Just a collection of bug fixes this time around...

The following changes since commit 2a6ae69154542caa91dd17c40fd3f5ffbec300de:

Merge tag 'pull-maintainer-ominbus-030723-1' of https://gitlab.com/stsquad/qemu into staging (2023-07-04 08:36:44 +0200)

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230704

for you to fetch changes up to 86a78272f094857b4eda79d721c116e93942aa9a:

target/xtensa: Assert that interrupt level is within bounds (2023-07-04 14:27:08 +0100)

* Add raw_writes ops for register whose write induce TLB maintenance

* hw/arm/sbsa-ref: use XHCI to replace EHCI

* Avoid splitting Zregs across lines in dump

* Dump ZA[] when active

* Fix SME full tile indexing

* Handle IC IVAU to improve compatibility with JITs

* xlnx-canfd-test: Fix code coverity issues

* gdbstub: Guard M-profile code with CONFIG_TCG

* allwinner-sramc: Set class_size

* target/xtensa: Assert that interrupt level is within bounds

Akihiko Odaki (1):

hw: arm: allwinner-sramc: Set class_size

Eric Auger (1):

target/arm: Add raw_writes ops for register whose write induce TLB maintenance

Fabiano Rosas (1):

target/arm: gdbstub: Guard M-profile code with CONFIG_TCG

John Högberg (2):

target/arm: Handle IC IVAU to improve compatibility with JITs

tests/tcg/aarch64: Add testcases for IC IVAU and dual-mapped code

Peter Maydell (1):

target/xtensa: Assert that interrupt level is within bounds

From: Eric Auger <eric.auger@redhat.com>

target/arm/helper.c | 23 +++++++++++++----------

1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c

--- a/target/arm/helper.c

+++ b/target/arm/helper.c

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vmsa_cp_reginfo[] = {

.opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 0,

.access = PL1_RW, .accessfn = access_tvm_trvm,

.fgt = FGT_TTBR0_EL1,

- .writefn = vmsa_ttbr_write, .resetvalue = 0,

+ .writefn = vmsa_ttbr_write, .resetvalue = 0, .raw_writefn = raw_write,

.bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s),

offsetof(CPUARMState, cp15.ttbr0_ns) } },

{ .name = "TTBR1_EL1", .state = ARM_CP_STATE_BOTH,

.opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 1,

.access = PL1_RW, .accessfn = access_tvm_trvm,

.fgt = FGT_TTBR1_EL1,

- .writefn = vmsa_ttbr_write, .resetvalue = 0,

+ .writefn = vmsa_ttbr_write, .resetvalue = 0, .raw_writefn = raw_write,

.bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s),

offsetof(CPUARMState, cp15.ttbr1_ns) } },

{ .name = "TCR_EL1", .state = ARM_CP_STATE_AA64,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo lpae_cp_reginfo[] = {

.type = ARM_CP_64BIT | ARM_CP_ALIAS,

.bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s),

offsetof(CPUARMState, cp15.ttbr0_ns) },

- .writefn = vmsa_ttbr_write, },

+ .writefn = vmsa_ttbr_write, .raw_writefn = raw_write },

{ .name = "TTBR1", .cp = 15, .crm = 2, .opc1 = 1,

.access = PL1_RW, .accessfn = access_tvm_trvm,

.type = ARM_CP_64BIT | ARM_CP_ALIAS,

.bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s),

offsetof(CPUARMState, cp15.ttbr1_ns) },

- .writefn = vmsa_ttbr_write, },

+ .writefn = vmsa_ttbr_write, .raw_writefn = raw_write },

};

static uint64_t aa64_fpcr_read(CPUARMState *env, const ARMCPRegInfo *ri)

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {

.type = ARM_CP_IO,

.opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,

.access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.hcr_el2),

- .writefn = hcr_write },

+ .writefn = hcr_write, .raw_writefn = raw_write },

{ .name = "HCR", .state = ARM_CP_STATE_AA32,

.type = ARM_CP_ALIAS | ARM_CP_IO,

.cp = 15, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {

{ .name = "TCR_EL2", .state = ARM_CP_STATE_BOTH,

.opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 2,

.access = PL2_RW, .writefn = vmsa_tcr_el12_write,

+ .raw_writefn = raw_write,

.fieldoffset = offsetof(CPUARMState, cp15.tcr_el[2]) },

{ .name = "VTCR", .state = ARM_CP_STATE_AA32,

.cp = 15, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 2,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {

.type = ARM_CP_64BIT | ARM_CP_ALIAS,

.access = PL2_RW, .accessfn = access_el3_aa32ns,

.fieldoffset = offsetof(CPUARMState, cp15.vttbr_el2),

- .writefn = vttbr_write },

+ .writefn = vttbr_write, .raw_writefn = raw_write },

{ .name = "VTTBR_EL2", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 0,

- .access = PL2_RW, .writefn = vttbr_write,

+ .access = PL2_RW, .writefn = vttbr_write, .raw_writefn = raw_write,

.fieldoffset = offsetof(CPUARMState, cp15.vttbr_el2) },

{ .name = "SCTLR_EL2", .state = ARM_CP_STATE_BOTH,

.opc0 = 3, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 0,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {

.fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[2]) },

{ .name = "TTBR0_EL2", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 0,

- .access = PL2_RW, .resetvalue = 0, .writefn = vmsa_tcr_ttbr_el2_write,

+ .access = PL2_RW, .resetvalue = 0,

+ .writefn = vmsa_tcr_ttbr_el2_write, .raw_writefn = raw_write,

.fieldoffset = offsetof(CPUARMState, cp15.ttbr0_el[2]) },

{ .name = "HTTBR", .cp = 15, .opc1 = 4, .crm = 2,

.access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_ALIAS,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el3_cp_reginfo[] = {

{ .name = "SCR_EL3", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 0,

.access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.scr_el3),

- .resetfn = scr_reset, .writefn = scr_write },

+ .resetfn = scr_reset, .writefn = scr_write, .raw_writefn = raw_write },

{ .name = "SCR", .type = ARM_CP_ALIAS | ARM_CP_NEWEL,

.cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 0,

.access = PL1_RW, .accessfn = access_trap_aa32s_el1,

.fieldoffset = offsetoflow32(CPUARMState, cp15.scr_el3),

- .writefn = scr_write },

+ .writefn = scr_write, .raw_writefn = raw_write },

{ .name = "SDER32_EL3", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 1,

.access = PL3_RW, .resetvalue = 0,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vhe_reginfo[] = {

{ .name = "TTBR1_EL2", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 1,

.access = PL2_RW, .writefn = vmsa_tcr_ttbr_el2_write,

+ .raw_writefn = raw_write,

.fieldoffset = offsetof(CPUARMState, cp15.ttbr1_el[2]) },

#ifndef CONFIG_USER_ONLY

{ .name = "CNTHV_CVAL_EL2", .state = ARM_CP_STATE_AA64,

2.34.1

From: Yuquan Wang <wangyuquan1236@phytium.com.cn>

The current sbsa-ref cannot use EHCI controller which is only

able to do 32-bit DMA, since sbsa-ref doesn't have RAM below 4GB.

Hence, this uses XHCI to provide a usb controller with 64-bit

DMA capablity instead of EHCI.

We bump the platform version to 0.3 with this change. Although the

hardware at the USB controller address changes, the firmware and

Linux can both cope with this -- on an older non-XHCI-aware

firmware/kernel setup the probe routine simply fails and the guest

proceeds without any USB. (This isn't a loss of functionality,

because the old USB controller never worked in the first place.) So

we can call this a backwards-compatible change and only bump the

minor version.

docs/system/arm/sbsa.rst | 5 ++++-

hw/arm/sbsa-ref.c | 23 +++++++++++++----------

hw/arm/Kconfig | 2 +-

3 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/docs/system/arm/sbsa.rst b/docs/system/arm/sbsa.rst

--- a/docs/system/arm/sbsa.rst

+++ b/docs/system/arm/sbsa.rst

@@ -XXX,XX +XXX,XX @@ The ``sbsa-ref`` board supports:

- A configurable number of AArch64 CPUs

- GIC version 3

- System bus AHCI controller

- - System bus EHCI controller

+ - System bus XHCI controller

- CDROM and hard disc on AHCI bus

- E1000E ethernet card on PCIe bus

- Bochs display adapter on PCIe bus

@@ -XXX,XX +XXX,XX @@ Platform version changes:

0.2

GIC ITS information is present in devicetree.

+

+0.3

+ The USB controller is an XHCI device, not EHCI

diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/arm/sbsa-ref.c

+++ b/hw/arm/sbsa-ref.c

#include "hw/pci-host/gpex.h"

#include "hw/qdev-properties.h"

#include "hw/usb.h"

+#include "hw/usb/xhci.h"

#include "hw/char/pl011.h"

#include "hw/watchdog/sbsa_gwdt.h"

#include "net/net.h"

@@ -XXX,XX +XXX,XX @@ enum {

SBSA_SECURE_UART_MM,

SBSA_SECURE_MEM,

SBSA_AHCI,

- SBSA_EHCI,

+ SBSA_XHCI,

struct SBSAMachineState {

@@ -XXX,XX +XXX,XX @@ static const MemMapEntry sbsa_ref_memmap[] = {

[SBSA_SMMU] = { 0x60050000, 0x00020000 },

/* Space here reserved for more SMMUs */

[SBSA_AHCI] = { 0x60100000, 0x00010000 },

- [SBSA_EHCI] = { 0x60110000, 0x00010000 },

+ [SBSA_XHCI] = { 0x60110000, 0x00010000 },

/* Space here reserved for other devices */

[SBSA_PCIE_PIO] = { 0x7fff0000, 0x00010000 },

/* 32-bit address PCIE MMIO space */

@@ -XXX,XX +XXX,XX @@ static const int sbsa_ref_irqmap[] = {

[SBSA_SECURE_UART] = 8,

[SBSA_SECURE_UART_MM] = 9,

[SBSA_AHCI] = 10,

- [SBSA_EHCI] = 11,

+ [SBSA_XHCI] = 11,

[SBSA_SMMU] = 12, /* ... to 15 */

[SBSA_GWDT_WS0] = 16,

@@ -XXX,XX +XXX,XX @@ static void create_fdt(SBSAMachineState *sms)

* fw compatibility.

*/

qemu_fdt_setprop_cell(fdt, "/", "machine-version-major", 0);

- qemu_fdt_setprop_cell(fdt, "/", "machine-version-minor", 2);

+ qemu_fdt_setprop_cell(fdt, "/", "machine-version-minor", 3);

if (ms->numa_state->have_numa_distance) {

int size = nb_numa_nodes * nb_numa_nodes * 3 * sizeof(uint32_t);

@@ -XXX,XX +XXX,XX @@ static void create_ahci(const SBSAMachineState *sms)

}

}

-static void create_ehci(const SBSAMachineState *sms)

+static void create_xhci(const SBSAMachineState *sms)

- hwaddr base = sbsa_ref_memmap[SBSA_EHCI].base;

- int irq = sbsa_ref_irqmap[SBSA_EHCI];

+ hwaddr base = sbsa_ref_memmap[SBSA_XHCI].base;

+ int irq = sbsa_ref_irqmap[SBSA_XHCI];

+ DeviceState *dev = qdev_new(TYPE_XHCI_SYSBUS);

- sysbus_create_simple("platform-ehci-usb", base,

- qdev_get_gpio_in(sms->gic, irq));

+ sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);

+ sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base);

+ sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, qdev_get_gpio_in(sms->gic, irq));

static void create_smmu(const SBSAMachineState *sms, PCIBus *bus)

@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_init(MachineState *machine)

create_ahci(sms);

- create_ehci(sms);

+ create_xhci(sms);

create_pcie(sms);

diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig

--- a/hw/arm/Kconfig

+++ b/hw/arm/Kconfig

@@ -XXX,XX +XXX,XX @@ config SBSA_REF

select PL011 # UART

select PL031 # RTC

select PL061 # GPIO

- select USB_EHCI_SYSBUS

+ select USB_XHCI_SYSBUS

select WDT_SBSA

select BOCHS_DISPLAY

2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Allow the line length to extend to 548 columns. While annoyingly wide,

it's still less confusing than the continuations we print. Also, the

default VL used by Linux (and max for A64FX) uses only 140 columns.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Message-id: 20230622151201.1578522-2-richard.henderson@linaro.org

target/arm/cpu.c | 36 ++++++++++++++----------------------

1 file changed, 14 insertions(+), 22 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c

--- a/target/arm/cpu.c

+++ b/target/arm/cpu.c

@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)

ARMCPU *cpu = ARM_CPU(cs);

CPUARMState *env = &cpu->env;

uint32_t psr = pstate_read(env);

- int i;

+ int i, j;

int el = arm_current_el(env);

const char *ns_status;

bool sve;

@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)

}

if (sve) {

- int j, zcr_len = sve_vqm1_for_el(env, el);

+ int zcr_len = sve_vqm1_for_el(env, el);

for (i = 0; i <= FFR_PRED_NUM; i++) {

bool eol;

@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)

}

- for (i = 0; i < 32; i++) {

- if (zcr_len == 0) {

+ if (zcr_len == 0) {

+ /*

+ * With vl=16, there are only 37 columns per register,

+ * so output two registers per line.

+ */

+ for (i = 0; i < 32; i++) {

qemu_fprintf(f, "Z%02d=%016" PRIx64 ":%016" PRIx64 "%s",

i, env->vfp.zregs[i].d[1],

env->vfp.zregs[i].d[0], i & 1 ? "\n" : " ");

- } else if (zcr_len == 1) {

- qemu_fprintf(f, "Z%02d=%016" PRIx64 ":%016" PRIx64

- ":%016" PRIx64 ":%016" PRIx64 "\n",

- i, env->vfp.zregs[i].d[3], env->vfp.zregs[i].d[2],

- env->vfp.zregs[i].d[1], env->vfp.zregs[i].d[0]);

- } else {

+ }

+ } else {

+ for (i = 0; i < 32; i++) {

+ qemu_fprintf(f, "Z%02d=", i);

for (j = zcr_len; j >= 0; j--) {

- bool odd = (zcr_len - j) % 2 != 0;

- if (j == zcr_len) {

- qemu_fprintf(f, "Z%02d[%x-%x]=", i, j, j - 1);

- } else if (!odd) {

- if (j > 0) {

- qemu_fprintf(f, " [%x-%x]=", j, j - 1);

- } else {

- qemu_fprintf(f, " [%x]=", j);

- }

- }

qemu_fprintf(f, "%016" PRIx64 ":%016" PRIx64 "%s",

env->vfp.zregs[i].d[j * 2 + 1],

- env->vfp.zregs[i].d[j * 2],

- odd || j == 0 ? "\n" : ":");

+ env->vfp.zregs[i].d[j * 2 + 0],

+ j ? ":" : "\n");

}

}

}

2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Always print each matrix row whole, one per line, so that we

get the entire matrix in the proper shape.

target/arm/cpu.c | 18 ++++++++++++++++++

1 file changed, 18 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c

--- a/target/arm/cpu.c

+++ b/target/arm/cpu.c

@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)

i, q[1], q[0], (i & 1 ? "\n" : " "));

}

}

+ if (cpu_isar_feature(aa64_sme, cpu) &&

+ FIELD_EX64(env->svcr, SVCR, ZA) &&

+ sme_exception_el(env, el) == 0) {

+ int zcr_len = sve_vqm1_for_el_sm(env, el, true);

+ int svl = (zcr_len + 1) * 16;

+ int svl_lg10 = svl < 100 ? 2 : 3;

+ for (i = 0; i < svl; i++) {

+ qemu_fprintf(f, "ZA[%0*d]=", svl_lg10, i);

+ for (j = zcr_len; j >= 0; --j) {

+ qemu_fprintf(f, "%016" PRIx64 ":%016" PRIx64 "%c",

+ env->zarray[i].d[2 * j + 1],

+ env->zarray[i].d[2 * j],

+ j ? ':' : '\n');

+ }

+ }

#else

2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

For the outer product set of insns, which take an entire matrix

tile as output, the argument is not a combined tile+column.

Therefore using get_tile_rowcol was incorrect, as we extracted

the tile number from itself.

The test case relies only on assembler support for SME, since

no release of GCC recognizes -march=armv9-a+sme yet.

Cc: qemu-stable@nongnu.org

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1620

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Message-id: 20230622151201.1578522-5-richard.henderson@linaro.org

target/arm/tcg/translate-sme.c | 24 ++++++---

tests/tcg/aarch64/sme-outprod1.c | 83 +++++++++++++++++++++++++++++++

tests/tcg/aarch64/Makefile.target | 10 ++--

3 files changed, 108 insertions(+), 9 deletions(-)

create mode 100644 tests/tcg/aarch64/sme-outprod1.c

diff --git a/target/arm/tcg/translate-sme.c b/target/arm/tcg/translate-sme.c

--- a/target/arm/tcg/translate-sme.c

+++ b/target/arm/tcg/translate-sme.c

@@ -XXX,XX +XXX,XX @@ static TCGv_ptr get_tile_rowcol(DisasContext *s, int esz, int rs,

return addr;

}

+/*

+ * Resolve tile.size[0] to a host pointer.

+ * Used by e.g. outer product insns where we require the entire tile.

+ */

+static TCGv_ptr get_tile(DisasContext *s, int esz, int tile)

+{

+ TCGv_ptr addr = tcg_temp_new_ptr();

+ int offset;

+

+ offset = tile * sizeof(ARMVectorReg) + offsetof(CPUARMState, zarray);

+

+ tcg_gen_addi_ptr(addr, cpu_env, offset);

+ return addr;

+}

+

static bool trans_ZERO(DisasContext *s, arg_ZERO *a)

if (!dc_isar_feature(aa64_sme, s)) {

@@ -XXX,XX +XXX,XX @@ static bool do_adda(DisasContext *s, arg_adda *a, MemOp esz,

return true;

}

- /* Sum XZR+zad to find ZAd. */

- za = get_tile_rowcol(s, esz, 31, a->zad, false);

+ za = get_tile(s, esz, a->zad);

zn = vec_full_reg_ptr(s, a->zn);

pn = pred_full_reg_ptr(s, a->pn);

pm = pred_full_reg_ptr(s, a->pm);

@@ -XXX,XX +XXX,XX @@ static bool do_outprod(DisasContext *s, arg_op *a, MemOp esz,

return true;

}

- /* Sum XZR+zad to find ZAd. */

- za = get_tile_rowcol(s, esz, 31, a->zad, false);

+ za = get_tile(s, esz, a->zad);

zn = vec_full_reg_ptr(s, a->zn);

zm = vec_full_reg_ptr(s, a->zm);

pn = pred_full_reg_ptr(s, a->pn);

@@ -XXX,XX +XXX,XX @@ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,

return true;

}

- /* Sum XZR+zad to find ZAd. */

- za = get_tile_rowcol(s, esz, 31, a->zad, false);

+ za = get_tile(s, esz, a->zad);

zn = vec_full_reg_ptr(s, a->zn);

zm = vec_full_reg_ptr(s, a->zm);

pn = pred_full_reg_ptr(s, a->pn);

diff --git a/tests/tcg/aarch64/sme-outprod1.c b/tests/tcg/aarch64/sme-outprod1.c

new file mode 100644

index XXXXXXX..XXXXXXX

--- /dev/null

+++ b/tests/tcg/aarch64/sme-outprod1.c

@@ -XXX,XX +XXX,XX @@

+/*

+ * SME outer product, 1 x 1.

+ * SPDX-License-Identifier: GPL-2.0-or-later

+ */

+

+#include <stdio.h>

+

+extern void foo(float *dst);

+

+asm(

+"    .arch_extension sme\n"

+"    .type foo, @function\n"

+"foo:\n"

+"    stp x29, x30, [sp, -80]!\n"

+"    mov x29, sp\n"

+"    stp d8, d9, [sp, 16]\n"

+"    stp d10, d11, [sp, 32]\n"

+"    stp d12, d13, [sp, 48]\n"

+"    stp d14, d15, [sp, 64]\n"

+"    smstart\n"

+"    ptrue p0.s, vl4\n"

+"    fmov z0.s, #1.0\n"

+/*

+ * An outer product of a vector of 1.0 by itself should be a matrix of 1.0.

+ * Note that we are using tile 1 here (za1.s) rather than tile 0.

+ */

+"    zero {za}\n"

+"    fmopa za1.s, p0/m, p0/m, z0.s, z0.s\n"

+/*

+ * Read the first 4x4 sub-matrix of elements from tile 1:

+ * Note that za1h should be interchangable here.

+ */

+"    mov w12, #0\n"

+"    mova z0.s, p0/m, za1v.s[w12, #0]\n"

+"    mova z1.s, p0/m, za1v.s[w12, #1]\n"

+"    mova z2.s, p0/m, za1v.s[w12, #2]\n"

+"    mova z3.s, p0/m, za1v.s[w12, #3]\n"

+/*

+ * And store them to the input pointer (dst in the C code):

+ */

+"    st1w {z0.s}, p0, [x0]\n"

+"    add x0, x0, #16\n"

+"    st1w {z1.s}, p0, [x0]\n"

+"    add x0, x0, #16\n"

+"    st1w {z2.s}, p0, [x0]\n"

+"    add x0, x0, #16\n"

+"    st1w {z3.s}, p0, [x0]\n"

+"    smstop\n"

+"    ldp d8, d9, [sp, 16]\n"

+"    ldp d10, d11, [sp, 32]\n"

+"    ldp d12, d13, [sp, 48]\n"

+"    ldp d14, d15, [sp, 64]\n"

+"    ldp x29, x30, [sp], 80\n"

+"    ret\n"

+"    .size foo, . - foo"

+);

+

+int main()

+{

+ float dst[16];

+ int i, j;

+

+ foo(dst);

+

+ for (i = 0; i < 16; i++) {

+ if (dst[i] != 1.0f) {

+ break;

+ }

+ }

+

+ if (i == 16) {

+ return 0; /* success */

+ }

+

+ /* failure */

+ for (i = 0; i < 4; ++i) {

+ for (j = 0; j < 4; ++j) {

+ printf("%f ", (double)dst[i * 4 + j]);

+ }

+ printf("\n");

+ }

+ return 1;

+}

diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target

index XXXXXXX..XXXXXXX 100644

--- a/tests/tcg/aarch64/Makefile.target

+++ b/tests/tcg/aarch64/Makefile.target

@@ -XXX,XX +XXX,XX @@ config-cc.mak: Makefile

     $(call cc-option,-march=armv8.5-a, CROSS_CC_HAS_ARMV8_5); \

     $(call cc-option,-mbranch-protection=standard, CROSS_CC_HAS_ARMV8_BTI); \

     $(call cc-option,-march=armv8.5-a+memtag, CROSS_CC_HAS_ARMV8_MTE); \

-     $(call cc-option,-march=armv9-a+sme, CROSS_CC_HAS_ARMV9_SME)) 3> config-cc.mak

+     $(call cc-option,-Wa$(COMMA)-march=armv9-a+sme, CROSS_AS_HAS_ARMV9_SME)) 3> config-cc.mak

-include config-cc.mak

ifneq ($(CROSS_CC_HAS_ARMV8_2),)

@@ -XXX,XX +XXX,XX @@ AARCH64_TESTS += mte-1 mte-2 mte-3 mte-4 mte-5 mte-6 mte-7

mte-%: CFLAGS += -march=armv8.5-a+memtag

endif

+ifneq ($(CROSS_AS_HAS_ARMV9_SME),)

+AARCH64_TESTS += sme-outprod1

+endif

+

ifneq ($(CROSS_CC_HAS_SVE),)

# System Registers Tests

AARCH64_TESTS += sysregs

-ifneq ($(CROSS_CC_HAS_ARMV9_SME),)

-sysregs: CFLAGS+=-march=armv9-a+sme -DHAS_ARMV9_SME

+ifneq ($(CROSS_AS_HAS_ARMV9_SME),)

+sysregs: CFLAGS+=-Wa,-march=armv9-a+sme -DHAS_ARMV9_SME

else

sysregs: CFLAGS+=-march=armv8.1-a+sve

endif

2.34.1

From: John Högberg <john.hogberg@ericsson.com>

Unlike architectures with precise self-modifying code semantics

(e.g. x86) ARM processors do not maintain coherency for instruction

execution and memory, requiring an instruction synchronization

barrier on every core that will execute the new code, and on many

models also the explicit use of cache management instructions.

target/arm/cpu.c | 11 +++++++++++

target/arm/helper.c | 47 ++++++++++++++++++++++++++++++++++++++++++---

2 files changed, 55 insertions(+), 3 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c

--- a/target/arm/cpu.c

+++ b/target/arm/cpu.c

@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)

return;

}

+#ifdef CONFIG_USER_ONLY

+ /*

+ * User mode relies on IC IVAU instructions to catch modification of

+ * dual-mapped code.

+ *

+ * Clear CTR_EL0.DIC to ensure that software that honors these flags uses

+ * IC IVAU even if the emulated processor does not normally require it.

+ */

+ cpu->ctr = FIELD_DP64(cpu->ctr, CTR_EL0, DIC, 0);

+#endif

+

if (arm_feature(env, ARM_FEATURE_AARCH64) &&

cpu->has_vfp != cpu->has_neon) {

/*

diff --git a/target/arm/helper.c b/target/arm/helper.c

--- a/target/arm/helper.c

+++ b/target/arm/helper.c

@@ -XXX,XX +XXX,XX @@ static void mdcr_el2_write(CPUARMState *env, const ARMCPRegInfo *ri,

}

+#ifdef CONFIG_USER_ONLY

+/*

+ * `IC IVAU` is handled to improve compatibility with JITs that dual-map their

+ * code to get around W^X restrictions, where one region is writable and the

+ * other is executable.

+ *

+ * Since the executable region is never written to we cannot detect code

+ * changes when running in user mode, and rely on the emulated JIT telling us

+ * that the code has changed by executing this instruction.

+ */

+static void ic_ivau_write(CPUARMState *env, const ARMCPRegInfo *ri,

+ uint64_t value)

+{

+ uint64_t icache_line_mask, start_address, end_address;

+ const ARMCPU *cpu;

+

+ cpu = env_archcpu(env);

+

+ icache_line_mask = (4 << extract32(cpu->ctr, 0, 4)) - 1;

+ start_address = value & ~icache_line_mask;

+ end_address = value | icache_line_mask;

+

+ mmap_lock();

+

+ tb_invalidate_phys_range(start_address, end_address);

+

+ mmap_unlock();

+}

+#endif

+

static const ARMCPRegInfo v8_cp_reginfo[] = {

/*

* Minimal set of EL0-visible registers. This will need to be expanded

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {

{ .name = "CURRENTEL", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 0, .opc2 = 2, .crn = 4, .crm = 2,

.access = PL1_R, .type = ARM_CP_CURRENTEL },

- /* Cache ops: all NOPs since we don't emulate caches */

+ /*

+ * Instruction cache ops. All of these except `IC IVAU` NOP because we

+ * don't emulate caches.

+ */

{ .name = "IC_IALLUIS", .state = ARM_CP_STATE_AA64,

.opc0 = 1, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 0,

.access = PL1_W, .type = ARM_CP_NOP,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {

.accessfn = access_tocu },

{ .name = "IC_IVAU", .state = ARM_CP_STATE_AA64,

.opc0 = 1, .opc1 = 3, .crn = 7, .crm = 5, .opc2 = 1,

- .access = PL0_W, .type = ARM_CP_NOP,

+ .access = PL0_W,

.fgt = FGT_ICIVAU,

- .accessfn = access_tocu },

+ .accessfn = access_tocu,

+#ifdef CONFIG_USER_ONLY

+ .type = ARM_CP_NO_RAW,

+ .writefn = ic_ivau_write

+#else

+ .type = ARM_CP_NOP

+#endif

+ },

+ /* Cache ops: all NOPs since we don't emulate caches */

{ .name = "DC_IVAC", .state = ARM_CP_STATE_AA64,

.opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 1,

.access = PL1_W, .accessfn = aa64_cacheop_poc_access,

2.34.1

From: John Högberg <john.hogberg@ericsson.com>

https://gitlab.com/qemu-project/qemu/-/issues/1034

Signed-off-by: John Högberg <john.hogberg@ericsson.com>

Message-id: 168778890374.24232.3402138851538068785-2@git.sr.ht

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

[PMM: fixed typo in comment]

tests/tcg/aarch64/icivau.c | 189 ++++++++++++++++++++++++++++++

tests/tcg/aarch64/Makefile.target | 3 +-

2 files changed, 191 insertions(+), 1 deletion(-)

create mode 100644 tests/tcg/aarch64/icivau.c

diff --git a/tests/tcg/aarch64/icivau.c b/tests/tcg/aarch64/icivau.c

new file mode 100644

index XXXXXXX..XXXXXXX

--- /dev/null

+++ b/tests/tcg/aarch64/icivau.c

@@ -XXX,XX +XXX,XX @@

+/*

+ * Tests the IC IVAU-driven workaround for catching changes made to dual-mapped

+ * code that would otherwise go unnoticed in user mode.

+ *

+ * Copyright (c) 2023 Ericsson AB

+ * SPDX-License-Identifier: GPL-2.0-or-later

+ */

+

+#include <sys/mman.h>

+#include <sys/stat.h>

+#include <string.h>

+#include <stdint.h>

+#include <stdlib.h>

+#include <unistd.h>

+#include <fcntl.h>

+

+#define MAX_CODE_SIZE 128

+

+typedef int (SelfModTest)(uint32_t, uint32_t*);

+typedef int (BasicTest)(int);

+

+static void mark_code_modified(const uint32_t *exec_data, size_t length)

+{

+ int dc_required, ic_required;

+ unsigned long ctr_el0;

+

+ /*

+ * Clear the data/instruction cache, as indicated by the CTR_ELO.{DIC,IDC}

+ * flags.

+ *

+ * For completeness we might be tempted to assert that we should fail when

+ * the whole code update sequence is omitted, but that would make the test

+ * flaky as it can succeed by coincidence on actual hardware.

+ */

+ asm ("mrs %0, ctr_el0\n" : "=r"(ctr_el0));

+

+ /* CTR_EL0.IDC */

+ dc_required = !((ctr_el0 >> 28) & 1);

+

+ /* CTR_EL0.DIC */

+ ic_required = !((ctr_el0 >> 29) & 1);

+

+ if (dc_required) {

+ size_t dcache_stride, i;

+

+ /*

+ * Step according to the minimum cache size, as the cache maintenance

+ * instructions operate on the cache line of the given address.

+ *

+ * We assume that exec_data is properly aligned.

+ */

+ dcache_stride = (4 << ((ctr_el0 >> 16) & 0xF));

+

+ for (i = 0; i < length; i += dcache_stride) {

+ const char *dc_addr = &((const char *)exec_data)[i];

+ asm volatile ("dc cvau, %x[dc_addr]\n"

+ : /* no outputs */

+ : [dc_addr] "r"(dc_addr)

+ : "memory");

+ }

+

+ asm volatile ("dmb ish\n");

+ }

+

+ if (ic_required) {

+ size_t icache_stride, i;

+

+ icache_stride = (4 << (ctr_el0 & 0xF));

+

+ for (i = 0; i < length; i += icache_stride) {

+ const char *ic_addr = &((const char *)exec_data)[i];

+ asm volatile ("ic ivau, %x[ic_addr]\n"

+ : /* no outputs */

+ : [ic_addr] "r"(ic_addr)

+ : "memory");

+ }

+

+ asm volatile ("dmb ish\n");

+ }

+

+ asm volatile ("isb sy\n");

+}

+

+static int basic_test(uint32_t *rw_data, const uint32_t *exec_data)

+{

+ /*

+ * As user mode only misbehaved for dual-mapped code when previously

+ * translated code had been changed, we'll start off with this basic test

+ * function to ensure that there's already some translated code at

+ * exec_data before the next test. This should cause the next test to fail

+ * if `mark_code_modified` fails to invalidate the code.

+ *

+ * Note that the payload is in binary form instead of inline assembler

+ * because we cannot use __attribute__((naked)) on this platform and the

+ * workarounds are at least as ugly as this is.

+ */

+ static const uint32_t basic_payload[] = {

+ 0xD65F03C0 /* 0x00: RET */

+ };

+

+ BasicTest *copied_ptr = (BasicTest *)exec_data;

+

+ memcpy(rw_data, basic_payload, sizeof(basic_payload));

+ mark_code_modified(exec_data, sizeof(basic_payload));

+

+ return copied_ptr(1234) == 1234;

+}

+

+static int self_modification_test(uint32_t *rw_data, const uint32_t *exec_data)

+{

+ /*

+ * This test is self-modifying in an attempt to cover an edge case where

+ * the IC IVAU instruction invalidates itself.

+ *

+ * Note that the IC IVAU instruction is 16 bytes into the function, in what

+ * will be the same cache line as the modified instruction on machines with

+ * a cache line size >= 16 bytes.

+ */

+ static const uint32_t self_mod_payload[] = {