qemu-devel.nongnu.org archive mirror
From: Thiemo Seufer <ths@networkno.de>
To: Luke -Jr <luke@dashjr.org>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] MIPS emulation
Date: Sun, 6 Jul 2008 05:52:13 +0100
Message-ID: <20080706045213.GA7875@networkno.de>
In-Reply-To: <200807052045.17038.luke@dashjr.org>

Luke -Jr wrote:
> I've attached a log of my qemu session... it gives the same results I expected 
> from manual disassembly. Does anyone have any clues as to why this works on 
> real hardware?

[snip]
> cpu_mips_handle_mmu_fault pc bfc008d8 ad 9fc00398 rw 0 mmu_idx 0 smmu 1
> cpu_mips_handle_mmu_fault address=9fc00398 ret 0 physical 1fc00398 prot 3
> cpu_mips_handle_mmu_fault pc bfc008d8 ad bfc00064 rw 0 mmu_idx 0 smmu 1
> cpu_mips_handle_mmu_fault address=bfc00064 ret 0 physical 1fc00064 prot 3
> ------------------------------------------------
> pc=0xbfc0096c HI=0x08428ec4 LO=0x08428ed4 ds 0090 bfc0096c 0
> GPR00: r0 00000000 at 00000000 v0 00000000 v1 00000000
> GPR04: a0 00003351 a1 fffe0000 a2 80a0f0ff a3 00000000
> GPR08: t0 9fc00398 t1 bfc0096c t2 00000000 t3 00000000
> GPR12: t4 00000000 t5 00000000 t6 00000000 t7 00000000
> GPR16: s0 bfc0043c s1 00000000 s2 00000000 s3 00000000
> GPR20: s4 00000000 s5 00000000 s6 00000000 s7 00000000
> GPR24: t8 00000000 t9 a0000000 k0 bfc00050 k1 bfc00020
> GPR28: gp 00000000 sp 00000000 s8 00000000 ra bfc008fc
> CP0 Status  0x00400000 Cause   0x00000400 EPC    0x00000000
>     Config0 0x80008482 Config1 0x9e190c8b LLAddr 0x00000000
> IN: 
> 0xbfc0096c:  lhu	t0,0(a1)
> 0xbfc00970:  bne	t0,a0,0xbfc009c4
> 0xbfc00974:  nop
> 
> ---------------- 2 00000090
> cpu_mips_handle_mmu_fault pc bfc0096c ad fffe0000 rw 0 mmu_idx 0 smmu 1
> cpu_mips_handle_mmu_fault address=fffe0000 ret -2 physical b7ceca12 prot 138223624
> search pc 1

Apparently it wants to read from 0xfffe0000, which is IIRC the EJTAG
address space. EJTAG debugging isn't implemented in Qemu. The address
space is reserved, therefore...

> ------------------------------------------------
> pc=0xbfc0096c HI=0x08428ec4 LO=0x08428ed4 ds 0090 bfc0096c 0
> GPR00: r0 00000000 at 00000000 v0 00000000 v1 00000000
> GPR04: a0 00003351 a1 fffe0000 a2 80a0f0ff a3 00000000
> GPR08: t0 9fc00398 t1 bfc0096c t2 00000000 t3 00000000
> GPR12: t4 00000000 t5 00000000 t6 00000000 t7 00000000
> GPR16: s0 bfc0043c s1 00000000 s2 00000000 s3 00000000
> GPR20: s4 00000000 s5 00000000 s6 00000000 s7 00000000
> GPR24: t8 00000000 t9 a0000000 k0 bfc00050 k1 bfc00020
> GPR28: gp 00000000 sp 00000000 s8 00000000 ra bfc008fc
> CP0 Status  0x00400000 Cause   0x00000400 EPC    0x00000000
>     Config0 0x80008482 Config1 0x9e190c8b LLAddr 0x00000000
> IN: 
> 0xbfc0096c:  lhu	t0,0(a1)
> 0xbfc00970:  bne	t0,a0,0xbfc009c4
> 0xbfc00974:  nop
> 
> ---------------- 2 00000090
> do_raise_exception_err: 26 1
> do_interrupt enter: PC bfc0096c EPC 00000000 TLB load exception

... a TLB exception occurs ...

> do_interrupt: PC bfc00200 EPC bfc0096c cause 2
>     S 00400002 C 00000408 A fffe0000 D 00000000
> ------------------------------------------------
> pc=0xbfc00200 HI=0x08428ec4 LO=0x08428ed4 ds 0098 bfc0096c 0
> GPR00: r0 00000000 at 00000000 v0 00000000 v1 00000000
> GPR04: a0 00003351 a1 fffe0000 a2 80a0f0ff a3 00000000
> GPR08: t0 9fc00398 t1 bfc0096c t2 00000000 t3 00000000
> GPR12: t4 00000000 t5 00000000 t6 00000000 t7 00000000
> GPR16: s0 bfc0043c s1 00000000 s2 00000000 s3 00000000
> GPR20: s4 00000000 s5 00000000 s6 00000000 s7 00000000
> GPR24: t8 00000000 t9 a0000000 k0 bfc00050 k1 bfc00020
> GPR28: gp 00000000 sp 00000000 s8 00000000 ra bfc008fc
> CP0 Status  0x00400002 Cause   0x00000408 EPC    0xbfc0096c
>     Config0 0x80008482 Config1 0x9e190c8b LLAddr 0x00000000
> IN: 
> 0xbfc00200:  lwu	zero,984(s8)
> 0xbfc00204:  0x1ab3f00
> 0xbfc00208:  lwu	zero,2412(s8)
> 0xbfc0020c:  lwu	zero,2512(s8)
> 0xbfc00210:  lwu	zero,2684(s8)
> 0xbfc00214:  alni.ob	$f23,$f6,$f1,1
> 0xbfc00218:  lwu	zero,3404(s8)
> 0xbfc0021c:  lwu	zero,3008(s8)
> 0xbfc00220:  lwu	zero,3120(s8)
> 0xbfc00224:  lwu	zero,4124(s8)
> 0xbfc00228:  nop
> 0xbfc0022c:  ll	zero,0(zero)
> 0xbfc00230:  nop
> 0xbfc00234:  j	0xb8180004
> 0xbfc00238:  lwu	zero,3496(s8)
> 
> ---------------- 2 00000098
> do_raise_exception_err: 20 0
> do_interrupt enter: PC bfc00200 EPC bfc0096c reserved instruction exception

... which finally kills it because the firmware doesn't handle TLB
exceptions that early in the boot process (when the BEV bit is still set).


Thiemo
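
Added example, not part of the original message and not QEMU's own code: a C sketch of the MIPS32 fixed address map and exception-vector selection that the quoted log exercises (kseg0/kseg1 translate without the TLB, 0xfffe0000 lies in kseg3 and needs a TLB entry, and with BEV set the refill vector is 0xbfc00200). It assumes kernel mode with Status.ERL clear and ignores the cache-error and interrupt vectors; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* MIPS32 fixed kernel-mode segment layout. */
enum seg { KUSEG, KSEG0, KSEG1, KSEG2, KSEG3 };

#define ST_EXL (1u << 1)   /* CP0 Status.EXL: already at exception level */
#define ST_BEV (1u << 22)  /* CP0 Status.BEV: bootstrap exception vectors */

enum seg classify(uint32_t va)
{
    if (va < 0x80000000u) return KUSEG;  /* TLB-mapped (ERL assumed clear) */
    if (va < 0xA0000000u) return KSEG0;  /* unmapped, cached */
    if (va < 0xC0000000u) return KSEG1;  /* unmapped, uncached */
    if (va < 0xE0000000u) return KSEG2;  /* TLB-mapped */
    return KSEG3;                        /* TLB-mapped */
}

/* Returns 1 and fills *pa for unmapped segments, 0 if a TLB entry is needed. */
int fixed_translate(uint32_t va, uint32_t *pa)
{
    enum seg s = classify(va);
    if (s != KSEG0 && s != KSEG1) return 0;
    *pa = va & 0x1FFFFFFFu;              /* strip the segment bits */
    return 1;
}

/* Entry point for a TLB refill (tlb_refill != 0) or a general exception.
 * A refill taken while EXL is already set uses the general offset 0x180. */
uint32_t exc_vector(uint32_t status, int tlb_refill)
{
    uint32_t base = (status & ST_BEV) ? 0xBFC00200u : 0x80000000u;
    uint32_t off = (tlb_refill && !(status & ST_EXL)) ? 0x000u : 0x180u;
    return base + off;
}

int main(void)
{
    /* Sample addresses and Status value copied from the quoted log. */
    const uint32_t va[] = { 0x9fc00398u, 0xbfc00064u, 0xfffe0000u };
    for (unsigned i = 0; i < sizeof va / sizeof va[0]; i++) {
        uint32_t pa;
        if (fixed_translate(va[i], &pa))
            printf("%08x -> physical %08x\n", (unsigned)va[i], (unsigned)pa);
        else
            printf("%08x -> needs TLB entry\n", (unsigned)va[i]);
    }
    printf("refill vector: %08x\n", (unsigned)exc_vector(0x00400000u, 1));
    return 0;
}
```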
