From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 06/22] target/arm: Default handling of BTYPE during translation
Date: Tue, 5 Feb 2019 17:04:54 +0000 [thread overview]
Message-ID: <20190205170510.21984-7-peter.maydell@linaro.org> (raw)
In-Reply-To: <20190205170510.21984-1-peter.maydell@linaro.org>
From: Richard Henderson <richard.henderson@linaro.org>
The branch target exception for guarded pages has high priority,
and only 8 instructions are valid for that case. Perform this
check before doing any other decode.
Clear BTYPE after all insns that neither set BTYPE nor exit via
exception (DISAS_NORETURN).
Not yet handled are insns that exit via DISAS_NORETURN for some
other reason, like direct branches.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190128223118.5255-7-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target/arm/internals.h | 6 ++
target/arm/translate.h | 9 ++-
target/arm/translate-a64.c | 139 +++++++++++++++++++++++++++++++++++++
3 files changed, 152 insertions(+), 2 deletions(-)
diff --git a/target/arm/internals.h b/target/arm/internals.h
index a6fd4582b2b..d01a3f9f44b 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -268,6 +268,7 @@ enum arm_exception_class {
EC_FPIDTRAP = 0x08,
EC_PACTRAP = 0x09,
EC_CP14RRTTRAP = 0x0c,
+ EC_BTITRAP = 0x0d,
EC_ILLEGALSTATE = 0x0e,
EC_AA32_SVC = 0x11,
EC_AA32_HVC = 0x12,
@@ -439,6 +440,11 @@ static inline uint32_t syn_pactrap(void)
return EC_PACTRAP << ARM_EL_EC_SHIFT;
}
+static inline uint32_t syn_btitrap(int btype)
+{
+ return (EC_BTITRAP << ARM_EL_EC_SHIFT) | btype;
+}
+
static inline uint32_t syn_insn_abort(int same_el, int ea, int s1ptw, int fsc)
{
return (EC_INSNABORT << ARM_EL_EC_SHIFT) | (same_el << ARM_EL_EC_SHIFT)
diff --git a/target/arm/translate.h b/target/arm/translate.h
index 3d5e8bacacb..f73939d7b4f 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -71,8 +71,13 @@ typedef struct DisasContext {
bool pauth_active;
/* True with v8.5-BTI and SCTLR_ELx.BT* set. */
bool bt;
- /* A copy of PSTATE.BTYPE, which will be 0 without v8.5-BTI. */
- uint8_t btype;
+ /*
+ * >= 0, a copy of PSTATE.BTYPE, which will be 0 without v8.5-BTI.
+ * < 0, set by the current instruction.
+ */
+ int8_t btype;
+ /* True if this page is guarded. */
+ bool guarded_page;
/* Bottom two bits of XScale c15_cpar coprocessor access control reg */
int c15_cpar;
/* TCG op of the current insn_start. */
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index a92fd433783..7034fb3d129 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -128,6 +128,16 @@ static inline int get_a64_user_mem_index(DisasContext *s)
return arm_to_core_mmu_idx(useridx);
}
+static void reset_btype(DisasContext *s)
+{
+ if (s->btype != 0) {
+ TCGv_i32 zero = tcg_const_i32(0);
+ tcg_gen_st_i32(zero, cpu_env, offsetof(CPUARMState, btype));
+ tcg_temp_free_i32(zero);
+ s->btype = 0;
+ }
+}
+
void aarch64_cpu_dump_state(CPUState *cs, FILE *f,
fprintf_function cpu_fprintf, int flags)
{
@@ -13756,6 +13766,90 @@ static void disas_data_proc_simd_fp(DisasContext *s, uint32_t insn)
}
}
+/**
+ * is_guarded_page:
+ * @env: The cpu environment
+ * @s: The DisasContext
+ *
+ * Return true if the page is guarded.
+ */
+static bool is_guarded_page(CPUARMState *env, DisasContext *s)
+{
+#ifdef CONFIG_USER_ONLY
+ return false; /* FIXME */
+#else
+ uint64_t addr = s->base.pc_first;
+ int mmu_idx = arm_to_core_mmu_idx(s->mmu_idx);
+ unsigned int index = tlb_index(env, mmu_idx, addr);
+ CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
+
+ /*
+ * We test this immediately after reading an insn, which means
+ * that any normal page must be in the TLB. The only exception
+ * would be for executing from flash or device memory, which
+ * does not retain the TLB entry.
+ *
+ * FIXME: Assume false for those, for now. We could use
+ * arm_cpu_get_phys_page_attrs_debug to re-read the page
+ * table entry even for that case.
+ */
+ return (tlb_hit(entry->addr_code, addr) &&
+ env->iotlb[mmu_idx][index].attrs.target_tlb_bit0);
+#endif
+}
+
+/**
+ * btype_destination_ok:
+ * @insn: The instruction at the branch destination
+ * @bt: SCTLR_ELx.BT
+ * @btype: PSTATE.BTYPE, and is non-zero
+ *
+ * On a guarded page, there are a limited number of insns
+ * that may be present at the branch target:
+ * - branch target identifiers,
+ * - paciasp, pacibsp,
+ * - BRK insn
+ * - HLT insn
+ * Anything else causes a Branch Target Exception.
+ *
+ * Return true if the branch is compatible, false to raise BTITRAP.
+ */
+static bool btype_destination_ok(uint32_t insn, bool bt, int btype)
+{
+ if ((insn & 0xfffff01fu) == 0xd503201fu) {
+ /* HINT space */
+ switch (extract32(insn, 5, 7)) {
+ case 0b011001: /* PACIASP */
+ case 0b011011: /* PACIBSP */
+ /*
+ * If SCTLR_ELx.BT, then PACI*SP are not compatible
+ * with btype == 3. Otherwise all btype are ok.
+ */
+ return !bt || btype != 3;
+ case 0b100000: /* BTI */
+ /* Not compatible with any btype. */
+ return false;
+ case 0b100010: /* BTI c */
+ /* Not compatible with btype == 3 */
+ return btype != 3;
+ case 0b100100: /* BTI j */
+ /* Not compatible with btype == 2 */
+ return btype != 2;
+ case 0b100110: /* BTI jc */
+ /* Compatible with any btype. */
+ return true;
+ }
+ } else {
+ switch (insn & 0xffe0001fu) {
+ case 0xd4200000u: /* BRK */
+ case 0xd4400000u: /* HLT */
+ /* Give priority to the breakpoint exception. */
+ return true;
+ }
+ }
+ return false;
+}
+
/* C3.1 A64 instruction index by encoding */
static void disas_a64_insn(CPUARMState *env, DisasContext *s)
{
@@ -13767,6 +13861,43 @@ static void disas_a64_insn(CPUARMState *env, DisasContext *s)
s->fp_access_checked = false;
+ if (dc_isar_feature(aa64_bti, s)) {
+ if (s->base.num_insns == 1) {
+ /*
+ * At the first insn of the TB, compute s->guarded_page.
+ * We delayed computing this until successfully reading
+ * the first insn of the TB, above. This (mostly) ensures
+ * that the softmmu tlb entry has been populated, and the
+ * page table GP bit is available.
+ *
+ * Note that we need to compute this even if btype == 0,
+ * because this value is used for BR instructions later
+ * where ENV is not available.
+ */
+ s->guarded_page = is_guarded_page(env, s);
+
+ /* First insn can have btype set to non-zero. */
+ tcg_debug_assert(s->btype >= 0);
+
+ /*
+ * Note that the Branch Target Exception has fairly high
+ * priority -- below debugging exceptions but above most
+ * everything else. This allows us to handle this now
+ * instead of waiting until the insn is otherwise decoded.
+ */
+ if (s->btype != 0
+ && s->guarded_page
+ && !btype_destination_ok(insn, s->bt, s->btype)) {
+ gen_exception_insn(s, 4, EXCP_UDEF, syn_btitrap(s->btype),
+ default_exception_el(s));
+ return;
+ }
+ } else {
+ /* Not the first insn: btype must be 0. */
+ tcg_debug_assert(s->btype == 0);
+ }
+ }
+
switch (extract32(insn, 25, 4)) {
case 0x0: case 0x1: case 0x3: /* UNALLOCATED */
unallocated_encoding(s);
@@ -13803,6 +13934,14 @@ static void disas_a64_insn(CPUARMState *env, DisasContext *s)
/* if we allocated any temporaries, free them here */
free_tmp_a64(s);
+
+ /*
+ * After execution of most insns, btype is reset to 0.
+ * Note that we set btype == -1 when the insn sets btype.
+ */
+ if (s->btype > 0 && s->base.is_jmp != DISAS_NORETURN) {
+ reset_btype(s);
+ }
}
static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
--
2.20.1
next prev parent reply other threads:[~2019-02-05 17:05 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-05 17:04 [Qemu-devel] [PULL 00/22] target-arm queue Peter Maydell
2019-02-05 17:04 ` [Qemu-devel] [PULL 01/22] target/arm: Introduce isar_feature_aa64_bti Peter Maydell
2019-02-05 17:04 ` [Qemu-devel] [PULL 02/22] target/arm: Add PSTATE.BTYPE Peter Maydell
2019-02-05 17:04 ` [Qemu-devel] [PULL 03/22] target/arm: Add BT and BTYPE to tb->flags Peter Maydell
2019-02-05 17:04 ` [Qemu-devel] [PULL 04/22] exec: Add target-specific tlb bits to MemTxAttrs Peter Maydell
2019-02-05 17:04 ` [Qemu-devel] [PULL 05/22] target/arm: Cache the GP bit for a page in MemTxAttrs Peter Maydell
2019-02-05 17:04 ` Peter Maydell [this message]
2019-02-05 17:04 ` [Qemu-devel] [PULL 07/22] target/arm: Reset btype for direct branches Peter Maydell
2019-02-05 17:04 ` [Qemu-devel] [PULL 08/22] target/arm: Set btype for indirect branches Peter Maydell
2019-02-05 17:04 ` [Qemu-devel] [PULL 09/22] target/arm: Enable BTI for -cpu max Peter Maydell
2019-02-05 17:04 ` [Qemu-devel] [PULL 10/22] linux-user: Implement PR_PAC_RESET_KEYS Peter Maydell
2019-02-05 17:04 ` [Qemu-devel] [PULL 11/22] tests/tcg/aarch64: Add pauth smoke test Peter Maydell
2019-02-11 15:52 ` Philippe Mathieu-Daudé
2019-02-11 16:04 ` Alex Bennée
2019-02-11 16:05 ` Philippe Mathieu-Daudé
2019-02-05 17:05 ` [Qemu-devel] [PULL 12/22] target/arm: Add TBFLAG_A64_TBID, split out gen_top_byte_ignore Peter Maydell
2019-02-05 17:05 ` [Qemu-devel] [PULL 13/22] target/arm: Clean TBI for data operations in the translator Peter Maydell
2019-02-05 17:05 ` [Qemu-devel] [PULL 14/22] target/arm: Compute TB_FLAGS for TBI for user-only Peter Maydell
2019-02-05 17:05 ` [Qemu-devel] [PULL 15/22] target/arm: Enable " Peter Maydell
2019-02-05 17:05 ` [Qemu-devel] [PULL 16/22] gdbstub: allow killing QEMU via vKill command Peter Maydell
2019-02-05 17:05 ` [Qemu-devel] [PULL 17/22] hw/arm/boot: Fix block comment style in arm_load_kernel() Peter Maydell
2019-02-05 17:05 ` [Qemu-devel] [PULL 18/22] hw/arm/boot: Factor out "direct kernel boot" code into its own function Peter Maydell
2019-02-05 17:05 ` [Qemu-devel] [PULL 19/22] hw/arm/boot: Factor out "set up firmware boot" code Peter Maydell
2019-02-05 17:05 ` [Qemu-devel] [PULL 20/22] hw/arm/boot: Clarify why arm_setup_firmware_boot() doesn't set env->boot_info Peter Maydell
2019-02-05 17:05 ` [Qemu-devel] [PULL 21/22] hw/arm/boot: Support DTB autoload for firmware-only boots Peter Maydell
2019-02-05 17:05 ` [Qemu-devel] [PULL 22/22] target/arm: Make FPSCR/FPCR trapped-exception bits RAZ/WI Peter Maydell
2019-02-05 18:03 ` [Qemu-devel] [PULL 00/22] target-arm queue no-reply
2019-02-05 18:04 ` no-reply
2019-02-05 18:27 ` no-reply
2019-02-05 19:36 ` Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190205170510.21984-7-peter.maydell@linaro.org \
--to=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.