From 6a0e8bb4956c34328f4624e20bd3a6c2b1d90adc Mon Sep 17 00:00:00 2001 
From: Laurent Vivier Date: Sun, 31 May 2020 13:02:31 +0200 Subject: [PATCH 1/2] target/m68k: implement fmove.l #,FPCR The immediate value mode was ignored and instruction execution ends to an invalid access mode. This was found running 'R' that set FPSR to 0 at startup with a 'fmove.l #0,FPSR' in qemu-system-m68k emulation and triggers a kernel crash: [ 56.640000] *** ADDRESS ERROR *** FORMAT=2 [ 56.640000] Current process id is 728 [ 56.640000] BAD KERNEL TRAP: 00000000 [ 56.640000] Modules linked in: sg evdev mac_hid ip_tables x_tables sha1_generic hmac ipv6 nf_defrag_ipv6 autofs4 ext4 crc16 mbcache jbd2 crc32c_generic sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_common sr_mod cdrom mac_esp macsonic esp_scsi [ 56.640000] PC: [<00016a2c>] X_UNSUPP+0x2c/0x3c [ 56.640000] SR: 2004 SP: 3eb5e68c a2: c02e239a [ 56.640000] d0: 00000040 d1: 00000002 d2: 8002adec d3: 8002ad50 [ 56.640000] d4: 8002c768 d5: 0000000d a0: ffffffc2 a1: ffffffc1 [ 56.640000] Process R (pid: 728, task=a3dfda5d) [ 56.640000] Frame format=2 instr addr=00000000 [ 56.650000] Stack from 3a4d9f30: [ 56.650000] 41000000 00000002 00000002 ffffffc2 ffffffc1 1fff0000 80000000 00000000 [ 56.650000] 3fbf0000 80000000 00000000 00000000 20000000 00000000 7fff0000 ffffffff [ 56.650000] ffffffff 00000000 00050008 00000000 8000067c c02c2000 efffee20 000002d8 [ 56.650000] 00002a28 3a4d9f98 00000002 00000014 fffffffe 8002c768 00000002 00000041 [ 56.650000] 00000002 c041fc58 c0743758 ffffffff 00000000 0008c075 00002b24 00000012 [ 56.650000] 000007d0 00000024 00000002 c05bef04 c05bef04 0000005e 00000077 c28aca70 [ 56.650000] Call Trace: [<00050008>] copy_overflow+0x10/0x28 [ 56.650000] [<00002a28>] buserr+0x20/0x28 [ 56.650000] [<0008c075>] bpf_check+0x57f/0x1cfa [ 56.650000] [<00002b24>] syscall+0x8/0xc [ 56.650000] [<0000c019>] dn_sched_init+0x75/0x88 [ 56.650000] Code: 1017 0200 00f0 0c00 0040 66ff 0000 05ac 8800 0000 0000 f23c 9000 0000 0000 222e ff84 082e 0005 ff1c 6600 000a 0281 [ 56.650000] Disabling 
lock debugging due to kernel taint ... Reported-by: John Paul Adrian Glaubitz Signed-off-by: Laurent Vivier Tested-by: John Paul Adrian Glaubitz Reviewed-by: Richard Henderson Message-Id: <20200531110231.620711-1-laurent@vivier.eu> Signed-off-by: Laurent Vivier
---
 target/m68k/translate.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/target/m68k/translate.c b/target/m68k/translate.c
index 0f80888203..c093f6c683 100644
--- a/target/m68k/translate.c
+++ b/target/m68k/translate.c
@@ -4936,6 +4936,20 @@ static void gen_op_fmove_fcr(CPUM68KState *env, DisasContext *s,
 gen_store_fcr(s, AREG(insn, 0), mask);
 }
 return;
+ case 7: /* Immediate */
+ if (REG(insn, 0) == 4) {
+ if (is_write ||
+ (mask != M68K_FPIAR && mask != M68K_FPSR &&
+ mask != M68K_FPCR)) {
+ gen_exception(s, s->base.pc_next, EXCP_ILLEGAL);
+ return;
+ }
+ tmp = tcg_const_i32(read_im32(env, s));
+ gen_store_fcr(s, tmp, mask);
+ tcg_temp_free(tmp);
+ return;
+ }
+ break;
 default:
 break;
 }
From 250b1da35d579f42319af234f36207902ca4baa4 Mon Sep 17 00:00:00 2001
From: Laurent Vivier Date: Sun, 31 May 2020 15:19:51 +0200 Subject: [PATCH 2/2] target/m68k: implement opcode fetoxm1 Example provided in the launchpad bug fails with: qemu: uncaught target signal 4 (Illegal instruction) - core dumped Illegal instruction (core dumped) It appears fetoxm1 is not implemented: IN: expm1f 0x800005cc: fetoxm1x %fp2,%fp0 Disassembler disagrees with translator over instruction decoding Please report this to qemu-devel@nongnu.org (gdb) x/2hx 0x800005cc 0x800005cc: 0xf200 0x0808 This patch adds the instruction. Bug: https://bugs.launchpad.net/qemu/+bug/1881450 Signed-off-by: Laurent Vivier Reviewed-by: Richard Henderson Message-Id: <20200531131951.631902-1-laurent@vivier.eu> Signed-off-by: Laurent Vivier
---
 target/m68k/fpu_helper.c | 5 +++++
 target/m68k/helper.h | 1 +
 target/m68k/translate.c | 3 +++
 3 files changed, 9 insertions(+)
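Review bot: The inner `if` of the new `case 7` arm rejects every mask that is not exactly one of FPIAR, FPSR or FPCR, but nothing records why immediate mode is limited to a single control register while the other modes are not; a comment such as `/* #<data> may only be moved into a single control register */` on that `if` would document the rule the check implements. The same three-way test appears to be what the other addressing-mode arms use (the An arm is partly visible above the insertion), so it could be lifted into a small `static bool` helper that keeps the three constants in one place. When `REG(insn, 0) != 4` the arm only breaks, so the PC-relative and absolute sub-modes of mode 7 presumably still reach the general effective-address code after the switch. gen_op_fmove_fcr starts before the hunk, so `tmp`, `mask` and `is_write` are taken to be its function-scope locals.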
diff --git a/target/m68k/fpu_helper.c b/target/m68k/fpu_helper.c
index 36e6c704d1..9acf60dfd4 100644
--- a/target/m68k/fpu_helper.c
+++ b/target/m68k/fpu_helper.c
@@ -641,6 +641,11 @@ void HELPER(fatanh)(CPUM68KState *env, FPReg *res, FPReg *val)
 res->d = floatx80_atanh(val->d, &env->fp_status);
 }
 
+void HELPER(fetoxm1)(CPUM68KState *env, FPReg *res, FPReg *val)
+{
+ res->d = floatx80_etoxm1(val->d, &env->fp_status);
+}
+
 void HELPER(ftanh)(CPUM68KState *env, FPReg *res, FPReg *val)
 {
 res->d = floatx80_tanh(val->d, &env->fp_status);
diff --git a/target/m68k/helper.h b/target/m68k/helper.h
index feee7be626..77808497a9 100644
--- a/target/m68k/helper.h
+++ b/target/m68k/helper.h
@@ -83,6 +83,7 @@ DEF_HELPER_3(fatan, void, env, fp, fp)
 DEF_HELPER_3(fasin, void, env, fp, fp)
 DEF_HELPER_3(facos, void, env, fp, fp)
 DEF_HELPER_3(fatanh, void, env, fp, fp)
+DEF_HELPER_3(fetoxm1, void, env, fp, fp)
 DEF_HELPER_3(ftanh, void, env, fp, fp)
 DEF_HELPER_3(fsinh, void, env, fp, fp)
 DEF_HELPER_3(fcosh, void, env, fp, fp)
diff --git a/target/m68k/translate.c b/target/m68k/translate.c
index c093f6c683..3fc67aa452 100644
--- a/target/m68k/translate.c
+++ b/target/m68k/translate.c
@@ -5160,6 +5160,9 @@ DISAS_INSN(fpu)
 case 0x06: /* flognp1 */
 gen_helper_flognp1(cpu_env, cpu_dest, cpu_src);
 break;
+ case 0x08: /* fetoxm1 */
+ gen_helper_fetoxm1(cpu_env, cpu_dest, cpu_src);
+ break;
 case 0x09: /* ftanh */
 gen_helper_ftanh(cpu_env, cpu_dest, cpu_src);
 break;
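Review bot: The `case 0x08` arm in translate.c names only the mnemonic, and the encoding it implements is recorded nowhere closer than the commit message; the instruction word quoted there (`0xf200 0x0808`) does bear it out, since the low seven bits of the extension word are 0x08, bits 10-12 are 2 for source %fp2 and bits 7-9 are 0 for destination %fp0, matching the disassembled `fetoxm1x %fp2,%fp0`. A comment on the switch itself, e.g. `/* opmode: bits 0-6 of the FPU extension word */`, would let the next missing opmode be checked against the same reference instead of being rediscovered from a crash. The arm otherwise mirrors its `flognp1` and `ftanh` neighbours, and the new helper in fpu_helper.c follows the adjacent `fatanh`/`ftanh` helpers line for line. The enclosing DISAS_INSN(fpu) switch starts and ends outside the hunk.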