Series comparison

-[Qemu-devel] [PULL 00/25] target-arm queue
+[Qemu-devel] [PULL 00/29] target-arm queue
-target-arm queue. This has the "plumb txattrs through various
+First arm pullreq of 4.2...
 bits of exec.c" patches, and a collection of bug fixes from
 various people.
 thanks
 -- PMM
+The following changes since commit 27608c7c66bd923eb5e5faab80e795408cbe2b51:
+  Merge remote-tracking branch 'remotes/dgilbert/tags/pull-migration-20190814a' into staging (2019-08-16 12:00:18 +0100)
 The following changes since commit a3ac12fba028df90f7b3dbec924995c126c41022:
   Merge remote-tracking branch 'remotes/ehabkost/tags/numa-next-pull-request' into staging (2018-05-31 11:12:36 +0100)
 are available in the Git repository at:
-  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180531
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190816
-for you to fetch changes up to 49d1dca0520ea71bc21867fab6647f474fcf857b:
+for you to fetch changes up to 664b7e3b97d6376f3329986c465b3782458b0f8b:
-  KVM: GIC: Fix memory leak due to calling kvm_init_irq_routing twice (2018-05-31 14:52:53 +0100)
+  target/arm: Use tcg_gen_extrh_i64_i32 to extract the high word (2019-08-16 14:02:53 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * target/arm: Honour FPCR.FZ in FRECPX
+ * target/arm: generate a custom MIDR for -cpu max
- * MAINTAINERS: Add entries for newer MPS2 boards and devices
+ * hw/misc/zynq_slcr: refactor to use standard register definition
- * hw/intc/arm_gicv3: Fix APxR<n> register dispatching
+ * Set ENET_BD_BDU in I.MX FEC controller
- * arm_gicv3_kvm: fix bug in writing zero bits back to the in-kernel
+ * target/arm: Fix routing of singlestep exceptions
-   GIC state
+ * refactor a32/t32 decoder handling of PC
- * tcg: Fix helper function vs host abi for float16
+ * minor optimisations/cleanups of some a32/t32 codegen
- * arm: fix qemu crash on startup with -bios option
+ * target/arm/cpu64: Ensure kvm really supports aarch64=off
- * arm: fix malloc type mismatch
+ * target/arm/cpu: Ensure we can use the pmu with kvm
- * xlnx-zdma: Correct mem leaks and memset to zero on desc unaligned errors
+ * target/arm: Minor cleanups preparatory to KVM SVE support
  * Correct CPACR reset value for v7 cores
  * memory.h: Improve IOMMU related documentation
  * exec: Plumb transaction attributes through various functions in
    preparation for allowing IOMMUs to see them
  * vmstate.h: Provide VMSTATE_BOOL_SUB_ARRAY
  * ARM: ACPI: Fix use-after-free due to memory realloc
  * KVM: GIC: Fix memory leak due to calling kvm_init_irq_routing twice
 ----------------------------------------------------------------
-Francisco Iglesias (1):
+Aaron Hill (1):
-      xlnx-zdma: Correct mem leaks and memset to zero on desc unaligned errors
+      Set ENET_BD_BDU in I.MX FEC controller
-Igor Mammedov (1):
+Alex Bennée (1):
-      arm: fix qemu crash on startup with -bios option
+      target/arm: generate a custom MIDR for -cpu max
-Jan Kiszka (1):
+Andrew Jones (6):
-      hw/intc/arm_gicv3: Fix APxR<n> register dispatching
+      target/arm/cpu64: Ensure kvm really supports aarch64=off
       target/arm/cpu: Ensure we can use the pmu with kvm
       target/arm/helper: zcr: Add build bug next to value range assumption
       target/arm/cpu: Use div-round-up to determine predicate register array size
       target/arm/kvm64: Fix error returns
       target/arm/kvm64: Move the get/put of fpsimd registers out
-Paolo Bonzini (1):
+Damien Hedde (1):
-      arm: fix malloc type mismatch
+      hw/misc/zynq_slcr: use standard register definition
-Peter Maydell (17):
+Peter Maydell (2):
-      target/arm: Honour FPCR.FZ in FRECPX
+      target/arm: Factor out 'generate singlestep exception' function
-      MAINTAINERS: Add entries for newer MPS2 boards and devices
+      target/arm: Fix routing of singlestep exceptions
       Correct CPACR reset value for v7 cores
       memory.h: Improve IOMMU related documentation
       Make tb_invalidate_phys_addr() take a MemTxAttrs argument
       Make address_space_translate{, _cached}() take a MemTxAttrs argument
       Make address_space_map() take a MemTxAttrs argument
       Make address_space_access_valid() take a MemTxAttrs argument
       Make flatview_extend_translation() take a MemTxAttrs argument
       Make memory_region_access_valid() take a MemTxAttrs argument
       Make MemoryRegion valid.accepts callback take a MemTxAttrs argument
       Make flatview_access_valid() take a MemTxAttrs argument
       Make flatview_translate() take a MemTxAttrs argument
       Make address_space_get_iotlb_entry() take a MemTxAttrs argument
       Make flatview_do_translate() take a MemTxAttrs argument
       Make address_space_translate_iommu take a MemTxAttrs argument
       vmstate.h: Provide VMSTATE_BOOL_SUB_ARRAY
-Richard Henderson (1):
+Richard Henderson (18):
-      tcg: Fix helper function vs host abi for float16
+      target/arm: Pass in pc to thumb_insn_is_16bit
       target/arm: Introduce pc_curr
       target/arm: Introduce read_pc
       target/arm: Introduce add_reg_for_lit
       target/arm: Remove redundant s->pc & ~1
       target/arm: Replace s->pc with s->base.pc_next
       target/arm: Replace offset with pc in gen_exception_insn
       target/arm: Replace offset with pc in gen_exception_internal_insn
       target/arm: Remove offset argument to gen_exception_bkpt_insn
       target/arm: Use unallocated_encoding for aarch32
       target/arm: Remove helper_double_saturate
       target/arm: Use tcg_gen_extract_i32 for shifter_out_im
       target/arm: Use tcg_gen_deposit_i32 for PKHBT, PKHTB
       target/arm: Remove redundant shift tests
       target/arm: Use ror32 instead of open-coding the operation
       target/arm: Use tcg_gen_rotri_i32 for gen_swap_half
       target/arm: Simplify SMMLA, SMMLAR, SMMLS, SMMLSR
       target/arm: Use tcg_gen_extrh_i64_i32 to extract the high word
-Shannon Zhao (3):
+ target/arm/cpu.h               |  13 +-
-      arm_gicv3_kvm: increase clroffset accordingly
+ target/arm/helper.h            |   1 -
-      ARM: ACPI: Fix use-after-free due to memory realloc
+ target/arm/kvm_arm.h           |  28 ++
-      KVM: GIC: Fix memory leak due to calling kvm_init_irq_routing twice
+ target/arm/translate-a64.h     |   4 +-
  target/arm/translate.h         |  39 ++-
  hw/misc/zynq_slcr.c            | 450 ++++++++++++++++----------------
  hw/net/imx_fec.c               |   4 +
  target/arm/cpu.c               |  30 ++-
  target/arm/cpu64.c             |  31 ++-
  target/arm/helper.c            |   7 +
  target/arm/kvm.c               |   7 +
  target/arm/kvm64.c             | 161 +++++++-----
  target/arm/op_helper.c         |  15 --
  target/arm/translate-a64.c     | 130 ++++------
  target/arm/translate-vfp.inc.c |  45 +---
  target/arm/translate.c         | 572 +++++++++++++++++------------------------
 files changed, 771 insertions(+), 766 deletions(-)
- include/exec/exec-all.h        |   5 +-
- include/exec/helper-head.h     |   2 +-
- include/exec/memory-internal.h |   3 +-
- include/exec/memory.h          | 128 +++++++++++++++++++++++++++++++++++------
- include/migration/vmstate.h    |   3 +
- include/sysemu/dma.h           |   6 +-
- accel/tcg/translate-all.c      |   4 +-
- exec.c                         |  95 ++++++++++++++++++------------
- hw/arm/boot.c                  |  18 +++---
- hw/arm/virt-acpi-build.c       |  20 +++++--
- hw/dma/xlnx-zdma.c             |  10 +++-
- hw/hppa/dino.c                 |   3 +-
- hw/intc/arm_gic_kvm.c          |   1 -
- hw/intc/arm_gicv3_cpuif.c      |  12 ++--
- hw/intc/arm_gicv3_kvm.c        |   2 +-
- hw/nvram/fw_cfg.c              |  12 ++--
- hw/s390x/s390-pci-inst.c       |   3 +-
- hw/scsi/esp.c                  |   3 +-
- hw/vfio/common.c               |   3 +-
- hw/virtio/vhost.c              |   3 +-
- hw/xen/xen_pt_msi.c            |   3 +-
- memory.c                       |  12 ++--
- memory_ldst.inc.c              |  18 +++---
- target/arm/gdbstub.c           |   3 +-
- target/arm/helper-a64.c        |  41 +++++++------
- target/arm/helper.c            |  90 ++++++++++++++++-------------
- target/ppc/mmu-hash64.c        |   3 +-
- target/riscv/helper.c          |   2 +-
- target/s390x/diag.c            |   6 +-
- target/s390x/excp_helper.c     |   3 +-
- target/s390x/mmu_helper.c      |   3 +-
- target/s390x/sigp.c            |   3 +-
- target/xtensa/op_helper.c      |   3 +-
- MAINTAINERS                    |   9 ++-
-files changed, 353 insertions(+), 182 deletions(-)

-[Qemu-devel] [PULL 25/25] KVM: GIC: Fix memory leak due to calling kvm_init_irq_routing twice
+[Qemu-devel] [PULL 01/29] target/arm: generate a custom MIDR for -cpu max
-From: Shannon Zhao <zhaoshenglong@huawei.com>
+From: Alex Bennée <alex.bennee@linaro.org>
-kvm_irqchip_create called by kvm_init will call kvm_init_irq_routing to
+While most features are now detected by probing the ID_* registers
-initialize global capability variables. If we call kvm_init_irq_routing in
+kernels can (and do) use MIDR_EL1 for working out of they have to
-GIC realize function, previous allocated memory will leak.
+apply errata. This can trip up warnings in the kernel as it tries to
 work out if it should apply workarounds to features that don't
 actually exist in the reported CPU type.
-Fix this by deleting the unnecessary call.
+Avoid this problem by synthesising our own MIDR value.
-Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1527750994-14360-1-git-send-email-zhaoshenglong@huawei.com
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20190726113950.7499-1-alex.bennee@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/intc/arm_gic_kvm.c   | 1 -
+ target/arm/cpu.h   |  6 ++++++
- hw/intc/arm_gicv3_kvm.c | 1 -
+ target/arm/cpu64.c | 19 +++++++++++++++++++
-files changed, 2 deletions(-)
+files changed, 25 insertions(+)
-diff --git a/hw/intc/arm_gic_kvm.c b/hw/intc/arm_gic_kvm.c
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gic_kvm.c
+--- a/target/arm/cpu.h
-+++ b/hw/intc/arm_gic_kvm.c
++++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static void kvm_arm_gic_realize(DeviceState *dev, Error **errp)
+@@ -XXX,XX +XXX,XX @@ FIELD(V7M_FPCCR, ASPEN, 31, 1)
+ /*
-     if (kvm_has_gsi_routing()) {
+  * System register ID fields.
-         /* set up irq routing */
+  */
--        kvm_init_irq_routing(kvm_state);
++FIELD(MIDR_EL1, REVISION, 0, 4)
-         for (i = 0; i < s->num_irq - GIC_INTERNAL; ++i) {
++FIELD(MIDR_EL1, PARTNUM, 4, 12)
-             kvm_irqchip_add_irq_route(kvm_state, i, 0, i);
++FIELD(MIDR_EL1, ARCHITECTURE, 16, 4)
-         }
++FIELD(MIDR_EL1, VARIANT, 20, 4)
-diff --git a/hw/intc/arm_gicv3_kvm.c b/hw/intc/arm_gicv3_kvm.c
++FIELD(MIDR_EL1, IMPLEMENTER, 24, 8)
 +
  FIELD(ID_ISAR0, SWAP, 0, 4)
  FIELD(ID_ISAR0, BITCOUNT, 4, 4)
  FIELD(ID_ISAR0, BITFIELD, 8, 4)
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gicv3_kvm.c
+--- a/target/arm/cpu64.c
-+++ b/hw/intc/arm_gicv3_kvm.c
++++ b/target/arm/cpu64.c
-@@ -XXX,XX +XXX,XX @@ static void kvm_arm_gicv3_realize(DeviceState *dev, Error **errp)
+@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
+         uint32_t u;
-     if (kvm_has_gsi_routing()) {
+         aarch64_a57_initfn(obj);
-         /* set up irq routing */
--        kvm_init_irq_routing(kvm_state);
++        /*
-         for (i = 0; i < s->num_irq - GIC_INTERNAL; ++i) {
++         * Reset MIDR so the guest doesn't mistake our 'max' CPU type for a real
-             kvm_irqchip_add_irq_route(kvm_state, i, 0, i);
++         * one and try to apply errata workarounds or use impdef features we
-         }
++         * don't provide.
 +         * An IMPLEMENTER field of 0 means "reserved for software use";
 +         * ARCHITECTURE must be 0xf indicating "v7 or later, check ID registers
 +         * to see which features are present";
 +         * the VARIANT, PARTNUM and REVISION fields are all implementation
 +         * defined and we choose to define PARTNUM just in case guest
 +         * code needs to distinguish this QEMU CPU from other software
 +         * implementations, though this shouldn't be needed.
 +         */
 +        t = FIELD_DP64(0, MIDR_EL1, IMPLEMENTER, 0);
 +        t = FIELD_DP64(t, MIDR_EL1, ARCHITECTURE, 0xf);
 +        t = FIELD_DP64(t, MIDR_EL1, PARTNUM, 'Q');
 +        t = FIELD_DP64(t, MIDR_EL1, VARIANT, 0);
 +        t = FIELD_DP64(t, MIDR_EL1, REVISION, 0);
 +        cpu->midr = t;
 +
          t = cpu->isar.id_aa64isar0;
          t = FIELD_DP64(t, ID_AA64ISAR0, AES, 2); /* AES + PMULL */
          t = FIELD_DP64(t, ID_AA64ISAR0, SHA1, 1);
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 01/25] target/arm: Honour FPCR.FZ in FRECPX
+[Qemu-devel] [PULL 02/29] hw/misc/zynq_slcr: use standard register definition
-The FRECPX instructions should (like most other floating point operations)
+From: Damien Hedde <damien.hedde@greensocs.com>
 honour the FPCR.FZ bit which specifies whether input denormals should
 be flushed to zero (or FZ16 for the half-precision version).
 We forgot to implement this, which doesn't affect the results (since
 the calculation doesn't actually care about the mantissa bits) but did
 mean we were failing to set the FPSR.IDC bit.
+Replace the zynq_slcr registers enum and macros using the
+hw/registerfields.h macros.
+Signed-off-by: Damien Hedde <damien.hedde@greensocs.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20190729145654.14644-30-damien.hedde@greensocs.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521172712.19930-1-peter.maydell@linaro.org
 ---
- target/arm/helper-a64.c | 6 ++++++
+ hw/misc/zynq_slcr.c | 450 ++++++++++++++++++++++----------------------
-file changed, 6 insertions(+)
+file changed, 225 insertions(+), 225 deletions(-)
-diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
+diff --git a/hw/misc/zynq_slcr.c b/hw/misc/zynq_slcr.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-a64.c
+--- a/hw/misc/zynq_slcr.c
-+++ b/target/arm/helper-a64.c
++++ b/hw/misc/zynq_slcr.c
-@@ -XXX,XX +XXX,XX @@ float16 HELPER(frecpx_f16)(float16 a, void *fpstp)
+@@ -XXX,XX +XXX,XX @@
-         return nan;
+ #include "sysemu/sysemu.h"
  #include "qemu/log.h"
  #include "qemu/module.h"
 +#include "hw/registerfields.h"
  #ifndef ZYNQ_SLCR_ERR_DEBUG
  #define ZYNQ_SLCR_ERR_DEBUG 0
@@ -XXX,XX +XXX,XX @@
  #define XILINX_LOCK_KEY 0x767b
  #define XILINX_UNLOCK_KEY 0xdf0d
 -#define R_PSS_RST_CTRL_SOFT_RST 0x1
 +REG32(SCL, 0x000)
 +REG32(LOCK, 0x004)
 +REG32(UNLOCK, 0x008)
 +REG32(LOCKSTA, 0x00c)
 -enum {
 -    SCL             = 0x000 / 4,
 -    LOCK,
 -    UNLOCK,
 -    LOCKSTA,
 +REG32(ARM_PLL_CTRL, 0x100)
 +REG32(DDR_PLL_CTRL, 0x104)
 +REG32(IO_PLL_CTRL, 0x108)
 +REG32(PLL_STATUS, 0x10c)
 +REG32(ARM_PLL_CFG, 0x110)
 +REG32(DDR_PLL_CFG, 0x114)
 +REG32(IO_PLL_CFG, 0x118)
 -    ARM_PLL_CTRL    = 0x100 / 4,
 -    DDR_PLL_CTRL,
 -    IO_PLL_CTRL,
 -    PLL_STATUS,
 -    ARM_PLL_CFG,
 -    DDR_PLL_CFG,
 -    IO_PLL_CFG,
 -
 -    ARM_CLK_CTRL    = 0x120 / 4,
 -    DDR_CLK_CTRL,
 -    DCI_CLK_CTRL,
 -    APER_CLK_CTRL,
 -    USB0_CLK_CTRL,
 -    USB1_CLK_CTRL,
 -    GEM0_RCLK_CTRL,
 -    GEM1_RCLK_CTRL,
 -    GEM0_CLK_CTRL,
 -    GEM1_CLK_CTRL,
 -    SMC_CLK_CTRL,
 -    LQSPI_CLK_CTRL,
 -    SDIO_CLK_CTRL,
 -    UART_CLK_CTRL,
 -    SPI_CLK_CTRL,
 -    CAN_CLK_CTRL,
 -    CAN_MIOCLK_CTRL,
 -    DBG_CLK_CTRL,
 -    PCAP_CLK_CTRL,
 -    TOPSW_CLK_CTRL,
 +REG32(ARM_CLK_CTRL, 0x120)
 +REG32(DDR_CLK_CTRL, 0x124)
 +REG32(DCI_CLK_CTRL, 0x128)
 +REG32(APER_CLK_CTRL, 0x12c)
 +REG32(USB0_CLK_CTRL, 0x130)
 +REG32(USB1_CLK_CTRL, 0x134)
 +REG32(GEM0_RCLK_CTRL, 0x138)
 +REG32(GEM1_RCLK_CTRL, 0x13c)
 +REG32(GEM0_CLK_CTRL, 0x140)
 +REG32(GEM1_CLK_CTRL, 0x144)
 +REG32(SMC_CLK_CTRL, 0x148)
 +REG32(LQSPI_CLK_CTRL, 0x14c)
 +REG32(SDIO_CLK_CTRL, 0x150)
 +REG32(UART_CLK_CTRL, 0x154)
 +REG32(SPI_CLK_CTRL, 0x158)
 +REG32(CAN_CLK_CTRL, 0x15c)
 +REG32(CAN_MIOCLK_CTRL, 0x160)
 +REG32(DBG_CLK_CTRL, 0x164)
 +REG32(PCAP_CLK_CTRL, 0x168)
 +REG32(TOPSW_CLK_CTRL, 0x16c)
  #define FPGA_CTRL_REGS(n, start) \
 -    FPGA ## n ## _CLK_CTRL = (start) / 4, \
 -    FPGA ## n ## _THR_CTRL, \
 -    FPGA ## n ## _THR_CNT, \
 -    FPGA ## n ## _THR_STA,
 -    FPGA_CTRL_REGS(0, 0x170)
 -    FPGA_CTRL_REGS(1, 0x180)
 -    FPGA_CTRL_REGS(2, 0x190)
 -    FPGA_CTRL_REGS(3, 0x1a0)
 +    REG32(FPGA ## n ## _CLK_CTRL, (start)) \
 +    REG32(FPGA ## n ## _THR_CTRL, (start) + 0x4)\
 +    REG32(FPGA ## n ## _THR_CNT,  (start) + 0x8)\
 +    REG32(FPGA ## n ## _THR_STA,  (start) + 0xc)
 +FPGA_CTRL_REGS(0, 0x170)
 +FPGA_CTRL_REGS(1, 0x180)
 +FPGA_CTRL_REGS(2, 0x190)
 +FPGA_CTRL_REGS(3, 0x1a0)
 -    BANDGAP_TRIP    = 0x1b8 / 4,
 -    PLL_PREDIVISOR  = 0x1c0 / 4,
 -    CLK_621_TRUE,
 +REG32(BANDGAP_TRIP, 0x1b8)
 +REG32(PLL_PREDIVISOR, 0x1c0)
 +REG32(CLK_621_TRUE, 0x1c4)
 -    PSS_RST_CTRL    = 0x200 / 4,
 -    DDR_RST_CTRL,
 -    TOPSW_RESET_CTRL,
 -    DMAC_RST_CTRL,
 -    USB_RST_CTRL,
 -    GEM_RST_CTRL,
 -    SDIO_RST_CTRL,
 -    SPI_RST_CTRL,
 -    CAN_RST_CTRL,
 -    I2C_RST_CTRL,
 -    UART_RST_CTRL,
 -    GPIO_RST_CTRL,
 -    LQSPI_RST_CTRL,
 -    SMC_RST_CTRL,
 -    OCM_RST_CTRL,
 -    FPGA_RST_CTRL   = 0x240 / 4,
 -    A9_CPU_RST_CTRL,
 +REG32(PSS_RST_CTRL, 0x200)
 +    FIELD(PSS_RST_CTRL, SOFT_RST, 0, 1)
 +REG32(DDR_RST_CTRL, 0x204)
 +REG32(TOPSW_RESET_CTRL, 0x208)
 +REG32(DMAC_RST_CTRL, 0x20c)
 +REG32(USB_RST_CTRL, 0x210)
 +REG32(GEM_RST_CTRL, 0x214)
 +REG32(SDIO_RST_CTRL, 0x218)
 +REG32(SPI_RST_CTRL, 0x21c)
 +REG32(CAN_RST_CTRL, 0x220)
 +REG32(I2C_RST_CTRL, 0x224)
 +REG32(UART_RST_CTRL, 0x228)
 +REG32(GPIO_RST_CTRL, 0x22c)
 +REG32(LQSPI_RST_CTRL, 0x230)
 +REG32(SMC_RST_CTRL, 0x234)
 +REG32(OCM_RST_CTRL, 0x238)
 +REG32(FPGA_RST_CTRL, 0x240)
 +REG32(A9_CPU_RST_CTRL, 0x244)
 -    RS_AWDT_CTRL    = 0x24c / 4,
 -    RST_REASON,
 +REG32(RS_AWDT_CTRL, 0x24c)
 +REG32(RST_REASON, 0x250)
 -    REBOOT_STATUS   = 0x258 / 4,
 -    BOOT_MODE,
 +REG32(REBOOT_STATUS, 0x258)
 +REG32(BOOT_MODE, 0x25c)
 -    APU_CTRL        = 0x300 / 4,
 -    WDT_CLK_SEL,
 +REG32(APU_CTRL, 0x300)
 +REG32(WDT_CLK_SEL, 0x304)
 -    TZ_DMA_NS       = 0x440 / 4,
 -    TZ_DMA_IRQ_NS,
 -    TZ_DMA_PERIPH_NS,
 +REG32(TZ_DMA_NS, 0x440)
 +REG32(TZ_DMA_IRQ_NS, 0x444)
 +REG32(TZ_DMA_PERIPH_NS, 0x448)
 -    PSS_IDCODE      = 0x530 / 4,
 +REG32(PSS_IDCODE, 0x530)
 -    DDR_URGENT      = 0x600 / 4,
 -    DDR_CAL_START   = 0x60c / 4,
 -    DDR_REF_START   = 0x614 / 4,
 -    DDR_CMD_STA,
 -    DDR_URGENT_SEL,
 -    DDR_DFI_STATUS,
 +REG32(DDR_URGENT, 0x600)
 +REG32(DDR_CAL_START, 0x60c)
 +REG32(DDR_REF_START, 0x614)
 +REG32(DDR_CMD_STA, 0x618)
 +REG32(DDR_URGENT_SEL, 0x61c)
 +REG32(DDR_DFI_STATUS, 0x620)
 -    MIO             = 0x700 / 4,
 +REG32(MIO, 0x700)
  #define MIO_LENGTH 54
 -    MIO_LOOPBACK    = 0x804 / 4,
 -    MIO_MST_TRI0,
 -    MIO_MST_TRI1,
 +REG32(MIO_LOOPBACK, 0x804)
 +REG32(MIO_MST_TRI0, 0x808)
 +REG32(MIO_MST_TRI1, 0x80c)
 -    SD0_WP_CD_SEL   = 0x830 / 4,
 -    SD1_WP_CD_SEL,
 +REG32(SD0_WP_CD_SEL, 0x830)
 +REG32(SD1_WP_CD_SEL, 0x834)
 -    LVL_SHFTR_EN    = 0x900 / 4,
 -    OCM_CFG         = 0x910 / 4,
 +REG32(LVL_SHFTR_EN, 0x900)
 +REG32(OCM_CFG, 0x910)
 -    CPU_RAM         = 0xa00 / 4,
 +REG32(CPU_RAM, 0xa00)
 -    IOU             = 0xa30 / 4,
 +REG32(IOU, 0xa30)
 -    DMAC_RAM        = 0xa50 / 4,
 +REG32(DMAC_RAM, 0xa50)
 -    AFI0            = 0xa60 / 4,
 -    AFI1 = AFI0 + 3,
 -    AFI2 = AFI1 + 3,
 -    AFI3 = AFI2 + 3,
 +REG32(AFI0, 0xa60)
 +REG32(AFI1, 0xa6c)
 +REG32(AFI2, 0xa78)
 +REG32(AFI3, 0xa84)
  #define AFI_LENGTH 3
 -    OCM             = 0xa90 / 4,
 +REG32(OCM, 0xa90)
 -    DEVCI_RAM       = 0xaa0 / 4,
 +REG32(DEVCI_RAM, 0xaa0)
 -    CSG_RAM         = 0xab0 / 4,
 +REG32(CSG_RAM, 0xab0)
 -    GPIOB_CTRL      = 0xb00 / 4,
 -    GPIOB_CFG_CMOS18,
 -    GPIOB_CFG_CMOS25,
 -    GPIOB_CFG_CMOS33,
 -    GPIOB_CFG_HSTL  = 0xb14 / 4,
 -    GPIOB_DRVR_BIAS_CTRL,
 +REG32(GPIOB_CTRL, 0xb00)
 +REG32(GPIOB_CFG_CMOS18, 0xb04)
 +REG32(GPIOB_CFG_CMOS25, 0xb08)
 +REG32(GPIOB_CFG_CMOS33, 0xb0c)
 +REG32(GPIOB_CFG_HSTL, 0xb14)
 +REG32(GPIOB_DRVR_BIAS_CTRL, 0xb18)
 -    DDRIOB          = 0xb40 / 4,
 +REG32(DDRIOB, 0xb40)
  #define DDRIOB_LENGTH 14
 -};
  #define ZYNQ_SLCR_MMIO_SIZE     0x1000
  #define ZYNQ_SLCR_NUM_REGS      (ZYNQ_SLCR_MMIO_SIZE / 4)
@@ -XXX,XX +XXX,XX @@ static void zynq_slcr_reset(DeviceState *d)
      DB_PRINT("RESET\n");
 -    s->regs[LOCKSTA] = 1;
 +    s->regs[R_LOCKSTA] = 1;
      /* 0x100 - 0x11C */
 -    s->regs[ARM_PLL_CTRL]   = 0x0001A008;
 -    s->regs[DDR_PLL_CTRL]   = 0x0001A008;
 -    s->regs[IO_PLL_CTRL]    = 0x0001A008;
 -    s->regs[PLL_STATUS]     = 0x0000003F;
 -    s->regs[ARM_PLL_CFG]    = 0x00014000;
 -    s->regs[DDR_PLL_CFG]    = 0x00014000;
 -    s->regs[IO_PLL_CFG]     = 0x00014000;
 +    s->regs[R_ARM_PLL_CTRL]   = 0x0001A008;
 +    s->regs[R_DDR_PLL_CTRL]   = 0x0001A008;
 +    s->regs[R_IO_PLL_CTRL]    = 0x0001A008;
 +    s->regs[R_PLL_STATUS]     = 0x0000003F;
 +    s->regs[R_ARM_PLL_CFG]    = 0x00014000;
 +    s->regs[R_DDR_PLL_CFG]    = 0x00014000;
 +    s->regs[R_IO_PLL_CFG]     = 0x00014000;
      /* 0x120 - 0x16C */
 -    s->regs[ARM_CLK_CTRL]   = 0x1F000400;
 -    s->regs[DDR_CLK_CTRL]   = 0x18400003;
 -    s->regs[DCI_CLK_CTRL]   = 0x01E03201;
 -    s->regs[APER_CLK_CTRL]  = 0x01FFCCCD;
 -    s->regs[USB0_CLK_CTRL]  = s->regs[USB1_CLK_CTRL]    = 0x00101941;
 -    s->regs[GEM0_RCLK_CTRL] = s->regs[GEM1_RCLK_CTRL]   = 0x00000001;
 -    s->regs[GEM0_CLK_CTRL]  = s->regs[GEM1_CLK_CTRL]    = 0x00003C01;
 -    s->regs[SMC_CLK_CTRL]   = 0x00003C01;
 -    s->regs[LQSPI_CLK_CTRL] = 0x00002821;
 -    s->regs[SDIO_CLK_CTRL]  = 0x00001E03;
 -    s->regs[UART_CLK_CTRL]  = 0x00003F03;
 -    s->regs[SPI_CLK_CTRL]   = 0x00003F03;
 -    s->regs[CAN_CLK_CTRL]   = 0x00501903;
 -    s->regs[DBG_CLK_CTRL]   = 0x00000F03;
 -    s->regs[PCAP_CLK_CTRL]  = 0x00000F01;
 +    s->regs[R_ARM_CLK_CTRL]   = 0x1F000400;
 +    s->regs[R_DDR_CLK_CTRL]   = 0x18400003;
 +    s->regs[R_DCI_CLK_CTRL]   = 0x01E03201;
 +    s->regs[R_APER_CLK_CTRL]  = 0x01FFCCCD;
 +    s->regs[R_USB0_CLK_CTRL]  = s->regs[R_USB1_CLK_CTRL]  = 0x00101941;
 +    s->regs[R_GEM0_RCLK_CTRL] = s->regs[R_GEM1_RCLK_CTRL] = 0x00000001;
 +    s->regs[R_GEM0_CLK_CTRL]  = s->regs[R_GEM1_CLK_CTRL]  = 0x00003C01;
 +    s->regs[R_SMC_CLK_CTRL]   = 0x00003C01;
 +    s->regs[R_LQSPI_CLK_CTRL] = 0x00002821;
 +    s->regs[R_SDIO_CLK_CTRL]  = 0x00001E03;
 +    s->regs[R_UART_CLK_CTRL]  = 0x00003F03;
 +    s->regs[R_SPI_CLK_CTRL]   = 0x00003F03;
 +    s->regs[R_CAN_CLK_CTRL]   = 0x00501903;
 +    s->regs[R_DBG_CLK_CTRL]   = 0x00000F03;
 +    s->regs[R_PCAP_CLK_CTRL]  = 0x00000F01;
      /* 0x170 - 0x1AC */
 -    s->regs[FPGA0_CLK_CTRL] = s->regs[FPGA1_CLK_CTRL] = s->regs[FPGA2_CLK_CTRL]
 -                            = s->regs[FPGA3_CLK_CTRL] = 0x00101800;
 -    s->regs[FPGA0_THR_STA] = s->regs[FPGA1_THR_STA] = s->regs[FPGA2_THR_STA]
 -                           = s->regs[FPGA3_THR_STA] = 0x00010000;
 +    s->regs[R_FPGA0_CLK_CTRL] = s->regs[R_FPGA1_CLK_CTRL]
 +                              = s->regs[R_FPGA2_CLK_CTRL]
 +                              = s->regs[R_FPGA3_CLK_CTRL] = 0x00101800;
 +    s->regs[R_FPGA0_THR_STA] = s->regs[R_FPGA1_THR_STA]
 +                             = s->regs[R_FPGA2_THR_STA]
 +                             = s->regs[R_FPGA3_THR_STA] = 0x00010000;
      /* 0x1B0 - 0x1D8 */
 -    s->regs[BANDGAP_TRIP]   = 0x0000001F;
 -    s->regs[PLL_PREDIVISOR] = 0x00000001;
 -    s->regs[CLK_621_TRUE]   = 0x00000001;
 +    s->regs[R_BANDGAP_TRIP]   = 0x0000001F;
 +    s->regs[R_PLL_PREDIVISOR] = 0x00000001;
 +    s->regs[R_CLK_621_TRUE]   = 0x00000001;
      /* 0x200 - 0x25C */
 -    s->regs[FPGA_RST_CTRL]  = 0x01F33F0F;
 -    s->regs[RST_REASON]     = 0x00000040;
 +    s->regs[R_FPGA_RST_CTRL]  = 0x01F33F0F;
 +    s->regs[R_RST_REASON]     = 0x00000040;
 -    s->regs[BOOT_MODE]      = 0x00000001;
 +    s->regs[R_BOOT_MODE]      = 0x00000001;
      /* 0x700 - 0x7D4 */
      for (i = 0; i < 54; i++) {
 -        s->regs[MIO + i] = 0x00001601;
 +        s->regs[R_MIO + i] = 0x00001601;
      }
+     for (i = 2; i <= 8; i++) {
-+    a = float16_squash_input_denormal(a, fpst);
+-        s->regs[MIO + i] = 0x00000601;
-+
++        s->regs[R_MIO + i] = 0x00000601;
      val16 = float16_val(a);
      sbit = 0x8000 & val16;
      exp = extract32(val16, 10, 5);
@@ -XXX,XX +XXX,XX @@ float32 HELPER(frecpx_f32)(float32 a, void *fpstp)
          return nan;
      }
-+    a = float32_squash_input_denormal(a, fpst);
+-    s->regs[MIO_MST_TRI0] = s->regs[MIO_MST_TRI1] = 0xFFFFFFFF;
-+
++    s->regs[R_MIO_MST_TRI0] = s->regs[R_MIO_MST_TRI1] = 0xFFFFFFFF;
-     val32 = float32_val(a);
-     sbit = 0x80000000ULL & val32;
+-    s->regs[CPU_RAM + 0] = s->regs[CPU_RAM + 1] = s->regs[CPU_RAM + 3]
-     exp = extract32(val32, 23, 8);
+-                         = s->regs[CPU_RAM + 4] = s->regs[CPU_RAM + 7]
-@@ -XXX,XX +XXX,XX @@ float64 HELPER(frecpx_f64)(float64 a, void *fpstp)
+-                         = 0x00010101;
-         return nan;
+-    s->regs[CPU_RAM + 2] = s->regs[CPU_RAM + 5] = 0x01010101;
 -    s->regs[CPU_RAM + 6] = 0x00000001;
 +    s->regs[R_CPU_RAM + 0] = s->regs[R_CPU_RAM + 1] = s->regs[R_CPU_RAM + 3]
 +                           = s->regs[R_CPU_RAM + 4] = s->regs[R_CPU_RAM + 7]
 +                           = 0x00010101;
 +    s->regs[R_CPU_RAM + 2] = s->regs[R_CPU_RAM + 5] = 0x01010101;
 +    s->regs[R_CPU_RAM + 6] = 0x00000001;
 -    s->regs[IOU + 0] = s->regs[IOU + 1] = s->regs[IOU + 2] = s->regs[IOU + 3]
 -                     = 0x09090909;
 -    s->regs[IOU + 4] = s->regs[IOU + 5] = 0x00090909;
 -    s->regs[IOU + 6] = 0x00000909;
 +    s->regs[R_IOU + 0] = s->regs[R_IOU + 1] = s->regs[R_IOU + 2]
 +                       = s->regs[R_IOU + 3] = 0x09090909;
 +    s->regs[R_IOU + 4] = s->regs[R_IOU + 5] = 0x00090909;
 +    s->regs[R_IOU + 6] = 0x00000909;
 -    s->regs[DMAC_RAM] = 0x00000009;
 +    s->regs[R_DMAC_RAM] = 0x00000009;
 -    s->regs[AFI0 + 0] = s->regs[AFI0 + 1] = 0x09090909;
 -    s->regs[AFI1 + 0] = s->regs[AFI1 + 1] = 0x09090909;
 -    s->regs[AFI2 + 0] = s->regs[AFI2 + 1] = 0x09090909;
 -    s->regs[AFI3 + 0] = s->regs[AFI3 + 1] = 0x09090909;
 -    s->regs[AFI0 + 2] = s->regs[AFI1 + 2] = s->regs[AFI2 + 2]
 -                      = s->regs[AFI3 + 2] = 0x00000909;
 +    s->regs[R_AFI0 + 0] = s->regs[R_AFI0 + 1] = 0x09090909;
 +    s->regs[R_AFI1 + 0] = s->regs[R_AFI1 + 1] = 0x09090909;
 +    s->regs[R_AFI2 + 0] = s->regs[R_AFI2 + 1] = 0x09090909;
 +    s->regs[R_AFI3 + 0] = s->regs[R_AFI3 + 1] = 0x09090909;
 +    s->regs[R_AFI0 + 2] = s->regs[R_AFI1 + 2] = s->regs[R_AFI2 + 2]
 +                        = s->regs[R_AFI3 + 2] = 0x00000909;
 -    s->regs[OCM + 0]    = 0x01010101;
 -    s->regs[OCM + 1]    = s->regs[OCM + 2] = 0x09090909;
 +    s->regs[R_OCM + 0] = 0x01010101;
 +    s->regs[R_OCM + 1] = s->regs[R_OCM + 2] = 0x09090909;
 -    s->regs[DEVCI_RAM]  = 0x00000909;
 -    s->regs[CSG_RAM]    = 0x00000001;
 +    s->regs[R_DEVCI_RAM] = 0x00000909;
 +    s->regs[R_CSG_RAM]   = 0x00000001;
 -    s->regs[DDRIOB + 0] = s->regs[DDRIOB + 1] = s->regs[DDRIOB + 2]
 -                        = s->regs[DDRIOB + 3] = 0x00000e00;
 -    s->regs[DDRIOB + 4] = s->regs[DDRIOB + 5] = s->regs[DDRIOB + 6]
 -                        = 0x00000e00;
 -    s->regs[DDRIOB + 12] = 0x00000021;
 +    s->regs[R_DDRIOB + 0] = s->regs[R_DDRIOB + 1] = s->regs[R_DDRIOB + 2]
 +                          = s->regs[R_DDRIOB + 3] = 0x00000e00;
 +    s->regs[R_DDRIOB + 4] = s->regs[R_DDRIOB + 5] = s->regs[R_DDRIOB + 6]
 +                          = 0x00000e00;
 +    s->regs[R_DDRIOB + 12] = 0x00000021;
  }
  static bool zynq_slcr_check_offset(hwaddr offset, bool rnw)
  {
      switch (offset) {
 -    case LOCK:
 -    case UNLOCK:
 -    case DDR_CAL_START:
 -    case DDR_REF_START:
 +    case R_LOCK:
 +    case R_UNLOCK:
 +    case R_DDR_CAL_START:
 +    case R_DDR_REF_START:
          return !rnw; /* Write only */
 -    case LOCKSTA:
 -    case FPGA0_THR_STA:
 -    case FPGA1_THR_STA:
 -    case FPGA2_THR_STA:
 -    case FPGA3_THR_STA:
 -    case BOOT_MODE:
 -    case PSS_IDCODE:
 -    case DDR_CMD_STA:
 -    case DDR_DFI_STATUS:
 -    case PLL_STATUS:
 +    case R_LOCKSTA:
 +    case R_FPGA0_THR_STA:
 +    case R_FPGA1_THR_STA:
 +    case R_FPGA2_THR_STA:
 +    case R_FPGA3_THR_STA:
 +    case R_BOOT_MODE:
 +    case R_PSS_IDCODE:
 +    case R_DDR_CMD_STA:
 +    case R_DDR_DFI_STATUS:
 +    case R_PLL_STATUS:
          return rnw;/* read only */
 -    case SCL:
 -    case ARM_PLL_CTRL ... IO_PLL_CTRL:
 -    case ARM_PLL_CFG ... IO_PLL_CFG:
 -    case ARM_CLK_CTRL ... TOPSW_CLK_CTRL:
 -    case FPGA0_CLK_CTRL ... FPGA0_THR_CNT:
 -    case FPGA1_CLK_CTRL ... FPGA1_THR_CNT:
 -    case FPGA2_CLK_CTRL ... FPGA2_THR_CNT:
 -    case FPGA3_CLK_CTRL ... FPGA3_THR_CNT:
 -    case BANDGAP_TRIP:
 -    case PLL_PREDIVISOR:
 -    case CLK_621_TRUE:
 -    case PSS_RST_CTRL ... A9_CPU_RST_CTRL:
 -    case RS_AWDT_CTRL:
 -    case RST_REASON:
 -    case REBOOT_STATUS:
 -    case APU_CTRL:
 -    case WDT_CLK_SEL:
 -    case TZ_DMA_NS ... TZ_DMA_PERIPH_NS:
 -    case DDR_URGENT:
 -    case DDR_URGENT_SEL:
 -    case MIO ... MIO + MIO_LENGTH - 1:
 -    case MIO_LOOPBACK ... MIO_MST_TRI1:
 -    case SD0_WP_CD_SEL:
 -    case SD1_WP_CD_SEL:
 -    case LVL_SHFTR_EN:
 -    case OCM_CFG:
 -    case CPU_RAM:
 -    case IOU:
 -    case DMAC_RAM:
 -    case AFI0 ... AFI3 + AFI_LENGTH - 1:
 -    case OCM:
 -    case DEVCI_RAM:
 -    case CSG_RAM:
 -    case GPIOB_CTRL ... GPIOB_CFG_CMOS33:
 -    case GPIOB_CFG_HSTL:
 -    case GPIOB_DRVR_BIAS_CTRL:
 -    case DDRIOB ... DDRIOB + DDRIOB_LENGTH - 1:
 +    case R_SCL:
 +    case R_ARM_PLL_CTRL ... R_IO_PLL_CTRL:
 +    case R_ARM_PLL_CFG ... R_IO_PLL_CFG:
 +    case R_ARM_CLK_CTRL ... R_TOPSW_CLK_CTRL:
 +    case R_FPGA0_CLK_CTRL ... R_FPGA0_THR_CNT:
 +    case R_FPGA1_CLK_CTRL ... R_FPGA1_THR_CNT:
 +    case R_FPGA2_CLK_CTRL ... R_FPGA2_THR_CNT:
 +    case R_FPGA3_CLK_CTRL ... R_FPGA3_THR_CNT:
 +    case R_BANDGAP_TRIP:
 +    case R_PLL_PREDIVISOR:
 +    case R_CLK_621_TRUE:
 +    case R_PSS_RST_CTRL ... R_A9_CPU_RST_CTRL:
 +    case R_RS_AWDT_CTRL:
 +    case R_RST_REASON:
 +    case R_REBOOT_STATUS:
 +    case R_APU_CTRL:
 +    case R_WDT_CLK_SEL:
 +    case R_TZ_DMA_NS ... R_TZ_DMA_PERIPH_NS:
 +    case R_DDR_URGENT:
 +    case R_DDR_URGENT_SEL:
 +    case R_MIO ... R_MIO + MIO_LENGTH - 1:
 +    case R_MIO_LOOPBACK ... R_MIO_MST_TRI1:
 +    case R_SD0_WP_CD_SEL:
 +    case R_SD1_WP_CD_SEL:
 +    case R_LVL_SHFTR_EN:
 +    case R_OCM_CFG:
 +    case R_CPU_RAM:
 +    case R_IOU:
 +    case R_DMAC_RAM:
 +    case R_AFI0 ... R_AFI3 + AFI_LENGTH - 1:
 +    case R_OCM:
 +    case R_DEVCI_RAM:
 +    case R_CSG_RAM:
 +    case R_GPIOB_CTRL ... R_GPIOB_CFG_CMOS33:
 +    case R_GPIOB_CFG_HSTL:
 +    case R_GPIOB_DRVR_BIAS_CTRL:
 +    case R_DDRIOB ... R_DDRIOB + DDRIOB_LENGTH - 1:
          return true;
      default:
          return false;
@@ -XXX,XX +XXX,XX @@ static void zynq_slcr_write(void *opaque, hwaddr offset,
      }
-+    a = float64_squash_input_denormal(a, fpst);
+     switch (offset) {
-+
+-    case SCL:
-     val64 = float64_val(a);
+-        s->regs[SCL] = val & 0x1;
-     sbit = 0x8000000000000000ULL & val64;
++    case R_SCL:
-     exp = extract64(float64_val(a), 52, 11);
++        s->regs[R_SCL] = val & 0x1;
          return;
 -    case LOCK:
 +    case R_LOCK:
          if ((val & 0xFFFF) == XILINX_LOCK_KEY) {
              DB_PRINT("XILINX LOCK 0xF8000000 + 0x%x <= 0x%x\n", (int)offset,
                  (unsigned)val & 0xFFFF);
 -            s->regs[LOCKSTA] = 1;
 +            s->regs[R_LOCKSTA] = 1;
          } else {
              DB_PRINT("WRONG XILINX LOCK KEY 0xF8000000 + 0x%x <= 0x%x\n",
                  (int)offset, (unsigned)val & 0xFFFF);
          }
          return;
 -    case UNLOCK:
 +    case R_UNLOCK:
          if ((val & 0xFFFF) == XILINX_UNLOCK_KEY) {
              DB_PRINT("XILINX UNLOCK 0xF8000000 + 0x%x <= 0x%x\n", (int)offset,
                  (unsigned)val & 0xFFFF);
 -            s->regs[LOCKSTA] = 0;
 +            s->regs[R_LOCKSTA] = 0;
          } else {
              DB_PRINT("WRONG XILINX UNLOCK KEY 0xF8000000 + 0x%x <= 0x%x\n",
                  (int)offset, (unsigned)val & 0xFFFF);
@@ -XXX,XX +XXX,XX @@ static void zynq_slcr_write(void *opaque, hwaddr offset,
          return;
      }
 -    if (s->regs[LOCKSTA]) {
 +    if (s->regs[R_LOCKSTA]) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "SCLR registers are locked. Unlock them first\n");
          return;
@@ -XXX,XX +XXX,XX @@ static void zynq_slcr_write(void *opaque, hwaddr offset,
      s->regs[offset] = val;
      switch (offset) {
 -    case PSS_RST_CTRL:
 -        if (val & R_PSS_RST_CTRL_SOFT_RST) {
 +    case R_PSS_RST_CTRL:
 +        if (FIELD_EX32(val, PSS_RST_CTRL, SOFT_RST)) {
              qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
          }
          break;
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 23/25] vmstate.h: Provide VMSTATE_BOOL_SUB_ARRAY
+[Qemu-devel] [PULL 03/29] Set ENET_BD_BDU in I.MX FEC controller
-Provide a VMSTATE_BOOL_SUB_ARRAY to go with VMSTATE_UINT8_SUB_ARRAY
+From: Aaron Hill <aa1ronham@gmail.com>
 and friends.
+This commit properly sets the ENET_BD_BDU flag once the emulated FEC controller
+has finished processing the last descriptor. This is done for both transmit
+and receive descriptors.
+This allows the QNX 7.0.0 BSP for the Sabrelite board (which can be
+found at http://blackberry.qnx.com/en/developers/bsp) to properly
+control the FEC. Without this patch, the BSP ethernet driver will never
+re-use FEC descriptors, as the unset ENET_BD_BDU flag will cause
+it to believe that the descriptors are still in use by the NIC.
+Note that Linux does not appear to use this field at all, and is
+unaffected by this patch.
+Without this patch, QNX will think that the NIC is still processing its
+transaction descriptors, and won't send any more data over the network.
+For reference:
+On page 1192 of the I.MX 6DQ reference manual revision (Rev. 5, 06/2018),
+which can be found at https://www.nxp.com/products/processors-and-microcontrollers/arm-based-processors-and-mcus/i.mx-applications-processors/i.mx-6-processors/i.mx-6quad-processors-high-performance-3d-graphics-hd-video-arm-cortex-a9-core:i.MX6Q?&tab=Documentation_Tab&linkline=Application-Note
+the 'BDU' field is described as follows for the 'Enhanced transmit
+buffer descriptor':
+'Last buffer descriptor update done. Indicates that the last BD data has been updated by
+uDMA. This field is written by the user (=0) and uDMA (=1).'
+The same description is used for the receive buffer descriptor.
+Signed-off-by: Aaron Hill <aa1ronham@gmail.com>
+Message-id: 20190805142417.10433-1-aaron.hill@alertinnovation.com
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20180521140402.23318-23-peter.maydell@linaro.org
 ---
- include/migration/vmstate.h | 3 +++
+ hw/net/imx_fec.c | 4 ++++
-file changed, 3 insertions(+)
+file changed, 4 insertions(+)
-diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
+diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/migration/vmstate.h
+--- a/hw/net/imx_fec.c
-+++ b/include/migration/vmstate.h
++++ b/hw/net/imx_fec.c
-@@ -XXX,XX +XXX,XX @@ extern const VMStateInfo vmstate_info_qtailq;
+@@ -XXX,XX +XXX,XX @@ static void imx_enet_do_tx(IMXFECState *s, uint32_t index)
- #define VMSTATE_BOOL_ARRAY(_f, _s, _n)                               \
+             if (bd.option & ENET_BD_TX_INT) {
-     VMSTATE_BOOL_ARRAY_V(_f, _s, _n, 0)
+                 s->regs[ENET_EIR] |= int_txf;
+             }
-+#define VMSTATE_BOOL_SUB_ARRAY(_f, _s, _start, _num)                \
++            /* Indicate that we've updated the last buffer descriptor. */
-+    VMSTATE_SUB_ARRAY(_f, _s, _start, _num, 0, vmstate_info_bool, bool)
++            bd.last_buffer = ENET_BD_BDU;
-+
+         }
- #define VMSTATE_UINT16_ARRAY_V(_f, _s, _n, _v)                         \
+         if (bd.option & ENET_BD_TX_INT) {
-     VMSTATE_ARRAY(_f, _s, _n, _v, vmstate_info_uint16, uint16_t)
+             s->regs[ENET_EIR] |= int_txb;
+@@ -XXX,XX +XXX,XX @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
              /* Last buffer in frame.  */
              bd.flags |= flags | ENET_BD_L;
              FEC_PRINTF("rx frame flags %04x\n", bd.flags);
 +            /* Indicate that we've updated the last buffer descriptor. */
 +            bd.last_buffer = ENET_BD_BDU;
              if (bd.option & ENET_BD_RX_INT) {
                  s->regs[ENET_EIR] |= ENET_INT_RXF;
              }
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 14/25] Make address_space_access_valid() take a MemTxAttrs argument
+[Qemu-devel] [PULL 04/29] target/arm: Factor out 'generate singlestep exception' function
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+Factor out code to 'generate a singlestep exception', which is
-add MemTxAttrs as an argument to address_space_access_valid().
+currently repeated in four places.
-Its callers either have an attrs value to hand, or don't care
-and can use MEMTXATTRS_UNSPECIFIED.
+To do this we need to also pull the identical copies of the
 gen-exception() function out of translate-a64.c and translate.c
 into translate.h.
 (There is a bug in the code: we're taking the exception to the wrong
 target EL.  This will be simpler to fix if there's only one place to
 do it.)
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20190805130952.4415-2-peter.maydell@linaro.org
 Message-id: 20180521140402.23318-6-peter.maydell@linaro.org
 ---
- include/exec/memory.h      | 4 +++-
+ target/arm/translate.h     | 23 +++++++++++++++++++++++
- include/sysemu/dma.h       | 3 ++-
+ target/arm/translate-a64.c | 19 ++-----------------
- exec.c                     | 3 ++-
+ target/arm/translate.c     | 20 ++------------------
- target/s390x/diag.c        | 6 ++++--
+files changed, 27 insertions(+), 35 deletions(-)
  target/s390x/excp_helper.c | 3 ++-
  target/s390x/mmu_helper.c  | 3 ++-
  target/s390x/sigp.c        | 3 ++-
 files changed, 17 insertions(+), 8 deletions(-)
-diff --git a/include/exec/memory.h b/include/exec/memory.h
+diff --git a/target/arm/translate.h b/target/arm/translate.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/memory.h
+--- a/target/arm/translate.h
-+++ b/include/exec/memory.h
++++ b/target/arm/translate.h
-@@ -XXX,XX +XXX,XX @@ static inline MemoryRegion *address_space_translate(AddressSpace *as,
+@@ -XXX,XX +XXX,XX @@
-  * @addr: address within that address space
+ #define TARGET_ARM_TRANSLATE_H
-  * @len: length of the area to be checked
-  * @is_write: indicates the transfer direction
+ #include "exec/translator.h"
-+ * @attrs: memory attributes
++#include "internals.h"
-  */
--bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len, bool is_write);
-+bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len,
+ /* internal defines */
-+                                bool is_write, MemTxAttrs attrs);
+@@ -XXX,XX +XXX,XX @@ static inline void gen_ss_advance(DisasContext *s)
+     }
- /* address_space_map: map a physical memory region into a host virtual address
+ }
-  *
-diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
++static inline void gen_exception(int excp, uint32_t syndrome,
 +                                 uint32_t target_el)
 +{
 +    TCGv_i32 tcg_excp = tcg_const_i32(excp);
 +    TCGv_i32 tcg_syn = tcg_const_i32(syndrome);
 +    TCGv_i32 tcg_el = tcg_const_i32(target_el);
 +
 +    gen_helper_exception_with_syndrome(cpu_env, tcg_excp,
 +                                       tcg_syn, tcg_el);
 +
 +    tcg_temp_free_i32(tcg_el);
 +    tcg_temp_free_i32(tcg_syn);
 +    tcg_temp_free_i32(tcg_excp);
 +}
 +
 +/* Generate an architectural singlestep exception */
 +static inline void gen_swstep_exception(DisasContext *s, int isv, int ex)
 +{
 +    gen_exception(EXCP_UDEF, syn_swstep(s->ss_same_el, isv, ex),
 +                  default_exception_el(s));
 +}
 +
  /*
   * Given a VFP floating point constant encoded into an 8 bit immediate in an
   * instruction, expand it to the actual constant value of the specified
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/sysemu/dma.h
+--- a/target/arm/translate-a64.c
-+++ b/include/sysemu/dma.h
++++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static inline bool dma_memory_valid(AddressSpace *as,
+@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
-                                     DMADirection dir)
+     tcg_temp_free_i32(tcg_excp);
  }
 -static void gen_exception(int excp, uint32_t syndrome, uint32_t target_el)
 -{
 -    TCGv_i32 tcg_excp = tcg_const_i32(excp);
 -    TCGv_i32 tcg_syn = tcg_const_i32(syndrome);
 -    TCGv_i32 tcg_el = tcg_const_i32(target_el);
 -
 -    gen_helper_exception_with_syndrome(cpu_env, tcg_excp,
 -                                       tcg_syn, tcg_el);
 -    tcg_temp_free_i32(tcg_el);
 -    tcg_temp_free_i32(tcg_syn);
 -    tcg_temp_free_i32(tcg_excp);
 -}
 -
  static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
  {
-     return address_space_access_valid(as, addr, len,
+     gen_a64_set_pc_im(s->pc - offset);
--                                      dir == DMA_DIRECTION_FROM_DEVICE);
+@@ -XXX,XX +XXX,XX @@ static void gen_step_complete_exception(DisasContext *s)
-+                                      dir == DMA_DIRECTION_FROM_DEVICE,
+      * of the exception, and our syndrome information is always correct.
-+                                      MEMTXATTRS_UNSPECIFIED);
+      */
      gen_ss_advance(s);
 -    gen_exception(EXCP_UDEF, syn_swstep(s->ss_same_el, 1, s->is_ldex),
 -                  default_exception_el(s));
 +    gen_swstep_exception(s, 1, s->is_ldex);
      s->base.is_jmp = DISAS_NORETURN;
  }
- static inline int dma_memory_rw_relaxed(AddressSpace *as, dma_addr_t addr,
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
-diff --git a/exec.c b/exec.c
+          * bits should be zero.
           */
          assert(dc->base.num_insns == 1);
 -        gen_exception(EXCP_UDEF, syn_swstep(dc->ss_same_el, 0, 0),
 -                      default_exception_el(dc));
 +        gen_swstep_exception(dc, 0, 0);
          dc->base.is_jmp = DISAS_NORETURN;
      } else {
          disas_a64_insn(env, dc);
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/exec.c
+--- a/target/arm/translate.c
-+++ b/exec.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
+@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
      tcg_temp_free_i32(tcg_excp);
  }
- bool address_space_access_valid(AddressSpace *as, hwaddr addr,
+-static void gen_exception(int excp, uint32_t syndrome, uint32_t target_el)
--                                int len, bool is_write)
+-{
-+                                int len, bool is_write,
+-    TCGv_i32 tcg_excp = tcg_const_i32(excp);
-+                                MemTxAttrs attrs)
+-    TCGv_i32 tcg_syn = tcg_const_i32(syndrome);
 -    TCGv_i32 tcg_el = tcg_const_i32(target_el);
 -
 -    gen_helper_exception_with_syndrome(cpu_env, tcg_excp,
 -                                       tcg_syn, tcg_el);
 -
 -    tcg_temp_free_i32(tcg_el);
 -    tcg_temp_free_i32(tcg_syn);
 -    tcg_temp_free_i32(tcg_excp);
 -}
 -
  static void gen_step_complete_exception(DisasContext *s)
  {
-     FlatView *fv;
+     /* We just completed step of an insn. Move from Active-not-pending
-     bool result;
+@@ -XXX,XX +XXX,XX @@ static void gen_step_complete_exception(DisasContext *s)
-diff --git a/target/s390x/diag.c b/target/s390x/diag.c
+      * of the exception, and our syndrome information is always correct.
-index XXXXXXX..XXXXXXX 100644
+      */
---- a/target/s390x/diag.c
+     gen_ss_advance(s);
-+++ b/target/s390x/diag.c
+-    gen_exception(EXCP_UDEF, syn_swstep(s->ss_same_el, 1, s->is_ldex),
-@@ -XXX,XX +XXX,XX @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
+-                  default_exception_el(s));
-             return;
++    gen_swstep_exception(s, 1, s->is_ldex);
-         }
+     s->base.is_jmp = DISAS_NORETURN;
-         if (!address_space_access_valid(&address_space_memory, addr,
+ }
--                                        sizeof(IplParameterBlock), false)) {
-+                                        sizeof(IplParameterBlock), false,
+@@ -XXX,XX +XXX,XX @@ static bool arm_pre_translate_insn(DisasContext *dc)
-+                                        MEMTXATTRS_UNSPECIFIED)) {
+          * bits should be zero.
-             s390_program_interrupt(env, PGM_ADDRESSING, ILEN_AUTO, ra);
+          */
-             return;
+         assert(dc->base.num_insns == 1);
-         }
+-        gen_exception(EXCP_UDEF, syn_swstep(dc->ss_same_el, 0, 0),
-@@ -XXX,XX +XXX,XX @@ out:
+-                      default_exception_el(dc));
-             return;
++        gen_swstep_exception(dc, 0, 0);
-         }
+         dc->base.is_jmp = DISAS_NORETURN;
-         if (!address_space_access_valid(&address_space_memory, addr,
+         return true;
 -                                        sizeof(IplParameterBlock), true)) {
 +                                        sizeof(IplParameterBlock), true,
 +                                        MEMTXATTRS_UNSPECIFIED)) {
              s390_program_interrupt(env, PGM_ADDRESSING, ILEN_AUTO, ra);
              return;
          }
 diff --git a/target/s390x/excp_helper.c b/target/s390x/excp_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/s390x/excp_helper.c
 +++ b/target/s390x/excp_helper.c
@@ -XXX,XX +XXX,XX @@ int s390_cpu_handle_mmu_fault(CPUState *cs, vaddr orig_vaddr, int size,
      /* check out of RAM access */
      if (!address_space_access_valid(&address_space_memory, raddr,
 -                                    TARGET_PAGE_SIZE, rw)) {
 +                                    TARGET_PAGE_SIZE, rw,
 +                                    MEMTXATTRS_UNSPECIFIED)) {
          DPRINTF("%s: raddr %" PRIx64 " > ram_size %" PRIx64 "\n", __func__,
                  (uint64_t)raddr, (uint64_t)ram_size);
          trigger_pgm_exception(env, PGM_ADDRESSING, ILEN_AUTO);
 diff --git a/target/s390x/mmu_helper.c b/target/s390x/mmu_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/s390x/mmu_helper.c
 +++ b/target/s390x/mmu_helper.c
@@ -XXX,XX +XXX,XX @@ static int translate_pages(S390CPU *cpu, vaddr addr, int nr_pages,
              return ret;
          }
          if (!address_space_access_valid(&address_space_memory, pages[i],
 -                                        TARGET_PAGE_SIZE, is_write)) {
 +                                        TARGET_PAGE_SIZE, is_write,
 +                                        MEMTXATTRS_UNSPECIFIED)) {
              trigger_access_exception(env, PGM_ADDRESSING, ILEN_AUTO, 0);
              return -EFAULT;
          }
 diff --git a/target/s390x/sigp.c b/target/s390x/sigp.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/s390x/sigp.c
 +++ b/target/s390x/sigp.c
@@ -XXX,XX +XXX,XX @@ static void sigp_set_prefix(CPUState *cs, run_on_cpu_data arg)
      cpu_synchronize_state(cs);
      if (!address_space_access_valid(&address_space_memory, addr,
 -                                    sizeof(struct LowCore), false)) {
 +                                    sizeof(struct LowCore), false,
 +                                    MEMTXATTRS_UNSPECIFIED)) {
          set_sigp_status(si, SIGP_STAT_INVALID_PARAMETER);
          return;
      }
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 17/25] Make MemoryRegion valid.accepts callback take a MemTxAttrs argument
+[Qemu-devel] [PULL 05/29] target/arm: Fix routing of singlestep exceptions
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+When generating an architectural single-step exception we were
-add MemTxAttrs as an argument to the MemoryRegion valid.accepts
+routing it to the "default exception level", which is to say
-callback. We'll need this for subpage_accepts().
+the same exception level we execute at except that EL0 exceptions
 go to EL1. This is incorrect because the debug exception level
 can be configured by the guest for situations such as single
 stepping of EL0 and EL1 code by EL2.
-We could take the approach we used with the read and write
+We have to track the target debug exception level in the TB
-callbacks and add new a new _with_attrs version, but since there
+flags, because it is dependent on CPU state like HCR_EL2.TGE
-are so few implementations of the accepts hook we just change
+and MDCR_EL2.TDE. (That we were previously calling the
-them all.
+arm_debug_target_el() function to determine dc->ss_same_el
 is itself a bug, though one that would only have manifested
 as incorrect syndrome information.) Since we are out of TB
 flag bits unless we want to expand into the cs_base field,
 we share some bits with the M-profile only HANDLER and
 STACKCHECK bits, since only A-profile has this singlestep.
+Fixes: https://bugs.launchpad.net/qemu/+bug/1838913
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Tested-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20180521140402.23318-9-peter.maydell@linaro.org
+Message-id: 20190805130952.4415-3-peter.maydell@linaro.org
 ---
- include/exec/memory.h |  3 ++-
+ target/arm/cpu.h           |  5 +++++
- exec.c                |  9 ++++++---
+ target/arm/translate.h     | 15 +++++++++++----
- hw/hppa/dino.c        |  3 ++-
+ target/arm/helper.c        |  6 ++++++
- hw/nvram/fw_cfg.c     | 12 ++++++++----
+ target/arm/translate-a64.c |  2 +-
- hw/scsi/esp.c         |  3 ++-
+ target/arm/translate.c     |  4 +++-
- hw/xen/xen_pt_msi.c   |  3 ++-
+files changed, 26 insertions(+), 6 deletions(-)
  memory.c              |  5 +++--
 files changed, 25 insertions(+), 13 deletions(-)
-diff --git a/include/exec/memory.h b/include/exec/memory.h
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/memory.h
+--- a/target/arm/cpu.h
-+++ b/include/exec/memory.h
++++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ struct MemoryRegionOps {
+@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_ANY, PSTATE_SS, 26, 1)
-          * as a machine check exception).
+ /* Target EL if we take a floating-point-disabled exception */
-          */
+ FIELD(TBFLAG_ANY, FPEXC_EL, 24, 2)
-         bool (*accepts)(void *opaque, hwaddr addr,
+ FIELD(TBFLAG_ANY, BE_DATA, 23, 1)
--                        unsigned size, bool is_write);
++/*
-+                        unsigned size, bool is_write,
++ * For A-profile only, target EL for debug exceptions.
-+                        MemTxAttrs attrs);
++ * Note that this overlaps with the M-profile-only HANDLER and STACKCHECK bits.
-     } valid;
++ */
-     /* Internal implementation constraints: */
++FIELD(TBFLAG_ANY, DEBUG_TARGET_EL, 21, 2)
-     struct {
-diff --git a/exec.c b/exec.c
+ /* Bit usage when in AArch32 state: */
  FIELD(TBFLAG_A32, THUMB, 0, 1)
 diff --git a/target/arm/translate.h b/target/arm/translate.h
 index XXXXXXX..XXXXXXX 100644
---- a/exec.c
+--- a/target/arm/translate.h
-+++ b/exec.c
++++ b/target/arm/translate.h
-@@ -XXX,XX +XXX,XX @@ static void notdirty_mem_write(void *opaque, hwaddr ram_addr,
+@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
      uint32_t svc_imm;
      int aarch64;
      int current_el;
 +    /* Debug target exception level for single-step exceptions */
 +    int debug_target_el;
      GHashTable *cp_regs;
      uint64_t features; /* CPU features bits */
      /* Because unallocated encodings generate different exception syndrome
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
       * ie A64 LDX*, LDAX*, A32/T32 LDREX*, LDAEX*.
       */
      bool is_ldex;
 -    /* True if a single-step exception will be taken to the current EL */
 -    bool ss_same_el;
      /* True if v8.3-PAuth is active.  */
      bool pauth_active;
      /* True with v8.5-BTI and SCTLR_ELx.BT* set.  */
@@ -XXX,XX +XXX,XX @@ static inline void gen_exception(int excp, uint32_t syndrome,
  /* Generate an architectural singlestep exception */
  static inline void gen_swstep_exception(DisasContext *s, int isv, int ex)
  {
 -    gen_exception(EXCP_UDEF, syn_swstep(s->ss_same_el, isv, ex),
 -                  default_exception_el(s));
 +    bool same_el = (s->debug_target_el == s->current_el);
 +
 +    /*
 +     * If singlestep is targeting a lower EL than the current one,
 +     * then s->ss_active must be false and we can never get here.
 +     */
 +    assert(s->debug_target_el >= s->current_el);
 +
 +    gen_exception(EXCP_UDEF, syn_swstep(same_el, isv, ex), s->debug_target_el);
  }
- static bool notdirty_mem_accepts(void *opaque, hwaddr addr,
+ /*
--                                 unsigned size, bool is_write)
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 +                                 unsigned size, bool is_write,
 +                                 MemTxAttrs attrs)
  {
      return is_write;
  }
@@ -XXX,XX +XXX,XX @@ static MemTxResult subpage_write(void *opaque, hwaddr addr,
  }
  static bool subpage_accepts(void *opaque, hwaddr addr,
 -                            unsigned len, bool is_write)
 +                            unsigned len, bool is_write,
 +                            MemTxAttrs attrs)
  {
      subpage_t *subpage = opaque;
  #if defined(DEBUG_SUBPAGE)
@@ -XXX,XX +XXX,XX @@ static void readonly_mem_write(void *opaque, hwaddr addr,
  }
  static bool readonly_mem_accepts(void *opaque, hwaddr addr,
 -                                 unsigned size, bool is_write)
 +                                 unsigned size, bool is_write,
 +                                 MemTxAttrs attrs)
  {
      return is_write;
  }
 diff --git a/hw/hppa/dino.c b/hw/hppa/dino.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/hppa/dino.c
+--- a/target/arm/helper.c
-+++ b/hw/hppa/dino.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void gsc_to_pci_forwarding(DinoState *s)
+@@ -XXX,XX +XXX,XX @@ void cpu_get_tb_cpu_state(CPUARMState *env, target_ulong *pc,
  }
  static bool dino_chip_mem_valid(void *opaque, hwaddr addr,
 -                                unsigned size, bool is_write)
 +                                unsigned size, bool is_write,
 +                                MemTxAttrs attrs)
  {
      switch (addr) {
      case DINO_IAR0:
 diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/nvram/fw_cfg.c
 +++ b/hw/nvram/fw_cfg.c
@@ -XXX,XX +XXX,XX @@ static void fw_cfg_dma_mem_write(void *opaque, hwaddr addr,
  }
  static bool fw_cfg_dma_mem_valid(void *opaque, hwaddr addr,
 -                                  unsigned size, bool is_write)
 +                                 unsigned size, bool is_write,
 +                                 MemTxAttrs attrs)
  {
      return !is_write || ((size == 4 && (addr == 0 || addr == 4)) ||
                           (size == 8 && addr == 0));
  }
  static bool fw_cfg_data_mem_valid(void *opaque, hwaddr addr,
 -                                  unsigned size, bool is_write)
 +                                  unsigned size, bool is_write,
 +                                  MemTxAttrs attrs)
  {
      return addr == 0;
  }
@@ -XXX,XX +XXX,XX @@ static void fw_cfg_ctl_mem_write(void *opaque, hwaddr addr,
  }
  static bool fw_cfg_ctl_mem_valid(void *opaque, hwaddr addr,
 -                                 unsigned size, bool is_write)
 +                                 unsigned size, bool is_write,
 +                                 MemTxAttrs attrs)
  {
      return is_write && size == 2;
  }
@@ -XXX,XX +XXX,XX @@ static void fw_cfg_comb_write(void *opaque, hwaddr addr,
  }
  static bool fw_cfg_comb_valid(void *opaque, hwaddr addr,
 -                                  unsigned size, bool is_write)
 +                              unsigned size, bool is_write,
 +                              MemTxAttrs attrs)
  {
      return (size == 1) || (is_write && size == 2);
  }
 diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/scsi/esp.c
 +++ b/hw/scsi/esp.c
@@ -XXX,XX +XXX,XX @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
  }
  static bool esp_mem_accepts(void *opaque, hwaddr addr,
 -                            unsigned size, bool is_write)
 +                            unsigned size, bool is_write,
 +                            MemTxAttrs attrs)
  {
      return (size == 1) || (is_write && size == 4);
  }
 diff --git a/hw/xen/xen_pt_msi.c b/hw/xen/xen_pt_msi.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/xen/xen_pt_msi.c
 +++ b/hw/xen/xen_pt_msi.c
@@ -XXX,XX +XXX,XX @@ static uint64_t pci_msix_read(void *opaque, hwaddr addr,
  }
  static bool pci_msix_accepts(void *opaque, hwaddr addr,
 -                             unsigned size, bool is_write)
 +                             unsigned size, bool is_write,
 +                             MemTxAttrs attrs)
  {
      return !(addr & (size - 1));
  }
 diff --git a/memory.c b/memory.c
 index XXXXXXX..XXXXXXX 100644
 --- a/memory.c
 +++ b/memory.c
@@ -XXX,XX +XXX,XX @@ static void unassigned_mem_write(void *opaque, hwaddr addr,
  }
  static bool unassigned_mem_accepts(void *opaque, hwaddr addr,
 -                                   unsigned size, bool is_write)
 +                                   unsigned size, bool is_write,
 +                                   MemTxAttrs attrs)
  {
      return false;
  }
@@ -XXX,XX +XXX,XX @@ bool memory_region_access_valid(MemoryRegion *mr,
      access_size = MAX(MIN(size, access_size_max), access_size_min);
      for (i = 0; i < size; i += access_size) {
          if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
 -                                    is_write)) {
 +                                    is_write, attrs)) {
              return false;
          }
      }
++    if (!arm_feature(env, ARM_FEATURE_M)) {
++        int target_el = arm_debug_target_el(env);
++
++        flags = FIELD_DP32(flags, TBFLAG_ANY, DEBUG_TARGET_EL, target_el);
++    }
++
+     *pflags = flags;
+     *cs_base = 0;
+ }
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-a64.c
++++ b/target/arm/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
+     dc->ss_active = FIELD_EX32(tb_flags, TBFLAG_ANY, SS_ACTIVE);
+     dc->pstate_ss = FIELD_EX32(tb_flags, TBFLAG_ANY, PSTATE_SS);
+     dc->is_ldex = false;
+-    dc->ss_same_el = (arm_debug_target_el(env) == dc->current_el);
++    dc->debug_target_el = FIELD_EX32(tb_flags, TBFLAG_ANY, DEBUG_TARGET_EL);
+     /* Bound the number of insns to execute to those left on the page.  */
+     bound = -(dc->base.pc_first | TARGET_PAGE_MASK) / 4;
+diff --git a/target/arm/translate.c b/target/arm/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate.c
++++ b/target/arm/translate.c
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
+     dc->ss_active = FIELD_EX32(tb_flags, TBFLAG_ANY, SS_ACTIVE);
+     dc->pstate_ss = FIELD_EX32(tb_flags, TBFLAG_ANY, PSTATE_SS);
+     dc->is_ldex = false;
+-    dc->ss_same_el = false; /* Can't be true since EL_d must be AArch64 */
++    if (!arm_feature(env, ARM_FEATURE_M)) {
++        dc->debug_target_el = FIELD_EX32(tb_flags, TBFLAG_ANY, DEBUG_TARGET_EL);
++    }
+     dc->page_start = dc->base.pc_first & TARGET_PAGE_MASK;
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 11/25] Make tb_invalidate_phys_addr() take a MemTxAttrs argument
+[Qemu-devel] [PULL 06/29] target/arm: Pass in pc to thumb_insn_is_16bit
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+From: Richard Henderson <richard.henderson@linaro.org>
 add MemTxAttrs as an argument to tb_invalidate_phys_addr().
 Its callers either have an attrs value to hand, or don't care
 and can use MEMTXATTRS_UNSPECIFIED.
+This function is used in two different contexts, and it will be
+clearer if the function is given the address to which it applies.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20190807045335.1361-2-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20180521140402.23318-3-peter.maydell@linaro.org
 ---
- include/exec/exec-all.h   | 5 +++--
+ target/arm/translate.c | 14 +++++++-------
- accel/tcg/translate-all.c | 2 +-
+file changed, 7 insertions(+), 7 deletions(-)
  exec.c                    | 2 +-
  target/xtensa/op_helper.c | 3 ++-
 files changed, 7 insertions(+), 5 deletions(-)
-diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/exec-all.h
+--- a/target/arm/translate.c
-+++ b/include/exec/exec-all.h
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr,
+@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
  void tlb_set_page(CPUState *cpu, target_ulong vaddr,
                    hwaddr paddr, int prot,
                    int mmu_idx, target_ulong size);
 -void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr);
 +void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs);
  void probe_write(CPUArchState *env, target_ulong addr, int size, int mmu_idx,
                   uintptr_t retaddr);
  #else
@@ -XXX,XX +XXX,XX @@ static inline void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *cpu,
                                                         uint16_t idxmap)
  {
  }
 -static inline void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr)
 +static inline void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr,
 +                                           MemTxAttrs attrs)
  {
  }
  #endif
 diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/translate-all.c
 +++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
  }
  #if !defined(CONFIG_USER_ONLY)
 -void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr)
 +void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs)
  {
      ram_addr_t ram_addr;
      MemoryRegion *mr;
 diff --git a/exec.c b/exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/exec.c
 +++ b/exec.c
@@ -XXX,XX +XXX,XX @@ static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
      if (phys != -1) {
          /* Locks grabbed by tb_invalidate_phys_addr */
          tb_invalidate_phys_addr(cpu->cpu_ases[asidx].as,
 -                                phys | (pc & ~TARGET_PAGE_MASK));
 +                                phys | (pc & ~TARGET_PAGE_MASK), attrs);
      }
  }
- #endif
-diff --git a/target/xtensa/op_helper.c b/target/xtensa/op_helper.c
+-static bool thumb_insn_is_16bit(DisasContext *s, uint32_t insn)
-index XXXXXXX..XXXXXXX 100644
++static bool thumb_insn_is_16bit(DisasContext *s, uint32_t pc, uint32_t insn)
---- a/target/xtensa/op_helper.c
+ {
-+++ b/target/xtensa/op_helper.c
+-    /* Return true if this is a 16 bit instruction. We must be precise
-@@ -XXX,XX +XXX,XX @@ static void tb_invalidate_virtual_addr(CPUXtensaState *env, uint32_t vaddr)
+-     * about this (matching the decode).  We assume that s->pc still
-     int ret = xtensa_get_physical_addr(env, false, vaddr, 2, 0,
+-     * points to the first 16 bits of the insn.
-             &paddr, &page_size, &access);
++    /*
-     if (ret == 0) {
++     * Return true if this is a 16 bit instruction. We must be precise
--        tb_invalidate_phys_addr(&address_space_memory, paddr);
++     * about this (matching the decode).
-+        tb_invalidate_phys_addr(&address_space_memory, paddr,
+      */
-+                                MEMTXATTRS_UNSPECIFIED);
+     if ((insn >> 11) < 0x1d) {
          /* Definitely a 16-bit instruction */
@@ -XXX,XX +XXX,XX @@ static bool thumb_insn_is_16bit(DisasContext *s, uint32_t insn)
          return false;
      }
+-    if ((insn >> 11) == 0x1e && s->pc - s->page_start < TARGET_PAGE_SIZE - 3) {
++    if ((insn >> 11) == 0x1e && pc - s->page_start < TARGET_PAGE_SIZE - 3) {
+         /* 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix, and the suffix
+          * is not on the next page; we merge this into a 32-bit
+          * insn.
+@@ -XXX,XX +XXX,XX @@ static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
+      */
+     uint16_t insn = arm_lduw_code(env, s->pc, s->sctlr_b);
+-    return !thumb_insn_is_16bit(s, insn);
++    return !thumb_insn_is_16bit(s, s->pc, insn);
  }
+ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
+@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+     }
+     insn = arm_lduw_code(env, dc->pc, dc->sctlr_b);
+-    is_16bit = thumb_insn_is_16bit(dc, insn);
++    is_16bit = thumb_insn_is_16bit(dc, dc->pc, insn);
+     dc->pc += 2;
+     if (!is_16bit) {
+         uint32_t insn2 = arm_lduw_code(env, dc->pc, dc->sctlr_b);
 --
-.17.1
+.20.1

-New patch
+[Qemu-devel] [PULL 07/29] target/arm: Introduce pc_curr
+From: Richard Henderson <richard.henderson@linaro.org>
 Add a new field to retain the address of the instruction currently
 being translated.  The 32-bit uses are all within subroutines used
 by a32 and t32.  This will become less obvious when t16 support is
 merged with a32+t32, and having a clear definition will help.
 Convert aarch64 as well for consistency.  Note that there is one
 instance of a pre-assert fprintf that used the wrong value for the
 address of the current instruction.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 20190807045335.1361-3-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  target/arm/translate-a64.h |  2 +-
  target/arm/translate.h     |  2 ++
  target/arm/translate-a64.c | 21 +++++++++++----------
  target/arm/translate.c     | 14 ++++++++------
 files changed, 22 insertions(+), 17 deletions(-)
 diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.h
 +++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@ void unallocated_encoding(DisasContext *s);
          qemu_log_mask(LOG_UNIMP,                                         \
                        "%s:%d: unsupported instruction encoding 0x%08x "  \
                        "at pc=%016" PRIx64 "\n",                          \
 -                      __FILE__, __LINE__, insn, s->pc - 4);              \
 +                      __FILE__, __LINE__, insn, s->pc_curr);             \
          unallocated_encoding(s);                                         \
      } while (0)
 diff --git a/target/arm/translate.h b/target/arm/translate.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.h
 +++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
      const ARMISARegisters *isar;
      target_ulong pc;
 +    /* The address of the current instruction being translated. */
 +    target_ulong pc_curr;
      target_ulong page_start;
      uint32_t insn;
      /* Nonzero if this instruction has been conditionally skipped.  */
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline AArch64DecodeFn *lookup_disas_fn(const AArch64DecodeTable *table,
   */
  static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
  {
 -    uint64_t addr = s->pc + sextract32(insn, 0, 26) * 4 - 4;
 +    uint64_t addr = s->pc_curr + sextract32(insn, 0, 26) * 4;
      if (insn & (1U << 31)) {
          /* BL Branch with link */
@@ -XXX,XX +XXX,XX @@ static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
      sf = extract32(insn, 31, 1);
      op = extract32(insn, 24, 1); /* 0: CBZ; 1: CBNZ */
      rt = extract32(insn, 0, 5);
 -    addr = s->pc + sextract32(insn, 5, 19) * 4 - 4;
 +    addr = s->pc_curr + sextract32(insn, 5, 19) * 4;
      tcg_cmp = read_cpu_reg(s, rt, sf);
      label_match = gen_new_label();
@@ -XXX,XX +XXX,XX @@ static void disas_test_b_imm(DisasContext *s, uint32_t insn)
      bit_pos = (extract32(insn, 31, 1) << 5) | extract32(insn, 19, 5);
      op = extract32(insn, 24, 1); /* 0: TBZ; 1: TBNZ */
 -    addr = s->pc + sextract32(insn, 5, 14) * 4 - 4;
 +    addr = s->pc_curr + sextract32(insn, 5, 14) * 4;
      rt = extract32(insn, 0, 5);
      tcg_cmp = tcg_temp_new_i64();
@@ -XXX,XX +XXX,XX @@ static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
          unallocated_encoding(s);
          return;
      }
 -    addr = s->pc + sextract32(insn, 5, 19) * 4 - 4;
 +    addr = s->pc_curr + sextract32(insn, 5, 19) * 4;
      cond = extract32(insn, 0, 4);
      reset_btype(s);
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
          TCGv_i32 tcg_syn, tcg_isread;
          uint32_t syndrome;
 -        gen_a64_set_pc_im(s->pc - 4);
 +        gen_a64_set_pc_im(s->pc_curr);
          tmpptr = tcg_const_ptr(ri);
          syndrome = syn_aa64_sysregtrap(op0, op1, op2, crn, crm, rt, isread);
          tcg_syn = tcg_const_i32(syndrome);
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
              /* The pre HVC helper handles cases when HVC gets trapped
               * as an undefined insn by runtime configuration.
               */
 -            gen_a64_set_pc_im(s->pc - 4);
 +            gen_a64_set_pc_im(s->pc_curr);
              gen_helper_pre_hvc(cpu_env);
              gen_ss_advance(s);
              gen_exception_insn(s, 0, EXCP_HVC, syn_aa64_hvc(imm16), 2);
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
                  unallocated_encoding(s);
                  break;
              }
 -            gen_a64_set_pc_im(s->pc - 4);
 +            gen_a64_set_pc_im(s->pc_curr);
              tmp = tcg_const_i32(syn_aa64_smc(imm16));
              gen_helper_pre_smc(cpu_env, tmp);
              tcg_temp_free_i32(tmp);
@@ -XXX,XX +XXX,XX @@ static void disas_ld_lit(DisasContext *s, uint32_t insn)
      tcg_rt = cpu_reg(s, rt);
 -    clean_addr = tcg_const_i64((s->pc - 4) + imm);
 +    clean_addr = tcg_const_i64(s->pc_curr + imm);
      if (is_vector) {
          do_fp_ld(s, rt, clean_addr, size);
      } else {
@@ -XXX,XX +XXX,XX @@ static void disas_pc_rel_adr(DisasContext *s, uint32_t insn)
      offset = sextract64(insn, 5, 19);
      offset = offset << 2 | extract32(insn, 29, 2);
      rd = extract32(insn, 0, 5);
 -    base = s->pc - 4;
 +    base = s->pc_curr;
      if (page) {
          /* ADRP (page based) */
@@ -XXX,XX +XXX,XX @@ static void disas_simd_three_reg_same_fp16(DisasContext *s, uint32_t insn)
                  break;
              default:
                  fprintf(stderr, "%s: insn %#04x, fpop %#2x @ %#" PRIx64 "\n",
 -                        __func__, insn, fpopcode, s->pc);
 +                        __func__, insn, fpopcode, s->pc_curr);
                  g_assert_not_reached();
              }
@@ -XXX,XX +XXX,XX @@ static void disas_a64_insn(CPUARMState *env, DisasContext *s)
  {
      uint32_t insn;
 +    s->pc_curr = s->pc;
      insn = arm_ldl_code(env, s->pc, s->sctlr_b);
      s->insn = insn;
      s->pc += 4;
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_hvc(DisasContext *s, int imm16)
       * as an undefined insn by runtime configuration (ie before
       * the insn really executes).
       */
 -    gen_set_pc_im(s, s->pc - 4);
 +    gen_set_pc_im(s, s->pc_curr);
      gen_helper_pre_hvc(cpu_env);
      /* Otherwise we will treat this as a real exception which
       * happens after execution of the insn. (The distinction matters
@@ -XXX,XX +XXX,XX @@ static inline void gen_smc(DisasContext *s)
       */
      TCGv_i32 tmp;
 -    gen_set_pc_im(s, s->pc - 4);
 +    gen_set_pc_im(s, s->pc_curr);
      tmp = tcg_const_i32(syn_aa32_smc());
      gen_helper_pre_smc(cpu_env, tmp);
      tcg_temp_free_i32(tmp);
@@ -XXX,XX +XXX,XX @@ static void gen_msr_banked(DisasContext *s, int r, int sysm, int rn)
      /* Sync state because msr_banked() can raise exceptions */
      gen_set_condexec(s);
 -    gen_set_pc_im(s, s->pc - 4);
 +    gen_set_pc_im(s, s->pc_curr);
      tcg_reg = load_reg(s, rn);
      tcg_tgtmode = tcg_const_i32(tgtmode);
      tcg_regno = tcg_const_i32(regno);
@@ -XXX,XX +XXX,XX @@ static void gen_mrs_banked(DisasContext *s, int r, int sysm, int rn)
      /* Sync state because mrs_banked() can raise exceptions */
      gen_set_condexec(s);
 -    gen_set_pc_im(s, s->pc - 4);
 +    gen_set_pc_im(s, s->pc_curr);
      tcg_reg = tcg_temp_new_i32();
      tcg_tgtmode = tcg_const_i32(tgtmode);
      tcg_regno = tcg_const_i32(regno);
@@ -XXX,XX +XXX,XX @@ static int disas_coproc_insn(DisasContext *s, uint32_t insn)
              }
              gen_set_condexec(s);
 -            gen_set_pc_im(s, s->pc - 4);
 +            gen_set_pc_im(s, s->pc_curr);
              tmpptr = tcg_const_ptr(ri);
              tcg_syn = tcg_const_i32(syndrome);
              tcg_isread = tcg_const_i32(isread);
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
      tmp = tcg_const_i32(mode);
      /* get_r13_banked() will raise an exception if called from System mode */
      gen_set_condexec(s);
 -    gen_set_pc_im(s, s->pc - 4);
 +    gen_set_pc_im(s, s->pc_curr);
      gen_helper_get_r13_banked(addr, cpu_env, tmp);
      tcg_temp_free_i32(tmp);
      switch (amode) {
@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          return;
      }
 +    dc->pc_curr = dc->pc;
      insn = arm_ldl_code(env, dc->pc, dc->sctlr_b);
      dc->insn = insn;
      dc->pc += 4;
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          return;
      }
 +    dc->pc_curr = dc->pc;
      insn = arm_lduw_code(env, dc->pc, dc->sctlr_b);
      is_16bit = thumb_insn_is_16bit(dc, dc->pc, insn);
      dc->pc += 2;
 --
 .20.1

-[Qemu-devel] [PULL 16/25] Make memory_region_access_valid() take a MemTxAttrs argument
+[Qemu-devel] [PULL 08/29] target/arm: Introduce read_pc
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+From: Richard Henderson <richard.henderson@linaro.org>
-add MemTxAttrs as an argument to memory_region_access_valid().
-Its callers either have an attrs value to hand, or don't care
+We currently have 3 different ways of computing the architectural
-and can use MEMTXATTRS_UNSPECIFIED.
+value of "PC" as seen in the ARM ARM.
-The callsite in flatview_access_valid() is part of a recursive
+The value of s->pc has been incremented past the current insn,
-loop flatview_access_valid() -> memory_region_access_valid() ->
+but that is all.  Thus for a32, PC = s->pc + 4; for t32, PC = s->pc;
- subpage_accepts() -> flatview_access_valid(); we make it pass
+for t16, PC = s->pc + 2.  These differing computations make it
-MEMTXATTRS_UNSPECIFIED for now, until the next several commits
+impossible at present to unify the various code paths.
-have plumbed an attrs parameter through the rest of the loop
-and we can add an attrs parameter to flatview_access_valid().
+With the newly introduced s->pc_curr, we can compute the correct
+value for all cases, using the formula given in the ARM ARM.
 This changes the behaviour for load_reg() and load_reg_var()
 when called with reg==15 from a 32-bit Thumb instruction:
 previously they would have returned the incorrect value
 of pc_curr + 6, and now they will return the architecturally
 correct value of PC, which is pc_curr + 4. This will not
 affect well-behaved guest software, because all of the places
 we call these functions from T32 code are instructions where
 using r15 is UNPREDICTABLE. Using the architectural PC value
 here is more consistent with the T16 and A32 behaviour.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 20190807045335.1361-4-richard.henderson@linaro.org
 [PMM: added commit message note about UNPREDICTABLE T32 cases]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521140402.23318-8-peter.maydell@linaro.org
 ---
- include/exec/memory-internal.h | 3 ++-
+ target/arm/translate.c | 59 ++++++++++++++++--------------------------
- exec.c                         | 4 +++-
+file changed, 23 insertions(+), 36 deletions(-)
- hw/s390x/s390-pci-inst.c       | 3 ++-
- memory.c                       | 7 ++++---
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 files changed, 11 insertions(+), 6 deletions(-)
 diff --git a/include/exec/memory-internal.h b/include/exec/memory-internal.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/memory-internal.h
+--- a/target/arm/translate.c
-+++ b/include/exec/memory-internal.h
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ void flatview_unref(FlatView *view);
+@@ -XXX,XX +XXX,XX @@ static inline void store_cpu_offset(TCGv_i32 var, int offset)
- extern const MemoryRegionOps unassigned_mem_ops;
+ #define store_cpu_field(var, name) \
+     store_cpu_offset(var, offsetof(CPUARMState, name))
- bool memory_region_access_valid(MemoryRegion *mr, hwaddr addr,
--                                unsigned size, bool is_write);
++/* The architectural value of PC.  */
-+                                unsigned size, bool is_write,
++static uint32_t read_pc(DisasContext *s)
-+                                MemTxAttrs attrs);
++{
++    return s->pc_curr + (s->thumb ? 4 : 8);
- void flatview_add_to_dispatch(FlatView *fv, MemoryRegionSection *section);
++}
- AddressSpaceDispatch *address_space_dispatch_new(FlatView *fv);
++
-diff --git a/exec.c b/exec.c
+ /* Set a variable to the value of a CPU register.  */
-index XXXXXXX..XXXXXXX 100644
+ static void load_reg_var(DisasContext *s, TCGv_i32 var, int reg)
---- a/exec.c
+ {
-+++ b/exec.c
+     if (reg == 15) {
-@@ -XXX,XX +XXX,XX @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
+-        uint32_t addr;
-         mr = flatview_translate(fv, addr, &xlat, &l, is_write);
+-        /* normally, since we updated PC, we need only to add one insn */
-         if (!memory_access_is_direct(mr, is_write)) {
+-        if (s->thumb)
-             l = memory_access_size(mr, l, addr);
+-            addr = (long)s->pc + 2;
--            if (!memory_region_access_valid(mr, xlat, l, is_write)) {
+-        else
-+            /* When our callers all have attrs we'll pass them through here */
+-            addr = (long)s->pc + 4;
-+            if (!memory_region_access_valid(mr, xlat, l, is_write,
+-        tcg_gen_movi_i32(var, addr);
-+                                            MEMTXATTRS_UNSPECIFIED)) {
++        tcg_gen_movi_i32(var, read_pc(s));
-                 return false;
+     } else {
          tcg_gen_mov_i32(var, cpu_R[reg]);
      }
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
              /* branch link and change to thumb (blx <offset>) */
              int32_t offset;
 -            val = (uint32_t)s->pc;
              tmp = tcg_temp_new_i32();
 -            tcg_gen_movi_i32(tmp, val);
 +            tcg_gen_movi_i32(tmp, s->pc);
              store_reg(s, 14, tmp);
              /* Sign-extend the 24-bit offset */
              offset = (((int32_t)insn) << 8) >> 8;
 +            val = read_pc(s);
              /* offset * 4 + bit24 * 2 + (thumb bit) */
              val += (offset << 2) | ((insn >> 23) & 2) | 1;
 -            /* pipeline offset */
 -            val += 4;
              /* protected by ARCH(5); above, near the start of uncond block */
              gen_bx_im(s, val);
              return;
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                          } else {
                              /* store */
                              if (i == 15) {
 -                                /* special case: r15 = PC + 8 */
 -                                val = (long)s->pc + 4;
                                  tmp = tcg_temp_new_i32();
 -                                tcg_gen_movi_i32(tmp, val);
 +                                tcg_gen_movi_i32(tmp, read_pc(s));
                              } else if (user) {
                                  tmp = tcg_temp_new_i32();
                                  tmp2 = tcg_const_i32(i);
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                  int32_t offset;
                  /* branch (and link) */
 -                val = (int32_t)s->pc;
                  if (insn & (1 << 24)) {
                      tmp = tcg_temp_new_i32();
 -                    tcg_gen_movi_i32(tmp, val);
 +                    tcg_gen_movi_i32(tmp, s->pc);
                      store_reg(s, 14, tmp);
                  }
                  offset = sextract32(insn << 2, 0, 26);
 -                val += offset + 4;
 -                gen_jmp(s, val);
 +                gen_jmp(s, read_pc(s) + offset);
              }
+             break;
+         case 0xc:
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
+                 tcg_temp_free_i32(addr);
+             } else if ((insn & (7 << 5)) == 0) {
+                 /* Table Branch.  */
+-                if (rn == 15) {
+-                    addr = tcg_temp_new_i32();
+-                    tcg_gen_movi_i32(addr, s->pc);
+-                } else {
+-                    addr = load_reg(s, rn);
+-                }
++                addr = load_reg(s, rn);
+                 tmp = load_reg(s, rm);
+                 tcg_gen_add_i32(addr, addr, tmp);
+                 if (insn & (1 << 4)) {
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
+                 }
+                 tcg_temp_free_i32(addr);
+                 tcg_gen_shli_i32(tmp, tmp, 1);
+-                tcg_gen_addi_i32(tmp, tmp, s->pc);
++                tcg_gen_addi_i32(tmp, tmp, read_pc(s));
+                 store_reg(s, 15, tmp);
+             } else {
+                 bool is_lasr = false;
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
+                     tcg_gen_movi_i32(cpu_R[14], s->pc | 1);
+                 }
+-                offset += s->pc;
++                offset += read_pc(s);
+                 if (insn & (1 << 12)) {
+                     /* b/bl */
+                     gen_jmp(s, offset);
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
+                 offset |= (insn & (1 << 11)) << 8;
+                 /* jump to the offset */
+-                gen_jmp(s, s->pc + offset);
++                gen_jmp(s, read_pc(s) + offset);
+             }
+         } else {
+             /*
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
+         if (insn & (1 << 11)) {
+             rd = (insn >> 8) & 7;
+             /* load pc-relative.  Bit 1 of PC is ignored.  */
+-            val = s->pc + 2 + ((insn & 0xff) * 4);
++            val = read_pc(s) + ((insn & 0xff) * 4);
+             val &= ~(uint32_t)2;
+             addr = tcg_temp_new_i32();
+             tcg_gen_movi_i32(addr, val);
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
+         } else {
+             /* PC. bit 1 is ignored.  */
+             tmp = tcg_temp_new_i32();
+-            tcg_gen_movi_i32(tmp, (s->pc + 2) & ~(uint32_t)2);
++            tcg_gen_movi_i32(tmp, read_pc(s) & ~(uint32_t)2);
          }
-diff --git a/hw/s390x/s390-pci-inst.c b/hw/s390x/s390-pci-inst.c
+         val = (insn & 0xff) * 4;
-index XXXXXXX..XXXXXXX 100644
+         tcg_gen_addi_i32(tmp, tmp, val);
---- a/hw/s390x/s390-pci-inst.c
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
-+++ b/hw/s390x/s390-pci-inst.c
+                 tcg_gen_brcondi_i32(TCG_COND_NE, tmp, 0, s->condlabel);
-@@ -XXX,XX +XXX,XX @@ int pcistb_service_call(S390CPU *cpu, uint8_t r1, uint8_t r3, uint64_t gaddr,
+             tcg_temp_free_i32(tmp);
-     mr = s390_get_subregion(mr, offset, len);
+             offset = ((insn & 0xf8) >> 2) | (insn & 0x200) >> 3;
-     offset -= mr->addr;
+-            val = (uint32_t)s->pc + 2;
+-            val += offset;
--    if (!memory_region_access_valid(mr, offset, len, true)) {
+-            gen_jmp(s, val);
-+    if (!memory_region_access_valid(mr, offset, len, true,
++            gen_jmp(s, read_pc(s) + offset);
-+                                    MEMTXATTRS_UNSPECIFIED)) {
+             break;
-         s390_program_interrupt(env, PGM_OPERAND, 6, ra);
-         return 0;
+         case 15: /* IT, nop-hint.  */
-     }
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
-diff --git a/memory.c b/memory.c
+         arm_skip_unless(s, cond);
-index XXXXXXX..XXXXXXX 100644
---- a/memory.c
+         /* jump to the offset */
-+++ b/memory.c
+-        val = (uint32_t)s->pc + 2;
-@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps ram_device_mem_ops = {
++        val = read_pc(s);
- bool memory_region_access_valid(MemoryRegion *mr,
+         offset = ((int32_t)insn << 24) >> 24;
-                                 hwaddr addr,
+         val += offset << 1;
-                                 unsigned size,
+         gen_jmp(s, val);
--                                bool is_write)
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
-+                                bool is_write,
+             break;
-+                                MemTxAttrs attrs)
+         }
- {
+         /* unconditional branch */
-     int access_size_min, access_size_max;
+-        val = (uint32_t)s->pc;
-     int access_size, i;
++        val = read_pc(s);
-@@ -XXX,XX +XXX,XX @@ MemTxResult memory_region_dispatch_read(MemoryRegion *mr,
+         offset = ((int32_t)insn << 21) >> 21;
- {
+-        val += (offset << 1) + 2;
-     MemTxResult r;
++        val += offset << 1;
+         gen_jmp(s, val);
--    if (!memory_region_access_valid(mr, addr, size, false)) {
+         break;
-+    if (!memory_region_access_valid(mr, addr, size, false, attrs)) {
-         *pval = unassigned_mem_read(mr, addr, size);
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
-         return MEMTX_DECODE_ERROR;
+             /* 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix */
-     }
+             uint32_t uoffset = ((int32_t)insn << 21) >> 9;
-@@ -XXX,XX +XXX,XX @@ MemTxResult memory_region_dispatch_write(MemoryRegion *mr,
-                                          unsigned size,
+-            tcg_gen_movi_i32(cpu_R[14], s->pc + 2 + uoffset);
-                                          MemTxAttrs attrs)
++            tcg_gen_movi_i32(cpu_R[14], read_pc(s) + uoffset);
- {
+         }
--    if (!memory_region_access_valid(mr, addr, size, true)) {
+         break;
 +    if (!memory_region_access_valid(mr, addr, size, true, attrs)) {
          unassigned_mem_write(mr, addr, data, size);
          return MEMTX_DECODE_ERROR;
      }
 --
-.17.1
+.20.1

-New patch
+[Qemu-devel] [PULL 09/29] target/arm: Introduce add_reg_for_lit
+From: Richard Henderson <richard.henderson@linaro.org>
 Provide a common routine for the places that require ALIGN(PC, 4)
 as the base address as opposed to plain PC.  The two are always
 the same for A32, but the difference is meaningful for thumb mode.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 20190807045335.1361-5-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  target/arm/translate-vfp.inc.c |  38 ++------
  target/arm/translate.c         | 166 +++++++++++++++------------------
 files changed, 82 insertions(+), 122 deletions(-)
 diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-vfp.inc.c
 +++ b/target/arm/translate-vfp.inc.c
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDR_VSTR_sp(DisasContext *s, arg_VLDR_VSTR_sp *a)
          offset = -offset;
      }
 -    if (s->thumb && a->rn == 15) {
 -        /* This is actually UNPREDICTABLE */
 -        addr = tcg_temp_new_i32();
 -        tcg_gen_movi_i32(addr, s->pc & ~2);
 -    } else {
 -        addr = load_reg(s, a->rn);
 -    }
 -    tcg_gen_addi_i32(addr, addr, offset);
 +    /* For thumb, use of PC is UNPREDICTABLE.  */
 +    addr = add_reg_for_lit(s, a->rn, offset);
      tmp = tcg_temp_new_i32();
      if (a->l) {
          gen_aa32_ld32u(s, tmp, addr, get_mem_index(s));
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDR_VSTR_dp(DisasContext *s, arg_VLDR_VSTR_dp *a)
          offset = -offset;
      }
 -    if (s->thumb && a->rn == 15) {
 -        /* This is actually UNPREDICTABLE */
 -        addr = tcg_temp_new_i32();
 -        tcg_gen_movi_i32(addr, s->pc & ~2);
 -    } else {
 -        addr = load_reg(s, a->rn);
 -    }
 -    tcg_gen_addi_i32(addr, addr, offset);
 +    /* For thumb, use of PC is UNPREDICTABLE.  */
 +    addr = add_reg_for_lit(s, a->rn, offset);
      tmp = tcg_temp_new_i64();
      if (a->l) {
          gen_aa32_ld64(s, tmp, addr, get_mem_index(s));
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDM_VSTM_sp(DisasContext *s, arg_VLDM_VSTM_sp *a)
          return true;
      }
 -    if (s->thumb && a->rn == 15) {
 -        /* This is actually UNPREDICTABLE */
 -        addr = tcg_temp_new_i32();
 -        tcg_gen_movi_i32(addr, s->pc & ~2);
 -    } else {
 -        addr = load_reg(s, a->rn);
 -    }
 +    /* For thumb, use of PC is UNPREDICTABLE.  */
 +    addr = add_reg_for_lit(s, a->rn, 0);
      if (a->p) {
          /* pre-decrement */
          tcg_gen_addi_i32(addr, addr, -(a->imm << 2));
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDM_VSTM_dp(DisasContext *s, arg_VLDM_VSTM_dp *a)
          return true;
      }
 -    if (s->thumb && a->rn == 15) {
 -        /* This is actually UNPREDICTABLE */
 -        addr = tcg_temp_new_i32();
 -        tcg_gen_movi_i32(addr, s->pc & ~2);
 -    } else {
 -        addr = load_reg(s, a->rn);
 -    }
 +    /* For thumb, use of PC is UNPREDICTABLE.  */
 +    addr = add_reg_for_lit(s, a->rn, 0);
      if (a->p) {
          /* pre-decrement */
          tcg_gen_addi_i32(addr, addr, -(a->imm << 2));
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline TCGv_i32 load_reg(DisasContext *s, int reg)
      return tmp;
  }
 +/*
 + * Create a new temp, REG + OFS, except PC is ALIGN(PC, 4).
 + * This is used for load/store for which use of PC implies (literal),
 + * or ADD that implies ADR.
 + */
 +static TCGv_i32 add_reg_for_lit(DisasContext *s, int reg, int ofs)
 +{
 +    TCGv_i32 tmp = tcg_temp_new_i32();
 +
 +    if (reg == 15) {
 +        tcg_gen_movi_i32(tmp, (read_pc(s) & ~3) + ofs);
 +    } else {
 +        tcg_gen_addi_i32(tmp, cpu_R[reg], ofs);
 +    }
 +    return tmp;
 +}
 +
  /* Set a CPU register.  The source must be a temporary and will be
     marked as dead.  */
  static void store_reg(DisasContext *s, int reg, TCGv_i32 var)
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                   */
                  bool wback = extract32(insn, 21, 1);
 -                if (rn == 15) {
 -                    if (insn & (1 << 21)) {
 -                        /* UNPREDICTABLE */
 -                        goto illegal_op;
 -                    }
 -                    addr = tcg_temp_new_i32();
 -                    tcg_gen_movi_i32(addr, s->pc & ~3);
 -                } else {
 -                    addr = load_reg(s, rn);
 +                if (rn == 15 && (insn & (1 << 21))) {
 +                    /* UNPREDICTABLE */
 +                    goto illegal_op;
                  }
 +
 +                addr = add_reg_for_lit(s, rn, 0);
                  offset = (insn & 0xff) * 4;
                  if ((insn & (1 << 23)) == 0) {
                      offset = -offset;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                          store_reg(s, rd, tmp);
                      } else {
                          /* Add/sub 12-bit immediate.  */
 -                        if (rn == 15) {
 -                            offset = s->pc & ~(uint32_t)3;
 -                            if (insn & (1 << 23))
 -                                offset -= imm;
 -                            else
 -                                offset += imm;
 -                            tmp = tcg_temp_new_i32();
 -                            tcg_gen_movi_i32(tmp, offset);
 -                            store_reg(s, rd, tmp);
 +                        if (insn & (1 << 23)) {
 +                            imm = -imm;
 +                        }
 +                        tmp = add_reg_for_lit(s, rn, imm);
 +                        if (rn == 13 && rd == 13) {
 +                            /* ADD SP, SP, imm or SUB SP, SP, imm */
 +                            store_sp_checked(s, tmp);
                          } else {
 -                            tmp = load_reg(s, rn);
 -                            if (insn & (1 << 23))
 -                                tcg_gen_subi_i32(tmp, tmp, imm);
 -                            else
 -                                tcg_gen_addi_i32(tmp, tmp, imm);
 -                            if (rn == 13 && rd == 13) {
 -                                /* ADD SP, SP, imm or SUB SP, SP, imm */
 -                                store_sp_checked(s, tmp);
 -                            } else {
 -                                store_reg(s, rd, tmp);
 -                            }
 +                            store_reg(s, rd, tmp);
                          }
                      }
                  }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
              }
          }
          memidx = get_mem_index(s);
 -        if (rn == 15) {
 -            addr = tcg_temp_new_i32();
 -            /* PC relative.  */
 -            /* s->pc has already been incremented by 4.  */
 -            imm = s->pc & 0xfffffffc;
 -            if (insn & (1 << 23))
 -                imm += insn & 0xfff;
 -            else
 -                imm -= insn & 0xfff;
 -            tcg_gen_movi_i32(addr, imm);
 +        imm = insn & 0xfff;
 +        if (insn & (1 << 23)) {
 +            /* PC relative or Positive offset.  */
 +            addr = add_reg_for_lit(s, rn, imm);
 +        } else if (rn == 15) {
 +            /* PC relative with negative offset.  */
 +            addr = add_reg_for_lit(s, rn, -imm);
          } else {
              addr = load_reg(s, rn);
 -            if (insn & (1 << 23)) {
 -                /* Positive offset.  */
 -                imm = insn & 0xfff;
 -                tcg_gen_addi_i32(addr, addr, imm);
 -            } else {
 -                imm = insn & 0xff;
 -                switch ((insn >> 8) & 0xf) {
 -                case 0x0: /* Shifted Register.  */
 -                    shift = (insn >> 4) & 0xf;
 -                    if (shift > 3) {
 -                        tcg_temp_free_i32(addr);
 -                        goto illegal_op;
 -                    }
 -                    tmp = load_reg(s, rm);
 -                    if (shift)
 -                        tcg_gen_shli_i32(tmp, tmp, shift);
 -                    tcg_gen_add_i32(addr, addr, tmp);
 -                    tcg_temp_free_i32(tmp);
 -                    break;
 -                case 0xc: /* Negative offset.  */
 -                    tcg_gen_addi_i32(addr, addr, -imm);
 -                    break;
 -                case 0xe: /* User privilege.  */
 -                    tcg_gen_addi_i32(addr, addr, imm);
 -                    memidx = get_a32_user_mem_index(s);
 -                    break;
 -                case 0x9: /* Post-decrement.  */
 -                    imm = -imm;
 -                    /* Fall through.  */
 -                case 0xb: /* Post-increment.  */
 -                    postinc = 1;
 -                    writeback = 1;
 -                    break;
 -                case 0xd: /* Pre-decrement.  */
 -                    imm = -imm;
 -                    /* Fall through.  */
 -                case 0xf: /* Pre-increment.  */
 -                    writeback = 1;
 -                    break;
 -                default:
 +            imm = insn & 0xff;
 +            switch ((insn >> 8) & 0xf) {
 +            case 0x0: /* Shifted Register.  */
 +                shift = (insn >> 4) & 0xf;
 +                if (shift > 3) {
                      tcg_temp_free_i32(addr);
                      goto illegal_op;
                  }
 +                tmp = load_reg(s, rm);
 +                if (shift) {
 +                    tcg_gen_shli_i32(tmp, tmp, shift);
 +                }
 +                tcg_gen_add_i32(addr, addr, tmp);
 +                tcg_temp_free_i32(tmp);
 +                break;
 +            case 0xc: /* Negative offset.  */
 +                tcg_gen_addi_i32(addr, addr, -imm);
 +                break;
 +            case 0xe: /* User privilege.  */
 +                tcg_gen_addi_i32(addr, addr, imm);
 +                memidx = get_a32_user_mem_index(s);
 +                break;
 +            case 0x9: /* Post-decrement.  */
 +                imm = -imm;
 +                /* Fall through.  */
 +            case 0xb: /* Post-increment.  */
 +                postinc = 1;
 +                writeback = 1;
 +                break;
 +            case 0xd: /* Pre-decrement.  */
 +                imm = -imm;
 +                /* Fall through.  */
 +            case 0xf: /* Pre-increment.  */
 +                writeback = 1;
 +                break;
 +            default:
 +                tcg_temp_free_i32(addr);
 +                goto illegal_op;
              }
          }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
          if (insn & (1 << 11)) {
              rd = (insn >> 8) & 7;
              /* load pc-relative.  Bit 1 of PC is ignored.  */
 -            val = read_pc(s) + ((insn & 0xff) * 4);
 -            val &= ~(uint32_t)2;
 -            addr = tcg_temp_new_i32();
 -            tcg_gen_movi_i32(addr, val);
 +            addr = add_reg_for_lit(s, 15, (insn & 0xff) * 4);
              tmp = tcg_temp_new_i32();
              gen_aa32_ld32u_iss(s, tmp, addr, get_mem_index(s),
                                 rd | ISSIs16Bit);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
           *  - Add PC/SP (immediate)
           */
          rd = (insn >> 8) & 7;
 -        if (insn & (1 << 11)) {
 -            /* SP */
 -            tmp = load_reg(s, 13);
 -        } else {
 -            /* PC. bit 1 is ignored.  */
 -            tmp = tcg_temp_new_i32();
 -            tcg_gen_movi_i32(tmp, read_pc(s) & ~(uint32_t)2);
 -        }
          val = (insn & 0xff) * 4;
 -        tcg_gen_addi_i32(tmp, tmp, val);
 +        tmp = add_reg_for_lit(s, insn & (1 << 11) ? 13 : 15, val);
          store_reg(s, rd, tmp);
          break;
 --
 .20.1

-[Qemu-devel] [PULL 21/25] Make flatview_do_translate() take a MemTxAttrs argument
+[Qemu-devel] [PULL 10/29] target/arm: Remove redundant s->pc & ~1
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+From: Richard Henderson <richard.henderson@linaro.org>
 add MemTxAttrs as an argument to flatview_do_translate().
+The thumb bit has already been removed from s->pc, and is always even.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20190807045335.1361-6-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521140402.23318-13-peter.maydell@linaro.org
 ---
- exec.c | 9 ++++++---
+ target/arm/translate.c | 10 +++++-----
-file changed, 6 insertions(+), 3 deletions(-)
+file changed, 5 insertions(+), 5 deletions(-)
-diff --git a/exec.c b/exec.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/exec.c
+--- a/target/arm/translate.c
-+++ b/exec.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ unassigned:
+@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, int offset, uint32_t syn)
-  * @is_write: whether the translation operation is for write
+ /* Force a TB lookup after an instruction that changes the CPU state.  */
-  * @is_mmio: whether this can be MMIO, set true if it can
+ static inline void gen_lookup_tb(DisasContext *s)
   * @target_as: the address space targeted by the IOMMU
 + * @attrs: memory transaction attributes
   *
   * This function is called from RCU critical section
   */
@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection flatview_do_translate(FlatView *fv,
                                                   hwaddr *page_mask_out,
                                                   bool is_write,
                                                   bool is_mmio,
 -                                                 AddressSpace **target_as)
 +                                                 AddressSpace **target_as,
 +                                                 MemTxAttrs attrs)
  {
-     MemoryRegionSection *section;
+-    tcg_gen_movi_i32(cpu_R[15], s->pc & ~1);
-     IOMMUMemoryRegion *iommu_mr;
++    tcg_gen_movi_i32(cpu_R[15], s->pc);
-@@ -XXX,XX +XXX,XX @@ IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
+     s->base.is_jmp = DISAS_EXIT;
-      * but page mask.
+ }
-      */
-     section = flatview_do_translate(address_space_to_flatview(as), addr, &xlat,
+@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
--                                    NULL, &page_mask, is_write, false, &as);
+                  * self-modifying code correctly and also to take
-+                                    NULL, &page_mask, is_write, false, &as,
+                  * any pending interrupts immediately.
-+                                    attrs);
+                  */
+-                gen_goto_tb(s, 0, s->pc & ~1);
-     /* Illegal translation */
++                gen_goto_tb(s, 0, s->pc);
-     if (section.mr == &io_mem_unassigned) {
+                 return;
-@@ -XXX,XX +XXX,XX @@ MemoryRegion *flatview_translate(FlatView *fv, hwaddr addr, hwaddr *xlat,
+             case 7: /* sb */
+                 if ((insn & 0xf) || !dc_isar_feature(aa32_sb, s)) {
-     /* This can be MMIO, so setup MMIO bit. */
+@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
-     section = flatview_do_translate(fv, addr, xlat, plen, NULL,
+                  * for TCG; MB and end the TB instead.
--                                    is_write, true, &as);
+                  */
-+                                    is_write, true, &as, attrs);
+                 tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
-     mr = section.mr;
+-                gen_goto_tb(s, 0, s->pc & ~1);
++                gen_goto_tb(s, 0, s->pc);
-     if (xen_enabled() && memory_access_is_direct(mr, is_write)) {
+                 return;
              default:
                  goto illegal_op;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                               * and also to take any pending interrupts
                               * immediately.
                               */
 -                            gen_goto_tb(s, 0, s->pc & ~1);
 +                            gen_goto_tb(s, 0, s->pc);
                              break;
                          case 7: /* sb */
                              if ((insn & 0xf) || !dc_isar_feature(aa32_sb, s)) {
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                               * for TCG; MB and end the TB instead.
                               */
                              tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
 -                            gen_goto_tb(s, 0, s->pc & ~1);
 +                            gen_goto_tb(s, 0, s->pc);
                              break;
                          default:
                              goto illegal_op;
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 20/25] Make address_space_get_iotlb_entry() take a MemTxAttrs argument
+[Qemu-devel] [PULL 11/29] target/arm: Replace s->pc with s->base.pc_next
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+From: Richard Henderson <richard.henderson@linaro.org>
 add MemTxAttrs as an argument to address_space_get_iotlb_entry().
+We must update s->base.pc_next when we return from the translate_insn
+hook to the main translator loop.  By incrementing s->base.pc_next
+immediately after reading the insn word, "pc_next" contains the address
+of the next instruction throughout translation.
+All remaining uses of s->pc are referencing the address of the next insn,
+so this is now a simple global replacement.  Remove the "s->pc" field.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20190807045335.1361-7-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521140402.23318-12-peter.maydell@linaro.org
 ---
- include/exec/memory.h | 2 +-
+ target/arm/translate.h     |   1 -
- exec.c                | 2 +-
+ target/arm/translate-a64.c |  51 +++++++++---------
- hw/virtio/vhost.c     | 3 ++-
+ target/arm/translate.c     | 103 ++++++++++++++++++-------------------
-files changed, 4 insertions(+), 3 deletions(-)
+files changed, 72 insertions(+), 83 deletions(-)
-diff --git a/include/exec/memory.h b/include/exec/memory.h
+diff --git a/target/arm/translate.h b/target/arm/translate.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/memory.h
+--- a/target/arm/translate.h
-+++ b/include/exec/memory.h
++++ b/target/arm/translate.h
-@@ -XXX,XX +XXX,XX @@ void address_space_cache_destroy(MemoryRegionCache *cache);
+@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
-  * entry. Should be called from an RCU critical section.
+     DisasContextBase base;
-  */
+     const ARMISARegisters *isar;
- IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
--                                            bool is_write);
+-    target_ulong pc;
-+                                            bool is_write, MemTxAttrs attrs);
+     /* The address of the current instruction being translated. */
+     target_ulong pc_curr;
- /* address_space_translate: translate an address range into an address space
+     target_ulong page_start;
-  * into a MemoryRegion and an address range into that section.  Should be
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 diff --git a/exec.c b/exec.c
 index XXXXXXX..XXXXXXX 100644
---- a/exec.c
+--- a/target/arm/translate-a64.c
-+++ b/exec.c
++++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection flatview_do_translate(FlatView *fv,
+@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
- /* Called from RCU critical section */
+ static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
- IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
+ {
--                                            bool is_write)
+-    gen_a64_set_pc_im(s->pc - offset);
-+                                            bool is_write, MemTxAttrs attrs)
++    gen_a64_set_pc_im(s->base.pc_next - offset);
- {
+     gen_exception_internal(excp);
-     MemoryRegionSection section;
+     s->base.is_jmp = DISAS_NORETURN;
-     hwaddr xlat, page_mask;
+ }
-diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
+@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
  static void gen_exception_insn(DisasContext *s, int offset, int excp,
                                 uint32_t syndrome, uint32_t target_el)
  {
 -    gen_a64_set_pc_im(s->pc - offset);
 +    gen_a64_set_pc_im(s->base.pc_next - offset);
      gen_exception(excp, syndrome, target_el);
      s->base.is_jmp = DISAS_NORETURN;
  }
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, int offset,
  {
      TCGv_i32 tcg_syn;
 -    gen_a64_set_pc_im(s->pc - offset);
 +    gen_a64_set_pc_im(s->base.pc_next - offset);
      tcg_syn = tcg_const_i32(syndrome);
      gen_helper_exception_bkpt_insn(cpu_env, tcg_syn);
      tcg_temp_free_i32(tcg_syn);
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
      if (insn & (1U << 31)) {
          /* BL Branch with link */
 -        tcg_gen_movi_i64(cpu_reg(s, 30), s->pc);
 +        tcg_gen_movi_i64(cpu_reg(s, 30), s->base.pc_next);
      }
      /* B Branch / BL Branch with link */
@@ -XXX,XX +XXX,XX @@ static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
      tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
                          tcg_cmp, 0, label_match);
 -    gen_goto_tb(s, 0, s->pc);
 +    gen_goto_tb(s, 0, s->base.pc_next);
      gen_set_label(label_match);
      gen_goto_tb(s, 1, addr);
  }
@@ -XXX,XX +XXX,XX @@ static void disas_test_b_imm(DisasContext *s, uint32_t insn)
      tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
                          tcg_cmp, 0, label_match);
      tcg_temp_free_i64(tcg_cmp);
 -    gen_goto_tb(s, 0, s->pc);
 +    gen_goto_tb(s, 0, s->base.pc_next);
      gen_set_label(label_match);
      gen_goto_tb(s, 1, addr);
  }
@@ -XXX,XX +XXX,XX @@ static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
          /* genuinely conditional branches */
          TCGLabel *label_match = gen_new_label();
          arm_gen_test_cc(cond, label_match);
 -        gen_goto_tb(s, 0, s->pc);
 +        gen_goto_tb(s, 0, s->base.pc_next);
          gen_set_label(label_match);
          gen_goto_tb(s, 1, addr);
      } else {
@@ -XXX,XX +XXX,XX @@ static void handle_sync(DisasContext *s, uint32_t insn,
           * any pending interrupts immediately.
           */
          reset_btype(s);
 -        gen_goto_tb(s, 0, s->pc);
 +        gen_goto_tb(s, 0, s->base.pc_next);
          return;
      case 7: /* SB */
@@ -XXX,XX +XXX,XX @@ static void handle_sync(DisasContext *s, uint32_t insn,
           * MB and end the TB instead.
           */
          tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
 -        gen_goto_tb(s, 0, s->pc);
 +        gen_goto_tb(s, 0, s->base.pc_next);
          return;
      default:
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
          gen_a64_set_pc(s, dst);
          /* BLR also needs to load return address */
          if (opc == 1) {
 -            tcg_gen_movi_i64(cpu_reg(s, 30), s->pc);
 +            tcg_gen_movi_i64(cpu_reg(s, 30), s->base.pc_next);
          }
          break;
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
          gen_a64_set_pc(s, dst);
          /* BLRAA also needs to load return address */
          if (opc == 9) {
 -            tcg_gen_movi_i64(cpu_reg(s, 30), s->pc);
 +            tcg_gen_movi_i64(cpu_reg(s, 30), s->base.pc_next);
          }
          break;
@@ -XXX,XX +XXX,XX @@ static void disas_a64_insn(CPUARMState *env, DisasContext *s)
  {
      uint32_t insn;
 -    s->pc_curr = s->pc;
 -    insn = arm_ldl_code(env, s->pc, s->sctlr_b);
 +    s->pc_curr = s->base.pc_next;
 +    insn = arm_ldl_code(env, s->base.pc_next, s->sctlr_b);
      s->insn = insn;
 -    s->pc += 4;
 +    s->base.pc_next += 4;
      s->fp_access_checked = false;
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
      int bound, core_mmu_idx;
      dc->isar = &arm_cpu->isar;
 -    dc->pc = dc->base.pc_first;
      dc->condjmp = 0;
      dc->aarch64 = 1;
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
  {
      DisasContext *dc = container_of(dcbase, DisasContext, base);
 -    tcg_gen_insn_start(dc->pc, 0, 0);
 +    tcg_gen_insn_start(dc->base.pc_next, 0, 0);
      dc->insn_start = tcg_last_op();
  }
@@ -XXX,XX +XXX,XX @@ static bool aarch64_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
      DisasContext *dc = container_of(dcbase, DisasContext, base);
      if (bp->flags & BP_CPU) {
 -        gen_a64_set_pc_im(dc->pc);
 +        gen_a64_set_pc_im(dc->base.pc_next);
          gen_helper_check_breakpoints(cpu_env);
          /* End the TB early; it likely won't be executed */
          dc->base.is_jmp = DISAS_TOO_MANY;
@@ -XXX,XX +XXX,XX @@ static bool aarch64_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
             to for it to be properly cleared -- thus we
             increment the PC here so that the logic setting
             tb->size below does the right thing.  */
 -        dc->pc += 4;
 +        dc->base.pc_next += 4;
          dc->base.is_jmp = DISAS_NORETURN;
      }
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          disas_a64_insn(env, dc);
      }
 -    dc->base.pc_next = dc->pc;
      translator_loop_temp_check(&dc->base);
  }
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
           */
          switch (dc->base.is_jmp) {
          default:
 -            gen_a64_set_pc_im(dc->pc);
 +            gen_a64_set_pc_im(dc->base.pc_next);
              /* fall through */
          case DISAS_EXIT:
          case DISAS_JUMP:
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          switch (dc->base.is_jmp) {
          case DISAS_NEXT:
          case DISAS_TOO_MANY:
 -            gen_goto_tb(dc, 1, dc->pc);
 +            gen_goto_tb(dc, 1, dc->base.pc_next);
              break;
          default:
          case DISAS_UPDATE:
 -            gen_a64_set_pc_im(dc->pc);
 +            gen_a64_set_pc_im(dc->base.pc_next);
              /* fall through */
          case DISAS_EXIT:
              tcg_gen_exit_tb(NULL, 0);
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          case DISAS_SWI:
              break;
          case DISAS_WFE:
 -            gen_a64_set_pc_im(dc->pc);
 +            gen_a64_set_pc_im(dc->base.pc_next);
              gen_helper_wfe(cpu_env);
              break;
          case DISAS_YIELD:
 -            gen_a64_set_pc_im(dc->pc);
 +            gen_a64_set_pc_im(dc->base.pc_next);
              gen_helper_yield(cpu_env);
              break;
          case DISAS_WFI:
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
               */
              TCGv_i32 tmp = tcg_const_i32(4);
 -            gen_a64_set_pc_im(dc->pc);
 +            gen_a64_set_pc_im(dc->base.pc_next);
              gen_helper_wfi(cpu_env, tmp);
              tcg_temp_free_i32(tmp);
              /* The helper doesn't necessarily throw an exception, but we
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          }
          }
      }
 -
 -    /* Functions above can change dc->pc, so re-align db->pc_next */
 -    dc->base.pc_next = dc->pc;
  }
  static void aarch64_tr_disas_log(const DisasContextBase *dcbase,
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/virtio/vhost.c
+--- a/target/arm/translate.c
-+++ b/hw/virtio/vhost.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ int vhost_device_iotlb_miss(struct vhost_dev *dev, uint64_t iova, int write)
+@@ -XXX,XX +XXX,XX @@ static inline void gen_blxns(DisasContext *s, int rm)
-     trace_vhost_iotlb_miss(dev, 1);
+      * We do however need to set the PC, because the blxns helper reads it.
+      * The blxns helper may throw an exception.
-     iotlb = address_space_get_iotlb_entry(dev->vdev->dma_as,
+      */
--                                          iova, write);
+-    gen_set_pc_im(s, s->pc);
-+                                          iova, write,
++    gen_set_pc_im(s, s->base.pc_next);
-+                                          MEMTXATTRS_UNSPECIFIED);
+     gen_helper_v7m_blxns(cpu_env, var);
-     if (iotlb.target_as != NULL) {
+     tcg_temp_free_i32(var);
-         ret = vhost_memory_region_lookup(dev, iotlb.translated_addr,
+     s->base.is_jmp = DISAS_EXIT;
-                                          &uaddr, &len);
+@@ -XXX,XX +XXX,XX @@ static inline void gen_hvc(DisasContext *s, int imm16)
       * for single stepping.)
       */
      s->svc_imm = imm16;
 -    gen_set_pc_im(s, s->pc);
 +    gen_set_pc_im(s, s->base.pc_next);
      s->base.is_jmp = DISAS_HVC;
  }
@@ -XXX,XX +XXX,XX @@ static inline void gen_smc(DisasContext *s)
      tmp = tcg_const_i32(syn_aa32_smc());
      gen_helper_pre_smc(cpu_env, tmp);
      tcg_temp_free_i32(tmp);
 -    gen_set_pc_im(s, s->pc);
 +    gen_set_pc_im(s, s->base.pc_next);
      s->base.is_jmp = DISAS_SMC;
  }
  static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
  {
      gen_set_condexec(s);
 -    gen_set_pc_im(s, s->pc - offset);
 +    gen_set_pc_im(s, s->base.pc_next - offset);
      gen_exception_internal(excp);
      s->base.is_jmp = DISAS_NORETURN;
  }
@@ -XXX,XX +XXX,XX @@ static void gen_exception_insn(DisasContext *s, int offset, int excp,
                                 int syn, uint32_t target_el)
  {
      gen_set_condexec(s);
 -    gen_set_pc_im(s, s->pc - offset);
 +    gen_set_pc_im(s, s->base.pc_next - offset);
      gen_exception(excp, syn, target_el);
      s->base.is_jmp = DISAS_NORETURN;
  }
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, int offset, uint32_t syn)
      TCGv_i32 tcg_syn;
      gen_set_condexec(s);
 -    gen_set_pc_im(s, s->pc - offset);
 +    gen_set_pc_im(s, s->base.pc_next - offset);
      tcg_syn = tcg_const_i32(syn);
      gen_helper_exception_bkpt_insn(cpu_env, tcg_syn);
      tcg_temp_free_i32(tcg_syn);
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, int offset, uint32_t syn)
  /* Force a TB lookup after an instruction that changes the CPU state.  */
  static inline void gen_lookup_tb(DisasContext *s)
  {
 -    tcg_gen_movi_i32(cpu_R[15], s->pc);
 +    tcg_gen_movi_i32(cpu_R[15], s->base.pc_next);
      s->base.is_jmp = DISAS_EXIT;
  }
@@ -XXX,XX +XXX,XX @@ static inline bool use_goto_tb(DisasContext *s, target_ulong dest)
  {
  #ifndef CONFIG_USER_ONLY
      return (s->base.tb->pc & TARGET_PAGE_MASK) == (dest & TARGET_PAGE_MASK) ||
 -           ((s->pc - 1) & TARGET_PAGE_MASK) == (dest & TARGET_PAGE_MASK);
 +           ((s->base.pc_next - 1) & TARGET_PAGE_MASK) == (dest & TARGET_PAGE_MASK);
  #else
      return true;
  #endif
@@ -XXX,XX +XXX,XX @@ static void gen_nop_hint(DisasContext *s, int val)
           */
      case 1: /* yield */
          if (!(tb_cflags(s->base.tb) & CF_PARALLEL)) {
 -            gen_set_pc_im(s, s->pc);
 +            gen_set_pc_im(s, s->base.pc_next);
              s->base.is_jmp = DISAS_YIELD;
          }
          break;
      case 3: /* wfi */
 -        gen_set_pc_im(s, s->pc);
 +        gen_set_pc_im(s, s->base.pc_next);
          s->base.is_jmp = DISAS_WFI;
          break;
      case 2: /* wfe */
          if (!(tb_cflags(s->base.tb) & CF_PARALLEL)) {
 -            gen_set_pc_im(s, s->pc);
 +            gen_set_pc_im(s, s->base.pc_next);
              s->base.is_jmp = DISAS_WFE;
          }
          break;
@@ -XXX,XX +XXX,XX @@ static int disas_coproc_insn(DisasContext *s, uint32_t insn)
              if (isread) {
                  return 1;
              }
 -            gen_set_pc_im(s, s->pc);
 +            gen_set_pc_im(s, s->base.pc_next);
              s->base.is_jmp = DISAS_WFI;
              return 0;
          default:
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                   * self-modifying code correctly and also to take
                   * any pending interrupts immediately.
                   */
 -                gen_goto_tb(s, 0, s->pc);
 +                gen_goto_tb(s, 0, s->base.pc_next);
                  return;
              case 7: /* sb */
                  if ((insn & 0xf) || !dc_isar_feature(aa32_sb, s)) {
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                   * for TCG; MB and end the TB instead.
                   */
                  tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
 -                gen_goto_tb(s, 0, s->pc);
 +                gen_goto_tb(s, 0, s->base.pc_next);
                  return;
              default:
                  goto illegal_op;
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
              int32_t offset;
              tmp = tcg_temp_new_i32();
 -            tcg_gen_movi_i32(tmp, s->pc);
 +            tcg_gen_movi_i32(tmp, s->base.pc_next);
              store_reg(s, 14, tmp);
              /* Sign-extend the 24-bit offset */
              offset = (((int32_t)insn) << 8) >> 8;
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
              /* branch link/exchange thumb (blx) */
              tmp = load_reg(s, rm);
              tmp2 = tcg_temp_new_i32();
 -            tcg_gen_movi_i32(tmp2, s->pc);
 +            tcg_gen_movi_i32(tmp2, s->base.pc_next);
              store_reg(s, 14, tmp2);
              gen_bx(s, tmp);
              break;
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                  /* branch (and link) */
                  if (insn & (1 << 24)) {
                      tmp = tcg_temp_new_i32();
 -                    tcg_gen_movi_i32(tmp, s->pc);
 +                    tcg_gen_movi_i32(tmp, s->base.pc_next);
                      store_reg(s, 14, tmp);
                  }
                  offset = sextract32(insn << 2, 0, 26);
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
              break;
          case 0xf:
              /* swi */
 -            gen_set_pc_im(s, s->pc);
 +            gen_set_pc_im(s, s->base.pc_next);
              s->svc_imm = extract32(insn, 0, 24);
              s->base.is_jmp = DISAS_SWI;
              break;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                  if (insn & (1 << 14)) {
                      /* Branch and link.  */
 -                    tcg_gen_movi_i32(cpu_R[14], s->pc | 1);
 +                    tcg_gen_movi_i32(cpu_R[14], s->base.pc_next | 1);
                  }
                  offset += read_pc(s);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                               * and also to take any pending interrupts
                               * immediately.
                               */
 -                            gen_goto_tb(s, 0, s->pc);
 +                            gen_goto_tb(s, 0, s->base.pc_next);
                              break;
                          case 7: /* sb */
                              if ((insn & 0xf) || !dc_isar_feature(aa32_sb, s)) {
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                               * for TCG; MB and end the TB instead.
                               */
                              tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
 -                            gen_goto_tb(s, 0, s->pc);
 +                            gen_goto_tb(s, 0, s->base.pc_next);
                              break;
                          default:
                              goto illegal_op;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
                  /* BLX/BX */
                  tmp = load_reg(s, rm);
                  if (link) {
 -                    val = (uint32_t)s->pc | 1;
 +                    val = (uint32_t)s->base.pc_next | 1;
                      tmp2 = tcg_temp_new_i32();
                      tcg_gen_movi_i32(tmp2, val);
                      store_reg(s, 14, tmp2);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
          if (cond == 0xf) {
              /* swi */
 -            gen_set_pc_im(s, s->pc);
 +            gen_set_pc_im(s, s->base.pc_next);
              s->svc_imm = extract32(insn, 0, 8);
              s->base.is_jmp = DISAS_SWI;
              break;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
              tcg_gen_andi_i32(tmp, tmp, 0xfffffffc);
              tmp2 = tcg_temp_new_i32();
 -            tcg_gen_movi_i32(tmp2, s->pc | 1);
 +            tcg_gen_movi_i32(tmp2, s->base.pc_next | 1);
              store_reg(s, 14, tmp2);
              gen_bx(s, tmp);
              break;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
              tcg_gen_addi_i32(tmp, tmp, offset);
              tmp2 = tcg_temp_new_i32();
 -            tcg_gen_movi_i32(tmp2, s->pc | 1);
 +            tcg_gen_movi_i32(tmp2, s->base.pc_next | 1);
              store_reg(s, 14, tmp2);
              gen_bx(s, tmp);
          } else {
@@ -XXX,XX +XXX,XX @@ undef:
  static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
  {
 -    /* Return true if the insn at dc->pc might cross a page boundary.
 +    /* Return true if the insn at dc->base.pc_next might cross a page boundary.
       * (False positives are OK, false negatives are not.)
       * We know this is a Thumb insn, and our caller ensures we are
 -     * only called if dc->pc is less than 4 bytes from the page
 +     * only called if dc->base.pc_next is less than 4 bytes from the page
       * boundary, so we cross the page if the first 16 bits indicate
       * that this is a 32 bit insn.
       */
 -    uint16_t insn = arm_lduw_code(env, s->pc, s->sctlr_b);
 +    uint16_t insn = arm_lduw_code(env, s->base.pc_next, s->sctlr_b);
 -    return !thumb_insn_is_16bit(s, s->pc, insn);
 +    return !thumb_insn_is_16bit(s, s->base.pc_next, insn);
  }
  static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
      uint32_t condexec, core_mmu_idx;
      dc->isar = &cpu->isar;
 -    dc->pc = dc->base.pc_first;
      dc->condjmp = 0;
      dc->aarch64 = 0;
@@ -XXX,XX +XXX,XX @@ static void arm_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
  {
      DisasContext *dc = container_of(dcbase, DisasContext, base);
 -    tcg_gen_insn_start(dc->pc,
 +    tcg_gen_insn_start(dc->base.pc_next,
                         (dc->condexec_cond << 4) | (dc->condexec_mask >> 1),
 );
      dc->insn_start = tcg_last_op();
@@ -XXX,XX +XXX,XX @@ static bool arm_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
      if (bp->flags & BP_CPU) {
          gen_set_condexec(dc);
 -        gen_set_pc_im(dc, dc->pc);
 +        gen_set_pc_im(dc, dc->base.pc_next);
          gen_helper_check_breakpoints(cpu_env);
          /* End the TB early; it's likely not going to be executed */
          dc->base.is_jmp = DISAS_TOO_MANY;
@@ -XXX,XX +XXX,XX @@ static bool arm_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
             tb->size below does the right thing.  */
          /* TODO: Advance PC by correct instruction length to
           * avoid disassembler error messages */
 -        dc->pc += 2;
 +        dc->base.pc_next += 2;
          dc->base.is_jmp = DISAS_NORETURN;
      }
@@ -XXX,XX +XXX,XX @@ static bool arm_pre_translate_insn(DisasContext *dc)
  {
  #ifdef CONFIG_USER_ONLY
      /* Intercept jump to the magic kernel page.  */
 -    if (dc->pc >= 0xffff0000) {
 +    if (dc->base.pc_next >= 0xffff0000) {
          /* We always get here via a jump, so know we are not in a
             conditional execution block.  */
          gen_exception_internal(EXCP_KERNEL_TRAP);
@@ -XXX,XX +XXX,XX @@ static void arm_post_translate_insn(DisasContext *dc)
          gen_set_label(dc->condlabel);
          dc->condjmp = 0;
      }
 -    dc->base.pc_next = dc->pc;
      translator_loop_temp_check(&dc->base);
  }
@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          return;
      }
 -    dc->pc_curr = dc->pc;
 -    insn = arm_ldl_code(env, dc->pc, dc->sctlr_b);
 +    dc->pc_curr = dc->base.pc_next;
 +    insn = arm_ldl_code(env, dc->base.pc_next, dc->sctlr_b);
      dc->insn = insn;
 -    dc->pc += 4;
 +    dc->base.pc_next += 4;
      disas_arm_insn(dc, insn);
      arm_post_translate_insn(dc);
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          return;
      }
 -    dc->pc_curr = dc->pc;
 -    insn = arm_lduw_code(env, dc->pc, dc->sctlr_b);
 -    is_16bit = thumb_insn_is_16bit(dc, dc->pc, insn);
 -    dc->pc += 2;
 +    dc->pc_curr = dc->base.pc_next;
 +    insn = arm_lduw_code(env, dc->base.pc_next, dc->sctlr_b);
 +    is_16bit = thumb_insn_is_16bit(dc, dc->base.pc_next, insn);
 +    dc->base.pc_next += 2;
      if (!is_16bit) {
 -        uint32_t insn2 = arm_lduw_code(env, dc->pc, dc->sctlr_b);
 +        uint32_t insn2 = arm_lduw_code(env, dc->base.pc_next, dc->sctlr_b);
          insn = insn << 16 | insn2;
 -        dc->pc += 2;
 +        dc->base.pc_next += 2;
      }
      dc->insn = insn;
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
       * but isn't very efficient).
       */
      if (dc->base.is_jmp == DISAS_NEXT
 -        && (dc->pc - dc->page_start >= TARGET_PAGE_SIZE
 -            || (dc->pc - dc->page_start >= TARGET_PAGE_SIZE - 3
 +        && (dc->base.pc_next - dc->page_start >= TARGET_PAGE_SIZE
 +            || (dc->base.pc_next - dc->page_start >= TARGET_PAGE_SIZE - 3
                  && insn_crosses_page(env, dc)))) {
          dc->base.is_jmp = DISAS_TOO_MANY;
      }
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          case DISAS_NEXT:
          case DISAS_TOO_MANY:
          case DISAS_UPDATE:
 -            gen_set_pc_im(dc, dc->pc);
 +            gen_set_pc_im(dc, dc->base.pc_next);
              /* fall through */
          default:
              /* FIXME: Single stepping a WFI insn will not halt the CPU. */
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          switch(dc->base.is_jmp) {
          case DISAS_NEXT:
          case DISAS_TOO_MANY:
 -            gen_goto_tb(dc, 1, dc->pc);
 +            gen_goto_tb(dc, 1, dc->base.pc_next);
              break;
          case DISAS_JUMP:
              gen_goto_ptr();
              break;
          case DISAS_UPDATE:
 -            gen_set_pc_im(dc, dc->pc);
 +            gen_set_pc_im(dc, dc->base.pc_next);
              /* fall through */
          default:
              /* indicate that the hash table must be used to find the next TB */
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          gen_set_label(dc->condlabel);
          gen_set_condexec(dc);
          if (unlikely(is_singlestepping(dc))) {
 -            gen_set_pc_im(dc, dc->pc);
 +            gen_set_pc_im(dc, dc->base.pc_next);
              gen_singlestep_exception(dc);
          } else {
 -            gen_goto_tb(dc, 1, dc->pc);
 +            gen_goto_tb(dc, 1, dc->base.pc_next);
          }
      }
 -
 -    /* Functions above can change dc->pc, so re-align db->pc_next */
 -    dc->base.pc_next = dc->pc;
  }
  static void arm_tr_disas_log(const DisasContextBase *dcbase, CPUState *cpu)
 --
-.17.1
+.20.1

-New patch
+[Qemu-devel] [PULL 12/29] target/arm: Replace offset with pc in gen_exception_insn
+From: Richard Henderson <richard.henderson@linaro.org>
 The offset is variable depending on the instruction set, whereas
 we have stored values for the current pc and the next pc.  Passing
 in the actual value is clearer in intent.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 20190807045335.1361-8-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  target/arm/translate-a64.c     | 25 ++++++++++++++-----------
  target/arm/translate-vfp.inc.c |  6 +++---
  target/arm/translate.c         | 31 ++++++++++++++++---------------
 files changed, 33 insertions(+), 29 deletions(-)
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
      s->base.is_jmp = DISAS_NORETURN;
  }
 -static void gen_exception_insn(DisasContext *s, int offset, int excp,
 +static void gen_exception_insn(DisasContext *s, uint64_t pc, int excp,
                                 uint32_t syndrome, uint32_t target_el)
  {
 -    gen_a64_set_pc_im(s->base.pc_next - offset);
 +    gen_a64_set_pc_im(pc);
      gen_exception(excp, syndrome, target_el);
      s->base.is_jmp = DISAS_NORETURN;
  }
@@ -XXX,XX +XXX,XX @@ static inline void gen_goto_tb(DisasContext *s, int n, uint64_t dest)
  void unallocated_encoding(DisasContext *s)
  {
      /* Unallocated and reserved encodings are uncategorized */
 -    gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                         default_exception_el(s));
  }
@@ -XXX,XX +XXX,XX @@ static inline bool fp_access_check(DisasContext *s)
          return true;
      }
 -    gen_exception_insn(s, 4, EXCP_UDEF, syn_fp_access_trap(1, 0xe, false),
 -                       s->fp_excp_el);
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
 +                       syn_fp_access_trap(1, 0xe, false), s->fp_excp_el);
      return false;
  }
@@ -XXX,XX +XXX,XX @@ static inline bool fp_access_check(DisasContext *s)
  bool sve_access_check(DisasContext *s)
  {
      if (s->sve_excp_el) {
 -        gen_exception_insn(s, 4, EXCP_UDEF, syn_sve_access_trap(),
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_sve_access_trap(),
                             s->sve_excp_el);
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
          switch (op2_ll) {
          case 1:                                                     /* SVC */
              gen_ss_advance(s);
 -            gen_exception_insn(s, 0, EXCP_SWI, syn_aa64_svc(imm16),
 -                               default_exception_el(s));
 +            gen_exception_insn(s, s->base.pc_next, EXCP_SWI,
 +                               syn_aa64_svc(imm16), default_exception_el(s));
              break;
          case 2:                                                     /* HVC */
              if (s->current_el == 0) {
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
              gen_a64_set_pc_im(s->pc_curr);
              gen_helper_pre_hvc(cpu_env);
              gen_ss_advance(s);
 -            gen_exception_insn(s, 0, EXCP_HVC, syn_aa64_hvc(imm16), 2);
 +            gen_exception_insn(s, s->base.pc_next, EXCP_HVC,
 +                               syn_aa64_hvc(imm16), 2);
              break;
          case 3:                                                     /* SMC */
              if (s->current_el == 0) {
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
              gen_helper_pre_smc(cpu_env, tmp);
              tcg_temp_free_i32(tmp);
              gen_ss_advance(s);
 -            gen_exception_insn(s, 0, EXCP_SMC, syn_aa64_smc(imm16), 3);
 +            gen_exception_insn(s, s->base.pc_next, EXCP_SMC,
 +                               syn_aa64_smc(imm16), 3);
              break;
          default:
              unallocated_encoding(s);
@@ -XXX,XX +XXX,XX @@ static void disas_a64_insn(CPUARMState *env, DisasContext *s)
              if (s->btype != 0
                  && s->guarded_page
                  && !btype_destination_ok(insn, s->bt, s->btype)) {
 -                gen_exception_insn(s, 4, EXCP_UDEF, syn_btitrap(s->btype),
 +                gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
 +                                   syn_btitrap(s->btype),
                                     default_exception_el(s));
                  return;
              }
 diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-vfp.inc.c
 +++ b/target/arm/translate-vfp.inc.c
@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
  {
      if (s->fp_excp_el) {
          if (arm_dc_feature(s, ARM_FEATURE_M)) {
 -            gen_exception_insn(s, 4, EXCP_NOCP, syn_uncategorized(),
 +            gen_exception_insn(s, s->pc_curr, EXCP_NOCP, syn_uncategorized(),
                                 s->fp_excp_el);
          } else {
 -            gen_exception_insn(s, 4, EXCP_UDEF,
 +            gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                                 syn_fp_access_trap(1, 0xe, false),
                                 s->fp_excp_el);
          }
@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
      if (!s->vfp_enabled && !ignore_vfp_enabled) {
          assert(!arm_dc_feature(s, ARM_FEATURE_M));
 -        gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                             default_exception_el(s));
          return false;
      }
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
      s->base.is_jmp = DISAS_NORETURN;
  }
 -static void gen_exception_insn(DisasContext *s, int offset, int excp,
 +static void gen_exception_insn(DisasContext *s, uint32_t pc, int excp,
                                 int syn, uint32_t target_el)
  {
      gen_set_condexec(s);
 -    gen_set_pc_im(s, s->base.pc_next - offset);
 +    gen_set_pc_im(s, pc);
      gen_exception(excp, syn, target_el);
      s->base.is_jmp = DISAS_NORETURN;
  }
@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
          return;
      }
 -    gen_exception_insn(s, s->thumb ? 2 : 4, EXCP_UDEF, syn_uncategorized(),
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                         default_exception_el(s));
  }
@@ -XXX,XX +XXX,XX @@ static bool msr_banked_access_decode(DisasContext *s, int r, int sysm, int rn,
  undef:
      /* If we get here then some access check did not pass */
 -    gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(), exc_target);
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
 +                       syn_uncategorized(), exc_target);
      return false;
  }
@@ -XXX,XX +XXX,XX @@ static int disas_neon_ls_insn(DisasContext *s, uint32_t insn)
       * for attempts to execute invalid vfp/neon encodings with FP disabled.
       */
      if (s->fp_excp_el) {
 -        gen_exception_insn(s, 4, EXCP_UDEF,
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                             syn_simd_access_trap(1, 0xe, false), s->fp_excp_el);
          return 0;
      }
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
       * for attempts to execute invalid vfp/neon encodings with FP disabled.
       */
      if (s->fp_excp_el) {
 -        gen_exception_insn(s, 4, EXCP_UDEF,
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                             syn_simd_access_trap(1, 0xe, false), s->fp_excp_el);
          return 0;
      }
@@ -XXX,XX +XXX,XX @@ static int disas_neon_insn_3same_ext(DisasContext *s, uint32_t insn)
      }
      if (s->fp_excp_el) {
 -        gen_exception_insn(s, 4, EXCP_UDEF,
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                             syn_simd_access_trap(1, 0xe, false), s->fp_excp_el);
          return 0;
      }
@@ -XXX,XX +XXX,XX @@ static int disas_neon_insn_2reg_scalar_ext(DisasContext *s, uint32_t insn)
          off_rm = vfp_reg_offset(0, rm);
      }
      if (s->fp_excp_el) {
 -        gen_exception_insn(s, 4, EXCP_UDEF,
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                             syn_simd_access_trap(1, 0xe, false), s->fp_excp_el);
          return 0;
      }
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
       * For the UNPREDICTABLE cases we choose to UNDEF.
       */
      if (s->current_el == 1 && !s->ns && mode == ARM_CPU_MODE_MON) {
 -        gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(), 3);
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(), 3);
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
      }
      if (undef) {
 -        gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                             default_exception_el(s));
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
       * UsageFault exception.
       */
      if (arm_dc_feature(s, ARM_FEATURE_M)) {
 -        gen_exception_insn(s, 4, EXCP_INVSTATE, syn_uncategorized(),
 +        gen_exception_insn(s, s->pc_curr, EXCP_INVSTATE, syn_uncategorized(),
                             default_exception_el(s));
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
              break;
          default:
          illegal_op:
 -            gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
 +            gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                                 default_exception_el(s));
              break;
          }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
              }
              /* All other insns: NOCP */
 -            gen_exception_insn(s, 4, EXCP_NOCP, syn_uncategorized(),
 +            gen_exception_insn(s, s->pc_curr, EXCP_NOCP, syn_uncategorized(),
                                 default_exception_el(s));
              break;
          }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
      }
      return;
  illegal_op:
 -    gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                         default_exception_el(s));
  }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
      return;
  illegal_op:
  undef:
 -    gen_exception_insn(s, 2, EXCP_UDEF, syn_uncategorized(),
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                         default_exception_el(s));
  }
 --
 .20.1

-[Qemu-devel] [PULL 13/25] Make address_space_map() take a MemTxAttrs argument
+[Qemu-devel] [PULL 13/29] target/arm: Replace offset with pc in gen_exception_internal_insn
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+From: Richard Henderson <richard.henderson@linaro.org>
 add MemTxAttrs as an argument to address_space_map().
 Its callers either have an attrs value to hand, or don't care
 and can use MEMTXATTRS_UNSPECIFIED.
+The offset is variable depending on the instruction set.
+Passing in the actual value is clearer in intent.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20190807045335.1361-9-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521140402.23318-5-peter.maydell@linaro.org
 ---
- include/exec/memory.h   | 3 ++-
+ target/arm/translate-a64.c | 8 ++++----
- include/sysemu/dma.h    | 3 ++-
+ target/arm/translate.c     | 8 ++++----
- exec.c                  | 6 ++++--
+files changed, 8 insertions(+), 8 deletions(-)
  target/ppc/mmu-hash64.c | 3 ++-
 files changed, 10 insertions(+), 5 deletions(-)
-diff --git a/include/exec/memory.h b/include/exec/memory.h
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/memory.h
+--- a/target/arm/translate-a64.c
-+++ b/include/exec/memory.h
++++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len, bool is_
+@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
-  * @addr: address within that address space
+     tcg_temp_free_i32(tcg_excp);
-  * @plen: pointer to length of buffer; updated on return
+ }
-  * @is_write: indicates the transfer direction
-+ * @attrs: memory attributes
+-static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
-  */
++static void gen_exception_internal_insn(DisasContext *s, uint64_t pc, int excp)
- void *address_space_map(AddressSpace *as, hwaddr addr,
+ {
--                        hwaddr *plen, bool is_write);
+-    gen_a64_set_pc_im(s->base.pc_next - offset);
-+                        hwaddr *plen, bool is_write, MemTxAttrs attrs);
++    gen_a64_set_pc_im(pc);
+     gen_exception_internal(excp);
- /* address_space_unmap: Unmaps a memory region previously mapped by address_space_map()
+     s->base.is_jmp = DISAS_NORETURN;
-  *
+ }
-diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
+@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
                  break;
              }
  #endif
 -            gen_exception_internal_insn(s, 0, EXCP_SEMIHOST);
 +            gen_exception_internal_insn(s, s->base.pc_next, EXCP_SEMIHOST);
          } else {
              unsupported_encoding(s, insn);
          }
@@ -XXX,XX +XXX,XX @@ static bool aarch64_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
          /* End the TB early; it likely won't be executed */
          dc->base.is_jmp = DISAS_TOO_MANY;
      } else {
 -        gen_exception_internal_insn(dc, 0, EXCP_DEBUG);
 +        gen_exception_internal_insn(dc, dc->base.pc_next, EXCP_DEBUG);
          /* The address covered by the breakpoint must be
             included in [tb->pc, tb->pc + tb->size) in order
             to for it to be properly cleared -- thus we
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/sysemu/dma.h
+--- a/target/arm/translate.c
-+++ b/include/sysemu/dma.h
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static inline void *dma_memory_map(AddressSpace *as,
+@@ -XXX,XX +XXX,XX @@ static inline void gen_smc(DisasContext *s)
-     hwaddr xlen = *len;
+     s->base.is_jmp = DISAS_SMC;
      void *p;
 -    p = address_space_map(as, addr, &xlen, dir == DMA_DIRECTION_FROM_DEVICE);
 +    p = address_space_map(as, addr, &xlen, dir == DMA_DIRECTION_FROM_DEVICE,
 +                          MEMTXATTRS_UNSPECIFIED);
      *len = xlen;
      return p;
  }
-diff --git a/exec.c b/exec.c
-index XXXXXXX..XXXXXXX 100644
+-static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
---- a/exec.c
++static void gen_exception_internal_insn(DisasContext *s, uint32_t pc, int excp)
 +++ b/exec.c
@@ -XXX,XX +XXX,XX @@ flatview_extend_translation(FlatView *fv, hwaddr addr,
  void *address_space_map(AddressSpace *as,
                          hwaddr addr,
                          hwaddr *plen,
 -                        bool is_write)
 +                        bool is_write,
 +                        MemTxAttrs attrs)
  {
-     hwaddr len = *plen;
+     gen_set_condexec(s);
-     hwaddr l, xlat;
+-    gen_set_pc_im(s, s->base.pc_next - offset);
-@@ -XXX,XX +XXX,XX @@ void *cpu_physical_memory_map(hwaddr addr,
++    gen_set_pc_im(s, pc);
-                               hwaddr *plen,
+     gen_exception_internal(excp);
-                               int is_write)
+     s->base.is_jmp = DISAS_NORETURN;
  {
 -    return address_space_map(&address_space_memory, addr, plen, is_write);
 +    return address_space_map(&address_space_memory, addr, plen, is_write,
 +                             MEMTXATTRS_UNSPECIFIED);
  }
+@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
- void cpu_physical_memory_unmap(void *buffer, hwaddr len,
+         s->current_el != 0 &&
-diff --git a/target/ppc/mmu-hash64.c b/target/ppc/mmu-hash64.c
+ #endif
-index XXXXXXX..XXXXXXX 100644
+         (imm == (s->thumb ? 0x3c : 0xf000))) {
---- a/target/ppc/mmu-hash64.c
+-        gen_exception_internal_insn(s, 0, EXCP_SEMIHOST);
-+++ b/target/ppc/mmu-hash64.c
++        gen_exception_internal_insn(s, s->base.pc_next, EXCP_SEMIHOST);
-@@ -XXX,XX +XXX,XX @@ const ppc_hash_pte64_t *ppc_hash64_map_hptes(PowerPCCPU *cpu,
+         return;
          return NULL;
      }
--    hptes = address_space_map(CPU(cpu)->as, base + pte_offset, &plen, false);
+@@ -XXX,XX +XXX,XX @@ static bool arm_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-+    hptes = address_space_map(CPU(cpu)->as, base + pte_offset, &plen, false,
+         /* End the TB early; it's likely not going to be executed */
-+                              MEMTXATTRS_UNSPECIFIED);
+         dc->base.is_jmp = DISAS_TOO_MANY;
-     if (plen < (n * HASH_PTE_SIZE_64)) {
+     } else {
-         hw_error("%s: Unable to map all requested HPTEs\n", __func__);
+-        gen_exception_internal_insn(dc, 0, EXCP_DEBUG);
-     }
++        gen_exception_internal_insn(dc, dc->base.pc_next, EXCP_DEBUG);
          /* The address covered by the breakpoint must be
             included in [tb->pc, tb->pc + tb->size) in order
             to for it to be properly cleared -- thus we
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 18/25] Make flatview_access_valid() take a MemTxAttrs argument
+[Qemu-devel] [PULL 14/29] target/arm: Remove offset argument to gen_exception_bkpt_insn
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+From: Richard Henderson <richard.henderson@linaro.org>
 add MemTxAttrs as an argument to flatview_access_valid().
 Its callers now all have an attrs value to hand, so we can
 correct our earlier temporary use of MEMTXATTRS_UNSPECIFIED.
+Unlike the other more generic gen_exception{,_internal}_insn
+interfaces, breakpoints always refer to the current instruction.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20190807045335.1361-10-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521140402.23318-10-peter.maydell@linaro.org
 ---
- exec.c | 12 +++++-------
+ target/arm/translate-a64.c | 7 +++----
-file changed, 5 insertions(+), 7 deletions(-)
+ target/arm/translate.c     | 8 ++++----
 files changed, 7 insertions(+), 8 deletions(-)
-diff --git a/exec.c b/exec.c
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/exec.c
+--- a/target/arm/translate-a64.c
-+++ b/exec.c
++++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
+@@ -XXX,XX +XXX,XX @@ static void gen_exception_insn(DisasContext *s, uint64_t pc, int excp,
- static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
+     s->base.is_jmp = DISAS_NORETURN;
                                    const uint8_t *buf, int len);
  static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
 -                                  bool is_write);
 +                                  bool is_write, MemTxAttrs attrs);
  static MemTxResult subpage_read(void *opaque, hwaddr addr, uint64_t *data,
                                  unsigned len, MemTxAttrs attrs)
@@ -XXX,XX +XXX,XX @@ static bool subpage_accepts(void *opaque, hwaddr addr,
  #endif
      return flatview_access_valid(subpage->fv, addr + subpage->base,
 -                                 len, is_write);
 +                                 len, is_write, attrs);
  }
- static const MemoryRegionOps subpage_ops = {
+-static void gen_exception_bkpt_insn(DisasContext *s, int offset,
-@@ -XXX,XX +XXX,XX @@ static void cpu_notify_map_clients(void)
+-                                    uint32_t syndrome)
 +static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syndrome)
  {
      TCGv_i32 tcg_syn;
 -    gen_a64_set_pc_im(s->base.pc_next - offset);
 +    gen_a64_set_pc_im(s->pc_curr);
      tcg_syn = tcg_const_i32(syndrome);
      gen_helper_exception_bkpt_insn(cpu_env, tcg_syn);
      tcg_temp_free_i32(tcg_syn);
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
              break;
          }
          /* BRK */
 -        gen_exception_bkpt_insn(s, 4, syn_aa64_bkpt(imm16));
 +        gen_exception_bkpt_insn(s, syn_aa64_bkpt(imm16));
          break;
      case 2:
          if (op2_ll != 0) {
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_insn(DisasContext *s, uint32_t pc, int excp,
      s->base.is_jmp = DISAS_NORETURN;
  }
- static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
+-static void gen_exception_bkpt_insn(DisasContext *s, int offset, uint32_t syn)
--                                  bool is_write)
++static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syn)
 +                                  bool is_write, MemTxAttrs attrs)
  {
-     MemoryRegion *mr;
+     TCGv_i32 tcg_syn;
-     hwaddr l, xlat;
-@@ -XXX,XX +XXX,XX @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
+     gen_set_condexec(s);
-         mr = flatview_translate(fv, addr, &xlat, &l, is_write);
+-    gen_set_pc_im(s, s->base.pc_next - offset);
-         if (!memory_access_is_direct(mr, is_write)) {
++    gen_set_pc_im(s, s->pc_curr);
-             l = memory_access_size(mr, l, addr);
+     tcg_syn = tcg_const_i32(syn);
--            /* When our callers all have attrs we'll pass them through here */
+     gen_helper_exception_bkpt_insn(cpu_env, tcg_syn);
--            if (!memory_region_access_valid(mr, xlat, l, is_write,
+     tcg_temp_free_i32(tcg_syn);
--                                            MEMTXATTRS_UNSPECIFIED)) {
+@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
-+            if (!memory_region_access_valid(mr, xlat, l, is_write, attrs)) {
+             case 1:
-                 return false;
+                 /* bkpt */
-             }
+                 ARCH(5);
 -                gen_exception_bkpt_insn(s, 4, syn_aa32_bkpt(imm16, false));
 +                gen_exception_bkpt_insn(s, syn_aa32_bkpt(imm16, false));
                  break;
              case 2:
                  /* Hypervisor call (v7) */
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
          {
              int imm8 = extract32(insn, 0, 8);
              ARCH(5);
 -            gen_exception_bkpt_insn(s, 2, syn_aa32_bkpt(imm8, true));
 +            gen_exception_bkpt_insn(s, syn_aa32_bkpt(imm8, true));
              break;
          }
-@@ -XXX,XX +XXX,XX @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr,
      rcu_read_lock();
      fv = address_space_to_flatview(as);
 -    result = flatview_access_valid(fv, addr, len, is_write);
 +    result = flatview_access_valid(fv, addr, len, is_write, attrs);
      rcu_read_unlock();
      return result;
  }
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 05/25] tcg: Fix helper function vs host abi for float16
+[Qemu-devel] [PULL 15/29] target/arm: Use unallocated_encoding for aarch32
 From: Richard Henderson <richard.henderson@linaro.org>
-Depending on the host abi, float16, aka uint16_t, values are
+Promote this function from aarch64 to fully general use.
-passed and returned either zero-extended in the host register
+Use it to unify the code sequences for generating illegal
-or with garbage at the top of the host register.
+opcode exceptions.
-The tcg code generator has so far been assuming garbage, as that
-matches the x86 abi, but this is incorrect for other host abis.
-Further, target/arm has so far been assuming zero-extended results,
-so that it may store the 16-bit value into a 32-bit slot with the
-high 16-bits already clear.
-Rectify both problems by mapping "f16" in the helper definition
-to uint32_t instead of (a typedef for) uint16_t.  This forces
-the host compiler to assume garbage in the upper 16 bits on input
-and to zero-extend the result on output.
-Cc: qemu-stable@nongnu.org
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Tested-by: Laurent Desnogues <laurent.desnogues@gmail.com>
-Message-id: 20180522175629.24932-1-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20190807045335.1361-11-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/exec/helper-head.h |  2 +-
+ target/arm/translate-a64.h     |  2 --
- target/arm/helper-a64.c    | 35 +++++++++--------
+ target/arm/translate.h         |  2 ++
- target/arm/helper.c        | 80 +++++++++++++++++++-------------------
+ target/arm/translate-a64.c     |  7 -------
-files changed, 59 insertions(+), 58 deletions(-)
+ target/arm/translate-vfp.inc.c |  3 +--
  target/arm/translate.c         | 22 ++++++++++++----------
 files changed, 15 insertions(+), 21 deletions(-)
-diff --git a/include/exec/helper-head.h b/include/exec/helper-head.h
+diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/helper-head.h
+--- a/target/arm/translate-a64.h
-+++ b/include/exec/helper-head.h
++++ b/target/arm/translate-a64.h
 @@ -XXX,XX +XXX,XX @@
- #define dh_ctype_int int
+ #ifndef TARGET_ARM_TRANSLATE_A64_H
- #define dh_ctype_i64 uint64_t
+ #define TARGET_ARM_TRANSLATE_A64_H
- #define dh_ctype_s64 int64_t
--#define dh_ctype_f16 float16
+-void unallocated_encoding(DisasContext *s);
-+#define dh_ctype_f16 uint32_t
+-
- #define dh_ctype_f32 float32
+ #define unsupported_encoding(s, insn)                                    \
- #define dh_ctype_f64 float64
+     do {                                                                 \
- #define dh_ctype_ptr void *
+         qemu_log_mask(LOG_UNIMP,                                         \
-diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
+diff --git a/target/arm/translate.h b/target/arm/translate.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-a64.c
+--- a/target/arm/translate.h
-+++ b/target/arm/helper-a64.c
++++ b/target/arm/translate.h
-@@ -XXX,XX +XXX,XX @@ static inline uint32_t float_rel_to_flags(int res)
+@@ -XXX,XX +XXX,XX @@ typedef struct DisasCompare {
-     return flags;
+     bool value_global;
- }
+ } DisasCompare;
--uint64_t HELPER(vfp_cmph_a64)(float16 x, float16 y, void *fp_status)
++void unallocated_encoding(DisasContext *s);
-+uint64_t HELPER(vfp_cmph_a64)(uint32_t x, uint32_t y, void *fp_status)
++
- {
+ /* Share the TCG temporaries common between 32 and 64 bit modes.  */
-     return float_rel_to_flags(float16_compare_quiet(x, y, fp_status));
+ extern TCGv_i32 cpu_NF, cpu_ZF, cpu_CF, cpu_VF;
- }
+ extern TCGv_i64 cpu_exclusive_addr;
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 -uint64_t HELPER(vfp_cmpeh_a64)(float16 x, float16 y, void *fp_status)
 +uint64_t HELPER(vfp_cmpeh_a64)(uint32_t x, uint32_t y, void *fp_status)
  {
      return float_rel_to_flags(float16_compare(x, y, fp_status));
  }
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(neon_cgt_f64)(float64 a, float64 b, void *fpstp)
  #define float64_three make_float64(0x4008000000000000ULL)
  #define float64_one_point_five make_float64(0x3FF8000000000000ULL)
 -float16 HELPER(recpsf_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(recpsf_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
@@ -XXX,XX +XXX,XX @@ float64 HELPER(recpsf_f64)(float64 a, float64 b, void *fpstp)
      return float64_muladd(a, b, float64_two, 0, fpst);
  }
 -float16 HELPER(rsqrtsf_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(rsqrtsf_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(neon_addlp_u16)(uint64_t a)
  }
  /* Floating-point reciprocal exponent - see FPRecpX in ARM ARM */
 -float16 HELPER(frecpx_f16)(float16 a, void *fpstp)
 +uint32_t HELPER(frecpx_f16)(uint32_t a, void *fpstp)
  {
      float_status *fpst = fpstp;
      uint16_t val16, sbit;
@@ -XXX,XX +XXX,XX @@ void HELPER(casp_be_parallel)(CPUARMState *env, uint32_t rs, uint64_t addr,
  #define ADVSIMD_HELPER(name, suffix) HELPER(glue(glue(advsimd_, name), suffix))
  #define ADVSIMD_HALFOP(name) \
 -float16 ADVSIMD_HELPER(name, h)(float16 a, float16 b, void *fpstp) \
 +uint32_t ADVSIMD_HELPER(name, h)(uint32_t a, uint32_t b, void *fpstp) \
  { \
      float_status *fpst = fpstp; \
      return float16_ ## name(a, b, fpst);    \
@@ -XXX,XX +XXX,XX @@ ADVSIMD_HALFOP(mulx)
  ADVSIMD_TWOHALFOP(mulx)
  /* fused multiply-accumulate */
 -float16 HELPER(advsimd_muladdh)(float16 a, float16 b, float16 c, void *fpstp)
 +uint32_t HELPER(advsimd_muladdh)(uint32_t a, uint32_t b, uint32_t c,
 +                                 void *fpstp)
  {
      float_status *fpst = fpstp;
      return float16_muladd(a, b, c, 0, fpst);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_muladd2h)(uint32_t two_a, uint32_t two_b,
  #define ADVSIMD_CMPRES(test) (test) ? 0xffff : 0
 -uint32_t HELPER(advsimd_ceq_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(advsimd_ceq_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
      int compare = float16_compare_quiet(a, b, fpst);
      return ADVSIMD_CMPRES(compare == float_relation_equal);
  }
 -uint32_t HELPER(advsimd_cge_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(advsimd_cge_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
      int compare = float16_compare(a, b, fpst);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_cge_f16)(float16 a, float16 b, void *fpstp)
                            compare == float_relation_equal);
  }
 -uint32_t HELPER(advsimd_cgt_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(advsimd_cgt_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
      int compare = float16_compare(a, b, fpst);
      return ADVSIMD_CMPRES(compare == float_relation_greater);
  }
 -uint32_t HELPER(advsimd_acge_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(advsimd_acge_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
      float16 f0 = float16_abs(a);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_acge_f16)(float16 a, float16 b, void *fpstp)
                            compare == float_relation_equal);
  }
 -uint32_t HELPER(advsimd_acgt_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(advsimd_acgt_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
      float16 f0 = float16_abs(a);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_acgt_f16)(float16 a, float16 b, void *fpstp)
  }
  /* round to integral */
 -float16 HELPER(advsimd_rinth_exact)(float16 x, void *fp_status)
 +uint32_t HELPER(advsimd_rinth_exact)(uint32_t x, void *fp_status)
  {
      return float16_round_to_int(x, fp_status);
  }
 -float16 HELPER(advsimd_rinth)(float16 x, void *fp_status)
 +uint32_t HELPER(advsimd_rinth)(uint32_t x, void *fp_status)
  {
      int old_flags = get_float_exception_flags(fp_status), new_flags;
      float16 ret;
@@ -XXX,XX +XXX,XX @@ float16 HELPER(advsimd_rinth)(float16 x, void *fp_status)
   * setting the mode appropriately before calling the helper.
   */
 -uint32_t HELPER(advsimd_f16tosinth)(float16 a, void *fpstp)
 +uint32_t HELPER(advsimd_f16tosinth)(uint32_t a, void *fpstp)
  {
      float_status *fpst = fpstp;
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_f16tosinth)(float16 a, void *fpstp)
      return float16_to_int16(a, fpst);
  }
 -uint32_t HELPER(advsimd_f16touinth)(float16 a, void *fpstp)
 +uint32_t HELPER(advsimd_f16touinth)(uint32_t a, void *fpstp)
  {
      float_status *fpst = fpstp;
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_f16touinth)(float16 a, void *fpstp)
   * Square Root and Reciprocal square root
   */
 -float16 HELPER(sqrt_f16)(float16 a, void *fpstp)
 +uint32_t HELPER(sqrt_f16)(uint32_t a, void *fpstp)
  {
      float_status *s = fpstp;
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
+--- a/target/arm/translate-a64.c
-+++ b/target/arm/helper.c
++++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ DO_VFP_cmp(d, float64)
+@@ -XXX,XX +XXX,XX @@ static inline void gen_goto_tb(DisasContext *s, int n, uint64_t dest)
  /* Integer to float and float to integer conversions */
 -#define CONV_ITOF(name, fsz, sign) \
 -    float##fsz HELPER(name)(uint32_t x, void *fpstp) \
 -{ \
 -    float_status *fpst = fpstp; \
 -    return sign##int32_to_##float##fsz((sign##int32_t)x, fpst); \
 +#define CONV_ITOF(name, ftype, fsz, sign)                           \
 +ftype HELPER(name)(uint32_t x, void *fpstp)                         \
 +{                                                                   \
 +    float_status *fpst = fpstp;                                     \
 +    return sign##int32_to_##float##fsz((sign##int32_t)x, fpst);     \
  }
 -#define CONV_FTOI(name, fsz, sign, round) \
 -uint32_t HELPER(name)(float##fsz x, void *fpstp) \
 -{ \
 -    float_status *fpst = fpstp; \
 -    if (float##fsz##_is_any_nan(x)) { \
 -        float_raise(float_flag_invalid, fpst); \
 -        return 0; \
 -    } \
 -    return float##fsz##_to_##sign##int32##round(x, fpst); \
 +#define CONV_FTOI(name, ftype, fsz, sign, round)                \
 +uint32_t HELPER(name)(ftype x, void *fpstp)                     \
 +{                                                               \
 +    float_status *fpst = fpstp;                                 \
 +    if (float##fsz##_is_any_nan(x)) {                           \
 +        float_raise(float_flag_invalid, fpst);                  \
 +        return 0;                                               \
 +    }                                                           \
 +    return float##fsz##_to_##sign##int32##round(x, fpst);       \
  }
 -#define FLOAT_CONVS(name, p, fsz, sign) \
 -CONV_ITOF(vfp_##name##to##p, fsz, sign) \
 -CONV_FTOI(vfp_to##name##p, fsz, sign, ) \
 -CONV_FTOI(vfp_to##name##z##p, fsz, sign, _round_to_zero)
 +#define FLOAT_CONVS(name, p, ftype, fsz, sign)            \
 +    CONV_ITOF(vfp_##name##to##p, ftype, fsz, sign)        \
 +    CONV_FTOI(vfp_to##name##p, ftype, fsz, sign, )        \
 +    CONV_FTOI(vfp_to##name##z##p, ftype, fsz, sign, _round_to_zero)
 -FLOAT_CONVS(si, h, 16, )
 -FLOAT_CONVS(si, s, 32, )
 -FLOAT_CONVS(si, d, 64, )
 -FLOAT_CONVS(ui, h, 16, u)
 -FLOAT_CONVS(ui, s, 32, u)
 -FLOAT_CONVS(ui, d, 64, u)
 +FLOAT_CONVS(si, h, uint32_t, 16, )
 +FLOAT_CONVS(si, s, float32, 32, )
 +FLOAT_CONVS(si, d, float64, 64, )
 +FLOAT_CONVS(ui, h, uint32_t, 16, u)
 +FLOAT_CONVS(ui, s, float32, 32, u)
 +FLOAT_CONVS(ui, d, float64, 64, u)
  #undef CONV_ITOF
  #undef CONV_FTOI
@@ -XXX,XX +XXX,XX @@ static float16 do_postscale_fp16(float64 f, int shift, float_status *fpst)
      return float64_to_float16(float64_scalbn(f, -shift, fpst), true, fpst);
  }
 -float16 HELPER(vfp_sltoh)(uint32_t x, uint32_t shift, void *fpst)
 +uint32_t HELPER(vfp_sltoh)(uint32_t x, uint32_t shift, void *fpst)
  {
      return do_postscale_fp16(int32_to_float64(x, fpst), shift, fpst);
  }
 -float16 HELPER(vfp_ultoh)(uint32_t x, uint32_t shift, void *fpst)
 +uint32_t HELPER(vfp_ultoh)(uint32_t x, uint32_t shift, void *fpst)
  {
      return do_postscale_fp16(uint32_to_float64(x, fpst), shift, fpst);
  }
 -float16 HELPER(vfp_sqtoh)(uint64_t x, uint32_t shift, void *fpst)
 +uint32_t HELPER(vfp_sqtoh)(uint64_t x, uint32_t shift, void *fpst)
  {
      return do_postscale_fp16(int64_to_float64(x, fpst), shift, fpst);
  }
 -float16 HELPER(vfp_uqtoh)(uint64_t x, uint32_t shift, void *fpst)
 +uint32_t HELPER(vfp_uqtoh)(uint64_t x, uint32_t shift, void *fpst)
  {
      return do_postscale_fp16(uint64_to_float64(x, fpst), shift, fpst);
  }
@@ -XXX,XX +XXX,XX @@ static float64 do_prescale_fp16(float16 f, int shift, float_status *fpst)
      }
  }
--uint32_t HELPER(vfp_toshh)(float16 x, uint32_t shift, void *fpst)
+-void unallocated_encoding(DisasContext *s)
-+uint32_t HELPER(vfp_toshh)(uint32_t x, uint32_t shift, void *fpst)
+-{
 -    /* Unallocated and reserved encodings are uncategorized */
 -    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                       default_exception_el(s));
 -}
 -
  static void init_tmp_a64_array(DisasContext *s)
  {
-     return float64_to_int16(do_prescale_fp16(x, shift, fpst), fpst);
+ #ifdef CONFIG_DEBUG_TCG
 diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-vfp.inc.c
 +++ b/target/arm/translate-vfp.inc.c
@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
      if (!s->vfp_enabled && !ignore_vfp_enabled) {
          assert(!arm_dc_feature(s, ARM_FEATURE_M));
 -        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                           default_exception_el(s));
 +        unallocated_encoding(s);
          return false;
      }
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syn)
      s->base.is_jmp = DISAS_NORETURN;
  }
--uint32_t HELPER(vfp_touhh)(float16 x, uint32_t shift, void *fpst)
++void unallocated_encoding(DisasContext *s)
-+uint32_t HELPER(vfp_touhh)(uint32_t x, uint32_t shift, void *fpst)
++{
 +    /* Unallocated and reserved encodings are uncategorized */
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 +                       default_exception_el(s));
 +}
 +
  /* Force a TB lookup after an instruction that changes the CPU state.  */
  static inline void gen_lookup_tb(DisasContext *s)
  {
-     return float64_to_uint16(do_prescale_fp16(x, shift, fpst), fpst);
+@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
          return;
      }
 -    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                       default_exception_el(s));
 +    unallocated_encoding(s);
  }
--uint32_t HELPER(vfp_toslh)(float16 x, uint32_t shift, void *fpst)
+ static inline void gen_add_data_offset(DisasContext *s, unsigned int insn,
-+uint32_t HELPER(vfp_toslh)(uint32_t x, uint32_t shift, void *fpst)
+@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
- {
+     }
-     return float64_to_int32(do_prescale_fp16(x, shift, fpst), fpst);
      if (undef) {
 -        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                           default_exception_el(s));
 +        unallocated_encoding(s);
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
              break;
          default:
          illegal_op:
 -            gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                               default_exception_el(s));
 +            unallocated_encoding(s);
              break;
          }
      }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
      }
      return;
  illegal_op:
 -    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                       default_exception_el(s));
 +    unallocated_encoding(s);
  }
--uint32_t HELPER(vfp_toulh)(float16 x, uint32_t shift, void *fpst)
+ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
-+uint32_t HELPER(vfp_toulh)(uint32_t x, uint32_t shift, void *fpst)
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
- {
+     return;
-     return float64_to_uint32(do_prescale_fp16(x, shift, fpst), fpst);
+ illegal_op:
  undef:
 -    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                       default_exception_el(s));
 +    unallocated_encoding(s);
  }
--uint64_t HELPER(vfp_tosqh)(float16 x, uint32_t shift, void *fpst)
+ static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
 +uint64_t HELPER(vfp_tosqh)(uint32_t x, uint32_t shift, void *fpst)
  {
      return float64_to_int64(do_prescale_fp16(x, shift, fpst), fpst);
  }
 -uint64_t HELPER(vfp_touqh)(float16 x, uint32_t shift, void *fpst)
 +uint64_t HELPER(vfp_touqh)(uint32_t x, uint32_t shift, void *fpst)
  {
      return float64_to_uint64(do_prescale_fp16(x, shift, fpst), fpst);
  }
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(set_neon_rmode)(uint32_t rmode, CPUARMState *env)
  }
  /* Half precision conversions.  */
 -float32 HELPER(vfp_fcvt_f16_to_f32)(float16 a, void *fpstp, uint32_t ahp_mode)
 +float32 HELPER(vfp_fcvt_f16_to_f32)(uint32_t a, void *fpstp, uint32_t ahp_mode)
  {
      /* Squash FZ16 to 0 for the duration of conversion.  In this case,
       * it would affect flushing input denormals.
@@ -XXX,XX +XXX,XX @@ float32 HELPER(vfp_fcvt_f16_to_f32)(float16 a, void *fpstp, uint32_t ahp_mode)
      return r;
  }
 -float16 HELPER(vfp_fcvt_f32_to_f16)(float32 a, void *fpstp, uint32_t ahp_mode)
 +uint32_t HELPER(vfp_fcvt_f32_to_f16)(float32 a, void *fpstp, uint32_t ahp_mode)
  {
      /* Squash FZ16 to 0 for the duration of conversion.  In this case,
       * it would affect flushing output denormals.
@@ -XXX,XX +XXX,XX @@ float16 HELPER(vfp_fcvt_f32_to_f16)(float32 a, void *fpstp, uint32_t ahp_mode)
      return r;
  }
 -float64 HELPER(vfp_fcvt_f16_to_f64)(float16 a, void *fpstp, uint32_t ahp_mode)
 +float64 HELPER(vfp_fcvt_f16_to_f64)(uint32_t a, void *fpstp, uint32_t ahp_mode)
  {
      /* Squash FZ16 to 0 for the duration of conversion.  In this case,
       * it would affect flushing input denormals.
@@ -XXX,XX +XXX,XX @@ float64 HELPER(vfp_fcvt_f16_to_f64)(float16 a, void *fpstp, uint32_t ahp_mode)
      return r;
  }
 -float16 HELPER(vfp_fcvt_f64_to_f16)(float64 a, void *fpstp, uint32_t ahp_mode)
 +uint32_t HELPER(vfp_fcvt_f64_to_f16)(float64 a, void *fpstp, uint32_t ahp_mode)
  {
      /* Squash FZ16 to 0 for the duration of conversion.  In this case,
       * it would affect flushing output denormals.
@@ -XXX,XX +XXX,XX @@ static bool round_to_inf(float_status *fpst, bool sign_bit)
      g_assert_not_reached();
  }
 -float16 HELPER(recpe_f16)(float16 input, void *fpstp)
 +uint32_t HELPER(recpe_f16)(uint32_t input, void *fpstp)
  {
      float_status *fpst = fpstp;
      float16 f16 = float16_squash_input_denormal(input, fpst);
@@ -XXX,XX +XXX,XX @@ static uint64_t recip_sqrt_estimate(int *exp , int exp_off, uint64_t frac)
      return extract64(estimate, 0, 8) << 44;
  }
 -float16 HELPER(rsqrte_f16)(float16 input, void *fpstp)
 +uint32_t HELPER(rsqrte_f16)(uint32_t input, void *fpstp)
  {
      float_status *s = fpstp;
      float16 f16 = float16_squash_input_denormal(input, s);
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 15/25] Make flatview_extend_translation() take a MemTxAttrs argument
+[Qemu-devel] [PULL 16/29] target/arm: Remove helper_double_saturate
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+From: Richard Henderson <richard.henderson@linaro.org>
 add MemTxAttrs as an argument to flatview_extend_translation().
 Its callers either have an attrs value to hand, or don't care
 and can use MEMTXATTRS_UNSPECIFIED.
+Replace x = double_saturate(y) with x = add_saturate(y, y).
+There is no need for a separate more specialized helper.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20190807045335.1361-12-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521140402.23318-7-peter.maydell@linaro.org
 ---
- exec.c | 15 ++++++++++-----
+ target/arm/helper.h    |  1 -
-file changed, 10 insertions(+), 5 deletions(-)
+ target/arm/op_helper.c | 15 ---------------
  target/arm/translate.c |  4 ++--
 files changed, 2 insertions(+), 18 deletions(-)
-diff --git a/exec.c b/exec.c
+diff --git a/target/arm/helper.h b/target/arm/helper.h
 index XXXXXXX..XXXXXXX 100644
---- a/exec.c
+--- a/target/arm/helper.h
-+++ b/exec.c
++++ b/target/arm/helper.h
-@@ -XXX,XX +XXX,XX @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr,
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_3(add_saturate, i32, env, i32, i32)
+ DEF_HELPER_3(sub_saturate, i32, env, i32, i32)
- static hwaddr
+ DEF_HELPER_3(add_usaturate, i32, env, i32, i32)
- flatview_extend_translation(FlatView *fv, hwaddr addr,
+ DEF_HELPER_3(sub_usaturate, i32, env, i32, i32)
--                                 hwaddr target_len,
+-DEF_HELPER_2(double_saturate, i32, env, s32)
--                                 MemoryRegion *mr, hwaddr base, hwaddr len,
+ DEF_HELPER_FLAGS_2(sdiv, TCG_CALL_NO_RWG_SE, s32, s32, s32)
--                                 bool is_write)
+ DEF_HELPER_FLAGS_2(udiv, TCG_CALL_NO_RWG_SE, i32, i32, i32)
-+                            hwaddr target_len,
+ DEF_HELPER_FLAGS_1(rbit, TCG_CALL_NO_RWG_SE, i32, i32)
-+                            MemoryRegion *mr, hwaddr base, hwaddr len,
+diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
-+                            bool is_write, MemTxAttrs attrs)
+index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/op_helper.c
 +++ b/target/arm/op_helper.c
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(sub_saturate)(CPUARMState *env, uint32_t a, uint32_t b)
      return res;
  }
 -uint32_t HELPER(double_saturate)(CPUARMState *env, int32_t val)
 -{
 -    uint32_t res;
 -    if (val >= 0x40000000) {
 -        res = ~SIGNBIT;
 -        env->QF = 1;
 -    } else if (val <= (int32_t)0xc0000000) {
 -        res = SIGNBIT;
 -        env->QF = 1;
 -    } else {
 -        res = val << 1;
 -    }
 -    return res;
 -}
 -
  uint32_t HELPER(add_usaturate)(CPUARMState *env, uint32_t a, uint32_t b)
  {
-     hwaddr done = 0;
+     uint32_t res = a + b;
-     hwaddr xlat;
+diff --git a/target/arm/translate.c b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ void *address_space_map(AddressSpace *as,
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate.c
-     memory_region_ref(mr);
++++ b/target/arm/translate.c
-     *plen = flatview_extend_translation(fv, addr, len, mr, xlat,
+@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
--                                             l, is_write);
+             tmp = load_reg(s, rm);
-+                                        l, is_write, attrs);
+             tmp2 = load_reg(s, rn);
-     ptr = qemu_ram_ptr_length(mr->ram_block, xlat, plen, true);
+             if (op1 & 2)
-     rcu_read_unlock();
+-                gen_helper_double_saturate(tmp2, cpu_env, tmp2);
++                gen_helper_add_saturate(tmp2, cpu_env, tmp2, tmp2);
-@@ -XXX,XX +XXX,XX @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
+             if (op1 & 1)
-     mr = cache->mrs.mr;
+                 gen_helper_sub_saturate(tmp, cpu_env, tmp, tmp2);
-     memory_region_ref(mr);
+             else
-     if (memory_access_is_direct(mr, is_write)) {
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
-+        /* We don't care about the memory attributes here as we're only
+                 tmp = load_reg(s, rn);
-+         * doing this if we found actual RAM, which behaves the same
+                 tmp2 = load_reg(s, rm);
-+         * regardless of attributes; so UNSPECIFIED is fine.
+                 if (op & 1)
-+         */
+-                    gen_helper_double_saturate(tmp, cpu_env, tmp);
-         l = flatview_extend_translation(cache->fv, addr, len, mr,
++                    gen_helper_add_saturate(tmp, cpu_env, tmp, tmp);
--                                        cache->xlat, l, is_write);
+                 if (op & 2)
-+                                        cache->xlat, l, is_write,
+                     gen_helper_sub_saturate(tmp, cpu_env, tmp2, tmp);
-+                                        MEMTXATTRS_UNSPECIFIED);
+                 else
          cache->ptr = qemu_ram_ptr_length(mr->ram_block, cache->xlat, &l, true);
      } else {
          cache->ptr = NULL;
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 10/25] memory.h: Improve IOMMU related documentation
+[Qemu-devel] [PULL 17/29] target/arm/cpu64: Ensure kvm really supports aarch64=off
-Add more detail to the documentation for memory_region_init_iommu()
+From: Andrew Jones <drjones@redhat.com>
 and other IOMMU-related functions and data structures.
+If -cpu <cpu>,aarch64=off is used then KVM must also be used, and it
+and the host must support running the vcpu in 32-bit mode. Also, if
+-cpu <cpu>,aarch64=on is used, then it doesn't matter if kvm is
+enabled or not.
+Signed-off-by: Andrew Jones <drjones@redhat.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Message-id: 20180521140402.23318-2-peter.maydell@linaro.org
 ---
- include/exec/memory.h | 105 ++++++++++++++++++++++++++++++++++++++----
+ target/arm/kvm_arm.h | 14 ++++++++++++++
-file changed, 95 insertions(+), 10 deletions(-)
+ target/arm/cpu64.c   | 12 ++++++------
  target/arm/kvm64.c   |  9 +++++++++
 files changed, 29 insertions(+), 6 deletions(-)
-diff --git a/include/exec/memory.h b/include/exec/memory.h
+diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/memory.h
+--- a/target/arm/kvm_arm.h
-+++ b/include/exec/memory.h
++++ b/target/arm/kvm_arm.h
-@@ -XXX,XX +XXX,XX @@ enum IOMMUMemoryRegionAttr {
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf);
-     IOMMU_ATTR_SPAPR_TCE_FD
+  */
- };
+ void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu);
 +/**
-+ * IOMMUMemoryRegionClass:
++ * kvm_arm_aarch32_supported:
 + * @cs: CPUState
 + *
-+ * All IOMMU implementations need to subclass TYPE_IOMMU_MEMORY_REGION
++ * Returns: true if the KVM VCPU can enable AArch32 mode
-+ * and provide an implementation of at least the @translate method here
++ * and false otherwise.
 + * to handle requests to the memory region. Other methods are optional.
 + *
 + * The IOMMU implementation must use the IOMMU notifier infrastructure
 + * to report whenever mappings are changed, by calling
 + * memory_region_notify_iommu() (or, if necessary, by calling
 + * memory_region_notify_one() for each registered notifier).
 + */
- typedef struct IOMMUMemoryRegionClass {
++bool kvm_arm_aarch32_supported(CPUState *cs);
-     /* private */
++
-     struct DeviceClass parent_class;
+ /**
+  * kvm_arm_get_max_vm_ipa_size - Returns the number of bits in the
-     /*
+  * IPA address space supported by KVM
--     * Return a TLB entry that contains a given address. Flag should
+@@ -XXX,XX +XXX,XX @@ static inline void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu)
--     * be the access permission of this translation operation. We can
+     cpu->host_cpu_probe_failed = true;
--     * set flag to IOMMU_NONE to mean that we don't need any
+ }
--     * read/write permission checks, like, when for region replay.
-+     * Return a TLB entry that contains a given address.
++static inline bool kvm_arm_aarch32_supported(CPUState *cs)
-+     *
++{
-+     * The IOMMUAccessFlags indicated via @flag are optional and may
++    return false;
-+     * be specified as IOMMU_NONE to indicate that the caller needs
++}
-+     * the full translation information for both reads and writes. If
++
-+     * the access flags are specified then the IOMMU implementation
+ static inline int kvm_arm_get_max_vm_ipa_size(MachineState *ms)
-+     * may use this as an optimization, to stop doing a page table
+ {
-+     * walk as soon as it knows that the requested permissions are not
+     return -ENOENT;
-+     * allowed. If IOMMU_NONE is passed then the IOMMU must do the
+diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
-+     * full page table walk and report the permissions in the returned
+index XXXXXXX..XXXXXXX 100644
-+     * IOMMUTLBEntry. (Note that this implies that an IOMMU may not
+--- a/target/arm/cpu64.c
-+     * return different mappings for reads and writes.)
++++ b/target/arm/cpu64.c
-+     *
+@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_set_aarch64(Object *obj, bool value, Error **errp)
-+     * The returned information remains valid while the caller is
+      * restriction allows us to avoid fixing up functionality that assumes a
-+     * holding the big QEMU lock or is inside an RCU critical section;
+      * uniform execution state like do_interrupt.
 +     * if the caller wishes to cache the mapping beyond that it must
 +     * register an IOMMU notifier so it can invalidate its cached
 +     * information when the IOMMU mapping changes.
 +     *
 +     * @iommu: the IOMMUMemoryRegion
 +     * @hwaddr: address to be translated within the memory region
 +     * @flag: requested access permissions
       */
-     IOMMUTLBEntry (*translate)(IOMMUMemoryRegion *iommu, hwaddr addr,
+-    if (!kvm_enabled()) {
-                                IOMMUAccessFlags flag);
+-        error_setg(errp, "'aarch64' feature cannot be disabled "
--    /* Returns minimum supported page size */
+-                         "unless KVM is enabled");
-+    /* Returns minimum supported page size in bytes.
+-        return;
-+     * If this method is not provided then the minimum is assumed to
+-    }
-+     * be TARGET_PAGE_SIZE.
+-
-+     *
+     if (value == false) {
-+     * @iommu: the IOMMUMemoryRegion
++        if (!kvm_enabled() || !kvm_arm_aarch32_supported(CPU(cpu))) {
-+     */
++            error_setg(errp, "'aarch64' feature cannot be disabled "
-     uint64_t (*get_min_page_size)(IOMMUMemoryRegion *iommu);
++                             "unless KVM is enabled and 32-bit EL1 "
--    /* Called when IOMMU Notifier flag changed */
++                             "is supported");
-+    /* Called when IOMMU Notifier flag changes (ie when the set of
++            return;
-+     * events which IOMMU users are requesting notification for changes).
++        }
-+     * Optional method -- need not be provided if the IOMMU does not
+         unset_feature(&cpu->env, ARM_FEATURE_AARCH64);
-+     * need to know exactly which events must be notified.
+     } else {
-+     *
+         set_feature(&cpu->env, ARM_FEATURE_AARCH64);
-+     * @iommu: the IOMMUMemoryRegion
+diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
-+     * @old_flags: events which previously needed to be notified
+index XXXXXXX..XXXXXXX 100644
-+     * @new_flags: events which now need to be notified
+--- a/target/arm/kvm64.c
-+     */
++++ b/target/arm/kvm64.c
-     void (*notify_flag_changed)(IOMMUMemoryRegion *iommu,
+@@ -XXX,XX +XXX,XX @@
-                                 IOMMUNotifierFlag old_flags,
+ #include "exec/gdbstub.h"
-                                 IOMMUNotifierFlag new_flags);
+ #include "sysemu/sysemu.h"
--    /* Set this up to provide customized IOMMU replay function */
+ #include "sysemu/kvm.h"
-+    /* Called to handle memory_region_iommu_replay().
++#include "sysemu/kvm_int.h"
-+     *
+ #include "kvm_arm.h"
-+     * The default implementation of memory_region_iommu_replay() is to
++#include "hw/boards.h"
-+     * call the IOMMU translate method for every page in the address space
+ #include "internals.h"
-+     * with flag == IOMMU_NONE and then call the notifier if translate
-+     * returns a valid mapping. If this method is implemented then it
+ static bool have_guest_debug;
-+     * overrides the default behaviour, and must provide the full semantics
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
-+     * of memory_region_iommu_replay(), by calling @notifier for every
+     return true;
-+     * translation present in the IOMMU.
+ }
-+     *
-+     * Optional method -- an IOMMU only needs to provide this method
++bool kvm_arm_aarch32_supported(CPUState *cpu)
-+     * if the default is inefficient or produces undesirable side effects.
++{
-+     *
++    KVMState *s = KVM_STATE(current_machine->accelerator);
-+     * Note: this is not related to record-and-replay functionality.
++
-+     */
++    return kvm_check_extension(s, KVM_CAP_ARM_EL1_32BIT);
-     void (*replay)(IOMMUMemoryRegion *iommu, IOMMUNotifier *notifier);
++}
++
--    /* Get IOMMU misc attributes */
+ #define ARM_CPU_ID_MPIDR       3, 0, 0, 0, 5
--    int (*get_attr)(IOMMUMemoryRegion *iommu, enum IOMMUMemoryRegionAttr,
-+    /* Get IOMMU misc attributes. This is an optional method that
+ int kvm_arch_init_vcpu(CPUState *cs)
 +     * can be used to allow users of the IOMMU to get implementation-specific
 +     * information. The IOMMU implements this method to handle calls
 +     * by IOMMU users to memory_region_iommu_get_attr() by filling in
 +     * the arbitrary data pointer for any IOMMUMemoryRegionAttr values that
 +     * the IOMMU supports. If the method is unimplemented then
 +     * memory_region_iommu_get_attr() will always return -EINVAL.
 +     *
 +     * @iommu: the IOMMUMemoryRegion
 +     * @attr: attribute being queried
 +     * @data: memory to fill in with the attribute data
 +     *
 +     * Returns 0 on success, or a negative errno; in particular
 +     * returns -EINVAL for unrecognized or unimplemented attribute types.
 +     */
 +    int (*get_attr)(IOMMUMemoryRegion *iommu, enum IOMMUMemoryRegionAttr attr,
                      void *data);
  } IOMMUMemoryRegionClass;
@@ -XXX,XX +XXX,XX @@ static inline void memory_region_init_reservation(MemoryRegion *mr,
   * An IOMMU region translates addresses and forwards accesses to a target
   * memory region.
   *
 + * The IOMMU implementation must define a subclass of TYPE_IOMMU_MEMORY_REGION.
 + * @_iommu_mr should be a pointer to enough memory for an instance of
 + * that subclass, @instance_size is the size of that subclass, and
 + * @mrtypename is its name. This function will initialize @_iommu_mr as an
 + * instance of the subclass, and its methods will then be called to handle
 + * accesses to the memory region. See the documentation of
 + * #IOMMUMemoryRegionClass for further details.
 + *
   * @_iommu_mr: the #IOMMUMemoryRegion to be initialized
   * @instance_size: the IOMMUMemoryRegion subclass instance size
   * @mrtypename: the type name of the #IOMMUMemoryRegion
@@ -XXX,XX +XXX,XX @@ void memory_region_register_iommu_notifier(MemoryRegion *mr,
   * a notifier with the minimum page granularity returned by
   * mr->iommu_ops->get_page_size().
   *
 + * Note: this is not related to record-and-replay functionality.
 + *
   * @iommu_mr: the memory region to observe
   * @n: the notifier to which to replay iommu mappings
   */
@@ -XXX,XX +XXX,XX @@ void memory_region_iommu_replay(IOMMUMemoryRegion *iommu_mr, IOMMUNotifier *n);
   * memory_region_iommu_replay_all: replay existing IOMMU translations
   * to all the notifiers registered.
   *
 + * Note: this is not related to record-and-replay functionality.
 + *
   * @iommu_mr: the memory region to observe
   */
  void memory_region_iommu_replay_all(IOMMUMemoryRegion *iommu_mr);
@@ -XXX,XX +XXX,XX @@ void memory_region_unregister_iommu_notifier(MemoryRegion *mr,
   * memory_region_iommu_get_attr: return an IOMMU attr if get_attr() is
   * defined on the IOMMU.
   *
 - * Returns 0 if succeded, error code otherwise.
 + * Returns 0 on success, or a negative errno otherwise. In particular,
 + * -EINVAL indicates that the IOMMU does not support the requested
 + * attribute.
   *
   * @iommu_mr: the memory region
   * @attr: the requested attribute
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 24/25] ARM: ACPI: Fix use-after-free due to memory realloc
+[Qemu-devel] [PULL 18/29] target/arm/cpu: Ensure we can use the pmu with kvm
-From: Shannon Zhao <zhaoshenglong@huawei.com>
+From: Andrew Jones <drjones@redhat.com>
-acpi_data_push uses g_array_set_size to resize the memory size. If there
+We first convert the pmu property from a static property to one with
-is no enough contiguous memory, the address will be changed. So previous
+its own accessors. Then we use the set accessor to check if the PMU is
-pointer could not be used any more. It must update the pointer and use
+supported when using KVM. Indeed a 32-bit KVM host does not support
-the new one.
+the PMU, so this check will catch an attempt to use it at property-set
 time.
-Also, previous codes wrongly use le32 conversion of iort->node_offset
+Signed-off-by: Andrew Jones <drjones@redhat.com>
 for subsequent computations that will result incorrect value if host is
 not litlle endian. So use the non-converted one instead.
 Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Message-id: 1527663951-14552-1-git-send-email-zhaoshenglong@huawei.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/virt-acpi-build.c | 20 +++++++++++++++-----
+ target/arm/kvm_arm.h | 14 ++++++++++++++
-file changed, 15 insertions(+), 5 deletions(-)
+ target/arm/cpu.c     | 30 +++++++++++++++++++++++++-----
  target/arm/kvm.c     |  7 +++++++
 files changed, 46 insertions(+), 5 deletions(-)
-diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
+diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt-acpi-build.c
+--- a/target/arm/kvm_arm.h
-+++ b/hw/arm/virt-acpi-build.c
++++ b/target/arm/kvm_arm.h
-@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
+@@ -XXX,XX +XXX,XX @@ void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu);
-     AcpiIortItsGroup *its;
+  */
-     AcpiIortTable *iort;
+ bool kvm_arm_aarch32_supported(CPUState *cs);
-     AcpiIortSmmu3 *smmu;
--    size_t node_size, iort_length, smmu_offset = 0;
++/**
-+    size_t node_size, iort_node_offset, iort_length, smmu_offset = 0;
++ * bool kvm_arm_pmu_supported:
-     AcpiIortRC *rc;
++ * @cs: CPUState
++ *
-     iort = acpi_data_push(table_data, sizeof(*iort));
++ * Returns: true if the KVM VCPU can enable its PMU
-@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
++ * and false otherwise.
++ */
-     iort_length = sizeof(*iort);
++bool kvm_arm_pmu_supported(CPUState *cs);
-     iort->node_count = cpu_to_le32(nb_nodes);
++
--    iort->node_offset = cpu_to_le32(sizeof(*iort));
+ /**
-+    /*
+  * kvm_arm_get_max_vm_ipa_size - Returns the number of bits in the
-+     * Use a copy in case table_data->data moves during acpi_data_push
+  * IPA address space supported by KVM
-+     * operations.
+@@ -XXX,XX +XXX,XX @@ static inline bool kvm_arm_aarch32_supported(CPUState *cs)
-+     */
+     return false;
-+    iort_node_offset = sizeof(*iort);
+ }
-+    iort->node_offset = cpu_to_le32(iort_node_offset);
++static inline bool kvm_arm_pmu_supported(CPUState *cs)
-     /* ITS group node */
++{
-     node_size =  sizeof(*its) + sizeof(uint32_t);
++    return false;
-@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
++}
-         int irq =  vms->irqmap[VIRT_SMMU];
++
+ static inline int kvm_arm_get_max_vm_ipa_size(MachineState *ms)
-         /* SMMUv3 node */
+ {
--        smmu_offset = iort->node_offset + node_size;
+     return -ENOENT;
-+        smmu_offset = iort_node_offset + node_size;
+diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-         node_size = sizeof(*smmu) + sizeof(*idmap);
+index XXXXXXX..XXXXXXX 100644
-         iort_length += node_size;
+--- a/target/arm/cpu.c
-         smmu = acpi_data_push(table_data, node_size);
++++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
+@@ -XXX,XX +XXX,XX @@ static Property arm_cpu_has_el3_property =
-         idmap->id_count = cpu_to_le32(0xFFFF);
+ static Property arm_cpu_cfgend_property =
-         idmap->output_base = 0;
+             DEFINE_PROP_BOOL("cfgend", ARMCPU, cfgend, false);
-         /* output IORT node is the ITS group node (the first node) */
--        idmap->output_reference = cpu_to_le32(iort->node_offset);
+-/* use property name "pmu" to match other archs and virt tools */
-+        idmap->output_reference = cpu_to_le32(iort_node_offset);
+-static Property arm_cpu_has_pmu_property =
 -            DEFINE_PROP_BOOL("pmu", ARMCPU, has_pmu, true);
 -
  static Property arm_cpu_has_vfp_property =
              DEFINE_PROP_BOOL("vfp", ARMCPU, has_vfp, true);
@@ -XXX,XX +XXX,XX @@ static Property arm_cpu_pmsav7_dregion_property =
                                             pmsav7_dregion,
                                             qdev_prop_uint32, uint32_t);
 +static bool arm_get_pmu(Object *obj, Error **errp)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    return cpu->has_pmu;
 +}
 +
 +static void arm_set_pmu(Object *obj, bool value, Error **errp)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    if (value) {
 +        if (kvm_enabled() && !kvm_arm_pmu_supported(CPU(cpu))) {
 +            error_setg(errp, "'pmu' feature not supported by KVM on this host");
 +            return;
 +        }
 +        set_feature(&cpu->env, ARM_FEATURE_PMU);
 +    } else {
 +        unset_feature(&cpu->env, ARM_FEATURE_PMU);
 +    }
 +    cpu->has_pmu = value;
 +}
 +
  static void arm_get_init_svtor(Object *obj, Visitor *v, const char *name,
                                 void *opaque, Error **errp)
  {
@@ -XXX,XX +XXX,XX @@ void arm_cpu_post_init(Object *obj)
      }
-     /* Root Complex Node */
+     if (arm_feature(&cpu->env, ARM_FEATURE_PMU)) {
-@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
+-        qdev_property_add_static(DEVICE(obj), &arm_cpu_has_pmu_property,
-         idmap->output_reference = cpu_to_le32(smmu_offset);
++        cpu->has_pmu = true;
-     } else {
++        object_property_add_bool(obj, "pmu", arm_get_pmu, arm_set_pmu,
-         /* output IORT node is the ITS group node (the first node) */
+                                  &error_abort);
 -        idmap->output_reference = cpu_to_le32(iort->node_offset);
 +        idmap->output_reference = cpu_to_le32(iort_node_offset);
      }
-+    /*
+diff --git a/target/arm/kvm.c b/target/arm/kvm.c
-+     * Update the pointer address in case table_data->data moves during above
+index XXXXXXX..XXXXXXX 100644
-+     * acpi_data_push operations.
+--- a/target/arm/kvm.c
-+     */
++++ b/target/arm/kvm.c
-+    iort = (AcpiIortTable *)(table_data->data + iort_start);
+@@ -XXX,XX +XXX,XX @@ void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu)
-     iort->length = cpu_to_le32(iort_length);
+     env->features = arm_host_cpu_features.features;
+ }
-     build_header(linker, table_data, (void *)(table_data->data + iort_start),
 +bool kvm_arm_pmu_supported(CPUState *cpu)
 +{
 +    KVMState *s = KVM_STATE(current_machine->accelerator);
 +
 +    return kvm_check_extension(s, KVM_CAP_ARM_PMU_V3);
 +}
 +
  int kvm_arm_get_max_vm_ipa_size(MachineState *ms)
  {
      KVMState *s = KVM_STATE(ms->accelerator);
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 09/25] Correct CPACR reset value for v7 cores
+[Qemu-devel] [PULL 19/29] target/arm/helper: zcr: Add build bug next to value range assumption
-In commit f0aff255700 we made cpacr_write() enforce that some CPACR
+From: Andrew Jones <drjones@redhat.com>
 bits are RAZ/WI and some are RAO/WI for ARMv7 cores. Unfortunately
 we forgot to also update the register's reset value. The effect
 was that (a) a guest that read CPACR on reset would not see ones in
 the RAO bits, and (b) if you did a migration before the guest did
 a write to the CPACR then the migration would fail because the
 destination would enforce the RAO bits and then complain that they
 didn't match the zero value from the source.
-Implement reset for the CPACR using a custom reset function
+The current implementation of ZCR_ELx matches the architecture, only
-that just calls cpacr_write(), to avoid having to duplicate
+implementing the lower four bits, with the rest RAZ/WI. This puts
-the logic for which bits are RAO.
+a strict limit on ARM_MAX_VQ of 16. Make sure we don't let ARM_MAX_VQ
 grow without a corresponding update here.
-This bug would affect migration for TCG CPUs which are ARMv7
+Suggested-by: Dave Martin <Dave.Martin@arm.com>
-with VFP but without one of Neon or VFPv3.
+Signed-off-by: Andrew Jones <drjones@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reported-by: Cédric Le Goater <clg@kaod.org>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Tested-by: Cédric Le Goater <clg@kaod.org>
-Message-id: 20180522173713.26282-1-peter.maydell@linaro.org
 ---
- target/arm/helper.c | 10 +++++++++-
+ target/arm/helper.c | 1 +
-file changed, 9 insertions(+), 1 deletion(-)
+file changed, 1 insertion(+)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void cpacr_write(CPUARMState *env, const ARMCPRegInfo *ri,
+@@ -XXX,XX +XXX,XX @@ static void zcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
-     env->cp15.cpacr_el1 = value;
+     int new_len;
- }
+     /* Bits other than [3:0] are RAZ/WI.  */
-+static void cpacr_reset(CPUARMState *env, const ARMCPRegInfo *ri)
++    QEMU_BUILD_BUG_ON(ARM_MAX_VQ > 16);
-+{
+     raw_write(env, ri, value & 0xf);
-+    /* Call cpacr_write() so that we reset with the correct RAO bits set
-+     * for our CPU features.
+     /*
 +     */
 +    cpacr_write(env, ri, 0);
 +}
 +
  static CPAccessResult cpacr_access(CPUARMState *env, const ARMCPRegInfo *ri,
                                     bool isread)
  {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v6_cp_reginfo[] = {
      { .name = "CPACR", .state = ARM_CP_STATE_BOTH, .opc0 = 3,
        .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 2, .accessfn = cpacr_access,
        .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.cpacr_el1),
 -      .resetvalue = 0, .writefn = cpacr_write },
 +      .resetfn = cpacr_reset, .writefn = cpacr_write },
      REGINFO_SENTINEL
  };
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 12/25] Make address_space_translate{, _cached}() take a MemTxAttrs argument
+[Qemu-devel] [PULL 20/29] target/arm/cpu: Use div-round-up to determine predicate register array size
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+From: Andrew Jones <drjones@redhat.com>
 add MemTxAttrs as an argument to address_space_translate()
 and address_space_translate_cached(). Callers either have an
 attrs value to hand, or don't care and can use MEMTXATTRS_UNSPECIFIED.
+Unless we're guaranteed to always increase ARM_MAX_VQ by a multiple of
+four, then we should use DIV_ROUND_UP to ensure we get an appropriate
+array size.
+Signed-off-by: Andrew Jones <drjones@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521140402.23318-4-peter.maydell@linaro.org
 ---
- include/exec/memory.h     |  4 +++-
+ target/arm/cpu.h | 2 +-
- accel/tcg/translate-all.c |  2 +-
+file changed, 1 insertion(+), 1 deletion(-)
  exec.c                    | 14 +++++++++-----
  hw/vfio/common.c          |  3 ++-
  memory_ldst.inc.c         | 18 +++++++++---------
  target/riscv/helper.c     |  2 +-
 files changed, 25 insertions(+), 18 deletions(-)
-diff --git a/include/exec/memory.h b/include/exec/memory.h
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/memory.h
+--- a/target/arm/cpu.h
-+++ b/include/exec/memory.h
++++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
+@@ -XXX,XX +XXX,XX @@ typedef struct ARMVectorReg {
-  * #MemoryRegion.
+ #ifdef TARGET_AARCH64
-  * @len: pointer to length
+ /* In AArch32 mode, predicate registers do not exist at all.  */
-  * @is_write: indicates the transfer direction
+ typedef struct ARMPredicateReg {
-+ * @attrs: memory attributes
+-    uint64_t p[2 * ARM_MAX_VQ / 8] QEMU_ALIGNED(16);
-  */
++    uint64_t p[DIV_ROUND_UP(2 * ARM_MAX_VQ, 8)] QEMU_ALIGNED(16);
- MemoryRegion *flatview_translate(FlatView *fv,
+ } ARMPredicateReg;
-                                  hwaddr addr, hwaddr *xlat,
-@@ -XXX,XX +XXX,XX @@ MemoryRegion *flatview_translate(FlatView *fv,
+ /* In AArch32 mode, PAC keys do not exist at all.  */
  static inline MemoryRegion *address_space_translate(AddressSpace *as,
                                                      hwaddr addr, hwaddr *xlat,
 -                                                    hwaddr *len, bool is_write)
 +                                                    hwaddr *len, bool is_write,
 +                                                    MemTxAttrs attrs)
  {
      return flatview_translate(address_space_to_flatview(as),
                                addr, xlat, len, is_write);
 diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/translate-all.c
 +++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs)
      hwaddr l = 1;
      rcu_read_lock();
 -    mr = address_space_translate(as, addr, &addr, &l, false);
 +    mr = address_space_translate(as, addr, &addr, &l, false, attrs);
      if (!(memory_region_is_ram(mr)
            || memory_region_is_romd(mr))) {
          rcu_read_unlock();
 diff --git a/exec.c b/exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/exec.c
 +++ b/exec.c
@@ -XXX,XX +XXX,XX @@ static inline void cpu_physical_memory_write_rom_internal(AddressSpace *as,
      rcu_read_lock();
      while (len > 0) {
          l = len;
 -        mr = address_space_translate(as, addr, &addr1, &l, true);
 +        mr = address_space_translate(as, addr, &addr1, &l, true,
 +                                     MEMTXATTRS_UNSPECIFIED);
          if (!(memory_region_is_ram(mr) ||
                memory_region_is_romd(mr))) {
@@ -XXX,XX +XXX,XX @@ void address_space_cache_destroy(MemoryRegionCache *cache)
   */
  static inline MemoryRegion *address_space_translate_cached(
      MemoryRegionCache *cache, hwaddr addr, hwaddr *xlat,
 -    hwaddr *plen, bool is_write)
 +    hwaddr *plen, bool is_write, MemTxAttrs attrs)
  {
      MemoryRegionSection section;
      MemoryRegion *mr;
@@ -XXX,XX +XXX,XX @@ address_space_read_cached_slow(MemoryRegionCache *cache, hwaddr addr,
      MemoryRegion *mr;
      l = len;
 -    mr = address_space_translate_cached(cache, addr, &addr1, &l, false);
 +    mr = address_space_translate_cached(cache, addr, &addr1, &l, false,
 +                                        MEMTXATTRS_UNSPECIFIED);
      flatview_read_continue(cache->fv,
                             addr, MEMTXATTRS_UNSPECIFIED, buf, len,
                             addr1, l, mr);
@@ -XXX,XX +XXX,XX @@ address_space_write_cached_slow(MemoryRegionCache *cache, hwaddr addr,
      MemoryRegion *mr;
      l = len;
 -    mr = address_space_translate_cached(cache, addr, &addr1, &l, true);
 +    mr = address_space_translate_cached(cache, addr, &addr1, &l, true,
 +                                        MEMTXATTRS_UNSPECIFIED);
      flatview_write_continue(cache->fv,
                              addr, MEMTXATTRS_UNSPECIFIED, buf, len,
                              addr1, l, mr);
@@ -XXX,XX +XXX,XX @@ bool cpu_physical_memory_is_io(hwaddr phys_addr)
      rcu_read_lock();
      mr = address_space_translate(&address_space_memory,
 -                                 phys_addr, &phys_addr, &l, false);
 +                                 phys_addr, &phys_addr, &l, false,
 +                                 MEMTXATTRS_UNSPECIFIED);
      res = !(memory_region_is_ram(mr) || memory_region_is_romd(mr));
      rcu_read_unlock();
 diff --git a/hw/vfio/common.c b/hw/vfio/common.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/vfio/common.c
 +++ b/hw/vfio/common.c
@@ -XXX,XX +XXX,XX @@ static bool vfio_get_vaddr(IOMMUTLBEntry *iotlb, void **vaddr,
       */
      mr = address_space_translate(&address_space_memory,
                                   iotlb->translated_addr,
 -                                 &xlat, &len, writable);
 +                                 &xlat, &len, writable,
 +                                 MEMTXATTRS_UNSPECIFIED);
      if (!memory_region_is_ram(mr)) {
          error_report("iommu map to non memory area %"HWADDR_PRIx"",
                       xlat);
 diff --git a/memory_ldst.inc.c b/memory_ldst.inc.c
 index XXXXXXX..XXXXXXX 100644
 --- a/memory_ldst.inc.c
 +++ b/memory_ldst.inc.c
@@ -XXX,XX +XXX,XX @@ static inline uint32_t glue(address_space_ldl_internal, SUFFIX)(ARG1_DECL,
      bool release_lock = false;
      RCU_READ_LOCK();
 -    mr = TRANSLATE(addr, &addr1, &l, false);
 +    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
      if (l < 4 || !IS_DIRECT(mr, false)) {
          release_lock |= prepare_mmio_access(mr);
@@ -XXX,XX +XXX,XX @@ static inline uint64_t glue(address_space_ldq_internal, SUFFIX)(ARG1_DECL,
      bool release_lock = false;
      RCU_READ_LOCK();
 -    mr = TRANSLATE(addr, &addr1, &l, false);
 +    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
      if (l < 8 || !IS_DIRECT(mr, false)) {
          release_lock |= prepare_mmio_access(mr);
@@ -XXX,XX +XXX,XX @@ uint32_t glue(address_space_ldub, SUFFIX)(ARG1_DECL,
      bool release_lock = false;
      RCU_READ_LOCK();
 -    mr = TRANSLATE(addr, &addr1, &l, false);
 +    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
      if (!IS_DIRECT(mr, false)) {
          release_lock |= prepare_mmio_access(mr);
@@ -XXX,XX +XXX,XX @@ static inline uint32_t glue(address_space_lduw_internal, SUFFIX)(ARG1_DECL,
      bool release_lock = false;
      RCU_READ_LOCK();
 -    mr = TRANSLATE(addr, &addr1, &l, false);
 +    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
      if (l < 2 || !IS_DIRECT(mr, false)) {
          release_lock |= prepare_mmio_access(mr);
@@ -XXX,XX +XXX,XX @@ void glue(address_space_stl_notdirty, SUFFIX)(ARG1_DECL,
      bool release_lock = false;
      RCU_READ_LOCK();
 -    mr = TRANSLATE(addr, &addr1, &l, true);
 +    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
      if (l < 4 || !IS_DIRECT(mr, true)) {
          release_lock |= prepare_mmio_access(mr);
@@ -XXX,XX +XXX,XX @@ static inline void glue(address_space_stl_internal, SUFFIX)(ARG1_DECL,
      bool release_lock = false;
      RCU_READ_LOCK();
 -    mr = TRANSLATE(addr, &addr1, &l, true);
 +    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
      if (l < 4 || !IS_DIRECT(mr, true)) {
          release_lock |= prepare_mmio_access(mr);
@@ -XXX,XX +XXX,XX @@ void glue(address_space_stb, SUFFIX)(ARG1_DECL,
      bool release_lock = false;
      RCU_READ_LOCK();
 -    mr = TRANSLATE(addr, &addr1, &l, true);
 +    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
      if (!IS_DIRECT(mr, true)) {
          release_lock |= prepare_mmio_access(mr);
          r = memory_region_dispatch_write(mr, addr1, val, 1, attrs);
@@ -XXX,XX +XXX,XX @@ static inline void glue(address_space_stw_internal, SUFFIX)(ARG1_DECL,
      bool release_lock = false;
      RCU_READ_LOCK();
 -    mr = TRANSLATE(addr, &addr1, &l, true);
 +    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
      if (l < 2 || !IS_DIRECT(mr, true)) {
          release_lock |= prepare_mmio_access(mr);
@@ -XXX,XX +XXX,XX @@ static void glue(address_space_stq_internal, SUFFIX)(ARG1_DECL,
      bool release_lock = false;
      RCU_READ_LOCK();
 -    mr = TRANSLATE(addr, &addr1, &l, true);
 +    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
      if (l < 8 || !IS_DIRECT(mr, true)) {
          release_lock |= prepare_mmio_access(mr);
 diff --git a/target/riscv/helper.c b/target/riscv/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/helper.c
 +++ b/target/riscv/helper.c
@@ -XXX,XX +XXX,XX @@ restart:
                  MemoryRegion *mr;
                  hwaddr l = sizeof(target_ulong), addr1;
                  mr = address_space_translate(cs->as, pte_addr,
 -                    &addr1, &l, false);
 +                    &addr1, &l, false, MEMTXATTRS_UNSPECIFIED);
                  if (memory_access_is_direct(mr, true)) {
                      target_ulong *pte_pa =
                          qemu_map_ram_ptr(mr->ram_block, addr1);
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 19/25] Make flatview_translate() take a MemTxAttrs argument
+[Qemu-devel] [PULL 21/29] target/arm/kvm64: Fix error returns
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+From: Andrew Jones <drjones@redhat.com>
 add MemTxAttrs as an argument to flatview_translate(); all its
 callers now have attrs available.
+A couple return -EINVAL's forgot their '-'s.
+Signed-off-by: Andrew Jones <drjones@redhat.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521140402.23318-11-peter.maydell@linaro.org
 ---
- include/exec/memory.h |  7 ++++---
+ target/arm/kvm64.c | 4 ++--
- exec.c                | 17 +++++++++--------
+file changed, 2 insertions(+), 2 deletions(-)
 files changed, 13 insertions(+), 11 deletions(-)
-diff --git a/include/exec/memory.h b/include/exec/memory.h
+diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/memory.h
+--- a/target/arm/kvm64.c
-+++ b/include/exec/memory.h
++++ b/target/arm/kvm64.c
-@@ -XXX,XX +XXX,XX @@ IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
+@@ -XXX,XX +XXX,XX @@ int kvm_arch_put_registers(CPUState *cs, int level)
-  */
+     write_cpustate_to_list(cpu, true);
- MemoryRegion *flatview_translate(FlatView *fv,
-                                  hwaddr addr, hwaddr *xlat,
+     if (!write_list_to_kvmstate(cpu, level)) {
--                                 hwaddr *len, bool is_write);
+-        return EINVAL;
-+                                 hwaddr *len, bool is_write,
++        return -EINVAL;
 +                                 MemTxAttrs attrs);
  static inline MemoryRegion *address_space_translate(AddressSpace *as,
                                                      hwaddr addr, hwaddr *xlat,
@@ -XXX,XX +XXX,XX @@ static inline MemoryRegion *address_space_translate(AddressSpace *as,
                                                      MemTxAttrs attrs)
  {
      return flatview_translate(address_space_to_flatview(as),
 -                              addr, xlat, len, is_write);
 +                              addr, xlat, len, is_write, attrs);
  }
  /* address_space_access_valid: check for validity of accessing an address
@@ -XXX,XX +XXX,XX @@ MemTxResult address_space_read(AddressSpace *as, hwaddr addr,
              rcu_read_lock();
              fv = address_space_to_flatview(as);
              l = len;
 -            mr = flatview_translate(fv, addr, &addr1, &l, false);
 +            mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);
              if (len == l && memory_access_is_direct(mr, false)) {
                  ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
                  memcpy(buf, ptr, len);
 diff --git a/exec.c b/exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/exec.c
 +++ b/exec.c
@@ -XXX,XX +XXX,XX @@ iotlb_fail:
  /* Called from RCU critical section */
  MemoryRegion *flatview_translate(FlatView *fv, hwaddr addr, hwaddr *xlat,
 -                                 hwaddr *plen, bool is_write)
 +                                 hwaddr *plen, bool is_write,
 +                                 MemTxAttrs attrs)
  {
      MemoryRegion *mr;
      MemoryRegionSection section;
@@ -XXX,XX +XXX,XX @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
          }
          l = len;
 -        mr = flatview_translate(fv, addr, &addr1, &l, true);
 +        mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
      }
-     return result;
+     kvm_arm_sync_mpstate_to_kvm(cpu);
-@@ -XXX,XX +XXX,XX @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
+@@ -XXX,XX +XXX,XX @@ int kvm_arch_get_registers(CPUState *cs)
      MemTxResult result = MEMTX_OK;
      l = len;
 -    mr = flatview_translate(fv, addr, &addr1, &l, true);
 +    mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
      result = flatview_write_continue(fv, addr, attrs, buf, len,
                                       addr1, l, mr);
@@ -XXX,XX +XXX,XX @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
          }
          l = len;
 -        mr = flatview_translate(fv, addr, &addr1, &l, false);
 +        mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);
      }
-     return result;
+     if (!write_kvmstate_to_list(cpu)) {
-@@ -XXX,XX +XXX,XX @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
+-        return EINVAL;
-     MemoryRegion *mr;
++        return -EINVAL;
+     }
-     l = len;
+     /* Note that it's OK to have registers which aren't in CPUState,
--    mr = flatview_translate(fv, addr, &addr1, &l, false);
+      * so we can ignore a failure return here.
 +    mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);
      return flatview_read_continue(fv, addr, attrs, buf, len,
                                    addr1, l, mr);
  }
@@ -XXX,XX +XXX,XX @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
      while (len > 0) {
          l = len;
 -        mr = flatview_translate(fv, addr, &xlat, &l, is_write);
 +        mr = flatview_translate(fv, addr, &xlat, &l, is_write, attrs);
          if (!memory_access_is_direct(mr, is_write)) {
              l = memory_access_size(mr, l, addr);
              if (!memory_region_access_valid(mr, xlat, l, is_write, attrs)) {
@@ -XXX,XX +XXX,XX @@ flatview_extend_translation(FlatView *fv, hwaddr addr,
          len = target_len;
          this_mr = flatview_translate(fv, addr, &xlat,
 -                                                   &len, is_write);
 +                                     &len, is_write, attrs);
          if (this_mr != mr || xlat != base + done) {
              return done;
          }
@@ -XXX,XX +XXX,XX @@ void *address_space_map(AddressSpace *as,
      l = len;
      rcu_read_lock();
      fv = address_space_to_flatview(as);
 -    mr = flatview_translate(fv, addr, &xlat, &l, is_write);
 +    mr = flatview_translate(fv, addr, &xlat, &l, is_write, attrs);
      if (!memory_access_is_direct(mr, is_write)) {
          if (atomic_xchg(&bounce.in_use, true)) {
 --
-.17.1
+.20.1

-New patch
+[Qemu-devel] [PULL 22/29] target/arm/kvm64: Move the get/put of fpsimd registers out
+From: Andrew Jones <drjones@redhat.com>
 Move the getting/putting of the fpsimd registers out of
 kvm_arch_get/put_registers() into their own helper functions
 to prepare for alternatively getting/putting SVE registers.
 No functional change.
 Signed-off-by: Andrew Jones <drjones@redhat.com>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  target/arm/kvm64.c | 148 +++++++++++++++++++++++++++------------------
 file changed, 88 insertions(+), 60 deletions(-)
 diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm64.c
 +++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ int kvm_arm_cpreg_level(uint64_t regidx)
  #define AARCH64_SIMD_CTRL_REG(x)   (KVM_REG_ARM64 | KVM_REG_SIZE_U32 | \
                   KVM_REG_ARM_CORE | KVM_REG_ARM_CORE_REG(x))
 +static int kvm_arch_put_fpsimd(CPUState *cs)
 +{
 +    ARMCPU *cpu = ARM_CPU(cs);
 +    CPUARMState *env = &cpu->env;
 +    struct kvm_one_reg reg;
 +    uint32_t fpr;
 +    int i, ret;
 +
 +    for (i = 0; i < 32; i++) {
 +        uint64_t *q = aa64_vfp_qreg(env, i);
 +#ifdef HOST_WORDS_BIGENDIAN
 +        uint64_t fp_val[2] = { q[1], q[0] };
 +        reg.addr = (uintptr_t)fp_val;
 +#else
 +        reg.addr = (uintptr_t)q;
 +#endif
 +        reg.id = AARCH64_SIMD_CORE_REG(fp_regs.vregs[i]);
 +        ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
 +        if (ret) {
 +            return ret;
 +        }
 +    }
 +
 +    reg.addr = (uintptr_t)(&fpr);
 +    fpr = vfp_get_fpsr(env);
 +    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
 +    ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
 +    if (ret) {
 +        return ret;
 +    }
 +
 +    reg.addr = (uintptr_t)(&fpr);
 +    fpr = vfp_get_fpcr(env);
 +    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
 +    ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
 +    if (ret) {
 +        return ret;
 +    }
 +
 +    return 0;
 +}
 +
  int kvm_arch_put_registers(CPUState *cs, int level)
  {
      struct kvm_one_reg reg;
 -    uint32_t fpr;
      uint64_t val;
 -    int i;
 -    int ret;
 +    int i, ret;
      unsigned int el;
      ARMCPU *cpu = ARM_CPU(cs);
@@ -XXX,XX +XXX,XX @@ int kvm_arch_put_registers(CPUState *cs, int level)
          }
      }
 -    /* Advanced SIMD and FP registers. */
 -    for (i = 0; i < 32; i++) {
 -        uint64_t *q = aa64_vfp_qreg(env, i);
 -#ifdef HOST_WORDS_BIGENDIAN
 -        uint64_t fp_val[2] = { q[1], q[0] };
 -        reg.addr = (uintptr_t)fp_val;
 -#else
 -        reg.addr = (uintptr_t)q;
 -#endif
 -        reg.id = AARCH64_SIMD_CORE_REG(fp_regs.vregs[i]);
 -        ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
 -        if (ret) {
 -            return ret;
 -        }
 -    }
 -
 -    reg.addr = (uintptr_t)(&fpr);
 -    fpr = vfp_get_fpsr(env);
 -    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
 -    ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
 -    if (ret) {
 -        return ret;
 -    }
 -
 -    fpr = vfp_get_fpcr(env);
 -    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
 -    ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
 +    ret = kvm_arch_put_fpsimd(cs);
      if (ret) {
          return ret;
      }
@@ -XXX,XX +XXX,XX @@ int kvm_arch_put_registers(CPUState *cs, int level)
      return ret;
  }
 +static int kvm_arch_get_fpsimd(CPUState *cs)
 +{
 +    ARMCPU *cpu = ARM_CPU(cs);
 +    CPUARMState *env = &cpu->env;
 +    struct kvm_one_reg reg;
 +    uint32_t fpr;
 +    int i, ret;
 +
 +    for (i = 0; i < 32; i++) {
 +        uint64_t *q = aa64_vfp_qreg(env, i);
 +        reg.id = AARCH64_SIMD_CORE_REG(fp_regs.vregs[i]);
 +        reg.addr = (uintptr_t)q;
 +        ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
 +        if (ret) {
 +            return ret;
 +        } else {
 +#ifdef HOST_WORDS_BIGENDIAN
 +            uint64_t t;
 +            t = q[0], q[0] = q[1], q[1] = t;
 +#endif
 +        }
 +    }
 +
 +    reg.addr = (uintptr_t)(&fpr);
 +    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
 +    ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
 +    if (ret) {
 +        return ret;
 +    }
 +    vfp_set_fpsr(env, fpr);
 +
 +    reg.addr = (uintptr_t)(&fpr);
 +    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
 +    ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
 +    if (ret) {
 +        return ret;
 +    }
 +    vfp_set_fpcr(env, fpr);
 +
 +    return 0;
 +}
 +
  int kvm_arch_get_registers(CPUState *cs)
  {
      struct kvm_one_reg reg;
      uint64_t val;
 -    uint32_t fpr;
      unsigned int el;
 -    int i;
 -    int ret;
 +    int i, ret;
      ARMCPU *cpu = ARM_CPU(cs);
      CPUARMState *env = &cpu->env;
@@ -XXX,XX +XXX,XX @@ int kvm_arch_get_registers(CPUState *cs)
          env->spsr = env->banked_spsr[i];
      }
 -    /* Advanced SIMD and FP registers */
 -    for (i = 0; i < 32; i++) {
 -        uint64_t *q = aa64_vfp_qreg(env, i);
 -        reg.id = AARCH64_SIMD_CORE_REG(fp_regs.vregs[i]);
 -        reg.addr = (uintptr_t)q;
 -        ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
 -        if (ret) {
 -            return ret;
 -        } else {
 -#ifdef HOST_WORDS_BIGENDIAN
 -            uint64_t t;
 -            t = q[0], q[0] = q[1], q[1] = t;
 -#endif
 -        }
 -    }
 -
 -    reg.addr = (uintptr_t)(&fpr);
 -    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
 -    ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
 +    ret = kvm_arch_get_fpsimd(cs);
      if (ret) {
          return ret;
      }
 -    vfp_set_fpsr(env, fpr);
 -
 -    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
 -    ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
 -    if (ret) {
 -        return ret;
 -    }
 -    vfp_set_fpcr(env, fpr);
      ret = kvm_get_vcpu_events(cpu);
      if (ret) {
 --
 .20.1

-[Qemu-devel] [PULL 08/25] xlnx-zdma: Correct mem leaks and memset to zero on desc unaligned errors
+[Qemu-devel] [PULL 23/29] target/arm: Use tcg_gen_extract_i32 for shifter_out_im
-From: Francisco Iglesias <frasse.iglesias@gmail.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Coverity found that the string return by 'object_get_canonical_path' was not
+Extract is a compact combination of shift + and.
 being freed at two locations in the model (CID 1391294 and CID 1391293) and
 also that a memset was being called with a value greater than the max of a byte
 on the second argument (CID 1391286). This patch corrects this by adding the
 freeing of the strings and also changing to memset to zero instead on
 descriptor unaligned errors.
-Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Message-id: 20190808202616.13782-2-richard.henderson@linaro.org
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Message-id: 20180528184859.3530-1-frasse.iglesias@gmail.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/dma/xlnx-zdma.c | 10 +++++++---
+ target/arm/translate.c | 9 +--------
-file changed, 7 insertions(+), 3 deletions(-)
+file changed, 1 insertion(+), 8 deletions(-)
-diff --git a/hw/dma/xlnx-zdma.c b/hw/dma/xlnx-zdma.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/dma/xlnx-zdma.c
+--- a/target/arm/translate.c
-+++ b/hw/dma/xlnx-zdma.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static bool zdma_load_descriptor(XlnxZDMA *s, uint64_t addr, void *buf)
+@@ -XXX,XX +XXX,XX @@ static void gen_sar(TCGv_i32 dest, TCGv_i32 t0, TCGv_i32 t1)
-         qemu_log_mask(LOG_GUEST_ERROR,
-                       "zdma: unaligned descriptor at %" PRIx64,
+ static void shifter_out_im(TCGv_i32 var, int shift)
-                       addr);
+ {
--        memset(buf, 0xdeadbeef, sizeof(XlnxZDMADescr));
+-    if (shift == 0) {
-+        memset(buf, 0x0, sizeof(XlnxZDMADescr));
+-        tcg_gen_andi_i32(cpu_CF, var, 1);
-         s->error = true;
+-    } else {
-         return false;
+-        tcg_gen_shri_i32(cpu_CF, var, shift);
-     }
+-        if (shift != 31) {
-@@ -XXX,XX +XXX,XX @@ static uint64_t zdma_read(void *opaque, hwaddr addr, unsigned size)
+-            tcg_gen_andi_i32(cpu_CF, cpu_CF, 1);
-     RegisterInfo *r = &s->regs_info[addr / 4];
+-        }
+-    }
-     if (!r->data) {
++    tcg_gen_extract_i32(cpu_CF, var, shift, 1);
-+        gchar *path = object_get_canonical_path(OBJECT(s));
+ }
-         qemu_log("%s: Decode error: read from %" HWADDR_PRIx "\n",
--                 object_get_canonical_path(OBJECT(s)),
+ /* Shift by immediate.  Includes special handling for shift == 0.  */
 +                 path,
                   addr);
 +        g_free(path);
          ARRAY_FIELD_DP32(s->regs, ZDMA_CH_ISR, INV_APB, true);
          zdma_ch_imr_update_irq(s);
          return 0;
@@ -XXX,XX +XXX,XX @@ static void zdma_write(void *opaque, hwaddr addr, uint64_t value,
      RegisterInfo *r = &s->regs_info[addr / 4];
      if (!r->data) {
 +        gchar *path = object_get_canonical_path(OBJECT(s));
          qemu_log("%s: Decode error: write to %" HWADDR_PRIx "=%" PRIx64 "\n",
 -                 object_get_canonical_path(OBJECT(s)),
 +                 path,
                   addr, value);
 +        g_free(path);
          ARRAY_FIELD_DP32(s->regs, ZDMA_CH_ISR, INV_APB, true);
          zdma_ch_imr_update_irq(s);
          return;
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 07/25] arm: fix malloc type mismatch
+[Qemu-devel] [PULL 24/29] target/arm: Use tcg_gen_deposit_i32 for PKHBT, PKHTB
-From: Paolo Bonzini <pbonzini@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-cpregs_keys is an uint32_t* so the allocation should use uint32_t.
+Use deposit as the composit operation to merge the
-g_new is even better because it is type-safe.
+bits from the two inputs.
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20190808202616.13782-3-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/gdbstub.c | 3 +--
+ target/arm/translate.c | 26 ++++++++++----------------
-file changed, 1 insertion(+), 2 deletions(-)
+file changed, 10 insertions(+), 16 deletions(-)
-diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/gdbstub.c
+--- a/target/arm/translate.c
-+++ b/target/arm/gdbstub.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ int arm_gen_dynamic_xml(CPUState *cs)
+@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
-     RegisterSysregXmlParam param = {cs, s};
+                         shift = (insn >> 7) & 0x1f;
+                         if (insn & (1 << 6)) {
-     cpu->dyn_xml.num_cpregs = 0;
+                             /* pkhtb */
--    cpu->dyn_xml.cpregs_keys = g_malloc(sizeof(uint32_t *) *
+-                            if (shift == 0)
--                                        g_hash_table_size(cpu->cp_regs));
++                            if (shift == 0) {
-+    cpu->dyn_xml.cpregs_keys = g_new(uint32_t, g_hash_table_size(cpu->cp_regs));
+                                 shift = 31;
-     g_string_printf(s, "<?xml version=\"1.0\"?>");
++                            }
-     g_string_append_printf(s, "<!DOCTYPE target SYSTEM \"gdb-target.dtd\">");
+                             tcg_gen_sari_i32(tmp2, tmp2, shift);
-     g_string_append_printf(s, "<feature name=\"org.qemu.gdb.arm.sys.regs\">");
+-                            tcg_gen_andi_i32(tmp, tmp, 0xffff0000);
 -                            tcg_gen_ext16u_i32(tmp2, tmp2);
 +                            tcg_gen_deposit_i32(tmp, tmp, tmp2, 0, 16);
                          } else {
                              /* pkhbt */
 -                            if (shift)
 -                                tcg_gen_shli_i32(tmp2, tmp2, shift);
 -                            tcg_gen_ext16u_i32(tmp, tmp);
 -                            tcg_gen_andi_i32(tmp2, tmp2, 0xffff0000);
 +                            tcg_gen_shli_i32(tmp2, tmp2, shift);
 +                            tcg_gen_deposit_i32(tmp, tmp2, tmp, 0, 16);
                          }
 -                        tcg_gen_or_i32(tmp, tmp, tmp2);
                          tcg_temp_free_i32(tmp2);
                          store_reg(s, rd, tmp);
                      } else if ((insn & 0x00200020) == 0x00200000) {
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
              shift = ((insn >> 10) & 0x1c) | ((insn >> 6) & 0x3);
              if (insn & (1 << 5)) {
                  /* pkhtb */
 -                if (shift == 0)
 +                if (shift == 0) {
                      shift = 31;
 +                }
                  tcg_gen_sari_i32(tmp2, tmp2, shift);
 -                tcg_gen_andi_i32(tmp, tmp, 0xffff0000);
 -                tcg_gen_ext16u_i32(tmp2, tmp2);
 +                tcg_gen_deposit_i32(tmp, tmp, tmp2, 0, 16);
              } else {
                  /* pkhbt */
 -                if (shift)
 -                    tcg_gen_shli_i32(tmp2, tmp2, shift);
 -                tcg_gen_ext16u_i32(tmp, tmp);
 -                tcg_gen_andi_i32(tmp2, tmp2, 0xffff0000);
 +                tcg_gen_shli_i32(tmp2, tmp2, shift);
 +                tcg_gen_deposit_i32(tmp, tmp2, tmp, 0, 16);
              }
 -            tcg_gen_or_i32(tmp, tmp, tmp2);
              tcg_temp_free_i32(tmp2);
              store_reg(s, rd, tmp);
          } else {
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 04/25] arm_gicv3_kvm: increase clroffset accordingly
+[Qemu-devel] [PULL 25/29] target/arm: Remove redundant shift tests
-From: Shannon Zhao <zhaoshenglong@huawei.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-It forgot to increase clroffset during the loop. So it only clear the
+The immediate shift generator functions already test for,
-first 4 bytes.
+and eliminate, the case of a shift by zero.
-Fixes: 367b9f527becdd20ddf116e17a3c0c2bbc486920
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Cc: qemu-stable@nongnu.org
+Message-id: 20190808202616.13782-4-richard.henderson@linaro.org
 Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Message-id: 1527047633-12368-1-git-send-email-zhaoshenglong@huawei.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/intc/arm_gicv3_kvm.c | 1 +
+ target/arm/translate.c | 19 +++++++------------
-file changed, 1 insertion(+)
+file changed, 7 insertions(+), 12 deletions(-)
-diff --git a/hw/intc/arm_gicv3_kvm.c b/hw/intc/arm_gicv3_kvm.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gicv3_kvm.c
+--- a/target/arm/translate.c
-+++ b/hw/intc/arm_gicv3_kvm.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static void kvm_dist_putbmp(GICv3State *s, uint32_t offset,
+@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
-         if (clroffset != 0) {
+                         shift = (insn >> 10) & 3;
-             reg = 0;
+                         /* ??? In many cases it's not necessary to do a
-             kvm_gicd_access(s, clroffset, &reg, true);
+                            rotate, a shift is sufficient.  */
-+            clroffset += 4;
+-                        if (shift != 0)
-         }
+-                            tcg_gen_rotri_i32(tmp, tmp, shift * 8);
-         reg = *gic_bmp_ptr32(bmp, irq);
++                        tcg_gen_rotri_i32(tmp, tmp, shift * 8);
-         kvm_gicd_access(s, offset, &reg, true);
+                         op1 = (insn >> 20) & 7;
                          switch (op1) {
                          case 0: gen_sxtb16(tmp);  break;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
              shift = (insn >> 4) & 3;
              /* ??? In many cases it's not necessary to do a
                 rotate, a shift is sufficient.  */
 -            if (shift != 0)
 -                tcg_gen_rotri_i32(tmp, tmp, shift * 8);
 +            tcg_gen_rotri_i32(tmp, tmp, shift * 8);
              op = (insn >> 20) & 7;
              switch (op) {
              case 0: gen_sxth(tmp);   break;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                      case 7:
                          goto illegal_op;
                      default: /* Saturate.  */
 -                        if (shift) {
 -                            if (op & 1)
 -                                tcg_gen_sari_i32(tmp, tmp, shift);
 -                            else
 -                                tcg_gen_shli_i32(tmp, tmp, shift);
 +                        if (op & 1) {
 +                            tcg_gen_sari_i32(tmp, tmp, shift);
 +                        } else {
 +                            tcg_gen_shli_i32(tmp, tmp, shift);
                          }
                          tmp2 = tcg_const_i32(imm);
                          if (op & 4) {
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                      goto illegal_op;
                  }
                  tmp = load_reg(s, rm);
 -                if (shift) {
 -                    tcg_gen_shli_i32(tmp, tmp, shift);
 -                }
 +                tcg_gen_shli_i32(tmp, tmp, shift);
                  tcg_gen_add_i32(addr, addr, tmp);
                  tcg_temp_free_i32(tmp);
                  break;
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 06/25] arm: fix qemu crash on startup with -bios option
+[Qemu-devel] [PULL 26/29] target/arm: Use ror32 instead of open-coding the operation
-From: Igor Mammedov <imammedo@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-When QEMU is started with following CLI
+The helper function is more documentary, and also already
- -machine virt,gic-version=3,accel=kvm -cpu host -bios AAVMF_CODE.fd
+handles the case of rotate by zero.
 it crashes with abort at
  accel/kvm/kvm-all.c:2164:
  KVM_SET_DEVICE_ATTR failed: Group 6 attr 0x000000000000c665: Invalid argument
-Which is caused by implicit dependency of kvm_arm_gicv3_reset() on
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-arm_gicv3_icc_reset() where the later is called by CPU reset
+Message-id: 20190808202616.13782-5-richard.henderson@linaro.org
 reset callback.
 However commit:
 b77f6c arm/boot: split load_dtb() from arm_load_kernel()
 broke CPU reset callback registration in case
   arm_load_kernel()
       ...
       if (!info->kernel_filename || info->firmware_loaded)
 branch is taken, i.e. it's sufficient to provide a firmware
 or do not provide kernel on CLI to skip cpu reset callback
 registration, where before offending commit the callback
 has been registered unconditionally.
 Fix it by registering the callback right at the beginning of
 arm_load_kernel() unconditionally instead of doing it at the end.
 NOTE:
  we probably should eliminate that dependency anyways as well as
  separate arch CPU reset parts from arm_load_kernel() into CPU
  itself, but that refactoring that I probably would have to do
  anyways later for CPU hotplug to work.
 Reported-by: Auger Eric <eric.auger@redhat.com>
 Signed-off-by: Igor Mammedov <imammedo@redhat.com>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Tested-by: Eric Auger <eric.auger@redhat.com>
 Message-id: 1527070950-208350-1-git-send-email-imammedo@redhat.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/boot.c | 18 +++++++++---------
+ target/arm/translate.c | 7 ++-----
-file changed, 9 insertions(+), 9 deletions(-)
+file changed, 2 insertions(+), 5 deletions(-)
-diff --git a/hw/arm/boot.c b/hw/arm/boot.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/boot.c
+--- a/target/arm/translate.c
-+++ b/hw/arm/boot.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
+@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
-     static const ARMInsnFixup *primary_loader;
+                 /* CPSR = immediate */
-     AddressSpace *as = arm_boot_address_space(cpu, info);
+                 val = insn & 0xff;
+                 shift = ((insn >> 8) & 0xf) * 2;
-+    /* CPU objects (unlike devices) are not automatically reset on system
+-                if (shift)
-+     * reset, so we must always register a handler to do so. If we're
+-                    val = (val >> shift) | (val << (32 - shift));
-+     * actually loading a kernel, the handler is also responsible for
++                val = ror32(val, shift);
-+     * arranging that we start it correctly.
+                 i = ((insn & (1 << 22)) != 0);
-+     */
+                 if (gen_set_psr_im(s, msr_mask(s, (insn >> 16) & 0xf, i),
-+    for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
+                                    i, val)) {
-+        qemu_register_reset(do_cpu_reset, ARM_CPU(cs));
+@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
-+    }
+             /* immediate operand */
-+
+             val = insn & 0xff;
-     /* The board code is not supposed to set secure_board_setup unless
+             shift = ((insn >> 8) & 0xf) * 2;
-      * running its code in secure mode is actually possible, and KVM
+-            if (shift) {
-      * doesn't support secure.
+-                val = (val >> shift) | (val << (32 - shift));
-@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
+-            }
-         ARM_CPU(cs)->env.boot_info = info;
++            val = ror32(val, shift);
-     }
+             tmp2 = tcg_temp_new_i32();
+             tcg_gen_movi_i32(tmp2, val);
--    /* CPU objects (unlike devices) are not automatically reset on system
+             if (logic_cc && shift) {
 -     * reset, so we must always register a handler to do so. If we're
 -     * actually loading a kernel, the handler is also responsible for
 -     * arranging that we start it correctly.
 -     */
 -    for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
 -        qemu_register_reset(do_cpu_reset, ARM_CPU(cs));
 -    }
 -
      if (!info->skip_dtb_autoload && have_dtb(info)) {
          if (arm_load_dtb(info->dtb_start, info, info->dtb_limit, as) < 0) {
              exit(1);
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 03/25] hw/intc/arm_gicv3: Fix APxR<n> register dispatching
+[Qemu-devel] [PULL 27/29] target/arm: Use tcg_gen_rotri_i32 for gen_swap_half
-From: Jan Kiszka <jan.kiszka@siemens.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-There was a nasty flip in identifying which register group an access is
+Rotate is the more compact and obvious way to swap 16-bit
-targeting. The issue caused spuriously raised priorities of the guest
+elements of a 32-bit word.
 when handing CPUs over in the Jailhouse hypervisor.
-Cc: qemu-stable@nongnu.org
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Message-id: 20190808202616.13782-6-richard.henderson@linaro.org
 Message-id: 28b927d3-da58-bce4-cc13-bfec7f9b1cb9@siemens.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/intc/arm_gicv3_cpuif.c | 12 ++++++------
+ target/arm/translate.c | 6 +-----
-file changed, 6 insertions(+), 6 deletions(-)
+file changed, 1 insertion(+), 5 deletions(-)
-diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gicv3_cpuif.c
+--- a/target/arm/translate.c
-+++ b/hw/intc/arm_gicv3_cpuif.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t icv_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
+@@ -XXX,XX +XXX,XX @@ static TCGv_i64 gen_muls_i64_i32(TCGv_i32 a, TCGv_i32 b)
  /* Swap low and high halfwords.  */
  static void gen_swap_half(TCGv_i32 var)
  {
-     GICv3CPUState *cs = icc_cs_from_env(env);
+-    TCGv_i32 tmp = tcg_temp_new_i32();
-     int regno = ri->opc2 & 3;
+-    tcg_gen_shri_i32(tmp, var, 16);
--    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
+-    tcg_gen_shli_i32(var, var, 16);
-+    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
+-    tcg_gen_or_i32(var, var, tmp);
-     uint64_t value = cs->ich_apr[grp][regno];
+-    tcg_temp_free_i32(tmp);
++    tcg_gen_rotri_i32(var, var, 16);
-     trace_gicv3_icv_ap_read(ri->crm & 1, regno, gicv3_redist_affid(cs), value);
+ }
-@@ -XXX,XX +XXX,XX @@ static void icv_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
- {
+ /* Dual 16-bit add.  Result placed in t0 and t1 is marked as dead.
      GICv3CPUState *cs = icc_cs_from_env(env);
      int regno = ri->opc2 & 3;
 -    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
 +    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
      trace_gicv3_icv_ap_write(ri->crm & 1, regno, gicv3_redist_affid(cs), value);
@@ -XXX,XX +XXX,XX @@ static uint64_t icc_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
      uint64_t value;
      int regno = ri->opc2 & 3;
 -    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1;
 +    int grp = (ri->crm & 1) ? GICV3_G1 : GICV3_G0;
      if (icv_access(env, grp == GICV3_G0 ? HCR_FMO : HCR_IMO)) {
          return icv_ap_read(env, ri);
@@ -XXX,XX +XXX,XX @@ static void icc_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
      GICv3CPUState *cs = icc_cs_from_env(env);
      int regno = ri->opc2 & 3;
 -    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1;
 +    int grp = (ri->crm & 1) ? GICV3_G1 : GICV3_G0;
      if (icv_access(env, grp == GICV3_G0 ? HCR_FMO : HCR_IMO)) {
          icv_ap_write(env, ri, value);
@@ -XXX,XX +XXX,XX @@ static uint64_t ich_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
  {
      GICv3CPUState *cs = icc_cs_from_env(env);
      int regno = ri->opc2 & 3;
 -    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
 +    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
      uint64_t value;
      value = cs->ich_apr[grp][regno];
@@ -XXX,XX +XXX,XX @@ static void ich_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
  {
      GICv3CPUState *cs = icc_cs_from_env(env);
      int regno = ri->opc2 & 3;
 -    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
 +    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
      trace_gicv3_ich_ap_write(ri->crm & 1, regno, gicv3_redist_affid(cs), value);
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 02/25] MAINTAINERS: Add entries for newer MPS2 boards and devices
+[Qemu-devel] [PULL 28/29] target/arm: Simplify SMMLA, SMMLAR, SMMLS, SMMLSR
-Add entries to MAINTAINERS to cover the newer MPS2 boards and
+From: Richard Henderson <richard.henderson@linaro.org>
 the new devices they use.
+All of the inputs to these instructions are 32-bits.  Rather than
+extend each input to 64-bits and then extract the high 32-bits of
+the output, use tcg_gen_muls2_i32 and other 32-bit generator functions.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20190808202616.13782-7-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20180518153157.14899-1-peter.maydell@linaro.org
 ---
- MAINTAINERS | 9 +++++++--
+ target/arm/translate.c | 72 +++++++++++++++---------------------------
-file changed, 7 insertions(+), 2 deletions(-)
+file changed, 26 insertions(+), 46 deletions(-)
-diff --git a/MAINTAINERS b/MAINTAINERS
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/MAINTAINERS
+--- a/target/arm/translate.c
-+++ b/MAINTAINERS
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ F: hw/timer/cmsdk-apb-timer.c
+@@ -XXX,XX +XXX,XX @@ static void gen_revsh(TCGv_i32 var)
- F: include/hw/timer/cmsdk-apb-timer.h
+     tcg_gen_ext16s_i32(var, var);
- F: hw/char/cmsdk-apb-uart.c
+ }
- F: include/hw/char/cmsdk-apb-uart.h
-+F: hw/misc/tz-ppc.c
+-/* Return (b << 32) + a. Mark inputs as dead */
-+F: include/hw/misc/tz-ppc.h
+-static TCGv_i64 gen_addq_msw(TCGv_i64 a, TCGv_i32 b)
+-{
- ARM cores
+-    TCGv_i64 tmp64 = tcg_temp_new_i64();
- M: Peter Maydell <peter.maydell@linaro.org>
+-
-@@ -XXX,XX +XXX,XX @@ M: Peter Maydell <peter.maydell@linaro.org>
+-    tcg_gen_extu_i32_i64(tmp64, b);
- L: qemu-arm@nongnu.org
+-    tcg_temp_free_i32(b);
- S: Maintained
+-    tcg_gen_shli_i64(tmp64, tmp64, 32);
- F: hw/arm/mps2.c
+-    tcg_gen_add_i64(a, tmp64, a);
--F: hw/misc/mps2-scc.c
+-
--F: include/hw/misc/mps2-scc.h
+-    tcg_temp_free_i64(tmp64);
-+F: hw/arm/mps2-tz.c
+-    return a;
-+F: hw/misc/mps2-*.c
+-}
-+F: include/hw/misc/mps2-*.h
+-
-+F: hw/arm/iotkit.c
+-/* Return (b << 32) - a. Mark inputs as dead. */
-+F: include/hw/arm/iotkit.h
+-static TCGv_i64 gen_subq_msw(TCGv_i64 a, TCGv_i32 b)
+-{
- Musicpal
+-    TCGv_i64 tmp64 = tcg_temp_new_i64();
- M: Jan Kiszka <jan.kiszka@web.de>
+-
 -    tcg_gen_extu_i32_i64(tmp64, b);
 -    tcg_temp_free_i32(b);
 -    tcg_gen_shli_i64(tmp64, tmp64, 32);
 -    tcg_gen_sub_i64(a, tmp64, a);
 -
 -    tcg_temp_free_i64(tmp64);
 -    return a;
 -}
 -
  /* 32x32->64 multiply.  Marks inputs as dead.  */
  static TCGv_i64 gen_mulu_i64_i32(TCGv_i32 a, TCGv_i32 b)
  {
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                             (SMMUL, SMMLA, SMMLS) */
                          tmp = load_reg(s, rm);
                          tmp2 = load_reg(s, rs);
 -                        tmp64 = gen_muls_i64_i32(tmp, tmp2);
 +                        tcg_gen_muls2_i32(tmp2, tmp, tmp, tmp2);
                          if (rd != 15) {
 -                            tmp = load_reg(s, rd);
 +                            tmp3 = load_reg(s, rd);
                              if (insn & (1 << 6)) {
 -                                tmp64 = gen_subq_msw(tmp64, tmp);
 +                                tcg_gen_sub_i32(tmp, tmp, tmp3);
                              } else {
 -                                tmp64 = gen_addq_msw(tmp64, tmp);
 +                                tcg_gen_add_i32(tmp, tmp, tmp3);
                              }
 +                            tcg_temp_free_i32(tmp3);
                          }
                          if (insn & (1 << 5)) {
 -                            tcg_gen_addi_i64(tmp64, tmp64, 0x80000000u);
 +                            /*
 +                             * Adding 0x80000000 to the 64-bit quantity
 +                             * means that we have carry in to the high
 +                             * word when the low word has the high bit set.
 +                             */
 +                            tcg_gen_shri_i32(tmp2, tmp2, 31);
 +                            tcg_gen_add_i32(tmp, tmp, tmp2);
                          }
 -                        tcg_gen_shri_i64(tmp64, tmp64, 32);
 -                        tmp = tcg_temp_new_i32();
 -                        tcg_gen_extrl_i64_i32(tmp, tmp64);
 -                        tcg_temp_free_i64(tmp64);
 +                        tcg_temp_free_i32(tmp2);
                          store_reg(s, rn, tmp);
                          break;
                      case 0:
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                    }
                  break;
              case 5: case 6: /* 32 * 32 -> 32msb (SMMUL, SMMLA, SMMLS) */
 -                tmp64 = gen_muls_i64_i32(tmp, tmp2);
 +                tcg_gen_muls2_i32(tmp2, tmp, tmp, tmp2);
                  if (rs != 15) {
 -                    tmp = load_reg(s, rs);
 +                    tmp3 = load_reg(s, rs);
                      if (insn & (1 << 20)) {
 -                        tmp64 = gen_addq_msw(tmp64, tmp);
 +                        tcg_gen_add_i32(tmp, tmp, tmp3);
                      } else {
 -                        tmp64 = gen_subq_msw(tmp64, tmp);
 +                        tcg_gen_sub_i32(tmp, tmp, tmp3);
                      }
 +                    tcg_temp_free_i32(tmp3);
                  }
                  if (insn & (1 << 4)) {
 -                    tcg_gen_addi_i64(tmp64, tmp64, 0x80000000u);
 +                    /*
 +                     * Adding 0x80000000 to the 64-bit quantity
 +                     * means that we have carry in to the high
 +                     * word when the low word has the high bit set.
 +                     */
 +                    tcg_gen_shri_i32(tmp2, tmp2, 31);
 +                    tcg_gen_add_i32(tmp, tmp, tmp2);
                  }
 -                tcg_gen_shri_i64(tmp64, tmp64, 32);
 -                tmp = tcg_temp_new_i32();
 -                tcg_gen_extrl_i64_i32(tmp, tmp64);
 -                tcg_temp_free_i64(tmp64);
 +                tcg_temp_free_i32(tmp2);
                  break;
              case 7: /* Unsigned sum of absolute differences.  */
                  gen_helper_usad8(tmp, tmp, tmp2);
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 22/25] Make address_space_translate_iommu take a MemTxAttrs argument
+[Qemu-devel] [PULL 29/29] target/arm: Use tcg_gen_extrh_i64_i32 to extract the high word
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+From: Richard Henderson <richard.henderson@linaro.org>
 add MemTxAttrs as an argument to address_space_translate_iommu().
+Separate shift + extract low will result in one extra insn
+for hosts like RISC-V, MIPS, and Sparc.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20190808202616.13782-8-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521140402.23318-14-peter.maydell@linaro.org
 ---
- exec.c | 8 +++++---
+ target/arm/translate.c | 18 ++++++------------
-file changed, 5 insertions(+), 3 deletions(-)
+file changed, 6 insertions(+), 12 deletions(-)
-diff --git a/exec.c b/exec.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/exec.c
+--- a/target/arm/translate.c
-+++ b/exec.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ address_space_translate_internal(AddressSpaceDispatch *d, hwaddr addr, hwaddr *x
+@@ -XXX,XX +XXX,XX @@ static int disas_iwmmxt_insn(DisasContext *s, uint32_t insn)
-  * @is_write: whether the translation operation is for write
+             if (insn & ARM_CP_RW_BIT) {                         /* TMRRC */
-  * @is_mmio: whether this can be MMIO, set true if it can
+                 iwmmxt_load_reg(cpu_V0, wrd);
-  * @target_as: the address space targeted by the IOMMU
+                 tcg_gen_extrl_i64_i32(cpu_R[rdlo], cpu_V0);
-+ * @attrs: transaction attributes
+-                tcg_gen_shri_i64(cpu_V0, cpu_V0, 32);
-  *
+-                tcg_gen_extrl_i64_i32(cpu_R[rdhi], cpu_V0);
-  * This function is called from RCU critical section.  It is the common
++                tcg_gen_extrh_i64_i32(cpu_R[rdhi], cpu_V0);
-  * part of flatview_do_translate and address_space_translate_cached.
+             } else {                                    /* TMCRR */
-@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection address_space_translate_iommu(IOMMUMemoryRegion *iomm
+                 tcg_gen_concat_i32_i64(cpu_V0, cpu_R[rdlo], cpu_R[rdhi]);
-                                                          hwaddr *page_mask_out,
+                 iwmmxt_store_reg(cpu_V0, wrd);
-                                                          bool is_write,
+@@ -XXX,XX +XXX,XX @@ static int disas_dsp_insn(DisasContext *s, uint32_t insn)
-                                                          bool is_mmio,
+         if (insn & ARM_CP_RW_BIT) {                     /* MRA */
--                                                         AddressSpace **target_as)
+             iwmmxt_load_reg(cpu_V0, acc);
-+                                                         AddressSpace **target_as,
+             tcg_gen_extrl_i64_i32(cpu_R[rdlo], cpu_V0);
-+                                                         MemTxAttrs attrs)
+-            tcg_gen_shri_i64(cpu_V0, cpu_V0, 32);
- {
+-            tcg_gen_extrl_i64_i32(cpu_R[rdhi], cpu_V0);
-     MemoryRegionSection *section;
++            tcg_gen_extrh_i64_i32(cpu_R[rdhi], cpu_V0);
-     hwaddr page_mask = (hwaddr)-1;
+             tcg_gen_andi_i32(cpu_R[rdhi], cpu_R[rdhi], (1 << (40 - 32)) - 1);
-@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection flatview_do_translate(FlatView *fv,
+         } else {                                        /* MAR */
-         return address_space_translate_iommu(iommu_mr, xlat,
+             tcg_gen_concat_i32_i64(cpu_V0, cpu_R[rdlo], cpu_R[rdhi]);
-                                              plen_out, page_mask_out,
+@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
-                                              is_write, is_mmio,
+                                 gen_helper_neon_narrow_high_u16(tmp, cpu_V0);
--                                             target_as);
+                                 break;
-+                                             target_as, attrs);
+                             case 2:
-     }
+-                                tcg_gen_shri_i64(cpu_V0, cpu_V0, 32);
-     if (page_mask_out) {
+-                                tcg_gen_extrl_i64_i32(tmp, cpu_V0);
-         /* Not behind an IOMMU, use default page size. */
++                                tcg_gen_extrh_i64_i32(tmp, cpu_V0);
-@@ -XXX,XX +XXX,XX @@ static inline MemoryRegion *address_space_translate_cached(
+                                 break;
+                             default: abort();
-     section = address_space_translate_iommu(iommu_mr, xlat, plen,
+                             }
-                                             NULL, is_write, true,
+@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
--                                            &target_as);
+                                 break;
-+                                            &target_as, attrs);
+                             case 2:
-     return section.mr;
+                                 tcg_gen_addi_i64(cpu_V0, cpu_V0, 1u << 31);
 -                                tcg_gen_shri_i64(cpu_V0, cpu_V0, 32);
 -                                tcg_gen_extrl_i64_i32(tmp, cpu_V0);
 +                                tcg_gen_extrh_i64_i32(tmp, cpu_V0);
                                  break;
                              default: abort();
                              }
@@ -XXX,XX +XXX,XX @@ static int disas_coproc_insn(DisasContext *s, uint32_t insn)
                  tmp = tcg_temp_new_i32();
                  tcg_gen_extrl_i64_i32(tmp, tmp64);
                  store_reg(s, rt, tmp);
 -                tcg_gen_shri_i64(tmp64, tmp64, 32);
                  tmp = tcg_temp_new_i32();
 -                tcg_gen_extrl_i64_i32(tmp, tmp64);
 +                tcg_gen_extrh_i64_i32(tmp, tmp64);
                  tcg_temp_free_i64(tmp64);
                  store_reg(s, rt2, tmp);
              } else {
@@ -XXX,XX +XXX,XX @@ static void gen_storeq_reg(DisasContext *s, int rlow, int rhigh, TCGv_i64 val)
      tcg_gen_extrl_i64_i32(tmp, val);
      store_reg(s, rlow, tmp);
      tmp = tcg_temp_new_i32();
 -    tcg_gen_shri_i64(val, val, 32);
 -    tcg_gen_extrl_i64_i32(tmp, val);
 +    tcg_gen_extrh_i64_i32(tmp, val);
      store_reg(s, rhigh, tmp);
  }
 --
-.17.1
+.20.1

target-arm queue. This has the "plumb txattrs through various
bits of exec.c" patches, and a collection of bug fixes from
various people.

thanks
-- PMM

The following changes since commit a3ac12fba028df90f7b3dbec924995c126c41022:

Merge remote-tracking branch 'remotes/ehabkost/tags/numa-next-pull-request' into staging (2018-05-31 11:12:36 +0100)

are available in the Git repository at:

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180531

for you to fetch changes up to 49d1dca0520ea71bc21867fab6647f474fcf857b:

KVM: GIC: Fix memory leak due to calling kvm_init_irq_routing twice (2018-05-31 14:52:53 +0100)

----------------------------------------------------------------
target-arm queue:
 * target/arm: Honour FPCR.FZ in FRECPX
 * MAINTAINERS: Add entries for newer MPS2 boards and devices
 * hw/intc/arm_gicv3: Fix APxR<n> register dispatching
 * arm_gicv3_kvm: fix bug in writing zero bits back to the in-kernel
   GIC state
 * tcg: Fix helper function vs host abi for float16
 * arm: fix qemu crash on startup with -bios option
 * arm: fix malloc type mismatch
 * xlnx-zdma: Correct mem leaks and memset to zero on desc unaligned errors
 * Correct CPACR reset value for v7 cores
 * memory.h: Improve IOMMU related documentation
 * exec: Plumb transaction attributes through various functions in
   preparation for allowing IOMMUs to see them
 * vmstate.h: Provide VMSTATE_BOOL_SUB_ARRAY
 * ARM: ACPI: Fix use-after-free due to memory realloc
 * KVM: GIC: Fix memory leak due to calling kvm_init_irq_routing twice

----------------------------------------------------------------
Francisco Iglesias (1):
      xlnx-zdma: Correct mem leaks and memset to zero on desc unaligned errors

Igor Mammedov (1):
      arm: fix qemu crash on startup with -bios option

Jan Kiszka (1):
      hw/intc/arm_gicv3: Fix APxR<n> register dispatching

Paolo Bonzini (1):
      arm: fix malloc type mismatch

Peter Maydell (17):
      target/arm: Honour FPCR.FZ in FRECPX
      MAINTAINERS: Add entries for newer MPS2 boards and devices
      Correct CPACR reset value for v7 cores
      memory.h: Improve IOMMU related documentation
      Make tb_invalidate_phys_addr() take a MemTxAttrs argument
      Make address_space_translate{, _cached}() take a MemTxAttrs argument
      Make address_space_map() take a MemTxAttrs argument
      Make address_space_access_valid() take a MemTxAttrs argument
      Make flatview_extend_translation() take a MemTxAttrs argument
      Make memory_region_access_valid() take a MemTxAttrs argument
      Make MemoryRegion valid.accepts callback take a MemTxAttrs argument
      Make flatview_access_valid() take a MemTxAttrs argument
      Make flatview_translate() take a MemTxAttrs argument
      Make address_space_get_iotlb_entry() take a MemTxAttrs argument
      Make flatview_do_translate() take a MemTxAttrs argument
      Make address_space_translate_iommu take a MemTxAttrs argument
      vmstate.h: Provide VMSTATE_BOOL_SUB_ARRAY

Richard Henderson (1):
      tcg: Fix helper function vs host abi for float16

Shannon Zhao (3):
      arm_gicv3_kvm: increase clroffset accordingly
      ARM: ACPI: Fix use-after-free due to memory realloc
      KVM: GIC: Fix memory leak due to calling kvm_init_irq_routing twice

The FRECPX instructions should (like most other floating point operations)
honour the FPCR.FZ bit which specifies whether input denormals should
be flushed to zero (or FZ16 for the half-precision version).
We forgot to implement this, which doesn't affect the results (since
the calculation doesn't actually care about the mantissa bits) but did
mean we were failing to set the FPSR.IDC bit.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180521172712.19930-1-peter.maydell@linaro.org
---
 target/arm/helper-a64.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper-a64.c
+++ b/target/arm/helper-a64.c
@@ -XXX,XX +XXX,XX @@ float16 HELPER(frecpx_f16)(float16 a, void *fpstp)
         return nan;
     }
 
+    a = float16_squash_input_denormal(a, fpst);
+
     val16 = float16_val(a);
     sbit = 0x8000 & val16;
     exp = extract32(val16, 10, 5);
@@ -XXX,XX +XXX,XX @@ float32 HELPER(frecpx_f32)(float32 a, void *fpstp)
         return nan;
     }
 
+    a = float32_squash_input_denormal(a, fpst);
+
     val32 = float32_val(a);
     sbit = 0x80000000ULL & val32;
     exp = extract32(val32, 23, 8);
@@ -XXX,XX +XXX,XX @@ float64 HELPER(frecpx_f64)(float64 a, void *fpstp)
         return nan;
     }
 
+    a = float64_squash_input_denormal(a, fpst);
+
     val64 = float64_val(a);
     sbit = 0x8000000000000000ULL & val64;
     exp = extract64(float64_val(a), 52, 11);
-- 
2.17.1

Add entries to MAINTAINERS to cover the newer MPS2 boards and
the new devices they use.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20180518153157.14899-1-peter.maydell@linaro.org
---
 MAINTAINERS | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index XXXXXXX..XXXXXXX 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ F: hw/timer/cmsdk-apb-timer.c
 F: include/hw/timer/cmsdk-apb-timer.h
 F: hw/char/cmsdk-apb-uart.c
 F: include/hw/char/cmsdk-apb-uart.h
+F: hw/misc/tz-ppc.c
+F: include/hw/misc/tz-ppc.h
 
 ARM cores
 M: Peter Maydell <peter.maydell@linaro.org>
@@ -XXX,XX +XXX,XX @@ M: Peter Maydell <peter.maydell@linaro.org>
 L: qemu-arm@nongnu.org
 S: Maintained
 F: hw/arm/mps2.c
-F: hw/misc/mps2-scc.c
-F: include/hw/misc/mps2-scc.h
+F: hw/arm/mps2-tz.c
+F: hw/misc/mps2-*.c
+F: include/hw/misc/mps2-*.h
+F: hw/arm/iotkit.c
+F: include/hw/arm/iotkit.h
 
 Musicpal
 M: Jan Kiszka <jan.kiszka@web.de>
-- 
2.17.1

From: Jan Kiszka <jan.kiszka@siemens.com>

There was a nasty flip in identifying which register group an access is
targeting. The issue caused spuriously raised priorities of the guest
when handing CPUs over in the Jailhouse hypervisor.

Cc: qemu-stable@nongnu.org
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Message-id: 28b927d3-da58-bce4-cc13-bfec7f9b1cb9@siemens.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3_cpuif.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_cpuif.c
+++ b/hw/intc/arm_gicv3_cpuif.c
@@ -XXX,XX +XXX,XX @@ static uint64_t icv_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
 {
     GICv3CPUState *cs = icc_cs_from_env(env);
     int regno = ri->opc2 & 3;
-    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
+    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
     uint64_t value = cs->ich_apr[grp][regno];
 
     trace_gicv3_icv_ap_read(ri->crm & 1, regno, gicv3_redist_affid(cs), value);
@@ -XXX,XX +XXX,XX @@ static void icv_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
 {
     GICv3CPUState *cs = icc_cs_from_env(env);
     int regno = ri->opc2 & 3;
-    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
+    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
 
     trace_gicv3_icv_ap_write(ri->crm & 1, regno, gicv3_redist_affid(cs), value);
 
@@ -XXX,XX +XXX,XX @@ static uint64_t icc_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
     uint64_t value;
 
     int regno = ri->opc2 & 3;
-    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1;
+    int grp = (ri->crm & 1) ? GICV3_G1 : GICV3_G0;
 
     if (icv_access(env, grp == GICV3_G0 ? HCR_FMO : HCR_IMO)) {
         return icv_ap_read(env, ri);
@@ -XXX,XX +XXX,XX @@ static void icc_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
     GICv3CPUState *cs = icc_cs_from_env(env);
 
     int regno = ri->opc2 & 3;
-    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1;
+    int grp = (ri->crm & 1) ? GICV3_G1 : GICV3_G0;
 
     if (icv_access(env, grp == GICV3_G0 ? HCR_FMO : HCR_IMO)) {
         icv_ap_write(env, ri, value);
@@ -XXX,XX +XXX,XX @@ static uint64_t ich_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
 {
     GICv3CPUState *cs = icc_cs_from_env(env);
     int regno = ri->opc2 & 3;
-    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
+    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
     uint64_t value;
 
     value = cs->ich_apr[grp][regno];
@@ -XXX,XX +XXX,XX @@ static void ich_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
 {
     GICv3CPUState *cs = icc_cs_from_env(env);
     int regno = ri->opc2 & 3;
-    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
+    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
 
     trace_gicv3_ich_ap_write(ri->crm & 1, regno, gicv3_redist_affid(cs), value);
 
-- 
2.17.1

From: Shannon Zhao <zhaoshenglong@huawei.com>

It forgot to increase clroffset during the loop. So it only clear the
first 4 bytes.

Fixes: 367b9f527becdd20ddf116e17a3c0c2bbc486920
Cc: qemu-stable@nongnu.org
Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Message-id: 1527047633-12368-1-git-send-email-zhaoshenglong@huawei.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3_kvm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/intc/arm_gicv3_kvm.c b/hw/intc/arm_gicv3_kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_kvm.c
+++ b/hw/intc/arm_gicv3_kvm.c
@@ -XXX,XX +XXX,XX @@ static void kvm_dist_putbmp(GICv3State *s, uint32_t offset,
         if (clroffset != 0) {
             reg = 0;
             kvm_gicd_access(s, clroffset, &reg, true);
+            clroffset += 4;
         }
         reg = *gic_bmp_ptr32(bmp, irq);
         kvm_gicd_access(s, offset, &reg, true);
-- 
2.17.1

From: Richard Henderson <richard.henderson@linaro.org>

Depending on the host abi, float16, aka uint16_t, values are
passed and returned either zero-extended in the host register
or with garbage at the top of the host register.

The tcg code generator has so far been assuming garbage, as that
matches the x86 abi, but this is incorrect for other host abis.
Further, target/arm has so far been assuming zero-extended results,
so that it may store the 16-bit value into a 32-bit slot with the
high 16-bits already clear.

Rectify both problems by mapping "f16" in the helper definition
to uint32_t instead of (a typedef for) uint16_t.  This forces
the host compiler to assume garbage in the upper 16 bits on input
and to zero-extend the result on output.

Cc: qemu-stable@nongnu.org
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Message-id: 20180522175629.24932-1-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/exec/helper-head.h |  2 +-
 target/arm/helper-a64.c    | 35 +++++++++--------
 target/arm/helper.c        | 80 +++++++++++++++++++-------------------
 3 files changed, 59 insertions(+), 58 deletions(-)

diff --git a/include/exec/helper-head.h b/include/exec/helper-head.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/helper-head.h
+++ b/include/exec/helper-head.h
@@ -XXX,XX +XXX,XX @@
 #define dh_ctype_int int
 #define dh_ctype_i64 uint64_t
 #define dh_ctype_s64 int64_t
-#define dh_ctype_f16 float16
+#define dh_ctype_f16 uint32_t
 #define dh_ctype_f32 float32
 #define dh_ctype_f64 float64
 #define dh_ctype_ptr void *
diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper-a64.c
+++ b/target/arm/helper-a64.c
@@ -XXX,XX +XXX,XX @@ static inline uint32_t float_rel_to_flags(int res)
     return flags;
 }
 
-uint64_t HELPER(vfp_cmph_a64)(float16 x, float16 y, void *fp_status)
+uint64_t HELPER(vfp_cmph_a64)(uint32_t x, uint32_t y, void *fp_status)
 {
     return float_rel_to_flags(float16_compare_quiet(x, y, fp_status));
 }
 
-uint64_t HELPER(vfp_cmpeh_a64)(float16 x, float16 y, void *fp_status)
+uint64_t HELPER(vfp_cmpeh_a64)(uint32_t x, uint32_t y, void *fp_status)
 {
     return float_rel_to_flags(float16_compare(x, y, fp_status));
 }
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(neon_cgt_f64)(float64 a, float64 b, void *fpstp)
 #define float64_three make_float64(0x4008000000000000ULL)
 #define float64_one_point_five make_float64(0x3FF8000000000000ULL)
 
-float16 HELPER(recpsf_f16)(float16 a, float16 b, void *fpstp)
+uint32_t HELPER(recpsf_f16)(uint32_t a, uint32_t b, void *fpstp)
 {
     float_status *fpst = fpstp;
 
@@ -XXX,XX +XXX,XX @@ float64 HELPER(recpsf_f64)(float64 a, float64 b, void *fpstp)
     return float64_muladd(a, b, float64_two, 0, fpst);
 }
 
-float16 HELPER(rsqrtsf_f16)(float16 a, float16 b, void *fpstp)
+uint32_t HELPER(rsqrtsf_f16)(uint32_t a, uint32_t b, void *fpstp)
 {
     float_status *fpst = fpstp;
 
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(neon_addlp_u16)(uint64_t a)
 }
 
 /* Floating-point reciprocal exponent - see FPRecpX in ARM ARM */
-float16 HELPER(frecpx_f16)(float16 a, void *fpstp)
+uint32_t HELPER(frecpx_f16)(uint32_t a, void *fpstp)
 {
     float_status *fpst = fpstp;
     uint16_t val16, sbit;
@@ -XXX,XX +XXX,XX @@ void HELPER(casp_be_parallel)(CPUARMState *env, uint32_t rs, uint64_t addr,
 #define ADVSIMD_HELPER(name, suffix) HELPER(glue(glue(advsimd_, name), suffix))
 
 #define ADVSIMD_HALFOP(name) \
-float16 ADVSIMD_HELPER(name, h)(float16 a, float16 b, void *fpstp) \
+uint32_t ADVSIMD_HELPER(name, h)(uint32_t a, uint32_t b, void *fpstp) \
 { \
     float_status *fpst = fpstp; \
     return float16_ ## name(a, b, fpst);    \
@@ -XXX,XX +XXX,XX @@ ADVSIMD_HALFOP(mulx)
 ADVSIMD_TWOHALFOP(mulx)
 
 /* fused multiply-accumulate */
-float16 HELPER(advsimd_muladdh)(float16 a, float16 b, float16 c, void *fpstp)
+uint32_t HELPER(advsimd_muladdh)(uint32_t a, uint32_t b, uint32_t c,
+                                 void *fpstp)
 {
     float_status *fpst = fpstp;
     return float16_muladd(a, b, c, 0, fpst);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_muladd2h)(uint32_t two_a, uint32_t two_b,
 
 #define ADVSIMD_CMPRES(test) (test) ? 0xffff : 0
 
-uint32_t HELPER(advsimd_ceq_f16)(float16 a, float16 b, void *fpstp)
+uint32_t HELPER(advsimd_ceq_f16)(uint32_t a, uint32_t b, void *fpstp)
 {
     float_status *fpst = fpstp;
     int compare = float16_compare_quiet(a, b, fpst);
     return ADVSIMD_CMPRES(compare == float_relation_equal);
 }
 
-uint32_t HELPER(advsimd_cge_f16)(float16 a, float16 b, void *fpstp)
+uint32_t HELPER(advsimd_cge_f16)(uint32_t a, uint32_t b, void *fpstp)
 {
     float_status *fpst = fpstp;
     int compare = float16_compare(a, b, fpst);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_cge_f16)(float16 a, float16 b, void *fpstp)
                           compare == float_relation_equal);
 }
 
-uint32_t HELPER(advsimd_cgt_f16)(float16 a, float16 b, void *fpstp)
+uint32_t HELPER(advsimd_cgt_f16)(uint32_t a, uint32_t b, void *fpstp)
 {
     float_status *fpst = fpstp;
     int compare = float16_compare(a, b, fpst);
     return ADVSIMD_CMPRES(compare == float_relation_greater);
 }
 
-uint32_t HELPER(advsimd_acge_f16)(float16 a, float16 b, void *fpstp)
+uint32_t HELPER(advsimd_acge_f16)(uint32_t a, uint32_t b, void *fpstp)
 {
     float_status *fpst = fpstp;
     float16 f0 = float16_abs(a);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_acge_f16)(float16 a, float16 b, void *fpstp)
                           compare == float_relation_equal);
 }
 
-uint32_t HELPER(advsimd_acgt_f16)(float16 a, float16 b, void *fpstp)
+uint32_t HELPER(advsimd_acgt_f16)(uint32_t a, uint32_t b, void *fpstp)
 {
     float_status *fpst = fpstp;
     float16 f0 = float16_abs(a);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_acgt_f16)(float16 a, float16 b, void *fpstp)
 }
 
 /* round to integral */
-float16 HELPER(advsimd_rinth_exact)(float16 x, void *fp_status)
+uint32_t HELPER(advsimd_rinth_exact)(uint32_t x, void *fp_status)
 {
     return float16_round_to_int(x, fp_status);
 }
 
-float16 HELPER(advsimd_rinth)(float16 x, void *fp_status)
+uint32_t HELPER(advsimd_rinth)(uint32_t x, void *fp_status)
 {
     int old_flags = get_float_exception_flags(fp_status), new_flags;
     float16 ret;
@@ -XXX,XX +XXX,XX @@ float16 HELPER(advsimd_rinth)(float16 x, void *fp_status)
  * setting the mode appropriately before calling the helper.
  */
 
-uint32_t HELPER(advsimd_f16tosinth)(float16 a, void *fpstp)
+uint32_t HELPER(advsimd_f16tosinth)(uint32_t a, void *fpstp)
 {
     float_status *fpst = fpstp;
 
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_f16tosinth)(float16 a, void *fpstp)
     return float16_to_int16(a, fpst);
 }
 
-uint32_t HELPER(advsimd_f16touinth)(float16 a, void *fpstp)
+uint32_t HELPER(advsimd_f16touinth)(uint32_t a, void *fpstp)
 {
     float_status *fpst = fpstp;
 
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_f16touinth)(float16 a, void *fpstp)
  * Square Root and Reciprocal square root
  */
 
-float16 HELPER(sqrt_f16)(float16 a, void *fpstp)
+uint32_t HELPER(sqrt_f16)(uint32_t a, void *fpstp)
 {
     float_status *s = fpstp;
 
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ DO_VFP_cmp(d, float64)
 
 /* Integer to float and float to integer conversions */
 
-#define CONV_ITOF(name, fsz, sign) \
-    float##fsz HELPER(name)(uint32_t x, void *fpstp) \
-{ \
-    float_status *fpst = fpstp; \
-    return sign##int32_to_##float##fsz((sign##int32_t)x, fpst); \
+#define CONV_ITOF(name, ftype, fsz, sign)                           \
+ftype HELPER(name)(uint32_t x, void *fpstp)                         \
+{                                                                   \
+    float_status *fpst = fpstp;                                     \
+    return sign##int32_to_##float##fsz((sign##int32_t)x, fpst);     \
 }
 
-#define CONV_FTOI(name, fsz, sign, round) \
-uint32_t HELPER(name)(float##fsz x, void *fpstp) \
-{ \
-    float_status *fpst = fpstp; \
-    if (float##fsz##_is_any_nan(x)) { \
-        float_raise(float_flag_invalid, fpst); \
-        return 0; \
-    } \
-    return float##fsz##_to_##sign##int32##round(x, fpst); \
+#define CONV_FTOI(name, ftype, fsz, sign, round)                \
+uint32_t HELPER(name)(ftype x, void *fpstp)                     \
+{                                                               \
+    float_status *fpst = fpstp;                                 \
+    if (float##fsz##_is_any_nan(x)) {                           \
+        float_raise(float_flag_invalid, fpst);                  \
+        return 0;                                               \
+    }                                                           \
+    return float##fsz##_to_##sign##int32##round(x, fpst);       \
 }
 
-#define FLOAT_CONVS(name, p, fsz, sign) \
-CONV_ITOF(vfp_##name##to##p, fsz, sign) \
-CONV_FTOI(vfp_to##name##p, fsz, sign, ) \
-CONV_FTOI(vfp_to##name##z##p, fsz, sign, _round_to_zero)
+#define FLOAT_CONVS(name, p, ftype, fsz, sign)            \
+    CONV_ITOF(vfp_##name##to##p, ftype, fsz, sign)        \
+    CONV_FTOI(vfp_to##name##p, ftype, fsz, sign, )        \
+    CONV_FTOI(vfp_to##name##z##p, ftype, fsz, sign, _round_to_zero)
 
-FLOAT_CONVS(si, h, 16, )
-FLOAT_CONVS(si, s, 32, )
-FLOAT_CONVS(si, d, 64, )
-FLOAT_CONVS(ui, h, 16, u)
-FLOAT_CONVS(ui, s, 32, u)
-FLOAT_CONVS(ui, d, 64, u)
+FLOAT_CONVS(si, h, uint32_t, 16, )
+FLOAT_CONVS(si, s, float32, 32, )
+FLOAT_CONVS(si, d, float64, 64, )
+FLOAT_CONVS(ui, h, uint32_t, 16, u)
+FLOAT_CONVS(ui, s, float32, 32, u)
+FLOAT_CONVS(ui, d, float64, 64, u)
 
 #undef CONV_ITOF
 #undef CONV_FTOI
@@ -XXX,XX +XXX,XX @@ static float16 do_postscale_fp16(float64 f, int shift, float_status *fpst)
     return float64_to_float16(float64_scalbn(f, -shift, fpst), true, fpst);
 }
 
-float16 HELPER(vfp_sltoh)(uint32_t x, uint32_t shift, void *fpst)
+uint32_t HELPER(vfp_sltoh)(uint32_t x, uint32_t shift, void *fpst)
 {
     return do_postscale_fp16(int32_to_float64(x, fpst), shift, fpst);
 }
 
-float16 HELPER(vfp_ultoh)(uint32_t x, uint32_t shift, void *fpst)
+uint32_t HELPER(vfp_ultoh)(uint32_t x, uint32_t shift, void *fpst)
 {
     return do_postscale_fp16(uint32_to_float64(x, fpst), shift, fpst);
 }
 
-float16 HELPER(vfp_sqtoh)(uint64_t x, uint32_t shift, void *fpst)
+uint32_t HELPER(vfp_sqtoh)(uint64_t x, uint32_t shift, void *fpst)
 {
     return do_postscale_fp16(int64_to_float64(x, fpst), shift, fpst);
 }
 
-float16 HELPER(vfp_uqtoh)(uint64_t x, uint32_t shift, void *fpst)
+uint32_t HELPER(vfp_uqtoh)(uint64_t x, uint32_t shift, void *fpst)
 {
     return do_postscale_fp16(uint64_to_float64(x, fpst), shift, fpst);
 }
@@ -XXX,XX +XXX,XX @@ static float64 do_prescale_fp16(float16 f, int shift, float_status *fpst)
     }
 }
 
-uint32_t HELPER(vfp_toshh)(float16 x, uint32_t shift, void *fpst)
+uint32_t HELPER(vfp_toshh)(uint32_t x, uint32_t shift, void *fpst)
 {
     return float64_to_int16(do_prescale_fp16(x, shift, fpst), fpst);
 }
 
-uint32_t HELPER(vfp_touhh)(float16 x, uint32_t shift, void *fpst)
+uint32_t HELPER(vfp_touhh)(uint32_t x, uint32_t shift, void *fpst)
 {
     return float64_to_uint16(do_prescale_fp16(x, shift, fpst), fpst);
 }
 
-uint32_t HELPER(vfp_toslh)(float16 x, uint32_t shift, void *fpst)
+uint32_t HELPER(vfp_toslh)(uint32_t x, uint32_t shift, void *fpst)
 {
     return float64_to_int32(do_prescale_fp16(x, shift, fpst), fpst);
 }
 
-uint32_t HELPER(vfp_toulh)(float16 x, uint32_t shift, void *fpst)
+uint32_t HELPER(vfp_toulh)(uint32_t x, uint32_t shift, void *fpst)
 {
     return float64_to_uint32(do_prescale_fp16(x, shift, fpst), fpst);
 }
 
-uint64_t HELPER(vfp_tosqh)(float16 x, uint32_t shift, void *fpst)
+uint64_t HELPER(vfp_tosqh)(uint32_t x, uint32_t shift, void *fpst)
 {
     return float64_to_int64(do_prescale_fp16(x, shift, fpst), fpst);
 }
 
-uint64_t HELPER(vfp_touqh)(float16 x, uint32_t shift, void *fpst)
+uint64_t HELPER(vfp_touqh)(uint32_t x, uint32_t shift, void *fpst)
 {
     return float64_to_uint64(do_prescale_fp16(x, shift, fpst), fpst);
 }
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(set_neon_rmode)(uint32_t rmode, CPUARMState *env)
 }
 
 /* Half precision conversions.  */
-float32 HELPER(vfp_fcvt_f16_to_f32)(float16 a, void *fpstp, uint32_t ahp_mode)
+float32 HELPER(vfp_fcvt_f16_to_f32)(uint32_t a, void *fpstp, uint32_t ahp_mode)
 {
     /* Squash FZ16 to 0 for the duration of conversion.  In this case,
      * it would affect flushing input denormals.
@@ -XXX,XX +XXX,XX @@ float32 HELPER(vfp_fcvt_f16_to_f32)(float16 a, void *fpstp, uint32_t ahp_mode)
     return r;
 }
 
-float16 HELPER(vfp_fcvt_f32_to_f16)(float32 a, void *fpstp, uint32_t ahp_mode)
+uint32_t HELPER(vfp_fcvt_f32_to_f16)(float32 a, void *fpstp, uint32_t ahp_mode)
 {
     /* Squash FZ16 to 0 for the duration of conversion.  In this case,
      * it would affect flushing output denormals.
@@ -XXX,XX +XXX,XX @@ float16 HELPER(vfp_fcvt_f32_to_f16)(float32 a, void *fpstp, uint32_t ahp_mode)
     return r;
 }
 
-float64 HELPER(vfp_fcvt_f16_to_f64)(float16 a, void *fpstp, uint32_t ahp_mode)
+float64 HELPER(vfp_fcvt_f16_to_f64)(uint32_t a, void *fpstp, uint32_t ahp_mode)
 {
     /* Squash FZ16 to 0 for the duration of conversion.  In this case,
      * it would affect flushing input denormals.
@@ -XXX,XX +XXX,XX @@ float64 HELPER(vfp_fcvt_f16_to_f64)(float16 a, void *fpstp, uint32_t ahp_mode)
     return r;
 }
 
-float16 HELPER(vfp_fcvt_f64_to_f16)(float64 a, void *fpstp, uint32_t ahp_mode)
+uint32_t HELPER(vfp_fcvt_f64_to_f16)(float64 a, void *fpstp, uint32_t ahp_mode)
 {
     /* Squash FZ16 to 0 for the duration of conversion.  In this case,
      * it would affect flushing output denormals.
@@ -XXX,XX +XXX,XX @@ static bool round_to_inf(float_status *fpst, bool sign_bit)
     g_assert_not_reached();
 }
 
-float16 HELPER(recpe_f16)(float16 input, void *fpstp)
+uint32_t HELPER(recpe_f16)(uint32_t input, void *fpstp)
 {
     float_status *fpst = fpstp;
     float16 f16 = float16_squash_input_denormal(input, fpst);
@@ -XXX,XX +XXX,XX @@ static uint64_t recip_sqrt_estimate(int *exp , int exp_off, uint64_t frac)
     return extract64(estimate, 0, 8) << 44;
 }
 
-float16 HELPER(rsqrte_f16)(float16 input, void *fpstp)
+uint32_t HELPER(rsqrte_f16)(uint32_t input, void *fpstp)
 {
     float_status *s = fpstp;
     float16 f16 = float16_squash_input_denormal(input, s);
-- 
2.17.1

From: Igor Mammedov <imammedo@redhat.com>

When QEMU is started with following CLI
 -machine virt,gic-version=3,accel=kvm -cpu host -bios AAVMF_CODE.fd
it crashes with abort at
 accel/kvm/kvm-all.c:2164:
 KVM_SET_DEVICE_ATTR failed: Group 6 attr 0x000000000000c665: Invalid argument

Which is caused by implicit dependency of kvm_arm_gicv3_reset() on
arm_gicv3_icc_reset() where the later is called by CPU reset
reset callback.

However commit:
 3b77f6c arm/boot: split load_dtb() from arm_load_kernel()
broke CPU reset callback registration in case

arm_load_kernel()
      ...
      if (!info->kernel_filename || info->firmware_loaded)

branch is taken, i.e. it's sufficient to provide a firmware
or do not provide kernel on CLI to skip cpu reset callback
registration, where before offending commit the callback
has been registered unconditionally.

Fix it by registering the callback right at the beginning of
arm_load_kernel() unconditionally instead of doing it at the end.

NOTE:
 we probably should eliminate that dependency anyways as well as
 separate arch CPU reset parts from arm_load_kernel() into CPU
 itself, but that refactoring that I probably would have to do
 anyways later for CPU hotplug to work.

Reported-by: Auger Eric <eric.auger@redhat.com>
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Eric Auger <eric.auger@redhat.com>
Message-id: 1527070950-208350-1-git-send-email-imammedo@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/boot.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
     static const ARMInsnFixup *primary_loader;
     AddressSpace *as = arm_boot_address_space(cpu, info);
 
+    /* CPU objects (unlike devices) are not automatically reset on system
+     * reset, so we must always register a handler to do so. If we're
+     * actually loading a kernel, the handler is also responsible for
+     * arranging that we start it correctly.
+     */
+    for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
+        qemu_register_reset(do_cpu_reset, ARM_CPU(cs));
+    }
+
     /* The board code is not supposed to set secure_board_setup unless
      * running its code in secure mode is actually possible, and KVM
      * doesn't support secure.
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
         ARM_CPU(cs)->env.boot_info = info;
     }
 
-    /* CPU objects (unlike devices) are not automatically reset on system
-     * reset, so we must always register a handler to do so. If we're
-     * actually loading a kernel, the handler is also responsible for
-     * arranging that we start it correctly.
-     */
-    for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
-        qemu_register_reset(do_cpu_reset, ARM_CPU(cs));
-    }
-
     if (!info->skip_dtb_autoload && have_dtb(info)) {
         if (arm_load_dtb(info->dtb_start, info, info->dtb_limit, as) < 0) {
             exit(1);
-- 
2.17.1

From: Paolo Bonzini <pbonzini@redhat.com>

cpregs_keys is an uint32_t* so the allocation should use uint32_t.
g_new is even better because it is type-safe.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/gdbstub.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/gdbstub.c
+++ b/target/arm/gdbstub.c
@@ -XXX,XX +XXX,XX @@ int arm_gen_dynamic_xml(CPUState *cs)
     RegisterSysregXmlParam param = {cs, s};
 
     cpu->dyn_xml.num_cpregs = 0;
-    cpu->dyn_xml.cpregs_keys = g_malloc(sizeof(uint32_t *) *
-                                        g_hash_table_size(cpu->cp_regs));
+    cpu->dyn_xml.cpregs_keys = g_new(uint32_t, g_hash_table_size(cpu->cp_regs));
     g_string_printf(s, "<?xml version=\"1.0\"?>");
     g_string_append_printf(s, "<!DOCTYPE target SYSTEM \"gdb-target.dtd\">");
     g_string_append_printf(s, "<feature name=\"org.qemu.gdb.arm.sys.regs\">");
-- 
2.17.1

From: Francisco Iglesias <frasse.iglesias@gmail.com>

Coverity found that the string return by 'object_get_canonical_path' was not
being freed at two locations in the model (CID 1391294 and CID 1391293) and
also that a memset was being called with a value greater than the max of a byte
on the second argument (CID 1391286). This patch corrects this by adding the
freeing of the strings and also changing to memset to zero instead on
descriptor unaligned errors.

Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180528184859.3530-1-frasse.iglesias@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/dma/xlnx-zdma.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/hw/dma/xlnx-zdma.c b/hw/dma/xlnx-zdma.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/dma/xlnx-zdma.c
+++ b/hw/dma/xlnx-zdma.c
@@ -XXX,XX +XXX,XX @@ static bool zdma_load_descriptor(XlnxZDMA *s, uint64_t addr, void *buf)
         qemu_log_mask(LOG_GUEST_ERROR,
                       "zdma: unaligned descriptor at %" PRIx64,
                       addr);
-        memset(buf, 0xdeadbeef, sizeof(XlnxZDMADescr));
+        memset(buf, 0x0, sizeof(XlnxZDMADescr));
         s->error = true;
         return false;
     }
@@ -XXX,XX +XXX,XX @@ static uint64_t zdma_read(void *opaque, hwaddr addr, unsigned size)
     RegisterInfo *r = &s->regs_info[addr / 4];
 
     if (!r->data) {
+        gchar *path = object_get_canonical_path(OBJECT(s));
         qemu_log("%s: Decode error: read from %" HWADDR_PRIx "\n",
-                 object_get_canonical_path(OBJECT(s)),
+                 path,
                  addr);
+        g_free(path);
         ARRAY_FIELD_DP32(s->regs, ZDMA_CH_ISR, INV_APB, true);
         zdma_ch_imr_update_irq(s);
         return 0;
@@ -XXX,XX +XXX,XX @@ static void zdma_write(void *opaque, hwaddr addr, uint64_t value,
     RegisterInfo *r = &s->regs_info[addr / 4];
 
     if (!r->data) {
+        gchar *path = object_get_canonical_path(OBJECT(s));
         qemu_log("%s: Decode error: write to %" HWADDR_PRIx "=%" PRIx64 "\n",
-                 object_get_canonical_path(OBJECT(s)),
+                 path,
                  addr, value);
+        g_free(path);
         ARRAY_FIELD_DP32(s->regs, ZDMA_CH_ISR, INV_APB, true);
         zdma_ch_imr_update_irq(s);
         return;
-- 
2.17.1

In commit f0aff255700 we made cpacr_write() enforce that some CPACR
bits are RAZ/WI and some are RAO/WI for ARMv7 cores. Unfortunately
we forgot to also update the register's reset value. The effect
was that (a) a guest that read CPACR on reset would not see ones in
the RAO bits, and (b) if you did a migration before the guest did
a write to the CPACR then the migration would fail because the
destination would enforce the RAO bits and then complain that they
didn't match the zero value from the source.

Implement reset for the CPACR using a custom reset function
that just calls cpacr_write(), to avoid having to duplicate
the logic for which bits are RAO.

This bug would affect migration for TCG CPUs which are ARMv7
with VFP but without one of Neon or VFPv3.

Reported-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20180522173713.26282-1-peter.maydell@linaro.org
---
 target/arm/helper.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void cpacr_write(CPUARMState *env, const ARMCPRegInfo *ri,
     env->cp15.cpacr_el1 = value;
 }
 
+static void cpacr_reset(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+    /* Call cpacr_write() so that we reset with the correct RAO bits set
+     * for our CPU features.
+     */
+    cpacr_write(env, ri, 0);
+}
+
 static CPAccessResult cpacr_access(CPUARMState *env, const ARMCPRegInfo *ri,
                                    bool isread)
 {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v6_cp_reginfo[] = {
     { .name = "CPACR", .state = ARM_CP_STATE_BOTH, .opc0 = 3,
       .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 2, .accessfn = cpacr_access,
       .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.cpacr_el1),
-      .resetvalue = 0, .writefn = cpacr_write },
+      .resetfn = cpacr_reset, .writefn = cpacr_write },
     REGINFO_SENTINEL
 };
 
-- 
2.17.1

Add more detail to the documentation for memory_region_init_iommu()
and other IOMMU-related functions and data structures.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20180521140402.23318-2-peter.maydell@linaro.org
---
 include/exec/memory.h | 105 ++++++++++++++++++++++++++++++++++++++----
 1 file changed, 95 insertions(+), 10 deletions(-)

diff --git a/include/exec/memory.h b/include/exec/memory.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -XXX,XX +XXX,XX @@ enum IOMMUMemoryRegionAttr {
     IOMMU_ATTR_SPAPR_TCE_FD
 };
 
+/**
+ * IOMMUMemoryRegionClass:
+ *
+ * All IOMMU implementations need to subclass TYPE_IOMMU_MEMORY_REGION
+ * and provide an implementation of at least the @translate method here
+ * to handle requests to the memory region. Other methods are optional.
+ *
+ * The IOMMU implementation must use the IOMMU notifier infrastructure
+ * to report whenever mappings are changed, by calling
+ * memory_region_notify_iommu() (or, if necessary, by calling
+ * memory_region_notify_one() for each registered notifier).
+ */
 typedef struct IOMMUMemoryRegionClass {
     /* private */
     struct DeviceClass parent_class;
 
     /*
-     * Return a TLB entry that contains a given address. Flag should
-     * be the access permission of this translation operation. We can
-     * set flag to IOMMU_NONE to mean that we don't need any
-     * read/write permission checks, like, when for region replay.
+     * Return a TLB entry that contains a given address.
+     *
+     * The IOMMUAccessFlags indicated via @flag are optional and may
+     * be specified as IOMMU_NONE to indicate that the caller needs
+     * the full translation information for both reads and writes. If
+     * the access flags are specified then the IOMMU implementation
+     * may use this as an optimization, to stop doing a page table
+     * walk as soon as it knows that the requested permissions are not
+     * allowed. If IOMMU_NONE is passed then the IOMMU must do the
+     * full page table walk and report the permissions in the returned
+     * IOMMUTLBEntry. (Note that this implies that an IOMMU may not
+     * return different mappings for reads and writes.)
+     *
+     * The returned information remains valid while the caller is
+     * holding the big QEMU lock or is inside an RCU critical section;
+     * if the caller wishes to cache the mapping beyond that it must
+     * register an IOMMU notifier so it can invalidate its cached
+     * information when the IOMMU mapping changes.
+     *
+     * @iommu: the IOMMUMemoryRegion
+     * @hwaddr: address to be translated within the memory region
+     * @flag: requested access permissions
      */
     IOMMUTLBEntry (*translate)(IOMMUMemoryRegion *iommu, hwaddr addr,
                                IOMMUAccessFlags flag);
-    /* Returns minimum supported page size */
+    /* Returns minimum supported page size in bytes.
+     * If this method is not provided then the minimum is assumed to
+     * be TARGET_PAGE_SIZE.
+     *
+     * @iommu: the IOMMUMemoryRegion
+     */
     uint64_t (*get_min_page_size)(IOMMUMemoryRegion *iommu);
-    /* Called when IOMMU Notifier flag changed */
+    /* Called when IOMMU Notifier flag changes (ie when the set of
+     * events which IOMMU users are requesting notification for changes).
+     * Optional method -- need not be provided if the IOMMU does not
+     * need to know exactly which events must be notified.
+     *
+     * @iommu: the IOMMUMemoryRegion
+     * @old_flags: events which previously needed to be notified
+     * @new_flags: events which now need to be notified
+     */
     void (*notify_flag_changed)(IOMMUMemoryRegion *iommu,
                                 IOMMUNotifierFlag old_flags,
                                 IOMMUNotifierFlag new_flags);
-    /* Set this up to provide customized IOMMU replay function */
+    /* Called to handle memory_region_iommu_replay().
+     *
+     * The default implementation of memory_region_iommu_replay() is to
+     * call the IOMMU translate method for every page in the address space
+     * with flag == IOMMU_NONE and then call the notifier if translate
+     * returns a valid mapping. If this method is implemented then it
+     * overrides the default behaviour, and must provide the full semantics
+     * of memory_region_iommu_replay(), by calling @notifier for every
+     * translation present in the IOMMU.
+     *
+     * Optional method -- an IOMMU only needs to provide this method
+     * if the default is inefficient or produces undesirable side effects.
+     *
+     * Note: this is not related to record-and-replay functionality.
+     */
     void (*replay)(IOMMUMemoryRegion *iommu, IOMMUNotifier *notifier);
 
-    /* Get IOMMU misc attributes */
-    int (*get_attr)(IOMMUMemoryRegion *iommu, enum IOMMUMemoryRegionAttr,
+    /* Get IOMMU misc attributes. This is an optional method that
+     * can be used to allow users of the IOMMU to get implementation-specific
+     * information. The IOMMU implements this method to handle calls
+     * by IOMMU users to memory_region_iommu_get_attr() by filling in
+     * the arbitrary data pointer for any IOMMUMemoryRegionAttr values that
+     * the IOMMU supports. If the method is unimplemented then
+     * memory_region_iommu_get_attr() will always return -EINVAL.
+     *
+     * @iommu: the IOMMUMemoryRegion
+     * @attr: attribute being queried
+     * @data: memory to fill in with the attribute data
+     *
+     * Returns 0 on success, or a negative errno; in particular
+     * returns -EINVAL for unrecognized or unimplemented attribute types.
+     */
+    int (*get_attr)(IOMMUMemoryRegion *iommu, enum IOMMUMemoryRegionAttr attr,
                     void *data);
 } IOMMUMemoryRegionClass;
 
@@ -XXX,XX +XXX,XX @@ static inline void memory_region_init_reservation(MemoryRegion *mr,
  * An IOMMU region translates addresses and forwards accesses to a target
  * memory region.
  *
+ * The IOMMU implementation must define a subclass of TYPE_IOMMU_MEMORY_REGION.
+ * @_iommu_mr should be a pointer to enough memory for an instance of
+ * that subclass, @instance_size is the size of that subclass, and
+ * @mrtypename is its name. This function will initialize @_iommu_mr as an
+ * instance of the subclass, and its methods will then be called to handle
+ * accesses to the memory region. See the documentation of
+ * #IOMMUMemoryRegionClass for further details.
+ *
  * @_iommu_mr: the #IOMMUMemoryRegion to be initialized
  * @instance_size: the IOMMUMemoryRegion subclass instance size
  * @mrtypename: the type name of the #IOMMUMemoryRegion
@@ -XXX,XX +XXX,XX @@ void memory_region_register_iommu_notifier(MemoryRegion *mr,
  * a notifier with the minimum page granularity returned by
  * mr->iommu_ops->get_page_size().
  *
+ * Note: this is not related to record-and-replay functionality.
+ *
  * @iommu_mr: the memory region to observe
  * @n: the notifier to which to replay iommu mappings
  */
@@ -XXX,XX +XXX,XX @@ void memory_region_iommu_replay(IOMMUMemoryRegion *iommu_mr, IOMMUNotifier *n);
  * memory_region_iommu_replay_all: replay existing IOMMU translations
  * to all the notifiers registered.
  *
+ * Note: this is not related to record-and-replay functionality.
+ *
  * @iommu_mr: the memory region to observe
  */
 void memory_region_iommu_replay_all(IOMMUMemoryRegion *iommu_mr);
@@ -XXX,XX +XXX,XX @@ void memory_region_unregister_iommu_notifier(MemoryRegion *mr,
  * memory_region_iommu_get_attr: return an IOMMU attr if get_attr() is
  * defined on the IOMMU.
  *
- * Returns 0 if succeded, error code otherwise.
+ * Returns 0 on success, or a negative errno otherwise. In particular,
+ * -EINVAL indicates that the IOMMU does not support the requested
+ * attribute.
  *
  * @iommu_mr: the memory region
  * @attr: the requested attribute
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to tb_invalidate_phys_addr().
Its callers either have an attrs value to hand, or don't care
and can use MEMTXATTRS_UNSPECIFIED.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20180521140402.23318-3-peter.maydell@linaro.org
---
 include/exec/exec-all.h   | 5 +++--
 accel/tcg/translate-all.c | 2 +-
 exec.c                    | 2 +-
 target/xtensa/op_helper.c | 3 ++-
 4 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr,
 void tlb_set_page(CPUState *cpu, target_ulong vaddr,
                   hwaddr paddr, int prot,
                   int mmu_idx, target_ulong size);
-void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr);
+void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs);
 void probe_write(CPUArchState *env, target_ulong addr, int size, int mmu_idx,
                  uintptr_t retaddr);
 #else
@@ -XXX,XX +XXX,XX @@ static inline void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *cpu,
                                                        uint16_t idxmap)
 {
 }
-static inline void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr)
+static inline void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr,
+                                           MemTxAttrs attrs)
 {
 }
 #endif
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
 }
 
 #if !defined(CONFIG_USER_ONLY)
-void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr)
+void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs)
 {
     ram_addr_t ram_addr;
     MemoryRegion *mr;
diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
     if (phys != -1) {
         /* Locks grabbed by tb_invalidate_phys_addr */
         tb_invalidate_phys_addr(cpu->cpu_ases[asidx].as,
-                                phys | (pc & ~TARGET_PAGE_MASK));
+                                phys | (pc & ~TARGET_PAGE_MASK), attrs);
     }
 }
 #endif
diff --git a/target/xtensa/op_helper.c b/target/xtensa/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/xtensa/op_helper.c
+++ b/target/xtensa/op_helper.c
@@ -XXX,XX +XXX,XX @@ static void tb_invalidate_virtual_addr(CPUXtensaState *env, uint32_t vaddr)
     int ret = xtensa_get_physical_addr(env, false, vaddr, 2, 0,
             &paddr, &page_size, &access);
     if (ret == 0) {
-        tb_invalidate_phys_addr(&address_space_memory, paddr);
+        tb_invalidate_phys_addr(&address_space_memory, paddr,
+                                MEMTXATTRS_UNSPECIFIED);
     }
 }
 
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to address_space_translate()
and address_space_translate_cached(). Callers either have an
attrs value to hand, or don't care and can use MEMTXATTRS_UNSPECIFIED.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180521140402.23318-4-peter.maydell@linaro.org
---
 include/exec/memory.h     |  4 +++-
 accel/tcg/translate-all.c |  2 +-
 exec.c                    | 14 +++++++++-----
 hw/vfio/common.c          |  3 ++-
 memory_ldst.inc.c         | 18 +++++++++---------
 target/riscv/helper.c     |  2 +-
 6 files changed, 25 insertions(+), 18 deletions(-)

diff --git a/include/exec/memory.h b/include/exec/memory.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -XXX,XX +XXX,XX @@ IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
  * #MemoryRegion.
  * @len: pointer to length
  * @is_write: indicates the transfer direction
+ * @attrs: memory attributes
  */
 MemoryRegion *flatview_translate(FlatView *fv,
                                  hwaddr addr, hwaddr *xlat,
@@ -XXX,XX +XXX,XX @@ MemoryRegion *flatview_translate(FlatView *fv,
 
 static inline MemoryRegion *address_space_translate(AddressSpace *as,
                                                     hwaddr addr, hwaddr *xlat,
-                                                    hwaddr *len, bool is_write)
+                                                    hwaddr *len, bool is_write,
+                                                    MemTxAttrs attrs)
 {
     return flatview_translate(address_space_to_flatview(as),
                               addr, xlat, len, is_write);
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs)
     hwaddr l = 1;
 
     rcu_read_lock();
-    mr = address_space_translate(as, addr, &addr, &l, false);
+    mr = address_space_translate(as, addr, &addr, &l, false, attrs);
     if (!(memory_region_is_ram(mr)
           || memory_region_is_romd(mr))) {
         rcu_read_unlock();
diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ static inline void cpu_physical_memory_write_rom_internal(AddressSpace *as,
     rcu_read_lock();
     while (len > 0) {
         l = len;
-        mr = address_space_translate(as, addr, &addr1, &l, true);
+        mr = address_space_translate(as, addr, &addr1, &l, true,
+                                     MEMTXATTRS_UNSPECIFIED);
 
         if (!(memory_region_is_ram(mr) ||
               memory_region_is_romd(mr))) {
@@ -XXX,XX +XXX,XX @@ void address_space_cache_destroy(MemoryRegionCache *cache)
  */
 static inline MemoryRegion *address_space_translate_cached(
     MemoryRegionCache *cache, hwaddr addr, hwaddr *xlat,
-    hwaddr *plen, bool is_write)
+    hwaddr *plen, bool is_write, MemTxAttrs attrs)
 {
     MemoryRegionSection section;
     MemoryRegion *mr;
@@ -XXX,XX +XXX,XX @@ address_space_read_cached_slow(MemoryRegionCache *cache, hwaddr addr,
     MemoryRegion *mr;
 
     l = len;
-    mr = address_space_translate_cached(cache, addr, &addr1, &l, false);
+    mr = address_space_translate_cached(cache, addr, &addr1, &l, false,
+                                        MEMTXATTRS_UNSPECIFIED);
     flatview_read_continue(cache->fv,
                            addr, MEMTXATTRS_UNSPECIFIED, buf, len,
                            addr1, l, mr);
@@ -XXX,XX +XXX,XX @@ address_space_write_cached_slow(MemoryRegionCache *cache, hwaddr addr,
     MemoryRegion *mr;
 
     l = len;
-    mr = address_space_translate_cached(cache, addr, &addr1, &l, true);
+    mr = address_space_translate_cached(cache, addr, &addr1, &l, true,
+                                        MEMTXATTRS_UNSPECIFIED);
     flatview_write_continue(cache->fv,
                             addr, MEMTXATTRS_UNSPECIFIED, buf, len,
                             addr1, l, mr);
@@ -XXX,XX +XXX,XX @@ bool cpu_physical_memory_is_io(hwaddr phys_addr)
 
     rcu_read_lock();
     mr = address_space_translate(&address_space_memory,
-                                 phys_addr, &phys_addr, &l, false);
+                                 phys_addr, &phys_addr, &l, false,
+                                 MEMTXATTRS_UNSPECIFIED);
 
     res = !(memory_region_is_ram(mr) || memory_region_is_romd(mr));
     rcu_read_unlock();
diff --git a/hw/vfio/common.c b/hw/vfio/common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/vfio/common.c
+++ b/hw/vfio/common.c
@@ -XXX,XX +XXX,XX @@ static bool vfio_get_vaddr(IOMMUTLBEntry *iotlb, void **vaddr,
      */
     mr = address_space_translate(&address_space_memory,
                                  iotlb->translated_addr,
-                                 &xlat, &len, writable);
+                                 &xlat, &len, writable,
+                                 MEMTXATTRS_UNSPECIFIED);
     if (!memory_region_is_ram(mr)) {
         error_report("iommu map to non memory area %"HWADDR_PRIx"",
                      xlat);
diff --git a/memory_ldst.inc.c b/memory_ldst.inc.c
index XXXXXXX..XXXXXXX 100644
--- a/memory_ldst.inc.c
+++ b/memory_ldst.inc.c
@@ -XXX,XX +XXX,XX @@ static inline uint32_t glue(address_space_ldl_internal, SUFFIX)(ARG1_DECL,
     bool release_lock = false;
 
     RCU_READ_LOCK();
-    mr = TRANSLATE(addr, &addr1, &l, false);
+    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
     if (l < 4 || !IS_DIRECT(mr, false)) {
         release_lock |= prepare_mmio_access(mr);
 
@@ -XXX,XX +XXX,XX @@ static inline uint64_t glue(address_space_ldq_internal, SUFFIX)(ARG1_DECL,
     bool release_lock = false;
 
     RCU_READ_LOCK();
-    mr = TRANSLATE(addr, &addr1, &l, false);
+    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
     if (l < 8 || !IS_DIRECT(mr, false)) {
         release_lock |= prepare_mmio_access(mr);
 
@@ -XXX,XX +XXX,XX @@ uint32_t glue(address_space_ldub, SUFFIX)(ARG1_DECL,
     bool release_lock = false;
 
     RCU_READ_LOCK();
-    mr = TRANSLATE(addr, &addr1, &l, false);
+    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
     if (!IS_DIRECT(mr, false)) {
         release_lock |= prepare_mmio_access(mr);
 
@@ -XXX,XX +XXX,XX @@ static inline uint32_t glue(address_space_lduw_internal, SUFFIX)(ARG1_DECL,
     bool release_lock = false;
 
     RCU_READ_LOCK();
-    mr = TRANSLATE(addr, &addr1, &l, false);
+    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
     if (l < 2 || !IS_DIRECT(mr, false)) {
         release_lock |= prepare_mmio_access(mr);
 
@@ -XXX,XX +XXX,XX @@ void glue(address_space_stl_notdirty, SUFFIX)(ARG1_DECL,
     bool release_lock = false;
 
     RCU_READ_LOCK();
-    mr = TRANSLATE(addr, &addr1, &l, true);
+    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
     if (l < 4 || !IS_DIRECT(mr, true)) {
         release_lock |= prepare_mmio_access(mr);
 
@@ -XXX,XX +XXX,XX @@ static inline void glue(address_space_stl_internal, SUFFIX)(ARG1_DECL,
     bool release_lock = false;
 
     RCU_READ_LOCK();
-    mr = TRANSLATE(addr, &addr1, &l, true);
+    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
     if (l < 4 || !IS_DIRECT(mr, true)) {
         release_lock |= prepare_mmio_access(mr);
 
@@ -XXX,XX +XXX,XX @@ void glue(address_space_stb, SUFFIX)(ARG1_DECL,
     bool release_lock = false;
 
     RCU_READ_LOCK();
-    mr = TRANSLATE(addr, &addr1, &l, true);
+    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
     if (!IS_DIRECT(mr, true)) {
         release_lock |= prepare_mmio_access(mr);
         r = memory_region_dispatch_write(mr, addr1, val, 1, attrs);
@@ -XXX,XX +XXX,XX @@ static inline void glue(address_space_stw_internal, SUFFIX)(ARG1_DECL,
     bool release_lock = false;
 
     RCU_READ_LOCK();
-    mr = TRANSLATE(addr, &addr1, &l, true);
+    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
     if (l < 2 || !IS_DIRECT(mr, true)) {
         release_lock |= prepare_mmio_access(mr);
 
@@ -XXX,XX +XXX,XX @@ static void glue(address_space_stq_internal, SUFFIX)(ARG1_DECL,
     bool release_lock = false;
 
     RCU_READ_LOCK();
-    mr = TRANSLATE(addr, &addr1, &l, true);
+    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
     if (l < 8 || !IS_DIRECT(mr, true)) {
         release_lock |= prepare_mmio_access(mr);
 
diff --git a/target/riscv/helper.c b/target/riscv/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/helper.c
+++ b/target/riscv/helper.c
@@ -XXX,XX +XXX,XX @@ restart:
                 MemoryRegion *mr;
                 hwaddr l = sizeof(target_ulong), addr1;
                 mr = address_space_translate(cs->as, pte_addr,
-                    &addr1, &l, false);
+                    &addr1, &l, false, MEMTXATTRS_UNSPECIFIED);
                 if (memory_access_is_direct(mr, true)) {
                     target_ulong *pte_pa =
                         qemu_map_ram_ptr(mr->ram_block, addr1);
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to address_space_map().
Its callers either have an attrs value to hand, or don't care
and can use MEMTXATTRS_UNSPECIFIED.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180521140402.23318-5-peter.maydell@linaro.org
---
 include/exec/memory.h   | 3 ++-
 include/sysemu/dma.h    | 3 ++-
 exec.c                  | 6 ++++--
 target/ppc/mmu-hash64.c | 3 ++-
 4 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/include/exec/memory.h b/include/exec/memory.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -XXX,XX +XXX,XX @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len, bool is_
  * @addr: address within that address space
  * @plen: pointer to length of buffer; updated on return
  * @is_write: indicates the transfer direction
+ * @attrs: memory attributes
  */
 void *address_space_map(AddressSpace *as, hwaddr addr,
-                        hwaddr *plen, bool is_write);
+                        hwaddr *plen, bool is_write, MemTxAttrs attrs);
 
 /* address_space_unmap: Unmaps a memory region previously mapped by address_space_map()
  *
diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
index XXXXXXX..XXXXXXX 100644
--- a/include/sysemu/dma.h
+++ b/include/sysemu/dma.h
@@ -XXX,XX +XXX,XX @@ static inline void *dma_memory_map(AddressSpace *as,
     hwaddr xlen = *len;
     void *p;
 
-    p = address_space_map(as, addr, &xlen, dir == DMA_DIRECTION_FROM_DEVICE);
+    p = address_space_map(as, addr, &xlen, dir == DMA_DIRECTION_FROM_DEVICE,
+                          MEMTXATTRS_UNSPECIFIED);
     *len = xlen;
     return p;
 }
diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ flatview_extend_translation(FlatView *fv, hwaddr addr,
 void *address_space_map(AddressSpace *as,
                         hwaddr addr,
                         hwaddr *plen,
-                        bool is_write)
+                        bool is_write,
+                        MemTxAttrs attrs)
 {
     hwaddr len = *plen;
     hwaddr l, xlat;
@@ -XXX,XX +XXX,XX @@ void *cpu_physical_memory_map(hwaddr addr,
                               hwaddr *plen,
                               int is_write)
 {
-    return address_space_map(&address_space_memory, addr, plen, is_write);
+    return address_space_map(&address_space_memory, addr, plen, is_write,
+                             MEMTXATTRS_UNSPECIFIED);
 }
 
 void cpu_physical_memory_unmap(void *buffer, hwaddr len,
diff --git a/target/ppc/mmu-hash64.c b/target/ppc/mmu-hash64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/ppc/mmu-hash64.c
+++ b/target/ppc/mmu-hash64.c
@@ -XXX,XX +XXX,XX @@ const ppc_hash_pte64_t *ppc_hash64_map_hptes(PowerPCCPU *cpu,
         return NULL;
     }
 
-    hptes = address_space_map(CPU(cpu)->as, base + pte_offset, &plen, false);
+    hptes = address_space_map(CPU(cpu)->as, base + pte_offset, &plen, false,
+                              MEMTXATTRS_UNSPECIFIED);
     if (plen < (n * HASH_PTE_SIZE_64)) {
         hw_error("%s: Unable to map all requested HPTEs\n", __func__);
     }
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to address_space_access_valid().
Its callers either have an attrs value to hand, or don't care
and can use MEMTXATTRS_UNSPECIFIED.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180521140402.23318-6-peter.maydell@linaro.org
---
 include/exec/memory.h      | 4 +++-
 include/sysemu/dma.h       | 3 ++-
 exec.c                     | 3 ++-
 target/s390x/diag.c        | 6 ++++--
 target/s390x/excp_helper.c | 3 ++-
 target/s390x/mmu_helper.c  | 3 ++-
 target/s390x/sigp.c        | 3 ++-
 7 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/include/exec/memory.h b/include/exec/memory.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -XXX,XX +XXX,XX @@ static inline MemoryRegion *address_space_translate(AddressSpace *as,
  * @addr: address within that address space
  * @len: length of the area to be checked
  * @is_write: indicates the transfer direction
+ * @attrs: memory attributes
  */
-bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len, bool is_write);
+bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len,
+                                bool is_write, MemTxAttrs attrs);
 
 /* address_space_map: map a physical memory region into a host virtual address
  *
diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
index XXXXXXX..XXXXXXX 100644
--- a/include/sysemu/dma.h
+++ b/include/sysemu/dma.h
@@ -XXX,XX +XXX,XX @@ static inline bool dma_memory_valid(AddressSpace *as,
                                     DMADirection dir)
 {
     return address_space_access_valid(as, addr, len,
-                                      dir == DMA_DIRECTION_FROM_DEVICE);
+                                      dir == DMA_DIRECTION_FROM_DEVICE,
+                                      MEMTXATTRS_UNSPECIFIED);
 }
 
 static inline int dma_memory_rw_relaxed(AddressSpace *as, dma_addr_t addr,
diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
 }
 
 bool address_space_access_valid(AddressSpace *as, hwaddr addr,
-                                int len, bool is_write)
+                                int len, bool is_write,
+                                MemTxAttrs attrs)
 {
     FlatView *fv;
     bool result;
diff --git a/target/s390x/diag.c b/target/s390x/diag.c
index XXXXXXX..XXXXXXX 100644
--- a/target/s390x/diag.c
+++ b/target/s390x/diag.c
@@ -XXX,XX +XXX,XX @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
             return;
         }
         if (!address_space_access_valid(&address_space_memory, addr,
-                                        sizeof(IplParameterBlock), false)) {
+                                        sizeof(IplParameterBlock), false,
+                                        MEMTXATTRS_UNSPECIFIED)) {
             s390_program_interrupt(env, PGM_ADDRESSING, ILEN_AUTO, ra);
             return;
         }
@@ -XXX,XX +XXX,XX @@ out:
             return;
         }
         if (!address_space_access_valid(&address_space_memory, addr,
-                                        sizeof(IplParameterBlock), true)) {
+                                        sizeof(IplParameterBlock), true,
+                                        MEMTXATTRS_UNSPECIFIED)) {
             s390_program_interrupt(env, PGM_ADDRESSING, ILEN_AUTO, ra);
             return;
         }
diff --git a/target/s390x/excp_helper.c b/target/s390x/excp_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/s390x/excp_helper.c
+++ b/target/s390x/excp_helper.c
@@ -XXX,XX +XXX,XX @@ int s390_cpu_handle_mmu_fault(CPUState *cs, vaddr orig_vaddr, int size,
 
     /* check out of RAM access */
     if (!address_space_access_valid(&address_space_memory, raddr,
-                                    TARGET_PAGE_SIZE, rw)) {
+                                    TARGET_PAGE_SIZE, rw,
+                                    MEMTXATTRS_UNSPECIFIED)) {
         DPRINTF("%s: raddr %" PRIx64 " > ram_size %" PRIx64 "\n", __func__,
                 (uint64_t)raddr, (uint64_t)ram_size);
         trigger_pgm_exception(env, PGM_ADDRESSING, ILEN_AUTO);
diff --git a/target/s390x/mmu_helper.c b/target/s390x/mmu_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/s390x/mmu_helper.c
+++ b/target/s390x/mmu_helper.c
@@ -XXX,XX +XXX,XX @@ static int translate_pages(S390CPU *cpu, vaddr addr, int nr_pages,
             return ret;
         }
         if (!address_space_access_valid(&address_space_memory, pages[i],
-                                        TARGET_PAGE_SIZE, is_write)) {
+                                        TARGET_PAGE_SIZE, is_write,
+                                        MEMTXATTRS_UNSPECIFIED)) {
             trigger_access_exception(env, PGM_ADDRESSING, ILEN_AUTO, 0);
             return -EFAULT;
         }
diff --git a/target/s390x/sigp.c b/target/s390x/sigp.c
index XXXXXXX..XXXXXXX 100644
--- a/target/s390x/sigp.c
+++ b/target/s390x/sigp.c
@@ -XXX,XX +XXX,XX @@ static void sigp_set_prefix(CPUState *cs, run_on_cpu_data arg)
     cpu_synchronize_state(cs);
 
     if (!address_space_access_valid(&address_space_memory, addr,
-                                    sizeof(struct LowCore), false)) {
+                                    sizeof(struct LowCore), false,
+                                    MEMTXATTRS_UNSPECIFIED)) {
         set_sigp_status(si, SIGP_STAT_INVALID_PARAMETER);
         return;
     }
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to flatview_extend_translation().
Its callers either have an attrs value to hand, or don't care
and can use MEMTXATTRS_UNSPECIFIED.

diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr,
 
 static hwaddr
 flatview_extend_translation(FlatView *fv, hwaddr addr,
-                                 hwaddr target_len,
-                                 MemoryRegion *mr, hwaddr base, hwaddr len,
-                                 bool is_write)
+                            hwaddr target_len,
+                            MemoryRegion *mr, hwaddr base, hwaddr len,
+                            bool is_write, MemTxAttrs attrs)
 {
     hwaddr done = 0;
     hwaddr xlat;
@@ -XXX,XX +XXX,XX @@ void *address_space_map(AddressSpace *as,
 
     memory_region_ref(mr);
     *plen = flatview_extend_translation(fv, addr, len, mr, xlat,
-                                             l, is_write);
+                                        l, is_write, attrs);
     ptr = qemu_ram_ptr_length(mr->ram_block, xlat, plen, true);
     rcu_read_unlock();
 
@@ -XXX,XX +XXX,XX @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
     mr = cache->mrs.mr;
     memory_region_ref(mr);
     if (memory_access_is_direct(mr, is_write)) {
+        /* We don't care about the memory attributes here as we're only
+         * doing this if we found actual RAM, which behaves the same
+         * regardless of attributes; so UNSPECIFIED is fine.
+         */
         l = flatview_extend_translation(cache->fv, addr, len, mr,
-                                        cache->xlat, l, is_write);
+                                        cache->xlat, l, is_write,
+                                        MEMTXATTRS_UNSPECIFIED);
         cache->ptr = qemu_ram_ptr_length(mr->ram_block, cache->xlat, &l, true);
     } else {
         cache->ptr = NULL;
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to memory_region_access_valid().
Its callers either have an attrs value to hand, or don't care
and can use MEMTXATTRS_UNSPECIFIED.

The callsite in flatview_access_valid() is part of a recursive
loop flatview_access_valid() -> memory_region_access_valid() ->
 subpage_accepts() -> flatview_access_valid(); we make it pass
MEMTXATTRS_UNSPECIFIED for now, until the next several commits
have plumbed an attrs parameter through the rest of the loop
and we can add an attrs parameter to flatview_access_valid().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180521140402.23318-8-peter.maydell@linaro.org
---
 include/exec/memory-internal.h | 3 ++-
 exec.c                         | 4 +++-
 hw/s390x/s390-pci-inst.c       | 3 ++-
 memory.c                       | 7 ++++---
 4 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/include/exec/memory-internal.h b/include/exec/memory-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memory-internal.h
+++ b/include/exec/memory-internal.h
@@ -XXX,XX +XXX,XX @@ void flatview_unref(FlatView *view);
 extern const MemoryRegionOps unassigned_mem_ops;
 
 bool memory_region_access_valid(MemoryRegion *mr, hwaddr addr,
-                                unsigned size, bool is_write);
+                                unsigned size, bool is_write,
+                                MemTxAttrs attrs);
 
 void flatview_add_to_dispatch(FlatView *fv, MemoryRegionSection *section);
 AddressSpaceDispatch *address_space_dispatch_new(FlatView *fv);
diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
         mr = flatview_translate(fv, addr, &xlat, &l, is_write);
         if (!memory_access_is_direct(mr, is_write)) {
             l = memory_access_size(mr, l, addr);
-            if (!memory_region_access_valid(mr, xlat, l, is_write)) {
+            /* When our callers all have attrs we'll pass them through here */
+            if (!memory_region_access_valid(mr, xlat, l, is_write,
+                                            MEMTXATTRS_UNSPECIFIED)) {
                 return false;
             }
         }
diff --git a/hw/s390x/s390-pci-inst.c b/hw/s390x/s390-pci-inst.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/s390x/s390-pci-inst.c
+++ b/hw/s390x/s390-pci-inst.c
@@ -XXX,XX +XXX,XX @@ int pcistb_service_call(S390CPU *cpu, uint8_t r1, uint8_t r3, uint64_t gaddr,
     mr = s390_get_subregion(mr, offset, len);
     offset -= mr->addr;
 
-    if (!memory_region_access_valid(mr, offset, len, true)) {
+    if (!memory_region_access_valid(mr, offset, len, true,
+                                    MEMTXATTRS_UNSPECIFIED)) {
         s390_program_interrupt(env, PGM_OPERAND, 6, ra);
         return 0;
     }
diff --git a/memory.c b/memory.c
index XXXXXXX..XXXXXXX 100644
--- a/memory.c
+++ b/memory.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps ram_device_mem_ops = {
 bool memory_region_access_valid(MemoryRegion *mr,
                                 hwaddr addr,
                                 unsigned size,
-                                bool is_write)
+                                bool is_write,
+                                MemTxAttrs attrs)
 {
     int access_size_min, access_size_max;
     int access_size, i;
@@ -XXX,XX +XXX,XX @@ MemTxResult memory_region_dispatch_read(MemoryRegion *mr,
 {
     MemTxResult r;
 
-    if (!memory_region_access_valid(mr, addr, size, false)) {
+    if (!memory_region_access_valid(mr, addr, size, false, attrs)) {
         *pval = unassigned_mem_read(mr, addr, size);
         return MEMTX_DECODE_ERROR;
     }
@@ -XXX,XX +XXX,XX @@ MemTxResult memory_region_dispatch_write(MemoryRegion *mr,
                                          unsigned size,
                                          MemTxAttrs attrs)
 {
-    if (!memory_region_access_valid(mr, addr, size, true)) {
+    if (!memory_region_access_valid(mr, addr, size, true, attrs)) {
         unassigned_mem_write(mr, addr, data, size);
         return MEMTX_DECODE_ERROR;
     }
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to the MemoryRegion valid.accepts
callback. We'll need this for subpage_accepts().

We could take the approach we used with the read and write
callbacks and add new a new _with_attrs version, but since there
are so few implementations of the accepts hook we just change
them all.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180521140402.23318-9-peter.maydell@linaro.org
---
 include/exec/memory.h |  3 ++-
 exec.c                |  9 ++++++---
 hw/hppa/dino.c        |  3 ++-
 hw/nvram/fw_cfg.c     | 12 ++++++++----
 hw/scsi/esp.c         |  3 ++-
 hw/xen/xen_pt_msi.c   |  3 ++-
 memory.c              |  5 +++--
 7 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/include/exec/memory.h b/include/exec/memory.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -XXX,XX +XXX,XX @@ struct MemoryRegionOps {
          * as a machine check exception).
          */
         bool (*accepts)(void *opaque, hwaddr addr,
-                        unsigned size, bool is_write);
+                        unsigned size, bool is_write,
+                        MemTxAttrs attrs);
     } valid;
     /* Internal implementation constraints: */
     struct {
diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ static void notdirty_mem_write(void *opaque, hwaddr ram_addr,
 }
 
 static bool notdirty_mem_accepts(void *opaque, hwaddr addr,
-                                 unsigned size, bool is_write)
+                                 unsigned size, bool is_write,
+                                 MemTxAttrs attrs)
 {
     return is_write;
 }
@@ -XXX,XX +XXX,XX @@ static MemTxResult subpage_write(void *opaque, hwaddr addr,
 }
 
 static bool subpage_accepts(void *opaque, hwaddr addr,
-                            unsigned len, bool is_write)
+                            unsigned len, bool is_write,
+                            MemTxAttrs attrs)
 {
     subpage_t *subpage = opaque;
 #if defined(DEBUG_SUBPAGE)
@@ -XXX,XX +XXX,XX @@ static void readonly_mem_write(void *opaque, hwaddr addr,
 }
 
 static bool readonly_mem_accepts(void *opaque, hwaddr addr,
-                                 unsigned size, bool is_write)
+                                 unsigned size, bool is_write,
+                                 MemTxAttrs attrs)
 {
     return is_write;
 }
diff --git a/hw/hppa/dino.c b/hw/hppa/dino.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/hppa/dino.c
+++ b/hw/hppa/dino.c
@@ -XXX,XX +XXX,XX @@ static void gsc_to_pci_forwarding(DinoState *s)
 }
 
 static bool dino_chip_mem_valid(void *opaque, hwaddr addr,
-                                unsigned size, bool is_write)
+                                unsigned size, bool is_write,
+                                MemTxAttrs attrs)
 {
     switch (addr) {
     case DINO_IAR0:
diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/nvram/fw_cfg.c
+++ b/hw/nvram/fw_cfg.c
@@ -XXX,XX +XXX,XX @@ static void fw_cfg_dma_mem_write(void *opaque, hwaddr addr,
 }
 
 static bool fw_cfg_dma_mem_valid(void *opaque, hwaddr addr,
-                                  unsigned size, bool is_write)
+                                 unsigned size, bool is_write,
+                                 MemTxAttrs attrs)
 {
     return !is_write || ((size == 4 && (addr == 0 || addr == 4)) ||
                          (size == 8 && addr == 0));
 }
 
 static bool fw_cfg_data_mem_valid(void *opaque, hwaddr addr,
-                                  unsigned size, bool is_write)
+                                  unsigned size, bool is_write,
+                                  MemTxAttrs attrs)
 {
     return addr == 0;
 }
@@ -XXX,XX +XXX,XX @@ static void fw_cfg_ctl_mem_write(void *opaque, hwaddr addr,
 }
 
 static bool fw_cfg_ctl_mem_valid(void *opaque, hwaddr addr,
-                                 unsigned size, bool is_write)
+                                 unsigned size, bool is_write,
+                                 MemTxAttrs attrs)
 {
     return is_write && size == 2;
 }
@@ -XXX,XX +XXX,XX @@ static void fw_cfg_comb_write(void *opaque, hwaddr addr,
 }
 
 static bool fw_cfg_comb_valid(void *opaque, hwaddr addr,
-                                  unsigned size, bool is_write)
+                              unsigned size, bool is_write,
+                              MemTxAttrs attrs)
 {
     return (size == 1) || (is_write && size == 2);
 }
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -XXX,XX +XXX,XX @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
 }
 
 static bool esp_mem_accepts(void *opaque, hwaddr addr,
-                            unsigned size, bool is_write)
+                            unsigned size, bool is_write,
+                            MemTxAttrs attrs)
 {
     return (size == 1) || (is_write && size == 4);
 }
diff --git a/hw/xen/xen_pt_msi.c b/hw/xen/xen_pt_msi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/xen/xen_pt_msi.c
+++ b/hw/xen/xen_pt_msi.c
@@ -XXX,XX +XXX,XX @@ static uint64_t pci_msix_read(void *opaque, hwaddr addr,
 }
 
 static bool pci_msix_accepts(void *opaque, hwaddr addr,
-                             unsigned size, bool is_write)
+                             unsigned size, bool is_write,
+                             MemTxAttrs attrs)
 {
     return !(addr & (size - 1));
 }
diff --git a/memory.c b/memory.c
index XXXXXXX..XXXXXXX 100644
--- a/memory.c
+++ b/memory.c
@@ -XXX,XX +XXX,XX @@ static void unassigned_mem_write(void *opaque, hwaddr addr,
 }
 
 static bool unassigned_mem_accepts(void *opaque, hwaddr addr,
-                                   unsigned size, bool is_write)
+                                   unsigned size, bool is_write,
+                                   MemTxAttrs attrs)
 {
     return false;
 }
@@ -XXX,XX +XXX,XX @@ bool memory_region_access_valid(MemoryRegion *mr,
     access_size = MAX(MIN(size, access_size_max), access_size_min);
     for (i = 0; i < size; i += access_size) {
         if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
-                                    is_write)) {
+                                    is_write, attrs)) {
             return false;
         }
     }
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to flatview_access_valid().
Its callers now all have an attrs value to hand, so we can
correct our earlier temporary use of MEMTXATTRS_UNSPECIFIED.

diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
 static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
                                   const uint8_t *buf, int len);
 static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
-                                  bool is_write);
+                                  bool is_write, MemTxAttrs attrs);
 
 static MemTxResult subpage_read(void *opaque, hwaddr addr, uint64_t *data,
                                 unsigned len, MemTxAttrs attrs)
@@ -XXX,XX +XXX,XX @@ static bool subpage_accepts(void *opaque, hwaddr addr,
 #endif
 
     return flatview_access_valid(subpage->fv, addr + subpage->base,
-                                 len, is_write);
+                                 len, is_write, attrs);
 }
 
 static const MemoryRegionOps subpage_ops = {
@@ -XXX,XX +XXX,XX @@ static void cpu_notify_map_clients(void)
 }
 
 static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
-                                  bool is_write)
+                                  bool is_write, MemTxAttrs attrs)
 {
     MemoryRegion *mr;
     hwaddr l, xlat;
@@ -XXX,XX +XXX,XX @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
         mr = flatview_translate(fv, addr, &xlat, &l, is_write);
         if (!memory_access_is_direct(mr, is_write)) {
             l = memory_access_size(mr, l, addr);
-            /* When our callers all have attrs we'll pass them through here */
-            if (!memory_region_access_valid(mr, xlat, l, is_write,
-                                            MEMTXATTRS_UNSPECIFIED)) {
+            if (!memory_region_access_valid(mr, xlat, l, is_write, attrs)) {
                 return false;
             }
         }
@@ -XXX,XX +XXX,XX @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr,
 
     rcu_read_lock();
     fv = address_space_to_flatview(as);
-    result = flatview_access_valid(fv, addr, len, is_write);
+    result = flatview_access_valid(fv, addr, len, is_write, attrs);
     rcu_read_unlock();
     return result;
 }
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to flatview_translate(); all its
callers now have attrs available.

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to address_space_get_iotlb_entry().

diff --git a/include/exec/memory.h b/include/exec/memory.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -XXX,XX +XXX,XX @@ void address_space_cache_destroy(MemoryRegionCache *cache);
  * entry. Should be called from an RCU critical section.
  */
 IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
-                                            bool is_write);
+                                            bool is_write, MemTxAttrs attrs);
 
 /* address_space_translate: translate an address range into an address space
  * into a MemoryRegion and an address range into that section.  Should be
diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection flatview_do_translate(FlatView *fv,
 
 /* Called from RCU critical section */
 IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
-                                            bool is_write)
+                                            bool is_write, MemTxAttrs attrs)
 {
     MemoryRegionSection section;
     hwaddr xlat, page_mask;
diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/virtio/vhost.c
+++ b/hw/virtio/vhost.c
@@ -XXX,XX +XXX,XX @@ int vhost_device_iotlb_miss(struct vhost_dev *dev, uint64_t iova, int write)
     trace_vhost_iotlb_miss(dev, 1);
 
     iotlb = address_space_get_iotlb_entry(dev->vdev->dma_as,
-                                          iova, write);
+                                          iova, write,
+                                          MEMTXATTRS_UNSPECIFIED);
     if (iotlb.target_as != NULL) {
         ret = vhost_memory_region_lookup(dev, iotlb.translated_addr,
                                          &uaddr, &len);
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to flatview_do_translate().

diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ unassigned:
  * @is_write: whether the translation operation is for write
  * @is_mmio: whether this can be MMIO, set true if it can
  * @target_as: the address space targeted by the IOMMU
+ * @attrs: memory transaction attributes
  *
  * This function is called from RCU critical section
  */
@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection flatview_do_translate(FlatView *fv,
                                                  hwaddr *page_mask_out,
                                                  bool is_write,
                                                  bool is_mmio,
-                                                 AddressSpace **target_as)
+                                                 AddressSpace **target_as,
+                                                 MemTxAttrs attrs)
 {
     MemoryRegionSection *section;
     IOMMUMemoryRegion *iommu_mr;
@@ -XXX,XX +XXX,XX @@ IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
      * but page mask.
      */
     section = flatview_do_translate(address_space_to_flatview(as), addr, &xlat,
-                                    NULL, &page_mask, is_write, false, &as);
+                                    NULL, &page_mask, is_write, false, &as,
+                                    attrs);
 
     /* Illegal translation */
     if (section.mr == &io_mem_unassigned) {
@@ -XXX,XX +XXX,XX @@ MemoryRegion *flatview_translate(FlatView *fv, hwaddr addr, hwaddr *xlat,
 
     /* This can be MMIO, so setup MMIO bit. */
     section = flatview_do_translate(fv, addr, xlat, plen, NULL,
-                                    is_write, true, &as);
+                                    is_write, true, &as, attrs);
     mr = section.mr;
 
     if (xen_enabled() && memory_access_is_direct(mr, is_write)) {
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to address_space_translate_iommu().

diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ address_space_translate_internal(AddressSpaceDispatch *d, hwaddr addr, hwaddr *x
  * @is_write: whether the translation operation is for write
  * @is_mmio: whether this can be MMIO, set true if it can
  * @target_as: the address space targeted by the IOMMU
+ * @attrs: transaction attributes
  *
  * This function is called from RCU critical section.  It is the common
  * part of flatview_do_translate and address_space_translate_cached.
@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection address_space_translate_iommu(IOMMUMemoryRegion *iomm
                                                          hwaddr *page_mask_out,
                                                          bool is_write,
                                                          bool is_mmio,
-                                                         AddressSpace **target_as)
+                                                         AddressSpace **target_as,
+                                                         MemTxAttrs attrs)
 {
     MemoryRegionSection *section;
     hwaddr page_mask = (hwaddr)-1;
@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection flatview_do_translate(FlatView *fv,
         return address_space_translate_iommu(iommu_mr, xlat,
                                              plen_out, page_mask_out,
                                              is_write, is_mmio,
-                                             target_as);
+                                             target_as, attrs);
     }
     if (page_mask_out) {
         /* Not behind an IOMMU, use default page size. */
@@ -XXX,XX +XXX,XX @@ static inline MemoryRegion *address_space_translate_cached(
 
     section = address_space_translate_iommu(iommu_mr, xlat, plen,
                                             NULL, is_write, true,
-                                            &target_as);
+                                            &target_as, attrs);
     return section.mr;
 }
 
-- 
2.17.1

From: Shannon Zhao <zhaoshenglong@huawei.com>

acpi_data_push uses g_array_set_size to resize the memory size. If there
is no enough contiguous memory, the address will be changed. So previous
pointer could not be used any more. It must update the pointer and use
the new one.

Also, previous codes wrongly use le32 conversion of iort->node_offset
for subsequent computations that will result incorrect value if host is
not litlle endian. So use the non-converted one instead.

Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Message-id: 1527663951-14552-1-git-send-email-zhaoshenglong@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt-acpi-build.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
     AcpiIortItsGroup *its;
     AcpiIortTable *iort;
     AcpiIortSmmu3 *smmu;
-    size_t node_size, iort_length, smmu_offset = 0;
+    size_t node_size, iort_node_offset, iort_length, smmu_offset = 0;
     AcpiIortRC *rc;
 
     iort = acpi_data_push(table_data, sizeof(*iort));
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
 
     iort_length = sizeof(*iort);
     iort->node_count = cpu_to_le32(nb_nodes);
-    iort->node_offset = cpu_to_le32(sizeof(*iort));
+    /*
+     * Use a copy in case table_data->data moves during acpi_data_push
+     * operations.
+     */
+    iort_node_offset = sizeof(*iort);
+    iort->node_offset = cpu_to_le32(iort_node_offset);
 
     /* ITS group node */
     node_size =  sizeof(*its) + sizeof(uint32_t);
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
         int irq =  vms->irqmap[VIRT_SMMU];
 
         /* SMMUv3 node */
-        smmu_offset = iort->node_offset + node_size;
+        smmu_offset = iort_node_offset + node_size;
         node_size = sizeof(*smmu) + sizeof(*idmap);
         iort_length += node_size;
         smmu = acpi_data_push(table_data, node_size);
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
         idmap->id_count = cpu_to_le32(0xFFFF);
         idmap->output_base = 0;
         /* output IORT node is the ITS group node (the first node) */
-        idmap->output_reference = cpu_to_le32(iort->node_offset);
+        idmap->output_reference = cpu_to_le32(iort_node_offset);
     }
 
     /* Root Complex Node */
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
         idmap->output_reference = cpu_to_le32(smmu_offset);
     } else {
         /* output IORT node is the ITS group node (the first node) */
-        idmap->output_reference = cpu_to_le32(iort->node_offset);
+        idmap->output_reference = cpu_to_le32(iort_node_offset);
     }
 
+    /*
+     * Update the pointer address in case table_data->data moves during above
+     * acpi_data_push operations.
+     */
+    iort = (AcpiIortTable *)(table_data->data + iort_start);
     iort->length = cpu_to_le32(iort_length);
 
     build_header(linker, table_data, (void *)(table_data->data + iort_start),
-- 
2.17.1

From: Shannon Zhao <zhaoshenglong@huawei.com>

kvm_irqchip_create called by kvm_init will call kvm_init_irq_routing to
initialize global capability variables. If we call kvm_init_irq_routing in
GIC realize function, previous allocated memory will leak.

Fix this by deleting the unnecessary call.

Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Message-id: 1527750994-14360-1-git-send-email-zhaoshenglong@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gic_kvm.c   | 1 -
 hw/intc/arm_gicv3_kvm.c | 1 -
 2 files changed, 2 deletions(-)

diff --git a/hw/intc/arm_gic_kvm.c b/hw/intc/arm_gic_kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gic_kvm.c
+++ b/hw/intc/arm_gic_kvm.c
@@ -XXX,XX +XXX,XX @@ static void kvm_arm_gic_realize(DeviceState *dev, Error **errp)
 
     if (kvm_has_gsi_routing()) {
         /* set up irq routing */
-        kvm_init_irq_routing(kvm_state);
         for (i = 0; i < s->num_irq - GIC_INTERNAL; ++i) {
             kvm_irqchip_add_irq_route(kvm_state, i, 0, i);
         }
diff --git a/hw/intc/arm_gicv3_kvm.c b/hw/intc/arm_gicv3_kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_kvm.c
+++ b/hw/intc/arm_gicv3_kvm.c
@@ -XXX,XX +XXX,XX @@ static void kvm_arm_gicv3_realize(DeviceState *dev, Error **errp)
 
     if (kvm_has_gsi_routing()) {
         /* set up irq routing */
-        kvm_init_irq_routing(kvm_state);
         for (i = 0; i < s->num_irq - GIC_INTERNAL; ++i) {
             kvm_irqchip_add_irq_route(kvm_state, i, 0, i);
         }
-- 
2.17.1

First arm pullreq of 4.2...

thanks
-- PMM

The following changes since commit 27608c7c66bd923eb5e5faab80e795408cbe2b51:

Merge remote-tracking branch 'remotes/dgilbert/tags/pull-migration-20190814a' into staging (2019-08-16 12:00:18 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190816

for you to fetch changes up to 664b7e3b97d6376f3329986c465b3782458b0f8b:

target/arm: Use tcg_gen_extrh_i64_i32 to extract the high word (2019-08-16 14:02:53 +0100)

----------------------------------------------------------------
target-arm queue:
 * target/arm: generate a custom MIDR for -cpu max
 * hw/misc/zynq_slcr: refactor to use standard register definition
 * Set ENET_BD_BDU in I.MX FEC controller
 * target/arm: Fix routing of singlestep exceptions
 * refactor a32/t32 decoder handling of PC
 * minor optimisations/cleanups of some a32/t32 codegen
 * target/arm/cpu64: Ensure kvm really supports aarch64=off
 * target/arm/cpu: Ensure we can use the pmu with kvm
 * target/arm: Minor cleanups preparatory to KVM SVE support

----------------------------------------------------------------
Aaron Hill (1):
      Set ENET_BD_BDU in I.MX FEC controller

Alex Bennée (1):
      target/arm: generate a custom MIDR for -cpu max

Andrew Jones (6):
      target/arm/cpu64: Ensure kvm really supports aarch64=off
      target/arm/cpu: Ensure we can use the pmu with kvm
      target/arm/helper: zcr: Add build bug next to value range assumption
      target/arm/cpu: Use div-round-up to determine predicate register array size
      target/arm/kvm64: Fix error returns
      target/arm/kvm64: Move the get/put of fpsimd registers out

Damien Hedde (1):
      hw/misc/zynq_slcr: use standard register definition

Peter Maydell (2):
      target/arm: Factor out 'generate singlestep exception' function
      target/arm: Fix routing of singlestep exceptions

Richard Henderson (18):
      target/arm: Pass in pc to thumb_insn_is_16bit
      target/arm: Introduce pc_curr
      target/arm: Introduce read_pc
      target/arm: Introduce add_reg_for_lit
      target/arm: Remove redundant s->pc & ~1
      target/arm: Replace s->pc with s->base.pc_next
      target/arm: Replace offset with pc in gen_exception_insn
      target/arm: Replace offset with pc in gen_exception_internal_insn
      target/arm: Remove offset argument to gen_exception_bkpt_insn
      target/arm: Use unallocated_encoding for aarch32
      target/arm: Remove helper_double_saturate
      target/arm: Use tcg_gen_extract_i32 for shifter_out_im
      target/arm: Use tcg_gen_deposit_i32 for PKHBT, PKHTB
      target/arm: Remove redundant shift tests
      target/arm: Use ror32 instead of open-coding the operation
      target/arm: Use tcg_gen_rotri_i32 for gen_swap_half
      target/arm: Simplify SMMLA, SMMLAR, SMMLS, SMMLSR
      target/arm: Use tcg_gen_extrh_i64_i32 to extract the high word

From: Alex Bennée <alex.bennee@linaro.org>

While most features are now detected by probing the ID_* registers
kernels can (and do) use MIDR_EL1 for working out of they have to
apply errata. This can trip up warnings in the kernel as it tries to
work out if it should apply workarounds to features that don't
actually exist in the reported CPU type.

Avoid this problem by synthesising our own MIDR value.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190726113950.7499-1-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h   |  6 ++++++
 target/arm/cpu64.c | 19 +++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ FIELD(V7M_FPCCR, ASPEN, 31, 1)
 /*
  * System register ID fields.
  */
+FIELD(MIDR_EL1, REVISION, 0, 4)
+FIELD(MIDR_EL1, PARTNUM, 4, 12)
+FIELD(MIDR_EL1, ARCHITECTURE, 16, 4)
+FIELD(MIDR_EL1, VARIANT, 20, 4)
+FIELD(MIDR_EL1, IMPLEMENTER, 24, 8)
+
 FIELD(ID_ISAR0, SWAP, 0, 4)
 FIELD(ID_ISAR0, BITCOUNT, 4, 4)
 FIELD(ID_ISAR0, BITFIELD, 8, 4)
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
         uint32_t u;
         aarch64_a57_initfn(obj);
 
+        /*
+         * Reset MIDR so the guest doesn't mistake our 'max' CPU type for a real
+         * one and try to apply errata workarounds or use impdef features we
+         * don't provide.
+         * An IMPLEMENTER field of 0 means "reserved for software use";
+         * ARCHITECTURE must be 0xf indicating "v7 or later, check ID registers
+         * to see which features are present";
+         * the VARIANT, PARTNUM and REVISION fields are all implementation
+         * defined and we choose to define PARTNUM just in case guest
+         * code needs to distinguish this QEMU CPU from other software
+         * implementations, though this shouldn't be needed.
+         */
+        t = FIELD_DP64(0, MIDR_EL1, IMPLEMENTER, 0);
+        t = FIELD_DP64(t, MIDR_EL1, ARCHITECTURE, 0xf);
+        t = FIELD_DP64(t, MIDR_EL1, PARTNUM, 'Q');
+        t = FIELD_DP64(t, MIDR_EL1, VARIANT, 0);
+        t = FIELD_DP64(t, MIDR_EL1, REVISION, 0);
+        cpu->midr = t;
+
         t = cpu->isar.id_aa64isar0;
         t = FIELD_DP64(t, ID_AA64ISAR0, AES, 2); /* AES + PMULL */
         t = FIELD_DP64(t, ID_AA64ISAR0, SHA1, 1);
-- 
2.20.1

From: Damien Hedde <damien.hedde@greensocs.com>

Replace the zynq_slcr registers enum and macros using the
hw/registerfields.h macros.

Signed-off-by: Damien Hedde <damien.hedde@greensocs.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20190729145654.14644-30-damien.hedde@greensocs.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/zynq_slcr.c | 450 ++++++++++++++++++++++----------------------
 1 file changed, 225 insertions(+), 225 deletions(-)

diff --git a/hw/misc/zynq_slcr.c b/hw/misc/zynq_slcr.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/zynq_slcr.c
+++ b/hw/misc/zynq_slcr.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/sysemu.h"
 #include "qemu/log.h"
 #include "qemu/module.h"
+#include "hw/registerfields.h"
 
 #ifndef ZYNQ_SLCR_ERR_DEBUG
 #define ZYNQ_SLCR_ERR_DEBUG 0
@@ -XXX,XX +XXX,XX @@
 #define XILINX_LOCK_KEY 0x767b
 #define XILINX_UNLOCK_KEY 0xdf0d
 
-#define R_PSS_RST_CTRL_SOFT_RST 0x1
+REG32(SCL, 0x000)
+REG32(LOCK, 0x004)
+REG32(UNLOCK, 0x008)
+REG32(LOCKSTA, 0x00c)
 
-enum {
-    SCL             = 0x000 / 4,
-    LOCK,
-    UNLOCK,
-    LOCKSTA,
+REG32(ARM_PLL_CTRL, 0x100)
+REG32(DDR_PLL_CTRL, 0x104)
+REG32(IO_PLL_CTRL, 0x108)
+REG32(PLL_STATUS, 0x10c)
+REG32(ARM_PLL_CFG, 0x110)
+REG32(DDR_PLL_CFG, 0x114)
+REG32(IO_PLL_CFG, 0x118)
 
-    ARM_PLL_CTRL    = 0x100 / 4,
-    DDR_PLL_CTRL,
-    IO_PLL_CTRL,
-    PLL_STATUS,
-    ARM_PLL_CFG,
-    DDR_PLL_CFG,
-    IO_PLL_CFG,
-
-    ARM_CLK_CTRL    = 0x120 / 4,
-    DDR_CLK_CTRL,
-    DCI_CLK_CTRL,
-    APER_CLK_CTRL,
-    USB0_CLK_CTRL,
-    USB1_CLK_CTRL,
-    GEM0_RCLK_CTRL,
-    GEM1_RCLK_CTRL,
-    GEM0_CLK_CTRL,
-    GEM1_CLK_CTRL,
-    SMC_CLK_CTRL,
-    LQSPI_CLK_CTRL,
-    SDIO_CLK_CTRL,
-    UART_CLK_CTRL,
-    SPI_CLK_CTRL,
-    CAN_CLK_CTRL,
-    CAN_MIOCLK_CTRL,
-    DBG_CLK_CTRL,
-    PCAP_CLK_CTRL,
-    TOPSW_CLK_CTRL,
+REG32(ARM_CLK_CTRL, 0x120)
+REG32(DDR_CLK_CTRL, 0x124)
+REG32(DCI_CLK_CTRL, 0x128)
+REG32(APER_CLK_CTRL, 0x12c)
+REG32(USB0_CLK_CTRL, 0x130)
+REG32(USB1_CLK_CTRL, 0x134)
+REG32(GEM0_RCLK_CTRL, 0x138)
+REG32(GEM1_RCLK_CTRL, 0x13c)
+REG32(GEM0_CLK_CTRL, 0x140)
+REG32(GEM1_CLK_CTRL, 0x144)
+REG32(SMC_CLK_CTRL, 0x148)
+REG32(LQSPI_CLK_CTRL, 0x14c)
+REG32(SDIO_CLK_CTRL, 0x150)
+REG32(UART_CLK_CTRL, 0x154)
+REG32(SPI_CLK_CTRL, 0x158)
+REG32(CAN_CLK_CTRL, 0x15c)
+REG32(CAN_MIOCLK_CTRL, 0x160)
+REG32(DBG_CLK_CTRL, 0x164)
+REG32(PCAP_CLK_CTRL, 0x168)
+REG32(TOPSW_CLK_CTRL, 0x16c)
 
 #define FPGA_CTRL_REGS(n, start) \
-    FPGA ## n ## _CLK_CTRL = (start) / 4, \
-    FPGA ## n ## _THR_CTRL, \
-    FPGA ## n ## _THR_CNT, \
-    FPGA ## n ## _THR_STA,
-    FPGA_CTRL_REGS(0, 0x170)
-    FPGA_CTRL_REGS(1, 0x180)
-    FPGA_CTRL_REGS(2, 0x190)
-    FPGA_CTRL_REGS(3, 0x1a0)
+    REG32(FPGA ## n ## _CLK_CTRL, (start)) \
+    REG32(FPGA ## n ## _THR_CTRL, (start) + 0x4)\
+    REG32(FPGA ## n ## _THR_CNT,  (start) + 0x8)\
+    REG32(FPGA ## n ## _THR_STA,  (start) + 0xc)
+FPGA_CTRL_REGS(0, 0x170)
+FPGA_CTRL_REGS(1, 0x180)
+FPGA_CTRL_REGS(2, 0x190)
+FPGA_CTRL_REGS(3, 0x1a0)
 
-    BANDGAP_TRIP    = 0x1b8 / 4,
-    PLL_PREDIVISOR  = 0x1c0 / 4,
-    CLK_621_TRUE,
+REG32(BANDGAP_TRIP, 0x1b8)
+REG32(PLL_PREDIVISOR, 0x1c0)
+REG32(CLK_621_TRUE, 0x1c4)
 
-    PSS_RST_CTRL    = 0x200 / 4,
-    DDR_RST_CTRL,
-    TOPSW_RESET_CTRL,
-    DMAC_RST_CTRL,
-    USB_RST_CTRL,
-    GEM_RST_CTRL,
-    SDIO_RST_CTRL,
-    SPI_RST_CTRL,
-    CAN_RST_CTRL,
-    I2C_RST_CTRL,
-    UART_RST_CTRL,
-    GPIO_RST_CTRL,
-    LQSPI_RST_CTRL,
-    SMC_RST_CTRL,
-    OCM_RST_CTRL,
-    FPGA_RST_CTRL   = 0x240 / 4,
-    A9_CPU_RST_CTRL,
+REG32(PSS_RST_CTRL, 0x200)
+    FIELD(PSS_RST_CTRL, SOFT_RST, 0, 1)
+REG32(DDR_RST_CTRL, 0x204)
+REG32(TOPSW_RESET_CTRL, 0x208)
+REG32(DMAC_RST_CTRL, 0x20c)
+REG32(USB_RST_CTRL, 0x210)
+REG32(GEM_RST_CTRL, 0x214)
+REG32(SDIO_RST_CTRL, 0x218)
+REG32(SPI_RST_CTRL, 0x21c)
+REG32(CAN_RST_CTRL, 0x220)
+REG32(I2C_RST_CTRL, 0x224)
+REG32(UART_RST_CTRL, 0x228)
+REG32(GPIO_RST_CTRL, 0x22c)
+REG32(LQSPI_RST_CTRL, 0x230)
+REG32(SMC_RST_CTRL, 0x234)
+REG32(OCM_RST_CTRL, 0x238)
+REG32(FPGA_RST_CTRL, 0x240)
+REG32(A9_CPU_RST_CTRL, 0x244)
 
-    RS_AWDT_CTRL    = 0x24c / 4,
-    RST_REASON,
+REG32(RS_AWDT_CTRL, 0x24c)
+REG32(RST_REASON, 0x250)
 
-    REBOOT_STATUS   = 0x258 / 4,
-    BOOT_MODE,
+REG32(REBOOT_STATUS, 0x258)
+REG32(BOOT_MODE, 0x25c)
 
-    APU_CTRL        = 0x300 / 4,
-    WDT_CLK_SEL,
+REG32(APU_CTRL, 0x300)
+REG32(WDT_CLK_SEL, 0x304)
 
-    TZ_DMA_NS       = 0x440 / 4,
-    TZ_DMA_IRQ_NS,
-    TZ_DMA_PERIPH_NS,
+REG32(TZ_DMA_NS, 0x440)
+REG32(TZ_DMA_IRQ_NS, 0x444)
+REG32(TZ_DMA_PERIPH_NS, 0x448)
 
-    PSS_IDCODE      = 0x530 / 4,
+REG32(PSS_IDCODE, 0x530)
 
-    DDR_URGENT      = 0x600 / 4,
-    DDR_CAL_START   = 0x60c / 4,
-    DDR_REF_START   = 0x614 / 4,
-    DDR_CMD_STA,
-    DDR_URGENT_SEL,
-    DDR_DFI_STATUS,
+REG32(DDR_URGENT, 0x600)
+REG32(DDR_CAL_START, 0x60c)
+REG32(DDR_REF_START, 0x614)
+REG32(DDR_CMD_STA, 0x618)
+REG32(DDR_URGENT_SEL, 0x61c)
+REG32(DDR_DFI_STATUS, 0x620)
 
-    MIO             = 0x700 / 4,
+REG32(MIO, 0x700)
 #define MIO_LENGTH 54
 
-    MIO_LOOPBACK    = 0x804 / 4,
-    MIO_MST_TRI0,
-    MIO_MST_TRI1,
+REG32(MIO_LOOPBACK, 0x804)
+REG32(MIO_MST_TRI0, 0x808)
+REG32(MIO_MST_TRI1, 0x80c)
 
-    SD0_WP_CD_SEL   = 0x830 / 4,
-    SD1_WP_CD_SEL,
+REG32(SD0_WP_CD_SEL, 0x830)
+REG32(SD1_WP_CD_SEL, 0x834)
 
-    LVL_SHFTR_EN    = 0x900 / 4,
-    OCM_CFG         = 0x910 / 4,
+REG32(LVL_SHFTR_EN, 0x900)
+REG32(OCM_CFG, 0x910)
 
-    CPU_RAM         = 0xa00 / 4,
+REG32(CPU_RAM, 0xa00)
 
-    IOU             = 0xa30 / 4,
+REG32(IOU, 0xa30)
 
-    DMAC_RAM        = 0xa50 / 4,
+REG32(DMAC_RAM, 0xa50)
 
-    AFI0            = 0xa60 / 4,
-    AFI1 = AFI0 + 3,
-    AFI2 = AFI1 + 3,
-    AFI3 = AFI2 + 3,
+REG32(AFI0, 0xa60)
+REG32(AFI1, 0xa6c)
+REG32(AFI2, 0xa78)
+REG32(AFI3, 0xa84)
 #define AFI_LENGTH 3
 
-    OCM             = 0xa90 / 4,
+REG32(OCM, 0xa90)
 
-    DEVCI_RAM       = 0xaa0 / 4,
+REG32(DEVCI_RAM, 0xaa0)
 
-    CSG_RAM         = 0xab0 / 4,
+REG32(CSG_RAM, 0xab0)
 
-    GPIOB_CTRL      = 0xb00 / 4,
-    GPIOB_CFG_CMOS18,
-    GPIOB_CFG_CMOS25,
-    GPIOB_CFG_CMOS33,
-    GPIOB_CFG_HSTL  = 0xb14 / 4,
-    GPIOB_DRVR_BIAS_CTRL,
+REG32(GPIOB_CTRL, 0xb00)
+REG32(GPIOB_CFG_CMOS18, 0xb04)
+REG32(GPIOB_CFG_CMOS25, 0xb08)
+REG32(GPIOB_CFG_CMOS33, 0xb0c)
+REG32(GPIOB_CFG_HSTL, 0xb14)
+REG32(GPIOB_DRVR_BIAS_CTRL, 0xb18)
 
-    DDRIOB          = 0xb40 / 4,
+REG32(DDRIOB, 0xb40)
 #define DDRIOB_LENGTH 14
-};
 
 #define ZYNQ_SLCR_MMIO_SIZE     0x1000
 #define ZYNQ_SLCR_NUM_REGS      (ZYNQ_SLCR_MMIO_SIZE / 4)
@@ -XXX,XX +XXX,XX @@ static void zynq_slcr_reset(DeviceState *d)
 
     DB_PRINT("RESET\n");
 
-    s->regs[LOCKSTA] = 1;
+    s->regs[R_LOCKSTA] = 1;
     /* 0x100 - 0x11C */
-    s->regs[ARM_PLL_CTRL]   = 0x0001A008;
-    s->regs[DDR_PLL_CTRL]   = 0x0001A008;
-    s->regs[IO_PLL_CTRL]    = 0x0001A008;
-    s->regs[PLL_STATUS]     = 0x0000003F;
-    s->regs[ARM_PLL_CFG]    = 0x00014000;
-    s->regs[DDR_PLL_CFG]    = 0x00014000;
-    s->regs[IO_PLL_CFG]     = 0x00014000;
+    s->regs[R_ARM_PLL_CTRL]   = 0x0001A008;
+    s->regs[R_DDR_PLL_CTRL]   = 0x0001A008;
+    s->regs[R_IO_PLL_CTRL]    = 0x0001A008;
+    s->regs[R_PLL_STATUS]     = 0x0000003F;
+    s->regs[R_ARM_PLL_CFG]    = 0x00014000;
+    s->regs[R_DDR_PLL_CFG]    = 0x00014000;
+    s->regs[R_IO_PLL_CFG]     = 0x00014000;
 
     /* 0x120 - 0x16C */
-    s->regs[ARM_CLK_CTRL]   = 0x1F000400;
-    s->regs[DDR_CLK_CTRL]   = 0x18400003;
-    s->regs[DCI_CLK_CTRL]   = 0x01E03201;
-    s->regs[APER_CLK_CTRL]  = 0x01FFCCCD;
-    s->regs[USB0_CLK_CTRL]  = s->regs[USB1_CLK_CTRL]    = 0x00101941;
-    s->regs[GEM0_RCLK_CTRL] = s->regs[GEM1_RCLK_CTRL]   = 0x00000001;
-    s->regs[GEM0_CLK_CTRL]  = s->regs[GEM1_CLK_CTRL]    = 0x00003C01;
-    s->regs[SMC_CLK_CTRL]   = 0x00003C01;
-    s->regs[LQSPI_CLK_CTRL] = 0x00002821;
-    s->regs[SDIO_CLK_CTRL]  = 0x00001E03;
-    s->regs[UART_CLK_CTRL]  = 0x00003F03;
-    s->regs[SPI_CLK_CTRL]   = 0x00003F03;
-    s->regs[CAN_CLK_CTRL]   = 0x00501903;
-    s->regs[DBG_CLK_CTRL]   = 0x00000F03;
-    s->regs[PCAP_CLK_CTRL]  = 0x00000F01;
+    s->regs[R_ARM_CLK_CTRL]   = 0x1F000400;
+    s->regs[R_DDR_CLK_CTRL]   = 0x18400003;
+    s->regs[R_DCI_CLK_CTRL]   = 0x01E03201;
+    s->regs[R_APER_CLK_CTRL]  = 0x01FFCCCD;
+    s->regs[R_USB0_CLK_CTRL]  = s->regs[R_USB1_CLK_CTRL]  = 0x00101941;
+    s->regs[R_GEM0_RCLK_CTRL] = s->regs[R_GEM1_RCLK_CTRL] = 0x00000001;
+    s->regs[R_GEM0_CLK_CTRL]  = s->regs[R_GEM1_CLK_CTRL]  = 0x00003C01;
+    s->regs[R_SMC_CLK_CTRL]   = 0x00003C01;
+    s->regs[R_LQSPI_CLK_CTRL] = 0x00002821;
+    s->regs[R_SDIO_CLK_CTRL]  = 0x00001E03;
+    s->regs[R_UART_CLK_CTRL]  = 0x00003F03;
+    s->regs[R_SPI_CLK_CTRL]   = 0x00003F03;
+    s->regs[R_CAN_CLK_CTRL]   = 0x00501903;
+    s->regs[R_DBG_CLK_CTRL]   = 0x00000F03;
+    s->regs[R_PCAP_CLK_CTRL]  = 0x00000F01;
 
     /* 0x170 - 0x1AC */
-    s->regs[FPGA0_CLK_CTRL] = s->regs[FPGA1_CLK_CTRL] = s->regs[FPGA2_CLK_CTRL]
-                            = s->regs[FPGA3_CLK_CTRL] = 0x00101800;
-    s->regs[FPGA0_THR_STA] = s->regs[FPGA1_THR_STA] = s->regs[FPGA2_THR_STA]
-                           = s->regs[FPGA3_THR_STA] = 0x00010000;
+    s->regs[R_FPGA0_CLK_CTRL] = s->regs[R_FPGA1_CLK_CTRL]
+                              = s->regs[R_FPGA2_CLK_CTRL]
+                              = s->regs[R_FPGA3_CLK_CTRL] = 0x00101800;
+    s->regs[R_FPGA0_THR_STA] = s->regs[R_FPGA1_THR_STA]
+                             = s->regs[R_FPGA2_THR_STA]
+                             = s->regs[R_FPGA3_THR_STA] = 0x00010000;
 
     /* 0x1B0 - 0x1D8 */
-    s->regs[BANDGAP_TRIP]   = 0x0000001F;
-    s->regs[PLL_PREDIVISOR] = 0x00000001;
-    s->regs[CLK_621_TRUE]   = 0x00000001;
+    s->regs[R_BANDGAP_TRIP]   = 0x0000001F;
+    s->regs[R_PLL_PREDIVISOR] = 0x00000001;
+    s->regs[R_CLK_621_TRUE]   = 0x00000001;
 
     /* 0x200 - 0x25C */
-    s->regs[FPGA_RST_CTRL]  = 0x01F33F0F;
-    s->regs[RST_REASON]     = 0x00000040;
+    s->regs[R_FPGA_RST_CTRL]  = 0x01F33F0F;
+    s->regs[R_RST_REASON]     = 0x00000040;
 
-    s->regs[BOOT_MODE]      = 0x00000001;
+    s->regs[R_BOOT_MODE]      = 0x00000001;
 
     /* 0x700 - 0x7D4 */
     for (i = 0; i < 54; i++) {
-        s->regs[MIO + i] = 0x00001601;
+        s->regs[R_MIO + i] = 0x00001601;
     }
     for (i = 2; i <= 8; i++) {
-        s->regs[MIO + i] = 0x00000601;
+        s->regs[R_MIO + i] = 0x00000601;
     }
 
-    s->regs[MIO_MST_TRI0] = s->regs[MIO_MST_TRI1] = 0xFFFFFFFF;
+    s->regs[R_MIO_MST_TRI0] = s->regs[R_MIO_MST_TRI1] = 0xFFFFFFFF;
 
-    s->regs[CPU_RAM + 0] = s->regs[CPU_RAM + 1] = s->regs[CPU_RAM + 3]
-                         = s->regs[CPU_RAM + 4] = s->regs[CPU_RAM + 7]
-                         = 0x00010101;
-    s->regs[CPU_RAM + 2] = s->regs[CPU_RAM + 5] = 0x01010101;
-    s->regs[CPU_RAM + 6] = 0x00000001;
+    s->regs[R_CPU_RAM + 0] = s->regs[R_CPU_RAM + 1] = s->regs[R_CPU_RAM + 3]
+                           = s->regs[R_CPU_RAM + 4] = s->regs[R_CPU_RAM + 7]
+                           = 0x00010101;
+    s->regs[R_CPU_RAM + 2] = s->regs[R_CPU_RAM + 5] = 0x01010101;
+    s->regs[R_CPU_RAM + 6] = 0x00000001;
 
-    s->regs[IOU + 0] = s->regs[IOU + 1] = s->regs[IOU + 2] = s->regs[IOU + 3]
-                     = 0x09090909;
-    s->regs[IOU + 4] = s->regs[IOU + 5] = 0x00090909;
-    s->regs[IOU + 6] = 0x00000909;
+    s->regs[R_IOU + 0] = s->regs[R_IOU + 1] = s->regs[R_IOU + 2]
+                       = s->regs[R_IOU + 3] = 0x09090909;
+    s->regs[R_IOU + 4] = s->regs[R_IOU + 5] = 0x00090909;
+    s->regs[R_IOU + 6] = 0x00000909;
 
-    s->regs[DMAC_RAM] = 0x00000009;
+    s->regs[R_DMAC_RAM] = 0x00000009;
 
-    s->regs[AFI0 + 0] = s->regs[AFI0 + 1] = 0x09090909;
-    s->regs[AFI1 + 0] = s->regs[AFI1 + 1] = 0x09090909;
-    s->regs[AFI2 + 0] = s->regs[AFI2 + 1] = 0x09090909;
-    s->regs[AFI3 + 0] = s->regs[AFI3 + 1] = 0x09090909;
-    s->regs[AFI0 + 2] = s->regs[AFI1 + 2] = s->regs[AFI2 + 2]
-                      = s->regs[AFI3 + 2] = 0x00000909;
+    s->regs[R_AFI0 + 0] = s->regs[R_AFI0 + 1] = 0x09090909;
+    s->regs[R_AFI1 + 0] = s->regs[R_AFI1 + 1] = 0x09090909;
+    s->regs[R_AFI2 + 0] = s->regs[R_AFI2 + 1] = 0x09090909;
+    s->regs[R_AFI3 + 0] = s->regs[R_AFI3 + 1] = 0x09090909;
+    s->regs[R_AFI0 + 2] = s->regs[R_AFI1 + 2] = s->regs[R_AFI2 + 2]
+                        = s->regs[R_AFI3 + 2] = 0x00000909;
 
-    s->regs[OCM + 0]    = 0x01010101;
-    s->regs[OCM + 1]    = s->regs[OCM + 2] = 0x09090909;
+    s->regs[R_OCM + 0] = 0x01010101;
+    s->regs[R_OCM + 1] = s->regs[R_OCM + 2] = 0x09090909;
 
-    s->regs[DEVCI_RAM]  = 0x00000909;
-    s->regs[CSG_RAM]    = 0x00000001;
+    s->regs[R_DEVCI_RAM] = 0x00000909;
+    s->regs[R_CSG_RAM]   = 0x00000001;
 
-    s->regs[DDRIOB + 0] = s->regs[DDRIOB + 1] = s->regs[DDRIOB + 2]
-                        = s->regs[DDRIOB + 3] = 0x00000e00;
-    s->regs[DDRIOB + 4] = s->regs[DDRIOB + 5] = s->regs[DDRIOB + 6]
-                        = 0x00000e00;
-    s->regs[DDRIOB + 12] = 0x00000021;
+    s->regs[R_DDRIOB + 0] = s->regs[R_DDRIOB + 1] = s->regs[R_DDRIOB + 2]
+                          = s->regs[R_DDRIOB + 3] = 0x00000e00;
+    s->regs[R_DDRIOB + 4] = s->regs[R_DDRIOB + 5] = s->regs[R_DDRIOB + 6]
+                          = 0x00000e00;
+    s->regs[R_DDRIOB + 12] = 0x00000021;
 }
 
 
 static bool zynq_slcr_check_offset(hwaddr offset, bool rnw)
 {
     switch (offset) {
-    case LOCK:
-    case UNLOCK:
-    case DDR_CAL_START:
-    case DDR_REF_START:
+    case R_LOCK:
+    case R_UNLOCK:
+    case R_DDR_CAL_START:
+    case R_DDR_REF_START:
         return !rnw; /* Write only */
-    case LOCKSTA:
-    case FPGA0_THR_STA:
-    case FPGA1_THR_STA:
-    case FPGA2_THR_STA:
-    case FPGA3_THR_STA:
-    case BOOT_MODE:
-    case PSS_IDCODE:
-    case DDR_CMD_STA:
-    case DDR_DFI_STATUS:
-    case PLL_STATUS:
+    case R_LOCKSTA:
+    case R_FPGA0_THR_STA:
+    case R_FPGA1_THR_STA:
+    case R_FPGA2_THR_STA:
+    case R_FPGA3_THR_STA:
+    case R_BOOT_MODE:
+    case R_PSS_IDCODE:
+    case R_DDR_CMD_STA:
+    case R_DDR_DFI_STATUS:
+    case R_PLL_STATUS:
         return rnw;/* read only */
-    case SCL:
-    case ARM_PLL_CTRL ... IO_PLL_CTRL:
-    case ARM_PLL_CFG ... IO_PLL_CFG:
-    case ARM_CLK_CTRL ... TOPSW_CLK_CTRL:
-    case FPGA0_CLK_CTRL ... FPGA0_THR_CNT:
-    case FPGA1_CLK_CTRL ... FPGA1_THR_CNT:
-    case FPGA2_CLK_CTRL ... FPGA2_THR_CNT:
-    case FPGA3_CLK_CTRL ... FPGA3_THR_CNT:
-    case BANDGAP_TRIP:
-    case PLL_PREDIVISOR:
-    case CLK_621_TRUE:
-    case PSS_RST_CTRL ... A9_CPU_RST_CTRL:
-    case RS_AWDT_CTRL:
-    case RST_REASON:
-    case REBOOT_STATUS:
-    case APU_CTRL:
-    case WDT_CLK_SEL:
-    case TZ_DMA_NS ... TZ_DMA_PERIPH_NS:
-    case DDR_URGENT:
-    case DDR_URGENT_SEL:
-    case MIO ... MIO + MIO_LENGTH - 1:
-    case MIO_LOOPBACK ... MIO_MST_TRI1:
-    case SD0_WP_CD_SEL:
-    case SD1_WP_CD_SEL:
-    case LVL_SHFTR_EN:
-    case OCM_CFG:
-    case CPU_RAM:
-    case IOU:
-    case DMAC_RAM:
-    case AFI0 ... AFI3 + AFI_LENGTH - 1:
-    case OCM:
-    case DEVCI_RAM:
-    case CSG_RAM:
-    case GPIOB_CTRL ... GPIOB_CFG_CMOS33:
-    case GPIOB_CFG_HSTL:
-    case GPIOB_DRVR_BIAS_CTRL:
-    case DDRIOB ... DDRIOB + DDRIOB_LENGTH - 1:
+    case R_SCL:
+    case R_ARM_PLL_CTRL ... R_IO_PLL_CTRL:
+    case R_ARM_PLL_CFG ... R_IO_PLL_CFG:
+    case R_ARM_CLK_CTRL ... R_TOPSW_CLK_CTRL:
+    case R_FPGA0_CLK_CTRL ... R_FPGA0_THR_CNT:
+    case R_FPGA1_CLK_CTRL ... R_FPGA1_THR_CNT:
+    case R_FPGA2_CLK_CTRL ... R_FPGA2_THR_CNT:
+    case R_FPGA3_CLK_CTRL ... R_FPGA3_THR_CNT:
+    case R_BANDGAP_TRIP:
+    case R_PLL_PREDIVISOR:
+    case R_CLK_621_TRUE:
+    case R_PSS_RST_CTRL ... R_A9_CPU_RST_CTRL:
+    case R_RS_AWDT_CTRL:
+    case R_RST_REASON:
+    case R_REBOOT_STATUS:
+    case R_APU_CTRL:
+    case R_WDT_CLK_SEL:
+    case R_TZ_DMA_NS ... R_TZ_DMA_PERIPH_NS:
+    case R_DDR_URGENT:
+    case R_DDR_URGENT_SEL:
+    case R_MIO ... R_MIO + MIO_LENGTH - 1:
+    case R_MIO_LOOPBACK ... R_MIO_MST_TRI1:
+    case R_SD0_WP_CD_SEL:
+    case R_SD1_WP_CD_SEL:
+    case R_LVL_SHFTR_EN:
+    case R_OCM_CFG:
+    case R_CPU_RAM:
+    case R_IOU:
+    case R_DMAC_RAM:
+    case R_AFI0 ... R_AFI3 + AFI_LENGTH - 1:
+    case R_OCM:
+    case R_DEVCI_RAM:
+    case R_CSG_RAM:
+    case R_GPIOB_CTRL ... R_GPIOB_CFG_CMOS33:
+    case R_GPIOB_CFG_HSTL:
+    case R_GPIOB_DRVR_BIAS_CTRL:
+    case R_DDRIOB ... R_DDRIOB + DDRIOB_LENGTH - 1:
         return true;
     default:
         return false;
@@ -XXX,XX +XXX,XX @@ static void zynq_slcr_write(void *opaque, hwaddr offset,
     }
 
     switch (offset) {
-    case SCL:
-        s->regs[SCL] = val & 0x1;
+    case R_SCL:
+        s->regs[R_SCL] = val & 0x1;
         return;
-    case LOCK:
+    case R_LOCK:
         if ((val & 0xFFFF) == XILINX_LOCK_KEY) {
             DB_PRINT("XILINX LOCK 0xF8000000 + 0x%x <= 0x%x\n", (int)offset,
                 (unsigned)val & 0xFFFF);
-            s->regs[LOCKSTA] = 1;
+            s->regs[R_LOCKSTA] = 1;
         } else {
             DB_PRINT("WRONG XILINX LOCK KEY 0xF8000000 + 0x%x <= 0x%x\n",
                 (int)offset, (unsigned)val & 0xFFFF);
         }
         return;
-    case UNLOCK:
+    case R_UNLOCK:
         if ((val & 0xFFFF) == XILINX_UNLOCK_KEY) {
             DB_PRINT("XILINX UNLOCK 0xF8000000 + 0x%x <= 0x%x\n", (int)offset,
                 (unsigned)val & 0xFFFF);
-            s->regs[LOCKSTA] = 0;
+            s->regs[R_LOCKSTA] = 0;
         } else {
             DB_PRINT("WRONG XILINX UNLOCK KEY 0xF8000000 + 0x%x <= 0x%x\n",
                 (int)offset, (unsigned)val & 0xFFFF);
@@ -XXX,XX +XXX,XX @@ static void zynq_slcr_write(void *opaque, hwaddr offset,
         return;
     }
 
-    if (s->regs[LOCKSTA]) {
+    if (s->regs[R_LOCKSTA]) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "SCLR registers are locked. Unlock them first\n");
         return;
@@ -XXX,XX +XXX,XX @@ static void zynq_slcr_write(void *opaque, hwaddr offset,
     s->regs[offset] = val;
 
     switch (offset) {
-    case PSS_RST_CTRL:
-        if (val & R_PSS_RST_CTRL_SOFT_RST) {
+    case R_PSS_RST_CTRL:
+        if (FIELD_EX32(val, PSS_RST_CTRL, SOFT_RST)) {
             qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
         }
         break;
-- 
2.20.1

From: Aaron Hill <aa1ronham@gmail.com>

This commit properly sets the ENET_BD_BDU flag once the emulated FEC controller
has finished processing the last descriptor. This is done for both transmit
and receive descriptors.

This allows the QNX 7.0.0 BSP for the Sabrelite board (which can be
found at http://blackberry.qnx.com/en/developers/bsp) to properly
control the FEC. Without this patch, the BSP ethernet driver will never
re-use FEC descriptors, as the unset ENET_BD_BDU flag will cause
it to believe that the descriptors are still in use by the NIC.

Note that Linux does not appear to use this field at all, and is
unaffected by this patch.

Without this patch, QNX will think that the NIC is still processing its
transaction descriptors, and won't send any more data over the network.

For reference:

On page 1192 of the I.MX 6DQ reference manual revision (Rev. 5, 06/2018),
which can be found at https://www.nxp.com/products/processors-and-microcontrollers/arm-based-processors-and-mcus/i.mx-applications-processors/i.mx-6-processors/i.mx-6quad-processors-high-performance-3d-graphics-hd-video-arm-cortex-a9-core:i.MX6Q?&tab=Documentation_Tab&linkline=Application-Note

the 'BDU' field is described as follows for the 'Enhanced transmit
buffer descriptor':

'Last buffer descriptor update done. Indicates that the last BD data has been updated by
uDMA. This field is written by the user (=0) and uDMA (=1).'

The same description is used for the receive buffer descriptor.

Signed-off-by: Aaron Hill <aa1ronham@gmail.com>
Message-id: 20190805142417.10433-1-aaron.hill@alertinnovation.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/net/imx_fec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -XXX,XX +XXX,XX @@ static void imx_enet_do_tx(IMXFECState *s, uint32_t index)
             if (bd.option & ENET_BD_TX_INT) {
                 s->regs[ENET_EIR] |= int_txf;
             }
+            /* Indicate that we've updated the last buffer descriptor. */
+            bd.last_buffer = ENET_BD_BDU;
         }
         if (bd.option & ENET_BD_TX_INT) {
             s->regs[ENET_EIR] |= int_txb;
@@ -XXX,XX +XXX,XX @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
             /* Last buffer in frame.  */
             bd.flags |= flags | ENET_BD_L;
             FEC_PRINTF("rx frame flags %04x\n", bd.flags);
+            /* Indicate that we've updated the last buffer descriptor. */
+            bd.last_buffer = ENET_BD_BDU;
             if (bd.option & ENET_BD_RX_INT) {
                 s->regs[ENET_EIR] |= ENET_INT_RXF;
             }
-- 
2.20.1

Factor out code to 'generate a singlestep exception', which is
currently repeated in four places.

To do this we need to also pull the identical copies of the
gen-exception() function out of translate-a64.c and translate.c
into translate.h.

(There is a bug in the code: we're taking the exception to the wrong
target EL.  This will be simpler to fix if there's only one place to
do it.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20190805130952.4415-2-peter.maydell@linaro.org
---
 target/arm/translate.h     | 23 +++++++++++++++++++++++
 target/arm/translate-a64.c | 19 ++-----------------
 target/arm/translate.c     | 20 ++------------------
 3 files changed, 27 insertions(+), 35 deletions(-)

diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@
 #define TARGET_ARM_TRANSLATE_H
 
 #include "exec/translator.h"
+#include "internals.h"
 
 
 /* internal defines */
@@ -XXX,XX +XXX,XX @@ static inline void gen_ss_advance(DisasContext *s)
     }
 }
 
+static inline void gen_exception(int excp, uint32_t syndrome,
+                                 uint32_t target_el)
+{
+    TCGv_i32 tcg_excp = tcg_const_i32(excp);
+    TCGv_i32 tcg_syn = tcg_const_i32(syndrome);
+    TCGv_i32 tcg_el = tcg_const_i32(target_el);
+
+    gen_helper_exception_with_syndrome(cpu_env, tcg_excp,
+                                       tcg_syn, tcg_el);
+
+    tcg_temp_free_i32(tcg_el);
+    tcg_temp_free_i32(tcg_syn);
+    tcg_temp_free_i32(tcg_excp);
+}
+
+/* Generate an architectural singlestep exception */
+static inline void gen_swstep_exception(DisasContext *s, int isv, int ex)
+{
+    gen_exception(EXCP_UDEF, syn_swstep(s->ss_same_el, isv, ex),
+                  default_exception_el(s));
+}
+
 /*
  * Given a VFP floating point constant encoded into an 8 bit immediate in an
  * instruction, expand it to the actual constant value of the specified
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
     tcg_temp_free_i32(tcg_excp);
 }
 
-static void gen_exception(int excp, uint32_t syndrome, uint32_t target_el)
-{
-    TCGv_i32 tcg_excp = tcg_const_i32(excp);
-    TCGv_i32 tcg_syn = tcg_const_i32(syndrome);
-    TCGv_i32 tcg_el = tcg_const_i32(target_el);
-
-    gen_helper_exception_with_syndrome(cpu_env, tcg_excp,
-                                       tcg_syn, tcg_el);
-    tcg_temp_free_i32(tcg_el);
-    tcg_temp_free_i32(tcg_syn);
-    tcg_temp_free_i32(tcg_excp);
-}
-
 static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
 {
     gen_a64_set_pc_im(s->pc - offset);
@@ -XXX,XX +XXX,XX @@ static void gen_step_complete_exception(DisasContext *s)
      * of the exception, and our syndrome information is always correct.
      */
     gen_ss_advance(s);
-    gen_exception(EXCP_UDEF, syn_swstep(s->ss_same_el, 1, s->is_ldex),
-                  default_exception_el(s));
+    gen_swstep_exception(s, 1, s->is_ldex);
     s->base.is_jmp = DISAS_NORETURN;
 }
 
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          * bits should be zero.
          */
         assert(dc->base.num_insns == 1);
-        gen_exception(EXCP_UDEF, syn_swstep(dc->ss_same_el, 0, 0),
-                      default_exception_el(dc));
+        gen_swstep_exception(dc, 0, 0);
         dc->base.is_jmp = DISAS_NORETURN;
     } else {
         disas_a64_insn(env, dc);
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
     tcg_temp_free_i32(tcg_excp);
 }
 
-static void gen_exception(int excp, uint32_t syndrome, uint32_t target_el)
-{
-    TCGv_i32 tcg_excp = tcg_const_i32(excp);
-    TCGv_i32 tcg_syn = tcg_const_i32(syndrome);
-    TCGv_i32 tcg_el = tcg_const_i32(target_el);
-
-    gen_helper_exception_with_syndrome(cpu_env, tcg_excp,
-                                       tcg_syn, tcg_el);
-
-    tcg_temp_free_i32(tcg_el);
-    tcg_temp_free_i32(tcg_syn);
-    tcg_temp_free_i32(tcg_excp);
-}
-
 static void gen_step_complete_exception(DisasContext *s)
 {
     /* We just completed step of an insn. Move from Active-not-pending
@@ -XXX,XX +XXX,XX @@ static void gen_step_complete_exception(DisasContext *s)
      * of the exception, and our syndrome information is always correct.
      */
     gen_ss_advance(s);
-    gen_exception(EXCP_UDEF, syn_swstep(s->ss_same_el, 1, s->is_ldex),
-                  default_exception_el(s));
+    gen_swstep_exception(s, 1, s->is_ldex);
     s->base.is_jmp = DISAS_NORETURN;
 }
 
@@ -XXX,XX +XXX,XX @@ static bool arm_pre_translate_insn(DisasContext *dc)
          * bits should be zero.
          */
         assert(dc->base.num_insns == 1);
-        gen_exception(EXCP_UDEF, syn_swstep(dc->ss_same_el, 0, 0),
-                      default_exception_el(dc));
+        gen_swstep_exception(dc, 0, 0);
         dc->base.is_jmp = DISAS_NORETURN;
         return true;
     }
-- 
2.20.1

When generating an architectural single-step exception we were
routing it to the "default exception level", which is to say
the same exception level we execute at except that EL0 exceptions
go to EL1. This is incorrect because the debug exception level
can be configured by the guest for situations such as single
stepping of EL0 and EL1 code by EL2.

We have to track the target debug exception level in the TB
flags, because it is dependent on CPU state like HCR_EL2.TGE
and MDCR_EL2.TDE. (That we were previously calling the
arm_debug_target_el() function to determine dc->ss_same_el
is itself a bug, though one that would only have manifested
as incorrect syndrome information.) Since we are out of TB
flag bits unless we want to expand into the cs_base field,
we share some bits with the M-profile only HANDLER and
STACKCHECK bits, since only A-profile has this singlestep.

Fixes: https://bugs.launchpad.net/qemu/+bug/1838913
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20190805130952.4415-3-peter.maydell@linaro.org
---
 target/arm/cpu.h           |  5 +++++
 target/arm/translate.h     | 15 +++++++++++----
 target/arm/helper.c        |  6 ++++++
 target/arm/translate-a64.c |  2 +-
 target/arm/translate.c     |  4 +++-
 5 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_ANY, PSTATE_SS, 26, 1)
 /* Target EL if we take a floating-point-disabled exception */
 FIELD(TBFLAG_ANY, FPEXC_EL, 24, 2)
 FIELD(TBFLAG_ANY, BE_DATA, 23, 1)
+/*
+ * For A-profile only, target EL for debug exceptions.
+ * Note that this overlaps with the M-profile-only HANDLER and STACKCHECK bits.
+ */
+FIELD(TBFLAG_ANY, DEBUG_TARGET_EL, 21, 2)
 
 /* Bit usage when in AArch32 state: */
 FIELD(TBFLAG_A32, THUMB, 0, 1)
diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
     uint32_t svc_imm;
     int aarch64;
     int current_el;
+    /* Debug target exception level for single-step exceptions */
+    int debug_target_el;
     GHashTable *cp_regs;
     uint64_t features; /* CPU features bits */
     /* Because unallocated encodings generate different exception syndrome
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
      * ie A64 LDX*, LDAX*, A32/T32 LDREX*, LDAEX*.
      */
     bool is_ldex;
-    /* True if a single-step exception will be taken to the current EL */
-    bool ss_same_el;
     /* True if v8.3-PAuth is active.  */
     bool pauth_active;
     /* True with v8.5-BTI and SCTLR_ELx.BT* set.  */
@@ -XXX,XX +XXX,XX @@ static inline void gen_exception(int excp, uint32_t syndrome,
 /* Generate an architectural singlestep exception */
 static inline void gen_swstep_exception(DisasContext *s, int isv, int ex)
 {
-    gen_exception(EXCP_UDEF, syn_swstep(s->ss_same_el, isv, ex),
-                  default_exception_el(s));
+    bool same_el = (s->debug_target_el == s->current_el);
+
+    /*
+     * If singlestep is targeting a lower EL than the current one,
+     * then s->ss_active must be false and we can never get here.
+     */
+    assert(s->debug_target_el >= s->current_el);
+
+    gen_exception(EXCP_UDEF, syn_swstep(same_el, isv, ex), s->debug_target_el);
 }
 
 /*
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void cpu_get_tb_cpu_state(CPUARMState *env, target_ulong *pc,
         }
     }
 
+    if (!arm_feature(env, ARM_FEATURE_M)) {
+        int target_el = arm_debug_target_el(env);
+
+        flags = FIELD_DP32(flags, TBFLAG_ANY, DEBUG_TARGET_EL, target_el);
+    }
+
     *pflags = flags;
     *cs_base = 0;
 }
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
     dc->ss_active = FIELD_EX32(tb_flags, TBFLAG_ANY, SS_ACTIVE);
     dc->pstate_ss = FIELD_EX32(tb_flags, TBFLAG_ANY, PSTATE_SS);
     dc->is_ldex = false;
-    dc->ss_same_el = (arm_debug_target_el(env) == dc->current_el);
+    dc->debug_target_el = FIELD_EX32(tb_flags, TBFLAG_ANY, DEBUG_TARGET_EL);
 
     /* Bound the number of insns to execute to those left on the page.  */
     bound = -(dc->base.pc_first | TARGET_PAGE_MASK) / 4;
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
     dc->ss_active = FIELD_EX32(tb_flags, TBFLAG_ANY, SS_ACTIVE);
     dc->pstate_ss = FIELD_EX32(tb_flags, TBFLAG_ANY, PSTATE_SS);
     dc->is_ldex = false;
-    dc->ss_same_el = false; /* Can't be true since EL_d must be AArch64 */
+    if (!arm_feature(env, ARM_FEATURE_M)) {
+        dc->debug_target_el = FIELD_EX32(tb_flags, TBFLAG_ANY, DEBUG_TARGET_EL);
+    }
 
     dc->page_start = dc->base.pc_first & TARGET_PAGE_MASK;
 
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

This function is used in two different contexts, and it will be
clearer if the function is given the address to which it applies.

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
     }
 }
 
-static bool thumb_insn_is_16bit(DisasContext *s, uint32_t insn)
+static bool thumb_insn_is_16bit(DisasContext *s, uint32_t pc, uint32_t insn)
 {
-    /* Return true if this is a 16 bit instruction. We must be precise
-     * about this (matching the decode).  We assume that s->pc still
-     * points to the first 16 bits of the insn.
+    /*
+     * Return true if this is a 16 bit instruction. We must be precise
+     * about this (matching the decode).
      */
     if ((insn >> 11) < 0x1d) {
         /* Definitely a 16-bit instruction */
@@ -XXX,XX +XXX,XX @@ static bool thumb_insn_is_16bit(DisasContext *s, uint32_t insn)
         return false;
     }
 
-    if ((insn >> 11) == 0x1e && s->pc - s->page_start < TARGET_PAGE_SIZE - 3) {
+    if ((insn >> 11) == 0x1e && pc - s->page_start < TARGET_PAGE_SIZE - 3) {
         /* 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix, and the suffix
          * is not on the next page; we merge this into a 32-bit
          * insn.
@@ -XXX,XX +XXX,XX @@ static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
      */
     uint16_t insn = arm_lduw_code(env, s->pc, s->sctlr_b);
 
-    return !thumb_insn_is_16bit(s, insn);
+    return !thumb_insn_is_16bit(s, s->pc, insn);
 }
 
 static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     }
 
     insn = arm_lduw_code(env, dc->pc, dc->sctlr_b);
-    is_16bit = thumb_insn_is_16bit(dc, insn);
+    is_16bit = thumb_insn_is_16bit(dc, dc->pc, insn);
     dc->pc += 2;
     if (!is_16bit) {
         uint32_t insn2 = arm_lduw_code(env, dc->pc, dc->sctlr_b);
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Add a new field to retain the address of the instruction currently
being translated.  The 32-bit uses are all within subroutines used
by a32 and t32.  This will become less obvious when t16 support is
merged with a32+t32, and having a clear definition will help.

Convert aarch64 as well for consistency.  Note that there is one
instance of a pre-assert fprintf that used the wrong value for the
address of the current instruction.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190807045335.1361-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.h |  2 +-
 target/arm/translate.h     |  2 ++
 target/arm/translate-a64.c | 21 +++++++++++----------
 target/arm/translate.c     | 14 ++++++++------
 4 files changed, 22 insertions(+), 17 deletions(-)

diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@ void unallocated_encoding(DisasContext *s);
         qemu_log_mask(LOG_UNIMP,                                         \
                       "%s:%d: unsupported instruction encoding 0x%08x "  \
                       "at pc=%016" PRIx64 "\n",                          \
-                      __FILE__, __LINE__, insn, s->pc - 4);              \
+                      __FILE__, __LINE__, insn, s->pc_curr);             \
         unallocated_encoding(s);                                         \
     } while (0)
 
diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
     const ARMISARegisters *isar;
 
     target_ulong pc;
+    /* The address of the current instruction being translated. */
+    target_ulong pc_curr;
     target_ulong page_start;
     uint32_t insn;
     /* Nonzero if this instruction has been conditionally skipped.  */
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline AArch64DecodeFn *lookup_disas_fn(const AArch64DecodeTable *table,
  */
 static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
 {
-    uint64_t addr = s->pc + sextract32(insn, 0, 26) * 4 - 4;
+    uint64_t addr = s->pc_curr + sextract32(insn, 0, 26) * 4;
 
     if (insn & (1U << 31)) {
         /* BL Branch with link */
@@ -XXX,XX +XXX,XX @@ static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
     sf = extract32(insn, 31, 1);
     op = extract32(insn, 24, 1); /* 0: CBZ; 1: CBNZ */
     rt = extract32(insn, 0, 5);
-    addr = s->pc + sextract32(insn, 5, 19) * 4 - 4;
+    addr = s->pc_curr + sextract32(insn, 5, 19) * 4;
 
     tcg_cmp = read_cpu_reg(s, rt, sf);
     label_match = gen_new_label();
@@ -XXX,XX +XXX,XX @@ static void disas_test_b_imm(DisasContext *s, uint32_t insn)
 
     bit_pos = (extract32(insn, 31, 1) << 5) | extract32(insn, 19, 5);
     op = extract32(insn, 24, 1); /* 0: TBZ; 1: TBNZ */
-    addr = s->pc + sextract32(insn, 5, 14) * 4 - 4;
+    addr = s->pc_curr + sextract32(insn, 5, 14) * 4;
     rt = extract32(insn, 0, 5);
 
     tcg_cmp = tcg_temp_new_i64();
@@ -XXX,XX +XXX,XX @@ static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
         unallocated_encoding(s);
         return;
     }
-    addr = s->pc + sextract32(insn, 5, 19) * 4 - 4;
+    addr = s->pc_curr + sextract32(insn, 5, 19) * 4;
     cond = extract32(insn, 0, 4);
 
     reset_btype(s);
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
         TCGv_i32 tcg_syn, tcg_isread;
         uint32_t syndrome;
 
-        gen_a64_set_pc_im(s->pc - 4);
+        gen_a64_set_pc_im(s->pc_curr);
         tmpptr = tcg_const_ptr(ri);
         syndrome = syn_aa64_sysregtrap(op0, op1, op2, crn, crm, rt, isread);
         tcg_syn = tcg_const_i32(syndrome);
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
             /* The pre HVC helper handles cases when HVC gets trapped
              * as an undefined insn by runtime configuration.
              */
-            gen_a64_set_pc_im(s->pc - 4);
+            gen_a64_set_pc_im(s->pc_curr);
             gen_helper_pre_hvc(cpu_env);
             gen_ss_advance(s);
             gen_exception_insn(s, 0, EXCP_HVC, syn_aa64_hvc(imm16), 2);
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
                 unallocated_encoding(s);
                 break;
             }
-            gen_a64_set_pc_im(s->pc - 4);
+            gen_a64_set_pc_im(s->pc_curr);
             tmp = tcg_const_i32(syn_aa64_smc(imm16));
             gen_helper_pre_smc(cpu_env, tmp);
             tcg_temp_free_i32(tmp);
@@ -XXX,XX +XXX,XX @@ static void disas_ld_lit(DisasContext *s, uint32_t insn)
 
     tcg_rt = cpu_reg(s, rt);
 
-    clean_addr = tcg_const_i64((s->pc - 4) + imm);
+    clean_addr = tcg_const_i64(s->pc_curr + imm);
     if (is_vector) {
         do_fp_ld(s, rt, clean_addr, size);
     } else {
@@ -XXX,XX +XXX,XX @@ static void disas_pc_rel_adr(DisasContext *s, uint32_t insn)
     offset = sextract64(insn, 5, 19);
     offset = offset << 2 | extract32(insn, 29, 2);
     rd = extract32(insn, 0, 5);
-    base = s->pc - 4;
+    base = s->pc_curr;
 
     if (page) {
         /* ADRP (page based) */
@@ -XXX,XX +XXX,XX @@ static void disas_simd_three_reg_same_fp16(DisasContext *s, uint32_t insn)
                 break;
             default:
                 fprintf(stderr, "%s: insn %#04x, fpop %#2x @ %#" PRIx64 "\n",
-                        __func__, insn, fpopcode, s->pc);
+                        __func__, insn, fpopcode, s->pc_curr);
                 g_assert_not_reached();
             }
 
@@ -XXX,XX +XXX,XX @@ static void disas_a64_insn(CPUARMState *env, DisasContext *s)
 {
     uint32_t insn;
 
+    s->pc_curr = s->pc;
     insn = arm_ldl_code(env, s->pc, s->sctlr_b);
     s->insn = insn;
     s->pc += 4;
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_hvc(DisasContext *s, int imm16)
      * as an undefined insn by runtime configuration (ie before
      * the insn really executes).
      */
-    gen_set_pc_im(s, s->pc - 4);
+    gen_set_pc_im(s, s->pc_curr);
     gen_helper_pre_hvc(cpu_env);
     /* Otherwise we will treat this as a real exception which
      * happens after execution of the insn. (The distinction matters
@@ -XXX,XX +XXX,XX @@ static inline void gen_smc(DisasContext *s)
      */
     TCGv_i32 tmp;
 
-    gen_set_pc_im(s, s->pc - 4);
+    gen_set_pc_im(s, s->pc_curr);
     tmp = tcg_const_i32(syn_aa32_smc());
     gen_helper_pre_smc(cpu_env, tmp);
     tcg_temp_free_i32(tmp);
@@ -XXX,XX +XXX,XX @@ static void gen_msr_banked(DisasContext *s, int r, int sysm, int rn)
 
     /* Sync state because msr_banked() can raise exceptions */
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->pc - 4);
+    gen_set_pc_im(s, s->pc_curr);
     tcg_reg = load_reg(s, rn);
     tcg_tgtmode = tcg_const_i32(tgtmode);
     tcg_regno = tcg_const_i32(regno);
@@ -XXX,XX +XXX,XX @@ static void gen_mrs_banked(DisasContext *s, int r, int sysm, int rn)
 
     /* Sync state because mrs_banked() can raise exceptions */
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->pc - 4);
+    gen_set_pc_im(s, s->pc_curr);
     tcg_reg = tcg_temp_new_i32();
     tcg_tgtmode = tcg_const_i32(tgtmode);
     tcg_regno = tcg_const_i32(regno);
@@ -XXX,XX +XXX,XX @@ static int disas_coproc_insn(DisasContext *s, uint32_t insn)
             }
 
             gen_set_condexec(s);
-            gen_set_pc_im(s, s->pc - 4);
+            gen_set_pc_im(s, s->pc_curr);
             tmpptr = tcg_const_ptr(ri);
             tcg_syn = tcg_const_i32(syndrome);
             tcg_isread = tcg_const_i32(isread);
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
     tmp = tcg_const_i32(mode);
     /* get_r13_banked() will raise an exception if called from System mode */
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->pc - 4);
+    gen_set_pc_im(s, s->pc_curr);
     gen_helper_get_r13_banked(addr, cpu_env, tmp);
     tcg_temp_free_i32(tmp);
     switch (amode) {
@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         return;
     }
 
+    dc->pc_curr = dc->pc;
     insn = arm_ldl_code(env, dc->pc, dc->sctlr_b);
     dc->insn = insn;
     dc->pc += 4;
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         return;
     }
 
+    dc->pc_curr = dc->pc;
     insn = arm_lduw_code(env, dc->pc, dc->sctlr_b);
     is_16bit = thumb_insn_is_16bit(dc, dc->pc, insn);
     dc->pc += 2;
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

We currently have 3 different ways of computing the architectural
value of "PC" as seen in the ARM ARM.

The value of s->pc has been incremented past the current insn,
but that is all.  Thus for a32, PC = s->pc + 4; for t32, PC = s->pc;
for t16, PC = s->pc + 2.  These differing computations make it
impossible at present to unify the various code paths.

With the newly introduced s->pc_curr, we can compute the correct
value for all cases, using the formula given in the ARM ARM.

This changes the behaviour for load_reg() and load_reg_var()
when called with reg==15 from a 32-bit Thumb instruction:
previously they would have returned the incorrect value
of pc_curr + 6, and now they will return the architecturally
correct value of PC, which is pc_curr + 4. This will not
affect well-behaved guest software, because all of the places
we call these functions from T32 code are instructions where
using r15 is UNPREDICTABLE. Using the architectural PC value
here is more consistent with the T16 and A32 behaviour.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190807045335.1361-4-richard.henderson@linaro.org
[PMM: added commit message note about UNPREDICTABLE T32 cases]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 59 ++++++++++++++++--------------------------
 1 file changed, 23 insertions(+), 36 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void store_cpu_offset(TCGv_i32 var, int offset)
 #define store_cpu_field(var, name) \
     store_cpu_offset(var, offsetof(CPUARMState, name))
 
+/* The architectural value of PC.  */
+static uint32_t read_pc(DisasContext *s)
+{
+    return s->pc_curr + (s->thumb ? 4 : 8);
+}
+
 /* Set a variable to the value of a CPU register.  */
 static void load_reg_var(DisasContext *s, TCGv_i32 var, int reg)
 {
     if (reg == 15) {
-        uint32_t addr;
-        /* normally, since we updated PC, we need only to add one insn */
-        if (s->thumb)
-            addr = (long)s->pc + 2;
-        else
-            addr = (long)s->pc + 4;
-        tcg_gen_movi_i32(var, addr);
+        tcg_gen_movi_i32(var, read_pc(s));
     } else {
         tcg_gen_mov_i32(var, cpu_R[reg]);
     }
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             /* branch link and change to thumb (blx <offset>) */
             int32_t offset;
 
-            val = (uint32_t)s->pc;
             tmp = tcg_temp_new_i32();
-            tcg_gen_movi_i32(tmp, val);
+            tcg_gen_movi_i32(tmp, s->pc);
             store_reg(s, 14, tmp);
             /* Sign-extend the 24-bit offset */
             offset = (((int32_t)insn) << 8) >> 8;
+            val = read_pc(s);
             /* offset * 4 + bit24 * 2 + (thumb bit) */
             val += (offset << 2) | ((insn >> 23) & 2) | 1;
-            /* pipeline offset */
-            val += 4;
             /* protected by ARCH(5); above, near the start of uncond block */
             gen_bx_im(s, val);
             return;
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                         } else {
                             /* store */
                             if (i == 15) {
-                                /* special case: r15 = PC + 8 */
-                                val = (long)s->pc + 4;
                                 tmp = tcg_temp_new_i32();
-                                tcg_gen_movi_i32(tmp, val);
+                                tcg_gen_movi_i32(tmp, read_pc(s));
                             } else if (user) {
                                 tmp = tcg_temp_new_i32();
                                 tmp2 = tcg_const_i32(i);
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                 int32_t offset;
 
                 /* branch (and link) */
-                val = (int32_t)s->pc;
                 if (insn & (1 << 24)) {
                     tmp = tcg_temp_new_i32();
-                    tcg_gen_movi_i32(tmp, val);
+                    tcg_gen_movi_i32(tmp, s->pc);
                     store_reg(s, 14, tmp);
                 }
                 offset = sextract32(insn << 2, 0, 26);
-                val += offset + 4;
-                gen_jmp(s, val);
+                gen_jmp(s, read_pc(s) + offset);
             }
             break;
         case 0xc:
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                 tcg_temp_free_i32(addr);
             } else if ((insn & (7 << 5)) == 0) {
                 /* Table Branch.  */
-                if (rn == 15) {
-                    addr = tcg_temp_new_i32();
-                    tcg_gen_movi_i32(addr, s->pc);
-                } else {
-                    addr = load_reg(s, rn);
-                }
+                addr = load_reg(s, rn);
                 tmp = load_reg(s, rm);
                 tcg_gen_add_i32(addr, addr, tmp);
                 if (insn & (1 << 4)) {
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                 }
                 tcg_temp_free_i32(addr);
                 tcg_gen_shli_i32(tmp, tmp, 1);
-                tcg_gen_addi_i32(tmp, tmp, s->pc);
+                tcg_gen_addi_i32(tmp, tmp, read_pc(s));
                 store_reg(s, 15, tmp);
             } else {
                 bool is_lasr = false;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                     tcg_gen_movi_i32(cpu_R[14], s->pc | 1);
                 }
 
-                offset += s->pc;
+                offset += read_pc(s);
                 if (insn & (1 << 12)) {
                     /* b/bl */
                     gen_jmp(s, offset);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                 offset |= (insn & (1 << 11)) << 8;
 
                 /* jump to the offset */
-                gen_jmp(s, s->pc + offset);
+                gen_jmp(s, read_pc(s) + offset);
             }
         } else {
             /*
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
         if (insn & (1 << 11)) {
             rd = (insn >> 8) & 7;
             /* load pc-relative.  Bit 1 of PC is ignored.  */
-            val = s->pc + 2 + ((insn & 0xff) * 4);
+            val = read_pc(s) + ((insn & 0xff) * 4);
             val &= ~(uint32_t)2;
             addr = tcg_temp_new_i32();
             tcg_gen_movi_i32(addr, val);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
         } else {
             /* PC. bit 1 is ignored.  */
             tmp = tcg_temp_new_i32();
-            tcg_gen_movi_i32(tmp, (s->pc + 2) & ~(uint32_t)2);
+            tcg_gen_movi_i32(tmp, read_pc(s) & ~(uint32_t)2);
         }
         val = (insn & 0xff) * 4;
         tcg_gen_addi_i32(tmp, tmp, val);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
                 tcg_gen_brcondi_i32(TCG_COND_NE, tmp, 0, s->condlabel);
             tcg_temp_free_i32(tmp);
             offset = ((insn & 0xf8) >> 2) | (insn & 0x200) >> 3;
-            val = (uint32_t)s->pc + 2;
-            val += offset;
-            gen_jmp(s, val);
+            gen_jmp(s, read_pc(s) + offset);
             break;
 
         case 15: /* IT, nop-hint.  */
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
         arm_skip_unless(s, cond);
 
         /* jump to the offset */
-        val = (uint32_t)s->pc + 2;
+        val = read_pc(s);
         offset = ((int32_t)insn << 24) >> 24;
         val += offset << 1;
         gen_jmp(s, val);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
             break;
         }
         /* unconditional branch */
-        val = (uint32_t)s->pc;
+        val = read_pc(s);
         offset = ((int32_t)insn << 21) >> 21;
-        val += (offset << 1) + 2;
+        val += offset << 1;
         gen_jmp(s, val);
         break;
 
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
             /* 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix */
             uint32_t uoffset = ((int32_t)insn << 21) >> 9;
 
-            tcg_gen_movi_i32(cpu_R[14], s->pc + 2 + uoffset);
+            tcg_gen_movi_i32(cpu_R[14], read_pc(s) + uoffset);
         }
         break;
     }
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Provide a common routine for the places that require ALIGN(PC, 4)
as the base address as opposed to plain PC.  The two are always
the same for A32, but the difference is meaningful for thumb mode.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190807045335.1361-5-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-vfp.inc.c |  38 ++------
 target/arm/translate.c         | 166 +++++++++++++++------------------
 2 files changed, 82 insertions(+), 122 deletions(-)

diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.inc.c
+++ b/target/arm/translate-vfp.inc.c
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDR_VSTR_sp(DisasContext *s, arg_VLDR_VSTR_sp *a)
         offset = -offset;
     }
 
-    if (s->thumb && a->rn == 15) {
-        /* This is actually UNPREDICTABLE */
-        addr = tcg_temp_new_i32();
-        tcg_gen_movi_i32(addr, s->pc & ~2);
-    } else {
-        addr = load_reg(s, a->rn);
-    }
-    tcg_gen_addi_i32(addr, addr, offset);
+    /* For thumb, use of PC is UNPREDICTABLE.  */
+    addr = add_reg_for_lit(s, a->rn, offset);
     tmp = tcg_temp_new_i32();
     if (a->l) {
         gen_aa32_ld32u(s, tmp, addr, get_mem_index(s));
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDR_VSTR_dp(DisasContext *s, arg_VLDR_VSTR_dp *a)
         offset = -offset;
     }
 
-    if (s->thumb && a->rn == 15) {
-        /* This is actually UNPREDICTABLE */
-        addr = tcg_temp_new_i32();
-        tcg_gen_movi_i32(addr, s->pc & ~2);
-    } else {
-        addr = load_reg(s, a->rn);
-    }
-    tcg_gen_addi_i32(addr, addr, offset);
+    /* For thumb, use of PC is UNPREDICTABLE.  */
+    addr = add_reg_for_lit(s, a->rn, offset);
     tmp = tcg_temp_new_i64();
     if (a->l) {
         gen_aa32_ld64(s, tmp, addr, get_mem_index(s));
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDM_VSTM_sp(DisasContext *s, arg_VLDM_VSTM_sp *a)
         return true;
     }
 
-    if (s->thumb && a->rn == 15) {
-        /* This is actually UNPREDICTABLE */
-        addr = tcg_temp_new_i32();
-        tcg_gen_movi_i32(addr, s->pc & ~2);
-    } else {
-        addr = load_reg(s, a->rn);
-    }
+    /* For thumb, use of PC is UNPREDICTABLE.  */
+    addr = add_reg_for_lit(s, a->rn, 0);
     if (a->p) {
         /* pre-decrement */
         tcg_gen_addi_i32(addr, addr, -(a->imm << 2));
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDM_VSTM_dp(DisasContext *s, arg_VLDM_VSTM_dp *a)
         return true;
     }
 
-    if (s->thumb && a->rn == 15) {
-        /* This is actually UNPREDICTABLE */
-        addr = tcg_temp_new_i32();
-        tcg_gen_movi_i32(addr, s->pc & ~2);
-    } else {
-        addr = load_reg(s, a->rn);
-    }
+    /* For thumb, use of PC is UNPREDICTABLE.  */
+    addr = add_reg_for_lit(s, a->rn, 0);
     if (a->p) {
         /* pre-decrement */
         tcg_gen_addi_i32(addr, addr, -(a->imm << 2));
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline TCGv_i32 load_reg(DisasContext *s, int reg)
     return tmp;
 }
 
+/*
+ * Create a new temp, REG + OFS, except PC is ALIGN(PC, 4).
+ * This is used for load/store for which use of PC implies (literal),
+ * or ADD that implies ADR.
+ */
+static TCGv_i32 add_reg_for_lit(DisasContext *s, int reg, int ofs)
+{
+    TCGv_i32 tmp = tcg_temp_new_i32();
+
+    if (reg == 15) {
+        tcg_gen_movi_i32(tmp, (read_pc(s) & ~3) + ofs);
+    } else {
+        tcg_gen_addi_i32(tmp, cpu_R[reg], ofs);
+    }
+    return tmp;
+}
+
 /* Set a CPU register.  The source must be a temporary and will be
    marked as dead.  */
 static void store_reg(DisasContext *s, int reg, TCGv_i32 var)
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                  */
                 bool wback = extract32(insn, 21, 1);
 
-                if (rn == 15) {
-                    if (insn & (1 << 21)) {
-                        /* UNPREDICTABLE */
-                        goto illegal_op;
-                    }
-                    addr = tcg_temp_new_i32();
-                    tcg_gen_movi_i32(addr, s->pc & ~3);
-                } else {
-                    addr = load_reg(s, rn);
+                if (rn == 15 && (insn & (1 << 21))) {
+                    /* UNPREDICTABLE */
+                    goto illegal_op;
                 }
+
+                addr = add_reg_for_lit(s, rn, 0);
                 offset = (insn & 0xff) * 4;
                 if ((insn & (1 << 23)) == 0) {
                     offset = -offset;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                         store_reg(s, rd, tmp);
                     } else {
                         /* Add/sub 12-bit immediate.  */
-                        if (rn == 15) {
-                            offset = s->pc & ~(uint32_t)3;
-                            if (insn & (1 << 23))
-                                offset -= imm;
-                            else
-                                offset += imm;
-                            tmp = tcg_temp_new_i32();
-                            tcg_gen_movi_i32(tmp, offset);
-                            store_reg(s, rd, tmp);
+                        if (insn & (1 << 23)) {
+                            imm = -imm;
+                        }
+                        tmp = add_reg_for_lit(s, rn, imm);
+                        if (rn == 13 && rd == 13) {
+                            /* ADD SP, SP, imm or SUB SP, SP, imm */
+                            store_sp_checked(s, tmp);
                         } else {
-                            tmp = load_reg(s, rn);
-                            if (insn & (1 << 23))
-                                tcg_gen_subi_i32(tmp, tmp, imm);
-                            else
-                                tcg_gen_addi_i32(tmp, tmp, imm);
-                            if (rn == 13 && rd == 13) {
-                                /* ADD SP, SP, imm or SUB SP, SP, imm */
-                                store_sp_checked(s, tmp);
-                            } else {
-                                store_reg(s, rd, tmp);
-                            }
+                            store_reg(s, rd, tmp);
                         }
                     }
                 }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
             }
         }
         memidx = get_mem_index(s);
-        if (rn == 15) {
-            addr = tcg_temp_new_i32();
-            /* PC relative.  */
-            /* s->pc has already been incremented by 4.  */
-            imm = s->pc & 0xfffffffc;
-            if (insn & (1 << 23))
-                imm += insn & 0xfff;
-            else
-                imm -= insn & 0xfff;
-            tcg_gen_movi_i32(addr, imm);
+        imm = insn & 0xfff;
+        if (insn & (1 << 23)) {
+            /* PC relative or Positive offset.  */
+            addr = add_reg_for_lit(s, rn, imm);
+        } else if (rn == 15) {
+            /* PC relative with negative offset.  */
+            addr = add_reg_for_lit(s, rn, -imm);
         } else {
             addr = load_reg(s, rn);
-            if (insn & (1 << 23)) {
-                /* Positive offset.  */
-                imm = insn & 0xfff;
-                tcg_gen_addi_i32(addr, addr, imm);
-            } else {
-                imm = insn & 0xff;
-                switch ((insn >> 8) & 0xf) {
-                case 0x0: /* Shifted Register.  */
-                    shift = (insn >> 4) & 0xf;
-                    if (shift > 3) {
-                        tcg_temp_free_i32(addr);
-                        goto illegal_op;
-                    }
-                    tmp = load_reg(s, rm);
-                    if (shift)
-                        tcg_gen_shli_i32(tmp, tmp, shift);
-                    tcg_gen_add_i32(addr, addr, tmp);
-                    tcg_temp_free_i32(tmp);
-                    break;
-                case 0xc: /* Negative offset.  */
-                    tcg_gen_addi_i32(addr, addr, -imm);
-                    break;
-                case 0xe: /* User privilege.  */
-                    tcg_gen_addi_i32(addr, addr, imm);
-                    memidx = get_a32_user_mem_index(s);
-                    break;
-                case 0x9: /* Post-decrement.  */
-                    imm = -imm;
-                    /* Fall through.  */
-                case 0xb: /* Post-increment.  */
-                    postinc = 1;
-                    writeback = 1;
-                    break;
-                case 0xd: /* Pre-decrement.  */
-                    imm = -imm;
-                    /* Fall through.  */
-                case 0xf: /* Pre-increment.  */
-                    writeback = 1;
-                    break;
-                default:
+            imm = insn & 0xff;
+            switch ((insn >> 8) & 0xf) {
+            case 0x0: /* Shifted Register.  */
+                shift = (insn >> 4) & 0xf;
+                if (shift > 3) {
                     tcg_temp_free_i32(addr);
                     goto illegal_op;
                 }
+                tmp = load_reg(s, rm);
+                if (shift) {
+                    tcg_gen_shli_i32(tmp, tmp, shift);
+                }
+                tcg_gen_add_i32(addr, addr, tmp);
+                tcg_temp_free_i32(tmp);
+                break;
+            case 0xc: /* Negative offset.  */
+                tcg_gen_addi_i32(addr, addr, -imm);
+                break;
+            case 0xe: /* User privilege.  */
+                tcg_gen_addi_i32(addr, addr, imm);
+                memidx = get_a32_user_mem_index(s);
+                break;
+            case 0x9: /* Post-decrement.  */
+                imm = -imm;
+                /* Fall through.  */
+            case 0xb: /* Post-increment.  */
+                postinc = 1;
+                writeback = 1;
+                break;
+            case 0xd: /* Pre-decrement.  */
+                imm = -imm;
+                /* Fall through.  */
+            case 0xf: /* Pre-increment.  */
+                writeback = 1;
+                break;
+            default:
+                tcg_temp_free_i32(addr);
+                goto illegal_op;
             }
         }
 
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
         if (insn & (1 << 11)) {
             rd = (insn >> 8) & 7;
             /* load pc-relative.  Bit 1 of PC is ignored.  */
-            val = read_pc(s) + ((insn & 0xff) * 4);
-            val &= ~(uint32_t)2;
-            addr = tcg_temp_new_i32();
-            tcg_gen_movi_i32(addr, val);
+            addr = add_reg_for_lit(s, 15, (insn & 0xff) * 4);
             tmp = tcg_temp_new_i32();
             gen_aa32_ld32u_iss(s, tmp, addr, get_mem_index(s),
                                rd | ISSIs16Bit);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
          *  - Add PC/SP (immediate)
          */
         rd = (insn >> 8) & 7;
-        if (insn & (1 << 11)) {
-            /* SP */
-            tmp = load_reg(s, 13);
-        } else {
-            /* PC. bit 1 is ignored.  */
-            tmp = tcg_temp_new_i32();
-            tcg_gen_movi_i32(tmp, read_pc(s) & ~(uint32_t)2);
-        }
         val = (insn & 0xff) * 4;
-        tcg_gen_addi_i32(tmp, tmp, val);
+        tmp = add_reg_for_lit(s, insn & (1 << 11) ? 13 : 15, val);
         store_reg(s, rd, tmp);
         break;
 
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The thumb bit has already been removed from s->pc, and is always even.

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, int offset, uint32_t syn)
 /* Force a TB lookup after an instruction that changes the CPU state.  */
 static inline void gen_lookup_tb(DisasContext *s)
 {
-    tcg_gen_movi_i32(cpu_R[15], s->pc & ~1);
+    tcg_gen_movi_i32(cpu_R[15], s->pc);
     s->base.is_jmp = DISAS_EXIT;
 }
 
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                  * self-modifying code correctly and also to take
                  * any pending interrupts immediately.
                  */
-                gen_goto_tb(s, 0, s->pc & ~1);
+                gen_goto_tb(s, 0, s->pc);
                 return;
             case 7: /* sb */
                 if ((insn & 0xf) || !dc_isar_feature(aa32_sb, s)) {
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                  * for TCG; MB and end the TB instead.
                  */
                 tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
-                gen_goto_tb(s, 0, s->pc & ~1);
+                gen_goto_tb(s, 0, s->pc);
                 return;
             default:
                 goto illegal_op;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                              * and also to take any pending interrupts
                              * immediately.
                              */
-                            gen_goto_tb(s, 0, s->pc & ~1);
+                            gen_goto_tb(s, 0, s->pc);
                             break;
                         case 7: /* sb */
                             if ((insn & 0xf) || !dc_isar_feature(aa32_sb, s)) {
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                              * for TCG; MB and end the TB instead.
                              */
                             tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
-                            gen_goto_tb(s, 0, s->pc & ~1);
+                            gen_goto_tb(s, 0, s->pc);
                             break;
                         default:
                             goto illegal_op;
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

We must update s->base.pc_next when we return from the translate_insn
hook to the main translator loop.  By incrementing s->base.pc_next
immediately after reading the insn word, "pc_next" contains the address
of the next instruction throughout translation.

All remaining uses of s->pc are referencing the address of the next insn,
so this is now a simple global replacement.  Remove the "s->pc" field.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190807045335.1361-7-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.h     |   1 -
 target/arm/translate-a64.c |  51 +++++++++---------
 target/arm/translate.c     | 103 ++++++++++++++++++-------------------
 3 files changed, 72 insertions(+), 83 deletions(-)

diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
     DisasContextBase base;
     const ARMISARegisters *isar;
 
-    target_ulong pc;
     /* The address of the current instruction being translated. */
     target_ulong pc_curr;
     target_ulong page_start;
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
 
 static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
 {
-    gen_a64_set_pc_im(s->pc - offset);
+    gen_a64_set_pc_im(s->base.pc_next - offset);
     gen_exception_internal(excp);
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
 static void gen_exception_insn(DisasContext *s, int offset, int excp,
                                uint32_t syndrome, uint32_t target_el)
 {
-    gen_a64_set_pc_im(s->pc - offset);
+    gen_a64_set_pc_im(s->base.pc_next - offset);
     gen_exception(excp, syndrome, target_el);
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, int offset,
 {
     TCGv_i32 tcg_syn;
 
-    gen_a64_set_pc_im(s->pc - offset);
+    gen_a64_set_pc_im(s->base.pc_next - offset);
     tcg_syn = tcg_const_i32(syndrome);
     gen_helper_exception_bkpt_insn(cpu_env, tcg_syn);
     tcg_temp_free_i32(tcg_syn);
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
 
     if (insn & (1U << 31)) {
         /* BL Branch with link */
-        tcg_gen_movi_i64(cpu_reg(s, 30), s->pc);
+        tcg_gen_movi_i64(cpu_reg(s, 30), s->base.pc_next);
     }
 
     /* B Branch / BL Branch with link */
@@ -XXX,XX +XXX,XX @@ static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
     tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
                         tcg_cmp, 0, label_match);
 
-    gen_goto_tb(s, 0, s->pc);
+    gen_goto_tb(s, 0, s->base.pc_next);
     gen_set_label(label_match);
     gen_goto_tb(s, 1, addr);
 }
@@ -XXX,XX +XXX,XX @@ static void disas_test_b_imm(DisasContext *s, uint32_t insn)
     tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
                         tcg_cmp, 0, label_match);
     tcg_temp_free_i64(tcg_cmp);
-    gen_goto_tb(s, 0, s->pc);
+    gen_goto_tb(s, 0, s->base.pc_next);
     gen_set_label(label_match);
     gen_goto_tb(s, 1, addr);
 }
@@ -XXX,XX +XXX,XX @@ static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
         /* genuinely conditional branches */
         TCGLabel *label_match = gen_new_label();
         arm_gen_test_cc(cond, label_match);
-        gen_goto_tb(s, 0, s->pc);
+        gen_goto_tb(s, 0, s->base.pc_next);
         gen_set_label(label_match);
         gen_goto_tb(s, 1, addr);
     } else {
@@ -XXX,XX +XXX,XX @@ static void handle_sync(DisasContext *s, uint32_t insn,
          * any pending interrupts immediately.
          */
         reset_btype(s);
-        gen_goto_tb(s, 0, s->pc);
+        gen_goto_tb(s, 0, s->base.pc_next);
         return;
 
     case 7: /* SB */
@@ -XXX,XX +XXX,XX @@ static void handle_sync(DisasContext *s, uint32_t insn,
          * MB and end the TB instead.
          */
         tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
-        gen_goto_tb(s, 0, s->pc);
+        gen_goto_tb(s, 0, s->base.pc_next);
         return;
 
     default:
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
         gen_a64_set_pc(s, dst);
         /* BLR also needs to load return address */
         if (opc == 1) {
-            tcg_gen_movi_i64(cpu_reg(s, 30), s->pc);
+            tcg_gen_movi_i64(cpu_reg(s, 30), s->base.pc_next);
         }
         break;
 
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
         gen_a64_set_pc(s, dst);
         /* BLRAA also needs to load return address */
         if (opc == 9) {
-            tcg_gen_movi_i64(cpu_reg(s, 30), s->pc);
+            tcg_gen_movi_i64(cpu_reg(s, 30), s->base.pc_next);
         }
         break;
 
@@ -XXX,XX +XXX,XX @@ static void disas_a64_insn(CPUARMState *env, DisasContext *s)
 {
     uint32_t insn;
 
-    s->pc_curr = s->pc;
-    insn = arm_ldl_code(env, s->pc, s->sctlr_b);
+    s->pc_curr = s->base.pc_next;
+    insn = arm_ldl_code(env, s->base.pc_next, s->sctlr_b);
     s->insn = insn;
-    s->pc += 4;
+    s->base.pc_next += 4;
 
     s->fp_access_checked = false;
 
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
     int bound, core_mmu_idx;
 
     dc->isar = &arm_cpu->isar;
-    dc->pc = dc->base.pc_first;
     dc->condjmp = 0;
 
     dc->aarch64 = 1;
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
 
-    tcg_gen_insn_start(dc->pc, 0, 0);
+    tcg_gen_insn_start(dc->base.pc_next, 0, 0);
     dc->insn_start = tcg_last_op();
 }
 
@@ -XXX,XX +XXX,XX @@ static bool aarch64_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
     DisasContext *dc = container_of(dcbase, DisasContext, base);
 
     if (bp->flags & BP_CPU) {
-        gen_a64_set_pc_im(dc->pc);
+        gen_a64_set_pc_im(dc->base.pc_next);
         gen_helper_check_breakpoints(cpu_env);
         /* End the TB early; it likely won't be executed */
         dc->base.is_jmp = DISAS_TOO_MANY;
@@ -XXX,XX +XXX,XX @@ static bool aarch64_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
            to for it to be properly cleared -- thus we
            increment the PC here so that the logic setting
            tb->size below does the right thing.  */
-        dc->pc += 4;
+        dc->base.pc_next += 4;
         dc->base.is_jmp = DISAS_NORETURN;
     }
 
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         disas_a64_insn(env, dc);
     }
 
-    dc->base.pc_next = dc->pc;
     translator_loop_temp_check(&dc->base);
 }
 
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          */
         switch (dc->base.is_jmp) {
         default:
-            gen_a64_set_pc_im(dc->pc);
+            gen_a64_set_pc_im(dc->base.pc_next);
             /* fall through */
         case DISAS_EXIT:
         case DISAS_JUMP:
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         switch (dc->base.is_jmp) {
         case DISAS_NEXT:
         case DISAS_TOO_MANY:
-            gen_goto_tb(dc, 1, dc->pc);
+            gen_goto_tb(dc, 1, dc->base.pc_next);
             break;
         default:
         case DISAS_UPDATE:
-            gen_a64_set_pc_im(dc->pc);
+            gen_a64_set_pc_im(dc->base.pc_next);
             /* fall through */
         case DISAS_EXIT:
             tcg_gen_exit_tb(NULL, 0);
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         case DISAS_SWI:
             break;
         case DISAS_WFE:
-            gen_a64_set_pc_im(dc->pc);
+            gen_a64_set_pc_im(dc->base.pc_next);
             gen_helper_wfe(cpu_env);
             break;
         case DISAS_YIELD:
-            gen_a64_set_pc_im(dc->pc);
+            gen_a64_set_pc_im(dc->base.pc_next);
             gen_helper_yield(cpu_env);
             break;
         case DISAS_WFI:
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
              */
             TCGv_i32 tmp = tcg_const_i32(4);
 
-            gen_a64_set_pc_im(dc->pc);
+            gen_a64_set_pc_im(dc->base.pc_next);
             gen_helper_wfi(cpu_env, tmp);
             tcg_temp_free_i32(tmp);
             /* The helper doesn't necessarily throw an exception, but we
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         }
         }
     }
-
-    /* Functions above can change dc->pc, so re-align db->pc_next */
-    dc->base.pc_next = dc->pc;
 }
 
 static void aarch64_tr_disas_log(const DisasContextBase *dcbase,
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_blxns(DisasContext *s, int rm)
      * We do however need to set the PC, because the blxns helper reads it.
      * The blxns helper may throw an exception.
      */
-    gen_set_pc_im(s, s->pc);
+    gen_set_pc_im(s, s->base.pc_next);
     gen_helper_v7m_blxns(cpu_env, var);
     tcg_temp_free_i32(var);
     s->base.is_jmp = DISAS_EXIT;
@@ -XXX,XX +XXX,XX @@ static inline void gen_hvc(DisasContext *s, int imm16)
      * for single stepping.)
      */
     s->svc_imm = imm16;
-    gen_set_pc_im(s, s->pc);
+    gen_set_pc_im(s, s->base.pc_next);
     s->base.is_jmp = DISAS_HVC;
 }
 
@@ -XXX,XX +XXX,XX @@ static inline void gen_smc(DisasContext *s)
     tmp = tcg_const_i32(syn_aa32_smc());
     gen_helper_pre_smc(cpu_env, tmp);
     tcg_temp_free_i32(tmp);
-    gen_set_pc_im(s, s->pc);
+    gen_set_pc_im(s, s->base.pc_next);
     s->base.is_jmp = DISAS_SMC;
 }
 
 static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
 {
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->pc - offset);
+    gen_set_pc_im(s, s->base.pc_next - offset);
     gen_exception_internal(excp);
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void gen_exception_insn(DisasContext *s, int offset, int excp,
                                int syn, uint32_t target_el)
 {
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->pc - offset);
+    gen_set_pc_im(s, s->base.pc_next - offset);
     gen_exception(excp, syn, target_el);
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, int offset, uint32_t syn)
     TCGv_i32 tcg_syn;
 
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->pc - offset);
+    gen_set_pc_im(s, s->base.pc_next - offset);
     tcg_syn = tcg_const_i32(syn);
     gen_helper_exception_bkpt_insn(cpu_env, tcg_syn);
     tcg_temp_free_i32(tcg_syn);
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, int offset, uint32_t syn)
 /* Force a TB lookup after an instruction that changes the CPU state.  */
 static inline void gen_lookup_tb(DisasContext *s)
 {
-    tcg_gen_movi_i32(cpu_R[15], s->pc);
+    tcg_gen_movi_i32(cpu_R[15], s->base.pc_next);
     s->base.is_jmp = DISAS_EXIT;
 }
 
@@ -XXX,XX +XXX,XX @@ static inline bool use_goto_tb(DisasContext *s, target_ulong dest)
 {
 #ifndef CONFIG_USER_ONLY
     return (s->base.tb->pc & TARGET_PAGE_MASK) == (dest & TARGET_PAGE_MASK) ||
-           ((s->pc - 1) & TARGET_PAGE_MASK) == (dest & TARGET_PAGE_MASK);
+           ((s->base.pc_next - 1) & TARGET_PAGE_MASK) == (dest & TARGET_PAGE_MASK);
 #else
     return true;
 #endif
@@ -XXX,XX +XXX,XX @@ static void gen_nop_hint(DisasContext *s, int val)
          */
     case 1: /* yield */
         if (!(tb_cflags(s->base.tb) & CF_PARALLEL)) {
-            gen_set_pc_im(s, s->pc);
+            gen_set_pc_im(s, s->base.pc_next);
             s->base.is_jmp = DISAS_YIELD;
         }
         break;
     case 3: /* wfi */
-        gen_set_pc_im(s, s->pc);
+        gen_set_pc_im(s, s->base.pc_next);
         s->base.is_jmp = DISAS_WFI;
         break;
     case 2: /* wfe */
         if (!(tb_cflags(s->base.tb) & CF_PARALLEL)) {
-            gen_set_pc_im(s, s->pc);
+            gen_set_pc_im(s, s->base.pc_next);
             s->base.is_jmp = DISAS_WFE;
         }
         break;
@@ -XXX,XX +XXX,XX @@ static int disas_coproc_insn(DisasContext *s, uint32_t insn)
             if (isread) {
                 return 1;
             }
-            gen_set_pc_im(s, s->pc);
+            gen_set_pc_im(s, s->base.pc_next);
             s->base.is_jmp = DISAS_WFI;
             return 0;
         default:
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                  * self-modifying code correctly and also to take
                  * any pending interrupts immediately.
                  */
-                gen_goto_tb(s, 0, s->pc);
+                gen_goto_tb(s, 0, s->base.pc_next);
                 return;
             case 7: /* sb */
                 if ((insn & 0xf) || !dc_isar_feature(aa32_sb, s)) {
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                  * for TCG; MB and end the TB instead.
                  */
                 tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
-                gen_goto_tb(s, 0, s->pc);
+                gen_goto_tb(s, 0, s->base.pc_next);
                 return;
             default:
                 goto illegal_op;
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             int32_t offset;
 
             tmp = tcg_temp_new_i32();
-            tcg_gen_movi_i32(tmp, s->pc);
+            tcg_gen_movi_i32(tmp, s->base.pc_next);
             store_reg(s, 14, tmp);
             /* Sign-extend the 24-bit offset */
             offset = (((int32_t)insn) << 8) >> 8;
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             /* branch link/exchange thumb (blx) */
             tmp = load_reg(s, rm);
             tmp2 = tcg_temp_new_i32();
-            tcg_gen_movi_i32(tmp2, s->pc);
+            tcg_gen_movi_i32(tmp2, s->base.pc_next);
             store_reg(s, 14, tmp2);
             gen_bx(s, tmp);
             break;
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                 /* branch (and link) */
                 if (insn & (1 << 24)) {
                     tmp = tcg_temp_new_i32();
-                    tcg_gen_movi_i32(tmp, s->pc);
+                    tcg_gen_movi_i32(tmp, s->base.pc_next);
                     store_reg(s, 14, tmp);
                 }
                 offset = sextract32(insn << 2, 0, 26);
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             break;
         case 0xf:
             /* swi */
-            gen_set_pc_im(s, s->pc);
+            gen_set_pc_im(s, s->base.pc_next);
             s->svc_imm = extract32(insn, 0, 24);
             s->base.is_jmp = DISAS_SWI;
             break;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
 
                 if (insn & (1 << 14)) {
                     /* Branch and link.  */
-                    tcg_gen_movi_i32(cpu_R[14], s->pc | 1);
+                    tcg_gen_movi_i32(cpu_R[14], s->base.pc_next | 1);
                 }
 
                 offset += read_pc(s);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                              * and also to take any pending interrupts
                              * immediately.
                              */
-                            gen_goto_tb(s, 0, s->pc);
+                            gen_goto_tb(s, 0, s->base.pc_next);
                             break;
                         case 7: /* sb */
                             if ((insn & 0xf) || !dc_isar_feature(aa32_sb, s)) {
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                              * for TCG; MB and end the TB instead.
                              */
                             tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
-                            gen_goto_tb(s, 0, s->pc);
+                            gen_goto_tb(s, 0, s->base.pc_next);
                             break;
                         default:
                             goto illegal_op;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
                 /* BLX/BX */
                 tmp = load_reg(s, rm);
                 if (link) {
-                    val = (uint32_t)s->pc | 1;
+                    val = (uint32_t)s->base.pc_next | 1;
                     tmp2 = tcg_temp_new_i32();
                     tcg_gen_movi_i32(tmp2, val);
                     store_reg(s, 14, tmp2);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
 
         if (cond == 0xf) {
             /* swi */
-            gen_set_pc_im(s, s->pc);
+            gen_set_pc_im(s, s->base.pc_next);
             s->svc_imm = extract32(insn, 0, 8);
             s->base.is_jmp = DISAS_SWI;
             break;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
             tcg_gen_andi_i32(tmp, tmp, 0xfffffffc);
 
             tmp2 = tcg_temp_new_i32();
-            tcg_gen_movi_i32(tmp2, s->pc | 1);
+            tcg_gen_movi_i32(tmp2, s->base.pc_next | 1);
             store_reg(s, 14, tmp2);
             gen_bx(s, tmp);
             break;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
             tcg_gen_addi_i32(tmp, tmp, offset);
 
             tmp2 = tcg_temp_new_i32();
-            tcg_gen_movi_i32(tmp2, s->pc | 1);
+            tcg_gen_movi_i32(tmp2, s->base.pc_next | 1);
             store_reg(s, 14, tmp2);
             gen_bx(s, tmp);
         } else {
@@ -XXX,XX +XXX,XX @@ undef:
 
 static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
 {
-    /* Return true if the insn at dc->pc might cross a page boundary.
+    /* Return true if the insn at dc->base.pc_next might cross a page boundary.
      * (False positives are OK, false negatives are not.)
      * We know this is a Thumb insn, and our caller ensures we are
-     * only called if dc->pc is less than 4 bytes from the page
+     * only called if dc->base.pc_next is less than 4 bytes from the page
      * boundary, so we cross the page if the first 16 bits indicate
      * that this is a 32 bit insn.
      */
-    uint16_t insn = arm_lduw_code(env, s->pc, s->sctlr_b);
+    uint16_t insn = arm_lduw_code(env, s->base.pc_next, s->sctlr_b);
 
-    return !thumb_insn_is_16bit(s, s->pc, insn);
+    return !thumb_insn_is_16bit(s, s->base.pc_next, insn);
 }
 
 static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
     uint32_t condexec, core_mmu_idx;
 
     dc->isar = &cpu->isar;
-    dc->pc = dc->base.pc_first;
     dc->condjmp = 0;
 
     dc->aarch64 = 0;
@@ -XXX,XX +XXX,XX @@ static void arm_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
 
-    tcg_gen_insn_start(dc->pc,
+    tcg_gen_insn_start(dc->base.pc_next,
                        (dc->condexec_cond << 4) | (dc->condexec_mask >> 1),
                        0);
     dc->insn_start = tcg_last_op();
@@ -XXX,XX +XXX,XX @@ static bool arm_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
 
     if (bp->flags & BP_CPU) {
         gen_set_condexec(dc);
-        gen_set_pc_im(dc, dc->pc);
+        gen_set_pc_im(dc, dc->base.pc_next);
         gen_helper_check_breakpoints(cpu_env);
         /* End the TB early; it's likely not going to be executed */
         dc->base.is_jmp = DISAS_TOO_MANY;
@@ -XXX,XX +XXX,XX @@ static bool arm_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
            tb->size below does the right thing.  */
         /* TODO: Advance PC by correct instruction length to
          * avoid disassembler error messages */
-        dc->pc += 2;
+        dc->base.pc_next += 2;
         dc->base.is_jmp = DISAS_NORETURN;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool arm_pre_translate_insn(DisasContext *dc)
 {
 #ifdef CONFIG_USER_ONLY
     /* Intercept jump to the magic kernel page.  */
-    if (dc->pc >= 0xffff0000) {
+    if (dc->base.pc_next >= 0xffff0000) {
         /* We always get here via a jump, so know we are not in a
            conditional execution block.  */
         gen_exception_internal(EXCP_KERNEL_TRAP);
@@ -XXX,XX +XXX,XX @@ static void arm_post_translate_insn(DisasContext *dc)
         gen_set_label(dc->condlabel);
         dc->condjmp = 0;
     }
-    dc->base.pc_next = dc->pc;
     translator_loop_temp_check(&dc->base);
 }
 
@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         return;
     }
 
-    dc->pc_curr = dc->pc;
-    insn = arm_ldl_code(env, dc->pc, dc->sctlr_b);
+    dc->pc_curr = dc->base.pc_next;
+    insn = arm_ldl_code(env, dc->base.pc_next, dc->sctlr_b);
     dc->insn = insn;
-    dc->pc += 4;
+    dc->base.pc_next += 4;
     disas_arm_insn(dc, insn);
 
     arm_post_translate_insn(dc);
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         return;
     }
 
-    dc->pc_curr = dc->pc;
-    insn = arm_lduw_code(env, dc->pc, dc->sctlr_b);
-    is_16bit = thumb_insn_is_16bit(dc, dc->pc, insn);
-    dc->pc += 2;
+    dc->pc_curr = dc->base.pc_next;
+    insn = arm_lduw_code(env, dc->base.pc_next, dc->sctlr_b);
+    is_16bit = thumb_insn_is_16bit(dc, dc->base.pc_next, insn);
+    dc->base.pc_next += 2;
     if (!is_16bit) {
-        uint32_t insn2 = arm_lduw_code(env, dc->pc, dc->sctlr_b);
+        uint32_t insn2 = arm_lduw_code(env, dc->base.pc_next, dc->sctlr_b);
 
         insn = insn << 16 | insn2;
-        dc->pc += 2;
+        dc->base.pc_next += 2;
     }
     dc->insn = insn;
 
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
      * but isn't very efficient).
      */
     if (dc->base.is_jmp == DISAS_NEXT
-        && (dc->pc - dc->page_start >= TARGET_PAGE_SIZE
-            || (dc->pc - dc->page_start >= TARGET_PAGE_SIZE - 3
+        && (dc->base.pc_next - dc->page_start >= TARGET_PAGE_SIZE
+            || (dc->base.pc_next - dc->page_start >= TARGET_PAGE_SIZE - 3
                 && insn_crosses_page(env, dc)))) {
         dc->base.is_jmp = DISAS_TOO_MANY;
     }
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         case DISAS_NEXT:
         case DISAS_TOO_MANY:
         case DISAS_UPDATE:
-            gen_set_pc_im(dc, dc->pc);
+            gen_set_pc_im(dc, dc->base.pc_next);
             /* fall through */
         default:
             /* FIXME: Single stepping a WFI insn will not halt the CPU. */
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         switch(dc->base.is_jmp) {
         case DISAS_NEXT:
         case DISAS_TOO_MANY:
-            gen_goto_tb(dc, 1, dc->pc);
+            gen_goto_tb(dc, 1, dc->base.pc_next);
             break;
         case DISAS_JUMP:
             gen_goto_ptr();
             break;
         case DISAS_UPDATE:
-            gen_set_pc_im(dc, dc->pc);
+            gen_set_pc_im(dc, dc->base.pc_next);
             /* fall through */
         default:
             /* indicate that the hash table must be used to find the next TB */
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         gen_set_label(dc->condlabel);
         gen_set_condexec(dc);
         if (unlikely(is_singlestepping(dc))) {
-            gen_set_pc_im(dc, dc->pc);
+            gen_set_pc_im(dc, dc->base.pc_next);
             gen_singlestep_exception(dc);
         } else {
-            gen_goto_tb(dc, 1, dc->pc);
+            gen_goto_tb(dc, 1, dc->base.pc_next);
         }
     }
-
-    /* Functions above can change dc->pc, so re-align db->pc_next */
-    dc->base.pc_next = dc->pc;
 }
 
 static void arm_tr_disas_log(const DisasContextBase *dcbase, CPUState *cpu)
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The offset is variable depending on the instruction set, whereas
we have stored values for the current pc and the next pc.  Passing
in the actual value is clearer in intent.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190807045335.1361-8-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c     | 25 ++++++++++++++-----------
 target/arm/translate-vfp.inc.c |  6 +++---
 target/arm/translate.c         | 31 ++++++++++++++++---------------
 3 files changed, 33 insertions(+), 29 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
     s->base.is_jmp = DISAS_NORETURN;
 }
 
-static void gen_exception_insn(DisasContext *s, int offset, int excp,
+static void gen_exception_insn(DisasContext *s, uint64_t pc, int excp,
                                uint32_t syndrome, uint32_t target_el)
 {
-    gen_a64_set_pc_im(s->base.pc_next - offset);
+    gen_a64_set_pc_im(pc);
     gen_exception(excp, syndrome, target_el);
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static inline void gen_goto_tb(DisasContext *s, int n, uint64_t dest)
 void unallocated_encoding(DisasContext *s)
 {
     /* Unallocated and reserved encodings are uncategorized */
-    gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                        default_exception_el(s));
 }
 
@@ -XXX,XX +XXX,XX @@ static inline bool fp_access_check(DisasContext *s)
         return true;
     }
 
-    gen_exception_insn(s, 4, EXCP_UDEF, syn_fp_access_trap(1, 0xe, false),
-                       s->fp_excp_el);
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+                       syn_fp_access_trap(1, 0xe, false), s->fp_excp_el);
     return false;
 }
 
@@ -XXX,XX +XXX,XX @@ static inline bool fp_access_check(DisasContext *s)
 bool sve_access_check(DisasContext *s)
 {
     if (s->sve_excp_el) {
-        gen_exception_insn(s, 4, EXCP_UDEF, syn_sve_access_trap(),
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_sve_access_trap(),
                            s->sve_excp_el);
         return false;
     }
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
         switch (op2_ll) {
         case 1:                                                     /* SVC */
             gen_ss_advance(s);
-            gen_exception_insn(s, 0, EXCP_SWI, syn_aa64_svc(imm16),
-                               default_exception_el(s));
+            gen_exception_insn(s, s->base.pc_next, EXCP_SWI,
+                               syn_aa64_svc(imm16), default_exception_el(s));
             break;
         case 2:                                                     /* HVC */
             if (s->current_el == 0) {
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
             gen_a64_set_pc_im(s->pc_curr);
             gen_helper_pre_hvc(cpu_env);
             gen_ss_advance(s);
-            gen_exception_insn(s, 0, EXCP_HVC, syn_aa64_hvc(imm16), 2);
+            gen_exception_insn(s, s->base.pc_next, EXCP_HVC,
+                               syn_aa64_hvc(imm16), 2);
             break;
         case 3:                                                     /* SMC */
             if (s->current_el == 0) {
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
             gen_helper_pre_smc(cpu_env, tmp);
             tcg_temp_free_i32(tmp);
             gen_ss_advance(s);
-            gen_exception_insn(s, 0, EXCP_SMC, syn_aa64_smc(imm16), 3);
+            gen_exception_insn(s, s->base.pc_next, EXCP_SMC,
+                               syn_aa64_smc(imm16), 3);
             break;
         default:
             unallocated_encoding(s);
@@ -XXX,XX +XXX,XX @@ static void disas_a64_insn(CPUARMState *env, DisasContext *s)
             if (s->btype != 0
                 && s->guarded_page
                 && !btype_destination_ok(insn, s->bt, s->btype)) {
-                gen_exception_insn(s, 4, EXCP_UDEF, syn_btitrap(s->btype),
+                gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+                                   syn_btitrap(s->btype),
                                    default_exception_el(s));
                 return;
             }
diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.inc.c
+++ b/target/arm/translate-vfp.inc.c
@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
 {
     if (s->fp_excp_el) {
         if (arm_dc_feature(s, ARM_FEATURE_M)) {
-            gen_exception_insn(s, 4, EXCP_NOCP, syn_uncategorized(),
+            gen_exception_insn(s, s->pc_curr, EXCP_NOCP, syn_uncategorized(),
                                s->fp_excp_el);
         } else {
-            gen_exception_insn(s, 4, EXCP_UDEF,
+            gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                                syn_fp_access_trap(1, 0xe, false),
                                s->fp_excp_el);
         }
@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
 
     if (!s->vfp_enabled && !ignore_vfp_enabled) {
         assert(!arm_dc_feature(s, ARM_FEATURE_M));
-        gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                            default_exception_el(s));
         return false;
     }
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
     s->base.is_jmp = DISAS_NORETURN;
 }
 
-static void gen_exception_insn(DisasContext *s, int offset, int excp,
+static void gen_exception_insn(DisasContext *s, uint32_t pc, int excp,
                                int syn, uint32_t target_el)
 {
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->base.pc_next - offset);
+    gen_set_pc_im(s, pc);
     gen_exception(excp, syn, target_el);
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
         return;
     }
 
-    gen_exception_insn(s, s->thumb ? 2 : 4, EXCP_UDEF, syn_uncategorized(),
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                        default_exception_el(s));
 }
 
@@ -XXX,XX +XXX,XX @@ static bool msr_banked_access_decode(DisasContext *s, int r, int sysm, int rn,
 
 undef:
     /* If we get here then some access check did not pass */
-    gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(), exc_target);
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+                       syn_uncategorized(), exc_target);
     return false;
 }
 
@@ -XXX,XX +XXX,XX @@ static int disas_neon_ls_insn(DisasContext *s, uint32_t insn)
      * for attempts to execute invalid vfp/neon encodings with FP disabled.
      */
     if (s->fp_excp_el) {
-        gen_exception_insn(s, 4, EXCP_UDEF,
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                            syn_simd_access_trap(1, 0xe, false), s->fp_excp_el);
         return 0;
     }
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
      * for attempts to execute invalid vfp/neon encodings with FP disabled.
      */
     if (s->fp_excp_el) {
-        gen_exception_insn(s, 4, EXCP_UDEF,
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                            syn_simd_access_trap(1, 0xe, false), s->fp_excp_el);
         return 0;
     }
@@ -XXX,XX +XXX,XX @@ static int disas_neon_insn_3same_ext(DisasContext *s, uint32_t insn)
     }
 
     if (s->fp_excp_el) {
-        gen_exception_insn(s, 4, EXCP_UDEF,
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                            syn_simd_access_trap(1, 0xe, false), s->fp_excp_el);
         return 0;
     }
@@ -XXX,XX +XXX,XX @@ static int disas_neon_insn_2reg_scalar_ext(DisasContext *s, uint32_t insn)
         off_rm = vfp_reg_offset(0, rm);
     }
     if (s->fp_excp_el) {
-        gen_exception_insn(s, 4, EXCP_UDEF,
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                            syn_simd_access_trap(1, 0xe, false), s->fp_excp_el);
         return 0;
     }
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
      * For the UNPREDICTABLE cases we choose to UNDEF.
      */
     if (s->current_el == 1 && !s->ns && mode == ARM_CPU_MODE_MON) {
-        gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(), 3);
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(), 3);
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
     }
 
     if (undef) {
-        gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                            default_exception_el(s));
         return;
     }
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
      * UsageFault exception.
      */
     if (arm_dc_feature(s, ARM_FEATURE_M)) {
-        gen_exception_insn(s, 4, EXCP_INVSTATE, syn_uncategorized(),
+        gen_exception_insn(s, s->pc_curr, EXCP_INVSTATE, syn_uncategorized(),
                            default_exception_el(s));
         return;
     }
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             break;
         default:
         illegal_op:
-            gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
+            gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                                default_exception_el(s));
             break;
         }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
             }
 
             /* All other insns: NOCP */
-            gen_exception_insn(s, 4, EXCP_NOCP, syn_uncategorized(),
+            gen_exception_insn(s, s->pc_curr, EXCP_NOCP, syn_uncategorized(),
                                default_exception_el(s));
             break;
         }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
     }
     return;
 illegal_op:
-    gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                        default_exception_el(s));
 }
 
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
     return;
 illegal_op:
 undef:
-    gen_exception_insn(s, 2, EXCP_UDEF, syn_uncategorized(),
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                        default_exception_el(s));
 }
 
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The offset is variable depending on the instruction set.
Passing in the actual value is clearer in intent.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190807045335.1361-9-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 8 ++++----
 target/arm/translate.c     | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
     tcg_temp_free_i32(tcg_excp);
 }
 
-static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
+static void gen_exception_internal_insn(DisasContext *s, uint64_t pc, int excp)
 {
-    gen_a64_set_pc_im(s->base.pc_next - offset);
+    gen_a64_set_pc_im(pc);
     gen_exception_internal(excp);
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
                 break;
             }
 #endif
-            gen_exception_internal_insn(s, 0, EXCP_SEMIHOST);
+            gen_exception_internal_insn(s, s->base.pc_next, EXCP_SEMIHOST);
         } else {
             unsupported_encoding(s, insn);
         }
@@ -XXX,XX +XXX,XX @@ static bool aarch64_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
         /* End the TB early; it likely won't be executed */
         dc->base.is_jmp = DISAS_TOO_MANY;
     } else {
-        gen_exception_internal_insn(dc, 0, EXCP_DEBUG);
+        gen_exception_internal_insn(dc, dc->base.pc_next, EXCP_DEBUG);
         /* The address covered by the breakpoint must be
            included in [tb->pc, tb->pc + tb->size) in order
            to for it to be properly cleared -- thus we
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_smc(DisasContext *s)
     s->base.is_jmp = DISAS_SMC;
 }
 
-static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
+static void gen_exception_internal_insn(DisasContext *s, uint32_t pc, int excp)
 {
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->base.pc_next - offset);
+    gen_set_pc_im(s, pc);
     gen_exception_internal(excp);
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
         s->current_el != 0 &&
 #endif
         (imm == (s->thumb ? 0x3c : 0xf000))) {
-        gen_exception_internal_insn(s, 0, EXCP_SEMIHOST);
+        gen_exception_internal_insn(s, s->base.pc_next, EXCP_SEMIHOST);
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool arm_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
         /* End the TB early; it's likely not going to be executed */
         dc->base.is_jmp = DISAS_TOO_MANY;
     } else {
-        gen_exception_internal_insn(dc, 0, EXCP_DEBUG);
+        gen_exception_internal_insn(dc, dc->base.pc_next, EXCP_DEBUG);
         /* The address covered by the breakpoint must be
            included in [tb->pc, tb->pc + tb->size) in order
            to for it to be properly cleared -- thus we
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Unlike the other more generic gen_exception{,_internal}_insn
interfaces, breakpoints always refer to the current instruction.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190807045335.1361-10-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 7 +++----
 target/arm/translate.c     | 8 ++++----
 2 files changed, 7 insertions(+), 8 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Promote this function from aarch64 to fully general use.
Use it to unify the code sequences for generating illegal
opcode exceptions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190807045335.1361-11-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.h     |  2 --
 target/arm/translate.h         |  2 ++
 target/arm/translate-a64.c     |  7 -------
 target/arm/translate-vfp.inc.c |  3 +--
 target/arm/translate.c         | 22 ++++++++++++----------
 5 files changed, 15 insertions(+), 21 deletions(-)

diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@
 #ifndef TARGET_ARM_TRANSLATE_A64_H
 #define TARGET_ARM_TRANSLATE_A64_H
 
-void unallocated_encoding(DisasContext *s);
-
 #define unsupported_encoding(s, insn)                                    \
     do {                                                                 \
         qemu_log_mask(LOG_UNIMP,                                         \
diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasCompare {
     bool value_global;
 } DisasCompare;
 
+void unallocated_encoding(DisasContext *s);
+
 /* Share the TCG temporaries common between 32 and 64 bit modes.  */
 extern TCGv_i32 cpu_NF, cpu_ZF, cpu_CF, cpu_VF;
 extern TCGv_i64 cpu_exclusive_addr;
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_goto_tb(DisasContext *s, int n, uint64_t dest)
     }
 }
 
-void unallocated_encoding(DisasContext *s)
-{
-    /* Unallocated and reserved encodings are uncategorized */
-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                       default_exception_el(s));
-}
-
 static void init_tmp_a64_array(DisasContext *s)
 {
 #ifdef CONFIG_DEBUG_TCG
diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.inc.c
+++ b/target/arm/translate-vfp.inc.c
@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
 
     if (!s->vfp_enabled && !ignore_vfp_enabled) {
         assert(!arm_dc_feature(s, ARM_FEATURE_M));
-        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                           default_exception_el(s));
+        unallocated_encoding(s);
         return false;
     }
 
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syn)
     s->base.is_jmp = DISAS_NORETURN;
 }
 
+void unallocated_encoding(DisasContext *s)
+{
+    /* Unallocated and reserved encodings are uncategorized */
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
+                       default_exception_el(s));
+}
+
 /* Force a TB lookup after an instruction that changes the CPU state.  */
 static inline void gen_lookup_tb(DisasContext *s)
 {
@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
         return;
     }
 
-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                       default_exception_el(s));
+    unallocated_encoding(s);
 }
 
 static inline void gen_add_data_offset(DisasContext *s, unsigned int insn,
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
     }
 
     if (undef) {
-        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                           default_exception_el(s));
+        unallocated_encoding(s);
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             break;
         default:
         illegal_op:
-            gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                               default_exception_el(s));
+            unallocated_encoding(s);
             break;
         }
     }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
     }
     return;
 illegal_op:
-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                       default_exception_el(s));
+    unallocated_encoding(s);
 }
 
 static void disas_thumb_insn(DisasContext *s, uint32_t insn)
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
     return;
 illegal_op:
 undef:
-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                       default_exception_el(s));
+    unallocated_encoding(s);
 }
 
 static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Replace x = double_saturate(y) with x = add_saturate(y, y).
There is no need for a separate more specialized helper.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190807045335.1361-12-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.h    |  1 -
 target/arm/op_helper.c | 15 ---------------
 target/arm/translate.c |  4 ++--
 3 files changed, 2 insertions(+), 18 deletions(-)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_3(add_saturate, i32, env, i32, i32)
 DEF_HELPER_3(sub_saturate, i32, env, i32, i32)
 DEF_HELPER_3(add_usaturate, i32, env, i32, i32)
 DEF_HELPER_3(sub_usaturate, i32, env, i32, i32)
-DEF_HELPER_2(double_saturate, i32, env, s32)
 DEF_HELPER_FLAGS_2(sdiv, TCG_CALL_NO_RWG_SE, s32, s32, s32)
 DEF_HELPER_FLAGS_2(udiv, TCG_CALL_NO_RWG_SE, i32, i32, i32)
 DEF_HELPER_FLAGS_1(rbit, TCG_CALL_NO_RWG_SE, i32, i32)
diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/op_helper.c
+++ b/target/arm/op_helper.c
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(sub_saturate)(CPUARMState *env, uint32_t a, uint32_t b)
     return res;
 }
 
-uint32_t HELPER(double_saturate)(CPUARMState *env, int32_t val)
-{
-    uint32_t res;
-    if (val >= 0x40000000) {
-        res = ~SIGNBIT;
-        env->QF = 1;
-    } else if (val <= (int32_t)0xc0000000) {
-        res = SIGNBIT;
-        env->QF = 1;
-    } else {
-        res = val << 1;
-    }
-    return res;
-}
-
 uint32_t HELPER(add_usaturate)(CPUARMState *env, uint32_t a, uint32_t b)
 {
     uint32_t res = a + b;
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             tmp = load_reg(s, rm);
             tmp2 = load_reg(s, rn);
             if (op1 & 2)
-                gen_helper_double_saturate(tmp2, cpu_env, tmp2);
+                gen_helper_add_saturate(tmp2, cpu_env, tmp2, tmp2);
             if (op1 & 1)
                 gen_helper_sub_saturate(tmp, cpu_env, tmp, tmp2);
             else
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                 tmp = load_reg(s, rn);
                 tmp2 = load_reg(s, rm);
                 if (op & 1)
-                    gen_helper_double_saturate(tmp, cpu_env, tmp);
+                    gen_helper_add_saturate(tmp, cpu_env, tmp, tmp);
                 if (op & 2)
                     gen_helper_sub_saturate(tmp, cpu_env, tmp2, tmp);
                 else
-- 
2.20.1

From: Andrew Jones <drjones@redhat.com>

If -cpu <cpu>,aarch64=off is used then KVM must also be used, and it
and the host must support running the vcpu in 32-bit mode. Also, if
-cpu <cpu>,aarch64=on is used, then it doesn't matter if kvm is
enabled or not.

Signed-off-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/kvm_arm.h | 14 ++++++++++++++
 target/arm/cpu64.c   | 12 ++++++------
 target/arm/kvm64.c   |  9 +++++++++
 3 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm_arm.h
+++ b/target/arm/kvm_arm.h
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf);
  */
 void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu);
 
+/**
+ * kvm_arm_aarch32_supported:
+ * @cs: CPUState
+ *
+ * Returns: true if the KVM VCPU can enable AArch32 mode
+ * and false otherwise.
+ */
+bool kvm_arm_aarch32_supported(CPUState *cs);
+
 /**
  * kvm_arm_get_max_vm_ipa_size - Returns the number of bits in the
  * IPA address space supported by KVM
@@ -XXX,XX +XXX,XX @@ static inline void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu)
     cpu->host_cpu_probe_failed = true;
 }
 
+static inline bool kvm_arm_aarch32_supported(CPUState *cs)
+{
+    return false;
+}
+
 static inline int kvm_arm_get_max_vm_ipa_size(MachineState *ms)
 {
     return -ENOENT;
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_set_aarch64(Object *obj, bool value, Error **errp)
      * restriction allows us to avoid fixing up functionality that assumes a
      * uniform execution state like do_interrupt.
      */
-    if (!kvm_enabled()) {
-        error_setg(errp, "'aarch64' feature cannot be disabled "
-                         "unless KVM is enabled");
-        return;
-    }
-
     if (value == false) {
+        if (!kvm_enabled() || !kvm_arm_aarch32_supported(CPU(cpu))) {
+            error_setg(errp, "'aarch64' feature cannot be disabled "
+                             "unless KVM is enabled and 32-bit EL1 "
+                             "is supported");
+            return;
+        }
         unset_feature(&cpu->env, ARM_FEATURE_AARCH64);
     } else {
         set_feature(&cpu->env, ARM_FEATURE_AARCH64);
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@
 #include "exec/gdbstub.h"
 #include "sysemu/sysemu.h"
 #include "sysemu/kvm.h"
+#include "sysemu/kvm_int.h"
 #include "kvm_arm.h"
+#include "hw/boards.h"
 #include "internals.h"
 
 static bool have_guest_debug;
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
     return true;
 }
 
+bool kvm_arm_aarch32_supported(CPUState *cpu)
+{
+    KVMState *s = KVM_STATE(current_machine->accelerator);
+
+    return kvm_check_extension(s, KVM_CAP_ARM_EL1_32BIT);
+}
+
 #define ARM_CPU_ID_MPIDR       3, 0, 0, 0, 5
 
 int kvm_arch_init_vcpu(CPUState *cs)
-- 
2.20.1

From: Andrew Jones <drjones@redhat.com>

We first convert the pmu property from a static property to one with
its own accessors. Then we use the set accessor to check if the PMU is
supported when using KVM. Indeed a 32-bit KVM host does not support
the PMU, so this check will catch an attempt to use it at property-set
time.

Signed-off-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/kvm_arm.h | 14 ++++++++++++++
 target/arm/cpu.c     | 30 +++++++++++++++++++++++++-----
 target/arm/kvm.c     |  7 +++++++
 3 files changed, 46 insertions(+), 5 deletions(-)

diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm_arm.h
+++ b/target/arm/kvm_arm.h
@@ -XXX,XX +XXX,XX @@ void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu);
  */
 bool kvm_arm_aarch32_supported(CPUState *cs);
 
+/**
+ * bool kvm_arm_pmu_supported:
+ * @cs: CPUState
+ *
+ * Returns: true if the KVM VCPU can enable its PMU
+ * and false otherwise.
+ */
+bool kvm_arm_pmu_supported(CPUState *cs);
+
 /**
  * kvm_arm_get_max_vm_ipa_size - Returns the number of bits in the
  * IPA address space supported by KVM
@@ -XXX,XX +XXX,XX @@ static inline bool kvm_arm_aarch32_supported(CPUState *cs)
     return false;
 }
 
+static inline bool kvm_arm_pmu_supported(CPUState *cs)
+{
+    return false;
+}
+
 static inline int kvm_arm_get_max_vm_ipa_size(MachineState *ms)
 {
     return -ENOENT;
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static Property arm_cpu_has_el3_property =
 static Property arm_cpu_cfgend_property =
             DEFINE_PROP_BOOL("cfgend", ARMCPU, cfgend, false);
 
-/* use property name "pmu" to match other archs and virt tools */
-static Property arm_cpu_has_pmu_property =
-            DEFINE_PROP_BOOL("pmu", ARMCPU, has_pmu, true);
-
 static Property arm_cpu_has_vfp_property =
             DEFINE_PROP_BOOL("vfp", ARMCPU, has_vfp, true);
 
@@ -XXX,XX +XXX,XX @@ static Property arm_cpu_pmsav7_dregion_property =
                                            pmsav7_dregion,
                                            qdev_prop_uint32, uint32_t);
 
+static bool arm_get_pmu(Object *obj, Error **errp)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    return cpu->has_pmu;
+}
+
+static void arm_set_pmu(Object *obj, bool value, Error **errp)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    if (value) {
+        if (kvm_enabled() && !kvm_arm_pmu_supported(CPU(cpu))) {
+            error_setg(errp, "'pmu' feature not supported by KVM on this host");
+            return;
+        }
+        set_feature(&cpu->env, ARM_FEATURE_PMU);
+    } else {
+        unset_feature(&cpu->env, ARM_FEATURE_PMU);
+    }
+    cpu->has_pmu = value;
+}
+
 static void arm_get_init_svtor(Object *obj, Visitor *v, const char *name,
                                void *opaque, Error **errp)
 {
@@ -XXX,XX +XXX,XX @@ void arm_cpu_post_init(Object *obj)
     }
 
     if (arm_feature(&cpu->env, ARM_FEATURE_PMU)) {
-        qdev_property_add_static(DEVICE(obj), &arm_cpu_has_pmu_property,
+        cpu->has_pmu = true;
+        object_property_add_bool(obj, "pmu", arm_get_pmu, arm_set_pmu,
                                  &error_abort);
     }
 
diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm.c
+++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@ void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu)
     env->features = arm_host_cpu_features.features;
 }
 
+bool kvm_arm_pmu_supported(CPUState *cpu)
+{
+    KVMState *s = KVM_STATE(current_machine->accelerator);
+
+    return kvm_check_extension(s, KVM_CAP_ARM_PMU_V3);
+}
+
 int kvm_arm_get_max_vm_ipa_size(MachineState *ms)
 {
     KVMState *s = KVM_STATE(ms->accelerator);
-- 
2.20.1

From: Andrew Jones <drjones@redhat.com>

The current implementation of ZCR_ELx matches the architecture, only
implementing the lower four bits, with the rest RAZ/WI. This puts
a strict limit on ARM_MAX_VQ of 16. Make sure we don't let ARM_MAX_VQ
grow without a corresponding update here.

Suggested-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void zcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
     int new_len;
 
     /* Bits other than [3:0] are RAZ/WI.  */
+    QEMU_BUILD_BUG_ON(ARM_MAX_VQ > 16);
     raw_write(env, ri, value & 0xf);
 
     /*
-- 
2.20.1

From: Andrew Jones <drjones@redhat.com>

A couple return -EINVAL's forgot their '-'s.

Signed-off-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/kvm64.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ int kvm_arch_put_registers(CPUState *cs, int level)
     write_cpustate_to_list(cpu, true);
 
     if (!write_list_to_kvmstate(cpu, level)) {
-        return EINVAL;
+        return -EINVAL;
     }
 
     kvm_arm_sync_mpstate_to_kvm(cpu);
@@ -XXX,XX +XXX,XX @@ int kvm_arch_get_registers(CPUState *cs)
     }
 
     if (!write_kvmstate_to_list(cpu)) {
-        return EINVAL;
+        return -EINVAL;
     }
     /* Note that it's OK to have registers which aren't in CPUState,
      * so we can ignore a failure return here.
-- 
2.20.1

From: Andrew Jones <drjones@redhat.com>

Move the getting/putting of the fpsimd registers out of
kvm_arch_get/put_registers() into their own helper functions
to prepare for alternatively getting/putting SVE registers.

No functional change.

Signed-off-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/kvm64.c | 148 +++++++++++++++++++++++++++------------------
 1 file changed, 88 insertions(+), 60 deletions(-)

diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ int kvm_arm_cpreg_level(uint64_t regidx)
 #define AARCH64_SIMD_CTRL_REG(x)   (KVM_REG_ARM64 | KVM_REG_SIZE_U32 | \
                  KVM_REG_ARM_CORE | KVM_REG_ARM_CORE_REG(x))
 
+static int kvm_arch_put_fpsimd(CPUState *cs)
+{
+    ARMCPU *cpu = ARM_CPU(cs);
+    CPUARMState *env = &cpu->env;
+    struct kvm_one_reg reg;
+    uint32_t fpr;
+    int i, ret;
+
+    for (i = 0; i < 32; i++) {
+        uint64_t *q = aa64_vfp_qreg(env, i);
+#ifdef HOST_WORDS_BIGENDIAN
+        uint64_t fp_val[2] = { q[1], q[0] };
+        reg.addr = (uintptr_t)fp_val;
+#else
+        reg.addr = (uintptr_t)q;
+#endif
+        reg.id = AARCH64_SIMD_CORE_REG(fp_regs.vregs[i]);
+        ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
+        if (ret) {
+            return ret;
+        }
+    }
+
+    reg.addr = (uintptr_t)(&fpr);
+    fpr = vfp_get_fpsr(env);
+    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
+    ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
+    if (ret) {
+        return ret;
+    }
+
+    reg.addr = (uintptr_t)(&fpr);
+    fpr = vfp_get_fpcr(env);
+    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
+    ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
+    if (ret) {
+        return ret;
+    }
+
+    return 0;
+}
+
 int kvm_arch_put_registers(CPUState *cs, int level)
 {
     struct kvm_one_reg reg;
-    uint32_t fpr;
     uint64_t val;
-    int i;
-    int ret;
+    int i, ret;
     unsigned int el;
 
     ARMCPU *cpu = ARM_CPU(cs);
@@ -XXX,XX +XXX,XX @@ int kvm_arch_put_registers(CPUState *cs, int level)
         }
     }
 
-    /* Advanced SIMD and FP registers. */
-    for (i = 0; i < 32; i++) {
-        uint64_t *q = aa64_vfp_qreg(env, i);
-#ifdef HOST_WORDS_BIGENDIAN
-        uint64_t fp_val[2] = { q[1], q[0] };
-        reg.addr = (uintptr_t)fp_val;
-#else
-        reg.addr = (uintptr_t)q;
-#endif
-        reg.id = AARCH64_SIMD_CORE_REG(fp_regs.vregs[i]);
-        ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
-        if (ret) {
-            return ret;
-        }
-    }
-
-    reg.addr = (uintptr_t)(&fpr);
-    fpr = vfp_get_fpsr(env);
-    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
-    ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
-    if (ret) {
-        return ret;
-    }
-
-    fpr = vfp_get_fpcr(env);
-    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
-    ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
+    ret = kvm_arch_put_fpsimd(cs);
     if (ret) {
         return ret;
     }
@@ -XXX,XX +XXX,XX @@ int kvm_arch_put_registers(CPUState *cs, int level)
     return ret;
 }
 
+static int kvm_arch_get_fpsimd(CPUState *cs)
+{
+    ARMCPU *cpu = ARM_CPU(cs);
+    CPUARMState *env = &cpu->env;
+    struct kvm_one_reg reg;
+    uint32_t fpr;
+    int i, ret;
+
+    for (i = 0; i < 32; i++) {
+        uint64_t *q = aa64_vfp_qreg(env, i);
+        reg.id = AARCH64_SIMD_CORE_REG(fp_regs.vregs[i]);
+        reg.addr = (uintptr_t)q;
+        ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
+        if (ret) {
+            return ret;
+        } else {
+#ifdef HOST_WORDS_BIGENDIAN
+            uint64_t t;
+            t = q[0], q[0] = q[1], q[1] = t;
+#endif
+        }
+    }
+
+    reg.addr = (uintptr_t)(&fpr);
+    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
+    ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
+    if (ret) {
+        return ret;
+    }
+    vfp_set_fpsr(env, fpr);
+
+    reg.addr = (uintptr_t)(&fpr);
+    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
+    ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
+    if (ret) {
+        return ret;
+    }
+    vfp_set_fpcr(env, fpr);
+
+    return 0;
+}
+
 int kvm_arch_get_registers(CPUState *cs)
 {
     struct kvm_one_reg reg;
     uint64_t val;
-    uint32_t fpr;
     unsigned int el;
-    int i;
-    int ret;
+    int i, ret;
 
     ARMCPU *cpu = ARM_CPU(cs);
     CPUARMState *env = &cpu->env;
@@ -XXX,XX +XXX,XX @@ int kvm_arch_get_registers(CPUState *cs)
         env->spsr = env->banked_spsr[i];
     }
 
-    /* Advanced SIMD and FP registers */
-    for (i = 0; i < 32; i++) {
-        uint64_t *q = aa64_vfp_qreg(env, i);
-        reg.id = AARCH64_SIMD_CORE_REG(fp_regs.vregs[i]);
-        reg.addr = (uintptr_t)q;
-        ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
-        if (ret) {
-            return ret;
-        } else {
-#ifdef HOST_WORDS_BIGENDIAN
-            uint64_t t;
-            t = q[0], q[0] = q[1], q[1] = t;
-#endif
-        }
-    }
-
-    reg.addr = (uintptr_t)(&fpr);
-    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
-    ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
+    ret = kvm_arch_get_fpsimd(cs);
     if (ret) {
         return ret;
     }
-    vfp_set_fpsr(env, fpr);
-
-    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
-    ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
-    if (ret) {
-        return ret;
-    }
-    vfp_set_fpcr(env, fpr);
 
     ret = kvm_get_vcpu_events(cpu);
     if (ret) {
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Extract is a compact combination of shift + and.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190808202616.13782-2-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_sar(TCGv_i32 dest, TCGv_i32 t0, TCGv_i32 t1)
 
 static void shifter_out_im(TCGv_i32 var, int shift)
 {
-    if (shift == 0) {
-        tcg_gen_andi_i32(cpu_CF, var, 1);
-    } else {
-        tcg_gen_shri_i32(cpu_CF, var, shift);
-        if (shift != 31) {
-            tcg_gen_andi_i32(cpu_CF, cpu_CF, 1);
-        }
-    }
+    tcg_gen_extract_i32(cpu_CF, var, shift, 1);
 }
 
 /* Shift by immediate.  Includes special handling for shift == 0.  */
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Use deposit as the composit operation to merge the
bits from the two inputs.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190808202616.13782-3-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 26 ++++++++++----------------
 1 file changed, 10 insertions(+), 16 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                         shift = (insn >> 7) & 0x1f;
                         if (insn & (1 << 6)) {
                             /* pkhtb */
-                            if (shift == 0)
+                            if (shift == 0) {
                                 shift = 31;
+                            }
                             tcg_gen_sari_i32(tmp2, tmp2, shift);
-                            tcg_gen_andi_i32(tmp, tmp, 0xffff0000);
-                            tcg_gen_ext16u_i32(tmp2, tmp2);
+                            tcg_gen_deposit_i32(tmp, tmp, tmp2, 0, 16);
                         } else {
                             /* pkhbt */
-                            if (shift)
-                                tcg_gen_shli_i32(tmp2, tmp2, shift);
-                            tcg_gen_ext16u_i32(tmp, tmp);
-                            tcg_gen_andi_i32(tmp2, tmp2, 0xffff0000);
+                            tcg_gen_shli_i32(tmp2, tmp2, shift);
+                            tcg_gen_deposit_i32(tmp, tmp2, tmp, 0, 16);
                         }
-                        tcg_gen_or_i32(tmp, tmp, tmp2);
                         tcg_temp_free_i32(tmp2);
                         store_reg(s, rd, tmp);
                     } else if ((insn & 0x00200020) == 0x00200000) {
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
             shift = ((insn >> 10) & 0x1c) | ((insn >> 6) & 0x3);
             if (insn & (1 << 5)) {
                 /* pkhtb */
-                if (shift == 0)
+                if (shift == 0) {
                     shift = 31;
+                }
                 tcg_gen_sari_i32(tmp2, tmp2, shift);
-                tcg_gen_andi_i32(tmp, tmp, 0xffff0000);
-                tcg_gen_ext16u_i32(tmp2, tmp2);
+                tcg_gen_deposit_i32(tmp, tmp, tmp2, 0, 16);
             } else {
                 /* pkhbt */
-                if (shift)
-                    tcg_gen_shli_i32(tmp2, tmp2, shift);
-                tcg_gen_ext16u_i32(tmp, tmp);
-                tcg_gen_andi_i32(tmp2, tmp2, 0xffff0000);
+                tcg_gen_shli_i32(tmp2, tmp2, shift);
+                tcg_gen_deposit_i32(tmp, tmp2, tmp, 0, 16);
             }
-            tcg_gen_or_i32(tmp, tmp, tmp2);
             tcg_temp_free_i32(tmp2);
             store_reg(s, rd, tmp);
         } else {
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The immediate shift generator functions already test for,
and eliminate, the case of a shift by zero.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190808202616.13782-4-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                         shift = (insn >> 10) & 3;
                         /* ??? In many cases it's not necessary to do a
                            rotate, a shift is sufficient.  */
-                        if (shift != 0)
-                            tcg_gen_rotri_i32(tmp, tmp, shift * 8);
+                        tcg_gen_rotri_i32(tmp, tmp, shift * 8);
                         op1 = (insn >> 20) & 7;
                         switch (op1) {
                         case 0: gen_sxtb16(tmp);  break;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
             shift = (insn >> 4) & 3;
             /* ??? In many cases it's not necessary to do a
                rotate, a shift is sufficient.  */
-            if (shift != 0)
-                tcg_gen_rotri_i32(tmp, tmp, shift * 8);
+            tcg_gen_rotri_i32(tmp, tmp, shift * 8);
             op = (insn >> 20) & 7;
             switch (op) {
             case 0: gen_sxth(tmp);   break;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                     case 7:
                         goto illegal_op;
                     default: /* Saturate.  */
-                        if (shift) {
-                            if (op & 1)
-                                tcg_gen_sari_i32(tmp, tmp, shift);
-                            else
-                                tcg_gen_shli_i32(tmp, tmp, shift);
+                        if (op & 1) {
+                            tcg_gen_sari_i32(tmp, tmp, shift);
+                        } else {
+                            tcg_gen_shli_i32(tmp, tmp, shift);
                         }
                         tmp2 = tcg_const_i32(imm);
                         if (op & 4) {
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                     goto illegal_op;
                 }
                 tmp = load_reg(s, rm);
-                if (shift) {
-                    tcg_gen_shli_i32(tmp, tmp, shift);
-                }
+                tcg_gen_shli_i32(tmp, tmp, shift);
                 tcg_gen_add_i32(addr, addr, tmp);
                 tcg_temp_free_i32(tmp);
                 break;
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The helper function is more documentary, and also already
handles the case of rotate by zero.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190808202616.13782-5-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                 /* CPSR = immediate */
                 val = insn & 0xff;
                 shift = ((insn >> 8) & 0xf) * 2;
-                if (shift)
-                    val = (val >> shift) | (val << (32 - shift));
+                val = ror32(val, shift);
                 i = ((insn & (1 << 22)) != 0);
                 if (gen_set_psr_im(s, msr_mask(s, (insn >> 16) & 0xf, i),
                                    i, val)) {
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             /* immediate operand */
             val = insn & 0xff;
             shift = ((insn >> 8) & 0xf) * 2;
-            if (shift) {
-                val = (val >> shift) | (val << (32 - shift));
-            }
+            val = ror32(val, shift);
             tmp2 = tcg_temp_new_i32();
             tcg_gen_movi_i32(tmp2, val);
             if (logic_cc && shift) {
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Rotate is the more compact and obvious way to swap 16-bit
elements of a 32-bit word.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190808202616.13782-6-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static TCGv_i64 gen_muls_i64_i32(TCGv_i32 a, TCGv_i32 b)
 /* Swap low and high halfwords.  */
 static void gen_swap_half(TCGv_i32 var)
 {
-    TCGv_i32 tmp = tcg_temp_new_i32();
-    tcg_gen_shri_i32(tmp, var, 16);
-    tcg_gen_shli_i32(var, var, 16);
-    tcg_gen_or_i32(var, var, tmp);
-    tcg_temp_free_i32(tmp);
+    tcg_gen_rotri_i32(var, var, 16);
 }
 
 /* Dual 16-bit add.  Result placed in t0 and t1 is marked as dead.
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

All of the inputs to these instructions are 32-bits.  Rather than
extend each input to 64-bits and then extract the high 32-bits of
the output, use tcg_gen_muls2_i32 and other 32-bit generator functions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190808202616.13782-7-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 72 +++++++++++++++---------------------------
 1 file changed, 26 insertions(+), 46 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_revsh(TCGv_i32 var)
     tcg_gen_ext16s_i32(var, var);
 }
 
-/* Return (b << 32) + a. Mark inputs as dead */
-static TCGv_i64 gen_addq_msw(TCGv_i64 a, TCGv_i32 b)
-{
-    TCGv_i64 tmp64 = tcg_temp_new_i64();
-
-    tcg_gen_extu_i32_i64(tmp64, b);
-    tcg_temp_free_i32(b);
-    tcg_gen_shli_i64(tmp64, tmp64, 32);
-    tcg_gen_add_i64(a, tmp64, a);
-
-    tcg_temp_free_i64(tmp64);
-    return a;
-}
-
-/* Return (b << 32) - a. Mark inputs as dead. */
-static TCGv_i64 gen_subq_msw(TCGv_i64 a, TCGv_i32 b)
-{
-    TCGv_i64 tmp64 = tcg_temp_new_i64();
-
-    tcg_gen_extu_i32_i64(tmp64, b);
-    tcg_temp_free_i32(b);
-    tcg_gen_shli_i64(tmp64, tmp64, 32);
-    tcg_gen_sub_i64(a, tmp64, a);
-
-    tcg_temp_free_i64(tmp64);
-    return a;
-}
-
 /* 32x32->64 multiply.  Marks inputs as dead.  */
 static TCGv_i64 gen_mulu_i64_i32(TCGv_i32 a, TCGv_i32 b)
 {
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                            (SMMUL, SMMLA, SMMLS) */
                         tmp = load_reg(s, rm);
                         tmp2 = load_reg(s, rs);
-                        tmp64 = gen_muls_i64_i32(tmp, tmp2);
+                        tcg_gen_muls2_i32(tmp2, tmp, tmp, tmp2);
 
                         if (rd != 15) {
-                            tmp = load_reg(s, rd);
+                            tmp3 = load_reg(s, rd);
                             if (insn & (1 << 6)) {
-                                tmp64 = gen_subq_msw(tmp64, tmp);
+                                tcg_gen_sub_i32(tmp, tmp, tmp3);
                             } else {
-                                tmp64 = gen_addq_msw(tmp64, tmp);
+                                tcg_gen_add_i32(tmp, tmp, tmp3);
                             }
+                            tcg_temp_free_i32(tmp3);
                         }
                         if (insn & (1 << 5)) {
-                            tcg_gen_addi_i64(tmp64, tmp64, 0x80000000u);
+                            /*
+                             * Adding 0x80000000 to the 64-bit quantity
+                             * means that we have carry in to the high
+                             * word when the low word has the high bit set.
+                             */
+                            tcg_gen_shri_i32(tmp2, tmp2, 31);
+                            tcg_gen_add_i32(tmp, tmp, tmp2);
                         }
-                        tcg_gen_shri_i64(tmp64, tmp64, 32);
-                        tmp = tcg_temp_new_i32();
-                        tcg_gen_extrl_i64_i32(tmp, tmp64);
-                        tcg_temp_free_i64(tmp64);
+                        tcg_temp_free_i32(tmp2);
                         store_reg(s, rn, tmp);
                         break;
                     case 0:
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                   }
                 break;
             case 5: case 6: /* 32 * 32 -> 32msb (SMMUL, SMMLA, SMMLS) */
-                tmp64 = gen_muls_i64_i32(tmp, tmp2);
+                tcg_gen_muls2_i32(tmp2, tmp, tmp, tmp2);
                 if (rs != 15) {
-                    tmp = load_reg(s, rs);
+                    tmp3 = load_reg(s, rs);
                     if (insn & (1 << 20)) {
-                        tmp64 = gen_addq_msw(tmp64, tmp);
+                        tcg_gen_add_i32(tmp, tmp, tmp3);
                     } else {
-                        tmp64 = gen_subq_msw(tmp64, tmp);
+                        tcg_gen_sub_i32(tmp, tmp, tmp3);
                     }
+                    tcg_temp_free_i32(tmp3);
                 }
                 if (insn & (1 << 4)) {
-                    tcg_gen_addi_i64(tmp64, tmp64, 0x80000000u);
+                    /*
+                     * Adding 0x80000000 to the 64-bit quantity
+                     * means that we have carry in to the high
+                     * word when the low word has the high bit set.
+                     */
+                    tcg_gen_shri_i32(tmp2, tmp2, 31);
+                    tcg_gen_add_i32(tmp, tmp, tmp2);
                 }
-                tcg_gen_shri_i64(tmp64, tmp64, 32);
-                tmp = tcg_temp_new_i32();
-                tcg_gen_extrl_i64_i32(tmp, tmp64);
-                tcg_temp_free_i64(tmp64);
+                tcg_temp_free_i32(tmp2);
                 break;
             case 7: /* Unsigned sum of absolute differences.  */
                 gen_helper_usad8(tmp, tmp, tmp2);
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Separate shift + extract low will result in one extra insn
for hosts like RISC-V, MIPS, and Sparc.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190808202616.13782-8-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static int disas_iwmmxt_insn(DisasContext *s, uint32_t insn)
             if (insn & ARM_CP_RW_BIT) {                         /* TMRRC */
                 iwmmxt_load_reg(cpu_V0, wrd);
                 tcg_gen_extrl_i64_i32(cpu_R[rdlo], cpu_V0);
-                tcg_gen_shri_i64(cpu_V0, cpu_V0, 32);
-                tcg_gen_extrl_i64_i32(cpu_R[rdhi], cpu_V0);
+                tcg_gen_extrh_i64_i32(cpu_R[rdhi], cpu_V0);
             } else {                                    /* TMCRR */
                 tcg_gen_concat_i32_i64(cpu_V0, cpu_R[rdlo], cpu_R[rdhi]);
                 iwmmxt_store_reg(cpu_V0, wrd);
@@ -XXX,XX +XXX,XX @@ static int disas_dsp_insn(DisasContext *s, uint32_t insn)
         if (insn & ARM_CP_RW_BIT) {                     /* MRA */
             iwmmxt_load_reg(cpu_V0, acc);
             tcg_gen_extrl_i64_i32(cpu_R[rdlo], cpu_V0);
-            tcg_gen_shri_i64(cpu_V0, cpu_V0, 32);
-            tcg_gen_extrl_i64_i32(cpu_R[rdhi], cpu_V0);
+            tcg_gen_extrh_i64_i32(cpu_R[rdhi], cpu_V0);
             tcg_gen_andi_i32(cpu_R[rdhi], cpu_R[rdhi], (1 << (40 - 32)) - 1);
         } else {                                        /* MAR */
             tcg_gen_concat_i32_i64(cpu_V0, cpu_R[rdlo], cpu_R[rdhi]);
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                                 gen_helper_neon_narrow_high_u16(tmp, cpu_V0);
                                 break;
                             case 2:
-                                tcg_gen_shri_i64(cpu_V0, cpu_V0, 32);
-                                tcg_gen_extrl_i64_i32(tmp, cpu_V0);
+                                tcg_gen_extrh_i64_i32(tmp, cpu_V0);
                                 break;
                             default: abort();
                             }
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                                 break;
                             case 2:
                                 tcg_gen_addi_i64(cpu_V0, cpu_V0, 1u << 31);
-                                tcg_gen_shri_i64(cpu_V0, cpu_V0, 32);
-                                tcg_gen_extrl_i64_i32(tmp, cpu_V0);
+                                tcg_gen_extrh_i64_i32(tmp, cpu_V0);
                                 break;
                             default: abort();
                             }
@@ -XXX,XX +XXX,XX @@ static int disas_coproc_insn(DisasContext *s, uint32_t insn)
                 tmp = tcg_temp_new_i32();
                 tcg_gen_extrl_i64_i32(tmp, tmp64);
                 store_reg(s, rt, tmp);
-                tcg_gen_shri_i64(tmp64, tmp64, 32);
                 tmp = tcg_temp_new_i32();
-                tcg_gen_extrl_i64_i32(tmp, tmp64);
+                tcg_gen_extrh_i64_i32(tmp, tmp64);
                 tcg_temp_free_i64(tmp64);
                 store_reg(s, rt2, tmp);
             } else {
@@ -XXX,XX +XXX,XX @@ static void gen_storeq_reg(DisasContext *s, int rlow, int rhigh, TCGv_i64 val)
     tcg_gen_extrl_i64_i32(tmp, val);
     store_reg(s, rlow, tmp);
     tmp = tcg_temp_new_i32();
-    tcg_gen_shri_i64(val, val, 32);
-    tcg_gen_extrl_i64_i32(tmp, val);
+    tcg_gen_extrh_i64_i32(tmp, val);
     store_reg(s, rhigh, tmp);
 }
 
-- 
2.20.1