hw/intc: Fix incorrect calculation of core in liointc_read() and liointc_write()

According to the loongson spec
(http://www.loongson.cn/uploadfile/cpu/3B1500/Loongson_3B1500_cpu_user_1.pdf)
and the macro definition(#define R_PERCORE_ISR(x) (0x40 + 0x8 * x)), we know
that the ISR size of per CORE is 8, so here we need to divide
(addr - R_PERCORE_ISR(0)) by 8, not 4.

Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Alex Chen <alex.chen@huawei.com>
---
 hw/intc/loongson_liointc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

在 2020/11/3 17:32, AlexChen 写道:
> According to the loongson spec
> (http://www.loongson.cn/uploadfile/cpu/3B1500/Loongson_3B1500_cpu_user_1.pdf)
> and the macro definition(#define R_PERCORE_ISR(x) (0x40 + 0x8 * x)), we know
> that the ISR size of per CORE is 8, so here we need to divide
> (addr - R_PERCORE_ISR(0)) by 8, not 4.
Hi Alex

Thanks!

That was my fault.. Per Core ISA is rarely used by kernel..

Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
> Reported-by: Euler Robot <euler.robot@huawei.com>
Btw:
How can you discover this by robot?
Huawei owns real artifical intelligence technology lol :-）


- Jiaxun
> Signed-off-by: Alex Chen <alex.chen@huawei.com>
> ---
>   hw/intc/loongson_liointc.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/hw/intc/loongson_liointc.c b/hw/intc/loongson_liointc.c
> index 30fb375b72..fbbfb57ee9 100644
> --- a/hw/intc/loongson_liointc.c
> +++ b/hw/intc/loongson_liointc.c
> @@ -130,7 +130,7 @@ liointc_read(void *opaque, hwaddr addr, unsigned int size)
>
>       if (addr >= R_PERCORE_ISR(0) &&
>           addr < R_PERCORE_ISR(NUM_CORES)) {
> -        int core = (addr - R_PERCORE_ISR(0)) / 4;
> +        int core = (addr - R_PERCORE_ISR(0)) / 8;
>           r = p->per_core_isr[core];
>           goto out;
>       }
> @@ -173,7 +173,7 @@ liointc_write(void *opaque, hwaddr addr,
>
>       if (addr >= R_PERCORE_ISR(0) &&
>           addr < R_PERCORE_ISR(NUM_CORES)) {
> -        int core = (addr - R_PERCORE_ISR(0)) / 4;
> +        int core = (addr - R_PERCORE_ISR(0)) / 8;
>           p->per_core_isr[core] = value;
>           goto out;
>       }

On 11/3/20 10:32 AM, AlexChen wrote:
> According to the loongson spec
> (http://www.loongson.cn/uploadfile/cpu/3B1500/Loongson_3B1500_cpu_user_1.pdf)
> and the macro definition(#define R_PERCORE_ISR(x) (0x40 + 0x8 * x)), we know
> that the ISR size of per CORE is 8, so here we need to divide
> (addr - R_PERCORE_ISR(0)) by 8, not 4.
> 
> Reported-by: Euler Robot <euler.robot@huawei.com>
> Signed-off-by: Alex Chen <alex.chen@huawei.com>
> ---
>  hw/intc/loongson_liointc.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

For a model added in 2020, its code style is a bit
disappointing (leading to that kind of hidden bugs).
I'm even surprised it passed the review process.

Thanks for the fix.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

On 11/3/20 10:32 AM, AlexChen wrote:
> According to the loongson spec
> (http://www.loongson.cn/uploadfile/cpu/3B1500/Loongson_3B1500_cpu_user_1.pdf)
> and the macro definition(#define R_PERCORE_ISR(x) (0x40 + 0x8 * x)), we know
> that the ISR size of per CORE is 8, so here we need to divide
> (addr - R_PERCORE_ISR(0)) by 8, not 4.
> 
> Reported-by: Euler Robot <euler.robot@huawei.com>
> Signed-off-by: Alex Chen <alex.chen@huawei.com>
> ---
>  hw/intc/loongson_liointc.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Thanks, applied to mips-next.

On 2020/11/3 17:53, Jiaxun Yang wrote:
> 
> 
> 在 2020/11/3 17:32, AlexChen 写道:
>> According to the loongson spec
>> (http://www.loongson.cn/uploadfile/cpu/3B1500/Loongson_3B1500_cpu_user_1.pdf)
>> and the macro definition(#define R_PERCORE_ISR(x) (0x40 + 0x8 * x)), we know
>> that the ISR size of per CORE is 8, so here we need to divide
>> (addr - R_PERCORE_ISR(0)) by 8, not 4.
> Hi Alex
> 
> Thanks!
> 
> That was my fault.. Per Core ISA is rarely used by kernel..
> 
> Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
>> Reported-by: Euler Robot <euler.robot@huawei.com>
> Btw:
> How can you discover this by robot?
> Huawei owns real artifical intelligence technology lol :-）
> 
> 

Thanks for your review.
EulerRobot is a virtualization software quality automation project that
integrates some tools and test suites such as gcc/clang make test, qemu ut,
qtest, coccinelle scripts and avocado-vt.
The code checking tool found there was a potential array out of bounds at
'r = p->per_core_isr[core]', since 'core' may be 7 which is bigger than
'per_core_isr' array size 3.
So we found this bug.

Thanks,
Alex

> - Jiaxun
>> Signed-off-by: Alex Chen <alex.chen@huawei.com>
>> ---
>>   hw/intc/loongson_liointc.c | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/hw/intc/loongson_liointc.c b/hw/intc/loongson_liointc.c
>> index 30fb375b72..fbbfb57ee9 100644
>> --- a/hw/intc/loongson_liointc.c
>> +++ b/hw/intc/loongson_liointc.c
>> @@ -130,7 +130,7 @@ liointc_read(void *opaque, hwaddr addr, unsigned int size)
>>
>>       if (addr >= R_PERCORE_ISR(0) &&
>>           addr < R_PERCORE_ISR(NUM_CORES)) {
>> -        int core = (addr - R_PERCORE_ISR(0)) / 4;
>> +        int core = (addr - R_PERCORE_ISR(0)) / 8;
>>           r = p->per_core_isr[core];
>>           goto out;
>>       }
>> @@ -173,7 +173,7 @@ liointc_write(void *opaque, hwaddr addr,
>>
>>       if (addr >= R_PERCORE_ISR(0) &&
>>           addr < R_PERCORE_ISR(NUM_CORES)) {
>> -        int core = (addr - R_PERCORE_ISR(0)) / 4;
>> +        int core = (addr - R_PERCORE_ISR(0)) / 8;
>>           p->per_core_isr[core] = value;
>>           goto out;
>>       }
> .
>

On 11/3/20 3:05 PM, AlexChen wrote:
> On 2020/11/3 17:53, Jiaxun Yang wrote:
>>
>>
>> 閸︼拷 2020/11/3 17:32, AlexChen 閸愭瑩浜�:
>>> According to the loongson spec
>>> (http://www.loongson.cn/uploadfile/cpu/3B1500/Loongson_3B1500_cpu_user_1.pdf)
>>> and the macro definition(#define R_PERCORE_ISR(x) (0x40 + 0x8 * x)), we know
>>> that the ISR size of per CORE is 8, so here we need to divide
>>> (addr - R_PERCORE_ISR(0)) by 8, not 4.
>> Hi Alex
>>
>> Thanks!
>>
>> That was my fault.. Per Core ISA is rarely used by kernel..

No board in QEMU use this device. So we are safe =)

>>
>> Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
>>> Reported-by: Euler Robot <euler.robot@huawei.com>
>> Btw:
>> How can you discover this by robot?
>> Huawei owns real artifical intelligence technology lol :-閿涳拷
>>
>>
> 
> Thanks for your review.
> EulerRobot is a virtualization software quality automation project that
> integrates some tools and test suites such as gcc/clang make test, qemu ut,
> qtest, coccinelle scripts and avocado-vt.
> The code checking tool found there was a potential array out of bounds at
> 'r = p->per_core_isr[core]', since 'core' may be 7 which is bigger than
> 'per_core_isr' array size 3.
> So we found this bug.
> 
> Thanks,
> Alex
> 
>> - Jiaxun
>>> Signed-off-by: Alex Chen <alex.chen@huawei.com>
>>> ---
>>>   hw/intc/loongson_liointc.c | 4 ++--
>>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/hw/intc/loongson_liointc.c b/hw/intc/loongson_liointc.c
>>> index 30fb375b72..fbbfb57ee9 100644
>>> --- a/hw/intc/loongson_liointc.c
>>> +++ b/hw/intc/loongson_liointc.c
>>> @@ -130,7 +130,7 @@ liointc_read(void *opaque, hwaddr addr, unsigned int size)
>>>
>>>       if (addr >= R_PERCORE_ISR(0) &&
>>>           addr < R_PERCORE_ISR(NUM_CORES)) {
>>> -        int core = (addr - R_PERCORE_ISR(0)) / 4;
>>> +        int core = (addr - R_PERCORE_ISR(0)) / 8;
>>>           r = p->per_core_isr[core];
>>>           goto out;
>>>       }
>>> @@ -173,7 +173,7 @@ liointc_write(void *opaque, hwaddr addr,
>>>
>>>       if (addr >= R_PERCORE_ISR(0) &&
>>>           addr < R_PERCORE_ISR(NUM_CORES)) {
>>> -        int core = (addr - R_PERCORE_ISR(0)) / 4;
>>> +        int core = (addr - R_PERCORE_ISR(0)) / 8;
>>>           p->per_core_isr[core] = value;
>>>           goto out;
>>>       }
>> .
>>
> 
>

于 2020年11月3日 GMT+08:00 下午8:28:27, "Philippe Mathieu-Daudé" <f4bug@amsat.org> 写到:
>On 11/3/20 10:32 AM, AlexChen wrote:
>> According to the loongson spec
>> (http://www.loongson.cn/uploadfile/cpu/3B1500/Loongson_3B1500_cpu_user_1.pdf)
>> and the macro definition(#define R_PERCORE_ISR(x) (0x40 + 0x8 * x)), we know
>> that the ISR size of per CORE is 8, so here we need to divide
>> (addr - R_PERCORE_ISR(0)) by 8, not 4.
>> 
>> Reported-by: Euler Robot <euler.robot@huawei.com>
>> Signed-off-by: Alex Chen <alex.chen@huawei.com>
>> ---
>>  hw/intc/loongson_liointc.c | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>
>For a model added in 2020, its code style is a bit
>disappointing (leading to that kind of hidden bugs).
>I'm even surprised it passed the review process.
>
>Thanks for the fix.
>
>Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

It was my proof of concept code.

Any suggestions on enhancement?
I'll have some free time afterwards so probably can do something.

Thanks.

-Jiaxun

On 11/3/20 4:40 PM, Jiaxun Yang wrote:
> 于 2020年11月3日 GMT+08:00 下午8:28:27, "Philippe Mathieu-Daudé" <f4bug@amsat.org> 写到:
>> On 11/3/20 10:32 AM, AlexChen wrote:
>>> According to the loongson spec
>>> (http://www.loongson.cn/uploadfile/cpu/3B1500/Loongson_3B1500_cpu_user_1.pdf)
>>> and the macro definition(#define R_PERCORE_ISR(x) (0x40 + 0x8 * x)), we know
>>> that the ISR size of per CORE is 8, so here we need to divide
>>> (addr - R_PERCORE_ISR(0)) by 8, not 4.
>>>
>>> Reported-by: Euler Robot <euler.robot@huawei.com>
>>> Signed-off-by: Alex Chen <alex.chen@huawei.com>
>>> ---
>>>  hw/intc/loongson_liointc.c | 4 ++--
>>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> For a model added in 2020, its code style is a bit
>> disappointing (leading to that kind of hidden bugs).
>> I'm even surprised it passed the review process.
>>
>> Thanks for the fix.
>>
>> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> 
> It was my proof of concept code.

Don't worry Jiaxun, this comment is not to you, but to
the QEMU community as a whole. We should have asked
improvements during review, and explain what could be
improve, what is not the best style but acceptable,
and what is good.

> Any suggestions on enhancement?
> I'll have some free time afterwards so probably can do something.

It is a bit awkward to not comment on a patch (diff).
Comment I'd have made:

- Add definition for 0x8 magic value in R_PERCORE_ISR()
- Replace R_PERCORE_ISR() macro my function
- Replace dead D() code by trace events
- Use a simple 32-bit implementation (pic_ops.impl.min/max = 4)
  to let the generic memory code deal with the 8-bit accesses
  to mapper[].

If you have time, today what would be more useful is to have
tests for the Loongson-3 board.

You can see some examples with the Malta board in the repository:

$ git-grep malta tests/acceptance/

Regards,

Phil.

Hi, Philippe and Jiaxun,

On Wed, Nov 4, 2020 at 1:17 AM Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>
> On 11/3/20 4:40 PM, Jiaxun Yang wrote:
> > 于 2020年11月3日 GMT+08:00 下午8:28:27, "Philippe Mathieu-Daudé" <f4bug@amsat.org> 写到:
> >> On 11/3/20 10:32 AM, AlexChen wrote:
> >>> According to the loongson spec
> >>> (http://www.loongson.cn/uploadfile/cpu/3B1500/Loongson_3B1500_cpu_user_1.pdf)
> >>> and the macro definition(#define R_PERCORE_ISR(x) (0x40 + 0x8 * x)), we know
> >>> that the ISR size of per CORE is 8, so here we need to divide
> >>> (addr - R_PERCORE_ISR(0)) by 8, not 4.
> >>>
> >>> Reported-by: Euler Robot <euler.robot@huawei.com>
> >>> Signed-off-by: Alex Chen <alex.chen@huawei.com>
> >>> ---
> >>>  hw/intc/loongson_liointc.c | 4 ++--
> >>>  1 file changed, 2 insertions(+), 2 deletions(-)
> >>
> >> For a model added in 2020, its code style is a bit
> >> disappointing (leading to that kind of hidden bugs).
> >> I'm even surprised it passed the review process.
> >>
> >> Thanks for the fix.
> >>
> >> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> >
> > It was my proof of concept code.
>
> Don't worry Jiaxun, this comment is not to you, but to
> the QEMU community as a whole. We should have asked
> improvements during review, and explain what could be
> improve, what is not the best style but acceptable,
> and what is good.
>
> > Any suggestions on enhancement?
> > I'll have some free time afterwards so probably can do something.
>
> It is a bit awkward to not comment on a patch (diff).
> Comment I'd have made:
>
> - Add definition for 0x8 magic value in R_PERCORE_ISR()
> - Replace R_PERCORE_ISR() macro my function
> - Replace dead D() code by trace events
> - Use a simple 32-bit implementation (pic_ops.impl.min/max = 4)
>   to let the generic memory code deal with the 8-bit accesses
>   to mapper[].
>
> If you have time, today what would be more useful is to have
> tests for the Loongson-3 board.
As you suggested, LOONGSON_LIOINTC will be used in loongson3_virt.c
and it is defined in a .c file now, so this is a chance for me to
rework liointc.

Huacai
>
> You can see some examples with the Malta board in the repository:
>
> $ git-grep malta tests/acceptance/
>
> Regards,
>
> Phil.
>

Hi, Philippe,

On Wed, Nov 4, 2020 at 12:17 PM chen huacai <zltjiangshi@gmail.com> wrote:
>
> Hi, Philippe and Jiaxun,
>
> On Wed, Nov 4, 2020 at 1:17 AM Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
> >
> > On 11/3/20 4:40 PM, Jiaxun Yang wrote:
> > > 于 2020年11月3日 GMT+08:00 下午8:28:27, "Philippe Mathieu-Daudé" <f4bug@amsat.org> 写到:
> > >> On 11/3/20 10:32 AM, AlexChen wrote:
> > >>> According to the loongson spec
> > >>> (http://www.loongson.cn/uploadfile/cpu/3B1500/Loongson_3B1500_cpu_user_1.pdf)
> > >>> and the macro definition(#define R_PERCORE_ISR(x) (0x40 + 0x8 * x)), we know
> > >>> that the ISR size of per CORE is 8, so here we need to divide
> > >>> (addr - R_PERCORE_ISR(0)) by 8, not 4.
> > >>>
> > >>> Reported-by: Euler Robot <euler.robot@huawei.com>
> > >>> Signed-off-by: Alex Chen <alex.chen@huawei.com>
> > >>> ---
> > >>>  hw/intc/loongson_liointc.c | 4 ++--
> > >>>  1 file changed, 2 insertions(+), 2 deletions(-)
> > >>
> > >> For a model added in 2020, its code style is a bit
> > >> disappointing (leading to that kind of hidden bugs).
> > >> I'm even surprised it passed the review process.
> > >>
> > >> Thanks for the fix.
> > >>
> > >> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> > >
> > > It was my proof of concept code.
> >
> > Don't worry Jiaxun, this comment is not to you, but to
> > the QEMU community as a whole. We should have asked
> > improvements during review, and explain what could be
> > improve, what is not the best style but acceptable,
> > and what is good.
> >
> > > Any suggestions on enhancement?
> > > I'll have some free time afterwards so probably can do something.
> >
> > It is a bit awkward to not comment on a patch (diff).
> > Comment I'd have made:
> >
> > - Add definition for 0x8 magic value in R_PERCORE_ISR()
> > - Replace R_PERCORE_ISR() macro my function
> > - Replace dead D() code by trace events
> > - Use a simple 32-bit implementation (pic_ops.impl.min/max = 4)
> >   to let the generic memory code deal with the 8-bit accesses
> >   to mapper[].
I have reworked, but I haven't take the last suggestion (Use a simple
32-bit implementation). Because the mapper[] are naturely accessed in
8-bit, if use 32-bit implementation, the data type of mapper[] should
also be changed, which looks very strange.

Huacai
> >
> > If you have time, today what would be more useful is to have
> > tests for the Loongson-3 board.
> As you suggested, LOONGSON_LIOINTC will be used in loongson3_virt.c
> and it is defined in a .c file now, so this is a chance for me to
> rework liointc.
>
> Huacai
> >
> > You can see some examples with the Malta board in the repository:
> >
> > $ git-grep malta tests/acceptance/
> >
> > Regards,
> >
> > Phil.
> >
>
>
> --
> Huacai Chen