Work Completed on the HP 2100 Simulator
=======================================

General
-------

+ Add SET ALL ENABLED/DISABLED command.

+ Add "io_initialize" function pointer to DIB. Modify all DIBs to add routine or null pointer.

+ Change the _boot (unitno, dptr) calling sequences:
  - LOAD CPU: (select_code, NULL) --> S unchanged
  - LOAD DC:  (-1, &dc_dev)       --> S contains unit, SC merged
  - LOAD DC0: (0, &dc_dev)        --> unit from DC0, SC merged

+ Executing a DO file (typically) sets sim_quiet to suppress noise during diagnostic runs. But if the DO file runs RTE, then stopping at a breakpoint set in concurrent mode DOES NOT report the breakpoint message. The general problem is that breakpoint and step messages are suppressed during DO file execution to avoid noise. But a breakpoint that returns control to the user because a RUN was the last command in the file DOES want to be reported, so that the user knows why execution stopped.

+ Executing a DO file (typically) sets sim_quiet to suppress noise during diagnostic runs. But if the DO file runs RTE, then attaching a non-existent file interactively DOES NOT report file creation if done concurrently but DOES report it if simulation stopped first. Concurrent commands should temporarily revert to the global sim_quiet setting and then restore it after completion.

+ First lines in a trace are typically not properly aligned. Alignment occurs when "initialize_io" is called during the instruction prelude. However, tracing often occurs when a RUN or BOOT causes the CPU to send PRESET to all devices before "initialize_io" is called. Fix by doing an alignment scan in the SET command extension (to pick up SET DEBUG, SET NODEBUG, and SET CONSOLE DEBUG commands that affect alignment) and then calling a VM hook (vm_align_trace) to set the alignment sizes of the device and flag names.

+ DEP LPT OVPCHR 'X fails (stores '); wants plain X. 3000 is opposite! DEP LP OVPCHR X fails (Invalid argument); wants 'X. 3000 is correct: ' is same as -A.
+ Remove REG_FIT and REG_UNIT flags (obsolete).

+ Arrayed uint32 registers don't work with widths <= 16. Needs an SCP change.

+ Add POWER FAIL / RESTORE commands.

+ "hp_trace" should detect output to stdout and change LF to CR LF in the format string. Console is in raw mode, and on Unix that means that LF is output as LF, so lines march across the page. On Windows, LF through a stream write is converted to CR LF, so it's not needed but is visually OK. Must not do unilateral change, as output to a file would produce CR CR LF on Windows, CR LF on Unix -- both are wrong.

+ Eliminate simulator reliance on common (i.e., weak external) variables. This affects sim_vm_release, vm_console_input_unit, vm_console_output_unit, and vm_sim_vm_init. Set the hooks explicitly in the one-time startup routine, which should be keyed to USE_VM_INIT.

+ Remove SCP 4.x accommodations (CONST, tmxr_set_get_, hp2100_disclib, etc).

+ Eliminate dual-version software kit command files.

+ Add logical operators to the IF command (4.x). Current chained form, logical-operator form, and "not in" form:

    if "%1" != "" if "%1" != "2100" if -I "%1" != "21MX" if "%1" != "7900" if "%1" != "2883" if "%1" != "2766" set env ERROR=Y

    if -I "%1" != "" && "%1" != "2100" && "%1" != "21MX" && "%1" != "7900" && "%1" != "2883" && "%1" != "2766" set env ERROR=Y

    if -I "%1" not in "","2100","21MX","21MX-E","7900","7905","7920","2883" set env ERROR=1

+ 4.x makefile add: hp2100_cpu_fp.c, hp2100_cpu_fpp.c, hp2100_dma.c, hp2100_mc.c, hp2100_mem.c, hp2100_pt.c, hp2100_tbg.c, hp2100_tty.c

+ 4.x makefile delete: hp2100_fp.c, hp2100_fp1.c, hp2100_stddev.c

+ 4.x file delete: hp2100_cpu1.h, hp2100_fp.c, hp2100_fp.h, hp2100_fp1.c, hp2100_fp1.h, hp2100_stddev.c

+ HP2100 VC project file must be updated.

+ Replace the "Revised I/O Simulation for the HP 21xx/1000" paper.

+ SCP: command line -V makes sub-DOs verbose in 4.0 but not in 3.99.

+ Add an MC device (microcircuit) to serve as a diagnostic target and as an example I/O device.
+ Rearrange include files into:
  * defs.h (included by every module)
  * cpu.h (included by cpu[n].c, fp.c)
  * cpu_fp.h (included by cpu[n].c, fp.c)
  * cpu_cdm.h (included by cpu[n].c, dma.c, mem.c)
  * io.h (included by I/O devices [+cpu.c, dma.c, mem.c])

+ Merge hp2100_fp1.c/h into hp2100_fp.c/h.

+ Redo cnPOPIO so that it doesn't call io_initialize each time for RESET ALL.

+ Add IOBUS trace to all devices that currently don't have tracing to provide at least a minimal capability.

+ Split hp2100_stddev.c into tbg.c, tty.c, and pt.c (PTR and PTP) code modules.

+ Decide on LPS DIAG.

+ Add GO UNTIL and REPLY as synonyms for SET CONSOLE HALT and SET CONSOLE REPLY to permit interchange with SIMH 4.x. Applicable 4.x syntax:
  * GO [ ] [ UNTIL ]
  * SEND [ AFTER= ] [ ]
  The string is delineated by single or double quotes. Escapes within are "\r" for CR, "\n" for LF, "\n[n[n]]" for octal values.

  Proposed 3.x replacements:
  * GO UNTIL for SET CONSOLE HALT= (temporary)
  * BREAK "string" for SET CONSOLE HALT= (permanent)
  * NOBREAK "" for SET CONSOLE NOHALT
  * BREAK AFTER= for SET CONSOLE DELAY=
  * REPLY AFTER= to set the (new) response delay
  * REPLY for SET CONSOLE REPLY=

  Will need to accept either 3.x or 4.x escapes. 4.x halt is always immediate; EOL halt requires specifying the "\r\n" in the string. Is this OK? Also, 4.x GO UNTIL clears the string after a match. Also need to add these dummies that are ignored in 3.x:
  * IF ...
  * :label

  These types of interactions must be handled:
  1. Prompt and action after a halt (H142 PROTECT U/D,PUSH RUN). No delays required.
  2. Prompt and reply (H25 WISH TO CHANGE?). Requires a reply delay or a halt delay.
  3. Prompt and action (H115 PRESS HALT-PRESET-RUN IN LESS THAN 10 SECONDS). Requires a halt delay.
  4. No prompt and action (press CR to start MPE). Requires a reply delay.
  5. Prompt and two actions (H054 PLACE LOOP IN READER-PRESS RUN TO START READ, SET BIT0 TO 1 TO EXIT TEST, SET BIT0 TO 0). Requires STEP to halt some time after setting bit 0 to 1.
  6. Prompt and reply after a boot (SET TIME).
     Option 1:
     - DEPOSIT S 051202
     - IBL or SET CPU IBL
     - RUN UNTIL "SET TIME\R"
     Option 2:
     - DEPOSIT 0 HLT
     - RUN 0 UNTIL "SET TIME\r"
     - DEPOSIT S 000000
     - BOOT DS0

+ Ignore multiple consecutive CRSes. The 12920A mux requires 128K CLC 0 executions. If IOBUS tracing is on, that generates 50 MB of trace data! Either suppress consecutive CRS traces, or suppress consecutive dispatches (multiple CRSes are required in hardware but are redundant in software).

+ Add the -I (case-insensitive) switch to the IF command, so that a test for "21MX-E" also catches "21mx-e" and "21mx-E", etc. [4.0 compat].

+ Add SET ENV and environment expansions [4.0 compat].

+ 2000F SP and IOP command files must sync after IOP is loaded. SP loader detects IOP completion by time out on sending (because IOP is halted). However, if SP tracing is enabled, the timeout won't occur because the IOP is immediately started after the halt and enables the PI link to receive while the SP is still sending PTR trailer. IOP absorbs, so SP runs out of trailer and then spins on SFS PTR. Must have IOP wait after halt until SP completes before starting IOP.

+ Revise all _boot routines to use the correct binary loader for the CPU. Currently, the PTR (e.g.) uses the 12992K 1000 boot loader ROM even when the CPU is set to 2116 or 2100. It should use the BBL for these machines and the 12992K when the CPU is a 1000. Invalid combinations, e.g., doing BOOT DRC on a 1000 or BOOT DA on a 2100, fail with "Command not allowed."

+ Extend the LOAD command to load built-in boot loaders into memory. Revised syntax is "LOAD [ | [ ] ]". LOAD calls the boot routine associated with the device to read the loader into memory and configure it with the device's select code. [Alternate is new IBL command, but then we have separate commands for loading external vs. internal bootstraps. Alternate is SET CPU IBL, but then we need a SET IBL for every bootable device. LOAD is a reasonable analog to BOOT .]
+ DO -V causes string breaks to print "Console halt" and stop command file execution.

+ Should any symbolic register defaults be REG_A/C/M instead of REG_X? Note that Mark has added -2 for binary, so REG_X not needed just to get binary interpretation.

+ Change HP_WORD from uint16 to uint32 and add MEMORY_WORD as uint16.

+ STOP_IOE isn't really useful except in cases where there is no equivalent status available to the target OS. For example, LPT returns out-of-paper status when the unit is not attached, so stopping and returning SCPE_UNATT is redundant. On the other hand, PTR does not give any indication that the tape is missing (not attached), so STOP_IOE would help here vs. just hanging the device. STOP_IOE currently returns errors for:
  - DR (not attached [drum])
  - IPL (not used; errors are returned unconditionally)
  - LPS (not attached, offline, power off)
  - MSC (not attached, parity error [SCPE_IOERR])
  - MTC (not attached, parity error [SCPE_IOERR])
  - PTR (not attached, end of tape [SCPE_IOERR])
  - PTP (not attached)

  Of these, only IPL and PTR do not supply equivalent status. Implement STOP_IOERR for these. Options are to detect at STC and return status from dev_interface or detect at dev_service and return status there. Advantage of the former is that the sim stop shows the select code of the device (STC nn), and the instruction may be re-run after the problem is corrected, but it fails to catch, e.g., a detach between STC and service entry unless also detected at service. Advantage of the latter is only one detection needed, but the stop is disassociated from the select code of the device (although it could be saved and printed as part of the VM stop message), and the error cannot be fixed and re-run (but then it couldn't if the detach occurred between the STC and service entry). Might mitigate the latter by scheduling service with zero delay and decrementing P by two for these errors, but that requires duplicate detection at STC.
+ The interpretive switches for EXAMINE and DEPOSIT (B, D, H, O, A, C, and M) should be mutually exclusive and should return an error (SCPE_INVSW, "Invalid switch") if more than one are entered. In particular, the radix switches modify the mnemonic instruction operand interpretation (so, e.g., "DEPOSIT -O -M 1000 RRL 10" interprets the rotate count as octal rather than decimal). In the absence of switches, the lead character (numeric, alpha, ", or ') determines the interpretation, so, e.g., "DEPOSIT 1000 CCE" deposits 002300 (the CCE opcode), whereas "DEPOSIT -H 1000 CCE" deposits 006316 (the value 0xCCE). Alpha values are always interpreted as mnemonics, even if SET CPU HEX is in effect; otherwise DEP 1000 CCE would be interpreted differently, depending on the setting.

+ Need to define meaning of "DEP -H CCE" vs. "DEP -M CCE" vs. "DEP -M -H CCE". Should DEPOSIT -H 0 CCE deposit 0x0cce, even though CCE is a valid mnemonic, or does the -H apply to numeric operands (e.g., RRR F vs. RRR 17 vs. RRR 15)? Seems as though -D/-O/-H should apply to any /numbers/ specified, or to the numeric operands of mnemonic instructions if -M is included.

+ Add VIS, SIGNAL, etc. opcodes to the mnemonic display and parser.

+ Improve mnemonic display lookup for better tracing performance.

+ Convert all trace calls to use hp_trace().

+ Debug flag definitions should be universal. We try to have a consistent set across all devices; the #defines should be in hp2100_defs.h.

+ Allow binary deposition.

+ Addresses > 32K should be entered and displayed in page.offset form rather than the linear form used now. DMS maps contain page numbers, which currently must be translated to linear addresses to access.

+ EXAMINE -M with addresses > 32K have no direct meaning; they are only meaningful when mapped to the lower 32K. Currently, MRG instruction operands are entered and displayed modulo 32K (so DEP 170001 026020 and EX -M 170001 displays JMP 70020, whereas DEP 200001 026020 displays JMP 20). MRG operands should be entered and displayed in C/Z format for addresses > 32K.

+ Restrict the LOAD command to the protected loader range. Modify the command format to LOAD {}. To accommodate the 12992x source files that either ORG 7700B or ORG 77700B, we mask the load addresses to 7777B and verify that the resulting addresses are between 7700B and 7777B. The file is loaded into a 64-word buffer, which is then installed at the current memory top after the load and check are complete. If the optional select code is provided, the loader is configured to that code; otherwise, the loader is used as-is. Modify ibl_copy() to return SCPE_OK and skip configuration if the select code is < 10B.

+ The 21xx computers load the BBL (not the 12992K ROM) into protected loader memory. Configuration should be to the current PTR select code. RESET -P CPU will reload.

+ Implement the DUMP command to dump the protected loader to an absolute binary file. Note that records must be <= 60 words total length.

+ BUG: halt instructions 1060xx and 1070xx are not displayed.

+ Should DEB_IOBUS be universal (= 1) and "received/returned" trace be done in the iogrp() routine at the point of call to the device interface (rather than in each interface routine separately)?

+ Incorporate "fmt_char", "fmt_bitset", "hp_debug", "dprintf", etc. from the 3000 simulator and restructure the debug traces to conform with the 3000 usage, i.e., from overview to detail. Implement as modules are modified for other reasons.

+ Add an "hp2100_release.txt" file to point people to the manuals and the RTE-6/VM kit on Bitsavers (under /bits/HP/tapes/rte-6vm/rte6200) and the RTE-IVB and diagnostics kits on the HP Computer Museum. Also to the HP 1000 software collection.

+ Change program counter register name PC to PR (fixes external name clash with readline library) (PR is analogous to AR, BR, XR, etc.)

x Change mnemonic output to print decimal for EAU and octal with B for MRG? How about input? This would match ASMB but would be a change in behavior (e.g., entering LDA 1000 would load 1000 decimal not 1000 octal). Want 0 and 1 to be printed without B (maybe 0-7). Note that MACRO uses the same numeric convention as ASMB; in particular, there is no hex input.

x Change C/Z position from "JMP Z 100,I" to "JMPZ 100,I" or "JMP 100,I,Z" ?

CPU
---

+ Split "initialize_io" into "setup_io_table" and "cpu_initialize". Former sets up iot only and checks for conflicts. Latter walks iot and calls "io_initializer" and "io_dispatch" to set up IRQ and SRQ vectors.

+ Clean up comments.

+ Add MP, PWR, and DMA initializers.

+ The E-Series TIMER instruction (100060) should execute as LSL 16 on a 2100 per Alan Tibbetts in Communicator/1000 November 1977. Test program:

    100: CLA,CCE
    101: ERA
    102: CCB
    103: 100060
    104: NOP
    105: HLT 0

  Input is B = 177777, A = 100000; output should be B = 100000, A = 000000.

+ BUG: 21XX protected loader is not SAVEd/RESTOREd if the loader is disabled. The copy of the loader is placed in a local static array, so any changes are not SAVEd. Also, the loader enable/disable state is not saved, because the state is not in a DEVICE flag, where it belongs, but in the difference between "mem_size" and "mem_end". "cpu_set_size" is called prior to RESTORing memory, but it disables the loader unilaterally.

+ BUG: restoring larger memory size (e.g., 64K) into base machine (32K) fails with SCPE_NXMEM because sim_rest calls dptr->deposit which checks against "mem_size" which hasn't been changed (RESTORE restores "capac" but hasn't called anything that would let the CPU know that the memory size has changed).

+ Add the power-fail/auto-restart interface.

+ A trace that includes a simulation stop with a VM error doesn't print an extended message. For example, detaching the IPL device while interconnected prints "Cable not connected to the IPLI device, P: 14365 (ADA 21,I)" on the console but only "simulation stop: Cable not connected to" in the trace log. Must check "cpu_ioerr_uptr" and process as in "fprint_stopped" in the instruction postlude printer.

+ BUG: Interrupted .ENTR writes wrong return address. Problem is "resolve" may return NOTE_INDINT and .ENTR correctly backs out. However, [P-1] is changed from "address of address of return point" to "address of return point" before params are resolved. Interrupt causes .ENTR to be re-run, but [P-1] has been changed, so return point is invalid. Firmware changes [P-1] only after resolving all addresses.

+ Rearrange modules within cpu0-cpu7.c to avoid shared ownership and to eliminate the need for global cpu_ema_* helper declarations, as follows:
    0 = [jdb] uig dispatcher, user microcode, unimplemented stubs
    1 = [rms] eau, fp, iop
    2 = [rms] dms, eig
    3 = [jdb] ffp, dbi
    4 = [jdb] fpp, sis
    5 = [hv]  ema, vis (vis uses ema routines)
    6 = [jdb] os
    7 = [hv]  vma, signal

+ Split hp2100_cpu.c into cpu.c (CPU and I/O, OVF, and PF), mem.c (memory, MP, and MEM), and dma.c (DMA) code modules.

+ Change "cpu_copy_loader" to "mem_copy_loader" and return PR value? Then wouldn't need to include both cpu.h and mem.h.

+ Remove IOADDSIR and add the ioSIR signal in the "io_dispatch" routine, where the signals originate. For instance, using an ioSTC signal automatically needs an ioSIR signal as well, so add both at the point of origin rather than testing for ioSTC in each interface handler and adding it there.

+ A device must set its flag by setting the flag buffer flip-flop and then calling "io_dispatch" with the "ioENF" signal. Calling the interface routine directly bypasses the interrupt detection code, as well as the IOBUS trace routines.

+ Change I/O interface routines to return SIGNALS_DATA instead of STAT_DATA. Currently, IPL returns SCPE errors (no connection, unattached, I/O error) from the interface routine in the high word. The shared-memory IPL no longer does, so the change is feasible. This would allow outbound signals to be displayed (currently, SKF is encoded in the outbound data word half for ioSFS and ioSFC incoming signals, even though the HP 1000 defines only five outbound signals: PRL, FLG, IRQ, SRQ, and SKF). Other devices that would be affected are DS, which returns the value from "dl_clear_controller" (which may be SCPE_IERR only if the supplied unit is not part of any device), and CPU, which returns stop codes from "io_dispatch" to "cpu_iog" (so change interfaces to return SIGNALS_DATA to "io_dispatch" and change "io_dispatch" to return STAT_DATA to "cpu_iog"). All other devices return SCPE_OK always.

+ cpu_configuration options MUST NOT depend on value of UNIT_V_UF, i.e., must be (unitflags >> UNIT_V_UF << 16).

+ Prior to the 1000 nomenclature, "21MX" indicated an M-Series, and "21MX-E" (also 21MXE and 21XE) indicated an E-Series. However, doing SET CPU 21MX configures the simulator for an E-Series. This is historical behavior but is arguably a bug and should be changed to configure as an M-Series.

+ Extend "cpu_copy_loader" and the boot routines to configure both the paper tape and disc portions of the BBDL/BMDL. If the start_index is > 0, then the paper tape reader select code is used to configure I/O instructions below the index, and the supplied device select code configures instructions at or above the index. If the start_index is 0 (e.g. BBL and all 1000 boot loader ROMs), then all instructions are configured to the supplied device select code.

+ Implement the loader ROM selection in the 1000. SET CPU ROMn=PTR would install the PTR (12992K) loader ROM into socket n. SHOW CPU ROMS would show the installed ROMs (by device, perhaps with 12992 translation too). CPU would store ROMs in a four-element array of DPTRs, with each ROM represented by its device pointer. Loading the ROM would be done by calling dptr->boot.
+ [F] CID 1455441 (hp2100_cpu5.c:628): Logically dead code. BUG: The conclusion is incorrect, as the "uint16" cast causes wraparound from 65536 to 0. However, this depends on "uint16" being exactly 16 bits, which is poor practice. An explicit mask is now used instead.

+ SET CPU IDLE=10 does not change the idle stability period. sim_set_idle wants to parse the "10" from the command line, but we don't pass cptr!

+ Implement STOP_UNDEF for TIMER/MPY (M-Series).

+ Remove STOP_UNIMPL special cases: TIMER, RRR, .FLUN, and the 105200 (FFP), 105353 (OS), 105477 (VMA), and 105617 (SIGNAL) self-tests. Change the STOP_UNIMPL default to disabled.

+ Recast stop_inst, etc. into SET CPU STOP=UNIMPL, UNDEF, UNSC, and IOERR, plus SET CPU INDIR=. set_stop should set value of (e.g.) cpu_ss_unimpl to SCPE_OK or STOP_UNIMPL. Instruction executors return cpu_ss_unimpl for unimplemented instructions, which will either ignore or stop as indicated.

+ Update MR and TR during execution to reflect memory accesses for front panel.

+ Export ion for front panel.

+ [T] CID 1415639 (hp2100_cpu5.c:441): Logically dead code. BUG: At condition p31 ^ 0xfc00, the value of p31 must be equal to 0. The condition !(p31 ^ 0xfc00) cannot be true.

+ BUG: Shifts and rotates of 16 bits are defined by HP CPUs, but the C standard says that they are undefined. Need to special-case the 16-bit operations.

+ [T] CID 1415404 (hp2100_cpu1.c:316): Bad bit shift operation. BUG: the C standard says shifting by a count greater than or EQUAL to the word width is undefined. Reimplement EAU shifts/rotates as 32-bit operations.

+ BUG: SET CPU 1000-F,128K and DEP 40.0 1 and SET CPU 2116 and "NO" to "Really truncate memory" leaves 1000-F CPU but with no EAU and no FP! Problem is option changes are done before memory size change.

+ DEB_EXEC should OR all debug flags to set them on, so that DEB_NOS isn't altered by the action.

+ Change VIS, etc. debug routines to OPND.

+ Add NOS debug flag for 6/VM $OTST instruction. SET CPU DEBUG=NOS will return X = 0 so RTE will not use OS firmware.

+ Change ReadPW, WritePW to mem_examine, mem_deposit (fast access).

+ Change read/write byte routines to use cpu_read/write_memory.

+ Implement instruction tracing:

                 M p.pg l.adr m.data
                 - ---- ----- ------
    >>CPU instr: U 0045 10341 016200 LDA 1200
    >>CPU data:  U 0013 01200 123003 data read
    >>CPU reg:   P 0000 00000 000000 A 123003, B 001340, X 000000, Y 000000, e O I
    >>CPU data:  B 0177 01200 123003 dma read

  phys addr 0000000-3777777 (1 MW), phys page 0000-1777, log addr 00000-77777

  dms M field:
  - S/U/- : sys map/user map/mem disabled
  - P/-   : protect enabled/disabled
  - A/B   : port A/B map enabled (dcpc access)

+ Two and three-word instructions should classify extra words as fetch. How do we classify multi-word instruction accesses? As:

    >>CPU instr: S 0001 02551 126465 JMP 2465,I
    >>CPU data:  S 0001 02465 007572 data read
    >>CPU instr: S 0003 07572 105736 UJP 7503,I
    >>CPU data:  S 0003 07573 107503 data read
    >>CPU data:  S 0003 07503 007737 data read

  ...or as:

    >>CPU instr: S 0001 02551 126465 JMP 2465,I
    >>CPU data:  S 0001 02465 007572 data read
    >>CPU instr: S 0003 07572 105736 UJP 7503,I
    >>CPU fetch: S 0003 07573 107503 instruction fetch
    >>CPU data:  S 0003 07503 007737 data read

  How about JRS? As:

    >>CPU instr: S 0003 07472 105715 JRS 7420 7421,I
    >>CPU data:  S 0003 07473 007420 data read
    >>CPU data:  S 0003 07420 154047 data read
    >>CPU data:  S 0003 07474 107421 data read
    >>CPU data:  S 0003 07421 010115 data read

  ...or as:

    >>CPU instr: S 0003 07472 105715 JRS 7420 7421,I
    >>CPU fetch: S 0003 07473 007420 instruction fetch
    >>CPU data:  S 0003 07420 154047 data read
    >>CPU fetch: S 0003 07474 107421 instruction fetch
    >>CPU data:  S 0003 07421 010115 data read

  UJP is a two-word instruction: opcode and jump address. JRS is a three-word instruction: opcode, status word address, and jump address.

+ Implement EXEC.

+ Implement MP/MEM REG display triggers. Note that MPV is set to P for each instruction, so flag is not set for this.

+ Add the DMS fence register to the std reg display (in logical address field).

+ DEPOSIT 2000 JMP 2001 is rejected. It should be accepted as a current-page reference (026646). Problem seems to be in parse_sym (hp2100_sys.c) here:

    else if (cflag && !k && (((addr ^ d) & I_PAGENO) == 0))
        val[0] = val[0] | (d & (I_IA | I_DISP)) | I_CP;

  ...where "k" is 0 ONLY if "C" or "Z" is specified. This test should be done if they are NOT specified, i.e., to check for CP reference via the addresses.

+ DEPOSIT 2000 JMP C 2001 is accepted. It should be rejected, because the legal address range is 0-1777 if C/Z is explicitly specified.

x Remove the "dibptr" parameter from the INTERFACE spec and replace it with "card_index". Most interface routines never use "dibptr", and those that do use it simply to get "dibptr->card_index". NO!!! Using dibptr allows for future DIB expansion without modifications to every device!

Memory
------

DMA
---

MEU
---

+ BUG: "dm_violation" routine updates the VR even if CTL5 is clear. But MEM schematic shows VR clock is inhibited by -MEV until CTL5 goes low and then high again. With CTL5 low, VR should not update. Observed that a DM abort reports a different VR value than is reported at the time of the MP interrupt by a CPU trace. Comment says, "A MEM violation will report the cause in the violation register. This occurs even if the MEM is not in the protected mode (i.e., MP is not enabled)," but this is not correct. Note that "dm_violation" calls "meu_update_violation", whose comments say, "The register is not clocked when MP is disabled by an MP or MEM error (i.e., when MEVFF sets or CTL5FF clears), in order to capture the state of the MEM." Indeed, "meu_violation" is not changed if "mp_control" is clear or "mp_mevff" is set, which is correct.

+ Add a MEM device that can be disabled to hold the MEU registers.

+ Change MP operation to follow the hardware when an interrupt occurs.
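The EAU items in the CPU section above (the 16-bit shift note and CID 1415404) call for reimplementing the EAU shifts and rotates as 32-bit operations so that no shift count ever reaches the operand width. The following is an added example, not simulator code: it performs the six EAU shift/rotate operations on the B:A pair using a 64-bit intermediate, and checks the TIMER-as-LSL-16 case (B = 177777, A = 100000 gives B = 100000, A = 000000) from the CPU list. All names here (eau_execute, ba_pair, eau_count, etc.) are this example's own, not the simulator's.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not simulator code.  All names here are the example's own. */

#define D16_MASK 0x0000FFFFu
#define D32_MASK 0xFFFFFFFFu
#define D32_SIGN 0x80000000u

/* EAU shift/rotate operations on the 32-bit B:A register pair. */
typedef enum { EAU_ASL, EAU_ASR, EAU_LSL, EAU_LSR, EAU_RRL, EAU_RRR } eau_op;

/* 16-bit registers held in 32-bit words, as proposed for HP_WORD above. */
typedef struct { uint32_t b; uint32_t a; } ba_pair;

/* The EAU shift-count field is four bits wide; a zero field encodes 16. */
static unsigned eau_count (unsigned field)
{
    field &= 017;
    return field ? field : 16;
}

/* Shift or rotate the 32-bit value "ba" by "n" places (1 <= n <= 16).
   The work is done in 64-bit arithmetic: every shift count used is either
   n (at most 16) or 32 - n (16..31), so no shift ever equals or exceeds
   the width of the operand being shifted, which the C standard leaves
   undefined. */
static uint32_t eau_shift (eau_op op, uint32_t ba, unsigned n)
{
    uint64_t v = ba;
    uint64_t r = 0;

    switch (op) {
        case EAU_LSL:                       /* logical left: zeros enter bit 0 */
            r = v << n;
            break;
        case EAU_LSR:                       /* logical right: zeros enter bit 31 */
            r = v >> n;
            break;
        case EAU_ASL:                       /* arithmetic left: sign bit kept */
            r = ((v << n) & ~(uint64_t) D32_SIGN) | (v & D32_SIGN);
            break;
        case EAU_ASR:                       /* arithmetic right: sign replicated */
            if (v & D32_SIGN)
                v |= ~(uint64_t) D32_MASK;  /* sign-extend to 64 bits first */
            r = v >> n;
            break;
        case EAU_RRL:                       /* rotate left through all 32 bits */
            r = (v << n) | (v >> (32 - n));
            break;
        case EAU_RRR:                       /* rotate right through all 32 bits */
            r = (v >> n) | (v << (32 - n));
            break;
    }
    return (uint32_t) (r & D32_MASK);       /* truncate back to 32 bits */
}

/* Execute an EAU shift/rotate given the B and A registers and the raw
   four-bit count field of the instruction; returns the new B:A pair. */
static ba_pair eau_execute (eau_op op, uint32_t b, uint32_t a, unsigned count_field)
{
    uint32_t ba = ((b & D16_MASK) << 16) | (a & D16_MASK);
    uint32_t r  = eau_shift (op, ba, eau_count (count_field));
    ba_pair  out;

    out.b = (r >> 16) & D16_MASK;
    out.a = r & D16_MASK;
    return out;
}

/* The TIMER-on-a-2100 case from the CPU list: opcode 100060 executes as
   LSL 16.  With B = 177777 and A = 100000 the result must be B = 100000,
   A = 000000.  Returns 1 when the example reproduces that result. */
static int timer_as_lsl16_ok (void)
{
    ba_pair r = eau_execute (EAU_LSL, 0177777u, 0100000u, 0);  /* field 0 = 16 */
    return r.b == 0100000u && r.a == 0u;
}

int main (void)
{
    ba_pair r = eau_execute (EAU_LSL, 0177777u, 0100000u, 0);

    printf ("LSL 16: B = %06o, A = %06o (%s)\n",
            (unsigned) r.b, (unsigned) r.a,
            timer_as_lsl16_ok () ? "ok" : "FAIL");
    return timer_as_lsl16_ok () ? 0 : 1;
}
```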
BACI
----

+ Add LOCALACK/REMOTEACK unit property to do ENQ/ACK locally. Use device FASTTIME to transfer Telnet in blocks and do breakmode delay. Default is FASTTIME and LOCALACK, so characteristic is the same as before.

+ FASTTIME doesn't change the service times; they are still calculated as in REALTIME mode. But note that FASTTIME cannot be less than 1500 instructions, or a race condition in the RTE driver occurs.

+ Increase the input poll rate to the current output baud rate when waiting for an ACK after an ENQ.

+ DETACH ALL fails with "Unit not attachable" if the BACI is attached. Note that DETACH ALL does NOT fail with MPX attached!

+ SHOW BACI starts with "not attached". After ATTACH BACI COM1, it says "attached to com1". After DETACH BACI, it no longer mentions attachment. UNIT_ATTABLE was not being restored after a serial detach.

+ Must reschedule output if SCPE_STALL occurs. Currently, SCPE_STALL is returned from service call, producing "Console stall" sim stop. A stall should drop out of the transmission loop, just as if REALTIME mode is being used.

+ baci_poll_svc should call tmxr_poll_conn even when already connected (so that "all lines busy" is printed to connecting terminal).

DA
--

+ Normalize tracing with DC.

+ Revise all disc devices (DA, DP, DQ, DR, and DS) to create full-sized image files when ATTACH -N is specified. Needs to write a zero to the last byte of the file and then flush. If a full-size file is not wanted, then attach without -N and specify a new filename. This creates a zero-length file that will assume a size dictated by the highest location written. [An alternative of specifying -F ("Format") with -N to get a full-size file preserves the existing behavior of creating a zero-length file but must be ignored if it is specified without -N to avoid writing over the last sector of an existing file; the latter action must report an error. This has only limited advantages over the new behavior, which is probably what is desired in most cases.]

+ hp2100_di_da.c uses a BRDATA register to hold the controller array. An SVDATA register would be better.

DC
--

+ ATTACH -X does not extend. Call to initialize_media NOPs if new state = current state (both Certified) because initializing a tape that is already initialized just updates the system blocks.

+ ATTACH -X should extend a short cart to long.

+ BOOT DC1 not allowed, but DEP S 1 and BOOT DC is. Should pick up bus address and CS/80 unit number from SIMH unit number, allowing only bus address 0.

+ Add Utility C8 (ERT) to support TAPE exerciser CERT command.

+ Use a private data marker to represent "initialized but not read" tape blocks; change to "extended SIMH format".

+ REALTIME and 67MB init media times out. If a timeout occurs while a long-executing command is in progress, DVM33 does an Identify to see if the device is still responsive. If it responds, DVM33 just goes back to waiting for the command to complete, e.g., with EPPR. That means that Identify CANNOT USE the same unit as is scheduled!!! Can Identify send off both bytes within the command? NO, because we have to wait for ATN to deny (the card has to clear the FIFO and turn itself around). Need a dedicated unit? Not if Identify saves the unit state (remaining time, current opcode, and current state) in the UNIT structure, cancels the service before setting up the Identify, and then restores the prior service when it completes. The main deal is that Identify must not change device state, else the eventual expected entry into service will see wrong state!!!

+ ATTACH -S doesn't set short cartridge unless -N included. So, e.g., ATTACH -S NEW.CART will create 0-length file but still set to 66 MB.

+ Bus tracing wants to output a header line before the first trace line. Currently, that's handled in the PON startup initialization, but then multiple lines are printed if the program uses GO UNTIL / REPLY or the user enters a concurrent command. Is there a way of printing this just once per trace? Note it cannot be done at SET DEBUG time because the debug log may not be enabled yet.

+ Set up EX/DEP handler (16-bit vs. 8-bit).

+ Clean up comments.

+ Establish the register contents.

+ Implement the remainder of the CS/80 commands.

DP
--

+ Change DIB card description to match card configuration (12557 or 13210).

+ BUG: The Nov 74 manual says that a Check Status command clears the status register, which consists of status word bits 14, 13, 11, 10, 8, 5, 4, 3, 1, and 0 (i.e., all except bits 6 (not ready) and 2 (drive busy), which are direct pass-throughs from the drive). However, the schematic shows that the register is cleared on STC assertion for any command /other/ than Check Status. In other words, every command except Check Status clears the old status in order to assert new status (so two successive Check Status commands will return the same status word, contrary to the manual).

+ BUG: The Nov 74 schematic shows that CRS does not clear the status register, but examining the hardware PCA shows that it does.

+ BUG: The Nov 74 schematic shows that CRS clears the attention register, but examining the hardware PCA shows that it does not. The signal marked CRS is actually the XFER CYL signal from the sequencer, so the register is actually cleared when a Check Status or Seek command is issued. However, later PCAs did add CRS to the other two clearing conditions.

+ BUG: first status is cleared with attention by read, write, check data, and initialize, as well as by request status. It is not cleared by seek or address record.

+ An RTE-I system with the 2870A disc will not boot. It seems as though the initial seek doesn't schedule when using the ROM boot loader. Also, it is unclear whether the 12992F ROM will work with the 2870A. Maybe the BMDL should be installed for BOOT DPC when SET DPC 12557A. On the other hand, the 7900 BMDL is used for the 2870 as well, per the "loader loader" source.
  ==> NOT A BUG! ACTUALLY, THE RTE-I MANUAL SAYS THAT MH BOOT REQUIRES THE PAPER TAPE BOOTSTRAP! BMDL IS VALID ONLY FOR RTE-II AND ABOVE.

+ Running the RTE-I paper tape bootstrap ends with a HLT 11B (disc error). The reason is that the disc returns FIRST STATUS and ANY ERROR on the first access. Pressing RUN to try again succeeds (because it's not the first time). It's not clear whether this is a bug or a feature; the RTE-II paper tape bootstrap checks explicitly for this condition (status = 040001) and auto-retries. Also, the 7900/2870 BMDL starts and then aborts a null read "TO CLEAR 1ST STATUS."
  ==> NOT A BUG.

DQ
--

DR
--

+ Change DIB card description to match card configuration (12606 or 12610).

+ Boot loader DMA isn't configured properly, because the config word is in the wrong location for the ibl_copy routine. Set up the BBDL here and make it work.

DS
--

+ [T] CID 1415433 (hp_disclib.c:2103): Unchecked return value from library. Modify "position_sector" (hp2100_disclib.c) to test the "sim_fseek" call for error status and to simulate a Drive Fault (AGC error) if the call fails.

IPL
---

+ Establish interlock delay needed to avoid DMA race condition. IOP interrupt to STC is 34 instructions. SP DMA completion to CLC is 4 instructions, but last word is picked up 63 instructions after previous one, due to adaptive poll (1 + 2 + 4 + 8 + 16 + 32 = 63).

+ Input poll delay should not exceed the interlock value, else an output by the second instance may not be picked up by the first during its time slice.

x Send Device Table command seems to get first word twice in SP. It's only sent once from IOP. NO, SP loader always gets response with LIA, even when none is expected. So gets first word once with LIA, again with DMA.

+ Add USE_FALLBACK to override regular event routines and use fallback routines.
+ Add instruction interlocking.

+ Add SP/IOP command tracing.

+ Printing a long listing (~300 pages of Access source) to the line printer hangs part-way through. The hang point is variable, and the system and terminal are still responsive, but pressing BREAK to stop execution is the only recourse. Problem occurs when SP requests a print buffer, but the IOP replies with "buffer not available" status. Normally, the IOP will send "wake up user" once the buffer becomes available. In the failing case, the buffer appears to become available between the two words of the "request buffer" command. The "WUU" is sent immediately after the second "ALB" word is acknowledged. But because of the adaptive servicing of the IPL cards, polling picks up the "WUU" command before the second "ALB" acknowledgement. The SP appears to miss this, and so it waits forever for the IOP to send the "WUU" that has already been received.

+ Speed up polling if a transfer is active and slow down if it is not.

+ Implement shared memory in addition to network. ATTACH -S for SP, -I for IOP. is a number used only to identify the pair of processes and is used to name the shared memory area. Only one attach (IPLI) is permitted if -S or -I is used, and process control and memory are allocated then. Before allocation, IPLI and IPLO data access pointers point at a local pair of structures. Shared memory area is two structures containing DEV OUT, DEV IN, DEV CONTROL, and DEV FLAG representing signals. The two structures are mirrors, i.e., DEV OUT on one corresponds to DEV IN on the other. For SP, IPLI points to one (e.g., struct A) and IPLO points to the other. For IOP, they are reversed, i.e., IPLI points to B, IPLO to A. This performs cross-coupling. Setting DIAG on IPLI or IPLO sets up loopback on that one interface. Setting DIAG on both sets up cross-connection (IPLI and IPLO pointers point at the same memory structure).

+ The -W option to -C does not work.
Doing "ATTACH -CW IPLO 4020" says "Connecting to IP address 127.0.0.1, port 4020" and "Waiting for connection" but following with "ATTACH -L IPLI 4020" on the other instance does not establish a connection. It appears that -W is only reasonable with -L.

+ If ATTACH -C does not connect initially, it never will, even when polling starts. Apparently, the "connect" call fails with WOULDBLOCK but then fails unconditionally some time later. The "sim_check_conn" returns with -1 to indicate an unexpected error, but "ipl_check_conn" makes no distinction between this and the WOULDBLOCK case. This must be documented in the manual.

x Implement STOP_IOERR. Currently, iplio (ioSTC) returns SCPE_UNATT if not attached, STOP_NOCONN if attached but not established, and SCPE_IOERR if the socket write fails. Also, ipl_svc returns SCPE_OK if not attached or not established, and SCPE_IOERR if the socket read fails. Because the write is done in the STC handler, there's no way to retry after attaching or establishing the connection. STOP_IOERR should permit retries by correcting the problem and resuming.

x IPL is the only interface dependent on returning a SCPE status code. IPL returns STOP_NOCONN, SCPE_IOERR, and SCPE_UNATT in response to setup errors following an STC. It would be better to schedule service at zero time and return these status codes there. Doing so would also allow STOP=IOERR to retry after correction.


LPS
---

+ PAGE_SIZE is already defined in limits.h.

+ Add COMPACT/EXPANDED mode for usable text file output.

+ Service isn't right. STC counts char/line and schedules service without checking if unit is attached, online, or powered on. Service shouldn't be entered if conditions aren't correct. Current tests used are just workarounds for bad design.

+ Review operation now that we have a manual for the interface.

+ Remove DMA diagnostic support. SET DIAGNOSTIC should configure for GPREG only.


LPT
---

+ Add COMPACT/EXPANDED mode for usable text file output.
+ Add the 2613/17/18 as options. Default to the existing 2607.


MC
--

+ BUG: restoring says MC1 has no units and no registers, but regs are saved, so the file pointer is off when trying to read the MC2 device name.


MP
--

+ Add 12584 multiplexer (MPT, MPD). Clean up comments.


MPX
---

+ Change REALTIME/FASTTIME from a unit property to a device property (MPX is the only device that has this attached to the units). Add LOCALACK/REMOTEACK unit property to do ENQ/ACK locally. Use device FASTTIME to transfer Telnet in blocks and do destructive backspace. Default is FASTTIME and LOCALACK, so characteristic is the same as before.

+ FASTTIME doesn't change the service times; they are still calculated as in REALTIME mode.

+ Increase the input poll rate to the current output baud rate when waiting for an ACK after an ENQ.

+ Writing to a disconnected port should be permitted (used by ICA-FFP to initialize all terminal ports including ones not currently connected), but now fails with SCPE_LOST when tmxr_putc_ln() is called. Ditto for BACI.

+ Must reschedule output if SCPE_STALL occurs. Currently, stalls produce lost characters. A stall should drop out of the transmission loop, just as if REALTIME mode is being used. Also, might use "tmxr_linemsg" instead of three successive "tmxr_putc_ln" calls to output BS-space-BS and \-CR-LF sequences.

+ gcc 6.3.0 objects to the unused "static const uint32" values generated by the BITFIELD macro. BITFIELD is an experiment that didn't really work out advantageously. Change to standard #defines used by all other modules.

+ [T] CID 1415546 (hp2100_mpx.c:1240): Negative array index write.
  [T] CID 1415751 (hp2100_mpx.c:1142): Out-of-bounds access.
  Modify "exec_command" (hp2100_mpx.c) to ignore the Set Flow Control and Cancel commands if the port key has not been set (the compound statement braces are missing).

+ There is a bug in the MPX's handling of buffer overflows.
A large packet fills the first 254-byte buffer, informs RTE that it's available to be read, and then starts filling the second 254-byte buffer, which is all as it should be. Partway through that, RTE starts reading the first buffer, and when that's done, starts reading the second buffer. The latter shouldn't occur until that second buffer has been terminated, either by an EOR (a CR character) or by a buffer-full condition. Problem seems to be in mpx_cntl_svc/CMD_READ: when read completes, a call to buf_avail indicates one buffer free (the one just completed) and one occupied (the one that is filling), but this sets FL_HAVEBUF, which causes UI_RDBUF_AVAIL, which causes an unsolicited interrupt, which DVM00 interprets as "a buffer is available to be read". It also needs a "mpx_flags [port] & FL_RDFILL" test for buffer filling.

+ Kermit cannot use 1024-byte windows. Transmission failures occur. Problem seems to be buffer overflow. See "status = 060..." in debug file. Transfer starts at line 5427. After first buffer fills, mpx does UI, reason = 5. Previously, RTE does 104 (ack) and 307 (read). This time, RTE does 104 (ack) and 102 (enable UI), and then second buffer fills. After second buffer fills, additional received chars are discarded, leading to xfer error. Then RTE does 103 (disable UI) and 307 (read). Problem is that second buffer fill beats read of first buffer, because with FASTTIME control remains within mpx_line_svc until Telnet buffer empty, and therefore CPU/DCPC get no cycles to read the first buffer. Conclusion: must use REALTIME with transfers > 508 bytes.

+ Enhancement: for FASTTIME, instead of transferring all available Telnet characters as a block, do block transfer only if a free buffer exists (i.e., filling first buffer). Revert to baud rate service when there is a full buffer awaiting unloading. That allows CPU/DCPC time to unload it.
If this takes only a few character times, and more Telnet characters are available, then resume block transfer once the first buffer has been released (i.e., when there is again one free buffer). This should allow large Kermit buffers to work with FASTTIME.


MS
--

+ Change DIB card description to match card configuration (13181 or 13183).

+ Handle MTSE_RUNAWAY.


MT
--

+ Note that the manual says Reject is set for (a) motion with card busy, or (b) backward motion at load point, or (c) write with no write ring. Reject FF sets on these conditions * motion * IOO. An undefined command does not cause a reject. I gather that such a command would be interpreted by the drive with unknown results.

+ Add tracing for commands and status (TRACE_CSRW) and data (TRACE_XFER).

+ 2000A hangs when SLEEPing to a 3030. Problem is that after the first record is written, TSB sends a command of 000 to the drive and then waits for the flag from the end of the write. The 000 is expected to do nothing; the point is to wait for the flag and then get the status (subroutine CMAND). But the 000 is rejected, so TSB does a BSR and GAP (which does nothing because the density is not set) and then rewrites the record forever. Schematic shows that IOO is gated with IOBO0 (motion), so commands without bit 0 set are ignored (CLR, octal 300, is decoded separately and is gated with IOO).

+ 2000A SLEEP with 3030 writes OK, but verify hangs on SFS DC when reading the first tape mark. Tape mark is a character, so data flag must set, followed by the command flag.


MUX
---

+ DETACH ALL fails with "Unit not attachable" if the mux is attached. Note that DETACH ALL does NOT fail with MPX attached!

+ SET DIAGNOSTIC disconnects Telnet connections but not serial connections.

+ SET DIAG does not prevent ATTACH MUXLn . It does prevent net attach.
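The "exec_command" defect noted under MPX above (CID 1415546 / 1415751), as an added illustration that is not the simulator's code: the port-key guard covers only one statement, so the array store runs with an unset key, and the hardened form ignores the command outright. The structure layout, MPX_PORTS, the KEY_UNSET sentinel and the command codes are assumptions made for this example.

```c
#include <stdbool.h>
#include <string.h>

#define MPX_PORTS  8         /* assumed port count for this illustration */
#define KEY_UNSET  (-1)      /* assumed sentinel: no Set Port Key received yet */

enum mpx_cmd { CMD_SET_FLOW = 0x1, CMD_CANCEL = 0x2 };

typedef struct {
    int port_key;            /* port selected by the last Set Port Key command */
    int flags[MPX_PORTS];    /* per-port control flags (constructed stand-in) */
} mpx_state;

/* Defective shape (hypothetical reconstruction of the flagged code): without
 * braces only the first statement is conditional.  When port_key is still
 * KEY_UNSET, "port" stays -1 and the store lands at flags[-1], the negative
 * array index write the analyzer reported.  Never called in this example. */
static int exec_command_unguarded(mpx_state *s, enum mpx_cmd cmd)
{
    int port = KEY_UNSET;

    if (s->port_key != KEY_UNSET)
        port = s->port_key;          /* guarded */
        s->flags[port] |= cmd;       /* NOT guarded: runs with port == -1 */

    return 0;
}

/* Corrected shape: a port-directed command is ignored until a key has been
 * set, and the key is range-checked before it is used as an index.
 * Returns 1 if the command was applied, 0 if it was ignored. */
int exec_command(mpx_state *s, enum mpx_cmd cmd)
{
    if (cmd != CMD_SET_FLOW && cmd != CMD_CANCEL)
        return 0;                    /* other commands are not modelled here */

    if (s->port_key < 0 || s->port_key >= MPX_PORTS)
        return 0;                    /* KEY_UNSET or out of range: write nothing */

    s->flags[s->port_key] |= cmd;
    return 1;
}

/* Helper for the checks: number of ports whose flags are non-zero. */
int ports_touched(const mpx_state *s)
{
    int n = 0;
    for (int i = 0; i < MPX_PORTS; i++)
        if (s->flags[i] != 0)
            n++;
    return n;
}

int main(void)
{
    mpx_state s;
    memset(&s, 0, sizeof s);
    s.port_key = KEY_UNSET;
    (void) exec_command_unguarded;   /* referenced only so the contrast compiles */
    return (exec_command(&s, CMD_CANCEL) == 0 && ports_touched(&s) == 0) ? 0 : 1;
}
```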
+ [T] CID 1469633 (#1 of 1): Missing comma in a string array initialization.
  In the initialization of upper_status_names, a suspicious concatenated string "breaklost" is produced.
  ==> Add the missing comma.

+ SET MUX DEBUG=IOBUS only records MUX, not MUXL or MUXC. But maybe this is correct. Other two-card devices probably want to have separate command and data channel IOBUS settings, e.g., so that SET DPC DEBUG doesn't record every data channel I/O operation.


PIF
---

+ Change DIB card description to match card configuration (12620 or 12936).


PTR
---

+ Extract PTR and PTP into new "hp2100_pt.c" file (they use the same interface card).

+ Add a REALTIME mode for the diagnostic (currently uses REG deposit; fasttime = 100, realtime = 2 msec).

+ Extend DIAGNOSTIC mode to install a loopback connector if the PTR is not attached. DIAGNOSTIC mode with an attachment continues to simulate a tape loop. This allows both the paper tape diagnostic and the GPR diagnostic.

+ Add tracing.

+ Implemented STOP_IOERR.


PTP
---

+ Add a REALTIME mode for the diagnostic (currently uses REG deposit; fasttime = 100, realtime = 13.333 msec).

+ Add DIAGNOSTIC mode to install a loopback connector. This allows the GPR diagnostic.

+ Add tracing.

+ Attaching the punch without -N should append, rather than overwriting.


TBG
---

+ Separate the jumper change from the DIAG setting to allow REALTIME vs. CALTIME mode independent of the diagnostic setting.


TTY
---

+ Add a new POLL device that runs the poll timer (10 msec caltime). Change TTY to coschedule with POLL device.

+ Permit the TTY to be disabled. The 2000 IOP does not have a TTY interface.

+ Revise to use a single unit for keyboard/printer (as BACI and MPX do)?
  >>NO: separate units allow separate filter modes for input and output!

+ Add a REALTIME mode for the diagnostic (currently uses REG deposit; fasttime = 200, realtime = 100 msec).

+ Add tracing.

+ Permit device DISABLE.

+ Move the poll timer to a separate POLL device.
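The "breaklost" defect noted under MUX above (CID 1469633), as an added illustration that is not the simulator's table: C joins adjacent string literals silently, so a dropped comma shortens the array by one and shifts every later name. The table contents and STATUS_NAMES are constructed; the "_Static_assert" is the build-time check that catches a recurrence, and "find_joined_entry" is a hypothetical runtime detector for tables that cannot be checked at build time.

```c
#include <stddef.h>
#include <string.h>

#define ARRAY_COUNT(a)  (sizeof (a) / sizeof (a)[0])
#define STATUS_NAMES    4        /* constructed: one name per status bit */

/* Constructed table with the defect: no comma after "break", so the compiler
 * joins "break" "lost" into one element "breaklost".  The array silently has
 * three entries, and any lookup by bit number from index 1 on is off by one. */
static const char *const defective_names[] = {
    "framing error",
    "break"
    "lost",
    "parity"
};

/* Corrected table. */
static const char *const corrected_names[] = {
    "framing error",
    "break",
    "lost",
    "parity"
};

/* Build-time check: the table must have exactly one entry per status bit.
 * A dropped comma changes the element count, so the build fails instead of
 * shipping a shifted table.  (The same line on defective_names would refuse
 * to compile, which is the point.) */
_Static_assert(ARRAY_COUNT(corrected_names) == STATUS_NAMES,
               "status name table is missing an entry (dropped comma?)");

/* Runtime detector: returns the index of the first entry that is exactly the
 * concatenation of two expected names, or -1 if none. */
static int find_joined_entry(const char *const names[], size_t count,
                             const char *const expected[], size_t expected_count)
{
    for (size_t i = 0; i < count; i++) {
        size_t len = strlen(names[i]);
        for (size_t a = 0; a < expected_count; a++) {
            size_t alen = strlen(expected[a]);
            if (alen >= len || strncmp(names[i], expected[a], alen) != 0)
                continue;                          /* not a proper prefix */
            for (size_t b = 0; b < expected_count; b++)
                if (strcmp(names[i] + alen, expected[b]) == 0)
                    return (int)i;                 /* prefix + another name */
        }
    }
    return -1;
}

size_t defective_count(void)          { return ARRAY_COUNT(defective_names); }
size_t corrected_count(void)          { return ARRAY_COUNT(corrected_names); }
const char *defective_name(size_t i)  { return defective_names[i]; }

/* Scan the defective table against the corrected one. */
int defective_joined_index(void)
{
    return find_joined_entry(defective_names, ARRAY_COUNT(defective_names),
                             corrected_names, ARRAY_COUNT(corrected_names));
}
```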
+ Must reschedule output if SCPE_STALL occurs.

+ Attaching the punch without -N should append, rather than overwriting.

+ STOP_IOE (ttp_stopioe) is no longer used. Had been an error to output to the punch when it was not attached. Now if punch is not attached, it assumes that output should go to the printer (i.e., a 2752 with punch turned off).

+ Print/Punch FFs only affect 2754 teleprinter. Current implementation does not print on screen if Print FF is not set. DOS-III DVR00 sets Punch FF for binary output, Print FF for ASCII output (2000F BASIC does binary output). Need model-specific output, or SET [NO]PUNCH, or SET 12531/12880, or maybe print if punch requested and punch unit not attached. Last is probably best bet, although ASR33 can't punch without printing also; is this a problem?


User's Manual
-------------

+ Add SET ALL command.

+ Change schematic command FF to not-Q for -DEVICECOMMAND (or Q for +DEV...). Add "io_initializer" and remove PON init.

+ Note that variable expansions in breakpoint command lists are performed when the breakpoint is set, not when the command is executed. If deferred expansion is desired, the breakpoint command list must use double percent signs, e.g., IF "%%A%%" == "0" .... This evaluates to IF "%A%" when it is placed in the breakpoint table and will be further expanded when it is executed.

+ Add the MEM device.

+ PTR DIAGNOSTIC (attached and unattached), REALTIME/FASTTIME, tracing.

+ PTP DIAGNOSTIC, REALTIME/FASTTIME, tracing.

+ TTY REALTIME/FASTTIME, tracing, MODE now radix 2 width 3 (control word bits 14-12), DISABLED/ENABLED.

+ IOBUS tracing added to all devices that otherwise had no trace capability.

+ IOBUS examples now have different format (output signals).

+ Document the new process sync commands, IPL ATTACH.

+ Mention that only one instance of each device is supported.

+ Refer Access users to the "Running TSB" paper?
+ CPU / DMA tracing FETCH, INSTR, DATA, REG, OPND, EXEC

+ OPND handles "extra" debug reports in OS, VMA, etc.

+ OS trace is replaced by EXEC=105340;177760. Note that this includes TBG instructions; the old OSTBG flag is no longer supported.

+ VMA and EMA traces are both replaced by EXEC=105240;177760 (the opcodes are shared).

+ VIS trace is replaced by EXEC=101460;173760.

+ SIGNAL trace is replaced by EXEC=105600;177760.

+ Replace "HALT instruction 102000" with a more descriptive message.

+ Rewrite the manual to be more in line with the style of the 3000 manual. Mention that RUN resets the CPU and I/O system and that LOAD should not be used, except to load loaders.


Software Kits
-------------

+ Add SHOW CPU IOCAGE to startups.

+ Integrate SET ALL DISABLED commands.

+ Complete 2000A kits.

+ RTE-II kit is missing the "installation.tape" file.

+ Ensure fallback mechanism works.

+ Ensure all TSB scripts work on single core.

+ 2000 Access "tsb-reload.sim" needs "ARE YOU SURE THAT'S TODAY'S DATE?" check. Otherwise, file responds "SLEEP" to that question!

+ Add a command file to load the 2000 Access file converter.

+ Add ALGOL to the RTE-II distribution. List the preloaded programs in the README file.

+ Add SNOBOL3 and 2000F BASIC to the DOS-III distribution. List the preloaded programs in the README file.


False Positives
---------------

- [F] CID 1455441 (hp2100_cpu5.c:628): Logically dead code (DEADCODE)
  dead_error_begin: Execution cannot reach this statement: offset += 1024U;
  claims: "At condition suit == 0U, the value of suit must be between 1 and 65536. dead_error_condition: The condition suit == 0U cannot be true"
  ==> The conclusion is incorrect, as the "uint16" cast causes wraparound from 65536 to 0. However, this depends on "uint16" being exactly 16 bits, which is poor practice. An explicit mask will be used instead.

- [F] CID 1455443 (hp2100_sys.c:3377): Copy into fixed size buffer (STRING_OVERFLOW)
  9.
  fixed_size_dest: You might overrun the 1024-character fixed-size string header_fmt by copying format without checking the length.
  ==> "header_fmt" has been declared sufficiently large to accommodate all possible "format" sizes, as explained in the implementation note preceding the function.

- [F] CID 1455444 (hp2100_sys.c:4616): Copy into fixed size buffer (STRING_OVERFLOW)
  9. fixed_size_dest: You might overrun the 4224-character fixed-size string gbuf by copying mptr without checking the length.
  ==> "mptr" points at the instruction mnemonic that had been placed in "gbuf" by the first "get_glyph" call, so it is guaranteed to fit when it is copied back.

- [F] CID 1415780 (hp2100_cpu1.c:919): Copy into fixed size buffer (STRING_OVERFLOW)
  5. fixed_size_dest: You might overrun the 20-character fixed-size string &format[6] by copying formats[i] without checking the length.
  ==> but maximum size of copied string is 4 + NUL.

- [F] CID 1415810 (hp2100_cpu2.c:723): Uninitialized scalar variable (UNINIT)
  5. uninit_use_in_call: Using uninitialized value op[0].word when calling mp_dms_jmp
  Claims "3. Condition op_eig[entry] != (0U /* 0 << 0 * 4 */), taking false branch."
  ==> but entry == 18, and op_eig [18] == OP_A.

- [F] CID 1415812 (hp2100_cpu2.c:524): Uninitialized scalar variable (UNINIT)
  6. uninit_use_in_call: Using uninitialized value op[0].word when calling mp_dms_jmp
  Claims "3. Condition op_eig[entry] != (0U /* 0 << 0 * 4 */), taking false branch."
  ==> but entry == 30, and op_eig [30] == OP_A.

- [F] CID 1415851 (hp2100_cpu2.c:1110): Uninitialized scalar variable (UNINIT)
  13. uninit_use_in_call: Using uninitialized value op[0].word when calling iogrp
  Claims "11. Condition op_iop[entry] != (0U /* 0 << 0 * 4 */), taking false branch"
  ==> but entry == 11, and op_iop [11] == OP_CV.

- [F] CID 1415820 (hp2100_cpu3.c:805): Uninitialized scalar variable (UNINIT)
  4. uninit_use_in_call: Using uninitialized value op[0].word when calling WriteOp.
  Claims "2.
  Condition op_dbi[entry] != (0U /* 0 << 0 * 4 */), taking false branch."
  ==> but entry == 11, and op_dbi [11] == OP_A.

- [F] CID 1415848 (hp2100_cpu3.c:535): Uninitialized scalar variable (UNINIT)
  7. uninit_use_in_call: Using uninitialized value op[0] when calling fp_nrpack
  Claims "3. Condition op_ffp_e[entry] != (0U /* 0 << 0 * 4 */), taking false branch."
  ==> but entry == 24, and op_ffp_e [24] = OP_RC.

- [F] CID 1415834 (hp2100_cpu4.c:424): Uninitialized scalar variable (UNINIT)
  6. uninit_use_in_call: Using uninitialized value op[1].word when calling WriteOp
  Claims "4. Condition op_fpp[entry] != (0U /* 0 << 0 * 4 */), taking false branch."
  ==> but entry == 81, and op_fpp [81] = OP_IA.

- [F] CID 1415852 (hp2100_cpu4.c:1057): Uninitialized scalar variable (UNINIT)
  4. uninit_use_in_call: Using uninitialized value op[0].word when calling ReadOp

- [F] CID 1415845 (hp2100_cpu5.c:779): Uninitialized scalar variable (UNINIT)
  5. uninit_use_in_call: Using uninitialized value op[0].word when calling ReadOp

- [F] CID 1415850 (hp2100_cpu5.c:1411): Uninitialized scalar variable (UNINIT)
  5. uninit_use_in_call: Using uninitialized value op[1].word when calling cpu_ema_mmap

- [F] CID 1415839 (hp2100_cpu6.c:668): Uninitialized scalar variable (UNINIT)
  11. uninit_use: Using uninitialized value op[0].word

- [F] CID 1415809 (hp2100_cpu7.c:467): Uninitialized scalar variable (UNINIT)
  9. uninit_use_in_call: Using uninitialized value rtn when calling cpu_ema_vset
  Claims "5. Condition op_ftnret[entry], taking false branch."
  ==> but entry == 14, and op_ftnret[14] == TRUE.

- [F] CID 1415831 (hp2100_cpu7.c:458): Uninitialized scalar variable (UNINIT)
  7. uninit_use_in_call: Using uninitialized value op[0].word when calling cpu_ema_eseg

- [F] CID 1415854 (hp2100_cpu7.c:925): Uninitialized scalar variable (UNINIT)
  5. uninit_use: Using uninitialized value op[1].word

- [F] CID 1415778 (hp2100_di.c:1910): Copy into fixed size buffer (STRING_OVERFLOW)
  5.
  fixed_size_dest: You might overrun the 40-character fixed-size string mnemonics by copying cntl_names[signal] without checking the length.
  ==> but the maximum possible string length is 34.

- [F] CID 1415637 (hp2100_disclib.c:877): Explicit null dereferenced (FORWARD_NULL)
  15. var_deref_op: Dereferencing null pointer rptr
  Claims "14. Condition drive_status(rptr) & (2 /* 1 << 1 */), taking false branch."
  ==> but if rptr == NULL, then drive_status returns DL_S2NR, so the TRUE branch is taken.

- [F] CID 1415689 (hp2100_disclib.c:817): Dereference after null check (FORWARD_NULL)
  14. var_deref_op: Dereferencing null pointer uptr.
  Claims "12. Switch case value Cold_Load_Read" and "2. Condition props->unit_field, taking true branch." and "4. Condition unit > unit_limit, taking true branch."
  ==> but Cold_Load_Read's unit_field is FALSE, so unit = 0, so unit > unit_limit CANNOT be true.

- [F] CID 1415559 (hp2100_dp.c:646): Missing break in switch (MISSING_BREAK)
  unterminated_case: The case for value 0 is not terminated by a 'break' statement
  ==> but the fall-through execution is correct; a status request schedules a data channel transfer.

- [F] CID 1415732 (hp2100_ms.c:871): Out-of-bounds write (OVERRUN)
  7. overrun-local: Overrunning array msxb of 65536 bytes at byte offset 65536 using index ms_ptr + 1U (which evaluates to 65536).
  Claims "6. cond_at_most: Checking ms_ptr < 65536U implies that ms_ptr may be up to 65535 on the true branch."
  ==> but ms_ptr is always an even count (starts at 0, always incremented by 2).

- [F] CID 1439491 (sim_tape.c:1776): Unchecked return value from library (CHECKED_RETURN)
  Claims "Calling sim_fread(&metadatum, 4UL, 1UL, uptr->fileref) without checking return value. It wraps a library function that may fail and return an error code."
  ==> but ferror() is called immediately after, and feof() cannot be true because of the sim_tape_bot check preceding.
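The CID 1415732 rebuttal above rests on an invariant (ms_ptr is always even) that the checked code never states, which is why the analyzer cannot see it. As an added example, not the simulator's code, here is the flagged shape beside a form whose bound covers the last byte written, so that the reasoning no longer depends on parity; the buffer struct, the word layout and "fill_from" are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MSXB_SIZE 65536u     /* buffer size quoted in the report */

/* Constructed record buffer for this example. */
typedef struct {
    uint8_t  msxb[MSXB_SIZE];
    uint32_t ms_ptr;         /* next free byte; starts at 0, advanced by 2 per word */
} ms_buffer;

/* Shape the analyzer flagged: the test admits ms_ptr == 65535, and the second
 * store would then hit msxb[65536].  It is safe only because ms_ptr is always
 * even, an invariant this function relies on but nowhere expresses. */
static bool put_word_implicit(ms_buffer *b, uint16_t word)
{
    if (b->ms_ptr < MSXB_SIZE) {
        b->msxb[b->ms_ptr]     = (uint8_t)(word >> 8);
        b->msxb[b->ms_ptr + 1] = (uint8_t)(word & 0xFF);   /* flagged store */
        b->ms_ptr += 2;
        return true;
    }
    return false;
}

/* Same behaviour with the bound placed on the last byte written: both bytes
 * must fit whatever the parity of ms_ptr, so the analyzer and the next reader
 * can verify it without knowing how ms_ptr is advanced. */
static bool put_word_explicit(ms_buffer *b, uint16_t word)
{
    if (b->ms_ptr > MSXB_SIZE - 2)
        return false;                                       /* no room for two bytes */
    b->msxb[b->ms_ptr]     = (uint8_t)(word >> 8);
    b->msxb[b->ms_ptr + 1] = (uint8_t)(word & 0xFF);
    b->ms_ptr += 2;
    return true;
}

/* Zeroes the buffer, sets ms_ptr to "start", and appends words until the
 * chosen writer refuses; returns the number of words accepted.  The implicit
 * form is only ever driven from an even offset, because from an odd one it
 * would overrun (the very case the explicit form rejects by itself). */
uint32_t fill_from(ms_buffer *b, uint32_t start, bool use_explicit)
{
    uint32_t words = 0;

    if (!use_explicit && (start & 1u))
        return 0;
    memset(b, 0, sizeof *b);
    b->ms_ptr = start;
    while (use_explicit ? put_word_explicit(b, 0xA55A)
                        : put_word_implicit(b, 0xA55A))
        words++;
    return words;
}
```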