Author Topic: G5 qemu attempts.  (Read 58457 times)

Offline darthnVader

  • Platinum Member
  • *****
  • Posts: 679
  • New Member
Re: G5 qemu attempts.
« Reply #140 on: October 20, 2018, 05:28:52 AM »
Am I looping?

Code: [Select]
(gdb) break *0x20F0A4
Breakpoint 1 at 0x20f0a4
(gdb) target remote localhost:1234
Remote debugging using localhost:1234
0x00000000fff00100 in ?? ()
(gdb) cont
Continuing.

Breakpoint 1, 0x000000000020f0a4 in ?? ()
(gdb)  display/i $pc
1: x/i $pc
=> 0x20f0a4: lwz     r16,28(r3)
(gdb) stepi
0x000000000020f0a8 in ?? ()
1: x/i $pc
=> 0x20f0a8: mtsrr0  r5
(gdb) stepi
0x000000000020f0ac in ?? ()
1: x/i $pc
=> 0x20f0ac: li      r0,12288
(gdb) stepi
0x000000000020f0b0 in ?? ()
1: x/i $pc
=> 0x20f0b0: mtsrr1  r0
(gdb) stepi
0x000000000020f0b4 in ?? ()
1: x/i $pc
=> 0x20f0b4: rfi
(gdb) stepi
0x0000000000000104 in ?? ()
1: x/i $pc
=> 0x104: lis     r1,-32768
(gdb) stepi
0x0000000000000108 in ?? ()
1: x/i $pc
=> 0x108: add.    r1,r1,r1
(gdb) stepi
0x000000000000010c in ?? ()
1: x/i $pc
=> 0x10c: beq     0x11c
(gdb) stepi
0x0000000000000110 in ?? ()
1: x/i $pc
=> 0x110: mfmsr   r1
(gdb) stepi
0x0000000000000114 in ?? ()
1: x/i $pc
=> 0x114: clrldi  r1,r1,1
(gdb) stepi
0x0000000000000118 in ?? ()
1: x/i $pc
=> 0x118: mtmsrd  r1
(gdb) stepi
0x000000000000011c in ?? ()
1: x/i $pc
=> 0x11c: mflr    r3
(gdb) stepi
0x0000000000000120 in ?? ()
1: x/i $pc
=> 0x120: lis     r4,-15
(gdb) stepi
0x0000000000000124 in ?? ()
1: x/i $pc
=> 0x124: addi    r4,r4,-27012
(gdb) stepi
0x0000000000000128 in ?? ()
1: x/i $pc
=> 0x128: mtctr   r4
(gdb) stepi
0x000000000000012c in ?? ()
1: x/i $pc
=> 0x12c: bctr
(gdb) stepi
0x00000000fff0967c in ?? ()
1: x/i $pc
=> 0xfff0967c: stwu    r1,-16(r1)
(gdb) stepi
0x00000000fff09680 in ?? ()
1: x/i $pc
=> 0xfff09680: mr      r4,r3
(gdb) stepi
0x00000000fff09684 in ?? ()
1: x/i $pc
=> 0xfff09684: lis     r3,-13
(gdb) stepi
0x00000000fff09688 in ?? ()
1: x/i $pc
=> 0xfff09688: mflr    r0
(gdb) stepi
0x00000000fff0968c in ?? ()
1: x/i $pc
=> 0xfff0968c: addi    r3,r3,30014
(gdb) stepi
0x00000000fff09690 in ?? ()
1: x/i $pc
=> 0xfff09690: stw     r0,20(r1)
(gdb) stepi
0x00000000fff09694 in ?? ()
1: x/i $pc
=> 0xfff09694: bl      0xfff08c88
(gdb) stepi
0x00000000fff08c88 in ?? ()
1: x/i $pc
=> 0xfff08c88: stwu    r1,-1104(r1)
(gdb) stepi
0x00000000fff08c8c in ?? ()
1: x/i $pc
=> 0xfff08c8c: mflr    r0
(gdb) stepi
0x00000000fff08c90 in ?? ()
1: x/i $pc
=> 0xfff08c90: stw     r9,1072(r1)
(gdb) stepi
0x00000000fff08c94 in ?? ()
1: x/i $pc
=> 0xfff08c94: li      r9,1
(gdb) stepi
0x00000000fff08c98 in ?? ()
1: x/i $pc
=> 0xfff08c98: stb     r9,1032(r1)
(gdb) stepi
0x00000000fff08c9c in ?? ()
1: x/i $pc
=> 0xfff08c9c: li      r9,0
(gdb) stepi
0x00000000fff08ca0 in ?? ()
1: x/i $pc
=> 0xfff08ca0: stmw    r27,1084(r1)
(gdb) stepi
0x00000000fff08ca4 in ?? ()
1: x/i $pc
=> 0xfff08ca4: addi    r30,r1,8
(gdb) stepi
0x00000000fff08ca8 in ?? ()
1: x/i $pc
=> 0xfff08ca8: li      r31,0
(gdb) stepi
0x00000000fff08cac in ?? ()
1: x/i $pc
=> 0xfff08cac: stb     r9,1033(r1)
(gdb) stepi
0x00000000fff08cb0 in ?? ()
1: x/i $pc
=> 0xfff08cb0: addi    r9,r1,1112
(gdb) stepi
0x00000000fff08cb4 in ?? ()
1: x/i $pc
=> 0xfff08cb4: lis     r29,-4
(gdb) stepi
0x00000000fff08cb8 in ?? ()
1: x/i $pc
=> 0xfff08cb8: stw     r4,1052(r1)
(gdb) stepi
0x00000000fff08cbc in ?? ()
1: x/i $pc
=> 0xfff08cbc: li      r4,1024
(gdb) stepi
0x00000000fff08cc0 in ?? ()
1: x/i $pc
=> 0xfff08cc0: li      r27,0
(gdb) stepi
0x00000000fff08cc4 in ?? ()
1: x/i $pc
=> 0xfff08cc4: stw     r5,1056(r1)
(gdb) stepi
0x00000000fff08cc8 in ?? ()
1: x/i $pc
=> 0xfff08cc8: mr      r5,r3
(gdb) stepi
0x00000000fff08ccc in ?? ()
1: x/i $pc
=> 0xfff08ccc: mr      r3,r30
(gdb) stepi
0x00000000fff08cd0 in ?? ()
1: x/i $pc
=> 0xfff08cd0: stw     r6,1060(r1)
(gdb) stepi
0x00000000fff08cd4 in ?? ()
1: x/i $pc
=> 0xfff08cd4: addi    r6,r1,1032
(gdb) stepi
0x00000000fff08cd8 in ?? ()
1: x/i $pc
=> 0xfff08cd8: stw     r9,1036(r1)
(gdb) stepi
0x00000000fff08cdc in ?? ()
1: x/i $pc
=> 0xfff08cdc: addi    r9,r1,1048
(gdb) stepi
0x00000000fff08ce0 in ?? ()
1: x/i $pc
=> 0xfff08ce0: stw     r0,1108(r1)
(gdb) stepi
0x00000000fff08ce4 in ?? ()
1: x/i $pc
=> 0xfff08ce4: stw     r7,1064(r1)
(gdb) stepi
0x00000000fff08ce8 in ?? ()
1: x/i $pc
=> 0xfff08ce8: stw     r8,1068(r1)
(gdb) stepi
0x00000000fff08cec in ?? ()
1: x/i $pc
=> 0xfff08cec: stw     r10,1076(r1)
(gdb) stepi
0x00000000fff08cf0 in ?? ()
1: x/i $pc
=> 0xfff08cf0: stw     r9,1040(r1)
(gdb) stepi
0x00000000fff08cf4 in ?? ()
1: x/i $pc
=> 0xfff08cf4: bl      0xfff2c92c
(gdb) stepi
0x00000000fff2c92c in ?? ()
1: x/i $pc
=> 0xfff2c92c: stwu    r1,-64(r1)
(gdb) stepi
0x00000000fff2c930 in ?? ()
1: x/i $pc
=> 0xfff2c930: addi    r9,r3,-1
(gdb) stepi
0x00000000fff2c934 in ?? ()
1: x/i $pc
=> 0xfff2c934: mflr    r0
(gdb) stepi
0x00000000fff2c938 in ?? ()
1: x/i $pc
=> 0xfff2c938: stmw    r22,24(r1)
(gdb) stepi
0x00000000fff2c93c in ?? ()
1: x/i $pc
=> 0xfff2c93c: addi    r28,r4,-1
(gdb) stepi
0x00000000fff2c940 in ?? ()
1: x/i $pc
=> 0xfff2c940: mr      r30,r3
(gdb) stepi
0x00000000fff2c944 in ?? ()
1: x/i $pc
=> 0xfff2c944: add     r28,r3,r28
(gdb) stepi
0x00000000fff2c948 in ?? ()
1: x/i $pc
=> 0xfff2c948: stw     r0,68(r1)
(gdb) stepi
0x00000000fff2c94c in ?? ()
1: x/i $pc
=> 0xfff2c94c: mr      r31,r6
(gdb) stepi
0x00000000fff2c950 in ?? ()
1: x/i $pc
=> 0xfff2c950: cmplw   cr7,r28,r9
(gdb) stepi
0x00000000fff2c954 in ?? ()
1: x/i $pc
=> 0xfff2c954: stw     r5,8(r1)
(gdb) stepi
0x00000000fff2c958 in ?? ()
1: x/i $pc
=> 0xfff2c958: mr      r23,r3
(gdb) stepi
0x00000000fff2c95c in ?? ()
1: x/i $pc
=> 0xfff2c95c: mr      r27,r4
(gdb) stepi
0x00000000fff2c960 in ?? ()
1: x/i $pc
=> 0xfff2c960: bge     cr7,0xfff2c96c
(gdb) stepi
0x00000000fff2c96c in ?? ()
1: x/i $pc
=> 0xfff2c96c: lis     r26,-13
(gdb) stepi
0x00000000fff2c970 in ?? ()
1: x/i $pc
=> 0xfff2c970: lis     r24,-12
(gdb) stepi
0x00000000fff2c974 in ?? ()
1: x/i $pc
=> 0xfff2c974: addi    r26,r26,29232
(gdb) stepi
0x00000000fff2c978 in ?? ()
1: x/i $pc
=> 0xfff2c978: li      r22,37
(gdb) stepi
0x00000000fff2c97c in ?? ()
1: x/i $pc
=> 0xfff2c97c: li      r25,32
(gdb) stepi
0x00000000fff2c980 in ?? ()
1: x/i $pc
=> 0xfff2c980: addi    r24,r24,-21720
(gdb) stepi
0x00000000fff2c984 in ?? ()
1: x/i $pc
=> 0xfff2c984: b       0xfff2cd6c
(gdb) stepi
0x00000000fff2cd6c in ?? ()
1: x/i $pc
=> 0xfff2cd6c: lwz     r9,8(r1)
(gdb) stepi
0x00000000fff2cd70 in ?? ()
1: x/i $pc
=> 0xfff2cd70: lbz     r9,0(r9)
(gdb) stepi
0x00000000fff2cd74 in ?? ()
1: x/i $pc
=> 0xfff2cd74: cmpwi   cr7,r9,0
(gdb) stepi
0x00000000fff2cd78 in ?? ()
1: x/i $pc
=> 0xfff2cd78: bne     cr7,0xfff2c988
(gdb) stepi
0x00000000fff2c988 in ?? ()
1: x/i $pc
=> 0xfff2c988: cmplwi  cr7,r9,37
(gdb) stepi
0x00000000fff2c98c in ?? ()
1: x/i $pc
=> 0xfff2c98c: beq     cr7,0xfff2c9a4
(gdb) stepi
0x00000000fff2c990 in ?? ()
1: x/i $pc
=> 0xfff2c990: cmplw   cr7,r30,r28
(gdb) stepi
0x00000000fff2c994 in ?? ()
1: x/i $pc
=> 0xfff2c994: bgt     cr7,0xfff2c99c
(gdb) stepi
0x00000000fff2c998 in ?? ()
1: x/i $pc
=> 0xfff2c998: stb     r9,0(r30)
(gdb) stepi
0x00000000fff2c99c in ?? ()
1: x/i $pc
=> 0xfff2c99c: addi    r30,r30,1
(gdb) stepi
0x00000000fff2c9a0 in ?? ()
1: x/i $pc
=> 0xfff2c9a0: b       0xfff2cd60
(gdb) stepi
0x00000000fff2cd60 in ?? ()
1: x/i $pc
=> 0xfff2cd60: lwz     r9,8(r1)
(gdb) stepi
0x00000000fff2cd64 in ?? ()
1: x/i $pc
=> 0xfff2cd64: addi    r9,r9,1
(gdb) stepi
0x00000000fff2cd68 in ?? ()
1: x/i $pc
=> 0xfff2cd68: stw     r9,8(r1)
(gdb) stepi
0x00000000fff2cd6c in ?? ()
1: x/i $pc
=> 0xfff2cd6c: lwz     r9,8(r1)
(gdb) stepi
0x00000000fff2cd70 in ?? ()
1: x/i $pc
=> 0xfff2cd70: lbz     r9,0(r9)
(gdb) stepi
0x00000000fff2cd74 in ?? ()
1: x/i $pc
=> 0xfff2cd74: cmpwi   cr7,r9,0
(gdb) stepi
0x00000000fff2cd78 in ?? ()
1: x/i $pc
=> 0xfff2cd78: bne     cr7,0xfff2c988
(gdb) stepi
0x00000000fff2c988 in ?? ()
1: x/i $pc
=> 0xfff2c988: cmplwi  cr7,r9,37
(gdb) stepi
0x00000000fff2c98c in ?? ()
1: x/i $pc
=> 0xfff2c98c: beq     cr7,0xfff2c9a4
(gdb) stepi
0x00000000fff2c990 in ?? ()
1: x/i $pc
=> 0xfff2c990: cmplw   cr7,r30,r28
(gdb) stepi
0x00000000fff2c994 in ?? ()
1: x/i $pc
=> 0xfff2c994: bgt     cr7,0xfff2c99c
(gdb) stepi
0x00000000fff2c998 in ?? ()
1: x/i $pc
=> 0xfff2c998: stb     r9,0(r30)
(gdb) stepi
0x00000000fff2c99c in ?? ()
1: x/i $pc
=> 0xfff2c99c: addi    r30,r30,1
(gdb) stepi
0x00000000fff2c9a0 in ?? ()
1: x/i $pc
=> 0xfff2c9a0: b       0xfff2cd60
(gdb) stepi
0x00000000fff2cd60 in ?? ()
1: x/i $pc
=> 0xfff2cd60: lwz     r9,8(r1)
(gdb) stepi
0x00000000fff2cd64 in ?? ()
1: x/i $pc
=> 0xfff2cd64: addi    r9,r9,1
(gdb) stepi
0x00000000fff2cd68 in ?? ()
1: x/i $pc
=> 0xfff2cd68: stw     r9,8(r1)
(gdb) stepi
0x00000000fff2cd6c in ?? ()
1: x/i $pc
=> 0xfff2cd6c: lwz     r9,8(r1)
(gdb) stepi
0x00000000fff2cd70 in ?? ()
1: x/i $pc
=> 0xfff2cd70: lbz     r9,0(r9)
(gdb) stepi
0x00000000fff2cd74 in ?? ()
1: x/i $pc
=> 0xfff2cd74: cmpwi   cr7,r9,0
(gdb) stepi
0x00000000fff2cd78 in ?? ()
1: x/i $pc
=> 0xfff2cd78: bne     cr7,0xfff2c988
(gdb) stepi
0x00000000fff2c988 in ?? ()
1: x/i $pc
=> 0xfff2c988: cmplwi  cr7,r9,37
(gdb) stepi
0x00000000fff2c98c in ?? ()
1: x/i $pc
=> 0xfff2c98c: beq     cr7,0xfff2c9a4
(gdb) stepi
0x00000000fff2c990 in ?? ()
1: x/i $pc
=> 0xfff2c990: cmplw   cr7,r30,r28
(gdb) stepi
0x00000000fff2c994 in ?? ()
1: x/i $pc
=> 0xfff2c994: bgt     cr7,0xfff2c99c
(gdb) stepi
0x00000000fff2c998 in ?? ()
1: x/i $pc
=> 0xfff2c998: stb     r9,0(r30)
(gdb) stepi
0x00000000fff2c99c in ?? ()
1: x/i $pc
=> 0xfff2c99c: addi    r30,r30,1
(gdb) stepi
0x00000000fff2c9a0 in ?? ()
1: x/i $pc
=> 0xfff2c9a0: b       0xfff2cd60
(gdb) stepi
0x00000000fff2cd60 in ?? ()
1: x/i $pc
=> 0xfff2cd60: lwz     r9,8(r1)
(gdb) stepi
0x00000000fff2cd64 in ?? ()
1: x/i $pc
=> 0xfff2cd64: addi    r9,r9,1
(gdb) stepi
0x00000000fff2cd68 in ?? ()
1: x/i $pc
=> 0xfff2cd68: stw     r9,8(r1)
(gdb) stepi
0x00000000fff2cd6c in ?? ()
1: x/i $pc
=> 0xfff2cd6c: lwz     r9,8(r1)
(gdb) stepi
0x00000000fff2cd70 in ?? ()
1: x/i $pc
=> 0xfff2cd70: lbz     r9,0(r9)
(gdb) stepi
0x00000000fff2cd74 in ?? ()
1: x/i $pc
=> 0xfff2cd74: cmpwi   cr7,r9,0
(gdb) stepi
0x00000000fff2cd78 in ?? ()
1: x/i $pc
=> 0xfff2cd78: bne     cr7,0xfff2c988
(gdb) stepi
0x00000000fff2c988 in ?? ()
1: x/i $pc
=> 0xfff2c988: cmplwi  cr7,r9,37
(gdb) stepi
0x00000000fff2c98c in ?? ()
1: x/i $pc
=> 0xfff2c98c: beq     cr7,0xfff2c9a4
(gdb) stepi
0x00000000fff2c990 in ?? ()
1: x/i $pc
=> 0xfff2c990: cmplw   cr7,r30,r28
(gdb) stepi
0x00000000fff2c994 in ?? ()
1: x/i $pc
=> 0xfff2c994: bgt     cr7,0xfff2c99c
(gdb) stepi
0x00000000fff2c998 in ?? ()
1: x/i $pc
=> 0xfff2c998: stb     r9,0(r30)
(gdb) stepi
0x00000000fff2c99c in ?? ()
1: x/i $pc
=> 0xfff2c99c: addi    r30,r30,1
(gdb) stepi
0x00000000fff2c9a0 in ?? ()
1: x/i $pc
=> 0xfff2c9a0: b       0xfff2cd60
(gdb) stepi
0x00000000fff2cd60 in ?? ()
1: x/i $pc
=> 0xfff2cd60: lwz     r9,8(r1)
(gdb) stepi
0x00000000fff2cd64 in ?? ()
1: x/i $pc
=> 0xfff2cd64: addi    r9,r9,1
(gdb) stepi
0x00000000fff2cd68 in ?? ()
1: x/i $pc
=> 0xfff2cd68: stw     r9,8(r1)
(gdb) stepi
0x00000000fff2cd6c in ?? ()
1: x/i $pc
=> 0xfff2cd6c: lwz     r9,8(r1)
(gdb) stepi
0x00000000fff2cd70 in ?? ()
1: x/i $pc
=> 0xfff2cd70: lbz     r9,0(r9)
(gdb) stepi
0x00000000fff2cd74 in ?? ()
1: x/i $pc
=> 0xfff2cd74: cmpwi   cr7,r9,0
(gdb) stepi
0x00000000fff2cd78 in ?? ()
1: x/i $pc
=> 0xfff2cd78: bne     cr7,0xfff2c988
(gdb) stepi
0x00000000fff2c988 in ?? ()
1: x/i $pc
=> 0xfff2c988: cmplwi  cr7,r9,37
(gdb) stepi
0x00000000fff2c98c in ?? ()
1: x/i $pc
=> 0xfff2c98c: beq     cr7,0xfff2c9a4
(gdb) stepi
0x00000000fff2c990 in ?? ()
1: x/i $pc
=> 0xfff2c990: cmplw   cr7,r30,r28
(gdb) stepi
0x00000000fff2c994 in ?? ()
1: x/i $pc
=> 0xfff2c994: bgt     cr7,0xfff2c99c
(gdb) stepi
0x00000000fff2c998 in ?? ()
1: x/i $pc
=> 0xfff2c998: stb     r9,0(r30)
(gdb) stepi
0x00000000fff2c99c in ?? ()
1: x/i $pc
=> 0xfff2c99c: addi    r30,r30,1
(gdb) stepi
0x00000000fff2c9a0 in ?? ()
1: x/i $pc
=> 0xfff2c9a0: b       0xfff2cd60
(gdb) stepi
0x00000000fff2cd60 in ?? ()
1: x/i $pc
=> 0xfff2cd60: lwz     r9,8(r1)
(gdb) stepi
0x00000000fff2cd64 in ?? ()
1: x/i $pc
=> 0xfff2cd64: addi    r9,r9,1
(gdb) stepi
0x00000000fff2cd68 in ?? ()
1: x/i $pc
=> 0xfff2cd68: stw     r9,8(r1)
(gdb) stepi
0x00000000fff2cd6c in ?? ()
1: x/i $pc
=> 0xfff2cd6c: lwz     r9,8(r1)
(gdb) stepi
0x00000000fff2cd70 in ?? ()
1: x/i $pc
=> 0xfff2cd70: lbz     r9,0(r9)
(gdb) stepi
0x00000000fff2cd74 in ?? ()
1: x/i $pc
=> 0xfff2cd74: cmpwi   cr7,r9,0
(gdb) stepi
0x00000000fff2cd78 in ?? ()
1: x/i $pc
=> 0xfff2cd78: bne     cr7,0xfff2c988
(gdb) stepi
0x00000000fff2c988 in ?? ()
1: x/i $pc
=> 0xfff2c988: cmplwi  cr7,r9,37
(gdb)

Offline darthnVader

  • Platinum Member
  • *****
  • Posts: 679
  • New Member
Re: G5 qemu attempts.
« Reply #141 on: October 20, 2018, 05:31:48 AM »
Unfortunately, that RTASFairyDust function in the Mac OS ROM's exception table tries to clear the BATs before jumping into the NK. Even if the RelocationEngine finishes correctly, the loaded Mac OS ROM will have crashed before a single instruction in the NK is executed.

Is that going to be a problem on the 970? ELN stated that it does have BAT registers.
Neither have BATs.

Neither the 970, 970fx, nor the 970mp have BAT?


« Last Edit: October 20, 2018, 05:49:33 AM by darthnVader »

Offline powermax

  • Enthusiast Member
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #142 on: October 20, 2018, 06:31:06 AM »
Code: [Select]
Breakpoint 1, 0x000000000020f0a4 in ?? ()
(gdb)  display/i $pc
1: x/i $pc
=> 0x20f0a4: lwz     r16,28(r3)
(gdb) stepi
0x000000000020f0a8 in ?? ()
1: x/i $pc
=> 0x20f0a8: mtsrr0  r5
(gdb) stepi
0x000000000020f0ac in ?? ()
1: x/i $pc
=> 0x20f0ac: li      r0,12288
(gdb) stepi
0x000000000020f0b0 in ?? ()
1: x/i $pc
=> 0x20f0b0: mtsrr1  r0
(gdb) stepi
0x000000000020f0b4 in ?? ()
1: x/i $pc
=> 0x20f0b4: rfi

Can you show me the value of R5 at 0x20f0b4 (before executing rfi)?

Offline darthnVader

  • Platinum Member
  • *****
  • Posts: 679
  • New Member
Re: G5 qemu attempts.
« Reply #143 on: October 20, 2018, 07:13:41 AM »
Code: [Select]
Breakpoint 1, 0x000000000020f0a4 in ?? ()
(gdb)  display/i $pc
1: x/i $pc
=> 0x20f0a4: lwz     r16,28(r3)
(gdb) stepi
0x000000000020f0a8 in ?? ()
1: x/i $pc
=> 0x20f0a8: mtsrr0  r5
(gdb) stepi
0x000000000020f0ac in ?? ()
1: x/i $pc
=> 0x20f0ac: li      r0,12288
(gdb) stepi
0x000000000020f0b0 in ?? ()
1: x/i $pc
=> 0x20f0b0: mtsrr1  r0
(gdb) stepi
0x000000000020f0b4 in ?? ()
1: x/i $pc
=> 0x20f0b4: rfi

Can you show me the value of R5 at 0x20f0b4 (before executing rfi)?

Code: [Select]
(gdb) stepi
0x000000000020f0b4 in ?? ()
1: x/i $pc
=> 0x20f0b4: rfi
(gdb) p/x $r5
$1 = 0x20f0b8
(gdb)

Offline darthnVader

  • Platinum Member
  • *****
  • Posts: 679
  • New Member
Re: G5 qemu attempts.
« Reply #144 on: October 20, 2018, 07:31:12 AM »
I believe it's bit 56 and/or 57.

I finally got my hands on the 970FX manual.

There are actually two forms of the dcbz instruction on 970FX: dcbz and dcbzl. The opcode of the former has bit 10 always unset. Setting bit 10 to '1' turns dcbz to dcbzl on G5.
The opcode & 0x00200000 expression in the above mentioned code snippet checks for this precise form.

Bits of the HID5 related to dcbz are 56 and 57. They have the following meaning:

Code: [Select]
HID5[57] value     HID5[56] value     Meaning
--------------     --------------     -------
1                  ignored            makes dcbz an illegal instruction
0                  0                  cache block size = 128 bytes
0                  1                  cache block size = 32 bytes

I think this code checks if KVM is enabled:

Code: [Select]
#if defined(TARGET_PPC64)
I don't have any G5 hardware to test on. Do you think I should remove that if case, as I did before? It doesn't seem to change anything, but that doesn't mean it doesn't/won't.

Offline darthnVader

  • Platinum Member
  • *****
  • Posts: 679
  • New Member
Re: G5 qemu attempts.
« Reply #145 on: October 20, 2018, 07:53:14 AM »
Unfortunately, that RTASFairyDust function in the Mac OS ROM's exception table tries to clear the BATs before jumping into the NK. Even if the RelocationEngine finishes correctly, the loaded Mac OS ROM will have crashed before a single instruction in the NK is executed.

Is that going to be a problem on the 970? ELN stated that it does have BAT registers.
Neither have BATs.

Neither the 970, 970fx, nor the 970mp have BAT?

Quote
1.2.6 PowerPC Memory Management Model
The PowerPC memory management unit (MMU) specifications are provided by the PowerPC OEA. The primary functions of the MMU in a PowerPC processor are to translate logical (effective) addresses to physical addresses for memory accesses and I/O accesses (most I/O accesses are assumed to be memory-mapped), and to provide access protection on a block or page basis.
Note: Many aspects of memory management are implementation-dependent. The description in Chapter 7, Memory Management, describes the conceptual model of a PowerPC MMU; however, PowerPC processors may differ in the specific hardware used to implement the MMU model of the OEA.
PowerPC processors require address translation for two types of transactions—instruction accesses and data accesses to memory (typically generated by load and store instructions).
The memory management specification of the PowerPC OEA includes models for both 32 and 64-bit implementations. The MMU of a 64-bit PowerPC processor provides 2^64 bytes of effective address space accessible to supervisor and user programs with support for two page sizes; a 4-Kbyte page size (2^12) and a large page whose size is implementation dependent (2^p where 13 ≤ p ≤ 28). PowerPC 32-bit processors also have a block address translation (BAT) mechanism for mapping large blocks of memory. Block sizes range from 128 Kbyte to 256 Mbyte and are software-selectable. The MMU of 64-bit PowerPC processors uses an interim virtual address (between 65 and 80 bits) and hashed page tables in the generation of physical addresses that are ≤62 bits in length.

https://wiki.alcf.anl.gov/images/f/fb/PowerPC_-_Assembly_-_IBM_Programming_Environment_2.3.pdf

Offline powermax

  • Enthusiast Member
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #146 on: October 20, 2018, 11:29:59 AM »
Code: [Select]
(gdb) stepi
0x000000000020f0b4 in ?? ()
1: x/i $pc
=> 0x20f0b4: rfi
(gdb) p/x $r5
$1 = 0x20f0b8
(gdb)

Try to set a breakpoint at 0x20f0b8, then "cont". Does execution halt there?

Offline darthnVader

  • Platinum Member
  • *****
  • Posts: 679
  • New Member
Re: G5 qemu attempts.
« Reply #147 on: October 20, 2018, 02:24:34 PM »
Code: [Select]
(gdb) stepi
0x000000000020f0b4 in ?? ()
1: x/i $pc
=> 0x20f0b4: rfi
(gdb) p/x $r5
$1 = 0x20f0b8
(gdb)

Try to set a breakpoint at 0x20f0b8, then "cont". Does execution halt there?

Doesn't break there, just "Continuing.".

Offline powermax

  • Enthusiast Member
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #148 on: October 20, 2018, 02:46:16 PM »
Code: [Select]
(gdb) stepi
0x000000000020f0b4 in ?? ()
1: x/i $pc
=> 0x20f0b4: rfi
(gdb) p/x $r5
$1 = 0x20f0b8
(gdb)

Try to set a breakpoint at 0x20f0b8, then "cont". Does execution halt there?

Doesn't break there just "continuing".

This is bad. That means that "rfi" doesn't work as expected. RFI (return from interrupt) can be understood as an unconditional jump with MSR update and context synchronization in this precise case. We're going to arrive at 0x20f0b8 with another CPU state (MSR=0x3000, i.e. external exceptions off, floating point and machine check exceptions turned on). For this purpose, we placed the destination address 0x20f0b8 into SRR0 and the new MSR value into SRR1 and, finally, invoke "rfi", which should wait for all of the CPU's internal processing to be completed (just think about the superscalar architecture executing several instructions per clock cycle, see https://en.wikipedia.org/wiki/Superscalar_processor), update the MSR and transfer control to the destination address.

If I interpret your debug output correctly, the program will never get to 0x20f0b8 but will be dropped into an exception handler at 0x104? Anyway, it looks odd...

Can you check how the corresponding code behaves on G4? Does it arrive at 0x20f0b8 when tracing past "rfi"? Does the breakpoint at 0x20f0b8 work?

Offline darthnVader

  • Platinum Member
  • *****
  • Posts: 679
  • New Member
Re: G5 qemu attempts.
« Reply #149 on: October 20, 2018, 02:51:30 PM »
Yes, on the G4 it breaks there:

Code: [Select]
gdb) target remote localhost:1234
Remote debugging using localhost:1234
0x00000000fff00100 in ?? ()
(gdb) cont
Continuing.

Breakpoint 1, 0x000000000020f0b8 in ?? ()
(gdb)

Offline Daniel

  • Gold Member
  • *****
  • Posts: 300
  • Programmer, Hacker, Thinker
Re: G5 qemu attempts.
« Reply #150 on: October 20, 2018, 02:55:03 PM »
I recently read the 64-bit PowerPC spec. You are not supposed to use rfi on those systems. Use rfid instead. Any instruction that writes to a 64-bit register will have a "d" at the end of it.

Offline powermax

  • Enthusiast Member
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #151 on: October 20, 2018, 03:07:42 PM »
I recently read the 64-bit PowerPC spec. You are not supposed to use rfi on those systems. Use rfid instead. Any instruction that writes to a 64-bit register will have a "d" at the end of it.

Thank you. That explains the issue. We don't even need BAT to shoot ourselves to the dark side of the moon :o

Offline powermax

  • Enthusiast Member
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #152 on: October 20, 2018, 03:46:44 PM »
I recently read the 64-bit PowerPC spec. You are not supposed to use rfi on those systems. Use rfid instead. Any instruction that writes to a 64-bit register will have a "d" at the end of it.

Thank you. That explains the issue. We don't even need BAT to shoot ourselves to the dark side of the moon :o

I'm curious what happens when attempting to execute "rfi" on a real G5. Unfortunately, neither the 970fx manual nor the 970mp manual describes this case. My feeling is that "rfi" should be treated as an illegal instruction and trigger the program exception.

What QEMU does (jumping to 0x104) cannot be called predictable behavior...

Offline Daniel

  • Gold Member
  • *****
  • Posts: 300
  • Programmer, Hacker, Thinker
Re: G5 qemu attempts.
« Reply #153 on: October 20, 2018, 05:17:13 PM »
I recently read the 64-bit PowerPC spec. You are not supposed to use rfi on those systems. Use rfid instead. Any instruction that writes to a 64-bit register will have a "d" at the end of it.

Thank you. That explains the issue. We don't even need BAT to shoot ourselves to the dark side of the moon :o

I'm curious what happens when attempting to execute "rfi" on a real G5. Unfortunately, neither the 970fx manual nor the 970mp manual describes this case. My feeling is that "rfi" should be treated as an illegal instruction and trigger the program exception.

What QEMU does (jumping to 0x104) cannot be called predictable behavior...
The PowerPC 64-bit OEA doesn't even mention rfi at all. It only talks about rfid. I guess changing this is yet another thing we have to do to get the G5 working.
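
An added example, not code from the thread or from QEMU, that puts the instruction-level points of Replies #144, #148 and #150 into one runnable C file: it decodes the five words the gdb trace shows at 0x20f0a4..0x20f0b4 (the `mtsrr0`/`mtsrr1` pair and the `rfi` itself), distinguishes `rfi` (opcode 19, XO 50) from `rfid` (opcode 19, XO 18), recognises the 970's `dcbzl` form by the bit-10 test `opcode & 0x00200000` that powermax quoted, names the MSR bits that the `li r0,12288` / `mtsrr1 r0` sequence installs (0x3000 = FP and ME set, EE clear), and finally does the patch darthnVader proposes at the end of the thread, rewriting every `rfi` word in a big-endian image to `rfid`. The opcode, XO, SPR and MSR bit values are from the PowerPC ISA; `ppc_decode`, `msr_decode`, `patch_rfi_to_rfid`, `demo_patch_sample` and the `sample_image` bytes (hand-assembled from the trace) are constructed for this example.

```c
/* Added example, not code from the thread or from QEMU: decode the instruction
 * words that matter in the trace above, name the MSR bits loaded into SRR1, and
 * rewrite 32-bit `rfi` words to `rfid` in a big-endian image. Opcode, XO, SPR
 * and MSR bit values are from the PowerPC ISA; names and sample are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PPC_RFI  0x4C000064u  /* opcode 19, XO 50: 32-bit return from interrupt */
#define PPC_RFID 0x4C000024u  /* opcode 19, XO 18: the 64-bit (970) form */
#define BIT10    0x00200000u  /* IBM bit 10 of the word: turns dcbz into dcbzl */

static unsigned opcd(uint32_t i) { return i >> 26; }
static unsigned xo10(uint32_t i) { return (i >> 1) & 0x3ff; }
static unsigned rd(uint32_t i)   { return (i >> 21) & 0x1f; }
static unsigned ra(uint32_t i)   { return (i >> 16) & 0x1f; }
static unsigned rb(uint32_t i)   { return (i >> 11) & 0x1f; }
/* SPR number: its two 5-bit halves are stored swapped in the instruction. */
static unsigned spr(uint32_t i)  { return ra(i) | (rb(i) << 5); }

/* Mnemonic for the forms seen in the trace; anything else is dumped raw. */
const char *ppc_decode(uint32_t insn, char *buf, size_t n)
{
    unsigned op = opcd(insn), xo = xo10(insn);
    if (op == 14 && ra(insn) == 0)                 /* addi rD,0,imm prints as li */
        snprintf(buf, n, "li r%u,%d", rd(insn), (int16_t)(insn & 0xffff));
    else if (op == 32)
        snprintf(buf, n, "lwz r%u,%d(r%u)", rd(insn), (int16_t)(insn & 0xffff), ra(insn));
    else if (op == 19 && (xo == 50 || xo == 18))
        snprintf(buf, n, "%s", xo == 50 ? "rfi" : "rfid");
    else if (op == 31 && xo == 467 && (spr(insn) == 26 || spr(insn) == 27))
        snprintf(buf, n, "mtsrr%u r%u", spr(insn) - 26, rd(insn));  /* mtspr SRR0/SRR1 */
    else if (op == 31 && xo == 1014)               /* dcbz, or dcbzl when bit 10 is set */
        snprintf(buf, n, "%s r%u,r%u", (insn & BIT10) ? "dcbzl" : "dcbz", ra(insn), rb(insn));
    else
        snprintf(buf, n, ".long 0x%08x", (unsigned)insn);
    return buf;
}

/* Names of the set MSR bits (32-bit numbering), e.g. "FP ME" for 0x3000. */
const char *msr_decode(uint32_t msr, char *buf, size_t n)
{
    static const struct { uint32_t mask; const char *name; } bits[] = {
        { 0x8000, "EE" }, { 0x4000, "PR" }, { 0x2000, "FP" }, { 0x1000, "ME" }, { 0x20, "IR" }, { 0x10, "DR" },
    };
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof bits / sizeof bits[0]; i++) {
        if (!(msr & bits[i].mask)) continue;
        if (buf[0]) strncat(buf, " ", n - strlen(buf) - 1);
        strncat(buf, bits[i].name, n - strlen(buf) - 1);
    }
    return buf;
}

/* Wrappers over one static buffer, convenient for one-off checks. */
static char g_buf[64];
const char *decode_str(uint32_t insn) { return ppc_decode(insn, g_buf, sizeof g_buf); }
const char *msr_str(uint32_t msr)     { return msr_decode(msr, g_buf, sizeof g_buf); }

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* Rewrite every word-aligned `rfi` in a big-endian image to `rfid`, in place,
 * returning the number of words changed. A data word can collide with
 * 0x4C000064, so on a real ROM each hit still deserves a look at its context. */
size_t patch_rfi_to_rfid(uint8_t *image, size_t len)
{
    size_t patched = 0;
    for (size_t off = 0; off + 4 <= len; off += 4) {
        if (be32(image + off) != PPC_RFI) continue;
        image[off] = PPC_RFID >> 24;             image[off + 1] = (PPC_RFID >> 16) & 0xff;
        image[off + 2] = (PPC_RFID >> 8) & 0xff; image[off + 3] = PPC_RFID & 0xff;
        patched++;
    }
    return patched;
}

/* Constructed sample: the five words the trace shows at 0x20f0a4..0x20f0b4. */
static const uint8_t sample_image[] = {
    0x82, 0x03, 0x00, 0x1C,  /* lwz    r16,28(r3) */
    0x7C, 0xBA, 0x03, 0xA6,  /* mtsrr0 r5 */
    0x38, 0x00, 0x30, 0x00,  /* li     r0,12288 */
    0x7C, 0x1B, 0x03, 0xA6,  /* mtsrr1 r0 */
    0x4C, 0x00, 0x00, 0x64,  /* rfi */
};

/* Copy the sample, patch it, and return the word that replaced the rfi (0 if none). */
uint32_t demo_patch_sample(void)
{
    uint8_t img[sizeof sample_image];
    memcpy(img, sample_image, sizeof img);
    return patch_rfi_to_rfid(img, sizeof img) == 1 ? be32(img + 16) : 0;
}

int main(void)
{
    for (size_t off = 0; off < sizeof sample_image; off += 4)
        printf("0x%06zx: %s\n", (size_t)0x20f0a4 + off, decode_str(be32(sample_image + off)));
    printf("SRR1 = 0x3000 -> MSR bits: %s\n", msr_str(0x3000));
    printf("after patching, the word at 0x20f0b4 decodes as %s\n", decode_str(demo_patch_sample()));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the output lists the five decoded words, the MSR bits, and the patched word. The decoder works on any 32-bit word, not only the five in the trace, so it can be pointed at other parts of an image. The caveat in `patch_rfi_to_rfid` matters on a real ROM: the scan is a plain word match, so a data word equal to 0x4C000064 would be rewritten too, and each hit should be confirmed as code (for example by checking for the `mtsrr0`/`mtsrr1` pair just before it) before the patch is applied.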

Offline Naiw

  • Veteran Member
  • ****
  • Posts: 126
  • new to the forums
Re: G5 qemu attempts.
« Reply #154 on: October 21, 2018, 02:21:00 AM »
Unfortunately, that RTASFairyDust function in the Mac OS ROM's exception table tries to clear the BATs before jumping into the NK. Even if the RelocationEngine finishes correctly, the loaded Mac OS ROM will have crashed before a single instruction in the NK is executed.

Is that going to be a problem on the 970? ELN stated that it does have BAT registers.
Neither have BATs.

Neither the 970, 970fx, nor the 970mp have BAT?

Correct, none of the "G5s" have BAT registers, nor do they follow the PowerPC specification (the absence of pseudo little-endian mode is the most well-known divergence).

It doesn't matter what data sheets or general PowerPC docs say; the 970 and its siblings are not PPC compliant outside of UISA.

Offline powermax

  • Enthusiast Member
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #155 on: October 21, 2018, 03:57:48 AM »
Correct, none of the "G5s" have BAT registers, nor do they follow the PowerPC specification (the absence of pseudo little-endian mode is the most well-known divergence).

It doesn't matter what data sheets or general PowerPC docs say; the 970 and its siblings are not PPC compliant outside of UISA.

Well, this implies that all supervisor-level code must be redesigned for G5 and provided as a switchable alternative to the existing PowerPC32 code in order to run on newer hardware. Fortunately, the amount of supervisor-level code in MacOS9 isn't large compared to the XNU kernel. The only component allowed to execute as supervisor is the Nanokernel. All others run either under emulation or in user mode (including the emulator itself)...

Offline Naiw

  • Veteran Member
  • ****
  • Posts: 126
  • new to the forums
Re: G5 qemu attempts.
« Reply #156 on: October 21, 2018, 06:43:03 AM »
Correct, none of the "G5s" have BAT registers, nor do they follow the PowerPC specification (the absence of pseudo little-endian mode is the most well-known divergence).

It doesn't matter what data sheets or general PowerPC docs say; the 970 and its siblings are not PPC compliant outside of UISA.

Well, this implies that all supervisor-level code must be redesigned for G5 and provided as a switchable alternative to the existing PowerPC32 code in order to run on newer hardware. Fortunately, the amount of supervisor-level code in MacOS9 isn't large compared to the XNU kernel. The only component allowed to execute as supervisor is the Nanokernel. All others run either under emulation or in user mode (including the emulator itself)...

Yes. And on top of that, basically no peripheral would work on the G5 even if the nanokernel is fixed.

Mac OS certainly doesn't know how to deal with PCI-X or PCIe either, so it's a long road ahead if going that path.

I think it would be more interesting doing something similar to Classic but with Linux and a nanokernel shim (but at the same time MacOnLinux is there already)

Offline ELN

  • Gold Member
  • *****
  • Posts: 295
  • new to the forums
Re: G5 qemu attempts.
« Reply #157 on: October 21, 2018, 07:46:48 AM »
I stand corrected about the 970 having BATs. For some reason I thought that Amit Singh had made that claim in Mac OS X Internals. Oops!

Offline powermax

  • Enthusiast Member
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #158 on: October 21, 2018, 09:41:45 AM »
I think it would be more interesting doing something similar to Classic but with Linux and a nanokernel shim (but at the same time MacOnLinux is there already)

Classic has had a lot of performance and compatibility related issues. I remember not being able to use DAW software under Classic at all. I doubt we could do it better than Apple...

Offline darthnVader

  • Platinum Member
  • *****
  • Posts: 679
  • New Member
Re: G5 qemu attempts.
« Reply #159 on: October 21, 2018, 09:46:18 AM »
I stand corrected about the 970 having BATs. For some reason I thought that Amit Singh had made that claim in Mac OS X Internals. Oops!

No worries, we all have selective memory sometimes ;D

If we want OS 9 to run on the G5 CPU, we're going to have to find a way to patch 'rfi', which is not a small task.

Unfortunately that's outside my wheelhouse, but at least we have some understanding of what we need to do: 'rfi' > BAT patches. That's further along than we were when this thread started. I know I learned a lot, and hopefully we can come up with some ideas on how to move forward with this; maybe one day we'll get over the hump, as it were.

Thanks for everyone's input, very interesting stuff.