Commit graph

2633 commits

Author SHA1 Message Date
Richard Henderson d248e38ec7 target/arm: Check PAGE_WRITE_ORG for MTE writeability
We can remove PAGE_WRITE when (internally) marking a page
read-only because it contains translated code.

This can be triggered by tests/tcg/aarch64/bti-2, after
having serviced SIGILL trampolines on the stack.

Backports ff38bca7d633868ac094ef86f3b246e8f57181d4
2021-04-19 11:52:58 -04:00
Richard Henderson 988bf2f458 target/i386: Verify memory operand for lcall and ljmp
These two opcodes only allow a memory operand.

Lacking the check for a register operand, we used the A0 temp
without initialization, which led to a tcg abort.

Backports 10b8eb94c0902b58d83df84a9eeae709a3480e82
2021-04-01 16:04:05 -04:00
Peter Maydell 82ce9221a0 target/arm: Make number of counters in PMCR follow the CPU
Currently we give all the v7-and-up CPUs a PMU with 4 counters. This
means that we don't provide the 6 counters that are required by the
Arm BSA (Base System Architecture) specification if the CPU supports
the Virtualization extensions.

Instead of having a single PMCR_NUM_COUNTERS, make each CPU type
specify the PMCR reset value (obtained from the appropriate TRM), and
use the 'N' field of that value to define the number of counters
provided.

This means that we now supply 6 counters for Cortex-A53, A57, A72,
A15 and A9 as well as '-cpu max'; Cortex-A7 and A8 stay at 4; and
Cortex-R5 goes down to 3.

Note that because we now use the PMCR reset value of the specific
implementation, we no longer set the LC bit out of reset. This has
an UNKNOWN value out of reset for all cores with any AArch32 support,
so guest software should be setting it anyway if it wants it.

Backports f7fb73b8cdd3f77e26f9fcff8cf24ff1b58d200f
2021-03-30 15:30:31 -04:00
Peter Maydell 250e263ae3 target/arm: Make M-profile VTOR loads on reset handle memory aliasing
For Arm M-profile CPUs, on reset the CPU must load its initial PC and
SP from a vector table in guest memory. Because we can't guarantee
reset ordering, we have to handle the possibility that the ROM blob
loader's reset function has not yet run when the CPU resets, in which
case the data in an ELF file specified by the user won't be in guest
memory to be read yet.

We work around the reset ordering problem by checking whether the ROM
blob loader has any data for the address where the vector table is,
using rom_ptr(). Unfortunately this does not handle the possibility
of memory aliasing. For many M-profile boards, memory can be
accessed via multiple possible physical addresses; if the board has
the vector table at address X but the user's ELF file loads data via
a different address Y which is an alias to the same underlying guest
RAM then rom_ptr() will not find it.

Use the new rom_ptr_for_as() function, which deals with memory
aliasing when locating a relevant ROM blob.

Backports 75ce72b785a7c9fcb9af2779854142a34825da59
2021-03-30 15:24:23 -04:00
Georg Kotheimer 83116e69b5 target/riscv: Prevent lost illegal instruction exceptions
When decode_insn16() fails, we fall back to decode_RV32_64C() for
further compressed instruction decoding. However, prior to this change,
we did not raise an illegal instruction exception, if decode_RV32_64C()
fails to decode the instruction. This means that we skipped illegal
compressed instructions instead of raising an illegal instruction
exception.

Instead of patching decode_RV32_64C(), we can just remove it,
as it is dead code since f330433b363 anyway.

Backports 9a27f69bd668d9d71674407badc412ce1231c7d5
2021-03-30 15:23:00 -04:00
Georg Kotheimer a1edab5abf target/riscv: Add proper two-stage lookup exception detection
The current two-stage lookup detection in riscv_cpu_do_interrupt falls
short of its purpose, as all it checks is whether two-stage address
translation either via the hypervisor-load store instructions or the
MPRV feature would be allowed.

What we really need instead is whether two-stage address translation was
active when the exception was raised. However, in riscv_cpu_do_interrupt
we do not have the information to reliably detect this. Therefore, when
we raise a memory fault exception we have to record whether two-stage
address translation is active.

Backports ec352d0cab58a7bf66019057d0dfcffd9e7785a8
2021-03-30 15:21:26 -04:00
Georg Kotheimer d18b402732 target/riscv: Fix read and write accesses to vsip and vsie
The previous implementation was broken in many ways:
- Used mideleg instead of hideleg to mask accesses
- Used MIP_VSSIP instead of VS_MODE_INTERRUPTS to mask writes to vsie
- Did not shift between S bits and VS bits (VSEIP <-> SEIP, ...)

Backports 9d5451e077cd84809bcdf460c39b5f4fec17fc79
2021-03-30 15:16:10 -04:00
Georg Kotheimer e74588a57f target/riscv: Use background registers also for MSTATUS_MPV
The current condition for the use of background registers only
considers the hypervisor load and store instructions,
but not accesses from M mode via MSTATUS_MPRV+MPV.

Backports db9ab38b81058b41e5f469165067feea46762eee
2021-03-30 15:14:13 -04:00
Georg Kotheimer a392976e77 target/riscv: Make VSTIP and VSEIP read-only in hip
Backports e89b631cf44d590dbd2c250358f4130f64b5d890
2021-03-30 15:13:20 -04:00
Georg Kotheimer eb778614fb target/riscv: Adjust privilege level for HLV(X)/HSV instructions
According to the specification the "field SPVP of hstatus controls the
privilege level of the access" for the hypervisor virtual-machine load
and store instructions HLV, HLVX and HSV.

Backports 90ec1cff768fcbe1fa2870d2018f378376f4f744
2021-03-30 15:10:49 -04:00
Jim Shu 85ccd1a71e target/riscv: flush TLB pages if PMP permission has been changed
If PMP permission of any address has been changed by updating PMP entry,
flush all TLB pages to prevent from getting old permission.

Backports 2c2e0f2842520bcd25472285cfce39696e52e662
2021-03-30 15:09:12 -04:00
Jim Shu 7dad65cea1 target/riscv: add log of PMP permission checking
Like MMU translation, add qemu log of PMP permission checking for
debugging.

Backports 663e119317d77780949830226f5575305405ab75
2021-03-30 15:07:52 -04:00
Jim Shu d1ee86a6b2 target/riscv: propagate PMP permission to TLB page
Currently, PMP permission checking of TLB page is bypassed if TLB hits.
Fix it by propagating PMP permission to TLB page permission.

PMP permission checking also uses MMU-style API to change TLB permission
and size.

Backports b297129ae19e26d3cc0e376d2bfc33d76b06d83b
2021-03-30 15:05:40 -04:00
Frank Chang da652cb603 target/riscv: fix vs() to return proper error code
vs() should return -RISCV_EXCP_ILLEGAL_INST instead of -1 if rvv feature
is not enabled.

If -1 is returned, exception will be raised and cs->exception_index will
be set to the negative return value. The exception will then be treated
as an instruction access fault instead of illegal instruction fault.

Backports 5e437d3ccdccfd85f6e69ca60f921be2dab62c3c
2021-03-30 14:59:37 -04:00
Richard Henderson ebacc7febd target/arm: Update sve reduction vs simd_desc
With the reduction operations, we intentionally increase maxsz to
the next power of 2, so as to fill out the reduction tree correctly.
Since e2e7168a214b, oprsz must equal maxsz, with exceptions for small
vectors, so this triggers an assertion for vector sizes > 32 that are
not themselves a power of 2.

Pass the power-of-two value in the simd_data field instead.

Backports c648c9b7e1ccff94b51ecbebe86a206952c47e75
2021-03-30 14:44:53 -04:00
Richard Henderson 1b05fd82b7 target/arm: Update WHILE for PREDDESC
Since b64ee454a4a0, all predicate operations should be
using these field macros for predicates.

Backports e610906c56f98c76888d45beb7f579935dd61a70
2021-03-30 14:42:40 -04:00
Richard Henderson c374bdc9ca target/arm: Update CNTP for PREDDESC
Since b64ee454a4a0, all predicate operations should be
using these field macros for predicates.

Backports f556a201b5bbeb59841b37247969fcfc1ab7bd5d
2021-03-30 14:41:01 -04:00
Richard Henderson 7e26827ea5 target/arm: Update BRKA, BRKB, BRKN for PREDDESC
Since b64ee454a4a0, all predicate operations should be
using these field macros for predicates.

Backports 04c774a25da78eb07d505ee5923167c2010b9f8c
2021-03-30 14:38:02 -04:00
Richard Henderson 452891c530 target/arm: Update find_last_active for PREDDESC
Since b64ee454a4a0, all predicate operations should be
using these field macros for predicates.

Backports 2acbfbe4313daf43b6653ee5d82bcaeaa155e895
2021-03-30 14:34:12 -04:00
Richard Henderson e7cec52fac target/arm: Fix sve_punpk_p vs odd vector lengths
Wrote too much with punpk1 with vl % 512 != 0.

Backports fd911a21414b5a17663fa2b97f1059fb11cee99d
2021-03-30 14:32:44 -04:00
Richard Henderson 78c016ef83 target/arm: Fix sve_zip_p vs odd vector lengths
Wrote too much with low-half zip (zip1) with vl % 512 != 0.

Adjust all of the x + (y << s) to x | (y << s) as a style fix.

We only ever have exact overlap between D, M, and N. Therefore
we only need a single temporary, and we do not need to check for
partial overlap.

Backports 8e7fefed1bdcc0f7e722ccf2a2fc2b4f79fe725e
2021-03-30 14:29:33 -04:00
Richard Henderson 1aed8cee64 target/arm: Fix sve_uzp_p vs odd vector lengths
Missed out on compressing the second half of a predicate
with length vl % 512 > 256.

Adjust all of the x + (y << s) to x | (y << s) as a
general style fix. Drop the extract64 because the input
uint64_t are known to be already zero-extended from the
current size of the predicate.

Backports 226e6c046c0fce8da32575aad020ca56a5a8064d
2021-03-30 14:27:58 -04:00
Mark Cave-Ayland 9777741703 target/m68k: add M68K_FEATURE_UNALIGNED_DATA feature
According to the M68040UM Appendix D the requirement for data accesses to be
word aligned is only for the 68000, 68008 and 68010 CPUs. Later CPUs from the
68020 onwards will allow unaligned data accesses but at the cost of being less
efficient.

Add a new M68K_FEATURE_UNALIGNED_DATA feature to specify that data accesses are
not required to be word aligned, and don't perform the alignment on the stack
pointer when taking an exception if this feature is not selected.

This is required because the MacOS DAFB driver attempts to call an A-trap
with a byte-aligned stack pointer during initialisation and without this the
stack pointer is off by one when the A-trap returns.

Backports a9431a03f70c8c711a870d4c1a0439bdbb4703cf
2021-03-12 14:55:43 -05:00
Lucien Murray-Pitts 7d5dfd6b53 m68k: add MSP detection support for stack pointer swap helpers
On m68k there are two varieties of stack pointers: USP with SSP or ISP/MSP.

Only the 68020/30/40 support the MSP register; the stack swap helpers don't
support this feature.

This patch adds this support, as well as comments to CPUM68KState to
make it clear how stacks are handled.

Backports 7525a9b94c0c5733b8450c9451ca1de334f71ed8
2021-03-12 14:53:48 -05:00
Lucien Murray-Pitts f0846b7c34 m68k: MOVEC insn. should generate exception if wrong CR is accessed
Add CPU class detection for each CR type in the m68k_move_to/from helpers,
so that it throws an exception if an unsupported register is requested
for that CPU class.

Reclassified MOVEC insn. as only supported from 68010.

Backports 8df0e6aedad33c6746f4bc2a4d0cfdd432877084
2021-03-12 14:50:16 -05:00
Lucien Murray-Pitts 0e992c16fd m68k: add missing BUSCR/PCR CR defines, and BUSCR/PCR/CAAR CR to m68k_move_to/from
The BUSCR/PCR CR defines were missing for 68060, and the move_to/from helper
functions were also missing a decode for the 68060 M68K_CR_CAAR CR register.

Added missing defines, and respective decodes for all three CR registers to
the helpers.

Although this patch defines them, the implementation is empty in this patch
and these registers will result in a cpu abort - which is the default prior
to this patch.

This patch aims to reach full coverage of all CR registers within the helpers.

Backports 5736526ce2da32205022b10dcdf9807e735e451a
2021-03-12 14:40:00 -05:00
Lucien Murray-Pitts c6d5eea686 m68k: improve comments on m68k_move_to/from helpers
Add more detailed comments to each case of m68k_move_to/from helpers to list
the supported CPUs for that CR as they were wrong in some cases, and
missing some cpu classes in other cases.

Backports 60d8e96453d090f71027f95e47e5ddbe17f670e3
2021-03-12 14:38:49 -05:00
Lucien Murray-Pitts 32e9e17576 m68k: improve cpu instantiation comments
Improvement in comments for the instantiation functions.
This is to highlight what each cpu class, in the 68000 series, contains
in terms of instructions/features.

Backports ee2fc6c6da8b2d6f961c8559d62e990c65f67736
2021-03-12 14:34:21 -05:00
Mark Cave-Ayland 8f391fe579 target/m68k: reformat m68k_features enum
Move the feature comment from after the feature name to the preceding line to
allow for longer feature names and descriptions without hitting the 80
character line limit.

Backports 469949c90252d80693aa70652d8251d1d602557e
2021-03-12 14:31:23 -05:00
Mark Cave-Ayland 0be85bf91a target/m68k: don't set SSW ATC bit for physical bus errors
If a NuBus slot doesn't contain a card, the Quadra hardware generates a physical
bus error if the CPU attempts to access the slot address space. Both Linux and
MacOS use a separate bus error handler during NuBus accesses in order to detect
and recover when addressing empty slots.

According to the MC68040 users manual the ATC bit of the SSW is used to
distinguish between ATC faults and physical bus errors. MacOS specifically checks
the stack frame generated by a NuBus error and panics if the SSW ATC bit is set.

Update m68k_cpu_transaction_failed() so that the SSW ATC bit is not set if the
memory API returns MEMTX_DECODE_ERROR which will be used to indicate that an
access to an empty NuBus slot occurred.

Backports d6cbd8f7a19e6f0fd22a598aad992c4913f481f2
2021-03-12 14:29:37 -05:00
Laurent Vivier 945dd6fba9 target/m68k: implement rtr instruction
This is needed to boot MacOS ROM.

Pull the condition code and the program counter from the stack.

Operation:

(SP) -> CCR
SP + 2 -> SP
(SP) -> PC
SP + 4 -> SP

This operation is not privileged.

Backports 6abcec36741e589c855084e59195fc3454bf4be6
2021-03-12 14:28:33 -05:00
Atish Patra e54d0916ef target/riscv/pmp: Raise exception if no PMP entry is configured
As per the privilege specification, any access from S/U mode should fail
if no pmp region is configured.

Backports d102f19a2085ac931cb998e6153b73248cca49f1
2021-03-08 15:39:55 -05:00
Alistair Francis 037b9e3bd1 target/riscv: csr: Remove compile time XLEN checks
Backports 8987cdc48120c268568cdf87ba38591809d3efd1
2021-03-08 15:34:30 -05:00
Alistair Francis 90abfa7c11 target/riscv: cpu_helper: Remove compile time XLEN checks
Backports f08c7ff3dc552d423439284a725f384b85b99062
2021-03-08 15:29:13 -05:00
Alistair Francis ea716ff2db target/riscv: Add a riscv_cpu_is_32bit() helper function
Backports 51ae0cabc67c418264d5ae28214603aabc88b9b6
2021-03-08 15:26:57 -05:00
Alistair Francis 5973588ac0 target/riscv: fpu_helper: Match function defs in HELPER macros
Update the function definitions generated in helper.h to match the
actual function implementations.

Also remove all compile time XLEN checks when building.

Backports 5b6c291b8db8effff625db321be232e0c4dcdb6c
2021-03-08 15:25:30 -05:00
Alistair Francis 19c937f2cc target/riscv: Add a TYPE_RISCV_CPU_BASE CPU
Backports c0a635f3973d974befb954463287786fd988bb64
2021-03-08 15:18:00 -05:00
Alex Richardson 8e4e0a6993 target/riscv: Fix definition of MSTATUS_TW and MSTATUS_TSR
The TW and TSR fields should be bits 21 and 22 and not 30/29.
This was found while comparing QEMU behaviour against the sail formal
model (https://github.com/rems-project/sail-riscv/).

Backports 529577457cbba9e429af629c46204f63e50fa832
2021-03-08 15:16:50 -05:00
Yifei Jiang c50f8c9d93 target/riscv: Fix the bug of HLVX/HLV/HSV
We found that the hypervisor virtual-machine load and store instructions,
including HLVX/HLV/HSV, couldn't access guest userspace memory.

In the riscv-privileged spec, HLVX/HLV/HSV is defined as follows:
"As usual when V=1, two-stage address translation is applied, and
the HS-level sstatus.SUM is ignored."

But get_physical_address() doesn't ignore sstatus.SUM, when HLVX/HLV/HSV
accesses guest userspace memory. So this patch fixes it.

Backports c63ca4ff7f81116c26984973052991ff0bd7caec
2021-03-08 15:16:06 -05:00
Alistair Francis 416b2a0077 target/riscv: Split the Hypervisor execute load helpers
Split the hypervisor execute load functions into two separate functions.
This avoids us having to pass the memop to the C helper functions.

Backports 7687537ab0c16e0b1e69e7707456573a64b8e13b
2021-03-08 15:14:47 -05:00
Alistair Francis 4762dcda3c target/riscv: Remove the hyp load and store functions
Remove the special Virtualisation load and store functions and just use
the standard tcg tcg_gen_qemu_ld_tl() and tcg_gen_qemu_st_tl() functions
instead.

As part of this change we ensure we still run an access check to make
sure we can perform the operations.

Backports 743077b35b1ed88ed243daefafe9403d88a958f6
2021-03-08 15:11:11 -05:00
Alistair Francis bd81c057ed target/riscv: Remove the HS_TWO_STAGE flag
The HS_TWO_STAGE flag is no longer required as the MMU index contains
the information if we are performing a two stage access.

Backports 1c1c060aa866986ef8b7eb334abbb8c104a46e5c
2021-03-08 15:03:15 -05:00
Alistair Francis e5a9b8fc17 target/riscv: Set the virtualised MMU mode when doing hyp accesses
When performing the hypervisor load/store operations set the MMU mode to
indicate that we are virtualised.

Backports 3e5979046f3f5f65828d3950d0c3ec9846d63715
2021-03-08 14:57:58 -05:00
Alistair Francis a998c18ad8 target/riscv: Add a virtualised MMU Mode
Add a new MMU mode that includes the current virt mode.

Backports c445593d30037d0c82241e8ec23eb845bca476e9
2021-03-08 14:56:14 -05:00
Xinhao Zhang 757608b77c target/riscv/csr.c : add space before the open parenthesis '('
Fix code style. Space required before the open parenthesis '('.

Backports 422819776101520cb56658ee5facf926526cf870
2021-03-08 14:54:03 -05:00
Yifei Jiang 9d47840784 target/riscv: Merge m/vsstatus and m/vsstatush into one uint64_t unit
mstatus/mstatush and vsstatus/vsstatush are two halved for RISCV32.
This patch expands mstatus and vsstatus to uint64_t instead of
target_ulong so that it can be saved as one unit and reduce some
ifdefs in the code.

Backports 284d697c74ef3f4210cbccc5cd6b4894740e4ab3
2021-03-08 14:52:44 -05:00
Yifei Jiang 281d851303 target/riscv: raise exception to HS-mode at get_physical_address
VS-stage translation at get_physical_address needs to translate pte
address by G-stage translation. But the G-stage translation error
can not be distinguished from VS-stage translation error in
riscv_cpu_tlb_fill. On migration, destination needs to rebuild pte,
and this G-stage translation error must be handled by HS-mode. So
introduce TRANSLATE_STAGE2_FAIL so that riscv_cpu_tlb_fill could
distinguish and raise it to HS-mode.

Backports 33a9a57d2c31ec9ed68858911dc490b5de15f342
2021-03-08 14:43:00 -05:00
Georg Kotheimer d2cea344f0 target/riscv: Fix implementation of HLVX.WU instruction
The HLVX.WU instruction is supposed to read a machine word,
but prior to this change it read a byte instead.

Fixes: 8c5362acb57 ("target/riscv: Allow generating hlv/hlvx/hsv instructions")

Backports 1da46012eaaeb2feb3aa6a5a8fc0a03200b673aa
2021-03-08 14:40:28 -05:00
Georg Kotheimer 7351f09919 target/riscv: Fix update of hstatus.GVA in riscv_cpu_do_interrupt
The hstatus.GVA bit was not set if the faulting guest virtual address
was zero.

Backports 4aeb9e26c219a85f465eb2cc7ef6939a3c71944f
2021-03-08 14:39:31 -05:00
Georg Kotheimer 640a26bf58 target/riscv: Fix update of hstatus.SPVP
When trapping from virt into HS mode, hstatus.SPVP was set to
the value of sstatus.SPP, as according to the specification both
flags should be set to the same value.
However, the assignment of SPVP takes place before SPP itself is
updated, which results in SPVP having an outdated value.

Backports ace544532c4064e995ef69ec9dc93aad62e19988
2021-03-08 14:38:23 -05:00