Subject: Re: mips3 problem on todays kernel?
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: Michael L. Hitch <>
List: port-pmax
Date: 01/27/1999 19:50:44
On Wed, 27 Jan 1999, Jonathan Stone wrote:

> I'm seeing what looks like the same thing Michael Hitch mentioned last
> week. (trace below). What's the most recent source from which anyone's
> built a mips3 pmax kernel that acutally booted?

  Yep - it's the same thing.  Here's a message I have been trying to get

The R4x00 support on DECstations since January 16 appears to be broken. 
I was able to boot a kernel built from the January 9 sources, but it
fails since the January 16 sources.

The problem appears to be the TLB miss handling.  It fails in memset()
when uvm_anon_init() is clearing 'anon', and appears to occur when
memset() crosses a page boundary.  The failing virtual address doesn't
match what's in the register containing the destination address of the
store word.

It took me a while to figure out exactly how the TLB miss handler was
supposed to work, and several times I thought I saw something that
didn't seem right, but after closer examination of the code, it appeared
like it should be working.

Finally I started putting DDB breakpoints in the TLB miss handler to try
to figure out if it was even getting called, and exactly what was
getting executed.  [Thanks much to Jonathan for adding the capability of
entering DDB early in the kernel boot.]

What I found was that the TLB miss handler was taking the code path for
a USEG miss even though the fault occurred on a KSEG2 address.

After further examination of how the handler determines if the fault is
a kernel or user address, I think I finally determined what the problem

        .set    noat
        dmfc0   k0, MIPS_COP_0_TLB_XCONTEXT
        addu    k1, $0, k0              # Pick up up sign of k0 for user/kernel
        bltz    k1, 4f

The dmfc0 loads the 64-bit contents of the 'xcontext' register into k0.
The upper 31 bits is the address of the segtab for the current user
process, the next 2 bits is the "region" field (bits 63-62 of the
virtual address), and the rest of the lower bits are from the VPN
(virtual page number) of the virtual address.  The addu appears to be
trying to get to bit 31 of k0, which is the low bit of the "region"
field [00 = user, 01 = supervisor, and 11 = kernel].  I think this addu
instruction is where this fails.

For the ADDU instructions, one manual I have [MIPS RE4000 Microprocessor
User's Manual, 2nd edition, by Joe Heinrich] states:
  "In 64-bit mode, the operands must be valid sign-extended, 32-bit values."

Another manual [IDT MIPS Microprocessor Family Software Reference Manual,
version 2] states:
  "On 64 bit processors, if either GRP 'rt' or GRP 'rs' do not contain
  sign-extended 32-bit values (bits 63..31 equal), the result of the
  operation is undefined."

The 64-bit value of k0 at this point does not contain a valid
sign-extended 32-bit value [bits 63-33 are 0, but bit 32 and bit 31 are
both 1 since it's a KSEG2 address].  Since that's "undefined" or "not
valid" for the ADDU instruction, the k1 contents won't be valid and the
test for a kernel/user TLB miss may fail [and does on my R4400].

The same thing is done in mips3_TLBInvalidException.

Here's how I fixed it:

--- /c/src/sys/arch/mips/mips/locore_mips3.S	Sat Jan 16 05:20:31 1999
+++ ./locore_mips3.S	Wed Jan 27 19:38:15 1999
@@ -141,15 +141,15 @@
 	.globl	_C_LABEL(mips3_TLBMiss)
 	.set	noat
-	addu	k1, $0, k0		# Pick up up sign of k0 for user/kernel
-	bltz	k1, 4f
-	srl	k1, k0, (SEGSHIFT - 2 - (PGSHIFT - 3))
-	andi	k1, k1, 0x7fc		# index of segment table
-	dsra	k0, k0, 32		# Tricky -- The lower bit is
+	dmfc0	k0, MIPS_COP_0_BAD_VADDR	# get the virtual address
+	bltz	k0, 4f
+	srl	k0, k0, SEGSHIFT - 2	# compute segment table index
+	andi	k0, k0, 0x7fc		# index of segment table
+	dsra	k1, k1, 32		# Tricky -- The lower bit is
 					# actually part of KSU but we must
 					# be a user address
-	add	k1, k0, k1		
+	add	k1, k0, k1
 	lw	k1, 0(k1)		
 	dmfc0	k0, MIPS_COP_0_BAD_VADDR	# get the virtual address
 	beq	k1, zero, 5f			# invalid segment map
@@ -179,7 +179,7 @@
-	j	mips3_TLBMissException
+	j	_C_LABEL(mips3_TLBMissException)
 	j	mips3_SlowFault
@@ -1030,11 +1030,9 @@
 	.set	noat
-	addu	k1, k0, 0			# Get User/Kernel mode bit
-	bgez	k1, _C_LABEL(mips3_KernGenException)	# full trap processing
 	dmfc0	k0, MIPS_COP_0_BAD_VADDR	# get the fault address
 	li	k1, VM_MIN_KERNEL_ADDRESS	# compute index
+	bgez	k0, _C_LABEL(mips3_KernGenException)	# full trap processing
 	subu	k0, k0, k1
 	lw	k1, _C_LABEL(Sysmapsize)	# index within range?
 	srl	k0, k0, PGSHIFT