[PULL 0/5] misc patch queue

[PULL 0/5] misc patch queue

[Richard Henderson]

The following changes since commit 917ac07f9aef579b9538a81d45f45850aba42906:

  Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging (2025-11-05 16:07:18 +0100)

are available in the Git repository at:

  https://gitlab.com/rth7680/qemu.git tags/pull-misc-20251110

for you to fetch changes up to 4f503afc7eb503997fedad84f24e2cdf696a7a0e:

  target/x86: Correctly handle invalid 0x0f 0xc7 0xxx insns (2025-11-10 12:02:45 +0100)

----------------------------------------------------------------
accel/tcg: Trace tb_flush() calls
accel/tcg: Trace tb_gen_code() buffer overflow
qapi/parser: Mollify mypy
tests/functional: Mark another MIPS replay test as flaky
target/x86: Correctly handle invalid 0x0f 0xc7 0xxx insns

----------------------------------------------------------------
Markus Armbruster (1):
      qapi/parser: Mollify mypy

Peter Maydell (1):
      target/x86: Correctly handle invalid 0x0f 0xc7 0xxx insns

Philippe Mathieu-Daudé (3):
      accel/tcg: Trace tb_flush() calls
      accel/tcg: Trace tb_gen_code() buffer overflow
      tests/functional: Mark another MIPS replay test as flaky

 accel/tcg/tb-maint.c                     | 3 ++-
 accel/tcg/translate-all.c                | 3 +++
 accel/tcg/trace-events                   | 4 ++++
 scripts/qapi/parser.py                   | 2 +-
 target/i386/tcg/decode-new.c.inc         | 2 ++
 tests/functional/mips64el/test_replay.py | 1 +
 6 files changed, 13 insertions(+), 2 deletions(-)

[PULL 1/5] accel/tcg: Trace tb_flush() calls

[Richard Henderson]

From: Philippe Mathieu-Daudé <philmd@linaro.org>

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20250925035610.80605-2-philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/tb-maint.c   | 3 ++-
 accel/tcg/trace-events | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/accel/tcg/tb-maint.c b/accel/tcg/tb-maint.c
index 5a8d0784e7..cd7c32361b 100644
--- a/accel/tcg/tb-maint.c
+++ b/accel/tcg/tb-maint.c
@@ -40,7 +40,7 @@
 #else
 #include "system/runstate.h"
 #endif
-
+#include "trace.h"
 
 /* List iterators for lists of tagged pointers in TranslationBlock. */
 #define TB_FOR_EACH_TAGGED(head, tb, n, field)                          \
@@ -771,6 +771,7 @@ void tb_flush__exclusive_or_serial(void)
 {
     CPUState *cpu;
 
+    trace_tb_flush();
     assert(tcg_enabled());
     /* Note that cpu_in_serial_context checks cpu_in_exclusive_context. */
     assert(!runstate_is_running() ||
diff --git a/accel/tcg/trace-events b/accel/tcg/trace-events
index 14f638810c..121d6b5081 100644
--- a/accel/tcg/trace-events
+++ b/accel/tcg/trace-events
@@ -24,3 +24,6 @@ store_atom2_fallback(uint32_t memop, uintptr_t ra) "mop:0x%"PRIx32", ra:0x%"PRIx
 store_atom4_fallback(uint32_t memop, uintptr_t ra) "mop:0x%"PRIx32", ra:0x%"PRIxPTR""
 store_atom8_fallback(uint32_t memop, uintptr_t ra) "mop:0x%"PRIx32", ra:0x%"PRIxPTR""
 store_atom16_fallback(uint32_t memop, uintptr_t ra) "mop:0x%"PRIx32", ra:0x%"PRIxPTR""
+
+# tb-maint.c
+tb_flush(void) ""
-- 
2.43.0

[PULL 2/5] accel/tcg: Trace tb_gen_code() buffer overflow

[Richard Henderson]

From: Philippe Mathieu-Daudé <philmd@linaro.org>

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20250925035610.80605-3-philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/translate-all.c | 3 +++
 accel/tcg/trace-events    | 1 +
 2 files changed, 4 insertions(+)

diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index da9d7f1675..fba4e9dc21 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -290,6 +290,7 @@ TranslationBlock *tb_gen_code(CPUState *cpu, TCGTBCPUState s)
     if (unlikely(!tb)) {
         /* flush must be done */
         if (cpu_in_serial_context(cpu)) {
+            trace_tb_gen_code_buffer_overflow("tcg_tb_alloc");
             tb_flush__exclusive_or_serial();
             goto buffer_overflow;
         }
@@ -325,6 +326,7 @@ TranslationBlock *tb_gen_code(CPUState *cpu, TCGTBCPUState s)
     if (unlikely(gen_code_size < 0)) {
         switch (gen_code_size) {
         case -1:
+            trace_tb_gen_code_buffer_overflow("setjmp_gen_code");
             /*
              * Overflow of code_gen_buffer, or the current slice of it.
              *
@@ -389,6 +391,7 @@ TranslationBlock *tb_gen_code(CPUState *cpu, TCGTBCPUState s)
 
     search_size = encode_search(tb, (void *)gen_code_buf + gen_code_size);
     if (unlikely(search_size < 0)) {
+        trace_tb_gen_code_buffer_overflow("encode_search");
         tb_unlock_pages(tb);
         goto buffer_overflow;
     }
diff --git a/accel/tcg/trace-events b/accel/tcg/trace-events
index 121d6b5081..0816cafd33 100644
--- a/accel/tcg/trace-events
+++ b/accel/tcg/trace-events
@@ -12,6 +12,7 @@ memory_notdirty_set_dirty(uint64_t vaddr) "0x%" PRIx64
 
 # translate-all.c
 translate_block(void *tb, uintptr_t pc, const void *tb_code) "tb:%p, pc:0x%"PRIxPTR", tb_code:%p"
+tb_gen_code_buffer_overflow(const char *reason) "reason: %s"
 
 # ldst_atomicity
 load_atom2_fallback(uint32_t memop, uintptr_t ra) "mop:0x%"PRIx32", ra:0x%"PRIxPTR""
-- 
2.43.0

[PULL 3/5] qapi/parser: Mollify mypy

[Richard Henderson]

From: Markus Armbruster <armbru@redhat.com>

re.match(r'^ *', ...) can't fail, but mypy doesn't know that and
complains:

    scripts/qapi/parser.py:444: error: Item "None" of "Match[str] | None" has no attribute "end"  [union-attr]

Work around by using must_match() instead.

Fixes: 8107ba47fd78 (qapi: Add documentation format validation)
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20251105152219.311154-1-armbru@redhat.com>
---
 scripts/qapi/parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/qapi/parser.py b/scripts/qapi/parser.py
index 1bb1af7051..c3cf33904e 100644
--- a/scripts/qapi/parser.py
+++ b/scripts/qapi/parser.py
@@ -441,7 +441,7 @@ def get_doc_line(self) -> Optional[str]:
             self._literal_mode = True
             self._literal_mode_indent = 0
         elif self._literal_mode and line:
-            indent = re.match(r'^ *', line).end()
+            indent = must_match(r'\s*', line).end()
             if self._literal_mode_indent == 0:
                 self._literal_mode_indent = indent
             elif indent < self._literal_mode_indent:
-- 
2.43.0

[PULL 4/5] tests/functional: Mark another MIPS replay test as flaky

[Richard Henderson]

From: Philippe Mathieu-Daudé <philmd@linaro.org>

When disabling MIPS tests on commit 1c11aa18071
("tests/functional: Mark the MIPS replay tests as flaky")
we missed the 5KEc test.

Reported-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20251104145955.84091-1-philmd@linaro.org>
---
 tests/functional/mips64el/test_replay.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/functional/mips64el/test_replay.py b/tests/functional/mips64el/test_replay.py
index 05cc585f85..e9318448fa 100755
--- a/tests/functional/mips64el/test_replay.py
+++ b/tests/functional/mips64el/test_replay.py
@@ -40,6 +40,7 @@ def test_replay_mips64el_malta(self):
         '75ba10cd35fb44e32948eeb26974f061b703c81c4ba2fab1ebcacf1d1bec3b61')
 
     @skipUntrustedTest()
+    @skipFlakyTest("https://gitlab.com/qemu-project/qemu/-/issues/2013")
     def test_replay_mips64el_malta_5KEc_cpio(self):
         self.set_machine('malta')
         self.cpu = '5KEc'
-- 
2.43.0

[PULL 5/5] target/x86: Correctly handle invalid 0x0f 0xc7 0xxx insns

[Richard Henderson]

From: Peter Maydell <peter.maydell@linaro.org>

In the decode_group9() function, if we don't recognise the insn as
one that we should handle, we leave the 'entry' pointer unaltered.
Because the X86OpEntry struct has a union for the gen and decode
pointers, this means that the top level code will call decode.e.gen()
which tries to use the decode function pointer (still set to
decode_group9) as a gen function pointer.

This is undefined behaviour, but seems to be mostly harmless in
practice (we call decode_group9() again with bogus arguments and it
does nothing).  If you have CFI enabled then it will trip the CFI
check:

../target/i386/tcg/decode-new.c.inc:2862:9: runtime error: control flow integrity check for type 'void (struct DisasContext *, struct X86DecodedInsn *)' failed during indirect function call

Set *entry to UNKNOWN_OPCODE to provoke the #UD exception, as we do
in decode_group1A() and decode_group11() for similar situations.

Thanks to the bug reporter for the clear description and analysis of
the bug and the simple reproducer.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3172
Fixes: fcd16539ebfe2 ("target/i386: convert CMPXCHG8B/CMPXCHG16B to new decoder")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20251021173152.1695997-1-peter.maydell@linaro.org>
---
 target/i386/tcg/decode-new.c.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg/decode-new.c.inc
index a50f57dbaa..f4192f1006 100644
--- a/target/i386/tcg/decode-new.c.inc
+++ b/target/i386/tcg/decode-new.c.inc
@@ -335,6 +335,8 @@ static void decode_group9(DisasContext *s, CPUX86State *env, X86OpEntry *entry,
         *entry = group9_reg;
     } else if (op == 1) {
         *entry = REX_W(s) ? cmpxchg16b : cmpxchg8b;
+    } else {
+        *entry = UNKNOWN_OPCODE;
     }
 }
 
-- 
2.43.0

Re: [PULL 0/5] misc patch queue

[Richard Henderson]

On 11/10/25 12:10, Richard Henderson wrote:
> The following changes since commit 917ac07f9aef579b9538a81d45f45850aba42906:
> 
>    Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging (2025-11-05 16:07:18 +0100)
> 
> are available in the Git repository at:
> 
>    https://gitlab.com/rth7680/qemu.git tags/pull-misc-20251110
> 
> for you to fetch changes up to 4f503afc7eb503997fedad84f24e2cdf696a7a0e:
> 
>    target/x86: Correctly handle invalid 0x0f 0xc7 0xxx insns (2025-11-10 12:02:45 +0100)
> 
> ----------------------------------------------------------------
> accel/tcg: Trace tb_flush() calls
> accel/tcg: Trace tb_gen_code() buffer overflow
> qapi/parser: Mollify mypy
> tests/functional: Mark another MIPS replay test as flaky
> target/x86: Correctly handle invalid 0x0f 0xc7 0xxx insns
> 

Applied, thanks.  Please update https://wiki.qemu.org/ChangeLog/10.2 as appropriate.

r~