12s %p", op_name, ptr); + break; + + case INDEX_op_brcond_i32: + case INDEX_op_brcond_i64: + tci_args_rrcl(&tb_ptr, &r0, &r1, &c, &ptr); + info->fprintf_func(info->stream, "%-12s %s, %s, %s, %p", + op_name, str_r(r0), str_r(r1), str_c(c), ptr); + break; + + case INDEX_op_setcond_i32: + case INDEX_op_setcond_i64: + tci_args_rrrc(&tb_ptr, &r0, &r1, &r2, &c); + info->fprintf_func(info->stream, "%-12s %s, %s, %s, %s", + op_name, str_r(r0), str_r(r1), str_r(r2), str_c(c)); + break; + + case INDEX_op_tci_movi_i32: + tci_args_ri(&tb_ptr, &r0, &i1); + info->fprintf_func(info->stream, "%-12s %s, 0x%" TCG_PRIlx, + op_name, str_r(r0), i1); + break; + +#if TCG_TARGET_REG_BITS == 64 + case INDEX_op_tci_movi_i64: + tci_args_rI(&tb_ptr, &r0, &i1); + info->fprintf_func(info->stream, "%-12s %s, 0x%" TCG_PRIlx, + op_name, str_r(r0), i1); + break; +#endif + + case INDEX_op_ld8u_i32: + case INDEX_op_ld8u_i64: + case INDEX_op_ld8s_i32: + case INDEX_op_ld8s_i64: + case INDEX_op_ld16u_i32: + case INDEX_op_ld16u_i64: + case INDEX_op_ld16s_i32: + case INDEX_op_ld16s_i64: + case INDEX_op_ld32u_i64: + case INDEX_op_ld32s_i64: + case INDEX_op_ld_i32: + case INDEX_op_ld_i64: + case INDEX_op_st8_i32: + case INDEX_op_st8_i64: + case INDEX_op_st16_i32: + case INDEX_op_st16_i64: + case INDEX_op_st32_i64: + case INDEX_op_st_i32: + case INDEX_op_st_i64: + tci_args_rrs(&tb_ptr, &r0, &r1, &s2); + info->fprintf_func(info->stream, "%-12s %s, %s, %d", + op_name, str_r(r0), str_r(r1), s2); + break; + + case INDEX_op_mov_i32: + case INDEX_op_mov_i64: + case INDEX_op_ext8s_i32: + case INDEX_op_ext8s_i64: + case INDEX_op_ext8u_i32: + case INDEX_op_ext8u_i64: + case INDEX_op_ext16s_i32: + case INDEX_op_ext16s_i64: + case INDEX_op_ext16u_i32: + case INDEX_op_ext32s_i64: + case INDEX_op_ext32u_i64: + case INDEX_op_ext_i32_i64: + case INDEX_op_extu_i32_i64: + case INDEX_op_bswap16_i32: + case INDEX_op_bswap16_i64: + case INDEX_op_bswap32_i32: + case INDEX_op_bswap32_i64: + case INDEX_op_bswap64_i64: + case INDEX_op_not_i32: + case INDEX_op_not_i64: + case INDEX_op_neg_i32: + case INDEX_op_neg_i64: + tci_args_rr(&tb_ptr, &r0, &r1); + info->fprintf_func(info->stream, "%-12s %s, %s", + op_name, str_r(r0), str_r(r1)); + break; + + case INDEX_op_add_i32: + case INDEX_op_add_i64: + case INDEX_op_sub_i32: + case INDEX_op_sub_i64: + case INDEX_op_mul_i32: + case INDEX_op_mul_i64: + case INDEX_op_and_i32: + case INDEX_op_and_i64: + case INDEX_op_or_i32: + case INDEX_op_or_i64: + case INDEX_op_xor_i32: + case INDEX_op_xor_i64: + case INDEX_op_div_i32: + case INDEX_op_div_i64: + case INDEX_op_rem_i32: + case INDEX_op_rem_i64: + case INDEX_op_divu_i32: + case INDEX_op_divu_i64: + case INDEX_op_remu_i32: + case INDEX_op_remu_i64: + case INDEX_op_shl_i32: + case INDEX_op_shl_i64: + case INDEX_op_shr_i32: + case INDEX_op_shr_i64: + case INDEX_op_sar_i32: + case INDEX_op_sar_i64: + case INDEX_op_rotl_i32: + case INDEX_op_rotl_i64: + case INDEX_op_rotr_i32: + case INDEX_op_rotr_i64: + tci_args_rrr(&tb_ptr, &r0, &r1, &r2); + info->fprintf_func(info->stream, "%-12s %s, %s, %s", + op_name, str_r(r0), str_r(r1), str_r(r2)); + break; + + case INDEX_op_deposit_i32: + case INDEX_op_deposit_i64: + tci_args_rrrbb(&tb_ptr, &r0, &r1, &r2, &pos, &len); + info->fprintf_func(info->stream, "%-12s %s, %s, %s, %d, %d", + op_name, str_r(r0), str_r(r1), str_r(r2), pos, len); + break; + +#if TCG_TARGET_REG_BITS == 32 + case INDEX_op_setcond2_i32: + tci_args_rrrrrc(&tb_ptr, &r0, &r1, &r2, &r3, &r4, &c); + info->fprintf_func(info->stream, "%-12s %s, %s, %s, %s, %s, %s", + op_name, str_r(r0), str_r(r1), str_r(r2), + str_r(r3), str_r(r4), str_c(c)); + break; + + case INDEX_op_brcond2_i32: + tci_args_rrrrcl(&tb_ptr, &r0, &r1, &r2, &r3, &c, &ptr); + info->fprintf_func(info->stream, "%-12s %s, %s, %s, %s, %s, %p", + op_name, str_r(r0), str_r(r1), + str_r(r2), str_r(r3), str_c(c), ptr); + break; + + case INDEX_op_mulu2_i32: + tci_args_rrrr(&tb_ptr, &r0, &r1, &r2, &r3); + info->fprintf_func(info->stream, "%-12s %s, %s, %s, %s", + op_name, str_r(r0), str_r(r1), + str_r(r2), str_r(r3)); + break; + + case INDEX_op_add2_i32: + case INDEX_op_sub2_i32: + tci_args_rrrrrr(&tb_ptr, &r0, &r1, &r2, &r3, &r4, &r5); + info->fprintf_func(info->stream, "%-12s %s, %s, %s, %s, %s, %s", + op_name, str_r(r0), str_r(r1), str_r(r2), + str_r(r3), str_r(r4), str_r(r5)); + break; +#endif + + case INDEX_op_qemu_ld_i64: + case INDEX_op_qemu_st_i64: + len = DIV_ROUND_UP(64, TCG_TARGET_REG_BITS); + goto do_qemu_ldst; + case INDEX_op_qemu_ld_i32: + case INDEX_op_qemu_st_i32: + len = 1; + do_qemu_ldst: + len += DIV_ROUND_UP(TARGET_LONG_BITS, TCG_TARGET_REG_BITS); + switch (len) { + case 2: + tci_args_rrm(&tb_ptr, &r0, &r1, &oi); + info->fprintf_func(info->stream, "%-12s %s, %s, %x", + op_name, str_r(r0), str_r(r1), oi); + break; + case 3: + tci_args_rrrm(&tb_ptr, &r0, &r1, &r2, &oi); + info->fprintf_func(info->stream, "%-12s %s, %s, %s, %x", + op_name, str_r(r0), str_r(r1), str_r(r2), oi); + break; + case 4: + tci_args_rrrrm(&tb_ptr, &r0, &r1, &r2, &r3, &oi); + info->fprintf_func(info->stream, "%-12s %s, %s, %s, %s, %x", + op_name, str_r(r0), str_r(r1), + str_r(r2), str_r(r3), oi); + break; + default: + g_assert_not_reached(); + } + break; + + default: + info->fprintf_func(info->stream, "illegal opcode %d", op); + break; + } + + return length; } diff --git a/tcg/tci/tcg-target-con-set.h b/tcg/tci/tcg-target-con-set.h index f51b7bc..316730f 100644 --- a/tcg/tci/tcg-target-con-set.h +++ b/tcg/tci/tcg-target-con-set.h @@ -13,7 +13,6 @@ C_O0_I2(r, r) C_O0_I3(r, r, r) C_O0_I4(r, r, r, r) C_O1_I1(r, r) -C_O1_I2(r, 0, r) C_O1_I2(r, r, r) C_O1_I4(r, r, r, r, r) C_O2_I1(r, r, r) diff --git a/tcg/tci/tcg-target.c.inc b/tcg/tci/tcg-target.c.inc index c79f9c3..ee6cdfe 100644 --- a/tcg/tci/tcg-target.c.inc +++ b/tcg/tci/tcg-target.c.inc @@ -126,11 +126,9 @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode op) case INDEX_op_rotr_i64: case INDEX_op_setcond_i32: case INDEX_op_setcond_i64: - return C_O1_I2(r, r, r); - case INDEX_op_deposit_i32: case INDEX_op_deposit_i64: - return C_O1_I2(r, 0, r); + return C_O1_I2(r, r, r); case INDEX_op_brcond_i32: case INDEX_op_brcond_i64: @@ -255,16 +253,6 @@ static bool patch_reloc(tcg_insn_unit *code_ptr, int type, return true; } -#if defined(CONFIG_DEBUG_TCG_INTERPRETER) -/* Show current bytecode. Used by tcg interpreter. */ -void tci_disas(uint8_t opc) -{ - const TCGOpDef *def = &tcg_op_defs[opc]; - fprintf(stderr, "TCG %s %u, %u, %u\n", - def->name, def->nb_oargs, def->nb_iargs, def->nb_cargs); -} -#endif - /* Write value (native size). */ static void tcg_out_i(TCGContext *s, tcg_target_ulong v) { @@ -309,67 +297,300 @@ static void stack_bounds_check(TCGReg base, target_long offset) } } -static void tcg_out_ld(TCGContext *s, TCGType type, TCGReg ret, TCGReg arg1, - intptr_t arg2) +static void tcg_out_op_l(TCGContext *s, TCGOpcode op, TCGLabel *l0) { uint8_t *old_code_ptr = s->code_ptr; - stack_bounds_check(arg1, arg2); - if (type == TCG_TYPE_I32) { - tcg_out_op_t(s, INDEX_op_ld_i32); - tcg_out_r(s, ret); - tcg_out_r(s, arg1); - tcg_out32(s, arg2); - } else { - tcg_debug_assert(type == TCG_TYPE_I64); + tcg_out_op_t(s, op); + tci_out_label(s, l0); + + old_code_ptr[1] = s->code_ptr - old_code_ptr; +} + +static void tcg_out_op_p(TCGContext *s, TCGOpcode op, void *p0) +{ + uint8_t *old_code_ptr = s->code_ptr; + + tcg_out_op_t(s, op); + tcg_out_i(s, (uintptr_t)p0); + + old_code_ptr[1] = s->code_ptr - old_code_ptr; +} + +static void tcg_out_op_v(TCGContext *s, TCGOpcode op) +{ + uint8_t *old_code_ptr = s->code_ptr; + + tcg_out_op_t(s, op); + + old_code_ptr[1] = s->code_ptr - old_code_ptr; +} + +static void tcg_out_op_ri(TCGContext *s, TCGOpcode op, TCGReg r0, int32_t i1) +{ + uint8_t *old_code_ptr = s->code_ptr; + + tcg_out_op_t(s, op); + tcg_out_r(s, r0); + tcg_out32(s, i1); + + old_code_ptr[1] = s->code_ptr - old_code_ptr; +} + #if TCG_TARGET_REG_BITS == 64 - tcg_out_op_t(s, INDEX_op_ld_i64); - tcg_out_r(s, ret); - tcg_out_r(s, arg1); - tcg_debug_assert(arg2 == (int32_t)arg2); - tcg_out32(s, arg2); -#else - TODO(); +static void tcg_out_op_rI(TCGContext *s, TCGOpcode op, + TCGReg r0, uint64_t i1) +{ + uint8_t *old_code_ptr = s->code_ptr; + + tcg_out_op_t(s, op); + tcg_out_r(s, r0); + tcg_out64(s, i1); + + old_code_ptr[1] = s->code_ptr - old_code_ptr; +} #endif - } + +static void tcg_out_op_rr(TCGContext *s, TCGOpcode op, TCGReg r0, TCGReg r1) +{ + uint8_t *old_code_ptr = s->code_ptr; + + tcg_out_op_t(s, op); + tcg_out_r(s, r0); + tcg_out_r(s, r1); + old_code_ptr[1] = s->code_ptr - old_code_ptr; } -static bool tcg_out_mov(TCGContext *s, TCGType type, TCGReg ret, TCGReg arg) +static void tcg_out_op_rrm(TCGContext *s, TCGOpcode op, + TCGReg r0, TCGReg r1, TCGArg m2) +{ + uint8_t *old_code_ptr = s->code_ptr; + + tcg_out_op_t(s, op); + tcg_out_r(s, r0); + tcg_out_r(s, r1); + tcg_out32(s, m2); + + old_code_ptr[1] = s->code_ptr - old_code_ptr; +} + +static void tcg_out_op_rrr(TCGContext *s, TCGOpcode op, + TCGReg r0, TCGReg r1, TCGReg r2) +{ + uint8_t *old_code_ptr = s->code_ptr; + + tcg_out_op_t(s, op); + tcg_out_r(s, r0); + tcg_out_r(s, r1); + tcg_out_r(s, r2); + + old_code_ptr[1] = s->code_ptr - old_code_ptr; +} + +static void tcg_out_op_rrs(TCGContext *s, TCGOpcode op, + TCGReg r0, TCGReg r1, intptr_t i2) +{ + uint8_t *old_code_ptr = s->code_ptr; + + tcg_out_op_t(s, op); + tcg_out_r(s, r0); + tcg_out_r(s, r1); + tcg_debug_assert(i2 == (int32_t)i2); + tcg_out32(s, i2); + + old_code_ptr[1] = s->code_ptr - old_code_ptr; +} + +static void tcg_out_op_rrcl(TCGContext *s, TCGOpcode op, + TCGReg r0, TCGReg r1, TCGCond c2, TCGLabel *l3) +{ + uint8_t *old_code_ptr = s->code_ptr; + + tcg_out_op_t(s, op); + tcg_out_r(s, r0); + tcg_out_r(s, r1); + tcg_out8(s, c2); + tci_out_label(s, l3); + + old_code_ptr[1] = s->code_ptr - old_code_ptr; +} + +static void tcg_out_op_rrrc(TCGContext *s, TCGOpcode op, + TCGReg r0, TCGReg r1, TCGReg r2, TCGCond c3) +{ + uint8_t *old_code_ptr = s->code_ptr; + + tcg_out_op_t(s, op); + tcg_out_r(s, r0); + tcg_out_r(s, r1); + tcg_out_r(s, r2); + tcg_out8(s, c3); + + old_code_ptr[1] = s->code_ptr - old_code_ptr; +} + +static void tcg_out_op_rrrm(TCGContext *s, TCGOpcode op, + TCGReg r0, TCGReg r1, TCGReg r2, TCGArg m3) +{ + uint8_t *old_code_ptr = s->code_ptr; + + tcg_out_op_t(s, op); + tcg_out_r(s, r0); + tcg_out_r(s, r1); + tcg_out_r(s, r2); + tcg_out32(s, m3); + + old_code_ptr[1] = s->code_ptr - old_code_ptr; +} + +static void tcg_out_op_rrrbb(TCGContext *s, TCGOpcode op, TCGReg r0, + TCGReg r1, TCGReg r2, uint8_t b3, uint8_t b4) { uint8_t *old_code_ptr = s->code_ptr; - tcg_debug_assert(ret != arg); + + tcg_out_op_t(s, op); + tcg_out_r(s, r0); + tcg_out_r(s, r1); + tcg_out_r(s, r2); + tcg_out8(s, b3); + tcg_out8(s, b4); + + old_code_ptr[1] = s->code_ptr - old_code_ptr; +} + +static void tcg_out_op_rrrrm(TCGContext *s, TCGOpcode op, TCGReg r0, + TCGReg r1, TCGReg r2, TCGReg r3, TCGArg m4) +{ + uint8_t *old_code_ptr = s->code_ptr; + + tcg_out_op_t(s, op); + tcg_out_r(s, r0); + tcg_out_r(s, r1); + tcg_out_r(s, r2); + tcg_out_r(s, r3); + tcg_out32(s, m4); + + old_code_ptr[1] = s->code_ptr - old_code_ptr; +} + #if TCG_TARGET_REG_BITS == 32 - tcg_out_op_t(s, INDEX_op_mov_i32); -#else - tcg_out_op_t(s, INDEX_op_mov_i64); -#endif - tcg_out_r(s, ret); - tcg_out_r(s, arg); +static void tcg_out_op_rrrr(TCGContext *s, TCGOpcode op, + TCGReg r0, TCGReg r1, TCGReg r2, TCGReg r3) +{ + uint8_t *old_code_ptr = s->code_ptr; + + tcg_out_op_t(s, op); + tcg_out_r(s, r0); + tcg_out_r(s, r1); + tcg_out_r(s, r2); + tcg_out_r(s, r3); + old_code_ptr[1] = s->code_ptr - old_code_ptr; +} + +static void tcg_out_op_rrrrcl(TCGContext *s, TCGOpcode op, + TCGReg r0, TCGReg r1, TCGReg r2, TCGReg r3, + TCGCond c4, TCGLabel *l5) +{ + uint8_t *old_code_ptr = s->code_ptr; + + tcg_out_op_t(s, op); + tcg_out_r(s, r0); + tcg_out_r(s, r1); + tcg_out_r(s, r2); + tcg_out_r(s, r3); + tcg_out8(s, c4); + tci_out_label(s, l5); + + old_code_ptr[1] = s->code_ptr - old_code_ptr; +} + +static void tcg_out_op_rrrrrc(TCGContext *s, TCGOpcode op, + TCGReg r0, TCGReg r1, TCGReg r2, + TCGReg r3, TCGReg r4, TCGCond c5) +{ + uint8_t *old_code_ptr = s->code_ptr; + + tcg_out_op_t(s, op); + tcg_out_r(s, r0); + tcg_out_r(s, r1); + tcg_out_r(s, r2); + tcg_out_r(s, r3); + tcg_out_r(s, r4); + tcg_out8(s, c5); + + old_code_ptr[1] = s->code_ptr - old_code_ptr; +} + +static void tcg_out_op_rrrrrr(TCGContext *s, TCGOpcode op, + TCGReg r0, TCGReg r1, TCGReg r2, + TCGReg r3, TCGReg r4, TCGReg r5) +{ + uint8_t *old_code_ptr = s->code_ptr; + + tcg_out_op_t(s, op); + tcg_out_r(s, r0); + tcg_out_r(s, r1); + tcg_out_r(s, r2); + tcg_out_r(s, r3); + tcg_out_r(s, r4); + tcg_out_r(s, r5); + + old_code_ptr[1] = s->code_ptr - old_code_ptr; +} +#endif + +static void tcg_out_ld(TCGContext *s, TCGType type, TCGReg val, TCGReg base, + intptr_t offset) +{ + stack_bounds_check(base, offset); + switch (type) { + case TCG_TYPE_I32: + tcg_out_op_rrs(s, INDEX_op_ld_i32, val, base, offset); + break; +#if TCG_TARGET_REG_BITS == 64 + case TCG_TYPE_I64: + tcg_out_op_rrs(s, INDEX_op_ld_i64, val, base, offset); + break; +#endif + default: + g_assert_not_reached(); + } +} + +static bool tcg_out_mov(TCGContext *s, TCGType type, TCGReg ret, TCGReg arg) +{ + switch (type) { + case TCG_TYPE_I32: + tcg_out_op_rr(s, INDEX_op_mov_i32, ret, arg); + break; +#if TCG_TARGET_REG_BITS == 64 + case TCG_TYPE_I64: + tcg_out_op_rr(s, INDEX_op_mov_i64, ret, arg); + break; +#endif + default: + g_assert_not_reached(); + } return true; } static void tcg_out_movi(TCGContext *s, TCGType type, - TCGReg t0, tcg_target_long arg) + TCGReg ret, tcg_target_long arg) { - uint8_t *old_code_ptr = s->code_ptr; - uint32_t arg32 = arg; - if (type == TCG_TYPE_I32 || arg == arg32) { - tcg_out_op_t(s, INDEX_op_tci_movi_i32); - tcg_out_r(s, t0); - tcg_out32(s, arg32); - } else { - tcg_debug_assert(type == TCG_TYPE_I64); + switch (type) { + case TCG_TYPE_I32: + tcg_out_op_ri(s, INDEX_op_tci_movi_i32, ret, arg); + break; #if TCG_TARGET_REG_BITS == 64 - tcg_out_op_t(s, INDEX_op_tci_movi_i64); - tcg_out_r(s, t0); - tcg_out64(s, arg); -#else - TODO(); + case TCG_TYPE_I64: + tcg_out_op_rI(s, INDEX_op_tci_movi_i64, ret, arg); + break; #endif + default: + g_assert_not_reached(); } - old_code_ptr[1] = s->code_ptr - old_code_ptr; } static inline void tcg_out_call(TCGContext *s, const tcg_insn_unit *arg) @@ -392,52 +613,34 @@ static inline void tcg_out_call(TCGContext *s, const tcg_insn_unit *arg) # define CASE_64(x) #endif -static void tcg_out_op(TCGContext *s, TCGOpcode opc, const TCGArg *args, - const int *const_args) +static void tcg_out_op(TCGContext *s, TCGOpcode opc, + const TCGArg args[TCG_MAX_OP_ARGS], + const int const_args[TCG_MAX_OP_ARGS]) { - uint8_t *old_code_ptr = s->code_ptr; - - tcg_out_op_t(s, opc); - switch (opc) { case INDEX_op_exit_tb: - tcg_out64(s, args[0]); + tcg_out_op_p(s, opc, (void *)args[0]); break; case INDEX_op_goto_tb: - if (s->tb_jmp_insn_offset) { - /* Direct jump method. */ - /* Align for atomic patching and thread safety */ - s->code_ptr = QEMU_ALIGN_PTR_UP(s->code_ptr, 4); - s->tb_jmp_insn_offset[args[0]] = tcg_current_code_size(s); - tcg_out32(s, 0); - } else { - /* Indirect jump method. */ - TODO(); - } + tcg_debug_assert(s->tb_jmp_insn_offset == 0); + /* indirect jump method. */ + tcg_out_op_p(s, opc, s->tb_jmp_target_addr + args[0]); set_jmp_reset_offset(s, args[0]); break; case INDEX_op_br: - tci_out_label(s, arg_label(args[0])); + tcg_out_op_l(s, opc, arg_label(args[0])); break; CASE_32_64(setcond) - tcg_out_r(s, args[0]); - tcg_out_r(s, args[1]); - tcg_out_r(s, args[2]); - tcg_out8(s, args[3]); /* condition */ + tcg_out_op_rrrc(s, opc, args[0], args[1], args[2], args[3]); break; #if TCG_TARGET_REG_BITS == 32 case INDEX_op_setcond2_i32: - /* setcond2_i32 cond, t0, t1_low, t1_high, t2_low, t2_high */ - tcg_out_r(s, args[0]); - tcg_out_r(s, args[1]); - tcg_out_r(s, args[2]); - tcg_out_r(s, args[3]); - tcg_out_r(s, args[4]); - tcg_out8(s, args[5]); /* condition */ + tcg_out_op_rrrrrc(s, opc, args[0], args[1], args[2], + args[3], args[4], args[5]); break; #endif @@ -455,10 +658,7 @@ static void tcg_out_op(TCGContext *s, TCGOpcode opc, const TCGArg *args, CASE_64(st32) CASE_64(st) stack_bounds_check(args[1], args[2]); - tcg_out_r(s, args[0]); - tcg_out_r(s, args[1]); - tcg_debug_assert(args[2] == (int32_t)args[2]); - tcg_out32(s, args[2]); + tcg_out_op_rrs(s, opc, args[0], args[1], args[2]); break; CASE_32_64(add) @@ -481,26 +681,23 @@ static void tcg_out_op(TCGContext *s, TCGOpcode opc, const TCGArg *args, CASE_32_64(divu) /* Optional (TCG_TARGET_HAS_div_*). */ CASE_32_64(rem) /* Optional (TCG_TARGET_HAS_div_*). */ CASE_32_64(remu) /* Optional (TCG_TARGET_HAS_div_*). */ - tcg_out_r(s, args[0]); - tcg_out_r(s, args[1]); - tcg_out_r(s, args[2]); + tcg_out_op_rrr(s, opc, args[0], args[1], args[2]); break; CASE_32_64(deposit) /* Optional (TCG_TARGET_HAS_deposit_*). */ - tcg_out_r(s, args[0]); - tcg_out_r(s, args[1]); - tcg_out_r(s, args[2]); - tcg_debug_assert(args[3] <= UINT8_MAX); - tcg_out8(s, args[3]); - tcg_debug_assert(args[4] <= UINT8_MAX); - tcg_out8(s, args[4]); + { + TCGArg pos = args[3], len = args[4]; + TCGArg max = opc == INDEX_op_deposit_i32 ? 32 : 64; + + tcg_debug_assert(pos < max); + tcg_debug_assert(pos + len <= max); + + tcg_out_op_rrrbb(s, opc, args[0], args[1], args[2], pos, len); + } break; CASE_32_64(brcond) - tcg_out_r(s, args[0]); - tcg_out_r(s, args[1]); - tcg_out8(s, args[2]); /* condition */ - tci_out_label(s, arg_label(args[3])); + tcg_out_op_rrcl(s, opc, args[0], args[1], args[2], arg_label(args[3])); break; CASE_32_64(neg) /* Optional (TCG_TARGET_HAS_neg_*). */ @@ -516,60 +713,47 @@ static void tcg_out_op(TCGContext *s, TCGOpcode opc, const TCGArg *args, CASE_32_64(bswap16) /* Optional (TCG_TARGET_HAS_bswap16_*). */ CASE_32_64(bswap32) /* Optional (TCG_TARGET_HAS_bswap32_*). */ CASE_64(bswap64) /* Optional (TCG_TARGET_HAS_bswap64_i64). */ - tcg_out_r(s, args[0]); - tcg_out_r(s, args[1]); + tcg_out_op_rr(s, opc, args[0], args[1]); break; #if TCG_TARGET_REG_BITS == 32 case INDEX_op_add2_i32: case INDEX_op_sub2_i32: - tcg_out_r(s, args[0]); - tcg_out_r(s, args[1]); - tcg_out_r(s, args[2]); - tcg_out_r(s, args[3]); - tcg_out_r(s, args[4]); - tcg_out_r(s, args[5]); + tcg_out_op_rrrrrr(s, opc, args[0], args[1], args[2], + args[3], args[4], args[5]); break; case INDEX_op_brcond2_i32: - tcg_out_r(s, args[0]); - tcg_out_r(s, args[1]); - tcg_out_r(s, args[2]); - tcg_out_r(s, args[3]); - tcg_out8(s, args[4]); /* condition */ - tci_out_label(s, arg_label(args[5])); + tcg_out_op_rrrrcl(s, opc, args[0], args[1], args[2], + args[3], args[4], arg_label(args[5])); break; case INDEX_op_mulu2_i32: - tcg_out_r(s, args[0]); - tcg_out_r(s, args[1]); - tcg_out_r(s, args[2]); - tcg_out_r(s, args[3]); + tcg_out_op_rrrr(s, opc, args[0], args[1], args[2], args[3]); break; #endif case INDEX_op_qemu_ld_i32: case INDEX_op_qemu_st_i32: - tcg_out_r(s, *args++); - tcg_out_r(s, *args++); - if (TARGET_LONG_BITS > TCG_TARGET_REG_BITS) { - tcg_out_r(s, *args++); + if (TARGET_LONG_BITS <= TCG_TARGET_REG_BITS) { + tcg_out_op_rrm(s, opc, args[0], args[1], args[2]); + } else { + tcg_out_op_rrrm(s, opc, args[0], args[1], args[2], args[3]); } - tcg_out_i(s, *args++); break; case INDEX_op_qemu_ld_i64: case INDEX_op_qemu_st_i64: - tcg_out_r(s, *args++); - if (TCG_TARGET_REG_BITS == 32) { - tcg_out_r(s, *args++); - } - tcg_out_r(s, *args++); - if (TARGET_LONG_BITS > TCG_TARGET_REG_BITS) { - tcg_out_r(s, *args++); + if (TCG_TARGET_REG_BITS == 64) { + tcg_out_op_rrm(s, opc, args[0], args[1], args[2]); + } else if (TARGET_LONG_BITS <= TCG_TARGET_REG_BITS) { + tcg_out_op_rrrm(s, opc, args[0], args[1], args[2], args[3]); + } else { + tcg_out_op_rrrrm(s, opc, args[0], args[1], + args[2], args[3], args[4]); } - tcg_out_i(s, *args++); break; case INDEX_op_mb: + tcg_out_op_v(s, opc); break; case INDEX_op_mov_i32: /* Always emitted via tcg_out_mov. */ @@ -578,32 +762,24 @@ static void tcg_out_op(TCGContext *s, TCGOpcode opc, const TCGArg *args, default: tcg_abort(); } - old_code_ptr[1] = s->code_ptr - old_code_ptr; } -static void tcg_out_st(TCGContext *s, TCGType type, TCGReg arg, TCGReg arg1, - intptr_t arg2) +static void tcg_out_st(TCGContext *s, TCGType type, TCGReg val, TCGReg base, + intptr_t offset) { - uint8_t *old_code_ptr = s->code_ptr; - - stack_bounds_check(arg1, arg2); - if (type == TCG_TYPE_I32) { - tcg_out_op_t(s, INDEX_op_st_i32); - tcg_out_r(s, arg); - tcg_out_r(s, arg1); - tcg_out32(s, arg2); - } else { - tcg_debug_assert(type == TCG_TYPE_I64); + stack_bounds_check(base, offset); + switch (type) { + case TCG_TYPE_I32: + tcg_out_op_rrs(s, INDEX_op_st_i32, val, base, offset); + break; #if TCG_TARGET_REG_BITS == 64 - tcg_out_op_t(s, INDEX_op_st_i64); - tcg_out_r(s, arg); - tcg_out_r(s, arg1); - tcg_out32(s, arg2); -#else - TODO(); + case TCG_TYPE_I64: + tcg_out_op_rrs(s, INDEX_op_st_i64, val, base, offset); + break; #endif + default: + g_assert_not_reached(); } - old_code_ptr[1] = s->code_ptr - old_code_ptr; } static inline bool tcg_out_sti(TCGContext *s, TCGType type, TCGArg val, diff --git a/tcg/tci/tcg-target.h b/tcg/tci/tcg-target.h index 9c0021a..52af6d8 100644 --- a/tcg/tci/tcg-target.h +++ b/tcg/tci/tcg-target.h @@ -87,7 +87,7 @@ #define TCG_TARGET_HAS_muluh_i32 0 #define TCG_TARGET_HAS_mulsh_i32 0 #define TCG_TARGET_HAS_goto_ptr 0 -#define TCG_TARGET_HAS_direct_jump 1 +#define TCG_TARGET_HAS_direct_jump 0 #define TCG_TARGET_HAS_qemu_st8_i32 0 #if TCG_TARGET_REG_BITS == 64 @@ -163,8 +163,6 @@ typedef enum { #define TCG_TARGET_CALL_STACK_OFFSET 0 #define TCG_TARGET_STACK_ALIGN 16 -void tci_disas(uint8_t opc); - #define HAVE_TCG_QEMU_TB_EXEC /* We could notice __i386__ or __s390x__ and reduce the barriers depending @@ -174,12 +172,7 @@ void tci_disas(uint8_t opc); #define TCG_TARGET_HAS_MEMORY_BSWAP 1 -static inline void tb_target_set_jmp_target(uintptr_t tc_ptr, uintptr_t jmp_rx, - uintptr_t jmp_rw, uintptr_t addr) -{ - /* patch the branch destination */ - qatomic_set((int32_t *)jmp_rw, addr - (jmp_rx + 4)); - /* no need to flush icache explicitly */ -} +/* not defined -- call should be eliminated at compile time */ +void tb_target_set_jmp_target(uintptr_t, uintptr_t, uintptr_t, uintptr_t); #endif /* TCG_TARGET_H */ diff --git a/tests/acceptance/avocado_qemu/__init__.py b/tests/acceptance/avocado_qemu/__init__.py index df167b1..83b1741 100644 --- a/tests/acceptance/avocado_qemu/__init__.py +++ b/tests/acceptance/avocado_qemu/__init__.py @@ -93,11 +93,12 @@ def _console_interaction(test, success_message, failure_message, if not msg: continue console_logger.debug(msg) - if success_message in msg: + if success_message is None or success_message in msg: break if failure_message and failure_message in msg: console.close() - fail = 'Failure message found in console: %s' % failure_message + fail = 'Failure message found in console: "%s". Expected: "%s"' % \ + (failure_message, success_message) test.fail(fail) def interrupt_interactive_console_until_pattern(test, success_message, @@ -139,6 +140,18 @@ def wait_for_console_pattern(test, success_message, failure_message=None, """ _console_interaction(test, success_message, failure_message, None, vm=vm) +def exec_command(test, command): + """ + Send a command to a console (appending CRLF characters), while logging + the content. + + :param test: an Avocado test containing a VM. + :type test: :class:`avocado_qemu.Test` + :param command: the command to send + :type command: str + """ + _console_interaction(test, None, None, command + '\r') + def exec_command_and_wait_for_pattern(test, command, success_message, failure_message=None): """ @@ -304,8 +317,10 @@ class LinuxTest(Test): try: cloudinit_iso = os.path.join(self.workdir, 'cloudinit.iso') self.phone_home_port = network.find_free_port() - with open(ssh_pubkey) as pubkey: - pubkey_content = pubkey.read() + pubkey_content = None + if ssh_pubkey: + with open(ssh_pubkey) as pubkey: + pubkey_content = pubkey.read() cloudinit.iso(cloudinit_iso, self.name, username='root', password='password', diff --git a/tests/acceptance/multiprocess.py b/tests/acceptance/multiprocess.py new file mode 100644 index 0000000..96627f0 --- /dev/null +++ b/tests/acceptance/multiprocess.py @@ -0,0 +1,95 @@ +# Test for multiprocess qemu +# +# This work is licensed under the terms of the GNU GPL, version 2 or +# later. See the COPYING file in the top-level directory. + + +import os +import socket + +from avocado_qemu import Test +from avocado_qemu import wait_for_console_pattern +from avocado_qemu import exec_command +from avocado_qemu import exec_command_and_wait_for_pattern + +class Multiprocess(Test): + """ + :avocado: tags=multiprocess + """ + KERNEL_COMMON_COMMAND_LINE = 'printk.time=0 ' + + def do_test(self, kernel_url, initrd_url, kernel_command_line, + machine_type): + """Main test method""" + self.require_accelerator('kvm') + + # Create socketpair to connect proxy and remote processes + proxy_sock, remote_sock = socket.socketpair(socket.AF_UNIX, + socket.SOCK_STREAM) + os.set_inheritable(proxy_sock.fileno(), True) + os.set_inheritable(remote_sock.fileno(), True) + + kernel_path = self.fetch_asset(kernel_url) + initrd_path = self.fetch_asset(initrd_url) + + # Create remote process + remote_vm = self.get_vm() + remote_vm.add_args('-machine', 'x-remote') + remote_vm.add_args('-nodefaults') + remote_vm.add_args('-device', 'lsi53c895a,id=lsi1') + remote_vm.add_args('-object', 'x-remote-object,id=robj1,' + 'devid=lsi1,fd='+str(remote_sock.fileno())) + remote_vm.launch() + + # Create proxy process + self.vm.set_console() + self.vm.add_args('-machine', machine_type) + self.vm.add_args('-accel', 'kvm') + self.vm.add_args('-cpu', 'host') + self.vm.add_args('-object', + 'memory-backend-memfd,id=sysmem-file,size=2G') + self.vm.add_args('--numa', 'node,memdev=sysmem-file') + self.vm.add_args('-m', '2048') + self.vm.add_args('-kernel', kernel_path, + '-initrd', initrd_path, + '-append', kernel_command_line) + self.vm.add_args('-device', + 'x-pci-proxy-dev,' + 'id=lsi1,fd='+str(proxy_sock.fileno())) + self.vm.launch() + wait_for_console_pattern(self, 'as init process', + 'Kernel panic - not syncing') + exec_command(self, 'mount -t sysfs sysfs /sys') + exec_command_and_wait_for_pattern(self, + 'cat /sys/bus/pci/devices/*/uevent', + 'PCI_ID=1000:0012') + + def test_multiprocess_x86_64(self): + """ + :avocado: tags=arch:x86_64 + """ + kernel_url = ('https://archives.fedoraproject.org/pub/archive/fedora' + '/linux/releases/31/Everything/x86_64/os/images' + '/pxeboot/vmlinuz') + initrd_url = ('https://archives.fedoraproject.org/pub/archive/fedora' + '/linux/releases/31/Everything/x86_64/os/images' + '/pxeboot/initrd.img') + kernel_command_line = (self.KERNEL_COMMON_COMMAND_LINE + + 'console=ttyS0 rdinit=/bin/bash') + machine_type = 'pc' + self.do_test(kernel_url, initrd_url, kernel_command_line, machine_type) + + def test_multiprocess_aarch64(self): + """ + :avocado: tags=arch:aarch64 + """ + kernel_url = ('https://archives.fedoraproject.org/pub/archive/fedora' + '/linux/releases/31/Everything/aarch64/os/images' + '/pxeboot/vmlinuz') + initrd_url = ('https://archives.fedoraproject.org/pub/archive/fedora' + '/linux/releases/31/Everything/aarch64/os/images' + '/pxeboot/initrd.img') + kernel_command_line = (self.KERNEL_COMMON_COMMAND_LINE + + 'rdinit=/bin/bash console=ttyAMA0') + machine_type = 'virt,gic-version=3' + self.do_test(kernel_url, initrd_url, kernel_command_line, machine_type) diff --git a/tests/migration/guestperf/engine.py b/tests/migration/guestperf/engine.py index 5c96514..e399447 100644 --- a/tests/migration/guestperf/engine.py +++ b/tests/migration/guestperf/engine.py @@ -409,6 +409,13 @@ class Engine(object): vcpu_timings = ret[2] if uri[0:5] == "unix:": os.remove(uri[5:]) + + if os.path.exists(srcmonaddr): + os.remove(srcmonaddr) + + if self._dst_host == "localhost" and os.path.exists(dstmonaddr): + os.remove(dstmonaddr) + if self._verbose: print("Finished migration") diff --git a/tests/plugin/meson.build b/tests/plugin/meson.build index 1eacfa6..2bbfc4b 100644 --- a/tests/plugin/meson.build +++ b/tests/plugin/meson.build @@ -1,5 +1,5 @@ t = [] -foreach i : ['bb', 'empty', 'insn', 'mem'] +foreach i : ['bb', 'empty', 'insn', 'mem', 'syscall'] t += shared_module(i, files(i + '.c'), include_directories: '../../include/qemu', dependencies: glib) diff --git a/tests/plugin/syscall.c b/tests/plugin/syscall.c new file mode 100644 index 0000000..53ee2ab --- /dev/null +++ b/tests/plugin/syscall.c @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2020, Matthias Weckbecker <matthias@weckbecker.name> + * + * License: GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + */ +#include <inttypes.h> +#include <assert.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <stdio.h> +#include <glib.h> + +#include <qemu-plugin.h> + +QEMU_PLUGIN_EXPORT int qemu_plugin_version = QEMU_PLUGIN_VERSION; + +static void vcpu_syscall(qemu_plugin_id_t id, unsigned int vcpu_index, + int64_t num, uint64_t a1, uint64_t a2, + uint64_t a3, uint64_t a4, uint64_t a5, + uint64_t a6, uint64_t a7, uint64_t a8) +{ + g_autofree gchar *out = g_strdup_printf("syscall #%" PRIi64 "\n", num); + qemu_plugin_outs(out); +} + +static void vcpu_syscall_ret(qemu_plugin_id_t id, unsigned int vcpu_idx, + int64_t num, int64_t ret) +{ + g_autofree gchar *out; + out = g_strdup_printf("syscall #%" PRIi64 " returned -> %" PRIi64 "\n", + num, ret); + qemu_plugin_outs(out); +} + +/* ************************************************************************* */ + +static void plugin_exit(qemu_plugin_id_t id, void *p) {} + +QEMU_PLUGIN_EXPORT int qemu_plugin_install(qemu_plugin_id_t id, + const qemu_info_t *info, + int argc, char **argv) +{ + qemu_plugin_register_vcpu_syscall_cb(id, vcpu_syscall); + qemu_plugin_register_vcpu_syscall_ret_cb(id, vcpu_syscall_ret); + qemu_plugin_register_atexit_cb(id, plugin_exit, NULL); + return 0; +} diff --git a/tests/qtest/fuzz-megasas-test.c b/tests/qtest/fuzz-megasas-test.c new file mode 100644 index 0000000..940a76b --- /dev/null +++ b/tests/qtest/fuzz-megasas-test.c @@ -0,0 +1,49 @@ +/* + * QTest fuzzer-generated testcase for megasas device + * + * Copyright (c) 2020 Li Qiang <liq3ea@gmail.com> + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" + +#include "libqos/libqtest.h" + +/* + * This used to trigger the assert in scsi_dma_complete + * https://bugs.launchpad.net/qemu/+bug/1878263 + */ +static void test_lp1878263_megasas_zero_iov_cnt(void) +{ + QTestState *s; + + s = qtest_init("-nographic -monitor none -serial none " + "-M q35 -device megasas -device scsi-cd,drive=null0 " + "-blockdev driver=null-co,read-zeroes=on,node-name=null0"); + qtest_outl(s, 0xcf8, 0x80001818); + qtest_outl(s, 0xcfc, 0xc101); + qtest_outl(s, 0xcf8, 0x8000181c); + qtest_outl(s, 0xcf8, 0x80001804); + qtest_outw(s, 0xcfc, 0x7); + qtest_outl(s, 0xcf8, 0x8000186a); + qtest_writeb(s, 0x14, 0xfe); + qtest_writeb(s, 0x0, 0x02); + qtest_outb(s, 0xc1c0, 0x17); + qtest_quit(s); +} + +int main(int argc, char **argv) +{ + const char *arch = qtest_get_arch(); + + g_test_init(&argc, &argv, NULL); + + if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) { + qtest_add_func("fuzz/test_lp1878263_megasas_zero_iov_cnt", + test_lp1878263_megasas_zero_iov_cnt); + } + + return g_test_run(); +} diff --git a/tests/qtest/fuzz-test.c b/tests/qtest/fuzz-test.c index 6f161c9..00149ab 100644 --- a/tests/qtest/fuzz-test.c +++ b/tests/qtest/fuzz-test.c @@ -11,29 +11,6 @@ #include "libqos/libqtest.h" -/* - * This used to trigger the assert in scsi_dma_complete - * https://bugs.launchpad.net/qemu/+bug/1878263 - */ -static void test_lp1878263_megasas_zero_iov_cnt(void) -{ - QTestState *s; - - s = qtest_init("-nographic -monitor none -serial none " - "-M q35 -device megasas -device scsi-cd,drive=null0 " - "-blockdev driver=null-co,read-zeroes=on,node-name=null0"); - qtest_outl(s, 0xcf8, 0x80001818); - qtest_outl(s, 0xcfc, 0xc101); - qtest_outl(s, 0xcf8, 0x8000181c); - qtest_outl(s, 0xcf8, 0x80001804); - qtest_outw(s, 0xcfc, 0x7); - qtest_outl(s, 0xcf8, 0x8000186a); - qtest_writeb(s, 0x14, 0xfe); - qtest_writeb(s, 0x0, 0x02); - qtest_outb(s, 0xc1c0, 0x17); - qtest_quit(s); -} - static void test_lp1878642_pci_bus_get_irq_level_assert(void) { QTestState *s; @@ -47,55 +24,6 @@ static void test_lp1878642_pci_bus_get_irq_level_assert(void) qtest_quit(s); } -/* - * Here a MemoryRegionCache pointed to an MMIO region but had a - * larger size than the underlying region. - */ -static void test_mmio_oob_from_memory_region_cache(void) -{ - QTestState *s; - - s = qtest_init("-M pc-q35-5.2 -display none -m 512M " - "-device virtio-scsi,num_queues=8,addr=03.0 "); - - qtest_outl(s, 0xcf8, 0x80001811); - qtest_outb(s, 0xcfc, 0x6e); - qtest_outl(s, 0xcf8, 0x80001824); - qtest_outl(s, 0xcf8, 0x80001813); - qtest_outl(s, 0xcfc, 0xa080000); - qtest_outl(s, 0xcf8, 0x80001802); - qtest_outl(s, 0xcfc, 0x5a175a63); - qtest_outb(s, 0x6e08, 0x9e); - qtest_writeb(s, 0x9f003, 0xff); - qtest_writeb(s, 0x9f004, 0x01); - qtest_writeb(s, 0x9e012, 0x0e); - qtest_writeb(s, 0x9e01b, 0x0e); - qtest_writeb(s, 0x9f006, 0x01); - qtest_writeb(s, 0x9f008, 0x01); - qtest_writeb(s, 0x9f00a, 0x01); - qtest_writeb(s, 0x9f00c, 0x01); - qtest_writeb(s, 0x9f00e, 0x01); - qtest_writeb(s, 0x9f010, 0x01); - qtest_writeb(s, 0x9f012, 0x01); - qtest_writeb(s, 0x9f014, 0x01); - qtest_writeb(s, 0x9f016, 0x01); - qtest_writeb(s, 0x9f018, 0x01); - qtest_writeb(s, 0x9f01a, 0x01); - qtest_writeb(s, 0x9f01c, 0x01); - qtest_writeb(s, 0x9f01e, 0x01); - qtest_writeb(s, 0x9f020, 0x01); - qtest_writeb(s, 0x9f022, 0x01); - qtest_writeb(s, 0x9f024, 0x01); - qtest_writeb(s, 0x9f026, 0x01); - qtest_writeb(s, 0x9f028, 0x01); - qtest_writeb(s, 0x9f02a, 0x01); - qtest_writeb(s, 0x9f02c, 0x01); - qtest_writeb(s, 0x9f02e, 0x01); - qtest_writeb(s, 0x9f030, 0x01); - qtest_outb(s, 0x6e10, 0x00); - qtest_quit(s); -} - int main(int argc, char **argv) { const char *arch = qtest_get_arch(); @@ -103,12 +31,8 @@ int main(int argc, char **argv) g_test_init(&argc, &argv, NULL); if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) { - qtest_add_func("fuzz/test_lp1878263_megasas_zero_iov_cnt", - test_lp1878263_megasas_zero_iov_cnt); qtest_add_func("fuzz/test_lp1878642_pci_bus_get_irq_level_assert", test_lp1878642_pci_bus_get_irq_level_assert); - qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache", - test_mmio_oob_from_memory_region_cache); } return g_test_run(); diff --git a/tests/qtest/fuzz-virtio-scsi-test.c b/tests/qtest/fuzz-virtio-scsi-test.c new file mode 100644 index 0000000..aaf6d10 --- /dev/null +++ b/tests/qtest/fuzz-virtio-scsi-test.c @@ -0,0 +1,75 @@ +/* + * QTest fuzzer-generated testcase for virtio-scsi device + * + * Copyright (c) 2020 Li Qiang <liq3ea@gmail.com> + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" + +#include "libqos/libqtest.h" + +/* + * Here a MemoryRegionCache pointed to an MMIO region but had a + * larger size than the underlying region. + */ +static void test_mmio_oob_from_memory_region_cache(void) +{ + QTestState *s; + + s = qtest_init("-M pc-q35-5.2 -display none -m 512M " + "-device virtio-scsi,num_queues=8,addr=03.0 "); + + qtest_outl(s, 0xcf8, 0x80001811); + qtest_outb(s, 0xcfc, 0x6e); + qtest_outl(s, 0xcf8, 0x80001824); + qtest_outl(s, 0xcf8, 0x80001813); + qtest_outl(s, 0xcfc, 0xa080000); + qtest_outl(s, 0xcf8, 0x80001802); + qtest_outl(s, 0xcfc, 0x5a175a63); + qtest_outb(s, 0x6e08, 0x9e); + qtest_writeb(s, 0x9f003, 0xff); + qtest_writeb(s, 0x9f004, 0x01); + qtest_writeb(s, 0x9e012, 0x0e); + qtest_writeb(s, 0x9e01b, 0x0e); + qtest_writeb(s, 0x9f006, 0x01); + qtest_writeb(s, 0x9f008, 0x01); + qtest_writeb(s, 0x9f00a, 0x01); + qtest_writeb(s, 0x9f00c, 0x01); + qtest_writeb(s, 0x9f00e, 0x01); + qtest_writeb(s, 0x9f010, 0x01); + qtest_writeb(s, 0x9f012, 0x01); + qtest_writeb(s, 0x9f014, 0x01); + qtest_writeb(s, 0x9f016, 0x01); + qtest_writeb(s, 0x9f018, 0x01); + qtest_writeb(s, 0x9f01a, 0x01); + qtest_writeb(s, 0x9f01c, 0x01); + qtest_writeb(s, 0x9f01e, 0x01); + qtest_writeb(s, 0x9f020, 0x01); + qtest_writeb(s, 0x9f022, 0x01); + qtest_writeb(s, 0x9f024, 0x01); + qtest_writeb(s, 0x9f026, 0x01); + qtest_writeb(s, 0x9f028, 0x01); + qtest_writeb(s, 0x9f02a, 0x01); + qtest_writeb(s, 0x9f02c, 0x01); + qtest_writeb(s, 0x9f02e, 0x01); + qtest_writeb(s, 0x9f030, 0x01); + qtest_outb(s, 0x6e10, 0x00); + qtest_quit(s); +} + +int main(int argc, char **argv) +{ + const char *arch = qtest_get_arch(); + + g_test_init(&argc, &argv, NULL); + + if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) { + qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache", + test_mmio_oob_from_memory_region_cache); + } + + return g_test_run(); +} diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c index ee8c17a..b5fe27a 100644 --- a/tests/qtest/fuzz/generic_fuzz.c +++ b/tests/qtest/fuzz/generic_fuzz.c @@ -28,6 +28,7 @@ #include "hw/pci/pci.h" #include "hw/boards.h" #include "generic_fuzz_configs.h" +#include "hw/mem/sparse-mem.h" /* * SEPARATOR is used to separate "operations" in the fuzz input @@ -64,6 +65,8 @@ static useconds_t timeout = DEFAULT_TIMEOUT_US; static bool qtest_log_enabled; +MemoryRegion *sparse_mem_mr; + /* * A pattern used to populate a DMA region or perform a memwrite. This is * useful for e.g. populating tables of unique addresses. @@ -191,8 +194,7 @@ void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr) */ if (dma_patterns->len == 0 || len == 0 - || mr != current_machine->ram - || addr > current_machine->ram_size) { + || (mr != current_machine->ram && mr != sparse_mem_mr)) { return; } @@ -238,7 +240,7 @@ void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr) MEMTXATTRS_UNSPECIFIED); if (!(memory_region_is_ram(mr1) || - memory_region_is_romd(mr1))) { + memory_region_is_romd(mr1)) && mr1 != sparse_mem_mr) { l = memory_access_size(mr1, l, addr1); } else { /* ROM/RAM case */ @@ -583,6 +585,21 @@ static void handle_timeout(int sig) fprintf(stderr, "[Timeout]\n"); fflush(stderr); } + + /* + * If there is a crash, libfuzzer/ASAN forks a child to run an + * "llvm-symbolizer" process for printing out a pretty stacktrace. It + * communicates with this child using a pipe. If we timeout+Exit, while + * libfuzzer is still communicating with the llvm-symbolizer child, we will + * be left with an orphan llvm-symbolizer process. Sometimes, this appears + * to lead to a deadlock in the forkserver. Use waitpid to check if there + * are any waitable children. If so, exit out of the signal-handler, and + * let libfuzzer finish communicating with the child, and exit, on its own. + */ + if (waitpid(-1, NULL, WNOHANG) == 0) { + return; + } + _Exit(0); } @@ -799,6 +816,12 @@ static void generic_pre_fuzz(QTestState *s) } qts_global = s; + /* + * Create a special device that we can use to back DMA buffers at very + * high memory addresses + */ + sparse_mem_mr = sparse_mem_init(0, UINT64_MAX); + dma_regions = g_array_new(false, false, sizeof(address_range)); dma_patterns = g_array_new(false, false, sizeof(pattern)); diff --git a/tests/qtest/fuzz/generic_fuzz_configs.h b/tests/qtest/fuzz/generic_fuzz_configs.h index 5d59976..8b8c7ac 100644 --- a/tests/qtest/fuzz/generic_fuzz_configs.h +++ b/tests/qtest/fuzz/generic_fuzz_configs.h @@ -177,7 +177,7 @@ const generic_fuzz_config predefined_configs[] = { .name = "i82550", .args = "-machine q35 -nodefaults " "-device i82550,netdev=net0 -netdev user,id=net0", - .objects = "eepro*" + .objects = "i8255*" },{ .name = "sdhci-v3", .args = "-nodefaults -device sdhci-pci,sd-spec-version=3 " @@ -209,6 +209,12 @@ const generic_fuzz_config predefined_configs[] = { "-blockdev driver=null-co,read-zeroes=on,node-name=null0", .objects = "megasas*", },{ + .name = "am53c974", + .args = "-device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw " + "-nodefaults", + .objects = "*esp* *scsi* *am53c974*", + },{ .name = "ac97", .args = "-machine q35 -nodefaults " "-device ac97,audiodev=snd0 -audiodev none,id=snd0 -nodefaults", diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build index 66ee9fb..6e87107 100644 --- a/tests/qtest/meson.build +++ b/tests/qtest/meson.build @@ -17,7 +17,10 @@ slow_qtests = { 'test-hmp' : 120, } -qtests_generic = [ +qtests_generic = \ + (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-test'] : []) + \ + (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-test'] : []) + \ + [ 'cdrom-test', 'device-introspect-test', 'machine-none-test', |