// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright 2019, Gustavo Romero, Michael Neuling, IBM Corp.
 *
 * This test will spawn two processes. Both will be attached to the same
 * CPU (CPU 0). The child will be in a loop writing to FP register f31 and
 * VMX/VEC/Altivec register vr31 a known value, called poison, calling
 * sched_yield syscall after to allow the parent to switch on the CPU.
 * Parent will set f31 and vr31 to 1 and in a loop will check if f31 and
 * vr31 remain 1 as expected until a given timeout (2m). If the issue is
 * present child's poison will leak into parent's f31 or vr31 registers,
 * otherwise, poison will never leak into parent's f31 and vr31 registers.
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <inttypes.h>
#include <sched.h>
#include <sys/types.h>
#include <signal.h>

#include "tm.h"

int tm_poison_test(void)
{
	int cpu, pid;
	cpu_set_t cpuset;
	uint64_t poison = 0xdeadbeefc0dec0fe;
	uint64_t unknown = 0;
	bool fail_fp = false;
	bool fail_vr = false;

	SKIP_IF(!have_htm());
	SKIP_IF(htm_is_synthetic());

	cpu = pick_online_cpu();
	FAIL_IF(cpu < 0);

	// Attach both Child and Parent to the same CPU
	CPU_ZERO(&cpuset);
	CPU_SET(cpu, &cpuset);
	FAIL_IF(sched_setaffinity(0, sizeof(cpuset), &cpuset) != 0);

	pid = fork();
	if (!pid) {
		/**
		 * child
		 */
		while (1) {
			sched_yield();
			asm (
				"mtvsrd 31, %[poison];" // f31 = poison
				"mtvsrd 63, %[poison];" // vr31 = poison

				: : [poison] "r" (poison) : );
		}
	}

	/**
	 * parent
	 */
	asm (
		/*
		 * Set r3, r4, and f31 to known value 1 before entering
		 * in transaction. They won't be written after that.
		 */
		"       li      3, 0x1          ;"
		"       li      4, 0x1          ;"
		"       mtvsrd  31, 4           ;"

		/*
		 * The Time Base (TB) is a 64-bit counter register that is
		 * independent of the CPU clock and which is incremented
		 * at a frequency of 512000000 Hz, so every 1.953125ns.
		 * So it's necessary 120s/0.000000001953125s = 61440000000
		 * increments to get a 2 minutes timeout. Below we set that
		 * value in r5 and then use r6 to track initial TB value,
		 * updating TB values in r7 at every iteration and comparing it
		 * to r6. When r7 (current) - r6 (initial) > 61440000000 we bail
		 * out since for sure we spent already 2 minutes in the loop.
		 * SPR 268 is the TB register.
		 */
		"       lis     5, 14           ;"
		"       ori     5, 5, 19996     ;"
		"       sldi    5, 5, 16        ;" // r5 = 61440000000

		"       mfspr   6, 268          ;" // r6 (TB initial)
		"1:     mfspr   7, 268          ;" // r7 (TB current)
		"       subf    7, 6, 7         ;" // r7 - r6 > 61440000000 ?
		"       cmpd    7, 5            ;"
		"       bgt     3f              ;" // yes, exit

		/*
		 * Main loop to check f31
		 */
		"       tbegin.                 ;" // no, try again
		"       beq     1b              ;" // restart if no timeout
		"       mfvsrd  3, 31           ;" // read f31
		"       cmpd    3, 4            ;" // f31 == 1 ?
		"       bne     2f              ;" // broken :-(
		"       tabort. 3               ;" // try another transaction
		"2:     tend.                   ;" // commit transaction
		"3:     mr    %[unknown], 3     ;" // record r3

		: [unknown] "=r" (unknown)
		:
		: "cr0", "r3", "r4", "r5", "r6", "r7", "vs31"

		);

	/*
	 * On leak 'unknown' will contain 'poison' value from child,
	 * otherwise (no leak) 'unknown' will contain the same value
	 * as r3 before entering in transactional mode, i.e. 0x1.
	 */
	fail_fp = unknown != 0x1;
	if (fail_fp)
		printf("Unknown value %#"PRIx64" leaked into f31!\n", unknown);
	else
		printf("Good, no poison or leaked value into FP registers\n");

	asm (
		/*
		 * Set r3, r4, and vr31 to known value 1 before entering
		 * in transaction. They won't be written after that.
		 */
		"       li      3, 0x1          ;"
		"       li      4, 0x1          ;"
		"       mtvsrd  63, 4           ;"

		"       lis     5, 14           ;"
		"       ori     5, 5, 19996     ;"
		"       sldi    5, 5, 16        ;" // r5 = 61440000000

		"       mfspr   6, 268          ;" // r6 (TB initial)
		"1:     mfspr   7, 268          ;" // r7 (TB current)
		"       subf    7, 6, 7         ;" // r7 - r6 > 61440000000 ?
		"       cmpd    7, 5            ;"
		"       bgt     3f              ;" // yes, exit

		/*
		 * Main loop to check vr31
		 */
		"       tbegin.                 ;" // no, try again
		"       beq     1b              ;" // restart if no timeout
		"       mfvsrd  3, 63           ;" // read vr31
		"       cmpd    3, 4            ;" // vr31 == 1 ?
		"       bne     2f              ;" // broken :-(
		"       tabort. 3               ;" // try another transaction
		"2:     tend.                   ;" // commit transaction
		"3:     mr    %[unknown], 3     ;" // record r3

		: [unknown] "=r" (unknown)
		:
		: "cr0", "r3", "r4", "r5", "r6", "r7", "vs63"

		);

	/*
	 * On leak 'unknown' will contain 'poison' value from child,
	 * otherwise (no leak) 'unknown' will contain the same value
	 * as r3 before entering in transactional mode, i.e. 0x1.
	 */
	fail_vr = unknown != 0x1;
	if (fail_vr)
		printf("Unknown value %#"PRIx64" leaked into vr31!\n", unknown);
	else
		printf("Good, no poison or leaked value into VEC registers\n");

	kill(pid, SIGKILL);

	return (fail_fp | fail_vr);
}

int main(int argc, char *argv[])
{
	/* Test completes in about 4m */
	test_harness_set_timeout(250);
	return test_harness(tm_poison_test, "tm_poison_test");
}