Commit graph

82 commits

Author SHA1 Message Date
Onur Sahin 18e6b1549f
target-arm: Check undefined opcodes for SWP in A32 decoder
Make sure we are not treating architecturally Undefined instructions
as a SWP, by verifying the opcodes as per section A8.8.229 of ARMv7-A
specification. Bits [21:20] must be zero for this to be a SWP or SWPB.
We also choose to UNDEF for the architecturally UNPREDICTABLE case of
bits [11:8] not being zero.

Backports commit c4869ca630a57f4269bb932ec7f719cef5bc79b8 from qemu
2018-04-11 19:30:50 -04:00
Peter Maydell 7a3ee5fd95
target/arm: Honour MDCR_EL2.TDE when routing exceptions due to BKPT/BRK
The MDCR_EL2.TDE bit allows the exception level targeted by debug
exceptions to be set to EL2 for code executing at EL0. We handle
this in the arm_debug_target_el() function, but this is only used for
hardware breakpoint and watchpoint exceptions, not for the exception
generated when the guest executes an AArch32 BKPT or AArch64 BRK
instruction. We don't have enough information for a translate-time
equivalent of arm_debug_target_el(), so instead make BKPT and BRK
call a special purpose helper which can do the routing, rather than
the generic exception_with_syndrome helper.

Backports commit c900a2e62dd6dde11c8f5249b638caad05bb15be from qemu
2018-03-25 16:33:04 -04:00
Lioncash 14c1fcd5bf
target/arm/translate: Correct bad merge 2018-03-12 11:17:37 -04:00
Richard Henderson 85cfb78ea2
target/arm: Decode t32 simd 3reg and 2reg_scalar extension
Happily, the bits are in the same places compared to a32.

Backports commit 0052087efb8a5c0e29ddc2f59f8476fcdc6495b2 from qemu
2018-03-09 01:11:14 -05:00
Richard Henderson e5da25aaf8
target/arm: Decode aa32 armv8.3 2-reg-index
Backports commit 638808ff8a0c0d62333822d3756e5d98f9f369c3 from qemu
2018-03-09 01:09:59 -05:00
Richard Henderson 69890ae145
target/arm: Decode aa32 armv8.3 3-same
Backports commit 8b7209fae730813d722b17a8a13b6a16c84616c8 from qemu
2018-03-09 01:08:26 -05:00
Richard Henderson 78b0b9c523
target/arm: Decode aa32 armv8.1 two reg and a scalar
Backports commit 61adacc8f589539ac6b25cfcbd6e099357188974 from qemu
2018-03-09 00:24:14 -05:00
Richard Henderson ca4ceb2dd7
target/arm: Decode aa32 armv8.1 three same
Backports commit 36a719348a9744d17c6ef6bac01bcb5fcd279753 from qemu
2018-03-09 00:18:31 -05:00
Alex Bennée 27d8d01566
target/arm/helper: pass explicit fpst to set_rmode
As the rounding mode is now split between FP16 and the rest of
floating point we need to be explicit when tweaking it. Instead of
passing the CPU env we now pass the appropriate fpst pointer directly.

Backports commit 9b04991686785e18b18a36d193b68f08f7c91648 from qemu
2018-03-08 12:41:54 -05:00
Peter Maydell 8e7ecd89a4
target/arm/translate.c: Fix missing 'break' for TT insns
The code where we added the TT instruction was accidentally
missing a 'break', which meant that after generating the code
to execute the TT we would fall through to 'goto illegal_op'
and generate code to take an UNDEF insn.

Backports commit 384c6c03fb687bea239a5990a538c4bc50fdcecb from qemu
2018-03-07 11:45:39 -05:00
Richard Henderson 834e3a1d04
target/arm: Expand vector registers for SVE
Change vfp.regs as a uint64_t to vfp.zregs as an ARMVectorReg.
The previous patches have made the change in representation
relatively painless.

Backports commit c39c2b9043ec59516c80f2c6f3e8193e99d04d4b from qemu
2018-03-07 11:33:49 -05:00
Richard Henderson 404fa33c4b
target/arm: Use pointers in neon tbl helper
Rather than passing a regno to the helper, pass pointers to the
vector register directly. This eliminates the need to pass in
the environment pointer and reduces the number of places that
directly access env->vfp.regs[].

Backports commit e7c06c4e4c98c47899417f154df1f2ef4e8d09a0 from qemu
2018-03-06 10:20:21 -05:00
Richard Henderson 0bc07dd6be
target/arm: Use pointers in neon zip/uzp helpers
Rather than passing regnos to the helpers, pass pointers to the
vector registers directly. This eliminates the need to pass in
the environment pointer and reduces the number of places that
directly access env->vfp.regs[].

Backports commit b13708bbbdda54c7f7e28222b22453986c026391 from qemu
2018-03-06 10:17:51 -05:00
Richard Henderson b0578edcf7
target/arm: Use pointers in crypto helpers
Rather than passing regnos to the helpers, pass pointers to the
vector registers directly. This eliminates the need to pass in
the environment pointer and reduces the number of places that
directly access env->vfp.regs[].

Backports commit 1a66ac61af45af04688d1d15896737310e366c06 from qemu
2018-03-06 10:10:06 -05:00
Peter Maydell bfd6d3e59b
target/arm: Make disas_thumb2_insn() generate its own UNDEF exceptions
Refactor disas_thumb2_insn() so that it generates the code for raising
an UNDEF exception for invalid insns, rather than returning a flag
which the caller must check to see if it needs to generate the UNDEF
code. This brings the function in to line with the behaviour of
disas_thumb_insn() and disas_arm_insn().

Backports commit 2eea841c11096e8dcc457b80e21f3fbdc32d2590 from qemu
2018-03-06 08:50:18 -05:00
Richard Henderson 7fe5f620df
tcg: Dynamically allocate TCGOps
With no fixed array allocation, we can't overflow a buffer.
This will be important as optimizations related to host vectors
may expand the number of ops used.

Use QTAILQ to link the ops together.

Backports commit 15fa08f8451babc88d733bd411d4c94976f9d0f8 from qemu
2018-03-05 16:34:40 -05:00
Richard Henderson 5f074f09ab
tcg: Remove TCGV_UNUSED* and TCGV_IS_UNUSED*
These are now trivial sets and tests against NULL. Unwrap.

Backports commit f764718d0cb30af9f1f8e1d6a33622cc05ca4155 from qemu
2018-03-05 15:58:15 -05:00
Peter Maydell 8fe6b6c308
target/arm: Implement TT instruction
Implement the TT instruction which queries the security
state and access permissions of a memory location.

Backports commit 5158de241b0fb344a6c948dfcbc4e611ab5fafbe from qemu
2018-03-05 13:48:31 -05:00
Peter Maydell 89acdeb9af
target/arm: Split M profile MNegPri mmu index into user and priv
For M profile, we currently have an mmu index MNegPri for
"requested execution priority negative". This fails to
distinguish "requested execution priority negative, privileged"
from "requested execution priority negative, usermode", but
the two can return different results for MPU lookups. Fix this
by splitting MNegPri into MNegPriPriv and MNegPriUser, and
similarly for the Secure equivalent MSNegPri.

This takes us from 6 M profile MMU modes to 8, which means
we need to bump NB_MMU_MODES; this is OK since the point
where we are forced to reduce TLB sizes is 9 MMU modes.

(It would in theory be possible to stick with 6 MMU indexes:
{mpu-disabled,user,privileged} x {secure,nonsecure} since
in the MPU-disabled case the result of an MPU lookup is
always the same for both user and privileged code. However
we would then need to rework the TB flags handling to put
user/priv into the TB flags separately from the mmuidx.
Adding an extra couple of mmu indexes is simpler.)

Backports commit 62593718d77c06ad2b5e942727cead40775d2395 from qemu
2018-03-05 13:48:31 -05:00
Peter Maydell 352a7b2501
target/arm: Generate UNDEF for 32-bit Thumb2 insns
The refactoring of commit 296e5a0a6c3935 has a nasty bug:
it accidentally dropped the generation of code to raise
the UNDEF exception when disas_thumb2_insn() returns nonzero.
This means that 32-bit Thumb2 instruction patterns that
ought to UNDEF just act like nops instead. This is likely
to break any number of things, including the kernel's "disable
the FPU and use the UNDEF exception to identify when to turn
it back on again" trick.

Backports commit 7472e2efb049ea65a6a5e7261b78ebf5c561bc2f from qemu
2018-03-05 13:48:29 -05:00
Peter Maydell 33d42df60c
translate.c: Fix usermode big-endian AArch32 LDREXD and STREXD
For AArch32 LDREXD and STREXD, architecturally the 32-bit word at the
lowest address is always Rt and the one at addr+4 is Rt2, even if the
CPU is big-endian. Our implementation does these with a single
64-bit store, so if we're big-endian then we need to put the two
32-bit halves together in the opposite order to little-endian,
so that they end up in the right places. We were trying to do
this with the gen_aa32_frob64() function, but that is not correct
for the usermode emulator, because there there is a distinction
between "load a 64 bit value" (which does a BE 64-bit access
and doesn't need swapping) and "load two 32 bit values as one
64 bit access" (where we still need to do the swapping, like
system mode BE32).

Backports commit 3448d47b3172015006b79197eb5a69826c6a7b6d from qemu
2018-03-05 11:39:29 -05:00
Stefano Stabellini 1212c9b73c
fix WFI/WFE length in syndrome register
WFI/E are often, but not always, 4 bytes long. When they are, we need to
set ARM_EL_IL_SHIFT in the syndrome register.

Pass the instruction length to HELPER(wfi), use it to decrement pc
appropriately and to pass an is_16bit flag to syn_wfx, which sets
ARM_EL_IL_SHIFT if needed.

Set dc->insn in both arm_tr_translate_insn and thumb_tr_translate_insn.

Backports commit 58803318e5a546b2eb0efd7a053ed36b6c29ae6f from qemu
2018-03-05 11:21:51 -05:00
Peter Maydell 0c06666800
target/arm: Implement SG instruction corner cases
The common situation of the SG instruction is that it is
executed from S&NSC memory by a CPU in NS state. That case
is handled by v7m_handle_execute_nsc(). However the instruction
also has defined behaviour in a couple of other cases:
* SG instruction in NS memory (behaves as a NOP)
* SG in S memory but CPU already secure (clears IT bits and
does nothing else)
* SG instruction in v8M without Security Extension (NOP)

These can be implemented in translate.c.

Backports commit 76eff04d166b8fe747adbe82de8b7e060e668ff9 from qemu
2018-03-05 03:47:20 -05:00
Peter Maydell 272427b4a0
target/arm: Support some Thumb insns being always unconditional
A few Thumb instructions are always unconditional even inside an
IT block (as opposed to being UNPREDICTABLE if used inside an
IT block): BKPT, the v8M SG instruction, and the A profile
HLT (debug halt) instruction.

This means we need to suppress the jump-over-instruction-on-condfail
code generation (though the IT state still advances as usual and
subsequent insns in the IT block may be conditional).

Backports commit dcf14dfb704519846f396a376339ebdb93eaf049 from qemu
2018-03-05 03:46:10 -05:00
Peter Maydell 7a293cd7cc
target-arm: Simplify insn_crosses_page()
Recent changes have left insn_crosses_page() more complicated
than it needed to be:
* it's only called from thumb_tr_translate_insn() so we know
for certain that we're looking at a Thumb insn
* the caller's check for dc->pc >= dc->next_page_start - 3
means that dc->pc can't possibly be 4 aligned, so there's
no need to check that (the check was partly there to ensure
that we didn't treat an ARM insn as Thumb, I think)
* we now have thumb_insn_is_16bit() which lets us do a precise
check of the length of the next insn, rather than opencoding
an inaccurate check

Simplify it down to just loading the first half of the insn
and calling thumb_insn_is_16bit() on it.

Backports commit 5b8d7289e9e92a0d7bcecb93cd189e245fef10cd from qemu
2018-03-05 03:44:54 -05:00
Peter Maydell 96f86f472a
target/arm: Pull Thumb insn word loads up to top level
Refactor the Thumb decode to do the loads of the instruction words at
the top level rather than only loading the second half of a 32-bit
Thumb insn in the middle of the decode.

This is simple apart from the awkward case of Thumb1, where the
BL/BLX prefix and suffix instructions live in what in Thumb2 is the
32-bit insn space. To handle these we decode enough to identify
whether we're looking at a prefix/suffix that we handle as a 16 bit
insn, or a prefix that we're going to merge with the following suffix
to consider as a 32 bit insn. The translation of the 16 bit cases
then moves from disas_thumb2_insn() to disas_thumb_insn().

The refactoring has the benefit that we don't need to pass the
CPUARMState* down into the decoder code any more, but the major
reason for doing this is that some Thumb instructions must be always
unconditional regardless of the IT state bits, so we need to know the
whole insn before we emit the "skip this insn if the IT bits and cond
state tell us to" code. (The always unconditional insns are BKPT,
HLT and SG; the last of these is 32 bits.)

Backports commit 296e5a0a6c393553079a641c50521ae33ff89324 from qemu
2018-03-05 03:43:38 -05:00
Peter Maydell b85d617bda
target-arm: Don't check for "Thumb2 or M profile" for not-Thumb1
The code which implements the Thumb1 split BL/BLX instructions
is guarded by a check on "not M or THUMB2". All we really need
to check here is "not THUMB2" (and we assume that elsewhere too,
eg in the ARCH(6T2) test that UNDEFs the Thumb2 insns).

This doesn't change behaviour because all M profile cores
have Thumb2 and so ARM_FEATURE_M implies ARM_FEATURE_THUMB2.
(v6M implements a very restricted subset of Thumb2, but we
can cross that bridge when we get to it with appropriate
feature bits.)

Backports commit 6b8acf256df09c8a8dd7dcaa79b06eaff4ad63f7 from qemu
2018-03-05 03:34:48 -05:00
Peter Maydell ee9b8a20c9
target/arm: Implement secure function return
Secure function return happens when a non-secure function has been
called using BLXNS and so has a particular magic LR value (either
0xfefffffe or 0xfeffffff). The function return via BX behaves
specially when the new PC value is this magic value, in the same
way that exception returns are handled.

Adjust our BX excret guards so that they recognize the function
return magic number as well, and perform the function-return
unstacking in do_v7m_exception_exit().

Backports commit d02a8698d7ae2bfed3b11fe5b064cb0aa406863b from qemu
2018-03-05 03:33:42 -05:00
Peter Maydell e312993f1f
target/arm: Implement BLXNS
Implement the BLXNS instruction, which allows secure code to
call non-secure code.

Backports commit 3e3fa230e3b8ffe119f14ba57a6bc677a411be57 from qemu
2018-03-05 03:31:59 -05:00
Peter Maydell 19ecd4f732
target/arm: Add M profile secure MMU index values to get_a32_user_mem_index()
Add the M profile secure MMU index values to the switch in
get_a32_user_mem_index() so that LDRT/STRT work correctly
rather than asserting at translate time.

Backports commit b9f587d62cebed427206539750ebf59bde4df422 from qemu
2018-03-05 03:25:54 -05:00
Emilio G. Cota 5fae6dd433
tcg: remove addr argument from lookup_tb_ptr
It is unlikely that we will ever want to call this helper passing
an argument other than the current PC. So just remove the argument,
and use the pc we already get from cpu_get_tb_cpu_state.

This change paves the way to having a common "tb_lookup" function.

Backports commit 7f11636dbee89b0e4d03e9e2b96e14649a7db778 from qemu
2018-03-05 02:16:34 -05:00
Peter Maydell 4b816fe0aa
target/arm: Implement BXNS, and banked stack pointers
Implement the BXNS v8M instruction, which is like BX but will do a
jump-and-switch-to-NonSecure if the branch target address has bit 0
clear.

This is the first piece of code which implements "switch to the
other security state", so the commit also includes the code to
switch the stack pointers around, which is the only complicated
part of switching security state.

BLXNS is more complicated than just "BXNS but set the link register",
so we leave it for a separate commit.

Backports commit fb602cb726b3ebdd01ef3b1732d74baf9fee7ec9 from qemu
2018-03-04 21:21:23 -05:00
Peter Maydell 59c6845ada
target/arm: Make CONTROL register banked for v8M
Make the CONTROL register banked if v8M security extensions are enabled.

Backports commit 8bfc26ea302ec03585d7258a7cf8938f76512730 from qemu
2018-03-04 21:00:58 -05:00
Peter Maydell 8ce42ad30c
target/arm: Add state field, feature bit and migration for v8M secure state
As the first step in implementing ARM v8M's security extension:
* add a new feature bit ARM_FEATURE_M_SECURITY
* add the CPU state field that indicates whether the CPU is
currently in the secure state
* add a migration subsection for this new state
(we will add the Secure copies of banked register state
to this subsection in later patches)
* add a #define for the one new-in-v8M exception type
* make the CPU debug log print S/NS status

Backports commit 1e577cc7cffd3de14dbd321de5c3ef191c6ab07f from qemu
2018-03-04 20:50:04 -05:00
Richard Henderson 6d2bcf6ed8
target/arm: Perform per-insn cross-page check only for Thumb
ARM is a fixed-length ISA and we can compute the page crossing
condition exactly once during init_disas_context.

Backports commit d0264d86b026e9d948de577b05ff86d708658576 from qemu
2018-03-04 20:42:22 -05:00
Richard Henderson ab21785d3f
target/arm: Split out thumb_tr_translate_insn
We need not check for ARM vs Thumb state in order to dispatch
disassembly of every instruction.

Backports commit 722ef0a562a8cd810297b00516e36380e2f33353 from qemu
2018-03-04 20:41:07 -05:00
Richard Henderson 23d769c856
target/arm: Move ss check to init_disas_context
We can check for single-step just once.

Backports commit f7708456aac23a8bb8864b12bcf1f20c6e4b7045 from qemu
2018-03-04 20:34:33 -05:00
Lluís Vilanova 74d437827b
target/arm: [tcg] Port to generic translation framework
Backports commit 2316922420da6fd0d1ffb5557d0cdcc5958bcf44 from qemu
2018-03-04 20:28:06 -05:00
Lluís Vilanova cc00feb2df
target/arm: [tcg,a64] Port to disas_log
Incrementally paves the way towards using the generic instruction translation
loop.

Backports commit 58350fa4b2852fede96cfebad0b26bf79bca419c from qemu
2018-03-04 20:09:39 -05:00
Lluís Vilanova 5d3ff533a1
target/arm: [tcg] Port to disas_log
Incrementally paves the way towards using the generic instruction translation
loop.

Backports commit 4013f7fc811e90b89da3a516dc71b01ca0e7e54e from qemu
2018-03-04 20:05:16 -05:00
Lluís Vilanova d8def0cdb5
target/arm: [tcg] Port to tb_stop
Incrementally paves the way towards using the generic instruction translation
loop.

Backports commit 70d3c035ae36a2c5c0f991ba958526127c92bb67 from qemu
2018-03-04 20:02:32 -05:00
Lluís Vilanova 0c4909738d
target/arm: [tcg] Port to translate_insn
Incrementally paves the way towards using the generic instruction translation
loop.

Backports commit 13189a9080b35b13af23f2be4806fa0cdbb31af3 from qemu
2018-03-04 19:44:01 -05:00
Lluís Vilanova 67e0d99080
target/arm: [tcg,a64] Port to insn_start
Incrementally paves the way towards using the generic instruction translation
loop.

Backports commit a68956ad7f8510bdc0b54793c65c62c6a94570a4 from qemu
2018-03-04 19:31:22 -05:00
Lluís Vilanova b9df4e0ca0
target/arm: [tcg] Port to insn_start
Incrementally paves the way towards using the generic instruction translation
loop.

Backports commit f62bd897e64c6fb1f93e8795e835980516fe53b5 from qemu
2018-03-04 19:25:29 -05:00
Lluís Vilanova b3878f117e
target/arm: [tcg] Port to tb_start
Incrementally paves the way towards using the generic instruction translation
loop.

Backports commit b14768544fd715a3f1742c10fc36ae81c703cbc1 from qemu
2018-03-04 19:22:20 -05:00
Lluís Vilanova 5e5c722359
target/arm: [tcg] Port to init_disas_context
Incrementally paves the way towards using the generic instruction translation
loop.

Backports commit 1d8a5535238fc5976e0542a413f4ad88f5d4b233 from qemu
2018-03-04 19:10:55 -05:00
Lluís Vilanova 8581e6f6fe
target/arm: [tcg] Port to DisasContextBase
Incrementally paves the way towards using the generic
instruction translation loop.

Backports commit dcba3a8d443842f7a30a2c52d50a6b50b6982b35 from qemu
2018-03-04 19:00:06 -05:00
Paolo Bonzini 6997a5a090
gen-icount: check cflags instead of use_icount global
Backports commit cd42d5b23691ad73edfd6dbcfc935a960a9c5a65 from qemu
2018-03-04 14:26:26 -05:00
Richard Henderson cbb20881a2
target/arm: Delay check for magic kernel page
There's nothing magic about the exception that we generate in order
to execute the magic kernel page. We can and should allow gdb to
set a breakpoint at this location.

Backports commit 3805c2eba8999049bbbea29fdcdea4d47d943c88 from qemu
2018-03-04 14:09:09 -05:00
Lluís Vilanova 3a196c62ae
target: [tcg] Use a generic enum for DISAS_ values
Used later. An enum makes expected values explicit and
bounds the value space of switches.

Backports commit 77fc6f5e28667634916f114ae04c6029cd7b9c45 from qemu
2018-03-04 14:08:43 -05:00