[Qemu-devel] [PATCH v2 0/2] PPC handles mcrfs incorrectly

[Qemu-devel] [PATCH v2 0/2] PPC handles mcrfs incorrectly

[James Clarke]

The first commit is because some FP_ macros needed to calculate
FP_EX_CLEAR_BITS did not exist, and I reordered all the FP_ macros so that they
are defined in the same order as the FPSCR_ macros. This has not changed since
the previous version.

The second commit stops bits in the FPSCR being cleared when read from with
mcrfs which shouldn't be, which includes the rounding mode being cleared by the
act of reading the current rounding mode. This has changed since the last
version to address compiler warnings; I don't actually know how it worked given
the warnings issued, but apologies for submitting such a broken patch.

James Clarke (2):
  target-ppc: Make every FPSCR_ macro have a corresponding FP_ macro
  target-ppc: mcrfs should always update FEX/VX and only clear exception
    bits

 target-ppc/cpu.h       | 37 ++++++++++++++++++++++++++++---------
 target-ppc/translate.c | 21 +++++++++++++++++----
 2 files changed, 45 insertions(+), 13 deletions(-)

-- 
2.7.0

[Qemu-devel] [PATCH v2 1/2] target-ppc: Make every FPSCR_ macro have a corresponding FP_ macro

[James Clarke]

Signed-off-by: James Clarke <jrtc27@jrtc27.com>
---
 target-ppc/cpu.h | 31 ++++++++++++++++++++++---------
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/target-ppc/cpu.h b/target-ppc/cpu.h
index 9706000..3a967b7 100644
--- a/target-ppc/cpu.h
+++ b/target-ppc/cpu.h
@@ -686,24 +686,37 @@ enum {
 
 #define FP_FX		(1ull << FPSCR_FX)
 #define FP_FEX		(1ull << FPSCR_FEX)
+#define FP_VX		(1ull << FPSCR_VX)
 #define FP_OX		(1ull << FPSCR_OX)
-#define FP_OE		(1ull << FPSCR_OE)
 #define FP_UX		(1ull << FPSCR_UX)
-#define FP_UE		(1ull << FPSCR_UE)
-#define FP_XX		(1ull << FPSCR_XX)
-#define FP_XE		(1ull << FPSCR_XE)
 #define FP_ZX		(1ull << FPSCR_ZX)
-#define FP_ZE		(1ull << FPSCR_ZE)
-#define FP_VX		(1ull << FPSCR_VX)
+#define FP_XX		(1ull << FPSCR_XX)
 #define FP_VXSNAN	(1ull << FPSCR_VXSNAN)
 #define FP_VXISI	(1ull << FPSCR_VXISI)
-#define FP_VXIMZ	(1ull << FPSCR_VXIMZ)
-#define FP_VXZDZ	(1ull << FPSCR_VXZDZ)
 #define FP_VXIDI	(1ull << FPSCR_VXIDI)
+#define FP_VXZDZ	(1ull << FPSCR_VXZDZ)
+#define FP_VXIMZ	(1ull << FPSCR_VXIMZ)
 #define FP_VXVC		(1ull << FPSCR_VXVC)
+#define FP_FR		(1ull << FSPCR_FR)
+#define FP_FI		(1ull << FPSCR_FI)
+#define FP_C		(1ull << FPSCR_C)
+#define FP_FL		(1ull << FPSCR_FL)
+#define FP_FG		(1ull << FPSCR_FG)
+#define FP_FE		(1ull << FPSCR_FE)
+#define FP_FU		(1ull << FPSCR_FU)
+#define FP_FPCC		(FP_FL | FP_FG | FP_FE | FP_FU)
+#define FP_FPRF		(FP_C  | FP_FL | FP_FG | FP_FE | FP_FU)
+#define FP_VXSOFT	(1ull << FPSCR_VXSOFT)
+#define FP_VXSQRT	(1ull << FPSCR_VXSQRT)
 #define FP_VXCVI	(1ull << FPSCR_VXCVI)
 #define FP_VE		(1ull << FPSCR_VE)
-#define FP_FI		(1ull << FPSCR_FI)
+#define FP_OE		(1ull << FPSCR_OE)
+#define FP_UE		(1ull << FPSCR_UE)
+#define FP_ZE		(1ull << FPSCR_ZE)
+#define FP_XE		(1ull << FPSCR_XE)
+#define FP_NI		(1ull << FPSCR_NI)
+#define FP_RN1		(1ull << FPSCR_RN1)
+#define FP_RN		(1ull << FPSCR_RN)
 
 /*****************************************************************************/
 /* Vector status and control register */
-- 
2.7.0

[Qemu-devel] [PATCH v2 2/2] target-ppc: mcrfs should always update FEX/VX and only clear exception bits

[James Clarke]

Here is the description of the mcrfs instruction from the PowerPC Architecture
Book, Version 2.02, Book I: PowerPC User Instruction Set Architecture
(http://www.ibm.com/developerworks/systems/library/es-archguide-v2.html), found
on page 120:

    The contents of FPSCR field BFA are copied to Condition Register field BF.
    All exception bits copied are set to 0 in the FPSCR. If the FX bit is
    copied, it is set to 0 in the FPSCR.

    Special Registers Altered:
        CR field BF
        FX OX                        (if BFA=0)
        UX ZX XX VXSNAN              (if BFA=1)
        VXISI VXIDI VXZDZ VXIMZ      (if BFA=2)
        VXVC                         (if BFA=3)
        VXSOFT VXSQRT VXCVI          (if BFA=5)

However, currently every bit in FPSCR field BFA is set to 0, including ones not
on that list.

This can be seen in the following simple C program:

    #include <fenv.h>
    #include <stdio.h>

    int main(int argc, char **argv) {
        int ret;
        ret = fegetround();
        printf("Current rounding: %d\n", ret);
        ret = fesetround(FE_UPWARD);
        printf("Setting to FE_UPWARD (%d): %d\n", FE_UPWARD, ret);
        ret = fegetround();
        printf("Current rounding: %d\n", ret);
        ret = fegetround();
        printf("Current rounding: %d\n", ret);
        return 0;
    }

which gave the output (before this commit):

    Current rounding: 0
    Setting to FE_UPWARD (2): 0
    Current rounding: 2
    Current rounding: 0

instead of (after this commit):

    Current rounding: 0
    Setting to FE_UPWARD (2): 0
    Current rounding: 2
    Current rounding: 2

The relevant disassembly is in fegetround(), which, on my system, is:

    __GI___fegetround:
    <+0>:   mcrfs  cr7, cr7
    <+4>:   mfcr   r3
    <+8>:   clrldi r3, r3, 62
    <+12>:  blr

What happens is that, the first time fegetround() is called, FPSCR field 7 is
retrieved. However, because of the bug in mcrfs, the entirety of field 7 is set
to 0, which includes the rounding mode.

There are other issues this will fix, such as condition flags not persisting
when they should if read, and if you were to read a specific field with some
exception bits set, but no others were set in the entire register, then the
bits would be cleared correctly, but FEX/VX would not be updated to 0 as they
should be.

Signed-off-by: James Clarke <jrtc27@jrtc27.com>
---
 target-ppc/cpu.h       |  6 ++++++
 target-ppc/translate.c | 21 +++++++++++++++++----
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/target-ppc/cpu.h b/target-ppc/cpu.h
index 3a967b7..d811bc9 100644
--- a/target-ppc/cpu.h
+++ b/target-ppc/cpu.h
@@ -718,6 +718,12 @@ enum {
 #define FP_RN1		(1ull << FPSCR_RN1)
 #define FP_RN		(1ull << FPSCR_RN)
 
+/* the exception bits which can be cleared by mcrfs - includes FX */
+#define FP_EX_CLEAR_BITS (FP_FX     | FP_OX     | FP_UX     | FP_ZX     | \
+                          FP_XX     | FP_VXSNAN | FP_VXISI  | FP_VXIDI  | \
+                          FP_VXZDZ  | FP_VXIMZ  | FP_VXVC   | FP_VXSOFT | \
+                          FP_VXSQRT | FP_VXCVI)
+
 /*****************************************************************************/
 /* Vector status and control register */
 #define VSCR_NJ		16 /* Vector non-java */
diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index 4be7eaa..ca10bd1 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -2500,18 +2500,31 @@ static void gen_fmrgow(DisasContext *ctx)
 static void gen_mcrfs(DisasContext *ctx)
 {
     TCGv tmp = tcg_temp_new();
+    TCGv_i32 tmask;
+    TCGv_i64 tnew_fpscr = tcg_temp_new_i64();
     int bfa;
+    int nibble;
+    int shift;
 
     if (unlikely(!ctx->fpu_enabled)) {
         gen_exception(ctx, POWERPC_EXCP_FPU);
         return;
     }
-    bfa = 4 * (7 - crfS(ctx->opcode));
-    tcg_gen_shri_tl(tmp, cpu_fpscr, bfa);
+    bfa = crfS(ctx->opcode);
+    nibble = 7 - bfa;
+    shift = 4 * nibble;
+    tcg_gen_shri_tl(tmp, cpu_fpscr, shift);
     tcg_gen_trunc_tl_i32(cpu_crf[crfD(ctx->opcode)], tmp);
-    tcg_temp_free(tmp);
     tcg_gen_andi_i32(cpu_crf[crfD(ctx->opcode)], cpu_crf[crfD(ctx->opcode)], 0xf);
-    tcg_gen_andi_tl(cpu_fpscr, cpu_fpscr, ~(0xF << bfa));
+    tcg_temp_free(tmp);
+    tcg_gen_extu_tl_i64(tnew_fpscr, cpu_fpscr);
+    /* Only the exception bits (including FX) should be cleared if read */
+    tcg_gen_andi_i64(tnew_fpscr, tnew_fpscr, ~((0xF << shift) & FP_EX_CLEAR_BITS));
+    /* FEX and VX need to be updated, so don't set fpscr directly */
+    tmask = tcg_const_i32(1 << nibble);
+    gen_helper_store_fpscr(cpu_env, tnew_fpscr, tmask);
+    tcg_temp_free_i32(tmask);
+    tcg_temp_free_i64(tnew_fpscr);
 }
 
 /* mffs */
-- 
2.7.0

Re: [Qemu-devel] [PATCH v2 2/2] target-ppc: mcrfs should always update FEX/VX and only clear exception bits

[David Gibson]

[-- Attachment #1: Type: text/plain, Size: 5632 bytes --]

On Fri, Jan 29, 2016 at 06:40:21PM +0000, James Clarke wrote:
> Here is the description of the mcrfs instruction from the PowerPC Architecture
> Book, Version 2.02, Book I: PowerPC User Instruction Set Architecture
> (http://www.ibm.com/developerworks/systems/library/es-archguide-v2.html), found
> on page 120:
> 
>     The contents of FPSCR field BFA are copied to Condition Register field BF.
>     All exception bits copied are set to 0 in the FPSCR. If the FX bit is
>     copied, it is set to 0 in the FPSCR.
> 
>     Special Registers Altered:
>         CR field BF
>         FX OX                        (if BFA=0)
>         UX ZX XX VXSNAN              (if BFA=1)
>         VXISI VXIDI VXZDZ VXIMZ      (if BFA=2)
>         VXVC                         (if BFA=3)
>         VXSOFT VXSQRT VXCVI          (if BFA=5)
> 
> However, currently every bit in FPSCR field BFA is set to 0, including ones not
> on that list.
> 
> This can be seen in the following simple C program:
> 
>     #include <fenv.h>
>     #include <stdio.h>
> 
>     int main(int argc, char **argv) {
>         int ret;
>         ret = fegetround();
>         printf("Current rounding: %d\n", ret);
>         ret = fesetround(FE_UPWARD);
>         printf("Setting to FE_UPWARD (%d): %d\n", FE_UPWARD, ret);
>         ret = fegetround();
>         printf("Current rounding: %d\n", ret);
>         ret = fegetround();
>         printf("Current rounding: %d\n", ret);
>         return 0;
>     }
> 
> which gave the output (before this commit):
> 
>     Current rounding: 0
>     Setting to FE_UPWARD (2): 0
>     Current rounding: 2
>     Current rounding: 0
> 
> instead of (after this commit):
> 
>     Current rounding: 0
>     Setting to FE_UPWARD (2): 0
>     Current rounding: 2
>     Current rounding: 2
> 
> The relevant disassembly is in fegetround(), which, on my system, is:
> 
>     __GI___fegetround:
>     <+0>:   mcrfs  cr7, cr7
>     <+4>:   mfcr   r3
>     <+8>:   clrldi r3, r3, 62
>     <+12>:  blr
> 
> What happens is that, the first time fegetround() is called, FPSCR field 7 is
> retrieved. However, because of the bug in mcrfs, the entirety of field 7 is set
> to 0, which includes the rounding mode.
> 
> There are other issues this will fix, such as condition flags not persisting
> when they should if read, and if you were to read a specific field with some
> exception bits set, but no others were set in the entire register, then the
> bits would be cleared correctly, but FEX/VX would not be updated to 0 as they
> should be.
> 
> Signed-off-by: James Clarke <jrtc27@jrtc27.com>

Thanks for the fixup.  It actually looks like helper_store_fpscr()
should really take a target_ulong instead of u64 and have the (single)
caller which wants to pass a 64 do the truncate.  But that can be a
cleanup for another day.

Applied to ppc-for-2.6.

> ---
>  target-ppc/cpu.h       |  6 ++++++
>  target-ppc/translate.c | 21 +++++++++++++++++----
>  2 files changed, 23 insertions(+), 4 deletions(-)
> 
> diff --git a/target-ppc/cpu.h b/target-ppc/cpu.h
> index 3a967b7..d811bc9 100644
> --- a/target-ppc/cpu.h
> +++ b/target-ppc/cpu.h
> @@ -718,6 +718,12 @@ enum {
>  #define FP_RN1		(1ull << FPSCR_RN1)
>  #define FP_RN		(1ull << FPSCR_RN)
>  
> +/* the exception bits which can be cleared by mcrfs - includes FX */
> +#define FP_EX_CLEAR_BITS (FP_FX     | FP_OX     | FP_UX     | FP_ZX     | \
> +                          FP_XX     | FP_VXSNAN | FP_VXISI  | FP_VXIDI  | \
> +                          FP_VXZDZ  | FP_VXIMZ  | FP_VXVC   | FP_VXSOFT | \
> +                          FP_VXSQRT | FP_VXCVI)
> +
>  /*****************************************************************************/
>  /* Vector status and control register */
>  #define VSCR_NJ		16 /* Vector non-java */
> diff --git a/target-ppc/translate.c b/target-ppc/translate.c
> index 4be7eaa..ca10bd1 100644
> --- a/target-ppc/translate.c
> +++ b/target-ppc/translate.c
> @@ -2500,18 +2500,31 @@ static void gen_fmrgow(DisasContext *ctx)
>  static void gen_mcrfs(DisasContext *ctx)
>  {
>      TCGv tmp = tcg_temp_new();
> +    TCGv_i32 tmask;
> +    TCGv_i64 tnew_fpscr = tcg_temp_new_i64();
>      int bfa;
> +    int nibble;
> +    int shift;
>  
>      if (unlikely(!ctx->fpu_enabled)) {
>          gen_exception(ctx, POWERPC_EXCP_FPU);
>          return;
>      }
> -    bfa = 4 * (7 - crfS(ctx->opcode));
> -    tcg_gen_shri_tl(tmp, cpu_fpscr, bfa);
> +    bfa = crfS(ctx->opcode);
> +    nibble = 7 - bfa;
> +    shift = 4 * nibble;
> +    tcg_gen_shri_tl(tmp, cpu_fpscr, shift);
>      tcg_gen_trunc_tl_i32(cpu_crf[crfD(ctx->opcode)], tmp);
> -    tcg_temp_free(tmp);
>      tcg_gen_andi_i32(cpu_crf[crfD(ctx->opcode)], cpu_crf[crfD(ctx->opcode)], 0xf);
> -    tcg_gen_andi_tl(cpu_fpscr, cpu_fpscr, ~(0xF << bfa));
> +    tcg_temp_free(tmp);
> +    tcg_gen_extu_tl_i64(tnew_fpscr, cpu_fpscr);
> +    /* Only the exception bits (including FX) should be cleared if read */
> +    tcg_gen_andi_i64(tnew_fpscr, tnew_fpscr, ~((0xF << shift) & FP_EX_CLEAR_BITS));
> +    /* FEX and VX need to be updated, so don't set fpscr directly */
> +    tmask = tcg_const_i32(1 << nibble);
> +    gen_helper_store_fpscr(cpu_env, tnew_fpscr, tmask);
> +    tcg_temp_free_i32(tmask);
> +    tcg_temp_free_i64(tnew_fpscr);
>  }
>  
>  /* mffs */

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [Qemu-devel] [PATCH v2 2/2] target-ppc: mcrfs should always update FEX/VX and only clear exception bits

[James Clarke]

[-- Attachment #1: Type: text/plain, Size: 5969 bytes --]

> On 31 Jan 2016, at 23:50, David Gibson <david@gibson.dropbear.id.au> wrote:
> On Fri, Jan 29, 2016 at 06:40:21PM +0000, James Clarke wrote:
>> Here is the description of the mcrfs instruction from the PowerPC Architecture
>> Book, Version 2.02, Book I: PowerPC User Instruction Set Architecture
>> (http://www.ibm.com/developerworks/systems/library/es-archguide-v2.html), found
>> on page 120:
>> 
>>    The contents of FPSCR field BFA are copied to Condition Register field BF.
>>    All exception bits copied are set to 0 in the FPSCR. If the FX bit is
>>    copied, it is set to 0 in the FPSCR.
>> 
>>    Special Registers Altered:
>>        CR field BF
>>        FX OX                        (if BFA=0)
>>        UX ZX XX VXSNAN              (if BFA=1)
>>        VXISI VXIDI VXZDZ VXIMZ      (if BFA=2)
>>        VXVC                         (if BFA=3)
>>        VXSOFT VXSQRT VXCVI          (if BFA=5)
>> 
>> However, currently every bit in FPSCR field BFA is set to 0, including ones not
>> on that list.
>> 
>> This can be seen in the following simple C program:
>> 
>>    #include <fenv.h>
>>    #include <stdio.h>
>> 
>>    int main(int argc, char **argv) {
>>        int ret;
>>        ret = fegetround();
>>        printf("Current rounding: %d\n", ret);
>>        ret = fesetround(FE_UPWARD);
>>        printf("Setting to FE_UPWARD (%d): %d\n", FE_UPWARD, ret);
>>        ret = fegetround();
>>        printf("Current rounding: %d\n", ret);
>>        ret = fegetround();
>>        printf("Current rounding: %d\n", ret);
>>        return 0;
>>    }
>> 
>> which gave the output (before this commit):
>> 
>>    Current rounding: 0
>>    Setting to FE_UPWARD (2): 0
>>    Current rounding: 2
>>    Current rounding: 0
>> 
>> instead of (after this commit):
>> 
>>    Current rounding: 0
>>    Setting to FE_UPWARD (2): 0
>>    Current rounding: 2
>>    Current rounding: 2
>> 
>> The relevant disassembly is in fegetround(), which, on my system, is:
>> 
>>    __GI___fegetround:
>>    <+0>:   mcrfs  cr7, cr7
>>    <+4>:   mfcr   r3
>>    <+8>:   clrldi r3, r3, 62
>>    <+12>:  blr
>> 
>> What happens is that, the first time fegetround() is called, FPSCR field 7 is
>> retrieved. However, because of the bug in mcrfs, the entirety of field 7 is set
>> to 0, which includes the rounding mode.
>> 
>> There are other issues this will fix, such as condition flags not persisting
>> when they should if read, and if you were to read a specific field with some
>> exception bits set, but no others were set in the entire register, then the
>> bits would be cleared correctly, but FEX/VX would not be updated to 0 as they
>> should be.
>> 
>> Signed-off-by: James Clarke <jrtc27@jrtc27.com>
> 
> Thanks for the fixup.  It actually looks like helper_store_fpscr()
> should really take a target_ulong instead of u64 and have the (single)
> caller which wants to pass a 64 do the truncate.  But that can be a
> cleanup for another day.
> 
> Applied to ppc-for-2.6.

Great, thanks. I agree it seems odd, especially given the argument is cast to
target_ulong, but that’s a more invasive change.

> 
>> ---
>> target-ppc/cpu.h       |  6 ++++++
>> target-ppc/translate.c | 21 +++++++++++++++++----
>> 2 files changed, 23 insertions(+), 4 deletions(-)
>> 
>> diff --git a/target-ppc/cpu.h b/target-ppc/cpu.h
>> index 3a967b7..d811bc9 100644
>> --- a/target-ppc/cpu.h
>> +++ b/target-ppc/cpu.h
>> @@ -718,6 +718,12 @@ enum {
>> #define FP_RN1		(1ull << FPSCR_RN1)
>> #define FP_RN		(1ull << FPSCR_RN)
>> 
>> +/* the exception bits which can be cleared by mcrfs - includes FX */
>> +#define FP_EX_CLEAR_BITS (FP_FX     | FP_OX     | FP_UX     | FP_ZX     | \
>> +                          FP_XX     | FP_VXSNAN | FP_VXISI  | FP_VXIDI  | \
>> +                          FP_VXZDZ  | FP_VXIMZ  | FP_VXVC   | FP_VXSOFT | \
>> +                          FP_VXSQRT | FP_VXCVI)
>> +
>> /*****************************************************************************/
>> /* Vector status and control register */
>> #define VSCR_NJ		16 /* Vector non-java */
>> diff --git a/target-ppc/translate.c b/target-ppc/translate.c
>> index 4be7eaa..ca10bd1 100644
>> --- a/target-ppc/translate.c
>> +++ b/target-ppc/translate.c
>> @@ -2500,18 +2500,31 @@ static void gen_fmrgow(DisasContext *ctx)
>> static void gen_mcrfs(DisasContext *ctx)
>> {
>>     TCGv tmp = tcg_temp_new();
>> +    TCGv_i32 tmask;
>> +    TCGv_i64 tnew_fpscr = tcg_temp_new_i64();
>>     int bfa;
>> +    int nibble;
>> +    int shift;
>> 
>>     if (unlikely(!ctx->fpu_enabled)) {
>>         gen_exception(ctx, POWERPC_EXCP_FPU);
>>         return;
>>     }
>> -    bfa = 4 * (7 - crfS(ctx->opcode));
>> -    tcg_gen_shri_tl(tmp, cpu_fpscr, bfa);
>> +    bfa = crfS(ctx->opcode);
>> +    nibble = 7 - bfa;
>> +    shift = 4 * nibble;
>> +    tcg_gen_shri_tl(tmp, cpu_fpscr, shift);
>>     tcg_gen_trunc_tl_i32(cpu_crf[crfD(ctx->opcode)], tmp);
>> -    tcg_temp_free(tmp);
>>     tcg_gen_andi_i32(cpu_crf[crfD(ctx->opcode)], cpu_crf[crfD(ctx->opcode)], 0xf);
>> -    tcg_gen_andi_tl(cpu_fpscr, cpu_fpscr, ~(0xF << bfa));
>> +    tcg_temp_free(tmp);
>> +    tcg_gen_extu_tl_i64(tnew_fpscr, cpu_fpscr);
>> +    /* Only the exception bits (including FX) should be cleared if read */
>> +    tcg_gen_andi_i64(tnew_fpscr, tnew_fpscr, ~((0xF << shift) & FP_EX_CLEAR_BITS));
>> +    /* FEX and VX need to be updated, so don't set fpscr directly */
>> +    tmask = tcg_const_i32(1 << nibble);
>> +    gen_helper_store_fpscr(cpu_env, tnew_fpscr, tmask);
>> +    tcg_temp_free_i32(tmask);
>> +    tcg_temp_free_i64(tnew_fpscr);
>> }
>> 
>> /* mffs */
> 
> --
> David Gibson			| I'll have my music baroque, and my code
> david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
> 				| _way_ _around_!
> http://www.ozlabs.org/~dgibson

Regards,
James


[-- Attachment #2: Message signed with OpenPGP using GPGMail --]
[-- Type: application/pgp-signature, Size: 801 bytes --]