ec82764bef
RTL (GS rasterizer, EE core stub, platform bridge, LPDDR4B path), sim regression (272 TBs), docs, and tooling. Copyrighted PS2 content (BIOS, game code, GS dumps, and all dump-derived textures/traces) is excluded via .gitignore and stays local. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
151 lines
5.5 KiB
Markdown
151 lines
5.5 KiB
Markdown
# Ch289 closeout — syscall 0x78 HLE + runner-side observer; next is syscall 0x12 (handler install)
|
|
|
|
**Status:** Closed. **Verdict from re-running qbert.elf:**
|
|
`elf_first_unhandled_syscall (pc=0x00112A54 $v1=0x12 (=18))`.
|
|
qbert advanced 27,920 → **27,930 retires (+10)** through the
|
|
Ch289 syscall and into the next one. The new runner-side observer
|
|
worked first try:
|
|
|
|
```
|
|
syscall_0x78 = seen=1 count=1 first_pc=0x00112aa4
|
|
$a0=0x00000000 $a1=0x00130000 $a2=0x20000000 $a3=0x001328c0 → $v0=0
|
|
```
|
|
|
|
count=1 means qbert called syscall 0x78 exactly once, took our
|
|
$v0=0 return, and continued. No tight loop or error branch — the
|
|
return shape is good for at least the first occurrence.
|
|
|
|
## What landed
|
|
|
|
### Dispatcher case — `rtl/ee/ee_core_stub.sv`
|
|
|
|
One new case in the existing Ch273 HLE switch, identical shape to
|
|
Ch285's 0x40 case:
|
|
|
|
```sv
|
|
32'h0000_0078: begin
|
|
regfile[2] <= 32'd0;
|
|
gpr128[2] <= 128'd0;
|
|
pc <= pc + 32'd4;
|
|
retire_pulse <= 1'b1;
|
|
state <= S_IFETCH_REQ;
|
|
end
|
|
```
|
|
|
|
### Focused TB extension — `tb_ee_core_syscall_hle.sv`
|
|
|
|
The same mechanical pattern used for the Ch285 0x40 extension:
|
|
4 new BIOS slots (`S_ORI_V1_78` / `S_SYS_78` / `S_BNE_78` /
|
|
`S_DS_78`), a new latch group (`v0_after_78` / `seen_78_return`),
|
|
a new init in the initial block, a new arm in the trace
|
|
always_ff, a new post-halt assertion, and a new field in the final
|
|
display. The UN/FAIL slot indices bumped by 4. The TB now covers
|
|
five known syscall numbers (3C / 3D / 40 / 64 / 78) plus the
|
|
unknown-halt path.
|
|
|
|
Result: `retired=25 halt=1 trap=0 errors=0 PASS`. Final display:
|
|
```
|
|
$v0_after_3C=0x001e0000 $v0_after_3D=0x00000000 $v0_after_64=0x00000000 $v0_after_40=0x00000000 $v0_after_78=0x00000000 $v1_at_halt=0x00007777
|
|
```
|
|
|
|
### Runner-side observer — `tb_ee_core_elf_runner.sv`
|
|
|
|
Per Codex's "named trace/log line for syscall 0x78" ask, a small
|
|
observer block captures the first occurrence of the syscall during
|
|
the qbert run:
|
|
|
|
```sv
|
|
if (core_ev_valid && u_core.retired_instr == 32'h0000_000C
|
|
&& u_core.regfile[3] == 32'h0000_0078) begin
|
|
syscall_0x78_count <= syscall_0x78_count + 1;
|
|
if (!seen_syscall_0x78) begin
|
|
seen_syscall_0x78 <= 1'b1;
|
|
syscall_0x78_first_pc <= u_core.retired_pc;
|
|
syscall_0x78_first_a0 <= u_core.regfile[4];
|
|
...
|
|
end
|
|
end
|
|
```
|
|
|
|
And a SUMMARY line:
|
|
```
|
|
[tb_ee_core_elf_runner] syscall_0x78 = seen=1 count=1 first_pc=0x00112aa4
|
|
$a0=0x00000000 $a1=0x00130000 $a2=0x20000000 $a3=0x001328c0 → $v0=0
|
|
```
|
|
|
|
Pattern is extensible: any future HLE'd syscall whose arg shape
|
|
matters can drop a parallel observer block in. Each new tracked
|
|
syscall costs ~10 LOC: declarations, init, observer, summary line.
|
|
|
|
## qbert progression
|
|
|
|
| Chapter | Blocker | retire_count |
|
|
|---|---|---|
|
|
| Post-Ch286 (EI) | unmapped 0x1000E010 D_STAT | 27,907 |
|
|
| Post-Ch287 (DMAC ctrl) | unmapped 0x1000C000 ch4 | 27,912 |
|
|
| Post-Ch288 (DMAC passive) | syscall $v1=0x78 at 0x00112AA4 | 27,920 |
|
|
| **Post-Ch289 (syscall 0x78)** | **syscall $v1=0x12 at 0x00112A54** | **27,930** |
|
|
|
|
Three chapters in a row each in the +5 to +10 range — qbert is
|
|
sweeping through its kernel-init sequence one HLE call at a time.
|
|
|
|
## Ch290 framing — syscall 0x12
|
|
|
|
Args at halt (the new blocker):
|
|
- `$v1 = 0x12` (= 18 decimal)
|
|
- `$a0 = 0x00000005` — small int. Likely an IRQ number, priority,
|
|
or handler slot index.
|
|
- `$a1 = 0x00112AB0` — falls in code segment (qbert main range
|
|
was around 0x00112xxx). Almost certainly a **function pointer**.
|
|
- `$a2 = 0x00000000` — null/context.
|
|
- `$a3 = 0x001328C0` — data pointer (consistent with the
|
|
$a3 seen in 0x78 and earlier syscalls — looks like a global
|
|
context block).
|
|
|
|
Shape: `(int small_id, fn_ptr handler, void* ctx0, void* ctx1)` —
|
|
this is the classic **handler-install** pattern. PS2 standard
|
|
syscall table cites names like `AddIntcHandler` (syscall 16/0x10),
|
|
`RemoveIntcHandler` (syscall 17/0x11), and **`AddDmacHandler`**
|
|
(syscall 18/0x12) in this range — so $a0=5 is plausibly a DMAC
|
|
channel number (we landed in the DMAC region last chapter; channel
|
|
5 = SIF0).
|
|
|
|
Per the Ch285 precedent: first pass returns `$v0 = 0` ("handler
|
|
installed OK") and PC += 4. If qbert misbranches downstream, the
|
|
fallback shapes to try are: $v0 = $a0 (returns the slot index for
|
|
later RemoveIntcHandler), or $v0 = some non-zero handle. The
|
|
runner-side observer pattern from Ch289 makes the diagnostic cheap.
|
|
|
|
## Files changed
|
|
|
|
- `rtl/ee/ee_core_stub.sv` — one new HLE case (~10 LOC).
|
|
- `sim/tb/integration/tb_ee_core_syscall_hle.sv` — extended with
|
|
syscall 0x78 case (slots / latch / assertion / display).
|
|
- `sim/tb/integration/tb_ee_core_elf_runner.sv` — syscall_0x78
|
|
observer + SUMMARY line.
|
|
|
|
No new TB, no new Makefile target; regression count unchanged at
|
|
**175/175**.
|
|
|
|
## Pattern review (19 chapters)
|
|
|
|
| Ch | Blocker | Pattern |
|
|
|-----|--------------|---------|
|
|
| 271..286 | opcodes | opcode-era |
|
|
| 287 | DMAC ctrl MMIO | NEW MMIO stub |
|
|
| 288 | DMAC passive | REUSE Ch287 pattern |
|
|
| **289** | **syscall 0x78** | **REUSE Ch273/285 dispatcher** |
|
|
|
|
Two narrow HLE extensions in five chapters (Ch285 + Ch289). The
|
|
Ch273 dispatcher's switch-by-$v1 architecture continues to absorb
|
|
new cases with minimal cost. The new runner-side observer pattern
|
|
is a small upgrade that pays for itself the first time a syscall
|
|
return value is wrong — instead of re-reading the trace file, the
|
|
SUMMARY block tells you immediately what qbert handed the kernel.
|
|
|
|
## Regression
|
|
|
|
**175/175 PASS** (unchanged from Ch288; no new TB added in this
|
|
chapter, existing tb_ee_core_syscall_hle extended in place and
|
|
runner observer added).
|