Commit graph

6101 commits

Author SHA1 Message Date
Peter Maydell 3fc86e1901
target/arm: Don't abort on M-profile exception return in linux-user mode
An attempt to do an exception-return (branch to one of the magic
addresses) in linux-user mode for M-profile should behave like
a normal branch, because linux-user mode is always going to be
in 'handler' mode. This used to work, but we broke it when we added
support for the M-profile security extension in commit d02a8698d7ae2bfed.

In that commit we allowed even handler-mode calls to magic return
values to be checked for and dealt with by causing an
EXCP_EXCEPTION_EXIT exception to be taken, because this is
needed for the FNC_RETURN return-from-non-secure-function-call
handling. For system mode we added a check in do_v7m_exception_exit()
to make any spurious calls from Handler mode behave correctly, but
forgot that linux-user mode would also be affected.

How an attempted return-from-non-secure-function-call in linux-user
mode should be handled is not clear -- on real hardware it would
result in return to secure code (not to the Linux kernel) which
could then handle the error in any way it chose. For QEMU we take
the simple approach of treating this erroneous return the same way
it would be handled on a CPU without the security extensions --
treat it as a normal branch.

The upshot of all this is that for linux-user mode we should never
do any of the bx_excret magic, so the code change is simple.

This ought to be a weird corner case that only affects broken guest
code (because Linux user processes should never be attempting to do
exception returns or NS function returns), except that the code that
assigns addresses in RAM for the process and stack in our linux-user
code does not attempt to avoid this magic address range, so
legitimate code attempting to return to a trampoline routine on the
stack can fall into this case. This change fixes those programs,
but we should also look at restricting the range of memory we
use for M-profile linux-user guests to the area that would be
real RAM in hardware.

Backports commit 9027d3fba605d8f6093342ebe4a1da450d374630 from qemu
2019-11-18 16:30:43 -05:00
Peter Maydell 8f7f19ce43
target/arm: Free TCG temps in trans_VMOV_64_sp()
The function neon_store_reg32() doesn't free the TCG temp that it
is passed, so the caller must do that. We got this right in most
places but forgot to free the TCG temps in trans_VMOV_64_sp().

Backports commit 38fb634853ac6547326d9f88b9a068d9fc6b4ad4 from qemu
2019-11-18 16:27:21 -05:00
Peter Maydell 96f2342a21
Update version for v4.1.0 release
Backports commit 9e06029aea3b2eca1d5261352e695edc1e7d7b8b from qemu
2019-11-18 16:25:50 -05:00
Peter Maydell 0f45c5565f
Update version for v4.1.0-rc5 release
Backports commit f28ed74fd116491e31329044d140fde4aa23b2a0 from qemu
2019-11-18 16:25:18 -05:00
naq 6768d02191
x86: setup FS & GS base
Backports commit b90427e8d8ac1c98f4817c0bcb5cd2a66c8eaed1 from unicorn.
2019-08-08 20:26:45 -04:00
Stephen 4db8802217
remove broken iOS builds (#1109)
Backports commit ca6cb2368fb8b669d083af5e893a2e294b65a246 from unicorn.
2019-08-08 20:09:05 -04:00
kj.xwings.l 038b4f3345
Removed hardcoded CP0C3_ULRI (#1098)
* activate CP0C3_ULRI for CONFIG3, mips

* updated with mips patches

* updated with mips patches

* remove hardcoded config3

* git ignore vscode

* fix spacing issue and turn on floating point

Backports most of commit 24f55a7973278f20f0de21b904851d99d4716263 from
unicorn. Ignores internal core modifications, as this would be
special-casing non-upstreamed behavior.
2019-08-08 20:08:57 -04:00
Ryan Houdek deeeb1d0b9
Fixes register reading and writing for XMM8-15 on x86-64 (#1090)
Backports commit ae6e3c193d569180c6ada3ac2b01c11aef34e714 from unicorn
2019-08-08 20:01:23 -04:00
Starlet Leonhart 3b3e4fc4ca
Add ARM64 Android support in make.sh (#1099)
* Add Android ARM64 support.

* Fix some things

Backports commit 0cd69ee03b3c4420e22653f752f0b0aec558805f from qemu
2019-08-08 19:59:37 -04:00
Peter Maydell 8ddcbd349a
Update version for v4.1.0-rc4 release
Backports commit 864ab314f1d924129d06ac7b571f105a2b76a4b2 from qemu
2019-08-08 19:57:53 -04:00
Peter Maydell c6041bf94b
target/arm: Avoid bogus NSACR traps on M-profile without Security Extension
In Arm v8.0 M-profile CPUs without the Security Extension and also in
v7M CPUs, there is no NSACR register. However, the code we have to handle
the FPU does not always check whether the ARM_FEATURE_M_SECURITY bit
is set before testing whether env->v7m.nsacr permits access to the
FPU. This means that for a CPU with an FPU but without the Security
Extension we would always take a bogus fault when trying to stack
the FPU registers on an exception entry.

We could fix this by adding extra feature bit checks for all uses,
but it is simpler to just make the internal value of nsacr 0xcff
("all non-secure accesses allowed"), since this is not guest
visible when the Security Extension is not present. This allows
us to continue to follow the Arm ARM pseudocode which takes a
similar approach. (In particular, in the v8.1 Arm ARM the register
is documented as reading as 0xcff in this configuration.)

Fixes: https://bugs.launchpad.net/qemu/+bug/1838475

Backports commit 02ac2f7f613b47f6a5b397b20ab0e6b2e7fb89fa from qemu
2019-08-08 19:56:56 -04:00
Peter Maydell db7053c382
Update version for v4.1.0-rc3 release
Backports commit 3bd6cbbb181b6ae60a1d1f33ccd325b45f71aa2a from qemu
2019-08-08 19:56:12 -04:00
Lioncash 59d808cf21
target/arm: Supply uc_struct instance to tcg_enabled() 2019-08-08 19:55:12 -04:00
Peter Maydell ecd3f0a5df
target/arm: Deliver BKPT/BRK exceptions to correct exception level
Most Arm architectural debug exceptions (eg watchpoints) are ignored
if the configured "debug exception level" is below the current
exception level (so for example EL1 can't arrange to get debug exceptions
for EL2 execution). Exceptions generated by the BRK or BPKT instructions
are a special case -- they must always cause an exception, so if
we're executing above the debug exception level then we
must take them to the current exception level.

This fixes a bug where executing BRK at EL2 could result in an
exception being taken at EL1 (which is strictly forbidden by the
architecture).

Fixes: https://bugs.launchpad.net/qemu/+bug/1838277

Backports commit 987a23224218fa3bb3aa0024ad236dcf29ebde9e from qemu
2019-08-08 19:53:30 -04:00
Paul Lai 3b8e2180e7
i386: Fix Snowridge CPU model name and features
Changing the name to Snowridge from SnowRidge-Server.
There is no client model of Snowridge, so "-Server" is unnecessary.

Removing CPUID_EXT_VMX from Snowridge cpu feature list.

Backports commit ff656fcd338a70c4d9783a800733c4ab3806e5b0 from qemu
2019-08-08 19:52:23 -04:00
Peter Maydell a89fe5e865
Update version for v4.1.0-rc2 release
Backports commit bf8b024372bf8abf5a9f40bfa65eeefad23ff988 from qemu
2019-08-08 19:51:38 -04:00
Aleksandar Markovic e2bc3161b4
target/mips: Fix emulation of MSA pack instructions on big endian hosts
Fix emulation of MSA pack instructions on big endian hosts.

Backports commit 51229582583a4b64e93f2655153d905e4d8583d2 from qemu
2019-08-08 19:51:34 -04:00
Aleksandar Markovic 812f3e4fed
target/mips: Add 'fall through' comments for handling nanoMips' SHXS, SWXS
This was found by GCC 8.3 static analysis.

Missed in commit fb32f8c8560.

Backports commit 45152d050213a1221a5a900283976454bf6308bf from qemu
2019-08-08 19:45:25 -04:00
Peter Maydell fbbd582fb9
target/arm: Limit ID register assertions to TCG
In arm_cpu_realizefn() we make several assertions about the values of
guest ID registers:
* if the CPU provides AArch32 v7VE or better it must advertise the
ARM_DIV feature
* if the CPU provides AArch32 A-profile v6 or better it must
advertise the Jazelle feature

These are essentially consistency checks that our ID register
specifications in cpu.c didn't accidentally miss out a feature,
because increasingly the TCG emulation gates features on the values
in ID registers rather than using old-style checks of ARM_FEATURE_FOO
bits.

Unfortunately, these asserts can cause problems if we're running KVM,
because in that case we don't control the values of the ID registers
-- we read them from the host kernel. In particular, if the host
kernel is older than 4.15 then it doesn't expose the ID registers via
the KVM_GET_ONE_REG ioctl, and we set up dummy values for some
registers and leave the rest at zero. (See the comment in
target/arm/kvm64.c kvm_arm_get_host_cpu_features().) This set of
dummy values is not sufficient to pass our assertions, and so on
those kernels running an AArch32 guest on AArch64 will assert.

We could provide a more sophisticated set of dummy ID registers in
this case, but that still leaves the possibility of a host CPU which
reports bogus ID register values that would cause us to assert. It's
more robust to only do these ID register checks if we're using TCG,
as that is the only case where this is truly a QEMU code bug.

Backports commit 8f4821d77e465bc2ef77302d47640d5a43d92b30 from qemu
2019-08-08 19:44:16 -04:00
Philippe Mathieu-Daudé 9bd010263a
target/arm: Add missing break statement for Hypervisor Trap Exception
Reported by GCC9 when building with -Wimplicit-fallthrough=2:

target/arm/helper.c: In function ‘arm_cpu_do_interrupt_aarch32_hyp’:
target/arm/helper.c:7958:14: error: this statement may fall through [-Werror=implicit-fallthrough=]
7958 | addr = 0x14;
| ~~~~~^~~~~~
target/arm/helper.c:7959:5: note: here
7959 | default:
| ^~~~~~~
cc1: all warnings being treated as errors

Backports commit 9bbb4ef991fa93323f87769a6e217c2b9273a128 from qemu
2019-08-08 19:43:01 -04:00
Denis V. Lunev 556806ad2b
i386: indicate that 'pconfig' feature was removed intentionally
pconfig feature was added in 5131dc433df and removed in 712f807e196.
This patch mark this feature as known to QEMU and removed by
intentinally. This follows the convention of 9ccb9784b57 and f1a23522b03
dealing with 'osxsave' and 'ospke'.

Backports commit 2924ab02c28ce8d32da144a6ae8bfc5a8d7e072b from qemu
2019-08-08 19:41:55 -04:00
Peter Maydell 19ed270ec4
Update version for v4.1.0-rc1 release
Backports commit 0b18cfb8f1828c905139b54c8644b0d8f4aad879 from qemu
2019-08-08 19:41:03 -04:00
King Wang f02b6492a5
memory: unref the memory region in simplify flatview
The memory region reference is increased when insert a range
into flatview range array, then decreased by destroy flatview.
If some flat range merged by flatview_simplify, the memory region
reference can not be decreased by destroy flatview any more.

In this case, start virtual machine by the command line:
qemu-system-x86_64
-name guest=ubuntu,debug-threads=on
-machine pc,accel=kvm,usb=off,dump-guest-core=off
-cpu host
-m 16384
-realtime mlock=off
-smp 8,sockets=2,cores=4,threads=1
-object memory-backend-file,id=ram-node0,prealloc=yes,mem-path=/dev/hugepages,share=yes,size=8589934592
-numa node,nodeid=0,cpus=0-3,memdev=ram-node0
-object memory-backend-file,id=ram-node1,prealloc=yes,mem-path=/dev/hugepages,share=yes,size=8589934592
-numa node,nodeid=1,cpus=4-7,memdev=ram-node1
-no-user-config
-nodefaults
-rtc base=utc
-no-shutdown
-boot strict=on
-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2
-device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x2
-device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x3
-drive file=ubuntu.qcow2,format=qcow2,if=none,id=drive-virtio-disk0,cache=none,aio=native
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1
-chardev pty,id=charserial0
-device isa-serial,chardev=charserial0,id=serial0
-device usb-tablet,id=input0,bus=usb.0,port=1
-vnc 0.0.0.0:0
-device VGA,id=video0,vgamem_mb=16,bus=pci.0,addr=0x5
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6
-msg timestamp=on

And run the script in guest OS:
while true
do
setpci -s 00:06.0 04.b=03
setpci -s 00:06.0 04.b=07
done

I found the reference of node0 HostMemoryBackendFile is a big one.
(gdb) p numa_info[0]->node_memdev->parent.ref
$6 = 1636278
(gdb)

Backports commit 838ec1177c45812ff177a35ff93990e9eb7f70c3 from qemu
2019-08-08 19:39:34 -04:00
Aleksandar Markovic 572c95e709
target/mips: Add missing 'break' for certain cases of MTTR handling
This was found by GCC 8.3 static analysis.

Fixes: ead9360e2fb

Backports commit 0d0304f2c4967c892a3216638fc4cb078afa2b44 from qemu
2019-08-08 19:38:18 -04:00
Aleksandar Markovic 720aff63da
target/mips: Add missing 'break' for certain cases of MFTR handling
This was found by GCC 8.3 static analysis.

Fixes: ead9360e2fb

Backports commit f1fadbb27af04115c9d24e0902d88a38d0266854 from qemu
2019-08-08 19:37:34 -04:00
Aleksandar Markovic b2aa75be33
target/mips: Add missing 'break' for a case of MTHC0 handling
This was found by GCC 8.3 static analysis.

Fixes: 5fb2dcd1792

Backports commit ab8c34105a0ddd0c05159fb76919a18de8df4e8f from qemu
2019-08-08 19:36:39 -04:00
Peter Maydell cdb9422f3a
target/arm: NS BusFault on vector table fetch escalates to NS HardFault
In the M-profile architecture, when we do a vector table fetch and it
fails, we need to report a HardFault. Whether this is a Secure HF or
a NonSecure HF depends on several things. If AIRCR.BFHFNMINS is 0
then HF is always Secure, because there is no NonSecure HardFault.
Otherwise, the answer depends on whether the 'underlying exception'
(MemManage, BusFault, SecureFault) targets Secure or NonSecure. (In
the pseudocode, this is handled in the Vector() function: the final
exc.isSecure is calculated by looking at the exc.isSecure from the
exception returned from the memory access, not the isSecure input
argument.)

We weren't doing this correctly, because we were looking at
the target security domain of the exception we were trying to
load the vector table entry for. This produces errors of two kinds:
* a load from the NS vector table which hits the "NS access
to S memory" SecureFault should end up as a Secure HardFault,
but we were raising an NS HardFault
* a load from the S vector table which causes a BusFault
should raise an NS HardFault if BFHFNMINS == 1 (because
in that case all BusFaults are NonSecure), but we were raising
a Secure HardFault

Correct the logic.

We also fix a comment error where we claimed that we might
be escalating MemManage to HardFault, and forgot about SecureFault.
(Vector loads can never hit MPU access faults, because they're
always aligned and always use the default address map.)

Backports commit 51c9122e92b776a3f16af0b9282f1dc5012e2a19 from qemu
2019-08-08 19:32:53 -04:00
Peter Maydell 8ec683b874
target/arm: Set VFP-related MVFR0 fields for arm926 and arm1026
The ARMv5 architecture didn't specify detailed per-feature ID
registers. Now that we're using the MVFR0 register fields to
gate the existence of VFP instructions, we need to set up
the correct values in the cpu->isar structure so that we still
provide an FPU to the guest.

This fixes a regression in the arm926 and arm1026 CPUs, which
are the only ones that both have VFP and are ARMv5 or earlier.
This regression was introduced by the VFP refactoring, and more
specifically by commits 1120827fa182f0e76 and 266bd25c485597c,
which accidentally disabled VFP short-vector support and
double-precision support on these CPUs.

Backports commit cb7cef8b32033f6284a47d797edd5c19c5491698 from qemu
2019-08-08 19:29:56 -04:00
Alex Bennée f893ff0b89
target/arm: report ARMv8-A FP support for AArch32 -cpu max
When we converted to using feature bits in 602f6e42cfbf we missed out
the fact (dp && arm_dc_feature(s, ARM_FEATURE_V8)) was supported for
-cpu max configurations. This caused a regression in the GCC test
suite. Fix this by setting the appropriate bits in mvfr1.FPHP to
report ARMv8-A with FP support (but not ARMv8.2-FP16).

Fixes: https://bugs.launchpad.net/qemu/+bug/1836078

Backports commit 45b1a243b81a7c9ae56235937280711dd9914ca7 from qemu
2019-08-08 19:28:39 -04:00
Richard Henderson ec81aef8c0
include/qemu/atomic.h: Add signal_barrier
We have some potential race conditions vs our user-exec signal
handler that will be solved with this barrier.

Backports commit 359896dfa4e9707e1acea99129d324250fccab04 from qemu
2019-08-08 19:26:41 -04:00
Richard Henderson d291a311ee
tcg/aarch64: Fix output of extract2 opcodes
This patch fixes two problems:
(1) The inputs to the EXTR insn were reversed,
(2) The input constraints use rZ, which means that we need to use
the REG0 macro in order to supply XZR for a constant 0 input.

Fixes: 464c2969d5d

Backports commit 1789d4274b851fb8fdf4a947ce5474c63e813d0d from qemu
2019-08-08 19:25:37 -04:00
Richard Henderson b2d75f4955
tcg: Fix constant folding of INDEX_op_extract2_i32
On a 64-bit host, discard any replications of the 32-bit
sign bit when performing the shift and merge.

Backports commit 80f4d7c3ae216c191fb403e149bcba88d6aa40bb from qemu
2019-08-08 19:25:01 -04:00
Peter Maydell 3ee580d58f
Update version for v4.1.0-rc0 release
Backports commit 6df2cdf44a82426f7a59dcb03f0dd2181ed7fdfa from qemu
2019-08-08 19:23:58 -04:00
Richard Henderson 955661ad7b
tcg: Fix expansion of INDEX_op_not_vec
This operation can always be emitted, even if we need to
fall back to xor. Adjust the assertions to match.

Backports commit 11978f6f58f1d3d66429f7ff897524f693d823ce from qemu
2019-08-08 19:23:03 -04:00
Philippe Mathieu-Daudé 6f8c8046d8
target/arm/vfp_helper: Call set_fpscr_to_host before updating to FPSCR
In commit e9d652824b0 we extracted the vfp_set_fpscr_to_host()
function but failed at calling it in the correct place, we call
it after xregs[ARM_VFP_FPSCR] is modified.

Fix by calling this function before we update FPSCR.

Backports commit 85795187f416326f87177cabc39fae1911f04c50 from qemu
2019-08-08 19:21:28 -04:00
Richard Henderson c687259bf6
target/arm: Fix sve_zcr_len_for_el
Off by one error in the EL2 and EL3 tests. Remove the test
against EL3 entirely, since it must always be true.

Backports commit 6a02a73211c5bc634fccd652777230954b83ccba from qemu
2019-08-08 19:20:35 -04:00
Eduardo Habkost 9f2ff9a66f
i386: Add Cascadelake-Server-v2 CPU model
Add new version of Cascadelake-Server CPU model, setting
stepping=5 and enabling the IA32_ARCH_CAPABILITIES MSR
with some flags.

The new feature will introduce a new host software requirement,
breaking our CPU model runnability promises. This means we can't
enable the new CPU model version by default in QEMU 4.1, because
management software isn't ready yet to resolve CPU model aliases.
This is why "pc-*-4.1" will keep returning Cascadelake-Server-v1
if "-cpu Cascadelake-Server" is specified.

Includes a test case to ensure the right combinations of
machine-type + CPU model + command-line feature flags will work
as expected.

Backports commit fd63c6d1a5f77d689ee06f6561677c012a988223 from qemu
2019-08-08 19:18:21 -04:00
Eduardo Habkost 54993f7479
i386: Replace -noTSX, -IBRS, -IBPB CPU models with aliases
The old CPU models will be just aliases for specific versions of
the original CPU models.

Backports commit 53db89d93bebe70a3e7f4c45933deffcf3e7cb62 from qemu
2019-08-08 19:14:26 -04:00
Eduardo Habkost 0128e34fdf
i386: Define -IBRS, -noTSX, -IBRS versions of CPU models
Add versions of CPU models that are equivalent to their -IBRS,
-noTSX and -IBRS variants.

The separate variants will eventually be removed and become
aliases for these CPU versions.

Backports commit d86a708815c3bec0b934760e6bdab7eb647087b8 from qemu
2019-08-08 19:08:32 -04:00
Eduardo Habkost e5e5c2fd6c
i386: Register versioned CPU models
Add support for registration of multiple versions of CPU models.

The existing CPU models will be registered with a "-v1" suffix.

The -noTSX, -IBRS, and -IBPB CPU model variants will become
versions of the original models in a separate patch, so
make sure we register no versions for them.

Backports commit dcafd1ef0af227ef87f7a6dec8fc66d7d2e2442d from qemu
2019-08-08 19:01:35 -04:00
Paul Lai 1e48962847
i386: Introduce SnowRidge CPU model
SnowRidge CPU supports Accelerator Infrastrcture Architecture (MOVDIRI,
MOVDIR64B), CLDEMOTE and SPLIT_LOCK_DISABLE.

MOVDIRI, MOVDIR64B, and CLDEMOTE are found via CPUID.
The availability of SPLIT_LOCK_DISABLE is check via msr access

References can be found in either:
https://software.intel.com/en-us/articles/intel-sdm
https://software.intel.com/en-us/download/intel-architecture-instruction-set-extensions-and-future-features-programming-reference

Backports commit 0b18874bd216f3237740d5cbd64f39cf1e02addf from qemu
2019-08-08 18:26:09 -04:00
Like Xu 2c424e691c
target/i386: Add CPUID.1F generation support for multi-dies PCMachine
The CPUID.1F as Intel V2 Extended Topology Enumeration Leaf would be
exposed if guests want to emulate multiple software-visible die within
each package. Per Intel's SDM, the 0x1f is a superset of 0xb, thus they
can be generated by almost same code as 0xb except die_offset setting.

If the number of dies per package is greater than 1, the cpuid_min_level
would be adjusted to 0x1f regardless of whether the host supports CPUID.1F.
Likewise, the CPUID.1F wouldn't be exposed if env->nr_dies < 2.

Backports commit a94e1428991f741e2c6636e7c8df7f8d1905d983 from qemu
2019-08-08 18:24:46 -04:00
Like Xu d2410074d8
i386: Update new x86_apicid parsing rules with die_offset support
In new sockets/dies/cores/threads model, the apicid of logical cpu could
imply die level info of guest cpu topology thus x86_apicid_from_cpu_idx()
need to be refactored with #dies value, so does apicid_*_offset().

To keep semantic compatibility, the legacy pkg_offset which helps to
generate CPUIDs such as 0x3 for L3 cache should be mapping to die_offset.

Backports commit d65af288a84d8bf8c27e55d45545f52f016c08a7 from qemu
2019-08-08 18:22:03 -04:00
Lioncash a82e4efa24
i386/cpu: Consolidate die-id validity in smp context
The field die_id (default as 0) and has_die_id are introduced to X86CPU.
Following the legacy smp check rules, the die_id validity is added to
the same contexts as leagcy smp variables such as hmp_hotpluggable_cpus(),
machine_set_cpu_numa_node(), cpu_slot_to_string() and pc_cpu_pre_plug().

Backports relevant bits from 176d2cda0dee9f4f78f604ad72d6a111e8e38f3b
from qemu
2019-08-08 18:14:27 -04:00
Like Xu efd887b992
i386: Add die-level cpu topology to x86CPU on PCMachine
The die-level as the first PC-specific cpu topology is added to the leagcy
cpu topology model, which has one die per package implicitly and only the
numbers of sockets/cores/threads are configurable.

In the new model with die-level support, the total number of logical
processors (including offline) on board will be calculated as:

\#cpus = #sockets * #dies * #cores * #threads

and considering compatibility, the default value for #dies would be
initialized to one in x86_cpu_initfn() and pc_machine_initfn().

Backports commit c26ae610811e8d52f4fc73e3ae0a8bc4a24d6763 from qemu
2019-08-08 18:10:42 -04:00
Peter Maydell 1f4c3d6bcc
target/arm: Correct VMOV_imm_dp handling of short vectors
Coverity points out (CID 1402195) that the loop in trans_VMOV_imm_dp()
that iterates over the destination registers in a short-vector VMOV
accidentally throws away the returned updated register number
from vfp_advance_dreg(). Add the missing assignment. (We got this
correct in trans_VMOV_imm_sp().)

Backports commit 89a11ff756410aecb87d2c774df6e45dbf4105c1 from qemu
2019-08-08 18:08:55 -04:00
Peter Maydell 0d89bce217
target/arm: Execute Thumb instructions when their condbits are 0xf
Thumb instructions in an IT block are set up to be conditionally
executed depending on a set of condition bits encoded into the IT
bits of the CPSR/XPSR. The architecture specifies that if the
condition bits are 0b1111 this means "always execute" (like 0b1110),
not "never execute"; we were treating it as "never execute". (See
the ConditionHolds() pseudocode in both the A-profile and M-profile
Arm ARM.)

This is a bit of an obscure corner case, because the only legal
way to get to an 0b1111 set of condbits is to do an exception
return which sets the XPSR/CPSR up that way. An IT instruction
which encodes a condition sequence that would include an 0b1111 is
UNPREDICTABLE, and for v8A the CONSTRAINED UNPREDICTABLE choices
for such an IT insn are to NOP, UNDEF, or treat 0b1111 like 0b1110.
Add a comment noting that we take the latter option.

Backports commit 5529de1e5512c05276825fa8b922147663fd6eac from qemu
2019-08-08 18:07:57 -04:00
Peter Maydell 9d01d50db8
target/arm: Use _ra versions of cpu_stl_data() in v7M helpers
In the various helper functions for v7M/v8M instructions, use
the _ra versions of cpu_stl_data() and friends. Otherwise we
may get wrong behaviour or an assert() due to not being able
to locate the TB if there is an exception on the memory access
or if it performs an IO operation when in icount mode

Backports commit 2884fbb60412049ec92389039ae716b32057382e from qemu
2019-08-08 18:06:23 -04:00
Philippe Mathieu-Daudé bde186433d
target/arm/helper: Move M profile routines to m_helper.c
In preparation for supporting TCG disablement on ARM, we move most
of TCG related v7m/v8m helpers and APIs into their own file.

Note: It is easier to review this commit using the 'histogram'
diff algorithm:

$ git diff --diff-algorithm=histogram ...
or
$ git diff --histogram ...

Backports commit 7aab5a8c8bb525ea390b4ebc17ab82c0835cfdb6 from qemu
2019-08-08 18:04:08 -04:00
Philippe Mathieu-Daudé 199e2f8a7d
target/arm: Restrict semi-hosting to TCG
Semihosting hooks either SVC or HLT instructions, and inside KVM
both of those go to EL1, ie to the guest, and can't be trapped to
KVM.

Let check_for_semihosting() return False when not running on TCG.

backports commit 91f78c58da9ba78c8ed00f5d822b701765be8499 from qemu
2019-08-08 17:48:34 -04:00