Cleanup in the boilerplate that each target must define.
Replace arm_env_get_cpu with env_archcpu. The combination
CPU(arm_env_get_cpu) should have used ENV_GET_CPU to begin;
use env_cpu now.
Backports commit 2fc0cc0e1e034582f4718b1a2d57691474ccb6aa from qemu
Now that we have both ArchCPU and CPUArchState, we can define
this generically instead of via macro in each target's cpu.h.
Backports commit 29a0af618ddd21f55df5753c3e16b0625f534b3c from qemu
For all targets, into this new file move TARGET_LONG_BITS,
TARGET_PAGE_BITS, TARGET_PHYS_ADDR_SPACE_BITS,
TARGET_VIRT_ADDR_SPACE_BITS, and NB_MMU_MODES.
Include this new file from exec/cpu-defs.h.
This now removes the somewhat odd requirement that target/arch/cpu.h
defines TARGET_LONG_BITS before including exec/cpu-defs.h, so push the
bulk of the includes within target/arch/cpu.h to the top.
Backports commit 74433bf083b0766aba81534f92de13194f23ff3e from qemu
Outline places for future MSA helpers to follow the same organization
as in MSA tests.
Backports commit 7471df9f9eaca7c4495d77265864d56644a08b23 from qemu
The CPUID.01H:ECX[bit 3] ought to mirror the value of the MSR
IA32_MISC_ENABLE MWAIT bit and as userspace has control of them
both, it is userspace's job to configure both bits to match on
the initial setup.
Backports commit 4cfd7bab3f5564f6c1a23b06f73d5aa2f957cd16 from qemu
Add emulation of MMI instruction PCPYUD. The emulation is implemented
using TCG front end operations directly to achieve better performance.
Backports commit fd487f83ea92d790559813c5a0a719c30ca9ecde from qemu
Add emulation of MMI instruction PCPYLD. The emulation is implemented
using TCG front end operations directly to achieve better performance.
Backports commit b87eef31f2f8047077d79c3180e9c8e762d2a50f from qemu
Add emulation of MMI instruction PCPYH. The emulation is implemented
using TCG front end operations directly to achieve better performance.
Backports commit d3434d9f785ddaf40e0fd521ded400643ac4be09 from qemu
Realign comments to fix warnings issued by checkpatc.pl tool
"WARNING: Block comments use a leading /* on a separate line"
within "target/mips/cpu.h" file.
Backports commit 9e72f33d854b0a817c0d2fe4bca693b76f0fe776 from qemu
Add or remove space to fix errors issued by checkpatch.pl tool
"ERROR: spaces required around that..."
"ERROR: space required after that..."
"ERROR: space required before the open parenthesis"
"ERROR: space required after that..."
"ERROR: space prohibited between function name and open parenthesis"
"ERROR: code indent should never use tabs"
"ERROR: line over 90 characters"
within "target/mips/cpu.h" file.
Backports commit 8ebf2e1a68408068c0bcd0d02a783fd12f6a9cb5 from qemu
This commit addresses QEMU Bug #1825311:
mips_cpu_handle_mmu_fault renders all accessed pages executable
It allows finer-grained control over whether the accessed page should
be executable by moving the decision to the underlying map_address
function, which has more information for this.
As a result, pages that have the XI bit set in the TLB and are accessed
for read/write, don't suddenly end up being executable.
Fixes: https://bugs.launchpad.net/qemu/+bug/1825311
Fixes: 2fb58b73746e ('target-mips: add RI and XI fields to TLB entry')
Backports commit 7353113fa482e697a77575086a41f429a01f8dc0 from qemu
The old version of the helper for the INSERT.<B|H|W|D> MSA instructions
has been replaced with four helpers that don't use switch, and change
the endianness of the given index, when executed on a big endian host.
Backports commit c1c9a10fb1f7a6782711817c167a2c20b000fc12 from qemu
The old version of the helper for the COPY_U.<B|H|W> MSA instructions
has been replaced with four helpers that don't use switch, and change
the endianness of the given index, when executed on a big endian host.
Backports commit 41d288582782cf8d63241ecb6efa1e4160fe78f7 from qemu
The old version of the helper for the COPY_S.<B|H|W|D> MSA instructions
has been replaced with four helpers that don't use switch, and change
the endianness of the given index, when executed on a big endian host.
Backports commit 631c467461496dcf6d6a3e4c3d27a1433e96868e from qemu
Fix the case when the host is a big endian machine, and change
the approach toward ST.<B|H|W|D> instruction helpers.
Backports commit 6decc572dcedbf298ae30f8213b39c8b842a595a from qemu
Fix the case when the host is a big endian machine, and change
the approach toward LD.<B|H|W|D> instruction helpers.
Backports commit 83be6b54123a8f3c529554139f1d1e43356edf8d from qemu
MSA instructions MOD_<U|S>.<B|H|W|D> when dividing by zero,
didn't return the same value when executed on a referent hardware
(FPGA MIPS 64 r6, little endian) and when executed on QEMU, which
is not a real bug, because the result when dividing by zero is
UNPREDICTABLE [1] (page 255, 256).
[1] MIPS Architecture for Programmers
Volume IV-j: The MIPS64 SIMD
Architecture Module, Revision 1.12
Backports commit cf122bf8d2732d5d8647901ebaea596668aaaa3a from qemu
MSA instructions DIV_<U|S>.<B|H|W|D> when dividing by zero,
didn't return the same value when executed on a referent hardware
(FPGA MIPS 64 r6, little endian) and when executed on QEMU, which
is not a real bug, because the result when dividing by zero is
UNPREDICTABLE [1] (page 141, 142).
[1] MIPS Architecture for Programmers
Volume IV-j: The MIPS64 SIMD
Architecture Module, Revision 1.12
Backports commit d2a40a5f6938f30f44b536e997e1e89bb62b971c from qemu
According to the spec, "All bits besides SSIP, USIP, and UEIP in the sip
register are read-only." Further, if an interrupt is not delegated to mode x,
then "the corresponding bits in xip [...] should appear to be hardwired to
zero. This patch implements both of those requirements.
Backports commit 087b051a51a0c2a5bc1e8d435a484a8896b4176b from qemu
C.ADDI16SP, C.LWSP, C.JR, C.ADDIW, C.LDSP all have reserved
operands that were not diagnosed.
Backports commit 4cc16b3b9282e04fab8e84d136540757e82af019 from qemu
At the same time deprecate the ISA string CPUs.
It is dobtful anyone specifies the CPUs, but we are keeping them for the
Spike machine (which is about to be depreated) so we may as well just
mark them as deprecated.
Backports commit 8903bf6e6d73d03b988b4a8197132de2ad681ff5 from qemu
The tcg_gen_fooi_tl functions have some immediate constant
folding built in, which match up with some of the riscv asm
builtin macros, like mv and not.
Backports commit 598aa1160c3d17ab9271daf1f69d093ebada3f25 from qemu
This eliminates all functions in insn_trans/trans_rvc.inc.c,
so the entire file can be removed.
Backports commit 0e68e240a9bd3b44a91cd6012f0e2bf2a43b9fe2 from qemu
This eliminates about half of the complicated decode
bits within insn_trans/trans_rvc.inc.c.
Backports commit c2cfb97c01a3636867c1a4a24f8a99fd8c6bed28 from qemu
Special handling for IMM==0 is the only difference between
RVC shifti and RVI shifti. This can be handled with !function.
Backports commit 6cafec92f1c862a9754ef6a28be68ba7178a284d from qemu
In some cases this allows us to directly use the insn32
translator function. In some cases we still need a shim.
Backports commit e1d455dd91c935c714412dafeb24db947429a929 from qemu
The generated functions are only used within translate.c
and do not need to be global, or declared.
Backports commit 81770255581bd210c57b86a6e808628ab8d0c543 from qemu
This patch introduces wrappers around the tcg_gen_exit_tb() and
tcg_gen_lookup_and_goto_ptr() functions that handle single stepping,
i.e. call gen_exception_debug() when single stepping is enabled.
Theses functions are then used instead of the originals, bringing single
stepping handling in places where it was previously ignored such as jalr
and system branch instructions (ecall, mret, sret, etc.).
Backports commit 6e2716d8ca4edf3597307accef7af36e8ad966eb from qemu
The 'sfence.vma' instruction is privileged, and should only ever be allowed
when executing in supervisor mode or higher.
Backports commit b86f4167630802128d94f3c89043d97d2f4c2546 from qemu
Commit 89e68b575 "target/arm: Use vector operations for saturation"
causes this abort() when booting QEMU ARM with a Cortex-A15:
0 0x00007ffff4c2382f in raise () at /usr/lib/libc.so.6
1 0x00007ffff4c0e672 in abort () at /usr/lib/libc.so.6
2 0x00005555559c1839 in disas_neon_data_insn (insn=<optimized out>, s=<optimized out>) at ./target/arm/translate.c:6673
3 0x00005555559c1839 in disas_neon_data_insn (s=<optimized out>, insn=<optimized out>) at ./target/arm/translate.c:6386
4 0x00005555559cd8a4 in disas_arm_insn (insn=4081107068, s=0x7fffe59a9510) at ./target/arm/translate.c:9289
5 0x00005555559cd8a4 in arm_tr_translate_insn (dcbase=0x7fffe59a9510, cpu=<optimized out>) at ./target/arm/translate.c:13612
6 0x00005555558d1d39 in translator_loop (ops=0x5555561cc580 <arm_translator_ops>, db=0x7fffe59a9510, cpu=0x55555686a2f0, tb=<optimized out>, max_insns=<optimized out>) at ./accel/tcg/translator.c:96
7 0x00005555559d10d4 in gen_intermediate_code (cpu=cpu@entry=0x55555686a2f0, tb=tb@entry=0x7fffd7840080 <code_gen_buffer+126091347>, max_insns=max_insns@entry=512) at ./target/arm/translate.c:13901
8 0x00005555558d06b9 in tb_gen_code (cpu=cpu@entry=0x55555686a2f0, pc=3067096216, cs_base=0, flags=192, cflags=-16252928, cflags@entry=524288) at ./accel/tcg/translate-all.c:1736
9 0x00005555558ce467 in tb_find (cf_mask=524288, tb_exit=1, last_tb=0x7fffd783e640 <code_gen_buffer+126084627>, cpu=0x1) at ./accel/tcg/cpu-exec.c:407
10 0x00005555558ce467 in cpu_exec (cpu=cpu@entry=0x55555686a2f0) at ./accel/tcg/cpu-exec.c:728
11 0x000055555588b0cf in tcg_cpu_exec (cpu=0x55555686a2f0) at ./cpus.c:1431
12 0x000055555588d223 in qemu_tcg_cpu_thread_fn (arg=0x55555686a2f0) at ./cpus.c:1735
13 0x000055555588d223 in qemu_tcg_cpu_thread_fn (arg=arg@entry=0x55555686a2f0) at ./cpus.c:1709
14 0x0000555555d2629a in qemu_thread_start (args=<optimized out>) at ./util/qemu-thread-posix.c:502
15 0x00007ffff4db8a92 in start_thread () at /usr/lib/libpthread.
This patch ensures that we don't hit the abort() in the second switch
case in disas_neon_data_insn() as we will return from the first case.
Backports commit 2f143d3ad1c05e91cf2cdf5de06d59a80a95e6c8 from qemu
The mask implied by the extract is redundant with the one
implied by the deposit. Also, fix spelling of BFXIL.
Backports commit 87eb65a3c45c788a309986d48170a54a0d1c0705 from qemu
We now have an interface for guest visible random numbers.
Backports commit 369fd5ca66810b2ddb16e23a497eabe59385eceb from qemu with
the actual RNG portion disabled for the time being.
Use the newly introduced infrastructure for guest random numbers.
Backports commit de390645675966cce113bf5394445bc1f8d07c85 from qemu
(with the actual RNG portion disabled to preserve determinism for the
time being).
Microarchitectural Data Sampling is a hardware vulnerability which allows
unprivileged speculative access to data which is available in various CPU
internal buffers.
Some Intel processors use the ARCH_CAP_MDS_NO bit in the
IA32_ARCH_CAPABILITIES
MSR to report that they are not vulnerable, make it available to
guests.
Backports commit 20140a82c67467f53814ca197403d5e1b561a5e5 from qemu
md-clear is a new CPUID bit which is set when microcode provides the
mechanism to invoke a flush of various exploitable CPU buffers by invoking
the VERW instruction.
Backports commit b2ae52101fca7f9547ac2f388085dbc58f8fe1c0 from qemu
Optimize rotate_x() using tcg_gen_extract_i32(). We can now free the
'sz' tcg_temp earlier. Since it is allocated with tcg_const_i32(),
free it with tcg_temp_free_i32().
Backports commit 60d3d0cfeb1658d2827d6a4f0df27252bb36baba from qemu
The function gen_get_ccr() returns a tcg_temp created with
tcg_temp_new(). Free it with tcg_temp_free().
Backports commit 44c64e90950adf9efe7f4235a32eb868d1290ebb from qemu
Switch the m68k target from the old unassigned_access hook
to the transaction_failed hook.
The notable difference is that rather than it being called
for all physical memory accesses which fail (including
those made by DMA devices or by the gdbstub), it is only
called for those made by the CPU via its MMU. (In previous
commits we put in explicit checks for the direct physical
loads made by the target/m68k code which will no longer
be handled by calling the unassigned_access hook.)
Backports commit e1aaf3a88e95ab007445281e2b2f6e3c8da47f22 from qemu
In get_physical_address(), use address_space_ldl() and
address_space_stl() instead of ldl_phys() and stl_phys().
This allows us to check whether the memory access failed.
For the moment, we simply return -1 in this case;
add a TODO comment that we should ideally generate the
appropriate kind of fault.
Backports commit adcf0bf017351776510121e47b9226095836023c from qemu
Most of the existing users would continue around a loop which
would fault the tlb entry in via a normal load/store.
But for AArch64 SVE we have an existing emulation bug wherein we
would mark the first element of a no-fault vector load as faulted
(within the FFR, not via exception) just because we did not have
its address in the TLB. Now we can properly only mark it as faulted
if there really is no valid, readable translation, while still not
raising an exception. (Note that beyond the first element of the
vector, the hardware may report a fault for any reason whatsoever;
with at least one element loaded, forward progress is guaranteed.)
Backports commit 4811e9095c0491bc6f5450e5012c9c4796b9e59d from qemu
We can now use the CPUClass hook instead of a named function.
Create a static tlb_fill function to avoid other changes within
cputlb.c. This also isolates the asserts within. Remove the
named tlb_fill function from all of the targets.
Backports commit c319dc13579a92937bffe02ad2c9f1a550e73973 from qemu
Note that env->pc is removed from the qemu_log as that value is garbage.
The PC isn't recovered until cpu_restore_state, called from
cpu_loop_exit_restore, called from riscv_raise_exception.
Backports commit 8a4ca3c10a96be6ed7f023b685b688c4d409bbcb from qemu
Note that env->active_tc.PC is removed from the qemu_log as that value
is garbage. The PC isn't recovered until cpu_restore_state, called from
cpu_loop_exit_restore, called from do_raise_exception_err.
Backports commit 931d019f5b2e7bbacb162869497123be402ddd86 from qemu
Since the only non-negative TLBRET_* value is TLBRET_MATCH,
the subsequent test for ret < 0 is useless. Use early return
to allow subsequent blocks to be unindented.
Backports commit e38f4eb63020075432cb77bf48398187809cf4a3 from qemu
At present we give ret = 0, or TLBRET_MATCH. This gets matched
by the default case, which falls through to TLBRET_BADADDR.
However, it makes more sense to use a proper value. All of the
tlb-related exceptions are handled identically in cpu_loop.c,
so TLBRET_BADADDR is as good as any other. Retain it.
Backports commit 995ffde9622c01f5b307cab47f9bd7962ac09db2 from qemu
Remove a function of the same name from target/arm/.
Use a branchless implementation of abs gleaned from gcc.
Backports commit ff1f11f7f8710a768f9313f24bd7f509d3db27e5 from qemu
Replace the single opcode in .opc with a null-terminated
array in .opt_opc. We still require that all opcodes be
used with the same .vece.
Validate the contents of this list with CONFIG_DEBUG_TCG.
All tcg_gen_*_vec functions will check any list active
during .fniv expansion. Swap the active list in and out
as we expand other opcodes, or take control away from the
front-end function.
Convert all existing vector aware front ends.
Backports commit 53229a7703eeb2bbe101a19a33ef22aaf960c65b from qemu
Leading underscores are ill-advised because such identifiers are
reserved. Trailing underscores are merely ugly. Strip both.
Our header guards commonly end in _H. Normalize the exceptions.
Done with scripts/clean-header-guards.pl.
Backports commit a8b991b52dcde75ab5065046653626951aac666d from qemu
Currently the dc_zva helper function uses a variable length
array. In fact we know (as the comment above remarks) that
the length of this array is bounded because the architecture
limits the block size and QEMU limits the target page size.
Use a fixed array size and assert that we don't run off it.
Backports commit 63159601fb3e396b28da14cbb71e50ed3f5a0331 from qemu
In the M-profile architecture, if the CPU implements the DSP extension
then the XPSR has GE bits, in the same way as the A-profile CPSR. When
we added DSP extension support we forgot to add support for reading
and writing the GE bits, which are stored in env->GE. We did put in
the code to add XPSR_GE to the mask of bits to update in the v7m_msr
helper, but forgot it in v7m_mrs. We also must not allow the XPSR we
pull off the stack on exception return to set the nonexistent GE bits.
Correct these errors:
* read and write env->GE in xpsr_read() and xpsr_write()
* only set GE bits on exception return if DSP present
* read GE bits for MRS if DSP present
Backports commit f1e2598c46d480c9e21213a244bc514200762828 from qemu
Thereby decoupling the resulting translated code from the current state
of the system.
Backports commit 87d757d60d66d5ee1608460b0f1e07e2b758db9c from qemu
Thereby decoupling the resulting translated code from the current state
of the system.
Backports commit f0ddf11b23260f0af84fb529486a8f9ba2d19401 from qemu
Thereby decoupling the resulting translated code from the current state
of the system.
Backports commit b5e3b4c2aca8eb5a9cfeedfb273af623f17c3731 from qemu
Thereby decoupling the resulting translated code from the current state
of the system.
Backports commit 2399d4e7cec22ecf1c51062d2ebfd45220dbaace from qemu
The M-profile architecture floating point system supports
lazy FP state preservation, where FP registers are not
pushed to the stack when an exception occurs but are instead
only saved if and when the first FP instruction in the exception
handler is executed. Implement this in QEMU, corresponding
to the check of LSPACT in the pseudocode ExecuteFPCheck().
Backports commit e33cf0f8d8c9998a7616684f9d6aa0d181b88803 from qemu
Pushing registers to the stack for v7M needs to handle three cases:
* the "normal" case where we pend exceptions
* an "ignore faults" case where we set FSR bits but
do not pend exceptions (this is used when we are
handling some kinds of derived exception on exception entry)
* a "lazy FP stacking" case, where different FSR bits
are set and the exception is pended differently
Implement this by changing the existing flag argument that
tells us whether to ignore faults or not into an enum that
specifies which of the 3 modes we should handle.
Backports commit a356dacf647506bccdf8ecd23574246a8bf615ac from qemu
In the v7M architecture, if an exception is generated in the process
of doing the lazy stacking of FP registers, the handling of
possible escalation to HardFault is treated differently to the normal
approach: it works based on the saved information about exception
readiness that was stored in the FPCCR when the stack frame was
created. Provide a new function armv7m_nvic_set_pending_lazyfp()
which pends exceptions during lazy stacking, and implements
this logic.
This corresponds to the pseudocode TakePreserveFPException().
Backports the relevant parts of commit
a99ba8ab1601904e0fa20325192fc850362ce80e from qemu
Add a new helper function which returns the MMU index to use
for v7M, where the caller specifies all of the security
state, privilege level and whether the execution priority
is negative, and reimplement the existing
arm_v7m_mmu_idx_for_secstate_and_priv() in terms of it.
We are going to need this for the lazy-FP-stacking code.
Backports commit fa6252a988dbe440cd6087bf93cbe0887f0c401b from qemu
The M-profile FPCCR.ASPEN bit indicates that automatic floating-point
context preservation is enabled. Before executing any floating-point
instruction, if FPCCR.ASPEN is set and the CONTROL FPCA/SFPA bits
indicate that there is no active floating point context then we
must create a new context (by initializing FPSCR and setting
FPCA/SFPA to indicate that the context is now active). In the
pseudocode this is handled by ExecuteFPCheck().
Implement this with a new TB flag which tracks whether we
need to create a new FP context.
Backports commit 6000531e19964756673a5f4b694a649ef883605a from qemu
The M-profile FPCCR.S bit indicates the security status of
the floating point context. In the pseudocode ExecuteFPCheck()
function it is unconditionally set to match the current
security state whenever a floating point instruction is
executed.
Implement this by adding a new TB flag which tracks whether
FPCCR.S is different from the current security state, so
that we only need to emit the code to update it in the
less-common case when it is not already set correctly.
Note that we will add the handling for the other work done
by ExecuteFPCheck() in later commits.
Backports commit 6d60c67a1a03be32c3342aff6604cdc5095088d1 from qemu
We are close to running out of TB flags for AArch32; we could
start using the cs_base word, but before we do that we can
economise on our usage by sharing the same bits for the VFP
VECSTRIDE field and the XScale XSCALE_CPAR field. This
works because no XScale CPU ever had VFP.
Backports commit ea7ac69d124c94c6e5579145e727adec9ccbefef from qemu
Move the NS TBFLAG down from bit 19 to bit 6, which has not
been used since commit c1e3781090b9d36c60 in 2015, when we
started passing the entire MMU index in the TB flags rather
than just a 'privilege level' bit.
This rearrangement is not strictly necessary, but means that
we can put M-profile-only bits next to each other rather
than scattered across the flag word.
Backports commit 7fbb535f7aeb22896fedfcf18a1eeff48165f1d7 from qemu
Handle floating point registers in exception return.
This corresponds to pseudocode functions ValidateExceptionReturn(),
ExceptionReturn(), PopStack() and ConsumeExcStackFrame().
Backports commit 6808c4d2d2826920087533f517472c09edc7b0d2 from qemu
The magic value pushed onto the callee stack as an integrity
check is different if floating point is present.
Backports commit 0dc51d66fcfcc4c72011cdafb401fd876ca216e7 from qemu
The TailChain() pseudocode specifies that a tail chaining
exception should sanitize the excReturn all-ones bits and
(if there is no FPU) the excReturn FType bits; we weren't
doing this.
Backports commit 60fba59a2f9a092a44b688df5d058cdd6dd9c276 from qemu
For v8M floating point support, transitions from Secure
to Non-secure state via BLNS and BLXNS must clear the
CONTROL.SFPA bit. (This corresponds to the pseudocode
BranchToNS() function.)
Backports commit 3cd6726f0ba7cc77342ee721bd86094e13b2a42a from qemu
Implement the code which updates the FPCCR register on an
exception entry where we are going to use lazy FP stacking.
We have to defer to the NVIC to determine whether the
various exceptions are currently ready or not.
Backports commit b593c2b81287040ab6f452afec6281e2f7ee487b from qemu
Handle floating point registers in exception entry.
This corresponds to the FP-specific parts of the pseudocode
functions ActivateException() and PushStack().
We defer the code corresponding to UpdateFPCCR() to a later patch.
Backports commit 0ed377a8013f40653a83f6ad2c9693897522d7dc from qemu
Currently the code in v7m_push_stack() which detects a violation
of the v8M stack limit simply returns early if it does so. This
is OK for the current integer-only code, but won't work for the
floating point handling we're about to add. We need to continue
executing the rest of the function so that we check for other
exceptions like not having permission to use the FPU and so
that we correctly set the FPCCR state if we are doing lazy
stacking. Refactor to avoid the early return.
Backports commit 3432c79a4e7345818d2defcf9e61a1bcb2907f9f from qemu
The M-profile CONTROL register has two bits -- SFPA and FPCA --
which relate to floating-point support, and should be RES0 otherwise.
Handle them correctly in the MSR/MRS register access code.
Neither is banked between security states, so they are stored
in v7m.control[M_REG_S] regardless of current security state.
Backports commit 2e1c5bcd32014c9ede1b604ae6c2c653de17fc53 from qemu
If the floating point extension is present, then the SG instruction
must clear the CONTROL_S.SFPA bit. Implement this.
(On a no-FPU system the bit will always be zero, so we don't need
to make the clearing of the bit conditional on ARM_FEATURE_VFP.)
Backports commit 1702071302934af77a072b7ee7c5eadc45b37573 from qemu
Correct the decode of the M-profile "coprocessor and
floating-point instructions" space:
* op0 == 0b11 is always unallocated
* if the CPU has an FPU then all insns with op1 == 0b101
are floating point and go to disas_vfp_insn()
For the moment we leave VLLDM and VLSTM as NOPs; in
a later commit we will fill in the proper implementation
for the case where an FPU is present.
Backports commit 8859ba3c9625e7ceb5599f457a344bcd7c5e112b from qemu
Like AArch64, M-profile floating point has no FPEXC enable
bit to gate floating point; so always set the VFPEN TB flag.
M-profile also has CPACR and NSACR similar to A-profile;
they behave slightly differently:
* the CPACR is banked between Secure and Non-Secure
* if the NSACR forces a trap then this is taken to
the Secure state, not the Non-Secure state
Honour the CPACR and NSACR settings. The NSACR handling
requires us to borrow the exception.target_el field
(usually meaningless for M profile) to distinguish the
NOCP UsageFault taken to Secure state from the more
usual fault taken to the current security state.
Backports commit d87513c0abcbcd856f8e1dee2f2d18903b2c3ea2 from qemu
The only "system register" that M-profile floating point exposes
via the VMRS/VMRS instructions is FPSCR, and it does not have
the odd special case for rd==15. Add a check to ensure we only
expose FPSCR.
Backports commit ef9aae2522c22c05df17dd898099dd5c3f20d688 from qemu
The M-profile floating point support has three associated config
registers: FPCAR, FPCCR and FPDSCR. It also makes the registers
CPACR and NSACR have behaviour other than reads-as-zero.
Add support for all of these as simple reads-as-written registers.
We will hook up actual functionality later.
The main complexity here is handling the FPCCR register, which
has a mix of banked and unbanked bits.
Note that we don't share storage with the A-profile
cpu->cp15.nsacr and cpu->cp15.cpacr_el1, though the behaviour
is quite similar, for two reasons:
* the M profile CPACR is banked between security states
* it preserves the invariant that M profile uses no state
inside the cp15 substruct
Backports commit d33abe82c7c9847284a23e575e1078cccab540b5 from qemu
Enforce that for M-profile various FPSCR bits which are RES0 there
but have defined meanings on A-profile are never settable. This
ensures that M-profile code can't enable the A-profile behaviour
(notably vector length/stride handling) by accident.
Backports commit 5bcf8ed9401e62c73158ba110864ee1375558bf7 from qemu
In order to handle TB's that translate to too much code, we
need to place the control of the length of the translation
in the hands of the code gen master loop.
Backports commit 8b86d6d25807e13a63ab6ea879f976b9f18cc45a from qemu
Add a new base CPU model called 'Dhyana' to model processors from Hygon
Dhyana(family 18h), which derived from AMD EPYC(family 17h).
The following features bits have been removed compare to AMD EPYC:
aes, pclmulqdq, sha_ni
The Hygon Dhyana support to KVM in Linux is already accepted upstream[1].
So add Hygon Dhyana support to Qemu is necessary to create Hygon's own
CPU model.
Reference:
[1] https://git.kernel.org/tip/fec98069fb72fb656304a3e52265e0c2fc9adf87
Backports commit 8d031cec366f26669807eb43f61eb335973b7053 from qemu
Use inline functions rather than macros for cpu_ld/st accessors
for the *-user configurations, as we already do for softmmu.
This has a two advantages:
* we can actually typecheck our arguments
* we don't need to leak the _raw macros everywhere
Since the _kernel functions were only used by target-i386/seg_helper.c,
put the definitions for them in that file too. (It already has the
similar template include code to define them for the softmmu case,
so it makes sense to have it deal with defining them for user-only.)
Backports commit 9220fe54c679d145232a28df6255e166ebf91bab from qemu
This wasn't subtracting the size of the instruction off the PC like how
the ARM mode tracing was performing the tracing. This simplifies it and
makes the behavior identical.
Allows non-AArch64 environments to always access coprocessors initially.
Removes the need to do avoidable register management when testing
floating-point code.
Fix a TCG crash due to attempting an atomic increment
operation without having set up the address first.
This is a similar case to that dealt with in commit
e84fcd7f662a0d8198703, and we fix it in the same way.
Fixes: https://bugs.launchpad.net/qemu/+bug/1807675
Backports commit 8cb2ca3d7479748587313f0b34034a3f8aa08c92 from qemu
While running the GCC test suite against 4.0.0-rc0, Kito found a
regression introduced by the decodetree conversion that caused divuw and
remuw to sign-extend their inputs. The ISA manual says they are
supposed to be zero extended:
DIVW and DIVUW instructions are only valid for RV64, and divide the
lower 32 bits of rs1 by the lower 32 bits of rs2, treating them as
signed and unsigned integers respectively, placing the 32-bit
quotient in rd, sign-extended to 64 bits. REMW and REMUW
instructions are only valid for RV64, and provide the corresponding
signed and unsigned remainder operations respectively. Both REMW
and REMUW always sign-extend the 32-bit result to 64 bits, including
on a divide by zero.
Here's Kito's reduced test case from the GCC test suite
unsigned calc_mp(unsigned mod)
{
unsigned a,b,c;
c=-1;
a=c/mod;
b=0-a*mod;
if (b > mod) { a += 1; b-=mod; }
return b;
}
int main(int argc, char *argv[])
{
unsigned x = 1234;
unsigned y = calc_mp(x);
if ((sizeof (y) == 4 && y != 680)
|| (sizeof (y) == 2 && y != 134))
abort ();
exit (0);
}
I haven't done any other testing on this, but it does fix the test case.
Backports commit f17e02cd3731bdfe2942d1d0b2a92f26da02408c from qemu
cortex-a7 and cortex-a15 have pmus (PMUv2) and they advertise
them in ID_DFR0. Let's allow them to function. This also enables
the pmu cpu property to work with these cpu types, i.e. we can
now do '-cpu cortex-a15,pmu=off' to remove the pmu.
Backports commit a46118fc16537a593119e5b316052a98514046bb from qemu
Fix a QEMU NULL derefence that occurs when the guest attempts to
enable PMU counters with a non-v8 cpu model or a v8 cpu model
which has not configured a PMU.
Backports commit cbbb3041fe2f57a475cef5d6b0ef836118aad106 from qemu
The second word has been loaded from the unincremented
address since the first commit.
Backports commit a036f5302c13634f3d375615b2949fd1fa1657b6 from qemu
Currently, the Cascadelake-Server, Icelake-Client, and
Icelake-Server are always generating the following warning:
qemu-system-x86_64: warning: \
host doesn't support requested feature: CPUID.07H:ECX [bit 4]
This happens because OSPKE was never returned by
GET_SUPPORTED_CPUID or x86_cpu_get_supported_feature_word().
OSPKE is a runtime flag automatically set by the KVM module or by
TCG code, was always cleared by x86_cpu_filter_features(), and
was not supposed to appear on the CPU model table.
Remove the OSPKE flag from the CPU model table entries, to avoid
the bogus warning and avoid returning invalid feature data on
query-cpu-* QMP commands. As OSPKE was always cleared by
x86_cpu_filter_features(), this won't have any guest-visible
impact.
Include a test case that should detect the problem if we introduce
a similar bug again.
Fixes: c7a88b52f62b ("i386: Add new model of Cascadelake-Server")
Fixes: 8a11c62da914 ("i386: Add new CPU model Icelake-{Server,Client}")
Backports commit bb4928c7cafe50ab2137a0034e350ef1bfa044d9 from qemu
Now that kvm_arch_get_supported_cpuid() will only return
arch_capabilities if QEMU is able to initialize the MSR properly,
we know that the feature is safely migratable.
Backports commit 014018e19b3c54dd1bf5072bc912ceffea40abe8 from qemu
If vectored interrupts are enabled (bits[1:0]
of mtvec/stvec == 1) then use the following
logic for trap entry address calculation:
pc = mtvec + cause * 4
In addition to adding support for vectored interrupts
this patch simplifies the interrupt delivery logic
by making sync/async cause decoding and encoding
steps distinct.
The cause code and the sign bit indicating sync/async
is split at the beginning of the function and fixed
cause is renamed to cause. The MSB setting for async
traps is delayed until setting mcause/scause to allow
redundant variables to be eliminated. Some variables
are renamed for conciseness and moved so that decls
are at the start of the block.
Backports commit acbbb94e5730c9808830938e869d243014e2923a from qemu
This effectively changes riscv_cpu_update_mip
from edge to level. i.e. cpu_interrupt or
cpu_reset_interrupt are called regardless of
the current interrupt level.
Fixes WFI doesn't return when a IPI is issued:
- https://github.com/riscv/riscv-qemu/issues/132
To test:
1) Apply RISC-V Linux CPU hotplug patch:
- http://lists.infradead.org/pipermail/linux-riscv/2018-May/000603.html
2) Enable CONFIG_CPU_HOTPLUG in linux .config
3) Try to offline and online cpus:
echo 1 > /sys/devices/system/cpu/cpu2/online
echo 0 > /sys/devices/system/cpu/cpu2/online
echo 1 > /sys/devices/system/cpu/cpu2/online
Backports commit d26f5a423438e579d3ff0ca35e44edb966a36233 from qemu
This change checks elf_flags for EF_RISCV_RVE and if
present uses the RVE linux syscall ABI which uses t0
for the syscall number instead of a7.
Warn and exit if a non-RVE ABI binary is run on a
cpu with the RVE extension as it is incompatible.
Backports relevant parts of 5836c3eccedb6dfab16b8f606f2de24b8938b69c
from qemu
We can't allow the supervisor to control SEIP as this would allow the
supervisor to clear a pending external interrupt which will result in
lost a interrupt in the case a PLIC is attached. The SEIP bit must be
hardware controlled when a PLIC is attached.
This logic was previously hard-coded so SEIP was always masked even
if no PLIC was attached. This patch adds riscv_cpu_claim_interrupts
so that the PLIC can register control of SEIP. In the case of models
without a PLIC (spike), the SEIP bit remains software controlled.
This interface allows for hardware control of supervisor timer and
software interrupts by other interrupt controller models.
Backports commit e3e7039cc24ecf47d81c091e8bb04552d6564ad8 from qemu
Add a debugger field to CPURISCVState. Add riscv_csrrw_debug function
to set it. Disable mode checks when debugger field true.
Backports commit 753e3fe207db08ce0ef0405e8452c3397c9b9308 from qemu
This adds some missing CSR_* register macros, and documents some as being
priv v1.9.1 specific.
Backports commit 8e73df6aa3f2f0e5c26c03a94a88406616291815 from qemu
during the refactor to decodetree we removed the manual decoding that is
necessary for c.jal/c.addiw and removed the translation of c.flw/c.ld
and c.fsw/c.sd. This reintroduces the manual parsing and the
omited implementation.
Backports commit f330433b3633647b047cfa418c2ca4d18fda69c7 from qemu
These instructions do not trap when SVE is disabled in EL0,
causing them to be executed with wrong size information.
Backports commit 5de56742a3c91de3d646326bec43a989bba83ca4 from qemu
Some generic arch timer registers are Config-RW in the EL0,
which means the EL0 exception level can have write permission
if it is appropriately configured.
When VM access registers, QEMU firstly checks whether they have RW
permission, then check whether it is appropriately configured.
If they are defined to read only in EL0, even though they have been
appropriately configured, they still do not have write permission.
So need to add the write permission according to ARMV8 spec when
define it.
Backports commit daf1dc5f82cefe2a57f184d5053e8b274ad2ba9a from qemu
with all 16 bit insns moved to decodetree no path is falling back to
gen_system(), so we can remove it.
Backports commit 8f7bc273868939f0821e07fb23792db63d45bffb from qemu
manual decoding in gen_arith() is not necessary with decodetree. For now
the function is called trans_arith as the original gen_arith still
exists. The former will be renamed to gen_arith as soon as the old
gen_arith can be removed.
Backports commit f2ab1728675772cd475a33f4df3d2f68a22c188f from qemu
gen_arith_imm() does a lot of decoding manually, which was hard to read
in case of the shift instructions and is not necessary anymore with
decodetree.
Backports commit 7a50d3e2ae7f13b24fe55990ea0b8ddcbbb43130 from qemu
With decodetree we don't need to convert RISC-V opcodes into to MemOps
as the old gen_store() did.
Backports commit bce8a342a1f0919479d18ec812b100136daa746b from qemu
With decodetree we don't need to convert RISC-V opcodes into to MemOps
as the old gen_load() did.
Backports commit 98898b20e9cca462843c22ad952c216ffd57d654 from qemu
We now utilizes argument-sets of decodetree such that no manual
decoding is necessary.
Backports commit 090cc2c898a04e42350eabf1bcf7d245471603f9 from qemu
we cannot remove the call to gen_arith() in decode_RV32_64G() since it
is used to translate multiply instructions.
Backports commit b73a987b09ad5081123dc6b1e8e6c8305a1c8673 from qemu
this splits the 64-bit only instructions into its own decode file such
that we generate the decoder for these instructions only for the RISC-V
64 bit target.
Backports commit 7e45a682edc32ba90d6955215f062210531b835b from qemu
for now only LUI & AUIPC are decoded and translated. If decodetree fails, we
fall back to the old decoder.
Backports commit 2a53cff418335ccb4719e9a94fde55f6ebcc895d from qemu
Intel Processor Trace required CPUID[0x14] but the cpuid_level
have no change when create a kvm guest with
e.g. "-cpu qemu64,+intel-pt
Backports relevant bits of commit
f24c3a79a415042f6dc195f029a2ba7247d14cac from qemu
This ports over the RISC-V architecture from Qemu. This is currently a
very barebones transition. No code hooking or any fancy stuff.
Currently, you can feed it instructions and query the CPU state itself.
This also allows choosing whether or not RISC-V 32-bit or RISC-V 64-bit
is desirable through Unicorn's interface as well.
Extremely basic examples of executing a single instruction have been
added to the samples directory to help demonstrate how to use the basic
functionality.
These changes were mostly made in upstream unicorn for what I can guess,
was to support old versions of MSVC's compiler.
This is also a pain to maintain, since everything needs to be done
manually and can be a source of errors. It also makes it take more work
than it needs to, to backport changes from qemu.
Because of that, this change restores Qemu's organization of the
coprocessor registers.
This decoding more closely matches the ARMv8.4 Table C4-6,
Encoding table for Data Processing - Register Group.
In particular, op2 == 0 is now more than just Add/sub (with carry).
Backports commit 2fba34f70d9a81bab56e61bb99a4d6632bdfe531 from qemu
We do not need an out-of-line helper for manipulating bits in pstate.
While changing things, share the implementation of gen_ss_advance.
Backports commit 22ac3c49641f6eed93dca5b852030b4d3eacf6c4 from qemu
The EL0+UMA check is unique to DAIF. While SPSel had avoided the
check by nature of already checking EL >= 1, the other post v8.0
extensions to MSR (imm) allow EL0 and do not require UMA. Avoid
the unconditional write to pc and use raise_exception_ra to unwind.
Backports commit ff730e9666a716b669ac4a8ca7c521177d1d2b15 from qemu
Minimize the number of places that will need updating when
the virtual host extensions are added.
Backports commit 64e40755cd41fbe8cd266cf387e42ddc57a449ef from qemu
Found by inspection: Rn is the base register against which the
load began; I is the register within the mask being processed.
The exception return should of course be processed from the loaded PC.
Backports commit 9d090d17234058f55c3c439d285db78c94d7d4de from qemu
Previously we weren't even initializing the instruction table, so any
attempt at emulation would cause a segmentation fault.
This also moves the end address check after the decoding to correctly
perform exiting behavior with the new translator model.
Previously we'd be checking prior to the actual decoding if we were at
the ending address. This worked fine using the old model of the
translation process in qemu. However, this causes the wrong behavior to
occur in both ARM and Thumb/Thumb-2 modes using the newer translator
model.
Given the translator itself checks for the end address already, this
needs to be placed within arm_post_translate_insn().
This prevents the emulation process being off-by-one as well when it
comes to actually executing the instructions.
1. Create an enum name for the IPSR register.
2. Implement read and write of the IPSR via the xpsr helper functions.
Fixes#1065
Backports commit 6c319941a5462ee3a4af4593c371f5674394d6ce from unicorn.
* Added MXCSR register for reading and writing
* Changed writing for fpucw register, now the qemu rounding status is updated as well
Backports commit 256e7782ceafb1f8915da167040d5368c38f9585 from unicorn
Set up MMI code to be compiled only for TARGET_MIPS64. This is
needed so that GPRs are 64 bit, and combined with MMI registers,
they will form full 128 bit registers.
Backports commit 37b9aae2e6e005e6df206a0b4804972460806166 from qemu
Note that float16_to_float32 rightly squashes SNaN to QNaN.
But of course pickNaNMulAdd, for ARM, selects SNaNs first.
So we have to preserve SNaN long enough for the correct NaN
to be selected. Thus float16_to_float32_by_bits.
Backports commit a4e943a716d5fac923d82df3eabc65d1e3624019 from qemu
There is a set of VFP instructions which we implement in
disas_vfp_v8_insn() and gate on the ARM_FEATURE_V8 bit.
These were all first introduced in v8 for A-profile, but in
M-profile they appeared in v7M. Gate them on the MVFR2
FPMisc field instead, and rename the function appropriately.
Backports commit c0c760afe800b60b48c80ddf3509fec413594778 from qemu
Instead of gating the A32/T32 FP16 conversion instructions on
the ARM_FEATURE_VFP_FP16 flag, switch to our new approach of
looking at ID register bits. In this case MVFR1 fields FPHP
and SIMDHP indicate the presence of these insns.
This change doesn't alter behaviour for any of our CPUs.
Backports commit 602f6e42cfbfe9278be34e9b91d2ceb695837e02 from qemu
There are lots of special cases within these insns. Split the
major argument decode/loading/saving into no_output (compares),
rd_is_dp, and rm_is_dp.
We still need to special case argument load for compare (rd as
input, rm as zero) and vcvt fixed (rd as input+output), but lots
of special cases do disappear.
Now that we have a full switch at the beginning, hoist the ISA
checks from the code generation.
Backports commit e80941bd64cc388554770fd72334e9e7d459a1ef from qemu
Move all of the fp helpers out of helper.c into a new file.
This is code movement only. Since helper.c has no copyright
header, take the one from cpu.h for the new file.
Backports commit 37356079fcdb34e13abbed8ea0c00ca880c31247 from qemu
For opcodes 0-5, move some if conditions into the structure
of a switch statement. For opcodes 6 & 7, decode everything
at once with a second switch.
Backports commit 3c3ff68492c2d00bd8cb39ed2d02bdaf5caf5cb8 from qemu
This was introduced by
commit bf8d09694ccc07487cd73d7562081fdaec3370c8
target/arm: Don't clear supported PMU events when initializing PMCEID1
and identified by Coverity (CID 1398645).
Backports commit 67da43d668320e1bcb0a0195aaf2de4ff2a001a0 from qemu
The "background region" for a v8M MPU is a default which will be used
(if enabled, and if the access is privileged) if the access does
not match any specific MPU region. We were incorrectly using it
always (by putting the condition at the wrong nesting level). This
meant that we would always return the default background permissions
rather than the correct permissions for a specific region, and also
that we would not return the right information in response to a
TT instruction.
Move the check for the background region to the same place in the
logic as the equivalent v8M MPUCheck() pseudocode puts it.
This in turn means we must adjust the condition we use to detect
matches in multiple regions to avoid false-positives.
Backports commit cff21316c666c8053b1f425577e324038d0ca30d from qemu
Fortunately, the functions affected are so far only called from SVE,
so there is no tail to be cleared. But as we convert more of AdvSIMD
to gvec, this will matter.
Backports commit d8efe78e8039511b95c23d75bb48eca6873fbb0f from qemu
For same-sign saturation, we have tcg vector operations. We can
compute the QC bit by comparing the saturated value against the
unsaturated value.
Backports commit 89e68b575e138d0af1435f11a8ffcd8779c237bd from qemu
Change the representation of this field such that it is easy
to set from vector code.
Backports commit a4d5846245c5e029e5aa3945a9bda1de1c3fedbf from qemu
Given that we mask bits properly on set, there is no reason
to mask them again on get. We failed to clear the exception
status bits, 0x9f, which means that the wrong value would be
returned on get. Except in the (probably normal) case in which
the set clears all of the bits.
Simplify the code in set to also clear the RES0 bits.
Backports commit 18aaa59c622208743565307668a2100ab24f7de9 from qemu
Minimize the code within a macro by splitting out a helper function.
Use deposit32 instead of manual bit manipulation.
Backports commit 55a889456ef78f3f9b8eae9846c2f1453b1dd77b from qemu
The 32-bit PMIN/PMAX has been decomposed to scalars,
and so can be trivially expanded inline.
Backports commit 9ecd3c5c1651fa7f9adbedff4806a2da0b50490c from qemu
Since we're now handling a == b generically, we no longer need
to do it by hand within target/arm/.
Backports commit 2900847ff4c862887af750935a875059615f509a from qemu
There are a whole bunch more registers in the CPUID space which are
currently not used but are exposed as RAZ. To avoid too much
duplication we expand ARMCPRegUserSpaceInfo to understand glob
patterns so we only need one entry to tweak whole ranges of registers.
Backports commit d040242effe47850060d2ef1c461ff637d88a84d from qemu
As this is a single register we could expose it with a simple ifdef
but we use the existing modify_arm_cp_regs mechanism for consistency.
Backports commit 522641660c3de64ed8322b8636c58625cd564a3f from qemu
A number of CPUID registers are exposed to userspace by modern Linux
kernels thanks to the "ARM64 CPU Feature Registers" ABI. For QEMU's
user-mode emulation we don't need to emulate the kernels trap but just
return the value the trap would have done. To avoid too much #ifdef
hackery we process ARMCPRegInfo with a new helper (modify_arm_cp_regs)
before defining the registers. The modify routine is driven by a
simple data structure which describes which bits are exported and
which are fixed.
Backports commit 6c5c0fec29bbfe36c64eca1edfd8455be46b77c6 from qemu
Although technically not visible to userspace the kernel does make
them visible via a trap and emulate ABI. We provide a new permission
mask (PL0U_R) which maps to PL0_R for CONFIG_USER builds and adjust
the minimum permission check accordingly.
Backports commit b5bd7440422bb66deaceb812bb9287a6a3cdf10c from qemu
The lo,hi order is different from the comments. And in commit
1ec182c33379 ("target/arm: Convert to HAVE_CMPXCHG128"), it changes
the original code logic. So just restore the old code logic before this
commit:
do_paired_cmpxchg64_be():
cmpv = int128_make128(env->exclusive_high, env->exclusive_val);
newv = int128_make128(new_hi, new_lo);
This fixes a bug that would only be visible for big-endian
AArch64 guest code.
Fixes: 1ec182c33379 ("target/arm: Convert to HAVE_CMPXCHG128")
Backports commit abd5abc58c5d4c9bd23427b0998a44eb87ed47a2 from qemu
HACR_EL2 is a register with IMPDEF behaviour, which allows
implementation specific trapping to EL2. Implement it as RAZ/WI,
since QEMU's implementation has no extra traps. This also
matches what h/w implementations like Cortex-A53 and A57 do.
Backports commit 831a2fca343ebcd6651eab9102bd7a36b77da65d from qemu
This bug was introduced in:
commit 5ecdd3e47cadae83a62dc92b472f1fe163b56f59
target/arm: Finish implementation of PM[X]EVCNTR and PM[X]EVTYPER
Backports commit 62c7ec3488fe0dcbabffd543f458914e27736115 from qemu
Completely rewrite conditional stores handling. Use cmpxchg.
This eliminates need for separate implementations of SC instruction
emulation for user and system emulation.
Backports commit 33a07fa2db66376e6ee780d4a8b064dc5118cf34 from qemu
Do only virtual addresses comaprisons in LL/SC sequence emulations.
Until this patch, physical addresses had been compared in SC part of
LL/SC sequence, even though such comparisons could be avoided. Getting
rid of them allows throwing away SC helpers and having common SC
implementations in user and system mode, avoiding the need for two
separate implementations selected by #ifdef CONFIG_USER_ONLY.
Correct guest software should not rely on LL/SC if they accesses the
same physical address via different virtual addresses or if page
mapping gets changed between LL/SC due to manipulating TLB entries.
MIPS Instruction Set Manual clearly says that an RMW sequence must
use the same address in the LL and SC (virtual address, physical
address, cacheability and coherency attributes must be identical).
Otherwise, the result of the SC is not predictable. This patch takes
advantage of this fact and removes the virtual->physical address
translation from SC helper.
lladdr served as Coprocessor 0 LLAddr register which captures physical
address of the most recent LL instruction, and also lladdr was used
for comparison with following SC physical address. This patch changes
the meaning of lladdr - now it will only keep the virtual address of
the most recent LL. Additionally, CP0_LLAddr field is introduced which
is the actual Coperocessor 0 LLAddr register that guest can access.
Backports commit c7c7e1e9a5e3f0a8a1dbff6e4ccfd21c2dc9f845 from qemu
This reverts commit 5131dc433df54b37e8e918d8fba7fe10344e7a7b.
For new instruction 'PCONFIG' will not be exposed to guest.
Backports commit 712f807e1965c8f1f1da5bbec2b92a8c540e6631 from qemu
Processor tracing is not yet implemented for KVM and it will be an
opt in feature requiring a special module parameter.
Disable it, because it is wrong to enable it by default and
it is impossible that no one has ever used it.
Backports commit 4c257911dcc7c4189768e9651755c849ce9db4e8 from qemu
PCONFIG is not available to guests; it must be specifically enabled
using the PCONFIG_ENABLE execution control. Disable it, because
no one can ever use it.
Backports commit 76e5a4d58357b9d077afccf7f7c82e17f733b722 from qemu
The {IOE, DZE, OFE, UFE, IXE, IDE} bits in the FPSCR/FPCR are for
enabling trapped IEEE floating point exceptions (where IEEE exception
conditions cause a CPU exception rather than updating the FPSR status
bits). QEMU doesn't implement this (and nor does the hardware we're
modelling), but for implementations which don't implement trapped
exception handling these control bits are supposed to be RAZ/WI.
This allows guest code to test for whether the feature is present
by trying to write to the bit and checking whether it sticks.
QEMU is incorrectly making these bits read as written. Make them
RAZ/WI as the architecture requires.
In particular this was causing problems for the NetBSD automatic
test suite.
Backports commit a15945d98d3a3390c3da344d1b47218e91e49d8b from qemu
This has been enabled in the linux kernel since v3.11
(commit d50240a5f6cea, 2013-09-03,
"arm64: mm: permit use of tagged pointers at EL0").
Backports commit f6a148fef63698826e69ca91cc11877ab1ed786f from qemu
This will allow TBI to be used in user-only mode, as well as
avoid ping-ponging the softmmu TLB when TBI is in use. It
will also enable other armv8 extensions.
Backports commit 3a471103ac1823bafc907962dcaf6bd4fc0942a2 from qemu
Split out gen_top_byte_ignore in preparation of handling these
data accesses; the new tbflags field is not yet honored.
Backports commit 4a9ee99db38ba513bf1e8f43665b79c60accd017 from qemu
The branch target exception for guarded pages has high priority,
and only 8 instructions are valid for that case. Perform this
check before doing any other decode.
Clear BTYPE after all insns that neither set BTYPE nor exit via
exception (DISAS_NORETURN).
Not yet handled are insns that exit via DISAS_NORETURN for some
other reason, like direct branches.
Backports commit 51bf0d7aa91a9d4e2563240a42e6cb705cef84aa from qemu
Caching the bit means that we will not have to re-walk the
page tables to look up the bit during translation.
Backports commit 1bafc2ba7e6bfe89fff3503fdac8db39c973de48 from qemu
Place this in its own field within ENV, as that will
make it easier to reset from within TCG generated code.
With the change to pstate_read/write, exception entry
and return are automatically handled.
Backports commit f6e52eaac13b6947f4406c127e3090c898e439c9 from qemu
A flawed test lead to the instructions always being treated as
unallocated encodings.
Fixes: https://bugs.launchpad.net/bugs/1813460
Backports commit 1cf86a8618644beb860951ff4383457ee88a7f4a from qemu
Since QEMU does not support the ARMv8.2-LVA, Large Virtual Address,
extension (yet), the VA address space is 48-bits plus a sign bit. User
mode can only handle the positive half of the address space, so that
makes a limit of 48 bits.
(With LVA, it would be 53 and 52 bits respectively.)
The incorrectly large address space conflicts with PAuth instructions,
which use bits 48-54 and 56-63 for the pointer authentication code. This
also conflicts with (as yet unsupported by QEMU) data tagging and with
the ARMv8.5-MTE extension.
Backports commit f6768aa1b4c6a80448eabd22bb9b4123c709caea from qemu
Drop the pac properties. This approach cannot work as written
because the properties are applied before arm_cpu_reset, which
zeros SCTLR_EL1 (amongst everything else).
We can re-introduce the properties if they turn out to be useful.
But since linux 5.0 enables all of the keys, they may not be.
Backports commit 276c6e813719568bdc9743e87ff8f42115006206 from qemu
Until now, the set_pc logic was unclear, which raised questions about
whether it should be used directly, applying a value to PC or adding
additional checks, for example, set the Thumb bit in Arm cpu. Let's set
the set_pc logic for “Configure the PC, as was done in the ELF file”
and implement synchronize_with_tb hook for preserving PC to cpu_tb_exec.
Backports commit 42f6ed919325413392bea247a1e6f135deb469cd from qemu
Whenever we notice that a counter overflow has occurred, send an
interrupt. This is made more reliable with the addition of a timer in a
follow-on commit.
Backports commit f4efb4b2a17528837cb445f9bdfaef8df4a5acf7 from qemu
In disas_simd_indexed(), for the case of "complex fp", each indexable
element is a complex pair, so the total size is twice that indicated
in the 'size' field in the encoding. We were trying to do this
"double the size" operation with a left shift by 1, but this is
incorrect because the 'size' field is a MO_8/MO_16/MO_32/MO_64
value, and doubling the size should be done by a simple increment.
This meant we were mishandling FCMLA (by element) of values where
the real and imaginary parts are 32-bit floats, and would incorrectly
UNDEF this encoding. (No other insns take this code path, and for
16-bit floats it happens that 1 << 1 and 1 + 1 are both the same).
Backports commit eaefb97a8b97dbf42c016fe65b68b92f99a346f6 from qemu
The FCMLA (by element) instruction exists in the
"vector x indexed element" encoding group, but not in
the "scalar x indexed element" group. Correctly UNDEF
the unallocated encodings.
Backports commit 4dfabb6d568e6b315594d7d464dacaf3368aff60 from qemu
In the AdvSIMD scalar x indexed element and vector x indexed element
encoding group, the SDOT and UDOT instructions are vector only,
and their opcode is unallocated in the scalar group. Correctly
UNDEF this unallocated encoding.
Backports commit 4977986ca38fb1d5357532e1a8032b984047a369 from qemu
In the encoding groups
* floating-point data-processing (1 source)
* floating-point data-processing (2 source)
* floating-point data-processing (3 source)
* floating-point immediate
* floating-point compare
* floating-ponit conditional compare
* floating-point conditional select
bit 31 is M and bit 29 is S (and bit 30 is 0, already checked at
this point in the decode). None of these groups allocate any
encoding for M=1 or S=1. We checked this in disas_fp_compare(),
disas_fp_ccomp() and disas_fp_csel(), but missed it in disas_fp_1src(),
disas_fp_2src(), disas_fp_3src() and disas_fp_imm().
We also missed that in the fp immediate encoding the imm5 field
must be all zeroes.
Correctly UNDEF the unallocated encodings here.
Backports commit c1e20801f5ee53472dbf2757df605543f3f4ce0b from qemu
In the "add/subtract (extended register)" encoding group, the "opt"
field in bits [23:22] must be zero. Correctly UNDEF the unallocated
encodings where this field is not zero.
Backports commit 4f61106614410945b1d1c93081544ad5b13044fc from qemu
In the AdvSIMD load/store single structure encodings, the
non-post-indexed case should have zeroes in [20:16] (which is the
Rm field for the post-indexed case). Bit 31 must also be zero
(a check we got right in ldst_multiple but not here). Correctly
UNDEF these unallocated encodings.
Backports commit 9c72b68ad746a51f63822cffab4d144b5957823a from qemu
In the AdvSIMD load/store multiple structures encodings,
the non-post-indexed case should have zeroes in [20:16]
(which is the Rm field for the post-indexed case).
Correctly UNDEF the currently unallocated encodings which
have non-zeroes in those bits.
Backports commit e1f220811dbd5d85fb02ff286358f9ee6188938f from qemu
The PRFM prefetch insn in the load/store with imm9 encodings
requires idx field 0b00; we were underdecoding this by
only checking !is_unpriv (which is equivalent to idx != 2).
Correctly UNDEF the unallocated encodings where idx == 0b01
and 0b11 as well as 0b10.
Backports commit a80c4256543987ca88407349ee012a673a10a2ae from qemu
The "system instructions" and "system register move" subcategories
of "branches, exception generating and system instructions" for A64
only apply if bits [23:22] are zero; other values are currently
unallocated. Correctly UNDEF these unallocated encodings.
Backports commit 08d5e3bde6b4ad32996bf69d93aa66ae43d3f3ff from qemu
It's either "GNU *Library* General Public License version 2" or
"GNU Lesser General Public License version *2.1*", but there was
no "version 2.0" of the "Lesser" license. So assume that version
2.1 is meant here.
Also some files mention the GPL instead of the LGPL after declaring
that the files are licensed under the LGPL, so change these spots to
use LGPL, too.
Backports commit d749fb85bd35f2f175a4ed3d170561e4f54f7297 from qemu
Modern AMD CPUs support NPT and NRIPSAVE features and KVM exposes these
when present. NRIPSAVE apeared somewhere in Opteron_G3 lifetime (e.g.
QuadCore AMD Opteron 2378 has is but QuadCore AMD Opteron HE 2344 doesn't),
NPT was introduced a bit earlier.
Add the FEAT_SVM leaf to Opteron_G4/G5 and EPYC/EPYC-IBPB cpu models.
Backports commit 9fe8b7be17eaac4cfde4083000cc96747d7cf4f8 from qemu
Update the stepping from 5 to 6, in order that
the Cascadelake-Server CPU model can support AVX512VNNI
and MSR based features exposed by ARCH_CAPABILITIES.
Backports commit b0a1980384fc265d91de7e09aa5fe531a69e6288 from qemu
A bug was introduced during a respin of:
commit 57a4a11b2b281bb548b419ca81bfafb214e4c77a
target/arm: Add array for supported PMU events, generate PMCEID[01]_EL0
This patch introduced two calls to get_pmceid() during CPU
initialization - one each for PMCEID0 and PMCEID1. In addition to
building the register values, get_pmceid() clears an internal array
mapping event numbers to their implementations (supported_event_map)
before rebuilding it. This is an optimization since much of the logic is
shared. However, since it was called twice, the contents of
supported_event_map reflect only the events in PMCEID1 (the second call
to get_pmceid()).
Fix this bug by moving the initialization of PMCEID0 and PMCEID1 back
into a single function call, and name it more appropriately since it is
doing more than simply generating the contents of the PMCEID[01]
registers.
Backports commit bf8d09694ccc07487cd73d7562081fdaec3370c8 from qemu
When tsz == 0, aarch32 selects the address space via exclusion,
and there are no "top_bits" remaining that require validation.
Fixes: ba97be9f4a4
Backports commit 36d820af0eddf4fc6a533579b052d8f0085a9fb8 from qemu
Add I6500 core configuration. Note that this configuration is
supported only on best-effort basis due to the lack of certain
features in QEMU.
Backports commit ca1ffd14ed8a11ad88619c0478e5ea58f0af5137 from qemu
Extend gen_scwp() functionality to support EVA by adding an
additional argument, modify internals of the function to handle
new functionality, and accordingly change its invocations.
Backports commit 8d5388c1de8bf207316369213bd950bafa6badda from qemu
"insn_flags" bitfield was expanded from 32-bit to 64-bit in commit
f9c9cd63e3. However, this was not reflected on the second argument
of the function cpu_supports_isa(). By chance, this did not create
some wrong behavior, since the left-most halves of all instances of
the second argument are currently all zeros. However, this is still
a bug waiting to happen. Correct this by changing the type of the
second argument to be always 64-bit.
Backports commit 5b1e098128367d6ef7cb2d1e99a55fcf4fa9cdde from qemu
Rename macros for extracting 3-bit-coded GPR numbers, to achieve
better consistency with the nanoMIPS documentation.
Backports commit 99e49abf119f700bf8664b7dfc60c22d9eaf9159 from qemu
Several macros were defined twice, with identical values, so
remove duplicates.
Previously added in 80845edf37b.
This reverts commit 6bfa9f4c9cf24d6cfaaa227722e9cdcca1ad6fe9.
Backports commit 362d2e72546923f8f410733cc286ae5528c7811a from qemu
The 32 R5900 128-bit registers are split into two 64-bit halves:
the lower halves are the GPRs and the upper halves are accessible
by the R5900-specific multimedia instructions.
Backports commit a168a796e1c251787fcdf2d9ca1e9e69cb86ffcd from qemu
Add CP0 register MemoryMapID. Only data field is added.
The corresponding functionality will be added in future
patches.
Backports commit 3ef521ee9fe2d01d4bbcf3e4d5c91ed982bf3f60 from qemu
Correct existing CP0-related preprocessor constants (replace
"CPO" with "CP0" (form letter "O" to digit "0", when needed).
Besides, add preprocessor constants for CP0 subregisters.
The names of the subregisters were chosen to be in sync with
the table of corresponding assembler mnemonics found in the
documentation for I6500 and I6400 (release 1.0).
Backports commit 04992c8cd1c43ecdba39dd8c916db092db6ebae0 from qemu
Move comment containing summary of CP0 registers. Checkpatch
script reported some tabs in the resutling diff, so convert
these tabs to spaces too.
Backports commit ea9c5e836e205a87038c8153282d0b6d9234cda2 from qemu
This both advertises that we support four counters and enables them
because the pmu_num_counters() reads this value from PMCR.
Backports commit ac689a2e5155d129acaa39603e2a7a29abd90d89 from qemu
The instruction event is only enabled when icount is used, cycles are
always supported. Always defining get_cycle_count (but altering its
behavior depending on CONFIG_USER_ONLY) allows us to remove some
CONFIG_USER_ONLY #defines throughout the rest of the code.
Backports commit b2e2372511946fae86fbb8709edec7a41c6f3167 from qemu
Add arrays to hold the registers, the definitions themselves, access
functions, and logic to reset counters when PMCR.P is set. Update
filtering code to support counters other than PMCCNTR. Support migration
with raw read/write functions.
Backports commit 5ecdd3e47cadae83a62dc92b472f1fe163b56f59 from qemu
This commit doesn't add any supported events, but provides the framework
for adding them. We store the pm_event structs in a simple array, and
provide the mapping from the event numbers to array indexes in the
supported_event_map array. Because the value of PMCEID[01] depends upon
which events are supported at runtime, generate it dynamically.
Backports commit 57a4a11b2b281bb548b419ca81bfafb214e4c77a from qemu
This is immediately necessary for the PMUv3 implementation to check
ID_DFR0.PerfMon to enable/disable specific features, but defines the
full complement of fields for possible future use elsewhere.
Backports commit beceb99c0c1218d0b55cc04ce6ef77579d3416cb from qemu
Rename arm_ccnt_enabled to pmu_counter_enabled, and add logic to only
return 'true' if the specified counter is enabled and neither prohibited
or filtered.
Backports commit 033614c47de78409ad3fb39bb7bd1483b71c6789 from qemu
Because of the PMU's design, many register accesses have side effects
which are inter-related, meaning that the normal method of saving CP
registers can result in inconsistent state. These side-effects are
largely handled in pmu_op_start/finish functions which can be called
before and after the state is saved/restored. By doing this and adding
raw read/write functions for the affected registers, we avoid
migration-related inconsistencies.
Backports relevant parts of commit
980ebe87053792a5bdefaa87777c40914fd4f673 from qemu
pmccntr_read and pmccntr_write contained duplicate code that was already
being handled by pmccntr_sync. Consolidate the duplicated code into two
functions: pmccntr_op_start and pmccntr_op_finish. Add a companion to
c15_ccnt in CPUARMState so that we can simultaneously save both the
architectural register value and the last underlying cycle count - this
ensures time isn't lost and will also allow us to access the 'old'
architectural register value in order to detect overflows in later
patches.
Backports commit 5d05b9d462666ed21b7fef61aa45dec9aaa9f0ff from qemu
Add 4 attributes that controls the EL1 enable bits, as we may not
always want to turn on pointer authentication with -cpu max.
However, by default they are enabled.
Backports relevant parts of commit
1ae9cfbd470bffb8d9bacd761344e9b5e8adecb6 from qemu.
This is the main crypto routine, an implementation of QARMA.
This matches, as much as possible, ARM pseudocode.
Backports commit 990870b205ddfdba3fd3c1321e6083005ef59d1a from qemu
This is not really functional yet, because the crypto is not yet
implemented. This, however follows the AddPAC pseudo function.
Backports commit 63ff0ca94cb84764d2aee45b37c5502a54811dab from qemu
This is not really functional yet, because the crypto is not yet
implemented. This, however follows the Auth pseudo function.
Backports commit a7bfa086c973a51fc18116c9d2e22a0e0069edba from qemu
Stripping out the authentication data does not require any crypto,
it merely requires the virtual address parameters.
Backports commit 04d13549fa10bb9775a90701e4e6fd0a2cbf83cb from qemu
The arm_regime_tbi{0,1} functions are replacable with the new function
by giving the lowest and highest address.
Backports commit 5d8634f5a3a8474525edcfd581a659830e9e97c0 from qemu
Use TBID in aa64_va_parameters depending on the data parameter.
This automatically updates all existing users of the function.
Backports commit 8220af7e4d34c858898fbfe55943aeea8f4e875f from qemu
We need to reuse this from helper-a64.c. Provide a stub
definition for CONFIG_USER_ONLY. This matches the stub
definitions that we removed for arm_regime_tbi{0,1} before.
Backports commit bf0be433878935e824479e8ae890493e1fb646ed from qemu
We will shortly want to talk about TBI as it relates to data.
Passing around a pair of variables is less convenient than a
single variable.
Backports commit 476a4692f06e381117fb7ad0d04d37c9c2612198 from qemu
Split out functions to extract the virtual address parameters.
Let the functions choose T0 or T1 address space half, if present.
Extract (most of) the control bits that vary between EL or Tx.
Backports commit ba97be9f4a4ecaf16a1454dc669e5f3d935d3b63 from qemu
While we could expose stage_1_mmu_idx, the combination is
probably going to be more useful.
Backports commit 64be86ab1b5ef10b660a4230ee7f27c0da499043 from qemu
The pattern
ARMMMUIdx mmu_idx = core_to_arm_mmu_idx(env, cpu_mmu_index(env, false));
is computing the full ARMMMUIdx, stripping off the ARM bits,
and then putting them back.
Avoid the extra two steps with the appropriate helper function.
Backports commit 50494a279dab22a015aba9501a94fcc3cd52140e from qemu
Not that there are any stores involved, but why argue with ARM's
naming convention.
Backports commit bd889f4810839a2b68e339696ccf7c406cd62879 from qemu
Now properly signals unallocated for REV64 with SF=0.
Allows for the opcode2 field to be decoded shortly.
Backports commit 18de2813c35e359621a24a0a2a77570e83cb73b9 from qemu
The cryptographic internals are stubbed out for now,
but the enable and trap bits are checked.
Backports commit 0d43e1a2d29a05f7b0d5629caaff18733cbdf3bb from qemu
There are 5 bits of state that could be added, but to save
space within tbflags, add only a single enable bit.
Helpers will determine the rest of the state at runtime.
Backports commit 0816ef1bfcd3ac53e7454b62ca436727887f6056 from qemu
In U-boot, we switch from S-SVC -> Mon -> Hyp mode when we want to
enter Hyp mode. The change into Hyp mode is done by doing an
exception return from Mon. This doesn't work with current QEMU.
The problem is that in bad_mode_switch() we refuse to allow
the change of mode.
Note that bad_mode_switch() is used to do validation for two situations:
(1) changes to mode by instructions writing to CPSR.M
(ie not exception take/return) -- this corresponds to the
Armv8 Arm ARM pseudocode Arch32.WriteModeByInstr
(2) changes to mode by exception return
Attempting to enter or leave Hyp mode via case (1) is forbidden in
v8 and UNPREDICTABLE in v7, and QEMU is correct to disallow it
there. However, we're already doing that check at the top of the
bad_mode_switch() function, so if that passes then we should allow
the case (2) exception return mode changes to switch into Hyp mode.
We want to test whether we're trying to return to the nonexistent
"secure Hyp" mode, so we need to look at arm_is_secure_below_el3()
rather than arm_is_secure(), since the latter is always true if
we're in Mon (EL3).
Backports commit 2d2a4549cc29850aab891495685a7b31f5254b12 from qemu
Hyper-V .feat_names are, unlike hardware features, commented out and it is
not obvious why we do that. Document the current status quo.
Backports commit abd5fc4c862d033a989552914149f01c9476bb16 from qemu
It was found that QMP users of QEMU (e.g. libvirt) may need
HV_CPUID_ENLIGHTMENT_INFO.EAX/HV_CPUID_NESTED_FEATURES.EAX information. In
particular, 'hv_tlbflush' and 'hv_evmcs' enlightenments are only exposed in
HV_CPUID_ENLIGHTMENT_INFO.EAX.
HV_CPUID_NESTED_FEATURES.EAX is exposed for two reasons: convenience
(we don't need to export it from hyperv_handle_properties() and as
future-proof for Enlightened MSR-Bitmap, PV EPT invalidation and
direct virtual flush features.
Backports commit a2b107dbbd342ff2077aa5af705efaf68c375459 from qemu
MPX support is being phased out by Intel; GCC has dropped it, Linux
is also going to do that. Even though KVM will have special code
to support MPX after the kernel proper stops enabling it in XCR0,
we probably also want to deprecate that in a few years. As a start,
do not enable it by default for any named CPU model starting with
the 4.0 machine types; this include Skylake, Icelake and Cascadelake.
Backports commit ecb85fe48cacb2f8740186e81f2f38a2e02bd963 from qemu
The missing functionality was added ~3 years ago with the Linux commit
46896c73c1a4 ("KVM: svm: add support for RDTSCP")
so reenable RDTSCP support on those CPU models.
Opteron_G2 - being family 15, model 6, doesn't have RDTSCP support
(the real hardware doesn't have it. K8 got RDTSCP support with the NPT
models, i.e., models >= 0x40).
Document the host's minimum required kernel version, while at it.
Backports commit 483c6ad426dbab72d912fe4793d7d558671aa727 from qemu
Now that MTTCG is here, the comment in the 32-bit Arm decoder that
"Since the emulation does not have barriers, the acquire/release
semantics need no special handling" is no longer true. Emit the
correct barriers for the load-acquire/store-release insns, as
we already do in the A64 decoder.
Backports commit 96c552958dbb63453b5f02bea6e704006d50e39a from qemu
While brk[ab] zeroing has a flags setting option, the merging variant
does not. Retain the same argument structure, to share expansion but
force the flag zero and do not decode bit 22.
Backports commit 407e6ce7f1f428cb242d424cd35381a77b5b2071 from qemu
Use "register" TBFLAG_ANY to indicate shared state between
A32 and A64, and "registers" TBFLAG_A32 & TBFLAG_A64 for
fields that are specific to the given cpu state.
Move ARM_TBFLAG_BE_DATA to shared state, instead of its current
placement within "Bit usage when in AArch32 state".
Backports commit aad821ac4faad369fad8941d25e59edf2514246b from qemu
The three-operand MADD and MADDU are specific to Sony R5900 core,
and Toshiba TX19/TX39/TX79 cores as well.
The "32-Bit TX System RISC TX39 Family Architecture manual"
is available at https://wiki.qemu.org/File:DSAE0022432.pdf
Backports commit 3b948f053fc588154d95228da8a6561c61c66104 from qemu
Add translation handlers for four logic MXU instructions.
It should be noted that there is an error in MXU documentation (dated
June 2017) regarding opcodes for this group of instructions. This was
confirmed by running tests on hardware, and also by looking up other
related public source trees (binutils, Android NDK). In initial MXU
patches to QEMU, opcodes for MXU logic instructions were created to
be in accordance with the MXU documentation, therefore the error from
was propagated. This patch corrects that, changing the involved code.
Besides that, as MXU was designed and implemented only for 32-bit
CPUs, corresponding preprosessor conditions were added around MXU
code, which allows more flexible implementation of MXU handlers.
Backports commit b621f0187ef789aeef733cf79e5ac83984752394 from qemu
Improve textual description of MXU extension. These are mostly
comment formatting changes.
Backports commit 84e2c895b12fb7056daeb7e5094656eae7b50d3d from qemu
Add generic naming involving generig suffixes OPTN0, OPTN1, OPTN2,
OPTN3 for four optn2 constants. Existing suffixes WW, LW, HW, XW
are not quite appropriate for some instructions using optn2.
Add missing opcodes and decoding engine for LXB, LXH, LXW, LXBU,
and LXHU instructions. They were for some reason forgotten in
previous commits. The MXU opcode list and decoding engine should
be now complete.
Backports commit c233bf07af7cf2358b69c38150dbd2e3e4a399b6 from qemu
When we add a new entry to the ARMCPRegInfo hash table in
add_cpreg_to_hashtable(), we allocate memory for tehe
ARMCPRegInfo struct itself, and we also g_strdup() the
name string. So the hashtable's value destructor function
must free the name string as well as the struct.
Spotted by clang's leak sanitizer. The leak here is a
small one-off leak at startup, because we don't support
CPU hotplug, and so the only time when we destroy
hash table entries is for the case where ARM_CP_OVERRIDE
means we register a wildcard entry and then override it later.
Backports commit ac87e5072e2cbfcf8e80caac7ef43ceb6914c7af from qemu
Provide a trivial implementation with zero limited ordering regions,
which causes the LDLAR and STLLR instructions to devolve into the
LDAR and STLR instructions from the base ARMv8.0 instruction set.
Backports commit 2d7137c10fafefe40a0a049ff8a7bd78b66e661f from qemu
Since arm_hcr_el2_eff includes a check against
arm_is_secure_below_el3, we can often remove a
nearby check against secure state.
In some cases, sort the call to arm_hcr_el2_eff
to the end of a short-circuit logical sequence.
Backports commit 7c208e0f4171c9e2cc35efc12e1bf264a45c229f from qemu
Replace arm_hcr_el2_{fmo,imo,amo} with a more general routine
that also takes SCR_EL3.NS (aka arm_is_secure_below_el3) into
account, as documented for the plethora of bits in HCR_EL2.
Backports commit f77784446045231f7dfa46c9b872091241fa1557 from qemu
The bulk of the work here, beyond base HPD, is defining the
TTBCR2 register. In addition we must check TTBCR.T2E, which
is not present (RES0) for AArch64.
Backports commit ab638a328fd099ba0b23c8c818eb39f2c35414f3 from qemu
Since the TCR_*.HPD bits were RES0 in ARMv8.0, we can simply
interpret the bits as if ARMv8.1-HPD is present without checking.
We will need a slightly different check for hpd for aarch32.
Backports commit 037c13c5904f5fc67bb0ab7dd91ae07347aedee9 from qemu
Because EL3 has a fixed execution mode, we can properly decide
which of the bits are RES{0,1}.
Backports commit ea22747c63c9a894777aa41a7af85c3d08e39f81 from qemu
The enable for TGE has already occurred within arm_hcr_el2_amo
and friends. Moreover, when E2H is also set, the sense is
supposed to be reversed, which has also already occurred within
the helpers.
Backports commit 619959c3583dad325c36f09ce670e7d091382cae from qemu
At the same time, define the fields for these registers,
and use those defines in arm_pamax().
Backports commit 3dc91ddbc68391f934bf6945853e99cf6810fc00 from qemu
The STIBP flag may be supported by the host KVM module, so QEMU
can allow it to be configured manually, and it can be exposed to
guests when using "-cpu host".
No additional migration code is required because the whole
contents of spec_ctrl is already migrated in the "cpu/spec_ctrl"
section.
Backports commit 0e8916582991b9fd0b94850a8444b8b80d0a0955 from qemu
MOVDIR64B moves 64-bytes as direct-store with 64-bytes write atomicity.
Direct store is implemented by using write combining (WC) for writing
data directly into memory without caching the data.
The bit definition:
CPUID.(EAX=7,ECX=0):ECX[bit 28] MOVDIR64B
The release document ref below link:
https://software.intel.com/sites/default/files/managed/c5/15/\
architecture-instruction-set-extensions-programming-reference.pdf
Backports commit 1c65775ffc2dbd276a8bffe592feba0e186a151c from qemu
MOVDIRI moves doubleword or quadword from register to memory through
direct store which is implemented by using write combining (WC) for
writing data directly into memory without caching the data.
The bit definition:
CPUID.(EAX=7,ECX=0):ECX[bit 27] MOVDIRI
The release document ref below link:
https://software.intel.com/sites/default/files/managed/c5/15/\
architecture-instruction-set-extensions-programming-reference.pdf
Backports commit 24261de4916596d8ab5f5fee67e9e7a19e8325a5 from qemu
Fixes a TCG crash due to attempting the atomic operation without
having set up the address first. This does not attempt to fix
all of the other missing checks for LOCK.
Fixes: a7cee522f35
Fixes: https://bugs.launchpad.net/qemu/+bug/1803160
Backports commit e84fcd7f662a0d8198703f6f89416d7ac2c32767 from qemu
This commit fixes a case where the CPU would try to go to EL3 when
executing an smc instruction, even though ARM_FEATURE_EL3 is false. This
case is raised when the PSCI conduit is set to smc, but the smc
instruction does not lead to a valid PSCI call.
QEMU crashes with an assertion failure latter on because of incoherent
mmu_idx.
This commit refactors the pre_smc helper by enumerating all the possible
way of handling an scm instruction, and covering the previously missing
case leading to the crash.
The following minimal test would crash before this commit:
.global _start
.text
_start:
ldr x0, =0xdeadbeef ; invalid PSCI call
smc #0
run with the following command line:
aarch64-linux-gnu-gcc -nostdinc -nostdlib -Wl,-Ttext=40000000 \
-o test test.s
qemu-system-aarch64 -M virt,virtualization=on,secure=off \
-cpu cortex-a57 -kernel test
Backports commit 7760da729ac88f112f98f36395ac3b55fc9e4211 from qemu
Disable R5900 support. There are some outstanding issues related
to ABI support and emulation accuracy, that were not understood
well during review process. Disable to avoid backward compatibility
issues.
Reverts commit ed4f49ba9bb56ebca6987b1083255daf6c89b5de.
Backports commit 823f2897bdd78185f3ba33292a25105ba8bad1b5 from qemu
Explicitely mark handling of PREF instruction for R5900 as
treating the same as NOP.
Backports commit 992e8176d36882983bb04f0259f7151a36d003a1 from qemu
Avoid using check_opc_user_only() as a decision making code wrt
various architectures. Use ctx->insn_flags checks instead.
Backports commit 55fc7a69aa38f5ec726e862caf4e4394caca04a8 from qemu
MOVN, MOVZ, MFHI, MFLO, MTHI, MTLO, MULT, MULTU, DIV, DIVU, DMULT,
DMULTU, DDIV, DDIVU and JR are decoded in decode_opc_special_tx79
instead of the generic decode_opc_special_legacy.
Backports commit 9dc324ce66807cc231fe890d4031de595ad1cf72 from qemu
MFLO1, MFHI1, MTLO1 and MTHI1 are generated in gen_HILO1_tx79 instead of
the generic gen_HILO.
Backports commit 86efbfb619a42061ac6439c074cfbf52df2ef2c2 from qemu
The Cortex-A15 and Cortex-A7 both have EL2; now we've implemented
it properly we can enable the feature bit.
Backports commit 436c0cbbeb38dd97c02fe921a7cb253a18afdd86 from qemu
Hyp mode is an exception to the general rule that each AArch32
mode has its own r13, r14 and SPSR -- it has a banked r13 and
SPSR but shares its r14 with User and System mode. We were
incorrectly implementing it as banked, which meant that on
entry to Hyp mode r14 was 0 rather than the USR/SYS r14.
We provide a new function r14_bank_number() which is like
the existing bank_number() but provides the index into
env->banked_r14[]; bank_number() provides the index to use
for env->banked_r13[] and env->banked_cpsr[].
All the points in the code that were using bank_number()
to index into env->banked_r14[] are updated for consintency:
* switch_mode() -- this is the only place where we fix
an actual bug
* aarch64_sync_32_to_64() and aarch64_sync_64_to_32():
no behavioural change as we already special-cased Hyp R14
* kvm32.c: no behavioural change since the guest can't ever
be in Hyp mode, but conceptually the right thing to do
* msr_banked()/mrs_banked(): we can never get to the case
that accesses banked_r14[] with tgtmode == ARM_CPU_MODE_HYP,
so no behavioural change
Backports commit 593cfa2b637b92d37eef949653840dc065cdb960 from qemu
In commit 8a0fc3a29fc2315325400 we tried to implement HCR_EL2.{VI,VF},
but we got it wrong and had to revert it.
In that commit we implemented them as simply tracking whether there
is a pending virtual IRQ or virtual FIQ. This is not correct -- these
bits cause a software-generated VIRQ/VFIQ, which is distinct from
whether there is a hardware-generated VIRQ/VFIQ caused by the
external interrupt controller. So we need to track separately
the HCR_EL2 bit state and the external virq/vfiq line state, and
OR the two together to get the actual pending VIRQ/VFIQ state.
Fixes: 8a0fc3a29fc2315325400c738f807d0d4ae0ab7f
Backports commit 89430fc6f80a5aef1d4cbd6fc26b40c30793786c from qemu
Currently we track the state of the four irq lines from the GIC
only via the cs->interrupt_request or KVM irq state. That means
that we assume that an interrupt is asserted if and only if the
external line is set. This assumption is incorrect for VIRQ
and VFIQ, because the HCR_EL2.{VI,VF} bits allow assertion
of VIRQ and VFIQ separately from the state of the external line.
To handle this, start tracking the state of the external lines
explicitly in a CPU state struct field, as is common practice
for devices.
The complicated part of this is dealing with inbound migration
from an older QEMU which didn't have this state. We assume in
that case that the older QEMU did not implement the HCR_EL2.{VI,VF}
bits as generating interrupts, and so the line state matches
the current state in cs->interrupt_request. (This is not quite
true between commit 8a0fc3a29fc2315325400c7 and its revert, but
that commit is broken and never made it into any released QEMU
version.)
Backports relevant parts of commit ed89f078ff3d6684ce3e538e4777a3bb4ec3e2b1 from qemu
This reverts commit 8a0fc3a29fc2315325400c738f807d0d4ae0ab7f.
The implementation of HCR.VI and VF in that commit is not
correct -- they do not track the overall "is there a pending
VIRQ or VFIQ" status, but whether there is a pending interrupt
due to "this mechanism", ie the hypervisor having set the VI/VF
bits. The overall pending state for VIRQ and VFIQ is effectively
the logical OR of the inbound lines from the GIC with the
VI and VF bits. Commit 8a0fc3a29fc231 would result in pending
VIRQ/VFIQ possibly being lost when the hypervisor wrote to HCR.
As a preliminary to implementing the HCR.VI/VF feature properly,
revert the broken one entirely.
Backports commit c624ea0fa7ffc9e2cc3e2b36c92b5c960954489f from qemu
The test was incomplete and incorrectly caused debug exceptions to be
generated when returning to EL2 after a failed attempt to single-step
an EL1 instruction. Fix this while cleaning up the function a little.
Backports commit 22af90255ec2100a44cbbb7f0460ba15eed79538 from qemu
Before we supported direct execution from MMIO regions, we
implemented workarounds in commit 720424359917887c926a33d2
which let us avoid doing so, even if the SAU or MPU region
was less than page-sized.
Once we implemented execute-from-MMIO, we removed part
of those workarounds in commit d4b6275df320cee76; but
we forgot the one in get_phys_addr_pmsav8() which
suppressed use of small SAU regions in executable regions.
Remove that workaround now.
Backports commit 521ed6b4015ba39a2e39c65a94643f3e6412edc4 from qemu
Now that we have full support for small regions, including execution,
we can remove the workarounds where we marked all small regions as
non-executable for the M-profile MPU and SAU.
Backports commit d4b6275df320cee764d56b194b1898547f545857 from qemu
Remove a TODO comment about implementing the vectored interrupt
controller. We have had an implementation of that for a decade;
it's in hw/intc/pl190.c.
Backports commit e24ad484909e7a00ca4f6332f3698facf0ba3394 from qemu
Fix the SYSCALL instruction in 64-bit (long mode). The RF flag
should be cleared in R11 as well as in the RFLAGS. Intel
and AMD CPUs behave same. AMD has this documented in the
APM vol 3.
Backports commit 1a1435dd61e28c1e3b70971107d72a7d05b28d03 from qemu
ATS1HR and ATS1HW (which allow AArch32 EL2 to do address translations
on the EL2 translation regime) were implemented in commit 14db7fe09a2c8.
However, we got them wrong: these should do stage 1 address translations
as defined for NS-EL2, which is ARMMMUIdx_S1E2. We were incorrectly
making them perform stage 2 translations.
A few years later in commit 1313e2d7e2cd we forgot entirely that
we'd implemented ATS1Hx, and added a comment that ATS1Hx were
"not supported yet". Remove the comment; there is no extra code
needed to handle these operations in do_ats_write(), because
arm_s1_regime_using_lpae_format() returns true for ARMMMUIdx_S1E2,
which forces 64-bit PAR format.
Backports commit 23463e0e4aeb2f0a9c60549a2c163f4adc0b8512 from qemu
In do_ats_write() we construct a PAR value based on the result
of the translation. A comment says "S2WLK and FSTAGE are always
zero, because we don't implement virtualization".
Since we do in fact now implement virtualization, add the missing
code that sets these bits based on the reported ARMMMUFaultInfo.
(These bits are named PTW and S in ARMv8, so we follow that
convention in the new comments in this patch.)
Backports commit 0f7b791b35f24cb1333f779705a3f6472e6935de from qemu
In handle_vec_simd_shli() we have a check:
if (size > 3 && !is_q) {
unallocated_encoding(s);
return;
}
However this can never be true, because we calculate
int size = 32 - clz32(immh) - 1;
where immh is a 4 bit field which we know cannot be all-zeroes.
So the clz32() return must be in {28,29,30,31} and the resulting
size is in {0,1,2,3}, and "size > 3" is never true.
This unnecessary code confuses Coverity's analysis:
in CID 1396476 it thinks we might later index off the
end of an array because the condition implies that we
might have a size > 3.
Remove the code, and instead assert that the size is in [0..3],
since the decode that enforces that is somewhat distant from
this function.
Backports commit f6c98f91f56031141a47f86225fdc30f0f9f84fb from qemu
When populating id registers from kvm, on a host that doesn't support
aarch32 mode at all, neither arm_div nor jazelle will be supported either.
Backports commit 0f8d06f16c9d1041d728d09d464462ebe713c662 from qemu
Coldfire defines an "Unsupported instruction" exception if execution
of a valid instruction is attempted but the required hardware is not
present in the processor.
We use it with instructions that are in fact undefined or illegal,
and the exception expected in this case by the kernel is the
illegal exception, so this patch fixes that.
Backports commit b9f8e55bf7e994e192ab7360830731580384b813 from qemu
This allows trans_* expanders to be shared between decoders
for 32 and 16-bit insns, by not tying the expander to the
size of the insn that produced it.
This change requires adjusting the two existing users to match.
Backports commit 3a7be5546506be62d5c6c4b804119cedf9e367d6 from qemu
As the release document ref below link (page 13):
https://software.intel.com/sites/default/files/managed/c5/15/\
architecture-instruction-set-extensions-programming-reference.pdf
PKU is supported in Skylake Server (Only Server) and later, and
on Intel(R) Xeon(R) Processor Scalable Family. So PKU is supposed
to be in Skylake-Server CPU model. And PKU's CPUID has been
exposed to QEMU. But PKU can't be find in Skylake-Server CPU
model in the code. So this patch will fix this issue in
Skylake-Server CPU model.
Backports commit 09b9ee643f90ef95e30e594df2a3c83ccaf75b1f from qemu
New CPU models mostly inherit features from ancestor Skylake-Server,
while addin new features: AVX512_VNNI, Intel PT.
SSBD support for speculative execution
side channel mitigations.
Note:
On Cascadelake, some capabilities (RDCL_NO, IBRS_ALL, RSBA,
SKIP_L1DFL_VMENTRY and SSB_NO) are enumerated by MSR.
These features rely on MSR based feature support patch.
Will be added later after that patch's in.
http://lists.nongnu.org/archive/html/qemu-devel/2018-09/msg00074.html
Backports commit c7a88b52f62b30c04158eeb07f73e3f72221b6a8 from qemu
Note RSBA is specially treated -- no matter host support it or not, qemu
pretends it is supported.
Backports commit d86f963694df27f11b3681ffd225c9362de1b634 from qemu
Intel SDM says for CPUID function 0DH, sub-function 0:
| • ECX enumerates the size (in bytes) required by the XSAVE instruction for an
| XSAVE area containing all the user state components supported by this
| processor.
| • EBX enumerates the size (in bytes) required by the XSAVE instruction for an
| XSAVE area containing all the user state components corresponding to bits
| currently set in XCR0.
Backports commit de2e68c902f7b6e438b0fa3cfedd74a06a20704f from qemu
Add prefix, suffix, operation descriptions, and other corrections
and amendments to the comment that describes MXU ASE.
Backports commit 093ade12179b6a3f679c100c0fe2a0a7d72068ba from qemu
Move MUL, S32M2I, S32I2M handling out of switch. These are all
instructions that do not depend on MXU_EN flag of MXU_CR.
Backports commit 87860df5511b972f0234a6b2cfaad5227c79b6b4 from qemu
Add support for emulating the S32I2M and S32M2I MXU instructions.
This commit also contains utility functions for reading/writing
to MXU registers. This is required for overall MXU instruction
support.
Backports commit 96992d1aa1b250c0fffc1ff2dad5e6e4f0b9815b from qemu
Add MXU decoding engine: add handlers for all instruction pools,
and main decode handler. The handlers, for now, for the purpose
of this patch, contain only sceleton in the form of a single
switch statement.
Backports commit 03f400883a1dd92fac5b0d9127b38e34c9a722d7 from qemu
Amend MXU instruction opcodes. Pool04 is actually only instruction
OPC_MXU_S16MAD. Two cases within S16MAD are recognized by 1-bit
subfield 'aptn1'.
Backports commit eab0bdb07cbed1131be2d1f541059c7b96b05e32 from qemu
Define a bit for MXU in insn_flags. This is the first non-MIPS
(third party) ASE supported in QEMU for MIPS, so it is placed in
the section "bits 56-63: vendor-specific ASEs".
Backports commit a031ac61619294ae473a78d1834e757fad8b59e5 from qemu
Define and initialize the 16 MXU registers - 15 general computational
register, and 1 control register). There is also a zero register, but
it does not have any corresponding variable.
Backports commit eb5559f67dc8dc12335dd996877bb6daaea32eb2 from qemu.
Implement emulation of nanoMIPS EVA instructions. They are all
part of P.LS.E0 instruction pool, or one of its subpools.
Backports commit d046a9ea1b8877a570a8b12a2d0125ec59fe5b22 from qemu
Opcode for ALIGN and DALIGN must be in fact ranges of opcodes, to
allow paremeter 'bp' to occupy two and three bits, respectively.
Backports commit 373ecd3823f949fd550ec49685299e287af5753e from qemu
Replace MIPS32 with MIPS, since the file covers all generations
of MIPS architectures.
Backports commit ab99e0e44bc7b0e2e52d9083a673866b18470536 from qemu
The primary purpose of this change is to support programs compiled by
GCC for the R5900 target and thereby run R5900 Linux distributions, for
example Gentoo.
GCC in version 7.3, by itself, by inspection of the GCC source code
and inspection of the generated machine code, for the R5900 target,
only emits two instructions that are specific to the R5900: the three-
operand MULT and MULTU. GCC and libc also emit certain MIPS III
instructions that are not part of the R5900 ISA. They are normally
trapped and emulated by the Linux kernel, and therefore need to be
treated accordingly by QEMU.
A program compiled by GCC is taken to mean source code compiled by GCC
under the restrictions above. One can, with the apparent limitations,
with a bit of effort obtain a fully functioning operating system such
as R5900 Gentoo. Strictly speaking, programs need not be compiled by
GCC to make use of this change.
Instructions and other facilities of the R5900 not implemented by this
change are intended to signal provisional exceptions. One such example
is the FPU that is not compliant with IEEE 754-1985 in system mode. It
is therefore provisionally disabled. In user space the FPU is trapped
and emulated by IEEE 754-1985 compliant software in the kernel, and
this is handled accordingly by QEMU. Another example is the 93
multimedia instructions specific to the R5900 that generate provisional
reserved instruction exception signals.
One of the benefits of running a Linux distribution under QEMU is that
programs can be compiled with a native compiler, where the host and
target are the same, as opposed to a cross-compiler, where they are
not the same. This is especially important in cases where the target
hardware does not have the resources to run a native compiler.
Problems with cross-compilation are often related to host and target
differences in integer sizes, pointer sizes, endianness, machine code,
ABI, etc. Sometimes cross-compilation is not even supported by the
build script for a given package. One effective way to avoid those
problems is to replace the cross-compiler with a native compiler. This
change of compilation methods does not resolve the inherent problems
with cross-compilation.
The native compiler naturally replaces the cross-compiler, because one
typically uses one or the other, and preferably the native compiler
when the circumstances admit this. The native compiler is also a good
test case for the R5900 QEMU user mode. Additionally, Gentoo is well-
known for compiling and installing its packages from sources.
This change has been tested with Gentoo compiled for R5900, including
native compilation of several packages under QEMU.
Backports commit ed4f49ba9bb56ebca6987b1083255daf6c89b5de from qemu.
The Linux kernel traps certain reserved instruction exceptions to
emulate the corresponding instructions. QEMU plays the role of the
kernel in user mode, so those traps are emulated by accepting the
instructions.
This change adds the function check_insn_opc_user_only to signal a
reserved instruction exception for flagged CPUs in QEMU system mode.
The MIPS III instructions DMULT[U], DDIV[U], LL[D] and SC[D] are not
implemented in R5900 hardware. They are trapped and emulated by the
Linux kernel and, accordingly, therefore QEMU user only instructions.
Backports commit 96631327be14c4f54cc31f873c278d9ffedd1e00 from qemu
The R5900 is taken to be MIPS III with certain modifications. From
MIPS IV it implements the instructions MOVN, MOVZ and PREF.
Backports commit 5601e6217d90ed322b4b9a6d68e8db607db91842 from qemu
The three-operand MULT and MULTU are the only R5900-specific
instructions emitted by GCC 7.3. The R5900 also implements the three-
operand MADD and MADDU instructions, but they are omitted in QEMU for
now since they are absent in programs compiled by current GCC versions.
Likewise, the R5900-specific pipeline 1 instruction variants MULT1,
MULTU1, DIV1, DIVU1, MADD1, MADDU1, MFHI1, MFLO1, MTHI1 and MTLO1
are omitted here as well.
Backports commit 21e8e8b230af38b6bd8c953fa5f31e4a5a128e1c from qemu
The R5900 implements the 64-bit MIPS III instruction set except
DMULT, DMULTU, DDIV, DDIVU, LL, SC, LLD and SCD. The MIPS IV
instructions MOVN, MOVZ and PREF are implemented. It has the
R5900-specific three-operand instructions MADD, MADDU, MULT and
MULTU as well as pipeline 1 versions MULT1, MULTU1, DIV1, DIVU1,
MADD1, MADDU1, MFHI1, MFLO1, MTHI1 and MTLO1. A set of 93 128-bit
multimedia instructions specific to the R5900 is also implemented.
The Toshiba TX System RISC TX79 Core Architecture manual:
https://wiki.qemu.org/File:C790.pdf
describes the C790 processor that is a follow-up to the R5900. There
are a few notable differences in that the R5900 FPU
- is not IEEE 754-1985 compliant,
- does not implement double format, and
- its machine code is nonstandard.
Backports commit 6f692818a7b53630702d25a709cd61282fd139ad from qemu
Since QEMU does not implement ASIDs, changes to the ASID must flush the
tlb. However, if the ASID does not change there is no reason to flush.
In testing a boot of the Ubuntu installer to the first menu, this reduces
the number of flushes by 30%, or nearly 600k instances.
Backports commit 93f379b0c43617b1361f742f261479eaed4959cb from qemu
The EL3 version of this register does not include an ASID,
and so the tlb_flush performed by vmsa_ttbr_write is not needed.
Backports commit f478847f1ee0df9397f561025ab2f687fd923571 from qemu
Instead of shifts and masks, use direct loads and stores from
the neon register file.
Backports commit 2d6ac920837f558be214ad2ddd28cad7f3b15e5c from qemu
For a sequence of loads or stores from a single register,
little-endian operations can be promoted to an 8-byte op.
This can reduce the number of operations by a factor of 8.
Backports commit e23f12b3a252352b575908ca7b94587acd004641 from qemu
Instead of shifts and masks, use direct loads and stores from the neon
register file. Mirror the iteration structure of the ARM pseudocode
more closely. Correct the parameters of the VLD2 A2 insn.
Note that this includes a bugfix for handling of the insn
"VLD2 (multiple 2-element structures)" -- we were using an
incorrect stride value.
Backports commit ac55d00709e78cd39dfa298dcaac7aecb58762e8 from qemu
Also introduces neon_element_offset to find the env offset
of a specific element within a neon register.
Backports commit 32f91fb71f4c32113ec8c2af5f74f14abe6c7162 from qemu
For a sequence of loads or stores from a single register,
little-endian operations can be promoted to an 8-byte op.
This can reduce the number of operations by a factor of 8.
Backports commit 87f9a7f0c8d5122c36743885158782c2348a6d21 from qemu
This can reduce the number of opcodes required for certain
complex forms of load-multiple (e.g. ld4.16b).
Backports commit a7d8143aed2268f147cc1abfebc848ed6282a313 from qemu
For traps of FP/SIMD instructions to AArch32 Hyp mode, the syndrome
provided in HSR has more information than is reported to AArch64.
Specifically, there are extra fields TA and coproc which indicate
whether the trapped instruction was FP or SIMD. Add this extra
information to the syndromes we construct, and mask it out when
taking the exception to AArch64.
Backports commit 4be42f4013fa1a9df47b48aae5148767bed8e80c from qemu
For the v7 version of the Arm architecture, the IL bit in
syndrome register values where the field is not valid was
defined to be UNK/SBZP. In v8 this is RES1, which is what
QEMU currently implements. Handle the desired v7 behaviour
by squashing the IL bit for the affected cases:
* EC == EC_UNCATEGORIZED
* prefetch aborts
* data aborts where ISV is 0
(The fourth case listed in the v8 Arm ARM DDI 0487C.a in
section G7.2.70, "illegal state exception", can't happen
on a v7 CPU.)
This deals with a corner case noted in a comment.
Backports commit 2ed08180db096ea5e44573529b85e09b1ed10b08 from qemu
Create and use a utility function to extract the EC field
from a syndrome, rather than open-coding the shift.
Backports commit 64b91e3f890a8c221b65c6820a5ee39107ee40f5 from qemu
If the HCR_EL2 PTW virtualizaiton configuration register bit
is set, then this means that a stage 2 Permission fault must
be generated if a stage 1 translation table access is made
to an address that is mapped as Device memory in stage 2.
Implement this.
Backports commit eadb2febf05452bd8062c4c7823d7d789142500c from qemu
The HCR_EL2 VI and VF bits are supposed to track whether there is
a pending virtual IRQ or virtual FIQ. For QEMU we store the
pending VIRQ/VFIQ status in cs->interrupt_request, so this means:
* if the register is read we must get these bit values from
cs->interrupt_request
* if the register is written then we must write the bit
values back into cs->interrupt_request
Backports commit 8a0fc3a29fc2315325400c738f807d0d4ae0ab7f from qemu
The A/I/F bits in ISR_EL1 should track the virtual interrupt
status, not the physical interrupt status, if the associated
HCR_EL2.AMO/IMO/FMO bit is set. Implement this, rather than
always showing the physical interrupt status.
We don't currently implement anything to do with external
aborts, so this applies only to the I and F bits (though it
ought to be possible for the outer guest to present a virtual
external abort to the inner guest, even if QEMU doesn't
emulate physical external aborts, so there is missing
functionality in this area).
Backports commit 636540e9c40bd0931ef3022cb953bb7dbecd74ed from qemu
The HCR.DC virtualization configuration register bit has the
following effects:
* SCTLR.M behaves as if it is 0 for all purposes except
direct reads of the bit
* HCR.VM behaves as if it is 1 for all purposes except
direct reads of the bit
* the memory type produced by the first stage of the EL1&EL0
translation regime is Normal Non-Shareable,
Inner Write-Back Read-Allocate Write-Allocate,
Outer Write-Back Read-Allocate Write-Allocate.
Implement this behaviour.
Backports commit 9d1bab337caf2324a233e5937f415fad4ce1641b from qemu
The HCR.FB virtualization configuration register bit requests that
TLB maintenance, branch predictor invalidate-all and icache
invalidate-all operations performed in NS EL1 should be upgraded
from "local CPU only to "broadcast within Inner Shareable domain".
For QEMU we NOP the branch predictor and icache operations, so
we only need to upgrade the TLB invalidates:
AArch32 TLBIALL, TLBIMVA, TLBIASID, DTLBIALL, DTLBIMVA, DTLBIASID,
ITLBIALL, ITLBIMVA, ITLBIASID, TLBIMVAA, TLBIMVAL, TLBIMVAAL
AArch64 TLBI VMALLE1, TLBI VAE1, TLBI ASIDE1, TLBI VAAE1,
TLBI VALE1, TLBI VAALE1
Backports commit b4ab8ce98b8c482c8986785800f238d32a1578a9 from qemu
For AArch32, exception return happens through certain kinds
of CPSR write. We don't currently have any CPU_LOG_INT logging
of these events (unlike AArch64, where we log in the ERET
instruction). Add some suitable logging.
This will log exception returns like this:
Exception return from AArch32 hyp to usr PC 0x80100374
paralleling the existing logging in the exception_return
helper for AArch64 exception returns:
Exception return from AArch64 EL2 to AArch64 EL0 PC 0x8003045c
Exception return from AArch64 EL2 to AArch32 EL0 PC 0x8003045c
(Note that an AArch32 exception return can only be
AArch32->AArch32, never to AArch64.)
Backports commit 81e3728407bf4a12f83e14fd410d5f0a7d29b5b4 from qemu
Having V6 alone imply jazelle was wrong for cortex-m0.
Change to an assertion for V6 & !M.
This was harmless, because the only place we tested ARM_FEATURE_JAZELLE
was for 'bxj' in disas_arm(), which is unreachable for M-profile cores.
Backports commit 09cbd50198d5dcac8bea2e47fa5dd641ec505fae from qemu
Both arm and thumb2 division are controlled by the same ISAR field,
which takes care of the arm implies thumb case. Having M imply
thumb2 division was wrong for cortex-m0, which is v6m and does not
have thumb2 at all, much less thumb2 division.
Backports commit 7e0cf8b47f0e67cebbc3dfa73f304e56ad1a090f from qemu
Most of the v8 extensions are self-contained within the ISAR
registers and are not implied by other feature bits, which
makes them the easiest to convert.
Backports commit 962fcbf2efe57231a9f5df0ae0f40c05e35628ba from qemu
Instantiating mps2-an505 (cortex-m33) will fail make check when
V7VE asserts that ID_ISAR0.Divide includes ARM division. It is
also wrong to include ARM_FEATURE_LPAE.
Backports commit 5256df880d1312a58472af3fb0a3c51e708f2161 from qemu
This patch extends the qemu-kvm state sync logic with support for
KVM_GET/SET_VCPU_EVENTS, giving access to yet missing SError exception.
And also it can support the exception state migration.
The SError exception states include SError pending state and ESR value,
the kvm_put/get_vcpu_events() will be called when set or get system
registers. When do migration, if source machine has SError pending,
QEMU will do this migration regardless whether the target machine supports
to specify guest ESR value, because if target machine does not support that,
it can also inject the SError with zero ESR value.
Backports the relevant parts of commit
202ccb6bab5fe26bca2c82bff23302f7acfd1940 from qemu
Fix misplaced 'break' in handling of NM_SHRA_R_PH. Found by
Coverity (CID 1395627).
Backports commit d5ebcbaf09e8c14e62b2966446195be5eeabcbab from qemu
Fix emulation of microMIPS R6 <SELEQZ|SELNEZ>.<D|S> instructions.
Their handling was permuted.
Backports commit fdac60cd0458f34b2e79d74a55bec10836e26471 from qemu
Implement hardware page table walker. This implementation is
limiter only to MIPS32.
Backports commit 074cfcb4daedf59ccbbbc83c24eee80e0e8f4c71 from qemu
Add reset state for PWSize and PWField registers. The reset state
is different for pre-R6 and R6 (and post-R6) ISAa
Backports commit 630107955757b9dfc5c09f105caa267eded2e3b1 from qemu
Add PWCtl register (CP0 Register 5, Select 6).
The PWCtl register configures hardware page table walking for TLB
refills.
This register is required for the hardware page walker feature. It
exists only if Config3 PW bit is set to 1. It contains following
fields:
PWEn (31) - Hardware Page Table walker enable
PWDirExt (30) - If 1, 4-th level implemented (MIPS64 only)
XK (28) - If 1, walker handles xkseg (MIPS64 only)
XS (27) - If 1, walker handles xsseg (MIPS64 only)
XU (26) - If 1, walker handles xuseg (MIPS64 only)
DPH (7) - Dual Page format of Huge Page support
HugePg (6) - Huge Page PTE supported in Directory levels
PSn (5..0) - Bit position of PTEvld in Huge Page PTE
Backports commit 103be64c26c166f12b3e1308edadef3443723ff1 from qemu
Add PWSize register (CP0 Register 5, Select 7).
The PWSize register configures hardware page table walking for TLB
refills.
This register is required for the hardware page walker feature. It
exists only if Config3 PW bit is set to 1. It contains following
fields:
BDW (37..32) Base Directory index width (MIPS64 only)
GDW (29..24) Global Directory index width
UDW (23..18) Upper Directory index width
MDW (17..12) Middle Directory index width
PTW (11..6 ) Page Table index width
PTEW ( 5..0 ) Left shift applied to the Page Table index
Backports commit 20b28ebc49945583d7191b57755cfd92433de9ff from qemu
Add PWField register (CP0 Register 5, Select 6).
The PWField register configures hardware page table walking for TLB
refills.
This register is required for the hardware page walker feature. It
exists only if Config3 PW bit is set to 1. It contains following
fields:
MIPS64:
BDI (37..32) - Base Directory index
GDI (29..24) - Global Directory index
UDI (23..18) - Upper Directory index
MDI (17..12) - Middle Directory index
PTI (11..6 ) - Page Table index
PTEI ( 5..0 ) - Page Table Entry shift
MIPS32:
GDW (29..24) - Global Directory index
UDW (23..18) - Upper Directory index
MDW (17..12) - Middle Directory index
PTW (11..6 ) - Page Table index
PTEW ( 5..0 ) - Page Table Entry shift
Backports commit fa75ad1459f4f6abbeb6d375a812dfad61320f58 from qemu
Add PWBase register (CP0 Register 5, Select 5).
The PWBase register contains the Page Table Base virtual address.
This register is required for the hardware page walker feature. It
exists only if Config3 PW bit is set to 1.
Backports commit 5e31fdd59fda5c4ba9eb0daadc2a26273a29a0b6 from qemu
Add field corresponding to CP0 Config2 to DisasContext. This is
needed for availability control via Config2 bits.
Backports commit 49735f76db25bf10f57973d5249f17151b801760 from qemu
Do following replacements:
ASE_DSPR2 -> ASE_DSP_R2
ASE_DSPR3 -> ASE_DSP_R3
MIPS_HFLAG_DSPR2 -> MIPS_HFLAG_DSP_R2
MIPS_HFLAG_DSPR3 -> MIPS_HFLAG_DSP_R3
check_dspr2() -> check_dsp_r2()
check_dspr3() -> check_dsp_r3()
and several other similar minor replacements.
Backports commit 908f6be1b9cbc270470230f805d6f7474ab3178d from qemu
Add infrastructure for availability control for DSP R3 ASE MIPS
instructions. Only BPOSGE32C currently belongs to DSP R3 ASE, but
this is likely to be changed in near future.
Backports commit 59e781fbf13a2dede15437d055b09d7ea120dcac from qemu
Increase the size of insn_flags holder size to 64 bits. This is
needed for future extensions since existing bits are almost all used.
Backports commit f9c9cd63e3dd84c5f052deec880ec92046bbe305 from qemu
Add a comment that contains a list all MXU instructions,
expressed in assembler mnemonics.
Backports commit 1d0e663c5f25345a6702d8a83c051b83f3462299 from qemu
Add a comment before each CP0 register section in CPUMIPSState
definition, thus visually separating these sections.
Backports commit 50e7edc5ac25af2faaacd1f91e177c7de7d696c3 from qemu
Add a comment with an overview of CP0 registers close to the
definition of their corresponding fields in CPUMIPSState.
Backports commit a86d421e18d58b32d6eaba1e79160e2b4e5a0a6c from qemu
The get_phys_addr() functions take a pointer to an ARMMMUFaultInfo
struct, which they fill in only if a fault occurs. This means that
the caller must always zero-initialize the struct before passing
it in. We forgot to do this in v7m_stack_read() and v7m_stack_write().
Correct the error.
Backports commit ab44c7b71fa683b9402bea0d367b87c881704188 from qemu
This is an amendment to my earlier patch:
commit 7ece99b17e832065236c07a158dfac62619ef99b
Backports commit 599b71e277ac7e92807191b20b7163a28c5450ad from qemu
When QEMU provides the equivalent of the EL3 firmware, we
need to enable HVCs in scr_el3 when turning on CPUs that
target EL2.
Backports commit 86278c33d1d71196f5e22ce3ce82a1b34a199754 from qemu
At present we assert:
arm_el_is_aa64: Assertion `el >= 1 && el <= 3' failed.
The comment in arm_el_is_aa64 explains why asking about EL0 without
extra information is impossible. Add an extra argument to provide
it from the surrounding context.
Fixes: 0ab5953b00b3
Backports commit 9a05f7b67436abdc52bce899f56acfde2e831454 from qemu
Updating the NS stack pointer via MSR to SP_NS should include
a check whether the new SP value is below the stack limit.
No other kinds of update to the various stack pointer and
limit registers via MSR should perform a check.
Backports commit 167765f0739e4a108e8c2e2ff2f37917df5658f9 from qemu
Add the v8M stack checks for the VLDM/VSTM
(aka VPUSH/VPOP) instructions. This code is currently
unreachable because we haven't yet implemented M profile
floating point support, but since the change is simple,
we add it now because otherwise we're likely to forget to
do it later.
Backports commit 8a954faf5412d5073d585d85a1da63a09bb5d84e from qemu
Add v8M stack checks for the 16-bit Thumb push/pop
encodings: STMDB, STMFD, LDM, LDMIA, LDMFD.
Backports commit aa369e5c08bbe2748d2be96f13f4ef469a4d3080 from qemu
Add v8M stack checks for the instructions in the T32
"load/store single" encoding class: these are the
"immediate pre-indexed" and "immediate, post-indexed"
LDR and STR instructions.
Backports commit 0bc003bad9752afc61624cb680226c922f34f82c from qemu
Add the v8M stack checks for:
* LDM (T2 encoding)
* STM (T2 encoding)
This includes the 32-bit encodings of the instructions listed
in v8M ARM ARM rule R_YVWT as
* LDM, LDMIA, LDMFD
* LDMDB, LDMEA
* POP (multiple registers)
* PUSH (muliple registers)
* STM, STMIA, STMEA
* STMDB, STMFD
We perform the stack limit before doing any other part
of the load or store.
Backports commit 7c0ed88e7d6bee3e55c3d8935c46226cb544191a from qemu
Add the v8M stack checks for:
* LDRD (immediate)
* STRD (immediate)
Loads and stores are more complicated than ADD/SUB/MOV, because we
must ensure that memory accesses below the stack limit are not
performed, so we can't simply do the check when we actually update
SP.
For these instructions, if the stack limit check triggers
we must not:
* perform any memory access below the SP limit
* update PC, SP or the load/store base register
but it is IMPDEF whether we:
* perform any accesses above or equal to the SP limit
* update destination registers for loads
For QEMU we choose to always check the limit before doing any other
part of the load or store, so we won't update any registers or
perform any memory accesses.
It is UNKNOWN whether the limit check triggers for a load or store
where the initial SP value is below the limit and one of the stores
would be below the limit, but the writeback moves SP to above the
limit. For QEMU we choose to trigger the check in this situation.
Note that limit checks happen only for loads and stores which update
SP via writeback; they do not happen for loads and stores which
simply use SP as a base register.
Backports commit 910d7692e5b60f2c2d08cc3d6d36076e85b6a69d from qemu
Add checks for breaches of the v8M stack limit when the
stack pointer is decremented to push the exception frame
for exception entry.
Note that the exception-entry case is unique in that the
stack pointer is updated to be the limit value if the limit
is hit (per rule R_ZLZG).
Backports commit c32da7aa6205a5ff62ae8d5062f7cad0eae4c1fd from qemu
Add some comments to the Thumb decoder indicating what bits
of the instruction have been decoded at various points in
the code.
This is not an exhaustive set of comments; we're gradually
adding comments as we work with particular bits of the code.
Backports commit a2d12f0f34e9c5ef8a193556fde983aa186fa73a from qemu
Add code to insert calls to a helper function to do the stack
limit checking when we handle these forms of instruction
that write to SP:
* ADD (SP plus immediate)
* ADD (SP plus register)
* SUB (SP minus immediate)
* SUB (SP minus register)
* MOV (register)
Backports commit 5520318939fea5d659bf808157cd726cb967b761 from qemu
We're going to want v7m_using_psp() in op_helper.c in the
next patch, so move it from helper.c to internals.h.
Backports commit 5529bf188d996391ff52a0e1801daf9c6a6bfcb0 from qemu
Define EXCP_STKOF, and arrange for it to cause us to take
a UsageFault with CFSR.STKOF set.
Backports commit 86f026de22d8854eecc004af44895de74225794f from qemu
The Arm v8M architecture includes hardware stack limit checking.
When certain instructions update the stack pointer, if the new
value of SP is below the limit set in the associated limit register
then an exception is taken. Add a TB flag that tracks whether
the limit-checking code needs to be emitted.
Backports commit 4730fb85035e99c909db7d14ef76cd17f28f4423 from qemu
There is quite a lot of code required to compute cpu_mem_index,
or even put together the full TCGMemOpIdx. This can easily be
done at translation time.
Backports commit 500d04843ba953dc4560e44f04001efec38c14a6 from qemu
This implements the feature for softmmu, and moves the
main loop out of a macro and into a function.
Backports commit 116347ce20bb7b5cac17bf2b0e6f607530b50862 from qemu
We can choose the endianness at translation time, rather than
re-computing it at execution time.
Backports commit 28d57f2dc59c287e1c40239509b0a325fd00e32f from qemu
We can choose the endianness at translation time, rather than
re-computing it at execution time.
Backports commit 7d0a57a2e1cea188b9023261a404d7a211117230 from qemu
This fixes the endianness problem for softmmu, and moves
the main loop out of a macro and into an inlined function.
Backports commit 78cf1b886aa1b95c97fc5114641515c2892bb240 from qemu
This fixes the endianness problem for softmmu, and moves
the main loop out of a macro and into an inlined function.
Backports commit d4f75f25b43041e7a46d12352b3c70ae457d8cea from qemu
This fixes the endianness problem for softmmu, and moves the
main loop out of a macro and into an inlined function
Backports commit 9fd46c8362e0a45d04ccceae7051d06dd65c1d57 from qemu
Use the same *_tlb primitives as we use for ld1.
For linux-user, this hoists the set of helper_retaddr. For softmmu,
hoists the computation of the current mmu_idx outside the loop,
fixes the endianness problem, and moves the main loop out of a
macro and into an inlined function.
Backports commit f27d4dc2af0de9b7b45c955882b8420905c6efe8 from qemu
Uses tlb_vaddr_to_host for correct operation with softmmu.
Optimize for accesses within a single page or pair of pages.
Backports commit 9123aeb6fcb14e0955ebe4e2a613802cfa0503ea from qemu
The 16-byte load only uses 16 predicate bits. But while
reusing the other load infrastructure, we find other bits
that are set and trigger an assert. To avoid this and
retain the assert, zero-extend the predicate that we pass
to the LD1 helper.
Backports commit 2a99ab2b3545133961de034df27e24f4c22e3707 from qemu
Use the existing helpers to determine if (1) the fpu is enabled,
(2) sve state is enabled, and (3) the current sve vector length.
Backports commit ced3155141755ba244c988c72c4bde32cc819670 from qemu
SVE vector length can change when changing EL, or when writing
to one of the ZCR_ELn registers.
For correctness, our implementation requires that predicate bits
that are inaccessible are never set. Which means noticing length
changes and zeroing the appropriate register bits.
Backports commit 0ab5953b00b3165877d00cf75de628c51670b550 from qemu
We are going to want to determine whether sve is enabled
for EL other than current.
Backports commit 2de7ace292cf7846b0cda0e940272d2cb0e06859 from qemu
Check for EL3 before testing CPTR_EL3.EZ. Return 0 when the exception
should be routed via AdvSIMDFPAccessTrap. Mirror the structure of
CheckSVEEnabled more closely.
Fixes: 5be5e8eda78
Backports commit 60eed0869d68b91eff71cc0a0facb01983726a5d from qemu
Given that the only field defined for this new register may only
be 0, we don't actually need to change anything except the name.
Backports commit 9516d7725ec1deaa6ef5ccc5a26d005650d6c524 from qemu
A cut-and-paste error meant we were reading r4 from the v8M
callee-saves exception stack frame twice. This is harmless
since it just meant we did two memory accesses to the same
location, but it's unnecessary. Delete it.
Backports commit e5ae4d0c063fbcca4cbbd26bcefbf1760cfac2aa from qemu
In v7m_exception_taken() we were incorrectly using a
"LR bit EXCRET.ES is 1" check when it should be 0
(compare the pseudocode ExceptionTaken() function).
This meant we didn't stack the callee-saved registers
when tailchaining from a NonSecure to a Secure exception.
Backports commit 7b73a1ca05b33d42278ce29cea4652e22d408165 from qemu
* Prevents abort with m68K
Raises exception instead
* M68K remove one uses of abort
* Less aborts and logs instead for M68K
Backports commit 910999d3969b682d8376db1266f9885866cd785c from unicorn
This patch fixes the checking of boundary crossing instructions.
In icount mode only first instruction of the block may cross
the page boundary to keep the translation deterministic.
These conditions already existed, but compared the wrong variable.
Backports commit 41d54dc09f1f327dedc79d5ba0b1b437ab7b0e94 from qemu
This flag will be used for KVM's nested VMX migration; the HF_GUEST_MASK name
is already used in KVM, adopt it in QEMU as well.
Backports commit f8dc4c645ec2956a6cd97e0ca0fdd4753181f735 from qemu
Interrupt handling depends on various flags in env->hflags or env->hflags2,
and the exact detail were not exactly replicated between x86_cpu_has_work
and x86_cpu_exec_interrupt. Create a new function that extracts the
highest-priority non-masked interrupt, and use it in both functions.
Backports commit 92d5f1a4147c3722b5e9a8bcfb7dc261b7a8b855 from qemu
The ARMv8 architecture defines that an AArch32 CPU starts
in SVC mode, unless EL2 is the highest available EL, in
which case it starts in Hyp mode. (In ARMv7 a CPU with EL2
but not EL3 was not a valid configuration, but we don't
specifically reject this if the user asks for one.)
Backports commit 060a65df056a5d6ca3a6a91e7bf150ca1fbccddf from qemu
Not only are the sve-related tb_flags fields unused when SVE is
disabled, but not all of the cpu registers are initialized properly
for computing same. This can corrupt other fields by ORing in -1,
which might result in QEMU crashing.
This bug was not present in 3.0, but this patch is cc'd to
stable because adf92eab90e3f5f34c285 where the bug was
introduced was marked for stable.
Backports commit e79b445d896deb61909be52b61b87c98a9ed96f7 from qemu
This was intentionally broken to make updating qemu as quick as possible
when it was woefully out of date, particularly because the interface of
qemu's TCG changed quite a bit, so this code would have needed to be
changed anyways.
Now that qemu is up to date for this variant of Unicorn, we can repair
this functionality and also--and I put massive emphasis on this, since
this wasn't done in the original Unicorn repo--*actually document what
the heck we're doing in this case*, so it's not a pain to change in the
future if we actually need to do that. It makes it much, much, simpler
for people not involved with qemu to understand what is going on in this
case.
These used to be necessary, as the relevant variables used to be void*,
thus making the casts necessary. Given they were changed to concrete
types over the course of backporting, these are unnecessary.
Adds SYSENTER to the whitelist of supported hookable instructions in unicorn
as well as fixes up the existing sysenter_hook_x86 regression test which was
previously failing
Fixesunicorn-engine/unicorn#995
Backports commit 0f14c473445661a633ca5bda3a91ba1a87c35c64 from unicorn
Update BadInstr and BadInstrX registers for nanoMIPS. The same
support for pre-nanoMIPS remains unimplemented.
Backports commit 7a5f784aa215df6bf5d674b4003f8df43bf3b2d4 from qemu
Use bits from configuration registers for availability control
of MT ASE instructions, rather than only ISA_MT bit in insn_flags.
This is done by adding a field in hflags for MT bit, and adding
functions check_mt() and check_cp0_mt().
Backports commit 9affc1c59279f482ff145e0371926f79b6448e3e from qemu
Implement support for nanoMIPS LLWP/SCWP instructions. Beside
adding core functionality of these instructions, this patch adds
support for availability control via configuration bit XNP.
Backports commit 0b16dcd180bdbe3add9edea42c2374d427882661 from qemu
Add CP0_Config3 and CP0_Config5 to DisasContext structure. This is
needed for implementing availability control of various instructions.
Backports commit ab77fc611bf004dfd25ecad5b2c11261e32012e9 from qemu
Implement emulation of nanoMIPS EXTW instruction. EXTW instruction
is similar to the MIPS r6 ALIGN instruction, except that it counts
the other way and in bits instead of bytes. We therefore generalise
gen_align() function into a new gen_align_bits() function (which
counts in bits instead of bytes and optimises when bits = size of
the word), and implement gen_align() and a new gen_ext() based on
that. Since we need to know the word size to check for when the
number of bits == the word size, the opc argument is replaced with
a wordsz argument (either 32 or 64).
Backports commit 821f2008c3c708e0e33158039ab55673a0f04519 from qemu
Added a helper for ROTX based on the pseudocode from the
architecture spec. This instraction was not present in previous
MIPS instruction sets.
Backports commit e222f5067269392af489731221750976d0cf3c05 from qemu
Add emulation of nanoMIPS instructions situated in pool p_lsx, and
emulation of LSA instruction as well.
Backports commit eac5266459fb83e70fbf33f95c7c846f89df5c6a from qemu
Add emulation of SAVE16 and RESTORE.JRC16 instructions. Routines
gen_save(), gen_restore(), and gen_adjust_sp() are provided to support
this feature.
This patch at the same time provides function gen_op_addr_addi(). This
function will be used in emulation of some other nanoMIPS instructions.
Backports commit bf0718c59a4b27dd01346a7b5b9a183ed1b18fb7 from qemu
Add empty body and invocation of decode_nanomips_opc() if the bit
ISA_NANOMIPS32 is set in ctx->insn_flags.
Backports commit c533c0f4741be62501ef6c7f6ce77ffbfc2e4964 from qemu
Only if Config3.ISA is 3 (microMIPS), the mode should be switched in
cpu_state_reset(). Config3.ISA is 1 for nanoMIPS processors, and no mode
change should happen.
Backports commit 0bbc0396809f6caaaf96863dafe738e94f9b73ea from qemu
Add nanoMIPS opcodes. nanoMIPS instruction are organized by so-called
instruction pools. Each pool contains a set of opcodes, that in turn
can be instruction opcodes or instruction pool opcodes.
Backports commit 261c95a0e98e5e9b13c9c005a991b7e7dc27f38a from qemu
Following the bulk conversion of the iwMMXt code, there are
just a handful of hard coded tabs in target/arm; fix them.
This is a whitespace-only patch.
Backports commit 6e0fafe2ef02378c696e7cf84ef41511e3b3b81a from qemu
Untabify the arm iwmmxt_helper.c. This affects only the iwMMXt code.
We've never touched that code in years, so it's not going to get
fixed up by our "change when touched" process, and a bulk change is
not going to be too disruptive.
This commit was produced using Emacs "untabify" (plus one
by-hand removal of a space to fix a checkpatch nit); it is
a whitespace-only change.
Backports commit 67aed15551f9814712d5ac25a155919b34fbd627 from qemu
On 32-bit exception entry, CPSR.J must always be set to 0
(see v7A Arm ARM DDI0406C.c B1.8.5). CPSR.IL must also
be cleared on 32-bit exception entry (see v8A Arm ARM
DDI0487C.a G1.10).
Clear these bits. (This fixes a bug which will never be noticed
by non-buggy guests.)
Backports commit 829f9fd394ab082753308cbda165c13eaf8fae49 from qemu
Factor out the code which changes the CPU state so as to
actually take an exception to AArch32. We're going to want
to use this for handling exception entry to Hyp mode.
Backports commit dea8378bb3e86f2c6bd05afb3927619f7c51bb47 from qemu
The AArch32 HCR and HCR2 registers alias HCR_EL2
bits [31:0] and [63:32]; implement them.
Since HCR2 exists in ARMv8 but not ARMv7, we need new
regdef arrays for "we have EL3, not EL2, we're ARMv8"
and "we have EL2, we're ARMv8" to hold the definitions.
Backports commit ce4afed8396aabaf87cd42fbe8a4c14f7a9d5c10 from qemu
The v8 AArch32 HACTLR2 register maps to bits [63:32] of ACTLR_EL2.
We implement ACTLR_EL2 as RAZ/WI, so make HACTLR2 also RAZ/WI.
(We put the regdef next to ACTLR_EL2 as a reminder in case we
ever make ACTLR_EL2 something other than RAZ/WI).
Backports commit 0e0456ab8895a5e85998904549e331d36c2692a5 from qemu
The current implementation has three bugs,
* segment limits are not enforced in protected mode if the L bit is set
in the target segment descriptor
* segment limits are not enforced in compatibility mode (ljmp to 32-bit
code segment in long mode)
* #GP(new_cs) is generated rather than #GP(0)
Now the segment limits are enforced if we're not in long mode OR the
target code segment doesn't have the L bit set.
Backports commit db7196db5d5d932f388643baae6835f8dcda6921 from qemu
Currently call gates are always treated as 32-bit gates. In IA-32e mode
(either compatibility or 64-bit submode), system segment descriptors are
always 64-bit. Treating them as 32-bit has the expected unfortunate
effect: only the lower 32 bits of the offset are loaded, the stack
pointer is truncated, a bad new stack pointer is loaded from the TSS (if
switching privilege levels), etc.
This change adds support for 64-bit call gate to the lcall and ljmp
instructions. Additionally, there should be a check for non-canonical
stack pointers, but I've omitted that since there doesn't seem to be
checks for non-canonical addresses in this code elsewhere.
I've left the raise_exception_err_ra lines unwapped at 80 columns to
match the style in the rest of the file.
Backports commit 0aca060526d3ff9632aaed66e8611814580c13de from qemu
ARMv7VE introduced the ERET instruction, which is necessary to
return from an exception taken to Hyp mode. Implement this.
In A32 encoding it is a completely new encoding; in T32 it
is an adjustment of the behaviour of the existing
"SUBS PC, LR, #<imm8>" instruction.
Backports commit 55c544ed2709bd202e71e77ddfe3ea0327852211 from qemu
The MSR (banked) and MRS (banked) instructions allow accesses to ELR_Hyp
from either Monitor or Hyp mode. Our translate time check
was overly strict and only permitted access from Monitor mode.
The runtime check we do in msr_mrs_banked_exc_checks() had the
correct code in it, but never got there because of the earlier
"currmode == tgtmode" check. Special case ELR_Hyp.
Backports commit aec4dd09f172ee64c19222b78269d5952fd9c1dc from qemu
The AArch32 HSR is the equivalent of AArch64 ESR_EL2;
we can implement it by marking our existing ESR_EL2 regdef
as STATE_BOTH. It also needs to be "RES0 from EL3 if
EL2 not implemented", so add the missing stanza to
el3_no_el2_cp_reginfo.
Backports commit 68e78e332cb1c3f8b0317a0443acb2b5e190f0dd from qemu
The AArch32 virtualization extensions support these fault address
registers:
* HDFAR: aliased with AArch64 FAR_EL2[31:0] and AArch32 DFAR(S)
* HIFAR: aliased with AArch64 FAR_EL2[63:32] and AArch32 IFAR(S)
Implement the accessors for these. This fixes in passing a bug
where we weren't implementing the "RES0 from EL3 if EL2 not
implemented" behaviour for AArch64 FAR_EL2.
Backports commit cba517c31e7df8932c4473c477a0f01d8a0adc48 from qemu
Implement the AArch32 HVBAR register; we can do this just by
making the existing VBAR_EL2 regdefs be STATE_BOTH.
Backports commit d79e0c0608899428281a17c414ccf1a82d86ab85 from qemu
ARMCPRegInfo structs will default to .cp = 15 if they
are ARM_CP_STATE_BOTH, but not if they are ARM_CP_STATE_AA32
(because a coprocessor number of 0 is valid for AArch32).
We forgot to explicitly set .cp = 15 for the HMAIR1 and
HAMAIR1 regdefs, which meant they would UNDEF when the guest
tried to access them under cp15.
Backports commit b5ede85bfb7ba1a8f6086494c82f400b29969f65 from qemu
We implement the HAMAIR1 register as RAZ/WI; we had a typo in the
regdef, though, and were incorrectly naming it HMAIR1 (which is
a different register which we also implement as RAZ/WI).
Backports commit 55b53c718b2f684793eeefcf1c1a548ee97e23aa from qemu
If an instruction is conditional (like CBZ) and it is executed
conditionally (using the ITx instruction), a jump to an undefined
label is generated, and QEMU crashes.
CBZ in IT block is an UNPREDICTABLE behavior, but we should not
crash. Honouring the condition code is allowed by the spec in this
case (constrained unpredictable, ARMv8, section K1.1.7), and matches
what we do for other "UNPREDICTABLE inside an IT block" instructions.
Fix the 'skip on condition' code to create a new label only if it
does not already exist. Previously multiple labels were created, but
only the last one of them was set.
Backports commit c2d9644e6d517170bf6520f633628259a8460d48 from qemu
