From: Axel Heider <axel.heider@hensoldt.net>
- fix #1263
- rework compare time handling
- The compare timer has to run even if CR.OCIEN is not set,
as SR.OCIF must be updated.
- The compare timer fires exactly once when the
compare value is less than the current value, but the
reload values is less than the compare value.
- The compare timer will never fire if the reload value is
less than the compare value. Disable it in this case.
Signed-off-by: Axel Heider <axel.heider@hensoldt.net>
---
hw/timer/imx_epit.c | 188 +++++++++++++++++++++++++++++---------------
1 file changed, 123 insertions(+), 65 deletions(-)
diff --git a/hw/timer/imx_epit.c b/hw/timer/imx_epit.c
index 77bd2b0a2b..cb2880cabc 100644
--- a/hw/timer/imx_epit.c
+++ b/hw/timer/imx_epit.c
@@ -6,6 +6,7 @@
* Originally written by Hans Jiang
* Updated by Peter Chubb
* Updated by Jean-Christophe Dubois <jcd@tribudubois.net>
+ * Updated by Axel Heider
*
* This code is licensed under GPL version 2 or later. See
* the COPYING file in the top-level directory.
@@ -110,33 +111,84 @@ static uint64_t imx_epit_read(void *opaque, hwaddr offset, unsigned size)
return reg_value;
}
-/* Must be called from ptimer_transaction_begin/commit block for s->timer_cmp */
-static void imx_epit_reload_compare_timer(IMXEPITState *s)
+/*
+ * Must be called from a ptimer_transaction_begin/commit block for
+ * s->timer_cmp, but outside of a transaction block of s->timer_reload,
+ * so the proper counter value is read.
+ */
+static void imx_epit_update_compare_timer(IMXEPITState *s)
{
- if ((s->cr & (CR_EN | CR_OCIEN)) == (CR_EN | CR_OCIEN)) {
- /* if the compare feature is on and timers are running */
- uint32_t tmp = ptimer_get_count(s->timer_reload);
- uint64_t next;
- if (tmp > s->cmp) {
- /* It'll fire in this round of the timer */
- next = tmp - s->cmp;
- } else { /* catch it next time around */
- next = tmp - s->cmp + ((s->cr & CR_RLD) ? EPIT_TIMER_MAX : s->lr);
+ uint64_t counter = 0;
+ bool is_oneshot = false;
+ /* The compare timer only has to run if the timer peripheral is active
+ * and there is an input clock, Otherwise it can be switched off.
+ */
+ bool is_active = (s->cr & CR_EN) && imx_epit_get_freq(s);
+ if (is_active)
+ {
+ /*
+ * Calculate next timeout for compare timer. Reading the reload
+ * counter returns proper results only if pending transactions
+ * on it are committed here. Otherwise stale values are be read.
+ */
+ counter = ptimer_get_count(s->timer_reload);
+ uint64_t limit = ptimer_get_limit(s->timer_cmp);
+ /* The compare timer is a periodic timer if the limit is at least
+ * the compare value. Otherwise it may fire at most once in the
+ * current round.
+ */
+ bool is_oneshot = (limit >= s->cmp);
+ if (counter >= s->cmp) {
+ /* The compare timer fires in the current round. */
+ counter -= s->cmp;
+ } else if (!is_oneshot) {
+ /*
+ * The compare timer fires after a reload, as it below the
+ * compare value already in this round. Note that the counter
+ * value calculated below can be above the 32-bit limit, which
+ * is legal here because the compare timer is an internal
+ * helper ptimer only.
+ */
+ counter += limit - s->cmp;
+ } else {
+ /*
+ * The compare timer wont fire in this round, and the limit is
+ * set to a value below the compare value. This practically means
+ * it will never fire, so it can be switched off.
+ */
+ is_active = false;
}
- ptimer_set_count(s->timer_cmp, next);
}
+
+ /*
+ * Set the compare timer and let it run, or stop it. This is agnostic
+ * of CR.OCIEN bit, as this only matters for interrupt generation. The
+ * compare timer needs to run in any case, as the SR.OCIF bit must be
+ * updated even if no interrupt in generated.
+ * Note that the timer might already be stopped or be running with
+ * counter values. However, finding out when an update is needed and
+ * when not is not trivial. It's much easier applying the setting again,
+ * as this does not harm either and the overhead is negligible.
+ */
+ if (is_active) {
+ ptimer_set_count(s->timer_cmp, counter);
+ ptimer_run(s->timer_cmp, is_oneshot ? 1 : 0);
+ } else {
+ ptimer_stop(s->timer_cmp);
+ }
+
}
static void imx_epit_write_cr(IMXEPITState *s, uint32_t value)
{
uint32_t freq = 0;
- uint32_t oldcr = s->cr;
+ bool set_limit = false;
+ bool set_counter = false;
/* SWR bit is never persisted, it clears itself once reset is done */
+ uint32_t old_cr = s->cr;
s->cr = (value & ~CR_SWR) & 0x03ffffff;
-
- ptimer_transaction_begin(s->timer_cmp);
- ptimer_transaction_begin(s->timer_reload);
+ uint32_t toggled_cr = old_cr ^ s->cr;
if (value & CR_SWR) {
/* Soft reset doesn't touch some bits; only a hard reset clears them */
@@ -149,49 +201,52 @@ static void imx_epit_write_cr(IMXEPITState *s, uint32_t value)
/* turn interrupt off since SR and the OCIEN bit got cleared */
qemu_irq_lower(s->irq);
/* reset timer limits, set timer values to these limits */
- ptimer_set_limit(s->timer_cmp, EPIT_TIMER_MAX, 1);
- ptimer_set_limit(s->timer_reload, EPIT_TIMER_MAX, 1);
+ set_limit = true;
+ set_counter = true;
} else {
- freq = imx_epit_get_freq(s);
- if (freq) {
- ptimer_set_freq(s->timer_reload, freq);
- ptimer_set_freq(s->timer_cmp, freq);
- }
+ /* re-initialize the limits if CR.RLD has changed */
+ set_limit = toggled_cr & CR_RLD;
+ /* set the counter if the timer got just enabled and CR.ENMOD is set */
+ set_counter = ((toggled_cr & s->cr) & CR_EN) && (s->cr & CR_ENMOD);
+ }
+
+ ptimer_transaction_begin(s->timer_cmp);
+ ptimer_transaction_begin(s->timer_reload);
+
+ freq = imx_epit_get_freq(s);
+ if (freq) {
+ ptimer_set_freq(s->timer_reload, freq);
+ ptimer_set_freq(s->timer_cmp, freq);
}
- if (freq && (s->cr & CR_EN) && !(oldcr & CR_EN)) {
- if (s->cr & CR_ENMOD) {
- if (s->cr & CR_RLD) {
- ptimer_set_limit(s->timer_reload, s->lr, 1);
- ptimer_set_limit(s->timer_cmp, s->lr, 1);
- } else {
- ptimer_set_limit(s->timer_reload, EPIT_TIMER_MAX, 1);
- ptimer_set_limit(s->timer_cmp, EPIT_TIMER_MAX, 1);
- }
+ if (set_limit || set_counter) {
+ uint64_t limit = (s->cr & CR_RLD) ? s->lr : EPIT_TIMER_MAX;
+ if (set_limit) {
+ ptimer_set_limit(s->timer_cmp, limit, 0);
}
+ ptimer_set_limit(s->timer_reload, limit, set_counter ? 1 : 0);
+ }
- imx_epit_reload_compare_timer(s);
+ /*
+ * If there is an input clock and the peripheral is enabled, then ensure
+ * the wall clock timer is ticking. Otherwise stop the timers. The compare
+ * timer will be updated later.
+ */
+ if (freq && (s->cr & CR_EN)) {
ptimer_run(s->timer_reload, 0);
- if (s->cr & CR_OCIEN) {
- ptimer_run(s->timer_cmp, 0);
- } else {
- ptimer_stop(s->timer_cmp);
- }
- } else if (!(s->cr & CR_EN)) {
- /* stop both timers */
- ptimer_stop(s->timer_reload);
- ptimer_stop(s->timer_cmp);
- } else if (s->cr & CR_OCIEN) {
- if (!(oldcr & CR_OCIEN)) {
- imx_epit_reload_compare_timer(s);
- ptimer_run(s->timer_cmp, 0);
- }
} else {
+ ptimer_stop(s->timer_reload);
+ /* Stop the compare timer also. This just plays safe, the call to
+ * imx_epit_update_compare_timer() below should also so this. */
ptimer_stop(s->timer_cmp);
}
- ptimer_transaction_commit(s->timer_cmp);
+ /* Commit the changes to s->timer_reload, so they can propagate. */
ptimer_transaction_commit(s->timer_reload);
+
+ /* Update the compare timer based on the committed reload timer value. */
+ imx_epit_update_compare_timer(s);
+ ptimer_transaction_commit(s->timer_cmp);
}
static void imx_epit_write_sr(IMXEPITState *s, uint32_t value)
@@ -218,14 +273,10 @@ static void imx_epit_write_lr(IMXEPITState *s, uint32_t value)
/* If IOVW bit is set then set the timer value */
ptimer_set_count(s->timer_reload, s->lr);
}
- /*
- * Commit the change to s->timer_reload, so it can propagate. Otherwise
- * the timer interrupt may not fire properly. The commit must happen
- * before calling imx_epit_reload_compare_timer(), which reads
- * s->timer_reload internally again.
- */
+ /* Commit the changes to s->timer_reload, so they can propagate. */
ptimer_transaction_commit(s->timer_reload);
- imx_epit_reload_compare_timer(s);
+ /* Update the compare timer based on the committed reload timer value. */
+ imx_epit_update_compare_timer(s);
ptimer_transaction_commit(s->timer_cmp);
}
@@ -233,8 +284,9 @@ static void imx_epit_write_cmp(IMXEPITState *s, uint32_t value)
{
s->cmp = value;
+ /* Update the compare timer based on the committed reload timer value. */
ptimer_transaction_begin(s->timer_cmp);
- imx_epit_reload_compare_timer(s);
+ imx_epit_update_compare_timer(s);
ptimer_transaction_commit(s->timer_cmp);
}
@@ -274,16 +326,22 @@ static void imx_epit_cmp(void *opaque)
{
IMXEPITState *s = IMX_EPIT(opaque);
- /* Set the interrupt status flag to signaled. */
- DPRINTF("sr was %d\n", s->sr);
- s->sr = 1;
+ if (s->cr & CR_EN) {
+ /* Set the interrupt status flag to signaled. */
+ DPRINTF("sr was %d\n", s->sr);
+ s->sr = 1;
- /*
- * An actual interrupt is generated only if the peripheral is enabled
- * and the interrupt generation is enabled.
- */
- if ((s->cr & (CR_EN | CR_OCIEN)) == (CR_EN | CR_OCIEN)) {
- qemu_irq_raise(s->irq);
+ /* If CR,OCIEN is set, an actual interrupt is generated */
+ if (s->cr & CR_OCIEN) {
+ qemu_irq_raise(s->irq);
+ }
+ } else {
+ /*
+ * The cmp ptimer is not supposed to be running when the
+ * peripheral is not enabled. Ignore this. However, it's
+ * worth investigating why this happened.
+ */
+ DPRINTF("compare trigger when timer not enabled\n");
}
}
--
2.34.5On Mon, 7 Nov 2022 at 16:42, ~axelheider <axelheider@git.sr.ht> wrote:
>
> From: Axel Heider <axel.heider@hensoldt.net>
>
> - fix #1263
> - rework compare time handling
> - The compare timer has to run even if CR.OCIEN is not set,
> as SR.OCIF must be updated.
> - The compare timer fires exactly once when the
> compare value is less than the current value, but the
> reload values is less than the compare value.
> - The compare timer will never fire if the reload value is
> less than the compare value. Disable it in this case.
If you're correcting behaviour of the timer use here,
you should start by fixing the way the timers are currently
created with PTIMER_POLICY_LEGACY. That setting is basically
"bug-for-bug-compatibility with very old QEMU, for devices
where nobody really knows what the hardware behaviour should
be". Where we do know what the hardware's supposed to do and
we have some way of testing we're not breaking guest code,
the right thing is to set the correct policy flags for
the desired behaviour. These are documented in a comment
near the top of include/hw/ptimer.h.
> Signed-off-by: Axel Heider <axel.heider@hensoldt.net>
> ---
> hw/timer/imx_epit.c | 188 +++++++++++++++++++++++++++++---------------
> 1 file changed, 123 insertions(+), 65 deletions(-)
>
> diff --git a/hw/timer/imx_epit.c b/hw/timer/imx_epit.c
> index 77bd2b0a2b..cb2880cabc 100644
> --- a/hw/timer/imx_epit.c
> +++ b/hw/timer/imx_epit.c
> @@ -6,6 +6,7 @@
> * Originally written by Hans Jiang
> * Updated by Peter Chubb
> * Updated by Jean-Christophe Dubois <jcd@tribudubois.net>
> + * Updated by Axel Heider
> *
> * This code is licensed under GPL version 2 or later. See
> * the COPYING file in the top-level directory.
> @@ -110,33 +111,84 @@ static uint64_t imx_epit_read(void *opaque, hwaddr offset, unsigned size)
> return reg_value;
> }
>
> -/* Must be called from ptimer_transaction_begin/commit block for s->timer_cmp */
> -static void imx_epit_reload_compare_timer(IMXEPITState *s)
> +/*
> + * Must be called from a ptimer_transaction_begin/commit block for
> + * s->timer_cmp, but outside of a transaction block of s->timer_reload,
> + * so the proper counter value is read.
> + */
> +static void imx_epit_update_compare_timer(IMXEPITState *s)
> {
> - if ((s->cr & (CR_EN | CR_OCIEN)) == (CR_EN | CR_OCIEN)) {
> - /* if the compare feature is on and timers are running */
> - uint32_t tmp = ptimer_get_count(s->timer_reload);
> - uint64_t next;
> - if (tmp > s->cmp) {
> - /* It'll fire in this round of the timer */
> - next = tmp - s->cmp;
> - } else { /* catch it next time around */
> - next = tmp - s->cmp + ((s->cr & CR_RLD) ? EPIT_TIMER_MAX : s->lr);
> + uint64_t counter = 0;
> + bool is_oneshot = false;
> + /* The compare timer only has to run if the timer peripheral is active
> + * and there is an input clock, Otherwise it can be switched off.
> + */
QEMU coding style wants the "/*" on a line of its own in multiline comments.
> + bool is_active = (s->cr & CR_EN) && imx_epit_get_freq(s);
> + if (is_active)
> + {
Brace goes on same line as "if".
> + /*
> + * Calculate next timeout for compare timer. Reading the reload
> + * counter returns proper results only if pending transactions
> + * on it are committed here. Otherwise stale values are be read.
> + */
> + counter = ptimer_get_count(s->timer_reload);
> + uint64_t limit = ptimer_get_limit(s->timer_cmp);
> + /* The compare timer is a periodic timer if the limit is at least
> + * the compare value. Otherwise it may fire at most once in the
> + * current round.
> + */
> + bool is_oneshot = (limit >= s->cmp);
> + if (counter >= s->cmp) {
> + /* The compare timer fires in the current round. */
> + counter -= s->cmp;
> + } else if (!is_oneshot) {
> + /*
> + * The compare timer fires after a reload, as it below the
> + * compare value already in this round. Note that the counter
> + * value calculated below can be above the 32-bit limit, which
> + * is legal here because the compare timer is an internal
> + * helper ptimer only.
> + */
> + counter += limit - s->cmp;
> + } else {
> + /*
> + * The compare timer wont fire in this round, and the limit is
"won't"
> + * set to a value below the compare value. This practically means
> + * it will never fire, so it can be switched off.
> + */
> + is_active = false;
> }
> - ptimer_set_count(s->timer_cmp, next);
> }
> +
> + /*
> + * Set the compare timer and let it run, or stop it. This is agnostic
> + * of CR.OCIEN bit, as this only matters for interrupt generation. The
> + * compare timer needs to run in any case, as the SR.OCIF bit must be
> + * updated even if no interrupt in generated.
"is generated"
> + * Note that the timer might already be stopped or be running with
> + * counter values. However, finding out when an update is needed and
> + * when not is not trivial. It's much easier applying the setting again,
> + * as this does not harm either and the overhead is negligible.
> + */
It is modestly harmful because the sequence
counter = ptimer_get_count(s->timer_reload);
...
ptimer_set_count(s->timer_cmp, counter);
will cause the counter to lose or gain time. This happens because when
you call "get" the ptimer code will look at the current exact
time in nanoseconds and tell you the counter value at that point.
That is probably somewhere in the middle of a timer-clock period
(which runs at whatever frequency you tell the ptimer to use):
for argument's sake, suppose the timer-clock counts every 1000ns.
Suppose at the point of the 'get' the next tick will be in 300ns time.
When you do a "set" that is assumed to be the result of a guest
register write of some kind, and will effectively start a new
timer-clock period. This means the next tick will not be for
a full 1000ns, and we just lost 300ns (or gained 700ns perhaps).
So it's better to avoid this kind of "get-and-then-set" code.
> + if (is_active) {
> + ptimer_set_count(s->timer_cmp, counter);
> + ptimer_run(s->timer_cmp, is_oneshot ? 1 : 0);
> + } else {
> + ptimer_stop(s->timer_cmp);
> + }
> +
> }
> @@ -274,16 +326,22 @@ static void imx_epit_cmp(void *opaque)
> {
> IMXEPITState *s = IMX_EPIT(opaque);
>
> - /* Set the interrupt status flag to signaled. */
> - DPRINTF("sr was %d\n", s->sr);
> - s->sr = 1;
> + if (s->cr & CR_EN) {
> + /* Set the interrupt status flag to signaled. */
> + DPRINTF("sr was %d\n", s->sr);
> + s->sr = 1;
>
> - /*
> - * An actual interrupt is generated only if the peripheral is enabled
> - * and the interrupt generation is enabled.
> - */
> - if ((s->cr & (CR_EN | CR_OCIEN)) == (CR_EN | CR_OCIEN)) {
> - qemu_irq_raise(s->irq);
> + /* If CR,OCIEN is set, an actual interrupt is generated */
> + if (s->cr & CR_OCIEN) {
> + qemu_irq_raise(s->irq);
> + }
> + } else {
> + /*
> + * The cmp ptimer is not supposed to be running when the
> + * peripheral is not enabled. Ignore this. However, it's
> + * worth investigating why this happened.
> + */
> + DPRINTF("compare trigger when timer not enabled\n");
Is this a "can't happen, it would be a bug in this code"? If so,
use assert(). If it's a "guest code can program the timer in
silly ways" situation then either do what the hardware does
or (if it's not clear what that is) do something plausible.
You can use qemu_log_mask(LOG_GUEST_ERROR, ...) to log things
which are "guest has done something silly" if you like.
More generally, please don't introduce new uses of the DPRINTF
macro. For cases which are "this can be useful to the user to
log for debugging either the driver or their guest code" we
have a trace-events facility, where you put a line into
hw/timer/trace-events that specifies the prototype and format
string for the trace event, and then call a corresponding
trace_whatever() function in the code. Some of the other timer
devices do this, if you want to look at how it works.
Older device models like this one still use debug-print macros,
but they're not good practice in new code.
thanks
-- PMM
Peter, > If you're correcting behaviour of the timer use here, > you should start by fixing the way the timers are currently > created with PTIMER_POLICY_LEGACY. That setting is basically > "bug-for-bug-compatibility with very old QEMU, for devices > where nobody really knows what the hardware behaviour should > be". Where we do know what the hardware's supposed to do and > we have some way of testing we're not breaking guest code, > the right thing is to set the correct policy flags for > the desired behaviour. These are documented in a comment > near the top of include/hw/ptimer.h. I would prefer to postpone changing PTIMER_POLICY_LEGACY to a separate patchset, which is on top of the current one, as this seems not to be an issue at the moment. Fixing the general isses on access and ensure the flags are correct seem more pressing, and this seem unrelated to the timer policy. > It is modestly harmful because the sequence > counter = ptimer_get_count(s->timer_reload); > ... > ptimer_set_count(s->timer_cmp, counter); > > will cause the counter to lose or gain time. This happens because > when you call "get" the ptimer code will look at the current exact > time in nanoseconds and tell you the counter value at that point. > That is probably somewhere in the middle of a timer-clock period > (which runs at whatever frequency you tell the ptimer to use): > for argument's sake, suppose the timer-clock counts every 1000ns. > Suppose at the point of the 'get' the next tick will be in 300ns time. > When you do a "set" that is assumed to be the result of a guest > register write of some kind, and will effectively start a new > timer-clock period. This means the next tick will not be for > a full 1000ns, and we just lost 300ns (or gained 700ns perhaps). > So it's better to avoid this kind of "get-and-then-set" code. I see you point. The "get-and-then-set" was already in the code, I did not really change this. I have tried to find a better way to implement this, but could not come up with something so far. Any suggestions here that is non trivial? Othereise I would prefer to look into this in a new patch-set, together with replacing the PTIMER_POLICY_LEGACY. Axel
© 2016 - 2026 Red Hat, Inc.