Series comparison

-[Qemu-devel] [PULL for-4.1 0/7] tcg patch queue
+[PULL 0/4] tcg patch queue
-The following changes since commit 1316b1ddc8a05e418c8134243f8bff8cccbbccb1:
+The following changes since commit 67e41fe0cfb62e6cdfa659f0155417d17e5274ea:
-  Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2019-07-12 15:38:22 +0100)
+  Merge tag 'pull-ppc-20220104' of https://github.com/legoater/qemu into staging (2022-01-04 07:23:27 -0800)
 are available in the Git repository at:
-  https://github.com/rth7680/qemu.git tags/pull-tcg-20190714
+  https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20220104
-for you to fetch changes up to 52ba13f042714c4086416973fb88e2465e0888a1:
+for you to fetch changes up to d7478d4229f0a2b2817a55487e6b17081099fae4:
-  tcg: Release mmap_lock on translation fault (2019-07-14 12:19:01 +0200)
+  common-user: Fix tail calls to safe_syscall_set_errno_tail (2022-01-04 15:41:03 -0800)
 ----------------------------------------------------------------
-Fixes for 3 tcg bugs
+Fix for safe_syscall_base.
 Fix for folding of vector add/sub.
 Fix build on loongarch64 with gcc 8.
 Remove decl for qemu_run_machine_init_done_notifiers.
 ----------------------------------------------------------------
-Richard Henderson (7):
+Philippe Mathieu-Daudé (1):
-      tcg: Fix constant folding of INDEX_op_extract2_i32
+      linux-user: Fix trivial build error on loongarch64 hosts
       tcg/aarch64: Fix output of extract2 opcodes
       include/qemu/atomic.h: Add signal_barrier
       tcg: Introduce set/clear_helper_retaddr
       tcg: Remove cpu_ld*_code_ra
       tcg: Remove duplicate #if !defined(CODE_ACCESS)
       tcg: Release mmap_lock on translation fault
- include/exec/cpu_ldst.h                   | 20 ++++++++
+Richard Henderson (2):
- include/exec/cpu_ldst_useronly_template.h | 40 ++++++++++------
+      tcg/optimize: Fix folding of vector ops
- include/qemu/atomic.h                     | 11 +++++
+      common-user: Fix tail calls to safe_syscall_set_errno_tail
  accel/tcg/user-exec.c                     | 77 +++++++++++++++++++++----------
  target/arm/helper-a64.c                   |  8 ++--
  target/arm/sve_helper.c                   | 43 +++++++++--------
  tcg/aarch64/tcg-target.inc.c              |  2 +-
  tcg/optimize.c                            |  4 +-
 files changed, 139 insertions(+), 66 deletions(-)
+Xiaoyao Li (1):
+      sysemu: Cleanup qemu_run_machine_init_done_notifiers()
+ include/sysemu/sysemu.h                    |  1 -
+ linux-user/host/loongarch64/host-signal.h  |  4 +--
+ tcg/optimize.c                             | 49 +++++++++++++++++++++++-------
+ common-user/host/i386/safe-syscall.inc.S   |  1 +
+ common-user/host/mips/safe-syscall.inc.S   |  1 +
+ common-user/host/x86_64/safe-syscall.inc.S |  1 +
+files changed, 42 insertions(+), 15 deletions(-)

-[Qemu-devel] [PULL for-4.1 1/7] tcg: Fix constant folding of INDEX_op_extract2_i32
+[PULL 1/4] tcg/optimize: Fix folding of vector ops
-On a 64-bit host, discard any replications of the 32-bit
+Bitwise operations are easy to fold, because the operation is
-sign bit when performing the shift and merge.
+identical regardless of element size.  But add and sub need
 extra element size info that is not currently propagated.
-Fixes: https://bugs.launchpad.net/bugs/1834496
+Fixes: 2f9f08ba43d
-Tested-by: Christophe Lyon <christophe.lyon@linaro.org>
+Cc: qemu-stable@nongnu.org
-Tested-by: Alex Bennée <alex.bennee@linaro.org>
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/799
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- tcg/optimize.c | 4 ++--
+ tcg/optimize.c | 49 ++++++++++++++++++++++++++++++++++++++-----------
-file changed, 2 insertions(+), 2 deletions(-)
+file changed, 38 insertions(+), 11 deletions(-)
 diff --git a/tcg/optimize.c b/tcg/optimize.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tcg/optimize.c
 +++ b/tcg/optimize.c
+@@ -XXX,XX +XXX,XX @@ static uint64_t do_constant_folding_2(TCGOpcode op, uint64_t x, uint64_t y)
+     CASE_OP_32_64(mul):
+         return x * y;
+-    CASE_OP_32_64(and):
++    CASE_OP_32_64_VEC(and):
+         return x & y;
+-    CASE_OP_32_64(or):
++    CASE_OP_32_64_VEC(or):
+         return x | y;
+-    CASE_OP_32_64(xor):
++    CASE_OP_32_64_VEC(xor):
+         return x ^ y;
+     case INDEX_op_shl_i32:
+@@ -XXX,XX +XXX,XX @@ static uint64_t do_constant_folding_2(TCGOpcode op, uint64_t x, uint64_t y)
+     case INDEX_op_rotl_i64:
+         return rol64(x, y & 63);
+-    CASE_OP_32_64(not):
++    CASE_OP_32_64_VEC(not):
+         return ~x;
+     CASE_OP_32_64(neg):
+         return -x;
+-    CASE_OP_32_64(andc):
++    CASE_OP_32_64_VEC(andc):
+         return x & ~y;
+-    CASE_OP_32_64(orc):
++    CASE_OP_32_64_VEC(orc):
+         return x | ~y;
+     CASE_OP_32_64(eqv):
+@@ -XXX,XX +XXX,XX @@ static bool fold_const2(OptContext *ctx, TCGOp *op)
+     return false;
+ }
++static bool fold_commutative(OptContext *ctx, TCGOp *op)
++{
++    swap_commutative(op->args[0], &op->args[1], &op->args[2]);
++    return false;
++}
++
+ static bool fold_const2_commutative(OptContext *ctx, TCGOp *op)
+ {
+     swap_commutative(op->args[0], &op->args[1], &op->args[2]);
+@@ -XXX,XX +XXX,XX @@ static bool fold_add(OptContext *ctx, TCGOp *op)
+     return false;
+ }
++/* We cannot as yet do_constant_folding with vectors. */
++static bool fold_add_vec(OptContext *ctx, TCGOp *op)
++{
++    if (fold_commutative(ctx, op) ||
++        fold_xi_to_x(ctx, op, 0)) {
++        return true;
++    }
++    return false;
++}
++
+ static bool fold_addsub2(OptContext *ctx, TCGOp *op, bool add)
+ {
+     if (arg_is_const(op->args[2]) && arg_is_const(op->args[3]) &&
+@@ -XXX,XX +XXX,XX @@ static bool fold_sub_to_neg(OptContext *ctx, TCGOp *op)
+     return false;
+ }
+-static bool fold_sub(OptContext *ctx, TCGOp *op)
++/* We cannot as yet do_constant_folding with vectors. */
++static bool fold_sub_vec(OptContext *ctx, TCGOp *op)
+ {
+-    if (fold_const2(ctx, op) ||
+-        fold_xx_to_i(ctx, op, 0) ||
++    if (fold_xx_to_i(ctx, op, 0) ||
+         fold_xi_to_x(ctx, op, 0) ||
+         fold_sub_to_neg(ctx, op)) {
+         return true;
+@@ -XXX,XX +XXX,XX @@ static bool fold_sub(OptContext *ctx, TCGOp *op)
+     return false;
+ }
++static bool fold_sub(OptContext *ctx, TCGOp *op)
++{
++    return fold_const2(ctx, op) || fold_sub_vec(ctx, op);
++}
++
+ static bool fold_sub2(OptContext *ctx, TCGOp *op)
+ {
+     return fold_addsub2(ctx, op, false);
 @@ -XXX,XX +XXX,XX @@ void tcg_optimize(TCGContext *s)
-                 if (opc == INDEX_op_extract2_i64) {
+          * Sorted alphabetically by opcode as much as possible.
-                     tmp = (v1 >> op->args[3]) | (v2 << (64 - op->args[3]));
+          */
-                 } else {
+         switch (opc) {
--                    tmp = (v1 >> op->args[3]) | (v2 << (32 - op->args[3]));
+-        CASE_OP_32_64_VEC(add):
--                    tmp = (int32_t)tmp;
++        CASE_OP_32_64(add):
-+                    tmp = (int32_t)(((uint32_t)v1 >> op->args[3]) |
+             done = fold_add(&ctx, op);
-+                                    ((uint32_t)v2 << (32 - op->args[3])));
+             break;
-                 }
++        case INDEX_op_add_vec:
-                 tcg_opt_gen_movi(s, op, op->args[0], tmp);
++            done = fold_add_vec(&ctx, op);
-                 break;
++            break;
          CASE_OP_32_64(add2):
              done = fold_add2(&ctx, op);
              break;
@@ -XXX,XX +XXX,XX @@ void tcg_optimize(TCGContext *s)
          CASE_OP_32_64(sextract):
              done = fold_sextract(&ctx, op);
              break;
 -        CASE_OP_32_64_VEC(sub):
 +        CASE_OP_32_64(sub):
              done = fold_sub(&ctx, op);
              break;
 +        case INDEX_op_sub_vec:
 +            done = fold_sub_vec(&ctx, op);
 +            break;
          CASE_OP_32_64(sub2):
              done = fold_sub2(&ctx, op);
              break;
 --
-.17.1
+.25.1

-[Qemu-devel] [PULL for-4.1 2/7] tcg/aarch64: Fix output of extract2 opcodes
+Deleted patch
-This patch fixes two problems:
-(1) The inputs to the EXTR insn were reversed,
-(2) The input constraints use rZ, which means that we need to use
-    the REG0 macro in order to supply XZR for a constant 0 input.
-Fixes: 464c2969d5d
-Reported-by: Peter Maydell <peter.maydell@linaro.org>
-Tested-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
----
- tcg/aarch64/tcg-target.inc.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/tcg/aarch64/tcg-target.inc.c b/tcg/aarch64/tcg-target.inc.c
-index XXXXXXX..XXXXXXX 100644
---- a/tcg/aarch64/tcg-target.inc.c
-+++ b/tcg/aarch64/tcg-target.inc.c
-@@ -XXX,XX +XXX,XX @@ static void tcg_out_op(TCGContext *s, TCGOpcode opc,
-     case INDEX_op_extract2_i64:
-     case INDEX_op_extract2_i32:
--        tcg_out_extr(s, ext, a0, a1, a2, args[3]);
-+        tcg_out_extr(s, ext, a0, REG0(2), REG0(1), args[3]);
-         break;
-     case INDEX_op_add2_i32:
---
-.17.1

-[Qemu-devel] [PULL for-4.1 3/7] include/qemu/atomic.h: Add signal_barrier
+Deleted patch
-We have some potential race conditions vs our user-exec signal
-handler that will be solved with this barrier.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
----
- include/qemu/atomic.h | 11 +++++++++++
-file changed, 11 insertions(+)
-diff --git a/include/qemu/atomic.h b/include/qemu/atomic.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/qemu/atomic.h
-+++ b/include/qemu/atomic.h
-@@ -XXX,XX +XXX,XX @@
- #define smp_read_barrier_depends()   barrier()
- #endif
-+/*
-+ * A signal barrier forces all pending local memory ops to be observed before
-+ * a SIGSEGV is delivered to the *same* thread.  In practice this is exactly
-+ * the same as barrier(), but since we have the correct builtin, use it.
-+ */
-+#define signal_barrier()    __atomic_signal_fence(__ATOMIC_SEQ_CST)
-+
- /* Sanity check that the size of an atomic operation isn't "overly large".
-  * Despite the fact that e.g. i686 has 64-bit atomic operations, we do not
-  * want to use them because we ought not need them, and this lets us do a
-@@ -XXX,XX +XXX,XX @@
- #define smp_read_barrier_depends()   barrier()
- #endif
-+#ifndef signal_barrier
-+#define signal_barrier()    barrier()
-+#endif
-+
- /* These will only be atomic if the processor does the fetch or store
-  * in a single issue memory operation
-  */
---
-.17.1

-[Qemu-devel] [PULL for-4.1 4/7] tcg: Introduce set/clear_helper_retaddr
+Deleted patch
-At present we have a potential error in that helper_retaddr contains
-data for handle_cpu_signal, but we have not ensured that those stores
-will be scheduled properly before the operation that may fault.
-It might be that these races are not in practice observable, due to
-our use of -fno-strict-aliasing, but better safe than sorry.
-Adjust all of the setters of helper_retaddr.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
----
- include/exec/cpu_ldst.h                   | 20 +++++++++++
- include/exec/cpu_ldst_useronly_template.h | 12 +++----
- accel/tcg/user-exec.c                     | 11 +++---
- target/arm/helper-a64.c                   |  8 ++---
- target/arm/sve_helper.c                   | 43 +++++++++++------------
-files changed, 57 insertions(+), 37 deletions(-)
-diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/exec/cpu_ldst.h
-+++ b/include/exec/cpu_ldst.h
-@@ -XXX,XX +XXX,XX @@ typedef target_ulong abi_ptr;
- extern __thread uintptr_t helper_retaddr;
-+static inline void set_helper_retaddr(uintptr_t ra)
-+{
-+    helper_retaddr = ra;
-+    /*
-+     * Ensure that this write is visible to the SIGSEGV handler that
-+     * may be invoked due to a subsequent invalid memory operation.
-+     */
-+    signal_barrier();
-+}
-+
-+static inline void clear_helper_retaddr(void)
-+{
-+    /*
-+     * Ensure that previous memory operations have succeeded before
-+     * removing the data visible to the signal handler.
-+     */
-+    signal_barrier();
-+    helper_retaddr = 0;
-+}
-+
- /* In user-only mode we provide only the _code and _data accessors. */
- #define MEMSUFFIX _data
-diff --git a/include/exec/cpu_ldst_useronly_template.h b/include/exec/cpu_ldst_useronly_template.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/exec/cpu_ldst_useronly_template.h
-+++ b/include/exec/cpu_ldst_useronly_template.h
-@@ -XXX,XX +XXX,XX @@ glue(glue(glue(cpu_ld, USUFFIX), MEMSUFFIX), _ra)(CPUArchState *env,
-                                                   uintptr_t retaddr)
- {
-     RES_TYPE ret;
--    helper_retaddr = retaddr;
-+    set_helper_retaddr(retaddr);
-     ret = glue(glue(cpu_ld, USUFFIX), MEMSUFFIX)(env, ptr);
--    helper_retaddr = 0;
-+    clear_helper_retaddr();
-     return ret;
- }
-@@ -XXX,XX +XXX,XX @@ glue(glue(glue(cpu_lds, SUFFIX), MEMSUFFIX), _ra)(CPUArchState *env,
-                                                   uintptr_t retaddr)
- {
-     int ret;
--    helper_retaddr = retaddr;
-+    set_helper_retaddr(retaddr);
-     ret = glue(glue(cpu_lds, SUFFIX), MEMSUFFIX)(env, ptr);
--    helper_retaddr = 0;
-+    clear_helper_retaddr();
-     return ret;
- }
- #endif
-@@ -XXX,XX +XXX,XX @@ glue(glue(glue(cpu_st, SUFFIX), MEMSUFFIX), _ra)(CPUArchState *env,
-                                                   RES_TYPE v,
-                                                   uintptr_t retaddr)
- {
--    helper_retaddr = retaddr;
-+    set_helper_retaddr(retaddr);
-     glue(glue(cpu_st, SUFFIX), MEMSUFFIX)(env, ptr, v);
--    helper_retaddr = 0;
-+    clear_helper_retaddr();
- }
- #endif
-diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
-index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/user-exec.c
-+++ b/accel/tcg/user-exec.c
-@@ -XXX,XX +XXX,XX @@ static inline int handle_cpu_signal(uintptr_t pc, siginfo_t *info,
-              * currently executing TB was modified and must be exited
-              * immediately.  Clear helper_retaddr for next execution.
-              */
--            helper_retaddr = 0;
-+            clear_helper_retaddr();
-             cpu_exit_tb_from_sighandler(cpu, old_set);
-             /* NORETURN */
-@@ -XXX,XX +XXX,XX @@ static inline int handle_cpu_signal(uintptr_t pc, siginfo_t *info,
-      * an exception.  Undo signal and retaddr state prior to longjmp.
-      */
-     sigprocmask(SIG_SETMASK, old_set, NULL);
--    helper_retaddr = 0;
-+    clear_helper_retaddr();
-     cc = CPU_GET_CLASS(cpu);
-     access_type = is_write ? MMU_DATA_STORE : MMU_DATA_LOAD;
-@@ -XXX,XX +XXX,XX @@ static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr,
-     if (unlikely(addr & (size - 1))) {
-         cpu_loop_exit_atomic(env_cpu(env), retaddr);
-     }
--    helper_retaddr = retaddr;
--    return g2h(addr);
-+    void *ret = g2h(addr);
-+    set_helper_retaddr(retaddr);
-+    return ret;
- }
- /* Macro to call the above, with local variables from the use context.  */
- #define ATOMIC_MMU_DECLS do {} while (0)
- #define ATOMIC_MMU_LOOKUP  atomic_mmu_lookup(env, addr, DATA_SIZE, GETPC())
--#define ATOMIC_MMU_CLEANUP do { helper_retaddr = 0; } while (0)
-+#define ATOMIC_MMU_CLEANUP do { clear_helper_retaddr(); } while (0)
- #define ATOMIC_NAME(X)   HELPER(glue(glue(atomic_ ## X, SUFFIX), END))
- #define EXTRA_ARGS
-diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-a64.c
-+++ b/target/arm/helper-a64.c
-@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(paired_cmpxchg64_le)(CPUARMState *env, uint64_t addr,
-     /* ??? Enforce alignment.  */
-     uint64_t *haddr = g2h(addr);
--    helper_retaddr = ra;
-+    set_helper_retaddr(ra);
-     o0 = ldq_le_p(haddr + 0);
-     o1 = ldq_le_p(haddr + 1);
-     oldv = int128_make128(o0, o1);
-@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(paired_cmpxchg64_le)(CPUARMState *env, uint64_t addr,
-         stq_le_p(haddr + 0, int128_getlo(newv));
-         stq_le_p(haddr + 1, int128_gethi(newv));
-     }
--    helper_retaddr = 0;
-+    clear_helper_retaddr();
- #else
-     int mem_idx = cpu_mmu_index(env, false);
-     TCGMemOpIdx oi0 = make_memop_idx(MO_LEQ | MO_ALIGN_16, mem_idx);
-@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(paired_cmpxchg64_be)(CPUARMState *env, uint64_t addr,
-     /* ??? Enforce alignment.  */
-     uint64_t *haddr = g2h(addr);
--    helper_retaddr = ra;
-+    set_helper_retaddr(ra);
-     o1 = ldq_be_p(haddr + 0);
-     o0 = ldq_be_p(haddr + 1);
-     oldv = int128_make128(o0, o1);
-@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(paired_cmpxchg64_be)(CPUARMState *env, uint64_t addr,
-         stq_be_p(haddr + 0, int128_gethi(newv));
-         stq_be_p(haddr + 1, int128_getlo(newv));
-     }
--    helper_retaddr = 0;
-+    clear_helper_retaddr();
- #else
-     int mem_idx = cpu_mmu_index(env, false);
-     TCGMemOpIdx oi0 = make_memop_idx(MO_BEQ | MO_ALIGN_16, mem_idx);
-diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve_helper.c
-+++ b/target/arm/sve_helper.c
-@@ -XXX,XX +XXX,XX @@ static intptr_t max_for_page(target_ulong base, intptr_t mem_off,
-     return MIN(split, mem_max - mem_off) + mem_off;
- }
--static inline void set_helper_retaddr(uintptr_t ra)
--{
--#ifdef CONFIG_USER_ONLY
--    helper_retaddr = ra;
-+#ifndef CONFIG_USER_ONLY
-+/* These are normally defined only for CONFIG_USER_ONLY in <exec/cpu_ldst.h> */
-+static inline void set_helper_retaddr(uintptr_t ra) { }
-+static inline void clear_helper_retaddr(void) { }
- #endif
--}
- /*
-  * The result of tlb_vaddr_to_host for user-only is just g2h(x),
-@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
-         if (test_host_page(host)) {
-             mem_off = host_fn(vd, vg, host - mem_off, mem_off, mem_max);
-             tcg_debug_assert(mem_off == mem_max);
--            set_helper_retaddr(0);
-+            clear_helper_retaddr();
-             /* After having taken any fault, zero leading inactive elements. */
-             swap_memzero(vd, reg_off);
-             return;
-@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
-     }
- #endif
--    set_helper_retaddr(0);
-+    clear_helper_retaddr();
-     memcpy(vd, &scratch, reg_max);
- }
-@@ -XXX,XX +XXX,XX @@ static void sve_ld2_r(CPUARMState *env, void *vg, target_ulong addr,
-             addr += 2 * size;
-         } while (i & 15);
-     }
--    set_helper_retaddr(0);
-+    clear_helper_retaddr();
-     /* Wait until all exceptions have been raised to write back.  */
-     memcpy(&env->vfp.zregs[rd], &scratch[0], oprsz);
-@@ -XXX,XX +XXX,XX @@ static void sve_ld3_r(CPUARMState *env, void *vg, target_ulong addr,
-             addr += 3 * size;
-         } while (i & 15);
-     }
--    set_helper_retaddr(0);
-+    clear_helper_retaddr();
-     /* Wait until all exceptions have been raised to write back.  */
-     memcpy(&env->vfp.zregs[rd], &scratch[0], oprsz);
-@@ -XXX,XX +XXX,XX @@ static void sve_ld4_r(CPUARMState *env, void *vg, target_ulong addr,
-             addr += 4 * size;
-         } while (i & 15);
-     }
--    set_helper_retaddr(0);
-+    clear_helper_retaddr();
-     /* Wait until all exceptions have been raised to write back.  */
-     memcpy(&env->vfp.zregs[rd], &scratch[0], oprsz);
-@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
-         if (test_host_page(host)) {
-             mem_off = host_fn(vd, vg, host - mem_off, mem_off, mem_max);
-             tcg_debug_assert(mem_off == mem_max);
--            set_helper_retaddr(0);
-+            clear_helper_retaddr();
-             /* After any fault, zero any leading inactive elements.  */
-             swap_memzero(vd, reg_off);
-             return;
-@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
-     }
- #endif
--    set_helper_retaddr(0);
-+    clear_helper_retaddr();
-     record_fault(env, reg_off, reg_max);
- }
-@@ -XXX,XX +XXX,XX @@ static void sve_st1_r(CPUARMState *env, void *vg, target_ulong addr,
-             addr += msize;
-         } while (i & 15);
-     }
--    set_helper_retaddr(0);
-+    clear_helper_retaddr();
- }
- static void sve_st2_r(CPUARMState *env, void *vg, target_ulong addr,
-@@ -XXX,XX +XXX,XX @@ static void sve_st2_r(CPUARMState *env, void *vg, target_ulong addr,
-             addr += 2 * msize;
-         } while (i & 15);
-     }
--    set_helper_retaddr(0);
-+    clear_helper_retaddr();
- }
- static void sve_st3_r(CPUARMState *env, void *vg, target_ulong addr,
-@@ -XXX,XX +XXX,XX @@ static void sve_st3_r(CPUARMState *env, void *vg, target_ulong addr,
-             addr += 3 * msize;
-         } while (i & 15);
-     }
--    set_helper_retaddr(0);
-+    clear_helper_retaddr();
- }
- static void sve_st4_r(CPUARMState *env, void *vg, target_ulong addr,
-@@ -XXX,XX +XXX,XX @@ static void sve_st4_r(CPUARMState *env, void *vg, target_ulong addr,
-             addr += 4 * msize;
-         } while (i & 15);
-     }
--    set_helper_retaddr(0);
-+    clear_helper_retaddr();
- }
- #define DO_STN_1(N, NAME, ESIZE) \
-@@ -XXX,XX +XXX,XX @@ static void sve_ld1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
-             i += 4, pg >>= 4;
-         } while (i & 15);
-     }
--    set_helper_retaddr(0);
-+    clear_helper_retaddr();
-     /* Wait until all exceptions have been raised to write back.  */
-     memcpy(vd, &scratch, oprsz);
-@@ -XXX,XX +XXX,XX @@ static void sve_ld1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
-             tlb_fn(env, &scratch, i * 8, base + (off << scale), oi, ra);
-         }
-     }
--    set_helper_retaddr(0);
-+    clear_helper_retaddr();
-     /* Wait until all exceptions have been raised to write back.  */
-     memcpy(vd, &scratch, oprsz * 8);
-@@ -XXX,XX +XXX,XX @@ static inline void sve_ldff1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
-         tlb_fn(env, vd, reg_off, addr, oi, ra);
-         /* The rest of the reads will be non-faulting.  */
--        set_helper_retaddr(0);
-+        clear_helper_retaddr();
-     }
-     /* After any fault, zero the leading predicated false elements.  */
-@@ -XXX,XX +XXX,XX @@ static inline void sve_ldff1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
-         tlb_fn(env, vd, reg_off, addr, oi, ra);
-         /* The rest of the reads will be non-faulting.  */
--        set_helper_retaddr(0);
-+        clear_helper_retaddr();
-     }
-     /* After any fault, zero the leading predicated false elements.  */
-@@ -XXX,XX +XXX,XX @@ static void sve_st1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
-             i += 4, pg >>= 4;
-         } while (i & 15);
-     }
--    set_helper_retaddr(0);
-+    clear_helper_retaddr();
- }
- static void sve_st1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
-@@ -XXX,XX +XXX,XX @@ static void sve_st1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
-             tlb_fn(env, vd, i * 8, base + (off << scale), oi, ra);
-         }
-     }
--    set_helper_retaddr(0);
-+    clear_helper_retaddr();
- }
- #define DO_ST1_ZPZ_S(MEM, OFS) \
---
-.17.1

-[Qemu-devel] [PULL for-4.1 7/7] tcg: Release mmap_lock on translation fault
+[PULL 2/4] linux-user: Fix trivial build error on loongarch64 hosts
-Turn helper_retaddr into a multi-state flag that may now also
+From: Philippe Mathieu-Daudé <f4bug@amsat.org>
 indicate when we're performing a read on behalf of the translator.
 In this case, release the mmap_lock before the longjmp back to
 the main cpu loop, and thereby avoid a failing assert therein.
-Fixes: https://bugs.launchpad.net/qemu/+bug/1832353
+When building using GCC 8.3.0 on loongarch64 (Loongnix) we get:
-Tested-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+  In file included from ../linux-user/signal.c:33:
   ../linux-user/host/loongarch64/host-signal.h: In function ‘host_signal_write’:
   ../linux-user/host/loongarch64/host-signal.h:57:9: error: a label can only be part of a statement and a declaration is not a statement
          uint32_t sel = (insn >> 15) & 0b11111111111;
          ^~~~~~~~
 We don't use the 'sel' variable more than once, so drop it.
 Meson output for the record:
   Host machine cpu family: loongarch64
   Host machine cpu: loongarch64
   C compiler for the host machine: cc (gcc 8.3.0 "cc (Loongnix 8.3.0-6.lnd.vec.27) 8.3.0")
   C linker for the host machine: cc ld.bfd 2.31.1-system
 Fixes: ad812c3bd65 ("linux-user: Implement CPU-specific signal handler for loongarch64 hosts")
 Reported-by: Song Gao <gaosong@loongson.cn>
 Suggested-by: Song Gao <gaosong@loongson.cn>
 Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: WANG Xuerui <git@xen0n.name>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-Id: <20220104215027.2180972-1-f4bug@amsat.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/exec/cpu_ldst_useronly_template.h | 20 +++++--
+ linux-user/host/loongarch64/host-signal.h | 4 +---
- accel/tcg/user-exec.c                     | 66 ++++++++++++++++-------
+file changed, 1 insertion(+), 3 deletions(-)
 files changed, 63 insertions(+), 23 deletions(-)
-diff --git a/include/exec/cpu_ldst_useronly_template.h b/include/exec/cpu_ldst_useronly_template.h
+diff --git a/linux-user/host/loongarch64/host-signal.h b/linux-user/host/loongarch64/host-signal.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/cpu_ldst_useronly_template.h
+--- a/linux-user/host/loongarch64/host-signal.h
-+++ b/include/exec/cpu_ldst_useronly_template.h
++++ b/linux-user/host/loongarch64/host-signal.h
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static inline bool host_signal_write(siginfo_t *info, ucontext_t *uc)
- static inline RES_TYPE
+         }
- glue(glue(cpu_ld, USUFFIX), MEMSUFFIX)(CPUArchState *env, abi_ptr ptr)
+         break;
- {
+     case 0b001110: /* indexed, atomic, bounds-checking memory operations */
--#if !defined(CODE_ACCESS)
+-        uint32_t sel = (insn >> 15) & 0b11111111111;
-+#ifdef CODE_ACCESS
+-
-+    RES_TYPE ret;
+-        switch (sel) {
-+    set_helper_retaddr(1);
++        switch ((insn >> 15) & 0b11111111111) {
-+    ret = glue(glue(ld, USUFFIX), _p)(g2h(ptr));
+         case 0b00000100000: /* stx.b */
-+    clear_helper_retaddr();
+         case 0b00000101000: /* stx.h */
-+    return ret;
+         case 0b00000110000: /* stx.w */
 +#else
      trace_guest_mem_before_exec(
          env_cpu(env), ptr,
          trace_mem_build_info(SHIFT, false, MO_TE, false));
 -#endif
      return glue(glue(ld, USUFFIX), _p)(g2h(ptr));
 +#endif
  }
  #ifndef CODE_ACCESS
@@ -XXX,XX +XXX,XX @@ glue(glue(glue(cpu_ld, USUFFIX), MEMSUFFIX), _ra)(CPUArchState *env,
  static inline int
  glue(glue(cpu_lds, SUFFIX), MEMSUFFIX)(CPUArchState *env, abi_ptr ptr)
  {
 -#if !defined(CODE_ACCESS)
 +#ifdef CODE_ACCESS
 +    int ret;
 +    set_helper_retaddr(1);
 +    ret = glue(glue(lds, SUFFIX), _p)(g2h(ptr));
 +    clear_helper_retaddr();
 +    return ret;
 +#else
      trace_guest_mem_before_exec(
          env_cpu(env), ptr,
          trace_mem_build_info(SHIFT, true, MO_TE, false));
 -#endif
      return glue(glue(lds, SUFFIX), _p)(g2h(ptr));
 +#endif
  }
  #ifndef CODE_ACCESS
 diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/user-exec.c
 +++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ static inline int handle_cpu_signal(uintptr_t pc, siginfo_t *info,
      CPUState *cpu = current_cpu;
      CPUClass *cc;
      unsigned long address = (unsigned long)info->si_addr;
 -    MMUAccessType access_type;
 +    MMUAccessType access_type = is_write ? MMU_DATA_STORE : MMU_DATA_LOAD;
 -    /* We must handle PC addresses from two different sources:
 -     * a call return address and a signal frame address.
 -     *
 -     * Within cpu_restore_state_from_tb we assume the former and adjust
 -     * the address by -GETPC_ADJ so that the address is within the call
 -     * insn so that addr does not accidentally match the beginning of the
 -     * next guest insn.
 -     *
 -     * However, when the PC comes from the signal frame, it points to
 -     * the actual faulting host insn and not a call insn.  Subtracting
 -     * GETPC_ADJ in that case may accidentally match the previous guest insn.
 -     *
 -     * So for the later case, adjust forward to compensate for what
 -     * will be done later by cpu_restore_state_from_tb.
 -     */
 -    if (helper_retaddr) {
 +    switch (helper_retaddr) {
 +    default:
 +        /*
 +         * Fault during host memory operation within a helper function.
 +         * The helper's host return address, saved here, gives us a
 +         * pointer into the generated code that will unwind to the
 +         * correct guest pc.
 +         */
          pc = helper_retaddr;
 -    } else {
 +        break;
 +
 +    case 0:
 +        /*
 +         * Fault during host memory operation within generated code.
 +         * (Or, a unrelated bug within qemu, but we can't tell from here).
 +         *
 +         * We take the host pc from the signal frame.  However, we cannot
 +         * use that value directly.  Within cpu_restore_state_from_tb, we
 +         * assume PC comes from GETPC(), as used by the helper functions,
 +         * so we adjust the address by -GETPC_ADJ to form an address that
 +         * is within the call insn, so that the address does not accidentially
 +         * match the beginning of the next guest insn.  However, when the
 +         * pc comes from the signal frame it points to the actual faulting
 +         * host memory insn and not the return from a call insn.
 +         *
 +         * Therefore, adjust to compensate for what will be done later
 +         * by cpu_restore_state_from_tb.
 +         */
          pc += GETPC_ADJ;
 +        break;
 +
 +    case 1:
 +        /*
 +         * Fault during host read for translation, or loosely, "execution".
 +         *
 +         * The guest pc is already pointing to the start of the TB for which
 +         * code is being generated.  If the guest translator manages the
 +         * page crossings correctly, this is exactly the correct address
 +         * (and if the translator doesn't handle page boundaries correctly
 +         * there's little we can do about that here).  Therefore, do not
 +         * trigger the unwinder.
 +         *
 +         * Like tb_gen_code, release the memory lock before cpu_loop_exit.
 +         */
 +        pc = 0;
 +        access_type = MMU_INST_FETCH;
 +        mmap_unlock();
 +        break;
      }
      /* For synchronous signals we expect to be coming from the vCPU
@@ -XXX,XX +XXX,XX @@ static inline int handle_cpu_signal(uintptr_t pc, siginfo_t *info,
      clear_helper_retaddr();
      cc = CPU_GET_CLASS(cpu);
 -    access_type = is_write ? MMU_DATA_STORE : MMU_DATA_LOAD;
      cc->tlb_fill(cpu, address, 0, access_type, MMU_USER_IDX, false, pc);
      g_assert_not_reached();
  }
 --
-.17.1
+.25.1

-[Qemu-devel] [PULL for-4.1 5/7] tcg: Remove cpu_ld*_code_ra
+[PULL 3/4] sysemu: Cleanup qemu_run_machine_init_done_notifiers()
-These functions are not used, and are not usable in the
+From: Xiaoyao Li <xiaoyao.li@intel.com>
 context of code generation, because we never have a helper
 return address to pass in to them.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Remove qemu_run_machine_init_done_notifiers() since no implementation
 and user.
 Fixes: f66dc8737c9 ("vl: move all generic initialization out of vl.c")
 Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Message-Id: <20220104024136.1433545-1-xiaoyao.li@intel.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/exec/cpu_ldst_useronly_template.h | 6 +++++-
+ include/sysemu/sysemu.h | 1 -
-file changed, 5 insertions(+), 1 deletion(-)
+file changed, 1 deletion(-)
-diff --git a/include/exec/cpu_ldst_useronly_template.h b/include/exec/cpu_ldst_useronly_template.h
+diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/cpu_ldst_useronly_template.h
+--- a/include/sysemu/sysemu.h
-+++ b/include/exec/cpu_ldst_useronly_template.h
++++ b/include/sysemu/sysemu.h
-@@ -XXX,XX +XXX,XX @@ glue(glue(cpu_ld, USUFFIX), MEMSUFFIX)(CPUArchState *env, abi_ptr ptr)
+@@ -XXX,XX +XXX,XX @@ extern bool qemu_uuid_set;
-     return glue(glue(ld, USUFFIX), _p)(g2h(ptr));
+ void qemu_add_exit_notifier(Notifier *notify);
- }
+ void qemu_remove_exit_notifier(Notifier *notify);
-+#ifndef CODE_ACCESS
+-void qemu_run_machine_init_done_notifiers(void);
- static inline RES_TYPE
+ void qemu_add_machine_init_done_notifier(Notifier *notify);
- glue(glue(glue(cpu_ld, USUFFIX), MEMSUFFIX), _ra)(CPUArchState *env,
+ void qemu_remove_machine_init_done_notifier(Notifier *notify);
-                                                   abi_ptr ptr,
@@ -XXX,XX +XXX,XX @@ glue(glue(glue(cpu_ld, USUFFIX), MEMSUFFIX), _ra)(CPUArchState *env,
      clear_helper_retaddr();
      return ret;
  }
 +#endif
  #if DATA_SIZE <= 2
  static inline int
@@ -XXX,XX +XXX,XX @@ glue(glue(cpu_lds, SUFFIX), MEMSUFFIX)(CPUArchState *env, abi_ptr ptr)
      return glue(glue(lds, SUFFIX), _p)(g2h(ptr));
  }
 +#ifndef CODE_ACCESS
  static inline int
  glue(glue(glue(cpu_lds, SUFFIX), MEMSUFFIX), _ra)(CPUArchState *env,
                                                    abi_ptr ptr,
@@ -XXX,XX +XXX,XX @@ glue(glue(glue(cpu_lds, SUFFIX), MEMSUFFIX), _ra)(CPUArchState *env,
      clear_helper_retaddr();
      return ret;
  }
 -#endif
 +#endif /* CODE_ACCESS */
 +#endif /* DATA_SIZE <= 2 */
  #ifndef CODE_ACCESS
  static inline void
 --
-.17.1
+.25.1

-[Qemu-devel] [PULL for-4.1 6/7] tcg: Remove duplicate #if !defined(CODE_ACCESS)
+[PULL 4/4] common-user: Fix tail calls to safe_syscall_set_errno_tail
-This code block is already surrounded by #ifndef CODE_ACCESS.
+For the ABIs in which the syscall return register is not
 also the first function argument register, move the errno
 value into the correct place.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Fixes: a3310c0397e2 ("linux-user: Move syscall error detection into safe_syscall_base")
 Reported-by: Laurent Vivier <laurent@vivier.eu>
 Tested-by: Laurent Vivier <laurent@vivier.eu>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20220104190454.542225-1-richard.henderson@linaro.org>
 ---
- include/exec/cpu_ldst_useronly_template.h | 2 --
+ common-user/host/i386/safe-syscall.inc.S   | 1 +
-file changed, 2 deletions(-)
+ common-user/host/mips/safe-syscall.inc.S   | 1 +
  common-user/host/x86_64/safe-syscall.inc.S | 1 +
 files changed, 3 insertions(+)
-diff --git a/include/exec/cpu_ldst_useronly_template.h b/include/exec/cpu_ldst_useronly_template.h
+diff --git a/common-user/host/i386/safe-syscall.inc.S b/common-user/host/i386/safe-syscall.inc.S
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/cpu_ldst_useronly_template.h
+--- a/common-user/host/i386/safe-syscall.inc.S
-+++ b/include/exec/cpu_ldst_useronly_template.h
++++ b/common-user/host/i386/safe-syscall.inc.S
-@@ -XXX,XX +XXX,XX @@ static inline void
+@@ -XXX,XX +XXX,XX @@ safe_syscall_end:
- glue(glue(cpu_st, SUFFIX), MEMSUFFIX)(CPUArchState *env, abi_ptr ptr,
+         pop     %ebp
-                                       RES_TYPE v)
+         .cfi_adjust_cfa_offset -4
- {
+         .cfi_restore ebp
--#if !defined(CODE_ACCESS)
++        mov     %eax, (%esp)
-     trace_guest_mem_before_exec(
+         jmp     safe_syscall_set_errno_tail
-         env_cpu(env), ptr,
-         trace_mem_build_info(SHIFT, false, MO_TE, true));
+         .cfi_endproc
--#endif
+diff --git a/common-user/host/mips/safe-syscall.inc.S b/common-user/host/mips/safe-syscall.inc.S
-     glue(glue(st, SUFFIX), _p)(g2h(ptr), v);
+index XXXXXXX..XXXXXXX 100644
- }
+--- a/common-user/host/mips/safe-syscall.inc.S
 +++ b/common-user/host/mips/safe-syscall.inc.S
@@ -XXX,XX +XXX,XX @@ safe_syscall_end:
 :      USE_ALT_CP(t0)
          SETUP_GPX(t1)
          SETUP_GPX64(t0, t1)
 +        move    a0, v0
          PTR_LA  t9, safe_syscall_set_errno_tail
          jr      t9
 diff --git a/common-user/host/x86_64/safe-syscall.inc.S b/common-user/host/x86_64/safe-syscall.inc.S
 index XXXXXXX..XXXXXXX 100644
 --- a/common-user/host/x86_64/safe-syscall.inc.S
 +++ b/common-user/host/x86_64/safe-syscall.inc.S
@@ -XXX,XX +XXX,XX @@ safe_syscall_end:
 :      pop     %rbp
          .cfi_def_cfa_offset 8
          .cfi_restore rbp
 +        mov     %eax, %edi
          jmp     safe_syscall_set_errno_tail
          .cfi_endproc
 --
-.17.1
+.25.1

The following changes since commit 1316b1ddc8a05e418c8134243f8bff8cccbbccb1:

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2019-07-12 15:38:22 +0100)

are available in the Git repository at:

https://github.com/rth7680/qemu.git tags/pull-tcg-20190714

for you to fetch changes up to 52ba13f042714c4086416973fb88e2465e0888a1:

tcg: Release mmap_lock on translation fault (2019-07-14 12:19:01 +0200)

----------------------------------------------------------------
Fixes for 3 tcg bugs

----------------------------------------------------------------
Richard Henderson (7):
      tcg: Fix constant folding of INDEX_op_extract2_i32
      tcg/aarch64: Fix output of extract2 opcodes
      include/qemu/atomic.h: Add signal_barrier
      tcg: Introduce set/clear_helper_retaddr
      tcg: Remove cpu_ld*_code_ra
      tcg: Remove duplicate #if !defined(CODE_ACCESS)
      tcg: Release mmap_lock on translation fault

On a 64-bit host, discard any replications of the 32-bit
sign bit when performing the shift and merge.

Fixes: https://bugs.launchpad.net/bugs/1834496
Tested-by: Christophe Lyon <christophe.lyon@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/optimize.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tcg/optimize.c b/tcg/optimize.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/optimize.c
+++ b/tcg/optimize.c
@@ -XXX,XX +XXX,XX @@ void tcg_optimize(TCGContext *s)
                 if (opc == INDEX_op_extract2_i64) {
                     tmp = (v1 >> op->args[3]) | (v2 << (64 - op->args[3]));
                 } else {
-                    tmp = (v1 >> op->args[3]) | (v2 << (32 - op->args[3]));
-                    tmp = (int32_t)tmp;
+                    tmp = (int32_t)(((uint32_t)v1 >> op->args[3]) |
+                                    ((uint32_t)v2 << (32 - op->args[3])));
                 }
                 tcg_opt_gen_movi(s, op, op->args[0], tmp);
                 break;
-- 
2.17.1

This patch fixes two problems:
(1) The inputs to the EXTR insn were reversed,
(2) The input constraints use rZ, which means that we need to use
    the REG0 macro in order to supply XZR for a constant 0 input.

Fixes: 464c2969d5d
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/aarch64/tcg-target.inc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tcg/aarch64/tcg-target.inc.c b/tcg/aarch64/tcg-target.inc.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/aarch64/tcg-target.inc.c
+++ b/tcg/aarch64/tcg-target.inc.c
@@ -XXX,XX +XXX,XX @@ static void tcg_out_op(TCGContext *s, TCGOpcode opc,
 
     case INDEX_op_extract2_i64:
     case INDEX_op_extract2_i32:
-        tcg_out_extr(s, ext, a0, a1, a2, args[3]);
+        tcg_out_extr(s, ext, a0, REG0(2), REG0(1), args[3]);
         break;
 
     case INDEX_op_add2_i32:
-- 
2.17.1

We have some potential race conditions vs our user-exec signal
handler that will be solved with this barrier.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/qemu/atomic.h | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/include/qemu/atomic.h b/include/qemu/atomic.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/atomic.h
+++ b/include/qemu/atomic.h
@@ -XXX,XX +XXX,XX @@
 #define smp_read_barrier_depends()   barrier()
 #endif
 
+/*
+ * A signal barrier forces all pending local memory ops to be observed before
+ * a SIGSEGV is delivered to the *same* thread.  In practice this is exactly
+ * the same as barrier(), but since we have the correct builtin, use it.
+ */
+#define signal_barrier()    __atomic_signal_fence(__ATOMIC_SEQ_CST)
+
 /* Sanity check that the size of an atomic operation isn't "overly large".
  * Despite the fact that e.g. i686 has 64-bit atomic operations, we do not
  * want to use them because we ought not need them, and this lets us do a
@@ -XXX,XX +XXX,XX @@
 #define smp_read_barrier_depends()   barrier()
 #endif
 
+#ifndef signal_barrier
+#define signal_barrier()    barrier()
+#endif
+
 /* These will only be atomic if the processor does the fetch or store
  * in a single issue memory operation
  */
-- 
2.17.1

At present we have a potential error in that helper_retaddr contains
data for handle_cpu_signal, but we have not ensured that those stores
will be scheduled properly before the operation that may fault.

It might be that these races are not in practice observable, due to
our use of -fno-strict-aliasing, but better safe than sorry.

Adjust all of the setters of helper_retaddr.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/cpu_ldst.h                   | 20 +++++++++++
 include/exec/cpu_ldst_useronly_template.h | 12 +++----
 accel/tcg/user-exec.c                     | 11 +++---
 target/arm/helper-a64.c                   |  8 ++---
 target/arm/sve_helper.c                   | 43 +++++++++++------------
 5 files changed, 57 insertions(+), 37 deletions(-)

diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/cpu_ldst.h
+++ b/include/exec/cpu_ldst.h
@@ -XXX,XX +XXX,XX @@ typedef target_ulong abi_ptr;
 
 extern __thread uintptr_t helper_retaddr;
 
+static inline void set_helper_retaddr(uintptr_t ra)
+{
+    helper_retaddr = ra;
+    /*
+     * Ensure that this write is visible to the SIGSEGV handler that
+     * may be invoked due to a subsequent invalid memory operation.
+     */
+    signal_barrier();
+}
+
+static inline void clear_helper_retaddr(void)
+{
+    /*
+     * Ensure that previous memory operations have succeeded before
+     * removing the data visible to the signal handler.
+     */
+    signal_barrier();
+    helper_retaddr = 0;
+}
+
 /* In user-only mode we provide only the _code and _data accessors. */
 
 #define MEMSUFFIX _data
diff --git a/include/exec/cpu_ldst_useronly_template.h b/include/exec/cpu_ldst_useronly_template.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/cpu_ldst_useronly_template.h
+++ b/include/exec/cpu_ldst_useronly_template.h
@@ -XXX,XX +XXX,XX @@ glue(glue(glue(cpu_ld, USUFFIX), MEMSUFFIX), _ra)(CPUArchState *env,
                                                   uintptr_t retaddr)
 {
     RES_TYPE ret;
-    helper_retaddr = retaddr;
+    set_helper_retaddr(retaddr);
     ret = glue(glue(cpu_ld, USUFFIX), MEMSUFFIX)(env, ptr);
-    helper_retaddr = 0;
+    clear_helper_retaddr();
     return ret;
 }
 
@@ -XXX,XX +XXX,XX @@ glue(glue(glue(cpu_lds, SUFFIX), MEMSUFFIX), _ra)(CPUArchState *env,
                                                   uintptr_t retaddr)
 {
     int ret;
-    helper_retaddr = retaddr;
+    set_helper_retaddr(retaddr);
     ret = glue(glue(cpu_lds, SUFFIX), MEMSUFFIX)(env, ptr);
-    helper_retaddr = 0;
+    clear_helper_retaddr();
     return ret;
 }
 #endif
@@ -XXX,XX +XXX,XX @@ glue(glue(glue(cpu_st, SUFFIX), MEMSUFFIX), _ra)(CPUArchState *env,
                                                   RES_TYPE v,
                                                   uintptr_t retaddr)
 {
-    helper_retaddr = retaddr;
+    set_helper_retaddr(retaddr);
     glue(glue(cpu_st, SUFFIX), MEMSUFFIX)(env, ptr, v);
-    helper_retaddr = 0;
+    clear_helper_retaddr();
 }
 #endif
 
diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/user-exec.c
+++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ static inline int handle_cpu_signal(uintptr_t pc, siginfo_t *info,
              * currently executing TB was modified and must be exited
              * immediately.  Clear helper_retaddr for next execution.
              */
-            helper_retaddr = 0;
+            clear_helper_retaddr();
             cpu_exit_tb_from_sighandler(cpu, old_set);
             /* NORETURN */
 
@@ -XXX,XX +XXX,XX @@ static inline int handle_cpu_signal(uintptr_t pc, siginfo_t *info,
      * an exception.  Undo signal and retaddr state prior to longjmp.
      */
     sigprocmask(SIG_SETMASK, old_set, NULL);
-    helper_retaddr = 0;
+    clear_helper_retaddr();
 
     cc = CPU_GET_CLASS(cpu);
     access_type = is_write ? MMU_DATA_STORE : MMU_DATA_LOAD;
@@ -XXX,XX +XXX,XX @@ static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr,
     if (unlikely(addr & (size - 1))) {
         cpu_loop_exit_atomic(env_cpu(env), retaddr);
     }
-    helper_retaddr = retaddr;
-    return g2h(addr);
+    void *ret = g2h(addr);
+    set_helper_retaddr(retaddr);
+    return ret;
 }
 
 /* Macro to call the above, with local variables from the use context.  */
 #define ATOMIC_MMU_DECLS do {} while (0)
 #define ATOMIC_MMU_LOOKUP  atomic_mmu_lookup(env, addr, DATA_SIZE, GETPC())
-#define ATOMIC_MMU_CLEANUP do { helper_retaddr = 0; } while (0)
+#define ATOMIC_MMU_CLEANUP do { clear_helper_retaddr(); } while (0)
 
 #define ATOMIC_NAME(X)   HELPER(glue(glue(atomic_ ## X, SUFFIX), END))
 #define EXTRA_ARGS
diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper-a64.c
+++ b/target/arm/helper-a64.c
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(paired_cmpxchg64_le)(CPUARMState *env, uint64_t addr,
     /* ??? Enforce alignment.  */
     uint64_t *haddr = g2h(addr);
 
-    helper_retaddr = ra;
+    set_helper_retaddr(ra);
     o0 = ldq_le_p(haddr + 0);
     o1 = ldq_le_p(haddr + 1);
     oldv = int128_make128(o0, o1);
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(paired_cmpxchg64_le)(CPUARMState *env, uint64_t addr,
         stq_le_p(haddr + 0, int128_getlo(newv));
         stq_le_p(haddr + 1, int128_gethi(newv));
     }
-    helper_retaddr = 0;
+    clear_helper_retaddr();
 #else
     int mem_idx = cpu_mmu_index(env, false);
     TCGMemOpIdx oi0 = make_memop_idx(MO_LEQ | MO_ALIGN_16, mem_idx);
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(paired_cmpxchg64_be)(CPUARMState *env, uint64_t addr,
     /* ??? Enforce alignment.  */
     uint64_t *haddr = g2h(addr);
 
-    helper_retaddr = ra;
+    set_helper_retaddr(ra);
     o1 = ldq_be_p(haddr + 0);
     o0 = ldq_be_p(haddr + 1);
     oldv = int128_make128(o0, o1);
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(paired_cmpxchg64_be)(CPUARMState *env, uint64_t addr,
         stq_be_p(haddr + 0, int128_gethi(newv));
         stq_be_p(haddr + 1, int128_getlo(newv));
     }
-    helper_retaddr = 0;
+    clear_helper_retaddr();
 #else
     int mem_idx = cpu_mmu_index(env, false);
     TCGMemOpIdx oi0 = make_memop_idx(MO_BEQ | MO_ALIGN_16, mem_idx);
diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ static intptr_t max_for_page(target_ulong base, intptr_t mem_off,
     return MIN(split, mem_max - mem_off) + mem_off;
 }
 
-static inline void set_helper_retaddr(uintptr_t ra)
-{
-#ifdef CONFIG_USER_ONLY
-    helper_retaddr = ra;
+#ifndef CONFIG_USER_ONLY
+/* These are normally defined only for CONFIG_USER_ONLY in <exec/cpu_ldst.h> */
+static inline void set_helper_retaddr(uintptr_t ra) { }
+static inline void clear_helper_retaddr(void) { }
 #endif
-}
 
 /*
  * The result of tlb_vaddr_to_host for user-only is just g2h(x),
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
         if (test_host_page(host)) {
             mem_off = host_fn(vd, vg, host - mem_off, mem_off, mem_max);
             tcg_debug_assert(mem_off == mem_max);
-            set_helper_retaddr(0);
+            clear_helper_retaddr();
             /* After having taken any fault, zero leading inactive elements. */
             swap_memzero(vd, reg_off);
             return;
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
     }
 #endif
 
-    set_helper_retaddr(0);
+    clear_helper_retaddr();
     memcpy(vd, &scratch, reg_max);
 }
 
@@ -XXX,XX +XXX,XX @@ static void sve_ld2_r(CPUARMState *env, void *vg, target_ulong addr,
             addr += 2 * size;
         } while (i & 15);
     }
-    set_helper_retaddr(0);
+    clear_helper_retaddr();
 
     /* Wait until all exceptions have been raised to write back.  */
     memcpy(&env->vfp.zregs[rd], &scratch[0], oprsz);
@@ -XXX,XX +XXX,XX @@ static void sve_ld3_r(CPUARMState *env, void *vg, target_ulong addr,
             addr += 3 * size;
         } while (i & 15);
     }
-    set_helper_retaddr(0);
+    clear_helper_retaddr();
 
     /* Wait until all exceptions have been raised to write back.  */
     memcpy(&env->vfp.zregs[rd], &scratch[0], oprsz);
@@ -XXX,XX +XXX,XX @@ static void sve_ld4_r(CPUARMState *env, void *vg, target_ulong addr,
             addr += 4 * size;
         } while (i & 15);
     }
-    set_helper_retaddr(0);
+    clear_helper_retaddr();
 
     /* Wait until all exceptions have been raised to write back.  */
     memcpy(&env->vfp.zregs[rd], &scratch[0], oprsz);
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
         if (test_host_page(host)) {
             mem_off = host_fn(vd, vg, host - mem_off, mem_off, mem_max);
             tcg_debug_assert(mem_off == mem_max);
-            set_helper_retaddr(0);
+            clear_helper_retaddr();
             /* After any fault, zero any leading inactive elements.  */
             swap_memzero(vd, reg_off);
             return;
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
     }
 #endif
 
-    set_helper_retaddr(0);
+    clear_helper_retaddr();
     record_fault(env, reg_off, reg_max);
 }
 
@@ -XXX,XX +XXX,XX @@ static void sve_st1_r(CPUARMState *env, void *vg, target_ulong addr,
             addr += msize;
         } while (i & 15);
     }
-    set_helper_retaddr(0);
+    clear_helper_retaddr();
 }
 
 static void sve_st2_r(CPUARMState *env, void *vg, target_ulong addr,
@@ -XXX,XX +XXX,XX @@ static void sve_st2_r(CPUARMState *env, void *vg, target_ulong addr,
             addr += 2 * msize;
         } while (i & 15);
     }
-    set_helper_retaddr(0);
+    clear_helper_retaddr();
 }
 
 static void sve_st3_r(CPUARMState *env, void *vg, target_ulong addr,
@@ -XXX,XX +XXX,XX @@ static void sve_st3_r(CPUARMState *env, void *vg, target_ulong addr,
             addr += 3 * msize;
         } while (i & 15);
     }
-    set_helper_retaddr(0);
+    clear_helper_retaddr();
 }
 
 static void sve_st4_r(CPUARMState *env, void *vg, target_ulong addr,
@@ -XXX,XX +XXX,XX @@ static void sve_st4_r(CPUARMState *env, void *vg, target_ulong addr,
             addr += 4 * msize;
         } while (i & 15);
     }
-    set_helper_retaddr(0);
+    clear_helper_retaddr();
 }
 
 #define DO_STN_1(N, NAME, ESIZE) \
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
             i += 4, pg >>= 4;
         } while (i & 15);
     }
-    set_helper_retaddr(0);
+    clear_helper_retaddr();
 
     /* Wait until all exceptions have been raised to write back.  */
     memcpy(vd, &scratch, oprsz);
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
             tlb_fn(env, &scratch, i * 8, base + (off << scale), oi, ra);
         }
     }
-    set_helper_retaddr(0);
+    clear_helper_retaddr();
 
     /* Wait until all exceptions have been raised to write back.  */
     memcpy(vd, &scratch, oprsz * 8);
@@ -XXX,XX +XXX,XX @@ static inline void sve_ldff1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
         tlb_fn(env, vd, reg_off, addr, oi, ra);
 
         /* The rest of the reads will be non-faulting.  */
-        set_helper_retaddr(0);
+        clear_helper_retaddr();
     }
 
     /* After any fault, zero the leading predicated false elements.  */
@@ -XXX,XX +XXX,XX @@ static inline void sve_ldff1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
         tlb_fn(env, vd, reg_off, addr, oi, ra);
 
         /* The rest of the reads will be non-faulting.  */
-        set_helper_retaddr(0);
+        clear_helper_retaddr();
     }
 
     /* After any fault, zero the leading predicated false elements.  */
@@ -XXX,XX +XXX,XX @@ static void sve_st1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
             i += 4, pg >>= 4;
         } while (i & 15);
     }
-    set_helper_retaddr(0);
+    clear_helper_retaddr();
 }
 
 static void sve_st1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
@@ -XXX,XX +XXX,XX @@ static void sve_st1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
             tlb_fn(env, vd, i * 8, base + (off << scale), oi, ra);
         }
     }
-    set_helper_retaddr(0);
+    clear_helper_retaddr();
 }
 
 #define DO_ST1_ZPZ_S(MEM, OFS) \
-- 
2.17.1

These functions are not used, and are not usable in the
context of code generation, because we never have a helper
return address to pass in to them.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/cpu_ldst_useronly_template.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Turn helper_retaddr into a multi-state flag that may now also
indicate when we're performing a read on behalf of the translator.
In this case, release the mmap_lock before the longjmp back to
the main cpu loop, and thereby avoid a failing assert therein.

Fixes: https://bugs.launchpad.net/qemu/+bug/1832353
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/cpu_ldst_useronly_template.h | 20 +++++--
 accel/tcg/user-exec.c                     | 66 ++++++++++++++++-------
 2 files changed, 63 insertions(+), 23 deletions(-)

diff --git a/include/exec/cpu_ldst_useronly_template.h b/include/exec/cpu_ldst_useronly_template.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/cpu_ldst_useronly_template.h
+++ b/include/exec/cpu_ldst_useronly_template.h
@@ -XXX,XX +XXX,XX @@
 static inline RES_TYPE
 glue(glue(cpu_ld, USUFFIX), MEMSUFFIX)(CPUArchState *env, abi_ptr ptr)
 {
-#if !defined(CODE_ACCESS)
+#ifdef CODE_ACCESS
+    RES_TYPE ret;
+    set_helper_retaddr(1);
+    ret = glue(glue(ld, USUFFIX), _p)(g2h(ptr));
+    clear_helper_retaddr();
+    return ret;
+#else
     trace_guest_mem_before_exec(
         env_cpu(env), ptr,
         trace_mem_build_info(SHIFT, false, MO_TE, false));
-#endif
     return glue(glue(ld, USUFFIX), _p)(g2h(ptr));
+#endif
 }
 
 #ifndef CODE_ACCESS
@@ -XXX,XX +XXX,XX @@ glue(glue(glue(cpu_ld, USUFFIX), MEMSUFFIX), _ra)(CPUArchState *env,
 static inline int
 glue(glue(cpu_lds, SUFFIX), MEMSUFFIX)(CPUArchState *env, abi_ptr ptr)
 {
-#if !defined(CODE_ACCESS)
+#ifdef CODE_ACCESS
+    int ret;
+    set_helper_retaddr(1);
+    ret = glue(glue(lds, SUFFIX), _p)(g2h(ptr));
+    clear_helper_retaddr();
+    return ret;
+#else
     trace_guest_mem_before_exec(
         env_cpu(env), ptr,
         trace_mem_build_info(SHIFT, true, MO_TE, false));
-#endif
     return glue(glue(lds, SUFFIX), _p)(g2h(ptr));
+#endif
 }
 
 #ifndef CODE_ACCESS
diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/user-exec.c
+++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ static inline int handle_cpu_signal(uintptr_t pc, siginfo_t *info,
     CPUState *cpu = current_cpu;
     CPUClass *cc;
     unsigned long address = (unsigned long)info->si_addr;
-    MMUAccessType access_type;
+    MMUAccessType access_type = is_write ? MMU_DATA_STORE : MMU_DATA_LOAD;
 
-    /* We must handle PC addresses from two different sources:
-     * a call return address and a signal frame address.
-     *
-     * Within cpu_restore_state_from_tb we assume the former and adjust
-     * the address by -GETPC_ADJ so that the address is within the call
-     * insn so that addr does not accidentally match the beginning of the
-     * next guest insn.
-     *
-     * However, when the PC comes from the signal frame, it points to
-     * the actual faulting host insn and not a call insn.  Subtracting
-     * GETPC_ADJ in that case may accidentally match the previous guest insn.
-     *
-     * So for the later case, adjust forward to compensate for what
-     * will be done later by cpu_restore_state_from_tb.
-     */
-    if (helper_retaddr) {
+    switch (helper_retaddr) {
+    default:
+        /*
+         * Fault during host memory operation within a helper function.
+         * The helper's host return address, saved here, gives us a
+         * pointer into the generated code that will unwind to the
+         * correct guest pc.
+         */
         pc = helper_retaddr;
-    } else {
+        break;
+
+    case 0:
+        /*
+         * Fault during host memory operation within generated code.
+         * (Or, a unrelated bug within qemu, but we can't tell from here).
+         *
+         * We take the host pc from the signal frame.  However, we cannot
+         * use that value directly.  Within cpu_restore_state_from_tb, we
+         * assume PC comes from GETPC(), as used by the helper functions,
+         * so we adjust the address by -GETPC_ADJ to form an address that
+         * is within the call insn, so that the address does not accidentially
+         * match the beginning of the next guest insn.  However, when the
+         * pc comes from the signal frame it points to the actual faulting
+         * host memory insn and not the return from a call insn.
+         *
+         * Therefore, adjust to compensate for what will be done later
+         * by cpu_restore_state_from_tb.
+         */
         pc += GETPC_ADJ;
+        break;
+
+    case 1:
+        /*
+         * Fault during host read for translation, or loosely, "execution".
+         *
+         * The guest pc is already pointing to the start of the TB for which
+         * code is being generated.  If the guest translator manages the
+         * page crossings correctly, this is exactly the correct address
+         * (and if the translator doesn't handle page boundaries correctly
+         * there's little we can do about that here).  Therefore, do not
+         * trigger the unwinder.
+         *
+         * Like tb_gen_code, release the memory lock before cpu_loop_exit.
+         */
+        pc = 0;
+        access_type = MMU_INST_FETCH;
+        mmap_unlock();
+        break;
     }
 
     /* For synchronous signals we expect to be coming from the vCPU
@@ -XXX,XX +XXX,XX @@ static inline int handle_cpu_signal(uintptr_t pc, siginfo_t *info,
     clear_helper_retaddr();
 
     cc = CPU_GET_CLASS(cpu);
-    access_type = is_write ? MMU_DATA_STORE : MMU_DATA_LOAD;
     cc->tlb_fill(cpu, address, 0, access_type, MMU_USER_IDX, false, pc);
     g_assert_not_reached();
 }
-- 
2.17.1

The following changes since commit 67e41fe0cfb62e6cdfa659f0155417d17e5274ea:

Merge tag 'pull-ppc-20220104' of https://github.com/legoater/qemu into staging (2022-01-04 07:23:27 -0800)

are available in the Git repository at:

https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20220104

for you to fetch changes up to d7478d4229f0a2b2817a55487e6b17081099fae4:

common-user: Fix tail calls to safe_syscall_set_errno_tail (2022-01-04 15:41:03 -0800)

----------------------------------------------------------------
Fix for safe_syscall_base.
Fix for folding of vector add/sub.
Fix build on loongarch64 with gcc 8.
Remove decl for qemu_run_machine_init_done_notifiers.

----------------------------------------------------------------
Philippe Mathieu-Daudé (1):
      linux-user: Fix trivial build error on loongarch64 hosts

Richard Henderson (2):
      tcg/optimize: Fix folding of vector ops
      common-user: Fix tail calls to safe_syscall_set_errno_tail

Xiaoyao Li (1):
      sysemu: Cleanup qemu_run_machine_init_done_notifiers()

include/sysemu/sysemu.h                    |  1 -
 linux-user/host/loongarch64/host-signal.h  |  4 +--
 tcg/optimize.c                             | 49 +++++++++++++++++++++++-------
 common-user/host/i386/safe-syscall.inc.S   |  1 +
 common-user/host/mips/safe-syscall.inc.S   |  1 +
 common-user/host/x86_64/safe-syscall.inc.S |  1 +
 6 files changed, 42 insertions(+), 15 deletions(-)

Bitwise operations are easy to fold, because the operation is
identical regardless of element size.  But add and sub need
extra element size info that is not currently propagated.

Fixes: 2f9f08ba43d
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/799
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/optimize.c | 49 ++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 38 insertions(+), 11 deletions(-)

diff --git a/tcg/optimize.c b/tcg/optimize.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/optimize.c
+++ b/tcg/optimize.c
@@ -XXX,XX +XXX,XX @@ static uint64_t do_constant_folding_2(TCGOpcode op, uint64_t x, uint64_t y)
     CASE_OP_32_64(mul):
         return x * y;
 
-    CASE_OP_32_64(and):
+    CASE_OP_32_64_VEC(and):
         return x & y;
 
-    CASE_OP_32_64(or):
+    CASE_OP_32_64_VEC(or):
         return x | y;
 
-    CASE_OP_32_64(xor):
+    CASE_OP_32_64_VEC(xor):
         return x ^ y;
 
     case INDEX_op_shl_i32:
@@ -XXX,XX +XXX,XX @@ static uint64_t do_constant_folding_2(TCGOpcode op, uint64_t x, uint64_t y)
     case INDEX_op_rotl_i64:
         return rol64(x, y & 63);
 
-    CASE_OP_32_64(not):
+    CASE_OP_32_64_VEC(not):
         return ~x;
 
     CASE_OP_32_64(neg):
         return -x;
 
-    CASE_OP_32_64(andc):
+    CASE_OP_32_64_VEC(andc):
         return x & ~y;
 
-    CASE_OP_32_64(orc):
+    CASE_OP_32_64_VEC(orc):
         return x | ~y;
 
     CASE_OP_32_64(eqv):
@@ -XXX,XX +XXX,XX @@ static bool fold_const2(OptContext *ctx, TCGOp *op)
     return false;
 }
 
+static bool fold_commutative(OptContext *ctx, TCGOp *op)
+{
+    swap_commutative(op->args[0], &op->args[1], &op->args[2]);
+    return false;
+}
+
 static bool fold_const2_commutative(OptContext *ctx, TCGOp *op)
 {
     swap_commutative(op->args[0], &op->args[1], &op->args[2]);
@@ -XXX,XX +XXX,XX @@ static bool fold_add(OptContext *ctx, TCGOp *op)
     return false;
 }
 
+/* We cannot as yet do_constant_folding with vectors. */
+static bool fold_add_vec(OptContext *ctx, TCGOp *op)
+{
+    if (fold_commutative(ctx, op) ||
+        fold_xi_to_x(ctx, op, 0)) {
+        return true;
+    }
+    return false;
+}
+
 static bool fold_addsub2(OptContext *ctx, TCGOp *op, bool add)
 {
     if (arg_is_const(op->args[2]) && arg_is_const(op->args[3]) &&
@@ -XXX,XX +XXX,XX @@ static bool fold_sub_to_neg(OptContext *ctx, TCGOp *op)
     return false;
 }
 
-static bool fold_sub(OptContext *ctx, TCGOp *op)
+/* We cannot as yet do_constant_folding with vectors. */
+static bool fold_sub_vec(OptContext *ctx, TCGOp *op)
 {
-    if (fold_const2(ctx, op) ||
-        fold_xx_to_i(ctx, op, 0) ||
+    if (fold_xx_to_i(ctx, op, 0) ||
         fold_xi_to_x(ctx, op, 0) ||
         fold_sub_to_neg(ctx, op)) {
         return true;
@@ -XXX,XX +XXX,XX @@ static bool fold_sub(OptContext *ctx, TCGOp *op)
     return false;
 }
 
+static bool fold_sub(OptContext *ctx, TCGOp *op)
+{
+    return fold_const2(ctx, op) || fold_sub_vec(ctx, op);
+}
+
 static bool fold_sub2(OptContext *ctx, TCGOp *op)
 {
     return fold_addsub2(ctx, op, false);
@@ -XXX,XX +XXX,XX @@ void tcg_optimize(TCGContext *s)
          * Sorted alphabetically by opcode as much as possible.
          */
         switch (opc) {
-        CASE_OP_32_64_VEC(add):
+        CASE_OP_32_64(add):
             done = fold_add(&ctx, op);
             break;
+        case INDEX_op_add_vec:
+            done = fold_add_vec(&ctx, op);
+            break;
         CASE_OP_32_64(add2):
             done = fold_add2(&ctx, op);
             break;
@@ -XXX,XX +XXX,XX @@ void tcg_optimize(TCGContext *s)
         CASE_OP_32_64(sextract):
             done = fold_sextract(&ctx, op);
             break;
-        CASE_OP_32_64_VEC(sub):
+        CASE_OP_32_64(sub):
             done = fold_sub(&ctx, op);
             break;
+        case INDEX_op_sub_vec:
+            done = fold_sub_vec(&ctx, op);
+            break;
         CASE_OP_32_64(sub2):
             done = fold_sub2(&ctx, op);
             break;
-- 
2.25.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

When building using GCC 8.3.0 on loongarch64 (Loongnix) we get:

In file included from ../linux-user/signal.c:33:
  ../linux-user/host/loongarch64/host-signal.h: In function ‘host_signal_write’:
  ../linux-user/host/loongarch64/host-signal.h:57:9: error: a label can only be part of a statement and a declaration is not a statement
         uint32_t sel = (insn >> 15) & 0b11111111111;
         ^~~~~~~~

We don't use the 'sel' variable more than once, so drop it.

Meson output for the record:

Host machine cpu family: loongarch64
  Host machine cpu: loongarch64
  C compiler for the host machine: cc (gcc 8.3.0 "cc (Loongnix 8.3.0-6.lnd.vec.27) 8.3.0")
  C linker for the host machine: cc ld.bfd 2.31.1-system

Fixes: ad812c3bd65 ("linux-user: Implement CPU-specific signal handler for loongarch64 hosts")
Reported-by: Song Gao <gaosong@loongson.cn>
Suggested-by: Song Gao <gaosong@loongson.cn>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: WANG Xuerui <git@xen0n.name>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220104215027.2180972-1-f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 linux-user/host/loongarch64/host-signal.h | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/linux-user/host/loongarch64/host-signal.h b/linux-user/host/loongarch64/host-signal.h
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/host/loongarch64/host-signal.h
+++ b/linux-user/host/loongarch64/host-signal.h
@@ -XXX,XX +XXX,XX @@ static inline bool host_signal_write(siginfo_t *info, ucontext_t *uc)
         }
         break;
     case 0b001110: /* indexed, atomic, bounds-checking memory operations */
-        uint32_t sel = (insn >> 15) & 0b11111111111;
-
-        switch (sel) {
+        switch ((insn >> 15) & 0b11111111111) {
         case 0b00000100000: /* stx.b */
         case 0b00000101000: /* stx.h */
         case 0b00000110000: /* stx.w */
-- 
2.25.1

For the ABIs in which the syscall return register is not
also the first function argument register, move the errno
value into the correct place.

Fixes: a3310c0397e2 ("linux-user: Move syscall error detection into safe_syscall_base")
Reported-by: Laurent Vivier <laurent@vivier.eu>
Tested-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220104190454.542225-1-richard.henderson@linaro.org>
---
 common-user/host/i386/safe-syscall.inc.S   | 1 +
 common-user/host/mips/safe-syscall.inc.S   | 1 +
 common-user/host/x86_64/safe-syscall.inc.S | 1 +
 3 files changed, 3 insertions(+)

diff --git a/common-user/host/i386/safe-syscall.inc.S b/common-user/host/i386/safe-syscall.inc.S
index XXXXXXX..XXXXXXX 100644
--- a/common-user/host/i386/safe-syscall.inc.S
+++ b/common-user/host/i386/safe-syscall.inc.S
@@ -XXX,XX +XXX,XX @@ safe_syscall_end:
         pop     %ebp
         .cfi_adjust_cfa_offset -4
         .cfi_restore ebp
+        mov     %eax, (%esp)
         jmp     safe_syscall_set_errno_tail
 
         .cfi_endproc
diff --git a/common-user/host/mips/safe-syscall.inc.S b/common-user/host/mips/safe-syscall.inc.S
index XXXXXXX..XXXXXXX 100644
--- a/common-user/host/mips/safe-syscall.inc.S
+++ b/common-user/host/mips/safe-syscall.inc.S
@@ -XXX,XX +XXX,XX @@ safe_syscall_end:
 1:      USE_ALT_CP(t0)
         SETUP_GPX(t1)
         SETUP_GPX64(t0, t1)
+        move    a0, v0
         PTR_LA  t9, safe_syscall_set_errno_tail
         jr      t9
 
diff --git a/common-user/host/x86_64/safe-syscall.inc.S b/common-user/host/x86_64/safe-syscall.inc.S
index XXXXXXX..XXXXXXX 100644
--- a/common-user/host/x86_64/safe-syscall.inc.S
+++ b/common-user/host/x86_64/safe-syscall.inc.S
@@ -XXX,XX +XXX,XX @@ safe_syscall_end:
 1:      pop     %rbp
         .cfi_def_cfa_offset 8
         .cfi_restore rbp
+        mov     %eax, %edi
         jmp     safe_syscall_set_errno_tail
         .cfi_endproc
 
-- 
2.25.1