qemu/target-sh4
Markus Armbruster 4c315c2766 qdev: Protect device-list-properties against broken devices
Several devices don't survive object_unref(object_new(T)): they crash
or hang during cleanup, or they leave dangling pointers behind.

This breaks at least device-list-properties, because
qmp_device_list_properties() needs to create a device to find its
properties.  Broken in commit f4eb32b "qmp: show QOM properties in
device-list-properties", v2.1.  Example reproducer:

    $ qemu-system-aarch64 -nodefaults -display none -machine none -S -qmp stdio
    {"QMP": {"version": {"qemu": {"micro": 50, "minor": 4, "major": 2}, "package": ""}, "capabilities": []}}
    { "execute": "qmp_capabilities" }
    {"return": {}}
    { "execute": "device-list-properties", "arguments": { "typename": "pxa2xx-pcmcia" } }
    qemu-system-aarch64: /home/armbru/work/qemu/memory.c:1307: memory_region_finalize: Assertion `((&mr->subregions)->tqh_first == ((void *)0))' failed.
    Aborted (core dumped)
    [Exit 134 (SIGABRT)]

Unfortunately, I can't fix the problems in these devices right now.
Instead, add DeviceClass member cannot_destroy_with_object_finalize_yet
to mark them:

* Hang during cleanup (didn't debug, so I can't say why):
  "realview_pci", "versatile_pci".

* Dangling pointer in cpus: most CPUs, plus "allwinner-a10", "digic",
  "fsl,imx25", "fsl,imx31", "xlnx,zynqmp", because they create such
  CPUs

* Assert kvm_enabled(): "host-x86_64-cpu", host-i386-cpu",
  "host-powerpc64-cpu", "host-embedded-powerpc-cpu",
  "host-powerpc-cpu" (the powerpc ones can't currently reach the
  assertion, because the CPUs are only registered when KVM is enabled,
  but the assertion is arguably in the wrong place all the same)

Make qmp_device_list_properties() fail cleanly when the device is so
marked.  This improves device-list-properties from "crashes, hangs or
leaves dangling pointers behind" to "fails".  Not a complete fix, just
a better-than-nothing work-around.  In the above reproducer,
device-list-properties now fails with "Can't list properties of device
'pxa2xx-pcmcia'".

This also protects -device FOO,help, which uses the same machinery
since commit ef52358 "qdev-monitor: include QOM properties in -device
FOO, help output", v2.2.  Example reproducer:

    $ qemu-system-aarch64 -machine none -device pxa2xx-pcmcia,help

Before:

    qemu-system-aarch64: .../memory.c:1307: memory_region_finalize: Assertion `((&mr->subregions)->tqh_first == ((void *)0))' failed.

After:

    Can't list properties of device 'pxa2xx-pcmcia'

Cc: "Andreas Färber" <afaerber@suse.de>
Cc: "Edgar E. Iglesias" <edgar.iglesias@gmail.com>
Cc: Alexander Graf <agraf@suse.de>
Cc: Anthony Green <green@moxielogic.com>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Cc: Blue Swirl <blauwirbel@gmail.com>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Cc: Guan Xuetao <gxt@mprc.pku.edu.cn>
Cc: Jia Liu <proljc@gmail.com>
Cc: Leon Alrae <leon.alrae@imgtec.com>
Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Cc: Max Filippov <jcmvbkbc@gmail.com>
Cc: Michael Walle <michael@walle.cc>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Richard Henderson <rth@twiddle.net>
Cc: qemu-ppc@nongnu.org
Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <1443689999-12182-10-git-send-email-armbru@redhat.com>
2015-10-09 15:25:57 +02:00
..
Makefile.objs monitor: remove target-specific code from monitor.c 2015-09-16 17:33:32 +02:00
README.sh4 Replace assert(0) with abort() or cpu_abort() 2010-03-18 18:41:57 +00:00
cpu-qom.h target-sh4: Use cpu_exec_interrupt qom hook 2014-09-25 18:54:22 +01:00
cpu.c qdev: Protect device-list-properties against broken devices 2015-10-09 15:25:57 +02:00
cpu.h target-*: Drop cpu_gen_code define 2015-10-07 20:36:50 +11:00
gdbstub.c target-sh4: Split out T from SR 2015-06-12 12:02:48 +02:00
helper.c typofixes - v4 2015-09-11 10:45:43 +03:00
helper.h target-sh4: add flags markups for FP helpers 2015-09-13 23:08:51 +02:00
monitor.c monitor: remove target-specific code from monitor.c 2015-09-16 17:33:32 +02:00
op_helper.c maint: remove unused include for assert.h 2015-09-11 10:21:38 +03:00
translate.c tcg: Remove gen_intermediate_code_pc 2015-10-07 20:36:52 +11:00

README.sh4

qemu target:   sh4
author:        Samuel Tardieu <sam@rfc1149.net>
last modified: Tue Dec  6 07:22:44 CET 2005

The sh4 target is not ready at all yet for integration in qemu. This
file describes the current state of implementation.

Most places requiring attention and/or modification can be detected by
looking for "XXXXX" or "abort()".

The sh4 core is located in target-sh4/*, while the 7750 peripheral
features (IO ports for example) are located in hw/sh7750.[ch]. The
main board description is in hw/shix.c, and the NAND flash in
hw/tc58128.[ch].

All the shortcomings indicated here will eventually be resolved. This
is a work in progress. Features are added in a semi-random order: if a
point is blocking to progress on booting the Linux kernel for the shix
board, it is addressed first; if feedback is necessary and no progress
can be made on blocking points until it is received, a random feature
is worked on.

Goals
-----

The primary model being worked on is the soft MMU target to be able to
emulate the Shix 2.0 board by Alexis Polti, described at
http://perso.enst.fr/~polti/realisations/shix20/

Ultimately, qemu will be coupled with a system C or a verilog
simulator to simulate the whole board functionalities.

A sh4 user-mode has also somewhat started but will be worked on
afterwards. The goal is to automate tests for GNAT (GNU Ada) compiler
that I ported recently to the sh4-linux target.

Registers
---------

16 general purpose registers are available at any time. The first 8
registers are banked and the non-directly visible ones can be accessed
by privileged instructions. In qemu, we define 24 general purpose
registers and the code generation use either [0-7]+[8-15] or
[16-23]+[8-15] depending on the MD and RB flags in the sr
configuration register.

Instructions
------------

Most sh4 instructions have been implemented. The missing ones at this
time are:
  - FPU related instructions
  - LDTLB to load a new MMU entry
  - SLEEP to put the processor in sleep mode

Most instructions could be optimized a lot. This will be worked on
after the current model is fully functional unless debugging
convenience requires that it is done early.

Many instructions did not have a chance to be tested yet. The plan is
to implement unit and regression testing of those in the future.

MMU
---

The MMU is implemented in the sh4 core. MMU management has not been
tested at all yet. In the sh7750, it can be manipulated through memory
mapped registers and this part has not yet been implemented.

Exceptions
----------

Exceptions are implemented as described in the sh4 reference manual
but have not been tested yet. They do not use qemu EXCP_ features
yet.

IRQ
---

IRQ are not implemented yet.

Peripheral features
-------------------

  + Serial ports

Configuration and use of the first serial port (SCI) without
interrupts is supported. Input has not yet been tested.

Configuration of the second serial port (SCIF) is supported. FIFO
handling infrastructure has been started but is not completed yet.

  + GPIO ports

GPIO ports have been implemented. A registration function allows
external modules to register interest in some port changes (see
hw/tc58128.[ch] for an example) and will be called back. Interrupt
generation is not yet supported but some infrastructure is in place
for this purpose. Note that in the current model a peripheral module
cannot directly simulate a H->L->H input port transition and have an
interrupt generated on the low level.

  + TC58128 NAND flash

TC58128 NAND flash is partially implemented through GPIO ports. It
supports reading from flash.

GDB
---

GDB remote target support has been implemented and lightly tested.

Files
-----

File names are hardcoded at this time. The bootloader must be stored in
shix_bios.bin in the current directory. The initial Linux image must
be stored in shix_linux_nand.bin in the current directory in NAND
format. Test files can be obtained from
http://perso.enst.fr/~polti/robot/ as well as the various datasheets I
use.

qemu disk parameter on the command line is unused. You can supply any
existing image and it will be ignored. As the goal is to simulate an
embedded target, it is not clear how this parameter will be handled in
the future.

To build an ELF kernel image from the NAND image, 16 bytes have to be
stripped off the end of every 528 bytes, keeping only 512 of them. The
following Python code snippet does it:

#! /usr/bin/python

def denand (infd, outfd):
    while True:
        d = infd.read (528)
        if not d: return
        outfd.write (d[:512])

if __name__ == '__main__':
    import sys
    denand (open (sys.argv[1], 'rb'),
            open (sys.argv[2], 'wb'))

Style isssues
-------------

There is currently a mix between my style (space before opening
parenthesis) and qemu style. This will be resolved before final
integration is proposed.