[OpenBIOS] Running client with MMU off
BALATON Zoltan
balaton at eik.bme.hu
Tue Jun 17 02:01:54 CEST 2014
On Mon, 9 Jun 2014, BALATON Zoltan wrote:
>> Therefore for a load/store not to fault on real hardware then that means
>> the entry is already in the TLB, i.e. it must have already been accessed
>> AND also not been previously evicted by hash collision (see hash_page32).
>
> Unfortunately PPC has many other ways to translate an address not only via
> the TLB so this is not that simple. I suspect the TLB is not used on Macs
> during boot but BAT translation is because MorphOS only disables the MMU
> during replacing the BAT registers.
In the tests I wrote about here:
http://lists.nongnu.org/archive/html/qemu-devel/2014-06/msg02828.html
I've also tried to find answers to these questions. The results so far are
here:
http://goliat.eik.bme.hu/~balaton/oftest/results/
It seems BAT registers are not used only a TLB which is near the end of
the memory like in OpenBIOS.
>> Hence you need to trace through previous accesses to the addresses that
>> fault and determine why the entry is no longer in the TLB in QEMU/OpenBIOS
>> when it should be there on real hardware.
>
> The vectors are only accessed by OpenBIOS during the inital copying of the
> vectors before setting up the MMU then by MorphOS when copying it's vectors
> that cause the exception which crashes. No other access inbetween so it's not
> evicted from TLB as it never gets into it.
>
>>> Actually after writing the sr0-sr15 and sdr1 registers it clears the MMU
>>> bits and then writes to the ibat and dbat registers and seems to set up
>>> the TLB and then enable the bits in the MSR. So maybe Apple relies on
>>> translations in these registers and that's why it works there.
>>
>> Not that I have the definitive answer, but I can't see why on earth Apple
>> would map the trap table with an IBAT/DBAT. My understanding is that these
>> are designed for optimally mapping large blocks of memory, e.g. kernels, so
>> why would you implement a second form of translation in a BIOS environment
>> when you already have limited resources? It just doesn't make any sense.
>> Plus you still get a fault once you effectively "preload" the trap table
>> into the TLB with your fake access above, so something else is still
>> missing from the picture.
The fake access would still be needed I think because otherwise a
translation for the page starting at 0x1000 would not be in the TLB. The
fault I got with the fake access was not when writing to 0x1000 like
without it but accessing the stack that the fake access did not preload.
> With 128MB it will overwrite the stack as I've found earlier here:
> http://www.openfirmware.info/pipermail/openbios/2014-March/008186.html
>
> With 512MB it will freeze after clearing the TLB and replacing BAT registers
> with it's own values like this:
>
> Set IBAT0l to 00000000 (0041ce54)
> Set IBAT0u to 00000000 (0041ce54)
> Flush BAT from 00000000 to 00020000 (00000000)
> Flush done
> Flush BAT from 00000000 to 00020000 (00000000)
> Flush done
> Set IBAT1l to f0000012 (0041ce54)
> Set IBAT1u to f0001ffe (0041ce54)
> Flush BAT from 00000000 to 10000000 (0ffe0000)
> Flush done
> Flush BAT from f0000000 to 00000000 (0ffe0000)
> Flush done
> Set IBAT2l to 00000000 (0041ce54)
> Set IBAT2u to 00000000 (0041ce54)
> Set IBAT3l to 00000012 (0041ce54)
> Set IBAT3u to 00000ffe (0041ce54)
> Flush BAT from 00000000 to 08000000 (07fe0000)
> Flush done
> Flush BAT from 00000000 to 08000000 (07fe0000)
> Flush done
> Set DBAT0l to f000002a (0041ce54)
> Set DBAT0u to f0001ffe (0041ce54)
> Flush BAT from 00000000 to 10000000 (0ffe0000)
> Flush done
> Flush BAT from f0000000 to 00000000 (0ffe0000)
> Flush done
> Set DBAT1l to 00000012 (0041ce54)
> Set DBAT1u to 00001ffe (0041ce54)
> Flush BAT from 1fdc0000 to 2fdc0000 (0ffe0000)
> Flush done
> Flush BAT from 00000000 to 10000000 (0ffe0000)
> Flush done
> Set DBAT2l to 00000000 (0041ce54)
> Set DBAT2u to 00000000 (0041ce54)
> Set DBAT3l to 8000002a (0041ce54)
> Set DBAT3u to 80001ffe (0041ce54)
>
> and then trying to access a variable on the stack:
>
> 0x0041cf40: lmw r13,20(r1)
> 0x0041cf44: addi r1,r1,96
> 0x0041cf48: blr
>
> htab_base 0000000000000000 htab_mask 000000000000ffff hash 000000000000fde7
> 0 htab=0000000000000000/000000000000ffff vsid=0 ptem=3f hash=000000000000fde7
> 1 htab=0000000000000000/000000000000ffff vsid=0 api=3f hash=ffffffffffff0218
> Raise exception at 0041cf40 => 00000002 (00)
>
> r0 0x3030 12336
> r1 0x1fde7e70 534675056
>
> which is not covered by any translation now. So I think the stack must be in
> the first 256MB to which a translation is added to the BAT and this is why it
> works with 256MB of memory. Thus to be complete the stack should be moved
> from the end of the memory where it is now (described in a comment in
> arch/ppc/qemu/start.S) to somwhere else. But where? There's another comment
> in arch/ppc/qemu/ofmem.c that seems to originate from here:
>
> http://opensource.apple.com/source/BootX/BootX-81/bootx.tproj/include.subproj/sl.h
>
> but seems it has changed at the origin since it was copied. Does anyone know
> a good location that is left free by the boot loaders we care about where the
> stack could be placed within the first 256MB? MoprhOS seems to start using
> memory from the end so maybe the stack should not be there.
> Any more ideas?
>From the test results it seems that Apple puts the stack after the image
(and probably clears it or otherwise adds a mapping in the TLB for it so
accessing it will not generate exceptions). How could this be implemented
in OpenBIOS? I've tried to look at the code to find a good place but there
seems to be different cases for different architectures and using
preloaded kernel image seems to be an additional complication. Could the
file-size stored in saved-program-state be used as a base to place the
stack in call_elf? (this would need adding an additional parameter to it
in the ppc/qemu case because accessing Forth from assembly is not
something I'd try).
Or are my conclusions wrong or you have a better idea? (Also what about my
other patches on the list? This place seemed abandoned for the last week.)
Regards,
BALATON Zoltan
More information about the OpenBIOS
mailing list