
Re: [Qemu-devel] MIPS little endian - Bug when decoding physaddr


From: Vinicius Maciel
Subject: Re: [Qemu-devel] MIPS little endian - Bug when decoding physaddr
Date: Fri, 23 Jun 2017 15:14:53 -0300

Hi everyone,

I'm having a problem similar to the one reported in this email, but now I'm
trying to emulate a MIPS 24KEc, a Ralink RT5350F.

Assembly Code:
0x802006a0 <reset+672>: lui t5,0xb011
0x802006a4 <reset+676>: ori t5,t5,0x168
0x802006a8 <reset+680>: li t6,23
0x802006ac <reset+684>: nop
0x802006b0 <reset+688>: sw t6,0(t5) <---

The instruction "sw t6,0(t5)" tries to write to address 0xb0110168 (0x10110168),
but Qemu decodes this address to 2952790112 (0xb0000060). Is this address right?

Qemu Debug:
#0  io_readx (env=0x5555566e4a78, iotlbentry=0x5555566ec348,
addr=2952790112,
    retaddr=140737129226144, size=4)
    at /home/vini/projs/emuladores/qemu-routers/cputlb.c:786
#1  0x00005555557c9a02 in io_readl (env=0x5555566e4a78, mmu_idx=0, index=0,
    addr=2952790112, retaddr=140737129226144)
    at /home/vini/projs/emuladores/qemu-routers/softmmu_template.h:104
#2  0x00005555557c9b89 in helper_le_ldul_mmu (env=0x5555566e4a78,
addr=2952790112, <----
    oi=32, retaddr=140737129226144)
    at /home/vini/projs/emuladores/qemu-routers/softmmu_template.h:141
#3  0x00007fffea982108 in code_gen_buffer ()

Thanks.


2017-05-13 19:10 GMT-03:00 Vinicius Maciel <address@hidden>:

> Hi Philippe and Aurelien,
>
> You are right. I have created a simple SYSBUS using sysbus_create_simple
> at 0x18000000 and now my read function works!
>
> Thanks for the help. I am attaching my code if you are interested.
>
> Vinicius
>
> 2017-05-13 18:57 GMT-03:00 Philippe Mathieu-Daudé <address@hidden>:
>
>> Hi Vinicius,
>>
>> On 2017-05-12 19:52, Vinicius Maciel wrote:
>>>
>>>> Hi all,
>>>>
>>>> I'm trying to emulate a MIPS 74Kc using a custom machine in order to
>>>> run a
>>>> CFE bootloader from broadcom. The CPU is Broadcom BCM5357. The problem
>>>>
>>>
>> Here is your problem, there is no such model in QEMU.
>>
>>>> happens when Qemu calculates physaddr inside io_readx(), cputlb.c:line 784
>>>>
>>>> physaddr = (physaddr & TARGET_PAGE_MASK) + addr;
>>>>
>>>> After running this line the value is 0x18000000, which is clearly wrong.
>>>>
>>>
>> The Broadcom BCM5357 is a WiSoc (Wireless System-On-Chip).
>>
>> A SoC (System-On-Chip) is not limited to a MIPS CPU but has a large set
>> of embedded peripherals.
>>
>> QEMU does model the MIPS 74Kf CPU, but not the BCM5357 peripherals.
>>
>> At this physical address this SoC family maps a bus called
>> SiliconBackplane (BP).
>> The first peripheral mapped in the BP region is the ChipCommon (CC).
>> Common meaning this core's registers are intended to be consistent between
>> different models/releases using this BP bus, so a firmware can check it is
>> running on the correct hardware or check if peripherals/features are
>> available/enabled to configure/use them.
>>
>> My guess is your CFE function board_earlyinit() is trying to determine
>> the chip model by reading the ChipID from the CC it supposes is physically
>> mapped at 0x18000000, which is not modeled in QEMU.
>>
>> Phil.
>>
>>
>>
>>> I don't think it's wrong, see below:
>>>
>>> More information:
>>>>
>>>> BUG function: io_readx
>>>> Assembly instruction: lw t1,0(a2)
>>>> Machine code: 0x8cc90000 (Little endian)
>>>> Access address: 0xb8000000
>>>>
>>>> Assembly code:
>>>> 80702f30 <board_earlyinit>:
>>>> 80702f30: 3c06b800 lui a2,0xb800
>>>>
>>>
>>> This loads 0xb8000000 into a2
>>>
>>>> 80702f34: 24075350 li a3,21328
>>>> 80702f38: 8cc90000 lw t1,0(a2) <----
>>>>
>>>
>>> Now this tries to load a value from the virtual address 0xb8000000. This
>>> address corresponds to kseg1 (Kernel Unmapped Uncached) and is mapped
>>> to the physical address 0x18000000. See the MIPS32 Privileged Resource
>>> Architecture Manual for more details on how the virtual to physical mapping
>>> works.
>>>
>>> Aurelien
>>>
>>>
>
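
As an added example (not code from the thread or from QEMU), a small C model of the MIPS32 fixed-mapping segments Aurelien describes, applied to the addresses from both messages. The qemu_iotlb_physaddr() function is an assumed, simplified model of how the softmmu composes the address at the cputlb.c line quoted above (the IOTLB entry holding "physical page minus virtual page"), not QEMU's actual code.

```c
#include <stdint.h>
#include <stdio.h>

/* MIPS32 kernel-mode virtual address segments. */
typedef enum { SEG_USEG, SEG_KSEG0, SEG_KSEG1, SEG_KSEG2, SEG_KSEG3 } mips_seg_t;

static mips_seg_t mips_segment(uint32_t va)
{
    if (va < 0x80000000u) return SEG_USEG;   /* 2 GiB, TLB-mapped */
    if (va < 0xA0000000u) return SEG_KSEG0;  /* 512 MiB, unmapped, cached */
    if (va < 0xC0000000u) return SEG_KSEG1;  /* 512 MiB, unmapped, uncached */
    if (va < 0xE0000000u) return SEG_KSEG2;  /* TLB-mapped */
    return SEG_KSEG3;                        /* TLB-mapped */
}

/* kseg0 and kseg1 both alias the lowest 512 MiB of physical memory with a
 * fixed translation: clear the top three address bits.  Returns the physical
 * address, or -1 for segments whose mapping lives in the TLB. */
static int64_t mips_unmapped_to_phys(uint32_t va)
{
    mips_seg_t seg = mips_segment(va);
    if (seg != SEG_KSEG0 && seg != SEG_KSEG1)
        return -1;
    return (int64_t)(va & 0x1FFFFFFFu);
}

/* Assumed simplified model of the softmmu IOTLB path (not QEMU's code):
 * tlb_set_page stores (physical page - virtual page) in a 64-bit hwaddr, and
 * io_readx recovers physical page + page offset with
 *   physaddr = (physaddr & TARGET_PAGE_MASK) + addr;
 * Unsigned 64-bit wrap-around makes the subtraction and addition cancel. */
#define TARGET_PAGE_MASK (~(uint64_t)0xFFF)   /* 4 KiB pages assumed */

static uint64_t qemu_iotlb_physaddr(uint64_t phys_page, uint32_t vaddr)
{
    uint64_t iotlb = phys_page - (uint64_t)(vaddr & 0xFFFFF000u);
    return (iotlb & TARGET_PAGE_MASK) + vaddr;
}

int main(void)
{
    /* Addresses taken from the thread: lw in board_earlyinit, the sw from the
     * second message, and the decimal addr=2952790112 from the backtrace. */
    uint32_t addrs[] = { 0xb8000000u, 0xb0110168u, 0xb0000060u };
    for (size_t i = 0; i < sizeof addrs / sizeof addrs[0]; i++) {
        int64_t pa = mips_unmapped_to_phys(addrs[i]);
        uint64_t io = qemu_iotlb_physaddr((uint64_t)pa & 0xFFFFF000u, addrs[i]);
        printf("va 0x%08x -> pa 0x%08llx -> io_readx physaddr 0x%08llx\n",
               addrs[i], (unsigned long long)pa, (unsigned long long)io);
    }
    return 0;
}
```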

