[Qemu-devel] [PULL 00/13] target-arm queue
[PULL 0/9] target-arm queue
1
target-arm queue:
1
Arm queue; bugfixes only.
2
* mostly my latest v8M stuff, plus a couple of minor patches
3
2
4
The following changes since commit a0b261db8c030813e30a39eae47359ac2a37f7e2:
3
thanks
4
-- PMM
5
5
6
Merge remote-tracking branch 'remotes/ehabkost/tags/python-next-pull-request' into staging (2017-10-12 10:02:09 +0100)
6
The following changes since commit 48aa8f0ac536db3550a35c295ff7de94e4c33739:
7
7
8
are available in the git repository at:
8
Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2020-11-16' into staging (2020-11-17 11:07:00 +0000)
9
9
10
git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20171012
10
are available in the Git repository at:
11
11
12
for you to fetch changes up to cf5f7937b05c84d5565134f058c00cd48304a117:
12
https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20201117
13
13
14
nvic: Fix miscalculation of offsets into ITNS array (2017-10-12 16:33:16 +0100)
14
for you to fetch changes up to ab135622cf478585bdfcb68b85e4a817d74a0c42:
15
16
tmp105: Correct handling of temperature limit checks (2020-11-17 12:56:33 +0000)
15
17
16
----------------------------------------------------------------
18
----------------------------------------------------------------
17
target-arm queue:
19
target-arm queue:
18
* v8M: SG, BLXNS, secure-return
20
* hw/arm/virt: ARM_VIRT must select ARM_GIC
19
* v8M: fixes for coverity issues in previous patches
21
* exynos: Fix bad printf format specifiers
20
* arm: fix armv7m_init() declaration to match definition
22
* hw/input/ps2.c: Remove remnants of printf debug
21
* watchdog/aspeed: fix variable type to store reload value
23
* target/openrisc: Remove dead code attempting to check "is timer disabled"
24
* register: Remove unnecessary NULL check
25
* util/cutils: Fix Coverity array overrun in freq_to_str()
26
* configure: Make "does libgio work" test pull in some actual functions
27
* tmp105: reset the T_low and T_High registers
28
* tmp105: Correct handling of temperature limit checks
22
29
23
----------------------------------------------------------------
30
----------------------------------------------------------------
24
Cédric Le Goater (1):
31
Alex Chen (1):
25
watchdog/aspeed: fix variable type to store reload value
32
exynos: Fix bad printf format specifiers
26
33
27
Igor Mammedov (1):
34
Alistair Francis (1):
28
arm: fix armv7m_init() declaration to match definition
35
register: Remove unnecessary NULL check
29
36
30
Peter Maydell (11):
37
Andrew Jones (1):
31
target/arm: Add M profile secure MMU index values to get_a32_user_mem_index()
38
hw/arm/virt: ARM_VIRT must select ARM_GIC
32
target/arm: Implement SG instruction
33
target/arm: Implement BLXNS
34
target/arm: Implement secure function return
35
target-arm: Don't check for "Thumb2 or M profile" for not-Thumb1
36
target/arm: Pull Thumb insn word loads up to top level
37
target-arm: Simplify insn_crosses_page()
38
target/arm: Support some Thumb insns being always unconditional
39
target/arm: Implement SG instruction corner cases
40
nvic: Add missing 'break'
41
nvic: Fix miscalculation of offsets into ITNS array
42
39
43
include/hw/arm/arm.h | 2 +-
40
Peter Maydell (5):
44
target/arm/helper.h | 1 +
41
hw/input/ps2.c: Remove remnants of printf debug
45
target/arm/internals.h | 8 ++
42
target/openrisc: Remove dead code attempting to check "is timer disabled"
46
hw/intc/armv7m_nvic.c | 5 +-
43
configure: Make "does libgio work" test pull in some actual functions
47
hw/watchdog/wdt_aspeed.c | 4 +-
44
hw/misc/tmp105: reset the T_low and T_High registers
48
target/arm/helper.c | 306 ++++++++++++++++++++++++++++++++++++++++++++--
45
tmp105: Correct handling of temperature limit checks
49
target/arm/translate.c | 310 ++++++++++++++++++++++++++++++++---------------
50
7 files changed, 521 insertions(+), 115 deletions(-)
51
46
47
Philippe Mathieu-Daudé (1):
48
util/cutils: Fix Coverity array overrun in freq_to_str()
49
50
configure | 11 +++++--
51
hw/misc/tmp105.h | 7 +++++
52
hw/core/register.c | 4 ---
53
hw/input/ps2.c | 9 ------
54
hw/misc/tmp105.c | 73 ++++++++++++++++++++++++++++++++++++++------
55
hw/timer/exynos4210_mct.c | 4 +--
56
hw/timer/exynos4210_pwm.c | 8 ++---
57
target/openrisc/sys_helper.c | 3 --
58
util/cutils.c | 3 +-
59
hw/arm/Kconfig | 1 +
60
10 files changed, 89 insertions(+), 34 deletions(-)
61
diff view generated by jsdifflib
[Qemu-devel] [PULL 12/13] nvic: Add missing 'break'
[PULL 1/9] hw/arm/virt: ARM_VIRT must select ARM_GIC
1
Coverity points out that we forgot the 'break' for
1
From: Andrew Jones <drjones@redhat.com>
2
the SAU_CTRL write case (CID1381683). This has
3
no actual visible consequences because it happens
4
that the following case is effectively a no-op.
5
2
3
The removal of the selection of A15MPCORE from ARM_VIRT also
4
removed what A15MPCORE selects, ARM_GIC. We still need ARM_GIC.
5
6
Fixes: bec3c97e0cf9 ("hw/arm/virt: Remove dependency on Cortex-A15 MPCore peripherals")
7
Reported-by: Miroslav Rezanina <mrezanin@redhat.com>
8
Signed-off-by: Andrew Jones <drjones@redhat.com>
9
Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
10
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
11
Message-id: 20201111143440.112763-1-drjones@redhat.com
6
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
12
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
8
Message-id: 1507742676-9908-1-git-send-email-peter.maydell@linaro.org
9
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
10
---
13
---
11
hw/intc/armv7m_nvic.c | 1 +
14
hw/arm/Kconfig | 1 +
12
1 file changed, 1 insertion(+)
15
1 file changed, 1 insertion(+)
13
16
14
diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
17
diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
15
index XXXXXXX..XXXXXXX 100644
18
index XXXXXXX..XXXXXXX 100644
16
--- a/hw/intc/armv7m_nvic.c
19
--- a/hw/arm/Kconfig
17
+++ b/hw/intc/armv7m_nvic.c
20
+++ b/hw/arm/Kconfig
18
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
21
@@ -XXX,XX +XXX,XX @@ config ARM_VIRT
19
return;
22
imply VFIO_PLATFORM
20
}
23
imply VFIO_XGMAC
21
cpu->env.sau.ctrl = value & 3;
24
imply TPM_TIS_SYSBUS
22
+ break;
25
+ select ARM_GIC
23
case 0xdd4: /* SAU_TYPE */
26
select ACPI
24
if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
27
select ARM_SMMUV3
25
goto bad_offset;
28
select GPIO_KEY
26
--
29
--
27
2.7.4
30
2.20.1
28
31
29
32
diff view generated by jsdifflib
[Qemu-devel] [PULL 08/13] target/arm: Pull Thumb insn word loads up to top level
[PULL 2/9] exynos: Fix bad printf format specifiers
1
Refactor the Thumb decode to do the loads of the instruction words at
1
From: Alex Chen <alex.chen@huawei.com>
2
the top level rather than only loading the second half of a 32-bit
3
Thumb insn in the middle of the decode.
4
2
5
This is simple apart from the awkward case of Thumb1, where the
3
We should use printf format specifier "%u" instead of "%d" for
6
BL/BLX prefix and suffix instructions live in what in Thumb2 is the
4
argument of type "unsigned int".
7
32-bit insn space. To handle these we decode enough to identify
8
whether we're looking at a prefix/suffix that we handle as a 16 bit
9
insn, or a prefix that we're going to merge with the following suffix
10
to consider as a 32 bit insn. The translation of the 16 bit cases
11
then moves from disas_thumb2_insn() to disas_thumb_insn().
12
5
13
The refactoring has the benefit that we don't need to pass the
6
Reported-by: Euler Robot <euler.robot@huawei.com>
14
CPUARMState* down into the decoder code any more, but the major
7
Signed-off-by: Alex Chen <alex.chen@huawei.com>
15
reason for doing this is that some Thumb instructions must be always
8
Message-id: 20201111073651.72804-1-alex.chen@huawei.com
16
unconditional regardless of the IT state bits, so we need to know the
9
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
17
whole insn before we emit the "skip this insn if the IT bits and cond
10
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
18
state tell us to" code. (The always unconditional insns are BKPT,
11
---
19
HLT and SG; the last of these is 32 bits.)
12
hw/timer/exynos4210_mct.c | 4 ++--
13
hw/timer/exynos4210_pwm.c | 8 ++++----
14
2 files changed, 6 insertions(+), 6 deletions(-)
20
15
21
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
16
diff --git a/hw/timer/exynos4210_mct.c b/hw/timer/exynos4210_mct.c
22
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
23
Message-id: 1507556919-24992-7-git-send-email-peter.maydell@linaro.org
24
---
25
target/arm/translate.c | 178 ++++++++++++++++++++++++++++++-------------------
26
1 file changed, 108 insertions(+), 70 deletions(-)
27
28
diff --git a/target/arm/translate.c b/target/arm/translate.c
29
index XXXXXXX..XXXXXXX 100644
17
index XXXXXXX..XXXXXXX 100644
30
--- a/target/arm/translate.c
18
--- a/hw/timer/exynos4210_mct.c
31
+++ b/target/arm/translate.c
19
+++ b/hw/timer/exynos4210_mct.c
32
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
20
@@ -XXX,XX +XXX,XX @@ static void exynos4210_gcomp_raise_irq(void *opaque, uint32_t id)
21
/* If CSTAT is pending and IRQ is enabled */
22
if ((s->reg.int_cstat & G_INT_CSTAT_COMP(id)) &&
23
(s->reg.int_enb & G_INT_ENABLE(id))) {
24
- DPRINTF("gcmp timer[%d] IRQ\n", id);
25
+ DPRINTF("gcmp timer[%u] IRQ\n", id);
26
qemu_irq_raise(s->irq[id]);
33
}
27
}
34
}
28
}
35
29
@@ -XXX,XX +XXX,XX @@ static void exynos4210_mct_update_freq(Exynos4210MCTState *s)
36
+static bool thumb_insn_is_16bit(DisasContext *s, uint32_t insn)
30
MCT_CFG_GET_DIVIDER(s->reg_mct_cfg));
37
+{
31
38
+ /* Return true if this is a 16 bit instruction. We must be precise
32
if (freq != s->freq) {
39
+ * about this (matching the decode). We assume that s->pc still
33
- DPRINTF("freq=%dHz\n", s->freq);
40
+ * points to the first 16 bits of the insn.
34
+ DPRINTF("freq=%uHz\n", s->freq);
41
+ */
35
42
+ if ((insn >> 11) < 0x1d) {
36
/* global timer */
43
+ /* Definitely a 16-bit instruction */
37
tx_ptimer_set_freq(s->g_timer.ptimer_frc, s->freq);
44
+ return true;
38
diff --git a/hw/timer/exynos4210_pwm.c b/hw/timer/exynos4210_pwm.c
45
+ }
39
index XXXXXXX..XXXXXXX 100644
46
+
40
--- a/hw/timer/exynos4210_pwm.c
47
+ /* Top five bits 0b11101 / 0b11110 / 0b11111 : this is the
41
+++ b/hw/timer/exynos4210_pwm.c
48
+ * first half of a 32-bit Thumb insn. Thumb-1 cores might
42
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_update_freq(Exynos4210PWMState *s, uint32_t id)
49
+ * end up actually treating this as two 16-bit insns, though,
43
50
+ * if it's half of a bl/blx pair that might span a page boundary.
44
if (freq != s->timer[id].freq) {
51
+ */
45
ptimer_set_freq(s->timer[id].ptimer, s->timer[id].freq);
52
+ if (arm_dc_feature(s, ARM_FEATURE_THUMB2)) {
46
- DPRINTF("freq=%dHz\n", s->timer[id].freq);
53
+ /* Thumb2 cores (including all M profile ones) always treat
47
+ DPRINTF("freq=%uHz\n", s->timer[id].freq);
54
+ * 32-bit insns as 32-bit.
55
+ */
56
+ return false;
57
+ }
58
+
59
+ if ((insn >> 11) == 0x1e && (s->pc < s->next_page_start - 3)) {
60
+ /* 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix, and the suffix
61
+ * is not on the next page; we merge this into a 32-bit
62
+ * insn.
63
+ */
64
+ return false;
65
+ }
66
+ /* 0b1110_1xxx_xxxx_xxxx : BLX suffix (or UNDEF);
67
+ * 0b1111_1xxx_xxxx_xxxx : BL suffix;
68
+ * 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix on the end of a page
69
+ * -- handle as single 16 bit insn
70
+ */
71
+ return true;
72
+}
73
+
74
/* Return true if this is a Thumb-2 logical op. */
75
static int
76
thumb2_logic_op(int op)
77
@@ -XXX,XX +XXX,XX @@ gen_thumb2_data_op(DisasContext *s, int op, int conds, uint32_t shifter_out,
78
79
/* Translate a 32-bit thumb instruction. Returns nonzero if the instruction
80
is not legal. */
81
-static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw1)
82
+static int disas_thumb2_insn(DisasContext *s, uint32_t insn)
83
{
84
- uint32_t insn, imm, shift, offset;
85
+ uint32_t imm, shift, offset;
86
uint32_t rd, rn, rm, rs;
87
TCGv_i32 tmp;
88
TCGv_i32 tmp2;
89
@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
90
int conds;
91
int logic_cc;
92
93
- if (!arm_dc_feature(s, ARM_FEATURE_THUMB2)) {
94
- /* Thumb-1 cores may need to treat bl and blx as a pair of
95
- 16-bit instructions to get correct prefetch abort behavior. */
96
- insn = insn_hw1;
97
- if ((insn & (1 << 12)) == 0) {
98
- ARCH(5);
99
- /* Second half of blx. */
100
- offset = ((insn & 0x7ff) << 1);
101
- tmp = load_reg(s, 14);
102
- tcg_gen_addi_i32(tmp, tmp, offset);
103
- tcg_gen_andi_i32(tmp, tmp, 0xfffffffc);
104
-
105
- tmp2 = tcg_temp_new_i32();
106
- tcg_gen_movi_i32(tmp2, s->pc | 1);
107
- store_reg(s, 14, tmp2);
108
- gen_bx(s, tmp);
109
- return 0;
110
- }
111
- if (insn & (1 << 11)) {
112
- /* Second half of bl. */
113
- offset = ((insn & 0x7ff) << 1) | 1;
114
- tmp = load_reg(s, 14);
115
- tcg_gen_addi_i32(tmp, tmp, offset);
116
-
117
- tmp2 = tcg_temp_new_i32();
118
- tcg_gen_movi_i32(tmp2, s->pc | 1);
119
- store_reg(s, 14, tmp2);
120
- gen_bx(s, tmp);
121
- return 0;
122
- }
123
- if ((s->pc & ~TARGET_PAGE_MASK) == 0) {
124
- /* Instruction spans a page boundary. Implement it as two
125
- 16-bit instructions in case the second half causes an
126
- prefetch abort. */
127
- offset = ((int32_t)insn << 21) >> 9;
128
- tcg_gen_movi_i32(cpu_R[14], s->pc + 2 + offset);
129
- return 0;
130
- }
131
- /* Fall through to 32-bit decode. */
132
- }
133
-
134
- insn = arm_lduw_code(env, s->pc, s->sctlr_b);
135
- s->pc += 2;
136
- insn |= (uint32_t)insn_hw1 << 16;
137
-
138
+ /* The only 32 bit insn that's allowed for Thumb1 is the combined
139
+ * BL/BLX prefix and suffix.
140
+ */
141
if ((insn & 0xf800e800) != 0xf000e800) {
142
ARCH(6T2);
143
}
48
}
144
@@ -XXX,XX +XXX,XX @@ illegal_op:
145
return 1;
146
}
49
}
147
50
148
-static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
51
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_tick(void *opaque)
149
+static void disas_thumb_insn(DisasContext *s, uint32_t insn)
52
uint32_t id = s->id;
150
{
53
bool cmp;
151
- uint32_t val, insn, op, rm, rn, rd, shift, cond;
54
152
+ uint32_t val, op, rm, rn, rd, shift, cond;
55
- DPRINTF("timer %d tick\n", id);
153
int32_t offset;
56
+ DPRINTF("timer %u tick\n", id);
154
int i;
57
155
TCGv_i32 tmp;
58
/* set irq status */
156
TCGv_i32 tmp2;
59
p->reg_tint_cstat |= TINT_CSTAT_STATUS(id);
157
TCGv_i32 addr;
60
158
61
/* raise IRQ */
159
- if (s->condexec_mask) {
62
if (p->reg_tint_cstat & TINT_CSTAT_ENABLE(id)) {
160
- cond = s->condexec_cond;
63
- DPRINTF("timer %d IRQ\n", id);
161
- if (cond != 0x0e) { /* Skip conditional when condition is AL. */
64
+ DPRINTF("timer %u IRQ\n", id);
162
- s->condlabel = gen_new_label();
65
qemu_irq_raise(p->timer[id].irq);
163
- arm_gen_test_cc(cond ^ 1, s->condlabel);
164
- s->condjmp = 1;
165
- }
166
- }
167
-
168
- insn = arm_lduw_code(env, s->pc, s->sctlr_b);
169
- s->pc += 2;
170
-
171
switch (insn >> 12) {
172
case 0: case 1:
173
174
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
175
176
case 14:
177
if (insn & (1 << 11)) {
178
- if (disas_thumb2_insn(env, s, insn))
179
- goto undef32;
180
+ /* thumb_insn_is_16bit() ensures we can't get here for
181
+ * a Thumb2 CPU, so this must be a thumb1 split BL/BLX:
182
+ * 0b1110_1xxx_xxxx_xxxx : BLX suffix (or UNDEF)
183
+ */
184
+ assert(!arm_dc_feature(s, ARM_FEATURE_THUMB2));
185
+ ARCH(5);
186
+ offset = ((insn & 0x7ff) << 1);
187
+ tmp = load_reg(s, 14);
188
+ tcg_gen_addi_i32(tmp, tmp, offset);
189
+ tcg_gen_andi_i32(tmp, tmp, 0xfffffffc);
190
+
191
+ tmp2 = tcg_temp_new_i32();
192
+ tcg_gen_movi_i32(tmp2, s->pc | 1);
193
+ store_reg(s, 14, tmp2);
194
+ gen_bx(s, tmp);
195
break;
196
}
197
/* unconditional branch */
198
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
199
break;
200
201
case 15:
202
- if (disas_thumb2_insn(env, s, insn))
203
- goto undef32;
204
+ /* thumb_insn_is_16bit() ensures we can't get here for
205
+ * a Thumb2 CPU, so this must be a thumb1 split BL/BLX.
206
+ */
207
+ assert(!arm_dc_feature(s, ARM_FEATURE_THUMB2));
208
+
209
+ if (insn & (1 << 11)) {
210
+ /* 0b1111_1xxx_xxxx_xxxx : BL suffix */
211
+ offset = ((insn & 0x7ff) << 1) | 1;
212
+ tmp = load_reg(s, 14);
213
+ tcg_gen_addi_i32(tmp, tmp, offset);
214
+
215
+ tmp2 = tcg_temp_new_i32();
216
+ tcg_gen_movi_i32(tmp2, s->pc | 1);
217
+ store_reg(s, 14, tmp2);
218
+ gen_bx(s, tmp);
219
+ } else {
220
+ /* 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix */
221
+ uint32_t uoffset = ((int32_t)insn << 21) >> 9;
222
+
223
+ tcg_gen_movi_i32(cpu_R[14], s->pc + 2 + uoffset);
224
+ }
225
break;
226
}
66
}
227
return;
67
228
-undef32:
68
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_tick(void *opaque)
229
- gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
230
- default_exception_el(s));
231
- return;
232
illegal_op:
233
undef:
234
gen_exception_insn(s, 2, EXCP_UDEF, syn_uncategorized(),
235
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
236
{
237
DisasContext *dc = container_of(dcbase, DisasContext, base);
238
CPUARMState *env = cpu->env_ptr;
239
+ uint32_t insn;
240
+ bool is_16bit;
241
242
if (arm_pre_translate_insn(dc)) {
243
return;
244
}
69
}
245
70
246
- disas_thumb_insn(env, dc);
71
if (cmp) {
247
+ insn = arm_lduw_code(env, dc->pc, dc->sctlr_b);
72
- DPRINTF("auto reload timer %d count to %x\n", id,
248
+ is_16bit = thumb_insn_is_16bit(dc, insn);
73
+ DPRINTF("auto reload timer %u count to %x\n", id,
249
+ dc->pc += 2;
74
p->timer[id].reg_tcntb);
250
+ if (!is_16bit) {
75
ptimer_set_count(p->timer[id].ptimer, p->timer[id].reg_tcntb);
251
+ uint32_t insn2 = arm_lduw_code(env, dc->pc, dc->sctlr_b);
76
ptimer_run(p->timer[id].ptimer, 1);
252
+
253
+ insn = insn << 16 | insn2;
254
+ dc->pc += 2;
255
+ }
256
+
257
+ if (dc->condexec_mask) {
258
+ uint32_t cond = dc->condexec_cond;
259
+
260
+ if (cond != 0x0e) { /* Skip conditional when condition is AL. */
261
+ dc->condlabel = gen_new_label();
262
+ arm_gen_test_cc(cond ^ 1, dc->condlabel);
263
+ dc->condjmp = 1;
264
+ }
265
+ }
266
+
267
+ if (is_16bit) {
268
+ disas_thumb_insn(dc, insn);
269
+ } else {
270
+ disas_thumb2_insn(dc, insn);
271
+ }
272
273
/* Advance the Thumb condexec condition. */
274
if (dc->condexec_mask) {
275
--
77
--
276
2.7.4
78
2.20.1
277
79
278
80
diff view generated by jsdifflib
[Qemu-devel] [PULL 13/13] nvic: Fix miscalculation of offsets into ITNS array
[PULL 3/9] hw/input/ps2.c: Remove remnants of printf debug
1
This calculation of the first exception vector in
1
In commit 5edab03d4040 we added tracepoints to the ps2 keyboard
2
the ITNS<n> register being accessed:
2
and mouse emulation. However we didn't remove all the debug-by-printf
3
int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
3
support. In fact there is only one printf() remaining, and it is
4
4
redundant with the trace_ps2_write_mouse() event next to it.
5
is incorrect, because offset is in bytes, so we only want
5
Remove the printf() and the now-unused DEBUG* macros.
6
to multiply by 8.
7
8
Spotted by Coverity (CID 1381484, CID 1381488), though it is
9
not correct that it actually overflows the buffer, because
10
we have a 'startvec + i < s->num_irq' guard.
11
6
12
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
13
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
8
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
14
Message-id: 1507650856-11718-1-git-send-email-peter.maydell@linaro.org
9
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
10
Message-id: 20201101133258.4240-1-peter.maydell@linaro.org
15
---
11
---
16
hw/intc/armv7m_nvic.c | 4 ++--
12
hw/input/ps2.c | 9 ---------
17
1 file changed, 2 insertions(+), 2 deletions(-)
13
1 file changed, 9 deletions(-)
18
14
19
diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
15
diff --git a/hw/input/ps2.c b/hw/input/ps2.c
20
index XXXXXXX..XXXXXXX 100644
16
index XXXXXXX..XXXXXXX 100644
21
--- a/hw/intc/armv7m_nvic.c
17
--- a/hw/input/ps2.c
22
+++ b/hw/intc/armv7m_nvic.c
18
+++ b/hw/input/ps2.c
23
@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
19
@@ -XXX,XX +XXX,XX @@
24
return ((s->num_irq - NVIC_FIRST_IRQ) / 32) - 1;
20
25
case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */
21
#include "trace.h"
26
{
22
27
- int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
23
-/* debug PC keyboard */
28
+ int startvec = 8 * (offset - 0x380) + NVIC_FIRST_IRQ;
24
-//#define DEBUG_KBD
29
int i;
25
-
30
26
-/* debug PC keyboard : only mouse */
31
if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
27
-//#define DEBUG_MOUSE
32
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
28
-
33
switch (offset) {
29
/* Keyboard Commands */
34
case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */
30
#define KBD_CMD_SET_LEDS    0xED    /* Set keyboard leds */
35
{
31
#define KBD_CMD_ECHO     0xEE
36
- int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
32
@@ -XXX,XX +XXX,XX @@ void ps2_write_mouse(void *opaque, int val)
37
+ int startvec = 8 * (offset - 0x380) + NVIC_FIRST_IRQ;
33
PS2MouseState *s = (PS2MouseState *)opaque;
38
int i;
34
39
35
trace_ps2_write_mouse(opaque, val);
40
if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
36
-#ifdef DEBUG_MOUSE
37
- printf("kbd: write mouse 0x%02x\n", val);
38
-#endif
39
switch(s->common.write_cmd) {
40
default:
41
case -1:
41
--
42
--
42
2.7.4
43
2.20.1
43
44
44
45
diff view generated by jsdifflib
[Qemu-devel] [PULL 11/13] target/arm: Implement SG instruction corner cases
[PULL 4/9] target/openrisc: Remove dead code attempting to check "is timer disabled"
1
The common situation of the SG instruction is that it is
1
In the mtspr helper we attempt to check for "is the timer disabled"
2
executed from S&NSC memory by a CPU in NS state. That case
2
with "if (env->ttmr & TIMER_NONE)". This is wrong because TIMER_NONE
3
is handled by v7m_handle_execute_nsc(). However the instruction
3
is zero and the condition is always false (Coverity complains about
4
also has defined behaviour in a couple of other cases:
4
the dead code.)
5
* SG instruction in NS memory (behaves as a NOP)
6
* SG in S memory but CPU already secure (clears IT bits and
7
does nothing else)
8
* SG instruction in v8M without Security Extension (NOP)
9
5
10
These can be implemented in translate.c.
6
The correct check would be to test whether the TTMR_M field in the
7
register is equal to TIMER_NONE instead. However, the
8
cpu_openrisc_timer_update() function checks whether the timer is
9
enabled (it looks at cpu->env.is_counting, which is set to 0 via
10
cpu_openrisc_count_stop() when the TTMR_M field is set to
11
TIMER_NONE), so there's no need to check for "timer disabled" in the
12
target/openrisc code. Instead, simply remove the dead code.
11
13
14
Fixes: Coverity CID 1005812
12
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
15
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
13
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
16
Acked-by: Stafford Horne <shorne@gmail.com>
14
Message-id: 1507556919-24992-10-git-send-email-peter.maydell@linaro.org
17
Message-id: 20201103114654.18540-1-peter.maydell@linaro.org
15
---
18
---
16
target/arm/translate.c | 23 ++++++++++++++++++++++-
19
target/openrisc/sys_helper.c | 3 ---
17
1 file changed, 22 insertions(+), 1 deletion(-)
20
1 file changed, 3 deletions(-)
18
21
19
diff --git a/target/arm/translate.c b/target/arm/translate.c
22
diff --git a/target/openrisc/sys_helper.c b/target/openrisc/sys_helper.c
20
index XXXXXXX..XXXXXXX 100644
23
index XXXXXXX..XXXXXXX 100644
21
--- a/target/arm/translate.c
24
--- a/target/openrisc/sys_helper.c
22
+++ b/target/arm/translate.c
25
+++ b/target/openrisc/sys_helper.c
23
@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(DisasContext *s, uint32_t insn)
26
@@ -XXX,XX +XXX,XX @@ void HELPER(mtspr)(CPUOpenRISCState *env, target_ulong spr, target_ulong rb)
24
* - load/store doubleword, load/store exclusive, ldacq/strel,
27
25
* table branch.
28
case TO_SPR(10, 1): /* TTCR */
26
*/
29
cpu_openrisc_count_set(cpu, rb);
27
- if (insn & 0x01200000) {
30
- if (env->ttmr & TIMER_NONE) {
28
+ if (insn == 0xe97fe97f && arm_dc_feature(s, ARM_FEATURE_M) &&
31
- return;
29
+ arm_dc_feature(s, ARM_FEATURE_V8)) {
32
- }
30
+ /* 0b1110_1001_0111_1111_1110_1001_0111_111
33
cpu_openrisc_timer_update(cpu);
31
+ * - SG (v8M only)
34
break;
32
+ * The bulk of the behaviour for this instruction is implemented
35
#endif
33
+ * in v7m_handle_execute_nsc(), which deals with the insn when
34
+ * it is executed by a CPU in non-secure state from memory
35
+ * which is Secure & NonSecure-Callable.
36
+ * Here we only need to handle the remaining cases:
37
+ * * in NS memory (including the "security extension not
38
+ * implemented" case) : NOP
39
+ * * in S memory but CPU already secure (clear IT bits)
40
+ * We know that the attribute for the memory this insn is
41
+ * in must match the current CPU state, because otherwise
42
+ * get_phys_addr_pmsav8 would have generated an exception.
43
+ */
44
+ if (s->v8m_secure) {
45
+ /* Like the IT insn, we don't need to generate any code */
46
+ s->condexec_cond = 0;
47
+ s->condexec_mask = 0;
48
+ }
49
+ } else if (insn & 0x01200000) {
50
/* 0b1110_1000_x11x_xxxx_xxxx_xxxx_xxxx_xxxx
51
* - load/store dual (post-indexed)
52
* 0b1111_1001_x10x_xxxx_xxxx_xxxx_xxxx_xxxx
53
--
36
--
54
2.7.4
37
2.20.1
55
38
56
39
diff view generated by jsdifflib
[Qemu-devel] [PULL 02/13] arm: fix armv7m_init() declaration to match definition
[PULL 5/9] register: Remove unnecessary NULL check
1
From: Igor Mammedov <imammedo@redhat.com>
1
From: Alistair Francis <alistair.francis@wdc.com>
2
2
3
s/cpu_model/cpu_type/ that has been forgotten during
3
This patch fixes CID 1432800 by removing an unnecessary check.
4
conversion (ba1ba5cc), while touching the line also
5
fixup alignment.
6
4
7
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
5
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8
Message-id: 1507710805-221721-1-git-send-email-imammedo@redhat.com
9
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
6
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
10
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
11
---
8
---
12
include/hw/arm/arm.h | 2 +-
9
hw/core/register.c | 4 ----
13
1 file changed, 1 insertion(+), 1 deletion(-)
10
1 file changed, 4 deletions(-)
14
11
15
diff --git a/include/hw/arm/arm.h b/include/hw/arm/arm.h
12
diff --git a/hw/core/register.c b/hw/core/register.c
16
index XXXXXXX..XXXXXXX 100644
13
index XXXXXXX..XXXXXXX 100644
17
--- a/include/hw/arm/arm.h
14
--- a/hw/core/register.c
18
+++ b/include/hw/arm/arm.h
15
+++ b/hw/core/register.c
19
@@ -XXX,XX +XXX,XX @@ typedef enum {
16
@@ -XXX,XX +XXX,XX @@ static RegisterInfoArray *register_init_block(DeviceState *owner,
20
17
int index = rae[i].addr / data_size;
21
/* armv7m.c */
18
RegisterInfo *r = &ri[index];
22
DeviceState *armv7m_init(MemoryRegion *system_memory, int mem_size, int num_irq,
19
23
- const char *kernel_filename, const char *cpu_model);
20
- if (data + data_size * index == 0 || !&rae[i]) {
24
+ const char *kernel_filename, const char *cpu_type);
21
- continue;
25
/**
22
- }
26
* armv7m_load_kernel:
23
-
27
* @cpu: CPU
24
/* Init the register, this will zero it. */
25
object_initialize((void *)r, sizeof(*r), TYPE_REGISTER);
26
28
--
27
--
29
2.7.4
28
2.20.1
30
29
31
30
diff view generated by jsdifflib
[Qemu-devel] [PULL 01/13] watchdog/aspeed: fix variable type to store reload value
[PULL 6/9] util/cutils: Fix Coverity array overrun in freq_to_str()
1
From: Cédric Le Goater <clg@kaod.org>
1
From: Philippe Mathieu-Daudé <f4bug@amsat.org>
2
2
3
Initially from Anton D. Kachalov" <mouse@yandex-team.ru> but the SoB was
3
Fix Coverity CID 1435957: Memory - illegal accesses (OVERRUN):
4
missing.
5
4
6
Signed-off-by: Cédric Le Goater <clg@kaod.org>
5
>>> Overrunning array "suffixes" of 7 8-byte elements at element
7
Acked-by: Andrew Jeffery <andrew@aj.id.au>
6
index 7 (byte offset 63) using index "idx" (which evaluates to 7).
8
Message-id: 20170920064915.30027-1-clg@kaod.org
7
9
[clg: change commit log and subject
8
Note, the biggest input value freq_to_str() can accept is UINT64_MAX,
10
replace UL suffix by ULL ]
9
which is ~18.446 EHz, less than 1000 EHz.
11
Signed-off-by: Cédric Le Goater <clg@kaod.org>
10
11
Reported-by: Eduardo Habkost <ehabkost@redhat.com>
12
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
12
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
13
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
14
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
15
Reviewed-by: Luc Michel <luc@lmichel.fr>
16
Message-id: 20201101215755.2021421-1-f4bug@amsat.org
17
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
18
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
13
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
19
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
14
---
20
---
15
hw/watchdog/wdt_aspeed.c | 4 ++--
21
util/cutils.c | 3 ++-
16
1 file changed, 2 insertions(+), 2 deletions(-)
22
1 file changed, 2 insertions(+), 1 deletion(-)
17
23
18
diff --git a/hw/watchdog/wdt_aspeed.c b/hw/watchdog/wdt_aspeed.c
24
diff --git a/util/cutils.c b/util/cutils.c
19
index XXXXXXX..XXXXXXX 100644
25
index XXXXXXX..XXXXXXX 100644
20
--- a/hw/watchdog/wdt_aspeed.c
26
--- a/util/cutils.c
21
+++ b/hw/watchdog/wdt_aspeed.c
27
+++ b/util/cutils.c
22
@@ -XXX,XX +XXX,XX @@ static uint64_t aspeed_wdt_read(void *opaque, hwaddr offset, unsigned size)
28
@@ -XXX,XX +XXX,XX @@ char *freq_to_str(uint64_t freq_hz)
23
29
double freq = freq_hz;
24
static void aspeed_wdt_reload(AspeedWDTState *s, bool pclk)
30
size_t idx = 0;
25
{
31
26
- uint32_t reload;
32
- while (freq >= 1000.0 && idx < ARRAY_SIZE(suffixes)) {
27
+ uint64_t reload;
33
+ while (freq >= 1000.0) {
28
34
freq /= 1000.0;
29
if (pclk) {
35
idx++;
30
reload = muldiv64(s->regs[WDT_RELOAD_VALUE], NANOSECONDS_PER_SECOND,
31
s->pclk_freq);
32
} else {
33
- reload = s->regs[WDT_RELOAD_VALUE] * 1000;
34
+ reload = s->regs[WDT_RELOAD_VALUE] * 1000ULL;
35
}
36
}
36
37
+ assert(idx < ARRAY_SIZE(suffixes));
37
if (aspeed_wdt_is_enabled(s)) {
38
39
return g_strdup_printf("%0.3g %sHz", freq, suffixes[idx]);
40
}
38
--
41
--
39
2.7.4
42
2.20.1
40
43
41
44
diff view generated by jsdifflib
[Qemu-devel] [PULL 03/13] target/arm: Add M profile secure MMU index values to get_a32_user_mem_index()
Deleted patch
1
Add the M profile secure MMU index values to the switch in
2
get_a32_user_mem_index() so that LDRT/STRT work correctly
3
rather than asserting at translate time.
4
1
5
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
6
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
7
Message-id: 1507556919-24992-2-git-send-email-peter.maydell@linaro.org
8
---
9
target/arm/translate.c | 4 ++++
10
1 file changed, 4 insertions(+)
11
12
diff --git a/target/arm/translate.c b/target/arm/translate.c
13
index XXXXXXX..XXXXXXX 100644
14
--- a/target/arm/translate.c
15
+++ b/target/arm/translate.c
16
@@ -XXX,XX +XXX,XX @@ static inline int get_a32_user_mem_index(DisasContext *s)
17
case ARMMMUIdx_MPriv:
18
case ARMMMUIdx_MNegPri:
19
return arm_to_core_mmu_idx(ARMMMUIdx_MUser);
20
+ case ARMMMUIdx_MSUser:
21
+ case ARMMMUIdx_MSPriv:
22
+ case ARMMMUIdx_MSNegPri:
23
+ return arm_to_core_mmu_idx(ARMMMUIdx_MSUser);
24
case ARMMMUIdx_S2NS:
25
default:
26
g_assert_not_reached();
27
--
28
2.7.4
29
30
diff view generated by jsdifflib
[Qemu-devel] [PULL 04/13] target/arm: Implement SG instruction
Deleted patch
1
Implement the SG instruction, which we emulate 'by hand' in the
2
exception handling code path.
3
1
4
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
6
Message-id: 1507556919-24992-3-git-send-email-peter.maydell@linaro.org
7
---
8
target/arm/helper.c | 132 ++++++++++++++++++++++++++++++++++++++++++++++++++--
9
1 file changed, 127 insertions(+), 5 deletions(-)
10
11
diff --git a/target/arm/helper.c b/target/arm/helper.c
12
index XXXXXXX..XXXXXXX 100644
13
--- a/target/arm/helper.c
14
+++ b/target/arm/helper.c
15
@@ -XXX,XX +XXX,XX @@ typedef struct V8M_SAttributes {
16
bool irvalid;
17
} V8M_SAttributes;
18
19
+static void v8m_security_lookup(CPUARMState *env, uint32_t address,
20
+ MMUAccessType access_type, ARMMMUIdx mmu_idx,
21
+ V8M_SAttributes *sattrs);
22
+
23
/* Definitions for the PMCCNTR and PMCR registers */
24
#define PMCRD 0x8
25
#define PMCRC 0x4
26
@@ -XXX,XX +XXX,XX @@ static void arm_log_exception(int idx)
27
}
28
}
29
30
+static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
31
+ uint32_t addr, uint16_t *insn)
32
+{
33
+ /* Load a 16-bit portion of a v7M instruction, returning true on success,
34
+ * or false on failure (in which case we will have pended the appropriate
35
+ * exception).
36
+ * We need to do the instruction fetch's MPU and SAU checks
37
+ * like this because there is no MMU index that would allow
38
+ * doing the load with a single function call. Instead we must
39
+ * first check that the security attributes permit the load
40
+ * and that they don't mismatch on the two halves of the instruction,
41
+ * and then we do the load as a secure load (ie using the security
42
+ * attributes of the address, not the CPU, as architecturally required).
43
+ */
44
+ CPUState *cs = CPU(cpu);
45
+ CPUARMState *env = &cpu->env;
46
+ V8M_SAttributes sattrs = {};
47
+ MemTxAttrs attrs = {};
48
+ ARMMMUFaultInfo fi = {};
49
+ MemTxResult txres;
50
+ target_ulong page_size;
51
+ hwaddr physaddr;
52
+ int prot;
53
+ uint32_t fsr;
54
+
55
+ v8m_security_lookup(env, addr, MMU_INST_FETCH, mmu_idx, &sattrs);
56
+ if (!sattrs.nsc || sattrs.ns) {
57
+ /* This must be the second half of the insn, and it straddles a
58
+ * region boundary with the second half not being S&NSC.
59
+ */
60
+ env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
61
+ armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
62
+ qemu_log_mask(CPU_LOG_INT,
63
+ "...really SecureFault with SFSR.INVEP\n");
64
+ return false;
65
+ }
66
+ if (get_phys_addr(env, addr, MMU_INST_FETCH, mmu_idx,
67
+ &physaddr, &attrs, &prot, &page_size, &fsr, &fi)) {
68
+ /* the MPU lookup failed */
69
+ env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_IACCVIOL_MASK;
70
+ armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM, env->v7m.secure);
71
+ qemu_log_mask(CPU_LOG_INT, "...really MemManage with CFSR.IACCVIOL\n");
72
+ return false;
73
+ }
74
+ *insn = address_space_lduw_le(arm_addressspace(cs, attrs), physaddr,
75
+ attrs, &txres);
76
+ if (txres != MEMTX_OK) {
77
+ env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_IBUSERR_MASK;
78
+ armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
79
+ qemu_log_mask(CPU_LOG_INT, "...really BusFault with CFSR.IBUSERR\n");
80
+ return false;
81
+ }
82
+ return true;
83
+}
84
+
85
+static bool v7m_handle_execute_nsc(ARMCPU *cpu)
86
+{
87
+ /* Check whether this attempt to execute code in a Secure & NS-Callable
88
+ * memory region is for an SG instruction; if so, then emulate the
89
+ * effect of the SG instruction and return true. Otherwise pend
90
+ * the correct kind of exception and return false.
91
+ */
92
+ CPUARMState *env = &cpu->env;
93
+ ARMMMUIdx mmu_idx;
94
+ uint16_t insn;
95
+
96
+ /* We should never get here unless get_phys_addr_pmsav8() caused
97
+ * an exception for NS executing in S&NSC memory.
98
+ */
99
+ assert(!env->v7m.secure);
100
+ assert(arm_feature(env, ARM_FEATURE_M_SECURITY));
101
+
102
+ /* We want to do the MPU lookup as secure; work out what mmu_idx that is */
103
+ mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
104
+
105
+ if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15], &insn)) {
106
+ return false;
107
+ }
108
+
109
+ if (!env->thumb) {
110
+ goto gen_invep;
111
+ }
112
+
113
+ if (insn != 0xe97f) {
114
+ /* Not an SG instruction first half (we choose the IMPDEF
115
+ * early-SG-check option).
116
+ */
117
+ goto gen_invep;
118
+ }
119
+
120
+ if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15] + 2, &insn)) {
121
+ return false;
122
+ }
123
+
124
+ if (insn != 0xe97f) {
125
+ /* Not an SG instruction second half (yes, both halves of the SG
126
+ * insn have the same hex value)
127
+ */
128
+ goto gen_invep;
129
+ }
130
+
131
+ /* OK, we have confirmed that we really have an SG instruction.
132
+ * We know we're NS in S memory so don't need to repeat those checks.
133
+ */
134
+ qemu_log_mask(CPU_LOG_INT, "...really an SG instruction at 0x%08" PRIx32
135
+ ", executing it\n", env->regs[15]);
136
+ env->regs[14] &= ~1;
137
+ switch_v7m_security_state(env, true);
138
+ xpsr_write(env, 0, XPSR_IT);
139
+ env->regs[15] += 4;
140
+ return true;
141
+
142
+gen_invep:
143
+ env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
144
+ armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
145
+ qemu_log_mask(CPU_LOG_INT,
146
+ "...really SecureFault with SFSR.INVEP\n");
147
+ return false;
148
+}
149
+
150
void arm_v7m_cpu_do_interrupt(CPUState *cs)
151
{
152
ARMCPU *cpu = ARM_CPU(cs);
153
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
154
* the SG instruction have the same security attributes.)
155
* Everything else must generate an INVEP SecureFault, so we
156
* emulate the SG instruction here.
157
- * TODO: actually emulate SG.
158
*/
159
- env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
160
- armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
161
- qemu_log_mask(CPU_LOG_INT,
162
- "...really SecureFault with SFSR.INVEP\n");
163
+ if (v7m_handle_execute_nsc(cpu)) {
164
+ return;
165
+ }
166
break;
167
case M_FAKE_FSR_SFAULT:
168
/* Various flavours of SecureFault for attempts to execute or
169
--
170
2.7.4
171
172
diff view generated by jsdifflib
[Qemu-devel] [PULL 10/13] target/arm: Support some Thumb insns being always unconditional
[PULL 7/9] configure: Make "does libgio work" test pull in some actual functions
1
A few Thumb instructions are always unconditional even inside an
1
In commit 76346b6264a9b01979 we tried to add a configure check that
2
IT block (as opposed to being UNPREDICTABLE if used inside an
2
the libgio pkg-config data was correct, which builds an executable
3
IT block): BKPT, the v8M SG instruction, and the A profile
3
linked against it. Unfortunately this doesn't catch the problem
4
HLT (debug halt) instruction.
4
(missing static library dependency info), because a "do nothing" test
5
source file doesn't have any symbol references that cause the linker
6
to pull in .o files from libgio.a, and so we don't see the "missing
7
symbols from libmount" error that a full QEMU link triggers.
5
8
6
This means we need to suppress the jump-over-instruction-on-condfail
9
(The ineffective test went unnoticed because of a typo that
7
code generation (though the IT state still advances as usual and
10
effectively disabled libgio unconditionally, but after commit
8
subsequent insns in the IT block may be conditional).
11
3569a5dfc11f2 fixed that, a static link of the system emulator on
12
Ubuntu stopped working again.)
13
14
Improve the gio test by having the test source fragment reference a
15
g_dbus function (which is what is indirectly causing us to end up
16
wanting functions from libmount).
9
17
10
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
18
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
11
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
19
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
12
Message-id: 1507556919-24992-9-git-send-email-peter.maydell@linaro.org
20
Message-id: 20201116104617.18333-1-peter.maydell@linaro.org
13
---
21
---
14
target/arm/translate.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
22
configure | 11 +++++++++--
15
1 file changed, 47 insertions(+), 1 deletion(-)
23
1 file changed, 9 insertions(+), 2 deletions(-)
16
24
17
diff --git a/target/arm/translate.c b/target/arm/translate.c
25
diff --git a/configure b/configure
18
index XXXXXXX..XXXXXXX 100644
26
index XXXXXXX..XXXXXXX 100755
19
--- a/target/arm/translate.c
27
--- a/configure
20
+++ b/target/arm/translate.c
28
+++ b/configure
21
@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
29
@@ -XXX,XX +XXX,XX @@ if $pkg_config --atleast-version=$glib_req_ver gio-2.0; then
22
in init_disas_context by adjusting max_insns. */
30
# Check that the libraries actually work -- Ubuntu 18.04 ships
23
}
31
# with pkg-config --static --libs data for gio-2.0 that is missing
24
32
# -lblkid and will give a link error.
25
+static bool thumb_insn_is_unconditional(DisasContext *s, uint32_t insn)
33
- write_c_skeleton
34
- if compile_prog "" "$gio_libs" ; then
35
+ cat > $TMPC <<EOF
36
+#include <gio/gio.h>
37
+int main(void)
26
+{
38
+{
27
+ /* Return true if this Thumb insn is always unconditional,
39
+ g_dbus_proxy_new_sync(0, 0, 0, 0, 0, 0, 0, 0);
28
+ * even inside an IT block. This is true of only a very few
40
+ return 0;
29
+ * instructions: BKPT, HLT, and SG.
30
+ *
31
+ * A larger class of instructions are UNPREDICTABLE if used
32
+ * inside an IT block; we do not need to detect those here, because
33
+ * what we do by default (perform the cc check and update the IT
34
+ * bits state machine) is a permitted CONSTRAINED UNPREDICTABLE
35
+ * choice for those situations.
36
+ *
37
+ * insn is either a 16-bit or a 32-bit instruction; the two are
38
+ * distinguishable because for the 16-bit case the top 16 bits
39
+ * are zeroes, and that isn't a valid 32-bit encoding.
40
+ */
41
+ if ((insn & 0xffffff00) == 0xbe00) {
42
+ /* BKPT */
43
+ return true;
44
+ }
45
+
46
+ if ((insn & 0xffffffc0) == 0xba80 && arm_dc_feature(s, ARM_FEATURE_V8) &&
47
+ !arm_dc_feature(s, ARM_FEATURE_M)) {
48
+ /* HLT: v8A only. This is unconditional even when it is going to
49
+ * UNDEF; see the v8A ARM ARM DDI0487B.a H3.3.
50
+ * For v7 cores this was a plain old undefined encoding and so
51
+ * honours its cc check. (We might be using the encoding as
52
+ * a semihosting trap, but we don't change the cc check behaviour
53
+ * on that account, because a debugger connected to a real v7A
54
+ * core and emulating semihosting traps by catching the UNDEF
55
+ * exception would also only see cases where the cc check passed.
56
+ * No guest code should be trying to do a HLT semihosting trap
57
+ * in an IT block anyway.
58
+ */
59
+ return true;
60
+ }
61
+
62
+ if (insn == 0xe97fe97f && arm_dc_feature(s, ARM_FEATURE_V8) &&
63
+ arm_dc_feature(s, ARM_FEATURE_M)) {
64
+ /* SG: v8M only */
65
+ return true;
66
+ }
67
+
68
+ return false;
69
+}
41
+}
70
+
42
+EOF
71
static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
43
+ if compile_prog "$gio_cflags" "$gio_libs" ; then
72
{
44
gio=yes
73
DisasContext *dc = container_of(dcbase, DisasContext, base);
45
else
74
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
46
gio=no
75
dc->pc += 2;
76
}
77
78
- if (dc->condexec_mask) {
79
+ if (dc->condexec_mask && !thumb_insn_is_unconditional(dc, insn)) {
80
uint32_t cond = dc->condexec_cond;
81
82
if (cond != 0x0e) { /* Skip conditional when condition is AL. */
83
--
47
--
84
2.7.4
48
2.20.1
85
49
86
50
diff view generated by jsdifflib
[Qemu-devel] [PULL 09/13] target-arm: Simplify insn_crosses_page()
[PULL 8/9] hw/misc/tmp105: reset the T_low and T_High registers
1
Recent changes have left insn_crosses_page() more complicated
1
The TMP105 datasheet (https://www.ti.com/lit/gpn/tmp105) says that the
2
than it needed to be:
2
power-up reset values for the T_low and T_high registers are 80 degrees C
3
* it's only called from thumb_tr_translate_insn() so we know
3
and 75 degrees C, which are 0x500 and 0x4B0 hex according to table 5. These
4
for certain that we're looking at a Thumb insn
4
values are then shifted right by four bits to give the register reset
5
* the caller's check for dc->pc >= dc->next_page_start - 3
5
values, since both registers store the 12 bits of temperature data in bits
6
means that dc->pc can't possibly be 4 aligned, so there's
6
[15..4] of a 16 bit register.
7
no need to check that (the check was partly there to ensure
8
that we didn't treat an ARM insn as Thumb, I think)
9
* we now have thumb_insn_is_16bit() which lets us do a precise
10
check of the length of the next insn, rather than opencoding
11
an inaccurate check
12
7
13
Simplify it down to just loading the first half of the insn
8
We were resetting these registers to zero, which is problematic for Linux
14
and calling thumb_insn_is_16bit() on it.
9
guests which enable the alert interrupt and then immediately take an
10
unexpected overtemperature alert because the current temperature is above
11
freezing...
15
12
16
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
13
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
17
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
14
Reviewed-by: Cédric Le Goater <clg@kaod.org>
18
Message-id: 1507556919-24992-8-git-send-email-peter.maydell@linaro.org
15
Message-id: 20201110150023.25533-2-peter.maydell@linaro.org
19
---
16
---
20
target/arm/translate.c | 27 ++++++---------------------
17
hw/misc/tmp105.c | 3 +++
21
1 file changed, 6 insertions(+), 21 deletions(-)
18
1 file changed, 3 insertions(+)
22
19
23
diff --git a/target/arm/translate.c b/target/arm/translate.c
20
diff --git a/hw/misc/tmp105.c b/hw/misc/tmp105.c
24
index XXXXXXX..XXXXXXX 100644
21
index XXXXXXX..XXXXXXX 100644
25
--- a/target/arm/translate.c
22
--- a/hw/misc/tmp105.c
26
+++ b/target/arm/translate.c
23
+++ b/hw/misc/tmp105.c
27
@@ -XXX,XX +XXX,XX @@ static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
24
@@ -XXX,XX +XXX,XX @@ static void tmp105_reset(I2CSlave *i2c)
28
{
25
s->faults = tmp105_faultq[(s->config >> 3) & 3];
29
/* Return true if the insn at dc->pc might cross a page boundary.
26
s->alarm = 0;
30
* (False positives are OK, false negatives are not.)
27
31
+ * We know this is a Thumb insn, and our caller ensures we are
28
+ s->limit[0] = 0x4b00; /* T_LOW, 75 degrees C */
32
+ * only called if dc->pc is less than 4 bytes from the page
29
+ s->limit[1] = 0x5000; /* T_HIGH, 80 degrees C */
33
+ * boundary, so we cross the page if the first 16 bits indicate
30
+
34
+ * that this is a 32 bit insn.
31
tmp105_interrupt_update(s);
35
*/
36
- uint16_t insn;
37
+ uint16_t insn = arm_lduw_code(env, s->pc, s->sctlr_b);
38
39
- if ((s->pc & 3) == 0) {
40
- /* At a 4-aligned address we can't be crossing a page */
41
- return false;
42
- }
43
-
44
- /* This must be a Thumb insn */
45
- insn = arm_lduw_code(env, s->pc, s->sctlr_b);
46
-
47
- if ((insn >> 11) >= 0x1d) {
48
- /* Top five bits 0b11101 / 0b11110 / 0b11111 : this is the
49
- * First half of a 32-bit Thumb insn. Thumb-1 cores might
50
- * end up actually treating this as two 16-bit insns (see the
51
- * code at the start of disas_thumb2_insn()) but we don't bother
52
- * to check for that as it is unlikely, and false positives here
53
- * are harmless.
54
- */
55
- return true;
56
- }
57
- /* Definitely a 16-bit insn, can't be crossing a page. */
58
- return false;
59
+ return !thumb_insn_is_16bit(s, insn);
60
}
32
}
61
33
62
static int arm_tr_init_disas_context(DisasContextBase *dcbase,
63
--
34
--
64
2.7.4
35
2.20.1
65
36
66
37
diff view generated by jsdifflib
[Qemu-devel] [PULL 05/13] target/arm: Implement BLXNS
[PULL 9/9] tmp105: Correct handling of temperature limit checks
1
Implement the BLXNS instruction, which allows secure code to
1
The TMP105 datasheet says that in Interrupt Mode (when TM==1) the device
2
call non-secure code.
2
signals an alert when the temperature equals or exceeds the T_high value and
3
then remains high until a device register is read or the device responds to
4
the SMBUS Alert Response address, or the device is put into Shutdown Mode.
5
Thereafter the Alert pin will only be re-signalled when temperature falls
6
below T_low; alert can then be cleared in the same set of ways, and the
7
device returns to its initial "alert when temperature goes above T_high"
8
mode. (If this textual description is confusing, see figure 3 in the
9
TI datasheet at https://www.ti.com/lit/gpn/tmp105 .)
10
11
We were misimplementing this as a simple "always alert if temperature is
12
above T_high or below T_low" condition, which gives a spurious alert on
13
startup if using the "T_high = 80 degrees C, T_low = 75 degrees C" reset
14
limit values.
15
16
Implement the correct (hysteresis) behaviour by tracking whether we
17
are currently looking for the temperature to rise over T_high or
18
for it to fall below T_low. Our implementation of the comparator
19
mode (TM==0) wasn't wrong, but rephrase it to match the way that
20
interrupt mode is now handled for clarity.
3
21
4
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
22
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
23
Reviewed-by: Cédric Le Goater <clg@kaod.org>
6
Message-id: 1507556919-24992-4-git-send-email-peter.maydell@linaro.org
24
Message-id: 20201110150023.25533-3-peter.maydell@linaro.org
7
---
25
---
8
target/arm/helper.h | 1 +
26
hw/misc/tmp105.h | 7 +++++
9
target/arm/internals.h | 1 +
27
hw/misc/tmp105.c | 70 +++++++++++++++++++++++++++++++++++++++++-------
10
target/arm/helper.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++
28
2 files changed, 68 insertions(+), 9 deletions(-)
11
target/arm/translate.c | 17 +++++++++++++--
12
4 files changed, 76 insertions(+), 2 deletions(-)
13
29
14
diff --git a/target/arm/helper.h b/target/arm/helper.h
30
diff --git a/hw/misc/tmp105.h b/hw/misc/tmp105.h
15
index XXXXXXX..XXXXXXX 100644
31
index XXXXXXX..XXXXXXX 100644
16
--- a/target/arm/helper.h
32
--- a/hw/misc/tmp105.h
17
+++ b/target/arm/helper.h
33
+++ b/hw/misc/tmp105.h
18
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_3(v7m_msr, void, env, i32, i32)
34
@@ -XXX,XX +XXX,XX @@ struct TMP105State {
19
DEF_HELPER_2(v7m_mrs, i32, env, i32)
35
int16_t limit[2];
20
36
int faults;
21
DEF_HELPER_2(v7m_bxns, void, env, i32)
37
uint8_t alarm;
22
+DEF_HELPER_2(v7m_blxns, void, env, i32)
38
+ /*
23
39
+ * The TMP105 initially looks for a temperature rising above T_high;
24
DEF_HELPER_4(access_check_cp_reg, void, env, ptr, i32, i32)
40
+ * once this is detected, the condition it looks for next is the
25
DEF_HELPER_3(set_cp_reg, void, env, ptr, i32)
41
+ * temperature falling below T_low. This flag is false when initially
26
diff --git a/target/arm/internals.h b/target/arm/internals.h
42
+ * looking for T_high, true when looking for T_low.
43
+ */
44
+ bool detect_falling;
45
};
46
47
#endif
48
diff --git a/hw/misc/tmp105.c b/hw/misc/tmp105.c
27
index XXXXXXX..XXXXXXX 100644
49
index XXXXXXX..XXXXXXX 100644
28
--- a/target/arm/internals.h
50
--- a/hw/misc/tmp105.c
29
+++ b/target/arm/internals.h
51
+++ b/hw/misc/tmp105.c
30
@@ -XXX,XX +XXX,XX @@ static inline bool excp_is_internal(int excp)
52
@@ -XXX,XX +XXX,XX @@ static void tmp105_alarm_update(TMP105State *s)
31
FIELD(V7M_CONTROL, NPRIV, 0, 1)
53
return;
32
FIELD(V7M_CONTROL, SPSEL, 1, 1)
54
}
33
FIELD(V7M_CONTROL, FPCA, 2, 1)
55
34
+FIELD(V7M_CONTROL, SFPA, 3, 1)
56
- if ((s->config >> 1) & 1) {                    /* TM */
35
57
- if (s->temperature >= s->limit[1])
36
/* Bit definitions for v7M exception return payload */
58
- s->alarm = 1;
37
FIELD(V7M_EXCRET, ES, 0, 1)
59
- else if (s->temperature < s->limit[0])
38
diff --git a/target/arm/helper.c b/target/arm/helper.c
60
- s->alarm = 1;
39
index XXXXXXX..XXXXXXX 100644
61
+ if (s->config >> 1 & 1) {
40
--- a/target/arm/helper.c
62
+ /*
41
+++ b/target/arm/helper.c
63
+ * TM == 1 : Interrupt mode. We signal Alert when the
42
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
64
+ * temperature rises above T_high, and expect the guest to clear
43
g_assert_not_reached();
65
+ * it (eg by reading a device register).
66
+ */
67
+ if (s->detect_falling) {
68
+ if (s->temperature < s->limit[0]) {
69
+ s->alarm = 1;
70
+ s->detect_falling = false;
71
+ }
72
+ } else {
73
+ if (s->temperature >= s->limit[1]) {
74
+ s->alarm = 1;
75
+ s->detect_falling = true;
76
+ }
77
+ }
78
} else {
79
- if (s->temperature >= s->limit[1])
80
- s->alarm = 1;
81
- else if (s->temperature < s->limit[0])
82
- s->alarm = 0;
83
+ /*
84
+ * TM == 0 : Comparator mode. We signal Alert when the temperature
85
+ * rises above T_high, and stop signalling it when the temperature
86
+ * falls below T_low.
87
+ */
88
+ if (s->detect_falling) {
89
+ if (s->temperature < s->limit[0]) {
90
+ s->alarm = 0;
91
+ s->detect_falling = false;
92
+ }
93
+ } else {
94
+ if (s->temperature >= s->limit[1]) {
95
+ s->alarm = 1;
96
+ s->detect_falling = true;
97
+ }
98
+ }
99
}
100
101
tmp105_interrupt_update(s);
102
@@ -XXX,XX +XXX,XX @@ static int tmp105_post_load(void *opaque, int version_id)
103
return 0;
44
}
104
}
45
105
46
+void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
106
+static bool detect_falling_needed(void *opaque)
47
+{
107
+{
48
+ /* translate.c should never generate calls here in user-only mode */
108
+ TMP105State *s = opaque;
49
+ g_assert_not_reached();
109
+
110
+ /*
111
+ * We only need to migrate the detect_falling bool if it's set;
112
+ * for migration from older machines we assume that it is false
113
+ * (ie temperature is not out of range).
114
+ */
115
+ return s->detect_falling;
50
+}
116
+}
51
+
117
+
52
void switch_mode(CPUARMState *env, int mode)
118
+static const VMStateDescription vmstate_tmp105_detect_falling = {
53
{
119
+ .name = "TMP105/detect-falling",
54
ARMCPU *cpu = arm_env_get_cpu(env);
120
+ .version_id = 1,
55
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
121
+ .minimum_version_id = 1,
56
env->regs[15] = dest & ~1;
122
+ .needed = detect_falling_needed,
57
}
123
+ .fields = (VMStateField[]) {
58
124
+ VMSTATE_BOOL(detect_falling, TMP105State),
59
+void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
125
+ VMSTATE_END_OF_LIST()
60
+{
126
+ }
61
+ /* Handle v7M BLXNS:
127
+};
62
+ * - bit 0 of the destination address is the target security state
63
+ */
64
+
128
+
65
+ /* At this point regs[15] is the address just after the BLXNS */
129
static const VMStateDescription vmstate_tmp105 = {
66
+ uint32_t nextinst = env->regs[15] | 1;
130
.name = "TMP105",
67
+ uint32_t sp = env->regs[13] - 8;
131
.version_id = 0,
68
+ uint32_t saved_psr;
132
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_tmp105 = {
69
+
133
VMSTATE_UINT8(alarm, TMP105State),
70
+ /* translate.c will have made BLXNS UNDEF unless we're secure */
134
VMSTATE_I2C_SLAVE(i2c, TMP105State),
71
+ assert(env->v7m.secure);
135
VMSTATE_END_OF_LIST()
72
+
136
+ },
73
+ if (dest & 1) {
137
+ .subsections = (const VMStateDescription*[]) {
74
+ /* target is Secure, so this is just a normal BLX,
138
+ &vmstate_tmp105_detect_falling,
75
+ * except that the low bit doesn't indicate Thumb/not.
139
+ NULL
76
+ */
140
}
77
+ env->regs[14] = nextinst;
141
};
78
+ env->thumb = 1;
142
79
+ env->regs[15] = dest & ~1;
143
@@ -XXX,XX +XXX,XX @@ static void tmp105_reset(I2CSlave *i2c)
80
+ return;
144
s->config = 0;
81
+ }
145
s->faults = tmp105_faultq[(s->config >> 3) & 3];
82
+
146
s->alarm = 0;
83
+ /* Target is non-secure: first push a stack frame */
147
+ s->detect_falling = false;
84
+ if (!QEMU_IS_ALIGNED(sp, 8)) {
148
85
+ qemu_log_mask(LOG_GUEST_ERROR,
149
s->limit[0] = 0x4b00; /* T_LOW, 75 degrees C */
86
+ "BLXNS with misaligned SP is UNPREDICTABLE\n");
150
s->limit[1] = 0x5000; /* T_HIGH, 80 degrees C */
87
+ }
88
+
89
+ saved_psr = env->v7m.exception;
90
+ if (env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK) {
91
+ saved_psr |= XPSR_SFPA;
92
+ }
93
+
94
+ /* Note that these stores can throw exceptions on MPU faults */
95
+ cpu_stl_data(env, sp, nextinst);
96
+ cpu_stl_data(env, sp + 4, saved_psr);
97
+
98
+ env->regs[13] = sp;
99
+ env->regs[14] = 0xfeffffff;
100
+ if (arm_v7m_is_handler_mode(env)) {
101
+ /* Write a dummy value to IPSR, to avoid leaking the current secure
102
+ * exception number to non-secure code. This is guaranteed not
103
+ * to cause write_v7m_exception() to actually change stacks.
104
+ */
105
+ write_v7m_exception(env, 1);
106
+ }
107
+ switch_v7m_security_state(env, 0);
108
+ env->thumb = 1;
109
+ env->regs[15] = dest;
110
+}
111
+
112
static uint32_t *get_v7m_sp_ptr(CPUARMState *env, bool secure, bool threadmode,
113
bool spsel)
114
{
115
diff --git a/target/arm/translate.c b/target/arm/translate.c
116
index XXXXXXX..XXXXXXX 100644
117
--- a/target/arm/translate.c
118
+++ b/target/arm/translate.c
119
@@ -XXX,XX +XXX,XX @@ static inline void gen_bxns(DisasContext *s, int rm)
120
s->base.is_jmp = DISAS_EXIT;
121
}
122
123
+static inline void gen_blxns(DisasContext *s, int rm)
124
+{
125
+ TCGv_i32 var = load_reg(s, rm);
126
+
127
+ /* We don't need to sync condexec state, for the same reason as bxns.
128
+ * We do however need to set the PC, because the blxns helper reads it.
129
+ * The blxns helper may throw an exception.
130
+ */
131
+ gen_set_pc_im(s, s->pc);
132
+ gen_helper_v7m_blxns(cpu_env, var);
133
+ tcg_temp_free_i32(var);
134
+ s->base.is_jmp = DISAS_EXIT;
135
+}
136
+
137
/* Variant of store_reg which uses branch&exchange logic when storing
138
to r15 in ARM architecture v7 and above. The source must be a temporary
139
and will be marked as dead. */
140
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
141
goto undef;
142
}
143
if (link) {
144
- /* BLXNS: not yet implemented */
145
- goto undef;
146
+ gen_blxns(s, rm);
147
} else {
148
gen_bxns(s, rm);
149
}
150
--
151
--
151
2.7.4
152
2.20.1
152
153
153
154
diff view generated by jsdifflib
[Qemu-devel] [PULL 06/13] target/arm: Implement secure function return
Deleted patch
1
Secure function return happens when a non-secure function has been
2
called using BLXNS and so has a particular magic LR value (either
3
0xfefffffe or 0xfeffffff). The function return via BX behaves
4
specially when the new PC value is this magic value, in the same
5
way that exception returns are handled.
6
1
7
Adjust our BX excret guards so that they recognize the function
8
return magic number as well, and perform the function-return
9
unstacking in do_v7m_exception_exit().
10
11
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
12
Acked-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
13
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
14
Message-id: 1507556919-24992-5-git-send-email-peter.maydell@linaro.org
15
---
16
target/arm/internals.h | 7 +++
17
target/arm/helper.c | 115 +++++++++++++++++++++++++++++++++++++++++++++----
18
target/arm/translate.c | 14 +++++-
19
3 files changed, 126 insertions(+), 10 deletions(-)
20
21
diff --git a/target/arm/internals.h b/target/arm/internals.h
22
index XXXXXXX..XXXXXXX 100644
23
--- a/target/arm/internals.h
24
+++ b/target/arm/internals.h
25
@@ -XXX,XX +XXX,XX @@ FIELD(V7M_EXCRET, DCRS, 5, 1)
26
FIELD(V7M_EXCRET, S, 6, 1)
27
FIELD(V7M_EXCRET, RES1, 7, 25) /* including the must-be-1 prefix */
28
29
+/* Minimum value which is a magic number for exception return */
30
+#define EXC_RETURN_MIN_MAGIC 0xff000000
31
+/* Minimum number which is a magic number for function or exception return
32
+ * when using v8M security extension
33
+ */
34
+#define FNC_RETURN_MIN_MAGIC 0xfefffffe
35
+
36
/* We use a few fake FSR values for internal purposes in M profile.
37
* M profile cores don't have A/R format FSRs, but currently our
38
* get_phys_addr() code assumes A/R profile and reports failures via
39
diff --git a/target/arm/helper.c b/target/arm/helper.c
40
index XXXXXXX..XXXXXXX 100644
41
--- a/target/arm/helper.c
42
+++ b/target/arm/helper.c
43
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
44
* - if the return value is a magic value, do exception return (like BX)
45
* - otherwise bit 0 of the return value is the target security state
46
*/
47
- if (dest >= 0xff000000) {
48
+ uint32_t min_magic;
49
+
50
+ if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
51
+ /* Covers FNC_RETURN and EXC_RETURN magic */
52
+ min_magic = FNC_RETURN_MIN_MAGIC;
53
+ } else {
54
+ /* EXC_RETURN magic only */
55
+ min_magic = EXC_RETURN_MIN_MAGIC;
56
+ }
57
+
58
+ if (dest >= min_magic) {
59
/* This is an exception return magic value; put it where
60
* do_v7m_exception_exit() expects and raise EXCEPTION_EXIT.
61
* Note that if we ever add gen_ss_advance() singlestep support to
62
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
63
bool exc_secure = false;
64
bool return_to_secure;
65
66
- /* We can only get here from an EXCP_EXCEPTION_EXIT, and
67
- * gen_bx_excret() enforces the architectural rule
68
- * that jumps to magic addresses don't have magic behaviour unless
69
- * we're in Handler mode (compare pseudocode BXWritePC()).
70
+ /* If we're not in Handler mode then jumps to magic exception-exit
71
+ * addresses don't have magic behaviour. However for the v8M
72
+ * security extensions the magic secure-function-return has to
73
+ * work in thread mode too, so to avoid doing an extra check in
74
+ * the generated code we allow exception-exit magic to also cause the
75
+ * internal exception and bring us here in thread mode. Correct code
76
+ * will never try to do this (the following insn fetch will always
77
+ * fault) so we the overhead of having taken an unnecessary exception
78
+ * doesn't matter.
79
*/
80
- assert(arm_v7m_is_handler_mode(env));
81
+ if (!arm_v7m_is_handler_mode(env)) {
82
+ return;
83
+ }
84
85
/* In the spec pseudocode ExceptionReturn() is called directly
86
* from BXWritePC() and gets the full target PC value including
87
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
88
qemu_log_mask(CPU_LOG_INT, "...successful exception return\n");
89
}
90
91
+static bool do_v7m_function_return(ARMCPU *cpu)
92
+{
93
+ /* v8M security extensions magic function return.
94
+ * We may either:
95
+ * (1) throw an exception (longjump)
96
+ * (2) return true if we successfully handled the function return
97
+ * (3) return false if we failed a consistency check and have
98
+ * pended a UsageFault that needs to be taken now
99
+ *
100
+ * At this point the magic return value is split between env->regs[15]
101
+ * and env->thumb. We don't bother to reconstitute it because we don't
102
+ * need it (all values are handled the same way).
103
+ */
104
+ CPUARMState *env = &cpu->env;
105
+ uint32_t newpc, newpsr, newpsr_exc;
106
+
107
+ qemu_log_mask(CPU_LOG_INT, "...really v7M secure function return\n");
108
+
109
+ {
110
+ bool threadmode, spsel;
111
+ TCGMemOpIdx oi;
112
+ ARMMMUIdx mmu_idx;
113
+ uint32_t *frame_sp_p;
114
+ uint32_t frameptr;
115
+
116
+ /* Pull the return address and IPSR from the Secure stack */
117
+ threadmode = !arm_v7m_is_handler_mode(env);
118
+ spsel = env->v7m.control[M_REG_S] & R_V7M_CONTROL_SPSEL_MASK;
119
+
120
+ frame_sp_p = get_v7m_sp_ptr(env, true, threadmode, spsel);
121
+ frameptr = *frame_sp_p;
122
+
123
+ /* These loads may throw an exception (for MPU faults). We want to
124
+ * do them as secure, so work out what MMU index that is.
125
+ */
126
+ mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
127
+ oi = make_memop_idx(MO_LE, arm_to_core_mmu_idx(mmu_idx));
128
+ newpc = helper_le_ldul_mmu(env, frameptr, oi, 0);
129
+ newpsr = helper_le_ldul_mmu(env, frameptr + 4, oi, 0);
130
+
131
+ /* Consistency checks on new IPSR */
132
+ newpsr_exc = newpsr & XPSR_EXCP;
133
+ if (!((env->v7m.exception == 0 && newpsr_exc == 0) ||
134
+ (env->v7m.exception == 1 && newpsr_exc != 0))) {
135
+ /* Pend the fault and tell our caller to take it */
136
+ env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
137
+ armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
138
+ env->v7m.secure);
139
+ qemu_log_mask(CPU_LOG_INT,
140
+ "...taking INVPC UsageFault: "
141
+ "IPSR consistency check failed\n");
142
+ return false;
143
+ }
144
+
145
+ *frame_sp_p = frameptr + 8;
146
+ }
147
+
148
+ /* This invalidates frame_sp_p */
149
+ switch_v7m_security_state(env, true);
150
+ env->v7m.exception = newpsr_exc;
151
+ env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
152
+ if (newpsr & XPSR_SFPA) {
153
+ env->v7m.control[M_REG_S] |= R_V7M_CONTROL_SFPA_MASK;
154
+ }
155
+ xpsr_write(env, 0, XPSR_IT);
156
+ env->thumb = newpc & 1;
157
+ env->regs[15] = newpc & ~1;
158
+
159
+ qemu_log_mask(CPU_LOG_INT, "...function return successful\n");
160
+ return true;
161
+}
162
+
163
static void arm_log_exception(int idx)
164
{
165
if (qemu_loglevel_mask(CPU_LOG_INT)) {
166
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
167
case EXCP_IRQ:
168
break;
169
case EXCP_EXCEPTION_EXIT:
170
- do_v7m_exception_exit(cpu);
171
- return;
172
+ if (env->regs[15] < EXC_RETURN_MIN_MAGIC) {
173
+ /* Must be v8M security extension function return */
174
+ assert(env->regs[15] >= FNC_RETURN_MIN_MAGIC);
175
+ assert(arm_feature(env, ARM_FEATURE_M_SECURITY));
176
+ if (do_v7m_function_return(cpu)) {
177
+ return;
178
+ }
179
+ } else {
180
+ do_v7m_exception_exit(cpu);
181
+ return;
182
+ }
183
+ break;
184
default:
185
cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
186
return; /* Never happens. Keep compiler happy. */
187
diff --git a/target/arm/translate.c b/target/arm/translate.c
188
index XXXXXXX..XXXXXXX 100644
189
--- a/target/arm/translate.c
190
+++ b/target/arm/translate.c
191
@@ -XXX,XX +XXX,XX @@ static inline void gen_bx_excret(DisasContext *s, TCGv_i32 var)
192
* s->base.is_jmp that we need to do the rest of the work later.
193
*/
194
gen_bx(s, var);
195
- if (s->v7m_handler_mode && arm_dc_feature(s, ARM_FEATURE_M)) {
196
+ if (arm_dc_feature(s, ARM_FEATURE_M_SECURITY) ||
197
+ (s->v7m_handler_mode && arm_dc_feature(s, ARM_FEATURE_M))) {
198
s->base.is_jmp = DISAS_BX_EXCRET;
199
}
200
}
201
@@ -XXX,XX +XXX,XX @@ static inline void gen_bx_excret_final_code(DisasContext *s)
202
{
203
/* Generate the code to finish possible exception return and end the TB */
204
TCGLabel *excret_label = gen_new_label();
205
+ uint32_t min_magic;
206
+
207
+ if (arm_dc_feature(s, ARM_FEATURE_M_SECURITY)) {
208
+ /* Covers FNC_RETURN and EXC_RETURN magic */
209
+ min_magic = FNC_RETURN_MIN_MAGIC;
210
+ } else {
211
+ /* EXC_RETURN magic only */
212
+ min_magic = EXC_RETURN_MIN_MAGIC;
213
+ }
214
215
/* Is the new PC value in the magic range indicating exception return? */
216
- tcg_gen_brcondi_i32(TCG_COND_GEU, cpu_R[15], 0xff000000, excret_label);
217
+ tcg_gen_brcondi_i32(TCG_COND_GEU, cpu_R[15], min_magic, excret_label);
218
/* No: end the TB as we would for a DISAS_JMP */
219
if (is_singlestepping(s)) {
220
gen_singlestep_exception(s);
221
--
222
2.7.4
223
224
diff view generated by jsdifflib
[Qemu-devel] [PULL 07/13] target-arm: Don't check for "Thumb2 or M profile" for not-Thumb1
Deleted patch
1
The code which implements the Thumb1 split BL/BLX instructions
2
is guarded by a check on "not M or THUMB2". All we really need
3
to check here is "not THUMB2" (and we assume that elsewhere too,
4
eg in the ARCH(6T2) test that UNDEFs the Thumb2 insns).
5
1
6
This doesn't change behaviour because all M profile cores
7
have Thumb2 and so ARM_FEATURE_M implies ARM_FEATURE_THUMB2.
8
(v6M implements a very restricted subset of Thumb2, but we
9
can cross that bridge when we get to it with appropriate
10
feature bits.)
11
12
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
13
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
14
Message-id: 1507556919-24992-6-git-send-email-peter.maydell@linaro.org
15
---
16
target/arm/translate.c | 3 +--
17
1 file changed, 1 insertion(+), 2 deletions(-)
18
19
diff --git a/target/arm/translate.c b/target/arm/translate.c
20
index XXXXXXX..XXXXXXX 100644
21
--- a/target/arm/translate.c
22
+++ b/target/arm/translate.c
23
@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
24
int conds;
25
int logic_cc;
26
27
- if (!(arm_dc_feature(s, ARM_FEATURE_THUMB2)
28
- || arm_dc_feature(s, ARM_FEATURE_M))) {
29
+ if (!arm_dc_feature(s, ARM_FEATURE_THUMB2)) {
30
/* Thumb-1 cores may need to treat bl and blx as a pair of
31
16-bit instructions to get correct prefetch abort behavior. */
32
insn = insn_hw1;
33
--
34
2.7.4
35
36
diff view generated by jsdifflib

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.