Series comparison

-[Qemu-devel] [PULL 00/31] target-arm queue
+[Qemu-devel] [PULL 00/25] target-arm queue
-ARM queue: mostly patches from me, but also the Smartfusion2 board.
+target-arm queue. This has the "plumb txattrs through various
 bits of exec.c" patches, and a collection of bug fixes from
 various people.
 thanks
 -- PMM
-The following changes since commit 9ee660e7c138595224b65ddc1c5712549f0a278c:
-  Merge remote-tracking branch 'remotes/yongbok/tags/mips-20170921' into staging (2017-09-21 14:40:32 +0100)
-are available in the git repository at:
+The following changes since commit a3ac12fba028df90f7b3dbec924995c126c41022:
-  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20170921
+  Merge remote-tracking branch 'remotes/ehabkost/tags/numa-next-pull-request' into staging (2018-05-31 11:12:36 +0100)
-for you to fetch changes up to 6d262dcb7d108eda93813574c2061398084dc795:
+are available in the Git repository at:
-  msf2: Add Emcraft's Smartfusion2 SOM kit (2017-09-21 16:36:56 +0100)
+  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180531
 for you to fetch changes up to 49d1dca0520ea71bc21867fab6647f474fcf857b:
   KVM: GIC: Fix memory leak due to calling kvm_init_irq_routing twice (2018-05-31 14:52:53 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * more preparatory work for v8M support
+ * target/arm: Honour FPCR.FZ in FRECPX
- * convert some omap devices away from old_mmio
+ * MAINTAINERS: Add entries for newer MPS2 boards and devices
- * remove out of date ARM ARM section references in comments
+ * hw/intc/arm_gicv3: Fix APxR<n> register dispatching
- * add the Smartfusion2 board
+ * arm_gicv3_kvm: fix bug in writing zero bits back to the in-kernel
    GIC state
  * tcg: Fix helper function vs host abi for float16
  * arm: fix qemu crash on startup with -bios option
  * arm: fix malloc type mismatch
  * xlnx-zdma: Correct mem leaks and memset to zero on desc unaligned errors
  * Correct CPACR reset value for v7 cores
  * memory.h: Improve IOMMU related documentation
  * exec: Plumb transaction attributes through various functions in
    preparation for allowing IOMMUs to see them
  * vmstate.h: Provide VMSTATE_BOOL_SUB_ARRAY
  * ARM: ACPI: Fix use-after-free due to memory realloc
  * KVM: GIC: Fix memory leak due to calling kvm_init_irq_routing twice
 ----------------------------------------------------------------
-Peter Maydell (26):
+Francisco Iglesias (1):
-      target/arm: Implement MSR/MRS access to NS banked registers
+      xlnx-zdma: Correct mem leaks and memset to zero on desc unaligned errors
       nvic: Add banked exception states
       nvic: Add cached vectpending_is_s_banked state
       nvic: Add cached vectpending_prio state
       nvic: Implement AIRCR changes for v8M
       nvic: Make ICSR.RETTOBASE handle banked exceptions
       nvic: Implement NVIC_ITNS<n> registers
       nvic: Handle banked exceptions in nvic_recompute_state()
       nvic: Make set_pending and clear_pending take a secure parameter
       nvic: Make SHPR registers banked
       nvic: Compare group priority for escalation to HF
       nvic: In escalation to HardFault, support HF not being priority -1
       nvic: Implement v8M changes to fixed priority exceptions
       nvic: Disable the non-secure HardFault if AIRCR.BFHFNMINS is clear
       nvic: Handle v8M changes in nvic_exec_prio()
       target/arm: Handle banking in negative-execution-priority check in cpu_mmu_index()
       nvic: Make ICSR banked for v8M
       nvic: Make SHCSR banked for v8M
       nvic: Support banked exceptions in acknowledge and complete
       target/arm: Remove out of date ARM ARM section references in A64 decoder
       hw/arm/palm.c: Don't use old_mmio for static_ops
       hw/gpio/omap_gpio.c: Don't use old_mmio
       hw/timer/omap_synctimer.c: Don't use old_mmio
       hw/timer/omap_gptimer: Don't use old_mmio
       hw/i2c/omap_i2c.c: Don't use old_mmio
       hw/arm/omap2.c: Don't use old_mmio
-Subbaraya Sundeep (5):
+Igor Mammedov (1):
-      msf2: Add Smartfusion2 System timer
+      arm: fix qemu crash on startup with -bios option
       msf2: Microsemi Smartfusion2 System Register block
       msf2: Add Smartfusion2 SPI controller
       msf2: Add Smartfusion2 SoC
       msf2: Add Emcraft's Smartfusion2 SOM kit
- hw/arm/Makefile.objs            |   1 +
+Jan Kiszka (1):
- hw/misc/Makefile.objs           |   1 +
+      hw/intc/arm_gicv3: Fix APxR<n> register dispatching
  hw/ssi/Makefile.objs            |   1 +
  hw/timer/Makefile.objs          |   1 +
  include/hw/arm/msf2-soc.h       |  67 +++
  include/hw/intc/armv7m_nvic.h   |  33 +-
  include/hw/misc/msf2-sysreg.h   |  77 ++++
  include/hw/ssi/mss-spi.h        |  58 +++
  include/hw/timer/mss-timer.h    |  64 +++
  target/arm/cpu.h                |  62 ++-
  hw/arm/msf2-soc.c               | 238 +++++++++++
  hw/arm/msf2-som.c               | 105 +++++
  hw/arm/omap2.c                  |  49 ++-
  hw/arm/palm.c                   |  30 +-
  hw/gpio/omap_gpio.c             |  26 +-
  hw/i2c/omap_i2c.c               |  44 +-
  hw/intc/armv7m_nvic.c           | 913 ++++++++++++++++++++++++++++++++++------
  hw/misc/msf2-sysreg.c           | 160 +++++++
  hw/ssi/mss-spi.c                | 404 ++++++++++++++++++
  hw/timer/mss-timer.c            | 289 +++++++++++++
  hw/timer/omap_gptimer.c         |  49 ++-
  hw/timer/omap_synctimer.c       |  35 +-
  target/arm/cpu.c                |   7 +
  target/arm/helper.c             | 142 ++++++-
  target/arm/translate-a64.c      | 227 +++++-----
  default-configs/arm-softmmu.mak |   1 +
  hw/intc/trace-events            |  13 +-
  hw/misc/trace-events            |   5 +
 files changed, 2735 insertions(+), 367 deletions(-)
  create mode 100644 include/hw/arm/msf2-soc.h
  create mode 100644 include/hw/misc/msf2-sysreg.h
  create mode 100644 include/hw/ssi/mss-spi.h
  create mode 100644 include/hw/timer/mss-timer.h
  create mode 100644 hw/arm/msf2-soc.c
  create mode 100644 hw/arm/msf2-som.c
  create mode 100644 hw/misc/msf2-sysreg.c
  create mode 100644 hw/ssi/mss-spi.c
  create mode 100644 hw/timer/mss-timer.c
+Paolo Bonzini (1):
+      arm: fix malloc type mismatch
+Peter Maydell (17):
+      target/arm: Honour FPCR.FZ in FRECPX
+      MAINTAINERS: Add entries for newer MPS2 boards and devices
+      Correct CPACR reset value for v7 cores
+      memory.h: Improve IOMMU related documentation
+      Make tb_invalidate_phys_addr() take a MemTxAttrs argument
+      Make address_space_translate{, _cached}() take a MemTxAttrs argument
+      Make address_space_map() take a MemTxAttrs argument
+      Make address_space_access_valid() take a MemTxAttrs argument
+      Make flatview_extend_translation() take a MemTxAttrs argument
+      Make memory_region_access_valid() take a MemTxAttrs argument
+      Make MemoryRegion valid.accepts callback take a MemTxAttrs argument
+      Make flatview_access_valid() take a MemTxAttrs argument
+      Make flatview_translate() take a MemTxAttrs argument
+      Make address_space_get_iotlb_entry() take a MemTxAttrs argument
+      Make flatview_do_translate() take a MemTxAttrs argument
+      Make address_space_translate_iommu take a MemTxAttrs argument
+      vmstate.h: Provide VMSTATE_BOOL_SUB_ARRAY
+Richard Henderson (1):
+      tcg: Fix helper function vs host abi for float16
+Shannon Zhao (3):
+      arm_gicv3_kvm: increase clroffset accordingly
+      ARM: ACPI: Fix use-after-free due to memory realloc
+      KVM: GIC: Fix memory leak due to calling kvm_init_irq_routing twice
+ include/exec/exec-all.h        |   5 +-
+ include/exec/helper-head.h     |   2 +-
+ include/exec/memory-internal.h |   3 +-
+ include/exec/memory.h          | 128 +++++++++++++++++++++++++++++++++++------
+ include/migration/vmstate.h    |   3 +
+ include/sysemu/dma.h           |   6 +-
+ accel/tcg/translate-all.c      |   4 +-
+ exec.c                         |  95 ++++++++++++++++++------------
+ hw/arm/boot.c                  |  18 +++---
+ hw/arm/virt-acpi-build.c       |  20 +++++--
+ hw/dma/xlnx-zdma.c             |  10 +++-
+ hw/hppa/dino.c                 |   3 +-
+ hw/intc/arm_gic_kvm.c          |   1 -
+ hw/intc/arm_gicv3_cpuif.c      |  12 ++--
+ hw/intc/arm_gicv3_kvm.c        |   2 +-
+ hw/nvram/fw_cfg.c              |  12 ++--
+ hw/s390x/s390-pci-inst.c       |   3 +-
+ hw/scsi/esp.c                  |   3 +-
+ hw/vfio/common.c               |   3 +-
+ hw/virtio/vhost.c              |   3 +-
+ hw/xen/xen_pt_msi.c            |   3 +-
+ memory.c                       |  12 ++--
+ memory_ldst.inc.c              |  18 +++---
+ target/arm/gdbstub.c           |   3 +-
+ target/arm/helper-a64.c        |  41 +++++++------
+ target/arm/helper.c            |  90 ++++++++++++++++-------------
+ target/ppc/mmu-hash64.c        |   3 +-
+ target/riscv/helper.c          |   2 +-
+ target/s390x/diag.c            |   6 +-
+ target/s390x/excp_helper.c     |   3 +-
+ target/s390x/mmu_helper.c      |   3 +-
+ target/s390x/sigp.c            |   3 +-
+ target/xtensa/op_helper.c      |   3 +-
+ MAINTAINERS                    |   9 ++-
+files changed, 353 insertions(+), 182 deletions(-)

-[Qemu-devel] [PULL 14/31] nvic: Disable the non-secure HardFault if AIRCR.BFHFNMINS is clear
+[Qemu-devel] [PULL 01/25] target/arm: Honour FPCR.FZ in FRECPX
-If AIRCR.BFHFNMINS is clear, then although NonSecure HardFault
+The FRECPX instructions should (like most other floating point operations)
-can still be pended via SHCSR.HARDFAULTPENDED it mustn't actually
+honour the FPCR.FZ bit which specifies whether input denormals should
-preempt execution. The simple way to achieve this is to clear the
+be flushed to zero (or FZ16 for the half-precision version).
-enable bit for it, since the enable bit isn't guest visible.
+We forgot to implement this, which doesn't affect the results (since
 the calculation doesn't actually care about the mantissa bits) but did
 mean we were failing to set the FPSR.IDC bit.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505240046-11454-15-git-send-email-peter.maydell@linaro.org
+Message-id: 20180521172712.19930-1-peter.maydell@linaro.org
 ---
- hw/intc/armv7m_nvic.c | 12 ++++++++++--
+ target/arm/helper-a64.c | 6 ++++++
-file changed, 10 insertions(+), 2 deletions(-)
+file changed, 6 insertions(+)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
+diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
+--- a/target/arm/helper-a64.c
-+++ b/hw/intc/armv7m_nvic.c
++++ b/target/arm/helper-a64.c
-@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
+@@ -XXX,XX +XXX,XX @@ float16 HELPER(frecpx_f16)(float16 a, void *fpstp)
-                     (R_V7M_AIRCR_SYSRESETREQS_MASK |
+         return nan;
                       R_V7M_AIRCR_BFHFNMINS_MASK |
                       R_V7M_AIRCR_PRIS_MASK);
 -                /* BFHFNMINS changes the priority of Secure HardFault */
 +                /* BFHFNMINS changes the priority of Secure HardFault, and
 +                 * allows a pending Non-secure HardFault to preempt (which
 +                 * we implement by marking it enabled).
 +                 */
                  if (cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) {
                      s->sec_vectors[ARMV7M_EXCP_HARD].prio = -3;
 +                    s->vectors[ARMV7M_EXCP_HARD].enabled = 1;
                  } else {
                      s->sec_vectors[ARMV7M_EXCP_HARD].prio = -1;
 +                    s->vectors[ARMV7M_EXCP_HARD].enabled = 0;
                  }
              }
              nvic_irq_update(s);
@@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_reset(DeviceState *dev)
      NVICState *s = NVIC(dev);
      s->vectors[ARMV7M_EXCP_NMI].enabled = 1;
 -    s->vectors[ARMV7M_EXCP_HARD].enabled = 1;
      /* MEM, BUS, and USAGE are enabled through
       * the System Handler Control register
       */
@@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_reset(DeviceState *dev)
          /* AIRCR.BFHFNMINS resets to 0 so Secure HF is priority -1 (R_CMTC) */
          s->sec_vectors[ARMV7M_EXCP_HARD].prio = -1;
 +        /* If AIRCR.BFHFNMINS is 0 then NS HF is (effectively) disabled */
 +        s->vectors[ARMV7M_EXCP_HARD].enabled = 0;
 +    } else {
 +        s->vectors[ARMV7M_EXCP_HARD].enabled = 1;
      }
-     /* Strictly speaking the reset handler should be enabled.
++    a = float16_squash_input_denormal(a, fpst);
 +
      val16 = float16_val(a);
      sbit = 0x8000 & val16;
      exp = extract32(val16, 10, 5);
@@ -XXX,XX +XXX,XX @@ float32 HELPER(frecpx_f32)(float32 a, void *fpstp)
          return nan;
      }
 +    a = float32_squash_input_denormal(a, fpst);
 +
      val32 = float32_val(a);
      sbit = 0x80000000ULL & val32;
      exp = extract32(val32, 23, 8);
@@ -XXX,XX +XXX,XX @@ float64 HELPER(frecpx_f64)(float64 a, void *fpstp)
          return nan;
      }
 +    a = float64_squash_input_denormal(a, fpst);
 +
      val64 = float64_val(a);
      sbit = 0x8000000000000000ULL & val64;
      exp = extract64(float64_val(a), 52, 11);
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 26/31] hw/arm/omap2.c: Don't use old_mmio
+[Qemu-devel] [PULL 02/25] MAINTAINERS: Add entries for newer MPS2 boards and devices
-Don't use old_mmio in the memory region ops struct.
+Add entries to MAINTAINERS to cover the newer MPS2 boards and
 the new devices they use.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20180518153157.14899-1-peter.maydell@linaro.org
 Message-id: 1505580378-9044-7-git-send-email-peter.maydell@linaro.org
 ---
- hw/arm/omap2.c | 49 +++++++++++++++++++++++++++++++++++++------------
+ MAINTAINERS | 9 +++++++--
-file changed, 37 insertions(+), 12 deletions(-)
+file changed, 7 insertions(+), 2 deletions(-)
-diff --git a/hw/arm/omap2.c b/hw/arm/omap2.c
+diff --git a/MAINTAINERS b/MAINTAINERS
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/omap2.c
+--- a/MAINTAINERS
-+++ b/hw/arm/omap2.c
++++ b/MAINTAINERS
-@@ -XXX,XX +XXX,XX @@ static void omap_sysctl_write(void *opaque, hwaddr addr,
+@@ -XXX,XX +XXX,XX @@ F: hw/timer/cmsdk-apb-timer.c
-     }
+ F: include/hw/timer/cmsdk-apb-timer.h
- }
+ F: hw/char/cmsdk-apb-uart.c
+ F: include/hw/char/cmsdk-apb-uart.h
-+static uint64_t omap_sysctl_readfn(void *opaque, hwaddr addr,
++F: hw/misc/tz-ppc.c
-+                                   unsigned size)
++F: include/hw/misc/tz-ppc.h
-+{
-+    switch (size) {
+ ARM cores
-+    case 1:
+ M: Peter Maydell <peter.maydell@linaro.org>
-+        return omap_sysctl_read8(opaque, addr);
+@@ -XXX,XX +XXX,XX @@ M: Peter Maydell <peter.maydell@linaro.org>
-+    case 2:
+ L: qemu-arm@nongnu.org
-+        return omap_badwidth_read32(opaque, addr); /* TODO */
+ S: Maintained
-+    case 4:
+ F: hw/arm/mps2.c
-+        return omap_sysctl_read(opaque, addr);
+-F: hw/misc/mps2-scc.c
-+    default:
+-F: include/hw/misc/mps2-scc.h
-+        g_assert_not_reached();
++F: hw/arm/mps2-tz.c
-+    }
++F: hw/misc/mps2-*.c
-+}
++F: include/hw/misc/mps2-*.h
-+
++F: hw/arm/iotkit.c
-+static void omap_sysctl_writefn(void *opaque, hwaddr addr,
++F: include/hw/arm/iotkit.h
-+                                uint64_t value, unsigned size)
-+{
+ Musicpal
-+    switch (size) {
+ M: Jan Kiszka <jan.kiszka@web.de>
 +    case 1:
 +        omap_sysctl_write8(opaque, addr, value);
 +        break;
 +    case 2:
 +        omap_badwidth_write32(opaque, addr, value); /* TODO */
 +        break;
 +    case 4:
 +        omap_sysctl_write(opaque, addr, value);
 +        break;
 +    default:
 +        g_assert_not_reached();
 +    }
 +}
 +
  static const MemoryRegionOps omap_sysctl_ops = {
 -    .old_mmio = {
 -        .read = {
 -            omap_sysctl_read8,
 -            omap_badwidth_read32,    /* TODO */
 -            omap_sysctl_read,
 -        },
 -        .write = {
 -            omap_sysctl_write8,
 -            omap_badwidth_write32,    /* TODO */
 -            omap_sysctl_write,
 -        },
 -    },
 +    .read = omap_sysctl_readfn,
 +    .write = omap_sysctl_writefn,
 +    .valid.min_access_size = 1,
 +    .valid.max_access_size = 4,
      .endianness = DEVICE_NATIVE_ENDIAN,
  };
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 31/31] msf2: Add Emcraft's Smartfusion2 SOM kit
+[Qemu-devel] [PULL 03/25] hw/intc/arm_gicv3: Fix APxR<n> register dispatching
-From: Subbaraya Sundeep <sundeep.lkml@gmail.com>
+From: Jan Kiszka <jan.kiszka@siemens.com>
-Emulated Emcraft's Smartfusion2 System On Module starter
+There was a nasty flip in identifying which register group an access is
-kit.
+targeting. The issue caused spuriously raised priorities of the guest
 when handing CPUs over in the Jailhouse hypervisor.
-Signed-off-by: Subbaraya Sundeep <sundeep.lkml@gmail.com>
+Cc: qemu-stable@nongnu.org
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
-Message-id: 20170920201737.25723-6-f4bug@amsat.org
+Message-id: 28b927d3-da58-bce4-cc13-bfec7f9b1cb9@siemens.com
-[PMD: drop cpu_model to directly use cpu type]
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/Makefile.objs |   2 +-
+ hw/intc/arm_gicv3_cpuif.c | 12 ++++++------
- hw/arm/msf2-som.c    | 105 +++++++++++++++++++++++++++++++++++++++++++++++++++
+file changed, 6 insertions(+), 6 deletions(-)
 files changed, 106 insertions(+), 1 deletion(-)
  create mode 100644 hw/arm/msf2-som.c
-diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
+diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/Makefile.objs
+--- a/hw/intc/arm_gicv3_cpuif.c
-+++ b/hw/arm/Makefile.objs
++++ b/hw/intc/arm_gicv3_cpuif.c
-@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_FSL_IMX31) += fsl-imx31.o kzm.o
+@@ -XXX,XX +XXX,XX @@ static uint64_t icv_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
- obj-$(CONFIG_FSL_IMX6) += fsl-imx6.o sabrelite.o
+ {
- obj-$(CONFIG_ASPEED_SOC) += aspeed_soc.o aspeed.o
+     GICv3CPUState *cs = icc_cs_from_env(env);
- obj-$(CONFIG_MPS2) += mps2.o
+     int regno = ri->opc2 & 3;
--obj-$(CONFIG_MSF2) += msf2-soc.o
+-    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
-+obj-$(CONFIG_MSF2) += msf2-soc.o msf2-som.o
++    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
-diff --git a/hw/arm/msf2-som.c b/hw/arm/msf2-som.c
+     uint64_t value = cs->ich_apr[grp][regno];
-new file mode 100644
-index XXXXXXX..XXXXXXX
+     trace_gicv3_icv_ap_read(ri->crm & 1, regno, gicv3_redist_affid(cs), value);
---- /dev/null
+@@ -XXX,XX +XXX,XX @@ static void icv_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
-+++ b/hw/arm/msf2-som.c
+ {
-@@ -XXX,XX +XXX,XX @@
+     GICv3CPUState *cs = icc_cs_from_env(env);
-+/*
+     int regno = ri->opc2 & 3;
-+ * SmartFusion2 SOM starter kit(from Emcraft) emulation.
+-    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
-+ *
++    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
-+ * Copyright (c) 2017 Subbaraya Sundeep <sundeep.lkml@gmail.com>
-+ *
+     trace_gicv3_icv_ap_write(ri->crm & 1, regno, gicv3_redist_affid(cs), value);
-+ * Permission is hereby granted, free of charge, to any person obtaining a copy
-+ * of this software and associated documentation files (the "Software"), to deal
+@@ -XXX,XX +XXX,XX @@ static uint64_t icc_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
-+ * in the Software without restriction, including without limitation the rights
+     uint64_t value;
-+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-+ * copies of the Software, and to permit persons to whom the Software is
+     int regno = ri->opc2 & 3;
-+ * furnished to do so, subject to the following conditions:
+-    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1;
-+ *
++    int grp = (ri->crm & 1) ? GICV3_G1 : GICV3_G0;
-+ * The above copyright notice and this permission notice shall be included in
-+ * all copies or substantial portions of the Software.
+     if (icv_access(env, grp == GICV3_G0 ? HCR_FMO : HCR_IMO)) {
-+ *
+         return icv_ap_read(env, ri);
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+@@ -XXX,XX +XXX,XX @@ static void icc_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+     GICv3CPUState *cs = icc_cs_from_env(env);
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+     int regno = ri->opc2 & 3;
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+-    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1;
-+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++    int grp = (ri->crm & 1) ? GICV3_G1 : GICV3_G0;
-+ * THE SOFTWARE.
-+ */
+     if (icv_access(env, grp == GICV3_G0 ? HCR_FMO : HCR_IMO)) {
-+
+         icv_ap_write(env, ri, value);
-+#include "qemu/osdep.h"
+@@ -XXX,XX +XXX,XX @@ static uint64_t ich_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
-+#include "qapi/error.h"
+ {
-+#include "qemu/error-report.h"
+     GICv3CPUState *cs = icc_cs_from_env(env);
-+#include "hw/boards.h"
+     int regno = ri->opc2 & 3;
-+#include "hw/arm/arm.h"
+-    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
-+#include "exec/address-spaces.h"
++    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
-+#include "qemu/cutils.h"
+     uint64_t value;
-+#include "hw/arm/msf2-soc.h"
-+#include "cpu.h"
+     value = cs->ich_apr[grp][regno];
-+
+@@ -XXX,XX +XXX,XX @@ static void ich_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
-+#define DDR_BASE_ADDRESS      0xA0000000
+ {
-+#define DDR_SIZE              (64 * M_BYTE)
+     GICv3CPUState *cs = icc_cs_from_env(env);
-+
+     int regno = ri->opc2 & 3;
-+#define M2S010_ENVM_SIZE      (256 * K_BYTE)
+-    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
-+#define M2S010_ESRAM_SIZE     (64 * K_BYTE)
++    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
-+
-+static void emcraft_sf2_s2s010_init(MachineState *machine)
+     trace_gicv3_ich_ap_write(ri->crm & 1, regno, gicv3_redist_affid(cs), value);
-+{
 +    DeviceState *dev;
 +    DeviceState *spi_flash;
 +    MSF2State *soc;
 +    MachineClass *mc = MACHINE_GET_CLASS(machine);
 +    DriveInfo *dinfo = drive_get_next(IF_MTD);
 +    qemu_irq cs_line;
 +    SSIBus *spi_bus;
 +    MemoryRegion *sysmem = get_system_memory();
 +    MemoryRegion *ddr = g_new(MemoryRegion, 1);
 +
 +    if (strcmp(machine->cpu_type, mc->default_cpu_type) != 0) {
 +        error_report("This board can only be used with CPU %s",
 +                     mc->default_cpu_type);
 +    }
 +
 +    memory_region_init_ram(ddr, NULL, "ddr-ram", DDR_SIZE,
 +                           &error_fatal);
 +    memory_region_add_subregion(sysmem, DDR_BASE_ADDRESS, ddr);
 +
 +    dev = qdev_create(NULL, TYPE_MSF2_SOC);
 +    qdev_prop_set_string(dev, "part-name", "M2S010");
 +    qdev_prop_set_string(dev, "cpu-type", mc->default_cpu_type);
 +
 +    qdev_prop_set_uint64(dev, "eNVM-size", M2S010_ENVM_SIZE);
 +    qdev_prop_set_uint64(dev, "eSRAM-size", M2S010_ESRAM_SIZE);
 +
 +    /*
 +     * CPU clock and peripheral clocks(APB0, APB1)are configurable
 +     * in Libero. CPU clock is divided by APB0 and APB1 divisors for
 +     * peripherals. Emcraft's SoM kit comes with these settings by default.
 +     */
 +    qdev_prop_set_uint32(dev, "m3clk", 142 * 1000000);
 +    qdev_prop_set_uint32(dev, "apb0div", 2);
 +    qdev_prop_set_uint32(dev, "apb1div", 2);
 +
 +    object_property_set_bool(OBJECT(dev), true, "realized", &error_fatal);
 +
 +    soc = MSF2_SOC(dev);
 +
 +    /* Attach SPI flash to SPI0 controller */
 +    spi_bus = (SSIBus *)qdev_get_child_bus(dev, "spi0");
 +    spi_flash = ssi_create_slave_no_init(spi_bus, "s25sl12801");
 +    qdev_prop_set_uint8(spi_flash, "spansion-cr2nv", 1);
 +    if (dinfo) {
 +        qdev_prop_set_drive(spi_flash, "drive", blk_by_legacy_dinfo(dinfo),
 +                                    &error_fatal);
 +    }
 +    qdev_init_nofail(spi_flash);
 +    cs_line = qdev_get_gpio_in_named(spi_flash, SSI_GPIO_CS, 0);
 +    sysbus_connect_irq(SYS_BUS_DEVICE(&soc->spi[0]), 1, cs_line);
 +
 +    armv7m_load_kernel(ARM_CPU(first_cpu), machine->kernel_filename,
 +                       soc->envm_size);
 +}
 +
 +static void emcraft_sf2_machine_init(MachineClass *mc)
 +{
 +    mc->desc = "SmartFusion2 SOM kit from Emcraft (M2S010)";
 +    mc->init = emcraft_sf2_s2s010_init;
 +    mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-m3");
 +}
 +
 +DEFINE_MACHINE("emcraft-sf2", emcraft_sf2_machine_init)
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 30/31] msf2: Add Smartfusion2 SoC
+[Qemu-devel] [PULL 04/25] arm_gicv3_kvm: increase clroffset accordingly
-From: Subbaraya Sundeep <sundeep.lkml@gmail.com>
+From: Shannon Zhao <zhaoshenglong@huawei.com>
-Smartfusion2 SoC has hardened Microcontroller subsystem
+It forgot to increase clroffset during the loop. So it only clear the
-and flash based FPGA fabric. This patch adds support for
+first 4 bytes.
 Microcontroller subsystem in the SoC.
-Signed-off-by: Subbaraya Sundeep <sundeep.lkml@gmail.com>
+Fixes: 367b9f527becdd20ddf116e17a3c0c2bbc486920
-Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
+Cc: qemu-stable@nongnu.org
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
-Message-id: 20170920201737.25723-5-f4bug@amsat.org
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
-[PMD: drop cpu_model to directly use cpu type, check m3clk non null]
+Message-id: 1527047633-12368-1-git-send-email-zhaoshenglong@huawei.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/Makefile.objs            |   1 +
+ hw/intc/arm_gicv3_kvm.c | 1 +
- include/hw/arm/msf2-soc.h       |  67 +++++++++++
+file changed, 1 insertion(+)
  hw/arm/msf2-soc.c               | 238 ++++++++++++++++++++++++++++++++++++++++
  default-configs/arm-softmmu.mak |   1 +
 files changed, 307 insertions(+)
  create mode 100644 include/hw/arm/msf2-soc.h
  create mode 100644 hw/arm/msf2-soc.c
-diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
+diff --git a/hw/intc/arm_gicv3_kvm.c b/hw/intc/arm_gicv3_kvm.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/Makefile.objs
+--- a/hw/intc/arm_gicv3_kvm.c
-+++ b/hw/arm/Makefile.objs
++++ b/hw/intc/arm_gicv3_kvm.c
-@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_FSL_IMX31) += fsl-imx31.o kzm.o
+@@ -XXX,XX +XXX,XX @@ static void kvm_dist_putbmp(GICv3State *s, uint32_t offset,
- obj-$(CONFIG_FSL_IMX6) += fsl-imx6.o sabrelite.o
+         if (clroffset != 0) {
- obj-$(CONFIG_ASPEED_SOC) += aspeed_soc.o aspeed.o
+             reg = 0;
- obj-$(CONFIG_MPS2) += mps2.o
+             kvm_gicd_access(s, clroffset, &reg, true);
-+obj-$(CONFIG_MSF2) += msf2-soc.o
++            clroffset += 4;
-diff --git a/include/hw/arm/msf2-soc.h b/include/hw/arm/msf2-soc.h
+         }
-new file mode 100644
+         reg = *gic_bmp_ptr32(bmp, irq);
-index XXXXXXX..XXXXXXX
+         kvm_gicd_access(s, offset, &reg, true);
 --- /dev/null
 +++ b/include/hw/arm/msf2-soc.h
@@ -XXX,XX +XXX,XX @@
 +/*
 + * Microsemi Smartfusion2 SoC
 + *
 + * Copyright (c) 2017 Subbaraya Sundeep <sundeep.lkml@gmail.com>
 + *
 + * Permission is hereby granted, free of charge, to any person obtaining a copy
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
 + * The above copyright notice and this permission notice shall be included in
 + * all copies or substantial portions of the Software.
 + *
 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +
 +#ifndef HW_ARM_MSF2_SOC_H
 +#define HW_ARM_MSF2_SOC_H
 +
 +#include "hw/arm/armv7m.h"
 +#include "hw/timer/mss-timer.h"
 +#include "hw/misc/msf2-sysreg.h"
 +#include "hw/ssi/mss-spi.h"
 +
 +#define TYPE_MSF2_SOC     "msf2-soc"
 +#define MSF2_SOC(obj)     OBJECT_CHECK(MSF2State, (obj), TYPE_MSF2_SOC)
 +
 +#define MSF2_NUM_SPIS         2
 +#define MSF2_NUM_UARTS        2
 +
 +/*
 + * System timer consists of two programmable 32-bit
 + * decrementing counters that generate individual interrupts to
 + * the Cortex-M3 processor
 + */
 +#define MSF2_NUM_TIMERS       2
 +
 +typedef struct MSF2State {
 +    /*< private >*/
 +    SysBusDevice parent_obj;
 +    /*< public >*/
 +
 +    ARMv7MState armv7m;
 +
 +    char *cpu_type;
 +    char *part_name;
 +    uint64_t envm_size;
 +    uint64_t esram_size;
 +
 +    uint32_t m3clk;
 +    uint8_t apb0div;
 +    uint8_t apb1div;
 +
 +    MSF2SysregState sysreg;
 +    MSSTimerState timer;
 +    MSSSpiState spi[MSF2_NUM_SPIS];
 +} MSF2State;
 +
 +#endif
 diff --git a/hw/arm/msf2-soc.c b/hw/arm/msf2-soc.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/arm/msf2-soc.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * SmartFusion2 SoC emulation.
 + *
 + * Copyright (c) 2017 Subbaraya Sundeep <sundeep.lkml@gmail.com>
 + *
 + * Permission is hereby granted, free of charge, to any person obtaining a copy
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
 + * The above copyright notice and this permission notice shall be included in
 + * all copies or substantial portions of the Software.
 + *
 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "qapi/error.h"
 +#include "qemu-common.h"
 +#include "hw/arm/arm.h"
 +#include "exec/address-spaces.h"
 +#include "hw/char/serial.h"
 +#include "hw/boards.h"
 +#include "sysemu/block-backend.h"
 +#include "qemu/cutils.h"
 +#include "hw/arm/msf2-soc.h"
 +#include "hw/misc/unimp.h"
 +
 +#define MSF2_TIMER_BASE       0x40004000
 +#define MSF2_SYSREG_BASE      0x40038000
 +
 +#define ENVM_BASE_ADDRESS     0x60000000
 +
 +#define SRAM_BASE_ADDRESS     0x20000000
 +
 +#define MSF2_ENVM_MAX_SIZE    (512 * K_BYTE)
 +
 +/*
 + * eSRAM max size is 80k without SECDED(Single error correction and
 + * dual error detection) feature and 64k with SECDED.
 + * We do not support SECDED now.
 + */
 +#define MSF2_ESRAM_MAX_SIZE       (80 * K_BYTE)
 +
 +static const uint32_t spi_addr[MSF2_NUM_SPIS] = { 0x40001000 , 0x40011000 };
 +static const uint32_t uart_addr[MSF2_NUM_UARTS] = { 0x40000000 , 0x40010000 };
 +
 +static const int spi_irq[MSF2_NUM_SPIS] = { 2, 3 };
 +static const int uart_irq[MSF2_NUM_UARTS] = { 10, 11 };
 +static const int timer_irq[MSF2_NUM_TIMERS] = { 14, 15 };
 +
 +static void m2sxxx_soc_initfn(Object *obj)
 +{
 +    MSF2State *s = MSF2_SOC(obj);
 +    int i;
 +
 +    object_initialize(&s->armv7m, sizeof(s->armv7m), TYPE_ARMV7M);
 +    qdev_set_parent_bus(DEVICE(&s->armv7m), sysbus_get_default());
 +
 +    object_initialize(&s->sysreg, sizeof(s->sysreg), TYPE_MSF2_SYSREG);
 +    qdev_set_parent_bus(DEVICE(&s->sysreg), sysbus_get_default());
 +
 +    object_initialize(&s->timer, sizeof(s->timer), TYPE_MSS_TIMER);
 +    qdev_set_parent_bus(DEVICE(&s->timer), sysbus_get_default());
 +
 +    for (i = 0; i < MSF2_NUM_SPIS; i++) {
 +        object_initialize(&s->spi[i], sizeof(s->spi[i]),
 +                          TYPE_MSS_SPI);
 +        qdev_set_parent_bus(DEVICE(&s->spi[i]), sysbus_get_default());
 +    }
 +}
 +
 +static void m2sxxx_soc_realize(DeviceState *dev_soc, Error **errp)
 +{
 +    MSF2State *s = MSF2_SOC(dev_soc);
 +    DeviceState *dev, *armv7m;
 +    SysBusDevice *busdev;
 +    Error *err = NULL;
 +    int i;
 +
 +    MemoryRegion *system_memory = get_system_memory();
 +    MemoryRegion *nvm = g_new(MemoryRegion, 1);
 +    MemoryRegion *nvm_alias = g_new(MemoryRegion, 1);
 +    MemoryRegion *sram = g_new(MemoryRegion, 1);
 +
 +    memory_region_init_rom(nvm, NULL, "MSF2.eNVM", s->envm_size,
 +                           &error_fatal);
 +    /*
 +     * On power-on, the eNVM region 0x60000000 is automatically
 +     * remapped to the Cortex-M3 processor executable region
 +     * start address (0x0). We do not support remapping other eNVM,
 +     * eSRAM and DDR regions by guest(via Sysreg) currently.
 +     */
 +    memory_region_init_alias(nvm_alias, NULL, "MSF2.eNVM",
 +                             nvm, 0, s->envm_size);
 +
 +    memory_region_add_subregion(system_memory, ENVM_BASE_ADDRESS, nvm);
 +    memory_region_add_subregion(system_memory, 0, nvm_alias);
 +
 +    memory_region_init_ram(sram, NULL, "MSF2.eSRAM", s->esram_size,
 +                           &error_fatal);
 +    memory_region_add_subregion(system_memory, SRAM_BASE_ADDRESS, sram);
 +
 +    armv7m = DEVICE(&s->armv7m);
 +    qdev_prop_set_uint32(armv7m, "num-irq", 81);
 +    qdev_prop_set_string(armv7m, "cpu-type", s->cpu_type);
 +    object_property_set_link(OBJECT(&s->armv7m), OBJECT(get_system_memory()),
 +                                     "memory", &error_abort);
 +    object_property_set_bool(OBJECT(&s->armv7m), true, "realized", &err);
 +    if (err != NULL) {
 +        error_propagate(errp, err);
 +        return;
 +    }
 +
 +    if (!s->m3clk) {
 +        error_setg(errp, "Invalid m3clk value");
 +        error_append_hint(errp, "m3clk can not be zero\n");
 +        return;
 +    }
 +    system_clock_scale = NANOSECONDS_PER_SECOND / s->m3clk;
 +
 +    for (i = 0; i < MSF2_NUM_UARTS; i++) {
 +        if (serial_hds[i]) {
 +            serial_mm_init(get_system_memory(), uart_addr[i], 2,
 +                           qdev_get_gpio_in(armv7m, uart_irq[i]),
 +                           115200, serial_hds[i], DEVICE_NATIVE_ENDIAN);
 +        }
 +    }
 +
 +    dev = DEVICE(&s->timer);
 +    /* APB0 clock is the timer input clock */
 +    qdev_prop_set_uint32(dev, "clock-frequency", s->m3clk / s->apb0div);
 +    object_property_set_bool(OBJECT(&s->timer), true, "realized", &err);
 +    if (err != NULL) {
 +        error_propagate(errp, err);
 +        return;
 +    }
 +    busdev = SYS_BUS_DEVICE(dev);
 +    sysbus_mmio_map(busdev, 0, MSF2_TIMER_BASE);
 +    sysbus_connect_irq(busdev, 0,
 +                           qdev_get_gpio_in(armv7m, timer_irq[0]));
 +    sysbus_connect_irq(busdev, 1,
 +                           qdev_get_gpio_in(armv7m, timer_irq[1]));
 +
 +    dev = DEVICE(&s->sysreg);
 +    qdev_prop_set_uint32(dev, "apb0divisor", s->apb0div);
 +    qdev_prop_set_uint32(dev, "apb1divisor", s->apb1div);
 +    object_property_set_bool(OBJECT(&s->sysreg), true, "realized", &err);
 +    if (err != NULL) {
 +        error_propagate(errp, err);
 +        return;
 +    }
 +    busdev = SYS_BUS_DEVICE(dev);
 +    sysbus_mmio_map(busdev, 0, MSF2_SYSREG_BASE);
 +
 +    for (i = 0; i < MSF2_NUM_SPIS; i++) {
 +        gchar *bus_name;
 +
 +        object_property_set_bool(OBJECT(&s->spi[i]), true, "realized", &err);
 +        if (err != NULL) {
 +            error_propagate(errp, err);
 +            return;
 +        }
 +
 +        sysbus_mmio_map(SYS_BUS_DEVICE(&s->spi[i]), 0, spi_addr[i]);
 +        sysbus_connect_irq(SYS_BUS_DEVICE(&s->spi[i]), 0,
 +                           qdev_get_gpio_in(armv7m, spi_irq[i]));
 +
 +        /* Alias controller SPI bus to the SoC itself */
 +        bus_name = g_strdup_printf("spi%d", i);
 +        object_property_add_alias(OBJECT(s), bus_name,
 +                                  OBJECT(&s->spi[i]), "spi",
 +                                  &error_abort);
 +        g_free(bus_name);
 +    }
 +
 +    /* Below devices are not modelled yet. */
 +    create_unimplemented_device("i2c_0", 0x40002000, 0x1000);
 +    create_unimplemented_device("dma", 0x40003000, 0x1000);
 +    create_unimplemented_device("watchdog", 0x40005000, 0x1000);
 +    create_unimplemented_device("i2c_1", 0x40012000, 0x1000);
 +    create_unimplemented_device("gpio", 0x40013000, 0x1000);
 +    create_unimplemented_device("hs-dma", 0x40014000, 0x1000);
 +    create_unimplemented_device("can", 0x40015000, 0x1000);
 +    create_unimplemented_device("rtc", 0x40017000, 0x1000);
 +    create_unimplemented_device("apb_config", 0x40020000, 0x10000);
 +    create_unimplemented_device("emac", 0x40041000, 0x1000);
 +    create_unimplemented_device("usb", 0x40043000, 0x1000);
 +}
 +
 +static Property m2sxxx_soc_properties[] = {
 +    /*
 +     * part name specifies the type of SmartFusion2 device variant(this
 +     * property is for information purpose only.
 +     */
 +    DEFINE_PROP_STRING("cpu-type", MSF2State, cpu_type),
 +    DEFINE_PROP_STRING("part-name", MSF2State, part_name),
 +    DEFINE_PROP_UINT64("eNVM-size", MSF2State, envm_size, MSF2_ENVM_MAX_SIZE),
 +    DEFINE_PROP_UINT64("eSRAM-size", MSF2State, esram_size,
 +                        MSF2_ESRAM_MAX_SIZE),
 +    /* Libero GUI shows 100Mhz as default for clocks */
 +    DEFINE_PROP_UINT32("m3clk", MSF2State, m3clk, 100 * 1000000),
 +    /* default divisors in Libero GUI */
 +    DEFINE_PROP_UINT8("apb0div", MSF2State, apb0div, 2),
 +    DEFINE_PROP_UINT8("apb1div", MSF2State, apb1div, 2),
 +    DEFINE_PROP_END_OF_LIST(),
 +};
 +
 +static void m2sxxx_soc_class_init(ObjectClass *klass, void *data)
 +{
 +    DeviceClass *dc = DEVICE_CLASS(klass);
 +
 +    dc->realize = m2sxxx_soc_realize;
 +    dc->props = m2sxxx_soc_properties;
 +}
 +
 +static const TypeInfo m2sxxx_soc_info = {
 +    .name          = TYPE_MSF2_SOC,
 +    .parent        = TYPE_SYS_BUS_DEVICE,
 +    .instance_size = sizeof(MSF2State),
 +    .instance_init = m2sxxx_soc_initfn,
 +    .class_init    = m2sxxx_soc_class_init,
 +};
 +
 +static void m2sxxx_soc_types(void)
 +{
 +    type_register_static(&m2sxxx_soc_info);
 +}
 +
 +type_init(m2sxxx_soc_types)
 diff --git a/default-configs/arm-softmmu.mak b/default-configs/arm-softmmu.mak
 index XXXXXXX..XXXXXXX 100644
 --- a/default-configs/arm-softmmu.mak
 +++ b/default-configs/arm-softmmu.mak
@@ -XXX,XX +XXX,XX @@ CONFIG_ACPI=y
  CONFIG_SMBIOS=y
  CONFIG_ASPEED_SOC=y
  CONFIG_GPIO_KEY=y
 +CONFIG_MSF2=y
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 01/31] target/arm: Implement MSR/MRS access to NS banked registers
+[Qemu-devel] [PULL 05/25] tcg: Fix helper function vs host abi for float16
-In v8M the MSR and MRS instructions have extra register value
+From: Richard Henderson <richard.henderson@linaro.org>
-encodings to allow secure code to access the non-secure banked
-version of various special registers.
+Depending on the host abi, float16, aka uint16_t, values are
+passed and returned either zero-extended in the host register
-(We don't implement the MSPLIM_NS or PSPLIM_NS aliases, because
+or with garbage at the top of the host register.
-we don't currently implement the stack limit registers at all.)
+The tcg code generator has so far been assuming garbage, as that
 matches the x86 abi, but this is incorrect for other host abis.
 Further, target/arm has so far been assuming zero-extended results,
 so that it may store the 16-bit value into a 32-bit slot with the
 high 16-bits already clear.
 Rectify both problems by mapping "f16" in the helper definition
 to uint32_t instead of (a typedef for) uint16_t.  This forces
 the host compiler to assume garbage in the upper 16 bits on input
 and to zero-extend the result on output.
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Tested-by: Laurent Desnogues <laurent.desnogues@gmail.com>
 Message-id: 20180522175629.24932-1-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505240046-11454-2-git-send-email-peter.maydell@linaro.org
 ---
- target/arm/helper.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ include/exec/helper-head.h |  2 +-
-file changed, 110 insertions(+)
+ target/arm/helper-a64.c    | 35 +++++++++--------
+ target/arm/helper.c        | 80 +++++++++++++++++++-------------------
 files changed, 59 insertions(+), 58 deletions(-)
 diff --git a/include/exec/helper-head.h b/include/exec/helper-head.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/helper-head.h
 +++ b/include/exec/helper-head.h
@@ -XXX,XX +XXX,XX @@
  #define dh_ctype_int int
  #define dh_ctype_i64 uint64_t
  #define dh_ctype_s64 int64_t
 -#define dh_ctype_f16 float16
 +#define dh_ctype_f16 uint32_t
  #define dh_ctype_f32 float32
  #define dh_ctype_f64 float64
  #define dh_ctype_ptr void *
 diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper-a64.c
 +++ b/target/arm/helper-a64.c
@@ -XXX,XX +XXX,XX @@ static inline uint32_t float_rel_to_flags(int res)
      return flags;
  }
 -uint64_t HELPER(vfp_cmph_a64)(float16 x, float16 y, void *fp_status)
 +uint64_t HELPER(vfp_cmph_a64)(uint32_t x, uint32_t y, void *fp_status)
  {
      return float_rel_to_flags(float16_compare_quiet(x, y, fp_status));
  }
 -uint64_t HELPER(vfp_cmpeh_a64)(float16 x, float16 y, void *fp_status)
 +uint64_t HELPER(vfp_cmpeh_a64)(uint32_t x, uint32_t y, void *fp_status)
  {
      return float_rel_to_flags(float16_compare(x, y, fp_status));
  }
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(neon_cgt_f64)(float64 a, float64 b, void *fpstp)
  #define float64_three make_float64(0x4008000000000000ULL)
  #define float64_one_point_five make_float64(0x3FF8000000000000ULL)
 -float16 HELPER(recpsf_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(recpsf_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
@@ -XXX,XX +XXX,XX @@ float64 HELPER(recpsf_f64)(float64 a, float64 b, void *fpstp)
      return float64_muladd(a, b, float64_two, 0, fpst);
  }
 -float16 HELPER(rsqrtsf_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(rsqrtsf_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(neon_addlp_u16)(uint64_t a)
  }
  /* Floating-point reciprocal exponent - see FPRecpX in ARM ARM */
 -float16 HELPER(frecpx_f16)(float16 a, void *fpstp)
 +uint32_t HELPER(frecpx_f16)(uint32_t a, void *fpstp)
  {
      float_status *fpst = fpstp;
      uint16_t val16, sbit;
@@ -XXX,XX +XXX,XX @@ void HELPER(casp_be_parallel)(CPUARMState *env, uint32_t rs, uint64_t addr,
  #define ADVSIMD_HELPER(name, suffix) HELPER(glue(glue(advsimd_, name), suffix))
  #define ADVSIMD_HALFOP(name) \
 -float16 ADVSIMD_HELPER(name, h)(float16 a, float16 b, void *fpstp) \
 +uint32_t ADVSIMD_HELPER(name, h)(uint32_t a, uint32_t b, void *fpstp) \
  { \
      float_status *fpst = fpstp; \
      return float16_ ## name(a, b, fpst);    \
@@ -XXX,XX +XXX,XX @@ ADVSIMD_HALFOP(mulx)
  ADVSIMD_TWOHALFOP(mulx)
  /* fused multiply-accumulate */
 -float16 HELPER(advsimd_muladdh)(float16 a, float16 b, float16 c, void *fpstp)
 +uint32_t HELPER(advsimd_muladdh)(uint32_t a, uint32_t b, uint32_t c,
 +                                 void *fpstp)
  {
      float_status *fpst = fpstp;
      return float16_muladd(a, b, c, 0, fpst);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_muladd2h)(uint32_t two_a, uint32_t two_b,
  #define ADVSIMD_CMPRES(test) (test) ? 0xffff : 0
 -uint32_t HELPER(advsimd_ceq_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(advsimd_ceq_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
      int compare = float16_compare_quiet(a, b, fpst);
      return ADVSIMD_CMPRES(compare == float_relation_equal);
  }
 -uint32_t HELPER(advsimd_cge_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(advsimd_cge_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
      int compare = float16_compare(a, b, fpst);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_cge_f16)(float16 a, float16 b, void *fpstp)
                            compare == float_relation_equal);
  }
 -uint32_t HELPER(advsimd_cgt_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(advsimd_cgt_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
      int compare = float16_compare(a, b, fpst);
      return ADVSIMD_CMPRES(compare == float_relation_greater);
  }
 -uint32_t HELPER(advsimd_acge_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(advsimd_acge_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
      float16 f0 = float16_abs(a);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_acge_f16)(float16 a, float16 b, void *fpstp)
                            compare == float_relation_equal);
  }
 -uint32_t HELPER(advsimd_acgt_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(advsimd_acgt_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
      float16 f0 = float16_abs(a);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_acgt_f16)(float16 a, float16 b, void *fpstp)
  }
  /* round to integral */
 -float16 HELPER(advsimd_rinth_exact)(float16 x, void *fp_status)
 +uint32_t HELPER(advsimd_rinth_exact)(uint32_t x, void *fp_status)
  {
      return float16_round_to_int(x, fp_status);
  }
 -float16 HELPER(advsimd_rinth)(float16 x, void *fp_status)
 +uint32_t HELPER(advsimd_rinth)(uint32_t x, void *fp_status)
  {
      int old_flags = get_float_exception_flags(fp_status), new_flags;
      float16 ret;
@@ -XXX,XX +XXX,XX @@ float16 HELPER(advsimd_rinth)(float16 x, void *fp_status)
   * setting the mode appropriately before calling the helper.
   */
 -uint32_t HELPER(advsimd_f16tosinth)(float16 a, void *fpstp)
 +uint32_t HELPER(advsimd_f16tosinth)(uint32_t a, void *fpstp)
  {
      float_status *fpst = fpstp;
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_f16tosinth)(float16 a, void *fpstp)
      return float16_to_int16(a, fpst);
  }
 -uint32_t HELPER(advsimd_f16touinth)(float16 a, void *fpstp)
 +uint32_t HELPER(advsimd_f16touinth)(uint32_t a, void *fpstp)
  {
      float_status *fpst = fpstp;
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_f16touinth)(float16 a, void *fpstp)
   * Square Root and Reciprocal square root
   */
 -float16 HELPER(sqrt_f16)(float16 a, void *fpstp)
 +uint32_t HELPER(sqrt_f16)(uint32_t a, void *fpstp)
  {
      float_status *s = fpstp;
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
+@@ -XXX,XX +XXX,XX @@ DO_VFP_cmp(d, float64)
-         break;
-     case 20: /* CONTROL */
+ /* Integer to float and float to integer conversions */
-         return env->v7m.control[env->v7m.secure];
-+    case 0x94: /* CONTROL_NS */
+-#define CONV_ITOF(name, fsz, sign) \
-+        /* We have to handle this here because unprivileged Secure code
+-    float##fsz HELPER(name)(uint32_t x, void *fpstp) \
-+         * can read the NS CONTROL register.
+-{ \
-+         */
+-    float_status *fpst = fpstp; \
-+        if (!env->v7m.secure) {
+-    return sign##int32_to_##float##fsz((sign##int32_t)x, fpst); \
-+            return 0;
++#define CONV_ITOF(name, ftype, fsz, sign)                           \
-+        }
++ftype HELPER(name)(uint32_t x, void *fpstp)                         \
-+        return env->v7m.control[M_REG_NS];
++{                                                                   \
 +    float_status *fpst = fpstp;                                     \
 +    return sign##int32_to_##float##fsz((sign##int32_t)x, fpst);     \
  }
 -#define CONV_FTOI(name, fsz, sign, round) \
 -uint32_t HELPER(name)(float##fsz x, void *fpstp) \
 -{ \
 -    float_status *fpst = fpstp; \
 -    if (float##fsz##_is_any_nan(x)) { \
 -        float_raise(float_flag_invalid, fpst); \
 -        return 0; \
 -    } \
 -    return float##fsz##_to_##sign##int32##round(x, fpst); \
 +#define CONV_FTOI(name, ftype, fsz, sign, round)                \
 +uint32_t HELPER(name)(ftype x, void *fpstp)                     \
 +{                                                               \
 +    float_status *fpst = fpstp;                                 \
 +    if (float##fsz##_is_any_nan(x)) {                           \
 +        float_raise(float_flag_invalid, fpst);                  \
 +        return 0;                                               \
 +    }                                                           \
 +    return float##fsz##_to_##sign##int32##round(x, fpst);       \
  }
 -#define FLOAT_CONVS(name, p, fsz, sign) \
 -CONV_ITOF(vfp_##name##to##p, fsz, sign) \
 -CONV_FTOI(vfp_to##name##p, fsz, sign, ) \
 -CONV_FTOI(vfp_to##name##z##p, fsz, sign, _round_to_zero)
 +#define FLOAT_CONVS(name, p, ftype, fsz, sign)            \
 +    CONV_ITOF(vfp_##name##to##p, ftype, fsz, sign)        \
 +    CONV_FTOI(vfp_to##name##p, ftype, fsz, sign, )        \
 +    CONV_FTOI(vfp_to##name##z##p, ftype, fsz, sign, _round_to_zero)
 -FLOAT_CONVS(si, h, 16, )
 -FLOAT_CONVS(si, s, 32, )
 -FLOAT_CONVS(si, d, 64, )
 -FLOAT_CONVS(ui, h, 16, u)
 -FLOAT_CONVS(ui, s, 32, u)
 -FLOAT_CONVS(ui, d, 64, u)
 +FLOAT_CONVS(si, h, uint32_t, 16, )
 +FLOAT_CONVS(si, s, float32, 32, )
 +FLOAT_CONVS(si, d, float64, 64, )
 +FLOAT_CONVS(ui, h, uint32_t, 16, u)
 +FLOAT_CONVS(ui, s, float32, 32, u)
 +FLOAT_CONVS(ui, d, float64, 64, u)
  #undef CONV_ITOF
  #undef CONV_FTOI
@@ -XXX,XX +XXX,XX @@ static float16 do_postscale_fp16(float64 f, int shift, float_status *fpst)
      return float64_to_float16(float64_scalbn(f, -shift, fpst), true, fpst);
  }
 -float16 HELPER(vfp_sltoh)(uint32_t x, uint32_t shift, void *fpst)
 +uint32_t HELPER(vfp_sltoh)(uint32_t x, uint32_t shift, void *fpst)
  {
      return do_postscale_fp16(int32_to_float64(x, fpst), shift, fpst);
  }
 -float16 HELPER(vfp_ultoh)(uint32_t x, uint32_t shift, void *fpst)
 +uint32_t HELPER(vfp_ultoh)(uint32_t x, uint32_t shift, void *fpst)
  {
      return do_postscale_fp16(uint32_to_float64(x, fpst), shift, fpst);
  }
 -float16 HELPER(vfp_sqtoh)(uint64_t x, uint32_t shift, void *fpst)
 +uint32_t HELPER(vfp_sqtoh)(uint64_t x, uint32_t shift, void *fpst)
  {
      return do_postscale_fp16(int64_to_float64(x, fpst), shift, fpst);
  }
 -float16 HELPER(vfp_uqtoh)(uint64_t x, uint32_t shift, void *fpst)
 +uint32_t HELPER(vfp_uqtoh)(uint64_t x, uint32_t shift, void *fpst)
  {
      return do_postscale_fp16(uint64_to_float64(x, fpst), shift, fpst);
  }
@@ -XXX,XX +XXX,XX @@ static float64 do_prescale_fp16(float16 f, int shift, float_status *fpst)
      }
+ }
-     if (el == 0) {
-         return 0; /* unprivileged reads others as zero */
+-uint32_t HELPER(vfp_toshh)(float16 x, uint32_t shift, void *fpst)
-     }
++uint32_t HELPER(vfp_toshh)(uint32_t x, uint32_t shift, void *fpst)
+ {
-+    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+     return float64_to_int16(do_prescale_fp16(x, shift, fpst), fpst);
-+        switch (reg) {
+ }
-+        case 0x88: /* MSP_NS */
-+            if (!env->v7m.secure) {
+-uint32_t HELPER(vfp_touhh)(float16 x, uint32_t shift, void *fpst)
-+                return 0;
++uint32_t HELPER(vfp_touhh)(uint32_t x, uint32_t shift, void *fpst)
-+            }
+ {
-+            return env->v7m.other_ss_msp;
+     return float64_to_uint16(do_prescale_fp16(x, shift, fpst), fpst);
-+        case 0x89: /* PSP_NS */
+ }
-+            if (!env->v7m.secure) {
-+                return 0;
+-uint32_t HELPER(vfp_toslh)(float16 x, uint32_t shift, void *fpst)
-+            }
++uint32_t HELPER(vfp_toslh)(uint32_t x, uint32_t shift, void *fpst)
-+            return env->v7m.other_ss_psp;
+ {
-+        case 0x90: /* PRIMASK_NS */
+     return float64_to_int32(do_prescale_fp16(x, shift, fpst), fpst);
-+            if (!env->v7m.secure) {
+ }
-+                return 0;
-+            }
+-uint32_t HELPER(vfp_toulh)(float16 x, uint32_t shift, void *fpst)
-+            return env->v7m.primask[M_REG_NS];
++uint32_t HELPER(vfp_toulh)(uint32_t x, uint32_t shift, void *fpst)
-+        case 0x91: /* BASEPRI_NS */
+ {
-+            if (!env->v7m.secure) {
+     return float64_to_uint32(do_prescale_fp16(x, shift, fpst), fpst);
-+                return 0;
+ }
-+            }
-+            return env->v7m.basepri[M_REG_NS];
+-uint64_t HELPER(vfp_tosqh)(float16 x, uint32_t shift, void *fpst)
-+        case 0x93: /* FAULTMASK_NS */
++uint64_t HELPER(vfp_tosqh)(uint32_t x, uint32_t shift, void *fpst)
-+            if (!env->v7m.secure) {
+ {
-+                return 0;
+     return float64_to_int64(do_prescale_fp16(x, shift, fpst), fpst);
-+            }
+ }
-+            return env->v7m.faultmask[M_REG_NS];
-+        case 0x98: /* SP_NS */
+-uint64_t HELPER(vfp_touqh)(float16 x, uint32_t shift, void *fpst)
-+        {
++uint64_t HELPER(vfp_touqh)(uint32_t x, uint32_t shift, void *fpst)
-+            /* This gives the non-secure SP selected based on whether we're
+ {
-+             * currently in handler mode or not, using the NS CONTROL.SPSEL.
+     return float64_to_uint64(do_prescale_fp16(x, shift, fpst), fpst);
-+             */
+ }
-+            bool spsel = env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK;
+@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(set_neon_rmode)(uint32_t rmode, CPUARMState *env)
-+
+ }
-+            if (!env->v7m.secure) {
-+                return 0;
+ /* Half precision conversions.  */
-+            }
+-float32 HELPER(vfp_fcvt_f16_to_f32)(float16 a, void *fpstp, uint32_t ahp_mode)
-+            if (!arm_v7m_is_handler_mode(env) && spsel) {
++float32 HELPER(vfp_fcvt_f16_to_f32)(uint32_t a, void *fpstp, uint32_t ahp_mode)
-+                return env->v7m.other_ss_psp;
+ {
-+            } else {
+     /* Squash FZ16 to 0 for the duration of conversion.  In this case,
-+                return env->v7m.other_ss_msp;
+      * it would affect flushing input denormals.
-+            }
+@@ -XXX,XX +XXX,XX @@ float32 HELPER(vfp_fcvt_f16_to_f32)(float16 a, void *fpstp, uint32_t ahp_mode)
-+        }
+     return r;
-+        default:
+ }
-+            break;
-+        }
+-float16 HELPER(vfp_fcvt_f32_to_f16)(float32 a, void *fpstp, uint32_t ahp_mode)
-+    }
++uint32_t HELPER(vfp_fcvt_f32_to_f16)(float32 a, void *fpstp, uint32_t ahp_mode)
-+
+ {
-     switch (reg) {
+     /* Squash FZ16 to 0 for the duration of conversion.  In this case,
-     case 8: /* MSP */
+      * it would affect flushing output denormals.
-         return (env->v7m.control[env->v7m.secure] & R_V7M_CONTROL_SPSEL_MASK) ?
+@@ -XXX,XX +XXX,XX @@ float16 HELPER(vfp_fcvt_f32_to_f16)(float32 a, void *fpstp, uint32_t ahp_mode)
-@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
+     return r;
-         return;
+ }
-     }
+-float64 HELPER(vfp_fcvt_f16_to_f64)(float16 a, void *fpstp, uint32_t ahp_mode)
-+    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
++float64 HELPER(vfp_fcvt_f16_to_f64)(uint32_t a, void *fpstp, uint32_t ahp_mode)
-+        switch (reg) {
+ {
-+        case 0x88: /* MSP_NS */
+     /* Squash FZ16 to 0 for the duration of conversion.  In this case,
-+            if (!env->v7m.secure) {
+      * it would affect flushing input denormals.
-+                return;
+@@ -XXX,XX +XXX,XX @@ float64 HELPER(vfp_fcvt_f16_to_f64)(float16 a, void *fpstp, uint32_t ahp_mode)
-+            }
+     return r;
-+            env->v7m.other_ss_msp = val;
+ }
-+            return;
-+        case 0x89: /* PSP_NS */
+-float16 HELPER(vfp_fcvt_f64_to_f16)(float64 a, void *fpstp, uint32_t ahp_mode)
-+            if (!env->v7m.secure) {
++uint32_t HELPER(vfp_fcvt_f64_to_f16)(float64 a, void *fpstp, uint32_t ahp_mode)
-+                return;
+ {
-+            }
+     /* Squash FZ16 to 0 for the duration of conversion.  In this case,
-+            env->v7m.other_ss_psp = val;
+      * it would affect flushing output denormals.
-+            return;
+@@ -XXX,XX +XXX,XX @@ static bool round_to_inf(float_status *fpst, bool sign_bit)
-+        case 0x90: /* PRIMASK_NS */
+     g_assert_not_reached();
-+            if (!env->v7m.secure) {
+ }
-+                return;
-+            }
+-float16 HELPER(recpe_f16)(float16 input, void *fpstp)
-+            env->v7m.primask[M_REG_NS] = val & 1;
++uint32_t HELPER(recpe_f16)(uint32_t input, void *fpstp)
-+            return;
+ {
-+        case 0x91: /* BASEPRI_NS */
+     float_status *fpst = fpstp;
-+            if (!env->v7m.secure) {
+     float16 f16 = float16_squash_input_denormal(input, fpst);
-+                return;
+@@ -XXX,XX +XXX,XX @@ static uint64_t recip_sqrt_estimate(int *exp , int exp_off, uint64_t frac)
-+            }
+     return extract64(estimate, 0, 8) << 44;
-+            env->v7m.basepri[M_REG_NS] = val & 0xff;
+ }
-+            return;
-+        case 0x93: /* FAULTMASK_NS */
+-float16 HELPER(rsqrte_f16)(float16 input, void *fpstp)
-+            if (!env->v7m.secure) {
++uint32_t HELPER(rsqrte_f16)(uint32_t input, void *fpstp)
-+                return;
+ {
-+            }
+     float_status *s = fpstp;
-+            env->v7m.faultmask[M_REG_NS] = val & 1;
+     float16 f16 = float16_squash_input_denormal(input, s);
 +            return;
 +        case 0x98: /* SP_NS */
 +        {
 +            /* This gives the non-secure SP selected based on whether we're
 +             * currently in handler mode or not, using the NS CONTROL.SPSEL.
 +             */
 +            bool spsel = env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK;
 +
 +            if (!env->v7m.secure) {
 +                return;
 +            }
 +            if (!arm_v7m_is_handler_mode(env) && spsel) {
 +                env->v7m.other_ss_psp = val;
 +            } else {
 +                env->v7m.other_ss_msp = val;
 +            }
 +            return;
 +        }
 +        default:
 +            break;
 +        }
 +    }
 +
      switch (reg) {
      case 0 ... 7: /* xPSR sub-fields */
          /* only APSR is actually writable */
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 02/31] nvic: Add banked exception states
+Deleted patch
-For the v8M security extension, some exceptions must be banked
-between security states. Add the new vecinfo array which holds
-the state for the banked exceptions and migrate it if the
-CPU the NVIC is attached to implements the security extension.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
----
- include/hw/intc/armv7m_nvic.h | 14 ++++++++++++
- hw/intc/armv7m_nvic.c         | 53 ++++++++++++++++++++++++++++++++++++++++++-
-files changed, 66 insertions(+), 1 deletion(-)
-diff --git a/include/hw/intc/armv7m_nvic.h b/include/hw/intc/armv7m_nvic.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/intc/armv7m_nvic.h
-+++ b/include/hw/intc/armv7m_nvic.h
-@@ -XXX,XX +XXX,XX @@
- /* Highest permitted number of exceptions (architectural limit) */
- #define NVIC_MAX_VECTORS 512
-+/* Number of internal exceptions */
-+#define NVIC_INTERNAL_VECTORS 16
- typedef struct VecInfo {
-     /* Exception priorities can range from -3 to 255; only the unmodifiable
-@@ -XXX,XX +XXX,XX @@ typedef struct NVICState {
-     ARMCPU *cpu;
-     VecInfo vectors[NVIC_MAX_VECTORS];
-+    /* If the v8M security extension is implemented, some of the internal
-+     * exceptions are banked between security states (ie there exists both
-+     * a Secure and a NonSecure version of the exception and its state):
-+     *  HardFault, MemManage, UsageFault, SVCall, PendSV, SysTick (R_PJHV)
-+     * The rest (including all the external exceptions) are not banked, though
-+     * they may be configurable to target either Secure or NonSecure state.
-+     * We store the secure exception state in sec_vectors[] for the banked
-+     * exceptions, and otherwise use only vectors[] (including for exceptions
-+     * like SecureFault that unconditionally target Secure state).
-+     * Entries in sec_vectors[] for non-banked exception numbers are unused.
-+     */
-+    VecInfo sec_vectors[NVIC_INTERNAL_VECTORS];
-     uint32_t prigroup;
-     /* vectpending and exception_prio are both cached state that can
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
-+++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@
-  * For historical reasons QEMU tends to use "interrupt" and
-  * "exception" more or less interchangeably.
-  */
--#define NVIC_FIRST_IRQ 16
-+#define NVIC_FIRST_IRQ NVIC_INTERNAL_VECTORS
- #define NVIC_MAX_IRQ (NVIC_MAX_VECTORS - NVIC_FIRST_IRQ)
- /* Effective running priority of the CPU when no exception is active
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_VecInfo = {
-     }
- };
-+static bool nvic_security_needed(void *opaque)
-+{
-+    NVICState *s = opaque;
-+
-+    return arm_feature(&s->cpu->env, ARM_FEATURE_M_SECURITY);
-+}
-+
-+static int nvic_security_post_load(void *opaque, int version_id)
-+{
-+    NVICState *s = opaque;
-+    int i;
-+
-+    /* Check for out of range priority settings */
-+    if (s->sec_vectors[ARMV7M_EXCP_HARD].prio != -1) {
-+        return 1;
-+    }
-+    for (i = ARMV7M_EXCP_MEM; i < ARRAY_SIZE(s->sec_vectors); i++) {
-+        if (s->sec_vectors[i].prio & ~0xff) {
-+            return 1;
-+        }
-+    }
-+    return 0;
-+}
-+
-+static const VMStateDescription vmstate_nvic_security = {
-+    .name = "nvic/m-security",
-+    .version_id = 1,
-+    .minimum_version_id = 1,
-+    .needed = nvic_security_needed,
-+    .post_load = &nvic_security_post_load,
-+    .fields = (VMStateField[]) {
-+        VMSTATE_STRUCT_ARRAY(sec_vectors, NVICState, NVIC_INTERNAL_VECTORS, 1,
-+                             vmstate_VecInfo, VecInfo),
-+        VMSTATE_END_OF_LIST()
-+    }
-+};
-+
- static const VMStateDescription vmstate_nvic = {
-     .name = "armv7m_nvic",
-     .version_id = 4,
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_nvic = {
-                              vmstate_VecInfo, VecInfo),
-         VMSTATE_UINT32(prigroup, NVICState),
-         VMSTATE_END_OF_LIST()
-+    },
-+    .subsections = (const VMStateDescription*[]) {
-+        &vmstate_nvic_security,
-+        NULL
-     }
- };
-@@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_reset(DeviceState *dev)
-     s->vectors[ARMV7M_EXCP_NMI].prio = -2;
-     s->vectors[ARMV7M_EXCP_HARD].prio = -1;
-+    if (arm_feature(&s->cpu->env, ARM_FEATURE_M_SECURITY)) {
-+        s->sec_vectors[ARMV7M_EXCP_HARD].enabled = 1;
-+        s->sec_vectors[ARMV7M_EXCP_SVC].enabled = 1;
-+        s->sec_vectors[ARMV7M_EXCP_PENDSV].enabled = 1;
-+        s->sec_vectors[ARMV7M_EXCP_SYSTICK].enabled = 1;
-+
-+        /* AIRCR.BFHFNMINS resets to 0 so Secure HF is priority -1 (R_CMTC) */
-+        s->sec_vectors[ARMV7M_EXCP_HARD].prio = -1;
-+    }
-+
-     /* Strictly speaking the reset handler should be enabled.
-      * However, we don't simulate soft resets through the NVIC,
-      * and the reset vector should never be pended.
---
-.7.4

-[Qemu-devel] [PULL 03/31] nvic: Add cached vectpending_is_s_banked state
+Deleted patch
-With banked exceptions, just the exception number in
-s->vectpending is no longer sufficient to uniquely identify
-the pending exception. Add a vectpending_is_s_banked bool
-which is true if the exception is using the sec_vectors[]
-array.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1505240046-11454-4-git-send-email-peter.maydell@linaro.org
----
- include/hw/intc/armv7m_nvic.h | 11 +++++++++--
- hw/intc/armv7m_nvic.c         |  1 +
-files changed, 10 insertions(+), 2 deletions(-)
-diff --git a/include/hw/intc/armv7m_nvic.h b/include/hw/intc/armv7m_nvic.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/intc/armv7m_nvic.h
-+++ b/include/hw/intc/armv7m_nvic.h
-@@ -XXX,XX +XXX,XX @@ typedef struct NVICState {
-     VecInfo sec_vectors[NVIC_INTERNAL_VECTORS];
-     uint32_t prigroup;
--    /* vectpending and exception_prio are both cached state that can
--     * be recalculated from the vectors[] array and the prigroup field.
-+    /* The following fields are all cached state that can be recalculated
-+     * from the vectors[] and sec_vectors[] arrays and the prigroup field:
-+     *  - vectpending
-+     *  - vectpending_is_secure
-+     *  - exception_prio
-      */
-     unsigned int vectpending; /* highest prio pending enabled exception */
-+    /* true if vectpending is a banked secure exception, ie it is in
-+     * sec_vectors[] rather than vectors[]
-+     */
-+    bool vectpending_is_s_banked;
-     int exception_prio; /* group prio of the highest prio active exception */
-     MemoryRegion sysregmem;
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
-+++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_reset(DeviceState *dev)
-     s->exception_prio = NVIC_NOEXC_PRIO;
-     s->vectpending = 0;
-+    s->vectpending_is_s_banked = false;
- }
- static void nvic_systick_trigger(void *opaque, int n, int level)
---
-.7.4

-[Qemu-devel] [PULL 29/31] msf2: Add Smartfusion2 SPI controller
+[Qemu-devel] [PULL 06/25] arm: fix qemu crash on startup with -bios option
-From: Subbaraya Sundeep <sundeep.lkml@gmail.com>
+From: Igor Mammedov <imammedo@redhat.com>
-Modelled Microsemi's Smartfusion2 SPI controller.
+When QEMU is started with following CLI
  -machine virt,gic-version=3,accel=kvm -cpu host -bios AAVMF_CODE.fd
 it crashes with abort at
  accel/kvm/kvm-all.c:2164:
  KVM_SET_DEVICE_ATTR failed: Group 6 attr 0x000000000000c665: Invalid argument
-Signed-off-by: Subbaraya Sundeep <sundeep.lkml@gmail.com>
+Which is caused by implicit dependency of kvm_arm_gicv3_reset() on
-Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
+arm_gicv3_icc_reset() where the later is called by CPU reset
-Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+reset callback.
-Message-id: 20170920201737.25723-4-f4bug@amsat.org
 However commit:
 b77f6c arm/boot: split load_dtb() from arm_load_kernel()
 broke CPU reset callback registration in case
   arm_load_kernel()
       ...
       if (!info->kernel_filename || info->firmware_loaded)
 branch is taken, i.e. it's sufficient to provide a firmware
 or do not provide kernel on CLI to skip cpu reset callback
 registration, where before offending commit the callback
 has been registered unconditionally.
 Fix it by registering the callback right at the beginning of
 arm_load_kernel() unconditionally instead of doing it at the end.
 NOTE:
  we probably should eliminate that dependency anyways as well as
  separate arch CPU reset parts from arm_load_kernel() into CPU
  itself, but that refactoring that I probably would have to do
  anyways later for CPU hotplug to work.
 Reported-by: Auger Eric <eric.auger@redhat.com>
 Signed-off-by: Igor Mammedov <imammedo@redhat.com>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Tested-by: Eric Auger <eric.auger@redhat.com>
 Message-id: 1527070950-208350-1-git-send-email-imammedo@redhat.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/ssi/Makefile.objs     |   1 +
+ hw/arm/boot.c | 18 +++++++++---------
- include/hw/ssi/mss-spi.h |  58 +++++++
+file changed, 9 insertions(+), 9 deletions(-)
  hw/ssi/mss-spi.c         | 404 +++++++++++++++++++++++++++++++++++++++++++++++
 files changed, 463 insertions(+)
  create mode 100644 include/hw/ssi/mss-spi.h
  create mode 100644 hw/ssi/mss-spi.c
-diff --git a/hw/ssi/Makefile.objs b/hw/ssi/Makefile.objs
+diff --git a/hw/arm/boot.c b/hw/arm/boot.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/ssi/Makefile.objs
+--- a/hw/arm/boot.c
-+++ b/hw/ssi/Makefile.objs
++++ b/hw/arm/boot.c
-@@ -XXX,XX +XXX,XX @@ common-obj-$(CONFIG_XILINX_SPI) += xilinx_spi.o
+@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
- common-obj-$(CONFIG_XILINX_SPIPS) += xilinx_spips.o
+     static const ARMInsnFixup *primary_loader;
- common-obj-$(CONFIG_ASPEED_SOC) += aspeed_smc.o
+     AddressSpace *as = arm_boot_address_space(cpu, info);
- common-obj-$(CONFIG_STM32F2XX_SPI) += stm32f2xx_spi.o
-+common-obj-$(CONFIG_MSF2) += mss-spi.o
++    /* CPU objects (unlike devices) are not automatically reset on system
++     * reset, so we must always register a handler to do so. If we're
- obj-$(CONFIG_OMAP) += omap_spi.o
++     * actually loading a kernel, the handler is also responsible for
- obj-$(CONFIG_IMX) += imx_spi.o
++     * arranging that we start it correctly.
 diff --git a/include/hw/ssi/mss-spi.h b/include/hw/ssi/mss-spi.h
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/include/hw/ssi/mss-spi.h
@@ -XXX,XX +XXX,XX @@
 +/*
 + * Microsemi SmartFusion2 SPI
 + *
 + * Copyright (c) 2017 Subbaraya Sundeep <sundeep.lkml@gmail.com>
 + *
 + * Permission is hereby granted, free of charge, to any person obtaining a copy
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
 + * The above copyright notice and this permission notice shall be included in
 + * all copies or substantial portions of the Software.
 + *
 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +
 +#ifndef HW_MSS_SPI_H
 +#define HW_MSS_SPI_H
 +
 +#include "hw/sysbus.h"
 +#include "hw/ssi/ssi.h"
 +#include "qemu/fifo32.h"
 +
 +#define TYPE_MSS_SPI   "mss-spi"
 +#define MSS_SPI(obj)   OBJECT_CHECK(MSSSpiState, (obj), TYPE_MSS_SPI)
 +
 +#define R_SPI_MAX             16
 +
 +typedef struct MSSSpiState {
 +    SysBusDevice parent_obj;
 +
 +    MemoryRegion mmio;
 +
 +    qemu_irq irq;
 +
 +    qemu_irq cs_line;
 +
 +    SSIBus *spi;
 +
 +    Fifo32 rx_fifo;
 +    Fifo32 tx_fifo;
 +
 +    int fifo_depth;
 +    uint32_t frame_count;
 +    bool enabled;
 +
 +    uint32_t regs[R_SPI_MAX];
 +} MSSSpiState;
 +
 +#endif /* HW_MSS_SPI_H */
 diff --git a/hw/ssi/mss-spi.c b/hw/ssi/mss-spi.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/ssi/mss-spi.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * Block model of SPI controller present in
 + * Microsemi's SmartFusion2 and SmartFusion SoCs.
 + *
 + * Copyright (C) 2017 Subbaraya Sundeep <sundeep.lkml@gmail.com>
 + *
 + * Permission is hereby granted, free of charge, to any person obtaining a copy
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
 + * The above copyright notice and this permission notice shall be included in
 + * all copies or substantial portions of the Software.
 + *
 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "hw/ssi/mss-spi.h"
 +#include "qemu/log.h"
 +
 +#ifndef MSS_SPI_ERR_DEBUG
 +#define MSS_SPI_ERR_DEBUG   0
 +#endif
 +
 +#define DB_PRINT_L(lvl, fmt, args...) do { \
 +    if (MSS_SPI_ERR_DEBUG >= lvl) { \
 +        qemu_log("%s: " fmt "\n", __func__, ## args); \
 +    } \
 +} while (0);
 +
 +#define DB_PRINT(fmt, args...) DB_PRINT_L(1, fmt, ## args)
 +
 +#define FIFO_CAPACITY         32
 +
 +#define R_SPI_CONTROL         0
 +#define R_SPI_DFSIZE          1
 +#define R_SPI_STATUS          2
 +#define R_SPI_INTCLR          3
 +#define R_SPI_RX              4
 +#define R_SPI_TX              5
 +#define R_SPI_CLKGEN          6
 +#define R_SPI_SS              7
 +#define R_SPI_MIS             8
 +#define R_SPI_RIS             9
 +
 +#define S_TXDONE             (1 << 0)
 +#define S_RXRDY              (1 << 1)
 +#define S_RXCHOVRF           (1 << 2)
 +#define S_RXFIFOFUL          (1 << 4)
 +#define S_RXFIFOFULNXT       (1 << 5)
 +#define S_RXFIFOEMP          (1 << 6)
 +#define S_RXFIFOEMPNXT       (1 << 7)
 +#define S_TXFIFOFUL          (1 << 8)
 +#define S_TXFIFOFULNXT       (1 << 9)
 +#define S_TXFIFOEMP          (1 << 10)
 +#define S_TXFIFOEMPNXT       (1 << 11)
 +#define S_FRAMESTART         (1 << 12)
 +#define S_SSEL               (1 << 13)
 +#define S_ACTIVE             (1 << 14)
 +
 +#define C_ENABLE             (1 << 0)
 +#define C_MODE               (1 << 1)
 +#define C_INTRXDATA          (1 << 4)
 +#define C_INTTXDATA          (1 << 5)
 +#define C_INTRXOVRFLO        (1 << 6)
 +#define C_SPS                (1 << 26)
 +#define C_BIGFIFO            (1 << 29)
 +#define C_RESET              (1 << 31)
 +
 +#define FRAMESZ_MASK         0x1F
 +#define FMCOUNT_MASK         0x00FFFF00
 +#define FMCOUNT_SHIFT        8
 +
 +static void txfifo_reset(MSSSpiState *s)
 +{
 +    fifo32_reset(&s->tx_fifo);
 +
 +    s->regs[R_SPI_STATUS] &= ~S_TXFIFOFUL;
 +    s->regs[R_SPI_STATUS] |= S_TXFIFOEMP;
 +}
 +
 +static void rxfifo_reset(MSSSpiState *s)
 +{
 +    fifo32_reset(&s->rx_fifo);
 +
 +    s->regs[R_SPI_STATUS] &= ~S_RXFIFOFUL;
 +    s->regs[R_SPI_STATUS] |= S_RXFIFOEMP;
 +}
 +
 +static void set_fifodepth(MSSSpiState *s)
 +{
 +    unsigned int size = s->regs[R_SPI_DFSIZE] & FRAMESZ_MASK;
 +
 +    if (size <= 8) {
 +        s->fifo_depth = 32;
 +    } else if (size <= 16) {
 +        s->fifo_depth = 16;
 +    } else if (size <= 32) {
 +        s->fifo_depth = 8;
 +    } else {
 +        s->fifo_depth = 4;
 +    }
 +}
 +
 +static void update_mis(MSSSpiState *s)
 +{
 +    uint32_t reg = s->regs[R_SPI_CONTROL];
 +    uint32_t tmp;
 +
 +    /*
 +     * form the Control register interrupt enable bits
 +     * same as RIS, MIS and Interrupt clear registers for simplicity
 +     */
-+    tmp = ((reg & C_INTRXOVRFLO) >> 4) | ((reg & C_INTRXDATA) >> 3) |
++    for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
-+           ((reg & C_INTTXDATA) >> 5);
++        qemu_register_reset(do_cpu_reset, ARM_CPU(cs));
 +    s->regs[R_SPI_MIS] |= tmp & s->regs[R_SPI_RIS];
 +}
 +
 +static void spi_update_irq(MSSSpiState *s)
 +{
 +    int irq;
 +
 +    update_mis(s);
 +    irq = !!(s->regs[R_SPI_MIS]);
 +
 +    qemu_set_irq(s->irq, irq);
 +}
 +
 +static void mss_spi_reset(DeviceState *d)
 +{
 +    MSSSpiState *s = MSS_SPI(d);
 +
 +    memset(s->regs, 0, sizeof s->regs);
 +    s->regs[R_SPI_CONTROL] = 0x80000102;
 +    s->regs[R_SPI_DFSIZE] = 0x4;
 +    s->regs[R_SPI_STATUS] = S_SSEL | S_TXFIFOEMP | S_RXFIFOEMP;
 +    s->regs[R_SPI_CLKGEN] = 0x7;
 +    s->regs[R_SPI_RIS] = 0x0;
 +
 +    s->fifo_depth = 4;
 +    s->frame_count = 1;
 +    s->enabled = false;
 +
 +    rxfifo_reset(s);
 +    txfifo_reset(s);
 +}
 +
 +static uint64_t
 +spi_read(void *opaque, hwaddr addr, unsigned int size)
 +{
 +    MSSSpiState *s = opaque;
 +    uint32_t ret = 0;
 +
 +    addr >>= 2;
 +    switch (addr) {
 +    case R_SPI_RX:
 +        s->regs[R_SPI_STATUS] &= ~S_RXFIFOFUL;
 +        s->regs[R_SPI_STATUS] &= ~S_RXCHOVRF;
 +        ret = fifo32_pop(&s->rx_fifo);
 +        if (fifo32_is_empty(&s->rx_fifo)) {
 +            s->regs[R_SPI_STATUS] |= S_RXFIFOEMP;
 +        }
 +        break;
 +
 +    case R_SPI_MIS:
 +        update_mis(s);
 +        ret = s->regs[R_SPI_MIS];
 +        break;
 +
 +    default:
 +        if (addr < ARRAY_SIZE(s->regs)) {
 +            ret = s->regs[addr];
 +        } else {
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                         "%s: Bad offset 0x%" HWADDR_PRIx "\n", __func__,
 +                         addr * 4);
 +            return ret;
 +        }
 +        break;
 +    }
 +
-+    DB_PRINT("addr=0x%" HWADDR_PRIx " = 0x%" PRIx32, addr * 4, ret);
+     /* The board code is not supposed to set secure_board_setup unless
-+    spi_update_irq(s);
+      * running its code in secure mode is actually possible, and KVM
-+    return ret;
+      * doesn't support secure.
-+}
+@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
-+
+         ARM_CPU(cs)->env.boot_info = info;
-+static void assert_cs(MSSSpiState *s)
+     }
-+{
-+    qemu_set_irq(s->cs_line, 0);
+-    /* CPU objects (unlike devices) are not automatically reset on system
-+}
+-     * reset, so we must always register a handler to do so. If we're
-+
+-     * actually loading a kernel, the handler is also responsible for
-+static void deassert_cs(MSSSpiState *s)
+-     * arranging that we start it correctly.
-+{
+-     */
-+    qemu_set_irq(s->cs_line, 1);
+-    for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
-+}
+-        qemu_register_reset(do_cpu_reset, ARM_CPU(cs));
-+
+-    }
-+static void spi_flush_txfifo(MSSSpiState *s)
+-
-+{
+     if (!info->skip_dtb_autoload && have_dtb(info)) {
-+    uint32_t tx;
+         if (arm_load_dtb(info->dtb_start, info, info->dtb_limit, as) < 0) {
-+    uint32_t rx;
+             exit(1);
 +    bool sps = !!(s->regs[R_SPI_CONTROL] & C_SPS);
 +
 +    /*
 +     * Chip Select(CS) is automatically controlled by this controller.
 +     * If SPS bit is set in Control register then CS is asserted
 +     * until all the frames set in frame count of Control register are
 +     * transferred. If SPS is not set then CS pulses between frames.
 +     * Note that Slave Select register specifies which of the CS line
 +     * has to be controlled automatically by controller. Bits SS[7:1] are for
 +     * masters in FPGA fabric since we model only Microcontroller subsystem
 +     * of Smartfusion2 we control only one CS(SS[0]) line.
 +     */
 +    while (!fifo32_is_empty(&s->tx_fifo) && s->frame_count) {
 +        assert_cs(s);
 +
 +        s->regs[R_SPI_STATUS] &= ~(S_TXDONE | S_RXRDY);
 +
 +        tx = fifo32_pop(&s->tx_fifo);
 +        DB_PRINT("data tx:0x%" PRIx32, tx);
 +        rx = ssi_transfer(s->spi, tx);
 +        DB_PRINT("data rx:0x%" PRIx32, rx);
 +
 +        if (fifo32_num_used(&s->rx_fifo) == s->fifo_depth) {
 +            s->regs[R_SPI_STATUS] |= S_RXCHOVRF;
 +            s->regs[R_SPI_RIS] |= S_RXCHOVRF;
 +        } else {
 +            fifo32_push(&s->rx_fifo, rx);
 +            s->regs[R_SPI_STATUS] &= ~S_RXFIFOEMP;
 +            if (fifo32_num_used(&s->rx_fifo) == (s->fifo_depth - 1)) {
 +                s->regs[R_SPI_STATUS] |= S_RXFIFOFULNXT;
 +            } else if (fifo32_num_used(&s->rx_fifo) == s->fifo_depth) {
 +                s->regs[R_SPI_STATUS] |= S_RXFIFOFUL;
 +            }
 +        }
 +        s->frame_count--;
 +        if (!sps) {
 +            deassert_cs(s);
 +        }
 +    }
 +
 +    if (!s->frame_count) {
 +        s->frame_count = (s->regs[R_SPI_CONTROL] & FMCOUNT_MASK) >>
 +                            FMCOUNT_SHIFT;
 +        deassert_cs(s);
 +        s->regs[R_SPI_RIS] |= S_TXDONE | S_RXRDY;
 +        s->regs[R_SPI_STATUS] |= S_TXDONE | S_RXRDY;
 +   }
 +}
 +
 +static void spi_write(void *opaque, hwaddr addr,
 +            uint64_t val64, unsigned int size)
 +{
 +    MSSSpiState *s = opaque;
 +    uint32_t value = val64;
 +
 +    DB_PRINT("addr=0x%" HWADDR_PRIx " =0x%" PRIx32, addr, value);
 +    addr >>= 2;
 +
 +    switch (addr) {
 +    case R_SPI_TX:
 +        /* adding to already full FIFO */
 +        if (fifo32_num_used(&s->tx_fifo) == s->fifo_depth) {
 +            break;
 +        }
 +        s->regs[R_SPI_STATUS] &= ~S_TXFIFOEMP;
 +        fifo32_push(&s->tx_fifo, value);
 +        if (fifo32_num_used(&s->tx_fifo) == (s->fifo_depth - 1)) {
 +            s->regs[R_SPI_STATUS] |= S_TXFIFOFULNXT;
 +        } else if (fifo32_num_used(&s->tx_fifo) == s->fifo_depth) {
 +            s->regs[R_SPI_STATUS] |= S_TXFIFOFUL;
 +        }
 +        if (s->enabled) {
 +            spi_flush_txfifo(s);
 +        }
 +        break;
 +
 +    case R_SPI_CONTROL:
 +        s->regs[R_SPI_CONTROL] = value;
 +        if (value & C_BIGFIFO) {
 +            set_fifodepth(s);
 +        } else {
 +            s->fifo_depth = 4;
 +        }
 +        s->enabled = value & C_ENABLE;
 +        s->frame_count = (value & FMCOUNT_MASK) >> FMCOUNT_SHIFT;
 +        if (value & C_RESET) {
 +            mss_spi_reset(DEVICE(s));
 +        }
 +        break;
 +
 +    case R_SPI_DFSIZE:
 +        if (s->enabled) {
 +            break;
 +        }
 +        s->regs[R_SPI_DFSIZE] = value;
 +        break;
 +
 +    case R_SPI_INTCLR:
 +        s->regs[R_SPI_INTCLR] = value;
 +        if (value & S_TXDONE) {
 +            s->regs[R_SPI_RIS] &= ~S_TXDONE;
 +        }
 +        if (value & S_RXRDY) {
 +            s->regs[R_SPI_RIS] &= ~S_RXRDY;
 +        }
 +        if (value & S_RXCHOVRF) {
 +            s->regs[R_SPI_RIS] &= ~S_RXCHOVRF;
 +        }
 +        break;
 +
 +    case R_SPI_MIS:
 +    case R_SPI_STATUS:
 +    case R_SPI_RIS:
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                         "%s: Write to read only register 0x%" HWADDR_PRIx "\n",
 +                         __func__, addr * 4);
 +        break;
 +
 +    default:
 +        if (addr < ARRAY_SIZE(s->regs)) {
 +            s->regs[addr] = value;
 +        } else {
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                         "%s: Bad offset 0x%" HWADDR_PRIx "\n", __func__,
 +                         addr * 4);
 +        }
 +        break;
 +    }
 +
 +    spi_update_irq(s);
 +}
 +
 +static const MemoryRegionOps spi_ops = {
 +    .read = spi_read,
 +    .write = spi_write,
 +    .endianness = DEVICE_NATIVE_ENDIAN,
 +    .valid = {
 +        .min_access_size = 1,
 +        .max_access_size = 4
 +    }
 +};
 +
 +static void mss_spi_realize(DeviceState *dev, Error **errp)
 +{
 +    MSSSpiState *s = MSS_SPI(dev);
 +    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 +
 +    s->spi = ssi_create_bus(dev, "spi");
 +
 +    sysbus_init_irq(sbd, &s->irq);
 +    ssi_auto_connect_slaves(dev, &s->cs_line, s->spi);
 +    sysbus_init_irq(sbd, &s->cs_line);
 +
 +    memory_region_init_io(&s->mmio, OBJECT(s), &spi_ops, s,
 +                          TYPE_MSS_SPI, R_SPI_MAX * 4);
 +    sysbus_init_mmio(sbd, &s->mmio);
 +
 +    fifo32_create(&s->tx_fifo, FIFO_CAPACITY);
 +    fifo32_create(&s->rx_fifo, FIFO_CAPACITY);
 +}
 +
 +static const VMStateDescription vmstate_mss_spi = {
 +    .name = TYPE_MSS_SPI,
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_FIFO32(tx_fifo, MSSSpiState),
 +        VMSTATE_FIFO32(rx_fifo, MSSSpiState),
 +        VMSTATE_UINT32_ARRAY(regs, MSSSpiState, R_SPI_MAX),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
 +static void mss_spi_class_init(ObjectClass *klass, void *data)
 +{
 +    DeviceClass *dc = DEVICE_CLASS(klass);
 +
 +    dc->realize = mss_spi_realize;
 +    dc->reset = mss_spi_reset;
 +    dc->vmsd = &vmstate_mss_spi;
 +}
 +
 +static const TypeInfo mss_spi_info = {
 +    .name           = TYPE_MSS_SPI,
 +    .parent         = TYPE_SYS_BUS_DEVICE,
 +    .instance_size  = sizeof(MSSSpiState),
 +    .class_init     = mss_spi_class_init,
 +};
 +
 +static void mss_spi_register_types(void)
 +{
 +    type_register_static(&mss_spi_info);
 +}
 +
 +type_init(mss_spi_register_types)
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 28/31] msf2: Microsemi Smartfusion2 System Register block
+[Qemu-devel] [PULL 07/25] arm: fix malloc type mismatch
-From: Subbaraya Sundeep <sundeep.lkml@gmail.com>
+From: Paolo Bonzini <pbonzini@redhat.com>
-Added Sytem register block of Smartfusion2.
+cpregs_keys is an uint32_t* so the allocation should use uint32_t.
-This block has PLL registers which are accessed by guest.
+g_new is even better because it is type-safe.
-Signed-off-by: Subbaraya Sundeep <sundeep.lkml@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Acked-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Message-id: 20170920201737.25723-3-f4bug@amsat.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/misc/Makefile.objs         |   1 +
+ target/arm/gdbstub.c | 3 +--
- include/hw/misc/msf2-sysreg.h |  77 ++++++++++++++++++++
+file changed, 1 insertion(+), 2 deletions(-)
  hw/misc/msf2-sysreg.c         | 160 ++++++++++++++++++++++++++++++++++++++++++
  hw/misc/trace-events          |   5 ++
 files changed, 243 insertions(+)
  create mode 100644 include/hw/misc/msf2-sysreg.h
  create mode 100644 hw/misc/msf2-sysreg.c
-diff --git a/hw/misc/Makefile.objs b/hw/misc/Makefile.objs
+diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/misc/Makefile.objs
+--- a/target/arm/gdbstub.c
-+++ b/hw/misc/Makefile.objs
++++ b/target/arm/gdbstub.c
-@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_HYPERV_TESTDEV) += hyperv_testdev.o
+@@ -XXX,XX +XXX,XX @@ int arm_gen_dynamic_xml(CPUState *cs)
- obj-$(CONFIG_AUX) += auxbus.o
+     RegisterSysregXmlParam param = {cs, s};
- obj-$(CONFIG_ASPEED_SOC) += aspeed_scu.o aspeed_sdmc.o
- obj-y += mmio_interface.o
+     cpu->dyn_xml.num_cpregs = 0;
-+obj-$(CONFIG_MSF2) += msf2-sysreg.o
+-    cpu->dyn_xml.cpregs_keys = g_malloc(sizeof(uint32_t *) *
-diff --git a/include/hw/misc/msf2-sysreg.h b/include/hw/misc/msf2-sysreg.h
+-                                        g_hash_table_size(cpu->cp_regs));
-new file mode 100644
++    cpu->dyn_xml.cpregs_keys = g_new(uint32_t, g_hash_table_size(cpu->cp_regs));
-index XXXXXXX..XXXXXXX
+     g_string_printf(s, "<?xml version=\"1.0\"?>");
---- /dev/null
+     g_string_append_printf(s, "<!DOCTYPE target SYSTEM \"gdb-target.dtd\">");
-+++ b/include/hw/misc/msf2-sysreg.h
+     g_string_append_printf(s, "<feature name=\"org.qemu.gdb.arm.sys.regs\">");
@@ -XXX,XX +XXX,XX @@
 +/*
 + * Microsemi SmartFusion2 SYSREG
 + *
 + * Copyright (c) 2017 Subbaraya Sundeep <sundeep.lkml@gmail.com>
 + *
 + * Permission is hereby granted, free of charge, to any person obtaining a copy
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
 + * The above copyright notice and this permission notice shall be included in
 + * all copies or substantial portions of the Software.
 + *
 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +
 +#ifndef HW_MSF2_SYSREG_H
 +#define HW_MSF2_SYSREG_H
 +
 +#include "hw/sysbus.h"
 +
 +enum {
 +    ESRAM_CR        = 0x00 / 4,
 +    ESRAM_MAX_LAT,
 +    DDR_CR,
 +    ENVM_CR,
 +    ENVM_REMAP_BASE_CR,
 +    ENVM_REMAP_FAB_CR,
 +    CC_CR,
 +    CC_REGION_CR,
 +    CC_LOCK_BASE_ADDR_CR,
 +    CC_FLUSH_INDX_CR,
 +    DDRB_BUF_TIMER_CR,
 +    DDRB_NB_ADDR_CR,
 +    DDRB_NB_SIZE_CR,
 +    DDRB_CR,
 +
 +    SOFT_RESET_CR  = 0x48 / 4,
 +    M3_CR,
 +
 +    GPIO_SYSRESET_SEL_CR = 0x58 / 4,
 +
 +    MDDR_CR = 0x60 / 4,
 +
 +    MSSDDR_PLL_STATUS_LOW_CR = 0x90 / 4,
 +    MSSDDR_PLL_STATUS_HIGH_CR,
 +    MSSDDR_FACC1_CR,
 +    MSSDDR_FACC2_CR,
 +
 +    MSSDDR_PLL_STATUS = 0x150 / 4,
 +};
 +
 +#define MSF2_SYSREG_MMIO_SIZE     0x300
 +
 +#define TYPE_MSF2_SYSREG          "msf2-sysreg"
 +#define MSF2_SYSREG(obj)  OBJECT_CHECK(MSF2SysregState, (obj), TYPE_MSF2_SYSREG)
 +
 +typedef struct MSF2SysregState {
 +    SysBusDevice parent_obj;
 +
 +    MemoryRegion iomem;
 +
 +    uint8_t apb0div;
 +    uint8_t apb1div;
 +
 +    uint32_t regs[MSF2_SYSREG_MMIO_SIZE / 4];
 +} MSF2SysregState;
 +
 +#endif /* HW_MSF2_SYSREG_H */
 diff --git a/hw/misc/msf2-sysreg.c b/hw/misc/msf2-sysreg.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/misc/msf2-sysreg.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * System Register block model of Microsemi SmartFusion2.
 + *
 + * Copyright (c) 2017 Subbaraya Sundeep <sundeep.lkml@gmail.com>
 + *
 + * This program is free software; you can redistribute it and/or
 + * modify it under the terms of the GNU General Public License
 + * as published by the Free Software Foundation; either version
 + * 2 of the License, or (at your option) any later version.
 + *
 + * You should have received a copy of the GNU General Public License along
 + * with this program; if not, see <http://www.gnu.org/licenses/>.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "qapi/error.h"
 +#include "qemu/log.h"
 +#include "hw/misc/msf2-sysreg.h"
 +#include "qemu/error-report.h"
 +#include "trace.h"
 +
 +static inline int msf2_divbits(uint32_t div)
 +{
 +    int r = ctz32(div);
 +
 +    return (div < 8) ? r : r + 1;
 +}
 +
 +static void msf2_sysreg_reset(DeviceState *d)
 +{
 +    MSF2SysregState *s = MSF2_SYSREG(d);
 +
 +    s->regs[MSSDDR_PLL_STATUS_LOW_CR] = 0x021A2358;
 +    s->regs[MSSDDR_PLL_STATUS] = 0x3;
 +    s->regs[MSSDDR_FACC1_CR] = msf2_divbits(s->apb0div) << 5 |
 +                               msf2_divbits(s->apb1div) << 2;
 +}
 +
 +static uint64_t msf2_sysreg_read(void *opaque, hwaddr offset,
 +    unsigned size)
 +{
 +    MSF2SysregState *s = opaque;
 +    uint32_t ret = 0;
 +
 +    offset >>= 2;
 +    if (offset < ARRAY_SIZE(s->regs)) {
 +        ret = s->regs[offset];
 +        trace_msf2_sysreg_read(offset << 2, ret);
 +    } else {
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                    "%s: Bad offset 0x%08" HWADDR_PRIx "\n", __func__,
 +                    offset << 2);
 +    }
 +
 +    return ret;
 +}
 +
 +static void msf2_sysreg_write(void *opaque, hwaddr offset,
 +                          uint64_t val, unsigned size)
 +{
 +    MSF2SysregState *s = opaque;
 +    uint32_t newval = val;
 +
 +    offset >>= 2;
 +
 +    switch (offset) {
 +    case MSSDDR_PLL_STATUS:
 +        trace_msf2_sysreg_write_pll_status();
 +        break;
 +
 +    case ESRAM_CR:
 +    case DDR_CR:
 +    case ENVM_REMAP_BASE_CR:
 +        if (newval != s->regs[offset]) {
 +            qemu_log_mask(LOG_UNIMP,
 +                       TYPE_MSF2_SYSREG": remapping not supported\n");
 +        }
 +        break;
 +
 +    default:
 +        if (offset < ARRAY_SIZE(s->regs)) {
 +            trace_msf2_sysreg_write(offset << 2, newval, s->regs[offset]);
 +            s->regs[offset] = newval;
 +        } else {
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                        "%s: Bad offset 0x%08" HWADDR_PRIx "\n", __func__,
 +                        offset << 2);
 +        }
 +        break;
 +    }
 +}
 +
 +static const MemoryRegionOps sysreg_ops = {
 +    .read = msf2_sysreg_read,
 +    .write = msf2_sysreg_write,
 +    .endianness = DEVICE_NATIVE_ENDIAN,
 +};
 +
 +static void msf2_sysreg_init(Object *obj)
 +{
 +    MSF2SysregState *s = MSF2_SYSREG(obj);
 +
 +    memory_region_init_io(&s->iomem, obj, &sysreg_ops, s, TYPE_MSF2_SYSREG,
 +                          MSF2_SYSREG_MMIO_SIZE);
 +    sysbus_init_mmio(SYS_BUS_DEVICE(obj), &s->iomem);
 +}
 +
 +static const VMStateDescription vmstate_msf2_sysreg = {
 +    .name = TYPE_MSF2_SYSREG,
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_UINT32_ARRAY(regs, MSF2SysregState, MSF2_SYSREG_MMIO_SIZE / 4),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
 +static Property msf2_sysreg_properties[] = {
 +    /* default divisors in Libero GUI */
 +    DEFINE_PROP_UINT8("apb0divisor", MSF2SysregState, apb0div, 2),
 +    DEFINE_PROP_UINT8("apb1divisor", MSF2SysregState, apb1div, 2),
 +    DEFINE_PROP_END_OF_LIST(),
 +};
 +
 +static void msf2_sysreg_realize(DeviceState *dev, Error **errp)
 +{
 +    MSF2SysregState *s = MSF2_SYSREG(dev);
 +
 +    if ((s->apb0div > 32 || !is_power_of_2(s->apb0div))
 +        || (s->apb1div > 32 || !is_power_of_2(s->apb1div))) {
 +        error_setg(errp, "Invalid apb divisor value");
 +        error_append_hint(errp, "apb divisor must be a power of 2"
 +                           " and maximum value is 32\n");
 +    }
 +}
 +
 +static void msf2_sysreg_class_init(ObjectClass *klass, void *data)
 +{
 +    DeviceClass *dc = DEVICE_CLASS(klass);
 +
 +    dc->vmsd = &vmstate_msf2_sysreg;
 +    dc->reset = msf2_sysreg_reset;
 +    dc->props = msf2_sysreg_properties;
 +    dc->realize = msf2_sysreg_realize;
 +}
 +
 +static const TypeInfo msf2_sysreg_info = {
 +    .name  = TYPE_MSF2_SYSREG,
 +    .parent = TYPE_SYS_BUS_DEVICE,
 +    .class_init = msf2_sysreg_class_init,
 +    .instance_size  = sizeof(MSF2SysregState),
 +    .instance_init = msf2_sysreg_init,
 +};
 +
 +static void msf2_sysreg_register_types(void)
 +{
 +    type_register_static(&msf2_sysreg_info);
 +}
 +
 +type_init(msf2_sysreg_register_types)
 diff --git a/hw/misc/trace-events b/hw/misc/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/misc/trace-events
 +++ b/hw/misc/trace-events
@@ -XXX,XX +XXX,XX @@ mps2_scc_reset(void) "MPS2 SCC: reset"
  mps2_scc_leds(char led7, char led6, char led5, char led4, char led3, char led2, char led1, char led0) "MPS2 SCC LEDs: %c%c%c%c%c%c%c%c"
  mps2_scc_cfg_write(unsigned function, unsigned device, uint32_t value) "MPS2 SCC config write: function %d device %d data 0x%" PRIx32
  mps2_scc_cfg_read(unsigned function, unsigned device, uint32_t value) "MPS2 SCC config read: function %d device %d data 0x%" PRIx32
 +
 +# hw/misc/msf2-sysreg.c
 +msf2_sysreg_write(uint64_t offset, uint32_t val, uint32_t prev) "msf2-sysreg write: addr 0x%08" HWADDR_PRIx " data 0x%" PRIx32 " prev 0x%" PRIx32
 +msf2_sysreg_read(uint64_t offset, uint32_t val) "msf2-sysreg read: addr 0x%08" HWADDR_PRIx " data 0x%08" PRIx32
 +msf2_sysreg_write_pll_status(void) "Invalid write to read only PLL status register"
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 27/31] msf2: Add Smartfusion2 System timer
+[Qemu-devel] [PULL 08/25] xlnx-zdma: Correct mem leaks and memset to zero on desc unaligned errors
-From: Subbaraya Sundeep <sundeep.lkml@gmail.com>
+From: Francisco Iglesias <frasse.iglesias@gmail.com>
-Modelled System Timer in Microsemi's Smartfusion2 Soc.
+Coverity found that the string return by 'object_get_canonical_path' was not
-Timer has two 32bit down counters and two interrupts.
+being freed at two locations in the model (CID 1391294 and CID 1391293) and
 also that a memset was being called with a value greater than the max of a byte
 on the second argument (CID 1391286). This patch corrects this by adding the
 freeing of the strings and also changing to memset to zero instead on
 descriptor unaligned errors.
-Signed-off-by: Subbaraya Sundeep <sundeep.lkml@gmail.com>
+Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com>
-Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
+Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
-Acked-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20180528184859.3530-1-frasse.iglesias@gmail.com
-Message-id: 20170920201737.25723-2-f4bug@amsat.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/timer/Makefile.objs       |   1 +
+ hw/dma/xlnx-zdma.c | 10 +++++++---
- include/hw/timer/mss-timer.h |  64 ++++++++++
+file changed, 7 insertions(+), 3 deletions(-)
  hw/timer/mss-timer.c         | 289 +++++++++++++++++++++++++++++++++++++++++++
 files changed, 354 insertions(+)
  create mode 100644 include/hw/timer/mss-timer.h
  create mode 100644 hw/timer/mss-timer.c
-diff --git a/hw/timer/Makefile.objs b/hw/timer/Makefile.objs
+diff --git a/hw/dma/xlnx-zdma.c b/hw/dma/xlnx-zdma.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/Makefile.objs
+--- a/hw/dma/xlnx-zdma.c
-+++ b/hw/timer/Makefile.objs
++++ b/hw/dma/xlnx-zdma.c
-@@ -XXX,XX +XXX,XX @@ common-obj-$(CONFIG_ASPEED_SOC) += aspeed_timer.o
+@@ -XXX,XX +XXX,XX @@ static bool zdma_load_descriptor(XlnxZDMA *s, uint64_t addr, void *buf)
+         qemu_log_mask(LOG_GUEST_ERROR,
- common-obj-$(CONFIG_SUN4V_RTC) += sun4v-rtc.o
+                       "zdma: unaligned descriptor at %" PRIx64,
- common-obj-$(CONFIG_CMSDK_APB_TIMER) += cmsdk-apb-timer.o
+                       addr);
-+common-obj-$(CONFIG_MSF2) += mss-timer.o
+-        memset(buf, 0xdeadbeef, sizeof(XlnxZDMADescr));
-diff --git a/include/hw/timer/mss-timer.h b/include/hw/timer/mss-timer.h
++        memset(buf, 0x0, sizeof(XlnxZDMADescr));
-new file mode 100644
+         s->error = true;
-index XXXXXXX..XXXXXXX
+         return false;
---- /dev/null
+     }
-+++ b/include/hw/timer/mss-timer.h
+@@ -XXX,XX +XXX,XX @@ static uint64_t zdma_read(void *opaque, hwaddr addr, unsigned size)
-@@ -XXX,XX +XXX,XX @@
+     RegisterInfo *r = &s->regs_info[addr / 4];
-+/*
-+ * Microsemi SmartFusion2 Timer.
+     if (!r->data) {
-+ *
++        gchar *path = object_get_canonical_path(OBJECT(s));
-+ * Copyright (c) 2017 Subbaraya Sundeep <sundeep.lkml@gmail.com>
+         qemu_log("%s: Decode error: read from %" HWADDR_PRIx "\n",
-+ *
+-                 object_get_canonical_path(OBJECT(s)),
-+ * Permission is hereby granted, free of charge, to any person obtaining a copy
++                 path,
-+ * of this software and associated documentation files (the "Software"), to deal
+                  addr);
-+ * in the Software without restriction, including without limitation the rights
++        g_free(path);
-+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+         ARRAY_FIELD_DP32(s->regs, ZDMA_CH_ISR, INV_APB, true);
-+ * copies of the Software, and to permit persons to whom the Software is
+         zdma_ch_imr_update_irq(s);
-+ * furnished to do so, subject to the following conditions:
+         return 0;
-+ *
+@@ -XXX,XX +XXX,XX @@ static void zdma_write(void *opaque, hwaddr addr, uint64_t value,
-+ * The above copyright notice and this permission notice shall be included in
+     RegisterInfo *r = &s->regs_info[addr / 4];
-+ * all copies or substantial portions of the Software.
-+ *
+     if (!r->data) {
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++        gchar *path = object_get_canonical_path(OBJECT(s));
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+         qemu_log("%s: Decode error: write to %" HWADDR_PRIx "=%" PRIx64 "\n",
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+-                 object_get_canonical_path(OBJECT(s)),
-+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++                 path,
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+                  addr, value);
-+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++        g_free(path);
-+ * THE SOFTWARE.
+         ARRAY_FIELD_DP32(s->regs, ZDMA_CH_ISR, INV_APB, true);
-+ */
+         zdma_ch_imr_update_irq(s);
-+
+         return;
 +#ifndef HW_MSS_TIMER_H
 +#define HW_MSS_TIMER_H
 +
 +#include "hw/sysbus.h"
 +#include "hw/ptimer.h"
 +
 +#define TYPE_MSS_TIMER     "mss-timer"
 +#define MSS_TIMER(obj)     OBJECT_CHECK(MSSTimerState, \
 +                              (obj), TYPE_MSS_TIMER)
 +
 +/*
 + * There are two 32-bit down counting timers.
 + * Timers 1 and 2 can be concatenated into a single 64-bit Timer
 + * that operates either in Periodic mode or in One-shot mode.
 + * Writing 1 to the TIM64_MODE register bit 0 sets the Timers in 64-bit mode.
 + * In 64-bit mode, writing to the 32-bit registers has no effect.
 + * Similarly, in 32-bit mode, writing to the 64-bit mode registers
 + * has no effect. Only two 32-bit timers are supported currently.
 + */
 +#define NUM_TIMERS        2
 +
 +#define R_TIM1_MAX        6
 +
 +struct Msf2Timer {
 +    QEMUBH *bh;
 +    ptimer_state *ptimer;
 +
 +    uint32_t regs[R_TIM1_MAX];
 +    qemu_irq irq;
 +};
 +
 +typedef struct MSSTimerState {
 +    SysBusDevice parent_obj;
 +
 +    MemoryRegion mmio;
 +    uint32_t freq_hz;
 +    struct Msf2Timer timers[NUM_TIMERS];
 +} MSSTimerState;
 +
 +#endif /* HW_MSS_TIMER_H */
 diff --git a/hw/timer/mss-timer.c b/hw/timer/mss-timer.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/timer/mss-timer.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * Block model of System timer present in
 + * Microsemi's SmartFusion2 and SmartFusion SoCs.
 + *
 + * Copyright (c) 2017 Subbaraya Sundeep <sundeep.lkml@gmail.com>.
 + *
 + * Permission is hereby granted, free of charge, to any person obtaining a copy
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
 + * The above copyright notice and this permission notice shall be included in
 + * all copies or substantial portions of the Software.
 + *
 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "qemu/main-loop.h"
 +#include "qemu/log.h"
 +#include "hw/timer/mss-timer.h"
 +
 +#ifndef MSS_TIMER_ERR_DEBUG
 +#define MSS_TIMER_ERR_DEBUG  0
 +#endif
 +
 +#define DB_PRINT_L(lvl, fmt, args...) do { \
 +    if (MSS_TIMER_ERR_DEBUG >= lvl) { \
 +        qemu_log("%s: " fmt "\n", __func__, ## args); \
 +    } \
 +} while (0);
 +
 +#define DB_PRINT(fmt, args...) DB_PRINT_L(1, fmt, ## args)
 +
 +#define R_TIM_VAL         0
 +#define R_TIM_LOADVAL     1
 +#define R_TIM_BGLOADVAL   2
 +#define R_TIM_CTRL        3
 +#define R_TIM_RIS         4
 +#define R_TIM_MIS         5
 +
 +#define TIMER_CTRL_ENBL     (1 << 0)
 +#define TIMER_CTRL_ONESHOT  (1 << 1)
 +#define TIMER_CTRL_INTR     (1 << 2)
 +#define TIMER_RIS_ACK       (1 << 0)
 +#define TIMER_RST_CLR       (1 << 6)
 +#define TIMER_MODE          (1 << 0)
 +
 +static void timer_update_irq(struct Msf2Timer *st)
 +{
 +    bool isr, ier;
 +
 +    isr = !!(st->regs[R_TIM_RIS] & TIMER_RIS_ACK);
 +    ier = !!(st->regs[R_TIM_CTRL] & TIMER_CTRL_INTR);
 +    qemu_set_irq(st->irq, (ier && isr));
 +}
 +
 +static void timer_update(struct Msf2Timer *st)
 +{
 +    uint64_t count;
 +
 +    if (!(st->regs[R_TIM_CTRL] & TIMER_CTRL_ENBL)) {
 +        ptimer_stop(st->ptimer);
 +        return;
 +    }
 +
 +    count = st->regs[R_TIM_LOADVAL];
 +    ptimer_set_limit(st->ptimer, count, 1);
 +    ptimer_run(st->ptimer, 1);
 +}
 +
 +static uint64_t
 +timer_read(void *opaque, hwaddr offset, unsigned int size)
 +{
 +    MSSTimerState *t = opaque;
 +    hwaddr addr;
 +    struct Msf2Timer *st;
 +    uint32_t ret = 0;
 +    int timer = 0;
 +    int isr;
 +    int ier;
 +
 +    addr = offset >> 2;
 +    /*
 +     * Two independent timers has same base address.
 +     * Based on address passed figure out which timer is being used.
 +     */
 +    if ((addr >= R_TIM1_MAX) && (addr < NUM_TIMERS * R_TIM1_MAX)) {
 +        timer = 1;
 +        addr -= R_TIM1_MAX;
 +    }
 +
 +    st = &t->timers[timer];
 +
 +    switch (addr) {
 +    case R_TIM_VAL:
 +        ret = ptimer_get_count(st->ptimer);
 +        break;
 +
 +    case R_TIM_MIS:
 +        isr = !!(st->regs[R_TIM_RIS] & TIMER_RIS_ACK);
 +        ier = !!(st->regs[R_TIM_CTRL] & TIMER_CTRL_INTR);
 +        ret = ier & isr;
 +        break;
 +
 +    default:
 +        if (addr < R_TIM1_MAX) {
 +            ret = st->regs[addr];
 +        } else {
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                        TYPE_MSS_TIMER": 64-bit mode not supported\n");
 +            return ret;
 +        }
 +        break;
 +    }
 +
 +    DB_PRINT("timer=%d 0x%" HWADDR_PRIx "=0x%" PRIx32, timer, offset,
 +            ret);
 +    return ret;
 +}
 +
 +static void
 +timer_write(void *opaque, hwaddr offset,
 +            uint64_t val64, unsigned int size)
 +{
 +    MSSTimerState *t = opaque;
 +    hwaddr addr;
 +    struct Msf2Timer *st;
 +    int timer = 0;
 +    uint32_t value = val64;
 +
 +    addr = offset >> 2;
 +    /*
 +     * Two independent timers has same base address.
 +     * Based on addr passed figure out which timer is being used.
 +     */
 +    if ((addr >= R_TIM1_MAX) && (addr < NUM_TIMERS * R_TIM1_MAX)) {
 +        timer = 1;
 +        addr -= R_TIM1_MAX;
 +    }
 +
 +    st = &t->timers[timer];
 +
 +    DB_PRINT("addr=0x%" HWADDR_PRIx " val=0x%" PRIx32 " (timer=%d)", offset,
 +            value, timer);
 +
 +    switch (addr) {
 +    case R_TIM_CTRL:
 +        st->regs[R_TIM_CTRL] = value;
 +        timer_update(st);
 +        break;
 +
 +    case R_TIM_RIS:
 +        if (value & TIMER_RIS_ACK) {
 +            st->regs[R_TIM_RIS] &= ~TIMER_RIS_ACK;
 +        }
 +        break;
 +
 +    case R_TIM_LOADVAL:
 +        st->regs[R_TIM_LOADVAL] = value;
 +        if (st->regs[R_TIM_CTRL] & TIMER_CTRL_ENBL) {
 +            timer_update(st);
 +        }
 +        break;
 +
 +    case R_TIM_BGLOADVAL:
 +        st->regs[R_TIM_BGLOADVAL] = value;
 +        st->regs[R_TIM_LOADVAL] = value;
 +        break;
 +
 +    case R_TIM_VAL:
 +    case R_TIM_MIS:
 +        break;
 +
 +    default:
 +        if (addr < R_TIM1_MAX) {
 +            st->regs[addr] = value;
 +        } else {
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                        TYPE_MSS_TIMER": 64-bit mode not supported\n");
 +            return;
 +        }
 +        break;
 +    }
 +    timer_update_irq(st);
 +}
 +
 +static const MemoryRegionOps timer_ops = {
 +    .read = timer_read,
 +    .write = timer_write,
 +    .endianness = DEVICE_NATIVE_ENDIAN,
 +    .valid = {
 +        .min_access_size = 1,
 +        .max_access_size = 4
 +    }
 +};
 +
 +static void timer_hit(void *opaque)
 +{
 +    struct Msf2Timer *st = opaque;
 +
 +    st->regs[R_TIM_RIS] |= TIMER_RIS_ACK;
 +
 +    if (!(st->regs[R_TIM_CTRL] & TIMER_CTRL_ONESHOT)) {
 +        timer_update(st);
 +    }
 +    timer_update_irq(st);
 +}
 +
 +static void mss_timer_init(Object *obj)
 +{
 +    MSSTimerState *t = MSS_TIMER(obj);
 +    int i;
 +
 +    /* Init all the ptimers.  */
 +    for (i = 0; i < NUM_TIMERS; i++) {
 +        struct Msf2Timer *st = &t->timers[i];
 +
 +        st->bh = qemu_bh_new(timer_hit, st);
 +        st->ptimer = ptimer_init(st->bh, PTIMER_POLICY_DEFAULT);
 +        ptimer_set_freq(st->ptimer, t->freq_hz);
 +        sysbus_init_irq(SYS_BUS_DEVICE(obj), &st->irq);
 +    }
 +
 +    memory_region_init_io(&t->mmio, OBJECT(t), &timer_ops, t, TYPE_MSS_TIMER,
 +                          NUM_TIMERS * R_TIM1_MAX * 4);
 +    sysbus_init_mmio(SYS_BUS_DEVICE(obj), &t->mmio);
 +}
 +
 +static const VMStateDescription vmstate_timers = {
 +    .name = "mss-timer-block",
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_PTIMER(ptimer, struct Msf2Timer),
 +        VMSTATE_UINT32_ARRAY(regs, struct Msf2Timer, R_TIM1_MAX),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
 +static const VMStateDescription vmstate_mss_timer = {
 +    .name = TYPE_MSS_TIMER,
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_UINT32(freq_hz, MSSTimerState),
 +        VMSTATE_STRUCT_ARRAY(timers, MSSTimerState, NUM_TIMERS, 0,
 +                vmstate_timers, struct Msf2Timer),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
 +static Property mss_timer_properties[] = {
 +    /* Libero GUI shows 100Mhz as default for clocks */
 +    DEFINE_PROP_UINT32("clock-frequency", MSSTimerState, freq_hz,
 +                      100 * 1000000),
 +    DEFINE_PROP_END_OF_LIST(),
 +};
 +
 +static void mss_timer_class_init(ObjectClass *klass, void *data)
 +{
 +    DeviceClass *dc = DEVICE_CLASS(klass);
 +
 +    dc->props = mss_timer_properties;
 +    dc->vmsd = &vmstate_mss_timer;
 +}
 +
 +static const TypeInfo mss_timer_info = {
 +    .name          = TYPE_MSS_TIMER,
 +    .parent        = TYPE_SYS_BUS_DEVICE,
 +    .instance_size = sizeof(MSSTimerState),
 +    .instance_init = mss_timer_init,
 +    .class_init    = mss_timer_class_init,
 +};
 +
 +static void mss_timer_register_types(void)
 +{
 +    type_register_static(&mss_timer_info);
 +}
 +
 +type_init(mss_timer_register_types)
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 25/31] hw/i2c/omap_i2c.c: Don't use old_mmio
+[Qemu-devel] [PULL 09/25] Correct CPACR reset value for v7 cores
-Don't use old_mmio in the memory region ops struct.
+In commit f0aff255700 we made cpacr_write() enforce that some CPACR
 bits are RAZ/WI and some are RAO/WI for ARMv7 cores. Unfortunately
 we forgot to also update the register's reset value. The effect
 was that (a) a guest that read CPACR on reset would not see ones in
 the RAO bits, and (b) if you did a migration before the guest did
 a write to the CPACR then the migration would fail because the
 destination would enforce the RAO bits and then complain that they
 didn't match the zero value from the source.
+Implement reset for the CPACR using a custom reset function
+that just calls cpacr_write(), to avoid having to duplicate
+the logic for which bits are RAO.
+This bug would affect migration for TCG CPUs which are ARMv7
+with VFP but without one of Neon or VFPv3.
+Reported-by: Cédric Le Goater <clg@kaod.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Tested-by: Cédric Le Goater <clg@kaod.org>
-Message-id: 1505580378-9044-6-git-send-email-peter.maydell@linaro.org
+Message-id: 20180522173713.26282-1-peter.maydell@linaro.org
 ---
- hw/i2c/omap_i2c.c | 44 ++++++++++++++++++++++++++++++++------------
+ target/arm/helper.c | 10 +++++++++-
-file changed, 32 insertions(+), 12 deletions(-)
+file changed, 9 insertions(+), 1 deletion(-)
-diff --git a/hw/i2c/omap_i2c.c b/hw/i2c/omap_i2c.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/i2c/omap_i2c.c
+--- a/target/arm/helper.c
-+++ b/hw/i2c/omap_i2c.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void omap_i2c_writeb(void *opaque, hwaddr addr,
+@@ -XXX,XX +XXX,XX @@ static void cpacr_write(CPUARMState *env, const ARMCPRegInfo *ri,
-     }
+     env->cp15.cpacr_el1 = value;
  }
-+static uint64_t omap_i2c_readfn(void *opaque, hwaddr addr,
++static void cpacr_reset(CPUARMState *env, const ARMCPRegInfo *ri)
 +                                unsigned size)
 +{
-+    switch (size) {
++    /* Call cpacr_write() so that we reset with the correct RAO bits set
-+    case 2:
++     * for our CPU features.
-+        return omap_i2c_read(opaque, addr);
++     */
-+    default:
++    cpacr_write(env, ri, 0);
 +        return omap_badwidth_read16(opaque, addr);
 +    }
 +}
 +
-+static void omap_i2c_writefn(void *opaque, hwaddr addr,
+ static CPAccessResult cpacr_access(CPUARMState *env, const ARMCPRegInfo *ri,
-+                             uint64_t value, unsigned size)
+                                    bool isread)
-+{
+ {
-+    switch (size) {
+@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v6_cp_reginfo[] = {
-+    case 1:
+     { .name = "CPACR", .state = ARM_CP_STATE_BOTH, .opc0 = 3,
-+        /* Only the last fifo write can be 8 bit. */
+       .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 2, .accessfn = cpacr_access,
-+        omap_i2c_writeb(opaque, addr, value);
+       .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.cpacr_el1),
-+        break;
+-      .resetvalue = 0, .writefn = cpacr_write },
-+    case 2:
++      .resetfn = cpacr_reset, .writefn = cpacr_write },
-+        omap_i2c_write(opaque, addr, value);
+     REGINFO_SENTINEL
 +        break;
 +    default:
 +        omap_badwidth_write16(opaque, addr, value);
 +        break;
 +    }
 +}
 +
  static const MemoryRegionOps omap_i2c_ops = {
 -    .old_mmio = {
 -        .read = {
 -            omap_badwidth_read16,
 -            omap_i2c_read,
 -            omap_badwidth_read16,
 -        },
 -        .write = {
 -            omap_i2c_writeb, /* Only the last fifo write can be 8 bit.  */
 -            omap_i2c_write,
 -            omap_badwidth_write16,
 -        },
 -    },
 +    .read = omap_i2c_readfn,
 +    .write = omap_i2c_writefn,
 +    .valid.min_access_size = 1,
 +    .valid.max_access_size = 4,
      .endianness = DEVICE_NATIVE_ENDIAN,
  };
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 24/31] hw/timer/omap_gptimer: Don't use old_mmio
+[Qemu-devel] [PULL 10/25] memory.h: Improve IOMMU related documentation
-Don't use the old_mmio struct in memory region ops.
+Add more detail to the documentation for memory_region_init_iommu()
 and other IOMMU-related functions and data structures.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505580378-9044-5-git-send-email-peter.maydell@linaro.org
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Message-id: 20180521140402.23318-2-peter.maydell@linaro.org
 ---
- hw/timer/omap_gptimer.c | 49 +++++++++++++++++++++++++++++++++++++------------
+ include/exec/memory.h | 105 ++++++++++++++++++++++++++++++++++++++----
-file changed, 37 insertions(+), 12 deletions(-)
+file changed, 95 insertions(+), 10 deletions(-)
-diff --git a/hw/timer/omap_gptimer.c b/hw/timer/omap_gptimer.c
+diff --git a/include/exec/memory.h b/include/exec/memory.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/omap_gptimer.c
+--- a/include/exec/memory.h
-+++ b/hw/timer/omap_gptimer.c
++++ b/include/exec/memory.h
-@@ -XXX,XX +XXX,XX @@ static void omap_gp_timer_writeh(void *opaque, hwaddr addr,
+@@ -XXX,XX +XXX,XX @@ enum IOMMUMemoryRegionAttr {
-         s->writeh = (uint16_t) value;
+     IOMMU_ATTR_SPAPR_TCE_FD
  }
 +static uint64_t omap_gp_timer_readfn(void *opaque, hwaddr addr,
 +                                     unsigned size)
 +{
 +    switch (size) {
 +    case 1:
 +        return omap_badwidth_read32(opaque, addr);
 +    case 2:
 +        return omap_gp_timer_readh(opaque, addr);
 +    case 4:
 +        return omap_gp_timer_readw(opaque, addr);
 +    default:
 +        g_assert_not_reached();
 +    }
 +}
 +
 +static void omap_gp_timer_writefn(void *opaque, hwaddr addr,
 +                                  uint64_t value, unsigned size)
 +{
 +    switch (size) {
 +    case 1:
 +        omap_badwidth_write32(opaque, addr, value);
 +        break;
 +    case 2:
 +        omap_gp_timer_writeh(opaque, addr, value);
 +        break;
 +    case 4:
 +        omap_gp_timer_write(opaque, addr, value);
 +        break;
 +    default:
 +        g_assert_not_reached();
 +    }
 +}
 +
  static const MemoryRegionOps omap_gp_timer_ops = {
 -    .old_mmio = {
 -        .read = {
 -            omap_badwidth_read32,
 -            omap_gp_timer_readh,
 -            omap_gp_timer_readw,
 -        },
 -        .write = {
 -            omap_badwidth_write32,
 -            omap_gp_timer_writeh,
 -            omap_gp_timer_write,
 -        },
 -    },
 +    .read = omap_gp_timer_readfn,
 +    .write = omap_gp_timer_writefn,
 +    .valid.min_access_size = 1,
 +    .valid.max_access_size = 4,
      .endianness = DEVICE_NATIVE_ENDIAN,
  };
++/**
++ * IOMMUMemoryRegionClass:
++ *
++ * All IOMMU implementations need to subclass TYPE_IOMMU_MEMORY_REGION
++ * and provide an implementation of at least the @translate method here
++ * to handle requests to the memory region. Other methods are optional.
++ *
++ * The IOMMU implementation must use the IOMMU notifier infrastructure
++ * to report whenever mappings are changed, by calling
++ * memory_region_notify_iommu() (or, if necessary, by calling
++ * memory_region_notify_one() for each registered notifier).
++ */
+ typedef struct IOMMUMemoryRegionClass {
+     /* private */
+     struct DeviceClass parent_class;
+     /*
+-     * Return a TLB entry that contains a given address. Flag should
+-     * be the access permission of this translation operation. We can
+-     * set flag to IOMMU_NONE to mean that we don't need any
+-     * read/write permission checks, like, when for region replay.
++     * Return a TLB entry that contains a given address.
++     *
++     * The IOMMUAccessFlags indicated via @flag are optional and may
++     * be specified as IOMMU_NONE to indicate that the caller needs
++     * the full translation information for both reads and writes. If
++     * the access flags are specified then the IOMMU implementation
++     * may use this as an optimization, to stop doing a page table
++     * walk as soon as it knows that the requested permissions are not
++     * allowed. If IOMMU_NONE is passed then the IOMMU must do the
++     * full page table walk and report the permissions in the returned
++     * IOMMUTLBEntry. (Note that this implies that an IOMMU may not
++     * return different mappings for reads and writes.)
++     *
++     * The returned information remains valid while the caller is
++     * holding the big QEMU lock or is inside an RCU critical section;
++     * if the caller wishes to cache the mapping beyond that it must
++     * register an IOMMU notifier so it can invalidate its cached
++     * information when the IOMMU mapping changes.
++     *
++     * @iommu: the IOMMUMemoryRegion
++     * @hwaddr: address to be translated within the memory region
++     * @flag: requested access permissions
+      */
+     IOMMUTLBEntry (*translate)(IOMMUMemoryRegion *iommu, hwaddr addr,
+                                IOMMUAccessFlags flag);
+-    /* Returns minimum supported page size */
++    /* Returns minimum supported page size in bytes.
++     * If this method is not provided then the minimum is assumed to
++     * be TARGET_PAGE_SIZE.
++     *
++     * @iommu: the IOMMUMemoryRegion
++     */
+     uint64_t (*get_min_page_size)(IOMMUMemoryRegion *iommu);
+-    /* Called when IOMMU Notifier flag changed */
++    /* Called when IOMMU Notifier flag changes (ie when the set of
++     * events which IOMMU users are requesting notification for changes).
++     * Optional method -- need not be provided if the IOMMU does not
++     * need to know exactly which events must be notified.
++     *
++     * @iommu: the IOMMUMemoryRegion
++     * @old_flags: events which previously needed to be notified
++     * @new_flags: events which now need to be notified
++     */
+     void (*notify_flag_changed)(IOMMUMemoryRegion *iommu,
+                                 IOMMUNotifierFlag old_flags,
+                                 IOMMUNotifierFlag new_flags);
+-    /* Set this up to provide customized IOMMU replay function */
++    /* Called to handle memory_region_iommu_replay().
++     *
++     * The default implementation of memory_region_iommu_replay() is to
++     * call the IOMMU translate method for every page in the address space
++     * with flag == IOMMU_NONE and then call the notifier if translate
++     * returns a valid mapping. If this method is implemented then it
++     * overrides the default behaviour, and must provide the full semantics
++     * of memory_region_iommu_replay(), by calling @notifier for every
++     * translation present in the IOMMU.
++     *
++     * Optional method -- an IOMMU only needs to provide this method
++     * if the default is inefficient or produces undesirable side effects.
++     *
++     * Note: this is not related to record-and-replay functionality.
++     */
+     void (*replay)(IOMMUMemoryRegion *iommu, IOMMUNotifier *notifier);
+-    /* Get IOMMU misc attributes */
+-    int (*get_attr)(IOMMUMemoryRegion *iommu, enum IOMMUMemoryRegionAttr,
++    /* Get IOMMU misc attributes. This is an optional method that
++     * can be used to allow users of the IOMMU to get implementation-specific
++     * information. The IOMMU implements this method to handle calls
++     * by IOMMU users to memory_region_iommu_get_attr() by filling in
++     * the arbitrary data pointer for any IOMMUMemoryRegionAttr values that
++     * the IOMMU supports. If the method is unimplemented then
++     * memory_region_iommu_get_attr() will always return -EINVAL.
++     *
++     * @iommu: the IOMMUMemoryRegion
++     * @attr: attribute being queried
++     * @data: memory to fill in with the attribute data
++     *
++     * Returns 0 on success, or a negative errno; in particular
++     * returns -EINVAL for unrecognized or unimplemented attribute types.
++     */
++    int (*get_attr)(IOMMUMemoryRegion *iommu, enum IOMMUMemoryRegionAttr attr,
+                     void *data);
+ } IOMMUMemoryRegionClass;
+@@ -XXX,XX +XXX,XX @@ static inline void memory_region_init_reservation(MemoryRegion *mr,
+  * An IOMMU region translates addresses and forwards accesses to a target
+  * memory region.
+  *
++ * The IOMMU implementation must define a subclass of TYPE_IOMMU_MEMORY_REGION.
++ * @_iommu_mr should be a pointer to enough memory for an instance of
++ * that subclass, @instance_size is the size of that subclass, and
++ * @mrtypename is its name. This function will initialize @_iommu_mr as an
++ * instance of the subclass, and its methods will then be called to handle
++ * accesses to the memory region. See the documentation of
++ * #IOMMUMemoryRegionClass for further details.
++ *
+  * @_iommu_mr: the #IOMMUMemoryRegion to be initialized
+  * @instance_size: the IOMMUMemoryRegion subclass instance size
+  * @mrtypename: the type name of the #IOMMUMemoryRegion
+@@ -XXX,XX +XXX,XX @@ void memory_region_register_iommu_notifier(MemoryRegion *mr,
+  * a notifier with the minimum page granularity returned by
+  * mr->iommu_ops->get_page_size().
+  *
++ * Note: this is not related to record-and-replay functionality.
++ *
+  * @iommu_mr: the memory region to observe
+  * @n: the notifier to which to replay iommu mappings
+  */
+@@ -XXX,XX +XXX,XX @@ void memory_region_iommu_replay(IOMMUMemoryRegion *iommu_mr, IOMMUNotifier *n);
+  * memory_region_iommu_replay_all: replay existing IOMMU translations
+  * to all the notifiers registered.
+  *
++ * Note: this is not related to record-and-replay functionality.
++ *
+  * @iommu_mr: the memory region to observe
+  */
+ void memory_region_iommu_replay_all(IOMMUMemoryRegion *iommu_mr);
+@@ -XXX,XX +XXX,XX @@ void memory_region_unregister_iommu_notifier(MemoryRegion *mr,
+  * memory_region_iommu_get_attr: return an IOMMU attr if get_attr() is
+  * defined on the IOMMU.
+  *
+- * Returns 0 if succeded, error code otherwise.
++ * Returns 0 on success, or a negative errno otherwise. In particular,
++ * -EINVAL indicates that the IOMMU does not support the requested
++ * attribute.
+  *
+  * @iommu_mr: the memory region
+  * @attr: the requested attribute
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 09/31] nvic: Make set_pending and clear_pending take a secure parameter
+[Qemu-devel] [PULL 11/25] Make tb_invalidate_phys_addr() take a MemTxAttrs argument
-Make the armv7m_nvic_set_pending() and armv7m_nvic_clear_pending()
+As part of plumbing MemTxAttrs down to the IOMMU translate method,
-functions take a bool indicating whether to pend the secure
+add MemTxAttrs as an argument to tb_invalidate_phys_addr().
-or non-secure version of a banked interrupt, and update the
+Its callers either have an attrs value to hand, or don't care
-callsites accordingly.
+and can use MEMTXATTRS_UNSPECIFIED.
 In most callsites we can simply pass the correct security
 state in; in a couple of cases we use TODO comments to indicate
 that we will return the code in a subsequent commit.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505240046-11454-10-git-send-email-peter.maydell@linaro.org
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Message-id: 20180521140402.23318-3-peter.maydell@linaro.org
 ---
- target/arm/cpu.h      | 14 ++++++++++-
+ include/exec/exec-all.h   | 5 +++--
- hw/intc/armv7m_nvic.c | 64 ++++++++++++++++++++++++++++++++++++++-------------
+ accel/tcg/translate-all.c | 2 +-
- target/arm/helper.c   | 24 +++++++++++--------
+ exec.c                    | 2 +-
- hw/intc/trace-events  |  4 ++--
+ target/xtensa/op_helper.c | 3 ++-
-files changed, 77 insertions(+), 29 deletions(-)
+files changed, 7 insertions(+), 5 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
+--- a/include/exec/exec-all.h
-+++ b/target/arm/cpu.h
++++ b/include/exec/exec-all.h
-@@ -XXX,XX +XXX,XX @@ static inline bool armv7m_nvic_can_take_pending_exception(void *opaque)
+@@ -XXX,XX +XXX,XX @@ void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr,
-     return true;
+ void tlb_set_page(CPUState *cpu, target_ulong vaddr,
                    hwaddr paddr, int prot,
                    int mmu_idx, target_ulong size);
 -void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr);
 +void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs);
  void probe_write(CPUArchState *env, target_ulong addr, int size, int mmu_idx,
                   uintptr_t retaddr);
  #else
@@ -XXX,XX +XXX,XX @@ static inline void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *cpu,
                                                         uint16_t idxmap)
  {
  }
 -static inline void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr)
 +static inline void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr,
 +                                           MemTxAttrs attrs)
  {
  }
  #endif
--void armv7m_nvic_set_pending(void *opaque, int irq);
+diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
 +/**
 + * armv7m_nvic_set_pending: mark the specified exception as pending
 + * @opaque: the NVIC
 + * @irq: the exception number to mark pending
 + * @secure: false for non-banked exceptions or for the nonsecure
 + * version of a banked exception, true for the secure version of a banked
 + * exception.
 + *
 + * Marks the specified exception as pending. Note that we will assert()
 + * if @secure is true and @irq does not specify one of the fixed set
 + * of architecturally banked exceptions.
 + */
 +void armv7m_nvic_set_pending(void *opaque, int irq, bool secure);
  void armv7m_nvic_acknowledge_irq(void *opaque);
  /**
   * armv7m_nvic_complete_irq: complete specified interrupt or exception
 diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
+--- a/accel/tcg/translate-all.c
-+++ b/hw/intc/armv7m_nvic.c
++++ b/accel/tcg/translate-all.c
-@@ -XXX,XX +XXX,XX @@ static void nvic_irq_update(NVICState *s)
+@@ -XXX,XX +XXX,XX @@ static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
      qemu_set_irq(s->excpout, lvl);
  }
--static void armv7m_nvic_clear_pending(void *opaque, int irq)
+ #if !defined(CONFIG_USER_ONLY)
-+/**
+-void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr)
-+ * armv7m_nvic_clear_pending: mark the specified exception as not pending
++void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs)
 + * @opaque: the NVIC
 + * @irq: the exception number to mark as not pending
 + * @secure: false for non-banked exceptions or for the nonsecure
 + * version of a banked exception, true for the secure version of a banked
 + * exception.
 + *
 + * Marks the specified exception as not pending. Note that we will assert()
 + * if @secure is true and @irq does not specify one of the fixed set
 + * of architecturally banked exceptions.
 + */
 +static void armv7m_nvic_clear_pending(void *opaque, int irq, bool secure)
  {
-     NVICState *s = (NVICState *)opaque;
+     ram_addr_t ram_addr;
-     VecInfo *vec;
+     MemoryRegion *mr;
+diff --git a/exec.c b/exec.c
-     assert(irq > ARMV7M_EXCP_RESET && irq < s->num_irq);
+index XXXXXXX..XXXXXXX 100644
+--- a/exec.c
--    vec = &s->vectors[irq];
++++ b/exec.c
--    trace_nvic_clear_pending(irq, vec->enabled, vec->prio);
+@@ -XXX,XX +XXX,XX @@ static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
-+    if (secure) {
+     if (phys != -1) {
-+        assert(exc_is_banked(irq));
+         /* Locks grabbed by tb_invalidate_phys_addr */
-+        vec = &s->sec_vectors[irq];
+         tb_invalidate_phys_addr(cpu->cpu_ases[asidx].as,
-+    } else {
+-                                phys | (pc & ~TARGET_PAGE_MASK));
-+        vec = &s->vectors[irq];
++                                phys | (pc & ~TARGET_PAGE_MASK), attrs);
 +    }
 +    trace_nvic_clear_pending(irq, secure, vec->enabled, vec->prio);
      if (vec->pending) {
          vec->pending = 0;
          nvic_irq_update(s);
      }
  }
+ #endif
--void armv7m_nvic_set_pending(void *opaque, int irq)
+diff --git a/target/xtensa/op_helper.c b/target/xtensa/op_helper.c
-+void armv7m_nvic_set_pending(void *opaque, int irq, bool secure)
+index XXXXXXX..XXXXXXX 100644
- {
+--- a/target/xtensa/op_helper.c
-     NVICState *s = (NVICState *)opaque;
++++ b/target/xtensa/op_helper.c
-+    bool banked = exc_is_banked(irq);
+@@ -XXX,XX +XXX,XX @@ static void tb_invalidate_virtual_addr(CPUXtensaState *env, uint32_t vaddr)
-     VecInfo *vec;
+     int ret = xtensa_get_physical_addr(env, false, vaddr, 2, 0,
+             &paddr, &page_size, &access);
-     assert(irq > ARMV7M_EXCP_RESET && irq < s->num_irq);
+     if (ret == 0) {
-+    assert(!secure || banked);
+-        tb_invalidate_phys_addr(&address_space_memory, paddr);
++        tb_invalidate_phys_addr(&address_space_memory, paddr,
--    vec = &s->vectors[irq];
++                                MEMTXATTRS_UNSPECIFIED);
 -    trace_nvic_set_pending(irq, vec->enabled, vec->prio);
 +    vec = (banked && secure) ? &s->sec_vectors[irq] : &s->vectors[irq];
 +    trace_nvic_set_pending(irq, secure, vec->enabled, vec->prio);
      if (irq >= ARMV7M_EXCP_HARD && irq < ARMV7M_EXCP_PENDSV) {
          /* If a synchronous exception is pending then it may be
@@ -XXX,XX +XXX,XX @@ void armv7m_nvic_set_pending(void *opaque, int irq)
                            "(current priority %d)\n", irq, running);
              }
 -            /* We can do the escalation, so we take HardFault instead */
 +            /* We can do the escalation, so we take HardFault instead.
 +             * If BFHFNMINS is set then we escalate to the banked HF for
 +             * the target security state of the original exception; otherwise
 +             * we take a Secure HardFault.
 +             */
              irq = ARMV7M_EXCP_HARD;
 -            vec = &s->vectors[irq];
 +            if (arm_feature(&s->cpu->env, ARM_FEATURE_M_SECURITY) &&
 +                (secure ||
 +                 !(s->cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK))) {
 +                vec = &s->sec_vectors[irq];
 +            } else {
 +                vec = &s->vectors[irq];
 +            }
 +            /* HF may be banked but there is only one shared HFSR */
              s->cpu->env.v7m.hfsr |= R_V7M_HFSR_FORCED_MASK;
          }
      }
@@ -XXX,XX +XXX,XX @@ static void set_irq_level(void *opaque, int n, int level)
      if (level != vec->level) {
          vec->level = level;
          if (level) {
 -            armv7m_nvic_set_pending(s, n);
 +            armv7m_nvic_set_pending(s, n, false);
          }
      }
  }
-@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
      }
      case 0xd04: /* Interrupt Control State.  */
          if (value & (1 << 31)) {
 -            armv7m_nvic_set_pending(s, ARMV7M_EXCP_NMI);
 +            armv7m_nvic_set_pending(s, ARMV7M_EXCP_NMI, false);
          }
          if (value & (1 << 28)) {
 -            armv7m_nvic_set_pending(s, ARMV7M_EXCP_PENDSV);
 +            armv7m_nvic_set_pending(s, ARMV7M_EXCP_PENDSV, attrs.secure);
          } else if (value & (1 << 27)) {
 -            armv7m_nvic_clear_pending(s, ARMV7M_EXCP_PENDSV);
 +            armv7m_nvic_clear_pending(s, ARMV7M_EXCP_PENDSV, attrs.secure);
          }
          if (value & (1 << 26)) {
 -            armv7m_nvic_set_pending(s, ARMV7M_EXCP_SYSTICK);
 +            armv7m_nvic_set_pending(s, ARMV7M_EXCP_SYSTICK, attrs.secure);
          } else if (value & (1 << 25)) {
 -            armv7m_nvic_clear_pending(s, ARMV7M_EXCP_SYSTICK);
 +            armv7m_nvic_clear_pending(s, ARMV7M_EXCP_SYSTICK, attrs.secure);
          }
          break;
      case 0xd08: /* Vector Table Offset.  */
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
      {
          int excnum = (value & 0x1ff) + NVIC_FIRST_IRQ;
          if (excnum < s->num_irq) {
 -            armv7m_nvic_set_pending(s, excnum);
 +            armv7m_nvic_set_pending(s, excnum, false);
          }
          break;
      }
@@ -XXX,XX +XXX,XX @@ static void nvic_systick_trigger(void *opaque, int n, int level)
          /* SysTick just asked us to pend its exception.
           * (This is different from an external interrupt line's
           * behaviour.)
 +         * TODO: when we implement the banked systicks we must make
 +         * this pend the correct banked exception.
           */
 -        armv7m_nvic_set_pending(s, ARMV7M_EXCP_SYSTICK);
 +        armv7m_nvic_set_pending(s, ARMV7M_EXCP_SYSTICK, false);
      }
  }
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
           * stack, directly take a usage fault on the current stack.
           */
          env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE);
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
          v7m_exception_taken(cpu, excret);
          qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on existing "
                        "stackframe: failed exception return integrity check\n");
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
       * exception return excret specified then this is a UsageFault.
       */
      if (return_to_handler != arm_v7m_is_handler_mode(env)) {
 -        /* Take an INVPC UsageFault by pushing the stack again. */
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE);
 +        /* Take an INVPC UsageFault by pushing the stack again.
 +         * TODO: the v8M version of this code should target the
 +         * background state for this exception.
 +         */
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, false);
          env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
          v7m_push_stack(cpu);
          v7m_exception_taken(cpu, excret);
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
         handle it.  */
      switch (cs->exception_index) {
      case EXCP_UDEF:
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE);
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
          env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_UNDEFINSTR_MASK;
          break;
      case EXCP_NOCP:
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE);
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
          env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_NOCP_MASK;
          break;
      case EXCP_INVSTATE:
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE);
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
          env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVSTATE_MASK;
          break;
      case EXCP_SWI:
          /* The PC already points to the next instruction.  */
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SVC);
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SVC, env->v7m.secure);
          break;
      case EXCP_PREFETCH_ABORT:
      case EXCP_DATA_ABORT:
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
                                env->v7m.bfar);
                  break;
              }
 -            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS);
 +            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
              break;
          default:
              /* All other FSR values are either MPU faults or "can't happen
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
                                env->v7m.mmfar[env->v7m.secure]);
                  break;
              }
 -            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM);
 +            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM,
 +                                    env->v7m.secure);
              break;
          }
          break;
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
                  return;
              }
          }
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_DEBUG);
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_DEBUG, false);
          break;
      case EXCP_IRQ:
          break;
 diff --git a/hw/intc/trace-events b/hw/intc/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/trace-events
 +++ b/hw/intc/trace-events
@@ -XXX,XX +XXX,XX @@ nvic_set_prio(int irq, uint8_t prio) "NVIC set irq %d priority %d"
  nvic_irq_update(int vectpending, int pendprio, int exception_prio, int level) "NVIC vectpending %d pending prio %d exception_prio %d: setting irq line to %d"
  nvic_escalate_prio(int irq, int irqprio, int runprio) "NVIC escalating irq %d to HardFault: insufficient priority %d >= %d"
  nvic_escalate_disabled(int irq) "NVIC escalating irq %d to HardFault: disabled"
 -nvic_set_pending(int irq, int en, int prio) "NVIC set pending irq %d (enabled: %d priority %d)"
 -nvic_clear_pending(int irq, int en, int prio) "NVIC clear pending irq %d (enabled: %d priority %d)"
 +nvic_set_pending(int irq, bool secure, int en, int prio) "NVIC set pending irq %d secure-bank %d (enabled: %d priority %d)"
 +nvic_clear_pending(int irq, bool secure, int en, int prio) "NVIC clear pending irq %d secure-bank %d (enabled: %d priority %d)"
  nvic_set_pending_level(int irq) "NVIC set pending: irq %d higher prio than vectpending: setting irq line to 1"
  nvic_acknowledge_irq(int irq, int prio) "NVIC acknowledge IRQ: %d now active (prio %d)"
  nvic_complete_irq(int irq) "NVIC complete IRQ %d"
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 23/31] hw/timer/omap_synctimer.c: Don't use old_mmio
+[Qemu-devel] [PULL 12/25] Make address_space_translate{, _cached}() take a MemTxAttrs argument
-Don't use the old_mmio in the memory region ops struct.
+As part of plumbing MemTxAttrs down to the IOMMU translate method,
 add MemTxAttrs as an argument to address_space_translate()
 and address_space_translate_cached(). Callers either have an
 attrs value to hand, or don't care and can use MEMTXATTRS_UNSPECIFIED.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505580378-9044-4-git-send-email-peter.maydell@linaro.org
+Message-id: 20180521140402.23318-4-peter.maydell@linaro.org
 ---
- hw/timer/omap_synctimer.c | 35 +++++++++++++++++++++--------------
+ include/exec/memory.h     |  4 +++-
-file changed, 21 insertions(+), 14 deletions(-)
+ accel/tcg/translate-all.c |  2 +-
+ exec.c                    | 14 +++++++++-----
-diff --git a/hw/timer/omap_synctimer.c b/hw/timer/omap_synctimer.c
+ hw/vfio/common.c          |  3 ++-
-index XXXXXXX..XXXXXXX 100644
+ memory_ldst.inc.c         | 18 +++++++++---------
---- a/hw/timer/omap_synctimer.c
+ target/riscv/helper.c     |  2 +-
-+++ b/hw/timer/omap_synctimer.c
+files changed, 25 insertions(+), 18 deletions(-)
-@@ -XXX,XX +XXX,XX @@ static uint32_t omap_synctimer_readh(void *opaque, hwaddr addr)
-     }
+diff --git a/include/exec/memory.h b/include/exec/memory.h
- }
+index XXXXXXX..XXXXXXX 100644
+--- a/include/exec/memory.h
--static void omap_synctimer_write(void *opaque, hwaddr addr,
++++ b/include/exec/memory.h
--                uint32_t value)
+@@ -XXX,XX +XXX,XX @@ IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
-+static uint64_t omap_synctimer_readfn(void *opaque, hwaddr addr,
+  * #MemoryRegion.
-+                                      unsigned size)
+  * @len: pointer to length
-+{
+  * @is_write: indicates the transfer direction
-+    switch (size) {
++ * @attrs: memory attributes
-+    case 1:
+  */
-+        return omap_badwidth_read32(opaque, addr);
+ MemoryRegion *flatview_translate(FlatView *fv,
-+    case 2:
+                                  hwaddr addr, hwaddr *xlat,
-+        return omap_synctimer_readh(opaque, addr);
+@@ -XXX,XX +XXX,XX @@ MemoryRegion *flatview_translate(FlatView *fv,
-+    case 4:
-+        return omap_synctimer_readw(opaque, addr);
+ static inline MemoryRegion *address_space_translate(AddressSpace *as,
-+    default:
+                                                     hwaddr addr, hwaddr *xlat,
-+        g_assert_not_reached();
+-                                                    hwaddr *len, bool is_write)
-+    }
++                                                    hwaddr *len, bool is_write,
-+}
++                                                    MemTxAttrs attrs)
 +
 +static void omap_synctimer_writefn(void *opaque, hwaddr addr,
 +                                   uint64_t value, unsigned size)
  {
-     OMAP_BAD_REG(addr);
+     return flatview_translate(address_space_to_flatview(as),
- }
+                               addr, xlat, len, is_write);
+diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
- static const MemoryRegionOps omap_synctimer_ops = {
+index XXXXXXX..XXXXXXX 100644
--    .old_mmio = {
+--- a/accel/tcg/translate-all.c
--        .read = {
++++ b/accel/tcg/translate-all.c
--            omap_badwidth_read32,
+@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs)
--            omap_synctimer_readh,
+     hwaddr l = 1;
--            omap_synctimer_readw,
--        },
+     rcu_read_lock();
--        .write = {
+-    mr = address_space_translate(as, addr, &addr, &l, false);
--            omap_badwidth_write32,
++    mr = address_space_translate(as, addr, &addr, &l, false, attrs);
--            omap_synctimer_write,
+     if (!(memory_region_is_ram(mr)
--            omap_synctimer_write,
+           || memory_region_is_romd(mr))) {
--        },
+         rcu_read_unlock();
--    },
+diff --git a/exec.c b/exec.c
-+    .read = omap_synctimer_readfn,
+index XXXXXXX..XXXXXXX 100644
-+    .write = omap_synctimer_writefn,
+--- a/exec.c
-+    .valid.min_access_size = 1,
++++ b/exec.c
-+    .valid.max_access_size = 4,
+@@ -XXX,XX +XXX,XX @@ static inline void cpu_physical_memory_write_rom_internal(AddressSpace *as,
-     .endianness = DEVICE_NATIVE_ENDIAN,
+     rcu_read_lock();
- };
+     while (len > 0) {
+         l = len;
 -        mr = address_space_translate(as, addr, &addr1, &l, true);
 +        mr = address_space_translate(as, addr, &addr1, &l, true,
 +                                     MEMTXATTRS_UNSPECIFIED);
          if (!(memory_region_is_ram(mr) ||
                memory_region_is_romd(mr))) {
@@ -XXX,XX +XXX,XX @@ void address_space_cache_destroy(MemoryRegionCache *cache)
   */
  static inline MemoryRegion *address_space_translate_cached(
      MemoryRegionCache *cache, hwaddr addr, hwaddr *xlat,
 -    hwaddr *plen, bool is_write)
 +    hwaddr *plen, bool is_write, MemTxAttrs attrs)
  {
      MemoryRegionSection section;
      MemoryRegion *mr;
@@ -XXX,XX +XXX,XX @@ address_space_read_cached_slow(MemoryRegionCache *cache, hwaddr addr,
      MemoryRegion *mr;
      l = len;
 -    mr = address_space_translate_cached(cache, addr, &addr1, &l, false);
 +    mr = address_space_translate_cached(cache, addr, &addr1, &l, false,
 +                                        MEMTXATTRS_UNSPECIFIED);
      flatview_read_continue(cache->fv,
                             addr, MEMTXATTRS_UNSPECIFIED, buf, len,
                             addr1, l, mr);
@@ -XXX,XX +XXX,XX @@ address_space_write_cached_slow(MemoryRegionCache *cache, hwaddr addr,
      MemoryRegion *mr;
      l = len;
 -    mr = address_space_translate_cached(cache, addr, &addr1, &l, true);
 +    mr = address_space_translate_cached(cache, addr, &addr1, &l, true,
 +                                        MEMTXATTRS_UNSPECIFIED);
      flatview_write_continue(cache->fv,
                              addr, MEMTXATTRS_UNSPECIFIED, buf, len,
                              addr1, l, mr);
@@ -XXX,XX +XXX,XX @@ bool cpu_physical_memory_is_io(hwaddr phys_addr)
      rcu_read_lock();
      mr = address_space_translate(&address_space_memory,
 -                                 phys_addr, &phys_addr, &l, false);
 +                                 phys_addr, &phys_addr, &l, false,
 +                                 MEMTXATTRS_UNSPECIFIED);
      res = !(memory_region_is_ram(mr) || memory_region_is_romd(mr));
      rcu_read_unlock();
 diff --git a/hw/vfio/common.c b/hw/vfio/common.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/vfio/common.c
 +++ b/hw/vfio/common.c
@@ -XXX,XX +XXX,XX @@ static bool vfio_get_vaddr(IOMMUTLBEntry *iotlb, void **vaddr,
       */
      mr = address_space_translate(&address_space_memory,
                                   iotlb->translated_addr,
 -                                 &xlat, &len, writable);
 +                                 &xlat, &len, writable,
 +                                 MEMTXATTRS_UNSPECIFIED);
      if (!memory_region_is_ram(mr)) {
          error_report("iommu map to non memory area %"HWADDR_PRIx"",
                       xlat);
 diff --git a/memory_ldst.inc.c b/memory_ldst.inc.c
 index XXXXXXX..XXXXXXX 100644
 --- a/memory_ldst.inc.c
 +++ b/memory_ldst.inc.c
@@ -XXX,XX +XXX,XX @@ static inline uint32_t glue(address_space_ldl_internal, SUFFIX)(ARG1_DECL,
      bool release_lock = false;
      RCU_READ_LOCK();
 -    mr = TRANSLATE(addr, &addr1, &l, false);
 +    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
      if (l < 4 || !IS_DIRECT(mr, false)) {
          release_lock |= prepare_mmio_access(mr);
@@ -XXX,XX +XXX,XX @@ static inline uint64_t glue(address_space_ldq_internal, SUFFIX)(ARG1_DECL,
      bool release_lock = false;
      RCU_READ_LOCK();
 -    mr = TRANSLATE(addr, &addr1, &l, false);
 +    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
      if (l < 8 || !IS_DIRECT(mr, false)) {
          release_lock |= prepare_mmio_access(mr);
@@ -XXX,XX +XXX,XX @@ uint32_t glue(address_space_ldub, SUFFIX)(ARG1_DECL,
      bool release_lock = false;
      RCU_READ_LOCK();
 -    mr = TRANSLATE(addr, &addr1, &l, false);
 +    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
      if (!IS_DIRECT(mr, false)) {
          release_lock |= prepare_mmio_access(mr);
@@ -XXX,XX +XXX,XX @@ static inline uint32_t glue(address_space_lduw_internal, SUFFIX)(ARG1_DECL,
      bool release_lock = false;
      RCU_READ_LOCK();
 -    mr = TRANSLATE(addr, &addr1, &l, false);
 +    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
      if (l < 2 || !IS_DIRECT(mr, false)) {
          release_lock |= prepare_mmio_access(mr);
@@ -XXX,XX +XXX,XX @@ void glue(address_space_stl_notdirty, SUFFIX)(ARG1_DECL,
      bool release_lock = false;
      RCU_READ_LOCK();
 -    mr = TRANSLATE(addr, &addr1, &l, true);
 +    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
      if (l < 4 || !IS_DIRECT(mr, true)) {
          release_lock |= prepare_mmio_access(mr);
@@ -XXX,XX +XXX,XX @@ static inline void glue(address_space_stl_internal, SUFFIX)(ARG1_DECL,
      bool release_lock = false;
      RCU_READ_LOCK();
 -    mr = TRANSLATE(addr, &addr1, &l, true);
 +    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
      if (l < 4 || !IS_DIRECT(mr, true)) {
          release_lock |= prepare_mmio_access(mr);
@@ -XXX,XX +XXX,XX @@ void glue(address_space_stb, SUFFIX)(ARG1_DECL,
      bool release_lock = false;
      RCU_READ_LOCK();
 -    mr = TRANSLATE(addr, &addr1, &l, true);
 +    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
      if (!IS_DIRECT(mr, true)) {
          release_lock |= prepare_mmio_access(mr);
          r = memory_region_dispatch_write(mr, addr1, val, 1, attrs);
@@ -XXX,XX +XXX,XX @@ static inline void glue(address_space_stw_internal, SUFFIX)(ARG1_DECL,
      bool release_lock = false;
      RCU_READ_LOCK();
 -    mr = TRANSLATE(addr, &addr1, &l, true);
 +    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
      if (l < 2 || !IS_DIRECT(mr, true)) {
          release_lock |= prepare_mmio_access(mr);
@@ -XXX,XX +XXX,XX @@ static void glue(address_space_stq_internal, SUFFIX)(ARG1_DECL,
      bool release_lock = false;
      RCU_READ_LOCK();
 -    mr = TRANSLATE(addr, &addr1, &l, true);
 +    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
      if (l < 8 || !IS_DIRECT(mr, true)) {
          release_lock |= prepare_mmio_access(mr);
 diff --git a/target/riscv/helper.c b/target/riscv/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/helper.c
 +++ b/target/riscv/helper.c
@@ -XXX,XX +XXX,XX @@ restart:
                  MemoryRegion *mr;
                  hwaddr l = sizeof(target_ulong), addr1;
                  mr = address_space_translate(cs->as, pte_addr,
 -                    &addr1, &l, false);
 +                    &addr1, &l, false, MEMTXATTRS_UNSPECIFIED);
                  if (memory_access_is_direct(mr, true)) {
                      target_ulong *pte_pa =
                          qemu_map_ram_ptr(mr->ram_block, addr1);
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 08/31] nvic: Handle banked exceptions in nvic_recompute_state()
+[Qemu-devel] [PULL 13/25] Make address_space_map() take a MemTxAttrs argument
-Update the nvic_recompute_state() code to handle the security
+As part of plumbing MemTxAttrs down to the IOMMU translate method,
-extension and its associated banked registers.
+add MemTxAttrs as an argument to address_space_map().
+Its callers either have an attrs value to hand, or don't care
-Code that uses the resulting cached state (ie the irq
+and can use MEMTXATTRS_UNSPECIFIED.
 acknowledge and complete code) will be updated in a later
 commit.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505240046-11454-9-git-send-email-peter.maydell@linaro.org
+Message-id: 20180521140402.23318-5-peter.maydell@linaro.org
 ---
- hw/intc/armv7m_nvic.c | 151 ++++++++++++++++++++++++++++++++++++++++++++++++--
+ include/exec/memory.h   | 3 ++-
- hw/intc/trace-events  |   1 +
+ include/sysemu/dma.h    | 3 ++-
-files changed, 147 insertions(+), 5 deletions(-)
+ exec.c                  | 6 ++++--
  target/ppc/mmu-hash64.c | 3 ++-
 files changed, 10 insertions(+), 5 deletions(-)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
+diff --git a/include/exec/memory.h b/include/exec/memory.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
+--- a/include/exec/memory.h
-+++ b/hw/intc/armv7m_nvic.c
++++ b/include/exec/memory.h
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len, bool is_
-  * (higher than the highest possible priority value)
+  * @addr: address within that address space
   * @plen: pointer to length of buffer; updated on return
   * @is_write: indicates the transfer direction
 + * @attrs: memory attributes
   */
- #define NVIC_NOEXC_PRIO 0x100
+ void *address_space_map(AddressSpace *as, hwaddr addr,
-+/* Maximum priority of non-secure exceptions when AIRCR.PRIS is set */
+-                        hwaddr *plen, bool is_write);
-+#define NVIC_NS_PRIO_LIMIT 0x80
++                        hwaddr *plen, bool is_write, MemTxAttrs attrs);
- static const uint8_t nvic_id[] = {
+ /* address_space_unmap: Unmaps a memory region previously mapped by address_space_map()
-x00, 0xb0, 0x1b, 0x00, 0x0d, 0xe0, 0x05, 0xb1
+  *
-@@ -XXX,XX +XXX,XX @@ static bool nvic_isrpending(NVICState *s)
+diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
-     return false;
+index XXXXXXX..XXXXXXX 100644
 --- a/include/sysemu/dma.h
 +++ b/include/sysemu/dma.h
@@ -XXX,XX +XXX,XX @@ static inline void *dma_memory_map(AddressSpace *as,
      hwaddr xlen = *len;
      void *p;
 -    p = address_space_map(as, addr, &xlen, dir == DMA_DIRECTION_FROM_DEVICE);
 +    p = address_space_map(as, addr, &xlen, dir == DMA_DIRECTION_FROM_DEVICE,
 +                          MEMTXATTRS_UNSPECIFIED);
      *len = xlen;
      return p;
  }
+diff --git a/exec.c b/exec.c
-+static bool exc_is_banked(int exc)
+index XXXXXXX..XXXXXXX 100644
-+{
+--- a/exec.c
-+    /* Return true if this is one of the limited set of exceptions which
++++ b/exec.c
-+     * are banked (and thus have state in sec_vectors[])
+@@ -XXX,XX +XXX,XX @@ flatview_extend_translation(FlatView *fv, hwaddr addr,
-+     */
+ void *address_space_map(AddressSpace *as,
-+    return exc == ARMV7M_EXCP_HARD ||
+                         hwaddr addr,
-+        exc == ARMV7M_EXCP_MEM ||
+                         hwaddr *plen,
-+        exc == ARMV7M_EXCP_USAGE ||
+-                        bool is_write)
-+        exc == ARMV7M_EXCP_SVC ||
++                        bool is_write,
-+        exc == ARMV7M_EXCP_PENDSV ||
++                        MemTxAttrs attrs)
 +        exc == ARMV7M_EXCP_SYSTICK;
 +}
 +
  /* Return a mask word which clears the subpriority bits from
   * a priority value for an M-profile exception, leaving only
   * the group priority.
   */
 -static inline uint32_t nvic_gprio_mask(NVICState *s)
 +static inline uint32_t nvic_gprio_mask(NVICState *s, bool secure)
 +{
 +    return ~0U << (s->prigroup[secure] + 1);
 +}
 +
 +static bool exc_targets_secure(NVICState *s, int exc)
 +{
 +    /* Return true if this non-banked exception targets Secure state. */
 +    if (!arm_feature(&s->cpu->env, ARM_FEATURE_M_SECURITY)) {
 +        return false;
 +    }
 +
 +    if (exc >= NVIC_FIRST_IRQ) {
 +        return !s->itns[exc];
 +    }
 +
 +    /* Function shouldn't be called for banked exceptions. */
 +    assert(!exc_is_banked(exc));
 +
 +    switch (exc) {
 +    case ARMV7M_EXCP_NMI:
 +    case ARMV7M_EXCP_BUS:
 +        return !(s->cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
 +    case ARMV7M_EXCP_SECURE:
 +        return true;
 +    case ARMV7M_EXCP_DEBUG:
 +        /* TODO: controlled by DEMCR.SDME, which we don't yet implement */
 +        return false;
 +    default:
 +        /* reset, and reserved (unused) low exception numbers.
 +         * We'll get called by code that loops through all the exception
 +         * numbers, but it doesn't matter what we return here as these
 +         * non-existent exceptions will never be pended or active.
 +         */
 +        return true;
 +    }
 +}
 +
 +static int exc_group_prio(NVICState *s, int rawprio, bool targets_secure)
 +{
 +    /* Return the group priority for this exception, given its raw
 +     * (group-and-subgroup) priority value and whether it is targeting
 +     * secure state or not.
 +     */
 +    if (rawprio < 0) {
 +        return rawprio;
 +    }
 +    rawprio &= nvic_gprio_mask(s, targets_secure);
 +    /* AIRCR.PRIS causes us to squash all NS priorities into the
 +     * lower half of the total range
 +     */
 +    if (!targets_secure &&
 +        (s->cpu->env.v7m.aircr & R_V7M_AIRCR_PRIS_MASK)) {
 +        rawprio = (rawprio >> 1) + NVIC_NS_PRIO_LIMIT;
 +    }
 +    return rawprio;
 +}
 +
 +/* Recompute vectpending and exception_prio for a CPU which implements
 + * the Security extension
 + */
 +static void nvic_recompute_state_secure(NVICState *s)
  {
--    return ~0U << (s->prigroup[M_REG_NS] + 1);
+     hwaddr len = *plen;
-+    int i, bank;
+     hwaddr l, xlat;
-+    int pend_prio = NVIC_NOEXC_PRIO;
+@@ -XXX,XX +XXX,XX @@ void *cpu_physical_memory_map(hwaddr addr,
-+    int active_prio = NVIC_NOEXC_PRIO;
+                               hwaddr *plen,
-+    int pend_irq = 0;
+                               int is_write)
-+    bool pending_is_s_banked = false;
+ {
-+
+-    return address_space_map(&address_space_memory, addr, plen, is_write);
-+    /* R_CQRV: precedence is by:
++    return address_space_map(&address_space_memory, addr, plen, is_write,
-+     *  - lowest group priority; if both the same then
++                             MEMTXATTRS_UNSPECIFIED);
 +     *  - lowest subpriority; if both the same then
 +     *  - lowest exception number; if both the same (ie banked) then
 +     *  - secure exception takes precedence
 +     * Compare pseudocode RawExecutionPriority.
 +     * Annoyingly, now we have two prigroup values (for S and NS)
 +     * we can't do the loop comparison on raw priority values.
 +     */
 +    for (i = 1; i < s->num_irq; i++) {
 +        for (bank = M_REG_S; bank >= M_REG_NS; bank--) {
 +            VecInfo *vec;
 +            int prio;
 +            bool targets_secure;
 +
 +            if (bank == M_REG_S) {
 +                if (!exc_is_banked(i)) {
 +                    continue;
 +                }
 +                vec = &s->sec_vectors[i];
 +                targets_secure = true;
 +            } else {
 +                vec = &s->vectors[i];
 +                targets_secure = !exc_is_banked(i) && exc_targets_secure(s, i);
 +            }
 +
 +            prio = exc_group_prio(s, vec->prio, targets_secure);
 +            if (vec->enabled && vec->pending && prio < pend_prio) {
 +                pend_prio = prio;
 +                pend_irq = i;
 +                pending_is_s_banked = (bank == M_REG_S);
 +            }
 +            if (vec->active && prio < active_prio) {
 +                active_prio = prio;
 +            }
 +        }
 +    }
 +
 +    s->vectpending_is_s_banked = pending_is_s_banked;
 +    s->vectpending = pend_irq;
 +    s->vectpending_prio = pend_prio;
 +    s->exception_prio = active_prio;
 +
 +    trace_nvic_recompute_state_secure(s->vectpending,
 +                                      s->vectpending_is_s_banked,
 +                                      s->vectpending_prio,
 +                                      s->exception_prio);
  }
- /* Recompute vectpending and exception_prio */
+ void cpu_physical_memory_unmap(void *buffer, hwaddr len,
-@@ -XXX,XX +XXX,XX @@ static void nvic_recompute_state(NVICState *s)
+diff --git a/target/ppc/mmu-hash64.c b/target/ppc/mmu-hash64.c
-     int active_prio = NVIC_NOEXC_PRIO;
+index XXXXXXX..XXXXXXX 100644
-     int pend_irq = 0;
+--- a/target/ppc/mmu-hash64.c
++++ b/target/ppc/mmu-hash64.c
-+    /* In theory we could write one function that handled both
+@@ -XXX,XX +XXX,XX @@ const ppc_hash_pte64_t *ppc_hash64_map_hptes(PowerPCCPU *cpu,
-+     * the "security extension present" and "not present"; however
+         return NULL;
 +     * the security related changes significantly complicate the
 +     * recomputation just by themselves and mixing both cases together
 +     * would be even worse, so we retain a separate non-secure-only
 +     * version for CPUs which don't implement the security extension.
 +     */
 +    if (arm_feature(&s->cpu->env, ARM_FEATURE_M_SECURITY)) {
 +        nvic_recompute_state_secure(s);
 +        return;
 +    }
 +
      for (i = 1; i < s->num_irq; i++) {
          VecInfo *vec = &s->vectors[i];
@@ -XXX,XX +XXX,XX @@ static void nvic_recompute_state(NVICState *s)
      }
-     if (active_prio > 0) {
+-    hptes = address_space_map(CPU(cpu)->as, base + pte_offset, &plen, false);
--        active_prio &= nvic_gprio_mask(s);
++    hptes = address_space_map(CPU(cpu)->as, base + pte_offset, &plen, false,
-+        active_prio &= nvic_gprio_mask(s, false);
++                              MEMTXATTRS_UNSPECIFIED);
      if (plen < (n * HASH_PTE_SIZE_64)) {
          hw_error("%s: Unable to map all requested HPTEs\n", __func__);
      }
-     if (pend_prio > 0) {
--        pend_prio &= nvic_gprio_mask(s);
-+        pend_prio &= nvic_gprio_mask(s, false);
-     }
-     s->vectpending = pend_irq;
-@@ -XXX,XX +XXX,XX @@ static inline int nvic_exec_prio(NVICState *s)
-     } else if (env->v7m.primask[env->v7m.secure]) {
-         running = 0;
-     } else if (env->v7m.basepri[env->v7m.secure] > 0) {
--        running = env->v7m.basepri[env->v7m.secure] & nvic_gprio_mask(s);
-+        running = env->v7m.basepri[env->v7m.secure] &
-+            nvic_gprio_mask(s, env->v7m.secure);
-     } else {
-         running = NVIC_NOEXC_PRIO; /* lower than any possible priority */
-     }
-diff --git a/hw/intc/trace-events b/hw/intc/trace-events
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/trace-events
-+++ b/hw/intc/trace-events
-@@ -XXX,XX +XXX,XX @@ gicv3_redist_send_sgi(uint32_t cpu, int irq) "GICv3 redistributor 0x%x pending S
- # hw/intc/armv7m_nvic.c
- nvic_recompute_state(int vectpending, int vectpending_prio, int exception_prio) "NVIC state recomputed: vectpending %d vectpending_prio %d exception_prio %d"
-+nvic_recompute_state_secure(int vectpending, bool vectpending_is_s_banked, int vectpending_prio, int exception_prio) "NVIC state recomputed: vectpending %d is_s_banked %d vectpending_prio %d exception_prio %d"
- nvic_set_prio(int irq, uint8_t prio) "NVIC set irq %d priority %d"
- nvic_irq_update(int vectpending, int pendprio, int exception_prio, int level) "NVIC vectpending %d pending prio %d exception_prio %d: setting irq line to %d"
- nvic_escalate_prio(int irq, int irqprio, int runprio) "NVIC escalating irq %d to HardFault: insufficient priority %d >= %d"
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 20/31] target/arm: Remove out of date ARM ARM section references in A64 decoder
+[Qemu-devel] [PULL 14/25] Make address_space_access_valid() take a MemTxAttrs argument
-In the A64 decoder, we have a lot of references to section numbers
+As part of plumbing MemTxAttrs down to the IOMMU translate method,
-from version A.a of the v8A ARM ARM (DDI0487). This version of the
+add MemTxAttrs as an argument to address_space_access_valid().
-document is now long obsolete (we are currently on revision B.a),
+Its callers either have an attrs value to hand, or don't care
-and various intervening versions renumbered all the sections.
+and can use MEMTXATTRS_UNSPECIFIED.
 The most recent B.a version of the document doesn't assign
 section numbers at all to the individual instruction classes
 in the way that the various A.x versions did. The simplest thing
 to do is just to delete all the out of date C.x.x references.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20170915150849.23557-1-peter.maydell@linaro.org
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20180521140402.23318-6-peter.maydell@linaro.org
 ---
- target/arm/translate-a64.c | 227 +++++++++++++++++++++++----------------------
+ include/exec/memory.h      | 4 +++-
-file changed, 114 insertions(+), 113 deletions(-)
+ include/sysemu/dma.h       | 3 ++-
  exec.c                     | 3 ++-
  target/s390x/diag.c        | 6 ++++--
  target/s390x/excp_helper.c | 3 ++-
  target/s390x/mmu_helper.c  | 3 ++-
  target/s390x/sigp.c        | 3 ++-
 files changed, 17 insertions(+), 8 deletions(-)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+diff --git a/include/exec/memory.h b/include/exec/memory.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
+--- a/include/exec/memory.h
-+++ b/target/arm/translate-a64.c
++++ b/include/exec/memory.h
-@@ -XXX,XX +XXX,XX @@ static inline AArch64DecodeFn *lookup_disas_fn(const AArch64DecodeTable *table,
+@@ -XXX,XX +XXX,XX @@ static inline MemoryRegion *address_space_translate(AddressSpace *as,
   * @addr: address within that address space
   * @len: length of the area to be checked
   * @is_write: indicates the transfer direction
 + * @attrs: memory attributes
   */
 -bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len, bool is_write);
 +bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len,
 +                                bool is_write, MemTxAttrs attrs);
  /* address_space_map: map a physical memory region into a host virtual address
   *
 diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/sysemu/dma.h
 +++ b/include/sysemu/dma.h
@@ -XXX,XX +XXX,XX @@ static inline bool dma_memory_valid(AddressSpace *as,
                                      DMADirection dir)
  {
      return address_space_access_valid(as, addr, len,
 -                                      dir == DMA_DIRECTION_FROM_DEVICE);
 +                                      dir == DMA_DIRECTION_FROM_DEVICE,
 +                                      MEMTXATTRS_UNSPECIFIED);
  }
- /*
+ static inline int dma_memory_rw_relaxed(AddressSpace *as, dma_addr_t addr,
-- * the instruction disassembly implemented here matches
+diff --git a/exec.c b/exec.c
-- * the instruction encoding classifications in chapter 3 (C3)
+index XXXXXXX..XXXXXXX 100644
-- * of the ARM Architecture Reference Manual (DDI0487A_a)
+--- a/exec.c
-+ * The instruction disassembly implemented here matches
++++ b/exec.c
-+ * the instruction encoding classifications in chapter C4
+@@ -XXX,XX +XXX,XX @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
 + * of the ARM Architecture Reference Manual (DDI0487B_a);
 + * classification names and decode diagrams here should generally
 + * match up with those in the manual.
   */
 -/* C3.2.7 Unconditional branch (immediate)
 +/* Unconditional branch (immediate)
   *   31  30       26 25                                  0
   * +----+-----------+-------------------------------------+
   * | op | 0 0 1 0 1 |                 imm26               |
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
      uint64_t addr = s->pc + sextract32(insn, 0, 26) * 4 - 4;
      if (insn & (1U << 31)) {
 -        /* C5.6.26 BL Branch with link */
 +        /* BL Branch with link */
          tcg_gen_movi_i64(cpu_reg(s, 30), s->pc);
      }
 -    /* C5.6.20 B Branch / C5.6.26 BL Branch with link */
 +    /* B Branch / BL Branch with link */
      gen_goto_tb(s, 0, addr);
  }
--/* C3.2.1 Compare & branch (immediate)
+ bool address_space_access_valid(AddressSpace *as, hwaddr addr,
-+/* Compare and branch (immediate)
+-                                int len, bool is_write)
-  *   31  30         25  24  23                  5 4      0
++                                int len, bool is_write,
-  * +----+-------------+----+---------------------+--------+
++                                MemTxAttrs attrs)
   * | sf | 0 1 1 0 1 0 | op |         imm19       |   Rt   |
@@ -XXX,XX +XXX,XX @@ static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
      gen_goto_tb(s, 1, addr);
  }
 -/* C3.2.5 Test & branch (immediate)
 +/* Test and branch (immediate)
   *   31  30         25  24  23   19 18          5 4    0
   * +----+-------------+----+-------+-------------+------+
   * | b5 | 0 1 1 0 1 1 | op |  b40  |    imm14    |  Rt  |
@@ -XXX,XX +XXX,XX @@ static void disas_test_b_imm(DisasContext *s, uint32_t insn)
      gen_goto_tb(s, 1, addr);
  }
 -/* C3.2.2 / C5.6.19 Conditional branch (immediate)
 +/* Conditional branch (immediate)
   *  31           25  24  23                  5   4  3    0
   * +---------------+----+---------------------+----+------+
   * | 0 1 0 1 0 1 0 | o1 |         imm19       | o0 | cond |
@@ -XXX,XX +XXX,XX @@ static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
      }
  }
 -/* C5.6.68 HINT */
 +/* HINT instruction group, including various allocated HINTs */
  static void handle_hint(DisasContext *s, uint32_t insn,
                          unsigned int op1, unsigned int op2, unsigned int crm)
  {
-@@ -XXX,XX +XXX,XX @@ static void handle_sync(DisasContext *s, uint32_t insn,
+     FlatView *fv;
-     }
+     bool result;
- }
+diff --git a/target/s390x/diag.c b/target/s390x/diag.c
+index XXXXXXX..XXXXXXX 100644
--/* C5.6.130 MSR (immediate) - move immediate to processor state field */
+--- a/target/s390x/diag.c
-+/* MSR (immediate) - move immediate to processor state field */
++++ b/target/s390x/diag.c
- static void handle_msr_i(DisasContext *s, uint32_t insn,
+@@ -XXX,XX +XXX,XX @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
                           unsigned int op1, unsigned int op2, unsigned int crm)
  {
@@ -XXX,XX +XXX,XX @@ static void gen_set_nzcv(TCGv_i64 tcg_rt)
      tcg_temp_free_i32(nzcv);
  }
 -/* C5.6.129 MRS - move from system register
 - * C5.6.131 MSR (register) - move to system register
 - * C5.6.204 SYS
 - * C5.6.205 SYSL
 +/* MRS - move from system register
 + * MSR (register) - move to system register
 + * SYS
 + * SYSL
   * These are all essentially the same insn in 'read' and 'write'
   * versions, with varying op0 fields.
   */
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
      }
  }
 -/* C3.2.4 System
 +/* System
   *  31                 22 21  20 19 18 16 15   12 11    8 7   5 4    0
   * +---------------------+---+-----+-----+-------+-------+-----+------+
   * | 1 1 0 1 0 1 0 1 0 0 | L | op0 | op1 |  CRn  |  CRm  | op2 |  Rt  |
@@ -XXX,XX +XXX,XX @@ static void disas_system(DisasContext *s, uint32_t insn)
              return;
          }
-         switch (crn) {
+         if (!address_space_access_valid(&address_space_memory, addr,
--        case 2: /* C5.6.68 HINT */
+-                                        sizeof(IplParameterBlock), false)) {
-+        case 2: /* HINT (including allocated hints like NOP, YIELD, etc) */
++                                        sizeof(IplParameterBlock), false,
-             handle_hint(s, insn, op1, op2, crm);
++                                        MEMTXATTRS_UNSPECIFIED)) {
-             break;
+             s390_program_interrupt(env, PGM_ADDRESSING, ILEN_AUTO, ra);
-         case 3: /* CLREX, DSB, DMB, ISB */
+             return;
-             handle_sync(s, insn, op1, op2, crm);
+         }
-             break;
+@@ -XXX,XX +XXX,XX @@ out:
--        case 4: /* C5.6.130 MSR (immediate) */
+             return;
-+        case 4: /* MSR (immediate) */
+         }
-             handle_msr_i(s, insn, op1, op2, crm);
+         if (!address_space_access_valid(&address_space_memory, addr,
-             break;
+-                                        sizeof(IplParameterBlock), true)) {
-         default:
++                                        sizeof(IplParameterBlock), true,
-@@ -XXX,XX +XXX,XX @@ static void disas_system(DisasContext *s, uint32_t insn)
++                                        MEMTXATTRS_UNSPECIFIED)) {
-     handle_sys(s, insn, l, op0, op1, op2, crn, crm, rt);
+             s390_program_interrupt(env, PGM_ADDRESSING, ILEN_AUTO, ra);
- }
+             return;
+         }
--/* C3.2.3 Exception generation
+diff --git a/target/s390x/excp_helper.c b/target/s390x/excp_helper.c
-+/* Exception generation
+index XXXXXXX..XXXXXXX 100644
-  *
+--- a/target/s390x/excp_helper.c
-  *  31             24 23 21 20                     5 4   2 1  0
++++ b/target/s390x/excp_helper.c
-  * +-----------------+-----+------------------------+-----+----+
+@@ -XXX,XX +XXX,XX @@ int s390_cpu_handle_mmu_fault(CPUState *cs, vaddr orig_vaddr, int size,
-@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
      /* check out of RAM access */
      if (!address_space_access_valid(&address_space_memory, raddr,
 -                                    TARGET_PAGE_SIZE, rw)) {
 +                                    TARGET_PAGE_SIZE, rw,
 +                                    MEMTXATTRS_UNSPECIFIED)) {
          DPRINTF("%s: raddr %" PRIx64 " > ram_size %" PRIx64 "\n", __func__,
                  (uint64_t)raddr, (uint64_t)ram_size);
          trigger_pgm_exception(env, PGM_ADDRESSING, ILEN_AUTO);
 diff --git a/target/s390x/mmu_helper.c b/target/s390x/mmu_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/s390x/mmu_helper.c
 +++ b/target/s390x/mmu_helper.c
@@ -XXX,XX +XXX,XX @@ static int translate_pages(S390CPU *cpu, vaddr addr, int nr_pages,
              return ret;
          }
          if (!address_space_access_valid(&address_space_memory, pages[i],
 -                                        TARGET_PAGE_SIZE, is_write)) {
 +                                        TARGET_PAGE_SIZE, is_write,
 +                                        MEMTXATTRS_UNSPECIFIED)) {
              trigger_access_exception(env, PGM_ADDRESSING, ILEN_AUTO, 0);
              return -EFAULT;
          }
 diff --git a/target/s390x/sigp.c b/target/s390x/sigp.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/s390x/sigp.c
 +++ b/target/s390x/sigp.c
@@ -XXX,XX +XXX,XX @@ static void sigp_set_prefix(CPUState *cs, run_on_cpu_data arg)
      cpu_synchronize_state(cs);
      if (!address_space_access_valid(&address_space_memory, addr,
 -                                    sizeof(struct LowCore), false)) {
 +                                    sizeof(struct LowCore), false,
 +                                    MEMTXATTRS_UNSPECIFIED)) {
          set_sigp_status(si, SIGP_STAT_INVALID_PARAMETER);
          return;
      }
- }
--/* C3.2.7 Unconditional branch (register)
-+/* Unconditional branch (register)
-  *  31           25 24   21 20   16 15   10 9    5 4     0
-  * +---------------+-------+-------+-------+------+-------+
-  * | 1 1 0 1 0 1 1 |  opc  |  op2  |  op3  |  Rn  |  op4  |
-@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
-     s->base.is_jmp = DISAS_JUMP;
- }
--/* C3.2 Branches, exception generating and system instructions */
-+/* Branches, exception generating and system instructions */
- static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
- {
-     switch (extract32(insn, 25, 7)) {
-@@ -XXX,XX +XXX,XX @@ static bool disas_ldst_compute_iss_sf(int size, bool is_signed, int opc)
-     return regsize == 64;
- }
--/* C3.3.6 Load/store exclusive
-+/* Load/store exclusive
-  *
-  *  31 30 29         24  23  22   21  20  16  15  14   10 9    5 4    0
-  * +-----+-------------+----+---+----+------+----+-------+------+------+
-@@ -XXX,XX +XXX,XX @@ static void disas_ldst_excl(DisasContext *s, uint32_t insn)
- }
- /*
-- * C3.3.5 Load register (literal)
-+ * Load register (literal)
-  *
-  *  31 30 29   27  26 25 24 23                5 4     0
-  * +-----+-------+---+-----+-------------------+-------+
-@@ -XXX,XX +XXX,XX @@ static void disas_ld_lit(DisasContext *s, uint32_t insn)
- }
- /*
-- * C5.6.80 LDNP (Load Pair - non-temporal hint)
-- * C5.6.81 LDP (Load Pair - non vector)
-- * C5.6.82 LDPSW (Load Pair Signed Word - non vector)
-- * C5.6.176 STNP (Store Pair - non-temporal hint)
-- * C5.6.177 STP (Store Pair - non vector)
-- * C6.3.165 LDNP (Load Pair of SIMD&FP - non-temporal hint)
-- * C6.3.165 LDP (Load Pair of SIMD&FP)
-- * C6.3.284 STNP (Store Pair of SIMD&FP - non-temporal hint)
-- * C6.3.284 STP (Store Pair of SIMD&FP)
-+ * LDNP (Load Pair - non-temporal hint)
-+ * LDP (Load Pair - non vector)
-+ * LDPSW (Load Pair Signed Word - non vector)
-+ * STNP (Store Pair - non-temporal hint)
-+ * STP (Store Pair - non vector)
-+ * LDNP (Load Pair of SIMD&FP - non-temporal hint)
-+ * LDP (Load Pair of SIMD&FP)
-+ * STNP (Store Pair of SIMD&FP - non-temporal hint)
-+ * STP (Store Pair of SIMD&FP)
-  *
-  *  31 30 29   27  26  25 24   23  22 21   15 14   10 9    5 4    0
-  * +-----+-------+---+---+-------+---+-----------------------------+
-@@ -XXX,XX +XXX,XX @@ static void disas_ldst_pair(DisasContext *s, uint32_t insn)
- }
- /*
-- * C3.3.8 Load/store (immediate post-indexed)
-- * C3.3.9 Load/store (immediate pre-indexed)
-- * C3.3.12 Load/store (unscaled immediate)
-+ * Load/store (immediate post-indexed)
-+ * Load/store (immediate pre-indexed)
-+ * Load/store (unscaled immediate)
-  *
-  * 31 30 29   27  26 25 24 23 22 21  20    12 11 10 9    5 4    0
-  * +----+-------+---+-----+-----+---+--------+-----+------+------+
-@@ -XXX,XX +XXX,XX @@ static void disas_ldst_reg_imm9(DisasContext *s, uint32_t insn,
- }
- /*
-- * C3.3.10 Load/store (register offset)
-+ * Load/store (register offset)
-  *
-  * 31 30 29   27  26 25 24 23 22 21  20  16 15 13 12 11 10 9  5 4  0
-  * +----+-------+---+-----+-----+---+------+-----+--+-----+----+----+
-@@ -XXX,XX +XXX,XX @@ static void disas_ldst_reg_roffset(DisasContext *s, uint32_t insn,
- }
- /*
-- * C3.3.13 Load/store (unsigned immediate)
-+ * Load/store (unsigned immediate)
-  *
-  * 31 30 29   27  26 25 24 23 22 21        10 9     5
-  * +----+-------+---+-----+-----+------------+-------+------+
-@@ -XXX,XX +XXX,XX @@ static void disas_ldst_reg(DisasContext *s, uint32_t insn)
-     }
- }
--/* C3.3.1 AdvSIMD load/store multiple structures
-+/* AdvSIMD load/store multiple structures
-  *
-  *  31  30  29           23 22  21         16 15    12 11  10 9    5 4    0
-  * +---+---+---------------+---+-------------+--------+------+------+------+
-  * | 0 | Q | 0 0 1 1 0 0 0 | L | 0 0 0 0 0 0 | opcode | size |  Rn  |  Rt  |
-  * +---+---+---------------+---+-------------+--------+------+------+------+
-  *
-- * C3.3.2 AdvSIMD load/store multiple structures (post-indexed)
-+ * AdvSIMD load/store multiple structures (post-indexed)
-  *
-  *  31  30  29           23 22  21  20     16 15    12 11  10 9    5 4    0
-  * +---+---+---------------+---+---+---------+--------+------+------+------+
-@@ -XXX,XX +XXX,XX @@ static void disas_ldst_multiple_struct(DisasContext *s, uint32_t insn)
-     tcg_temp_free_i64(tcg_addr);
- }
--/* C3.3.3 AdvSIMD load/store single structure
-+/* AdvSIMD load/store single structure
-  *
-  *  31  30  29           23 22 21 20       16 15 13 12  11  10 9    5 4    0
-  * +---+---+---------------+-----+-----------+-----+---+------+------+------+
-  * | 0 | Q | 0 0 1 1 0 1 0 | L R | 0 0 0 0 0 | opc | S | size |  Rn  |  Rt  |
-  * +---+---+---------------+-----+-----------+-----+---+------+------+------+
-  *
-- * C3.3.4 AdvSIMD load/store single structure (post-indexed)
-+ * AdvSIMD load/store single structure (post-indexed)
-  *
-  *  31  30  29           23 22 21 20       16 15 13 12  11  10 9    5 4    0
-  * +---+---+---------------+-----+-----------+-----+---+------+------+------+
-@@ -XXX,XX +XXX,XX @@ static void disas_ldst_single_struct(DisasContext *s, uint32_t insn)
-     tcg_temp_free_i64(tcg_addr);
- }
--/* C3.3 Loads and stores */
-+/* Loads and stores */
- static void disas_ldst(DisasContext *s, uint32_t insn)
- {
-     switch (extract32(insn, 24, 6)) {
-@@ -XXX,XX +XXX,XX @@ static void disas_ldst(DisasContext *s, uint32_t insn)
-     }
- }
--/* C3.4.6 PC-rel. addressing
-+/* PC-rel. addressing
-  *   31  30   29 28       24 23                5 4    0
-  * +----+-------+-----------+-------------------+------+
-  * | op | immlo | 1 0 0 0 0 |       immhi       |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_pc_rel_adr(DisasContext *s, uint32_t insn)
- }
- /*
-- * C3.4.1 Add/subtract (immediate)
-+ * Add/subtract (immediate)
-  *
-  *  31 30 29 28       24 23 22 21         10 9   5 4   0
-  * +--+--+--+-----------+-----+-------------+-----+-----+
-@@ -XXX,XX +XXX,XX @@ static bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,
-     return true;
- }
--/* C3.4.4 Logical (immediate)
-+/* Logical (immediate)
-  *   31  30 29 28         23 22  21  16 15  10 9    5 4    0
-  * +----+-----+-------------+---+------+------+------+------+
-  * | sf | opc | 1 0 0 1 0 0 | N | immr | imms |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_logic_imm(DisasContext *s, uint32_t insn)
- }
- /*
-- * C3.4.5 Move wide (immediate)
-+ * Move wide (immediate)
-  *
-  *  31 30 29 28         23 22 21 20             5 4    0
-  * +--+-----+-------------+-----+----------------+------+
-@@ -XXX,XX +XXX,XX @@ static void disas_movw_imm(DisasContext *s, uint32_t insn)
-     }
- }
--/* C3.4.2 Bitfield
-+/* Bitfield
-  *   31  30 29 28         23 22  21  16 15  10 9    5 4    0
-  * +----+-----+-------------+---+------+------+------+------+
-  * | sf | opc | 1 0 0 1 1 0 | N | immr | imms |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_bitfield(DisasContext *s, uint32_t insn)
-     }
- }
--/* C3.4.3 Extract
-+/* Extract
-  *   31  30  29 28         23 22   21  20  16 15    10 9    5 4    0
-  * +----+------+-------------+---+----+------+--------+------+------+
-  * | sf | op21 | 1 0 0 1 1 1 | N | o0 |  Rm  |  imms  |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
-     }
- }
--/* C3.4 Data processing - immediate */
-+/* Data processing - immediate */
- static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
- {
-     switch (extract32(insn, 23, 6)) {
-@@ -XXX,XX +XXX,XX @@ static void shift_reg_imm(TCGv_i64 dst, TCGv_i64 src, int sf,
-     }
- }
--/* C3.5.10 Logical (shifted register)
-+/* Logical (shifted register)
-  *   31  30 29 28       24 23   22 21  20  16 15    10 9    5 4    0
-  * +----+-----+-----------+-------+---+------+--------+------+------+
-  * | sf | opc | 0 1 0 1 0 | shift | N |  Rm  |  imm6  |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_logic_reg(DisasContext *s, uint32_t insn)
- }
- /*
-- * C3.5.1 Add/subtract (extended register)
-+ * Add/subtract (extended register)
-  *
-  *  31|30|29|28       24|23 22|21|20   16|15  13|12  10|9  5|4  0|
-  * +--+--+--+-----------+-----+--+-------+------+------+----+----+
-@@ -XXX,XX +XXX,XX @@ static void disas_add_sub_ext_reg(DisasContext *s, uint32_t insn)
- }
- /*
-- * C3.5.2 Add/subtract (shifted register)
-+ * Add/subtract (shifted register)
-  *
-  *  31 30 29 28       24 23 22 21 20   16 15     10 9    5 4    0
-  * +--+--+--+-----------+-----+--+-------+---------+------+------+
-@@ -XXX,XX +XXX,XX @@ static void disas_add_sub_reg(DisasContext *s, uint32_t insn)
-     tcg_temp_free_i64(tcg_result);
- }
--/* C3.5.9 Data-processing (3 source)
--
--   31 30  29 28       24 23 21  20  16  15  14  10 9    5 4    0
--  +--+------+-----------+------+------+----+------+------+------+
--  |sf| op54 | 1 1 0 1 1 | op31 |  Rm  | o0 |  Ra  |  Rn  |  Rd  |
--  +--+------+-----------+------+------+----+------+------+------+
--
-+/* Data-processing (3 source)
-+ *
-+ *    31 30  29 28       24 23 21  20  16  15  14  10 9    5 4    0
-+ *  +--+------+-----------+------+------+----+------+------+------+
-+ *  |sf| op54 | 1 1 0 1 1 | op31 |  Rm  | o0 |  Ra  |  Rn  |  Rd  |
-+ *  +--+------+-----------+------+------+----+------+------+------+
-  */
- static void disas_data_proc_3src(DisasContext *s, uint32_t insn)
- {
-@@ -XXX,XX +XXX,XX @@ static void disas_data_proc_3src(DisasContext *s, uint32_t insn)
-     tcg_temp_free_i64(tcg_tmp);
- }
--/* C3.5.3 - Add/subtract (with carry)
-+/* Add/subtract (with carry)
-  *  31 30 29 28 27 26 25 24 23 22 21  20  16  15   10  9    5 4   0
-  * +--+--+--+------------------------+------+---------+------+-----+
-  * |sf|op| S| 1  1  0  1  0  0  0  0 |  rm  | opcode2 |  Rn  |  Rd |
-@@ -XXX,XX +XXX,XX @@ static void disas_adc_sbc(DisasContext *s, uint32_t insn)
-     }
- }
--/* C3.5.4 - C3.5.5 Conditional compare (immediate / register)
-+/* Conditional compare (immediate / register)
-  *  31 30 29 28 27 26 25 24 23 22 21  20    16 15  12  11  10  9   5  4 3   0
-  * +--+--+--+------------------------+--------+------+----+--+------+--+-----+
-  * |sf|op| S| 1  1  0  1  0  0  1  0 |imm5/rm | cond |i/r |o2|  Rn  |o3|nzcv |
-@@ -XXX,XX +XXX,XX @@ static void disas_cc(DisasContext *s, uint32_t insn)
-     tcg_temp_free_i32(tcg_t2);
- }
--/* C3.5.6 Conditional select
-+/* Conditional select
-  *   31   30  29  28             21 20  16 15  12 11 10 9    5 4    0
-  * +----+----+---+-----------------+------+------+-----+------+------+
-  * | sf | op | S | 1 1 0 1 0 1 0 0 |  Rm  | cond | op2 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void handle_rbit(DisasContext *s, unsigned int sf,
-     }
- }
--/* C5.6.149 REV with sf==1, opcode==3 ("REV64") */
-+/* REV with sf==1, opcode==3 ("REV64") */
- static void handle_rev64(DisasContext *s, unsigned int sf,
-                          unsigned int rn, unsigned int rd)
- {
-@@ -XXX,XX +XXX,XX @@ static void handle_rev64(DisasContext *s, unsigned int sf,
-     tcg_gen_bswap64_i64(cpu_reg(s, rd), cpu_reg(s, rn));
- }
--/* C5.6.149 REV with sf==0, opcode==2
-- * C5.6.151 REV32 (sf==1, opcode==2)
-+/* REV with sf==0, opcode==2
-+ * REV32 (sf==1, opcode==2)
-  */
- static void handle_rev32(DisasContext *s, unsigned int sf,
-                          unsigned int rn, unsigned int rd)
-@@ -XXX,XX +XXX,XX @@ static void handle_rev32(DisasContext *s, unsigned int sf,
-     }
- }
--/* C5.6.150 REV16 (opcode==1) */
-+/* REV16 (opcode==1) */
- static void handle_rev16(DisasContext *s, unsigned int sf,
-                          unsigned int rn, unsigned int rd)
- {
-@@ -XXX,XX +XXX,XX @@ static void handle_rev16(DisasContext *s, unsigned int sf,
-     tcg_temp_free_i64(tcg_tmp);
- }
--/* C3.5.7 Data-processing (1 source)
-+/* Data-processing (1 source)
-  *   31  30  29  28             21 20     16 15    10 9    5 4    0
-  * +----+---+---+-----------------+---------+--------+------+------+
-  * | sf | 1 | S | 1 1 0 1 0 1 1 0 | opcode2 | opcode |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void handle_div(DisasContext *s, bool is_signed, unsigned int sf,
-     }
- }
--/* C5.6.115 LSLV, C5.6.118 LSRV, C5.6.17 ASRV, C5.6.154 RORV */
-+/* LSLV, LSRV, ASRV, RORV */
- static void handle_shift_reg(DisasContext *s,
-                              enum a64_shift_type shift_type, unsigned int sf,
-                              unsigned int rm, unsigned int rn, unsigned int rd)
-@@ -XXX,XX +XXX,XX @@ static void handle_crc32(DisasContext *s,
-     tcg_temp_free_i32(tcg_bytes);
- }
--/* C3.5.8 Data-processing (2 source)
-+/* Data-processing (2 source)
-  *   31   30  29 28             21 20  16 15    10 9    5 4    0
-  * +----+---+---+-----------------+------+--------+------+------+
-  * | sf | 0 | S | 1 1 0 1 0 1 1 0 |  Rm  | opcode |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_data_proc_2src(DisasContext *s, uint32_t insn)
-     }
- }
--/* C3.5 Data processing - register */
-+/* Data processing - register */
- static void disas_data_proc_reg(DisasContext *s, uint32_t insn)
- {
-     switch (extract32(insn, 24, 5)) {
-@@ -XXX,XX +XXX,XX @@ static void handle_fp_compare(DisasContext *s, bool is_double,
-     tcg_temp_free_i64(tcg_flags);
- }
--/* C3.6.22 Floating point compare
-+/* Floating point compare
-  *   31  30  29 28       24 23  22  21 20  16 15 14 13  10    9    5 4     0
-  * +---+---+---+-----------+------+---+------+-----+---------+------+-------+
-  * | M | 0 | S | 1 1 1 1 0 | type | 1 |  Rm  | op  | 1 0 0 0 |  Rn  |  op2  |
-@@ -XXX,XX +XXX,XX @@ static void disas_fp_compare(DisasContext *s, uint32_t insn)
-     handle_fp_compare(s, type, rn, rm, opc & 1, opc & 2);
- }
--/* C3.6.23 Floating point conditional compare
-+/* Floating point conditional compare
-  *   31  30  29 28       24 23  22  21 20  16 15  12 11 10 9    5  4   3    0
-  * +---+---+---+-----------+------+---+------+------+-----+------+----+------+
-  * | M | 0 | S | 1 1 1 1 0 | type | 1 |  Rm  | cond | 0 1 |  Rn  | op | nzcv |
-@@ -XXX,XX +XXX,XX @@ static void disas_fp_ccomp(DisasContext *s, uint32_t insn)
-     }
- }
--/* C3.6.24 Floating point conditional select
-+/* Floating point conditional select
-  *   31  30  29 28       24 23  22  21 20  16 15  12 11 10 9    5 4    0
-  * +---+---+---+-----------+------+---+------+------+-----+------+------+
-  * | M | 0 | S | 1 1 1 1 0 | type | 1 |  Rm  | cond | 1 1 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_fp_csel(DisasContext *s, uint32_t insn)
-     tcg_temp_free_i64(t_true);
- }
--/* C3.6.25 Floating-point data-processing (1 source) - single precision */
-+/* Floating-point data-processing (1 source) - single precision */
- static void handle_fp_1src_single(DisasContext *s, int opcode, int rd, int rn)
- {
-     TCGv_ptr fpst;
-@@ -XXX,XX +XXX,XX @@ static void handle_fp_1src_single(DisasContext *s, int opcode, int rd, int rn)
-     tcg_temp_free_i32(tcg_res);
- }
--/* C3.6.25 Floating-point data-processing (1 source) - double precision */
-+/* Floating-point data-processing (1 source) - double precision */
- static void handle_fp_1src_double(DisasContext *s, int opcode, int rd, int rn)
- {
-     TCGv_ptr fpst;
-@@ -XXX,XX +XXX,XX @@ static void handle_fp_fcvt(DisasContext *s, int opcode,
-     }
- }
--/* C3.6.25 Floating point data-processing (1 source)
-+/* Floating point data-processing (1 source)
-  *   31  30  29 28       24 23  22  21 20    15 14       10 9    5 4    0
-  * +---+---+---+-----------+------+---+--------+-----------+------+------+
-  * | M | 0 | S | 1 1 1 1 0 | type | 1 | opcode | 1 0 0 0 0 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_fp_1src(DisasContext *s, uint32_t insn)
-     }
- }
--/* C3.6.26 Floating-point data-processing (2 source) - single precision */
-+/* Floating-point data-processing (2 source) - single precision */
- static void handle_fp_2src_single(DisasContext *s, int opcode,
-                                   int rd, int rn, int rm)
- {
-@@ -XXX,XX +XXX,XX @@ static void handle_fp_2src_single(DisasContext *s, int opcode,
-     tcg_temp_free_i32(tcg_res);
- }
--/* C3.6.26 Floating-point data-processing (2 source) - double precision */
-+/* Floating-point data-processing (2 source) - double precision */
- static void handle_fp_2src_double(DisasContext *s, int opcode,
-                                   int rd, int rn, int rm)
- {
-@@ -XXX,XX +XXX,XX @@ static void handle_fp_2src_double(DisasContext *s, int opcode,
-     tcg_temp_free_i64(tcg_res);
- }
--/* C3.6.26 Floating point data-processing (2 source)
-+/* Floating point data-processing (2 source)
-  *   31  30  29 28       24 23  22  21 20  16 15    12 11 10 9    5 4    0
-  * +---+---+---+-----------+------+---+------+--------+-----+------+------+
-  * | M | 0 | S | 1 1 1 1 0 | type | 1 |  Rm  | opcode | 1 0 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_fp_2src(DisasContext *s, uint32_t insn)
-     }
- }
--/* C3.6.27 Floating-point data-processing (3 source) - single precision */
-+/* Floating-point data-processing (3 source) - single precision */
- static void handle_fp_3src_single(DisasContext *s, bool o0, bool o1,
-                                   int rd, int rn, int rm, int ra)
- {
-@@ -XXX,XX +XXX,XX @@ static void handle_fp_3src_single(DisasContext *s, bool o0, bool o1,
-     tcg_temp_free_i32(tcg_res);
- }
--/* C3.6.27 Floating-point data-processing (3 source) - double precision */
-+/* Floating-point data-processing (3 source) - double precision */
- static void handle_fp_3src_double(DisasContext *s, bool o0, bool o1,
-                                   int rd, int rn, int rm, int ra)
- {
-@@ -XXX,XX +XXX,XX @@ static void handle_fp_3src_double(DisasContext *s, bool o0, bool o1,
-     tcg_temp_free_i64(tcg_res);
- }
--/* C3.6.27 Floating point data-processing (3 source)
-+/* Floating point data-processing (3 source)
-  *   31  30  29 28       24 23  22  21  20  16  15  14  10 9    5 4    0
-  * +---+---+---+-----------+------+----+------+----+------+------+------+
-  * | M | 0 | S | 1 1 1 1 1 | type | o1 |  Rm  | o0 |  Ra  |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_fp_3src(DisasContext *s, uint32_t insn)
-     }
- }
--/* C3.6.28 Floating point immediate
-+/* Floating point immediate
-  *   31  30  29 28       24 23  22  21 20        13 12   10 9    5 4    0
-  * +---+---+---+-----------+------+---+------------+-------+------+------+
-  * | M | 0 | S | 1 1 1 1 0 | type | 1 |    imm8    | 1 0 0 | imm5 |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void handle_fpfpcvt(DisasContext *s, int rd, int rn, int opcode,
-     tcg_temp_free_i32(tcg_shift);
- }
--/* C3.6.29 Floating point <-> fixed point conversions
-+/* Floating point <-> fixed point conversions
-  *   31   30  29 28       24 23  22  21 20   19 18    16 15   10 9    5 4    0
-  * +----+---+---+-----------+------+---+-------+--------+-------+------+------+
-  * | sf | 0 | S | 1 1 1 1 0 | type | 0 | rmode | opcode | scale |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void handle_fmov(DisasContext *s, int rd, int rn, int type, bool itof)
-     }
- }
--/* C3.6.30 Floating point <-> integer conversions
-+/* Floating point <-> integer conversions
-  *   31   30  29 28       24 23  22  21 20   19 18 16 15         10 9  5 4  0
-  * +----+---+---+-----------+------+---+-------+-----+-------------+----+----+
-  * | sf | 0 | S | 1 1 1 1 0 | type | 1 | rmode | opc | 0 0 0 0 0 0 | Rn | Rd |
-@@ -XXX,XX +XXX,XX @@ static void do_ext64(DisasContext *s, TCGv_i64 tcg_left, TCGv_i64 tcg_right,
-     tcg_temp_free_i64(tcg_tmp);
- }
--/* C3.6.1 EXT
-+/* EXT
-  *   31  30 29         24 23 22  21 20  16 15  14  11 10  9    5 4    0
-  * +---+---+-------------+-----+---+------+---+------+---+------+------+
-  * | 0 | Q | 1 0 1 1 1 0 | op2 | 0 |  Rm  | 0 | imm4 | 0 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_ext(DisasContext *s, uint32_t insn)
-     tcg_temp_free_i64(tcg_resh);
- }
--/* C3.6.2 TBL/TBX
-+/* TBL/TBX
-  *   31  30 29         24 23 22  21 20  16 15  14 13  12  11 10 9    5 4    0
-  * +---+---+-------------+-----+---+------+---+-----+----+-----+------+------+
-  * | 0 | Q | 0 0 1 1 1 0 | op2 | 0 |  Rm  | 0 | len | op | 0 0 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_tb(DisasContext *s, uint32_t insn)
-     tcg_temp_free_i64(tcg_resh);
- }
--/* C3.6.3 ZIP/UZP/TRN
-+/* ZIP/UZP/TRN
-  *   31  30 29         24 23  22  21 20   16 15 14 12 11 10 9    5 4    0
-  * +---+---+-------------+------+---+------+---+------------------+------+
-  * | 0 | Q | 0 0 1 1 1 0 | size | 0 |  Rm  | 0 | opc | 1 0 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void do_minmaxop(DisasContext *s, TCGv_i32 tcg_elt1, TCGv_i32 tcg_elt2,
-     }
- }
--/* C3.6.4 AdvSIMD across lanes
-+/* AdvSIMD across lanes
-  *   31  30  29 28       24 23  22 21       17 16    12 11 10 9    5 4    0
-  * +---+---+---+-----------+------+-----------+--------+-----+------+------+
-  * | 0 | Q | U | 0 1 1 1 0 | size | 1 1 0 0 0 | opcode | 1 0 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_across_lanes(DisasContext *s, uint32_t insn)
-     tcg_temp_free_i64(tcg_res);
- }
--/* C6.3.31 DUP (Element, Vector)
-+/* DUP (Element, Vector)
-  *
-  *  31  30   29              21 20    16 15        10  9    5 4    0
-  * +---+---+-------------------+--------+-------------+------+------+
-@@ -XXX,XX +XXX,XX @@ static void handle_simd_dupe(DisasContext *s, int is_q, int rd, int rn,
-     tcg_temp_free_i64(tmp);
- }
--/* C6.3.31 DUP (element, scalar)
-+/* DUP (element, scalar)
-  *  31                   21 20    16 15        10  9    5 4    0
-  * +-----------------------+--------+-------------+------+------+
-  * | 0 1 0 1 1 1 1 0 0 0 0 |  imm5  | 0 0 0 0 0 1 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void handle_simd_dupes(DisasContext *s, int rd, int rn,
-     tcg_temp_free_i64(tmp);
- }
--/* C6.3.32 DUP (General)
-+/* DUP (General)
-  *
-  *  31  30   29              21 20    16 15        10  9    5 4    0
-  * +---+---+-------------------+--------+-------------+------+------+
-@@ -XXX,XX +XXX,XX @@ static void handle_simd_dupg(DisasContext *s, int is_q, int rd, int rn,
-     }
- }
--/* C6.3.150 INS (Element)
-+/* INS (Element)
-  *
-  *  31                   21 20    16 15  14    11  10 9    5 4    0
-  * +-----------------------+--------+------------+---+------+------+
-@@ -XXX,XX +XXX,XX @@ static void handle_simd_inse(DisasContext *s, int rd, int rn,
- }
--/* C6.3.151 INS (General)
-+/* INS (General)
-  *
-  *  31                   21 20    16 15        10  9    5 4    0
-  * +-----------------------+--------+-------------+------+------+
-@@ -XXX,XX +XXX,XX @@ static void handle_simd_insg(DisasContext *s, int rd, int rn, int imm5)
- }
- /*
-- * C6.3.321 UMOV (General)
-- * C6.3.237 SMOV (General)
-+ * UMOV (General)
-+ * SMOV (General)
-  *
-  *  31  30   29              21 20    16 15    12   10 9    5 4    0
-  * +---+---+-------------------+--------+-------------+------+------+
-@@ -XXX,XX +XXX,XX @@ static void handle_simd_umov_smov(DisasContext *s, int is_q, int is_signed,
-     }
- }
--/* C3.6.5 AdvSIMD copy
-+/* AdvSIMD copy
-  *   31  30  29  28             21 20  16 15  14  11 10  9    5 4    0
-  * +---+---+----+-----------------+------+---+------+---+------+------+
-  * | 0 | Q | op | 0 1 1 1 0 0 0 0 | imm5 | 0 | imm4 | 1 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_copy(DisasContext *s, uint32_t insn)
-     }
- }
--/* C3.6.6 AdvSIMD modified immediate
-+/* AdvSIMD modified immediate
-  *  31  30   29  28                 19 18 16 15   12  11  10  9     5 4    0
-  * +---+---+----+---------------------+-----+-------+----+---+-------+------+
-  * | 0 | Q | op | 0 1 1 1 1 0 0 0 0 0 | abc | cmode | o2 | 1 | defgh |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_mod_imm(DisasContext *s, uint32_t insn)
-     tcg_temp_free_i64(tcg_imm);
- }
--/* C3.6.7 AdvSIMD scalar copy
-+/* AdvSIMD scalar copy
-  *  31 30  29  28             21 20  16 15  14  11 10  9    5 4    0
-  * +-----+----+-----------------+------+---+------+---+------+------+
-  * | 0 1 | op | 1 1 1 1 0 0 0 0 | imm5 | 0 | imm4 | 1 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_scalar_copy(DisasContext *s, uint32_t insn)
-     handle_simd_dupes(s, rd, rn, imm5);
- }
--/* C3.6.8 AdvSIMD scalar pairwise
-+/* AdvSIMD scalar pairwise
-  *  31 30  29 28       24 23  22 21       17 16    12 11 10 9    5 4    0
-  * +-----+---+-----------+------+-----------+--------+-----+------+------+
-  * | 0 1 | U | 1 1 1 1 0 | size | 1 1 0 0 0 | opcode | 1 0 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void handle_simd_shift_fpint_conv(DisasContext *s, bool is_scalar,
-     tcg_temp_free_i32(tcg_rmode);
- }
--/* C3.6.9 AdvSIMD scalar shift by immediate
-+/* AdvSIMD scalar shift by immediate
-  *  31 30  29 28         23 22  19 18  16 15    11  10 9    5 4    0
-  * +-----+---+-------------+------+------+--------+---+------+------+
-  * | 0 1 | U | 1 1 1 1 1 0 | immh | immb | opcode | 1 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_scalar_shift_imm(DisasContext *s, uint32_t insn)
-     }
- }
--/* C3.6.10 AdvSIMD scalar three different
-+/* AdvSIMD scalar three different
-  *  31 30  29 28       24 23  22  21 20  16 15    12 11 10 9    5 4    0
-  * +-----+---+-----------+------+---+------+--------+-----+------+------+
-  * | 0 1 | U | 1 1 1 1 0 | size | 1 |  Rm  | opcode | 0 0 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void handle_3same_float(DisasContext *s, int size, int elements,
-     }
- }
--/* C3.6.11 AdvSIMD scalar three same
-+/* AdvSIMD scalar three same
-  *  31 30  29 28       24 23  22  21 20  16 15    11  10 9    5 4    0
-  * +-----+---+-----------+------+---+------+--------+---+------+------+
-  * | 0 1 | U | 1 1 1 1 0 | size | 1 |  Rm  | opcode | 1 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void handle_2misc_satacc(DisasContext *s, bool is_scalar, bool is_u,
-     }
- }
--/* C3.6.12 AdvSIMD scalar two reg misc
-+/* AdvSIMD scalar two reg misc
-  *  31 30  29 28       24 23  22 21       17 16    12 11 10 9    5 4    0
-  * +-----+---+-----------+------+-----------+--------+-----+------+------+
-  * | 0 1 | U | 1 1 1 1 0 | size | 1 0 0 0 0 | opcode | 1 0 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void handle_vec_simd_shrn(DisasContext *s, bool is_q,
- }
--/* C3.6.14 AdvSIMD shift by immediate
-+/* AdvSIMD shift by immediate
-  *  31  30   29 28         23 22  19 18  16 15    11  10 9    5 4    0
-  * +---+---+---+-------------+------+------+--------+---+------+------+
-  * | 0 | Q | U | 0 1 1 1 1 0 | immh | immb | opcode | 1 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void handle_pmull_64(DisasContext *s, int is_q, int rd, int rn, int rm)
-     tcg_temp_free_i64(tcg_res);
- }
--/* C3.6.15 AdvSIMD three different
-+/* AdvSIMD three different
-  *   31  30  29 28       24 23  22  21 20  16 15    12 11 10 9    5 4    0
-  * +---+---+---+-----------+------+---+------+--------+-----+------+------+
-  * | 0 | Q | U | 0 1 1 1 0 | size | 1 |  Rm  | opcode | 0 0 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
-     }
- }
--/* C3.6.16 AdvSIMD three same
-+/* AdvSIMD three same
-  *  31  30  29  28       24 23  22  21 20  16 15    11  10 9    5 4    0
-  * +---+---+---+-----------+------+---+------+--------+---+------+------+
-  * | 0 | Q | U | 0 1 1 1 0 | size | 1 |  Rm  | opcode | 1 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void handle_shll(DisasContext *s, bool is_q, int size, int rn, int rd)
-     }
- }
--/* C3.6.17 AdvSIMD two reg misc
-+/* AdvSIMD two reg misc
-  *   31  30  29 28       24 23  22 21       17 16    12 11 10 9    5 4    0
-  * +---+---+---+-----------+------+-----------+--------+-----+------+------+
-  * | 0 | Q | U | 0 1 1 1 0 | size | 1 0 0 0 0 | opcode | 1 0 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_two_reg_misc(DisasContext *s, uint32_t insn)
-     }
- }
--/* C3.6.13 AdvSIMD scalar x indexed element
-+/* AdvSIMD scalar x indexed element
-  *  31 30  29 28       24 23  22 21  20  19  16 15 12  11  10 9    5 4    0
-  * +-----+---+-----------+------+---+---+------+-----+---+---+------+------+
-  * | 0 1 | U | 1 1 1 1 1 | size | L | M |  Rm  | opc | H | 0 |  Rn  |  Rd  |
-  * +-----+---+-----------+------+---+---+------+-----+---+---+------+------+
-- * C3.6.18 AdvSIMD vector x indexed element
-+ * AdvSIMD vector x indexed element
-  *   31  30  29 28       24 23  22 21  20  19  16 15 12  11  10 9    5 4    0
-  * +---+---+---+-----------+------+---+---+------+-----+---+---+------+------+
-  * | 0 | Q | U | 0 1 1 1 1 | size | L | M |  Rm  | opc | H | 0 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_indexed(DisasContext *s, uint32_t insn)
-     }
- }
--/* C3.6.19 Crypto AES
-+/* Crypto AES
-  *  31             24 23  22 21       17 16    12 11 10 9    5 4    0
-  * +-----------------+------+-----------+--------+-----+------+------+
-  * | 0 1 0 0 1 1 1 0 | size | 1 0 1 0 0 | opcode | 1 0 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_crypto_aes(DisasContext *s, uint32_t insn)
-     tcg_temp_free_i32(tcg_decrypt);
- }
--/* C3.6.20 Crypto three-reg SHA
-+/* Crypto three-reg SHA
-  *  31             24 23  22  21 20  16  15 14    12 11 10 9    5 4    0
-  * +-----------------+------+---+------+---+--------+-----+------+------+
-  * | 0 1 0 1 1 1 1 0 | size | 0 |  Rm  | 0 | opcode | 0 0 |  Rn  |  Rd  |
-@@ -XXX,XX +XXX,XX @@ static void disas_crypto_three_reg_sha(DisasContext *s, uint32_t insn)
-     tcg_temp_free_i32(tcg_rm_regno);
- }
--/* C3.6.21 Crypto two-reg SHA
-+/* Crypto two-reg SHA
-  *  31             24 23  22 21       17 16    12 11 10 9    5 4    0
-  * +-----------------+------+-----------+--------+-----+------+------+
-  * | 0 1 0 1 1 1 1 0 | size | 1 0 1 0 0 | opcode | 1 0 |  Rn  |  Rd  |
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 22/31] hw/gpio/omap_gpio.c: Don't use old_mmio
+[Qemu-devel] [PULL 15/25] Make flatview_extend_translation() take a MemTxAttrs argument
-Drop the use of old_mmio in the omap2_gpio memory ops.
+As part of plumbing MemTxAttrs down to the IOMMU translate method,
 add MemTxAttrs as an argument to flatview_extend_translation().
 Its callers either have an attrs value to hand, or don't care
 and can use MEMTXATTRS_UNSPECIFIED.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505580378-9044-3-git-send-email-peter.maydell@linaro.org
+Message-id: 20180521140402.23318-7-peter.maydell@linaro.org
 ---
- hw/gpio/omap_gpio.c | 26 ++++++++++++--------------
+ exec.c | 15 ++++++++++-----
-file changed, 12 insertions(+), 14 deletions(-)
+file changed, 10 insertions(+), 5 deletions(-)
-diff --git a/hw/gpio/omap_gpio.c b/hw/gpio/omap_gpio.c
+diff --git a/exec.c b/exec.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/gpio/omap_gpio.c
+--- a/exec.c
-+++ b/hw/gpio/omap_gpio.c
++++ b/exec.c
-@@ -XXX,XX +XXX,XX @@ static void omap2_gpio_module_write(void *opaque, hwaddr addr,
+@@ -XXX,XX +XXX,XX @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr,
-     }
- }
+ static hwaddr
+ flatview_extend_translation(FlatView *fv, hwaddr addr,
--static uint32_t omap2_gpio_module_readp(void *opaque, hwaddr addr)
+-                                 hwaddr target_len,
-+static uint64_t omap2_gpio_module_readp(void *opaque, hwaddr addr,
+-                                 MemoryRegion *mr, hwaddr base, hwaddr len,
-+                                        unsigned size)
+-                                 bool is_write)
 +                            hwaddr target_len,
 +                            MemoryRegion *mr, hwaddr base, hwaddr len,
 +                            bool is_write, MemTxAttrs attrs)
  {
-     return omap2_gpio_module_read(opaque, addr & ~3) >> ((addr & 3) << 3);
+     hwaddr done = 0;
- }
+     hwaddr xlat;
+@@ -XXX,XX +XXX,XX @@ void *address_space_map(AddressSpace *as,
- static void omap2_gpio_module_writep(void *opaque, hwaddr addr,
--                uint32_t value)
+     memory_region_ref(mr);
-+                                     uint64_t value, unsigned size)
+     *plen = flatview_extend_translation(fv, addr, len, mr, xlat,
- {
+-                                             l, is_write);
-     uint32_t cur = 0;
++                                        l, is_write, attrs);
-     uint32_t mask = 0xffff;
+     ptr = qemu_ram_ptr_length(mr->ram_block, xlat, plen, true);
+     rcu_read_unlock();
-+    if (size == 4) {
-+        omap2_gpio_module_write(opaque, addr, value);
+@@ -XXX,XX +XXX,XX @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
-+        return;
+     mr = cache->mrs.mr;
-+    }
+     memory_region_ref(mr);
-+
+     if (memory_access_is_direct(mr, is_write)) {
-     switch (addr & ~3) {
++        /* We don't care about the memory attributes here as we're only
-     case 0x00:    /* GPIO_REVISION */
++         * doing this if we found actual RAM, which behaves the same
-     case 0x14:    /* GPIO_SYSSTATUS */
++         * regardless of attributes; so UNSPECIFIED is fine.
-@@ -XXX,XX +XXX,XX @@ static void omap2_gpio_module_writep(void *opaque, hwaddr addr,
++         */
- }
+         l = flatview_extend_translation(cache->fv, addr, len, mr,
+-                                        cache->xlat, l, is_write);
- static const MemoryRegionOps omap2_gpio_module_ops = {
++                                        cache->xlat, l, is_write,
--    .old_mmio = {
++                                        MEMTXATTRS_UNSPECIFIED);
--        .read = {
+         cache->ptr = qemu_ram_ptr_length(mr->ram_block, cache->xlat, &l, true);
--            omap2_gpio_module_readp,
+     } else {
--            omap2_gpio_module_readp,
+         cache->ptr = NULL;
 -            omap2_gpio_module_read,
 -        },
 -        .write = {
 -            omap2_gpio_module_writep,
 -            omap2_gpio_module_writep,
 -            omap2_gpio_module_write,
 -        },
 -    },
 +    .read = omap2_gpio_module_readp,
 +    .write = omap2_gpio_module_writep,
 +    .valid.min_access_size = 1,
 +    .valid.max_access_size = 4,
      .endianness = DEVICE_NATIVE_ENDIAN,
  };
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 07/31] nvic: Implement NVIC_ITNS<n> registers
+[Qemu-devel] [PULL 16/25] Make memory_region_access_valid() take a MemTxAttrs argument
-For v8M, the NVIC has a new set of registers per interrupt,
+As part of plumbing MemTxAttrs down to the IOMMU translate method,
-NVIC_ITNS<n>. These determine whether the interrupt targets Secure
+add MemTxAttrs as an argument to memory_region_access_valid().
-or Non-secure state. Implement the register read/write code for
+Its callers either have an attrs value to hand, or don't care
-these, and make them cause NVIC_IABR, NVIC_ICER, NVIC_ISER,
+and can use MEMTXATTRS_UNSPECIFIED.
-NVIC_ICPR, NVIC_IPR and NVIC_ISPR to RAZ/WI for non-secure
-accesses to fields corresponding to interrupts which are
+The callsite in flatview_access_valid() is part of a recursive
-configured to target secure state.
+loop flatview_access_valid() -> memory_region_access_valid() ->
  subpage_accepts() -> flatview_access_valid(); we make it pass
 MEMTXATTRS_UNSPECIFIED for now, until the next several commits
 have plumbed an attrs parameter through the rest of the loop
 and we can add an attrs parameter to flatview_access_valid().
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505240046-11454-8-git-send-email-peter.maydell@linaro.org
+Message-id: 20180521140402.23318-8-peter.maydell@linaro.org
 ---
- include/hw/intc/armv7m_nvic.h |  3 ++
+ include/exec/memory-internal.h | 3 ++-
- hw/intc/armv7m_nvic.c         | 74 +++++++++++++++++++++++++++++++++++++++----
+ exec.c                         | 4 +++-
-files changed, 70 insertions(+), 7 deletions(-)
+ hw/s390x/s390-pci-inst.c       | 3 ++-
  memory.c                       | 7 ++++---
 files changed, 11 insertions(+), 6 deletions(-)
-diff --git a/include/hw/intc/armv7m_nvic.h b/include/hw/intc/armv7m_nvic.h
+diff --git a/include/exec/memory-internal.h b/include/exec/memory-internal.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/intc/armv7m_nvic.h
+--- a/include/exec/memory-internal.h
-+++ b/include/hw/intc/armv7m_nvic.h
++++ b/include/exec/memory-internal.h
-@@ -XXX,XX +XXX,XX @@ typedef struct NVICState {
+@@ -XXX,XX +XXX,XX @@ void flatview_unref(FlatView *view);
-     /* The PRIGROUP field in AIRCR is banked */
+ extern const MemoryRegionOps unassigned_mem_ops;
-     uint32_t prigroup[M_REG_NUM_BANKS];
+ bool memory_region_access_valid(MemoryRegion *mr, hwaddr addr,
-+    /* v8M NVIC_ITNS state (stored as a bool per bit) */
+-                                unsigned size, bool is_write);
-+    bool itns[NVIC_MAX_VECTORS];
++                                unsigned size, bool is_write,
-+
++                                MemTxAttrs attrs);
-     /* The following fields are all cached state that can be recalculated
-      * from the vectors[] and sec_vectors[] arrays and the prigroup field:
+ void flatview_add_to_dispatch(FlatView *fv, MemoryRegionSection *section);
-      *  - vectpending
+ AddressSpaceDispatch *address_space_dispatch_new(FlatView *fv);
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
+diff --git a/exec.c b/exec.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
+--- a/exec.c
-+++ b/hw/intc/armv7m_nvic.c
++++ b/exec.c
-@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
+@@ -XXX,XX +XXX,XX @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
-     switch (offset) {
+         mr = flatview_translate(fv, addr, &xlat, &l, is_write);
-     case 4: /* Interrupt Control Type.  */
+         if (!memory_access_is_direct(mr, is_write)) {
-         return ((s->num_irq - NVIC_FIRST_IRQ) / 32) - 1;
+             l = memory_access_size(mr, l, addr);
-+    case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */
+-            if (!memory_region_access_valid(mr, xlat, l, is_write)) {
-+    {
++            /* When our callers all have attrs we'll pass them through here */
-+        int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
++            if (!memory_region_access_valid(mr, xlat, l, is_write,
-+        int i;
++                                            MEMTXATTRS_UNSPECIFIED)) {
-+
+                 return false;
 +        if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
 +            goto bad_offset;
 +        }
 +        if (!attrs.secure) {
 +            return 0;
 +        }
 +        val = 0;
 +        for (i = 0; i < 32 && startvec + i < s->num_irq; i++) {
 +            if (s->itns[startvec + i]) {
 +                val |= (1 << i);
 +            }
 +        }
 +        return val;
 +    }
      case 0xd00: /* CPUID Base.  */
          return cpu->midr;
      case 0xd04: /* Interrupt Control State.  */
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
      ARMCPU *cpu = s->cpu;
      switch (offset) {
 +    case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */
 +    {
 +        int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
 +        int i;
 +
 +        if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
 +            goto bad_offset;
 +        }
 +        if (!attrs.secure) {
 +            break;
 +        }
 +        for (i = 0; i < 32 && startvec + i < s->num_irq; i++) {
 +            s->itns[startvec + i] = (value >> i) & 1;
 +        }
 +        nvic_irq_update(s);
 +        break;
 +    }
      case 0xd04: /* Interrupt Control State.  */
          if (value & (1 << 31)) {
              armv7m_nvic_set_pending(s, ARMV7M_EXCP_NMI);
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
          startvec = offset - 0x180 + NVIC_FIRST_IRQ; /* vector # */
          for (i = 0, end = size * 8; i < end && startvec + i < s->num_irq; i++) {
 -            if (s->vectors[startvec + i].enabled) {
 +            if (s->vectors[startvec + i].enabled &&
 +                (attrs.secure || s->itns[startvec + i])) {
                  val |= (1 << i);
              }
          }
-@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
+diff --git a/hw/s390x/s390-pci-inst.c b/hw/s390x/s390-pci-inst.c
-         val = 0;
+index XXXXXXX..XXXXXXX 100644
-         startvec = offset - 0x280 + NVIC_FIRST_IRQ; /* vector # */
+--- a/hw/s390x/s390-pci-inst.c
-         for (i = 0, end = size * 8; i < end && startvec + i < s->num_irq; i++) {
++++ b/hw/s390x/s390-pci-inst.c
--            if (s->vectors[startvec + i].pending) {
+@@ -XXX,XX +XXX,XX @@ int pcistb_service_call(S390CPU *cpu, uint8_t r1, uint8_t r3, uint64_t gaddr,
-+            if (s->vectors[startvec + i].pending &&
+     mr = s390_get_subregion(mr, offset, len);
-+                (attrs.secure || s->itns[startvec + i])) {
+     offset -= mr->addr;
-                 val |= (1 << i);
-             }
+-    if (!memory_region_access_valid(mr, offset, len, true)) {
-         }
++    if (!memory_region_access_valid(mr, offset, len, true,
-@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
++                                    MEMTXATTRS_UNSPECIFIED)) {
-         startvec = offset - 0x300 + NVIC_FIRST_IRQ; /* vector # */
+         s390_program_interrupt(env, PGM_OPERAND, 6, ra);
+         return 0;
          for (i = 0, end = size * 8; i < end && startvec + i < s->num_irq; i++) {
 -            if (s->vectors[startvec + i].active) {
 +            if (s->vectors[startvec + i].active &&
 +                (attrs.secure || s->itns[startvec + i])) {
                  val |= (1 << i);
              }
          }
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
          startvec = offset - 0x400 + NVIC_FIRST_IRQ; /* vector # */
          for (i = 0; i < size && startvec + i < s->num_irq; i++) {
 -            val |= s->vectors[startvec + i].prio << (8 * i);
 +            if (attrs.secure || s->itns[startvec + i]) {
 +                val |= s->vectors[startvec + i].prio << (8 * i);
 +            }
          }
          break;
      case 0xd18 ... 0xd23: /* System Handler Priority.  */
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_write(void *opaque, hwaddr addr,
          startvec = 8 * (offset - 0x180) + NVIC_FIRST_IRQ;
          for (i = 0, end = size * 8; i < end && startvec + i < s->num_irq; i++) {
 -            if (value & (1 << i)) {
 +            if (value & (1 << i) &&
 +                (attrs.secure || s->itns[startvec + i])) {
                  s->vectors[startvec + i].enabled = setval;
              }
          }
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_write(void *opaque, hwaddr addr,
          startvec = 8 * (offset - 0x280) + NVIC_FIRST_IRQ; /* vector # */
          for (i = 0, end = size * 8; i < end && startvec + i < s->num_irq; i++) {
 -            if (value & (1 << i)) {
 +            if (value & (1 << i) &&
 +                (attrs.secure || s->itns[startvec + i])) {
                  s->vectors[startvec + i].pending = setval;
              }
          }
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_write(void *opaque, hwaddr addr,
          startvec = 8 * (offset - 0x400) + NVIC_FIRST_IRQ; /* vector # */
          for (i = 0; i < size && startvec + i < s->num_irq; i++) {
 -            set_prio(s, startvec + i, (value >> (i * 8)) & 0xff);
 +            if (attrs.secure || s->itns[startvec + i]) {
 +                set_prio(s, startvec + i, (value >> (i * 8)) & 0xff);
 +            }
          }
          nvic_irq_update(s);
          return MEMTX_OK;
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_nvic_security = {
          VMSTATE_STRUCT_ARRAY(sec_vectors, NVICState, NVIC_INTERNAL_VECTORS, 1,
                               vmstate_VecInfo, VecInfo),
          VMSTATE_UINT32(prigroup[M_REG_S], NVICState),
 +        VMSTATE_BOOL_ARRAY(itns, NVICState, NVIC_MAX_VECTORS),
          VMSTATE_END_OF_LIST()
      }
- };
+diff --git a/memory.c b/memory.c
-@@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_reset(DeviceState *dev)
+index XXXXXXX..XXXXXXX 100644
-     s->vectpending = 0;
+--- a/memory.c
-     s->vectpending_is_s_banked = false;
++++ b/memory.c
-     s->vectpending_prio = NVIC_NOEXC_PRIO;
+@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps ram_device_mem_ops = {
-+
+ bool memory_region_access_valid(MemoryRegion *mr,
-+    if (arm_feature(&s->cpu->env, ARM_FEATURE_M_SECURITY)) {
+                                 hwaddr addr,
-+        memset(s->itns, 0, sizeof(s->itns));
+                                 unsigned size,
-+    } else {
+-                                bool is_write)
-+        /* This state is constant and not guest accessible in a non-security
++                                bool is_write,
-+         * NVIC; we set the bits to true to avoid having to do a feature
++                                MemTxAttrs attrs)
-+         * bit check in the NVIC enable/pend/etc register accessors.
+ {
-+         */
+     int access_size_min, access_size_max;
-+        int i;
+     int access_size, i;
-+
+@@ -XXX,XX +XXX,XX @@ MemTxResult memory_region_dispatch_read(MemoryRegion *mr,
-+        for (i = NVIC_FIRST_IRQ; i < ARRAY_SIZE(s->itns); i++) {
+ {
-+            s->itns[i] = true;
+     MemTxResult r;
-+        }
-+    }
+-    if (!memory_region_access_valid(mr, addr, size, false)) {
- }
++    if (!memory_region_access_valid(mr, addr, size, false, attrs)) {
+         *pval = unassigned_mem_read(mr, addr, size);
- static void nvic_systick_trigger(void *opaque, int n, int level)
+         return MEMTX_DECODE_ERROR;
      }
@@ -XXX,XX +XXX,XX @@ MemTxResult memory_region_dispatch_write(MemoryRegion *mr,
                                           unsigned size,
                                           MemTxAttrs attrs)
  {
 -    if (!memory_region_access_valid(mr, addr, size, true)) {
 +    if (!memory_region_access_valid(mr, addr, size, true, attrs)) {
          unassigned_mem_write(mr, addr, data, size);
          return MEMTX_DECODE_ERROR;
      }
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 19/31] nvic: Support banked exceptions in acknowledge and complete
+[Qemu-devel] [PULL 17/25] Make MemoryRegion valid.accepts callback take a MemTxAttrs argument
-Update armv7m_nvic_acknowledge_irq() and armv7m_nvic_complete_irq()
+As part of plumbing MemTxAttrs down to the IOMMU translate method,
-to handle banked exceptions:
+add MemTxAttrs as an argument to the MemoryRegion valid.accepts
- * acknowledge needs to use the correct vector, which may be
+callback. We'll need this for subpage_accepts().
-   in sec_vectors[]
- * acknowledge needs to return to its caller whether the
+We could take the approach we used with the read and write
-   exception should be taken to secure or non-secure state
+callbacks and add new a new _with_attrs version, but since there
- * complete needs its caller to tell it whether the exception
+are so few implementations of the accepts hook we just change
-   being completed is a secure one or not
+them all.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505240046-11454-20-git-send-email-peter.maydell@linaro.org
+Message-id: 20180521140402.23318-9-peter.maydell@linaro.org
 ---
- target/arm/cpu.h      | 15 +++++++++++++--
+ include/exec/memory.h |  3 ++-
- hw/intc/armv7m_nvic.c | 26 ++++++++++++++++++++------
+ exec.c                |  9 ++++++---
- target/arm/helper.c   |  8 +++++---
+ hw/hppa/dino.c        |  3 ++-
- hw/intc/trace-events  |  4 ++--
+ hw/nvram/fw_cfg.c     | 12 ++++++++----
-files changed, 40 insertions(+), 13 deletions(-)
+ hw/scsi/esp.c         |  3 ++-
  hw/xen/xen_pt_msi.c   |  3 ++-
  memory.c              |  5 +++--
 files changed, 25 insertions(+), 13 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+diff --git a/include/exec/memory.h b/include/exec/memory.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
+--- a/include/exec/memory.h
-+++ b/target/arm/cpu.h
++++ b/include/exec/memory.h
-@@ -XXX,XX +XXX,XX @@ static inline bool armv7m_nvic_can_take_pending_exception(void *opaque)
+@@ -XXX,XX +XXX,XX @@ struct MemoryRegionOps {
-  * of architecturally banked exceptions.
+          * as a machine check exception).
-  */
+          */
- void armv7m_nvic_set_pending(void *opaque, int irq, bool secure);
+         bool (*accepts)(void *opaque, hwaddr addr,
--void armv7m_nvic_acknowledge_irq(void *opaque);
+-                        unsigned size, bool is_write);
-+/**
++                        unsigned size, bool is_write,
-+ * armv7m_nvic_acknowledge_irq: make highest priority pending exception active
++                        MemTxAttrs attrs);
-+ * @opaque: the NVIC
+     } valid;
-+ *
+     /* Internal implementation constraints: */
-+ * Move the current highest priority pending exception from the pending
+     struct {
-+ * state to the active state, and update v7m.exception to indicate that
+diff --git a/exec.c b/exec.c
 + * it is the exception currently being handled.
 + *
 + * Returns: true if exception should be taken to Secure state, false for NS
 + */
 +bool armv7m_nvic_acknowledge_irq(void *opaque);
  /**
   * armv7m_nvic_complete_irq: complete specified interrupt or exception
   * @opaque: the NVIC
   * @irq: the exception number to complete
 + * @secure: true if this exception was secure
   *
   * Returns: -1 if the irq was not active
   *           1 if completing this irq brought us back to base (no active irqs)
   *           0 if there is still an irq active after this one was completed
   * (Ignoring -1, this is the same as the RETTOBASE value before completion.)
   */
 -int armv7m_nvic_complete_irq(void *opaque, int irq);
 +int armv7m_nvic_complete_irq(void *opaque, int irq, bool secure);
  /**
   * armv7m_nvic_raw_execution_priority: return the raw execution priority
   * @opaque: the NVIC
 diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
+--- a/exec.c
-+++ b/hw/intc/armv7m_nvic.c
++++ b/exec.c
-@@ -XXX,XX +XXX,XX @@ void armv7m_nvic_set_pending(void *opaque, int irq, bool secure)
+@@ -XXX,XX +XXX,XX @@ static void notdirty_mem_write(void *opaque, hwaddr ram_addr,
  }
- /* Make pending IRQ active.  */
+ static bool notdirty_mem_accepts(void *opaque, hwaddr addr,
--void armv7m_nvic_acknowledge_irq(void *opaque)
+-                                 unsigned size, bool is_write)
-+bool armv7m_nvic_acknowledge_irq(void *opaque)
++                                 unsigned size, bool is_write,
 +                                 MemTxAttrs attrs)
  {
-     NVICState *s = (NVICState *)opaque;
+     return is_write;
      CPUARMState *env = &s->cpu->env;
      const int pending = s->vectpending;
      const int running = nvic_exec_prio(s);
      VecInfo *vec;
 +    bool targets_secure;
      assert(pending > ARMV7M_EXCP_RESET && pending < s->num_irq);
 -    vec = &s->vectors[pending];
 +    if (s->vectpending_is_s_banked) {
 +        vec = &s->sec_vectors[pending];
 +        targets_secure = true;
 +    } else {
 +        vec = &s->vectors[pending];
 +        targets_secure = !exc_is_banked(s->vectpending) &&
 +            exc_targets_secure(s, s->vectpending);
 +    }
      assert(vec->enabled);
      assert(vec->pending);
      assert(s->vectpending_prio < running);
 -    trace_nvic_acknowledge_irq(pending, s->vectpending_prio);
 +    trace_nvic_acknowledge_irq(pending, s->vectpending_prio, targets_secure);
      vec->active = 1;
      vec->pending = 0;
@@ -XXX,XX +XXX,XX @@ void armv7m_nvic_acknowledge_irq(void *opaque)
      env->v7m.exception = s->vectpending;
      nvic_irq_update(s);
 +
 +    return targets_secure;
  }
+@@ -XXX,XX +XXX,XX @@ static MemTxResult subpage_write(void *opaque, hwaddr addr,
--int armv7m_nvic_complete_irq(void *opaque, int irq)
+ }
-+int armv7m_nvic_complete_irq(void *opaque, int irq, bool secure)
  static bool subpage_accepts(void *opaque, hwaddr addr,
 -                            unsigned len, bool is_write)
 +                            unsigned len, bool is_write,
 +                            MemTxAttrs attrs)
  {
-     NVICState *s = (NVICState *)opaque;
+     subpage_t *subpage = opaque;
-     VecInfo *vec;
+ #if defined(DEBUG_SUBPAGE)
-@@ -XXX,XX +XXX,XX @@ int armv7m_nvic_complete_irq(void *opaque, int irq)
+@@ -XXX,XX +XXX,XX @@ static void readonly_mem_write(void *opaque, hwaddr addr,
+ }
-     assert(irq > ARMV7M_EXCP_RESET && irq < s->num_irq);
+ static bool readonly_mem_accepts(void *opaque, hwaddr addr,
--    vec = &s->vectors[irq];
+-                                 unsigned size, bool is_write)
-+    if (secure && exc_is_banked(irq)) {
++                                 unsigned size, bool is_write,
-+        vec = &s->sec_vectors[irq];
++                                 MemTxAttrs attrs)
-+    } else {
+ {
-+        vec = &s->vectors[irq];
+     return is_write;
-+    }
+ }
+diff --git a/hw/hppa/dino.c b/hw/hppa/dino.c
 -    trace_nvic_complete_irq(irq);
 +    trace_nvic_complete_irq(irq, secure);
      if (!vec->active) {
          /* Tell the caller this was an illegal exception return */
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
+--- a/hw/hppa/dino.c
-+++ b/target/arm/helper.c
++++ b/hw/hppa/dino.c
-@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
+@@ -XXX,XX +XXX,XX @@ static void gsc_to_pci_forwarding(DinoState *s)
-     bool return_to_sp_process = false;
+ }
-     bool return_to_handler = false;
-     bool rettobase = false;
+ static bool dino_chip_mem_valid(void *opaque, hwaddr addr,
-+    bool exc_secure = false;
+-                                unsigned size, bool is_write)
++                                unsigned size, bool is_write,
-     /* We can only get here from an EXCP_EXCEPTION_EXIT, and
++                                MemTxAttrs attrs)
-      * gen_bx_excret() enforces the architectural rule
+ {
-@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
+     switch (addr) {
-          * which security state's faultmask to clear. (v8M ARM ARM R_KBNF.)
+     case DINO_IAR0:
-          */
+diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
-         if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+index XXXXXXX..XXXXXXX 100644
--            int es = excret & R_V7M_EXCRET_ES_MASK;
+--- a/hw/nvram/fw_cfg.c
-+            exc_secure = excret & R_V7M_EXCRET_ES_MASK;
++++ b/hw/nvram/fw_cfg.c
-             if (armv7m_nvic_raw_execution_priority(env->nvic) >= 0) {
+@@ -XXX,XX +XXX,XX @@ static void fw_cfg_dma_mem_write(void *opaque, hwaddr addr,
--                env->v7m.faultmask[es] = 0;
+ }
-+                env->v7m.faultmask[exc_secure] = 0;
-             }
+ static bool fw_cfg_dma_mem_valid(void *opaque, hwaddr addr,
-         } else {
+-                                  unsigned size, bool is_write)
-             env->v7m.faultmask[M_REG_NS] = 0;
++                                 unsigned size, bool is_write,
 +                                 MemTxAttrs attrs)
  {
      return !is_write || ((size == 4 && (addr == 0 || addr == 4)) ||
                           (size == 8 && addr == 0));
  }
  static bool fw_cfg_data_mem_valid(void *opaque, hwaddr addr,
 -                                  unsigned size, bool is_write)
 +                                  unsigned size, bool is_write,
 +                                  MemTxAttrs attrs)
  {
      return addr == 0;
  }
@@ -XXX,XX +XXX,XX @@ static void fw_cfg_ctl_mem_write(void *opaque, hwaddr addr,
  }
  static bool fw_cfg_ctl_mem_valid(void *opaque, hwaddr addr,
 -                                 unsigned size, bool is_write)
 +                                 unsigned size, bool is_write,
 +                                 MemTxAttrs attrs)
  {
      return is_write && size == 2;
  }
@@ -XXX,XX +XXX,XX @@ static void fw_cfg_comb_write(void *opaque, hwaddr addr,
  }
  static bool fw_cfg_comb_valid(void *opaque, hwaddr addr,
 -                                  unsigned size, bool is_write)
 +                              unsigned size, bool is_write,
 +                              MemTxAttrs attrs)
  {
      return (size == 1) || (is_write && size == 2);
  }
 diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/scsi/esp.c
 +++ b/hw/scsi/esp.c
@@ -XXX,XX +XXX,XX @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
  }
  static bool esp_mem_accepts(void *opaque, hwaddr addr,
 -                            unsigned size, bool is_write)
 +                            unsigned size, bool is_write,
 +                            MemTxAttrs attrs)
  {
      return (size == 1) || (is_write && size == 4);
  }
 diff --git a/hw/xen/xen_pt_msi.c b/hw/xen/xen_pt_msi.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/xen/xen_pt_msi.c
 +++ b/hw/xen/xen_pt_msi.c
@@ -XXX,XX +XXX,XX @@ static uint64_t pci_msix_read(void *opaque, hwaddr addr,
  }
  static bool pci_msix_accepts(void *opaque, hwaddr addr,
 -                             unsigned size, bool is_write)
 +                             unsigned size, bool is_write,
 +                             MemTxAttrs attrs)
  {
      return !(addr & (size - 1));
  }
 diff --git a/memory.c b/memory.c
 index XXXXXXX..XXXXXXX 100644
 --- a/memory.c
 +++ b/memory.c
@@ -XXX,XX +XXX,XX @@ static void unassigned_mem_write(void *opaque, hwaddr addr,
  }
  static bool unassigned_mem_accepts(void *opaque, hwaddr addr,
 -                                   unsigned size, bool is_write)
 +                                   unsigned size, bool is_write,
 +                                   MemTxAttrs attrs)
  {
      return false;
  }
@@ -XXX,XX +XXX,XX @@ bool memory_region_access_valid(MemoryRegion *mr,
      access_size = MAX(MIN(size, access_size_max), access_size_min);
      for (i = 0; i < size; i += access_size) {
          if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
 -                                    is_write)) {
 +                                    is_write, attrs)) {
              return false;
          }
      }
--    switch (armv7m_nvic_complete_irq(env->nvic, env->v7m.exception)) {
-+    switch (armv7m_nvic_complete_irq(env->nvic, env->v7m.exception,
-+                                     exc_secure)) {
-     case -1:
-         /* attempt to exit an exception that isn't active */
-         ufault = true;
-diff --git a/hw/intc/trace-events b/hw/intc/trace-events
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/trace-events
-+++ b/hw/intc/trace-events
-@@ -XXX,XX +XXX,XX @@ nvic_escalate_disabled(int irq) "NVIC escalating irq %d to HardFault: disabled"
- nvic_set_pending(int irq, bool secure, int en, int prio) "NVIC set pending irq %d secure-bank %d (enabled: %d priority %d)"
- nvic_clear_pending(int irq, bool secure, int en, int prio) "NVIC clear pending irq %d secure-bank %d (enabled: %d priority %d)"
- nvic_set_pending_level(int irq) "NVIC set pending: irq %d higher prio than vectpending: setting irq line to 1"
--nvic_acknowledge_irq(int irq, int prio) "NVIC acknowledge IRQ: %d now active (prio %d)"
--nvic_complete_irq(int irq) "NVIC complete IRQ %d"
-+nvic_acknowledge_irq(int irq, int prio, bool targets_secure) "NVIC acknowledge IRQ: %d now active (prio %d targets_secure %d)"
-+nvic_complete_irq(int irq, bool secure) "NVIC complete IRQ %d (secure %d)"
- nvic_set_irq_level(int irq, int level) "NVIC external irq %d level set to %d"
- nvic_sysreg_read(uint64_t addr, uint32_t value, unsigned size) "NVIC sysreg read addr 0x%" PRIx64 " data 0x%" PRIx32 " size %u"
- nvic_sysreg_write(uint64_t addr, uint32_t value, unsigned size) "NVIC sysreg write addr 0x%" PRIx64 " data 0x%" PRIx32 " size %u"
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 10/31] nvic: Make SHPR registers banked
+[Qemu-devel] [PULL 18/25] Make flatview_access_valid() take a MemTxAttrs argument
-Make the set_prio() function take a bool indicating
+As part of plumbing MemTxAttrs down to the IOMMU translate method,
-whether to pend the secure or non-secure version of a banked
+add MemTxAttrs as an argument to flatview_access_valid().
-interrupt, and use this to implement the correct banking
+Its callers now all have an attrs value to hand, so we can
-semantics for the SHPR registers.
+correct our earlier temporary use of MEMTXATTRS_UNSPECIFIED.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505240046-11454-11-git-send-email-peter.maydell@linaro.org
+Message-id: 20180521140402.23318-10-peter.maydell@linaro.org
 ---
- hw/intc/armv7m_nvic.c | 96 ++++++++++++++++++++++++++++++++++++++++++++++-----
+ exec.c | 12 +++++-------
- hw/intc/trace-events  |  2 +-
+file changed, 5 insertions(+), 7 deletions(-)
 files changed, 88 insertions(+), 10 deletions(-)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
+diff --git a/exec.c b/exec.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
+--- a/exec.c
-+++ b/hw/intc/armv7m_nvic.c
++++ b/exec.c
-@@ -XXX,XX +XXX,XX @@ int armv7m_nvic_raw_execution_priority(void *opaque)
+@@ -XXX,XX +XXX,XX @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
-     return s->exception_prio;
+ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
                                    const uint8_t *buf, int len);
  static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
 -                                  bool is_write);
 +                                  bool is_write, MemTxAttrs attrs);
  static MemTxResult subpage_read(void *opaque, hwaddr addr, uint64_t *data,
                                  unsigned len, MemTxAttrs attrs)
@@ -XXX,XX +XXX,XX @@ static bool subpage_accepts(void *opaque, hwaddr addr,
  #endif
      return flatview_access_valid(subpage->fv, addr + subpage->base,
 -                                 len, is_write);
 +                                 len, is_write, attrs);
  }
--/* caller must call nvic_irq_update() after this */
+ static const MemoryRegionOps subpage_ops = {
--static void set_prio(NVICState *s, unsigned irq, uint8_t prio)
+@@ -XXX,XX +XXX,XX @@ static void cpu_notify_map_clients(void)
-+/* caller must call nvic_irq_update() after this.
+ }
-+ * secure indicates the bank to use for banked exceptions (we assert if
-+ * we are passed secure=true for a non-banked exception).
+ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
-+ */
+-                                  bool is_write)
-+static void set_prio(NVICState *s, unsigned irq, bool secure, uint8_t prio)
++                                  bool is_write, MemTxAttrs attrs)
  {
-     assert(irq > ARMV7M_EXCP_NMI); /* only use for configurable prios */
+     MemoryRegion *mr;
-     assert(irq < s->num_irq);
+     hwaddr l, xlat;
+@@ -XXX,XX +XXX,XX @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
--    s->vectors[irq].prio = prio;
+         mr = flatview_translate(fv, addr, &xlat, &l, is_write);
-+    if (secure) {
+         if (!memory_access_is_direct(mr, is_write)) {
-+        assert(exc_is_banked(irq));
+             l = memory_access_size(mr, l, addr);
-+        s->sec_vectors[irq].prio = prio;
+-            /* When our callers all have attrs we'll pass them through here */
-+    } else {
+-            if (!memory_region_access_valid(mr, xlat, l, is_write,
-+        s->vectors[irq].prio = prio;
+-                                            MEMTXATTRS_UNSPECIFIED)) {
-+    }
++            if (!memory_region_access_valid(mr, xlat, l, is_write, attrs)) {
-+
+                 return false;
 +    trace_nvic_set_prio(irq, secure, prio);
 +}
 +
 +/* Return the current raw priority register value.
 + * secure indicates the bank to use for banked exceptions (we assert if
 + * we are passed secure=true for a non-banked exception).
 + */
 +static int get_prio(NVICState *s, unsigned irq, bool secure)
 +{
 +    assert(irq > ARMV7M_EXCP_NMI); /* only use for configurable prios */
 +    assert(irq < s->num_irq);
 -    trace_nvic_set_prio(irq, prio);
 +    if (secure) {
 +        assert(exc_is_banked(irq));
 +        return s->sec_vectors[irq].prio;
 +    } else {
 +        return s->vectors[irq].prio;
 +    }
  }
  /* Recompute state and assert irq line accordingly.
@@ -XXX,XX +XXX,XX @@ static bool nvic_user_access_ok(NVICState *s, hwaddr offset, MemTxAttrs attrs)
      }
  }
 +static int shpr_bank(NVICState *s, int exc, MemTxAttrs attrs)
 +{
 +    /* Behaviour for the SHPR register field for this exception:
 +     * return M_REG_NS to use the nonsecure vector (including for
 +     * non-banked exceptions), M_REG_S for the secure version of
 +     * a banked exception, and -1 if this field should RAZ/WI.
 +     */
 +    switch (exc) {
 +    case ARMV7M_EXCP_MEM:
 +    case ARMV7M_EXCP_USAGE:
 +    case ARMV7M_EXCP_SVC:
 +    case ARMV7M_EXCP_PENDSV:
 +    case ARMV7M_EXCP_SYSTICK:
 +        /* Banked exceptions */
 +        return attrs.secure;
 +    case ARMV7M_EXCP_BUS:
 +        /* Not banked, RAZ/WI from nonsecure if BFHFNMINS is zero */
 +        if (!attrs.secure &&
 +            !(s->cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK)) {
 +            return -1;
 +        }
 +        return M_REG_NS;
 +    case ARMV7M_EXCP_SECURE:
 +        /* Not banked, RAZ/WI from nonsecure */
 +        if (!attrs.secure) {
 +            return -1;
 +        }
 +        return M_REG_NS;
 +    case ARMV7M_EXCP_DEBUG:
 +        /* Not banked. TODO should RAZ/WI if DEMCR.SDME is set */
 +        return M_REG_NS;
 +    case 8 ... 10:
 +    case 13:
 +        /* RES0 */
 +        return -1;
 +    default:
 +        /* Not reachable due to decode of SHPR register addresses */
 +        g_assert_not_reached();
 +    }
 +}
 +
  static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
                                      uint64_t *data, unsigned size,
                                      MemTxAttrs attrs)
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
              }
          }
-         break;
+@@ -XXX,XX +XXX,XX @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr,
--    case 0xd18 ... 0xd23: /* System Handler Priority.  */
-+    case 0xd18 ... 0xd23: /* System Handler Priority (SHPR1, SHPR2, SHPR3) */
+     rcu_read_lock();
-         val = 0;
+     fv = address_space_to_flatview(as);
-         for (i = 0; i < size; i++) {
+-    result = flatview_access_valid(fv, addr, len, is_write);
--            val |= s->vectors[(offset - 0xd14) + i].prio << (i * 8);
++    result = flatview_access_valid(fv, addr, len, is_write, attrs);
-+            unsigned hdlidx = (offset - 0xd14) + i;
+     rcu_read_unlock();
-+            int sbank = shpr_bank(s, hdlidx, attrs);
+     return result;
-+
+ }
 +            if (sbank < 0) {
 +                continue;
 +            }
 +            val = deposit32(val, i * 8, 8, get_prio(s, hdlidx, sbank));
          }
          break;
      case 0xfe0 ... 0xfff: /* ID.  */
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_write(void *opaque, hwaddr addr,
          for (i = 0; i < size && startvec + i < s->num_irq; i++) {
              if (attrs.secure || s->itns[startvec + i]) {
 -                set_prio(s, startvec + i, (value >> (i * 8)) & 0xff);
 +                set_prio(s, startvec + i, false, (value >> (i * 8)) & 0xff);
              }
          }
          nvic_irq_update(s);
          return MEMTX_OK;
 -    case 0xd18 ... 0xd23: /* System Handler Priority.  */
 +    case 0xd18 ... 0xd23: /* System Handler Priority (SHPR1, SHPR2, SHPR3) */
          for (i = 0; i < size; i++) {
              unsigned hdlidx = (offset - 0xd14) + i;
 -            set_prio(s, hdlidx, (value >> (i * 8)) & 0xff);
 +            int newprio = extract32(value, i * 8, 8);
 +            int sbank = shpr_bank(s, hdlidx, attrs);
 +
 +            if (sbank < 0) {
 +                continue;
 +            }
 +            set_prio(s, hdlidx, sbank, newprio);
          }
          nvic_irq_update(s);
          return MEMTX_OK;
 diff --git a/hw/intc/trace-events b/hw/intc/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/trace-events
 +++ b/hw/intc/trace-events
@@ -XXX,XX +XXX,XX @@ gicv3_redist_send_sgi(uint32_t cpu, int irq) "GICv3 redistributor 0x%x pending S
  # hw/intc/armv7m_nvic.c
  nvic_recompute_state(int vectpending, int vectpending_prio, int exception_prio) "NVIC state recomputed: vectpending %d vectpending_prio %d exception_prio %d"
  nvic_recompute_state_secure(int vectpending, bool vectpending_is_s_banked, int vectpending_prio, int exception_prio) "NVIC state recomputed: vectpending %d is_s_banked %d vectpending_prio %d exception_prio %d"
 -nvic_set_prio(int irq, uint8_t prio) "NVIC set irq %d priority %d"
 +nvic_set_prio(int irq, bool secure, uint8_t prio) "NVIC set irq %d secure-bank %d priority %d"
  nvic_irq_update(int vectpending, int pendprio, int exception_prio, int level) "NVIC vectpending %d pending prio %d exception_prio %d: setting irq line to %d"
  nvic_escalate_prio(int irq, int irqprio, int runprio) "NVIC escalating irq %d to HardFault: insufficient priority %d >= %d"
  nvic_escalate_disabled(int irq) "NVIC escalating irq %d to HardFault: disabled"
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 21/31] hw/arm/palm.c: Don't use old_mmio for static_ops
+[Qemu-devel] [PULL 19/25] Make flatview_translate() take a MemTxAttrs argument
-Update the static_ops functions to use new-style mmio
+As part of plumbing MemTxAttrs down to the IOMMU translate method,
-rather than the legacy old_mmio functions.
+add MemTxAttrs as an argument to flatview_translate(); all its
 callers now have attrs available.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505580378-9044-2-git-send-email-peter.maydell@linaro.org
+Message-id: 20180521140402.23318-11-peter.maydell@linaro.org
 ---
- hw/arm/palm.c | 30 ++++++++++--------------------
+ include/exec/memory.h |  7 ++++---
-file changed, 10 insertions(+), 20 deletions(-)
+ exec.c                | 17 +++++++++--------
 files changed, 13 insertions(+), 11 deletions(-)
-diff --git a/hw/arm/palm.c b/hw/arm/palm.c
+diff --git a/include/exec/memory.h b/include/exec/memory.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/palm.c
+--- a/include/exec/memory.h
-+++ b/hw/arm/palm.c
++++ b/include/exec/memory.h
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
- #include "exec/address-spaces.h"
+  */
- #include "cpu.h"
+ MemoryRegion *flatview_translate(FlatView *fv,
+                                  hwaddr addr, hwaddr *xlat,
--static uint32_t static_readb(void *opaque, hwaddr offset)
+-                                 hwaddr *len, bool is_write);
-+static uint64_t static_read(void *opaque, hwaddr offset, unsigned size)
++                                 hwaddr *len, bool is_write,
 +                                 MemTxAttrs attrs);
  static inline MemoryRegion *address_space_translate(AddressSpace *as,
                                                      hwaddr addr, hwaddr *xlat,
@@ -XXX,XX +XXX,XX @@ static inline MemoryRegion *address_space_translate(AddressSpace *as,
                                                      MemTxAttrs attrs)
  {
--    uint32_t *val = (uint32_t *) opaque;
+     return flatview_translate(address_space_to_flatview(as),
--    return *val >> ((offset & 3) << 3);
+-                              addr, xlat, len, is_write);
--}
++                              addr, xlat, len, is_write, attrs);
 +    uint32_t *val = (uint32_t *)opaque;
 +    uint32_t sizemask = 7 >> size;
 -static uint32_t static_readh(void *opaque, hwaddr offset)
 -{
 -    uint32_t *val = (uint32_t *) opaque;
 -    return *val >> ((offset & 1) << 3);
 -}
 -
 -static uint32_t static_readw(void *opaque, hwaddr offset)
 -{
 -    uint32_t *val = (uint32_t *) opaque;
 -    return *val >> ((offset & 0) << 3);
 +    return *val >> ((offset & sizemask) << 3);
  }
--static void static_write(void *opaque, hwaddr offset,
+ /* address_space_access_valid: check for validity of accessing an address
--                uint32_t value)
+@@ -XXX,XX +XXX,XX @@ MemTxResult address_space_read(AddressSpace *as, hwaddr addr,
-+static void static_write(void *opaque, hwaddr offset, uint64_t value,
+             rcu_read_lock();
-+                         unsigned size)
+             fv = address_space_to_flatview(as);
              l = len;
 -            mr = flatview_translate(fv, addr, &addr1, &l, false);
 +            mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);
              if (len == l && memory_access_is_direct(mr, false)) {
                  ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
                  memcpy(buf, ptr, len);
 diff --git a/exec.c b/exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/exec.c
 +++ b/exec.c
@@ -XXX,XX +XXX,XX @@ iotlb_fail:
  /* Called from RCU critical section */
  MemoryRegion *flatview_translate(FlatView *fv, hwaddr addr, hwaddr *xlat,
 -                                 hwaddr *plen, bool is_write)
 +                                 hwaddr *plen, bool is_write,
 +                                 MemTxAttrs attrs)
  {
- #ifdef SPY
+     MemoryRegion *mr;
-     printf("%s: value %08lx written at " PA_FMT "\n",
+     MemoryRegionSection section;
-@@ -XXX,XX +XXX,XX @@ static void static_write(void *opaque, hwaddr offset,
+@@ -XXX,XX +XXX,XX @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
          }
          l = len;
 -        mr = flatview_translate(fv, addr, &addr1, &l, true);
 +        mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
      }
      return result;
@@ -XXX,XX +XXX,XX @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
      MemTxResult result = MEMTX_OK;
      l = len;
 -    mr = flatview_translate(fv, addr, &addr1, &l, true);
 +    mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
      result = flatview_write_continue(fv, addr, attrs, buf, len,
                                       addr1, l, mr);
@@ -XXX,XX +XXX,XX @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
          }
          l = len;
 -        mr = flatview_translate(fv, addr, &addr1, &l, false);
 +        mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);
      }
      return result;
@@ -XXX,XX +XXX,XX @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
      MemoryRegion *mr;
      l = len;
 -    mr = flatview_translate(fv, addr, &addr1, &l, false);
 +    mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);
      return flatview_read_continue(fv, addr, attrs, buf, len,
                                    addr1, l, mr);
  }
+@@ -XXX,XX +XXX,XX @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
- static const MemoryRegionOps static_ops = {
--    .old_mmio = {
+     while (len > 0) {
--        .read = { static_readb, static_readh, static_readw, },
+         l = len;
--        .write = { static_write, static_write, static_write, },
+-        mr = flatview_translate(fv, addr, &xlat, &l, is_write);
--    },
++        mr = flatview_translate(fv, addr, &xlat, &l, is_write, attrs);
-+    .read = static_read,
+         if (!memory_access_is_direct(mr, is_write)) {
-+    .write = static_write,
+             l = memory_access_size(mr, l, addr);
-+    .valid.min_access_size = 1,
+             if (!memory_region_access_valid(mr, xlat, l, is_write, attrs)) {
-+    .valid.max_access_size = 4,
+@@ -XXX,XX +XXX,XX @@ flatview_extend_translation(FlatView *fv, hwaddr addr,
-     .endianness = DEVICE_NATIVE_ENDIAN,
- };
+         len = target_len;
+         this_mr = flatview_translate(fv, addr, &xlat,
 -                                                   &len, is_write);
 +                                     &len, is_write, attrs);
          if (this_mr != mr || xlat != base + done) {
              return done;
          }
@@ -XXX,XX +XXX,XX @@ void *address_space_map(AddressSpace *as,
      l = len;
      rcu_read_lock();
      fv = address_space_to_flatview(as);
 -    mr = flatview_translate(fv, addr, &xlat, &l, is_write);
 +    mr = flatview_translate(fv, addr, &xlat, &l, is_write, attrs);
      if (!memory_access_is_direct(mr, is_write)) {
          if (atomic_xchg(&bounce.in_use, true)) {
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 18/31] nvic: Make SHCSR banked for v8M
+[Qemu-devel] [PULL 20/25] Make address_space_get_iotlb_entry() take a MemTxAttrs argument
-Handle banking of SHCSR: some register bits are banked between
+As part of plumbing MemTxAttrs down to the IOMMU translate method,
-Secure and Non-Secure, and some are only accessible to Secure.
+add MemTxAttrs as an argument to address_space_get_iotlb_entry().
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505240046-11454-19-git-send-email-peter.maydell@linaro.org
+Message-id: 20180521140402.23318-12-peter.maydell@linaro.org
 ---
- hw/intc/armv7m_nvic.c | 221 ++++++++++++++++++++++++++++++++++++++------------
+ include/exec/memory.h | 2 +-
-file changed, 169 insertions(+), 52 deletions(-)
+ exec.c                | 2 +-
  hw/virtio/vhost.c     | 3 ++-
 files changed, 4 insertions(+), 3 deletions(-)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
+diff --git a/include/exec/memory.h b/include/exec/memory.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
+--- a/include/exec/memory.h
-+++ b/hw/intc/armv7m_nvic.c
++++ b/include/exec/memory.h
-@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
+@@ -XXX,XX +XXX,XX @@ void address_space_cache_destroy(MemoryRegionCache *cache);
-         val = cpu->env.v7m.ccr[attrs.secure];
+  * entry. Should be called from an RCU critical section.
-         val |= cpu->env.v7m.ccr[M_REG_NS] & R_V7M_CCR_BFHFNMIGN_MASK;
+  */
-         return val;
+ IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
--    case 0xd24: /* System Handler Status.  */
+-                                            bool is_write);
-+    case 0xd24: /* System Handler Control and State (SHCSR) */
++                                            bool is_write, MemTxAttrs attrs);
-         val = 0;
--        if (s->vectors[ARMV7M_EXCP_MEM].active) {
+ /* address_space_translate: translate an address range into an address space
--            val |= (1 << 0);
+  * into a MemoryRegion and an address range into that section.  Should be
--        }
+diff --git a/exec.c b/exec.c
--        if (s->vectors[ARMV7M_EXCP_BUS].active) {
+index XXXXXXX..XXXXXXX 100644
--            val |= (1 << 1);
+--- a/exec.c
--        }
++++ b/exec.c
--        if (s->vectors[ARMV7M_EXCP_USAGE].active) {
+@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection flatview_do_translate(FlatView *fv,
--            val |= (1 << 3);
-+        if (attrs.secure) {
+ /* Called from RCU critical section */
-+            if (s->sec_vectors[ARMV7M_EXCP_MEM].active) {
+ IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
-+                val |= (1 << 0);
+-                                            bool is_write)
-+            }
++                                            bool is_write, MemTxAttrs attrs)
-+            if (s->sec_vectors[ARMV7M_EXCP_HARD].active) {
+ {
-+                val |= (1 << 2);
+     MemoryRegionSection section;
-+            }
+     hwaddr xlat, page_mask;
-+            if (s->sec_vectors[ARMV7M_EXCP_USAGE].active) {
+diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
-+                val |= (1 << 3);
+index XXXXXXX..XXXXXXX 100644
-+            }
+--- a/hw/virtio/vhost.c
-+            if (s->sec_vectors[ARMV7M_EXCP_SVC].active) {
++++ b/hw/virtio/vhost.c
-+                val |= (1 << 7);
+@@ -XXX,XX +XXX,XX @@ int vhost_device_iotlb_miss(struct vhost_dev *dev, uint64_t iova, int write)
-+            }
+     trace_vhost_iotlb_miss(dev, 1);
-+            if (s->sec_vectors[ARMV7M_EXCP_PENDSV].active) {
-+                val |= (1 << 10);
+     iotlb = address_space_get_iotlb_entry(dev->vdev->dma_as,
-+            }
+-                                          iova, write);
-+            if (s->sec_vectors[ARMV7M_EXCP_SYSTICK].active) {
++                                          iova, write,
-+                val |= (1 << 11);
++                                          MEMTXATTRS_UNSPECIFIED);
-+            }
+     if (iotlb.target_as != NULL) {
-+            if (s->sec_vectors[ARMV7M_EXCP_USAGE].pending) {
+         ret = vhost_memory_region_lookup(dev, iotlb.translated_addr,
-+                val |= (1 << 12);
+                                          &uaddr, &len);
 +            }
 +            if (s->sec_vectors[ARMV7M_EXCP_MEM].pending) {
 +                val |= (1 << 13);
 +            }
 +            if (s->sec_vectors[ARMV7M_EXCP_SVC].pending) {
 +                val |= (1 << 15);
 +            }
 +            if (s->sec_vectors[ARMV7M_EXCP_MEM].enabled) {
 +                val |= (1 << 16);
 +            }
 +            if (s->sec_vectors[ARMV7M_EXCP_USAGE].enabled) {
 +                val |= (1 << 18);
 +            }
 +            if (s->sec_vectors[ARMV7M_EXCP_HARD].pending) {
 +                val |= (1 << 21);
 +            }
 +            /* SecureFault is not banked but is always RAZ/WI to NS */
 +            if (s->vectors[ARMV7M_EXCP_SECURE].active) {
 +                val |= (1 << 4);
 +            }
 +            if (s->vectors[ARMV7M_EXCP_SECURE].enabled) {
 +                val |= (1 << 19);
 +            }
 +            if (s->vectors[ARMV7M_EXCP_SECURE].pending) {
 +                val |= (1 << 20);
 +            }
 +        } else {
 +            if (s->vectors[ARMV7M_EXCP_MEM].active) {
 +                val |= (1 << 0);
 +            }
 +            if (arm_feature(&cpu->env, ARM_FEATURE_V8)) {
 +                /* HARDFAULTACT, HARDFAULTPENDED not present in v7M */
 +                if (s->vectors[ARMV7M_EXCP_HARD].active) {
 +                    val |= (1 << 2);
 +                }
 +                if (s->vectors[ARMV7M_EXCP_HARD].pending) {
 +                    val |= (1 << 21);
 +                }
 +            }
 +            if (s->vectors[ARMV7M_EXCP_USAGE].active) {
 +                val |= (1 << 3);
 +            }
 +            if (s->vectors[ARMV7M_EXCP_SVC].active) {
 +                val |= (1 << 7);
 +            }
 +            if (s->vectors[ARMV7M_EXCP_PENDSV].active) {
 +                val |= (1 << 10);
 +            }
 +            if (s->vectors[ARMV7M_EXCP_SYSTICK].active) {
 +                val |= (1 << 11);
 +            }
 +            if (s->vectors[ARMV7M_EXCP_USAGE].pending) {
 +                val |= (1 << 12);
 +            }
 +            if (s->vectors[ARMV7M_EXCP_MEM].pending) {
 +                val |= (1 << 13);
 +            }
 +            if (s->vectors[ARMV7M_EXCP_SVC].pending) {
 +                val |= (1 << 15);
 +            }
 +            if (s->vectors[ARMV7M_EXCP_MEM].enabled) {
 +                val |= (1 << 16);
 +            }
 +            if (s->vectors[ARMV7M_EXCP_USAGE].enabled) {
 +                val |= (1 << 18);
 +            }
          }
 -        if (s->vectors[ARMV7M_EXCP_SVC].active) {
 -            val |= (1 << 7);
 +        if (attrs.secure || (cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK)) {
 +            if (s->vectors[ARMV7M_EXCP_BUS].active) {
 +                val |= (1 << 1);
 +            }
 +            if (s->vectors[ARMV7M_EXCP_BUS].pending) {
 +                val |= (1 << 14);
 +            }
 +            if (s->vectors[ARMV7M_EXCP_BUS].enabled) {
 +                val |= (1 << 17);
 +            }
 +            if (arm_feature(&cpu->env, ARM_FEATURE_V8) &&
 +                s->vectors[ARMV7M_EXCP_NMI].active) {
 +                /* NMIACT is not present in v7M */
 +                val |= (1 << 5);
 +            }
          }
 +
 +        /* TODO: this is RAZ/WI from NS if DEMCR.SDME is set */
          if (s->vectors[ARMV7M_EXCP_DEBUG].active) {
              val |= (1 << 8);
          }
 -        if (s->vectors[ARMV7M_EXCP_PENDSV].active) {
 -            val |= (1 << 10);
 -        }
 -        if (s->vectors[ARMV7M_EXCP_SYSTICK].active) {
 -            val |= (1 << 11);
 -        }
 -        if (s->vectors[ARMV7M_EXCP_USAGE].pending) {
 -            val |= (1 << 12);
 -        }
 -        if (s->vectors[ARMV7M_EXCP_MEM].pending) {
 -            val |= (1 << 13);
 -        }
 -        if (s->vectors[ARMV7M_EXCP_BUS].pending) {
 -            val |= (1 << 14);
 -        }
 -        if (s->vectors[ARMV7M_EXCP_SVC].pending) {
 -            val |= (1 << 15);
 -        }
 -        if (s->vectors[ARMV7M_EXCP_MEM].enabled) {
 -            val |= (1 << 16);
 -        }
 -        if (s->vectors[ARMV7M_EXCP_BUS].enabled) {
 -            val |= (1 << 17);
 -        }
 -        if (s->vectors[ARMV7M_EXCP_USAGE].enabled) {
 -            val |= (1 << 18);
 -        }
          return val;
      case 0xd28: /* Configurable Fault Status.  */
          /* The BFSR bits [15:8] are shared between security states
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
          cpu->env.v7m.ccr[attrs.secure] = value;
          break;
 -    case 0xd24: /* System Handler Control.  */
 -        s->vectors[ARMV7M_EXCP_MEM].active = (value & (1 << 0)) != 0;
 -        s->vectors[ARMV7M_EXCP_BUS].active = (value & (1 << 1)) != 0;
 -        s->vectors[ARMV7M_EXCP_USAGE].active = (value & (1 << 3)) != 0;
 -        s->vectors[ARMV7M_EXCP_SVC].active = (value & (1 << 7)) != 0;
 +    case 0xd24: /* System Handler Control and State (SHCSR) */
 +        if (attrs.secure) {
 +            s->sec_vectors[ARMV7M_EXCP_MEM].active = (value & (1 << 0)) != 0;
 +            /* Secure HardFault active bit cannot be written */
 +            s->sec_vectors[ARMV7M_EXCP_USAGE].active = (value & (1 << 3)) != 0;
 +            s->sec_vectors[ARMV7M_EXCP_SVC].active = (value & (1 << 7)) != 0;
 +            s->sec_vectors[ARMV7M_EXCP_PENDSV].active =
 +                (value & (1 << 10)) != 0;
 +            s->sec_vectors[ARMV7M_EXCP_SYSTICK].active =
 +                (value & (1 << 11)) != 0;
 +            s->sec_vectors[ARMV7M_EXCP_USAGE].pending =
 +                (value & (1 << 12)) != 0;
 +            s->sec_vectors[ARMV7M_EXCP_MEM].pending = (value & (1 << 13)) != 0;
 +            s->sec_vectors[ARMV7M_EXCP_SVC].pending = (value & (1 << 15)) != 0;
 +            s->sec_vectors[ARMV7M_EXCP_MEM].enabled = (value & (1 << 16)) != 0;
 +            s->sec_vectors[ARMV7M_EXCP_BUS].enabled = (value & (1 << 17)) != 0;
 +            s->sec_vectors[ARMV7M_EXCP_USAGE].enabled =
 +                (value & (1 << 18)) != 0;
 +            /* SecureFault not banked, but RAZ/WI to NS */
 +            s->vectors[ARMV7M_EXCP_SECURE].active = (value & (1 << 4)) != 0;
 +            s->vectors[ARMV7M_EXCP_SECURE].enabled = (value & (1 << 19)) != 0;
 +            s->vectors[ARMV7M_EXCP_SECURE].pending = (value & (1 << 20)) != 0;
 +        } else {
 +            s->vectors[ARMV7M_EXCP_MEM].active = (value & (1 << 0)) != 0;
 +            if (arm_feature(&cpu->env, ARM_FEATURE_V8)) {
 +                /* HARDFAULTPENDED is not present in v7M */
 +                s->vectors[ARMV7M_EXCP_HARD].pending = (value & (1 << 21)) != 0;
 +            }
 +            s->vectors[ARMV7M_EXCP_USAGE].active = (value & (1 << 3)) != 0;
 +            s->vectors[ARMV7M_EXCP_SVC].active = (value & (1 << 7)) != 0;
 +            s->vectors[ARMV7M_EXCP_PENDSV].active = (value & (1 << 10)) != 0;
 +            s->vectors[ARMV7M_EXCP_SYSTICK].active = (value & (1 << 11)) != 0;
 +            s->vectors[ARMV7M_EXCP_USAGE].pending = (value & (1 << 12)) != 0;
 +            s->vectors[ARMV7M_EXCP_MEM].pending = (value & (1 << 13)) != 0;
 +            s->vectors[ARMV7M_EXCP_SVC].pending = (value & (1 << 15)) != 0;
 +            s->vectors[ARMV7M_EXCP_MEM].enabled = (value & (1 << 16)) != 0;
 +            s->vectors[ARMV7M_EXCP_USAGE].enabled = (value & (1 << 18)) != 0;
 +        }
 +        if (attrs.secure || (cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK)) {
 +            s->vectors[ARMV7M_EXCP_BUS].active = (value & (1 << 1)) != 0;
 +            s->vectors[ARMV7M_EXCP_BUS].pending = (value & (1 << 14)) != 0;
 +            s->vectors[ARMV7M_EXCP_BUS].enabled = (value & (1 << 17)) != 0;
 +        }
 +        /* NMIACT can only be written if the write is of a zero, with
 +         * BFHFNMINS 1, and by the CPU in secure state via the NS alias.
 +         */
 +        if (!attrs.secure && cpu->env.v7m.secure &&
 +            (cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) &&
 +            (value & (1 << 5)) == 0) {
 +            s->vectors[ARMV7M_EXCP_NMI].active = 0;
 +        }
 +        /* HARDFAULTACT can only be written if the write is of a zero
 +         * to the non-secure HardFault state by the CPU in secure state.
 +         * The only case where we can be targeting the non-secure HF state
 +         * when in secure state is if this is a write via the NS alias
 +         * and BFHFNMINS is 1.
 +         */
 +        if (!attrs.secure && cpu->env.v7m.secure &&
 +            (cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) &&
 +            (value & (1 << 2)) == 0) {
 +            s->vectors[ARMV7M_EXCP_HARD].active = 0;
 +        }
 +
 +        /* TODO: this is RAZ/WI from NS if DEMCR.SDME is set */
          s->vectors[ARMV7M_EXCP_DEBUG].active = (value & (1 << 8)) != 0;
 -        s->vectors[ARMV7M_EXCP_PENDSV].active = (value & (1 << 10)) != 0;
 -        s->vectors[ARMV7M_EXCP_SYSTICK].active = (value & (1 << 11)) != 0;
 -        s->vectors[ARMV7M_EXCP_USAGE].pending = (value & (1 << 12)) != 0;
 -        s->vectors[ARMV7M_EXCP_MEM].pending = (value & (1 << 13)) != 0;
 -        s->vectors[ARMV7M_EXCP_BUS].pending = (value & (1 << 14)) != 0;
 -        s->vectors[ARMV7M_EXCP_SVC].pending = (value & (1 << 15)) != 0;
 -        s->vectors[ARMV7M_EXCP_MEM].enabled = (value & (1 << 16)) != 0;
 -        s->vectors[ARMV7M_EXCP_BUS].enabled = (value & (1 << 17)) != 0;
 -        s->vectors[ARMV7M_EXCP_USAGE].enabled = (value & (1 << 18)) != 0;
          nvic_irq_update(s);
          break;
      case 0xd28: /* Configurable Fault Status.  */
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 17/31] nvic: Make ICSR banked for v8M
+[Qemu-devel] [PULL 21/25] Make flatview_do_translate() take a MemTxAttrs argument
-The ICSR NVIC register is banked for v8M. This doesn't
+As part of plumbing MemTxAttrs down to the IOMMU translate method,
-require any new state, but it does mean that some bits
+add MemTxAttrs as an argument to flatview_do_translate().
 are controlled by BFHNFNMINS and some bits must work
 with the correct banked exception. There is also a new
 in v8M PENDNMICLR bit.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505240046-11454-18-git-send-email-peter.maydell@linaro.org
+Message-id: 20180521140402.23318-13-peter.maydell@linaro.org
 ---
- hw/intc/armv7m_nvic.c | 45 ++++++++++++++++++++++++++++++++-------------
+ exec.c | 9 ++++++---
-file changed, 32 insertions(+), 13 deletions(-)
+file changed, 6 insertions(+), 3 deletions(-)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
+diff --git a/exec.c b/exec.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
+--- a/exec.c
-+++ b/hw/intc/armv7m_nvic.c
++++ b/exec.c
-@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
+@@ -XXX,XX +XXX,XX @@ unassigned:
-     }
+  * @is_write: whether the translation operation is for write
-     case 0xd00: /* CPUID Base.  */
+  * @is_mmio: whether this can be MMIO, set true if it can
-         return cpu->midr;
+  * @target_as: the address space targeted by the IOMMU
--    case 0xd04: /* Interrupt Control State.  */
++ * @attrs: memory transaction attributes
-+    case 0xd04: /* Interrupt Control State (ICSR) */
+  *
-         /* VECTACTIVE */
+  * This function is called from RCU critical section
-         val = cpu->env.v7m.exception;
+  */
-         /* VECTPENDING */
+@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection flatview_do_translate(FlatView *fv,
-@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
+                                                  hwaddr *page_mask_out,
-         if (nvic_rettobase(s)) {
+                                                  bool is_write,
-             val |= (1 << 11);
+                                                  bool is_mmio,
-         }
+-                                                 AddressSpace **target_as)
--        /* PENDSTSET */
++                                                 AddressSpace **target_as,
--        if (s->vectors[ARMV7M_EXCP_SYSTICK].pending) {
++                                                 MemTxAttrs attrs)
--            val |= (1 << 26);
+ {
--        }
+     MemoryRegionSection *section;
--        /* PENDSVSET */
+     IOMMUMemoryRegion *iommu_mr;
--        if (s->vectors[ARMV7M_EXCP_PENDSV].pending) {
+@@ -XXX,XX +XXX,XX @@ IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
--            val |= (1 << 28);
+      * but page mask.
-+        if (attrs.secure) {
+      */
-+            /* PENDSTSET */
+     section = flatview_do_translate(address_space_to_flatview(as), addr, &xlat,
-+            if (s->sec_vectors[ARMV7M_EXCP_SYSTICK].pending) {
+-                                    NULL, &page_mask, is_write, false, &as);
-+                val |= (1 << 26);
++                                    NULL, &page_mask, is_write, false, &as,
-+            }
++                                    attrs);
-+            /* PENDSVSET */
-+            if (s->sec_vectors[ARMV7M_EXCP_PENDSV].pending) {
+     /* Illegal translation */
-+                val |= (1 << 28);
+     if (section.mr == &io_mem_unassigned) {
-+            }
+@@ -XXX,XX +XXX,XX @@ MemoryRegion *flatview_translate(FlatView *fv, hwaddr addr, hwaddr *xlat,
-+        } else {
-+            /* PENDSTSET */
+     /* This can be MMIO, so setup MMIO bit. */
-+            if (s->vectors[ARMV7M_EXCP_SYSTICK].pending) {
+     section = flatview_do_translate(fv, addr, xlat, plen, NULL,
-+                val |= (1 << 26);
+-                                    is_write, true, &as);
-+            }
++                                    is_write, true, &as, attrs);
-+            /* PENDSVSET */
+     mr = section.mr;
-+            if (s->vectors[ARMV7M_EXCP_PENDSV].pending) {
-+                val |= (1 << 28);
+     if (xen_enabled() && memory_access_is_direct(mr, is_write)) {
 +            }
          }
          /* NMIPENDSET */
 -        if (s->vectors[ARMV7M_EXCP_NMI].pending) {
 +        if ((cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) &&
 +            s->vectors[ARMV7M_EXCP_NMI].pending) {
              val |= (1 << 31);
          }
 -        /* ISRPREEMPT not implemented */
 +        /* ISRPREEMPT: RES0 when halting debug not implemented */
 +        /* STTNS: RES0 for the Main Extension */
          return val;
      case 0xd08: /* Vector Table Offset.  */
          return cpu->env.v7m.vecbase[attrs.secure];
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
          nvic_irq_update(s);
          break;
      }
 -    case 0xd04: /* Interrupt Control State.  */
 -        if (value & (1 << 31)) {
 -            armv7m_nvic_set_pending(s, ARMV7M_EXCP_NMI, false);
 +    case 0xd04: /* Interrupt Control State (ICSR) */
 +        if (cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) {
 +            if (value & (1 << 31)) {
 +                armv7m_nvic_set_pending(s, ARMV7M_EXCP_NMI, false);
 +            } else if (value & (1 << 30) &&
 +                       arm_feature(&cpu->env, ARM_FEATURE_V8)) {
 +                /* PENDNMICLR didn't exist in v7M */
 +                armv7m_nvic_clear_pending(s, ARMV7M_EXCP_NMI, false);
 +            }
          }
          if (value & (1 << 28)) {
              armv7m_nvic_set_pending(s, ARMV7M_EXCP_PENDSV, attrs.secure);
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 16/31] target/arm: Handle banking in negative-execution-priority check in cpu_mmu_index()
+[Qemu-devel] [PULL 22/25] Make address_space_translate_iommu take a MemTxAttrs argument
-Now that we have a banked FAULTMASK register and banked exceptions,
+As part of plumbing MemTxAttrs down to the IOMMU translate method,
-we can implement the correct check in cpu_mmu_index() for whether
+add MemTxAttrs as an argument to address_space_translate_iommu().
 the MPU_CTRL.HFNMIENA bit's effect should apply. This bit causes
 handlers which have requested a negative execution priority to run
 with the MPU disabled. In v8M the test has to check this for the
 current security state and so takes account of banking.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505240046-11454-17-git-send-email-peter.maydell@linaro.org
+Message-id: 20180521140402.23318-14-peter.maydell@linaro.org
 ---
- target/arm/cpu.h      | 21 ++++++++++++++++-----
+ exec.c | 8 +++++---
- hw/intc/armv7m_nvic.c | 29 +++++++++++++++++++++++++++++
+file changed, 5 insertions(+), 3 deletions(-)
 files changed, 45 insertions(+), 5 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+diff --git a/exec.c b/exec.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
+--- a/exec.c
-+++ b/target/arm/cpu.h
++++ b/exec.c
-@@ -XXX,XX +XXX,XX @@ int armv7m_nvic_complete_irq(void *opaque, int irq);
+@@ -XXX,XX +XXX,XX @@ address_space_translate_internal(AddressSpaceDispatch *d, hwaddr addr, hwaddr *x
-  * (v8M ARM ARM I_PKLD.)
+  * @is_write: whether the translation operation is for write
-  */
+  * @is_mmio: whether this can be MMIO, set true if it can
- int armv7m_nvic_raw_execution_priority(void *opaque);
+  * @target_as: the address space targeted by the IOMMU
-+/**
++ * @attrs: transaction attributes
-+ * armv7m_nvic_neg_prio_requested: return true if the requested execution
+  *
-+ * priority is negative for the specified security state.
+  * This function is called from RCU critical section.  It is the common
-+ * @opaque: the NVIC
+  * part of flatview_do_translate and address_space_translate_cached.
-+ * @secure: the security state to test
+@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection address_space_translate_iommu(IOMMUMemoryRegion *iomm
-+ * This corresponds to the pseudocode IsReqExecPriNeg().
+                                                          hwaddr *page_mask_out,
-+ */
+                                                          bool is_write,
-+#ifndef CONFIG_USER_ONLY
+                                                          bool is_mmio,
-+bool armv7m_nvic_neg_prio_requested(void *opaque, bool secure);
+-                                                         AddressSpace **target_as)
-+#else
++                                                         AddressSpace **target_as,
-+static inline bool armv7m_nvic_neg_prio_requested(void *opaque, bool secure)
++                                                         MemTxAttrs attrs)
-+{
+ {
-+    return false;
+     MemoryRegionSection *section;
-+}
+     hwaddr page_mask = (hwaddr)-1;
-+#endif
+@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection flatview_do_translate(FlatView *fv,
+         return address_space_translate_iommu(iommu_mr, xlat,
- /* Interface for defining coprocessor registers.
+                                              plen_out, page_mask_out,
-  * Registers are defined in tables of arm_cp_reginfo structs
+                                              is_write, is_mmio,
-@@ -XXX,XX +XXX,XX @@ static inline int cpu_mmu_index(CPUARMState *env, bool ifetch)
+-                                             target_as);
-     if (arm_feature(env, ARM_FEATURE_M)) {
++                                             target_as, attrs);
-         ARMMMUIdx mmu_idx = el == 0 ? ARMMMUIdx_MUser : ARMMMUIdx_MPriv;
+     }
+     if (page_mask_out) {
--        /* Execution priority is negative if FAULTMASK is set or
+         /* Not behind an IOMMU, use default page size. */
--         * we're in a HardFault or NMI handler.
+@@ -XXX,XX +XXX,XX @@ static inline MemoryRegion *address_space_translate_cached(
--         */
--        if ((env->v7m.exception > 0 && env->v7m.exception <= 3)
+     section = address_space_translate_iommu(iommu_mr, xlat, plen,
--            || env->v7m.faultmask[env->v7m.secure]) {
+                                             NULL, is_write, true,
-+        if (armv7m_nvic_neg_prio_requested(env->nvic, env->v7m.secure)) {
+-                                            &target_as);
-             mmu_idx = ARMMMUIdx_MNegPri;
++                                            &target_as, attrs);
-         }
+     return section.mr;
 diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/armv7m_nvic.c
 +++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static inline int nvic_exec_prio(NVICState *s)
      return MIN(running, s->exception_prio);
  }
-+bool armv7m_nvic_neg_prio_requested(void *opaque, bool secure)
-+{
-+    /* Return true if the requested execution priority is negative
-+     * for the specified security state, ie that security state
-+     * has an active NMI or HardFault or has set its FAULTMASK.
-+     * Note that this is not the same as whether the execution
-+     * priority is actually negative (for instance AIRCR.PRIS may
-+     * mean we don't allow FAULTMASK_NS to actually make the execution
-+     * priority negative). Compare pseudocode IsReqExcPriNeg().
-+     */
-+    NVICState *s = opaque;
-+
-+    if (s->cpu->env.v7m.faultmask[secure]) {
-+        return true;
-+    }
-+
-+    if (secure ? s->sec_vectors[ARMV7M_EXCP_HARD].active :
-+        s->vectors[ARMV7M_EXCP_HARD].active) {
-+        return true;
-+    }
-+
-+    if (s->vectors[ARMV7M_EXCP_NMI].active &&
-+        exc_targets_secure(s, ARMV7M_EXCP_NMI) == secure) {
-+        return true;
-+    }
-+
-+    return false;
-+}
-+
- bool armv7m_nvic_can_take_pending_exception(void *opaque)
- {
-     NVICState *s = opaque;
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 13/31] nvic: Implement v8M changes to fixed priority exceptions
+[Qemu-devel] [PULL 23/25] vmstate.h: Provide VMSTATE_BOOL_SUB_ARRAY
-In v7M, the fixed-priority exceptions are:
+Provide a VMSTATE_BOOL_SUB_ARRAY to go with VMSTATE_UINT8_SUB_ARRAY
- Reset: -3
+and friends.
  NMI: -2
  HardFault: -1
 In v8M, this changes because Secure HardFault may need
 to be prioritised above NMI:
  Reset: -4
  Secure HardFault if AIRCR.BFHFNMINS == 1: -3
  NMI: -2
  Secure HardFault if AIRCR.BFHFNMINS == 0: -1
  NonSecure HardFault: -1
 Make these changes, including support for changing the
 priority of Secure HardFault as AIRCR.BFHFNMINS changes.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 1505240046-11454-14-git-send-email-peter.maydell@linaro.org
+Message-id: 20180521140402.23318-23-peter.maydell@linaro.org
 ---
- hw/intc/armv7m_nvic.c | 22 +++++++++++++++++++---
+ include/migration/vmstate.h | 3 +++
-file changed, 19 insertions(+), 3 deletions(-)
+file changed, 3 insertions(+)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
+diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
+--- a/include/migration/vmstate.h
-+++ b/hw/intc/armv7m_nvic.c
++++ b/include/migration/vmstate.h
-@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
+@@ -XXX,XX +XXX,XX @@ extern const VMStateInfo vmstate_info_qtailq;
-                     (R_V7M_AIRCR_SYSRESETREQS_MASK |
+ #define VMSTATE_BOOL_ARRAY(_f, _s, _n)                               \
-                      R_V7M_AIRCR_BFHFNMINS_MASK |
+     VMSTATE_BOOL_ARRAY_V(_f, _s, _n, 0)
-                      R_V7M_AIRCR_PRIS_MASK);
-+                /* BFHFNMINS changes the priority of Secure HardFault */
++#define VMSTATE_BOOL_SUB_ARRAY(_f, _s, _start, _num)                \
-+                if (cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) {
++    VMSTATE_SUB_ARRAY(_f, _s, _start, _num, 0, vmstate_info_bool, bool)
 +                    s->sec_vectors[ARMV7M_EXCP_HARD].prio = -3;
 +                } else {
 +                    s->sec_vectors[ARMV7M_EXCP_HARD].prio = -1;
 +                }
              }
              nvic_irq_update(s);
          }
@@ -XXX,XX +XXX,XX @@ static int nvic_post_load(void *opaque, int version_id)
  {
      NVICState *s = opaque;
      unsigned i;
 +    int resetprio;
      /* Check for out of range priority settings */
 -    if (s->vectors[ARMV7M_EXCP_RESET].prio != -3 ||
 +    resetprio = arm_feature(&s->cpu->env, ARM_FEATURE_V8) ? -4 : -3;
 +
-+    if (s->vectors[ARMV7M_EXCP_RESET].prio != resetprio ||
+ #define VMSTATE_UINT16_ARRAY_V(_f, _s, _n, _v)                         \
-         s->vectors[ARMV7M_EXCP_NMI].prio != -2 ||
+     VMSTATE_ARRAY(_f, _s, _n, _v, vmstate_info_uint16, uint16_t)
          s->vectors[ARMV7M_EXCP_HARD].prio != -1) {
          return 1;
@@ -XXX,XX +XXX,XX @@ static int nvic_security_post_load(void *opaque, int version_id)
      int i;
      /* Check for out of range priority settings */
 -    if (s->sec_vectors[ARMV7M_EXCP_HARD].prio != -1) {
 +    if (s->sec_vectors[ARMV7M_EXCP_HARD].prio != -1
 +        && s->sec_vectors[ARMV7M_EXCP_HARD].prio != -3) {
 +        /* We can't cross-check against AIRCR.BFHFNMINS as we don't know
 +         * if the CPU state has been migrated yet; a mismatch won't
 +         * cause the emulation to blow up, though.
 +         */
          return 1;
      }
      for (i = ARMV7M_EXCP_MEM; i < ARRAY_SIZE(s->sec_vectors); i++) {
@@ -XXX,XX +XXX,XX @@ static Property props_nvic[] = {
  static void armv7m_nvic_reset(DeviceState *dev)
  {
 +    int resetprio;
      NVICState *s = NVIC(dev);
      s->vectors[ARMV7M_EXCP_NMI].enabled = 1;
@@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_reset(DeviceState *dev)
      s->vectors[ARMV7M_EXCP_PENDSV].enabled = 1;
      s->vectors[ARMV7M_EXCP_SYSTICK].enabled = 1;
 -    s->vectors[ARMV7M_EXCP_RESET].prio = -3;
 +    resetprio = arm_feature(&s->cpu->env, ARM_FEATURE_V8) ? -4 : -3;
 +    s->vectors[ARMV7M_EXCP_RESET].prio = resetprio;
      s->vectors[ARMV7M_EXCP_NMI].prio = -2;
      s->vectors[ARMV7M_EXCP_HARD].prio = -1;
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 04/31] nvic: Add cached vectpending_prio state
+[Qemu-devel] [PULL 24/25] ARM: ACPI: Fix use-after-free due to memory realloc
-Instead of looking up the pending priority
+From: Shannon Zhao <zhaoshenglong@huawei.com>
 in nvic_pending_prio(), cache it in a new state struct
 field. The calculation of the pending priority given
 the interrupt number is more complicated in v8M with
 the security extension, so the caching will be worthwhile.
-This changes nvic_pending_prio() from returning a full
+acpi_data_push uses g_array_set_size to resize the memory size. If there
-(group + subpriority) priority value to returning a group
+is no enough contiguous memory, the address will be changed. So previous
-priority. This doesn't require changes to its callsites
+pointer could not be used any more. It must update the pointer and use
-because we use it only in comparisons of the form
+the new one.
   execution_prio > nvic_pending_prio()
 and execution priority is always a group priority, so
 a test (exec prio > full prio) is true if and only if
 (execprio > group_prio).
-(Architecturally the expected comparison is with the
+Also, previous codes wrongly use le32 conversion of iort->node_offset
-group priority for this sort of "would we preempt" test;
+for subsequent computations that will result incorrect value if host is
-we were only doing a test with a full priority as an
+not litlle endian. So use the non-converted one instead.
 optimisation to avoid the mask, which is possible
 precisely because the two comparisons always give the
 same answer.)
+Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Message-id: 1527663951-14552-1-git-send-email-zhaoshenglong@huawei.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505240046-11454-5-git-send-email-peter.maydell@linaro.org
 ---
- include/hw/intc/armv7m_nvic.h |  2 ++
+ hw/arm/virt-acpi-build.c | 20 +++++++++++++++-----
- hw/intc/armv7m_nvic.c         | 23 +++++++++++++----------
+file changed, 15 insertions(+), 5 deletions(-)
  hw/intc/trace-events          |  2 +-
 files changed, 16 insertions(+), 11 deletions(-)
-diff --git a/include/hw/intc/armv7m_nvic.h b/include/hw/intc/armv7m_nvic.h
+diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/intc/armv7m_nvic.h
+--- a/hw/arm/virt-acpi-build.c
-+++ b/include/hw/intc/armv7m_nvic.h
++++ b/hw/arm/virt-acpi-build.c
-@@ -XXX,XX +XXX,XX @@ typedef struct NVICState {
+@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
-      *  - vectpending
+     AcpiIortItsGroup *its;
-      *  - vectpending_is_secure
+     AcpiIortTable *iort;
-      *  - exception_prio
+     AcpiIortSmmu3 *smmu;
-+     *  - vectpending_prio
+-    size_t node_size, iort_length, smmu_offset = 0;
-      */
++    size_t node_size, iort_node_offset, iort_length, smmu_offset = 0;
-     unsigned int vectpending; /* highest prio pending enabled exception */
+     AcpiIortRC *rc;
-     /* true if vectpending is a banked secure exception, ie it is in
-@@ -XXX,XX +XXX,XX @@ typedef struct NVICState {
+     iort = acpi_data_push(table_data, sizeof(*iort));
-      */
+@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
-     bool vectpending_is_s_banked;
-     int exception_prio; /* group prio of the highest prio active exception */
+     iort_length = sizeof(*iort);
-+    int vectpending_prio; /* group prio of the exeception in vectpending */
+     iort->node_count = cpu_to_le32(nb_nodes);
+-    iort->node_offset = cpu_to_le32(sizeof(*iort));
-     MemoryRegion sysregmem;
++    /*
-     MemoryRegion sysreg_ns_mem;
++     * Use a copy in case table_data->data moves during acpi_data_push
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
++     * operations.
-index XXXXXXX..XXXXXXX 100644
++     */
---- a/hw/intc/armv7m_nvic.c
++    iort_node_offset = sizeof(*iort);
-+++ b/hw/intc/armv7m_nvic.c
++    iort->node_offset = cpu_to_le32(iort_node_offset);
-@@ -XXX,XX +XXX,XX @@ static const uint8_t nvic_id[] = {
+     /* ITS group node */
- static int nvic_pending_prio(NVICState *s)
+     node_size =  sizeof(*its) + sizeof(uint32_t);
- {
+@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
--    /* return the priority of the current pending interrupt,
+         int irq =  vms->irqmap[VIRT_SMMU];
-+    /* return the group priority of the current pending interrupt,
-      * or NVIC_NOEXC_PRIO if no interrupt is pending
+         /* SMMUv3 node */
-      */
+-        smmu_offset = iort->node_offset + node_size;
--    return s->vectpending ? s->vectors[s->vectpending].prio : NVIC_NOEXC_PRIO;
++        smmu_offset = iort_node_offset + node_size;
-+    return s->vectpending_prio;
+         node_size = sizeof(*smmu) + sizeof(*idmap);
- }
+         iort_length += node_size;
+         smmu = acpi_data_push(table_data, node_size);
- /* Return the value of the ISCR RETTOBASE bit:
+@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
-@@ -XXX,XX +XXX,XX @@ static void nvic_recompute_state(NVICState *s)
+         idmap->id_count = cpu_to_le32(0xFFFF);
-         active_prio &= nvic_gprio_mask(s);
+         idmap->output_base = 0;
          /* output IORT node is the ITS group node (the first node) */
 -        idmap->output_reference = cpu_to_le32(iort->node_offset);
 +        idmap->output_reference = cpu_to_le32(iort_node_offset);
      }
-+    if (pend_prio > 0) {
+     /* Root Complex Node */
-+        pend_prio &= nvic_gprio_mask(s);
+@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
-+    }
+         idmap->output_reference = cpu_to_le32(smmu_offset);
-+
+     } else {
-     s->vectpending = pend_irq;
+         /* output IORT node is the ITS group node (the first node) */
-+    s->vectpending_prio = pend_prio;
+-        idmap->output_reference = cpu_to_le32(iort->node_offset);
-     s->exception_prio = active_prio;
++        idmap->output_reference = cpu_to_le32(iort_node_offset);
+     }
--    trace_nvic_recompute_state(s->vectpending, s->exception_prio);
-+    trace_nvic_recompute_state(s->vectpending,
++    /*
-+                               s->vectpending_prio,
++     * Update the pointer address in case table_data->data moves during above
-+                               s->exception_prio);
++     * acpi_data_push operations.
- }
++     */
++    iort = (AcpiIortTable *)(table_data->data + iort_start);
- /* Return the current execution priority of the CPU
+     iort->length = cpu_to_le32(iort_length);
-@@ -XXX,XX +XXX,XX @@ void armv7m_nvic_acknowledge_irq(void *opaque)
-     CPUARMState *env = &s->cpu->env;
+     build_header(linker, table_data, (void *)(table_data->data + iort_start),
      const int pending = s->vectpending;
      const int running = nvic_exec_prio(s);
 -    int pendgroupprio;
      VecInfo *vec;
      assert(pending > ARMV7M_EXCP_RESET && pending < s->num_irq);
@@ -XXX,XX +XXX,XX @@ void armv7m_nvic_acknowledge_irq(void *opaque)
      assert(vec->enabled);
      assert(vec->pending);
 -    pendgroupprio = vec->prio;
 -    if (pendgroupprio > 0) {
 -        pendgroupprio &= nvic_gprio_mask(s);
 -    }
 -    assert(pendgroupprio < running);
 +    assert(s->vectpending_prio < running);
 -    trace_nvic_acknowledge_irq(pending, vec->prio);
 +    trace_nvic_acknowledge_irq(pending, s->vectpending_prio);
      vec->active = 1;
      vec->pending = 0;
@@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_reset(DeviceState *dev)
      s->exception_prio = NVIC_NOEXC_PRIO;
      s->vectpending = 0;
      s->vectpending_is_s_banked = false;
 +    s->vectpending_prio = NVIC_NOEXC_PRIO;
  }
  static void nvic_systick_trigger(void *opaque, int n, int level)
 diff --git a/hw/intc/trace-events b/hw/intc/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/trace-events
 +++ b/hw/intc/trace-events
@@ -XXX,XX +XXX,XX @@ gicv3_redist_set_irq(uint32_t cpu, int irq, int level) "GICv3 redistributor 0x%x
  gicv3_redist_send_sgi(uint32_t cpu, int irq) "GICv3 redistributor 0x%x pending SGI %d"
  # hw/intc/armv7m_nvic.c
 -nvic_recompute_state(int vectpending, int exception_prio) "NVIC state recomputed: vectpending %d exception_prio %d"
 +nvic_recompute_state(int vectpending, int vectpending_prio, int exception_prio) "NVIC state recomputed: vectpending %d vectpending_prio %d exception_prio %d"
  nvic_set_prio(int irq, uint8_t prio) "NVIC set irq %d priority %d"
  nvic_irq_update(int vectpending, int pendprio, int exception_prio, int level) "NVIC vectpending %d pending prio %d exception_prio %d: setting irq line to %d"
  nvic_escalate_prio(int irq, int irqprio, int runprio) "NVIC escalating irq %d to HardFault: insufficient priority %d >= %d"
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 05/31] nvic: Implement AIRCR changes for v8M
+Deleted patch
-The Application Interrupt and Reset Control Register has some changes
-for v8M:
- * new bits SYSRESETREQS, BFHFNMINS and PRIS: these all have
-   real state if the security extension is implemented and otherwise
-   are constant
- * the PRIGROUP field is banked between security states
- * non-secure code can be blocked from using the SYSRESET bit
-   to reset the system if SYSRESETREQS is set
-Implement the new state and the changes to register read and write.
-For the moment we ignore the effects of the secure PRIGROUP.
-We will implement the effects of PRIS and BFHFNMIS later.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505240046-11454-6-git-send-email-peter.maydell@linaro.org
----
- include/hw/intc/armv7m_nvic.h |  3 ++-
- target/arm/cpu.h              | 12 +++++++++++
- hw/intc/armv7m_nvic.c         | 49 +++++++++++++++++++++++++++++++++----------
- target/arm/cpu.c              |  7 +++++++
-files changed, 59 insertions(+), 12 deletions(-)
-diff --git a/include/hw/intc/armv7m_nvic.h b/include/hw/intc/armv7m_nvic.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/intc/armv7m_nvic.h
-+++ b/include/hw/intc/armv7m_nvic.h
-@@ -XXX,XX +XXX,XX @@ typedef struct NVICState {
-      * Entries in sec_vectors[] for non-banked exception numbers are unused.
-      */
-     VecInfo sec_vectors[NVIC_INTERNAL_VECTORS];
--    uint32_t prigroup;
-+    /* The PRIGROUP field in AIRCR is banked */
-+    uint32_t prigroup[M_REG_NUM_BANKS];
-     /* The following fields are all cached state that can be recalculated
-      * from the vectors[] and sec_vectors[] arrays and the prigroup field:
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
-         int exception;
-         uint32_t primask[M_REG_NUM_BANKS];
-         uint32_t faultmask[M_REG_NUM_BANKS];
-+        uint32_t aircr; /* only holds r/w state if security extn implemented */
-         uint32_t secure; /* Is CPU in Secure state? (not guest visible) */
-     } v7m;
-@@ -XXX,XX +XXX,XX @@ FIELD(V7M_CCR, STKALIGN, 9, 1)
- FIELD(V7M_CCR, DC, 16, 1)
- FIELD(V7M_CCR, IC, 17, 1)
-+/* V7M AIRCR bits */
-+FIELD(V7M_AIRCR, VECTRESET, 0, 1)
-+FIELD(V7M_AIRCR, VECTCLRACTIVE, 1, 1)
-+FIELD(V7M_AIRCR, SYSRESETREQ, 2, 1)
-+FIELD(V7M_AIRCR, SYSRESETREQS, 3, 1)
-+FIELD(V7M_AIRCR, PRIGROUP, 8, 3)
-+FIELD(V7M_AIRCR, BFHFNMINS, 13, 1)
-+FIELD(V7M_AIRCR, PRIS, 14, 1)
-+FIELD(V7M_AIRCR, ENDIANNESS, 15, 1)
-+FIELD(V7M_AIRCR, VECTKEY, 16, 16)
-+
- /* V7M CFSR bits for MMFSR */
- FIELD(V7M_CFSR, IACCVIOL, 0, 1)
- FIELD(V7M_CFSR, DACCVIOL, 1, 1)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
-+++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@ static bool nvic_isrpending(NVICState *s)
-  */
- static inline uint32_t nvic_gprio_mask(NVICState *s)
- {
--    return ~0U << (s->prigroup + 1);
-+    return ~0U << (s->prigroup[M_REG_NS] + 1);
- }
- /* Recompute vectpending and exception_prio */
-@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
-         return val;
-     case 0xd08: /* Vector Table Offset.  */
-         return cpu->env.v7m.vecbase[attrs.secure];
--    case 0xd0c: /* Application Interrupt/Reset Control.  */
--        return 0xfa050000 | (s->prigroup << 8);
-+    case 0xd0c: /* Application Interrupt/Reset Control (AIRCR) */
-+        val = 0xfa050000 | (s->prigroup[attrs.secure] << 8);
-+        if (attrs.secure) {
-+            /* s->aircr stores PRIS, BFHFNMINS, SYSRESETREQS */
-+            val |= cpu->env.v7m.aircr;
-+        } else {
-+            if (arm_feature(&cpu->env, ARM_FEATURE_V8)) {
-+                /* BFHFNMINS is R/O from NS; other bits are RAZ/WI. If
-+                 * security isn't supported then BFHFNMINS is RAO (and
-+                 * the bit in env.v7m.aircr is always set).
-+                 */
-+                val |= cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK;
-+            }
-+        }
-+        return val;
-     case 0xd10: /* System Control.  */
-         /* TODO: Implement SLEEPONEXIT.  */
-         return 0;
-@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
-     case 0xd08: /* Vector Table Offset.  */
-         cpu->env.v7m.vecbase[attrs.secure] = value & 0xffffff80;
-         break;
--    case 0xd0c: /* Application Interrupt/Reset Control.  */
--        if ((value >> 16) == 0x05fa) {
--            if (value & 4) {
--                qemu_irq_pulse(s->sysresetreq);
-+    case 0xd0c: /* Application Interrupt/Reset Control (AIRCR) */
-+        if ((value >> R_V7M_AIRCR_VECTKEY_SHIFT) == 0x05fa) {
-+            if (value & R_V7M_AIRCR_SYSRESETREQ_MASK) {
-+                if (attrs.secure ||
-+                    !(cpu->env.v7m.aircr & R_V7M_AIRCR_SYSRESETREQS_MASK)) {
-+                    qemu_irq_pulse(s->sysresetreq);
-+                }
-             }
--            if (value & 2) {
-+            if (value & R_V7M_AIRCR_VECTCLRACTIVE_MASK) {
-                 qemu_log_mask(LOG_GUEST_ERROR,
-                               "Setting VECTCLRACTIVE when not in DEBUG mode "
-                               "is UNPREDICTABLE\n");
-             }
--            if (value & 1) {
-+            if (value & R_V7M_AIRCR_VECTRESET_MASK) {
-+                /* NB: this bit is RES0 in v8M */
-                 qemu_log_mask(LOG_GUEST_ERROR,
-                               "Setting VECTRESET when not in DEBUG mode "
-                               "is UNPREDICTABLE\n");
-             }
--            s->prigroup = extract32(value, 8, 3);
-+            s->prigroup[attrs.secure] = extract32(value,
-+                                                  R_V7M_AIRCR_PRIGROUP_SHIFT,
-+                                                  R_V7M_AIRCR_PRIGROUP_LENGTH);
-+            if (attrs.secure) {
-+                /* These bits are only writable by secure */
-+                cpu->env.v7m.aircr = value &
-+                    (R_V7M_AIRCR_SYSRESETREQS_MASK |
-+                     R_V7M_AIRCR_BFHFNMINS_MASK |
-+                     R_V7M_AIRCR_PRIS_MASK);
-+            }
-             nvic_irq_update(s);
-         }
-         break;
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_nvic_security = {
-     .fields = (VMStateField[]) {
-         VMSTATE_STRUCT_ARRAY(sec_vectors, NVICState, NVIC_INTERNAL_VECTORS, 1,
-                              vmstate_VecInfo, VecInfo),
-+        VMSTATE_UINT32(prigroup[M_REG_S], NVICState),
-         VMSTATE_END_OF_LIST()
-     }
- };
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_nvic = {
-     .fields = (VMStateField[]) {
-         VMSTATE_STRUCT_ARRAY(vectors, NVICState, NVIC_MAX_VECTORS, 1,
-                              vmstate_VecInfo, VecInfo),
--        VMSTATE_UINT32(prigroup, NVICState),
-+        VMSTATE_UINT32(prigroup[M_REG_NS], NVICState),
-         VMSTATE_END_OF_LIST()
-     },
-     .subsections = (const VMStateDescription*[]) {
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
-+++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(CPUState *s)
-         if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
-             env->v7m.secure = true;
-+        } else {
-+            /* This bit resets to 0 if security is supported, but 1 if
-+             * it is not. The bit is not present in v7M, but we set it
-+             * here so we can avoid having to make checks on it conditional
-+             * on ARM_FEATURE_V8 (we don't let the guest see the bit).
-+             */
-+            env->v7m.aircr = R_V7M_AIRCR_BFHFNMINS_MASK;
-         }
-         /* In v7M the reset value of this bit is IMPDEF, but ARM recommends
---
-.7.4

-[Qemu-devel] [PULL 06/31] nvic: Make ICSR.RETTOBASE handle banked exceptions
+Deleted patch
-Update the code in nvic_rettobase() so that it checks the
-sec_vectors[] array as well as the vectors[] array if needed.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505240046-11454-7-git-send-email-peter.maydell@linaro.org
----
- hw/intc/armv7m_nvic.c | 5 ++++-
-file changed, 4 insertions(+), 1 deletion(-)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
-+++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@ static int nvic_pending_prio(NVICState *s)
- static bool nvic_rettobase(NVICState *s)
- {
-     int irq, nhand = 0;
-+    bool check_sec = arm_feature(&s->cpu->env, ARM_FEATURE_M_SECURITY);
-     for (irq = ARMV7M_EXCP_RESET; irq < s->num_irq; irq++) {
--        if (s->vectors[irq].active) {
-+        if (s->vectors[irq].active ||
-+            (check_sec && irq < NVIC_INTERNAL_VECTORS &&
-+             s->sec_vectors[irq].active)) {
-             nhand++;
-             if (nhand == 2) {
-                 return 0;
---
-.7.4

-[Qemu-devel] [PULL 11/31] nvic: Compare group priority for escalation to HF
+Deleted patch
-In armv7m_nvic_set_pending() we have to compare the
-priority of an exception against the execution priority
-to decide whether it needs to be escalated to HardFault.
-In the specification this is a comparison against the
-exception's group priority; for v7M we implemented it
-as a comparison against the raw exception priority
-because the two comparisons will always give the
-same answer. For v8M the existence of AIRCR.PRIS and
-the possibility of different PRIGROUP values for secure
-and nonsecure exceptions means we need to explicitly
-calculate the vector's group priority for this check.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505240046-11454-12-git-send-email-peter.maydell@linaro.org
----
- hw/intc/armv7m_nvic.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
-+++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@ void armv7m_nvic_set_pending(void *opaque, int irq, bool secure)
-         int running = nvic_exec_prio(s);
-         bool escalate = false;
--        if (vec->prio >= running) {
-+        if (exc_group_prio(s, vec->prio, secure) >= running) {
-             trace_nvic_escalate_prio(irq, vec->prio, running);
-             escalate = true;
-         } else if (!vec->enabled) {
---
-.7.4

-[Qemu-devel] [PULL 12/31] nvic: In escalation to HardFault, support HF not being priority -1
+[Qemu-devel] [PULL 25/25] KVM: GIC: Fix memory leak due to calling kvm_init_irq_routing twice
-When escalating to HardFault, we must go into Lockup if we
+From: Shannon Zhao <zhaoshenglong@huawei.com>
 can't take the synchronous HardFault because the current
 execution priority is already at or below the priority of
 HardFault. In v7M HF is always priority -1 so a simple < 0
 comparison sufficed; in v8M the priority of HardFault can
 vary depending on whether it is a Secure or NonSecure
 HardFault, so we must check against the priority of the
 HardFault exception vector we're about to use.
+kvm_irqchip_create called by kvm_init will call kvm_init_irq_routing to
+initialize global capability variables. If we call kvm_init_irq_routing in
+GIC realize function, previous allocated memory will leak.
+Fix this by deleting the unnecessary call.
+Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Message-id: 1527750994-14360-1-git-send-email-zhaoshenglong@huawei.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505240046-11454-13-git-send-email-peter.maydell@linaro.org
 ---
- hw/intc/armv7m_nvic.c | 23 ++++++++++++-----------
+ hw/intc/arm_gic_kvm.c   | 1 -
-file changed, 12 insertions(+), 11 deletions(-)
+ hw/intc/arm_gicv3_kvm.c | 1 -
 files changed, 2 deletions(-)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
+diff --git a/hw/intc/arm_gic_kvm.c b/hw/intc/arm_gic_kvm.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
+--- a/hw/intc/arm_gic_kvm.c
-+++ b/hw/intc/armv7m_nvic.c
++++ b/hw/intc/arm_gic_kvm.c
-@@ -XXX,XX +XXX,XX @@ void armv7m_nvic_set_pending(void *opaque, int irq, bool secure)
+@@ -XXX,XX +XXX,XX @@ static void kvm_arm_gic_realize(DeviceState *dev, Error **errp)
      if (kvm_has_gsi_routing()) {
          /* set up irq routing */
 -        kvm_init_irq_routing(kvm_state);
          for (i = 0; i < s->num_irq - GIC_INTERNAL; ++i) {
              kvm_irqchip_add_irq_route(kvm_state, i, 0, i);
          }
+diff --git a/hw/intc/arm_gicv3_kvm.c b/hw/intc/arm_gicv3_kvm.c
-         if (escalate) {
+index XXXXXXX..XXXXXXX 100644
--            if (running < 0) {
+--- a/hw/intc/arm_gicv3_kvm.c
--                /* We want to escalate to HardFault but we can't take a
++++ b/hw/intc/arm_gicv3_kvm.c
--                 * synchronous HardFault at this point either. This is a
+@@ -XXX,XX +XXX,XX @@ static void kvm_arm_gicv3_realize(DeviceState *dev, Error **errp)
--                 * Lockup condition due to a guest bug. We don't model
--                 * Lockup, so report via cpu_abort() instead.
+     if (kvm_has_gsi_routing()) {
--                 */
+         /* set up irq routing */
--                cpu_abort(&s->cpu->parent_obj,
+-        kvm_init_irq_routing(kvm_state);
--                          "Lockup: can't escalate %d to HardFault "
+         for (i = 0; i < s->num_irq - GIC_INTERNAL; ++i) {
--                          "(current priority %d)\n", irq, running);
+             kvm_irqchip_add_irq_route(kvm_state, i, 0, i);
 -            }
 -            /* We can do the escalation, so we take HardFault instead.
 +            /* We need to escalate this exception to a synchronous HardFault.
               * If BFHFNMINS is set then we escalate to the banked HF for
               * the target security state of the original exception; otherwise
               * we take a Secure HardFault.
@@ -XXX,XX +XXX,XX @@ void armv7m_nvic_set_pending(void *opaque, int irq, bool secure)
              } else {
                  vec = &s->vectors[irq];
              }
 +            if (running <= vec->prio) {
 +                /* We want to escalate to HardFault but we can't take the
 +                 * synchronous HardFault at this point either. This is a
 +                 * Lockup condition due to a guest bug. We don't model
 +                 * Lockup, so report via cpu_abort() instead.
 +                 */
 +                cpu_abort(&s->cpu->parent_obj,
 +                          "Lockup: can't escalate %d to HardFault "
 +                          "(current priority %d)\n", irq, running);
 +            }
 +
              /* HF may be banked but there is only one shared HFSR */
              s->cpu->env.v7m.hfsr |= R_V7M_HFSR_FORCED_MASK;
          }
 --
-.7.4
+.17.1

-[Qemu-devel] [PULL 15/31] nvic: Handle v8M changes in nvic_exec_prio()
+Deleted patch
-Update nvic_exec_prio() to support the v8M changes:
- * BASEPRI, FAULTMASK and PRIMASK are all banked
- * AIRCR.PRIS can affect NS priorities
- * AIRCR.BFHFNMINS affects FAULTMASK behaviour
-These changes mean that it's no longer possible to
-definitely say that if FAULTMASK is set it overrides
-PRIMASK, and if PRIMASK is set it overrides BASEPRI
-(since if PRIMASK_NS is set and AIRCR.PRIS is set then
-whether that 0x80 priority should take effect or the
-priority in BASEPRI_S depends on the value of BASEPRI_S,
-for instance). So we switch to the same approach used
-by the pseudocode of working through BASEPRI, PRIMASK
-and FAULTMASK and overriding the previous values if
-needed.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1505240046-11454-16-git-send-email-peter.maydell@linaro.org
----
- hw/intc/armv7m_nvic.c | 51 ++++++++++++++++++++++++++++++++++++++++++---------
-file changed, 42 insertions(+), 9 deletions(-)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
-+++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@ static void nvic_recompute_state(NVICState *s)
- static inline int nvic_exec_prio(NVICState *s)
- {
-     CPUARMState *env = &s->cpu->env;
--    int running;
-+    int running = NVIC_NOEXC_PRIO;
--    if (env->v7m.faultmask[env->v7m.secure]) {
--        running = -1;
--    } else if (env->v7m.primask[env->v7m.secure]) {
-+    if (env->v7m.basepri[M_REG_NS] > 0) {
-+        running = exc_group_prio(s, env->v7m.basepri[M_REG_NS], M_REG_NS);
-+    }
-+
-+    if (env->v7m.basepri[M_REG_S] > 0) {
-+        int basepri = exc_group_prio(s, env->v7m.basepri[M_REG_S], M_REG_S);
-+        if (running > basepri) {
-+            running = basepri;
-+        }
-+    }
-+
-+    if (env->v7m.primask[M_REG_NS]) {
-+        if (env->v7m.aircr & R_V7M_AIRCR_PRIS_MASK) {
-+            if (running > NVIC_NS_PRIO_LIMIT) {
-+                running = NVIC_NS_PRIO_LIMIT;
-+            }
-+        } else {
-+            running = 0;
-+        }
-+    }
-+
-+    if (env->v7m.primask[M_REG_S]) {
-         running = 0;
--    } else if (env->v7m.basepri[env->v7m.secure] > 0) {
--        running = env->v7m.basepri[env->v7m.secure] &
--            nvic_gprio_mask(s, env->v7m.secure);
--    } else {
--        running = NVIC_NOEXC_PRIO; /* lower than any possible priority */
-     }
-+
-+    if (env->v7m.faultmask[M_REG_NS]) {
-+        if (env->v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) {
-+            running = -1;
-+        } else {
-+            if (env->v7m.aircr & R_V7M_AIRCR_PRIS_MASK) {
-+                if (running > NVIC_NS_PRIO_LIMIT) {
-+                    running = NVIC_NS_PRIO_LIMIT;
-+                }
-+            } else {
-+                running = 0;
-+            }
-+        }
-+    }
-+
-+    if (env->v7m.faultmask[M_REG_S]) {
-+        running = (env->v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) ? -3 : -1;
-+    }
-+
-     /* consider priority of active handler */
-     return MIN(running, s->exception_prio);
- }
---
-.7.4

ARM queue: mostly patches from me, but also the Smartfusion2 board.

thanks
-- PMM

The following changes since commit 9ee660e7c138595224b65ddc1c5712549f0a278c:

Merge remote-tracking branch 'remotes/yongbok/tags/mips-20170921' into staging (2017-09-21 14:40:32 +0100)

are available in the git repository at:

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20170921

for you to fetch changes up to 6d262dcb7d108eda93813574c2061398084dc795:

msf2: Add Emcraft's Smartfusion2 SOM kit (2017-09-21 16:36:56 +0100)

----------------------------------------------------------------
target-arm queue:
 * more preparatory work for v8M support
 * convert some omap devices away from old_mmio
 * remove out of date ARM ARM section references in comments
 * add the Smartfusion2 board

----------------------------------------------------------------
Peter Maydell (26):
      target/arm: Implement MSR/MRS access to NS banked registers
      nvic: Add banked exception states
      nvic: Add cached vectpending_is_s_banked state
      nvic: Add cached vectpending_prio state
      nvic: Implement AIRCR changes for v8M
      nvic: Make ICSR.RETTOBASE handle banked exceptions
      nvic: Implement NVIC_ITNS<n> registers
      nvic: Handle banked exceptions in nvic_recompute_state()
      nvic: Make set_pending and clear_pending take a secure parameter
      nvic: Make SHPR registers banked
      nvic: Compare group priority for escalation to HF
      nvic: In escalation to HardFault, support HF not being priority -1
      nvic: Implement v8M changes to fixed priority exceptions
      nvic: Disable the non-secure HardFault if AIRCR.BFHFNMINS is clear
      nvic: Handle v8M changes in nvic_exec_prio()
      target/arm: Handle banking in negative-execution-priority check in cpu_mmu_index()
      nvic: Make ICSR banked for v8M
      nvic: Make SHCSR banked for v8M
      nvic: Support banked exceptions in acknowledge and complete
      target/arm: Remove out of date ARM ARM section references in A64 decoder
      hw/arm/palm.c: Don't use old_mmio for static_ops
      hw/gpio/omap_gpio.c: Don't use old_mmio
      hw/timer/omap_synctimer.c: Don't use old_mmio
      hw/timer/omap_gptimer: Don't use old_mmio
      hw/i2c/omap_i2c.c: Don't use old_mmio
      hw/arm/omap2.c: Don't use old_mmio

Subbaraya Sundeep (5):
      msf2: Add Smartfusion2 System timer
      msf2: Microsemi Smartfusion2 System Register block
      msf2: Add Smartfusion2 SPI controller
      msf2: Add Smartfusion2 SoC
      msf2: Add Emcraft's Smartfusion2 SOM kit

hw/arm/Makefile.objs            |   1 +
 hw/misc/Makefile.objs           |   1 +
 hw/ssi/Makefile.objs            |   1 +
 hw/timer/Makefile.objs          |   1 +
 include/hw/arm/msf2-soc.h       |  67 +++
 include/hw/intc/armv7m_nvic.h   |  33 +-
 include/hw/misc/msf2-sysreg.h   |  77 ++++
 include/hw/ssi/mss-spi.h        |  58 +++
 include/hw/timer/mss-timer.h    |  64 +++
 target/arm/cpu.h                |  62 ++-
 hw/arm/msf2-soc.c               | 238 +++++++++++
 hw/arm/msf2-som.c               | 105 +++++
 hw/arm/omap2.c                  |  49 ++-
 hw/arm/palm.c                   |  30 +-
 hw/gpio/omap_gpio.c             |  26 +-
 hw/i2c/omap_i2c.c               |  44 +-
 hw/intc/armv7m_nvic.c           | 913 ++++++++++++++++++++++++++++++++++------
 hw/misc/msf2-sysreg.c           | 160 +++++++
 hw/ssi/mss-spi.c                | 404 ++++++++++++++++++
 hw/timer/mss-timer.c            | 289 +++++++++++++
 hw/timer/omap_gptimer.c         |  49 ++-
 hw/timer/omap_synctimer.c       |  35 +-
 target/arm/cpu.c                |   7 +
 target/arm/helper.c             | 142 ++++++-
 target/arm/translate-a64.c      | 227 +++++-----
 default-configs/arm-softmmu.mak |   1 +
 hw/intc/trace-events            |  13 +-
 hw/misc/trace-events            |   5 +
 28 files changed, 2735 insertions(+), 367 deletions(-)
 create mode 100644 include/hw/arm/msf2-soc.h
 create mode 100644 include/hw/misc/msf2-sysreg.h
 create mode 100644 include/hw/ssi/mss-spi.h
 create mode 100644 include/hw/timer/mss-timer.h
 create mode 100644 hw/arm/msf2-soc.c
 create mode 100644 hw/arm/msf2-som.c
 create mode 100644 hw/misc/msf2-sysreg.c
 create mode 100644 hw/ssi/mss-spi.c
 create mode 100644 hw/timer/mss-timer.c

In v8M the MSR and MRS instructions have extra register value
encodings to allow secure code to access the non-secure banked
version of various special registers.

(We don't implement the MSPLIM_NS or PSPLIM_NS aliases, because
we don't currently implement the stack limit registers at all.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505240046-11454-2-git-send-email-peter.maydell@linaro.org
---
 target/arm/helper.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 110 insertions(+)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
         break;
     case 20: /* CONTROL */
         return env->v7m.control[env->v7m.secure];
+    case 0x94: /* CONTROL_NS */
+        /* We have to handle this here because unprivileged Secure code
+         * can read the NS CONTROL register.
+         */
+        if (!env->v7m.secure) {
+            return 0;
+        }
+        return env->v7m.control[M_REG_NS];
     }
 
     if (el == 0) {
         return 0; /* unprivileged reads others as zero */
     }
 
+    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+        switch (reg) {
+        case 0x88: /* MSP_NS */
+            if (!env->v7m.secure) {
+                return 0;
+            }
+            return env->v7m.other_ss_msp;
+        case 0x89: /* PSP_NS */
+            if (!env->v7m.secure) {
+                return 0;
+            }
+            return env->v7m.other_ss_psp;
+        case 0x90: /* PRIMASK_NS */
+            if (!env->v7m.secure) {
+                return 0;
+            }
+            return env->v7m.primask[M_REG_NS];
+        case 0x91: /* BASEPRI_NS */
+            if (!env->v7m.secure) {
+                return 0;
+            }
+            return env->v7m.basepri[M_REG_NS];
+        case 0x93: /* FAULTMASK_NS */
+            if (!env->v7m.secure) {
+                return 0;
+            }
+            return env->v7m.faultmask[M_REG_NS];
+        case 0x98: /* SP_NS */
+        {
+            /* This gives the non-secure SP selected based on whether we're
+             * currently in handler mode or not, using the NS CONTROL.SPSEL.
+             */
+            bool spsel = env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK;
+
+            if (!env->v7m.secure) {
+                return 0;
+            }
+            if (!arm_v7m_is_handler_mode(env) && spsel) {
+                return env->v7m.other_ss_psp;
+            } else {
+                return env->v7m.other_ss_msp;
+            }
+        }
+        default:
+            break;
+        }
+    }
+
     switch (reg) {
     case 8: /* MSP */
         return (env->v7m.control[env->v7m.secure] & R_V7M_CONTROL_SPSEL_MASK) ?
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
         return;
     }
 
+    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+        switch (reg) {
+        case 0x88: /* MSP_NS */
+            if (!env->v7m.secure) {
+                return;
+            }
+            env->v7m.other_ss_msp = val;
+            return;
+        case 0x89: /* PSP_NS */
+            if (!env->v7m.secure) {
+                return;
+            }
+            env->v7m.other_ss_psp = val;
+            return;
+        case 0x90: /* PRIMASK_NS */
+            if (!env->v7m.secure) {
+                return;
+            }
+            env->v7m.primask[M_REG_NS] = val & 1;
+            return;
+        case 0x91: /* BASEPRI_NS */
+            if (!env->v7m.secure) {
+                return;
+            }
+            env->v7m.basepri[M_REG_NS] = val & 0xff;
+            return;
+        case 0x93: /* FAULTMASK_NS */
+            if (!env->v7m.secure) {
+                return;
+            }
+            env->v7m.faultmask[M_REG_NS] = val & 1;
+            return;
+        case 0x98: /* SP_NS */
+        {
+            /* This gives the non-secure SP selected based on whether we're
+             * currently in handler mode or not, using the NS CONTROL.SPSEL.
+             */
+            bool spsel = env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK;
+
+            if (!env->v7m.secure) {
+                return;
+            }
+            if (!arm_v7m_is_handler_mode(env) && spsel) {
+                env->v7m.other_ss_psp = val;
+            } else {
+                env->v7m.other_ss_msp = val;
+            }
+            return;
+        }
+        default:
+            break;
+        }
+    }
+
     switch (reg) {
     case 0 ... 7: /* xPSR sub-fields */
         /* only APSR is actually writable */
-- 
2.7.4

For the v8M security extension, some exceptions must be banked
between security states. Add the new vecinfo array which holds
the state for the banked exceptions and migrate it if the
CPU the NVIC is attached to implements the security extension.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/hw/intc/armv7m_nvic.h | 14 ++++++++++++
 hw/intc/armv7m_nvic.c         | 53 ++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 66 insertions(+), 1 deletion(-)

diff --git a/include/hw/intc/armv7m_nvic.h b/include/hw/intc/armv7m_nvic.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/intc/armv7m_nvic.h
+++ b/include/hw/intc/armv7m_nvic.h
@@ -XXX,XX +XXX,XX @@
 
 /* Highest permitted number of exceptions (architectural limit) */
 #define NVIC_MAX_VECTORS 512
+/* Number of internal exceptions */
+#define NVIC_INTERNAL_VECTORS 16
 
 typedef struct VecInfo {
     /* Exception priorities can range from -3 to 255; only the unmodifiable
@@ -XXX,XX +XXX,XX @@ typedef struct NVICState {
     ARMCPU *cpu;
 
     VecInfo vectors[NVIC_MAX_VECTORS];
+    /* If the v8M security extension is implemented, some of the internal
+     * exceptions are banked between security states (ie there exists both
+     * a Secure and a NonSecure version of the exception and its state):
+     *  HardFault, MemManage, UsageFault, SVCall, PendSV, SysTick (R_PJHV)
+     * The rest (including all the external exceptions) are not banked, though
+     * they may be configurable to target either Secure or NonSecure state.
+     * We store the secure exception state in sec_vectors[] for the banked
+     * exceptions, and otherwise use only vectors[] (including for exceptions
+     * like SecureFault that unconditionally target Secure state).
+     * Entries in sec_vectors[] for non-banked exception numbers are unused.
+     */
+    VecInfo sec_vectors[NVIC_INTERNAL_VECTORS];
     uint32_t prigroup;
 
     /* vectpending and exception_prio are both cached state that can
diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@
  * For historical reasons QEMU tends to use "interrupt" and
  * "exception" more or less interchangeably.
  */
-#define NVIC_FIRST_IRQ 16
+#define NVIC_FIRST_IRQ NVIC_INTERNAL_VECTORS
 #define NVIC_MAX_IRQ (NVIC_MAX_VECTORS - NVIC_FIRST_IRQ)
 
 /* Effective running priority of the CPU when no exception is active
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_VecInfo = {
     }
 };
 
+static bool nvic_security_needed(void *opaque)
+{
+    NVICState *s = opaque;
+
+    return arm_feature(&s->cpu->env, ARM_FEATURE_M_SECURITY);
+}
+
+static int nvic_security_post_load(void *opaque, int version_id)
+{
+    NVICState *s = opaque;
+    int i;
+
+    /* Check for out of range priority settings */
+    if (s->sec_vectors[ARMV7M_EXCP_HARD].prio != -1) {
+        return 1;
+    }
+    for (i = ARMV7M_EXCP_MEM; i < ARRAY_SIZE(s->sec_vectors); i++) {
+        if (s->sec_vectors[i].prio & ~0xff) {
+            return 1;
+        }
+    }
+    return 0;
+}
+
+static const VMStateDescription vmstate_nvic_security = {
+    .name = "nvic/m-security",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .needed = nvic_security_needed,
+    .post_load = &nvic_security_post_load,
+    .fields = (VMStateField[]) {
+        VMSTATE_STRUCT_ARRAY(sec_vectors, NVICState, NVIC_INTERNAL_VECTORS, 1,
+                             vmstate_VecInfo, VecInfo),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static const VMStateDescription vmstate_nvic = {
     .name = "armv7m_nvic",
     .version_id = 4,
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_nvic = {
                              vmstate_VecInfo, VecInfo),
         VMSTATE_UINT32(prigroup, NVICState),
         VMSTATE_END_OF_LIST()
+    },
+    .subsections = (const VMStateDescription*[]) {
+        &vmstate_nvic_security,
+        NULL
     }
 };
 
@@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_reset(DeviceState *dev)
     s->vectors[ARMV7M_EXCP_NMI].prio = -2;
     s->vectors[ARMV7M_EXCP_HARD].prio = -1;
 
+    if (arm_feature(&s->cpu->env, ARM_FEATURE_M_SECURITY)) {
+        s->sec_vectors[ARMV7M_EXCP_HARD].enabled = 1;
+        s->sec_vectors[ARMV7M_EXCP_SVC].enabled = 1;
+        s->sec_vectors[ARMV7M_EXCP_PENDSV].enabled = 1;
+        s->sec_vectors[ARMV7M_EXCP_SYSTICK].enabled = 1;
+
+        /* AIRCR.BFHFNMINS resets to 0 so Secure HF is priority -1 (R_CMTC) */
+        s->sec_vectors[ARMV7M_EXCP_HARD].prio = -1;
+    }
+
     /* Strictly speaking the reset handler should be enabled.
      * However, we don't simulate soft resets through the NVIC,
      * and the reset vector should never be pended.
-- 
2.7.4

With banked exceptions, just the exception number in
s->vectpending is no longer sufficient to uniquely identify
the pending exception. Add a vectpending_is_s_banked bool
which is true if the exception is using the sec_vectors[]
array.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1505240046-11454-4-git-send-email-peter.maydell@linaro.org
---
 include/hw/intc/armv7m_nvic.h | 11 +++++++++--
 hw/intc/armv7m_nvic.c         |  1 +
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/include/hw/intc/armv7m_nvic.h b/include/hw/intc/armv7m_nvic.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/intc/armv7m_nvic.h
+++ b/include/hw/intc/armv7m_nvic.h
@@ -XXX,XX +XXX,XX @@ typedef struct NVICState {
     VecInfo sec_vectors[NVIC_INTERNAL_VECTORS];
     uint32_t prigroup;
 
-    /* vectpending and exception_prio are both cached state that can
-     * be recalculated from the vectors[] array and the prigroup field.
+    /* The following fields are all cached state that can be recalculated
+     * from the vectors[] and sec_vectors[] arrays and the prigroup field:
+     *  - vectpending
+     *  - vectpending_is_secure
+     *  - exception_prio
      */
     unsigned int vectpending; /* highest prio pending enabled exception */
+    /* true if vectpending is a banked secure exception, ie it is in
+     * sec_vectors[] rather than vectors[]
+     */
+    bool vectpending_is_s_banked;
     int exception_prio; /* group prio of the highest prio active exception */
 
     MemoryRegion sysregmem;
diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_reset(DeviceState *dev)
 
     s->exception_prio = NVIC_NOEXC_PRIO;
     s->vectpending = 0;
+    s->vectpending_is_s_banked = false;
 }
 
 static void nvic_systick_trigger(void *opaque, int n, int level)
-- 
2.7.4

Instead of looking up the pending priority
in nvic_pending_prio(), cache it in a new state struct
field. The calculation of the pending priority given
the interrupt number is more complicated in v8M with
the security extension, so the caching will be worthwhile.

This changes nvic_pending_prio() from returning a full
(group + subpriority) priority value to returning a group
priority. This doesn't require changes to its callsites
because we use it only in comparisons of the form
  execution_prio > nvic_pending_prio()
and execution priority is always a group priority, so
a test (exec prio > full prio) is true if and only if
(execprio > group_prio).

(Architecturally the expected comparison is with the
group priority for this sort of "would we preempt" test;
we were only doing a test with a full priority as an
optimisation to avoid the mask, which is possible
precisely because the two comparisons always give the
same answer.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505240046-11454-5-git-send-email-peter.maydell@linaro.org
---
 include/hw/intc/armv7m_nvic.h |  2 ++
 hw/intc/armv7m_nvic.c         | 23 +++++++++++++----------
 hw/intc/trace-events          |  2 +-
 3 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/include/hw/intc/armv7m_nvic.h b/include/hw/intc/armv7m_nvic.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/intc/armv7m_nvic.h
+++ b/include/hw/intc/armv7m_nvic.h
@@ -XXX,XX +XXX,XX @@ typedef struct NVICState {
      *  - vectpending
      *  - vectpending_is_secure
      *  - exception_prio
+     *  - vectpending_prio
      */
     unsigned int vectpending; /* highest prio pending enabled exception */
     /* true if vectpending is a banked secure exception, ie it is in
@@ -XXX,XX +XXX,XX @@ typedef struct NVICState {
      */
     bool vectpending_is_s_banked;
     int exception_prio; /* group prio of the highest prio active exception */
+    int vectpending_prio; /* group prio of the exeception in vectpending */
 
     MemoryRegion sysregmem;
     MemoryRegion sysreg_ns_mem;
diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static const uint8_t nvic_id[] = {
 
 static int nvic_pending_prio(NVICState *s)
 {
-    /* return the priority of the current pending interrupt,
+    /* return the group priority of the current pending interrupt,
      * or NVIC_NOEXC_PRIO if no interrupt is pending
      */
-    return s->vectpending ? s->vectors[s->vectpending].prio : NVIC_NOEXC_PRIO;
+    return s->vectpending_prio;
 }
 
 /* Return the value of the ISCR RETTOBASE bit:
@@ -XXX,XX +XXX,XX @@ static void nvic_recompute_state(NVICState *s)
         active_prio &= nvic_gprio_mask(s);
     }
 
+    if (pend_prio > 0) {
+        pend_prio &= nvic_gprio_mask(s);
+    }
+
     s->vectpending = pend_irq;
+    s->vectpending_prio = pend_prio;
     s->exception_prio = active_prio;
 
-    trace_nvic_recompute_state(s->vectpending, s->exception_prio);
+    trace_nvic_recompute_state(s->vectpending,
+                               s->vectpending_prio,
+                               s->exception_prio);
 }
 
 /* Return the current execution priority of the CPU
@@ -XXX,XX +XXX,XX @@ void armv7m_nvic_acknowledge_irq(void *opaque)
     CPUARMState *env = &s->cpu->env;
     const int pending = s->vectpending;
     const int running = nvic_exec_prio(s);
-    int pendgroupprio;
     VecInfo *vec;
 
     assert(pending > ARMV7M_EXCP_RESET && pending < s->num_irq);
@@ -XXX,XX +XXX,XX @@ void armv7m_nvic_acknowledge_irq(void *opaque)
     assert(vec->enabled);
     assert(vec->pending);
 
-    pendgroupprio = vec->prio;
-    if (pendgroupprio > 0) {
-        pendgroupprio &= nvic_gprio_mask(s);
-    }
-    assert(pendgroupprio < running);
+    assert(s->vectpending_prio < running);
 
-    trace_nvic_acknowledge_irq(pending, vec->prio);
+    trace_nvic_acknowledge_irq(pending, s->vectpending_prio);
 
     vec->active = 1;
     vec->pending = 0;
@@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_reset(DeviceState *dev)
     s->exception_prio = NVIC_NOEXC_PRIO;
     s->vectpending = 0;
     s->vectpending_is_s_banked = false;
+    s->vectpending_prio = NVIC_NOEXC_PRIO;
 }
 
 static void nvic_systick_trigger(void *opaque, int n, int level)
diff --git a/hw/intc/trace-events b/hw/intc/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/trace-events
+++ b/hw/intc/trace-events
@@ -XXX,XX +XXX,XX @@ gicv3_redist_set_irq(uint32_t cpu, int irq, int level) "GICv3 redistributor 0x%x
 gicv3_redist_send_sgi(uint32_t cpu, int irq) "GICv3 redistributor 0x%x pending SGI %d"
 
 # hw/intc/armv7m_nvic.c
-nvic_recompute_state(int vectpending, int exception_prio) "NVIC state recomputed: vectpending %d exception_prio %d"
+nvic_recompute_state(int vectpending, int vectpending_prio, int exception_prio) "NVIC state recomputed: vectpending %d vectpending_prio %d exception_prio %d"
 nvic_set_prio(int irq, uint8_t prio) "NVIC set irq %d priority %d"
 nvic_irq_update(int vectpending, int pendprio, int exception_prio, int level) "NVIC vectpending %d pending prio %d exception_prio %d: setting irq line to %d"
 nvic_escalate_prio(int irq, int irqprio, int runprio) "NVIC escalating irq %d to HardFault: insufficient priority %d >= %d"
-- 
2.7.4

The Application Interrupt and Reset Control Register has some changes
for v8M:
 * new bits SYSRESETREQS, BFHFNMINS and PRIS: these all have
   real state if the security extension is implemented and otherwise
   are constant
 * the PRIGROUP field is banked between security states
 * non-secure code can be blocked from using the SYSRESET bit
   to reset the system if SYSRESETREQS is set

Implement the new state and the changes to register read and write.
For the moment we ignore the effects of the secure PRIGROUP.
We will implement the effects of PRIS and BFHFNMIS later.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505240046-11454-6-git-send-email-peter.maydell@linaro.org
---
 include/hw/intc/armv7m_nvic.h |  3 ++-
 target/arm/cpu.h              | 12 +++++++++++
 hw/intc/armv7m_nvic.c         | 49 +++++++++++++++++++++++++++++++++----------
 target/arm/cpu.c              |  7 +++++++
 4 files changed, 59 insertions(+), 12 deletions(-)

diff --git a/include/hw/intc/armv7m_nvic.h b/include/hw/intc/armv7m_nvic.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/intc/armv7m_nvic.h
+++ b/include/hw/intc/armv7m_nvic.h
@@ -XXX,XX +XXX,XX @@ typedef struct NVICState {
      * Entries in sec_vectors[] for non-banked exception numbers are unused.
      */
     VecInfo sec_vectors[NVIC_INTERNAL_VECTORS];
-    uint32_t prigroup;
+    /* The PRIGROUP field in AIRCR is banked */
+    uint32_t prigroup[M_REG_NUM_BANKS];
 
     /* The following fields are all cached state that can be recalculated
      * from the vectors[] and sec_vectors[] arrays and the prigroup field:
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
         int exception;
         uint32_t primask[M_REG_NUM_BANKS];
         uint32_t faultmask[M_REG_NUM_BANKS];
+        uint32_t aircr; /* only holds r/w state if security extn implemented */
         uint32_t secure; /* Is CPU in Secure state? (not guest visible) */
     } v7m;
 
@@ -XXX,XX +XXX,XX @@ FIELD(V7M_CCR, STKALIGN, 9, 1)
 FIELD(V7M_CCR, DC, 16, 1)
 FIELD(V7M_CCR, IC, 17, 1)
 
+/* V7M AIRCR bits */
+FIELD(V7M_AIRCR, VECTRESET, 0, 1)
+FIELD(V7M_AIRCR, VECTCLRACTIVE, 1, 1)
+FIELD(V7M_AIRCR, SYSRESETREQ, 2, 1)
+FIELD(V7M_AIRCR, SYSRESETREQS, 3, 1)
+FIELD(V7M_AIRCR, PRIGROUP, 8, 3)
+FIELD(V7M_AIRCR, BFHFNMINS, 13, 1)
+FIELD(V7M_AIRCR, PRIS, 14, 1)
+FIELD(V7M_AIRCR, ENDIANNESS, 15, 1)
+FIELD(V7M_AIRCR, VECTKEY, 16, 16)
+
 /* V7M CFSR bits for MMFSR */
 FIELD(V7M_CFSR, IACCVIOL, 0, 1)
 FIELD(V7M_CFSR, DACCVIOL, 1, 1)
diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static bool nvic_isrpending(NVICState *s)
  */
 static inline uint32_t nvic_gprio_mask(NVICState *s)
 {
-    return ~0U << (s->prigroup + 1);
+    return ~0U << (s->prigroup[M_REG_NS] + 1);
 }
 
 /* Recompute vectpending and exception_prio */
@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
         return val;
     case 0xd08: /* Vector Table Offset.  */
         return cpu->env.v7m.vecbase[attrs.secure];
-    case 0xd0c: /* Application Interrupt/Reset Control.  */
-        return 0xfa050000 | (s->prigroup << 8);
+    case 0xd0c: /* Application Interrupt/Reset Control (AIRCR) */
+        val = 0xfa050000 | (s->prigroup[attrs.secure] << 8);
+        if (attrs.secure) {
+            /* s->aircr stores PRIS, BFHFNMINS, SYSRESETREQS */
+            val |= cpu->env.v7m.aircr;
+        } else {
+            if (arm_feature(&cpu->env, ARM_FEATURE_V8)) {
+                /* BFHFNMINS is R/O from NS; other bits are RAZ/WI. If
+                 * security isn't supported then BFHFNMINS is RAO (and
+                 * the bit in env.v7m.aircr is always set).
+                 */
+                val |= cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK;
+            }
+        }
+        return val;
     case 0xd10: /* System Control.  */
         /* TODO: Implement SLEEPONEXIT.  */
         return 0;
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
     case 0xd08: /* Vector Table Offset.  */
         cpu->env.v7m.vecbase[attrs.secure] = value & 0xffffff80;
         break;
-    case 0xd0c: /* Application Interrupt/Reset Control.  */
-        if ((value >> 16) == 0x05fa) {
-            if (value & 4) {
-                qemu_irq_pulse(s->sysresetreq);
+    case 0xd0c: /* Application Interrupt/Reset Control (AIRCR) */
+        if ((value >> R_V7M_AIRCR_VECTKEY_SHIFT) == 0x05fa) {
+            if (value & R_V7M_AIRCR_SYSRESETREQ_MASK) {
+                if (attrs.secure ||
+                    !(cpu->env.v7m.aircr & R_V7M_AIRCR_SYSRESETREQS_MASK)) {
+                    qemu_irq_pulse(s->sysresetreq);
+                }
             }
-            if (value & 2) {
+            if (value & R_V7M_AIRCR_VECTCLRACTIVE_MASK) {
                 qemu_log_mask(LOG_GUEST_ERROR,
                               "Setting VECTCLRACTIVE when not in DEBUG mode "
                               "is UNPREDICTABLE\n");
             }
-            if (value & 1) {
+            if (value & R_V7M_AIRCR_VECTRESET_MASK) {
+                /* NB: this bit is RES0 in v8M */
                 qemu_log_mask(LOG_GUEST_ERROR,
                               "Setting VECTRESET when not in DEBUG mode "
                               "is UNPREDICTABLE\n");
             }
-            s->prigroup = extract32(value, 8, 3);
+            s->prigroup[attrs.secure] = extract32(value,
+                                                  R_V7M_AIRCR_PRIGROUP_SHIFT,
+                                                  R_V7M_AIRCR_PRIGROUP_LENGTH);
+            if (attrs.secure) {
+                /* These bits are only writable by secure */
+                cpu->env.v7m.aircr = value &
+                    (R_V7M_AIRCR_SYSRESETREQS_MASK |
+                     R_V7M_AIRCR_BFHFNMINS_MASK |
+                     R_V7M_AIRCR_PRIS_MASK);
+            }
             nvic_irq_update(s);
         }
         break;
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_nvic_security = {
     .fields = (VMStateField[]) {
         VMSTATE_STRUCT_ARRAY(sec_vectors, NVICState, NVIC_INTERNAL_VECTORS, 1,
                              vmstate_VecInfo, VecInfo),
+        VMSTATE_UINT32(prigroup[M_REG_S], NVICState),
         VMSTATE_END_OF_LIST()
     }
 };
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_nvic = {
     .fields = (VMStateField[]) {
         VMSTATE_STRUCT_ARRAY(vectors, NVICState, NVIC_MAX_VECTORS, 1,
                              vmstate_VecInfo, VecInfo),
-        VMSTATE_UINT32(prigroup, NVICState),
+        VMSTATE_UINT32(prigroup[M_REG_NS], NVICState),
         VMSTATE_END_OF_LIST()
     },
     .subsections = (const VMStateDescription*[]) {
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(CPUState *s)
 
         if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
             env->v7m.secure = true;
+        } else {
+            /* This bit resets to 0 if security is supported, but 1 if
+             * it is not. The bit is not present in v7M, but we set it
+             * here so we can avoid having to make checks on it conditional
+             * on ARM_FEATURE_V8 (we don't let the guest see the bit).
+             */
+            env->v7m.aircr = R_V7M_AIRCR_BFHFNMINS_MASK;
         }
 
         /* In v7M the reset value of this bit is IMPDEF, but ARM recommends
-- 
2.7.4

Update the code in nvic_rettobase() so that it checks the
sec_vectors[] array as well as the vectors[] array if needed.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505240046-11454-7-git-send-email-peter.maydell@linaro.org
---
 hw/intc/armv7m_nvic.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static int nvic_pending_prio(NVICState *s)
 static bool nvic_rettobase(NVICState *s)
 {
     int irq, nhand = 0;
+    bool check_sec = arm_feature(&s->cpu->env, ARM_FEATURE_M_SECURITY);
 
     for (irq = ARMV7M_EXCP_RESET; irq < s->num_irq; irq++) {
-        if (s->vectors[irq].active) {
+        if (s->vectors[irq].active ||
+            (check_sec && irq < NVIC_INTERNAL_VECTORS &&
+             s->sec_vectors[irq].active)) {
             nhand++;
             if (nhand == 2) {
                 return 0;
-- 
2.7.4

For v8M, the NVIC has a new set of registers per interrupt,
NVIC_ITNS<n>. These determine whether the interrupt targets Secure
or Non-secure state. Implement the register read/write code for
these, and make them cause NVIC_IABR, NVIC_ICER, NVIC_ISER,
NVIC_ICPR, NVIC_IPR and NVIC_ISPR to RAZ/WI for non-secure
accesses to fields corresponding to interrupts which are
configured to target secure state.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505240046-11454-8-git-send-email-peter.maydell@linaro.org
---
 include/hw/intc/armv7m_nvic.h |  3 ++
 hw/intc/armv7m_nvic.c         | 74 +++++++++++++++++++++++++++++++++++++++----
 2 files changed, 70 insertions(+), 7 deletions(-)

diff --git a/include/hw/intc/armv7m_nvic.h b/include/hw/intc/armv7m_nvic.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/intc/armv7m_nvic.h
+++ b/include/hw/intc/armv7m_nvic.h
@@ -XXX,XX +XXX,XX @@ typedef struct NVICState {
     /* The PRIGROUP field in AIRCR is banked */
     uint32_t prigroup[M_REG_NUM_BANKS];
 
+    /* v8M NVIC_ITNS state (stored as a bool per bit) */
+    bool itns[NVIC_MAX_VECTORS];
+
     /* The following fields are all cached state that can be recalculated
      * from the vectors[] and sec_vectors[] arrays and the prigroup field:
      *  - vectpending
diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
     switch (offset) {
     case 4: /* Interrupt Control Type.  */
         return ((s->num_irq - NVIC_FIRST_IRQ) / 32) - 1;
+    case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */
+    {
+        int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
+        int i;
+
+        if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
+            goto bad_offset;
+        }
+        if (!attrs.secure) {
+            return 0;
+        }
+        val = 0;
+        for (i = 0; i < 32 && startvec + i < s->num_irq; i++) {
+            if (s->itns[startvec + i]) {
+                val |= (1 << i);
+            }
+        }
+        return val;
+    }
     case 0xd00: /* CPUID Base.  */
         return cpu->midr;
     case 0xd04: /* Interrupt Control State.  */
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
     ARMCPU *cpu = s->cpu;
 
     switch (offset) {
+    case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */
+    {
+        int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
+        int i;
+
+        if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
+            goto bad_offset;
+        }
+        if (!attrs.secure) {
+            break;
+        }
+        for (i = 0; i < 32 && startvec + i < s->num_irq; i++) {
+            s->itns[startvec + i] = (value >> i) & 1;
+        }
+        nvic_irq_update(s);
+        break;
+    }
     case 0xd04: /* Interrupt Control State.  */
         if (value & (1 << 31)) {
             armv7m_nvic_set_pending(s, ARMV7M_EXCP_NMI);
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
         startvec = offset - 0x180 + NVIC_FIRST_IRQ; /* vector # */
 
         for (i = 0, end = size * 8; i < end && startvec + i < s->num_irq; i++) {
-            if (s->vectors[startvec + i].enabled) {
+            if (s->vectors[startvec + i].enabled &&
+                (attrs.secure || s->itns[startvec + i])) {
                 val |= (1 << i);
             }
         }
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
         val = 0;
         startvec = offset - 0x280 + NVIC_FIRST_IRQ; /* vector # */
         for (i = 0, end = size * 8; i < end && startvec + i < s->num_irq; i++) {
-            if (s->vectors[startvec + i].pending) {
+            if (s->vectors[startvec + i].pending &&
+                (attrs.secure || s->itns[startvec + i])) {
                 val |= (1 << i);
             }
         }
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
         startvec = offset - 0x300 + NVIC_FIRST_IRQ; /* vector # */
 
         for (i = 0, end = size * 8; i < end && startvec + i < s->num_irq; i++) {
-            if (s->vectors[startvec + i].active) {
+            if (s->vectors[startvec + i].active &&
+                (attrs.secure || s->itns[startvec + i])) {
                 val |= (1 << i);
             }
         }
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
         startvec = offset - 0x400 + NVIC_FIRST_IRQ; /* vector # */
 
         for (i = 0; i < size && startvec + i < s->num_irq; i++) {
-            val |= s->vectors[startvec + i].prio << (8 * i);
+            if (attrs.secure || s->itns[startvec + i]) {
+                val |= s->vectors[startvec + i].prio << (8 * i);
+            }
         }
         break;
     case 0xd18 ... 0xd23: /* System Handler Priority.  */
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_write(void *opaque, hwaddr addr,
         startvec = 8 * (offset - 0x180) + NVIC_FIRST_IRQ;
 
         for (i = 0, end = size * 8; i < end && startvec + i < s->num_irq; i++) {
-            if (value & (1 << i)) {
+            if (value & (1 << i) &&
+                (attrs.secure || s->itns[startvec + i])) {
                 s->vectors[startvec + i].enabled = setval;
             }
         }
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_write(void *opaque, hwaddr addr,
         startvec = 8 * (offset - 0x280) + NVIC_FIRST_IRQ; /* vector # */
 
         for (i = 0, end = size * 8; i < end && startvec + i < s->num_irq; i++) {
-            if (value & (1 << i)) {
+            if (value & (1 << i) &&
+                (attrs.secure || s->itns[startvec + i])) {
                 s->vectors[startvec + i].pending = setval;
             }
         }
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_write(void *opaque, hwaddr addr,
         startvec = 8 * (offset - 0x400) + NVIC_FIRST_IRQ; /* vector # */
 
         for (i = 0; i < size && startvec + i < s->num_irq; i++) {
-            set_prio(s, startvec + i, (value >> (i * 8)) & 0xff);
+            if (attrs.secure || s->itns[startvec + i]) {
+                set_prio(s, startvec + i, (value >> (i * 8)) & 0xff);
+            }
         }
         nvic_irq_update(s);
         return MEMTX_OK;
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_nvic_security = {
         VMSTATE_STRUCT_ARRAY(sec_vectors, NVICState, NVIC_INTERNAL_VECTORS, 1,
                              vmstate_VecInfo, VecInfo),
         VMSTATE_UINT32(prigroup[M_REG_S], NVICState),
+        VMSTATE_BOOL_ARRAY(itns, NVICState, NVIC_MAX_VECTORS),
         VMSTATE_END_OF_LIST()
     }
 };
@@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_reset(DeviceState *dev)
     s->vectpending = 0;
     s->vectpending_is_s_banked = false;
     s->vectpending_prio = NVIC_NOEXC_PRIO;
+
+    if (arm_feature(&s->cpu->env, ARM_FEATURE_M_SECURITY)) {
+        memset(s->itns, 0, sizeof(s->itns));
+    } else {
+        /* This state is constant and not guest accessible in a non-security
+         * NVIC; we set the bits to true to avoid having to do a feature
+         * bit check in the NVIC enable/pend/etc register accessors.
+         */
+        int i;
+
+        for (i = NVIC_FIRST_IRQ; i < ARRAY_SIZE(s->itns); i++) {
+            s->itns[i] = true;
+        }
+    }
 }
 
 static void nvic_systick_trigger(void *opaque, int n, int level)
-- 
2.7.4

Update the nvic_recompute_state() code to handle the security
extension and its associated banked registers.

Code that uses the resulting cached state (ie the irq
acknowledge and complete code) will be updated in a later
commit.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505240046-11454-9-git-send-email-peter.maydell@linaro.org
---
 hw/intc/armv7m_nvic.c | 151 ++++++++++++++++++++++++++++++++++++++++++++++++--
 hw/intc/trace-events  |   1 +
 2 files changed, 147 insertions(+), 5 deletions(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@
  * (higher than the highest possible priority value)
  */
 #define NVIC_NOEXC_PRIO 0x100
+/* Maximum priority of non-secure exceptions when AIRCR.PRIS is set */
+#define NVIC_NS_PRIO_LIMIT 0x80
 
 static const uint8_t nvic_id[] = {
     0x00, 0xb0, 0x1b, 0x00, 0x0d, 0xe0, 0x05, 0xb1
@@ -XXX,XX +XXX,XX @@ static bool nvic_isrpending(NVICState *s)
     return false;
 }
 
+static bool exc_is_banked(int exc)
+{
+    /* Return true if this is one of the limited set of exceptions which
+     * are banked (and thus have state in sec_vectors[])
+     */
+    return exc == ARMV7M_EXCP_HARD ||
+        exc == ARMV7M_EXCP_MEM ||
+        exc == ARMV7M_EXCP_USAGE ||
+        exc == ARMV7M_EXCP_SVC ||
+        exc == ARMV7M_EXCP_PENDSV ||
+        exc == ARMV7M_EXCP_SYSTICK;
+}
+
 /* Return a mask word which clears the subpriority bits from
  * a priority value for an M-profile exception, leaving only
  * the group priority.
  */
-static inline uint32_t nvic_gprio_mask(NVICState *s)
+static inline uint32_t nvic_gprio_mask(NVICState *s, bool secure)
+{
+    return ~0U << (s->prigroup[secure] + 1);
+}
+
+static bool exc_targets_secure(NVICState *s, int exc)
+{
+    /* Return true if this non-banked exception targets Secure state. */
+    if (!arm_feature(&s->cpu->env, ARM_FEATURE_M_SECURITY)) {
+        return false;
+    }
+
+    if (exc >= NVIC_FIRST_IRQ) {
+        return !s->itns[exc];
+    }
+
+    /* Function shouldn't be called for banked exceptions. */
+    assert(!exc_is_banked(exc));
+
+    switch (exc) {
+    case ARMV7M_EXCP_NMI:
+    case ARMV7M_EXCP_BUS:
+        return !(s->cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
+    case ARMV7M_EXCP_SECURE:
+        return true;
+    case ARMV7M_EXCP_DEBUG:
+        /* TODO: controlled by DEMCR.SDME, which we don't yet implement */
+        return false;
+    default:
+        /* reset, and reserved (unused) low exception numbers.
+         * We'll get called by code that loops through all the exception
+         * numbers, but it doesn't matter what we return here as these
+         * non-existent exceptions will never be pended or active.
+         */
+        return true;
+    }
+}
+
+static int exc_group_prio(NVICState *s, int rawprio, bool targets_secure)
+{
+    /* Return the group priority for this exception, given its raw
+     * (group-and-subgroup) priority value and whether it is targeting
+     * secure state or not.
+     */
+    if (rawprio < 0) {
+        return rawprio;
+    }
+    rawprio &= nvic_gprio_mask(s, targets_secure);
+    /* AIRCR.PRIS causes us to squash all NS priorities into the
+     * lower half of the total range
+     */
+    if (!targets_secure &&
+        (s->cpu->env.v7m.aircr & R_V7M_AIRCR_PRIS_MASK)) {
+        rawprio = (rawprio >> 1) + NVIC_NS_PRIO_LIMIT;
+    }
+    return rawprio;
+}
+
+/* Recompute vectpending and exception_prio for a CPU which implements
+ * the Security extension
+ */
+static void nvic_recompute_state_secure(NVICState *s)
 {
-    return ~0U << (s->prigroup[M_REG_NS] + 1);
+    int i, bank;
+    int pend_prio = NVIC_NOEXC_PRIO;
+    int active_prio = NVIC_NOEXC_PRIO;
+    int pend_irq = 0;
+    bool pending_is_s_banked = false;
+
+    /* R_CQRV: precedence is by:
+     *  - lowest group priority; if both the same then
+     *  - lowest subpriority; if both the same then
+     *  - lowest exception number; if both the same (ie banked) then
+     *  - secure exception takes precedence
+     * Compare pseudocode RawExecutionPriority.
+     * Annoyingly, now we have two prigroup values (for S and NS)
+     * we can't do the loop comparison on raw priority values.
+     */
+    for (i = 1; i < s->num_irq; i++) {
+        for (bank = M_REG_S; bank >= M_REG_NS; bank--) {
+            VecInfo *vec;
+            int prio;
+            bool targets_secure;
+
+            if (bank == M_REG_S) {
+                if (!exc_is_banked(i)) {
+                    continue;
+                }
+                vec = &s->sec_vectors[i];
+                targets_secure = true;
+            } else {
+                vec = &s->vectors[i];
+                targets_secure = !exc_is_banked(i) && exc_targets_secure(s, i);
+            }
+
+            prio = exc_group_prio(s, vec->prio, targets_secure);
+            if (vec->enabled && vec->pending && prio < pend_prio) {
+                pend_prio = prio;
+                pend_irq = i;
+                pending_is_s_banked = (bank == M_REG_S);
+            }
+            if (vec->active && prio < active_prio) {
+                active_prio = prio;
+            }
+        }
+    }
+
+    s->vectpending_is_s_banked = pending_is_s_banked;
+    s->vectpending = pend_irq;
+    s->vectpending_prio = pend_prio;
+    s->exception_prio = active_prio;
+
+    trace_nvic_recompute_state_secure(s->vectpending,
+                                      s->vectpending_is_s_banked,
+                                      s->vectpending_prio,
+                                      s->exception_prio);
 }
 
 /* Recompute vectpending and exception_prio */
@@ -XXX,XX +XXX,XX @@ static void nvic_recompute_state(NVICState *s)
     int active_prio = NVIC_NOEXC_PRIO;
     int pend_irq = 0;
 
+    /* In theory we could write one function that handled both
+     * the "security extension present" and "not present"; however
+     * the security related changes significantly complicate the
+     * recomputation just by themselves and mixing both cases together
+     * would be even worse, so we retain a separate non-secure-only
+     * version for CPUs which don't implement the security extension.
+     */
+    if (arm_feature(&s->cpu->env, ARM_FEATURE_M_SECURITY)) {
+        nvic_recompute_state_secure(s);
+        return;
+    }
+
     for (i = 1; i < s->num_irq; i++) {
         VecInfo *vec = &s->vectors[i];
 
@@ -XXX,XX +XXX,XX @@ static void nvic_recompute_state(NVICState *s)
     }
 
     if (active_prio > 0) {
-        active_prio &= nvic_gprio_mask(s);
+        active_prio &= nvic_gprio_mask(s, false);
     }
 
     if (pend_prio > 0) {
-        pend_prio &= nvic_gprio_mask(s);
+        pend_prio &= nvic_gprio_mask(s, false);
     }
 
     s->vectpending = pend_irq;
@@ -XXX,XX +XXX,XX @@ static inline int nvic_exec_prio(NVICState *s)
     } else if (env->v7m.primask[env->v7m.secure]) {
         running = 0;
     } else if (env->v7m.basepri[env->v7m.secure] > 0) {
-        running = env->v7m.basepri[env->v7m.secure] & nvic_gprio_mask(s);
+        running = env->v7m.basepri[env->v7m.secure] &
+            nvic_gprio_mask(s, env->v7m.secure);
     } else {
         running = NVIC_NOEXC_PRIO; /* lower than any possible priority */
     }
diff --git a/hw/intc/trace-events b/hw/intc/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/trace-events
+++ b/hw/intc/trace-events
@@ -XXX,XX +XXX,XX @@ gicv3_redist_send_sgi(uint32_t cpu, int irq) "GICv3 redistributor 0x%x pending S
 
 # hw/intc/armv7m_nvic.c
 nvic_recompute_state(int vectpending, int vectpending_prio, int exception_prio) "NVIC state recomputed: vectpending %d vectpending_prio %d exception_prio %d"
+nvic_recompute_state_secure(int vectpending, bool vectpending_is_s_banked, int vectpending_prio, int exception_prio) "NVIC state recomputed: vectpending %d is_s_banked %d vectpending_prio %d exception_prio %d"
 nvic_set_prio(int irq, uint8_t prio) "NVIC set irq %d priority %d"
 nvic_irq_update(int vectpending, int pendprio, int exception_prio, int level) "NVIC vectpending %d pending prio %d exception_prio %d: setting irq line to %d"
 nvic_escalate_prio(int irq, int irqprio, int runprio) "NVIC escalating irq %d to HardFault: insufficient priority %d >= %d"
-- 
2.7.4

Make the armv7m_nvic_set_pending() and armv7m_nvic_clear_pending()
functions take a bool indicating whether to pend the secure
or non-secure version of a banked interrupt, and update the
callsites accordingly.

In most callsites we can simply pass the correct security
state in; in a couple of cases we use TODO comments to indicate
that we will return the code in a subsequent commit.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505240046-11454-10-git-send-email-peter.maydell@linaro.org
---
 target/arm/cpu.h      | 14 ++++++++++-
 hw/intc/armv7m_nvic.c | 64 ++++++++++++++++++++++++++++++++++++++-------------
 target/arm/helper.c   | 24 +++++++++++--------
 hw/intc/trace-events  |  4 ++--
 4 files changed, 77 insertions(+), 29 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline bool armv7m_nvic_can_take_pending_exception(void *opaque)
     return true;
 }
 #endif
-void armv7m_nvic_set_pending(void *opaque, int irq);
+/**
+ * armv7m_nvic_set_pending: mark the specified exception as pending
+ * @opaque: the NVIC
+ * @irq: the exception number to mark pending
+ * @secure: false for non-banked exceptions or for the nonsecure
+ * version of a banked exception, true for the secure version of a banked
+ * exception.
+ *
+ * Marks the specified exception as pending. Note that we will assert()
+ * if @secure is true and @irq does not specify one of the fixed set
+ * of architecturally banked exceptions.
+ */
+void armv7m_nvic_set_pending(void *opaque, int irq, bool secure);
 void armv7m_nvic_acknowledge_irq(void *opaque);
 /**
  * armv7m_nvic_complete_irq: complete specified interrupt or exception
diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static void nvic_irq_update(NVICState *s)
     qemu_set_irq(s->excpout, lvl);
 }
 
-static void armv7m_nvic_clear_pending(void *opaque, int irq)
+/**
+ * armv7m_nvic_clear_pending: mark the specified exception as not pending
+ * @opaque: the NVIC
+ * @irq: the exception number to mark as not pending
+ * @secure: false for non-banked exceptions or for the nonsecure
+ * version of a banked exception, true for the secure version of a banked
+ * exception.
+ *
+ * Marks the specified exception as not pending. Note that we will assert()
+ * if @secure is true and @irq does not specify one of the fixed set
+ * of architecturally banked exceptions.
+ */
+static void armv7m_nvic_clear_pending(void *opaque, int irq, bool secure)
 {
     NVICState *s = (NVICState *)opaque;
     VecInfo *vec;
 
     assert(irq > ARMV7M_EXCP_RESET && irq < s->num_irq);
 
-    vec = &s->vectors[irq];
-    trace_nvic_clear_pending(irq, vec->enabled, vec->prio);
+    if (secure) {
+        assert(exc_is_banked(irq));
+        vec = &s->sec_vectors[irq];
+    } else {
+        vec = &s->vectors[irq];
+    }
+    trace_nvic_clear_pending(irq, secure, vec->enabled, vec->prio);
     if (vec->pending) {
         vec->pending = 0;
         nvic_irq_update(s);
     }
 }
 
-void armv7m_nvic_set_pending(void *opaque, int irq)
+void armv7m_nvic_set_pending(void *opaque, int irq, bool secure)
 {
     NVICState *s = (NVICState *)opaque;
+    bool banked = exc_is_banked(irq);
     VecInfo *vec;
 
     assert(irq > ARMV7M_EXCP_RESET && irq < s->num_irq);
+    assert(!secure || banked);
 
-    vec = &s->vectors[irq];
-    trace_nvic_set_pending(irq, vec->enabled, vec->prio);
+    vec = (banked && secure) ? &s->sec_vectors[irq] : &s->vectors[irq];
 
+    trace_nvic_set_pending(irq, secure, vec->enabled, vec->prio);
 
     if (irq >= ARMV7M_EXCP_HARD && irq < ARMV7M_EXCP_PENDSV) {
         /* If a synchronous exception is pending then it may be
@@ -XXX,XX +XXX,XX @@ void armv7m_nvic_set_pending(void *opaque, int irq)
                           "(current priority %d)\n", irq, running);
             }
 
-            /* We can do the escalation, so we take HardFault instead */
+            /* We can do the escalation, so we take HardFault instead.
+             * If BFHFNMINS is set then we escalate to the banked HF for
+             * the target security state of the original exception; otherwise
+             * we take a Secure HardFault.
+             */
             irq = ARMV7M_EXCP_HARD;
-            vec = &s->vectors[irq];
+            if (arm_feature(&s->cpu->env, ARM_FEATURE_M_SECURITY) &&
+                (secure ||
+                 !(s->cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK))) {
+                vec = &s->sec_vectors[irq];
+            } else {
+                vec = &s->vectors[irq];
+            }
+            /* HF may be banked but there is only one shared HFSR */
             s->cpu->env.v7m.hfsr |= R_V7M_HFSR_FORCED_MASK;
         }
     }
@@ -XXX,XX +XXX,XX @@ static void set_irq_level(void *opaque, int n, int level)
     if (level != vec->level) {
         vec->level = level;
         if (level) {
-            armv7m_nvic_set_pending(s, n);
+            armv7m_nvic_set_pending(s, n, false);
         }
     }
 }
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
     }
     case 0xd04: /* Interrupt Control State.  */
         if (value & (1 << 31)) {
-            armv7m_nvic_set_pending(s, ARMV7M_EXCP_NMI);
+            armv7m_nvic_set_pending(s, ARMV7M_EXCP_NMI, false);
         }
         if (value & (1 << 28)) {
-            armv7m_nvic_set_pending(s, ARMV7M_EXCP_PENDSV);
+            armv7m_nvic_set_pending(s, ARMV7M_EXCP_PENDSV, attrs.secure);
         } else if (value & (1 << 27)) {
-            armv7m_nvic_clear_pending(s, ARMV7M_EXCP_PENDSV);
+            armv7m_nvic_clear_pending(s, ARMV7M_EXCP_PENDSV, attrs.secure);
         }
         if (value & (1 << 26)) {
-            armv7m_nvic_set_pending(s, ARMV7M_EXCP_SYSTICK);
+            armv7m_nvic_set_pending(s, ARMV7M_EXCP_SYSTICK, attrs.secure);
         } else if (value & (1 << 25)) {
-            armv7m_nvic_clear_pending(s, ARMV7M_EXCP_SYSTICK);
+            armv7m_nvic_clear_pending(s, ARMV7M_EXCP_SYSTICK, attrs.secure);
         }
         break;
     case 0xd08: /* Vector Table Offset.  */
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
     {
         int excnum = (value & 0x1ff) + NVIC_FIRST_IRQ;
         if (excnum < s->num_irq) {
-            armv7m_nvic_set_pending(s, excnum);
+            armv7m_nvic_set_pending(s, excnum, false);
         }
         break;
     }
@@ -XXX,XX +XXX,XX @@ static void nvic_systick_trigger(void *opaque, int n, int level)
         /* SysTick just asked us to pend its exception.
          * (This is different from an external interrupt line's
          * behaviour.)
+         * TODO: when we implement the banked systicks we must make
+         * this pend the correct banked exception.
          */
-        armv7m_nvic_set_pending(s, ARMV7M_EXCP_SYSTICK);
+        armv7m_nvic_set_pending(s, ARMV7M_EXCP_SYSTICK, false);
     }
 }
 
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
          * stack, directly take a usage fault on the current stack.
          */
         env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE);
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
         v7m_exception_taken(cpu, excret);
         qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on existing "
                       "stackframe: failed exception return integrity check\n");
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
      * exception return excret specified then this is a UsageFault.
      */
     if (return_to_handler != arm_v7m_is_handler_mode(env)) {
-        /* Take an INVPC UsageFault by pushing the stack again. */
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE);
+        /* Take an INVPC UsageFault by pushing the stack again.
+         * TODO: the v8M version of this code should target the
+         * background state for this exception.
+         */
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, false);
         env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
         v7m_push_stack(cpu);
         v7m_exception_taken(cpu, excret);
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
        handle it.  */
     switch (cs->exception_index) {
     case EXCP_UDEF:
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE);
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
         env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_UNDEFINSTR_MASK;
         break;
     case EXCP_NOCP:
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE);
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
         env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_NOCP_MASK;
         break;
     case EXCP_INVSTATE:
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE);
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
         env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVSTATE_MASK;
         break;
     case EXCP_SWI:
         /* The PC already points to the next instruction.  */
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SVC);
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SVC, env->v7m.secure);
         break;
     case EXCP_PREFETCH_ABORT:
     case EXCP_DATA_ABORT:
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
                               env->v7m.bfar);
                 break;
             }
-            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS);
+            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
             break;
         default:
             /* All other FSR values are either MPU faults or "can't happen
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
                               env->v7m.mmfar[env->v7m.secure]);
                 break;
             }
-            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM);
+            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM,
+                                    env->v7m.secure);
             break;
         }
         break;
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
                 return;
             }
         }
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_DEBUG);
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_DEBUG, false);
         break;
     case EXCP_IRQ:
         break;
diff --git a/hw/intc/trace-events b/hw/intc/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/trace-events
+++ b/hw/intc/trace-events
@@ -XXX,XX +XXX,XX @@ nvic_set_prio(int irq, uint8_t prio) "NVIC set irq %d priority %d"
 nvic_irq_update(int vectpending, int pendprio, int exception_prio, int level) "NVIC vectpending %d pending prio %d exception_prio %d: setting irq line to %d"
 nvic_escalate_prio(int irq, int irqprio, int runprio) "NVIC escalating irq %d to HardFault: insufficient priority %d >= %d"
 nvic_escalate_disabled(int irq) "NVIC escalating irq %d to HardFault: disabled"
-nvic_set_pending(int irq, int en, int prio) "NVIC set pending irq %d (enabled: %d priority %d)"
-nvic_clear_pending(int irq, int en, int prio) "NVIC clear pending irq %d (enabled: %d priority %d)"
+nvic_set_pending(int irq, bool secure, int en, int prio) "NVIC set pending irq %d secure-bank %d (enabled: %d priority %d)"
+nvic_clear_pending(int irq, bool secure, int en, int prio) "NVIC clear pending irq %d secure-bank %d (enabled: %d priority %d)"
 nvic_set_pending_level(int irq) "NVIC set pending: irq %d higher prio than vectpending: setting irq line to 1"
 nvic_acknowledge_irq(int irq, int prio) "NVIC acknowledge IRQ: %d now active (prio %d)"
 nvic_complete_irq(int irq) "NVIC complete IRQ %d"
-- 
2.7.4

Make the set_prio() function take a bool indicating
whether to pend the secure or non-secure version of a banked
interrupt, and use this to implement the correct banking
semantics for the SHPR registers.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505240046-11454-11-git-send-email-peter.maydell@linaro.org
---
 hw/intc/armv7m_nvic.c | 96 ++++++++++++++++++++++++++++++++++++++++++++++-----
 hw/intc/trace-events  |  2 +-
 2 files changed, 88 insertions(+), 10 deletions(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ int armv7m_nvic_raw_execution_priority(void *opaque)
     return s->exception_prio;
 }
 
-/* caller must call nvic_irq_update() after this */
-static void set_prio(NVICState *s, unsigned irq, uint8_t prio)
+/* caller must call nvic_irq_update() after this.
+ * secure indicates the bank to use for banked exceptions (we assert if
+ * we are passed secure=true for a non-banked exception).
+ */
+static void set_prio(NVICState *s, unsigned irq, bool secure, uint8_t prio)
 {
     assert(irq > ARMV7M_EXCP_NMI); /* only use for configurable prios */
     assert(irq < s->num_irq);
 
-    s->vectors[irq].prio = prio;
+    if (secure) {
+        assert(exc_is_banked(irq));
+        s->sec_vectors[irq].prio = prio;
+    } else {
+        s->vectors[irq].prio = prio;
+    }
+
+    trace_nvic_set_prio(irq, secure, prio);
+}
+
+/* Return the current raw priority register value.
+ * secure indicates the bank to use for banked exceptions (we assert if
+ * we are passed secure=true for a non-banked exception).
+ */
+static int get_prio(NVICState *s, unsigned irq, bool secure)
+{
+    assert(irq > ARMV7M_EXCP_NMI); /* only use for configurable prios */
+    assert(irq < s->num_irq);
 
-    trace_nvic_set_prio(irq, prio);
+    if (secure) {
+        assert(exc_is_banked(irq));
+        return s->sec_vectors[irq].prio;
+    } else {
+        return s->vectors[irq].prio;
+    }
 }
 
 /* Recompute state and assert irq line accordingly.
@@ -XXX,XX +XXX,XX @@ static bool nvic_user_access_ok(NVICState *s, hwaddr offset, MemTxAttrs attrs)
     }
 }
 
+static int shpr_bank(NVICState *s, int exc, MemTxAttrs attrs)
+{
+    /* Behaviour for the SHPR register field for this exception:
+     * return M_REG_NS to use the nonsecure vector (including for
+     * non-banked exceptions), M_REG_S for the secure version of
+     * a banked exception, and -1 if this field should RAZ/WI.
+     */
+    switch (exc) {
+    case ARMV7M_EXCP_MEM:
+    case ARMV7M_EXCP_USAGE:
+    case ARMV7M_EXCP_SVC:
+    case ARMV7M_EXCP_PENDSV:
+    case ARMV7M_EXCP_SYSTICK:
+        /* Banked exceptions */
+        return attrs.secure;
+    case ARMV7M_EXCP_BUS:
+        /* Not banked, RAZ/WI from nonsecure if BFHFNMINS is zero */
+        if (!attrs.secure &&
+            !(s->cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK)) {
+            return -1;
+        }
+        return M_REG_NS;
+    case ARMV7M_EXCP_SECURE:
+        /* Not banked, RAZ/WI from nonsecure */
+        if (!attrs.secure) {
+            return -1;
+        }
+        return M_REG_NS;
+    case ARMV7M_EXCP_DEBUG:
+        /* Not banked. TODO should RAZ/WI if DEMCR.SDME is set */
+        return M_REG_NS;
+    case 8 ... 10:
+    case 13:
+        /* RES0 */
+        return -1;
+    default:
+        /* Not reachable due to decode of SHPR register addresses */
+        g_assert_not_reached();
+    }
+}
+
 static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
                                     uint64_t *data, unsigned size,
                                     MemTxAttrs attrs)
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
             }
         }
         break;
-    case 0xd18 ... 0xd23: /* System Handler Priority.  */
+    case 0xd18 ... 0xd23: /* System Handler Priority (SHPR1, SHPR2, SHPR3) */
         val = 0;
         for (i = 0; i < size; i++) {
-            val |= s->vectors[(offset - 0xd14) + i].prio << (i * 8);
+            unsigned hdlidx = (offset - 0xd14) + i;
+            int sbank = shpr_bank(s, hdlidx, attrs);
+
+            if (sbank < 0) {
+                continue;
+            }
+            val = deposit32(val, i * 8, 8, get_prio(s, hdlidx, sbank));
         }
         break;
     case 0xfe0 ... 0xfff: /* ID.  */
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_write(void *opaque, hwaddr addr,
 
         for (i = 0; i < size && startvec + i < s->num_irq; i++) {
             if (attrs.secure || s->itns[startvec + i]) {
-                set_prio(s, startvec + i, (value >> (i * 8)) & 0xff);
+                set_prio(s, startvec + i, false, (value >> (i * 8)) & 0xff);
             }
         }
         nvic_irq_update(s);
         return MEMTX_OK;
-    case 0xd18 ... 0xd23: /* System Handler Priority.  */
+    case 0xd18 ... 0xd23: /* System Handler Priority (SHPR1, SHPR2, SHPR3) */
         for (i = 0; i < size; i++) {
             unsigned hdlidx = (offset - 0xd14) + i;
-            set_prio(s, hdlidx, (value >> (i * 8)) & 0xff);
+            int newprio = extract32(value, i * 8, 8);
+            int sbank = shpr_bank(s, hdlidx, attrs);
+
+            if (sbank < 0) {
+                continue;
+            }
+            set_prio(s, hdlidx, sbank, newprio);
         }
         nvic_irq_update(s);
         return MEMTX_OK;
diff --git a/hw/intc/trace-events b/hw/intc/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/trace-events
+++ b/hw/intc/trace-events
@@ -XXX,XX +XXX,XX @@ gicv3_redist_send_sgi(uint32_t cpu, int irq) "GICv3 redistributor 0x%x pending S
 # hw/intc/armv7m_nvic.c
 nvic_recompute_state(int vectpending, int vectpending_prio, int exception_prio) "NVIC state recomputed: vectpending %d vectpending_prio %d exception_prio %d"
 nvic_recompute_state_secure(int vectpending, bool vectpending_is_s_banked, int vectpending_prio, int exception_prio) "NVIC state recomputed: vectpending %d is_s_banked %d vectpending_prio %d exception_prio %d"
-nvic_set_prio(int irq, uint8_t prio) "NVIC set irq %d priority %d"
+nvic_set_prio(int irq, bool secure, uint8_t prio) "NVIC set irq %d secure-bank %d priority %d"
 nvic_irq_update(int vectpending, int pendprio, int exception_prio, int level) "NVIC vectpending %d pending prio %d exception_prio %d: setting irq line to %d"
 nvic_escalate_prio(int irq, int irqprio, int runprio) "NVIC escalating irq %d to HardFault: insufficient priority %d >= %d"
 nvic_escalate_disabled(int irq) "NVIC escalating irq %d to HardFault: disabled"
-- 
2.7.4

In armv7m_nvic_set_pending() we have to compare the
priority of an exception against the execution priority
to decide whether it needs to be escalated to HardFault.
In the specification this is a comparison against the
exception's group priority; for v7M we implemented it
as a comparison against the raw exception priority
because the two comparisons will always give the
same answer. For v8M the existence of AIRCR.PRIS and
the possibility of different PRIGROUP values for secure
and nonsecure exceptions means we need to explicitly
calculate the vector's group priority for this check.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505240046-11454-12-git-send-email-peter.maydell@linaro.org
---
 hw/intc/armv7m_nvic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ void armv7m_nvic_set_pending(void *opaque, int irq, bool secure)
         int running = nvic_exec_prio(s);
         bool escalate = false;
 
-        if (vec->prio >= running) {
+        if (exc_group_prio(s, vec->prio, secure) >= running) {
             trace_nvic_escalate_prio(irq, vec->prio, running);
             escalate = true;
         } else if (!vec->enabled) {
-- 
2.7.4

When escalating to HardFault, we must go into Lockup if we
can't take the synchronous HardFault because the current
execution priority is already at or below the priority of
HardFault. In v7M HF is always priority -1 so a simple < 0
comparison sufficed; in v8M the priority of HardFault can
vary depending on whether it is a Secure or NonSecure
HardFault, so we must check against the priority of the
HardFault exception vector we're about to use.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505240046-11454-13-git-send-email-peter.maydell@linaro.org
---
 hw/intc/armv7m_nvic.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ void armv7m_nvic_set_pending(void *opaque, int irq, bool secure)
         }
 
         if (escalate) {
-            if (running < 0) {
-                /* We want to escalate to HardFault but we can't take a
-                 * synchronous HardFault at this point either. This is a
-                 * Lockup condition due to a guest bug. We don't model
-                 * Lockup, so report via cpu_abort() instead.
-                 */
-                cpu_abort(&s->cpu->parent_obj,
-                          "Lockup: can't escalate %d to HardFault "
-                          "(current priority %d)\n", irq, running);
-            }
 
-            /* We can do the escalation, so we take HardFault instead.
+            /* We need to escalate this exception to a synchronous HardFault.
              * If BFHFNMINS is set then we escalate to the banked HF for
              * the target security state of the original exception; otherwise
              * we take a Secure HardFault.
@@ -XXX,XX +XXX,XX @@ void armv7m_nvic_set_pending(void *opaque, int irq, bool secure)
             } else {
                 vec = &s->vectors[irq];
             }
+            if (running <= vec->prio) {
+                /* We want to escalate to HardFault but we can't take the
+                 * synchronous HardFault at this point either. This is a
+                 * Lockup condition due to a guest bug. We don't model
+                 * Lockup, so report via cpu_abort() instead.
+                 */
+                cpu_abort(&s->cpu->parent_obj,
+                          "Lockup: can't escalate %d to HardFault "
+                          "(current priority %d)\n", irq, running);
+            }
+
             /* HF may be banked but there is only one shared HFSR */
             s->cpu->env.v7m.hfsr |= R_V7M_HFSR_FORCED_MASK;
         }
-- 
2.7.4

In v7M, the fixed-priority exceptions are:
 Reset: -3
 NMI: -2
 HardFault: -1

In v8M, this changes because Secure HardFault may need
to be prioritised above NMI:
 Reset: -4
 Secure HardFault if AIRCR.BFHFNMINS == 1: -3
 NMI: -2
 Secure HardFault if AIRCR.BFHFNMINS == 0: -1
 NonSecure HardFault: -1

Make these changes, including support for changing the
priority of Secure HardFault as AIRCR.BFHFNMINS changes.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505240046-11454-14-git-send-email-peter.maydell@linaro.org
---
 hw/intc/armv7m_nvic.c | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
                     (R_V7M_AIRCR_SYSRESETREQS_MASK |
                      R_V7M_AIRCR_BFHFNMINS_MASK |
                      R_V7M_AIRCR_PRIS_MASK);
+                /* BFHFNMINS changes the priority of Secure HardFault */
+                if (cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) {
+                    s->sec_vectors[ARMV7M_EXCP_HARD].prio = -3;
+                } else {
+                    s->sec_vectors[ARMV7M_EXCP_HARD].prio = -1;
+                }
             }
             nvic_irq_update(s);
         }
@@ -XXX,XX +XXX,XX @@ static int nvic_post_load(void *opaque, int version_id)
 {
     NVICState *s = opaque;
     unsigned i;
+    int resetprio;
 
     /* Check for out of range priority settings */
-    if (s->vectors[ARMV7M_EXCP_RESET].prio != -3 ||
+    resetprio = arm_feature(&s->cpu->env, ARM_FEATURE_V8) ? -4 : -3;
+
+    if (s->vectors[ARMV7M_EXCP_RESET].prio != resetprio ||
         s->vectors[ARMV7M_EXCP_NMI].prio != -2 ||
         s->vectors[ARMV7M_EXCP_HARD].prio != -1) {
         return 1;
@@ -XXX,XX +XXX,XX @@ static int nvic_security_post_load(void *opaque, int version_id)
     int i;
 
     /* Check for out of range priority settings */
-    if (s->sec_vectors[ARMV7M_EXCP_HARD].prio != -1) {
+    if (s->sec_vectors[ARMV7M_EXCP_HARD].prio != -1
+        && s->sec_vectors[ARMV7M_EXCP_HARD].prio != -3) {
+        /* We can't cross-check against AIRCR.BFHFNMINS as we don't know
+         * if the CPU state has been migrated yet; a mismatch won't
+         * cause the emulation to blow up, though.
+         */
         return 1;
     }
     for (i = ARMV7M_EXCP_MEM; i < ARRAY_SIZE(s->sec_vectors); i++) {
@@ -XXX,XX +XXX,XX @@ static Property props_nvic[] = {
 
 static void armv7m_nvic_reset(DeviceState *dev)
 {
+    int resetprio;
     NVICState *s = NVIC(dev);
 
     s->vectors[ARMV7M_EXCP_NMI].enabled = 1;
@@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_reset(DeviceState *dev)
     s->vectors[ARMV7M_EXCP_PENDSV].enabled = 1;
     s->vectors[ARMV7M_EXCP_SYSTICK].enabled = 1;
 
-    s->vectors[ARMV7M_EXCP_RESET].prio = -3;
+    resetprio = arm_feature(&s->cpu->env, ARM_FEATURE_V8) ? -4 : -3;
+    s->vectors[ARMV7M_EXCP_RESET].prio = resetprio;
     s->vectors[ARMV7M_EXCP_NMI].prio = -2;
     s->vectors[ARMV7M_EXCP_HARD].prio = -1;
 
-- 
2.7.4

If AIRCR.BFHFNMINS is clear, then although NonSecure HardFault
can still be pended via SHCSR.HARDFAULTPENDED it mustn't actually
preempt execution. The simple way to achieve this is to clear the
enable bit for it, since the enable bit isn't guest visible.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505240046-11454-15-git-send-email-peter.maydell@linaro.org
---
 hw/intc/armv7m_nvic.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
                     (R_V7M_AIRCR_SYSRESETREQS_MASK |
                      R_V7M_AIRCR_BFHFNMINS_MASK |
                      R_V7M_AIRCR_PRIS_MASK);
-                /* BFHFNMINS changes the priority of Secure HardFault */
+                /* BFHFNMINS changes the priority of Secure HardFault, and
+                 * allows a pending Non-secure HardFault to preempt (which
+                 * we implement by marking it enabled).
+                 */
                 if (cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) {
                     s->sec_vectors[ARMV7M_EXCP_HARD].prio = -3;
+                    s->vectors[ARMV7M_EXCP_HARD].enabled = 1;
                 } else {
                     s->sec_vectors[ARMV7M_EXCP_HARD].prio = -1;
+                    s->vectors[ARMV7M_EXCP_HARD].enabled = 0;
                 }
             }
             nvic_irq_update(s);
@@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_reset(DeviceState *dev)
     NVICState *s = NVIC(dev);
 
     s->vectors[ARMV7M_EXCP_NMI].enabled = 1;
-    s->vectors[ARMV7M_EXCP_HARD].enabled = 1;
     /* MEM, BUS, and USAGE are enabled through
      * the System Handler Control register
      */
@@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_reset(DeviceState *dev)
 
         /* AIRCR.BFHFNMINS resets to 0 so Secure HF is priority -1 (R_CMTC) */
         s->sec_vectors[ARMV7M_EXCP_HARD].prio = -1;
+        /* If AIRCR.BFHFNMINS is 0 then NS HF is (effectively) disabled */
+        s->vectors[ARMV7M_EXCP_HARD].enabled = 0;
+    } else {
+        s->vectors[ARMV7M_EXCP_HARD].enabled = 1;
     }
 
     /* Strictly speaking the reset handler should be enabled.
-- 
2.7.4

Update nvic_exec_prio() to support the v8M changes:
 * BASEPRI, FAULTMASK and PRIMASK are all banked
 * AIRCR.PRIS can affect NS priorities
 * AIRCR.BFHFNMINS affects FAULTMASK behaviour

These changes mean that it's no longer possible to
definitely say that if FAULTMASK is set it overrides
PRIMASK, and if PRIMASK is set it overrides BASEPRI
(since if PRIMASK_NS is set and AIRCR.PRIS is set then
whether that 0x80 priority should take effect or the
priority in BASEPRI_S depends on the value of BASEPRI_S,
for instance). So we switch to the same approach used
by the pseudocode of working through BASEPRI, PRIMASK
and FAULTMASK and overriding the previous values if
needed.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505240046-11454-16-git-send-email-peter.maydell@linaro.org
---
 hw/intc/armv7m_nvic.c | 51 ++++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 42 insertions(+), 9 deletions(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static void nvic_recompute_state(NVICState *s)
 static inline int nvic_exec_prio(NVICState *s)
 {
     CPUARMState *env = &s->cpu->env;
-    int running;
+    int running = NVIC_NOEXC_PRIO;
 
-    if (env->v7m.faultmask[env->v7m.secure]) {
-        running = -1;
-    } else if (env->v7m.primask[env->v7m.secure]) {
+    if (env->v7m.basepri[M_REG_NS] > 0) {
+        running = exc_group_prio(s, env->v7m.basepri[M_REG_NS], M_REG_NS);
+    }
+
+    if (env->v7m.basepri[M_REG_S] > 0) {
+        int basepri = exc_group_prio(s, env->v7m.basepri[M_REG_S], M_REG_S);
+        if (running > basepri) {
+            running = basepri;
+        }
+    }
+
+    if (env->v7m.primask[M_REG_NS]) {
+        if (env->v7m.aircr & R_V7M_AIRCR_PRIS_MASK) {
+            if (running > NVIC_NS_PRIO_LIMIT) {
+                running = NVIC_NS_PRIO_LIMIT;
+            }
+        } else {
+            running = 0;
+        }
+    }
+
+    if (env->v7m.primask[M_REG_S]) {
         running = 0;
-    } else if (env->v7m.basepri[env->v7m.secure] > 0) {
-        running = env->v7m.basepri[env->v7m.secure] &
-            nvic_gprio_mask(s, env->v7m.secure);
-    } else {
-        running = NVIC_NOEXC_PRIO; /* lower than any possible priority */
     }
+
+    if (env->v7m.faultmask[M_REG_NS]) {
+        if (env->v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) {
+            running = -1;
+        } else {
+            if (env->v7m.aircr & R_V7M_AIRCR_PRIS_MASK) {
+                if (running > NVIC_NS_PRIO_LIMIT) {
+                    running = NVIC_NS_PRIO_LIMIT;
+                }
+            } else {
+                running = 0;
+            }
+        }
+    }
+
+    if (env->v7m.faultmask[M_REG_S]) {
+        running = (env->v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) ? -3 : -1;
+    }
+
     /* consider priority of active handler */
     return MIN(running, s->exception_prio);
 }
-- 
2.7.4

Now that we have a banked FAULTMASK register and banked exceptions,
we can implement the correct check in cpu_mmu_index() for whether
the MPU_CTRL.HFNMIENA bit's effect should apply. This bit causes
handlers which have requested a negative execution priority to run
with the MPU disabled. In v8M the test has to check this for the
current security state and so takes account of banking.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505240046-11454-17-git-send-email-peter.maydell@linaro.org
---
 target/arm/cpu.h      | 21 ++++++++++++++++-----
 hw/intc/armv7m_nvic.c | 29 +++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 5 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ int armv7m_nvic_complete_irq(void *opaque, int irq);
  * (v8M ARM ARM I_PKLD.)
  */
 int armv7m_nvic_raw_execution_priority(void *opaque);
+/**
+ * armv7m_nvic_neg_prio_requested: return true if the requested execution
+ * priority is negative for the specified security state.
+ * @opaque: the NVIC
+ * @secure: the security state to test
+ * This corresponds to the pseudocode IsReqExecPriNeg().
+ */
+#ifndef CONFIG_USER_ONLY
+bool armv7m_nvic_neg_prio_requested(void *opaque, bool secure);
+#else
+static inline bool armv7m_nvic_neg_prio_requested(void *opaque, bool secure)
+{
+    return false;
+}
+#endif
 
 /* Interface for defining coprocessor registers.
  * Registers are defined in tables of arm_cp_reginfo structs
@@ -XXX,XX +XXX,XX @@ static inline int cpu_mmu_index(CPUARMState *env, bool ifetch)
     if (arm_feature(env, ARM_FEATURE_M)) {
         ARMMMUIdx mmu_idx = el == 0 ? ARMMMUIdx_MUser : ARMMMUIdx_MPriv;
 
-        /* Execution priority is negative if FAULTMASK is set or
-         * we're in a HardFault or NMI handler.
-         */
-        if ((env->v7m.exception > 0 && env->v7m.exception <= 3)
-            || env->v7m.faultmask[env->v7m.secure]) {
+        if (armv7m_nvic_neg_prio_requested(env->nvic, env->v7m.secure)) {
             mmu_idx = ARMMMUIdx_MNegPri;
         }
 
diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static inline int nvic_exec_prio(NVICState *s)
     return MIN(running, s->exception_prio);
 }
 
+bool armv7m_nvic_neg_prio_requested(void *opaque, bool secure)
+{
+    /* Return true if the requested execution priority is negative
+     * for the specified security state, ie that security state
+     * has an active NMI or HardFault or has set its FAULTMASK.
+     * Note that this is not the same as whether the execution
+     * priority is actually negative (for instance AIRCR.PRIS may
+     * mean we don't allow FAULTMASK_NS to actually make the execution
+     * priority negative). Compare pseudocode IsReqExcPriNeg().
+     */
+    NVICState *s = opaque;
+
+    if (s->cpu->env.v7m.faultmask[secure]) {
+        return true;
+    }
+
+    if (secure ? s->sec_vectors[ARMV7M_EXCP_HARD].active :
+        s->vectors[ARMV7M_EXCP_HARD].active) {
+        return true;
+    }
+
+    if (s->vectors[ARMV7M_EXCP_NMI].active &&
+        exc_targets_secure(s, ARMV7M_EXCP_NMI) == secure) {
+        return true;
+    }
+
+    return false;
+}
+
 bool armv7m_nvic_can_take_pending_exception(void *opaque)
 {
     NVICState *s = opaque;
-- 
2.7.4

The ICSR NVIC register is banked for v8M. This doesn't
require any new state, but it does mean that some bits
are controlled by BFHNFNMINS and some bits must work
with the correct banked exception. There is also a new
in v8M PENDNMICLR bit.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505240046-11454-18-git-send-email-peter.maydell@linaro.org
---
 hw/intc/armv7m_nvic.c | 45 ++++++++++++++++++++++++++++++++-------------
 1 file changed, 32 insertions(+), 13 deletions(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
     }
     case 0xd00: /* CPUID Base.  */
         return cpu->midr;
-    case 0xd04: /* Interrupt Control State.  */
+    case 0xd04: /* Interrupt Control State (ICSR) */
         /* VECTACTIVE */
         val = cpu->env.v7m.exception;
         /* VECTPENDING */
@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
         if (nvic_rettobase(s)) {
             val |= (1 << 11);
         }
-        /* PENDSTSET */
-        if (s->vectors[ARMV7M_EXCP_SYSTICK].pending) {
-            val |= (1 << 26);
-        }
-        /* PENDSVSET */
-        if (s->vectors[ARMV7M_EXCP_PENDSV].pending) {
-            val |= (1 << 28);
+        if (attrs.secure) {
+            /* PENDSTSET */
+            if (s->sec_vectors[ARMV7M_EXCP_SYSTICK].pending) {
+                val |= (1 << 26);
+            }
+            /* PENDSVSET */
+            if (s->sec_vectors[ARMV7M_EXCP_PENDSV].pending) {
+                val |= (1 << 28);
+            }
+        } else {
+            /* PENDSTSET */
+            if (s->vectors[ARMV7M_EXCP_SYSTICK].pending) {
+                val |= (1 << 26);
+            }
+            /* PENDSVSET */
+            if (s->vectors[ARMV7M_EXCP_PENDSV].pending) {
+                val |= (1 << 28);
+            }
         }
         /* NMIPENDSET */
-        if (s->vectors[ARMV7M_EXCP_NMI].pending) {
+        if ((cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) &&
+            s->vectors[ARMV7M_EXCP_NMI].pending) {
             val |= (1 << 31);
         }
-        /* ISRPREEMPT not implemented */
+        /* ISRPREEMPT: RES0 when halting debug not implemented */
+        /* STTNS: RES0 for the Main Extension */
         return val;
     case 0xd08: /* Vector Table Offset.  */
         return cpu->env.v7m.vecbase[attrs.secure];
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
         nvic_irq_update(s);
         break;
     }
-    case 0xd04: /* Interrupt Control State.  */
-        if (value & (1 << 31)) {
-            armv7m_nvic_set_pending(s, ARMV7M_EXCP_NMI, false);
+    case 0xd04: /* Interrupt Control State (ICSR) */
+        if (cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) {
+            if (value & (1 << 31)) {
+                armv7m_nvic_set_pending(s, ARMV7M_EXCP_NMI, false);
+            } else if (value & (1 << 30) &&
+                       arm_feature(&cpu->env, ARM_FEATURE_V8)) {
+                /* PENDNMICLR didn't exist in v7M */
+                armv7m_nvic_clear_pending(s, ARMV7M_EXCP_NMI, false);
+            }
         }
         if (value & (1 << 28)) {
             armv7m_nvic_set_pending(s, ARMV7M_EXCP_PENDSV, attrs.secure);
-- 
2.7.4

Handle banking of SHCSR: some register bits are banked between
Secure and Non-Secure, and some are only accessible to Secure.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505240046-11454-19-git-send-email-peter.maydell@linaro.org
---
 hw/intc/armv7m_nvic.c | 221 ++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 169 insertions(+), 52 deletions(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
         val = cpu->env.v7m.ccr[attrs.secure];
         val |= cpu->env.v7m.ccr[M_REG_NS] & R_V7M_CCR_BFHFNMIGN_MASK;
         return val;
-    case 0xd24: /* System Handler Status.  */
+    case 0xd24: /* System Handler Control and State (SHCSR) */
         val = 0;
-        if (s->vectors[ARMV7M_EXCP_MEM].active) {
-            val |= (1 << 0);
-        }
-        if (s->vectors[ARMV7M_EXCP_BUS].active) {
-            val |= (1 << 1);
-        }
-        if (s->vectors[ARMV7M_EXCP_USAGE].active) {
-            val |= (1 << 3);
+        if (attrs.secure) {
+            if (s->sec_vectors[ARMV7M_EXCP_MEM].active) {
+                val |= (1 << 0);
+            }
+            if (s->sec_vectors[ARMV7M_EXCP_HARD].active) {
+                val |= (1 << 2);
+            }
+            if (s->sec_vectors[ARMV7M_EXCP_USAGE].active) {
+                val |= (1 << 3);
+            }
+            if (s->sec_vectors[ARMV7M_EXCP_SVC].active) {
+                val |= (1 << 7);
+            }
+            if (s->sec_vectors[ARMV7M_EXCP_PENDSV].active) {
+                val |= (1 << 10);
+            }
+            if (s->sec_vectors[ARMV7M_EXCP_SYSTICK].active) {
+                val |= (1 << 11);
+            }
+            if (s->sec_vectors[ARMV7M_EXCP_USAGE].pending) {
+                val |= (1 << 12);
+            }
+            if (s->sec_vectors[ARMV7M_EXCP_MEM].pending) {
+                val |= (1 << 13);
+            }
+            if (s->sec_vectors[ARMV7M_EXCP_SVC].pending) {
+                val |= (1 << 15);
+            }
+            if (s->sec_vectors[ARMV7M_EXCP_MEM].enabled) {
+                val |= (1 << 16);
+            }
+            if (s->sec_vectors[ARMV7M_EXCP_USAGE].enabled) {
+                val |= (1 << 18);
+            }
+            if (s->sec_vectors[ARMV7M_EXCP_HARD].pending) {
+                val |= (1 << 21);
+            }
+            /* SecureFault is not banked but is always RAZ/WI to NS */
+            if (s->vectors[ARMV7M_EXCP_SECURE].active) {
+                val |= (1 << 4);
+            }
+            if (s->vectors[ARMV7M_EXCP_SECURE].enabled) {
+                val |= (1 << 19);
+            }
+            if (s->vectors[ARMV7M_EXCP_SECURE].pending) {
+                val |= (1 << 20);
+            }
+        } else {
+            if (s->vectors[ARMV7M_EXCP_MEM].active) {
+                val |= (1 << 0);
+            }
+            if (arm_feature(&cpu->env, ARM_FEATURE_V8)) {
+                /* HARDFAULTACT, HARDFAULTPENDED not present in v7M */
+                if (s->vectors[ARMV7M_EXCP_HARD].active) {
+                    val |= (1 << 2);
+                }
+                if (s->vectors[ARMV7M_EXCP_HARD].pending) {
+                    val |= (1 << 21);
+                }
+            }
+            if (s->vectors[ARMV7M_EXCP_USAGE].active) {
+                val |= (1 << 3);
+            }
+            if (s->vectors[ARMV7M_EXCP_SVC].active) {
+                val |= (1 << 7);
+            }
+            if (s->vectors[ARMV7M_EXCP_PENDSV].active) {
+                val |= (1 << 10);
+            }
+            if (s->vectors[ARMV7M_EXCP_SYSTICK].active) {
+                val |= (1 << 11);
+            }
+            if (s->vectors[ARMV7M_EXCP_USAGE].pending) {
+                val |= (1 << 12);
+            }
+            if (s->vectors[ARMV7M_EXCP_MEM].pending) {
+                val |= (1 << 13);
+            }
+            if (s->vectors[ARMV7M_EXCP_SVC].pending) {
+                val |= (1 << 15);
+            }
+            if (s->vectors[ARMV7M_EXCP_MEM].enabled) {
+                val |= (1 << 16);
+            }
+            if (s->vectors[ARMV7M_EXCP_USAGE].enabled) {
+                val |= (1 << 18);
+            }
         }
-        if (s->vectors[ARMV7M_EXCP_SVC].active) {
-            val |= (1 << 7);
+        if (attrs.secure || (cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK)) {
+            if (s->vectors[ARMV7M_EXCP_BUS].active) {
+                val |= (1 << 1);
+            }
+            if (s->vectors[ARMV7M_EXCP_BUS].pending) {
+                val |= (1 << 14);
+            }
+            if (s->vectors[ARMV7M_EXCP_BUS].enabled) {
+                val |= (1 << 17);
+            }
+            if (arm_feature(&cpu->env, ARM_FEATURE_V8) &&
+                s->vectors[ARMV7M_EXCP_NMI].active) {
+                /* NMIACT is not present in v7M */
+                val |= (1 << 5);
+            }
         }
+
+        /* TODO: this is RAZ/WI from NS if DEMCR.SDME is set */
         if (s->vectors[ARMV7M_EXCP_DEBUG].active) {
             val |= (1 << 8);
         }
-        if (s->vectors[ARMV7M_EXCP_PENDSV].active) {
-            val |= (1 << 10);
-        }
-        if (s->vectors[ARMV7M_EXCP_SYSTICK].active) {
-            val |= (1 << 11);
-        }
-        if (s->vectors[ARMV7M_EXCP_USAGE].pending) {
-            val |= (1 << 12);
-        }
-        if (s->vectors[ARMV7M_EXCP_MEM].pending) {
-            val |= (1 << 13);
-        }
-        if (s->vectors[ARMV7M_EXCP_BUS].pending) {
-            val |= (1 << 14);
-        }
-        if (s->vectors[ARMV7M_EXCP_SVC].pending) {
-            val |= (1 << 15);
-        }
-        if (s->vectors[ARMV7M_EXCP_MEM].enabled) {
-            val |= (1 << 16);
-        }
-        if (s->vectors[ARMV7M_EXCP_BUS].enabled) {
-            val |= (1 << 17);
-        }
-        if (s->vectors[ARMV7M_EXCP_USAGE].enabled) {
-            val |= (1 << 18);
-        }
         return val;
     case 0xd28: /* Configurable Fault Status.  */
         /* The BFSR bits [15:8] are shared between security states
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
 
         cpu->env.v7m.ccr[attrs.secure] = value;
         break;
-    case 0xd24: /* System Handler Control.  */
-        s->vectors[ARMV7M_EXCP_MEM].active = (value & (1 << 0)) != 0;
-        s->vectors[ARMV7M_EXCP_BUS].active = (value & (1 << 1)) != 0;
-        s->vectors[ARMV7M_EXCP_USAGE].active = (value & (1 << 3)) != 0;
-        s->vectors[ARMV7M_EXCP_SVC].active = (value & (1 << 7)) != 0;
+    case 0xd24: /* System Handler Control and State (SHCSR) */
+        if (attrs.secure) {
+            s->sec_vectors[ARMV7M_EXCP_MEM].active = (value & (1 << 0)) != 0;
+            /* Secure HardFault active bit cannot be written */
+            s->sec_vectors[ARMV7M_EXCP_USAGE].active = (value & (1 << 3)) != 0;
+            s->sec_vectors[ARMV7M_EXCP_SVC].active = (value & (1 << 7)) != 0;
+            s->sec_vectors[ARMV7M_EXCP_PENDSV].active =
+                (value & (1 << 10)) != 0;
+            s->sec_vectors[ARMV7M_EXCP_SYSTICK].active =
+                (value & (1 << 11)) != 0;
+            s->sec_vectors[ARMV7M_EXCP_USAGE].pending =
+                (value & (1 << 12)) != 0;
+            s->sec_vectors[ARMV7M_EXCP_MEM].pending = (value & (1 << 13)) != 0;
+            s->sec_vectors[ARMV7M_EXCP_SVC].pending = (value & (1 << 15)) != 0;
+            s->sec_vectors[ARMV7M_EXCP_MEM].enabled = (value & (1 << 16)) != 0;
+            s->sec_vectors[ARMV7M_EXCP_BUS].enabled = (value & (1 << 17)) != 0;
+            s->sec_vectors[ARMV7M_EXCP_USAGE].enabled =
+                (value & (1 << 18)) != 0;
+            /* SecureFault not banked, but RAZ/WI to NS */
+            s->vectors[ARMV7M_EXCP_SECURE].active = (value & (1 << 4)) != 0;
+            s->vectors[ARMV7M_EXCP_SECURE].enabled = (value & (1 << 19)) != 0;
+            s->vectors[ARMV7M_EXCP_SECURE].pending = (value & (1 << 20)) != 0;
+        } else {
+            s->vectors[ARMV7M_EXCP_MEM].active = (value & (1 << 0)) != 0;
+            if (arm_feature(&cpu->env, ARM_FEATURE_V8)) {
+                /* HARDFAULTPENDED is not present in v7M */
+                s->vectors[ARMV7M_EXCP_HARD].pending = (value & (1 << 21)) != 0;
+            }
+            s->vectors[ARMV7M_EXCP_USAGE].active = (value & (1 << 3)) != 0;
+            s->vectors[ARMV7M_EXCP_SVC].active = (value & (1 << 7)) != 0;
+            s->vectors[ARMV7M_EXCP_PENDSV].active = (value & (1 << 10)) != 0;
+            s->vectors[ARMV7M_EXCP_SYSTICK].active = (value & (1 << 11)) != 0;
+            s->vectors[ARMV7M_EXCP_USAGE].pending = (value & (1 << 12)) != 0;
+            s->vectors[ARMV7M_EXCP_MEM].pending = (value & (1 << 13)) != 0;
+            s->vectors[ARMV7M_EXCP_SVC].pending = (value & (1 << 15)) != 0;
+            s->vectors[ARMV7M_EXCP_MEM].enabled = (value & (1 << 16)) != 0;
+            s->vectors[ARMV7M_EXCP_USAGE].enabled = (value & (1 << 18)) != 0;
+        }
+        if (attrs.secure || (cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK)) {
+            s->vectors[ARMV7M_EXCP_BUS].active = (value & (1 << 1)) != 0;
+            s->vectors[ARMV7M_EXCP_BUS].pending = (value & (1 << 14)) != 0;
+            s->vectors[ARMV7M_EXCP_BUS].enabled = (value & (1 << 17)) != 0;
+        }
+        /* NMIACT can only be written if the write is of a zero, with
+         * BFHFNMINS 1, and by the CPU in secure state via the NS alias.
+         */
+        if (!attrs.secure && cpu->env.v7m.secure &&
+            (cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) &&
+            (value & (1 << 5)) == 0) {
+            s->vectors[ARMV7M_EXCP_NMI].active = 0;
+        }
+        /* HARDFAULTACT can only be written if the write is of a zero
+         * to the non-secure HardFault state by the CPU in secure state.
+         * The only case where we can be targeting the non-secure HF state
+         * when in secure state is if this is a write via the NS alias
+         * and BFHFNMINS is 1.
+         */
+        if (!attrs.secure && cpu->env.v7m.secure &&
+            (cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) &&
+            (value & (1 << 2)) == 0) {
+            s->vectors[ARMV7M_EXCP_HARD].active = 0;
+        }
+
+        /* TODO: this is RAZ/WI from NS if DEMCR.SDME is set */
         s->vectors[ARMV7M_EXCP_DEBUG].active = (value & (1 << 8)) != 0;
-        s->vectors[ARMV7M_EXCP_PENDSV].active = (value & (1 << 10)) != 0;
-        s->vectors[ARMV7M_EXCP_SYSTICK].active = (value & (1 << 11)) != 0;
-        s->vectors[ARMV7M_EXCP_USAGE].pending = (value & (1 << 12)) != 0;
-        s->vectors[ARMV7M_EXCP_MEM].pending = (value & (1 << 13)) != 0;
-        s->vectors[ARMV7M_EXCP_BUS].pending = (value & (1 << 14)) != 0;
-        s->vectors[ARMV7M_EXCP_SVC].pending = (value & (1 << 15)) != 0;
-        s->vectors[ARMV7M_EXCP_MEM].enabled = (value & (1 << 16)) != 0;
-        s->vectors[ARMV7M_EXCP_BUS].enabled = (value & (1 << 17)) != 0;
-        s->vectors[ARMV7M_EXCP_USAGE].enabled = (value & (1 << 18)) != 0;
         nvic_irq_update(s);
         break;
     case 0xd28: /* Configurable Fault Status.  */
-- 
2.7.4

Update armv7m_nvic_acknowledge_irq() and armv7m_nvic_complete_irq()
to handle banked exceptions:
 * acknowledge needs to use the correct vector, which may be
   in sec_vectors[]
 * acknowledge needs to return to its caller whether the
   exception should be taken to secure or non-secure state
 * complete needs its caller to tell it whether the exception
   being completed is a secure one or not

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505240046-11454-20-git-send-email-peter.maydell@linaro.org
---
 target/arm/cpu.h      | 15 +++++++++++++--
 hw/intc/armv7m_nvic.c | 26 ++++++++++++++++++++------
 target/arm/helper.c   |  8 +++++---
 hw/intc/trace-events  |  4 ++--
 4 files changed, 40 insertions(+), 13 deletions(-)

In the A64 decoder, we have a lot of references to section numbers
from version A.a of the v8A ARM ARM (DDI0487). This version of the
document is now long obsolete (we are currently on revision B.a),
and various intervening versions renumbered all the sections.

The most recent B.a version of the document doesn't assign
section numbers at all to the individual instruction classes
in the way that the various A.x versions did. The simplest thing
to do is just to delete all the out of date C.x.x references.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20170915150849.23557-1-peter.maydell@linaro.org
---
 target/arm/translate-a64.c | 227 +++++++++++++++++++++++----------------------
 1 file changed, 114 insertions(+), 113 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline AArch64DecodeFn *lookup_disas_fn(const AArch64DecodeTable *table,
 }
 
 /*
- * the instruction disassembly implemented here matches
- * the instruction encoding classifications in chapter 3 (C3)
- * of the ARM Architecture Reference Manual (DDI0487A_a)
+ * The instruction disassembly implemented here matches
+ * the instruction encoding classifications in chapter C4
+ * of the ARM Architecture Reference Manual (DDI0487B_a);
+ * classification names and decode diagrams here should generally
+ * match up with those in the manual.
  */
 
-/* C3.2.7 Unconditional branch (immediate)
+/* Unconditional branch (immediate)
  *   31  30       26 25                                  0
  * +----+-----------+-------------------------------------+
  * | op | 0 0 1 0 1 |                 imm26               |
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
     uint64_t addr = s->pc + sextract32(insn, 0, 26) * 4 - 4;
 
     if (insn & (1U << 31)) {
-        /* C5.6.26 BL Branch with link */
+        /* BL Branch with link */
         tcg_gen_movi_i64(cpu_reg(s, 30), s->pc);
     }
 
-    /* C5.6.20 B Branch / C5.6.26 BL Branch with link */
+    /* B Branch / BL Branch with link */
     gen_goto_tb(s, 0, addr);
 }
 
-/* C3.2.1 Compare & branch (immediate)
+/* Compare and branch (immediate)
  *   31  30         25  24  23                  5 4      0
  * +----+-------------+----+---------------------+--------+
  * | sf | 0 1 1 0 1 0 | op |         imm19       |   Rt   |
@@ -XXX,XX +XXX,XX @@ static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
     gen_goto_tb(s, 1, addr);
 }
 
-/* C3.2.5 Test & branch (immediate)
+/* Test and branch (immediate)
  *   31  30         25  24  23   19 18          5 4    0
  * +----+-------------+----+-------+-------------+------+
  * | b5 | 0 1 1 0 1 1 | op |  b40  |    imm14    |  Rt  |
@@ -XXX,XX +XXX,XX @@ static void disas_test_b_imm(DisasContext *s, uint32_t insn)
     gen_goto_tb(s, 1, addr);
 }
 
-/* C3.2.2 / C5.6.19 Conditional branch (immediate)
+/* Conditional branch (immediate)
  *  31           25  24  23                  5   4  3    0
  * +---------------+----+---------------------+----+------+
  * | 0 1 0 1 0 1 0 | o1 |         imm19       | o0 | cond |
@@ -XXX,XX +XXX,XX @@ static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
     }
 }
 
-/* C5.6.68 HINT */
+/* HINT instruction group, including various allocated HINTs */
 static void handle_hint(DisasContext *s, uint32_t insn,
                         unsigned int op1, unsigned int op2, unsigned int crm)
 {
@@ -XXX,XX +XXX,XX @@ static void handle_sync(DisasContext *s, uint32_t insn,
     }
 }
 
-/* C5.6.130 MSR (immediate) - move immediate to processor state field */
+/* MSR (immediate) - move immediate to processor state field */
 static void handle_msr_i(DisasContext *s, uint32_t insn,
                          unsigned int op1, unsigned int op2, unsigned int crm)
 {
@@ -XXX,XX +XXX,XX @@ static void gen_set_nzcv(TCGv_i64 tcg_rt)
     tcg_temp_free_i32(nzcv);
 }
 
-/* C5.6.129 MRS - move from system register
- * C5.6.131 MSR (register) - move to system register
- * C5.6.204 SYS
- * C5.6.205 SYSL
+/* MRS - move from system register
+ * MSR (register) - move to system register
+ * SYS
+ * SYSL
  * These are all essentially the same insn in 'read' and 'write'
  * versions, with varying op0 fields.
  */
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
     }
 }
 
-/* C3.2.4 System
+/* System
  *  31                 22 21  20 19 18 16 15   12 11    8 7   5 4    0
  * +---------------------+---+-----+-----+-------+-------+-----+------+
  * | 1 1 0 1 0 1 0 1 0 0 | L | op0 | op1 |  CRn  |  CRm  | op2 |  Rt  |
@@ -XXX,XX +XXX,XX @@ static void disas_system(DisasContext *s, uint32_t insn)
             return;
         }
         switch (crn) {
-        case 2: /* C5.6.68 HINT */
+        case 2: /* HINT (including allocated hints like NOP, YIELD, etc) */
             handle_hint(s, insn, op1, op2, crm);
             break;
         case 3: /* CLREX, DSB, DMB, ISB */
             handle_sync(s, insn, op1, op2, crm);
             break;
-        case 4: /* C5.6.130 MSR (immediate) */
+        case 4: /* MSR (immediate) */
             handle_msr_i(s, insn, op1, op2, crm);
             break;
         default:
@@ -XXX,XX +XXX,XX @@ static void disas_system(DisasContext *s, uint32_t insn)
     handle_sys(s, insn, l, op0, op1, op2, crn, crm, rt);
 }
 
-/* C3.2.3 Exception generation
+/* Exception generation
  *
  *  31             24 23 21 20                     5 4   2 1  0
  * +-----------------+-----+------------------------+-----+----+
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
     }
 }
 
-/* C3.2.7 Unconditional branch (register)
+/* Unconditional branch (register)
  *  31           25 24   21 20   16 15   10 9    5 4     0
  * +---------------+-------+-------+-------+------+-------+
  * | 1 1 0 1 0 1 1 |  opc  |  op2  |  op3  |  Rn  |  op4  |
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
     s->base.is_jmp = DISAS_JUMP;
 }
 
-/* C3.2 Branches, exception generating and system instructions */
+/* Branches, exception generating and system instructions */
 static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 25, 7)) {
@@ -XXX,XX +XXX,XX @@ static bool disas_ldst_compute_iss_sf(int size, bool is_signed, int opc)
     return regsize == 64;
 }
 
-/* C3.3.6 Load/store exclusive
+/* Load/store exclusive
  *
  *  31 30 29         24  23  22   21  20  16  15  14   10 9    5 4    0
  * +-----+-------------+----+---+----+------+----+-------+------+------+
@@ -XXX,XX +XXX,XX @@ static void disas_ldst_excl(DisasContext *s, uint32_t insn)
 }
 
 /*
- * C3.3.5 Load register (literal)
+ * Load register (literal)
  *
  *  31 30 29   27  26 25 24 23                5 4     0
  * +-----+-------+---+-----+-------------------+-------+
@@ -XXX,XX +XXX,XX @@ static void disas_ld_lit(DisasContext *s, uint32_t insn)
 }
 
 /*
- * C5.6.80 LDNP (Load Pair - non-temporal hint)
- * C5.6.81 LDP (Load Pair - non vector)
- * C5.6.82 LDPSW (Load Pair Signed Word - non vector)
- * C5.6.176 STNP (Store Pair - non-temporal hint)
- * C5.6.177 STP (Store Pair - non vector)
- * C6.3.165 LDNP (Load Pair of SIMD&FP - non-temporal hint)
- * C6.3.165 LDP (Load Pair of SIMD&FP)
- * C6.3.284 STNP (Store Pair of SIMD&FP - non-temporal hint)
- * C6.3.284 STP (Store Pair of SIMD&FP)
+ * LDNP (Load Pair - non-temporal hint)
+ * LDP (Load Pair - non vector)
+ * LDPSW (Load Pair Signed Word - non vector)
+ * STNP (Store Pair - non-temporal hint)
+ * STP (Store Pair - non vector)
+ * LDNP (Load Pair of SIMD&FP - non-temporal hint)
+ * LDP (Load Pair of SIMD&FP)
+ * STNP (Store Pair of SIMD&FP - non-temporal hint)
+ * STP (Store Pair of SIMD&FP)
  *
  *  31 30 29   27  26  25 24   23  22 21   15 14   10 9    5 4    0
  * +-----+-------+---+---+-------+---+-----------------------------+
@@ -XXX,XX +XXX,XX @@ static void disas_ldst_pair(DisasContext *s, uint32_t insn)
 }
 
 /*
- * C3.3.8 Load/store (immediate post-indexed)
- * C3.3.9 Load/store (immediate pre-indexed)
- * C3.3.12 Load/store (unscaled immediate)
+ * Load/store (immediate post-indexed)
+ * Load/store (immediate pre-indexed)
+ * Load/store (unscaled immediate)
  *
  * 31 30 29   27  26 25 24 23 22 21  20    12 11 10 9    5 4    0
  * +----+-------+---+-----+-----+---+--------+-----+------+------+
@@ -XXX,XX +XXX,XX @@ static void disas_ldst_reg_imm9(DisasContext *s, uint32_t insn,
 }
 
 /*
- * C3.3.10 Load/store (register offset)
+ * Load/store (register offset)
  *
  * 31 30 29   27  26 25 24 23 22 21  20  16 15 13 12 11 10 9  5 4  0
  * +----+-------+---+-----+-----+---+------+-----+--+-----+----+----+
@@ -XXX,XX +XXX,XX @@ static void disas_ldst_reg_roffset(DisasContext *s, uint32_t insn,
 }
 
 /*
- * C3.3.13 Load/store (unsigned immediate)
+ * Load/store (unsigned immediate)
  *
  * 31 30 29   27  26 25 24 23 22 21        10 9     5
  * +----+-------+---+-----+-----+------------+-------+------+
@@ -XXX,XX +XXX,XX @@ static void disas_ldst_reg(DisasContext *s, uint32_t insn)
     }
 }
 
-/* C3.3.1 AdvSIMD load/store multiple structures
+/* AdvSIMD load/store multiple structures
  *
  *  31  30  29           23 22  21         16 15    12 11  10 9    5 4    0
  * +---+---+---------------+---+-------------+--------+------+------+------+
  * | 0 | Q | 0 0 1 1 0 0 0 | L | 0 0 0 0 0 0 | opcode | size |  Rn  |  Rt  |
  * +---+---+---------------+---+-------------+--------+------+------+------+
  *
- * C3.3.2 AdvSIMD load/store multiple structures (post-indexed)
+ * AdvSIMD load/store multiple structures (post-indexed)
  *
  *  31  30  29           23 22  21  20     16 15    12 11  10 9    5 4    0
  * +---+---+---------------+---+---+---------+--------+------+------+------+
@@ -XXX,XX +XXX,XX @@ static void disas_ldst_multiple_struct(DisasContext *s, uint32_t insn)
     tcg_temp_free_i64(tcg_addr);
 }
 
-/* C3.3.3 AdvSIMD load/store single structure
+/* AdvSIMD load/store single structure
  *
  *  31  30  29           23 22 21 20       16 15 13 12  11  10 9    5 4    0
  * +---+---+---------------+-----+-----------+-----+---+------+------+------+
  * | 0 | Q | 0 0 1 1 0 1 0 | L R | 0 0 0 0 0 | opc | S | size |  Rn  |  Rt  |
  * +---+---+---------------+-----+-----------+-----+---+------+------+------+
  *
- * C3.3.4 AdvSIMD load/store single structure (post-indexed)
+ * AdvSIMD load/store single structure (post-indexed)
  *
  *  31  30  29           23 22 21 20       16 15 13 12  11  10 9    5 4    0
  * +---+---+---------------+-----+-----------+-----+---+------+------+------+
@@ -XXX,XX +XXX,XX @@ static void disas_ldst_single_struct(DisasContext *s, uint32_t insn)
     tcg_temp_free_i64(tcg_addr);
 }
 
-/* C3.3 Loads and stores */
+/* Loads and stores */
 static void disas_ldst(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 24, 6)) {
@@ -XXX,XX +XXX,XX @@ static void disas_ldst(DisasContext *s, uint32_t insn)
     }
 }
 
-/* C3.4.6 PC-rel. addressing
+/* PC-rel. addressing
  *   31  30   29 28       24 23                5 4    0
  * +----+-------+-----------+-------------------+------+
  * | op | immlo | 1 0 0 0 0 |       immhi       |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_pc_rel_adr(DisasContext *s, uint32_t insn)
 }
 
 /*
- * C3.4.1 Add/subtract (immediate)
+ * Add/subtract (immediate)
  *
  *  31 30 29 28       24 23 22 21         10 9   5 4   0
  * +--+--+--+-----------+-----+-------------+-----+-----+
@@ -XXX,XX +XXX,XX @@ static bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,
     return true;
 }
 
-/* C3.4.4 Logical (immediate)
+/* Logical (immediate)
  *   31  30 29 28         23 22  21  16 15  10 9    5 4    0
  * +----+-----+-------------+---+------+------+------+------+
  * | sf | opc | 1 0 0 1 0 0 | N | immr | imms |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_logic_imm(DisasContext *s, uint32_t insn)
 }
 
 /*
- * C3.4.5 Move wide (immediate)
+ * Move wide (immediate)
  *
  *  31 30 29 28         23 22 21 20             5 4    0
  * +--+-----+-------------+-----+----------------+------+
@@ -XXX,XX +XXX,XX @@ static void disas_movw_imm(DisasContext *s, uint32_t insn)
     }
 }
 
-/* C3.4.2 Bitfield
+/* Bitfield
  *   31  30 29 28         23 22  21  16 15  10 9    5 4    0
  * +----+-----+-------------+---+------+------+------+------+
  * | sf | opc | 1 0 0 1 1 0 | N | immr | imms |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_bitfield(DisasContext *s, uint32_t insn)
     }
 }
 
-/* C3.4.3 Extract
+/* Extract
  *   31  30  29 28         23 22   21  20  16 15    10 9    5 4    0
  * +----+------+-------------+---+----+------+--------+------+------+
  * | sf | op21 | 1 0 0 1 1 1 | N | o0 |  Rm  |  imms  |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
     }
 }
 
-/* C3.4 Data processing - immediate */
+/* Data processing - immediate */
 static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 23, 6)) {
@@ -XXX,XX +XXX,XX @@ static void shift_reg_imm(TCGv_i64 dst, TCGv_i64 src, int sf,
     }
 }
 
-/* C3.5.10 Logical (shifted register)
+/* Logical (shifted register)
  *   31  30 29 28       24 23   22 21  20  16 15    10 9    5 4    0
  * +----+-----+-----------+-------+---+------+--------+------+------+
  * | sf | opc | 0 1 0 1 0 | shift | N |  Rm  |  imm6  |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_logic_reg(DisasContext *s, uint32_t insn)
 }
 
 /*
- * C3.5.1 Add/subtract (extended register)
+ * Add/subtract (extended register)
  *
  *  31|30|29|28       24|23 22|21|20   16|15  13|12  10|9  5|4  0|
  * +--+--+--+-----------+-----+--+-------+------+------+----+----+
@@ -XXX,XX +XXX,XX @@ static void disas_add_sub_ext_reg(DisasContext *s, uint32_t insn)
 }
 
 /*
- * C3.5.2 Add/subtract (shifted register)
+ * Add/subtract (shifted register)
  *
  *  31 30 29 28       24 23 22 21 20   16 15     10 9    5 4    0
  * +--+--+--+-----------+-----+--+-------+---------+------+------+
@@ -XXX,XX +XXX,XX @@ static void disas_add_sub_reg(DisasContext *s, uint32_t insn)
     tcg_temp_free_i64(tcg_result);
 }
 
-/* C3.5.9 Data-processing (3 source)
-
-   31 30  29 28       24 23 21  20  16  15  14  10 9    5 4    0
-  +--+------+-----------+------+------+----+------+------+------+
-  |sf| op54 | 1 1 0 1 1 | op31 |  Rm  | o0 |  Ra  |  Rn  |  Rd  |
-  +--+------+-----------+------+------+----+------+------+------+
-
+/* Data-processing (3 source)
+ *
+ *    31 30  29 28       24 23 21  20  16  15  14  10 9    5 4    0
+ *  +--+------+-----------+------+------+----+------+------+------+
+ *  |sf| op54 | 1 1 0 1 1 | op31 |  Rm  | o0 |  Ra  |  Rn  |  Rd  |
+ *  +--+------+-----------+------+------+----+------+------+------+
  */
 static void disas_data_proc_3src(DisasContext *s, uint32_t insn)
 {
@@ -XXX,XX +XXX,XX @@ static void disas_data_proc_3src(DisasContext *s, uint32_t insn)
     tcg_temp_free_i64(tcg_tmp);
 }
 
-/* C3.5.3 - Add/subtract (with carry)
+/* Add/subtract (with carry)
  *  31 30 29 28 27 26 25 24 23 22 21  20  16  15   10  9    5 4   0
  * +--+--+--+------------------------+------+---------+------+-----+
  * |sf|op| S| 1  1  0  1  0  0  0  0 |  rm  | opcode2 |  Rn  |  Rd |
@@ -XXX,XX +XXX,XX @@ static void disas_adc_sbc(DisasContext *s, uint32_t insn)
     }
 }
 
-/* C3.5.4 - C3.5.5 Conditional compare (immediate / register)
+/* Conditional compare (immediate / register)
  *  31 30 29 28 27 26 25 24 23 22 21  20    16 15  12  11  10  9   5  4 3   0
  * +--+--+--+------------------------+--------+------+----+--+------+--+-----+
  * |sf|op| S| 1  1  0  1  0  0  1  0 |imm5/rm | cond |i/r |o2|  Rn  |o3|nzcv |
@@ -XXX,XX +XXX,XX @@ static void disas_cc(DisasContext *s, uint32_t insn)
     tcg_temp_free_i32(tcg_t2);
 }
 
-/* C3.5.6 Conditional select
+/* Conditional select
  *   31   30  29  28             21 20  16 15  12 11 10 9    5 4    0
  * +----+----+---+-----------------+------+------+-----+------+------+
  * | sf | op | S | 1 1 0 1 0 1 0 0 |  Rm  | cond | op2 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void handle_rbit(DisasContext *s, unsigned int sf,
     }
 }
 
-/* C5.6.149 REV with sf==1, opcode==3 ("REV64") */
+/* REV with sf==1, opcode==3 ("REV64") */
 static void handle_rev64(DisasContext *s, unsigned int sf,
                          unsigned int rn, unsigned int rd)
 {
@@ -XXX,XX +XXX,XX @@ static void handle_rev64(DisasContext *s, unsigned int sf,
     tcg_gen_bswap64_i64(cpu_reg(s, rd), cpu_reg(s, rn));
 }
 
-/* C5.6.149 REV with sf==0, opcode==2
- * C5.6.151 REV32 (sf==1, opcode==2)
+/* REV with sf==0, opcode==2
+ * REV32 (sf==1, opcode==2)
  */
 static void handle_rev32(DisasContext *s, unsigned int sf,
                          unsigned int rn, unsigned int rd)
@@ -XXX,XX +XXX,XX @@ static void handle_rev32(DisasContext *s, unsigned int sf,
     }
 }
 
-/* C5.6.150 REV16 (opcode==1) */
+/* REV16 (opcode==1) */
 static void handle_rev16(DisasContext *s, unsigned int sf,
                          unsigned int rn, unsigned int rd)
 {
@@ -XXX,XX +XXX,XX @@ static void handle_rev16(DisasContext *s, unsigned int sf,
     tcg_temp_free_i64(tcg_tmp);
 }
 
-/* C3.5.7 Data-processing (1 source)
+/* Data-processing (1 source)
  *   31  30  29  28             21 20     16 15    10 9    5 4    0
  * +----+---+---+-----------------+---------+--------+------+------+
  * | sf | 1 | S | 1 1 0 1 0 1 1 0 | opcode2 | opcode |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void handle_div(DisasContext *s, bool is_signed, unsigned int sf,
     }
 }
 
-/* C5.6.115 LSLV, C5.6.118 LSRV, C5.6.17 ASRV, C5.6.154 RORV */
+/* LSLV, LSRV, ASRV, RORV */
 static void handle_shift_reg(DisasContext *s,
                              enum a64_shift_type shift_type, unsigned int sf,
                              unsigned int rm, unsigned int rn, unsigned int rd)
@@ -XXX,XX +XXX,XX @@ static void handle_crc32(DisasContext *s,
     tcg_temp_free_i32(tcg_bytes);
 }
 
-/* C3.5.8 Data-processing (2 source)
+/* Data-processing (2 source)
  *   31   30  29 28             21 20  16 15    10 9    5 4    0
  * +----+---+---+-----------------+------+--------+------+------+
  * | sf | 0 | S | 1 1 0 1 0 1 1 0 |  Rm  | opcode |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_data_proc_2src(DisasContext *s, uint32_t insn)
     }
 }
 
-/* C3.5 Data processing - register */
+/* Data processing - register */
 static void disas_data_proc_reg(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 24, 5)) {
@@ -XXX,XX +XXX,XX @@ static void handle_fp_compare(DisasContext *s, bool is_double,
     tcg_temp_free_i64(tcg_flags);
 }
 
-/* C3.6.22 Floating point compare
+/* Floating point compare
  *   31  30  29 28       24 23  22  21 20  16 15 14 13  10    9    5 4     0
  * +---+---+---+-----------+------+---+------+-----+---------+------+-------+
  * | M | 0 | S | 1 1 1 1 0 | type | 1 |  Rm  | op  | 1 0 0 0 |  Rn  |  op2  |
@@ -XXX,XX +XXX,XX @@ static void disas_fp_compare(DisasContext *s, uint32_t insn)
     handle_fp_compare(s, type, rn, rm, opc & 1, opc & 2);
 }
 
-/* C3.6.23 Floating point conditional compare
+/* Floating point conditional compare
  *   31  30  29 28       24 23  22  21 20  16 15  12 11 10 9    5  4   3    0
  * +---+---+---+-----------+------+---+------+------+-----+------+----+------+
  * | M | 0 | S | 1 1 1 1 0 | type | 1 |  Rm  | cond | 0 1 |  Rn  | op | nzcv |
@@ -XXX,XX +XXX,XX @@ static void disas_fp_ccomp(DisasContext *s, uint32_t insn)
     }
 }
 
-/* C3.6.24 Floating point conditional select
+/* Floating point conditional select
  *   31  30  29 28       24 23  22  21 20  16 15  12 11 10 9    5 4    0
  * +---+---+---+-----------+------+---+------+------+-----+------+------+
  * | M | 0 | S | 1 1 1 1 0 | type | 1 |  Rm  | cond | 1 1 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_fp_csel(DisasContext *s, uint32_t insn)
     tcg_temp_free_i64(t_true);
 }
 
-/* C3.6.25 Floating-point data-processing (1 source) - single precision */
+/* Floating-point data-processing (1 source) - single precision */
 static void handle_fp_1src_single(DisasContext *s, int opcode, int rd, int rn)
 {
     TCGv_ptr fpst;
@@ -XXX,XX +XXX,XX @@ static void handle_fp_1src_single(DisasContext *s, int opcode, int rd, int rn)
     tcg_temp_free_i32(tcg_res);
 }
 
-/* C3.6.25 Floating-point data-processing (1 source) - double precision */
+/* Floating-point data-processing (1 source) - double precision */
 static void handle_fp_1src_double(DisasContext *s, int opcode, int rd, int rn)
 {
     TCGv_ptr fpst;
@@ -XXX,XX +XXX,XX @@ static void handle_fp_fcvt(DisasContext *s, int opcode,
     }
 }
 
-/* C3.6.25 Floating point data-processing (1 source)
+/* Floating point data-processing (1 source)
  *   31  30  29 28       24 23  22  21 20    15 14       10 9    5 4    0
  * +---+---+---+-----------+------+---+--------+-----------+------+------+
  * | M | 0 | S | 1 1 1 1 0 | type | 1 | opcode | 1 0 0 0 0 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_fp_1src(DisasContext *s, uint32_t insn)
     }
 }
 
-/* C3.6.26 Floating-point data-processing (2 source) - single precision */
+/* Floating-point data-processing (2 source) - single precision */
 static void handle_fp_2src_single(DisasContext *s, int opcode,
                                   int rd, int rn, int rm)
 {
@@ -XXX,XX +XXX,XX @@ static void handle_fp_2src_single(DisasContext *s, int opcode,
     tcg_temp_free_i32(tcg_res);
 }
 
-/* C3.6.26 Floating-point data-processing (2 source) - double precision */
+/* Floating-point data-processing (2 source) - double precision */
 static void handle_fp_2src_double(DisasContext *s, int opcode,
                                   int rd, int rn, int rm)
 {
@@ -XXX,XX +XXX,XX @@ static void handle_fp_2src_double(DisasContext *s, int opcode,
     tcg_temp_free_i64(tcg_res);
 }
 
-/* C3.6.26 Floating point data-processing (2 source)
+/* Floating point data-processing (2 source)
  *   31  30  29 28       24 23  22  21 20  16 15    12 11 10 9    5 4    0
  * +---+---+---+-----------+------+---+------+--------+-----+------+------+
  * | M | 0 | S | 1 1 1 1 0 | type | 1 |  Rm  | opcode | 1 0 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_fp_2src(DisasContext *s, uint32_t insn)
     }
 }
 
-/* C3.6.27 Floating-point data-processing (3 source) - single precision */
+/* Floating-point data-processing (3 source) - single precision */
 static void handle_fp_3src_single(DisasContext *s, bool o0, bool o1,
                                   int rd, int rn, int rm, int ra)
 {
@@ -XXX,XX +XXX,XX @@ static void handle_fp_3src_single(DisasContext *s, bool o0, bool o1,
     tcg_temp_free_i32(tcg_res);
 }
 
-/* C3.6.27 Floating-point data-processing (3 source) - double precision */
+/* Floating-point data-processing (3 source) - double precision */
 static void handle_fp_3src_double(DisasContext *s, bool o0, bool o1,
                                   int rd, int rn, int rm, int ra)
 {
@@ -XXX,XX +XXX,XX @@ static void handle_fp_3src_double(DisasContext *s, bool o0, bool o1,
     tcg_temp_free_i64(tcg_res);
 }
 
-/* C3.6.27 Floating point data-processing (3 source)
+/* Floating point data-processing (3 source)
  *   31  30  29 28       24 23  22  21  20  16  15  14  10 9    5 4    0
  * +---+---+---+-----------+------+----+------+----+------+------+------+
  * | M | 0 | S | 1 1 1 1 1 | type | o1 |  Rm  | o0 |  Ra  |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_fp_3src(DisasContext *s, uint32_t insn)
     }
 }
 
-/* C3.6.28 Floating point immediate
+/* Floating point immediate
  *   31  30  29 28       24 23  22  21 20        13 12   10 9    5 4    0
  * +---+---+---+-----------+------+---+------------+-------+------+------+
  * | M | 0 | S | 1 1 1 1 0 | type | 1 |    imm8    | 1 0 0 | imm5 |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void handle_fpfpcvt(DisasContext *s, int rd, int rn, int opcode,
     tcg_temp_free_i32(tcg_shift);
 }
 
-/* C3.6.29 Floating point <-> fixed point conversions
+/* Floating point <-> fixed point conversions
  *   31   30  29 28       24 23  22  21 20   19 18    16 15   10 9    5 4    0
  * +----+---+---+-----------+------+---+-------+--------+-------+------+------+
  * | sf | 0 | S | 1 1 1 1 0 | type | 0 | rmode | opcode | scale |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void handle_fmov(DisasContext *s, int rd, int rn, int type, bool itof)
     }
 }
 
-/* C3.6.30 Floating point <-> integer conversions
+/* Floating point <-> integer conversions
  *   31   30  29 28       24 23  22  21 20   19 18 16 15         10 9  5 4  0
  * +----+---+---+-----------+------+---+-------+-----+-------------+----+----+
  * | sf | 0 | S | 1 1 1 1 0 | type | 1 | rmode | opc | 0 0 0 0 0 0 | Rn | Rd |
@@ -XXX,XX +XXX,XX @@ static void do_ext64(DisasContext *s, TCGv_i64 tcg_left, TCGv_i64 tcg_right,
     tcg_temp_free_i64(tcg_tmp);
 }
 
-/* C3.6.1 EXT
+/* EXT
  *   31  30 29         24 23 22  21 20  16 15  14  11 10  9    5 4    0
  * +---+---+-------------+-----+---+------+---+------+---+------+------+
  * | 0 | Q | 1 0 1 1 1 0 | op2 | 0 |  Rm  | 0 | imm4 | 0 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_simd_ext(DisasContext *s, uint32_t insn)
     tcg_temp_free_i64(tcg_resh);
 }
 
-/* C3.6.2 TBL/TBX
+/* TBL/TBX
  *   31  30 29         24 23 22  21 20  16 15  14 13  12  11 10 9    5 4    0
  * +---+---+-------------+-----+---+------+---+-----+----+-----+------+------+
  * | 0 | Q | 0 0 1 1 1 0 | op2 | 0 |  Rm  | 0 | len | op | 0 0 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_simd_tb(DisasContext *s, uint32_t insn)
     tcg_temp_free_i64(tcg_resh);
 }
 
-/* C3.6.3 ZIP/UZP/TRN
+/* ZIP/UZP/TRN
  *   31  30 29         24 23  22  21 20   16 15 14 12 11 10 9    5 4    0
  * +---+---+-------------+------+---+------+---+------------------+------+
  * | 0 | Q | 0 0 1 1 1 0 | size | 0 |  Rm  | 0 | opc | 1 0 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void do_minmaxop(DisasContext *s, TCGv_i32 tcg_elt1, TCGv_i32 tcg_elt2,
     }
 }
 
-/* C3.6.4 AdvSIMD across lanes
+/* AdvSIMD across lanes
  *   31  30  29 28       24 23  22 21       17 16    12 11 10 9    5 4    0
  * +---+---+---+-----------+------+-----------+--------+-----+------+------+
  * | 0 | Q | U | 0 1 1 1 0 | size | 1 1 0 0 0 | opcode | 1 0 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_simd_across_lanes(DisasContext *s, uint32_t insn)
     tcg_temp_free_i64(tcg_res);
 }
 
-/* C6.3.31 DUP (Element, Vector)
+/* DUP (Element, Vector)
  *
  *  31  30   29              21 20    16 15        10  9    5 4    0
  * +---+---+-------------------+--------+-------------+------+------+
@@ -XXX,XX +XXX,XX @@ static void handle_simd_dupe(DisasContext *s, int is_q, int rd, int rn,
     tcg_temp_free_i64(tmp);
 }
 
-/* C6.3.31 DUP (element, scalar)
+/* DUP (element, scalar)
  *  31                   21 20    16 15        10  9    5 4    0
  * +-----------------------+--------+-------------+------+------+
  * | 0 1 0 1 1 1 1 0 0 0 0 |  imm5  | 0 0 0 0 0 1 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void handle_simd_dupes(DisasContext *s, int rd, int rn,
     tcg_temp_free_i64(tmp);
 }
 
-/* C6.3.32 DUP (General)
+/* DUP (General)
  *
  *  31  30   29              21 20    16 15        10  9    5 4    0
  * +---+---+-------------------+--------+-------------+------+------+
@@ -XXX,XX +XXX,XX @@ static void handle_simd_dupg(DisasContext *s, int is_q, int rd, int rn,
     }
 }
 
-/* C6.3.150 INS (Element)
+/* INS (Element)
  *
  *  31                   21 20    16 15  14    11  10 9    5 4    0
  * +-----------------------+--------+------------+---+------+------+
@@ -XXX,XX +XXX,XX @@ static void handle_simd_inse(DisasContext *s, int rd, int rn,
 }
 
 
-/* C6.3.151 INS (General)
+/* INS (General)
  *
  *  31                   21 20    16 15        10  9    5 4    0
  * +-----------------------+--------+-------------+------+------+
@@ -XXX,XX +XXX,XX @@ static void handle_simd_insg(DisasContext *s, int rd, int rn, int imm5)
 }
 
 /*
- * C6.3.321 UMOV (General)
- * C6.3.237 SMOV (General)
+ * UMOV (General)
+ * SMOV (General)
  *
  *  31  30   29              21 20    16 15    12   10 9    5 4    0
  * +---+---+-------------------+--------+-------------+------+------+
@@ -XXX,XX +XXX,XX @@ static void handle_simd_umov_smov(DisasContext *s, int is_q, int is_signed,
     }
 }
 
-/* C3.6.5 AdvSIMD copy
+/* AdvSIMD copy
  *   31  30  29  28             21 20  16 15  14  11 10  9    5 4    0
  * +---+---+----+-----------------+------+---+------+---+------+------+
  * | 0 | Q | op | 0 1 1 1 0 0 0 0 | imm5 | 0 | imm4 | 1 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_simd_copy(DisasContext *s, uint32_t insn)
     }
 }
 
-/* C3.6.6 AdvSIMD modified immediate
+/* AdvSIMD modified immediate
  *  31  30   29  28                 19 18 16 15   12  11  10  9     5 4    0
  * +---+---+----+---------------------+-----+-------+----+---+-------+------+
  * | 0 | Q | op | 0 1 1 1 1 0 0 0 0 0 | abc | cmode | o2 | 1 | defgh |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_simd_mod_imm(DisasContext *s, uint32_t insn)
     tcg_temp_free_i64(tcg_imm);
 }
 
-/* C3.6.7 AdvSIMD scalar copy
+/* AdvSIMD scalar copy
  *  31 30  29  28             21 20  16 15  14  11 10  9    5 4    0
  * +-----+----+-----------------+------+---+------+---+------+------+
  * | 0 1 | op | 1 1 1 1 0 0 0 0 | imm5 | 0 | imm4 | 1 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_simd_scalar_copy(DisasContext *s, uint32_t insn)
     handle_simd_dupes(s, rd, rn, imm5);
 }
 
-/* C3.6.8 AdvSIMD scalar pairwise
+/* AdvSIMD scalar pairwise
  *  31 30  29 28       24 23  22 21       17 16    12 11 10 9    5 4    0
  * +-----+---+-----------+------+-----------+--------+-----+------+------+
  * | 0 1 | U | 1 1 1 1 0 | size | 1 1 0 0 0 | opcode | 1 0 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void handle_simd_shift_fpint_conv(DisasContext *s, bool is_scalar,
     tcg_temp_free_i32(tcg_rmode);
 }
 
-/* C3.6.9 AdvSIMD scalar shift by immediate
+/* AdvSIMD scalar shift by immediate
  *  31 30  29 28         23 22  19 18  16 15    11  10 9    5 4    0
  * +-----+---+-------------+------+------+--------+---+------+------+
  * | 0 1 | U | 1 1 1 1 1 0 | immh | immb | opcode | 1 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_simd_scalar_shift_imm(DisasContext *s, uint32_t insn)
     }
 }
 
-/* C3.6.10 AdvSIMD scalar three different
+/* AdvSIMD scalar three different
  *  31 30  29 28       24 23  22  21 20  16 15    12 11 10 9    5 4    0
  * +-----+---+-----------+------+---+------+--------+-----+------+------+
  * | 0 1 | U | 1 1 1 1 0 | size | 1 |  Rm  | opcode | 0 0 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void handle_3same_float(DisasContext *s, int size, int elements,
     }
 }
 
-/* C3.6.11 AdvSIMD scalar three same
+/* AdvSIMD scalar three same
  *  31 30  29 28       24 23  22  21 20  16 15    11  10 9    5 4    0
  * +-----+---+-----------+------+---+------+--------+---+------+------+
  * | 0 1 | U | 1 1 1 1 0 | size | 1 |  Rm  | opcode | 1 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void handle_2misc_satacc(DisasContext *s, bool is_scalar, bool is_u,
     }
 }
 
-/* C3.6.12 AdvSIMD scalar two reg misc
+/* AdvSIMD scalar two reg misc
  *  31 30  29 28       24 23  22 21       17 16    12 11 10 9    5 4    0
  * +-----+---+-----------+------+-----------+--------+-----+------+------+
  * | 0 1 | U | 1 1 1 1 0 | size | 1 0 0 0 0 | opcode | 1 0 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void handle_vec_simd_shrn(DisasContext *s, bool is_q,
 }
 
 
-/* C3.6.14 AdvSIMD shift by immediate
+/* AdvSIMD shift by immediate
  *  31  30   29 28         23 22  19 18  16 15    11  10 9    5 4    0
  * +---+---+---+-------------+------+------+--------+---+------+------+
  * | 0 | Q | U | 0 1 1 1 1 0 | immh | immb | opcode | 1 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void handle_pmull_64(DisasContext *s, int is_q, int rd, int rn, int rm)
     tcg_temp_free_i64(tcg_res);
 }
 
-/* C3.6.15 AdvSIMD three different
+/* AdvSIMD three different
  *   31  30  29 28       24 23  22  21 20  16 15    12 11 10 9    5 4    0
  * +---+---+---+-----------+------+---+------+--------+-----+------+------+
  * | 0 | Q | U | 0 1 1 1 0 | size | 1 |  Rm  | opcode | 0 0 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
     }
 }
 
-/* C3.6.16 AdvSIMD three same
+/* AdvSIMD three same
  *  31  30  29  28       24 23  22  21 20  16 15    11  10 9    5 4    0
  * +---+---+---+-----------+------+---+------+--------+---+------+------+
  * | 0 | Q | U | 0 1 1 1 0 | size | 1 |  Rm  | opcode | 1 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void handle_shll(DisasContext *s, bool is_q, int size, int rn, int rd)
     }
 }
 
-/* C3.6.17 AdvSIMD two reg misc
+/* AdvSIMD two reg misc
  *   31  30  29 28       24 23  22 21       17 16    12 11 10 9    5 4    0
  * +---+---+---+-----------+------+-----------+--------+-----+------+------+
  * | 0 | Q | U | 0 1 1 1 0 | size | 1 0 0 0 0 | opcode | 1 0 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_simd_two_reg_misc(DisasContext *s, uint32_t insn)
     }
 }
 
-/* C3.6.13 AdvSIMD scalar x indexed element
+/* AdvSIMD scalar x indexed element
  *  31 30  29 28       24 23  22 21  20  19  16 15 12  11  10 9    5 4    0
  * +-----+---+-----------+------+---+---+------+-----+---+---+------+------+
  * | 0 1 | U | 1 1 1 1 1 | size | L | M |  Rm  | opc | H | 0 |  Rn  |  Rd  |
  * +-----+---+-----------+------+---+---+------+-----+---+---+------+------+
- * C3.6.18 AdvSIMD vector x indexed element
+ * AdvSIMD vector x indexed element
  *   31  30  29 28       24 23  22 21  20  19  16 15 12  11  10 9    5 4    0
  * +---+---+---+-----------+------+---+---+------+-----+---+---+------+------+
  * | 0 | Q | U | 0 1 1 1 1 | size | L | M |  Rm  | opc | H | 0 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_simd_indexed(DisasContext *s, uint32_t insn)
     }
 }
 
-/* C3.6.19 Crypto AES
+/* Crypto AES
  *  31             24 23  22 21       17 16    12 11 10 9    5 4    0
  * +-----------------+------+-----------+--------+-----+------+------+
  * | 0 1 0 0 1 1 1 0 | size | 1 0 1 0 0 | opcode | 1 0 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_crypto_aes(DisasContext *s, uint32_t insn)
     tcg_temp_free_i32(tcg_decrypt);
 }
 
-/* C3.6.20 Crypto three-reg SHA
+/* Crypto three-reg SHA
  *  31             24 23  22  21 20  16  15 14    12 11 10 9    5 4    0
  * +-----------------+------+---+------+---+--------+-----+------+------+
  * | 0 1 0 1 1 1 1 0 | size | 0 |  Rm  | 0 | opcode | 0 0 |  Rn  |  Rd  |
@@ -XXX,XX +XXX,XX @@ static void disas_crypto_three_reg_sha(DisasContext *s, uint32_t insn)
     tcg_temp_free_i32(tcg_rm_regno);
 }
 
-/* C3.6.21 Crypto two-reg SHA
+/* Crypto two-reg SHA
  *  31             24 23  22 21       17 16    12 11 10 9    5 4    0
  * +-----------------+------+-----------+--------+-----+------+------+
  * | 0 1 0 1 1 1 1 0 | size | 1 0 1 0 0 | opcode | 1 0 |  Rn  |  Rd  |
-- 
2.7.4

Update the static_ops functions to use new-style mmio
rather than the legacy old_mmio functions.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505580378-9044-2-git-send-email-peter.maydell@linaro.org
---
 hw/arm/palm.c | 30 ++++++++++--------------------
 1 file changed, 10 insertions(+), 20 deletions(-)

diff --git a/hw/arm/palm.c b/hw/arm/palm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/palm.c
+++ b/hw/arm/palm.c
@@ -XXX,XX +XXX,XX @@
 #include "exec/address-spaces.h"
 #include "cpu.h"
 
-static uint32_t static_readb(void *opaque, hwaddr offset)
+static uint64_t static_read(void *opaque, hwaddr offset, unsigned size)
 {
-    uint32_t *val = (uint32_t *) opaque;
-    return *val >> ((offset & 3) << 3);
-}
+    uint32_t *val = (uint32_t *)opaque;
+    uint32_t sizemask = 7 >> size;
 
-static uint32_t static_readh(void *opaque, hwaddr offset)
-{
-    uint32_t *val = (uint32_t *) opaque;
-    return *val >> ((offset & 1) << 3);
-}
-
-static uint32_t static_readw(void *opaque, hwaddr offset)
-{
-    uint32_t *val = (uint32_t *) opaque;
-    return *val >> ((offset & 0) << 3);
+    return *val >> ((offset & sizemask) << 3);
 }
 
-static void static_write(void *opaque, hwaddr offset,
-                uint32_t value)
+static void static_write(void *opaque, hwaddr offset, uint64_t value,
+                         unsigned size)
 {
 #ifdef SPY
     printf("%s: value %08lx written at " PA_FMT "\n",
@@ -XXX,XX +XXX,XX @@ static void static_write(void *opaque, hwaddr offset,
 }
 
 static const MemoryRegionOps static_ops = {
-    .old_mmio = {
-        .read = { static_readb, static_readh, static_readw, },
-        .write = { static_write, static_write, static_write, },
-    },
+    .read = static_read,
+    .write = static_write,
+    .valid.min_access_size = 1,
+    .valid.max_access_size = 4,
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-- 
2.7.4

Drop the use of old_mmio in the omap2_gpio memory ops.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505580378-9044-3-git-send-email-peter.maydell@linaro.org
---
 hw/gpio/omap_gpio.c | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

diff --git a/hw/gpio/omap_gpio.c b/hw/gpio/omap_gpio.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/gpio/omap_gpio.c
+++ b/hw/gpio/omap_gpio.c
@@ -XXX,XX +XXX,XX @@ static void omap2_gpio_module_write(void *opaque, hwaddr addr,
     }
 }
 
-static uint32_t omap2_gpio_module_readp(void *opaque, hwaddr addr)
+static uint64_t omap2_gpio_module_readp(void *opaque, hwaddr addr,
+                                        unsigned size)
 {
     return omap2_gpio_module_read(opaque, addr & ~3) >> ((addr & 3) << 3);
 }
 
 static void omap2_gpio_module_writep(void *opaque, hwaddr addr,
-                uint32_t value)
+                                     uint64_t value, unsigned size)
 {
     uint32_t cur = 0;
     uint32_t mask = 0xffff;
 
+    if (size == 4) {
+        omap2_gpio_module_write(opaque, addr, value);
+        return;
+    }
+
     switch (addr & ~3) {
     case 0x00:	/* GPIO_REVISION */
     case 0x14:	/* GPIO_SYSSTATUS */
@@ -XXX,XX +XXX,XX @@ static void omap2_gpio_module_writep(void *opaque, hwaddr addr,
 }
 
 static const MemoryRegionOps omap2_gpio_module_ops = {
-    .old_mmio = {
-        .read = {
-            omap2_gpio_module_readp,
-            omap2_gpio_module_readp,
-            omap2_gpio_module_read,
-        },
-        .write = {
-            omap2_gpio_module_writep,
-            omap2_gpio_module_writep,
-            omap2_gpio_module_write,
-        },
-    },
+    .read = omap2_gpio_module_readp,
+    .write = omap2_gpio_module_writep,
+    .valid.min_access_size = 1,
+    .valid.max_access_size = 4,
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-- 
2.7.4

Don't use the old_mmio in the memory region ops struct.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505580378-9044-4-git-send-email-peter.maydell@linaro.org
---
 hw/timer/omap_synctimer.c | 35 +++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 14 deletions(-)

diff --git a/hw/timer/omap_synctimer.c b/hw/timer/omap_synctimer.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/omap_synctimer.c
+++ b/hw/timer/omap_synctimer.c
@@ -XXX,XX +XXX,XX @@ static uint32_t omap_synctimer_readh(void *opaque, hwaddr addr)
     }
 }
 
-static void omap_synctimer_write(void *opaque, hwaddr addr,
-                uint32_t value)
+static uint64_t omap_synctimer_readfn(void *opaque, hwaddr addr,
+                                      unsigned size)
+{
+    switch (size) {
+    case 1:
+        return omap_badwidth_read32(opaque, addr);
+    case 2:
+        return omap_synctimer_readh(opaque, addr);
+    case 4:
+        return omap_synctimer_readw(opaque, addr);
+    default:
+        g_assert_not_reached();
+    }
+}
+
+static void omap_synctimer_writefn(void *opaque, hwaddr addr,
+                                   uint64_t value, unsigned size)
 {
     OMAP_BAD_REG(addr);
 }
 
 static const MemoryRegionOps omap_synctimer_ops = {
-    .old_mmio = {
-        .read = {
-            omap_badwidth_read32,
-            omap_synctimer_readh,
-            omap_synctimer_readw,
-        },
-        .write = {
-            omap_badwidth_write32,
-            omap_synctimer_write,
-            omap_synctimer_write,
-        },
-    },
+    .read = omap_synctimer_readfn,
+    .write = omap_synctimer_writefn,
+    .valid.min_access_size = 1,
+    .valid.max_access_size = 4,
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-- 
2.7.4

Don't use the old_mmio struct in memory region ops.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505580378-9044-5-git-send-email-peter.maydell@linaro.org
---
 hw/timer/omap_gptimer.c | 49 +++++++++++++++++++++++++++++++++++++------------
 1 file changed, 37 insertions(+), 12 deletions(-)

diff --git a/hw/timer/omap_gptimer.c b/hw/timer/omap_gptimer.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/omap_gptimer.c
+++ b/hw/timer/omap_gptimer.c
@@ -XXX,XX +XXX,XX @@ static void omap_gp_timer_writeh(void *opaque, hwaddr addr,
         s->writeh = (uint16_t) value;
 }
 
+static uint64_t omap_gp_timer_readfn(void *opaque, hwaddr addr,
+                                     unsigned size)
+{
+    switch (size) {
+    case 1:
+        return omap_badwidth_read32(opaque, addr);
+    case 2:
+        return omap_gp_timer_readh(opaque, addr);
+    case 4:
+        return omap_gp_timer_readw(opaque, addr);
+    default:
+        g_assert_not_reached();
+    }
+}
+
+static void omap_gp_timer_writefn(void *opaque, hwaddr addr,
+                                  uint64_t value, unsigned size)
+{
+    switch (size) {
+    case 1:
+        omap_badwidth_write32(opaque, addr, value);
+        break;
+    case 2:
+        omap_gp_timer_writeh(opaque, addr, value);
+        break;
+    case 4:
+        omap_gp_timer_write(opaque, addr, value);
+        break;
+    default:
+        g_assert_not_reached();
+    }
+}
+
 static const MemoryRegionOps omap_gp_timer_ops = {
-    .old_mmio = {
-        .read = {
-            omap_badwidth_read32,
-            omap_gp_timer_readh,
-            omap_gp_timer_readw,
-        },
-        .write = {
-            omap_badwidth_write32,
-            omap_gp_timer_writeh,
-            omap_gp_timer_write,
-        },
-    },
+    .read = omap_gp_timer_readfn,
+    .write = omap_gp_timer_writefn,
+    .valid.min_access_size = 1,
+    .valid.max_access_size = 4,
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-- 
2.7.4

Don't use old_mmio in the memory region ops struct.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505580378-9044-6-git-send-email-peter.maydell@linaro.org
---
 hw/i2c/omap_i2c.c | 44 ++++++++++++++++++++++++++++++++------------
 1 file changed, 32 insertions(+), 12 deletions(-)

diff --git a/hw/i2c/omap_i2c.c b/hw/i2c/omap_i2c.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/i2c/omap_i2c.c
+++ b/hw/i2c/omap_i2c.c
@@ -XXX,XX +XXX,XX @@ static void omap_i2c_writeb(void *opaque, hwaddr addr,
     }
 }
 
+static uint64_t omap_i2c_readfn(void *opaque, hwaddr addr,
+                                unsigned size)
+{
+    switch (size) {
+    case 2:
+        return omap_i2c_read(opaque, addr);
+    default:
+        return omap_badwidth_read16(opaque, addr);
+    }
+}
+
+static void omap_i2c_writefn(void *opaque, hwaddr addr,
+                             uint64_t value, unsigned size)
+{
+    switch (size) {
+    case 1:
+        /* Only the last fifo write can be 8 bit. */
+        omap_i2c_writeb(opaque, addr, value);
+        break;
+    case 2:
+        omap_i2c_write(opaque, addr, value);
+        break;
+    default:
+        omap_badwidth_write16(opaque, addr, value);
+        break;
+    }
+}
+
 static const MemoryRegionOps omap_i2c_ops = {
-    .old_mmio = {
-        .read = {
-            omap_badwidth_read16,
-            omap_i2c_read,
-            omap_badwidth_read16,
-        },
-        .write = {
-            omap_i2c_writeb, /* Only the last fifo write can be 8 bit.  */
-            omap_i2c_write,
-            omap_badwidth_write16,
-        },
-    },
+    .read = omap_i2c_readfn,
+    .write = omap_i2c_writefn,
+    .valid.min_access_size = 1,
+    .valid.max_access_size = 4,
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-- 
2.7.4

Don't use old_mmio in the memory region ops struct.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1505580378-9044-7-git-send-email-peter.maydell@linaro.org
---
 hw/arm/omap2.c | 49 +++++++++++++++++++++++++++++++++++++------------
 1 file changed, 37 insertions(+), 12 deletions(-)

diff --git a/hw/arm/omap2.c b/hw/arm/omap2.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/omap2.c
+++ b/hw/arm/omap2.c
@@ -XXX,XX +XXX,XX @@ static void omap_sysctl_write(void *opaque, hwaddr addr,
     }
 }
 
+static uint64_t omap_sysctl_readfn(void *opaque, hwaddr addr,
+                                   unsigned size)
+{
+    switch (size) {
+    case 1:
+        return omap_sysctl_read8(opaque, addr);
+    case 2:
+        return omap_badwidth_read32(opaque, addr); /* TODO */
+    case 4:
+        return omap_sysctl_read(opaque, addr);
+    default:
+        g_assert_not_reached();
+    }
+}
+
+static void omap_sysctl_writefn(void *opaque, hwaddr addr,
+                                uint64_t value, unsigned size)
+{
+    switch (size) {
+    case 1:
+        omap_sysctl_write8(opaque, addr, value);
+        break;
+    case 2:
+        omap_badwidth_write32(opaque, addr, value); /* TODO */
+        break;
+    case 4:
+        omap_sysctl_write(opaque, addr, value);
+        break;
+    default:
+        g_assert_not_reached();
+    }
+}
+
 static const MemoryRegionOps omap_sysctl_ops = {
-    .old_mmio = {
-        .read = {
-            omap_sysctl_read8,
-            omap_badwidth_read32,	/* TODO */
-            omap_sysctl_read,
-        },
-        .write = {
-            omap_sysctl_write8,
-            omap_badwidth_write32,	/* TODO */
-            omap_sysctl_write,
-        },
-    },
+    .read = omap_sysctl_readfn,
+    .write = omap_sysctl_writefn,
+    .valid.min_access_size = 1,
+    .valid.max_access_size = 4,
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-- 
2.7.4