The TW and TSR fields should be bits 21 and 22 and not 30/29.
This was found while comparing QEMU behaviour against the sail formal
model (https://github.com/rems-project/sail-riscv/).
Backports 529577457cbba9e429af629c46204f63e50fa832
We found that the hypervisor virtual-machine load and store instructions,
included HLVX/HLV/HSV, couldn't access guest userspace memory.
In the riscv-privileged spec, HLVX/HLV/HSV is defined as follow:
"As usual when V=1, two-stage address translation is applied, and
the HS-level sstatus.SUM is ignored."
But get_physical_address() doesn't ignore sstatus.SUM, when HLVX/HLV/HSV
accesses guest userspace memory. So this patch fixes it.
Backports c63ca4ff7f81116c26984973052991ff0bd7caec
Split the hypervisor execute load functions into two seperate functions.
This avoids us having to pass the memop to the C helper functions.
Backports 7687537ab0c16e0b1e69e7707456573a64b8e13b
Remove the special Virtulisation load and store functions and just use
the standard tcg tcg_gen_qemu_ld_tl() and tcg_gen_qemu_st_tl() functions
instead.
As part of this change we ensure we still run an access check to make
sure we can perform the operations.
Backports 743077b35b1ed88ed243daefafe9403d88a958f6
The HS_TWO_STAGE flag is no longer required as the MMU index contains
the information if we are performing a two stage access.
Backports 1c1c060aa866986ef8b7eb334abbb8c104a46e5c
When performing the hypervisor load/store operations set the MMU mode to
indicate that we are virtualised.
Backports 3e5979046f3f5f65828d3950d0c3ec9846d63715
mstatus/mstatush and vsstatus/vsstatush are two halved for RISCV32.
This patch expands mstatus and vsstatus to uint64_t instead of
target_ulong so that it can be saved as one unit and reduce some
ifdefs in the code.
Backports 284d697c74ef3f4210cbccc5cd6b4894740e4ab3
VS-stage translation at get_physical_address needs to translate pte
address by G-stage translation. But the G-stage translation error
can not be distinguished from VS-stage translation error in
riscv_cpu_tlb_fill. On migration, destination needs to rebuild pte,
and this G-stage translation error must be handled by HS-mode. So
introduce TRANSLATE_STAGE2_FAIL so that riscv_cpu_tlb_fill could
distinguish and raise it to HS-mode.
Backports 33a9a57d2c31ec9ed68858911dc490b5de15f342
The HLVX.WU instruction is supposed to read a machine word,
but prior to this change it read a byte instead.
Fixes: 8c5362acb57 ("target/riscv: Allow generating hlv/hlvx/hsv instructions")
Backports 1da46012eaaeb2feb3aa6a5a8fc0a03200b673aa
When trapping from virt into HS mode, hstatus.SPVP was set to
the value of sstatus.SPP, as according to the specification both
flags should be set to the same value.
However, the assignment of SPVP takes place before SPP itself is
updated, which results in SPVP having an outdated value.
Backports ace544532c4064e995ef69ec9dc93aad62e19988
Currently we log interrupts and exceptions using the trace backend in
riscv_cpu_do_interrupt(). We also log exceptions using the interrupt log
mask (-d int) in riscv_raise_exception().
This patch converts riscv_cpu_do_interrupt() to log both interrupts and
exceptions with the interrupt log mask, so that both are printed when a
user runs QEMU with -d int.
Backports 69430111ab2fe3f32548a0e70437655d0d937a6a
clang's C11 atomic_fetch_*() functions only take a C11 atomic type
pointer argument. QEMU uses direct types (int, etc) and this causes a
compiler error when a QEMU code calls these functions in a source file
that also included <stdatomic.h> via a system header file:
$ CC=clang CXX=clang++ ./configure ... && make
../util/async.c:79:17: error: address argument to atomic operation must be a pointer to _Atomic type ('unsigned int *' invalid)
Avoid using atomic_*() names in QEMU's atomic.h since that namespace is
used by <stdatomic.h>. Prefix QEMU's APIs with 'q' so that atomic.h
and <stdatomic.h> can co-exist. I checked /usr/include on my machine and
searched GitHub for existing "qatomic_" users but there seem to be none.
This patch was generated using:
$ git grep -h -o '\<atomic\(64\)\?_[a-z0-9_]\+' include/qemu/atomic.h | \
sort -u >/tmp/changed_identifiers
$ for identifier in $(</tmp/changed_identifiers); do
sed -i "s%\<$identifier\>%q$identifier%g" \
$(git grep -I -l "\<$identifier\>")
done
I manually fixed line-wrap issues and misaligned rST tables.
Backports d73415a315471ac0b127ed3fad45c8ec5d711de1
At present the CLINT timestamp is using a hard-coded timebase
frequency value SIFIVE_CLINT_TIMEBASE_FREQ. This might not be
true for all boards.
Add a new 'timebase-freq' property to the CLINT device, and
update various functions to accept this as a parameter.
Backports a47ef6e93ab2ca1db8d5ecb61fda3c41f926a26b
Currently the reset vector address is hard-coded in a RISC-V CPU's
instance_init() routine. In a real world we can have 2 exact same
CPUs except for the reset vector address, which is pretty common in
the RISC-V core IP licensing business.
Normally reset vector address is a configurable parameter. Let's
create a 64-bit property to store the reset vector address which
covers both 32-bit and 64-bit CPUs.
Backports 9b4c9b2b2a50fe4eb90d0ac2d8723b46ecb42511
When performing a CSR access let's return a negative exception value on
an error instead of -1. This will allow us to specify the exception in
future patches.
Backports 57cb2083e638bb28616c059cbf067d99552a04bb
The minimum granularity of PMP is 4 bytes, it is small than 4KB page
size, therefore, the pmp checking would be ignored if its range doesn't
start from the alignment of one page. This patch detects the pmp entries
and sets the small page size to TLB if there is a PMP entry which cover
the page size.
Backports af3fc195e3c8e98b62eca3e4ee927f1965381dc3
The real physical address should add the 12 bits page offset. It also
causes the PMP wrong checking due to the minimum granularity of PMP is
4 byte, but we always get the physical address which is 4KB alignment,
that means, we always use the start address of the page to check PMP for
all addresses which in the same page.
Backports 9ef82119b10d996cef63af679af5c1a7a85e6c19
First, sizeof(target_ulong) equals to 4 on riscv32, so this change
does not change the function on riscv32. Second, sizeof(target_ulong)
equals to 8 on riscv64, and 'reg_index * 8 + i' is not a legal
pmp_index (we will explain later), which should be 'reg_index * 4 + i'.
If the parameter reg_index equals to 2 (means that we will change the
value of pmpcfg2, or the second pmpcfg on riscv64), then
pmpcfg_csr_write(env, 2, val) will map write tasks to
pmp_write_cfg(env, 2 * 8 + [0...7], val). However, no cfg csr is indexed
by value 16 or 23 on riscv64, so we consider it as a bug.
We are looking for constant (e.g., define a new constant named
RISCV_WORD_SIZE) in QEMU to help others understand code better,
but none was found. A possible good explanation of this literal is it is
the minimum word length on riscv is 4 bytes (32 bit).
Backports fdd33b86b20d153b131fc6259aea7a0084ab14b8
If a 32-bit input is not properly nanboxed, then the input is replaced
with the default qnan. The only inline expansion is for the sign-changing
set of instructions: FSGNJ.S, FSGNJX.S, FSGNJN.S.
Backports ffe70e4dfc9cf2a6934e674b81b69c847b403c4b
Make sure that all results from inline single-precision scalar
operations are properly nan-boxed to 64-bits.
Backports 40eaa473611936445ae9c63841445cfa6e36840b
Do not depend on the RVD extension, take input and output via
TCGv_i64 instead of fpu regno. Move the function to translate.c
so that it can be used in multiple trans_*.inc.c files.
Backports d36a86d01e67792c51dd2a82360cda012bde9442
The code currently fails to compile on 32-bit big endian hosts:
target/riscv/vector_helper.c: In function 'vext_clear':
target/riscv/vector_helper.c:154:16: error: cast to pointer from integer
of different size [-Werror=int-to-pointer-cast]
memset((void *)((uintptr_t)tail & ~(7ULL)), 0, part1);
^
target/riscv/vector_helper.c:155:16: error: cast to pointer from integer
of different size [-Werror=int-to-pointer-cast]
memset((void *)(((uintptr_t)tail + 8) & ~(7ULL)), 0, part2);
^
cc1: all warnings being treated as errors
We should not use "long long" (i.e. 64-bit) values here to avoid the
problem. Switch to our QEMU_ALIGN_PTR_DOWN/UP macros instead.
Backports 35c7f5254b608c0694b11fc9f0d2c1a4ffb216b4
Although not explicitly specified that the the destination
vector register groups cannot overlap the source vector register group,
it is still necessary.
And this constraint has been added to the v0.8 spec.
Backports 3e09396e36dff4234afd6f6fd51861949be383e1
The end address calculation for NA4 mode is wrong because the address
used isn't shifted.
It doesn't watch 4 bytes but a huge range because the end address
calculation is wrong.
The solution is to use the shifted address calculated for start address
variable.
Modifications are tested on Zephyr OS userspace test suite which works
for other RISC-V boards (E31 and E34 core).
Backports cfad709bceb629a4ebeb5d8a3acd1871b9a6436b
gvec should provide vecop_list to avoid:
"tcg_tcg_assert_listed_vecop: code should not be reached bug" assertion.
Backports 7acafcfa844fd93f5ff073077007627338bd6739
Section D6.7 of the ARM ARM states:
For the purpose of determining Tag Check Fault handling, unprivileged
load and store instructions are treated as if executed at EL0 when
executed at either:
- EL1, when the Effective value of PSTATE.UAO is 0.
- EL2, when both the Effective value of HCR_EL2.{E2H, TGE} is {1, 1}
and the Effective value of PSTATE.UAO is 0.
ARM has confirmed a defect in the pseudocode function
AArch64.TagCheckFault that makes it inconsistent with the above
wording. The remedy is to adjust references to PSTATE.EL in that
function to instead refer to AArch64.AccessUsesEL(acctype), so
that unprivileged instructions use SCTLR_EL1.TCF0 and TFSRE0_EL1.
The exception type for synchronous tag check faults remains unchanged.
This patch implements the described change by partially reverting
commits 50244cc76abc and cc97b0019bb5.
Backports 2d928adf8a9148510e1b2041145b8a873f4d26df
