[Qemu-devel] PowerPC CPU tester

[Qemu-devel] PowerPC CPU tester

[Gwenole Beauchesne]

Hi,

I have finally glued QEMU to my test engine. Extra patches to QEMU core
are appended below.

You can find the files here:
<http://gwenole.beauchesne.free.fr/kheperix/>
* test-powerpc.cpp
* kheperix-0.2-ppc-results.dat.bz2: results file for non PPC platforms

The tester is old but covers around 690K variations (1.3M nowadays):
154656 errors out of 689408 tests

Most of them are due to miscalculation of the overflow flag. "neg" is 
probably mis-decoded thus not handling CR or XER updates. Should be pretty 
simple to fix.

Hope this helps.

Index: cpu-all.h
===================================================================
RCS file: /cvsroot/qemu/qemu/cpu-all.h,v
retrieving revision 1.14
diff -u -r1.14 cpu-all.h
--- cpu-all.h	23 Nov 2003 17:05:30 -0000	1.14
+++ cpu-all.h	2 Dec 2003 14:50:19 -0000
@@ -213,7 +213,7 @@
 {
     uint32_t a,b;
     a = ldl_raw(ptr);
-    b = ldl_raw(ptr+4);
+    b = ldl_raw((uint8_t *)ptr+4);
     return (((uint64_t)a<<32)|b);
 }
 
@@ -236,7 +236,7 @@
 static inline void stq_raw(void *ptr, uint64_t v)
 {
     stl_raw(ptr, v);
-    stl_raw(ptr+4, v >> 32);
+    stl_raw((uint8_t *)ptr+4, v >> 32);
 }
 
 #else
Index: target-ppc/cpu.h
===================================================================
RCS file: /cvsroot/qemu/qemu/target-ppc/cpu.h,v
retrieving revision 1.2
diff -u -r1.2 cpu.h
--- target-ppc/cpu.h	23 Nov 2003 16:58:07 -0000	1.2
+++ target-ppc/cpu.h	2 Dec 2003 14:50:19 -0000
@@ -29,7 +29,7 @@
 /* 8 to 32 bits */
 static inline int32_t s_ext8 (uint8_t value)
 {
-    int8_t *tmp = &value;
+    int8_t *tmp = (int8_t *)&value;
 
     return *tmp;
 }
@@ -37,7 +37,7 @@
 /* 16 to 32 bits */
 static inline int32_t s_ext16 (uint16_t value)
 {
-    int16_t *tmp = &value;
+    int16_t *tmp = (int16_t *)&value;
 
     return *tmp;
 }
@@ -46,7 +46,7 @@
 static inline int32_t s_ext24 (uint32_t value)
 {
     uint16_t utmp = (value >> 8) & 0xFFFF;
-    int16_t *tmp = &utmp;
+    int16_t *tmp = (int16_t *)&utmp;
 
     return (*tmp << 8) | (value & 0xFF);
 }
Index: target-ppc/translate.c
===================================================================
RCS file: /cvsroot/qemu/qemu/target-ppc/translate.c,v
retrieving revision 1.2
diff -u -r1.2 translate.c
--- target-ppc/translate.c	23 Nov 2003 16:58:08 -0000	1.2
+++ target-ppc/translate.c	2 Dec 2003 14:50:20 -0000
@@ -22,6 +22,7 @@
 #include "exec.h"
 #include "disas.h"
 
+#define DO_EXEC_RETURN
 //#define DO_SINGLE_STEP
 //#define DO_STEP_FLUSH
 
@@ -2336,6 +2337,12 @@
                 handler = table[opc3(ctx.opcode)];
             }
         }
+#ifdef DO_EXEC_RETURN
+		if (ctx.opcode == 0x18000000) {
+		  gen_op_raise_exception(EXCP_HLT);
+		  break;
+		}
+#endif
         /* Is opcode *REALLY* valid ? */
         if ((ctx.opcode & handler->inval) != 0) {
             if (loglevel > 0) {

Re: [Qemu-devel] PowerPC CPU tester

[J. Mayer]

On Tue, 2003-12-02 at 16:13, Gwenole Beauchesne wrote:
> Hi,
> 
> I have finally glued QEMU to my test engine. Extra patches to QEMU core
> are appended below.
> 
> You can find the files here:
> <http://gwenole.beauchesne.free.fr/kheperix/>
> * test-powerpc.cpp
> * kheperix-0.2-ppc-results.dat.bz2: results file for non PPC platforms
> 
> The tester is old but covers around 690K variations (1.3M nowadays):
> 154656 errors out of 689408 tests
> 
> Most of them are due to miscalculation of the overflow flag. "neg" is 
> probably mis-decoded thus not handling CR or XER updates. Should be pretty 
> simple to fix.
>
Hi, 

Thanks for testing.
I'm surprised that you have problems with standard arithmetics and
logical tests, as I did test a lot of cases with my ppc-test programs
which gives the same result on a real PPC (G3 & G4) and under qemu.
Would it be possible to get a readable description of the problems
encountered ?
I can do nothing of you .dat file.
I also pass the U-boot cpu post test, 
with some fixes for string load/store and
rlwmi instructions.

I did ran your test, and the translation stops for "neg" instruction
because you generate invalid forms of this instruction:

> Testing neg
> invalid bits: 00002800 for opcode: 1f -08 - 03 (0x7c6428d0) (0x80031890)
According to PPC specification, bits 16 to 20 (in IBM/Motorola notation) have
always to be zero, has neg have no rB operand.
This can be fixed easily in your program, replacing rB with zero for neg variants
tests.
With that fix, I get this result (with the version I work on, not the commited one):
0 errors out of 663056 tests
I did fix only string/multiple load & store and rlwimi instruction...

> Index: target-ppc/translate.c
> ===================================================================
> RCS file: /cvsroot/qemu/qemu/target-ppc/translate.c,v
> retrieving revision 1.2
> diff -u -r1.2 translate.c
> --- target-ppc/translate.c	23 Nov 2003 16:58:08 -0000	1.2
> +++ target-ppc/translate.c	2 Dec 2003 14:50:20 -0000
> @@ -22,6 +22,7 @@
>  #include "exec.h"
>  #include "disas.h"
>  
> +#define DO_EXEC_RETURN
>  //#define DO_SINGLE_STEP
>  //#define DO_STEP_FLUSH
>  
> @@ -2336,6 +2337,12 @@
>                  handler = table[opc3(ctx.opcode)];
>              }
>          }
> +#ifdef DO_EXEC_RETURN
> +		if (ctx.opcode == 0x18000000) {
> +		  gen_op_raise_exception(EXCP_HLT);
> +		  break;
> +		}
> +#endif
>          /* Is opcode *REALLY* valid ? */
>          if ((ctx.opcode & handler->inval) != 0) {
>              if (loglevel > 0) {
> 
What does this mean ?
I cannot see this opcode either in the 32 bits PPC spec, or in the PPC
750 one... Did I miss
something ?

Regards.

-- 
J. Mayer <l_indien@magic.fr>
Never organized

Re: [Qemu-devel] PowerPC CPU tester

[Gwenole Beauchesne]

Hi,

> Would it be possible to get a readable description of the problems
> encountered ?

Hmm, wait, I read XER the wrong way. It seems you used the normal 
numbering way with 0 being LSB. I have uploaded a new version of 
test-powerpc.cpp. Sorry, for the inconvience. Only "rlwimi" were wrong 
indeed.
30698 errors out of 689408 tests

>> Testing neg
>> invalid bits: 00002800 for opcode: 1f -08 - 03 (0x7c6428d0) 
>> (0x80031890)
> According to PPC specification, bits 16 to 20 (in IBM/Motorola 
> notation) have
> always to be zero, has neg have no rB operand.

Indeed, copy-paste propagation. ;-) Thanks, for noticing.

>> +#ifdef DO_EXEC_RETURN
>> +		if (ctx.opcode == 0x18000000) {
>> +		  gen_op_raise_exception(EXCP_HLT);
>> +		  break;
>> +		}
>> +#endif
>>          /* Is opcode *REALLY* valid ? */
>>          if ((ctx.opcode & handler->inval) != 0) {
>>              if (loglevel > 0) {
>>
> What does this mean ?

That's for the tester, it's simply an extra opcode to get out of 
emulation code, if you know a better way...

Bye,
Gwenole.

Re: [Qemu-devel] PowerPC CPU tester

[J. Mayer]

On Wed, 2003-12-03 at 08:10, Gwenole Beauchesne wrote:
> Hi,

Hi !

> > Would it be possible to get a readable description of the problems
> > encountered ?
> 
> Hmm, wait, I read XER the wrong way. It seems you used the normal 
> numbering way with 0 being LSB. I have uploaded a new version of 
> test-powerpc.cpp. Sorry, for the inconvience. Only "rlwimi" were wrong 
> indeed.
> 30698 errors out of 689408 tests

Well, I understand. I hate the IBM/Motorola notation....
Can you please give me a detailed report of rlwimi problem ? I think I
found it (missing parenthesis in micro-op).
You may try to replace in translate-ppc/op.c:

Index: target-ppc/op.c
===================================================================
RCS file: /cvsroot/qemu/qemu/target-ppc/op.c,v
retrieving revision 1.2
diff -u -d -w -B -b -d -p -r1.2 op.c
--- target-ppc/op.c     23 Nov 2003 16:58:08 -0000      1.2
+++ target-ppc/op.c     3 Dec 2003 08:55:51 -0000
@@ -988,7 +1143,7 @@ PPC_OP(xori)
 /* rotate left word immediate then mask insert */
 PPC_OP(rlwimi)
 {
-    T0 = rotl(T0, PARAM(1) & PARAM(2)) | (T0 & PARAM(3));
+    T0 = (rotl(T0, PARAM(1)) & PARAM(2)) | (T1 & PARAM(3));
     RETURN();
 }

In between, I read more of your code and I now understand better how is
your .dat file to be used.

> >> Testing neg
> >> invalid bits: 00002800 for opcode: 1f -08 - 03 (0x7c6428d0) 
> >> (0x80031890)
> > According to PPC specification, bits 16 to 20 (in IBM/Motorola 
> > notation) have
> > always to be zero, has neg have no rB operand.
> 
> Indeed, copy-paste propagation. ;-) Thanks, for noticing.

Quite common problem :=)
In fact, I noticed that a G4 doesn't report an invalid opcode but I want
to check bad bits in opcodes, at least for testing...

> That's for the tester, it's simply an extra opcode to get out of 
> emulation code, if you know a better way...

All right, I will recode it the same way regular opcodes are. That can
be usefull...

-- 
J. Mayer <l_indien@magic.fr>
Never organized