Just a collection of bug fixes this time around...

The following changes since commit 2a6ae69154542caa91dd17c40fd3f5ffbec300de:

Merge tag 'pull-maintainer-ominbus-030723-1' of https://gitlab.com/stsquad/qemu into staging (2023-07-04 08:36:44 +0200)

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230704

for you to fetch changes up to 86a78272f094857b4eda79d721c116e93942aa9a:

target/xtensa: Assert that interrupt level is within bounds (2023-07-04 14:27:08 +0100)

* Add raw_writes ops for register whose write induce TLB maintenance

* hw/arm/sbsa-ref: use XHCI to replace EHCI

* Avoid splitting Zregs across lines in dump

* Dump ZA[] when active

* Fix SME full tile indexing

* Handle IC IVAU to improve compatibility with JITs

* xlnx-canfd-test: Fix code coverity issues

* gdbstub: Guard M-profile code with CONFIG_TCG

* allwinner-sramc: Set class_size

* target/xtensa: Assert that interrupt level is within bounds

Akihiko Odaki (1):

hw: arm: allwinner-sramc: Set class_size

Eric Auger (1):

target/arm: Add raw_writes ops for register whose write induce TLB maintenance

Fabiano Rosas (1):

target/arm: gdbstub: Guard M-profile code with CONFIG_TCG

John Högberg (2):

target/arm: Handle IC IVAU to improve compatibility with JITs

tests/tcg/aarch64: Add testcases for IC IVAU and dual-mapped code

Peter Maydell (1):

target/xtensa: Assert that interrupt level is within bounds

Richard Henderson (3):

target/arm: Avoid splitting Zregs across lines in dump

target/arm: Dump ZA[] when active

target/arm: Fix SME full tile indexing

From: Eric Auger <eric.auger@redhat.com>

Some registers whose 'cooked' writefns induce TLB maintenance do

not have raw_writefn ops defined. If only the writefn ops is set

(ie. no raw_writefn is provided), it is assumed the cooked also

work as the raw one. For those registers it is not obvious the

tlb_flush works on KVM mode so better/safer setting the raw write.

Signed-off-by: Eric Auger <eric.auger@redhat.com>

Suggested-by: Peter Maydell <peter.maydell@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---

target/arm/helper.c | 23 +++++++++++++----------

1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c

index XXXXXXX..XXXXXXX 100644

--- a/target/arm/helper.c

+++ b/target/arm/helper.c

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vmsa_cp_reginfo[] = {

.opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 0,

.access = PL1_RW, .accessfn = access_tvm_trvm,

.fgt = FGT_TTBR0_EL1,

- .writefn = vmsa_ttbr_write, .resetvalue = 0,

+ .writefn = vmsa_ttbr_write, .resetvalue = 0, .raw_writefn = raw_write,

.bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s),

offsetof(CPUARMState, cp15.ttbr0_ns) } },

{ .name = "TTBR1_EL1", .state = ARM_CP_STATE_BOTH,

.opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 1,

.access = PL1_RW, .accessfn = access_tvm_trvm,

.fgt = FGT_TTBR1_EL1,

- .writefn = vmsa_ttbr_write, .resetvalue = 0,

+ .writefn = vmsa_ttbr_write, .resetvalue = 0, .raw_writefn = raw_write,

.bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s),

offsetof(CPUARMState, cp15.ttbr1_ns) } },

{ .name = "TCR_EL1", .state = ARM_CP_STATE_AA64,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo lpae_cp_reginfo[] = {

.type = ARM_CP_64BIT | ARM_CP_ALIAS,

.bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s),

offsetof(CPUARMState, cp15.ttbr0_ns) },

- .writefn = vmsa_ttbr_write, },

+ .writefn = vmsa_ttbr_write, .raw_writefn = raw_write },

{ .name = "TTBR1", .cp = 15, .crm = 2, .opc1 = 1,

.access = PL1_RW, .accessfn = access_tvm_trvm,

.type = ARM_CP_64BIT | ARM_CP_ALIAS,

.bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s),

offsetof(CPUARMState, cp15.ttbr1_ns) },

- .writefn = vmsa_ttbr_write, },

+ .writefn = vmsa_ttbr_write, .raw_writefn = raw_write },

};

static uint64_t aa64_fpcr_read(CPUARMState *env, const ARMCPRegInfo *ri)

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {

.type = ARM_CP_IO,

.opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,

.access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.hcr_el2),

- .writefn = hcr_write },

+ .writefn = hcr_write, .raw_writefn = raw_write },

{ .name = "HCR", .state = ARM_CP_STATE_AA32,

.type = ARM_CP_ALIAS | ARM_CP_IO,

.cp = 15, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {

{ .name = "TCR_EL2", .state = ARM_CP_STATE_BOTH,

.opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 2,

.access = PL2_RW, .writefn = vmsa_tcr_el12_write,

+ .raw_writefn = raw_write,

.fieldoffset = offsetof(CPUARMState, cp15.tcr_el[2]) },

{ .name = "VTCR", .state = ARM_CP_STATE_AA32,

.cp = 15, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 2,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {

.type = ARM_CP_64BIT | ARM_CP_ALIAS,

.access = PL2_RW, .accessfn = access_el3_aa32ns,

.fieldoffset = offsetof(CPUARMState, cp15.vttbr_el2),

- .writefn = vttbr_write },

+ .writefn = vttbr_write, .raw_writefn = raw_write },

{ .name = "VTTBR_EL2", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 0,

- .access = PL2_RW, .writefn = vttbr_write,

+ .access = PL2_RW, .writefn = vttbr_write, .raw_writefn = raw_write,

.fieldoffset = offsetof(CPUARMState, cp15.vttbr_el2) },

{ .name = "SCTLR_EL2", .state = ARM_CP_STATE_BOTH,

.opc0 = 3, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 0,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {

.fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[2]) },

{ .name = "TTBR0_EL2", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 0,

- .access = PL2_RW, .resetvalue = 0, .writefn = vmsa_tcr_ttbr_el2_write,

+ .access = PL2_RW, .resetvalue = 0,

+ .writefn = vmsa_tcr_ttbr_el2_write, .raw_writefn = raw_write,

.fieldoffset = offsetof(CPUARMState, cp15.ttbr0_el[2]) },

{ .name = "HTTBR", .cp = 15, .opc1 = 4, .crm = 2,

.access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_ALIAS,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el3_cp_reginfo[] = {

{ .name = "SCR_EL3", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 0,

.access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.scr_el3),

- .resetfn = scr_reset, .writefn = scr_write },

+ .resetfn = scr_reset, .writefn = scr_write, .raw_writefn = raw_write },

{ .name = "SCR", .type = ARM_CP_ALIAS | ARM_CP_NEWEL,

.cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 0,

.access = PL1_RW, .accessfn = access_trap_aa32s_el1,

.fieldoffset = offsetoflow32(CPUARMState, cp15.scr_el3),

- .writefn = scr_write },

+ .writefn = scr_write, .raw_writefn = raw_write },

{ .name = "SDER32_EL3", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 1,

.access = PL3_RW, .resetvalue = 0,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vhe_reginfo[] = {

{ .name = "TTBR1_EL2", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 1,

.access = PL2_RW, .writefn = vmsa_tcr_ttbr_el2_write,

+ .raw_writefn = raw_write,

.fieldoffset = offsetof(CPUARMState, cp15.ttbr1_el[2]) },

#ifndef CONFIG_USER_ONLY

{ .name = "CNTHV_CVAL_EL2", .state = ARM_CP_STATE_AA64,

2.34.1

From: Yuquan Wang <wangyuquan1236@phytium.com.cn>

The current sbsa-ref cannot use EHCI controller which is only

able to do 32-bit DMA, since sbsa-ref doesn't have RAM below 4GB.

Hence, this uses XHCI to provide a usb controller with 64-bit

DMA capablity instead of EHCI.

We bump the platform version to 0.3 with this change. Although the

hardware at the USB controller address changes, the firmware and

Linux can both cope with this -- on an older non-XHCI-aware

firmware/kernel setup the probe routine simply fails and the guest

proceeds without any USB. (This isn't a loss of functionality,

because the old USB controller never worked in the first place.) So

we can call this a backwards-compatible change and only bump the

minor version.

Signed-off-by: Yuquan Wang <wangyuquan1236@phytium.com.cn>

Message-id: 20230621103847.447508-2-wangyuquan1236@phytium.com.cn

[PMM: tweaked commit message; add line to docs about what

changes in platform version 0.3]

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

docs/system/arm/sbsa.rst | 5 ++++-

hw/arm/sbsa-ref.c | 23 +++++++++++++----------

hw/arm/Kconfig | 2 +-

3 files changed, 18 insertions(+), 12 deletions(-)

@@ -XXX,XX +XXX,XX @@ config SBSA_REF

select PL011 # UART

select PL031 # RTC

select PL061 # GPIO

- select USB_EHCI_SYSBUS

+ select USB_XHCI_SYSBUS

select WDT_SBSA

select BOCHS_DISPLAY

2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Always print each matrix row whole, one per line, so that we

get the entire matrix in the proper shape.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Message-id: 20230622151201.1578522-3-richard.henderson@linaro.org

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---

target/arm/cpu.c | 18 ++++++++++++++++++

1 file changed, 18 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c

--- a/target/arm/cpu.c

+++ b/target/arm/cpu.c

@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)

i, q[1], q[0], (i & 1 ? "\n" : " "));

}

+

+ if (cpu_isar_feature(aa64_sme, cpu) &&

+ FIELD_EX64(env->svcr, SVCR, ZA) &&

+ sme_exception_el(env, el) == 0) {

+ int zcr_len = sve_vqm1_for_el_sm(env, el, true);

+ int svl = (zcr_len + 1) * 16;

+ int svl_lg10 = svl < 100 ? 2 : 3;

+

+ for (i = 0; i < svl; i++) {

+ qemu_fprintf(f, "ZA[%0*d]=", svl_lg10, i);

+ for (j = zcr_len; j >= 0; --j) {

+ qemu_fprintf(f, "%016" PRIx64 ":%016" PRIx64 "%c",

+ env->zarray[i].d[2 * j + 1],

+ env->zarray[i].d[2 * j],

+ j ? ':' : '\n');

+ }

#else

2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

For the outer product set of insns, which take an entire matrix

tile as output, the argument is not a combined tile+column.

Therefore using get_tile_rowcol was incorrect, as we extracted

the tile number from itself.

The test case relies only on assembler support for SME, since

no release of GCC recognizes -march=armv9-a+sme yet.

Cc: qemu-stable@nongnu.org

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1620

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Message-id: 20230622151201.1578522-5-richard.henderson@linaro.org

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---

target/arm/tcg/translate-sme.c | 24 ++++++---

tests/tcg/aarch64/sme-outprod1.c | 83 +++++++++++++++++++++++++++++++

tests/tcg/aarch64/Makefile.target | 10 ++--

3 files changed, 108 insertions(+), 9 deletions(-)

create mode 100644 tests/tcg/aarch64/sme-outprod1.c

diff --git a/target/arm/tcg/translate-sme.c b/target/arm/tcg/translate-sme.c

index XXXXXXX..XXXXXXX 100644

--- a/target/arm/tcg/translate-sme.c

+++ b/target/arm/tcg/translate-sme.c

@@ -XXX,XX +XXX,XX @@ static TCGv_ptr get_tile_rowcol(DisasContext *s, int esz, int rs,

return addr;

}

+/*

+ * Resolve tile.size[0] to a host pointer.

+ * Used by e.g. outer product insns where we require the entire tile.

+ */

+static TCGv_ptr get_tile(DisasContext *s, int esz, int tile)

+{

+ TCGv_ptr addr = tcg_temp_new_ptr();

+ int offset;

+

+ offset = tile * sizeof(ARMVectorReg) + offsetof(CPUARMState, zarray);

+

+ tcg_gen_addi_ptr(addr, cpu_env, offset);

+ return addr;

+}

+

static bool trans_ZERO(DisasContext *s, arg_ZERO *a)

{

if (!dc_isar_feature(aa64_sme, s)) {

@@ -XXX,XX +XXX,XX @@ static bool do_adda(DisasContext *s, arg_adda *a, MemOp esz,

return true;

}

- /* Sum XZR+zad to find ZAd. */

- za = get_tile_rowcol(s, esz, 31, a->zad, false);

+ za = get_tile(s, esz, a->zad);

zn = vec_full_reg_ptr(s, a->zn);

pn = pred_full_reg_ptr(s, a->pn);

pm = pred_full_reg_ptr(s, a->pm);

@@ -XXX,XX +XXX,XX @@ static bool do_outprod(DisasContext *s, arg_op *a, MemOp esz,

return true;

}

- /* Sum XZR+zad to find ZAd. */

- za = get_tile_rowcol(s, esz, 31, a->zad, false);

+ za = get_tile(s, esz, a->zad);

zn = vec_full_reg_ptr(s, a->zn);

zm = vec_full_reg_ptr(s, a->zm);

pn = pred_full_reg_ptr(s, a->pn);

@@ -XXX,XX +XXX,XX @@ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,

return true;

}

- /* Sum XZR+zad to find ZAd. */

- za = get_tile_rowcol(s, esz, 31, a->zad, false);

+ za = get_tile(s, esz, a->zad);

zn = vec_full_reg_ptr(s, a->zn);

zm = vec_full_reg_ptr(s, a->zm);

pn = pred_full_reg_ptr(s, a->pn);

diff --git a/tests/tcg/aarch64/sme-outprod1.c b/tests/tcg/aarch64/sme-outprod1.c

new file mode 100644

index XXXXXXX..XXXXXXX

--- /dev/null

+++ b/tests/tcg/aarch64/sme-outprod1.c

@@ -XXX,XX +XXX,XX @@

+/*

+ * SME outer product, 1 x 1.

+ * SPDX-License-Identifier: GPL-2.0-or-later

+ */

+

+#include <stdio.h>

+

+extern void foo(float *dst);

+

+asm(

+"    .arch_extension sme\n"

+"    .type foo, @function\n"

+"foo:\n"

+"    stp x29, x30, [sp, -80]!\n"

+"    mov x29, sp\n"

+"    stp d8, d9, [sp, 16]\n"

+"    stp d10, d11, [sp, 32]\n"

+"    stp d12, d13, [sp, 48]\n"

+"    stp d14, d15, [sp, 64]\n"

+"    smstart\n"

+"    ptrue p0.s, vl4\n"

+"    fmov z0.s, #1.0\n"

+/*

+ * An outer product of a vector of 1.0 by itself should be a matrix of 1.0.

+ * Note that we are using tile 1 here (za1.s) rather than tile 0.

+ */

+"    zero {za}\n"

+"    fmopa za1.s, p0/m, p0/m, z0.s, z0.s\n"

+/*

+ * Read the first 4x4 sub-matrix of elements from tile 1:

+ * Note that za1h should be interchangable here.

+ */

+"    mov w12, #0\n"

+"    mova z0.s, p0/m, za1v.s[w12, #0]\n"

+"    mova z1.s, p0/m, za1v.s[w12, #1]\n"

+"    mova z2.s, p0/m, za1v.s[w12, #2]\n"

+"    mova z3.s, p0/m, za1v.s[w12, #3]\n"

+/*

+ * And store them to the input pointer (dst in the C code):

+ */

+"    st1w {z0.s}, p0, [x0]\n"

+"    add x0, x0, #16\n"

+"    st1w {z1.s}, p0, [x0]\n"

+"    add x0, x0, #16\n"

+"    st1w {z2.s}, p0, [x0]\n"

+"    add x0, x0, #16\n"

+"    st1w {z3.s}, p0, [x0]\n"

+"    smstop\n"

+"    ldp d8, d9, [sp, 16]\n"

+"    ldp d10, d11, [sp, 32]\n"

+"    ldp d12, d13, [sp, 48]\n"

+"    ldp d14, d15, [sp, 64]\n"

+"    ldp x29, x30, [sp], 80\n"

+"    ret\n"

+"    .size foo, . - foo"

+);

+

+int main()

+{

+ float dst[16];

+ int i, j;

+

+ foo(dst);

+

+ for (i = 0; i < 16; i++) {

+ if (dst[i] != 1.0f) {

+ break;

+ }

+ }

+

+ if (i == 16) {

+ return 0; /* success */

+ }

+

+ /* failure */

+ for (i = 0; i < 4; ++i) {

+ for (j = 0; j < 4; ++j) {

+ printf("%f ", (double)dst[i * 4 + j]);

+ }

+ printf("\n");

+ }

+ return 1;

+}

diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target

index XXXXXXX..XXXXXXX 100644

--- a/tests/tcg/aarch64/Makefile.target

+++ b/tests/tcg/aarch64/Makefile.target

@@ -XXX,XX +XXX,XX @@ config-cc.mak: Makefile

     $(call cc-option,-march=armv8.5-a, CROSS_CC_HAS_ARMV8_5); \

     $(call cc-option,-mbranch-protection=standard, CROSS_CC_HAS_ARMV8_BTI); \

     $(call cc-option,-march=armv8.5-a+memtag, CROSS_CC_HAS_ARMV8_MTE); \

-     $(call cc-option,-march=armv9-a+sme, CROSS_CC_HAS_ARMV9_SME)) 3> config-cc.mak

+     $(call cc-option,-Wa$(COMMA)-march=armv9-a+sme, CROSS_AS_HAS_ARMV9_SME)) 3> config-cc.mak

-include config-cc.mak

ifneq ($(CROSS_CC_HAS_ARMV8_2),)

@@ -XXX,XX +XXX,XX @@ AARCH64_TESTS += mte-1 mte-2 mte-3 mte-4 mte-5 mte-6 mte-7

mte-%: CFLAGS += -march=armv8.5-a+memtag

endif

+ifneq ($(CROSS_AS_HAS_ARMV9_SME),)

+AARCH64_TESTS += sme-outprod1

+endif

+

ifneq ($(CROSS_CC_HAS_SVE),)

# System Registers Tests

AARCH64_TESTS += sysregs

-ifneq ($(CROSS_CC_HAS_ARMV9_SME),)

-sysregs: CFLAGS+=-march=armv9-a+sme -DHAS_ARMV9_SME

+ifneq ($(CROSS_AS_HAS_ARMV9_SME),)

+sysregs: CFLAGS+=-Wa,-march=armv9-a+sme -DHAS_ARMV9_SME

else

sysregs: CFLAGS+=-march=armv8.1-a+sve

endif

--

2.34.1

From: John Högberg <john.hogberg@ericsson.com>

Unlike architectures with precise self-modifying code semantics

(e.g. x86) ARM processors do not maintain coherency for instruction

execution and memory, requiring an instruction synchronization

barrier on every core that will execute the new code, and on many

models also the explicit use of cache management instructions.

target/arm/cpu.c | 11 +++++++++++

target/arm/helper.c | 47 ++++++++++++++++++++++++++++++++++++++++++---

2 files changed, 55 insertions(+), 3 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c

--- a/target/arm/cpu.c

+++ b/target/arm/cpu.c

@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)

return;

}

+#ifdef CONFIG_USER_ONLY

+ /*

+ * User mode relies on IC IVAU instructions to catch modification of

+ * dual-mapped code.

+ *

+ * Clear CTR_EL0.DIC to ensure that software that honors these flags uses

+ * IC IVAU even if the emulated processor does not normally require it.

+ */

+ cpu->ctr = FIELD_DP64(cpu->ctr, CTR_EL0, DIC, 0);

+#endif

if (arm_feature(env, ARM_FEATURE_AARCH64) &&

cpu->has_vfp != cpu->has_neon) {

/*

diff --git a/target/arm/helper.c b/target/arm/helper.c

index XXXXXXX..XXXXXXX 100644

--- a/target/arm/helper.c

+++ b/target/arm/helper.c

@@ -XXX,XX +XXX,XX @@ static void mdcr_el2_write(CPUARMState *env, const ARMCPRegInfo *ri,

}

2.34.1

From: John Högberg <john.hogberg@ericsson.com>

https://gitlab.com/qemu-project/qemu/-/issues/1034

Signed-off-by: John Högberg <john.hogberg@ericsson.com>

Message-id: 168778890374.24232.3402138851538068785-2@git.sr.ht

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

[PMM: fixed typo in comment]

tests/tcg/aarch64/icivau.c | 189 ++++++++++++++++++++++++++++++

tests/tcg/aarch64/Makefile.target | 3 +-

2 files changed, 191 insertions(+), 1 deletion(-)

create mode 100644 tests/tcg/aarch64/icivau.c

diff --git a/tests/tcg/aarch64/icivau.c b/tests/tcg/aarch64/icivau.c

new file mode 100644

index XXXXXXX..XXXXXXX

--- /dev/null

+++ b/tests/tcg/aarch64/icivau.c

@@ -XXX,XX +XXX,XX @@

+/*

+ * Tests the IC IVAU-driven workaround for catching changes made to dual-mapped

+ * code that would otherwise go unnoticed in user mode.

+ *

+ * Copyright (c) 2023 Ericsson AB

+ * SPDX-License-Identifier: GPL-2.0-or-later

+ */

+

+#include <sys/mman.h>

+#include <sys/stat.h>

+#include <string.h>

+#include <stdint.h>

+#include <stdlib.h>

+#include <unistd.h>

+#include <fcntl.h>

+

+#define MAX_CODE_SIZE 128

+

+typedef int (SelfModTest)(uint32_t, uint32_t*);

+typedef int (BasicTest)(int);

+

+static void mark_code_modified(const uint32_t *exec_data, size_t length)

+{

+ int dc_required, ic_required;

+ unsigned long ctr_el0;

+

+ /*

+ * Clear the data/instruction cache, as indicated by the CTR_ELO.{DIC,IDC}

+ * flags.

+ *

+ * For completeness we might be tempted to assert that we should fail when

+ * the whole code update sequence is omitted, but that would make the test

+ * flaky as it can succeed by coincidence on actual hardware.

+ */

+ asm ("mrs %0, ctr_el0\n" : "=r"(ctr_el0));

+

+ /* CTR_EL0.IDC */

+ dc_required = !((ctr_el0 >> 28) & 1);

+

+ /* CTR_EL0.DIC */

+ ic_required = !((ctr_el0 >> 29) & 1);

+

+ if (dc_required) {

+ size_t dcache_stride, i;

+

+ /*

+ * Step according to the minimum cache size, as the cache maintenance

+ * instructions operate on the cache line of the given address.

+ *

+ * We assume that exec_data is properly aligned.

+ */

+ dcache_stride = (4 << ((ctr_el0 >> 16) & 0xF));

+

+ for (i = 0; i < length; i += dcache_stride) {

+ const char *dc_addr = &((const char *)exec_data)[i];

+ asm volatile ("dc cvau, %x[dc_addr]\n"

+ : /* no outputs */

+ : [dc_addr] "r"(dc_addr)

+ : "memory");

+ }

+

+ asm volatile ("dmb ish\n");

+ }

+

+ if (ic_required) {

+ size_t icache_stride, i;

+

+ icache_stride = (4 << (ctr_el0 & 0xF));

+

+ for (i = 0; i < length; i += icache_stride) {

+ const char *ic_addr = &((const char *)exec_data)[i];

+ asm volatile ("ic ivau, %x[ic_addr]\n"

+ : /* no outputs */

+ : [ic_addr] "r"(ic_addr)

+ : "memory");

+ }

+

+ asm volatile ("dmb ish\n");

+ }

+

+ asm volatile ("isb sy\n");

+}

+

+static int basic_test(uint32_t *rw_data, const uint32_t *exec_data)

+{

+ /*

+ * As user mode only misbehaved for dual-mapped code when previously

+ * translated code had been changed, we'll start off with this basic test

+ * function to ensure that there's already some translated code at

+ * exec_data before the next test. This should cause the next test to fail

+ * if `mark_code_modified` fails to invalidate the code.

+ *

+ * Note that the payload is in binary form instead of inline assembler

+ * because we cannot use __attribute__((naked)) on this platform and the

+ * workarounds are at least as ugly as this is.

+ */

+ static const uint32_t basic_payload[] = {

+ 0xD65F03C0 /* 0x00: RET */

+ };

+

+ BasicTest *copied_ptr = (BasicTest *)exec_data;

+

+ memcpy(rw_data, basic_payload, sizeof(basic_payload));

+ mark_code_modified(exec_data, sizeof(basic_payload));

+

+ return copied_ptr(1234) == 1234;

+}

+

+static int self_modification_test(uint32_t *rw_data, const uint32_t *exec_data)

+{

+ /*

+ * This test is self-modifying in an attempt to cover an edge case where

+ * the IC IVAU instruction invalidates itself.

+ *

+ * Note that the IC IVAU instruction is 16 bytes into the function, in what

+ * will be the same cache line as the modified instruction on machines with

+ * a cache line size >= 16 bytes.

+ */

+ static const uint32_t self_mod_payload[] = {

+ /* Overwrite the placeholder instruction with the new one. */

+ 0xB9001C20, /* 0x00: STR w0, [x1, 0x1C] */

+

+ /* Get the executable address of the modified instruction. */

+ 0x100000A8, /* 0x04: ADR x8, <0x1C> */

+

+ /* Mark the modified instruction as updated. */

+ 0xD50B7B28, /* 0x08: DC CVAU x8 */

+ 0xD5033BBF, /* 0x0C: DMB ISH */

+ 0xD50B7528, /* 0x10: IC IVAU x8 */

+ 0xD5033BBF, /* 0x14: DMB ISH */

+ 0xD5033FDF, /* 0x18: ISB */

+

+ /* Placeholder instruction, overwritten above. */

+ 0x52800000, /* 0x1C: MOV w0, 0 */

+

+ 0xD65F03C0 /* 0x20: RET */

+ };

+

+ SelfModTest *copied_ptr = (SelfModTest *)exec_data;

+ int i;

+

+ memcpy(rw_data, self_mod_payload, sizeof(self_mod_payload));

+ mark_code_modified(exec_data, sizeof(self_mod_payload));

+

+ for (i = 1; i < 10; i++) {

+ /* Replace the placeholder instruction with `MOV w0, i` */

+ uint32_t new_instr = 0x52800000 | (i << 5);

+

+ if (copied_ptr(new_instr, rw_data) != i) {

+ return 0;

+ }

+ }

+

+ return 1;

+}

+

+int main(int argc, char **argv)

+{

+ const char *shm_name = "qemu-test-tcg-aarch64-icivau";

+ int fd;

+

+ fd = shm_open(shm_name, O_CREAT | O_RDWR, S_IRUSR | S_IWUSR);

+

+ if (fd < 0) {

+ return EXIT_FAILURE;

+ }

+

+ /* Unlink early to avoid leaving garbage in case the test crashes. */

+ shm_unlink(shm_name);

+

+ if (ftruncate(fd, MAX_CODE_SIZE) == 0) {

+ const uint32_t *exec_data;

+ uint32_t *rw_data;

+

+ rw_data = mmap(0, MAX_CODE_SIZE, PROT_READ | PROT_WRITE,

+ MAP_SHARED, fd, 0);

+ exec_data = mmap(0, MAX_CODE_SIZE, PROT_READ | PROT_EXEC,

+ MAP_SHARED, fd, 0);

+

+ if (rw_data && exec_data) {

+ if (basic_test(rw_data, exec_data) &&

+ self_modification_test(rw_data, exec_data)) {

+ return EXIT_SUCCESS;

+ }

+ }

+ }

+

+ return EXIT_FAILURE;

+}

diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target

--- a/tests/tcg/aarch64/Makefile.target

+++ b/tests/tcg/aarch64/Makefile.target

@@ -XXX,XX +XXX,XX @@ AARCH64_SRC=$(SRC_PATH)/tests/tcg/aarch64

VPATH         += $(AARCH64_SRC)

# Base architecture tests

-AARCH64_TESTS=fcvt pcalign-a64

+AARCH64_TESTS=fcvt pcalign-a64 icivau

fcvt: LDFLAGS+=-lm

+icivau: LDFLAGS+=-lrt

run-fcvt: fcvt

    $(call run-test,$<,$(QEMU) $<, "$< on $(TARGET_NAME)")

2.34.1

From: Vikram Garhwal <vikram.garhwal@amd.com>

Following are done to fix the coverity issues:

1. Change read_data to fix the CID 1512899: Out-of-bounds access (OVERRUN)

2. Fix match_rx_tx_data to fix CID 1512900: Logically dead code (DEADCODE)

3. Replace rand() in generate_random_data() with g_rand_int()

Signed-off-by: Vikram Garhwal <vikram.garhwal@amd.com>

Message-id: 20230628202758.16398-1-vikram.garhwal@amd.com

tests/qtest/xlnx-canfd-test.c | 33 +++++++++++----------------------

1 file changed, 11 insertions(+), 22 deletions(-)

diff --git a/tests/qtest/xlnx-canfd-test.c b/tests/qtest/xlnx-canfd-test.c

--- a/tests/qtest/xlnx-canfd-test.c

+++ b/tests/qtest/xlnx-canfd-test.c

@@ -XXX,XX +XXX,XX @@ static void generate_random_data(uint32_t *buf_tx, bool is_canfd_frame)

/* Generate random TX data for CANFD frame. */

if (is_canfd_frame) {

for (int i = 0; i < CANFD_FRAME_SIZE - 2; i++) {

- buf_tx[2 + i] = rand();

+ buf_tx[2 + i] = g_random_int();

}

} else {

/* Generate random TX data for CAN frame. */

for (int i = 0; i < CAN_FRAME_SIZE - 2; i++) {

- buf_tx[2 + i] = rand();

+ buf_tx[2 + i] = g_random_int();

}

-static void read_data(QTestState *qts, uint64_t can_base_addr, uint32_t *buf_rx)

+static void read_data(QTestState *qts, uint64_t can_base_addr, uint32_t *buf_rx,

+ uint32_t frame_size)

{

uint32_t int_status;

uint32_t fifo_status_reg_value;

/* At which RX FIFO the received data is stored. */

uint8_t store_ind = 0;

- bool is_canfd_frame = false;

/* Read the interrupt on CANFD rx. */

int_status = qtest_readl(qts, can_base_addr + R_ISR_OFFSET) & ISR_RXOK;

@@ -XXX,XX +XXX,XX @@ static void read_data(QTestState *qts, uint64_t can_base_addr, uint32_t *buf_rx)

buf_rx[0] = qtest_readl(qts, can_base_addr + R_RX0_ID_OFFSET);

buf_rx[1] = qtest_readl(qts, can_base_addr + R_RX0_DLC_OFFSET);

- is_canfd_frame = (buf_rx[1] >> DLC_FD_BIT_SHIFT) & 1;

-

- if (is_canfd_frame) {

- for (int i = 0; i < CANFD_FRAME_SIZE - 2; i++) {

- buf_rx[i + 2] = qtest_readl(qts,

- can_base_addr + R_RX0_DATA1_OFFSET + 4 * i);

- }

- } else {

- buf_rx[2] = qtest_readl(qts, can_base_addr + R_RX0_DATA1_OFFSET);

- buf_rx[3] = qtest_readl(qts, can_base_addr + R_RX0_DATA2_OFFSET);

+ for (int i = 0; i < frame_size - 2; i++) {

+ buf_rx[i + 2] = qtest_readl(qts,

+ can_base_addr + R_RX0_DATA1_OFFSET + 4 * i);

/* Clear the RX interrupt. */

@@ -XXX,XX +XXX,XX @@ static void match_rx_tx_data(const uint32_t *buf_tx, const uint32_t *buf_rx,

g_assert_cmpint((buf_rx[size] & DLC_FD_BIT_MASK), ==,

(buf_tx[size] & DLC_FD_BIT_MASK));

} else {

- if (!is_canfd_frame && size == 4) {

- break;

- }

-

g_assert_cmpint(buf_rx[size], ==, buf_tx[size]);

}

@@ -XXX,XX +XXX,XX @@ static void test_can_data_transfer(void)