Series comparison

-[Qemu-devel] [PULL 00/13] target-arm queue
+[Qemu-devel] [PULL 00/12] target-arm queue
-target-arm queue:
+Not very much here, but several people have fallen over
- * mostly my latest v8M stuff, plus a couple of minor patches
+the vector operation segfault bug, so let's get the fix
 into master.
-The following changes since commit a0b261db8c030813e30a39eae47359ac2a37f7e2:
+thanks
 -- PMM
-  Merge remote-tracking branch 'remotes/ehabkost/tags/python-next-pull-request' into staging (2017-10-12 10:02:09 +0100)
+The following changes since commit d418238dca7b4e0b124135827ead3076233052b1:
-are available in the git repository at:
+  Merge remote-tracking branch 'remotes/rth/tags/pull-rng-20190522' into staging (2019-05-23 12:57:17 +0100)
-  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20171012
+are available in the Git repository at:
-for you to fetch changes up to cf5f7937b05c84d5565134f058c00cd48304a117:
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190523
-  nvic: Fix miscalculation of offsets into ITNS array (2017-10-12 16:33:16 +0100)
+for you to fetch changes up to 98e4f4fdb8ea05d840f51f47125924c2bb9df2df:
   hw/arm/exynos4210: QOM'ify the Exynos4210 SoC (2019-05-23 14:47:44 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * v8M: SG, BLXNS, secure-return
+ * exynos4210: QOM'ify the Exynos4210 SoC
- * v8M: fixes for coverity issues in previous patches
+ * exynos4210: Add DMA support for the Exynos4210
- * arm: fix armv7m_init() declaration to match definition
+ * arm_gicv3: Fix writes to ICC_CTLR_EL3
- * watchdog/aspeed: fix variable type to store reload value
+ * arm_gicv3: Fix write of ICH_VMCR_EL2.{VBPR0, VBPR1}
  * target/arm: Fix vector operation segfault
  * target/arm: Minor improvements to BFXIL, EXTR
 ----------------------------------------------------------------
-Cédric Le Goater (1):
+Alistair Francis (1):
-      watchdog/aspeed: fix variable type to store reload value
+      target/arm: Fix vector operation segfault
-Igor Mammedov (1):
+Guenter Roeck (1):
-      arm: fix armv7m_init() declaration to match definition
+      hw/arm/exynos4210: Add DMA support for the Exynos4210
-Peter Maydell (11):
+Peter Maydell (5):
-      target/arm: Add M profile secure MMU index values to get_a32_user_mem_index()
+      arm: Move system_clock_scale to armv7m_systick.h
-      target/arm: Implement SG instruction
+      arm: Remove unnecessary includes of hw/arm/arm.h
-      target/arm: Implement BLXNS
+      arm: Rename hw/arm/arm.h to hw/arm/boot.h
-      target/arm: Implement secure function return
+      hw/intc/arm_gicv3: Fix write of ICH_VMCR_EL2.{VBPR0, VBPR1}
-      target-arm: Don't check for "Thumb2 or M profile" for not-Thumb1
+      hw/intc/arm_gicv3: Fix writes to ICC_CTLR_EL3
       target/arm: Pull Thumb insn word loads up to top level
       target-arm: Simplify insn_crosses_page()
       target/arm: Support some Thumb insns being always unconditional
       target/arm: Implement SG instruction corner cases
       nvic: Add missing 'break'
       nvic: Fix miscalculation of offsets into ITNS array
- include/hw/arm/arm.h     |   2 +-
+Philippe Mathieu-Daudé (3):
- target/arm/helper.h      |   1 +
+      hw/arm/exynos4: Remove unuseful debug code
- target/arm/internals.h   |   8 ++
+      hw/arm/exynos4: Use the IEC binary prefix definitions
- hw/intc/armv7m_nvic.c    |   5 +-
+      hw/arm/exynos4210: QOM'ify the Exynos4210 SoC
  hw/watchdog/wdt_aspeed.c |   4 +-
  target/arm/helper.c      | 306 ++++++++++++++++++++++++++++++++++++++++++++--
  target/arm/translate.c   | 310 ++++++++++++++++++++++++++++++++---------------
 files changed, 521 insertions(+), 115 deletions(-)
+Richard Henderson (2):
+      target/arm: Use extract2 for EXTR
+      target/arm: Simplify BFXIL expansion
+ include/hw/arm/allwinner-a10.h    |  2 +-
+ include/hw/arm/aspeed_soc.h       |  1 -
+ include/hw/arm/bcm2836.h          |  1 -
+ include/hw/arm/{arm.h => boot.h}  | 12 +++------
+ include/hw/arm/exynos4210.h       |  9 +++++--
+ include/hw/arm/fsl-imx25.h        |  2 +-
+ include/hw/arm/fsl-imx31.h        |  2 +-
+ include/hw/arm/fsl-imx6.h         |  2 +-
+ include/hw/arm/fsl-imx6ul.h       |  2 +-
+ include/hw/arm/fsl-imx7.h         |  2 +-
+ include/hw/arm/virt.h             |  2 +-
+ include/hw/arm/xlnx-versal.h      |  2 +-
+ include/hw/arm/xlnx-zynqmp.h      |  2 +-
+ include/hw/timer/armv7m_systick.h | 22 ++++++++++++++++
+ hw/arm/armsse.c                   |  2 +-
+ hw/arm/armv7m.c                   |  2 +-
+ hw/arm/aspeed.c                   |  2 +-
+ hw/arm/boot.c                     |  2 +-
+ hw/arm/collie.c                   |  2 +-
+ hw/arm/exynos4210.c               | 54 ++++++++++++++++++++++++++++++++++++---
+ hw/arm/exynos4_boards.c           | 40 ++++++++---------------------
+ hw/arm/highbank.c                 |  2 +-
+ hw/arm/integratorcp.c             |  2 +-
+ hw/arm/mainstone.c                |  2 +-
+ hw/arm/microbit.c                 |  2 +-
+ hw/arm/mps2-tz.c                  |  2 +-
+ hw/arm/mps2.c                     |  2 +-
+ hw/arm/msf2-soc.c                 |  1 -
+ hw/arm/msf2-som.c                 |  2 +-
+ hw/arm/musca.c                    |  2 +-
+ hw/arm/musicpal.c                 |  2 +-
+ hw/arm/netduino2.c                |  2 +-
+ hw/arm/nrf51_soc.c                |  2 +-
+ hw/arm/nseries.c                  |  2 +-
+ hw/arm/omap1.c                    |  2 +-
+ hw/arm/omap2.c                    |  2 +-
+ hw/arm/omap_sx1.c                 |  2 +-
+ hw/arm/palm.c                     |  2 +-
+ hw/arm/raspi.c                    |  2 +-
+ hw/arm/realview.c                 |  2 +-
+ hw/arm/spitz.c                    |  2 +-
+ hw/arm/stellaris.c                |  2 +-
+ hw/arm/stm32f205_soc.c            |  2 +-
+ hw/arm/strongarm.c                |  2 +-
+ hw/arm/tosa.c                     |  2 +-
+ hw/arm/versatilepb.c              |  2 +-
+ hw/arm/vexpress.c                 |  2 +-
+ hw/arm/virt.c                     |  2 +-
+ hw/arm/xilinx_zynq.c              |  2 +-
+ hw/arm/xlnx-versal.c              |  2 +-
+ hw/arm/z2.c                       |  2 +-
+ hw/intc/arm_gicv3_cpuif.c         |  6 ++---
+ hw/intc/armv7m_nvic.c             |  1 -
+ target/arm/arm-semi.c             |  1 -
+ target/arm/cpu.c                  |  1 -
+ target/arm/cpu64.c                |  1 -
+ target/arm/kvm.c                  |  1 -
+ target/arm/kvm32.c                |  1 -
+ target/arm/kvm64.c                |  1 -
+ target/arm/translate-a64.c        | 44 ++++++++++++++++---------------
+ target/arm/translate.c            |  4 +--
+files changed, 164 insertions(+), 123 deletions(-)
+ rename include/hw/arm/{arm.h => boot.h} (96%)

-[Qemu-devel] [PULL 11/13] target/arm: Implement SG instruction corner cases
+[Qemu-devel] [PULL 01/12] target/arm: Use extract2 for EXTR
-The common situation of the SG instruction is that it is
+From: Richard Henderson <richard.henderson@linaro.org>
 executed from S&NSC memory by a CPU in NS state. That case
 is handled by v7m_handle_execute_nsc(). However the instruction
 also has defined behaviour in a couple of other cases:
  * SG instruction in NS memory (behaves as a NOP)
  * SG in S memory but CPU already secure (clears IT bits and
    does nothing else)
  * SG instruction in v8M without Security Extension (NOP)
-These can be implemented in translate.c.
+This is, after all, how we implement extract2 in tcg/aarch64.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20190514011129.11330-2-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1507556919-24992-10-git-send-email-peter.maydell@linaro.org
 ---
- target/arm/translate.c | 23 ++++++++++++++++++++++-
+ target/arm/translate-a64.c | 38 ++++++++++++++++++++------------------
-file changed, 22 insertions(+), 1 deletion(-)
+file changed, 20 insertions(+), 18 deletions(-)
-diff --git a/target/arm/translate.c b/target/arm/translate.c
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
+--- a/target/arm/translate-a64.c
-+++ b/target/arm/translate.c
++++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
-              * - load/store doubleword, load/store exclusive, ldacq/strel,
+             } else {
-              *   table branch.
+                 tcg_gen_ext32u_i64(tcg_rd, cpu_reg(s, rm));
-              */
+             }
--            if (insn & 0x01200000) {
+-        } else if (rm == rn) { /* ROR */
-+            if (insn == 0xe97fe97f && arm_dc_feature(s, ARM_FEATURE_M) &&
+-            tcg_rm = cpu_reg(s, rm);
-+                arm_dc_feature(s, ARM_FEATURE_V8)) {
+-            if (sf) {
-+                /* 0b1110_1001_0111_1111_1110_1001_0111_111
+-                tcg_gen_rotri_i64(tcg_rd, tcg_rm, imm);
-+                 *  - SG (v8M only)
+-            } else {
-+                 * The bulk of the behaviour for this instruction is implemented
+-                TCGv_i32 tmp = tcg_temp_new_i32();
-+                 * in v7m_handle_execute_nsc(), which deals with the insn when
+-                tcg_gen_extrl_i64_i32(tmp, tcg_rm);
-+                 * it is executed by a CPU in non-secure state from memory
+-                tcg_gen_rotri_i32(tmp, tmp, imm);
-+                 * which is Secure & NonSecure-Callable.
+-                tcg_gen_extu_i32_i64(tcg_rd, tmp);
-+                 * Here we only need to handle the remaining cases:
+-                tcg_temp_free_i32(tmp);
-+                 *  * in NS memory (including the "security extension not
+-            }
-+                 *    implemented" case) : NOP
+         } else {
-+                 *  * in S memory but CPU already secure (clear IT bits)
+-            tcg_rm = read_cpu_reg(s, rm, sf);
-+                 * We know that the attribute for the memory this insn is
+-            tcg_rn = read_cpu_reg(s, rn, sf);
-+                 * in must match the current CPU state, because otherwise
+-            tcg_gen_shri_i64(tcg_rm, tcg_rm, imm);
-+                 * get_phys_addr_pmsav8 would have generated an exception.
+-            tcg_gen_shli_i64(tcg_rn, tcg_rn, bitsize - imm);
-+                 */
+-            tcg_gen_or_i64(tcg_rd, tcg_rm, tcg_rn);
-+                if (s->v8m_secure) {
+-            if (!sf) {
-+                    /* Like the IT insn, we don't need to generate any code */
+-                tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
-+                    s->condexec_cond = 0;
++            tcg_rm = cpu_reg(s, rm);
-+                    s->condexec_mask = 0;
++            tcg_rn = cpu_reg(s, rn);
 +
 +            if (sf) {
 +                /* Specialization to ROR happens in EXTRACT2.  */
 +                tcg_gen_extract2_i64(tcg_rd, tcg_rm, tcg_rn, imm);
 +            } else {
 +                TCGv_i32 t0 = tcg_temp_new_i32();
 +
 +                tcg_gen_extrl_i64_i32(t0, tcg_rm);
 +                if (rm == rn) {
 +                    tcg_gen_rotri_i32(t0, t0, imm);
 +                } else {
 +                    TCGv_i32 t1 = tcg_temp_new_i32();
 +                    tcg_gen_extrl_i64_i32(t1, tcg_rn);
 +                    tcg_gen_extract2_i32(t0, t0, t1, imm);
 +                    tcg_temp_free_i32(t1);
 +                }
-+            } else if (insn & 0x01200000) {
++                tcg_gen_extu_i32_i64(tcg_rd, t0);
-                 /* 0b1110_1000_x11x_xxxx_xxxx_xxxx_xxxx_xxxx
++                tcg_temp_free_i32(t0);
-                  *  - load/store dual (post-indexed)
+             }
-                  * 0b1111_1001_x10x_xxxx_xxxx_xxxx_xxxx_xxxx
+         }
      }
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 10/13] target/arm: Support some Thumb insns being always unconditional
+[Qemu-devel] [PULL 02/12] target/arm: Simplify BFXIL expansion
-A few Thumb instructions are always unconditional even inside an
+From: Richard Henderson <richard.henderson@linaro.org>
 IT block (as opposed to being UNPREDICTABLE if used inside an
 IT block): BKPT, the v8M SG instruction, and the A profile
 HLT (debug halt) instruction.
-This means we need to suppress the jump-over-instruction-on-condfail
+The mask implied by the extract is redundant with the one
-code generation (though the IT state still advances as usual and
+implied by the deposit.  Also, fix spelling of BFXIL.
 subsequent insns in the IT block may be conditional).
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20190514011129.11330-3-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1507556919-24992-9-git-send-email-peter.maydell@linaro.org
 ---
- target/arm/translate.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
+ target/arm/translate-a64.c | 6 +++---
-file changed, 47 insertions(+), 1 deletion(-)
+file changed, 3 insertions(+), 3 deletions(-)
-diff --git a/target/arm/translate.c b/target/arm/translate.c
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
+--- a/target/arm/translate-a64.c
-+++ b/target/arm/translate.c
++++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+@@ -XXX,XX +XXX,XX @@ static void disas_bitfield(DisasContext *s, uint32_t insn)
-        in init_disas_context by adjusting max_insns.  */
+             tcg_gen_extract_i64(tcg_rd, tcg_tmp, ri, len);
- }
+             return;
+         }
-+static bool thumb_insn_is_unconditional(DisasContext *s, uint32_t insn)
+-        /* opc == 1, BXFIL fall through to deposit */
-+{
+-        tcg_gen_extract_i64(tcg_tmp, tcg_tmp, ri, len);
-+    /* Return true if this Thumb insn is always unconditional,
++        /* opc == 1, BFXIL fall through to deposit */
-+     * even inside an IT block. This is true of only a very few
++        tcg_gen_shri_i64(tcg_tmp, tcg_tmp, ri);
-+     * instructions: BKPT, HLT, and SG.
+         pos = 0;
-+     *
+     } else {
-+     * A larger class of instructions are UNPREDICTABLE if used
+         /* Handle the ri > si case with a deposit
-+     * inside an IT block; we do not need to detect those here, because
+@@ -XXX,XX +XXX,XX @@ static void disas_bitfield(DisasContext *s, uint32_t insn)
-+     * what we do by default (perform the cc check and update the IT
+         len = ri;
 +     * bits state machine) is a permitted CONSTRAINED UNPREDICTABLE
 +     * choice for those situations.
 +     *
 +     * insn is either a 16-bit or a 32-bit instruction; the two are
 +     * distinguishable because for the 16-bit case the top 16 bits
 +     * are zeroes, and that isn't a valid 32-bit encoding.
 +     */
 +    if ((insn & 0xffffff00) == 0xbe00) {
 +        /* BKPT */
 +        return true;
 +    }
 +
 +    if ((insn & 0xffffffc0) == 0xba80 && arm_dc_feature(s, ARM_FEATURE_V8) &&
 +        !arm_dc_feature(s, ARM_FEATURE_M)) {
 +        /* HLT: v8A only. This is unconditional even when it is going to
 +         * UNDEF; see the v8A ARM ARM DDI0487B.a H3.3.
 +         * For v7 cores this was a plain old undefined encoding and so
 +         * honours its cc check. (We might be using the encoding as
 +         * a semihosting trap, but we don't change the cc check behaviour
 +         * on that account, because a debugger connected to a real v7A
 +         * core and emulating semihosting traps by catching the UNDEF
 +         * exception would also only see cases where the cc check passed.
 +         * No guest code should be trying to do a HLT semihosting trap
 +         * in an IT block anyway.
 +         */
 +        return true;
 +    }
 +
 +    if (insn == 0xe97fe97f && arm_dc_feature(s, ARM_FEATURE_V8) &&
 +        arm_dc_feature(s, ARM_FEATURE_M)) {
 +        /* SG: v8M only */
 +        return true;
 +    }
 +
 +    return false;
 +}
 +
  static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
  {
      DisasContext *dc = container_of(dcbase, DisasContext, base);
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          dc->pc += 2;
      }
--    if (dc->condexec_mask) {
+-    if (opc == 1) { /* BFM, BXFIL */
-+    if (dc->condexec_mask && !thumb_insn_is_unconditional(dc, insn)) {
++    if (opc == 1) { /* BFM, BFXIL */
-         uint32_t cond = dc->condexec_cond;
+         tcg_gen_deposit_i64(tcg_rd, tcg_rd, tcg_tmp, pos, len);
+     } else {
-         if (cond != 0x0e) {     /* Skip conditional when condition is AL. */
+         /* SBFM or UBFM: We start with zero, and we haven't modified
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 09/13] target-arm: Simplify insn_crosses_page()
+[Qemu-devel] [PULL 03/12] target/arm: Fix vector operation segfault
-Recent changes have left insn_crosses_page() more complicated
+From: Alistair Francis <alistair.francis@wdc.com>
 than it needed to be:
  * it's only called from thumb_tr_translate_insn() so we know
    for certain that we're looking at a Thumb insn
  * the caller's check for dc->pc >= dc->next_page_start - 3
    means that dc->pc can't possibly be 4 aligned, so there's
    no need to check that (the check was partly there to ensure
    that we didn't treat an ARM insn as Thumb, I think)
  * we now have thumb_insn_is_16bit() which lets us do a precise
    check of the length of the next insn, rather than opencoding
    an inaccurate check
-Simplify it down to just loading the first half of the insn
+Commit 89e68b575 "target/arm: Use vector operations for saturation"
-and calling thumb_insn_is_16bit() on it.
+causes this abort() when booting QEMU ARM with a Cortex-A15:
+0x00007ffff4c2382f in raise () at /usr/lib/libc.so.6
+0x00007ffff4c0e672 in abort () at /usr/lib/libc.so.6
+0x00005555559c1839 in disas_neon_data_insn (insn=<optimized out>, s=<optimized out>) at ./target/arm/translate.c:6673
+0x00005555559c1839 in disas_neon_data_insn (s=<optimized out>, insn=<optimized out>) at ./target/arm/translate.c:6386
+0x00005555559cd8a4 in disas_arm_insn (insn=4081107068, s=0x7fffe59a9510) at ./target/arm/translate.c:9289
+0x00005555559cd8a4 in arm_tr_translate_insn (dcbase=0x7fffe59a9510, cpu=<optimized out>) at ./target/arm/translate.c:13612
+0x00005555558d1d39 in translator_loop (ops=0x5555561cc580 <arm_translator_ops>, db=0x7fffe59a9510, cpu=0x55555686a2f0, tb=<optimized out>, max_insns=<optimized out>) at ./accel/tcg/translator.c:96
+0x00005555559d10d4 in gen_intermediate_code (cpu=cpu@entry=0x55555686a2f0, tb=tb@entry=0x7fffd7840080 <code_gen_buffer+126091347>, max_insns=max_insns@entry=512) at ./target/arm/translate.c:13901
+0x00005555558d06b9 in tb_gen_code (cpu=cpu@entry=0x55555686a2f0, pc=3067096216, cs_base=0, flags=192, cflags=-16252928, cflags@entry=524288) at ./accel/tcg/translate-all.c:1736
+0x00005555558ce467 in tb_find (cf_mask=524288, tb_exit=1, last_tb=0x7fffd783e640 <code_gen_buffer+126084627>, cpu=0x1) at ./accel/tcg/cpu-exec.c:407
+0x00005555558ce467 in cpu_exec (cpu=cpu@entry=0x55555686a2f0) at ./accel/tcg/cpu-exec.c:728
+0x000055555588b0cf in tcg_cpu_exec (cpu=0x55555686a2f0) at ./cpus.c:1431
+0x000055555588d223 in qemu_tcg_cpu_thread_fn (arg=0x55555686a2f0) at ./cpus.c:1735
+0x000055555588d223 in qemu_tcg_cpu_thread_fn (arg=arg@entry=0x55555686a2f0) at ./cpus.c:1709
+0x0000555555d2629a in qemu_thread_start (args=<optimized out>) at ./util/qemu-thread-posix.c:502
+0x00007ffff4db8a92 in start_thread () at /usr/lib/libpthread.
+This patch ensures that we don't hit the abort() in the second switch
+case in disas_neon_data_insn() as we will return from the first case.
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Tested-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: ad91b397f360b2fc7f4087e476f7df5b04d42ddb.1558021877.git.alistair.francis@wdc.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1507556919-24992-8-git-send-email-peter.maydell@linaro.org
 ---
- target/arm/translate.c | 27 ++++++---------------------
+ target/arm/translate.c | 4 ++--
-file changed, 6 insertions(+), 21 deletions(-)
+file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
+@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
- {
+             tcg_gen_gvec_4(rd_ofs, offsetof(CPUARMState, vfp.qc),
-     /* Return true if the insn at dc->pc might cross a page boundary.
+                            rn_ofs, rm_ofs, vec_size, vec_size,
-      * (False positives are OK, false negatives are not.)
+                            (u ? uqadd_op : sqadd_op) + size);
-+     * We know this is a Thumb insn, and our caller ensures we are
+-            break;
-+     * only called if dc->pc is less than 4 bytes from the page
++            return 0;
-+     * boundary, so we cross the page if the first 16 bits indicate
-+     * that this is a 32 bit insn.
+         case NEON_3R_VQSUB:
-      */
+             tcg_gen_gvec_4(rd_ofs, offsetof(CPUARMState, vfp.qc),
--    uint16_t insn;
+                            rn_ofs, rm_ofs, vec_size, vec_size,
-+    uint16_t insn = arm_lduw_code(env, s->pc, s->sctlr_b);
+                            (u ? uqsub_op : sqsub_op) + size);
+-            break;
--    if ((s->pc & 3) == 0) {
++            return 0;
--        /* At a 4-aligned address we can't be crossing a page */
--        return false;
+         case NEON_3R_VMUL: /* VMUL */
--    }
+             if (u) {
 -
 -    /* This must be a Thumb insn */
 -    insn = arm_lduw_code(env, s->pc, s->sctlr_b);
 -
 -    if ((insn >> 11) >= 0x1d) {
 -        /* Top five bits 0b11101 / 0b11110 / 0b11111 : this is the
 -         * First half of a 32-bit Thumb insn. Thumb-1 cores might
 -         * end up actually treating this as two 16-bit insns (see the
 -         * code at the start of disas_thumb2_insn()) but we don't bother
 -         * to check for that as it is unlikely, and false positives here
 -         * are harmless.
 -         */
 -        return true;
 -    }
 -    /* Definitely a 16-bit insn, can't be crossing a page. */
 -    return false;
 +    return !thumb_insn_is_16bit(s, insn);
  }
  static int arm_tr_init_disas_context(DisasContextBase *dcbase,
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 02/13] arm: fix armv7m_init() declaration to match definition
+[Qemu-devel] [PULL 04/12] arm: Move system_clock_scale to armv7m_systick.h
-From: Igor Mammedov <imammedo@redhat.com>
+The system_clock_scale global is used only by the armv7m systick
 device; move the extern declaration to the armv7m_systick.h header,
 and expand the comment to explain what it is and that it should
 ideally be replaced with a different approach.
-s/cpu_model/cpu_type/ that has been forgotten during
-conversion (ba1ba5cc), while touching the line also
-fixup alignment.
-Signed-off-by: Igor Mammedov <imammedo@redhat.com>
-Message-id: 1507710805-221721-1-git-send-email-imammedo@redhat.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20190516163857.6430-2-peter.maydell@linaro.org
 ---
- include/hw/arm/arm.h | 2 +-
+ include/hw/arm/arm.h              |  4 ----
-file changed, 1 insertion(+), 1 deletion(-)
+ include/hw/timer/armv7m_systick.h | 22 ++++++++++++++++++++++
 files changed, 22 insertions(+), 4 deletions(-)
 diff --git a/include/hw/arm/arm.h b/include/hw/arm/arm.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/arm/arm.h
 +++ b/include/hw/arm/arm.h
-@@ -XXX,XX +XXX,XX @@ typedef enum {
+@@ -XXX,XX +XXX,XX @@ void arm_write_secure_board_setup_dummy_smc(ARMCPU *cpu,
+                                             const struct arm_boot_info *info,
- /* armv7m.c */
+                                             hwaddr mvbar_addr);
- DeviceState *armv7m_init(MemoryRegion *system_memory, int mem_size, int num_irq,
--                      const char *kernel_filename, const char *cpu_model);
+-/* Multiplication factor to convert from system clock ticks to qemu timer
-+                         const char *kernel_filename, const char *cpu_type);
+-   ticks.  */
- /**
+-extern int system_clock_scale;
-  * armv7m_load_kernel:
+-
-  * @cpu: CPU
+ #endif /* HW_ARM_H */
 diff --git a/include/hw/timer/armv7m_systick.h b/include/hw/timer/armv7m_systick.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/timer/armv7m_systick.h
 +++ b/include/hw/timer/armv7m_systick.h
@@ -XXX,XX +XXX,XX @@ typedef struct SysTickState {
      qemu_irq irq;
  } SysTickState;
 +/*
 + * Multiplication factor to convert from system clock ticks to qemu timer
 + * ticks. This should be set (by board code, usually) to a value
 + * equal to NANOSECONDS_PER_SECOND / frq, where frq is the clock frequency
 + * in Hz of the CPU.
 + *
 + * This value is used by the systick device when it is running in
 + * its "use the CPU clock" mode (ie when SYST_CSR.CLKSOURCE == 1) to
 + * set how fast the timer should tick.
 + *
 + * TODO: we should refactor this so that rather than using a global
 + * we use a device property or something similar. This is complicated
 + * because (a) the property would need to be plumbed through from the
 + * board code down through various layers to the systick device
 + * and (b) the property needs to be modifiable after realize, because
 + * the stellaris board uses this to implement the behaviour where the
 + * guest can reprogram the PLL registers to downclock the CPU, and the
 + * systick device needs to react accordingly. Possibly this should
 + * be deferred until we have a good API for modelling clock trees.
 + */
 +extern int system_clock_scale;
 +
  #endif
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 12/13] nvic: Add missing 'break'
+[Qemu-devel] [PULL 05/12] arm: Remove unnecessary includes of hw/arm/arm.h
-Coverity points out that we forgot the 'break' for
+The hw/arm/arm.h header now only includes declarations relating
-the SAU_CTRL write case (CID1381683). This has
+to boot.c code, so it is only needed by Arm board or SoC code.
-no actual visible consequences because it happens
+Remove some unnecessary inclusions of it from target/arm files
-that the following case is effectively a no-op.
+and from hw/intc/armv7m_nvic.c.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 1507742676-9908-1-git-send-email-peter.maydell@linaro.org
+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20190516163857.6430-3-peter.maydell@linaro.org
 ---
- hw/intc/armv7m_nvic.c | 1 +
+ hw/intc/armv7m_nvic.c | 1 -
-file changed, 1 insertion(+)
+ target/arm/arm-semi.c | 1 -
  target/arm/cpu.c      | 1 -
  target/arm/cpu64.c    | 1 -
  target/arm/kvm.c      | 1 -
  target/arm/kvm32.c    | 1 -
  target/arm/kvm64.c    | 1 -
 files changed, 7 deletions(-)
 diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/armv7m_nvic.c
 +++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
+@@ -XXX,XX +XXX,XX @@
-             return;
+ #include "cpu.h"
-         }
+ #include "hw/sysbus.h"
-         cpu->env.sau.ctrl = value & 3;
+ #include "qemu/timer.h"
-+        break;
+-#include "hw/arm/arm.h"
-     case 0xdd4: /* SAU_TYPE */
+ #include "hw/intc/armv7m_nvic.h"
-         if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
+ #include "target/arm/cpu.h"
-             goto bad_offset;
+ #include "exec/exec-all.h"
 diff --git a/target/arm/arm-semi.c b/target/arm/arm-semi.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/arm-semi.c
 +++ b/target/arm/arm-semi.c
@@ -XXX,XX +XXX,XX @@
  #else
  #include "qemu-common.h"
  #include "exec/gdbstub.h"
 -#include "hw/arm/arm.h"
  #include "qemu/cutils.h"
  #endif
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@
  #if !defined(CONFIG_USER_ONLY)
  #include "hw/loader.h"
  #endif
 -#include "hw/arm/arm.h"
  #include "sysemu/sysemu.h"
  #include "sysemu/hw_accel.h"
  #include "kvm_arm.h"
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu64.c
 +++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@
  #if !defined(CONFIG_USER_ONLY)
  #include "hw/loader.h"
  #endif
 -#include "hw/arm/arm.h"
  #include "sysemu/sysemu.h"
  #include "sysemu/kvm.h"
  #include "kvm_arm.h"
 diff --git a/target/arm/kvm.c b/target/arm/kvm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm.c
 +++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@
  #include "cpu.h"
  #include "trace.h"
  #include "internals.h"
 -#include "hw/arm/arm.h"
  #include "hw/pci/pci.h"
  #include "exec/memattrs.h"
  #include "exec/address-spaces.h"
 diff --git a/target/arm/kvm32.c b/target/arm/kvm32.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm32.c
 +++ b/target/arm/kvm32.c
@@ -XXX,XX +XXX,XX @@
  #include "sysemu/kvm.h"
  #include "kvm_arm.h"
  #include "internals.h"
 -#include "hw/arm/arm.h"
  #include "qemu/log.h"
  static inline void set_feature(uint64_t *features, int feature)
 diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm64.c
 +++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@
  #include "sysemu/kvm.h"
  #include "kvm_arm.h"
  #include "internals.h"
 -#include "hw/arm/arm.h"
  static bool have_guest_debug;
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 06/13] target/arm: Implement secure function return
+[Qemu-devel] [PULL 06/12] arm: Rename hw/arm/arm.h to hw/arm/boot.h
-Secure function return happens when a non-secure function has been
+The header file hw/arm/arm.h now includes only declarations
-called using BLXNS and so has a particular magic LR value (either
+relating to hw/arm/boot.c functionality. Rename it accordingly,
-xfefffffe or 0xfeffffff). The function return via BX behaves
+and adjust its header comment.
 specially when the new PC value is this magic value, in the same
 way that exception returns are handled.
-Adjust our BX excret guards so that they recognize the function
+The bulk of this commit was created via
-return magic number as well, and perform the function-return
+ perl -pi -e 's|hw/arm/arm.h|hw/arm/boot.h|' hw/arm/*.c include/hw/arm/*.h
-unstacking in do_v7m_exception_exit().
 In a few cases we can just delete the #include:
 hw/arm/msf2-soc.c, include/hw/arm/aspeed_soc.h and
 include/hw/arm/bcm2836.h did not require it.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Acked-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 1507556919-24992-5-git-send-email-peter.maydell@linaro.org
+Message-id: 20190516163857.6430-4-peter.maydell@linaro.org
 ---
- target/arm/internals.h |   7 +++
+ include/hw/arm/allwinner-a10.h   | 2 +-
- target/arm/helper.c    | 115 +++++++++++++++++++++++++++++++++++++++++++++----
+ include/hw/arm/aspeed_soc.h      | 1 -
- target/arm/translate.c |  14 +++++-
+ include/hw/arm/bcm2836.h         | 1 -
-files changed, 126 insertions(+), 10 deletions(-)
+ include/hw/arm/{arm.h => boot.h} | 8 ++++----
  include/hw/arm/fsl-imx25.h       | 2 +-
  include/hw/arm/fsl-imx31.h       | 2 +-
  include/hw/arm/fsl-imx6.h        | 2 +-
  include/hw/arm/fsl-imx6ul.h      | 2 +-
  include/hw/arm/fsl-imx7.h        | 2 +-
  include/hw/arm/virt.h            | 2 +-
  include/hw/arm/xlnx-versal.h     | 2 +-
  include/hw/arm/xlnx-zynqmp.h     | 2 +-
  hw/arm/armsse.c                  | 2 +-
  hw/arm/armv7m.c                  | 2 +-
  hw/arm/aspeed.c                  | 2 +-
  hw/arm/boot.c                    | 2 +-
  hw/arm/collie.c                  | 2 +-
  hw/arm/exynos4210.c              | 2 +-
  hw/arm/exynos4_boards.c          | 2 +-
  hw/arm/highbank.c                | 2 +-
  hw/arm/integratorcp.c            | 2 +-
  hw/arm/mainstone.c               | 2 +-
  hw/arm/microbit.c                | 2 +-
  hw/arm/mps2-tz.c                 | 2 +-
  hw/arm/mps2.c                    | 2 +-
  hw/arm/msf2-soc.c                | 1 -
  hw/arm/msf2-som.c                | 2 +-
  hw/arm/musca.c                   | 2 +-
  hw/arm/musicpal.c                | 2 +-
  hw/arm/netduino2.c               | 2 +-
  hw/arm/nrf51_soc.c               | 2 +-
  hw/arm/nseries.c                 | 2 +-
  hw/arm/omap1.c                   | 2 +-
  hw/arm/omap2.c                   | 2 +-
  hw/arm/omap_sx1.c                | 2 +-
  hw/arm/palm.c                    | 2 +-
  hw/arm/raspi.c                   | 2 +-
  hw/arm/realview.c                | 2 +-
  hw/arm/spitz.c                   | 2 +-
  hw/arm/stellaris.c               | 2 +-
  hw/arm/stm32f205_soc.c           | 2 +-
  hw/arm/strongarm.c               | 2 +-
  hw/arm/tosa.c                    | 2 +-
  hw/arm/versatilepb.c             | 2 +-
  hw/arm/vexpress.c                | 2 +-
  hw/arm/virt.c                    | 2 +-
  hw/arm/xilinx_zynq.c             | 2 +-
  hw/arm/xlnx-versal.c             | 2 +-
  hw/arm/z2.c                      | 2 +-
 files changed, 49 insertions(+), 52 deletions(-)
  rename include/hw/arm/{arm.h => boot.h} (98%)
-diff --git a/target/arm/internals.h b/target/arm/internals.h
+diff --git a/include/hw/arm/allwinner-a10.h b/include/hw/arm/allwinner-a10.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/internals.h
+--- a/include/hw/arm/allwinner-a10.h
-+++ b/target/arm/internals.h
++++ b/include/hw/arm/allwinner-a10.h
-@@ -XXX,XX +XXX,XX @@ FIELD(V7M_EXCRET, DCRS, 5, 1)
+@@ -XXX,XX +XXX,XX @@
- FIELD(V7M_EXCRET, S, 6, 1)
+ #include "qemu-common.h"
- FIELD(V7M_EXCRET, RES1, 7, 25) /* including the must-be-1 prefix */
+ #include "qemu/error-report.h"
+ #include "hw/char/serial.h"
-+/* Minimum value which is a magic number for exception return */
+-#include "hw/arm/arm.h"
-+#define EXC_RETURN_MIN_MAGIC 0xff000000
++#include "hw/arm/boot.h"
-+/* Minimum number which is a magic number for function or exception return
+ #include "hw/timer/allwinner-a10-pit.h"
-+ * when using v8M security extension
+ #include "hw/intc/allwinner-a10-pic.h"
-+ */
+ #include "hw/net/allwinner_emac.h"
-+#define FNC_RETURN_MIN_MAGIC 0xfefffffe
+diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
-+
+index XXXXXXX..XXXXXXX 100644
- /* We use a few fake FSR values for internal purposes in M profile.
+--- a/include/hw/arm/aspeed_soc.h
-  * M profile cores don't have A/R format FSRs, but currently our
++++ b/include/hw/arm/aspeed_soc.h
-  * get_phys_addr() code assumes A/R profile and reports failures via
+@@ -XXX,XX +XXX,XX @@
-diff --git a/target/arm/helper.c b/target/arm/helper.c
+ #ifndef ASPEED_SOC_H
-index XXXXXXX..XXXXXXX 100644
+ #define ASPEED_SOC_H
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
+-#include "hw/arm/arm.h"
-@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
+ #include "hw/intc/aspeed_vic.h"
-      *  - if the return value is a magic value, do exception return (like BX)
+ #include "hw/misc/aspeed_scu.h"
-      *  - otherwise bit 0 of the return value is the target security state
+ #include "hw/misc/aspeed_sdmc.h"
-      */
+diff --git a/include/hw/arm/bcm2836.h b/include/hw/arm/bcm2836.h
--    if (dest >= 0xff000000) {
+index XXXXXXX..XXXXXXX 100644
-+    uint32_t min_magic;
+--- a/include/hw/arm/bcm2836.h
-+
++++ b/include/hw/arm/bcm2836.h
-+    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+@@ -XXX,XX +XXX,XX @@
-+        /* Covers FNC_RETURN and EXC_RETURN magic */
+ #ifndef BCM2836_H
-+        min_magic = FNC_RETURN_MIN_MAGIC;
+ #define BCM2836_H
-+    } else {
-+        /* EXC_RETURN magic only */
+-#include "hw/arm/arm.h"
-+        min_magic = EXC_RETURN_MIN_MAGIC;
+ #include "hw/arm/bcm2835_peripherals.h"
-+    }
+ #include "hw/intc/bcm2836_control.h"
-+
-+    if (dest >= min_magic) {
+diff --git a/include/hw/arm/arm.h b/include/hw/arm/boot.h
-         /* This is an exception return magic value; put it where
+similarity index 98%
-          * do_v7m_exception_exit() expects and raise EXCEPTION_EXIT.
+rename from include/hw/arm/arm.h
-          * Note that if we ever add gen_ss_advance() singlestep support to
+rename to include/hw/arm/boot.h
-@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
+index XXXXXXX..XXXXXXX 100644
-     bool exc_secure = false;
+--- a/include/hw/arm/arm.h
-     bool return_to_secure;
++++ b/include/hw/arm/boot.h
+@@ -XXX,XX +XXX,XX @@
--    /* We can only get here from an EXCP_EXCEPTION_EXIT, and
+ /*
--     * gen_bx_excret() enforces the architectural rule
+- * Misc ARM declarations
--     * that jumps to magic addresses don't have magic behaviour unless
++ * ARM kernel loader.
--     * we're in Handler mode (compare pseudocode BXWritePC()).
+  *
-+    /* If we're not in Handler mode then jumps to magic exception-exit
+  * Copyright (c) 2006 CodeSourcery.
-+     * addresses don't have magic behaviour. However for the v8M
+  * Written by Paul Brook
-+     * security extensions the magic secure-function-return has to
+@@ -XXX,XX +XXX,XX @@
-+     * work in thread mode too, so to avoid doing an extra check in
+  *
-+     * the generated code we allow exception-exit magic to also cause the
+  */
-+     * internal exception and bring us here in thread mode. Correct code
-+     * will never try to do this (the following insn fetch will always
+-#ifndef HW_ARM_H
-+     * fault) so we the overhead of having taken an unnecessary exception
+-#define HW_ARM_H
-+     * doesn't matter.
++#ifndef HW_ARM_BOOT_H
-      */
++#define HW_ARM_BOOT_H
--    assert(arm_v7m_is_handler_mode(env));
-+    if (!arm_v7m_is_handler_mode(env)) {
+ #include "exec/memory.h"
-+        return;
+ #include "target/arm/cpu-qom.h"
-+    }
+@@ -XXX,XX +XXX,XX @@ void arm_write_secure_board_setup_dummy_smc(ARMCPU *cpu,
+                                             const struct arm_boot_info *info,
-     /* In the spec pseudocode ExceptionReturn() is called directly
+                                             hwaddr mvbar_addr);
-      * from BXWritePC() and gets the full target PC value including
-@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
+-#endif /* HW_ARM_H */
-     qemu_log_mask(CPU_LOG_INT, "...successful exception return\n");
++#endif /* HW_ARM_BOOT_H */
- }
+diff --git a/include/hw/arm/fsl-imx25.h b/include/hw/arm/fsl-imx25.h
+index XXXXXXX..XXXXXXX 100644
-+static bool do_v7m_function_return(ARMCPU *cpu)
+--- a/include/hw/arm/fsl-imx25.h
-+{
++++ b/include/hw/arm/fsl-imx25.h
-+    /* v8M security extensions magic function return.
+@@ -XXX,XX +XXX,XX @@
-+     * We may either:
+ #ifndef FSL_IMX25_H
-+     *  (1) throw an exception (longjump)
+ #define FSL_IMX25_H
-+     *  (2) return true if we successfully handled the function return
-+     *  (3) return false if we failed a consistency check and have
+-#include "hw/arm/arm.h"
-+     *      pended a UsageFault that needs to be taken now
++#include "hw/arm/boot.h"
-+     *
+ #include "hw/intc/imx_avic.h"
-+     * At this point the magic return value is split between env->regs[15]
+ #include "hw/misc/imx25_ccm.h"
-+     * and env->thumb. We don't bother to reconstitute it because we don't
+ #include "hw/char/imx_serial.h"
-+     * need it (all values are handled the same way).
+diff --git a/include/hw/arm/fsl-imx31.h b/include/hw/arm/fsl-imx31.h
-+     */
+index XXXXXXX..XXXXXXX 100644
-+    CPUARMState *env = &cpu->env;
+--- a/include/hw/arm/fsl-imx31.h
-+    uint32_t newpc, newpsr, newpsr_exc;
++++ b/include/hw/arm/fsl-imx31.h
-+
+@@ -XXX,XX +XXX,XX @@
-+    qemu_log_mask(CPU_LOG_INT, "...really v7M secure function return\n");
+ #ifndef FSL_IMX31_H
-+
+ #define FSL_IMX31_H
-+    {
-+        bool threadmode, spsel;
+-#include "hw/arm/arm.h"
-+        TCGMemOpIdx oi;
++#include "hw/arm/boot.h"
-+        ARMMMUIdx mmu_idx;
+ #include "hw/intc/imx_avic.h"
-+        uint32_t *frame_sp_p;
+ #include "hw/misc/imx31_ccm.h"
-+        uint32_t frameptr;
+ #include "hw/char/imx_serial.h"
-+
+diff --git a/include/hw/arm/fsl-imx6.h b/include/hw/arm/fsl-imx6.h
-+        /* Pull the return address and IPSR from the Secure stack */
+index XXXXXXX..XXXXXXX 100644
-+        threadmode = !arm_v7m_is_handler_mode(env);
+--- a/include/hw/arm/fsl-imx6.h
-+        spsel = env->v7m.control[M_REG_S] & R_V7M_CONTROL_SPSEL_MASK;
++++ b/include/hw/arm/fsl-imx6.h
-+
+@@ -XXX,XX +XXX,XX @@
-+        frame_sp_p = get_v7m_sp_ptr(env, true, threadmode, spsel);
+ #ifndef FSL_IMX6_H
-+        frameptr = *frame_sp_p;
+ #define FSL_IMX6_H
-+
-+        /* These loads may throw an exception (for MPU faults). We want to
+-#include "hw/arm/arm.h"
-+         * do them as secure, so work out what MMU index that is.
++#include "hw/arm/boot.h"
-+         */
+ #include "hw/cpu/a9mpcore.h"
-+        mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
+ #include "hw/misc/imx6_ccm.h"
-+        oi = make_memop_idx(MO_LE, arm_to_core_mmu_idx(mmu_idx));
+ #include "hw/misc/imx6_src.h"
-+        newpc = helper_le_ldul_mmu(env, frameptr, oi, 0);
+diff --git a/include/hw/arm/fsl-imx6ul.h b/include/hw/arm/fsl-imx6ul.h
-+        newpsr = helper_le_ldul_mmu(env, frameptr + 4, oi, 0);
+index XXXXXXX..XXXXXXX 100644
-+
+--- a/include/hw/arm/fsl-imx6ul.h
-+        /* Consistency checks on new IPSR */
++++ b/include/hw/arm/fsl-imx6ul.h
-+        newpsr_exc = newpsr & XPSR_EXCP;
+@@ -XXX,XX +XXX,XX @@
-+        if (!((env->v7m.exception == 0 && newpsr_exc == 0) ||
+ #ifndef FSL_IMX6UL_H
-+              (env->v7m.exception == 1 && newpsr_exc != 0))) {
+ #define FSL_IMX6UL_H
-+            /* Pend the fault and tell our caller to take it */
-+            env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
+-#include "hw/arm/arm.h"
-+            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
++#include "hw/arm/boot.h"
-+                                    env->v7m.secure);
+ #include "hw/cpu/a15mpcore.h"
-+            qemu_log_mask(CPU_LOG_INT,
+ #include "hw/misc/imx6ul_ccm.h"
-+                          "...taking INVPC UsageFault: "
+ #include "hw/misc/imx6_src.h"
-+                          "IPSR consistency check failed\n");
+diff --git a/include/hw/arm/fsl-imx7.h b/include/hw/arm/fsl-imx7.h
-+            return false;
+index XXXXXXX..XXXXXXX 100644
-+        }
+--- a/include/hw/arm/fsl-imx7.h
-+
++++ b/include/hw/arm/fsl-imx7.h
-+        *frame_sp_p = frameptr + 8;
+@@ -XXX,XX +XXX,XX @@
-+    }
+ #ifndef FSL_IMX7_H
-+
+ #define FSL_IMX7_H
-+    /* This invalidates frame_sp_p */
-+    switch_v7m_security_state(env, true);
+-#include "hw/arm/arm.h"
-+    env->v7m.exception = newpsr_exc;
++#include "hw/arm/boot.h"
-+    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
+ #include "hw/cpu/a15mpcore.h"
-+    if (newpsr & XPSR_SFPA) {
+ #include "hw/intc/imx_gpcv2.h"
-+        env->v7m.control[M_REG_S] |= R_V7M_CONTROL_SFPA_MASK;
+ #include "hw/misc/imx7_ccm.h"
-+    }
+diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
-+    xpsr_write(env, 0, XPSR_IT);
+index XXXXXXX..XXXXXXX 100644
-+    env->thumb = newpc & 1;
+--- a/include/hw/arm/virt.h
-+    env->regs[15] = newpc & ~1;
++++ b/include/hw/arm/virt.h
-+
+@@ -XXX,XX +XXX,XX @@
-+    qemu_log_mask(CPU_LOG_INT, "...function return successful\n");
+ #include "exec/hwaddr.h"
-+    return true;
+ #include "qemu/notify.h"
-+}
+ #include "hw/boards.h"
-+
+-#include "hw/arm/arm.h"
- static void arm_log_exception(int idx)
++#include "hw/arm/boot.h"
  #include "hw/block/flash.h"
  #include "sysemu/kvm.h"
  #include "hw/intc/arm_gicv3_common.h"
 diff --git a/include/hw/arm/xlnx-versal.h b/include/hw/arm/xlnx-versal.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/arm/xlnx-versal.h
 +++ b/include/hw/arm/xlnx-versal.h
@@ -XXX,XX +XXX,XX @@
  #define XLNX_VERSAL_H
  #include "hw/sysbus.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/intc/arm_gicv3.h"
  #define TYPE_XLNX_VERSAL "xlnx-versal"
 diff --git a/include/hw/arm/xlnx-zynqmp.h b/include/hw/arm/xlnx-zynqmp.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/arm/xlnx-zynqmp.h
 +++ b/include/hw/arm/xlnx-zynqmp.h
@@ -XXX,XX +XXX,XX @@
  #ifndef XLNX_ZYNQMP_H
  #include "qemu-common.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/intc/arm_gic.h"
  #include "hw/net/cadence_gem.h"
  #include "hw/char/cadence_uart.h"
 diff --git a/hw/arm/armsse.c b/hw/arm/armsse.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/armsse.c
 +++ b/hw/arm/armsse.c
@@ -XXX,XX +XXX,XX @@
  #include "hw/sysbus.h"
  #include "hw/registerfields.h"
  #include "hw/arm/armsse.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  /* Format of the System Information block SYS_CONFIG register */
  typedef enum SysConfigFormat {
 diff --git a/hw/arm/armv7m.c b/hw/arm/armv7m.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/armv7m.c
 +++ b/hw/arm/armv7m.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu-common.h"
  #include "cpu.h"
  #include "hw/sysbus.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/loader.h"
  #include "elf.h"
  #include "sysemu/qtest.h"
 diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/aspeed.c
 +++ b/hw/arm/aspeed.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu-common.h"
  #include "cpu.h"
  #include "exec/address-spaces.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/arm/aspeed.h"
  #include "hw/arm/aspeed_soc.h"
  #include "hw/boards.h"
 diff --git a/hw/arm/boot.c b/hw/arm/boot.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/boot.c
 +++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@
  #include "qapi/error.h"
  #include <libfdt.h>
  #include "hw/hw.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/arm/linux-boot-if.h"
  #include "sysemu/kvm.h"
  #include "sysemu/sysemu.h"
 diff --git a/hw/arm/collie.c b/hw/arm/collie.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/collie.c
 +++ b/hw/arm/collie.c
@@ -XXX,XX +XXX,XX @@
  #include "hw/sysbus.h"
  #include "hw/boards.h"
  #include "strongarm.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/block/flash.h"
  #include "exec/address-spaces.h"
  #include "cpu.h"
 diff --git a/hw/arm/exynos4210.c b/hw/arm/exynos4210.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/exynos4210.c
 +++ b/hw/arm/exynos4210.c
@@ -XXX,XX +XXX,XX @@
  #include "hw/boards.h"
  #include "sysemu/sysemu.h"
  #include "hw/sysbus.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/loader.h"
  #include "hw/arm/exynos4210.h"
  #include "hw/sd/sdhci.h"
 diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/exynos4_boards.c
 +++ b/hw/arm/exynos4_boards.c
@@ -XXX,XX +XXX,XX @@
  #include "sysemu/sysemu.h"
  #include "hw/sysbus.h"
  #include "net/net.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "exec/address-spaces.h"
  #include "hw/arm/exynos4210.h"
  #include "hw/net/lan9118.h"
 diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/highbank.c
 +++ b/hw/arm/highbank.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/osdep.h"
  #include "qapi/error.h"
  #include "hw/sysbus.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/loader.h"
  #include "net/net.h"
  #include "sysemu/kvm.h"
 diff --git a/hw/arm/integratorcp.c b/hw/arm/integratorcp.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/integratorcp.c
 +++ b/hw/arm/integratorcp.c
@@ -XXX,XX +XXX,XX @@
  #include "cpu.h"
  #include "hw/sysbus.h"
  #include "hw/boards.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/misc/arm_integrator_debug.h"
  #include "hw/net/smc91c111.h"
  #include "net/net.h"
 diff --git a/hw/arm/mainstone.c b/hw/arm/mainstone.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/mainstone.c
 +++ b/hw/arm/mainstone.c
@@ -XXX,XX +XXX,XX @@
  #include "qapi/error.h"
  #include "hw/hw.h"
  #include "hw/arm/pxa.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "net/net.h"
  #include "hw/net/smc91c111.h"
  #include "hw/boards.h"
 diff --git a/hw/arm/microbit.c b/hw/arm/microbit.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/microbit.c
 +++ b/hw/arm/microbit.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/osdep.h"
  #include "qapi/error.h"
  #include "hw/boards.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "sysemu/sysemu.h"
  #include "exec/address-spaces.h"
 diff --git a/hw/arm/mps2-tz.c b/hw/arm/mps2-tz.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/mps2-tz.c
 +++ b/hw/arm/mps2-tz.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/osdep.h"
  #include "qapi/error.h"
  #include "qemu/error-report.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/arm/armv7m.h"
  #include "hw/or-irq.h"
  #include "hw/boards.h"
 diff --git a/hw/arm/mps2.c b/hw/arm/mps2.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/mps2.c
 +++ b/hw/arm/mps2.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/osdep.h"
  #include "qapi/error.h"
  #include "qemu/error-report.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/arm/armv7m.h"
  #include "hw/or-irq.h"
  #include "hw/boards.h"
 diff --git a/hw/arm/msf2-soc.c b/hw/arm/msf2-soc.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/msf2-soc.c
 +++ b/hw/arm/msf2-soc.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/units.h"
  #include "qapi/error.h"
  #include "qemu-common.h"
 -#include "hw/arm/arm.h"
  #include "exec/address-spaces.h"
  #include "hw/char/serial.h"
  #include "hw/boards.h"
 diff --git a/hw/arm/msf2-som.c b/hw/arm/msf2-som.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/msf2-som.c
 +++ b/hw/arm/msf2-som.c
@@ -XXX,XX +XXX,XX @@
  #include "qapi/error.h"
  #include "qemu/error-report.h"
  #include "hw/boards.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "exec/address-spaces.h"
  #include "hw/arm/msf2-soc.h"
  #include "cpu.h"
 diff --git a/hw/arm/musca.c b/hw/arm/musca.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/musca.c
 +++ b/hw/arm/musca.c
@@ -XXX,XX +XXX,XX @@
  #include "qapi/error.h"
  #include "exec/address-spaces.h"
  #include "sysemu/sysemu.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/arm/armsse.h"
  #include "hw/boards.h"
  #include "hw/char/pl011.h"
 diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/musicpal.c
 +++ b/hw/arm/musicpal.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu-common.h"
  #include "cpu.h"
  #include "hw/sysbus.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "net/net.h"
  #include "sysemu/sysemu.h"
  #include "hw/boards.h"
 diff --git a/hw/arm/netduino2.c b/hw/arm/netduino2.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/netduino2.c
 +++ b/hw/arm/netduino2.c
@@ -XXX,XX +XXX,XX @@
  #include "hw/boards.h"
  #include "qemu/error-report.h"
  #include "hw/arm/stm32f205_soc.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  static void netduino2_init(MachineState *machine)
  {
-     if (qemu_loglevel_mask(CPU_LOG_INT)) {
+diff --git a/hw/arm/nrf51_soc.c b/hw/arm/nrf51_soc.c
-@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
+index XXXXXXX..XXXXXXX 100644
-     case EXCP_IRQ:
+--- a/hw/arm/nrf51_soc.c
-         break;
++++ b/hw/arm/nrf51_soc.c
-     case EXCP_EXCEPTION_EXIT:
+@@ -XXX,XX +XXX,XX @@
--        do_v7m_exception_exit(cpu);
+ #include "qemu/osdep.h"
--        return;
+ #include "qapi/error.h"
-+        if (env->regs[15] < EXC_RETURN_MIN_MAGIC) {
+ #include "qemu-common.h"
-+            /* Must be v8M security extension function return */
+-#include "hw/arm/arm.h"
-+            assert(env->regs[15] >= FNC_RETURN_MIN_MAGIC);
++#include "hw/arm/boot.h"
-+            assert(arm_feature(env, ARM_FEATURE_M_SECURITY));
+ #include "hw/sysbus.h"
-+            if (do_v7m_function_return(cpu)) {
+ #include "hw/boards.h"
-+                return;
+ #include "hw/misc/unimp.h"
-+            }
+diff --git a/hw/arm/nseries.c b/hw/arm/nseries.c
-+        } else {
+index XXXXXXX..XXXXXXX 100644
-+            do_v7m_exception_exit(cpu);
+--- a/hw/arm/nseries.c
-+            return;
++++ b/hw/arm/nseries.c
-+        }
+@@ -XXX,XX +XXX,XX @@
-+        break;
+ #include "qemu/bswap.h"
-     default:
+ #include "sysemu/sysemu.h"
-         cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
+ #include "hw/arm/omap.h"
-         return; /* Never happens.  Keep compiler happy.  */
+-#include "hw/arm/arm.h"
-diff --git a/target/arm/translate.c b/target/arm/translate.c
++#include "hw/arm/boot.h"
-index XXXXXXX..XXXXXXX 100644
+ #include "hw/irq.h"
---- a/target/arm/translate.c
+ #include "ui/console.h"
-+++ b/target/arm/translate.c
+ #include "hw/boards.h"
-@@ -XXX,XX +XXX,XX @@ static inline void gen_bx_excret(DisasContext *s, TCGv_i32 var)
+diff --git a/hw/arm/omap1.c b/hw/arm/omap1.c
-      * s->base.is_jmp that we need to do the rest of the work later.
+index XXXXXXX..XXXXXXX 100644
-      */
+--- a/hw/arm/omap1.c
-     gen_bx(s, var);
++++ b/hw/arm/omap1.c
--    if (s->v7m_handler_mode && arm_dc_feature(s, ARM_FEATURE_M)) {
+@@ -XXX,XX +XXX,XX @@
-+    if (arm_dc_feature(s, ARM_FEATURE_M_SECURITY) ||
+ #include "cpu.h"
-+        (s->v7m_handler_mode && arm_dc_feature(s, ARM_FEATURE_M))) {
+ #include "hw/boards.h"
-         s->base.is_jmp = DISAS_BX_EXCRET;
+ #include "hw/hw.h"
-     }
+-#include "hw/arm/arm.h"
- }
++#include "hw/arm/boot.h"
-@@ -XXX,XX +XXX,XX @@ static inline void gen_bx_excret_final_code(DisasContext *s)
+ #include "hw/arm/omap.h"
- {
+ #include "sysemu/sysemu.h"
-     /* Generate the code to finish possible exception return and end the TB */
+ #include "hw/arm/soc_dma.h"
-     TCGLabel *excret_label = gen_new_label();
+diff --git a/hw/arm/omap2.c b/hw/arm/omap2.c
-+    uint32_t min_magic;
+index XXXXXXX..XXXXXXX 100644
-+
+--- a/hw/arm/omap2.c
-+    if (arm_dc_feature(s, ARM_FEATURE_M_SECURITY)) {
++++ b/hw/arm/omap2.c
-+        /* Covers FNC_RETURN and EXC_RETURN magic */
+@@ -XXX,XX +XXX,XX @@
-+        min_magic = FNC_RETURN_MIN_MAGIC;
+ #include "sysemu/qtest.h"
-+    } else {
+ #include "hw/boards.h"
-+        /* EXC_RETURN magic only */
+ #include "hw/hw.h"
-+        min_magic = EXC_RETURN_MIN_MAGIC;
+-#include "hw/arm/arm.h"
-+    }
++#include "hw/arm/boot.h"
+ #include "hw/arm/omap.h"
-     /* Is the new PC value in the magic range indicating exception return? */
+ #include "sysemu/sysemu.h"
--    tcg_gen_brcondi_i32(TCG_COND_GEU, cpu_R[15], 0xff000000, excret_label);
+ #include "qemu/timer.h"
-+    tcg_gen_brcondi_i32(TCG_COND_GEU, cpu_R[15], min_magic, excret_label);
+diff --git a/hw/arm/omap_sx1.c b/hw/arm/omap_sx1.c
-     /* No: end the TB as we would for a DISAS_JMP */
+index XXXXXXX..XXXXXXX 100644
-     if (is_singlestepping(s)) {
+--- a/hw/arm/omap_sx1.c
-         gen_singlestep_exception(s);
++++ b/hw/arm/omap_sx1.c
@@ -XXX,XX +XXX,XX @@
  #include "ui/console.h"
  #include "hw/arm/omap.h"
  #include "hw/boards.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/block/flash.h"
  #include "sysemu/qtest.h"
  #include "exec/address-spaces.h"
 diff --git a/hw/arm/palm.c b/hw/arm/palm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/palm.c
 +++ b/hw/arm/palm.c
@@ -XXX,XX +XXX,XX @@
  #include "ui/console.h"
  #include "hw/arm/omap.h"
  #include "hw/boards.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/input/tsc2xxx.h"
  #include "hw/loader.h"
  #include "exec/address-spaces.h"
 diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/raspi.c
 +++ b/hw/arm/raspi.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/error-report.h"
  #include "hw/boards.h"
  #include "hw/loader.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "sysemu/sysemu.h"
  #define SMPBOOT_ADDR    0x300 /* this should leave enough space for ATAGS */
 diff --git a/hw/arm/realview.c b/hw/arm/realview.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/realview.c
 +++ b/hw/arm/realview.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu-common.h"
  #include "cpu.h"
  #include "hw/sysbus.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/arm/primecell.h"
  #include "hw/net/lan9118.h"
  #include "hw/net/smc91c111.h"
 diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/spitz.c
 +++ b/hw/arm/spitz.c
@@ -XXX,XX +XXX,XX @@
  #include "qapi/error.h"
  #include "hw/hw.h"
  #include "hw/arm/pxa.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "sysemu/sysemu.h"
  #include "hw/pcmcia.h"
  #include "hw/i2c/i2c.h"
 diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/stellaris.c
 +++ b/hw/arm/stellaris.c
@@ -XXX,XX +XXX,XX @@
  #include "qapi/error.h"
  #include "hw/sysbus.h"
  #include "hw/ssi/ssi.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "qemu/timer.h"
  #include "hw/i2c/i2c.h"
  #include "net/net.h"
 diff --git a/hw/arm/stm32f205_soc.c b/hw/arm/stm32f205_soc.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/stm32f205_soc.c
 +++ b/hw/arm/stm32f205_soc.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/osdep.h"
  #include "qapi/error.h"
  #include "qemu-common.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "exec/address-spaces.h"
  #include "hw/arm/stm32f205_soc.h"
 diff --git a/hw/arm/strongarm.c b/hw/arm/strongarm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/strongarm.c
 +++ b/hw/arm/strongarm.c
@@ -XXX,XX +XXX,XX @@
  #include "hw/sysbus.h"
  #include "strongarm.h"
  #include "qemu/error-report.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "chardev/char-fe.h"
  #include "chardev/char-serial.h"
  #include "sysemu/sysemu.h"
 diff --git a/hw/arm/tosa.c b/hw/arm/tosa.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/tosa.c
 +++ b/hw/arm/tosa.c
@@ -XXX,XX +XXX,XX @@
  #include "qapi/error.h"
  #include "hw/hw.h"
  #include "hw/arm/pxa.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/arm/sharpsl.h"
  #include "hw/pcmcia.h"
  #include "hw/boards.h"
 diff --git a/hw/arm/versatilepb.c b/hw/arm/versatilepb.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/versatilepb.c
 +++ b/hw/arm/versatilepb.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu-common.h"
  #include "cpu.h"
  #include "hw/sysbus.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/net/smc91c111.h"
  #include "net/net.h"
  #include "sysemu/sysemu.h"
 diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/vexpress.c
 +++ b/hw/arm/vexpress.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu-common.h"
  #include "cpu.h"
  #include "hw/sysbus.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/arm/primecell.h"
  #include "hw/net/lan9118.h"
  #include "hw/i2c/i2c.h"
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/option.h"
  #include "qapi/error.h"
  #include "hw/sysbus.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/arm/primecell.h"
  #include "hw/arm/virt.h"
  #include "hw/block/flash.h"
 diff --git a/hw/arm/xilinx_zynq.c b/hw/arm/xilinx_zynq.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/xilinx_zynq.c
 +++ b/hw/arm/xilinx_zynq.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu-common.h"
  #include "cpu.h"
  #include "hw/sysbus.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "net/net.h"
  #include "exec/address-spaces.h"
  #include "sysemu/sysemu.h"
 diff --git a/hw/arm/xlnx-versal.c b/hw/arm/xlnx-versal.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/xlnx-versal.c
 +++ b/hw/arm/xlnx-versal.c
@@ -XXX,XX +XXX,XX @@
  #include "net/net.h"
  #include "sysemu/sysemu.h"
  #include "sysemu/kvm.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "kvm_arm.h"
  #include "hw/misc/unimp.h"
  #include "hw/intc/arm_gicv3_common.h"
 diff --git a/hw/arm/z2.c b/hw/arm/z2.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/z2.c
 +++ b/hw/arm/z2.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/osdep.h"
  #include "hw/hw.h"
  #include "hw/arm/pxa.h"
 -#include "hw/arm/arm.h"
 +#include "hw/arm/boot.h"
  #include "hw/i2c/i2c.h"
  #include "hw/ssi/ssi.h"
  #include "hw/boards.h"
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 08/13] target/arm: Pull Thumb insn word loads up to top level
+[Qemu-devel] [PULL 07/12] hw/intc/arm_gicv3: Fix write of ICH_VMCR_EL2.{VBPR0, VBPR1}
-Refactor the Thumb decode to do the loads of the instruction words at
+In ich_vmcr_write() we enforce "writes of BPR fields to less than
-the top level rather than only loading the second half of a 32-bit
+their minimum sets them to the minimum" by doing a "read vbpr and
-Thumb insn in the middle of the decode.
+write it back" operation.  A typo here meant that we weren't handling
+writes to these fields correctly, because we were reading from VBPR0
-This is simple apart from the awkward case of Thumb1, where the
+but writing to VBPR1.
 BL/BLX prefix and suffix instructions live in what in Thumb2 is the
 -bit insn space.  To handle these we decode enough to identify
 whether we're looking at a prefix/suffix that we handle as a 16 bit
 insn, or a prefix that we're going to merge with the following suffix
 to consider as a 32 bit insn.  The translation of the 16 bit cases
 then moves from disas_thumb2_insn() to disas_thumb_insn().
 The refactoring has the benefit that we don't need to pass the
 CPUARMState* down into the decoder code any more, but the major
 reason for doing this is that some Thumb instructions must be always
 unconditional regardless of the IT state bits, so we need to know the
 whole insn before we emit the "skip this insn if the IT bits and cond
 state tell us to" code.  (The always unconditional insns are BKPT,
 HLT and SG; the last of these is 32 bits.)
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 1507556919-24992-7-git-send-email-peter.maydell@linaro.org
+Message-id: 20190520162809.2677-4-peter.maydell@linaro.org
 ---
- target/arm/translate.c | 178 ++++++++++++++++++++++++++++++-------------------
+ hw/intc/arm_gicv3_cpuif.c | 2 +-
-file changed, 108 insertions(+), 70 deletions(-)
+file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/target/arm/translate.c b/target/arm/translate.c
+diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
+--- a/hw/intc/arm_gicv3_cpuif.c
-+++ b/target/arm/translate.c
++++ b/hw/intc/arm_gicv3_cpuif.c
-@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
+@@ -XXX,XX +XXX,XX @@ static void ich_vmcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
-     }
+     /* Enforce "writing BPRs to less than minimum sets them to the minimum"
- }
+      * by reading and writing back the fields.
+      */
-+static bool thumb_insn_is_16bit(DisasContext *s, uint32_t insn)
+-    write_vbpr(cs, GICV3_G1, read_vbpr(cs, GICV3_G0));
-+{
++    write_vbpr(cs, GICV3_G0, read_vbpr(cs, GICV3_G0));
-+    /* Return true if this is a 16 bit instruction. We must be precise
+     write_vbpr(cs, GICV3_G1, read_vbpr(cs, GICV3_G1));
-+     * about this (matching the decode).  We assume that s->pc still
-+     * points to the first 16 bits of the insn.
+     gicv3_cpuif_virt_update(cs);
 +     */
 +    if ((insn >> 11) < 0x1d) {
 +        /* Definitely a 16-bit instruction */
 +        return true;
 +    }
 +
 +    /* Top five bits 0b11101 / 0b11110 / 0b11111 : this is the
 +     * first half of a 32-bit Thumb insn. Thumb-1 cores might
 +     * end up actually treating this as two 16-bit insns, though,
 +     * if it's half of a bl/blx pair that might span a page boundary.
 +     */
 +    if (arm_dc_feature(s, ARM_FEATURE_THUMB2)) {
 +        /* Thumb2 cores (including all M profile ones) always treat
 +         * 32-bit insns as 32-bit.
 +         */
 +        return false;
 +    }
 +
 +    if ((insn >> 11) == 0x1e && (s->pc < s->next_page_start - 3)) {
 +        /* 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix, and the suffix
 +         * is not on the next page; we merge this into a 32-bit
 +         * insn.
 +         */
 +        return false;
 +    }
 +    /* 0b1110_1xxx_xxxx_xxxx : BLX suffix (or UNDEF);
 +     * 0b1111_1xxx_xxxx_xxxx : BL suffix;
 +     * 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix on the end of a page
 +     *  -- handle as single 16 bit insn
 +     */
 +    return true;
 +}
 +
  /* Return true if this is a Thumb-2 logical op.  */
  static int
  thumb2_logic_op(int op)
@@ -XXX,XX +XXX,XX @@ gen_thumb2_data_op(DisasContext *s, int op, int conds, uint32_t shifter_out,
  /* Translate a 32-bit thumb instruction.  Returns nonzero if the instruction
     is not legal.  */
 -static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw1)
 +static int disas_thumb2_insn(DisasContext *s, uint32_t insn)
  {
 -    uint32_t insn, imm, shift, offset;
 +    uint32_t imm, shift, offset;
      uint32_t rd, rn, rm, rs;
      TCGv_i32 tmp;
      TCGv_i32 tmp2;
@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
      int conds;
      int logic_cc;
 -    if (!arm_dc_feature(s, ARM_FEATURE_THUMB2)) {
 -        /* Thumb-1 cores may need to treat bl and blx as a pair of
 -           16-bit instructions to get correct prefetch abort behavior.  */
 -        insn = insn_hw1;
 -        if ((insn & (1 << 12)) == 0) {
 -            ARCH(5);
 -            /* Second half of blx.  */
 -            offset = ((insn & 0x7ff) << 1);
 -            tmp = load_reg(s, 14);
 -            tcg_gen_addi_i32(tmp, tmp, offset);
 -            tcg_gen_andi_i32(tmp, tmp, 0xfffffffc);
 -
 -            tmp2 = tcg_temp_new_i32();
 -            tcg_gen_movi_i32(tmp2, s->pc | 1);
 -            store_reg(s, 14, tmp2);
 -            gen_bx(s, tmp);
 -            return 0;
 -        }
 -        if (insn & (1 << 11)) {
 -            /* Second half of bl.  */
 -            offset = ((insn & 0x7ff) << 1) | 1;
 -            tmp = load_reg(s, 14);
 -            tcg_gen_addi_i32(tmp, tmp, offset);
 -
 -            tmp2 = tcg_temp_new_i32();
 -            tcg_gen_movi_i32(tmp2, s->pc | 1);
 -            store_reg(s, 14, tmp2);
 -            gen_bx(s, tmp);
 -            return 0;
 -        }
 -        if ((s->pc & ~TARGET_PAGE_MASK) == 0) {
 -            /* Instruction spans a page boundary.  Implement it as two
 -               16-bit instructions in case the second half causes an
 -               prefetch abort.  */
 -            offset = ((int32_t)insn << 21) >> 9;
 -            tcg_gen_movi_i32(cpu_R[14], s->pc + 2 + offset);
 -            return 0;
 -        }
 -        /* Fall through to 32-bit decode.  */
 -    }
 -
 -    insn = arm_lduw_code(env, s->pc, s->sctlr_b);
 -    s->pc += 2;
 -    insn |= (uint32_t)insn_hw1 << 16;
 -
 +    /* The only 32 bit insn that's allowed for Thumb1 is the combined
 +     * BL/BLX prefix and suffix.
 +     */
      if ((insn & 0xf800e800) != 0xf000e800) {
          ARCH(6T2);
      }
@@ -XXX,XX +XXX,XX @@ illegal_op:
      return 1;
  }
 -static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
 +static void disas_thumb_insn(DisasContext *s, uint32_t insn)
  {
 -    uint32_t val, insn, op, rm, rn, rd, shift, cond;
 +    uint32_t val, op, rm, rn, rd, shift, cond;
      int32_t offset;
      int i;
      TCGv_i32 tmp;
      TCGv_i32 tmp2;
      TCGv_i32 addr;
 -    if (s->condexec_mask) {
 -        cond = s->condexec_cond;
 -        if (cond != 0x0e) {     /* Skip conditional when condition is AL. */
 -          s->condlabel = gen_new_label();
 -          arm_gen_test_cc(cond ^ 1, s->condlabel);
 -          s->condjmp = 1;
 -        }
 -    }
 -
 -    insn = arm_lduw_code(env, s->pc, s->sctlr_b);
 -    s->pc += 2;
 -
      switch (insn >> 12) {
      case 0: case 1:
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
      case 14:
          if (insn & (1 << 11)) {
 -            if (disas_thumb2_insn(env, s, insn))
 -              goto undef32;
 +            /* thumb_insn_is_16bit() ensures we can't get here for
 +             * a Thumb2 CPU, so this must be a thumb1 split BL/BLX:
 +             * 0b1110_1xxx_xxxx_xxxx : BLX suffix (or UNDEF)
 +             */
 +            assert(!arm_dc_feature(s, ARM_FEATURE_THUMB2));
 +            ARCH(5);
 +            offset = ((insn & 0x7ff) << 1);
 +            tmp = load_reg(s, 14);
 +            tcg_gen_addi_i32(tmp, tmp, offset);
 +            tcg_gen_andi_i32(tmp, tmp, 0xfffffffc);
 +
 +            tmp2 = tcg_temp_new_i32();
 +            tcg_gen_movi_i32(tmp2, s->pc | 1);
 +            store_reg(s, 14, tmp2);
 +            gen_bx(s, tmp);
              break;
          }
          /* unconditional branch */
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
          break;
      case 15:
 -        if (disas_thumb2_insn(env, s, insn))
 -            goto undef32;
 +        /* thumb_insn_is_16bit() ensures we can't get here for
 +         * a Thumb2 CPU, so this must be a thumb1 split BL/BLX.
 +         */
 +        assert(!arm_dc_feature(s, ARM_FEATURE_THUMB2));
 +
 +        if (insn & (1 << 11)) {
 +            /* 0b1111_1xxx_xxxx_xxxx : BL suffix */
 +            offset = ((insn & 0x7ff) << 1) | 1;
 +            tmp = load_reg(s, 14);
 +            tcg_gen_addi_i32(tmp, tmp, offset);
 +
 +            tmp2 = tcg_temp_new_i32();
 +            tcg_gen_movi_i32(tmp2, s->pc | 1);
 +            store_reg(s, 14, tmp2);
 +            gen_bx(s, tmp);
 +        } else {
 +            /* 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix */
 +            uint32_t uoffset = ((int32_t)insn << 21) >> 9;
 +
 +            tcg_gen_movi_i32(cpu_R[14], s->pc + 2 + uoffset);
 +        }
          break;
      }
      return;
 -undef32:
 -    gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
 -                       default_exception_el(s));
 -    return;
  illegal_op:
  undef:
      gen_exception_insn(s, 2, EXCP_UDEF, syn_uncategorized(),
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
  {
      DisasContext *dc = container_of(dcbase, DisasContext, base);
      CPUARMState *env = cpu->env_ptr;
 +    uint32_t insn;
 +    bool is_16bit;
      if (arm_pre_translate_insn(dc)) {
          return;
      }
 -    disas_thumb_insn(env, dc);
 +    insn = arm_lduw_code(env, dc->pc, dc->sctlr_b);
 +    is_16bit = thumb_insn_is_16bit(dc, insn);
 +    dc->pc += 2;
 +    if (!is_16bit) {
 +        uint32_t insn2 = arm_lduw_code(env, dc->pc, dc->sctlr_b);
 +
 +        insn = insn << 16 | insn2;
 +        dc->pc += 2;
 +    }
 +
 +    if (dc->condexec_mask) {
 +        uint32_t cond = dc->condexec_cond;
 +
 +        if (cond != 0x0e) {     /* Skip conditional when condition is AL. */
 +            dc->condlabel = gen_new_label();
 +            arm_gen_test_cc(cond ^ 1, dc->condlabel);
 +            dc->condjmp = 1;
 +        }
 +    }
 +
 +    if (is_16bit) {
 +        disas_thumb_insn(dc, insn);
 +    } else {
 +        disas_thumb2_insn(dc, insn);
 +    }
      /* Advance the Thumb condexec condition.  */
      if (dc->condexec_mask) {
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 13/13] nvic: Fix miscalculation of offsets into ITNS array
+[Qemu-devel] [PULL 08/12] hw/intc/arm_gicv3: Fix writes to ICC_CTLR_EL3
-This calculation of the first exception vector in
+The ICC_CTLR_EL3 register includes some bits which are aliases
-the ITNS<n> register being accessed:
+of bits in the ICC_CTLR_EL1(S) and (NS) registers. QEMU chooses
-        int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
+to keep those bits in the cs->icc_ctlr_el1[] struct fields.
+Unfortunately a missing '~' in the code to update the bits
-is incorrect, because offset is in bytes, so we only want
+in those fields meant that writing to ICC_CTLR_EL3 would corrupt
-to multiply by 8.
+the ICC_CLTR_EL1 register values.
 Spotted by Coverity (CID 1381484, CID 1381488), though it is
 not correct that it actually overflows the buffer, because
 we have a 'startvec + i < s->num_irq' guard.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 1507650856-11718-1-git-send-email-peter.maydell@linaro.org
+Message-id: 20190520162809.2677-5-peter.maydell@linaro.org
 ---
- hw/intc/armv7m_nvic.c | 4 ++--
+ hw/intc/arm_gicv3_cpuif.c | 4 ++--
 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
+diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
+--- a/hw/intc/arm_gicv3_cpuif.c
-+++ b/hw/intc/armv7m_nvic.c
++++ b/hw/intc/arm_gicv3_cpuif.c
-@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
+@@ -XXX,XX +XXX,XX @@ static void icc_ctlr_el3_write(CPUARMState *env, const ARMCPRegInfo *ri,
-         return ((s->num_irq - NVIC_FIRST_IRQ) / 32) - 1;
+     trace_gicv3_icc_ctlr_el3_write(gicv3_redist_affid(cs), value);
-     case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */
-     {
+     /* *_EL1NS and *_EL1S bits are aliases into the ICC_CTLR_EL1 bits. */
--        int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
+-    cs->icc_ctlr_el1[GICV3_NS] &= (ICC_CTLR_EL1_CBPR | ICC_CTLR_EL1_EOIMODE);
-+        int startvec = 8 * (offset - 0x380) + NVIC_FIRST_IRQ;
++    cs->icc_ctlr_el1[GICV3_NS] &= ~(ICC_CTLR_EL1_CBPR | ICC_CTLR_EL1_EOIMODE);
-         int i;
+     if (value & ICC_CTLR_EL3_EOIMODE_EL1NS) {
+         cs->icc_ctlr_el1[GICV3_NS] |= ICC_CTLR_EL1_EOIMODE;
-         if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
+     }
-@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
+@@ -XXX,XX +XXX,XX @@ static void icc_ctlr_el3_write(CPUARMState *env, const ARMCPRegInfo *ri,
-     switch (offset) {
+         cs->icc_ctlr_el1[GICV3_NS] |= ICC_CTLR_EL1_CBPR;
-     case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */
+     }
-     {
--        int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
+-    cs->icc_ctlr_el1[GICV3_S] &= (ICC_CTLR_EL1_CBPR | ICC_CTLR_EL1_EOIMODE);
-+        int startvec = 8 * (offset - 0x380) + NVIC_FIRST_IRQ;
++    cs->icc_ctlr_el1[GICV3_S] &= ~(ICC_CTLR_EL1_CBPR | ICC_CTLR_EL1_EOIMODE);
-         int i;
+     if (value & ICC_CTLR_EL3_EOIMODE_EL1S) {
+         cs->icc_ctlr_el1[GICV3_S] |= ICC_CTLR_EL1_EOIMODE;
-         if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
+     }
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 07/13] target-arm: Don't check for "Thumb2 or M profile" for not-Thumb1
+[Qemu-devel] [PULL 09/12] hw/arm/exynos4: Remove unuseful debug code
-The code which implements the Thumb1 split BL/BLX instructions
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
 is guarded by a check on "not M or THUMB2". All we really need
 to check here is "not THUMB2" (and we assume that elsewhere too,
 eg in the ARCH(6T2) test that UNDEFs the Thumb2 insns).
-This doesn't change behaviour because all M profile cores
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-have Thumb2 and so ARM_FEATURE_M implies ARM_FEATURE_THUMB2.
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-(v6M implements a very restricted subset of Thumb2, but we
+Message-id: 20190520214342.13709-2-philmd@redhat.com
-can cross that bridge when we get to it with appropriate
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-feature bits.)
+---
  hw/arm/exynos4_boards.c | 24 ------------------------
 file changed, 24 deletions(-)
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 1507556919-24992-6-git-send-email-peter.maydell@linaro.org
 ---
  target/arm/translate.c | 3 +--
 file changed, 1 insertion(+), 2 deletions(-)
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
+--- a/hw/arm/exynos4_boards.c
-+++ b/target/arm/translate.c
++++ b/hw/arm/exynos4_boards.c
-@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
+@@ -XXX,XX +XXX,XX @@
-     int conds;
+ #include "hw/net/lan9118.h"
-     int logic_cc;
+ #include "hw/boards.h"
--    if (!(arm_dc_feature(s, ARM_FEATURE_THUMB2)
+-#undef DEBUG
--          || arm_dc_feature(s, ARM_FEATURE_M))) {
+-
-+    if (!arm_dc_feature(s, ARM_FEATURE_THUMB2)) {
+-//#define DEBUG
-         /* Thumb-1 cores may need to treat bl and blx as a pair of
+-
--bit instructions to get correct prefetch abort behavior.  */
+-#ifdef DEBUG
-         insn = insn_hw1;
+-    #undef PRINT_DEBUG
 -    #define  PRINT_DEBUG(fmt, args...) \
 -        do { \
 -            fprintf(stderr, "  [%s:%d]   "fmt, __func__, __LINE__, ##args); \
 -        } while (0)
 -#else
 -    #define  PRINT_DEBUG(fmt, args...)  do {} while (0)
 -#endif
 -
  #define SMDK_LAN9118_BASE_ADDR      0x05000000
  typedef enum Exynos4BoardType {
@@ -XXX,XX +XXX,XX @@ exynos4_boards_init_common(MachineState *machine,
      exynos4_board_binfo.gic_cpu_if_addr =
              EXYNOS4210_SMP_PRIVATE_BASE_ADDR + 0x100;
 -    PRINT_DEBUG("\n ram_size: %luMiB [0x%08lx]\n"
 -            " kernel_filename: %s\n"
 -            " kernel_cmdline: %s\n"
 -            " initrd_filename: %s\n",
 -            exynos4_board_ram_size[board_type] / 1048576,
 -            exynos4_board_ram_size[board_type],
 -            machine->kernel_filename,
 -            machine->kernel_cmdline,
 -            machine->initrd_filename);
 -
      exynos4_boards_init_ram(s, get_system_memory(),
                              exynos4_board_ram_size[board_type]);
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 01/13] watchdog/aspeed: fix variable type to store reload value
+[Qemu-devel] [PULL 10/12] hw/arm/exynos4: Use the IEC binary prefix definitions
-From: Cédric Le Goater <clg@kaod.org>
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
-Initially from Anton D. Kachalov" <mouse@yandex-team.ru> but the SoB was
+It eases code review, unit is explicit.
 missing.
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Acked-by: Andrew Jeffery <andrew@aj.id.au>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Message-id: 20170920064915.30027-1-clg@kaod.org
+Message-id: 20190520214342.13709-3-philmd@redhat.com
 [clg: change commit log and subject
       replace UL suffix by ULL ]
 Signed-off-by: Cédric Le Goater <clg@kaod.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/watchdog/wdt_aspeed.c | 4 ++--
+ hw/arm/exynos4_boards.c | 5 +++--
-file changed, 2 insertions(+), 2 deletions(-)
+file changed, 3 insertions(+), 2 deletions(-)
-diff --git a/hw/watchdog/wdt_aspeed.c b/hw/watchdog/wdt_aspeed.c
+diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/watchdog/wdt_aspeed.c
+--- a/hw/arm/exynos4_boards.c
-+++ b/hw/watchdog/wdt_aspeed.c
++++ b/hw/arm/exynos4_boards.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t aspeed_wdt_read(void *opaque, hwaddr offset, unsigned size)
+@@ -XXX,XX +XXX,XX @@
+  */
- static void aspeed_wdt_reload(AspeedWDTState *s, bool pclk)
- {
+ #include "qemu/osdep.h"
--    uint32_t reload;
++#include "qemu/units.h"
-+    uint64_t reload;
+ #include "qapi/error.h"
+ #include "qemu/error-report.h"
-     if (pclk) {
+ #include "qemu-common.h"
-         reload = muldiv64(s->regs[WDT_RELOAD_VALUE], NANOSECONDS_PER_SECOND,
+@@ -XXX,XX +XXX,XX @@ static int exynos4_board_smp_bootreg_addr[EXYNOS4_NUM_OF_BOARDS] = {
-                           s->pclk_freq);
+ };
-     } else {
--        reload = s->regs[WDT_RELOAD_VALUE] * 1000;
+ static unsigned long exynos4_board_ram_size[EXYNOS4_NUM_OF_BOARDS] = {
-+        reload = s->regs[WDT_RELOAD_VALUE] * 1000ULL;
+-    [EXYNOS4_BOARD_NURI]     = 0x40000000,
-     }
+-    [EXYNOS4_BOARD_SMDKC210] = 0x40000000,
++    [EXYNOS4_BOARD_NURI]     = 1 * GiB,
-     if (aspeed_wdt_is_enabled(s)) {
++    [EXYNOS4_BOARD_SMDKC210] = 1 * GiB,
  };
  static struct arm_boot_info exynos4_board_binfo = {
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 03/13] target/arm: Add M profile secure MMU index values to get_a32_user_mem_index()
+Deleted patch
-Add the M profile secure MMU index values to the switch in
-get_a32_user_mem_index() so that LDRT/STRT work correctly
-rather than asserting at translate time.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1507556919-24992-2-git-send-email-peter.maydell@linaro.org
----
- target/arm/translate.c | 4 ++++
-file changed, 4 insertions(+)
-diff --git a/target/arm/translate.c b/target/arm/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
-+++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static inline int get_a32_user_mem_index(DisasContext *s)
-     case ARMMMUIdx_MPriv:
-     case ARMMMUIdx_MNegPri:
-         return arm_to_core_mmu_idx(ARMMMUIdx_MUser);
-+    case ARMMMUIdx_MSUser:
-+    case ARMMMUIdx_MSPriv:
-+    case ARMMMUIdx_MSNegPri:
-+        return arm_to_core_mmu_idx(ARMMMUIdx_MSUser);
-     case ARMMMUIdx_S2NS:
-     default:
-         g_assert_not_reached();
---
-.7.4

-[Qemu-devel] [PULL 05/13] target/arm: Implement BLXNS
+[Qemu-devel] [PULL 11/12] hw/arm/exynos4210: Add DMA support for the Exynos4210
-Implement the BLXNS instruction, which allows secure code to
+From: Guenter Roeck <linux@roeck-us.net>
 call non-secure code.
+QEMU already supports pl330. Instantiate it for Exynos4210.
+Relevant part of Linux arch/arm/boot/dts/exynos4.dtsi:
+/ {
+    soc: soc {
+        amba {
+            pdma0: pdma@12680000 {
+                compatible = "arm,pl330", "arm,primecell";
+                reg = <0x12680000 0x1000>;
+                interrupts = <GIC_SPI 35 IRQ_TYPE_LEVEL_HIGH>;
+                clocks = <&clock CLK_PDMA0>;
+                clock-names = "apb_pclk";
+                #dma-cells = <1>;
+                #dma-channels = <8>;
+                #dma-requests = <32>;
+            };
+            pdma1: pdma@12690000 {
+                compatible = "arm,pl330", "arm,primecell";
+                reg = <0x12690000 0x1000>;
+                interrupts = <GIC_SPI 36 IRQ_TYPE_LEVEL_HIGH>;
+                clocks = <&clock CLK_PDMA1>;
+                clock-names = "apb_pclk";
+                #dma-cells = <1>;
+                #dma-channels = <8>;
+                #dma-requests = <32>;
+            };
+            mdma1: mdma@12850000 {
+                compatible = "arm,pl330", "arm,primecell";
+                reg = <0x12850000 0x1000>;
+                interrupts = <GIC_SPI 34 IRQ_TYPE_LEVEL_HIGH>;
+                clocks = <&clock CLK_MDMA>;
+                clock-names = "apb_pclk";
+                #dma-cells = <1>;
+                #dma-channels = <8>;
+                #dma-requests = <1>;
+            };
+        };
+    };
+};
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20190520214342.13709-4-philmd@redhat.com
+[PMD: Do not set default qdev properties, create the controllers in the SoC
+      rather than the board (Peter Maydell), add dtsi in commit message]
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1507556919-24992-4-git-send-email-peter.maydell@linaro.org
 ---
- target/arm/helper.h    |  1 +
+ hw/arm/exynos4210.c | 26 ++++++++++++++++++++++++++
- target/arm/internals.h |  1 +
+file changed, 26 insertions(+)
  target/arm/helper.c    | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++
  target/arm/translate.c | 17 +++++++++++++--
 files changed, 76 insertions(+), 2 deletions(-)
-diff --git a/target/arm/helper.h b/target/arm/helper.h
+diff --git a/hw/arm/exynos4210.c b/hw/arm/exynos4210.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.h
+--- a/hw/arm/exynos4210.c
-+++ b/target/arm/helper.h
++++ b/hw/arm/exynos4210.c
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_3(v7m_msr, void, env, i32, i32)
+@@ -XXX,XX +XXX,XX @@
- DEF_HELPER_2(v7m_mrs, i32, env, i32)
+ /* EHCI */
+ #define EXYNOS4210_EHCI_BASE_ADDR           0x12580000
- DEF_HELPER_2(v7m_bxns, void, env, i32)
-+DEF_HELPER_2(v7m_blxns, void, env, i32)
++/* DMA */
++#define EXYNOS4210_PL330_BASE0_ADDR         0x12680000
- DEF_HELPER_4(access_check_cp_reg, void, env, ptr, i32, i32)
++#define EXYNOS4210_PL330_BASE1_ADDR         0x12690000
- DEF_HELPER_3(set_cp_reg, void, env, ptr, i32)
++#define EXYNOS4210_PL330_BASE2_ADDR         0x12850000
-diff --git a/target/arm/internals.h b/target/arm/internals.h
++
-index XXXXXXX..XXXXXXX 100644
+ static uint8_t chipid_and_omr[] = { 0x11, 0x02, 0x21, 0x43,
---- a/target/arm/internals.h
+x09, 0x00, 0x00, 0x00 };
-+++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ static inline bool excp_is_internal(int excp)
+@@ -XXX,XX +XXX,XX @@ static uint64_t exynos4210_calc_affinity(int cpu)
- FIELD(V7M_CONTROL, NPRIV, 0, 1)
+     return (0x9 << ARM_AFF1_SHIFT) | cpu;
  FIELD(V7M_CONTROL, SPSEL, 1, 1)
  FIELD(V7M_CONTROL, FPCA, 2, 1)
 +FIELD(V7M_CONTROL, SFPA, 3, 1)
  /* Bit definitions for v7M exception return payload */
  FIELD(V7M_EXCRET, ES, 0, 1)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
      g_assert_not_reached();
  }
-+void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
++static void pl330_create(uint32_t base, qemu_irq irq, int nreq)
 +{
-+    /* translate.c should never generate calls here in user-only mode */
++    SysBusDevice *busdev;
-+    g_assert_not_reached();
++    DeviceState *dev;
 +
 +    dev = qdev_create(NULL, "pl330");
 +    qdev_prop_set_uint8(dev, "num_periph_req",  nreq);
 +    qdev_init_nofail(dev);
 +    busdev = SYS_BUS_DEVICE(dev);
 +    sysbus_mmio_map(busdev, 0, base);
 +    sysbus_connect_irq(busdev, 0, irq);
 +}
 +
- void switch_mode(CPUARMState *env, int mode)
+ Exynos4210State *exynos4210_init(MemoryRegion *system_mem)
  {
-     ARMCPU *cpu = arm_env_get_cpu(env);
+     Exynos4210State *s = g_new0(Exynos4210State, 1);
-@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
+@@ -XXX,XX +XXX,XX @@ Exynos4210State *exynos4210_init(MemoryRegion *system_mem)
-     env->regs[15] = dest & ~1;
+     sysbus_create_simple(TYPE_EXYNOS4210_EHCI, EXYNOS4210_EHCI_BASE_ADDR,
              s->irq_table[exynos4210_get_irq(28, 3)]);
 +    /*** DMA controllers ***/
 +    pl330_create(EXYNOS4210_PL330_BASE0_ADDR,
 +                 qemu_irq_invert(s->irq_table[exynos4210_get_irq(35, 1)]), 32);
 +    pl330_create(EXYNOS4210_PL330_BASE1_ADDR,
 +                 qemu_irq_invert(s->irq_table[exynos4210_get_irq(36, 1)]), 32);
 +    pl330_create(EXYNOS4210_PL330_BASE2_ADDR,
 +                 qemu_irq_invert(s->irq_table[exynos4210_get_irq(34, 1)]), 1);
 +
      return s;
  }
-+void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
-+{
-+    /* Handle v7M BLXNS:
-+     *  - bit 0 of the destination address is the target security state
-+     */
-+
-+    /* At this point regs[15] is the address just after the BLXNS */
-+    uint32_t nextinst = env->regs[15] | 1;
-+    uint32_t sp = env->regs[13] - 8;
-+    uint32_t saved_psr;
-+
-+    /* translate.c will have made BLXNS UNDEF unless we're secure */
-+    assert(env->v7m.secure);
-+
-+    if (dest & 1) {
-+        /* target is Secure, so this is just a normal BLX,
-+         * except that the low bit doesn't indicate Thumb/not.
-+         */
-+        env->regs[14] = nextinst;
-+        env->thumb = 1;
-+        env->regs[15] = dest & ~1;
-+        return;
-+    }
-+
-+    /* Target is non-secure: first push a stack frame */
-+    if (!QEMU_IS_ALIGNED(sp, 8)) {
-+        qemu_log_mask(LOG_GUEST_ERROR,
-+                      "BLXNS with misaligned SP is UNPREDICTABLE\n");
-+    }
-+
-+    saved_psr = env->v7m.exception;
-+    if (env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK) {
-+        saved_psr |= XPSR_SFPA;
-+    }
-+
-+    /* Note that these stores can throw exceptions on MPU faults */
-+    cpu_stl_data(env, sp, nextinst);
-+    cpu_stl_data(env, sp + 4, saved_psr);
-+
-+    env->regs[13] = sp;
-+    env->regs[14] = 0xfeffffff;
-+    if (arm_v7m_is_handler_mode(env)) {
-+        /* Write a dummy value to IPSR, to avoid leaking the current secure
-+         * exception number to non-secure code. This is guaranteed not
-+         * to cause write_v7m_exception() to actually change stacks.
-+         */
-+        write_v7m_exception(env, 1);
-+    }
-+    switch_v7m_security_state(env, 0);
-+    env->thumb = 1;
-+    env->regs[15] = dest;
-+}
-+
- static uint32_t *get_v7m_sp_ptr(CPUARMState *env, bool secure, bool threadmode,
-                                 bool spsel)
- {
-diff --git a/target/arm/translate.c b/target/arm/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
-+++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static inline void gen_bxns(DisasContext *s, int rm)
-     s->base.is_jmp = DISAS_EXIT;
- }
-+static inline void gen_blxns(DisasContext *s, int rm)
-+{
-+    TCGv_i32 var = load_reg(s, rm);
-+
-+    /* We don't need to sync condexec state, for the same reason as bxns.
-+     * We do however need to set the PC, because the blxns helper reads it.
-+     * The blxns helper may throw an exception.
-+     */
-+    gen_set_pc_im(s, s->pc);
-+    gen_helper_v7m_blxns(cpu_env, var);
-+    tcg_temp_free_i32(var);
-+    s->base.is_jmp = DISAS_EXIT;
-+}
-+
- /* Variant of store_reg which uses branch&exchange logic when storing
-    to r15 in ARM architecture v7 and above. The source must be a temporary
-    and will be marked as dead. */
-@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
-                         goto undef;
-                     }
-                     if (link) {
--                        /* BLXNS: not yet implemented */
--                        goto undef;
-+                        gen_blxns(s, rm);
-                     } else {
-                         gen_bxns(s, rm);
-                     }
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 04/13] target/arm: Implement SG instruction
+[Qemu-devel] [PULL 12/12] hw/arm/exynos4210: QOM'ify the Exynos4210 SoC
-Implement the SG instruction, which we emulate 'by hand' in the
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
 exception handling code path.
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20190520214342.13709-5-philmd@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1507556919-24992-3-git-send-email-peter.maydell@linaro.org
 ---
- target/arm/helper.c | 132 ++++++++++++++++++++++++++++++++++++++++++++++++++--
+ include/hw/arm/exynos4210.h |  9 +++++++--
-file changed, 127 insertions(+), 5 deletions(-)
+ hw/arm/exynos4210.c         | 28 ++++++++++++++++++++++++----
  hw/arm/exynos4_boards.c     |  9 ++++++---
 files changed, 37 insertions(+), 9 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
+diff --git a/include/hw/arm/exynos4210.h b/include/hw/arm/exynos4210.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
+--- a/include/hw/arm/exynos4210.h
-+++ b/target/arm/helper.c
++++ b/include/hw/arm/exynos4210.h
-@@ -XXX,XX +XXX,XX @@ typedef struct V8M_SAttributes {
+@@ -XXX,XX +XXX,XX @@ typedef struct Exynos4210Irq {
-     bool irvalid;
+ } Exynos4210Irq;
- } V8M_SAttributes;
+ typedef struct Exynos4210State {
-+static void v8m_security_lookup(CPUARMState *env, uint32_t address,
++    /*< private >*/
-+                                MMUAccessType access_type, ARMMMUIdx mmu_idx,
++    SysBusDevice parent_obj;
-+                                V8M_SAttributes *sattrs);
++    /*< public >*/
      ARMCPU *cpu[EXYNOS4210_NCPUS];
      Exynos4210Irq irqs;
      qemu_irq *irq_table;
@@ -XXX,XX +XXX,XX @@ typedef struct Exynos4210State {
      I2CBus *i2c_if[EXYNOS4210_I2C_NUMBER];
  } Exynos4210State;
 +#define TYPE_EXYNOS4210_SOC "exynos4210"
 +#define EXYNOS4210_SOC(obj) \
 +    OBJECT_CHECK(Exynos4210State, obj, TYPE_EXYNOS4210_SOC)
 +
- /* Definitions for the PMCCNTR and PMCR registers */
+ void exynos4210_write_secondary(ARMCPU *cpu,
- #define PMCRD   0x8
+         const struct arm_boot_info *info);
- #define PMCRC   0x4
-@@ -XXX,XX +XXX,XX @@ static void arm_log_exception(int idx)
+-Exynos4210State *exynos4210_init(MemoryRegion *system_mem);
-     }
+-
  /* Initialize exynos4210 IRQ subsystem stub */
  qemu_irq *exynos4210_init_irq(Exynos4210Irq *env);
 diff --git a/hw/arm/exynos4210.c b/hw/arm/exynos4210.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/exynos4210.c
 +++ b/hw/arm/exynos4210.c
@@ -XXX,XX +XXX,XX @@ static void pl330_create(uint32_t base, qemu_irq irq, int nreq)
      sysbus_connect_irq(busdev, 0, irq);
  }
-+static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
+-Exynos4210State *exynos4210_init(MemoryRegion *system_mem)
-+                               uint32_t addr, uint16_t *insn)
++static void exynos4210_realize(DeviceState *socdev, Error **errp)
  {
 -    Exynos4210State *s = g_new0(Exynos4210State, 1);
 +    Exynos4210State *s = EXYNOS4210_SOC(socdev);
 +    MemoryRegion *system_mem = get_system_memory();
      qemu_irq gate_irq[EXYNOS4210_NCPUS][EXYNOS4210_IRQ_GATE_NINPUTS];
      SysBusDevice *busdev;
      DeviceState *dev;
@@ -XXX,XX +XXX,XX @@ Exynos4210State *exynos4210_init(MemoryRegion *system_mem)
                   qemu_irq_invert(s->irq_table[exynos4210_get_irq(36, 1)]), 32);
      pl330_create(EXYNOS4210_PL330_BASE2_ADDR,
                   qemu_irq_invert(s->irq_table[exynos4210_get_irq(34, 1)]), 1);
 -
 -    return s;
  }
 +
 +static void exynos4210_class_init(ObjectClass *klass, void *data)
 +{
-+    /* Load a 16-bit portion of a v7M instruction, returning true on success,
++    DeviceClass *dc = DEVICE_CLASS(klass);
 +     * or false on failure (in which case we will have pended the appropriate
 +     * exception).
 +     * We need to do the instruction fetch's MPU and SAU checks
 +     * like this because there is no MMU index that would allow
 +     * doing the load with a single function call. Instead we must
 +     * first check that the security attributes permit the load
 +     * and that they don't mismatch on the two halves of the instruction,
 +     * and then we do the load as a secure load (ie using the security
 +     * attributes of the address, not the CPU, as architecturally required).
 +     */
 +    CPUState *cs = CPU(cpu);
 +    CPUARMState *env = &cpu->env;
 +    V8M_SAttributes sattrs = {};
 +    MemTxAttrs attrs = {};
 +    ARMMMUFaultInfo fi = {};
 +    MemTxResult txres;
 +    target_ulong page_size;
 +    hwaddr physaddr;
 +    int prot;
 +    uint32_t fsr;
 +
-+    v8m_security_lookup(env, addr, MMU_INST_FETCH, mmu_idx, &sattrs);
++    dc->realize = exynos4210_realize;
 +    if (!sattrs.nsc || sattrs.ns) {
 +        /* This must be the second half of the insn, and it straddles a
 +         * region boundary with the second half not being S&NSC.
 +         */
 +        env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 +        qemu_log_mask(CPU_LOG_INT,
 +                      "...really SecureFault with SFSR.INVEP\n");
 +        return false;
 +    }
 +    if (get_phys_addr(env, addr, MMU_INST_FETCH, mmu_idx,
 +                      &physaddr, &attrs, &prot, &page_size, &fsr, &fi)) {
 +        /* the MPU lookup failed */
 +        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_IACCVIOL_MASK;
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM, env->v7m.secure);
 +        qemu_log_mask(CPU_LOG_INT, "...really MemManage with CFSR.IACCVIOL\n");
 +        return false;
 +    }
 +    *insn = address_space_lduw_le(arm_addressspace(cs, attrs), physaddr,
 +                                 attrs, &txres);
 +    if (txres != MEMTX_OK) {
 +        env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_IBUSERR_MASK;
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
 +        qemu_log_mask(CPU_LOG_INT, "...really BusFault with CFSR.IBUSERR\n");
 +        return false;
 +    }
 +    return true;
 +}
 +
-+static bool v7m_handle_execute_nsc(ARMCPU *cpu)
++static const TypeInfo exynos4210_info = {
 +    .name = TYPE_EXYNOS4210_SOC,
 +    .parent = TYPE_SYS_BUS_DEVICE,
 +    .instance_size = sizeof(Exynos4210State),
 +    .class_init = exynos4210_class_init,
 +};
 +
 +static void exynos4210_register_types(void)
 +{
-+    /* Check whether this attempt to execute code in a Secure & NS-Callable
++    type_register_static(&exynos4210_info);
 +     * memory region is for an SG instruction; if so, then emulate the
 +     * effect of the SG instruction and return true. Otherwise pend
 +     * the correct kind of exception and return false.
 +     */
 +    CPUARMState *env = &cpu->env;
 +    ARMMMUIdx mmu_idx;
 +    uint16_t insn;
 +
 +    /* We should never get here unless get_phys_addr_pmsav8() caused
 +     * an exception for NS executing in S&NSC memory.
 +     */
 +    assert(!env->v7m.secure);
 +    assert(arm_feature(env, ARM_FEATURE_M_SECURITY));
 +
 +    /* We want to do the MPU lookup as secure; work out what mmu_idx that is */
 +    mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
 +
 +    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15], &insn)) {
 +        return false;
 +    }
 +
 +    if (!env->thumb) {
 +        goto gen_invep;
 +    }
 +
 +    if (insn != 0xe97f) {
 +        /* Not an SG instruction first half (we choose the IMPDEF
 +         * early-SG-check option).
 +         */
 +        goto gen_invep;
 +    }
 +
 +    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15] + 2, &insn)) {
 +        return false;
 +    }
 +
 +    if (insn != 0xe97f) {
 +        /* Not an SG instruction second half (yes, both halves of the SG
 +         * insn have the same hex value)
 +         */
 +        goto gen_invep;
 +    }
 +
 +    /* OK, we have confirmed that we really have an SG instruction.
 +     * We know we're NS in S memory so don't need to repeat those checks.
 +     */
 +    qemu_log_mask(CPU_LOG_INT, "...really an SG instruction at 0x%08" PRIx32
 +                  ", executing it\n", env->regs[15]);
 +    env->regs[14] &= ~1;
 +    switch_v7m_security_state(env, true);
 +    xpsr_write(env, 0, XPSR_IT);
 +    env->regs[15] += 4;
 +    return true;
 +
 +gen_invep:
 +    env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
 +    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 +    qemu_log_mask(CPU_LOG_INT,
 +                  "...really SecureFault with SFSR.INVEP\n");
 +    return false;
 +}
 +
- void arm_v7m_cpu_do_interrupt(CPUState *cs)
++type_init(exynos4210_register_types)
- {
+diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
-     ARMCPU *cpu = ARM_CPU(cs);
+index XXXXXXX..XXXXXXX 100644
-@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
+--- a/hw/arm/exynos4_boards.c
-              * the SG instruction have the same security attributes.)
++++ b/hw/arm/exynos4_boards.c
-              * Everything else must generate an INVEP SecureFault, so we
+@@ -XXX,XX +XXX,XX @@ typedef enum Exynos4BoardType {
-              * emulate the SG instruction here.
+ } Exynos4BoardType;
--             * TODO: actually emulate SG.
-              */
+ typedef struct Exynos4BoardState {
--            env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
+-    Exynos4210State *soc;
--            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
++    Exynos4210State soc;
--            qemu_log_mask(CPU_LOG_INT,
+     MemoryRegion dram0_mem;
--                          "...really SecureFault with SFSR.INVEP\n");
+     MemoryRegion dram1_mem;
-+            if (v7m_handle_execute_nsc(cpu)) {
+ } Exynos4BoardState;
-+                return;
+@@ -XXX,XX +XXX,XX @@ exynos4_boards_init_common(MachineState *machine,
-+            }
+     exynos4_boards_init_ram(s, get_system_memory(),
-             break;
+                             exynos4_board_ram_size[board_type]);
-         case M_FAKE_FSR_SFAULT:
-             /* Various flavours of SecureFault for attempts to execute or
+-    s->soc = exynos4210_init(get_system_memory());
 +    object_initialize(&s->soc, sizeof(s->soc), TYPE_EXYNOS4210_SOC);
 +    qdev_set_parent_bus(DEVICE(&s->soc), sysbus_get_default());
 +    object_property_set_bool(OBJECT(&s->soc), true, "realized",
 +                             &error_fatal);
      return s;
  }
@@ -XXX,XX +XXX,XX @@ static void smdkc210_init(MachineState *machine)
                                                        EXYNOS4_BOARD_SMDKC210);
      lan9215_init(SMDK_LAN9118_BASE_ADDR,
 -            qemu_irq_invert(s->soc->irq_table[exynos4210_get_irq(37, 1)]));
 +            qemu_irq_invert(s->soc.irq_table[exynos4210_get_irq(37, 1)]));
      arm_load_kernel(ARM_CPU(first_cpu), &exynos4_board_binfo);
  }
 --
-.7.4
+.20.1

target-arm queue:
 * mostly my latest v8M stuff, plus a couple of minor patches

The following changes since commit a0b261db8c030813e30a39eae47359ac2a37f7e2:

Merge remote-tracking branch 'remotes/ehabkost/tags/python-next-pull-request' into staging (2017-10-12 10:02:09 +0100)

are available in the git repository at:

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20171012

for you to fetch changes up to cf5f7937b05c84d5565134f058c00cd48304a117:

nvic: Fix miscalculation of offsets into ITNS array (2017-10-12 16:33:16 +0100)

----------------------------------------------------------------
target-arm queue:
 * v8M: SG, BLXNS, secure-return
 * v8M: fixes for coverity issues in previous patches
 * arm: fix armv7m_init() declaration to match definition
 * watchdog/aspeed: fix variable type to store reload value

----------------------------------------------------------------
Cédric Le Goater (1):
      watchdog/aspeed: fix variable type to store reload value

Igor Mammedov (1):
      arm: fix armv7m_init() declaration to match definition

Peter Maydell (11):
      target/arm: Add M profile secure MMU index values to get_a32_user_mem_index()
      target/arm: Implement SG instruction
      target/arm: Implement BLXNS
      target/arm: Implement secure function return
      target-arm: Don't check for "Thumb2 or M profile" for not-Thumb1
      target/arm: Pull Thumb insn word loads up to top level
      target-arm: Simplify insn_crosses_page()
      target/arm: Support some Thumb insns being always unconditional
      target/arm: Implement SG instruction corner cases
      nvic: Add missing 'break'
      nvic: Fix miscalculation of offsets into ITNS array

include/hw/arm/arm.h     |   2 +-
 target/arm/helper.h      |   1 +
 target/arm/internals.h   |   8 ++
 hw/intc/armv7m_nvic.c    |   5 +-
 hw/watchdog/wdt_aspeed.c |   4 +-
 target/arm/helper.c      | 306 ++++++++++++++++++++++++++++++++++++++++++++--
 target/arm/translate.c   | 310 ++++++++++++++++++++++++++++++++---------------
 7 files changed, 521 insertions(+), 115 deletions(-)

From: Cédric Le Goater <clg@kaod.org>

Initially from Anton D. Kachalov" <mouse@yandex-team.ru> but the SoB was
missing.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Acked-by: Andrew Jeffery <andrew@aj.id.au>
Message-id: 20170920064915.30027-1-clg@kaod.org
[clg: change commit log and subject
      replace UL suffix by ULL ]
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/watchdog/wdt_aspeed.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/watchdog/wdt_aspeed.c b/hw/watchdog/wdt_aspeed.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/watchdog/wdt_aspeed.c
+++ b/hw/watchdog/wdt_aspeed.c
@@ -XXX,XX +XXX,XX @@ static uint64_t aspeed_wdt_read(void *opaque, hwaddr offset, unsigned size)
 
 static void aspeed_wdt_reload(AspeedWDTState *s, bool pclk)
 {
-    uint32_t reload;
+    uint64_t reload;
 
     if (pclk) {
         reload = muldiv64(s->regs[WDT_RELOAD_VALUE], NANOSECONDS_PER_SECOND,
                           s->pclk_freq);
     } else {
-        reload = s->regs[WDT_RELOAD_VALUE] * 1000;
+        reload = s->regs[WDT_RELOAD_VALUE] * 1000ULL;
     }
 
     if (aspeed_wdt_is_enabled(s)) {
-- 
2.7.4

Implement the SG instruction, which we emulate 'by hand' in the
exception handling code path.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1507556919-24992-3-git-send-email-peter.maydell@linaro.org
---
 target/arm/helper.c | 132 ++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 127 insertions(+), 5 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ typedef struct V8M_SAttributes {
     bool irvalid;
 } V8M_SAttributes;
 
+static void v8m_security_lookup(CPUARMState *env, uint32_t address,
+                                MMUAccessType access_type, ARMMMUIdx mmu_idx,
+                                V8M_SAttributes *sattrs);
+
 /* Definitions for the PMCCNTR and PMCR registers */
 #define PMCRD   0x8
 #define PMCRC   0x4
@@ -XXX,XX +XXX,XX @@ static void arm_log_exception(int idx)
     }
 }
 
+static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
+                               uint32_t addr, uint16_t *insn)
+{
+    /* Load a 16-bit portion of a v7M instruction, returning true on success,
+     * or false on failure (in which case we will have pended the appropriate
+     * exception).
+     * We need to do the instruction fetch's MPU and SAU checks
+     * like this because there is no MMU index that would allow
+     * doing the load with a single function call. Instead we must
+     * first check that the security attributes permit the load
+     * and that they don't mismatch on the two halves of the instruction,
+     * and then we do the load as a secure load (ie using the security
+     * attributes of the address, not the CPU, as architecturally required).
+     */
+    CPUState *cs = CPU(cpu);
+    CPUARMState *env = &cpu->env;
+    V8M_SAttributes sattrs = {};
+    MemTxAttrs attrs = {};
+    ARMMMUFaultInfo fi = {};
+    MemTxResult txres;
+    target_ulong page_size;
+    hwaddr physaddr;
+    int prot;
+    uint32_t fsr;
+
+    v8m_security_lookup(env, addr, MMU_INST_FETCH, mmu_idx, &sattrs);
+    if (!sattrs.nsc || sattrs.ns) {
+        /* This must be the second half of the insn, and it straddles a
+         * region boundary with the second half not being S&NSC.
+         */
+        env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
+        qemu_log_mask(CPU_LOG_INT,
+                      "...really SecureFault with SFSR.INVEP\n");
+        return false;
+    }
+    if (get_phys_addr(env, addr, MMU_INST_FETCH, mmu_idx,
+                      &physaddr, &attrs, &prot, &page_size, &fsr, &fi)) {
+        /* the MPU lookup failed */
+        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_IACCVIOL_MASK;
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM, env->v7m.secure);
+        qemu_log_mask(CPU_LOG_INT, "...really MemManage with CFSR.IACCVIOL\n");
+        return false;
+    }
+    *insn = address_space_lduw_le(arm_addressspace(cs, attrs), physaddr,
+                                 attrs, &txres);
+    if (txres != MEMTX_OK) {
+        env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_IBUSERR_MASK;
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
+        qemu_log_mask(CPU_LOG_INT, "...really BusFault with CFSR.IBUSERR\n");
+        return false;
+    }
+    return true;
+}
+
+static bool v7m_handle_execute_nsc(ARMCPU *cpu)
+{
+    /* Check whether this attempt to execute code in a Secure & NS-Callable
+     * memory region is for an SG instruction; if so, then emulate the
+     * effect of the SG instruction and return true. Otherwise pend
+     * the correct kind of exception and return false.
+     */
+    CPUARMState *env = &cpu->env;
+    ARMMMUIdx mmu_idx;
+    uint16_t insn;
+
+    /* We should never get here unless get_phys_addr_pmsav8() caused
+     * an exception for NS executing in S&NSC memory.
+     */
+    assert(!env->v7m.secure);
+    assert(arm_feature(env, ARM_FEATURE_M_SECURITY));
+
+    /* We want to do the MPU lookup as secure; work out what mmu_idx that is */
+    mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
+
+    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15], &insn)) {
+        return false;
+    }
+
+    if (!env->thumb) {
+        goto gen_invep;
+    }
+
+    if (insn != 0xe97f) {
+        /* Not an SG instruction first half (we choose the IMPDEF
+         * early-SG-check option).
+         */
+        goto gen_invep;
+    }
+
+    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15] + 2, &insn)) {
+        return false;
+    }
+
+    if (insn != 0xe97f) {
+        /* Not an SG instruction second half (yes, both halves of the SG
+         * insn have the same hex value)
+         */
+        goto gen_invep;
+    }
+
+    /* OK, we have confirmed that we really have an SG instruction.
+     * We know we're NS in S memory so don't need to repeat those checks.
+     */
+    qemu_log_mask(CPU_LOG_INT, "...really an SG instruction at 0x%08" PRIx32
+                  ", executing it\n", env->regs[15]);
+    env->regs[14] &= ~1;
+    switch_v7m_security_state(env, true);
+    xpsr_write(env, 0, XPSR_IT);
+    env->regs[15] += 4;
+    return true;
+
+gen_invep:
+    env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
+    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
+    qemu_log_mask(CPU_LOG_INT,
+                  "...really SecureFault with SFSR.INVEP\n");
+    return false;
+}
+
 void arm_v7m_cpu_do_interrupt(CPUState *cs)
 {
     ARMCPU *cpu = ARM_CPU(cs);
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
              * the SG instruction have the same security attributes.)
              * Everything else must generate an INVEP SecureFault, so we
              * emulate the SG instruction here.
-             * TODO: actually emulate SG.
              */
-            env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
-            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
-            qemu_log_mask(CPU_LOG_INT,
-                          "...really SecureFault with SFSR.INVEP\n");
+            if (v7m_handle_execute_nsc(cpu)) {
+                return;
+            }
             break;
         case M_FAKE_FSR_SFAULT:
             /* Various flavours of SecureFault for attempts to execute or
-- 
2.7.4

Implement the BLXNS instruction, which allows secure code to
call non-secure code.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1507556919-24992-4-git-send-email-peter.maydell@linaro.org
---
 target/arm/helper.h    |  1 +
 target/arm/internals.h |  1 +
 target/arm/helper.c    | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++
 target/arm/translate.c | 17 +++++++++++++--
 4 files changed, 76 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_3(v7m_msr, void, env, i32, i32)
 DEF_HELPER_2(v7m_mrs, i32, env, i32)
 
 DEF_HELPER_2(v7m_bxns, void, env, i32)
+DEF_HELPER_2(v7m_blxns, void, env, i32)
 
 DEF_HELPER_4(access_check_cp_reg, void, env, ptr, i32, i32)
 DEF_HELPER_3(set_cp_reg, void, env, ptr, i32)
diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline bool excp_is_internal(int excp)
 FIELD(V7M_CONTROL, NPRIV, 0, 1)
 FIELD(V7M_CONTROL, SPSEL, 1, 1)
 FIELD(V7M_CONTROL, FPCA, 2, 1)
+FIELD(V7M_CONTROL, SFPA, 3, 1)
 
 /* Bit definitions for v7M exception return payload */
 FIELD(V7M_EXCRET, ES, 0, 1)
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
     g_assert_not_reached();
 }
 
+void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
+{
+    /* translate.c should never generate calls here in user-only mode */
+    g_assert_not_reached();
+}
+
 void switch_mode(CPUARMState *env, int mode)
 {
     ARMCPU *cpu = arm_env_get_cpu(env);
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
     env->regs[15] = dest & ~1;
 }
 
+void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
+{
+    /* Handle v7M BLXNS:
+     *  - bit 0 of the destination address is the target security state
+     */
+
+    /* At this point regs[15] is the address just after the BLXNS */
+    uint32_t nextinst = env->regs[15] | 1;
+    uint32_t sp = env->regs[13] - 8;
+    uint32_t saved_psr;
+
+    /* translate.c will have made BLXNS UNDEF unless we're secure */
+    assert(env->v7m.secure);
+
+    if (dest & 1) {
+        /* target is Secure, so this is just a normal BLX,
+         * except that the low bit doesn't indicate Thumb/not.
+         */
+        env->regs[14] = nextinst;
+        env->thumb = 1;
+        env->regs[15] = dest & ~1;
+        return;
+    }
+
+    /* Target is non-secure: first push a stack frame */
+    if (!QEMU_IS_ALIGNED(sp, 8)) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "BLXNS with misaligned SP is UNPREDICTABLE\n");
+    }
+
+    saved_psr = env->v7m.exception;
+    if (env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK) {
+        saved_psr |= XPSR_SFPA;
+    }
+
+    /* Note that these stores can throw exceptions on MPU faults */
+    cpu_stl_data(env, sp, nextinst);
+    cpu_stl_data(env, sp + 4, saved_psr);
+
+    env->regs[13] = sp;
+    env->regs[14] = 0xfeffffff;
+    if (arm_v7m_is_handler_mode(env)) {
+        /* Write a dummy value to IPSR, to avoid leaking the current secure
+         * exception number to non-secure code. This is guaranteed not
+         * to cause write_v7m_exception() to actually change stacks.
+         */
+        write_v7m_exception(env, 1);
+    }
+    switch_v7m_security_state(env, 0);
+    env->thumb = 1;
+    env->regs[15] = dest;
+}
+
 static uint32_t *get_v7m_sp_ptr(CPUARMState *env, bool secure, bool threadmode,
                                 bool spsel)
 {
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_bxns(DisasContext *s, int rm)
     s->base.is_jmp = DISAS_EXIT;
 }
 
+static inline void gen_blxns(DisasContext *s, int rm)
+{
+    TCGv_i32 var = load_reg(s, rm);
+
+    /* We don't need to sync condexec state, for the same reason as bxns.
+     * We do however need to set the PC, because the blxns helper reads it.
+     * The blxns helper may throw an exception.
+     */
+    gen_set_pc_im(s, s->pc);
+    gen_helper_v7m_blxns(cpu_env, var);
+    tcg_temp_free_i32(var);
+    s->base.is_jmp = DISAS_EXIT;
+}
+
 /* Variant of store_reg which uses branch&exchange logic when storing
    to r15 in ARM architecture v7 and above. The source must be a temporary
    and will be marked as dead. */
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
                         goto undef;
                     }
                     if (link) {
-                        /* BLXNS: not yet implemented */
-                        goto undef;
+                        gen_blxns(s, rm);
                     } else {
                         gen_bxns(s, rm);
                     }
-- 
2.7.4

Secure function return happens when a non-secure function has been
called using BLXNS and so has a particular magic LR value (either
0xfefffffe or 0xfeffffff). The function return via BX behaves
specially when the new PC value is this magic value, in the same
way that exception returns are handled.

Adjust our BX excret guards so that they recognize the function
return magic number as well, and perform the function-return
unstacking in do_v7m_exception_exit().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1507556919-24992-5-git-send-email-peter.maydell@linaro.org
---
 target/arm/internals.h |   7 +++
 target/arm/helper.c    | 115 +++++++++++++++++++++++++++++++++++++++++++++----
 target/arm/translate.c |  14 +++++-
 3 files changed, 126 insertions(+), 10 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ FIELD(V7M_EXCRET, DCRS, 5, 1)
 FIELD(V7M_EXCRET, S, 6, 1)
 FIELD(V7M_EXCRET, RES1, 7, 25) /* including the must-be-1 prefix */
 
+/* Minimum value which is a magic number for exception return */
+#define EXC_RETURN_MIN_MAGIC 0xff000000
+/* Minimum number which is a magic number for function or exception return
+ * when using v8M security extension
+ */
+#define FNC_RETURN_MIN_MAGIC 0xfefffffe
+
 /* We use a few fake FSR values for internal purposes in M profile.
  * M profile cores don't have A/R format FSRs, but currently our
  * get_phys_addr() code assumes A/R profile and reports failures via
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
      *  - if the return value is a magic value, do exception return (like BX)
      *  - otherwise bit 0 of the return value is the target security state
      */
-    if (dest >= 0xff000000) {
+    uint32_t min_magic;
+
+    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+        /* Covers FNC_RETURN and EXC_RETURN magic */
+        min_magic = FNC_RETURN_MIN_MAGIC;
+    } else {
+        /* EXC_RETURN magic only */
+        min_magic = EXC_RETURN_MIN_MAGIC;
+    }
+
+    if (dest >= min_magic) {
         /* This is an exception return magic value; put it where
          * do_v7m_exception_exit() expects and raise EXCEPTION_EXIT.
          * Note that if we ever add gen_ss_advance() singlestep support to
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
     bool exc_secure = false;
     bool return_to_secure;
 
-    /* We can only get here from an EXCP_EXCEPTION_EXIT, and
-     * gen_bx_excret() enforces the architectural rule
-     * that jumps to magic addresses don't have magic behaviour unless
-     * we're in Handler mode (compare pseudocode BXWritePC()).
+    /* If we're not in Handler mode then jumps to magic exception-exit
+     * addresses don't have magic behaviour. However for the v8M
+     * security extensions the magic secure-function-return has to
+     * work in thread mode too, so to avoid doing an extra check in
+     * the generated code we allow exception-exit magic to also cause the
+     * internal exception and bring us here in thread mode. Correct code
+     * will never try to do this (the following insn fetch will always
+     * fault) so we the overhead of having taken an unnecessary exception
+     * doesn't matter.
      */
-    assert(arm_v7m_is_handler_mode(env));
+    if (!arm_v7m_is_handler_mode(env)) {
+        return;
+    }
 
     /* In the spec pseudocode ExceptionReturn() is called directly
      * from BXWritePC() and gets the full target PC value including
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
     qemu_log_mask(CPU_LOG_INT, "...successful exception return\n");
 }
 
+static bool do_v7m_function_return(ARMCPU *cpu)
+{
+    /* v8M security extensions magic function return.
+     * We may either:
+     *  (1) throw an exception (longjump)
+     *  (2) return true if we successfully handled the function return
+     *  (3) return false if we failed a consistency check and have
+     *      pended a UsageFault that needs to be taken now
+     *
+     * At this point the magic return value is split between env->regs[15]
+     * and env->thumb. We don't bother to reconstitute it because we don't
+     * need it (all values are handled the same way).
+     */
+    CPUARMState *env = &cpu->env;
+    uint32_t newpc, newpsr, newpsr_exc;
+
+    qemu_log_mask(CPU_LOG_INT, "...really v7M secure function return\n");
+
+    {
+        bool threadmode, spsel;
+        TCGMemOpIdx oi;
+        ARMMMUIdx mmu_idx;
+        uint32_t *frame_sp_p;
+        uint32_t frameptr;
+
+        /* Pull the return address and IPSR from the Secure stack */
+        threadmode = !arm_v7m_is_handler_mode(env);
+        spsel = env->v7m.control[M_REG_S] & R_V7M_CONTROL_SPSEL_MASK;
+
+        frame_sp_p = get_v7m_sp_ptr(env, true, threadmode, spsel);
+        frameptr = *frame_sp_p;
+
+        /* These loads may throw an exception (for MPU faults). We want to
+         * do them as secure, so work out what MMU index that is.
+         */
+        mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
+        oi = make_memop_idx(MO_LE, arm_to_core_mmu_idx(mmu_idx));
+        newpc = helper_le_ldul_mmu(env, frameptr, oi, 0);
+        newpsr = helper_le_ldul_mmu(env, frameptr + 4, oi, 0);
+
+        /* Consistency checks on new IPSR */
+        newpsr_exc = newpsr & XPSR_EXCP;
+        if (!((env->v7m.exception == 0 && newpsr_exc == 0) ||
+              (env->v7m.exception == 1 && newpsr_exc != 0))) {
+            /* Pend the fault and tell our caller to take it */
+            env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
+            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
+                                    env->v7m.secure);
+            qemu_log_mask(CPU_LOG_INT,
+                          "...taking INVPC UsageFault: "
+                          "IPSR consistency check failed\n");
+            return false;
+        }
+
+        *frame_sp_p = frameptr + 8;
+    }
+
+    /* This invalidates frame_sp_p */
+    switch_v7m_security_state(env, true);
+    env->v7m.exception = newpsr_exc;
+    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
+    if (newpsr & XPSR_SFPA) {
+        env->v7m.control[M_REG_S] |= R_V7M_CONTROL_SFPA_MASK;
+    }
+    xpsr_write(env, 0, XPSR_IT);
+    env->thumb = newpc & 1;
+    env->regs[15] = newpc & ~1;
+
+    qemu_log_mask(CPU_LOG_INT, "...function return successful\n");
+    return true;
+}
+
 static void arm_log_exception(int idx)
 {
     if (qemu_loglevel_mask(CPU_LOG_INT)) {
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
     case EXCP_IRQ:
         break;
     case EXCP_EXCEPTION_EXIT:
-        do_v7m_exception_exit(cpu);
-        return;
+        if (env->regs[15] < EXC_RETURN_MIN_MAGIC) {
+            /* Must be v8M security extension function return */
+            assert(env->regs[15] >= FNC_RETURN_MIN_MAGIC);
+            assert(arm_feature(env, ARM_FEATURE_M_SECURITY));
+            if (do_v7m_function_return(cpu)) {
+                return;
+            }
+        } else {
+            do_v7m_exception_exit(cpu);
+            return;
+        }
+        break;
     default:
         cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
         return; /* Never happens.  Keep compiler happy.  */
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_bx_excret(DisasContext *s, TCGv_i32 var)
      * s->base.is_jmp that we need to do the rest of the work later.
      */
     gen_bx(s, var);
-    if (s->v7m_handler_mode && arm_dc_feature(s, ARM_FEATURE_M)) {
+    if (arm_dc_feature(s, ARM_FEATURE_M_SECURITY) ||
+        (s->v7m_handler_mode && arm_dc_feature(s, ARM_FEATURE_M))) {
         s->base.is_jmp = DISAS_BX_EXCRET;
     }
 }
@@ -XXX,XX +XXX,XX @@ static inline void gen_bx_excret_final_code(DisasContext *s)
 {
     /* Generate the code to finish possible exception return and end the TB */
     TCGLabel *excret_label = gen_new_label();
+    uint32_t min_magic;
+
+    if (arm_dc_feature(s, ARM_FEATURE_M_SECURITY)) {
+        /* Covers FNC_RETURN and EXC_RETURN magic */
+        min_magic = FNC_RETURN_MIN_MAGIC;
+    } else {
+        /* EXC_RETURN magic only */
+        min_magic = EXC_RETURN_MIN_MAGIC;
+    }
 
     /* Is the new PC value in the magic range indicating exception return? */
-    tcg_gen_brcondi_i32(TCG_COND_GEU, cpu_R[15], 0xff000000, excret_label);
+    tcg_gen_brcondi_i32(TCG_COND_GEU, cpu_R[15], min_magic, excret_label);
     /* No: end the TB as we would for a DISAS_JMP */
     if (is_singlestepping(s)) {
         gen_singlestep_exception(s);
-- 
2.7.4

The code which implements the Thumb1 split BL/BLX instructions
is guarded by a check on "not M or THUMB2". All we really need
to check here is "not THUMB2" (and we assume that elsewhere too,
eg in the ARCH(6T2) test that UNDEFs the Thumb2 insns).

This doesn't change behaviour because all M profile cores
have Thumb2 and so ARM_FEATURE_M implies ARM_FEATURE_THUMB2.
(v6M implements a very restricted subset of Thumb2, but we
can cross that bridge when we get to it with appropriate
feature bits.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1507556919-24992-6-git-send-email-peter.maydell@linaro.org
---
 target/arm/translate.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
     int conds;
     int logic_cc;
 
-    if (!(arm_dc_feature(s, ARM_FEATURE_THUMB2)
-          || arm_dc_feature(s, ARM_FEATURE_M))) {
+    if (!arm_dc_feature(s, ARM_FEATURE_THUMB2)) {
         /* Thumb-1 cores may need to treat bl and blx as a pair of
            16-bit instructions to get correct prefetch abort behavior.  */
         insn = insn_hw1;
-- 
2.7.4

Refactor the Thumb decode to do the loads of the instruction words at
the top level rather than only loading the second half of a 32-bit
Thumb insn in the middle of the decode.

This is simple apart from the awkward case of Thumb1, where the
BL/BLX prefix and suffix instructions live in what in Thumb2 is the
32-bit insn space.  To handle these we decode enough to identify
whether we're looking at a prefix/suffix that we handle as a 16 bit
insn, or a prefix that we're going to merge with the following suffix
to consider as a 32 bit insn.  The translation of the 16 bit cases
then moves from disas_thumb2_insn() to disas_thumb_insn().

The refactoring has the benefit that we don't need to pass the
CPUARMState* down into the decoder code any more, but the major
reason for doing this is that some Thumb instructions must be always
unconditional regardless of the IT state bits, so we need to know the
whole insn before we emit the "skip this insn if the IT bits and cond
state tell us to" code.  (The always unconditional insns are BKPT,
HLT and SG; the last of these is 32 bits.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1507556919-24992-7-git-send-email-peter.maydell@linaro.org
---
 target/arm/translate.c | 178 ++++++++++++++++++++++++++++++-------------------
 1 file changed, 108 insertions(+), 70 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
     }
 }
 
+static bool thumb_insn_is_16bit(DisasContext *s, uint32_t insn)
+{
+    /* Return true if this is a 16 bit instruction. We must be precise
+     * about this (matching the decode).  We assume that s->pc still
+     * points to the first 16 bits of the insn.
+     */
+    if ((insn >> 11) < 0x1d) {
+        /* Definitely a 16-bit instruction */
+        return true;
+    }
+
+    /* Top five bits 0b11101 / 0b11110 / 0b11111 : this is the
+     * first half of a 32-bit Thumb insn. Thumb-1 cores might
+     * end up actually treating this as two 16-bit insns, though,
+     * if it's half of a bl/blx pair that might span a page boundary.
+     */
+    if (arm_dc_feature(s, ARM_FEATURE_THUMB2)) {
+        /* Thumb2 cores (including all M profile ones) always treat
+         * 32-bit insns as 32-bit.
+         */
+        return false;
+    }
+
+    if ((insn >> 11) == 0x1e && (s->pc < s->next_page_start - 3)) {
+        /* 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix, and the suffix
+         * is not on the next page; we merge this into a 32-bit
+         * insn.
+         */
+        return false;
+    }
+    /* 0b1110_1xxx_xxxx_xxxx : BLX suffix (or UNDEF);
+     * 0b1111_1xxx_xxxx_xxxx : BL suffix;
+     * 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix on the end of a page
+     *  -- handle as single 16 bit insn
+     */
+    return true;
+}
+
 /* Return true if this is a Thumb-2 logical op.  */
 static int
 thumb2_logic_op(int op)
@@ -XXX,XX +XXX,XX @@ gen_thumb2_data_op(DisasContext *s, int op, int conds, uint32_t shifter_out,
 
 /* Translate a 32-bit thumb instruction.  Returns nonzero if the instruction
    is not legal.  */
-static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw1)
+static int disas_thumb2_insn(DisasContext *s, uint32_t insn)
 {
-    uint32_t insn, imm, shift, offset;
+    uint32_t imm, shift, offset;
     uint32_t rd, rn, rm, rs;
     TCGv_i32 tmp;
     TCGv_i32 tmp2;
@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
     int conds;
     int logic_cc;
 
-    if (!arm_dc_feature(s, ARM_FEATURE_THUMB2)) {
-        /* Thumb-1 cores may need to treat bl and blx as a pair of
-           16-bit instructions to get correct prefetch abort behavior.  */
-        insn = insn_hw1;
-        if ((insn & (1 << 12)) == 0) {
-            ARCH(5);
-            /* Second half of blx.  */
-            offset = ((insn & 0x7ff) << 1);
-            tmp = load_reg(s, 14);
-            tcg_gen_addi_i32(tmp, tmp, offset);
-            tcg_gen_andi_i32(tmp, tmp, 0xfffffffc);
-
-            tmp2 = tcg_temp_new_i32();
-            tcg_gen_movi_i32(tmp2, s->pc | 1);
-            store_reg(s, 14, tmp2);
-            gen_bx(s, tmp);
-            return 0;
-        }
-        if (insn & (1 << 11)) {
-            /* Second half of bl.  */
-            offset = ((insn & 0x7ff) << 1) | 1;
-            tmp = load_reg(s, 14);
-            tcg_gen_addi_i32(tmp, tmp, offset);
-
-            tmp2 = tcg_temp_new_i32();
-            tcg_gen_movi_i32(tmp2, s->pc | 1);
-            store_reg(s, 14, tmp2);
-            gen_bx(s, tmp);
-            return 0;
-        }
-        if ((s->pc & ~TARGET_PAGE_MASK) == 0) {
-            /* Instruction spans a page boundary.  Implement it as two
-               16-bit instructions in case the second half causes an
-               prefetch abort.  */
-            offset = ((int32_t)insn << 21) >> 9;
-            tcg_gen_movi_i32(cpu_R[14], s->pc + 2 + offset);
-            return 0;
-        }
-        /* Fall through to 32-bit decode.  */
-    }
-
-    insn = arm_lduw_code(env, s->pc, s->sctlr_b);
-    s->pc += 2;
-    insn |= (uint32_t)insn_hw1 << 16;
-
+    /* The only 32 bit insn that's allowed for Thumb1 is the combined
+     * BL/BLX prefix and suffix.
+     */
     if ((insn & 0xf800e800) != 0xf000e800) {
         ARCH(6T2);
     }
@@ -XXX,XX +XXX,XX @@ illegal_op:
     return 1;
 }
 
-static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
+static void disas_thumb_insn(DisasContext *s, uint32_t insn)
 {
-    uint32_t val, insn, op, rm, rn, rd, shift, cond;
+    uint32_t val, op, rm, rn, rd, shift, cond;
     int32_t offset;
     int i;
     TCGv_i32 tmp;
     TCGv_i32 tmp2;
     TCGv_i32 addr;
 
-    if (s->condexec_mask) {
-        cond = s->condexec_cond;
-        if (cond != 0x0e) {     /* Skip conditional when condition is AL. */
-          s->condlabel = gen_new_label();
-          arm_gen_test_cc(cond ^ 1, s->condlabel);
-          s->condjmp = 1;
-        }
-    }
-
-    insn = arm_lduw_code(env, s->pc, s->sctlr_b);
-    s->pc += 2;
-
     switch (insn >> 12) {
     case 0: case 1:
 
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
 
     case 14:
         if (insn & (1 << 11)) {
-            if (disas_thumb2_insn(env, s, insn))
-              goto undef32;
+            /* thumb_insn_is_16bit() ensures we can't get here for
+             * a Thumb2 CPU, so this must be a thumb1 split BL/BLX:
+             * 0b1110_1xxx_xxxx_xxxx : BLX suffix (or UNDEF)
+             */
+            assert(!arm_dc_feature(s, ARM_FEATURE_THUMB2));
+            ARCH(5);
+            offset = ((insn & 0x7ff) << 1);
+            tmp = load_reg(s, 14);
+            tcg_gen_addi_i32(tmp, tmp, offset);
+            tcg_gen_andi_i32(tmp, tmp, 0xfffffffc);
+
+            tmp2 = tcg_temp_new_i32();
+            tcg_gen_movi_i32(tmp2, s->pc | 1);
+            store_reg(s, 14, tmp2);
+            gen_bx(s, tmp);
             break;
         }
         /* unconditional branch */
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
         break;
 
     case 15:
-        if (disas_thumb2_insn(env, s, insn))
-            goto undef32;
+        /* thumb_insn_is_16bit() ensures we can't get here for
+         * a Thumb2 CPU, so this must be a thumb1 split BL/BLX.
+         */
+        assert(!arm_dc_feature(s, ARM_FEATURE_THUMB2));
+
+        if (insn & (1 << 11)) {
+            /* 0b1111_1xxx_xxxx_xxxx : BL suffix */
+            offset = ((insn & 0x7ff) << 1) | 1;
+            tmp = load_reg(s, 14);
+            tcg_gen_addi_i32(tmp, tmp, offset);
+
+            tmp2 = tcg_temp_new_i32();
+            tcg_gen_movi_i32(tmp2, s->pc | 1);
+            store_reg(s, 14, tmp2);
+            gen_bx(s, tmp);
+        } else {
+            /* 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix */
+            uint32_t uoffset = ((int32_t)insn << 21) >> 9;
+
+            tcg_gen_movi_i32(cpu_R[14], s->pc + 2 + uoffset);
+        }
         break;
     }
     return;
-undef32:
-    gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
-                       default_exception_el(s));
-    return;
 illegal_op:
 undef:
     gen_exception_insn(s, 2, EXCP_UDEF, syn_uncategorized(),
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
     CPUARMState *env = cpu->env_ptr;
+    uint32_t insn;
+    bool is_16bit;
 
     if (arm_pre_translate_insn(dc)) {
         return;
     }
 
-    disas_thumb_insn(env, dc);
+    insn = arm_lduw_code(env, dc->pc, dc->sctlr_b);
+    is_16bit = thumb_insn_is_16bit(dc, insn);
+    dc->pc += 2;
+    if (!is_16bit) {
+        uint32_t insn2 = arm_lduw_code(env, dc->pc, dc->sctlr_b);
+
+        insn = insn << 16 | insn2;
+        dc->pc += 2;
+    }
+
+    if (dc->condexec_mask) {
+        uint32_t cond = dc->condexec_cond;
+
+        if (cond != 0x0e) {     /* Skip conditional when condition is AL. */
+            dc->condlabel = gen_new_label();
+            arm_gen_test_cc(cond ^ 1, dc->condlabel);
+            dc->condjmp = 1;
+        }
+    }
+
+    if (is_16bit) {
+        disas_thumb_insn(dc, insn);
+    } else {
+        disas_thumb2_insn(dc, insn);
+    }
 
     /* Advance the Thumb condexec condition.  */
     if (dc->condexec_mask) {
-- 
2.7.4

Recent changes have left insn_crosses_page() more complicated
than it needed to be:
 * it's only called from thumb_tr_translate_insn() so we know
   for certain that we're looking at a Thumb insn
 * the caller's check for dc->pc >= dc->next_page_start - 3
   means that dc->pc can't possibly be 4 aligned, so there's
   no need to check that (the check was partly there to ensure
   that we didn't treat an ARM insn as Thumb, I think)
 * we now have thumb_insn_is_16bit() which lets us do a precise
   check of the length of the next insn, rather than opencoding
   an inaccurate check

Simplify it down to just loading the first half of the insn
and calling thumb_insn_is_16bit() on it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1507556919-24992-8-git-send-email-peter.maydell@linaro.org
---
 target/arm/translate.c | 27 ++++++---------------------
 1 file changed, 6 insertions(+), 21 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
 {
     /* Return true if the insn at dc->pc might cross a page boundary.
      * (False positives are OK, false negatives are not.)
+     * We know this is a Thumb insn, and our caller ensures we are
+     * only called if dc->pc is less than 4 bytes from the page
+     * boundary, so we cross the page if the first 16 bits indicate
+     * that this is a 32 bit insn.
      */
-    uint16_t insn;
+    uint16_t insn = arm_lduw_code(env, s->pc, s->sctlr_b);
 
-    if ((s->pc & 3) == 0) {
-        /* At a 4-aligned address we can't be crossing a page */
-        return false;
-    }
-
-    /* This must be a Thumb insn */
-    insn = arm_lduw_code(env, s->pc, s->sctlr_b);
-
-    if ((insn >> 11) >= 0x1d) {
-        /* Top five bits 0b11101 / 0b11110 / 0b11111 : this is the
-         * First half of a 32-bit Thumb insn. Thumb-1 cores might
-         * end up actually treating this as two 16-bit insns (see the
-         * code at the start of disas_thumb2_insn()) but we don't bother
-         * to check for that as it is unlikely, and false positives here
-         * are harmless.
-         */
-        return true;
-    }
-    /* Definitely a 16-bit insn, can't be crossing a page. */
-    return false;
+    return !thumb_insn_is_16bit(s, insn);
 }
 
 static int arm_tr_init_disas_context(DisasContextBase *dcbase,
-- 
2.7.4

A few Thumb instructions are always unconditional even inside an
IT block (as opposed to being UNPREDICTABLE if used inside an
IT block): BKPT, the v8M SG instruction, and the A profile
HLT (debug halt) instruction.

This means we need to suppress the jump-over-instruction-on-condfail
code generation (though the IT state still advances as usual and
subsequent insns in the IT block may be conditional).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1507556919-24992-9-git-send-email-peter.maydell@linaro.org
---
 target/arm/translate.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
        in init_disas_context by adjusting max_insns.  */
 }
 
+static bool thumb_insn_is_unconditional(DisasContext *s, uint32_t insn)
+{
+    /* Return true if this Thumb insn is always unconditional,
+     * even inside an IT block. This is true of only a very few
+     * instructions: BKPT, HLT, and SG.
+     *
+     * A larger class of instructions are UNPREDICTABLE if used
+     * inside an IT block; we do not need to detect those here, because
+     * what we do by default (perform the cc check and update the IT
+     * bits state machine) is a permitted CONSTRAINED UNPREDICTABLE
+     * choice for those situations.
+     *
+     * insn is either a 16-bit or a 32-bit instruction; the two are
+     * distinguishable because for the 16-bit case the top 16 bits
+     * are zeroes, and that isn't a valid 32-bit encoding.
+     */
+    if ((insn & 0xffffff00) == 0xbe00) {
+        /* BKPT */
+        return true;
+    }
+
+    if ((insn & 0xffffffc0) == 0xba80 && arm_dc_feature(s, ARM_FEATURE_V8) &&
+        !arm_dc_feature(s, ARM_FEATURE_M)) {
+        /* HLT: v8A only. This is unconditional even when it is going to
+         * UNDEF; see the v8A ARM ARM DDI0487B.a H3.3.
+         * For v7 cores this was a plain old undefined encoding and so
+         * honours its cc check. (We might be using the encoding as
+         * a semihosting trap, but we don't change the cc check behaviour
+         * on that account, because a debugger connected to a real v7A
+         * core and emulating semihosting traps by catching the UNDEF
+         * exception would also only see cases where the cc check passed.
+         * No guest code should be trying to do a HLT semihosting trap
+         * in an IT block anyway.
+         */
+        return true;
+    }
+
+    if (insn == 0xe97fe97f && arm_dc_feature(s, ARM_FEATURE_V8) &&
+        arm_dc_feature(s, ARM_FEATURE_M)) {
+        /* SG: v8M only */
+        return true;
+    }
+
+    return false;
+}
+
 static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         dc->pc += 2;
     }
 
-    if (dc->condexec_mask) {
+    if (dc->condexec_mask && !thumb_insn_is_unconditional(dc, insn)) {
         uint32_t cond = dc->condexec_cond;
 
         if (cond != 0x0e) {     /* Skip conditional when condition is AL. */
-- 
2.7.4

The common situation of the SG instruction is that it is
executed from S&NSC memory by a CPU in NS state. That case
is handled by v7m_handle_execute_nsc(). However the instruction
also has defined behaviour in a couple of other cases:
 * SG instruction in NS memory (behaves as a NOP)
 * SG in S memory but CPU already secure (clears IT bits and
   does nothing else)
 * SG instruction in v8M without Security Extension (NOP)

These can be implemented in translate.c.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1507556919-24992-10-git-send-email-peter.maydell@linaro.org
---
 target/arm/translate.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(DisasContext *s, uint32_t insn)
              * - load/store doubleword, load/store exclusive, ldacq/strel,
              *   table branch.
              */
-            if (insn & 0x01200000) {
+            if (insn == 0xe97fe97f && arm_dc_feature(s, ARM_FEATURE_M) &&
+                arm_dc_feature(s, ARM_FEATURE_V8)) {
+                /* 0b1110_1001_0111_1111_1110_1001_0111_111
+                 *  - SG (v8M only)
+                 * The bulk of the behaviour for this instruction is implemented
+                 * in v7m_handle_execute_nsc(), which deals with the insn when
+                 * it is executed by a CPU in non-secure state from memory
+                 * which is Secure & NonSecure-Callable.
+                 * Here we only need to handle the remaining cases:
+                 *  * in NS memory (including the "security extension not
+                 *    implemented" case) : NOP
+                 *  * in S memory but CPU already secure (clear IT bits)
+                 * We know that the attribute for the memory this insn is
+                 * in must match the current CPU state, because otherwise
+                 * get_phys_addr_pmsav8 would have generated an exception.
+                 */
+                if (s->v8m_secure) {
+                    /* Like the IT insn, we don't need to generate any code */
+                    s->condexec_cond = 0;
+                    s->condexec_mask = 0;
+                }
+            } else if (insn & 0x01200000) {
                 /* 0b1110_1000_x11x_xxxx_xxxx_xxxx_xxxx_xxxx
                  *  - load/store dual (post-indexed)
                  * 0b1111_1001_x10x_xxxx_xxxx_xxxx_xxxx_xxxx
-- 
2.7.4

This calculation of the first exception vector in
the ITNS<n> register being accessed:
        int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;

is incorrect, because offset is in bytes, so we only want
to multiply by 8.

Spotted by Coverity (CID 1381484, CID 1381488), though it is
not correct that it actually overflows the buffer, because
we have a 'startvec + i < s->num_irq' guard.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1507650856-11718-1-git-send-email-peter.maydell@linaro.org
---
 hw/intc/armv7m_nvic.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
         return ((s->num_irq - NVIC_FIRST_IRQ) / 32) - 1;
     case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */
     {
-        int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
+        int startvec = 8 * (offset - 0x380) + NVIC_FIRST_IRQ;
         int i;
 
         if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
     switch (offset) {
     case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */
     {
-        int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
+        int startvec = 8 * (offset - 0x380) + NVIC_FIRST_IRQ;
         int i;
 
         if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
-- 
2.7.4

Not very much here, but several people have fallen over
the vector operation segfault bug, so let's get the fix
into master.

thanks
-- PMM

The following changes since commit d418238dca7b4e0b124135827ead3076233052b1:

Merge remote-tracking branch 'remotes/rth/tags/pull-rng-20190522' into staging (2019-05-23 12:57:17 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190523

for you to fetch changes up to 98e4f4fdb8ea05d840f51f47125924c2bb9df2df:

hw/arm/exynos4210: QOM'ify the Exynos4210 SoC (2019-05-23 14:47:44 +0100)

----------------------------------------------------------------
target-arm queue:
 * exynos4210: QOM'ify the Exynos4210 SoC
 * exynos4210: Add DMA support for the Exynos4210
 * arm_gicv3: Fix writes to ICC_CTLR_EL3
 * arm_gicv3: Fix write of ICH_VMCR_EL2.{VBPR0, VBPR1}
 * target/arm: Fix vector operation segfault
 * target/arm: Minor improvements to BFXIL, EXTR

----------------------------------------------------------------
Alistair Francis (1):
      target/arm: Fix vector operation segfault

Guenter Roeck (1):
      hw/arm/exynos4210: Add DMA support for the Exynos4210

Peter Maydell (5):
      arm: Move system_clock_scale to armv7m_systick.h
      arm: Remove unnecessary includes of hw/arm/arm.h
      arm: Rename hw/arm/arm.h to hw/arm/boot.h
      hw/intc/arm_gicv3: Fix write of ICH_VMCR_EL2.{VBPR0, VBPR1}
      hw/intc/arm_gicv3: Fix writes to ICC_CTLR_EL3

Philippe Mathieu-Daudé (3):
      hw/arm/exynos4: Remove unuseful debug code
      hw/arm/exynos4: Use the IEC binary prefix definitions
      hw/arm/exynos4210: QOM'ify the Exynos4210 SoC

Richard Henderson (2):
      target/arm: Use extract2 for EXTR
      target/arm: Simplify BFXIL expansion

include/hw/arm/allwinner-a10.h    |  2 +-
 include/hw/arm/aspeed_soc.h       |  1 -
 include/hw/arm/bcm2836.h          |  1 -
 include/hw/arm/{arm.h => boot.h}  | 12 +++------
 include/hw/arm/exynos4210.h       |  9 +++++--
 include/hw/arm/fsl-imx25.h        |  2 +-
 include/hw/arm/fsl-imx31.h        |  2 +-
 include/hw/arm/fsl-imx6.h         |  2 +-
 include/hw/arm/fsl-imx6ul.h       |  2 +-
 include/hw/arm/fsl-imx7.h         |  2 +-
 include/hw/arm/virt.h             |  2 +-
 include/hw/arm/xlnx-versal.h      |  2 +-
 include/hw/arm/xlnx-zynqmp.h      |  2 +-
 include/hw/timer/armv7m_systick.h | 22 ++++++++++++++++
 hw/arm/armsse.c                   |  2 +-
 hw/arm/armv7m.c                   |  2 +-
 hw/arm/aspeed.c                   |  2 +-
 hw/arm/boot.c                     |  2 +-
 hw/arm/collie.c                   |  2 +-
 hw/arm/exynos4210.c               | 54 ++++++++++++++++++++++++++++++++++++---
 hw/arm/exynos4_boards.c           | 40 ++++++++---------------------
 hw/arm/highbank.c                 |  2 +-
 hw/arm/integratorcp.c             |  2 +-
 hw/arm/mainstone.c                |  2 +-
 hw/arm/microbit.c                 |  2 +-
 hw/arm/mps2-tz.c                  |  2 +-
 hw/arm/mps2.c                     |  2 +-
 hw/arm/msf2-soc.c                 |  1 -
 hw/arm/msf2-som.c                 |  2 +-
 hw/arm/musca.c                    |  2 +-
 hw/arm/musicpal.c                 |  2 +-
 hw/arm/netduino2.c                |  2 +-
 hw/arm/nrf51_soc.c                |  2 +-
 hw/arm/nseries.c                  |  2 +-
 hw/arm/omap1.c                    |  2 +-
 hw/arm/omap2.c                    |  2 +-
 hw/arm/omap_sx1.c                 |  2 +-
 hw/arm/palm.c                     |  2 +-
 hw/arm/raspi.c                    |  2 +-
 hw/arm/realview.c                 |  2 +-
 hw/arm/spitz.c                    |  2 +-
 hw/arm/stellaris.c                |  2 +-
 hw/arm/stm32f205_soc.c            |  2 +-
 hw/arm/strongarm.c                |  2 +-
 hw/arm/tosa.c                     |  2 +-
 hw/arm/versatilepb.c              |  2 +-
 hw/arm/vexpress.c                 |  2 +-
 hw/arm/virt.c                     |  2 +-
 hw/arm/xilinx_zynq.c              |  2 +-
 hw/arm/xlnx-versal.c              |  2 +-
 hw/arm/z2.c                       |  2 +-
 hw/intc/arm_gicv3_cpuif.c         |  6 ++---
 hw/intc/armv7m_nvic.c             |  1 -
 target/arm/arm-semi.c             |  1 -
 target/arm/cpu.c                  |  1 -
 target/arm/cpu64.c                |  1 -
 target/arm/kvm.c                  |  1 -
 target/arm/kvm32.c                |  1 -
 target/arm/kvm64.c                |  1 -
 target/arm/translate-a64.c        | 44 ++++++++++++++++---------------
 target/arm/translate.c            |  4 +--
 61 files changed, 164 insertions(+), 123 deletions(-)
 rename include/hw/arm/{arm.h => boot.h} (96%)

From: Richard Henderson <richard.henderson@linaro.org>

This is, after all, how we implement extract2 in tcg/aarch64.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190514011129.11330-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 38 ++++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 18 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
             } else {
                 tcg_gen_ext32u_i64(tcg_rd, cpu_reg(s, rm));
             }
-        } else if (rm == rn) { /* ROR */
-            tcg_rm = cpu_reg(s, rm);
-            if (sf) {
-                tcg_gen_rotri_i64(tcg_rd, tcg_rm, imm);
-            } else {
-                TCGv_i32 tmp = tcg_temp_new_i32();
-                tcg_gen_extrl_i64_i32(tmp, tcg_rm);
-                tcg_gen_rotri_i32(tmp, tmp, imm);
-                tcg_gen_extu_i32_i64(tcg_rd, tmp);
-                tcg_temp_free_i32(tmp);
-            }
         } else {
-            tcg_rm = read_cpu_reg(s, rm, sf);
-            tcg_rn = read_cpu_reg(s, rn, sf);
-            tcg_gen_shri_i64(tcg_rm, tcg_rm, imm);
-            tcg_gen_shli_i64(tcg_rn, tcg_rn, bitsize - imm);
-            tcg_gen_or_i64(tcg_rd, tcg_rm, tcg_rn);
-            if (!sf) {
-                tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
+            tcg_rm = cpu_reg(s, rm);
+            tcg_rn = cpu_reg(s, rn);
+
+            if (sf) {
+                /* Specialization to ROR happens in EXTRACT2.  */
+                tcg_gen_extract2_i64(tcg_rd, tcg_rm, tcg_rn, imm);
+            } else {
+                TCGv_i32 t0 = tcg_temp_new_i32();
+
+                tcg_gen_extrl_i64_i32(t0, tcg_rm);
+                if (rm == rn) {
+                    tcg_gen_rotri_i32(t0, t0, imm);
+                } else {
+                    TCGv_i32 t1 = tcg_temp_new_i32();
+                    tcg_gen_extrl_i64_i32(t1, tcg_rn);
+                    tcg_gen_extract2_i32(t0, t0, t1, imm);
+                    tcg_temp_free_i32(t1);
+                }
+                tcg_gen_extu_i32_i64(tcg_rd, t0);
+                tcg_temp_free_i32(t0);
             }
         }
     }
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The mask implied by the extract is redundant with the one
implied by the deposit.  Also, fix spelling of BFXIL.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190514011129.11330-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

From: Alistair Francis <alistair.francis@wdc.com>

Commit 89e68b575 "target/arm: Use vector operations for saturation"
causes this abort() when booting QEMU ARM with a Cortex-A15:

0  0x00007ffff4c2382f in raise () at /usr/lib/libc.so.6
1  0x00007ffff4c0e672 in abort () at /usr/lib/libc.so.6
2  0x00005555559c1839 in disas_neon_data_insn (insn=<optimized out>, s=<optimized out>) at ./target/arm/translate.c:6673
3  0x00005555559c1839 in disas_neon_data_insn (s=<optimized out>, insn=<optimized out>) at ./target/arm/translate.c:6386
4  0x00005555559cd8a4 in disas_arm_insn (insn=4081107068, s=0x7fffe59a9510) at ./target/arm/translate.c:9289
5  0x00005555559cd8a4 in arm_tr_translate_insn (dcbase=0x7fffe59a9510, cpu=<optimized out>) at ./target/arm/translate.c:13612
6  0x00005555558d1d39 in translator_loop (ops=0x5555561cc580 <arm_translator_ops>, db=0x7fffe59a9510, cpu=0x55555686a2f0, tb=<optimized out>, max_insns=<optimized out>) at ./accel/tcg/translator.c:96
7  0x00005555559d10d4 in gen_intermediate_code (cpu=cpu@entry=0x55555686a2f0, tb=tb@entry=0x7fffd7840080 <code_gen_buffer+126091347>, max_insns=max_insns@entry=512) at ./target/arm/translate.c:13901
8  0x00005555558d06b9 in tb_gen_code (cpu=cpu@entry=0x55555686a2f0, pc=3067096216, cs_base=0, flags=192, cflags=-16252928, cflags@entry=524288) at ./accel/tcg/translate-all.c:1736
9  0x00005555558ce467 in tb_find (cf_mask=524288, tb_exit=1, last_tb=0x7fffd783e640 <code_gen_buffer+126084627>, cpu=0x1) at ./accel/tcg/cpu-exec.c:407
10 0x00005555558ce467 in cpu_exec (cpu=cpu@entry=0x55555686a2f0) at ./accel/tcg/cpu-exec.c:728
11 0x000055555588b0cf in tcg_cpu_exec (cpu=0x55555686a2f0) at ./cpus.c:1431
12 0x000055555588d223 in qemu_tcg_cpu_thread_fn (arg=0x55555686a2f0) at ./cpus.c:1735
13 0x000055555588d223 in qemu_tcg_cpu_thread_fn (arg=arg@entry=0x55555686a2f0) at ./cpus.c:1709
14 0x0000555555d2629a in qemu_thread_start (args=<optimized out>) at ./util/qemu-thread-posix.c:502
15 0x00007ffff4db8a92 in start_thread () at /usr/lib/libpthread.

This patch ensures that we don't hit the abort() in the second switch
case in disas_neon_data_insn() as we will return from the first case.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: ad91b397f360b2fc7f4087e476f7df5b04d42ddb.1558021877.git.alistair.francis@wdc.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
             tcg_gen_gvec_4(rd_ofs, offsetof(CPUARMState, vfp.qc),
                            rn_ofs, rm_ofs, vec_size, vec_size,
                            (u ? uqadd_op : sqadd_op) + size);
-            break;
+            return 0;
 
         case NEON_3R_VQSUB:
             tcg_gen_gvec_4(rd_ofs, offsetof(CPUARMState, vfp.qc),
                            rn_ofs, rm_ofs, vec_size, vec_size,
                            (u ? uqsub_op : sqsub_op) + size);
-            break;
+            return 0;
 
         case NEON_3R_VMUL: /* VMUL */
             if (u) {
-- 
2.20.1

The system_clock_scale global is used only by the armv7m systick
device; move the extern declaration to the armv7m_systick.h header,
and expand the comment to explain what it is and that it should
ideally be replaced with a different approach.

diff --git a/include/hw/arm/arm.h b/include/hw/arm/arm.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/arm.h
+++ b/include/hw/arm/arm.h
@@ -XXX,XX +XXX,XX @@ void arm_write_secure_board_setup_dummy_smc(ARMCPU *cpu,
                                             const struct arm_boot_info *info,
                                             hwaddr mvbar_addr);
 
-/* Multiplication factor to convert from system clock ticks to qemu timer
-   ticks.  */
-extern int system_clock_scale;
-
 #endif /* HW_ARM_H */
diff --git a/include/hw/timer/armv7m_systick.h b/include/hw/timer/armv7m_systick.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/timer/armv7m_systick.h
+++ b/include/hw/timer/armv7m_systick.h
@@ -XXX,XX +XXX,XX @@ typedef struct SysTickState {
     qemu_irq irq;
 } SysTickState;
 
+/*
+ * Multiplication factor to convert from system clock ticks to qemu timer
+ * ticks. This should be set (by board code, usually) to a value
+ * equal to NANOSECONDS_PER_SECOND / frq, where frq is the clock frequency
+ * in Hz of the CPU.
+ *
+ * This value is used by the systick device when it is running in
+ * its "use the CPU clock" mode (ie when SYST_CSR.CLKSOURCE == 1) to
+ * set how fast the timer should tick.
+ *
+ * TODO: we should refactor this so that rather than using a global
+ * we use a device property or something similar. This is complicated
+ * because (a) the property would need to be plumbed through from the
+ * board code down through various layers to the systick device
+ * and (b) the property needs to be modifiable after realize, because
+ * the stellaris board uses this to implement the behaviour where the
+ * guest can reprogram the PLL registers to downclock the CPU, and the
+ * systick device needs to react accordingly. Possibly this should
+ * be deferred until we have a good API for modelling clock trees.
+ */
+extern int system_clock_scale;
+
 #endif
-- 
2.20.1

The hw/arm/arm.h header now only includes declarations relating
to boot.c code, so it is only needed by Arm board or SoC code.
Remove some unnecessary inclusions of it from target/arm files
and from hw/intc/armv7m_nvic.c.

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@
 #include "cpu.h"
 #include "hw/sysbus.h"
 #include "qemu/timer.h"
-#include "hw/arm/arm.h"
 #include "hw/intc/armv7m_nvic.h"
 #include "target/arm/cpu.h"
 #include "exec/exec-all.h"
diff --git a/target/arm/arm-semi.c b/target/arm/arm-semi.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/arm-semi.c
+++ b/target/arm/arm-semi.c
@@ -XXX,XX +XXX,XX @@
 #else
 #include "qemu-common.h"
 #include "exec/gdbstub.h"
-#include "hw/arm/arm.h"
 #include "qemu/cutils.h"
 #endif
 
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@
 #if !defined(CONFIG_USER_ONLY)
 #include "hw/loader.h"
 #endif
-#include "hw/arm/arm.h"
 #include "sysemu/sysemu.h"
 #include "sysemu/hw_accel.h"
 #include "kvm_arm.h"
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@
 #if !defined(CONFIG_USER_ONLY)
 #include "hw/loader.h"
 #endif
-#include "hw/arm/arm.h"
 #include "sysemu/sysemu.h"
 #include "sysemu/kvm.h"
 #include "kvm_arm.h"
diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm.c
+++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@
 #include "cpu.h"
 #include "trace.h"
 #include "internals.h"
-#include "hw/arm/arm.h"
 #include "hw/pci/pci.h"
 #include "exec/memattrs.h"
 #include "exec/address-spaces.h"
diff --git a/target/arm/kvm32.c b/target/arm/kvm32.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm32.c
+++ b/target/arm/kvm32.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/kvm.h"
 #include "kvm_arm.h"
 #include "internals.h"
-#include "hw/arm/arm.h"
 #include "qemu/log.h"
 
 static inline void set_feature(uint64_t *features, int feature)
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/kvm.h"
 #include "kvm_arm.h"
 #include "internals.h"
-#include "hw/arm/arm.h"
 
 static bool have_guest_debug;
 
-- 
2.20.1

The header file hw/arm/arm.h now includes only declarations
relating to hw/arm/boot.c functionality. Rename it accordingly,
and adjust its header comment.

The bulk of this commit was created via
 perl -pi -e 's|hw/arm/arm.h|hw/arm/boot.h|' hw/arm/*.c include/hw/arm/*.h

In a few cases we can just delete the #include:
hw/arm/msf2-soc.c, include/hw/arm/aspeed_soc.h and
include/hw/arm/bcm2836.h did not require it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190516163857.6430-4-peter.maydell@linaro.org
---
 include/hw/arm/allwinner-a10.h   | 2 +-
 include/hw/arm/aspeed_soc.h      | 1 -
 include/hw/arm/bcm2836.h         | 1 -
 include/hw/arm/{arm.h => boot.h} | 8 ++++----
 include/hw/arm/fsl-imx25.h       | 2 +-
 include/hw/arm/fsl-imx31.h       | 2 +-
 include/hw/arm/fsl-imx6.h        | 2 +-
 include/hw/arm/fsl-imx6ul.h      | 2 +-
 include/hw/arm/fsl-imx7.h        | 2 +-
 include/hw/arm/virt.h            | 2 +-
 include/hw/arm/xlnx-versal.h     | 2 +-
 include/hw/arm/xlnx-zynqmp.h     | 2 +-
 hw/arm/armsse.c                  | 2 +-
 hw/arm/armv7m.c                  | 2 +-
 hw/arm/aspeed.c                  | 2 +-
 hw/arm/boot.c                    | 2 +-
 hw/arm/collie.c                  | 2 +-
 hw/arm/exynos4210.c              | 2 +-
 hw/arm/exynos4_boards.c          | 2 +-
 hw/arm/highbank.c                | 2 +-
 hw/arm/integratorcp.c            | 2 +-
 hw/arm/mainstone.c               | 2 +-
 hw/arm/microbit.c                | 2 +-
 hw/arm/mps2-tz.c                 | 2 +-
 hw/arm/mps2.c                    | 2 +-
 hw/arm/msf2-soc.c                | 1 -
 hw/arm/msf2-som.c                | 2 +-
 hw/arm/musca.c                   | 2 +-
 hw/arm/musicpal.c                | 2 +-
 hw/arm/netduino2.c               | 2 +-
 hw/arm/nrf51_soc.c               | 2 +-
 hw/arm/nseries.c                 | 2 +-
 hw/arm/omap1.c                   | 2 +-
 hw/arm/omap2.c                   | 2 +-
 hw/arm/omap_sx1.c                | 2 +-
 hw/arm/palm.c                    | 2 +-
 hw/arm/raspi.c                   | 2 +-
 hw/arm/realview.c                | 2 +-
 hw/arm/spitz.c                   | 2 +-
 hw/arm/stellaris.c               | 2 +-
 hw/arm/stm32f205_soc.c           | 2 +-
 hw/arm/strongarm.c               | 2 +-
 hw/arm/tosa.c                    | 2 +-
 hw/arm/versatilepb.c             | 2 +-
 hw/arm/vexpress.c                | 2 +-
 hw/arm/virt.c                    | 2 +-
 hw/arm/xilinx_zynq.c             | 2 +-
 hw/arm/xlnx-versal.c             | 2 +-
 hw/arm/z2.c                      | 2 +-
 49 files changed, 49 insertions(+), 52 deletions(-)
 rename include/hw/arm/{arm.h => boot.h} (98%)

diff --git a/include/hw/arm/allwinner-a10.h b/include/hw/arm/allwinner-a10.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/allwinner-a10.h
+++ b/include/hw/arm/allwinner-a10.h
@@ -XXX,XX +XXX,XX @@
 #include "qemu-common.h"
 #include "qemu/error-report.h"
 #include "hw/char/serial.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/timer/allwinner-a10-pit.h"
 #include "hw/intc/allwinner-a10-pic.h"
 #include "hw/net/allwinner_emac.h"
diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/aspeed_soc.h
+++ b/include/hw/arm/aspeed_soc.h
@@ -XXX,XX +XXX,XX @@
 #ifndef ASPEED_SOC_H
 #define ASPEED_SOC_H
 
-#include "hw/arm/arm.h"
 #include "hw/intc/aspeed_vic.h"
 #include "hw/misc/aspeed_scu.h"
 #include "hw/misc/aspeed_sdmc.h"
diff --git a/include/hw/arm/bcm2836.h b/include/hw/arm/bcm2836.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/bcm2836.h
+++ b/include/hw/arm/bcm2836.h
@@ -XXX,XX +XXX,XX @@
 #ifndef BCM2836_H
 #define BCM2836_H
 
-#include "hw/arm/arm.h"
 #include "hw/arm/bcm2835_peripherals.h"
 #include "hw/intc/bcm2836_control.h"
 
diff --git a/include/hw/arm/arm.h b/include/hw/arm/boot.h
similarity index 98%
rename from include/hw/arm/arm.h
rename to include/hw/arm/boot.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/arm.h
+++ b/include/hw/arm/boot.h
@@ -XXX,XX +XXX,XX @@
 /*
- * Misc ARM declarations
+ * ARM kernel loader.
  *
  * Copyright (c) 2006 CodeSourcery.
  * Written by Paul Brook
@@ -XXX,XX +XXX,XX @@
  *
  */
 
-#ifndef HW_ARM_H
-#define HW_ARM_H
+#ifndef HW_ARM_BOOT_H
+#define HW_ARM_BOOT_H
 
 #include "exec/memory.h"
 #include "target/arm/cpu-qom.h"
@@ -XXX,XX +XXX,XX @@ void arm_write_secure_board_setup_dummy_smc(ARMCPU *cpu,
                                             const struct arm_boot_info *info,
                                             hwaddr mvbar_addr);
 
-#endif /* HW_ARM_H */
+#endif /* HW_ARM_BOOT_H */
diff --git a/include/hw/arm/fsl-imx25.h b/include/hw/arm/fsl-imx25.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/fsl-imx25.h
+++ b/include/hw/arm/fsl-imx25.h
@@ -XXX,XX +XXX,XX @@
 #ifndef FSL_IMX25_H
 #define FSL_IMX25_H
 
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/intc/imx_avic.h"
 #include "hw/misc/imx25_ccm.h"
 #include "hw/char/imx_serial.h"
diff --git a/include/hw/arm/fsl-imx31.h b/include/hw/arm/fsl-imx31.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/fsl-imx31.h
+++ b/include/hw/arm/fsl-imx31.h
@@ -XXX,XX +XXX,XX @@
 #ifndef FSL_IMX31_H
 #define FSL_IMX31_H
 
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/intc/imx_avic.h"
 #include "hw/misc/imx31_ccm.h"
 #include "hw/char/imx_serial.h"
diff --git a/include/hw/arm/fsl-imx6.h b/include/hw/arm/fsl-imx6.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/fsl-imx6.h
+++ b/include/hw/arm/fsl-imx6.h
@@ -XXX,XX +XXX,XX @@
 #ifndef FSL_IMX6_H
 #define FSL_IMX6_H
 
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/cpu/a9mpcore.h"
 #include "hw/misc/imx6_ccm.h"
 #include "hw/misc/imx6_src.h"
diff --git a/include/hw/arm/fsl-imx6ul.h b/include/hw/arm/fsl-imx6ul.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/fsl-imx6ul.h
+++ b/include/hw/arm/fsl-imx6ul.h
@@ -XXX,XX +XXX,XX @@
 #ifndef FSL_IMX6UL_H
 #define FSL_IMX6UL_H
 
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/cpu/a15mpcore.h"
 #include "hw/misc/imx6ul_ccm.h"
 #include "hw/misc/imx6_src.h"
diff --git a/include/hw/arm/fsl-imx7.h b/include/hw/arm/fsl-imx7.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/fsl-imx7.h
+++ b/include/hw/arm/fsl-imx7.h
@@ -XXX,XX +XXX,XX @@
 #ifndef FSL_IMX7_H
 #define FSL_IMX7_H
 
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/cpu/a15mpcore.h"
 #include "hw/intc/imx_gpcv2.h"
 #include "hw/misc/imx7_ccm.h"
diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/virt.h
+++ b/include/hw/arm/virt.h
@@ -XXX,XX +XXX,XX @@
 #include "exec/hwaddr.h"
 #include "qemu/notify.h"
 #include "hw/boards.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/block/flash.h"
 #include "sysemu/kvm.h"
 #include "hw/intc/arm_gicv3_common.h"
diff --git a/include/hw/arm/xlnx-versal.h b/include/hw/arm/xlnx-versal.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/xlnx-versal.h
+++ b/include/hw/arm/xlnx-versal.h
@@ -XXX,XX +XXX,XX @@
 #define XLNX_VERSAL_H
 
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/intc/arm_gicv3.h"
 
 #define TYPE_XLNX_VERSAL "xlnx-versal"
diff --git a/include/hw/arm/xlnx-zynqmp.h b/include/hw/arm/xlnx-zynqmp.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/xlnx-zynqmp.h
+++ b/include/hw/arm/xlnx-zynqmp.h
@@ -XXX,XX +XXX,XX @@
 #ifndef XLNX_ZYNQMP_H
 
 #include "qemu-common.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/intc/arm_gic.h"
 #include "hw/net/cadence_gem.h"
 #include "hw/char/cadence_uart.h"
diff --git a/hw/arm/armsse.c b/hw/arm/armsse.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/armsse.c
+++ b/hw/arm/armsse.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/sysbus.h"
 #include "hw/registerfields.h"
 #include "hw/arm/armsse.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 
 /* Format of the System Information block SYS_CONFIG register */
 typedef enum SysConfigFormat {
diff --git a/hw/arm/armv7m.c b/hw/arm/armv7m.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/armv7m.c
+++ b/hw/arm/armv7m.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu-common.h"
 #include "cpu.h"
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/loader.h"
 #include "elf.h"
 #include "sysemu/qtest.h"
diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu-common.h"
 #include "cpu.h"
 #include "exec/address-spaces.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/aspeed.h"
 #include "hw/arm/aspeed_soc.h"
 #include "hw/boards.h"
diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/error.h"
 #include <libfdt.h>
 #include "hw/hw.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/linux-boot-if.h"
 #include "sysemu/kvm.h"
 #include "sysemu/sysemu.h"
diff --git a/hw/arm/collie.c b/hw/arm/collie.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/collie.c
+++ b/hw/arm/collie.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/sysbus.h"
 #include "hw/boards.h"
 #include "strongarm.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/block/flash.h"
 #include "exec/address-spaces.h"
 #include "cpu.h"
diff --git a/hw/arm/exynos4210.c b/hw/arm/exynos4210.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/exynos4210.c
+++ b/hw/arm/exynos4210.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/boards.h"
 #include "sysemu/sysemu.h"
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/loader.h"
 #include "hw/arm/exynos4210.h"
 #include "hw/sd/sdhci.h"
diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/exynos4_boards.c
+++ b/hw/arm/exynos4_boards.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/sysemu.h"
 #include "hw/sysbus.h"
 #include "net/net.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "exec/address-spaces.h"
 #include "hw/arm/exynos4210.h"
 #include "hw/net/lan9118.h"
diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/highbank.c
+++ b/hw/arm/highbank.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/loader.h"
 #include "net/net.h"
 #include "sysemu/kvm.h"
diff --git a/hw/arm/integratorcp.c b/hw/arm/integratorcp.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/integratorcp.c
+++ b/hw/arm/integratorcp.c
@@ -XXX,XX +XXX,XX @@
 #include "cpu.h"
 #include "hw/sysbus.h"
 #include "hw/boards.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/misc/arm_integrator_debug.h"
 #include "hw/net/smc91c111.h"
 #include "net/net.h"
diff --git a/hw/arm/mainstone.c b/hw/arm/mainstone.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/mainstone.c
+++ b/hw/arm/mainstone.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/error.h"
 #include "hw/hw.h"
 #include "hw/arm/pxa.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "net/net.h"
 #include "hw/net/smc91c111.h"
 #include "hw/boards.h"
diff --git a/hw/arm/microbit.c b/hw/arm/microbit.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/microbit.c
+++ b/hw/arm/microbit.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "hw/boards.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "sysemu/sysemu.h"
 #include "exec/address-spaces.h"
 
diff --git a/hw/arm/mps2-tz.c b/hw/arm/mps2-tz.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/mps2-tz.c
+++ b/hw/arm/mps2-tz.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "qemu/error-report.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/armv7m.h"
 #include "hw/or-irq.h"
 #include "hw/boards.h"
diff --git a/hw/arm/mps2.c b/hw/arm/mps2.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/mps2.c
+++ b/hw/arm/mps2.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "qemu/error-report.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/armv7m.h"
 #include "hw/or-irq.h"
 #include "hw/boards.h"
diff --git a/hw/arm/msf2-soc.c b/hw/arm/msf2-soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/msf2-soc.c
+++ b/hw/arm/msf2-soc.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/units.h"
 #include "qapi/error.h"
 #include "qemu-common.h"
-#include "hw/arm/arm.h"
 #include "exec/address-spaces.h"
 #include "hw/char/serial.h"
 #include "hw/boards.h"
diff --git a/hw/arm/msf2-som.c b/hw/arm/msf2-som.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/msf2-som.c
+++ b/hw/arm/msf2-som.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/error.h"
 #include "qemu/error-report.h"
 #include "hw/boards.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "exec/address-spaces.h"
 #include "hw/arm/msf2-soc.h"
 #include "cpu.h"
diff --git a/hw/arm/musca.c b/hw/arm/musca.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/musca.c
+++ b/hw/arm/musca.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/error.h"
 #include "exec/address-spaces.h"
 #include "sysemu/sysemu.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/armsse.h"
 #include "hw/boards.h"
 #include "hw/char/pl011.h"
diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/musicpal.c
+++ b/hw/arm/musicpal.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu-common.h"
 #include "cpu.h"
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "net/net.h"
 #include "sysemu/sysemu.h"
 #include "hw/boards.h"
diff --git a/hw/arm/netduino2.c b/hw/arm/netduino2.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/netduino2.c
+++ b/hw/arm/netduino2.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/boards.h"
 #include "qemu/error-report.h"
 #include "hw/arm/stm32f205_soc.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 
 static void netduino2_init(MachineState *machine)
 {
diff --git a/hw/arm/nrf51_soc.c b/hw/arm/nrf51_soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/nrf51_soc.c
+++ b/hw/arm/nrf51_soc.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "qemu-common.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/sysbus.h"
 #include "hw/boards.h"
 #include "hw/misc/unimp.h"
diff --git a/hw/arm/nseries.c b/hw/arm/nseries.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/nseries.c
+++ b/hw/arm/nseries.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/bswap.h"
 #include "sysemu/sysemu.h"
 #include "hw/arm/omap.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/irq.h"
 #include "ui/console.h"
 #include "hw/boards.h"
diff --git a/hw/arm/omap1.c b/hw/arm/omap1.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/omap1.c
+++ b/hw/arm/omap1.c
@@ -XXX,XX +XXX,XX @@
 #include "cpu.h"
 #include "hw/boards.h"
 #include "hw/hw.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/omap.h"
 #include "sysemu/sysemu.h"
 #include "hw/arm/soc_dma.h"
diff --git a/hw/arm/omap2.c b/hw/arm/omap2.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/omap2.c
+++ b/hw/arm/omap2.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/qtest.h"
 #include "hw/boards.h"
 #include "hw/hw.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/omap.h"
 #include "sysemu/sysemu.h"
 #include "qemu/timer.h"
diff --git a/hw/arm/omap_sx1.c b/hw/arm/omap_sx1.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/omap_sx1.c
+++ b/hw/arm/omap_sx1.c
@@ -XXX,XX +XXX,XX @@
 #include "ui/console.h"
 #include "hw/arm/omap.h"
 #include "hw/boards.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/block/flash.h"
 #include "sysemu/qtest.h"
 #include "exec/address-spaces.h"
diff --git a/hw/arm/palm.c b/hw/arm/palm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/palm.c
+++ b/hw/arm/palm.c
@@ -XXX,XX +XXX,XX @@
 #include "ui/console.h"
 #include "hw/arm/omap.h"
 #include "hw/boards.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/input/tsc2xxx.h"
 #include "hw/loader.h"
 #include "exec/address-spaces.h"
diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/raspi.c
+++ b/hw/arm/raspi.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/error-report.h"
 #include "hw/boards.h"
 #include "hw/loader.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "sysemu/sysemu.h"
 
 #define SMPBOOT_ADDR    0x300 /* this should leave enough space for ATAGS */
diff --git a/hw/arm/realview.c b/hw/arm/realview.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/realview.c
+++ b/hw/arm/realview.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu-common.h"
 #include "cpu.h"
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/primecell.h"
 #include "hw/net/lan9118.h"
 #include "hw/net/smc91c111.h"
diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/spitz.c
+++ b/hw/arm/spitz.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/error.h"
 #include "hw/hw.h"
 #include "hw/arm/pxa.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "sysemu/sysemu.h"
 #include "hw/pcmcia.h"
 #include "hw/i2c/i2c.h"
diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/stellaris.c
+++ b/hw/arm/stellaris.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/error.h"
 #include "hw/sysbus.h"
 #include "hw/ssi/ssi.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "qemu/timer.h"
 #include "hw/i2c/i2c.h"
 #include "net/net.h"
diff --git a/hw/arm/stm32f205_soc.c b/hw/arm/stm32f205_soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/stm32f205_soc.c
+++ b/hw/arm/stm32f205_soc.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "qemu-common.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "exec/address-spaces.h"
 #include "hw/arm/stm32f205_soc.h"
 
diff --git a/hw/arm/strongarm.c b/hw/arm/strongarm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/strongarm.c
+++ b/hw/arm/strongarm.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/sysbus.h"
 #include "strongarm.h"
 #include "qemu/error-report.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "chardev/char-fe.h"
 #include "chardev/char-serial.h"
 #include "sysemu/sysemu.h"
diff --git a/hw/arm/tosa.c b/hw/arm/tosa.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/tosa.c
+++ b/hw/arm/tosa.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/error.h"
 #include "hw/hw.h"
 #include "hw/arm/pxa.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/sharpsl.h"
 #include "hw/pcmcia.h"
 #include "hw/boards.h"
diff --git a/hw/arm/versatilepb.c b/hw/arm/versatilepb.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/versatilepb.c
+++ b/hw/arm/versatilepb.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu-common.h"
 #include "cpu.h"
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/net/smc91c111.h"
 #include "net/net.h"
 #include "sysemu/sysemu.h"
diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/vexpress.c
+++ b/hw/arm/vexpress.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu-common.h"
 #include "cpu.h"
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/primecell.h"
 #include "hw/net/lan9118.h"
 #include "hw/i2c/i2c.h"
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/option.h"
 #include "qapi/error.h"
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/primecell.h"
 #include "hw/arm/virt.h"
 #include "hw/block/flash.h"
diff --git a/hw/arm/xilinx_zynq.c b/hw/arm/xilinx_zynq.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xilinx_zynq.c
+++ b/hw/arm/xilinx_zynq.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu-common.h"
 #include "cpu.h"
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "net/net.h"
 #include "exec/address-spaces.h"
 #include "sysemu/sysemu.h"
diff --git a/hw/arm/xlnx-versal.c b/hw/arm/xlnx-versal.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xlnx-versal.c
+++ b/hw/arm/xlnx-versal.c
@@ -XXX,XX +XXX,XX @@
 #include "net/net.h"
 #include "sysemu/sysemu.h"
 #include "sysemu/kvm.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "kvm_arm.h"
 #include "hw/misc/unimp.h"
 #include "hw/intc/arm_gicv3_common.h"
diff --git a/hw/arm/z2.c b/hw/arm/z2.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/z2.c
+++ b/hw/arm/z2.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "hw/hw.h"
 #include "hw/arm/pxa.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/i2c/i2c.h"
 #include "hw/ssi/ssi.h"
 #include "hw/boards.h"
-- 
2.20.1

In ich_vmcr_write() we enforce "writes of BPR fields to less than
their minimum sets them to the minimum" by doing a "read vbpr and
write it back" operation.  A typo here meant that we weren't handling
writes to these fields correctly, because we were reading from VBPR0
but writing to VBPR1.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190520162809.2677-4-peter.maydell@linaro.org
---
 hw/intc/arm_gicv3_cpuif.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

The ICC_CTLR_EL3 register includes some bits which are aliases
of bits in the ICC_CTLR_EL1(S) and (NS) registers. QEMU chooses
to keep those bits in the cs->icc_ctlr_el1[] struct fields.
Unfortunately a missing '~' in the code to update the bits
in those fields meant that writing to ICC_CTLR_EL3 would corrupt
the ICC_CLTR_EL1 register values.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190520162809.2677-5-peter.maydell@linaro.org
---
 hw/intc/arm_gicv3_cpuif.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_cpuif.c
+++ b/hw/intc/arm_gicv3_cpuif.c
@@ -XXX,XX +XXX,XX @@ static void icc_ctlr_el3_write(CPUARMState *env, const ARMCPRegInfo *ri,
     trace_gicv3_icc_ctlr_el3_write(gicv3_redist_affid(cs), value);
 
     /* *_EL1NS and *_EL1S bits are aliases into the ICC_CTLR_EL1 bits. */
-    cs->icc_ctlr_el1[GICV3_NS] &= (ICC_CTLR_EL1_CBPR | ICC_CTLR_EL1_EOIMODE);
+    cs->icc_ctlr_el1[GICV3_NS] &= ~(ICC_CTLR_EL1_CBPR | ICC_CTLR_EL1_EOIMODE);
     if (value & ICC_CTLR_EL3_EOIMODE_EL1NS) {
         cs->icc_ctlr_el1[GICV3_NS] |= ICC_CTLR_EL1_EOIMODE;
     }
@@ -XXX,XX +XXX,XX @@ static void icc_ctlr_el3_write(CPUARMState *env, const ARMCPRegInfo *ri,
         cs->icc_ctlr_el1[GICV3_NS] |= ICC_CTLR_EL1_CBPR;
     }
 
-    cs->icc_ctlr_el1[GICV3_S] &= (ICC_CTLR_EL1_CBPR | ICC_CTLR_EL1_EOIMODE);
+    cs->icc_ctlr_el1[GICV3_S] &= ~(ICC_CTLR_EL1_CBPR | ICC_CTLR_EL1_EOIMODE);
     if (value & ICC_CTLR_EL3_EOIMODE_EL1S) {
         cs->icc_ctlr_el1[GICV3_S] |= ICC_CTLR_EL1_EOIMODE;
     }
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20190520214342.13709-2-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/exynos4_boards.c | 24 ------------------------
 1 file changed, 24 deletions(-)

diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/exynos4_boards.c
+++ b/hw/arm/exynos4_boards.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/net/lan9118.h"
 #include "hw/boards.h"
 
-#undef DEBUG
-
-//#define DEBUG
-
-#ifdef DEBUG
-    #undef PRINT_DEBUG
-    #define  PRINT_DEBUG(fmt, args...) \
-        do { \
-            fprintf(stderr, "  [%s:%d]   "fmt, __func__, __LINE__, ##args); \
-        } while (0)
-#else
-    #define  PRINT_DEBUG(fmt, args...)  do {} while (0)
-#endif
-
 #define SMDK_LAN9118_BASE_ADDR      0x05000000
 
 typedef enum Exynos4BoardType {
@@ -XXX,XX +XXX,XX @@ exynos4_boards_init_common(MachineState *machine,
     exynos4_board_binfo.gic_cpu_if_addr =
             EXYNOS4210_SMP_PRIVATE_BASE_ADDR + 0x100;
 
-    PRINT_DEBUG("\n ram_size: %luMiB [0x%08lx]\n"
-            " kernel_filename: %s\n"
-            " kernel_cmdline: %s\n"
-            " initrd_filename: %s\n",
-            exynos4_board_ram_size[board_type] / 1048576,
-            exynos4_board_ram_size[board_type],
-            machine->kernel_filename,
-            machine->kernel_cmdline,
-            machine->initrd_filename);
-
     exynos4_boards_init_ram(s, get_system_memory(),
                             exynos4_board_ram_size[board_type]);
 
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

It eases code review, unit is explicit.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20190520214342.13709-3-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/exynos4_boards.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/exynos4_boards.c
+++ b/hw/arm/exynos4_boards.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/units.h"
 #include "qapi/error.h"
 #include "qemu/error-report.h"
 #include "qemu-common.h"
@@ -XXX,XX +XXX,XX @@ static int exynos4_board_smp_bootreg_addr[EXYNOS4_NUM_OF_BOARDS] = {
 };
 
 static unsigned long exynos4_board_ram_size[EXYNOS4_NUM_OF_BOARDS] = {
-    [EXYNOS4_BOARD_NURI]     = 0x40000000,
-    [EXYNOS4_BOARD_SMDKC210] = 0x40000000,
+    [EXYNOS4_BOARD_NURI]     = 1 * GiB,
+    [EXYNOS4_BOARD_SMDKC210] = 1 * GiB,
 };
 
 static struct arm_boot_info exynos4_board_binfo = {
-- 
2.20.1

From: Guenter Roeck <linux@roeck-us.net>

QEMU already supports pl330. Instantiate it for Exynos4210.

Relevant part of Linux arch/arm/boot/dts/exynos4.dtsi:

/ {
    soc: soc {
        amba {
            pdma0: pdma@12680000 {
                compatible = "arm,pl330", "arm,primecell";
                reg = <0x12680000 0x1000>;
                interrupts = <GIC_SPI 35 IRQ_TYPE_LEVEL_HIGH>;
                clocks = <&clock CLK_PDMA0>;
                clock-names = "apb_pclk";
                #dma-cells = <1>;
                #dma-channels = <8>;
                #dma-requests = <32>;
            };
            pdma1: pdma@12690000 {
                compatible = "arm,pl330", "arm,primecell";
                reg = <0x12690000 0x1000>;
                interrupts = <GIC_SPI 36 IRQ_TYPE_LEVEL_HIGH>;
                clocks = <&clock CLK_PDMA1>;
                clock-names = "apb_pclk";
                #dma-cells = <1>;
                #dma-channels = <8>;
                #dma-requests = <32>;
            };
            mdma1: mdma@12850000 {
                compatible = "arm,pl330", "arm,primecell";
                reg = <0x12850000 0x1000>;
                interrupts = <GIC_SPI 34 IRQ_TYPE_LEVEL_HIGH>;
                clocks = <&clock CLK_MDMA>;
                clock-names = "apb_pclk";
                #dma-cells = <1>;
                #dma-channels = <8>;
                #dma-requests = <1>;
            };
        };
    };
};

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190520214342.13709-4-philmd@redhat.com
[PMD: Do not set default qdev properties, create the controllers in the SoC
      rather than the board (Peter Maydell), add dtsi in commit message]
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/exynos4210.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/hw/arm/exynos4210.c b/hw/arm/exynos4210.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/exynos4210.c
+++ b/hw/arm/exynos4210.c
@@ -XXX,XX +XXX,XX @@
 /* EHCI */
 #define EXYNOS4210_EHCI_BASE_ADDR           0x12580000
 
+/* DMA */
+#define EXYNOS4210_PL330_BASE0_ADDR         0x12680000
+#define EXYNOS4210_PL330_BASE1_ADDR         0x12690000
+#define EXYNOS4210_PL330_BASE2_ADDR         0x12850000
+
 static uint8_t chipid_and_omr[] = { 0x11, 0x02, 0x21, 0x43,
                                     0x09, 0x00, 0x00, 0x00 };
 
@@ -XXX,XX +XXX,XX @@ static uint64_t exynos4210_calc_affinity(int cpu)
     return (0x9 << ARM_AFF1_SHIFT) | cpu;
 }
 
+static void pl330_create(uint32_t base, qemu_irq irq, int nreq)
+{
+    SysBusDevice *busdev;
+    DeviceState *dev;
+
+    dev = qdev_create(NULL, "pl330");
+    qdev_prop_set_uint8(dev, "num_periph_req",  nreq);
+    qdev_init_nofail(dev);
+    busdev = SYS_BUS_DEVICE(dev);
+    sysbus_mmio_map(busdev, 0, base);
+    sysbus_connect_irq(busdev, 0, irq);
+}
+
 Exynos4210State *exynos4210_init(MemoryRegion *system_mem)
 {
     Exynos4210State *s = g_new0(Exynos4210State, 1);
@@ -XXX,XX +XXX,XX @@ Exynos4210State *exynos4210_init(MemoryRegion *system_mem)
     sysbus_create_simple(TYPE_EXYNOS4210_EHCI, EXYNOS4210_EHCI_BASE_ADDR,
             s->irq_table[exynos4210_get_irq(28, 3)]);
 
+    /*** DMA controllers ***/
+    pl330_create(EXYNOS4210_PL330_BASE0_ADDR,
+                 qemu_irq_invert(s->irq_table[exynos4210_get_irq(35, 1)]), 32);
+    pl330_create(EXYNOS4210_PL330_BASE1_ADDR,
+                 qemu_irq_invert(s->irq_table[exynos4210_get_irq(36, 1)]), 32);
+    pl330_create(EXYNOS4210_PL330_BASE2_ADDR,
+                 qemu_irq_invert(s->irq_table[exynos4210_get_irq(34, 1)]), 1);
+
     return s;
 }
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20190520214342.13709-5-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/exynos4210.h |  9 +++++++--
 hw/arm/exynos4210.c         | 28 ++++++++++++++++++++++++----
 hw/arm/exynos4_boards.c     |  9 ++++++---
 3 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/include/hw/arm/exynos4210.h b/include/hw/arm/exynos4210.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/exynos4210.h
+++ b/include/hw/arm/exynos4210.h
@@ -XXX,XX +XXX,XX @@ typedef struct Exynos4210Irq {
 } Exynos4210Irq;
 
 typedef struct Exynos4210State {
+    /*< private >*/
+    SysBusDevice parent_obj;
+    /*< public >*/
     ARMCPU *cpu[EXYNOS4210_NCPUS];
     Exynos4210Irq irqs;
     qemu_irq *irq_table;
@@ -XXX,XX +XXX,XX @@ typedef struct Exynos4210State {
     I2CBus *i2c_if[EXYNOS4210_I2C_NUMBER];
 } Exynos4210State;
 
+#define TYPE_EXYNOS4210_SOC "exynos4210"
+#define EXYNOS4210_SOC(obj) \
+    OBJECT_CHECK(Exynos4210State, obj, TYPE_EXYNOS4210_SOC)
+
 void exynos4210_write_secondary(ARMCPU *cpu,
         const struct arm_boot_info *info);
 
-Exynos4210State *exynos4210_init(MemoryRegion *system_mem);
-
 /* Initialize exynos4210 IRQ subsystem stub */
 qemu_irq *exynos4210_init_irq(Exynos4210Irq *env);
 
diff --git a/hw/arm/exynos4210.c b/hw/arm/exynos4210.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/exynos4210.c
+++ b/hw/arm/exynos4210.c
@@ -XXX,XX +XXX,XX @@ static void pl330_create(uint32_t base, qemu_irq irq, int nreq)
     sysbus_connect_irq(busdev, 0, irq);
 }
 
-Exynos4210State *exynos4210_init(MemoryRegion *system_mem)
+static void exynos4210_realize(DeviceState *socdev, Error **errp)
 {
-    Exynos4210State *s = g_new0(Exynos4210State, 1);
+    Exynos4210State *s = EXYNOS4210_SOC(socdev);
+    MemoryRegion *system_mem = get_system_memory();
     qemu_irq gate_irq[EXYNOS4210_NCPUS][EXYNOS4210_IRQ_GATE_NINPUTS];
     SysBusDevice *busdev;
     DeviceState *dev;
@@ -XXX,XX +XXX,XX @@ Exynos4210State *exynos4210_init(MemoryRegion *system_mem)
                  qemu_irq_invert(s->irq_table[exynos4210_get_irq(36, 1)]), 32);
     pl330_create(EXYNOS4210_PL330_BASE2_ADDR,
                  qemu_irq_invert(s->irq_table[exynos4210_get_irq(34, 1)]), 1);
-
-    return s;
 }
+
+static void exynos4210_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+
+    dc->realize = exynos4210_realize;
+}
+
+static const TypeInfo exynos4210_info = {
+    .name = TYPE_EXYNOS4210_SOC,
+    .parent = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(Exynos4210State),
+    .class_init = exynos4210_class_init,
+};
+
+static void exynos4210_register_types(void)
+{
+    type_register_static(&exynos4210_info);
+}
+
+type_init(exynos4210_register_types)
diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/exynos4_boards.c
+++ b/hw/arm/exynos4_boards.c
@@ -XXX,XX +XXX,XX @@ typedef enum Exynos4BoardType {
 } Exynos4BoardType;
 
 typedef struct Exynos4BoardState {
-    Exynos4210State *soc;
+    Exynos4210State soc;
     MemoryRegion dram0_mem;
     MemoryRegion dram1_mem;
 } Exynos4BoardState;
@@ -XXX,XX +XXX,XX @@ exynos4_boards_init_common(MachineState *machine,
     exynos4_boards_init_ram(s, get_system_memory(),
                             exynos4_board_ram_size[board_type]);
 
-    s->soc = exynos4210_init(get_system_memory());
+    object_initialize(&s->soc, sizeof(s->soc), TYPE_EXYNOS4210_SOC);
+    qdev_set_parent_bus(DEVICE(&s->soc), sysbus_get_default());
+    object_property_set_bool(OBJECT(&s->soc), true, "realized",
+                             &error_fatal);
 
     return s;
 }
@@ -XXX,XX +XXX,XX @@ static void smdkc210_init(MachineState *machine)
                                                       EXYNOS4_BOARD_SMDKC210);
 
     lan9215_init(SMDK_LAN9118_BASE_ADDR,
-            qemu_irq_invert(s->soc->irq_table[exynos4210_get_irq(37, 1)]));
+            qemu_irq_invert(s->soc.irq_table[exynos4210_get_irq(37, 1)]));
     arm_load_kernel(ARM_CPU(first_cpu), &exynos4_board_binfo);
 }
 
-- 
2.20.1