Series comparison

-[Qemu-devel] [PULL 00/37] target-arm queue
+[Qemu-devel] [PULL 00/29] target-arm queue
-First target-arm pullreq of the 4.0 series; most of this
+First arm pullreq of 4.2...
 is Mao's cleanups that finally let us drop sysbus::init;
 the most interesting user-visible feature is RTH's patches
 adding some v8.1 and v8.2 architecture features.
 thanks
 -- PMM
-The following changes since commit 6145a6d84b3bf0f25935b88543febe076c61b0f4:
+The following changes since commit 27608c7c66bd923eb5e5faab80e795408cbe2b51:
-  Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20181212' into staging (2018-12-13 13:06:09 +0000)
+  Merge remote-tracking branch 'remotes/dgilbert/tags/pull-migration-20190814a' into staging (2019-08-16 12:00:18 +0100)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20181213
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190816
-for you to fetch changes up to 2d7137c10fafefe40a0a049ff8a7bd78b66e661f:
+for you to fetch changes up to 664b7e3b97d6376f3329986c465b3782458b0f8b:
-  target/arm: Implement the ARMv8.1-LOR extension (2018-12-13 14:41:24 +0000)
+  target/arm: Use tcg_gen_extrh_i64_i32 to extract the high word (2019-08-16 14:02:53 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * Convert various devices from sysbus init to instance_init
+ * target/arm: generate a custom MIDR for -cpu max
- * Remove the now unused sysbus init support entirely
+ * hw/misc/zynq_slcr: refactor to use standard register definition
- * Allow AArch64 processors to boot from a kernel placed over 4GB
+ * Set ENET_BD_BDU in I.MX FEC controller
- * hw: arm: musicpal: drop TYPE_WM8750 in object_property_set_link()
+ * target/arm: Fix routing of singlestep exceptions
- * versal: minor fixes to virtio-mmio instantation
+ * refactor a32/t32 decoder handling of PC
- * arm: Implement the ARMv8.1-HPD extension
+ * minor optimisations/cleanups of some a32/t32 codegen
- * arm: Implement the ARMv8.2-AA32HPD extension
+ * target/arm/cpu64: Ensure kvm really supports aarch64=off
- * arm: Implement the ARMv8.1-LOR extension (as the trivial
+ * target/arm/cpu: Ensure we can use the pmu with kvm
-   "no limited ordering regions provided" minimum)
+ * target/arm: Minor cleanups preparatory to KVM SVE support
 ----------------------------------------------------------------
-Edgar E. Iglesias (4):
+Aaron Hill (1):
-      hw/arm: versal: Remove bogus virtio-mmio creation
+      Set ENET_BD_BDU in I.MX FEC controller
       hw/arm: versal: Reduce number of virtio-mmio instances
       hw/arm: versal: Use IRQs 111 - 118 for virtio-mmio
       hw/arm: versal: Correct the nr of IRQs to 192
-Li Qiang (1):
+Alex Bennée (1):
-      hw: arm: musicpal: drop TYPE_WM8750 in object_property_set_link()
+      target/arm: generate a custom MIDR for -cpu max
-Mao Zhongyi (21):
+Andrew Jones (6):
-      musicpal: Convert sysbus init function to realize function
+      target/arm/cpu64: Ensure kvm really supports aarch64=off
-      block/noenand: Convert sysbus init function to realize function
+      target/arm/cpu: Ensure we can use the pmu with kvm
-      char/grlib_apbuart: Convert sysbus init function to realize function
+      target/arm/helper: zcr: Add build bug next to value range assumption
-      core/empty_slot: Convert sysbus init function to realize function
+      target/arm/cpu: Use div-round-up to determine predicate register array size
-      display/g364fb: Convert sysbus init function to realize function
+      target/arm/kvm64: Fix error returns
-      dma/puv3_dma: Convert sysbus init function to realize function
+      target/arm/kvm64: Move the get/put of fpsimd registers out
       gpio/puv3_gpio: Convert sysbus init function to realize function
       milkymist-softusb: Convert sysbus init function to realize function
       input/pl050: Convert sysbus init function to realize function
       intc/puv3_intc: Convert sysbus init function to realize function
       milkymist-hpdmc: Convert sysbus init function to realize function
       milkymist-pfpu: Convert sysbus init function to realize function
       puv3_pm.c: Convert sysbus init function to realize function
       nvram/ds1225y: Convert sysbus init function to realize function
       pci-bridge/dec: Convert sysbus init function to realize function
       timer/etraxfs_timer: Convert sysbus init function to realize function
       timer/grlib_gptimer: Convert sysbus init function to realize function
       timer/puv3_ost: Convert sysbus init function to realize function
       usb/tusb6010: Convert sysbus init function to realize function
       xen_backend: remove xen_sysdev_init() function
       core/sysbus: remove the SysBusDeviceClass::init path
-Peter Maydell (1):
+Damien Hedde (1):
-      target/arm: Move id_aa64mmfr* to ARMISARegisters
+      hw/misc/zynq_slcr: use standard register definition
-Ricardo Perez Blanco (1):
+Peter Maydell (2):
-      Allow AArch64 processors to boot from a kernel placed over 4GB
+      target/arm: Factor out 'generate singlestep exception' function
       target/arm: Fix routing of singlestep exceptions
-Richard Henderson (9):
+Richard Henderson (18):
-      target/arm: Add HCR_EL2 bits up to ARMv8.5
+      target/arm: Pass in pc to thumb_insn_is_16bit
-      target/arm: Add SCR_EL3 bits up to ARMv8.5
+      target/arm: Introduce pc_curr
-      target/arm: Fix HCR_EL2.TGE check in arm_phys_excp_target_el
+      target/arm: Introduce read_pc
-      target/arm: Tidy scr_write
+      target/arm: Introduce add_reg_for_lit
-      target/arm: Implement the ARMv8.1-HPD extension
+      target/arm: Remove redundant s->pc & ~1
-      target/arm: Implement the ARMv8.2-AA32HPD extension
+      target/arm: Replace s->pc with s->base.pc_next
-      target/arm: Introduce arm_hcr_el2_eff
+      target/arm: Replace offset with pc in gen_exception_insn
-      target/arm: Use arm_hcr_el2_eff more places
+      target/arm: Replace offset with pc in gen_exception_internal_insn
-      target/arm: Implement the ARMv8.1-LOR extension
+      target/arm: Remove offset argument to gen_exception_bkpt_insn
       target/arm: Use unallocated_encoding for aarch32
       target/arm: Remove helper_double_saturate
       target/arm: Use tcg_gen_extract_i32 for shifter_out_im
       target/arm: Use tcg_gen_deposit_i32 for PKHBT, PKHTB
       target/arm: Remove redundant shift tests
       target/arm: Use ror32 instead of open-coding the operation
       target/arm: Use tcg_gen_rotri_i32 for gen_swap_half
       target/arm: Simplify SMMLA, SMMLAR, SMMLS, SMMLSR
       target/arm: Use tcg_gen_extrh_i64_i32 to extract the high word
- include/hw/arm/xlnx-versal.h |   8 +-
+ target/arm/cpu.h               |  13 +-
- include/hw/sysbus.h          |   3 -
+ target/arm/helper.h            |   1 -
- target/arm/cpu.h             | 141 ++++++++++++++++-----------
+ target/arm/kvm_arm.h           |  28 ++
- target/arm/internals.h       |   3 +-
+ target/arm/translate-a64.h     |   4 +-
- hw/arm/boot.c                |  35 ++++---
+ target/arm/translate.h         |  39 ++-
- hw/arm/musicpal.c            |  11 +--
+ hw/misc/zynq_slcr.c            | 450 ++++++++++++++++----------------
- hw/arm/xlnx-versal-virt.c    |   7 +-
+ hw/net/imx_fec.c               |   4 +
- hw/block/onenand.c           |  16 ++--
+ target/arm/cpu.c               |  30 ++-
- hw/char/grlib_apbuart.c      |  12 +--
+ target/arm/cpu64.c             |  31 ++-
- hw/core/empty_slot.c         |   9 +-
+ target/arm/helper.c            |   7 +
- hw/core/sysbus.c             |  15 +--
+ target/arm/kvm.c               |   7 +
- hw/display/g364fb.c          |   9 +-
+ target/arm/kvm64.c             | 161 +++++++-----
- hw/dma/puv3_dma.c            |  10 +-
+ target/arm/op_helper.c         |  15 --
- hw/gpio/puv3_gpio.c          |  29 +++---
+ target/arm/translate-a64.c     | 130 ++++------
- hw/input/milkymist-softusb.c |  16 ++--
+ target/arm/translate-vfp.inc.c |  45 +---
- hw/input/pl050.c             |  11 +--
+ target/arm/translate.c         | 572 +++++++++++++++++------------------------
- hw/intc/arm_gicv3_cpuif.c    |  21 ++--
+files changed, 771 insertions(+), 766 deletions(-)
  hw/intc/puv3_intc.c          |  11 +--
  hw/misc/milkymist-hpdmc.c    |   9 +-
  hw/misc/milkymist-pfpu.c     |  12 +--
  hw/misc/puv3_pm.c            |  10 +-
  hw/nvram/ds1225y.c           |  12 +--
  hw/pci-bridge/dec.c          |  12 +--
  hw/timer/etraxfs_timer.c     |  14 +--
  hw/timer/grlib_gptimer.c     |  11 +--
  hw/timer/puv3_ost.c          |  13 ++-
  hw/usb/tusb6010.c            |   8 +-
  hw/xen/xen_backend.c         |   7 --
  target/arm/cpu.c             |   4 +
  target/arm/cpu64.c           |  11 ++-
  target/arm/helper.c          | 222 ++++++++++++++++++++++++++++++++++++-------
  target/arm/kvm64.c           |   4 +
  target/arm/op_helper.c       |  14 ++-
  target/arm/translate-a64.c   |  12 +++
 files changed, 456 insertions(+), 286 deletions(-)

-[Qemu-devel] [PULL 28/37] target/arm: Move id_aa64mmfr* to ARMISARegisters
+[Qemu-devel] [PULL 01/29] target/arm: generate a custom MIDR for -cpu max
-At the same time, define the fields for these registers,
+From: Alex Bennée <alex.bennee@linaro.org>
 and use those defines in arm_pamax().
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+While most features are now detected by probing the ID_* registers
-Message-id: 20181203203839.757-2-richard.henderson@linaro.org
+kernels can (and do) use MIDR_EL1 for working out of they have to
 apply errata. This can trip up warnings in the kernel as it tries to
 work out if it should apply workarounds to features that don't
 actually exist in the reported CPU type.
 Avoid this problem by synthesising our own MIDR value.
 Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-[PMM: fixed up typo (s/achf/ahcf/) belatedly spotted by RTH]
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20190726113950.7499-1-alex.bennee@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.h       | 26 ++++++++++++++++++++++++--
+ target/arm/cpu.h   |  6 ++++++
- target/arm/internals.h |  3 ++-
+ target/arm/cpu64.c | 19 +++++++++++++++++++
- target/arm/cpu64.c     |  6 +++---
+files changed, 25 insertions(+)
  target/arm/helper.c    |  4 ++--
  target/arm/kvm64.c     |  4 ++++
 files changed, 35 insertions(+), 8 deletions(-)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
+@@ -XXX,XX +XXX,XX @@ FIELD(V7M_FPCCR, ASPEN, 31, 1)
-         uint64_t id_aa64isar1;
+ /*
-         uint64_t id_aa64pfr0;
+  * System register ID fields.
-         uint64_t id_aa64pfr1;
+  */
-+        uint64_t id_aa64mmfr0;
++FIELD(MIDR_EL1, REVISION, 0, 4)
-+        uint64_t id_aa64mmfr1;
++FIELD(MIDR_EL1, PARTNUM, 4, 12)
-     } isar;
++FIELD(MIDR_EL1, ARCHITECTURE, 16, 4)
-     uint32_t midr;
++FIELD(MIDR_EL1, VARIANT, 20, 4)
-     uint32_t revidr;
++FIELD(MIDR_EL1, IMPLEMENTER, 24, 8)
@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
      uint64_t id_aa64dfr1;
      uint64_t id_aa64afr0;
      uint64_t id_aa64afr1;
 -    uint64_t id_aa64mmfr0;
 -    uint64_t id_aa64mmfr1;
      uint32_t dbgdidr;
      uint32_t clidr;
      uint64_t mp_affinity; /* MP ID without feature bits */
@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64PFR0, GIC, 24, 4)
  FIELD(ID_AA64PFR0, RAS, 28, 4)
  FIELD(ID_AA64PFR0, SVE, 32, 4)
 +FIELD(ID_AA64MMFR0, PARANGE, 0, 4)
 +FIELD(ID_AA64MMFR0, ASIDBITS, 4, 4)
 +FIELD(ID_AA64MMFR0, BIGEND, 8, 4)
 +FIELD(ID_AA64MMFR0, SNSMEM, 12, 4)
 +FIELD(ID_AA64MMFR0, BIGENDEL0, 16, 4)
 +FIELD(ID_AA64MMFR0, TGRAN16, 20, 4)
 +FIELD(ID_AA64MMFR0, TGRAN64, 24, 4)
 +FIELD(ID_AA64MMFR0, TGRAN4, 28, 4)
 +FIELD(ID_AA64MMFR0, TGRAN16_2, 32, 4)
 +FIELD(ID_AA64MMFR0, TGRAN64_2, 36, 4)
 +FIELD(ID_AA64MMFR0, TGRAN4_2, 40, 4)
 +FIELD(ID_AA64MMFR0, EXS, 44, 4)
 +
-+FIELD(ID_AA64MMFR1, HAFDBS, 0, 4)
+ FIELD(ID_ISAR0, SWAP, 0, 4)
-+FIELD(ID_AA64MMFR1, VMIDBITS, 4, 4)
+ FIELD(ID_ISAR0, BITCOUNT, 4, 4)
-+FIELD(ID_AA64MMFR1, VH, 8, 4)
+ FIELD(ID_ISAR0, BITFIELD, 8, 4)
 +FIELD(ID_AA64MMFR1, HPDS, 12, 4)
 +FIELD(ID_AA64MMFR1, LO, 16, 4)
 +FIELD(ID_AA64MMFR1, PAN, 20, 4)
 +FIELD(ID_AA64MMFR1, SPECSEI, 24, 4)
 +FIELD(ID_AA64MMFR1, XNX, 28, 4)
 +
  QEMU_BUILD_BUG_ON(ARRAY_SIZE(((ARMCPU *)0)->ccsidr) <= R_V7M_CSSELR_INDEX_MASK);
  /* If adding a feature bit which corresponds to a Linux ELF
 diff --git a/target/arm/internals.h b/target/arm/internals.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/internals.h
 +++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline unsigned int arm_pamax(ARMCPU *cpu)
          [4] = 44,
          [5] = 48,
      };
 -    unsigned int parange = extract32(cpu->id_aa64mmfr0, 0, 4);
 +    unsigned int parange =
 +        FIELD_EX64(cpu->isar.id_aa64mmfr0, ID_AA64MMFR0, PARANGE);
      /* id_aa64mmfr0 is a read-only register so values outside of the
       * supported mappings can be considered an implementation error.  */
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu64.c
 +++ b/target/arm/cpu64.c
-@@ -XXX,XX +XXX,XX @@ static void aarch64_a57_initfn(Object *obj)
+@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
-     cpu->pmceid0 = 0x00000000;
+         uint32_t u;
-     cpu->pmceid1 = 0x00000000;
+         aarch64_a57_initfn(obj);
-     cpu->isar.id_aa64isar0 = 0x00011120;
--    cpu->id_aa64mmfr0 = 0x00001124;
++        /*
-+    cpu->isar.id_aa64mmfr0 = 0x00001124;
++         * Reset MIDR so the guest doesn't mistake our 'max' CPU type for a real
-     cpu->dbgdidr = 0x3516d000;
++         * one and try to apply errata workarounds or use impdef features we
-     cpu->clidr = 0x0a200023;
++         * don't provide.
-     cpu->ccsidr[0] = 0x701fe00a; /* 32KB L1 dcache */
++         * An IMPLEMENTER field of 0 means "reserved for software use";
-@@ -XXX,XX +XXX,XX @@ static void aarch64_a53_initfn(Object *obj)
++         * ARCHITECTURE must be 0xf indicating "v7 or later, check ID registers
-     cpu->isar.id_aa64pfr0 = 0x00002222;
++         * to see which features are present";
-     cpu->id_aa64dfr0 = 0x10305106;
++         * the VARIANT, PARTNUM and REVISION fields are all implementation
-     cpu->isar.id_aa64isar0 = 0x00011120;
++         * defined and we choose to define PARTNUM just in case guest
--    cpu->id_aa64mmfr0 = 0x00001122; /* 40 bit physical addr */
++         * code needs to distinguish this QEMU CPU from other software
-+    cpu->isar.id_aa64mmfr0 = 0x00001122; /* 40 bit physical addr */
++         * implementations, though this shouldn't be needed.
-     cpu->dbgdidr = 0x3516d000;
++         */
-     cpu->clidr = 0x0a200023;
++        t = FIELD_DP64(0, MIDR_EL1, IMPLEMENTER, 0);
-     cpu->ccsidr[0] = 0x700fe01a; /* 32KB L1 dcache */
++        t = FIELD_DP64(t, MIDR_EL1, ARCHITECTURE, 0xf);
-@@ -XXX,XX +XXX,XX @@ static void aarch64_a72_initfn(Object *obj)
++        t = FIELD_DP64(t, MIDR_EL1, PARTNUM, 'Q');
-     cpu->pmceid0 = 0x00000000;
++        t = FIELD_DP64(t, MIDR_EL1, VARIANT, 0);
-     cpu->pmceid1 = 0x00000000;
++        t = FIELD_DP64(t, MIDR_EL1, REVISION, 0);
-     cpu->isar.id_aa64isar0 = 0x00011120;
++        cpu->midr = t;
--    cpu->id_aa64mmfr0 = 0x00001124;
++
-+    cpu->isar.id_aa64mmfr0 = 0x00001124;
+         t = cpu->isar.id_aa64isar0;
-     cpu->dbgdidr = 0x3516d000;
+         t = FIELD_DP64(t, ID_AA64ISAR0, AES, 2); /* AES + PMULL */
-     cpu->clidr = 0x0a200023;
+         t = FIELD_DP64(t, ID_AA64ISAR0, SHA1, 1);
      cpu->ccsidr[0] = 0x701fe00a; /* 32KB L1 dcache */
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
              { .name = "ID_AA64MMFR0_EL1", .state = ARM_CP_STATE_AA64,
                .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 0,
                .access = PL1_R, .type = ARM_CP_CONST,
 -              .resetvalue = cpu->id_aa64mmfr0 },
 +              .resetvalue = cpu->isar.id_aa64mmfr0 },
              { .name = "ID_AA64MMFR1_EL1", .state = ARM_CP_STATE_AA64,
                .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 1,
                .access = PL1_R, .type = ARM_CP_CONST,
 -              .resetvalue = cpu->id_aa64mmfr1 },
 +              .resetvalue = cpu->isar.id_aa64mmfr1 },
              { .name = "ID_AA64MMFR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
                .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 2,
                .access = PL1_R, .type = ARM_CP_CONST,
 diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm64.c
 +++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
                                ARM64_SYS_REG(3, 0, 0, 6, 0));
          err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64isar1,
                                ARM64_SYS_REG(3, 0, 0, 6, 1));
 +        err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64mmfr0,
 +                              ARM64_SYS_REG(3, 0, 0, 7, 0));
 +        err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64mmfr1,
 +                              ARM64_SYS_REG(3, 0, 0, 7, 1));
          /*
           * Note that if AArch32 support is not present in the host,
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 25/37] hw/arm: versal: Reduce number of virtio-mmio instances
+[Qemu-devel] [PULL 02/29] hw/misc/zynq_slcr: use standard register definition
-From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
+From: Damien Hedde <damien.hedde@greensocs.com>
-Reduce number of virtio-mmio instances. This is in preparation
+Replace the zynq_slcr registers enum and macros using the
-for correcting the interrupt setup for Versal.
+hw/registerfields.h macros.
-Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Signed-off-by: Damien Hedde <damien.hedde@greensocs.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Message-id: 20181129163655.20370-3-edgar.iglesias@gmail.com
+Message-id: 20190729145654.14644-30-damien.hedde@greensocs.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/xlnx-versal-virt.c | 2 +-
+ hw/misc/zynq_slcr.c | 450 ++++++++++++++++++++++----------------------
-file changed, 1 insertion(+), 1 deletion(-)
+file changed, 225 insertions(+), 225 deletions(-)
-diff --git a/hw/arm/xlnx-versal-virt.c b/hw/arm/xlnx-versal-virt.c
+diff --git a/hw/misc/zynq_slcr.c b/hw/misc/zynq_slcr.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/xlnx-versal-virt.c
+--- a/hw/misc/zynq_slcr.c
-+++ b/hw/arm/xlnx-versal-virt.c
++++ b/hw/misc/zynq_slcr.c
-@@ -XXX,XX +XXX,XX @@ static void *versal_virt_get_dtb(const struct arm_boot_info *binfo,
+@@ -XXX,XX +XXX,XX @@
-     return board->fdt;
+ #include "sysemu/sysemu.h"
  #include "qemu/log.h"
  #include "qemu/module.h"
 +#include "hw/registerfields.h"
  #ifndef ZYNQ_SLCR_ERR_DEBUG
  #define ZYNQ_SLCR_ERR_DEBUG 0
@@ -XXX,XX +XXX,XX @@
  #define XILINX_LOCK_KEY 0x767b
  #define XILINX_UNLOCK_KEY 0xdf0d
 -#define R_PSS_RST_CTRL_SOFT_RST 0x1
 +REG32(SCL, 0x000)
 +REG32(LOCK, 0x004)
 +REG32(UNLOCK, 0x008)
 +REG32(LOCKSTA, 0x00c)
 -enum {
 -    SCL             = 0x000 / 4,
 -    LOCK,
 -    UNLOCK,
 -    LOCKSTA,
 +REG32(ARM_PLL_CTRL, 0x100)
 +REG32(DDR_PLL_CTRL, 0x104)
 +REG32(IO_PLL_CTRL, 0x108)
 +REG32(PLL_STATUS, 0x10c)
 +REG32(ARM_PLL_CFG, 0x110)
 +REG32(DDR_PLL_CFG, 0x114)
 +REG32(IO_PLL_CFG, 0x118)
 -    ARM_PLL_CTRL    = 0x100 / 4,
 -    DDR_PLL_CTRL,
 -    IO_PLL_CTRL,
 -    PLL_STATUS,
 -    ARM_PLL_CFG,
 -    DDR_PLL_CFG,
 -    IO_PLL_CFG,
 -
 -    ARM_CLK_CTRL    = 0x120 / 4,
 -    DDR_CLK_CTRL,
 -    DCI_CLK_CTRL,
 -    APER_CLK_CTRL,
 -    USB0_CLK_CTRL,
 -    USB1_CLK_CTRL,
 -    GEM0_RCLK_CTRL,
 -    GEM1_RCLK_CTRL,
 -    GEM0_CLK_CTRL,
 -    GEM1_CLK_CTRL,
 -    SMC_CLK_CTRL,
 -    LQSPI_CLK_CTRL,
 -    SDIO_CLK_CTRL,
 -    UART_CLK_CTRL,
 -    SPI_CLK_CTRL,
 -    CAN_CLK_CTRL,
 -    CAN_MIOCLK_CTRL,
 -    DBG_CLK_CTRL,
 -    PCAP_CLK_CTRL,
 -    TOPSW_CLK_CTRL,
 +REG32(ARM_CLK_CTRL, 0x120)
 +REG32(DDR_CLK_CTRL, 0x124)
 +REG32(DCI_CLK_CTRL, 0x128)
 +REG32(APER_CLK_CTRL, 0x12c)
 +REG32(USB0_CLK_CTRL, 0x130)
 +REG32(USB1_CLK_CTRL, 0x134)
 +REG32(GEM0_RCLK_CTRL, 0x138)
 +REG32(GEM1_RCLK_CTRL, 0x13c)
 +REG32(GEM0_CLK_CTRL, 0x140)
 +REG32(GEM1_CLK_CTRL, 0x144)
 +REG32(SMC_CLK_CTRL, 0x148)
 +REG32(LQSPI_CLK_CTRL, 0x14c)
 +REG32(SDIO_CLK_CTRL, 0x150)
 +REG32(UART_CLK_CTRL, 0x154)
 +REG32(SPI_CLK_CTRL, 0x158)
 +REG32(CAN_CLK_CTRL, 0x15c)
 +REG32(CAN_MIOCLK_CTRL, 0x160)
 +REG32(DBG_CLK_CTRL, 0x164)
 +REG32(PCAP_CLK_CTRL, 0x168)
 +REG32(TOPSW_CLK_CTRL, 0x16c)
  #define FPGA_CTRL_REGS(n, start) \
 -    FPGA ## n ## _CLK_CTRL = (start) / 4, \
 -    FPGA ## n ## _THR_CTRL, \
 -    FPGA ## n ## _THR_CNT, \
 -    FPGA ## n ## _THR_STA,
 -    FPGA_CTRL_REGS(0, 0x170)
 -    FPGA_CTRL_REGS(1, 0x180)
 -    FPGA_CTRL_REGS(2, 0x190)
 -    FPGA_CTRL_REGS(3, 0x1a0)
 +    REG32(FPGA ## n ## _CLK_CTRL, (start)) \
 +    REG32(FPGA ## n ## _THR_CTRL, (start) + 0x4)\
 +    REG32(FPGA ## n ## _THR_CNT,  (start) + 0x8)\
 +    REG32(FPGA ## n ## _THR_STA,  (start) + 0xc)
 +FPGA_CTRL_REGS(0, 0x170)
 +FPGA_CTRL_REGS(1, 0x180)
 +FPGA_CTRL_REGS(2, 0x190)
 +FPGA_CTRL_REGS(3, 0x1a0)
 -    BANDGAP_TRIP    = 0x1b8 / 4,
 -    PLL_PREDIVISOR  = 0x1c0 / 4,
 -    CLK_621_TRUE,
 +REG32(BANDGAP_TRIP, 0x1b8)
 +REG32(PLL_PREDIVISOR, 0x1c0)
 +REG32(CLK_621_TRUE, 0x1c4)
 -    PSS_RST_CTRL    = 0x200 / 4,
 -    DDR_RST_CTRL,
 -    TOPSW_RESET_CTRL,
 -    DMAC_RST_CTRL,
 -    USB_RST_CTRL,
 -    GEM_RST_CTRL,
 -    SDIO_RST_CTRL,
 -    SPI_RST_CTRL,
 -    CAN_RST_CTRL,
 -    I2C_RST_CTRL,
 -    UART_RST_CTRL,
 -    GPIO_RST_CTRL,
 -    LQSPI_RST_CTRL,
 -    SMC_RST_CTRL,
 -    OCM_RST_CTRL,
 -    FPGA_RST_CTRL   = 0x240 / 4,
 -    A9_CPU_RST_CTRL,
 +REG32(PSS_RST_CTRL, 0x200)
 +    FIELD(PSS_RST_CTRL, SOFT_RST, 0, 1)
 +REG32(DDR_RST_CTRL, 0x204)
 +REG32(TOPSW_RESET_CTRL, 0x208)
 +REG32(DMAC_RST_CTRL, 0x20c)
 +REG32(USB_RST_CTRL, 0x210)
 +REG32(GEM_RST_CTRL, 0x214)
 +REG32(SDIO_RST_CTRL, 0x218)
 +REG32(SPI_RST_CTRL, 0x21c)
 +REG32(CAN_RST_CTRL, 0x220)
 +REG32(I2C_RST_CTRL, 0x224)
 +REG32(UART_RST_CTRL, 0x228)
 +REG32(GPIO_RST_CTRL, 0x22c)
 +REG32(LQSPI_RST_CTRL, 0x230)
 +REG32(SMC_RST_CTRL, 0x234)
 +REG32(OCM_RST_CTRL, 0x238)
 +REG32(FPGA_RST_CTRL, 0x240)
 +REG32(A9_CPU_RST_CTRL, 0x244)
 -    RS_AWDT_CTRL    = 0x24c / 4,
 -    RST_REASON,
 +REG32(RS_AWDT_CTRL, 0x24c)
 +REG32(RST_REASON, 0x250)
 -    REBOOT_STATUS   = 0x258 / 4,
 -    BOOT_MODE,
 +REG32(REBOOT_STATUS, 0x258)
 +REG32(BOOT_MODE, 0x25c)
 -    APU_CTRL        = 0x300 / 4,
 -    WDT_CLK_SEL,
 +REG32(APU_CTRL, 0x300)
 +REG32(WDT_CLK_SEL, 0x304)
 -    TZ_DMA_NS       = 0x440 / 4,
 -    TZ_DMA_IRQ_NS,
 -    TZ_DMA_PERIPH_NS,
 +REG32(TZ_DMA_NS, 0x440)
 +REG32(TZ_DMA_IRQ_NS, 0x444)
 +REG32(TZ_DMA_PERIPH_NS, 0x448)
 -    PSS_IDCODE      = 0x530 / 4,
 +REG32(PSS_IDCODE, 0x530)
 -    DDR_URGENT      = 0x600 / 4,
 -    DDR_CAL_START   = 0x60c / 4,
 -    DDR_REF_START   = 0x614 / 4,
 -    DDR_CMD_STA,
 -    DDR_URGENT_SEL,
 -    DDR_DFI_STATUS,
 +REG32(DDR_URGENT, 0x600)
 +REG32(DDR_CAL_START, 0x60c)
 +REG32(DDR_REF_START, 0x614)
 +REG32(DDR_CMD_STA, 0x618)
 +REG32(DDR_URGENT_SEL, 0x61c)
 +REG32(DDR_DFI_STATUS, 0x620)
 -    MIO             = 0x700 / 4,
 +REG32(MIO, 0x700)
  #define MIO_LENGTH 54
 -    MIO_LOOPBACK    = 0x804 / 4,
 -    MIO_MST_TRI0,
 -    MIO_MST_TRI1,
 +REG32(MIO_LOOPBACK, 0x804)
 +REG32(MIO_MST_TRI0, 0x808)
 +REG32(MIO_MST_TRI1, 0x80c)
 -    SD0_WP_CD_SEL   = 0x830 / 4,
 -    SD1_WP_CD_SEL,
 +REG32(SD0_WP_CD_SEL, 0x830)
 +REG32(SD1_WP_CD_SEL, 0x834)
 -    LVL_SHFTR_EN    = 0x900 / 4,
 -    OCM_CFG         = 0x910 / 4,
 +REG32(LVL_SHFTR_EN, 0x900)
 +REG32(OCM_CFG, 0x910)
 -    CPU_RAM         = 0xa00 / 4,
 +REG32(CPU_RAM, 0xa00)
 -    IOU             = 0xa30 / 4,
 +REG32(IOU, 0xa30)
 -    DMAC_RAM        = 0xa50 / 4,
 +REG32(DMAC_RAM, 0xa50)
 -    AFI0            = 0xa60 / 4,
 -    AFI1 = AFI0 + 3,
 -    AFI2 = AFI1 + 3,
 -    AFI3 = AFI2 + 3,
 +REG32(AFI0, 0xa60)
 +REG32(AFI1, 0xa6c)
 +REG32(AFI2, 0xa78)
 +REG32(AFI3, 0xa84)
  #define AFI_LENGTH 3
 -    OCM             = 0xa90 / 4,
 +REG32(OCM, 0xa90)
 -    DEVCI_RAM       = 0xaa0 / 4,
 +REG32(DEVCI_RAM, 0xaa0)
 -    CSG_RAM         = 0xab0 / 4,
 +REG32(CSG_RAM, 0xab0)
 -    GPIOB_CTRL      = 0xb00 / 4,
 -    GPIOB_CFG_CMOS18,
 -    GPIOB_CFG_CMOS25,
 -    GPIOB_CFG_CMOS33,
 -    GPIOB_CFG_HSTL  = 0xb14 / 4,
 -    GPIOB_DRVR_BIAS_CTRL,
 +REG32(GPIOB_CTRL, 0xb00)
 +REG32(GPIOB_CFG_CMOS18, 0xb04)
 +REG32(GPIOB_CFG_CMOS25, 0xb08)
 +REG32(GPIOB_CFG_CMOS33, 0xb0c)
 +REG32(GPIOB_CFG_HSTL, 0xb14)
 +REG32(GPIOB_DRVR_BIAS_CTRL, 0xb18)
 -    DDRIOB          = 0xb40 / 4,
 +REG32(DDRIOB, 0xb40)
  #define DDRIOB_LENGTH 14
 -};
  #define ZYNQ_SLCR_MMIO_SIZE     0x1000
  #define ZYNQ_SLCR_NUM_REGS      (ZYNQ_SLCR_MMIO_SIZE / 4)
@@ -XXX,XX +XXX,XX @@ static void zynq_slcr_reset(DeviceState *d)
      DB_PRINT("RESET\n");
 -    s->regs[LOCKSTA] = 1;
 +    s->regs[R_LOCKSTA] = 1;
      /* 0x100 - 0x11C */
 -    s->regs[ARM_PLL_CTRL]   = 0x0001A008;
 -    s->regs[DDR_PLL_CTRL]   = 0x0001A008;
 -    s->regs[IO_PLL_CTRL]    = 0x0001A008;
 -    s->regs[PLL_STATUS]     = 0x0000003F;
 -    s->regs[ARM_PLL_CFG]    = 0x00014000;
 -    s->regs[DDR_PLL_CFG]    = 0x00014000;
 -    s->regs[IO_PLL_CFG]     = 0x00014000;
 +    s->regs[R_ARM_PLL_CTRL]   = 0x0001A008;
 +    s->regs[R_DDR_PLL_CTRL]   = 0x0001A008;
 +    s->regs[R_IO_PLL_CTRL]    = 0x0001A008;
 +    s->regs[R_PLL_STATUS]     = 0x0000003F;
 +    s->regs[R_ARM_PLL_CFG]    = 0x00014000;
 +    s->regs[R_DDR_PLL_CFG]    = 0x00014000;
 +    s->regs[R_IO_PLL_CFG]     = 0x00014000;
      /* 0x120 - 0x16C */
 -    s->regs[ARM_CLK_CTRL]   = 0x1F000400;
 -    s->regs[DDR_CLK_CTRL]   = 0x18400003;
 -    s->regs[DCI_CLK_CTRL]   = 0x01E03201;
 -    s->regs[APER_CLK_CTRL]  = 0x01FFCCCD;
 -    s->regs[USB0_CLK_CTRL]  = s->regs[USB1_CLK_CTRL]    = 0x00101941;
 -    s->regs[GEM0_RCLK_CTRL] = s->regs[GEM1_RCLK_CTRL]   = 0x00000001;
 -    s->regs[GEM0_CLK_CTRL]  = s->regs[GEM1_CLK_CTRL]    = 0x00003C01;
 -    s->regs[SMC_CLK_CTRL]   = 0x00003C01;
 -    s->regs[LQSPI_CLK_CTRL] = 0x00002821;
 -    s->regs[SDIO_CLK_CTRL]  = 0x00001E03;
 -    s->regs[UART_CLK_CTRL]  = 0x00003F03;
 -    s->regs[SPI_CLK_CTRL]   = 0x00003F03;
 -    s->regs[CAN_CLK_CTRL]   = 0x00501903;
 -    s->regs[DBG_CLK_CTRL]   = 0x00000F03;
 -    s->regs[PCAP_CLK_CTRL]  = 0x00000F01;
 +    s->regs[R_ARM_CLK_CTRL]   = 0x1F000400;
 +    s->regs[R_DDR_CLK_CTRL]   = 0x18400003;
 +    s->regs[R_DCI_CLK_CTRL]   = 0x01E03201;
 +    s->regs[R_APER_CLK_CTRL]  = 0x01FFCCCD;
 +    s->regs[R_USB0_CLK_CTRL]  = s->regs[R_USB1_CLK_CTRL]  = 0x00101941;
 +    s->regs[R_GEM0_RCLK_CTRL] = s->regs[R_GEM1_RCLK_CTRL] = 0x00000001;
 +    s->regs[R_GEM0_CLK_CTRL]  = s->regs[R_GEM1_CLK_CTRL]  = 0x00003C01;
 +    s->regs[R_SMC_CLK_CTRL]   = 0x00003C01;
 +    s->regs[R_LQSPI_CLK_CTRL] = 0x00002821;
 +    s->regs[R_SDIO_CLK_CTRL]  = 0x00001E03;
 +    s->regs[R_UART_CLK_CTRL]  = 0x00003F03;
 +    s->regs[R_SPI_CLK_CTRL]   = 0x00003F03;
 +    s->regs[R_CAN_CLK_CTRL]   = 0x00501903;
 +    s->regs[R_DBG_CLK_CTRL]   = 0x00000F03;
 +    s->regs[R_PCAP_CLK_CTRL]  = 0x00000F01;
      /* 0x170 - 0x1AC */
 -    s->regs[FPGA0_CLK_CTRL] = s->regs[FPGA1_CLK_CTRL] = s->regs[FPGA2_CLK_CTRL]
 -                            = s->regs[FPGA3_CLK_CTRL] = 0x00101800;
 -    s->regs[FPGA0_THR_STA] = s->regs[FPGA1_THR_STA] = s->regs[FPGA2_THR_STA]
 -                           = s->regs[FPGA3_THR_STA] = 0x00010000;
 +    s->regs[R_FPGA0_CLK_CTRL] = s->regs[R_FPGA1_CLK_CTRL]
 +                              = s->regs[R_FPGA2_CLK_CTRL]
 +                              = s->regs[R_FPGA3_CLK_CTRL] = 0x00101800;
 +    s->regs[R_FPGA0_THR_STA] = s->regs[R_FPGA1_THR_STA]
 +                             = s->regs[R_FPGA2_THR_STA]
 +                             = s->regs[R_FPGA3_THR_STA] = 0x00010000;
      /* 0x1B0 - 0x1D8 */
 -    s->regs[BANDGAP_TRIP]   = 0x0000001F;
 -    s->regs[PLL_PREDIVISOR] = 0x00000001;
 -    s->regs[CLK_621_TRUE]   = 0x00000001;
 +    s->regs[R_BANDGAP_TRIP]   = 0x0000001F;
 +    s->regs[R_PLL_PREDIVISOR] = 0x00000001;
 +    s->regs[R_CLK_621_TRUE]   = 0x00000001;
      /* 0x200 - 0x25C */
 -    s->regs[FPGA_RST_CTRL]  = 0x01F33F0F;
 -    s->regs[RST_REASON]     = 0x00000040;
 +    s->regs[R_FPGA_RST_CTRL]  = 0x01F33F0F;
 +    s->regs[R_RST_REASON]     = 0x00000040;
 -    s->regs[BOOT_MODE]      = 0x00000001;
 +    s->regs[R_BOOT_MODE]      = 0x00000001;
      /* 0x700 - 0x7D4 */
      for (i = 0; i < 54; i++) {
 -        s->regs[MIO + i] = 0x00001601;
 +        s->regs[R_MIO + i] = 0x00001601;
      }
      for (i = 2; i <= 8; i++) {
 -        s->regs[MIO + i] = 0x00000601;
 +        s->regs[R_MIO + i] = 0x00000601;
      }
 -    s->regs[MIO_MST_TRI0] = s->regs[MIO_MST_TRI1] = 0xFFFFFFFF;
 +    s->regs[R_MIO_MST_TRI0] = s->regs[R_MIO_MST_TRI1] = 0xFFFFFFFF;
 -    s->regs[CPU_RAM + 0] = s->regs[CPU_RAM + 1] = s->regs[CPU_RAM + 3]
 -                         = s->regs[CPU_RAM + 4] = s->regs[CPU_RAM + 7]
 -                         = 0x00010101;
 -    s->regs[CPU_RAM + 2] = s->regs[CPU_RAM + 5] = 0x01010101;
 -    s->regs[CPU_RAM + 6] = 0x00000001;
 +    s->regs[R_CPU_RAM + 0] = s->regs[R_CPU_RAM + 1] = s->regs[R_CPU_RAM + 3]
 +                           = s->regs[R_CPU_RAM + 4] = s->regs[R_CPU_RAM + 7]
 +                           = 0x00010101;
 +    s->regs[R_CPU_RAM + 2] = s->regs[R_CPU_RAM + 5] = 0x01010101;
 +    s->regs[R_CPU_RAM + 6] = 0x00000001;
 -    s->regs[IOU + 0] = s->regs[IOU + 1] = s->regs[IOU + 2] = s->regs[IOU + 3]
 -                     = 0x09090909;
 -    s->regs[IOU + 4] = s->regs[IOU + 5] = 0x00090909;
 -    s->regs[IOU + 6] = 0x00000909;
 +    s->regs[R_IOU + 0] = s->regs[R_IOU + 1] = s->regs[R_IOU + 2]
 +                       = s->regs[R_IOU + 3] = 0x09090909;
 +    s->regs[R_IOU + 4] = s->regs[R_IOU + 5] = 0x00090909;
 +    s->regs[R_IOU + 6] = 0x00000909;
 -    s->regs[DMAC_RAM] = 0x00000009;
 +    s->regs[R_DMAC_RAM] = 0x00000009;
 -    s->regs[AFI0 + 0] = s->regs[AFI0 + 1] = 0x09090909;
 -    s->regs[AFI1 + 0] = s->regs[AFI1 + 1] = 0x09090909;
 -    s->regs[AFI2 + 0] = s->regs[AFI2 + 1] = 0x09090909;
 -    s->regs[AFI3 + 0] = s->regs[AFI3 + 1] = 0x09090909;
 -    s->regs[AFI0 + 2] = s->regs[AFI1 + 2] = s->regs[AFI2 + 2]
 -                      = s->regs[AFI3 + 2] = 0x00000909;
 +    s->regs[R_AFI0 + 0] = s->regs[R_AFI0 + 1] = 0x09090909;
 +    s->regs[R_AFI1 + 0] = s->regs[R_AFI1 + 1] = 0x09090909;
 +    s->regs[R_AFI2 + 0] = s->regs[R_AFI2 + 1] = 0x09090909;
 +    s->regs[R_AFI3 + 0] = s->regs[R_AFI3 + 1] = 0x09090909;
 +    s->regs[R_AFI0 + 2] = s->regs[R_AFI1 + 2] = s->regs[R_AFI2 + 2]
 +                        = s->regs[R_AFI3 + 2] = 0x00000909;
 -    s->regs[OCM + 0]    = 0x01010101;
 -    s->regs[OCM + 1]    = s->regs[OCM + 2] = 0x09090909;
 +    s->regs[R_OCM + 0] = 0x01010101;
 +    s->regs[R_OCM + 1] = s->regs[R_OCM + 2] = 0x09090909;
 -    s->regs[DEVCI_RAM]  = 0x00000909;
 -    s->regs[CSG_RAM]    = 0x00000001;
 +    s->regs[R_DEVCI_RAM] = 0x00000909;
 +    s->regs[R_CSG_RAM]   = 0x00000001;
 -    s->regs[DDRIOB + 0] = s->regs[DDRIOB + 1] = s->regs[DDRIOB + 2]
 -                        = s->regs[DDRIOB + 3] = 0x00000e00;
 -    s->regs[DDRIOB + 4] = s->regs[DDRIOB + 5] = s->regs[DDRIOB + 6]
 -                        = 0x00000e00;
 -    s->regs[DDRIOB + 12] = 0x00000021;
 +    s->regs[R_DDRIOB + 0] = s->regs[R_DDRIOB + 1] = s->regs[R_DDRIOB + 2]
 +                          = s->regs[R_DDRIOB + 3] = 0x00000e00;
 +    s->regs[R_DDRIOB + 4] = s->regs[R_DDRIOB + 5] = s->regs[R_DDRIOB + 6]
 +                          = 0x00000e00;
 +    s->regs[R_DDRIOB + 12] = 0x00000021;
  }
--#define NUM_VIRTIO_TRANSPORT 32
-+#define NUM_VIRTIO_TRANSPORT 8
+ static bool zynq_slcr_check_offset(hwaddr offset, bool rnw)
  static void create_virtio_regions(VersalVirt *s)
  {
-     int virtio_mmio_size = 0x200;
+     switch (offset) {
 -    case LOCK:
 -    case UNLOCK:
 -    case DDR_CAL_START:
 -    case DDR_REF_START:
 +    case R_LOCK:
 +    case R_UNLOCK:
 +    case R_DDR_CAL_START:
 +    case R_DDR_REF_START:
          return !rnw; /* Write only */
 -    case LOCKSTA:
 -    case FPGA0_THR_STA:
 -    case FPGA1_THR_STA:
 -    case FPGA2_THR_STA:
 -    case FPGA3_THR_STA:
 -    case BOOT_MODE:
 -    case PSS_IDCODE:
 -    case DDR_CMD_STA:
 -    case DDR_DFI_STATUS:
 -    case PLL_STATUS:
 +    case R_LOCKSTA:
 +    case R_FPGA0_THR_STA:
 +    case R_FPGA1_THR_STA:
 +    case R_FPGA2_THR_STA:
 +    case R_FPGA3_THR_STA:
 +    case R_BOOT_MODE:
 +    case R_PSS_IDCODE:
 +    case R_DDR_CMD_STA:
 +    case R_DDR_DFI_STATUS:
 +    case R_PLL_STATUS:
          return rnw;/* read only */
 -    case SCL:
 -    case ARM_PLL_CTRL ... IO_PLL_CTRL:
 -    case ARM_PLL_CFG ... IO_PLL_CFG:
 -    case ARM_CLK_CTRL ... TOPSW_CLK_CTRL:
 -    case FPGA0_CLK_CTRL ... FPGA0_THR_CNT:
 -    case FPGA1_CLK_CTRL ... FPGA1_THR_CNT:
 -    case FPGA2_CLK_CTRL ... FPGA2_THR_CNT:
 -    case FPGA3_CLK_CTRL ... FPGA3_THR_CNT:
 -    case BANDGAP_TRIP:
 -    case PLL_PREDIVISOR:
 -    case CLK_621_TRUE:
 -    case PSS_RST_CTRL ... A9_CPU_RST_CTRL:
 -    case RS_AWDT_CTRL:
 -    case RST_REASON:
 -    case REBOOT_STATUS:
 -    case APU_CTRL:
 -    case WDT_CLK_SEL:
 -    case TZ_DMA_NS ... TZ_DMA_PERIPH_NS:
 -    case DDR_URGENT:
 -    case DDR_URGENT_SEL:
 -    case MIO ... MIO + MIO_LENGTH - 1:
 -    case MIO_LOOPBACK ... MIO_MST_TRI1:
 -    case SD0_WP_CD_SEL:
 -    case SD1_WP_CD_SEL:
 -    case LVL_SHFTR_EN:
 -    case OCM_CFG:
 -    case CPU_RAM:
 -    case IOU:
 -    case DMAC_RAM:
 -    case AFI0 ... AFI3 + AFI_LENGTH - 1:
 -    case OCM:
 -    case DEVCI_RAM:
 -    case CSG_RAM:
 -    case GPIOB_CTRL ... GPIOB_CFG_CMOS33:
 -    case GPIOB_CFG_HSTL:
 -    case GPIOB_DRVR_BIAS_CTRL:
 -    case DDRIOB ... DDRIOB + DDRIOB_LENGTH - 1:
 +    case R_SCL:
 +    case R_ARM_PLL_CTRL ... R_IO_PLL_CTRL:
 +    case R_ARM_PLL_CFG ... R_IO_PLL_CFG:
 +    case R_ARM_CLK_CTRL ... R_TOPSW_CLK_CTRL:
 +    case R_FPGA0_CLK_CTRL ... R_FPGA0_THR_CNT:
 +    case R_FPGA1_CLK_CTRL ... R_FPGA1_THR_CNT:
 +    case R_FPGA2_CLK_CTRL ... R_FPGA2_THR_CNT:
 +    case R_FPGA3_CLK_CTRL ... R_FPGA3_THR_CNT:
 +    case R_BANDGAP_TRIP:
 +    case R_PLL_PREDIVISOR:
 +    case R_CLK_621_TRUE:
 +    case R_PSS_RST_CTRL ... R_A9_CPU_RST_CTRL:
 +    case R_RS_AWDT_CTRL:
 +    case R_RST_REASON:
 +    case R_REBOOT_STATUS:
 +    case R_APU_CTRL:
 +    case R_WDT_CLK_SEL:
 +    case R_TZ_DMA_NS ... R_TZ_DMA_PERIPH_NS:
 +    case R_DDR_URGENT:
 +    case R_DDR_URGENT_SEL:
 +    case R_MIO ... R_MIO + MIO_LENGTH - 1:
 +    case R_MIO_LOOPBACK ... R_MIO_MST_TRI1:
 +    case R_SD0_WP_CD_SEL:
 +    case R_SD1_WP_CD_SEL:
 +    case R_LVL_SHFTR_EN:
 +    case R_OCM_CFG:
 +    case R_CPU_RAM:
 +    case R_IOU:
 +    case R_DMAC_RAM:
 +    case R_AFI0 ... R_AFI3 + AFI_LENGTH - 1:
 +    case R_OCM:
 +    case R_DEVCI_RAM:
 +    case R_CSG_RAM:
 +    case R_GPIOB_CTRL ... R_GPIOB_CFG_CMOS33:
 +    case R_GPIOB_CFG_HSTL:
 +    case R_GPIOB_DRVR_BIAS_CTRL:
 +    case R_DDRIOB ... R_DDRIOB + DDRIOB_LENGTH - 1:
          return true;
      default:
          return false;
@@ -XXX,XX +XXX,XX @@ static void zynq_slcr_write(void *opaque, hwaddr offset,
      }
      switch (offset) {
 -    case SCL:
 -        s->regs[SCL] = val & 0x1;
 +    case R_SCL:
 +        s->regs[R_SCL] = val & 0x1;
          return;
 -    case LOCK:
 +    case R_LOCK:
          if ((val & 0xFFFF) == XILINX_LOCK_KEY) {
              DB_PRINT("XILINX LOCK 0xF8000000 + 0x%x <= 0x%x\n", (int)offset,
                  (unsigned)val & 0xFFFF);
 -            s->regs[LOCKSTA] = 1;
 +            s->regs[R_LOCKSTA] = 1;
          } else {
              DB_PRINT("WRONG XILINX LOCK KEY 0xF8000000 + 0x%x <= 0x%x\n",
                  (int)offset, (unsigned)val & 0xFFFF);
          }
          return;
 -    case UNLOCK:
 +    case R_UNLOCK:
          if ((val & 0xFFFF) == XILINX_UNLOCK_KEY) {
              DB_PRINT("XILINX UNLOCK 0xF8000000 + 0x%x <= 0x%x\n", (int)offset,
                  (unsigned)val & 0xFFFF);
 -            s->regs[LOCKSTA] = 0;
 +            s->regs[R_LOCKSTA] = 0;
          } else {
              DB_PRINT("WRONG XILINX UNLOCK KEY 0xF8000000 + 0x%x <= 0x%x\n",
                  (int)offset, (unsigned)val & 0xFFFF);
@@ -XXX,XX +XXX,XX @@ static void zynq_slcr_write(void *opaque, hwaddr offset,
          return;
      }
 -    if (s->regs[LOCKSTA]) {
 +    if (s->regs[R_LOCKSTA]) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "SCLR registers are locked. Unlock them first\n");
          return;
@@ -XXX,XX +XXX,XX @@ static void zynq_slcr_write(void *opaque, hwaddr offset,
      s->regs[offset] = val;
      switch (offset) {
 -    case PSS_RST_CTRL:
 -        if (val & R_PSS_RST_CTRL_SOFT_RST) {
 +    case R_PSS_RST_CTRL:
 +        if (FIELD_EX32(val, PSS_RST_CTRL, SOFT_RST)) {
              qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
          }
          break;
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 02/37] Allow AArch64 processors to boot from a kernel placed over 4GB
+[Qemu-devel] [PULL 03/29] Set ENET_BD_BDU in I.MX FEC controller
-From: Ricardo Perez Blanco <ricardo.perez_blanco@nokia.com>
+From: Aaron Hill <aa1ronham@gmail.com>
-Architecturally, it's possible for an AArch64 machine to have
+This commit properly sets the ENET_BD_BDU flag once the emulated FEC controller
-all of its RAM over the 4GB mark, but our kernel/initrd loading
+has finished processing the last descriptor. This is done for both transmit
-code in boot.c assumes that the upper half of the addresses
+and receive descriptors.
 to load these images to is always zero. Write the whole 64 bit
 address into the bootloader code fragment, not just the low half.
-Note that, currently, none of the existing QEMU machines have
+This allows the QNX 7.0.0 BSP for the Sabrelite board (which can be
-their main memory over 4GBs, so this was not a user-visible bug.
+found at http://blackberry.qnx.com/en/developers/bsp) to properly
 control the FEC. Without this patch, the BSP ethernet driver will never
 re-use FEC descriptors, as the unset ENET_BD_BDU flag will cause
 it to believe that the descriptors are still in use by the NIC.
-Signed-off-by: Ricardo Perez Blanco <ricardo.perez_blanco@nokia.com>
+Note that Linux does not appear to use this field at all, and is
-[PMM: revised commit message and tweaked some long lines]
+unaffected by this patch.
 Without this patch, QNX will think that the NIC is still processing its
 transaction descriptors, and won't send any more data over the network.
 For reference:
 On page 1192 of the I.MX 6DQ reference manual revision (Rev. 5, 06/2018),
 which can be found at https://www.nxp.com/products/processors-and-microcontrollers/arm-based-processors-and-mcus/i.mx-applications-processors/i.mx-6-processors/i.mx-6quad-processors-high-performance-3d-graphics-hd-video-arm-cortex-a9-core:i.MX6Q?&tab=Documentation_Tab&linkline=Application-Note
 the 'BDU' field is described as follows for the 'Enhanced transmit
 buffer descriptor':
 'Last buffer descriptor update done. Indicates that the last BD data has been updated by
 uDMA. This field is written by the user (=0) and uDMA (=1).'
 The same description is used for the receive buffer descriptor.
 Signed-off-by: Aaron Hill <aa1ronham@gmail.com>
 Message-id: 20190805142417.10433-1-aaron.hill@alertinnovation.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/boot.c | 35 ++++++++++++++++++++++-------------
+ hw/net/imx_fec.c | 4 ++++
-file changed, 22 insertions(+), 13 deletions(-)
+file changed, 4 insertions(+)
-diff --git a/hw/arm/boot.c b/hw/arm/boot.c
+diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/boot.c
+--- a/hw/net/imx_fec.c
-+++ b/hw/arm/boot.c
++++ b/hw/net/imx_fec.c
-@@ -XXX,XX +XXX,XX @@ typedef enum {
+@@ -XXX,XX +XXX,XX @@ static void imx_enet_do_tx(IMXFECState *s, uint32_t index)
-     FIXUP_TERMINATOR,   /* end of insns */
+             if (bd.option & ENET_BD_TX_INT) {
-     FIXUP_BOARDID,      /* overwrite with board ID number */
+                 s->regs[ENET_EIR] |= int_txf;
      FIXUP_BOARD_SETUP,  /* overwrite with board specific setup code address */
 -    FIXUP_ARGPTR,       /* overwrite with pointer to kernel args */
 -    FIXUP_ENTRYPOINT,   /* overwrite with kernel entry point */
 +    FIXUP_ARGPTR_LO,    /* overwrite with pointer to kernel args */
 +    FIXUP_ARGPTR_HI,    /* overwrite with pointer to kernel args (high half) */
 +    FIXUP_ENTRYPOINT_LO, /* overwrite with kernel entry point */
 +    FIXUP_ENTRYPOINT_HI, /* overwrite with kernel entry point (high half) */
      FIXUP_GIC_CPU_IF,   /* overwrite with GIC CPU interface address */
      FIXUP_BOOTREG,      /* overwrite with boot register address */
      FIXUP_DSB,          /* overwrite with correct DSB insn for cpu */
@@ -XXX,XX +XXX,XX @@ static const ARMInsnFixup bootloader_aarch64[] = {
      { 0xaa1f03e3 }, /* mov x3, xzr */
      { 0x58000084 }, /* ldr x4, entry ; Load the lower 32-bits of kernel entry */
      { 0xd61f0080 }, /* br x4      ; Jump to the kernel entry point */
 -    { 0, FIXUP_ARGPTR }, /* arg: .word @DTB Lower 32-bits */
 -    { 0 }, /* .word @DTB Higher 32-bits */
 -    { 0, FIXUP_ENTRYPOINT }, /* entry: .word @Kernel Entry Lower 32-bits */
 -    { 0 }, /* .word @Kernel Entry Higher 32-bits */
 +    { 0, FIXUP_ARGPTR_LO }, /* arg: .word @DTB Lower 32-bits */
 +    { 0, FIXUP_ARGPTR_HI}, /* .word @DTB Higher 32-bits */
 +    { 0, FIXUP_ENTRYPOINT_LO }, /* entry: .word @Kernel Entry Lower 32-bits */
 +    { 0, FIXUP_ENTRYPOINT_HI }, /* .word @Kernel Entry Higher 32-bits */
      { 0, FIXUP_TERMINATOR }
  };
@@ -XXX,XX +XXX,XX @@ static const ARMInsnFixup bootloader[] = {
      { 0xe59f2004 }, /* ldr     r2, [pc, #4] */
      { 0xe59ff004 }, /* ldr     pc, [pc, #4] */
      { 0, FIXUP_BOARDID },
 -    { 0, FIXUP_ARGPTR },
 -    { 0, FIXUP_ENTRYPOINT },
 +    { 0, FIXUP_ARGPTR_LO },
 +    { 0, FIXUP_ENTRYPOINT_LO },
      { 0, FIXUP_TERMINATOR }
  };
@@ -XXX,XX +XXX,XX @@ static void write_bootloader(const char *name, hwaddr addr,
              break;
          case FIXUP_BOARDID:
          case FIXUP_BOARD_SETUP:
 -        case FIXUP_ARGPTR:
 -        case FIXUP_ENTRYPOINT:
 +        case FIXUP_ARGPTR_LO:
 +        case FIXUP_ARGPTR_HI:
 +        case FIXUP_ENTRYPOINT_LO:
 +        case FIXUP_ENTRYPOINT_HI:
          case FIXUP_GIC_CPU_IF:
          case FIXUP_BOOTREG:
          case FIXUP_DSB:
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
              /* Place the DTB after the initrd in memory with alignment. */
              info->dtb_start = QEMU_ALIGN_UP(info->initrd_start + initrd_size,
                                             align);
 -            fixupcontext[FIXUP_ARGPTR] = info->dtb_start;
 +            fixupcontext[FIXUP_ARGPTR_LO] = info->dtb_start;
 +            fixupcontext[FIXUP_ARGPTR_HI] = info->dtb_start >> 32;
          } else {
 -            fixupcontext[FIXUP_ARGPTR] = info->loader_start + KERNEL_ARGS_ADDR;
 +            fixupcontext[FIXUP_ARGPTR_LO] =
 +                info->loader_start + KERNEL_ARGS_ADDR;
 +            fixupcontext[FIXUP_ARGPTR_HI] =
 +                (info->loader_start + KERNEL_ARGS_ADDR) >> 32;
              if (info->ram_size >= (1ULL << 32)) {
                  error_report("RAM size must be less than 4GB to boot"
                               " Linux kernel using ATAGS (try passing a device tree"
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
                  exit(1);
              }
++            /* Indicate that we've updated the last buffer descriptor. */
++            bd.last_buffer = ENET_BD_BDU;
          }
--        fixupcontext[FIXUP_ENTRYPOINT] = entry;
+         if (bd.option & ENET_BD_TX_INT) {
-+        fixupcontext[FIXUP_ENTRYPOINT_LO] = entry;
+             s->regs[ENET_EIR] |= int_txb;
-+        fixupcontext[FIXUP_ENTRYPOINT_HI] = entry >> 32;
+@@ -XXX,XX +XXX,XX @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
+             /* Last buffer in frame.  */
-         write_bootloader("bootloader", info->loader_start,
+             bd.flags |= flags | ENET_BD_L;
-                          primary_loader, fixupcontext, as);
+             FEC_PRINTF("rx frame flags %04x\n", bd.flags);
 +            /* Indicate that we've updated the last buffer descriptor. */
 +            bd.last_buffer = ENET_BD_BDU;
              if (bd.option & ENET_BD_RX_INT) {
                  s->regs[ENET_EIR] |= ENET_INT_RXF;
              }
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 20/37] timer/puv3_ost: Convert sysbus init function to realize function
+[Qemu-devel] [PULL 04/29] target/arm: Factor out 'generate singlestep exception' function
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
+Factor out code to 'generate a singlestep exception', which is
 currently repeated in four places.
-Use DeviceClass rather than SysBusDeviceClass in
+To do this we need to also pull the identical copies of the
-puv3_ost_class_init().
+gen-exception() function out of translate-a64.c and translate.c
 into translate.h.
-Cc: gxt@mprc.pku.edu.cn
+(There is a bug in the code: we're taking the exception to the wrong
 target EL.  This will be simpler to fix if there's only one place to
 do it.)
-Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20181130093852.20739-19-maozhongyi@cmss.chinamobile.com
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20190805130952.4415-2-peter.maydell@linaro.org
 ---
- hw/timer/puv3_ost.c | 13 ++++++-------
+ target/arm/translate.h     | 23 +++++++++++++++++++++++
-file changed, 6 insertions(+), 7 deletions(-)
+ target/arm/translate-a64.c | 19 ++-----------------
  target/arm/translate.c     | 20 ++------------------
 files changed, 27 insertions(+), 35 deletions(-)
-diff --git a/hw/timer/puv3_ost.c b/hw/timer/puv3_ost.c
+diff --git a/target/arm/translate.h b/target/arm/translate.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/puv3_ost.c
+--- a/target/arm/translate.h
-+++ b/hw/timer/puv3_ost.c
++++ b/target/arm/translate.h
-@@ -XXX,XX +XXX,XX @@ static void puv3_ost_tick(void *opaque)
+@@ -XXX,XX +XXX,XX @@
  #define TARGET_ARM_TRANSLATE_H
  #include "exec/translator.h"
 +#include "internals.h"
  /* internal defines */
@@ -XXX,XX +XXX,XX @@ static inline void gen_ss_advance(DisasContext *s)
      }
  }
--static int puv3_ost_init(SysBusDevice *dev)
++static inline void gen_exception(int excp, uint32_t syndrome,
-+static void puv3_ost_realize(DeviceState *dev, Error **errp)
++                                 uint32_t target_el)
 +{
 +    TCGv_i32 tcg_excp = tcg_const_i32(excp);
 +    TCGv_i32 tcg_syn = tcg_const_i32(syndrome);
 +    TCGv_i32 tcg_el = tcg_const_i32(target_el);
 +
 +    gen_helper_exception_with_syndrome(cpu_env, tcg_excp,
 +                                       tcg_syn, tcg_el);
 +
 +    tcg_temp_free_i32(tcg_el);
 +    tcg_temp_free_i32(tcg_syn);
 +    tcg_temp_free_i32(tcg_excp);
 +}
 +
 +/* Generate an architectural singlestep exception */
 +static inline void gen_swstep_exception(DisasContext *s, int isv, int ex)
 +{
 +    gen_exception(EXCP_UDEF, syn_swstep(s->ss_same_el, isv, ex),
 +                  default_exception_el(s));
 +}
 +
  /*
   * Given a VFP floating point constant encoded into an 8 bit immediate in an
   * instruction, expand it to the actual constant value of the specified
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
      tcg_temp_free_i32(tcg_excp);
  }
 -static void gen_exception(int excp, uint32_t syndrome, uint32_t target_el)
 -{
 -    TCGv_i32 tcg_excp = tcg_const_i32(excp);
 -    TCGv_i32 tcg_syn = tcg_const_i32(syndrome);
 -    TCGv_i32 tcg_el = tcg_const_i32(target_el);
 -
 -    gen_helper_exception_with_syndrome(cpu_env, tcg_excp,
 -                                       tcg_syn, tcg_el);
 -    tcg_temp_free_i32(tcg_el);
 -    tcg_temp_free_i32(tcg_syn);
 -    tcg_temp_free_i32(tcg_excp);
 -}
 -
  static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
  {
-     PUV3OSTState *s = PUV3_OST(dev);
+     gen_a64_set_pc_im(s->pc - offset);
-+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
+@@ -XXX,XX +XXX,XX @@ static void gen_step_complete_exception(DisasContext *s)
+      * of the exception, and our syndrome information is always correct.
-     s->reg_OIER = 0;
+      */
-     s->reg_OSSR = 0;
+     gen_ss_advance(s);
-     s->reg_OSMR0 = 0;
+-    gen_exception(EXCP_UDEF, syn_swstep(s->ss_same_el, 1, s->is_ldex),
-     s->reg_OSCR = 0;
+-                  default_exception_el(s));
++    gen_swstep_exception(s, 1, s->is_ldex);
--    sysbus_init_irq(dev, &s->irq);
+     s->base.is_jmp = DISAS_NORETURN;
-+    sysbus_init_irq(sbd, &s->irq);
+ }
-     s->bh = qemu_bh_new(puv3_ost_tick, s);
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
-     s->ptimer = ptimer_init(s->bh, PTIMER_POLICY_DEFAULT);
+          * bits should be zero.
-@@ -XXX,XX +XXX,XX @@ static int puv3_ost_init(SysBusDevice *dev)
+          */
+         assert(dc->base.num_insns == 1);
-     memory_region_init_io(&s->iomem, OBJECT(s), &puv3_ost_ops, s, "puv3_ost",
+-        gen_exception(EXCP_UDEF, syn_swstep(dc->ss_same_el, 0, 0),
-             PUV3_REGS_OFFSET);
+-                      default_exception_el(dc));
--    sysbus_init_mmio(dev, &s->iomem);
++        gen_swstep_exception(dc, 0, 0);
          dc->base.is_jmp = DISAS_NORETURN;
      } else {
          disas_a64_insn(env, dc);
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
      tcg_temp_free_i32(tcg_excp);
  }
 -static void gen_exception(int excp, uint32_t syndrome, uint32_t target_el)
 -{
 -    TCGv_i32 tcg_excp = tcg_const_i32(excp);
 -    TCGv_i32 tcg_syn = tcg_const_i32(syndrome);
 -    TCGv_i32 tcg_el = tcg_const_i32(target_el);
 -
--    return 0;
+-    gen_helper_exception_with_syndrome(cpu_env, tcg_excp,
-+    sysbus_init_mmio(sbd, &s->iomem);
+-                                       tcg_syn, tcg_el);
 -
 -    tcg_temp_free_i32(tcg_el);
 -    tcg_temp_free_i32(tcg_syn);
 -    tcg_temp_free_i32(tcg_excp);
 -}
 -
  static void gen_step_complete_exception(DisasContext *s)
  {
      /* We just completed step of an insn. Move from Active-not-pending
@@ -XXX,XX +XXX,XX @@ static void gen_step_complete_exception(DisasContext *s)
       * of the exception, and our syndrome information is always correct.
       */
      gen_ss_advance(s);
 -    gen_exception(EXCP_UDEF, syn_swstep(s->ss_same_el, 1, s->is_ldex),
 -                  default_exception_el(s));
 +    gen_swstep_exception(s, 1, s->is_ldex);
      s->base.is_jmp = DISAS_NORETURN;
  }
- static void puv3_ost_class_init(ObjectClass *klass, void *data)
+@@ -XXX,XX +XXX,XX @@ static bool arm_pre_translate_insn(DisasContext *dc)
- {
+          * bits should be zero.
--    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
+          */
-+    DeviceClass *dc = DEVICE_CLASS(klass);
+         assert(dc->base.num_insns == 1);
+-        gen_exception(EXCP_UDEF, syn_swstep(dc->ss_same_el, 0, 0),
--    sdc->init = puv3_ost_init;
+-                      default_exception_el(dc));
-+    dc->realize = puv3_ost_realize;
++        gen_swstep_exception(dc, 0, 0);
- }
+         dc->base.is_jmp = DISAS_NORETURN;
+         return true;
- static const TypeInfo puv3_ost_info = {
+     }
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 37/37] target/arm: Implement the ARMv8.1-LOR extension
+[Qemu-devel] [PULL 05/29] target/arm: Fix routing of singlestep exceptions
-From: Richard Henderson <richard.henderson@linaro.org>
+When generating an architectural single-step exception we were
 routing it to the "default exception level", which is to say
 the same exception level we execute at except that EL0 exceptions
 go to EL1. This is incorrect because the debug exception level
 can be configured by the guest for situations such as single
 stepping of EL0 and EL1 code by EL2.
-Provide a trivial implementation with zero limited ordering regions,
+We have to track the target debug exception level in the TB
-which causes the LDLAR and STLLR instructions to devolve into the
+flags, because it is dependent on CPU state like HCR_EL2.TGE
-LDAR and STLR instructions from the base ARMv8.0 instruction set.
+and MDCR_EL2.TDE. (That we were previously calling the
 arm_debug_target_el() function to determine dc->ss_same_el
 is itself a bug, though one that would only have manifested
 as incorrect syndrome information.) Since we are out of TB
 flag bits unless we want to expand into the cs_base field,
 we share some bits with the M-profile only HANDLER and
 STACKCHECK bits, since only A-profile has this singlestep.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Fixes: https://bugs.launchpad.net/qemu/+bug/1838913
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20181210150501.7990-4-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Tested-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20190805130952.4415-3-peter.maydell@linaro.org
 ---
- target/arm/cpu.h           |  5 +++
+ target/arm/cpu.h           |  5 +++++
- target/arm/cpu64.c         |  1 +
+ target/arm/translate.h     | 15 +++++++++++----
- target/arm/helper.c        | 75 ++++++++++++++++++++++++++++++++++++++
+ target/arm/helper.c        |  6 ++++++
- target/arm/translate-a64.c | 12 ++++++
+ target/arm/translate-a64.c |  2 +-
-files changed, 93 insertions(+)
+ target/arm/translate.c     |  4 +++-
 files changed, 26 insertions(+), 6 deletions(-)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_sve(const ARMISARegisters *id)
+@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_ANY, PSTATE_SS, 26, 1)
-     return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, SVE) != 0;
+ /* Target EL if we take a floating-point-disabled exception */
  FIELD(TBFLAG_ANY, FPEXC_EL, 24, 2)
  FIELD(TBFLAG_ANY, BE_DATA, 23, 1)
 +/*
 + * For A-profile only, target EL for debug exceptions.
 + * Note that this overlaps with the M-profile-only HANDLER and STACKCHECK bits.
 + */
 +FIELD(TBFLAG_ANY, DEBUG_TARGET_EL, 21, 2)
  /* Bit usage when in AArch32 state: */
  FIELD(TBFLAG_A32, THUMB, 0, 1)
 diff --git a/target/arm/translate.h b/target/arm/translate.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.h
 +++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
      uint32_t svc_imm;
      int aarch64;
      int current_el;
 +    /* Debug target exception level for single-step exceptions */
 +    int debug_target_el;
      GHashTable *cp_regs;
      uint64_t features; /* CPU features bits */
      /* Because unallocated encodings generate different exception syndrome
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
       * ie A64 LDX*, LDAX*, A32/T32 LDREX*, LDAEX*.
       */
      bool is_ldex;
 -    /* True if a single-step exception will be taken to the current EL */
 -    bool ss_same_el;
      /* True if v8.3-PAuth is active.  */
      bool pauth_active;
      /* True with v8.5-BTI and SCTLR_ELx.BT* set.  */
@@ -XXX,XX +XXX,XX @@ static inline void gen_exception(int excp, uint32_t syndrome,
  /* Generate an architectural singlestep exception */
  static inline void gen_swstep_exception(DisasContext *s, int isv, int ex)
  {
 -    gen_exception(EXCP_UDEF, syn_swstep(s->ss_same_el, isv, ex),
 -                  default_exception_el(s));
 +    bool same_el = (s->debug_target_el == s->current_el);
 +
 +    /*
 +     * If singlestep is targeting a lower EL than the current one,
 +     * then s->ss_active must be false and we can never get here.
 +     */
 +    assert(s->debug_target_el >= s->current_el);
 +
 +    gen_exception(EXCP_UDEF, syn_swstep(same_el, isv, ex), s->debug_target_el);
  }
-+static inline bool isar_feature_aa64_lor(const ARMISARegisters *id)
-+{
-+    return FIELD_EX64(id->id_aa64mmfr1, ID_AA64MMFR1, LO) != 0;
-+}
-+
  /*
-  * Forward to the above feature tests given an ARMCPU pointer.
-  */
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu64.c
-+++ b/target/arm/cpu64.c
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
-         t = cpu->isar.id_aa64mmfr1;
-         t = FIELD_DP64(t, ID_AA64MMFR1, HPDS, 1); /* HPD */
-+        t = FIELD_DP64(t, ID_AA64MMFR1, LO, 1);
-         cpu->isar.id_aa64mmfr1 = t;
-         /* Replicate the same data to the 32-bit id registers.  */
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
+@@ -XXX,XX +XXX,XX @@ void cpu_get_tb_cpu_state(CPUARMState *env, target_ulong *pc,
  {
      /* Begin with base v8.0 state.  */
      uint32_t valid_mask = 0x3fff;
 +    ARMCPU *cpu = arm_env_get_cpu(env);
      if (arm_el_is_aa64(env, 3)) {
          value |= SCR_FW | SCR_AW;   /* these two bits are RES1.  */
@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
              valid_mask &= ~SCR_SMD;
          }
      }
-+    if (cpu_isar_feature(aa64_lor, cpu)) {
-+        valid_mask |= SCR_TLOR;
++    if (!arm_feature(env, ARM_FEATURE_M)) {
-+    }
++        int target_el = arm_debug_target_el(env);
      /* Clear all-context RES0 bits.  */
      value &= valid_mask;
@@ -XXX,XX +XXX,XX @@ static void hcr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
           */
          valid_mask &= ~HCR_TSC;
      }
 +    if (cpu_isar_feature(aa64_lor, cpu)) {
 +        valid_mask |= HCR_TLOR;
 +    }
      /* Clear RES0 bits.  */
      value &= valid_mask;
@@ -XXX,XX +XXX,XX @@ static uint64_t id_aa64pfr0_read(CPUARMState *env, const ARMCPRegInfo *ri)
      return pfr0;
  }
 +/* Shared logic between LORID and the rest of the LOR* registers.
 + * Secure state has already been delt with.
 + */
 +static CPAccessResult access_lor_ns(CPUARMState *env)
 +{
 +    int el = arm_current_el(env);
 +
-+    if (el < 2 && (arm_hcr_el2_eff(env) & HCR_TLOR)) {
++        flags = FIELD_DP32(flags, TBFLAG_ANY, DEBUG_TARGET_EL, target_el);
 +        return CP_ACCESS_TRAP_EL2;
 +    }
 +    if (el < 3 && (env->cp15.scr_el3 & SCR_TLOR)) {
 +        return CP_ACCESS_TRAP_EL3;
 +    }
 +    return CP_ACCESS_OK;
 +}
 +
 +static CPAccessResult access_lorid(CPUARMState *env, const ARMCPRegInfo *ri,
 +                                   bool isread)
 +{
 +    if (arm_is_secure_below_el3(env)) {
 +        /* Access ok in secure mode.  */
 +        return CP_ACCESS_OK;
 +    }
 +    return access_lor_ns(env);
 +}
 +
 +static CPAccessResult access_lor_other(CPUARMState *env,
 +                                       const ARMCPRegInfo *ri, bool isread)
 +{
 +    if (arm_is_secure_below_el3(env)) {
 +        /* Access denied in secure mode.  */
 +        return CP_ACCESS_TRAP;
 +    }
 +    return access_lor_ns(env);
 +}
 +
  void register_cp_regs_for_features(ARMCPU *cpu)
  {
      /* Register all the coprocessor registers based on feature bits */
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
          define_one_arm_cp_reg(cpu, &sctlr);
      }
 +    if (cpu_isar_feature(aa64_lor, cpu)) {
 +        /*
 +         * A trivial implementation of ARMv8.1-LOR leaves all of these
 +         * registers fixed at 0, which indicates that there are zero
 +         * supported Limited Ordering regions.
 +         */
 +        static const ARMCPRegInfo lor_reginfo[] = {
 +            { .name = "LORSA_EL1", .state = ARM_CP_STATE_AA64,
 +              .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 0,
 +              .access = PL1_RW, .accessfn = access_lor_other,
 +              .type = ARM_CP_CONST, .resetvalue = 0 },
 +            { .name = "LOREA_EL1", .state = ARM_CP_STATE_AA64,
 +              .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 1,
 +              .access = PL1_RW, .accessfn = access_lor_other,
 +              .type = ARM_CP_CONST, .resetvalue = 0 },
 +            { .name = "LORN_EL1", .state = ARM_CP_STATE_AA64,
 +              .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 2,
 +              .access = PL1_RW, .accessfn = access_lor_other,
 +              .type = ARM_CP_CONST, .resetvalue = 0 },
 +            { .name = "LORC_EL1", .state = ARM_CP_STATE_AA64,
 +              .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 3,
 +              .access = PL1_RW, .accessfn = access_lor_other,
 +              .type = ARM_CP_CONST, .resetvalue = 0 },
 +            { .name = "LORID_EL1", .state = ARM_CP_STATE_AA64,
 +              .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 7,
 +              .access = PL1_R, .accessfn = access_lorid,
 +              .type = ARM_CP_CONST, .resetvalue = 0 },
 +            REGINFO_SENTINEL
 +        };
 +        define_arm_cp_regs(cpu, lor_reginfo);
 +    }
 +
-     if (cpu_isar_feature(aa64_sve, cpu)) {
+     *pflags = flags;
-         define_one_arm_cp_reg(cpu, &zcr_el1_reginfo);
+     *cs_base = 0;
-         if (arm_feature(env, ARM_FEATURE_EL2)) {
+ }
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void disas_ldst_excl(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
-         }
+     dc->ss_active = FIELD_EX32(tb_flags, TBFLAG_ANY, SS_ACTIVE);
-         return;
+     dc->pstate_ss = FIELD_EX32(tb_flags, TBFLAG_ANY, PSTATE_SS);
+     dc->is_ldex = false;
-+    case 0x8: /* STLLR */
+-    dc->ss_same_el = (arm_debug_target_el(env) == dc->current_el);
-+        if (!dc_isar_feature(aa64_lor, s)) {
++    dc->debug_target_el = FIELD_EX32(tb_flags, TBFLAG_ANY, DEBUG_TARGET_EL);
-+            break;
-+        }
+     /* Bound the number of insns to execute to those left on the page.  */
-+        /* StoreLORelease is the same as Store-Release for QEMU.  */
+     bound = -(dc->base.pc_first | TARGET_PAGE_MASK) / 4;
-+        /* fall through */
+diff --git a/target/arm/translate.c b/target/arm/translate.c
-     case 0x9: /* STLR */
+index XXXXXXX..XXXXXXX 100644
-         /* Generate ISS for non-exclusive accesses including LASR.  */
+--- a/target/arm/translate.c
-         if (rn == 31) {
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static void disas_ldst_excl(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
-                   disas_ldst_compute_iss_sf(size, false, 0), is_lasr);
+     dc->ss_active = FIELD_EX32(tb_flags, TBFLAG_ANY, SS_ACTIVE);
-         return;
+     dc->pstate_ss = FIELD_EX32(tb_flags, TBFLAG_ANY, PSTATE_SS);
+     dc->is_ldex = false;
-+    case 0xc: /* LDLAR */
+-    dc->ss_same_el = false; /* Can't be true since EL_d must be AArch64 */
-+        if (!dc_isar_feature(aa64_lor, s)) {
++    if (!arm_feature(env, ARM_FEATURE_M)) {
-+            break;
++        dc->debug_target_el = FIELD_EX32(tb_flags, TBFLAG_ANY, DEBUG_TARGET_EL);
-+        }
++    }
-+        /* LoadLOAcquire is the same as Load-Acquire for QEMU.  */
-+        /* fall through */
+     dc->page_start = dc->base.pc_first & TARGET_PAGE_MASK;
-     case 0xd: /* LDAR */
          /* Generate ISS for non-exclusive accesses including LASR.  */
          if (rn == 31) {
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 19/37] timer/grlib_gptimer: Convert sysbus init function to realize function
+[Qemu-devel] [PULL 06/29] target/arm: Pass in pc to thumb_insn_is_16bit
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Use DeviceClass rather than SysBusDeviceClass in
+This function is used in two different contexts, and it will be
-grlib_gptimer_class_init().
+clearer if the function is given the address to which it applies.
-Cc: chouteau@adacore.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
 Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20181130093852.20739-18-maozhongyi@cmss.chinamobile.com
+Message-id: 20190807045335.1361-2-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/timer/grlib_gptimer.c | 11 +++++------
+ target/arm/translate.c | 14 +++++++-------
-file changed, 5 insertions(+), 6 deletions(-)
+file changed, 7 insertions(+), 7 deletions(-)
-diff --git a/hw/timer/grlib_gptimer.c b/hw/timer/grlib_gptimer.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/grlib_gptimer.c
+--- a/target/arm/translate.c
-+++ b/hw/timer/grlib_gptimer.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static void grlib_gptimer_reset(DeviceState *d)
+@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
      }
  }
--static int grlib_gptimer_init(SysBusDevice *dev)
+-static bool thumb_insn_is_16bit(DisasContext *s, uint32_t insn)
-+static void grlib_gptimer_realize(DeviceState *dev, Error **errp)
++static bool thumb_insn_is_16bit(DisasContext *s, uint32_t pc, uint32_t insn)
  {
-     GPTimerUnit  *unit = GRLIB_GPTIMER(dev);
+-    /* Return true if this is a 16 bit instruction. We must be precise
-     unsigned int  i;
+-     * about this (matching the decode).  We assume that s->pc still
-+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
+-     * points to the first 16 bits of the insn.
++    /*
-     assert(unit->nr_timers > 0);
++     * Return true if this is a 16 bit instruction. We must be precise
-     assert(unit->nr_timers <= GPTIMER_MAX_TIMERS);
++     * about this (matching the decode).
-@@ -XXX,XX +XXX,XX @@ static int grlib_gptimer_init(SysBusDevice *dev)
+      */
-         timer->id     = i;
+     if ((insn >> 11) < 0x1d) {
+         /* Definitely a 16-bit instruction */
-         /* One IRQ line for each timer */
+@@ -XXX,XX +XXX,XX @@ static bool thumb_insn_is_16bit(DisasContext *s, uint32_t insn)
--        sysbus_init_irq(dev, &timer->irq);
+         return false;
 +        sysbus_init_irq(sbd, &timer->irq);
          ptimer_set_freq(timer->ptimer, unit->freq_hz);
      }
-@@ -XXX,XX +XXX,XX @@ static int grlib_gptimer_init(SysBusDevice *dev)
-                           unit, "gptimer",
+-    if ((insn >> 11) == 0x1e && s->pc - s->page_start < TARGET_PAGE_SIZE - 3) {
-                           UNIT_REG_SIZE + GPTIMER_REG_SIZE * unit->nr_timers);
++    if ((insn >> 11) == 0x1e && pc - s->page_start < TARGET_PAGE_SIZE - 3) {
+         /* 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix, and the suffix
--    sysbus_init_mmio(dev, &unit->iomem);
+          * is not on the next page; we merge this into a 32-bit
--    return 0;
+          * insn.
-+    sysbus_init_mmio(sbd, &unit->iomem);
+@@ -XXX,XX +XXX,XX @@ static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
       */
      uint16_t insn = arm_lduw_code(env, s->pc, s->sctlr_b);
 -    return !thumb_insn_is_16bit(s, insn);
 +    return !thumb_insn_is_16bit(s, s->pc, insn);
  }
- static Property grlib_gptimer_properties[] = {
+ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
-@@ -XXX,XX +XXX,XX @@ static Property grlib_gptimer_properties[] = {
+@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
- static void grlib_gptimer_class_init(ObjectClass *klass, void *data)
+     }
- {
-     DeviceClass *dc = DEVICE_CLASS(klass);
+     insn = arm_lduw_code(env, dc->pc, dc->sctlr_b);
--    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
+-    is_16bit = thumb_insn_is_16bit(dc, insn);
++    is_16bit = thumb_insn_is_16bit(dc, dc->pc, insn);
--    k->init = grlib_gptimer_init;
+     dc->pc += 2;
-+    dc->realize = grlib_gptimer_realize;
+     if (!is_16bit) {
-     dc->reset = grlib_gptimer_reset;
+         uint32_t insn2 = arm_lduw_code(env, dc->pc, dc->sctlr_b);
      dc->props = grlib_gptimer_properties;
  }
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 27/37] hw/arm: versal: Correct the nr of IRQs to 192
+[Qemu-devel] [PULL 07/29] target/arm: Introduce pc_curr
-From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Correct the nr of IRQs to 192.
+Add a new field to retain the address of the instruction currently
+being translated.  The 32-bit uses are all within subroutines used
-Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+by a32 and t32.  This will become less obvious when t16 support is
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+merged with a32+t32, and having a clear definition will help.
-Message-id: 20181129163655.20370-5-edgar.iglesias@gmail.com
 Convert aarch64 as well for consistency.  Note that there is one
 instance of a pre-assert fprintf that used the wrong value for the
 address of the current instruction.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 20190807045335.1361-3-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/arm/xlnx-versal.h | 2 +-
+ target/arm/translate-a64.h |  2 +-
-file changed, 1 insertion(+), 1 deletion(-)
+ target/arm/translate.h     |  2 ++
+ target/arm/translate-a64.c | 21 +++++++++++----------
-diff --git a/include/hw/arm/xlnx-versal.h b/include/hw/arm/xlnx-versal.h
+ target/arm/translate.c     | 14 ++++++++------
-index XXXXXXX..XXXXXXX 100644
+files changed, 22 insertions(+), 17 deletions(-)
---- a/include/hw/arm/xlnx-versal.h
-+++ b/include/hw/arm/xlnx-versal.h
+diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
-@@ -XXX,XX +XXX,XX @@
+index XXXXXXX..XXXXXXX 100644
- #define XLNX_VERSAL_NR_ACPUS   2
+--- a/target/arm/translate-a64.h
- #define XLNX_VERSAL_NR_UARTS   2
++++ b/target/arm/translate-a64.h
- #define XLNX_VERSAL_NR_GEMS    2
+@@ -XXX,XX +XXX,XX @@ void unallocated_encoding(DisasContext *s);
--#define XLNX_VERSAL_NR_IRQS    256
+         qemu_log_mask(LOG_UNIMP,                                         \
-+#define XLNX_VERSAL_NR_IRQS    192
+                       "%s:%d: unsupported instruction encoding 0x%08x "  \
+                       "at pc=%016" PRIx64 "\n",                          \
- typedef struct Versal {
+-                      __FILE__, __LINE__, insn, s->pc - 4);              \
-     /*< private >*/
++                      __FILE__, __LINE__, insn, s->pc_curr);             \
          unallocated_encoding(s);                                         \
      } while (0)
 diff --git a/target/arm/translate.h b/target/arm/translate.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.h
 +++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
      const ARMISARegisters *isar;
      target_ulong pc;
 +    /* The address of the current instruction being translated. */
 +    target_ulong pc_curr;
      target_ulong page_start;
      uint32_t insn;
      /* Nonzero if this instruction has been conditionally skipped.  */
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline AArch64DecodeFn *lookup_disas_fn(const AArch64DecodeTable *table,
   */
  static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
  {
 -    uint64_t addr = s->pc + sextract32(insn, 0, 26) * 4 - 4;
 +    uint64_t addr = s->pc_curr + sextract32(insn, 0, 26) * 4;
      if (insn & (1U << 31)) {
          /* BL Branch with link */
@@ -XXX,XX +XXX,XX @@ static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
      sf = extract32(insn, 31, 1);
      op = extract32(insn, 24, 1); /* 0: CBZ; 1: CBNZ */
      rt = extract32(insn, 0, 5);
 -    addr = s->pc + sextract32(insn, 5, 19) * 4 - 4;
 +    addr = s->pc_curr + sextract32(insn, 5, 19) * 4;
      tcg_cmp = read_cpu_reg(s, rt, sf);
      label_match = gen_new_label();
@@ -XXX,XX +XXX,XX @@ static void disas_test_b_imm(DisasContext *s, uint32_t insn)
      bit_pos = (extract32(insn, 31, 1) << 5) | extract32(insn, 19, 5);
      op = extract32(insn, 24, 1); /* 0: TBZ; 1: TBNZ */
 -    addr = s->pc + sextract32(insn, 5, 14) * 4 - 4;
 +    addr = s->pc_curr + sextract32(insn, 5, 14) * 4;
      rt = extract32(insn, 0, 5);
      tcg_cmp = tcg_temp_new_i64();
@@ -XXX,XX +XXX,XX @@ static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
          unallocated_encoding(s);
          return;
      }
 -    addr = s->pc + sextract32(insn, 5, 19) * 4 - 4;
 +    addr = s->pc_curr + sextract32(insn, 5, 19) * 4;
      cond = extract32(insn, 0, 4);
      reset_btype(s);
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
          TCGv_i32 tcg_syn, tcg_isread;
          uint32_t syndrome;
 -        gen_a64_set_pc_im(s->pc - 4);
 +        gen_a64_set_pc_im(s->pc_curr);
          tmpptr = tcg_const_ptr(ri);
          syndrome = syn_aa64_sysregtrap(op0, op1, op2, crn, crm, rt, isread);
          tcg_syn = tcg_const_i32(syndrome);
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
              /* The pre HVC helper handles cases when HVC gets trapped
               * as an undefined insn by runtime configuration.
               */
 -            gen_a64_set_pc_im(s->pc - 4);
 +            gen_a64_set_pc_im(s->pc_curr);
              gen_helper_pre_hvc(cpu_env);
              gen_ss_advance(s);
              gen_exception_insn(s, 0, EXCP_HVC, syn_aa64_hvc(imm16), 2);
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
                  unallocated_encoding(s);
                  break;
              }
 -            gen_a64_set_pc_im(s->pc - 4);
 +            gen_a64_set_pc_im(s->pc_curr);
              tmp = tcg_const_i32(syn_aa64_smc(imm16));
              gen_helper_pre_smc(cpu_env, tmp);
              tcg_temp_free_i32(tmp);
@@ -XXX,XX +XXX,XX @@ static void disas_ld_lit(DisasContext *s, uint32_t insn)
      tcg_rt = cpu_reg(s, rt);
 -    clean_addr = tcg_const_i64((s->pc - 4) + imm);
 +    clean_addr = tcg_const_i64(s->pc_curr + imm);
      if (is_vector) {
          do_fp_ld(s, rt, clean_addr, size);
      } else {
@@ -XXX,XX +XXX,XX @@ static void disas_pc_rel_adr(DisasContext *s, uint32_t insn)
      offset = sextract64(insn, 5, 19);
      offset = offset << 2 | extract32(insn, 29, 2);
      rd = extract32(insn, 0, 5);
 -    base = s->pc - 4;
 +    base = s->pc_curr;
      if (page) {
          /* ADRP (page based) */
@@ -XXX,XX +XXX,XX @@ static void disas_simd_three_reg_same_fp16(DisasContext *s, uint32_t insn)
                  break;
              default:
                  fprintf(stderr, "%s: insn %#04x, fpop %#2x @ %#" PRIx64 "\n",
 -                        __func__, insn, fpopcode, s->pc);
 +                        __func__, insn, fpopcode, s->pc_curr);
                  g_assert_not_reached();
              }
@@ -XXX,XX +XXX,XX @@ static void disas_a64_insn(CPUARMState *env, DisasContext *s)
  {
      uint32_t insn;
 +    s->pc_curr = s->pc;
      insn = arm_ldl_code(env, s->pc, s->sctlr_b);
      s->insn = insn;
      s->pc += 4;
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_hvc(DisasContext *s, int imm16)
       * as an undefined insn by runtime configuration (ie before
       * the insn really executes).
       */
 -    gen_set_pc_im(s, s->pc - 4);
 +    gen_set_pc_im(s, s->pc_curr);
      gen_helper_pre_hvc(cpu_env);
      /* Otherwise we will treat this as a real exception which
       * happens after execution of the insn. (The distinction matters
@@ -XXX,XX +XXX,XX @@ static inline void gen_smc(DisasContext *s)
       */
      TCGv_i32 tmp;
 -    gen_set_pc_im(s, s->pc - 4);
 +    gen_set_pc_im(s, s->pc_curr);
      tmp = tcg_const_i32(syn_aa32_smc());
      gen_helper_pre_smc(cpu_env, tmp);
      tcg_temp_free_i32(tmp);
@@ -XXX,XX +XXX,XX @@ static void gen_msr_banked(DisasContext *s, int r, int sysm, int rn)
      /* Sync state because msr_banked() can raise exceptions */
      gen_set_condexec(s);
 -    gen_set_pc_im(s, s->pc - 4);
 +    gen_set_pc_im(s, s->pc_curr);
      tcg_reg = load_reg(s, rn);
      tcg_tgtmode = tcg_const_i32(tgtmode);
      tcg_regno = tcg_const_i32(regno);
@@ -XXX,XX +XXX,XX @@ static void gen_mrs_banked(DisasContext *s, int r, int sysm, int rn)
      /* Sync state because mrs_banked() can raise exceptions */
      gen_set_condexec(s);
 -    gen_set_pc_im(s, s->pc - 4);
 +    gen_set_pc_im(s, s->pc_curr);
      tcg_reg = tcg_temp_new_i32();
      tcg_tgtmode = tcg_const_i32(tgtmode);
      tcg_regno = tcg_const_i32(regno);
@@ -XXX,XX +XXX,XX @@ static int disas_coproc_insn(DisasContext *s, uint32_t insn)
              }
              gen_set_condexec(s);
 -            gen_set_pc_im(s, s->pc - 4);
 +            gen_set_pc_im(s, s->pc_curr);
              tmpptr = tcg_const_ptr(ri);
              tcg_syn = tcg_const_i32(syndrome);
              tcg_isread = tcg_const_i32(isread);
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
      tmp = tcg_const_i32(mode);
      /* get_r13_banked() will raise an exception if called from System mode */
      gen_set_condexec(s);
 -    gen_set_pc_im(s, s->pc - 4);
 +    gen_set_pc_im(s, s->pc_curr);
      gen_helper_get_r13_banked(addr, cpu_env, tmp);
      tcg_temp_free_i32(tmp);
      switch (amode) {
@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          return;
      }
 +    dc->pc_curr = dc->pc;
      insn = arm_ldl_code(env, dc->pc, dc->sctlr_b);
      dc->insn = insn;
      dc->pc += 4;
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          return;
      }
 +    dc->pc_curr = dc->pc;
      insn = arm_lduw_code(env, dc->pc, dc->sctlr_b);
      is_16bit = thumb_insn_is_16bit(dc, dc->pc, insn);
      dc->pc += 2;
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 33/37] target/arm: Implement the ARMv8.1-HPD extension
+[Qemu-devel] [PULL 08/29] target/arm: Introduce read_pc
 From: Richard Henderson <richard.henderson@linaro.org>
-Since the TCR_*.HPD bits were RES0 in ARMv8.0, we can simply
+We currently have 3 different ways of computing the architectural
-interpret the bits as if ARMv8.1-HPD is present without checking.
+value of "PC" as seen in the ARM ARM.
-We will need a slightly different check for hpd for aarch32.
+The value of s->pc has been incremented past the current insn,
 but that is all.  Thus for a32, PC = s->pc + 4; for t32, PC = s->pc;
 for t16, PC = s->pc + 2.  These differing computations make it
 impossible at present to unify the various code paths.
 With the newly introduced s->pc_curr, we can compute the correct
 value for all cases, using the formula given in the ARM ARM.
 This changes the behaviour for load_reg() and load_reg_var()
 when called with reg==15 from a 32-bit Thumb instruction:
 previously they would have returned the incorrect value
 of pc_curr + 6, and now they will return the architecturally
 correct value of PC, which is pc_curr + 4. This will not
 affect well-behaved guest software, because all of the places
 we call these functions from T32 code are instructions where
 using r15 is UNPREDICTABLE. Using the architectural PC value
 here is more consistent with the T16 and A32 behaviour.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20181203203839.757-10-richard.henderson@linaro.org
+Message-id: 20190807045335.1361-4-richard.henderson@linaro.org
 [PMM: added commit message note about UNPREDICTABLE T32 cases]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu64.c  |  4 ++++
+ target/arm/translate.c | 59 ++++++++++++++++--------------------------
- target/arm/helper.c | 27 ++++++++++++++++++++-------
+file changed, 23 insertions(+), 36 deletions(-)
-files changed, 24 insertions(+), 7 deletions(-)
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu64.c
+--- a/target/arm/translate.c
-+++ b/target/arm/cpu64.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
+@@ -XXX,XX +XXX,XX @@ static inline void store_cpu_offset(TCGv_i32 var, int offset)
-         t = FIELD_DP64(t, ID_AA64PFR0, ADVSIMD, 1);
+ #define store_cpu_field(var, name) \
-         cpu->isar.id_aa64pfr0 = t;
+     store_cpu_offset(var, offsetof(CPUARMState, name))
-+        t = cpu->isar.id_aa64mmfr1;
++/* The architectural value of PC.  */
-+        t = FIELD_DP64(t, ID_AA64MMFR1, HPDS, 1); /* HPD */
++static uint32_t read_pc(DisasContext *s)
-+        cpu->isar.id_aa64mmfr1 = t;
++{
 +    return s->pc_curr + (s->thumb ? 4 : 8);
 +}
 +
-         /* Replicate the same data to the 32-bit id registers.  */
+ /* Set a variable to the value of a CPU register.  */
-         u = cpu->isar.id_isar5;
+ static void load_reg_var(DisasContext *s, TCGv_i32 var, int reg)
-         u = FIELD_DP32(u, ID_ISAR5, AES, 2); /* AES + PMULL */
+ {
-diff --git a/target/arm/helper.c b/target/arm/helper.c
+     if (reg == 15) {
-index XXXXXXX..XXXXXXX 100644
+-        uint32_t addr;
---- a/target/arm/helper.c
+-        /* normally, since we updated PC, we need only to add one insn */
-+++ b/target/arm/helper.c
+-        if (s->thumb)
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
+-            addr = (long)s->pc + 2;
-     bool ttbr1_valid = true;
+-        else
-     uint64_t descaddrmask;
+-            addr = (long)s->pc + 4;
-     bool aarch64 = arm_el_is_aa64(env, el);
+-        tcg_gen_movi_i32(var, addr);
-+    bool hpd = false;
++        tcg_gen_movi_i32(var, read_pc(s));
+     } else {
-     /* TODO:
+         tcg_gen_mov_i32(var, cpu_R[reg]);
-      * This code does not handle the different format TCR for VTCR_EL2.
+     }
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
+@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
-         if (tg == 2) { /* 16KB pages */
+             /* branch link and change to thumb (blx <offset>) */
-             stride = 11;
+             int32_t offset;
 -            val = (uint32_t)s->pc;
              tmp = tcg_temp_new_i32();
 -            tcg_gen_movi_i32(tmp, val);
 +            tcg_gen_movi_i32(tmp, s->pc);
              store_reg(s, 14, tmp);
              /* Sign-extend the 24-bit offset */
              offset = (((int32_t)insn) << 8) >> 8;
 +            val = read_pc(s);
              /* offset * 4 + bit24 * 2 + (thumb bit) */
              val += (offset << 2) | ((insn >> 23) & 2) | 1;
 -            /* pipeline offset */
 -            val += 4;
              /* protected by ARCH(5); above, near the start of uncond block */
              gen_bx_im(s, val);
              return;
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                          } else {
                              /* store */
                              if (i == 15) {
 -                                /* special case: r15 = PC + 8 */
 -                                val = (long)s->pc + 4;
                                  tmp = tcg_temp_new_i32();
 -                                tcg_gen_movi_i32(tmp, val);
 +                                tcg_gen_movi_i32(tmp, read_pc(s));
                              } else if (user) {
                                  tmp = tcg_temp_new_i32();
                                  tmp2 = tcg_const_i32(i);
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                  int32_t offset;
                  /* branch (and link) */
 -                val = (int32_t)s->pc;
                  if (insn & (1 << 24)) {
                      tmp = tcg_temp_new_i32();
 -                    tcg_gen_movi_i32(tmp, val);
 +                    tcg_gen_movi_i32(tmp, s->pc);
                      store_reg(s, 14, tmp);
                  }
                  offset = sextract32(insn << 2, 0, 26);
 -                val += offset + 4;
 -                gen_jmp(s, val);
 +                gen_jmp(s, read_pc(s) + offset);
              }
              break;
          case 0xc:
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                  tcg_temp_free_i32(addr);
              } else if ((insn & (7 << 5)) == 0) {
                  /* Table Branch.  */
 -                if (rn == 15) {
 -                    addr = tcg_temp_new_i32();
 -                    tcg_gen_movi_i32(addr, s->pc);
 -                } else {
 -                    addr = load_reg(s, rn);
 -                }
 +                addr = load_reg(s, rn);
                  tmp = load_reg(s, rm);
                  tcg_gen_add_i32(addr, addr, tmp);
                  if (insn & (1 << 4)) {
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                  }
                  tcg_temp_free_i32(addr);
                  tcg_gen_shli_i32(tmp, tmp, 1);
 -                tcg_gen_addi_i32(tmp, tmp, s->pc);
 +                tcg_gen_addi_i32(tmp, tmp, read_pc(s));
                  store_reg(s, 15, tmp);
              } else {
                  bool is_lasr = false;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                      tcg_gen_movi_i32(cpu_R[14], s->pc | 1);
                  }
 -                offset += s->pc;
 +                offset += read_pc(s);
                  if (insn & (1 << 12)) {
                      /* b/bl */
                      gen_jmp(s, offset);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                  offset |= (insn & (1 << 11)) << 8;
                  /* jump to the offset */
 -                gen_jmp(s, s->pc + offset);
 +                gen_jmp(s, read_pc(s) + offset);
              }
          } else {
              /*
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
          if (insn & (1 << 11)) {
              rd = (insn >> 8) & 7;
              /* load pc-relative.  Bit 1 of PC is ignored.  */
 -            val = s->pc + 2 + ((insn & 0xff) * 4);
 +            val = read_pc(s) + ((insn & 0xff) * 4);
              val &= ~(uint32_t)2;
              addr = tcg_temp_new_i32();
              tcg_gen_movi_i32(addr, val);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
          } else {
              /* PC. bit 1 is ignored.  */
              tmp = tcg_temp_new_i32();
 -            tcg_gen_movi_i32(tmp, (s->pc + 2) & ~(uint32_t)2);
 +            tcg_gen_movi_i32(tmp, read_pc(s) & ~(uint32_t)2);
          }
-+        if (aarch64) {
+         val = (insn & 0xff) * 4;
-+            if (el > 1) {
+         tcg_gen_addi_i32(tmp, tmp, val);
-+                hpd = extract64(tcr->raw_tcr, 24, 1);
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
-+            } else {
+                 tcg_gen_brcondi_i32(TCG_COND_NE, tmp, 0, s->condlabel);
-+                hpd = extract64(tcr->raw_tcr, 41, 1);
+             tcg_temp_free_i32(tmp);
-+            }
+             offset = ((insn & 0xf8) >> 2) | (insn & 0x200) >> 3;
-+        }
+-            val = (uint32_t)s->pc + 2;
-     } else {
+-            val += offset;
-         /* We should only be here if TTBR1 is valid */
+-            gen_jmp(s, val);
-         assert(ttbr1_valid);
++            gen_jmp(s, read_pc(s) + offset);
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
+             break;
-         if (tg == 1) { /* 16KB pages */
-             stride = 11;
+         case 15: /* IT, nop-hint.  */
-         }
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
-+        if (aarch64) {
+         arm_skip_unless(s, cond);
-+            hpd = extract64(tcr->raw_tcr, 42, 1);
-+        }
+         /* jump to the offset */
-     }
+-        val = (uint32_t)s->pc + 2;
++        val = read_pc(s);
-     /* Here we should have set up all the parameters for the translation:
+         offset = ((int32_t)insn << 24) >> 24;
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
+         val += offset << 1;
-         descaddr = descriptor & descaddrmask;
+         gen_jmp(s, val);
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
          if ((descriptor & 2) && (level < 3)) {
 -            /* Table entry. The top five bits are attributes which  may
 +            /* Table entry. The top five bits are attributes which may
               * propagate down through lower levels of the table (and
               * which are all arranged so that 0 means "no effect", so
               * we can gather them up by ORing in the bits at each level).
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
              break;
          }
-         /* Merge in attributes from table descriptors */
+         /* unconditional branch */
--        attrs |= extract32(tableattrs, 0, 2) << 11; /* XN, PXN */
+-        val = (uint32_t)s->pc;
--        attrs |= extract32(tableattrs, 3, 1) << 5; /* APTable[1] => AP[2] */
++        val = read_pc(s);
-+        attrs |= nstable << 3; /* NS */
+         offset = ((int32_t)insn << 21) >> 21;
-+        if (hpd) {
+-        val += (offset << 1) + 2;
-+            /* HPD disables all the table attributes except NSTable.  */
++        val += offset << 1;
-+            break;
+         gen_jmp(s, val);
-+        }
+         break;
-+        attrs |= extract32(tableattrs, 0, 2) << 11;     /* XN, PXN */
-         /* The sense of AP[1] vs APTable[0] is reversed, as APTable[0] == 1
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
-          * means "force PL1 access only", which means forcing AP[1] to 0.
+             /* 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix */
-          */
+             uint32_t uoffset = ((int32_t)insn << 21) >> 9;
--        if (extract32(tableattrs, 2, 1)) {
--            attrs &= ~(1 << 4);
+-            tcg_gen_movi_i32(cpu_R[14], s->pc + 2 + uoffset);
--        }
++            tcg_gen_movi_i32(cpu_R[14], read_pc(s) + uoffset);
--        attrs |= nstable << 3; /* NS */
+         }
 +        attrs &= ~(extract32(tableattrs, 2, 1) << 4);   /* !APT[0] => AP[1] */
 +        attrs |= extract32(tableattrs, 3, 1) << 5;      /* APT[1] => AP[2] */
          break;
      }
-     /* Here descaddr is the final physical address, and attributes
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 08/37] dma/puv3_dma: Convert sysbus init function to realize function
+[Qemu-devel] [PULL 09/29] target/arm: Introduce add_reg_for_lit
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Use DeviceClass rather than SysBusDeviceClass in
+Provide a common routine for the places that require ALIGN(PC, 4)
-puv3_dma_class_init().
+as the base address as opposed to plain PC.  The two are always
+the same for A32, but the difference is meaningful for thumb mode.
-Cc: gxt@mprc.pku.edu.cn
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
 Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20181130093852.20739-7-maozhongyi@cmss.chinamobile.com
+Message-id: 20190807045335.1361-5-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/dma/puv3_dma.c | 10 ++++------
+ target/arm/translate-vfp.inc.c |  38 ++------
-file changed, 4 insertions(+), 6 deletions(-)
+ target/arm/translate.c         | 166 +++++++++++++++------------------
+files changed, 82 insertions(+), 122 deletions(-)
-diff --git a/hw/dma/puv3_dma.c b/hw/dma/puv3_dma.c
 diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/dma/puv3_dma.c
+--- a/target/arm/translate-vfp.inc.c
-+++ b/hw/dma/puv3_dma.c
++++ b/target/arm/translate-vfp.inc.c
-@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps puv3_dma_ops = {
+@@ -XXX,XX +XXX,XX @@ static bool trans_VLDR_VSTR_sp(DisasContext *s, arg_VLDR_VSTR_sp *a)
-     .endianness = DEVICE_NATIVE_ENDIAN,
+         offset = -offset;
- };
+     }
--static int puv3_dma_init(SysBusDevice *dev)
+-    if (s->thumb && a->rn == 15) {
-+static void puv3_dma_realize(DeviceState *dev, Error **errp)
+-        /* This is actually UNPREDICTABLE */
- {
+-        addr = tcg_temp_new_i32();
-     PUV3DMAState *s = PUV3_DMA(dev);
+-        tcg_gen_movi_i32(addr, s->pc & ~2);
-     int i;
+-    } else {
-@@ -XXX,XX +XXX,XX @@ static int puv3_dma_init(SysBusDevice *dev)
+-        addr = load_reg(s, a->rn);
+-    }
-     memory_region_init_io(&s->iomem, OBJECT(s), &puv3_dma_ops, s, "puv3_dma",
+-    tcg_gen_addi_i32(addr, addr, offset);
-             PUV3_REGS_OFFSET);
++    /* For thumb, use of PC is UNPREDICTABLE.  */
--    sysbus_init_mmio(dev, &s->iomem);
++    addr = add_reg_for_lit(s, a->rn, offset);
--
+     tmp = tcg_temp_new_i32();
--    return 0;
+     if (a->l) {
-+    sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->iomem);
+         gen_aa32_ld32u(s, tmp, addr, get_mem_index(s));
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDR_VSTR_dp(DisasContext *s, arg_VLDR_VSTR_dp *a)
          offset = -offset;
      }
 -    if (s->thumb && a->rn == 15) {
 -        /* This is actually UNPREDICTABLE */
 -        addr = tcg_temp_new_i32();
 -        tcg_gen_movi_i32(addr, s->pc & ~2);
 -    } else {
 -        addr = load_reg(s, a->rn);
 -    }
 -    tcg_gen_addi_i32(addr, addr, offset);
 +    /* For thumb, use of PC is UNPREDICTABLE.  */
 +    addr = add_reg_for_lit(s, a->rn, offset);
      tmp = tcg_temp_new_i64();
      if (a->l) {
          gen_aa32_ld64(s, tmp, addr, get_mem_index(s));
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDM_VSTM_sp(DisasContext *s, arg_VLDM_VSTM_sp *a)
          return true;
      }
 -    if (s->thumb && a->rn == 15) {
 -        /* This is actually UNPREDICTABLE */
 -        addr = tcg_temp_new_i32();
 -        tcg_gen_movi_i32(addr, s->pc & ~2);
 -    } else {
 -        addr = load_reg(s, a->rn);
 -    }
 +    /* For thumb, use of PC is UNPREDICTABLE.  */
 +    addr = add_reg_for_lit(s, a->rn, 0);
      if (a->p) {
          /* pre-decrement */
          tcg_gen_addi_i32(addr, addr, -(a->imm << 2));
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDM_VSTM_dp(DisasContext *s, arg_VLDM_VSTM_dp *a)
          return true;
      }
 -    if (s->thumb && a->rn == 15) {
 -        /* This is actually UNPREDICTABLE */
 -        addr = tcg_temp_new_i32();
 -        tcg_gen_movi_i32(addr, s->pc & ~2);
 -    } else {
 -        addr = load_reg(s, a->rn);
 -    }
 +    /* For thumb, use of PC is UNPREDICTABLE.  */
 +    addr = add_reg_for_lit(s, a->rn, 0);
      if (a->p) {
          /* pre-decrement */
          tcg_gen_addi_i32(addr, addr, -(a->imm << 2));
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline TCGv_i32 load_reg(DisasContext *s, int reg)
      return tmp;
  }
- static void puv3_dma_class_init(ObjectClass *klass, void *data)
++/*
- {
++ * Create a new temp, REG + OFS, except PC is ALIGN(PC, 4).
--    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
++ * This is used for load/store for which use of PC implies (literal),
-+    DeviceClass *dc = DEVICE_CLASS(klass);
++ * or ADD that implies ADR.
++ */
--    sdc->init = puv3_dma_init;
++static TCGv_i32 add_reg_for_lit(DisasContext *s, int reg, int ofs)
-+    dc->realize = puv3_dma_realize;
++{
- }
++    TCGv_i32 tmp = tcg_temp_new_i32();
++
- static const TypeInfo puv3_dma_info = {
++    if (reg == 15) {
 +        tcg_gen_movi_i32(tmp, (read_pc(s) & ~3) + ofs);
 +    } else {
 +        tcg_gen_addi_i32(tmp, cpu_R[reg], ofs);
 +    }
 +    return tmp;
 +}
 +
  /* Set a CPU register.  The source must be a temporary and will be
     marked as dead.  */
  static void store_reg(DisasContext *s, int reg, TCGv_i32 var)
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                   */
                  bool wback = extract32(insn, 21, 1);
 -                if (rn == 15) {
 -                    if (insn & (1 << 21)) {
 -                        /* UNPREDICTABLE */
 -                        goto illegal_op;
 -                    }
 -                    addr = tcg_temp_new_i32();
 -                    tcg_gen_movi_i32(addr, s->pc & ~3);
 -                } else {
 -                    addr = load_reg(s, rn);
 +                if (rn == 15 && (insn & (1 << 21))) {
 +                    /* UNPREDICTABLE */
 +                    goto illegal_op;
                  }
 +
 +                addr = add_reg_for_lit(s, rn, 0);
                  offset = (insn & 0xff) * 4;
                  if ((insn & (1 << 23)) == 0) {
                      offset = -offset;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                          store_reg(s, rd, tmp);
                      } else {
                          /* Add/sub 12-bit immediate.  */
 -                        if (rn == 15) {
 -                            offset = s->pc & ~(uint32_t)3;
 -                            if (insn & (1 << 23))
 -                                offset -= imm;
 -                            else
 -                                offset += imm;
 -                            tmp = tcg_temp_new_i32();
 -                            tcg_gen_movi_i32(tmp, offset);
 -                            store_reg(s, rd, tmp);
 +                        if (insn & (1 << 23)) {
 +                            imm = -imm;
 +                        }
 +                        tmp = add_reg_for_lit(s, rn, imm);
 +                        if (rn == 13 && rd == 13) {
 +                            /* ADD SP, SP, imm or SUB SP, SP, imm */
 +                            store_sp_checked(s, tmp);
                          } else {
 -                            tmp = load_reg(s, rn);
 -                            if (insn & (1 << 23))
 -                                tcg_gen_subi_i32(tmp, tmp, imm);
 -                            else
 -                                tcg_gen_addi_i32(tmp, tmp, imm);
 -                            if (rn == 13 && rd == 13) {
 -                                /* ADD SP, SP, imm or SUB SP, SP, imm */
 -                                store_sp_checked(s, tmp);
 -                            } else {
 -                                store_reg(s, rd, tmp);
 -                            }
 +                            store_reg(s, rd, tmp);
                          }
                      }
                  }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
              }
          }
          memidx = get_mem_index(s);
 -        if (rn == 15) {
 -            addr = tcg_temp_new_i32();
 -            /* PC relative.  */
 -            /* s->pc has already been incremented by 4.  */
 -            imm = s->pc & 0xfffffffc;
 -            if (insn & (1 << 23))
 -                imm += insn & 0xfff;
 -            else
 -                imm -= insn & 0xfff;
 -            tcg_gen_movi_i32(addr, imm);
 +        imm = insn & 0xfff;
 +        if (insn & (1 << 23)) {
 +            /* PC relative or Positive offset.  */
 +            addr = add_reg_for_lit(s, rn, imm);
 +        } else if (rn == 15) {
 +            /* PC relative with negative offset.  */
 +            addr = add_reg_for_lit(s, rn, -imm);
          } else {
              addr = load_reg(s, rn);
 -            if (insn & (1 << 23)) {
 -                /* Positive offset.  */
 -                imm = insn & 0xfff;
 -                tcg_gen_addi_i32(addr, addr, imm);
 -            } else {
 -                imm = insn & 0xff;
 -                switch ((insn >> 8) & 0xf) {
 -                case 0x0: /* Shifted Register.  */
 -                    shift = (insn >> 4) & 0xf;
 -                    if (shift > 3) {
 -                        tcg_temp_free_i32(addr);
 -                        goto illegal_op;
 -                    }
 -                    tmp = load_reg(s, rm);
 -                    if (shift)
 -                        tcg_gen_shli_i32(tmp, tmp, shift);
 -                    tcg_gen_add_i32(addr, addr, tmp);
 -                    tcg_temp_free_i32(tmp);
 -                    break;
 -                case 0xc: /* Negative offset.  */
 -                    tcg_gen_addi_i32(addr, addr, -imm);
 -                    break;
 -                case 0xe: /* User privilege.  */
 -                    tcg_gen_addi_i32(addr, addr, imm);
 -                    memidx = get_a32_user_mem_index(s);
 -                    break;
 -                case 0x9: /* Post-decrement.  */
 -                    imm = -imm;
 -                    /* Fall through.  */
 -                case 0xb: /* Post-increment.  */
 -                    postinc = 1;
 -                    writeback = 1;
 -                    break;
 -                case 0xd: /* Pre-decrement.  */
 -                    imm = -imm;
 -                    /* Fall through.  */
 -                case 0xf: /* Pre-increment.  */
 -                    writeback = 1;
 -                    break;
 -                default:
 +            imm = insn & 0xff;
 +            switch ((insn >> 8) & 0xf) {
 +            case 0x0: /* Shifted Register.  */
 +                shift = (insn >> 4) & 0xf;
 +                if (shift > 3) {
                      tcg_temp_free_i32(addr);
                      goto illegal_op;
                  }
 +                tmp = load_reg(s, rm);
 +                if (shift) {
 +                    tcg_gen_shli_i32(tmp, tmp, shift);
 +                }
 +                tcg_gen_add_i32(addr, addr, tmp);
 +                tcg_temp_free_i32(tmp);
 +                break;
 +            case 0xc: /* Negative offset.  */
 +                tcg_gen_addi_i32(addr, addr, -imm);
 +                break;
 +            case 0xe: /* User privilege.  */
 +                tcg_gen_addi_i32(addr, addr, imm);
 +                memidx = get_a32_user_mem_index(s);
 +                break;
 +            case 0x9: /* Post-decrement.  */
 +                imm = -imm;
 +                /* Fall through.  */
 +            case 0xb: /* Post-increment.  */
 +                postinc = 1;
 +                writeback = 1;
 +                break;
 +            case 0xd: /* Pre-decrement.  */
 +                imm = -imm;
 +                /* Fall through.  */
 +            case 0xf: /* Pre-increment.  */
 +                writeback = 1;
 +                break;
 +            default:
 +                tcg_temp_free_i32(addr);
 +                goto illegal_op;
              }
          }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
          if (insn & (1 << 11)) {
              rd = (insn >> 8) & 7;
              /* load pc-relative.  Bit 1 of PC is ignored.  */
 -            val = read_pc(s) + ((insn & 0xff) * 4);
 -            val &= ~(uint32_t)2;
 -            addr = tcg_temp_new_i32();
 -            tcg_gen_movi_i32(addr, val);
 +            addr = add_reg_for_lit(s, 15, (insn & 0xff) * 4);
              tmp = tcg_temp_new_i32();
              gen_aa32_ld32u_iss(s, tmp, addr, get_mem_index(s),
                                 rd | ISSIs16Bit);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
           *  - Add PC/SP (immediate)
           */
          rd = (insn >> 8) & 7;
 -        if (insn & (1 << 11)) {
 -            /* SP */
 -            tmp = load_reg(s, 13);
 -        } else {
 -            /* PC. bit 1 is ignored.  */
 -            tmp = tcg_temp_new_i32();
 -            tcg_gen_movi_i32(tmp, read_pc(s) & ~(uint32_t)2);
 -        }
          val = (insn & 0xff) * 4;
 -        tcg_gen_addi_i32(tmp, tmp, val);
 +        tmp = add_reg_for_lit(s, insn & (1 << 11) ? 13 : 15, val);
          store_reg(s, rd, tmp);
          break;
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 15/37] puv3_pm.c: Convert sysbus init function to realize function
+[Qemu-devel] [PULL 10/29] target/arm: Remove redundant s->pc & ~1
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Use DeviceClass rather than SysBusDeviceClass in
+The thumb bit has already been removed from s->pc, and is always even.
 puv3_pm_class_init().
-Cc: gxt@mprc.pku.edu.cn
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
 Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20181130093852.20739-14-maozhongyi@cmss.chinamobile.com
+Message-id: 20190807045335.1361-6-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/misc/puv3_pm.c | 10 ++++------
+ target/arm/translate.c | 10 +++++-----
-file changed, 4 insertions(+), 6 deletions(-)
+file changed, 5 insertions(+), 5 deletions(-)
-diff --git a/hw/misc/puv3_pm.c b/hw/misc/puv3_pm.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/misc/puv3_pm.c
+--- a/target/arm/translate.c
-+++ b/hw/misc/puv3_pm.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps puv3_pm_ops = {
+@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, int offset, uint32_t syn)
-     .endianness = DEVICE_NATIVE_ENDIAN,
+ /* Force a TB lookup after an instruction that changes the CPU state.  */
- };
+ static inline void gen_lookup_tb(DisasContext *s)
 -static int puv3_pm_init(SysBusDevice *dev)
 +static void puv3_pm_realize(DeviceState *dev, Error **errp)
  {
-     PUV3PMState *s = PUV3_PM(dev);
+-    tcg_gen_movi_i32(cpu_R[15], s->pc & ~1);
++    tcg_gen_movi_i32(cpu_R[15], s->pc);
-@@ -XXX,XX +XXX,XX @@ static int puv3_pm_init(SysBusDevice *dev)
+     s->base.is_jmp = DISAS_EXIT;
      memory_region_init_io(&s->iomem, OBJECT(s), &puv3_pm_ops, s, "puv3_pm",
              PUV3_REGS_OFFSET);
 -    sysbus_init_mmio(dev, &s->iomem);
 -
 -    return 0;
 +    sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->iomem);
  }
- static void puv3_pm_class_init(ObjectClass *klass, void *data)
+@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
- {
+                  * self-modifying code correctly and also to take
--    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
+                  * any pending interrupts immediately.
-+    DeviceClass *dc = DEVICE_CLASS(klass);
+                  */
+-                gen_goto_tb(s, 0, s->pc & ~1);
--    sdc->init = puv3_pm_init;
++                gen_goto_tb(s, 0, s->pc);
-+    dc->realize = puv3_pm_realize;
+                 return;
- }
+             case 7: /* sb */
+                 if ((insn & 0xf) || !dc_isar_feature(aa32_sb, s)) {
- static const TypeInfo puv3_pm_info = {
+@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                   * for TCG; MB and end the TB instead.
                   */
                  tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
 -                gen_goto_tb(s, 0, s->pc & ~1);
 +                gen_goto_tb(s, 0, s->pc);
                  return;
              default:
                  goto illegal_op;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                               * and also to take any pending interrupts
                               * immediately.
                               */
 -                            gen_goto_tb(s, 0, s->pc & ~1);
 +                            gen_goto_tb(s, 0, s->pc);
                              break;
                          case 7: /* sb */
                              if ((insn & 0xf) || !dc_isar_feature(aa32_sb, s)) {
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                               * for TCG; MB and end the TB instead.
                               */
                              tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
 -                            gen_goto_tb(s, 0, s->pc & ~1);
 +                            gen_goto_tb(s, 0, s->pc);
                              break;
                          default:
                              goto illegal_op;
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 26/37] hw/arm: versal: Use IRQs 111 - 118 for virtio-mmio
+[Qemu-devel] [PULL 11/29] target/arm: Replace s->pc with s->base.pc_next
-From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Use IRQs 111 - 118 for virtio-mmio. The interrupts we're currently
+We must update s->base.pc_next when we return from the translate_insn
-using 160+ are not available in the Versal GIC.
+hook to the main translator loop.  By incrementing s->base.pc_next
 immediately after reading the insn word, "pc_next" contains the address
 of the next instruction throughout translation.
-Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+All remaining uses of s->pc are referencing the address of the next insn,
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+so this is now a simple global replacement.  Remove the "s->pc" field.
-Message-id: 20181129163655.20370-4-edgar.iglesias@gmail.com
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 20190807045335.1361-7-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/arm/xlnx-versal.h | 6 +++---
+ target/arm/translate.h     |   1 -
- hw/arm/xlnx-versal-virt.c    | 4 ++--
+ target/arm/translate-a64.c |  51 +++++++++---------
-files changed, 5 insertions(+), 5 deletions(-)
+ target/arm/translate.c     | 103 ++++++++++++++++++-------------------
 files changed, 72 insertions(+), 83 deletions(-)
-diff --git a/include/hw/arm/xlnx-versal.h b/include/hw/arm/xlnx-versal.h
+diff --git a/target/arm/translate.h b/target/arm/translate.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/xlnx-versal.h
+--- a/target/arm/translate.h
-+++ b/include/hw/arm/xlnx-versal.h
++++ b/target/arm/translate.h
-@@ -XXX,XX +XXX,XX @@ typedef struct Versal {
+@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
- #define VERSAL_GEM1_IRQ_0          58
+     DisasContextBase base;
- #define VERSAL_GEM1_WAKE_IRQ_0     59
+     const ARMISARegisters *isar;
--/* Architecturally eserved IRQs suitable for virtualization.  */
+-    target_ulong pc;
--#define VERSAL_RSVD_HIGH_IRQ_FIRST 160
+     /* The address of the current instruction being translated. */
--#define VERSAL_RSVD_HIGH_IRQ_LAST  255
+     target_ulong pc_curr;
-+/* Architecturally reserved IRQs suitable for virtualization.  */
+     target_ulong page_start;
-+#define VERSAL_RSVD_IRQ_FIRST 111
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 +#define VERSAL_RSVD_IRQ_LAST  118
  #define MM_TOP_RSVD                 0xa0000000U
  #define MM_TOP_RSVD_SIZE            0x4000000
 diff --git a/hw/arm/xlnx-versal-virt.c b/hw/arm/xlnx-versal-virt.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/xlnx-versal-virt.c
+--- a/target/arm/translate-a64.c
-+++ b/hw/arm/xlnx-versal-virt.c
++++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void create_virtio_regions(VersalVirt *s)
+@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
-     for (i = 0; i < NUM_VIRTIO_TRANSPORT; i++) {
-         char *name = g_strdup_printf("virtio%d", i);;
+ static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
-         hwaddr base = MM_TOP_RSVD + i * virtio_mmio_size;
+ {
--        int irq = VERSAL_RSVD_HIGH_IRQ_FIRST + i;
+-    gen_a64_set_pc_im(s->pc - offset);
-+        int irq = VERSAL_RSVD_IRQ_FIRST + i;
++    gen_a64_set_pc_im(s->base.pc_next - offset);
-         MemoryRegion *mr;
+     gen_exception_internal(excp);
-         DeviceState *dev;
+     s->base.is_jmp = DISAS_NORETURN;
-         qemu_irq pic_irq;
+ }
-@@ -XXX,XX +XXX,XX @@ static void create_virtio_regions(VersalVirt *s)
+@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
+ static void gen_exception_insn(DisasContext *s, int offset, int excp,
-     for (i = 0; i < NUM_VIRTIO_TRANSPORT; i++) {
+                                uint32_t syndrome, uint32_t target_el)
-         hwaddr base = MM_TOP_RSVD + i * virtio_mmio_size;
+ {
--        int irq = VERSAL_RSVD_HIGH_IRQ_FIRST + i;
+-    gen_a64_set_pc_im(s->pc - offset);
-+        int irq = VERSAL_RSVD_IRQ_FIRST + i;
++    gen_a64_set_pc_im(s->base.pc_next - offset);
-         char *name = g_strdup_printf("/virtio_mmio@%" PRIx64, base);
+     gen_exception(excp, syndrome, target_el);
+     s->base.is_jmp = DISAS_NORETURN;
-         qemu_fdt_add_subnode(s->fdt, name);
+ }
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, int offset,
  {
      TCGv_i32 tcg_syn;
 -    gen_a64_set_pc_im(s->pc - offset);
 +    gen_a64_set_pc_im(s->base.pc_next - offset);
      tcg_syn = tcg_const_i32(syndrome);
      gen_helper_exception_bkpt_insn(cpu_env, tcg_syn);
      tcg_temp_free_i32(tcg_syn);
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
      if (insn & (1U << 31)) {
          /* BL Branch with link */
 -        tcg_gen_movi_i64(cpu_reg(s, 30), s->pc);
 +        tcg_gen_movi_i64(cpu_reg(s, 30), s->base.pc_next);
      }
      /* B Branch / BL Branch with link */
@@ -XXX,XX +XXX,XX @@ static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
      tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
                          tcg_cmp, 0, label_match);
 -    gen_goto_tb(s, 0, s->pc);
 +    gen_goto_tb(s, 0, s->base.pc_next);
      gen_set_label(label_match);
      gen_goto_tb(s, 1, addr);
  }
@@ -XXX,XX +XXX,XX @@ static void disas_test_b_imm(DisasContext *s, uint32_t insn)
      tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
                          tcg_cmp, 0, label_match);
      tcg_temp_free_i64(tcg_cmp);
 -    gen_goto_tb(s, 0, s->pc);
 +    gen_goto_tb(s, 0, s->base.pc_next);
      gen_set_label(label_match);
      gen_goto_tb(s, 1, addr);
  }
@@ -XXX,XX +XXX,XX @@ static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
          /* genuinely conditional branches */
          TCGLabel *label_match = gen_new_label();
          arm_gen_test_cc(cond, label_match);
 -        gen_goto_tb(s, 0, s->pc);
 +        gen_goto_tb(s, 0, s->base.pc_next);
          gen_set_label(label_match);
          gen_goto_tb(s, 1, addr);
      } else {
@@ -XXX,XX +XXX,XX @@ static void handle_sync(DisasContext *s, uint32_t insn,
           * any pending interrupts immediately.
           */
          reset_btype(s);
 -        gen_goto_tb(s, 0, s->pc);
 +        gen_goto_tb(s, 0, s->base.pc_next);
          return;
      case 7: /* SB */
@@ -XXX,XX +XXX,XX @@ static void handle_sync(DisasContext *s, uint32_t insn,
           * MB and end the TB instead.
           */
          tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
 -        gen_goto_tb(s, 0, s->pc);
 +        gen_goto_tb(s, 0, s->base.pc_next);
          return;
      default:
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
          gen_a64_set_pc(s, dst);
          /* BLR also needs to load return address */
          if (opc == 1) {
 -            tcg_gen_movi_i64(cpu_reg(s, 30), s->pc);
 +            tcg_gen_movi_i64(cpu_reg(s, 30), s->base.pc_next);
          }
          break;
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
          gen_a64_set_pc(s, dst);
          /* BLRAA also needs to load return address */
          if (opc == 9) {
 -            tcg_gen_movi_i64(cpu_reg(s, 30), s->pc);
 +            tcg_gen_movi_i64(cpu_reg(s, 30), s->base.pc_next);
          }
          break;
@@ -XXX,XX +XXX,XX @@ static void disas_a64_insn(CPUARMState *env, DisasContext *s)
  {
      uint32_t insn;
 -    s->pc_curr = s->pc;
 -    insn = arm_ldl_code(env, s->pc, s->sctlr_b);
 +    s->pc_curr = s->base.pc_next;
 +    insn = arm_ldl_code(env, s->base.pc_next, s->sctlr_b);
      s->insn = insn;
 -    s->pc += 4;
 +    s->base.pc_next += 4;
      s->fp_access_checked = false;
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
      int bound, core_mmu_idx;
      dc->isar = &arm_cpu->isar;
 -    dc->pc = dc->base.pc_first;
      dc->condjmp = 0;
      dc->aarch64 = 1;
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
  {
      DisasContext *dc = container_of(dcbase, DisasContext, base);
 -    tcg_gen_insn_start(dc->pc, 0, 0);
 +    tcg_gen_insn_start(dc->base.pc_next, 0, 0);
      dc->insn_start = tcg_last_op();
  }
@@ -XXX,XX +XXX,XX @@ static bool aarch64_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
      DisasContext *dc = container_of(dcbase, DisasContext, base);
      if (bp->flags & BP_CPU) {
 -        gen_a64_set_pc_im(dc->pc);
 +        gen_a64_set_pc_im(dc->base.pc_next);
          gen_helper_check_breakpoints(cpu_env);
          /* End the TB early; it likely won't be executed */
          dc->base.is_jmp = DISAS_TOO_MANY;
@@ -XXX,XX +XXX,XX @@ static bool aarch64_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
             to for it to be properly cleared -- thus we
             increment the PC here so that the logic setting
             tb->size below does the right thing.  */
 -        dc->pc += 4;
 +        dc->base.pc_next += 4;
          dc->base.is_jmp = DISAS_NORETURN;
      }
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          disas_a64_insn(env, dc);
      }
 -    dc->base.pc_next = dc->pc;
      translator_loop_temp_check(&dc->base);
  }
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
           */
          switch (dc->base.is_jmp) {
          default:
 -            gen_a64_set_pc_im(dc->pc);
 +            gen_a64_set_pc_im(dc->base.pc_next);
              /* fall through */
          case DISAS_EXIT:
          case DISAS_JUMP:
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          switch (dc->base.is_jmp) {
          case DISAS_NEXT:
          case DISAS_TOO_MANY:
 -            gen_goto_tb(dc, 1, dc->pc);
 +            gen_goto_tb(dc, 1, dc->base.pc_next);
              break;
          default:
          case DISAS_UPDATE:
 -            gen_a64_set_pc_im(dc->pc);
 +            gen_a64_set_pc_im(dc->base.pc_next);
              /* fall through */
          case DISAS_EXIT:
              tcg_gen_exit_tb(NULL, 0);
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          case DISAS_SWI:
              break;
          case DISAS_WFE:
 -            gen_a64_set_pc_im(dc->pc);
 +            gen_a64_set_pc_im(dc->base.pc_next);
              gen_helper_wfe(cpu_env);
              break;
          case DISAS_YIELD:
 -            gen_a64_set_pc_im(dc->pc);
 +            gen_a64_set_pc_im(dc->base.pc_next);
              gen_helper_yield(cpu_env);
              break;
          case DISAS_WFI:
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
               */
              TCGv_i32 tmp = tcg_const_i32(4);
 -            gen_a64_set_pc_im(dc->pc);
 +            gen_a64_set_pc_im(dc->base.pc_next);
              gen_helper_wfi(cpu_env, tmp);
              tcg_temp_free_i32(tmp);
              /* The helper doesn't necessarily throw an exception, but we
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          }
          }
      }
 -
 -    /* Functions above can change dc->pc, so re-align db->pc_next */
 -    dc->base.pc_next = dc->pc;
  }
  static void aarch64_tr_disas_log(const DisasContextBase *dcbase,
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_blxns(DisasContext *s, int rm)
       * We do however need to set the PC, because the blxns helper reads it.
       * The blxns helper may throw an exception.
       */
 -    gen_set_pc_im(s, s->pc);
 +    gen_set_pc_im(s, s->base.pc_next);
      gen_helper_v7m_blxns(cpu_env, var);
      tcg_temp_free_i32(var);
      s->base.is_jmp = DISAS_EXIT;
@@ -XXX,XX +XXX,XX @@ static inline void gen_hvc(DisasContext *s, int imm16)
       * for single stepping.)
       */
      s->svc_imm = imm16;
 -    gen_set_pc_im(s, s->pc);
 +    gen_set_pc_im(s, s->base.pc_next);
      s->base.is_jmp = DISAS_HVC;
  }
@@ -XXX,XX +XXX,XX @@ static inline void gen_smc(DisasContext *s)
      tmp = tcg_const_i32(syn_aa32_smc());
      gen_helper_pre_smc(cpu_env, tmp);
      tcg_temp_free_i32(tmp);
 -    gen_set_pc_im(s, s->pc);
 +    gen_set_pc_im(s, s->base.pc_next);
      s->base.is_jmp = DISAS_SMC;
  }
  static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
  {
      gen_set_condexec(s);
 -    gen_set_pc_im(s, s->pc - offset);
 +    gen_set_pc_im(s, s->base.pc_next - offset);
      gen_exception_internal(excp);
      s->base.is_jmp = DISAS_NORETURN;
  }
@@ -XXX,XX +XXX,XX @@ static void gen_exception_insn(DisasContext *s, int offset, int excp,
                                 int syn, uint32_t target_el)
  {
      gen_set_condexec(s);
 -    gen_set_pc_im(s, s->pc - offset);
 +    gen_set_pc_im(s, s->base.pc_next - offset);
      gen_exception(excp, syn, target_el);
      s->base.is_jmp = DISAS_NORETURN;
  }
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, int offset, uint32_t syn)
      TCGv_i32 tcg_syn;
      gen_set_condexec(s);
 -    gen_set_pc_im(s, s->pc - offset);
 +    gen_set_pc_im(s, s->base.pc_next - offset);
      tcg_syn = tcg_const_i32(syn);
      gen_helper_exception_bkpt_insn(cpu_env, tcg_syn);
      tcg_temp_free_i32(tcg_syn);
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, int offset, uint32_t syn)
  /* Force a TB lookup after an instruction that changes the CPU state.  */
  static inline void gen_lookup_tb(DisasContext *s)
  {
 -    tcg_gen_movi_i32(cpu_R[15], s->pc);
 +    tcg_gen_movi_i32(cpu_R[15], s->base.pc_next);
      s->base.is_jmp = DISAS_EXIT;
  }
@@ -XXX,XX +XXX,XX @@ static inline bool use_goto_tb(DisasContext *s, target_ulong dest)
  {
  #ifndef CONFIG_USER_ONLY
      return (s->base.tb->pc & TARGET_PAGE_MASK) == (dest & TARGET_PAGE_MASK) ||
 -           ((s->pc - 1) & TARGET_PAGE_MASK) == (dest & TARGET_PAGE_MASK);
 +           ((s->base.pc_next - 1) & TARGET_PAGE_MASK) == (dest & TARGET_PAGE_MASK);
  #else
      return true;
  #endif
@@ -XXX,XX +XXX,XX @@ static void gen_nop_hint(DisasContext *s, int val)
           */
      case 1: /* yield */
          if (!(tb_cflags(s->base.tb) & CF_PARALLEL)) {
 -            gen_set_pc_im(s, s->pc);
 +            gen_set_pc_im(s, s->base.pc_next);
              s->base.is_jmp = DISAS_YIELD;
          }
          break;
      case 3: /* wfi */
 -        gen_set_pc_im(s, s->pc);
 +        gen_set_pc_im(s, s->base.pc_next);
          s->base.is_jmp = DISAS_WFI;
          break;
      case 2: /* wfe */
          if (!(tb_cflags(s->base.tb) & CF_PARALLEL)) {
 -            gen_set_pc_im(s, s->pc);
 +            gen_set_pc_im(s, s->base.pc_next);
              s->base.is_jmp = DISAS_WFE;
          }
          break;
@@ -XXX,XX +XXX,XX @@ static int disas_coproc_insn(DisasContext *s, uint32_t insn)
              if (isread) {
                  return 1;
              }
 -            gen_set_pc_im(s, s->pc);
 +            gen_set_pc_im(s, s->base.pc_next);
              s->base.is_jmp = DISAS_WFI;
              return 0;
          default:
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                   * self-modifying code correctly and also to take
                   * any pending interrupts immediately.
                   */
 -                gen_goto_tb(s, 0, s->pc);
 +                gen_goto_tb(s, 0, s->base.pc_next);
                  return;
              case 7: /* sb */
                  if ((insn & 0xf) || !dc_isar_feature(aa32_sb, s)) {
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                   * for TCG; MB and end the TB instead.
                   */
                  tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
 -                gen_goto_tb(s, 0, s->pc);
 +                gen_goto_tb(s, 0, s->base.pc_next);
                  return;
              default:
                  goto illegal_op;
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
              int32_t offset;
              tmp = tcg_temp_new_i32();
 -            tcg_gen_movi_i32(tmp, s->pc);
 +            tcg_gen_movi_i32(tmp, s->base.pc_next);
              store_reg(s, 14, tmp);
              /* Sign-extend the 24-bit offset */
              offset = (((int32_t)insn) << 8) >> 8;
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
              /* branch link/exchange thumb (blx) */
              tmp = load_reg(s, rm);
              tmp2 = tcg_temp_new_i32();
 -            tcg_gen_movi_i32(tmp2, s->pc);
 +            tcg_gen_movi_i32(tmp2, s->base.pc_next);
              store_reg(s, 14, tmp2);
              gen_bx(s, tmp);
              break;
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                  /* branch (and link) */
                  if (insn & (1 << 24)) {
                      tmp = tcg_temp_new_i32();
 -                    tcg_gen_movi_i32(tmp, s->pc);
 +                    tcg_gen_movi_i32(tmp, s->base.pc_next);
                      store_reg(s, 14, tmp);
                  }
                  offset = sextract32(insn << 2, 0, 26);
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
              break;
          case 0xf:
              /* swi */
 -            gen_set_pc_im(s, s->pc);
 +            gen_set_pc_im(s, s->base.pc_next);
              s->svc_imm = extract32(insn, 0, 24);
              s->base.is_jmp = DISAS_SWI;
              break;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                  if (insn & (1 << 14)) {
                      /* Branch and link.  */
 -                    tcg_gen_movi_i32(cpu_R[14], s->pc | 1);
 +                    tcg_gen_movi_i32(cpu_R[14], s->base.pc_next | 1);
                  }
                  offset += read_pc(s);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                               * and also to take any pending interrupts
                               * immediately.
                               */
 -                            gen_goto_tb(s, 0, s->pc);
 +                            gen_goto_tb(s, 0, s->base.pc_next);
                              break;
                          case 7: /* sb */
                              if ((insn & 0xf) || !dc_isar_feature(aa32_sb, s)) {
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                               * for TCG; MB and end the TB instead.
                               */
                              tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
 -                            gen_goto_tb(s, 0, s->pc);
 +                            gen_goto_tb(s, 0, s->base.pc_next);
                              break;
                          default:
                              goto illegal_op;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
                  /* BLX/BX */
                  tmp = load_reg(s, rm);
                  if (link) {
 -                    val = (uint32_t)s->pc | 1;
 +                    val = (uint32_t)s->base.pc_next | 1;
                      tmp2 = tcg_temp_new_i32();
                      tcg_gen_movi_i32(tmp2, val);
                      store_reg(s, 14, tmp2);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
          if (cond == 0xf) {
              /* swi */
 -            gen_set_pc_im(s, s->pc);
 +            gen_set_pc_im(s, s->base.pc_next);
              s->svc_imm = extract32(insn, 0, 8);
              s->base.is_jmp = DISAS_SWI;
              break;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
              tcg_gen_andi_i32(tmp, tmp, 0xfffffffc);
              tmp2 = tcg_temp_new_i32();
 -            tcg_gen_movi_i32(tmp2, s->pc | 1);
 +            tcg_gen_movi_i32(tmp2, s->base.pc_next | 1);
              store_reg(s, 14, tmp2);
              gen_bx(s, tmp);
              break;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
              tcg_gen_addi_i32(tmp, tmp, offset);
              tmp2 = tcg_temp_new_i32();
 -            tcg_gen_movi_i32(tmp2, s->pc | 1);
 +            tcg_gen_movi_i32(tmp2, s->base.pc_next | 1);
              store_reg(s, 14, tmp2);
              gen_bx(s, tmp);
          } else {
@@ -XXX,XX +XXX,XX @@ undef:
  static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
  {
 -    /* Return true if the insn at dc->pc might cross a page boundary.
 +    /* Return true if the insn at dc->base.pc_next might cross a page boundary.
       * (False positives are OK, false negatives are not.)
       * We know this is a Thumb insn, and our caller ensures we are
 -     * only called if dc->pc is less than 4 bytes from the page
 +     * only called if dc->base.pc_next is less than 4 bytes from the page
       * boundary, so we cross the page if the first 16 bits indicate
       * that this is a 32 bit insn.
       */
 -    uint16_t insn = arm_lduw_code(env, s->pc, s->sctlr_b);
 +    uint16_t insn = arm_lduw_code(env, s->base.pc_next, s->sctlr_b);
 -    return !thumb_insn_is_16bit(s, s->pc, insn);
 +    return !thumb_insn_is_16bit(s, s->base.pc_next, insn);
  }
  static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
      uint32_t condexec, core_mmu_idx;
      dc->isar = &cpu->isar;
 -    dc->pc = dc->base.pc_first;
      dc->condjmp = 0;
      dc->aarch64 = 0;
@@ -XXX,XX +XXX,XX @@ static void arm_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
  {
      DisasContext *dc = container_of(dcbase, DisasContext, base);
 -    tcg_gen_insn_start(dc->pc,
 +    tcg_gen_insn_start(dc->base.pc_next,
                         (dc->condexec_cond << 4) | (dc->condexec_mask >> 1),
 );
      dc->insn_start = tcg_last_op();
@@ -XXX,XX +XXX,XX @@ static bool arm_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
      if (bp->flags & BP_CPU) {
          gen_set_condexec(dc);
 -        gen_set_pc_im(dc, dc->pc);
 +        gen_set_pc_im(dc, dc->base.pc_next);
          gen_helper_check_breakpoints(cpu_env);
          /* End the TB early; it's likely not going to be executed */
          dc->base.is_jmp = DISAS_TOO_MANY;
@@ -XXX,XX +XXX,XX @@ static bool arm_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
             tb->size below does the right thing.  */
          /* TODO: Advance PC by correct instruction length to
           * avoid disassembler error messages */
 -        dc->pc += 2;
 +        dc->base.pc_next += 2;
          dc->base.is_jmp = DISAS_NORETURN;
      }
@@ -XXX,XX +XXX,XX @@ static bool arm_pre_translate_insn(DisasContext *dc)
  {
  #ifdef CONFIG_USER_ONLY
      /* Intercept jump to the magic kernel page.  */
 -    if (dc->pc >= 0xffff0000) {
 +    if (dc->base.pc_next >= 0xffff0000) {
          /* We always get here via a jump, so know we are not in a
             conditional execution block.  */
          gen_exception_internal(EXCP_KERNEL_TRAP);
@@ -XXX,XX +XXX,XX @@ static void arm_post_translate_insn(DisasContext *dc)
          gen_set_label(dc->condlabel);
          dc->condjmp = 0;
      }
 -    dc->base.pc_next = dc->pc;
      translator_loop_temp_check(&dc->base);
  }
@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          return;
      }
 -    dc->pc_curr = dc->pc;
 -    insn = arm_ldl_code(env, dc->pc, dc->sctlr_b);
 +    dc->pc_curr = dc->base.pc_next;
 +    insn = arm_ldl_code(env, dc->base.pc_next, dc->sctlr_b);
      dc->insn = insn;
 -    dc->pc += 4;
 +    dc->base.pc_next += 4;
      disas_arm_insn(dc, insn);
      arm_post_translate_insn(dc);
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          return;
      }
 -    dc->pc_curr = dc->pc;
 -    insn = arm_lduw_code(env, dc->pc, dc->sctlr_b);
 -    is_16bit = thumb_insn_is_16bit(dc, dc->pc, insn);
 -    dc->pc += 2;
 +    dc->pc_curr = dc->base.pc_next;
 +    insn = arm_lduw_code(env, dc->base.pc_next, dc->sctlr_b);
 +    is_16bit = thumb_insn_is_16bit(dc, dc->base.pc_next, insn);
 +    dc->base.pc_next += 2;
      if (!is_16bit) {
 -        uint32_t insn2 = arm_lduw_code(env, dc->pc, dc->sctlr_b);
 +        uint32_t insn2 = arm_lduw_code(env, dc->base.pc_next, dc->sctlr_b);
          insn = insn << 16 | insn2;
 -        dc->pc += 2;
 +        dc->base.pc_next += 2;
      }
      dc->insn = insn;
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
       * but isn't very efficient).
       */
      if (dc->base.is_jmp == DISAS_NEXT
 -        && (dc->pc - dc->page_start >= TARGET_PAGE_SIZE
 -            || (dc->pc - dc->page_start >= TARGET_PAGE_SIZE - 3
 +        && (dc->base.pc_next - dc->page_start >= TARGET_PAGE_SIZE
 +            || (dc->base.pc_next - dc->page_start >= TARGET_PAGE_SIZE - 3
                  && insn_crosses_page(env, dc)))) {
          dc->base.is_jmp = DISAS_TOO_MANY;
      }
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          case DISAS_NEXT:
          case DISAS_TOO_MANY:
          case DISAS_UPDATE:
 -            gen_set_pc_im(dc, dc->pc);
 +            gen_set_pc_im(dc, dc->base.pc_next);
              /* fall through */
          default:
              /* FIXME: Single stepping a WFI insn will not halt the CPU. */
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          switch(dc->base.is_jmp) {
          case DISAS_NEXT:
          case DISAS_TOO_MANY:
 -            gen_goto_tb(dc, 1, dc->pc);
 +            gen_goto_tb(dc, 1, dc->base.pc_next);
              break;
          case DISAS_JUMP:
              gen_goto_ptr();
              break;
          case DISAS_UPDATE:
 -            gen_set_pc_im(dc, dc->pc);
 +            gen_set_pc_im(dc, dc->base.pc_next);
              /* fall through */
          default:
              /* indicate that the hash table must be used to find the next TB */
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          gen_set_label(dc->condlabel);
          gen_set_condexec(dc);
          if (unlikely(is_singlestepping(dc))) {
 -            gen_set_pc_im(dc, dc->pc);
 +            gen_set_pc_im(dc, dc->base.pc_next);
              gen_singlestep_exception(dc);
          } else {
 -            gen_goto_tb(dc, 1, dc->pc);
 +            gen_goto_tb(dc, 1, dc->base.pc_next);
          }
      }
 -
 -    /* Functions above can change dc->pc, so re-align db->pc_next */
 -    dc->base.pc_next = dc->pc;
  }
  static void arm_tr_disas_log(const DisasContextBase *dcbase, CPUState *cpu)
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 11/37] input/pl050: Convert sysbus init function to realize function
+[Qemu-devel] [PULL 12/29] target/arm: Replace offset with pc in gen_exception_insn
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Use DeviceClass rather than SysBusDeviceClass in
+The offset is variable depending on the instruction set, whereas
-pl050_class_init().
+we have stored values for the current pc and the next pc.  Passing
+in the actual value is clearer in intent.
-Cc: peter.maydell@linaro.org
-Cc: qemu-arm@nongnu.org
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
 Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20181130093852.20739-10-maozhongyi@cmss.chinamobile.com
+Message-id: 20190807045335.1361-8-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/input/pl050.c | 11 +++++------
+ target/arm/translate-a64.c     | 25 ++++++++++++++-----------
-file changed, 5 insertions(+), 6 deletions(-)
+ target/arm/translate-vfp.inc.c |  6 +++---
+ target/arm/translate.c         | 31 ++++++++++++++++---------------
-diff --git a/hw/input/pl050.c b/hw/input/pl050.c
+files changed, 33 insertions(+), 29 deletions(-)
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/input/pl050.c
+--- a/target/arm/translate-a64.c
-+++ b/hw/input/pl050.c
++++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps pl050_ops = {
+@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
-     .endianness = DEVICE_NATIVE_ENDIAN,
+     s->base.is_jmp = DISAS_NORETURN;
- };
+ }
--static int pl050_initfn(SysBusDevice *dev)
+-static void gen_exception_insn(DisasContext *s, int offset, int excp,
-+static void pl050_realize(DeviceState *dev, Error **errp)
++static void gen_exception_insn(DisasContext *s, uint64_t pc, int excp,
- {
+                                uint32_t syndrome, uint32_t target_el)
-     PL050State *s = PL050(dev);
+ {
-+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
+-    gen_a64_set_pc_im(s->base.pc_next - offset);
++    gen_a64_set_pc_im(pc);
-     memory_region_init_io(&s->iomem, OBJECT(s), &pl050_ops, s, "pl050", 0x1000);
+     gen_exception(excp, syndrome, target_el);
--    sysbus_init_mmio(dev, &s->iomem);
+     s->base.is_jmp = DISAS_NORETURN;
--    sysbus_init_irq(dev, &s->irq);
+ }
-+    sysbus_init_mmio(sbd, &s->iomem);
+@@ -XXX,XX +XXX,XX @@ static inline void gen_goto_tb(DisasContext *s, int n, uint64_t dest)
-+    sysbus_init_irq(sbd, &s->irq);
+ void unallocated_encoding(DisasContext *s)
-     if (s->is_mouse) {
+ {
-         s->dev = ps2_mouse_init(pl050_update, s);
+     /* Unallocated and reserved encodings are uncategorized */
-     } else {
+-    gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
-         s->dev = ps2_kbd_init(pl050_update, s);
++    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-     }
+                        default_exception_el(s));
--    return 0;
+ }
- }
+@@ -XXX,XX +XXX,XX @@ static inline bool fp_access_check(DisasContext *s)
- static void pl050_keyboard_init(Object *obj)
+         return true;
-@@ -XXX,XX +XXX,XX @@ static const TypeInfo pl050_mouse_info = {
+     }
- static void pl050_class_init(ObjectClass *oc, void *data)
- {
+-    gen_exception_insn(s, 4, EXCP_UDEF, syn_fp_access_trap(1, 0xe, false),
-     DeviceClass *dc = DEVICE_CLASS(oc);
+-                       s->fp_excp_el);
--    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(oc);
++    gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
++                       syn_fp_access_trap(1, 0xe, false), s->fp_excp_el);
--    sdc->init = pl050_initfn;
+     return false;
-+    dc->realize = pl050_realize;
+ }
-     dc->vmsd = &vmstate_pl050;
- }
+@@ -XXX,XX +XXX,XX @@ static inline bool fp_access_check(DisasContext *s)
  bool sve_access_check(DisasContext *s)
  {
      if (s->sve_excp_el) {
 -        gen_exception_insn(s, 4, EXCP_UDEF, syn_sve_access_trap(),
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_sve_access_trap(),
                             s->sve_excp_el);
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
          switch (op2_ll) {
          case 1:                                                     /* SVC */
              gen_ss_advance(s);
 -            gen_exception_insn(s, 0, EXCP_SWI, syn_aa64_svc(imm16),
 -                               default_exception_el(s));
 +            gen_exception_insn(s, s->base.pc_next, EXCP_SWI,
 +                               syn_aa64_svc(imm16), default_exception_el(s));
              break;
          case 2:                                                     /* HVC */
              if (s->current_el == 0) {
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
              gen_a64_set_pc_im(s->pc_curr);
              gen_helper_pre_hvc(cpu_env);
              gen_ss_advance(s);
 -            gen_exception_insn(s, 0, EXCP_HVC, syn_aa64_hvc(imm16), 2);
 +            gen_exception_insn(s, s->base.pc_next, EXCP_HVC,
 +                               syn_aa64_hvc(imm16), 2);
              break;
          case 3:                                                     /* SMC */
              if (s->current_el == 0) {
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
              gen_helper_pre_smc(cpu_env, tmp);
              tcg_temp_free_i32(tmp);
              gen_ss_advance(s);
 -            gen_exception_insn(s, 0, EXCP_SMC, syn_aa64_smc(imm16), 3);
 +            gen_exception_insn(s, s->base.pc_next, EXCP_SMC,
 +                               syn_aa64_smc(imm16), 3);
              break;
          default:
              unallocated_encoding(s);
@@ -XXX,XX +XXX,XX @@ static void disas_a64_insn(CPUARMState *env, DisasContext *s)
              if (s->btype != 0
                  && s->guarded_page
                  && !btype_destination_ok(insn, s->bt, s->btype)) {
 -                gen_exception_insn(s, 4, EXCP_UDEF, syn_btitrap(s->btype),
 +                gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
 +                                   syn_btitrap(s->btype),
                                     default_exception_el(s));
                  return;
              }
 diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-vfp.inc.c
 +++ b/target/arm/translate-vfp.inc.c
@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
  {
      if (s->fp_excp_el) {
          if (arm_dc_feature(s, ARM_FEATURE_M)) {
 -            gen_exception_insn(s, 4, EXCP_NOCP, syn_uncategorized(),
 +            gen_exception_insn(s, s->pc_curr, EXCP_NOCP, syn_uncategorized(),
                                 s->fp_excp_el);
          } else {
 -            gen_exception_insn(s, 4, EXCP_UDEF,
 +            gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                                 syn_fp_access_trap(1, 0xe, false),
                                 s->fp_excp_el);
          }
@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
      if (!s->vfp_enabled && !ignore_vfp_enabled) {
          assert(!arm_dc_feature(s, ARM_FEATURE_M));
 -        gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                             default_exception_el(s));
          return false;
      }
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
      s->base.is_jmp = DISAS_NORETURN;
  }
 -static void gen_exception_insn(DisasContext *s, int offset, int excp,
 +static void gen_exception_insn(DisasContext *s, uint32_t pc, int excp,
                                 int syn, uint32_t target_el)
  {
      gen_set_condexec(s);
 -    gen_set_pc_im(s, s->base.pc_next - offset);
 +    gen_set_pc_im(s, pc);
      gen_exception(excp, syn, target_el);
      s->base.is_jmp = DISAS_NORETURN;
  }
@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
          return;
      }
 -    gen_exception_insn(s, s->thumb ? 2 : 4, EXCP_UDEF, syn_uncategorized(),
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                         default_exception_el(s));
  }
@@ -XXX,XX +XXX,XX @@ static bool msr_banked_access_decode(DisasContext *s, int r, int sysm, int rn,
  undef:
      /* If we get here then some access check did not pass */
 -    gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(), exc_target);
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
 +                       syn_uncategorized(), exc_target);
      return false;
  }
@@ -XXX,XX +XXX,XX @@ static int disas_neon_ls_insn(DisasContext *s, uint32_t insn)
       * for attempts to execute invalid vfp/neon encodings with FP disabled.
       */
      if (s->fp_excp_el) {
 -        gen_exception_insn(s, 4, EXCP_UDEF,
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                             syn_simd_access_trap(1, 0xe, false), s->fp_excp_el);
          return 0;
      }
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
       * for attempts to execute invalid vfp/neon encodings with FP disabled.
       */
      if (s->fp_excp_el) {
 -        gen_exception_insn(s, 4, EXCP_UDEF,
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                             syn_simd_access_trap(1, 0xe, false), s->fp_excp_el);
          return 0;
      }
@@ -XXX,XX +XXX,XX @@ static int disas_neon_insn_3same_ext(DisasContext *s, uint32_t insn)
      }
      if (s->fp_excp_el) {
 -        gen_exception_insn(s, 4, EXCP_UDEF,
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                             syn_simd_access_trap(1, 0xe, false), s->fp_excp_el);
          return 0;
      }
@@ -XXX,XX +XXX,XX @@ static int disas_neon_insn_2reg_scalar_ext(DisasContext *s, uint32_t insn)
          off_rm = vfp_reg_offset(0, rm);
      }
      if (s->fp_excp_el) {
 -        gen_exception_insn(s, 4, EXCP_UDEF,
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                             syn_simd_access_trap(1, 0xe, false), s->fp_excp_el);
          return 0;
      }
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
       * For the UNPREDICTABLE cases we choose to UNDEF.
       */
      if (s->current_el == 1 && !s->ns && mode == ARM_CPU_MODE_MON) {
 -        gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(), 3);
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(), 3);
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
      }
      if (undef) {
 -        gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                             default_exception_el(s));
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
       * UsageFault exception.
       */
      if (arm_dc_feature(s, ARM_FEATURE_M)) {
 -        gen_exception_insn(s, 4, EXCP_INVSTATE, syn_uncategorized(),
 +        gen_exception_insn(s, s->pc_curr, EXCP_INVSTATE, syn_uncategorized(),
                             default_exception_el(s));
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
              break;
          default:
          illegal_op:
 -            gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
 +            gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                                 default_exception_el(s));
              break;
          }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
              }
              /* All other insns: NOCP */
 -            gen_exception_insn(s, 4, EXCP_NOCP, syn_uncategorized(),
 +            gen_exception_insn(s, s->pc_curr, EXCP_NOCP, syn_uncategorized(),
                                 default_exception_el(s));
              break;
          }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
      }
      return;
  illegal_op:
 -    gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                         default_exception_el(s));
  }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
      return;
  illegal_op:
  undef:
 -    gen_exception_insn(s, 2, EXCP_UDEF, syn_uncategorized(),
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                         default_exception_el(s));
  }
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 18/37] timer/etraxfs_timer: Convert sysbus init function to realize function
+[Qemu-devel] [PULL 13/29] target/arm: Replace offset with pc in gen_exception_internal_insn
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Use DeviceClass rather than SysBusDeviceClass in
+The offset is variable depending on the instruction set.
-etraxfs_timer_class_init().
+Passing in the actual value is clearer in intent.
-Cc: edgar.iglesias@gmail.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
 Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Message-id: 20190807045335.1361-9-richard.henderson@linaro.org
 Message-id: 20181130093852.20739-17-maozhongyi@cmss.chinamobile.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/timer/etraxfs_timer.c | 14 +++++++-------
+ target/arm/translate-a64.c | 8 ++++----
-file changed, 7 insertions(+), 7 deletions(-)
+ target/arm/translate.c     | 8 ++++----
 files changed, 8 insertions(+), 8 deletions(-)
-diff --git a/hw/timer/etraxfs_timer.c b/hw/timer/etraxfs_timer.c
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/etraxfs_timer.c
+--- a/target/arm/translate-a64.c
-+++ b/hw/timer/etraxfs_timer.c
++++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void etraxfs_timer_reset(void *opaque)
+@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
-     qemu_irq_lower(t->irq);
+     tcg_temp_free_i32(tcg_excp);
  }
--static int etraxfs_timer_init(SysBusDevice *dev)
+-static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
-+static void etraxfs_timer_realize(DeviceState *dev, Error **errp)
++static void gen_exception_internal_insn(DisasContext *s, uint64_t pc, int excp)
  {
-     ETRAXTimerState *t = ETRAX_TIMER(dev);
+-    gen_a64_set_pc_im(s->base.pc_next - offset);
-+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
++    gen_a64_set_pc_im(pc);
+     gen_exception_internal(excp);
-     t->bh_t0 = qemu_bh_new(timer0_hit, t);
+     s->base.is_jmp = DISAS_NORETURN;
      t->bh_t1 = qemu_bh_new(timer1_hit, t);
@@ -XXX,XX +XXX,XX @@ static int etraxfs_timer_init(SysBusDevice *dev)
      t->ptimer_t1 = ptimer_init(t->bh_t1, PTIMER_POLICY_DEFAULT);
      t->ptimer_wd = ptimer_init(t->bh_wd, PTIMER_POLICY_DEFAULT);
 -    sysbus_init_irq(dev, &t->irq);
 -    sysbus_init_irq(dev, &t->nmi);
 +    sysbus_init_irq(sbd, &t->irq);
 +    sysbus_init_irq(sbd, &t->nmi);
      memory_region_init_io(&t->mmio, OBJECT(t), &timer_ops, t,
                            "etraxfs-timer", 0x5c);
 -    sysbus_init_mmio(dev, &t->mmio);
 +    sysbus_init_mmio(sbd, &t->mmio);
      qemu_register_reset(etraxfs_timer_reset, t);
 -    return 0;
  }
+@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
- static void etraxfs_timer_class_init(ObjectClass *klass, void *data)
+                 break;
              }
  #endif
 -            gen_exception_internal_insn(s, 0, EXCP_SEMIHOST);
 +            gen_exception_internal_insn(s, s->base.pc_next, EXCP_SEMIHOST);
          } else {
              unsupported_encoding(s, insn);
          }
@@ -XXX,XX +XXX,XX @@ static bool aarch64_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
          /* End the TB early; it likely won't be executed */
          dc->base.is_jmp = DISAS_TOO_MANY;
      } else {
 -        gen_exception_internal_insn(dc, 0, EXCP_DEBUG);
 +        gen_exception_internal_insn(dc, dc->base.pc_next, EXCP_DEBUG);
          /* The address covered by the breakpoint must be
             included in [tb->pc, tb->pc + tb->size) in order
             to for it to be properly cleared -- thus we
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_smc(DisasContext *s)
      s->base.is_jmp = DISAS_SMC;
  }
 -static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
 +static void gen_exception_internal_insn(DisasContext *s, uint32_t pc, int excp)
  {
--    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
+     gen_set_condexec(s);
-+    DeviceClass *dc = DEVICE_CLASS(klass);
+-    gen_set_pc_im(s, s->base.pc_next - offset);
++    gen_set_pc_im(s, pc);
--    sdc->init = etraxfs_timer_init;
+     gen_exception_internal(excp);
-+    dc->realize = etraxfs_timer_realize;
+     s->base.is_jmp = DISAS_NORETURN;
  }
+@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
- static const TypeInfo etraxfs_timer_info = {
+         s->current_el != 0 &&
  #endif
          (imm == (s->thumb ? 0x3c : 0xf000))) {
 -        gen_exception_internal_insn(s, 0, EXCP_SEMIHOST);
 +        gen_exception_internal_insn(s, s->base.pc_next, EXCP_SEMIHOST);
          return;
      }
@@ -XXX,XX +XXX,XX @@ static bool arm_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
          /* End the TB early; it's likely not going to be executed */
          dc->base.is_jmp = DISAS_TOO_MANY;
      } else {
 -        gen_exception_internal_insn(dc, 0, EXCP_DEBUG);
 +        gen_exception_internal_insn(dc, dc->base.pc_next, EXCP_DEBUG);
          /* The address covered by the breakpoint must be
             included in [tb->pc, tb->pc + tb->size) in order
             to for it to be properly cleared -- thus we
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 21/37] usb/tusb6010: Convert sysbus init function to realize function
+[Qemu-devel] [PULL 14/29] target/arm: Remove offset argument to gen_exception_bkpt_insn
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Use DeviceClass rather than SysBusDeviceClass in
+Unlike the other more generic gen_exception{,_internal}_insn
-tusb6010_class_init().
+interfaces, breakpoints always refer to the current instruction.
-Cc: kraxel@redhat.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
+Message-id: 20190807045335.1361-10-richard.henderson@linaro.org
 Message-id: 20181130093852.20739-20-maozhongyi@cmss.chinamobile.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/usb/tusb6010.c | 8 +++-----
+ target/arm/translate-a64.c | 7 +++----
-file changed, 3 insertions(+), 5 deletions(-)
+ target/arm/translate.c     | 8 ++++----
 files changed, 7 insertions(+), 8 deletions(-)
-diff --git a/hw/usb/tusb6010.c b/hw/usb/tusb6010.c
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/usb/tusb6010.c
+--- a/target/arm/translate-a64.c
-+++ b/hw/usb/tusb6010.c
++++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void tusb6010_reset(DeviceState *dev)
+@@ -XXX,XX +XXX,XX @@ static void gen_exception_insn(DisasContext *s, uint64_t pc, int excp,
-     musb_reset(s->musb);
+     s->base.is_jmp = DISAS_NORETURN;
  }
--static int tusb6010_init(SysBusDevice *sbd)
+-static void gen_exception_bkpt_insn(DisasContext *s, int offset,
-+static void tusb6010_realize(DeviceState *dev, Error **errp)
+-                                    uint32_t syndrome)
 +static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syndrome)
  {
--    DeviceState *dev = DEVICE(sbd);
+     TCGv_i32 tcg_syn;
-     TUSBState *s = TUSB(dev);
-+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
+-    gen_a64_set_pc_im(s->base.pc_next - offset);
++    gen_a64_set_pc_im(s->pc_curr);
-     s->otg_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, tusb_otg_tick, s);
+     tcg_syn = tcg_const_i32(syndrome);
-     s->pwr_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, tusb_power_tick, s);
+     gen_helper_exception_bkpt_insn(cpu_env, tcg_syn);
-@@ -XXX,XX +XXX,XX @@ static int tusb6010_init(SysBusDevice *sbd)
+     tcg_temp_free_i32(tcg_syn);
-     sysbus_init_irq(sbd, &s->irq);
+@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
-     qdev_init_gpio_in(dev, tusb6010_irq, musb_irq_max + 1);
+             break;
-     s->musb = musb_init(dev, 1);
+         }
--    return 0;
+         /* BRK */
 -        gen_exception_bkpt_insn(s, 4, syn_aa64_bkpt(imm16));
 +        gen_exception_bkpt_insn(s, syn_aa64_bkpt(imm16));
          break;
      case 2:
          if (op2_ll != 0) {
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_insn(DisasContext *s, uint32_t pc, int excp,
      s->base.is_jmp = DISAS_NORETURN;
  }
- static void tusb6010_class_init(ObjectClass *klass, void *data)
+-static void gen_exception_bkpt_insn(DisasContext *s, int offset, uint32_t syn)
 +static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syn)
  {
-     DeviceClass *dc = DEVICE_CLASS(klass);
+     TCGv_i32 tcg_syn;
--    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
+     gen_set_condexec(s);
--    k->init = tusb6010_init;
+-    gen_set_pc_im(s, s->base.pc_next - offset);
-+    dc->realize = tusb6010_realize;
++    gen_set_pc_im(s, s->pc_curr);
-     dc->reset = tusb6010_reset;
+     tcg_syn = tcg_const_i32(syn);
- }
+     gen_helper_exception_bkpt_insn(cpu_env, tcg_syn);
      tcg_temp_free_i32(tcg_syn);
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
              case 1:
                  /* bkpt */
                  ARCH(5);
 -                gen_exception_bkpt_insn(s, 4, syn_aa32_bkpt(imm16, false));
 +                gen_exception_bkpt_insn(s, syn_aa32_bkpt(imm16, false));
                  break;
              case 2:
                  /* Hypervisor call (v7) */
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
          {
              int imm8 = extract32(insn, 0, 8);
              ARCH(5);
 -            gen_exception_bkpt_insn(s, 2, syn_aa32_bkpt(imm8, true));
 +            gen_exception_bkpt_insn(s, syn_aa32_bkpt(imm8, true));
              break;
          }
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 06/37] core/empty_slot: Convert sysbus init function to realize function
+[Qemu-devel] [PULL 15/29] target/arm: Use unallocated_encoding for aarch32
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Use DeviceClass rather than SysBusDeviceClass in
+Promote this function from aarch64 to fully general use.
-empty_slot_class_init().
+Use it to unify the code sequences for generating illegal
 opcode exceptions.
-Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20181130093852.20739-5-maozhongyi@cmss.chinamobile.com
+Message-id: 20190807045335.1361-11-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/core/empty_slot.c | 9 ++++-----
+ target/arm/translate-a64.h     |  2 --
-file changed, 4 insertions(+), 5 deletions(-)
+ target/arm/translate.h         |  2 ++
  target/arm/translate-a64.c     |  7 -------
  target/arm/translate-vfp.inc.c |  3 +--
  target/arm/translate.c         | 22 ++++++++++++----------
 files changed, 15 insertions(+), 21 deletions(-)
-diff --git a/hw/core/empty_slot.c b/hw/core/empty_slot.c
+diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/core/empty_slot.c
+--- a/target/arm/translate-a64.h
-+++ b/hw/core/empty_slot.c
++++ b/target/arm/translate-a64.h
-@@ -XXX,XX +XXX,XX @@ void empty_slot_init(hwaddr addr, uint64_t slot_size)
+@@ -XXX,XX +XXX,XX @@
  #ifndef TARGET_ARM_TRANSLATE_A64_H
  #define TARGET_ARM_TRANSLATE_A64_H
 -void unallocated_encoding(DisasContext *s);
 -
  #define unsupported_encoding(s, insn)                                    \
      do {                                                                 \
          qemu_log_mask(LOG_UNIMP,                                         \
 diff --git a/target/arm/translate.h b/target/arm/translate.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.h
 +++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasCompare {
      bool value_global;
  } DisasCompare;
 +void unallocated_encoding(DisasContext *s);
 +
  /* Share the TCG temporaries common between 32 and 64 bit modes.  */
  extern TCGv_i32 cpu_NF, cpu_ZF, cpu_CF, cpu_VF;
  extern TCGv_i64 cpu_exclusive_addr;
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_goto_tb(DisasContext *s, int n, uint64_t dest)
      }
  }
--static int empty_slot_init1(SysBusDevice *dev)
+-void unallocated_encoding(DisasContext *s)
-+static void empty_slot_realize(DeviceState *dev, Error **errp)
+-{
 -    /* Unallocated and reserved encodings are uncategorized */
 -    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                       default_exception_el(s));
 -}
 -
  static void init_tmp_a64_array(DisasContext *s)
  {
-     EmptySlot *s = EMPTY_SLOT(dev);
+ #ifdef CONFIG_DEBUG_TCG
+diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
-     memory_region_init_io(&s->iomem, OBJECT(s), &empty_slot_ops, s,
+index XXXXXXX..XXXXXXX 100644
-                           "empty-slot", s->size);
+--- a/target/arm/translate-vfp.inc.c
--    sysbus_init_mmio(dev, &s->iomem);
++++ b/target/arm/translate-vfp.inc.c
--    return 0;
+@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
-+    sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->iomem);
      if (!s->vfp_enabled && !ignore_vfp_enabled) {
          assert(!arm_dc_feature(s, ARM_FEATURE_M));
 -        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                           default_exception_el(s));
 +        unallocated_encoding(s);
          return false;
      }
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syn)
      s->base.is_jmp = DISAS_NORETURN;
  }
- static void empty_slot_class_init(ObjectClass *klass, void *data)
++void unallocated_encoding(DisasContext *s)
 +{
 +    /* Unallocated and reserved encodings are uncategorized */
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 +                       default_exception_el(s));
 +}
 +
  /* Force a TB lookup after an instruction that changes the CPU state.  */
  static inline void gen_lookup_tb(DisasContext *s)
  {
--    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
+@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
-+    DeviceClass *dc = DEVICE_CLASS(klass);
+         return;
+     }
--    k->init = empty_slot_init1;
-+    dc->realize = empty_slot_realize;
+-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                       default_exception_el(s));
 +    unallocated_encoding(s);
  }
- static const TypeInfo empty_slot_info = {
+ static inline void gen_add_data_offset(DisasContext *s, unsigned int insn,
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
      }
      if (undef) {
 -        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                           default_exception_el(s));
 +        unallocated_encoding(s);
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
              break;
          default:
          illegal_op:
 -            gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                               default_exception_el(s));
 +            unallocated_encoding(s);
              break;
          }
      }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
      }
      return;
  illegal_op:
 -    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                       default_exception_el(s));
 +    unallocated_encoding(s);
  }
  static void disas_thumb_insn(DisasContext *s, uint32_t insn)
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
      return;
  illegal_op:
  undef:
 -    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                       default_exception_el(s));
 +    unallocated_encoding(s);
  }
  static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 36/37] target/arm: Use arm_hcr_el2_eff more places
+[Qemu-devel] [PULL 16/29] target/arm: Remove helper_double_saturate
 From: Richard Henderson <richard.henderson@linaro.org>
-Since arm_hcr_el2_eff includes a check against
+Replace x = double_saturate(y) with x = add_saturate(y, y).
-arm_is_secure_below_el3, we can often remove a
+There is no need for a separate more specialized helper.
 nearby check against secure state.
-In some cases, sort the call to arm_hcr_el2_eff
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 to the end of a short-circuit logical sequence.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20181210150501.7990-3-richard.henderson@linaro.org
+Message-id: 20190807045335.1361-12-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.c    | 12 +++++-------
+ target/arm/helper.h    |  1 -
- target/arm/op_helper.c | 14 ++++++--------
+ target/arm/op_helper.c | 15 ---------------
-files changed, 11 insertions(+), 15 deletions(-)
+ target/arm/translate.c |  4 ++--
 files changed, 2 insertions(+), 18 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
+diff --git a/target/arm/helper.h b/target/arm/helper.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
+--- a/target/arm/helper.h
-+++ b/target/arm/helper.c
++++ b/target/arm/helper.h
-@@ -XXX,XX +XXX,XX @@ static CPAccessResult access_tdosa(CPUARMState *env, const ARMCPRegInfo *ri,
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_3(add_saturate, i32, env, i32, i32)
-     int el = arm_current_el(env);
+ DEF_HELPER_3(sub_saturate, i32, env, i32, i32)
-     bool mdcr_el2_tdosa = (env->cp15.mdcr_el2 & MDCR_TDOSA) ||
+ DEF_HELPER_3(add_usaturate, i32, env, i32, i32)
-         (env->cp15.mdcr_el2 & MDCR_TDE) ||
+ DEF_HELPER_3(sub_usaturate, i32, env, i32, i32)
--        (env->cp15.hcr_el2 & HCR_TGE);
+-DEF_HELPER_2(double_saturate, i32, env, s32)
-+        (arm_hcr_el2_eff(env) & HCR_TGE);
+ DEF_HELPER_FLAGS_2(sdiv, TCG_CALL_NO_RWG_SE, s32, s32, s32)
+ DEF_HELPER_FLAGS_2(udiv, TCG_CALL_NO_RWG_SE, i32, i32, i32)
-     if (el < 2 && mdcr_el2_tdosa && !arm_is_secure_below_el3(env)) {
+ DEF_HELPER_FLAGS_1(rbit, TCG_CALL_NO_RWG_SE, i32, i32)
          return CP_ACCESS_TRAP_EL2;
@@ -XXX,XX +XXX,XX @@ static CPAccessResult access_tdra(CPUARMState *env, const ARMCPRegInfo *ri,
      int el = arm_current_el(env);
      bool mdcr_el2_tdra = (env->cp15.mdcr_el2 & MDCR_TDRA) ||
          (env->cp15.mdcr_el2 & MDCR_TDE) ||
 -        (env->cp15.hcr_el2 & HCR_TGE);
 +        (arm_hcr_el2_eff(env) & HCR_TGE);
      if (el < 2 && mdcr_el2_tdra && !arm_is_secure_below_el3(env)) {
          return CP_ACCESS_TRAP_EL2;
@@ -XXX,XX +XXX,XX @@ static CPAccessResult access_tda(CPUARMState *env, const ARMCPRegInfo *ri,
      int el = arm_current_el(env);
      bool mdcr_el2_tda = (env->cp15.mdcr_el2 & MDCR_TDA) ||
          (env->cp15.mdcr_el2 & MDCR_TDE) ||
 -        (env->cp15.hcr_el2 & HCR_TGE);
 +        (arm_hcr_el2_eff(env) & HCR_TGE);
      if (el < 2 && mdcr_el2_tda && !arm_is_secure_below_el3(env)) {
          return CP_ACCESS_TRAP_EL2;
@@ -XXX,XX +XXX,XX @@ int sve_exception_el(CPUARMState *env, int el)
          if (disabled) {
              /* route_to_el2 */
              return (arm_feature(env, ARM_FEATURE_EL2)
 -                    && !arm_is_secure(env)
 -                    && (env->cp15.hcr_el2 & HCR_TGE) ? 2 : 1);
 +                    && (arm_hcr_el2_eff(env) & HCR_TGE) ? 2 : 1);
          }
          /* Check CPACR.FPEN.  */
@@ -XXX,XX +XXX,XX @@ static int bad_mode_switch(CPUARMState *env, int mode, CPSRWriteType write_type)
           * and CPS are treated as illegal mode changes.
           */
          if (write_type == CPSRWriteByInstr &&
 -            (env->cp15.hcr_el2 & HCR_TGE) &&
              (env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_MON &&
 -            !arm_is_secure_below_el3(env)) {
 +            (arm_hcr_el2_eff(env) & HCR_TGE)) {
              return 1;
          }
          return 0;
 diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/op_helper.c
 +++ b/target/arm/op_helper.c
-@@ -XXX,XX +XXX,XX @@ void raise_exception(CPUARMState *env, uint32_t excp,
+@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(sub_saturate)(CPUARMState *env, uint32_t a, uint32_t b)
      return res;
  }
 -uint32_t HELPER(double_saturate)(CPUARMState *env, int32_t val)
 -{
 -    uint32_t res;
 -    if (val >= 0x40000000) {
 -        res = ~SIGNBIT;
 -        env->QF = 1;
 -    } else if (val <= (int32_t)0xc0000000) {
 -        res = SIGNBIT;
 -        env->QF = 1;
 -    } else {
 -        res = val << 1;
 -    }
 -    return res;
 -}
 -
  uint32_t HELPER(add_usaturate)(CPUARMState *env, uint32_t a, uint32_t b)
  {
-     CPUState *cs = CPU(arm_env_get_cpu(env));
+     uint32_t res = a + b;
+diff --git a/target/arm/translate.c b/target/arm/translate.c
--    if ((env->cp15.hcr_el2 & HCR_TGE) &&
+index XXXXXXX..XXXXXXX 100644
--        target_el == 1 && !arm_is_secure(env)) {
+--- a/target/arm/translate.c
-+    if (target_el == 1 && (arm_hcr_el2_eff(env) & HCR_TGE)) {
++++ b/target/arm/translate.c
-         /*
+@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
-          * Redirect NS EL1 exceptions to NS EL2. These are reported with
+             tmp = load_reg(s, rm);
-          * their original syndrome register value, with the exception of
+             tmp2 = load_reg(s, rn);
-@@ -XXX,XX +XXX,XX @@ static inline int check_wfx_trap(CPUARMState *env, bool is_wfe)
+             if (op1 & 2)
-      * No need for ARM_FEATURE check as if HCR_EL2 doesn't exist the
+-                gen_helper_double_saturate(tmp2, cpu_env, tmp2);
-      * bits will be zero indicating no trap.
++                gen_helper_add_saturate(tmp2, cpu_env, tmp2, tmp2);
-      */
+             if (op1 & 1)
--    if (cur_el < 2 && !arm_is_secure(env)) {
+                 gen_helper_sub_saturate(tmp, cpu_env, tmp, tmp2);
--        mask = (is_wfe) ? HCR_TWE : HCR_TWI;
+             else
--        if (env->cp15.hcr_el2 & mask) {
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
-+    if (cur_el < 2) {
+                 tmp = load_reg(s, rn);
-+        mask = is_wfe ? HCR_TWE : HCR_TWI;
+                 tmp2 = load_reg(s, rm);
-+        if (arm_hcr_el2_eff(env) & mask) {
+                 if (op & 1)
-             return 2;
+-                    gen_helper_double_saturate(tmp, cpu_env, tmp);
-         }
++                    gen_helper_add_saturate(tmp, cpu_env, tmp, tmp);
-     }
+                 if (op & 2)
-@@ -XXX,XX +XXX,XX @@ void HELPER(pre_smc)(CPUARMState *env, uint32_t syndrome)
+                     gen_helper_sub_saturate(tmp, cpu_env, tmp2, tmp);
-                         exception_target_el(env));
+                 else
      }
 -    if (!secure && cur_el == 1 && (env->cp15.hcr_el2 & HCR_TSC)) {
 +    if (cur_el == 1 && (arm_hcr_el2_eff(env) & HCR_TSC)) {
          /* In NS EL1, HCR controlled routing to EL2 has priority over SMD.
           * We also want an EL2 guest to be able to forbid its EL1 from
           * making PSCI calls into QEMU's "firmware" via HCR.TSC.
@@ -XXX,XX +XXX,XX @@ void HELPER(exception_return)(CPUARMState *env)
          goto illegal_return;
      }
 -    if (new_el == 1 && (env->cp15.hcr_el2 & HCR_TGE)
 -        && !arm_is_secure_below_el3(env)) {
 +    if (new_el == 1 && (arm_hcr_el2_eff(env) & HCR_TGE)) {
          goto illegal_return;
      }
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 17/37] pci-bridge/dec: Convert sysbus init function to realize function
+[Qemu-devel] [PULL 17/29] target/arm/cpu64: Ensure kvm really supports aarch64=off
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
+From: Andrew Jones <drjones@redhat.com>
-Use DeviceClass rather than SysBusDeviceClass in
+If -cpu <cpu>,aarch64=off is used then KVM must also be used, and it
-pci_dec_21154_device_class_init().
+and the host must support running the vcpu in 32-bit mode. Also, if
 -cpu <cpu>,aarch64=on is used, then it doesn't matter if kvm is
 enabled or not.
-Cc: david@gibson.dropbear.id.au
+Signed-off-by: Andrew Jones <drjones@redhat.com>
-Cc: mst@redhat.com
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Cc: marcel.apfelbaum@gmail.com
 Cc: qemu-ppc@nongnu.org
 Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
 Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
 Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
 Acked-by: David Gibson <david@gibson.dropbear.id.au>
 Message-id: 20181130093852.20739-16-maozhongyi@cmss.chinamobile.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/pci-bridge/dec.c | 12 ++++++------
+ target/arm/kvm_arm.h | 14 ++++++++++++++
-file changed, 6 insertions(+), 6 deletions(-)
+ target/arm/cpu64.c   | 12 ++++++------
  target/arm/kvm64.c   |  9 +++++++++
 files changed, 29 insertions(+), 6 deletions(-)
-diff --git a/hw/pci-bridge/dec.c b/hw/pci-bridge/dec.c
+diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/pci-bridge/dec.c
+--- a/target/arm/kvm_arm.h
-+++ b/hw/pci-bridge/dec.c
++++ b/target/arm/kvm_arm.h
-@@ -XXX,XX +XXX,XX @@ PCIBus *pci_dec_21154_init(PCIBus *parent_bus, int devfn)
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf);
-     return pci_bridge_get_sec_bus(br);
+  */
  void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu);
 +/**
 + * kvm_arm_aarch32_supported:
 + * @cs: CPUState
 + *
 + * Returns: true if the KVM VCPU can enable AArch32 mode
 + * and false otherwise.
 + */
 +bool kvm_arm_aarch32_supported(CPUState *cs);
 +
  /**
   * kvm_arm_get_max_vm_ipa_size - Returns the number of bits in the
   * IPA address space supported by KVM
@@ -XXX,XX +XXX,XX @@ static inline void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu)
      cpu->host_cpu_probe_failed = true;
  }
--static int pci_dec_21154_device_init(SysBusDevice *dev)
++static inline bool kvm_arm_aarch32_supported(CPUState *cs)
-+static void pci_dec_21154_device_realize(DeviceState *dev, Error **errp)
++{
 +    return false;
 +}
 +
  static inline int kvm_arm_get_max_vm_ipa_size(MachineState *ms)
  {
-     PCIHostState *phb;
+     return -ENOENT;
-+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
+diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
+index XXXXXXX..XXXXXXX 100644
-     phb = PCI_HOST_BRIDGE(dev);
+--- a/target/arm/cpu64.c
++++ b/target/arm/cpu64.c
-@@ -XXX,XX +XXX,XX @@ static int pci_dec_21154_device_init(SysBusDevice *dev)
+@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_set_aarch64(Object *obj, bool value, Error **errp)
-                           dev, "pci-conf-idx", 0x1000);
+      * restriction allows us to avoid fixing up functionality that assumes a
-     memory_region_init_io(&phb->data_mem, OBJECT(dev), &pci_host_data_le_ops,
+      * uniform execution state like do_interrupt.
-                           dev, "pci-data-idx", 0x1000);
+      */
--    sysbus_init_mmio(dev, &phb->conf_mem);
+-    if (!kvm_enabled()) {
--    sysbus_init_mmio(dev, &phb->data_mem);
+-        error_setg(errp, "'aarch64' feature cannot be disabled "
--    return 0;
+-                         "unless KVM is enabled");
-+    sysbus_init_mmio(sbd, &phb->conf_mem);
+-        return;
-+    sysbus_init_mmio(sbd, &phb->data_mem);
+-    }
 -
      if (value == false) {
 +        if (!kvm_enabled() || !kvm_arm_aarch32_supported(CPU(cpu))) {
 +            error_setg(errp, "'aarch64' feature cannot be disabled "
 +                             "unless KVM is enabled and 32-bit EL1 "
 +                             "is supported");
 +            return;
 +        }
          unset_feature(&cpu->env, ARM_FEATURE_AARCH64);
      } else {
          set_feature(&cpu->env, ARM_FEATURE_AARCH64);
 diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm64.c
 +++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@
  #include "exec/gdbstub.h"
  #include "sysemu/sysemu.h"
  #include "sysemu/kvm.h"
 +#include "sysemu/kvm_int.h"
  #include "kvm_arm.h"
 +#include "hw/boards.h"
  #include "internals.h"
  static bool have_guest_debug;
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
      return true;
  }
- static void dec_21154_pci_host_realize(PCIDevice *d, Error **errp)
++bool kvm_arm_aarch32_supported(CPUState *cpu)
-@@ -XXX,XX +XXX,XX @@ static const TypeInfo dec_21154_pci_host_info = {
++{
++    KVMState *s = KVM_STATE(current_machine->accelerator);
- static void pci_dec_21154_device_class_init(ObjectClass *klass, void *data)
++
- {
++    return kvm_check_extension(s, KVM_CAP_ARM_EL1_32BIT);
--    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
++}
-+    DeviceClass *dc = DEVICE_CLASS(klass);
++
+ #define ARM_CPU_ID_MPIDR       3, 0, 0, 0, 5
--    sdc->init = pci_dec_21154_device_init;
-+    dc->realize = pci_dec_21154_device_realize;
+ int kvm_arch_init_vcpu(CPUState *cs)
  }
  static const TypeInfo pci_dec_21154_device_info = {
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 13/37] milkymist-hpdmc: Convert sysbus init function to realize function
+[Qemu-devel] [PULL 18/29] target/arm/cpu: Ensure we can use the pmu with kvm
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
+From: Andrew Jones <drjones@redhat.com>
-Use DeviceClass rather than SysBusDeviceClass in
+We first convert the pmu property from a static property to one with
-milkymist_hpdmc_class_init().
+its own accessors. Then we use the set accessor to check if the PMU is
 supported when using KVM. Indeed a 32-bit KVM host does not support
 the PMU, so this check will catch an attempt to use it at property-set
 time.
-Cc: gxt@mprc.pku.edu.cn
+Signed-off-by: Andrew Jones <drjones@redhat.com>
-Cc: michael@walle.cc
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
 Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 20181130093852.20739-12-maozhongyi@cmss.chinamobile.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/misc/milkymist-hpdmc.c | 9 +++------
+ target/arm/kvm_arm.h | 14 ++++++++++++++
-file changed, 3 insertions(+), 6 deletions(-)
+ target/arm/cpu.c     | 30 +++++++++++++++++++++++++-----
  target/arm/kvm.c     |  7 +++++++
 files changed, 46 insertions(+), 5 deletions(-)
-diff --git a/hw/misc/milkymist-hpdmc.c b/hw/misc/milkymist-hpdmc.c
+diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/misc/milkymist-hpdmc.c
+--- a/target/arm/kvm_arm.h
-+++ b/hw/misc/milkymist-hpdmc.c
++++ b/target/arm/kvm_arm.h
-@@ -XXX,XX +XXX,XX @@ static void milkymist_hpdmc_reset(DeviceState *d)
+@@ -XXX,XX +XXX,XX @@ void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu);
-                          | IODELAY_PLL2_LOCKED;
+  */
  bool kvm_arm_aarch32_supported(CPUState *cs);
 +/**
 + * bool kvm_arm_pmu_supported:
 + * @cs: CPUState
 + *
 + * Returns: true if the KVM VCPU can enable its PMU
 + * and false otherwise.
 + */
 +bool kvm_arm_pmu_supported(CPUState *cs);
 +
  /**
   * kvm_arm_get_max_vm_ipa_size - Returns the number of bits in the
   * IPA address space supported by KVM
@@ -XXX,XX +XXX,XX @@ static inline bool kvm_arm_aarch32_supported(CPUState *cs)
      return false;
  }
--static int milkymist_hpdmc_init(SysBusDevice *dev)
++static inline bool kvm_arm_pmu_supported(CPUState *cs)
-+static void milkymist_hpdmc_realize(DeviceState *dev, Error **errp)
++{
 +    return false;
 +}
 +
  static inline int kvm_arm_get_max_vm_ipa_size(MachineState *ms)
  {
-     MilkymistHpdmcState *s = MILKYMIST_HPDMC(dev);
+     return -ENOENT;
+diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-     memory_region_init_io(&s->regs_region, OBJECT(dev), &hpdmc_mmio_ops, s,
+index XXXXXXX..XXXXXXX 100644
-             "milkymist-hpdmc", R_MAX * 4);
+--- a/target/arm/cpu.c
--    sysbus_init_mmio(dev, &s->regs_region);
++++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static Property arm_cpu_has_el3_property =
  static Property arm_cpu_cfgend_property =
              DEFINE_PROP_BOOL("cfgend", ARMCPU, cfgend, false);
 -/* use property name "pmu" to match other archs and virt tools */
 -static Property arm_cpu_has_pmu_property =
 -            DEFINE_PROP_BOOL("pmu", ARMCPU, has_pmu, true);
 -
--    return 0;
+ static Property arm_cpu_has_vfp_property =
-+    sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->regs_region);
+             DEFINE_PROP_BOOL("vfp", ARMCPU, has_vfp, true);
@@ -XXX,XX +XXX,XX @@ static Property arm_cpu_pmsav7_dregion_property =
                                             pmsav7_dregion,
                                             qdev_prop_uint32, uint32_t);
 +static bool arm_get_pmu(Object *obj, Error **errp)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    return cpu->has_pmu;
 +}
 +
 +static void arm_set_pmu(Object *obj, bool value, Error **errp)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    if (value) {
 +        if (kvm_enabled() && !kvm_arm_pmu_supported(CPU(cpu))) {
 +            error_setg(errp, "'pmu' feature not supported by KVM on this host");
 +            return;
 +        }
 +        set_feature(&cpu->env, ARM_FEATURE_PMU);
 +    } else {
 +        unset_feature(&cpu->env, ARM_FEATURE_PMU);
 +    }
 +    cpu->has_pmu = value;
 +}
 +
  static void arm_get_init_svtor(Object *obj, Visitor *v, const char *name,
                                 void *opaque, Error **errp)
  {
@@ -XXX,XX +XXX,XX @@ void arm_cpu_post_init(Object *obj)
      }
      if (arm_feature(&cpu->env, ARM_FEATURE_PMU)) {
 -        qdev_property_add_static(DEVICE(obj), &arm_cpu_has_pmu_property,
 +        cpu->has_pmu = true;
 +        object_property_add_bool(obj, "pmu", arm_get_pmu, arm_set_pmu,
                                   &error_abort);
      }
 diff --git a/target/arm/kvm.c b/target/arm/kvm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm.c
 +++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@ void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu)
      env->features = arm_host_cpu_features.features;
  }
- static const VMStateDescription vmstate_milkymist_hpdmc = {
++bool kvm_arm_pmu_supported(CPUState *cpu)
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_milkymist_hpdmc = {
++{
- static void milkymist_hpdmc_class_init(ObjectClass *klass, void *data)
++    KVMState *s = KVM_STATE(current_machine->accelerator);
 +
 +    return kvm_check_extension(s, KVM_CAP_ARM_PMU_V3);
 +}
 +
  int kvm_arm_get_max_vm_ipa_size(MachineState *ms)
  {
-     DeviceClass *dc = DEVICE_CLASS(klass);
+     KVMState *s = KVM_STATE(ms->accelerator);
 -    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
 -    k->init = milkymist_hpdmc_init;
 +    dc->realize = milkymist_hpdmc_realize;
      dc->reset = milkymist_hpdmc_reset;
      dc->vmsd = &vmstate_milkymist_hpdmc;
  }
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 31/37] target/arm: Fix HCR_EL2.TGE check in arm_phys_excp_target_el
+[Qemu-devel] [PULL 19/29] target/arm/helper: zcr: Add build bug next to value range assumption
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Andrew Jones <drjones@redhat.com>
-The enable for TGE has already occurred within arm_hcr_el2_amo
+The current implementation of ZCR_ELx matches the architecture, only
-and friends.  Moreover, when E2H is also set, the sense is
+implementing the lower four bits, with the rest RAZ/WI. This puts
-supposed to be reversed, which has also already occurred within
+a strict limit on ARM_MAX_VQ of 16. Make sure we don't let ARM_MAX_VQ
-the helpers.
+grow without a corresponding update here.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Suggested-by: Dave Martin <Dave.Martin@arm.com>
-Message-id: 20181203203839.757-5-richard.henderson@linaro.org
+Signed-off-by: Andrew Jones <drjones@redhat.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.c | 3 ---
+ target/arm/helper.c | 1 +
-file changed, 3 deletions(-)
+file changed, 1 insertion(+)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ uint32_t arm_phys_excp_target_el(CPUState *cs, uint32_t excp_idx,
+@@ -XXX,XX +XXX,XX @@ static void zcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
-         break;
+     int new_len;
-     };
+     /* Bits other than [3:0] are RAZ/WI.  */
--    /* If HCR.TGE is set then HCR is treated as being 1 */
++    QEMU_BUILD_BUG_ON(ARM_MAX_VQ > 16);
--    hcr |= ((env->cp15.hcr_el2 & HCR_TGE) == HCR_TGE);
+     raw_write(env, ri, value & 0xf);
--
-     /* Perform a table-lookup for the target EL given the current state */
+     /*
      target_el = target_el_table[is64][scr][rw][hcr][secure][cur_el];
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 34/37] target/arm: Implement the ARMv8.2-AA32HPD extension
+[Qemu-devel] [PULL 20/29] target/arm/cpu: Use div-round-up to determine predicate register array size
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Andrew Jones <drjones@redhat.com>
-The bulk of the work here, beyond base HPD, is defining the
+Unless we're guaranteed to always increase ARM_MAX_VQ by a multiple of
-TTBCR2 register.  In addition we must check TTBCR.T2E, which
+four, then we should use DIV_ROUND_UP to ensure we get an appropriate
-is not present (RES0) for AArch64.
+array size.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Andrew Jones <drjones@redhat.com>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20181203203839.757-11-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.h    |  9 +++++++++
+ target/arm/cpu.h | 2 +-
- target/arm/cpu.c    |  4 ++++
+file changed, 1 insertion(+), 1 deletion(-)
  target/arm/helper.c | 37 +++++++++++++++++++++++++++++--------
 files changed, 42 insertions(+), 8 deletions(-)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ FIELD(ID_ISAR6, FHM, 8, 4)
+@@ -XXX,XX +XXX,XX @@ typedef struct ARMVectorReg {
- FIELD(ID_ISAR6, SB, 12, 4)
+ #ifdef TARGET_AARCH64
- FIELD(ID_ISAR6, SPECRES, 16, 4)
+ /* In AArch32 mode, predicate registers do not exist at all.  */
+ typedef struct ARMPredicateReg {
-+FIELD(ID_MMFR4, SPECSEI, 0, 4)
+-    uint64_t p[2 * ARM_MAX_VQ / 8] QEMU_ALIGNED(16);
-+FIELD(ID_MMFR4, AC2, 4, 4)
++    uint64_t p[DIV_ROUND_UP(2 * ARM_MAX_VQ, 8)] QEMU_ALIGNED(16);
-+FIELD(ID_MMFR4, XNX, 8, 4)
+ } ARMPredicateReg;
-+FIELD(ID_MMFR4, CNP, 12, 4)
-+FIELD(ID_MMFR4, HPDS, 16, 4)
+ /* In AArch32 mode, PAC keys do not exist at all.  */
 +FIELD(ID_MMFR4, LSM, 20, 4)
 +FIELD(ID_MMFR4, CCIDX, 24, 4)
 +FIELD(ID_MMFR4, EVT, 28, 4)
 +
  FIELD(ID_AA64ISAR0, AES, 4, 4)
  FIELD(ID_AA64ISAR0, SHA1, 8, 4)
  FIELD(ID_AA64ISAR0, SHA2, 12, 4)
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
              t = cpu->isar.id_isar6;
              t = FIELD_DP32(t, ID_ISAR6, DP, 1);
              cpu->isar.id_isar6 = t;
 +
 +            t = cpu->id_mmfr4;
 +            t = FIELD_DP32(t, ID_MMFR4, HPDS, 1); /* AA32HPD */
 +            cpu->id_mmfr4 = t;
          }
  #endif
      }
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void vmsa_ttbcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                               uint64_t value)
  {
      ARMCPU *cpu = arm_env_get_cpu(env);
 +    TCR *tcr = raw_ptr(env, ri);
      if (arm_feature(env, ARM_FEATURE_LPAE)) {
          /* With LPAE the TTBCR could result in a change of ASID
@@ -XXX,XX +XXX,XX @@ static void vmsa_ttbcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
           */
          tlb_flush(CPU(cpu));
      }
 +    /* Preserve the high half of TCR_EL1, set via TTBCR2.  */
 +    value = deposit64(tcr->raw_tcr, 0, 32, value);
      vmsa_ttbcr_raw_write(env, ri, value);
  }
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vmsa_cp_reginfo[] = {
      REGINFO_SENTINEL
  };
 +/* Note that unlike TTBCR, writing to TTBCR2 does not require flushing
 + * qemu tlbs nor adjusting cached masks.
 + */
 +static const ARMCPRegInfo ttbcr2_reginfo = {
 +    .name = "TTBCR2", .cp = 15, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 3,
 +    .access = PL1_RW, .type = ARM_CP_ALIAS,
 +    .bank_fieldoffsets = { offsetofhigh32(CPUARMState, cp15.tcr_el[3]),
 +                           offsetofhigh32(CPUARMState, cp15.tcr_el[1]) },
 +};
 +
  static void omap_ticonfig_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                  uint64_t value)
  {
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
      } else {
          define_arm_cp_regs(cpu, vmsa_pmsa_cp_reginfo);
          define_arm_cp_regs(cpu, vmsa_cp_reginfo);
 +        /* TTCBR2 is introduced with ARMv8.2-A32HPD.  */
 +        if (FIELD_EX32(cpu->id_mmfr4, ID_MMFR4, HPDS) != 0) {
 +            define_one_arm_cp_reg(cpu, &ttbcr2_reginfo);
 +        }
      }
      if (arm_feature(env, ARM_FEATURE_THUMB2EE)) {
          define_arm_cp_regs(cpu, t2ee_cp_reginfo);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
          if (tg == 2) { /* 16KB pages */
              stride = 11;
          }
 -        if (aarch64) {
 -            if (el > 1) {
 -                hpd = extract64(tcr->raw_tcr, 24, 1);
 -            } else {
 -                hpd = extract64(tcr->raw_tcr, 41, 1);
 -            }
 +        if (aarch64 && el > 1) {
 +            hpd = extract64(tcr->raw_tcr, 24, 1);
 +        } else {
 +            hpd = extract64(tcr->raw_tcr, 41, 1);
 +        }
 +        if (!aarch64) {
 +            /* For aarch32, hpd0 is not enabled without t2e as well.  */
 +            hpd &= extract64(tcr->raw_tcr, 6, 1);
          }
      } else {
          /* We should only be here if TTBR1 is valid */
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
          if (tg == 1) { /* 16KB pages */
              stride = 11;
          }
 -        if (aarch64) {
 -            hpd = extract64(tcr->raw_tcr, 42, 1);
 +        hpd = extract64(tcr->raw_tcr, 42, 1);
 +        if (!aarch64) {
 +            /* For aarch32, hpd1 is not enabled without t2e as well.  */
 +            hpd &= extract64(tcr->raw_tcr, 6, 1);
          }
      }
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 24/37] hw/arm: versal: Remove bogus virtio-mmio creation
+[Qemu-devel] [PULL 21/29] target/arm/kvm64: Fix error returns
-From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
+From: Andrew Jones <drjones@redhat.com>
-Remove bogus virtio-mmio creation. This was an accidental
+A couple return -EINVAL's forgot their '-'s.
 left-over an experiment.
-Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Signed-off-by: Andrew Jones <drjones@redhat.com>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Reviewed-by: Luc Michel <luc.michel@greensocs.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20181129163655.20370-2-edgar.iglesias@gmail.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/xlnx-versal-virt.c | 1 -
+ target/arm/kvm64.c | 4 ++--
-file changed, 1 deletion(-)
+file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/hw/arm/xlnx-versal-virt.c b/hw/arm/xlnx-versal-virt.c
+diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/xlnx-versal-virt.c
+--- a/target/arm/kvm64.c
-+++ b/hw/arm/xlnx-versal-virt.c
++++ b/target/arm/kvm64.c
-@@ -XXX,XX +XXX,XX @@ static void create_virtio_regions(VersalVirt *s)
+@@ -XXX,XX +XXX,XX @@ int kvm_arch_put_registers(CPUState *cs, int level)
-         sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, pic_irq);
+     write_cpustate_to_list(cpu, true);
-         mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(dev), 0);
-         memory_region_add_subregion(&s->soc.mr_ps, base, mr);
+     if (!write_list_to_kvmstate(cpu, level)) {
--        sysbus_create_simple("virtio-mmio", base, pic_irq);
+-        return EINVAL;
 +        return -EINVAL;
      }
-     for (i = 0; i < NUM_VIRTIO_TRANSPORT; i++) {
+     kvm_arm_sync_mpstate_to_kvm(cpu);
@@ -XXX,XX +XXX,XX @@ int kvm_arch_get_registers(CPUState *cs)
      }
      if (!write_kvmstate_to_list(cpu)) {
 -        return EINVAL;
 +        return -EINVAL;
      }
      /* Note that it's OK to have registers which aren't in CPUState,
       * so we can ignore a failure return here.
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 14/37] milkymist-pfpu: Convert sysbus init function to realize function
+[Qemu-devel] [PULL 22/29] target/arm/kvm64: Move the get/put of fpsimd registers out
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
+From: Andrew Jones <drjones@redhat.com>
-Use DeviceClass rather than SysBusDeviceClass in
+Move the getting/putting of the fpsimd registers out of
-milkymist_pfpu_class_init().
+kvm_arch_get/put_registers() into their own helper functions
+to prepare for alternatively getting/putting SVE registers.
-Cc: michael@walle.cc
+No functional change.
-Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
-Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
+Signed-off-by: Andrew Jones <drjones@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Message-id: 20181130093852.20739-13-maozhongyi@cmss.chinamobile.com
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/misc/milkymist-pfpu.c | 12 +++++-------
+ target/arm/kvm64.c | 148 +++++++++++++++++++++++++++------------------
-file changed, 5 insertions(+), 7 deletions(-)
+file changed, 88 insertions(+), 60 deletions(-)
-diff --git a/hw/misc/milkymist-pfpu.c b/hw/misc/milkymist-pfpu.c
+diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/misc/milkymist-pfpu.c
+--- a/target/arm/kvm64.c
-+++ b/hw/misc/milkymist-pfpu.c
++++ b/target/arm/kvm64.c
-@@ -XXX,XX +XXX,XX @@ static void milkymist_pfpu_reset(DeviceState *d)
+@@ -XXX,XX +XXX,XX @@ int kvm_arm_cpreg_level(uint64_t regidx)
-     }
+ #define AARCH64_SIMD_CTRL_REG(x)   (KVM_REG_ARM64 | KVM_REG_SIZE_U32 | \
                   KVM_REG_ARM_CORE | KVM_REG_ARM_CORE_REG(x))
 +static int kvm_arch_put_fpsimd(CPUState *cs)
 +{
 +    ARMCPU *cpu = ARM_CPU(cs);
 +    CPUARMState *env = &cpu->env;
 +    struct kvm_one_reg reg;
 +    uint32_t fpr;
 +    int i, ret;
 +
 +    for (i = 0; i < 32; i++) {
 +        uint64_t *q = aa64_vfp_qreg(env, i);
 +#ifdef HOST_WORDS_BIGENDIAN
 +        uint64_t fp_val[2] = { q[1], q[0] };
 +        reg.addr = (uintptr_t)fp_val;
 +#else
 +        reg.addr = (uintptr_t)q;
 +#endif
 +        reg.id = AARCH64_SIMD_CORE_REG(fp_regs.vregs[i]);
 +        ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
 +        if (ret) {
 +            return ret;
 +        }
 +    }
 +
 +    reg.addr = (uintptr_t)(&fpr);
 +    fpr = vfp_get_fpsr(env);
 +    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
 +    ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
 +    if (ret) {
 +        return ret;
 +    }
 +
 +    reg.addr = (uintptr_t)(&fpr);
 +    fpr = vfp_get_fpcr(env);
 +    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
 +    ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
 +    if (ret) {
 +        return ret;
 +    }
 +
 +    return 0;
 +}
 +
  int kvm_arch_put_registers(CPUState *cs, int level)
  {
      struct kvm_one_reg reg;
 -    uint32_t fpr;
      uint64_t val;
 -    int i;
 -    int ret;
 +    int i, ret;
      unsigned int el;
      ARMCPU *cpu = ARM_CPU(cs);
@@ -XXX,XX +XXX,XX @@ int kvm_arch_put_registers(CPUState *cs, int level)
          }
      }
 -    /* Advanced SIMD and FP registers. */
 -    for (i = 0; i < 32; i++) {
 -        uint64_t *q = aa64_vfp_qreg(env, i);
 -#ifdef HOST_WORDS_BIGENDIAN
 -        uint64_t fp_val[2] = { q[1], q[0] };
 -        reg.addr = (uintptr_t)fp_val;
 -#else
 -        reg.addr = (uintptr_t)q;
 -#endif
 -        reg.id = AARCH64_SIMD_CORE_REG(fp_regs.vregs[i]);
 -        ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
 -        if (ret) {
 -            return ret;
 -        }
 -    }
 -
 -    reg.addr = (uintptr_t)(&fpr);
 -    fpr = vfp_get_fpsr(env);
 -    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
 -    ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
 -    if (ret) {
 -        return ret;
 -    }
 -
 -    fpr = vfp_get_fpcr(env);
 -    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
 -    ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
 +    ret = kvm_arch_put_fpsimd(cs);
      if (ret) {
          return ret;
      }
@@ -XXX,XX +XXX,XX @@ int kvm_arch_put_registers(CPUState *cs, int level)
      return ret;
  }
--static int milkymist_pfpu_init(SysBusDevice *dev)
++static int kvm_arch_get_fpsimd(CPUState *cs)
-+static void milkymist_pfpu_realize(DeviceState *dev, Error **errp)
++{
 +    ARMCPU *cpu = ARM_CPU(cs);
 +    CPUARMState *env = &cpu->env;
 +    struct kvm_one_reg reg;
 +    uint32_t fpr;
 +    int i, ret;
 +
 +    for (i = 0; i < 32; i++) {
 +        uint64_t *q = aa64_vfp_qreg(env, i);
 +        reg.id = AARCH64_SIMD_CORE_REG(fp_regs.vregs[i]);
 +        reg.addr = (uintptr_t)q;
 +        ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
 +        if (ret) {
 +            return ret;
 +        } else {
 +#ifdef HOST_WORDS_BIGENDIAN
 +            uint64_t t;
 +            t = q[0], q[0] = q[1], q[1] = t;
 +#endif
 +        }
 +    }
 +
 +    reg.addr = (uintptr_t)(&fpr);
 +    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
 +    ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
 +    if (ret) {
 +        return ret;
 +    }
 +    vfp_set_fpsr(env, fpr);
 +
 +    reg.addr = (uintptr_t)(&fpr);
 +    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
 +    ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
 +    if (ret) {
 +        return ret;
 +    }
 +    vfp_set_fpcr(env, fpr);
 +
 +    return 0;
 +}
 +
  int kvm_arch_get_registers(CPUState *cs)
  {
-     MilkymistPFPUState *s = MILKYMIST_PFPU(dev);
+     struct kvm_one_reg reg;
-+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
+     uint64_t val;
+-    uint32_t fpr;
--    sysbus_init_irq(dev, &s->irq);
+     unsigned int el;
-+    sysbus_init_irq(sbd, &s->irq);
+-    int i;
+-    int ret;
-     memory_region_init_io(&s->regs_region, OBJECT(dev), &pfpu_mmio_ops, s,
++    int i, ret;
-             "milkymist-pfpu", MICROCODE_END * 4);
--    sysbus_init_mmio(dev, &s->regs_region);
+     ARMCPU *cpu = ARM_CPU(cs);
--
+     CPUARMState *env = &cpu->env;
--    return 0;
+@@ -XXX,XX +XXX,XX @@ int kvm_arch_get_registers(CPUState *cs)
-+    sysbus_init_mmio(sbd, &s->regs_region);
+         env->spsr = env->banked_spsr[i];
- }
+     }
- static const VMStateDescription vmstate_milkymist_pfpu = {
+-    /* Advanced SIMD and FP registers */
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_milkymist_pfpu = {
+-    for (i = 0; i < 32; i++) {
- static void milkymist_pfpu_class_init(ObjectClass *klass, void *data)
+-        uint64_t *q = aa64_vfp_qreg(env, i);
- {
+-        reg.id = AARCH64_SIMD_CORE_REG(fp_regs.vregs[i]);
-     DeviceClass *dc = DEVICE_CLASS(klass);
+-        reg.addr = (uintptr_t)q;
--    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
+-        ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
+-        if (ret) {
--    k->init = milkymist_pfpu_init;
+-            return ret;
-+    dc->realize = milkymist_pfpu_realize;
+-        } else {
-     dc->reset = milkymist_pfpu_reset;
+-#ifdef HOST_WORDS_BIGENDIAN
-     dc->vmsd = &vmstate_milkymist_pfpu;
+-            uint64_t t;
- }
+-            t = q[0], q[0] = q[1], q[1] = t;
 -#endif
 -        }
 -    }
 -
 -    reg.addr = (uintptr_t)(&fpr);
 -    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
 -    ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
 +    ret = kvm_arch_get_fpsimd(cs);
      if (ret) {
          return ret;
      }
 -    vfp_set_fpsr(env, fpr);
 -
 -    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
 -    ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
 -    if (ret) {
 -        return ret;
 -    }
 -    vfp_set_fpcr(env, fpr);
      ret = kvm_get_vcpu_events(cpu);
      if (ret) {
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 16/37] nvram/ds1225y: Convert sysbus init function to realize function
+[Qemu-devel] [PULL 23/29] target/arm: Use tcg_gen_extract_i32 for shifter_out_im
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Use DeviceClass rather than SysBusDeviceClass in
+Extract is a compact combination of shift + and.
 nvram_sysbus_class_init().
-Cc: pbonzini@redhat.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Cc: marcandre.lureau@redhat.com
+Message-id: 20190808202616.13782-2-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
 Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 20181130093852.20739-15-maozhongyi@cmss.chinamobile.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/nvram/ds1225y.c | 12 +++++-------
+ target/arm/translate.c | 9 +--------
-file changed, 5 insertions(+), 7 deletions(-)
+file changed, 1 insertion(+), 8 deletions(-)
-diff --git a/hw/nvram/ds1225y.c b/hw/nvram/ds1225y.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/nvram/ds1225y.c
+--- a/target/arm/translate.c
-+++ b/hw/nvram/ds1225y.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static void gen_sar(TCGv_i32 dest, TCGv_i32 t0, TCGv_i32 t1)
- #include "qemu/osdep.h"
- #include "hw/sysbus.h"
+ static void shifter_out_im(TCGv_i32 var, int shift)
  #include "trace.h"
 +#include "qemu/error-report.h"
  typedef struct {
      MemoryRegion iomem;
@@ -XXX,XX +XXX,XX @@ typedef struct {
      NvRamState nvram;
  } SysBusNvRamState;
 -static int nvram_sysbus_initfn(SysBusDevice *dev)
 +static void nvram_sysbus_realize(DeviceState *dev, Error **errp)
  {
-     SysBusNvRamState *sys = DS1225Y(dev);
+-    if (shift == 0) {
-     NvRamState *s = &sys->nvram;
+-        tcg_gen_andi_i32(cpu_CF, var, 1);
-@@ -XXX,XX +XXX,XX @@ static int nvram_sysbus_initfn(SysBusDevice *dev)
+-    } else {
+-        tcg_gen_shri_i32(cpu_CF, var, shift);
-     memory_region_init_io(&s->iomem, OBJECT(s), &nvram_ops, s,
+-        if (shift != 31) {
-                           "nvram", s->chip_size);
+-            tcg_gen_andi_i32(cpu_CF, cpu_CF, 1);
--    sysbus_init_mmio(dev, &s->iomem);
+-        }
-+    sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->iomem);
+-    }
++    tcg_gen_extract_i32(cpu_CF, var, shift, 1);
      /* Read current file */
      file = s->filename ? fopen(s->filename, "rb") : NULL;
      if (file) {
          /* Read nvram contents */
          if (fread(s->contents, s->chip_size, 1, file) != 1) {
 -            printf("nvram_sysbus_initfn: short read\n");
 +            error_report("nvram_sysbus_realize: short read");
          }
          fclose(file);
      }
      nvram_post_load(s, 0);
 -
 -    return 0;
  }
- static Property nvram_sysbus_properties[] = {
+ /* Shift by immediate.  Includes special handling for shift == 0.  */
@@ -XXX,XX +XXX,XX @@ static Property nvram_sysbus_properties[] = {
  static void nvram_sysbus_class_init(ObjectClass *klass, void *data)
  {
      DeviceClass *dc = DEVICE_CLASS(klass);
 -    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
 -    k->init = nvram_sysbus_initfn;
 +    dc->realize = nvram_sysbus_realize;
      dc->vmsd = &vmstate_nvram;
      dc->props = nvram_sysbus_properties;
  }
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 29/37] target/arm: Add HCR_EL2 bits up to ARMv8.5
+[Qemu-devel] [PULL 24/29] target/arm: Use tcg_gen_deposit_i32 for PKHBT, PKHTB
 From: Richard Henderson <richard.henderson@linaro.org>
-Post v8.3 bits taken from SysReg_v85_xml-00bet8.
+Use deposit as the composit operation to merge the
 bits from the two inputs.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20181203203839.757-3-richard.henderson@linaro.org
+Message-id: 20190808202616.13782-3-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.h | 22 +++++++++++++++++++++-
+ target/arm/translate.c | 26 ++++++++++----------------
-file changed, 21 insertions(+), 1 deletion(-)
+file changed, 10 insertions(+), 16 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
+--- a/target/arm/translate.c
-+++ b/target/arm/cpu.h
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask)
+@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
- #define HCR_TIDCP     (1ULL << 20)
+                         shift = (insn >> 7) & 0x1f;
- #define HCR_TACR      (1ULL << 21)
+                         if (insn & (1 << 6)) {
- #define HCR_TSW       (1ULL << 22)
+                             /* pkhtb */
--#define HCR_TPC       (1ULL << 23)
+-                            if (shift == 0)
-+#define HCR_TPCP      (1ULL << 23)
++                            if (shift == 0) {
- #define HCR_TPU       (1ULL << 24)
+                                 shift = 31;
- #define HCR_TTLB      (1ULL << 25)
++                            }
- #define HCR_TVM       (1ULL << 26)
+                             tcg_gen_sari_i32(tmp2, tmp2, shift);
-@@ -XXX,XX +XXX,XX @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask)
+-                            tcg_gen_andi_i32(tmp, tmp, 0xffff0000);
- #define HCR_CD        (1ULL << 32)
+-                            tcg_gen_ext16u_i32(tmp2, tmp2);
- #define HCR_ID        (1ULL << 33)
++                            tcg_gen_deposit_i32(tmp, tmp, tmp2, 0, 16);
- #define HCR_E2H       (1ULL << 34)
+                         } else {
-+#define HCR_TLOR      (1ULL << 35)
+                             /* pkhbt */
-+#define HCR_TERR      (1ULL << 36)
+-                            if (shift)
-+#define HCR_TEA       (1ULL << 37)
+-                                tcg_gen_shli_i32(tmp2, tmp2, shift);
-+#define HCR_MIOCNCE   (1ULL << 38)
+-                            tcg_gen_ext16u_i32(tmp, tmp);
-+#define HCR_APK       (1ULL << 40)
+-                            tcg_gen_andi_i32(tmp2, tmp2, 0xffff0000);
-+#define HCR_API       (1ULL << 41)
++                            tcg_gen_shli_i32(tmp2, tmp2, shift);
-+#define HCR_NV        (1ULL << 42)
++                            tcg_gen_deposit_i32(tmp, tmp2, tmp, 0, 16);
-+#define HCR_NV1       (1ULL << 43)
+                         }
-+#define HCR_AT        (1ULL << 44)
+-                        tcg_gen_or_i32(tmp, tmp, tmp2);
-+#define HCR_NV2       (1ULL << 45)
+                         tcg_temp_free_i32(tmp2);
-+#define HCR_FWB       (1ULL << 46)
+                         store_reg(s, rd, tmp);
-+#define HCR_FIEN      (1ULL << 47)
+                     } else if ((insn & 0x00200020) == 0x00200000) {
-+#define HCR_TID4      (1ULL << 49)
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
-+#define HCR_TICAB     (1ULL << 50)
+             shift = ((insn >> 10) & 0x1c) | ((insn >> 6) & 0x3);
-+#define HCR_TOCU      (1ULL << 52)
+             if (insn & (1 << 5)) {
-+#define HCR_TTLBIS    (1ULL << 54)
+                 /* pkhtb */
-+#define HCR_TTLBOS    (1ULL << 55)
+-                if (shift == 0)
-+#define HCR_ATA       (1ULL << 56)
++                if (shift == 0) {
-+#define HCR_DCT       (1ULL << 57)
+                     shift = 31;
-+
++                }
- /*
+                 tcg_gen_sari_i32(tmp2, tmp2, shift);
-  * When we actually implement ARMv8.1-VHE we should add HCR_E2H to
+-                tcg_gen_andi_i32(tmp, tmp, 0xffff0000);
-  * HCR_MASK and then clear it again if the feature bit is not set in
+-                tcg_gen_ext16u_i32(tmp2, tmp2);
 +                tcg_gen_deposit_i32(tmp, tmp, tmp2, 0, 16);
              } else {
                  /* pkhbt */
 -                if (shift)
 -                    tcg_gen_shli_i32(tmp2, tmp2, shift);
 -                tcg_gen_ext16u_i32(tmp, tmp);
 -                tcg_gen_andi_i32(tmp2, tmp2, 0xffff0000);
 +                tcg_gen_shli_i32(tmp2, tmp2, shift);
 +                tcg_gen_deposit_i32(tmp, tmp2, tmp, 0, 16);
              }
 -            tcg_gen_or_i32(tmp, tmp, tmp2);
              tcg_temp_free_i32(tmp2);
              store_reg(s, rd, tmp);
          } else {
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 32/37] target/arm: Tidy scr_write
+[Qemu-devel] [PULL 25/29] target/arm: Remove redundant shift tests
 From: Richard Henderson <richard.henderson@linaro.org>
-Because EL3 has a fixed execution mode, we can properly decide
+The immediate shift generator functions already test for,
-which of the bits are RES{0,1}.
+and eliminate, the case of a shift by zero.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20181203203839.757-8-richard.henderson@linaro.org
+Message-id: 20190808202616.13782-4-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.h    |  2 --
+ target/arm/translate.c | 19 +++++++------------
- target/arm/helper.c | 14 +++++++++-----
+file changed, 7 insertions(+), 12 deletions(-)
 files changed, 9 insertions(+), 7 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
+--- a/target/arm/translate.c
-+++ b/target/arm/cpu.h
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask)
+@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
- #define SCR_FIEN              (1U << 21)
+                         shift = (insn >> 10) & 3;
- #define SCR_ENSCXT            (1U << 25)
+                         /* ??? In many cases it's not necessary to do a
- #define SCR_ATA               (1U << 26)
+                            rotate, a shift is sufficient.  */
--#define SCR_AARCH32_MASK      (0x3fff & ~(SCR_RW | SCR_ST))
+-                        if (shift != 0)
--#define SCR_AARCH64_MASK      (0x3fff & ~SCR_NET)
+-                            tcg_gen_rotri_i32(tmp, tmp, shift * 8);
++                        tcg_gen_rotri_i32(tmp, tmp, shift * 8);
- /* Return the current FPSCR value.  */
+                         op1 = (insn >> 20) & 7;
- uint32_t vfp_get_fpscr(CPUARMState *env);
+                         switch (op1) {
-diff --git a/target/arm/helper.c b/target/arm/helper.c
+                         case 0: gen_sxtb16(tmp);  break;
-index XXXXXXX..XXXXXXX 100644
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
---- a/target/arm/helper.c
+             shift = (insn >> 4) & 3;
-+++ b/target/arm/helper.c
+             /* ??? In many cases it's not necessary to do a
-@@ -XXX,XX +XXX,XX @@ static void vbar_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                rotate, a shift is sufficient.  */
+-            if (shift != 0)
- static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
+-                tcg_gen_rotri_i32(tmp, tmp, shift * 8);
- {
++            tcg_gen_rotri_i32(tmp, tmp, shift * 8);
--    /* We only mask off bits that are RES0 both for AArch64 and AArch32.
+             op = (insn >> 20) & 7;
--     * For bits that vary between AArch32/64, code needs to check the
+             switch (op) {
--     * current execution mode before directly using the feature bit.
+             case 0: gen_sxth(tmp);   break;
--     */
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
--    uint32_t valid_mask = SCR_AARCH64_MASK | SCR_AARCH32_MASK;
+                     case 7:
-+    /* Begin with base v8.0 state.  */
+                         goto illegal_op;
-+    uint32_t valid_mask = 0x3fff;
+                     default: /* Saturate.  */
-+
+-                        if (shift) {
-+    if (arm_el_is_aa64(env, 3)) {
+-                            if (op & 1)
-+        value |= SCR_FW | SCR_AW;   /* these two bits are RES1.  */
+-                                tcg_gen_sari_i32(tmp, tmp, shift);
-+        valid_mask &= ~SCR_NET;
+-                            else
-+    } else {
+-                                tcg_gen_shli_i32(tmp, tmp, shift);
-+        valid_mask &= ~(SCR_RW | SCR_ST);
++                        if (op & 1) {
-+    }
++                            tcg_gen_sari_i32(tmp, tmp, shift);
++                        } else {
-     if (!arm_feature(env, ARM_FEATURE_EL2)) {
++                            tcg_gen_shli_i32(tmp, tmp, shift);
-         valid_mask &= ~SCR_HCE;
+                         }
                          tmp2 = tcg_const_i32(imm);
                          if (op & 4) {
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                      goto illegal_op;
                  }
                  tmp = load_reg(s, rm);
 -                if (shift) {
 -                    tcg_gen_shli_i32(tmp, tmp, shift);
 -                }
 +                tcg_gen_shli_i32(tmp, tmp, shift);
                  tcg_gen_add_i32(addr, addr, tmp);
                  tcg_temp_free_i32(tmp);
                  break;
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 01/37] hw: arm: musicpal: drop TYPE_WM8750 in object_property_set_link()
+[Qemu-devel] [PULL 26/29] target/arm: Use ror32 instead of open-coding the operation
-From: Li Qiang <liq3ea@gmail.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-The third argument of object_property_set_link() is the name of
+The helper function is more documentary, and also already
-property, not related with the QOM type name, using the constant
+handles the case of rotate by zero.
 string instead.
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20190808202616.13782-5-richard.henderson@linaro.org
 Message-id: 1542880825-2604-1-git-send-email-liq3ea@gmail.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/musicpal.c | 2 +-
+ target/arm/translate.c | 7 ++-----
-file changed, 1 insertion(+), 1 deletion(-)
+file changed, 2 insertions(+), 5 deletions(-)
-diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/musicpal.c
+--- a/target/arm/translate.c
-+++ b/hw/arm/musicpal.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static void musicpal_init(MachineState *machine)
+@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
-     dev = qdev_create(NULL, TYPE_MV88W8618_AUDIO);
+                 /* CPSR = immediate */
-     s = SYS_BUS_DEVICE(dev);
+                 val = insn & 0xff;
-     object_property_set_link(OBJECT(dev), OBJECT(wm8750_dev),
+                 shift = ((insn >> 8) & 0xf) * 2;
--                             TYPE_WM8750, NULL);
+-                if (shift)
-+                             "wm8750", NULL);
+-                    val = (val >> shift) | (val << (32 - shift));
-     qdev_init_nofail(dev);
++                val = ror32(val, shift);
-     sysbus_mmio_map(s, 0, MP_AUDIO_BASE);
+                 i = ((insn & (1 << 22)) != 0);
-     sysbus_connect_irq(s, 0, pic[MP_AUDIO_IRQ]);
+                 if (gen_set_psr_im(s, msr_mask(s, (insn >> 16) & 0xf, i),
                                     i, val)) {
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
              /* immediate operand */
              val = insn & 0xff;
              shift = ((insn >> 8) & 0xf) * 2;
 -            if (shift) {
 -                val = (val >> shift) | (val << (32 - shift));
 -            }
 +            val = ror32(val, shift);
              tmp2 = tcg_temp_new_i32();
              tcg_gen_movi_i32(tmp2, val);
              if (logic_cc && shift) {
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 03/37] musicpal: Convert sysbus init function to realize function
+Deleted patch
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
-Use DeviceClass rather than SysBusDeviceClass in
-mv88w8618_wlan_class_init().
-Cc: jan.kiszka@web.de
-Cc: peter.maydell@linaro.org
-Cc: qemu-arm@nongnu.org
-Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
-Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20181130093852.20739-2-maozhongyi@cmss.chinamobile.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/musicpal.c | 9 ++++-----
-file changed, 4 insertions(+), 5 deletions(-)
-diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/musicpal.c
-+++ b/hw/arm/musicpal.c
-@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps mv88w8618_wlan_ops = {
-     .endianness = DEVICE_NATIVE_ENDIAN,
- };
--static int mv88w8618_wlan_init(SysBusDevice *dev)
-+static void mv88w8618_wlan_realize(DeviceState *dev, Error **errp)
- {
-     MemoryRegion *iomem = g_new(MemoryRegion, 1);
-     memory_region_init_io(iomem, OBJECT(dev), &mv88w8618_wlan_ops, NULL,
-                           "musicpal-wlan", MP_WLAN_SIZE);
--    sysbus_init_mmio(dev, iomem);
--    return 0;
-+    sysbus_init_mmio(SYS_BUS_DEVICE(dev), iomem);
- }
- /* GPIO register offsets */
-@@ -XXX,XX +XXX,XX @@ DEFINE_MACHINE("musicpal", musicpal_machine_init)
- static void mv88w8618_wlan_class_init(ObjectClass *klass, void *data)
- {
--    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
-+    DeviceClass *dc = DEVICE_CLASS(klass);
--    sdc->init = mv88w8618_wlan_init;
-+    dc->realize = mv88w8618_wlan_realize;
- }
- static const TypeInfo mv88w8618_wlan_info = {
---
-.19.2

-[Qemu-devel] [PULL 04/37] block/noenand: Convert sysbus init function to realize function
+Deleted patch
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
-Use DeviceClass rather than SysBusDeviceClass in
-onenand_class_init().
-Cc: kwolf@redhat.com
-Cc: mreitz@redhat.com
-Cc: qemu-block@nongnu.org
-Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
-Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20181130093852.20739-3-maozhongyi@cmss.chinamobile.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/block/onenand.c | 16 +++++++---------
-file changed, 7 insertions(+), 9 deletions(-)
-diff --git a/hw/block/onenand.c b/hw/block/onenand.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/block/onenand.c
-+++ b/hw/block/onenand.c
-@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps onenand_ops = {
-     .endianness = DEVICE_NATIVE_ENDIAN,
- };
--static int onenand_initfn(SysBusDevice *sbd)
-+static void onenand_realize(DeviceState *dev, Error **errp)
- {
--    DeviceState *dev = DEVICE(sbd);
-+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
-     OneNANDState *s = ONE_NAND(dev);
-     uint32_t size = 1 << (24 + ((s->id.dev >> 4) & 7));
-     void *ram;
-@@ -XXX,XX +XXX,XX @@ static int onenand_initfn(SysBusDevice *sbd)
-xff, size + (size >> 5));
-     } else {
-         if (blk_is_read_only(s->blk)) {
--            error_report("Can't use a read-only drive");
--            return -1;
-+            error_setg(errp, "Can't use a read-only drive");
-+            return;
-         }
-         blk_set_perm(s->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
-                      BLK_PERM_ALL, &local_err);
-         if (local_err) {
--            error_report_err(local_err);
--            return -1;
-+            error_propagate(errp, local_err);
-+            return;
-         }
-         s->blk_cur = s->blk;
-     }
-@@ -XXX,XX +XXX,XX @@ static int onenand_initfn(SysBusDevice *sbd)
-                      | ((s->id.dev & 0xff) << 8)
-                      | (s->id.ver & 0xff),
-                      &vmstate_onenand, s);
--    return 0;
- }
- static Property onenand_properties[] = {
-@@ -XXX,XX +XXX,XX @@ static Property onenand_properties[] = {
- static void onenand_class_init(ObjectClass *klass, void *data)
- {
-     DeviceClass *dc = DEVICE_CLASS(klass);
--    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
--    k->init = onenand_initfn;
-+    dc->realize = onenand_realize;
-     dc->reset = onenand_system_reset;
-     dc->props = onenand_properties;
- }
---
-.19.2

-[Qemu-devel] [PULL 05/37] char/grlib_apbuart: Convert sysbus init function to realize function
+Deleted patch
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
-Use DeviceClass rather than SysBusDeviceClass in
-grlib_apbuart_class_init().
-Cc: chouteau@adacore.com
-Cc: marcandre.lureau@redhat.com
-Cc: pbonzini@redhat.com
-Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
-Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20181130093852.20739-4-maozhongyi@cmss.chinamobile.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/char/grlib_apbuart.c | 12 +++++-------
-file changed, 5 insertions(+), 7 deletions(-)
-diff --git a/hw/char/grlib_apbuart.c b/hw/char/grlib_apbuart.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/char/grlib_apbuart.c
-+++ b/hw/char/grlib_apbuart.c
-@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps grlib_apbuart_ops = {
-     .endianness = DEVICE_NATIVE_ENDIAN,
- };
--static int grlib_apbuart_init(SysBusDevice *dev)
-+static void grlib_apbuart_realize(DeviceState *dev, Error **errp)
- {
-     UART *uart = GRLIB_APB_UART(dev);
-+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
-     qemu_chr_fe_set_handlers(&uart->chr,
-                              grlib_apbuart_can_receive,
-@@ -XXX,XX +XXX,XX @@ static int grlib_apbuart_init(SysBusDevice *dev)
-                              grlib_apbuart_event,
-                              NULL, uart, NULL, true);
--    sysbus_init_irq(dev, &uart->irq);
-+    sysbus_init_irq(sbd, &uart->irq);
-     memory_region_init_io(&uart->iomem, OBJECT(uart), &grlib_apbuart_ops, uart,
-                           "uart", UART_REG_SIZE);
--    sysbus_init_mmio(dev, &uart->iomem);
--
--    return 0;
-+    sysbus_init_mmio(sbd, &uart->iomem);
- }
- static void grlib_apbuart_reset(DeviceState *d)
-@@ -XXX,XX +XXX,XX @@ static Property grlib_apbuart_properties[] = {
- static void grlib_apbuart_class_init(ObjectClass *klass, void *data)
- {
-     DeviceClass *dc = DEVICE_CLASS(klass);
--    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
--    k->init = grlib_apbuart_init;
-+    dc->realize = grlib_apbuart_realize;
-     dc->reset = grlib_apbuart_reset;
-     dc->props = grlib_apbuart_properties;
- }
---
-.19.2

-[Qemu-devel] [PULL 07/37] display/g364fb: Convert sysbus init function to realize function
+Deleted patch
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
-Use DeviceClass rather than SysBusDeviceClass in
-g364fb_sysbus_class_init().
-Cc: pbonzini@redhat.com
-Cc: kraxel@redhat.com
-Cc: f4bug@amsat.org
-Cc: alistair.francis@wdc.com
-Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
-Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20181130093852.20739-6-maozhongyi@cmss.chinamobile.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/display/g364fb.c | 9 +++------
-file changed, 3 insertions(+), 6 deletions(-)
-diff --git a/hw/display/g364fb.c b/hw/display/g364fb.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/display/g364fb.c
-+++ b/hw/display/g364fb.c
-@@ -XXX,XX +XXX,XX @@ typedef struct {
-     G364State g364;
- } G364SysBusState;
--static int g364fb_sysbus_init(SysBusDevice *sbd)
-+static void g364fb_sysbus_realize(DeviceState *dev, Error **errp)
- {
--    DeviceState *dev = DEVICE(sbd);
-     G364SysBusState *sbs = G364(dev);
-     G364State *s = &sbs->g364;
-+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
-     g364fb_init(dev, s);
-     sysbus_init_irq(sbd, &s->irq);
-     sysbus_init_mmio(sbd, &s->mem_ctrl);
-     sysbus_init_mmio(sbd, &s->mem_vram);
--
--    return 0;
- }
- static void g364fb_sysbus_reset(DeviceState *d)
-@@ -XXX,XX +XXX,XX @@ static Property g364fb_sysbus_properties[] = {
- static void g364fb_sysbus_class_init(ObjectClass *klass, void *data)
- {
-     DeviceClass *dc = DEVICE_CLASS(klass);
--    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
--    k->init = g364fb_sysbus_init;
-+    dc->realize = g364fb_sysbus_realize;
-     set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories);
-     dc->desc = "G364 framebuffer";
-     dc->reset = g364fb_sysbus_reset;
---
-.19.2

-[Qemu-devel] [PULL 09/37] gpio/puv3_gpio: Convert sysbus init function to realize function
+Deleted patch
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
-Use DeviceClass rather than SysBusDeviceClass in
-puv3_gpio_class_init().
-Cc: gxt@mprc.pku.edu.cn
-Cc: peter.maydell@linaro.org
-Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
-Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20181130093852.20739-8-maozhongyi@cmss.chinamobile.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/gpio/puv3_gpio.c | 29 ++++++++++++++---------------
-file changed, 14 insertions(+), 15 deletions(-)
-diff --git a/hw/gpio/puv3_gpio.c b/hw/gpio/puv3_gpio.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/gpio/puv3_gpio.c
-+++ b/hw/gpio/puv3_gpio.c
-@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps puv3_gpio_ops = {
-     .endianness = DEVICE_NATIVE_ENDIAN,
- };
--static int puv3_gpio_init(SysBusDevice *dev)
-+static void puv3_gpio_realize(DeviceState *dev, Error **errp)
- {
-     PUV3GPIOState *s = PUV3_GPIO(dev);
-+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
-     s->reg_GPLR = 0;
-     s->reg_GPDR = 0;
-     /* FIXME: these irqs not handled yet */
--    sysbus_init_irq(dev, &s->irq[PUV3_IRQS_GPIOLOW0]);
--    sysbus_init_irq(dev, &s->irq[PUV3_IRQS_GPIOLOW1]);
--    sysbus_init_irq(dev, &s->irq[PUV3_IRQS_GPIOLOW2]);
--    sysbus_init_irq(dev, &s->irq[PUV3_IRQS_GPIOLOW3]);
--    sysbus_init_irq(dev, &s->irq[PUV3_IRQS_GPIOLOW4]);
--    sysbus_init_irq(dev, &s->irq[PUV3_IRQS_GPIOLOW5]);
--    sysbus_init_irq(dev, &s->irq[PUV3_IRQS_GPIOLOW6]);
--    sysbus_init_irq(dev, &s->irq[PUV3_IRQS_GPIOLOW7]);
--    sysbus_init_irq(dev, &s->irq[PUV3_IRQS_GPIOHIGH]);
-+    sysbus_init_irq(sbd, &s->irq[PUV3_IRQS_GPIOLOW0]);
-+    sysbus_init_irq(sbd, &s->irq[PUV3_IRQS_GPIOLOW1]);
-+    sysbus_init_irq(sbd, &s->irq[PUV3_IRQS_GPIOLOW2]);
-+    sysbus_init_irq(sbd, &s->irq[PUV3_IRQS_GPIOLOW3]);
-+    sysbus_init_irq(sbd, &s->irq[PUV3_IRQS_GPIOLOW4]);
-+    sysbus_init_irq(sbd, &s->irq[PUV3_IRQS_GPIOLOW5]);
-+    sysbus_init_irq(sbd, &s->irq[PUV3_IRQS_GPIOLOW6]);
-+    sysbus_init_irq(sbd, &s->irq[PUV3_IRQS_GPIOLOW7]);
-+    sysbus_init_irq(sbd, &s->irq[PUV3_IRQS_GPIOHIGH]);
-     memory_region_init_io(&s->iomem, OBJECT(s), &puv3_gpio_ops, s, "puv3_gpio",
-             PUV3_REGS_OFFSET);
--    sysbus_init_mmio(dev, &s->iomem);
--
--    return 0;
-+    sysbus_init_mmio(sbd, &s->iomem);
- }
- static void puv3_gpio_class_init(ObjectClass *klass, void *data)
- {
--    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
-+    DeviceClass *dc = DEVICE_CLASS(klass);
--    sdc->init = puv3_gpio_init;
-+    dc->realize = puv3_gpio_realize;
- }
- static const TypeInfo puv3_gpio_info = {
---
-.19.2

-[Qemu-devel] [PULL 10/37] milkymist-softusb: Convert sysbus init function to realize function
+Deleted patch
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
-Use DeviceClass rather than SysBusDeviceClass in
-milkymist_softusb_class_init().
-Cc: michael@walle.cc
-Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
-Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20181130093852.20739-9-maozhongyi@cmss.chinamobile.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/input/milkymist-softusb.c | 16 +++++++---------
-file changed, 7 insertions(+), 9 deletions(-)
-diff --git a/hw/input/milkymist-softusb.c b/hw/input/milkymist-softusb.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/input/milkymist-softusb.c
-+++ b/hw/input/milkymist-softusb.c
-@@ -XXX,XX +XXX,XX @@ static void milkymist_softusb_reset(DeviceState *d)
-     s->regs[R_CTRL] = CTRL_RESET;
- }
--static int milkymist_softusb_init(SysBusDevice *dev)
-+static void milkymist_softusb_realize(DeviceState *dev, Error **errp)
- {
-     MilkymistSoftUsbState *s = MILKYMIST_SOFTUSB(dev);
-+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
--    sysbus_init_irq(dev, &s->irq);
-+    sysbus_init_irq(sbd, &s->irq);
-     memory_region_init_io(&s->regs_region, OBJECT(s), &softusb_mmio_ops, s,
-                           "milkymist-softusb", R_MAX * 4);
--    sysbus_init_mmio(dev, &s->regs_region);
-+    sysbus_init_mmio(sbd, &s->regs_region);
-     /* register pmem and dmem */
-     memory_region_init_ram_nomigrate(&s->pmem, OBJECT(s), "milkymist-softusb.pmem",
-                            s->pmem_size, &error_fatal);
-     vmstate_register_ram_global(&s->pmem);
-     s->pmem_ptr = memory_region_get_ram_ptr(&s->pmem);
--    sysbus_init_mmio(dev, &s->pmem);
-+    sysbus_init_mmio(sbd, &s->pmem);
-     memory_region_init_ram_nomigrate(&s->dmem, OBJECT(s), "milkymist-softusb.dmem",
-                            s->dmem_size, &error_fatal);
-     vmstate_register_ram_global(&s->dmem);
-     s->dmem_ptr = memory_region_get_ram_ptr(&s->dmem);
--    sysbus_init_mmio(dev, &s->dmem);
-+    sysbus_init_mmio(sbd, &s->dmem);
-     hid_init(&s->hid_kbd, HID_KEYBOARD, softusb_kbd_hid_datain);
-     hid_init(&s->hid_mouse, HID_MOUSE, softusb_mouse_hid_datain);
--
--    return 0;
- }
- static const VMStateDescription vmstate_milkymist_softusb = {
-@@ -XXX,XX +XXX,XX @@ static Property milkymist_softusb_properties[] = {
- static void milkymist_softusb_class_init(ObjectClass *klass, void *data)
- {
-     DeviceClass *dc = DEVICE_CLASS(klass);
--    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
--    k->init = milkymist_softusb_init;
-+    dc->realize = milkymist_softusb_realize;
-     dc->reset = milkymist_softusb_reset;
-     dc->vmsd = &vmstate_milkymist_softusb;
-     dc->props = milkymist_softusb_properties;
---
-.19.2

-[Qemu-devel] [PULL 12/37] intc/puv3_intc: Convert sysbus init function to realize function
+Deleted patch
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
-Use DeviceClass rather than SysBusDeviceClass in
-puv3_intc_class_init().
-Cc: gxt@mprc.pku.edu.cn
-Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
-Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20181130093852.20739-11-maozhongyi@cmss.chinamobile.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/intc/puv3_intc.c | 11 ++++-------
-file changed, 4 insertions(+), 7 deletions(-)
-diff --git a/hw/intc/puv3_intc.c b/hw/intc/puv3_intc.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/puv3_intc.c
-+++ b/hw/intc/puv3_intc.c
-@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps puv3_intc_ops = {
-     .endianness = DEVICE_NATIVE_ENDIAN,
- };
--static int puv3_intc_init(SysBusDevice *sbd)
-+static void puv3_intc_realize(DeviceState *dev, Error **errp)
- {
--    DeviceState *dev = DEVICE(sbd);
-     PUV3INTCState *s = PUV3_INTC(dev);
-+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
-     qdev_init_gpio_in(dev, puv3_intc_handler, PUV3_IRQS_NR);
-     sysbus_init_irq(sbd, &s->parent_irq);
-@@ -XXX,XX +XXX,XX @@ static int puv3_intc_init(SysBusDevice *sbd)
-     memory_region_init_io(&s->iomem, OBJECT(s), &puv3_intc_ops, s, "puv3_intc",
-                           PUV3_REGS_OFFSET);
-     sysbus_init_mmio(sbd, &s->iomem);
--
--    return 0;
- }
- static void puv3_intc_class_init(ObjectClass *klass, void *data)
- {
--    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
--
--    sdc->init = puv3_intc_init;
-+    DeviceClass *dc = DEVICE_CLASS(klass);
-+    dc->realize = puv3_intc_realize;
- }
- static const TypeInfo puv3_intc_info = {
---
-.19.2

-[Qemu-devel] [PULL 22/37] xen_backend: remove xen_sysdev_init() function
+Deleted patch
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
-The init function doesn't do anything at all, so we
-just omit it.
-Cc: sstabellini@kernel.org
-Cc: anthony.perard@citrix.com
-Cc: xen-devel@lists.xenproject.org
-Cc: peter.maydell@linaro.org
-Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
-Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
-Acked-by: Anthony PERARD <anthony.perard@citrix.com>
-Message-id: 20181130093852.20739-21-maozhongyi@cmss.chinamobile.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/xen/xen_backend.c | 7 -------
-file changed, 7 deletions(-)
-diff --git a/hw/xen/xen_backend.c b/hw/xen/xen_backend.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/xen/xen_backend.c
-+++ b/hw/xen/xen_backend.c
-@@ -XXX,XX +XXX,XX @@ static const TypeInfo xensysbus_info = {
-     }
- };
--static int xen_sysdev_init(SysBusDevice *dev)
--{
--    return 0;
--}
--
- static Property xen_sysdev_properties[] = {
-     {/* end of property list */},
- };
-@@ -XXX,XX +XXX,XX @@ static Property xen_sysdev_properties[] = {
- static void xen_sysdev_class_init(ObjectClass *klass, void *data)
- {
-     DeviceClass *dc = DEVICE_CLASS(klass);
--    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
--    k->init = xen_sysdev_init;
-     dc->props = xen_sysdev_properties;
-     dc->bus_type = TYPE_XENSYSBUS;
- }
---
-.19.2

-[Qemu-devel] [PULL 23/37] core/sysbus: remove the SysBusDeviceClass::init path
+[Qemu-devel] [PULL 27/29] target/arm: Use tcg_gen_rotri_i32 for gen_swap_half
-From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Currently, all sysbus devices have been converted to realize(),
+Rotate is the more compact and obvious way to swap 16-bit
-so remove this path.
+elements of a 32-bit word.
-Cc: ehabkost@redhat.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Cc: thuth@redhat.com
+Message-id: 20190808202616.13782-6-richard.henderson@linaro.org
 Cc: pbonzini@redhat.com
 Cc: armbru@redhat.com
 Cc: peter.maydell@linaro.org
 Cc: richard.henderson@linaro.org
 Cc: alistair.francis@wdc.com
 Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
 Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
 Message-id: 20181130093852.20739-22-maozhongyi@cmss.chinamobile.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/sysbus.h |  3 ---
+ target/arm/translate.c | 6 +-----
- hw/core/sysbus.c    | 15 +++++----------
+file changed, 1 insertion(+), 5 deletions(-)
 files changed, 5 insertions(+), 13 deletions(-)
-diff --git a/include/hw/sysbus.h b/include/hw/sysbus.h
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/sysbus.h
+--- a/target/arm/translate.c
-+++ b/include/hw/sysbus.h
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ typedef struct SysBusDevice SysBusDevice;
+@@ -XXX,XX +XXX,XX @@ static TCGv_i64 gen_muls_i64_i32(TCGv_i32 a, TCGv_i32 b)
- typedef struct SysBusDeviceClass {
+ /* Swap low and high halfwords.  */
-     /*< private >*/
+ static void gen_swap_half(TCGv_i32 var)
-     DeviceClass parent_class;
+ {
--    /*< public >*/
+-    TCGv_i32 tmp = tcg_temp_new_i32();
--
+-    tcg_gen_shri_i32(tmp, var, 16);
--    int (*init)(SysBusDevice *dev);
+-    tcg_gen_shli_i32(var, var, 16);
+-    tcg_gen_or_i32(var, var, tmp);
-     /*
+-    tcg_temp_free_i32(tmp);
-      * Let the sysbus device format its own non-PIO, non-MMIO unit address.
++    tcg_gen_rotri_i32(var, var, 16);
 diff --git a/hw/core/sysbus.c b/hw/core/sysbus.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/core/sysbus.c
 +++ b/hw/core/sysbus.c
@@ -XXX,XX +XXX,XX @@ void sysbus_init_ioports(SysBusDevice *dev, uint32_t ioport, uint32_t size)
      }
  }
--/* TODO remove once all sysbus devices have been converted to realize */
+ /* Dual 16-bit add.  Result placed in t0 and t1 is marked as dead.
 +/* The purpose of preserving this empty realize function
 + * is to prevent the parent_realize field of some subclasses
 + * from being set to NULL to break the normal init/realize
 + * of some devices.
 + */
  static void sysbus_realize(DeviceState *dev, Error **errp)
  {
 -    SysBusDevice *sd = SYS_BUS_DEVICE(dev);
 -    SysBusDeviceClass *sbc = SYS_BUS_DEVICE_GET_CLASS(sd);
 -
 -    if (!sbc->init) {
 -        return;
 -    }
 -    if (sbc->init(sd) < 0) {
 -        error_setg(errp, "Device initialization failed");
 -    }
  }
  DeviceState *sysbus_create_varargs(const char *name,
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 35/37] target/arm: Introduce arm_hcr_el2_eff
+[Qemu-devel] [PULL 28/29] target/arm: Simplify SMMLA, SMMLAR, SMMLS, SMMLSR
 From: Richard Henderson <richard.henderson@linaro.org>
-Replace arm_hcr_el2_{fmo,imo,amo} with a more general routine
+All of the inputs to these instructions are 32-bits.  Rather than
-that also takes SCR_EL3.NS (aka arm_is_secure_below_el3) into
+extend each input to 64-bits and then extract the high 32-bits of
-account, as documented for the plethora of bits in HCR_EL2.
+the output, use tcg_gen_muls2_i32 and other 32-bit generator functions.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20181210150501.7990-2-richard.henderson@linaro.org
+Message-id: 20190808202616.13782-7-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.h          | 67 +++++++++------------------------------
+ target/arm/translate.c | 72 +++++++++++++++---------------------------
- hw/intc/arm_gicv3_cpuif.c | 21 ++++++------
+file changed, 26 insertions(+), 46 deletions(-)
  target/arm/helper.c       | 66 ++++++++++++++++++++++++++++++++------
 files changed, 83 insertions(+), 71 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
+--- a/target/arm/translate.c
-+++ b/target/arm/cpu.h
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static inline bool arm_is_secure(CPUARMState *env)
+@@ -XXX,XX +XXX,XX @@ static void gen_revsh(TCGv_i32 var)
      tcg_gen_ext16s_i32(var, var);
  }
- #endif
+-/* Return (b << 32) + a. Mark inputs as dead */
-+/**
+-static TCGv_i64 gen_addq_msw(TCGv_i64 a, TCGv_i32 b)
 + * arm_hcr_el2_eff(): Return the effective value of HCR_EL2.
 + * E.g. when in secure state, fields in HCR_EL2 are suppressed,
 + * "for all purposes other than a direct read or write access of HCR_EL2."
 + * Not included here is HCR_RW.
 + */
 +uint64_t arm_hcr_el2_eff(CPUARMState *env);
 +
  /* Return true if the specified exception level is running in AArch64 state. */
  static inline bool arm_el_is_aa64(CPUARMState *env, int el)
  {
@@ -XXX,XX +XXX,XX @@ bool write_cpustate_to_list(ARMCPU *cpu);
  #  define TARGET_VIRT_ADDR_SPACE_BITS 32
  #endif
 -/**
 - * arm_hcr_el2_imo(): Return the effective value of HCR_EL2.IMO.
 - * Depending on the values of HCR_EL2.E2H and TGE, this may be
 - * "behaves as 1 for all purposes other than direct read/write" or
 - * "behaves as 0 for all purposes other than direct read/write"
 - */
 -static inline bool arm_hcr_el2_imo(CPUARMState *env)
 -{
--    switch (env->cp15.hcr_el2 & (HCR_TGE | HCR_E2H)) {
+-    TCGv_i64 tmp64 = tcg_temp_new_i64();
--    case HCR_TGE:
+-
--        return true;
+-    tcg_gen_extu_i32_i64(tmp64, b);
--    case HCR_TGE | HCR_E2H:
+-    tcg_temp_free_i32(b);
--        return false;
+-    tcg_gen_shli_i64(tmp64, tmp64, 32);
--    default:
+-    tcg_gen_add_i64(a, tmp64, a);
--        return env->cp15.hcr_el2 & HCR_IMO;
+-
--    }
+-    tcg_temp_free_i64(tmp64);
 -    return a;
 -}
 -
--/**
+-/* Return (b << 32) - a. Mark inputs as dead. */
-- * arm_hcr_el2_fmo(): Return the effective value of HCR_EL2.FMO.
+-static TCGv_i64 gen_subq_msw(TCGv_i64 a, TCGv_i32 b)
 - */
 -static inline bool arm_hcr_el2_fmo(CPUARMState *env)
 -{
--    switch (env->cp15.hcr_el2 & (HCR_TGE | HCR_E2H)) {
+-    TCGv_i64 tmp64 = tcg_temp_new_i64();
--    case HCR_TGE:
+-
--        return true;
+-    tcg_gen_extu_i32_i64(tmp64, b);
--    case HCR_TGE | HCR_E2H:
+-    tcg_temp_free_i32(b);
--        return false;
+-    tcg_gen_shli_i64(tmp64, tmp64, 32);
--    default:
+-    tcg_gen_sub_i64(a, tmp64, a);
--        return env->cp15.hcr_el2 & HCR_FMO;
+-
--    }
+-    tcg_temp_free_i64(tmp64);
 -    return a;
 -}
 -
--/**
+ /* 32x32->64 multiply.  Marks inputs as dead.  */
-- * arm_hcr_el2_amo(): Return the effective value of HCR_EL2.AMO.
+ static TCGv_i64 gen_mulu_i64_i32(TCGv_i32 a, TCGv_i32 b)
 - */
 -static inline bool arm_hcr_el2_amo(CPUARMState *env)
 -{
 -    switch (env->cp15.hcr_el2 & (HCR_TGE | HCR_E2H)) {
 -    case HCR_TGE:
 -        return true;
 -    case HCR_TGE | HCR_E2H:
 -        return false;
 -    default:
 -        return env->cp15.hcr_el2 & HCR_AMO;
 -    }
 -}
 -
  static inline bool arm_excp_unmasked(CPUState *cs, unsigned int excp_idx,
                                       unsigned int target_el)
  {
-@@ -XXX,XX +XXX,XX @@ static inline bool arm_excp_unmasked(CPUState *cs, unsigned int excp_idx,
+@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
-     bool secure = arm_is_secure(env);
+                            (SMMUL, SMMLA, SMMLS) */
-     bool pstate_unmasked;
+                         tmp = load_reg(s, rm);
-     int8_t unmasked = 0;
+                         tmp2 = load_reg(s, rs);
-+    uint64_t hcr_el2;
+-                        tmp64 = gen_muls_i64_i32(tmp, tmp2);
++                        tcg_gen_muls2_i32(tmp2, tmp, tmp, tmp2);
-     /* Don't take exceptions if they target a lower EL.
-      * This check should catch any exceptions that would not be taken but left
+                         if (rd != 15) {
-@@ -XXX,XX +XXX,XX @@ static inline bool arm_excp_unmasked(CPUState *cs, unsigned int excp_idx,
+-                            tmp = load_reg(s, rd);
-         return false;
++                            tmp3 = load_reg(s, rd);
-     }
+                             if (insn & (1 << 6)) {
+-                                tmp64 = gen_subq_msw(tmp64, tmp);
-+    hcr_el2 = arm_hcr_el2_eff(env);
++                                tcg_gen_sub_i32(tmp, tmp, tmp3);
-+
+                             } else {
-     switch (excp_idx) {
+-                                tmp64 = gen_addq_msw(tmp64, tmp);
-     case EXCP_FIQ:
++                                tcg_gen_add_i32(tmp, tmp, tmp3);
-         pstate_unmasked = !(env->daif & PSTATE_F);
+                             }
-@@ -XXX,XX +XXX,XX @@ static inline bool arm_excp_unmasked(CPUState *cs, unsigned int excp_idx,
++                            tcg_temp_free_i32(tmp3);
-         break;
+                         }
+                         if (insn & (1 << 5)) {
-     case EXCP_VFIQ:
+-                            tcg_gen_addi_i64(tmp64, tmp64, 0x80000000u);
--        if (secure || !arm_hcr_el2_fmo(env) || (env->cp15.hcr_el2 & HCR_TGE)) {
++                            /*
-+        if (secure || !(hcr_el2 & HCR_FMO) || (hcr_el2 & HCR_TGE)) {
++                             * Adding 0x80000000 to the 64-bit quantity
-             /* VFIQs are only taken when hypervized and non-secure.  */
++                             * means that we have carry in to the high
-             return false;
++                             * word when the low word has the high bit set.
-         }
++                             */
-         return !(env->daif & PSTATE_F);
++                            tcg_gen_shri_i32(tmp2, tmp2, 31);
-     case EXCP_VIRQ:
++                            tcg_gen_add_i32(tmp, tmp, tmp2);
--        if (secure || !arm_hcr_el2_imo(env) || (env->cp15.hcr_el2 & HCR_TGE)) {
+                         }
-+        if (secure || !(hcr_el2 & HCR_IMO) || (hcr_el2 & HCR_TGE)) {
+-                        tcg_gen_shri_i64(tmp64, tmp64, 32);
-             /* VIRQs are only taken when hypervized and non-secure.  */
+-                        tmp = tcg_temp_new_i32();
-             return false;
+-                        tcg_gen_extrl_i64_i32(tmp, tmp64);
-         }
+-                        tcg_temp_free_i64(tmp64);
-@@ -XXX,XX +XXX,XX @@ static inline bool arm_excp_unmasked(CPUState *cs, unsigned int excp_idx,
++                        tcg_temp_free_i32(tmp2);
-                  * to the CPSR.F setting otherwise we further assess the state
+                         store_reg(s, rn, tmp);
-                  * below.
+                         break;
-                  */
+                     case 0:
--                hcr = arm_hcr_el2_fmo(env);
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
-+                hcr = hcr_el2 & HCR_FMO;
+                   }
                  scr = (env->cp15.scr_el3 & SCR_FIQ);
                  /* When EL3 is 32-bit, the SCR.FW bit controls whether the
@@ -XXX,XX +XXX,XX @@ static inline bool arm_excp_unmasked(CPUState *cs, unsigned int excp_idx,
                   * when setting the target EL, so it does not have a further
                   * affect here.
                   */
 -                hcr = arm_hcr_el2_imo(env);
 +                hcr = hcr_el2 & HCR_IMO;
                  scr = false;
                  break;
-             default:
+             case 5: case 6: /* 32 * 32 -> 32msb (SMMUL, SMMLA, SMMLS) */
-diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
+-                tmp64 = gen_muls_i64_i32(tmp, tmp2);
-index XXXXXXX..XXXXXXX 100644
++                tcg_gen_muls2_i32(tmp2, tmp, tmp, tmp2);
---- a/hw/intc/arm_gicv3_cpuif.c
+                 if (rs != 15) {
-+++ b/hw/intc/arm_gicv3_cpuif.c
+-                    tmp = load_reg(s, rs);
-@@ -XXX,XX +XXX,XX @@ static bool icv_access(CPUARMState *env, int hcr_flags)
++                    tmp3 = load_reg(s, rs);
-      *  * access if NS EL1 and either IMO or FMO == 1:
+                     if (insn & (1 << 20)) {
-      *    CTLR, DIR, PMR, RPR
+-                        tmp64 = gen_addq_msw(tmp64, tmp);
-      */
++                        tcg_gen_add_i32(tmp, tmp, tmp3);
--    bool flagmatch = ((hcr_flags & HCR_IMO) && arm_hcr_el2_imo(env)) ||
+                     } else {
--        ((hcr_flags & HCR_FMO) && arm_hcr_el2_fmo(env));
+-                        tmp64 = gen_subq_msw(tmp64, tmp);
-+    uint64_t hcr_el2 = arm_hcr_el2_eff(env);
++                        tcg_gen_sub_i32(tmp, tmp, tmp3);
-+    bool flagmatch = hcr_el2 & hcr_flags & (HCR_IMO | HCR_FMO);
+                     }
++                    tcg_temp_free_i32(tmp3);
-     return flagmatch && arm_current_el(env) == 1
+                 }
-         && !arm_is_secure_below_el3(env);
+                 if (insn & (1 << 4)) {
-@@ -XXX,XX +XXX,XX @@ static void icc_dir_write(CPUARMState *env, const ARMCPRegInfo *ri,
+-                    tcg_gen_addi_i64(tmp64, tmp64, 0x80000000u);
-     /* No need to include !IsSecure in route_*_to_el2 as it's only
++                    /*
-      * tested in cases where we know !IsSecure is true.
++                     * Adding 0x80000000 to the 64-bit quantity
-      */
++                     * means that we have carry in to the high
--    route_fiq_to_el2 = arm_hcr_el2_fmo(env);
++                     * word when the low word has the high bit set.
--    route_irq_to_el2 = arm_hcr_el2_imo(env);
++                     */
-+    uint64_t hcr_el2 = arm_hcr_el2_eff(env);
++                    tcg_gen_shri_i32(tmp2, tmp2, 31);
-+    route_fiq_to_el2 = hcr_el2 & HCR_FMO;
++                    tcg_gen_add_i32(tmp, tmp, tmp2);
-+    route_irq_to_el2 = hcr_el2 & HCR_IMO;
+                 }
+-                tcg_gen_shri_i64(tmp64, tmp64, 32);
-     switch (arm_current_el(env)) {
+-                tmp = tcg_temp_new_i32();
-     case 3:
+-                tcg_gen_extrl_i64_i32(tmp, tmp64);
-@@ -XXX,XX +XXX,XX @@ static CPAccessResult gicv3_irqfiq_access(CPUARMState *env,
+-                tcg_temp_free_i64(tmp64);
-     if ((env->cp15.scr_el3 & (SCR_FIQ | SCR_IRQ)) == (SCR_FIQ | SCR_IRQ)) {
++                tcg_temp_free_i32(tmp2);
-         switch (el) {
+                 break;
-         case 1:
+             case 7: /* Unsigned sum of absolute differences.  */
--            if (arm_is_secure_below_el3(env) ||
+                 gen_helper_usad8(tmp, tmp, tmp2);
 -                (arm_hcr_el2_imo(env) == 0 && arm_hcr_el2_fmo(env) == 0)) {
 +            /* Note that arm_hcr_el2_eff takes secure state into account.  */
 +            if ((arm_hcr_el2_eff(env) & (HCR_IMO | HCR_FMO)) == 0) {
                  r = CP_ACCESS_TRAP_EL3;
              }
              break;
@@ -XXX,XX +XXX,XX @@ static CPAccessResult gicv3_dir_access(CPUARMState *env,
  static CPAccessResult gicv3_sgi_access(CPUARMState *env,
                                         const ARMCPRegInfo *ri, bool isread)
  {
 -    if ((arm_hcr_el2_imo(env) || arm_hcr_el2_fmo(env)) &&
 -        arm_current_el(env) == 1 && !arm_is_secure_below_el3(env)) {
 +    if (arm_current_el(env) == 1 &&
 +        (arm_hcr_el2_eff(env) & (HCR_IMO | HCR_FMO)) != 0) {
          /* Takes priority over a possible EL3 trap */
          return CP_ACCESS_TRAP_EL2;
      }
@@ -XXX,XX +XXX,XX @@ static CPAccessResult gicv3_fiq_access(CPUARMState *env,
      if (env->cp15.scr_el3 & SCR_FIQ) {
          switch (el) {
          case 1:
 -            if (arm_is_secure_below_el3(env) || !arm_hcr_el2_fmo(env)) {
 +            if ((arm_hcr_el2_eff(env) & HCR_FMO) == 0) {
                  r = CP_ACCESS_TRAP_EL3;
              }
              break;
@@ -XXX,XX +XXX,XX @@ static CPAccessResult gicv3_irq_access(CPUARMState *env,
      if (env->cp15.scr_el3 & SCR_IRQ) {
          switch (el) {
          case 1:
 -            if (arm_is_secure_below_el3(env) || !arm_hcr_el2_imo(env)) {
 +            if ((arm_hcr_el2_eff(env) & HCR_IMO) == 0) {
                  r = CP_ACCESS_TRAP_EL3;
              }
              break;
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void csselr_write(CPUARMState *env, const ARMCPRegInfo *ri,
  static uint64_t isr_read(CPUARMState *env, const ARMCPRegInfo *ri)
  {
      CPUState *cs = ENV_GET_CPU(env);
 +    uint64_t hcr_el2 = arm_hcr_el2_eff(env);
      uint64_t ret = 0;
 -    if (arm_hcr_el2_imo(env)) {
 +    if (hcr_el2 & HCR_IMO) {
          if (cs->interrupt_request & CPU_INTERRUPT_VIRQ) {
              ret |= CPSR_I;
          }
@@ -XXX,XX +XXX,XX @@ static uint64_t isr_read(CPUARMState *env, const ARMCPRegInfo *ri)
          }
      }
 -    if (arm_hcr_el2_fmo(env)) {
 +    if (hcr_el2 & HCR_FMO) {
          if (cs->interrupt_request & CPU_INTERRUPT_VFIQ) {
              ret |= CPSR_F;
          }
@@ -XXX,XX +XXX,XX @@ static void hcr_writelow(CPUARMState *env, const ARMCPRegInfo *ri,
      hcr_write(env, NULL, value);
  }
 +/*
 + * Return the effective value of HCR_EL2.
 + * Bits that are not included here:
 + * RW       (read from SCR_EL3.RW as needed)
 + */
 +uint64_t arm_hcr_el2_eff(CPUARMState *env)
 +{
 +    uint64_t ret = env->cp15.hcr_el2;
 +
 +    if (arm_is_secure_below_el3(env)) {
 +        /*
 +         * "This register has no effect if EL2 is not enabled in the
 +         * current Security state".  This is ARMv8.4-SecEL2 speak for
 +         * !(SCR_EL3.NS==1 || SCR_EL3.EEL2==1).
 +         *
 +         * Prior to that, the language was "In an implementation that
 +         * includes EL3, when the value of SCR_EL3.NS is 0 the PE behaves
 +         * as if this field is 0 for all purposes other than a direct
 +         * read or write access of HCR_EL2".  With lots of enumeration
 +         * on a per-field basis.  In current QEMU, this is condition
 +         * is arm_is_secure_below_el3.
 +         *
 +         * Since the v8.4 language applies to the entire register, and
 +         * appears to be backward compatible, use that.
 +         */
 +        ret = 0;
 +    } else if (ret & HCR_TGE) {
 +        /* These bits are up-to-date as of ARMv8.4.  */
 +        if (ret & HCR_E2H) {
 +            ret &= ~(HCR_VM | HCR_FMO | HCR_IMO | HCR_AMO |
 +                     HCR_BSU_MASK | HCR_DC | HCR_TWI | HCR_TWE |
 +                     HCR_TID0 | HCR_TID2 | HCR_TPCP | HCR_TPU |
 +                     HCR_TDZ | HCR_CD | HCR_ID | HCR_MIOCNCE);
 +        } else {
 +            ret |= HCR_FMO | HCR_IMO | HCR_AMO;
 +        }
 +        ret &= ~(HCR_SWIO | HCR_PTW | HCR_VF | HCR_VI | HCR_VSE |
 +                 HCR_FB | HCR_TID1 | HCR_TID3 | HCR_TSC | HCR_TACR |
 +                 HCR_TSW | HCR_TTLB | HCR_TVM | HCR_HCD | HCR_TRVM |
 +                 HCR_TLOR);
 +    }
 +
 +    return ret;
 +}
 +
  static const ARMCPRegInfo el2_cp_reginfo[] = {
      { .name = "HCR_EL2", .state = ARM_CP_STATE_AA64,
        .type = ARM_CP_IO,
@@ -XXX,XX +XXX,XX @@ uint32_t arm_phys_excp_target_el(CPUState *cs, uint32_t excp_idx,
                                   uint32_t cur_el, bool secure)
  {
      CPUARMState *env = cs->env_ptr;
 -    int rw;
 -    int scr;
 -    int hcr;
 +    bool rw;
 +    bool scr;
 +    bool hcr;
      int target_el;
      /* Is the highest EL AArch64? */
 -    int is64 = arm_feature(env, ARM_FEATURE_AARCH64);
 +    bool is64 = arm_feature(env, ARM_FEATURE_AARCH64);
 +    uint64_t hcr_el2;
      if (arm_feature(env, ARM_FEATURE_EL3)) {
          rw = ((env->cp15.scr_el3 & SCR_RW) == SCR_RW);
@@ -XXX,XX +XXX,XX @@ uint32_t arm_phys_excp_target_el(CPUState *cs, uint32_t excp_idx,
          rw = is64;
      }
 +    hcr_el2 = arm_hcr_el2_eff(env);
      switch (excp_idx) {
      case EXCP_IRQ:
          scr = ((env->cp15.scr_el3 & SCR_IRQ) == SCR_IRQ);
 -        hcr = arm_hcr_el2_imo(env);
 +        hcr = hcr_el2 & HCR_IMO;
          break;
      case EXCP_FIQ:
          scr = ((env->cp15.scr_el3 & SCR_FIQ) == SCR_FIQ);
 -        hcr = arm_hcr_el2_fmo(env);
 +        hcr = hcr_el2 & HCR_FMO;
          break;
      default:
          scr = ((env->cp15.scr_el3 & SCR_EA) == SCR_EA);
 -        hcr = arm_hcr_el2_amo(env);
 +        hcr = hcr_el2 & HCR_AMO;
          break;
      };
 --
-.19.2
+.20.1

-[Qemu-devel] [PULL 30/37] target/arm: Add SCR_EL3 bits up to ARMv8.5
+[Qemu-devel] [PULL 29/29] target/arm: Use tcg_gen_extrh_i64_i32 to extract the high word
 From: Richard Henderson <richard.henderson@linaro.org>
-Post v8.4 bits taken from SysReg_v85_xml-00bet8.
+Separate shift + extract low will result in one extra insn
 for hosts like RISC-V, MIPS, and Sparc.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20181203203839.757-4-richard.henderson@linaro.org
+Message-id: 20190808202616.13782-8-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.h | 10 ++++++++++
+ target/arm/translate.c | 18 ++++++------------
-file changed, 10 insertions(+)
+file changed, 6 insertions(+), 12 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
+--- a/target/arm/translate.c
-+++ b/target/arm/cpu.h
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask)
+@@ -XXX,XX +XXX,XX @@ static int disas_iwmmxt_insn(DisasContext *s, uint32_t insn)
- #define SCR_ST                (1U << 11)
+             if (insn & ARM_CP_RW_BIT) {                         /* TMRRC */
- #define SCR_TWI               (1U << 12)
+                 iwmmxt_load_reg(cpu_V0, wrd);
- #define SCR_TWE               (1U << 13)
+                 tcg_gen_extrl_i64_i32(cpu_R[rdlo], cpu_V0);
-+#define SCR_TLOR              (1U << 14)
+-                tcg_gen_shri_i64(cpu_V0, cpu_V0, 32);
-+#define SCR_TERR              (1U << 15)
+-                tcg_gen_extrl_i64_i32(cpu_R[rdhi], cpu_V0);
-+#define SCR_APK               (1U << 16)
++                tcg_gen_extrh_i64_i32(cpu_R[rdhi], cpu_V0);
-+#define SCR_API               (1U << 17)
+             } else {                                    /* TMCRR */
-+#define SCR_EEL2              (1U << 18)
+                 tcg_gen_concat_i32_i64(cpu_V0, cpu_R[rdlo], cpu_R[rdhi]);
-+#define SCR_EASE              (1U << 19)
+                 iwmmxt_store_reg(cpu_V0, wrd);
-+#define SCR_NMEA              (1U << 20)
+@@ -XXX,XX +XXX,XX @@ static int disas_dsp_insn(DisasContext *s, uint32_t insn)
-+#define SCR_FIEN              (1U << 21)
+         if (insn & ARM_CP_RW_BIT) {                     /* MRA */
-+#define SCR_ENSCXT            (1U << 25)
+             iwmmxt_load_reg(cpu_V0, acc);
-+#define SCR_ATA               (1U << 26)
+             tcg_gen_extrl_i64_i32(cpu_R[rdlo], cpu_V0);
- #define SCR_AARCH32_MASK      (0x3fff & ~(SCR_RW | SCR_ST))
+-            tcg_gen_shri_i64(cpu_V0, cpu_V0, 32);
- #define SCR_AARCH64_MASK      (0x3fff & ~SCR_NET)
+-            tcg_gen_extrl_i64_i32(cpu_R[rdhi], cpu_V0);
 +            tcg_gen_extrh_i64_i32(cpu_R[rdhi], cpu_V0);
              tcg_gen_andi_i32(cpu_R[rdhi], cpu_R[rdhi], (1 << (40 - 32)) - 1);
          } else {                                        /* MAR */
              tcg_gen_concat_i32_i64(cpu_V0, cpu_R[rdlo], cpu_R[rdhi]);
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                                  gen_helper_neon_narrow_high_u16(tmp, cpu_V0);
                                  break;
                              case 2:
 -                                tcg_gen_shri_i64(cpu_V0, cpu_V0, 32);
 -                                tcg_gen_extrl_i64_i32(tmp, cpu_V0);
 +                                tcg_gen_extrh_i64_i32(tmp, cpu_V0);
                                  break;
                              default: abort();
                              }
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                                  break;
                              case 2:
                                  tcg_gen_addi_i64(cpu_V0, cpu_V0, 1u << 31);
 -                                tcg_gen_shri_i64(cpu_V0, cpu_V0, 32);
 -                                tcg_gen_extrl_i64_i32(tmp, cpu_V0);
 +                                tcg_gen_extrh_i64_i32(tmp, cpu_V0);
                                  break;
                              default: abort();
                              }
@@ -XXX,XX +XXX,XX @@ static int disas_coproc_insn(DisasContext *s, uint32_t insn)
                  tmp = tcg_temp_new_i32();
                  tcg_gen_extrl_i64_i32(tmp, tmp64);
                  store_reg(s, rt, tmp);
 -                tcg_gen_shri_i64(tmp64, tmp64, 32);
                  tmp = tcg_temp_new_i32();
 -                tcg_gen_extrl_i64_i32(tmp, tmp64);
 +                tcg_gen_extrh_i64_i32(tmp, tmp64);
                  tcg_temp_free_i64(tmp64);
                  store_reg(s, rt2, tmp);
              } else {
@@ -XXX,XX +XXX,XX @@ static void gen_storeq_reg(DisasContext *s, int rlow, int rhigh, TCGv_i64 val)
      tcg_gen_extrl_i64_i32(tmp, val);
      store_reg(s, rlow, tmp);
      tmp = tcg_temp_new_i32();
 -    tcg_gen_shri_i64(val, val, 32);
 -    tcg_gen_extrl_i64_i32(tmp, val);
 +    tcg_gen_extrh_i64_i32(tmp, val);
      store_reg(s, rhigh, tmp);
  }
 --
-.19.2
+.20.1

First target-arm pullreq of the 4.0 series; most of this
is Mao's cleanups that finally let us drop sysbus::init;
the most interesting user-visible feature is RTH's patches
adding some v8.1 and v8.2 architecture features.

thanks
-- PMM

The following changes since commit 6145a6d84b3bf0f25935b88543febe076c61b0f4:

Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20181212' into staging (2018-12-13 13:06:09 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20181213

for you to fetch changes up to 2d7137c10fafefe40a0a049ff8a7bd78b66e661f:

target/arm: Implement the ARMv8.1-LOR extension (2018-12-13 14:41:24 +0000)

----------------------------------------------------------------
target-arm queue:
 * Convert various devices from sysbus init to instance_init
 * Remove the now unused sysbus init support entirely
 * Allow AArch64 processors to boot from a kernel placed over 4GB
 * hw: arm: musicpal: drop TYPE_WM8750 in object_property_set_link()
 * versal: minor fixes to virtio-mmio instantation
 * arm: Implement the ARMv8.1-HPD extension
 * arm: Implement the ARMv8.2-AA32HPD extension
 * arm: Implement the ARMv8.1-LOR extension (as the trivial
   "no limited ordering regions provided" minimum)

----------------------------------------------------------------
Edgar E. Iglesias (4):
      hw/arm: versal: Remove bogus virtio-mmio creation
      hw/arm: versal: Reduce number of virtio-mmio instances
      hw/arm: versal: Use IRQs 111 - 118 for virtio-mmio
      hw/arm: versal: Correct the nr of IRQs to 192

Li Qiang (1):
      hw: arm: musicpal: drop TYPE_WM8750 in object_property_set_link()

Mao Zhongyi (21):
      musicpal: Convert sysbus init function to realize function
      block/noenand: Convert sysbus init function to realize function
      char/grlib_apbuart: Convert sysbus init function to realize function
      core/empty_slot: Convert sysbus init function to realize function
      display/g364fb: Convert sysbus init function to realize function
      dma/puv3_dma: Convert sysbus init function to realize function
      gpio/puv3_gpio: Convert sysbus init function to realize function
      milkymist-softusb: Convert sysbus init function to realize function
      input/pl050: Convert sysbus init function to realize function
      intc/puv3_intc: Convert sysbus init function to realize function
      milkymist-hpdmc: Convert sysbus init function to realize function
      milkymist-pfpu: Convert sysbus init function to realize function
      puv3_pm.c: Convert sysbus init function to realize function
      nvram/ds1225y: Convert sysbus init function to realize function
      pci-bridge/dec: Convert sysbus init function to realize function
      timer/etraxfs_timer: Convert sysbus init function to realize function
      timer/grlib_gptimer: Convert sysbus init function to realize function
      timer/puv3_ost: Convert sysbus init function to realize function
      usb/tusb6010: Convert sysbus init function to realize function
      xen_backend: remove xen_sysdev_init() function
      core/sysbus: remove the SysBusDeviceClass::init path

Peter Maydell (1):
      target/arm: Move id_aa64mmfr* to ARMISARegisters

Ricardo Perez Blanco (1):
      Allow AArch64 processors to boot from a kernel placed over 4GB

Richard Henderson (9):
      target/arm: Add HCR_EL2 bits up to ARMv8.5
      target/arm: Add SCR_EL3 bits up to ARMv8.5
      target/arm: Fix HCR_EL2.TGE check in arm_phys_excp_target_el
      target/arm: Tidy scr_write
      target/arm: Implement the ARMv8.1-HPD extension
      target/arm: Implement the ARMv8.2-AA32HPD extension
      target/arm: Introduce arm_hcr_el2_eff
      target/arm: Use arm_hcr_el2_eff more places
      target/arm: Implement the ARMv8.1-LOR extension

From: Li Qiang <liq3ea@gmail.com>

The third argument of object_property_set_link() is the name of
property, not related with the QOM type name, using the constant
string instead.

Signed-off-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 1542880825-2604-1-git-send-email-liq3ea@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/musicpal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/musicpal.c
+++ b/hw/arm/musicpal.c
@@ -XXX,XX +XXX,XX @@ static void musicpal_init(MachineState *machine)
     dev = qdev_create(NULL, TYPE_MV88W8618_AUDIO);
     s = SYS_BUS_DEVICE(dev);
     object_property_set_link(OBJECT(dev), OBJECT(wm8750_dev),
-                             TYPE_WM8750, NULL);
+                             "wm8750", NULL);
     qdev_init_nofail(dev);
     sysbus_mmio_map(s, 0, MP_AUDIO_BASE);
     sysbus_connect_irq(s, 0, pic[MP_AUDIO_IRQ]);
-- 
2.19.2

From: Ricardo Perez Blanco <ricardo.perez_blanco@nokia.com>

Architecturally, it's possible for an AArch64 machine to have
all of its RAM over the 4GB mark, but our kernel/initrd loading
code in boot.c assumes that the upper half of the addresses
to load these images to is always zero. Write the whole 64 bit
address into the bootloader code fragment, not just the low half.

Note that, currently, none of the existing QEMU machines have
their main memory over 4GBs, so this was not a user-visible bug.

Signed-off-by: Ricardo Perez Blanco <ricardo.perez_blanco@nokia.com>
[PMM: revised commit message and tweaked some long lines]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/boot.c | 35 ++++++++++++++++++++++-------------
 1 file changed, 22 insertions(+), 13 deletions(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ typedef enum {
     FIXUP_TERMINATOR,   /* end of insns */
     FIXUP_BOARDID,      /* overwrite with board ID number */
     FIXUP_BOARD_SETUP,  /* overwrite with board specific setup code address */
-    FIXUP_ARGPTR,       /* overwrite with pointer to kernel args */
-    FIXUP_ENTRYPOINT,   /* overwrite with kernel entry point */
+    FIXUP_ARGPTR_LO,    /* overwrite with pointer to kernel args */
+    FIXUP_ARGPTR_HI,    /* overwrite with pointer to kernel args (high half) */
+    FIXUP_ENTRYPOINT_LO, /* overwrite with kernel entry point */
+    FIXUP_ENTRYPOINT_HI, /* overwrite with kernel entry point (high half) */
     FIXUP_GIC_CPU_IF,   /* overwrite with GIC CPU interface address */
     FIXUP_BOOTREG,      /* overwrite with boot register address */
     FIXUP_DSB,          /* overwrite with correct DSB insn for cpu */
@@ -XXX,XX +XXX,XX @@ static const ARMInsnFixup bootloader_aarch64[] = {
     { 0xaa1f03e3 }, /* mov x3, xzr */
     { 0x58000084 }, /* ldr x4, entry ; Load the lower 32-bits of kernel entry */
     { 0xd61f0080 }, /* br x4      ; Jump to the kernel entry point */
-    { 0, FIXUP_ARGPTR }, /* arg: .word @DTB Lower 32-bits */
-    { 0 }, /* .word @DTB Higher 32-bits */
-    { 0, FIXUP_ENTRYPOINT }, /* entry: .word @Kernel Entry Lower 32-bits */
-    { 0 }, /* .word @Kernel Entry Higher 32-bits */
+    { 0, FIXUP_ARGPTR_LO }, /* arg: .word @DTB Lower 32-bits */
+    { 0, FIXUP_ARGPTR_HI}, /* .word @DTB Higher 32-bits */
+    { 0, FIXUP_ENTRYPOINT_LO }, /* entry: .word @Kernel Entry Lower 32-bits */
+    { 0, FIXUP_ENTRYPOINT_HI }, /* .word @Kernel Entry Higher 32-bits */
     { 0, FIXUP_TERMINATOR }
 };
 
@@ -XXX,XX +XXX,XX @@ static const ARMInsnFixup bootloader[] = {
     { 0xe59f2004 }, /* ldr     r2, [pc, #4] */
     { 0xe59ff004 }, /* ldr     pc, [pc, #4] */
     { 0, FIXUP_BOARDID },
-    { 0, FIXUP_ARGPTR },
-    { 0, FIXUP_ENTRYPOINT },
+    { 0, FIXUP_ARGPTR_LO },
+    { 0, FIXUP_ENTRYPOINT_LO },
     { 0, FIXUP_TERMINATOR }
 };
 
@@ -XXX,XX +XXX,XX @@ static void write_bootloader(const char *name, hwaddr addr,
             break;
         case FIXUP_BOARDID:
         case FIXUP_BOARD_SETUP:
-        case FIXUP_ARGPTR:
-        case FIXUP_ENTRYPOINT:
+        case FIXUP_ARGPTR_LO:
+        case FIXUP_ARGPTR_HI:
+        case FIXUP_ENTRYPOINT_LO:
+        case FIXUP_ENTRYPOINT_HI:
         case FIXUP_GIC_CPU_IF:
         case FIXUP_BOOTREG:
         case FIXUP_DSB:
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
             /* Place the DTB after the initrd in memory with alignment. */
             info->dtb_start = QEMU_ALIGN_UP(info->initrd_start + initrd_size,
                                            align);
-            fixupcontext[FIXUP_ARGPTR] = info->dtb_start;
+            fixupcontext[FIXUP_ARGPTR_LO] = info->dtb_start;
+            fixupcontext[FIXUP_ARGPTR_HI] = info->dtb_start >> 32;
         } else {
-            fixupcontext[FIXUP_ARGPTR] = info->loader_start + KERNEL_ARGS_ADDR;
+            fixupcontext[FIXUP_ARGPTR_LO] =
+                info->loader_start + KERNEL_ARGS_ADDR;
+            fixupcontext[FIXUP_ARGPTR_HI] =
+                (info->loader_start + KERNEL_ARGS_ADDR) >> 32;
             if (info->ram_size >= (1ULL << 32)) {
                 error_report("RAM size must be less than 4GB to boot"
                              " Linux kernel using ATAGS (try passing a device tree"
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
                 exit(1);
             }
         }
-        fixupcontext[FIXUP_ENTRYPOINT] = entry;
+        fixupcontext[FIXUP_ENTRYPOINT_LO] = entry;
+        fixupcontext[FIXUP_ENTRYPOINT_HI] = entry >> 32;
 
         write_bootloader("bootloader", info->loader_start,
                          primary_loader, fixupcontext, as);
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Use DeviceClass rather than SysBusDeviceClass in
mv88w8618_wlan_class_init().

Cc: jan.kiszka@web.de
Cc: peter.maydell@linaro.org
Cc: qemu-arm@nongnu.org

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181130093852.20739-2-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/musicpal.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/musicpal.c
+++ b/hw/arm/musicpal.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps mv88w8618_wlan_ops = {
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-static int mv88w8618_wlan_init(SysBusDevice *dev)
+static void mv88w8618_wlan_realize(DeviceState *dev, Error **errp)
 {
     MemoryRegion *iomem = g_new(MemoryRegion, 1);
 
     memory_region_init_io(iomem, OBJECT(dev), &mv88w8618_wlan_ops, NULL,
                           "musicpal-wlan", MP_WLAN_SIZE);
-    sysbus_init_mmio(dev, iomem);
-    return 0;
+    sysbus_init_mmio(SYS_BUS_DEVICE(dev), iomem);
 }
 
 /* GPIO register offsets */
@@ -XXX,XX +XXX,XX @@ DEFINE_MACHINE("musicpal", musicpal_machine_init)
 
 static void mv88w8618_wlan_class_init(ObjectClass *klass, void *data)
 {
-    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
+    DeviceClass *dc = DEVICE_CLASS(klass);
 
-    sdc->init = mv88w8618_wlan_init;
+    dc->realize = mv88w8618_wlan_realize;
 }
 
 static const TypeInfo mv88w8618_wlan_info = {
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Use DeviceClass rather than SysBusDeviceClass in
onenand_class_init().

Cc: kwolf@redhat.com
Cc: mreitz@redhat.com
Cc: qemu-block@nongnu.org

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181130093852.20739-3-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/block/onenand.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/hw/block/onenand.c b/hw/block/onenand.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/block/onenand.c
+++ b/hw/block/onenand.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps onenand_ops = {
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-static int onenand_initfn(SysBusDevice *sbd)
+static void onenand_realize(DeviceState *dev, Error **errp)
 {
-    DeviceState *dev = DEVICE(sbd);
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
     OneNANDState *s = ONE_NAND(dev);
     uint32_t size = 1 << (24 + ((s->id.dev >> 4) & 7));
     void *ram;
@@ -XXX,XX +XXX,XX @@ static int onenand_initfn(SysBusDevice *sbd)
                           0xff, size + (size >> 5));
     } else {
         if (blk_is_read_only(s->blk)) {
-            error_report("Can't use a read-only drive");
-            return -1;
+            error_setg(errp, "Can't use a read-only drive");
+            return;
         }
         blk_set_perm(s->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
                      BLK_PERM_ALL, &local_err);
         if (local_err) {
-            error_report_err(local_err);
-            return -1;
+            error_propagate(errp, local_err);
+            return;
         }
         s->blk_cur = s->blk;
     }
@@ -XXX,XX +XXX,XX @@ static int onenand_initfn(SysBusDevice *sbd)
                      | ((s->id.dev & 0xff) << 8)
                      | (s->id.ver & 0xff),
                      &vmstate_onenand, s);
-    return 0;
 }
 
 static Property onenand_properties[] = {
@@ -XXX,XX +XXX,XX @@ static Property onenand_properties[] = {
 static void onenand_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
-    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
 
-    k->init = onenand_initfn;
+    dc->realize = onenand_realize;
     dc->reset = onenand_system_reset;
     dc->props = onenand_properties;
 }
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Use DeviceClass rather than SysBusDeviceClass in
grlib_apbuart_class_init().

Cc: chouteau@adacore.com
Cc: marcandre.lureau@redhat.com
Cc: pbonzini@redhat.com

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181130093852.20739-4-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/char/grlib_apbuart.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/hw/char/grlib_apbuart.c b/hw/char/grlib_apbuart.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/char/grlib_apbuart.c
+++ b/hw/char/grlib_apbuart.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps grlib_apbuart_ops = {
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-static int grlib_apbuart_init(SysBusDevice *dev)
+static void grlib_apbuart_realize(DeviceState *dev, Error **errp)
 {
     UART *uart = GRLIB_APB_UART(dev);
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 
     qemu_chr_fe_set_handlers(&uart->chr,
                              grlib_apbuart_can_receive,
@@ -XXX,XX +XXX,XX @@ static int grlib_apbuart_init(SysBusDevice *dev)
                              grlib_apbuart_event,
                              NULL, uart, NULL, true);
 
-    sysbus_init_irq(dev, &uart->irq);
+    sysbus_init_irq(sbd, &uart->irq);
 
     memory_region_init_io(&uart->iomem, OBJECT(uart), &grlib_apbuart_ops, uart,
                           "uart", UART_REG_SIZE);
 
-    sysbus_init_mmio(dev, &uart->iomem);
-
-    return 0;
+    sysbus_init_mmio(sbd, &uart->iomem);
 }
 
 static void grlib_apbuart_reset(DeviceState *d)
@@ -XXX,XX +XXX,XX @@ static Property grlib_apbuart_properties[] = {
 static void grlib_apbuart_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
-    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
 
-    k->init = grlib_apbuart_init;
+    dc->realize = grlib_apbuart_realize;
     dc->reset = grlib_apbuart_reset;
     dc->props = grlib_apbuart_properties;
 }
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Use DeviceClass rather than SysBusDeviceClass in
empty_slot_class_init().

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181130093852.20739-5-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/core/empty_slot.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/hw/core/empty_slot.c b/hw/core/empty_slot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/core/empty_slot.c
+++ b/hw/core/empty_slot.c
@@ -XXX,XX +XXX,XX @@ void empty_slot_init(hwaddr addr, uint64_t slot_size)
     }
 }
 
-static int empty_slot_init1(SysBusDevice *dev)
+static void empty_slot_realize(DeviceState *dev, Error **errp)
 {
     EmptySlot *s = EMPTY_SLOT(dev);
 
     memory_region_init_io(&s->iomem, OBJECT(s), &empty_slot_ops, s,
                           "empty-slot", s->size);
-    sysbus_init_mmio(dev, &s->iomem);
-    return 0;
+    sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->iomem);
 }
 
 static void empty_slot_class_init(ObjectClass *klass, void *data)
 {
-    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
+    DeviceClass *dc = DEVICE_CLASS(klass);
 
-    k->init = empty_slot_init1;
+    dc->realize = empty_slot_realize;
 }
 
 static const TypeInfo empty_slot_info = {
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Use DeviceClass rather than SysBusDeviceClass in
g364fb_sysbus_class_init().

Cc: pbonzini@redhat.com
Cc: kraxel@redhat.com
Cc: f4bug@amsat.org
Cc: alistair.francis@wdc.com

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181130093852.20739-6-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/display/g364fb.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/hw/display/g364fb.c b/hw/display/g364fb.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/display/g364fb.c
+++ b/hw/display/g364fb.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
     G364State g364;
 } G364SysBusState;
 
-static int g364fb_sysbus_init(SysBusDevice *sbd)
+static void g364fb_sysbus_realize(DeviceState *dev, Error **errp)
 {
-    DeviceState *dev = DEVICE(sbd);
     G364SysBusState *sbs = G364(dev);
     G364State *s = &sbs->g364;
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 
     g364fb_init(dev, s);
     sysbus_init_irq(sbd, &s->irq);
     sysbus_init_mmio(sbd, &s->mem_ctrl);
     sysbus_init_mmio(sbd, &s->mem_vram);
-
-    return 0;
 }
 
 static void g364fb_sysbus_reset(DeviceState *d)
@@ -XXX,XX +XXX,XX @@ static Property g364fb_sysbus_properties[] = {
 static void g364fb_sysbus_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
-    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
 
-    k->init = g364fb_sysbus_init;
+    dc->realize = g364fb_sysbus_realize;
     set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories);
     dc->desc = "G364 framebuffer";
     dc->reset = g364fb_sysbus_reset;
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Use DeviceClass rather than SysBusDeviceClass in
puv3_dma_class_init().

Cc: gxt@mprc.pku.edu.cn

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181130093852.20739-7-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/dma/puv3_dma.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/hw/dma/puv3_dma.c b/hw/dma/puv3_dma.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/dma/puv3_dma.c
+++ b/hw/dma/puv3_dma.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps puv3_dma_ops = {
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-static int puv3_dma_init(SysBusDevice *dev)
+static void puv3_dma_realize(DeviceState *dev, Error **errp)
 {
     PUV3DMAState *s = PUV3_DMA(dev);
     int i;
@@ -XXX,XX +XXX,XX @@ static int puv3_dma_init(SysBusDevice *dev)
 
     memory_region_init_io(&s->iomem, OBJECT(s), &puv3_dma_ops, s, "puv3_dma",
             PUV3_REGS_OFFSET);
-    sysbus_init_mmio(dev, &s->iomem);
-
-    return 0;
+    sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->iomem);
 }
 
 static void puv3_dma_class_init(ObjectClass *klass, void *data)
 {
-    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
+    DeviceClass *dc = DEVICE_CLASS(klass);
 
-    sdc->init = puv3_dma_init;
+    dc->realize = puv3_dma_realize;
 }
 
 static const TypeInfo puv3_dma_info = {
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Use DeviceClass rather than SysBusDeviceClass in
puv3_gpio_class_init().

Cc: gxt@mprc.pku.edu.cn
Cc: peter.maydell@linaro.org

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181130093852.20739-8-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/gpio/puv3_gpio.c | 29 ++++++++++++++---------------
 1 file changed, 14 insertions(+), 15 deletions(-)

diff --git a/hw/gpio/puv3_gpio.c b/hw/gpio/puv3_gpio.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/gpio/puv3_gpio.c
+++ b/hw/gpio/puv3_gpio.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps puv3_gpio_ops = {
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-static int puv3_gpio_init(SysBusDevice *dev)
+static void puv3_gpio_realize(DeviceState *dev, Error **errp)
 {
     PUV3GPIOState *s = PUV3_GPIO(dev);
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 
     s->reg_GPLR = 0;
     s->reg_GPDR = 0;
 
     /* FIXME: these irqs not handled yet */
-    sysbus_init_irq(dev, &s->irq[PUV3_IRQS_GPIOLOW0]);
-    sysbus_init_irq(dev, &s->irq[PUV3_IRQS_GPIOLOW1]);
-    sysbus_init_irq(dev, &s->irq[PUV3_IRQS_GPIOLOW2]);
-    sysbus_init_irq(dev, &s->irq[PUV3_IRQS_GPIOLOW3]);
-    sysbus_init_irq(dev, &s->irq[PUV3_IRQS_GPIOLOW4]);
-    sysbus_init_irq(dev, &s->irq[PUV3_IRQS_GPIOLOW5]);
-    sysbus_init_irq(dev, &s->irq[PUV3_IRQS_GPIOLOW6]);
-    sysbus_init_irq(dev, &s->irq[PUV3_IRQS_GPIOLOW7]);
-    sysbus_init_irq(dev, &s->irq[PUV3_IRQS_GPIOHIGH]);
+    sysbus_init_irq(sbd, &s->irq[PUV3_IRQS_GPIOLOW0]);
+    sysbus_init_irq(sbd, &s->irq[PUV3_IRQS_GPIOLOW1]);
+    sysbus_init_irq(sbd, &s->irq[PUV3_IRQS_GPIOLOW2]);
+    sysbus_init_irq(sbd, &s->irq[PUV3_IRQS_GPIOLOW3]);
+    sysbus_init_irq(sbd, &s->irq[PUV3_IRQS_GPIOLOW4]);
+    sysbus_init_irq(sbd, &s->irq[PUV3_IRQS_GPIOLOW5]);
+    sysbus_init_irq(sbd, &s->irq[PUV3_IRQS_GPIOLOW6]);
+    sysbus_init_irq(sbd, &s->irq[PUV3_IRQS_GPIOLOW7]);
+    sysbus_init_irq(sbd, &s->irq[PUV3_IRQS_GPIOHIGH]);
 
     memory_region_init_io(&s->iomem, OBJECT(s), &puv3_gpio_ops, s, "puv3_gpio",
             PUV3_REGS_OFFSET);
-    sysbus_init_mmio(dev, &s->iomem);
-
-    return 0;
+    sysbus_init_mmio(sbd, &s->iomem);
 }
 
 static void puv3_gpio_class_init(ObjectClass *klass, void *data)
 {
-    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
+    DeviceClass *dc = DEVICE_CLASS(klass);
 
-    sdc->init = puv3_gpio_init;
+    dc->realize = puv3_gpio_realize;
 }
 
 static const TypeInfo puv3_gpio_info = {
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Use DeviceClass rather than SysBusDeviceClass in
milkymist_softusb_class_init().

Cc: michael@walle.cc

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181130093852.20739-9-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/input/milkymist-softusb.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/hw/input/milkymist-softusb.c b/hw/input/milkymist-softusb.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/input/milkymist-softusb.c
+++ b/hw/input/milkymist-softusb.c
@@ -XXX,XX +XXX,XX @@ static void milkymist_softusb_reset(DeviceState *d)
     s->regs[R_CTRL] = CTRL_RESET;
 }
 
-static int milkymist_softusb_init(SysBusDevice *dev)
+static void milkymist_softusb_realize(DeviceState *dev, Error **errp)
 {
     MilkymistSoftUsbState *s = MILKYMIST_SOFTUSB(dev);
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 
-    sysbus_init_irq(dev, &s->irq);
+    sysbus_init_irq(sbd, &s->irq);
 
     memory_region_init_io(&s->regs_region, OBJECT(s), &softusb_mmio_ops, s,
                           "milkymist-softusb", R_MAX * 4);
-    sysbus_init_mmio(dev, &s->regs_region);
+    sysbus_init_mmio(sbd, &s->regs_region);
 
     /* register pmem and dmem */
     memory_region_init_ram_nomigrate(&s->pmem, OBJECT(s), "milkymist-softusb.pmem",
                            s->pmem_size, &error_fatal);
     vmstate_register_ram_global(&s->pmem);
     s->pmem_ptr = memory_region_get_ram_ptr(&s->pmem);
-    sysbus_init_mmio(dev, &s->pmem);
+    sysbus_init_mmio(sbd, &s->pmem);
     memory_region_init_ram_nomigrate(&s->dmem, OBJECT(s), "milkymist-softusb.dmem",
                            s->dmem_size, &error_fatal);
     vmstate_register_ram_global(&s->dmem);
     s->dmem_ptr = memory_region_get_ram_ptr(&s->dmem);
-    sysbus_init_mmio(dev, &s->dmem);
+    sysbus_init_mmio(sbd, &s->dmem);
 
     hid_init(&s->hid_kbd, HID_KEYBOARD, softusb_kbd_hid_datain);
     hid_init(&s->hid_mouse, HID_MOUSE, softusb_mouse_hid_datain);
-
-    return 0;
 }
 
 static const VMStateDescription vmstate_milkymist_softusb = {
@@ -XXX,XX +XXX,XX @@ static Property milkymist_softusb_properties[] = {
 static void milkymist_softusb_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
-    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
 
-    k->init = milkymist_softusb_init;
+    dc->realize = milkymist_softusb_realize;
     dc->reset = milkymist_softusb_reset;
     dc->vmsd = &vmstate_milkymist_softusb;
     dc->props = milkymist_softusb_properties;
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Use DeviceClass rather than SysBusDeviceClass in
pl050_class_init().

Cc: peter.maydell@linaro.org
Cc: qemu-arm@nongnu.org

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181130093852.20739-10-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/input/pl050.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/hw/input/pl050.c b/hw/input/pl050.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/input/pl050.c
+++ b/hw/input/pl050.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps pl050_ops = {
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-static int pl050_initfn(SysBusDevice *dev)
+static void pl050_realize(DeviceState *dev, Error **errp)
 {
     PL050State *s = PL050(dev);
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 
     memory_region_init_io(&s->iomem, OBJECT(s), &pl050_ops, s, "pl050", 0x1000);
-    sysbus_init_mmio(dev, &s->iomem);
-    sysbus_init_irq(dev, &s->irq);
+    sysbus_init_mmio(sbd, &s->iomem);
+    sysbus_init_irq(sbd, &s->irq);
     if (s->is_mouse) {
         s->dev = ps2_mouse_init(pl050_update, s);
     } else {
         s->dev = ps2_kbd_init(pl050_update, s);
     }
-    return 0;
 }
 
 static void pl050_keyboard_init(Object *obj)
@@ -XXX,XX +XXX,XX @@ static const TypeInfo pl050_mouse_info = {
 static void pl050_class_init(ObjectClass *oc, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(oc);
-    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(oc);
 
-    sdc->init = pl050_initfn;
+    dc->realize = pl050_realize;
     dc->vmsd = &vmstate_pl050;
 }
 
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Use DeviceClass rather than SysBusDeviceClass in
puv3_intc_class_init().

Cc: gxt@mprc.pku.edu.cn

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181130093852.20739-11-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/puv3_intc.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/hw/intc/puv3_intc.c b/hw/intc/puv3_intc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/puv3_intc.c
+++ b/hw/intc/puv3_intc.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps puv3_intc_ops = {
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-static int puv3_intc_init(SysBusDevice *sbd)
+static void puv3_intc_realize(DeviceState *dev, Error **errp)
 {
-    DeviceState *dev = DEVICE(sbd);
     PUV3INTCState *s = PUV3_INTC(dev);
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 
     qdev_init_gpio_in(dev, puv3_intc_handler, PUV3_IRQS_NR);
     sysbus_init_irq(sbd, &s->parent_irq);
@@ -XXX,XX +XXX,XX @@ static int puv3_intc_init(SysBusDevice *sbd)
     memory_region_init_io(&s->iomem, OBJECT(s), &puv3_intc_ops, s, "puv3_intc",
                           PUV3_REGS_OFFSET);
     sysbus_init_mmio(sbd, &s->iomem);
-
-    return 0;
 }
 
 static void puv3_intc_class_init(ObjectClass *klass, void *data)
 {
-    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
-
-    sdc->init = puv3_intc_init;
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    dc->realize = puv3_intc_realize;
 }
 
 static const TypeInfo puv3_intc_info = {
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Use DeviceClass rather than SysBusDeviceClass in
milkymist_hpdmc_class_init().

Cc: gxt@mprc.pku.edu.cn
Cc: michael@walle.cc

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181130093852.20739-12-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/milkymist-hpdmc.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/hw/misc/milkymist-hpdmc.c b/hw/misc/milkymist-hpdmc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/milkymist-hpdmc.c
+++ b/hw/misc/milkymist-hpdmc.c
@@ -XXX,XX +XXX,XX @@ static void milkymist_hpdmc_reset(DeviceState *d)
                          | IODELAY_PLL2_LOCKED;
 }
 
-static int milkymist_hpdmc_init(SysBusDevice *dev)
+static void milkymist_hpdmc_realize(DeviceState *dev, Error **errp)
 {
     MilkymistHpdmcState *s = MILKYMIST_HPDMC(dev);
 
     memory_region_init_io(&s->regs_region, OBJECT(dev), &hpdmc_mmio_ops, s,
             "milkymist-hpdmc", R_MAX * 4);
-    sysbus_init_mmio(dev, &s->regs_region);
-
-    return 0;
+    sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->regs_region);
 }
 
 static const VMStateDescription vmstate_milkymist_hpdmc = {
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_milkymist_hpdmc = {
 static void milkymist_hpdmc_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
-    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
 
-    k->init = milkymist_hpdmc_init;
+    dc->realize = milkymist_hpdmc_realize;
     dc->reset = milkymist_hpdmc_reset;
     dc->vmsd = &vmstate_milkymist_hpdmc;
 }
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Use DeviceClass rather than SysBusDeviceClass in
milkymist_pfpu_class_init().

Cc: michael@walle.cc

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181130093852.20739-13-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/milkymist-pfpu.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/hw/misc/milkymist-pfpu.c b/hw/misc/milkymist-pfpu.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/milkymist-pfpu.c
+++ b/hw/misc/milkymist-pfpu.c
@@ -XXX,XX +XXX,XX @@ static void milkymist_pfpu_reset(DeviceState *d)
     }
 }
 
-static int milkymist_pfpu_init(SysBusDevice *dev)
+static void milkymist_pfpu_realize(DeviceState *dev, Error **errp)
 {
     MilkymistPFPUState *s = MILKYMIST_PFPU(dev);
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 
-    sysbus_init_irq(dev, &s->irq);
+    sysbus_init_irq(sbd, &s->irq);
 
     memory_region_init_io(&s->regs_region, OBJECT(dev), &pfpu_mmio_ops, s,
             "milkymist-pfpu", MICROCODE_END * 4);
-    sysbus_init_mmio(dev, &s->regs_region);
-
-    return 0;
+    sysbus_init_mmio(sbd, &s->regs_region);
 }
 
 static const VMStateDescription vmstate_milkymist_pfpu = {
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_milkymist_pfpu = {
 static void milkymist_pfpu_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
-    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
 
-    k->init = milkymist_pfpu_init;
+    dc->realize = milkymist_pfpu_realize;
     dc->reset = milkymist_pfpu_reset;
     dc->vmsd = &vmstate_milkymist_pfpu;
 }
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Use DeviceClass rather than SysBusDeviceClass in
puv3_pm_class_init().

Cc: gxt@mprc.pku.edu.cn

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181130093852.20739-14-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/puv3_pm.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/hw/misc/puv3_pm.c b/hw/misc/puv3_pm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/puv3_pm.c
+++ b/hw/misc/puv3_pm.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps puv3_pm_ops = {
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-static int puv3_pm_init(SysBusDevice *dev)
+static void puv3_pm_realize(DeviceState *dev, Error **errp)
 {
     PUV3PMState *s = PUV3_PM(dev);
 
@@ -XXX,XX +XXX,XX @@ static int puv3_pm_init(SysBusDevice *dev)
 
     memory_region_init_io(&s->iomem, OBJECT(s), &puv3_pm_ops, s, "puv3_pm",
             PUV3_REGS_OFFSET);
-    sysbus_init_mmio(dev, &s->iomem);
-
-    return 0;
+    sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->iomem);
 }
 
 static void puv3_pm_class_init(ObjectClass *klass, void *data)
 {
-    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
+    DeviceClass *dc = DEVICE_CLASS(klass);
 
-    sdc->init = puv3_pm_init;
+    dc->realize = puv3_pm_realize;
 }
 
 static const TypeInfo puv3_pm_info = {
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Use DeviceClass rather than SysBusDeviceClass in
nvram_sysbus_class_init().

Cc: pbonzini@redhat.com
Cc: marcandre.lureau@redhat.com

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181130093852.20739-15-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/nvram/ds1225y.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/hw/nvram/ds1225y.c b/hw/nvram/ds1225y.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/nvram/ds1225y.c
+++ b/hw/nvram/ds1225y.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "hw/sysbus.h"
 #include "trace.h"
+#include "qemu/error-report.h"
 
 typedef struct {
     MemoryRegion iomem;
@@ -XXX,XX +XXX,XX @@ typedef struct {
     NvRamState nvram;
 } SysBusNvRamState;
 
-static int nvram_sysbus_initfn(SysBusDevice *dev)
+static void nvram_sysbus_realize(DeviceState *dev, Error **errp)
 {
     SysBusNvRamState *sys = DS1225Y(dev);
     NvRamState *s = &sys->nvram;
@@ -XXX,XX +XXX,XX @@ static int nvram_sysbus_initfn(SysBusDevice *dev)
 
     memory_region_init_io(&s->iomem, OBJECT(s), &nvram_ops, s,
                           "nvram", s->chip_size);
-    sysbus_init_mmio(dev, &s->iomem);
+    sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->iomem);
 
     /* Read current file */
     file = s->filename ? fopen(s->filename, "rb") : NULL;
     if (file) {
         /* Read nvram contents */
         if (fread(s->contents, s->chip_size, 1, file) != 1) {
-            printf("nvram_sysbus_initfn: short read\n");
+            error_report("nvram_sysbus_realize: short read");
         }
         fclose(file);
     }
     nvram_post_load(s, 0);
-
-    return 0;
 }
 
 static Property nvram_sysbus_properties[] = {
@@ -XXX,XX +XXX,XX @@ static Property nvram_sysbus_properties[] = {
 static void nvram_sysbus_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
-    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
 
-    k->init = nvram_sysbus_initfn;
+    dc->realize = nvram_sysbus_realize;
     dc->vmsd = &vmstate_nvram;
     dc->props = nvram_sysbus_properties;
 }
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Use DeviceClass rather than SysBusDeviceClass in
pci_dec_21154_device_class_init().

Cc: david@gibson.dropbear.id.au
Cc: mst@redhat.com
Cc: marcel.apfelbaum@gmail.com
Cc: qemu-ppc@nongnu.org

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Acked-by: David Gibson <david@gibson.dropbear.id.au>
Message-id: 20181130093852.20739-16-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/pci-bridge/dec.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/hw/pci-bridge/dec.c b/hw/pci-bridge/dec.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/pci-bridge/dec.c
+++ b/hw/pci-bridge/dec.c
@@ -XXX,XX +XXX,XX @@ PCIBus *pci_dec_21154_init(PCIBus *parent_bus, int devfn)
     return pci_bridge_get_sec_bus(br);
 }
 
-static int pci_dec_21154_device_init(SysBusDevice *dev)
+static void pci_dec_21154_device_realize(DeviceState *dev, Error **errp)
 {
     PCIHostState *phb;
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 
     phb = PCI_HOST_BRIDGE(dev);
 
@@ -XXX,XX +XXX,XX @@ static int pci_dec_21154_device_init(SysBusDevice *dev)
                           dev, "pci-conf-idx", 0x1000);
     memory_region_init_io(&phb->data_mem, OBJECT(dev), &pci_host_data_le_ops,
                           dev, "pci-data-idx", 0x1000);
-    sysbus_init_mmio(dev, &phb->conf_mem);
-    sysbus_init_mmio(dev, &phb->data_mem);
-    return 0;
+    sysbus_init_mmio(sbd, &phb->conf_mem);
+    sysbus_init_mmio(sbd, &phb->data_mem);
 }
 
 static void dec_21154_pci_host_realize(PCIDevice *d, Error **errp)
@@ -XXX,XX +XXX,XX @@ static const TypeInfo dec_21154_pci_host_info = {
 
 static void pci_dec_21154_device_class_init(ObjectClass *klass, void *data)
 {
-    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
+    DeviceClass *dc = DEVICE_CLASS(klass);
 
-    sdc->init = pci_dec_21154_device_init;
+    dc->realize = pci_dec_21154_device_realize;
 }
 
 static const TypeInfo pci_dec_21154_device_info = {
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Use DeviceClass rather than SysBusDeviceClass in
etraxfs_timer_class_init().

Cc: edgar.iglesias@gmail.com

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 20181130093852.20739-17-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/timer/etraxfs_timer.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/hw/timer/etraxfs_timer.c b/hw/timer/etraxfs_timer.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/etraxfs_timer.c
+++ b/hw/timer/etraxfs_timer.c
@@ -XXX,XX +XXX,XX @@ static void etraxfs_timer_reset(void *opaque)
     qemu_irq_lower(t->irq);
 }
 
-static int etraxfs_timer_init(SysBusDevice *dev)
+static void etraxfs_timer_realize(DeviceState *dev, Error **errp)
 {
     ETRAXTimerState *t = ETRAX_TIMER(dev);
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 
     t->bh_t0 = qemu_bh_new(timer0_hit, t);
     t->bh_t1 = qemu_bh_new(timer1_hit, t);
@@ -XXX,XX +XXX,XX @@ static int etraxfs_timer_init(SysBusDevice *dev)
     t->ptimer_t1 = ptimer_init(t->bh_t1, PTIMER_POLICY_DEFAULT);
     t->ptimer_wd = ptimer_init(t->bh_wd, PTIMER_POLICY_DEFAULT);
 
-    sysbus_init_irq(dev, &t->irq);
-    sysbus_init_irq(dev, &t->nmi);
+    sysbus_init_irq(sbd, &t->irq);
+    sysbus_init_irq(sbd, &t->nmi);
 
     memory_region_init_io(&t->mmio, OBJECT(t), &timer_ops, t,
                           "etraxfs-timer", 0x5c);
-    sysbus_init_mmio(dev, &t->mmio);
+    sysbus_init_mmio(sbd, &t->mmio);
     qemu_register_reset(etraxfs_timer_reset, t);
-    return 0;
 }
 
 static void etraxfs_timer_class_init(ObjectClass *klass, void *data)
 {
-    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
+    DeviceClass *dc = DEVICE_CLASS(klass);
 
-    sdc->init = etraxfs_timer_init;
+    dc->realize = etraxfs_timer_realize;
 }
 
 static const TypeInfo etraxfs_timer_info = {
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Use DeviceClass rather than SysBusDeviceClass in
grlib_gptimer_class_init().

Cc: chouteau@adacore.com

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181130093852.20739-18-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/timer/grlib_gptimer.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/hw/timer/grlib_gptimer.c b/hw/timer/grlib_gptimer.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/grlib_gptimer.c
+++ b/hw/timer/grlib_gptimer.c
@@ -XXX,XX +XXX,XX @@ static void grlib_gptimer_reset(DeviceState *d)
     }
 }
 
-static int grlib_gptimer_init(SysBusDevice *dev)
+static void grlib_gptimer_realize(DeviceState *dev, Error **errp)
 {
     GPTimerUnit  *unit = GRLIB_GPTIMER(dev);
     unsigned int  i;
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 
     assert(unit->nr_timers > 0);
     assert(unit->nr_timers <= GPTIMER_MAX_TIMERS);
@@ -XXX,XX +XXX,XX @@ static int grlib_gptimer_init(SysBusDevice *dev)
         timer->id     = i;
 
         /* One IRQ line for each timer */
-        sysbus_init_irq(dev, &timer->irq);
+        sysbus_init_irq(sbd, &timer->irq);
 
         ptimer_set_freq(timer->ptimer, unit->freq_hz);
     }
@@ -XXX,XX +XXX,XX @@ static int grlib_gptimer_init(SysBusDevice *dev)
                           unit, "gptimer",
                           UNIT_REG_SIZE + GPTIMER_REG_SIZE * unit->nr_timers);
 
-    sysbus_init_mmio(dev, &unit->iomem);
-    return 0;
+    sysbus_init_mmio(sbd, &unit->iomem);
 }
 
 static Property grlib_gptimer_properties[] = {
@@ -XXX,XX +XXX,XX @@ static Property grlib_gptimer_properties[] = {
 static void grlib_gptimer_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
-    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
 
-    k->init = grlib_gptimer_init;
+    dc->realize = grlib_gptimer_realize;
     dc->reset = grlib_gptimer_reset;
     dc->props = grlib_gptimer_properties;
 }
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Use DeviceClass rather than SysBusDeviceClass in
puv3_ost_class_init().

Cc: gxt@mprc.pku.edu.cn

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181130093852.20739-19-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/timer/puv3_ost.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/hw/timer/puv3_ost.c b/hw/timer/puv3_ost.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/puv3_ost.c
+++ b/hw/timer/puv3_ost.c
@@ -XXX,XX +XXX,XX @@ static void puv3_ost_tick(void *opaque)
     }
 }
 
-static int puv3_ost_init(SysBusDevice *dev)
+static void puv3_ost_realize(DeviceState *dev, Error **errp)
 {
     PUV3OSTState *s = PUV3_OST(dev);
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 
     s->reg_OIER = 0;
     s->reg_OSSR = 0;
     s->reg_OSMR0 = 0;
     s->reg_OSCR = 0;
 
-    sysbus_init_irq(dev, &s->irq);
+    sysbus_init_irq(sbd, &s->irq);
 
     s->bh = qemu_bh_new(puv3_ost_tick, s);
     s->ptimer = ptimer_init(s->bh, PTIMER_POLICY_DEFAULT);
@@ -XXX,XX +XXX,XX @@ static int puv3_ost_init(SysBusDevice *dev)
 
     memory_region_init_io(&s->iomem, OBJECT(s), &puv3_ost_ops, s, "puv3_ost",
             PUV3_REGS_OFFSET);
-    sysbus_init_mmio(dev, &s->iomem);
-
-    return 0;
+    sysbus_init_mmio(sbd, &s->iomem);
 }
 
 static void puv3_ost_class_init(ObjectClass *klass, void *data)
 {
-    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
+    DeviceClass *dc = DEVICE_CLASS(klass);
 
-    sdc->init = puv3_ost_init;
+    dc->realize = puv3_ost_realize;
 }
 
 static const TypeInfo puv3_ost_info = {
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Use DeviceClass rather than SysBusDeviceClass in
tusb6010_class_init().

Cc: kraxel@redhat.com

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Message-id: 20181130093852.20739-20-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/usb/tusb6010.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/hw/usb/tusb6010.c b/hw/usb/tusb6010.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/usb/tusb6010.c
+++ b/hw/usb/tusb6010.c
@@ -XXX,XX +XXX,XX @@ static void tusb6010_reset(DeviceState *dev)
     musb_reset(s->musb);
 }
 
-static int tusb6010_init(SysBusDevice *sbd)
+static void tusb6010_realize(DeviceState *dev, Error **errp)
 {
-    DeviceState *dev = DEVICE(sbd);
     TUSBState *s = TUSB(dev);
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 
     s->otg_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, tusb_otg_tick, s);
     s->pwr_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, tusb_power_tick, s);
@@ -XXX,XX +XXX,XX @@ static int tusb6010_init(SysBusDevice *sbd)
     sysbus_init_irq(sbd, &s->irq);
     qdev_init_gpio_in(dev, tusb6010_irq, musb_irq_max + 1);
     s->musb = musb_init(dev, 1);
-    return 0;
 }
 
 static void tusb6010_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
-    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
 
-    k->init = tusb6010_init;
+    dc->realize = tusb6010_realize;
     dc->reset = tusb6010_reset;
 }
 
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

The init function doesn't do anything at all, so we
just omit it.

Cc: sstabellini@kernel.org
Cc: anthony.perard@citrix.com
Cc: xen-devel@lists.xenproject.org
Cc: peter.maydell@linaro.org

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Message-id: 20181130093852.20739-21-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/xen/xen_backend.c | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/hw/xen/xen_backend.c b/hw/xen/xen_backend.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/xen/xen_backend.c
+++ b/hw/xen/xen_backend.c
@@ -XXX,XX +XXX,XX @@ static const TypeInfo xensysbus_info = {
     }
 };
 
-static int xen_sysdev_init(SysBusDevice *dev)
-{
-    return 0;
-}
-
 static Property xen_sysdev_properties[] = {
     {/* end of property list */},
 };
@@ -XXX,XX +XXX,XX @@ static Property xen_sysdev_properties[] = {
 static void xen_sysdev_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
-    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
 
-    k->init = xen_sysdev_init;
     dc->props = xen_sysdev_properties;
     dc->bus_type = TYPE_XENSYSBUS;
 }
-- 
2.19.2

From: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>

Currently, all sysbus devices have been converted to realize(),
so remove this path.

Cc: ehabkost@redhat.com
Cc: thuth@redhat.com
Cc: pbonzini@redhat.com
Cc: armbru@redhat.com
Cc: peter.maydell@linaro.org
Cc: richard.henderson@linaro.org
Cc: alistair.francis@wdc.com

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Message-id: 20181130093852.20739-22-maozhongyi@cmss.chinamobile.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/sysbus.h |  3 ---
 hw/core/sysbus.c    | 15 +++++----------
 2 files changed, 5 insertions(+), 13 deletions(-)

diff --git a/include/hw/sysbus.h b/include/hw/sysbus.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/sysbus.h
+++ b/include/hw/sysbus.h
@@ -XXX,XX +XXX,XX @@ typedef struct SysBusDevice SysBusDevice;
 typedef struct SysBusDeviceClass {
     /*< private >*/
     DeviceClass parent_class;
-    /*< public >*/
-
-    int (*init)(SysBusDevice *dev);
 
     /*
      * Let the sysbus device format its own non-PIO, non-MMIO unit address.
diff --git a/hw/core/sysbus.c b/hw/core/sysbus.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/core/sysbus.c
+++ b/hw/core/sysbus.c
@@ -XXX,XX +XXX,XX @@ void sysbus_init_ioports(SysBusDevice *dev, uint32_t ioport, uint32_t size)
     }
 }
 
-/* TODO remove once all sysbus devices have been converted to realize */
+/* The purpose of preserving this empty realize function
+ * is to prevent the parent_realize field of some subclasses
+ * from being set to NULL to break the normal init/realize
+ * of some devices.
+ */
 static void sysbus_realize(DeviceState *dev, Error **errp)
 {
-    SysBusDevice *sd = SYS_BUS_DEVICE(dev);
-    SysBusDeviceClass *sbc = SYS_BUS_DEVICE_GET_CLASS(sd);
-
-    if (!sbc->init) {
-        return;
-    }
-    if (sbc->init(sd) < 0) {
-        error_setg(errp, "Device initialization failed");
-    }
 }
 
 DeviceState *sysbus_create_varargs(const char *name,
-- 
2.19.2

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

Remove bogus virtio-mmio creation. This was an accidental
left-over an experiment.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Luc Michel <luc.michel@greensocs.com>
Message-id: 20181129163655.20370-2-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/xlnx-versal-virt.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/hw/arm/xlnx-versal-virt.c b/hw/arm/xlnx-versal-virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xlnx-versal-virt.c
+++ b/hw/arm/xlnx-versal-virt.c
@@ -XXX,XX +XXX,XX @@ static void create_virtio_regions(VersalVirt *s)
         sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, pic_irq);
         mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(dev), 0);
         memory_region_add_subregion(&s->soc.mr_ps, base, mr);
-        sysbus_create_simple("virtio-mmio", base, pic_irq);
     }
 
     for (i = 0; i < NUM_VIRTIO_TRANSPORT; i++) {
-- 
2.19.2

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

Use IRQs 111 - 118 for virtio-mmio. The interrupts we're currently
using 160+ are not available in the Versal GIC.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20181129163655.20370-4-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/xlnx-versal.h | 6 +++---
 hw/arm/xlnx-versal-virt.c    | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/hw/arm/xlnx-versal.h b/include/hw/arm/xlnx-versal.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/xlnx-versal.h
+++ b/include/hw/arm/xlnx-versal.h
@@ -XXX,XX +XXX,XX @@ typedef struct Versal {
 #define VERSAL_GEM1_IRQ_0          58
 #define VERSAL_GEM1_WAKE_IRQ_0     59
 
-/* Architecturally eserved IRQs suitable for virtualization.  */
-#define VERSAL_RSVD_HIGH_IRQ_FIRST 160
-#define VERSAL_RSVD_HIGH_IRQ_LAST  255
+/* Architecturally reserved IRQs suitable for virtualization.  */
+#define VERSAL_RSVD_IRQ_FIRST 111
+#define VERSAL_RSVD_IRQ_LAST  118
 
 #define MM_TOP_RSVD                 0xa0000000U
 #define MM_TOP_RSVD_SIZE            0x4000000
diff --git a/hw/arm/xlnx-versal-virt.c b/hw/arm/xlnx-versal-virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xlnx-versal-virt.c
+++ b/hw/arm/xlnx-versal-virt.c
@@ -XXX,XX +XXX,XX @@ static void create_virtio_regions(VersalVirt *s)
     for (i = 0; i < NUM_VIRTIO_TRANSPORT; i++) {
         char *name = g_strdup_printf("virtio%d", i);;
         hwaddr base = MM_TOP_RSVD + i * virtio_mmio_size;
-        int irq = VERSAL_RSVD_HIGH_IRQ_FIRST + i;
+        int irq = VERSAL_RSVD_IRQ_FIRST + i;
         MemoryRegion *mr;
         DeviceState *dev;
         qemu_irq pic_irq;
@@ -XXX,XX +XXX,XX @@ static void create_virtio_regions(VersalVirt *s)
 
     for (i = 0; i < NUM_VIRTIO_TRANSPORT; i++) {
         hwaddr base = MM_TOP_RSVD + i * virtio_mmio_size;
-        int irq = VERSAL_RSVD_HIGH_IRQ_FIRST + i;
+        int irq = VERSAL_RSVD_IRQ_FIRST + i;
         char *name = g_strdup_printf("/virtio_mmio@%" PRIx64, base);
 
         qemu_fdt_add_subnode(s->fdt, name);
-- 
2.19.2

At the same time, define the fields for these registers,
and use those defines in arm_pamax().

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20181203203839.757-2-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: fixed up typo (s/achf/ahcf/) belatedly spotted by RTH]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h       | 26 ++++++++++++++++++++++++--
 target/arm/internals.h |  3 ++-
 target/arm/cpu64.c     |  6 +++---
 target/arm/helper.c    |  4 ++--
 target/arm/kvm64.c     |  4 ++++
 5 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
         uint64_t id_aa64isar1;
         uint64_t id_aa64pfr0;
         uint64_t id_aa64pfr1;
+        uint64_t id_aa64mmfr0;
+        uint64_t id_aa64mmfr1;
     } isar;
     uint32_t midr;
     uint32_t revidr;
@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
     uint64_t id_aa64dfr1;
     uint64_t id_aa64afr0;
     uint64_t id_aa64afr1;
-    uint64_t id_aa64mmfr0;
-    uint64_t id_aa64mmfr1;
     uint32_t dbgdidr;
     uint32_t clidr;
     uint64_t mp_affinity; /* MP ID without feature bits */
@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64PFR0, GIC, 24, 4)
 FIELD(ID_AA64PFR0, RAS, 28, 4)
 FIELD(ID_AA64PFR0, SVE, 32, 4)
 
+FIELD(ID_AA64MMFR0, PARANGE, 0, 4)
+FIELD(ID_AA64MMFR0, ASIDBITS, 4, 4)
+FIELD(ID_AA64MMFR0, BIGEND, 8, 4)
+FIELD(ID_AA64MMFR0, SNSMEM, 12, 4)
+FIELD(ID_AA64MMFR0, BIGENDEL0, 16, 4)
+FIELD(ID_AA64MMFR0, TGRAN16, 20, 4)
+FIELD(ID_AA64MMFR0, TGRAN64, 24, 4)
+FIELD(ID_AA64MMFR0, TGRAN4, 28, 4)
+FIELD(ID_AA64MMFR0, TGRAN16_2, 32, 4)
+FIELD(ID_AA64MMFR0, TGRAN64_2, 36, 4)
+FIELD(ID_AA64MMFR0, TGRAN4_2, 40, 4)
+FIELD(ID_AA64MMFR0, EXS, 44, 4)
+
+FIELD(ID_AA64MMFR1, HAFDBS, 0, 4)
+FIELD(ID_AA64MMFR1, VMIDBITS, 4, 4)
+FIELD(ID_AA64MMFR1, VH, 8, 4)
+FIELD(ID_AA64MMFR1, HPDS, 12, 4)
+FIELD(ID_AA64MMFR1, LO, 16, 4)
+FIELD(ID_AA64MMFR1, PAN, 20, 4)
+FIELD(ID_AA64MMFR1, SPECSEI, 24, 4)
+FIELD(ID_AA64MMFR1, XNX, 28, 4)
+
 QEMU_BUILD_BUG_ON(ARRAY_SIZE(((ARMCPU *)0)->ccsidr) <= R_V7M_CSSELR_INDEX_MASK);
 
 /* If adding a feature bit which corresponds to a Linux ELF
diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline unsigned int arm_pamax(ARMCPU *cpu)
         [4] = 44,
         [5] = 48,
     };
-    unsigned int parange = extract32(cpu->id_aa64mmfr0, 0, 4);
+    unsigned int parange =
+        FIELD_EX64(cpu->isar.id_aa64mmfr0, ID_AA64MMFR0, PARANGE);
 
     /* id_aa64mmfr0 is a read-only register so values outside of the
      * supported mappings can be considered an implementation error.  */
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_a57_initfn(Object *obj)
     cpu->pmceid0 = 0x00000000;
     cpu->pmceid1 = 0x00000000;
     cpu->isar.id_aa64isar0 = 0x00011120;
-    cpu->id_aa64mmfr0 = 0x00001124;
+    cpu->isar.id_aa64mmfr0 = 0x00001124;
     cpu->dbgdidr = 0x3516d000;
     cpu->clidr = 0x0a200023;
     cpu->ccsidr[0] = 0x701fe00a; /* 32KB L1 dcache */
@@ -XXX,XX +XXX,XX @@ static void aarch64_a53_initfn(Object *obj)
     cpu->isar.id_aa64pfr0 = 0x00002222;
     cpu->id_aa64dfr0 = 0x10305106;
     cpu->isar.id_aa64isar0 = 0x00011120;
-    cpu->id_aa64mmfr0 = 0x00001122; /* 40 bit physical addr */
+    cpu->isar.id_aa64mmfr0 = 0x00001122; /* 40 bit physical addr */
     cpu->dbgdidr = 0x3516d000;
     cpu->clidr = 0x0a200023;
     cpu->ccsidr[0] = 0x700fe01a; /* 32KB L1 dcache */
@@ -XXX,XX +XXX,XX @@ static void aarch64_a72_initfn(Object *obj)
     cpu->pmceid0 = 0x00000000;
     cpu->pmceid1 = 0x00000000;
     cpu->isar.id_aa64isar0 = 0x00011120;
-    cpu->id_aa64mmfr0 = 0x00001124;
+    cpu->isar.id_aa64mmfr0 = 0x00001124;
     cpu->dbgdidr = 0x3516d000;
     cpu->clidr = 0x0a200023;
     cpu->ccsidr[0] = 0x701fe00a; /* 32KB L1 dcache */
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
             { .name = "ID_AA64MMFR0_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 0,
               .access = PL1_R, .type = ARM_CP_CONST,
-              .resetvalue = cpu->id_aa64mmfr0 },
+              .resetvalue = cpu->isar.id_aa64mmfr0 },
             { .name = "ID_AA64MMFR1_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 1,
               .access = PL1_R, .type = ARM_CP_CONST,
-              .resetvalue = cpu->id_aa64mmfr1 },
+              .resetvalue = cpu->isar.id_aa64mmfr1 },
             { .name = "ID_AA64MMFR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 2,
               .access = PL1_R, .type = ARM_CP_CONST,
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
                               ARM64_SYS_REG(3, 0, 0, 6, 0));
         err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64isar1,
                               ARM64_SYS_REG(3, 0, 0, 6, 1));
+        err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64mmfr0,
+                              ARM64_SYS_REG(3, 0, 0, 7, 0));
+        err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64mmfr1,
+                              ARM64_SYS_REG(3, 0, 0, 7, 1));
 
         /*
          * Note that if AArch32 support is not present in the host,
-- 
2.19.2

From: Richard Henderson <richard.henderson@linaro.org>

Post v8.3 bits taken from SysReg_v85_xml-00bet8.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20181203203839.757-3-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask)
 #define HCR_TIDCP     (1ULL << 20)
 #define HCR_TACR      (1ULL << 21)
 #define HCR_TSW       (1ULL << 22)
-#define HCR_TPC       (1ULL << 23)
+#define HCR_TPCP      (1ULL << 23)
 #define HCR_TPU       (1ULL << 24)
 #define HCR_TTLB      (1ULL << 25)
 #define HCR_TVM       (1ULL << 26)
@@ -XXX,XX +XXX,XX @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask)
 #define HCR_CD        (1ULL << 32)
 #define HCR_ID        (1ULL << 33)
 #define HCR_E2H       (1ULL << 34)
+#define HCR_TLOR      (1ULL << 35)
+#define HCR_TERR      (1ULL << 36)
+#define HCR_TEA       (1ULL << 37)
+#define HCR_MIOCNCE   (1ULL << 38)
+#define HCR_APK       (1ULL << 40)
+#define HCR_API       (1ULL << 41)
+#define HCR_NV        (1ULL << 42)
+#define HCR_NV1       (1ULL << 43)
+#define HCR_AT        (1ULL << 44)
+#define HCR_NV2       (1ULL << 45)
+#define HCR_FWB       (1ULL << 46)
+#define HCR_FIEN      (1ULL << 47)
+#define HCR_TID4      (1ULL << 49)
+#define HCR_TICAB     (1ULL << 50)
+#define HCR_TOCU      (1ULL << 52)
+#define HCR_TTLBIS    (1ULL << 54)
+#define HCR_TTLBOS    (1ULL << 55)
+#define HCR_ATA       (1ULL << 56)
+#define HCR_DCT       (1ULL << 57)
+
 /*
  * When we actually implement ARMv8.1-VHE we should add HCR_E2H to
  * HCR_MASK and then clear it again if the feature bit is not set in
-- 
2.19.2

From: Richard Henderson <richard.henderson@linaro.org>

Post v8.4 bits taken from SysReg_v85_xml-00bet8.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20181203203839.757-4-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

The enable for TGE has already occurred within arm_hcr_el2_amo
and friends.  Moreover, when E2H is also set, the sense is
supposed to be reversed, which has also already occurred within
the helpers.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20181203203839.757-5-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ uint32_t arm_phys_excp_target_el(CPUState *cs, uint32_t excp_idx,
         break;
     };
 
-    /* If HCR.TGE is set then HCR is treated as being 1 */
-    hcr |= ((env->cp15.hcr_el2 & HCR_TGE) == HCR_TGE);
-
     /* Perform a table-lookup for the target EL given the current state */
     target_el = target_el_table[is64][scr][rw][hcr][secure][cur_el];
 
-- 
2.19.2

From: Richard Henderson <richard.henderson@linaro.org>

Because EL3 has a fixed execution mode, we can properly decide
which of the bits are RES{0,1}.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20181203203839.757-8-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h    |  2 --
 target/arm/helper.c | 14 +++++++++-----
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask)
 #define SCR_FIEN              (1U << 21)
 #define SCR_ENSCXT            (1U << 25)
 #define SCR_ATA               (1U << 26)
-#define SCR_AARCH32_MASK      (0x3fff & ~(SCR_RW | SCR_ST))
-#define SCR_AARCH64_MASK      (0x3fff & ~SCR_NET)
 
 /* Return the current FPSCR value.  */
 uint32_t vfp_get_fpscr(CPUARMState *env);
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void vbar_write(CPUARMState *env, const ARMCPRegInfo *ri,
 
 static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
 {
-    /* We only mask off bits that are RES0 both for AArch64 and AArch32.
-     * For bits that vary between AArch32/64, code needs to check the
-     * current execution mode before directly using the feature bit.
-     */
-    uint32_t valid_mask = SCR_AARCH64_MASK | SCR_AARCH32_MASK;
+    /* Begin with base v8.0 state.  */
+    uint32_t valid_mask = 0x3fff;
+
+    if (arm_el_is_aa64(env, 3)) {
+        value |= SCR_FW | SCR_AW;   /* these two bits are RES1.  */
+        valid_mask &= ~SCR_NET;
+    } else {
+        valid_mask &= ~(SCR_RW | SCR_ST);
+    }
 
     if (!arm_feature(env, ARM_FEATURE_EL2)) {
         valid_mask &= ~SCR_HCE;
-- 
2.19.2

From: Richard Henderson <richard.henderson@linaro.org>

Since the TCR_*.HPD bits were RES0 in ARMv8.0, we can simply
interpret the bits as if ARMv8.1-HPD is present without checking.
We will need a slightly different check for hpd for aarch32.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20181203203839.757-10-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu64.c  |  4 ++++
 target/arm/helper.c | 27 ++++++++++++++++++++-------
 2 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
         t = FIELD_DP64(t, ID_AA64PFR0, ADVSIMD, 1);
         cpu->isar.id_aa64pfr0 = t;
 
+        t = cpu->isar.id_aa64mmfr1;
+        t = FIELD_DP64(t, ID_AA64MMFR1, HPDS, 1); /* HPD */
+        cpu->isar.id_aa64mmfr1 = t;
+
         /* Replicate the same data to the 32-bit id registers.  */
         u = cpu->isar.id_isar5;
         u = FIELD_DP32(u, ID_ISAR5, AES, 2); /* AES + PMULL */
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
     bool ttbr1_valid = true;
     uint64_t descaddrmask;
     bool aarch64 = arm_el_is_aa64(env, el);
+    bool hpd = false;
 
     /* TODO:
      * This code does not handle the different format TCR for VTCR_EL2.
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
         if (tg == 2) { /* 16KB pages */
             stride = 11;
         }
+        if (aarch64) {
+            if (el > 1) {
+                hpd = extract64(tcr->raw_tcr, 24, 1);
+            } else {
+                hpd = extract64(tcr->raw_tcr, 41, 1);
+            }
+        }
     } else {
         /* We should only be here if TTBR1 is valid */
         assert(ttbr1_valid);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
         if (tg == 1) { /* 16KB pages */
             stride = 11;
         }
+        if (aarch64) {
+            hpd = extract64(tcr->raw_tcr, 42, 1);
+        }
     }
 
     /* Here we should have set up all the parameters for the translation:
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
         descaddr = descriptor & descaddrmask;
 
         if ((descriptor & 2) && (level < 3)) {
-            /* Table entry. The top five bits are attributes which  may
+            /* Table entry. The top five bits are attributes which may
              * propagate down through lower levels of the table (and
              * which are all arranged so that 0 means "no effect", so
              * we can gather them up by ORing in the bits at each level).
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
             break;
         }
         /* Merge in attributes from table descriptors */
-        attrs |= extract32(tableattrs, 0, 2) << 11; /* XN, PXN */
-        attrs |= extract32(tableattrs, 3, 1) << 5; /* APTable[1] => AP[2] */
+        attrs |= nstable << 3; /* NS */
+        if (hpd) {
+            /* HPD disables all the table attributes except NSTable.  */
+            break;
+        }
+        attrs |= extract32(tableattrs, 0, 2) << 11;     /* XN, PXN */
         /* The sense of AP[1] vs APTable[0] is reversed, as APTable[0] == 1
          * means "force PL1 access only", which means forcing AP[1] to 0.
          */
-        if (extract32(tableattrs, 2, 1)) {
-            attrs &= ~(1 << 4);
-        }
-        attrs |= nstable << 3; /* NS */
+        attrs &= ~(extract32(tableattrs, 2, 1) << 4);   /* !APT[0] => AP[1] */
+        attrs |= extract32(tableattrs, 3, 1) << 5;      /* APT[1] => AP[2] */
         break;
     }
     /* Here descaddr is the final physical address, and attributes
-- 
2.19.2

From: Richard Henderson <richard.henderson@linaro.org>

The bulk of the work here, beyond base HPD, is defining the
TTBCR2 register.  In addition we must check TTBCR.T2E, which
is not present (RES0) for AArch64.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20181203203839.757-11-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h    |  9 +++++++++
 target/arm/cpu.c    |  4 ++++
 target/arm/helper.c | 37 +++++++++++++++++++++++++++++--------
 3 files changed, 42 insertions(+), 8 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ FIELD(ID_ISAR6, FHM, 8, 4)
 FIELD(ID_ISAR6, SB, 12, 4)
 FIELD(ID_ISAR6, SPECRES, 16, 4)
 
+FIELD(ID_MMFR4, SPECSEI, 0, 4)
+FIELD(ID_MMFR4, AC2, 4, 4)
+FIELD(ID_MMFR4, XNX, 8, 4)
+FIELD(ID_MMFR4, CNP, 12, 4)
+FIELD(ID_MMFR4, HPDS, 16, 4)
+FIELD(ID_MMFR4, LSM, 20, 4)
+FIELD(ID_MMFR4, CCIDX, 24, 4)
+FIELD(ID_MMFR4, EVT, 28, 4)
+
 FIELD(ID_AA64ISAR0, AES, 4, 4)
 FIELD(ID_AA64ISAR0, SHA1, 8, 4)
 FIELD(ID_AA64ISAR0, SHA2, 12, 4)
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
             t = cpu->isar.id_isar6;
             t = FIELD_DP32(t, ID_ISAR6, DP, 1);
             cpu->isar.id_isar6 = t;
+
+            t = cpu->id_mmfr4;
+            t = FIELD_DP32(t, ID_MMFR4, HPDS, 1); /* AA32HPD */
+            cpu->id_mmfr4 = t;
         }
 #endif
     }
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void vmsa_ttbcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                              uint64_t value)
 {
     ARMCPU *cpu = arm_env_get_cpu(env);
+    TCR *tcr = raw_ptr(env, ri);
 
     if (arm_feature(env, ARM_FEATURE_LPAE)) {
         /* With LPAE the TTBCR could result in a change of ASID
@@ -XXX,XX +XXX,XX @@ static void vmsa_ttbcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
          */
         tlb_flush(CPU(cpu));
     }
+    /* Preserve the high half of TCR_EL1, set via TTBCR2.  */
+    value = deposit64(tcr->raw_tcr, 0, 32, value);
     vmsa_ttbcr_raw_write(env, ri, value);
 }
 
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vmsa_cp_reginfo[] = {
     REGINFO_SENTINEL
 };
 
+/* Note that unlike TTBCR, writing to TTBCR2 does not require flushing
+ * qemu tlbs nor adjusting cached masks.
+ */
+static const ARMCPRegInfo ttbcr2_reginfo = {
+    .name = "TTBCR2", .cp = 15, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 3,
+    .access = PL1_RW, .type = ARM_CP_ALIAS,
+    .bank_fieldoffsets = { offsetofhigh32(CPUARMState, cp15.tcr_el[3]),
+                           offsetofhigh32(CPUARMState, cp15.tcr_el[1]) },
+};
+
 static void omap_ticonfig_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                 uint64_t value)
 {
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
     } else {
         define_arm_cp_regs(cpu, vmsa_pmsa_cp_reginfo);
         define_arm_cp_regs(cpu, vmsa_cp_reginfo);
+        /* TTCBR2 is introduced with ARMv8.2-A32HPD.  */
+        if (FIELD_EX32(cpu->id_mmfr4, ID_MMFR4, HPDS) != 0) {
+            define_one_arm_cp_reg(cpu, &ttbcr2_reginfo);
+        }
     }
     if (arm_feature(env, ARM_FEATURE_THUMB2EE)) {
         define_arm_cp_regs(cpu, t2ee_cp_reginfo);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
         if (tg == 2) { /* 16KB pages */
             stride = 11;
         }
-        if (aarch64) {
-            if (el > 1) {
-                hpd = extract64(tcr->raw_tcr, 24, 1);
-            } else {
-                hpd = extract64(tcr->raw_tcr, 41, 1);
-            }
+        if (aarch64 && el > 1) {
+            hpd = extract64(tcr->raw_tcr, 24, 1);
+        } else {
+            hpd = extract64(tcr->raw_tcr, 41, 1);
+        }
+        if (!aarch64) {
+            /* For aarch32, hpd0 is not enabled without t2e as well.  */
+            hpd &= extract64(tcr->raw_tcr, 6, 1);
         }
     } else {
         /* We should only be here if TTBR1 is valid */
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
         if (tg == 1) { /* 16KB pages */
             stride = 11;
         }
-        if (aarch64) {
-            hpd = extract64(tcr->raw_tcr, 42, 1);
+        hpd = extract64(tcr->raw_tcr, 42, 1);
+        if (!aarch64) {
+            /* For aarch32, hpd1 is not enabled without t2e as well.  */
+            hpd &= extract64(tcr->raw_tcr, 6, 1);
         }
     }
 
-- 
2.19.2

From: Richard Henderson <richard.henderson@linaro.org>

Replace arm_hcr_el2_{fmo,imo,amo} with a more general routine
that also takes SCR_EL3.NS (aka arm_is_secure_below_el3) into
account, as documented for the plethora of bits in HCR_EL2.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20181210150501.7990-2-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h          | 67 +++++++++------------------------------
 hw/intc/arm_gicv3_cpuif.c | 21 ++++++------
 target/arm/helper.c       | 66 ++++++++++++++++++++++++++++++++------
 3 files changed, 83 insertions(+), 71 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline bool arm_is_secure(CPUARMState *env)
 }
 #endif
 
+/**
+ * arm_hcr_el2_eff(): Return the effective value of HCR_EL2.
+ * E.g. when in secure state, fields in HCR_EL2 are suppressed,
+ * "for all purposes other than a direct read or write access of HCR_EL2."
+ * Not included here is HCR_RW.
+ */
+uint64_t arm_hcr_el2_eff(CPUARMState *env);
+
 /* Return true if the specified exception level is running in AArch64 state. */
 static inline bool arm_el_is_aa64(CPUARMState *env, int el)
 {
@@ -XXX,XX +XXX,XX @@ bool write_cpustate_to_list(ARMCPU *cpu);
 #  define TARGET_VIRT_ADDR_SPACE_BITS 32
 #endif
 
-/**
- * arm_hcr_el2_imo(): Return the effective value of HCR_EL2.IMO.
- * Depending on the values of HCR_EL2.E2H and TGE, this may be
- * "behaves as 1 for all purposes other than direct read/write" or
- * "behaves as 0 for all purposes other than direct read/write"
- */
-static inline bool arm_hcr_el2_imo(CPUARMState *env)
-{
-    switch (env->cp15.hcr_el2 & (HCR_TGE | HCR_E2H)) {
-    case HCR_TGE:
-        return true;
-    case HCR_TGE | HCR_E2H:
-        return false;
-    default:
-        return env->cp15.hcr_el2 & HCR_IMO;
-    }
-}
-
-/**
- * arm_hcr_el2_fmo(): Return the effective value of HCR_EL2.FMO.
- */
-static inline bool arm_hcr_el2_fmo(CPUARMState *env)
-{
-    switch (env->cp15.hcr_el2 & (HCR_TGE | HCR_E2H)) {
-    case HCR_TGE:
-        return true;
-    case HCR_TGE | HCR_E2H:
-        return false;
-    default:
-        return env->cp15.hcr_el2 & HCR_FMO;
-    }
-}
-
-/**
- * arm_hcr_el2_amo(): Return the effective value of HCR_EL2.AMO.
- */
-static inline bool arm_hcr_el2_amo(CPUARMState *env)
-{
-    switch (env->cp15.hcr_el2 & (HCR_TGE | HCR_E2H)) {
-    case HCR_TGE:
-        return true;
-    case HCR_TGE | HCR_E2H:
-        return false;
-    default:
-        return env->cp15.hcr_el2 & HCR_AMO;
-    }
-}
-
 static inline bool arm_excp_unmasked(CPUState *cs, unsigned int excp_idx,
                                      unsigned int target_el)
 {
@@ -XXX,XX +XXX,XX @@ static inline bool arm_excp_unmasked(CPUState *cs, unsigned int excp_idx,
     bool secure = arm_is_secure(env);
     bool pstate_unmasked;
     int8_t unmasked = 0;
+    uint64_t hcr_el2;
 
     /* Don't take exceptions if they target a lower EL.
      * This check should catch any exceptions that would not be taken but left
@@ -XXX,XX +XXX,XX @@ static inline bool arm_excp_unmasked(CPUState *cs, unsigned int excp_idx,
         return false;
     }
 
+    hcr_el2 = arm_hcr_el2_eff(env);
+
     switch (excp_idx) {
     case EXCP_FIQ:
         pstate_unmasked = !(env->daif & PSTATE_F);
@@ -XXX,XX +XXX,XX @@ static inline bool arm_excp_unmasked(CPUState *cs, unsigned int excp_idx,
         break;
 
     case EXCP_VFIQ:
-        if (secure || !arm_hcr_el2_fmo(env) || (env->cp15.hcr_el2 & HCR_TGE)) {
+        if (secure || !(hcr_el2 & HCR_FMO) || (hcr_el2 & HCR_TGE)) {
             /* VFIQs are only taken when hypervized and non-secure.  */
             return false;
         }
         return !(env->daif & PSTATE_F);
     case EXCP_VIRQ:
-        if (secure || !arm_hcr_el2_imo(env) || (env->cp15.hcr_el2 & HCR_TGE)) {
+        if (secure || !(hcr_el2 & HCR_IMO) || (hcr_el2 & HCR_TGE)) {
             /* VIRQs are only taken when hypervized and non-secure.  */
             return false;
         }
@@ -XXX,XX +XXX,XX @@ static inline bool arm_excp_unmasked(CPUState *cs, unsigned int excp_idx,
                  * to the CPSR.F setting otherwise we further assess the state
                  * below.
                  */
-                hcr = arm_hcr_el2_fmo(env);
+                hcr = hcr_el2 & HCR_FMO;
                 scr = (env->cp15.scr_el3 & SCR_FIQ);
 
                 /* When EL3 is 32-bit, the SCR.FW bit controls whether the
@@ -XXX,XX +XXX,XX @@ static inline bool arm_excp_unmasked(CPUState *cs, unsigned int excp_idx,
                  * when setting the target EL, so it does not have a further
                  * affect here.
                  */
-                hcr = arm_hcr_el2_imo(env);
+                hcr = hcr_el2 & HCR_IMO;
                 scr = false;
                 break;
             default:
diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_cpuif.c
+++ b/hw/intc/arm_gicv3_cpuif.c
@@ -XXX,XX +XXX,XX @@ static bool icv_access(CPUARMState *env, int hcr_flags)
      *  * access if NS EL1 and either IMO or FMO == 1:
      *    CTLR, DIR, PMR, RPR
      */
-    bool flagmatch = ((hcr_flags & HCR_IMO) && arm_hcr_el2_imo(env)) ||
-        ((hcr_flags & HCR_FMO) && arm_hcr_el2_fmo(env));
+    uint64_t hcr_el2 = arm_hcr_el2_eff(env);
+    bool flagmatch = hcr_el2 & hcr_flags & (HCR_IMO | HCR_FMO);
 
     return flagmatch && arm_current_el(env) == 1
         && !arm_is_secure_below_el3(env);
@@ -XXX,XX +XXX,XX @@ static void icc_dir_write(CPUARMState *env, const ARMCPRegInfo *ri,
     /* No need to include !IsSecure in route_*_to_el2 as it's only
      * tested in cases where we know !IsSecure is true.
      */
-    route_fiq_to_el2 = arm_hcr_el2_fmo(env);
-    route_irq_to_el2 = arm_hcr_el2_imo(env);
+    uint64_t hcr_el2 = arm_hcr_el2_eff(env);
+    route_fiq_to_el2 = hcr_el2 & HCR_FMO;
+    route_irq_to_el2 = hcr_el2 & HCR_IMO;
 
     switch (arm_current_el(env)) {
     case 3:
@@ -XXX,XX +XXX,XX @@ static CPAccessResult gicv3_irqfiq_access(CPUARMState *env,
     if ((env->cp15.scr_el3 & (SCR_FIQ | SCR_IRQ)) == (SCR_FIQ | SCR_IRQ)) {
         switch (el) {
         case 1:
-            if (arm_is_secure_below_el3(env) ||
-                (arm_hcr_el2_imo(env) == 0 && arm_hcr_el2_fmo(env) == 0)) {
+            /* Note that arm_hcr_el2_eff takes secure state into account.  */
+            if ((arm_hcr_el2_eff(env) & (HCR_IMO | HCR_FMO)) == 0) {
                 r = CP_ACCESS_TRAP_EL3;
             }
             break;
@@ -XXX,XX +XXX,XX @@ static CPAccessResult gicv3_dir_access(CPUARMState *env,
 static CPAccessResult gicv3_sgi_access(CPUARMState *env,
                                        const ARMCPRegInfo *ri, bool isread)
 {
-    if ((arm_hcr_el2_imo(env) || arm_hcr_el2_fmo(env)) &&
-        arm_current_el(env) == 1 && !arm_is_secure_below_el3(env)) {
+    if (arm_current_el(env) == 1 &&
+        (arm_hcr_el2_eff(env) & (HCR_IMO | HCR_FMO)) != 0) {
         /* Takes priority over a possible EL3 trap */
         return CP_ACCESS_TRAP_EL2;
     }
@@ -XXX,XX +XXX,XX @@ static CPAccessResult gicv3_fiq_access(CPUARMState *env,
     if (env->cp15.scr_el3 & SCR_FIQ) {
         switch (el) {
         case 1:
-            if (arm_is_secure_below_el3(env) || !arm_hcr_el2_fmo(env)) {
+            if ((arm_hcr_el2_eff(env) & HCR_FMO) == 0) {
                 r = CP_ACCESS_TRAP_EL3;
             }
             break;
@@ -XXX,XX +XXX,XX @@ static CPAccessResult gicv3_irq_access(CPUARMState *env,
     if (env->cp15.scr_el3 & SCR_IRQ) {
         switch (el) {
         case 1:
-            if (arm_is_secure_below_el3(env) || !arm_hcr_el2_imo(env)) {
+            if ((arm_hcr_el2_eff(env) & HCR_IMO) == 0) {
                 r = CP_ACCESS_TRAP_EL3;
             }
             break;
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void csselr_write(CPUARMState *env, const ARMCPRegInfo *ri,
 static uint64_t isr_read(CPUARMState *env, const ARMCPRegInfo *ri)
 {
     CPUState *cs = ENV_GET_CPU(env);
+    uint64_t hcr_el2 = arm_hcr_el2_eff(env);
     uint64_t ret = 0;
 
-    if (arm_hcr_el2_imo(env)) {
+    if (hcr_el2 & HCR_IMO) {
         if (cs->interrupt_request & CPU_INTERRUPT_VIRQ) {
             ret |= CPSR_I;
         }
@@ -XXX,XX +XXX,XX @@ static uint64_t isr_read(CPUARMState *env, const ARMCPRegInfo *ri)
         }
     }
 
-    if (arm_hcr_el2_fmo(env)) {
+    if (hcr_el2 & HCR_FMO) {
         if (cs->interrupt_request & CPU_INTERRUPT_VFIQ) {
             ret |= CPSR_F;
         }
@@ -XXX,XX +XXX,XX @@ static void hcr_writelow(CPUARMState *env, const ARMCPRegInfo *ri,
     hcr_write(env, NULL, value);
 }
 
+/*
+ * Return the effective value of HCR_EL2.
+ * Bits that are not included here:
+ * RW       (read from SCR_EL3.RW as needed)
+ */
+uint64_t arm_hcr_el2_eff(CPUARMState *env)
+{
+    uint64_t ret = env->cp15.hcr_el2;
+
+    if (arm_is_secure_below_el3(env)) {
+        /*
+         * "This register has no effect if EL2 is not enabled in the
+         * current Security state".  This is ARMv8.4-SecEL2 speak for
+         * !(SCR_EL3.NS==1 || SCR_EL3.EEL2==1).
+         *
+         * Prior to that, the language was "In an implementation that
+         * includes EL3, when the value of SCR_EL3.NS is 0 the PE behaves
+         * as if this field is 0 for all purposes other than a direct
+         * read or write access of HCR_EL2".  With lots of enumeration
+         * on a per-field basis.  In current QEMU, this is condition
+         * is arm_is_secure_below_el3.
+         *
+         * Since the v8.4 language applies to the entire register, and
+         * appears to be backward compatible, use that.
+         */
+        ret = 0;
+    } else if (ret & HCR_TGE) {
+        /* These bits are up-to-date as of ARMv8.4.  */
+        if (ret & HCR_E2H) {
+            ret &= ~(HCR_VM | HCR_FMO | HCR_IMO | HCR_AMO |
+                     HCR_BSU_MASK | HCR_DC | HCR_TWI | HCR_TWE |
+                     HCR_TID0 | HCR_TID2 | HCR_TPCP | HCR_TPU |
+                     HCR_TDZ | HCR_CD | HCR_ID | HCR_MIOCNCE);
+        } else {
+            ret |= HCR_FMO | HCR_IMO | HCR_AMO;
+        }
+        ret &= ~(HCR_SWIO | HCR_PTW | HCR_VF | HCR_VI | HCR_VSE |
+                 HCR_FB | HCR_TID1 | HCR_TID3 | HCR_TSC | HCR_TACR |
+                 HCR_TSW | HCR_TTLB | HCR_TVM | HCR_HCD | HCR_TRVM |
+                 HCR_TLOR);
+    }
+
+    return ret;
+}
+
 static const ARMCPRegInfo el2_cp_reginfo[] = {
     { .name = "HCR_EL2", .state = ARM_CP_STATE_AA64,
       .type = ARM_CP_IO,
@@ -XXX,XX +XXX,XX @@ uint32_t arm_phys_excp_target_el(CPUState *cs, uint32_t excp_idx,
                                  uint32_t cur_el, bool secure)
 {
     CPUARMState *env = cs->env_ptr;
-    int rw;
-    int scr;
-    int hcr;
+    bool rw;
+    bool scr;
+    bool hcr;
     int target_el;
     /* Is the highest EL AArch64? */
-    int is64 = arm_feature(env, ARM_FEATURE_AARCH64);
+    bool is64 = arm_feature(env, ARM_FEATURE_AARCH64);
+    uint64_t hcr_el2;
 
     if (arm_feature(env, ARM_FEATURE_EL3)) {
         rw = ((env->cp15.scr_el3 & SCR_RW) == SCR_RW);
@@ -XXX,XX +XXX,XX @@ uint32_t arm_phys_excp_target_el(CPUState *cs, uint32_t excp_idx,
         rw = is64;
     }
 
+    hcr_el2 = arm_hcr_el2_eff(env);
     switch (excp_idx) {
     case EXCP_IRQ:
         scr = ((env->cp15.scr_el3 & SCR_IRQ) == SCR_IRQ);
-        hcr = arm_hcr_el2_imo(env);
+        hcr = hcr_el2 & HCR_IMO;
         break;
     case EXCP_FIQ:
         scr = ((env->cp15.scr_el3 & SCR_FIQ) == SCR_FIQ);
-        hcr = arm_hcr_el2_fmo(env);
+        hcr = hcr_el2 & HCR_FMO;
         break;
     default:
         scr = ((env->cp15.scr_el3 & SCR_EA) == SCR_EA);
-        hcr = arm_hcr_el2_amo(env);
+        hcr = hcr_el2 & HCR_AMO;
         break;
     };
 
-- 
2.19.2

From: Richard Henderson <richard.henderson@linaro.org>

Since arm_hcr_el2_eff includes a check against
arm_is_secure_below_el3, we can often remove a
nearby check against secure state.

In some cases, sort the call to arm_hcr_el2_eff
to the end of a short-circuit logical sequence.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20181210150501.7990-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c    | 12 +++++-------
 target/arm/op_helper.c | 14 ++++++--------
 2 files changed, 11 insertions(+), 15 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static CPAccessResult access_tdosa(CPUARMState *env, const ARMCPRegInfo *ri,
     int el = arm_current_el(env);
     bool mdcr_el2_tdosa = (env->cp15.mdcr_el2 & MDCR_TDOSA) ||
         (env->cp15.mdcr_el2 & MDCR_TDE) ||
-        (env->cp15.hcr_el2 & HCR_TGE);
+        (arm_hcr_el2_eff(env) & HCR_TGE);
 
     if (el < 2 && mdcr_el2_tdosa && !arm_is_secure_below_el3(env)) {
         return CP_ACCESS_TRAP_EL2;
@@ -XXX,XX +XXX,XX @@ static CPAccessResult access_tdra(CPUARMState *env, const ARMCPRegInfo *ri,
     int el = arm_current_el(env);
     bool mdcr_el2_tdra = (env->cp15.mdcr_el2 & MDCR_TDRA) ||
         (env->cp15.mdcr_el2 & MDCR_TDE) ||
-        (env->cp15.hcr_el2 & HCR_TGE);
+        (arm_hcr_el2_eff(env) & HCR_TGE);
 
     if (el < 2 && mdcr_el2_tdra && !arm_is_secure_below_el3(env)) {
         return CP_ACCESS_TRAP_EL2;
@@ -XXX,XX +XXX,XX @@ static CPAccessResult access_tda(CPUARMState *env, const ARMCPRegInfo *ri,
     int el = arm_current_el(env);
     bool mdcr_el2_tda = (env->cp15.mdcr_el2 & MDCR_TDA) ||
         (env->cp15.mdcr_el2 & MDCR_TDE) ||
-        (env->cp15.hcr_el2 & HCR_TGE);
+        (arm_hcr_el2_eff(env) & HCR_TGE);
 
     if (el < 2 && mdcr_el2_tda && !arm_is_secure_below_el3(env)) {
         return CP_ACCESS_TRAP_EL2;
@@ -XXX,XX +XXX,XX @@ int sve_exception_el(CPUARMState *env, int el)
         if (disabled) {
             /* route_to_el2 */
             return (arm_feature(env, ARM_FEATURE_EL2)
-                    && !arm_is_secure(env)
-                    && (env->cp15.hcr_el2 & HCR_TGE) ? 2 : 1);
+                    && (arm_hcr_el2_eff(env) & HCR_TGE) ? 2 : 1);
         }
 
         /* Check CPACR.FPEN.  */
@@ -XXX,XX +XXX,XX @@ static int bad_mode_switch(CPUARMState *env, int mode, CPSRWriteType write_type)
          * and CPS are treated as illegal mode changes.
          */
         if (write_type == CPSRWriteByInstr &&
-            (env->cp15.hcr_el2 & HCR_TGE) &&
             (env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_MON &&
-            !arm_is_secure_below_el3(env)) {
+            (arm_hcr_el2_eff(env) & HCR_TGE)) {
             return 1;
         }
         return 0;
diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/op_helper.c
+++ b/target/arm/op_helper.c
@@ -XXX,XX +XXX,XX @@ void raise_exception(CPUARMState *env, uint32_t excp,
 {
     CPUState *cs = CPU(arm_env_get_cpu(env));
 
-    if ((env->cp15.hcr_el2 & HCR_TGE) &&
-        target_el == 1 && !arm_is_secure(env)) {
+    if (target_el == 1 && (arm_hcr_el2_eff(env) & HCR_TGE)) {
         /*
          * Redirect NS EL1 exceptions to NS EL2. These are reported with
          * their original syndrome register value, with the exception of
@@ -XXX,XX +XXX,XX @@ static inline int check_wfx_trap(CPUARMState *env, bool is_wfe)
      * No need for ARM_FEATURE check as if HCR_EL2 doesn't exist the
      * bits will be zero indicating no trap.
      */
-    if (cur_el < 2 && !arm_is_secure(env)) {
-        mask = (is_wfe) ? HCR_TWE : HCR_TWI;
-        if (env->cp15.hcr_el2 & mask) {
+    if (cur_el < 2) {
+        mask = is_wfe ? HCR_TWE : HCR_TWI;
+        if (arm_hcr_el2_eff(env) & mask) {
             return 2;
         }
     }
@@ -XXX,XX +XXX,XX @@ void HELPER(pre_smc)(CPUARMState *env, uint32_t syndrome)
                         exception_target_el(env));
     }
 
-    if (!secure && cur_el == 1 && (env->cp15.hcr_el2 & HCR_TSC)) {
+    if (cur_el == 1 && (arm_hcr_el2_eff(env) & HCR_TSC)) {
         /* In NS EL1, HCR controlled routing to EL2 has priority over SMD.
          * We also want an EL2 guest to be able to forbid its EL1 from
          * making PSCI calls into QEMU's "firmware" via HCR.TSC.
@@ -XXX,XX +XXX,XX @@ void HELPER(exception_return)(CPUARMState *env)
         goto illegal_return;
     }
 
-    if (new_el == 1 && (env->cp15.hcr_el2 & HCR_TGE)
-        && !arm_is_secure_below_el3(env)) {
+    if (new_el == 1 && (arm_hcr_el2_eff(env) & HCR_TGE)) {
         goto illegal_return;
     }
 
-- 
2.19.2

From: Richard Henderson <richard.henderson@linaro.org>

Provide a trivial implementation with zero limited ordering regions,
which causes the LDLAR and STLLR instructions to devolve into the
LDAR and STLR instructions from the base ARMv8.0 instruction set.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20181210150501.7990-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h           |  5 +++
 target/arm/cpu64.c         |  1 +
 target/arm/helper.c        | 75 ++++++++++++++++++++++++++++++++++++++
 target/arm/translate-a64.c | 12 ++++++
 4 files changed, 93 insertions(+)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_sve(const ARMISARegisters *id)
     return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, SVE) != 0;
 }
 
+static inline bool isar_feature_aa64_lor(const ARMISARegisters *id)
+{
+    return FIELD_EX64(id->id_aa64mmfr1, ID_AA64MMFR1, LO) != 0;
+}
+
 /*
  * Forward to the above feature tests given an ARMCPU pointer.
  */
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
 
         t = cpu->isar.id_aa64mmfr1;
         t = FIELD_DP64(t, ID_AA64MMFR1, HPDS, 1); /* HPD */
+        t = FIELD_DP64(t, ID_AA64MMFR1, LO, 1);
         cpu->isar.id_aa64mmfr1 = t;
 
         /* Replicate the same data to the 32-bit id registers.  */
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
 {
     /* Begin with base v8.0 state.  */
     uint32_t valid_mask = 0x3fff;
+    ARMCPU *cpu = arm_env_get_cpu(env);
 
     if (arm_el_is_aa64(env, 3)) {
         value |= SCR_FW | SCR_AW;   /* these two bits are RES1.  */
@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
             valid_mask &= ~SCR_SMD;
         }
     }
+    if (cpu_isar_feature(aa64_lor, cpu)) {
+        valid_mask |= SCR_TLOR;
+    }
 
     /* Clear all-context RES0 bits.  */
     value &= valid_mask;
@@ -XXX,XX +XXX,XX @@ static void hcr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
          */
         valid_mask &= ~HCR_TSC;
     }
+    if (cpu_isar_feature(aa64_lor, cpu)) {
+        valid_mask |= HCR_TLOR;
+    }
 
     /* Clear RES0 bits.  */
     value &= valid_mask;
@@ -XXX,XX +XXX,XX @@ static uint64_t id_aa64pfr0_read(CPUARMState *env, const ARMCPRegInfo *ri)
     return pfr0;
 }
 
+/* Shared logic between LORID and the rest of the LOR* registers.
+ * Secure state has already been delt with.
+ */
+static CPAccessResult access_lor_ns(CPUARMState *env)
+{
+    int el = arm_current_el(env);
+
+    if (el < 2 && (arm_hcr_el2_eff(env) & HCR_TLOR)) {
+        return CP_ACCESS_TRAP_EL2;
+    }
+    if (el < 3 && (env->cp15.scr_el3 & SCR_TLOR)) {
+        return CP_ACCESS_TRAP_EL3;
+    }
+    return CP_ACCESS_OK;
+}
+
+static CPAccessResult access_lorid(CPUARMState *env, const ARMCPRegInfo *ri,
+                                   bool isread)
+{
+    if (arm_is_secure_below_el3(env)) {
+        /* Access ok in secure mode.  */
+        return CP_ACCESS_OK;
+    }
+    return access_lor_ns(env);
+}
+
+static CPAccessResult access_lor_other(CPUARMState *env,
+                                       const ARMCPRegInfo *ri, bool isread)
+{
+    if (arm_is_secure_below_el3(env)) {
+        /* Access denied in secure mode.  */
+        return CP_ACCESS_TRAP;
+    }
+    return access_lor_ns(env);
+}
+
 void register_cp_regs_for_features(ARMCPU *cpu)
 {
     /* Register all the coprocessor registers based on feature bits */
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
         define_one_arm_cp_reg(cpu, &sctlr);
     }
 
+    if (cpu_isar_feature(aa64_lor, cpu)) {
+        /*
+         * A trivial implementation of ARMv8.1-LOR leaves all of these
+         * registers fixed at 0, which indicates that there are zero
+         * supported Limited Ordering regions.
+         */
+        static const ARMCPRegInfo lor_reginfo[] = {
+            { .name = "LORSA_EL1", .state = ARM_CP_STATE_AA64,
+              .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 0,
+              .access = PL1_RW, .accessfn = access_lor_other,
+              .type = ARM_CP_CONST, .resetvalue = 0 },
+            { .name = "LOREA_EL1", .state = ARM_CP_STATE_AA64,
+              .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 1,
+              .access = PL1_RW, .accessfn = access_lor_other,
+              .type = ARM_CP_CONST, .resetvalue = 0 },
+            { .name = "LORN_EL1", .state = ARM_CP_STATE_AA64,
+              .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 2,
+              .access = PL1_RW, .accessfn = access_lor_other,
+              .type = ARM_CP_CONST, .resetvalue = 0 },
+            { .name = "LORC_EL1", .state = ARM_CP_STATE_AA64,
+              .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 3,
+              .access = PL1_RW, .accessfn = access_lor_other,
+              .type = ARM_CP_CONST, .resetvalue = 0 },
+            { .name = "LORID_EL1", .state = ARM_CP_STATE_AA64,
+              .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 7,
+              .access = PL1_R, .accessfn = access_lorid,
+              .type = ARM_CP_CONST, .resetvalue = 0 },
+            REGINFO_SENTINEL
+        };
+        define_arm_cp_regs(cpu, lor_reginfo);
+    }
+
     if (cpu_isar_feature(aa64_sve, cpu)) {
         define_one_arm_cp_reg(cpu, &zcr_el1_reginfo);
         if (arm_feature(env, ARM_FEATURE_EL2)) {
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_ldst_excl(DisasContext *s, uint32_t insn)
         }
         return;
 
+    case 0x8: /* STLLR */
+        if (!dc_isar_feature(aa64_lor, s)) {
+            break;
+        }
+        /* StoreLORelease is the same as Store-Release for QEMU.  */
+        /* fall through */
     case 0x9: /* STLR */
         /* Generate ISS for non-exclusive accesses including LASR.  */
         if (rn == 31) {
@@ -XXX,XX +XXX,XX @@ static void disas_ldst_excl(DisasContext *s, uint32_t insn)
                   disas_ldst_compute_iss_sf(size, false, 0), is_lasr);
         return;
 
+    case 0xc: /* LDLAR */
+        if (!dc_isar_feature(aa64_lor, s)) {
+            break;
+        }
+        /* LoadLOAcquire is the same as Load-Acquire for QEMU.  */
+        /* fall through */
     case 0xd: /* LDAR */
         /* Generate ISS for non-exclusive accesses including LASR.  */
         if (rn == 31) {
-- 
2.19.2

First arm pullreq of 4.2...

thanks
-- PMM

The following changes since commit 27608c7c66bd923eb5e5faab80e795408cbe2b51:

Merge remote-tracking branch 'remotes/dgilbert/tags/pull-migration-20190814a' into staging (2019-08-16 12:00:18 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190816

for you to fetch changes up to 664b7e3b97d6376f3329986c465b3782458b0f8b:

target/arm: Use tcg_gen_extrh_i64_i32 to extract the high word (2019-08-16 14:02:53 +0100)

----------------------------------------------------------------
target-arm queue:
 * target/arm: generate a custom MIDR for -cpu max
 * hw/misc/zynq_slcr: refactor to use standard register definition
 * Set ENET_BD_BDU in I.MX FEC controller
 * target/arm: Fix routing of singlestep exceptions
 * refactor a32/t32 decoder handling of PC
 * minor optimisations/cleanups of some a32/t32 codegen
 * target/arm/cpu64: Ensure kvm really supports aarch64=off
 * target/arm/cpu: Ensure we can use the pmu with kvm
 * target/arm: Minor cleanups preparatory to KVM SVE support

----------------------------------------------------------------
Aaron Hill (1):
      Set ENET_BD_BDU in I.MX FEC controller

Alex Bennée (1):
      target/arm: generate a custom MIDR for -cpu max

Andrew Jones (6):
      target/arm/cpu64: Ensure kvm really supports aarch64=off
      target/arm/cpu: Ensure we can use the pmu with kvm
      target/arm/helper: zcr: Add build bug next to value range assumption
      target/arm/cpu: Use div-round-up to determine predicate register array size
      target/arm/kvm64: Fix error returns
      target/arm/kvm64: Move the get/put of fpsimd registers out

Damien Hedde (1):
      hw/misc/zynq_slcr: use standard register definition

Peter Maydell (2):
      target/arm: Factor out 'generate singlestep exception' function
      target/arm: Fix routing of singlestep exceptions

Richard Henderson (18):
      target/arm: Pass in pc to thumb_insn_is_16bit
      target/arm: Introduce pc_curr
      target/arm: Introduce read_pc
      target/arm: Introduce add_reg_for_lit
      target/arm: Remove redundant s->pc & ~1
      target/arm: Replace s->pc with s->base.pc_next
      target/arm: Replace offset with pc in gen_exception_insn
      target/arm: Replace offset with pc in gen_exception_internal_insn
      target/arm: Remove offset argument to gen_exception_bkpt_insn
      target/arm: Use unallocated_encoding for aarch32
      target/arm: Remove helper_double_saturate
      target/arm: Use tcg_gen_extract_i32 for shifter_out_im
      target/arm: Use tcg_gen_deposit_i32 for PKHBT, PKHTB
      target/arm: Remove redundant shift tests
      target/arm: Use ror32 instead of open-coding the operation
      target/arm: Use tcg_gen_rotri_i32 for gen_swap_half
      target/arm: Simplify SMMLA, SMMLAR, SMMLS, SMMLSR
      target/arm: Use tcg_gen_extrh_i64_i32 to extract the high word

From: Alex Bennée <alex.bennee@linaro.org>

While most features are now detected by probing the ID_* registers
kernels can (and do) use MIDR_EL1 for working out of they have to
apply errata. This can trip up warnings in the kernel as it tries to
work out if it should apply workarounds to features that don't
actually exist in the reported CPU type.

Avoid this problem by synthesising our own MIDR value.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190726113950.7499-1-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h   |  6 ++++++
 target/arm/cpu64.c | 19 +++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ FIELD(V7M_FPCCR, ASPEN, 31, 1)
 /*
  * System register ID fields.
  */
+FIELD(MIDR_EL1, REVISION, 0, 4)
+FIELD(MIDR_EL1, PARTNUM, 4, 12)
+FIELD(MIDR_EL1, ARCHITECTURE, 16, 4)
+FIELD(MIDR_EL1, VARIANT, 20, 4)
+FIELD(MIDR_EL1, IMPLEMENTER, 24, 8)
+
 FIELD(ID_ISAR0, SWAP, 0, 4)
 FIELD(ID_ISAR0, BITCOUNT, 4, 4)
 FIELD(ID_ISAR0, BITFIELD, 8, 4)
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
         uint32_t u;
         aarch64_a57_initfn(obj);
 
+        /*
+         * Reset MIDR so the guest doesn't mistake our 'max' CPU type for a real
+         * one and try to apply errata workarounds or use impdef features we
+         * don't provide.
+         * An IMPLEMENTER field of 0 means "reserved for software use";
+         * ARCHITECTURE must be 0xf indicating "v7 or later, check ID registers
+         * to see which features are present";
+         * the VARIANT, PARTNUM and REVISION fields are all implementation
+         * defined and we choose to define PARTNUM just in case guest
+         * code needs to distinguish this QEMU CPU from other software
+         * implementations, though this shouldn't be needed.
+         */
+        t = FIELD_DP64(0, MIDR_EL1, IMPLEMENTER, 0);
+        t = FIELD_DP64(t, MIDR_EL1, ARCHITECTURE, 0xf);
+        t = FIELD_DP64(t, MIDR_EL1, PARTNUM, 'Q');
+        t = FIELD_DP64(t, MIDR_EL1, VARIANT, 0);
+        t = FIELD_DP64(t, MIDR_EL1, REVISION, 0);
+        cpu->midr = t;
+
         t = cpu->isar.id_aa64isar0;
         t = FIELD_DP64(t, ID_AA64ISAR0, AES, 2); /* AES + PMULL */
         t = FIELD_DP64(t, ID_AA64ISAR0, SHA1, 1);
-- 
2.20.1

From: Damien Hedde <damien.hedde@greensocs.com>

Replace the zynq_slcr registers enum and macros using the
hw/registerfields.h macros.

Signed-off-by: Damien Hedde <damien.hedde@greensocs.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20190729145654.14644-30-damien.hedde@greensocs.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/zynq_slcr.c | 450 ++++++++++++++++++++++----------------------
 1 file changed, 225 insertions(+), 225 deletions(-)

diff --git a/hw/misc/zynq_slcr.c b/hw/misc/zynq_slcr.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/zynq_slcr.c
+++ b/hw/misc/zynq_slcr.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/sysemu.h"
 #include "qemu/log.h"
 #include "qemu/module.h"
+#include "hw/registerfields.h"
 
 #ifndef ZYNQ_SLCR_ERR_DEBUG
 #define ZYNQ_SLCR_ERR_DEBUG 0
@@ -XXX,XX +XXX,XX @@
 #define XILINX_LOCK_KEY 0x767b
 #define XILINX_UNLOCK_KEY 0xdf0d
 
-#define R_PSS_RST_CTRL_SOFT_RST 0x1
+REG32(SCL, 0x000)
+REG32(LOCK, 0x004)
+REG32(UNLOCK, 0x008)
+REG32(LOCKSTA, 0x00c)
 
-enum {
-    SCL             = 0x000 / 4,
-    LOCK,
-    UNLOCK,
-    LOCKSTA,
+REG32(ARM_PLL_CTRL, 0x100)
+REG32(DDR_PLL_CTRL, 0x104)
+REG32(IO_PLL_CTRL, 0x108)
+REG32(PLL_STATUS, 0x10c)
+REG32(ARM_PLL_CFG, 0x110)
+REG32(DDR_PLL_CFG, 0x114)
+REG32(IO_PLL_CFG, 0x118)
 
-    ARM_PLL_CTRL    = 0x100 / 4,
-    DDR_PLL_CTRL,
-    IO_PLL_CTRL,
-    PLL_STATUS,
-    ARM_PLL_CFG,
-    DDR_PLL_CFG,
-    IO_PLL_CFG,
-
-    ARM_CLK_CTRL    = 0x120 / 4,
-    DDR_CLK_CTRL,
-    DCI_CLK_CTRL,
-    APER_CLK_CTRL,
-    USB0_CLK_CTRL,
-    USB1_CLK_CTRL,
-    GEM0_RCLK_CTRL,
-    GEM1_RCLK_CTRL,
-    GEM0_CLK_CTRL,
-    GEM1_CLK_CTRL,
-    SMC_CLK_CTRL,
-    LQSPI_CLK_CTRL,
-    SDIO_CLK_CTRL,
-    UART_CLK_CTRL,
-    SPI_CLK_CTRL,
-    CAN_CLK_CTRL,
-    CAN_MIOCLK_CTRL,
-    DBG_CLK_CTRL,
-    PCAP_CLK_CTRL,
-    TOPSW_CLK_CTRL,
+REG32(ARM_CLK_CTRL, 0x120)
+REG32(DDR_CLK_CTRL, 0x124)
+REG32(DCI_CLK_CTRL, 0x128)
+REG32(APER_CLK_CTRL, 0x12c)
+REG32(USB0_CLK_CTRL, 0x130)
+REG32(USB1_CLK_CTRL, 0x134)
+REG32(GEM0_RCLK_CTRL, 0x138)
+REG32(GEM1_RCLK_CTRL, 0x13c)
+REG32(GEM0_CLK_CTRL, 0x140)
+REG32(GEM1_CLK_CTRL, 0x144)
+REG32(SMC_CLK_CTRL, 0x148)
+REG32(LQSPI_CLK_CTRL, 0x14c)
+REG32(SDIO_CLK_CTRL, 0x150)
+REG32(UART_CLK_CTRL, 0x154)
+REG32(SPI_CLK_CTRL, 0x158)
+REG32(CAN_CLK_CTRL, 0x15c)
+REG32(CAN_MIOCLK_CTRL, 0x160)
+REG32(DBG_CLK_CTRL, 0x164)
+REG32(PCAP_CLK_CTRL, 0x168)
+REG32(TOPSW_CLK_CTRL, 0x16c)
 
 #define FPGA_CTRL_REGS(n, start) \
-    FPGA ## n ## _CLK_CTRL = (start) / 4, \
-    FPGA ## n ## _THR_CTRL, \
-    FPGA ## n ## _THR_CNT, \
-    FPGA ## n ## _THR_STA,
-    FPGA_CTRL_REGS(0, 0x170)
-    FPGA_CTRL_REGS(1, 0x180)
-    FPGA_CTRL_REGS(2, 0x190)
-    FPGA_CTRL_REGS(3, 0x1a0)
+    REG32(FPGA ## n ## _CLK_CTRL, (start)) \
+    REG32(FPGA ## n ## _THR_CTRL, (start) + 0x4)\
+    REG32(FPGA ## n ## _THR_CNT,  (start) + 0x8)\
+    REG32(FPGA ## n ## _THR_STA,  (start) + 0xc)
+FPGA_CTRL_REGS(0, 0x170)
+FPGA_CTRL_REGS(1, 0x180)
+FPGA_CTRL_REGS(2, 0x190)
+FPGA_CTRL_REGS(3, 0x1a0)
 
-    BANDGAP_TRIP    = 0x1b8 / 4,
-    PLL_PREDIVISOR  = 0x1c0 / 4,
-    CLK_621_TRUE,
+REG32(BANDGAP_TRIP, 0x1b8)
+REG32(PLL_PREDIVISOR, 0x1c0)
+REG32(CLK_621_TRUE, 0x1c4)
 
-    PSS_RST_CTRL    = 0x200 / 4,
-    DDR_RST_CTRL,
-    TOPSW_RESET_CTRL,
-    DMAC_RST_CTRL,
-    USB_RST_CTRL,
-    GEM_RST_CTRL,
-    SDIO_RST_CTRL,
-    SPI_RST_CTRL,
-    CAN_RST_CTRL,
-    I2C_RST_CTRL,
-    UART_RST_CTRL,
-    GPIO_RST_CTRL,
-    LQSPI_RST_CTRL,
-    SMC_RST_CTRL,
-    OCM_RST_CTRL,
-    FPGA_RST_CTRL   = 0x240 / 4,
-    A9_CPU_RST_CTRL,
+REG32(PSS_RST_CTRL, 0x200)
+    FIELD(PSS_RST_CTRL, SOFT_RST, 0, 1)
+REG32(DDR_RST_CTRL, 0x204)
+REG32(TOPSW_RESET_CTRL, 0x208)
+REG32(DMAC_RST_CTRL, 0x20c)
+REG32(USB_RST_CTRL, 0x210)
+REG32(GEM_RST_CTRL, 0x214)
+REG32(SDIO_RST_CTRL, 0x218)
+REG32(SPI_RST_CTRL, 0x21c)
+REG32(CAN_RST_CTRL, 0x220)
+REG32(I2C_RST_CTRL, 0x224)
+REG32(UART_RST_CTRL, 0x228)
+REG32(GPIO_RST_CTRL, 0x22c)
+REG32(LQSPI_RST_CTRL, 0x230)
+REG32(SMC_RST_CTRL, 0x234)
+REG32(OCM_RST_CTRL, 0x238)
+REG32(FPGA_RST_CTRL, 0x240)
+REG32(A9_CPU_RST_CTRL, 0x244)
 
-    RS_AWDT_CTRL    = 0x24c / 4,
-    RST_REASON,
+REG32(RS_AWDT_CTRL, 0x24c)
+REG32(RST_REASON, 0x250)
 
-    REBOOT_STATUS   = 0x258 / 4,
-    BOOT_MODE,
+REG32(REBOOT_STATUS, 0x258)
+REG32(BOOT_MODE, 0x25c)
 
-    APU_CTRL        = 0x300 / 4,
-    WDT_CLK_SEL,
+REG32(APU_CTRL, 0x300)
+REG32(WDT_CLK_SEL, 0x304)
 
-    TZ_DMA_NS       = 0x440 / 4,
-    TZ_DMA_IRQ_NS,
-    TZ_DMA_PERIPH_NS,
+REG32(TZ_DMA_NS, 0x440)
+REG32(TZ_DMA_IRQ_NS, 0x444)
+REG32(TZ_DMA_PERIPH_NS, 0x448)
 
-    PSS_IDCODE      = 0x530 / 4,
+REG32(PSS_IDCODE, 0x530)
 
-    DDR_URGENT      = 0x600 / 4,
-    DDR_CAL_START   = 0x60c / 4,
-    DDR_REF_START   = 0x614 / 4,
-    DDR_CMD_STA,
-    DDR_URGENT_SEL,
-    DDR_DFI_STATUS,
+REG32(DDR_URGENT, 0x600)
+REG32(DDR_CAL_START, 0x60c)
+REG32(DDR_REF_START, 0x614)
+REG32(DDR_CMD_STA, 0x618)
+REG32(DDR_URGENT_SEL, 0x61c)
+REG32(DDR_DFI_STATUS, 0x620)
 
-    MIO             = 0x700 / 4,
+REG32(MIO, 0x700)
 #define MIO_LENGTH 54
 
-    MIO_LOOPBACK    = 0x804 / 4,
-    MIO_MST_TRI0,
-    MIO_MST_TRI1,
+REG32(MIO_LOOPBACK, 0x804)
+REG32(MIO_MST_TRI0, 0x808)
+REG32(MIO_MST_TRI1, 0x80c)
 
-    SD0_WP_CD_SEL   = 0x830 / 4,
-    SD1_WP_CD_SEL,
+REG32(SD0_WP_CD_SEL, 0x830)
+REG32(SD1_WP_CD_SEL, 0x834)
 
-    LVL_SHFTR_EN    = 0x900 / 4,
-    OCM_CFG         = 0x910 / 4,
+REG32(LVL_SHFTR_EN, 0x900)
+REG32(OCM_CFG, 0x910)
 
-    CPU_RAM         = 0xa00 / 4,
+REG32(CPU_RAM, 0xa00)
 
-    IOU             = 0xa30 / 4,
+REG32(IOU, 0xa30)
 
-    DMAC_RAM        = 0xa50 / 4,
+REG32(DMAC_RAM, 0xa50)
 
-    AFI0            = 0xa60 / 4,
-    AFI1 = AFI0 + 3,
-    AFI2 = AFI1 + 3,
-    AFI3 = AFI2 + 3,
+REG32(AFI0, 0xa60)
+REG32(AFI1, 0xa6c)
+REG32(AFI2, 0xa78)
+REG32(AFI3, 0xa84)
 #define AFI_LENGTH 3
 
-    OCM             = 0xa90 / 4,
+REG32(OCM, 0xa90)
 
-    DEVCI_RAM       = 0xaa0 / 4,
+REG32(DEVCI_RAM, 0xaa0)
 
-    CSG_RAM         = 0xab0 / 4,
+REG32(CSG_RAM, 0xab0)
 
-    GPIOB_CTRL      = 0xb00 / 4,
-    GPIOB_CFG_CMOS18,
-    GPIOB_CFG_CMOS25,
-    GPIOB_CFG_CMOS33,
-    GPIOB_CFG_HSTL  = 0xb14 / 4,
-    GPIOB_DRVR_BIAS_CTRL,
+REG32(GPIOB_CTRL, 0xb00)
+REG32(GPIOB_CFG_CMOS18, 0xb04)
+REG32(GPIOB_CFG_CMOS25, 0xb08)
+REG32(GPIOB_CFG_CMOS33, 0xb0c)
+REG32(GPIOB_CFG_HSTL, 0xb14)
+REG32(GPIOB_DRVR_BIAS_CTRL, 0xb18)
 
-    DDRIOB          = 0xb40 / 4,
+REG32(DDRIOB, 0xb40)
 #define DDRIOB_LENGTH 14
-};
 
 #define ZYNQ_SLCR_MMIO_SIZE     0x1000
 #define ZYNQ_SLCR_NUM_REGS      (ZYNQ_SLCR_MMIO_SIZE / 4)
@@ -XXX,XX +XXX,XX @@ static void zynq_slcr_reset(DeviceState *d)
 
     DB_PRINT("RESET\n");
 
-    s->regs[LOCKSTA] = 1;
+    s->regs[R_LOCKSTA] = 1;
     /* 0x100 - 0x11C */
-    s->regs[ARM_PLL_CTRL]   = 0x0001A008;
-    s->regs[DDR_PLL_CTRL]   = 0x0001A008;
-    s->regs[IO_PLL_CTRL]    = 0x0001A008;
-    s->regs[PLL_STATUS]     = 0x0000003F;
-    s->regs[ARM_PLL_CFG]    = 0x00014000;
-    s->regs[DDR_PLL_CFG]    = 0x00014000;
-    s->regs[IO_PLL_CFG]     = 0x00014000;
+    s->regs[R_ARM_PLL_CTRL]   = 0x0001A008;
+    s->regs[R_DDR_PLL_CTRL]   = 0x0001A008;
+    s->regs[R_IO_PLL_CTRL]    = 0x0001A008;
+    s->regs[R_PLL_STATUS]     = 0x0000003F;
+    s->regs[R_ARM_PLL_CFG]    = 0x00014000;
+    s->regs[R_DDR_PLL_CFG]    = 0x00014000;
+    s->regs[R_IO_PLL_CFG]     = 0x00014000;
 
     /* 0x120 - 0x16C */
-    s->regs[ARM_CLK_CTRL]   = 0x1F000400;
-    s->regs[DDR_CLK_CTRL]   = 0x18400003;
-    s->regs[DCI_CLK_CTRL]   = 0x01E03201;
-    s->regs[APER_CLK_CTRL]  = 0x01FFCCCD;
-    s->regs[USB0_CLK_CTRL]  = s->regs[USB1_CLK_CTRL]    = 0x00101941;
-    s->regs[GEM0_RCLK_CTRL] = s->regs[GEM1_RCLK_CTRL]   = 0x00000001;
-    s->regs[GEM0_CLK_CTRL]  = s->regs[GEM1_CLK_CTRL]    = 0x00003C01;
-    s->regs[SMC_CLK_CTRL]   = 0x00003C01;
-    s->regs[LQSPI_CLK_CTRL] = 0x00002821;
-    s->regs[SDIO_CLK_CTRL]  = 0x00001E03;
-    s->regs[UART_CLK_CTRL]  = 0x00003F03;
-    s->regs[SPI_CLK_CTRL]   = 0x00003F03;
-    s->regs[CAN_CLK_CTRL]   = 0x00501903;
-    s->regs[DBG_CLK_CTRL]   = 0x00000F03;
-    s->regs[PCAP_CLK_CTRL]  = 0x00000F01;
+    s->regs[R_ARM_CLK_CTRL]   = 0x1F000400;
+    s->regs[R_DDR_CLK_CTRL]   = 0x18400003;
+    s->regs[R_DCI_CLK_CTRL]   = 0x01E03201;
+    s->regs[R_APER_CLK_CTRL]  = 0x01FFCCCD;
+    s->regs[R_USB0_CLK_CTRL]  = s->regs[R_USB1_CLK_CTRL]  = 0x00101941;
+    s->regs[R_GEM0_RCLK_CTRL] = s->regs[R_GEM1_RCLK_CTRL] = 0x00000001;
+    s->regs[R_GEM0_CLK_CTRL]  = s->regs[R_GEM1_CLK_CTRL]  = 0x00003C01;
+    s->regs[R_SMC_CLK_CTRL]   = 0x00003C01;
+    s->regs[R_LQSPI_CLK_CTRL] = 0x00002821;
+    s->regs[R_SDIO_CLK_CTRL]  = 0x00001E03;
+    s->regs[R_UART_CLK_CTRL]  = 0x00003F03;
+    s->regs[R_SPI_CLK_CTRL]   = 0x00003F03;
+    s->regs[R_CAN_CLK_CTRL]   = 0x00501903;
+    s->regs[R_DBG_CLK_CTRL]   = 0x00000F03;
+    s->regs[R_PCAP_CLK_CTRL]  = 0x00000F01;
 
     /* 0x170 - 0x1AC */
-    s->regs[FPGA0_CLK_CTRL] = s->regs[FPGA1_CLK_CTRL] = s->regs[FPGA2_CLK_CTRL]
-                            = s->regs[FPGA3_CLK_CTRL] = 0x00101800;
-    s->regs[FPGA0_THR_STA] = s->regs[FPGA1_THR_STA] = s->regs[FPGA2_THR_STA]
-                           = s->regs[FPGA3_THR_STA] = 0x00010000;
+    s->regs[R_FPGA0_CLK_CTRL] = s->regs[R_FPGA1_CLK_CTRL]
+                              = s->regs[R_FPGA2_CLK_CTRL]
+                              = s->regs[R_FPGA3_CLK_CTRL] = 0x00101800;
+    s->regs[R_FPGA0_THR_STA] = s->regs[R_FPGA1_THR_STA]
+                             = s->regs[R_FPGA2_THR_STA]
+                             = s->regs[R_FPGA3_THR_STA] = 0x00010000;
 
     /* 0x1B0 - 0x1D8 */
-    s->regs[BANDGAP_TRIP]   = 0x0000001F;
-    s->regs[PLL_PREDIVISOR] = 0x00000001;
-    s->regs[CLK_621_TRUE]   = 0x00000001;
+    s->regs[R_BANDGAP_TRIP]   = 0x0000001F;
+    s->regs[R_PLL_PREDIVISOR] = 0x00000001;
+    s->regs[R_CLK_621_TRUE]   = 0x00000001;
 
     /* 0x200 - 0x25C */
-    s->regs[FPGA_RST_CTRL]  = 0x01F33F0F;
-    s->regs[RST_REASON]     = 0x00000040;
+    s->regs[R_FPGA_RST_CTRL]  = 0x01F33F0F;
+    s->regs[R_RST_REASON]     = 0x00000040;
 
-    s->regs[BOOT_MODE]      = 0x00000001;
+    s->regs[R_BOOT_MODE]      = 0x00000001;
 
     /* 0x700 - 0x7D4 */
     for (i = 0; i < 54; i++) {
-        s->regs[MIO + i] = 0x00001601;
+        s->regs[R_MIO + i] = 0x00001601;
     }
     for (i = 2; i <= 8; i++) {
-        s->regs[MIO + i] = 0x00000601;
+        s->regs[R_MIO + i] = 0x00000601;
     }
 
-    s->regs[MIO_MST_TRI0] = s->regs[MIO_MST_TRI1] = 0xFFFFFFFF;
+    s->regs[R_MIO_MST_TRI0] = s->regs[R_MIO_MST_TRI1] = 0xFFFFFFFF;
 
-    s->regs[CPU_RAM + 0] = s->regs[CPU_RAM + 1] = s->regs[CPU_RAM + 3]
-                         = s->regs[CPU_RAM + 4] = s->regs[CPU_RAM + 7]
-                         = 0x00010101;
-    s->regs[CPU_RAM + 2] = s->regs[CPU_RAM + 5] = 0x01010101;
-    s->regs[CPU_RAM + 6] = 0x00000001;
+    s->regs[R_CPU_RAM + 0] = s->regs[R_CPU_RAM + 1] = s->regs[R_CPU_RAM + 3]
+                           = s->regs[R_CPU_RAM + 4] = s->regs[R_CPU_RAM + 7]
+                           = 0x00010101;
+    s->regs[R_CPU_RAM + 2] = s->regs[R_CPU_RAM + 5] = 0x01010101;
+    s->regs[R_CPU_RAM + 6] = 0x00000001;
 
-    s->regs[IOU + 0] = s->regs[IOU + 1] = s->regs[IOU + 2] = s->regs[IOU + 3]
-                     = 0x09090909;
-    s->regs[IOU + 4] = s->regs[IOU + 5] = 0x00090909;
-    s->regs[IOU + 6] = 0x00000909;
+    s->regs[R_IOU + 0] = s->regs[R_IOU + 1] = s->regs[R_IOU + 2]
+                       = s->regs[R_IOU + 3] = 0x09090909;
+    s->regs[R_IOU + 4] = s->regs[R_IOU + 5] = 0x00090909;
+    s->regs[R_IOU + 6] = 0x00000909;
 
-    s->regs[DMAC_RAM] = 0x00000009;
+    s->regs[R_DMAC_RAM] = 0x00000009;
 
-    s->regs[AFI0 + 0] = s->regs[AFI0 + 1] = 0x09090909;
-    s->regs[AFI1 + 0] = s->regs[AFI1 + 1] = 0x09090909;
-    s->regs[AFI2 + 0] = s->regs[AFI2 + 1] = 0x09090909;
-    s->regs[AFI3 + 0] = s->regs[AFI3 + 1] = 0x09090909;
-    s->regs[AFI0 + 2] = s->regs[AFI1 + 2] = s->regs[AFI2 + 2]
-                      = s->regs[AFI3 + 2] = 0x00000909;
+    s->regs[R_AFI0 + 0] = s->regs[R_AFI0 + 1] = 0x09090909;
+    s->regs[R_AFI1 + 0] = s->regs[R_AFI1 + 1] = 0x09090909;
+    s->regs[R_AFI2 + 0] = s->regs[R_AFI2 + 1] = 0x09090909;
+    s->regs[R_AFI3 + 0] = s->regs[R_AFI3 + 1] = 0x09090909;
+    s->regs[R_AFI0 + 2] = s->regs[R_AFI1 + 2] = s->regs[R_AFI2 + 2]
+                        = s->regs[R_AFI3 + 2] = 0x00000909;
 
-    s->regs[OCM + 0]    = 0x01010101;
-    s->regs[OCM + 1]    = s->regs[OCM + 2] = 0x09090909;
+    s->regs[R_OCM + 0] = 0x01010101;
+    s->regs[R_OCM + 1] = s->regs[R_OCM + 2] = 0x09090909;
 
-    s->regs[DEVCI_RAM]  = 0x00000909;
-    s->regs[CSG_RAM]    = 0x00000001;
+    s->regs[R_DEVCI_RAM] = 0x00000909;
+    s->regs[R_CSG_RAM]   = 0x00000001;
 
-    s->regs[DDRIOB + 0] = s->regs[DDRIOB + 1] = s->regs[DDRIOB + 2]
-                        = s->regs[DDRIOB + 3] = 0x00000e00;
-    s->regs[DDRIOB + 4] = s->regs[DDRIOB + 5] = s->regs[DDRIOB + 6]
-                        = 0x00000e00;
-    s->regs[DDRIOB + 12] = 0x00000021;
+    s->regs[R_DDRIOB + 0] = s->regs[R_DDRIOB + 1] = s->regs[R_DDRIOB + 2]
+                          = s->regs[R_DDRIOB + 3] = 0x00000e00;
+    s->regs[R_DDRIOB + 4] = s->regs[R_DDRIOB + 5] = s->regs[R_DDRIOB + 6]
+                          = 0x00000e00;
+    s->regs[R_DDRIOB + 12] = 0x00000021;
 }
 
 
 static bool zynq_slcr_check_offset(hwaddr offset, bool rnw)
 {
     switch (offset) {
-    case LOCK:
-    case UNLOCK:
-    case DDR_CAL_START:
-    case DDR_REF_START:
+    case R_LOCK:
+    case R_UNLOCK:
+    case R_DDR_CAL_START:
+    case R_DDR_REF_START:
         return !rnw; /* Write only */
-    case LOCKSTA:
-    case FPGA0_THR_STA:
-    case FPGA1_THR_STA:
-    case FPGA2_THR_STA:
-    case FPGA3_THR_STA:
-    case BOOT_MODE:
-    case PSS_IDCODE:
-    case DDR_CMD_STA:
-    case DDR_DFI_STATUS:
-    case PLL_STATUS:
+    case R_LOCKSTA:
+    case R_FPGA0_THR_STA:
+    case R_FPGA1_THR_STA:
+    case R_FPGA2_THR_STA:
+    case R_FPGA3_THR_STA:
+    case R_BOOT_MODE:
+    case R_PSS_IDCODE:
+    case R_DDR_CMD_STA:
+    case R_DDR_DFI_STATUS:
+    case R_PLL_STATUS:
         return rnw;/* read only */
-    case SCL:
-    case ARM_PLL_CTRL ... IO_PLL_CTRL:
-    case ARM_PLL_CFG ... IO_PLL_CFG:
-    case ARM_CLK_CTRL ... TOPSW_CLK_CTRL:
-    case FPGA0_CLK_CTRL ... FPGA0_THR_CNT:
-    case FPGA1_CLK_CTRL ... FPGA1_THR_CNT:
-    case FPGA2_CLK_CTRL ... FPGA2_THR_CNT:
-    case FPGA3_CLK_CTRL ... FPGA3_THR_CNT:
-    case BANDGAP_TRIP:
-    case PLL_PREDIVISOR:
-    case CLK_621_TRUE:
-    case PSS_RST_CTRL ... A9_CPU_RST_CTRL:
-    case RS_AWDT_CTRL:
-    case RST_REASON:
-    case REBOOT_STATUS:
-    case APU_CTRL:
-    case WDT_CLK_SEL:
-    case TZ_DMA_NS ... TZ_DMA_PERIPH_NS:
-    case DDR_URGENT:
-    case DDR_URGENT_SEL:
-    case MIO ... MIO + MIO_LENGTH - 1:
-    case MIO_LOOPBACK ... MIO_MST_TRI1:
-    case SD0_WP_CD_SEL:
-    case SD1_WP_CD_SEL:
-    case LVL_SHFTR_EN:
-    case OCM_CFG:
-    case CPU_RAM:
-    case IOU:
-    case DMAC_RAM:
-    case AFI0 ... AFI3 + AFI_LENGTH - 1:
-    case OCM:
-    case DEVCI_RAM:
-    case CSG_RAM:
-    case GPIOB_CTRL ... GPIOB_CFG_CMOS33:
-    case GPIOB_CFG_HSTL:
-    case GPIOB_DRVR_BIAS_CTRL:
-    case DDRIOB ... DDRIOB + DDRIOB_LENGTH - 1:
+    case R_SCL:
+    case R_ARM_PLL_CTRL ... R_IO_PLL_CTRL:
+    case R_ARM_PLL_CFG ... R_IO_PLL_CFG:
+    case R_ARM_CLK_CTRL ... R_TOPSW_CLK_CTRL:
+    case R_FPGA0_CLK_CTRL ... R_FPGA0_THR_CNT:
+    case R_FPGA1_CLK_CTRL ... R_FPGA1_THR_CNT:
+    case R_FPGA2_CLK_CTRL ... R_FPGA2_THR_CNT:
+    case R_FPGA3_CLK_CTRL ... R_FPGA3_THR_CNT:
+    case R_BANDGAP_TRIP:
+    case R_PLL_PREDIVISOR:
+    case R_CLK_621_TRUE:
+    case R_PSS_RST_CTRL ... R_A9_CPU_RST_CTRL:
+    case R_RS_AWDT_CTRL:
+    case R_RST_REASON:
+    case R_REBOOT_STATUS:
+    case R_APU_CTRL:
+    case R_WDT_CLK_SEL:
+    case R_TZ_DMA_NS ... R_TZ_DMA_PERIPH_NS:
+    case R_DDR_URGENT:
+    case R_DDR_URGENT_SEL:
+    case R_MIO ... R_MIO + MIO_LENGTH - 1:
+    case R_MIO_LOOPBACK ... R_MIO_MST_TRI1:
+    case R_SD0_WP_CD_SEL:
+    case R_SD1_WP_CD_SEL:
+    case R_LVL_SHFTR_EN:
+    case R_OCM_CFG:
+    case R_CPU_RAM:
+    case R_IOU:
+    case R_DMAC_RAM:
+    case R_AFI0 ... R_AFI3 + AFI_LENGTH - 1:
+    case R_OCM:
+    case R_DEVCI_RAM:
+    case R_CSG_RAM:
+    case R_GPIOB_CTRL ... R_GPIOB_CFG_CMOS33:
+    case R_GPIOB_CFG_HSTL:
+    case R_GPIOB_DRVR_BIAS_CTRL:
+    case R_DDRIOB ... R_DDRIOB + DDRIOB_LENGTH - 1:
         return true;
     default:
         return false;
@@ -XXX,XX +XXX,XX @@ static void zynq_slcr_write(void *opaque, hwaddr offset,
     }
 
     switch (offset) {
-    case SCL:
-        s->regs[SCL] = val & 0x1;
+    case R_SCL:
+        s->regs[R_SCL] = val & 0x1;
         return;
-    case LOCK:
+    case R_LOCK:
         if ((val & 0xFFFF) == XILINX_LOCK_KEY) {
             DB_PRINT("XILINX LOCK 0xF8000000 + 0x%x <= 0x%x\n", (int)offset,
                 (unsigned)val & 0xFFFF);
-            s->regs[LOCKSTA] = 1;
+            s->regs[R_LOCKSTA] = 1;
         } else {
             DB_PRINT("WRONG XILINX LOCK KEY 0xF8000000 + 0x%x <= 0x%x\n",
                 (int)offset, (unsigned)val & 0xFFFF);
         }
         return;
-    case UNLOCK:
+    case R_UNLOCK:
         if ((val & 0xFFFF) == XILINX_UNLOCK_KEY) {
             DB_PRINT("XILINX UNLOCK 0xF8000000 + 0x%x <= 0x%x\n", (int)offset,
                 (unsigned)val & 0xFFFF);
-            s->regs[LOCKSTA] = 0;
+            s->regs[R_LOCKSTA] = 0;
         } else {
             DB_PRINT("WRONG XILINX UNLOCK KEY 0xF8000000 + 0x%x <= 0x%x\n",
                 (int)offset, (unsigned)val & 0xFFFF);
@@ -XXX,XX +XXX,XX @@ static void zynq_slcr_write(void *opaque, hwaddr offset,
         return;
     }
 
-    if (s->regs[LOCKSTA]) {
+    if (s->regs[R_LOCKSTA]) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "SCLR registers are locked. Unlock them first\n");
         return;
@@ -XXX,XX +XXX,XX @@ static void zynq_slcr_write(void *opaque, hwaddr offset,
     s->regs[offset] = val;
 
     switch (offset) {
-    case PSS_RST_CTRL:
-        if (val & R_PSS_RST_CTRL_SOFT_RST) {
+    case R_PSS_RST_CTRL:
+        if (FIELD_EX32(val, PSS_RST_CTRL, SOFT_RST)) {
             qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
         }
         break;
-- 
2.20.1

From: Aaron Hill <aa1ronham@gmail.com>

This commit properly sets the ENET_BD_BDU flag once the emulated FEC controller
has finished processing the last descriptor. This is done for both transmit
and receive descriptors.

This allows the QNX 7.0.0 BSP for the Sabrelite board (which can be
found at http://blackberry.qnx.com/en/developers/bsp) to properly
control the FEC. Without this patch, the BSP ethernet driver will never
re-use FEC descriptors, as the unset ENET_BD_BDU flag will cause
it to believe that the descriptors are still in use by the NIC.

Note that Linux does not appear to use this field at all, and is
unaffected by this patch.

Without this patch, QNX will think that the NIC is still processing its
transaction descriptors, and won't send any more data over the network.

For reference:

On page 1192 of the I.MX 6DQ reference manual revision (Rev. 5, 06/2018),
which can be found at https://www.nxp.com/products/processors-and-microcontrollers/arm-based-processors-and-mcus/i.mx-applications-processors/i.mx-6-processors/i.mx-6quad-processors-high-performance-3d-graphics-hd-video-arm-cortex-a9-core:i.MX6Q?&tab=Documentation_Tab&linkline=Application-Note

the 'BDU' field is described as follows for the 'Enhanced transmit
buffer descriptor':

'Last buffer descriptor update done. Indicates that the last BD data has been updated by
uDMA. This field is written by the user (=0) and uDMA (=1).'

The same description is used for the receive buffer descriptor.

Signed-off-by: Aaron Hill <aa1ronham@gmail.com>
Message-id: 20190805142417.10433-1-aaron.hill@alertinnovation.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/net/imx_fec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -XXX,XX +XXX,XX @@ static void imx_enet_do_tx(IMXFECState *s, uint32_t index)
             if (bd.option & ENET_BD_TX_INT) {
                 s->regs[ENET_EIR] |= int_txf;
             }
+            /* Indicate that we've updated the last buffer descriptor. */
+            bd.last_buffer = ENET_BD_BDU;
         }
         if (bd.option & ENET_BD_TX_INT) {
             s->regs[ENET_EIR] |= int_txb;
@@ -XXX,XX +XXX,XX @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
             /* Last buffer in frame.  */
             bd.flags |= flags | ENET_BD_L;
             FEC_PRINTF("rx frame flags %04x\n", bd.flags);
+            /* Indicate that we've updated the last buffer descriptor. */
+            bd.last_buffer = ENET_BD_BDU;
             if (bd.option & ENET_BD_RX_INT) {
                 s->regs[ENET_EIR] |= ENET_INT_RXF;
             }
-- 
2.20.1

Factor out code to 'generate a singlestep exception', which is
currently repeated in four places.

To do this we need to also pull the identical copies of the
gen-exception() function out of translate-a64.c and translate.c
into translate.h.

(There is a bug in the code: we're taking the exception to the wrong
target EL.  This will be simpler to fix if there's only one place to
do it.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20190805130952.4415-2-peter.maydell@linaro.org
---
 target/arm/translate.h     | 23 +++++++++++++++++++++++
 target/arm/translate-a64.c | 19 ++-----------------
 target/arm/translate.c     | 20 ++------------------
 3 files changed, 27 insertions(+), 35 deletions(-)

diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@
 #define TARGET_ARM_TRANSLATE_H
 
 #include "exec/translator.h"
+#include "internals.h"
 
 
 /* internal defines */
@@ -XXX,XX +XXX,XX @@ static inline void gen_ss_advance(DisasContext *s)
     }
 }
 
+static inline void gen_exception(int excp, uint32_t syndrome,
+                                 uint32_t target_el)
+{
+    TCGv_i32 tcg_excp = tcg_const_i32(excp);
+    TCGv_i32 tcg_syn = tcg_const_i32(syndrome);
+    TCGv_i32 tcg_el = tcg_const_i32(target_el);
+
+    gen_helper_exception_with_syndrome(cpu_env, tcg_excp,
+                                       tcg_syn, tcg_el);
+
+    tcg_temp_free_i32(tcg_el);
+    tcg_temp_free_i32(tcg_syn);
+    tcg_temp_free_i32(tcg_excp);
+}
+
+/* Generate an architectural singlestep exception */
+static inline void gen_swstep_exception(DisasContext *s, int isv, int ex)
+{
+    gen_exception(EXCP_UDEF, syn_swstep(s->ss_same_el, isv, ex),
+                  default_exception_el(s));
+}
+
 /*
  * Given a VFP floating point constant encoded into an 8 bit immediate in an
  * instruction, expand it to the actual constant value of the specified
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
     tcg_temp_free_i32(tcg_excp);
 }
 
-static void gen_exception(int excp, uint32_t syndrome, uint32_t target_el)
-{
-    TCGv_i32 tcg_excp = tcg_const_i32(excp);
-    TCGv_i32 tcg_syn = tcg_const_i32(syndrome);
-    TCGv_i32 tcg_el = tcg_const_i32(target_el);
-
-    gen_helper_exception_with_syndrome(cpu_env, tcg_excp,
-                                       tcg_syn, tcg_el);
-    tcg_temp_free_i32(tcg_el);
-    tcg_temp_free_i32(tcg_syn);
-    tcg_temp_free_i32(tcg_excp);
-}
-
 static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
 {
     gen_a64_set_pc_im(s->pc - offset);
@@ -XXX,XX +XXX,XX @@ static void gen_step_complete_exception(DisasContext *s)
      * of the exception, and our syndrome information is always correct.
      */
     gen_ss_advance(s);
-    gen_exception(EXCP_UDEF, syn_swstep(s->ss_same_el, 1, s->is_ldex),
-                  default_exception_el(s));
+    gen_swstep_exception(s, 1, s->is_ldex);
     s->base.is_jmp = DISAS_NORETURN;
 }
 
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          * bits should be zero.
          */
         assert(dc->base.num_insns == 1);
-        gen_exception(EXCP_UDEF, syn_swstep(dc->ss_same_el, 0, 0),
-                      default_exception_el(dc));
+        gen_swstep_exception(dc, 0, 0);
         dc->base.is_jmp = DISAS_NORETURN;
     } else {
         disas_a64_insn(env, dc);
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
     tcg_temp_free_i32(tcg_excp);
 }
 
-static void gen_exception(int excp, uint32_t syndrome, uint32_t target_el)
-{
-    TCGv_i32 tcg_excp = tcg_const_i32(excp);
-    TCGv_i32 tcg_syn = tcg_const_i32(syndrome);
-    TCGv_i32 tcg_el = tcg_const_i32(target_el);
-
-    gen_helper_exception_with_syndrome(cpu_env, tcg_excp,
-                                       tcg_syn, tcg_el);
-
-    tcg_temp_free_i32(tcg_el);
-    tcg_temp_free_i32(tcg_syn);
-    tcg_temp_free_i32(tcg_excp);
-}
-
 static void gen_step_complete_exception(DisasContext *s)
 {
     /* We just completed step of an insn. Move from Active-not-pending
@@ -XXX,XX +XXX,XX @@ static void gen_step_complete_exception(DisasContext *s)
      * of the exception, and our syndrome information is always correct.
      */
     gen_ss_advance(s);
-    gen_exception(EXCP_UDEF, syn_swstep(s->ss_same_el, 1, s->is_ldex),
-                  default_exception_el(s));
+    gen_swstep_exception(s, 1, s->is_ldex);
     s->base.is_jmp = DISAS_NORETURN;
 }
 
@@ -XXX,XX +XXX,XX @@ static bool arm_pre_translate_insn(DisasContext *dc)
          * bits should be zero.
          */
         assert(dc->base.num_insns == 1);
-        gen_exception(EXCP_UDEF, syn_swstep(dc->ss_same_el, 0, 0),
-                      default_exception_el(dc));
+        gen_swstep_exception(dc, 0, 0);
         dc->base.is_jmp = DISAS_NORETURN;
         return true;
     }
-- 
2.20.1

When generating an architectural single-step exception we were
routing it to the "default exception level", which is to say
the same exception level we execute at except that EL0 exceptions
go to EL1. This is incorrect because the debug exception level
can be configured by the guest for situations such as single
stepping of EL0 and EL1 code by EL2.

We have to track the target debug exception level in the TB
flags, because it is dependent on CPU state like HCR_EL2.TGE
and MDCR_EL2.TDE. (That we were previously calling the
arm_debug_target_el() function to determine dc->ss_same_el
is itself a bug, though one that would only have manifested
as incorrect syndrome information.) Since we are out of TB
flag bits unless we want to expand into the cs_base field,
we share some bits with the M-profile only HANDLER and
STACKCHECK bits, since only A-profile has this singlestep.

Fixes: https://bugs.launchpad.net/qemu/+bug/1838913
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20190805130952.4415-3-peter.maydell@linaro.org
---
 target/arm/cpu.h           |  5 +++++
 target/arm/translate.h     | 15 +++++++++++----
 target/arm/helper.c        |  6 ++++++
 target/arm/translate-a64.c |  2 +-
 target/arm/translate.c     |  4 +++-
 5 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_ANY, PSTATE_SS, 26, 1)
 /* Target EL if we take a floating-point-disabled exception */
 FIELD(TBFLAG_ANY, FPEXC_EL, 24, 2)
 FIELD(TBFLAG_ANY, BE_DATA, 23, 1)
+/*
+ * For A-profile only, target EL for debug exceptions.
+ * Note that this overlaps with the M-profile-only HANDLER and STACKCHECK bits.
+ */
+FIELD(TBFLAG_ANY, DEBUG_TARGET_EL, 21, 2)
 
 /* Bit usage when in AArch32 state: */
 FIELD(TBFLAG_A32, THUMB, 0, 1)
diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
     uint32_t svc_imm;
     int aarch64;
     int current_el;
+    /* Debug target exception level for single-step exceptions */
+    int debug_target_el;
     GHashTable *cp_regs;
     uint64_t features; /* CPU features bits */
     /* Because unallocated encodings generate different exception syndrome
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
      * ie A64 LDX*, LDAX*, A32/T32 LDREX*, LDAEX*.
      */
     bool is_ldex;
-    /* True if a single-step exception will be taken to the current EL */
-    bool ss_same_el;
     /* True if v8.3-PAuth is active.  */
     bool pauth_active;
     /* True with v8.5-BTI and SCTLR_ELx.BT* set.  */
@@ -XXX,XX +XXX,XX @@ static inline void gen_exception(int excp, uint32_t syndrome,
 /* Generate an architectural singlestep exception */
 static inline void gen_swstep_exception(DisasContext *s, int isv, int ex)
 {
-    gen_exception(EXCP_UDEF, syn_swstep(s->ss_same_el, isv, ex),
-                  default_exception_el(s));
+    bool same_el = (s->debug_target_el == s->current_el);
+
+    /*
+     * If singlestep is targeting a lower EL than the current one,
+     * then s->ss_active must be false and we can never get here.
+     */
+    assert(s->debug_target_el >= s->current_el);
+
+    gen_exception(EXCP_UDEF, syn_swstep(same_el, isv, ex), s->debug_target_el);
 }
 
 /*
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void cpu_get_tb_cpu_state(CPUARMState *env, target_ulong *pc,
         }
     }
 
+    if (!arm_feature(env, ARM_FEATURE_M)) {
+        int target_el = arm_debug_target_el(env);
+
+        flags = FIELD_DP32(flags, TBFLAG_ANY, DEBUG_TARGET_EL, target_el);
+    }
+
     *pflags = flags;
     *cs_base = 0;
 }
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
     dc->ss_active = FIELD_EX32(tb_flags, TBFLAG_ANY, SS_ACTIVE);
     dc->pstate_ss = FIELD_EX32(tb_flags, TBFLAG_ANY, PSTATE_SS);
     dc->is_ldex = false;
-    dc->ss_same_el = (arm_debug_target_el(env) == dc->current_el);
+    dc->debug_target_el = FIELD_EX32(tb_flags, TBFLAG_ANY, DEBUG_TARGET_EL);
 
     /* Bound the number of insns to execute to those left on the page.  */
     bound = -(dc->base.pc_first | TARGET_PAGE_MASK) / 4;
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
     dc->ss_active = FIELD_EX32(tb_flags, TBFLAG_ANY, SS_ACTIVE);
     dc->pstate_ss = FIELD_EX32(tb_flags, TBFLAG_ANY, PSTATE_SS);
     dc->is_ldex = false;
-    dc->ss_same_el = false; /* Can't be true since EL_d must be AArch64 */
+    if (!arm_feature(env, ARM_FEATURE_M)) {
+        dc->debug_target_el = FIELD_EX32(tb_flags, TBFLAG_ANY, DEBUG_TARGET_EL);
+    }
 
     dc->page_start = dc->base.pc_first & TARGET_PAGE_MASK;
 
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

This function is used in two different contexts, and it will be
clearer if the function is given the address to which it applies.

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
     }
 }
 
-static bool thumb_insn_is_16bit(DisasContext *s, uint32_t insn)
+static bool thumb_insn_is_16bit(DisasContext *s, uint32_t pc, uint32_t insn)
 {
-    /* Return true if this is a 16 bit instruction. We must be precise
-     * about this (matching the decode).  We assume that s->pc still
-     * points to the first 16 bits of the insn.
+    /*
+     * Return true if this is a 16 bit instruction. We must be precise
+     * about this (matching the decode).
      */
     if ((insn >> 11) < 0x1d) {
         /* Definitely a 16-bit instruction */
@@ -XXX,XX +XXX,XX @@ static bool thumb_insn_is_16bit(DisasContext *s, uint32_t insn)
         return false;
     }
 
-    if ((insn >> 11) == 0x1e && s->pc - s->page_start < TARGET_PAGE_SIZE - 3) {
+    if ((insn >> 11) == 0x1e && pc - s->page_start < TARGET_PAGE_SIZE - 3) {
         /* 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix, and the suffix
          * is not on the next page; we merge this into a 32-bit
          * insn.
@@ -XXX,XX +XXX,XX @@ static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
      */
     uint16_t insn = arm_lduw_code(env, s->pc, s->sctlr_b);
 
-    return !thumb_insn_is_16bit(s, insn);
+    return !thumb_insn_is_16bit(s, s->pc, insn);
 }
 
 static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     }
 
     insn = arm_lduw_code(env, dc->pc, dc->sctlr_b);
-    is_16bit = thumb_insn_is_16bit(dc, insn);
+    is_16bit = thumb_insn_is_16bit(dc, dc->pc, insn);
     dc->pc += 2;
     if (!is_16bit) {
         uint32_t insn2 = arm_lduw_code(env, dc->pc, dc->sctlr_b);
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Add a new field to retain the address of the instruction currently
being translated.  The 32-bit uses are all within subroutines used
by a32 and t32.  This will become less obvious when t16 support is
merged with a32+t32, and having a clear definition will help.

Convert aarch64 as well for consistency.  Note that there is one
instance of a pre-assert fprintf that used the wrong value for the
address of the current instruction.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190807045335.1361-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.h |  2 +-
 target/arm/translate.h     |  2 ++
 target/arm/translate-a64.c | 21 +++++++++++----------
 target/arm/translate.c     | 14 ++++++++------
 4 files changed, 22 insertions(+), 17 deletions(-)

diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@ void unallocated_encoding(DisasContext *s);
         qemu_log_mask(LOG_UNIMP,                                         \
                       "%s:%d: unsupported instruction encoding 0x%08x "  \
                       "at pc=%016" PRIx64 "\n",                          \
-                      __FILE__, __LINE__, insn, s->pc - 4);              \
+                      __FILE__, __LINE__, insn, s->pc_curr);             \
         unallocated_encoding(s);                                         \
     } while (0)
 
diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
     const ARMISARegisters *isar;
 
     target_ulong pc;
+    /* The address of the current instruction being translated. */
+    target_ulong pc_curr;
     target_ulong page_start;
     uint32_t insn;
     /* Nonzero if this instruction has been conditionally skipped.  */
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline AArch64DecodeFn *lookup_disas_fn(const AArch64DecodeTable *table,
  */
 static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
 {
-    uint64_t addr = s->pc + sextract32(insn, 0, 26) * 4 - 4;
+    uint64_t addr = s->pc_curr + sextract32(insn, 0, 26) * 4;
 
     if (insn & (1U << 31)) {
         /* BL Branch with link */
@@ -XXX,XX +XXX,XX @@ static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
     sf = extract32(insn, 31, 1);
     op = extract32(insn, 24, 1); /* 0: CBZ; 1: CBNZ */
     rt = extract32(insn, 0, 5);
-    addr = s->pc + sextract32(insn, 5, 19) * 4 - 4;
+    addr = s->pc_curr + sextract32(insn, 5, 19) * 4;
 
     tcg_cmp = read_cpu_reg(s, rt, sf);
     label_match = gen_new_label();
@@ -XXX,XX +XXX,XX @@ static void disas_test_b_imm(DisasContext *s, uint32_t insn)
 
     bit_pos = (extract32(insn, 31, 1) << 5) | extract32(insn, 19, 5);
     op = extract32(insn, 24, 1); /* 0: TBZ; 1: TBNZ */
-    addr = s->pc + sextract32(insn, 5, 14) * 4 - 4;
+    addr = s->pc_curr + sextract32(insn, 5, 14) * 4;
     rt = extract32(insn, 0, 5);
 
     tcg_cmp = tcg_temp_new_i64();
@@ -XXX,XX +XXX,XX @@ static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
         unallocated_encoding(s);
         return;
     }
-    addr = s->pc + sextract32(insn, 5, 19) * 4 - 4;
+    addr = s->pc_curr + sextract32(insn, 5, 19) * 4;
     cond = extract32(insn, 0, 4);
 
     reset_btype(s);
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
         TCGv_i32 tcg_syn, tcg_isread;
         uint32_t syndrome;
 
-        gen_a64_set_pc_im(s->pc - 4);
+        gen_a64_set_pc_im(s->pc_curr);
         tmpptr = tcg_const_ptr(ri);
         syndrome = syn_aa64_sysregtrap(op0, op1, op2, crn, crm, rt, isread);
         tcg_syn = tcg_const_i32(syndrome);
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
             /* The pre HVC helper handles cases when HVC gets trapped
              * as an undefined insn by runtime configuration.
              */
-            gen_a64_set_pc_im(s->pc - 4);
+            gen_a64_set_pc_im(s->pc_curr);
             gen_helper_pre_hvc(cpu_env);
             gen_ss_advance(s);
             gen_exception_insn(s, 0, EXCP_HVC, syn_aa64_hvc(imm16), 2);
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
                 unallocated_encoding(s);
                 break;
             }
-            gen_a64_set_pc_im(s->pc - 4);
+            gen_a64_set_pc_im(s->pc_curr);
             tmp = tcg_const_i32(syn_aa64_smc(imm16));
             gen_helper_pre_smc(cpu_env, tmp);
             tcg_temp_free_i32(tmp);
@@ -XXX,XX +XXX,XX @@ static void disas_ld_lit(DisasContext *s, uint32_t insn)
 
     tcg_rt = cpu_reg(s, rt);
 
-    clean_addr = tcg_const_i64((s->pc - 4) + imm);
+    clean_addr = tcg_const_i64(s->pc_curr + imm);
     if (is_vector) {
         do_fp_ld(s, rt, clean_addr, size);
     } else {
@@ -XXX,XX +XXX,XX @@ static void disas_pc_rel_adr(DisasContext *s, uint32_t insn)
     offset = sextract64(insn, 5, 19);
     offset = offset << 2 | extract32(insn, 29, 2);
     rd = extract32(insn, 0, 5);
-    base = s->pc - 4;
+    base = s->pc_curr;
 
     if (page) {
         /* ADRP (page based) */
@@ -XXX,XX +XXX,XX @@ static void disas_simd_three_reg_same_fp16(DisasContext *s, uint32_t insn)
                 break;
             default:
                 fprintf(stderr, "%s: insn %#04x, fpop %#2x @ %#" PRIx64 "\n",
-                        __func__, insn, fpopcode, s->pc);
+                        __func__, insn, fpopcode, s->pc_curr);
                 g_assert_not_reached();
             }
 
@@ -XXX,XX +XXX,XX @@ static void disas_a64_insn(CPUARMState *env, DisasContext *s)
 {
     uint32_t insn;
 
+    s->pc_curr = s->pc;
     insn = arm_ldl_code(env, s->pc, s->sctlr_b);
     s->insn = insn;
     s->pc += 4;
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_hvc(DisasContext *s, int imm16)
      * as an undefined insn by runtime configuration (ie before
      * the insn really executes).
      */
-    gen_set_pc_im(s, s->pc - 4);
+    gen_set_pc_im(s, s->pc_curr);
     gen_helper_pre_hvc(cpu_env);
     /* Otherwise we will treat this as a real exception which
      * happens after execution of the insn. (The distinction matters
@@ -XXX,XX +XXX,XX @@ static inline void gen_smc(DisasContext *s)
      */
     TCGv_i32 tmp;
 
-    gen_set_pc_im(s, s->pc - 4);
+    gen_set_pc_im(s, s->pc_curr);
     tmp = tcg_const_i32(syn_aa32_smc());
     gen_helper_pre_smc(cpu_env, tmp);
     tcg_temp_free_i32(tmp);
@@ -XXX,XX +XXX,XX @@ static void gen_msr_banked(DisasContext *s, int r, int sysm, int rn)
 
     /* Sync state because msr_banked() can raise exceptions */
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->pc - 4);
+    gen_set_pc_im(s, s->pc_curr);
     tcg_reg = load_reg(s, rn);
     tcg_tgtmode = tcg_const_i32(tgtmode);
     tcg_regno = tcg_const_i32(regno);
@@ -XXX,XX +XXX,XX @@ static void gen_mrs_banked(DisasContext *s, int r, int sysm, int rn)
 
     /* Sync state because mrs_banked() can raise exceptions */
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->pc - 4);
+    gen_set_pc_im(s, s->pc_curr);
     tcg_reg = tcg_temp_new_i32();
     tcg_tgtmode = tcg_const_i32(tgtmode);
     tcg_regno = tcg_const_i32(regno);
@@ -XXX,XX +XXX,XX @@ static int disas_coproc_insn(DisasContext *s, uint32_t insn)
             }
 
             gen_set_condexec(s);
-            gen_set_pc_im(s, s->pc - 4);
+            gen_set_pc_im(s, s->pc_curr);
             tmpptr = tcg_const_ptr(ri);
             tcg_syn = tcg_const_i32(syndrome);
             tcg_isread = tcg_const_i32(isread);
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
     tmp = tcg_const_i32(mode);
     /* get_r13_banked() will raise an exception if called from System mode */
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->pc - 4);
+    gen_set_pc_im(s, s->pc_curr);
     gen_helper_get_r13_banked(addr, cpu_env, tmp);
     tcg_temp_free_i32(tmp);
     switch (amode) {
@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         return;
     }
 
+    dc->pc_curr = dc->pc;
     insn = arm_ldl_code(env, dc->pc, dc->sctlr_b);
     dc->insn = insn;
     dc->pc += 4;
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         return;
     }
 
+    dc->pc_curr = dc->pc;
     insn = arm_lduw_code(env, dc->pc, dc->sctlr_b);
     is_16bit = thumb_insn_is_16bit(dc, dc->pc, insn);
     dc->pc += 2;
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

We currently have 3 different ways of computing the architectural
value of "PC" as seen in the ARM ARM.

The value of s->pc has been incremented past the current insn,
but that is all.  Thus for a32, PC = s->pc + 4; for t32, PC = s->pc;
for t16, PC = s->pc + 2.  These differing computations make it
impossible at present to unify the various code paths.

With the newly introduced s->pc_curr, we can compute the correct
value for all cases, using the formula given in the ARM ARM.

This changes the behaviour for load_reg() and load_reg_var()
when called with reg==15 from a 32-bit Thumb instruction:
previously they would have returned the incorrect value
of pc_curr + 6, and now they will return the architecturally
correct value of PC, which is pc_curr + 4. This will not
affect well-behaved guest software, because all of the places
we call these functions from T32 code are instructions where
using r15 is UNPREDICTABLE. Using the architectural PC value
here is more consistent with the T16 and A32 behaviour.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190807045335.1361-4-richard.henderson@linaro.org
[PMM: added commit message note about UNPREDICTABLE T32 cases]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 59 ++++++++++++++++--------------------------
 1 file changed, 23 insertions(+), 36 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void store_cpu_offset(TCGv_i32 var, int offset)
 #define store_cpu_field(var, name) \
     store_cpu_offset(var, offsetof(CPUARMState, name))
 
+/* The architectural value of PC.  */
+static uint32_t read_pc(DisasContext *s)
+{
+    return s->pc_curr + (s->thumb ? 4 : 8);
+}
+
 /* Set a variable to the value of a CPU register.  */
 static void load_reg_var(DisasContext *s, TCGv_i32 var, int reg)
 {
     if (reg == 15) {
-        uint32_t addr;
-        /* normally, since we updated PC, we need only to add one insn */
-        if (s->thumb)
-            addr = (long)s->pc + 2;
-        else
-            addr = (long)s->pc + 4;
-        tcg_gen_movi_i32(var, addr);
+        tcg_gen_movi_i32(var, read_pc(s));
     } else {
         tcg_gen_mov_i32(var, cpu_R[reg]);
     }
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             /* branch link and change to thumb (blx <offset>) */
             int32_t offset;
 
-            val = (uint32_t)s->pc;
             tmp = tcg_temp_new_i32();
-            tcg_gen_movi_i32(tmp, val);
+            tcg_gen_movi_i32(tmp, s->pc);
             store_reg(s, 14, tmp);
             /* Sign-extend the 24-bit offset */
             offset = (((int32_t)insn) << 8) >> 8;
+            val = read_pc(s);
             /* offset * 4 + bit24 * 2 + (thumb bit) */
             val += (offset << 2) | ((insn >> 23) & 2) | 1;
-            /* pipeline offset */
-            val += 4;
             /* protected by ARCH(5); above, near the start of uncond block */
             gen_bx_im(s, val);
             return;
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                         } else {
                             /* store */
                             if (i == 15) {
-                                /* special case: r15 = PC + 8 */
-                                val = (long)s->pc + 4;
                                 tmp = tcg_temp_new_i32();
-                                tcg_gen_movi_i32(tmp, val);
+                                tcg_gen_movi_i32(tmp, read_pc(s));
                             } else if (user) {
                                 tmp = tcg_temp_new_i32();
                                 tmp2 = tcg_const_i32(i);
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                 int32_t offset;
 
                 /* branch (and link) */
-                val = (int32_t)s->pc;
                 if (insn & (1 << 24)) {
                     tmp = tcg_temp_new_i32();
-                    tcg_gen_movi_i32(tmp, val);
+                    tcg_gen_movi_i32(tmp, s->pc);
                     store_reg(s, 14, tmp);
                 }
                 offset = sextract32(insn << 2, 0, 26);
-                val += offset + 4;
-                gen_jmp(s, val);
+                gen_jmp(s, read_pc(s) + offset);
             }
             break;
         case 0xc:
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                 tcg_temp_free_i32(addr);
             } else if ((insn & (7 << 5)) == 0) {
                 /* Table Branch.  */
-                if (rn == 15) {
-                    addr = tcg_temp_new_i32();
-                    tcg_gen_movi_i32(addr, s->pc);
-                } else {
-                    addr = load_reg(s, rn);
-                }
+                addr = load_reg(s, rn);
                 tmp = load_reg(s, rm);
                 tcg_gen_add_i32(addr, addr, tmp);
                 if (insn & (1 << 4)) {
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                 }
                 tcg_temp_free_i32(addr);
                 tcg_gen_shli_i32(tmp, tmp, 1);
-                tcg_gen_addi_i32(tmp, tmp, s->pc);
+                tcg_gen_addi_i32(tmp, tmp, read_pc(s));
                 store_reg(s, 15, tmp);
             } else {
                 bool is_lasr = false;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                     tcg_gen_movi_i32(cpu_R[14], s->pc | 1);
                 }
 
-                offset += s->pc;
+                offset += read_pc(s);
                 if (insn & (1 << 12)) {
                     /* b/bl */
                     gen_jmp(s, offset);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                 offset |= (insn & (1 << 11)) << 8;
 
                 /* jump to the offset */
-                gen_jmp(s, s->pc + offset);
+                gen_jmp(s, read_pc(s) + offset);
             }
         } else {
             /*
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
         if (insn & (1 << 11)) {
             rd = (insn >> 8) & 7;
             /* load pc-relative.  Bit 1 of PC is ignored.  */
-            val = s->pc + 2 + ((insn & 0xff) * 4);
+            val = read_pc(s) + ((insn & 0xff) * 4);
             val &= ~(uint32_t)2;
             addr = tcg_temp_new_i32();
             tcg_gen_movi_i32(addr, val);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
         } else {
             /* PC. bit 1 is ignored.  */
             tmp = tcg_temp_new_i32();
-            tcg_gen_movi_i32(tmp, (s->pc + 2) & ~(uint32_t)2);
+            tcg_gen_movi_i32(tmp, read_pc(s) & ~(uint32_t)2);
         }
         val = (insn & 0xff) * 4;
         tcg_gen_addi_i32(tmp, tmp, val);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
                 tcg_gen_brcondi_i32(TCG_COND_NE, tmp, 0, s->condlabel);
             tcg_temp_free_i32(tmp);
             offset = ((insn & 0xf8) >> 2) | (insn & 0x200) >> 3;
-            val = (uint32_t)s->pc + 2;
-            val += offset;
-            gen_jmp(s, val);
+            gen_jmp(s, read_pc(s) + offset);
             break;
 
         case 15: /* IT, nop-hint.  */
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
         arm_skip_unless(s, cond);
 
         /* jump to the offset */
-        val = (uint32_t)s->pc + 2;
+        val = read_pc(s);
         offset = ((int32_t)insn << 24) >> 24;
         val += offset << 1;
         gen_jmp(s, val);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
             break;
         }
         /* unconditional branch */
-        val = (uint32_t)s->pc;
+        val = read_pc(s);
         offset = ((int32_t)insn << 21) >> 21;
-        val += (offset << 1) + 2;
+        val += offset << 1;
         gen_jmp(s, val);
         break;
 
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
             /* 0b1111_0xxx_xxxx_xxxx : BL/BLX prefix */
             uint32_t uoffset = ((int32_t)insn << 21) >> 9;
 
-            tcg_gen_movi_i32(cpu_R[14], s->pc + 2 + uoffset);
+            tcg_gen_movi_i32(cpu_R[14], read_pc(s) + uoffset);
         }
         break;
     }
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Provide a common routine for the places that require ALIGN(PC, 4)
as the base address as opposed to plain PC.  The two are always
the same for A32, but the difference is meaningful for thumb mode.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190807045335.1361-5-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-vfp.inc.c |  38 ++------
 target/arm/translate.c         | 166 +++++++++++++++------------------
 2 files changed, 82 insertions(+), 122 deletions(-)

diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.inc.c
+++ b/target/arm/translate-vfp.inc.c
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDR_VSTR_sp(DisasContext *s, arg_VLDR_VSTR_sp *a)
         offset = -offset;
     }
 
-    if (s->thumb && a->rn == 15) {
-        /* This is actually UNPREDICTABLE */
-        addr = tcg_temp_new_i32();
-        tcg_gen_movi_i32(addr, s->pc & ~2);
-    } else {
-        addr = load_reg(s, a->rn);
-    }
-    tcg_gen_addi_i32(addr, addr, offset);
+    /* For thumb, use of PC is UNPREDICTABLE.  */
+    addr = add_reg_for_lit(s, a->rn, offset);
     tmp = tcg_temp_new_i32();
     if (a->l) {
         gen_aa32_ld32u(s, tmp, addr, get_mem_index(s));
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDR_VSTR_dp(DisasContext *s, arg_VLDR_VSTR_dp *a)
         offset = -offset;
     }
 
-    if (s->thumb && a->rn == 15) {
-        /* This is actually UNPREDICTABLE */
-        addr = tcg_temp_new_i32();
-        tcg_gen_movi_i32(addr, s->pc & ~2);
-    } else {
-        addr = load_reg(s, a->rn);
-    }
-    tcg_gen_addi_i32(addr, addr, offset);
+    /* For thumb, use of PC is UNPREDICTABLE.  */
+    addr = add_reg_for_lit(s, a->rn, offset);
     tmp = tcg_temp_new_i64();
     if (a->l) {
         gen_aa32_ld64(s, tmp, addr, get_mem_index(s));
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDM_VSTM_sp(DisasContext *s, arg_VLDM_VSTM_sp *a)
         return true;
     }
 
-    if (s->thumb && a->rn == 15) {
-        /* This is actually UNPREDICTABLE */
-        addr = tcg_temp_new_i32();
-        tcg_gen_movi_i32(addr, s->pc & ~2);
-    } else {
-        addr = load_reg(s, a->rn);
-    }
+    /* For thumb, use of PC is UNPREDICTABLE.  */
+    addr = add_reg_for_lit(s, a->rn, 0);
     if (a->p) {
         /* pre-decrement */
         tcg_gen_addi_i32(addr, addr, -(a->imm << 2));
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDM_VSTM_dp(DisasContext *s, arg_VLDM_VSTM_dp *a)
         return true;
     }
 
-    if (s->thumb && a->rn == 15) {
-        /* This is actually UNPREDICTABLE */
-        addr = tcg_temp_new_i32();
-        tcg_gen_movi_i32(addr, s->pc & ~2);
-    } else {
-        addr = load_reg(s, a->rn);
-    }
+    /* For thumb, use of PC is UNPREDICTABLE.  */
+    addr = add_reg_for_lit(s, a->rn, 0);
     if (a->p) {
         /* pre-decrement */
         tcg_gen_addi_i32(addr, addr, -(a->imm << 2));
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline TCGv_i32 load_reg(DisasContext *s, int reg)
     return tmp;
 }
 
+/*
+ * Create a new temp, REG + OFS, except PC is ALIGN(PC, 4).
+ * This is used for load/store for which use of PC implies (literal),
+ * or ADD that implies ADR.
+ */
+static TCGv_i32 add_reg_for_lit(DisasContext *s, int reg, int ofs)
+{
+    TCGv_i32 tmp = tcg_temp_new_i32();
+
+    if (reg == 15) {
+        tcg_gen_movi_i32(tmp, (read_pc(s) & ~3) + ofs);
+    } else {
+        tcg_gen_addi_i32(tmp, cpu_R[reg], ofs);
+    }
+    return tmp;
+}
+
 /* Set a CPU register.  The source must be a temporary and will be
    marked as dead.  */
 static void store_reg(DisasContext *s, int reg, TCGv_i32 var)
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                  */
                 bool wback = extract32(insn, 21, 1);
 
-                if (rn == 15) {
-                    if (insn & (1 << 21)) {
-                        /* UNPREDICTABLE */
-                        goto illegal_op;
-                    }
-                    addr = tcg_temp_new_i32();
-                    tcg_gen_movi_i32(addr, s->pc & ~3);
-                } else {
-                    addr = load_reg(s, rn);
+                if (rn == 15 && (insn & (1 << 21))) {
+                    /* UNPREDICTABLE */
+                    goto illegal_op;
                 }
+
+                addr = add_reg_for_lit(s, rn, 0);
                 offset = (insn & 0xff) * 4;
                 if ((insn & (1 << 23)) == 0) {
                     offset = -offset;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                         store_reg(s, rd, tmp);
                     } else {
                         /* Add/sub 12-bit immediate.  */
-                        if (rn == 15) {
-                            offset = s->pc & ~(uint32_t)3;
-                            if (insn & (1 << 23))
-                                offset -= imm;
-                            else
-                                offset += imm;
-                            tmp = tcg_temp_new_i32();
-                            tcg_gen_movi_i32(tmp, offset);
-                            store_reg(s, rd, tmp);
+                        if (insn & (1 << 23)) {
+                            imm = -imm;
+                        }
+                        tmp = add_reg_for_lit(s, rn, imm);
+                        if (rn == 13 && rd == 13) {
+                            /* ADD SP, SP, imm or SUB SP, SP, imm */
+                            store_sp_checked(s, tmp);
                         } else {
-                            tmp = load_reg(s, rn);
-                            if (insn & (1 << 23))
-                                tcg_gen_subi_i32(tmp, tmp, imm);
-                            else
-                                tcg_gen_addi_i32(tmp, tmp, imm);
-                            if (rn == 13 && rd == 13) {
-                                /* ADD SP, SP, imm or SUB SP, SP, imm */
-                                store_sp_checked(s, tmp);
-                            } else {
-                                store_reg(s, rd, tmp);
-                            }
+                            store_reg(s, rd, tmp);
                         }
                     }
                 }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
             }
         }
         memidx = get_mem_index(s);
-        if (rn == 15) {
-            addr = tcg_temp_new_i32();
-            /* PC relative.  */
-            /* s->pc has already been incremented by 4.  */
-            imm = s->pc & 0xfffffffc;
-            if (insn & (1 << 23))
-                imm += insn & 0xfff;
-            else
-                imm -= insn & 0xfff;
-            tcg_gen_movi_i32(addr, imm);
+        imm = insn & 0xfff;
+        if (insn & (1 << 23)) {
+            /* PC relative or Positive offset.  */
+            addr = add_reg_for_lit(s, rn, imm);
+        } else if (rn == 15) {
+            /* PC relative with negative offset.  */
+            addr = add_reg_for_lit(s, rn, -imm);
         } else {
             addr = load_reg(s, rn);
-            if (insn & (1 << 23)) {
-                /* Positive offset.  */
-                imm = insn & 0xfff;
-                tcg_gen_addi_i32(addr, addr, imm);
-            } else {
-                imm = insn & 0xff;
-                switch ((insn >> 8) & 0xf) {
-                case 0x0: /* Shifted Register.  */
-                    shift = (insn >> 4) & 0xf;
-                    if (shift > 3) {
-                        tcg_temp_free_i32(addr);
-                        goto illegal_op;
-                    }
-                    tmp = load_reg(s, rm);
-                    if (shift)
-                        tcg_gen_shli_i32(tmp, tmp, shift);
-                    tcg_gen_add_i32(addr, addr, tmp);
-                    tcg_temp_free_i32(tmp);
-                    break;
-                case 0xc: /* Negative offset.  */
-                    tcg_gen_addi_i32(addr, addr, -imm);
-                    break;
-                case 0xe: /* User privilege.  */
-                    tcg_gen_addi_i32(addr, addr, imm);
-                    memidx = get_a32_user_mem_index(s);
-                    break;
-                case 0x9: /* Post-decrement.  */
-                    imm = -imm;
-                    /* Fall through.  */
-                case 0xb: /* Post-increment.  */
-                    postinc = 1;
-                    writeback = 1;
-                    break;
-                case 0xd: /* Pre-decrement.  */
-                    imm = -imm;
-                    /* Fall through.  */
-                case 0xf: /* Pre-increment.  */
-                    writeback = 1;
-                    break;
-                default:
+            imm = insn & 0xff;
+            switch ((insn >> 8) & 0xf) {
+            case 0x0: /* Shifted Register.  */
+                shift = (insn >> 4) & 0xf;
+                if (shift > 3) {
                     tcg_temp_free_i32(addr);
                     goto illegal_op;
                 }
+                tmp = load_reg(s, rm);
+                if (shift) {
+                    tcg_gen_shli_i32(tmp, tmp, shift);
+                }
+                tcg_gen_add_i32(addr, addr, tmp);
+                tcg_temp_free_i32(tmp);
+                break;
+            case 0xc: /* Negative offset.  */
+                tcg_gen_addi_i32(addr, addr, -imm);
+                break;
+            case 0xe: /* User privilege.  */
+                tcg_gen_addi_i32(addr, addr, imm);
+                memidx = get_a32_user_mem_index(s);
+                break;
+            case 0x9: /* Post-decrement.  */
+                imm = -imm;
+                /* Fall through.  */
+            case 0xb: /* Post-increment.  */
+                postinc = 1;
+                writeback = 1;
+                break;
+            case 0xd: /* Pre-decrement.  */
+                imm = -imm;
+                /* Fall through.  */
+            case 0xf: /* Pre-increment.  */
+                writeback = 1;
+                break;
+            default:
+                tcg_temp_free_i32(addr);
+                goto illegal_op;
             }
         }
 
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
         if (insn & (1 << 11)) {
             rd = (insn >> 8) & 7;
             /* load pc-relative.  Bit 1 of PC is ignored.  */
-            val = read_pc(s) + ((insn & 0xff) * 4);
-            val &= ~(uint32_t)2;
-            addr = tcg_temp_new_i32();
-            tcg_gen_movi_i32(addr, val);
+            addr = add_reg_for_lit(s, 15, (insn & 0xff) * 4);
             tmp = tcg_temp_new_i32();
             gen_aa32_ld32u_iss(s, tmp, addr, get_mem_index(s),
                                rd | ISSIs16Bit);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
          *  - Add PC/SP (immediate)
          */
         rd = (insn >> 8) & 7;
-        if (insn & (1 << 11)) {
-            /* SP */
-            tmp = load_reg(s, 13);
-        } else {
-            /* PC. bit 1 is ignored.  */
-            tmp = tcg_temp_new_i32();
-            tcg_gen_movi_i32(tmp, read_pc(s) & ~(uint32_t)2);
-        }
         val = (insn & 0xff) * 4;
-        tcg_gen_addi_i32(tmp, tmp, val);
+        tmp = add_reg_for_lit(s, insn & (1 << 11) ? 13 : 15, val);
         store_reg(s, rd, tmp);
         break;
 
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The thumb bit has already been removed from s->pc, and is always even.

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, int offset, uint32_t syn)
 /* Force a TB lookup after an instruction that changes the CPU state.  */
 static inline void gen_lookup_tb(DisasContext *s)
 {
-    tcg_gen_movi_i32(cpu_R[15], s->pc & ~1);
+    tcg_gen_movi_i32(cpu_R[15], s->pc);
     s->base.is_jmp = DISAS_EXIT;
 }
 
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                  * self-modifying code correctly and also to take
                  * any pending interrupts immediately.
                  */
-                gen_goto_tb(s, 0, s->pc & ~1);
+                gen_goto_tb(s, 0, s->pc);
                 return;
             case 7: /* sb */
                 if ((insn & 0xf) || !dc_isar_feature(aa32_sb, s)) {
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                  * for TCG; MB and end the TB instead.
                  */
                 tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
-                gen_goto_tb(s, 0, s->pc & ~1);
+                gen_goto_tb(s, 0, s->pc);
                 return;
             default:
                 goto illegal_op;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                              * and also to take any pending interrupts
                              * immediately.
                              */
-                            gen_goto_tb(s, 0, s->pc & ~1);
+                            gen_goto_tb(s, 0, s->pc);
                             break;
                         case 7: /* sb */
                             if ((insn & 0xf) || !dc_isar_feature(aa32_sb, s)) {
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                              * for TCG; MB and end the TB instead.
                              */
                             tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
-                            gen_goto_tb(s, 0, s->pc & ~1);
+                            gen_goto_tb(s, 0, s->pc);
                             break;
                         default:
                             goto illegal_op;
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

We must update s->base.pc_next when we return from the translate_insn
hook to the main translator loop.  By incrementing s->base.pc_next
immediately after reading the insn word, "pc_next" contains the address
of the next instruction throughout translation.

All remaining uses of s->pc are referencing the address of the next insn,
so this is now a simple global replacement.  Remove the "s->pc" field.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190807045335.1361-7-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.h     |   1 -
 target/arm/translate-a64.c |  51 +++++++++---------
 target/arm/translate.c     | 103 ++++++++++++++++++-------------------
 3 files changed, 72 insertions(+), 83 deletions(-)

diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
     DisasContextBase base;
     const ARMISARegisters *isar;
 
-    target_ulong pc;
     /* The address of the current instruction being translated. */
     target_ulong pc_curr;
     target_ulong page_start;
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
 
 static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
 {
-    gen_a64_set_pc_im(s->pc - offset);
+    gen_a64_set_pc_im(s->base.pc_next - offset);
     gen_exception_internal(excp);
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
 static void gen_exception_insn(DisasContext *s, int offset, int excp,
                                uint32_t syndrome, uint32_t target_el)
 {
-    gen_a64_set_pc_im(s->pc - offset);
+    gen_a64_set_pc_im(s->base.pc_next - offset);
     gen_exception(excp, syndrome, target_el);
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, int offset,
 {
     TCGv_i32 tcg_syn;
 
-    gen_a64_set_pc_im(s->pc - offset);
+    gen_a64_set_pc_im(s->base.pc_next - offset);
     tcg_syn = tcg_const_i32(syndrome);
     gen_helper_exception_bkpt_insn(cpu_env, tcg_syn);
     tcg_temp_free_i32(tcg_syn);
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
 
     if (insn & (1U << 31)) {
         /* BL Branch with link */
-        tcg_gen_movi_i64(cpu_reg(s, 30), s->pc);
+        tcg_gen_movi_i64(cpu_reg(s, 30), s->base.pc_next);
     }
 
     /* B Branch / BL Branch with link */
@@ -XXX,XX +XXX,XX @@ static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
     tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
                         tcg_cmp, 0, label_match);
 
-    gen_goto_tb(s, 0, s->pc);
+    gen_goto_tb(s, 0, s->base.pc_next);
     gen_set_label(label_match);
     gen_goto_tb(s, 1, addr);
 }
@@ -XXX,XX +XXX,XX @@ static void disas_test_b_imm(DisasContext *s, uint32_t insn)
     tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
                         tcg_cmp, 0, label_match);
     tcg_temp_free_i64(tcg_cmp);
-    gen_goto_tb(s, 0, s->pc);
+    gen_goto_tb(s, 0, s->base.pc_next);
     gen_set_label(label_match);
     gen_goto_tb(s, 1, addr);
 }
@@ -XXX,XX +XXX,XX @@ static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
         /* genuinely conditional branches */
         TCGLabel *label_match = gen_new_label();
         arm_gen_test_cc(cond, label_match);
-        gen_goto_tb(s, 0, s->pc);
+        gen_goto_tb(s, 0, s->base.pc_next);
         gen_set_label(label_match);
         gen_goto_tb(s, 1, addr);
     } else {
@@ -XXX,XX +XXX,XX @@ static void handle_sync(DisasContext *s, uint32_t insn,
          * any pending interrupts immediately.
          */
         reset_btype(s);
-        gen_goto_tb(s, 0, s->pc);
+        gen_goto_tb(s, 0, s->base.pc_next);
         return;
 
     case 7: /* SB */
@@ -XXX,XX +XXX,XX @@ static void handle_sync(DisasContext *s, uint32_t insn,
          * MB and end the TB instead.
          */
         tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
-        gen_goto_tb(s, 0, s->pc);
+        gen_goto_tb(s, 0, s->base.pc_next);
         return;
 
     default:
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
         gen_a64_set_pc(s, dst);
         /* BLR also needs to load return address */
         if (opc == 1) {
-            tcg_gen_movi_i64(cpu_reg(s, 30), s->pc);
+            tcg_gen_movi_i64(cpu_reg(s, 30), s->base.pc_next);
         }
         break;
 
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
         gen_a64_set_pc(s, dst);
         /* BLRAA also needs to load return address */
         if (opc == 9) {
-            tcg_gen_movi_i64(cpu_reg(s, 30), s->pc);
+            tcg_gen_movi_i64(cpu_reg(s, 30), s->base.pc_next);
         }
         break;
 
@@ -XXX,XX +XXX,XX @@ static void disas_a64_insn(CPUARMState *env, DisasContext *s)
 {
     uint32_t insn;
 
-    s->pc_curr = s->pc;
-    insn = arm_ldl_code(env, s->pc, s->sctlr_b);
+    s->pc_curr = s->base.pc_next;
+    insn = arm_ldl_code(env, s->base.pc_next, s->sctlr_b);
     s->insn = insn;
-    s->pc += 4;
+    s->base.pc_next += 4;
 
     s->fp_access_checked = false;
 
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
     int bound, core_mmu_idx;
 
     dc->isar = &arm_cpu->isar;
-    dc->pc = dc->base.pc_first;
     dc->condjmp = 0;
 
     dc->aarch64 = 1;
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
 
-    tcg_gen_insn_start(dc->pc, 0, 0);
+    tcg_gen_insn_start(dc->base.pc_next, 0, 0);
     dc->insn_start = tcg_last_op();
 }
 
@@ -XXX,XX +XXX,XX @@ static bool aarch64_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
     DisasContext *dc = container_of(dcbase, DisasContext, base);
 
     if (bp->flags & BP_CPU) {
-        gen_a64_set_pc_im(dc->pc);
+        gen_a64_set_pc_im(dc->base.pc_next);
         gen_helper_check_breakpoints(cpu_env);
         /* End the TB early; it likely won't be executed */
         dc->base.is_jmp = DISAS_TOO_MANY;
@@ -XXX,XX +XXX,XX @@ static bool aarch64_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
            to for it to be properly cleared -- thus we
            increment the PC here so that the logic setting
            tb->size below does the right thing.  */
-        dc->pc += 4;
+        dc->base.pc_next += 4;
         dc->base.is_jmp = DISAS_NORETURN;
     }
 
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         disas_a64_insn(env, dc);
     }
 
-    dc->base.pc_next = dc->pc;
     translator_loop_temp_check(&dc->base);
 }
 
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          */
         switch (dc->base.is_jmp) {
         default:
-            gen_a64_set_pc_im(dc->pc);
+            gen_a64_set_pc_im(dc->base.pc_next);
             /* fall through */
         case DISAS_EXIT:
         case DISAS_JUMP:
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         switch (dc->base.is_jmp) {
         case DISAS_NEXT:
         case DISAS_TOO_MANY:
-            gen_goto_tb(dc, 1, dc->pc);
+            gen_goto_tb(dc, 1, dc->base.pc_next);
             break;
         default:
         case DISAS_UPDATE:
-            gen_a64_set_pc_im(dc->pc);
+            gen_a64_set_pc_im(dc->base.pc_next);
             /* fall through */
         case DISAS_EXIT:
             tcg_gen_exit_tb(NULL, 0);
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         case DISAS_SWI:
             break;
         case DISAS_WFE:
-            gen_a64_set_pc_im(dc->pc);
+            gen_a64_set_pc_im(dc->base.pc_next);
             gen_helper_wfe(cpu_env);
             break;
         case DISAS_YIELD:
-            gen_a64_set_pc_im(dc->pc);
+            gen_a64_set_pc_im(dc->base.pc_next);
             gen_helper_yield(cpu_env);
             break;
         case DISAS_WFI:
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
              */
             TCGv_i32 tmp = tcg_const_i32(4);
 
-            gen_a64_set_pc_im(dc->pc);
+            gen_a64_set_pc_im(dc->base.pc_next);
             gen_helper_wfi(cpu_env, tmp);
             tcg_temp_free_i32(tmp);
             /* The helper doesn't necessarily throw an exception, but we
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         }
         }
     }
-
-    /* Functions above can change dc->pc, so re-align db->pc_next */
-    dc->base.pc_next = dc->pc;
 }
 
 static void aarch64_tr_disas_log(const DisasContextBase *dcbase,
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_blxns(DisasContext *s, int rm)
      * We do however need to set the PC, because the blxns helper reads it.
      * The blxns helper may throw an exception.
      */
-    gen_set_pc_im(s, s->pc);
+    gen_set_pc_im(s, s->base.pc_next);
     gen_helper_v7m_blxns(cpu_env, var);
     tcg_temp_free_i32(var);
     s->base.is_jmp = DISAS_EXIT;
@@ -XXX,XX +XXX,XX @@ static inline void gen_hvc(DisasContext *s, int imm16)
      * for single stepping.)
      */
     s->svc_imm = imm16;
-    gen_set_pc_im(s, s->pc);
+    gen_set_pc_im(s, s->base.pc_next);
     s->base.is_jmp = DISAS_HVC;
 }
 
@@ -XXX,XX +XXX,XX @@ static inline void gen_smc(DisasContext *s)
     tmp = tcg_const_i32(syn_aa32_smc());
     gen_helper_pre_smc(cpu_env, tmp);
     tcg_temp_free_i32(tmp);
-    gen_set_pc_im(s, s->pc);
+    gen_set_pc_im(s, s->base.pc_next);
     s->base.is_jmp = DISAS_SMC;
 }
 
 static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
 {
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->pc - offset);
+    gen_set_pc_im(s, s->base.pc_next - offset);
     gen_exception_internal(excp);
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void gen_exception_insn(DisasContext *s, int offset, int excp,
                                int syn, uint32_t target_el)
 {
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->pc - offset);
+    gen_set_pc_im(s, s->base.pc_next - offset);
     gen_exception(excp, syn, target_el);
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, int offset, uint32_t syn)
     TCGv_i32 tcg_syn;
 
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->pc - offset);
+    gen_set_pc_im(s, s->base.pc_next - offset);
     tcg_syn = tcg_const_i32(syn);
     gen_helper_exception_bkpt_insn(cpu_env, tcg_syn);
     tcg_temp_free_i32(tcg_syn);
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, int offset, uint32_t syn)
 /* Force a TB lookup after an instruction that changes the CPU state.  */
 static inline void gen_lookup_tb(DisasContext *s)
 {
-    tcg_gen_movi_i32(cpu_R[15], s->pc);
+    tcg_gen_movi_i32(cpu_R[15], s->base.pc_next);
     s->base.is_jmp = DISAS_EXIT;
 }
 
@@ -XXX,XX +XXX,XX @@ static inline bool use_goto_tb(DisasContext *s, target_ulong dest)
 {
 #ifndef CONFIG_USER_ONLY
     return (s->base.tb->pc & TARGET_PAGE_MASK) == (dest & TARGET_PAGE_MASK) ||
-           ((s->pc - 1) & TARGET_PAGE_MASK) == (dest & TARGET_PAGE_MASK);
+           ((s->base.pc_next - 1) & TARGET_PAGE_MASK) == (dest & TARGET_PAGE_MASK);
 #else
     return true;
 #endif
@@ -XXX,XX +XXX,XX @@ static void gen_nop_hint(DisasContext *s, int val)
          */
     case 1: /* yield */
         if (!(tb_cflags(s->base.tb) & CF_PARALLEL)) {
-            gen_set_pc_im(s, s->pc);
+            gen_set_pc_im(s, s->base.pc_next);
             s->base.is_jmp = DISAS_YIELD;
         }
         break;
     case 3: /* wfi */
-        gen_set_pc_im(s, s->pc);
+        gen_set_pc_im(s, s->base.pc_next);
         s->base.is_jmp = DISAS_WFI;
         break;
     case 2: /* wfe */
         if (!(tb_cflags(s->base.tb) & CF_PARALLEL)) {
-            gen_set_pc_im(s, s->pc);
+            gen_set_pc_im(s, s->base.pc_next);
             s->base.is_jmp = DISAS_WFE;
         }
         break;
@@ -XXX,XX +XXX,XX @@ static int disas_coproc_insn(DisasContext *s, uint32_t insn)
             if (isread) {
                 return 1;
             }
-            gen_set_pc_im(s, s->pc);
+            gen_set_pc_im(s, s->base.pc_next);
             s->base.is_jmp = DISAS_WFI;
             return 0;
         default:
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                  * self-modifying code correctly and also to take
                  * any pending interrupts immediately.
                  */
-                gen_goto_tb(s, 0, s->pc);
+                gen_goto_tb(s, 0, s->base.pc_next);
                 return;
             case 7: /* sb */
                 if ((insn & 0xf) || !dc_isar_feature(aa32_sb, s)) {
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                  * for TCG; MB and end the TB instead.
                  */
                 tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
-                gen_goto_tb(s, 0, s->pc);
+                gen_goto_tb(s, 0, s->base.pc_next);
                 return;
             default:
                 goto illegal_op;
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             int32_t offset;
 
             tmp = tcg_temp_new_i32();
-            tcg_gen_movi_i32(tmp, s->pc);
+            tcg_gen_movi_i32(tmp, s->base.pc_next);
             store_reg(s, 14, tmp);
             /* Sign-extend the 24-bit offset */
             offset = (((int32_t)insn) << 8) >> 8;
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             /* branch link/exchange thumb (blx) */
             tmp = load_reg(s, rm);
             tmp2 = tcg_temp_new_i32();
-            tcg_gen_movi_i32(tmp2, s->pc);
+            tcg_gen_movi_i32(tmp2, s->base.pc_next);
             store_reg(s, 14, tmp2);
             gen_bx(s, tmp);
             break;
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                 /* branch (and link) */
                 if (insn & (1 << 24)) {
                     tmp = tcg_temp_new_i32();
-                    tcg_gen_movi_i32(tmp, s->pc);
+                    tcg_gen_movi_i32(tmp, s->base.pc_next);
                     store_reg(s, 14, tmp);
                 }
                 offset = sextract32(insn << 2, 0, 26);
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             break;
         case 0xf:
             /* swi */
-            gen_set_pc_im(s, s->pc);
+            gen_set_pc_im(s, s->base.pc_next);
             s->svc_imm = extract32(insn, 0, 24);
             s->base.is_jmp = DISAS_SWI;
             break;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
 
                 if (insn & (1 << 14)) {
                     /* Branch and link.  */
-                    tcg_gen_movi_i32(cpu_R[14], s->pc | 1);
+                    tcg_gen_movi_i32(cpu_R[14], s->base.pc_next | 1);
                 }
 
                 offset += read_pc(s);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                              * and also to take any pending interrupts
                              * immediately.
                              */
-                            gen_goto_tb(s, 0, s->pc);
+                            gen_goto_tb(s, 0, s->base.pc_next);
                             break;
                         case 7: /* sb */
                             if ((insn & 0xf) || !dc_isar_feature(aa32_sb, s)) {
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                              * for TCG; MB and end the TB instead.
                              */
                             tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
-                            gen_goto_tb(s, 0, s->pc);
+                            gen_goto_tb(s, 0, s->base.pc_next);
                             break;
                         default:
                             goto illegal_op;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
                 /* BLX/BX */
                 tmp = load_reg(s, rm);
                 if (link) {
-                    val = (uint32_t)s->pc | 1;
+                    val = (uint32_t)s->base.pc_next | 1;
                     tmp2 = tcg_temp_new_i32();
                     tcg_gen_movi_i32(tmp2, val);
                     store_reg(s, 14, tmp2);
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
 
         if (cond == 0xf) {
             /* swi */
-            gen_set_pc_im(s, s->pc);
+            gen_set_pc_im(s, s->base.pc_next);
             s->svc_imm = extract32(insn, 0, 8);
             s->base.is_jmp = DISAS_SWI;
             break;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
             tcg_gen_andi_i32(tmp, tmp, 0xfffffffc);
 
             tmp2 = tcg_temp_new_i32();
-            tcg_gen_movi_i32(tmp2, s->pc | 1);
+            tcg_gen_movi_i32(tmp2, s->base.pc_next | 1);
             store_reg(s, 14, tmp2);
             gen_bx(s, tmp);
             break;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
             tcg_gen_addi_i32(tmp, tmp, offset);
 
             tmp2 = tcg_temp_new_i32();
-            tcg_gen_movi_i32(tmp2, s->pc | 1);
+            tcg_gen_movi_i32(tmp2, s->base.pc_next | 1);
             store_reg(s, 14, tmp2);
             gen_bx(s, tmp);
         } else {
@@ -XXX,XX +XXX,XX @@ undef:
 
 static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
 {
-    /* Return true if the insn at dc->pc might cross a page boundary.
+    /* Return true if the insn at dc->base.pc_next might cross a page boundary.
      * (False positives are OK, false negatives are not.)
      * We know this is a Thumb insn, and our caller ensures we are
-     * only called if dc->pc is less than 4 bytes from the page
+     * only called if dc->base.pc_next is less than 4 bytes from the page
      * boundary, so we cross the page if the first 16 bits indicate
      * that this is a 32 bit insn.
      */
-    uint16_t insn = arm_lduw_code(env, s->pc, s->sctlr_b);
+    uint16_t insn = arm_lduw_code(env, s->base.pc_next, s->sctlr_b);
 
-    return !thumb_insn_is_16bit(s, s->pc, insn);
+    return !thumb_insn_is_16bit(s, s->base.pc_next, insn);
 }
 
 static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
     uint32_t condexec, core_mmu_idx;
 
     dc->isar = &cpu->isar;
-    dc->pc = dc->base.pc_first;
     dc->condjmp = 0;
 
     dc->aarch64 = 0;
@@ -XXX,XX +XXX,XX @@ static void arm_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
 
-    tcg_gen_insn_start(dc->pc,
+    tcg_gen_insn_start(dc->base.pc_next,
                        (dc->condexec_cond << 4) | (dc->condexec_mask >> 1),
                        0);
     dc->insn_start = tcg_last_op();
@@ -XXX,XX +XXX,XX @@ static bool arm_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
 
     if (bp->flags & BP_CPU) {
         gen_set_condexec(dc);
-        gen_set_pc_im(dc, dc->pc);
+        gen_set_pc_im(dc, dc->base.pc_next);
         gen_helper_check_breakpoints(cpu_env);
         /* End the TB early; it's likely not going to be executed */
         dc->base.is_jmp = DISAS_TOO_MANY;
@@ -XXX,XX +XXX,XX @@ static bool arm_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
            tb->size below does the right thing.  */
         /* TODO: Advance PC by correct instruction length to
          * avoid disassembler error messages */
-        dc->pc += 2;
+        dc->base.pc_next += 2;
         dc->base.is_jmp = DISAS_NORETURN;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool arm_pre_translate_insn(DisasContext *dc)
 {
 #ifdef CONFIG_USER_ONLY
     /* Intercept jump to the magic kernel page.  */
-    if (dc->pc >= 0xffff0000) {
+    if (dc->base.pc_next >= 0xffff0000) {
         /* We always get here via a jump, so know we are not in a
            conditional execution block.  */
         gen_exception_internal(EXCP_KERNEL_TRAP);
@@ -XXX,XX +XXX,XX @@ static void arm_post_translate_insn(DisasContext *dc)
         gen_set_label(dc->condlabel);
         dc->condjmp = 0;
     }
-    dc->base.pc_next = dc->pc;
     translator_loop_temp_check(&dc->base);
 }
 
@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         return;
     }
 
-    dc->pc_curr = dc->pc;
-    insn = arm_ldl_code(env, dc->pc, dc->sctlr_b);
+    dc->pc_curr = dc->base.pc_next;
+    insn = arm_ldl_code(env, dc->base.pc_next, dc->sctlr_b);
     dc->insn = insn;
-    dc->pc += 4;
+    dc->base.pc_next += 4;
     disas_arm_insn(dc, insn);
 
     arm_post_translate_insn(dc);
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         return;
     }
 
-    dc->pc_curr = dc->pc;
-    insn = arm_lduw_code(env, dc->pc, dc->sctlr_b);
-    is_16bit = thumb_insn_is_16bit(dc, dc->pc, insn);
-    dc->pc += 2;
+    dc->pc_curr = dc->base.pc_next;
+    insn = arm_lduw_code(env, dc->base.pc_next, dc->sctlr_b);
+    is_16bit = thumb_insn_is_16bit(dc, dc->base.pc_next, insn);
+    dc->base.pc_next += 2;
     if (!is_16bit) {
-        uint32_t insn2 = arm_lduw_code(env, dc->pc, dc->sctlr_b);
+        uint32_t insn2 = arm_lduw_code(env, dc->base.pc_next, dc->sctlr_b);
 
         insn = insn << 16 | insn2;
-        dc->pc += 2;
+        dc->base.pc_next += 2;
     }
     dc->insn = insn;
 
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
      * but isn't very efficient).
      */
     if (dc->base.is_jmp == DISAS_NEXT
-        && (dc->pc - dc->page_start >= TARGET_PAGE_SIZE
-            || (dc->pc - dc->page_start >= TARGET_PAGE_SIZE - 3
+        && (dc->base.pc_next - dc->page_start >= TARGET_PAGE_SIZE
+            || (dc->base.pc_next - dc->page_start >= TARGET_PAGE_SIZE - 3
                 && insn_crosses_page(env, dc)))) {
         dc->base.is_jmp = DISAS_TOO_MANY;
     }
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         case DISAS_NEXT:
         case DISAS_TOO_MANY:
         case DISAS_UPDATE:
-            gen_set_pc_im(dc, dc->pc);
+            gen_set_pc_im(dc, dc->base.pc_next);
             /* fall through */
         default:
             /* FIXME: Single stepping a WFI insn will not halt the CPU. */
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         switch(dc->base.is_jmp) {
         case DISAS_NEXT:
         case DISAS_TOO_MANY:
-            gen_goto_tb(dc, 1, dc->pc);
+            gen_goto_tb(dc, 1, dc->base.pc_next);
             break;
         case DISAS_JUMP:
             gen_goto_ptr();
             break;
         case DISAS_UPDATE:
-            gen_set_pc_im(dc, dc->pc);
+            gen_set_pc_im(dc, dc->base.pc_next);
             /* fall through */
         default:
             /* indicate that the hash table must be used to find the next TB */
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         gen_set_label(dc->condlabel);
         gen_set_condexec(dc);
         if (unlikely(is_singlestepping(dc))) {
-            gen_set_pc_im(dc, dc->pc);
+            gen_set_pc_im(dc, dc->base.pc_next);
             gen_singlestep_exception(dc);
         } else {
-            gen_goto_tb(dc, 1, dc->pc);
+            gen_goto_tb(dc, 1, dc->base.pc_next);
         }
     }
-
-    /* Functions above can change dc->pc, so re-align db->pc_next */
-    dc->base.pc_next = dc->pc;
 }
 
 static void arm_tr_disas_log(const DisasContextBase *dcbase, CPUState *cpu)
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The offset is variable depending on the instruction set, whereas
we have stored values for the current pc and the next pc.  Passing
in the actual value is clearer in intent.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190807045335.1361-8-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c     | 25 ++++++++++++++-----------
 target/arm/translate-vfp.inc.c |  6 +++---
 target/arm/translate.c         | 31 ++++++++++++++++---------------
 3 files changed, 33 insertions(+), 29 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
     s->base.is_jmp = DISAS_NORETURN;
 }
 
-static void gen_exception_insn(DisasContext *s, int offset, int excp,
+static void gen_exception_insn(DisasContext *s, uint64_t pc, int excp,
                                uint32_t syndrome, uint32_t target_el)
 {
-    gen_a64_set_pc_im(s->base.pc_next - offset);
+    gen_a64_set_pc_im(pc);
     gen_exception(excp, syndrome, target_el);
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static inline void gen_goto_tb(DisasContext *s, int n, uint64_t dest)
 void unallocated_encoding(DisasContext *s)
 {
     /* Unallocated and reserved encodings are uncategorized */
-    gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                        default_exception_el(s));
 }
 
@@ -XXX,XX +XXX,XX @@ static inline bool fp_access_check(DisasContext *s)
         return true;
     }
 
-    gen_exception_insn(s, 4, EXCP_UDEF, syn_fp_access_trap(1, 0xe, false),
-                       s->fp_excp_el);
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+                       syn_fp_access_trap(1, 0xe, false), s->fp_excp_el);
     return false;
 }
 
@@ -XXX,XX +XXX,XX @@ static inline bool fp_access_check(DisasContext *s)
 bool sve_access_check(DisasContext *s)
 {
     if (s->sve_excp_el) {
-        gen_exception_insn(s, 4, EXCP_UDEF, syn_sve_access_trap(),
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_sve_access_trap(),
                            s->sve_excp_el);
         return false;
     }
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
         switch (op2_ll) {
         case 1:                                                     /* SVC */
             gen_ss_advance(s);
-            gen_exception_insn(s, 0, EXCP_SWI, syn_aa64_svc(imm16),
-                               default_exception_el(s));
+            gen_exception_insn(s, s->base.pc_next, EXCP_SWI,
+                               syn_aa64_svc(imm16), default_exception_el(s));
             break;
         case 2:                                                     /* HVC */
             if (s->current_el == 0) {
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
             gen_a64_set_pc_im(s->pc_curr);
             gen_helper_pre_hvc(cpu_env);
             gen_ss_advance(s);
-            gen_exception_insn(s, 0, EXCP_HVC, syn_aa64_hvc(imm16), 2);
+            gen_exception_insn(s, s->base.pc_next, EXCP_HVC,
+                               syn_aa64_hvc(imm16), 2);
             break;
         case 3:                                                     /* SMC */
             if (s->current_el == 0) {
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
             gen_helper_pre_smc(cpu_env, tmp);
             tcg_temp_free_i32(tmp);
             gen_ss_advance(s);
-            gen_exception_insn(s, 0, EXCP_SMC, syn_aa64_smc(imm16), 3);
+            gen_exception_insn(s, s->base.pc_next, EXCP_SMC,
+                               syn_aa64_smc(imm16), 3);
             break;
         default:
             unallocated_encoding(s);
@@ -XXX,XX +XXX,XX @@ static void disas_a64_insn(CPUARMState *env, DisasContext *s)
             if (s->btype != 0
                 && s->guarded_page
                 && !btype_destination_ok(insn, s->bt, s->btype)) {
-                gen_exception_insn(s, 4, EXCP_UDEF, syn_btitrap(s->btype),
+                gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+                                   syn_btitrap(s->btype),
                                    default_exception_el(s));
                 return;
             }
diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.inc.c
+++ b/target/arm/translate-vfp.inc.c
@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
 {
     if (s->fp_excp_el) {
         if (arm_dc_feature(s, ARM_FEATURE_M)) {
-            gen_exception_insn(s, 4, EXCP_NOCP, syn_uncategorized(),
+            gen_exception_insn(s, s->pc_curr, EXCP_NOCP, syn_uncategorized(),
                                s->fp_excp_el);
         } else {
-            gen_exception_insn(s, 4, EXCP_UDEF,
+            gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                                syn_fp_access_trap(1, 0xe, false),
                                s->fp_excp_el);
         }
@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
 
     if (!s->vfp_enabled && !ignore_vfp_enabled) {
         assert(!arm_dc_feature(s, ARM_FEATURE_M));
-        gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                            default_exception_el(s));
         return false;
     }
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
     s->base.is_jmp = DISAS_NORETURN;
 }
 
-static void gen_exception_insn(DisasContext *s, int offset, int excp,
+static void gen_exception_insn(DisasContext *s, uint32_t pc, int excp,
                                int syn, uint32_t target_el)
 {
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->base.pc_next - offset);
+    gen_set_pc_im(s, pc);
     gen_exception(excp, syn, target_el);
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
         return;
     }
 
-    gen_exception_insn(s, s->thumb ? 2 : 4, EXCP_UDEF, syn_uncategorized(),
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                        default_exception_el(s));
 }
 
@@ -XXX,XX +XXX,XX @@ static bool msr_banked_access_decode(DisasContext *s, int r, int sysm, int rn,
 
 undef:
     /* If we get here then some access check did not pass */
-    gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(), exc_target);
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+                       syn_uncategorized(), exc_target);
     return false;
 }
 
@@ -XXX,XX +XXX,XX @@ static int disas_neon_ls_insn(DisasContext *s, uint32_t insn)
      * for attempts to execute invalid vfp/neon encodings with FP disabled.
      */
     if (s->fp_excp_el) {
-        gen_exception_insn(s, 4, EXCP_UDEF,
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                            syn_simd_access_trap(1, 0xe, false), s->fp_excp_el);
         return 0;
     }
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
      * for attempts to execute invalid vfp/neon encodings with FP disabled.
      */
     if (s->fp_excp_el) {
-        gen_exception_insn(s, 4, EXCP_UDEF,
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                            syn_simd_access_trap(1, 0xe, false), s->fp_excp_el);
         return 0;
     }
@@ -XXX,XX +XXX,XX @@ static int disas_neon_insn_3same_ext(DisasContext *s, uint32_t insn)
     }
 
     if (s->fp_excp_el) {
-        gen_exception_insn(s, 4, EXCP_UDEF,
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                            syn_simd_access_trap(1, 0xe, false), s->fp_excp_el);
         return 0;
     }
@@ -XXX,XX +XXX,XX @@ static int disas_neon_insn_2reg_scalar_ext(DisasContext *s, uint32_t insn)
         off_rm = vfp_reg_offset(0, rm);
     }
     if (s->fp_excp_el) {
-        gen_exception_insn(s, 4, EXCP_UDEF,
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                            syn_simd_access_trap(1, 0xe, false), s->fp_excp_el);
         return 0;
     }
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
      * For the UNPREDICTABLE cases we choose to UNDEF.
      */
     if (s->current_el == 1 && !s->ns && mode == ARM_CPU_MODE_MON) {
-        gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(), 3);
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(), 3);
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
     }
 
     if (undef) {
-        gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                            default_exception_el(s));
         return;
     }
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
      * UsageFault exception.
      */
     if (arm_dc_feature(s, ARM_FEATURE_M)) {
-        gen_exception_insn(s, 4, EXCP_INVSTATE, syn_uncategorized(),
+        gen_exception_insn(s, s->pc_curr, EXCP_INVSTATE, syn_uncategorized(),
                            default_exception_el(s));
         return;
     }
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             break;
         default:
         illegal_op:
-            gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
+            gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                                default_exception_el(s));
             break;
         }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
             }
 
             /* All other insns: NOCP */
-            gen_exception_insn(s, 4, EXCP_NOCP, syn_uncategorized(),
+            gen_exception_insn(s, s->pc_curr, EXCP_NOCP, syn_uncategorized(),
                                default_exception_el(s));
             break;
         }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
     }
     return;
 illegal_op:
-    gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                        default_exception_el(s));
 }
 
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
     return;
 illegal_op:
 undef:
-    gen_exception_insn(s, 2, EXCP_UDEF, syn_uncategorized(),
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
                        default_exception_el(s));
 }
 
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The offset is variable depending on the instruction set.
Passing in the actual value is clearer in intent.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190807045335.1361-9-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 8 ++++----
 target/arm/translate.c     | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
     tcg_temp_free_i32(tcg_excp);
 }
 
-static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
+static void gen_exception_internal_insn(DisasContext *s, uint64_t pc, int excp)
 {
-    gen_a64_set_pc_im(s->base.pc_next - offset);
+    gen_a64_set_pc_im(pc);
     gen_exception_internal(excp);
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
                 break;
             }
 #endif
-            gen_exception_internal_insn(s, 0, EXCP_SEMIHOST);
+            gen_exception_internal_insn(s, s->base.pc_next, EXCP_SEMIHOST);
         } else {
             unsupported_encoding(s, insn);
         }
@@ -XXX,XX +XXX,XX @@ static bool aarch64_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
         /* End the TB early; it likely won't be executed */
         dc->base.is_jmp = DISAS_TOO_MANY;
     } else {
-        gen_exception_internal_insn(dc, 0, EXCP_DEBUG);
+        gen_exception_internal_insn(dc, dc->base.pc_next, EXCP_DEBUG);
         /* The address covered by the breakpoint must be
            included in [tb->pc, tb->pc + tb->size) in order
            to for it to be properly cleared -- thus we
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_smc(DisasContext *s)
     s->base.is_jmp = DISAS_SMC;
 }
 
-static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
+static void gen_exception_internal_insn(DisasContext *s, uint32_t pc, int excp)
 {
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->base.pc_next - offset);
+    gen_set_pc_im(s, pc);
     gen_exception_internal(excp);
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
         s->current_el != 0 &&
 #endif
         (imm == (s->thumb ? 0x3c : 0xf000))) {
-        gen_exception_internal_insn(s, 0, EXCP_SEMIHOST);
+        gen_exception_internal_insn(s, s->base.pc_next, EXCP_SEMIHOST);
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool arm_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
         /* End the TB early; it's likely not going to be executed */
         dc->base.is_jmp = DISAS_TOO_MANY;
     } else {
-        gen_exception_internal_insn(dc, 0, EXCP_DEBUG);
+        gen_exception_internal_insn(dc, dc->base.pc_next, EXCP_DEBUG);
         /* The address covered by the breakpoint must be
            included in [tb->pc, tb->pc + tb->size) in order
            to for it to be properly cleared -- thus we
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Unlike the other more generic gen_exception{,_internal}_insn
interfaces, breakpoints always refer to the current instruction.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190807045335.1361-10-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 7 +++----
 target/arm/translate.c     | 8 ++++----
 2 files changed, 7 insertions(+), 8 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Promote this function from aarch64 to fully general use.
Use it to unify the code sequences for generating illegal
opcode exceptions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190807045335.1361-11-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.h     |  2 --
 target/arm/translate.h         |  2 ++
 target/arm/translate-a64.c     |  7 -------
 target/arm/translate-vfp.inc.c |  3 +--
 target/arm/translate.c         | 22 ++++++++++++----------
 5 files changed, 15 insertions(+), 21 deletions(-)

diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@
 #ifndef TARGET_ARM_TRANSLATE_A64_H
 #define TARGET_ARM_TRANSLATE_A64_H
 
-void unallocated_encoding(DisasContext *s);
-
 #define unsupported_encoding(s, insn)                                    \
     do {                                                                 \
         qemu_log_mask(LOG_UNIMP,                                         \
diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasCompare {
     bool value_global;
 } DisasCompare;
 
+void unallocated_encoding(DisasContext *s);
+
 /* Share the TCG temporaries common between 32 and 64 bit modes.  */
 extern TCGv_i32 cpu_NF, cpu_ZF, cpu_CF, cpu_VF;
 extern TCGv_i64 cpu_exclusive_addr;
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_goto_tb(DisasContext *s, int n, uint64_t dest)
     }
 }
 
-void unallocated_encoding(DisasContext *s)
-{
-    /* Unallocated and reserved encodings are uncategorized */
-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                       default_exception_el(s));
-}
-
 static void init_tmp_a64_array(DisasContext *s)
 {
 #ifdef CONFIG_DEBUG_TCG
diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.inc.c
+++ b/target/arm/translate-vfp.inc.c
@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
 
     if (!s->vfp_enabled && !ignore_vfp_enabled) {
         assert(!arm_dc_feature(s, ARM_FEATURE_M));
-        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                           default_exception_el(s));
+        unallocated_encoding(s);
         return false;
     }
 
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syn)
     s->base.is_jmp = DISAS_NORETURN;
 }
 
+void unallocated_encoding(DisasContext *s)
+{
+    /* Unallocated and reserved encodings are uncategorized */
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
+                       default_exception_el(s));
+}
+
 /* Force a TB lookup after an instruction that changes the CPU state.  */
 static inline void gen_lookup_tb(DisasContext *s)
 {
@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
         return;
     }
 
-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                       default_exception_el(s));
+    unallocated_encoding(s);
 }
 
 static inline void gen_add_data_offset(DisasContext *s, unsigned int insn,
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
     }
 
     if (undef) {
-        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                           default_exception_el(s));
+        unallocated_encoding(s);
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             break;
         default:
         illegal_op:
-            gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                               default_exception_el(s));
+            unallocated_encoding(s);
             break;
         }
     }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
     }
     return;
 illegal_op:
-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                       default_exception_el(s));
+    unallocated_encoding(s);
 }
 
 static void disas_thumb_insn(DisasContext *s, uint32_t insn)
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
     return;
 illegal_op:
 undef:
-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                       default_exception_el(s));
+    unallocated_encoding(s);
 }
 
 static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Replace x = double_saturate(y) with x = add_saturate(y, y).
There is no need for a separate more specialized helper.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190807045335.1361-12-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.h    |  1 -
 target/arm/op_helper.c | 15 ---------------
 target/arm/translate.c |  4 ++--
 3 files changed, 2 insertions(+), 18 deletions(-)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_3(add_saturate, i32, env, i32, i32)
 DEF_HELPER_3(sub_saturate, i32, env, i32, i32)
 DEF_HELPER_3(add_usaturate, i32, env, i32, i32)
 DEF_HELPER_3(sub_usaturate, i32, env, i32, i32)
-DEF_HELPER_2(double_saturate, i32, env, s32)
 DEF_HELPER_FLAGS_2(sdiv, TCG_CALL_NO_RWG_SE, s32, s32, s32)
 DEF_HELPER_FLAGS_2(udiv, TCG_CALL_NO_RWG_SE, i32, i32, i32)
 DEF_HELPER_FLAGS_1(rbit, TCG_CALL_NO_RWG_SE, i32, i32)
diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/op_helper.c
+++ b/target/arm/op_helper.c
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(sub_saturate)(CPUARMState *env, uint32_t a, uint32_t b)
     return res;
 }
 
-uint32_t HELPER(double_saturate)(CPUARMState *env, int32_t val)
-{
-    uint32_t res;
-    if (val >= 0x40000000) {
-        res = ~SIGNBIT;
-        env->QF = 1;
-    } else if (val <= (int32_t)0xc0000000) {
-        res = SIGNBIT;
-        env->QF = 1;
-    } else {
-        res = val << 1;
-    }
-    return res;
-}
-
 uint32_t HELPER(add_usaturate)(CPUARMState *env, uint32_t a, uint32_t b)
 {
     uint32_t res = a + b;
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             tmp = load_reg(s, rm);
             tmp2 = load_reg(s, rn);
             if (op1 & 2)
-                gen_helper_double_saturate(tmp2, cpu_env, tmp2);
+                gen_helper_add_saturate(tmp2, cpu_env, tmp2, tmp2);
             if (op1 & 1)
                 gen_helper_sub_saturate(tmp, cpu_env, tmp, tmp2);
             else
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                 tmp = load_reg(s, rn);
                 tmp2 = load_reg(s, rm);
                 if (op & 1)
-                    gen_helper_double_saturate(tmp, cpu_env, tmp);
+                    gen_helper_add_saturate(tmp, cpu_env, tmp, tmp);
                 if (op & 2)
                     gen_helper_sub_saturate(tmp, cpu_env, tmp2, tmp);
                 else
-- 
2.20.1

From: Andrew Jones <drjones@redhat.com>

If -cpu <cpu>,aarch64=off is used then KVM must also be used, and it
and the host must support running the vcpu in 32-bit mode. Also, if
-cpu <cpu>,aarch64=on is used, then it doesn't matter if kvm is
enabled or not.

Signed-off-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/kvm_arm.h | 14 ++++++++++++++
 target/arm/cpu64.c   | 12 ++++++------
 target/arm/kvm64.c   |  9 +++++++++
 3 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm_arm.h
+++ b/target/arm/kvm_arm.h
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf);
  */
 void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu);
 
+/**
+ * kvm_arm_aarch32_supported:
+ * @cs: CPUState
+ *
+ * Returns: true if the KVM VCPU can enable AArch32 mode
+ * and false otherwise.
+ */
+bool kvm_arm_aarch32_supported(CPUState *cs);
+
 /**
  * kvm_arm_get_max_vm_ipa_size - Returns the number of bits in the
  * IPA address space supported by KVM
@@ -XXX,XX +XXX,XX @@ static inline void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu)
     cpu->host_cpu_probe_failed = true;
 }
 
+static inline bool kvm_arm_aarch32_supported(CPUState *cs)
+{
+    return false;
+}
+
 static inline int kvm_arm_get_max_vm_ipa_size(MachineState *ms)
 {
     return -ENOENT;
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_set_aarch64(Object *obj, bool value, Error **errp)
      * restriction allows us to avoid fixing up functionality that assumes a
      * uniform execution state like do_interrupt.
      */
-    if (!kvm_enabled()) {
-        error_setg(errp, "'aarch64' feature cannot be disabled "
-                         "unless KVM is enabled");
-        return;
-    }
-
     if (value == false) {
+        if (!kvm_enabled() || !kvm_arm_aarch32_supported(CPU(cpu))) {
+            error_setg(errp, "'aarch64' feature cannot be disabled "
+                             "unless KVM is enabled and 32-bit EL1 "
+                             "is supported");
+            return;
+        }
         unset_feature(&cpu->env, ARM_FEATURE_AARCH64);
     } else {
         set_feature(&cpu->env, ARM_FEATURE_AARCH64);
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@
 #include "exec/gdbstub.h"
 #include "sysemu/sysemu.h"
 #include "sysemu/kvm.h"
+#include "sysemu/kvm_int.h"
 #include "kvm_arm.h"
+#include "hw/boards.h"
 #include "internals.h"
 
 static bool have_guest_debug;
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
     return true;
 }
 
+bool kvm_arm_aarch32_supported(CPUState *cpu)
+{
+    KVMState *s = KVM_STATE(current_machine->accelerator);
+
+    return kvm_check_extension(s, KVM_CAP_ARM_EL1_32BIT);
+}
+
 #define ARM_CPU_ID_MPIDR       3, 0, 0, 0, 5
 
 int kvm_arch_init_vcpu(CPUState *cs)
-- 
2.20.1

From: Andrew Jones <drjones@redhat.com>

We first convert the pmu property from a static property to one with
its own accessors. Then we use the set accessor to check if the PMU is
supported when using KVM. Indeed a 32-bit KVM host does not support
the PMU, so this check will catch an attempt to use it at property-set
time.

Signed-off-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/kvm_arm.h | 14 ++++++++++++++
 target/arm/cpu.c     | 30 +++++++++++++++++++++++++-----
 target/arm/kvm.c     |  7 +++++++
 3 files changed, 46 insertions(+), 5 deletions(-)

diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm_arm.h
+++ b/target/arm/kvm_arm.h
@@ -XXX,XX +XXX,XX @@ void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu);
  */
 bool kvm_arm_aarch32_supported(CPUState *cs);
 
+/**
+ * bool kvm_arm_pmu_supported:
+ * @cs: CPUState
+ *
+ * Returns: true if the KVM VCPU can enable its PMU
+ * and false otherwise.
+ */
+bool kvm_arm_pmu_supported(CPUState *cs);
+
 /**
  * kvm_arm_get_max_vm_ipa_size - Returns the number of bits in the
  * IPA address space supported by KVM
@@ -XXX,XX +XXX,XX @@ static inline bool kvm_arm_aarch32_supported(CPUState *cs)
     return false;
 }
 
+static inline bool kvm_arm_pmu_supported(CPUState *cs)
+{
+    return false;
+}
+
 static inline int kvm_arm_get_max_vm_ipa_size(MachineState *ms)
 {
     return -ENOENT;
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static Property arm_cpu_has_el3_property =
 static Property arm_cpu_cfgend_property =
             DEFINE_PROP_BOOL("cfgend", ARMCPU, cfgend, false);
 
-/* use property name "pmu" to match other archs and virt tools */
-static Property arm_cpu_has_pmu_property =
-            DEFINE_PROP_BOOL("pmu", ARMCPU, has_pmu, true);
-
 static Property arm_cpu_has_vfp_property =
             DEFINE_PROP_BOOL("vfp", ARMCPU, has_vfp, true);
 
@@ -XXX,XX +XXX,XX @@ static Property arm_cpu_pmsav7_dregion_property =
                                            pmsav7_dregion,
                                            qdev_prop_uint32, uint32_t);
 
+static bool arm_get_pmu(Object *obj, Error **errp)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    return cpu->has_pmu;
+}
+
+static void arm_set_pmu(Object *obj, bool value, Error **errp)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    if (value) {
+        if (kvm_enabled() && !kvm_arm_pmu_supported(CPU(cpu))) {
+            error_setg(errp, "'pmu' feature not supported by KVM on this host");
+            return;
+        }
+        set_feature(&cpu->env, ARM_FEATURE_PMU);
+    } else {
+        unset_feature(&cpu->env, ARM_FEATURE_PMU);
+    }
+    cpu->has_pmu = value;
+}
+
 static void arm_get_init_svtor(Object *obj, Visitor *v, const char *name,
                                void *opaque, Error **errp)
 {
@@ -XXX,XX +XXX,XX @@ void arm_cpu_post_init(Object *obj)
     }
 
     if (arm_feature(&cpu->env, ARM_FEATURE_PMU)) {
-        qdev_property_add_static(DEVICE(obj), &arm_cpu_has_pmu_property,
+        cpu->has_pmu = true;
+        object_property_add_bool(obj, "pmu", arm_get_pmu, arm_set_pmu,
                                  &error_abort);
     }
 
diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm.c
+++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@ void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu)
     env->features = arm_host_cpu_features.features;
 }
 
+bool kvm_arm_pmu_supported(CPUState *cpu)
+{
+    KVMState *s = KVM_STATE(current_machine->accelerator);
+
+    return kvm_check_extension(s, KVM_CAP_ARM_PMU_V3);
+}
+
 int kvm_arm_get_max_vm_ipa_size(MachineState *ms)
 {
     KVMState *s = KVM_STATE(ms->accelerator);
-- 
2.20.1

From: Andrew Jones <drjones@redhat.com>

The current implementation of ZCR_ELx matches the architecture, only
implementing the lower four bits, with the rest RAZ/WI. This puts
a strict limit on ARM_MAX_VQ of 16. Make sure we don't let ARM_MAX_VQ
grow without a corresponding update here.

Suggested-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void zcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
     int new_len;
 
     /* Bits other than [3:0] are RAZ/WI.  */
+    QEMU_BUILD_BUG_ON(ARM_MAX_VQ > 16);
     raw_write(env, ri, value & 0xf);
 
     /*
-- 
2.20.1

From: Andrew Jones <drjones@redhat.com>

A couple return -EINVAL's forgot their '-'s.

Signed-off-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/kvm64.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ int kvm_arch_put_registers(CPUState *cs, int level)
     write_cpustate_to_list(cpu, true);
 
     if (!write_list_to_kvmstate(cpu, level)) {
-        return EINVAL;
+        return -EINVAL;
     }
 
     kvm_arm_sync_mpstate_to_kvm(cpu);
@@ -XXX,XX +XXX,XX @@ int kvm_arch_get_registers(CPUState *cs)
     }
 
     if (!write_kvmstate_to_list(cpu)) {
-        return EINVAL;
+        return -EINVAL;
     }
     /* Note that it's OK to have registers which aren't in CPUState,
      * so we can ignore a failure return here.
-- 
2.20.1

From: Andrew Jones <drjones@redhat.com>

Move the getting/putting of the fpsimd registers out of
kvm_arch_get/put_registers() into their own helper functions
to prepare for alternatively getting/putting SVE registers.

No functional change.

Signed-off-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/kvm64.c | 148 +++++++++++++++++++++++++++------------------
 1 file changed, 88 insertions(+), 60 deletions(-)

diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ int kvm_arm_cpreg_level(uint64_t regidx)
 #define AARCH64_SIMD_CTRL_REG(x)   (KVM_REG_ARM64 | KVM_REG_SIZE_U32 | \
                  KVM_REG_ARM_CORE | KVM_REG_ARM_CORE_REG(x))
 
+static int kvm_arch_put_fpsimd(CPUState *cs)
+{
+    ARMCPU *cpu = ARM_CPU(cs);
+    CPUARMState *env = &cpu->env;
+    struct kvm_one_reg reg;
+    uint32_t fpr;
+    int i, ret;
+
+    for (i = 0; i < 32; i++) {
+        uint64_t *q = aa64_vfp_qreg(env, i);
+#ifdef HOST_WORDS_BIGENDIAN
+        uint64_t fp_val[2] = { q[1], q[0] };
+        reg.addr = (uintptr_t)fp_val;
+#else
+        reg.addr = (uintptr_t)q;
+#endif
+        reg.id = AARCH64_SIMD_CORE_REG(fp_regs.vregs[i]);
+        ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
+        if (ret) {
+            return ret;
+        }
+    }
+
+    reg.addr = (uintptr_t)(&fpr);
+    fpr = vfp_get_fpsr(env);
+    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
+    ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
+    if (ret) {
+        return ret;
+    }
+
+    reg.addr = (uintptr_t)(&fpr);
+    fpr = vfp_get_fpcr(env);
+    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
+    ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
+    if (ret) {
+        return ret;
+    }
+
+    return 0;
+}
+
 int kvm_arch_put_registers(CPUState *cs, int level)
 {
     struct kvm_one_reg reg;
-    uint32_t fpr;
     uint64_t val;
-    int i;
-    int ret;
+    int i, ret;
     unsigned int el;
 
     ARMCPU *cpu = ARM_CPU(cs);
@@ -XXX,XX +XXX,XX @@ int kvm_arch_put_registers(CPUState *cs, int level)
         }
     }
 
-    /* Advanced SIMD and FP registers. */
-    for (i = 0; i < 32; i++) {
-        uint64_t *q = aa64_vfp_qreg(env, i);
-#ifdef HOST_WORDS_BIGENDIAN
-        uint64_t fp_val[2] = { q[1], q[0] };
-        reg.addr = (uintptr_t)fp_val;
-#else
-        reg.addr = (uintptr_t)q;
-#endif
-        reg.id = AARCH64_SIMD_CORE_REG(fp_regs.vregs[i]);
-        ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
-        if (ret) {
-            return ret;
-        }
-    }
-
-    reg.addr = (uintptr_t)(&fpr);
-    fpr = vfp_get_fpsr(env);
-    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
-    ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
-    if (ret) {
-        return ret;
-    }
-
-    fpr = vfp_get_fpcr(env);
-    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
-    ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
+    ret = kvm_arch_put_fpsimd(cs);
     if (ret) {
         return ret;
     }
@@ -XXX,XX +XXX,XX @@ int kvm_arch_put_registers(CPUState *cs, int level)
     return ret;
 }
 
+static int kvm_arch_get_fpsimd(CPUState *cs)
+{
+    ARMCPU *cpu = ARM_CPU(cs);
+    CPUARMState *env = &cpu->env;
+    struct kvm_one_reg reg;
+    uint32_t fpr;
+    int i, ret;
+
+    for (i = 0; i < 32; i++) {
+        uint64_t *q = aa64_vfp_qreg(env, i);
+        reg.id = AARCH64_SIMD_CORE_REG(fp_regs.vregs[i]);
+        reg.addr = (uintptr_t)q;
+        ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
+        if (ret) {
+            return ret;
+        } else {
+#ifdef HOST_WORDS_BIGENDIAN
+            uint64_t t;
+            t = q[0], q[0] = q[1], q[1] = t;
+#endif
+        }
+    }
+
+    reg.addr = (uintptr_t)(&fpr);
+    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
+    ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
+    if (ret) {
+        return ret;
+    }
+    vfp_set_fpsr(env, fpr);
+
+    reg.addr = (uintptr_t)(&fpr);
+    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
+    ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
+    if (ret) {
+        return ret;
+    }
+    vfp_set_fpcr(env, fpr);
+
+    return 0;
+}
+
 int kvm_arch_get_registers(CPUState *cs)
 {
     struct kvm_one_reg reg;
     uint64_t val;
-    uint32_t fpr;
     unsigned int el;
-    int i;
-    int ret;
+    int i, ret;
 
     ARMCPU *cpu = ARM_CPU(cs);
     CPUARMState *env = &cpu->env;
@@ -XXX,XX +XXX,XX @@ int kvm_arch_get_registers(CPUState *cs)
         env->spsr = env->banked_spsr[i];
     }
 
-    /* Advanced SIMD and FP registers */
-    for (i = 0; i < 32; i++) {
-        uint64_t *q = aa64_vfp_qreg(env, i);
-        reg.id = AARCH64_SIMD_CORE_REG(fp_regs.vregs[i]);
-        reg.addr = (uintptr_t)q;
-        ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
-        if (ret) {
-            return ret;
-        } else {
-#ifdef HOST_WORDS_BIGENDIAN
-            uint64_t t;
-            t = q[0], q[0] = q[1], q[1] = t;
-#endif
-        }
-    }
-
-    reg.addr = (uintptr_t)(&fpr);
-    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
-    ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
+    ret = kvm_arch_get_fpsimd(cs);
     if (ret) {
         return ret;
     }
-    vfp_set_fpsr(env, fpr);
-
-    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
-    ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
-    if (ret) {
-        return ret;
-    }
-    vfp_set_fpcr(env, fpr);
 
     ret = kvm_get_vcpu_events(cpu);
     if (ret) {
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Extract is a compact combination of shift + and.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190808202616.13782-2-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_sar(TCGv_i32 dest, TCGv_i32 t0, TCGv_i32 t1)
 
 static void shifter_out_im(TCGv_i32 var, int shift)
 {
-    if (shift == 0) {
-        tcg_gen_andi_i32(cpu_CF, var, 1);
-    } else {
-        tcg_gen_shri_i32(cpu_CF, var, shift);
-        if (shift != 31) {
-            tcg_gen_andi_i32(cpu_CF, cpu_CF, 1);
-        }
-    }
+    tcg_gen_extract_i32(cpu_CF, var, shift, 1);
 }
 
 /* Shift by immediate.  Includes special handling for shift == 0.  */
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Use deposit as the composit operation to merge the
bits from the two inputs.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190808202616.13782-3-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 26 ++++++++++----------------
 1 file changed, 10 insertions(+), 16 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                         shift = (insn >> 7) & 0x1f;
                         if (insn & (1 << 6)) {
                             /* pkhtb */
-                            if (shift == 0)
+                            if (shift == 0) {
                                 shift = 31;
+                            }
                             tcg_gen_sari_i32(tmp2, tmp2, shift);
-                            tcg_gen_andi_i32(tmp, tmp, 0xffff0000);
-                            tcg_gen_ext16u_i32(tmp2, tmp2);
+                            tcg_gen_deposit_i32(tmp, tmp, tmp2, 0, 16);
                         } else {
                             /* pkhbt */
-                            if (shift)
-                                tcg_gen_shli_i32(tmp2, tmp2, shift);
-                            tcg_gen_ext16u_i32(tmp, tmp);
-                            tcg_gen_andi_i32(tmp2, tmp2, 0xffff0000);
+                            tcg_gen_shli_i32(tmp2, tmp2, shift);
+                            tcg_gen_deposit_i32(tmp, tmp2, tmp, 0, 16);
                         }
-                        tcg_gen_or_i32(tmp, tmp, tmp2);
                         tcg_temp_free_i32(tmp2);
                         store_reg(s, rd, tmp);
                     } else if ((insn & 0x00200020) == 0x00200000) {
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
             shift = ((insn >> 10) & 0x1c) | ((insn >> 6) & 0x3);
             if (insn & (1 << 5)) {
                 /* pkhtb */
-                if (shift == 0)
+                if (shift == 0) {
                     shift = 31;
+                }
                 tcg_gen_sari_i32(tmp2, tmp2, shift);
-                tcg_gen_andi_i32(tmp, tmp, 0xffff0000);
-                tcg_gen_ext16u_i32(tmp2, tmp2);
+                tcg_gen_deposit_i32(tmp, tmp, tmp2, 0, 16);
             } else {
                 /* pkhbt */
-                if (shift)
-                    tcg_gen_shli_i32(tmp2, tmp2, shift);
-                tcg_gen_ext16u_i32(tmp, tmp);
-                tcg_gen_andi_i32(tmp2, tmp2, 0xffff0000);
+                tcg_gen_shli_i32(tmp2, tmp2, shift);
+                tcg_gen_deposit_i32(tmp, tmp2, tmp, 0, 16);
             }
-            tcg_gen_or_i32(tmp, tmp, tmp2);
             tcg_temp_free_i32(tmp2);
             store_reg(s, rd, tmp);
         } else {
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The immediate shift generator functions already test for,
and eliminate, the case of a shift by zero.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190808202616.13782-4-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                         shift = (insn >> 10) & 3;
                         /* ??? In many cases it's not necessary to do a
                            rotate, a shift is sufficient.  */
-                        if (shift != 0)
-                            tcg_gen_rotri_i32(tmp, tmp, shift * 8);
+                        tcg_gen_rotri_i32(tmp, tmp, shift * 8);
                         op1 = (insn >> 20) & 7;
                         switch (op1) {
                         case 0: gen_sxtb16(tmp);  break;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
             shift = (insn >> 4) & 3;
             /* ??? In many cases it's not necessary to do a
                rotate, a shift is sufficient.  */
-            if (shift != 0)
-                tcg_gen_rotri_i32(tmp, tmp, shift * 8);
+            tcg_gen_rotri_i32(tmp, tmp, shift * 8);
             op = (insn >> 20) & 7;
             switch (op) {
             case 0: gen_sxth(tmp);   break;
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                     case 7:
                         goto illegal_op;
                     default: /* Saturate.  */
-                        if (shift) {
-                            if (op & 1)
-                                tcg_gen_sari_i32(tmp, tmp, shift);
-                            else
-                                tcg_gen_shli_i32(tmp, tmp, shift);
+                        if (op & 1) {
+                            tcg_gen_sari_i32(tmp, tmp, shift);
+                        } else {
+                            tcg_gen_shli_i32(tmp, tmp, shift);
                         }
                         tmp2 = tcg_const_i32(imm);
                         if (op & 4) {
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                     goto illegal_op;
                 }
                 tmp = load_reg(s, rm);
-                if (shift) {
-                    tcg_gen_shli_i32(tmp, tmp, shift);
-                }
+                tcg_gen_shli_i32(tmp, tmp, shift);
                 tcg_gen_add_i32(addr, addr, tmp);
                 tcg_temp_free_i32(tmp);
                 break;
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The helper function is more documentary, and also already
handles the case of rotate by zero.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190808202616.13782-5-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                 /* CPSR = immediate */
                 val = insn & 0xff;
                 shift = ((insn >> 8) & 0xf) * 2;
-                if (shift)
-                    val = (val >> shift) | (val << (32 - shift));
+                val = ror32(val, shift);
                 i = ((insn & (1 << 22)) != 0);
                 if (gen_set_psr_im(s, msr_mask(s, (insn >> 16) & 0xf, i),
                                    i, val)) {
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             /* immediate operand */
             val = insn & 0xff;
             shift = ((insn >> 8) & 0xf) * 2;
-            if (shift) {
-                val = (val >> shift) | (val << (32 - shift));
-            }
+            val = ror32(val, shift);
             tmp2 = tcg_temp_new_i32();
             tcg_gen_movi_i32(tmp2, val);
             if (logic_cc && shift) {
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Rotate is the more compact and obvious way to swap 16-bit
elements of a 32-bit word.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190808202616.13782-6-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static TCGv_i64 gen_muls_i64_i32(TCGv_i32 a, TCGv_i32 b)
 /* Swap low and high halfwords.  */
 static void gen_swap_half(TCGv_i32 var)
 {
-    TCGv_i32 tmp = tcg_temp_new_i32();
-    tcg_gen_shri_i32(tmp, var, 16);
-    tcg_gen_shli_i32(var, var, 16);
-    tcg_gen_or_i32(var, var, tmp);
-    tcg_temp_free_i32(tmp);
+    tcg_gen_rotri_i32(var, var, 16);
 }
 
 /* Dual 16-bit add.  Result placed in t0 and t1 is marked as dead.
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

All of the inputs to these instructions are 32-bits.  Rather than
extend each input to 64-bits and then extract the high 32-bits of
the output, use tcg_gen_muls2_i32 and other 32-bit generator functions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190808202616.13782-7-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 72 +++++++++++++++---------------------------
 1 file changed, 26 insertions(+), 46 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_revsh(TCGv_i32 var)
     tcg_gen_ext16s_i32(var, var);
 }
 
-/* Return (b << 32) + a. Mark inputs as dead */
-static TCGv_i64 gen_addq_msw(TCGv_i64 a, TCGv_i32 b)
-{
-    TCGv_i64 tmp64 = tcg_temp_new_i64();
-
-    tcg_gen_extu_i32_i64(tmp64, b);
-    tcg_temp_free_i32(b);
-    tcg_gen_shli_i64(tmp64, tmp64, 32);
-    tcg_gen_add_i64(a, tmp64, a);
-
-    tcg_temp_free_i64(tmp64);
-    return a;
-}
-
-/* Return (b << 32) - a. Mark inputs as dead. */
-static TCGv_i64 gen_subq_msw(TCGv_i64 a, TCGv_i32 b)
-{
-    TCGv_i64 tmp64 = tcg_temp_new_i64();
-
-    tcg_gen_extu_i32_i64(tmp64, b);
-    tcg_temp_free_i32(b);
-    tcg_gen_shli_i64(tmp64, tmp64, 32);
-    tcg_gen_sub_i64(a, tmp64, a);
-
-    tcg_temp_free_i64(tmp64);
-    return a;
-}
-
 /* 32x32->64 multiply.  Marks inputs as dead.  */
 static TCGv_i64 gen_mulu_i64_i32(TCGv_i32 a, TCGv_i32 b)
 {
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                            (SMMUL, SMMLA, SMMLS) */
                         tmp = load_reg(s, rm);
                         tmp2 = load_reg(s, rs);
-                        tmp64 = gen_muls_i64_i32(tmp, tmp2);
+                        tcg_gen_muls2_i32(tmp2, tmp, tmp, tmp2);
 
                         if (rd != 15) {
-                            tmp = load_reg(s, rd);
+                            tmp3 = load_reg(s, rd);
                             if (insn & (1 << 6)) {
-                                tmp64 = gen_subq_msw(tmp64, tmp);
+                                tcg_gen_sub_i32(tmp, tmp, tmp3);
                             } else {
-                                tmp64 = gen_addq_msw(tmp64, tmp);
+                                tcg_gen_add_i32(tmp, tmp, tmp3);
                             }
+                            tcg_temp_free_i32(tmp3);
                         }
                         if (insn & (1 << 5)) {
-                            tcg_gen_addi_i64(tmp64, tmp64, 0x80000000u);
+                            /*
+                             * Adding 0x80000000 to the 64-bit quantity
+                             * means that we have carry in to the high
+                             * word when the low word has the high bit set.
+                             */
+                            tcg_gen_shri_i32(tmp2, tmp2, 31);
+                            tcg_gen_add_i32(tmp, tmp, tmp2);
                         }
-                        tcg_gen_shri_i64(tmp64, tmp64, 32);
-                        tmp = tcg_temp_new_i32();
-                        tcg_gen_extrl_i64_i32(tmp, tmp64);
-                        tcg_temp_free_i64(tmp64);
+                        tcg_temp_free_i32(tmp2);
                         store_reg(s, rn, tmp);
                         break;
                     case 0:
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                   }
                 break;
             case 5: case 6: /* 32 * 32 -> 32msb (SMMUL, SMMLA, SMMLS) */
-                tmp64 = gen_muls_i64_i32(tmp, tmp2);
+                tcg_gen_muls2_i32(tmp2, tmp, tmp, tmp2);
                 if (rs != 15) {
-                    tmp = load_reg(s, rs);
+                    tmp3 = load_reg(s, rs);
                     if (insn & (1 << 20)) {
-                        tmp64 = gen_addq_msw(tmp64, tmp);
+                        tcg_gen_add_i32(tmp, tmp, tmp3);
                     } else {
-                        tmp64 = gen_subq_msw(tmp64, tmp);
+                        tcg_gen_sub_i32(tmp, tmp, tmp3);
                     }
+                    tcg_temp_free_i32(tmp3);
                 }
                 if (insn & (1 << 4)) {
-                    tcg_gen_addi_i64(tmp64, tmp64, 0x80000000u);
+                    /*
+                     * Adding 0x80000000 to the 64-bit quantity
+                     * means that we have carry in to the high
+                     * word when the low word has the high bit set.
+                     */
+                    tcg_gen_shri_i32(tmp2, tmp2, 31);
+                    tcg_gen_add_i32(tmp, tmp, tmp2);
                 }
-                tcg_gen_shri_i64(tmp64, tmp64, 32);
-                tmp = tcg_temp_new_i32();
-                tcg_gen_extrl_i64_i32(tmp, tmp64);
-                tcg_temp_free_i64(tmp64);
+                tcg_temp_free_i32(tmp2);
                 break;
             case 7: /* Unsigned sum of absolute differences.  */
                 gen_helper_usad8(tmp, tmp, tmp2);
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Separate shift + extract low will result in one extra insn
for hosts like RISC-V, MIPS, and Sparc.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190808202616.13782-8-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static int disas_iwmmxt_insn(DisasContext *s, uint32_t insn)
             if (insn & ARM_CP_RW_BIT) {                         /* TMRRC */
                 iwmmxt_load_reg(cpu_V0, wrd);
                 tcg_gen_extrl_i64_i32(cpu_R[rdlo], cpu_V0);
-                tcg_gen_shri_i64(cpu_V0, cpu_V0, 32);
-                tcg_gen_extrl_i64_i32(cpu_R[rdhi], cpu_V0);
+                tcg_gen_extrh_i64_i32(cpu_R[rdhi], cpu_V0);
             } else {                                    /* TMCRR */
                 tcg_gen_concat_i32_i64(cpu_V0, cpu_R[rdlo], cpu_R[rdhi]);
                 iwmmxt_store_reg(cpu_V0, wrd);
@@ -XXX,XX +XXX,XX @@ static int disas_dsp_insn(DisasContext *s, uint32_t insn)
         if (insn & ARM_CP_RW_BIT) {                     /* MRA */
             iwmmxt_load_reg(cpu_V0, acc);
             tcg_gen_extrl_i64_i32(cpu_R[rdlo], cpu_V0);
-            tcg_gen_shri_i64(cpu_V0, cpu_V0, 32);
-            tcg_gen_extrl_i64_i32(cpu_R[rdhi], cpu_V0);
+            tcg_gen_extrh_i64_i32(cpu_R[rdhi], cpu_V0);
             tcg_gen_andi_i32(cpu_R[rdhi], cpu_R[rdhi], (1 << (40 - 32)) - 1);
         } else {                                        /* MAR */
             tcg_gen_concat_i32_i64(cpu_V0, cpu_R[rdlo], cpu_R[rdhi]);
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                                 gen_helper_neon_narrow_high_u16(tmp, cpu_V0);
                                 break;
                             case 2:
-                                tcg_gen_shri_i64(cpu_V0, cpu_V0, 32);
-                                tcg_gen_extrl_i64_i32(tmp, cpu_V0);
+                                tcg_gen_extrh_i64_i32(tmp, cpu_V0);
                                 break;
                             default: abort();
                             }
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                                 break;
                             case 2:
                                 tcg_gen_addi_i64(cpu_V0, cpu_V0, 1u << 31);
-                                tcg_gen_shri_i64(cpu_V0, cpu_V0, 32);
-                                tcg_gen_extrl_i64_i32(tmp, cpu_V0);
+                                tcg_gen_extrh_i64_i32(tmp, cpu_V0);
                                 break;
                             default: abort();
                             }
@@ -XXX,XX +XXX,XX @@ static int disas_coproc_insn(DisasContext *s, uint32_t insn)
                 tmp = tcg_temp_new_i32();
                 tcg_gen_extrl_i64_i32(tmp, tmp64);
                 store_reg(s, rt, tmp);
-                tcg_gen_shri_i64(tmp64, tmp64, 32);
                 tmp = tcg_temp_new_i32();
-                tcg_gen_extrl_i64_i32(tmp, tmp64);
+                tcg_gen_extrh_i64_i32(tmp, tmp64);
                 tcg_temp_free_i64(tmp64);
                 store_reg(s, rt2, tmp);
             } else {
@@ -XXX,XX +XXX,XX @@ static void gen_storeq_reg(DisasContext *s, int rlow, int rhigh, TCGv_i64 val)
     tcg_gen_extrl_i64_i32(tmp, val);
     store_reg(s, rlow, tmp);
     tmp = tcg_temp_new_i32();
-    tcg_gen_shri_i64(val, val, 32);
-    tcg_gen_extrl_i64_i32(tmp, val);
+    tcg_gen_extrh_i64_i32(tmp, val);
     store_reg(s, rhigh, tmp);
 }
 
-- 
2.20.1