* [Qemu-devel] [PULL 00/13] target-arm queue
@ 2017-10-12 16:03 Peter Maydell
From: Peter Maydell @ 2017-10-12 16:03 UTC (permalink / raw)
  To: qemu-devel

target-arm queue:
 * mostly my latest v8M stuff, plus a couple of minor patches

The following changes since commit a0b261db8c030813e30a39eae47359ac2a37f7e2:

  Merge remote-tracking branch 'remotes/ehabkost/tags/python-next-pull-request' into staging (2017-10-12 10:02:09 +0100)

are available in the git repository at:

  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20171012

for you to fetch changes up to cf5f7937b05c84d5565134f058c00cd48304a117:

  nvic: Fix miscalculation of offsets into ITNS array (2017-10-12 16:33:16 +0100)

----------------------------------------------------------------
target-arm queue:
 * v8M: SG, BLXNS, secure-return
 * v8M: fixes for coverity issues in previous patches
 * arm: fix armv7m_init() declaration to match definition
 * watchdog/aspeed: fix variable type to store reload value

----------------------------------------------------------------
Cédric Le Goater (1):
      watchdog/aspeed: fix variable type to store reload value

Igor Mammedov (1):
      arm: fix armv7m_init() declaration to match definition

Peter Maydell (11):
      target/arm: Add M profile secure MMU index values to get_a32_user_mem_index()
      target/arm: Implement SG instruction
      target/arm: Implement BLXNS
      target/arm: Implement secure function return
      target-arm: Don't check for "Thumb2 or M profile" for not-Thumb1
      target/arm: Pull Thumb insn word loads up to top level
      target-arm: Simplify insn_crosses_page()
      target/arm: Support some Thumb insns being always unconditional
      target/arm: Implement SG instruction corner cases
      nvic: Add missing 'break'
      nvic: Fix miscalculation of offsets into ITNS array

 include/hw/arm/arm.h     |   2 +-
 target/arm/helper.h      |   1 +
 target/arm/internals.h   |   8 ++
 hw/intc/armv7m_nvic.c    |   5 +-
 hw/watchdog/wdt_aspeed.c |   4 +-
 target/arm/helper.c      | 306 ++++++++++++++++++++++++++++++++++++++++++++--
 target/arm/translate.c   | 310 ++++++++++++++++++++++++++++++++---------------
 7 files changed, 521 insertions(+), 115 deletions(-)


* [Qemu-devel] [PULL 01/13] watchdog/aspeed: fix variable type to store reload value
From: Peter Maydell @ 2017-10-12 16:03 UTC (permalink / raw)
  To: qemu-devel

From: Cédric Le Goater <clg@kaod.org>

Initially from Anton D. Kachalov <mouse@yandex-team.ru> but the SoB was
missing.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Acked-by: Andrew Jeffery <andrew@aj.id.au>
Message-id: 20170920064915.30027-1-clg@kaod.org
[clg: change commit log and subject
      replace UL suffix by ULL ]
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/watchdog/wdt_aspeed.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/watchdog/wdt_aspeed.c b/hw/watchdog/wdt_aspeed.c
index 22bce36..95f6ad1 100644
--- a/hw/watchdog/wdt_aspeed.c
+++ b/hw/watchdog/wdt_aspeed.c
@@ -100,13 +100,13 @@ static uint64_t aspeed_wdt_read(void *opaque, hwaddr offset, unsigned size)
 
 static void aspeed_wdt_reload(AspeedWDTState *s, bool pclk)
 {
-    uint32_t reload;
+    uint64_t reload;
 
     if (pclk) {
         reload = muldiv64(s->regs[WDT_RELOAD_VALUE], NANOSECONDS_PER_SECOND,
                           s->pclk_freq);
     } else {
-        reload = s->regs[WDT_RELOAD_VALUE] * 1000;
+        reload = s->regs[WDT_RELOAD_VALUE] * 1000ULL;
     }
 
     if (aspeed_wdt_is_enabled(s)) {
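Review bot: the `1000ULL` suffix on the `else` branch is the load-bearing part of this fix, not just the wider variable: `s->regs[WDT_RELOAD_VALUE] * 1000` is evaluated in 32 bits before it is widened, so a guest-written reload value above 4294967 wraps to a much shorter timeout whatever the type of `reload`. Widening `reload` to `uint64_t` additionally stops the `muldiv64()` result in the `pclk` branch from being truncated. Suggest a one-line comment on the `else` branch saying the suffix forces the multiply to 64 bits, so a later cleanup does not drop it.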
-- 
2.7.4


* [Qemu-devel] [PULL 02/13] arm: fix armv7m_init() declaration to match definition
From: Peter Maydell @ 2017-10-12 16:03 UTC (permalink / raw)
  To: qemu-devel

From: Igor Mammedov <imammedo@redhat.com>

s/cpu_model/cpu_type/ that was forgotten during the
conversion (ba1ba5cc); while touching the line, also
fix up the alignment.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-id: 1507710805-221721-1-git-send-email-imammedo@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/arm.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/hw/arm/arm.h b/include/hw/arm/arm.h
index a3f79d3..ce769bd 100644
--- a/include/hw/arm/arm.h
+++ b/include/hw/arm/arm.h
@@ -25,7 +25,7 @@ typedef enum {
 
 /* armv7m.c */
 DeviceState *armv7m_init(MemoryRegion *system_memory, int mem_size, int num_irq,
-                      const char *kernel_filename, const char *cpu_model);
+                         const char *kernel_filename, const char *cpu_type);
 /**
  * armv7m_load_kernel:
  * @cpu: CPU
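Review bot: nothing functional changes here, since a parameter name in a prototype is not checked against the definition by the compiler; the value of the hunk is that the header stops advertising a `cpu_model` argument after the cpu_model to cpu_type conversion the commit message cites (ba1ba5cc), so a caller reading the header passes a CPU type name. Realigning the continuation line under the opening parenthesis is the right style fix to fold in while touching the line.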
-- 
2.7.4


* [Qemu-devel] [PULL 03/13] target/arm: Add M profile secure MMU index values to get_a32_user_mem_index()
From: Peter Maydell @ 2017-10-12 16:03 UTC (permalink / raw)
  To: qemu-devel

Add the M profile secure MMU index values to the switch in
get_a32_user_mem_index() so that LDRT/STRT work correctly
rather than asserting at translate time.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1507556919-24992-2-git-send-email-peter.maydell@linaro.org
---
 target/arm/translate.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index fdc46cc..61fd0ef 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -165,6 +165,10 @@ static inline int get_a32_user_mem_index(DisasContext *s)
     case ARMMMUIdx_MPriv:
     case ARMMMUIdx_MNegPri:
         return arm_to_core_mmu_idx(ARMMMUIdx_MUser);
+    case ARMMMUIdx_MSUser:
+    case ARMMMUIdx_MSPriv:
+    case ARMMMUIdx_MSNegPri:
+        return arm_to_core_mmu_idx(ARMMMUIdx_MSUser);
     case ARMMMUIdx_S2NS:
     default:
         g_assert_not_reached();
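Review bot: before this hunk an LDRT/STRT executed in Secure state fell into the `default:` arm and hit `g_assert_not_reached()`, i.e. an ordinary guest instruction could abort QEMU itself rather than fault the guest, so this is a robustness fix as well as a correctness one. The new arm mirrors the non-secure one: all three Secure indexes collapse onto `ARMMMUIdx_MSUser`, which is the unprivileged access on the Secure side that these instructions want, and `ARMMMUIdx_S2NS` correctly stays with the assert. A comment noting that the S cases deliberately parallel the NS ones above would help the next person adding an index.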
-- 
2.7.4


* [Qemu-devel] [PULL 04/13] target/arm: Implement SG instruction
From: Peter Maydell @ 2017-10-12 16:03 UTC (permalink / raw)
  To: qemu-devel

Implement the SG instruction, which we emulate 'by hand' in the
exception handling code path.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1507556919-24992-3-git-send-email-peter.maydell@linaro.org
---
 target/arm/helper.c | 132 ++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 127 insertions(+), 5 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 1d689f0..9cc881e 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -41,6 +41,10 @@ typedef struct V8M_SAttributes {
     bool irvalid;
 } V8M_SAttributes;
 
+static void v8m_security_lookup(CPUARMState *env, uint32_t address,
+                                MMUAccessType access_type, ARMMMUIdx mmu_idx,
+                                V8M_SAttributes *sattrs);
+
 /* Definitions for the PMCCNTR and PMCR registers */
 #define PMCRD   0x8
 #define PMCRC   0x4
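Review bot: the forward declaration exists only because the new v7m_read_half_insn() further down calls v8m_security_lookup() before its definition; that is fine, but it is one more prototype to keep in step with the definition, so either place the new helpers after v8m_security_lookup() or add a short comment here pointing at where it is defined.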
@@ -6736,6 +6740,126 @@ static void arm_log_exception(int idx)
     }
 }
 
+static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
+                               uint32_t addr, uint16_t *insn)
+{
+    /* Load a 16-bit portion of a v7M instruction, returning true on success,
+     * or false on failure (in which case we will have pended the appropriate
+     * exception).
+     * We need to do the instruction fetch's MPU and SAU checks
+     * like this because there is no MMU index that would allow
+     * doing the load with a single function call. Instead we must
+     * first check that the security attributes permit the load
+     * and that they don't mismatch on the two halves of the instruction,
+     * and then we do the load as a secure load (ie using the security
+     * attributes of the address, not the CPU, as architecturally required).
+     */
+    CPUState *cs = CPU(cpu);
+    CPUARMState *env = &cpu->env;
+    V8M_SAttributes sattrs = {};
+    MemTxAttrs attrs = {};
+    ARMMMUFaultInfo fi = {};
+    MemTxResult txres;
+    target_ulong page_size;
+    hwaddr physaddr;
+    int prot;
+    uint32_t fsr;
+
+    v8m_security_lookup(env, addr, MMU_INST_FETCH, mmu_idx, &sattrs);
+    if (!sattrs.nsc || sattrs.ns) {
+        /* This must be the second half of the insn, and it straddles a
+         * region boundary with the second half not being S&NSC.
+         */
+        env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
+        qemu_log_mask(CPU_LOG_INT,
+                      "...really SecureFault with SFSR.INVEP\n");
+        return false;
+    }
+    if (get_phys_addr(env, addr, MMU_INST_FETCH, mmu_idx,
+                      &physaddr, &attrs, &prot, &page_size, &fsr, &fi)) {
+        /* the MPU lookup failed */
+        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_IACCVIOL_MASK;
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM, env->v7m.secure);
+        qemu_log_mask(CPU_LOG_INT, "...really MemManage with CFSR.IACCVIOL\n");
+        return false;
+    }
+    *insn = address_space_lduw_le(arm_addressspace(cs, attrs), physaddr,
+                                 attrs, &txres);
+    if (txres != MEMTX_OK) {
+        env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_IBUSERR_MASK;
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
+        qemu_log_mask(CPU_LOG_INT, "...really BusFault with CFSR.IBUSERR\n");
+        return false;
+    }
+    return true;
+}
+
+static bool v7m_handle_execute_nsc(ARMCPU *cpu)
+{
+    /* Check whether this attempt to execute code in a Secure & NS-Callable
+     * memory region is for an SG instruction; if so, then emulate the
+     * effect of the SG instruction and return true. Otherwise pend
+     * the correct kind of exception and return false.
+     */
+    CPUARMState *env = &cpu->env;
+    ARMMMUIdx mmu_idx;
+    uint16_t insn;
+
+    /* We should never get here unless get_phys_addr_pmsav8() caused
+     * an exception for NS executing in S&NSC memory.
+     */
+    assert(!env->v7m.secure);
+    assert(arm_feature(env, ARM_FEATURE_M_SECURITY));
+
+    /* We want to do the MPU lookup as secure; work out what mmu_idx that is */
+    mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
+
+    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15], &insn)) {
+        return false;
+    }
+
+    if (!env->thumb) {
+        goto gen_invep;
+    }
+
+    if (insn != 0xe97f) {
+        /* Not an SG instruction first half (we choose the IMPDEF
+         * early-SG-check option).
+         */
+        goto gen_invep;
+    }
+
+    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15] + 2, &insn)) {
+        return false;
+    }
+
+    if (insn != 0xe97f) {
+        /* Not an SG instruction second half (yes, both halves of the SG
+         * insn have the same hex value)
+         */
+        goto gen_invep;
+    }
+
+    /* OK, we have confirmed that we really have an SG instruction.
+     * We know we're NS in S memory so don't need to repeat those checks.
+     */
+    qemu_log_mask(CPU_LOG_INT, "...really an SG instruction at 0x%08" PRIx32
+                  ", executing it\n", env->regs[15]);
+    env->regs[14] &= ~1;
+    switch_v7m_security_state(env, true);
+    xpsr_write(env, 0, XPSR_IT);
+    env->regs[15] += 4;
+    return true;
+
+gen_invep:
+    env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
+    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
+    qemu_log_mask(CPU_LOG_INT,
+                  "...really SecureFault with SFSR.INVEP\n");
+    return false;
+}
+
 void arm_v7m_cpu_do_interrupt(CPUState *cs)
 {
     ARMCPU *cpu = ARM_CPU(cs);
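Review bot: two ordering points and one stale comment. First, in v7m_read_half_insn() the comment 'This must be the second half of the insn' only holds for the second call; on the first call at `env->regs[15]` the SAU lookup simply repeats the S&NSC check that brought us into this path, so reword it to say the check is a no-op for the first half and catches a straddling second half. Second, in v7m_handle_execute_nsc() the `!env->thumb` test runs after the first half has already been fetched, so an ARM-state entry whose fetch also fails the MPU lookup reports MemManage rather than INVEP; if that priority is intended, say so in a comment, otherwise move the test above the first v7m_read_half_insn() call. Finally, the lines `env->regs[14] &= ~1;` and `xpsr_write(env, 0, XPSR_IT);` are the security-relevant core of SG: LR bit 0 cleared is what later tells BXNS that the caller was Non-secure, and clearing the IT state means no IT-block condition from the Non-secure caller carries over into the Secure entry point; both deserve a comment.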
@@ -6778,12 +6902,10 @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
              * the SG instruction have the same security attributes.)
              * Everything else must generate an INVEP SecureFault, so we
              * emulate the SG instruction here.
-             * TODO: actually emulate SG.
              */
-            env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
-            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
-            qemu_log_mask(CPU_LOG_INT,
-                          "...really SecureFault with SFSR.INVEP\n");
+            if (v7m_handle_execute_nsc(cpu)) {
+                return;
+            }
             break;
         case M_FAKE_FSR_SFAULT:
             /* Various flavours of SecureFault for attempts to execute or
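Review bot: when v7m_handle_execute_nsc() returns false the `break` relies on the callee having already pended the right exception (SecureFault, MemManage or BusFault), which it does on every false path; a one-line comment at the `break` saying that the pending exception is then taken would save a reader from retracing the helper. The surrounding comment still ends with 'so we emulate the SG instruction here', which is now done inside the helper; trim it to match the TODO being removed.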
-- 
2.7.4


* [Qemu-devel] [PULL 05/13] target/arm: Implement BLXNS
From: Peter Maydell @ 2017-10-12 16:03 UTC (permalink / raw)
  To: qemu-devel

Implement the BLXNS instruction, which allows secure code to
call non-secure code.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1507556919-24992-4-git-send-email-peter.maydell@linaro.org
---
 target/arm/helper.h    |  1 +
 target/arm/internals.h |  1 +
 target/arm/helper.c    | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++
 target/arm/translate.c | 17 +++++++++++++--
 4 files changed, 76 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index 64afbac..2cf6f74 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -64,6 +64,7 @@ DEF_HELPER_3(v7m_msr, void, env, i32, i32)
 DEF_HELPER_2(v7m_mrs, i32, env, i32)
 
 DEF_HELPER_2(v7m_bxns, void, env, i32)
+DEF_HELPER_2(v7m_blxns, void, env, i32)
 
 DEF_HELPER_4(access_check_cp_reg, void, env, ptr, i32, i32)
 DEF_HELPER_3(set_cp_reg, void, env, ptr, i32)
diff --git a/target/arm/internals.h b/target/arm/internals.h
index fd9a7e8..1746737 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -60,6 +60,7 @@ static inline bool excp_is_internal(int excp)
 FIELD(V7M_CONTROL, NPRIV, 0, 1)
 FIELD(V7M_CONTROL, SPSEL, 1, 1)
 FIELD(V7M_CONTROL, FPCA, 2, 1)
+FIELD(V7M_CONTROL, SFPA, 3, 1)
 
 /* Bit definitions for v7M exception return payload */
 FIELD(V7M_EXCRET, ES, 0, 1)
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 9cc881e..47c5767 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -5897,6 +5897,12 @@ void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
     g_assert_not_reached();
 }
 
+void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
+{
+    /* translate.c should never generate calls here in user-only mode */
+    g_assert_not_reached();
+}
+
 void switch_mode(CPUARMState *env, int mode)
 {
     ARMCPU *cpu = arm_env_get_cpu(env);
@@ -6189,6 +6195,59 @@ void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
     env->regs[15] = dest & ~1;
 }
 
+void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
+{
+    /* Handle v7M BLXNS:
+     *  - bit 0 of the destination address is the target security state
+     */
+
+    /* At this point regs[15] is the address just after the BLXNS */
+    uint32_t nextinst = env->regs[15] | 1;
+    uint32_t sp = env->regs[13] - 8;
+    uint32_t saved_psr;
+
+    /* translate.c will have made BLXNS UNDEF unless we're secure */
+    assert(env->v7m.secure);
+
+    if (dest & 1) {
+        /* target is Secure, so this is just a normal BLX,
+         * except that the low bit doesn't indicate Thumb/not.
+         */
+        env->regs[14] = nextinst;
+        env->thumb = 1;
+        env->regs[15] = dest & ~1;
+        return;
+    }
+
+    /* Target is non-secure: first push a stack frame */
+    if (!QEMU_IS_ALIGNED(sp, 8)) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "BLXNS with misaligned SP is UNPREDICTABLE\n");
+    }
+
+    saved_psr = env->v7m.exception;
+    if (env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK) {
+        saved_psr |= XPSR_SFPA;
+    }
+
+    /* Note that these stores can throw exceptions on MPU faults */
+    cpu_stl_data(env, sp, nextinst);
+    cpu_stl_data(env, sp + 4, saved_psr);
+
+    env->regs[13] = sp;
+    env->regs[14] = 0xfeffffff;
+    if (arm_v7m_is_handler_mode(env)) {
+        /* Write a dummy value to IPSR, to avoid leaking the current secure
+         * exception number to non-secure code. This is guaranteed not
+         * to cause write_v7m_exception() to actually change stacks.
+         */
+        write_v7m_exception(env, 1);
+    }
+    switch_v7m_security_state(env, 0);
+    env->thumb = 1;
+    env->regs[15] = dest;
+}
+
 static uint32_t *get_v7m_sp_ptr(CPUARMState *env, bool secure, bool threadmode,
                                 bool spsel)
 {
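Review bot: the property to protect here is the ordering: both `cpu_stl_data()` stores happen before SP, LR, IPSR or the security state is modified, so an MPU fault during the push longjmps out with the CPU still Secure and its registers unchanged; please keep the stores first if this is ever reworked. Two smaller points: the dummy `write_v7m_exception(env, 1)` is the only thing stopping the Secure exception number from reaching Non-secure code, so it belongs in the comment block at the top of the function and not only inline; and on a misaligned SP the helper logs and carries on, so the frame lands at an unaligned `sp` that the later function return will pop from, which is acceptable for UNPREDICTABLE but worth a sentence. Minor: `sp` is computed before the `assert(env->v7m.secure)`; moving the assert up makes the Secure-only precondition the first thing a reader sees.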
diff --git a/target/arm/translate.c b/target/arm/translate.c
index 61fd0ef..caf0d58 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -1017,6 +1017,20 @@ static inline void gen_bxns(DisasContext *s, int rm)
     s->base.is_jmp = DISAS_EXIT;
 }
 
+static inline void gen_blxns(DisasContext *s, int rm)
+{
+    TCGv_i32 var = load_reg(s, rm);
+
+    /* We don't need to sync condexec state, for the same reason as bxns.
+     * We do however need to set the PC, because the blxns helper reads it.
+     * The blxns helper may throw an exception.
+     */
+    gen_set_pc_im(s, s->pc);
+    gen_helper_v7m_blxns(cpu_env, var);
+    tcg_temp_free_i32(var);
+    s->base.is_jmp = DISAS_EXIT;
+}
+
 /* Variant of store_reg which uses branch&exchange logic when storing
    to r15 in ARM architecture v7 and above. The source must be a temporary
    and will be marked as dead. */
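Review bot: `DISAS_EXIT` is the necessary choice here, not a stylistic one: the helper may switch security state, which changes the MMU index and hence the TB flags the translator assumed, so execution must go back through a fresh TB lookup instead of chaining to the next block. The comment on `gen_set_pc_im()` correctly gives both reasons it is needed (the helper reads the PC to build the pushed return address, and the helper may fault); a short note that the security switch is why the TB must end would complete it.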
@@ -11222,8 +11236,7 @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
                         goto undef;
                     }
                     if (link) {
-                        /* BLXNS: not yet implemented */
-                        goto undef;
+                        gen_blxns(s, rm);
                     } else {
                         gen_bxns(s, rm);
                     }
-- 
2.7.4


* [Qemu-devel] [PULL 06/13] target/arm: Implement secure function return
From: Peter Maydell @ 2017-10-12 16:03 UTC (permalink / raw)
  To: qemu-devel

Secure function return happens when a non-secure function has been
called using BLXNS and so has a particular magic LR value (either
0xfefffffe or 0xfeffffff). The function return via BX behaves
specially when the new PC value is this magic value, in the same
way that exception returns are handled.

Adjust our BX excret guards so that they recognize the function
return magic number as well, and perform the function-return
unstacking in do_v7m_exception_exit().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1507556919-24992-5-git-send-email-peter.maydell@linaro.org
---
 target/arm/internals.h |   7 +++
 target/arm/helper.c    | 115 +++++++++++++++++++++++++++++++++++++++++++++----
 target/arm/translate.c |  14 +++++-
 3 files changed, 126 insertions(+), 10 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index 1746737..43106a2 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -72,6 +72,13 @@ FIELD(V7M_EXCRET, DCRS, 5, 1)
 FIELD(V7M_EXCRET, S, 6, 1)
 FIELD(V7M_EXCRET, RES1, 7, 25) /* including the must-be-1 prefix */
 
+/* Minimum value which is a magic number for exception return */
+#define EXC_RETURN_MIN_MAGIC 0xff000000
+/* Minimum number which is a magic number for function or exception return
+ * when using v8M security extension
+ */
+#define FNC_RETURN_MIN_MAGIC 0xfefffffe
+
 /* We use a few fake FSR values for internal purposes in M profile.
  * M profile cores don't have A/R format FSRs, but currently our
  * get_phys_addr() code assumes A/R profile and reports failures via
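Review bot: these two constants only work as one threshold because `FNC_RETURN_MIN_MAGIC` (0xfefffffe) sorts below `EXC_RETURN_MIN_MAGIC` (0xff000000): the `>= min_magic` tests in helper.c and translate.c and the `< EXC_RETURN_MIN_MAGIC` split in arm_v7m_cpu_do_interrupt() all depend on that ordering, so a `QEMU_BUILD_BUG_ON(FNC_RETURN_MIN_MAGIC >= EXC_RETURN_MIN_MAGIC)` next to the definitions would pin it. Also 'Minimum number which is a magic number' reads oddly next to 'Minimum value which is a magic number' two lines up; use the same wording for both.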
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 47c5767..96113fe 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -6174,7 +6174,17 @@ void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
      *  - if the return value is a magic value, do exception return (like BX)
      *  - otherwise bit 0 of the return value is the target security state
      */
-    if (dest >= 0xff000000) {
+    uint32_t min_magic;
+
+    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+        /* Covers FNC_RETURN and EXC_RETURN magic */
+        min_magic = FNC_RETURN_MIN_MAGIC;
+    } else {
+        /* EXC_RETURN magic only */
+        min_magic = EXC_RETURN_MIN_MAGIC;
+    }
+
+    if (dest >= min_magic) {
         /* This is an exception return magic value; put it where
          * do_v7m_exception_exit() expects and raise EXCEPTION_EXIT.
          * Note that if we ever add gen_ss_advance() singlestep support to
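Review bot: the comment block above this hunk ('if the return value is a magic value, do exception return (like BX)') is now slightly stale, since with the security extension the magic range also covers function return and the split between the two is made later in arm_v7m_cpu_do_interrupt(); update it. Note that the test is on the raw `dest` including bit 0, so both 0xfefffffe and 0xfeffffff count as magic, which matches the two LR values the commit message lists.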
@@ -6470,12 +6480,19 @@ static void do_v7m_exception_exit(ARMCPU *cpu)
     bool exc_secure = false;
     bool return_to_secure;
 
-    /* We can only get here from an EXCP_EXCEPTION_EXIT, and
-     * gen_bx_excret() enforces the architectural rule
-     * that jumps to magic addresses don't have magic behaviour unless
-     * we're in Handler mode (compare pseudocode BXWritePC()).
+    /* If we're not in Handler mode then jumps to magic exception-exit
+     * addresses don't have magic behaviour. However for the v8M
+     * security extensions the magic secure-function-return has to
+     * work in thread mode too, so to avoid doing an extra check in
+     * the generated code we allow exception-exit magic to also cause the
+     * internal exception and bring us here in thread mode. Correct code
+     * will never try to do this (the following insn fetch will always
+     * fault) so we the overhead of having taken an unnecessary exception
+     * doesn't matter.
      */
-    assert(arm_v7m_is_handler_mode(env));
+    if (!arm_v7m_is_handler_mode(env)) {
+        return;
+    }
 
     /* In the spec pseudocode ExceptionReturn() is called directly
      * from BXWritePC() and gets the full target PC value including
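Review bot: the replacement of the assert by a silent `return` deserves a log line: on this path `regs[15]` still holds the magic value and the code relies on the next instruction fetch faulting, so a `qemu_log_mask(CPU_LOG_INT, ...)` saying that a Thread-mode exception return was ignored would make the subsequent fault explicable in a `-d int` trace. Typo in the new comment: 'so we the overhead of having taken an unnecessary exception doesn't matter' should read 'so the overhead ... doesn't matter'.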
@@ -6765,6 +6782,78 @@ static void do_v7m_exception_exit(ARMCPU *cpu)
     qemu_log_mask(CPU_LOG_INT, "...successful exception return\n");
 }
 
+static bool do_v7m_function_return(ARMCPU *cpu)
+{
+    /* v8M security extensions magic function return.
+     * We may either:
+     *  (1) throw an exception (longjump)
+     *  (2) return true if we successfully handled the function return
+     *  (3) return false if we failed a consistency check and have
+     *      pended a UsageFault that needs to be taken now
+     *
+     * At this point the magic return value is split between env->regs[15]
+     * and env->thumb. We don't bother to reconstitute it because we don't
+     * need it (all values are handled the same way).
+     */
+    CPUARMState *env = &cpu->env;
+    uint32_t newpc, newpsr, newpsr_exc;
+
+    qemu_log_mask(CPU_LOG_INT, "...really v7M secure function return\n");
+
+    {
+        bool threadmode, spsel;
+        TCGMemOpIdx oi;
+        ARMMMUIdx mmu_idx;
+        uint32_t *frame_sp_p;
+        uint32_t frameptr;
+
+        /* Pull the return address and IPSR from the Secure stack */
+        threadmode = !arm_v7m_is_handler_mode(env);
+        spsel = env->v7m.control[M_REG_S] & R_V7M_CONTROL_SPSEL_MASK;
+
+        frame_sp_p = get_v7m_sp_ptr(env, true, threadmode, spsel);
+        frameptr = *frame_sp_p;
+
+        /* These loads may throw an exception (for MPU faults). We want to
+         * do them as secure, so work out what MMU index that is.
+         */
+        mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
+        oi = make_memop_idx(MO_LE, arm_to_core_mmu_idx(mmu_idx));
+        newpc = helper_le_ldul_mmu(env, frameptr, oi, 0);
+        newpsr = helper_le_ldul_mmu(env, frameptr + 4, oi, 0);
+
+        /* Consistency checks on new IPSR */
+        newpsr_exc = newpsr & XPSR_EXCP;
+        if (!((env->v7m.exception == 0 && newpsr_exc == 0) ||
+              (env->v7m.exception == 1 && newpsr_exc != 0))) {
+            /* Pend the fault and tell our caller to take it */
+            env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
+            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
+                                    env->v7m.secure);
+            qemu_log_mask(CPU_LOG_INT,
+                          "...taking INVPC UsageFault: "
+                          "IPSR consistency check failed\n");
+            return false;
+        }
+
+        *frame_sp_p = frameptr + 8;
+    }
+
+    /* This invalidates frame_sp_p */
+    switch_v7m_security_state(env, true);
+    env->v7m.exception = newpsr_exc;
+    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
+    if (newpsr & XPSR_SFPA) {
+        env->v7m.control[M_REG_S] |= R_V7M_CONTROL_SFPA_MASK;
+    }
+    xpsr_write(env, 0, XPSR_IT);
+    env->thumb = newpc & 1;
+    env->regs[15] = newpc & ~1;
+
+    qemu_log_mask(CPU_LOG_INT, "...function return successful\n");
+    return true;
+}
+
 static void arm_log_exception(int idx)
 {
     if (qemu_loglevel_mask(CPU_LOG_INT)) {
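Review bot: the consistency check is the trust boundary of this function and the comment should say so: the two words are read from the Secure stack via a Secure MMU index, but they are only acted on after the pushed IPSR is checked against the current one (0 against 0, or the dummy 1 against a non-zero handler number), and on the failing path SP, CONTROL and the security state are left untouched so the pended INVPC UsageFault is taken in the current state. The pop ordering is right: `*frame_sp_p` is advanced before switch_v7m_security_state() invalidates the pointer. One question: `env->thumb = newpc & 1` takes bit 0 straight from the frame; BLXNS always pushes `regs[15] | 1`, so a frame with bit 0 clear can only come from a modified stack and would put an M-profile CPU into ARM state. If the intent is that the next fetch then reports INVSTATE, a comment saying so would settle it.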
@@ -7049,8 +7138,18 @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
     case EXCP_IRQ:
         break;
     case EXCP_EXCEPTION_EXIT:
-        do_v7m_exception_exit(cpu);
-        return;
+        if (env->regs[15] < EXC_RETURN_MIN_MAGIC) {
+            /* Must be v8M security extension function return */
+            assert(env->regs[15] >= FNC_RETURN_MIN_MAGIC);
+            assert(arm_feature(env, ARM_FEATURE_M_SECURITY));
+            if (do_v7m_function_return(cpu)) {
+                return;
+            }
+        } else {
+            do_v7m_exception_exit(cpu);
+            return;
+        }
+        break;
     default:
         cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
         return; /* Never happens.  Keep compiler happy.  */
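Review bot: the two asserts encode the contract with the translator, which only raises EXCP_EXCEPTION_EXIT for `regs[15] >= min_magic`; a comment that the lower bound comes from gen_bx_excret_final_code() would make that visible. After a failed do_v7m_function_return() the `break` goes on to deliver the UsageFault it pended, the same pattern as the SG path; a one-line comment at the `break` would make that explicit.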
diff --git a/target/arm/translate.c b/target/arm/translate.c
index caf0d58..5c6f9fe 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -964,7 +964,8 @@ static inline void gen_bx_excret(DisasContext *s, TCGv_i32 var)
      * s->base.is_jmp that we need to do the rest of the work later.
      */
     gen_bx(s, var);
-    if (s->v7m_handler_mode && arm_dc_feature(s, ARM_FEATURE_M)) {
+    if (arm_dc_feature(s, ARM_FEATURE_M_SECURITY) ||
+        (s->v7m_handler_mode && arm_dc_feature(s, ARM_FEATURE_M))) {
         s->base.is_jmp = DISAS_BX_EXCRET;
     }
 }
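Review bot: with `ARM_FEATURE_M_SECURITY` the `DISAS_BX_EXCRET` path is now taken in Thread mode as well, which is why do_v7m_exception_exit() in this same patch turns its Handler-mode assert into an early return; a comment here pointing at that return would tie the two halves together. The cost is one spurious internal exception for a Thread-mode BX into the EXC_RETURN range, which the commit message accepts since the following fetch faults anyway.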
@@ -973,9 +974,18 @@ static inline void gen_bx_excret_final_code(DisasContext *s)
 {
     /* Generate the code to finish possible exception return and end the TB */
     TCGLabel *excret_label = gen_new_label();
+    uint32_t min_magic;
+
+    if (arm_dc_feature(s, ARM_FEATURE_M_SECURITY)) {
+        /* Covers FNC_RETURN and EXC_RETURN magic */
+        min_magic = FNC_RETURN_MIN_MAGIC;
+    } else {
+        /* EXC_RETURN magic only */
+        min_magic = EXC_RETURN_MIN_MAGIC;
+    }
 
     /* Is the new PC value in the magic range indicating exception return? */
-    tcg_gen_brcondi_i32(TCG_COND_GEU, cpu_R[15], 0xff000000, excret_label);
+    tcg_gen_brcondi_i32(TCG_COND_GEU, cpu_R[15], min_magic, excret_label);
     /* No: end the TB as we would for a DISAS_JMP */
     if (is_singlestepping(s)) {
         gen_singlestep_exception(s);
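Review bot: this `min_magic` selection duplicates the one added to HELPER(v7m_bxns) in this patch; two feature-dependent copies of the same threshold are a drift hazard, so a small shared inline next to the constants in internals.h (taking the security-extension flag) would keep the translator and the helper agreeing. The comment 'Is the new PC value in the magic range indicating exception return?' is also now incomplete, since the range covers function return too.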
-- 
2.7.4
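As an added illustration, not code from QEMU or from this series: a self-contained C model of the BLXNS / secure function return round trip this message describes, i.e. the two-word frame pushed on the Secure stack, the dummy IPSR, the magic-LR classification by one >= comparison, and the IPSR consistency check before Secure state is restored. The cpu_t struct, the mem[] stack, all addresses, and the XPSR_EXCP/XPSR_SFPA layouts are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Values from the series: thresholds from internals.h, LR written by BLXNS. */
#define EXC_RETURN_MIN_MAGIC 0xff000000u
#define FNC_RETURN_MIN_MAGIC 0xfefffffeu
#define FNC_RETURN_LR        0xfeffffffu
/* Assumed (not on the page): IPSR is the low 9 bits of the pushed PSR word
 * and SFPA travels in bit 20. */
#define XPSR_EXCP 0x1ffu
#define XPSR_SFPA (1u << 20)

/* Toy CPU holding only what the two helpers touch. mem[] is the Secure stack,
 * word-indexed by address / 4; every address below is constructed. */
typedef struct {
    bool secure;        /* current security state */
    uint32_t exception; /* IPSR: 0 = Thread mode, else handler number */
    bool sfpa;          /* CONTROL_S.SFPA */
    uint32_t pc;        /* at BLXNS time: address of the following insn */
    uint32_t lr, sp_s;  /* LR and the Secure SP */
    uint32_t mem[64];
} cpu_t;

enum bx_kind { BX_NORMAL, BX_FNC_RETURN, BX_EXC_RETURN };

/* BX target classification as the series does it: one ">= min_magic" test
 * (lowered to FNC_RETURN_MIN_MAGIC only with the security extension). */
static enum bx_kind classify_bx_target(uint32_t dest, bool has_sec_ext)
{
    uint32_t min_magic = has_sec_ext ? FNC_RETURN_MIN_MAGIC
                                     : EXC_RETURN_MIN_MAGIC;
    if (dest < min_magic) return BX_NORMAL;
    return dest < EXC_RETURN_MIN_MAGIC ? BX_FNC_RETURN : BX_EXC_RETURN;
}

/* IPSR consistency check from do_v7m_function_return(): cur is the IPSR at
 * return time (0 in Thread mode, 1 = the dummy BLXNS wrote in Handler mode),
 * frame_psr the second word BLXNS pushed. */
static bool frame_ipsr_consistent(uint32_t cur, uint32_t frame_psr)
{
    uint32_t newpsr_exc = frame_psr & XPSR_EXCP;
    return (cur == 0 && newpsr_exc == 0) || (cur == 1 && newpsr_exc != 0);
}

/* BLXNS. False if executed from Non-secure state (UNDEF in the translator).
 * A Secure target (bit 0 set) is a plain BLX; a Non-secure one pushes
 * {return address, IPSR|SFPA} on the Secure stack, hides a non-zero IPSR
 * behind the dummy 1 so NS code cannot learn it, then switches state. */
static bool do_blxns(cpu_t *c, uint32_t dest)
{
    uint32_t nextinst = c->pc | 1;
    if (!c->secure) return false;
    if (dest & 1) {
        c->lr = nextinst;
        c->pc = dest & ~1u;
        return true;
    }
    uint32_t sp = c->sp_s - 8;
    c->mem[sp / 4] = nextinst;
    c->mem[sp / 4 + 1] = c->exception | (c->sfpa ? XPSR_SFPA : 0);
    c->sp_s = sp;
    c->lr = FNC_RETURN_LR;
    if (c->exception != 0) c->exception = 1;
    c->secure = false;
    c->pc = dest;
    return true;
}

/* Secure function return after NS code did BX to the FNC_RETURN value.
 * False, with no state changed, if the pushed IPSR disagrees with the
 * current one; QEMU then pends an INVPC UsageFault. */
static bool do_function_return(cpu_t *c)
{
    uint32_t frameptr = c->sp_s;
    uint32_t newpc = c->mem[frameptr / 4];
    uint32_t newpsr = c->mem[frameptr / 4 + 1];
    if (!frame_ipsr_consistent(c->exception, newpsr)) return false;
    c->sp_s = frameptr + 8;      /* pop before the state switch */
    c->secure = true;
    c->exception = newpsr & XPSR_EXCP;
    c->sfpa = (newpsr & XPSR_SFPA) != 0;
    c->pc = newpc & ~1u;
    return true;
}

/* Round trip: a Secure handler (IPSR 11, SFPA set) calls NS code, which
 * returns with BX LR. True if Secure state comes back intact and the NS
 * side only ever saw the dummy IPSR. */
static bool roundtrip_ok(void)
{
    cpu_t c = { .secure = true, .exception = 11, .sfpa = true,
                .pc = 0x08000400u, .sp_s = 0x100u };
    if (!do_blxns(&c, 0x20000100u) || c.secure || c.exception != 1) return false;
    if (classify_bx_target(c.lr, true) != BX_FNC_RETURN) return false;
    if (!do_function_return(&c)) return false;
    return c.secure && c.exception == 11 && c.sfpa
        && c.pc == 0x08000400u && c.sp_s == 0x100u;
}
```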


* [Qemu-devel] [PULL 07/13] target-arm: Don't check for "Thumb2 or M profile" for not-Thumb1
From: Peter Maydell @ 2017-10-12 16:03 UTC (permalink / raw)
  To: qemu-devel

The code which implements the Thumb1 split BL/BLX instructions
is guarded by a check on "not M or THUMB2". All we really need
to check here is "not THUMB2" (and we assume that elsewhere too,
eg in the ARCH(6T2) test that UNDEFs the Thumb2 insns).

This doesn't change behaviour because all M profile cores
have Thumb2 and so ARM_FEATURE_M implies ARM_FEATURE_THUMB2.
(v6M implements a very restricted subset of Thumb2, but we
can cross that bridge when we get to it with appropriate
feature bits.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1507556919-24992-6-git-send-email-peter.maydell@linaro.org
---
 target/arm/translate.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index 5c6f9fe..530a5c4 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -9719,8 +9719,7 @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
     int conds;
     int logic_cc;
 
-    if (!(arm_dc_feature(s, ARM_FEATURE_THUMB2)
-          || arm_dc_feature(s, ARM_FEATURE_M))) {
+    if (!arm_dc_feature(s, ARM_FEATURE_THUMB2)) {
         /* Thumb-1 cores may need to treat bl and blx as a pair of
            16-bit instructions to get correct prefetch abort behavior.  */
         insn = insn_hw1;
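Review bot: the new `if (!arm_dc_feature(s, ARM_FEATURE_THUMB2))` is only correct while every ARM_FEATURE_M core also sets ARM_FEATURE_THUMB2, and after this change nothing in the code states that invariant. Since the commit message already names v6M as a future exception, a one-line comment at the condition ("M profile implies Thumb2; v6M will need its own feature bit") would stop a later v6M feature split from silently routing M-profile cores into the Thumb-1 split BL/BLX path.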
-- 
2.7.4


* [Qemu-devel] [PULL 08/13] target/arm: Pull Thumb insn word loads up to top level
From: Peter Maydell @ 2017-10-12 16:03 UTC (permalink / raw)
  To: qemu-devel

Refactor the Thumb decode to do the loads of the instruction words at
the top level rather than only loading the second half of a 32-bit
Thumb insn in the middle of the decode.

This is simple apart from the awkward case of Thumb1, where the
BL/BLX prefix and suffix instructions live in what in Thumb2 is the
32-bit insn space.  To handle these we decode enough to identify
whether we're looking at a prefix/suffix that we handle as a 16 bit
insn, or a prefix that we're going to merge with the following suffix
to consider as a 32 bit insn.  The translation of the 16 bit cases
then moves from disas_thumb2_insn() to disas_thumb_insn().

The refactoring has the benefit that we don't need to pass the
CPUARMState* down into the decoder code any more, but the major
reason for doing this is that some Thumb instructions must be always
unconditional regardless of the IT state bits, so we need to know the
whole insn before we emit the "skip this insn if the IT bits and cond
state tell us to" code.  (The always unconditional insns are BKPT,
HLT and SG; the last of these is 32 bits.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1507556919-24992-7-git-send-email-peter.maydell@linaro.org
---
 target/arm/translate.c | 178 ++++++++++++++++++++++++++++++-------------------
 1 file changed, 108 insertions(+), 70 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index 530a5c4..19c136c 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -9620,6 +9620,44 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
     }
 }
 
+static bool thumb_insn_is_16bit(DisasContext *s, uint32_t insn)
+{
+    /* Return true if this is a 16 bit instruction. We must be precise
+     * about this (matching the decode).  We assume that s->pc still
+     * points to the first 16 bits of the insn.
+     */
+    if ((insn >> 11) < 0x1d) {
+        /* Definitely a 16-bit instruction */
+        return true;
+    }
+
+    /* Top five bits 0b11101 / 0b11110 / 0b11111 : this is the
+     * first half of a 32-bit Thumb insn. Thumb-1 cores might
+     * end up actually treating this as two 16-bit insns, though,
+     * if it's half of a bl/blx pair that might span a page boundary.
+     */
+    if (arm_dc_feature(s, ARM_FEATURE_THUMB2)) {
+        /* Thumb2 cores (including all M profile ones) always treat
+         * 32-bit insns as 32-bit.
+         */
+        return false;
+    }
+
+    if ((insn >> 11) == 0x1e && (s->pc < s->next_page_start - 3)) {
+        /* 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix, and the suffix
+         * is not on the next page; we merge this into a 32-bit
+         * insn.
+         */
+        return false;
+    }
+    /* 0b1110_1xxx_xxxx_xxxx : BLX suffix (or UNDEF);
+     * 0b1111_1xxx_xxxx_xxxx : BL suffix;
+     * 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix on the end of a page
+     *  -- handle as single 16 bit insn
+     */
+    return true;
+}
+
 /* Return true if this is a Thumb-2 logical op.  */
 static int
 thumb2_logic_op(int op)
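Review bot: thumb_insn_is_16bit() depends on an ordering contract ("We assume that s->pc still points to the first 16 bits of the insn") that nothing enforces: the `s->pc < s->next_page_start - 3` test for a BL/BLX prefix gives the wrong answer if a caller consults it after advancing s->pc. Suggest taking the insn address as an explicit parameter, e.g. `thumb_insn_is_16bit(DisasContext *s, target_ulong pc, uint32_t insn)`, instead of reading s->pc, so a caller that advances pc first cannot misuse it.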
@@ -9705,9 +9743,9 @@ gen_thumb2_data_op(DisasContext *s, int op, int conds, uint32_t shifter_out,
 
 /* Translate a 32-bit thumb instruction.  Returns nonzero if the instruction
    is not legal.  */
-static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw1)
+static int disas_thumb2_insn(DisasContext *s, uint32_t insn)
 {
-    uint32_t insn, imm, shift, offset;
+    uint32_t imm, shift, offset;
     uint32_t rd, rn, rm, rs;
     TCGv_i32 tmp;
     TCGv_i32 tmp2;
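Review bot: the header comment "Translate a 32-bit thumb instruction" should now also state the new calling convention: `insn` carries both halfwords (the old `insn_hw1` in bits 31:16) and s->pc has already been advanced past both, since the body computes PC-relative values from s->pc and the old code used to do the second load and `s->pc += 2` itself.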
@@ -9719,51 +9757,9 @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
     int conds;
     int logic_cc;
 
-    if (!arm_dc_feature(s, ARM_FEATURE_THUMB2)) {
-        /* Thumb-1 cores may need to treat bl and blx as a pair of
-           16-bit instructions to get correct prefetch abort behavior.  */
-        insn = insn_hw1;
-        if ((insn & (1 << 12)) == 0) {
-            ARCH(5);
-            /* Second half of blx.  */
-            offset = ((insn & 0x7ff) << 1);
-            tmp = load_reg(s, 14);
-            tcg_gen_addi_i32(tmp, tmp, offset);
-            tcg_gen_andi_i32(tmp, tmp, 0xfffffffc);
-
-            tmp2 = tcg_temp_new_i32();
-            tcg_gen_movi_i32(tmp2, s->pc | 1);
-            store_reg(s, 14, tmp2);
-            gen_bx(s, tmp);
-            return 0;
-        }
-        if (insn & (1 << 11)) {
-            /* Second half of bl.  */
-            offset = ((insn & 0x7ff) << 1) | 1;
-            tmp = load_reg(s, 14);
-            tcg_gen_addi_i32(tmp, tmp, offset);
-
-            tmp2 = tcg_temp_new_i32();
-            tcg_gen_movi_i32(tmp2, s->pc | 1);
-            store_reg(s, 14, tmp2);
-            gen_bx(s, tmp);
-            return 0;
-        }
-        if ((s->pc & ~TARGET_PAGE_MASK) == 0) {
-            /* Instruction spans a page boundary.  Implement it as two
-               16-bit instructions in case the second half causes an
-               prefetch abort.  */
-            offset = ((int32_t)insn << 21) >> 9;
-            tcg_gen_movi_i32(cpu_R[14], s->pc + 2 + offset);
-            return 0;
-        }
-        /* Fall through to 32-bit decode.  */
-    }
-
-    insn = arm_lduw_code(env, s->pc, s->sctlr_b);
-    s->pc += 2;
-    insn |= (uint32_t)insn_hw1 << 16;
-
+    /* The only 32 bit insn that's allowed for Thumb1 is the combined
+     * BL/BLX prefix and suffix.
+     */
     if ((insn & 0xf800e800) != 0xf000e800) {
         ARCH(6T2);
     }
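Review bot: the page-boundary decision moved from `(s->pc & ~TARGET_PAGE_MASK) == 0` (evaluated here with s->pc already past the prefix) to `s->pc < s->next_page_start - 3` in thumb_insn_is_16bit() (evaluated with s->pc still at the prefix); the two agree only because the top-level caller asks before `dc->pc += 2`. A short addition to the remaining `/* The only 32 bit insn that's allowed for Thumb1 ... */` comment saying that the split-across-page-boundary handling now lives in thumb_insn_is_16bit() would make that dependency findable from here.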
@@ -11078,27 +11074,15 @@ illegal_op:
     return 1;
 }
 
-static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
+static void disas_thumb_insn(DisasContext *s, uint32_t insn)
 {
-    uint32_t val, insn, op, rm, rn, rd, shift, cond;
+    uint32_t val, op, rm, rn, rd, shift, cond;
     int32_t offset;
     int i;
     TCGv_i32 tmp;
     TCGv_i32 tmp2;
     TCGv_i32 addr;
 
-    if (s->condexec_mask) {
-        cond = s->condexec_cond;
-        if (cond != 0x0e) {     /* Skip conditional when condition is AL. */
-          s->condlabel = gen_new_label();
-          arm_gen_test_cc(cond ^ 1, s->condlabel);
-          s->condjmp = 1;
-        }
-    }
-
-    insn = arm_lduw_code(env, s->pc, s->sctlr_b);
-    s->pc += 2;
-
     switch (insn >> 12) {
     case 0: case 1:
 
@@ -11829,8 +11813,21 @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
 
     case 14:
         if (insn & (1 << 11)) {
-            if (disas_thumb2_insn(env, s, insn))
-              goto undef32;
+            /* thumb_insn_is_16bit() ensures we can't get here for
+             * a Thumb2 CPU, so this must be a thumb1 split BL/BLX:
+             * 0b1110_1xxx_xxxx_xxxx : BLX suffix (or UNDEF)
+             */
+            assert(!arm_dc_feature(s, ARM_FEATURE_THUMB2));
+            ARCH(5);
+            offset = ((insn & 0x7ff) << 1);
+            tmp = load_reg(s, 14);
+            tcg_gen_addi_i32(tmp, tmp, offset);
+            tcg_gen_andi_i32(tmp, tmp, 0xfffffffc);
+
+            tmp2 = tcg_temp_new_i32();
+            tcg_gen_movi_i32(tmp2, s->pc | 1);
+            store_reg(s, 14, tmp2);
+            gen_bx(s, tmp);
             break;
         }
         /* unconditional branch */
@@ -11841,15 +11838,30 @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
         break;
 
     case 15:
-        if (disas_thumb2_insn(env, s, insn))
-            goto undef32;
+        /* thumb_insn_is_16bit() ensures we can't get here for
+         * a Thumb2 CPU, so this must be a thumb1 split BL/BLX.
+         */
+        assert(!arm_dc_feature(s, ARM_FEATURE_THUMB2));
+
+        if (insn & (1 << 11)) {
+            /* 0b1111_1xxx_xxxx_xxxx : BL suffix */
+            offset = ((insn & 0x7ff) << 1) | 1;
+            tmp = load_reg(s, 14);
+            tcg_gen_addi_i32(tmp, tmp, offset);
+
+            tmp2 = tcg_temp_new_i32();
+            tcg_gen_movi_i32(tmp2, s->pc | 1);
+            store_reg(s, 14, tmp2);
+            gen_bx(s, tmp);
+        } else {
+            /* 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix */
+            uint32_t uoffset = ((int32_t)insn << 21) >> 9;
+
+            tcg_gen_movi_i32(cpu_R[14], s->pc + 2 + uoffset);
+        }
         break;
     }
     return;
-undef32:
-    gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
-                       default_exception_el(s));
-    return;
 illegal_op:
 undef:
     gen_exception_insn(s, 2, EXCP_UDEF, syn_uncategorized(),
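Review bot: the BL and BLX suffix sequences in case 14 and case 15 are now copies of each other that differ only in `tcg_gen_andi_i32(tmp, tmp, 0xfffffffc)` and the `| 1` on the offset; a small helper (e.g. gen_thumb1_bl_suffix(s, offset, is_blx)) would keep the `s->pc | 1` LR write and the gen_bx() in one place. Also, `uoffset` is a misleading name for a value that is explicitly sign-extended by `((int32_t)insn << 21) >> 9`; the `int32_t offset` already declared in this function would do.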
@@ -12119,12 +12131,38 @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
     CPUARMState *env = cpu->env_ptr;
+    uint32_t insn;
+    bool is_16bit;
 
     if (arm_pre_translate_insn(dc)) {
         return;
     }
 
-    disas_thumb_insn(env, dc);
+    insn = arm_lduw_code(env, dc->pc, dc->sctlr_b);
+    is_16bit = thumb_insn_is_16bit(dc, insn);
+    dc->pc += 2;
+    if (!is_16bit) {
+        uint32_t insn2 = arm_lduw_code(env, dc->pc, dc->sctlr_b);
+
+        insn = insn << 16 | insn2;
+        dc->pc += 2;
+    }
+
+    if (dc->condexec_mask) {
+        uint32_t cond = dc->condexec_cond;
+
+        if (cond != 0x0e) {     /* Skip conditional when condition is AL. */
+            dc->condlabel = gen_new_label();
+            arm_gen_test_cc(cond ^ 1, dc->condlabel);
+            dc->condjmp = 1;
+        }
+    }
+
+    if (is_16bit) {
+        disas_thumb_insn(dc, insn);
+    } else {
+        disas_thumb2_insn(dc, insn);
+    }
 
     /* Advance the Thumb condexec condition.  */
     if (dc->condexec_mask) {
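Review bot: the return value of disas_thumb2_insn() is discarded at `disas_thumb2_insn(dc, insn);`, but its contract (header comment: "Returns nonzero if the instruction is not legal") is that the caller raises the exception: the old call sites did `goto undef32`, and this patch removes the `undef32:` label together with its `gen_exception_insn(s, 4, EXCP_UDEF, ...)`. As written, an unrecognised 32-bit Thumb insn no longer generates an UNDEF at all. Suggest `} else if (disas_thumb2_insn(dc, insn)) { gen_exception_insn(dc, 4, EXCP_UDEF, syn_uncategorized(), default_exception_el(dc)); }`.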
-- 
2.7.4


* [Qemu-devel] [PULL 09/13] target-arm: Simplify insn_crosses_page()
From: Peter Maydell @ 2017-10-12 16:03 UTC (permalink / raw)
  To: qemu-devel

Recent changes have left insn_crosses_page() more complicated
than it needed to be:
 * it's only called from thumb_tr_translate_insn() so we know
   for certain that we're looking at a Thumb insn
 * the caller's check for dc->pc >= dc->next_page_start - 3
   means that dc->pc can't possibly be 4 aligned, so there's
   no need to check that (the check was partly there to ensure
   that we didn't treat an ARM insn as Thumb, I think)
 * we now have thumb_insn_is_16bit() which lets us do a precise
   check of the length of the next insn, rather than opencoding
   an inaccurate check

Simplify it down to just loading the first half of the insn
and calling thumb_insn_is_16bit() on it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1507556919-24992-8-git-send-email-peter.maydell@linaro.org
---
 target/arm/translate.c | 27 ++++++---------------------
 1 file changed, 6 insertions(+), 21 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index 19c136c..a5abdfa 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -11872,29 +11872,14 @@ static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
 {
     /* Return true if the insn at dc->pc might cross a page boundary.
      * (False positives are OK, false negatives are not.)
+     * We know this is a Thumb insn, and our caller ensures we are
+     * only called if dc->pc is less than 4 bytes from the page
+     * boundary, so we cross the page if the first 16 bits indicate
+     * that this is a 32 bit insn.
      */
-    uint16_t insn;
+    uint16_t insn = arm_lduw_code(env, s->pc, s->sctlr_b);
 
-    if ((s->pc & 3) == 0) {
-        /* At a 4-aligned address we can't be crossing a page */
-        return false;
-    }
-
-    /* This must be a Thumb insn */
-    insn = arm_lduw_code(env, s->pc, s->sctlr_b);
-
-    if ((insn >> 11) >= 0x1d) {
-        /* Top five bits 0b11101 / 0b11110 / 0b11111 : this is the
-         * First half of a 32-bit Thumb insn. Thumb-1 cores might
-         * end up actually treating this as two 16-bit insns (see the
-         * code at the start of disas_thumb2_insn()) but we don't bother
-         * to check for that as it is unlikely, and false positives here
-         * are harmless.
-         */
-        return true;
-    }
-    /* Definitely a 16-bit insn, can't be crossing a page. */
-    return false;
+    return !thumb_insn_is_16bit(s, insn);
 }
 
 static int arm_tr_init_disas_context(DisasContextBase *dcbase,
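Review bot: the new comment states a precondition ("our caller ensures we are only called if dc->pc is less than 4 bytes from the page boundary") that the function itself no longer checks, whereas the removed `(s->pc & 3) == 0` early return used to guard part of it. Suggest `assert(s->pc >= s->next_page_start - 3);` at the top, so the contract is enforced if a second caller ever appears rather than silently returning a wrong answer.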
-- 
2.7.4


* [Qemu-devel] [PULL 10/13] target/arm: Support some Thumb insns being always unconditional
From: Peter Maydell @ 2017-10-12 16:03 UTC (permalink / raw)
  To: qemu-devel

A few Thumb instructions are always unconditional even inside an
IT block (as opposed to being UNPREDICTABLE if used inside an
IT block): BKPT, the v8M SG instruction, and the A profile
HLT (debug halt) instruction.

This means we need to suppress the jump-over-instruction-on-condfail
code generation (though the IT state still advances as usual and
subsequent insns in the IT block may be conditional).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1507556919-24992-9-git-send-email-peter.maydell@linaro.org
---
 target/arm/translate.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index a5abdfa..6634bad 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -12112,6 +12112,52 @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
        in init_disas_context by adjusting max_insns.  */
 }
 
+static bool thumb_insn_is_unconditional(DisasContext *s, uint32_t insn)
+{
+    /* Return true if this Thumb insn is always unconditional,
+     * even inside an IT block. This is true of only a very few
+     * instructions: BKPT, HLT, and SG.
+     *
+     * A larger class of instructions are UNPREDICTABLE if used
+     * inside an IT block; we do not need to detect those here, because
+     * what we do by default (perform the cc check and update the IT
+     * bits state machine) is a permitted CONSTRAINED UNPREDICTABLE
+     * choice for those situations.
+     *
+     * insn is either a 16-bit or a 32-bit instruction; the two are
+     * distinguishable because for the 16-bit case the top 16 bits
+     * are zeroes, and that isn't a valid 32-bit encoding.
+     */
+    if ((insn & 0xffffff00) == 0xbe00) {
+        /* BKPT */
+        return true;
+    }
+
+    if ((insn & 0xffffffc0) == 0xba80 && arm_dc_feature(s, ARM_FEATURE_V8) &&
+        !arm_dc_feature(s, ARM_FEATURE_M)) {
+        /* HLT: v8A only. This is unconditional even when it is going to
+         * UNDEF; see the v8A ARM ARM DDI0487B.a H3.3.
+         * For v7 cores this was a plain old undefined encoding and so
+         * honours its cc check. (We might be using the encoding as
+         * a semihosting trap, but we don't change the cc check behaviour
+         * on that account, because a debugger connected to a real v7A
+         * core and emulating semihosting traps by catching the UNDEF
+         * exception would also only see cases where the cc check passed.
+         * No guest code should be trying to do a HLT semihosting trap
+         * in an IT block anyway.
+         */
+        return true;
+    }
+
+    if (insn == 0xe97fe97f && arm_dc_feature(s, ARM_FEATURE_V8) &&
+        arm_dc_feature(s, ARM_FEATURE_M)) {
+        /* SG: v8M only */
+        return true;
+    }
+
+    return false;
+}
+
 static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
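Review bot: the 16-bit/32-bit disambiguation inside thumb_insn_is_unconditional() relies on the caller having left the upper 16 bits of `insn` zero for a 16-bit insn, which holds only because of how thumb_tr_translate_insn() assembles `insn`; since that caller already holds `is_16bit`, pass it in (`thumb_insn_is_unconditional(s, insn, is_16bit)`) rather than inferring it from the encoding. Separately, the SG literal `0xe97fe97f` deserves a named constant: the same magic number is matched again in disas_thumb2_insn() in PULL 11/13 and the two checks must stay identical.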
@@ -12133,7 +12179,7 @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         dc->pc += 2;
     }
 
-    if (dc->condexec_mask) {
+    if (dc->condexec_mask && !thumb_insn_is_unconditional(dc, insn)) {
         uint32_t cond = dc->condexec_cond;
 
         if (cond != 0x0e) {     /* Skip conditional when condition is AL. */
-- 
2.7.4


* [Qemu-devel] [PULL 11/13] target/arm: Implement SG instruction corner cases
From: Peter Maydell @ 2017-10-12 16:03 UTC (permalink / raw)
  To: qemu-devel

The common situation of the SG instruction is that it is
executed from S&NSC memory by a CPU in NS state. That case
is handled by v7m_handle_execute_nsc(). However the instruction
also has defined behaviour in a couple of other cases:
 * SG instruction in NS memory (behaves as a NOP)
 * SG in S memory but CPU already secure (clears IT bits and
   does nothing else)
 * SG instruction in v8M without Security Extension (NOP)

These can be implemented in translate.c.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1507556919-24992-10-git-send-email-peter.maydell@linaro.org
---
 target/arm/translate.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index 6634bad..4da1a4c 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -9778,7 +9778,28 @@ static int disas_thumb2_insn(DisasContext *s, uint32_t insn)
              * - load/store doubleword, load/store exclusive, ldacq/strel,
              *   table branch.
              */
-            if (insn & 0x01200000) {
+            if (insn == 0xe97fe97f && arm_dc_feature(s, ARM_FEATURE_M) &&
+                arm_dc_feature(s, ARM_FEATURE_V8)) {
+                /* 0b1110_1001_0111_1111_1110_1001_0111_111
+                 *  - SG (v8M only)
+                 * The bulk of the behaviour for this instruction is implemented
+                 * in v7m_handle_execute_nsc(), which deals with the insn when
+                 * it is executed by a CPU in non-secure state from memory
+                 * which is Secure & NonSecure-Callable.
+                 * Here we only need to handle the remaining cases:
+                 *  * in NS memory (including the "security extension not
+                 *    implemented" case) : NOP
+                 *  * in S memory but CPU already secure (clear IT bits)
+                 * We know that the attribute for the memory this insn is
+                 * in must match the current CPU state, because otherwise
+                 * get_phys_addr_pmsav8 would have generated an exception.
+                 */
+                if (s->v8m_secure) {
+                    /* Like the IT insn, we don't need to generate any code */
+                    s->condexec_cond = 0;
+                    s->condexec_mask = 0;
+                }
+            } else if (insn & 0x01200000) {
                 /* 0b1110_1000_x11x_xxxx_xxxx_xxxx_xxxx_xxxx
                  *  - load/store dual (post-indexed)
                  * 0b1111_1001_x10x_xxxx_xxxx_xxxx_xxxx_xxxx
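Review bot: the encoding comment `0b1110_1001_0111_1111_1110_1001_0111_111` is one bit short (31 digits); for 0xe97fe97f it should read `0b1110_1001_0111_1111_1110_1001_0111_1111`. The compare `insn == 0xe97fe97f && arm_dc_feature(s, ARM_FEATURE_M) && arm_dc_feature(s, ARM_FEATURE_V8)` duplicates the SG match in thumb_insn_is_unconditional(); a shared named constant would keep the unconditional check and the decode from drifting apart.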
-- 
2.7.4


* [Qemu-devel] [PULL 12/13] nvic: Add missing 'break'
From: Peter Maydell @ 2017-10-12 16:03 UTC (permalink / raw)
  To: qemu-devel

Coverity points out that we forgot the 'break' for
the SAU_CTRL write case (CID1381683). This has
no actual visible consequences because it happens
that the following case is effectively a no-op.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 1507742676-9908-1-git-send-email-peter.maydell@linaro.org
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 hw/intc/armv7m_nvic.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index 22d5e6e..a42961c 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -1447,6 +1447,7 @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
             return;
         }
         cpu->env.sau.ctrl = value & 3;
+        break;
     case 0xdd4: /* SAU_TYPE */
         if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
             goto bad_offset;
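Review bot: the added `break;` is the right fix, and the preceding `return` in the !V8 path means the SAU_CTRL case now has exactly one exit on the V8 path. To catch this class of defect at build time rather than waiting on Coverity, any intentional fall-through in this switch should carry an explicit `/* fall through */` comment so the compiler's implicit-fallthrough warning can be enabled and flag the unintended ones.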
-- 
2.7.4


* [Qemu-devel] [PULL 13/13] nvic: Fix miscalculation of offsets into ITNS array
From: Peter Maydell @ 2017-10-12 16:03 UTC (permalink / raw)
  To: qemu-devel

This calculation of the first exception vector in
the ITNS<n> register being accessed:
        int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;

is incorrect, because offset is in bytes, so we only want
to multiply by 8.

Spotted by Coverity (CID 1381484, CID 1381488), though it is
not correct that it actually overflows the buffer, because
we have a 'startvec + i < s->num_irq' guard.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1507650856-11718-1-git-send-email-peter.maydell@linaro.org
---
 hw/intc/armv7m_nvic.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index a42961c..be46639 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -698,7 +698,7 @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
         return ((s->num_irq - NVIC_FIRST_IRQ) / 32) - 1;
     case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */
     {
-        int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
+        int startvec = 8 * (offset - 0x380) + NVIC_FIRST_IRQ;
         int i;
 
         if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
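Review bot: `8 * (offset - 0x380)` is correct (each 4-byte ITNS<n> register covers 32 vectors, so 8 per byte) but the derivation is not obvious from the bare constant; suggest writing it as `32 * ((offset - 0x380) / 4) + NVIC_FIRST_IRQ` or adding a comment, since the next reader will have to re-derive why 8 and not 32. The `startvec + i < s->num_irq` guard the commit message mentions is what kept the old factor from overrunning the array, so it should stay even with the corrected value.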
@@ -1102,7 +1102,7 @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
     switch (offset) {
     case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */
     {
-        int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
+        int startvec = 8 * (offset - 0x380) + NVIC_FIRST_IRQ;
         int i;
 
         if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
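Review bot: the identical `startvec` computation and V8 feature check now appear in both the nvic_readl() and nvic_writel() ITNS<n> cases; a tiny helper (e.g. `static int nvic_itns_startvec(uint32_t offset)`) would have meant this miscalculation needed fixing in one place rather than two.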
-- 
2.7.4


* Re: [Qemu-devel] [PULL 00/13] target-arm queue
From: Peter Maydell @ 2017-10-16  9:22 UTC (permalink / raw)
  To: QEMU Developers

On 12 October 2017 at 17:03, Peter Maydell <peter.maydell@linaro.org> wrote:
> target-arm queue:
>  * mostly my latest v8M stuff, plus a couple of minor patches
>
> The following changes since commit a0b261db8c030813e30a39eae47359ac2a37f7e2:
>
>   Merge remote-tracking branch 'remotes/ehabkost/tags/python-next-pull-request' into staging (2017-10-12 10:02:09 +0100)
>
> are available in the git repository at:
>
>   git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20171012
>
> for you to fetch changes up to cf5f7937b05c84d5565134f058c00cd48304a117:
>
>   nvic: Fix miscalculation of offsets into ITNS array (2017-10-12 16:33:16 +0100)
>
> ----------------------------------------------------------------
> target-arm queue:
>  * v8M: SG, BLXNS, secure-return
>  * v8M: fixes for coverity issues in previous patches
>  * arm: fix armv7m_init() declaration to match definition
>  * watchdog/aspeed: fix variable type to store reload value
>

Applied, thanks.

-- PMM


* Re: [Qemu-devel] [PULL 08/13] target/arm: Pull Thumb insn word loads up to top level
From: Emilio G. Cota @ 2017-12-08 23:09 UTC (permalink / raw)
  To: Peter Maydell; +Cc: qemu-devel, Richard Henderson, qemu-arm

On Thu, Oct 12, 2017 at 17:03:31 +0100, Peter Maydell wrote:
> Refactor the Thumb decode to do the loads of the instruction words at
> the top level rather than only loading the second half of a 32-bit
> Thumb insn in the middle of the decode.
> 
> This is simple apart from the awkward case of Thumb1, where the
> BL/BLX prefix and suffix instructions live in what in Thumb2 is the
> 32-bit insn space.  To handle these we decode enough to identify
> whether we're looking at a prefix/suffix that we handle as a 16 bit
> insn, or a prefix that we're going to merge with the following suffix
> to consider as a 32 bit insn.  The translation of the 16 bit cases
> then moves from disas_thumb2_insn() to disas_thumb_insn().
> 
> The refactoring has the benefit that we don't need to pass the
> CPUARMState* down into the decoder code any more, but the major
> reason for doing this is that some Thumb instructions must be always
> unconditional regardless of the IT state bits, so we need to know the
> whole insn before we emit the "skip this insn if the IT bits and cond
> state tell us to" code.  (The always unconditional insns are BKPT,
> HLT and SG; the last of these is 32 bits.)
> 
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
> Message-id: 1507556919-24992-7-git-send-email-peter.maydell@linaro.org

This commit breaks the debian-arm boot test (see [1]), boot dies at:

> random: systemd urandom read with 4 bits of entropy available
> systemd[1]: Caught <SEGV>, core dump failed.
> systemd[1]: Freezing execution.

Sorry I noticed this so late (-rc4), for a while I thought my development
was causing this and didn't pay much attention to it. However, just realised
the problem is present on master. Bisect log below.

Thanks,

		Emilio

[1] https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg04085.html

$ git bisect log
git bisect start
# bad: [2babfe0c9241c239272a03fec785165a50e8288c] Update version for v2.11.0-rc4 release
git bisect bad 2babfe0c9241c239272a03fec785165a50e8288c
# good: [1ab5eb4efb91a3d4569b0df6e824cc08ab4bd8ec] Update version for v2.10.0 release
git bisect good 1ab5eb4efb91a3d4569b0df6e824cc08ab4bd8ec
# good: [62a2554ec2630896d1299e1a282a64c7f3b00da0] 390x/css: introduce maximum data address checking
git bisect good 62a2554ec2630896d1299e1a282a64c7f3b00da0
# bad: [f51f315a676ec913a55ac27be4ef857f9f7ddc5c] translate-all: use qemu_protect_rwx/none helpers
git bisect bad f51f315a676ec913a55ac27be4ef857f9f7ddc5c
# bad: [9f99c85c4a364f8de8134eb53b0cc1b84ded4b3f] Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging
git bisect bad 9f99c85c4a364f8de8134eb53b0cc1b84ded4b3f
# good: [3637cf58f9441ad277fd70299a29d0e39b32c96c] util: move qemu_real_host_page_size/mask to osdep.h
git bisect good 3637cf58f9441ad277fd70299a29d0e39b32c96c
# bad: [b81b948ecc8659d78066f374c787ed12379d21dd] virtio/pci/migration: Convert to VMState
git bisect bad b81b948ecc8659d78066f374c787ed12379d21dd
# good: [43851b5bd48d952561610d0d6d6c314c97eff543] iotests: Set up Python logging
git bisect good 43851b5bd48d952561610d0d6d6c314c97eff543
# bad: [76eff04d166b8fe747adbe82de8b7e060e668ff9] target/arm: Implement SG instruction corner cases
git bisect bad 76eff04d166b8fe747adbe82de8b7e060e668ff9
# good: [b9f587d62cebed427206539750ebf59bde4df422] target/arm: Add M profile secure MMU index values to get_a32_user_mem_index()
git bisect good b9f587d62cebed427206539750ebf59bde4df422
# good: [6b8acf256df09c8a8dd7dcaa79b06eaff4ad63f7] target-arm: Don't check for "Thumb2 or M profile" for not-Thumb1
git bisect good 6b8acf256df09c8a8dd7dcaa79b06eaff4ad63f7
# bad: [5b8d7289e9e92a0d7bcecb93cd189e245fef10cd] target-arm: Simplify insn_crosses_page()
git bisect bad 5b8d7289e9e92a0d7bcecb93cd189e245fef10cd
# bad: [296e5a0a6c393553079a641c50521ae33ff89324] target/arm: Pull Thumb insn word loads up to top level
git bisect bad 296e5a0a6c393553079a641c50521ae33ff89324
# first bad commit: [296e5a0a6c393553079a641c50521ae33ff89324] target/arm: Pull Thumb insn word loads up to top level


* Re: [Qemu-devel] [PULL 08/13] target/arm: Pull Thumb insn word loads up to top level
From: Peter Maydell @ 2017-12-10 18:24 UTC (permalink / raw)
  To: Emilio G. Cota; +Cc: QEMU Developers, Richard Henderson, qemu-arm

On 8 December 2017 at 23:09, Emilio G. Cota <cota@braap.org> wrote:
> On Thu, Oct 12, 2017 at 17:03:31 +0100, Peter Maydell wrote:
>> Refactor the Thumb decode to do the loads of the instruction words at
>> the top level rather than only loading the second half of a 32-bit
>> Thumb insn in the middle of the decode.

> This commit breaks the debian-arm boot test (see [1]), boot dies at:
>
>> random: systemd urandom read with 4 bits of entropy available
>> systemd[1]: Caught <SEGV>, core dump failed.
>> systemd[1]: Freezing execution.
>
> Sorry I noticed this so late (-rc4), for a while I thought my development
> was causing this and didn't pay much attention to it. However, just realised
> the problem is present on master. Bisect log below.

It's missed the deadline for getting fixed in 2.11, but I'll have
a look at what's going on here.

thanks
-- PMM


* Re: [Qemu-devel] [PULL 08/13] target/arm: Pull Thumb insn word loads up to top level
  2017-12-10 18:24     ` Peter Maydell
@ 2017-12-11 15:37       ` Peter Maydell
  0 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2017-12-11 15:37 UTC (permalink / raw)
  To: Emilio G. Cota; +Cc: QEMU Developers, Richard Henderson, qemu-arm

On 10 December 2017 at 18:24, Peter Maydell <peter.maydell@linaro.org> wrote:
> On 8 December 2017 at 23:09, Emilio G. Cota <cota@braap.org> wrote:
>> On Thu, Oct 12, 2017 at 17:03:31 +0100, Peter Maydell wrote:
>>> Refactor the Thumb decode to do the loads of the instruction words at
>>> the top level rather than only loading the second half of a 32-bit
>>> Thumb insn in the middle of the decode.
>
>> This commit breaks the debian-arm boot test (see [1]), boot dies at:
>>
>>> random: systemd urandom read with 4 bits of entropy available
>>> systemd[1]: Caught <SEGV>, core dump failed.
>>> systemd[1]: Freezing execution.
>>
>> Sorry I noticed this so late (-rc4), for a while I thought my development
>> was causing this and didn't pay much attention to it. However, just realised
>> the problem is present on master. Bisect log below.
>
> It's missed the deadline for getting fixed in 2.11, but I'll have
> a look at what's going on here.

This is a really bad bug -- we accidentally stopped generating UNDEF
for 32-bit Thumb2 instructions that should UNDEF (including things
like "first use of FPU with FPU disabled", which is probably why
systemd falls over). I wish we'd noticed this a week ago :-(

Patch coming in a moment, anyway.

thanks
-- PMM
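
The failure mode described in the reply above (the refactored decoder no longer raising UNDEF for 32-bit Thumb2 instructions, including FPU use while the FPU is disabled, a trap the guest kernel relies on) is modelled in this added C example. It is not QEMU code: the `struct cpu`, the tiny decode table and the sample instruction bytes are constructed for illustration.

```c
/* Added example, not QEMU code: a minimal model of the two-level Thumb decode
 * discussed in the thread. The top level loads the insn halfword(s), the 32-bit
 * decoder says whether the encoding is defined, and the top level must turn
 * "undefined" into an UNDEF exception. Names and sample bytes are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum decode_status { DECODE_OK, DECODE_UNDEF };

struct cpu {
    const uint8_t *code;  /* little-endian Thumb code bytes */
    size_t code_len;
    uint32_t pc;
    bool fpu_enabled;     /* models "cp10/cp11 access enabled" */
    int undef_count;      /* UNDEF exceptions raised so far */
};

/* ARMv7 rule: a halfword whose top five bits are 0b11101, 0b11110 or 0b11111
 * is the first half of a 32-bit Thumb instruction. */
bool thumb_insn_is_16bit(uint16_t hw1)
{
    return (hw1 >> 11) < 0x1d;
}

static bool fetch_halfword(const struct cpu *cpu, uint32_t addr, uint16_t *hw)
{
    if (addr + 2 > cpu->code_len) return false;
    *hw = (uint16_t)(cpu->code[addr] | (cpu->code[addr + 1] << 8));
    return true;
}

static enum decode_status decode_thumb2_insn(const struct cpu *cpu,
                                             uint16_t hw1, uint16_t hw2)
{
    /* UDF.W (T2): hw1 = 0xF7Fx, hw2 = 0xAxxx, permanently UNDEFINED. */
    if ((hw1 & 0xFFF0) == 0xF7F0 && (hw2 & 0xF000) == 0xA000) {
        return DECODE_UNDEF;
    }
    /* Coprocessor/FP space (hw1 = 111x11xx xxxxxxxx), coprocessor number in
     * hw2[11:8]. cp10/cp11 are VFP: using them with the FPU disabled is the
     * "first use of FPU with FPU disabled" UNDEF case mentioned above. */
    if ((hw1 & 0xEC00) == 0xEC00) {
        unsigned coproc = (hw2 >> 8) & 0xf;
        bool vfp = coproc == 10 || coproc == 11;  /* others absent here */
        return (vfp && cpu->fpu_enabled) ? DECODE_OK : DECODE_UNDEF;
    }
    return DECODE_OK;  /* every other 32-bit encoding counts as defined here */
}

/* Execute one insn. Both halfwords are loaded here at the top level, not inside
 * the 32-bit decoder. With propagate_undef == false the 32-bit decoder's verdict
 * is dropped: the shape of the regression, 32-bit insns that should UNDEF run. */
static bool thumb_step(struct cpu *cpu, bool propagate_undef)
{
    uint16_t hw1, hw2 = 0;
    enum decode_status st;
    if (!fetch_halfword(cpu, cpu->pc, &hw1)) return false;  /* end of code */
    if (thumb_insn_is_16bit(hw1)) {
        /* UDF (T1), 0xDExx, is the only 16-bit UNDEF this model knows. */
        st = (hw1 & 0xFF00) == 0xDE00 ? DECODE_UNDEF : DECODE_OK;
        cpu->pc += 2;
    } else {
        if (!fetch_halfword(cpu, cpu->pc + 2, &hw2)) return false;
        st = decode_thumb2_insn(cpu, hw1, hw2);
        if (!propagate_undef) st = DECODE_OK;  /* the regression: verdict lost */
        cpu->pc += 4;
    }
    if (st == DECODE_UNDEF) {
        cpu->undef_count++;  /* a real CPU takes the exception; we skip on */
    }
    return true;
}

/* Run the constructed sequence nop; vadd.f32 s0,s1,s2; movs r0,#1; udf.w #0;
 * udf #0 and return how many UNDEF exceptions were raised. */
int count_undefs(bool fpu_enabled, bool propagate_undef)
{
    static const uint8_t code[] = {
        0x00, 0xBF,              /* nop                (16-bit) */
        0x30, 0xEE, 0x81, 0x0A,  /* vadd.f32 s0,s1,s2  (32-bit, cp10) */
        0x01, 0x20,              /* movs r0, #1        (16-bit) */
        0xF0, 0xF7, 0x00, 0xA0,  /* udf.w #0           (32-bit) */
        0x00, 0xDE,              /* udf #0             (16-bit) */
    };
    struct cpu cpu = { code, sizeof(code), 0, fpu_enabled, 0 };
    while (thumb_step(&cpu, propagate_undef)) {
    }
    return cpu.undef_count;
}

int main(void)
{
    printf("UNDEFs with FPU off: propagated=%d, 32-bit verdict dropped=%d\n",
           count_undefs(false, true), count_undefs(false, false));
    return 0;
}
```

With the FPU disabled the correct decoder raises three UNDEFs (VFP add, `udf.w`, `udf`); dropping the 32-bit verdict leaves only the 16-bit `udf`, so the VFP instruction the guest kernel expects to trap on runs straight through.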


* Re: [Qemu-devel] [PULL 00/13] target-arm queue
  2018-03-19 18:34 Peter Maydell
@ 2018-03-20  9:51 ` Peter Maydell
  0 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2018-03-20  9:51 UTC (permalink / raw)
  To: QEMU Developers

On 19 March 2018 at 18:34, Peter Maydell <peter.maydell@linaro.org> wrote:
> Arm patch queue -- these are all bug fix patches but we might
> as well put them in to rc0...
>
> thanks
> -- PMM
>
> The following changes since commit 2c8cfc0b52b5a4d123c26c0b5fdf941be24805be:
>
>   Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2018-03-19 11:44:26 +0000)
>
> are available in the Git repository at:
>
>   git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180319
>
> for you to fetch changes up to ff72cb6b46b95bb530787add5277c211af3d31c6:
>
>   hw/arm/raspi: Provide spin-loop code for AArch64 CPUs (2018-03-19 18:23:24 +0000)
>
> ----------------------------------------------------------------
> target-arm queue:
>  * fsl-imx6: Fix incorrect Ethernet interrupt defines
>  * dump: Update correct kdump phys_base field for AArch64
>  * char: i.MX: Add support for "TX complete" interrupt
>  * bcm2836/raspi: Fix various bugs resulting in panics trying
>    to boot a Debian Linux kernel on raspi3
>

Applied, thanks.

-- PMM


* [Qemu-devel] [PULL 00/13] target-arm queue
@ 2018-03-19 18:34 Peter Maydell
  2018-03-20  9:51 ` Peter Maydell
  0 siblings, 1 reply; 27+ messages in thread
From: Peter Maydell @ 2018-03-19 18:34 UTC (permalink / raw)
  To: qemu-devel

Arm patch queue -- these are all bug fix patches but we might
as well put them in to rc0...

thanks
-- PMM

The following changes since commit 2c8cfc0b52b5a4d123c26c0b5fdf941be24805be:

  Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2018-03-19 11:44:26 +0000)

are available in the Git repository at:

  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180319

for you to fetch changes up to ff72cb6b46b95bb530787add5277c211af3d31c6:

  hw/arm/raspi: Provide spin-loop code for AArch64 CPUs (2018-03-19 18:23:24 +0000)

----------------------------------------------------------------
target-arm queue:
 * fsl-imx6: Fix incorrect Ethernet interrupt defines
 * dump: Update correct kdump phys_base field for AArch64
 * char: i.MX: Add support for "TX complete" interrupt
 * bcm2836/raspi: Fix various bugs resulting in panics trying
   to boot a Debian Linux kernel on raspi3

----------------------------------------------------------------
Andrey Smirnov (2):
      char: i.MX: Simplify imx_update()
      char: i.MX: Add support for "TX complete" interrupt

Guenter Roeck (1):
      fsl-imx6: Swap Ethernet interrupt defines

Peter Maydell (9):
      hw/arm/raspi: Don't do board-setup or secure-boot for raspi3
      hw/arm/boot: assert that secure_boot and secure_board_setup are false for AArch64
      hw/arm/boot: If booting a kernel in EL2, set SCR_EL3.HCE
      hw/arm/bcm2386: Fix parent type of bcm2386
      hw/arm/bcm2836: Rename bcm2836 type/struct to bcm283x
      hw/arm/bcm2836: Create proper bcm2837 device
      hw/arm/bcm2836: Use correct affinity values for BCM2837
      hw/arm/bcm2836: Hardcode correct CPU type
      hw/arm/raspi: Provide spin-loop code for AArch64 CPUs

Wei Huang (1):
      dump: Update correct kdump phys_base field for AArch64

 include/hw/arm/bcm2836.h     | 31 +++++++++++++---
 include/hw/arm/fsl-imx6.h    |  4 +-
 include/hw/char/imx_serial.h |  3 ++
 dump.c                       | 14 +++++--
 hw/arm/bcm2836.c             | 87 +++++++++++++++++++++++++++++++-------------
 hw/arm/boot.c                | 12 ++++++
 hw/arm/raspi.c               | 77 +++++++++++++++++++++++++++++++--------
 hw/char/imx_serial.c         | 44 ++++++++++++++++------
 hw/net/imx_fec.c             | 28 +++++++++++++-
 9 files changed, 237 insertions(+), 63 deletions(-)


* Re: [Qemu-devel] [PULL 00/13] target-arm queue
  2017-02-07 18:37 Peter Maydell
  2017-02-07 18:55 ` Peter Maydell
@ 2017-02-07 19:01 ` no-reply
  1 sibling, 0 replies; 27+ messages in thread
From: no-reply @ 2017-02-07 19:01 UTC (permalink / raw)
  To: peter.maydell; +Cc: famz, qemu-devel

Hi,

Your series seems to have some coding style problems. See output below for
more information:

Type: series
Subject: [Qemu-devel] [PULL 00/13] target-arm queue
Message-id: 1486492645-27803-1-git-send-email-peter.maydell@linaro.org

=== TEST SCRIPT BEGIN ===
#!/bin/bash

BASE=base
n=1
total=$(git log --oneline $BASE.. | wc -l)
failed=0

# Useful git options
git config --local diff.renamelimit 0
git config --local diff.renames True

commits="$(git log --format=%H --reverse $BASE..)"
for c in $commits; do
    echo "Checking PATCH $n/$total: $(git log -n 1 --format=%s $c)..."
    if ! git show $c --format=email | ./scripts/checkpatch.pl --mailback -; then
        failed=1
        echo
    fi
    n=$((n+1))
done

exit $failed
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
From https://github.com/patchew-project/qemu
 - [tag update]      patchew/1486454676-29112-1-git-send-email-bharata@linux.vnet.ibm.com -> patchew/1486454676-29112-1-git-send-email-bharata@linux.vnet.ibm.com
 * [new tag]         patchew/1486492645-27803-1-git-send-email-peter.maydell@linaro.org -> patchew/1486492645-27803-1-git-send-email-peter.maydell@linaro.org
 - [tag update]      patchew/20170203160651.19917-1-dgilbert@redhat.com -> patchew/20170203160651.19917-1-dgilbert@redhat.com
 - [tag update]      patchew/20170206112953.16993-1-berrange@redhat.com -> patchew/20170206112953.16993-1-berrange@redhat.com
 - [tag update]      patchew/20170207135211.15870-1-marcandre.lureau@redhat.com -> patchew/20170207135211.15870-1-marcandre.lureau@redhat.com
Switched to a new branch 'test'
42d6adc stellaris: Use the 'unimplemented' device for parts we don't implement
437dc39 hw/misc: New "unimplemented" sysbus device
cf763a0 stellaris: Document memory map and which SoC devices are unimplemented
f9d8179 target/arm: A32, T32: Create Instruction Syndromes for Data Aborts
9a7aa9e target/arm: Abstract out pbit/wbit tests in ARM ldr/str decode
9d362c5 arm: Correctly handle watchpoints for BE32 CPUs
a454865 Fix Thumb-1 BE32 execution and disassembly.
753a1d2 target/arm: Add cfgend parameter for ARM CPU selection.
7ddb3c4 hw/arm/integratorcp: Support specifying features via -cpu
49b034d sd: sdhci: check data length during dma_memory_read
0ae81e4 aspeed: add a watchdog controller
d7e9de5 wdt: Add Aspeed watchdog device model
e677809 integratorcp: adding vmstate for save/restore

=== OUTPUT BEGIN ===
Checking PATCH 1/13: integratorcp: adding vmstate for save/restore...
Checking PATCH 2/13: wdt: Add Aspeed watchdog device model...
Checking PATCH 3/13: aspeed: add a watchdog controller...
Checking PATCH 4/13: sd: sdhci: check data length during dma_memory_read...
Checking PATCH 5/13: hw/arm/integratorcp: Support specifying features via -cpu...
Checking PATCH 6/13: target/arm: Add cfgend parameter for ARM CPU selection....
Checking PATCH 7/13: Fix Thumb-1 BE32 execution and disassembly....
ERROR: code indent should never use tabs
#44: FILE: include/disas/bfd.h:298:
+#define INSN_ARM_BE32^I0x00010000$

total: 1 errors, 0 warnings, 77 lines checked

Your patch has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

Checking PATCH 8/13: arm: Correctly handle watchpoints for BE32 CPUs...
ERROR: space prohibited between function name and open parenthesis '('
#49: FILE: include/qom/cpu.h:200:
+    vaddr (*adjust_watchpoint_address)(CPUState *cpu, vaddr addr, int len);

total: 1 errors, 0 warnings, 88 lines checked

Your patch has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

Checking PATCH 9/13: target/arm: Abstract out pbit/wbit tests in ARM ldr/str decode...
Checking PATCH 10/13: target/arm: A32, T32: Create Instruction Syndromes for Data Aborts...
Checking PATCH 11/13: stellaris: Document memory map and which SoC devices are unimplemented...
Checking PATCH 12/13: hw/misc: New "unimplemented" sysbus device...
Checking PATCH 13/13: stellaris: Use the 'unimplemented' device for parts we don't implement...
=== OUTPUT END ===

Test command exited with code: 1


---
Email generated automatically by Patchew [http://patchew.org/].
Please send your feedback to patchew-devel@freelists.org


* Re: [Qemu-devel] [PULL 00/13] target-arm queue
  2017-02-07 18:37 Peter Maydell
@ 2017-02-07 18:55 ` Peter Maydell
  2017-02-07 19:01 ` no-reply
  1 sibling, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2017-02-07 18:55 UTC (permalink / raw)
  To: QEMU Developers

On 7 February 2017 at 18:37, Peter Maydell <peter.maydell@linaro.org> wrote:
> A random mix of items here, nothing very major.
>
> thanks
> -- PMM
>
>
> The following changes since commit d0dff238a87fa81393ed72754d4dc8b09e50b08b:
>
>   Merge remote-tracking branch 'remotes/juanquintela/tags/migration/20170206' into staging (2017-02-07 15:29:26 +0000)
>
> are available in the git repository at:
>
>   git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20170207
>
> for you to fetch changes up to 7727b832886fafbdec7299eb7773dc9071bf4cdd:
>
>   stellaris: Use the 'unimplemented' device for parts we don't implement (2017-02-07 18:30:00 +0000)
>
> ----------------------------------------------------------------
> target-arm:
>  * new "unimplemented" device for stubbing out devices in a
>    system model so accesses can be logged
>  * stellaris: document the SoC memory map
>  * arm: create instruction syndromes for AArch32 data aborts
>  * arm: Correctly handle watchpoints for BE32 CPUs
>  * Fix Thumb-1 BE32 execution and disassembly
>  * arm: Add cfgend parameter for ARM CPU selection
>  * sd: sdhci: check data length during dma_memory_read
>  * aspeed: add a watchdog controller
>  * integratorcp: adding vmstate for save/restore

Clang complains about unused functions; will squash in:

diff --git a/target/arm/translate.c b/target/arm/translate.c
index a14f74c..4436d8f 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -982,7 +982,7 @@ static inline void
gen_aa32_ld##SUFF##_iss(DisasContext *s,              \
                                            TCGv_i32 a32, int index,      \
                                            ISSInfo issinfo)              \
 {                                                                        \
-    gen_aa32_ld_i32(s, val, a32, index, OPC | s->be_data);               \
+    gen_aa32_ld##SUFF(s, val, a32, index);                               \
     disas_set_da_iss(s, OPC, issinfo);                                   \
 }

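Review bot: the `_iss` load wrapper now drops the explicit `OPC | s->be_data` memop and delegates to `gen_aa32_ld##SUFF`, so this is only behaviour-preserving if that non-iss variant (not shown in the hunk) still passes exactly `OPC | s->be_data`; since this is being squashed into the syndromes patch, its commit message should say that the `_iss` variants are thin wrappers around the plain accessors, and the two definitions should stay adjacent in the macro so the memop can only be changed in one place. Separately, as pasted here the hunk looks mangled by the mailer: the `@@` header's function context spills onto the following line, and `val`, which the `+` line passes through, does not appear in the visible parameter list, so this would not apply with `git am` as-is (fine for a local squash, but re-send from git if it ever needs to be applied standalone).
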
@@ -997,7 +997,7 @@ static inline void
gen_aa32_st##SUFF##_iss(DisasContext *s,              \
                                            TCGv_i32 a32, int index,      \
                                            ISSInfo issinfo)              \
 {                                                                        \
-    gen_aa32_st_i32(s, val, a32, index, OPC | s->be_data);               \
+    gen_aa32_st##SUFF(s, val, a32, index);                               \
     disas_set_da_iss(s, OPC, issinfo | ISSIsWrite);                      \
 }

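Review bot: same dependency on the store side: `gen_aa32_st##SUFF` must keep passing `OPC | s->be_data`, or the `_iss` store wrapper silently changes the access size or endianness it generates. The retained `issinfo | ISSIsWrite` on the unchanged `disas_set_da_iss` line is now the only thing that distinguishes this wrapper from the load one, so a one-line comment on the macro stating that the `_iss` variants exist solely to record syndrome information would stop a future cleanup from folding them back into the plain accessors. The same mail-wrapping problem as the load hunk applies here (`val` used on the `+` line but absent from the visible parameter list).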

(which avoids the problem by having the _iss() versions of the
function call the non-iss versions rather than duplicating
their function body; seems like better code anyway.)

thanks
-- PMM


* [Qemu-devel] [PULL 00/13] target-arm queue
@ 2017-02-07 18:37 Peter Maydell
  2017-02-07 18:55 ` Peter Maydell
  2017-02-07 19:01 ` no-reply
  0 siblings, 2 replies; 27+ messages in thread
From: Peter Maydell @ 2017-02-07 18:37 UTC (permalink / raw)
  To: qemu-devel

A random mix of items here, nothing very major.

thanks
-- PMM


The following changes since commit d0dff238a87fa81393ed72754d4dc8b09e50b08b:

  Merge remote-tracking branch 'remotes/juanquintela/tags/migration/20170206' into staging (2017-02-07 15:29:26 +0000)

are available in the git repository at:

  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20170207

for you to fetch changes up to 7727b832886fafbdec7299eb7773dc9071bf4cdd:

  stellaris: Use the 'unimplemented' device for parts we don't implement (2017-02-07 18:30:00 +0000)

----------------------------------------------------------------
target-arm:
 * new "unimplemented" device for stubbing out devices in a
   system model so accesses can be logged
 * stellaris: document the SoC memory map
 * arm: create instruction syndromes for AArch32 data aborts
 * arm: Correctly handle watchpoints for BE32 CPUs
 * Fix Thumb-1 BE32 execution and disassembly
 * arm: Add cfgend parameter for ARM CPU selection
 * sd: sdhci: check data length during dma_memory_read
 * aspeed: add a watchdog controller
 * integratorcp: adding vmstate for save/restore

----------------------------------------------------------------
Cédric Le Goater (2):
      wdt: Add Aspeed watchdog device model
      aspeed: add a watchdog controller

Julian Brown (4):
      hw/arm/integratorcp: Support specifying features via -cpu
      target/arm: Add cfgend parameter for ARM CPU selection.
      Fix Thumb-1 BE32 execution and disassembly.
      arm: Correctly handle watchpoints for BE32 CPUs

Pavel Dovgalyuk (1):
      integratorcp: adding vmstate for save/restore

Peter Maydell (5):
      target/arm: Abstract out pbit/wbit tests in ARM ldr/str decode
      target/arm: A32, T32: Create Instruction Syndromes for Data Aborts
      stellaris: Document memory map and which SoC devices are unimplemented
      hw/misc: New "unimplemented" sysbus device
      stellaris: Use the 'unimplemented' device for parts we don't implement

Prasad J Pandit (1):
      sd: sdhci: check data length during dma_memory_read

 hw/misc/Makefile.objs            |   2 +
 hw/watchdog/Makefile.objs        |   1 +
 include/disas/bfd.h              |   7 ++
 include/hw/arm/aspeed_soc.h      |   2 +
 include/hw/misc/unimp.h          |  39 +++++++
 include/hw/watchdog/wdt_aspeed.h |  32 ++++++
 include/qom/cpu.h                |   3 +
 target/arm/arm_ldst.h            |  10 +-
 target/arm/cpu.h                 |   7 ++
 target/arm/internals.h           |   5 +
 target/arm/translate.h           |  14 +++
 disas.c                          |   1 +
 exec.c                           |   1 +
 hw/arm/aspeed_soc.c              |  13 +++
 hw/arm/integratorcp.c            |  78 +++++++++++++-
 hw/arm/stellaris.c               |  48 +++++++++
 hw/misc/unimp.c                  | 107 +++++++++++++++++++
 hw/sd/sdhci.c                    |   2 +-
 hw/watchdog/wdt_aspeed.c         | 225 +++++++++++++++++++++++++++++++++++++++
 qom/cpu.c                        |   6 ++
 target/arm/cpu.c                 |  39 +++++++
 target/arm/op_helper.c           |  22 ++++
 target/arm/translate-a64.c       |  14 ---
 target/arm/translate.c           | 193 ++++++++++++++++++++++++---------
 24 files changed, 801 insertions(+), 70 deletions(-)
 create mode 100644 include/hw/misc/unimp.h
 create mode 100644 include/hw/watchdog/wdt_aspeed.h
 create mode 100644 hw/misc/unimp.c
 create mode 100644 hw/watchdog/wdt_aspeed.c


* Re: [Qemu-devel] [PULL 00/13] target-arm queue
  2015-11-03 14:13 Peter Maydell
@ 2015-11-03 15:31 ` Peter Maydell
  0 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2015-11-03 15:31 UTC (permalink / raw)
  To: QEMU Developers

On 3 November 2015 at 14:13, Peter Maydell <peter.maydell@linaro.org> wrote:
> Here's the target-arm queue for 2.5: a few minor cleanups, one or
> two small new features, and a pile of bug fixes.
>
> Still on my to-review list for 2.5:
>  * the breakpoint/singlestep fixes
>  * highbank boot blob patchset
>  * zynq ADC controller (maybe)
>
> so I expect to do another pullreq before rc0.
>
> thanks
> -- PMM
>
> The following changes since commit 130d0bc6594d0cc6591d00312841891b3c187b07:
>
>   Merge remote-tracking branch 'remotes/kraxel/tags/pull-ui-20151103-1' into staging (2015-11-03 10:20:04 +0000)
>
> are available in the git repository at:
>
>
>   git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20151103
>
> for you to fetch changes up to 5d9c1756140d680e66e5b45005a1fb7078b74ee1:
>
>   ARM: ACPI: Fix MPIDR value in ACPI table (2015-11-03 13:49:42 +0000)
>
> ----------------------------------------------------------------
> target-arm queue:
>  * code cleanup to use symbolic constants for register bank numbers
>  * fix direct booting of modern Linux kernels on xilinx_zynq by setting
>    SCLR values to what the kernel expects firmware to have done
>  * implement SYSRESETREQ for ARMv7M CPU (stellaris boards)
>  * update MAINTAINERS to mention new qemu-arm mailing list
>  * clean up display of PSTATE in AArch64 debug logs
>  * report Secure/Nonsecure status in CPU debug logs
>  * fix a missing _CCA attribute in ACPI tables
>  * add support for GICv3 to ACPI tables
>
> ----------------------------------------------------------------

Applied, thanks.

-- PMM


* [Qemu-devel] [PULL 00/13] target-arm queue
@ 2015-11-03 14:13 Peter Maydell
  2015-11-03 15:31 ` Peter Maydell
  0 siblings, 1 reply; 27+ messages in thread
From: Peter Maydell @ 2015-11-03 14:13 UTC (permalink / raw)
  To: qemu-devel

Here's the target-arm queue for 2.5: a few minor cleanups, one or
two small new features, and a pile of bug fixes.

Still on my to-review list for 2.5:
 * the breakpoint/singlestep fixes
 * highbank boot blob patchset
 * zynq ADC controller (maybe)

so I expect to do another pullreq before rc0.

thanks
-- PMM

The following changes since commit 130d0bc6594d0cc6591d00312841891b3c187b07:

  Merge remote-tracking branch 'remotes/kraxel/tags/pull-ui-20151103-1' into staging (2015-11-03 10:20:04 +0000)

are available in the git repository at:


  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20151103

for you to fetch changes up to 5d9c1756140d680e66e5b45005a1fb7078b74ee1:

  ARM: ACPI: Fix MPIDR value in ACPI table (2015-11-03 13:49:42 +0000)

----------------------------------------------------------------
target-arm queue:
 * code cleanup to use symbolic constants for register bank numbers
 * fix direct booting of modern Linux kernels on xilinx_zynq by setting
   SCLR values to what the kernel expects firmware to have done
 * implement SYSRESETREQ for ARMv7M CPU (stellaris boards)
 * update MAINTAINERS to mention new qemu-arm mailing list
 * clean up display of PSTATE in AArch64 debug logs
 * report Secure/Nonsecure status in CPU debug logs
 * fix a missing _CCA attribute in ACPI tables
 * add support for GICv3 to ACPI tables

----------------------------------------------------------------
Graeme Gregory (1):
      hw/arm/virt-acpi-build: _CCA attribute is compulsory

Michael Davidsaver (3):
      armv7-m: Return DeviceState* from armv7m_init()
      armv7-m: Implement SYSRESETREQ
      arm: stellaris: exit on external reset request

Peter Crosthwaite (3):
      arm: boot: Adjust indentation of FIXUP comments
      arm: boot: Add board specific setup code API
      arm: xilinx_zynq: Add linux pre-boot

Peter Maydell (3):
      MAINTAINERS: Add new qemu-arm mailing list to ARM related entries
      target-arm: Bring AArch64 debug CPU display of PSTATE into line with AArch32
      target-arm: Report S/NS status in the CPU debug logs

Shannon Zhao (2):
      hw/arm/virt-acpi-build: Add GICC ACPI subtable for GICv3
      ARM: ACPI: Fix MPIDR value in ACPI table

Soren Brinkmann (1):
      target-arm: Add and use symbolic names for register banks

 MAINTAINERS                | 23 +++++++++++++++++++++++
 hw/arm/armv7m.c            |  9 ++-------
 hw/arm/boot.c              | 36 +++++++++++++++++++++++++++---------
 hw/arm/stellaris.c         | 41 ++++++++++++++++++++++++++++++-----------
 hw/arm/stm32f205_soc.c     | 15 ++++++++-------
 hw/arm/virt-acpi-build.c   | 33 +++++++++++++++++++--------------
 hw/arm/xilinx_zynq.c       | 42 ++++++++++++++++++++++++++++++++++++++++++
 hw/intc/armv7m_nvic.c      |  9 ++++++++-
 include/hw/arm/arm.h       | 12 +++++++++++-
 target-arm/helper.c        | 37 ++++++++++++++++++++++---------------
 target-arm/internals.h     | 16 +++++++++++++---
 target-arm/kvm32.c         | 34 +++++++++++++++++-----------------
 target-arm/op_helper.c     |  8 ++++----
 target-arm/translate-a64.c | 17 ++++++++++++++---
 target-arm/translate.c     | 12 +++++++++++-
 15 files changed, 251 insertions(+), 93 deletions(-)


* Re: [Qemu-devel] [PULL 00/13] target-arm queue
  2015-10-16 13:57 Peter Maydell
@ 2015-10-17 14:05 ` Peter Maydell
  0 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2015-10-17 14:05 UTC (permalink / raw)
  To: QEMU Developers

On 16 October 2015 at 14:57, Peter Maydell <peter.maydell@linaro.org> wrote:
> Flushing the target-arm queue for softfreeze. I still have stuff
> in my to-review queue but it mostly looked too RFC-ish/otherwise
> not really 2.5 material, or just needs a bit more time on list for
> review.
>
> thanks
> -- PMM
>
>
>
> The following changes since commit c49d3411faae8ffaab8f7e5db47405a008411c10:
>
>   Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-10-12' into staging (2015-10-13 10:42:06 +0100)
>
> are available in the git repository at:
>
>
>   git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20151016
>
> for you to fetch changes up to 5d98bf8f38c17a348ab6e8af196088cd4953acd0:
>
>   target-arm: Fix CPU breakpoint handling (2015-10-16 14:48:56 +0100)
>
> ----------------------------------------------------------------
> target-arm queue:
>  * break TBs after ISB instructions
>  * more support code for future implementation of EL2 and 64-bit EL3
>  * tell guest if KVM is enabled in SMBIOS version string
>  * implement OSLAR/OSLSR system registers
>  * provide better help text for Sharp PDA machine names
>  * rename imx25_pdk to imx25-pdk (since it has never been released
>    with the underscore-version name)
>  * fix MMIO writes in zynq_slcr
>  * implement MDCR_EL2
>  * virt: allow the guest to configure PCI BARs with zero PCI addresses
>  * fix breakpoint handling code
>
> ----------------------------------------------------------------

Applied, thanks.

-- PMM


* [Qemu-devel] [PULL 00/13] target-arm queue
@ 2015-10-16 13:57 Peter Maydell
  2015-10-17 14:05 ` Peter Maydell
  0 siblings, 1 reply; 27+ messages in thread
From: Peter Maydell @ 2015-10-16 13:57 UTC (permalink / raw)
  To: qemu-devel

Flushing the target-arm queue for softfreeze. I still have stuff
in my to-review queue but it mostly looked too RFC-ish/otherwise
not really 2.5 material, or just needs a bit more time on list for
review.

thanks
-- PMM



The following changes since commit c49d3411faae8ffaab8f7e5db47405a008411c10:

  Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-10-12' into staging (2015-10-13 10:42:06 +0100)

are available in the git repository at:


  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20151016

for you to fetch changes up to 5d98bf8f38c17a348ab6e8af196088cd4953acd0:

  target-arm: Fix CPU breakpoint handling (2015-10-16 14:48:56 +0100)

----------------------------------------------------------------
target-arm queue:
 * break TBs after ISB instructions
 * more support code for future implementation of EL2 and 64-bit EL3
 * tell guest if KVM is enabled in SMBIOS version string
 * implement OSLAR/OSLSR system registers
 * provide better help text for Sharp PDA machine names
 * rename imx25_pdk to imx25-pdk (since it has never been released
   with the underscore-version name)
 * fix MMIO writes in zynq_slcr
 * implement MDCR_EL2
 * virt: allow the guest to configure PCI BARs with zero PCI addresses
 * fix breakpoint handling code

----------------------------------------------------------------
Alexander Gordeev (1):
      hw/arm/virt: Allow zero address for PCI IO space

Andrew Jones (1):
      hw/arm/virt: smbios: inform guest of kvm

Davorin Mista (1):
      target-arm: Implement AArch64 OSLAR/OSLSR_EL1 sysregs

Peter Crosthwaite (2):
      arm: imx25-pdk: Fix machine name
      misc: zynq_slcr: Fix MMIO writes

Ryo ONODERA (1):
      target-arm: Provide model numbers for Sharp PDAs

Sergey Fedorov (4):
      target-arm: Add MDCR_EL2
      target-arm: implement arm_debug_target_el()
      target-arm: Fix GDB breakpoint handling
      target-arm: Fix CPU breakpoint handling

Sergey Sorokin (2):
      target-arm: Break the TB after ISB to execute self-modified code correctly
      target-arm: Avoid calling arm_el_is_aa64() function for unimplemented EL

Stefan Weil (1):
      target-arm: Add missing 'static' attribute

 hw/arm/collie.c            |  2 +-
 hw/arm/imx25_pdk.c         |  2 +-
 hw/arm/spitz.c             |  8 +++----
 hw/arm/tosa.c              |  2 +-
 hw/arm/virt.c              |  8 ++++++-
 hw/misc/zynq_slcr.c        |  8 +++----
 target-arm/cpu.h           | 30 +++++++++++++++++++----
 target-arm/helper.c        | 60 +++++++++++++++++++++++++++++++++++++++++-----
 target-arm/helper.h        |  2 ++
 target-arm/op_helper.c     | 35 ++++++++++++++++++---------
 target-arm/translate-a64.c | 25 ++++++++++++++-----
 target-arm/translate.c     | 36 ++++++++++++++++++++++------
 tests/ds1338-test.c        |  2 +-
 13 files changed, 173 insertions(+), 47 deletions(-)

