From: Peter Maydell
To: qemu-arm@nongnu.org, qemu-devel@nongnu.org
Cc: Richard Henderson , patches@linaro.org
Date: Fri, 24 Aug 2018 15:13:33 +0100
Message-Id: <20180824141333.24903-1-peter.maydell@linaro.org>
Subject: [Qemu-devel] [PATCH] target/arm: Don't calculate zcr_len for TB flags in non-SVE CPUs

Skip calculation of the zcr_len part of TB flags if the CPU doesn't have SVE. This fixes a bug where for a non-SVE CPU we might end up with a bogus zcr_len value of -1, which then trashes other TB flags when it is ORed into the flags word, resulting in a QEMU crash later due to a bogus mmu_idx field.

Signed-off-by: Peter Maydell
---
Not entirely sure why this doesn't cause us problems more often. I saw it with an AArch32 setup with an A57 with EL2 but not EL3.

 target/arm/helper.c | 36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 088f452716e..89767f55a1e 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -12597,26 +12597,28 @@ void cpu_get_tb_cpu_state(CPUARMState *env, targe= t_ulong *pc, flags |=3D (arm_regime_tbi1(env, mmu_idx) << ARM_TBFLAG_TBI1_SHIFT= ); flags |=3D sve_el << ARM_TBFLAG_SVEEXC_EL_SHIFT; =20 - /* If SVE is disabled, but FP is enabled, - then the effective len is 0. */ - if (sve_el !=3D 0 && fp_el =3D=3D 0) { - zcr_len =3D 0; - } else { - int current_el =3D arm_current_el(env); - ARMCPU *cpu =3D arm_env_get_cpu(env); + if (arm_feature(env, ARM_FEATURE_SVE)) { + /* If SVE is disabled, but FP is enabled, + then the effective len is 0. */ + if (sve_el !=3D 0 && fp_el =3D=3D 0) { + zcr_len =3D 0; + } else { + int current_el =3D arm_current_el(env); + ARMCPU *cpu =3D arm_env_get_cpu(env); =20 - zcr_len =3D cpu->sve_max_vq - 1; - if (current_el <=3D 1) { - zcr_len =3D MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[1= ]); - } - if (current_el < 2 && arm_feature(env, ARM_FEATURE_EL2)) { - zcr_len =3D MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[2= ]); - } - if (current_el < 3 && arm_feature(env, ARM_FEATURE_EL3)) { - zcr_len =3D MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[3= ]); + zcr_len =3D cpu->sve_max_vq - 1; + if (current_el <=3D 1) { + zcr_len =3D MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_= el[1]); + } + if (current_el < 2 && arm_feature(env, ARM_FEATURE_EL2)) { + zcr_len =3D MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_= el[2]); + } + if (current_el < 3 && arm_feature(env, ARM_FEATURE_EL3)) { + zcr_len =3D MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_= el[3]); + } } + flags |=3D zcr_len << ARM_TBFLAG_ZCR_LEN_SHIFT; } - flags |=3D zcr_len << ARM_TBFLAG_ZCR_LEN_SHIFT; } else { *pc =3D env->regs[15]; flags =3D (env->thumb << ARM_TBFLAG_THUMB_SHIFT) --=20 2.18.0
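Review bot: the new `arm_feature(env, ARM_FEATURE_SVE)` guard stops the non-SVE case from reaching `zcr_len = cpu->sve_max_vq - 1`, but the arithmetic inside the branch is unchanged, so any CPU with the SVE feature bit set and `sve_max_vq == 0` would still produce -1, and the three `MIN(zcr_len, 0xf & ...)` clamps cannot rescue a negative value because MIN against a non-negative operand keeps the negative one. Since the commit message describes exactly this failure mode (a -1 shifted by `ARM_TBFLAG_ZCR_LEN_SHIFT` and ORed into `flags`, corrupting the mmu_idx field), consider making the invariant explicit inside the new branch, for example `assert(cpu->sve_max_vq >= 1);` before the subtraction, or an `assert((zcr_len & ~0xf) == 0);` immediately before `flags |= zcr_len << ARM_TBFLAG_ZCR_LEN_SHIFT;`, so a bad vector-length configuration fails loudly at translation time instead of silently trashing unrelated TB flags. A smaller question on the same hunk: `flags |= sve_el << ARM_TBFLAG_SVEEXC_EL_SHIFT;` stays above the guard and is still emitted for non-SVE CPUs; if that is intentional (the translator ignoring the field when SVE is absent), a one-line comment saying so would save the next reader from wondering why only ZCR_LEN was moved.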