QEMU currently crashes when introspecting the cgthree device from the
command line interface:
$ ./qemu-system-sparc -device cgthree,help
Segmentation fault (core dumped)
This happens because the memory_region_init_rom() function internally
calls qemu_ram_alloc_internal() that needs the current_machine pointer
to be set up - which is not the case here since the machine has not
been created yet.
There does not seem to be a compelling reason for initializing the
memory regions from the instance_init function, so let's simply move
the code into the realize() function instead to fix this issue.
Tested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260317080623.438230-1-thuth@redhat.com>
QEMU currently crashes when introspecting raven-pcihost from the command
line interface:
$ ./qemu-system-ppc -device raven-pcihost,help
Segmentation fault (core dumped)
This happens because the raven_pcihost_initfn instance init function
calls get_system_memory(), but that is not available here yet.
There does not seem to be a compelling reason for initializing the
memory regions from the instance init function, so let's simply move
the code into the realize() function instead to fix this issue.
Tested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260317074049.436460-1-thuth@redhat.com>
Test for predicated .new branches with non-standard predicate values
(non-all-0, non-all-1). Hexagon predicates are 8 bits wide but conditional
branches evaluate only the LSB.
Reviewed-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
Replace TCG_COND_EQ/NE comparisons against 0 with TCG_COND_TSTEQ/TSTNE
comparisons against 1 for all predicate-conditional branches. This tests
bit 0 of the predicate register directly, eliminating redundant andi
operations that previously extracted the LSB before the comparison.
For predicate-conditional jumps (jumpt, jumpf, jumptnew, etc.) and
jump-register variants (jumprt, jumprf, etc.), pass the raw predicate
value directly instead of going through fLSBOLD/fLSBNEW extraction.
For callers that produce a 0/1 result via setcond (compare-and-jump,
jumprz, etc.), the TSTEQ/TSTNE test on bit 0 is equivalent to the
previous EQ/NE test against 0.
Reviewed-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
J2_jumptnew and J2_jumptnewpt passed the raw predicate value to
gen_cond_jump(), checking if the full 8-bit value was non-zero.
Refer to PRM Section 6.1.2 "predicate-consuming instructions examine
only the least-significant bit".
This inconsistency caused if (p0.new) jumps and if (p0.new) loads
within the same packet to disagree when the predicate had values
other than the ones generated by predicate-generating instructions
(e.g. 0x80 or 0xAA where bit 0 is clear but the value is
non-zero): the jump would be taken while the loads were skipped.
Fix by routing both macros through fGEN_TCG_cond_jumpt(fLSBNEW(PuN)),
matching the pattern used by every other predicated jump.
Discovered-by: Alexey Karyakin <akaryaki@qti.qualcomm.com>
Reviewed-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
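As an added illustration of the predicate semantics the three Hexagon commits above rely on (this is example code written for this page, not QEMU's Hexagon frontend): a tiny model of one packet in which a `.new` jump and a predicated load consume the same predicate, comparing a consumer that tests only bit 0 with one that tests the whole 8-bit value. The packet shape and the exhaustive sweep over all 256 predicate values are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Two ways a consumer can read an 8-bit Hexagon predicate. Only the LSB is
 * architecturally meaningful (PRM 6.1.2); the whole-value test models the
 * pre-fix J2_jumptnew/J2_jumptnewpt behaviour described above. */
static bool pred_lsb(uint8_t p)     { return (p & 1) != 0; }
static bool pred_nonzero(uint8_t p) { return p != 0; }

/* Outcome of one packet in which "if (p0.new) jump" and
 * "if (p0.new) r1 = memw(..)" both consume the same freshly written p0. */
struct packet_outcome { bool jump_taken; bool load_executed; };

static struct packet_outcome run_packet(uint8_t p0_new, bool jump_uses_lsb)
{
    struct packet_outcome o;
    o.jump_taken    = jump_uses_lsb ? pred_lsb(p0_new) : pred_nonzero(p0_new);
    o.load_executed = pred_lsb(p0_new);   /* predicated loads already went through fLSBNEW */
    return o;
}

/* Number of the 256 possible predicate values for which the jump and the
 * load in the same packet disagree. */
static int count_disagreements(bool jump_uses_lsb)
{
    int n = 0;
    for (int p = 0; p < 256; p++) {
        struct packet_outcome o = run_packet((uint8_t)p, jump_uses_lsb);
        if (o.jump_taken != o.load_executed) {
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* 0x80 and 0xAA: non-zero values with bit 0 clear. */
    printf("p0.new=0x80 pre-fix: jump=%d load=%d\n",
           run_packet(0x80, false).jump_taken, run_packet(0x80, false).load_executed);
    printf("p0.new=0xAA fixed  : jump=%d load=%d\n",
           run_packet(0xAA, true).jump_taken, run_packet(0xAA, true).load_executed);
    printf("disagreeing values: pre-fix=%d fixed=%d\n",
           count_disagreements(false), count_disagreements(true));
    return 0;
}
```

With the whole-value test, every even non-zero predicate (127 of the 256 values) makes the jump fire while the load in the same packet is skipped; with the bit-0 test the two consumers agree for every value, which is why routing both macros through fLSBNEW closes the inconsistency.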
HPPA fixes for v11
Some late fixes for QEMU-v11
Various fixes in SeaBIOS-hppa and qemu code, most importantly
this fixes boot of the C3700, which broke while we added
support for CPUs with 40 and 44 bits physical address space.
# -----BEGIN PGP SIGNATURE-----
#
# iHUEABYKAB0WIQS86RI+GtKfB8BJu973ErUQojoPXwUCabxmmwAKCRD3ErUQojoP
# X5z0AP4h0hBe/jDlQ8VLs0LtdG4bBnyPSVl+4rahw10mmgkvZwD7B/wimiCUBOJZ
# Jj9nKpNWtgZRXwRIM4XOl/a6pYcbCw8=
# =MzWS
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu Mar 19 21:11:55 2026 GMT
# gpg: using EDDSA key BCE9123E1AD29F07C049BBDEF712B510A23A0F5F
# gpg: Good signature from "Helge Deller <deller@gmx.de>" [unknown]
# gpg: aka "Helge Deller <deller@kernel.org>" [unknown]
# gpg: aka "Helge Deller <deller@debian.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 4544 8228 2CD9 10DB EF3D 25F8 3E5F 3D04 A7A2 4603
# Subkey fingerprint: BCE9 123E 1AD2 9F07 C049 BBDE F712 B510 A23A 0F5F
* tag 'hppa-fixes-for-v11-pull-request' of https://github.com/hdeller/qemu-hppa:
target/hppa: Update SeaBIOS-hppa to version 23
hw/hppa: Fix crash of 64-bit HP-UX 11 while flushing caches
hw/pci-host/astro: Use proper region names
target/hppa: Always map 64-bit firmware at 0xfffffff0f0000000
hw/hppa: Adjust physical addresses of Astro and Elroy
hw/hppa: Fix description of the HP A400-44 server
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
mem pull for 11.0-rc1
Two fixes included:
- Xiaoyao's fix on recent coco guest boot failure
- BALATON's fix on recent sparc device-introspect-test failure
# -----BEGIN PGP SIGNATURE-----
#
# iIgEABYKADAWIQS5GE3CDMRX2s990ak7X8zN86vXBgUCabwC2xIccGV0ZXJ4QHJl
# ZGhhdC5jb20ACgkQO1/MzfOr1wYozgEAg32MCV/R9xs5krn9mSpBLLoVZCAIDp2C
# 4hLW7aEnf4UBALeUmJY/pLWEGwFc6LVzPe4kZ5BLl0j72jtcVP1BcmoG
# =Zd1r
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu Mar 19 14:06:19 2026 GMT
# gpg: using EDDSA key B9184DC20CC457DACF7DD1A93B5FCCCDF3ABD706
# gpg: issuer "peterx@redhat.com"
# gpg: Good signature from "Peter Xu <xzpeter@gmail.com>" [marginal]
# gpg: aka "Peter Xu <peterx@redhat.com>" [marginal]
# gpg: WARNING: The key's User ID is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: B918 4DC2 0CC4 57DA CF7D D1A9 3B5F CCCD F3AB D706
* tag 'staging-pull-request' of https://gitlab.com/peterx/qemu:
hw/display/tcx: Init memory regions in realize
memory: Set mr->ram before RAM Block allocation
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Commit 17288e38be ("optimize the memory probing for vector
fault-only-first loads") introduced an optimization that moved from
per-element probing to a fast-path broad probe. Unfortunately it
introduced the following bugs in cross-page handling:
- Wrong condition for second page probing: checked "env->vl > elems"
instead of "env->vl > elems + env->vstart", failing to account for
the vstart offset.
- Incorrect second page address calculation: used
"addr + (elems << log2_esz)" instead of "addr + page_split".
For segment loads (nf > 1), this would probe the wrong address, not
at the page boundary.
- Wrong second page probe size: used "elems * msize" (the first page
size) instead of calculating the remaining size as
"(env->vl - env->vstart) * msize - page_split". This would probe
too little memory and could miss faults.
This commit fixes these bugs by leveraging the probe_pages helper
which automatically handles cross-page memory accesses correctly.
Fixes: 17288e38be ("optimize the memory probing for vector fault-only-first loads.")
Signed-off-by: Max Chou <max.chou@sifive.com>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318013805.1920377-3-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
When probe_pages probes a memory region that spans two pages, it calls
probe_access_flags twice - once for each page. However, the flags from
the second page probe were overwriting the flags from the first page
instead of being merged together.
Signed-off-by: Max Chou <max.chou@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318013805.1920377-2-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
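As an added example covering both of the preceding commits (the cross-page probing bugs and the overwritten second-page flags), here is a toy model written for this page, not QEMU's probe_pages or vector helper code. It uses a constructed 4 KiB page map and constructed flag bits, derives the second-page address and size from page_split the way the fix does, and reconstructs the pre-fix arithmetic from the commit message's description; the `struct ffl` parameters and the `SEG`/`TAIL` scenarios are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy 4 KiB paging; these constants are the example's own, not QEMU's. */
#define PAGE_SIZE 4096u
#define PAGE_MASK (PAGE_SIZE - 1)

/* Constructed probe flag bits, standing in for what a TLB probe reports. */
#define FLAG_UNMAPPED   0x1u
#define FLAG_WATCHPOINT 0x2u

/* Constructed page map: page 1 is unmapped, page 2 carries a watchpoint. */
static unsigned page_flags(uint64_t addr)
{
    switch (addr / PAGE_SIZE) {
    case 1:  return FLAG_UNMAPPED;
    case 2:  return FLAG_WATCHPOINT;
    default: return 0;
    }
}

/* Bytes from addr up to the end of its page (page_split in the commit). */
static uint64_t bytes_to_page_end(uint64_t addr)
{
    return PAGE_SIZE - (addr & PAGE_MASK);
}

/* Probe [addr, addr + len), touching at most two pages. merge == true ORs
 * the two pages' flags (the fixed behaviour); merge == false lets the second
 * probe overwrite the first (the bug the second commit describes). */
static unsigned probe_flags(uint64_t addr, uint64_t len, bool merge)
{
    uint64_t page_split = bytes_to_page_end(addr);
    unsigned flags = page_flags(addr);

    if (len > page_split) {                      /* access crosses into a second page */
        unsigned second = page_flags(addr + page_split);
        flags = merge ? (flags | second) : second;
    }
    return flags;
}

/* A fault-only-first load: addr is the address of element vstart, and each
 * element is nf fields of (1 << log2_esz) bytes, so msize = nf << log2_esz. */
struct ffl {
    uint64_t addr;
    uint32_t vstart, vl, nf, log2_esz;
};

static uint64_t msize(const struct ffl *p)     { return (uint64_t)p->nf << p->log2_esz; }
static uint64_t total_len(const struct ffl *p) { return (p->vl - p->vstart) * msize(p); }
/* Whole elements that fit before the page boundary. */
static uint64_t first_page_elems(const struct ffl *p)
{
    return bytes_to_page_end(p->addr) / msize(p);
}

/* Second-page decision, address and size derived from page_split (the fix). */
static bool second_needed_fixed(const struct ffl *p)
{
    return p->vl > first_page_elems(p) + p->vstart;
}
static uint64_t second_addr_fixed(const struct ffl *p)
{
    return p->addr + bytes_to_page_end(p->addr);
}
static uint64_t second_len_fixed(const struct ffl *p)
{
    return total_len(p) - bytes_to_page_end(p->addr);
}

/* The same three values as the pre-fix code derived them, reconstructed
 * from the commit message's description. */
static bool second_needed_buggy(const struct ffl *p)
{
    return p->vl > first_page_elems(p);                    /* vstart ignored */
}
static uint64_t second_addr_buggy(const struct ffl *p)
{
    return p->addr + (first_page_elems(p) << p->log2_esz); /* one field, not nf */
}
static uint64_t second_len_buggy(const struct ffl *p)
{
    return first_page_elems(p) * msize(p);                 /* first-page size reused */
}

/* Constructed scenarios. SEG: segment load (nf = 2, 4-byte fields) starting
 * 16 bytes before a page end. TAIL: vstart = 6 leaves two 4-byte elements,
 * both inside the first page. */
static const struct ffl SEG  = { .addr = 0xff0, .vstart = 0, .vl = 8, .nf = 2, .log2_esz = 2 };
static const struct ffl TAIL = { .addr = 0xff0, .vstart = 6, .vl = 8, .nf = 1, .log2_esz = 2 };

int main(void)
{
    printf("SEG  fixed: second page at %#llx, %llu bytes\n",
           (unsigned long long)second_addr_fixed(&SEG), (unsigned long long)second_len_fixed(&SEG));
    printf("SEG  buggy: second page at %#llx, %llu bytes\n",
           (unsigned long long)second_addr_buggy(&SEG), (unsigned long long)second_len_buggy(&SEG));
    printf("TAIL second page needed: fixed=%d buggy=%d\n",
           second_needed_fixed(&TAIL), second_needed_buggy(&TAIL));
    printf("flags across pages 1->2: merged=%#x overwritten=%#x\n",
           probe_flags(0x1ff0, 32, true), probe_flags(0x1ff0, 32, false));
    return 0;
}
```

For `SEG` the fixed arithmetic probes 48 bytes starting exactly at the page boundary (0x1000), while the reconstructed pre-fix arithmetic probes only 16 bytes starting at 0xff8, inside the first page. For `TAIL` the pre-fix check asks for a second page that the remaining two elements never touch. The final line shows why OR-ing matters: an access crossing from the unmapped page into the watchpointed one reports both conditions only when the flags are merged.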
Currently, the txwm interrupt pending status is only updated when the
asynchronous transmit handler runs. This can cause the txwm interrupt
state to become unsynchronized between the SiFive UART and the
interrupt controller.
For example, when a txwm interrupt is raised, the corresponding APLIC
pending bit is also set. However, if software later enqueues additional
characters into the TX FIFO exceeding the transmit watermark, the
APLIC pending bit may remain set because the txwm interrupt pending
status is not updated at enqueue time.
This issue has been observed on resource-constrained machines, where
Linux reports spurious IRQ errors. In these cases, the asynchronous
transmit handler is unable to drain the TX FIFO quickly enough to update
the txwm pending status before software reads the ip register, which
derives the txwm pending state directly from the actual number of
characters in the TX FIFO.
This commit fixes the issue by updating the txwm interrupt pending
status immediately after enqueuing data into the TX FIFO, ensuring that
the interrupt pending status between the SiFive UART and the interrupt
controller remains synchronized.
Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260312033201.1619554-3-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Implement txctrl.txen and rxctrl.rxen as follows:
* txctrl.txen:
The txen bit controls whether the Tx channel is active. When cleared,
transmission of Tx FIFO contents is suppressed, and the txd pin is
driven high.
* rxctrl.rxen:
The rxen bit controls whether the Rx channel is active. When cleared,
the state of the rxd pin is ignored, and no characters will be
enqueued into the Rx FIFO.
Therefore, the Tx FIFO should not be dequeued when txctrl.txen is
cleared, and the Rx FIFO should not be enqueued when rxctrl.rxen is
cleared.
Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260312033201.1619554-2-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
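The following is an added model of the two SiFive UART commits above (the txwm pending state going stale between enqueue and the asynchronous handler, and the txen/rxen gating); it is example code written for this page, not QEMU's hw/char/sifive_uart.c. The FIFO depth, the watermark rule (pending while the TX count is strictly below txcnt) and the scenario helpers are the example's assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIFO_DEPTH 8   /* constructed depth for the model */

struct uart {
    uint8_t tx[FIFO_DEPTH];
    unsigned tx_count;
    unsigned txcnt;        /* transmit watermark */
    uint8_t rx[FIFO_DEPTH];
    unsigned rx_count;
    bool txen, rxen;       /* txctrl.txen, rxctrl.rxen */
    bool txwm_irq_line;    /* level last presented to the interrupt controller */
    unsigned tx_out;       /* characters that left on the txd pin */
};

/* ip.txwm as software reads it: derived from the live TX FIFO count.
 * Assumption: pending while the count is strictly below txcnt. */
static bool ip_txwm(const struct uart *u) { return u->tx_count < u->txcnt; }

/* Push the current txwm state to the interrupt controller. */
static void update_txwm_irq(struct uart *u) { u->txwm_irq_line = ip_txwm(u); }

/* Software writes txdata. Before the fix only the async handler refreshed
 * the IRQ line; with update_on_enqueue the line is refreshed here too. */
static bool tx_enqueue(struct uart *u, uint8_t ch, bool update_on_enqueue)
{
    if (u->tx_count == FIFO_DEPTH) {
        return false;                       /* full; dropped in this model */
    }
    u->tx[u->tx_count++] = ch;
    if (update_on_enqueue) {
        update_txwm_irq(u);
    }
    return true;
}

/* Asynchronous transmit handler: sends one character if txen is set. */
static void tx_drain_one(struct uart *u)
{
    if (!u->txen || u->tx_count == 0) {
        return;                             /* txen clear: txd held high, FIFO untouched */
    }
    u->tx_count--;
    memmove(u->tx, u->tx + 1, u->tx_count);
    u->tx_out++;
    update_txwm_irq(u);
}

/* A character arrives on rxd; ignored entirely while rxen is clear. */
static bool rx_receive(struct uart *u, uint8_t ch)
{
    if (!u->rxen || u->rx_count == FIFO_DEPTH) {
        return false;
    }
    u->rx[u->rx_count++] = ch;
    return true;
}

/* The commit's scenario: txwm raised on an empty FIFO, then software
 * enqueues past the watermark before the handler runs. Returns true when
 * the controller's view disagrees with ip.txwm (a spurious IRQ). */
static bool spurious_txwm_irq(bool update_on_enqueue)
{
    struct uart u = { .txcnt = 1, .txen = true, .rxen = true };
    update_txwm_irq(&u);                    /* 0 < 1: pending, line asserted */
    tx_enqueue(&u, 'a', update_on_enqueue);
    tx_enqueue(&u, 'b', update_on_enqueue); /* 2 >= 1: no longer pending */
    return u.txwm_irq_line != ip_txwm(&u);
}

/* Characters that reach txd after three enqueues and three handler runs. */
static unsigned chars_sent(bool txen)
{
    struct uart u = { .txcnt = 1, .txen = txen, .rxen = true };
    for (int i = 0; i < 3; i++) tx_enqueue(&u, 'x', true);
    for (int i = 0; i < 3; i++) tx_drain_one(&u);
    return u.tx_out;
}

/* Whether an incoming character is enqueued for a given rxen. */
static bool rx_accepted(bool rxen)
{
    struct uart u = { .txcnt = 1, .txen = true, .rxen = rxen };
    return rx_receive(&u, 'r') && u.rx_count == 1;
}

int main(void)
{
    printf("spurious txwm IRQ: pre-fix=%d fixed=%d\n",
           spurious_txwm_irq(false), spurious_txwm_irq(true));
    printf("chars sent: txen=1 -> %u, txen=0 -> %u\n", chars_sent(true), chars_sent(false));
    printf("rx accepted: rxen=1 -> %d, rxen=0 -> %d\n", rx_accepted(true), rx_accepted(false));
    return 0;
}
```

Without the refresh at enqueue time the controller still sees the line asserted while ip.txwm already reads clear, which is the disagreement Linux reports as a spurious IRQ; refreshing on enqueue keeps the two views identical at every step.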
New SeaBIOS-hppa v23 release with various fixes for qemu-v11:
- Various fixes to support CPUs with 40 and 44 bits physical address
- Fix PAT_CPU call when asking for current CPU
- Add function to stop CPU in PDC_PROC
- Prevent execution of some functions when running as PAT firmware
- Tune cache parameters to speed up cache flushes in operating systems
- Revert resetting LSI SCSI with ODE on HP3000
Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Anton Johansson <anjo@rev.ng>
HP-UX 11 64-bit reads at bootup a word from address CPU_HPA + 0x500
while flushing the cache of a T600.
Add a memory handler to avoid crashing while reading this word.
Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Anton Johansson <anjo@rev.ng>
All 64-bit hppa machines have at least 4 Elroy PCI busses in the system.
Make sure to use proper names in the qemu device tree, e.g. "elroy0" or
"elroy2-pci-mmio", to be able to distinguish between the various chips.
Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
I checked on a physical A500, C3700 and C8000 machine and all load their
64-bit PDC (Firmware) at 0xfffffff0f0000000, independent of whether the CPU uses
40 or 44 physical address bits.
For qemu we will do the same and load the 64-bit SeaBIOS-hppa at the
same address for our emulated machines.
Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Adjust the addresses of the Astro and Elroy PCI chips to a
44-bit physical address space when running a PA8700 CPU.
Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Anton Johansson <anjo@rev.ng>
The HP A400-44 machine has a height of 2U and is a noisy server machine
which was usually running in the datacenter.
Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Thomas reported test failure:
$ export QTEST_QEMU_BINARY=./qemu-system-sparc
$ tests/qtest/device-introspect-test -m thorough
...
# Testing device 'sun-tcx'
RAMBlock "tcx.prom" already registered, abort!
Broken pipe
../../devel/qemu/tests/qtest/libqtest.c:210: kill_qemu() detected QEMU
death from signal 6 (Aborted) (core dumped)
Aborted (core dumped)
Issue is the qom introspect test will create yet another sun-tcx device
causing double register of the memory region.
Fix it by removing the init method and moving memory region creation
into realize.
Reported-by: Thomas Huth <thuth@redhat.com>
Link: https://lore.kernel.org/r/3b87e6d9-a027-4dcd-a995-857e16c8b2e6@redhat.com
Fixes: 653c4fa5b0 hw/display/{cg3.tcx}: Do not use memory_region_init_rom_nomigrate
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Link: https://lore.kernel.org/r/20260316130651.5C8735968DE@zero.eik.bme.hu
[peterx: amend commit message, fix tag, add link]
Signed-off-by: Peter Xu <peterx@redhat.com>
The riscv-iommu device makes various allocations in its
instance_init method. These will leak when QMP inits an
object of this type to introspect it, as can be seen if you
run 'make check' with the address sanitizer enabled:
Direct leak of 4096 byte(s) in 1 object(s) allocated from:
#0 0x5d8415b6ed9d in calloc (/home/pm215/qemu/build/san/qemu-system-riscv32+0x1832d9d) (BuildId: fedcc313e48ba803d63837329c37fd609dd50849)
#1 0x75c0502f1771 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x63771) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
#2 0x5d8416d09391 in riscv_iommu_instance_init /home/pm215/qemu/build/san/../../hw/riscv/riscv-iommu.c:2463:18
#3 0x5d841710483f in object_initialize_with_type /home/pm215/qemu/build/san/../../qom/object.c:570:5
#4 0x5d8417104ee9 in object_initialize /home/pm215/qemu/build/san/../../qom/object.c:578:5
#5 0x5d8417104ee9 in object_initialize_child_with_propsv /home/pm215/qemu/build/san/../../qom/object.c:608:5
#6 0x5d8417104db1 in object_initialize_child_with_props /home/pm215/qemu/build/san/../../qom/object.c:591:10
#7 0x5d8417106506 in object_initialize_child_internal /home/pm215/qemu/build/san/../../qom/object.c:645:5
#8 0x5d8416d16a12 in riscv_iommu_sys_init /home/pm215/qemu/build/san/../../hw/riscv/riscv-iommu-sys.c:199:5
#9 0x5d841710483f in object_initialize_with_type /home/pm215/qemu/build/san/../../qom/object.c:570:5
#10 0x5d841710661f in object_new_with_type /home/pm215/qemu/build/san/../../qom/object.c:774:5
#11 0x5d841755d956 in qmp_device_list_properties /home/pm215/qemu/build/san/../../qom/qom-qmp-cmds.c:206:11
(and other similar backtraces).
Fix these by freeing the resources we allocate in instance_init in
instance_finalize. In some cases we were freeing these in unrealize,
and in some cases not at all.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260307125222.3656140-1-peter.maydell@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Infinity is a special case distinct from numeric overflow:
- Numeric overflow: finite value exceeds format's max normal
-> overflow|inexact
- Infinity conversion: input is already infinite
-> no flags
This commit fixes the unexpected exception flags by relocating the float
exception flag update flow to be outside uncanon_e4m3_overflow, and
raising overflow|inexact for numeric overflow in uncanon_normal.
Fixes: 27e989f99c ("fpu: Add conversion routines for OCP FP8 E4M3")
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260226071817.1417875-3-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
In the uncanonical step, the input FloatParts will be repacked to the
target FloatFmt. This commit fixes the following issues after calling
uncanon_e4m3_overflow in the uncanon/uncanon_normal functions.
- Add the local exp update after calling uncanon_e4m3_overflow in the
parts_uncanon_normal function.
- Add the fraction shift after calling uncanon_e4m3_overflow in the
parts_uncanon function.
Fixes: 27e989f99c ("fpu: Add conversion routines for OCP FP8 E4M3")
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260226071817.1417875-2-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
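To make the overflow-versus-infinity distinction from the two FP8 commits above concrete, here is an added, self-contained float-to-E4M3 converter written for this page; it is not QEMU's fpu/softfloat code and does not follow its FloatParts flow. It works directly on the IEEE single bit pattern (so it needs no libm), rounds to nearest even, and reports only inexact and overflow. Two choices are the example's own assumptions: an infinite input maps to the NaN encoding (E4M3 has none for infinity) with no flags raised, and numeric overflow returns NaN rather than saturating.

```c
#include <math.h>      /* only for the INFINITY macro */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FP_INEXACT  0x1u
#define FP_OVERFLOW 0x2u

#define E4M3_NAN     0x7fu  /* S.1111.111: the only NaN encoding; no infinity exists */
#define E4M3_MAX_EXP 8      /* 2^8 * 1.75 = 448 is the largest finite value */
#define E4M3_MIN_EXP (-6)   /* smallest normal is 2^-6; subnormals go down to 2^-9 */

static uint8_t float_to_e4m3(float x, unsigned *flags)
{
    uint32_t bits;
    memcpy(&bits, &x, sizeof bits);
    uint8_t sign = (bits >> 31) ? 0x80 : 0;
    int fexp = (bits >> 23) & 0xff;
    uint32_t sig = bits & 0x7fffff;
    *flags = 0;

    if (fexp == 0xff) {
        /* NaN stays NaN. Infinity is already infinite, not a finite value
         * exceeding 448, so it raises no flags (assumption: maps to NaN). */
        return sign | E4M3_NAN;
    }
    int exp;                                 /* unbiased exponent of sig's bit 23 */
    if (fexp == 0) {
        if (sig == 0) {
            return sign;                     /* signed zero */
        }
        exp = -126;                          /* float subnormal: no hidden bit */
    } else {
        sig |= 1u << 23;
        exp = fexp - 127;
    }
    /* One E4M3 ulp at this exponent is 2^(max(exp,-6) - 3); the quotient
     * value / ulp is just sig shifted right by 'shift' bits. */
    int qexp = (exp < E4M3_MIN_EXP ? E4M3_MIN_EXP : exp) - 3;
    int shift = 23 + qexp - exp;             /* always >= 20 */
    if (shift >= 32) {                       /* far below the smallest subnormal */
        *flags |= FP_INEXACT;
        return sign;
    }
    uint32_t n = sig >> shift;
    uint32_t rem = sig & ((1u << shift) - 1);
    uint32_t half = 1u << (shift - 1);
    if (rem) {
        *flags |= FP_INEXACT;
    }
    if (rem > half || (rem == half && (n & 1))) {
        n++;                                 /* round to nearest, ties to even */
    }
    if (n == 16) {                           /* rounding carried into the next binade */
        exp++;
        n = 8;
    }
    if (exp < E4M3_MIN_EXP && n == 8) {
        exp = E4M3_MIN_EXP;                  /* subnormal rounded up to smallest normal */
    }
    if (exp > E4M3_MAX_EXP || (exp == E4M3_MAX_EXP && n == 15)) {
        *flags |= FP_OVERFLOW | FP_INEXACT;  /* numeric overflow: finite input past 448 */
        return sign | E4M3_NAN;              /* assumption: non-saturating result */
    }
    if (n < 8) {
        return sign | (uint8_t)n;            /* E4M3 subnormal: biased exponent 0 */
    }
    return sign | (uint8_t)(((exp + 7) << 3) | (n - 8));
}

/* Convenience wrappers exposing the two results separately. */
static uint8_t e4m3_bits(float x)   { unsigned f; return float_to_e4m3(x, &f); }
static unsigned e4m3_flags(float x) { unsigned f; float_to_e4m3(x, &f); return f; }

int main(void)
{
    const float in[] = { 1.0f, 448.0f, 464.0f, 480.0f, 1000.0f, INFINITY, 0.001953125f };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++) {
        printf("%12g -> 0x%02x flags=%#x\n", in[i], e4m3_bits(in[i]), e4m3_flags(in[i]));
    }
    return 0;
}
```

448 encodes exactly as 0x7e with no flags; 464 is a tie that rounds down to 448 and is merely inexact; 480 and 1000 are finite values that no longer fit, so they raise overflow|inexact; INFINITY comes back as the NaN encoding with the flags untouched, which is exactly the case the fix separates from numeric overflow.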
Without the option, cargo will try using the latest version of the
dependencies of bindgen-cli. While it will obviously respect the
constraints in Cargo.toml, old versions of Cargo do not have
version-constrained resolution and will choke on dependencies
that need Rust 2024.
Cc: Daniel P. Berrangé <berrange@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Move stubs to the global stub_ss[] source set. These files
are now built once for all binaries, instead of one time
per system binary.
Add pixman to qemuutil library dependencies since pixman is
transitively included, which is needed to be able to include
prototypes for stubs we declared:
In file included from include/ui/console.h:4,
include/ui/qemu-pixman.h:10:10: fatal error: pixman.h: No such file or directory
10 | #include <pixman.h>
| ^~~~~~~~~~
On OpenBSD, opengl headers are not available in default
include path, and thus we need to add opengl to list of
qemuutil dependencies, otherwise we get:
In file included from ../hw/display/acpi-vga-stub.c:4:
In file included from ../hw/display/vga_int.h:28:
In file included from include/ui/console.h:9:
include/ui/surface.h:11:11: fatal error: 'epoxy/gl.h' file not found
# include <epoxy/gl.h>
^~~~~~~~~~~~
1 error generated.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260225035739.42848-8-philmd@linaro.org>
Co-developed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-Id: <20260315070834.198331-4-pierrick.bouvier@linaro.org>