Series comparison

-[Qemu-devel] [PULL 00/20] target-arm queue
+[PULL 0/9] target-arm queue
-Changes v1->v2: it turns out that the raspi3 support exposes a
+This one's almost all docs fixes.
 preexisting bug in our register definitions for VMPIDR/VMIDR:
 https://lists.gnu.org/archive/html/qemu-devel/2018-02/msg04181.html
 So I've dropped the final "enable raspi3 board" patch for the
 moment. When that VMIDR/VMPIDR patch gets reviewed we can
 put the raspi3 patch in with it.
 thanks
 -- PMM
-The following changes since commit f003d07337a6d4d02c43429b26a4270459afb51a:
+The following changes since commit ba54a7e6b86884e43bed2d2f5a79c719059652a8:
-  Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging (2018-02-15 15:45:33 +0000)
+  Merge tag 'net-pull-request' of https://github.com/jasowang/qemu into staging (2024-11-26 14:06:40 +0000)
 are available in the Git repository at:
-  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180215-1
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20241126
-for you to fetch changes up to bade58166f4466546600d824a2695a00269d10eb:
+for you to fetch changes up to d8790ead55a2ef1e65332ebec63ae3c5db598942:
-  raspi: Raspberry Pi 3 support (2018-02-15 18:33:46 +0000)
+  docs/system/arm/aspeed: add missing model supermicrox11spi-bmc (2024-11-26 16:22:38 +0000)
 ----------------------------------------------------------------
 target-arm queue:
- * aspeed: code cleanup to use unimplemented_device
+ * target/arm/tcg/cpu32.c: swap ATCM and BTCM register names
- * preparatory work for 'raspi3' RaspberryPi 3 machine model
+ * docs/system/arm: Fix broken links and missing feature names
  * more SVE prep work
  * v8M: add minor missing registers
  * v7M: fix bug where we weren't migrating v7m.other_sp
  * v7M: fix bugs in handling of interrupt registers for
    external interrupts beyond 32
 ----------------------------------------------------------------
-Pekka Enberg (2):
+Michael Tokarev (1):
-      bcm2836: Make CPU type configurable
+      target/arm/tcg/cpu32.c: swap ATCM and BTCM register names
       raspi: Raspberry Pi 3 support
-Peter Maydell (11):
+Pierrick Bouvier (8):
-      hw/intc/armv7m_nvic: Don't hardcode M profile ID registers in NVIC
+      docs/system/arm/emulation: mention armv9
-      hw/intc/armv7m_nvic: Fix ICSR PENDNMISET/CLR handling
+      docs/system/arm/emulation: fix typo in feature name
-      hw/intc/armv7m_nvic: Implement M profile cache maintenance ops
+      docs/system/arm/emulation: add FEAT_SSBS2
-      hw/intc/armv7m_nvic: Implement v8M CPPWR register
+      target/arm/tcg/: fix typo in FEAT name
-      hw/intc/armv7m_nvic: Implement cache ID registers
+      docs/system/arm/: add FEAT_MTE_ASYNC
-      hw/intc/armv7m_nvic: Implement SCR
+      docs/system/arm/: add FEAT_DoubleLock
-      target/arm: Implement writing to CONTROL_NS for v8M
+      docs/system/arm/fby35: update link to product page
-      hw/intc/armv7m_nvic: Fix byte-to-interrupt number conversions
+      docs/system/arm/aspeed: add missing model supermicrox11spi-bmc
       target/arm: Add AIRCR to vmstate struct
       target/arm: Migrate v7m.other_sp
       target/arm: Implement v8M MSPLIM and PSPLIM registers
-Philippe Mathieu-Daudé (2):
+ docs/system/arm/aspeed.rst    |  7 ++++---
-      hw/arm/aspeed: directly map the serial device to the system address space
+ docs/system/arm/emulation.rst | 11 +++++++----
-      hw/arm/aspeed: simplify using the 'unimplemented device' for aspeed_soc.io
+ docs/system/arm/fby35.rst     |  2 +-
+ target/arm/tcg/cpu32.c        |  6 +++---
-Richard Henderson (5):
+files changed, 15 insertions(+), 11 deletions(-)
       target/arm: Remove ARM_CP_64BIT from ZCR_EL registers
       target/arm: Enforce FP access to FPCR/FPSR
       target/arm: Suppress TB end for FPCR/FPSR
       target/arm: Enforce access to ZCR_EL at translation
       target/arm: Handle SVE registers when using clear_vec_high
  include/hw/arm/aspeed_soc.h |   1 -
  include/hw/arm/bcm2836.h    |   1 +
  target/arm/cpu.h            |  71 ++++++++++++-----
  target/arm/internals.h      |   6 ++
  hw/arm/aspeed_soc.c         |  35 ++-------
  hw/arm/bcm2836.c            |  17 +++--
  hw/arm/raspi.c              |  34 ++++++---
  hw/intc/armv7m_nvic.c       |  98 ++++++++++++++++++------
  target/arm/cpu.c            |  28 +++++++
  target/arm/helper.c         |  84 +++++++++++++++-----
  target/arm/machine.c        |  84 ++++++++++++++++++++
  target/arm/translate-a64.c  | 181 ++++++++++++++++++++------------------------
 files changed, 429 insertions(+), 211 deletions(-)

-[Qemu-devel] [PULL 05/20] target/arm: Suppress TB end for FPCR/FPSR
+[PULL 1/9] target/arm/tcg/cpu32.c: swap ATCM and BTCM register names
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Michael Tokarev <mjt@tls.msk.ru>
-Nothing in either register affects the TB.
+According to Cortex-R5 r1p2 manual, register with opcode2=0 is
 BTCM and with opcode2=1 is ATCM, - exactly the opposite from how
 qemu labels them.  Just swap the labels to avoid confusion, -
 both registers are implemented as always-zero.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-Message-id: 20180211205848.4568-4-richard.henderson@linaro.org
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20241121171602.3273252-1-mjt@tls.msk.ru
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.c | 4 ++--
+ target/arm/tcg/cpu32.c | 4 ++--
 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
+diff --git a/target/arm/tcg/cpu32.c b/target/arm/tcg/cpu32.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
+--- a/target/arm/tcg/cpu32.c
-+++ b/target/arm/helper.c
++++ b/target/arm/tcg/cpu32.c
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
+@@ -XXX,XX +XXX,XX @@ static void cortex_a15_initfn(Object *obj)
-       .writefn = aa64_daif_write, .resetfn = arm_cp_reset_ignore },
-     { .name = "FPCR", .state = ARM_CP_STATE_AA64,
+ static const ARMCPRegInfo cortexr5_cp_reginfo[] = {
-       .opc0 = 3, .opc1 = 3, .opc2 = 0, .crn = 4, .crm = 4,
+     /* Dummy the TCM region regs for the moment */
--      .access = PL0_RW, .type = ARM_CP_FPU,
+-    { .name = "ATCM", .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 0,
-+      .access = PL0_RW, .type = ARM_CP_FPU | ARM_CP_SUPPRESS_TB_END,
++    { .name = "BTCM", .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 0,
-       .readfn = aa64_fpcr_read, .writefn = aa64_fpcr_write },
+       .access = PL1_RW, .type = ARM_CP_CONST },
-     { .name = "FPSR", .state = ARM_CP_STATE_AA64,
+-    { .name = "BTCM", .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 1,
-       .opc0 = 3, .opc1 = 3, .opc2 = 1, .crn = 4, .crm = 4,
++    { .name = "ATCM", .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 1,
--      .access = PL0_RW, .type = ARM_CP_FPU,
+       .access = PL1_RW, .type = ARM_CP_CONST },
-+      .access = PL0_RW, .type = ARM_CP_FPU | ARM_CP_SUPPRESS_TB_END,
+     { .name = "DCACHE_INVAL", .cp = 15, .opc1 = 0, .crn = 15, .crm = 5,
-       .readfn = aa64_fpsr_read, .writefn = aa64_fpsr_write },
+       .opc2 = 0, .access = PL1_W, .type = ARM_CP_NOP },
      { .name = "DCZID_EL0", .state = ARM_CP_STATE_AA64,
        .opc0 = 3, .opc1 = 3, .opc2 = 7, .crn = 0, .crm = 0,
 --
-.16.1
+.34.1

-[Qemu-devel] [PULL 20/20] raspi: Raspberry Pi 3 support
+[PULL 2/9] docs/system/arm/emulation: mention armv9
-From: Pekka Enberg <penberg@iki.fi>
+From: Pierrick Bouvier <pierrick.bouvier@linaro.org>
-This patch adds Raspberry Pi 3 support to hw/arm/raspi.c. The
+Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
-differences to Pi 2 are:
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20241122225049.1617774-2-pierrick.bouvier@linaro.org
  - Firmware address
  - Board ID
  - Board revision
 The CPU is different too, but that's going to be configured as part of
 the machine default CPU when we introduce a new machine type.
 The patch was written from scratch by me but the logic is similar to
 Zoltán Baldaszti's previous work, which I used as a reference (with
 permission from the author):
   https://github.com/bztsrc/qemu-raspi3
 Signed-off-by: Pekka Enberg <penberg@iki.fi>
 [PMM: fixed trailing whitespace on one line]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/raspi.c | 31 +++++++++++++++++++++----------
+ docs/system/arm/emulation.rst | 6 +++---
-file changed, 21 insertions(+), 10 deletions(-)
+file changed, 3 insertions(+), 3 deletions(-)
-diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
+diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/raspi.c
+--- a/docs/system/arm/emulation.rst
-+++ b/hw/arm/raspi.c
++++ b/docs/system/arm/emulation.rst
 @@ -XXX,XX +XXX,XX @@
-  * Rasperry Pi 2 emulation Copyright (c) 2015, Microsoft
+ A-profile CPU architecture support
-  * Written by Andrew Baumann
+ ==================================
-  *
-+ * Raspberry Pi 3 emulation Copyright (c) 2018 Zoltán Baldaszti
+-QEMU's TCG emulation includes support for the Armv5, Armv6, Armv7 and
-+ * Upstream code cleanup (c) 2018 Pekka Enberg
+-Armv8 versions of the A-profile architecture. It also has support for
-+ *
++QEMU's TCG emulation includes support for the Armv5, Armv6, Armv7,
-  * This code is licensed under the GNU GPLv2 and later.
++Armv8 and Armv9 versions of the A-profile architecture. It also has support for
-  */
+ the following architecture extensions:
-@@ -XXX,XX +XXX,XX @@
+ - FEAT_AA32BF16 (AArch32 BFloat16 instructions)
- #define SMPBOOT_ADDR    0x300 /* this should leave enough space for ATAGS */
+@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
- #define MVBAR_ADDR      0x400 /* secure vectors */
+ - FEAT_XNX (Translation table stage 2 Unprivileged Execute-never)
- #define BOARDSETUP_ADDR (MVBAR_ADDR + 0x20) /* board setup code */
--#define FIRMWARE_ADDR   0x8000 /* Pi loads kernel.img here by default */
+ For information on the specifics of these extensions, please refer
-+#define FIRMWARE_ADDR_2 0x8000 /* Pi 2 loads kernel.img here by default */
+-to the `Armv8-A Arm Architecture Reference Manual
-+#define FIRMWARE_ADDR_3 0x80000 /* Pi 3 loads kernel.img here by default */
++to the `Arm Architecture Reference Manual for A-profile architecture
+ <https://developer.arm.com/documentation/ddi0487/latest>`_.
- /* Table of Linux board IDs for different Pi versions */
--static const int raspi_boardid[] = {[1] = 0xc42, [2] = 0xc43};
+ When a specific named CPU is being emulated, only those features which
 +static const int raspi_boardid[] = {[1] = 0xc42, [2] = 0xc43, [3] = 0xc44};
  typedef struct RasPiState {
      BCM2836State soc;
@@ -XXX,XX +XXX,XX @@ static void setup_boot(MachineState *machine, int version, size_t ram_size)
      binfo.secure_board_setup = true;
      binfo.secure_boot = true;
 -    /* Pi2 requires SMP setup */
 -    if (version == 2) {
 +    /* Pi2 and Pi3 requires SMP setup */
 +    if (version >= 2) {
          binfo.smp_loader_start = SMPBOOT_ADDR;
          binfo.write_secondary_boot = write_smpboot;
          binfo.secondary_cpu_reset_hook = reset_secondary;
@@ -XXX,XX +XXX,XX @@ static void setup_boot(MachineState *machine, int version, size_t ram_size)
       * the normal Linux boot process
       */
      if (machine->firmware) {
 +        hwaddr firmware_addr = version == 3 ? FIRMWARE_ADDR_3 : FIRMWARE_ADDR_2;
          /* load the firmware image (typically kernel.img) */
 -        r = load_image_targphys(machine->firmware, FIRMWARE_ADDR,
 -                                ram_size - FIRMWARE_ADDR);
 +        r = load_image_targphys(machine->firmware, firmware_addr,
 +                                ram_size - firmware_addr);
          if (r < 0) {
              error_report("Failed to load firmware from %s", machine->firmware);
              exit(1);
          }
 -        binfo.entry = FIRMWARE_ADDR;
 +        binfo.entry = firmware_addr;
          binfo.firmware_loaded = true;
      } else {
          binfo.kernel_filename = machine->kernel_filename;
@@ -XXX,XX +XXX,XX @@ static void setup_boot(MachineState *machine, int version, size_t ram_size)
      arm_load_kernel(ARM_CPU(first_cpu), &binfo);
  }
 -static void raspi2_init(MachineState *machine)
 +static void raspi_init(MachineState *machine, int version)
  {
      RasPiState *s = g_new0(RasPiState, 1);
      uint32_t vcram_size;
@@ -XXX,XX +XXX,XX @@ static void raspi2_init(MachineState *machine)
                              &error_abort);
      object_property_set_int(OBJECT(&s->soc), smp_cpus, "enabled-cpus",
                              &error_abort);
 -    object_property_set_int(OBJECT(&s->soc), 0xa21041, "board-rev",
 +    int board_rev = version == 3 ? 0xa02082 : 0xa21041;
 +    object_property_set_int(OBJECT(&s->soc), board_rev, "board-rev",
                              &error_abort);
      object_property_set_bool(OBJECT(&s->soc), true, "realized", &error_abort);
@@ -XXX,XX +XXX,XX @@ static void raspi2_init(MachineState *machine)
      vcram_size = object_property_get_uint(OBJECT(&s->soc), "vcram-size",
                                            &error_abort);
 -    setup_boot(machine, 2, machine->ram_size - vcram_size);
 +    setup_boot(machine, version, machine->ram_size - vcram_size);
 +}
 +
 +static void raspi2_init(MachineState *machine)
 +{
 +    raspi_init(machine, 2);
  }
  static void raspi2_machine_init(MachineClass *mc)
 --
-.16.1
+.34.1

-[Qemu-devel] [PULL 19/20] bcm2836: Make CPU type configurable
+[PULL 3/9] docs/system/arm/emulation: fix typo in feature name
-From: Pekka Enberg <penberg@iki.fi>
+From: Pierrick Bouvier <pierrick.bouvier@linaro.org>
-This patch adds a "cpu-type" property to BCM2836 SoC in preparation for
+Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
-reusing the code for the Raspberry Pi 3, which has a different processor
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-model.
+Message-id: 20241122225049.1617774-3-pierrick.bouvier@linaro.org
 Signed-off-by: Pekka Enberg <penberg@iki.fi>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/arm/bcm2836.h |  1 +
+ docs/system/arm/emulation.rst | 2 +-
- hw/arm/bcm2836.c         | 17 +++++++++--------
+file changed, 1 insertion(+), 1 deletion(-)
  hw/arm/raspi.c           |  3 +++
 files changed, 13 insertions(+), 8 deletions(-)
-diff --git a/include/hw/arm/bcm2836.h b/include/hw/arm/bcm2836.h
+diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/bcm2836.h
+--- a/docs/system/arm/emulation.rst
-+++ b/include/hw/arm/bcm2836.h
++++ b/docs/system/arm/emulation.rst
-@@ -XXX,XX +XXX,XX @@ typedef struct BCM2836State {
+@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
-     DeviceState parent_obj;
+ - FEAT_LSE2 (Large System Extensions v2)
-     /*< public >*/
+ - FEAT_LVA (Large Virtual Address space)
+ - FEAT_MixedEnd (Mixed-endian support)
-+    char *cpu_type;
+-- FEAT_MixdEndEL0 (Mixed-endian support at EL0)
-     uint32_t enabled_cpus;
++- FEAT_MixedEndEL0 (Mixed-endian support at EL0)
+ - FEAT_MOPS (Standardization of memory operations)
-     ARMCPU cpus[BCM2836_NCPUS];
+ - FEAT_MTE (Memory Tagging Extension)
-diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c
+ - FEAT_MTE2 (Memory Tagging Extension)
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/bcm2836.c
 +++ b/hw/arm/bcm2836.c
@@ -XXX,XX +XXX,XX @@
  static void bcm2836_init(Object *obj)
  {
      BCM2836State *s = BCM2836(obj);
 -    int n;
 -
 -    for (n = 0; n < BCM2836_NCPUS; n++) {
 -        object_initialize(&s->cpus[n], sizeof(s->cpus[n]),
 -                          "cortex-a15-" TYPE_ARM_CPU);
 -        object_property_add_child(obj, "cpu[*]", OBJECT(&s->cpus[n]),
 -                                  &error_abort);
 -    }
      object_initialize(&s->control, sizeof(s->control), TYPE_BCM2836_CONTROL);
      object_property_add_child(obj, "control", OBJECT(&s->control), NULL);
@@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp)
      /* common peripherals from bcm2835 */
 +    obj = OBJECT(dev);
 +    for (n = 0; n < BCM2836_NCPUS; n++) {
 +        object_initialize(&s->cpus[n], sizeof(s->cpus[n]),
 +                          s->cpu_type);
 +        object_property_add_child(obj, "cpu[*]", OBJECT(&s->cpus[n]),
 +                                  &error_abort);
 +    }
 +
      obj = object_property_get_link(OBJECT(dev), "ram", &err);
      if (obj == NULL) {
          error_setg(errp, "%s: required ram link not found: %s",
@@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp)
  }
  static Property bcm2836_props[] = {
 +    DEFINE_PROP_STRING("cpu-type", BCM2836State, cpu_type),
      DEFINE_PROP_UINT32("enabled-cpus", BCM2836State, enabled_cpus, BCM2836_NCPUS),
      DEFINE_PROP_END_OF_LIST()
  };
 diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/raspi.c
 +++ b/hw/arm/raspi.c
@@ -XXX,XX +XXX,XX @@ static void raspi2_init(MachineState *machine)
      /* Setup the SOC */
      object_property_add_const_link(OBJECT(&s->soc), "ram", OBJECT(&s->ram),
                                     &error_abort);
 +    object_property_set_str(OBJECT(&s->soc), machine->cpu_type, "cpu-type",
 +                            &error_abort);
      object_property_set_int(OBJECT(&s->soc), smp_cpus, "enabled-cpus",
                              &error_abort);
      object_property_set_int(OBJECT(&s->soc), 0xa21041, "board-rev",
@@ -XXX,XX +XXX,XX @@ static void raspi2_machine_init(MachineClass *mc)
      mc->no_parallel = 1;
      mc->no_floppy = 1;
      mc->no_cdrom = 1;
 +    mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a15");
      mc->max_cpus = BCM2836_NCPUS;
      mc->min_cpus = BCM2836_NCPUS;
      mc->default_cpus = BCM2836_NCPUS;
 --
-.16.1
+.34.1

-[Qemu-devel] [PULL 07/20] target/arm: Handle SVE registers when using clear_vec_high
+[PULL 4/9] docs/system/arm/emulation: add FEAT_SSBS2
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Pierrick Bouvier <pierrick.bouvier@linaro.org>
-When storing to an AdvSIMD FP register, all of the high
+We implemented this at the same times as FEAT_SSBS, but forgot
-bits of the SVE register are zeroed.  Therefore, call it
+to list it in the documentation.
 more often with is_q as a parameter.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
-Message-id: 20180211205848.4568-6-richard.henderson@linaro.org
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20241122225049.1617774-4-pierrick.bouvier@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+[PMM: improve commit message]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.c | 162 +++++++++++++++++----------------------------
+ docs/system/arm/emulation.rst | 1 +
-file changed, 62 insertions(+), 100 deletions(-)
+file changed, 1 insertion(+)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
+--- a/docs/system/arm/emulation.rst
-+++ b/target/arm/translate-a64.c
++++ b/docs/system/arm/emulation.rst
-@@ -XXX,XX +XXX,XX @@ static TCGv_i32 read_fp_sreg(DisasContext *s, int reg)
+@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
-     return v;
+ - FEAT_SVE2 (Scalable Vector Extension version 2)
- }
+ - FEAT_SPECRES (Speculation restriction instructions)
+ - FEAT_SSBS (Speculative Store Bypass Safe)
-+/* Clear the bits above an N-bit vector, for N = (is_q ? 128 : 64).
++- FEAT_SSBS2 (MRS and MSR instructions for SSBS version 2)
-+ * If SVE is not enabled, then there are only 128 bits in the vector.
+ - FEAT_TGran16K (Support for 16KB memory translation granule size at stage 1)
-+ */
+ - FEAT_TGran4K (Support for 4KB memory translation granule size at stage 1)
-+static void clear_vec_high(DisasContext *s, bool is_q, int rd)
+ - FEAT_TGran64K (Support for 64KB memory translation granule size at stage 1)
 +{
 +    unsigned ofs = fp_reg_offset(s, rd, MO_64);
 +    unsigned vsz = vec_full_reg_size(s);
 +
 +    if (!is_q) {
 +        TCGv_i64 tcg_zero = tcg_const_i64(0);
 +        tcg_gen_st_i64(tcg_zero, cpu_env, ofs + 8);
 +        tcg_temp_free_i64(tcg_zero);
 +    }
 +    if (vsz > 16) {
 +        tcg_gen_gvec_dup8i(ofs + 16, vsz - 16, vsz - 16, 0);
 +    }
 +}
 +
  static void write_fp_dreg(DisasContext *s, int reg, TCGv_i64 v)
  {
 -    TCGv_i64 tcg_zero = tcg_const_i64(0);
 +    unsigned ofs = fp_reg_offset(s, reg, MO_64);
 -    tcg_gen_st_i64(v, cpu_env, fp_reg_offset(s, reg, MO_64));
 -    tcg_gen_st_i64(tcg_zero, cpu_env, fp_reg_hi_offset(s, reg));
 -    tcg_temp_free_i64(tcg_zero);
 +    tcg_gen_st_i64(v, cpu_env, ofs);
 +    clear_vec_high(s, false, reg);
  }
  static void write_fp_sreg(DisasContext *s, int reg, TCGv_i32 v)
@@ -XXX,XX +XXX,XX @@ static void do_fp_ld(DisasContext *s, int destidx, TCGv_i64 tcg_addr, int size)
      tcg_temp_free_i64(tmplo);
      tcg_temp_free_i64(tmphi);
 +
 +    clear_vec_high(s, true, destidx);
  }
  /*
@@ -XXX,XX +XXX,XX @@ static void write_vec_element_i32(DisasContext *s, TCGv_i32 tcg_src,
      }
  }
 -/* Clear the high 64 bits of a 128 bit vector (in general non-quad
 - * vector ops all need to do this).
 - */
 -static void clear_vec_high(DisasContext *s, int rd)
 -{
 -    TCGv_i64 tcg_zero = tcg_const_i64(0);
 -
 -    write_vec_element(s, tcg_zero, rd, 1, MO_64);
 -    tcg_temp_free_i64(tcg_zero);
 -}
 -
  /* Store from vector register to memory */
  static void do_vec_st(DisasContext *s, int srcidx, int element,
                        TCGv_i64 tcg_addr, int size)
@@ -XXX,XX +XXX,XX @@ static void disas_ldst_multiple_struct(DisasContext *s, uint32_t insn)
                      /* For non-quad operations, setting a slice of the low
                       * 64 bits of the register clears the high 64 bits (in
                       * the ARM ARM pseudocode this is implicit in the fact
 -                     * that 'rval' is a 64 bit wide variable). We optimize
 -                     * by noticing that we only need to do this the first
 -                     * time we touch a register.
 +                     * that 'rval' is a 64 bit wide variable).
 +                     * For quad operations, we might still need to zero the
 +                     * high bits of SVE.  We optimize by noticing that we only
 +                     * need to do this the first time we touch a register.
                       */
 -                    if (!is_q && e == 0 && (r == 0 || xs == selem - 1)) {
 -                        clear_vec_high(s, tt);
 +                    if (e == 0 && (r == 0 || xs == selem - 1)) {
 +                        clear_vec_high(s, is_q, tt);
                      }
                  }
                  tcg_gen_addi_i64(tcg_addr, tcg_addr, ebytes);
@@ -XXX,XX +XXX,XX @@ static void disas_ldst_single_struct(DisasContext *s, uint32_t insn)
              write_vec_element(s, tcg_tmp, rt, 0, MO_64);
              if (is_q) {
                  write_vec_element(s, tcg_tmp, rt, 1, MO_64);
 -            } else {
 -                clear_vec_high(s, rt);
              }
              tcg_temp_free_i64(tcg_tmp);
 +            clear_vec_high(s, is_q, rt);
          } else {
              /* Load/store one element per register */
              if (is_load) {
@@ -XXX,XX +XXX,XX @@ static void handle_vec_simd_sqshrn(DisasContext *s, bool is_scalar, bool is_q,
      }
      if (!is_q) {
 -        clear_vec_high(s, rd);
          write_vec_element(s, tcg_final, rd, 0, MO_64);
      } else {
          write_vec_element(s, tcg_final, rd, 1, MO_64);
@@ -XXX,XX +XXX,XX @@ static void handle_vec_simd_sqshrn(DisasContext *s, bool is_scalar, bool is_q,
      tcg_temp_free_i64(tcg_rd);
      tcg_temp_free_i32(tcg_rd_narrowed);
      tcg_temp_free_i64(tcg_final);
 -    return;
 +
 +    clear_vec_high(s, is_q, rd);
  }
  /* SQSHLU, UQSHL, SQSHL: saturating left shifts */
@@ -XXX,XX +XXX,XX @@ static void handle_simd_qshl(DisasContext *s, bool scalar, bool is_q,
              tcg_temp_free_i64(tcg_op);
          }
          tcg_temp_free_i64(tcg_shift);
 -
 -        if (!is_q) {
 -            clear_vec_high(s, rd);
 -        }
 +        clear_vec_high(s, is_q, rd);
      } else {
          TCGv_i32 tcg_shift = tcg_const_i32(shift);
          static NeonGenTwoOpEnvFn * const fns[2][2][3] = {
@@ -XXX,XX +XXX,XX @@ static void handle_simd_qshl(DisasContext *s, bool scalar, bool is_q,
          }
          tcg_temp_free_i32(tcg_shift);
 -        if (!is_q && !scalar) {
 -            clear_vec_high(s, rd);
 +        if (!scalar) {
 +            clear_vec_high(s, is_q, rd);
          }
      }
  }
@@ -XXX,XX +XXX,XX @@ static void handle_simd_intfp_conv(DisasContext *s, int rd, int rn,
          }
      }
 -    if (!is_double && elements == 2) {
 -        clear_vec_high(s, rd);
 -    }
 -
      tcg_temp_free_i64(tcg_int);
      tcg_temp_free_ptr(tcg_fpst);
      tcg_temp_free_i32(tcg_shift);
 +
 +    clear_vec_high(s, elements << size == 16, rd);
  }
  /* UCVTF/SCVTF - Integer to FP conversion */
@@ -XXX,XX +XXX,XX @@ static void handle_simd_shift_fpint_conv(DisasContext *s, bool is_scalar,
              write_vec_element(s, tcg_op, rd, pass, MO_64);
              tcg_temp_free_i64(tcg_op);
          }
 -        if (!is_q) {
 -            clear_vec_high(s, rd);
 -        }
 +        clear_vec_high(s, is_q, rd);
      } else {
          int maxpass = is_scalar ? 1 : is_q ? 4 : 2;
          for (pass = 0; pass < maxpass; pass++) {
@@ -XXX,XX +XXX,XX @@ static void handle_simd_shift_fpint_conv(DisasContext *s, bool is_scalar,
              }
              tcg_temp_free_i32(tcg_op);
          }
 -        if (!is_q && !is_scalar) {
 -            clear_vec_high(s, rd);
 +        if (!is_scalar) {
 +            clear_vec_high(s, is_q, rd);
          }
      }
@@ -XXX,XX +XXX,XX @@ static void handle_3same_float(DisasContext *s, int size, int elements,
      tcg_temp_free_ptr(fpst);
 -    if ((elements << size) < 4) {
 -        /* scalar, or non-quad vector op */
 -        clear_vec_high(s, rd);
 -    }
 +    clear_vec_high(s, elements * (size ? 8 : 4) > 8, rd);
  }
  /* AdvSIMD scalar three same
@@ -XXX,XX +XXX,XX @@ static void handle_2misc_fcmp_zero(DisasContext *s, int opcode,
              }
              write_vec_element(s, tcg_res, rd, pass, MO_64);
          }
 -        if (is_scalar) {
 -            clear_vec_high(s, rd);
 -        }
 -
          tcg_temp_free_i64(tcg_res);
          tcg_temp_free_i64(tcg_zero);
          tcg_temp_free_i64(tcg_op);
 +
 +        clear_vec_high(s, !is_scalar, rd);
      } else {
          TCGv_i32 tcg_op = tcg_temp_new_i32();
          TCGv_i32 tcg_zero = tcg_const_i32(0);
@@ -XXX,XX +XXX,XX @@ static void handle_2misc_fcmp_zero(DisasContext *s, int opcode,
          tcg_temp_free_i32(tcg_res);
          tcg_temp_free_i32(tcg_zero);
          tcg_temp_free_i32(tcg_op);
 -        if (!is_q && !is_scalar) {
 -            clear_vec_high(s, rd);
 +        if (!is_scalar) {
 +            clear_vec_high(s, is_q, rd);
          }
      }
@@ -XXX,XX +XXX,XX @@ static void handle_2misc_reciprocal(DisasContext *s, int opcode,
              }
              write_vec_element(s, tcg_res, rd, pass, MO_64);
          }
 -        if (is_scalar) {
 -            clear_vec_high(s, rd);
 -        }
 -
          tcg_temp_free_i64(tcg_res);
          tcg_temp_free_i64(tcg_op);
 +        clear_vec_high(s, !is_scalar, rd);
      } else {
          TCGv_i32 tcg_op = tcg_temp_new_i32();
          TCGv_i32 tcg_res = tcg_temp_new_i32();
@@ -XXX,XX +XXX,XX @@ static void handle_2misc_reciprocal(DisasContext *s, int opcode,
          }
          tcg_temp_free_i32(tcg_res);
          tcg_temp_free_i32(tcg_op);
 -        if (!is_q && !is_scalar) {
 -            clear_vec_high(s, rd);
 +        if (!is_scalar) {
 +            clear_vec_high(s, is_q, rd);
          }
      }
      tcg_temp_free_ptr(fpst);
@@ -XXX,XX +XXX,XX @@ static void handle_2misc_narrow(DisasContext *s, bool scalar,
          write_vec_element_i32(s, tcg_res[pass], rd, destelt + pass, MO_32);
          tcg_temp_free_i32(tcg_res[pass]);
      }
 -    if (!is_q) {
 -        clear_vec_high(s, rd);
 -    }
 +    clear_vec_high(s, is_q, rd);
  }
  /* Remaining saturating accumulating ops */
@@ -XXX,XX +XXX,XX @@ static void handle_2misc_satacc(DisasContext *s, bool is_scalar, bool is_u,
              }
              write_vec_element(s, tcg_rd, rd, pass, MO_64);
          }
 -        if (is_scalar) {
 -            clear_vec_high(s, rd);
 -        }
 -
          tcg_temp_free_i64(tcg_rd);
          tcg_temp_free_i64(tcg_rn);
 +        clear_vec_high(s, !is_scalar, rd);
      } else {
          TCGv_i32 tcg_rn = tcg_temp_new_i32();
          TCGv_i32 tcg_rd = tcg_temp_new_i32();
@@ -XXX,XX +XXX,XX @@ static void handle_2misc_satacc(DisasContext *s, bool is_scalar, bool is_u,
              }
              write_vec_element_i32(s, tcg_rd, rd, pass, MO_32);
          }
 -
 -        if (!is_q) {
 -            clear_vec_high(s, rd);
 -        }
 -
          tcg_temp_free_i32(tcg_rd);
          tcg_temp_free_i32(tcg_rn);
 +        clear_vec_high(s, is_q, rd);
      }
  }
@@ -XXX,XX +XXX,XX @@ static void handle_vec_simd_shri(DisasContext *s, bool is_q, bool is_u,
      tcg_temp_free_i64(tcg_round);
   done:
 -    if (!is_q) {
 -        clear_vec_high(s, rd);
 -    }
 +    clear_vec_high(s, is_q, rd);
  }
  static void gen_shl8_ins_i64(TCGv_i64 d, TCGv_i64 a, int64_t shift)
@@ -XXX,XX +XXX,XX @@ static void handle_vec_simd_shrn(DisasContext *s, bool is_q,
      }
      if (!is_q) {
 -        clear_vec_high(s, rd);
          write_vec_element(s, tcg_final, rd, 0, MO_64);
      } else {
          write_vec_element(s, tcg_final, rd, 1, MO_64);
      }
 -
      if (round) {
          tcg_temp_free_i64(tcg_round);
      }
      tcg_temp_free_i64(tcg_rn);
      tcg_temp_free_i64(tcg_rd);
      tcg_temp_free_i64(tcg_final);
 -    return;
 +
 +    clear_vec_high(s, is_q, rd);
  }
@@ -XXX,XX +XXX,XX @@ static void handle_3rd_narrowing(DisasContext *s, int is_q, int is_u, int size,
          write_vec_element_i32(s, tcg_res[pass], rd, pass + part, MO_32);
          tcg_temp_free_i32(tcg_res[pass]);
      }
 -    if (!is_q) {
 -        clear_vec_high(s, rd);
 -    }
 +    clear_vec_high(s, is_q, rd);
  }
  static void handle_pmull_64(DisasContext *s, int is_q, int rd, int rn, int rm)
@@ -XXX,XX +XXX,XX @@ static void handle_simd_3same_pair(DisasContext *s, int is_q, int u, int opcode,
              write_vec_element_i32(s, tcg_res[pass], rd, pass, MO_32);
              tcg_temp_free_i32(tcg_res[pass]);
          }
 -        if (!is_q) {
 -            clear_vec_high(s, rd);
 -        }
 +        clear_vec_high(s, is_q, rd);
      }
      if (fpst) {
@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
              tcg_temp_free_i32(tcg_op2);
          }
      }
 -
 -    if (!is_q) {
 -        clear_vec_high(s, rd);
 -    }
 +    clear_vec_high(s, is_q, rd);
  }
  /* AdvSIMD three same
@@ -XXX,XX +XXX,XX @@ static void handle_rev(DisasContext *s, int opcode, bool u,
              write_vec_element(s, tcg_tmp, rd, i, grp_size);
              tcg_temp_free_i64(tcg_tmp);
          }
 -        if (!is_q) {
 -            clear_vec_high(s, rd);
 -        }
 +        clear_vec_high(s, is_q, rd);
      } else {
          int revmask = (1 << grp_size) - 1;
          int esize = 8 << size;
@@ -XXX,XX +XXX,XX @@ static void disas_simd_two_reg_misc(DisasContext *s, uint32_t insn)
              tcg_temp_free_i32(tcg_op);
          }
      }
 -    if (!is_q) {
 -        clear_vec_high(s, rd);
 -    }
 +    clear_vec_high(s, is_q, rd);
      if (need_rmode) {
          gen_helper_set_rmode(tcg_rmode, tcg_rmode, cpu_env);
@@ -XXX,XX +XXX,XX @@ static void disas_simd_indexed(DisasContext *s, uint32_t insn)
              tcg_temp_free_i64(tcg_res);
          }
 -        if (is_scalar) {
 -            clear_vec_high(s, rd);
 -        }
 -
          tcg_temp_free_i64(tcg_idx);
 +        clear_vec_high(s, !is_scalar, rd);
      } else if (!is_long) {
          /* 32 bit floating point, or 16 or 32 bit integer.
           * For the 16 bit scalar case we use the usual Neon helpers and
@@ -XXX,XX +XXX,XX @@ static void disas_simd_indexed(DisasContext *s, uint32_t insn)
          }
          tcg_temp_free_i32(tcg_idx);
 -
 -        if (!is_q) {
 -            clear_vec_high(s, rd);
 -        }
 +        clear_vec_high(s, is_q, rd);
      } else {
          /* long ops: 16x16->32 or 32x32->64 */
          TCGv_i64 tcg_res[2];
@@ -XXX,XX +XXX,XX @@ static void disas_simd_indexed(DisasContext *s, uint32_t insn)
              }
              tcg_temp_free_i64(tcg_idx);
 -            if (is_scalar) {
 -                clear_vec_high(s, rd);
 -            }
 +            clear_vec_high(s, !is_scalar, rd);
          } else {
              TCGv_i32 tcg_idx = tcg_temp_new_i32();
 --
-.16.1
+.34.1

-[Qemu-devel] [PULL 06/20] target/arm: Enforce access to ZCR_EL at translation
+[PULL 5/9] target/arm/tcg/: fix typo in FEAT name
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Pierrick Bouvier <pierrick.bouvier@linaro.org>
-This also makes sure that we get the correct ordering of
+Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
-SVE vs FP exceptions.
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20241122225049.1617774-5-pierrick.bouvier@linaro.org
 Message-id: 20180211205848.4568-5-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.h           |  3 ++-
+ target/arm/tcg/cpu32.c | 2 +-
- target/arm/internals.h     |  6 ++++++
+file changed, 1 insertion(+), 1 deletion(-)
  target/arm/helper.c        | 22 ++++------------------
  target/arm/translate-a64.c | 16 ++++++++++++++++
 files changed, 28 insertions(+), 19 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+diff --git a/target/arm/tcg/cpu32.c b/target/arm/tcg/cpu32.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
+--- a/target/arm/tcg/cpu32.c
-+++ b/target/arm/cpu.h
++++ b/target/arm/tcg/cpu32.c
-@@ -XXX,XX +XXX,XX @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
+@@ -XXX,XX +XXX,XX @@ void aa32_max_features(ARMCPU *cpu)
- #define ARM_CP_DC_ZVA            (ARM_CP_SPECIAL | 0x0500)
+     cpu->isar.id_mmfr5 = t;
- #define ARM_LAST_SPECIAL         ARM_CP_DC_ZVA
- #define ARM_CP_FPU               0x1000
+     t = cpu->isar.id_pfr0;
-+#define ARM_CP_SVE               0x2000
+-    t = FIELD_DP32(t, ID_PFR0, CSV2, 2);          /* FEAT_CVS2 */
- /* Used only as a terminator for ARMCPRegInfo lists */
++    t = FIELD_DP32(t, ID_PFR0, CSV2, 2);          /* FEAT_CSV2 */
- #define ARM_CP_SENTINEL          0xffff
+     t = FIELD_DP32(t, ID_PFR0, DIT, 1);           /* FEAT_DIT */
- /* Mask of only the flag bits in a type field */
+     t = FIELD_DP32(t, ID_PFR0, RAS, 1);           /* FEAT_RAS */
--#define ARM_CP_FLAG_MASK         0x10ff
+     cpu->isar.id_pfr0 = t;
 +#define ARM_CP_FLAG_MASK         0x30ff
  /* Valid values for ARMCPRegInfo state field, indicating which of
   * the AArch32 and AArch64 execution states this register is visible in.
 diff --git a/target/arm/internals.h b/target/arm/internals.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/internals.h
 +++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ enum arm_exception_class {
      EC_AA64_HVC               = 0x16,
      EC_AA64_SMC               = 0x17,
      EC_SYSTEMREGISTERTRAP     = 0x18,
 +    EC_SVEACCESSTRAP          = 0x19,
      EC_INSNABORT              = 0x20,
      EC_INSNABORT_SAME_EL      = 0x21,
      EC_PCALIGNMENT            = 0x22,
@@ -XXX,XX +XXX,XX @@ static inline uint32_t syn_fp_access_trap(int cv, int cond, bool is_16bit)
          | (cv << 24) | (cond << 20);
  }
 +static inline uint32_t syn_sve_access_trap(void)
 +{
 +    return EC_SVEACCESSTRAP << ARM_EL_EC_SHIFT;
 +}
 +
  static inline uint32_t syn_insn_abort(int same_el, int ea, int s1ptw, int fsc)
  {
      return (EC_INSNABORT << ARM_EL_EC_SHIFT) | (same_el << ARM_EL_EC_SHIFT)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static int sve_exception_el(CPUARMState *env)
      return 0;
  }
 -static CPAccessResult zcr_access(CPUARMState *env, const ARMCPRegInfo *ri,
 -                                 bool isread)
 -{
 -    switch (sve_exception_el(env)) {
 -    case 3:
 -        return CP_ACCESS_TRAP_EL3;
 -    case 2:
 -        return CP_ACCESS_TRAP_EL2;
 -    case 1:
 -        return CP_ACCESS_TRAP;
 -    }
 -    return CP_ACCESS_OK;
 -}
 -
  static void zcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                        uint64_t value)
  {
@@ -XXX,XX +XXX,XX @@ static void zcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
  static const ARMCPRegInfo zcr_el1_reginfo = {
      .name = "ZCR_EL1", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 2, .opc2 = 0,
 -    .access = PL1_RW, .accessfn = zcr_access,
 +    .access = PL1_RW, .type = ARM_CP_SVE | ARM_CP_FPU,
      .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[1]),
      .writefn = zcr_write, .raw_writefn = raw_write
  };
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo zcr_el1_reginfo = {
  static const ARMCPRegInfo zcr_el2_reginfo = {
      .name = "ZCR_EL2", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 0,
 -    .access = PL2_RW, .accessfn = zcr_access,
 +    .access = PL2_RW, .type = ARM_CP_SVE | ARM_CP_FPU,
      .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[2]),
      .writefn = zcr_write, .raw_writefn = raw_write
  };
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo zcr_el2_reginfo = {
  static const ARMCPRegInfo zcr_no_el2_reginfo = {
      .name = "ZCR_EL2", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 0,
 -    .access = PL2_RW,
 +    .access = PL2_RW, .type = ARM_CP_SVE | ARM_CP_FPU,
      .readfn = arm_cp_read_zero, .writefn = arm_cp_write_ignore
  };
  static const ARMCPRegInfo zcr_el3_reginfo = {
      .name = "ZCR_EL3", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 2, .opc2 = 0,
 -    .access = PL3_RW, .accessfn = zcr_access,
 +    .access = PL3_RW, .type = ARM_CP_SVE | ARM_CP_FPU,
      .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[3]),
      .writefn = zcr_write, .raw_writefn = raw_write
  };
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline bool fp_access_check(DisasContext *s)
      return false;
  }
 +/* Check that SVE access is enabled.  If it is, return true.
 + * If not, emit code to generate an appropriate exception and return false.
 + */
 +static inline bool sve_access_check(DisasContext *s)
 +{
 +    if (s->sve_excp_el) {
 +        gen_exception_insn(s, 4, EXCP_UDEF, syn_sve_access_trap(),
 +                           s->sve_excp_el);
 +        return false;
 +    }
 +    return true;
 +}
 +
  /*
   * This utility function is for doing register extension with an
   * optional shift. You will likely want to pass a temporary for the
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
      default:
          break;
      }
 +    if ((ri->type & ARM_CP_SVE) && !sve_access_check(s)) {
 +        return;
 +    }
      if ((ri->type & ARM_CP_FPU) && !fp_access_check(s)) {
          return;
      }
 --
-.16.1
+.34.1

-[Qemu-devel] [PULL 04/20] target/arm: Enforce FP access to FPCR/FPSR
+[PULL 6/9] docs/system/arm/: add FEAT_MTE_ASYNC
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Pierrick Bouvier <pierrick.bouvier@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+We already implement FEAT_MTE_ASYNC; we just forgot to list it
-Message-id: 20180211205848.4568-3-richard.henderson@linaro.org
+in the documentation.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20241122225049.1617774-6-pierrick.bouvier@linaro.org
 [PMM: expand commit message]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.h           | 35 ++++++++++++++++++-----------------
+ docs/system/arm/emulation.rst | 1 +
- target/arm/helper.c        |  6 ++++--
+file changed, 1 insertion(+)
  target/arm/translate-a64.c |  3 +++
 files changed, 25 insertions(+), 19 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
+--- a/docs/system/arm/emulation.rst
-+++ b/target/arm/cpu.h
++++ b/docs/system/arm/emulation.rst
-@@ -XXX,XX +XXX,XX @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
+@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
- }
+ - FEAT_MTE2 (Memory Tagging Extension)
+ - FEAT_MTE3 (MTE Asymmetric Fault Handling)
- /* ARMCPRegInfo type field bits. If the SPECIAL bit is set this is a
+ - FEAT_MTE_ASYM_FAULT (Memory tagging asymmetric faults)
-- * special-behaviour cp reg and bits [15..8] indicate what behaviour
++- FEAT_MTE_ASYNC (Asynchronous reporting of Tag Check Fault)
-+ * special-behaviour cp reg and bits [11..8] indicate what behaviour
+ - FEAT_NMI (Non-maskable Interrupt)
-  * it has. Otherwise it is a simple cp reg, where CONST indicates that
+ - FEAT_NV (Nested Virtualization)
-  * TCG can assume the value to be constant (ie load at translate time)
+ - FEAT_NV2 (Enhanced nested virtualization support)
   * and 64BIT indicates a 64 bit wide coprocessor register. SUPPRESS_TB_END
@@ -XXX,XX +XXX,XX @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
   * need to be surrounded by gen_io_start()/gen_io_end(). In particular,
   * registers which implement clocks or timers require this.
   */
 -#define ARM_CP_SPECIAL 1
 -#define ARM_CP_CONST 2
 -#define ARM_CP_64BIT 4
 -#define ARM_CP_SUPPRESS_TB_END 8
 -#define ARM_CP_OVERRIDE 16
 -#define ARM_CP_ALIAS 32
 -#define ARM_CP_IO 64
 -#define ARM_CP_NO_RAW 128
 -#define ARM_CP_NOP (ARM_CP_SPECIAL | (1 << 8))
 -#define ARM_CP_WFI (ARM_CP_SPECIAL | (2 << 8))
 -#define ARM_CP_NZCV (ARM_CP_SPECIAL | (3 << 8))
 -#define ARM_CP_CURRENTEL (ARM_CP_SPECIAL | (4 << 8))
 -#define ARM_CP_DC_ZVA (ARM_CP_SPECIAL | (5 << 8))
 -#define ARM_LAST_SPECIAL ARM_CP_DC_ZVA
 +#define ARM_CP_SPECIAL           0x0001
 +#define ARM_CP_CONST             0x0002
 +#define ARM_CP_64BIT             0x0004
 +#define ARM_CP_SUPPRESS_TB_END   0x0008
 +#define ARM_CP_OVERRIDE          0x0010
 +#define ARM_CP_ALIAS             0x0020
 +#define ARM_CP_IO                0x0040
 +#define ARM_CP_NO_RAW            0x0080
 +#define ARM_CP_NOP               (ARM_CP_SPECIAL | 0x0100)
 +#define ARM_CP_WFI               (ARM_CP_SPECIAL | 0x0200)
 +#define ARM_CP_NZCV              (ARM_CP_SPECIAL | 0x0300)
 +#define ARM_CP_CURRENTEL         (ARM_CP_SPECIAL | 0x0400)
 +#define ARM_CP_DC_ZVA            (ARM_CP_SPECIAL | 0x0500)
 +#define ARM_LAST_SPECIAL         ARM_CP_DC_ZVA
 +#define ARM_CP_FPU               0x1000
  /* Used only as a terminator for ARMCPRegInfo lists */
 -#define ARM_CP_SENTINEL 0xffff
 +#define ARM_CP_SENTINEL          0xffff
  /* Mask of only the flag bits in a type field */
 -#define ARM_CP_FLAG_MASK 0xff
 +#define ARM_CP_FLAG_MASK         0x10ff
  /* Valid values for ARMCPRegInfo state field, indicating which of
   * the AArch32 and AArch64 execution states this register is visible in.
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
        .writefn = aa64_daif_write, .resetfn = arm_cp_reset_ignore },
      { .name = "FPCR", .state = ARM_CP_STATE_AA64,
        .opc0 = 3, .opc1 = 3, .opc2 = 0, .crn = 4, .crm = 4,
 -      .access = PL0_RW, .readfn = aa64_fpcr_read, .writefn = aa64_fpcr_write },
 +      .access = PL0_RW, .type = ARM_CP_FPU,
 +      .readfn = aa64_fpcr_read, .writefn = aa64_fpcr_write },
      { .name = "FPSR", .state = ARM_CP_STATE_AA64,
        .opc0 = 3, .opc1 = 3, .opc2 = 1, .crn = 4, .crm = 4,
 -      .access = PL0_RW, .readfn = aa64_fpsr_read, .writefn = aa64_fpsr_write },
 +      .access = PL0_RW, .type = ARM_CP_FPU,
 +      .readfn = aa64_fpsr_read, .writefn = aa64_fpsr_write },
      { .name = "DCZID_EL0", .state = ARM_CP_STATE_AA64,
        .opc0 = 3, .opc1 = 3, .opc2 = 7, .crn = 0, .crm = 0,
        .access = PL0_R, .type = ARM_CP_NO_RAW,
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
      default:
          break;
      }
 +    if ((ri->type & ARM_CP_FPU) && !fp_access_check(s)) {
 +        return;
 +    }
      if ((tb_cflags(s->base.tb) & CF_USE_ICOUNT) && (ri->type & ARM_CP_IO)) {
          gen_io_start();
 --
-.16.1
+.34.1

-[Qemu-devel] [PULL 03/20] target/arm: Remove ARM_CP_64BIT from ZCR_EL registers
+[PULL 7/9] docs/system/arm/: add FEAT_DoubleLock
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Pierrick Bouvier <pierrick.bouvier@linaro.org>
-Because they are ARM_CP_STATE_AA64, ARM_CP_64BIT is implied.
+We already implement FEAT_DoubleLock (see commit f94a6df5dd6a7) when
 the ID registers call for it.  This feature is actually one that must
 *not* be implemented in v9.0, but since our documentation lists
 everything we can emulate, we should include FEAT_DoubleLock in the
 list.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
-Message-id: 20180211205848.4568-2-richard.henderson@linaro.org
+Message-id: 20241122225049.1617774-7-pierrick.bouvier@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+[PMM: expand commit message]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.c | 8 ++++----
+ docs/system/arm/emulation.rst | 1 +
-file changed, 4 insertions(+), 4 deletions(-)
+file changed, 1 insertion(+)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
+diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
+--- a/docs/system/arm/emulation.rst
-+++ b/target/arm/helper.c
++++ b/docs/system/arm/emulation.rst
-@@ -XXX,XX +XXX,XX @@ static void zcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
+@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
- static const ARMCPRegInfo zcr_el1_reginfo = {
+ - FEAT_CSV3 (Cache speculation variant 3)
-     .name = "ZCR_EL1", .state = ARM_CP_STATE_AA64,
+ - FEAT_DGH (Data gathering hint)
-     .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 2, .opc2 = 0,
+ - FEAT_DIT (Data Independent Timing instructions)
--    .access = PL1_RW, .accessfn = zcr_access, .type = ARM_CP_64BIT,
++- FEAT_DoubleLock (Double Lock)
-+    .access = PL1_RW, .accessfn = zcr_access,
+ - FEAT_DPB (DC CVAP instruction)
-     .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[1]),
+ - FEAT_DPB2 (DC CVADP instruction)
-     .writefn = zcr_write, .raw_writefn = raw_write
+ - FEAT_Debugv8p1 (Debug with VHE)
  };
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo zcr_el1_reginfo = {
  static const ARMCPRegInfo zcr_el2_reginfo = {
      .name = "ZCR_EL2", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 0,
 -    .access = PL2_RW, .accessfn = zcr_access, .type = ARM_CP_64BIT,
 +    .access = PL2_RW, .accessfn = zcr_access,
      .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[2]),
      .writefn = zcr_write, .raw_writefn = raw_write
  };
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo zcr_el2_reginfo = {
  static const ARMCPRegInfo zcr_no_el2_reginfo = {
      .name = "ZCR_EL2", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 0,
 -    .access = PL2_RW, .type = ARM_CP_64BIT,
 +    .access = PL2_RW,
      .readfn = arm_cp_read_zero, .writefn = arm_cp_write_ignore
  };
  static const ARMCPRegInfo zcr_el3_reginfo = {
      .name = "ZCR_EL3", .state = ARM_CP_STATE_AA64,
      .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 2, .opc2 = 0,
 -    .access = PL3_RW, .accessfn = zcr_access, .type = ARM_CP_64BIT,
 +    .access = PL3_RW, .accessfn = zcr_access,
      .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[3]),
      .writefn = zcr_write, .raw_writefn = raw_write
  };
 --
-.16.1
+.34.1

-[Qemu-devel] [PULL 02/20] hw/arm/aspeed: simplify using the 'unimplemented device' for aspeed_soc.io
+[PULL 8/9] docs/system/arm/fby35: update link to product page
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+From: Pierrick Bouvier <pierrick.bouvier@linaro.org>
-(qemu) info mtree
+Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
- address-space: cpu-memory-0
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-   0000000000000000-ffffffffffffffff (prio 0, i/o): system
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-     0000000000000000-0000000007ffffff (prio 0, rom): aspeed.boot_rom
+Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
--    000000001e600000-000000001e7fffff (prio -1, i/o): aspeed_soc.io
+Message-id: 20241122225049.1617774-8-pierrick.bouvier@linaro.org
 +    000000001e600000-000000001e7fffff (prio -1000, i/o): aspeed_soc.io
      000000001e620000-000000001e6200ff (prio 0, i/o): aspeed.smc.ast2500-fmc
      000000001e630000-000000001e6300ff (prio 0, i/o): aspeed.smc.ast2500-spi1
      000000001e631000-000000001e6310ff (prio 0, i/o): aspeed.smc.ast2500-spi2
 Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Cédric Le Goater <clg@kaod.org>
 Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
 Message-id: 20180209085755.30414-3-f4bug@amsat.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/arm/aspeed_soc.h |  1 -
+ docs/system/arm/fby35.rst | 2 +-
- hw/arm/aspeed_soc.c         | 32 +++-----------------------------
+file changed, 1 insertion(+), 1 deletion(-)
 files changed, 3 insertions(+), 30 deletions(-)
-diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
+diff --git a/docs/system/arm/fby35.rst b/docs/system/arm/fby35.rst
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/aspeed_soc.h
+--- a/docs/system/arm/fby35.rst
-+++ b/include/hw/arm/aspeed_soc.h
++++ b/docs/system/arm/fby35.rst
-@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSoCState {
+@@ -XXX,XX +XXX,XX @@ include various compute accelerators (video, inferencing, etc). At the moment,
+ only the first server slot's BIC is included.
-     /*< public >*/
-     ARMCPU cpu;
+ Yosemite v3.5 is itself a sled which fits into a 40U chassis, and 3 sleds
--    MemoryRegion iomem;
+-can be fit into a chassis. See `here <https://www.opencompute.org/products/423/wiwynn-yosemite-v3-server>`__
-     MemoryRegion sram;
++can be fit into a chassis. See `here <https://www.opencompute.org/products-chiplets/237/wiwynn-yosemite-v3-server>`__
-     AspeedVICState vic;
+ for an example.
-     AspeedTimerCtrlState timerctrl;
-diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
+ In this generation, the BMC is an AST2600 and each BIC is an AST1030. The BMC
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/aspeed_soc.c
 +++ b/hw/arm/aspeed_soc.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu-common.h"
  #include "cpu.h"
  #include "exec/address-spaces.h"
 +#include "hw/misc/unimp.h"
  #include "hw/arm/aspeed_soc.h"
  #include "hw/char/serial.h"
  #include "qemu/log.h"
@@ -XXX,XX +XXX,XX @@ static const AspeedSoCInfo aspeed_socs[] = {
      },
  };
 -/*
 - * IO handlers: simply catch any reads/writes to IO addresses that aren't
 - * handled by a device mapping.
 - */
 -
 -static uint64_t aspeed_soc_io_read(void *p, hwaddr offset, unsigned size)
 -{
 -    qemu_log_mask(LOG_UNIMP, "%s: 0x%" HWADDR_PRIx " [%u]\n",
 -                  __func__, offset, size);
 -    return 0;
 -}
 -
 -static void aspeed_soc_io_write(void *opaque, hwaddr offset, uint64_t value,
 -                unsigned size)
 -{
 -    qemu_log_mask(LOG_UNIMP, "%s: 0x%" HWADDR_PRIx " <- 0x%" PRIx64 " [%u]\n",
 -                  __func__, offset, value, size);
 -}
 -
 -static const MemoryRegionOps aspeed_soc_io_ops = {
 -    .read = aspeed_soc_io_read,
 -    .write = aspeed_soc_io_write,
 -    .endianness = DEVICE_LITTLE_ENDIAN,
 -};
 -
  static void aspeed_soc_init(Object *obj)
  {
      AspeedSoCState *s = ASPEED_SOC(obj);
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
      Error *err = NULL, *local_err = NULL;
      /* IO space */
 -    memory_region_init_io(&s->iomem, NULL, &aspeed_soc_io_ops, NULL,
 -            "aspeed_soc.io", ASPEED_SOC_IOMEM_SIZE);
 -    memory_region_add_subregion_overlap(get_system_memory(),
 -                                        ASPEED_SOC_IOMEM_BASE, &s->iomem, -1);
 +    create_unimplemented_device("aspeed_soc.io",
 +                                ASPEED_SOC_IOMEM_BASE, ASPEED_SOC_IOMEM_SIZE);
      /* CPU */
      object_property_set_bool(OBJECT(&s->cpu), true, "realized", &err);
 --
-.16.1
+.34.1

-[Qemu-devel] [PULL 01/20] hw/arm/aspeed: directly map the serial device to the system address space
+[PULL 9/9] docs/system/arm/aspeed: add missing model supermicrox11spi-bmc
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+From: Pierrick Bouvier <pierrick.bouvier@linaro.org>
-(qemu) info mtree
+Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
- address-space: cpu-memory-0
+Reviewed-by: Andrew Jeffery <andrew@codeconstruct.com.au>
-   0000000000000000-ffffffffffffffff (prio 0, i/o): system
+Message-id: 20241122225049.1617774-13-pierrick.bouvier@linaro.org
      0000000000000000-0000000007ffffff (prio 0, rom): aspeed.boot_rom
      000000001e600000-000000001e7fffff (prio -1, i/o): aspeed_soc.io
 -      000000001e784000-000000001e78401f (prio 0, i/o): serial
      000000001e620000-000000001e6200ff (prio 0, i/o): aspeed.smc.ast2500-fmc
      000000001e630000-000000001e6300ff (prio 0, i/o): aspeed.smc.ast2500-spi1
      [...]
      000000001e720000-000000001e728fff (prio 0, ram): aspeed.sram
      000000001e782000-000000001e782fff (prio 0, i/o): aspeed.timer
 +    000000001e784000-000000001e78401f (prio 0, i/o): serial
      000000001e785000-000000001e78501f (prio 0, i/o): aspeed.wdt
      000000001e785020-000000001e78503f (prio 0, i/o): aspeed.wdt
 Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Cédric Le Goater <clg@kaod.org>
 Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
 Message-id: 20180209085755.30414-2-f4bug@amsat.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/aspeed_soc.c | 3 ++-
+ docs/system/arm/aspeed.rst | 7 ++++---
-file changed, 2 insertions(+), 1 deletion(-)
+file changed, 4 insertions(+), 3 deletions(-)
-diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
+diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed_soc.c
+--- a/docs/system/arm/aspeed.rst
-+++ b/hw/arm/aspeed_soc.c
++++ b/docs/system/arm/aspeed.rst
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
+@@ -XXX,XX +XXX,XX @@
-     /* UART - attach an 8250 to the IO space as our UART5 */
+-Aspeed family boards (``ast2500-evb``, ``ast2600-evb``, ``ast2700-evb``, ``bletchley-bmc``, ``fuji-bmc``, ``fby35-bmc``, ``fp5280g2-bmc``, ``g220a-bmc``, ``palmetto-bmc``, ``qcom-dc-scm-v1-bmc``, ``qcom-firework-bmc``, ``quanta-q71l-bmc``, ``rainier-bmc``, ``romulus-bmc``, ``sonorapass-bmc``, ``supermicrox11-bmc``, ``tiogapass-bmc``, ``tacoma-bmc``, ``witherspoon-bmc``, ``yosemitev2-bmc``)
-     if (serial_hds[0]) {
+-========================================================================================================================================================================================================================================================================================================================================================================================================
-         qemu_irq uart5 = qdev_get_gpio_in(DEVICE(&s->vic), uart_irqs[4]);
++Aspeed family boards (``ast2500-evb``, ``ast2600-evb``, ``ast2700-evb``, ``bletchley-bmc``, ``fuji-bmc``, ``fby35-bmc``, ``fp5280g2-bmc``, ``g220a-bmc``, ``palmetto-bmc``, ``qcom-dc-scm-v1-bmc``, ``qcom-firework-bmc``, ``quanta-q71l-bmc``, ``rainier-bmc``, ``romulus-bmc``, ``sonorapass-bmc``, ``supermicrox11-bmc``, ``supermicrox11spi-bmc``, ``tiogapass-bmc``, ``tacoma-bmc``, ``witherspoon-bmc``, ``yosemitev2-bmc``)
--        serial_mm_init(&s->iomem, ASPEED_SOC_UART_5_BASE, 2,
++==================================================================================================================================================================================================================================================================================================================================================================================================================================
-+        serial_mm_init(get_system_memory(),
-+                       ASPEED_SOC_IOMEM_BASE + ASPEED_SOC_UART_5_BASE, 2,
+ The QEMU Aspeed machines model BMCs of various OpenPOWER systems and
-                        uart5, 38400, serial_hds[0], DEVICE_LITTLE_ENDIAN);
+ Aspeed evaluation boards. They are based on different releases of the
-     }
+@@ -XXX,XX +XXX,XX @@ AST2400 SoC based machines :
  - ``palmetto-bmc``         OpenPOWER Palmetto POWER8 BMC
  - ``quanta-q71l-bmc``      OpenBMC Quanta BMC
 -- ``supermicrox11-bmc``    Supermicro X11 BMC
 +- ``supermicrox11-bmc``    Supermicro X11 BMC (ARM926EJ-S)
 +- ``supermicrox11spi-bmc``    Supermicro X11 SPI BMC (ARM1176)
  AST2500 SoC based machines :
 --
-.16.1
+.34.1

-[Qemu-devel] [PULL 08/20] hw/intc/armv7m_nvic: Don't hardcode M profile ID registers in NVIC
+Deleted patch
-Instead of hardcoding the values of M profile ID registers in the
-NVIC, use the fields in the CPU struct. This will allow us to
-give different M profile CPU types different ID register values.
-This commit includes the addition of the missing ID_ISAR5,
-which exists as RES0 in both v7M and v8M.
-(The values of the ID registers might be wrong for the M4 --
-this commit leaves the behaviour there unchanged.)
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180209165810.6668-2-peter.maydell@linaro.org
----
- hw/intc/armv7m_nvic.c | 30 ++++++++++++++++--------------
- target/arm/cpu.c      | 28 ++++++++++++++++++++++++++++
-files changed, 44 insertions(+), 14 deletions(-)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
-+++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
-                       "Aux Fault status registers unimplemented\n");
-         return 0;
-     case 0xd40: /* PFR0.  */
--        return 0x00000030;
--    case 0xd44: /* PRF1.  */
--        return 0x00000200;
-+        return cpu->id_pfr0;
-+    case 0xd44: /* PFR1.  */
-+        return cpu->id_pfr1;
-     case 0xd48: /* DFR0.  */
--        return 0x00100000;
-+        return cpu->id_dfr0;
-     case 0xd4c: /* AFR0.  */
--        return 0x00000000;
-+        return cpu->id_afr0;
-     case 0xd50: /* MMFR0.  */
--        return 0x00000030;
-+        return cpu->id_mmfr0;
-     case 0xd54: /* MMFR1.  */
--        return 0x00000000;
-+        return cpu->id_mmfr1;
-     case 0xd58: /* MMFR2.  */
--        return 0x00000000;
-+        return cpu->id_mmfr2;
-     case 0xd5c: /* MMFR3.  */
--        return 0x00000000;
-+        return cpu->id_mmfr3;
-     case 0xd60: /* ISAR0.  */
--        return 0x01141110;
-+        return cpu->id_isar0;
-     case 0xd64: /* ISAR1.  */
--        return 0x02111000;
-+        return cpu->id_isar1;
-     case 0xd68: /* ISAR2.  */
--        return 0x21112231;
-+        return cpu->id_isar2;
-     case 0xd6c: /* ISAR3.  */
--        return 0x01111110;
-+        return cpu->id_isar3;
-     case 0xd70: /* ISAR4.  */
--        return 0x01310102;
-+        return cpu->id_isar4;
-+    case 0xd74: /* ISAR5.  */
-+        return cpu->id_isar5;
-     /* TODO: Implement debug registers.  */
-     case 0xd90: /* MPU_TYPE */
-         /* Unified MPU; if the MPU is not present this value is zero */
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
-+++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void cortex_m3_initfn(Object *obj)
-     set_feature(&cpu->env, ARM_FEATURE_M);
-     cpu->midr = 0x410fc231;
-     cpu->pmsav7_dregion = 8;
-+    cpu->id_pfr0 = 0x00000030;
-+    cpu->id_pfr1 = 0x00000200;
-+    cpu->id_dfr0 = 0x00100000;
-+    cpu->id_afr0 = 0x00000000;
-+    cpu->id_mmfr0 = 0x00000030;
-+    cpu->id_mmfr1 = 0x00000000;
-+    cpu->id_mmfr2 = 0x00000000;
-+    cpu->id_mmfr3 = 0x00000000;
-+    cpu->id_isar0 = 0x01141110;
-+    cpu->id_isar1 = 0x02111000;
-+    cpu->id_isar2 = 0x21112231;
-+    cpu->id_isar3 = 0x01111110;
-+    cpu->id_isar4 = 0x01310102;
-+    cpu->id_isar5 = 0x00000000;
- }
- static void cortex_m4_initfn(Object *obj)
-@@ -XXX,XX +XXX,XX @@ static void cortex_m4_initfn(Object *obj)
-     set_feature(&cpu->env, ARM_FEATURE_THUMB_DSP);
-     cpu->midr = 0x410fc240; /* r0p0 */
-     cpu->pmsav7_dregion = 8;
-+    cpu->id_pfr0 = 0x00000030;
-+    cpu->id_pfr1 = 0x00000200;
-+    cpu->id_dfr0 = 0x00100000;
-+    cpu->id_afr0 = 0x00000000;
-+    cpu->id_mmfr0 = 0x00000030;
-+    cpu->id_mmfr1 = 0x00000000;
-+    cpu->id_mmfr2 = 0x00000000;
-+    cpu->id_mmfr3 = 0x00000000;
-+    cpu->id_isar0 = 0x01141110;
-+    cpu->id_isar1 = 0x02111000;
-+    cpu->id_isar2 = 0x21112231;
-+    cpu->id_isar3 = 0x01111110;
-+    cpu->id_isar4 = 0x01310102;
-+    cpu->id_isar5 = 0x00000000;
- }
- static void arm_v7m_class_init(ObjectClass *oc, void *data)
---
-.16.1

-[Qemu-devel] [PULL 09/20] hw/intc/armv7m_nvic: Fix ICSR PENDNMISET/CLR handling
+Deleted patch
-The PENDNMISET/CLR bits in the ICSR should be RAZ/WI from
-NonSecure state if the AIRCR.BFHFNMINS bit is zero. We had
-misimplemented this as making the bits RAZ/WI from both
-Secure and NonSecure states. Fix this bug by checking
-attrs.secure so that Secure code can pend and unpend NMIs.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180209165810.6668-3-peter.maydell@linaro.org
----
- hw/intc/armv7m_nvic.c | 6 +++---
-file changed, 3 insertions(+), 3 deletions(-)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
-+++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
-             }
-         }
-         /* NMIPENDSET */
--        if ((cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) &&
--            s->vectors[ARMV7M_EXCP_NMI].pending) {
-+        if ((attrs.secure || (cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK))
-+            && s->vectors[ARMV7M_EXCP_NMI].pending) {
-             val |= (1 << 31);
-         }
-         /* ISRPREEMPT: RES0 when halting debug not implemented */
-@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
-         break;
-     }
-     case 0xd04: /* Interrupt Control State (ICSR) */
--        if (cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) {
-+        if (attrs.secure || cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) {
-             if (value & (1 << 31)) {
-                 armv7m_nvic_set_pending(s, ARMV7M_EXCP_NMI, false);
-             } else if (value & (1 << 30) &&
---
-.16.1

-[Qemu-devel] [PULL 10/20] hw/intc/armv7m_nvic: Implement M profile cache maintenance ops
+Deleted patch
-For M profile cores, cache maintenance operations are done by
-writing to special registers in the system register space.
-For QEMU, cache operations are always NOPs, since we don't
-implement the cache. Implementing these explicitly avoids
-a spurious LOG_GUEST_ERROR when the guest uses them.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180209165810.6668-4-peter.maydell@linaro.org
----
- hw/intc/armv7m_nvic.c | 12 ++++++++++++
-file changed, 12 insertions(+)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
-+++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
-         }
-         break;
-     }
-+    case 0xf50: /* ICIALLU */
-+    case 0xf58: /* ICIMVAU */
-+    case 0xf5c: /* DCIMVAC */
-+    case 0xf60: /* DCISW */
-+    case 0xf64: /* DCCMVAU */
-+    case 0xf68: /* DCCMVAC */
-+    case 0xf6c: /* DCCSW */
-+    case 0xf70: /* DCCIMVAC */
-+    case 0xf74: /* DCCISW */
-+    case 0xf78: /* BPIALL */
-+        /* Cache and branch predictor maintenance: for QEMU these always NOP */
-+        break;
-     default:
-     bad_offset:
-         qemu_log_mask(LOG_GUEST_ERROR,
---
-.16.1

-[Qemu-devel] [PULL 11/20] hw/intc/armv7m_nvic: Implement v8M CPPWR register
+Deleted patch
-The Coprocessor Power Control Register (CPPWR) is new in v8M.
-It allows software to control whether coprocessors are allowed
-to power down and lose their state. QEMU doesn't have any
-notion of power control, so we choose the IMPDEF option of
-making the whole register RAZ/WI (indicating that no coprocessors
-can ever power down and lose state).
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180209165810.6668-5-peter.maydell@linaro.org
----
- hw/intc/armv7m_nvic.c | 14 ++++++++++++++
-file changed, 14 insertions(+)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
-+++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
-     switch (offset) {
-     case 4: /* Interrupt Control Type.  */
-         return ((s->num_irq - NVIC_FIRST_IRQ) / 32) - 1;
-+    case 0xc: /* CPPWR */
-+        if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
-+            goto bad_offset;
-+        }
-+        /* We make the IMPDEF choice that nothing can ever go into a
-+         * non-retentive power state, which allows us to RAZ/WI this.
-+         */
-+        return 0;
-     case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */
-     {
-         int startvec = 8 * (offset - 0x380) + NVIC_FIRST_IRQ;
-@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
-     ARMCPU *cpu = s->cpu;
-     switch (offset) {
-+    case 0xc: /* CPPWR */
-+        if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
-+            goto bad_offset;
-+        }
-+        /* Make the IMPDEF choice to RAZ/WI this. */
-+        break;
-     case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */
-     {
-         int startvec = 8 * (offset - 0x380) + NVIC_FIRST_IRQ;
---
-.16.1

-[Qemu-devel] [PULL 12/20] hw/intc/armv7m_nvic: Implement cache ID registers
+Deleted patch
-M profile cores have a similar setup for cache ID registers
-to A profile:
- * Cache Level ID Register (CLIDR) is a fixed value
- * Cache Type Register (CTR) is a fixed value
- * Cache Size ID Registers (CCSIDR) are a bank of registers;
-   which one you see is selected by the Cache Size Selection
-   Register (CSSELR)
-The only difference is that they're in the NVIC memory mapped
-register space rather than being coprocessor registers.
-Implement the M profile view of them.
-Since neither Cortex-M3 nor Cortex-M4 implement caches,
-we don't need to update their init functions and can leave
-the ctr/clidr/ccsidr[] fields in their ARMCPU structs at zero.
-Newer cores (like the Cortex-M33) will want to be able to
-set these ID registers to non-zero values, though.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180209165810.6668-6-peter.maydell@linaro.org
----
- target/arm/cpu.h      | 26 ++++++++++++++++++++++++++
- hw/intc/armv7m_nvic.c | 16 ++++++++++++++++
- target/arm/machine.c  | 36 ++++++++++++++++++++++++++++++++++++
-files changed, 78 insertions(+)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
-         uint32_t faultmask[M_REG_NUM_BANKS];
-         uint32_t aircr; /* only holds r/w state if security extn implemented */
-         uint32_t secure; /* Is CPU in Secure state? (not guest visible) */
-+        uint32_t csselr[M_REG_NUM_BANKS];
-     } v7m;
-     /* Information associated with an exception about to be taken:
-@@ -XXX,XX +XXX,XX @@ FIELD(V7M_MPU_CTRL, ENABLE, 0, 1)
- FIELD(V7M_MPU_CTRL, HFNMIENA, 1, 1)
- FIELD(V7M_MPU_CTRL, PRIVDEFENA, 2, 1)
-+/* v7M CLIDR bits */
-+FIELD(V7M_CLIDR, CTYPE_ALL, 0, 21)
-+FIELD(V7M_CLIDR, LOUIS, 21, 3)
-+FIELD(V7M_CLIDR, LOC, 24, 3)
-+FIELD(V7M_CLIDR, LOUU, 27, 3)
-+FIELD(V7M_CLIDR, ICB, 30, 2)
-+
-+FIELD(V7M_CSSELR, IND, 0, 1)
-+FIELD(V7M_CSSELR, LEVEL, 1, 3)
-+/* We use the combination of InD and Level to index into cpu->ccsidr[];
-+ * define a mask for this and check that it doesn't permit running off
-+ * the end of the array.
-+ */
-+FIELD(V7M_CSSELR, INDEX, 0, 4)
-+
-+QEMU_BUILD_BUG_ON(ARRAY_SIZE(((ARMCPU *)0)->ccsidr) <= R_V7M_CSSELR_INDEX_MASK);
-+
- /* If adding a feature bit which corresponds to a Linux ELF
-  * HWCAP bit, remember to update the feature-bit-to-hwcap
-  * mapping in linux-user/elfload.c:get_elf_hwcap().
-@@ -XXX,XX +XXX,XX @@ static inline int arm_debug_target_el(CPUARMState *env)
-     }
- }
-+static inline bool arm_v7m_csselr_razwi(ARMCPU *cpu)
-+{
-+    /* If all the CLIDR.Ctypem bits are 0 there are no caches, and
-+     * CSSELR is RAZ/WI.
-+     */
-+    return (cpu->clidr & R_V7M_CLIDR_CTYPE_ALL_MASK) != 0;
-+}
-+
- static inline bool aa64_generate_debug_exceptions(CPUARMState *env)
- {
-     if (arm_is_secure(env)) {
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
-+++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
-         return cpu->id_isar4;
-     case 0xd74: /* ISAR5.  */
-         return cpu->id_isar5;
-+    case 0xd78: /* CLIDR */
-+        return cpu->clidr;
-+    case 0xd7c: /* CTR */
-+        return cpu->ctr;
-+    case 0xd80: /* CSSIDR */
-+    {
-+        int idx = cpu->env.v7m.csselr[attrs.secure] & R_V7M_CSSELR_INDEX_MASK;
-+        return cpu->ccsidr[idx];
-+    }
-+    case 0xd84: /* CSSELR */
-+        return cpu->env.v7m.csselr[attrs.secure];
-     /* TODO: Implement debug registers.  */
-     case 0xd90: /* MPU_TYPE */
-         /* Unified MPU; if the MPU is not present this value is zero */
-@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
-         qemu_log_mask(LOG_UNIMP,
-                       "NVIC: Aux fault status registers unimplemented\n");
-         break;
-+    case 0xd84: /* CSSELR */
-+        if (!arm_v7m_csselr_razwi(cpu)) {
-+            cpu->env.v7m.csselr[attrs.secure] = value & R_V7M_CSSELR_INDEX_MASK;
-+        }
-+        break;
-     case 0xd90: /* MPU_TYPE */
-         return; /* RO */
-     case 0xd94: /* MPU_CTRL */
-diff --git a/target/arm/machine.c b/target/arm/machine.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/machine.c
-+++ b/target/arm/machine.c
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m_faultmask_primask = {
-     }
- };
-+/* CSSELR is in a subsection because we didn't implement it previously.
-+ * Migration from an old implementation will leave it at zero, which
-+ * is OK since the only CPUs in the old implementation make the
-+ * register RAZ/WI.
-+ * Since there was no version of QEMU which implemented the CSSELR for
-+ * just non-secure, we transfer both banks here rather than putting
-+ * the secure banked version in the m-security subsection.
-+ */
-+static bool csselr_vmstate_validate(void *opaque, int version_id)
-+{
-+    ARMCPU *cpu = opaque;
-+
-+    return cpu->env.v7m.csselr[M_REG_NS] <= R_V7M_CSSELR_INDEX_MASK
-+        && cpu->env.v7m.csselr[M_REG_S] <= R_V7M_CSSELR_INDEX_MASK;
-+}
-+
-+static bool m_csselr_needed(void *opaque)
-+{
-+    ARMCPU *cpu = opaque;
-+
-+    return !arm_v7m_csselr_razwi(cpu);
-+}
-+
-+static const VMStateDescription vmstate_m_csselr = {
-+    .name = "cpu/m/csselr",
-+    .version_id = 1,
-+    .minimum_version_id = 1,
-+    .needed = m_csselr_needed,
-+    .fields = (VMStateField[]) {
-+        VMSTATE_UINT32_ARRAY(env.v7m.csselr, ARMCPU, M_REG_NUM_BANKS),
-+        VMSTATE_VALIDATE("CSSELR is valid", csselr_vmstate_validate),
-+        VMSTATE_END_OF_LIST()
-+    }
-+};
-+
- static const VMStateDescription vmstate_m = {
-     .name = "cpu/m",
-     .version_id = 4,
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m = {
-     },
-     .subsections = (const VMStateDescription*[]) {
-         &vmstate_m_faultmask_primask,
-+        &vmstate_m_csselr,
-         NULL
-     }
- };
---
-.16.1

-[Qemu-devel] [PULL 13/20] hw/intc/armv7m_nvic: Implement SCR
+Deleted patch
-We were previously making the system control register (SCR)
-just RAZ/WI. Although we don't implement the functionality
-this register controls, we should at least provide the state,
-including the banked state for v8M.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180209165810.6668-7-peter.maydell@linaro.org
----
- target/arm/cpu.h      |  7 +++++++
- hw/intc/armv7m_nvic.c | 12 ++++++++----
- target/arm/machine.c  | 12 ++++++++++++
-files changed, 27 insertions(+), 4 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
-         uint32_t aircr; /* only holds r/w state if security extn implemented */
-         uint32_t secure; /* Is CPU in Secure state? (not guest visible) */
-         uint32_t csselr[M_REG_NUM_BANKS];
-+        uint32_t scr[M_REG_NUM_BANKS];
-     } v7m;
-     /* Information associated with an exception about to be taken:
-@@ -XXX,XX +XXX,XX @@ FIELD(V7M_CCR, STKALIGN, 9, 1)
- FIELD(V7M_CCR, DC, 16, 1)
- FIELD(V7M_CCR, IC, 17, 1)
-+/* V7M SCR bits */
-+FIELD(V7M_SCR, SLEEPONEXIT, 1, 1)
-+FIELD(V7M_SCR, SLEEPDEEP, 2, 1)
-+FIELD(V7M_SCR, SLEEPDEEPS, 3, 1)
-+FIELD(V7M_SCR, SEVONPEND, 4, 1)
-+
- /* V7M AIRCR bits */
- FIELD(V7M_AIRCR, VECTRESET, 0, 1)
- FIELD(V7M_AIRCR, VECTCLRACTIVE, 1, 1)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
-+++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
-         }
-         return val;
-     case 0xd10: /* System Control.  */
--        /* TODO: Implement SLEEPONEXIT.  */
--        return 0;
-+        return cpu->env.v7m.scr[attrs.secure];
-     case 0xd14: /* Configuration Control.  */
-         /* The BFHFNMIGN bit is the only non-banked bit; we
-          * keep it in the non-secure copy of the register.
-@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
-         }
-         break;
-     case 0xd10: /* System Control.  */
--        /* TODO: Implement control registers.  */
--        qemu_log_mask(LOG_UNIMP, "NVIC: SCR unimplemented\n");
-+        /* We don't implement deep-sleep so these bits are RAZ/WI.
-+         * The other bits in the register are banked.
-+         * QEMU's implementation ignores SEVONPEND and SLEEPONEXIT, which
-+         * is architecturally permitted.
-+         */
-+        value &= ~(R_V7M_SCR_SLEEPDEEP_MASK | R_V7M_SCR_SLEEPDEEPS_MASK);
-+        cpu->env.v7m.scr[attrs.secure] = value;
-         break;
-     case 0xd14: /* Configuration Control.  */
-         /* Enforce RAZ/WI on reserved and must-RAZ/WI bits */
-diff --git a/target/arm/machine.c b/target/arm/machine.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/machine.c
-+++ b/target/arm/machine.c
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m_csselr = {
-     }
- };
-+static const VMStateDescription vmstate_m_scr = {
-+    .name = "cpu/m/scr",
-+    .version_id = 1,
-+    .minimum_version_id = 1,
-+    .fields = (VMStateField[]) {
-+        VMSTATE_UINT32(env.v7m.scr[M_REG_NS], ARMCPU),
-+        VMSTATE_END_OF_LIST()
-+    }
-+};
-+
- static const VMStateDescription vmstate_m = {
-     .name = "cpu/m",
-     .version_id = 4,
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m = {
-     .subsections = (const VMStateDescription*[]) {
-         &vmstate_m_faultmask_primask,
-         &vmstate_m_csselr,
-+        &vmstate_m_scr,
-         NULL
-     }
- };
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m_security = {
-         VMSTATE_UINT32(env.sau.rnr, ARMCPU),
-         VMSTATE_VALIDATE("SAU_RNR is valid", sau_rnr_vmstate_validate),
-         VMSTATE_UINT32(env.sau.ctrl, ARMCPU),
-+        VMSTATE_UINT32(env.v7m.scr[M_REG_S], ARMCPU),
-         VMSTATE_END_OF_LIST()
-     }
- };
---
-.16.1

-[Qemu-devel] [PULL 14/20] target/arm: Implement writing to CONTROL_NS for v8M
+Deleted patch
-In commit 50f11062d4c896 we added support for MSR/MRS access
-to the NS banked special registers, but we forgot to implement
-the support for writing to CONTROL_NS. Correct the omission.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180209165810.6668-8-peter.maydell@linaro.org
----
- target/arm/helper.c | 10 ++++++++++
-file changed, 10 insertions(+)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
-             }
-             env->v7m.faultmask[M_REG_NS] = val & 1;
-             return;
-+        case 0x94: /* CONTROL_NS */
-+            if (!env->v7m.secure) {
-+                return;
-+            }
-+            write_v7m_control_spsel_for_secstate(env,
-+                                                 val & R_V7M_CONTROL_SPSEL_MASK,
-+                                                 M_REG_NS);
-+            env->v7m.control[M_REG_NS] &= ~R_V7M_CONTROL_NPRIV_MASK;
-+            env->v7m.control[M_REG_NS] |= val & R_V7M_CONTROL_NPRIV_MASK;
-+            return;
-         case 0x98: /* SP_NS */
-         {
-             /* This gives the non-secure SP selected based on whether we're
---
-.16.1

-[Qemu-devel] [PULL 15/20] hw/intc/armv7m_nvic: Fix byte-to-interrupt number conversions
+Deleted patch
-In many of the NVIC registers relating to interrupts, we
-have to convert from a byte offset within a register set
-into the number of the first interrupt which is affected.
-We were getting this wrong for:
- * reads of NVIC_ISPR<n>, NVIC_ISER<n>, NVIC_ICPR<n>, NVIC_ICER<n>,
-   NVIC_IABR<n> -- in all these cases we were missing the "* 8"
-   needed to convert from the byte offset to the interrupt number
-   (since all these registers use one bit per interrupt)
- * writes of NVIC_IPR<n> had the opposite problem of a spurious
-   "* 8" (since these registers use one byte per interrupt)
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 20180209165810.6668-9-peter.maydell@linaro.org
----
- hw/intc/armv7m_nvic.c | 8 ++++----
-file changed, 4 insertions(+), 4 deletions(-)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
-+++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
-         /* fall through */
-     case 0x180 ... 0x1bf: /* NVIC Clear enable */
-         val = 0;
--        startvec = offset - 0x180 + NVIC_FIRST_IRQ; /* vector # */
-+        startvec = 8 * (offset - 0x180) + NVIC_FIRST_IRQ; /* vector # */
-         for (i = 0, end = size * 8; i < end && startvec + i < s->num_irq; i++) {
-             if (s->vectors[startvec + i].enabled &&
-@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
-         /* fall through */
-     case 0x280 ... 0x2bf: /* NVIC Clear pend */
-         val = 0;
--        startvec = offset - 0x280 + NVIC_FIRST_IRQ; /* vector # */
-+        startvec = 8 * (offset - 0x280) + NVIC_FIRST_IRQ; /* vector # */
-         for (i = 0, end = size * 8; i < end && startvec + i < s->num_irq; i++) {
-             if (s->vectors[startvec + i].pending &&
-                 (attrs.secure || s->itns[startvec + i])) {
-@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
-         break;
-     case 0x300 ... 0x33f: /* NVIC Active */
-         val = 0;
--        startvec = offset - 0x300 + NVIC_FIRST_IRQ; /* vector # */
-+        startvec = 8 * (offset - 0x300) + NVIC_FIRST_IRQ; /* vector # */
-         for (i = 0, end = size * 8; i < end && startvec + i < s->num_irq; i++) {
-             if (s->vectors[startvec + i].active &&
-@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_write(void *opaque, hwaddr addr,
-     case 0x300 ... 0x33f: /* NVIC Active */
-         return MEMTX_OK; /* R/O */
-     case 0x400 ... 0x5ef: /* NVIC Priority */
--        startvec = 8 * (offset - 0x400) + NVIC_FIRST_IRQ; /* vector # */
-+        startvec = (offset - 0x400) + NVIC_FIRST_IRQ; /* vector # */
-         for (i = 0; i < size && startvec + i < s->num_irq; i++) {
-             if (attrs.secure || s->itns[startvec + i]) {
---
-.16.1

-[Qemu-devel] [PULL 16/20] target/arm: Add AIRCR to vmstate struct
+Deleted patch
-In commit commit 3b2e934463121 we added support for the AIRCR
-register holding state, but forgot to add it to the vmstate
-structs. Since it only holds r/w state if the security extension
-is implemented, we can just add it to vmstate_m_security.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180209165810.6668-10-peter.maydell@linaro.org
----
- target/arm/machine.c | 4 ++++
-file changed, 4 insertions(+)
-diff --git a/target/arm/machine.c b/target/arm/machine.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/machine.c
-+++ b/target/arm/machine.c
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m_security = {
-         VMSTATE_VALIDATE("SAU_RNR is valid", sau_rnr_vmstate_validate),
-         VMSTATE_UINT32(env.sau.ctrl, ARMCPU),
-         VMSTATE_UINT32(env.v7m.scr[M_REG_S], ARMCPU),
-+        /* AIRCR is not secure-only, but our implementation is R/O if the
-+         * security extension is unimplemented, so we migrate it here.
-+         */
-+        VMSTATE_UINT32(env.v7m.aircr, ARMCPU),
-         VMSTATE_END_OF_LIST()
-     }
- };
---
-.16.1

-[Qemu-devel] [PULL 17/20] target/arm: Migrate v7m.other_sp
+Deleted patch
-In commit abc24d86cc0364f we accidentally broke migration of
-the stack pointer value for the mode (process, handler) the CPU
-is not currently running as. (The commit correctly removed the
-no-longer-used v7m.current_sp flag from the VMState but also
-deleted the still very much in use v7m.other_sp SP value field.)
-Add a subsection to migrate it again. (We don't need to care
-about trying to retain compatibility with pre-abc24d86cc0364f
-versions of QEMU, because that commit bumped the version_id
-and we've since bumped it again a couple of times.)
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180209165810.6668-11-peter.maydell@linaro.org
----
- target/arm/machine.c | 11 +++++++++++
-file changed, 11 insertions(+)
-diff --git a/target/arm/machine.c b/target/arm/machine.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/machine.c
-+++ b/target/arm/machine.c
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m_scr = {
-     }
- };
-+static const VMStateDescription vmstate_m_other_sp = {
-+    .name = "cpu/m/other-sp",
-+    .version_id = 1,
-+    .minimum_version_id = 1,
-+    .fields = (VMStateField[]) {
-+        VMSTATE_UINT32(env.v7m.other_sp, ARMCPU),
-+        VMSTATE_END_OF_LIST()
-+    }
-+};
-+
- static const VMStateDescription vmstate_m = {
-     .name = "cpu/m",
-     .version_id = 4,
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m = {
-         &vmstate_m_faultmask_primask,
-         &vmstate_m_csselr,
-         &vmstate_m_scr,
-+        &vmstate_m_other_sp,
-         NULL
-     }
- };
---
-.16.1

-[Qemu-devel] [PULL 18/20] target/arm: Implement v8M MSPLIM and PSPLIM registers
+Deleted patch
-The v8M architecture includes hardware support for enforcing
-stack pointer limits. We don't implement this behaviour yet,
-but provide the MSPLIM and PSPLIM stack pointer limit registers
-as reads-as-written, so that when we do implement the checks
-in future this won't break guest migration.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180209165810.6668-12-peter.maydell@linaro.org
----
- target/arm/cpu.h     |  2 ++
- target/arm/helper.c  | 46 ++++++++++++++++++++++++++++++++++++++++++++++
- target/arm/machine.c | 21 +++++++++++++++++++++
-files changed, 69 insertions(+)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
-         uint32_t secure; /* Is CPU in Secure state? (not guest visible) */
-         uint32_t csselr[M_REG_NUM_BANKS];
-         uint32_t scr[M_REG_NUM_BANKS];
-+        uint32_t msplim[M_REG_NUM_BANKS];
-+        uint32_t psplim[M_REG_NUM_BANKS];
-     } v7m;
-     /* Information associated with an exception about to be taken:
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
-                 return 0;
-             }
-             return env->v7m.other_ss_psp;
-+        case 0x8a: /* MSPLIM_NS */
-+            if (!env->v7m.secure) {
-+                return 0;
-+            }
-+            return env->v7m.msplim[M_REG_NS];
-+        case 0x8b: /* PSPLIM_NS */
-+            if (!env->v7m.secure) {
-+                return 0;
-+            }
-+            return env->v7m.psplim[M_REG_NS];
-         case 0x90: /* PRIMASK_NS */
-             if (!env->v7m.secure) {
-                 return 0;
-@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
-         return v7m_using_psp(env) ? env->v7m.other_sp : env->regs[13];
-     case 9: /* PSP */
-         return v7m_using_psp(env) ? env->regs[13] : env->v7m.other_sp;
-+    case 10: /* MSPLIM */
-+        if (!arm_feature(env, ARM_FEATURE_V8)) {
-+            goto bad_reg;
-+        }
-+        return env->v7m.msplim[env->v7m.secure];
-+    case 11: /* PSPLIM */
-+        if (!arm_feature(env, ARM_FEATURE_V8)) {
-+            goto bad_reg;
-+        }
-+        return env->v7m.psplim[env->v7m.secure];
-     case 16: /* PRIMASK */
-         return env->v7m.primask[env->v7m.secure];
-     case 17: /* BASEPRI */
-@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
-     case 19: /* FAULTMASK */
-         return env->v7m.faultmask[env->v7m.secure];
-     default:
-+    bad_reg:
-         qemu_log_mask(LOG_GUEST_ERROR, "Attempt to read unknown special"
-                                        " register %d\n", reg);
-         return 0;
-@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
-             }
-             env->v7m.other_ss_psp = val;
-             return;
-+        case 0x8a: /* MSPLIM_NS */
-+            if (!env->v7m.secure) {
-+                return;
-+            }
-+            env->v7m.msplim[M_REG_NS] = val & ~7;
-+            return;
-+        case 0x8b: /* PSPLIM_NS */
-+            if (!env->v7m.secure) {
-+                return;
-+            }
-+            env->v7m.psplim[M_REG_NS] = val & ~7;
-+            return;
-         case 0x90: /* PRIMASK_NS */
-             if (!env->v7m.secure) {
-                 return;
-@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
-             env->v7m.other_sp = val;
-         }
-         break;
-+    case 10: /* MSPLIM */
-+        if (!arm_feature(env, ARM_FEATURE_V8)) {
-+            goto bad_reg;
-+        }
-+        env->v7m.msplim[env->v7m.secure] = val & ~7;
-+        break;
-+    case 11: /* PSPLIM */
-+        if (!arm_feature(env, ARM_FEATURE_V8)) {
-+            goto bad_reg;
-+        }
-+        env->v7m.psplim[env->v7m.secure] = val & ~7;
-+        break;
-     case 16: /* PRIMASK */
-         env->v7m.primask[env->v7m.secure] = val & 1;
-         break;
-@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
-         env->v7m.control[env->v7m.secure] |= val & R_V7M_CONTROL_NPRIV_MASK;
-         break;
-     default:
-+    bad_reg:
-         qemu_log_mask(LOG_GUEST_ERROR, "Attempt to write unknown special"
-                                        " register %d\n", reg);
-         return;
-diff --git a/target/arm/machine.c b/target/arm/machine.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/machine.c
-+++ b/target/arm/machine.c
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m_other_sp = {
-     }
- };
-+static bool m_v8m_needed(void *opaque)
-+{
-+    ARMCPU *cpu = opaque;
-+    CPUARMState *env = &cpu->env;
-+
-+    return arm_feature(env, ARM_FEATURE_M) && arm_feature(env, ARM_FEATURE_V8);
-+}
-+
-+static const VMStateDescription vmstate_m_v8m = {
-+    .name = "cpu/m/v8m",
-+    .version_id = 1,
-+    .minimum_version_id = 1,
-+    .needed = m_v8m_needed,
-+    .fields = (VMStateField[]) {
-+        VMSTATE_UINT32_ARRAY(env.v7m.msplim, ARMCPU, M_REG_NUM_BANKS),
-+        VMSTATE_UINT32_ARRAY(env.v7m.psplim, ARMCPU, M_REG_NUM_BANKS),
-+        VMSTATE_END_OF_LIST()
-+    }
-+};
-+
- static const VMStateDescription vmstate_m = {
-     .name = "cpu/m",
-     .version_id = 4,
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m = {
-         &vmstate_m_csselr,
-         &vmstate_m_scr,
-         &vmstate_m_other_sp,
-+        &vmstate_m_v8m,
-         NULL
-     }
- };
---
-.16.1

Changes v1->v2: it turns out that the raspi3 support exposes a
preexisting bug in our register definitions for VMPIDR/VMIDR:
https://lists.gnu.org/archive/html/qemu-devel/2018-02/msg04181.html

So I've dropped the final "enable raspi3 board" patch for the
moment. When that VMIDR/VMPIDR patch gets reviewed we can
put the raspi3 patch in with it.

thanks
-- PMM

The following changes since commit f003d07337a6d4d02c43429b26a4270459afb51a:

Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging (2018-02-15 15:45:33 +0000)

are available in the Git repository at:

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180215-1

for you to fetch changes up to bade58166f4466546600d824a2695a00269d10eb:

raspi: Raspberry Pi 3 support (2018-02-15 18:33:46 +0000)

----------------------------------------------------------------
target-arm queue:
 * aspeed: code cleanup to use unimplemented_device
 * preparatory work for 'raspi3' RaspberryPi 3 machine model
 * more SVE prep work
 * v8M: add minor missing registers
 * v7M: fix bug where we weren't migrating v7m.other_sp
 * v7M: fix bugs in handling of interrupt registers for
   external interrupts beyond 32

----------------------------------------------------------------
Pekka Enberg (2):
      bcm2836: Make CPU type configurable
      raspi: Raspberry Pi 3 support

Peter Maydell (11):
      hw/intc/armv7m_nvic: Don't hardcode M profile ID registers in NVIC
      hw/intc/armv7m_nvic: Fix ICSR PENDNMISET/CLR handling
      hw/intc/armv7m_nvic: Implement M profile cache maintenance ops
      hw/intc/armv7m_nvic: Implement v8M CPPWR register
      hw/intc/armv7m_nvic: Implement cache ID registers
      hw/intc/armv7m_nvic: Implement SCR
      target/arm: Implement writing to CONTROL_NS for v8M
      hw/intc/armv7m_nvic: Fix byte-to-interrupt number conversions
      target/arm: Add AIRCR to vmstate struct
      target/arm: Migrate v7m.other_sp
      target/arm: Implement v8M MSPLIM and PSPLIM registers

Philippe Mathieu-Daudé (2):
      hw/arm/aspeed: directly map the serial device to the system address space
      hw/arm/aspeed: simplify using the 'unimplemented device' for aspeed_soc.io

Richard Henderson (5):
      target/arm: Remove ARM_CP_64BIT from ZCR_EL registers
      target/arm: Enforce FP access to FPCR/FPSR
      target/arm: Suppress TB end for FPCR/FPSR
      target/arm: Enforce access to ZCR_EL at translation
      target/arm: Handle SVE registers when using clear_vec_high

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

(qemu) info mtree
 address-space: cpu-memory-0
   0000000000000000-ffffffffffffffff (prio 0, i/o): system
     0000000000000000-0000000007ffffff (prio 0, rom): aspeed.boot_rom
     000000001e600000-000000001e7fffff (prio -1, i/o): aspeed_soc.io
-      000000001e784000-000000001e78401f (prio 0, i/o): serial
     000000001e620000-000000001e6200ff (prio 0, i/o): aspeed.smc.ast2500-fmc
     000000001e630000-000000001e6300ff (prio 0, i/o): aspeed.smc.ast2500-spi1
     [...]
     000000001e720000-000000001e728fff (prio 0, ram): aspeed.sram
     000000001e782000-000000001e782fff (prio 0, i/o): aspeed.timer
+    000000001e784000-000000001e78401f (prio 0, i/o): serial
     000000001e785000-000000001e78501f (prio 0, i/o): aspeed.wdt
     000000001e785020-000000001e78503f (prio 0, i/o): aspeed.wdt

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
Message-id: 20180209085755.30414-2-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/aspeed_soc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed_soc.c
+++ b/hw/arm/aspeed_soc.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
     /* UART - attach an 8250 to the IO space as our UART5 */
     if (serial_hds[0]) {
         qemu_irq uart5 = qdev_get_gpio_in(DEVICE(&s->vic), uart_irqs[4]);
-        serial_mm_init(&s->iomem, ASPEED_SOC_UART_5_BASE, 2,
+        serial_mm_init(get_system_memory(),
+                       ASPEED_SOC_IOMEM_BASE + ASPEED_SOC_UART_5_BASE, 2,
                        uart5, 38400, serial_hds[0], DEVICE_LITTLE_ENDIAN);
     }
 
-- 
2.16.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
Message-id: 20180209085755.30414-3-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/aspeed_soc.h |  1 -
 hw/arm/aspeed_soc.c         | 32 +++-----------------------------
 2 files changed, 3 insertions(+), 30 deletions(-)

diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/aspeed_soc.h
+++ b/include/hw/arm/aspeed_soc.h
@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSoCState {
 
     /*< public >*/
     ARMCPU cpu;
-    MemoryRegion iomem;
     MemoryRegion sram;
     AspeedVICState vic;
     AspeedTimerCtrlState timerctrl;
diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed_soc.c
+++ b/hw/arm/aspeed_soc.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu-common.h"
 #include "cpu.h"
 #include "exec/address-spaces.h"
+#include "hw/misc/unimp.h"
 #include "hw/arm/aspeed_soc.h"
 #include "hw/char/serial.h"
 #include "qemu/log.h"
@@ -XXX,XX +XXX,XX @@ static const AspeedSoCInfo aspeed_socs[] = {
     },
 };
 
-/*
- * IO handlers: simply catch any reads/writes to IO addresses that aren't
- * handled by a device mapping.
- */
-
-static uint64_t aspeed_soc_io_read(void *p, hwaddr offset, unsigned size)
-{
-    qemu_log_mask(LOG_UNIMP, "%s: 0x%" HWADDR_PRIx " [%u]\n",
-                  __func__, offset, size);
-    return 0;
-}
-
-static void aspeed_soc_io_write(void *opaque, hwaddr offset, uint64_t value,
-                unsigned size)
-{
-    qemu_log_mask(LOG_UNIMP, "%s: 0x%" HWADDR_PRIx " <- 0x%" PRIx64 " [%u]\n",
-                  __func__, offset, value, size);
-}
-
-static const MemoryRegionOps aspeed_soc_io_ops = {
-    .read = aspeed_soc_io_read,
-    .write = aspeed_soc_io_write,
-    .endianness = DEVICE_LITTLE_ENDIAN,
-};
-
 static void aspeed_soc_init(Object *obj)
 {
     AspeedSoCState *s = ASPEED_SOC(obj);
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
     Error *err = NULL, *local_err = NULL;
 
     /* IO space */
-    memory_region_init_io(&s->iomem, NULL, &aspeed_soc_io_ops, NULL,
-            "aspeed_soc.io", ASPEED_SOC_IOMEM_SIZE);
-    memory_region_add_subregion_overlap(get_system_memory(),
-                                        ASPEED_SOC_IOMEM_BASE, &s->iomem, -1);
+    create_unimplemented_device("aspeed_soc.io",
+                                ASPEED_SOC_IOMEM_BASE, ASPEED_SOC_IOMEM_SIZE);
 
     /* CPU */
     object_property_set_bool(OBJECT(&s->cpu), true, "realized", &err);
-- 
2.16.1

From: Richard Henderson <richard.henderson@linaro.org>

Because they are ARM_CP_STATE_AA64, ARM_CP_64BIT is implied.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180211205848.4568-2-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void zcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
 static const ARMCPRegInfo zcr_el1_reginfo = {
     .name = "ZCR_EL1", .state = ARM_CP_STATE_AA64,
     .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 2, .opc2 = 0,
-    .access = PL1_RW, .accessfn = zcr_access, .type = ARM_CP_64BIT,
+    .access = PL1_RW, .accessfn = zcr_access,
     .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[1]),
     .writefn = zcr_write, .raw_writefn = raw_write
 };
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo zcr_el1_reginfo = {
 static const ARMCPRegInfo zcr_el2_reginfo = {
     .name = "ZCR_EL2", .state = ARM_CP_STATE_AA64,
     .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 0,
-    .access = PL2_RW, .accessfn = zcr_access, .type = ARM_CP_64BIT,
+    .access = PL2_RW, .accessfn = zcr_access,
     .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[2]),
     .writefn = zcr_write, .raw_writefn = raw_write
 };
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo zcr_el2_reginfo = {
 static const ARMCPRegInfo zcr_no_el2_reginfo = {
     .name = "ZCR_EL2", .state = ARM_CP_STATE_AA64,
     .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 0,
-    .access = PL2_RW, .type = ARM_CP_64BIT,
+    .access = PL2_RW,
     .readfn = arm_cp_read_zero, .writefn = arm_cp_write_ignore
 };
 
 static const ARMCPRegInfo zcr_el3_reginfo = {
     .name = "ZCR_EL3", .state = ARM_CP_STATE_AA64,
     .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 2, .opc2 = 0,
-    .access = PL3_RW, .accessfn = zcr_access, .type = ARM_CP_64BIT,
+    .access = PL3_RW, .accessfn = zcr_access,
     .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[3]),
     .writefn = zcr_write, .raw_writefn = raw_write
 };
-- 
2.16.1

From: Richard Henderson <richard.henderson@linaro.org>

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180211205848.4568-3-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h           | 35 ++++++++++++++++++-----------------
 target/arm/helper.c        |  6 ++++--
 target/arm/translate-a64.c |  3 +++
 3 files changed, 25 insertions(+), 19 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
 }
 
 /* ARMCPRegInfo type field bits. If the SPECIAL bit is set this is a
- * special-behaviour cp reg and bits [15..8] indicate what behaviour
+ * special-behaviour cp reg and bits [11..8] indicate what behaviour
  * it has. Otherwise it is a simple cp reg, where CONST indicates that
  * TCG can assume the value to be constant (ie load at translate time)
  * and 64BIT indicates a 64 bit wide coprocessor register. SUPPRESS_TB_END
@@ -XXX,XX +XXX,XX @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
  * need to be surrounded by gen_io_start()/gen_io_end(). In particular,
  * registers which implement clocks or timers require this.
  */
-#define ARM_CP_SPECIAL 1
-#define ARM_CP_CONST 2
-#define ARM_CP_64BIT 4
-#define ARM_CP_SUPPRESS_TB_END 8
-#define ARM_CP_OVERRIDE 16
-#define ARM_CP_ALIAS 32
-#define ARM_CP_IO 64
-#define ARM_CP_NO_RAW 128
-#define ARM_CP_NOP (ARM_CP_SPECIAL | (1 << 8))
-#define ARM_CP_WFI (ARM_CP_SPECIAL | (2 << 8))
-#define ARM_CP_NZCV (ARM_CP_SPECIAL | (3 << 8))
-#define ARM_CP_CURRENTEL (ARM_CP_SPECIAL | (4 << 8))
-#define ARM_CP_DC_ZVA (ARM_CP_SPECIAL | (5 << 8))
-#define ARM_LAST_SPECIAL ARM_CP_DC_ZVA
+#define ARM_CP_SPECIAL           0x0001
+#define ARM_CP_CONST             0x0002
+#define ARM_CP_64BIT             0x0004
+#define ARM_CP_SUPPRESS_TB_END   0x0008
+#define ARM_CP_OVERRIDE          0x0010
+#define ARM_CP_ALIAS             0x0020
+#define ARM_CP_IO                0x0040
+#define ARM_CP_NO_RAW            0x0080
+#define ARM_CP_NOP               (ARM_CP_SPECIAL | 0x0100)
+#define ARM_CP_WFI               (ARM_CP_SPECIAL | 0x0200)
+#define ARM_CP_NZCV              (ARM_CP_SPECIAL | 0x0300)
+#define ARM_CP_CURRENTEL         (ARM_CP_SPECIAL | 0x0400)
+#define ARM_CP_DC_ZVA            (ARM_CP_SPECIAL | 0x0500)
+#define ARM_LAST_SPECIAL         ARM_CP_DC_ZVA
+#define ARM_CP_FPU               0x1000
 /* Used only as a terminator for ARMCPRegInfo lists */
-#define ARM_CP_SENTINEL 0xffff
+#define ARM_CP_SENTINEL          0xffff
 /* Mask of only the flag bits in a type field */
-#define ARM_CP_FLAG_MASK 0xff
+#define ARM_CP_FLAG_MASK         0x10ff
 
 /* Valid values for ARMCPRegInfo state field, indicating which of
  * the AArch32 and AArch64 execution states this register is visible in.
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
       .writefn = aa64_daif_write, .resetfn = arm_cp_reset_ignore },
     { .name = "FPCR", .state = ARM_CP_STATE_AA64,
       .opc0 = 3, .opc1 = 3, .opc2 = 0, .crn = 4, .crm = 4,
-      .access = PL0_RW, .readfn = aa64_fpcr_read, .writefn = aa64_fpcr_write },
+      .access = PL0_RW, .type = ARM_CP_FPU,
+      .readfn = aa64_fpcr_read, .writefn = aa64_fpcr_write },
     { .name = "FPSR", .state = ARM_CP_STATE_AA64,
       .opc0 = 3, .opc1 = 3, .opc2 = 1, .crn = 4, .crm = 4,
-      .access = PL0_RW, .readfn = aa64_fpsr_read, .writefn = aa64_fpsr_write },
+      .access = PL0_RW, .type = ARM_CP_FPU,
+      .readfn = aa64_fpsr_read, .writefn = aa64_fpsr_write },
     { .name = "DCZID_EL0", .state = ARM_CP_STATE_AA64,
       .opc0 = 3, .opc1 = 3, .opc2 = 7, .crn = 0, .crm = 0,
       .access = PL0_R, .type = ARM_CP_NO_RAW,
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
     default:
         break;
     }
+    if ((ri->type & ARM_CP_FPU) && !fp_access_check(s)) {
+        return;
+    }
 
     if ((tb_cflags(s->base.tb) & CF_USE_ICOUNT) && (ri->type & ARM_CP_IO)) {
         gen_io_start();
-- 
2.16.1

From: Richard Henderson <richard.henderson@linaro.org>

Nothing in either register affects the TB.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180211205848.4568-4-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
       .writefn = aa64_daif_write, .resetfn = arm_cp_reset_ignore },
     { .name = "FPCR", .state = ARM_CP_STATE_AA64,
       .opc0 = 3, .opc1 = 3, .opc2 = 0, .crn = 4, .crm = 4,
-      .access = PL0_RW, .type = ARM_CP_FPU,
+      .access = PL0_RW, .type = ARM_CP_FPU | ARM_CP_SUPPRESS_TB_END,
       .readfn = aa64_fpcr_read, .writefn = aa64_fpcr_write },
     { .name = "FPSR", .state = ARM_CP_STATE_AA64,
       .opc0 = 3, .opc1 = 3, .opc2 = 1, .crn = 4, .crm = 4,
-      .access = PL0_RW, .type = ARM_CP_FPU,
+      .access = PL0_RW, .type = ARM_CP_FPU | ARM_CP_SUPPRESS_TB_END,
       .readfn = aa64_fpsr_read, .writefn = aa64_fpsr_write },
     { .name = "DCZID_EL0", .state = ARM_CP_STATE_AA64,
       .opc0 = 3, .opc1 = 3, .opc2 = 7, .crn = 0, .crm = 0,
-- 
2.16.1

From: Richard Henderson <richard.henderson@linaro.org>

This also makes sure that we get the correct ordering of
SVE vs FP exceptions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180211205848.4568-5-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h           |  3 ++-
 target/arm/internals.h     |  6 ++++++
 target/arm/helper.c        | 22 ++++------------------
 target/arm/translate-a64.c | 16 ++++++++++++++++
 4 files changed, 28 insertions(+), 19 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
 #define ARM_CP_DC_ZVA            (ARM_CP_SPECIAL | 0x0500)
 #define ARM_LAST_SPECIAL         ARM_CP_DC_ZVA
 #define ARM_CP_FPU               0x1000
+#define ARM_CP_SVE               0x2000
 /* Used only as a terminator for ARMCPRegInfo lists */
 #define ARM_CP_SENTINEL          0xffff
 /* Mask of only the flag bits in a type field */
-#define ARM_CP_FLAG_MASK         0x10ff
+#define ARM_CP_FLAG_MASK         0x30ff
 
 /* Valid values for ARMCPRegInfo state field, indicating which of
  * the AArch32 and AArch64 execution states this register is visible in.
diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ enum arm_exception_class {
     EC_AA64_HVC               = 0x16,
     EC_AA64_SMC               = 0x17,
     EC_SYSTEMREGISTERTRAP     = 0x18,
+    EC_SVEACCESSTRAP          = 0x19,
     EC_INSNABORT              = 0x20,
     EC_INSNABORT_SAME_EL      = 0x21,
     EC_PCALIGNMENT            = 0x22,
@@ -XXX,XX +XXX,XX @@ static inline uint32_t syn_fp_access_trap(int cv, int cond, bool is_16bit)
         | (cv << 24) | (cond << 20);
 }
 
+static inline uint32_t syn_sve_access_trap(void)
+{
+    return EC_SVEACCESSTRAP << ARM_EL_EC_SHIFT;
+}
+
 static inline uint32_t syn_insn_abort(int same_el, int ea, int s1ptw, int fsc)
 {
     return (EC_INSNABORT << ARM_EL_EC_SHIFT) | (same_el << ARM_EL_EC_SHIFT)
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static int sve_exception_el(CPUARMState *env)
     return 0;
 }
 
-static CPAccessResult zcr_access(CPUARMState *env, const ARMCPRegInfo *ri,
-                                 bool isread)
-{
-    switch (sve_exception_el(env)) {
-    case 3:
-        return CP_ACCESS_TRAP_EL3;
-    case 2:
-        return CP_ACCESS_TRAP_EL2;
-    case 1:
-        return CP_ACCESS_TRAP;
-    }
-    return CP_ACCESS_OK;
-}
-
 static void zcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                       uint64_t value)
 {
@@ -XXX,XX +XXX,XX @@ static void zcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
 static const ARMCPRegInfo zcr_el1_reginfo = {
     .name = "ZCR_EL1", .state = ARM_CP_STATE_AA64,
     .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 2, .opc2 = 0,
-    .access = PL1_RW, .accessfn = zcr_access,
+    .access = PL1_RW, .type = ARM_CP_SVE | ARM_CP_FPU,
     .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[1]),
     .writefn = zcr_write, .raw_writefn = raw_write
 };
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo zcr_el1_reginfo = {
 static const ARMCPRegInfo zcr_el2_reginfo = {
     .name = "ZCR_EL2", .state = ARM_CP_STATE_AA64,
     .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 0,
-    .access = PL2_RW, .accessfn = zcr_access,
+    .access = PL2_RW, .type = ARM_CP_SVE | ARM_CP_FPU,
     .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[2]),
     .writefn = zcr_write, .raw_writefn = raw_write
 };
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo zcr_el2_reginfo = {
 static const ARMCPRegInfo zcr_no_el2_reginfo = {
     .name = "ZCR_EL2", .state = ARM_CP_STATE_AA64,
     .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 0,
-    .access = PL2_RW,
+    .access = PL2_RW, .type = ARM_CP_SVE | ARM_CP_FPU,
     .readfn = arm_cp_read_zero, .writefn = arm_cp_write_ignore
 };
 
 static const ARMCPRegInfo zcr_el3_reginfo = {
     .name = "ZCR_EL3", .state = ARM_CP_STATE_AA64,
     .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 2, .opc2 = 0,
-    .access = PL3_RW, .accessfn = zcr_access,
+    .access = PL3_RW, .type = ARM_CP_SVE | ARM_CP_FPU,
     .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[3]),
     .writefn = zcr_write, .raw_writefn = raw_write
 };
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline bool fp_access_check(DisasContext *s)
     return false;
 }
 
+/* Check that SVE access is enabled.  If it is, return true.
+ * If not, emit code to generate an appropriate exception and return false.
+ */
+static inline bool sve_access_check(DisasContext *s)
+{
+    if (s->sve_excp_el) {
+        gen_exception_insn(s, 4, EXCP_UDEF, syn_sve_access_trap(),
+                           s->sve_excp_el);
+        return false;
+    }
+    return true;
+}
+
 /*
  * This utility function is for doing register extension with an
  * optional shift. You will likely want to pass a temporary for the
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
     default:
         break;
     }
+    if ((ri->type & ARM_CP_SVE) && !sve_access_check(s)) {
+        return;
+    }
     if ((ri->type & ARM_CP_FPU) && !fp_access_check(s)) {
         return;
     }
-- 
2.16.1

From: Richard Henderson <richard.henderson@linaro.org>

When storing to an AdvSIMD FP register, all of the high
bits of the SVE register are zeroed.  Therefore, call it
more often with is_q as a parameter.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180211205848.4568-6-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 162 +++++++++++++++++----------------------------
 1 file changed, 62 insertions(+), 100 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static TCGv_i32 read_fp_sreg(DisasContext *s, int reg)
     return v;
 }
 
+/* Clear the bits above an N-bit vector, for N = (is_q ? 128 : 64).
+ * If SVE is not enabled, then there are only 128 bits in the vector.
+ */
+static void clear_vec_high(DisasContext *s, bool is_q, int rd)
+{
+    unsigned ofs = fp_reg_offset(s, rd, MO_64);
+    unsigned vsz = vec_full_reg_size(s);
+
+    if (!is_q) {
+        TCGv_i64 tcg_zero = tcg_const_i64(0);
+        tcg_gen_st_i64(tcg_zero, cpu_env, ofs + 8);
+        tcg_temp_free_i64(tcg_zero);
+    }
+    if (vsz > 16) {
+        tcg_gen_gvec_dup8i(ofs + 16, vsz - 16, vsz - 16, 0);
+    }
+}
+
 static void write_fp_dreg(DisasContext *s, int reg, TCGv_i64 v)
 {
-    TCGv_i64 tcg_zero = tcg_const_i64(0);
+    unsigned ofs = fp_reg_offset(s, reg, MO_64);
 
-    tcg_gen_st_i64(v, cpu_env, fp_reg_offset(s, reg, MO_64));
-    tcg_gen_st_i64(tcg_zero, cpu_env, fp_reg_hi_offset(s, reg));
-    tcg_temp_free_i64(tcg_zero);
+    tcg_gen_st_i64(v, cpu_env, ofs);
+    clear_vec_high(s, false, reg);
 }
 
 static void write_fp_sreg(DisasContext *s, int reg, TCGv_i32 v)
@@ -XXX,XX +XXX,XX @@ static void do_fp_ld(DisasContext *s, int destidx, TCGv_i64 tcg_addr, int size)
 
     tcg_temp_free_i64(tmplo);
     tcg_temp_free_i64(tmphi);
+
+    clear_vec_high(s, true, destidx);
 }
 
 /*
@@ -XXX,XX +XXX,XX @@ static void write_vec_element_i32(DisasContext *s, TCGv_i32 tcg_src,
     }
 }
 
-/* Clear the high 64 bits of a 128 bit vector (in general non-quad
- * vector ops all need to do this).
- */
-static void clear_vec_high(DisasContext *s, int rd)
-{
-    TCGv_i64 tcg_zero = tcg_const_i64(0);
-
-    write_vec_element(s, tcg_zero, rd, 1, MO_64);
-    tcg_temp_free_i64(tcg_zero);
-}
-
 /* Store from vector register to memory */
 static void do_vec_st(DisasContext *s, int srcidx, int element,
                       TCGv_i64 tcg_addr, int size)
@@ -XXX,XX +XXX,XX @@ static void disas_ldst_multiple_struct(DisasContext *s, uint32_t insn)
                     /* For non-quad operations, setting a slice of the low
                      * 64 bits of the register clears the high 64 bits (in
                      * the ARM ARM pseudocode this is implicit in the fact
-                     * that 'rval' is a 64 bit wide variable). We optimize
-                     * by noticing that we only need to do this the first
-                     * time we touch a register.
+                     * that 'rval' is a 64 bit wide variable).
+                     * For quad operations, we might still need to zero the
+                     * high bits of SVE.  We optimize by noticing that we only
+                     * need to do this the first time we touch a register.
                      */
-                    if (!is_q && e == 0 && (r == 0 || xs == selem - 1)) {
-                        clear_vec_high(s, tt);
+                    if (e == 0 && (r == 0 || xs == selem - 1)) {
+                        clear_vec_high(s, is_q, tt);
                     }
                 }
                 tcg_gen_addi_i64(tcg_addr, tcg_addr, ebytes);
@@ -XXX,XX +XXX,XX @@ static void disas_ldst_single_struct(DisasContext *s, uint32_t insn)
             write_vec_element(s, tcg_tmp, rt, 0, MO_64);
             if (is_q) {
                 write_vec_element(s, tcg_tmp, rt, 1, MO_64);
-            } else {
-                clear_vec_high(s, rt);
             }
             tcg_temp_free_i64(tcg_tmp);
+            clear_vec_high(s, is_q, rt);
         } else {
             /* Load/store one element per register */
             if (is_load) {
@@ -XXX,XX +XXX,XX @@ static void handle_vec_simd_sqshrn(DisasContext *s, bool is_scalar, bool is_q,
     }
 
     if (!is_q) {
-        clear_vec_high(s, rd);
         write_vec_element(s, tcg_final, rd, 0, MO_64);
     } else {
         write_vec_element(s, tcg_final, rd, 1, MO_64);
@@ -XXX,XX +XXX,XX @@ static void handle_vec_simd_sqshrn(DisasContext *s, bool is_scalar, bool is_q,
     tcg_temp_free_i64(tcg_rd);
     tcg_temp_free_i32(tcg_rd_narrowed);
     tcg_temp_free_i64(tcg_final);
-    return;
+
+    clear_vec_high(s, is_q, rd);
 }
 
 /* SQSHLU, UQSHL, SQSHL: saturating left shifts */
@@ -XXX,XX +XXX,XX @@ static void handle_simd_qshl(DisasContext *s, bool scalar, bool is_q,
             tcg_temp_free_i64(tcg_op);
         }
         tcg_temp_free_i64(tcg_shift);
-
-        if (!is_q) {
-            clear_vec_high(s, rd);
-        }
+        clear_vec_high(s, is_q, rd);
     } else {
         TCGv_i32 tcg_shift = tcg_const_i32(shift);
         static NeonGenTwoOpEnvFn * const fns[2][2][3] = {
@@ -XXX,XX +XXX,XX @@ static void handle_simd_qshl(DisasContext *s, bool scalar, bool is_q,
         }
         tcg_temp_free_i32(tcg_shift);
 
-        if (!is_q && !scalar) {
-            clear_vec_high(s, rd);
+        if (!scalar) {
+            clear_vec_high(s, is_q, rd);
         }
     }
 }
@@ -XXX,XX +XXX,XX @@ static void handle_simd_intfp_conv(DisasContext *s, int rd, int rn,
         }
     }
 
-    if (!is_double && elements == 2) {
-        clear_vec_high(s, rd);
-    }
-
     tcg_temp_free_i64(tcg_int);
     tcg_temp_free_ptr(tcg_fpst);
     tcg_temp_free_i32(tcg_shift);
+
+    clear_vec_high(s, elements << size == 16, rd);
 }
 
 /* UCVTF/SCVTF - Integer to FP conversion */
@@ -XXX,XX +XXX,XX @@ static void handle_simd_shift_fpint_conv(DisasContext *s, bool is_scalar,
             write_vec_element(s, tcg_op, rd, pass, MO_64);
             tcg_temp_free_i64(tcg_op);
         }
-        if (!is_q) {
-            clear_vec_high(s, rd);
-        }
+        clear_vec_high(s, is_q, rd);
     } else {
         int maxpass = is_scalar ? 1 : is_q ? 4 : 2;
         for (pass = 0; pass < maxpass; pass++) {
@@ -XXX,XX +XXX,XX @@ static void handle_simd_shift_fpint_conv(DisasContext *s, bool is_scalar,
             }
             tcg_temp_free_i32(tcg_op);
         }
-        if (!is_q && !is_scalar) {
-            clear_vec_high(s, rd);
+        if (!is_scalar) {
+            clear_vec_high(s, is_q, rd);
         }
     }
 
@@ -XXX,XX +XXX,XX @@ static void handle_3same_float(DisasContext *s, int size, int elements,
 
     tcg_temp_free_ptr(fpst);
 
-    if ((elements << size) < 4) {
-        /* scalar, or non-quad vector op */
-        clear_vec_high(s, rd);
-    }
+    clear_vec_high(s, elements * (size ? 8 : 4) > 8, rd);
 }
 
 /* AdvSIMD scalar three same
@@ -XXX,XX +XXX,XX @@ static void handle_2misc_fcmp_zero(DisasContext *s, int opcode,
             }
             write_vec_element(s, tcg_res, rd, pass, MO_64);
         }
-        if (is_scalar) {
-            clear_vec_high(s, rd);
-        }
-
         tcg_temp_free_i64(tcg_res);
         tcg_temp_free_i64(tcg_zero);
         tcg_temp_free_i64(tcg_op);
+
+        clear_vec_high(s, !is_scalar, rd);
     } else {
         TCGv_i32 tcg_op = tcg_temp_new_i32();
         TCGv_i32 tcg_zero = tcg_const_i32(0);
@@ -XXX,XX +XXX,XX @@ static void handle_2misc_fcmp_zero(DisasContext *s, int opcode,
         tcg_temp_free_i32(tcg_res);
         tcg_temp_free_i32(tcg_zero);
         tcg_temp_free_i32(tcg_op);
-        if (!is_q && !is_scalar) {
-            clear_vec_high(s, rd);
+        if (!is_scalar) {
+            clear_vec_high(s, is_q, rd);
         }
     }
 
@@ -XXX,XX +XXX,XX @@ static void handle_2misc_reciprocal(DisasContext *s, int opcode,
             }
             write_vec_element(s, tcg_res, rd, pass, MO_64);
         }
-        if (is_scalar) {
-            clear_vec_high(s, rd);
-        }
-
         tcg_temp_free_i64(tcg_res);
         tcg_temp_free_i64(tcg_op);
+        clear_vec_high(s, !is_scalar, rd);
     } else {
         TCGv_i32 tcg_op = tcg_temp_new_i32();
         TCGv_i32 tcg_res = tcg_temp_new_i32();
@@ -XXX,XX +XXX,XX @@ static void handle_2misc_reciprocal(DisasContext *s, int opcode,
         }
         tcg_temp_free_i32(tcg_res);
         tcg_temp_free_i32(tcg_op);
-        if (!is_q && !is_scalar) {
-            clear_vec_high(s, rd);
+        if (!is_scalar) {
+            clear_vec_high(s, is_q, rd);
         }
     }
     tcg_temp_free_ptr(fpst);
@@ -XXX,XX +XXX,XX @@ static void handle_2misc_narrow(DisasContext *s, bool scalar,
         write_vec_element_i32(s, tcg_res[pass], rd, destelt + pass, MO_32);
         tcg_temp_free_i32(tcg_res[pass]);
     }
-    if (!is_q) {
-        clear_vec_high(s, rd);
-    }
+    clear_vec_high(s, is_q, rd);
 }
 
 /* Remaining saturating accumulating ops */
@@ -XXX,XX +XXX,XX @@ static void handle_2misc_satacc(DisasContext *s, bool is_scalar, bool is_u,
             }
             write_vec_element(s, tcg_rd, rd, pass, MO_64);
         }
-        if (is_scalar) {
-            clear_vec_high(s, rd);
-        }
-
         tcg_temp_free_i64(tcg_rd);
         tcg_temp_free_i64(tcg_rn);
+        clear_vec_high(s, !is_scalar, rd);
     } else {
         TCGv_i32 tcg_rn = tcg_temp_new_i32();
         TCGv_i32 tcg_rd = tcg_temp_new_i32();
@@ -XXX,XX +XXX,XX @@ static void handle_2misc_satacc(DisasContext *s, bool is_scalar, bool is_u,
             }
             write_vec_element_i32(s, tcg_rd, rd, pass, MO_32);
         }
-
-        if (!is_q) {
-            clear_vec_high(s, rd);
-        }
-
         tcg_temp_free_i32(tcg_rd);
         tcg_temp_free_i32(tcg_rn);
+        clear_vec_high(s, is_q, rd);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static void handle_vec_simd_shri(DisasContext *s, bool is_q, bool is_u,
     tcg_temp_free_i64(tcg_round);
 
  done:
-    if (!is_q) {
-        clear_vec_high(s, rd);
-    }
+    clear_vec_high(s, is_q, rd);
 }
 
 static void gen_shl8_ins_i64(TCGv_i64 d, TCGv_i64 a, int64_t shift)
@@ -XXX,XX +XXX,XX @@ static void handle_vec_simd_shrn(DisasContext *s, bool is_q,
     }
 
     if (!is_q) {
-        clear_vec_high(s, rd);
         write_vec_element(s, tcg_final, rd, 0, MO_64);
     } else {
         write_vec_element(s, tcg_final, rd, 1, MO_64);
     }
-
     if (round) {
         tcg_temp_free_i64(tcg_round);
     }
     tcg_temp_free_i64(tcg_rn);
     tcg_temp_free_i64(tcg_rd);
     tcg_temp_free_i64(tcg_final);
-    return;
+
+    clear_vec_high(s, is_q, rd);
 }
 
 
@@ -XXX,XX +XXX,XX @@ static void handle_3rd_narrowing(DisasContext *s, int is_q, int is_u, int size,
         write_vec_element_i32(s, tcg_res[pass], rd, pass + part, MO_32);
         tcg_temp_free_i32(tcg_res[pass]);
     }
-    if (!is_q) {
-        clear_vec_high(s, rd);
-    }
+    clear_vec_high(s, is_q, rd);
 }
 
 static void handle_pmull_64(DisasContext *s, int is_q, int rd, int rn, int rm)
@@ -XXX,XX +XXX,XX @@ static void handle_simd_3same_pair(DisasContext *s, int is_q, int u, int opcode,
             write_vec_element_i32(s, tcg_res[pass], rd, pass, MO_32);
             tcg_temp_free_i32(tcg_res[pass]);
         }
-        if (!is_q) {
-            clear_vec_high(s, rd);
-        }
+        clear_vec_high(s, is_q, rd);
     }
 
     if (fpst) {
@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
             tcg_temp_free_i32(tcg_op2);
         }
     }
-
-    if (!is_q) {
-        clear_vec_high(s, rd);
-    }
+    clear_vec_high(s, is_q, rd);
 }
 
 /* AdvSIMD three same
@@ -XXX,XX +XXX,XX @@ static void handle_rev(DisasContext *s, int opcode, bool u,
             write_vec_element(s, tcg_tmp, rd, i, grp_size);
             tcg_temp_free_i64(tcg_tmp);
         }
-        if (!is_q) {
-            clear_vec_high(s, rd);
-        }
+        clear_vec_high(s, is_q, rd);
     } else {
         int revmask = (1 << grp_size) - 1;
         int esize = 8 << size;
@@ -XXX,XX +XXX,XX @@ static void disas_simd_two_reg_misc(DisasContext *s, uint32_t insn)
             tcg_temp_free_i32(tcg_op);
         }
     }
-    if (!is_q) {
-        clear_vec_high(s, rd);
-    }
+    clear_vec_high(s, is_q, rd);
 
     if (need_rmode) {
         gen_helper_set_rmode(tcg_rmode, tcg_rmode, cpu_env);
@@ -XXX,XX +XXX,XX @@ static void disas_simd_indexed(DisasContext *s, uint32_t insn)
             tcg_temp_free_i64(tcg_res);
         }
 
-        if (is_scalar) {
-            clear_vec_high(s, rd);
-        }
-
         tcg_temp_free_i64(tcg_idx);
+        clear_vec_high(s, !is_scalar, rd);
     } else if (!is_long) {
         /* 32 bit floating point, or 16 or 32 bit integer.
          * For the 16 bit scalar case we use the usual Neon helpers and
@@ -XXX,XX +XXX,XX @@ static void disas_simd_indexed(DisasContext *s, uint32_t insn)
         }
 
         tcg_temp_free_i32(tcg_idx);
-
-        if (!is_q) {
-            clear_vec_high(s, rd);
-        }
+        clear_vec_high(s, is_q, rd);
     } else {
         /* long ops: 16x16->32 or 32x32->64 */
         TCGv_i64 tcg_res[2];
@@ -XXX,XX +XXX,XX @@ static void disas_simd_indexed(DisasContext *s, uint32_t insn)
             }
             tcg_temp_free_i64(tcg_idx);
 
-            if (is_scalar) {
-                clear_vec_high(s, rd);
-            }
+            clear_vec_high(s, !is_scalar, rd);
         } else {
             TCGv_i32 tcg_idx = tcg_temp_new_i32();
 
-- 
2.16.1

Instead of hardcoding the values of M profile ID registers in the
NVIC, use the fields in the CPU struct. This will allow us to
give different M profile CPU types different ID register values.

This commit includes the addition of the missing ID_ISAR5,
which exists as RES0 in both v7M and v8M.

(The values of the ID registers might be wrong for the M4 --
this commit leaves the behaviour there unchanged.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-2-peter.maydell@linaro.org
---
 hw/intc/armv7m_nvic.c | 30 ++++++++++++++++--------------
 target/arm/cpu.c      | 28 ++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 14 deletions(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
                       "Aux Fault status registers unimplemented\n");
         return 0;
     case 0xd40: /* PFR0.  */
-        return 0x00000030;
-    case 0xd44: /* PRF1.  */
-        return 0x00000200;
+        return cpu->id_pfr0;
+    case 0xd44: /* PFR1.  */
+        return cpu->id_pfr1;
     case 0xd48: /* DFR0.  */
-        return 0x00100000;
+        return cpu->id_dfr0;
     case 0xd4c: /* AFR0.  */
-        return 0x00000000;
+        return cpu->id_afr0;
     case 0xd50: /* MMFR0.  */
-        return 0x00000030;
+        return cpu->id_mmfr0;
     case 0xd54: /* MMFR1.  */
-        return 0x00000000;
+        return cpu->id_mmfr1;
     case 0xd58: /* MMFR2.  */
-        return 0x00000000;
+        return cpu->id_mmfr2;
     case 0xd5c: /* MMFR3.  */
-        return 0x00000000;
+        return cpu->id_mmfr3;
     case 0xd60: /* ISAR0.  */
-        return 0x01141110;
+        return cpu->id_isar0;
     case 0xd64: /* ISAR1.  */
-        return 0x02111000;
+        return cpu->id_isar1;
     case 0xd68: /* ISAR2.  */
-        return 0x21112231;
+        return cpu->id_isar2;
     case 0xd6c: /* ISAR3.  */
-        return 0x01111110;
+        return cpu->id_isar3;
     case 0xd70: /* ISAR4.  */
-        return 0x01310102;
+        return cpu->id_isar4;
+    case 0xd74: /* ISAR5.  */
+        return cpu->id_isar5;
     /* TODO: Implement debug registers.  */
     case 0xd90: /* MPU_TYPE */
         /* Unified MPU; if the MPU is not present this value is zero */
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void cortex_m3_initfn(Object *obj)
     set_feature(&cpu->env, ARM_FEATURE_M);
     cpu->midr = 0x410fc231;
     cpu->pmsav7_dregion = 8;
+    cpu->id_pfr0 = 0x00000030;
+    cpu->id_pfr1 = 0x00000200;
+    cpu->id_dfr0 = 0x00100000;
+    cpu->id_afr0 = 0x00000000;
+    cpu->id_mmfr0 = 0x00000030;
+    cpu->id_mmfr1 = 0x00000000;
+    cpu->id_mmfr2 = 0x00000000;
+    cpu->id_mmfr3 = 0x00000000;
+    cpu->id_isar0 = 0x01141110;
+    cpu->id_isar1 = 0x02111000;
+    cpu->id_isar2 = 0x21112231;
+    cpu->id_isar3 = 0x01111110;
+    cpu->id_isar4 = 0x01310102;
+    cpu->id_isar5 = 0x00000000;
 }
 
 static void cortex_m4_initfn(Object *obj)
@@ -XXX,XX +XXX,XX @@ static void cortex_m4_initfn(Object *obj)
     set_feature(&cpu->env, ARM_FEATURE_THUMB_DSP);
     cpu->midr = 0x410fc240; /* r0p0 */
     cpu->pmsav7_dregion = 8;
+    cpu->id_pfr0 = 0x00000030;
+    cpu->id_pfr1 = 0x00000200;
+    cpu->id_dfr0 = 0x00100000;
+    cpu->id_afr0 = 0x00000000;
+    cpu->id_mmfr0 = 0x00000030;
+    cpu->id_mmfr1 = 0x00000000;
+    cpu->id_mmfr2 = 0x00000000;
+    cpu->id_mmfr3 = 0x00000000;
+    cpu->id_isar0 = 0x01141110;
+    cpu->id_isar1 = 0x02111000;
+    cpu->id_isar2 = 0x21112231;
+    cpu->id_isar3 = 0x01111110;
+    cpu->id_isar4 = 0x01310102;
+    cpu->id_isar5 = 0x00000000;
 }
 
 static void arm_v7m_class_init(ObjectClass *oc, void *data)
-- 
2.16.1

The PENDNMISET/CLR bits in the ICSR should be RAZ/WI from
NonSecure state if the AIRCR.BFHFNMINS bit is zero. We had
misimplemented this as making the bits RAZ/WI from both
Secure and NonSecure states. Fix this bug by checking
attrs.secure so that Secure code can pend and unpend NMIs.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-3-peter.maydell@linaro.org
---
 hw/intc/armv7m_nvic.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
             }
         }
         /* NMIPENDSET */
-        if ((cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) &&
-            s->vectors[ARMV7M_EXCP_NMI].pending) {
+        if ((attrs.secure || (cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK))
+            && s->vectors[ARMV7M_EXCP_NMI].pending) {
             val |= (1 << 31);
         }
         /* ISRPREEMPT: RES0 when halting debug not implemented */
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
         break;
     }
     case 0xd04: /* Interrupt Control State (ICSR) */
-        if (cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) {
+        if (attrs.secure || cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) {
             if (value & (1 << 31)) {
                 armv7m_nvic_set_pending(s, ARMV7M_EXCP_NMI, false);
             } else if (value & (1 << 30) &&
-- 
2.16.1

For M profile cores, cache maintenance operations are done by
writing to special registers in the system register space.
For QEMU, cache operations are always NOPs, since we don't
implement the cache. Implementing these explicitly avoids
a spurious LOG_GUEST_ERROR when the guest uses them.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-4-peter.maydell@linaro.org
---
 hw/intc/armv7m_nvic.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
         }
         break;
     }
+    case 0xf50: /* ICIALLU */
+    case 0xf58: /* ICIMVAU */
+    case 0xf5c: /* DCIMVAC */
+    case 0xf60: /* DCISW */
+    case 0xf64: /* DCCMVAU */
+    case 0xf68: /* DCCMVAC */
+    case 0xf6c: /* DCCSW */
+    case 0xf70: /* DCCIMVAC */
+    case 0xf74: /* DCCISW */
+    case 0xf78: /* BPIALL */
+        /* Cache and branch predictor maintenance: for QEMU these always NOP */
+        break;
     default:
     bad_offset:
         qemu_log_mask(LOG_GUEST_ERROR,
-- 
2.16.1

The Coprocessor Power Control Register (CPPWR) is new in v8M.
It allows software to control whether coprocessors are allowed
to power down and lose their state. QEMU doesn't have any
notion of power control, so we choose the IMPDEF option of
making the whole register RAZ/WI (indicating that no coprocessors
can ever power down and lose state).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-5-peter.maydell@linaro.org
---
 hw/intc/armv7m_nvic.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

M profile cores have a similar setup for cache ID registers
to A profile:
 * Cache Level ID Register (CLIDR) is a fixed value
 * Cache Type Register (CTR) is a fixed value
 * Cache Size ID Registers (CCSIDR) are a bank of registers;
   which one you see is selected by the Cache Size Selection
   Register (CSSELR)

The only difference is that they're in the NVIC memory mapped
register space rather than being coprocessor registers.
Implement the M profile view of them.

Since neither Cortex-M3 nor Cortex-M4 implement caches,
we don't need to update their init functions and can leave
the ctr/clidr/ccsidr[] fields in their ARMCPU structs at zero.
Newer cores (like the Cortex-M33) will want to be able to
set these ID registers to non-zero values, though.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-6-peter.maydell@linaro.org
---
 target/arm/cpu.h      | 26 ++++++++++++++++++++++++++
 hw/intc/armv7m_nvic.c | 16 ++++++++++++++++
 target/arm/machine.c  | 36 ++++++++++++++++++++++++++++++++++++
 3 files changed, 78 insertions(+)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
         uint32_t faultmask[M_REG_NUM_BANKS];
         uint32_t aircr; /* only holds r/w state if security extn implemented */
         uint32_t secure; /* Is CPU in Secure state? (not guest visible) */
+        uint32_t csselr[M_REG_NUM_BANKS];
     } v7m;
 
     /* Information associated with an exception about to be taken:
@@ -XXX,XX +XXX,XX @@ FIELD(V7M_MPU_CTRL, ENABLE, 0, 1)
 FIELD(V7M_MPU_CTRL, HFNMIENA, 1, 1)
 FIELD(V7M_MPU_CTRL, PRIVDEFENA, 2, 1)
 
+/* v7M CLIDR bits */
+FIELD(V7M_CLIDR, CTYPE_ALL, 0, 21)
+FIELD(V7M_CLIDR, LOUIS, 21, 3)
+FIELD(V7M_CLIDR, LOC, 24, 3)
+FIELD(V7M_CLIDR, LOUU, 27, 3)
+FIELD(V7M_CLIDR, ICB, 30, 2)
+
+FIELD(V7M_CSSELR, IND, 0, 1)
+FIELD(V7M_CSSELR, LEVEL, 1, 3)
+/* We use the combination of InD and Level to index into cpu->ccsidr[];
+ * define a mask for this and check that it doesn't permit running off
+ * the end of the array.
+ */
+FIELD(V7M_CSSELR, INDEX, 0, 4)
+
+QEMU_BUILD_BUG_ON(ARRAY_SIZE(((ARMCPU *)0)->ccsidr) <= R_V7M_CSSELR_INDEX_MASK);
+
 /* If adding a feature bit which corresponds to a Linux ELF
  * HWCAP bit, remember to update the feature-bit-to-hwcap
  * mapping in linux-user/elfload.c:get_elf_hwcap().
@@ -XXX,XX +XXX,XX @@ static inline int arm_debug_target_el(CPUARMState *env)
     }
 }
 
+static inline bool arm_v7m_csselr_razwi(ARMCPU *cpu)
+{
+    /* If all the CLIDR.Ctypem bits are 0 there are no caches, and
+     * CSSELR is RAZ/WI.
+     */
+    return (cpu->clidr & R_V7M_CLIDR_CTYPE_ALL_MASK) != 0;
+}
+
 static inline bool aa64_generate_debug_exceptions(CPUARMState *env)
 {
     if (arm_is_secure(env)) {
diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
         return cpu->id_isar4;
     case 0xd74: /* ISAR5.  */
         return cpu->id_isar5;
+    case 0xd78: /* CLIDR */
+        return cpu->clidr;
+    case 0xd7c: /* CTR */
+        return cpu->ctr;
+    case 0xd80: /* CSSIDR */
+    {
+        int idx = cpu->env.v7m.csselr[attrs.secure] & R_V7M_CSSELR_INDEX_MASK;
+        return cpu->ccsidr[idx];
+    }
+    case 0xd84: /* CSSELR */
+        return cpu->env.v7m.csselr[attrs.secure];
     /* TODO: Implement debug registers.  */
     case 0xd90: /* MPU_TYPE */
         /* Unified MPU; if the MPU is not present this value is zero */
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
         qemu_log_mask(LOG_UNIMP,
                       "NVIC: Aux fault status registers unimplemented\n");
         break;
+    case 0xd84: /* CSSELR */
+        if (!arm_v7m_csselr_razwi(cpu)) {
+            cpu->env.v7m.csselr[attrs.secure] = value & R_V7M_CSSELR_INDEX_MASK;
+        }
+        break;
     case 0xd90: /* MPU_TYPE */
         return; /* RO */
     case 0xd94: /* MPU_CTRL */
diff --git a/target/arm/machine.c b/target/arm/machine.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/machine.c
+++ b/target/arm/machine.c
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m_faultmask_primask = {
     }
 };
 
+/* CSSELR is in a subsection because we didn't implement it previously.
+ * Migration from an old implementation will leave it at zero, which
+ * is OK since the only CPUs in the old implementation make the
+ * register RAZ/WI.
+ * Since there was no version of QEMU which implemented the CSSELR for
+ * just non-secure, we transfer both banks here rather than putting
+ * the secure banked version in the m-security subsection.
+ */
+static bool csselr_vmstate_validate(void *opaque, int version_id)
+{
+    ARMCPU *cpu = opaque;
+
+    return cpu->env.v7m.csselr[M_REG_NS] <= R_V7M_CSSELR_INDEX_MASK
+        && cpu->env.v7m.csselr[M_REG_S] <= R_V7M_CSSELR_INDEX_MASK;
+}
+
+static bool m_csselr_needed(void *opaque)
+{
+    ARMCPU *cpu = opaque;
+
+    return !arm_v7m_csselr_razwi(cpu);
+}
+
+static const VMStateDescription vmstate_m_csselr = {
+    .name = "cpu/m/csselr",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .needed = m_csselr_needed,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32_ARRAY(env.v7m.csselr, ARMCPU, M_REG_NUM_BANKS),
+        VMSTATE_VALIDATE("CSSELR is valid", csselr_vmstate_validate),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static const VMStateDescription vmstate_m = {
     .name = "cpu/m",
     .version_id = 4,
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m = {
     },
     .subsections = (const VMStateDescription*[]) {
         &vmstate_m_faultmask_primask,
+        &vmstate_m_csselr,
         NULL
     }
 };
-- 
2.16.1

We were previously making the system control register (SCR)
just RAZ/WI. Although we don't implement the functionality
this register controls, we should at least provide the state,
including the banked state for v8M.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-7-peter.maydell@linaro.org
---
 target/arm/cpu.h      |  7 +++++++
 hw/intc/armv7m_nvic.c | 12 ++++++++----
 target/arm/machine.c  | 12 ++++++++++++
 3 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
         uint32_t aircr; /* only holds r/w state if security extn implemented */
         uint32_t secure; /* Is CPU in Secure state? (not guest visible) */
         uint32_t csselr[M_REG_NUM_BANKS];
+        uint32_t scr[M_REG_NUM_BANKS];
     } v7m;
 
     /* Information associated with an exception about to be taken:
@@ -XXX,XX +XXX,XX @@ FIELD(V7M_CCR, STKALIGN, 9, 1)
 FIELD(V7M_CCR, DC, 16, 1)
 FIELD(V7M_CCR, IC, 17, 1)
 
+/* V7M SCR bits */
+FIELD(V7M_SCR, SLEEPONEXIT, 1, 1)
+FIELD(V7M_SCR, SLEEPDEEP, 2, 1)
+FIELD(V7M_SCR, SLEEPDEEPS, 3, 1)
+FIELD(V7M_SCR, SEVONPEND, 4, 1)
+
 /* V7M AIRCR bits */
 FIELD(V7M_AIRCR, VECTRESET, 0, 1)
 FIELD(V7M_AIRCR, VECTCLRACTIVE, 1, 1)
diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
         }
         return val;
     case 0xd10: /* System Control.  */
-        /* TODO: Implement SLEEPONEXIT.  */
-        return 0;
+        return cpu->env.v7m.scr[attrs.secure];
     case 0xd14: /* Configuration Control.  */
         /* The BFHFNMIGN bit is the only non-banked bit; we
          * keep it in the non-secure copy of the register.
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
         }
         break;
     case 0xd10: /* System Control.  */
-        /* TODO: Implement control registers.  */
-        qemu_log_mask(LOG_UNIMP, "NVIC: SCR unimplemented\n");
+        /* We don't implement deep-sleep so these bits are RAZ/WI.
+         * The other bits in the register are banked.
+         * QEMU's implementation ignores SEVONPEND and SLEEPONEXIT, which
+         * is architecturally permitted.
+         */
+        value &= ~(R_V7M_SCR_SLEEPDEEP_MASK | R_V7M_SCR_SLEEPDEEPS_MASK);
+        cpu->env.v7m.scr[attrs.secure] = value;
         break;
     case 0xd14: /* Configuration Control.  */
         /* Enforce RAZ/WI on reserved and must-RAZ/WI bits */
diff --git a/target/arm/machine.c b/target/arm/machine.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/machine.c
+++ b/target/arm/machine.c
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m_csselr = {
     }
 };
 
+static const VMStateDescription vmstate_m_scr = {
+    .name = "cpu/m/scr",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(env.v7m.scr[M_REG_NS], ARMCPU),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static const VMStateDescription vmstate_m = {
     .name = "cpu/m",
     .version_id = 4,
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m = {
     .subsections = (const VMStateDescription*[]) {
         &vmstate_m_faultmask_primask,
         &vmstate_m_csselr,
+        &vmstate_m_scr,
         NULL
     }
 };
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m_security = {
         VMSTATE_UINT32(env.sau.rnr, ARMCPU),
         VMSTATE_VALIDATE("SAU_RNR is valid", sau_rnr_vmstate_validate),
         VMSTATE_UINT32(env.sau.ctrl, ARMCPU),
+        VMSTATE_UINT32(env.v7m.scr[M_REG_S], ARMCPU),
         VMSTATE_END_OF_LIST()
     }
 };
-- 
2.16.1

In commit 50f11062d4c896 we added support for MSR/MRS access
to the NS banked special registers, but we forgot to implement
the support for writing to CONTROL_NS. Correct the omission.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-8-peter.maydell@linaro.org
---
 target/arm/helper.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
             }
             env->v7m.faultmask[M_REG_NS] = val & 1;
             return;
+        case 0x94: /* CONTROL_NS */
+            if (!env->v7m.secure) {
+                return;
+            }
+            write_v7m_control_spsel_for_secstate(env,
+                                                 val & R_V7M_CONTROL_SPSEL_MASK,
+                                                 M_REG_NS);
+            env->v7m.control[M_REG_NS] &= ~R_V7M_CONTROL_NPRIV_MASK;
+            env->v7m.control[M_REG_NS] |= val & R_V7M_CONTROL_NPRIV_MASK;
+            return;
         case 0x98: /* SP_NS */
         {
             /* This gives the non-secure SP selected based on whether we're
-- 
2.16.1

In many of the NVIC registers relating to interrupts, we
have to convert from a byte offset within a register set
into the number of the first interrupt which is affected.
We were getting this wrong for:
 * reads of NVIC_ISPR<n>, NVIC_ISER<n>, NVIC_ICPR<n>, NVIC_ICER<n>,
   NVIC_IABR<n> -- in all these cases we were missing the "* 8"
   needed to convert from the byte offset to the interrupt number
   (since all these registers use one bit per interrupt)
 * writes of NVIC_IPR<n> had the opposite problem of a spurious
   "* 8" (since these registers use one byte per interrupt)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180209165810.6668-9-peter.maydell@linaro.org
---
 hw/intc/armv7m_nvic.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
         /* fall through */
     case 0x180 ... 0x1bf: /* NVIC Clear enable */
         val = 0;
-        startvec = offset - 0x180 + NVIC_FIRST_IRQ; /* vector # */
+        startvec = 8 * (offset - 0x180) + NVIC_FIRST_IRQ; /* vector # */
 
         for (i = 0, end = size * 8; i < end && startvec + i < s->num_irq; i++) {
             if (s->vectors[startvec + i].enabled &&
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
         /* fall through */
     case 0x280 ... 0x2bf: /* NVIC Clear pend */
         val = 0;
-        startvec = offset - 0x280 + NVIC_FIRST_IRQ; /* vector # */
+        startvec = 8 * (offset - 0x280) + NVIC_FIRST_IRQ; /* vector # */
         for (i = 0, end = size * 8; i < end && startvec + i < s->num_irq; i++) {
             if (s->vectors[startvec + i].pending &&
                 (attrs.secure || s->itns[startvec + i])) {
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
         break;
     case 0x300 ... 0x33f: /* NVIC Active */
         val = 0;
-        startvec = offset - 0x300 + NVIC_FIRST_IRQ; /* vector # */
+        startvec = 8 * (offset - 0x300) + NVIC_FIRST_IRQ; /* vector # */
 
         for (i = 0, end = size * 8; i < end && startvec + i < s->num_irq; i++) {
             if (s->vectors[startvec + i].active &&
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_write(void *opaque, hwaddr addr,
     case 0x300 ... 0x33f: /* NVIC Active */
         return MEMTX_OK; /* R/O */
     case 0x400 ... 0x5ef: /* NVIC Priority */
-        startvec = 8 * (offset - 0x400) + NVIC_FIRST_IRQ; /* vector # */
+        startvec = (offset - 0x400) + NVIC_FIRST_IRQ; /* vector # */
 
         for (i = 0; i < size && startvec + i < s->num_irq; i++) {
             if (attrs.secure || s->itns[startvec + i]) {
-- 
2.16.1

In commit commit 3b2e934463121 we added support for the AIRCR
register holding state, but forgot to add it to the vmstate
structs. Since it only holds r/w state if the security extension
is implemented, we can just add it to vmstate_m_security.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-10-peter.maydell@linaro.org
---
 target/arm/machine.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/target/arm/machine.c b/target/arm/machine.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/machine.c
+++ b/target/arm/machine.c
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m_security = {
         VMSTATE_VALIDATE("SAU_RNR is valid", sau_rnr_vmstate_validate),
         VMSTATE_UINT32(env.sau.ctrl, ARMCPU),
         VMSTATE_UINT32(env.v7m.scr[M_REG_S], ARMCPU),
+        /* AIRCR is not secure-only, but our implementation is R/O if the
+         * security extension is unimplemented, so we migrate it here.
+         */
+        VMSTATE_UINT32(env.v7m.aircr, ARMCPU),
         VMSTATE_END_OF_LIST()
     }
 };
-- 
2.16.1

In commit abc24d86cc0364f we accidentally broke migration of
the stack pointer value for the mode (process, handler) the CPU
is not currently running as. (The commit correctly removed the
no-longer-used v7m.current_sp flag from the VMState but also
deleted the still very much in use v7m.other_sp SP value field.)

Add a subsection to migrate it again. (We don't need to care
about trying to retain compatibility with pre-abc24d86cc0364f
versions of QEMU, because that commit bumped the version_id
and we've since bumped it again a couple of times.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-11-peter.maydell@linaro.org
---
 target/arm/machine.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/target/arm/machine.c b/target/arm/machine.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/machine.c
+++ b/target/arm/machine.c
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m_scr = {
     }
 };
 
+static const VMStateDescription vmstate_m_other_sp = {
+    .name = "cpu/m/other-sp",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(env.v7m.other_sp, ARMCPU),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static const VMStateDescription vmstate_m = {
     .name = "cpu/m",
     .version_id = 4,
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m = {
         &vmstate_m_faultmask_primask,
         &vmstate_m_csselr,
         &vmstate_m_scr,
+        &vmstate_m_other_sp,
         NULL
     }
 };
-- 
2.16.1

The v8M architecture includes hardware support for enforcing
stack pointer limits. We don't implement this behaviour yet,
but provide the MSPLIM and PSPLIM stack pointer limit registers
as reads-as-written, so that when we do implement the checks
in future this won't break guest migration.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-12-peter.maydell@linaro.org
---
 target/arm/cpu.h     |  2 ++
 target/arm/helper.c  | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 target/arm/machine.c | 21 +++++++++++++++++++++
 3 files changed, 69 insertions(+)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
         uint32_t secure; /* Is CPU in Secure state? (not guest visible) */
         uint32_t csselr[M_REG_NUM_BANKS];
         uint32_t scr[M_REG_NUM_BANKS];
+        uint32_t msplim[M_REG_NUM_BANKS];
+        uint32_t psplim[M_REG_NUM_BANKS];
     } v7m;
 
     /* Information associated with an exception about to be taken:
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
                 return 0;
             }
             return env->v7m.other_ss_psp;
+        case 0x8a: /* MSPLIM_NS */
+            if (!env->v7m.secure) {
+                return 0;
+            }
+            return env->v7m.msplim[M_REG_NS];
+        case 0x8b: /* PSPLIM_NS */
+            if (!env->v7m.secure) {
+                return 0;
+            }
+            return env->v7m.psplim[M_REG_NS];
         case 0x90: /* PRIMASK_NS */
             if (!env->v7m.secure) {
                 return 0;
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
         return v7m_using_psp(env) ? env->v7m.other_sp : env->regs[13];
     case 9: /* PSP */
         return v7m_using_psp(env) ? env->regs[13] : env->v7m.other_sp;
+    case 10: /* MSPLIM */
+        if (!arm_feature(env, ARM_FEATURE_V8)) {
+            goto bad_reg;
+        }
+        return env->v7m.msplim[env->v7m.secure];
+    case 11: /* PSPLIM */
+        if (!arm_feature(env, ARM_FEATURE_V8)) {
+            goto bad_reg;
+        }
+        return env->v7m.psplim[env->v7m.secure];
     case 16: /* PRIMASK */
         return env->v7m.primask[env->v7m.secure];
     case 17: /* BASEPRI */
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
     case 19: /* FAULTMASK */
         return env->v7m.faultmask[env->v7m.secure];
     default:
+    bad_reg:
         qemu_log_mask(LOG_GUEST_ERROR, "Attempt to read unknown special"
                                        " register %d\n", reg);
         return 0;
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
             }
             env->v7m.other_ss_psp = val;
             return;
+        case 0x8a: /* MSPLIM_NS */
+            if (!env->v7m.secure) {
+                return;
+            }
+            env->v7m.msplim[M_REG_NS] = val & ~7;
+            return;
+        case 0x8b: /* PSPLIM_NS */
+            if (!env->v7m.secure) {
+                return;
+            }
+            env->v7m.psplim[M_REG_NS] = val & ~7;
+            return;
         case 0x90: /* PRIMASK_NS */
             if (!env->v7m.secure) {
                 return;
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
             env->v7m.other_sp = val;
         }
         break;
+    case 10: /* MSPLIM */
+        if (!arm_feature(env, ARM_FEATURE_V8)) {
+            goto bad_reg;
+        }
+        env->v7m.msplim[env->v7m.secure] = val & ~7;
+        break;
+    case 11: /* PSPLIM */
+        if (!arm_feature(env, ARM_FEATURE_V8)) {
+            goto bad_reg;
+        }
+        env->v7m.psplim[env->v7m.secure] = val & ~7;
+        break;
     case 16: /* PRIMASK */
         env->v7m.primask[env->v7m.secure] = val & 1;
         break;
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
         env->v7m.control[env->v7m.secure] |= val & R_V7M_CONTROL_NPRIV_MASK;
         break;
     default:
+    bad_reg:
         qemu_log_mask(LOG_GUEST_ERROR, "Attempt to write unknown special"
                                        " register %d\n", reg);
         return;
diff --git a/target/arm/machine.c b/target/arm/machine.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/machine.c
+++ b/target/arm/machine.c
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m_other_sp = {
     }
 };
 
+static bool m_v8m_needed(void *opaque)
+{
+    ARMCPU *cpu = opaque;
+    CPUARMState *env = &cpu->env;
+
+    return arm_feature(env, ARM_FEATURE_M) && arm_feature(env, ARM_FEATURE_V8);
+}
+
+static const VMStateDescription vmstate_m_v8m = {
+    .name = "cpu/m/v8m",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .needed = m_v8m_needed,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32_ARRAY(env.v7m.msplim, ARMCPU, M_REG_NUM_BANKS),
+        VMSTATE_UINT32_ARRAY(env.v7m.psplim, ARMCPU, M_REG_NUM_BANKS),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static const VMStateDescription vmstate_m = {
     .name = "cpu/m",
     .version_id = 4,
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m = {
         &vmstate_m_csselr,
         &vmstate_m_scr,
         &vmstate_m_other_sp,
+        &vmstate_m_v8m,
         NULL
     }
 };
-- 
2.16.1

From: Pekka Enberg <penberg@iki.fi>

This patch adds a "cpu-type" property to BCM2836 SoC in preparation for
reusing the code for the Raspberry Pi 3, which has a different processor
model.

Signed-off-by: Pekka Enberg <penberg@iki.fi>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/bcm2836.h |  1 +
 hw/arm/bcm2836.c         | 17 +++++++++--------
 hw/arm/raspi.c           |  3 +++
 3 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/include/hw/arm/bcm2836.h b/include/hw/arm/bcm2836.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/bcm2836.h
+++ b/include/hw/arm/bcm2836.h
@@ -XXX,XX +XXX,XX @@ typedef struct BCM2836State {
     DeviceState parent_obj;
     /*< public >*/
 
+    char *cpu_type;
     uint32_t enabled_cpus;
 
     ARMCPU cpus[BCM2836_NCPUS];
diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/bcm2836.c
+++ b/hw/arm/bcm2836.c
@@ -XXX,XX +XXX,XX @@
 static void bcm2836_init(Object *obj)
 {
     BCM2836State *s = BCM2836(obj);
-    int n;
-
-    for (n = 0; n < BCM2836_NCPUS; n++) {
-        object_initialize(&s->cpus[n], sizeof(s->cpus[n]),
-                          "cortex-a15-" TYPE_ARM_CPU);
-        object_property_add_child(obj, "cpu[*]", OBJECT(&s->cpus[n]),
-                                  &error_abort);
-    }
 
     object_initialize(&s->control, sizeof(s->control), TYPE_BCM2836_CONTROL);
     object_property_add_child(obj, "control", OBJECT(&s->control), NULL);
@@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp)
 
     /* common peripherals from bcm2835 */
 
+    obj = OBJECT(dev);
+    for (n = 0; n < BCM2836_NCPUS; n++) {
+        object_initialize(&s->cpus[n], sizeof(s->cpus[n]),
+                          s->cpu_type);
+        object_property_add_child(obj, "cpu[*]", OBJECT(&s->cpus[n]),
+                                  &error_abort);
+    }
+
     obj = object_property_get_link(OBJECT(dev), "ram", &err);
     if (obj == NULL) {
         error_setg(errp, "%s: required ram link not found: %s",
@@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp)
 }
 
 static Property bcm2836_props[] = {
+    DEFINE_PROP_STRING("cpu-type", BCM2836State, cpu_type),
     DEFINE_PROP_UINT32("enabled-cpus", BCM2836State, enabled_cpus, BCM2836_NCPUS),
     DEFINE_PROP_END_OF_LIST()
 };
diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/raspi.c
+++ b/hw/arm/raspi.c
@@ -XXX,XX +XXX,XX @@ static void raspi2_init(MachineState *machine)
     /* Setup the SOC */
     object_property_add_const_link(OBJECT(&s->soc), "ram", OBJECT(&s->ram),
                                    &error_abort);
+    object_property_set_str(OBJECT(&s->soc), machine->cpu_type, "cpu-type",
+                            &error_abort);
     object_property_set_int(OBJECT(&s->soc), smp_cpus, "enabled-cpus",
                             &error_abort);
     object_property_set_int(OBJECT(&s->soc), 0xa21041, "board-rev",
@@ -XXX,XX +XXX,XX @@ static void raspi2_machine_init(MachineClass *mc)
     mc->no_parallel = 1;
     mc->no_floppy = 1;
     mc->no_cdrom = 1;
+    mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a15");
     mc->max_cpus = BCM2836_NCPUS;
     mc->min_cpus = BCM2836_NCPUS;
     mc->default_cpus = BCM2836_NCPUS;
-- 
2.16.1

From: Pekka Enberg <penberg@iki.fi>

This patch adds Raspberry Pi 3 support to hw/arm/raspi.c. The
differences to Pi 2 are:

- Firmware address
 - Board ID
 - Board revision

The CPU is different too, but that's going to be configured as part of
the machine default CPU when we introduce a new machine type.

The patch was written from scratch by me but the logic is similar to
Zoltán Baldaszti's previous work, which I used as a reference (with
permission from the author):

https://github.com/bztsrc/qemu-raspi3

Signed-off-by: Pekka Enberg <penberg@iki.fi>
[PMM: fixed trailing whitespace on one line]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/raspi.c | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/raspi.c
+++ b/hw/arm/raspi.c
@@ -XXX,XX +XXX,XX @@
  * Rasperry Pi 2 emulation Copyright (c) 2015, Microsoft
  * Written by Andrew Baumann
  *
+ * Raspberry Pi 3 emulation Copyright (c) 2018 Zoltán Baldaszti
+ * Upstream code cleanup (c) 2018 Pekka Enberg
+ *
  * This code is licensed under the GNU GPLv2 and later.
  */
 
@@ -XXX,XX +XXX,XX @@
 #define SMPBOOT_ADDR    0x300 /* this should leave enough space for ATAGS */
 #define MVBAR_ADDR      0x400 /* secure vectors */
 #define BOARDSETUP_ADDR (MVBAR_ADDR + 0x20) /* board setup code */
-#define FIRMWARE_ADDR   0x8000 /* Pi loads kernel.img here by default */
+#define FIRMWARE_ADDR_2 0x8000 /* Pi 2 loads kernel.img here by default */
+#define FIRMWARE_ADDR_3 0x80000 /* Pi 3 loads kernel.img here by default */
 
 /* Table of Linux board IDs for different Pi versions */
-static const int raspi_boardid[] = {[1] = 0xc42, [2] = 0xc43};
+static const int raspi_boardid[] = {[1] = 0xc42, [2] = 0xc43, [3] = 0xc44};
 
 typedef struct RasPiState {
     BCM2836State soc;
@@ -XXX,XX +XXX,XX @@ static void setup_boot(MachineState *machine, int version, size_t ram_size)
     binfo.secure_board_setup = true;
     binfo.secure_boot = true;
 
-    /* Pi2 requires SMP setup */
-    if (version == 2) {
+    /* Pi2 and Pi3 requires SMP setup */
+    if (version >= 2) {
         binfo.smp_loader_start = SMPBOOT_ADDR;
         binfo.write_secondary_boot = write_smpboot;
         binfo.secondary_cpu_reset_hook = reset_secondary;
@@ -XXX,XX +XXX,XX @@ static void setup_boot(MachineState *machine, int version, size_t ram_size)
      * the normal Linux boot process
      */
     if (machine->firmware) {
+        hwaddr firmware_addr = version == 3 ? FIRMWARE_ADDR_3 : FIRMWARE_ADDR_2;
         /* load the firmware image (typically kernel.img) */
-        r = load_image_targphys(machine->firmware, FIRMWARE_ADDR,
-                                ram_size - FIRMWARE_ADDR);
+        r = load_image_targphys(machine->firmware, firmware_addr,
+                                ram_size - firmware_addr);
         if (r < 0) {
             error_report("Failed to load firmware from %s", machine->firmware);
             exit(1);
         }
 
-        binfo.entry = FIRMWARE_ADDR;
+        binfo.entry = firmware_addr;
         binfo.firmware_loaded = true;
     } else {
         binfo.kernel_filename = machine->kernel_filename;
@@ -XXX,XX +XXX,XX @@ static void setup_boot(MachineState *machine, int version, size_t ram_size)
     arm_load_kernel(ARM_CPU(first_cpu), &binfo);
 }
 
-static void raspi2_init(MachineState *machine)
+static void raspi_init(MachineState *machine, int version)
 {
     RasPiState *s = g_new0(RasPiState, 1);
     uint32_t vcram_size;
@@ -XXX,XX +XXX,XX @@ static void raspi2_init(MachineState *machine)
                             &error_abort);
     object_property_set_int(OBJECT(&s->soc), smp_cpus, "enabled-cpus",
                             &error_abort);
-    object_property_set_int(OBJECT(&s->soc), 0xa21041, "board-rev",
+    int board_rev = version == 3 ? 0xa02082 : 0xa21041;
+    object_property_set_int(OBJECT(&s->soc), board_rev, "board-rev",
                             &error_abort);
     object_property_set_bool(OBJECT(&s->soc), true, "realized", &error_abort);
 
@@ -XXX,XX +XXX,XX @@ static void raspi2_init(MachineState *machine)
 
     vcram_size = object_property_get_uint(OBJECT(&s->soc), "vcram-size",
                                           &error_abort);
-    setup_boot(machine, 2, machine->ram_size - vcram_size);
+    setup_boot(machine, version, machine->ram_size - vcram_size);
+}
+
+static void raspi2_init(MachineState *machine)
+{
+    raspi_init(machine, 2);
 }
 
 static void raspi2_machine_init(MachineClass *mc)
-- 
2.16.1

This one's almost all docs fixes.

thanks
-- PMM

The following changes since commit ba54a7e6b86884e43bed2d2f5a79c719059652a8:

Merge tag 'net-pull-request' of https://github.com/jasowang/qemu into staging (2024-11-26 14:06:40 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20241126

for you to fetch changes up to d8790ead55a2ef1e65332ebec63ae3c5db598942:

docs/system/arm/aspeed: add missing model supermicrox11spi-bmc (2024-11-26 16:22:38 +0000)

----------------------------------------------------------------
target-arm queue:
 * target/arm/tcg/cpu32.c: swap ATCM and BTCM register names
 * docs/system/arm: Fix broken links and missing feature names

----------------------------------------------------------------
Michael Tokarev (1):
      target/arm/tcg/cpu32.c: swap ATCM and BTCM register names

Pierrick Bouvier (8):
      docs/system/arm/emulation: mention armv9
      docs/system/arm/emulation: fix typo in feature name
      docs/system/arm/emulation: add FEAT_SSBS2
      target/arm/tcg/: fix typo in FEAT name
      docs/system/arm/: add FEAT_MTE_ASYNC
      docs/system/arm/: add FEAT_DoubleLock
      docs/system/arm/fby35: update link to product page
      docs/system/arm/aspeed: add missing model supermicrox11spi-bmc

docs/system/arm/aspeed.rst    |  7 ++++---
 docs/system/arm/emulation.rst | 11 +++++++----
 docs/system/arm/fby35.rst     |  2 +-
 target/arm/tcg/cpu32.c        |  6 +++---
 4 files changed, 15 insertions(+), 11 deletions(-)

From: Michael Tokarev <mjt@tls.msk.ru>

According to Cortex-R5 r1p2 manual, register with opcode2=0 is
BTCM and with opcode2=1 is ATCM, - exactly the opposite from how
qemu labels them.  Just swap the labels to avoid confusion, -
both registers are implemented as always-zero.

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20241121171602.3273252-1-mjt@tls.msk.ru
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/cpu32.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/tcg/cpu32.c b/target/arm/tcg/cpu32.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/cpu32.c
+++ b/target/arm/tcg/cpu32.c
@@ -XXX,XX +XXX,XX @@ static void cortex_a15_initfn(Object *obj)
 
 static const ARMCPRegInfo cortexr5_cp_reginfo[] = {
     /* Dummy the TCM region regs for the moment */
-    { .name = "ATCM", .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 0,
+    { .name = "BTCM", .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 0,
       .access = PL1_RW, .type = ARM_CP_CONST },
-    { .name = "BTCM", .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 1,
+    { .name = "ATCM", .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 1,
       .access = PL1_RW, .type = ARM_CP_CONST },
     { .name = "DCACHE_INVAL", .cp = 15, .opc1 = 0, .crn = 15, .crm = 5,
       .opc2 = 0, .access = PL1_W, .type = ARM_CP_NOP },
-- 
2.34.1