Series comparison

-[Qemu-devel] [PULL 00/16] target-arm queue
+[PULL 00/26] target-arm queue
-The following changes since commit ad1b4ec39caa5b3f17cbd8160283a03a3dcfe2ae:
+The following changes since commit 64ada298b98a51eb2512607f6e6180cb330c47b1:
-  Merge remote-tracking branch 'remotes/kraxel/tags/input-20180515-pull-request' into staging (2018-05-15 12:50:06 +0100)
+  Merge remote-tracking branch 'remotes/legoater/tags/pull-ppc-20220302' into staging (2022-03-02 12:38:46 +0000)
 are available in the Git repository at:
-  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180515
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220302
-for you to fetch changes up to ae7651804748c6b479d5ae09aeac4edb9c44f76e:
+for you to fetch changes up to 268c11984e67867c22f53beb3c7f8b98900d66b2:
-  tcg: Optionally log FPU state in TCG -d cpu logging (2018-05-15 14:58:44 +0100)
+  ui/cocoa.m: Remove unnecessary NSAutoreleasePools (2022-03-02 19:27:37 +0000)
 ----------------------------------------------------------------
 target-arm queue:
- * Fix coverity nit in int_to_float code
+ * mps3-an547: Add missing user ahb interfaces
- * Don't set Invalid for float-to-int(MAXINT)
+ * hw/arm/mps2-tz.c: Update AN547 documentation URL
- * Fix fp_status_f16 tininess before rounding
+ * hw/input/tsc210x: Don't abort on bad SPI word widths
- * Add various missing insns from the v8.2-FP16 extension
+ * hw/i2c: flatten pca954x mux device
- * Fix sqrt_f16 exception raising
+ * target/arm: Support PSCI 1.1 and SMCCC 1.0
- * sdcard: Correct CRC16 offset in sd_function_switch()
+ * target/arm: Fix early free of TCG temp in handle_simd_shift_fpint_conv()
- * tcg: Optionally log FPU state in TCG -d cpu logging
+ * tests/qtest: add qtests for npcm7xx sdhci
  * Implement FEAT_LVA
  * Implement FEAT_LPA
  * Implement FEAT_LPA2 (but do not enable it yet)
  * Report KVM's actual PSCI version to guest in dtb
  * ui/cocoa.m: Fix updateUIInfo threading issues
  * ui/cocoa.m: Remove unnecessary NSAutoreleasePools
 ----------------------------------------------------------------
-Alex Bennée (5):
+Akihiko Odaki (1):
-      fpu/softfloat: int_to_float ensure r fully initialised
+      target/arm: Support PSCI 1.1 and SMCCC 1.0
       target/arm: Implement FCMP for fp16
       target/arm: Implement FCSEL for fp16
       target/arm: Implement FMOV (immediate) for fp16
       target/arm: Fix sqrt_f16 exception raising
-Peter Maydell (3):
+Jimmy Brisson (1):
-      fpu/softfloat: Don't set Invalid for float-to-int(MAXINT)
+      mps3-an547: Add missing user ahb interfaces
       target/arm: Fix fp_status_f16 tininess before rounding
       tcg: Optionally log FPU state in TCG -d cpu logging
-Philippe Mathieu-Daudé (1):
+Patrick Venture (1):
-      sdcard: Correct CRC16 offset in sd_function_switch()
+      hw/i2c: flatten pca954x mux device
-Richard Henderson (7):
+Peter Maydell (5):
-      target/arm: Implement FMOV (general) for fp16
+      hw/arm/mps2-tz.c: Update AN547 documentation URL
-      target/arm: Early exit after unallocated_encoding in disas_fp_int_conv
+      hw/input/tsc210x: Don't abort on bad SPI word widths
-      target/arm: Implement FCVT (scalar, integer) for fp16
+      target/arm: Report KVM's actual PSCI version to guest in dtb
-      target/arm: Implement FCVT (scalar, fixed-point) for fp16
+      ui/cocoa.m: Fix updateUIInfo threading issues
-      target/arm: Introduce and use read_fp_hreg
+      ui/cocoa.m: Remove unnecessary NSAutoreleasePools
       target/arm: Implement FP data-processing (2 source) for fp16
       target/arm: Implement FP data-processing (3 source) for fp16
- include/qemu/log.h         |   1 +
+Richard Henderson (16):
- target/arm/helper-a64.h    |   2 +
+      hw/registerfields: Add FIELD_SEX<N> and FIELD_SDP<N>
- target/arm/helper.h        |   6 +
+      target/arm: Set TCR_EL1.TSZ for user-only
- accel/tcg/cpu-exec.c       |   9 +-
+      target/arm: Fault on invalid TCR_ELx.TxSZ
- fpu/softfloat.c            |   6 +-
+      target/arm: Move arm_pamax out of line
- hw/sd/sd.c                 |   2 +-
+      target/arm: Pass outputsize down to check_s2_mmu_setup
- target/arm/cpu.c           |   2 +
+      target/arm: Use MAKE_64BIT_MASK to compute indexmask
- target/arm/helper-a64.c    |  10 ++
+      target/arm: Honor TCR_ELx.{I}PS
- target/arm/helper.c        |  38 +++-
+      target/arm: Prepare DBGBVR and DBGWVR for FEAT_LVA
- target/arm/translate-a64.c | 421 ++++++++++++++++++++++++++++++++++++++-------
+      target/arm: Implement FEAT_LVA
- util/log.c                 |   2 +
+      target/arm: Implement FEAT_LPA
-files changed, 428 insertions(+), 71 deletions(-)
+      target/arm: Extend arm_fi_to_lfsc to level -1
       target/arm: Introduce tlbi_aa64_get_range
       target/arm: Fix TLBIRange.base for 16k and 64k pages
       target/arm: Validate tlbi TG matches translation granule in use
       target/arm: Advertise all page sizes for -cpu max
       target/arm: Implement FEAT_LPA2
+Shengtan Mao (1):
+      tests/qtest: add qtests for npcm7xx sdhci
+Wentao_Liang (1):
+      target/arm: Fix early free of TCG temp in handle_simd_shift_fpint_conv()
+ docs/system/arm/emulation.rst    |   3 +
+ include/hw/registerfields.h      |  48 +++++-
+ target/arm/cpu-param.h           |   4 +-
+ target/arm/cpu.h                 |  27 ++++
+ target/arm/internals.h           |  58 ++++---
+ target/arm/kvm-consts.h          |  14 +-
+ hw/arm/boot.c                    |  11 +-
+ hw/arm/mps2-tz.c                 |   6 +-
+ hw/i2c/i2c_mux_pca954x.c         |  77 ++-------
+ hw/input/tsc210x.c               |   8 +-
+ target/arm/cpu.c                 |   8 +-
+ target/arm/cpu64.c               |   7 +-
+ target/arm/helper.c              | 332 ++++++++++++++++++++++++++++++---------
+ target/arm/hvf/hvf.c             |  27 +++-
+ target/arm/kvm64.c               |  14 +-
+ target/arm/psci.c                |  35 ++++-
+ target/arm/translate-a64.c       |   2 +-
+ tests/qtest/npcm7xx_sdhci-test.c | 215 +++++++++++++++++++++++++
+ tests/qtest/meson.build          |   1 +
+ ui/cocoa.m                       |  31 ++--
+files changed, 736 insertions(+), 192 deletions(-)
+ create mode 100644 tests/qtest/npcm7xx_sdhci-test.c

-New patch
+[PULL 01/26] mps3-an547: Add missing user ahb interfaces
+From: Jimmy Brisson <jimmy.brisson@linaro.org>
+With these interfaces missing, TFM would delegate peripherals 0, 1,
+, 3 and 8, and qemu would ignore the delegation of interface 8, as
+it thought interface 4 was eth & USB.
+This patch corrects this behavior and allows TFM to delegate the
+eth & USB peripheral to NS mode.
+(The old QEMU behaviour was based on revision B of the AN547
+appnote; revision C corrects this error in the documentation,
+and this commit brings QEMU in to line with how the FPGA
+image really behaves.)
+Signed-off-by: Jimmy Brisson <jimmy.brisson@linaro.org>
+Message-id: 20220210210227.3203883-1-jimmy.brisson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+[PMM: added commit message note clarifying that the old behaviour
+was a docs issue, not because there were two different versions
+of the FPGA image]
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/arm/mps2-tz.c | 4 ++++
+file changed, 4 insertions(+)
+diff --git a/hw/arm/mps2-tz.c b/hw/arm/mps2-tz.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/mps2-tz.c
++++ b/hw/arm/mps2-tz.c
+@@ -XXX,XX +XXX,XX @@ static void mps2tz_common_init(MachineState *machine)
+                 { "gpio1", make_unimp_dev, &mms->gpio[1], 0x41101000, 0x1000 },
+                 { "gpio2", make_unimp_dev, &mms->gpio[2], 0x41102000, 0x1000 },
+                 { "gpio3", make_unimp_dev, &mms->gpio[3], 0x41103000, 0x1000 },
++                { /* port 4 USER AHB interface 0 */ },
++                { /* port 5 USER AHB interface 1 */ },
++                { /* port 6 USER AHB interface 2 */ },
++                { /* port 7 USER AHB interface 3 */ },
+                 { "eth-usb", make_eth_usb, NULL, 0x41400000, 0x200000, { 49 } },
+             },
+         },
+--
+.25.1

-[Qemu-devel] [PULL 16/16] tcg: Optionally log FPU state in TCG -d cpu logging
+[PULL 02/26] hw/arm/mps2-tz.c: Update AN547 documentation URL
-Usually the logging of the CPU state produced by -d cpu is sufficient
+The AN547 application note URL has changed: update our comment
-to diagnose problems, but sometimes you want to see the state of
+accordingly. (Rev B is still downloadable from the old URL,
-the floating point registers as well. We don't want to enable that
+but there is a new Rev C of the document now.)
 by default as it adds a lot of extra data to the log; instead,
 allow it to be optionally enabled via -d fpu.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 20180510130024.31678-1-peter.maydell@linaro.org
+Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Message-id: 20220221094144.426191-1-peter.maydell@linaro.org
 ---
- include/qemu/log.h   | 1 +
+ hw/arm/mps2-tz.c | 2 +-
- accel/tcg/cpu-exec.c | 9 ++++++---
+file changed, 1 insertion(+), 1 deletion(-)
  util/log.c           | 2 ++
 files changed, 9 insertions(+), 3 deletions(-)
-diff --git a/include/qemu/log.h b/include/qemu/log.h
+diff --git a/hw/arm/mps2-tz.c b/hw/arm/mps2-tz.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/qemu/log.h
+--- a/hw/arm/mps2-tz.c
-+++ b/include/qemu/log.h
++++ b/hw/arm/mps2-tz.c
-@@ -XXX,XX +XXX,XX @@ static inline bool qemu_log_separate(void)
+@@ -XXX,XX +XXX,XX @@
- #define CPU_LOG_PAGE       (1 << 14)
+  * Application Note AN524:
- /* LOG_TRACE (1 << 15) is defined in log-for-trace.h */
+  * https://developer.arm.com/documentation/dai0524/latest/
- #define CPU_LOG_TB_OP_IND  (1 << 16)
+  * Application Note AN547:
-+#define CPU_LOG_TB_FPU     (1 << 17)
+- * https://developer.arm.com/-/media/Arm%20Developer%20Community/PDF/DAI0547B_SSE300_PLUS_U55_FPGA_for_mps3.pdf
++ * https://developer.arm.com/documentation/dai0547/latest/
- /* Lock output for a series of related logs.  Since this is not needed
+  *
-  * for a single qemu_log / qemu_log_mask / qemu_log_mask_and_addr, we
+  * The AN505 defers to the Cortex-M33 processor ARMv8M IoT Kit FVP User Guide
-diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
+  * (ARM ECM0601256) for the details of some of the device layout:
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/cpu-exec.c
 +++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ static inline tcg_target_ulong cpu_tb_exec(CPUState *cpu, TranslationBlock *itb)
      if (qemu_loglevel_mask(CPU_LOG_TB_CPU)
          && qemu_log_in_addr_range(itb->pc)) {
          qemu_log_lock();
 +        int flags = 0;
 +        if (qemu_loglevel_mask(CPU_LOG_TB_FPU)) {
 +            flags |= CPU_DUMP_FPU;
 +        }
  #if defined(TARGET_I386)
 -        log_cpu_state(cpu, CPU_DUMP_CCOP);
 -#else
 -        log_cpu_state(cpu, 0);
 +        flags |= CPU_DUMP_CCOP;
  #endif
 +        log_cpu_state(cpu, flags);
          qemu_log_unlock();
      }
  #endif /* DEBUG_DISAS */
 diff --git a/util/log.c b/util/log.c
 index XXXXXXX..XXXXXXX 100644
 --- a/util/log.c
 +++ b/util/log.c
@@ -XXX,XX +XXX,XX @@ const QEMULogItem qemu_log_items[] = {
        "show trace before each executed TB (lots of logs)" },
      { CPU_LOG_TB_CPU, "cpu",
        "show CPU registers before entering a TB (lots of logs)" },
 +    { CPU_LOG_TB_FPU, "fpu",
 +      "include FPU registers in the 'cpu' logging" },
      { CPU_LOG_MMU, "mmu",
        "log MMU-related activities" },
      { CPU_LOG_PCALL, "pcall",
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 14/16] target/arm: Fix sqrt_f16 exception raising
+[PULL 03/26] hw/input/tsc210x: Don't abort on bad SPI word widths
-From: Alex Bennée <alex.bennee@linaro.org>
+The tsc210x doesn't support anything other than 16-bit reads on the
 SPI bus, but the guest can program the SPI controller to attempt
 them anyway. If this happens, don't abort QEMU, just log this as
 a guest error.
-We are meant to explicitly pass fpst, not cpu_env.
+This fixes our machine_arm_n8x0.py:N8x0Machine.test_n800
 acceptance test, which hits this assertion.
-Cc: qemu-stable@nongnu.org
+The reason we hit the assertion is because the guest kernel thinks
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+there is a TSC2005 on this SPI bus address, not a TSC210x.  (The n810
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+*does* have a TSC2005 at this address.) The TSC2005 supports the
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+-bit accesses which the guest driver makes, and the TSC210x does
-Tested-by: Alex Bennée <alex.bennee@linaro.org>
+not (that is, our TSC210x emulation is not missing support for a word
-Message-id: 20180512003217.9105-12-richard.henderson@linaro.org
+width the hardware can handle).  It's not clear whether the problem
 here is that the guest kernel incorrectly thinks the n800 has the
 same device at this SPI bus address as the n810, or that QEMU's n810
 board model doesn't get the SPI devices right.  At this late date
 there no longer appears to be any reliable information on the web
 about the hardware behaviour, but I am inclined to think this is a
 guest kernel bug.  In any case, we prefer not to abort QEMU for
 guest-triggerable conditions, so logging the error is the right thing
 to do.
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/736
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20220221140750.514557-1-peter.maydell@linaro.org
 ---
- target/arm/translate-a64.c | 3 ++-
+ hw/input/tsc210x.c | 8 ++++++--
-file changed, 2 insertions(+), 1 deletion(-)
+file changed, 6 insertions(+), 2 deletions(-)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+diff --git a/hw/input/tsc210x.c b/hw/input/tsc210x.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
+--- a/hw/input/tsc210x.c
-+++ b/target/arm/translate-a64.c
++++ b/hw/input/tsc210x.c
-@@ -XXX,XX +XXX,XX @@ static void handle_fp_1src_half(DisasContext *s, int opcode, int rd, int rn)
+@@ -XXX,XX +XXX,XX @@
-         tcg_gen_xori_i32(tcg_res, tcg_op, 0x8000);
+ #include "hw/hw.h"
-         break;
+ #include "audio/audio.h"
-     case 0x3: /* FSQRT */
+ #include "qemu/timer.h"
--        gen_helper_sqrt_f16(tcg_res, tcg_op, cpu_env);
++#include "qemu/log.h"
-+        fpst = get_fpstatus_ptr(true);
+ #include "sysemu/reset.h"
-+        gen_helper_sqrt_f16(tcg_res, tcg_op, fpst);
+ #include "ui/console.h"
-         break;
+ #include "hw/arm/omap.h"            /* For I2SCodec */
-     case 0x8: /* FRINTN */
+@@ -XXX,XX +XXX,XX @@ uint32_t tsc210x_txrx(void *opaque, uint32_t value, int len)
-     case 0x9: /* FRINTP */
+     TSC210xState *s = opaque;
      uint32_t ret = 0;
 -    if (len != 16)
 -        hw_error("%s: FIXME: bad SPI word width %i\n", __func__, len);
 +    if (len != 16) {
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "%s: bad SPI word width %i\n", __func__, len);
 +        return 0;
 +    }
      /* TODO: sequential reads etc - how do we make sure the host doesn't
       * unintentionally read out a conversion result from a register while
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 01/16] fpu/softfloat: int_to_float ensure r fully initialised
+[PULL 04/26] hw/i2c: flatten pca954x mux device
-From: Alex Bennée <alex.bennee@linaro.org>
+From: Patrick Venture <venture@google.com>
-Reported by Coverity (CID1390635). We ensure this for uint_to_float
+Previously this device created N subdevices which each owned an i2c bus.
-later on so we might as well mirror that.
+Now this device simply owns the N i2c busses directly.
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+Tested: Verified devices behind mux are still accessible via qmp and i2c
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+from within an arm32 SoC.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Hao Wu <wuhaotsh@google.com>
 Signed-off-by: Patrick Venture <venture@google.com>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Message-id: 20220202164533.1283668-1-venture@google.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- fpu/softfloat.c | 2 +-
+ hw/i2c/i2c_mux_pca954x.c | 77 +++++++---------------------------------
-file changed, 1 insertion(+), 1 deletion(-)
+file changed, 13 insertions(+), 64 deletions(-)
-diff --git a/fpu/softfloat.c b/fpu/softfloat.c
+diff --git a/hw/i2c/i2c_mux_pca954x.c b/hw/i2c/i2c_mux_pca954x.c
 index XXXXXXX..XXXXXXX 100644
---- a/fpu/softfloat.c
+--- a/hw/i2c/i2c_mux_pca954x.c
-+++ b/fpu/softfloat.c
++++ b/hw/i2c/i2c_mux_pca954x.c
-@@ -XXX,XX +XXX,XX @@ FLOAT_TO_UINT(64, 64)
+@@ -XXX,XX +XXX,XX @@
+ #define PCA9548_CHANNEL_COUNT 8
- static FloatParts int_to_float(int64_t a, float_status *status)
+ #define PCA9546_CHANNEL_COUNT 4
 -/*
 - * struct Pca954xChannel - The i2c mux device will have N of these states
 - * that own the i2c channel bus.
 - * @bus: The owned channel bus.
 - * @enabled: Is this channel active?
 - */
 -typedef struct Pca954xChannel {
 -    SysBusDevice parent;
 -
 -    I2CBus       *bus;
 -
 -    bool         enabled;
 -} Pca954xChannel;
 -
 -#define TYPE_PCA954X_CHANNEL "pca954x-channel"
 -#define PCA954X_CHANNEL(obj) \
 -    OBJECT_CHECK(Pca954xChannel, (obj), TYPE_PCA954X_CHANNEL)
 -
  /*
   * struct Pca954xState - The pca954x state object.
   * @control: The value written to the mux control.
@@ -XXX,XX +XXX,XX @@ typedef struct Pca954xState {
      uint8_t control;
 -    /* The channel i2c buses. */
 -    Pca954xChannel channel[PCA9548_CHANNEL_COUNT];
 +    bool enabled[PCA9548_CHANNEL_COUNT];
 +    I2CBus *bus[PCA9548_CHANNEL_COUNT];
  } Pca954xState;
  /*
@@ -XXX,XX +XXX,XX @@ static bool pca954x_match(I2CSlave *candidate, uint8_t address,
      }
      for (i = 0; i < mc->nchans; i++) {
 -        if (!mux->channel[i].enabled) {
 +        if (!mux->enabled[i]) {
              continue;
          }
 -        if (i2c_scan_bus(mux->channel[i].bus, address, broadcast,
 +        if (i2c_scan_bus(mux->bus[i], address, broadcast,
                           current_devs)) {
              if (!broadcast) {
                  return true;
@@ -XXX,XX +XXX,XX @@ static void pca954x_enable_channel(Pca954xState *s, uint8_t enable_mask)
       */
      for (i = 0; i < mc->nchans; i++) {
          if (enable_mask & (1 << i)) {
 -            s->channel[i].enabled = true;
 +            s->enabled[i] = true;
          } else {
 -            s->channel[i].enabled = false;
 +            s->enabled[i] = false;
          }
      }
  }
@@ -XXX,XX +XXX,XX @@ I2CBus *pca954x_i2c_get_bus(I2CSlave *mux, uint8_t channel)
      Pca954xState *pca954x = PCA954X(mux);
      g_assert(channel < pc->nchans);
 -    return I2C_BUS(qdev_get_child_bus(DEVICE(&pca954x->channel[channel]),
 -                                      "i2c-bus"));
 -}
 -
 -static void pca954x_channel_init(Object *obj)
 -{
 -    Pca954xChannel *s = PCA954X_CHANNEL(obj);
 -    s->bus = i2c_init_bus(DEVICE(s), "i2c-bus");
 -
 -    /* Start all channels as disabled. */
 -    s->enabled = false;
 -}
 -
 -static void pca954x_channel_class_init(ObjectClass *klass, void *data)
 -{
 -    DeviceClass *dc = DEVICE_CLASS(klass);
 -    dc->desc = "Pca954x Channel";
 +    return pca954x->bus[channel];
  }
  static void pca9546_class_init(ObjectClass *klass, void *data)
@@ -XXX,XX +XXX,XX @@ static void pca9548_class_init(ObjectClass *klass, void *data)
      s->nchans = PCA9548_CHANNEL_COUNT;
  }
 -static void pca954x_realize(DeviceState *dev, Error **errp)
 -{
 -    Pca954xState *s = PCA954X(dev);
 -    Pca954xClass *c = PCA954X_GET_CLASS(s);
 -    int i;
 -
 -    /* SMBus modules. Cannot fail. */
 -    for (i = 0; i < c->nchans; i++) {
 -        sysbus_realize(SYS_BUS_DEVICE(&s->channel[i]), &error_abort);
 -    }
 -}
 -
  static void pca954x_init(Object *obj)
  {
--    FloatParts r;
+     Pca954xState *s = PCA954X(obj);
-+    FloatParts r = {};
+     Pca954xClass *c = PCA954X_GET_CLASS(obj);
-     if (a == 0) {
+     int i;
-         r.cls = float_class_zero;
-         r.sign = false;
+-    /* Only initialize the children we expect. */
 +    /* SMBus modules. Cannot fail. */
      for (i = 0; i < c->nchans; i++) {
 -        object_initialize_child(obj, "channel[*]", &s->channel[i],
 -                                TYPE_PCA954X_CHANNEL);
 +        g_autofree gchar *bus_name = g_strdup_printf("i2c.%d", i);
 +
 +        /* start all channels as disabled. */
 +        s->enabled[i] = false;
 +        s->bus[i] = i2c_init_bus(DEVICE(s), bus_name);
      }
  }
@@ -XXX,XX +XXX,XX @@ static void pca954x_class_init(ObjectClass *klass, void *data)
      rc->phases.enter = pca954x_enter_reset;
      dc->desc = "Pca954x i2c-mux";
 -    dc->realize = pca954x_realize;
      k->write_data = pca954x_write_data;
      k->receive_byte = pca954x_read_byte;
@@ -XXX,XX +XXX,XX @@ static const TypeInfo pca954x_info[] = {
          .parent        = TYPE_PCA954X,
          .class_init    = pca9548_class_init,
      },
 -    {
 -        .name = TYPE_PCA954X_CHANNEL,
 -        .parent = TYPE_SYS_BUS_DEVICE,
 -        .class_init = pca954x_channel_class_init,
 -        .instance_size = sizeof(Pca954xChannel),
 -        .instance_init = pca954x_channel_init,
 -    }
  };
  DEFINE_TYPES(pca954x_info)
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 15/16] sdcard: Correct CRC16 offset in sd_function_switch()
+[PULL 05/26] target/arm: Support PSCI 1.1 and SMCCC 1.0
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+From: Akihiko Odaki <akihiko.odaki@gmail.com>
-Per the Physical Layer Simplified Spec. "4.3.10.4 Switch Function Status":
+Support the latest PSCI on TCG and HVF. A 64-bit function called from
 AArch32 now returns NOT_SUPPORTED, which is necessary to adhere to SMC
 Calling Convention 1.0. It is still not compliant with SMCCC 1.3 since
 they do not implement mandatory functions.
-  The block length is predefined to 512 bits
+Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com>
+Message-id: 20220213035753.34577-1-akihiko.odaki@gmail.com
 and "4.10.2 SD Status":
   The SD Status contains status bits that are related to the SD Memory Card
   proprietary features and may be used for future application-specific usage.
   The size of the SD Status is one data block of 512 bit. The content of this
   register is transmitted to the Host over the DAT bus along with a 16-bit CRC.
 Thus the 16-bit CRC goes at offset 64.
 Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Message-id: 20180509060104.4458-3-f4bug@amsat.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+[PMM: update MISMATCH_CHECK checks on PSCI_VERSION macros to match]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/sd/sd.c | 2 +-
+ target/arm/kvm-consts.h | 13 +++++++++----
-file changed, 1 insertion(+), 1 deletion(-)
+ hw/arm/boot.c           | 12 +++++++++---
  target/arm/cpu.c        |  5 +++--
  target/arm/hvf/hvf.c    | 27 ++++++++++++++++++++++++++-
  target/arm/kvm64.c      |  2 +-
  target/arm/psci.c       | 35 ++++++++++++++++++++++++++++++++---
 files changed, 80 insertions(+), 14 deletions(-)
-diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+diff --git a/target/arm/kvm-consts.h b/target/arm/kvm-consts.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/sd/sd.c
+--- a/target/arm/kvm-consts.h
-+++ b/hw/sd/sd.c
++++ b/target/arm/kvm-consts.h
-@@ -XXX,XX +XXX,XX @@ static void sd_function_switch(SDState *sd, uint32_t arg)
+@@ -XXX,XX +XXX,XX @@ MISMATCH_CHECK(QEMU_PSCI_0_1_FN_MIGRATE, KVM_PSCI_FN_MIGRATE);
-         sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4);
+ #define QEMU_PSCI_0_2_FN64_AFFINITY_INFO QEMU_PSCI_0_2_FN64(4)
-     }
+ #define QEMU_PSCI_0_2_FN64_MIGRATE QEMU_PSCI_0_2_FN64(5)
-     memset(&sd->data[17], 0, 47);
--    stw_be_p(sd->data + 65, sd_crc16(sd->data, 64));
++#define QEMU_PSCI_1_0_FN_PSCI_FEATURES QEMU_PSCI_0_2_FN(10)
-+    stw_be_p(sd->data + 64, sd_crc16(sd->data, 64));
++
  MISMATCH_CHECK(QEMU_PSCI_0_2_FN_CPU_SUSPEND, PSCI_0_2_FN_CPU_SUSPEND);
  MISMATCH_CHECK(QEMU_PSCI_0_2_FN_CPU_OFF, PSCI_0_2_FN_CPU_OFF);
  MISMATCH_CHECK(QEMU_PSCI_0_2_FN_CPU_ON, PSCI_0_2_FN_CPU_ON);
@@ -XXX,XX +XXX,XX @@ MISMATCH_CHECK(QEMU_PSCI_0_2_FN_MIGRATE, PSCI_0_2_FN_MIGRATE);
  MISMATCH_CHECK(QEMU_PSCI_0_2_FN64_CPU_SUSPEND, PSCI_0_2_FN64_CPU_SUSPEND);
  MISMATCH_CHECK(QEMU_PSCI_0_2_FN64_CPU_ON, PSCI_0_2_FN64_CPU_ON);
  MISMATCH_CHECK(QEMU_PSCI_0_2_FN64_MIGRATE, PSCI_0_2_FN64_MIGRATE);
 +MISMATCH_CHECK(QEMU_PSCI_1_0_FN_PSCI_FEATURES, PSCI_1_0_FN_PSCI_FEATURES);
  /* PSCI v0.2 return values used by TCG emulation of PSCI */
  /* No Trusted OS migration to worry about when offlining CPUs */
  #define QEMU_PSCI_0_2_RET_TOS_MIGRATION_NOT_REQUIRED        2
 -/* We implement version 0.2 only */
 -#define QEMU_PSCI_0_2_RET_VERSION_0_2                       2
 +#define QEMU_PSCI_VERSION_0_1                     0x00001
 +#define QEMU_PSCI_VERSION_0_2                     0x00002
 +#define QEMU_PSCI_VERSION_1_1                     0x10001
  MISMATCH_CHECK(QEMU_PSCI_0_2_RET_TOS_MIGRATION_NOT_REQUIRED, PSCI_0_2_TOS_MP);
 -MISMATCH_CHECK(QEMU_PSCI_0_2_RET_VERSION_0_2,
 -               (PSCI_VERSION_MAJOR(0) | PSCI_VERSION_MINOR(2)));
 +/* We don't bother to check every possible version value */
 +MISMATCH_CHECK(QEMU_PSCI_VERSION_0_2, PSCI_VERSION(0, 2));
 +MISMATCH_CHECK(QEMU_PSCI_VERSION_1_1, PSCI_VERSION(1, 1));
  /* PSCI return values (inclusive of all PSCI versions) */
  #define QEMU_PSCI_RET_SUCCESS                     0
 diff --git a/hw/arm/boot.c b/hw/arm/boot.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/boot.c
 +++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static void fdt_add_psci_node(void *fdt)
      }
      qemu_fdt_add_subnode(fdt, "/psci");
 -    if (armcpu->psci_version == 2) {
 -        const char comp[] = "arm,psci-0.2\0arm,psci";
 -        qemu_fdt_setprop(fdt, "/psci", "compatible", comp, sizeof(comp));
 +    if (armcpu->psci_version == QEMU_PSCI_VERSION_0_2 ||
 +        armcpu->psci_version == QEMU_PSCI_VERSION_1_1) {
 +        if (armcpu->psci_version == QEMU_PSCI_VERSION_0_2) {
 +            const char comp[] = "arm,psci-0.2\0arm,psci";
 +            qemu_fdt_setprop(fdt, "/psci", "compatible", comp, sizeof(comp));
 +        } else {
 +            const char comp[] = "arm,psci-1.0\0arm,psci-0.2\0arm,psci";
 +            qemu_fdt_setprop(fdt, "/psci", "compatible", comp, sizeof(comp));
 +        }
          cpu_off_fn = QEMU_PSCI_0_2_FN_CPU_OFF;
          if (arm_feature(&armcpu->env, ARM_FEATURE_AARCH64)) {
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_initfn(Object *obj)
       * picky DTB consumer will also provide a helpful error message.
       */
      cpu->dtb_compatible = "qemu,unknown";
 -    cpu->psci_version = 1; /* By default assume PSCI v0.1 */
 +    cpu->psci_version = QEMU_PSCI_VERSION_0_1; /* By default assume PSCI v0.1 */
      cpu->kvm_target = QEMU_KVM_ARM_TARGET_NONE;
      if (tcg_enabled() || hvf_enabled()) {
 -        cpu->psci_version = 2; /* TCG and HVF implement PSCI 0.2 */
 +        /* TCG and HVF implement PSCI 1.1 */
 +        cpu->psci_version = QEMU_PSCI_VERSION_1_1;
      }
  }
- static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
+diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/hvf/hvf.c
 +++ b/target/arm/hvf/hvf.c
@@ -XXX,XX +XXX,XX @@ static bool hvf_handle_psci_call(CPUState *cpu)
      switch (param[0]) {
      case QEMU_PSCI_0_2_FN_PSCI_VERSION:
 -        ret = QEMU_PSCI_0_2_RET_VERSION_0_2;
 +        ret = QEMU_PSCI_VERSION_1_1;
          break;
      case QEMU_PSCI_0_2_FN_MIGRATE_INFO_TYPE:
          ret = QEMU_PSCI_0_2_RET_TOS_MIGRATION_NOT_REQUIRED; /* No trusted OS */
@@ -XXX,XX +XXX,XX @@ static bool hvf_handle_psci_call(CPUState *cpu)
      case QEMU_PSCI_0_2_FN_MIGRATE:
          ret = QEMU_PSCI_RET_NOT_SUPPORTED;
          break;
 +    case QEMU_PSCI_1_0_FN_PSCI_FEATURES:
 +        switch (param[1]) {
 +        case QEMU_PSCI_0_2_FN_PSCI_VERSION:
 +        case QEMU_PSCI_0_2_FN_MIGRATE_INFO_TYPE:
 +        case QEMU_PSCI_0_2_FN_AFFINITY_INFO:
 +        case QEMU_PSCI_0_2_FN64_AFFINITY_INFO:
 +        case QEMU_PSCI_0_2_FN_SYSTEM_RESET:
 +        case QEMU_PSCI_0_2_FN_SYSTEM_OFF:
 +        case QEMU_PSCI_0_1_FN_CPU_ON:
 +        case QEMU_PSCI_0_2_FN_CPU_ON:
 +        case QEMU_PSCI_0_2_FN64_CPU_ON:
 +        case QEMU_PSCI_0_1_FN_CPU_OFF:
 +        case QEMU_PSCI_0_2_FN_CPU_OFF:
 +        case QEMU_PSCI_0_1_FN_CPU_SUSPEND:
 +        case QEMU_PSCI_0_2_FN_CPU_SUSPEND:
 +        case QEMU_PSCI_0_2_FN64_CPU_SUSPEND:
 +        case QEMU_PSCI_1_0_FN_PSCI_FEATURES:
 +            ret = 0;
 +            break;
 +        case QEMU_PSCI_0_1_FN_MIGRATE:
 +        case QEMU_PSCI_0_2_FN_MIGRATE:
 +        default:
 +            ret = QEMU_PSCI_RET_NOT_SUPPORTED;
 +        }
 +        break;
      default:
          return false;
      }
 diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm64.c
 +++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ int kvm_arch_init_vcpu(CPUState *cs)
          cpu->kvm_init_features[0] |= 1 << KVM_ARM_VCPU_POWER_OFF;
      }
      if (kvm_check_extension(cs->kvm_state, KVM_CAP_ARM_PSCI_0_2)) {
 -        cpu->psci_version = 2;
 +        cpu->psci_version = QEMU_PSCI_VERSION_0_2;
          cpu->kvm_init_features[0] |= 1 << KVM_ARM_VCPU_PSCI_0_2;
      }
      if (!arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
 diff --git a/target/arm/psci.c b/target/arm/psci.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/psci.c
 +++ b/target/arm/psci.c
@@ -XXX,XX +XXX,XX @@ void arm_handle_psci_call(ARMCPU *cpu)
  {
      /*
       * This function partially implements the logic for dispatching Power State
 -     * Coordination Interface (PSCI) calls (as described in ARM DEN 0022B.b),
 +     * Coordination Interface (PSCI) calls (as described in ARM DEN 0022D.b),
       * to the extent required for bringing up and taking down secondary cores,
       * and for handling reset and poweroff requests.
       * Additional information about the calling convention used is available in
@@ -XXX,XX +XXX,XX @@ void arm_handle_psci_call(ARMCPU *cpu)
      }
      if ((param[0] & QEMU_PSCI_0_2_64BIT) && !is_a64(env)) {
 -        ret = QEMU_PSCI_RET_INVALID_PARAMS;
 +        ret = QEMU_PSCI_RET_NOT_SUPPORTED;
          goto err;
      }
@@ -XXX,XX +XXX,XX @@ void arm_handle_psci_call(ARMCPU *cpu)
          ARMCPU *target_cpu;
      case QEMU_PSCI_0_2_FN_PSCI_VERSION:
 -        ret = QEMU_PSCI_0_2_RET_VERSION_0_2;
 +        ret = QEMU_PSCI_VERSION_1_1;
          break;
      case QEMU_PSCI_0_2_FN_MIGRATE_INFO_TYPE:
          ret = QEMU_PSCI_0_2_RET_TOS_MIGRATION_NOT_REQUIRED; /* No trusted OS */
@@ -XXX,XX +XXX,XX @@ void arm_handle_psci_call(ARMCPU *cpu)
          }
          helper_wfi(env, 4);
          break;
 +    case QEMU_PSCI_1_0_FN_PSCI_FEATURES:
 +        switch (param[1]) {
 +        case QEMU_PSCI_0_2_FN_PSCI_VERSION:
 +        case QEMU_PSCI_0_2_FN_MIGRATE_INFO_TYPE:
 +        case QEMU_PSCI_0_2_FN_AFFINITY_INFO:
 +        case QEMU_PSCI_0_2_FN64_AFFINITY_INFO:
 +        case QEMU_PSCI_0_2_FN_SYSTEM_RESET:
 +        case QEMU_PSCI_0_2_FN_SYSTEM_OFF:
 +        case QEMU_PSCI_0_1_FN_CPU_ON:
 +        case QEMU_PSCI_0_2_FN_CPU_ON:
 +        case QEMU_PSCI_0_2_FN64_CPU_ON:
 +        case QEMU_PSCI_0_1_FN_CPU_OFF:
 +        case QEMU_PSCI_0_2_FN_CPU_OFF:
 +        case QEMU_PSCI_0_1_FN_CPU_SUSPEND:
 +        case QEMU_PSCI_0_2_FN_CPU_SUSPEND:
 +        case QEMU_PSCI_0_2_FN64_CPU_SUSPEND:
 +        case QEMU_PSCI_1_0_FN_PSCI_FEATURES:
 +            if (!(param[1] & QEMU_PSCI_0_2_64BIT) || is_a64(env)) {
 +                ret = 0;
 +                break;
 +            }
 +            /* fallthrough */
 +        case QEMU_PSCI_0_1_FN_MIGRATE:
 +        case QEMU_PSCI_0_2_FN_MIGRATE:
 +        default:
 +            ret = QEMU_PSCI_RET_NOT_SUPPORTED;
 +            break;
 +        }
 +        break;
      case QEMU_PSCI_0_1_FN_MIGRATE:
      case QEMU_PSCI_0_2_FN_MIGRATE:
      default:
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 05/16] target/arm: Early exit after unallocated_encoding in disas_fp_int_conv
+[PULL 06/26] target/arm: Fix early free of TCG temp in handle_simd_shift_fpint_conv()
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Wentao_Liang <Wentao_Liang_g@163.com>
-No sense in emitting code after the exception.
+handle_simd_shift_fpint_conv() was accidentally freeing the TCG
 temporary tcg_fpstatus too early, before the last use of it.  Move
 the free down to where it belongs.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Wentao_Liang <Wentao_Liang_g@163.com>
-Tested-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180512003217.9105-3-richard.henderson@linaro.org
+[PMM: cleaned up commit message]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  target/arm/translate-a64.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void disas_fp_int_conv(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ static void handle_simd_shift_fpint_conv(DisasContext *s, bool is_scalar,
          default:
              /* all other sf/type/rmode combinations are invalid */
              unallocated_encoding(s);
 -            break;
 +            return;
          }
+     }
-         if (!fp_access_check(s)) {
 -    tcg_temp_free_ptr(tcg_fpstatus);
      tcg_temp_free_i32(tcg_shift);
      gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);
 +    tcg_temp_free_ptr(tcg_fpstatus);
      tcg_temp_free_i32(tcg_rmode);
  }
 --
-.17.0
+.25.1

-New patch
+[PULL 07/26] tests/qtest: add qtests for npcm7xx sdhci
+From: Shengtan Mao <stmao@google.com>
+Reviewed-by: Hao Wu <wuhaotsh@google.com>
+Reviewed-by: Chris Rauer <crauer@google.com>
+Signed-off-by: Shengtan Mao <stmao@google.com>
+Signed-off-by: Patrick Venture <venture@google.com>
+Message-id: 20220225174451.192304-1-wuhaotsh@google.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ tests/qtest/npcm7xx_sdhci-test.c | 215 +++++++++++++++++++++++++++++++
+ tests/qtest/meson.build          |   1 +
+files changed, 216 insertions(+)
+ create mode 100644 tests/qtest/npcm7xx_sdhci-test.c
+diff --git a/tests/qtest/npcm7xx_sdhci-test.c b/tests/qtest/npcm7xx_sdhci-test.c
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--- /dev/null
++++ b/tests/qtest/npcm7xx_sdhci-test.c
+@@ -XXX,XX +XXX,XX @@
++/*
++ * QTests for NPCM7xx SD-3.0 / MMC-4.51 Host Controller
++ *
++ * Copyright (c) 2022 Google LLC
++ *
++ * This program is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by the
++ * Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * for more details.
++ */
++
++#include "qemu/osdep.h"
++#include "hw/sd/npcm7xx_sdhci.h"
++
++#include "libqos/libqtest.h"
++#include "libqtest-single.h"
++#include "libqos/sdhci-cmd.h"
++
++#define NPCM7XX_REG_SIZE 0x100
++#define NPCM7XX_MMC_BA 0xF0842000
++#define NPCM7XX_BLK_SIZE 512
++#define NPCM7XX_TEST_IMAGE_SIZE (1 << 30)
++
++char *sd_path;
++
++static QTestState *setup_sd_card(void)
++{
++    QTestState *qts = qtest_initf(
++        "-machine kudo-bmc "
++        "-device sd-card,drive=drive0 "
++        "-drive id=drive0,if=none,file=%s,format=raw,auto-read-only=off",
++        sd_path);
++
++    qtest_writew(qts, NPCM7XX_MMC_BA + SDHC_SWRST, SDHC_RESET_ALL);
++    qtest_writew(qts, NPCM7XX_MMC_BA + SDHC_CLKCON,
++                 SDHC_CLOCK_SDCLK_EN | SDHC_CLOCK_INT_STABLE |
++                     SDHC_CLOCK_INT_EN);
++    sdhci_cmd_regs(qts, NPCM7XX_MMC_BA, 0, 0, 0, 0, SDHC_APP_CMD);
++    sdhci_cmd_regs(qts, NPCM7XX_MMC_BA, 0, 0, 0x41200000, 0, (41 << 8));
++    sdhci_cmd_regs(qts, NPCM7XX_MMC_BA, 0, 0, 0, 0, SDHC_ALL_SEND_CID);
++    sdhci_cmd_regs(qts, NPCM7XX_MMC_BA, 0, 0, 0, 0, SDHC_SEND_RELATIVE_ADDR);
++    sdhci_cmd_regs(qts, NPCM7XX_MMC_BA, 0, 0, 0x45670000, 0,
++                   SDHC_SELECT_DESELECT_CARD);
++
++    return qts;
++}
++
++static void write_sdread(QTestState *qts, const char *msg)
++{
++    int fd, ret;
++    size_t len = strlen(msg);
++    char *rmsg = g_malloc(len);
++
++    /* write message to sd */
++    fd = open(sd_path, O_WRONLY);
++    g_assert(fd >= 0);
++    ret = write(fd, msg, len);
++    close(fd);
++    g_assert(ret == len);
++
++    /* read message using sdhci */
++    ret = sdhci_read_cmd(qts, NPCM7XX_MMC_BA, rmsg, len);
++    g_assert(ret == len);
++    g_assert(!memcmp(rmsg, msg, len));
++
++    g_free(rmsg);
++}
++
++/* Check MMC can read values from sd */
++static void test_read_sd(void)
++{
++    QTestState *qts = setup_sd_card();
++
++    write_sdread(qts, "hello world");
++    write_sdread(qts, "goodbye");
++
++    qtest_quit(qts);
++}
++
++static void sdwrite_read(QTestState *qts, const char *msg)
++{
++    int fd, ret;
++    size_t len = strlen(msg);
++    char *rmsg = g_malloc(len);
++
++    /* write message using sdhci */
++    sdhci_write_cmd(qts, NPCM7XX_MMC_BA, msg, len, NPCM7XX_BLK_SIZE);
++
++    /* read message from sd */
++    fd = open(sd_path, O_RDONLY);
++    g_assert(fd >= 0);
++    ret = read(fd, rmsg, len);
++    close(fd);
++    g_assert(ret == len);
++
++    g_assert(!memcmp(rmsg, msg, len));
++
++    g_free(rmsg);
++}
++
++/* Check MMC can write values to sd */
++static void test_write_sd(void)
++{
++    QTestState *qts = setup_sd_card();
++
++    sdwrite_read(qts, "hello world");
++    sdwrite_read(qts, "goodbye");
++
++    qtest_quit(qts);
++}
++
++/* Check SDHCI has correct default values. */
++static void test_reset(void)
++{
++    QTestState *qts = qtest_init("-machine kudo-bmc");
++    uint64_t addr = NPCM7XX_MMC_BA;
++    uint64_t end_addr = addr + NPCM7XX_REG_SIZE;
++    uint16_t prstvals_resets[] = {NPCM7XX_PRSTVALS_0_RESET,
++                                  NPCM7XX_PRSTVALS_1_RESET,
++                                  0,
++                                  NPCM7XX_PRSTVALS_3_RESET,
++                                  0,
++                                  0};
++    int i;
++    uint32_t mask;
++
++    while (addr < end_addr) {
++        switch (addr - NPCM7XX_MMC_BA) {
++        case SDHC_PRNSTS:
++            /*
++             * ignores bits 20 to 24: they are changed when reading registers
++             */
++            mask = 0x1f00000;
++            g_assert_cmphex(qtest_readl(qts, addr) | mask, ==,
++                            NPCM7XX_PRSNTS_RESET | mask);
++            addr += 4;
++            break;
++        case SDHC_BLKGAP:
++            g_assert_cmphex(qtest_readb(qts, addr), ==, NPCM7XX_BLKGAP_RESET);
++            addr += 1;
++            break;
++        case SDHC_CAPAB:
++            g_assert_cmphex(qtest_readq(qts, addr), ==, NPCM7XX_CAPAB_RESET);
++            addr += 8;
++            break;
++        case SDHC_MAXCURR:
++            g_assert_cmphex(qtest_readq(qts, addr), ==, NPCM7XX_MAXCURR_RESET);
++            addr += 8;
++            break;
++        case SDHC_HCVER:
++            g_assert_cmphex(qtest_readw(qts, addr), ==, NPCM7XX_HCVER_RESET);
++            addr += 2;
++            break;
++        case NPCM7XX_PRSTVALS:
++            for (i = 0; i < NPCM7XX_PRSTVALS_SIZE; ++i) {
++                g_assert_cmphex(qtest_readw(qts, addr + 2 * i), ==,
++                                prstvals_resets[i]);
++            }
++            addr += NPCM7XX_PRSTVALS_SIZE * 2;
++            break;
++        default:
++            g_assert_cmphex(qtest_readb(qts, addr), ==, 0);
++            addr += 1;
++        }
++    }
++
++    qtest_quit(qts);
++}
++
++static void drive_destroy(void)
++{
++    unlink(sd_path);
++    g_free(sd_path);
++}
++
++static void drive_create(void)
++{
++    int fd, ret;
++    GError *error = NULL;
++
++    /* Create a temporary raw image */
++    fd = g_file_open_tmp("sdhci_XXXXXX", &sd_path, &error);
++    if (fd == -1) {
++        fprintf(stderr, "unable to create sdhci file: %s\n", error->message);
++        g_error_free(error);
++    }
++    g_assert(sd_path != NULL);
++
++    ret = ftruncate(fd, NPCM7XX_TEST_IMAGE_SIZE);
++    g_assert_cmpint(ret, ==, 0);
++    g_message("%s", sd_path);
++    close(fd);
++}
++
++int main(int argc, char **argv)
++{
++    int ret;
++
++    drive_create();
++
++    g_test_init(&argc, &argv, NULL);
++
++    qtest_add_func("npcm7xx_sdhci/reset", test_reset);
++    qtest_add_func("npcm7xx_sdhci/write_sd", test_write_sd);
++    qtest_add_func("npcm7xx_sdhci/read_sd", test_read_sd);
++
++    ret = g_test_run();
++    drive_destroy();
++    return ret;
++}
+diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/qtest/meson.build
++++ b/tests/qtest/meson.build
+@@ -XXX,XX +XXX,XX @@ qtests_npcm7xx = \
+    'npcm7xx_gpio-test',
+    'npcm7xx_pwm-test',
+    'npcm7xx_rng-test',
++   'npcm7xx_sdhci-test',
+    'npcm7xx_smbus-test',
+    'npcm7xx_timer-test',
+    'npcm7xx_watchdog_timer-test'] + \
+--
+.25.1

-[Qemu-devel] [PULL 13/16] target/arm: Implement FMOV (immediate) for fp16
+[PULL 08/26] hw/registerfields: Add FIELD_SEX<N> and FIELD_SDP<N>
-From: Alex Bennée <alex.bennee@linaro.org>
+From: Richard Henderson <richard.henderson@linaro.org>
-All the hard work is already done by vfp_expand_imm, we just need to
+Add new macros to manipulate signed fields within the register.
 make sure we pick up the correct size.
-Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
 Tested-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180512003217.9105-11-richard.henderson@linaro.org
+Message-id: 20220301215958.157011-2-richard.henderson@linaro.org
-[rth: Merge unallocated_encoding check with TCGMemOp conversion.]
+Suggested-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.c | 20 +++++++++++++++++---
+ include/hw/registerfields.h | 48 ++++++++++++++++++++++++++++++++++++-
-file changed, 17 insertions(+), 3 deletions(-)
+file changed, 47 insertions(+), 1 deletion(-)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+diff --git a/include/hw/registerfields.h b/include/hw/registerfields.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
+--- a/include/hw/registerfields.h
-+++ b/target/arm/translate-a64.c
++++ b/include/hw/registerfields.h
-@@ -XXX,XX +XXX,XX @@ static void disas_fp_imm(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@
- {
+     extract64((storage), R_ ## reg ## _ ## field ## _SHIFT,               \
-     int rd = extract32(insn, 0, 5);
+               R_ ## reg ## _ ## field ## _LENGTH)
-     int imm8 = extract32(insn, 13, 8);
--    int is_double = extract32(insn, 22, 2);
++#define FIELD_SEX8(storage, reg, field)                                   \
-+    int type = extract32(insn, 22, 2);
++    sextract8((storage), R_ ## reg ## _ ## field ## _SHIFT,               \
-     uint64_t imm;
++              R_ ## reg ## _ ## field ## _LENGTH)
-     TCGv_i64 tcg_res;
++#define FIELD_SEX16(storage, reg, field)                                  \
-+    TCGMemOp sz;
++    sextract16((storage), R_ ## reg ## _ ## field ## _SHIFT,              \
++               R_ ## reg ## _ ## field ## _LENGTH)
--    if (is_double > 1) {
++#define FIELD_SEX32(storage, reg, field)                                  \
-+    switch (type) {
++    sextract32((storage), R_ ## reg ## _ ## field ## _SHIFT,              \
-+    case 0:
++               R_ ## reg ## _ ## field ## _LENGTH)
-+        sz = MO_32;
++#define FIELD_SEX64(storage, reg, field)                                  \
-+        break;
++    sextract64((storage), R_ ## reg ## _ ## field ## _SHIFT,              \
-+    case 1:
++               R_ ## reg ## _ ## field ## _LENGTH)
-+        sz = MO_64;
++
-+        break;
+ /* Extract a field from an array of registers */
-+    case 3:
+ #define ARRAY_FIELD_EX32(regs, reg, field)                                \
-+        sz = MO_16;
+     FIELD_EX32((regs)[R_ ## reg], reg, field)
-+        if (arm_dc_feature(s, ARM_FEATURE_V8_FP16)) {
+@@ -XXX,XX +XXX,XX @@
-+            break;
+     _d; })
-+        }
+ #define FIELD_DP64(storage, reg, field, val) ({                           \
-+        /* fallthru */
+     struct {                                                              \
-+    default:
+-        uint64_t v:R_ ## reg ## _ ## field ## _LENGTH;                \
-         unallocated_encoding(s);
++        uint64_t v:R_ ## reg ## _ ## field ## _LENGTH;                    \
-         return;
++    } _v = { .v = val };                                                  \
-     }
++    uint64_t _d;                                                          \
-@@ -XXX,XX +XXX,XX @@ static void disas_fp_imm(DisasContext *s, uint32_t insn)
++    _d = deposit64((storage), R_ ## reg ## _ ## field ## _SHIFT,          \
-         return;
++                  R_ ## reg ## _ ## field ## _LENGTH, _v.v);              \
-     }
++    _d; })
++
--    imm = vfp_expand_imm(MO_32 + is_double, imm8);
++#define FIELD_SDP8(storage, reg, field, val) ({                           \
-+    imm = vfp_expand_imm(sz, imm8);
++    struct {                                                              \
++        signed int v:R_ ## reg ## _ ## field ## _LENGTH;                  \
-     tcg_res = tcg_const_i64(imm);
++    } _v = { .v = val };                                                  \
-     write_fp_dreg(s, rd, tcg_res);
++    uint8_t _d;                                                           \
 +    _d = deposit32((storage), R_ ## reg ## _ ## field ## _SHIFT,          \
 +                  R_ ## reg ## _ ## field ## _LENGTH, _v.v);              \
 +    _d; })
 +#define FIELD_SDP16(storage, reg, field, val) ({                          \
 +    struct {                                                              \
 +        signed int v:R_ ## reg ## _ ## field ## _LENGTH;                  \
 +    } _v = { .v = val };                                                  \
 +    uint16_t _d;                                                          \
 +    _d = deposit32((storage), R_ ## reg ## _ ## field ## _SHIFT,          \
 +                  R_ ## reg ## _ ## field ## _LENGTH, _v.v);              \
 +    _d; })
 +#define FIELD_SDP32(storage, reg, field, val) ({                          \
 +    struct {                                                              \
 +        signed int v:R_ ## reg ## _ ## field ## _LENGTH;                  \
 +    } _v = { .v = val };                                                  \
 +    uint32_t _d;                                                          \
 +    _d = deposit32((storage), R_ ## reg ## _ ## field ## _SHIFT,          \
 +                  R_ ## reg ## _ ## field ## _LENGTH, _v.v);              \
 +    _d; })
 +#define FIELD_SDP64(storage, reg, field, val) ({                          \
 +    struct {                                                              \
 +        int64_t v:R_ ## reg ## _ ## field ## _LENGTH;                     \
      } _v = { .v = val };                                                  \
      uint64_t _d;                                                          \
      _d = deposit64((storage), R_ ## reg ## _ ## field ## _SHIFT,          \
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 03/16] target/arm: Fix fp_status_f16 tininess before rounding
+[PULL 09/26] target/arm: Set TCR_EL1.TSZ for user-only
-In commit d81ce0ef2c4f105 we added an extra float_status field
+From: Richard Henderson <richard.henderson@linaro.org>
 fp_status_fp16 for Arm, but forgot to initialize it correctly
 by setting it to float_tininess_before_rounding. This currently
 will only cause problems for the new V8_FP16 feature, since the
 float-to-float conversion code doesn't use it yet. The effect
 would be that we failed to set the Underflow IEEE exception flag
 in all the cases where we should.
-Add the missing initialization.
+Set this as the kernel would, to 48 bits, to keep the computation
 of the address space correct for PAuth.
-Fixes: d81ce0ef2c4f105
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Cc: qemu-stable@nongnu.org
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220301215958.157011-3-richard.henderson@linaro.org
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20180512004311.9299-16-richard.henderson@linaro.org
 ---
- target/arm/cpu.c | 2 ++
+ target/arm/cpu.c | 3 ++-
-file changed, 2 insertions(+)
+file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(CPUState *s)
+@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
-                               &env->vfp.fp_status);
+                 aarch64_sve_zcr_get_valid_len(cpu, cpu->sve_default_vq - 1);
-     set_float_detect_tininess(float_tininess_before_rounding,
+         }
-                               &env->vfp.standard_fp_status);
+         /*
-+    set_float_detect_tininess(float_tininess_before_rounding,
++         * Enable 48-bit address space (TODO: take reserved_va into account).
-+                              &env->vfp.fp_status_f16);
+          * Enable TBI0 but not TBI1.
- #ifndef CONFIG_USER_ONLY
+          * Note that this must match useronly_clean_ptr.
-     if (kvm_enabled()) {
+          */
-         kvm_arm_reset_vcpu(cpu);
+-        env->cp15.tcr_el[1].raw_tcr = (1ULL << 37);
 +        env->cp15.tcr_el[1].raw_tcr = 5 | (1ULL << 37);
          /* Enable MTE */
          if (cpu_isar_feature(aa64_mte, cpu)) {
 --
-.17.0
+.25.1

-New patch
+[PULL 10/26] target/arm: Fault on invalid TCR_ELx.TxSZ
+From: Richard Henderson <richard.henderson@linaro.org>
+Without FEAT_LVA, the behaviour of programming an invalid value
+is IMPLEMENTATION DEFINED.  With FEAT_LVA, programming an invalid
+minimum value requires a Translation fault.
+It is most self-consistent to choose to generate the fault always.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220301215958.157011-4-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/internals.h |  1 +
+ target/arm/helper.c    | 32 ++++++++++++++++++++++++++++----
+files changed, 29 insertions(+), 4 deletions(-)
+diff --git a/target/arm/internals.h b/target/arm/internals.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/internals.h
++++ b/target/arm/internals.h
+@@ -XXX,XX +XXX,XX @@ typedef struct ARMVAParameters {
+     bool hpd        : 1;
+     bool using16k   : 1;
+     bool using64k   : 1;
++    bool tsz_oob    : 1;  /* tsz has been clamped to legal range */
+ } ARMVAParameters;
+ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
+                                    ARMMMUIdx mmu_idx, bool data)
+ {
+     uint64_t tcr = regime_tcr(env, mmu_idx)->raw_tcr;
+-    bool epd, hpd, using16k, using64k;
+-    int select, tsz, tbi, max_tsz;
++    bool epd, hpd, using16k, using64k, tsz_oob;
++    int select, tsz, tbi, max_tsz, min_tsz;
+     if (!regime_has_2_ranges(mmu_idx)) {
+         select = 0;
+@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
+     } else {
+         max_tsz = 39;
+     }
++    min_tsz = 16;  /* TODO: ARMv8.2-LVA  */
+-    tsz = MIN(tsz, max_tsz);
+-    tsz = MAX(tsz, 16);  /* TODO: ARMv8.2-LVA  */
++    if (tsz > max_tsz) {
++        tsz = max_tsz;
++        tsz_oob = true;
++    } else if (tsz < min_tsz) {
++        tsz = min_tsz;
++        tsz_oob = true;
++    } else {
++        tsz_oob = false;
++    }
+     /* Present TBI as a composite with TBID.  */
+     tbi = aa64_va_parameter_tbi(tcr, mmu_idx);
+@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
+         .hpd = hpd,
+         .using16k = using16k,
+         .using64k = using64k,
++        .tsz_oob = tsz_oob,
+     };
+ }
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
+         param = aa64_va_parameters(env, address, mmu_idx,
+                                    access_type != MMU_INST_FETCH);
+         level = 0;
++
++        /*
++         * If TxSZ is programmed to a value larger than the maximum,
++         * or smaller than the effective minimum, it is IMPLEMENTATION
++         * DEFINED whether we behave as if the field were programmed
++         * within bounds, or if a level 0 Translation fault is generated.
++         *
++         * With FEAT_LVA, fault on less than minimum becomes required,
++         * so our choice is to always raise the fault.
++         */
++        if (param.tsz_oob) {
++            fault_type = ARMFault_Translation;
++            goto do_fault;
++        }
++
+         addrsize = 64 - 8 * param.tbi;
+         inputsize = 64 - param.tsz;
+     } else {
+--
+.25.1

-[Qemu-devel] [PULL 10/16] target/arm: Implement FP data-processing (3 source) for fp16
+[PULL 11/26] target/arm: Move arm_pamax out of line
 From: Richard Henderson <richard.henderson@linaro.org>
-We missed all of the scalar fp16 fma operations.
+We will shortly share parts of this function with other portions
 of address translation.
-Cc: qemu-stable@nongnu.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Tested-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20220301215958.157011-5-richard.henderson@linaro.org
 Message-id: 20180512003217.9105-8-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.c | 48 ++++++++++++++++++++++++++++++++++++++
+ target/arm/internals.h | 19 +------------------
-file changed, 48 insertions(+)
+ target/arm/helper.c    | 22 ++++++++++++++++++++++
 files changed, 23 insertions(+), 18 deletions(-)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+diff --git a/target/arm/internals.h b/target/arm/internals.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
+--- a/target/arm/internals.h
-+++ b/target/arm/translate-a64.c
++++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ static void handle_fp_3src_double(DisasContext *s, bool o0, bool o1,
+@@ -XXX,XX +XXX,XX @@ static inline void update_spsel(CPUARMState *env, uint32_t imm)
-     tcg_temp_free_i64(tcg_res);
+  * Returns the implementation defined bit-width of physical addresses.
   * The ARMv8 reference manuals refer to this as PAMax().
   */
 -static inline unsigned int arm_pamax(ARMCPU *cpu)
 -{
 -    static const unsigned int pamax_map[] = {
 -        [0] = 32,
 -        [1] = 36,
 -        [2] = 40,
 -        [3] = 42,
 -        [4] = 44,
 -        [5] = 48,
 -    };
 -    unsigned int parange =
 -        FIELD_EX64(cpu->isar.id_aa64mmfr0, ID_AA64MMFR0, PARANGE);
 -
 -    /* id_aa64mmfr0 is a read-only register so values outside of the
 -     * supported mappings can be considered an implementation error.  */
 -    assert(parange < ARRAY_SIZE(pamax_map));
 -    return pamax_map[parange];
 -}
 +unsigned int arm_pamax(ARMCPU *cpu);
  /* Return true if extended addresses are enabled.
   * This is always the case if our translation regime is 64 bit,
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint8_t convert_stage2_attrs(CPUARMState *env, uint8_t s2attrs)
  }
+ #endif /* !CONFIG_USER_ONLY */
-+/* Floating-point data-processing (3 source) - half precision */
-+static void handle_fp_3src_half(DisasContext *s, bool o0, bool o1,
++/* The cpu-specific constant value of PAMax; also used by hw/arm/virt. */
-+                                int rd, int rn, int rm, int ra)
++unsigned int arm_pamax(ARMCPU *cpu)
 +{
-+    TCGv_i32 tcg_op1, tcg_op2, tcg_op3;
++    static const unsigned int pamax_map[] = {
-+    TCGv_i32 tcg_res = tcg_temp_new_i32();
++        [0] = 32,
-+    TCGv_ptr fpst = get_fpstatus_ptr(true);
++        [1] = 36,
 +        [2] = 40,
 +        [3] = 42,
 +        [4] = 44,
 +        [5] = 48,
 +    };
 +    unsigned int parange =
 +        FIELD_EX64(cpu->isar.id_aa64mmfr0, ID_AA64MMFR0, PARANGE);
 +
-+    tcg_op1 = read_fp_hreg(s, rn);
++    /*
-+    tcg_op2 = read_fp_hreg(s, rm);
++     * id_aa64mmfr0 is a read-only register so values outside of the
-+    tcg_op3 = read_fp_hreg(s, ra);
++     * supported mappings can be considered an implementation error.
 +
 +    /* These are fused multiply-add, and must be done as one
 +     * floating point operation with no rounding between the
 +     * multiplication and addition steps.
 +     * NB that doing the negations here as separate steps is
 +     * correct : an input NaN should come out with its sign bit
 +     * flipped if it is a negated-input.
 +     */
-+    if (o1 == true) {
++    assert(parange < ARRAY_SIZE(pamax_map));
-+        tcg_gen_xori_i32(tcg_op3, tcg_op3, 0x8000);
++    return pamax_map[parange];
 +    }
 +
 +    if (o0 != o1) {
 +        tcg_gen_xori_i32(tcg_op1, tcg_op1, 0x8000);
 +    }
 +
 +    gen_helper_advsimd_muladdh(tcg_res, tcg_op1, tcg_op2, tcg_op3, fpst);
 +
 +    write_fp_sreg(s, rd, tcg_res);
 +
 +    tcg_temp_free_ptr(fpst);
 +    tcg_temp_free_i32(tcg_op1);
 +    tcg_temp_free_i32(tcg_op2);
 +    tcg_temp_free_i32(tcg_op3);
 +    tcg_temp_free_i32(tcg_res);
 +}
 +
- /* Floating point data-processing (3 source)
+ static int aa64_va_parameter_tbi(uint64_t tcr, ARMMMUIdx mmu_idx)
-  *   31  30  29 28       24 23  22  21  20  16  15  14  10 9    5 4    0
+ {
-  * +---+---+---+-----------+------+----+------+----+------+------+------+
+     if (regime_has_2_ranges(mmu_idx)) {
@@ -XXX,XX +XXX,XX @@ static void disas_fp_3src(DisasContext *s, uint32_t insn)
          }
          handle_fp_3src_double(s, o0, o1, rd, rn, rm, ra);
          break;
 +    case 3:
 +        if (!arm_dc_feature(s, ARM_FEATURE_V8_FP16)) {
 +            unallocated_encoding(s);
 +            return;
 +        }
 +        if (!fp_access_check(s)) {
 +            return;
 +        }
 +        handle_fp_3src_half(s, o0, o1, rd, rn, rm, ra);
 +        break;
      default:
          unallocated_encoding(s);
      }
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 08/16] target/arm: Introduce and use read_fp_hreg
+[PULL 12/26] target/arm: Pass outputsize down to check_s2_mmu_setup
 From: Richard Henderson <richard.henderson@linaro.org>
-Cc: qemu-stable@nongnu.org
+Pass down the width of the output address from translation.
 For now this is still just PAMax, but a subsequent patch will
 compute the correct value from TCR_ELx.{I}PS.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Tested-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20220301215958.157011-6-richard.henderson@linaro.org
 Message-id: 20180512003217.9105-6-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.c | 30 ++++++++++++++----------------
+ target/arm/helper.c | 21 ++++++++++-----------
-file changed, 14 insertions(+), 16 deletions(-)
+file changed, 10 insertions(+), 11 deletions(-)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
+--- a/target/arm/helper.c
-+++ b/target/arm/translate-a64.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static TCGv_i32 read_fp_sreg(DisasContext *s, int reg)
+@@ -XXX,XX +XXX,XX @@ do_fault:
-     return v;
+  * false otherwise.
  }
 +static TCGv_i32 read_fp_hreg(DisasContext *s, int reg)
 +{
 +    TCGv_i32 v = tcg_temp_new_i32();
 +
 +    tcg_gen_ld16u_i32(v, cpu_env, fp_reg_offset(s, reg, MO_16));
 +    return v;
 +}
 +
  /* Clear the bits above an N-bit vector, for N = (is_q ? 128 : 64).
   * If SVE is not enabled, then there are only 128 bits in the vector.
   */
-@@ -XXX,XX +XXX,XX @@ static void disas_fp_csel(DisasContext *s, uint32_t insn)
+ static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
- static void handle_fp_1src_half(DisasContext *s, int opcode, int rd, int rn)
+-                               int inputsize, int stride)
 +                               int inputsize, int stride, int outputsize)
  {
-     TCGv_ptr fpst = NULL;
+     const int grainsize = stride + 3;
--    TCGv_i32 tcg_op = tcg_temp_new_i32();
+     int startsizecheck;
-+    TCGv_i32 tcg_op = read_fp_hreg(s, rn);
+@@ -XXX,XX +XXX,XX @@ static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
-     TCGv_i32 tcg_res = tcg_temp_new_i32();
+     }
--    read_vec_element_i32(s, tcg_op, rn, 0, MO_16);
+     if (is_aa64) {
 -        CPUARMState *env = &cpu->env;
 -        unsigned int pamax = arm_pamax(cpu);
 -
-     switch (opcode) {
+         switch (stride) {
-     case 0x0: /* FMOV */
+         case 13: /* 64KB Pages.  */
-         tcg_gen_mov_i32(tcg_res, tcg_op);
+-            if (level == 0 || (level == 1 && pamax <= 42)) {
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_scalar_three_reg_diff(DisasContext *s, uint32_t insn)
++            if (level == 0 || (level == 1 && outputsize <= 42)) {
-         tcg_temp_free_i64(tcg_op2);
+                 return false;
-         tcg_temp_free_i64(tcg_res);
+             }
              break;
          case 11: /* 16KB Pages.  */
 -            if (level == 0 || (level == 1 && pamax <= 40)) {
 +            if (level == 0 || (level == 1 && outputsize <= 40)) {
                  return false;
              }
              break;
          case 9: /* 4KB Pages.  */
 -            if (level == 0 && pamax <= 42) {
 +            if (level == 0 && outputsize <= 42) {
                  return false;
              }
              break;
@@ -XXX,XX +XXX,XX @@ static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
          }
          /* Inputsize checks.  */
 -        if (inputsize > pamax &&
 -            (arm_el_is_aa64(env, 1) || inputsize > 40)) {
 +        if (inputsize > outputsize &&
 +            (arm_el_is_aa64(&cpu->env, 1) || inputsize > 40)) {
              /* This is CONSTRAINED UNPREDICTABLE and we choose to fault.  */
              return false;
          }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
      target_ulong page_size;
      uint32_t attrs;
      int32_t stride;
 -    int addrsize, inputsize;
 +    int addrsize, inputsize, outputsize;
      TCR *tcr = regime_tcr(env, mmu_idx);
      int ap, ns, xn, pxn;
      uint32_t el = regime_el(env, mmu_idx);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
          addrsize = 64 - 8 * param.tbi;
          inputsize = 64 - param.tsz;
 +        outputsize = arm_pamax(cpu);
      } else {
--        TCGv_i32 tcg_op1 = tcg_temp_new_i32();
+         param = aa32_va_parameters(env, address, mmu_idx);
--        TCGv_i32 tcg_op2 = tcg_temp_new_i32();
+         level = 1;
-+        TCGv_i32 tcg_op1 = read_fp_hreg(s, rn);
+         addrsize = (mmu_idx == ARMMMUIdx_Stage2 ? 40 : 32);
-+        TCGv_i32 tcg_op2 = read_fp_hreg(s, rm);
+         inputsize = addrsize - param.tsz;
-         TCGv_i64 tcg_res = tcg_temp_new_i64();
++        outputsize = 40;
 -        read_vec_element_i32(s, tcg_op1, rn, 0, MO_16);
 -        read_vec_element_i32(s, tcg_op2, rm, 0, MO_16);
 -
          gen_helper_neon_mull_s16(tcg_res, tcg_op1, tcg_op2);
          gen_helper_neon_addl_saturate_s32(tcg_res, cpu_env, tcg_res, tcg_res);
@@ -XXX,XX +XXX,XX @@ static void disas_simd_scalar_three_reg_same_fp16(DisasContext *s,
      fpst = get_fpstatus_ptr(true);
 -    tcg_op1 = tcg_temp_new_i32();
 -    tcg_op2 = tcg_temp_new_i32();
 +    tcg_op1 = read_fp_hreg(s, rn);
 +    tcg_op2 = read_fp_hreg(s, rm);
      tcg_res = tcg_temp_new_i32();
 -    read_vec_element_i32(s, tcg_op1, rn, 0, MO_16);
 -    read_vec_element_i32(s, tcg_op2, rm, 0, MO_16);
 -
      switch (fpopcode) {
      case 0x03: /* FMULX */
          gen_helper_advsimd_mulxh(tcg_res, tcg_op1, tcg_op2, fpst);
@@ -XXX,XX +XXX,XX @@ static void disas_simd_two_reg_misc_fp16(DisasContext *s, uint32_t insn)
      }
-     if (is_scalar) {
+     /*
--        TCGv_i32 tcg_op = tcg_temp_new_i32();
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
-+        TCGv_i32 tcg_op = read_fp_hreg(s, rn);
-         TCGv_i32 tcg_res = tcg_temp_new_i32();
+         /* Check that the starting level is valid. */
+         ok = check_s2_mmu_setup(cpu, aarch64, startlevel,
--        read_vec_element_i32(s, tcg_op, rn, 0, MO_16);
+-                                inputsize, stride);
--
++                                inputsize, stride, outputsize);
-         switch (fpop) {
+         if (!ok) {
-         case 0x1a: /* FCVTNS */
+             fault_type = ARMFault_Translation;
-         case 0x1b: /* FCVTMS */
+             goto do_fault;
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 02/16] fpu/softfloat: Don't set Invalid for float-to-int(MAXINT)
+[PULL 13/26] target/arm: Use MAKE_64BIT_MASK to compute indexmask
-In float-to-integer conversion, if the floating point input
+From: Richard Henderson <richard.henderson@linaro.org>
 converts exactly to the largest or smallest integer that
 fits in to the result type, this is not an overflow.
 In this situation we were producing the correct result value,
 but were incorrectly setting the Invalid flag.
 For example for Arm A64, "FCVTAS w0, d0" on an input of
 x41dfffffffc00000 should produce 0x7fffffff and set no flags.
-Fix the boundary case to take the right half of the if()
+The macro is a bit more readable than the inlined computation.
 statements.
-This fixes a regression from 2.11 introduced by the softfloat
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-refactoring.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220301215958.157011-7-richard.henderson@linaro.org
 Cc: qemu-stable@nongnu.org
 Fixes: ab52f973a50
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180510140141.12120-1-peter.maydell@linaro.org
 ---
- fpu/softfloat.c | 4 ++--
+ target/arm/helper.c | 4 ++--
 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/fpu/softfloat.c b/fpu/softfloat.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/fpu/softfloat.c
+--- a/target/arm/helper.c
-+++ b/fpu/softfloat.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static int64_t round_to_int_and_pack(FloatParts in, int rmode,
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
-             r = UINT64_MAX;
+         level = startlevel;
-         }
+     }
-         if (p.sign) {
--            if (r < -(uint64_t) min) {
+-    indexmask_grainsize = (1ULL << (stride + 3)) - 1;
-+            if (r <= -(uint64_t) min) {
+-    indexmask = (1ULL << (inputsize - (stride * (4 - level)))) - 1;
-                 return -r;
++    indexmask_grainsize = MAKE_64BIT_MASK(0, stride + 3);
-             } else {
++    indexmask = MAKE_64BIT_MASK(0, inputsize - (stride * (4 - level)));
-                 s->float_exception_flags = orig_flags | float_flag_invalid;
-                 return min;
+     /* Now we can extract the actual base address from the TTBR */
-             }
+     descaddr = extract64(ttbr, 0, 48);
          } else {
 -            if (r < max) {
 +            if (r <= max) {
                  return r;
              } else {
                  s->float_exception_flags = orig_flags | float_flag_invalid;
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 07/16] target/arm: Implement FCVT (scalar, fixed-point) for fp16
+[PULL 14/26] target/arm: Honor TCR_ELx.{I}PS
 From: Richard Henderson <richard.henderson@linaro.org>
-Cc: qemu-stable@nongnu.org
+This field controls the output (intermediate) physical address size
 of the translation process.  V8 requires to raise an AddressSize
 fault if the page tables are programmed incorrectly, such that any
 intermediate descriptor address, or the final translated address,
 is out of range.
 Add a PS field to ARMVAParameters, and properly compute outputsize
 in get_phys_addr_lpae.  Test the descaddr as extracted from TTBR
 and from page table entries.
 Restrict descaddrmask so that we won't raise the fault for v7.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Tested-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20220301215958.157011-8-richard.henderson@linaro.org
 Message-id: 20180512003217.9105-5-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.c | 17 +++++++++++++++--
+ target/arm/internals.h |  1 +
-file changed, 15 insertions(+), 2 deletions(-)
+ target/arm/helper.c    | 72 ++++++++++++++++++++++++++++++++----------
 files changed, 57 insertions(+), 16 deletions(-)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+diff --git a/target/arm/internals.h b/target/arm/internals.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
+--- a/target/arm/internals.h
-+++ b/target/arm/translate-a64.c
++++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ static void disas_fp_fixed_conv(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ static inline uint32_t aarch64_pstate_valid_mask(const ARMISARegisters *id)
-     bool sf = extract32(insn, 31, 1);
+  */
-     bool itof;
+ typedef struct ARMVAParameters {
+     unsigned tsz    : 8;
--    if (sbit || (type > 1)
++    unsigned ps     : 3;
--        || (!sf && scale < 32)) {
+     unsigned select : 1;
-+    if (sbit || (!sf && scale < 32)) {
+     bool tbi        : 1;
-+        unallocated_encoding(s);
+     bool epd        : 1;
-+        return;
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint8_t convert_stage2_attrs(CPUARMState *env, uint8_t s2attrs)
  }
  #endif /* !CONFIG_USER_ONLY */
 +/* This mapping is common between ID_AA64MMFR0.PARANGE and TCR_ELx.{I}PS. */
 +static const uint8_t pamax_map[] = {
 +    [0] = 32,
 +    [1] = 36,
 +    [2] = 40,
 +    [3] = 42,
 +    [4] = 44,
 +    [5] = 48,
 +};
 +
  /* The cpu-specific constant value of PAMax; also used by hw/arm/virt. */
  unsigned int arm_pamax(ARMCPU *cpu)
  {
 -    static const unsigned int pamax_map[] = {
 -        [0] = 32,
 -        [1] = 36,
 -        [2] = 40,
 -        [3] = 42,
 -        [4] = 44,
 -        [5] = 48,
 -    };
      unsigned int parange =
          FIELD_EX64(cpu->isar.id_aa64mmfr0, ID_AA64MMFR0, PARANGE);
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
  {
      uint64_t tcr = regime_tcr(env, mmu_idx)->raw_tcr;
      bool epd, hpd, using16k, using64k, tsz_oob;
 -    int select, tsz, tbi, max_tsz, min_tsz;
 +    int select, tsz, tbi, max_tsz, min_tsz, ps;
      if (!regime_has_2_ranges(mmu_idx)) {
          select = 0;
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
              hpd = extract32(tcr, 24, 1);
          }
          epd = false;
 +        ps = extract32(tcr, 16, 3);
      } else {
          /*
           * Bit 55 is always between the two regions, and is canonical for
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
              epd = extract32(tcr, 23, 1);
              hpd = extract64(tcr, 42, 1);
          }
 +        ps = extract64(tcr, 32, 3);
      }
      if (cpu_isar_feature(aa64_st, env_archcpu(env))) {
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
      return (ARMVAParameters) {
          .tsz = tsz,
 +        .ps = ps,
          .select = select,
          .tbi = tbi,
          .epd = epd,
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
      /* TODO: This code does not support shareability levels. */
      if (aarch64) {
 +        int ps;
 +
          param = aa64_va_parameters(env, address, mmu_idx,
                                     access_type != MMU_INST_FETCH);
          level = 0;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
          addrsize = 64 - 8 * param.tbi;
          inputsize = 64 - param.tsz;
 -        outputsize = arm_pamax(cpu);
 +
 +        /*
 +         * Bound PS by PARANGE to find the effective output address size.
 +         * ID_AA64MMFR0 is a read-only register so values outside of the
 +         * supported mappings can be considered an implementation error.
 +         */
 +        ps = FIELD_EX64(cpu->isar.id_aa64mmfr0, ID_AA64MMFR0, PARANGE);
 +        ps = MIN(ps, param.ps);
 +        assert(ps < ARRAY_SIZE(pamax_map));
 +        outputsize = pamax_map[ps];
      } else {
          param = aa32_va_parameters(env, address, mmu_idx);
          level = 1;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
      /* Now we can extract the actual base address from the TTBR */
      descaddr = extract64(ttbr, 0, 48);
 +
 +    /*
 +     * If the base address is out of range, raise AddressSizeFault.
 +     * In the pseudocode, this is !IsZero(baseregister<47:outputsize>),
 +     * but we've just cleared the bits above 47, so simplify the test.
 +     */
 +    if (descaddr >> outputsize) {
 +        level = 0;
 +        fault_type = ARMFault_AddressSize;
 +        goto do_fault;
 +    }
 +
-+    switch (type) {
+     /*
-+    case 0: /* float32 */
+      * We rely on this masking to clear the RES0 bits at the bottom of the TTBR
-+    case 1: /* float64 */
+      * and also to mask out CnP (bit 0) which could validly be non-zero.
-+        break;
+      */
-+    case 3: /* float16 */
+     descaddr &= ~indexmask;
-+        if (arm_dc_feature(s, ARM_FEATURE_V8_FP16)) {
-+            break;
+-    /* The address field in the descriptor goes up to bit 39 for ARMv7
 -     * but up to bit 47 for ARMv8, but we use the descaddrmask
 -     * up to bit 39 for AArch32, because we don't need other bits in that case
 -     * to construct next descriptor address (anyway they should be all zeroes).
 +    /*
 +     * For AArch32, the address field in the descriptor goes up to bit 39
 +     * for both v7 and v8.  However, for v8 the SBZ bits [47:40] must be 0
 +     * or an AddressSize fault is raised.  So for v8 we extract those SBZ
 +     * bits as part of the address, which will be checked via outputsize.
 +     * For AArch64, the address field always goes up to bit 47 (with extra
 +     * bits for FEAT_LPA placed elsewhere).  AArch64 implies v8.
       */
 -    descaddrmask = ((1ull << (aarch64 ? 48 : 40)) - 1) &
 -                   ~indexmask_grainsize;
 +    if (arm_feature(env, ARM_FEATURE_V8)) {
 +        descaddrmask = MAKE_64BIT_MASK(0, 48);
 +    } else {
 +        descaddrmask = MAKE_64BIT_MASK(0, 40);
 +    }
 +    descaddrmask &= ~indexmask_grainsize;
      /* Secure accesses start with the page table in secure memory and
       * can be downgraded to non-secure at any step. Non-secure accesses
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
              /* Invalid, or the Reserved level 3 encoding */
              goto do_fault;
          }
 +
          descaddr = descriptor & descaddrmask;
 +        if (descaddr >> outputsize) {
 +            fault_type = ARMFault_AddressSize;
 +            goto do_fault;
 +        }
-+        /* fallthru */
-+    default:
+         if ((descriptor & 2) && (level < 3)) {
-         unallocated_encoding(s);
+             /* Table entry. The top five bits are attributes which may
          return;
      }
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 06/16] target/arm: Implement FCVT (scalar, integer) for fp16
+[PULL 15/26] target/arm: Prepare DBGBVR and DBGWVR for FEAT_LVA
 From: Richard Henderson <richard.henderson@linaro.org>
-Cc: qemu-stable@nongnu.org
+The original A.a revision of the AArch64 ARM required that we
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+force-extend the addresses in these registers from 49 bits.
 This language has been loosened via a combination of IMPLEMENTATION
 DEFINED and CONSTRAINTED UNPREDICTABLE to allow consideration of
 the entire aligned address.
 This means that we do not have to consider whether or not FEAT_LVA
 is enabled, and decide from which bit an address might need to be
 extended.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Tested-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20220301215958.157011-9-richard.henderson@linaro.org
 Message-id: 20180512003217.9105-4-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.h        |  6 +++
+ target/arm/helper.c | 32 ++++++++++++++++++++++++--------
- target/arm/helper.c        | 38 ++++++++++++++-
+file changed, 24 insertions(+), 8 deletions(-)
  target/arm/translate-a64.c | 96 +++++++++++++++++++++++++++++++-------
 files changed, 122 insertions(+), 18 deletions(-)
-diff --git a/target/arm/helper.h b/target/arm/helper.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.h
-+++ b/target/arm/helper.h
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_3(vfp_touhd_round_to_zero, i64, f64, i32, ptr)
- DEF_HELPER_3(vfp_tould_round_to_zero, i64, f64, i32, ptr)
- DEF_HELPER_3(vfp_touhh, i32, f16, i32, ptr)
- DEF_HELPER_3(vfp_toshh, i32, f16, i32, ptr)
-+DEF_HELPER_3(vfp_toulh, i32, f16, i32, ptr)
-+DEF_HELPER_3(vfp_toslh, i32, f16, i32, ptr)
-+DEF_HELPER_3(vfp_touqh, i64, f16, i32, ptr)
-+DEF_HELPER_3(vfp_tosqh, i64, f16, i32, ptr)
- DEF_HELPER_3(vfp_toshs, i32, f32, i32, ptr)
- DEF_HELPER_3(vfp_tosls, i32, f32, i32, ptr)
- DEF_HELPER_3(vfp_tosqs, i64, f32, i32, ptr)
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_3(vfp_ultod, f64, i64, i32, ptr)
- DEF_HELPER_3(vfp_uqtod, f64, i64, i32, ptr)
- DEF_HELPER_3(vfp_sltoh, f16, i32, i32, ptr)
- DEF_HELPER_3(vfp_ultoh, f16, i32, i32, ptr)
-+DEF_HELPER_3(vfp_sqtoh, f16, i64, i32, ptr)
-+DEF_HELPER_3(vfp_uqtoh, f16, i64, i32, ptr)
- DEF_HELPER_FLAGS_2(set_rmode, TCG_CALL_NO_RWG, i32, i32, ptr)
- DEF_HELPER_FLAGS_2(set_neon_rmode, TCG_CALL_NO_RWG, i32, i32, env)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ VFP_CONV_FIX_A64(uq, s, 32, 64, uint64)
+@@ -XXX,XX +XXX,XX @@ static void dbgwvr_write(CPUARMState *env, const ARMCPRegInfo *ri,
- #undef VFP_CONV_FIX_A64
+     ARMCPU *cpu = env_archcpu(env);
+     int i = ri->crm;
- /* Conversion to/from f16 can overflow to infinity before/after scaling.
-- * Therefore we convert to f64 (which does not round), scale,
+-    /* Bits [63:49] are hardwired to the value of bit [48]; that is, the
-- * and then convert f64 to f16 (which may round).
+-     * register reads and behaves as if values written are sign extended.
-+ * Therefore we convert to f64, scale, and then convert f64 to f16; or
++    /*
-+ * vice versa for conversion to integer.
+      * Bits [1:0] are RES0.
-+ *
++     *
-+ * For 16- and 32-bit integers, the conversion to f64 never rounds.
++     * It is IMPLEMENTATION DEFINED whether [63:49] ([63:53] with FEAT_LVA)
-+ * For 64-bit integers, any integer that would cause rounding will also
++     * are hardwired to the value of bit [48] ([52] with FEAT_LVA), or if
-+ * overflow to f16 infinity, so there is no double rounding problem.
++     * they contain the value written.  It is CONSTRAINED UNPREDICTABLE
-  */
++     * whether the RESS bits are ignored when comparing an address.
++     *
- static float16 do_postscale_fp16(float64 f, int shift, float_status *fpst)
++     * Therefore we are allowed to compare the entire register, which lets
-@@ -XXX,XX +XXX,XX @@ float16 HELPER(vfp_ultoh)(uint32_t x, uint32_t shift, void *fpst)
++     * us avoid considering whether or not FEAT_LVA is actually enabled.
-     return do_postscale_fp16(uint32_to_float64(x, fpst), shift, fpst);
+      */
- }
+-    value = sextract64(value, 0, 49) & ~3ULL;
++    value &= ~3ULL;
-+float16 HELPER(vfp_sqtoh)(uint64_t x, uint32_t shift, void *fpst)
-+{
+     raw_write(env, ri, value);
-+    return do_postscale_fp16(int64_to_float64(x, fpst), shift, fpst);
+     hw_watchpoint_update(cpu, i);
-+}
+@@ -XXX,XX +XXX,XX @@ void hw_breakpoint_update(ARMCPU *cpu, int n)
-+
+     case 0: /* unlinked address match */
-+float16 HELPER(vfp_uqtoh)(uint64_t x, uint32_t shift, void *fpst)
+     case 1: /* linked address match */
-+{
+     {
-+    return do_postscale_fp16(uint64_to_float64(x, fpst), shift, fpst);
+-        /* Bits [63:49] are hardwired to the value of bit [48]; that is,
-+}
+-         * we behave as if the register was sign extended. Bits [1:0] are
-+
+-         * RES0. The BAS field is used to allow setting breakpoints on 16
- static float64 do_prescale_fp16(float16 f, int shift, float_status *fpst)
+-         * bit wide instructions; it is CONSTRAINED UNPREDICTABLE whether
- {
++        /*
-     if (unlikely(float16_is_any_nan(f))) {
++         * Bits [1:0] are RES0.
-@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(vfp_touhh)(float16 x, uint32_t shift, void *fpst)
++         *
-     return float64_to_uint16(do_prescale_fp16(x, shift, fpst), fpst);
++         * It is IMPLEMENTATION DEFINED whether bits [63:49]
- }
++         * ([63:53] for FEAT_LVA) are hardwired to a copy of the sign bit
++         * of the VA field ([48] or [52] for FEAT_LVA), or whether the
-+uint32_t HELPER(vfp_toslh)(float16 x, uint32_t shift, void *fpst)
++         * value is read as written.  It is CONSTRAINED UNPREDICTABLE
-+{
++         * whether the RESS bits are ignored when comparing an address.
-+    return float64_to_int32(do_prescale_fp16(x, shift, fpst), fpst);
++         * Therefore we are allowed to compare the entire register, which
-+}
++         * lets us avoid considering whether FEAT_LVA is actually enabled.
-+
++         *
-+uint32_t HELPER(vfp_toulh)(float16 x, uint32_t shift, void *fpst)
++         * The BAS field is used to allow setting breakpoints on 16-bit
-+{
++         * wide instructions; it is CONSTRAINED UNPREDICTABLE whether
-+    return float64_to_uint32(do_prescale_fp16(x, shift, fpst), fpst);
+          * a bp will fire if the addresses covered by the bp and the addresses
-+}
+          * covered by the insn overlap but the insn doesn't start at the
-+
+          * start of the bp address range. We choose to require the insn and
-+uint64_t HELPER(vfp_tosqh)(float16 x, uint32_t shift, void *fpst)
+@@ -XXX,XX +XXX,XX @@ void hw_breakpoint_update(ARMCPU *cpu, int n)
-+{
+          * See also figure D2-3 in the v8 ARM ARM (DDI0487A.c).
-+    return float64_to_int64(do_prescale_fp16(x, shift, fpst), fpst);
+          */
-+}
+         int bas = extract64(bcr, 5, 4);
-+
+-        addr = sextract64(bvr, 0, 49) & ~3ULL;
-+uint64_t HELPER(vfp_touqh)(float16 x, uint32_t shift, void *fpst)
++        addr = bvr & ~3ULL;
-+{
+         if (bas == 0) {
 +    return float64_to_uint64(do_prescale_fp16(x, shift, fpst), fpst);
 +}
 +
  /* Set the current fp rounding mode and return the old one.
   * The argument is a softfloat float_round_ value.
   */
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_fpfpcvt(DisasContext *s, int rd, int rn, int opcode,
                             bool itof, int rmode, int scale, int sf, int type)
  {
      bool is_signed = !(opcode & 1);
 -    bool is_double = type;
      TCGv_ptr tcg_fpstatus;
 -    TCGv_i32 tcg_shift;
 +    TCGv_i32 tcg_shift, tcg_single;
 +    TCGv_i64 tcg_double;
 -    tcg_fpstatus = get_fpstatus_ptr(false);
 +    tcg_fpstatus = get_fpstatus_ptr(type == 3);
      tcg_shift = tcg_const_i32(64 - scale);
@@ -XXX,XX +XXX,XX @@ static void handle_fpfpcvt(DisasContext *s, int rd, int rn, int opcode,
              tcg_int = tcg_extend;
          }
 -        if (is_double) {
 -            TCGv_i64 tcg_double = tcg_temp_new_i64();
 +        switch (type) {
 +        case 1: /* float64 */
 +            tcg_double = tcg_temp_new_i64();
              if (is_signed) {
                  gen_helper_vfp_sqtod(tcg_double, tcg_int,
                                       tcg_shift, tcg_fpstatus);
@@ -XXX,XX +XXX,XX @@ static void handle_fpfpcvt(DisasContext *s, int rd, int rn, int opcode,
              }
              write_fp_dreg(s, rd, tcg_double);
              tcg_temp_free_i64(tcg_double);
 -        } else {
 -            TCGv_i32 tcg_single = tcg_temp_new_i32();
 +            break;
 +
 +        case 0: /* float32 */
 +            tcg_single = tcg_temp_new_i32();
              if (is_signed) {
                  gen_helper_vfp_sqtos(tcg_single, tcg_int,
                                       tcg_shift, tcg_fpstatus);
@@ -XXX,XX +XXX,XX @@ static void handle_fpfpcvt(DisasContext *s, int rd, int rn, int opcode,
              }
              write_fp_sreg(s, rd, tcg_single);
              tcg_temp_free_i32(tcg_single);
 +            break;
 +
 +        case 3: /* float16 */
 +            tcg_single = tcg_temp_new_i32();
 +            if (is_signed) {
 +                gen_helper_vfp_sqtoh(tcg_single, tcg_int,
 +                                     tcg_shift, tcg_fpstatus);
 +            } else {
 +                gen_helper_vfp_uqtoh(tcg_single, tcg_int,
 +                                     tcg_shift, tcg_fpstatus);
 +            }
 +            write_fp_sreg(s, rd, tcg_single);
 +            tcg_temp_free_i32(tcg_single);
 +            break;
 +
 +        default:
 +            g_assert_not_reached();
          }
      } else {
          TCGv_i64 tcg_int = cpu_reg(s, rd);
@@ -XXX,XX +XXX,XX @@ static void handle_fpfpcvt(DisasContext *s, int rd, int rn, int opcode,
          gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);
 -        if (is_double) {
 -            TCGv_i64 tcg_double = read_fp_dreg(s, rn);
 +        switch (type) {
 +        case 1: /* float64 */
 +            tcg_double = read_fp_dreg(s, rn);
              if (is_signed) {
                  if (!sf) {
                      gen_helper_vfp_tosld(tcg_int, tcg_double,
@@ -XXX,XX +XXX,XX @@ static void handle_fpfpcvt(DisasContext *s, int rd, int rn, int opcode,
                                           tcg_shift, tcg_fpstatus);
                  }
              }
 +            if (!sf) {
 +                tcg_gen_ext32u_i64(tcg_int, tcg_int);
 +            }
              tcg_temp_free_i64(tcg_double);
 -        } else {
 -            TCGv_i32 tcg_single = read_fp_sreg(s, rn);
 +            break;
 +
 +        case 0: /* float32 */
 +            tcg_single = read_fp_sreg(s, rn);
              if (sf) {
                  if (is_signed) {
                      gen_helper_vfp_tosqs(tcg_int, tcg_single,
@@ -XXX,XX +XXX,XX @@ static void handle_fpfpcvt(DisasContext *s, int rd, int rn, int opcode,
                  tcg_temp_free_i32(tcg_dest);
              }
              tcg_temp_free_i32(tcg_single);
 +            break;
 +
 +        case 3: /* float16 */
 +            tcg_single = read_fp_sreg(s, rn);
 +            if (sf) {
 +                if (is_signed) {
 +                    gen_helper_vfp_tosqh(tcg_int, tcg_single,
 +                                         tcg_shift, tcg_fpstatus);
 +                } else {
 +                    gen_helper_vfp_touqh(tcg_int, tcg_single,
 +                                         tcg_shift, tcg_fpstatus);
 +                }
 +            } else {
 +                TCGv_i32 tcg_dest = tcg_temp_new_i32();
 +                if (is_signed) {
 +                    gen_helper_vfp_toslh(tcg_dest, tcg_single,
 +                                         tcg_shift, tcg_fpstatus);
 +                } else {
 +                    gen_helper_vfp_toulh(tcg_dest, tcg_single,
 +                                         tcg_shift, tcg_fpstatus);
 +                }
 +                tcg_gen_extu_i32_i64(tcg_int, tcg_dest);
 +                tcg_temp_free_i32(tcg_dest);
 +            }
 +            tcg_temp_free_i32(tcg_single);
 +            break;
 +
 +        default:
 +            g_assert_not_reached();
          }
          gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);
          tcg_temp_free_i32(tcg_rmode);
 -
 -        if (!sf) {
 -            tcg_gen_ext32u_i64(tcg_int, tcg_int);
 -        }
      }
      tcg_temp_free_ptr(tcg_fpstatus);
@@ -XXX,XX +XXX,XX @@ static void disas_fp_int_conv(DisasContext *s, uint32_t insn)
          /* actual FP conversions */
          bool itof = extract32(opcode, 1, 1);
 -        if (type > 1 || (rmode != 0 && opcode > 1)) {
 +        if (rmode != 0 && opcode > 1) {
 +            unallocated_encoding(s);
 +            return;
 +        }
 +        switch (type) {
 +        case 0: /* float32 */
 +        case 1: /* float64 */
 +            break;
 +        case 3: /* float16 */
 +            if (arm_dc_feature(s, ARM_FEATURE_V8_FP16)) {
 +                break;
 +            }
 +            /* fallthru */
 +        default:
              unallocated_encoding(s);
              return;
          }
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 09/16] target/arm: Implement FP data-processing (2 source) for fp16
+[PULL 16/26] target/arm: Implement FEAT_LVA
 From: Richard Henderson <richard.henderson@linaro.org>
-We missed all of the scalar fp16 binary operations.
+This feature is relatively small, as it applies only to
 k pages and thus requires no additional changes to the
 table descriptor walking algorithm, only a change to the
 minimum TSZ (which is the inverse of the maximum virtual
 address space size).
-Cc: qemu-stable@nongnu.org
+Note that this feature widens VBAR_ELx, but we already
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+treat the register as being 64 bits wide.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Tested-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20220301215958.157011-10-richard.henderson@linaro.org
 Message-id: 20180512003217.9105-7-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.c | 65 ++++++++++++++++++++++++++++++++++++++
+ docs/system/arm/emulation.rst | 1 +
-file changed, 65 insertions(+)
+ target/arm/cpu-param.h        | 2 +-
  target/arm/cpu.h              | 5 +++++
  target/arm/cpu64.c            | 1 +
  target/arm/helper.c           | 9 ++++++++-
 files changed, 16 insertions(+), 2 deletions(-)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
+--- a/docs/system/arm/emulation.rst
-+++ b/target/arm/translate-a64.c
++++ b/docs/system/arm/emulation.rst
-@@ -XXX,XX +XXX,XX @@ static void handle_fp_2src_double(DisasContext *s, int opcode,
+@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
-     tcg_temp_free_i64(tcg_res);
+ - FEAT_LRCPC (Load-acquire RCpc instructions)
  - FEAT_LRCPC2 (Load-acquire RCpc instructions v2)
  - FEAT_LSE (Large System Extensions)
 +- FEAT_LVA (Large Virtual Address space)
  - FEAT_MTE (Memory Tagging Extension)
  - FEAT_MTE2 (Memory Tagging Extension)
  - FEAT_MTE3 (MTE Asymmetric Fault Handling)
 diff --git a/target/arm/cpu-param.h b/target/arm/cpu-param.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu-param.h
 +++ b/target/arm/cpu-param.h
@@ -XXX,XX +XXX,XX @@
  #ifdef TARGET_AARCH64
  # define TARGET_LONG_BITS             64
  # define TARGET_PHYS_ADDR_SPACE_BITS  48
 -# define TARGET_VIRT_ADDR_SPACE_BITS  48
 +# define TARGET_VIRT_ADDR_SPACE_BITS  52
  #else
  # define TARGET_LONG_BITS             32
  # define TARGET_PHYS_ADDR_SPACE_BITS  40
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_ccidx(const ARMISARegisters *id)
      return FIELD_EX64(id->id_aa64mmfr2, ID_AA64MMFR2, CCIDX) != 0;
  }
-+/* Floating-point data-processing (2 source) - half precision */
++static inline bool isar_feature_aa64_lva(const ARMISARegisters *id)
 +static void handle_fp_2src_half(DisasContext *s, int opcode,
 +                                int rd, int rn, int rm)
 +{
-+    TCGv_i32 tcg_op1;
++    return FIELD_EX64(id->id_aa64mmfr2, ID_AA64MMFR2, VARANGE) != 0;
 +    TCGv_i32 tcg_op2;
 +    TCGv_i32 tcg_res;
 +    TCGv_ptr fpst;
 +
 +    tcg_res = tcg_temp_new_i32();
 +    fpst = get_fpstatus_ptr(true);
 +    tcg_op1 = read_fp_hreg(s, rn);
 +    tcg_op2 = read_fp_hreg(s, rm);
 +
 +    switch (opcode) {
 +    case 0x0: /* FMUL */
 +        gen_helper_advsimd_mulh(tcg_res, tcg_op1, tcg_op2, fpst);
 +        break;
 +    case 0x1: /* FDIV */
 +        gen_helper_advsimd_divh(tcg_res, tcg_op1, tcg_op2, fpst);
 +        break;
 +    case 0x2: /* FADD */
 +        gen_helper_advsimd_addh(tcg_res, tcg_op1, tcg_op2, fpst);
 +        break;
 +    case 0x3: /* FSUB */
 +        gen_helper_advsimd_subh(tcg_res, tcg_op1, tcg_op2, fpst);
 +        break;
 +    case 0x4: /* FMAX */
 +        gen_helper_advsimd_maxh(tcg_res, tcg_op1, tcg_op2, fpst);
 +        break;
 +    case 0x5: /* FMIN */
 +        gen_helper_advsimd_minh(tcg_res, tcg_op1, tcg_op2, fpst);
 +        break;
 +    case 0x6: /* FMAXNM */
 +        gen_helper_advsimd_maxnumh(tcg_res, tcg_op1, tcg_op2, fpst);
 +        break;
 +    case 0x7: /* FMINNM */
 +        gen_helper_advsimd_minnumh(tcg_res, tcg_op1, tcg_op2, fpst);
 +        break;
 +    case 0x8: /* FNMUL */
 +        gen_helper_advsimd_mulh(tcg_res, tcg_op1, tcg_op2, fpst);
 +        tcg_gen_xori_i32(tcg_res, tcg_res, 0x8000);
 +        break;
 +    default:
 +        g_assert_not_reached();
 +    }
 +
 +    write_fp_sreg(s, rd, tcg_res);
 +
 +    tcg_temp_free_ptr(fpst);
 +    tcg_temp_free_i32(tcg_op1);
 +    tcg_temp_free_i32(tcg_op2);
 +    tcg_temp_free_i32(tcg_res);
 +}
 +
- /* Floating point data-processing (2 source)
+ static inline bool isar_feature_aa64_tts2uxn(const ARMISARegisters *id)
-  *   31  30  29 28       24 23  22  21 20  16 15    12 11 10 9    5 4    0
+ {
-  * +---+---+---+-----------+------+---+------+--------+-----+------+------+
+     return FIELD_EX64(id->id_aa64mmfr1, ID_AA64MMFR1, XNX) != 0;
-@@ -XXX,XX +XXX,XX @@ static void disas_fp_2src(DisasContext *s, uint32_t insn)
+diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
-         }
+index XXXXXXX..XXXXXXX 100644
-         handle_fp_2src_double(s, opcode, rd, rn, rm);
+--- a/target/arm/cpu64.c
-         break;
++++ b/target/arm/cpu64.c
-+    case 3:
+@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
-+        if (!arm_dc_feature(s, ARM_FEATURE_V8_FP16)) {
+     t = FIELD_DP64(t, ID_AA64MMFR2, UAO, 1);
-+            unallocated_encoding(s);
+     t = FIELD_DP64(t, ID_AA64MMFR2, CNP, 1); /* TTCNP */
-+            return;
+     t = FIELD_DP64(t, ID_AA64MMFR2, ST, 1); /* TTST */
 +    t = FIELD_DP64(t, ID_AA64MMFR2, VARANGE, 1); /* FEAT_LVA */
      cpu->isar.id_aa64mmfr2 = t;
      t = cpu->isar.id_aa64zfr0;
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
      } else {
          max_tsz = 39;
      }
 -    min_tsz = 16;  /* TODO: ARMv8.2-LVA  */
 +
 +    min_tsz = 16;
 +    if (using64k) {
 +        if (cpu_isar_feature(aa64_lva, env_archcpu(env))) {
 +            min_tsz = 12;
 +        }
-+        if (!fp_access_check(s)) {
++    }
-+            return;
++    /* TODO: FEAT_LPA2 */
-+        }
-+        handle_fp_2src_half(s, opcode, rd, rn, rm);
+     if (tsz > max_tsz) {
-+        break;
+         tsz = max_tsz;
      default:
          unallocated_encoding(s);
      }
 --
-.17.0
+.25.1

-New patch
+[PULL 17/26] target/arm: Implement FEAT_LPA
+From: Richard Henderson <richard.henderson@linaro.org>
+This feature widens physical addresses (and intermediate physical
+addresses for 2-stage translation) from 48 to 52 bits, when using
+k pages.  The only thing left at this point is to handle the
+extra bits in the TTBR and in the table descriptors.
+Note that PAR_EL1 and HPFAR_EL2 are nominally extended, but we don't
+mask out the high bits when writing to those registers, so no changes
+are required there.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220301215958.157011-11-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ docs/system/arm/emulation.rst |  1 +
+ target/arm/cpu-param.h        |  2 +-
+ target/arm/cpu64.c            |  2 +-
+ target/arm/helper.c           | 19 ++++++++++++++++---
+files changed, 19 insertions(+), 5 deletions(-)
+diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
+index XXXXXXX..XXXXXXX 100644
+--- a/docs/system/arm/emulation.rst
++++ b/docs/system/arm/emulation.rst
+@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
+ - FEAT_I8MM (AArch64 Int8 matrix multiplication instructions)
+ - FEAT_JSCVT (JavaScript conversion instructions)
+ - FEAT_LOR (Limited ordering regions)
++- FEAT_LPA (Large Physical Address space)
+ - FEAT_LRCPC (Load-acquire RCpc instructions)
+ - FEAT_LRCPC2 (Load-acquire RCpc instructions v2)
+ - FEAT_LSE (Large System Extensions)
+diff --git a/target/arm/cpu-param.h b/target/arm/cpu-param.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu-param.h
++++ b/target/arm/cpu-param.h
+@@ -XXX,XX +XXX,XX @@
+ #ifdef TARGET_AARCH64
+ # define TARGET_LONG_BITS             64
+-# define TARGET_PHYS_ADDR_SPACE_BITS  48
++# define TARGET_PHYS_ADDR_SPACE_BITS  52
+ # define TARGET_VIRT_ADDR_SPACE_BITS  52
+ #else
+ # define TARGET_LONG_BITS             32
+diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu64.c
++++ b/target/arm/cpu64.c
+@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
+     cpu->isar.id_aa64pfr1 = t;
+     t = cpu->isar.id_aa64mmfr0;
+-    t = FIELD_DP64(t, ID_AA64MMFR0, PARANGE, 5); /* PARange: 48 bits */
++    t = FIELD_DP64(t, ID_AA64MMFR0, PARANGE, 6); /* FEAT_LPA: 52 bits */
+     cpu->isar.id_aa64mmfr0 = t;
+     t = cpu->isar.id_aa64mmfr1;
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -XXX,XX +XXX,XX @@ static const uint8_t pamax_map[] = {
+     [3] = 42,
+     [4] = 44,
+     [5] = 48,
++    [6] = 52,
+ };
+ /* The cpu-specific constant value of PAMax; also used by hw/arm/virt. */
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
+     descaddr = extract64(ttbr, 0, 48);
+     /*
+-     * If the base address is out of range, raise AddressSizeFault.
++     * For FEAT_LPA and PS=6, bits [51:48] of descaddr are in [5:2] of TTBR.
++     *
++     * Otherwise, if the base address is out of range, raise AddressSizeFault.
+      * In the pseudocode, this is !IsZero(baseregister<47:outputsize>),
+      * but we've just cleared the bits above 47, so simplify the test.
+      */
+-    if (descaddr >> outputsize) {
++    if (outputsize > 48) {
++        descaddr |= extract64(ttbr, 2, 4) << 48;
++    } else if (descaddr >> outputsize) {
+         level = 0;
+         fault_type = ARMFault_AddressSize;
+         goto do_fault;
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
+         }
+         descaddr = descriptor & descaddrmask;
+-        if (descaddr >> outputsize) {
++
++        /*
++         * For FEAT_LPA and PS=6, bits [51:48] of descaddr are in [15:12]
++         * of descriptor.  Otherwise, if descaddr is out of range, raise
++         * AddressSizeFault.
++         */
++        if (outputsize > 48) {
++            descaddr |= extract64(descriptor, 12, 4) << 48;
++        } else if (descaddr >> outputsize) {
+             fault_type = ARMFault_AddressSize;
+             goto do_fault;
+         }
+--
+.25.1

-New patch
+[PULL 18/26] target/arm: Extend arm_fi_to_lfsc to level -1
+From: Richard Henderson <richard.henderson@linaro.org>
+With FEAT_LPA2, rather than introducing translation level 4,
+we introduce level -1, below the current level 0.  Extend
+arm_fi_to_lfsc to handle these faults.
+Assert that this new translation level does not leak into
+fault types for which it is not defined, which allows some
+masking of fi->level to be removed.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220301215958.157011-12-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/internals.h | 35 +++++++++++++++++++++++++++++------
+file changed, 29 insertions(+), 6 deletions(-)
+diff --git a/target/arm/internals.h b/target/arm/internals.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/internals.h
++++ b/target/arm/internals.h
+@@ -XXX,XX +XXX,XX @@ static inline uint32_t arm_fi_to_lfsc(ARMMMUFaultInfo *fi)
+     case ARMFault_None:
+         return 0;
+     case ARMFault_AddressSize:
+-        fsc = fi->level & 3;
++        assert(fi->level >= -1 && fi->level <= 3);
++        if (fi->level < 0) {
++            fsc = 0b101001;
++        } else {
++            fsc = fi->level;
++        }
+         break;
+     case ARMFault_AccessFlag:
+-        fsc = (fi->level & 3) | (0x2 << 2);
++        assert(fi->level >= 0 && fi->level <= 3);
++        fsc = 0b001000 | fi->level;
+         break;
+     case ARMFault_Permission:
+-        fsc = (fi->level & 3) | (0x3 << 2);
++        assert(fi->level >= 0 && fi->level <= 3);
++        fsc = 0b001100 | fi->level;
+         break;
+     case ARMFault_Translation:
+-        fsc = (fi->level & 3) | (0x1 << 2);
++        assert(fi->level >= -1 && fi->level <= 3);
++        if (fi->level < 0) {
++            fsc = 0b101011;
++        } else {
++            fsc = 0b000100 | fi->level;
++        }
+         break;
+     case ARMFault_SyncExternal:
+         fsc = 0x10 | (fi->ea << 12);
+         break;
+     case ARMFault_SyncExternalOnWalk:
+-        fsc = (fi->level & 3) | (0x5 << 2) | (fi->ea << 12);
++        assert(fi->level >= -1 && fi->level <= 3);
++        if (fi->level < 0) {
++            fsc = 0b010011;
++        } else {
++            fsc = 0b010100 | fi->level;
++        }
++        fsc |= fi->ea << 12;
+         break;
+     case ARMFault_SyncParity:
+         fsc = 0x18;
+         break;
+     case ARMFault_SyncParityOnWalk:
+-        fsc = (fi->level & 3) | (0x7 << 2);
++        assert(fi->level >= -1 && fi->level <= 3);
++        if (fi->level < 0) {
++            fsc = 0b011011;
++        } else {
++            fsc = 0b011100 | fi->level;
++        }
+         break;
+     case ARMFault_AsyncParity:
+         fsc = 0x19;
+--
+.25.1

-[Qemu-devel] [PULL 04/16] target/arm: Implement FMOV (general) for fp16
+[PULL 19/26] target/arm: Introduce tlbi_aa64_get_range
 From: Richard Henderson <richard.henderson@linaro.org>
-Adding the fp16 moves to/from general registers.
+Merge tlbi_aa64_range_get_length and tlbi_aa64_range_get_base,
 returning a structure containing both results.  Pass in the
 ARMMMUIdx, rather than the digested two_ranges boolean.
-Cc: qemu-stable@nongnu.org
+This is in preparation for FEAT_LPA2, where the interpretation
 of 'value' depends on the effective value of DS for the regime.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Tested-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20220301215958.157011-13-richard.henderson@linaro.org
 Message-id: 20180512003217.9105-2-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.c | 21 +++++++++++++++++++++
+ target/arm/helper.c | 58 +++++++++++++++++++--------------------------
-file changed, 21 insertions(+)
+file changed, 24 insertions(+), 34 deletions(-)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
+--- a/target/arm/helper.c
-+++ b/target/arm/translate-a64.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void handle_fmov(DisasContext *s, int rd, int rn, int type, bool itof)
+@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_vae3is_write(CPUARMState *env, const ARMCPRegInfo *ri,
-             tcg_gen_st_i64(tcg_rn, cpu_env, fp_reg_hi_offset(s, rd));
+ }
-             clear_vec_high(s, true, rd);
-             break;
+ #ifdef TARGET_AARCH64
-+        case 3:
+-static uint64_t tlbi_aa64_range_get_length(CPUARMState *env,
-+            /* 16 bit */
+-                                           uint64_t value)
-+            tmp = tcg_temp_new_i64();
+-{
-+            tcg_gen_ext16u_i64(tmp, tcg_rn);
+-    unsigned int page_shift;
-+            write_fp_dreg(s, rd, tmp);
+-    unsigned int page_size_granule;
-+            tcg_temp_free_i64(tmp);
+-    uint64_t num;
-+            break;
+-    uint64_t scale;
-+        default:
+-    uint64_t exponent;
-+            g_assert_not_reached();
++typedef struct {
-         }
++    uint64_t base;
      uint64_t length;
 +} TLBIRange;
 +
 +static TLBIRange tlbi_aa64_get_range(CPUARMState *env, ARMMMUIdx mmuidx,
 +                                     uint64_t value)
 +{
 +    unsigned int page_size_granule, page_shift, num, scale, exponent;
 +    TLBIRange ret = { };
 -    num = extract64(value, 39, 5);
 -    scale = extract64(value, 44, 2);
      page_size_granule = extract64(value, 46, 2);
      if (page_size_granule == 0) {
          qemu_log_mask(LOG_GUEST_ERROR, "Invalid page size granule %d\n",
                        page_size_granule);
 -        return 0;
 +        return ret;
      }
      page_shift = (page_size_granule - 1) * 2 + 12;
 -
 +    num = extract64(value, 39, 5);
 +    scale = extract64(value, 44, 2);
      exponent = (5 * scale) + 1;
 -    length = (num + 1) << (exponent + page_shift);
 -    return length;
 -}
 +    ret.length = (num + 1) << (exponent + page_shift);
 -static uint64_t tlbi_aa64_range_get_base(CPUARMState *env, uint64_t value,
 -                                        bool two_ranges)
 -{
 -    /* TODO: ARMv8.7 FEAT_LPA2 */
 -    uint64_t pageaddr;
 -
 -    if (two_ranges) {
 -        pageaddr = sextract64(value, 0, 37) << TARGET_PAGE_BITS;
 +    if (regime_has_2_ranges(mmuidx)) {
 +        ret.base = sextract64(value, 0, 37) << TARGET_PAGE_BITS;
      } else {
-         TCGv_i64 tcg_rd = cpu_reg(s, rd);
+-        pageaddr = extract64(value, 0, 37) << TARGET_PAGE_BITS;
-@@ -XXX,XX +XXX,XX @@ static void handle_fmov(DisasContext *s, int rd, int rn, int type, bool itof)
++        ret.base = extract64(value, 0, 37) << TARGET_PAGE_BITS;
-             /* 64 bits from top half */
+     }
-             tcg_gen_ld_i64(tcg_rd, cpu_env, fp_reg_hi_offset(s, rn));
-             break;
+-    return pageaddr;
-+        case 3:
++    return ret;
-+            /* 16 bit */
+ }
-+            tcg_gen_ld16u_i64(tcg_rd, cpu_env, fp_reg_offset(s, rn, MO_16));
-+            break;
+ static void do_rvae_write(CPUARMState *env, uint64_t value,
-+        default:
+                           int idxmap, bool synced)
-+            g_assert_not_reached();
+ {
-         }
+     ARMMMUIdx one_idx = ARM_MMU_IDX_A | ctz32(idxmap);
 -    bool two_ranges = regime_has_2_ranges(one_idx);
 -    uint64_t baseaddr, length;
 +    TLBIRange range;
      int bits;
 -    baseaddr = tlbi_aa64_range_get_base(env, value, two_ranges);
 -    length = tlbi_aa64_range_get_length(env, value);
 -    bits = tlbbits_for_regime(env, one_idx, baseaddr);
 +    range = tlbi_aa64_get_range(env, one_idx, value);
 +    bits = tlbbits_for_regime(env, one_idx, range.base);
      if (synced) {
          tlb_flush_range_by_mmuidx_all_cpus_synced(env_cpu(env),
 -                                                  baseaddr,
 -                                                  length,
 +                                                  range.base,
 +                                                  range.length,
                                                    idxmap,
                                                    bits);
      } else {
 -        tlb_flush_range_by_mmuidx(env_cpu(env), baseaddr,
 -                                  length, idxmap, bits);
 +        tlb_flush_range_by_mmuidx(env_cpu(env), range.base,
 +                                  range.length, idxmap, bits);
      }
  }
-@@ -XXX,XX +XXX,XX @@ static void disas_fp_int_conv(DisasContext *s, uint32_t insn)
          case 0xa: /* 64 bit */
          case 0xd: /* 64 bit to top half of quad */
              break;
 +        case 0x6: /* 16-bit float, 32-bit int */
 +        case 0xe: /* 16-bit float, 64-bit int */
 +            if (arm_dc_feature(s, ARM_FEATURE_V8_FP16)) {
 +                break;
 +            }
 +            /* fallthru */
          default:
              /* all other sf/type/rmode combinations are invalid */
              unallocated_encoding(s);
 --
-.17.0
+.25.1

-New patch
+[PULL 20/26] target/arm: Fix TLBIRange.base for 16k and 64k pages
+From: Richard Henderson <richard.henderson@linaro.org>
+The shift of the BaseADDR field depends on the translation
+granule in use.
+Fixes: 84940ed8255 ("target/arm: Add support for FEAT_TLBIRANGE")
+Reported-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220301215958.157011-14-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/helper.c | 5 +++--
+file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -XXX,XX +XXX,XX @@ static TLBIRange tlbi_aa64_get_range(CPUARMState *env, ARMMMUIdx mmuidx,
+     ret.length = (num + 1) << (exponent + page_shift);
+     if (regime_has_2_ranges(mmuidx)) {
+-        ret.base = sextract64(value, 0, 37) << TARGET_PAGE_BITS;
++        ret.base = sextract64(value, 0, 37);
+     } else {
+-        ret.base = extract64(value, 0, 37) << TARGET_PAGE_BITS;
++        ret.base = extract64(value, 0, 37);
+     }
++    ret.base <<= page_shift;
+     return ret;
+ }
+--
+.25.1

-New patch
+[PULL 21/26] target/arm: Validate tlbi TG matches translation granule in use
+From: Richard Henderson <richard.henderson@linaro.org>
+For FEAT_LPA2, we will need other ARMVAParameters, which themselves
+depend on the translation granule in use.  We might as well validate
+that the given TG matches; the architecture "does not require that
+the instruction invalidates any entries" if this is not true.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220301215958.157011-15-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/helper.c | 10 +++++++---
+file changed, 7 insertions(+), 3 deletions(-)
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -XXX,XX +XXX,XX @@ static TLBIRange tlbi_aa64_get_range(CPUARMState *env, ARMMMUIdx mmuidx,
+                                      uint64_t value)
+ {
+     unsigned int page_size_granule, page_shift, num, scale, exponent;
++    /* Extract one bit to represent the va selector in use. */
++    uint64_t select = sextract64(value, 36, 1);
++    ARMVAParameters param = aa64_va_parameters(env, select, mmuidx, true);
+     TLBIRange ret = { };
+     page_size_granule = extract64(value, 46, 2);
+-    if (page_size_granule == 0) {
+-        qemu_log_mask(LOG_GUEST_ERROR, "Invalid page size granule %d\n",
++    /* The granule encoded in value must match the granule in use. */
++    if (page_size_granule != (param.using64k ? 3 : param.using16k ? 2 : 1)) {
++        qemu_log_mask(LOG_GUEST_ERROR, "Invalid tlbi page size granule %d\n",
+                       page_size_granule);
+         return ret;
+     }
+@@ -XXX,XX +XXX,XX @@ static TLBIRange tlbi_aa64_get_range(CPUARMState *env, ARMMMUIdx mmuidx,
+     ret.length = (num + 1) << (exponent + page_shift);
+-    if (regime_has_2_ranges(mmuidx)) {
++    if (param.select) {
+         ret.base = sextract64(value, 0, 37);
+     } else {
+         ret.base = extract64(value, 0, 37);
+--
+.25.1

-New patch
+[PULL 22/26] target/arm: Advertise all page sizes for -cpu max
+From: Richard Henderson <richard.henderson@linaro.org>
+We support 16k pages, but do not advertize that in ID_AA64MMFR0.
+The value 0 in the TGRAN*_2 fields indicates that stage2 lookups defer
+to the same support as stage1 lookups.  This setting is deprecated, so
+indicate support for all stage2 page sizes directly.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20220301215958.157011-16-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/cpu64.c | 4 ++++
+file changed, 4 insertions(+)
+diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu64.c
++++ b/target/arm/cpu64.c
+@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
+     t = cpu->isar.id_aa64mmfr0;
+     t = FIELD_DP64(t, ID_AA64MMFR0, PARANGE, 6); /* FEAT_LPA: 52 bits */
++    t = FIELD_DP64(t, ID_AA64MMFR0, TGRAN16, 1);   /* 16k pages supported */
++    t = FIELD_DP64(t, ID_AA64MMFR0, TGRAN16_2, 2); /* 16k stage2 supported */
++    t = FIELD_DP64(t, ID_AA64MMFR0, TGRAN64_2, 2); /* 64k stage2 supported */
++    t = FIELD_DP64(t, ID_AA64MMFR0, TGRAN4_2, 2);  /*  4k stage2 supported */
+     cpu->isar.id_aa64mmfr0 = t;
+     t = cpu->isar.id_aa64mmfr1;
+--
+.25.1

-[Qemu-devel] [PULL 11/16] target/arm: Implement FCMP for fp16
+[PULL 23/26] target/arm: Implement FEAT_LPA2
-From: Alex Bennée <alex.bennee@linaro.org>
+From: Richard Henderson <richard.henderson@linaro.org>
-These where missed out from the rest of the half-precision work.
+This feature widens physical addresses (and intermediate physical
+addresses for 2-stage translation) from 48 to 52 bits, when using
-Cc: qemu-stable@nongnu.org
+k or 16k pages.
 This introduces the DS bit to TCR_ELx, which is RES0 unless the
 page size is enabled and supports LPA2, resulting in the effective
 value of DS for a given table walk.  The DS bit changes the format
 of the page table descriptor slightly, moving the PS field out to
 TCR so that all pages have the same sharability and repurposing
 those bits of the page table descriptor for the highest bits of
 the output address.
 Do not yet enable FEAT_LPA2; we need extra plumbing to avoid
 tickling an old kernel bug.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Tested-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180512003217.9105-9-richard.henderson@linaro.org
+Message-id: 20220301215958.157011-17-richard.henderson@linaro.org
 [rth: Diagnose lack of FP16 before fp_access_check]
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper-a64.h    |  2 +
+ docs/system/arm/emulation.rst |   1 +
- target/arm/helper-a64.c    | 10 +++++
+ target/arm/cpu.h              |  22 ++++++++
- target/arm/translate-a64.c | 88 ++++++++++++++++++++++++++++++--------
+ target/arm/internals.h        |   2 +
-files changed, 83 insertions(+), 17 deletions(-)
+ target/arm/helper.c           | 102 +++++++++++++++++++++++++++++-----
+files changed, 112 insertions(+), 15 deletions(-)
-diff --git a/target/arm/helper-a64.h b/target/arm/helper-a64.h
 diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-a64.h
+--- a/docs/system/arm/emulation.rst
-+++ b/target/arm/helper-a64.h
++++ b/docs/system/arm/emulation.rst
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
- DEF_HELPER_FLAGS_2(udiv64, TCG_CALL_NO_RWG_SE, i64, i64, i64)
+ - FEAT_JSCVT (JavaScript conversion instructions)
- DEF_HELPER_FLAGS_2(sdiv64, TCG_CALL_NO_RWG_SE, s64, s64, s64)
+ - FEAT_LOR (Limited ordering regions)
- DEF_HELPER_FLAGS_1(rbit64, TCG_CALL_NO_RWG_SE, i64, i64)
+ - FEAT_LPA (Large Physical Address space)
-+DEF_HELPER_3(vfp_cmph_a64, i64, f16, f16, ptr)
++- FEAT_LPA2 (Large Physical and virtual Address space v2)
-+DEF_HELPER_3(vfp_cmpeh_a64, i64, f16, f16, ptr)
+ - FEAT_LRCPC (Load-acquire RCpc instructions)
- DEF_HELPER_3(vfp_cmps_a64, i64, f32, f32, ptr)
+ - FEAT_LRCPC2 (Load-acquire RCpc instructions v2)
- DEF_HELPER_3(vfp_cmpes_a64, i64, f32, f32, ptr)
+ - FEAT_LSE (Large System Extensions)
- DEF_HELPER_3(vfp_cmpd_a64, i64, f64, f64, ptr)
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-a64.c
+--- a/target/arm/cpu.h
-+++ b/target/arm/helper-a64.c
++++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline uint32_t float_rel_to_flags(int res)
+@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_i8mm(const ARMISARegisters *id)
-     return flags;
+     return FIELD_EX64(id->id_aa64isar1, ID_AA64ISAR1, I8MM) != 0;
  }
-+uint64_t HELPER(vfp_cmph_a64)(float16 x, float16 y, void *fp_status)
++static inline bool isar_feature_aa64_tgran4_lpa2(const ARMISARegisters *id)
 +{
-+    return float_rel_to_flags(float16_compare_quiet(x, y, fp_status));
++    return FIELD_SEX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN4) >= 1;
 +}
 +
-+uint64_t HELPER(vfp_cmpeh_a64)(float16 x, float16 y, void *fp_status)
++static inline bool isar_feature_aa64_tgran4_2_lpa2(const ARMISARegisters *id)
 +{
-+    return float_rel_to_flags(float16_compare(x, y, fp_status));
++    unsigned t = FIELD_EX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN4_2);
 +    return t >= 3 || (t == 0 && isar_feature_aa64_tgran4_lpa2(id));
 +}
 +
- uint64_t HELPER(vfp_cmps_a64)(float32 x, float32 y, void *fp_status)
++static inline bool isar_feature_aa64_tgran16_lpa2(const ARMISARegisters *id)
 +{
 +    return FIELD_EX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN16) >= 2;
 +}
 +
 +static inline bool isar_feature_aa64_tgran16_2_lpa2(const ARMISARegisters *id)
 +{
 +    unsigned t = FIELD_EX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN16_2);
 +    return t >= 3 || (t == 0 && isar_feature_aa64_tgran16_lpa2(id));
 +}
 +
  static inline bool isar_feature_aa64_ccidx(const ARMISARegisters *id)
  {
-     return float_rel_to_flags(float32_compare_quiet(x, y, fp_status));
+     return FIELD_EX64(id->id_aa64mmfr2, ID_AA64MMFR2, CCIDX) != 0;
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+diff --git a/target/arm/internals.h b/target/arm/internals.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
+--- a/target/arm/internals.h
-+++ b/target/arm/translate-a64.c
++++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ static void disas_data_proc_reg(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ static inline uint32_t aarch64_pstate_valid_mask(const ARMISARegisters *id)
-     }
+ typedef struct ARMVAParameters {
- }
+     unsigned tsz    : 8;
+     unsigned ps     : 3;
--static void handle_fp_compare(DisasContext *s, bool is_double,
++    unsigned sh     : 2;
-+static void handle_fp_compare(DisasContext *s, int size,
+     unsigned select : 1;
-                               unsigned int rn, unsigned int rm,
+     bool tbi        : 1;
-                               bool cmp_with_zero, bool signal_all_nans)
+     bool epd        : 1;
@@ -XXX,XX +XXX,XX @@ typedef struct ARMVAParameters {
      bool using16k   : 1;
      bool using64k   : 1;
      bool tsz_oob    : 1;  /* tsz has been clamped to legal range */
 +    bool ds         : 1;
  } ARMVAParameters;
  ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static TLBIRange tlbi_aa64_get_range(CPUARMState *env, ARMMMUIdx mmuidx,
      } else {
          ret.base = extract64(value, 0, 37);
      }
 +    if (param.ds) {
 +        /*
 +         * With DS=1, BaseADDR is always shifted 16 so that it is able
 +         * to address all 52 va bits.  The input address is perforce
 +         * aligned on a 64k boundary regardless of translation granule.
 +         */
 +        page_shift = 16;
 +    }
      ret.base <<= page_shift;
      return ret;
@@ -XXX,XX +XXX,XX @@ static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
      const int grainsize = stride + 3;
      int startsizecheck;
 -    /* Negative levels are never allowed.  */
 -    if (level < 0) {
 +    /*
 +     * Negative levels are usually not allowed...
 +     * Except for FEAT_LPA2, 4k page table, 52-bit address space, which
 +     * begins with level -1.  Note that previous feature tests will have
 +     * eliminated this combination if it is not enabled.
 +     */
 +    if (level < (inputsize == 52 && stride == 9 ? -1 : 0)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
                                     ARMMMUIdx mmu_idx, bool data)
  {
-     TCGv_i64 tcg_flags = tcg_temp_new_i64();
+     uint64_t tcr = regime_tcr(env, mmu_idx)->raw_tcr;
--    TCGv_ptr fpst = get_fpstatus_ptr(false);
+-    bool epd, hpd, using16k, using64k, tsz_oob;
-+    TCGv_ptr fpst = get_fpstatus_ptr(size == MO_16);
+-    int select, tsz, tbi, max_tsz, min_tsz, ps;
++    bool epd, hpd, using16k, using64k, tsz_oob, ds;
--    if (is_double) {
++    int select, tsz, tbi, max_tsz, min_tsz, ps, sh;
-+    if (size == MO_64) {
++    ARMCPU *cpu = env_archcpu(env);
-         TCGv_i64 tcg_vn, tcg_vm;
+     if (!regime_has_2_ranges(mmu_idx)) {
-         tcg_vn = read_fp_dreg(s, rn);
+         select = 0;
-@@ -XXX,XX +XXX,XX @@ static void handle_fp_compare(DisasContext *s, bool is_double,
+@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
-         tcg_temp_free_i64(tcg_vn);
+             hpd = extract32(tcr, 24, 1);
-         tcg_temp_free_i64(tcg_vm);
+         }
          epd = false;
 +        sh = extract32(tcr, 12, 2);
          ps = extract32(tcr, 16, 3);
 +        ds = extract64(tcr, 32, 1);
      } else {
--        TCGv_i32 tcg_vn, tcg_vm;
+         /*
-+        TCGv_i32 tcg_vn = tcg_temp_new_i32();
+          * Bit 55 is always between the two regions, and is canonical for
-+        TCGv_i32 tcg_vm = tcg_temp_new_i32();
+@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
+         if (!select) {
--        tcg_vn = read_fp_sreg(s, rn);
+             tsz = extract32(tcr, 0, 6);
-+        read_vec_element_i32(s, tcg_vn, rn, 0, size);
+             epd = extract32(tcr, 7, 1);
-         if (cmp_with_zero) {
++            sh = extract32(tcr, 12, 2);
--            tcg_vm = tcg_const_i32(0);
+             using64k = extract32(tcr, 14, 1);
-+            tcg_gen_movi_i32(tcg_vm, 0);
+             using16k = extract32(tcr, 15, 1);
-         } else {
+             hpd = extract64(tcr, 41, 1);
--            tcg_vm = read_fp_sreg(s, rm);
+@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
-+            read_vec_element_i32(s, tcg_vm, rm, 0, size);
+             using64k = tg == 3;
              tsz = extract32(tcr, 16, 6);
              epd = extract32(tcr, 23, 1);
 +            sh = extract32(tcr, 28, 2);
              hpd = extract64(tcr, 42, 1);
          }
--        if (signal_all_nans) {
+         ps = extract64(tcr, 32, 3);
--            gen_helper_vfp_cmpes_a64(tcg_flags, tcg_vn, tcg_vm, fpst);
++        ds = extract64(tcr, 59, 1);
--        } else {
+     }
--            gen_helper_vfp_cmps_a64(tcg_flags, tcg_vn, tcg_vm, fpst);
-+
+-    if (cpu_isar_feature(aa64_st, env_archcpu(env))) {
-+        switch (size) {
++    if (cpu_isar_feature(aa64_st, cpu)) {
-+        case MO_32:
+         max_tsz = 48 - using64k;
-+            if (signal_all_nans) {
+     } else {
-+                gen_helper_vfp_cmpes_a64(tcg_flags, tcg_vn, tcg_vm, fpst);
+         max_tsz = 39;
      }
 +    /*
 +     * DS is RES0 unless FEAT_LPA2 is supported for the given page size;
 +     * adjust the effective value of DS, as documented.
 +     */
      min_tsz = 16;
      if (using64k) {
 -        if (cpu_isar_feature(aa64_lva, env_archcpu(env))) {
 +        if (cpu_isar_feature(aa64_lva, cpu)) {
 +            min_tsz = 12;
 +        }
 +        ds = false;
 +    } else if (ds) {
 +        switch (mmu_idx) {
 +        case ARMMMUIdx_Stage2:
 +        case ARMMMUIdx_Stage2_S:
 +            if (using16k) {
 +                ds = cpu_isar_feature(aa64_tgran16_2_lpa2, cpu);
 +            } else {
-+                gen_helper_vfp_cmps_a64(tcg_flags, tcg_vn, tcg_vm, fpst);
++                ds = cpu_isar_feature(aa64_tgran4_2_lpa2, cpu);
 +            }
 +            break;
 +        case MO_16:
 +            if (signal_all_nans) {
 +                gen_helper_vfp_cmpeh_a64(tcg_flags, tcg_vn, tcg_vm, fpst);
 +            } else {
 +                gen_helper_vfp_cmph_a64(tcg_flags, tcg_vn, tcg_vm, fpst);
 +            }
 +            break;
 +        default:
-+            g_assert_not_reached();
++            if (using16k) {
-         }
++                ds = cpu_isar_feature(aa64_tgran16_lpa2, cpu);
-+
++            } else {
-         tcg_temp_free_i32(tcg_vn);
++                ds = cpu_isar_feature(aa64_tgran4_lpa2, cpu);
-         tcg_temp_free_i32(tcg_vm);
++            }
      }
@@ -XXX,XX +XXX,XX @@ static void handle_fp_compare(DisasContext *s, bool is_double,
  static void disas_fp_compare(DisasContext *s, uint32_t insn)
  {
      unsigned int mos, type, rm, op, rn, opc, op2r;
 +    int size;
      mos = extract32(insn, 29, 3);
 -    type = extract32(insn, 22, 2); /* 0 = single, 1 = double */
 +    type = extract32(insn, 22, 2);
      rm = extract32(insn, 16, 5);
      op = extract32(insn, 14, 2);
      rn = extract32(insn, 5, 5);
      opc = extract32(insn, 3, 2);
      op2r = extract32(insn, 0, 3);
 -    if (mos || op || op2r || type > 1) {
 +    if (mos || op || op2r) {
 +        unallocated_encoding(s);
 +        return;
 +    }
 +
 +    switch (type) {
 +    case 0:
 +        size = MO_32;
 +        break;
 +    case 1:
 +        size = MO_64;
 +        break;
 +    case 3:
 +        size = MO_16;
 +        if (arm_dc_feature(s, ARM_FEATURE_V8_FP16)) {
 +            break;
 +        }
-+        /* fallthru */
++        if (ds) {
-+    default:
+             min_tsz = 12;
-         unallocated_encoding(s);
+         }
-         return;
+     }
-     }
+-    /* TODO: FEAT_LPA2 */
-@@ -XXX,XX +XXX,XX @@ static void disas_fp_compare(DisasContext *s, uint32_t insn)
-         return;
+     if (tsz > max_tsz) {
-     }
+         tsz = max_tsz;
+@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
--    handle_fp_compare(s, type, rn, rm, opc & 1, opc & 2);
+     return (ARMVAParameters) {
-+    handle_fp_compare(s, size, rn, rm, opc & 1, opc & 2);
+         .tsz = tsz,
          .ps = ps,
 +        .sh = sh,
          .select = select,
          .tbi = tbi,
          .epd = epd,
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
          .using16k = using16k,
          .using64k = using64k,
          .tsz_oob = tsz_oob,
 +        .ds = ds,
      };
  }
- /* Floating point conditional compare
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
-@@ -XXX,XX +XXX,XX @@ static void disas_fp_ccomp(DisasContext *s, uint32_t insn)
+          * VTCR_EL2.SL0 field (whose interpretation depends on the page size)
-     unsigned int mos, type, rm, cond, rn, op, nzcv;
+          */
-     TCGv_i64 tcg_flags;
+         uint32_t sl0 = extract32(tcr->raw_tcr, 6, 2);
-     TCGLabel *label_continue = NULL;
++        uint32_t sl2 = extract64(tcr->raw_tcr, 33, 1);
-+    int size;
+         uint32_t startlevel;
+         bool ok;
-     mos = extract32(insn, 29, 3);
--    type = extract32(insn, 22, 2); /* 0 = single, 1 = double */
+-        if (!aarch64 || stride == 9) {
-+    type = extract32(insn, 22, 2);
++        /* SL2 is RES0 unless DS=1 & 4kb granule. */
-     rm = extract32(insn, 16, 5);
++        if (param.ds && stride == 9 && sl2) {
-     cond = extract32(insn, 12, 4);
++            if (sl0 != 0) {
-     rn = extract32(insn, 5, 5);
++                level = 0;
-     op = extract32(insn, 4, 1);
++                fault_type = ARMFault_Translation;
-     nzcv = extract32(insn, 0, 4);
++                goto do_fault;
++            }
--    if (mos || type > 1) {
++            startlevel = -1;
-+    if (mos) {
++        } else if (!aarch64 || stride == 9) {
-+        unallocated_encoding(s);
+             /* AArch32 or 4KB pages */
-+        return;
+             startlevel = 2 - sl0;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
       * for both v7 and v8.  However, for v8 the SBZ bits [47:40] must be 0
       * or an AddressSize fault is raised.  So for v8 we extract those SBZ
       * bits as part of the address, which will be checked via outputsize.
 -     * For AArch64, the address field always goes up to bit 47 (with extra
 -     * bits for FEAT_LPA placed elsewhere).  AArch64 implies v8.
 +     * For AArch64, the address field goes up to bit 47, or 49 with FEAT_LPA2;
 +     * the highest bits of a 52-bit output are placed elsewhere.
       */
 -    if (arm_feature(env, ARM_FEATURE_V8)) {
 +    if (param.ds) {
 +        descaddrmask = MAKE_64BIT_MASK(0, 50);
 +    } else if (arm_feature(env, ARM_FEATURE_V8)) {
          descaddrmask = MAKE_64BIT_MASK(0, 48);
      } else {
          descaddrmask = MAKE_64BIT_MASK(0, 40);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
          /*
           * For FEAT_LPA and PS=6, bits [51:48] of descaddr are in [15:12]
 -         * of descriptor.  Otherwise, if descaddr is out of range, raise
 -         * AddressSizeFault.
 +         * of descriptor.  For FEAT_LPA2 and effective DS, bits [51:50] of
 +         * descaddr are in [9:8].  Otherwise, if descaddr is out of range,
 +         * raise AddressSizeFault.
           */
          if (outputsize > 48) {
 -            descaddr |= extract64(descriptor, 12, 4) << 48;
 +            if (param.ds) {
 +                descaddr |= extract64(descriptor, 8, 2) << 50;
 +            } else {
 +                descaddr |= extract64(descriptor, 12, 4) << 48;
 +            }
          } else if (descaddr >> outputsize) {
              fault_type = ARMFault_AddressSize;
              goto do_fault;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
          assert(attrindx <= 7);
          cacheattrs->attrs = extract64(mair, attrindx * 8, 8);
      }
 -    cacheattrs->shareability = extract32(attrs, 6, 2);
 +
 +    /*
 +     * For FEAT_LPA2 and effective DS, the SH field in the attributes
 +     * was re-purposed for output address bits.  The SH attribute in
 +     * that case comes from TCR_ELx, which we extracted earlier.
 +     */
 +    if (param.ds) {
 +        cacheattrs->shareability = param.sh;
 +    } else {
 +        cacheattrs->shareability = extract32(attrs, 6, 2);
 +    }
-+
-+    switch (type) {
+     *phys_ptr = descaddr;
-+    case 0:
+     *page_size_ptr = page_size;
 +        size = MO_32;
 +        break;
 +    case 1:
 +        size = MO_64;
 +        break;
 +    case 3:
 +        size = MO_16;
 +        if (arm_dc_feature(s, ARM_FEATURE_V8_FP16)) {
 +            break;
 +        }
 +        /* fallthru */
 +    default:
          unallocated_encoding(s);
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void disas_fp_ccomp(DisasContext *s, uint32_t insn)
          gen_set_label(label_match);
      }
 -    handle_fp_compare(s, type, rn, rm, false, op);
 +    handle_fp_compare(s, size, rn, rm, false, op);
      if (cond < 0x0e) {
          gen_set_label(label_continue);
 --
-.17.0
+.25.1

-New patch
+[PULL 24/26] target/arm: Report KVM's actual PSCI version to guest in dtb
+When we're using KVM, the PSCI implementation is provided by the
+kernel, but QEMU has to tell the guest about it via the device tree.
+Currently we look at the KVM_CAP_ARM_PSCI_0_2 capability to determine
+if the kernel is providing at least PSCI 0.2, but if the kernel
+provides a newer version than that we will still only tell the guest
+it has PSCI 0.2.  (This is fairly harmless; it just means the guest
+won't use newer parts of the PSCI API.)
+The kernel exposes the specific PSCI version it is implementing via
+the ONE_REG API; use this to report in the dtb that the PSCI
+implementation is 1.0-compatible if appropriate.  (The device tree
+binding currently only distinguishes "pre-0.2", "0.2-compatible" and
+"1.0-compatible".)
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Reviewed-by: Akihiko Odaki <akihiko.odaki@gmail.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Andrew Jones <drjones@redhat.com>
+Message-id: 20220224134655.1207865-1-peter.maydell@linaro.org
+---
+ target/arm/kvm-consts.h |  1 +
+ hw/arm/boot.c           |  5 ++---
+ target/arm/kvm64.c      | 12 ++++++++++++
+files changed, 15 insertions(+), 3 deletions(-)
+diff --git a/target/arm/kvm-consts.h b/target/arm/kvm-consts.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/kvm-consts.h
++++ b/target/arm/kvm-consts.h
+@@ -XXX,XX +XXX,XX @@ MISMATCH_CHECK(QEMU_PSCI_1_0_FN_PSCI_FEATURES, PSCI_1_0_FN_PSCI_FEATURES);
+ #define QEMU_PSCI_VERSION_0_1                     0x00001
+ #define QEMU_PSCI_VERSION_0_2                     0x00002
++#define QEMU_PSCI_VERSION_1_0                     0x10000
+ #define QEMU_PSCI_VERSION_1_1                     0x10001
+ MISMATCH_CHECK(QEMU_PSCI_0_2_RET_TOS_MIGRATION_NOT_REQUIRED, PSCI_0_2_TOS_MP);
+diff --git a/hw/arm/boot.c b/hw/arm/boot.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/boot.c
++++ b/hw/arm/boot.c
+@@ -XXX,XX +XXX,XX @@ static void fdt_add_psci_node(void *fdt)
+     }
+     qemu_fdt_add_subnode(fdt, "/psci");
+-    if (armcpu->psci_version == QEMU_PSCI_VERSION_0_2 ||
+-        armcpu->psci_version == QEMU_PSCI_VERSION_1_1) {
+-        if (armcpu->psci_version == QEMU_PSCI_VERSION_0_2) {
++    if (armcpu->psci_version >= QEMU_PSCI_VERSION_0_2) {
++        if (armcpu->psci_version < QEMU_PSCI_VERSION_1_0) {
+             const char comp[] = "arm,psci-0.2\0arm,psci";
+             qemu_fdt_setprop(fdt, "/psci", "compatible", comp, sizeof(comp));
+         } else {
+diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/kvm64.c
++++ b/target/arm/kvm64.c
+@@ -XXX,XX +XXX,XX @@ int kvm_arch_init_vcpu(CPUState *cs)
+     uint64_t mpidr;
+     ARMCPU *cpu = ARM_CPU(cs);
+     CPUARMState *env = &cpu->env;
++    uint64_t psciver;
+     if (cpu->kvm_target == QEMU_KVM_ARM_TARGET_NONE ||
+         !object_dynamic_cast(OBJECT(cpu), TYPE_AARCH64_CPU)) {
+@@ -XXX,XX +XXX,XX @@ int kvm_arch_init_vcpu(CPUState *cs)
+         }
+     }
++    /*
++     * KVM reports the exact PSCI version it is implementing via a
++     * special sysreg. If it is present, use its contents to determine
++     * what to report to the guest in the dtb (it is the PSCI version,
++     * in the same 15-bits major 16-bits minor format that PSCI_VERSION
++     * returns).
++     */
++    if (!kvm_get_one_reg(cs, KVM_REG_ARM_PSCI_VERSION, &psciver)) {
++        cpu->psci_version = psciver;
++    }
++
+     /*
+      * When KVM is in use, PSCI is emulated in-kernel and not by qemu.
+      * Currently KVM has its own idea about MPIDR assignment, so we
+--
+.25.1

-[Qemu-devel] [PULL 12/16] target/arm: Implement FCSEL for fp16
+[PULL 25/26] ui/cocoa.m: Fix updateUIInfo threading issues
-From: Alex Bennée <alex.bennee@linaro.org>
+The updateUIInfo method makes Cocoa API calls.  It also calls back
 into QEMU functions like dpy_set_ui_info().  To do this safely, we
 need to follow two rules:
  * Cocoa API calls are made on the Cocoa UI thread
  * When calling back into QEMU we must hold the iothread lock
-These were missed out from the rest of the half-precision work.
+Fix the places where we got this wrong, by taking the iothread lock
 while executing updateUIInfo, and moving the call in cocoa_switch()
 inside the dispatch_async block.
-Cc: qemu-stable@nongnu.org
+Some of the Cocoa UI methods which call updateUIInfo are invoked as
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+part of the initial application startup, while we're still doing the
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+little cross-thread dance described in the comment just above
-Tested-by: Alex Bennée <alex.bennee@linaro.org>
+call_qemu_main().  This meant they were calling back into the QEMU UI
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+layer before we'd actually finished initializing our display and
-Message-id: 20180512003217.9105-10-richard.henderson@linaro.org
+registered the DisplayChangeListener, which isn't really valid.  Once
-[rth: Fix erroneous check vs type]
+updateUIInfo takes the iothread lock, we no longer get away with
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+this, because during this startup phase the iothread lock is held by
 the QEMU main-loop thread which is waiting for us to finish our
 display initialization.  So we must suppress updateUIInfo until
 applicationDidFinishLaunching allows the QEMU main-loop thread to
 continue.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Akihiko Odaki <akihiko.odaki@gmail.com>
+Tested-by: Akihiko Odaki <akihiko.odaki@gmail.com>
+Message-id: 20220224101330.967429-2-peter.maydell@linaro.org
 ---
- target/arm/translate-a64.c | 31 +++++++++++++++++++++++++------
+ ui/cocoa.m | 25 ++++++++++++++++++++++---
-file changed, 25 insertions(+), 6 deletions(-)
+file changed, 22 insertions(+), 3 deletions(-)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+diff --git a/ui/cocoa.m b/ui/cocoa.m
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
+--- a/ui/cocoa.m
-+++ b/target/arm/translate-a64.c
++++ b/ui/cocoa.m
-@@ -XXX,XX +XXX,XX @@ static void disas_fp_csel(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ QemuCocoaView *cocoaView;
-     unsigned int mos, type, rm, cond, rn, rd;
+     }
-     TCGv_i64 t_true, t_false, t_zero;
+ }
-     DisasCompare64 c;
-+    TCGMemOp sz;
+-- (void) updateUIInfo
++- (void) updateUIInfoLocked
-     mos = extract32(insn, 29, 3);
+ {
--    type = extract32(insn, 22, 2); /* 0 = single, 1 = double */
++    /* Must be called with the iothread lock, i.e. via updateUIInfo */
-+    type = extract32(insn, 22, 2);
+     NSSize frameSize;
-     rm = extract32(insn, 16, 5);
+     QemuUIInfo info;
-     cond = extract32(insn, 12, 4);
-     rn = extract32(insn, 5, 5);
+@@ -XXX,XX +XXX,XX @@ QemuCocoaView *cocoaView;
-     rd = extract32(insn, 0, 5);
+     dpy_set_ui_info(dcl.con, &info, TRUE);
+ }
--    if (mos || type > 1) {
-+    if (mos) {
++- (void) updateUIInfo
-+        unallocated_encoding(s);
++{
 +    if (!allow_events) {
 +        /*
 +         * Don't try to tell QEMU about UI information in the application
 +         * startup phase -- we haven't yet registered dcl with the QEMU UI
 +         * layer, and also trying to take the iothread lock would deadlock.
 +         * When cocoa_display_init() does register the dcl, the UI layer
 +         * will call cocoa_switch(), which will call updateUIInfo, so
 +         * we don't lose any information here.
 +         */
 +        return;
 +    }
 +
-+    switch (type) {
++    with_iothread_lock(^{
-+    case 0:
++        [self updateUIInfoLocked];
-+        sz = MO_32;
++    });
-+        break;
++}
-+    case 1:
++
-+        sz = MO_64;
+ - (void)viewDidMoveToWindow
-+        break;
+ {
-+    case 3:
+     [self updateUIInfo];
-+        sz = MO_16;
+@@ -XXX,XX +XXX,XX @@ static void cocoa_switch(DisplayChangeListener *dcl,
-+        if (arm_dc_feature(s, ARM_FEATURE_V8_FP16)) {
-+            break;
+     COCOA_DEBUG("qemu_cocoa: cocoa_switch\n");
-+        }
-+        /* fallthru */
+-    [cocoaView updateUIInfo];
-+    default:
+-
-         unallocated_encoding(s);
+     // The DisplaySurface will be freed as soon as this callback returns.
-         return;
+     // We take a reference to the underlying pixman image here so it does
-     }
+     // not disappear from under our feet; the switchSurface method will
-@@ -XXX,XX +XXX,XX @@ static void disas_fp_csel(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ static void cocoa_switch(DisplayChangeListener *dcl,
-         return;
+     pixman_image_ref(image);
-     }
+     dispatch_async(dispatch_get_main_queue(), ^{
--    /* Zero extend sreg inputs to 64 bits now.  */
++        [cocoaView updateUIInfo];
-+    /* Zero extend sreg & hreg inputs to 64 bits now.  */
+         [cocoaView switchSurface:image];
-     t_true = tcg_temp_new_i64();
+     });
-     t_false = tcg_temp_new_i64();
+     [pool release];
 -    read_vec_element(s, t_true, rn, 0, type ? MO_64 : MO_32);
 -    read_vec_element(s, t_false, rm, 0, type ? MO_64 : MO_32);
 +    read_vec_element(s, t_true, rn, 0, sz);
 +    read_vec_element(s, t_false, rm, 0, sz);
      a64_test_cc(&c, cond);
      t_zero = tcg_const_i64(0);
@@ -XXX,XX +XXX,XX @@ static void disas_fp_csel(DisasContext *s, uint32_t insn)
      tcg_temp_free_i64(t_false);
      a64_free_cc(&c);
 -    /* Note that sregs write back zeros to the high bits,
 +    /* Note that sregs & hregs write back zeros to the high bits,
         and we've already done the zero-extension.  */
      write_fp_dreg(s, rd, t_true);
      tcg_temp_free_i64(t_true);
 --
-.17.0
+.25.1

-New patch
+[PULL 26/26] ui/cocoa.m: Remove unnecessary NSAutoreleasePools
+In commit 6e657e64cdc478 in 2013 we added some autorelease pools to
+deal with complaints from macOS when we made calls into Cocoa from
+threads that didn't have automatically created autorelease pools.
+Later on, macOS got stricter about forbidding cross-thread Cocoa
+calls, and in commit 5588840ff77800e839d8 we restructured the code to
+avoid them.  This left the autorelease pool creation in several
+functions without any purpose; delete it.
+We still need the pool in cocoa_refresh() for the clipboard related
+code which is called directly there.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Akihiko Odaki <akihiko.odaki@gmail.com>
+Tested-by: Akihiko Odaki <akihiko.odaki@gmail.com>
+Message-id: 20220224101330.967429-3-peter.maydell@linaro.org
+---
+ ui/cocoa.m | 6 ------
+file changed, 6 deletions(-)
+diff --git a/ui/cocoa.m b/ui/cocoa.m
+index XXXXXXX..XXXXXXX 100644
+--- a/ui/cocoa.m
++++ b/ui/cocoa.m
+@@ -XXX,XX +XXX,XX @@ int main (int argc, char **argv) {
+ static void cocoa_update(DisplayChangeListener *dcl,
+                          int x, int y, int w, int h)
+ {
+-    NSAutoreleasePool * pool = [[NSAutoreleasePool alloc] init];
+-
+     COCOA_DEBUG("qemu_cocoa: cocoa_update\n");
+     dispatch_async(dispatch_get_main_queue(), ^{
+@@ -XXX,XX +XXX,XX @@ static void cocoa_update(DisplayChangeListener *dcl,
+         }
+         [cocoaView setNeedsDisplayInRect:rect];
+     });
+-
+-    [pool release];
+ }
+ static void cocoa_switch(DisplayChangeListener *dcl,
+                          DisplaySurface *surface)
+ {
+-    NSAutoreleasePool * pool = [[NSAutoreleasePool alloc] init];
+     pixman_image_t *image = surface->image;
+     COCOA_DEBUG("qemu_cocoa: cocoa_switch\n");
+@@ -XXX,XX +XXX,XX @@ static void cocoa_switch(DisplayChangeListener *dcl,
+         [cocoaView updateUIInfo];
+         [cocoaView switchSurface:image];
+     });
+-    [pool release];
+ }
+ static void cocoa_refresh(DisplayChangeListener *dcl)
+--
+.25.1

The following changes since commit ad1b4ec39caa5b3f17cbd8160283a03a3dcfe2ae:

Merge remote-tracking branch 'remotes/kraxel/tags/input-20180515-pull-request' into staging (2018-05-15 12:50:06 +0100)

are available in the Git repository at:

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180515

for you to fetch changes up to ae7651804748c6b479d5ae09aeac4edb9c44f76e:

tcg: Optionally log FPU state in TCG -d cpu logging (2018-05-15 14:58:44 +0100)

----------------------------------------------------------------
target-arm queue:
 * Fix coverity nit in int_to_float code
 * Don't set Invalid for float-to-int(MAXINT)
 * Fix fp_status_f16 tininess before rounding
 * Add various missing insns from the v8.2-FP16 extension
 * Fix sqrt_f16 exception raising
 * sdcard: Correct CRC16 offset in sd_function_switch()
 * tcg: Optionally log FPU state in TCG -d cpu logging

----------------------------------------------------------------
Alex Bennée (5):
      fpu/softfloat: int_to_float ensure r fully initialised
      target/arm: Implement FCMP for fp16
      target/arm: Implement FCSEL for fp16
      target/arm: Implement FMOV (immediate) for fp16
      target/arm: Fix sqrt_f16 exception raising

Peter Maydell (3):
      fpu/softfloat: Don't set Invalid for float-to-int(MAXINT)
      target/arm: Fix fp_status_f16 tininess before rounding
      tcg: Optionally log FPU state in TCG -d cpu logging

Philippe Mathieu-Daudé (1):
      sdcard: Correct CRC16 offset in sd_function_switch()

Richard Henderson (7):
      target/arm: Implement FMOV (general) for fp16
      target/arm: Early exit after unallocated_encoding in disas_fp_int_conv
      target/arm: Implement FCVT (scalar, integer) for fp16
      target/arm: Implement FCVT (scalar, fixed-point) for fp16
      target/arm: Introduce and use read_fp_hreg
      target/arm: Implement FP data-processing (2 source) for fp16
      target/arm: Implement FP data-processing (3 source) for fp16

In float-to-integer conversion, if the floating point input
converts exactly to the largest or smallest integer that
fits in to the result type, this is not an overflow.
In this situation we were producing the correct result value,
but were incorrectly setting the Invalid flag.
For example for Arm A64, "FCVTAS w0, d0" on an input of
0x41dfffffffc00000 should produce 0x7fffffff and set no flags.

Fix the boundary case to take the right half of the if()
statements.

This fixes a regression from 2.11 introduced by the softfloat
refactoring.

Cc: qemu-stable@nongnu.org
Fixes: ab52f973a50
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180510140141.12120-1-peter.maydell@linaro.org
---
 fpu/softfloat.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fpu/softfloat.c b/fpu/softfloat.c
index XXXXXXX..XXXXXXX 100644
--- a/fpu/softfloat.c
+++ b/fpu/softfloat.c
@@ -XXX,XX +XXX,XX @@ static int64_t round_to_int_and_pack(FloatParts in, int rmode,
             r = UINT64_MAX;
         }
         if (p.sign) {
-            if (r < -(uint64_t) min) {
+            if (r <= -(uint64_t) min) {
                 return -r;
             } else {
                 s->float_exception_flags = orig_flags | float_flag_invalid;
                 return min;
             }
         } else {
-            if (r < max) {
+            if (r <= max) {
                 return r;
             } else {
                 s->float_exception_flags = orig_flags | float_flag_invalid;
-- 
2.17.0

In commit d81ce0ef2c4f105 we added an extra float_status field
fp_status_fp16 for Arm, but forgot to initialize it correctly
by setting it to float_tininess_before_rounding. This currently
will only cause problems for the new V8_FP16 feature, since the
float-to-float conversion code doesn't use it yet. The effect
would be that we failed to set the Underflow IEEE exception flag
in all the cases where we should.

Add the missing initialization.

Fixes: d81ce0ef2c4f105
Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20180512004311.9299-16-richard.henderson@linaro.org
---
 target/arm/cpu.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(CPUState *s)
                               &env->vfp.fp_status);
     set_float_detect_tininess(float_tininess_before_rounding,
                               &env->vfp.standard_fp_status);
+    set_float_detect_tininess(float_tininess_before_rounding,
+                              &env->vfp.fp_status_f16);
 #ifndef CONFIG_USER_ONLY
     if (kvm_enabled()) {
         kvm_arm_reset_vcpu(cpu);
-- 
2.17.0

From: Richard Henderson <richard.henderson@linaro.org>

Adding the fp16 moves to/from general registers.

Cc: qemu-stable@nongnu.org
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20180512003217.9105-2-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_fmov(DisasContext *s, int rd, int rn, int type, bool itof)
             tcg_gen_st_i64(tcg_rn, cpu_env, fp_reg_hi_offset(s, rd));
             clear_vec_high(s, true, rd);
             break;
+        case 3:
+            /* 16 bit */
+            tmp = tcg_temp_new_i64();
+            tcg_gen_ext16u_i64(tmp, tcg_rn);
+            write_fp_dreg(s, rd, tmp);
+            tcg_temp_free_i64(tmp);
+            break;
+        default:
+            g_assert_not_reached();
         }
     } else {
         TCGv_i64 tcg_rd = cpu_reg(s, rd);
@@ -XXX,XX +XXX,XX @@ static void handle_fmov(DisasContext *s, int rd, int rn, int type, bool itof)
             /* 64 bits from top half */
             tcg_gen_ld_i64(tcg_rd, cpu_env, fp_reg_hi_offset(s, rn));
             break;
+        case 3:
+            /* 16 bit */
+            tcg_gen_ld16u_i64(tcg_rd, cpu_env, fp_reg_offset(s, rn, MO_16));
+            break;
+        default:
+            g_assert_not_reached();
         }
     }
 }
@@ -XXX,XX +XXX,XX @@ static void disas_fp_int_conv(DisasContext *s, uint32_t insn)
         case 0xa: /* 64 bit */
         case 0xd: /* 64 bit to top half of quad */
             break;
+        case 0x6: /* 16-bit float, 32-bit int */
+        case 0xe: /* 16-bit float, 64-bit int */
+            if (arm_dc_feature(s, ARM_FEATURE_V8_FP16)) {
+                break;
+            }
+            /* fallthru */
         default:
             /* all other sf/type/rmode combinations are invalid */
             unallocated_encoding(s);
-- 
2.17.0

From: Richard Henderson <richard.henderson@linaro.org>

Cc: qemu-stable@nongnu.org
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20180512003217.9105-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.h        |  6 +++
 target/arm/helper.c        | 38 ++++++++++++++-
 target/arm/translate-a64.c | 96 +++++++++++++++++++++++++++++++-------
 3 files changed, 122 insertions(+), 18 deletions(-)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_3(vfp_touhd_round_to_zero, i64, f64, i32, ptr)
 DEF_HELPER_3(vfp_tould_round_to_zero, i64, f64, i32, ptr)
 DEF_HELPER_3(vfp_touhh, i32, f16, i32, ptr)
 DEF_HELPER_3(vfp_toshh, i32, f16, i32, ptr)
+DEF_HELPER_3(vfp_toulh, i32, f16, i32, ptr)
+DEF_HELPER_3(vfp_toslh, i32, f16, i32, ptr)
+DEF_HELPER_3(vfp_touqh, i64, f16, i32, ptr)
+DEF_HELPER_3(vfp_tosqh, i64, f16, i32, ptr)
 DEF_HELPER_3(vfp_toshs, i32, f32, i32, ptr)
 DEF_HELPER_3(vfp_tosls, i32, f32, i32, ptr)
 DEF_HELPER_3(vfp_tosqs, i64, f32, i32, ptr)
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_3(vfp_ultod, f64, i64, i32, ptr)
 DEF_HELPER_3(vfp_uqtod, f64, i64, i32, ptr)
 DEF_HELPER_3(vfp_sltoh, f16, i32, i32, ptr)
 DEF_HELPER_3(vfp_ultoh, f16, i32, i32, ptr)
+DEF_HELPER_3(vfp_sqtoh, f16, i64, i32, ptr)
+DEF_HELPER_3(vfp_uqtoh, f16, i64, i32, ptr)
 
 DEF_HELPER_FLAGS_2(set_rmode, TCG_CALL_NO_RWG, i32, i32, ptr)
 DEF_HELPER_FLAGS_2(set_neon_rmode, TCG_CALL_NO_RWG, i32, i32, env)
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ VFP_CONV_FIX_A64(uq, s, 32, 64, uint64)
 #undef VFP_CONV_FIX_A64
 
 /* Conversion to/from f16 can overflow to infinity before/after scaling.
- * Therefore we convert to f64 (which does not round), scale,
- * and then convert f64 to f16 (which may round).
+ * Therefore we convert to f64, scale, and then convert f64 to f16; or
+ * vice versa for conversion to integer.
+ *
+ * For 16- and 32-bit integers, the conversion to f64 never rounds.
+ * For 64-bit integers, any integer that would cause rounding will also
+ * overflow to f16 infinity, so there is no double rounding problem.
  */
 
 static float16 do_postscale_fp16(float64 f, int shift, float_status *fpst)
@@ -XXX,XX +XXX,XX @@ float16 HELPER(vfp_ultoh)(uint32_t x, uint32_t shift, void *fpst)
     return do_postscale_fp16(uint32_to_float64(x, fpst), shift, fpst);
 }
 
+float16 HELPER(vfp_sqtoh)(uint64_t x, uint32_t shift, void *fpst)
+{
+    return do_postscale_fp16(int64_to_float64(x, fpst), shift, fpst);
+}
+
+float16 HELPER(vfp_uqtoh)(uint64_t x, uint32_t shift, void *fpst)
+{
+    return do_postscale_fp16(uint64_to_float64(x, fpst), shift, fpst);
+}
+
 static float64 do_prescale_fp16(float16 f, int shift, float_status *fpst)
 {
     if (unlikely(float16_is_any_nan(f))) {
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(vfp_touhh)(float16 x, uint32_t shift, void *fpst)
     return float64_to_uint16(do_prescale_fp16(x, shift, fpst), fpst);
 }
 
+uint32_t HELPER(vfp_toslh)(float16 x, uint32_t shift, void *fpst)
+{
+    return float64_to_int32(do_prescale_fp16(x, shift, fpst), fpst);
+}
+
+uint32_t HELPER(vfp_toulh)(float16 x, uint32_t shift, void *fpst)
+{
+    return float64_to_uint32(do_prescale_fp16(x, shift, fpst), fpst);
+}
+
+uint64_t HELPER(vfp_tosqh)(float16 x, uint32_t shift, void *fpst)
+{
+    return float64_to_int64(do_prescale_fp16(x, shift, fpst), fpst);
+}
+
+uint64_t HELPER(vfp_touqh)(float16 x, uint32_t shift, void *fpst)
+{
+    return float64_to_uint64(do_prescale_fp16(x, shift, fpst), fpst);
+}
+
 /* Set the current fp rounding mode and return the old one.
  * The argument is a softfloat float_round_ value.
  */
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_fpfpcvt(DisasContext *s, int rd, int rn, int opcode,
                            bool itof, int rmode, int scale, int sf, int type)
 {
     bool is_signed = !(opcode & 1);
-    bool is_double = type;
     TCGv_ptr tcg_fpstatus;
-    TCGv_i32 tcg_shift;
+    TCGv_i32 tcg_shift, tcg_single;
+    TCGv_i64 tcg_double;
 
-    tcg_fpstatus = get_fpstatus_ptr(false);
+    tcg_fpstatus = get_fpstatus_ptr(type == 3);
 
     tcg_shift = tcg_const_i32(64 - scale);
 
@@ -XXX,XX +XXX,XX @@ static void handle_fpfpcvt(DisasContext *s, int rd, int rn, int opcode,
             tcg_int = tcg_extend;
         }
 
-        if (is_double) {
-            TCGv_i64 tcg_double = tcg_temp_new_i64();
+        switch (type) {
+        case 1: /* float64 */
+            tcg_double = tcg_temp_new_i64();
             if (is_signed) {
                 gen_helper_vfp_sqtod(tcg_double, tcg_int,
                                      tcg_shift, tcg_fpstatus);
@@ -XXX,XX +XXX,XX @@ static void handle_fpfpcvt(DisasContext *s, int rd, int rn, int opcode,
             }
             write_fp_dreg(s, rd, tcg_double);
             tcg_temp_free_i64(tcg_double);
-        } else {
-            TCGv_i32 tcg_single = tcg_temp_new_i32();
+            break;
+
+        case 0: /* float32 */
+            tcg_single = tcg_temp_new_i32();
             if (is_signed) {
                 gen_helper_vfp_sqtos(tcg_single, tcg_int,
                                      tcg_shift, tcg_fpstatus);
@@ -XXX,XX +XXX,XX @@ static void handle_fpfpcvt(DisasContext *s, int rd, int rn, int opcode,
             }
             write_fp_sreg(s, rd, tcg_single);
             tcg_temp_free_i32(tcg_single);
+            break;
+
+        case 3: /* float16 */
+            tcg_single = tcg_temp_new_i32();
+            if (is_signed) {
+                gen_helper_vfp_sqtoh(tcg_single, tcg_int,
+                                     tcg_shift, tcg_fpstatus);
+            } else {
+                gen_helper_vfp_uqtoh(tcg_single, tcg_int,
+                                     tcg_shift, tcg_fpstatus);
+            }
+            write_fp_sreg(s, rd, tcg_single);
+            tcg_temp_free_i32(tcg_single);
+            break;
+
+        default:
+            g_assert_not_reached();
         }
     } else {
         TCGv_i64 tcg_int = cpu_reg(s, rd);
@@ -XXX,XX +XXX,XX @@ static void handle_fpfpcvt(DisasContext *s, int rd, int rn, int opcode,
 
         gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);
 
-        if (is_double) {
-            TCGv_i64 tcg_double = read_fp_dreg(s, rn);
+        switch (type) {
+        case 1: /* float64 */
+            tcg_double = read_fp_dreg(s, rn);
             if (is_signed) {
                 if (!sf) {
                     gen_helper_vfp_tosld(tcg_int, tcg_double,
@@ -XXX,XX +XXX,XX @@ static void handle_fpfpcvt(DisasContext *s, int rd, int rn, int opcode,
                                          tcg_shift, tcg_fpstatus);
                 }
             }
+            if (!sf) {
+                tcg_gen_ext32u_i64(tcg_int, tcg_int);
+            }
             tcg_temp_free_i64(tcg_double);
-        } else {
-            TCGv_i32 tcg_single = read_fp_sreg(s, rn);
+            break;
+
+        case 0: /* float32 */
+            tcg_single = read_fp_sreg(s, rn);
             if (sf) {
                 if (is_signed) {
                     gen_helper_vfp_tosqs(tcg_int, tcg_single,
@@ -XXX,XX +XXX,XX @@ static void handle_fpfpcvt(DisasContext *s, int rd, int rn, int opcode,
                 tcg_temp_free_i32(tcg_dest);
             }
             tcg_temp_free_i32(tcg_single);
+            break;
+
+        case 3: /* float16 */
+            tcg_single = read_fp_sreg(s, rn);
+            if (sf) {
+                if (is_signed) {
+                    gen_helper_vfp_tosqh(tcg_int, tcg_single,
+                                         tcg_shift, tcg_fpstatus);
+                } else {
+                    gen_helper_vfp_touqh(tcg_int, tcg_single,
+                                         tcg_shift, tcg_fpstatus);
+                }
+            } else {
+                TCGv_i32 tcg_dest = tcg_temp_new_i32();
+                if (is_signed) {
+                    gen_helper_vfp_toslh(tcg_dest, tcg_single,
+                                         tcg_shift, tcg_fpstatus);
+                } else {
+                    gen_helper_vfp_toulh(tcg_dest, tcg_single,
+                                         tcg_shift, tcg_fpstatus);
+                }
+                tcg_gen_extu_i32_i64(tcg_int, tcg_dest);
+                tcg_temp_free_i32(tcg_dest);
+            }
+            tcg_temp_free_i32(tcg_single);
+            break;
+
+        default:
+            g_assert_not_reached();
         }
 
         gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);
         tcg_temp_free_i32(tcg_rmode);
-
-        if (!sf) {
-            tcg_gen_ext32u_i64(tcg_int, tcg_int);
-        }
     }
 
     tcg_temp_free_ptr(tcg_fpstatus);
@@ -XXX,XX +XXX,XX @@ static void disas_fp_int_conv(DisasContext *s, uint32_t insn)
         /* actual FP conversions */
         bool itof = extract32(opcode, 1, 1);
 
-        if (type > 1 || (rmode != 0 && opcode > 1)) {
+        if (rmode != 0 && opcode > 1) {
+            unallocated_encoding(s);
+            return;
+        }
+        switch (type) {
+        case 0: /* float32 */
+        case 1: /* float64 */
+            break;
+        case 3: /* float16 */
+            if (arm_dc_feature(s, ARM_FEATURE_V8_FP16)) {
+                break;
+            }
+            /* fallthru */
+        default:
             unallocated_encoding(s);
             return;
         }
-- 
2.17.0

From: Richard Henderson <richard.henderson@linaro.org>

Cc: qemu-stable@nongnu.org
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20180512003217.9105-5-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_fp_fixed_conv(DisasContext *s, uint32_t insn)
     bool sf = extract32(insn, 31, 1);
     bool itof;
 
-    if (sbit || (type > 1)
-        || (!sf && scale < 32)) {
+    if (sbit || (!sf && scale < 32)) {
+        unallocated_encoding(s);
+        return;
+    }
+
+    switch (type) {
+    case 0: /* float32 */
+    case 1: /* float64 */
+        break;
+    case 3: /* float16 */
+        if (arm_dc_feature(s, ARM_FEATURE_V8_FP16)) {
+            break;
+        }
+        /* fallthru */
+    default:
         unallocated_encoding(s);
         return;
     }
-- 
2.17.0

From: Richard Henderson <richard.henderson@linaro.org>

Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20180512003217.9105-6-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static TCGv_i32 read_fp_sreg(DisasContext *s, int reg)
     return v;
 }
 
+static TCGv_i32 read_fp_hreg(DisasContext *s, int reg)
+{
+    TCGv_i32 v = tcg_temp_new_i32();
+
+    tcg_gen_ld16u_i32(v, cpu_env, fp_reg_offset(s, reg, MO_16));
+    return v;
+}
+
 /* Clear the bits above an N-bit vector, for N = (is_q ? 128 : 64).
  * If SVE is not enabled, then there are only 128 bits in the vector.
  */
@@ -XXX,XX +XXX,XX @@ static void disas_fp_csel(DisasContext *s, uint32_t insn)
 static void handle_fp_1src_half(DisasContext *s, int opcode, int rd, int rn)
 {
     TCGv_ptr fpst = NULL;
-    TCGv_i32 tcg_op = tcg_temp_new_i32();
+    TCGv_i32 tcg_op = read_fp_hreg(s, rn);
     TCGv_i32 tcg_res = tcg_temp_new_i32();
 
-    read_vec_element_i32(s, tcg_op, rn, 0, MO_16);
-
     switch (opcode) {
     case 0x0: /* FMOV */
         tcg_gen_mov_i32(tcg_res, tcg_op);
@@ -XXX,XX +XXX,XX @@ static void disas_simd_scalar_three_reg_diff(DisasContext *s, uint32_t insn)
         tcg_temp_free_i64(tcg_op2);
         tcg_temp_free_i64(tcg_res);
     } else {
-        TCGv_i32 tcg_op1 = tcg_temp_new_i32();
-        TCGv_i32 tcg_op2 = tcg_temp_new_i32();
+        TCGv_i32 tcg_op1 = read_fp_hreg(s, rn);
+        TCGv_i32 tcg_op2 = read_fp_hreg(s, rm);
         TCGv_i64 tcg_res = tcg_temp_new_i64();
 
-        read_vec_element_i32(s, tcg_op1, rn, 0, MO_16);
-        read_vec_element_i32(s, tcg_op2, rm, 0, MO_16);
-
         gen_helper_neon_mull_s16(tcg_res, tcg_op1, tcg_op2);
         gen_helper_neon_addl_saturate_s32(tcg_res, cpu_env, tcg_res, tcg_res);
 
@@ -XXX,XX +XXX,XX @@ static void disas_simd_scalar_three_reg_same_fp16(DisasContext *s,
 
     fpst = get_fpstatus_ptr(true);
 
-    tcg_op1 = tcg_temp_new_i32();
-    tcg_op2 = tcg_temp_new_i32();
+    tcg_op1 = read_fp_hreg(s, rn);
+    tcg_op2 = read_fp_hreg(s, rm);
     tcg_res = tcg_temp_new_i32();
 
-    read_vec_element_i32(s, tcg_op1, rn, 0, MO_16);
-    read_vec_element_i32(s, tcg_op2, rm, 0, MO_16);
-
     switch (fpopcode) {
     case 0x03: /* FMULX */
         gen_helper_advsimd_mulxh(tcg_res, tcg_op1, tcg_op2, fpst);
@@ -XXX,XX +XXX,XX @@ static void disas_simd_two_reg_misc_fp16(DisasContext *s, uint32_t insn)
     }
 
     if (is_scalar) {
-        TCGv_i32 tcg_op = tcg_temp_new_i32();
+        TCGv_i32 tcg_op = read_fp_hreg(s, rn);
         TCGv_i32 tcg_res = tcg_temp_new_i32();
 
-        read_vec_element_i32(s, tcg_op, rn, 0, MO_16);
-
         switch (fpop) {
         case 0x1a: /* FCVTNS */
         case 0x1b: /* FCVTMS */
-- 
2.17.0

From: Richard Henderson <richard.henderson@linaro.org>

We missed all of the scalar fp16 binary operations.

Cc: qemu-stable@nongnu.org
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20180512003217.9105-7-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 65 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_fp_2src_double(DisasContext *s, int opcode,
     tcg_temp_free_i64(tcg_res);
 }
 
+/* Floating-point data-processing (2 source) - half precision */
+static void handle_fp_2src_half(DisasContext *s, int opcode,
+                                int rd, int rn, int rm)
+{
+    TCGv_i32 tcg_op1;
+    TCGv_i32 tcg_op2;
+    TCGv_i32 tcg_res;
+    TCGv_ptr fpst;
+
+    tcg_res = tcg_temp_new_i32();
+    fpst = get_fpstatus_ptr(true);
+    tcg_op1 = read_fp_hreg(s, rn);
+    tcg_op2 = read_fp_hreg(s, rm);
+
+    switch (opcode) {
+    case 0x0: /* FMUL */
+        gen_helper_advsimd_mulh(tcg_res, tcg_op1, tcg_op2, fpst);
+        break;
+    case 0x1: /* FDIV */
+        gen_helper_advsimd_divh(tcg_res, tcg_op1, tcg_op2, fpst);
+        break;
+    case 0x2: /* FADD */
+        gen_helper_advsimd_addh(tcg_res, tcg_op1, tcg_op2, fpst);
+        break;
+    case 0x3: /* FSUB */
+        gen_helper_advsimd_subh(tcg_res, tcg_op1, tcg_op2, fpst);
+        break;
+    case 0x4: /* FMAX */
+        gen_helper_advsimd_maxh(tcg_res, tcg_op1, tcg_op2, fpst);
+        break;
+    case 0x5: /* FMIN */
+        gen_helper_advsimd_minh(tcg_res, tcg_op1, tcg_op2, fpst);
+        break;
+    case 0x6: /* FMAXNM */
+        gen_helper_advsimd_maxnumh(tcg_res, tcg_op1, tcg_op2, fpst);
+        break;
+    case 0x7: /* FMINNM */
+        gen_helper_advsimd_minnumh(tcg_res, tcg_op1, tcg_op2, fpst);
+        break;
+    case 0x8: /* FNMUL */
+        gen_helper_advsimd_mulh(tcg_res, tcg_op1, tcg_op2, fpst);
+        tcg_gen_xori_i32(tcg_res, tcg_res, 0x8000);
+        break;
+    default:
+        g_assert_not_reached();
+    }
+
+    write_fp_sreg(s, rd, tcg_res);
+
+    tcg_temp_free_ptr(fpst);
+    tcg_temp_free_i32(tcg_op1);
+    tcg_temp_free_i32(tcg_op2);
+    tcg_temp_free_i32(tcg_res);
+}
+
 /* Floating point data-processing (2 source)
  *   31  30  29 28       24 23  22  21 20  16 15    12 11 10 9    5 4    0
  * +---+---+---+-----------+------+---+------+--------+-----+------+------+
@@ -XXX,XX +XXX,XX @@ static void disas_fp_2src(DisasContext *s, uint32_t insn)
         }
         handle_fp_2src_double(s, opcode, rd, rn, rm);
         break;
+    case 3:
+        if (!arm_dc_feature(s, ARM_FEATURE_V8_FP16)) {
+            unallocated_encoding(s);
+            return;
+        }
+        if (!fp_access_check(s)) {
+            return;
+        }
+        handle_fp_2src_half(s, opcode, rd, rn, rm);
+        break;
     default:
         unallocated_encoding(s);
     }
-- 
2.17.0

From: Richard Henderson <richard.henderson@linaro.org>

We missed all of the scalar fp16 fma operations.

Cc: qemu-stable@nongnu.org
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20180512003217.9105-8-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 48 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_fp_3src_double(DisasContext *s, bool o0, bool o1,
     tcg_temp_free_i64(tcg_res);
 }
 
+/* Floating-point data-processing (3 source) - half precision */
+static void handle_fp_3src_half(DisasContext *s, bool o0, bool o1,
+                                int rd, int rn, int rm, int ra)
+{
+    TCGv_i32 tcg_op1, tcg_op2, tcg_op3;
+    TCGv_i32 tcg_res = tcg_temp_new_i32();
+    TCGv_ptr fpst = get_fpstatus_ptr(true);
+
+    tcg_op1 = read_fp_hreg(s, rn);
+    tcg_op2 = read_fp_hreg(s, rm);
+    tcg_op3 = read_fp_hreg(s, ra);
+
+    /* These are fused multiply-add, and must be done as one
+     * floating point operation with no rounding between the
+     * multiplication and addition steps.
+     * NB that doing the negations here as separate steps is
+     * correct : an input NaN should come out with its sign bit
+     * flipped if it is a negated-input.
+     */
+    if (o1 == true) {
+        tcg_gen_xori_i32(tcg_op3, tcg_op3, 0x8000);
+    }
+
+    if (o0 != o1) {
+        tcg_gen_xori_i32(tcg_op1, tcg_op1, 0x8000);
+    }
+
+    gen_helper_advsimd_muladdh(tcg_res, tcg_op1, tcg_op2, tcg_op3, fpst);
+
+    write_fp_sreg(s, rd, tcg_res);
+
+    tcg_temp_free_ptr(fpst);
+    tcg_temp_free_i32(tcg_op1);
+    tcg_temp_free_i32(tcg_op2);
+    tcg_temp_free_i32(tcg_op3);
+    tcg_temp_free_i32(tcg_res);
+}
+
 /* Floating point data-processing (3 source)
  *   31  30  29 28       24 23  22  21  20  16  15  14  10 9    5 4    0
  * +---+---+---+-----------+------+----+------+----+------+------+------+
@@ -XXX,XX +XXX,XX @@ static void disas_fp_3src(DisasContext *s, uint32_t insn)
         }
         handle_fp_3src_double(s, o0, o1, rd, rn, rm, ra);
         break;
+    case 3:
+        if (!arm_dc_feature(s, ARM_FEATURE_V8_FP16)) {
+            unallocated_encoding(s);
+            return;
+        }
+        if (!fp_access_check(s)) {
+            return;
+        }
+        handle_fp_3src_half(s, o0, o1, rd, rn, rm, ra);
+        break;
     default:
         unallocated_encoding(s);
     }
-- 
2.17.0

From: Alex Bennée <alex.bennee@linaro.org>

These where missed out from the rest of the half-precision work.

Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180512003217.9105-9-richard.henderson@linaro.org
[rth: Diagnose lack of FP16 before fp_access_check]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-a64.h    |  2 +
 target/arm/helper-a64.c    | 10 +++++
 target/arm/translate-a64.c | 88 ++++++++++++++++++++++++++++++--------
 3 files changed, 83 insertions(+), 17 deletions(-)

diff --git a/target/arm/helper-a64.h b/target/arm/helper-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper-a64.h
+++ b/target/arm/helper-a64.h
@@ -XXX,XX +XXX,XX @@
 DEF_HELPER_FLAGS_2(udiv64, TCG_CALL_NO_RWG_SE, i64, i64, i64)
 DEF_HELPER_FLAGS_2(sdiv64, TCG_CALL_NO_RWG_SE, s64, s64, s64)
 DEF_HELPER_FLAGS_1(rbit64, TCG_CALL_NO_RWG_SE, i64, i64)
+DEF_HELPER_3(vfp_cmph_a64, i64, f16, f16, ptr)
+DEF_HELPER_3(vfp_cmpeh_a64, i64, f16, f16, ptr)
 DEF_HELPER_3(vfp_cmps_a64, i64, f32, f32, ptr)
 DEF_HELPER_3(vfp_cmpes_a64, i64, f32, f32, ptr)
 DEF_HELPER_3(vfp_cmpd_a64, i64, f64, f64, ptr)
diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper-a64.c
+++ b/target/arm/helper-a64.c
@@ -XXX,XX +XXX,XX @@ static inline uint32_t float_rel_to_flags(int res)
     return flags;
 }
 
+uint64_t HELPER(vfp_cmph_a64)(float16 x, float16 y, void *fp_status)
+{
+    return float_rel_to_flags(float16_compare_quiet(x, y, fp_status));
+}
+
+uint64_t HELPER(vfp_cmpeh_a64)(float16 x, float16 y, void *fp_status)
+{
+    return float_rel_to_flags(float16_compare(x, y, fp_status));
+}
+
 uint64_t HELPER(vfp_cmps_a64)(float32 x, float32 y, void *fp_status)
 {
     return float_rel_to_flags(float32_compare_quiet(x, y, fp_status));
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_data_proc_reg(DisasContext *s, uint32_t insn)
     }
 }
 
-static void handle_fp_compare(DisasContext *s, bool is_double,
+static void handle_fp_compare(DisasContext *s, int size,
                               unsigned int rn, unsigned int rm,
                               bool cmp_with_zero, bool signal_all_nans)
 {
     TCGv_i64 tcg_flags = tcg_temp_new_i64();
-    TCGv_ptr fpst = get_fpstatus_ptr(false);
+    TCGv_ptr fpst = get_fpstatus_ptr(size == MO_16);
 
-    if (is_double) {
+    if (size == MO_64) {
         TCGv_i64 tcg_vn, tcg_vm;
 
         tcg_vn = read_fp_dreg(s, rn);
@@ -XXX,XX +XXX,XX @@ static void handle_fp_compare(DisasContext *s, bool is_double,
         tcg_temp_free_i64(tcg_vn);
         tcg_temp_free_i64(tcg_vm);
     } else {
-        TCGv_i32 tcg_vn, tcg_vm;
+        TCGv_i32 tcg_vn = tcg_temp_new_i32();
+        TCGv_i32 tcg_vm = tcg_temp_new_i32();
 
-        tcg_vn = read_fp_sreg(s, rn);
+        read_vec_element_i32(s, tcg_vn, rn, 0, size);
         if (cmp_with_zero) {
-            tcg_vm = tcg_const_i32(0);
+            tcg_gen_movi_i32(tcg_vm, 0);
         } else {
-            tcg_vm = read_fp_sreg(s, rm);
+            read_vec_element_i32(s, tcg_vm, rm, 0, size);
         }
-        if (signal_all_nans) {
-            gen_helper_vfp_cmpes_a64(tcg_flags, tcg_vn, tcg_vm, fpst);
-        } else {
-            gen_helper_vfp_cmps_a64(tcg_flags, tcg_vn, tcg_vm, fpst);
+
+        switch (size) {
+        case MO_32:
+            if (signal_all_nans) {
+                gen_helper_vfp_cmpes_a64(tcg_flags, tcg_vn, tcg_vm, fpst);
+            } else {
+                gen_helper_vfp_cmps_a64(tcg_flags, tcg_vn, tcg_vm, fpst);
+            }
+            break;
+        case MO_16:
+            if (signal_all_nans) {
+                gen_helper_vfp_cmpeh_a64(tcg_flags, tcg_vn, tcg_vm, fpst);
+            } else {
+                gen_helper_vfp_cmph_a64(tcg_flags, tcg_vn, tcg_vm, fpst);
+            }
+            break;
+        default:
+            g_assert_not_reached();
         }
+
         tcg_temp_free_i32(tcg_vn);
         tcg_temp_free_i32(tcg_vm);
     }
@@ -XXX,XX +XXX,XX @@ static void handle_fp_compare(DisasContext *s, bool is_double,
 static void disas_fp_compare(DisasContext *s, uint32_t insn)
 {
     unsigned int mos, type, rm, op, rn, opc, op2r;
+    int size;
 
     mos = extract32(insn, 29, 3);
-    type = extract32(insn, 22, 2); /* 0 = single, 1 = double */
+    type = extract32(insn, 22, 2);
     rm = extract32(insn, 16, 5);
     op = extract32(insn, 14, 2);
     rn = extract32(insn, 5, 5);
     opc = extract32(insn, 3, 2);
     op2r = extract32(insn, 0, 3);
 
-    if (mos || op || op2r || type > 1) {
+    if (mos || op || op2r) {
+        unallocated_encoding(s);
+        return;
+    }
+
+    switch (type) {
+    case 0:
+        size = MO_32;
+        break;
+    case 1:
+        size = MO_64;
+        break;
+    case 3:
+        size = MO_16;
+        if (arm_dc_feature(s, ARM_FEATURE_V8_FP16)) {
+            break;
+        }
+        /* fallthru */
+    default:
         unallocated_encoding(s);
         return;
     }
@@ -XXX,XX +XXX,XX @@ static void disas_fp_compare(DisasContext *s, uint32_t insn)
         return;
     }
 
-    handle_fp_compare(s, type, rn, rm, opc & 1, opc & 2);
+    handle_fp_compare(s, size, rn, rm, opc & 1, opc & 2);
 }
 
 /* Floating point conditional compare
@@ -XXX,XX +XXX,XX @@ static void disas_fp_ccomp(DisasContext *s, uint32_t insn)
     unsigned int mos, type, rm, cond, rn, op, nzcv;
     TCGv_i64 tcg_flags;
     TCGLabel *label_continue = NULL;
+    int size;
 
     mos = extract32(insn, 29, 3);
-    type = extract32(insn, 22, 2); /* 0 = single, 1 = double */
+    type = extract32(insn, 22, 2);
     rm = extract32(insn, 16, 5);
     cond = extract32(insn, 12, 4);
     rn = extract32(insn, 5, 5);
     op = extract32(insn, 4, 1);
     nzcv = extract32(insn, 0, 4);
 
-    if (mos || type > 1) {
+    if (mos) {
+        unallocated_encoding(s);
+        return;
+    }
+
+    switch (type) {
+    case 0:
+        size = MO_32;
+        break;
+    case 1:
+        size = MO_64;
+        break;
+    case 3:
+        size = MO_16;
+        if (arm_dc_feature(s, ARM_FEATURE_V8_FP16)) {
+            break;
+        }
+        /* fallthru */
+    default:
         unallocated_encoding(s);
         return;
     }
@@ -XXX,XX +XXX,XX @@ static void disas_fp_ccomp(DisasContext *s, uint32_t insn)
         gen_set_label(label_match);
     }
 
-    handle_fp_compare(s, type, rn, rm, false, op);
+    handle_fp_compare(s, size, rn, rm, false, op);
 
     if (cond < 0x0e) {
         gen_set_label(label_continue);
-- 
2.17.0

From: Alex Bennée <alex.bennee@linaro.org>

These were missed out from the rest of the half-precision work.

Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180512003217.9105-10-richard.henderson@linaro.org
[rth: Fix erroneous check vs type]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 31 +++++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_fp_csel(DisasContext *s, uint32_t insn)
     unsigned int mos, type, rm, cond, rn, rd;
     TCGv_i64 t_true, t_false, t_zero;
     DisasCompare64 c;
+    TCGMemOp sz;
 
     mos = extract32(insn, 29, 3);
-    type = extract32(insn, 22, 2); /* 0 = single, 1 = double */
+    type = extract32(insn, 22, 2);
     rm = extract32(insn, 16, 5);
     cond = extract32(insn, 12, 4);
     rn = extract32(insn, 5, 5);
     rd = extract32(insn, 0, 5);
 
-    if (mos || type > 1) {
+    if (mos) {
+        unallocated_encoding(s);
+        return;
+    }
+
+    switch (type) {
+    case 0:
+        sz = MO_32;
+        break;
+    case 1:
+        sz = MO_64;
+        break;
+    case 3:
+        sz = MO_16;
+        if (arm_dc_feature(s, ARM_FEATURE_V8_FP16)) {
+            break;
+        }
+        /* fallthru */
+    default:
         unallocated_encoding(s);
         return;
     }
@@ -XXX,XX +XXX,XX @@ static void disas_fp_csel(DisasContext *s, uint32_t insn)
         return;
     }
 
-    /* Zero extend sreg inputs to 64 bits now.  */
+    /* Zero extend sreg & hreg inputs to 64 bits now.  */
     t_true = tcg_temp_new_i64();
     t_false = tcg_temp_new_i64();
-    read_vec_element(s, t_true, rn, 0, type ? MO_64 : MO_32);
-    read_vec_element(s, t_false, rm, 0, type ? MO_64 : MO_32);
+    read_vec_element(s, t_true, rn, 0, sz);
+    read_vec_element(s, t_false, rm, 0, sz);
 
     a64_test_cc(&c, cond);
     t_zero = tcg_const_i64(0);
@@ -XXX,XX +XXX,XX @@ static void disas_fp_csel(DisasContext *s, uint32_t insn)
     tcg_temp_free_i64(t_false);
     a64_free_cc(&c);
 
-    /* Note that sregs write back zeros to the high bits,
+    /* Note that sregs & hregs write back zeros to the high bits,
        and we've already done the zero-extension.  */
     write_fp_dreg(s, rd, t_true);
     tcg_temp_free_i64(t_true);
-- 
2.17.0

From: Alex Bennée <alex.bennee@linaro.org>

All the hard work is already done by vfp_expand_imm, we just need to
make sure we pick up the correct size.

Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180512003217.9105-11-richard.henderson@linaro.org
[rth: Merge unallocated_encoding check with TCGMemOp conversion.]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_fp_imm(DisasContext *s, uint32_t insn)
 {
     int rd = extract32(insn, 0, 5);
     int imm8 = extract32(insn, 13, 8);
-    int is_double = extract32(insn, 22, 2);
+    int type = extract32(insn, 22, 2);
     uint64_t imm;
     TCGv_i64 tcg_res;
+    TCGMemOp sz;
 
-    if (is_double > 1) {
+    switch (type) {
+    case 0:
+        sz = MO_32;
+        break;
+    case 1:
+        sz = MO_64;
+        break;
+    case 3:
+        sz = MO_16;
+        if (arm_dc_feature(s, ARM_FEATURE_V8_FP16)) {
+            break;
+        }
+        /* fallthru */
+    default:
         unallocated_encoding(s);
         return;
     }
@@ -XXX,XX +XXX,XX @@ static void disas_fp_imm(DisasContext *s, uint32_t insn)
         return;
     }
 
-    imm = vfp_expand_imm(MO_32 + is_double, imm8);
+    imm = vfp_expand_imm(sz, imm8);
 
     tcg_res = tcg_const_i64(imm);
     write_fp_dreg(s, rd, tcg_res);
-- 
2.17.0

From: Alex Bennée <alex.bennee@linaro.org>

We are meant to explicitly pass fpst, not cpu_env.

Cc: qemu-stable@nongnu.org
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20180512003217.9105-12-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_fp_1src_half(DisasContext *s, int opcode, int rd, int rn)
         tcg_gen_xori_i32(tcg_res, tcg_op, 0x8000);
         break;
     case 0x3: /* FSQRT */
-        gen_helper_sqrt_f16(tcg_res, tcg_op, cpu_env);
+        fpst = get_fpstatus_ptr(true);
+        gen_helper_sqrt_f16(tcg_res, tcg_op, fpst);
         break;
     case 0x8: /* FRINTN */
     case 0x9: /* FRINTP */
-- 
2.17.0

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Per the Physical Layer Simplified Spec. "4.3.10.4 Switch Function Status":

The block length is predefined to 512 bits

and "4.10.2 SD Status":

The SD Status contains status bits that are related to the SD Memory Card
  proprietary features and may be used for future application-specific usage.
  The size of the SD Status is one data block of 512 bit. The content of this
  register is transmitted to the Host over the DAT bus along with a 16-bit CRC.

Thus the 16-bit CRC goes at offset 64.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180509060104.4458-3-f4bug@amsat.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/sd/sd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -XXX,XX +XXX,XX @@ static void sd_function_switch(SDState *sd, uint32_t arg)
         sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4);
     }
     memset(&sd->data[17], 0, 47);
-    stw_be_p(sd->data + 65, sd_crc16(sd->data, 64));
+    stw_be_p(sd->data + 64, sd_crc16(sd->data, 64));
 }
 
 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
-- 
2.17.0

Usually the logging of the CPU state produced by -d cpu is sufficient
to diagnose problems, but sometimes you want to see the state of
the floating point registers as well. We don't want to enable that
by default as it adds a lot of extra data to the log; instead,
allow it to be optionally enabled via -d fpu.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180510130024.31678-1-peter.maydell@linaro.org
---
 include/qemu/log.h   | 1 +
 accel/tcg/cpu-exec.c | 9 ++++++---
 util/log.c           | 2 ++
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/include/qemu/log.h b/include/qemu/log.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/log.h
+++ b/include/qemu/log.h
@@ -XXX,XX +XXX,XX @@ static inline bool qemu_log_separate(void)
 #define CPU_LOG_PAGE       (1 << 14)
 /* LOG_TRACE (1 << 15) is defined in log-for-trace.h */
 #define CPU_LOG_TB_OP_IND  (1 << 16)
+#define CPU_LOG_TB_FPU     (1 << 17)
 
 /* Lock output for a series of related logs.  Since this is not needed
  * for a single qemu_log / qemu_log_mask / qemu_log_mask_and_addr, we
diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ static inline tcg_target_ulong cpu_tb_exec(CPUState *cpu, TranslationBlock *itb)
     if (qemu_loglevel_mask(CPU_LOG_TB_CPU)
         && qemu_log_in_addr_range(itb->pc)) {
         qemu_log_lock();
+        int flags = 0;
+        if (qemu_loglevel_mask(CPU_LOG_TB_FPU)) {
+            flags |= CPU_DUMP_FPU;
+        }
 #if defined(TARGET_I386)
-        log_cpu_state(cpu, CPU_DUMP_CCOP);
-#else
-        log_cpu_state(cpu, 0);
+        flags |= CPU_DUMP_CCOP;
 #endif
+        log_cpu_state(cpu, flags);
         qemu_log_unlock();
     }
 #endif /* DEBUG_DISAS */
diff --git a/util/log.c b/util/log.c
index XXXXXXX..XXXXXXX 100644
--- a/util/log.c
+++ b/util/log.c
@@ -XXX,XX +XXX,XX @@ const QEMULogItem qemu_log_items[] = {
       "show trace before each executed TB (lots of logs)" },
     { CPU_LOG_TB_CPU, "cpu",
       "show CPU registers before entering a TB (lots of logs)" },
+    { CPU_LOG_TB_FPU, "fpu",
+      "include FPU registers in the 'cpu' logging" },
     { CPU_LOG_MMU, "mmu",
       "log MMU-related activities" },
     { CPU_LOG_PCALL, "pcall",
-- 
2.17.0

The following changes since commit 64ada298b98a51eb2512607f6e6180cb330c47b1:

Merge remote-tracking branch 'remotes/legoater/tags/pull-ppc-20220302' into staging (2022-03-02 12:38:46 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220302

for you to fetch changes up to 268c11984e67867c22f53beb3c7f8b98900d66b2:

ui/cocoa.m: Remove unnecessary NSAutoreleasePools (2022-03-02 19:27:37 +0000)

----------------------------------------------------------------
target-arm queue:
 * mps3-an547: Add missing user ahb interfaces
 * hw/arm/mps2-tz.c: Update AN547 documentation URL
 * hw/input/tsc210x: Don't abort on bad SPI word widths
 * hw/i2c: flatten pca954x mux device
 * target/arm: Support PSCI 1.1 and SMCCC 1.0
 * target/arm: Fix early free of TCG temp in handle_simd_shift_fpint_conv()
 * tests/qtest: add qtests for npcm7xx sdhci
 * Implement FEAT_LVA
 * Implement FEAT_LPA
 * Implement FEAT_LPA2 (but do not enable it yet)
 * Report KVM's actual PSCI version to guest in dtb
 * ui/cocoa.m: Fix updateUIInfo threading issues
 * ui/cocoa.m: Remove unnecessary NSAutoreleasePools

----------------------------------------------------------------
Akihiko Odaki (1):
      target/arm: Support PSCI 1.1 and SMCCC 1.0

Jimmy Brisson (1):
      mps3-an547: Add missing user ahb interfaces

Patrick Venture (1):
      hw/i2c: flatten pca954x mux device

Peter Maydell (5):
      hw/arm/mps2-tz.c: Update AN547 documentation URL
      hw/input/tsc210x: Don't abort on bad SPI word widths
      target/arm: Report KVM's actual PSCI version to guest in dtb
      ui/cocoa.m: Fix updateUIInfo threading issues
      ui/cocoa.m: Remove unnecessary NSAutoreleasePools

Richard Henderson (16):
      hw/registerfields: Add FIELD_SEX<N> and FIELD_SDP<N>
      target/arm: Set TCR_EL1.TSZ for user-only
      target/arm: Fault on invalid TCR_ELx.TxSZ
      target/arm: Move arm_pamax out of line
      target/arm: Pass outputsize down to check_s2_mmu_setup
      target/arm: Use MAKE_64BIT_MASK to compute indexmask
      target/arm: Honor TCR_ELx.{I}PS
      target/arm: Prepare DBGBVR and DBGWVR for FEAT_LVA
      target/arm: Implement FEAT_LVA
      target/arm: Implement FEAT_LPA
      target/arm: Extend arm_fi_to_lfsc to level -1
      target/arm: Introduce tlbi_aa64_get_range
      target/arm: Fix TLBIRange.base for 16k and 64k pages
      target/arm: Validate tlbi TG matches translation granule in use
      target/arm: Advertise all page sizes for -cpu max
      target/arm: Implement FEAT_LPA2

Shengtan Mao (1):
      tests/qtest: add qtests for npcm7xx sdhci

Wentao_Liang (1):
      target/arm: Fix early free of TCG temp in handle_simd_shift_fpint_conv()

From: Jimmy Brisson <jimmy.brisson@linaro.org>

With these interfaces missing, TFM would delegate peripherals 0, 1,
2, 3 and 8, and qemu would ignore the delegation of interface 8, as
it thought interface 4 was eth & USB.

This patch corrects this behavior and allows TFM to delegate the
eth & USB peripheral to NS mode.

(The old QEMU behaviour was based on revision B of the AN547
appnote; revision C corrects this error in the documentation,
and this commit brings QEMU in to line with how the FPGA
image really behaves.)

Signed-off-by: Jimmy Brisson <jimmy.brisson@linaro.org>
Message-id: 20220210210227.3203883-1-jimmy.brisson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: added commit message note clarifying that the old behaviour
was a docs issue, not because there were two different versions
of the FPGA image]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/mps2-tz.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/arm/mps2-tz.c b/hw/arm/mps2-tz.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/mps2-tz.c
+++ b/hw/arm/mps2-tz.c
@@ -XXX,XX +XXX,XX @@ static void mps2tz_common_init(MachineState *machine)
                 { "gpio1", make_unimp_dev, &mms->gpio[1], 0x41101000, 0x1000 },
                 { "gpio2", make_unimp_dev, &mms->gpio[2], 0x41102000, 0x1000 },
                 { "gpio3", make_unimp_dev, &mms->gpio[3], 0x41103000, 0x1000 },
+                { /* port 4 USER AHB interface 0 */ },
+                { /* port 5 USER AHB interface 1 */ },
+                { /* port 6 USER AHB interface 2 */ },
+                { /* port 7 USER AHB interface 3 */ },
                 { "eth-usb", make_eth_usb, NULL, 0x41400000, 0x200000, { 49 } },
             },
         },
-- 
2.25.1

The AN547 application note URL has changed: update our comment
accordingly. (Rev B is still downloadable from the old URL,
but there is a new Rev C of the document now.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20220221094144.426191-1-peter.maydell@linaro.org
---
 hw/arm/mps2-tz.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/mps2-tz.c b/hw/arm/mps2-tz.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/mps2-tz.c
+++ b/hw/arm/mps2-tz.c
@@ -XXX,XX +XXX,XX @@
  * Application Note AN524:
  * https://developer.arm.com/documentation/dai0524/latest/
  * Application Note AN547:
- * https://developer.arm.com/-/media/Arm%20Developer%20Community/PDF/DAI0547B_SSE300_PLUS_U55_FPGA_for_mps3.pdf
+ * https://developer.arm.com/documentation/dai0547/latest/
  *
  * The AN505 defers to the Cortex-M33 processor ARMv8M IoT Kit FVP User Guide
  * (ARM ECM0601256) for the details of some of the device layout:
-- 
2.25.1

The tsc210x doesn't support anything other than 16-bit reads on the
SPI bus, but the guest can program the SPI controller to attempt
them anyway. If this happens, don't abort QEMU, just log this as
a guest error.

This fixes our machine_arm_n8x0.py:N8x0Machine.test_n800
acceptance test, which hits this assertion.

The reason we hit the assertion is because the guest kernel thinks
there is a TSC2005 on this SPI bus address, not a TSC210x.  (The n810
*does* have a TSC2005 at this address.) The TSC2005 supports the
24-bit accesses which the guest driver makes, and the TSC210x does
not (that is, our TSC210x emulation is not missing support for a word
width the hardware can handle).  It's not clear whether the problem
here is that the guest kernel incorrectly thinks the n800 has the
same device at this SPI bus address as the n810, or that QEMU's n810
board model doesn't get the SPI devices right.  At this late date
there no longer appears to be any reliable information on the web
about the hardware behaviour, but I am inclined to think this is a
guest kernel bug.  In any case, we prefer not to abort QEMU for
guest-triggerable conditions, so logging the error is the right thing
to do.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/736
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20220221140750.514557-1-peter.maydell@linaro.org
---
 hw/input/tsc210x.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/hw/input/tsc210x.c b/hw/input/tsc210x.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/input/tsc210x.c
+++ b/hw/input/tsc210x.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/hw.h"
 #include "audio/audio.h"
 #include "qemu/timer.h"
+#include "qemu/log.h"
 #include "sysemu/reset.h"
 #include "ui/console.h"
 #include "hw/arm/omap.h"            /* For I2SCodec */
@@ -XXX,XX +XXX,XX @@ uint32_t tsc210x_txrx(void *opaque, uint32_t value, int len)
     TSC210xState *s = opaque;
     uint32_t ret = 0;
 
-    if (len != 16)
-        hw_error("%s: FIXME: bad SPI word width %i\n", __func__, len);
+    if (len != 16) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: bad SPI word width %i\n", __func__, len);
+        return 0;
+    }
 
     /* TODO: sequential reads etc - how do we make sure the host doesn't
      * unintentionally read out a conversion result from a register while
-- 
2.25.1

From: Patrick Venture <venture@google.com>

Previously this device created N subdevices which each owned an i2c bus.
Now this device simply owns the N i2c busses directly.

Tested: Verified devices behind mux are still accessible via qmp and i2c
from within an arm32 SoC.

Reviewed-by: Hao Wu <wuhaotsh@google.com>
Signed-off-by: Patrick Venture <venture@google.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20220202164533.1283668-1-venture@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/i2c/i2c_mux_pca954x.c | 77 +++++++---------------------------------
 1 file changed, 13 insertions(+), 64 deletions(-)

diff --git a/hw/i2c/i2c_mux_pca954x.c b/hw/i2c/i2c_mux_pca954x.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/i2c/i2c_mux_pca954x.c
+++ b/hw/i2c/i2c_mux_pca954x.c
@@ -XXX,XX +XXX,XX @@
 #define PCA9548_CHANNEL_COUNT 8
 #define PCA9546_CHANNEL_COUNT 4
 
-/*
- * struct Pca954xChannel - The i2c mux device will have N of these states
- * that own the i2c channel bus.
- * @bus: The owned channel bus.
- * @enabled: Is this channel active?
- */
-typedef struct Pca954xChannel {
-    SysBusDevice parent;
-
-    I2CBus       *bus;
-
-    bool         enabled;
-} Pca954xChannel;
-
-#define TYPE_PCA954X_CHANNEL "pca954x-channel"
-#define PCA954X_CHANNEL(obj) \
-    OBJECT_CHECK(Pca954xChannel, (obj), TYPE_PCA954X_CHANNEL)
-
 /*
  * struct Pca954xState - The pca954x state object.
  * @control: The value written to the mux control.
@@ -XXX,XX +XXX,XX @@ typedef struct Pca954xState {
 
     uint8_t control;
 
-    /* The channel i2c buses. */
-    Pca954xChannel channel[PCA9548_CHANNEL_COUNT];
+    bool enabled[PCA9548_CHANNEL_COUNT];
+    I2CBus *bus[PCA9548_CHANNEL_COUNT];
 } Pca954xState;
 
 /*
@@ -XXX,XX +XXX,XX @@ static bool pca954x_match(I2CSlave *candidate, uint8_t address,
     }
 
     for (i = 0; i < mc->nchans; i++) {
-        if (!mux->channel[i].enabled) {
+        if (!mux->enabled[i]) {
             continue;
         }
 
-        if (i2c_scan_bus(mux->channel[i].bus, address, broadcast,
+        if (i2c_scan_bus(mux->bus[i], address, broadcast,
                          current_devs)) {
             if (!broadcast) {
                 return true;
@@ -XXX,XX +XXX,XX @@ static void pca954x_enable_channel(Pca954xState *s, uint8_t enable_mask)
      */
     for (i = 0; i < mc->nchans; i++) {
         if (enable_mask & (1 << i)) {
-            s->channel[i].enabled = true;
+            s->enabled[i] = true;
         } else {
-            s->channel[i].enabled = false;
+            s->enabled[i] = false;
         }
     }
 }
@@ -XXX,XX +XXX,XX @@ I2CBus *pca954x_i2c_get_bus(I2CSlave *mux, uint8_t channel)
     Pca954xState *pca954x = PCA954X(mux);
 
     g_assert(channel < pc->nchans);
-    return I2C_BUS(qdev_get_child_bus(DEVICE(&pca954x->channel[channel]),
-                                      "i2c-bus"));
-}
-
-static void pca954x_channel_init(Object *obj)
-{
-    Pca954xChannel *s = PCA954X_CHANNEL(obj);
-    s->bus = i2c_init_bus(DEVICE(s), "i2c-bus");
-
-    /* Start all channels as disabled. */
-    s->enabled = false;
-}
-
-static void pca954x_channel_class_init(ObjectClass *klass, void *data)
-{
-    DeviceClass *dc = DEVICE_CLASS(klass);
-    dc->desc = "Pca954x Channel";
+    return pca954x->bus[channel];
 }
 
 static void pca9546_class_init(ObjectClass *klass, void *data)
@@ -XXX,XX +XXX,XX @@ static void pca9548_class_init(ObjectClass *klass, void *data)
     s->nchans = PCA9548_CHANNEL_COUNT;
 }
 
-static void pca954x_realize(DeviceState *dev, Error **errp)
-{
-    Pca954xState *s = PCA954X(dev);
-    Pca954xClass *c = PCA954X_GET_CLASS(s);
-    int i;
-
-    /* SMBus modules. Cannot fail. */
-    for (i = 0; i < c->nchans; i++) {
-        sysbus_realize(SYS_BUS_DEVICE(&s->channel[i]), &error_abort);
-    }
-}
-
 static void pca954x_init(Object *obj)
 {
     Pca954xState *s = PCA954X(obj);
     Pca954xClass *c = PCA954X_GET_CLASS(obj);
     int i;
 
-    /* Only initialize the children we expect. */
+    /* SMBus modules. Cannot fail. */
     for (i = 0; i < c->nchans; i++) {
-        object_initialize_child(obj, "channel[*]", &s->channel[i],
-                                TYPE_PCA954X_CHANNEL);
+        g_autofree gchar *bus_name = g_strdup_printf("i2c.%d", i);
+
+        /* start all channels as disabled. */
+        s->enabled[i] = false;
+        s->bus[i] = i2c_init_bus(DEVICE(s), bus_name);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static void pca954x_class_init(ObjectClass *klass, void *data)
     rc->phases.enter = pca954x_enter_reset;
 
     dc->desc = "Pca954x i2c-mux";
-    dc->realize = pca954x_realize;
 
     k->write_data = pca954x_write_data;
     k->receive_byte = pca954x_read_byte;
@@ -XXX,XX +XXX,XX @@ static const TypeInfo pca954x_info[] = {
         .parent        = TYPE_PCA954X,
         .class_init    = pca9548_class_init,
     },
-    {
-        .name = TYPE_PCA954X_CHANNEL,
-        .parent = TYPE_SYS_BUS_DEVICE,
-        .class_init = pca954x_channel_class_init,
-        .instance_size = sizeof(Pca954xChannel),
-        .instance_init = pca954x_channel_init,
-    }
 };
 
 DEFINE_TYPES(pca954x_info)
-- 
2.25.1

From: Akihiko Odaki <akihiko.odaki@gmail.com>

Support the latest PSCI on TCG and HVF. A 64-bit function called from
AArch32 now returns NOT_SUPPORTED, which is necessary to adhere to SMC
Calling Convention 1.0. It is still not compliant with SMCCC 1.3 since
they do not implement mandatory functions.

Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com>
Message-id: 20220213035753.34577-1-akihiko.odaki@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: update MISMATCH_CHECK checks on PSCI_VERSION macros to match]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/kvm-consts.h | 13 +++++++++----
 hw/arm/boot.c           | 12 +++++++++---
 target/arm/cpu.c        |  5 +++--
 target/arm/hvf/hvf.c    | 27 ++++++++++++++++++++++++++-
 target/arm/kvm64.c      |  2 +-
 target/arm/psci.c       | 35 ++++++++++++++++++++++++++++++++---
 6 files changed, 80 insertions(+), 14 deletions(-)

diff --git a/target/arm/kvm-consts.h b/target/arm/kvm-consts.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm-consts.h
+++ b/target/arm/kvm-consts.h
@@ -XXX,XX +XXX,XX @@ MISMATCH_CHECK(QEMU_PSCI_0_1_FN_MIGRATE, KVM_PSCI_FN_MIGRATE);
 #define QEMU_PSCI_0_2_FN64_AFFINITY_INFO QEMU_PSCI_0_2_FN64(4)
 #define QEMU_PSCI_0_2_FN64_MIGRATE QEMU_PSCI_0_2_FN64(5)
 
+#define QEMU_PSCI_1_0_FN_PSCI_FEATURES QEMU_PSCI_0_2_FN(10)
+
 MISMATCH_CHECK(QEMU_PSCI_0_2_FN_CPU_SUSPEND, PSCI_0_2_FN_CPU_SUSPEND);
 MISMATCH_CHECK(QEMU_PSCI_0_2_FN_CPU_OFF, PSCI_0_2_FN_CPU_OFF);
 MISMATCH_CHECK(QEMU_PSCI_0_2_FN_CPU_ON, PSCI_0_2_FN_CPU_ON);
@@ -XXX,XX +XXX,XX @@ MISMATCH_CHECK(QEMU_PSCI_0_2_FN_MIGRATE, PSCI_0_2_FN_MIGRATE);
 MISMATCH_CHECK(QEMU_PSCI_0_2_FN64_CPU_SUSPEND, PSCI_0_2_FN64_CPU_SUSPEND);
 MISMATCH_CHECK(QEMU_PSCI_0_2_FN64_CPU_ON, PSCI_0_2_FN64_CPU_ON);
 MISMATCH_CHECK(QEMU_PSCI_0_2_FN64_MIGRATE, PSCI_0_2_FN64_MIGRATE);
+MISMATCH_CHECK(QEMU_PSCI_1_0_FN_PSCI_FEATURES, PSCI_1_0_FN_PSCI_FEATURES);
 
 /* PSCI v0.2 return values used by TCG emulation of PSCI */
 
 /* No Trusted OS migration to worry about when offlining CPUs */
 #define QEMU_PSCI_0_2_RET_TOS_MIGRATION_NOT_REQUIRED        2
 
-/* We implement version 0.2 only */
-#define QEMU_PSCI_0_2_RET_VERSION_0_2                       2
+#define QEMU_PSCI_VERSION_0_1                     0x00001
+#define QEMU_PSCI_VERSION_0_2                     0x00002
+#define QEMU_PSCI_VERSION_1_1                     0x10001
 
 MISMATCH_CHECK(QEMU_PSCI_0_2_RET_TOS_MIGRATION_NOT_REQUIRED, PSCI_0_2_TOS_MP);
-MISMATCH_CHECK(QEMU_PSCI_0_2_RET_VERSION_0_2,
-               (PSCI_VERSION_MAJOR(0) | PSCI_VERSION_MINOR(2)));
+/* We don't bother to check every possible version value */
+MISMATCH_CHECK(QEMU_PSCI_VERSION_0_2, PSCI_VERSION(0, 2));
+MISMATCH_CHECK(QEMU_PSCI_VERSION_1_1, PSCI_VERSION(1, 1));
 
 /* PSCI return values (inclusive of all PSCI versions) */
 #define QEMU_PSCI_RET_SUCCESS                     0
diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static void fdt_add_psci_node(void *fdt)
     }
 
     qemu_fdt_add_subnode(fdt, "/psci");
-    if (armcpu->psci_version == 2) {
-        const char comp[] = "arm,psci-0.2\0arm,psci";
-        qemu_fdt_setprop(fdt, "/psci", "compatible", comp, sizeof(comp));
+    if (armcpu->psci_version == QEMU_PSCI_VERSION_0_2 ||
+        armcpu->psci_version == QEMU_PSCI_VERSION_1_1) {
+        if (armcpu->psci_version == QEMU_PSCI_VERSION_0_2) {
+            const char comp[] = "arm,psci-0.2\0arm,psci";
+            qemu_fdt_setprop(fdt, "/psci", "compatible", comp, sizeof(comp));
+        } else {
+            const char comp[] = "arm,psci-1.0\0arm,psci-0.2\0arm,psci";
+            qemu_fdt_setprop(fdt, "/psci", "compatible", comp, sizeof(comp));
+        }
 
         cpu_off_fn = QEMU_PSCI_0_2_FN_CPU_OFF;
         if (arm_feature(&armcpu->env, ARM_FEATURE_AARCH64)) {
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_initfn(Object *obj)
      * picky DTB consumer will also provide a helpful error message.
      */
     cpu->dtb_compatible = "qemu,unknown";
-    cpu->psci_version = 1; /* By default assume PSCI v0.1 */
+    cpu->psci_version = QEMU_PSCI_VERSION_0_1; /* By default assume PSCI v0.1 */
     cpu->kvm_target = QEMU_KVM_ARM_TARGET_NONE;
 
     if (tcg_enabled() || hvf_enabled()) {
-        cpu->psci_version = 2; /* TCG and HVF implement PSCI 0.2 */
+        /* TCG and HVF implement PSCI 1.1 */
+        cpu->psci_version = QEMU_PSCI_VERSION_1_1;
     }
 }
 
diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/hvf/hvf.c
+++ b/target/arm/hvf/hvf.c
@@ -XXX,XX +XXX,XX @@ static bool hvf_handle_psci_call(CPUState *cpu)
 
     switch (param[0]) {
     case QEMU_PSCI_0_2_FN_PSCI_VERSION:
-        ret = QEMU_PSCI_0_2_RET_VERSION_0_2;
+        ret = QEMU_PSCI_VERSION_1_1;
         break;
     case QEMU_PSCI_0_2_FN_MIGRATE_INFO_TYPE:
         ret = QEMU_PSCI_0_2_RET_TOS_MIGRATION_NOT_REQUIRED; /* No trusted OS */
@@ -XXX,XX +XXX,XX @@ static bool hvf_handle_psci_call(CPUState *cpu)
     case QEMU_PSCI_0_2_FN_MIGRATE:
         ret = QEMU_PSCI_RET_NOT_SUPPORTED;
         break;
+    case QEMU_PSCI_1_0_FN_PSCI_FEATURES:
+        switch (param[1]) {
+        case QEMU_PSCI_0_2_FN_PSCI_VERSION:
+        case QEMU_PSCI_0_2_FN_MIGRATE_INFO_TYPE:
+        case QEMU_PSCI_0_2_FN_AFFINITY_INFO:
+        case QEMU_PSCI_0_2_FN64_AFFINITY_INFO:
+        case QEMU_PSCI_0_2_FN_SYSTEM_RESET:
+        case QEMU_PSCI_0_2_FN_SYSTEM_OFF:
+        case QEMU_PSCI_0_1_FN_CPU_ON:
+        case QEMU_PSCI_0_2_FN_CPU_ON:
+        case QEMU_PSCI_0_2_FN64_CPU_ON:
+        case QEMU_PSCI_0_1_FN_CPU_OFF:
+        case QEMU_PSCI_0_2_FN_CPU_OFF:
+        case QEMU_PSCI_0_1_FN_CPU_SUSPEND:
+        case QEMU_PSCI_0_2_FN_CPU_SUSPEND:
+        case QEMU_PSCI_0_2_FN64_CPU_SUSPEND:
+        case QEMU_PSCI_1_0_FN_PSCI_FEATURES:
+            ret = 0;
+            break;
+        case QEMU_PSCI_0_1_FN_MIGRATE:
+        case QEMU_PSCI_0_2_FN_MIGRATE:
+        default:
+            ret = QEMU_PSCI_RET_NOT_SUPPORTED;
+        }
+        break;
     default:
         return false;
     }
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ int kvm_arch_init_vcpu(CPUState *cs)
         cpu->kvm_init_features[0] |= 1 << KVM_ARM_VCPU_POWER_OFF;
     }
     if (kvm_check_extension(cs->kvm_state, KVM_CAP_ARM_PSCI_0_2)) {
-        cpu->psci_version = 2;
+        cpu->psci_version = QEMU_PSCI_VERSION_0_2;
         cpu->kvm_init_features[0] |= 1 << KVM_ARM_VCPU_PSCI_0_2;
     }
     if (!arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
diff --git a/target/arm/psci.c b/target/arm/psci.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/psci.c
+++ b/target/arm/psci.c
@@ -XXX,XX +XXX,XX @@ void arm_handle_psci_call(ARMCPU *cpu)
 {
     /*
      * This function partially implements the logic for dispatching Power State
-     * Coordination Interface (PSCI) calls (as described in ARM DEN 0022B.b),
+     * Coordination Interface (PSCI) calls (as described in ARM DEN 0022D.b),
      * to the extent required for bringing up and taking down secondary cores,
      * and for handling reset and poweroff requests.
      * Additional information about the calling convention used is available in
@@ -XXX,XX +XXX,XX @@ void arm_handle_psci_call(ARMCPU *cpu)
     }
 
     if ((param[0] & QEMU_PSCI_0_2_64BIT) && !is_a64(env)) {
-        ret = QEMU_PSCI_RET_INVALID_PARAMS;
+        ret = QEMU_PSCI_RET_NOT_SUPPORTED;
         goto err;
     }
 
@@ -XXX,XX +XXX,XX @@ void arm_handle_psci_call(ARMCPU *cpu)
         ARMCPU *target_cpu;
 
     case QEMU_PSCI_0_2_FN_PSCI_VERSION:
-        ret = QEMU_PSCI_0_2_RET_VERSION_0_2;
+        ret = QEMU_PSCI_VERSION_1_1;
         break;
     case QEMU_PSCI_0_2_FN_MIGRATE_INFO_TYPE:
         ret = QEMU_PSCI_0_2_RET_TOS_MIGRATION_NOT_REQUIRED; /* No trusted OS */
@@ -XXX,XX +XXX,XX @@ void arm_handle_psci_call(ARMCPU *cpu)
         }
         helper_wfi(env, 4);
         break;
+    case QEMU_PSCI_1_0_FN_PSCI_FEATURES:
+        switch (param[1]) {
+        case QEMU_PSCI_0_2_FN_PSCI_VERSION:
+        case QEMU_PSCI_0_2_FN_MIGRATE_INFO_TYPE:
+        case QEMU_PSCI_0_2_FN_AFFINITY_INFO:
+        case QEMU_PSCI_0_2_FN64_AFFINITY_INFO:
+        case QEMU_PSCI_0_2_FN_SYSTEM_RESET:
+        case QEMU_PSCI_0_2_FN_SYSTEM_OFF:
+        case QEMU_PSCI_0_1_FN_CPU_ON:
+        case QEMU_PSCI_0_2_FN_CPU_ON:
+        case QEMU_PSCI_0_2_FN64_CPU_ON:
+        case QEMU_PSCI_0_1_FN_CPU_OFF:
+        case QEMU_PSCI_0_2_FN_CPU_OFF:
+        case QEMU_PSCI_0_1_FN_CPU_SUSPEND:
+        case QEMU_PSCI_0_2_FN_CPU_SUSPEND:
+        case QEMU_PSCI_0_2_FN64_CPU_SUSPEND:
+        case QEMU_PSCI_1_0_FN_PSCI_FEATURES:
+            if (!(param[1] & QEMU_PSCI_0_2_64BIT) || is_a64(env)) {
+                ret = 0;
+                break;
+            }
+            /* fallthrough */
+        case QEMU_PSCI_0_1_FN_MIGRATE:
+        case QEMU_PSCI_0_2_FN_MIGRATE:
+        default:
+            ret = QEMU_PSCI_RET_NOT_SUPPORTED;
+            break;
+        }
+        break;
     case QEMU_PSCI_0_1_FN_MIGRATE:
     case QEMU_PSCI_0_2_FN_MIGRATE:
     default:
-- 
2.25.1

From: Wentao_Liang <Wentao_Liang_g@163.com>

handle_simd_shift_fpint_conv() was accidentally freeing the TCG
temporary tcg_fpstatus too early, before the last use of it.  Move
the free down to where it belongs.

Signed-off-by: Wentao_Liang <Wentao_Liang_g@163.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
[PMM: cleaned up commit message]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_simd_shift_fpint_conv(DisasContext *s, bool is_scalar,
         }
     }
 
-    tcg_temp_free_ptr(tcg_fpstatus);
     tcg_temp_free_i32(tcg_shift);
     gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);
+    tcg_temp_free_ptr(tcg_fpstatus);
     tcg_temp_free_i32(tcg_rmode);
 }
 
-- 
2.25.1

From: Shengtan Mao <stmao@google.com>

Reviewed-by: Hao Wu <wuhaotsh@google.com>
Reviewed-by: Chris Rauer <crauer@google.com>
Signed-off-by: Shengtan Mao <stmao@google.com>
Signed-off-by: Patrick Venture <venture@google.com>
Message-id: 20220225174451.192304-1-wuhaotsh@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/npcm7xx_sdhci-test.c | 215 +++++++++++++++++++++++++++++++
 tests/qtest/meson.build          |   1 +
 2 files changed, 216 insertions(+)
 create mode 100644 tests/qtest/npcm7xx_sdhci-test.c

diff --git a/tests/qtest/npcm7xx_sdhci-test.c b/tests/qtest/npcm7xx_sdhci-test.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/qtest/npcm7xx_sdhci-test.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * QTests for NPCM7xx SD-3.0 / MMC-4.51 Host Controller
+ *
+ * Copyright (c) 2022 Google LLC
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "qemu/osdep.h"
+#include "hw/sd/npcm7xx_sdhci.h"
+
+#include "libqos/libqtest.h"
+#include "libqtest-single.h"
+#include "libqos/sdhci-cmd.h"
+
+#define NPCM7XX_REG_SIZE 0x100
+#define NPCM7XX_MMC_BA 0xF0842000
+#define NPCM7XX_BLK_SIZE 512
+#define NPCM7XX_TEST_IMAGE_SIZE (1 << 30)
+
+char *sd_path;
+
+static QTestState *setup_sd_card(void)
+{
+    QTestState *qts = qtest_initf(
+        "-machine kudo-bmc "
+        "-device sd-card,drive=drive0 "
+        "-drive id=drive0,if=none,file=%s,format=raw,auto-read-only=off",
+        sd_path);
+
+    qtest_writew(qts, NPCM7XX_MMC_BA + SDHC_SWRST, SDHC_RESET_ALL);
+    qtest_writew(qts, NPCM7XX_MMC_BA + SDHC_CLKCON,
+                 SDHC_CLOCK_SDCLK_EN | SDHC_CLOCK_INT_STABLE |
+                     SDHC_CLOCK_INT_EN);
+    sdhci_cmd_regs(qts, NPCM7XX_MMC_BA, 0, 0, 0, 0, SDHC_APP_CMD);
+    sdhci_cmd_regs(qts, NPCM7XX_MMC_BA, 0, 0, 0x41200000, 0, (41 << 8));
+    sdhci_cmd_regs(qts, NPCM7XX_MMC_BA, 0, 0, 0, 0, SDHC_ALL_SEND_CID);
+    sdhci_cmd_regs(qts, NPCM7XX_MMC_BA, 0, 0, 0, 0, SDHC_SEND_RELATIVE_ADDR);
+    sdhci_cmd_regs(qts, NPCM7XX_MMC_BA, 0, 0, 0x45670000, 0,
+                   SDHC_SELECT_DESELECT_CARD);
+
+    return qts;
+}
+
+static void write_sdread(QTestState *qts, const char *msg)
+{
+    int fd, ret;
+    size_t len = strlen(msg);
+    char *rmsg = g_malloc(len);
+
+    /* write message to sd */
+    fd = open(sd_path, O_WRONLY);
+    g_assert(fd >= 0);
+    ret = write(fd, msg, len);
+    close(fd);
+    g_assert(ret == len);
+
+    /* read message using sdhci */
+    ret = sdhci_read_cmd(qts, NPCM7XX_MMC_BA, rmsg, len);
+    g_assert(ret == len);
+    g_assert(!memcmp(rmsg, msg, len));
+
+    g_free(rmsg);
+}
+
+/* Check MMC can read values from sd */
+static void test_read_sd(void)
+{
+    QTestState *qts = setup_sd_card();
+
+    write_sdread(qts, "hello world");
+    write_sdread(qts, "goodbye");
+
+    qtest_quit(qts);
+}
+
+static void sdwrite_read(QTestState *qts, const char *msg)
+{
+    int fd, ret;
+    size_t len = strlen(msg);
+    char *rmsg = g_malloc(len);
+
+    /* write message using sdhci */
+    sdhci_write_cmd(qts, NPCM7XX_MMC_BA, msg, len, NPCM7XX_BLK_SIZE);
+
+    /* read message from sd */
+    fd = open(sd_path, O_RDONLY);
+    g_assert(fd >= 0);
+    ret = read(fd, rmsg, len);
+    close(fd);
+    g_assert(ret == len);
+
+    g_assert(!memcmp(rmsg, msg, len));
+
+    g_free(rmsg);
+}
+
+/* Check MMC can write values to sd */
+static void test_write_sd(void)
+{
+    QTestState *qts = setup_sd_card();
+
+    sdwrite_read(qts, "hello world");
+    sdwrite_read(qts, "goodbye");
+
+    qtest_quit(qts);
+}
+
+/* Check SDHCI has correct default values. */
+static void test_reset(void)
+{
+    QTestState *qts = qtest_init("-machine kudo-bmc");
+    uint64_t addr = NPCM7XX_MMC_BA;
+    uint64_t end_addr = addr + NPCM7XX_REG_SIZE;
+    uint16_t prstvals_resets[] = {NPCM7XX_PRSTVALS_0_RESET,
+                                  NPCM7XX_PRSTVALS_1_RESET,
+                                  0,
+                                  NPCM7XX_PRSTVALS_3_RESET,
+                                  0,
+                                  0};
+    int i;
+    uint32_t mask;
+
+    while (addr < end_addr) {
+        switch (addr - NPCM7XX_MMC_BA) {
+        case SDHC_PRNSTS:
+            /*
+             * ignores bits 20 to 24: they are changed when reading registers
+             */
+            mask = 0x1f00000;
+            g_assert_cmphex(qtest_readl(qts, addr) | mask, ==,
+                            NPCM7XX_PRSNTS_RESET | mask);
+            addr += 4;
+            break;
+        case SDHC_BLKGAP:
+            g_assert_cmphex(qtest_readb(qts, addr), ==, NPCM7XX_BLKGAP_RESET);
+            addr += 1;
+            break;
+        case SDHC_CAPAB:
+            g_assert_cmphex(qtest_readq(qts, addr), ==, NPCM7XX_CAPAB_RESET);
+            addr += 8;
+            break;
+        case SDHC_MAXCURR:
+            g_assert_cmphex(qtest_readq(qts, addr), ==, NPCM7XX_MAXCURR_RESET);
+            addr += 8;
+            break;
+        case SDHC_HCVER:
+            g_assert_cmphex(qtest_readw(qts, addr), ==, NPCM7XX_HCVER_RESET);
+            addr += 2;
+            break;
+        case NPCM7XX_PRSTVALS:
+            for (i = 0; i < NPCM7XX_PRSTVALS_SIZE; ++i) {
+                g_assert_cmphex(qtest_readw(qts, addr + 2 * i), ==,
+                                prstvals_resets[i]);
+            }
+            addr += NPCM7XX_PRSTVALS_SIZE * 2;
+            break;
+        default:
+            g_assert_cmphex(qtest_readb(qts, addr), ==, 0);
+            addr += 1;
+        }
+    }
+
+    qtest_quit(qts);
+}
+
+static void drive_destroy(void)
+{
+    unlink(sd_path);
+    g_free(sd_path);
+}
+
+static void drive_create(void)
+{
+    int fd, ret;
+    GError *error = NULL;
+
+    /* Create a temporary raw image */
+    fd = g_file_open_tmp("sdhci_XXXXXX", &sd_path, &error);
+    if (fd == -1) {
+        fprintf(stderr, "unable to create sdhci file: %s\n", error->message);
+        g_error_free(error);
+    }
+    g_assert(sd_path != NULL);
+
+    ret = ftruncate(fd, NPCM7XX_TEST_IMAGE_SIZE);
+    g_assert_cmpint(ret, ==, 0);
+    g_message("%s", sd_path);
+    close(fd);
+}
+
+int main(int argc, char **argv)
+{
+    int ret;
+
+    drive_create();
+
+    g_test_init(&argc, &argv, NULL);
+
+    qtest_add_func("npcm7xx_sdhci/reset", test_reset);
+    qtest_add_func("npcm7xx_sdhci/write_sd", test_write_sd);
+    qtest_add_func("npcm7xx_sdhci/read_sd", test_read_sd);
+
+    ret = g_test_run();
+    drive_destroy();
+    return ret;
+}
diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -XXX,XX +XXX,XX @@ qtests_npcm7xx = \
    'npcm7xx_gpio-test',
    'npcm7xx_pwm-test',
    'npcm7xx_rng-test',
+   'npcm7xx_sdhci-test',
    'npcm7xx_smbus-test',
    'npcm7xx_timer-test',
    'npcm7xx_watchdog_timer-test'] + \
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Add new macros to manipulate signed fields within the register.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220301215958.157011-2-richard.henderson@linaro.org
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/registerfields.h | 48 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)

diff --git a/include/hw/registerfields.h b/include/hw/registerfields.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/registerfields.h
+++ b/include/hw/registerfields.h
@@ -XXX,XX +XXX,XX @@
     extract64((storage), R_ ## reg ## _ ## field ## _SHIFT,               \
               R_ ## reg ## _ ## field ## _LENGTH)
 
+#define FIELD_SEX8(storage, reg, field)                                   \
+    sextract8((storage), R_ ## reg ## _ ## field ## _SHIFT,               \
+              R_ ## reg ## _ ## field ## _LENGTH)
+#define FIELD_SEX16(storage, reg, field)                                  \
+    sextract16((storage), R_ ## reg ## _ ## field ## _SHIFT,              \
+               R_ ## reg ## _ ## field ## _LENGTH)
+#define FIELD_SEX32(storage, reg, field)                                  \
+    sextract32((storage), R_ ## reg ## _ ## field ## _SHIFT,              \
+               R_ ## reg ## _ ## field ## _LENGTH)
+#define FIELD_SEX64(storage, reg, field)                                  \
+    sextract64((storage), R_ ## reg ## _ ## field ## _SHIFT,              \
+               R_ ## reg ## _ ## field ## _LENGTH)
+
 /* Extract a field from an array of registers */
 #define ARRAY_FIELD_EX32(regs, reg, field)                                \
     FIELD_EX32((regs)[R_ ## reg], reg, field)
@@ -XXX,XX +XXX,XX @@
     _d; })
 #define FIELD_DP64(storage, reg, field, val) ({                           \
     struct {                                                              \
-        uint64_t v:R_ ## reg ## _ ## field ## _LENGTH;                \
+        uint64_t v:R_ ## reg ## _ ## field ## _LENGTH;                    \
+    } _v = { .v = val };                                                  \
+    uint64_t _d;                                                          \
+    _d = deposit64((storage), R_ ## reg ## _ ## field ## _SHIFT,          \
+                  R_ ## reg ## _ ## field ## _LENGTH, _v.v);              \
+    _d; })
+
+#define FIELD_SDP8(storage, reg, field, val) ({                           \
+    struct {                                                              \
+        signed int v:R_ ## reg ## _ ## field ## _LENGTH;                  \
+    } _v = { .v = val };                                                  \
+    uint8_t _d;                                                           \
+    _d = deposit32((storage), R_ ## reg ## _ ## field ## _SHIFT,          \
+                  R_ ## reg ## _ ## field ## _LENGTH, _v.v);              \
+    _d; })
+#define FIELD_SDP16(storage, reg, field, val) ({                          \
+    struct {                                                              \
+        signed int v:R_ ## reg ## _ ## field ## _LENGTH;                  \
+    } _v = { .v = val };                                                  \
+    uint16_t _d;                                                          \
+    _d = deposit32((storage), R_ ## reg ## _ ## field ## _SHIFT,          \
+                  R_ ## reg ## _ ## field ## _LENGTH, _v.v);              \
+    _d; })
+#define FIELD_SDP32(storage, reg, field, val) ({                          \
+    struct {                                                              \
+        signed int v:R_ ## reg ## _ ## field ## _LENGTH;                  \
+    } _v = { .v = val };                                                  \
+    uint32_t _d;                                                          \
+    _d = deposit32((storage), R_ ## reg ## _ ## field ## _SHIFT,          \
+                  R_ ## reg ## _ ## field ## _LENGTH, _v.v);              \
+    _d; })
+#define FIELD_SDP64(storage, reg, field, val) ({                          \
+    struct {                                                              \
+        int64_t v:R_ ## reg ## _ ## field ## _LENGTH;                     \
     } _v = { .v = val };                                                  \
     uint64_t _d;                                                          \
     _d = deposit64((storage), R_ ## reg ## _ ## field ## _SHIFT,          \
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Set this as the kernel would, to 48 bits, to keep the computation
of the address space correct for PAuth.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220301215958.157011-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
                 aarch64_sve_zcr_get_valid_len(cpu, cpu->sve_default_vq - 1);
         }
         /*
+         * Enable 48-bit address space (TODO: take reserved_va into account).
          * Enable TBI0 but not TBI1.
          * Note that this must match useronly_clean_ptr.
          */
-        env->cp15.tcr_el[1].raw_tcr = (1ULL << 37);
+        env->cp15.tcr_el[1].raw_tcr = 5 | (1ULL << 37);
 
         /* Enable MTE */
         if (cpu_isar_feature(aa64_mte, cpu)) {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Without FEAT_LVA, the behaviour of programming an invalid value
is IMPLEMENTATION DEFINED.  With FEAT_LVA, programming an invalid
minimum value requires a Translation fault.

It is most self-consistent to choose to generate the fault always.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220301215958.157011-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h |  1 +
 target/arm/helper.c    | 32 ++++++++++++++++++++++++++++----
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ typedef struct ARMVAParameters {
     bool hpd        : 1;
     bool using16k   : 1;
     bool using64k   : 1;
+    bool tsz_oob    : 1;  /* tsz has been clamped to legal range */
 } ARMVAParameters;
 
 ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
                                    ARMMMUIdx mmu_idx, bool data)
 {
     uint64_t tcr = regime_tcr(env, mmu_idx)->raw_tcr;
-    bool epd, hpd, using16k, using64k;
-    int select, tsz, tbi, max_tsz;
+    bool epd, hpd, using16k, using64k, tsz_oob;
+    int select, tsz, tbi, max_tsz, min_tsz;
 
     if (!regime_has_2_ranges(mmu_idx)) {
         select = 0;
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
     } else {
         max_tsz = 39;
     }
+    min_tsz = 16;  /* TODO: ARMv8.2-LVA  */
 
-    tsz = MIN(tsz, max_tsz);
-    tsz = MAX(tsz, 16);  /* TODO: ARMv8.2-LVA  */
+    if (tsz > max_tsz) {
+        tsz = max_tsz;
+        tsz_oob = true;
+    } else if (tsz < min_tsz) {
+        tsz = min_tsz;
+        tsz_oob = true;
+    } else {
+        tsz_oob = false;
+    }
 
     /* Present TBI as a composite with TBID.  */
     tbi = aa64_va_parameter_tbi(tcr, mmu_idx);
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
         .hpd = hpd,
         .using16k = using16k,
         .using64k = using64k,
+        .tsz_oob = tsz_oob,
     };
 }
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
         param = aa64_va_parameters(env, address, mmu_idx,
                                    access_type != MMU_INST_FETCH);
         level = 0;
+
+        /*
+         * If TxSZ is programmed to a value larger than the maximum,
+         * or smaller than the effective minimum, it is IMPLEMENTATION
+         * DEFINED whether we behave as if the field were programmed
+         * within bounds, or if a level 0 Translation fault is generated.
+         *
+         * With FEAT_LVA, fault on less than minimum becomes required,
+         * so our choice is to always raise the fault.
+         */
+        if (param.tsz_oob) {
+            fault_type = ARMFault_Translation;
+            goto do_fault;
+        }
+
         addrsize = 64 - 8 * param.tbi;
         inputsize = 64 - param.tsz;
     } else {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

We will shortly share parts of this function with other portions
of address translation.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220301215958.157011-5-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h | 19 +------------------
 target/arm/helper.c    | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 18 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline void update_spsel(CPUARMState *env, uint32_t imm)
  * Returns the implementation defined bit-width of physical addresses.
  * The ARMv8 reference manuals refer to this as PAMax().
  */
-static inline unsigned int arm_pamax(ARMCPU *cpu)
-{
-    static const unsigned int pamax_map[] = {
-        [0] = 32,
-        [1] = 36,
-        [2] = 40,
-        [3] = 42,
-        [4] = 44,
-        [5] = 48,
-    };
-    unsigned int parange =
-        FIELD_EX64(cpu->isar.id_aa64mmfr0, ID_AA64MMFR0, PARANGE);
-
-    /* id_aa64mmfr0 is a read-only register so values outside of the
-     * supported mappings can be considered an implementation error.  */
-    assert(parange < ARRAY_SIZE(pamax_map));
-    return pamax_map[parange];
-}
+unsigned int arm_pamax(ARMCPU *cpu);
 
 /* Return true if extended addresses are enabled.
  * This is always the case if our translation regime is 64 bit,
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint8_t convert_stage2_attrs(CPUARMState *env, uint8_t s2attrs)
 }
 #endif /* !CONFIG_USER_ONLY */
 
+/* The cpu-specific constant value of PAMax; also used by hw/arm/virt. */
+unsigned int arm_pamax(ARMCPU *cpu)
+{
+    static const unsigned int pamax_map[] = {
+        [0] = 32,
+        [1] = 36,
+        [2] = 40,
+        [3] = 42,
+        [4] = 44,
+        [5] = 48,
+    };
+    unsigned int parange =
+        FIELD_EX64(cpu->isar.id_aa64mmfr0, ID_AA64MMFR0, PARANGE);
+
+    /*
+     * id_aa64mmfr0 is a read-only register so values outside of the
+     * supported mappings can be considered an implementation error.
+     */
+    assert(parange < ARRAY_SIZE(pamax_map));
+    return pamax_map[parange];
+}
+
 static int aa64_va_parameter_tbi(uint64_t tcr, ARMMMUIdx mmu_idx)
 {
     if (regime_has_2_ranges(mmu_idx)) {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Pass down the width of the output address from translation.
For now this is still just PAMax, but a subsequent patch will
compute the correct value from TCR_ELx.{I}PS.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220301215958.157011-6-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ do_fault:
  * false otherwise.
  */
 static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
-                               int inputsize, int stride)
+                               int inputsize, int stride, int outputsize)
 {
     const int grainsize = stride + 3;
     int startsizecheck;
@@ -XXX,XX +XXX,XX @@ static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
     }
 
     if (is_aa64) {
-        CPUARMState *env = &cpu->env;
-        unsigned int pamax = arm_pamax(cpu);
-
         switch (stride) {
         case 13: /* 64KB Pages.  */
-            if (level == 0 || (level == 1 && pamax <= 42)) {
+            if (level == 0 || (level == 1 && outputsize <= 42)) {
                 return false;
             }
             break;
         case 11: /* 16KB Pages.  */
-            if (level == 0 || (level == 1 && pamax <= 40)) {
+            if (level == 0 || (level == 1 && outputsize <= 40)) {
                 return false;
             }
             break;
         case 9: /* 4KB Pages.  */
-            if (level == 0 && pamax <= 42) {
+            if (level == 0 && outputsize <= 42) {
                 return false;
             }
             break;
@@ -XXX,XX +XXX,XX @@ static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
         }
 
         /* Inputsize checks.  */
-        if (inputsize > pamax &&
-            (arm_el_is_aa64(env, 1) || inputsize > 40)) {
+        if (inputsize > outputsize &&
+            (arm_el_is_aa64(&cpu->env, 1) || inputsize > 40)) {
             /* This is CONSTRAINED UNPREDICTABLE and we choose to fault.  */
             return false;
         }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
     target_ulong page_size;
     uint32_t attrs;
     int32_t stride;
-    int addrsize, inputsize;
+    int addrsize, inputsize, outputsize;
     TCR *tcr = regime_tcr(env, mmu_idx);
     int ap, ns, xn, pxn;
     uint32_t el = regime_el(env, mmu_idx);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
 
         addrsize = 64 - 8 * param.tbi;
         inputsize = 64 - param.tsz;
+        outputsize = arm_pamax(cpu);
     } else {
         param = aa32_va_parameters(env, address, mmu_idx);
         level = 1;
         addrsize = (mmu_idx == ARMMMUIdx_Stage2 ? 40 : 32);
         inputsize = addrsize - param.tsz;
+        outputsize = 40;
     }
 
     /*
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
 
         /* Check that the starting level is valid. */
         ok = check_s2_mmu_setup(cpu, aarch64, startlevel,
-                                inputsize, stride);
+                                inputsize, stride, outputsize);
         if (!ok) {
             fault_type = ARMFault_Translation;
             goto do_fault;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

The macro is a bit more readable than the inlined computation.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220301215958.157011-7-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
         level = startlevel;
     }
 
-    indexmask_grainsize = (1ULL << (stride + 3)) - 1;
-    indexmask = (1ULL << (inputsize - (stride * (4 - level)))) - 1;
+    indexmask_grainsize = MAKE_64BIT_MASK(0, stride + 3);
+    indexmask = MAKE_64BIT_MASK(0, inputsize - (stride * (4 - level)));
 
     /* Now we can extract the actual base address from the TTBR */
     descaddr = extract64(ttbr, 0, 48);
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This field controls the output (intermediate) physical address size
of the translation process.  V8 requires to raise an AddressSize
fault if the page tables are programmed incorrectly, such that any
intermediate descriptor address, or the final translated address,
is out of range.

Add a PS field to ARMVAParameters, and properly compute outputsize
in get_phys_addr_lpae.  Test the descaddr as extracted from TTBR
and from page table entries.

Restrict descaddrmask so that we won't raise the fault for v7.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220301215958.157011-8-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h |  1 +
 target/arm/helper.c    | 72 ++++++++++++++++++++++++++++++++----------
 2 files changed, 57 insertions(+), 16 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t aarch64_pstate_valid_mask(const ARMISARegisters *id)
  */
 typedef struct ARMVAParameters {
     unsigned tsz    : 8;
+    unsigned ps     : 3;
     unsigned select : 1;
     bool tbi        : 1;
     bool epd        : 1;
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint8_t convert_stage2_attrs(CPUARMState *env, uint8_t s2attrs)
 }
 #endif /* !CONFIG_USER_ONLY */
 
+/* This mapping is common between ID_AA64MMFR0.PARANGE and TCR_ELx.{I}PS. */
+static const uint8_t pamax_map[] = {
+    [0] = 32,
+    [1] = 36,
+    [2] = 40,
+    [3] = 42,
+    [4] = 44,
+    [5] = 48,
+};
+
 /* The cpu-specific constant value of PAMax; also used by hw/arm/virt. */
 unsigned int arm_pamax(ARMCPU *cpu)
 {
-    static const unsigned int pamax_map[] = {
-        [0] = 32,
-        [1] = 36,
-        [2] = 40,
-        [3] = 42,
-        [4] = 44,
-        [5] = 48,
-    };
     unsigned int parange =
         FIELD_EX64(cpu->isar.id_aa64mmfr0, ID_AA64MMFR0, PARANGE);
 
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
 {
     uint64_t tcr = regime_tcr(env, mmu_idx)->raw_tcr;
     bool epd, hpd, using16k, using64k, tsz_oob;
-    int select, tsz, tbi, max_tsz, min_tsz;
+    int select, tsz, tbi, max_tsz, min_tsz, ps;
 
     if (!regime_has_2_ranges(mmu_idx)) {
         select = 0;
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
             hpd = extract32(tcr, 24, 1);
         }
         epd = false;
+        ps = extract32(tcr, 16, 3);
     } else {
         /*
          * Bit 55 is always between the two regions, and is canonical for
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
             epd = extract32(tcr, 23, 1);
             hpd = extract64(tcr, 42, 1);
         }
+        ps = extract64(tcr, 32, 3);
     }
 
     if (cpu_isar_feature(aa64_st, env_archcpu(env))) {
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
 
     return (ARMVAParameters) {
         .tsz = tsz,
+        .ps = ps,
         .select = select,
         .tbi = tbi,
         .epd = epd,
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
 
     /* TODO: This code does not support shareability levels. */
     if (aarch64) {
+        int ps;
+
         param = aa64_va_parameters(env, address, mmu_idx,
                                    access_type != MMU_INST_FETCH);
         level = 0;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
 
         addrsize = 64 - 8 * param.tbi;
         inputsize = 64 - param.tsz;
-        outputsize = arm_pamax(cpu);
+
+        /*
+         * Bound PS by PARANGE to find the effective output address size.
+         * ID_AA64MMFR0 is a read-only register so values outside of the
+         * supported mappings can be considered an implementation error.
+         */
+        ps = FIELD_EX64(cpu->isar.id_aa64mmfr0, ID_AA64MMFR0, PARANGE);
+        ps = MIN(ps, param.ps);
+        assert(ps < ARRAY_SIZE(pamax_map));
+        outputsize = pamax_map[ps];
     } else {
         param = aa32_va_parameters(env, address, mmu_idx);
         level = 1;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
 
     /* Now we can extract the actual base address from the TTBR */
     descaddr = extract64(ttbr, 0, 48);
+
+    /*
+     * If the base address is out of range, raise AddressSizeFault.
+     * In the pseudocode, this is !IsZero(baseregister<47:outputsize>),
+     * but we've just cleared the bits above 47, so simplify the test.
+     */
+    if (descaddr >> outputsize) {
+        level = 0;
+        fault_type = ARMFault_AddressSize;
+        goto do_fault;
+    }
+
     /*
      * We rely on this masking to clear the RES0 bits at the bottom of the TTBR
      * and also to mask out CnP (bit 0) which could validly be non-zero.
      */
     descaddr &= ~indexmask;
 
-    /* The address field in the descriptor goes up to bit 39 for ARMv7
-     * but up to bit 47 for ARMv8, but we use the descaddrmask
-     * up to bit 39 for AArch32, because we don't need other bits in that case
-     * to construct next descriptor address (anyway they should be all zeroes).
+    /*
+     * For AArch32, the address field in the descriptor goes up to bit 39
+     * for both v7 and v8.  However, for v8 the SBZ bits [47:40] must be 0
+     * or an AddressSize fault is raised.  So for v8 we extract those SBZ
+     * bits as part of the address, which will be checked via outputsize.
+     * For AArch64, the address field always goes up to bit 47 (with extra
+     * bits for FEAT_LPA placed elsewhere).  AArch64 implies v8.
      */
-    descaddrmask = ((1ull << (aarch64 ? 48 : 40)) - 1) &
-                   ~indexmask_grainsize;
+    if (arm_feature(env, ARM_FEATURE_V8)) {
+        descaddrmask = MAKE_64BIT_MASK(0, 48);
+    } else {
+        descaddrmask = MAKE_64BIT_MASK(0, 40);
+    }
+    descaddrmask &= ~indexmask_grainsize;
 
     /* Secure accesses start with the page table in secure memory and
      * can be downgraded to non-secure at any step. Non-secure accesses
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
             /* Invalid, or the Reserved level 3 encoding */
             goto do_fault;
         }
+
         descaddr = descriptor & descaddrmask;
+        if (descaddr >> outputsize) {
+            fault_type = ARMFault_AddressSize;
+            goto do_fault;
+        }
 
         if ((descriptor & 2) && (level < 3)) {
             /* Table entry. The top five bits are attributes which may
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

The original A.a revision of the AArch64 ARM required that we
force-extend the addresses in these registers from 49 bits.
This language has been loosened via a combination of IMPLEMENTATION
DEFINED and CONSTRAINTED UNPREDICTABLE to allow consideration of
the entire aligned address.

This means that we do not have to consider whether or not FEAT_LVA
is enabled, and decide from which bit an address might need to be
extended.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220301215958.157011-9-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void dbgwvr_write(CPUARMState *env, const ARMCPRegInfo *ri,
     ARMCPU *cpu = env_archcpu(env);
     int i = ri->crm;
 
-    /* Bits [63:49] are hardwired to the value of bit [48]; that is, the
-     * register reads and behaves as if values written are sign extended.
+    /*
      * Bits [1:0] are RES0.
+     *
+     * It is IMPLEMENTATION DEFINED whether [63:49] ([63:53] with FEAT_LVA)
+     * are hardwired to the value of bit [48] ([52] with FEAT_LVA), or if
+     * they contain the value written.  It is CONSTRAINED UNPREDICTABLE
+     * whether the RESS bits are ignored when comparing an address.
+     *
+     * Therefore we are allowed to compare the entire register, which lets
+     * us avoid considering whether or not FEAT_LVA is actually enabled.
      */
-    value = sextract64(value, 0, 49) & ~3ULL;
+    value &= ~3ULL;
 
     raw_write(env, ri, value);
     hw_watchpoint_update(cpu, i);
@@ -XXX,XX +XXX,XX @@ void hw_breakpoint_update(ARMCPU *cpu, int n)
     case 0: /* unlinked address match */
     case 1: /* linked address match */
     {
-        /* Bits [63:49] are hardwired to the value of bit [48]; that is,
-         * we behave as if the register was sign extended. Bits [1:0] are
-         * RES0. The BAS field is used to allow setting breakpoints on 16
-         * bit wide instructions; it is CONSTRAINED UNPREDICTABLE whether
+        /*
+         * Bits [1:0] are RES0.
+         *
+         * It is IMPLEMENTATION DEFINED whether bits [63:49]
+         * ([63:53] for FEAT_LVA) are hardwired to a copy of the sign bit
+         * of the VA field ([48] or [52] for FEAT_LVA), or whether the
+         * value is read as written.  It is CONSTRAINED UNPREDICTABLE
+         * whether the RESS bits are ignored when comparing an address.
+         * Therefore we are allowed to compare the entire register, which
+         * lets us avoid considering whether FEAT_LVA is actually enabled.
+         *
+         * The BAS field is used to allow setting breakpoints on 16-bit
+         * wide instructions; it is CONSTRAINED UNPREDICTABLE whether
          * a bp will fire if the addresses covered by the bp and the addresses
          * covered by the insn overlap but the insn doesn't start at the
          * start of the bp address range. We choose to require the insn and
@@ -XXX,XX +XXX,XX @@ void hw_breakpoint_update(ARMCPU *cpu, int n)
          * See also figure D2-3 in the v8 ARM ARM (DDI0487A.c).
          */
         int bas = extract64(bcr, 5, 4);
-        addr = sextract64(bvr, 0, 49) & ~3ULL;
+        addr = bvr & ~3ULL;
         if (bas == 0) {
             return;
         }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This feature is relatively small, as it applies only to
64k pages and thus requires no additional changes to the
table descriptor walking algorithm, only a change to the
minimum TSZ (which is the inverse of the maximum virtual
address space size).

Note that this feature widens VBAR_ELx, but we already
treat the register as being 64 bits wide.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220301215958.157011-10-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/emulation.rst | 1 +
 target/arm/cpu-param.h        | 2 +-
 target/arm/cpu.h              | 5 +++++
 target/arm/cpu64.c            | 1 +
 target/arm/helper.c           | 9 ++++++++-
 5 files changed, 16 insertions(+), 2 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

This feature widens physical addresses (and intermediate physical
addresses for 2-stage translation) from 48 to 52 bits, when using
64k pages.  The only thing left at this point is to handle the
extra bits in the TTBR and in the table descriptors.

Note that PAR_EL1 and HPFAR_EL2 are nominally extended, but we don't
mask out the high bits when writing to those registers, so no changes
are required there.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220301215958.157011-11-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/emulation.rst |  1 +
 target/arm/cpu-param.h        |  2 +-
 target/arm/cpu64.c            |  2 +-
 target/arm/helper.c           | 19 ++++++++++++++++---
 4 files changed, 19 insertions(+), 5 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

With FEAT_LPA2, rather than introducing translation level 4,
we introduce level -1, below the current level 0.  Extend
arm_fi_to_lfsc to handle these faults.

Assert that this new translation level does not leak into
fault types for which it is not defined, which allows some
masking of fi->level to be removed.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220301215958.157011-12-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h | 35 +++++++++++++++++++++++++++++------
 1 file changed, 29 insertions(+), 6 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t arm_fi_to_lfsc(ARMMMUFaultInfo *fi)
     case ARMFault_None:
         return 0;
     case ARMFault_AddressSize:
-        fsc = fi->level & 3;
+        assert(fi->level >= -1 && fi->level <= 3);
+        if (fi->level < 0) {
+            fsc = 0b101001;
+        } else {
+            fsc = fi->level;
+        }
         break;
     case ARMFault_AccessFlag:
-        fsc = (fi->level & 3) | (0x2 << 2);
+        assert(fi->level >= 0 && fi->level <= 3);
+        fsc = 0b001000 | fi->level;
         break;
     case ARMFault_Permission:
-        fsc = (fi->level & 3) | (0x3 << 2);
+        assert(fi->level >= 0 && fi->level <= 3);
+        fsc = 0b001100 | fi->level;
         break;
     case ARMFault_Translation:
-        fsc = (fi->level & 3) | (0x1 << 2);
+        assert(fi->level >= -1 && fi->level <= 3);
+        if (fi->level < 0) {
+            fsc = 0b101011;
+        } else {
+            fsc = 0b000100 | fi->level;
+        }
         break;
     case ARMFault_SyncExternal:
         fsc = 0x10 | (fi->ea << 12);
         break;
     case ARMFault_SyncExternalOnWalk:
-        fsc = (fi->level & 3) | (0x5 << 2) | (fi->ea << 12);
+        assert(fi->level >= -1 && fi->level <= 3);
+        if (fi->level < 0) {
+            fsc = 0b010011;
+        } else {
+            fsc = 0b010100 | fi->level;
+        }
+        fsc |= fi->ea << 12;
         break;
     case ARMFault_SyncParity:
         fsc = 0x18;
         break;
     case ARMFault_SyncParityOnWalk:
-        fsc = (fi->level & 3) | (0x7 << 2);
+        assert(fi->level >= -1 && fi->level <= 3);
+        if (fi->level < 0) {
+            fsc = 0b011011;
+        } else {
+            fsc = 0b011100 | fi->level;
+        }
         break;
     case ARMFault_AsyncParity:
         fsc = 0x19;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Merge tlbi_aa64_range_get_length and tlbi_aa64_range_get_base,
returning a structure containing both results.  Pass in the
ARMMMUIdx, rather than the digested two_ranges boolean.

This is in preparation for FEAT_LPA2, where the interpretation
of 'value' depends on the effective value of DS for the regime.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220301215958.157011-13-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 58 +++++++++++++++++++--------------------------
 1 file changed, 24 insertions(+), 34 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_vae3is_write(CPUARMState *env, const ARMCPRegInfo *ri,
 }
 
 #ifdef TARGET_AARCH64
-static uint64_t tlbi_aa64_range_get_length(CPUARMState *env,
-                                           uint64_t value)
-{
-    unsigned int page_shift;
-    unsigned int page_size_granule;
-    uint64_t num;
-    uint64_t scale;
-    uint64_t exponent;
+typedef struct {
+    uint64_t base;
     uint64_t length;
+} TLBIRange;
+
+static TLBIRange tlbi_aa64_get_range(CPUARMState *env, ARMMMUIdx mmuidx,
+                                     uint64_t value)
+{
+    unsigned int page_size_granule, page_shift, num, scale, exponent;
+    TLBIRange ret = { };
 
-    num = extract64(value, 39, 5);
-    scale = extract64(value, 44, 2);
     page_size_granule = extract64(value, 46, 2);
 
     if (page_size_granule == 0) {
         qemu_log_mask(LOG_GUEST_ERROR, "Invalid page size granule %d\n",
                       page_size_granule);
-        return 0;
+        return ret;
     }
 
     page_shift = (page_size_granule - 1) * 2 + 12;
-
+    num = extract64(value, 39, 5);
+    scale = extract64(value, 44, 2);
     exponent = (5 * scale) + 1;
-    length = (num + 1) << (exponent + page_shift);
 
-    return length;
-}
+    ret.length = (num + 1) << (exponent + page_shift);
 
-static uint64_t tlbi_aa64_range_get_base(CPUARMState *env, uint64_t value,
-                                        bool two_ranges)
-{
-    /* TODO: ARMv8.7 FEAT_LPA2 */
-    uint64_t pageaddr;
-
-    if (two_ranges) {
-        pageaddr = sextract64(value, 0, 37) << TARGET_PAGE_BITS;
+    if (regime_has_2_ranges(mmuidx)) {
+        ret.base = sextract64(value, 0, 37) << TARGET_PAGE_BITS;
     } else {
-        pageaddr = extract64(value, 0, 37) << TARGET_PAGE_BITS;
+        ret.base = extract64(value, 0, 37) << TARGET_PAGE_BITS;
     }
 
-    return pageaddr;
+    return ret;
 }
 
 static void do_rvae_write(CPUARMState *env, uint64_t value,
                           int idxmap, bool synced)
 {
     ARMMMUIdx one_idx = ARM_MMU_IDX_A | ctz32(idxmap);
-    bool two_ranges = regime_has_2_ranges(one_idx);
-    uint64_t baseaddr, length;
+    TLBIRange range;
     int bits;
 
-    baseaddr = tlbi_aa64_range_get_base(env, value, two_ranges);
-    length = tlbi_aa64_range_get_length(env, value);
-    bits = tlbbits_for_regime(env, one_idx, baseaddr);
+    range = tlbi_aa64_get_range(env, one_idx, value);
+    bits = tlbbits_for_regime(env, one_idx, range.base);
 
     if (synced) {
         tlb_flush_range_by_mmuidx_all_cpus_synced(env_cpu(env),
-                                                  baseaddr,
-                                                  length,
+                                                  range.base,
+                                                  range.length,
                                                   idxmap,
                                                   bits);
     } else {
-        tlb_flush_range_by_mmuidx(env_cpu(env), baseaddr,
-                                  length, idxmap, bits);
+        tlb_flush_range_by_mmuidx(env_cpu(env), range.base,
+                                  range.length, idxmap, bits);
     }
 }
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

The shift of the BaseADDR field depends on the translation
granule in use.

Fixes: 84940ed8255 ("target/arm: Add support for FEAT_TLBIRANGE")
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220301215958.157011-14-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static TLBIRange tlbi_aa64_get_range(CPUARMState *env, ARMMMUIdx mmuidx,
     ret.length = (num + 1) << (exponent + page_shift);
 
     if (regime_has_2_ranges(mmuidx)) {
-        ret.base = sextract64(value, 0, 37) << TARGET_PAGE_BITS;
+        ret.base = sextract64(value, 0, 37);
     } else {
-        ret.base = extract64(value, 0, 37) << TARGET_PAGE_BITS;
+        ret.base = extract64(value, 0, 37);
     }
+    ret.base <<= page_shift;
 
     return ret;
 }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

For FEAT_LPA2, we will need other ARMVAParameters, which themselves
depend on the translation granule in use.  We might as well validate
that the given TG matches; the architecture "does not require that
the instruction invalidates any entries" if this is not true.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220301215958.157011-15-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static TLBIRange tlbi_aa64_get_range(CPUARMState *env, ARMMMUIdx mmuidx,
                                      uint64_t value)
 {
     unsigned int page_size_granule, page_shift, num, scale, exponent;
+    /* Extract one bit to represent the va selector in use. */
+    uint64_t select = sextract64(value, 36, 1);
+    ARMVAParameters param = aa64_va_parameters(env, select, mmuidx, true);
     TLBIRange ret = { };
 
     page_size_granule = extract64(value, 46, 2);
 
-    if (page_size_granule == 0) {
-        qemu_log_mask(LOG_GUEST_ERROR, "Invalid page size granule %d\n",
+    /* The granule encoded in value must match the granule in use. */
+    if (page_size_granule != (param.using64k ? 3 : param.using16k ? 2 : 1)) {
+        qemu_log_mask(LOG_GUEST_ERROR, "Invalid tlbi page size granule %d\n",
                       page_size_granule);
         return ret;
     }
@@ -XXX,XX +XXX,XX @@ static TLBIRange tlbi_aa64_get_range(CPUARMState *env, ARMMMUIdx mmuidx,
 
     ret.length = (num + 1) << (exponent + page_shift);
 
-    if (regime_has_2_ranges(mmuidx)) {
+    if (param.select) {
         ret.base = sextract64(value, 0, 37);
     } else {
         ret.base = extract64(value, 0, 37);
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

We support 16k pages, but do not advertize that in ID_AA64MMFR0.

The value 0 in the TGRAN*_2 fields indicates that stage2 lookups defer
to the same support as stage1 lookups.  This setting is deprecated, so
indicate support for all stage2 page sizes directly.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220301215958.157011-16-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu64.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
 
     t = cpu->isar.id_aa64mmfr0;
     t = FIELD_DP64(t, ID_AA64MMFR0, PARANGE, 6); /* FEAT_LPA: 52 bits */
+    t = FIELD_DP64(t, ID_AA64MMFR0, TGRAN16, 1);   /* 16k pages supported */
+    t = FIELD_DP64(t, ID_AA64MMFR0, TGRAN16_2, 2); /* 16k stage2 supported */
+    t = FIELD_DP64(t, ID_AA64MMFR0, TGRAN64_2, 2); /* 64k stage2 supported */
+    t = FIELD_DP64(t, ID_AA64MMFR0, TGRAN4_2, 2);  /*  4k stage2 supported */
     cpu->isar.id_aa64mmfr0 = t;
 
     t = cpu->isar.id_aa64mmfr1;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This feature widens physical addresses (and intermediate physical
addresses for 2-stage translation) from 48 to 52 bits, when using
4k or 16k pages.

This introduces the DS bit to TCR_ELx, which is RES0 unless the
page size is enabled and supports LPA2, resulting in the effective
value of DS for a given table walk.  The DS bit changes the format
of the page table descriptor slightly, moving the PS field out to
TCR so that all pages have the same sharability and repurposing
those bits of the page table descriptor for the highest bits of
the output address.

Do not yet enable FEAT_LPA2; we need extra plumbing to avoid
tickling an old kernel bug.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220301215958.157011-17-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/emulation.rst |   1 +
 target/arm/cpu.h              |  22 ++++++++
 target/arm/internals.h        |   2 +
 target/arm/helper.c           | 102 +++++++++++++++++++++++++++++-----
 4 files changed, 112 insertions(+), 15 deletions(-)

diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/emulation.rst
+++ b/docs/system/arm/emulation.rst
@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
 - FEAT_JSCVT (JavaScript conversion instructions)
 - FEAT_LOR (Limited ordering regions)
 - FEAT_LPA (Large Physical Address space)
+- FEAT_LPA2 (Large Physical and virtual Address space v2)
 - FEAT_LRCPC (Load-acquire RCpc instructions)
 - FEAT_LRCPC2 (Load-acquire RCpc instructions v2)
 - FEAT_LSE (Large System Extensions)
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_i8mm(const ARMISARegisters *id)
     return FIELD_EX64(id->id_aa64isar1, ID_AA64ISAR1, I8MM) != 0;
 }
 
+static inline bool isar_feature_aa64_tgran4_lpa2(const ARMISARegisters *id)
+{
+    return FIELD_SEX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN4) >= 1;
+}
+
+static inline bool isar_feature_aa64_tgran4_2_lpa2(const ARMISARegisters *id)
+{
+    unsigned t = FIELD_EX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN4_2);
+    return t >= 3 || (t == 0 && isar_feature_aa64_tgran4_lpa2(id));
+}
+
+static inline bool isar_feature_aa64_tgran16_lpa2(const ARMISARegisters *id)
+{
+    return FIELD_EX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN16) >= 2;
+}
+
+static inline bool isar_feature_aa64_tgran16_2_lpa2(const ARMISARegisters *id)
+{
+    unsigned t = FIELD_EX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN16_2);
+    return t >= 3 || (t == 0 && isar_feature_aa64_tgran16_lpa2(id));
+}
+
 static inline bool isar_feature_aa64_ccidx(const ARMISARegisters *id)
 {
     return FIELD_EX64(id->id_aa64mmfr2, ID_AA64MMFR2, CCIDX) != 0;
diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t aarch64_pstate_valid_mask(const ARMISARegisters *id)
 typedef struct ARMVAParameters {
     unsigned tsz    : 8;
     unsigned ps     : 3;
+    unsigned sh     : 2;
     unsigned select : 1;
     bool tbi        : 1;
     bool epd        : 1;
@@ -XXX,XX +XXX,XX @@ typedef struct ARMVAParameters {
     bool using16k   : 1;
     bool using64k   : 1;
     bool tsz_oob    : 1;  /* tsz has been clamped to legal range */
+    bool ds         : 1;
 } ARMVAParameters;
 
 ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static TLBIRange tlbi_aa64_get_range(CPUARMState *env, ARMMMUIdx mmuidx,
     } else {
         ret.base = extract64(value, 0, 37);
     }
+    if (param.ds) {
+        /*
+         * With DS=1, BaseADDR is always shifted 16 so that it is able
+         * to address all 52 va bits.  The input address is perforce
+         * aligned on a 64k boundary regardless of translation granule.
+         */
+        page_shift = 16;
+    }
     ret.base <<= page_shift;
 
     return ret;
@@ -XXX,XX +XXX,XX @@ static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
     const int grainsize = stride + 3;
     int startsizecheck;
 
-    /* Negative levels are never allowed.  */
-    if (level < 0) {
+    /*
+     * Negative levels are usually not allowed...
+     * Except for FEAT_LPA2, 4k page table, 52-bit address space, which
+     * begins with level -1.  Note that previous feature tests will have
+     * eliminated this combination if it is not enabled.
+     */
+    if (level < (inputsize == 52 && stride == 9 ? -1 : 0)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
                                    ARMMMUIdx mmu_idx, bool data)
 {
     uint64_t tcr = regime_tcr(env, mmu_idx)->raw_tcr;
-    bool epd, hpd, using16k, using64k, tsz_oob;
-    int select, tsz, tbi, max_tsz, min_tsz, ps;
+    bool epd, hpd, using16k, using64k, tsz_oob, ds;
+    int select, tsz, tbi, max_tsz, min_tsz, ps, sh;
+    ARMCPU *cpu = env_archcpu(env);
 
     if (!regime_has_2_ranges(mmu_idx)) {
         select = 0;
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
             hpd = extract32(tcr, 24, 1);
         }
         epd = false;
+        sh = extract32(tcr, 12, 2);
         ps = extract32(tcr, 16, 3);
+        ds = extract64(tcr, 32, 1);
     } else {
         /*
          * Bit 55 is always between the two regions, and is canonical for
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
         if (!select) {
             tsz = extract32(tcr, 0, 6);
             epd = extract32(tcr, 7, 1);
+            sh = extract32(tcr, 12, 2);
             using64k = extract32(tcr, 14, 1);
             using16k = extract32(tcr, 15, 1);
             hpd = extract64(tcr, 41, 1);
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
             using64k = tg == 3;
             tsz = extract32(tcr, 16, 6);
             epd = extract32(tcr, 23, 1);
+            sh = extract32(tcr, 28, 2);
             hpd = extract64(tcr, 42, 1);
         }
         ps = extract64(tcr, 32, 3);
+        ds = extract64(tcr, 59, 1);
     }
 
-    if (cpu_isar_feature(aa64_st, env_archcpu(env))) {
+    if (cpu_isar_feature(aa64_st, cpu)) {
         max_tsz = 48 - using64k;
     } else {
         max_tsz = 39;
     }
 
+    /*
+     * DS is RES0 unless FEAT_LPA2 is supported for the given page size;
+     * adjust the effective value of DS, as documented.
+     */
     min_tsz = 16;
     if (using64k) {
-        if (cpu_isar_feature(aa64_lva, env_archcpu(env))) {
+        if (cpu_isar_feature(aa64_lva, cpu)) {
+            min_tsz = 12;
+        }
+        ds = false;
+    } else if (ds) {
+        switch (mmu_idx) {
+        case ARMMMUIdx_Stage2:
+        case ARMMMUIdx_Stage2_S:
+            if (using16k) {
+                ds = cpu_isar_feature(aa64_tgran16_2_lpa2, cpu);
+            } else {
+                ds = cpu_isar_feature(aa64_tgran4_2_lpa2, cpu);
+            }
+            break;
+        default:
+            if (using16k) {
+                ds = cpu_isar_feature(aa64_tgran16_lpa2, cpu);
+            } else {
+                ds = cpu_isar_feature(aa64_tgran4_lpa2, cpu);
+            }
+            break;
+        }
+        if (ds) {
             min_tsz = 12;
         }
     }
-    /* TODO: FEAT_LPA2 */
 
     if (tsz > max_tsz) {
         tsz = max_tsz;
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
     return (ARMVAParameters) {
         .tsz = tsz,
         .ps = ps,
+        .sh = sh,
         .select = select,
         .tbi = tbi,
         .epd = epd,
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
         .using16k = using16k,
         .using64k = using64k,
         .tsz_oob = tsz_oob,
+        .ds = ds,
     };
 }
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
          * VTCR_EL2.SL0 field (whose interpretation depends on the page size)
          */
         uint32_t sl0 = extract32(tcr->raw_tcr, 6, 2);
+        uint32_t sl2 = extract64(tcr->raw_tcr, 33, 1);
         uint32_t startlevel;
         bool ok;
 
-        if (!aarch64 || stride == 9) {
+        /* SL2 is RES0 unless DS=1 & 4kb granule. */
+        if (param.ds && stride == 9 && sl2) {
+            if (sl0 != 0) {
+                level = 0;
+                fault_type = ARMFault_Translation;
+                goto do_fault;
+            }
+            startlevel = -1;
+        } else if (!aarch64 || stride == 9) {
             /* AArch32 or 4KB pages */
             startlevel = 2 - sl0;
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
      * for both v7 and v8.  However, for v8 the SBZ bits [47:40] must be 0
      * or an AddressSize fault is raised.  So for v8 we extract those SBZ
      * bits as part of the address, which will be checked via outputsize.
-     * For AArch64, the address field always goes up to bit 47 (with extra
-     * bits for FEAT_LPA placed elsewhere).  AArch64 implies v8.
+     * For AArch64, the address field goes up to bit 47, or 49 with FEAT_LPA2;
+     * the highest bits of a 52-bit output are placed elsewhere.
      */
-    if (arm_feature(env, ARM_FEATURE_V8)) {
+    if (param.ds) {
+        descaddrmask = MAKE_64BIT_MASK(0, 50);
+    } else if (arm_feature(env, ARM_FEATURE_V8)) {
         descaddrmask = MAKE_64BIT_MASK(0, 48);
     } else {
         descaddrmask = MAKE_64BIT_MASK(0, 40);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
 
         /*
          * For FEAT_LPA and PS=6, bits [51:48] of descaddr are in [15:12]
-         * of descriptor.  Otherwise, if descaddr is out of range, raise
-         * AddressSizeFault.
+         * of descriptor.  For FEAT_LPA2 and effective DS, bits [51:50] of
+         * descaddr are in [9:8].  Otherwise, if descaddr is out of range,
+         * raise AddressSizeFault.
          */
         if (outputsize > 48) {
-            descaddr |= extract64(descriptor, 12, 4) << 48;
+            if (param.ds) {
+                descaddr |= extract64(descriptor, 8, 2) << 50;
+            } else {
+                descaddr |= extract64(descriptor, 12, 4) << 48;
+            }
         } else if (descaddr >> outputsize) {
             fault_type = ARMFault_AddressSize;
             goto do_fault;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
         assert(attrindx <= 7);
         cacheattrs->attrs = extract64(mair, attrindx * 8, 8);
     }
-    cacheattrs->shareability = extract32(attrs, 6, 2);
+
+    /*
+     * For FEAT_LPA2 and effective DS, the SH field in the attributes
+     * was re-purposed for output address bits.  The SH attribute in
+     * that case comes from TCR_ELx, which we extracted earlier.
+     */
+    if (param.ds) {
+        cacheattrs->shareability = param.sh;
+    } else {
+        cacheattrs->shareability = extract32(attrs, 6, 2);
+    }
 
     *phys_ptr = descaddr;
     *page_size_ptr = page_size;
-- 
2.25.1

When we're using KVM, the PSCI implementation is provided by the
kernel, but QEMU has to tell the guest about it via the device tree.
Currently we look at the KVM_CAP_ARM_PSCI_0_2 capability to determine
if the kernel is providing at least PSCI 0.2, but if the kernel
provides a newer version than that we will still only tell the guest
it has PSCI 0.2.  (This is fairly harmless; it just means the guest
won't use newer parts of the PSCI API.)

The kernel exposes the specific PSCI version it is implementing via
the ONE_REG API; use this to report in the dtb that the PSCI
implementation is 1.0-compatible if appropriate.  (The device tree
binding currently only distinguishes "pre-0.2", "0.2-compatible" and
"1.0-compatible".)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Akihiko Odaki <akihiko.odaki@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Message-id: 20220224134655.1207865-1-peter.maydell@linaro.org
---
 target/arm/kvm-consts.h |  1 +
 hw/arm/boot.c           |  5 ++---
 target/arm/kvm64.c      | 12 ++++++++++++
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/target/arm/kvm-consts.h b/target/arm/kvm-consts.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm-consts.h
+++ b/target/arm/kvm-consts.h
@@ -XXX,XX +XXX,XX @@ MISMATCH_CHECK(QEMU_PSCI_1_0_FN_PSCI_FEATURES, PSCI_1_0_FN_PSCI_FEATURES);
 
 #define QEMU_PSCI_VERSION_0_1                     0x00001
 #define QEMU_PSCI_VERSION_0_2                     0x00002
+#define QEMU_PSCI_VERSION_1_0                     0x10000
 #define QEMU_PSCI_VERSION_1_1                     0x10001
 
 MISMATCH_CHECK(QEMU_PSCI_0_2_RET_TOS_MIGRATION_NOT_REQUIRED, PSCI_0_2_TOS_MP);
diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static void fdt_add_psci_node(void *fdt)
     }
 
     qemu_fdt_add_subnode(fdt, "/psci");
-    if (armcpu->psci_version == QEMU_PSCI_VERSION_0_2 ||
-        armcpu->psci_version == QEMU_PSCI_VERSION_1_1) {
-        if (armcpu->psci_version == QEMU_PSCI_VERSION_0_2) {
+    if (armcpu->psci_version >= QEMU_PSCI_VERSION_0_2) {
+        if (armcpu->psci_version < QEMU_PSCI_VERSION_1_0) {
             const char comp[] = "arm,psci-0.2\0arm,psci";
             qemu_fdt_setprop(fdt, "/psci", "compatible", comp, sizeof(comp));
         } else {
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ int kvm_arch_init_vcpu(CPUState *cs)
     uint64_t mpidr;
     ARMCPU *cpu = ARM_CPU(cs);
     CPUARMState *env = &cpu->env;
+    uint64_t psciver;
 
     if (cpu->kvm_target == QEMU_KVM_ARM_TARGET_NONE ||
         !object_dynamic_cast(OBJECT(cpu), TYPE_AARCH64_CPU)) {
@@ -XXX,XX +XXX,XX @@ int kvm_arch_init_vcpu(CPUState *cs)
         }
     }
 
+    /*
+     * KVM reports the exact PSCI version it is implementing via a
+     * special sysreg. If it is present, use its contents to determine
+     * what to report to the guest in the dtb (it is the PSCI version,
+     * in the same 15-bits major 16-bits minor format that PSCI_VERSION
+     * returns).
+     */
+    if (!kvm_get_one_reg(cs, KVM_REG_ARM_PSCI_VERSION, &psciver)) {
+        cpu->psci_version = psciver;
+    }
+
     /*
      * When KVM is in use, PSCI is emulated in-kernel and not by qemu.
      * Currently KVM has its own idea about MPIDR assignment, so we
-- 
2.25.1

The updateUIInfo method makes Cocoa API calls.  It also calls back
into QEMU functions like dpy_set_ui_info().  To do this safely, we
need to follow two rules:
 * Cocoa API calls are made on the Cocoa UI thread
 * When calling back into QEMU we must hold the iothread lock

Fix the places where we got this wrong, by taking the iothread lock
while executing updateUIInfo, and moving the call in cocoa_switch()
inside the dispatch_async block.

Some of the Cocoa UI methods which call updateUIInfo are invoked as
part of the initial application startup, while we're still doing the
little cross-thread dance described in the comment just above
call_qemu_main().  This meant they were calling back into the QEMU UI
layer before we'd actually finished initializing our display and
registered the DisplayChangeListener, which isn't really valid.  Once
updateUIInfo takes the iothread lock, we no longer get away with
this, because during this startup phase the iothread lock is held by
the QEMU main-loop thread which is waiting for us to finish our
display initialization.  So we must suppress updateUIInfo until
applicationDidFinishLaunching allows the QEMU main-loop thread to
continue.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Akihiko Odaki <akihiko.odaki@gmail.com>
Tested-by: Akihiko Odaki <akihiko.odaki@gmail.com>
Message-id: 20220224101330.967429-2-peter.maydell@linaro.org
---
 ui/cocoa.m | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/ui/cocoa.m b/ui/cocoa.m
index XXXXXXX..XXXXXXX 100644
--- a/ui/cocoa.m
+++ b/ui/cocoa.m
@@ -XXX,XX +XXX,XX @@ QemuCocoaView *cocoaView;
     }
 }
 
-- (void) updateUIInfo
+- (void) updateUIInfoLocked
 {
+    /* Must be called with the iothread lock, i.e. via updateUIInfo */
     NSSize frameSize;
     QemuUIInfo info;
 
@@ -XXX,XX +XXX,XX @@ QemuCocoaView *cocoaView;
     dpy_set_ui_info(dcl.con, &info, TRUE);
 }
 
+- (void) updateUIInfo
+{
+    if (!allow_events) {
+        /*
+         * Don't try to tell QEMU about UI information in the application
+         * startup phase -- we haven't yet registered dcl with the QEMU UI
+         * layer, and also trying to take the iothread lock would deadlock.
+         * When cocoa_display_init() does register the dcl, the UI layer
+         * will call cocoa_switch(), which will call updateUIInfo, so
+         * we don't lose any information here.
+         */
+        return;
+    }
+
+    with_iothread_lock(^{
+        [self updateUIInfoLocked];
+    });
+}
+
 - (void)viewDidMoveToWindow
 {
     [self updateUIInfo];
@@ -XXX,XX +XXX,XX @@ static void cocoa_switch(DisplayChangeListener *dcl,
 
     COCOA_DEBUG("qemu_cocoa: cocoa_switch\n");
 
-    [cocoaView updateUIInfo];
-
     // The DisplaySurface will be freed as soon as this callback returns.
     // We take a reference to the underlying pixman image here so it does
     // not disappear from under our feet; the switchSurface method will
@@ -XXX,XX +XXX,XX @@ static void cocoa_switch(DisplayChangeListener *dcl,
     pixman_image_ref(image);
 
     dispatch_async(dispatch_get_main_queue(), ^{
+        [cocoaView updateUIInfo];
         [cocoaView switchSurface:image];
     });
     [pool release];
-- 
2.25.1

In commit 6e657e64cdc478 in 2013 we added some autorelease pools to
deal with complaints from macOS when we made calls into Cocoa from
threads that didn't have automatically created autorelease pools.
Later on, macOS got stricter about forbidding cross-thread Cocoa
calls, and in commit 5588840ff77800e839d8 we restructured the code to
avoid them.  This left the autorelease pool creation in several
functions without any purpose; delete it.

We still need the pool in cocoa_refresh() for the clipboard related
code which is called directly there.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Akihiko Odaki <akihiko.odaki@gmail.com>
Tested-by: Akihiko Odaki <akihiko.odaki@gmail.com>
Message-id: 20220224101330.967429-3-peter.maydell@linaro.org
---
 ui/cocoa.m | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/ui/cocoa.m b/ui/cocoa.m
index XXXXXXX..XXXXXXX 100644
--- a/ui/cocoa.m
+++ b/ui/cocoa.m
@@ -XXX,XX +XXX,XX @@ int main (int argc, char **argv) {
 static void cocoa_update(DisplayChangeListener *dcl,
                          int x, int y, int w, int h)
 {
-    NSAutoreleasePool * pool = [[NSAutoreleasePool alloc] init];
-
     COCOA_DEBUG("qemu_cocoa: cocoa_update\n");
 
     dispatch_async(dispatch_get_main_queue(), ^{
@@ -XXX,XX +XXX,XX @@ static void cocoa_update(DisplayChangeListener *dcl,
         }
         [cocoaView setNeedsDisplayInRect:rect];
     });
-
-    [pool release];
 }
 
 static void cocoa_switch(DisplayChangeListener *dcl,
                          DisplaySurface *surface)
 {
-    NSAutoreleasePool * pool = [[NSAutoreleasePool alloc] init];
     pixman_image_t *image = surface->image;
 
     COCOA_DEBUG("qemu_cocoa: cocoa_switch\n");
@@ -XXX,XX +XXX,XX @@ static void cocoa_switch(DisplayChangeListener *dcl,
         [cocoaView updateUIInfo];
         [cocoaView switchSurface:image];
     });
-    [pool release];
 }
 
 static void cocoa_refresh(DisplayChangeListener *dcl)
-- 
2.25.1