Series comparison

-[Qemu-devel] [PULL 00/27] target-arm queue
+[PULL 0/5] target-arm queue
-The following changes since commit 0d3e41d5efd638a0c5682f6813b26448c3c51624:
+Just a few minor bugfixes, but we might as well get them in
 for rc0 tomorrow.
-  Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-pull-request' into staging (2019-02-14 17:42:25 +0000)
+-- PMM
 The following changes since commit 787f82407c5056a8b1097e39e53d01dd1abe406b:
   Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20200323' into staging (2020-03-23 15:38:30 +0000)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190214
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200323
-for you to fetch changes up to 497bc12b1b374ecd62903bf062229bd93f8924af:
+for you to fetch changes up to 550a04893c2bd4442211b353680b9a6408d94dba:
-  gdbstub: Send a reply to the vKill packet. (2019-02-14 18:45:49 +0000)
+  target/arm: Move computation of index in handle_simd_dupe (2020-03-23 17:22:30 +0000)
 ----------------------------------------------------------------
 target-arm queue:
- * gdbstub: Send a reply to the vKill packet
+ * target/arm: avoid undefined behaviour shift in watchpoint code
- * Improve codegen for neon min/max and saturating arithmetic
+ * target/arm: avoid undefined behaviour shift in handle_simd_dupe()
- * Fix a bug in clearing FPSCR exception status bits
+ * target/arm: add assert that immh != 0 in disas_simd_shift_imm()
- * hw/arm/armsse: Fix miswiring of expansion IRQs
+ * aspeed/smc: Fix DMA support for AST2600
- * hw/intc/armv7m_nvic: Allow byte accesses to SHPR1
+ * hw/arm/bcm283x: Correct the license text ('and' vs 'or')
  * MAINTAINERS: Remove Peter Crosthwaite from various entries
  * arm: Allow system registers for KVM guests to be changed by QEMU code
  * linux-user: support HWCAP_CPUID which exposes ID registers to user code
  * Fix bug in 128-bit cmpxchg for BE Arm guests
  * Implement (no-op) HACR_EL2
  * Fix CRn to be 14 for PMEVTYPER/PMEVCNTR
 ----------------------------------------------------------------
-Aaron Lindsay OS (1):
+Cédric Le Goater (1):
-      target/arm: Fix CRn to be 14 for PMEVTYPER/PMEVCNTR
+      aspeed/smc: Fix DMA support for AST2600
-Alex Bennée (5):
+Philippe Mathieu-Daudé (1):
-      target/arm: relax permission checks for HWCAP_CPUID registers
+      hw/arm/bcm283x: Correct the license text
       target/arm: expose CPUID registers to userspace
       target/arm: expose MPIDR_EL1 to userspace
       target/arm: expose remaining CPUID registers as RAZ
       linux-user/elfload: enable HWCAP_CPUID for AArch64
-Catherine Ho (1):
+Richard Henderson (3):
-      target/arm: Fix int128_make128 lo, hi order in paired_cmpxchg64_be
+      target/arm: Rearrange disabled check for watchpoints
       target/arm: Assert immh != 0 in disas_simd_shift_imm
       target/arm: Move computation of index in handle_simd_dupe
-Peter Maydell (5):
+ include/hw/arm/bcm2835_peripherals.h |  3 ++-
-      target/arm: Implement HACR_EL2
+ include/hw/arm/bcm2836.h             |  3 ++-
-      arm: Allow system registers for KVM guests to be changed by QEMU code
+ include/hw/char/bcm2835_aux.h        |  3 ++-
-      MAINTAINERS: Remove Peter Crosthwaite from various entries
+ include/hw/display/bcm2835_fb.h      |  3 ++-
-      hw/intc/armv7m_nvic: Allow byte accesses to SHPR1
+ include/hw/dma/bcm2835_dma.h         |  4 +++-
-      hw/arm/armsse: Fix miswiring of expansion IRQs
+ include/hw/intc/bcm2835_ic.h         |  4 +++-
  include/hw/intc/bcm2836_control.h    |  3 ++-
  include/hw/misc/bcm2835_mbox.h       |  4 +++-
  include/hw/misc/bcm2835_mbox_defs.h  |  4 +++-
  include/hw/misc/bcm2835_property.h   |  4 +++-
  hw/arm/aspeed_ast2600.c              |  6 ++++++
  hw/arm/bcm2835_peripherals.c         |  3 ++-
  hw/arm/bcm2836.c                     |  3 ++-
  hw/arm/raspi.c                       |  3 ++-
  hw/display/bcm2835_fb.c              |  1 -
  hw/dma/bcm2835_dma.c                 |  4 +++-
  hw/intc/bcm2835_ic.c                 |  4 ++--
  hw/intc/bcm2836_control.c            |  4 +++-
  hw/misc/bcm2835_mbox.c               |  4 +++-
  hw/misc/bcm2835_property.c           |  4 +++-
  hw/ssi/aspeed_smc.c                  | 15 +++++++++++++--
  target/arm/helper.c                  | 11 ++++++-----
  target/arm/translate-a64.c           |  6 +++++-
  hw/ssi/trace-events                  |  1 +
 files changed, 76 insertions(+), 28 deletions(-)
-Richard Henderson (14):
-      target/arm: Force result size into dp after operation
-      target/arm: Restructure disas_fp_int_conv
-      target/arm: Rely on optimization within tcg_gen_gvec_or
-      target/arm: Use vector minmax expanders for aarch64
-      target/arm: Use vector minmax expanders for aarch32
-      target/arm: Use tcg integer min/max primitives for neon
-      target/arm: Remove neon min/max helpers
-      target/arm: Fix vfp_gdb_get/set_reg vs FPSCR
-      target/arm: Fix arm_cpu_dump_state vs FPSCR
-      target/arm: Split out flags setting from vfp compares
-      target/arm: Fix set of bits kept in xregs[ARM_VFP_FPSCR]
-      target/arm: Split out FPSCR.QC to a vector field
-      target/arm: Use vector operations for saturation
-      target/arm: Add missing clear_tail calls
-Sandra Loosemore (1):
-      gdbstub: Send a reply to the vKill packet.
- target/arm/cpu.h           |  50 ++++++++-
- target/arm/helper.h        |  45 +++++---
- target/arm/translate.h     |   4 +
- gdbstub.c                  |   1 +
- hw/arm/armsse.c            |   2 +-
- hw/intc/armv7m_nvic.c      |   4 +-
- linux-user/elfload.c       |   1 +
- target/arm/helper-a64.c    |   4 +-
- target/arm/helper.c        | 228 ++++++++++++++++++++++++++++++++--------
- target/arm/kvm32.c         |  20 +---
- target/arm/kvm64.c         |   2 +
- target/arm/machine.c       |   2 +-
- target/arm/neon_helper.c   |  14 +--
- target/arm/translate-a64.c | 171 +++++++++++++++---------------
- target/arm/translate-sve.c |   6 +-
- target/arm/translate.c     | 251 ++++++++++++++++++++++++++++++++++-----------
- target/arm/vec_helper.c    | 134 +++++++++++++++++++++++-
- MAINTAINERS                |   4 -
-files changed, 687 insertions(+), 256 deletions(-)

-[Qemu-devel] [PULL 01/27] target/arm: Fix CRn to be 14 for PMEVTYPER/PMEVCNTR
+Deleted patch
-From: Aaron Lindsay OS <aaron@os.amperecomputing.com>
-This bug was introduced in:
-    commit 5ecdd3e47cadae83a62dc92b472f1fe163b56f59
-    target/arm: Finish implementation of PM[X]EVCNTR and PM[X]EVTYPER
-Signed-off-by: Aaron Lindsay <aaron@os.amperecomputing.com>
-Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>
-Reviewed-by: Laurent Desnogues <laurent.desnogues@gmail.com>
-Message-id: 20190205135129.19338-1-aaron@os.amperecomputing.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.c | 8 ++++----
-file changed, 4 insertions(+), 4 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-             char *pmevtyper_name = g_strdup_printf("PMEVTYPER%d", i);
-             char *pmevtyper_el0_name = g_strdup_printf("PMEVTYPER%d_EL0", i);
-             ARMCPRegInfo pmev_regs[] = {
--                { .name = pmevcntr_name, .cp = 15, .crn = 15,
-+                { .name = pmevcntr_name, .cp = 15, .crn = 14,
-                   .crm = 8 | (3 & (i >> 3)), .opc1 = 0, .opc2 = i & 7,
-                   .access = PL0_RW, .type = ARM_CP_IO | ARM_CP_ALIAS,
-                   .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn,
-                   .accessfn = pmreg_access },
-                 { .name = pmevcntr_el0_name, .state = ARM_CP_STATE_AA64,
--                  .opc0 = 3, .opc1 = 3, .crn = 15, .crm = 8 | (3 & (i >> 3)),
-+                  .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 8 | (3 & (i >> 3)),
-                   .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access,
-                   .type = ARM_CP_IO,
-                   .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn,
-                   .raw_readfn = pmevcntr_rawread,
-                   .raw_writefn = pmevcntr_rawwrite },
--                { .name = pmevtyper_name, .cp = 15, .crn = 15,
-+                { .name = pmevtyper_name, .cp = 15, .crn = 14,
-                   .crm = 12 | (3 & (i >> 3)), .opc1 = 0, .opc2 = i & 7,
-                   .access = PL0_RW, .type = ARM_CP_IO | ARM_CP_ALIAS,
-                   .readfn = pmevtyper_readfn, .writefn = pmevtyper_writefn,
-                   .accessfn = pmreg_access },
-                 { .name = pmevtyper_el0_name, .state = ARM_CP_STATE_AA64,
--                  .opc0 = 3, .opc1 = 3, .crn = 15, .crm = 12 | (3 & (i >> 3)),
-+                  .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 12 | (3 & (i >> 3)),
-                   .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access,
-                   .type = ARM_CP_IO,
-                   .readfn = pmevtyper_readfn, .writefn = pmevtyper_writefn,
---
-.20.1

-[Qemu-devel] [PULL 02/27] target/arm: Implement HACR_EL2
+Deleted patch
-HACR_EL2 is a register with IMPDEF behaviour, which allows
-implementation specific trapping to EL2. Implement it as RAZ/WI,
-since QEMU's implementation has no extra traps. This also
-matches what h/w implementations like Cortex-A53 and A57 do.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190205181218.8995-1-peter.maydell@linaro.org
----
- target/arm/helper.c | 6 ++++++
-file changed, 6 insertions(+)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el3_no_el2_cp_reginfo[] = {
-       .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,
-       .access = PL2_RW,
-       .type = ARM_CP_CONST, .resetvalue = 0 },
-+    { .name = "HACR_EL2", .state = ARM_CP_STATE_BOTH,
-+      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 7,
-+      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-     { .name = "ESR_EL2", .state = ARM_CP_STATE_BOTH,
-       .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 2, .opc2 = 0,
-       .access = PL2_RW,
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
-       .cp = 15, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,
-       .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.hcr_el2),
-       .writefn = hcr_writelow },
-+    { .name = "HACR_EL2", .state = ARM_CP_STATE_BOTH,
-+      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 7,
-+      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-     { .name = "ELR_EL2", .state = ARM_CP_STATE_AA64,
-       .type = ARM_CP_ALIAS,
-       .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 0, .opc2 = 1,
---
-.20.1

-[Qemu-devel] [PULL 03/27] target/arm: Fix int128_make128 lo, hi order in paired_cmpxchg64_be
+Deleted patch
-From: Catherine Ho <catherine.hecx@gmail.com>
-The lo,hi order is different from the comments. And in commit
-ec182c33379 ("target/arm: Convert to HAVE_CMPXCHG128"), it changes
-the original code logic. So just restore the old code logic before this
-commit:
-do_paired_cmpxchg64_be():
-    cmpv = int128_make128(env->exclusive_high, env->exclusive_val);
-    newv = int128_make128(new_hi, new_lo);
-This fixes a bug that would only be visible for big-endian
-AArch64 guest code.
-Fixes: 1ec182c33379 ("target/arm: Convert to HAVE_CMPXCHG128")
-Signed-off-by: Catherine Ho <catherine.hecx@gmail.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1548985244-24523-1-git-send-email-catherine.hecx@gmail.com
-[PMM: added note that bug only affects BE guests]
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper-a64.c | 4 ++--
-file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-a64.c
-+++ b/target/arm/helper-a64.c
-@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(paired_cmpxchg64_be)(CPUARMState *env, uint64_t addr,
-      * High and low need to be switched here because this is not actually a
-      * 128bit store but two doublewords stored consecutively
-      */
--    Int128 cmpv = int128_make128(env->exclusive_val, env->exclusive_high);
--    Int128 newv = int128_make128(new_lo, new_hi);
-+    Int128 cmpv = int128_make128(env->exclusive_high, env->exclusive_val);
-+    Int128 newv = int128_make128(new_hi, new_lo);
-     Int128 oldv;
-     uintptr_t ra = GETPC();
-     uint64_t o0, o1;
---
-.20.1

-[Qemu-devel] [PULL 04/27] target/arm: Force result size into dp after operation
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Rather than a complex set of cases testing for writeback,
-adjust DP after performing the operation.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190206052857.5077-2-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/translate.c | 32 ++++++++++++++++----------------
-file changed, 16 insertions(+), 16 deletions(-)
-diff --git a/target/arm/translate.c b/target/arm/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
-+++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static int disas_vfp_insn(DisasContext *s, uint32_t insn)
-                         tcg_gen_or_i32(tmp, tmp, tmp2);
-                         tcg_temp_free_i32(tmp2);
-                         gen_vfp_msr(tmp);
-+                        dp = 0; /* always a single precision result */
-                         break;
-                     }
-                     case 7: /* vcvtt.f16.f32, vcvtt.f16.f64 */
-@@ -XXX,XX +XXX,XX @@ static int disas_vfp_insn(DisasContext *s, uint32_t insn)
-                         tcg_gen_or_i32(tmp, tmp, tmp2);
-                         tcg_temp_free_i32(tmp2);
-                         gen_vfp_msr(tmp);
-+                        dp = 0; /* always a single precision result */
-                         break;
-                     }
-                     case 8: /* cmp */
-                         gen_vfp_cmp(dp);
-+                        dp = -1; /* no write back */
-                         break;
-                     case 9: /* cmpe */
-                         gen_vfp_cmpe(dp);
-+                        dp = -1; /* no write back */
-                         break;
-                     case 10: /* cmpz */
-                         gen_vfp_cmp(dp);
-+                        dp = -1; /* no write back */
-                         break;
-                     case 11: /* cmpez */
-                         gen_vfp_F1_ld0(dp);
-                         gen_vfp_cmpe(dp);
-+                        dp = -1; /* no write back */
-                         break;
-                     case 12: /* vrintr */
-                     {
-@@ -XXX,XX +XXX,XX @@ static int disas_vfp_insn(DisasContext *s, uint32_t insn)
-                         break;
-                     }
-                     case 15: /* single<->double conversion */
--                        if (dp)
-+                        if (dp) {
-                             gen_helper_vfp_fcvtsd(cpu_F0s, cpu_F0d, cpu_env);
--                        else
-+                        } else {
-                             gen_helper_vfp_fcvtds(cpu_F0d, cpu_F0s, cpu_env);
-+                        }
-+                        dp = !dp; /* result size is opposite */
-                         break;
-                     case 16: /* fuito */
-                         gen_vfp_uito(dp, 0);
-@@ -XXX,XX +XXX,XX @@ static int disas_vfp_insn(DisasContext *s, uint32_t insn)
-                         break;
-                     case 24: /* ftoui */
-                         gen_vfp_toui(dp, 0);
-+                        dp = 0; /* always an integer result */
-                         break;
-                     case 25: /* ftouiz */
-                         gen_vfp_touiz(dp, 0);
-+                        dp = 0; /* always an integer result */
-                         break;
-                     case 26: /* ftosi */
-                         gen_vfp_tosi(dp, 0);
-+                        dp = 0; /* always an integer result */
-                         break;
-                     case 27: /* ftosiz */
-                         gen_vfp_tosiz(dp, 0);
-+                        dp = 0; /* always an integer result */
-                         break;
-                     case 28: /* ftosh */
-                         if (!arm_dc_feature(s, ARM_FEATURE_VFP3)) {
-@@ -XXX,XX +XXX,XX @@ static int disas_vfp_insn(DisasContext *s, uint32_t insn)
-                     return 1;
-                 }
--                /* Write back the result.  */
--                if (op == 15 && (rn >= 8 && rn <= 11)) {
--                    /* Comparison, do nothing.  */
--                } else if (op == 15 && dp && ((rn & 0x1c) == 0x18 ||
--                                              (rn & 0x1e) == 0x6)) {
--                    /* VCVT double to int: always integer result.
--                     * VCVT double to half precision is always a single
--                     * precision result.
--                     */
--                    gen_mov_vreg_F0(0, rd);
--                } else if (op == 15 && rn == 15) {
--                    /* conversion */
--                    gen_mov_vreg_F0(!dp, rd);
--                } else {
-+                /* Write back the result, if any.  */
-+                if (dp >= 0) {
-                     gen_mov_vreg_F0(dp, rd);
-                 }
---
-.20.1

-[Qemu-devel] [PULL 27/27] gdbstub: Send a reply to the vKill packet.
+[PULL 1/5] hw/arm/bcm283x: Correct the license text
-From: Sandra Loosemore <sandra@codesourcery.com>
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
-Per the GDB remote protocol documentation
+The license is the 'GNU General Public License v2.0 or later',
+not 'and':
-https://sourceware.org/gdb/current/onlinedocs/gdb/Packets.html#index-vKill-packet
+  This program is free software; you can redistribute it and/ori
-the debug stub is expected to send a reply to the 'vKill' packet.  At
+  modify it under the terms of the GNU General Public License as
-least some versions of GDB crash if the gdb stub simply exits without
+  published by the Free Software Foundation; either version 2 of
-sending a reply.  This patch fixes QEMU's gdb stub to conform to the
+  the License, or (at your option) any later version.
-expected behavior.
+Fix the license comment.
-Note that QEMU's existing handling of the legacy 'k' packet is
-correct: in that case GDB does not expect a reply, and QEMU does not
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-send one.
+Message-id: 20200312213455.15854-1-philmd@redhat.com
 Signed-off-by: Sandra Loosemore <sandra@codesourcery.com>
 Message-id: 1550008033-26540-1-git-send-email-sandra@codesourcery.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- gdbstub.c | 1 +
+ include/hw/arm/bcm2835_peripherals.h | 3 ++-
-file changed, 1 insertion(+)
+ include/hw/arm/bcm2836.h             | 3 ++-
+ include/hw/char/bcm2835_aux.h        | 3 ++-
-diff --git a/gdbstub.c b/gdbstub.c
+ include/hw/display/bcm2835_fb.h      | 3 ++-
-index XXXXXXX..XXXXXXX 100644
+ include/hw/dma/bcm2835_dma.h         | 4 +++-
---- a/gdbstub.c
+ include/hw/intc/bcm2835_ic.h         | 4 +++-
-+++ b/gdbstub.c
+ include/hw/intc/bcm2836_control.h    | 3 ++-
-@@ -XXX,XX +XXX,XX @@ static int gdb_handle_packet(GDBState *s, const char *line_buf)
+ include/hw/misc/bcm2835_mbox.h       | 4 +++-
-             break;
+ include/hw/misc/bcm2835_mbox_defs.h  | 4 +++-
-         } else if (strncmp(p, "Kill;", 5) == 0) {
+ include/hw/misc/bcm2835_property.h   | 4 +++-
-             /* Kill the target */
+ hw/arm/bcm2835_peripherals.c         | 3 ++-
-+            put_packet(s, "OK");
+ hw/arm/bcm2836.c                     | 3 ++-
-             error_report("QEMU: Terminated via GDBstub");
+ hw/arm/raspi.c                       | 3 ++-
-             exit(0);
+ hw/display/bcm2835_fb.c              | 1 -
-         } else {
+ hw/dma/bcm2835_dma.c                 | 4 +++-
  hw/intc/bcm2835_ic.c                 | 4 ++--
  hw/intc/bcm2836_control.c            | 4 +++-
  hw/misc/bcm2835_mbox.c               | 4 +++-
  hw/misc/bcm2835_property.c           | 4 +++-
 files changed, 45 insertions(+), 20 deletions(-)
 diff --git a/include/hw/arm/bcm2835_peripherals.h b/include/hw/arm/bcm2835_peripherals.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/arm/bcm2835_peripherals.h
 +++ b/include/hw/arm/bcm2835_peripherals.h
@@ -XXX,XX +XXX,XX @@
   * Rasperry Pi 2 emulation and refactoring Copyright (c) 2015, Microsoft
   * Written by Andrew Baumann
   *
 - * This code is licensed under the GNU GPLv2 and later.
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
   */
  #ifndef BCM2835_PERIPHERALS_H
 diff --git a/include/hw/arm/bcm2836.h b/include/hw/arm/bcm2836.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/arm/bcm2836.h
 +++ b/include/hw/arm/bcm2836.h
@@ -XXX,XX +XXX,XX @@
   * Rasperry Pi 2 emulation and refactoring Copyright (c) 2015, Microsoft
   * Written by Andrew Baumann
   *
 - * This code is licensed under the GNU GPLv2 and later.
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
   */
  #ifndef BCM2836_H
 diff --git a/include/hw/char/bcm2835_aux.h b/include/hw/char/bcm2835_aux.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/char/bcm2835_aux.h
 +++ b/include/hw/char/bcm2835_aux.h
@@ -XXX,XX +XXX,XX @@
   * Rasperry Pi 2 emulation and refactoring Copyright (c) 2015, Microsoft
   * Written by Andrew Baumann
   *
 - * This code is licensed under the GNU GPLv2 and later.
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
   */
  #ifndef BCM2835_AUX_H
 diff --git a/include/hw/display/bcm2835_fb.h b/include/hw/display/bcm2835_fb.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/display/bcm2835_fb.h
 +++ b/include/hw/display/bcm2835_fb.h
@@ -XXX,XX +XXX,XX @@
   * Rasperry Pi 2 emulation and refactoring Copyright (c) 2015, Microsoft
   * Written by Andrew Baumann
   *
 - * This code is licensed under the GNU GPLv2 and later.
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
   */
  #ifndef BCM2835_FB_H
 diff --git a/include/hw/dma/bcm2835_dma.h b/include/hw/dma/bcm2835_dma.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/dma/bcm2835_dma.h
 +++ b/include/hw/dma/bcm2835_dma.h
@@ -XXX,XX +XXX,XX @@
  /*
   * Raspberry Pi emulation (c) 2012 Gregory Estrade
 - * This code is licensed under the GNU GPLv2 and later.
 + *
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
   */
  #ifndef BCM2835_DMA_H
 diff --git a/include/hw/intc/bcm2835_ic.h b/include/hw/intc/bcm2835_ic.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/intc/bcm2835_ic.h
 +++ b/include/hw/intc/bcm2835_ic.h
@@ -XXX,XX +XXX,XX @@
  /*
   * Raspberry Pi emulation (c) 2012 Gregory Estrade
 - * This code is licensed under the GNU GPLv2 and later.
 + *
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
   */
  #ifndef BCM2835_IC_H
 diff --git a/include/hw/intc/bcm2836_control.h b/include/hw/intc/bcm2836_control.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/intc/bcm2836_control.h
 +++ b/include/hw/intc/bcm2836_control.h
@@ -XXX,XX +XXX,XX @@
   * ARM Local Timer IRQ Copyright (c) 2019. Zoltán Baldaszti
   * Added basic IRQ_TIMER interrupt support
   *
 - * This code is licensed under the GNU GPLv2 and later.
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
   */
  #ifndef BCM2836_CONTROL_H
 diff --git a/include/hw/misc/bcm2835_mbox.h b/include/hw/misc/bcm2835_mbox.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/misc/bcm2835_mbox.h
 +++ b/include/hw/misc/bcm2835_mbox.h
@@ -XXX,XX +XXX,XX @@
  /*
   * Raspberry Pi emulation (c) 2012 Gregory Estrade
 - * This code is licensed under the GNU GPLv2 and later.
 + *
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
   */
  #ifndef BCM2835_MBOX_H
 diff --git a/include/hw/misc/bcm2835_mbox_defs.h b/include/hw/misc/bcm2835_mbox_defs.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/misc/bcm2835_mbox_defs.h
 +++ b/include/hw/misc/bcm2835_mbox_defs.h
@@ -XXX,XX +XXX,XX @@
  /*
   * Raspberry Pi emulation (c) 2012 Gregory Estrade
 - * This code is licensed under the GNU GPLv2 and later.
 + *
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
   */
  #ifndef BCM2835_MBOX_DEFS_H
 diff --git a/include/hw/misc/bcm2835_property.h b/include/hw/misc/bcm2835_property.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/misc/bcm2835_property.h
 +++ b/include/hw/misc/bcm2835_property.h
@@ -XXX,XX +XXX,XX @@
  /*
   * Raspberry Pi emulation (c) 2012 Gregory Estrade
 - * This code is licensed under the GNU GPLv2 and later.
 + *
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
   */
  #ifndef BCM2835_PROPERTY_H
 diff --git a/hw/arm/bcm2835_peripherals.c b/hw/arm/bcm2835_peripherals.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/bcm2835_peripherals.c
 +++ b/hw/arm/bcm2835_peripherals.c
@@ -XXX,XX +XXX,XX @@
   * Rasperry Pi 2 emulation and refactoring Copyright (c) 2015, Microsoft
   * Written by Andrew Baumann
   *
 - * This code is licensed under the GNU GPLv2 and later.
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
   */
  #include "qemu/osdep.h"
 diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/bcm2836.c
 +++ b/hw/arm/bcm2836.c
@@ -XXX,XX +XXX,XX @@
   * Rasperry Pi 2 emulation and refactoring Copyright (c) 2015, Microsoft
   * Written by Andrew Baumann
   *
 - * This code is licensed under the GNU GPLv2 and later.
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
   */
  #include "qemu/osdep.h"
 diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/raspi.c
 +++ b/hw/arm/raspi.c
@@ -XXX,XX +XXX,XX @@
   * Raspberry Pi 3 emulation Copyright (c) 2018 Zoltán Baldaszti
   * Upstream code cleanup (c) 2018 Pekka Enberg
   *
 - * This code is licensed under the GNU GPLv2 and later.
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
   */
  #include "qemu/osdep.h"
 diff --git a/hw/display/bcm2835_fb.c b/hw/display/bcm2835_fb.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/display/bcm2835_fb.c
 +++ b/hw/display/bcm2835_fb.c
@@ -XXX,XX +XXX,XX @@
  /*
   * Raspberry Pi emulation (c) 2012 Gregory Estrade
   * Refactoring for Pi2 Copyright (c) 2015, Microsoft. Written by Andrew Baumann.
 - * This code is licensed under the GNU GPLv2 and later.
   *
   * Heavily based on milkymist-vgafb.c, copyright terms below:
   *  QEMU model of the Milkymist VGA framebuffer.
 diff --git a/hw/dma/bcm2835_dma.c b/hw/dma/bcm2835_dma.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/dma/bcm2835_dma.c
 +++ b/hw/dma/bcm2835_dma.c
@@ -XXX,XX +XXX,XX @@
  /*
   * Raspberry Pi emulation (c) 2012 Gregory Estrade
 - * This code is licensed under the GNU GPLv2 and later.
 + *
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
   */
  #include "qemu/osdep.h"
 diff --git a/hw/intc/bcm2835_ic.c b/hw/intc/bcm2835_ic.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/bcm2835_ic.c
 +++ b/hw/intc/bcm2835_ic.c
@@ -XXX,XX +XXX,XX @@
  /*
   * Raspberry Pi emulation (c) 2012 Gregory Estrade
   * Refactoring for Pi2 Copyright (c) 2015, Microsoft. Written by Andrew Baumann.
 - * This code is licensed under the GNU GPLv2 and later.
   * Heavily based on pl190.c, copyright terms below:
   *
   * Arm PrimeCell PL190 Vector Interrupt Controller
@@ -XXX,XX +XXX,XX @@
   * Copyright (c) 2006 CodeSourcery.
   * Written by Paul Brook
   *
 - * This code is licensed under the GPL.
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
   */
  #include "qemu/osdep.h"
 diff --git a/hw/intc/bcm2836_control.c b/hw/intc/bcm2836_control.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/bcm2836_control.c
 +++ b/hw/intc/bcm2836_control.c
@@ -XXX,XX +XXX,XX @@
   * Written by Andrew Baumann
   *
   * Based on bcm2835_ic.c (Raspberry Pi emulation) (c) 2012 Gregory Estrade
 - * This code is licensed under the GNU GPLv2 and later.
   *
   * At present, only implements interrupt routing, and mailboxes (i.e.,
   * not PMU interrupt, or AXI counters).
@@ -XXX,XX +XXX,XX @@
   *
   * Ref:
   * https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2836/QA7_rev3.4.pdf
 + *
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
   */
  #include "qemu/osdep.h"
 diff --git a/hw/misc/bcm2835_mbox.c b/hw/misc/bcm2835_mbox.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/misc/bcm2835_mbox.c
 +++ b/hw/misc/bcm2835_mbox.c
@@ -XXX,XX +XXX,XX @@
  /*
   * Raspberry Pi emulation (c) 2012 Gregory Estrade
 - * This code is licensed under the GNU GPLv2 and later.
   *
   * This file models the system mailboxes, which are used for
   * communication with low-bandwidth GPU peripherals. Refs:
   *   https://github.com/raspberrypi/firmware/wiki/Mailboxes
   *   https://github.com/raspberrypi/firmware/wiki/Accessing-mailboxes
 + *
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
   */
  #include "qemu/osdep.h"
 diff --git a/hw/misc/bcm2835_property.c b/hw/misc/bcm2835_property.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/misc/bcm2835_property.c
 +++ b/hw/misc/bcm2835_property.c
@@ -XXX,XX +XXX,XX @@
  /*
   * Raspberry Pi emulation (c) 2012 Gregory Estrade
 - * This code is licensed under the GNU GPLv2 and later.
 + *
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
   */
  #include "qemu/osdep.h"
 --
 .20.1

-[Qemu-devel] [PULL 26/27] target/arm: Add missing clear_tail calls
+[PULL 2/5] aspeed/smc: Fix DMA support for AST2600
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Cédric Le Goater <clg@kaod.org>
-Fortunately, the functions affected are so far only called from SVE,
+Recent firmwares uses SPI DMA transfers in U-Boot to load the
-so there is no tail to be cleared.  But as we convert more of AdvSIMD
+different images (kernel, initrd, dtb) in the SoC DRAM. The AST2600
-to gvec, this will matter.
+FMC model is missing the masks to be applied on the DMA registers
 which resulted in incorrect values. Fix that and wire the SPI
 controllers which have DMA support on the AST2600.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Fixes: bcaa8ddd081c ("aspeed/smc: Add AST2600 support")
-Message-id: 20190209033847.9014-13-richard.henderson@linaro.org
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Joel Stanley <joel@jms.id.au>
 Message-id: 20200320053923.20565-1-clg@kaod.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/vec_helper.c | 2 ++
+ hw/arm/aspeed_ast2600.c |  6 ++++++
-file changed, 2 insertions(+)
+ hw/ssi/aspeed_smc.c     | 15 +++++++++++++--
  hw/ssi/trace-events     |  1 +
 files changed, 20 insertions(+), 2 deletions(-)
-diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
+diff --git a/hw/arm/aspeed_ast2600.c b/hw/arm/aspeed_ast2600.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/vec_helper.c
+--- a/hw/arm/aspeed_ast2600.c
-+++ b/target/arm/vec_helper.c
++++ b/hw/arm/aspeed_ast2600.c
-@@ -XXX,XX +XXX,XX @@ void HELPER(NAME)(void *vd, void *vn, void *stat, uint32_t desc)  \
+@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_ast2600_realize(DeviceState *dev, Error **errp)
-     for (i = 0; i < oprsz / sizeof(TYPE); i++) {                  \
-         d[i] = FUNC(n[i], stat);                                  \
+     /* SPI */
-     }                                                             \
+     for (i = 0; i < sc->spis_num; i++) {
-+    clear_tail(d, oprsz, simd_maxsz(desc));                       \
++        object_property_set_link(OBJECT(&s->spi[i]), OBJECT(s->dram_mr),
- }
++                                 "dram", &err);
++        if (err) {
- DO_2OP(gvec_frecpe_h, helper_recpe_f16, float16)
++            error_propagate(errp, err);
-@@ -XXX,XX +XXX,XX @@ void HELPER(NAME)(void *vd, void *vn, void *vm, void *stat, uint32_t desc) \
++            return;
-     for (i = 0; i < oprsz / sizeof(TYPE); i++) {                           \
++        }
-         d[i] = FUNC(n[i], m[i], stat);                                     \
+         object_property_set_int(OBJECT(&s->spi[i]), 1, "num-cs", &err);
-     }                                                                      \
+         object_property_set_bool(OBJECT(&s->spi[i]), true, "realized",
-+    clear_tail(d, oprsz, simd_maxsz(desc));                                \
+                                  &local_err);
- }
+diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
+index XXXXXXX..XXXXXXX 100644
- DO_3OP(gvec_fadd_h, float16_add, float16)
+--- a/hw/ssi/aspeed_smc.c
 +++ b/hw/ssi/aspeed_smc.c
@@ -XXX,XX +XXX,XX @@ static const AspeedSMCController controllers[] = {
          .flash_window_base = ASPEED26_SOC_FMC_FLASH_BASE,
          .flash_window_size = 0x10000000,
          .has_dma           = true,
 +        .dma_flash_mask    = 0x0FFFFFFC,
 +        .dma_dram_mask     = 0x3FFFFFFC,
          .nregs             = ASPEED_SMC_R_MAX,
          .segment_to_reg    = aspeed_2600_smc_segment_to_reg,
          .reg_to_segment    = aspeed_2600_smc_reg_to_segment,
@@ -XXX,XX +XXX,XX @@ static const AspeedSMCController controllers[] = {
          .segments          = aspeed_segments_ast2600_spi1,
          .flash_window_base = ASPEED26_SOC_SPI_FLASH_BASE,
          .flash_window_size = 0x10000000,
 -        .has_dma           = false,
 +        .has_dma           = true,
 +        .dma_flash_mask    = 0x0FFFFFFC,
 +        .dma_dram_mask     = 0x3FFFFFFC,
          .nregs             = ASPEED_SMC_R_MAX,
          .segment_to_reg    = aspeed_2600_smc_segment_to_reg,
          .reg_to_segment    = aspeed_2600_smc_reg_to_segment,
@@ -XXX,XX +XXX,XX @@ static const AspeedSMCController controllers[] = {
          .segments          = aspeed_segments_ast2600_spi2,
          .flash_window_base = ASPEED26_SOC_SPI2_FLASH_BASE,
          .flash_window_size = 0x10000000,
 -        .has_dma           = false,
 +        .has_dma           = true,
 +        .dma_flash_mask    = 0x0FFFFFFC,
 +        .dma_dram_mask     = 0x3FFFFFFC,
          .nregs             = ASPEED_SMC_R_MAX,
          .segment_to_reg    = aspeed_2600_smc_segment_to_reg,
          .reg_to_segment    = aspeed_2600_smc_reg_to_segment,
@@ -XXX,XX +XXX,XX @@ static void aspeed_smc_dma_rw(AspeedSMCState *s)
      MemTxResult result;
      uint32_t data;
 +    trace_aspeed_smc_dma_rw(s->regs[R_DMA_CTRL] & DMA_CTRL_WRITE ?
 +                            "write" : "read",
 +                            s->regs[R_DMA_FLASH_ADDR],
 +                            s->regs[R_DMA_DRAM_ADDR],
 +                            s->regs[R_DMA_LEN]);
      while (s->regs[R_DMA_LEN]) {
          if (s->regs[R_DMA_CTRL] & DMA_CTRL_WRITE) {
              data = address_space_ldl_le(&s->dram_as, s->regs[R_DMA_DRAM_ADDR],
 diff --git a/hw/ssi/trace-events b/hw/ssi/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/ssi/trace-events
 +++ b/hw/ssi/trace-events
@@ -XXX,XX +XXX,XX @@ aspeed_smc_do_snoop(int cs, int index, int dummies, int data) "CS%d index:0x%x d
  aspeed_smc_flash_write(int cs, uint64_t addr,  uint32_t size, uint64_t data, int mode) "CS%d @0x%" PRIx64 " size %u: 0x%" PRIx64" mode:%d"
  aspeed_smc_read(uint64_t addr,  uint32_t size, uint64_t data) "@0x%" PRIx64 " size %u: 0x%" PRIx64
  aspeed_smc_dma_checksum(uint32_t addr, uint32_t data) "0x%08x: 0x%08x"
 +aspeed_smc_dma_rw(const char *dir, uint32_t flash_addr, uint32_t dram_addr, uint32_t size) "%s flash:@0x%08x dram:@0x%08x size:0x%08x"
  aspeed_smc_write(uint64_t addr,  uint32_t size, uint64_t data) "@0x%" PRIx64 " size %u: 0x%" PRIx64
  aspeed_smc_flash_select(int cs, const char *prefix) "CS%d %sselect"
 --
 .20.1

-[Qemu-devel] [PULL 20/27] target/arm: Fix vfp_gdb_get/set_reg vs FPSCR
+[PULL 3/5] target/arm: Rearrange disabled check for watchpoints
 From: Richard Henderson <richard.henderson@linaro.org>
-The components of this register is stored in several
+Coverity rightly notes that ctz32(bas) on 0 will return 32,
-different locations.
+which makes the len calculation a BAD_SHIFT.
+A value of 0 in DBGWCR<n>_EL1.BAS is reserved.  Simply move
+the existing check we have for this case.
+Reported-by: Coverity (CID 1421964)
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190209033847.9014-7-richard.henderson@linaro.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 20200320160622.8040-2-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.c | 4 ++--
+ target/arm/helper.c | 11 ++++++-----
-file changed, 2 insertions(+), 2 deletions(-)
+file changed, 6 insertions(+), 5 deletions(-)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static int vfp_gdb_get_reg(CPUARMState *env, uint8_t *buf, int reg)
+@@ -XXX,XX +XXX,XX @@ void hw_watchpoint_update(ARMCPU *cpu, int n)
-     }
+         int bas = extract64(wcr, 5, 8);
-     switch (reg - nregs) {
+         int basstart;
-     case 0: stl_p(buf, env->vfp.xregs[ARM_VFP_FPSID]); return 4;
--    case 1: stl_p(buf, env->vfp.xregs[ARM_VFP_FPSCR]); return 4;
+-        if (bas == 0) {
-+    case 1: stl_p(buf, vfp_get_fpscr(env)); return 4;
+-            /* This must act as if the watchpoint is disabled */
-     case 2: stl_p(buf, env->vfp.xregs[ARM_VFP_FPEXC]); return 4;
+-            return;
-     }
+-        }
-     return 0;
+-
-@@ -XXX,XX +XXX,XX @@ static int vfp_gdb_set_reg(CPUARMState *env, uint8_t *buf, int reg)
+         if (extract64(wvr, 2, 1)) {
-     }
+             /* Deprecated case of an only 4-aligned address. BAS[7:4] are
-     switch (reg - nregs) {
+              * ignored, and BAS[3:0] define which bytes to watch.
-     case 0: env->vfp.xregs[ARM_VFP_FPSID] = ldl_p(buf); return 4;
+              */
--    case 1: env->vfp.xregs[ARM_VFP_FPSCR] = ldl_p(buf); return 4;
+             bas &= 0xf;
-+    case 1: vfp_set_fpscr(env, ldl_p(buf)); return 4;
+         }
-     case 2: env->vfp.xregs[ARM_VFP_FPEXC] = ldl_p(buf) & (1 << 30); return 4;
++
-     }
++        if (bas == 0) {
-     return 0;
++            /* This must act as if the watchpoint is disabled */
 +            return;
 +        }
 +
          /* The BAS bits are supposed to be programmed to indicate a contiguous
           * range of bytes. Otherwise it is CONSTRAINED UNPREDICTABLE whether
           * we fire for each byte in the word/doubleword addressed by the WVR.
 --
 .20.1

-[Qemu-devel] [PULL 25/27] target/arm: Use vector operations for saturation
+[PULL 4/5] target/arm: Assert immh != 0 in disas_simd_shift_imm
 From: Richard Henderson <richard.henderson@linaro.org>
-For same-sign saturation, we have tcg vector operations.  We can
+Coverity raised a shed-load of errors cascading from inferring
-compute the QC bit by comparing the saturated value against the
+that clz32(immh) might yield 32, from immh might be 0.
 unsaturated value.
+While immh cannot be 0 from encoding, it is not obvious even to
+a human how we've checked that: via the filtering provided by
+data_proc_simd[].
+Reported-by: Coverity (CID 1421923, and more)
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190209033847.9014-12-richard.henderson@linaro.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 20200320160622.8040-3-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.h        |  33 +++++++
+ target/arm/translate-a64.c | 3 +++
- target/arm/translate.h     |   4 +
+file changed, 3 insertions(+)
  target/arm/translate-a64.c |  36 ++++----
  target/arm/translate.c     | 172 +++++++++++++++++++++++++++++++------
  target/arm/vec_helper.c    | 130 ++++++++++++++++++++++++++++
 files changed, 331 insertions(+), 44 deletions(-)
-diff --git a/target/arm/helper.h b/target/arm/helper.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.h
-+++ b/target/arm/helper.h
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_6(gvec_fmla_idx_s, TCG_CALL_NO_RWG,
- DEF_HELPER_FLAGS_6(gvec_fmla_idx_d, TCG_CALL_NO_RWG,
-                    void, ptr, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_uqadd_b, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_uqadd_h, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_uqadd_s, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_uqadd_d, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_sqadd_b, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_sqadd_h, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_sqadd_s, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_sqadd_d, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_uqsub_b, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_uqsub_h, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_uqsub_s, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_uqsub_d, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_sqsub_b, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_sqsub_h, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_sqsub_s, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_sqsub_d, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+
- #ifdef TARGET_AARCH64
- #include "helper-a64.h"
- #include "helper-sve.h"
-diff --git a/target/arm/translate.h b/target/arm/translate.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.h
-+++ b/target/arm/translate.h
-@@ -XXX,XX +XXX,XX @@ extern const GVecGen2i ssra_op[4];
- extern const GVecGen2i usra_op[4];
- extern const GVecGen2i sri_op[4];
- extern const GVecGen2i sli_op[4];
-+extern const GVecGen4 uqadd_op[4];
-+extern const GVecGen4 sqadd_op[4];
-+extern const GVecGen4 uqsub_op[4];
-+extern const GVecGen4 sqsub_op[4];
- void gen_cmtst_i64(TCGv_i64 d, TCGv_i64 a, TCGv_i64 b);
- /*
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ static void disas_simd_shift_imm(DisasContext *s, uint32_t insn)
-     }
+     bool is_u = extract32(insn, 29, 1);
+     bool is_q = extract32(insn, 30, 1);
 +    /* data_proc_simd[] has sent immh == 0 to disas_simd_mod_imm. */
 +    assert(immh != 0);
 +
      switch (opcode) {
-+    case 0x01: /* SQADD, UQADD */
+     case 0x08: /* SRI */
-+        tcg_gen_gvec_4(vec_full_reg_offset(s, rd),
+         if (!is_u) {
 +                       offsetof(CPUARMState, vfp.qc),
 +                       vec_full_reg_offset(s, rn),
 +                       vec_full_reg_offset(s, rm),
 +                       is_q ? 16 : 8, vec_full_reg_size(s),
 +                       (u ? uqadd_op : sqadd_op) + size);
 +        return;
 +    case 0x05: /* SQSUB, UQSUB */
 +        tcg_gen_gvec_4(vec_full_reg_offset(s, rd),
 +                       offsetof(CPUARMState, vfp.qc),
 +                       vec_full_reg_offset(s, rn),
 +                       vec_full_reg_offset(s, rm),
 +                       is_q ? 16 : 8, vec_full_reg_size(s),
 +                       (u ? uqsub_op : sqsub_op) + size);
 +        return;
      case 0x0c: /* SMAX, UMAX */
          if (u) {
              gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_umax, size);
@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
                  genfn = fns[size][u];
                  break;
              }
 -            case 0x1: /* SQADD, UQADD */
 -            {
 -                static NeonGenTwoOpEnvFn * const fns[3][2] = {
 -                    { gen_helper_neon_qadd_s8, gen_helper_neon_qadd_u8 },
 -                    { gen_helper_neon_qadd_s16, gen_helper_neon_qadd_u16 },
 -                    { gen_helper_neon_qadd_s32, gen_helper_neon_qadd_u32 },
 -                };
 -                genenvfn = fns[size][u];
 -                break;
 -            }
              case 0x2: /* SRHADD, URHADD */
              {
                  static NeonGenTwoOpFn * const fns[3][2] = {
@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
                  genfn = fns[size][u];
                  break;
              }
 -            case 0x5: /* SQSUB, UQSUB */
 -            {
 -                static NeonGenTwoOpEnvFn * const fns[3][2] = {
 -                    { gen_helper_neon_qsub_s8, gen_helper_neon_qsub_u8 },
 -                    { gen_helper_neon_qsub_s16, gen_helper_neon_qsub_u16 },
 -                    { gen_helper_neon_qsub_s32, gen_helper_neon_qsub_u32 },
 -                };
 -                genenvfn = fns[size][u];
 -                break;
 -            }
              case 0x8: /* SSHL, USHL */
              {
                  static NeonGenTwoOpFn * const fns[3][2] = {
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ const GVecGen3 cmtst_op[4] = {
        .vece = MO_64 },
  };
 +static void gen_uqadd_vec(unsigned vece, TCGv_vec t, TCGv_vec sat,
 +                          TCGv_vec a, TCGv_vec b)
 +{
 +    TCGv_vec x = tcg_temp_new_vec_matching(t);
 +    tcg_gen_add_vec(vece, x, a, b);
 +    tcg_gen_usadd_vec(vece, t, a, b);
 +    tcg_gen_cmp_vec(TCG_COND_NE, vece, x, x, t);
 +    tcg_gen_or_vec(vece, sat, sat, x);
 +    tcg_temp_free_vec(x);
 +}
 +
 +const GVecGen4 uqadd_op[4] = {
 +    { .fniv = gen_uqadd_vec,
 +      .fno = gen_helper_gvec_uqadd_b,
 +      .opc = INDEX_op_usadd_vec,
 +      .write_aofs = true,
 +      .vece = MO_8 },
 +    { .fniv = gen_uqadd_vec,
 +      .fno = gen_helper_gvec_uqadd_h,
 +      .opc = INDEX_op_usadd_vec,
 +      .write_aofs = true,
 +      .vece = MO_16 },
 +    { .fniv = gen_uqadd_vec,
 +      .fno = gen_helper_gvec_uqadd_s,
 +      .opc = INDEX_op_usadd_vec,
 +      .write_aofs = true,
 +      .vece = MO_32 },
 +    { .fniv = gen_uqadd_vec,
 +      .fno = gen_helper_gvec_uqadd_d,
 +      .opc = INDEX_op_usadd_vec,
 +      .write_aofs = true,
 +      .vece = MO_64 },
 +};
 +
 +static void gen_sqadd_vec(unsigned vece, TCGv_vec t, TCGv_vec sat,
 +                          TCGv_vec a, TCGv_vec b)
 +{
 +    TCGv_vec x = tcg_temp_new_vec_matching(t);
 +    tcg_gen_add_vec(vece, x, a, b);
 +    tcg_gen_ssadd_vec(vece, t, a, b);
 +    tcg_gen_cmp_vec(TCG_COND_NE, vece, x, x, t);
 +    tcg_gen_or_vec(vece, sat, sat, x);
 +    tcg_temp_free_vec(x);
 +}
 +
 +const GVecGen4 sqadd_op[4] = {
 +    { .fniv = gen_sqadd_vec,
 +      .fno = gen_helper_gvec_sqadd_b,
 +      .opc = INDEX_op_ssadd_vec,
 +      .write_aofs = true,
 +      .vece = MO_8 },
 +    { .fniv = gen_sqadd_vec,
 +      .fno = gen_helper_gvec_sqadd_h,
 +      .opc = INDEX_op_ssadd_vec,
 +      .write_aofs = true,
 +      .vece = MO_16 },
 +    { .fniv = gen_sqadd_vec,
 +      .fno = gen_helper_gvec_sqadd_s,
 +      .opc = INDEX_op_ssadd_vec,
 +      .write_aofs = true,
 +      .vece = MO_32 },
 +    { .fniv = gen_sqadd_vec,
 +      .fno = gen_helper_gvec_sqadd_d,
 +      .opc = INDEX_op_ssadd_vec,
 +      .write_aofs = true,
 +      .vece = MO_64 },
 +};
 +
 +static void gen_uqsub_vec(unsigned vece, TCGv_vec t, TCGv_vec sat,
 +                          TCGv_vec a, TCGv_vec b)
 +{
 +    TCGv_vec x = tcg_temp_new_vec_matching(t);
 +    tcg_gen_sub_vec(vece, x, a, b);
 +    tcg_gen_ussub_vec(vece, t, a, b);
 +    tcg_gen_cmp_vec(TCG_COND_NE, vece, x, x, t);
 +    tcg_gen_or_vec(vece, sat, sat, x);
 +    tcg_temp_free_vec(x);
 +}
 +
 +const GVecGen4 uqsub_op[4] = {
 +    { .fniv = gen_uqsub_vec,
 +      .fno = gen_helper_gvec_uqsub_b,
 +      .opc = INDEX_op_ussub_vec,
 +      .write_aofs = true,
 +      .vece = MO_8 },
 +    { .fniv = gen_uqsub_vec,
 +      .fno = gen_helper_gvec_uqsub_h,
 +      .opc = INDEX_op_ussub_vec,
 +      .write_aofs = true,
 +      .vece = MO_16 },
 +    { .fniv = gen_uqsub_vec,
 +      .fno = gen_helper_gvec_uqsub_s,
 +      .opc = INDEX_op_ussub_vec,
 +      .write_aofs = true,
 +      .vece = MO_32 },
 +    { .fniv = gen_uqsub_vec,
 +      .fno = gen_helper_gvec_uqsub_d,
 +      .opc = INDEX_op_ussub_vec,
 +      .write_aofs = true,
 +      .vece = MO_64 },
 +};
 +
 +static void gen_sqsub_vec(unsigned vece, TCGv_vec t, TCGv_vec sat,
 +                          TCGv_vec a, TCGv_vec b)
 +{
 +    TCGv_vec x = tcg_temp_new_vec_matching(t);
 +    tcg_gen_sub_vec(vece, x, a, b);
 +    tcg_gen_sssub_vec(vece, t, a, b);
 +    tcg_gen_cmp_vec(TCG_COND_NE, vece, x, x, t);
 +    tcg_gen_or_vec(vece, sat, sat, x);
 +    tcg_temp_free_vec(x);
 +}
 +
 +const GVecGen4 sqsub_op[4] = {
 +    { .fniv = gen_sqsub_vec,
 +      .fno = gen_helper_gvec_sqsub_b,
 +      .opc = INDEX_op_sssub_vec,
 +      .write_aofs = true,
 +      .vece = MO_8 },
 +    { .fniv = gen_sqsub_vec,
 +      .fno = gen_helper_gvec_sqsub_h,
 +      .opc = INDEX_op_sssub_vec,
 +      .write_aofs = true,
 +      .vece = MO_16 },
 +    { .fniv = gen_sqsub_vec,
 +      .fno = gen_helper_gvec_sqsub_s,
 +      .opc = INDEX_op_sssub_vec,
 +      .write_aofs = true,
 +      .vece = MO_32 },
 +    { .fniv = gen_sqsub_vec,
 +      .fno = gen_helper_gvec_sqsub_d,
 +      .opc = INDEX_op_sssub_vec,
 +      .write_aofs = true,
 +      .vece = MO_64 },
 +};
 +
  /* Translate a NEON data processing instruction.  Return nonzero if the
     instruction is invalid.
     We process data in a mixture of 32-bit and 64-bit chunks.
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
              }
              return 0;
 +        case NEON_3R_VQADD:
 +            tcg_gen_gvec_4(rd_ofs, offsetof(CPUARMState, vfp.qc),
 +                           rn_ofs, rm_ofs, vec_size, vec_size,
 +                           (u ? uqadd_op : sqadd_op) + size);
 +            break;
 +
 +        case NEON_3R_VQSUB:
 +            tcg_gen_gvec_4(rd_ofs, offsetof(CPUARMState, vfp.qc),
 +                           rn_ofs, rm_ofs, vec_size, vec_size,
 +                           (u ? uqsub_op : sqsub_op) + size);
 +            break;
 +
          case NEON_3R_VMUL: /* VMUL */
              if (u) {
                  /* Polynomial case allows only P8 and is handled below.  */
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                  neon_load_reg64(cpu_V0, rn + pass);
                  neon_load_reg64(cpu_V1, rm + pass);
                  switch (op) {
 -                case NEON_3R_VQADD:
 -                    if (u) {
 -                        gen_helper_neon_qadd_u64(cpu_V0, cpu_env,
 -                                                 cpu_V0, cpu_V1);
 -                    } else {
 -                        gen_helper_neon_qadd_s64(cpu_V0, cpu_env,
 -                                                 cpu_V0, cpu_V1);
 -                    }
 -                    break;
 -                case NEON_3R_VQSUB:
 -                    if (u) {
 -                        gen_helper_neon_qsub_u64(cpu_V0, cpu_env,
 -                                                 cpu_V0, cpu_V1);
 -                    } else {
 -                        gen_helper_neon_qsub_s64(cpu_V0, cpu_env,
 -                                                 cpu_V0, cpu_V1);
 -                    }
 -                    break;
                  case NEON_3R_VSHL:
                      if (u) {
                          gen_helper_neon_shl_u64(cpu_V0, cpu_V1, cpu_V0);
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
          case NEON_3R_VHADD:
              GEN_NEON_INTEGER_OP(hadd);
              break;
 -        case NEON_3R_VQADD:
 -            GEN_NEON_INTEGER_OP_ENV(qadd);
 -            break;
          case NEON_3R_VRHADD:
              GEN_NEON_INTEGER_OP(rhadd);
              break;
          case NEON_3R_VHSUB:
              GEN_NEON_INTEGER_OP(hsub);
              break;
 -        case NEON_3R_VQSUB:
 -            GEN_NEON_INTEGER_OP_ENV(qsub);
 -            break;
          case NEON_3R_VSHL:
              GEN_NEON_INTEGER_OP(shl);
              break;
 diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/vec_helper.c
 +++ b/target/arm/vec_helper.c
@@ -XXX,XX +XXX,XX @@ DO_FMLA_IDX(gvec_fmla_idx_s, float32, H4)
  DO_FMLA_IDX(gvec_fmla_idx_d, float64, )
  #undef DO_FMLA_IDX
 +
 +#define DO_SAT(NAME, WTYPE, TYPEN, TYPEM, OP, MIN, MAX) \
 +void HELPER(NAME)(void *vd, void *vq, void *vn, void *vm, uint32_t desc)   \
 +{                                                                          \
 +    intptr_t i, oprsz = simd_oprsz(desc);                                  \
 +    TYPEN *d = vd, *n = vn; TYPEM *m = vm;                                 \
 +    bool q = false;                                                        \
 +    for (i = 0; i < oprsz / sizeof(TYPEN); i++) {                          \
 +        WTYPE dd = (WTYPE)n[i] OP m[i];                                    \
 +        if (dd < MIN) {                                                    \
 +            dd = MIN;                                                      \
 +            q = true;                                                      \
 +        } else if (dd > MAX) {                                             \
 +            dd = MAX;                                                      \
 +            q = true;                                                      \
 +        }                                                                  \
 +        d[i] = dd;                                                         \
 +    }                                                                      \
 +    if (q) {                                                               \
 +        uint32_t *qc = vq;                                                 \
 +        qc[0] = 1;                                                         \
 +    }                                                                      \
 +    clear_tail(d, oprsz, simd_maxsz(desc));                                \
 +}
 +
 +DO_SAT(gvec_uqadd_b, int, uint8_t, uint8_t, +, 0, UINT8_MAX)
 +DO_SAT(gvec_uqadd_h, int, uint16_t, uint16_t, +, 0, UINT16_MAX)
 +DO_SAT(gvec_uqadd_s, int64_t, uint32_t, uint32_t, +, 0, UINT32_MAX)
 +
 +DO_SAT(gvec_sqadd_b, int, int8_t, int8_t, +, INT8_MIN, INT8_MAX)
 +DO_SAT(gvec_sqadd_h, int, int16_t, int16_t, +, INT16_MIN, INT16_MAX)
 +DO_SAT(gvec_sqadd_s, int64_t, int32_t, int32_t, +, INT32_MIN, INT32_MAX)
 +
 +DO_SAT(gvec_uqsub_b, int, uint8_t, uint8_t, -, 0, UINT8_MAX)
 +DO_SAT(gvec_uqsub_h, int, uint16_t, uint16_t, -, 0, UINT16_MAX)
 +DO_SAT(gvec_uqsub_s, int64_t, uint32_t, uint32_t, -, 0, UINT32_MAX)
 +
 +DO_SAT(gvec_sqsub_b, int, int8_t, int8_t, -, INT8_MIN, INT8_MAX)
 +DO_SAT(gvec_sqsub_h, int, int16_t, int16_t, -, INT16_MIN, INT16_MAX)
 +DO_SAT(gvec_sqsub_s, int64_t, int32_t, int32_t, -, INT32_MIN, INT32_MAX)
 +
 +#undef DO_SAT
 +
 +void HELPER(gvec_uqadd_d)(void *vd, void *vq, void *vn,
 +                          void *vm, uint32_t desc)
 +{
 +    intptr_t i, oprsz = simd_oprsz(desc);
 +    uint64_t *d = vd, *n = vn, *m = vm;
 +    bool q = false;
 +
 +    for (i = 0; i < oprsz / 8; i++) {
 +        uint64_t nn = n[i], mm = m[i], dd = nn + mm;
 +        if (dd < nn) {
 +            dd = UINT64_MAX;
 +            q = true;
 +        }
 +        d[i] = dd;
 +    }
 +    if (q) {
 +        uint32_t *qc = vq;
 +        qc[0] = 1;
 +    }
 +    clear_tail(d, oprsz, simd_maxsz(desc));
 +}
 +
 +void HELPER(gvec_uqsub_d)(void *vd, void *vq, void *vn,
 +                          void *vm, uint32_t desc)
 +{
 +    intptr_t i, oprsz = simd_oprsz(desc);
 +    uint64_t *d = vd, *n = vn, *m = vm;
 +    bool q = false;
 +
 +    for (i = 0; i < oprsz / 8; i++) {
 +        uint64_t nn = n[i], mm = m[i], dd = nn - mm;
 +        if (nn < mm) {
 +            dd = 0;
 +            q = true;
 +        }
 +        d[i] = dd;
 +    }
 +    if (q) {
 +        uint32_t *qc = vq;
 +        qc[0] = 1;
 +    }
 +    clear_tail(d, oprsz, simd_maxsz(desc));
 +}
 +
 +void HELPER(gvec_sqadd_d)(void *vd, void *vq, void *vn,
 +                          void *vm, uint32_t desc)
 +{
 +    intptr_t i, oprsz = simd_oprsz(desc);
 +    int64_t *d = vd, *n = vn, *m = vm;
 +    bool q = false;
 +
 +    for (i = 0; i < oprsz / 8; i++) {
 +        int64_t nn = n[i], mm = m[i], dd = nn + mm;
 +        if (((dd ^ nn) & ~(nn ^ mm)) & INT64_MIN) {
 +            dd = (nn >> 63) ^ ~INT64_MIN;
 +            q = true;
 +        }
 +        d[i] = dd;
 +    }
 +    if (q) {
 +        uint32_t *qc = vq;
 +        qc[0] = 1;
 +    }
 +    clear_tail(d, oprsz, simd_maxsz(desc));
 +}
 +
 +void HELPER(gvec_sqsub_d)(void *vd, void *vq, void *vn,
 +                          void *vm, uint32_t desc)
 +{
 +    intptr_t i, oprsz = simd_oprsz(desc);
 +    int64_t *d = vd, *n = vn, *m = vm;
 +    bool q = false;
 +
 +    for (i = 0; i < oprsz / 8; i++) {
 +        int64_t nn = n[i], mm = m[i], dd = nn - mm;
 +        if (((dd ^ nn) & (nn ^ mm)) & INT64_MIN) {
 +            dd = (nn >> 63) ^ ~INT64_MIN;
 +            q = true;
 +        }
 +        d[i] = dd;
 +    }
 +    if (q) {
 +        uint32_t *qc = vq;
 +        qc[0] = 1;
 +    }
 +    clear_tail(d, oprsz, simd_maxsz(desc));
 +}
 --
 .20.1

-[Qemu-devel] [PULL 05/27] target/arm: Restructure disas_fp_int_conv
+[PULL 5/5] target/arm: Move computation of index in handle_simd_dupe
 From: Richard Henderson <richard.henderson@linaro.org>
-For opcodes 0-5, move some if conditions into the structure
+Coverity reports a BAD_SHIFT with ctz32(imm5), with imm5 == 0.
-of a switch statement.  For opcodes 6 & 7, decode everything
+This is an invalid encoding, but we diagnose that just below
-at once with a second switch.
+by rejecting size > 3.  Avoid the warning by sinking the
 computation of index below the check.
+Reported-by: Coverity (CID 1421965)
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190206052857.5077-3-richard.henderson@linaro.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 20200320160622.8040-4-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.c | 94 ++++++++++++++++++++------------------
+ target/arm/translate-a64.c | 3 ++-
-file changed, 49 insertions(+), 45 deletions(-)
+file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void disas_fp_int_conv(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ static void handle_simd_dupe(DisasContext *s, int is_q, int rd, int rn,
-     int type = extract32(insn, 22, 2);
+                              int imm5)
-     bool sbit = extract32(insn, 29, 1);
+ {
-     bool sf = extract32(insn, 31, 1);
+     int size = ctz32(imm5);
-+    bool itof = false;
+-    int index = imm5 >> (size + 1);
++    int index;
-     if (sbit) {
--        unallocated_encoding(s);
+     if (size > 3 || (size == 3 && !is_q)) {
--        return;
+         unallocated_encoding(s);
-+        goto do_unallocated;
+@@ -XXX,XX +XXX,XX @@ static void handle_simd_dupe(DisasContext *s, int is_q, int rd, int rn,
          return;
      }
--    if (opcode > 5) {
++    index = imm5 >> (size + 1);
--        /* FMOV */
+     tcg_gen_gvec_dup_mem(size, vec_full_reg_offset(s, rd),
--        bool itof = opcode & 1;
+                          vec_reg_offset(s, rn, index, size),
--
+                          is_q ? 16 : 8, vec_full_reg_size(s));
 -        if (rmode >= 2) {
 -            unallocated_encoding(s);
 -            return;
 -        }
 -
 -        switch (sf << 3 | type << 1 | rmode) {
 -        case 0x0: /* 32 bit */
 -        case 0xa: /* 64 bit */
 -        case 0xd: /* 64 bit to top half of quad */
 -            break;
 -        case 0x6: /* 16-bit float, 32-bit int */
 -        case 0xe: /* 16-bit float, 64-bit int */
 -            if (dc_isar_feature(aa64_fp16, s)) {
 -                break;
 -            }
 -            /* fallthru */
 -        default:
 -            /* all other sf/type/rmode combinations are invalid */
 -            unallocated_encoding(s);
 -            return;
 -        }
 -
 -        if (!fp_access_check(s)) {
 -            return;
 -        }
 -        handle_fmov(s, rd, rn, type, itof);
 -    } else {
 -        /* actual FP conversions */
 -        bool itof = extract32(opcode, 1, 1);
 -
 -        if (rmode != 0 && opcode > 1) {
 -            unallocated_encoding(s);
 -            return;
 +    switch (opcode) {
 +    case 2: /* SCVTF */
 +    case 3: /* UCVTF */
 +        itof = true;
 +        /* fallthru */
 +    case 4: /* FCVTAS */
 +    case 5: /* FCVTAU */
 +        if (rmode != 0) {
 +            goto do_unallocated;
          }
 +        /* fallthru */
 +    case 0: /* FCVT[NPMZ]S */
 +    case 1: /* FCVT[NPMZ]U */
          switch (type) {
          case 0: /* float32 */
          case 1: /* float64 */
              break;
          case 3: /* float16 */
 -            if (dc_isar_feature(aa64_fp16, s)) {
 -                break;
 +            if (!dc_isar_feature(aa64_fp16, s)) {
 +                goto do_unallocated;
              }
 -            /* fallthru */
 +            break;
          default:
 -            unallocated_encoding(s);
 -            return;
 +            goto do_unallocated;
          }
 -
          if (!fp_access_check(s)) {
              return;
          }
          handle_fpfpcvt(s, rd, rn, opcode, itof, rmode, 64, sf, type);
 +        break;
 +
 +    default:
 +        switch (sf << 7 | type << 5 | rmode << 3 | opcode) {
 +        case 0b01100110: /* FMOV half <-> 32-bit int */
 +        case 0b01100111:
 +        case 0b11100110: /* FMOV half <-> 64-bit int */
 +        case 0b11100111:
 +            if (!dc_isar_feature(aa64_fp16, s)) {
 +                goto do_unallocated;
 +            }
 +            /* fallthru */
 +        case 0b00000110: /* FMOV 32-bit */
 +        case 0b00000111:
 +        case 0b10100110: /* FMOV 64-bit */
 +        case 0b10100111:
 +        case 0b11001110: /* FMOV top half of 128-bit */
 +        case 0b11001111:
 +            if (!fp_access_check(s)) {
 +                return;
 +            }
 +            itof = opcode & 1;
 +            handle_fmov(s, rd, rn, type, itof);
 +            break;
 +
 +        default:
 +        do_unallocated:
 +            unallocated_encoding(s);
 +            return;
 +        }
 +        break;
      }
  }
 --
 .20.1

-[Qemu-devel] [PULL 06/27] target/arm: relax permission checks for HWCAP_CPUID registers
+Deleted patch
-From: Alex Bennée <alex.bennee@linaro.org>
-Although technically not visible to userspace the kernel does make
-them visible via a trap and emulate ABI. We provide a new permission
-mask (PL0U_R) which maps to PL0_R for CONFIG_USER builds and adjust
-the minimum permission check accordingly.
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20190205190224.2198-2-alex.bennee@linaro.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/cpu.h    | 12 ++++++++++++
- target/arm/helper.c |  6 +++++-
-files changed, 17 insertions(+), 1 deletion(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline bool cptype_valid(int cptype)
- #define PL0_R (0x02 | PL1_R)
- #define PL0_W (0x01 | PL1_W)
-+/*
-+ * For user-mode some registers are accessible to EL0 via a kernel
-+ * trap-and-emulate ABI. In this case we define the read permissions
-+ * as actually being PL0_R. However some bits of any given register
-+ * may still be masked.
-+ */
-+#ifdef CONFIG_USER_ONLY
-+#define PL0U_R PL0_R
-+#else
-+#define PL0U_R PL1_R
-+#endif
-+
- #define PL3_RW (PL3_R | PL3_W)
- #define PL2_RW (PL2_R | PL2_W)
- #define PL1_RW (PL1_R | PL1_W)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
-     if (r->state != ARM_CP_STATE_AA32) {
-         int mask = 0;
-         switch (r->opc1) {
--        case 0: case 1: case 2:
-+        case 0:
-+            /* min_EL EL1, but some accessible to EL0 via kernel ABI */
-+            mask = PL0U_R | PL1_RW;
-+            break;
-+        case 1: case 2:
-             /* min_EL EL1 */
-             mask = PL1_RW;
-             break;
---
-.20.1

-[Qemu-devel] [PULL 07/27] target/arm: expose CPUID registers to userspace
+Deleted patch
-From: Alex Bennée <alex.bennee@linaro.org>
-A number of CPUID registers are exposed to userspace by modern Linux
-kernels thanks to the "ARM64 CPU Feature Registers" ABI. For QEMU's
-user-mode emulation we don't need to emulate the kernels trap but just
-return the value the trap would have done. To avoid too much #ifdef
-hackery we process ARMCPRegInfo with a new helper (modify_arm_cp_regs)
-before defining the registers. The modify routine is driven by a
-simple data structure which describes which bits are exported and
-which are fixed.
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20190205190224.2198-3-alex.bennee@linaro.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/cpu.h    | 21 ++++++++++++++++
- target/arm/helper.c | 59 +++++++++++++++++++++++++++++++++++++++++++++
-files changed, 80 insertions(+)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline void define_one_arm_cp_reg(ARMCPU *cpu, const ARMCPRegInfo *regs)
- }
- const ARMCPRegInfo *get_arm_cp_reginfo(GHashTable *cpregs, uint32_t encoded_cp);
-+/*
-+ * Definition of an ARM co-processor register as viewed from
-+ * userspace. This is used for presenting sanitised versions of
-+ * registers to userspace when emulating the Linux AArch64 CPU
-+ * ID/feature ABI (advertised as HWCAP_CPUID).
-+ */
-+typedef struct ARMCPRegUserSpaceInfo {
-+    /* Name of register */
-+    const char *name;
-+
-+    /* Only some bits are exported to user space */
-+    uint64_t exported_bits;
-+
-+    /* Fixed bits are applied after the mask */
-+    uint64_t fixed_bits;
-+} ARMCPRegUserSpaceInfo;
-+
-+#define REGUSERINFO_SENTINEL { .name = NULL }
-+
-+void modify_arm_cp_regs(ARMCPRegInfo *regs, const ARMCPRegUserSpaceInfo *mods);
-+
- /* CPWriteFn that can be used to implement writes-ignored behaviour */
- void arm_cp_write_ignore(CPUARMState *env, const ARMCPRegInfo *ri,
-                          uint64_t value);
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-               .resetvalue = cpu->pmceid1 },
-             REGINFO_SENTINEL
-         };
-+#ifdef CONFIG_USER_ONLY
-+        ARMCPRegUserSpaceInfo v8_user_idregs[] = {
-+            { .name = "ID_AA64PFR0_EL1",
-+              .exported_bits = 0x000f000f00ff0000,
-+              .fixed_bits    = 0x0000000000000011 },
-+            { .name = "ID_AA64PFR1_EL1",
-+              .exported_bits = 0x00000000000000f0 },
-+            { .name = "ID_AA64ZFR0_EL1"           },
-+            { .name = "ID_AA64MMFR0_EL1",
-+              .fixed_bits    = 0x00000000ff000000 },
-+            { .name = "ID_AA64MMFR1_EL1"          },
-+            { .name = "ID_AA64DFR0_EL1",
-+              .fixed_bits    = 0x0000000000000006 },
-+            { .name = "ID_AA64DFR1_EL1"           },
-+            { .name = "ID_AA64AFR0_EL1"           },
-+            { .name = "ID_AA64AFR1_EL1"           },
-+            { .name = "ID_AA64ISAR0_EL1",
-+              .exported_bits = 0x00fffffff0fffff0 },
-+            { .name = "ID_AA64ISAR1_EL1",
-+              .exported_bits = 0x000000f0ffffffff },
-+            REGUSERINFO_SENTINEL
-+        };
-+        modify_arm_cp_regs(v8_idregs, v8_user_idregs);
-+#endif
-         /* RVBAR_EL1 is only implemented if EL1 is the highest EL */
-         if (!arm_feature(env, ARM_FEATURE_EL3) &&
-             !arm_feature(env, ARM_FEATURE_EL2)) {
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-             .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_W,
-             .type = ARM_CP_NOP | ARM_CP_OVERRIDE
-         };
-+#ifdef CONFIG_USER_ONLY
-+        ARMCPRegUserSpaceInfo id_v8_user_midr_cp_reginfo[] = {
-+            { .name = "MIDR_EL1",
-+              .exported_bits = 0x00000000ffffffff },
-+            { .name = "REVIDR_EL1"                },
-+            REGUSERINFO_SENTINEL
-+        };
-+        modify_arm_cp_regs(id_v8_midr_cp_reginfo, id_v8_user_midr_cp_reginfo);
-+#endif
-         if (arm_feature(env, ARM_FEATURE_OMAPCP) ||
-             arm_feature(env, ARM_FEATURE_STRONGARM)) {
-             ARMCPRegInfo *r;
-@@ -XXX,XX +XXX,XX @@ void define_arm_cp_regs_with_opaque(ARMCPU *cpu,
-     }
- }
-+/*
-+ * Modify ARMCPRegInfo for access from userspace.
-+ *
-+ * This is a data driven modification directed by
-+ * ARMCPRegUserSpaceInfo. All registers become ARM_CP_CONST as
-+ * user-space cannot alter any values and dynamic values pertaining to
-+ * execution state are hidden from user space view anyway.
-+ */
-+void modify_arm_cp_regs(ARMCPRegInfo *regs, const ARMCPRegUserSpaceInfo *mods)
-+{
-+    const ARMCPRegUserSpaceInfo *m;
-+    ARMCPRegInfo *r;
-+
-+    for (m = mods; m->name; m++) {
-+        for (r = regs; r->type != ARM_CP_SENTINEL; r++) {
-+            if (strcmp(r->name, m->name) == 0) {
-+                r->type = ARM_CP_CONST;
-+                r->access = PL0U_R;
-+                r->resetvalue &= m->exported_bits;
-+                r->resetvalue |= m->fixed_bits;
-+                break;
-+            }
-+        }
-+    }
-+}
-+
- const ARMCPRegInfo *get_arm_cp_reginfo(GHashTable *cpregs, uint32_t encoded_cp)
- {
-     return g_hash_table_lookup(cpregs, &encoded_cp);
---
-.20.1

-[Qemu-devel] [PULL 08/27] target/arm: expose MPIDR_EL1 to userspace
+Deleted patch
-From: Alex Bennée <alex.bennee@linaro.org>
-As this is a single register we could expose it with a simple ifdef
-but we use the existing modify_arm_cp_regs mechanism for consistency.
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20190205190224.2198-4-alex.bennee@linaro.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.c | 21 ++++++++++++++-------
-file changed, 14 insertions(+), 7 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t mpidr_read(CPUARMState *env, const ARMCPRegInfo *ri)
-     return mpidr_read_val(env);
- }
--static const ARMCPRegInfo mpidr_cp_reginfo[] = {
--    { .name = "MPIDR", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 5,
--      .access = PL1_R, .readfn = mpidr_read, .type = ARM_CP_NO_RAW },
--    REGINFO_SENTINEL
--};
--
- static const ARMCPRegInfo lpae_cp_reginfo[] = {
-     /* NOP AMAIR0/1 */
-     { .name = "AMAIR0", .state = ARM_CP_STATE_BOTH,
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-     }
-     if (arm_feature(env, ARM_FEATURE_MPIDR)) {
-+        ARMCPRegInfo mpidr_cp_reginfo[] = {
-+            { .name = "MPIDR_EL1", .state = ARM_CP_STATE_BOTH,
-+              .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 5,
-+              .access = PL1_R, .readfn = mpidr_read, .type = ARM_CP_NO_RAW },
-+            REGINFO_SENTINEL
-+        };
-+#ifdef CONFIG_USER_ONLY
-+        ARMCPRegUserSpaceInfo mpidr_user_cp_reginfo[] = {
-+            { .name = "MPIDR_EL1",
-+              .fixed_bits = 0x0000000080000000 },
-+            REGUSERINFO_SENTINEL
-+        };
-+        modify_arm_cp_regs(mpidr_cp_reginfo, mpidr_user_cp_reginfo);
-+#endif
-         define_arm_cp_regs(cpu, mpidr_cp_reginfo);
-     }
---
-.20.1

-[Qemu-devel] [PULL 09/27] target/arm: expose remaining CPUID registers as RAZ
+Deleted patch
-From: Alex Bennée <alex.bennee@linaro.org>
-There are a whole bunch more registers in the CPUID space which are
-currently not used but are exposed as RAZ. To avoid too much
-duplication we expand ARMCPRegUserSpaceInfo to understand glob
-patterns so we only need one entry to tweak whole ranges of registers.
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20190205190224.2198-5-alex.bennee@linaro.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/cpu.h    |  3 +++
- target/arm/helper.c | 26 +++++++++++++++++++++++---
-files changed, 26 insertions(+), 3 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ typedef struct ARMCPRegUserSpaceInfo {
-     /* Name of register */
-     const char *name;
-+    /* Is the name actually a glob pattern */
-+    bool is_glob;
-+
-     /* Only some bits are exported to user space */
-     uint64_t exported_bits;
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-               .fixed_bits    = 0x0000000000000011 },
-             { .name = "ID_AA64PFR1_EL1",
-               .exported_bits = 0x00000000000000f0 },
-+            { .name = "ID_AA64PFR*_EL1_RESERVED",
-+              .is_glob = true                     },
-             { .name = "ID_AA64ZFR0_EL1"           },
-             { .name = "ID_AA64MMFR0_EL1",
-               .fixed_bits    = 0x00000000ff000000 },
-             { .name = "ID_AA64MMFR1_EL1"          },
-+            { .name = "ID_AA64MMFR*_EL1_RESERVED",
-+              .is_glob = true                     },
-             { .name = "ID_AA64DFR0_EL1",
-               .fixed_bits    = 0x0000000000000006 },
-             { .name = "ID_AA64DFR1_EL1"           },
--            { .name = "ID_AA64AFR0_EL1"           },
--            { .name = "ID_AA64AFR1_EL1"           },
-+            { .name = "ID_AA64DFR*_EL1_RESERVED",
-+              .is_glob = true                     },
-+            { .name = "ID_AA64AFR*",
-+              .is_glob = true                     },
-             { .name = "ID_AA64ISAR0_EL1",
-               .exported_bits = 0x00fffffff0fffff0 },
-             { .name = "ID_AA64ISAR1_EL1",
-               .exported_bits = 0x000000f0ffffffff },
-+            { .name = "ID_AA64ISAR*_EL1_RESERVED",
-+              .is_glob = true                     },
-             REGUSERINFO_SENTINEL
-         };
-         modify_arm_cp_regs(v8_idregs, v8_user_idregs);
-@@ -XXX,XX +XXX,XX @@ void modify_arm_cp_regs(ARMCPRegInfo *regs, const ARMCPRegUserSpaceInfo *mods)
-     ARMCPRegInfo *r;
-     for (m = mods; m->name; m++) {
-+        GPatternSpec *pat = NULL;
-+        if (m->is_glob) {
-+            pat = g_pattern_spec_new(m->name);
-+        }
-         for (r = regs; r->type != ARM_CP_SENTINEL; r++) {
--            if (strcmp(r->name, m->name) == 0) {
-+            if (pat && g_pattern_match_string(pat, r->name)) {
-+                r->type = ARM_CP_CONST;
-+                r->access = PL0U_R;
-+                r->resetvalue = 0;
-+                /* continue */
-+            } else if (strcmp(r->name, m->name) == 0) {
-                 r->type = ARM_CP_CONST;
-                 r->access = PL0U_R;
-                 r->resetvalue &= m->exported_bits;
-@@ -XXX,XX +XXX,XX @@ void modify_arm_cp_regs(ARMCPRegInfo *regs, const ARMCPRegUserSpaceInfo *mods)
-                 break;
-             }
-         }
-+        if (pat) {
-+            g_pattern_spec_free(pat);
-+        }
-     }
- }
---
-.20.1

-[Qemu-devel] [PULL 10/27] linux-user/elfload: enable HWCAP_CPUID for AArch64
+Deleted patch
-From: Alex Bennée <alex.bennee@linaro.org>
-Userspace programs should (in theory) query the ELF HWCAP before
-probing these registers. Now we have implemented them all make it
-public.
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190205190224.2198-6-alex.bennee@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- linux-user/elfload.c | 1 +
-file changed, 1 insertion(+)
-diff --git a/linux-user/elfload.c b/linux-user/elfload.c
-index XXXXXXX..XXXXXXX 100644
---- a/linux-user/elfload.c
-+++ b/linux-user/elfload.c
-@@ -XXX,XX +XXX,XX @@ static uint32_t get_elf_hwcap(void)
-     hwcaps |= ARM_HWCAP_A64_FP;
-     hwcaps |= ARM_HWCAP_A64_ASIMD;
-+    hwcaps |= ARM_HWCAP_A64_CPUID;
-     /* probe for the extra features */
- #define GET_FEATURE_ID(feat, hwcap) \
---
-.20.1

-[Qemu-devel] [PULL 11/27] arm: Allow system registers for KVM guests to be changed by QEMU code
+Deleted patch
-At the moment the Arm implementations of kvm_arch_{get,put}_registers()
-don't support having QEMU change the values of system registers
-(aka coprocessor registers for AArch32). This is because although
-kvm_arch_get_registers() calls write_list_to_cpustate() to
-update the CPU state struct fields (so QEMU code can read the
-values in the usual way), kvm_arch_put_registers() does not
-call write_cpustate_to_list(), meaning that any changes to
-the CPU state struct fields will not be passed back to KVM.
-The rationale for this design is documented in a comment in the
-AArch32 kvm_arch_put_registers() -- writing the values in the
-cpregs list into the CPU state struct is "lossy" because the
-write of a register might not succeed, and so if we blindly
-copy the CPU state values back again we will incorrectly
-change register values for the guest. The assumption was that
-no QEMU code would need to write to the registers.
-However, when we implemented debug support for KVM guests, we
-broke that assumption: the code to handle "set the guest up
-to take a breakpoint exception" does so by updating various
-guest registers including ESR_EL1.
-Support this by making kvm_arch_put_registers() synchronize
-CPU state back into the list. We sync only those registers
-where the initial write succeeds, which should be sufficient.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Tested-by: Alex Bennée <alex.bennee@linaro.org>
-Tested-by: Dongjiu Geng <gengdongjiu@huawei.com>
----
- target/arm/cpu.h     |  9 ++++++++-
- target/arm/helper.c  | 27 +++++++++++++++++++++++++--
- target/arm/kvm32.c   | 20 ++------------------
- target/arm/kvm64.c   |  2 ++
- target/arm/machine.c |  2 +-
-files changed, 38 insertions(+), 22 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ bool write_list_to_cpustate(ARMCPU *cpu);
- /**
-  * write_cpustate_to_list:
-  * @cpu: ARMCPU
-+ * @kvm_sync: true if this is for syncing back to KVM
-  *
-  * For each register listed in the ARMCPU cpreg_indexes list, write
-  * its value from the ARMCPUState structure into the cpreg_values list.
-  * This is used to copy info from TCG's working data structures into
-  * KVM or for outbound migration.
-  *
-+ * @kvm_sync is true if we are doing this in order to sync the
-+ * register state back to KVM. In this case we will only update
-+ * values in the list if the previous list->cpustate sync actually
-+ * successfully wrote the CPU state. Otherwise we will keep the value
-+ * that is in the list.
-+ *
-  * Returns: true if all register values were read correctly,
-  * false if some register was unknown or could not be read.
-  * Note that we do not stop early on failure -- we will attempt
-  * reading all registers in the list.
-  */
--bool write_cpustate_to_list(ARMCPU *cpu);
-+bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync);
- #define ARM_CPUID_TI915T      0x54029152
- #define ARM_CPUID_TI925T      0x54029252
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static bool raw_accessors_invalid(const ARMCPRegInfo *ri)
-     return true;
- }
--bool write_cpustate_to_list(ARMCPU *cpu)
-+bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync)
- {
-     /* Write the coprocessor state from cpu->env to the (index,value) list. */
-     int i;
-@@ -XXX,XX +XXX,XX @@ bool write_cpustate_to_list(ARMCPU *cpu)
-     for (i = 0; i < cpu->cpreg_array_len; i++) {
-         uint32_t regidx = kvm_to_cpreg_id(cpu->cpreg_indexes[i]);
-         const ARMCPRegInfo *ri;
-+        uint64_t newval;
-         ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
-         if (!ri) {
-@@ -XXX,XX +XXX,XX @@ bool write_cpustate_to_list(ARMCPU *cpu)
-         if (ri->type & ARM_CP_NO_RAW) {
-             continue;
-         }
--        cpu->cpreg_values[i] = read_raw_cp_reg(&cpu->env, ri);
-+
-+        newval = read_raw_cp_reg(&cpu->env, ri);
-+        if (kvm_sync) {
-+            /*
-+             * Only sync if the previous list->cpustate sync succeeded.
-+             * Rather than tracking the success/failure state for every
-+             * item in the list, we just recheck "does the raw write we must
-+             * have made in write_list_to_cpustate() read back OK" here.
-+             */
-+            uint64_t oldval = cpu->cpreg_values[i];
-+
-+            if (oldval == newval) {
-+                continue;
-+            }
-+
-+            write_raw_cp_reg(&cpu->env, ri, oldval);
-+            if (read_raw_cp_reg(&cpu->env, ri) != oldval) {
-+                continue;
-+            }
-+
-+            write_raw_cp_reg(&cpu->env, ri, newval);
-+        }
-+        cpu->cpreg_values[i] = newval;
-     }
-     return ok;
- }
-diff --git a/target/arm/kvm32.c b/target/arm/kvm32.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm32.c
-+++ b/target/arm/kvm32.c
-@@ -XXX,XX +XXX,XX @@ int kvm_arch_put_registers(CPUState *cs, int level)
-         return ret;
-     }
--    /* Note that we do not call write_cpustate_to_list()
--     * here, so we are only writing the tuple list back to
--     * KVM. This is safe because nothing can change the
--     * CPUARMState cp15 fields (in particular gdb accesses cannot)
--     * and so there are no changes to sync. In fact syncing would
--     * be wrong at this point: for a constant register where TCG and
--     * KVM disagree about its value, the preceding write_list_to_cpustate()
--     * would not have had any effect on the CPUARMState value (since the
--     * register is read-only), and a write_cpustate_to_list() here would
--     * then try to write the TCG value back into KVM -- this would either
--     * fail or incorrectly change the value the guest sees.
--     *
--     * If we ever want to allow the user to modify cp15 registers via
--     * the gdb stub, we would need to be more clever here (for instance
--     * tracking the set of registers kvm_arch_get_registers() successfully
--     * managed to update the CPUARMState with, and only allowing those
--     * to be written back up into the kernel).
--     */
-+    write_cpustate_to_list(cpu, true);
-+
-     if (!write_list_to_kvmstate(cpu, level)) {
-         return EINVAL;
-     }
-diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm64.c
-+++ b/target/arm/kvm64.c
-@@ -XXX,XX +XXX,XX @@ int kvm_arch_put_registers(CPUState *cs, int level)
-         return ret;
-     }
-+    write_cpustate_to_list(cpu, true);
-+
-     if (!write_list_to_kvmstate(cpu, level)) {
-         return EINVAL;
-     }
-diff --git a/target/arm/machine.c b/target/arm/machine.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/machine.c
-+++ b/target/arm/machine.c
-@@ -XXX,XX +XXX,XX @@ static int cpu_pre_save(void *opaque)
-             abort();
-         }
-     } else {
--        if (!write_cpustate_to_list(cpu)) {
-+        if (!write_cpustate_to_list(cpu, false)) {
-             /* This should never fail. */
-             abort();
-         }
---
-.20.1

-[Qemu-devel] [PULL 12/27] MAINTAINERS: Remove Peter Crosthwaite from various entries
+Deleted patch
-Peter Crosthwaite hasn't had the bandwidth to do code review or
-other QEMU work for some time now -- remove his email address
-from MAINTAINERS file entries so we don't bombard him with
-patch emails.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20190207181422.4907-1-peter.maydell@linaro.org
----
- MAINTAINERS | 4 ----
-file changed, 4 deletions(-)
-diff --git a/MAINTAINERS b/MAINTAINERS
-index XXXXXXX..XXXXXXX 100644
---- a/MAINTAINERS
-+++ b/MAINTAINERS
-@@ -XXX,XX +XXX,XX @@ Guest CPU cores (TCG):
- ----------------------
- Overall
- L: qemu-devel@nongnu.org
--M: Peter Crosthwaite <crosthwaite.peter@gmail.com>
- M: Richard Henderson <rth@twiddle.net>
- R: Paolo Bonzini <pbonzini@redhat.com>
- S: Maintained
-@@ -XXX,XX +XXX,XX @@ F: tests/virtio-scsi-test.c
- T: git https://github.com/bonzini/qemu.git scsi-next
- SSI
--M: Peter Crosthwaite <crosthwaite.peter@gmail.com>
- M: Alistair Francis <alistair@alistair23.me>
- S: Maintained
- F: hw/ssi/*
-@@ -XXX,XX +XXX,XX @@ F: tests/m25p80-test.c
- Xilinx SPI
- M: Alistair Francis <alistair@alistair23.me>
--M: Peter Crosthwaite <crosthwaite.peter@gmail.com>
- S: Maintained
- F: hw/ssi/xilinx_*
-@@ -XXX,XX +XXX,XX @@ F: qom/cpu.c
- F: include/qom/cpu.h
- Device Tree
--M: Peter Crosthwaite <crosthwaite.peter@gmail.com>
- M: Alexander Graf <agraf@suse.de>
- S: Maintained
- F: device_tree.c
---
-.20.1

-[Qemu-devel] [PULL 13/27] hw/intc/armv7m_nvic: Allow byte accesses to SHPR1
+Deleted patch
-The code for handling the NVIC SHPR1 register intends to permit
-byte and halfword accesses (as the architecture requires). However
-the 'case' line for it only lists the base address of the
-register, so attempts to access bytes other than the first one
-end up in the "bad write" default logic. This bug was added
-accidentally when we split out the SHPR1 logic from SHPR2 and
-SHPR3 to support v6M.
-Fixes: 7c9140afd594 ("nvic: Handle ARMv6-M SCS reserved registers")
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
----
-The Zephyr RTOS happens to access SHPR1 byte at a time,
-which is how I spotted this.
----
- hw/intc/armv7m_nvic.c | 4 ++--
-file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
-+++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
-             }
-         }
-         break;
--    case 0xd18: /* System Handler Priority (SHPR1) */
-+    case 0xd18 ... 0xd1b: /* System Handler Priority (SHPR1) */
-         if (!arm_feature(&s->cpu->env, ARM_FEATURE_M_MAIN)) {
-             val = 0;
-             break;
-@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_write(void *opaque, hwaddr addr,
-         }
-         nvic_irq_update(s);
-         return MEMTX_OK;
--    case 0xd18: /* System Handler Priority (SHPR1) */
-+    case 0xd18 ... 0xd1b: /* System Handler Priority (SHPR1) */
-         if (!arm_feature(&s->cpu->env, ARM_FEATURE_M_MAIN)) {
-             return MEMTX_OK;
-         }
---
-.20.1

-[Qemu-devel] [PULL 14/27] hw/arm/armsse: Fix miswiring of expansion IRQs
+Deleted patch
-In commit 91c1e9fcbd7548db368 where we added dual-CPU support to
-the ARMSSE, we set up the wiring of the expansion IRQs via nested
-loops: the outer loop on 'i' loops for each CPU, and the inner loop
-on 'j' loops for each interrupt. Fix a typo which meant we were
-wiring every expansion IRQ line to external IRQ 0 on CPU 0 and
-to external IRQ 1 on CPU 1.
-Fixes: 91c1e9fcbd7548db368 ("hw/arm/armsse: Support dual-CPU configuration")
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
----
- hw/arm/armsse.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/arm/armsse.c b/hw/arm/armsse.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/armsse.c
-+++ b/hw/arm/armsse.c
-@@ -XXX,XX +XXX,XX @@ static void armsse_realize(DeviceState *dev, Error **errp)
-         /* Connect EXP_IRQ/EXP_CPUn_IRQ GPIOs to the NVIC's lines 32 and up */
-         s->exp_irqs[i] = g_new(qemu_irq, s->exp_numirq);
-         for (j = 0; j < s->exp_numirq; j++) {
--            s->exp_irqs[i][j] = qdev_get_gpio_in(cpudev, i + 32);
-+            s->exp_irqs[i][j] = qdev_get_gpio_in(cpudev, j + 32);
-         }
-         if (i == 0) {
-             gpioname = g_strdup("EXP_IRQ");
---
-.20.1

-[Qemu-devel] [PULL 15/27] target/arm: Rely on optimization within tcg_gen_gvec_or
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Since we're now handling a == b generically, we no longer need
-to do it by hand within target/arm/.
-Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190209033847.9014-2-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/translate-a64.c |  6 +-----
- target/arm/translate-sve.c |  6 +-----
- target/arm/translate.c     | 12 +++---------
-files changed, 5 insertions(+), 19 deletions(-)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
-+++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_logic(DisasContext *s, uint32_t insn)
-         gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_andc, 0);
-         return;
-     case 2: /* ORR */
--        if (rn == rm) { /* MOV */
--            gen_gvec_fn2(s, is_q, rd, rn, tcg_gen_gvec_mov, 0);
--        } else {
--            gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_or, 0);
--        }
-+        gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_or, 0);
-         return;
-     case 3: /* ORN */
-         gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_orc, 0);
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_AND_zzz(DisasContext *s, arg_rrr_esz *a)
- static bool trans_ORR_zzz(DisasContext *s, arg_rrr_esz *a)
- {
--    if (a->rn == a->rm) { /* MOV */
--        return do_mov_z(s, a->rd, a->rn);
--    } else {
--        return do_vector3_z(s, tcg_gen_gvec_or, 0, a->rd, a->rn, a->rm);
--    }
-+    return do_vector3_z(s, tcg_gen_gvec_or, 0, a->rd, a->rn, a->rm);
- }
- static bool trans_EOR_zzz(DisasContext *s, arg_rrr_esz *a)
-diff --git a/target/arm/translate.c b/target/arm/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
-+++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
-                 tcg_gen_gvec_andc(0, rd_ofs, rn_ofs, rm_ofs,
-                                   vec_size, vec_size);
-                 break;
--            case 2:
--                if (rn == rm) {
--                    /* VMOV */
--                    tcg_gen_gvec_mov(0, rd_ofs, rn_ofs, vec_size, vec_size);
--                } else {
--                    /* VORR */
--                    tcg_gen_gvec_or(0, rd_ofs, rn_ofs, rm_ofs,
--                                    vec_size, vec_size);
--                }
-+            case 2: /* VORR */
-+                tcg_gen_gvec_or(0, rd_ofs, rn_ofs, rm_ofs,
-+                                vec_size, vec_size);
-                 break;
-             case 3: /* VORN */
-                 tcg_gen_gvec_orc(0, rd_ofs, rn_ofs, rm_ofs,
---
-.20.1

-[Qemu-devel] [PULL 16/27] target/arm: Use vector minmax expanders for aarch64
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190209033847.9014-3-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/translate-a64.c | 35 ++++++++++++++---------------------
-file changed, 14 insertions(+), 21 deletions(-)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
-+++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
-     }
-     switch (opcode) {
-+    case 0x0c: /* SMAX, UMAX */
-+        if (u) {
-+            gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_umax, size);
-+        } else {
-+            gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_smax, size);
-+        }
-+        return;
-+    case 0x0d: /* SMIN, UMIN */
-+        if (u) {
-+            gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_umin, size);
-+        } else {
-+            gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_smin, size);
-+        }
-+        return;
-     case 0x10: /* ADD, SUB */
-         if (u) {
-             gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_sub, size);
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
-                 genenvfn = fns[size][u];
-                 break;
-             }
--            case 0xc: /* SMAX, UMAX */
--            {
--                static NeonGenTwoOpFn * const fns[3][2] = {
--                    { gen_helper_neon_max_s8, gen_helper_neon_max_u8 },
--                    { gen_helper_neon_max_s16, gen_helper_neon_max_u16 },
--                    { tcg_gen_smax_i32, tcg_gen_umax_i32 },
--                };
--                genfn = fns[size][u];
--                break;
--            }
--
--            case 0xd: /* SMIN, UMIN */
--            {
--                static NeonGenTwoOpFn * const fns[3][2] = {
--                    { gen_helper_neon_min_s8, gen_helper_neon_min_u8 },
--                    { gen_helper_neon_min_s16, gen_helper_neon_min_u16 },
--                    { tcg_gen_smin_i32, tcg_gen_umin_i32 },
--                };
--                genfn = fns[size][u];
--                break;
--            }
-             case 0xe: /* SABD, UABD */
-             case 0xf: /* SABA, UABA */
-             {
---
-.20.1

-[Qemu-devel] [PULL 17/27] target/arm: Use vector minmax expanders for aarch32
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190209033847.9014-4-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/translate.c | 25 +++++++++++++++++++------
-file changed, 19 insertions(+), 6 deletions(-)
-diff --git a/target/arm/translate.c b/target/arm/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
-+++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
-             tcg_gen_gvec_cmp(u ? TCG_COND_GEU : TCG_COND_GE, size,
-                              rd_ofs, rn_ofs, rm_ofs, vec_size, vec_size);
-             return 0;
-+
-+        case NEON_3R_VMAX:
-+            if (u) {
-+                tcg_gen_gvec_umax(size, rd_ofs, rn_ofs, rm_ofs,
-+                                  vec_size, vec_size);
-+            } else {
-+                tcg_gen_gvec_smax(size, rd_ofs, rn_ofs, rm_ofs,
-+                                  vec_size, vec_size);
-+            }
-+            return 0;
-+        case NEON_3R_VMIN:
-+            if (u) {
-+                tcg_gen_gvec_umin(size, rd_ofs, rn_ofs, rm_ofs,
-+                                  vec_size, vec_size);
-+            } else {
-+                tcg_gen_gvec_smin(size, rd_ofs, rn_ofs, rm_ofs,
-+                                  vec_size, vec_size);
-+            }
-+            return 0;
-         }
-         if (size == 3) {
-@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
-         case NEON_3R_VQRSHL:
-             GEN_NEON_INTEGER_OP_ENV(qrshl);
-             break;
--        case NEON_3R_VMAX:
--            GEN_NEON_INTEGER_OP(max);
--            break;
--        case NEON_3R_VMIN:
--            GEN_NEON_INTEGER_OP(min);
--            break;
-         case NEON_3R_VABD:
-             GEN_NEON_INTEGER_OP(abd);
-             break;
---
-.20.1

-[Qemu-devel] [PULL 18/27] target/arm: Use tcg integer min/max primitives for neon
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-The 32-bit PMIN/PMAX has been decomposed to scalars,
-and so can be trivially expanded inline.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190209033847.9014-5-richard.henderson@linaro.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/translate.c | 8 ++++----
-file changed, 4 insertions(+), 4 deletions(-)
-diff --git a/target/arm/translate.c b/target/arm/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
-+++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static inline void gen_neon_rsb(int size, TCGv_i32 t0, TCGv_i32 t1)
- }
- /* 32-bit pairwise ops end up the same as the elementwise versions.  */
--#define gen_helper_neon_pmax_s32  gen_helper_neon_max_s32
--#define gen_helper_neon_pmax_u32  gen_helper_neon_max_u32
--#define gen_helper_neon_pmin_s32  gen_helper_neon_min_s32
--#define gen_helper_neon_pmin_u32  gen_helper_neon_min_u32
-+#define gen_helper_neon_pmax_s32  tcg_gen_smax_i32
-+#define gen_helper_neon_pmax_u32  tcg_gen_umax_i32
-+#define gen_helper_neon_pmin_s32  tcg_gen_smin_i32
-+#define gen_helper_neon_pmin_u32  tcg_gen_umin_i32
- #define GEN_NEON_INTEGER_OP_ENV(name) do { \
-     switch ((size << 1) | u) { \
---
-.20.1

-[Qemu-devel] [PULL 19/27] target/arm: Remove neon min/max helpers
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-These are now unused.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190209033847.9014-6-richard.henderson@linaro.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.h      | 12 ------------
- target/arm/neon_helper.c | 12 ------------
-files changed, 24 deletions(-)
-diff --git a/target/arm/helper.h b/target/arm/helper.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.h
-+++ b/target/arm/helper.h
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_2(neon_cge_s16, i32, i32, i32)
- DEF_HELPER_2(neon_cge_u32, i32, i32, i32)
- DEF_HELPER_2(neon_cge_s32, i32, i32, i32)
--DEF_HELPER_2(neon_min_u8, i32, i32, i32)
--DEF_HELPER_2(neon_min_s8, i32, i32, i32)
--DEF_HELPER_2(neon_min_u16, i32, i32, i32)
--DEF_HELPER_2(neon_min_s16, i32, i32, i32)
--DEF_HELPER_2(neon_min_u32, i32, i32, i32)
--DEF_HELPER_2(neon_min_s32, i32, i32, i32)
--DEF_HELPER_2(neon_max_u8, i32, i32, i32)
--DEF_HELPER_2(neon_max_s8, i32, i32, i32)
--DEF_HELPER_2(neon_max_u16, i32, i32, i32)
--DEF_HELPER_2(neon_max_s16, i32, i32, i32)
--DEF_HELPER_2(neon_max_u32, i32, i32, i32)
--DEF_HELPER_2(neon_max_s32, i32, i32, i32)
- DEF_HELPER_2(neon_pmin_u8, i32, i32, i32)
- DEF_HELPER_2(neon_pmin_s8, i32, i32, i32)
- DEF_HELPER_2(neon_pmin_u16, i32, i32, i32)
-diff --git a/target/arm/neon_helper.c b/target/arm/neon_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/neon_helper.c
-+++ b/target/arm/neon_helper.c
-@@ -XXX,XX +XXX,XX @@ NEON_VOP(cge_u32, neon_u32, 1)
- #undef NEON_FN
- #define NEON_FN(dest, src1, src2) dest = (src1 < src2) ? src1 : src2
--NEON_VOP(min_s8, neon_s8, 4)
--NEON_VOP(min_u8, neon_u8, 4)
--NEON_VOP(min_s16, neon_s16, 2)
--NEON_VOP(min_u16, neon_u16, 2)
--NEON_VOP(min_s32, neon_s32, 1)
--NEON_VOP(min_u32, neon_u32, 1)
- NEON_POP(pmin_s8, neon_s8, 4)
- NEON_POP(pmin_u8, neon_u8, 4)
- NEON_POP(pmin_s16, neon_s16, 2)
-@@ -XXX,XX +XXX,XX @@ NEON_POP(pmin_u16, neon_u16, 2)
- #undef NEON_FN
- #define NEON_FN(dest, src1, src2) dest = (src1 > src2) ? src1 : src2
--NEON_VOP(max_s8, neon_s8, 4)
--NEON_VOP(max_u8, neon_u8, 4)
--NEON_VOP(max_s16, neon_s16, 2)
--NEON_VOP(max_u16, neon_u16, 2)
--NEON_VOP(max_s32, neon_s32, 1)
--NEON_VOP(max_u32, neon_u32, 1)
- NEON_POP(pmax_s8, neon_s8, 4)
- NEON_POP(pmax_u8, neon_u8, 4)
- NEON_POP(pmax_s16, neon_s16, 2)
---
-.20.1

-[Qemu-devel] [PULL 21/27] target/arm: Fix arm_cpu_dump_state vs FPSCR
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190209033847.9014-8-richard.henderson@linaro.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/translate.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/target/arm/translate.c b/target/arm/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
-+++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ void arm_cpu_dump_state(CPUState *cs, FILE *f, fprintf_function cpu_fprintf,
-                         i * 2 + 1, (uint32_t)(v >> 32),
-                         i, v);
-         }
--        cpu_fprintf(f, "FPSCR: %08x\n", (int)env->vfp.xregs[ARM_VFP_FPSCR]);
-+        cpu_fprintf(f, "FPSCR: %08x\n", vfp_get_fpscr(env));
-     }
- }
---
-.20.1

-[Qemu-devel] [PULL 22/27] target/arm: Split out flags setting from vfp compares
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Minimize the code within a macro by splitting out a helper function.
-Use deposit32 instead of manual bit manipulation.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190209033847.9014-9-richard.henderson@linaro.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.c | 45 +++++++++++++++++++++++++++------------------
-file changed, 27 insertions(+), 18 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ float64 VFP_HELPER(sqrt, d)(float64 a, CPUARMState *env)
-     return float64_sqrt(a, &env->vfp.fp_status);
- }
-+static void softfloat_to_vfp_compare(CPUARMState *env, int cmp)
-+{
-+    uint32_t flags;
-+    switch (cmp) {
-+    case float_relation_equal:
-+        flags = 0x6;
-+        break;
-+    case float_relation_less:
-+        flags = 0x8;
-+        break;
-+    case float_relation_greater:
-+        flags = 0x2;
-+        break;
-+    case float_relation_unordered:
-+        flags = 0x3;
-+        break;
-+    default:
-+        g_assert_not_reached();
-+    }
-+    env->vfp.xregs[ARM_VFP_FPSCR] =
-+        deposit32(env->vfp.xregs[ARM_VFP_FPSCR], 28, 4, flags);
-+}
-+
- /* XXX: check quiet/signaling case */
- #define DO_VFP_cmp(p, type) \
- void VFP_HELPER(cmp, p)(type a, type b, CPUARMState *env)  \
- { \
--    uint32_t flags; \
--    switch(type ## _compare_quiet(a, b, &env->vfp.fp_status)) { \
--    case 0: flags = 0x6; break; \
--    case -1: flags = 0x8; break; \
--    case 1: flags = 0x2; break; \
--    default: case 2: flags = 0x3; break; \
--    } \
--    env->vfp.xregs[ARM_VFP_FPSCR] = (flags << 28) \
--        | (env->vfp.xregs[ARM_VFP_FPSCR] & 0x0fffffff); \
-+    softfloat_to_vfp_compare(env, \
-+        type ## _compare_quiet(a, b, &env->vfp.fp_status)); \
- } \
- void VFP_HELPER(cmpe, p)(type a, type b, CPUARMState *env) \
- { \
--    uint32_t flags; \
--    switch(type ## _compare(a, b, &env->vfp.fp_status)) { \
--    case 0: flags = 0x6; break; \
--    case -1: flags = 0x8; break; \
--    case 1: flags = 0x2; break; \
--    default: case 2: flags = 0x3; break; \
--    } \
--    env->vfp.xregs[ARM_VFP_FPSCR] = (flags << 28) \
--        | (env->vfp.xregs[ARM_VFP_FPSCR] & 0x0fffffff); \
-+    softfloat_to_vfp_compare(env, \
-+        type ## _compare(a, b, &env->vfp.fp_status)); \
- }
- DO_VFP_cmp(s, float32)
- DO_VFP_cmp(d, float64)
---
-.20.1

-[Qemu-devel] [PULL 23/27] target/arm: Fix set of bits kept in xregs[ARM_VFP_FPSCR]
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Given that we mask bits properly on set, there is no reason
-to mask them again on get.  We failed to clear the exception
-status bits, 0x9f, which means that the wrong value would be
-returned on get.  Except in the (probably normal) case in which
-the set clears all of the bits.
-Simplify the code in set to also clear the RES0 bits.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190209033847.9014-10-richard.henderson@linaro.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.c | 15 ++++++++-------
-file changed, 8 insertions(+), 7 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(vfp_get_fpscr)(CPUARMState *env)
-     int i;
-     uint32_t fpscr;
--    fpscr = (env->vfp.xregs[ARM_VFP_FPSCR] & 0xffc8ffff)
-+    fpscr = env->vfp.xregs[ARM_VFP_FPSCR]
-             | (env->vfp.vec_len << 16)
-             | (env->vfp.vec_stride << 20);
-@@ -XXX,XX +XXX,XX @@ static inline int vfp_exceptbits_to_host(int target_bits)
- void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)
- {
-     int i;
--    uint32_t changed;
-+    uint32_t changed = env->vfp.xregs[ARM_VFP_FPSCR];
-     /* When ARMv8.2-FP16 is not supported, FZ16 is RES0.  */
-     if (!cpu_isar_feature(aa64_fp16, arm_env_get_cpu(env))) {
-@@ -XXX,XX +XXX,XX @@ void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)
-     /*
-      * We don't implement trapped exception handling, so the
--     * trap enable bits are all RAZ/WI (not RES0!)
-+     * trap enable bits, IDE|IXE|UFE|OFE|DZE|IOE are all RAZ/WI (not RES0!)
-+     *
-+     * If we exclude the exception flags, IOC|DZC|OFC|UFC|IXC|IDC
-+     * (which are stored in fp_status), and the other RES0 bits
-+     * in between, then we clear all of the low 16 bits.
-      */
--    val &= ~(FPCR_IDE | FPCR_IXE | FPCR_UFE | FPCR_OFE | FPCR_DZE | FPCR_IOE);
--
--    changed = env->vfp.xregs[ARM_VFP_FPSCR];
--    env->vfp.xregs[ARM_VFP_FPSCR] = (val & 0xffc8ffff);
-+    env->vfp.xregs[ARM_VFP_FPSCR] = val & 0xffc80000;
-     env->vfp.vec_len = (val >> 16) & 7;
-     env->vfp.vec_stride = (val >> 20) & 3;
---
-.20.1

-[Qemu-devel] [PULL 24/27] target/arm: Split out FPSCR.QC to a vector field
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Change the representation of this field such that it is easy
-to set from vector code.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190209033847.9014-11-richard.henderson@linaro.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/cpu.h         |  5 ++++-
- target/arm/helper.c      | 19 +++++++++++++++----
- target/arm/neon_helper.c |  2 +-
- target/arm/vec_helper.c  |  2 +-
-files changed, 21 insertions(+), 7 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
-         ARMPredicateReg preg_tmp;
- #endif
--        uint32_t xregs[16];
-         /* We store these fpcsr fields separately for convenience.  */
-+        uint32_t qc[4] QEMU_ALIGNED(16);
-         int vec_len;
-         int vec_stride;
-+        uint32_t xregs[16];
-+
-         /* Scratch space for aa32 neon expansion.  */
-         uint32_t scratch[8];
-@@ -XXX,XX +XXX,XX @@ void vfp_set_fpscr(CPUARMState *env, uint32_t val);
- #define FPCR_FZ16   (1 << 19)   /* ARMv8.2+, FP16 flush-to-zero */
- #define FPCR_FZ     (1 << 24)   /* Flush-to-zero enable bit */
- #define FPCR_DN     (1 << 25)   /* Default NaN enable bit */
-+#define FPCR_QC     (1 << 27)   /* Cumulative saturation bit */
- static inline uint32_t vfp_get_fpsr(CPUARMState *env)
- {
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static inline int vfp_exceptbits_from_host(int host_bits)
- uint32_t HELPER(vfp_get_fpscr)(CPUARMState *env)
- {
--    int i;
--    uint32_t fpscr;
-+    uint32_t i, fpscr;
-     fpscr = env->vfp.xregs[ARM_VFP_FPSCR]
-             | (env->vfp.vec_len << 16)
-@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(vfp_get_fpscr)(CPUARMState *env)
-     /* FZ16 does not generate an input denormal exception.  */
-     i |= (get_float_exception_flags(&env->vfp.fp_status_f16)
-           & ~float_flag_input_denormal);
--
-     fpscr |= vfp_exceptbits_from_host(i);
-+
-+    i = env->vfp.qc[0] | env->vfp.qc[1] | env->vfp.qc[2] | env->vfp.qc[3];
-+    fpscr |= i ? FPCR_QC : 0;
-+
-     return fpscr;
- }
-@@ -XXX,XX +XXX,XX @@ void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)
-      * (which are stored in fp_status), and the other RES0 bits
-      * in between, then we clear all of the low 16 bits.
-      */
--    env->vfp.xregs[ARM_VFP_FPSCR] = val & 0xffc80000;
-+    env->vfp.xregs[ARM_VFP_FPSCR] = val & 0xf7c80000;
-     env->vfp.vec_len = (val >> 16) & 7;
-     env->vfp.vec_stride = (val >> 20) & 3;
-+    /*
-+     * The bit we set within fpscr_q is arbitrary; the register as a
-+     * whole being zero/non-zero is what counts.
-+     */
-+    env->vfp.qc[0] = val & FPCR_QC;
-+    env->vfp.qc[1] = 0;
-+    env->vfp.qc[2] = 0;
-+    env->vfp.qc[3] = 0;
-+
-     changed ^= val;
-     if (changed & (3 << 22)) {
-         i = (val >> 22) & 3;
-diff --git a/target/arm/neon_helper.c b/target/arm/neon_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/neon_helper.c
-+++ b/target/arm/neon_helper.c
-@@ -XXX,XX +XXX,XX @@
- #define SIGNBIT (uint32_t)0x80000000
- #define SIGNBIT64 ((uint64_t)1 << 63)
--#define SET_QC() env->vfp.xregs[ARM_VFP_FPSCR] |= CPSR_Q
-+#define SET_QC() env->vfp.qc[0] = 1
- #define NEON_TYPE1(name, type) \
- typedef struct \
-diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/vec_helper.c
-+++ b/target/arm/vec_helper.c
-@@ -XXX,XX +XXX,XX @@
- #define H4(x)  (x)
- #endif
--#define SET_QC() env->vfp.xregs[ARM_VFP_FPSCR] |= CPSR_Q
-+#define SET_QC() env->vfp.qc[0] = 1
- static void clear_tail(void *vd, uintptr_t opr_sz, uintptr_t max_sz)
- {
---
-.20.1

The following changes since commit 0d3e41d5efd638a0c5682f6813b26448c3c51624:

Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-pull-request' into staging (2019-02-14 17:42:25 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190214

for you to fetch changes up to 497bc12b1b374ecd62903bf062229bd93f8924af:

gdbstub: Send a reply to the vKill packet. (2019-02-14 18:45:49 +0000)

----------------------------------------------------------------
target-arm queue:
 * gdbstub: Send a reply to the vKill packet
 * Improve codegen for neon min/max and saturating arithmetic
 * Fix a bug in clearing FPSCR exception status bits
 * hw/arm/armsse: Fix miswiring of expansion IRQs
 * hw/intc/armv7m_nvic: Allow byte accesses to SHPR1
 * MAINTAINERS: Remove Peter Crosthwaite from various entries
 * arm: Allow system registers for KVM guests to be changed by QEMU code
 * linux-user: support HWCAP_CPUID which exposes ID registers to user code
 * Fix bug in 128-bit cmpxchg for BE Arm guests
 * Implement (no-op) HACR_EL2
 * Fix CRn to be 14 for PMEVTYPER/PMEVCNTR

----------------------------------------------------------------
Aaron Lindsay OS (1):
      target/arm: Fix CRn to be 14 for PMEVTYPER/PMEVCNTR

Alex Bennée (5):
      target/arm: relax permission checks for HWCAP_CPUID registers
      target/arm: expose CPUID registers to userspace
      target/arm: expose MPIDR_EL1 to userspace
      target/arm: expose remaining CPUID registers as RAZ
      linux-user/elfload: enable HWCAP_CPUID for AArch64

Catherine Ho (1):
      target/arm: Fix int128_make128 lo, hi order in paired_cmpxchg64_be

Peter Maydell (5):
      target/arm: Implement HACR_EL2
      arm: Allow system registers for KVM guests to be changed by QEMU code
      MAINTAINERS: Remove Peter Crosthwaite from various entries
      hw/intc/armv7m_nvic: Allow byte accesses to SHPR1
      hw/arm/armsse: Fix miswiring of expansion IRQs

Richard Henderson (14):
      target/arm: Force result size into dp after operation
      target/arm: Restructure disas_fp_int_conv
      target/arm: Rely on optimization within tcg_gen_gvec_or
      target/arm: Use vector minmax expanders for aarch64
      target/arm: Use vector minmax expanders for aarch32
      target/arm: Use tcg integer min/max primitives for neon
      target/arm: Remove neon min/max helpers
      target/arm: Fix vfp_gdb_get/set_reg vs FPSCR
      target/arm: Fix arm_cpu_dump_state vs FPSCR
      target/arm: Split out flags setting from vfp compares
      target/arm: Fix set of bits kept in xregs[ARM_VFP_FPSCR]
      target/arm: Split out FPSCR.QC to a vector field
      target/arm: Use vector operations for saturation
      target/arm: Add missing clear_tail calls

Sandra Loosemore (1):
      gdbstub: Send a reply to the vKill packet.

From: Aaron Lindsay OS <aaron@os.amperecomputing.com>

This bug was introduced in:
    commit 5ecdd3e47cadae83a62dc92b472f1fe163b56f59
    target/arm: Finish implementation of PM[X]EVCNTR and PM[X]EVTYPER

Signed-off-by: Aaron Lindsay <aaron@os.amperecomputing.com>
Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Reviewed-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Message-id: 20190205135129.19338-1-aaron@os.amperecomputing.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
             char *pmevtyper_name = g_strdup_printf("PMEVTYPER%d", i);
             char *pmevtyper_el0_name = g_strdup_printf("PMEVTYPER%d_EL0", i);
             ARMCPRegInfo pmev_regs[] = {
-                { .name = pmevcntr_name, .cp = 15, .crn = 15,
+                { .name = pmevcntr_name, .cp = 15, .crn = 14,
                   .crm = 8 | (3 & (i >> 3)), .opc1 = 0, .opc2 = i & 7,
                   .access = PL0_RW, .type = ARM_CP_IO | ARM_CP_ALIAS,
                   .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn,
                   .accessfn = pmreg_access },
                 { .name = pmevcntr_el0_name, .state = ARM_CP_STATE_AA64,
-                  .opc0 = 3, .opc1 = 3, .crn = 15, .crm = 8 | (3 & (i >> 3)),
+                  .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 8 | (3 & (i >> 3)),
                   .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access,
                   .type = ARM_CP_IO,
                   .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn,
                   .raw_readfn = pmevcntr_rawread,
                   .raw_writefn = pmevcntr_rawwrite },
-                { .name = pmevtyper_name, .cp = 15, .crn = 15,
+                { .name = pmevtyper_name, .cp = 15, .crn = 14,
                   .crm = 12 | (3 & (i >> 3)), .opc1 = 0, .opc2 = i & 7,
                   .access = PL0_RW, .type = ARM_CP_IO | ARM_CP_ALIAS,
                   .readfn = pmevtyper_readfn, .writefn = pmevtyper_writefn,
                   .accessfn = pmreg_access },
                 { .name = pmevtyper_el0_name, .state = ARM_CP_STATE_AA64,
-                  .opc0 = 3, .opc1 = 3, .crn = 15, .crm = 12 | (3 & (i >> 3)),
+                  .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 12 | (3 & (i >> 3)),
                   .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access,
                   .type = ARM_CP_IO,
                   .readfn = pmevtyper_readfn, .writefn = pmevtyper_writefn,
-- 
2.20.1

HACR_EL2 is a register with IMPDEF behaviour, which allows
implementation specific trapping to EL2. Implement it as RAZ/WI,
since QEMU's implementation has no extra traps. This also
matches what h/w implementations like Cortex-A53 and A57 do.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190205181218.8995-1-peter.maydell@linaro.org
---
 target/arm/helper.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el3_no_el2_cp_reginfo[] = {
       .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,
       .access = PL2_RW,
       .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "HACR_EL2", .state = ARM_CP_STATE_BOTH,
+      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 7,
+      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
     { .name = "ESR_EL2", .state = ARM_CP_STATE_BOTH,
       .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 2, .opc2 = 0,
       .access = PL2_RW,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
       .cp = 15, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,
       .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.hcr_el2),
       .writefn = hcr_writelow },
+    { .name = "HACR_EL2", .state = ARM_CP_STATE_BOTH,
+      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 7,
+      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
     { .name = "ELR_EL2", .state = ARM_CP_STATE_AA64,
       .type = ARM_CP_ALIAS,
       .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 0, .opc2 = 1,
-- 
2.20.1

From: Catherine Ho <catherine.hecx@gmail.com>

The lo,hi order is different from the comments. And in commit
1ec182c33379 ("target/arm: Convert to HAVE_CMPXCHG128"), it changes
the original code logic. So just restore the old code logic before this
commit:
do_paired_cmpxchg64_be():
    cmpv = int128_make128(env->exclusive_high, env->exclusive_val);
    newv = int128_make128(new_hi, new_lo);

This fixes a bug that would only be visible for big-endian
AArch64 guest code.

Fixes: 1ec182c33379 ("target/arm: Convert to HAVE_CMPXCHG128")
Signed-off-by: Catherine Ho <catherine.hecx@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1548985244-24523-1-git-send-email-catherine.hecx@gmail.com
[PMM: added note that bug only affects BE guests]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-a64.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper-a64.c
+++ b/target/arm/helper-a64.c
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(paired_cmpxchg64_be)(CPUARMState *env, uint64_t addr,
      * High and low need to be switched here because this is not actually a
      * 128bit store but two doublewords stored consecutively
      */
-    Int128 cmpv = int128_make128(env->exclusive_val, env->exclusive_high);
-    Int128 newv = int128_make128(new_lo, new_hi);
+    Int128 cmpv = int128_make128(env->exclusive_high, env->exclusive_val);
+    Int128 newv = int128_make128(new_hi, new_lo);
     Int128 oldv;
     uintptr_t ra = GETPC();
     uint64_t o0, o1;
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Rather than a complex set of cases testing for writeback,
adjust DP after performing the operation.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190206052857.5077-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static int disas_vfp_insn(DisasContext *s, uint32_t insn)
                         tcg_gen_or_i32(tmp, tmp, tmp2);
                         tcg_temp_free_i32(tmp2);
                         gen_vfp_msr(tmp);
+                        dp = 0; /* always a single precision result */
                         break;
                     }
                     case 7: /* vcvtt.f16.f32, vcvtt.f16.f64 */
@@ -XXX,XX +XXX,XX @@ static int disas_vfp_insn(DisasContext *s, uint32_t insn)
                         tcg_gen_or_i32(tmp, tmp, tmp2);
                         tcg_temp_free_i32(tmp2);
                         gen_vfp_msr(tmp);
+                        dp = 0; /* always a single precision result */
                         break;
                     }
                     case 8: /* cmp */
                         gen_vfp_cmp(dp);
+                        dp = -1; /* no write back */
                         break;
                     case 9: /* cmpe */
                         gen_vfp_cmpe(dp);
+                        dp = -1; /* no write back */
                         break;
                     case 10: /* cmpz */
                         gen_vfp_cmp(dp);
+                        dp = -1; /* no write back */
                         break;
                     case 11: /* cmpez */
                         gen_vfp_F1_ld0(dp);
                         gen_vfp_cmpe(dp);
+                        dp = -1; /* no write back */
                         break;
                     case 12: /* vrintr */
                     {
@@ -XXX,XX +XXX,XX @@ static int disas_vfp_insn(DisasContext *s, uint32_t insn)
                         break;
                     }
                     case 15: /* single<->double conversion */
-                        if (dp)
+                        if (dp) {
                             gen_helper_vfp_fcvtsd(cpu_F0s, cpu_F0d, cpu_env);
-                        else
+                        } else {
                             gen_helper_vfp_fcvtds(cpu_F0d, cpu_F0s, cpu_env);
+                        }
+                        dp = !dp; /* result size is opposite */
                         break;
                     case 16: /* fuito */
                         gen_vfp_uito(dp, 0);
@@ -XXX,XX +XXX,XX @@ static int disas_vfp_insn(DisasContext *s, uint32_t insn)
                         break;
                     case 24: /* ftoui */
                         gen_vfp_toui(dp, 0);
+                        dp = 0; /* always an integer result */
                         break;
                     case 25: /* ftouiz */
                         gen_vfp_touiz(dp, 0);
+                        dp = 0; /* always an integer result */
                         break;
                     case 26: /* ftosi */
                         gen_vfp_tosi(dp, 0);
+                        dp = 0; /* always an integer result */
                         break;
                     case 27: /* ftosiz */
                         gen_vfp_tosiz(dp, 0);
+                        dp = 0; /* always an integer result */
                         break;
                     case 28: /* ftosh */
                         if (!arm_dc_feature(s, ARM_FEATURE_VFP3)) {
@@ -XXX,XX +XXX,XX @@ static int disas_vfp_insn(DisasContext *s, uint32_t insn)
                     return 1;
                 }
 
-                /* Write back the result.  */
-                if (op == 15 && (rn >= 8 && rn <= 11)) {
-                    /* Comparison, do nothing.  */
-                } else if (op == 15 && dp && ((rn & 0x1c) == 0x18 ||
-                                              (rn & 0x1e) == 0x6)) {
-                    /* VCVT double to int: always integer result.
-                     * VCVT double to half precision is always a single
-                     * precision result.
-                     */
-                    gen_mov_vreg_F0(0, rd);
-                } else if (op == 15 && rn == 15) {
-                    /* conversion */
-                    gen_mov_vreg_F0(!dp, rd);
-                } else {
+                /* Write back the result, if any.  */
+                if (dp >= 0) {
                     gen_mov_vreg_F0(dp, rd);
                 }
 
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

For opcodes 0-5, move some if conditions into the structure
of a switch statement.  For opcodes 6 & 7, decode everything
at once with a second switch.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190206052857.5077-3-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 94 ++++++++++++++++++++------------------
 1 file changed, 49 insertions(+), 45 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_fp_int_conv(DisasContext *s, uint32_t insn)
     int type = extract32(insn, 22, 2);
     bool sbit = extract32(insn, 29, 1);
     bool sf = extract32(insn, 31, 1);
+    bool itof = false;
 
     if (sbit) {
-        unallocated_encoding(s);
-        return;
+        goto do_unallocated;
     }
 
-    if (opcode > 5) {
-        /* FMOV */
-        bool itof = opcode & 1;
-
-        if (rmode >= 2) {
-            unallocated_encoding(s);
-            return;
-        }
-
-        switch (sf << 3 | type << 1 | rmode) {
-        case 0x0: /* 32 bit */
-        case 0xa: /* 64 bit */
-        case 0xd: /* 64 bit to top half of quad */
-            break;
-        case 0x6: /* 16-bit float, 32-bit int */
-        case 0xe: /* 16-bit float, 64-bit int */
-            if (dc_isar_feature(aa64_fp16, s)) {
-                break;
-            }
-            /* fallthru */
-        default:
-            /* all other sf/type/rmode combinations are invalid */
-            unallocated_encoding(s);
-            return;
-        }
-
-        if (!fp_access_check(s)) {
-            return;
-        }
-        handle_fmov(s, rd, rn, type, itof);
-    } else {
-        /* actual FP conversions */
-        bool itof = extract32(opcode, 1, 1);
-
-        if (rmode != 0 && opcode > 1) {
-            unallocated_encoding(s);
-            return;
+    switch (opcode) {
+    case 2: /* SCVTF */
+    case 3: /* UCVTF */
+        itof = true;
+        /* fallthru */
+    case 4: /* FCVTAS */
+    case 5: /* FCVTAU */
+        if (rmode != 0) {
+            goto do_unallocated;
         }
+        /* fallthru */
+    case 0: /* FCVT[NPMZ]S */
+    case 1: /* FCVT[NPMZ]U */
         switch (type) {
         case 0: /* float32 */
         case 1: /* float64 */
             break;
         case 3: /* float16 */
-            if (dc_isar_feature(aa64_fp16, s)) {
-                break;
+            if (!dc_isar_feature(aa64_fp16, s)) {
+                goto do_unallocated;
             }
-            /* fallthru */
+            break;
         default:
-            unallocated_encoding(s);
-            return;
+            goto do_unallocated;
         }
-
         if (!fp_access_check(s)) {
             return;
         }
         handle_fpfpcvt(s, rd, rn, opcode, itof, rmode, 64, sf, type);
+        break;
+
+    default:
+        switch (sf << 7 | type << 5 | rmode << 3 | opcode) {
+        case 0b01100110: /* FMOV half <-> 32-bit int */
+        case 0b01100111:
+        case 0b11100110: /* FMOV half <-> 64-bit int */
+        case 0b11100111:
+            if (!dc_isar_feature(aa64_fp16, s)) {
+                goto do_unallocated;
+            }
+            /* fallthru */
+        case 0b00000110: /* FMOV 32-bit */
+        case 0b00000111:
+        case 0b10100110: /* FMOV 64-bit */
+        case 0b10100111:
+        case 0b11001110: /* FMOV top half of 128-bit */
+        case 0b11001111:
+            if (!fp_access_check(s)) {
+                return;
+            }
+            itof = opcode & 1;
+            handle_fmov(s, rd, rn, type, itof);
+            break;
+
+        default:
+        do_unallocated:
+            unallocated_encoding(s);
+            return;
+        }
+        break;
     }
 }
 
-- 
2.20.1

From: Alex Bennée <alex.bennee@linaro.org>

Although technically not visible to userspace the kernel does make
them visible via a trap and emulate ABI. We provide a new permission
mask (PL0U_R) which maps to PL0_R for CONFIG_USER builds and adjust
the minimum permission check accordingly.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20190205190224.2198-2-alex.bennee@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h    | 12 ++++++++++++
 target/arm/helper.c |  6 +++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline bool cptype_valid(int cptype)
 #define PL0_R (0x02 | PL1_R)
 #define PL0_W (0x01 | PL1_W)
 
+/*
+ * For user-mode some registers are accessible to EL0 via a kernel
+ * trap-and-emulate ABI. In this case we define the read permissions
+ * as actually being PL0_R. However some bits of any given register
+ * may still be masked.
+ */
+#ifdef CONFIG_USER_ONLY
+#define PL0U_R PL0_R
+#else
+#define PL0U_R PL1_R
+#endif
+
 #define PL3_RW (PL3_R | PL3_W)
 #define PL2_RW (PL2_R | PL2_W)
 #define PL1_RW (PL1_R | PL1_W)
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
     if (r->state != ARM_CP_STATE_AA32) {
         int mask = 0;
         switch (r->opc1) {
-        case 0: case 1: case 2:
+        case 0:
+            /* min_EL EL1, but some accessible to EL0 via kernel ABI */
+            mask = PL0U_R | PL1_RW;
+            break;
+        case 1: case 2:
             /* min_EL EL1 */
             mask = PL1_RW;
             break;
-- 
2.20.1

From: Alex Bennée <alex.bennee@linaro.org>

A number of CPUID registers are exposed to userspace by modern Linux
kernels thanks to the "ARM64 CPU Feature Registers" ABI. For QEMU's
user-mode emulation we don't need to emulate the kernels trap but just
return the value the trap would have done. To avoid too much #ifdef
hackery we process ARMCPRegInfo with a new helper (modify_arm_cp_regs)
before defining the registers. The modify routine is driven by a
simple data structure which describes which bits are exported and
which are fixed.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20190205190224.2198-3-alex.bennee@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h    | 21 ++++++++++++++++
 target/arm/helper.c | 59 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline void define_one_arm_cp_reg(ARMCPU *cpu, const ARMCPRegInfo *regs)
 }
 const ARMCPRegInfo *get_arm_cp_reginfo(GHashTable *cpregs, uint32_t encoded_cp);
 
+/*
+ * Definition of an ARM co-processor register as viewed from
+ * userspace. This is used for presenting sanitised versions of
+ * registers to userspace when emulating the Linux AArch64 CPU
+ * ID/feature ABI (advertised as HWCAP_CPUID).
+ */
+typedef struct ARMCPRegUserSpaceInfo {
+    /* Name of register */
+    const char *name;
+
+    /* Only some bits are exported to user space */
+    uint64_t exported_bits;
+
+    /* Fixed bits are applied after the mask */
+    uint64_t fixed_bits;
+} ARMCPRegUserSpaceInfo;
+
+#define REGUSERINFO_SENTINEL { .name = NULL }
+
+void modify_arm_cp_regs(ARMCPRegInfo *regs, const ARMCPRegUserSpaceInfo *mods);
+
 /* CPWriteFn that can be used to implement writes-ignored behaviour */
 void arm_cp_write_ignore(CPUARMState *env, const ARMCPRegInfo *ri,
                          uint64_t value);
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .resetvalue = cpu->pmceid1 },
             REGINFO_SENTINEL
         };
+#ifdef CONFIG_USER_ONLY
+        ARMCPRegUserSpaceInfo v8_user_idregs[] = {
+            { .name = "ID_AA64PFR0_EL1",
+              .exported_bits = 0x000f000f00ff0000,
+              .fixed_bits    = 0x0000000000000011 },
+            { .name = "ID_AA64PFR1_EL1",
+              .exported_bits = 0x00000000000000f0 },
+            { .name = "ID_AA64ZFR0_EL1"           },
+            { .name = "ID_AA64MMFR0_EL1",
+              .fixed_bits    = 0x00000000ff000000 },
+            { .name = "ID_AA64MMFR1_EL1"          },
+            { .name = "ID_AA64DFR0_EL1",
+              .fixed_bits    = 0x0000000000000006 },
+            { .name = "ID_AA64DFR1_EL1"           },
+            { .name = "ID_AA64AFR0_EL1"           },
+            { .name = "ID_AA64AFR1_EL1"           },
+            { .name = "ID_AA64ISAR0_EL1",
+              .exported_bits = 0x00fffffff0fffff0 },
+            { .name = "ID_AA64ISAR1_EL1",
+              .exported_bits = 0x000000f0ffffffff },
+            REGUSERINFO_SENTINEL
+        };
+        modify_arm_cp_regs(v8_idregs, v8_user_idregs);
+#endif
         /* RVBAR_EL1 is only implemented if EL1 is the highest EL */
         if (!arm_feature(env, ARM_FEATURE_EL3) &&
             !arm_feature(env, ARM_FEATURE_EL2)) {
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
             .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_W,
             .type = ARM_CP_NOP | ARM_CP_OVERRIDE
         };
+#ifdef CONFIG_USER_ONLY
+        ARMCPRegUserSpaceInfo id_v8_user_midr_cp_reginfo[] = {
+            { .name = "MIDR_EL1",
+              .exported_bits = 0x00000000ffffffff },
+            { .name = "REVIDR_EL1"                },
+            REGUSERINFO_SENTINEL
+        };
+        modify_arm_cp_regs(id_v8_midr_cp_reginfo, id_v8_user_midr_cp_reginfo);
+#endif
         if (arm_feature(env, ARM_FEATURE_OMAPCP) ||
             arm_feature(env, ARM_FEATURE_STRONGARM)) {
             ARMCPRegInfo *r;
@@ -XXX,XX +XXX,XX @@ void define_arm_cp_regs_with_opaque(ARMCPU *cpu,
     }
 }
 
+/*
+ * Modify ARMCPRegInfo for access from userspace.
+ *
+ * This is a data driven modification directed by
+ * ARMCPRegUserSpaceInfo. All registers become ARM_CP_CONST as
+ * user-space cannot alter any values and dynamic values pertaining to
+ * execution state are hidden from user space view anyway.
+ */
+void modify_arm_cp_regs(ARMCPRegInfo *regs, const ARMCPRegUserSpaceInfo *mods)
+{
+    const ARMCPRegUserSpaceInfo *m;
+    ARMCPRegInfo *r;
+
+    for (m = mods; m->name; m++) {
+        for (r = regs; r->type != ARM_CP_SENTINEL; r++) {
+            if (strcmp(r->name, m->name) == 0) {
+                r->type = ARM_CP_CONST;
+                r->access = PL0U_R;
+                r->resetvalue &= m->exported_bits;
+                r->resetvalue |= m->fixed_bits;
+                break;
+            }
+        }
+    }
+}
+
 const ARMCPRegInfo *get_arm_cp_reginfo(GHashTable *cpregs, uint32_t encoded_cp)
 {
     return g_hash_table_lookup(cpregs, &encoded_cp);
-- 
2.20.1

From: Alex Bennée <alex.bennee@linaro.org>

As this is a single register we could expose it with a simple ifdef
but we use the existing modify_arm_cp_regs mechanism for consistency.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20190205190224.2198-4-alex.bennee@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint64_t mpidr_read(CPUARMState *env, const ARMCPRegInfo *ri)
     return mpidr_read_val(env);
 }
 
-static const ARMCPRegInfo mpidr_cp_reginfo[] = {
-    { .name = "MPIDR", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 5,
-      .access = PL1_R, .readfn = mpidr_read, .type = ARM_CP_NO_RAW },
-    REGINFO_SENTINEL
-};
-
 static const ARMCPRegInfo lpae_cp_reginfo[] = {
     /* NOP AMAIR0/1 */
     { .name = "AMAIR0", .state = ARM_CP_STATE_BOTH,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
     }
 
     if (arm_feature(env, ARM_FEATURE_MPIDR)) {
+        ARMCPRegInfo mpidr_cp_reginfo[] = {
+            { .name = "MPIDR_EL1", .state = ARM_CP_STATE_BOTH,
+              .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 5,
+              .access = PL1_R, .readfn = mpidr_read, .type = ARM_CP_NO_RAW },
+            REGINFO_SENTINEL
+        };
+#ifdef CONFIG_USER_ONLY
+        ARMCPRegUserSpaceInfo mpidr_user_cp_reginfo[] = {
+            { .name = "MPIDR_EL1",
+              .fixed_bits = 0x0000000080000000 },
+            REGUSERINFO_SENTINEL
+        };
+        modify_arm_cp_regs(mpidr_cp_reginfo, mpidr_user_cp_reginfo);
+#endif
         define_arm_cp_regs(cpu, mpidr_cp_reginfo);
     }
 
-- 
2.20.1

From: Alex Bennée <alex.bennee@linaro.org>

There are a whole bunch more registers in the CPUID space which are
currently not used but are exposed as RAZ. To avoid too much
duplication we expand ARMCPRegUserSpaceInfo to understand glob
patterns so we only need one entry to tweak whole ranges of registers.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20190205190224.2198-5-alex.bennee@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h    |  3 +++
 target/arm/helper.c | 26 +++++++++++++++++++++++---
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct ARMCPRegUserSpaceInfo {
     /* Name of register */
     const char *name;
 
+    /* Is the name actually a glob pattern */
+    bool is_glob;
+
     /* Only some bits are exported to user space */
     uint64_t exported_bits;
 
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .fixed_bits    = 0x0000000000000011 },
             { .name = "ID_AA64PFR1_EL1",
               .exported_bits = 0x00000000000000f0 },
+            { .name = "ID_AA64PFR*_EL1_RESERVED",
+              .is_glob = true                     },
             { .name = "ID_AA64ZFR0_EL1"           },
             { .name = "ID_AA64MMFR0_EL1",
               .fixed_bits    = 0x00000000ff000000 },
             { .name = "ID_AA64MMFR1_EL1"          },
+            { .name = "ID_AA64MMFR*_EL1_RESERVED",
+              .is_glob = true                     },
             { .name = "ID_AA64DFR0_EL1",
               .fixed_bits    = 0x0000000000000006 },
             { .name = "ID_AA64DFR1_EL1"           },
-            { .name = "ID_AA64AFR0_EL1"           },
-            { .name = "ID_AA64AFR1_EL1"           },
+            { .name = "ID_AA64DFR*_EL1_RESERVED",
+              .is_glob = true                     },
+            { .name = "ID_AA64AFR*",
+              .is_glob = true                     },
             { .name = "ID_AA64ISAR0_EL1",
               .exported_bits = 0x00fffffff0fffff0 },
             { .name = "ID_AA64ISAR1_EL1",
               .exported_bits = 0x000000f0ffffffff },
+            { .name = "ID_AA64ISAR*_EL1_RESERVED",
+              .is_glob = true                     },
             REGUSERINFO_SENTINEL
         };
         modify_arm_cp_regs(v8_idregs, v8_user_idregs);
@@ -XXX,XX +XXX,XX @@ void modify_arm_cp_regs(ARMCPRegInfo *regs, const ARMCPRegUserSpaceInfo *mods)
     ARMCPRegInfo *r;
 
     for (m = mods; m->name; m++) {
+        GPatternSpec *pat = NULL;
+        if (m->is_glob) {
+            pat = g_pattern_spec_new(m->name);
+        }
         for (r = regs; r->type != ARM_CP_SENTINEL; r++) {
-            if (strcmp(r->name, m->name) == 0) {
+            if (pat && g_pattern_match_string(pat, r->name)) {
+                r->type = ARM_CP_CONST;
+                r->access = PL0U_R;
+                r->resetvalue = 0;
+                /* continue */
+            } else if (strcmp(r->name, m->name) == 0) {
                 r->type = ARM_CP_CONST;
                 r->access = PL0U_R;
                 r->resetvalue &= m->exported_bits;
@@ -XXX,XX +XXX,XX @@ void modify_arm_cp_regs(ARMCPRegInfo *regs, const ARMCPRegUserSpaceInfo *mods)
                 break;
             }
         }
+        if (pat) {
+            g_pattern_spec_free(pat);
+        }
     }
 }
 
-- 
2.20.1

At the moment the Arm implementations of kvm_arch_{get,put}_registers()
don't support having QEMU change the values of system registers
(aka coprocessor registers for AArch32). This is because although
kvm_arch_get_registers() calls write_list_to_cpustate() to
update the CPU state struct fields (so QEMU code can read the
values in the usual way), kvm_arch_put_registers() does not
call write_cpustate_to_list(), meaning that any changes to
the CPU state struct fields will not be passed back to KVM.

The rationale for this design is documented in a comment in the
AArch32 kvm_arch_put_registers() -- writing the values in the
cpregs list into the CPU state struct is "lossy" because the
write of a register might not succeed, and so if we blindly
copy the CPU state values back again we will incorrectly
change register values for the guest. The assumption was that
no QEMU code would need to write to the registers.

However, when we implemented debug support for KVM guests, we
broke that assumption: the code to handle "set the guest up
to take a breakpoint exception" does so by updating various
guest registers including ESR_EL1.

Support this by making kvm_arch_put_registers() synchronize
CPU state back into the list. We sync only those registers
where the initial write succeeds, which should be sufficient.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Dongjiu Geng <gengdongjiu@huawei.com>
---
 target/arm/cpu.h     |  9 ++++++++-
 target/arm/helper.c  | 27 +++++++++++++++++++++++++--
 target/arm/kvm32.c   | 20 ++------------------
 target/arm/kvm64.c   |  2 ++
 target/arm/machine.c |  2 +-
 5 files changed, 38 insertions(+), 22 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ bool write_list_to_cpustate(ARMCPU *cpu);
 /**
  * write_cpustate_to_list:
  * @cpu: ARMCPU
+ * @kvm_sync: true if this is for syncing back to KVM
  *
  * For each register listed in the ARMCPU cpreg_indexes list, write
  * its value from the ARMCPUState structure into the cpreg_values list.
  * This is used to copy info from TCG's working data structures into
  * KVM or for outbound migration.
  *
+ * @kvm_sync is true if we are doing this in order to sync the
+ * register state back to KVM. In this case we will only update
+ * values in the list if the previous list->cpustate sync actually
+ * successfully wrote the CPU state. Otherwise we will keep the value
+ * that is in the list.
+ *
  * Returns: true if all register values were read correctly,
  * false if some register was unknown or could not be read.
  * Note that we do not stop early on failure -- we will attempt
  * reading all registers in the list.
  */
-bool write_cpustate_to_list(ARMCPU *cpu);
+bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync);
 
 #define ARM_CPUID_TI915T      0x54029152
 #define ARM_CPUID_TI925T      0x54029252
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static bool raw_accessors_invalid(const ARMCPRegInfo *ri)
     return true;
 }
 
-bool write_cpustate_to_list(ARMCPU *cpu)
+bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync)
 {
     /* Write the coprocessor state from cpu->env to the (index,value) list. */
     int i;
@@ -XXX,XX +XXX,XX @@ bool write_cpustate_to_list(ARMCPU *cpu)
     for (i = 0; i < cpu->cpreg_array_len; i++) {
         uint32_t regidx = kvm_to_cpreg_id(cpu->cpreg_indexes[i]);
         const ARMCPRegInfo *ri;
+        uint64_t newval;
 
         ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
         if (!ri) {
@@ -XXX,XX +XXX,XX @@ bool write_cpustate_to_list(ARMCPU *cpu)
         if (ri->type & ARM_CP_NO_RAW) {
             continue;
         }
-        cpu->cpreg_values[i] = read_raw_cp_reg(&cpu->env, ri);
+
+        newval = read_raw_cp_reg(&cpu->env, ri);
+        if (kvm_sync) {
+            /*
+             * Only sync if the previous list->cpustate sync succeeded.
+             * Rather than tracking the success/failure state for every
+             * item in the list, we just recheck "does the raw write we must
+             * have made in write_list_to_cpustate() read back OK" here.
+             */
+            uint64_t oldval = cpu->cpreg_values[i];
+
+            if (oldval == newval) {
+                continue;
+            }
+
+            write_raw_cp_reg(&cpu->env, ri, oldval);
+            if (read_raw_cp_reg(&cpu->env, ri) != oldval) {
+                continue;
+            }
+
+            write_raw_cp_reg(&cpu->env, ri, newval);
+        }
+        cpu->cpreg_values[i] = newval;
     }
     return ok;
 }
diff --git a/target/arm/kvm32.c b/target/arm/kvm32.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm32.c
+++ b/target/arm/kvm32.c
@@ -XXX,XX +XXX,XX @@ int kvm_arch_put_registers(CPUState *cs, int level)
         return ret;
     }
 
-    /* Note that we do not call write_cpustate_to_list()
-     * here, so we are only writing the tuple list back to
-     * KVM. This is safe because nothing can change the
-     * CPUARMState cp15 fields (in particular gdb accesses cannot)
-     * and so there are no changes to sync. In fact syncing would
-     * be wrong at this point: for a constant register where TCG and
-     * KVM disagree about its value, the preceding write_list_to_cpustate()
-     * would not have had any effect on the CPUARMState value (since the
-     * register is read-only), and a write_cpustate_to_list() here would
-     * then try to write the TCG value back into KVM -- this would either
-     * fail or incorrectly change the value the guest sees.
-     *
-     * If we ever want to allow the user to modify cp15 registers via
-     * the gdb stub, we would need to be more clever here (for instance
-     * tracking the set of registers kvm_arch_get_registers() successfully
-     * managed to update the CPUARMState with, and only allowing those
-     * to be written back up into the kernel).
-     */
+    write_cpustate_to_list(cpu, true);
+
     if (!write_list_to_kvmstate(cpu, level)) {
         return EINVAL;
     }
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ int kvm_arch_put_registers(CPUState *cs, int level)
         return ret;
     }
 
+    write_cpustate_to_list(cpu, true);
+
     if (!write_list_to_kvmstate(cpu, level)) {
         return EINVAL;
     }
diff --git a/target/arm/machine.c b/target/arm/machine.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/machine.c
+++ b/target/arm/machine.c
@@ -XXX,XX +XXX,XX @@ static int cpu_pre_save(void *opaque)
             abort();
         }
     } else {
-        if (!write_cpustate_to_list(cpu)) {
+        if (!write_cpustate_to_list(cpu, false)) {
             /* This should never fail. */
             abort();
         }
-- 
2.20.1

Peter Crosthwaite hasn't had the bandwidth to do code review or
other QEMU work for some time now -- remove his email address
from MAINTAINERS file entries so we don't bombard him with
patch emails.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20190207181422.4907-1-peter.maydell@linaro.org
---
 MAINTAINERS | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index XXXXXXX..XXXXXXX 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ Guest CPU cores (TCG):
 ----------------------
 Overall
 L: qemu-devel@nongnu.org
-M: Peter Crosthwaite <crosthwaite.peter@gmail.com>
 M: Richard Henderson <rth@twiddle.net>
 R: Paolo Bonzini <pbonzini@redhat.com>
 S: Maintained
@@ -XXX,XX +XXX,XX @@ F: tests/virtio-scsi-test.c
 T: git https://github.com/bonzini/qemu.git scsi-next
 
 SSI
-M: Peter Crosthwaite <crosthwaite.peter@gmail.com>
 M: Alistair Francis <alistair@alistair23.me>
 S: Maintained
 F: hw/ssi/*
@@ -XXX,XX +XXX,XX @@ F: tests/m25p80-test.c
 
 Xilinx SPI
 M: Alistair Francis <alistair@alistair23.me>
-M: Peter Crosthwaite <crosthwaite.peter@gmail.com>
 S: Maintained
 F: hw/ssi/xilinx_*
 
@@ -XXX,XX +XXX,XX @@ F: qom/cpu.c
 F: include/qom/cpu.h
 
 Device Tree
-M: Peter Crosthwaite <crosthwaite.peter@gmail.com>
 M: Alexander Graf <agraf@suse.de>
 S: Maintained
 F: device_tree.c
-- 
2.20.1

The code for handling the NVIC SHPR1 register intends to permit
byte and halfword accesses (as the architecture requires). However
the 'case' line for it only lists the base address of the
register, so attempts to access bytes other than the first one
end up in the "bad write" default logic. This bug was added
accidentally when we split out the SHPR1 logic from SHPR2 and
SHPR3 to support v6M.

Fixes: 7c9140afd594 ("nvic: Handle ARMv6-M SCS reserved registers")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
The Zephyr RTOS happens to access SHPR1 byte at a time,
which is how I spotted this.
---
 hw/intc/armv7m_nvic.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_read(void *opaque, hwaddr addr,
             }
         }
         break;
-    case 0xd18: /* System Handler Priority (SHPR1) */
+    case 0xd18 ... 0xd1b: /* System Handler Priority (SHPR1) */
         if (!arm_feature(&s->cpu->env, ARM_FEATURE_M_MAIN)) {
             val = 0;
             break;
@@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_write(void *opaque, hwaddr addr,
         }
         nvic_irq_update(s);
         return MEMTX_OK;
-    case 0xd18: /* System Handler Priority (SHPR1) */
+    case 0xd18 ... 0xd1b: /* System Handler Priority (SHPR1) */
         if (!arm_feature(&s->cpu->env, ARM_FEATURE_M_MAIN)) {
             return MEMTX_OK;
         }
-- 
2.20.1

In commit 91c1e9fcbd7548db368 where we added dual-CPU support to
the ARMSSE, we set up the wiring of the expansion IRQs via nested
loops: the outer loop on 'i' loops for each CPU, and the inner loop
on 'j' loops for each interrupt. Fix a typo which meant we were
wiring every expansion IRQ line to external IRQ 0 on CPU 0 and
to external IRQ 1 on CPU 1.

Fixes: 91c1e9fcbd7548db368 ("hw/arm/armsse: Support dual-CPU configuration")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
 hw/arm/armsse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/armsse.c b/hw/arm/armsse.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/armsse.c
+++ b/hw/arm/armsse.c
@@ -XXX,XX +XXX,XX @@ static void armsse_realize(DeviceState *dev, Error **errp)
         /* Connect EXP_IRQ/EXP_CPUn_IRQ GPIOs to the NVIC's lines 32 and up */
         s->exp_irqs[i] = g_new(qemu_irq, s->exp_numirq);
         for (j = 0; j < s->exp_numirq; j++) {
-            s->exp_irqs[i][j] = qdev_get_gpio_in(cpudev, i + 32);
+            s->exp_irqs[i][j] = qdev_get_gpio_in(cpudev, j + 32);
         }
         if (i == 0) {
             gpioname = g_strdup("EXP_IRQ");
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Since we're now handling a == b generically, we no longer need
to do it by hand within target/arm/.

Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190209033847.9014-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c |  6 +-----
 target/arm/translate-sve.c |  6 +-----
 target/arm/translate.c     | 12 +++---------
 3 files changed, 5 insertions(+), 19 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_logic(DisasContext *s, uint32_t insn)
         gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_andc, 0);
         return;
     case 2: /* ORR */
-        if (rn == rm) { /* MOV */
-            gen_gvec_fn2(s, is_q, rd, rn, tcg_gen_gvec_mov, 0);
-        } else {
-            gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_or, 0);
-        }
+        gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_or, 0);
         return;
     case 3: /* ORN */
         gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_orc, 0);
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_AND_zzz(DisasContext *s, arg_rrr_esz *a)
 
 static bool trans_ORR_zzz(DisasContext *s, arg_rrr_esz *a)
 {
-    if (a->rn == a->rm) { /* MOV */
-        return do_mov_z(s, a->rd, a->rn);
-    } else {
-        return do_vector3_z(s, tcg_gen_gvec_or, 0, a->rd, a->rn, a->rm);
-    }
+    return do_vector3_z(s, tcg_gen_gvec_or, 0, a->rd, a->rn, a->rm);
 }
 
 static bool trans_EOR_zzz(DisasContext *s, arg_rrr_esz *a)
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                 tcg_gen_gvec_andc(0, rd_ofs, rn_ofs, rm_ofs,
                                   vec_size, vec_size);
                 break;
-            case 2:
-                if (rn == rm) {
-                    /* VMOV */
-                    tcg_gen_gvec_mov(0, rd_ofs, rn_ofs, vec_size, vec_size);
-                } else {
-                    /* VORR */
-                    tcg_gen_gvec_or(0, rd_ofs, rn_ofs, rm_ofs,
-                                    vec_size, vec_size);
-                }
+            case 2: /* VORR */
+                tcg_gen_gvec_or(0, rd_ofs, rn_ofs, rm_ofs,
+                                vec_size, vec_size);
                 break;
             case 3: /* VORN */
                 tcg_gen_gvec_orc(0, rd_ofs, rn_ofs, rm_ofs,
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190209033847.9014-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 35 ++++++++++++++---------------------
 1 file changed, 14 insertions(+), 21 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
     }
 
     switch (opcode) {
+    case 0x0c: /* SMAX, UMAX */
+        if (u) {
+            gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_umax, size);
+        } else {
+            gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_smax, size);
+        }
+        return;
+    case 0x0d: /* SMIN, UMIN */
+        if (u) {
+            gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_umin, size);
+        } else {
+            gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_smin, size);
+        }
+        return;
     case 0x10: /* ADD, SUB */
         if (u) {
             gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_sub, size);
@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
                 genenvfn = fns[size][u];
                 break;
             }
-            case 0xc: /* SMAX, UMAX */
-            {
-                static NeonGenTwoOpFn * const fns[3][2] = {
-                    { gen_helper_neon_max_s8, gen_helper_neon_max_u8 },
-                    { gen_helper_neon_max_s16, gen_helper_neon_max_u16 },
-                    { tcg_gen_smax_i32, tcg_gen_umax_i32 },
-                };
-                genfn = fns[size][u];
-                break;
-            }
-
-            case 0xd: /* SMIN, UMIN */
-            {
-                static NeonGenTwoOpFn * const fns[3][2] = {
-                    { gen_helper_neon_min_s8, gen_helper_neon_min_u8 },
-                    { gen_helper_neon_min_s16, gen_helper_neon_min_u16 },
-                    { tcg_gen_smin_i32, tcg_gen_umin_i32 },
-                };
-                genfn = fns[size][u];
-                break;
-            }
             case 0xe: /* SABD, UABD */
             case 0xf: /* SABA, UABA */
             {
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190209033847.9014-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
             tcg_gen_gvec_cmp(u ? TCG_COND_GEU : TCG_COND_GE, size,
                              rd_ofs, rn_ofs, rm_ofs, vec_size, vec_size);
             return 0;
+
+        case NEON_3R_VMAX:
+            if (u) {
+                tcg_gen_gvec_umax(size, rd_ofs, rn_ofs, rm_ofs,
+                                  vec_size, vec_size);
+            } else {
+                tcg_gen_gvec_smax(size, rd_ofs, rn_ofs, rm_ofs,
+                                  vec_size, vec_size);
+            }
+            return 0;
+        case NEON_3R_VMIN:
+            if (u) {
+                tcg_gen_gvec_umin(size, rd_ofs, rn_ofs, rm_ofs,
+                                  vec_size, vec_size);
+            } else {
+                tcg_gen_gvec_smin(size, rd_ofs, rn_ofs, rm_ofs,
+                                  vec_size, vec_size);
+            }
+            return 0;
         }
 
         if (size == 3) {
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
         case NEON_3R_VQRSHL:
             GEN_NEON_INTEGER_OP_ENV(qrshl);
             break;
-        case NEON_3R_VMAX:
-            GEN_NEON_INTEGER_OP(max);
-            break;
-        case NEON_3R_VMIN:
-            GEN_NEON_INTEGER_OP(min);
-            break;
         case NEON_3R_VABD:
             GEN_NEON_INTEGER_OP(abd);
             break;
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The 32-bit PMIN/PMAX has been decomposed to scalars,
and so can be trivially expanded inline.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190209033847.9014-5-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_neon_rsb(int size, TCGv_i32 t0, TCGv_i32 t1)
 }
 
 /* 32-bit pairwise ops end up the same as the elementwise versions.  */
-#define gen_helper_neon_pmax_s32  gen_helper_neon_max_s32
-#define gen_helper_neon_pmax_u32  gen_helper_neon_max_u32
-#define gen_helper_neon_pmin_s32  gen_helper_neon_min_s32
-#define gen_helper_neon_pmin_u32  gen_helper_neon_min_u32
+#define gen_helper_neon_pmax_s32  tcg_gen_smax_i32
+#define gen_helper_neon_pmax_u32  tcg_gen_umax_i32
+#define gen_helper_neon_pmin_s32  tcg_gen_smin_i32
+#define gen_helper_neon_pmin_u32  tcg_gen_umin_i32
 
 #define GEN_NEON_INTEGER_OP_ENV(name) do { \
     switch ((size << 1) | u) { \
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

These are now unused.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190209033847.9014-6-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.h      | 12 ------------
 target/arm/neon_helper.c | 12 ------------
 2 files changed, 24 deletions(-)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_2(neon_cge_s16, i32, i32, i32)
 DEF_HELPER_2(neon_cge_u32, i32, i32, i32)
 DEF_HELPER_2(neon_cge_s32, i32, i32, i32)
 
-DEF_HELPER_2(neon_min_u8, i32, i32, i32)
-DEF_HELPER_2(neon_min_s8, i32, i32, i32)
-DEF_HELPER_2(neon_min_u16, i32, i32, i32)
-DEF_HELPER_2(neon_min_s16, i32, i32, i32)
-DEF_HELPER_2(neon_min_u32, i32, i32, i32)
-DEF_HELPER_2(neon_min_s32, i32, i32, i32)
-DEF_HELPER_2(neon_max_u8, i32, i32, i32)
-DEF_HELPER_2(neon_max_s8, i32, i32, i32)
-DEF_HELPER_2(neon_max_u16, i32, i32, i32)
-DEF_HELPER_2(neon_max_s16, i32, i32, i32)
-DEF_HELPER_2(neon_max_u32, i32, i32, i32)
-DEF_HELPER_2(neon_max_s32, i32, i32, i32)
 DEF_HELPER_2(neon_pmin_u8, i32, i32, i32)
 DEF_HELPER_2(neon_pmin_s8, i32, i32, i32)
 DEF_HELPER_2(neon_pmin_u16, i32, i32, i32)
diff --git a/target/arm/neon_helper.c b/target/arm/neon_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/neon_helper.c
+++ b/target/arm/neon_helper.c
@@ -XXX,XX +XXX,XX @@ NEON_VOP(cge_u32, neon_u32, 1)
 #undef NEON_FN
 
 #define NEON_FN(dest, src1, src2) dest = (src1 < src2) ? src1 : src2
-NEON_VOP(min_s8, neon_s8, 4)
-NEON_VOP(min_u8, neon_u8, 4)
-NEON_VOP(min_s16, neon_s16, 2)
-NEON_VOP(min_u16, neon_u16, 2)
-NEON_VOP(min_s32, neon_s32, 1)
-NEON_VOP(min_u32, neon_u32, 1)
 NEON_POP(pmin_s8, neon_s8, 4)
 NEON_POP(pmin_u8, neon_u8, 4)
 NEON_POP(pmin_s16, neon_s16, 2)
@@ -XXX,XX +XXX,XX @@ NEON_POP(pmin_u16, neon_u16, 2)
 #undef NEON_FN
 
 #define NEON_FN(dest, src1, src2) dest = (src1 > src2) ? src1 : src2
-NEON_VOP(max_s8, neon_s8, 4)
-NEON_VOP(max_u8, neon_u8, 4)
-NEON_VOP(max_s16, neon_s16, 2)
-NEON_VOP(max_u16, neon_u16, 2)
-NEON_VOP(max_s32, neon_s32, 1)
-NEON_VOP(max_u32, neon_u32, 1)
 NEON_POP(pmax_s8, neon_s8, 4)
 NEON_POP(pmax_u8, neon_u8, 4)
 NEON_POP(pmax_s16, neon_s16, 2)
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The components of this register is stored in several
different locations.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190209033847.9014-7-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static int vfp_gdb_get_reg(CPUARMState *env, uint8_t *buf, int reg)
     }
     switch (reg - nregs) {
     case 0: stl_p(buf, env->vfp.xregs[ARM_VFP_FPSID]); return 4;
-    case 1: stl_p(buf, env->vfp.xregs[ARM_VFP_FPSCR]); return 4;
+    case 1: stl_p(buf, vfp_get_fpscr(env)); return 4;
     case 2: stl_p(buf, env->vfp.xregs[ARM_VFP_FPEXC]); return 4;
     }
     return 0;
@@ -XXX,XX +XXX,XX @@ static int vfp_gdb_set_reg(CPUARMState *env, uint8_t *buf, int reg)
     }
     switch (reg - nregs) {
     case 0: env->vfp.xregs[ARM_VFP_FPSID] = ldl_p(buf); return 4;
-    case 1: env->vfp.xregs[ARM_VFP_FPSCR] = ldl_p(buf); return 4;
+    case 1: vfp_set_fpscr(env, ldl_p(buf)); return 4;
     case 2: env->vfp.xregs[ARM_VFP_FPEXC] = ldl_p(buf) & (1 << 30); return 4;
     }
     return 0;
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Minimize the code within a macro by splitting out a helper function.
Use deposit32 instead of manual bit manipulation.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190209033847.9014-9-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 45 +++++++++++++++++++++++++++------------------
 1 file changed, 27 insertions(+), 18 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ float64 VFP_HELPER(sqrt, d)(float64 a, CPUARMState *env)
     return float64_sqrt(a, &env->vfp.fp_status);
 }
 
+static void softfloat_to_vfp_compare(CPUARMState *env, int cmp)
+{
+    uint32_t flags;
+    switch (cmp) {
+    case float_relation_equal:
+        flags = 0x6;
+        break;
+    case float_relation_less:
+        flags = 0x8;
+        break;
+    case float_relation_greater:
+        flags = 0x2;
+        break;
+    case float_relation_unordered:
+        flags = 0x3;
+        break;
+    default:
+        g_assert_not_reached();
+    }
+    env->vfp.xregs[ARM_VFP_FPSCR] =
+        deposit32(env->vfp.xregs[ARM_VFP_FPSCR], 28, 4, flags);
+}
+
 /* XXX: check quiet/signaling case */
 #define DO_VFP_cmp(p, type) \
 void VFP_HELPER(cmp, p)(type a, type b, CPUARMState *env)  \
 { \
-    uint32_t flags; \
-    switch(type ## _compare_quiet(a, b, &env->vfp.fp_status)) { \
-    case 0: flags = 0x6; break; \
-    case -1: flags = 0x8; break; \
-    case 1: flags = 0x2; break; \
-    default: case 2: flags = 0x3; break; \
-    } \
-    env->vfp.xregs[ARM_VFP_FPSCR] = (flags << 28) \
-        | (env->vfp.xregs[ARM_VFP_FPSCR] & 0x0fffffff); \
+    softfloat_to_vfp_compare(env, \
+        type ## _compare_quiet(a, b, &env->vfp.fp_status)); \
 } \
 void VFP_HELPER(cmpe, p)(type a, type b, CPUARMState *env) \
 { \
-    uint32_t flags; \
-    switch(type ## _compare(a, b, &env->vfp.fp_status)) { \
-    case 0: flags = 0x6; break; \
-    case -1: flags = 0x8; break; \
-    case 1: flags = 0x2; break; \
-    default: case 2: flags = 0x3; break; \
-    } \
-    env->vfp.xregs[ARM_VFP_FPSCR] = (flags << 28) \
-        | (env->vfp.xregs[ARM_VFP_FPSCR] & 0x0fffffff); \
+    softfloat_to_vfp_compare(env, \
+        type ## _compare(a, b, &env->vfp.fp_status)); \
 }
 DO_VFP_cmp(s, float32)
 DO_VFP_cmp(d, float64)
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Given that we mask bits properly on set, there is no reason
to mask them again on get.  We failed to clear the exception
status bits, 0x9f, which means that the wrong value would be
returned on get.  Except in the (probably normal) case in which
the set clears all of the bits.

Simplify the code in set to also clear the RES0 bits.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190209033847.9014-10-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(vfp_get_fpscr)(CPUARMState *env)
     int i;
     uint32_t fpscr;
 
-    fpscr = (env->vfp.xregs[ARM_VFP_FPSCR] & 0xffc8ffff)
+    fpscr = env->vfp.xregs[ARM_VFP_FPSCR]
             | (env->vfp.vec_len << 16)
             | (env->vfp.vec_stride << 20);
 
@@ -XXX,XX +XXX,XX @@ static inline int vfp_exceptbits_to_host(int target_bits)
 void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)
 {
     int i;
-    uint32_t changed;
+    uint32_t changed = env->vfp.xregs[ARM_VFP_FPSCR];
 
     /* When ARMv8.2-FP16 is not supported, FZ16 is RES0.  */
     if (!cpu_isar_feature(aa64_fp16, arm_env_get_cpu(env))) {
@@ -XXX,XX +XXX,XX @@ void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)
 
     /*
      * We don't implement trapped exception handling, so the
-     * trap enable bits are all RAZ/WI (not RES0!)
+     * trap enable bits, IDE|IXE|UFE|OFE|DZE|IOE are all RAZ/WI (not RES0!)
+     *
+     * If we exclude the exception flags, IOC|DZC|OFC|UFC|IXC|IDC
+     * (which are stored in fp_status), and the other RES0 bits
+     * in between, then we clear all of the low 16 bits.
      */
-    val &= ~(FPCR_IDE | FPCR_IXE | FPCR_UFE | FPCR_OFE | FPCR_DZE | FPCR_IOE);
-
-    changed = env->vfp.xregs[ARM_VFP_FPSCR];
-    env->vfp.xregs[ARM_VFP_FPSCR] = (val & 0xffc8ffff);
+    env->vfp.xregs[ARM_VFP_FPSCR] = val & 0xffc80000;
     env->vfp.vec_len = (val >> 16) & 7;
     env->vfp.vec_stride = (val >> 20) & 3;
 
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Change the representation of this field such that it is easy
to set from vector code.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190209033847.9014-11-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h         |  5 ++++-
 target/arm/helper.c      | 19 +++++++++++++++----
 target/arm/neon_helper.c |  2 +-
 target/arm/vec_helper.c  |  2 +-
 4 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
         ARMPredicateReg preg_tmp;
 #endif
 
-        uint32_t xregs[16];
         /* We store these fpcsr fields separately for convenience.  */
+        uint32_t qc[4] QEMU_ALIGNED(16);
         int vec_len;
         int vec_stride;
 
+        uint32_t xregs[16];
+
         /* Scratch space for aa32 neon expansion.  */
         uint32_t scratch[8];
 
@@ -XXX,XX +XXX,XX @@ void vfp_set_fpscr(CPUARMState *env, uint32_t val);
 #define FPCR_FZ16   (1 << 19)   /* ARMv8.2+, FP16 flush-to-zero */
 #define FPCR_FZ     (1 << 24)   /* Flush-to-zero enable bit */
 #define FPCR_DN     (1 << 25)   /* Default NaN enable bit */
+#define FPCR_QC     (1 << 27)   /* Cumulative saturation bit */
 
 static inline uint32_t vfp_get_fpsr(CPUARMState *env)
 {
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static inline int vfp_exceptbits_from_host(int host_bits)
 
 uint32_t HELPER(vfp_get_fpscr)(CPUARMState *env)
 {
-    int i;
-    uint32_t fpscr;
+    uint32_t i, fpscr;
 
     fpscr = env->vfp.xregs[ARM_VFP_FPSCR]
             | (env->vfp.vec_len << 16)
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(vfp_get_fpscr)(CPUARMState *env)
     /* FZ16 does not generate an input denormal exception.  */
     i |= (get_float_exception_flags(&env->vfp.fp_status_f16)
           & ~float_flag_input_denormal);
-
     fpscr |= vfp_exceptbits_from_host(i);
+
+    i = env->vfp.qc[0] | env->vfp.qc[1] | env->vfp.qc[2] | env->vfp.qc[3];
+    fpscr |= i ? FPCR_QC : 0;
+
     return fpscr;
 }
 
@@ -XXX,XX +XXX,XX @@ void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)
      * (which are stored in fp_status), and the other RES0 bits
      * in between, then we clear all of the low 16 bits.
      */
-    env->vfp.xregs[ARM_VFP_FPSCR] = val & 0xffc80000;
+    env->vfp.xregs[ARM_VFP_FPSCR] = val & 0xf7c80000;
     env->vfp.vec_len = (val >> 16) & 7;
     env->vfp.vec_stride = (val >> 20) & 3;
 
+    /*
+     * The bit we set within fpscr_q is arbitrary; the register as a
+     * whole being zero/non-zero is what counts.
+     */
+    env->vfp.qc[0] = val & FPCR_QC;
+    env->vfp.qc[1] = 0;
+    env->vfp.qc[2] = 0;
+    env->vfp.qc[3] = 0;
+
     changed ^= val;
     if (changed & (3 << 22)) {
         i = (val >> 22) & 3;
diff --git a/target/arm/neon_helper.c b/target/arm/neon_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/neon_helper.c
+++ b/target/arm/neon_helper.c
@@ -XXX,XX +XXX,XX @@
 #define SIGNBIT (uint32_t)0x80000000
 #define SIGNBIT64 ((uint64_t)1 << 63)
 
-#define SET_QC() env->vfp.xregs[ARM_VFP_FPSCR] |= CPSR_Q
+#define SET_QC() env->vfp.qc[0] = 1
 
 #define NEON_TYPE1(name, type) \
 typedef struct \
diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/vec_helper.c
+++ b/target/arm/vec_helper.c
@@ -XXX,XX +XXX,XX @@
 #define H4(x)  (x)
 #endif
 
-#define SET_QC() env->vfp.xregs[ARM_VFP_FPSCR] |= CPSR_Q
+#define SET_QC() env->vfp.qc[0] = 1
 
 static void clear_tail(void *vd, uintptr_t opr_sz, uintptr_t max_sz)
 {
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

For same-sign saturation, we have tcg vector operations.  We can
compute the QC bit by comparing the saturated value against the
unsaturated value.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190209033847.9014-12-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.h        |  33 +++++++
 target/arm/translate.h     |   4 +
 target/arm/translate-a64.c |  36 ++++----
 target/arm/translate.c     | 172 +++++++++++++++++++++++++++++++------
 target/arm/vec_helper.c    | 130 ++++++++++++++++++++++++++++
 5 files changed, 331 insertions(+), 44 deletions(-)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_6(gvec_fmla_idx_s, TCG_CALL_NO_RWG,
 DEF_HELPER_FLAGS_6(gvec_fmla_idx_d, TCG_CALL_NO_RWG,
                    void, ptr, ptr, ptr, ptr, ptr, i32)
 
+DEF_HELPER_FLAGS_5(gvec_uqadd_b, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_uqadd_h, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_uqadd_s, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_uqadd_d, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_sqadd_b, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_sqadd_h, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_sqadd_s, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_sqadd_d, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_uqsub_b, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_uqsub_h, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_uqsub_s, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_uqsub_d, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_sqsub_b, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_sqsub_h, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_sqsub_s, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_sqsub_d, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+
 #ifdef TARGET_AARCH64
 #include "helper-a64.h"
 #include "helper-sve.h"
diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ extern const GVecGen2i ssra_op[4];
 extern const GVecGen2i usra_op[4];
 extern const GVecGen2i sri_op[4];
 extern const GVecGen2i sli_op[4];
+extern const GVecGen4 uqadd_op[4];
+extern const GVecGen4 sqadd_op[4];
+extern const GVecGen4 uqsub_op[4];
+extern const GVecGen4 sqsub_op[4];
 void gen_cmtst_i64(TCGv_i64 d, TCGv_i64 a, TCGv_i64 b);
 
 /*
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
     }
 
     switch (opcode) {
+    case 0x01: /* SQADD, UQADD */
+        tcg_gen_gvec_4(vec_full_reg_offset(s, rd),
+                       offsetof(CPUARMState, vfp.qc),
+                       vec_full_reg_offset(s, rn),
+                       vec_full_reg_offset(s, rm),
+                       is_q ? 16 : 8, vec_full_reg_size(s),
+                       (u ? uqadd_op : sqadd_op) + size);
+        return;
+    case 0x05: /* SQSUB, UQSUB */
+        tcg_gen_gvec_4(vec_full_reg_offset(s, rd),
+                       offsetof(CPUARMState, vfp.qc),
+                       vec_full_reg_offset(s, rn),
+                       vec_full_reg_offset(s, rm),
+                       is_q ? 16 : 8, vec_full_reg_size(s),
+                       (u ? uqsub_op : sqsub_op) + size);
+        return;
     case 0x0c: /* SMAX, UMAX */
         if (u) {
             gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_umax, size);
@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
                 genfn = fns[size][u];
                 break;
             }
-            case 0x1: /* SQADD, UQADD */
-            {
-                static NeonGenTwoOpEnvFn * const fns[3][2] = {
-                    { gen_helper_neon_qadd_s8, gen_helper_neon_qadd_u8 },
-                    { gen_helper_neon_qadd_s16, gen_helper_neon_qadd_u16 },
-                    { gen_helper_neon_qadd_s32, gen_helper_neon_qadd_u32 },
-                };
-                genenvfn = fns[size][u];
-                break;
-            }
             case 0x2: /* SRHADD, URHADD */
             {
                 static NeonGenTwoOpFn * const fns[3][2] = {
@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
                 genfn = fns[size][u];
                 break;
             }
-            case 0x5: /* SQSUB, UQSUB */
-            {
-                static NeonGenTwoOpEnvFn * const fns[3][2] = {
-                    { gen_helper_neon_qsub_s8, gen_helper_neon_qsub_u8 },
-                    { gen_helper_neon_qsub_s16, gen_helper_neon_qsub_u16 },
-                    { gen_helper_neon_qsub_s32, gen_helper_neon_qsub_u32 },
-                };
-                genenvfn = fns[size][u];
-                break;
-            }
             case 0x8: /* SSHL, USHL */
             {
                 static NeonGenTwoOpFn * const fns[3][2] = {
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ const GVecGen3 cmtst_op[4] = {
       .vece = MO_64 },
 };
 
+static void gen_uqadd_vec(unsigned vece, TCGv_vec t, TCGv_vec sat,
+                          TCGv_vec a, TCGv_vec b)
+{
+    TCGv_vec x = tcg_temp_new_vec_matching(t);
+    tcg_gen_add_vec(vece, x, a, b);
+    tcg_gen_usadd_vec(vece, t, a, b);
+    tcg_gen_cmp_vec(TCG_COND_NE, vece, x, x, t);
+    tcg_gen_or_vec(vece, sat, sat, x);
+    tcg_temp_free_vec(x);
+}
+
+const GVecGen4 uqadd_op[4] = {
+    { .fniv = gen_uqadd_vec,
+      .fno = gen_helper_gvec_uqadd_b,
+      .opc = INDEX_op_usadd_vec,
+      .write_aofs = true,
+      .vece = MO_8 },
+    { .fniv = gen_uqadd_vec,
+      .fno = gen_helper_gvec_uqadd_h,
+      .opc = INDEX_op_usadd_vec,
+      .write_aofs = true,
+      .vece = MO_16 },
+    { .fniv = gen_uqadd_vec,
+      .fno = gen_helper_gvec_uqadd_s,
+      .opc = INDEX_op_usadd_vec,
+      .write_aofs = true,
+      .vece = MO_32 },
+    { .fniv = gen_uqadd_vec,
+      .fno = gen_helper_gvec_uqadd_d,
+      .opc = INDEX_op_usadd_vec,
+      .write_aofs = true,
+      .vece = MO_64 },
+};
+
+static void gen_sqadd_vec(unsigned vece, TCGv_vec t, TCGv_vec sat,
+                          TCGv_vec a, TCGv_vec b)
+{
+    TCGv_vec x = tcg_temp_new_vec_matching(t);
+    tcg_gen_add_vec(vece, x, a, b);
+    tcg_gen_ssadd_vec(vece, t, a, b);
+    tcg_gen_cmp_vec(TCG_COND_NE, vece, x, x, t);
+    tcg_gen_or_vec(vece, sat, sat, x);
+    tcg_temp_free_vec(x);
+}
+
+const GVecGen4 sqadd_op[4] = {
+    { .fniv = gen_sqadd_vec,
+      .fno = gen_helper_gvec_sqadd_b,
+      .opc = INDEX_op_ssadd_vec,
+      .write_aofs = true,
+      .vece = MO_8 },
+    { .fniv = gen_sqadd_vec,
+      .fno = gen_helper_gvec_sqadd_h,
+      .opc = INDEX_op_ssadd_vec,
+      .write_aofs = true,
+      .vece = MO_16 },
+    { .fniv = gen_sqadd_vec,
+      .fno = gen_helper_gvec_sqadd_s,
+      .opc = INDEX_op_ssadd_vec,
+      .write_aofs = true,
+      .vece = MO_32 },
+    { .fniv = gen_sqadd_vec,
+      .fno = gen_helper_gvec_sqadd_d,
+      .opc = INDEX_op_ssadd_vec,
+      .write_aofs = true,
+      .vece = MO_64 },
+};
+
+static void gen_uqsub_vec(unsigned vece, TCGv_vec t, TCGv_vec sat,
+                          TCGv_vec a, TCGv_vec b)
+{
+    TCGv_vec x = tcg_temp_new_vec_matching(t);
+    tcg_gen_sub_vec(vece, x, a, b);
+    tcg_gen_ussub_vec(vece, t, a, b);
+    tcg_gen_cmp_vec(TCG_COND_NE, vece, x, x, t);
+    tcg_gen_or_vec(vece, sat, sat, x);
+    tcg_temp_free_vec(x);
+}
+
+const GVecGen4 uqsub_op[4] = {
+    { .fniv = gen_uqsub_vec,
+      .fno = gen_helper_gvec_uqsub_b,
+      .opc = INDEX_op_ussub_vec,
+      .write_aofs = true,
+      .vece = MO_8 },
+    { .fniv = gen_uqsub_vec,
+      .fno = gen_helper_gvec_uqsub_h,
+      .opc = INDEX_op_ussub_vec,
+      .write_aofs = true,
+      .vece = MO_16 },
+    { .fniv = gen_uqsub_vec,
+      .fno = gen_helper_gvec_uqsub_s,
+      .opc = INDEX_op_ussub_vec,
+      .write_aofs = true,
+      .vece = MO_32 },
+    { .fniv = gen_uqsub_vec,
+      .fno = gen_helper_gvec_uqsub_d,
+      .opc = INDEX_op_ussub_vec,
+      .write_aofs = true,
+      .vece = MO_64 },
+};
+
+static void gen_sqsub_vec(unsigned vece, TCGv_vec t, TCGv_vec sat,
+                          TCGv_vec a, TCGv_vec b)
+{
+    TCGv_vec x = tcg_temp_new_vec_matching(t);
+    tcg_gen_sub_vec(vece, x, a, b);
+    tcg_gen_sssub_vec(vece, t, a, b);
+    tcg_gen_cmp_vec(TCG_COND_NE, vece, x, x, t);
+    tcg_gen_or_vec(vece, sat, sat, x);
+    tcg_temp_free_vec(x);
+}
+
+const GVecGen4 sqsub_op[4] = {
+    { .fniv = gen_sqsub_vec,
+      .fno = gen_helper_gvec_sqsub_b,
+      .opc = INDEX_op_sssub_vec,
+      .write_aofs = true,
+      .vece = MO_8 },
+    { .fniv = gen_sqsub_vec,
+      .fno = gen_helper_gvec_sqsub_h,
+      .opc = INDEX_op_sssub_vec,
+      .write_aofs = true,
+      .vece = MO_16 },
+    { .fniv = gen_sqsub_vec,
+      .fno = gen_helper_gvec_sqsub_s,
+      .opc = INDEX_op_sssub_vec,
+      .write_aofs = true,
+      .vece = MO_32 },
+    { .fniv = gen_sqsub_vec,
+      .fno = gen_helper_gvec_sqsub_d,
+      .opc = INDEX_op_sssub_vec,
+      .write_aofs = true,
+      .vece = MO_64 },
+};
+
 /* Translate a NEON data processing instruction.  Return nonzero if the
    instruction is invalid.
    We process data in a mixture of 32-bit and 64-bit chunks.
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
             }
             return 0;
 
+        case NEON_3R_VQADD:
+            tcg_gen_gvec_4(rd_ofs, offsetof(CPUARMState, vfp.qc),
+                           rn_ofs, rm_ofs, vec_size, vec_size,
+                           (u ? uqadd_op : sqadd_op) + size);
+            break;
+
+        case NEON_3R_VQSUB:
+            tcg_gen_gvec_4(rd_ofs, offsetof(CPUARMState, vfp.qc),
+                           rn_ofs, rm_ofs, vec_size, vec_size,
+                           (u ? uqsub_op : sqsub_op) + size);
+            break;
+
         case NEON_3R_VMUL: /* VMUL */
             if (u) {
                 /* Polynomial case allows only P8 and is handled below.  */
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                 neon_load_reg64(cpu_V0, rn + pass);
                 neon_load_reg64(cpu_V1, rm + pass);
                 switch (op) {
-                case NEON_3R_VQADD:
-                    if (u) {
-                        gen_helper_neon_qadd_u64(cpu_V0, cpu_env,
-                                                 cpu_V0, cpu_V1);
-                    } else {
-                        gen_helper_neon_qadd_s64(cpu_V0, cpu_env,
-                                                 cpu_V0, cpu_V1);
-                    }
-                    break;
-                case NEON_3R_VQSUB:
-                    if (u) {
-                        gen_helper_neon_qsub_u64(cpu_V0, cpu_env,
-                                                 cpu_V0, cpu_V1);
-                    } else {
-                        gen_helper_neon_qsub_s64(cpu_V0, cpu_env,
-                                                 cpu_V0, cpu_V1);
-                    }
-                    break;
                 case NEON_3R_VSHL:
                     if (u) {
                         gen_helper_neon_shl_u64(cpu_V0, cpu_V1, cpu_V0);
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
         case NEON_3R_VHADD:
             GEN_NEON_INTEGER_OP(hadd);
             break;
-        case NEON_3R_VQADD:
-            GEN_NEON_INTEGER_OP_ENV(qadd);
-            break;
         case NEON_3R_VRHADD:
             GEN_NEON_INTEGER_OP(rhadd);
             break;
         case NEON_3R_VHSUB:
             GEN_NEON_INTEGER_OP(hsub);
             break;
-        case NEON_3R_VQSUB:
-            GEN_NEON_INTEGER_OP_ENV(qsub);
-            break;
         case NEON_3R_VSHL:
             GEN_NEON_INTEGER_OP(shl);
             break;
diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/vec_helper.c
+++ b/target/arm/vec_helper.c
@@ -XXX,XX +XXX,XX @@ DO_FMLA_IDX(gvec_fmla_idx_s, float32, H4)
 DO_FMLA_IDX(gvec_fmla_idx_d, float64, )
 
 #undef DO_FMLA_IDX
+
+#define DO_SAT(NAME, WTYPE, TYPEN, TYPEM, OP, MIN, MAX) \
+void HELPER(NAME)(void *vd, void *vq, void *vn, void *vm, uint32_t desc)   \
+{                                                                          \
+    intptr_t i, oprsz = simd_oprsz(desc);                                  \
+    TYPEN *d = vd, *n = vn; TYPEM *m = vm;                                 \
+    bool q = false;                                                        \
+    for (i = 0; i < oprsz / sizeof(TYPEN); i++) {                          \
+        WTYPE dd = (WTYPE)n[i] OP m[i];                                    \
+        if (dd < MIN) {                                                    \
+            dd = MIN;                                                      \
+            q = true;                                                      \
+        } else if (dd > MAX) {                                             \
+            dd = MAX;                                                      \
+            q = true;                                                      \
+        }                                                                  \
+        d[i] = dd;                                                         \
+    }                                                                      \
+    if (q) {                                                               \
+        uint32_t *qc = vq;                                                 \
+        qc[0] = 1;                                                         \
+    }                                                                      \
+    clear_tail(d, oprsz, simd_maxsz(desc));                                \
+}
+
+DO_SAT(gvec_uqadd_b, int, uint8_t, uint8_t, +, 0, UINT8_MAX)
+DO_SAT(gvec_uqadd_h, int, uint16_t, uint16_t, +, 0, UINT16_MAX)
+DO_SAT(gvec_uqadd_s, int64_t, uint32_t, uint32_t, +, 0, UINT32_MAX)
+
+DO_SAT(gvec_sqadd_b, int, int8_t, int8_t, +, INT8_MIN, INT8_MAX)
+DO_SAT(gvec_sqadd_h, int, int16_t, int16_t, +, INT16_MIN, INT16_MAX)
+DO_SAT(gvec_sqadd_s, int64_t, int32_t, int32_t, +, INT32_MIN, INT32_MAX)
+
+DO_SAT(gvec_uqsub_b, int, uint8_t, uint8_t, -, 0, UINT8_MAX)
+DO_SAT(gvec_uqsub_h, int, uint16_t, uint16_t, -, 0, UINT16_MAX)
+DO_SAT(gvec_uqsub_s, int64_t, uint32_t, uint32_t, -, 0, UINT32_MAX)
+
+DO_SAT(gvec_sqsub_b, int, int8_t, int8_t, -, INT8_MIN, INT8_MAX)
+DO_SAT(gvec_sqsub_h, int, int16_t, int16_t, -, INT16_MIN, INT16_MAX)
+DO_SAT(gvec_sqsub_s, int64_t, int32_t, int32_t, -, INT32_MIN, INT32_MAX)
+
+#undef DO_SAT
+
+void HELPER(gvec_uqadd_d)(void *vd, void *vq, void *vn,
+                          void *vm, uint32_t desc)
+{
+    intptr_t i, oprsz = simd_oprsz(desc);
+    uint64_t *d = vd, *n = vn, *m = vm;
+    bool q = false;
+
+    for (i = 0; i < oprsz / 8; i++) {
+        uint64_t nn = n[i], mm = m[i], dd = nn + mm;
+        if (dd < nn) {
+            dd = UINT64_MAX;
+            q = true;
+        }
+        d[i] = dd;
+    }
+    if (q) {
+        uint32_t *qc = vq;
+        qc[0] = 1;
+    }
+    clear_tail(d, oprsz, simd_maxsz(desc));
+}
+
+void HELPER(gvec_uqsub_d)(void *vd, void *vq, void *vn,
+                          void *vm, uint32_t desc)
+{
+    intptr_t i, oprsz = simd_oprsz(desc);
+    uint64_t *d = vd, *n = vn, *m = vm;
+    bool q = false;
+
+    for (i = 0; i < oprsz / 8; i++) {
+        uint64_t nn = n[i], mm = m[i], dd = nn - mm;
+        if (nn < mm) {
+            dd = 0;
+            q = true;
+        }
+        d[i] = dd;
+    }
+    if (q) {
+        uint32_t *qc = vq;
+        qc[0] = 1;
+    }
+    clear_tail(d, oprsz, simd_maxsz(desc));
+}
+
+void HELPER(gvec_sqadd_d)(void *vd, void *vq, void *vn,
+                          void *vm, uint32_t desc)
+{
+    intptr_t i, oprsz = simd_oprsz(desc);
+    int64_t *d = vd, *n = vn, *m = vm;
+    bool q = false;
+
+    for (i = 0; i < oprsz / 8; i++) {
+        int64_t nn = n[i], mm = m[i], dd = nn + mm;
+        if (((dd ^ nn) & ~(nn ^ mm)) & INT64_MIN) {
+            dd = (nn >> 63) ^ ~INT64_MIN;
+            q = true;
+        }
+        d[i] = dd;
+    }
+    if (q) {
+        uint32_t *qc = vq;
+        qc[0] = 1;
+    }
+    clear_tail(d, oprsz, simd_maxsz(desc));
+}
+
+void HELPER(gvec_sqsub_d)(void *vd, void *vq, void *vn,
+                          void *vm, uint32_t desc)
+{
+    intptr_t i, oprsz = simd_oprsz(desc);
+    int64_t *d = vd, *n = vn, *m = vm;
+    bool q = false;
+
+    for (i = 0; i < oprsz / 8; i++) {
+        int64_t nn = n[i], mm = m[i], dd = nn - mm;
+        if (((dd ^ nn) & (nn ^ mm)) & INT64_MIN) {
+            dd = (nn >> 63) ^ ~INT64_MIN;
+            q = true;
+        }
+        d[i] = dd;
+    }
+    if (q) {
+        uint32_t *qc = vq;
+        qc[0] = 1;
+    }
+    clear_tail(d, oprsz, simd_maxsz(desc));
+}
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Fortunately, the functions affected are so far only called from SVE,
so there is no tail to be cleared.  But as we convert more of AdvSIMD
to gvec, this will matter.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190209033847.9014-13-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/vec_helper.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/vec_helper.c
+++ b/target/arm/vec_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(NAME)(void *vd, void *vn, void *stat, uint32_t desc)  \
     for (i = 0; i < oprsz / sizeof(TYPE); i++) {                  \
         d[i] = FUNC(n[i], stat);                                  \
     }                                                             \
+    clear_tail(d, oprsz, simd_maxsz(desc));                       \
 }
 
 DO_2OP(gvec_frecpe_h, helper_recpe_f16, float16)
@@ -XXX,XX +XXX,XX @@ void HELPER(NAME)(void *vd, void *vn, void *vm, void *stat, uint32_t desc) \
     for (i = 0; i < oprsz / sizeof(TYPE); i++) {                           \
         d[i] = FUNC(n[i], m[i], stat);                                     \
     }                                                                      \
+    clear_tail(d, oprsz, simd_maxsz(desc));                                \
 }
 
 DO_3OP(gvec_fadd_h, float16_add, float16)
-- 
2.20.1

From: Sandra Loosemore <sandra@codesourcery.com>

Per the GDB remote protocol documentation

https://sourceware.org/gdb/current/onlinedocs/gdb/Packets.html#index-vKill-packet

the debug stub is expected to send a reply to the 'vKill' packet.  At
least some versions of GDB crash if the gdb stub simply exits without
sending a reply.  This patch fixes QEMU's gdb stub to conform to the
expected behavior.

Note that QEMU's existing handling of the legacy 'k' packet is
correct: in that case GDB does not expect a reply, and QEMU does not
send one.

Signed-off-by: Sandra Loosemore <sandra@codesourcery.com>
Message-id: 1550008033-26540-1-git-send-email-sandra@codesourcery.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 gdbstub.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gdbstub.c b/gdbstub.c
index XXXXXXX..XXXXXXX 100644
--- a/gdbstub.c
+++ b/gdbstub.c
@@ -XXX,XX +XXX,XX @@ static int gdb_handle_packet(GDBState *s, const char *line_buf)
             break;
         } else if (strncmp(p, "Kill;", 5) == 0) {
             /* Kill the target */
+            put_packet(s, "OK");
             error_report("QEMU: Terminated via GDBstub");
             exit(0);
         } else {
-- 
2.20.1

Just a few minor bugfixes, but we might as well get them in
for rc0 tomorrow.

-- PMM

The following changes since commit 787f82407c5056a8b1097e39e53d01dd1abe406b:

Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20200323' into staging (2020-03-23 15:38:30 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200323

for you to fetch changes up to 550a04893c2bd4442211b353680b9a6408d94dba:

target/arm: Move computation of index in handle_simd_dupe (2020-03-23 17:22:30 +0000)

----------------------------------------------------------------
target-arm queue:
 * target/arm: avoid undefined behaviour shift in watchpoint code
 * target/arm: avoid undefined behaviour shift in handle_simd_dupe()
 * target/arm: add assert that immh != 0 in disas_simd_shift_imm()
 * aspeed/smc: Fix DMA support for AST2600
 * hw/arm/bcm283x: Correct the license text ('and' vs 'or')

----------------------------------------------------------------
Cédric Le Goater (1):
      aspeed/smc: Fix DMA support for AST2600

Philippe Mathieu-Daudé (1):
      hw/arm/bcm283x: Correct the license text

Richard Henderson (3):
      target/arm: Rearrange disabled check for watchpoints
      target/arm: Assert immh != 0 in disas_simd_shift_imm
      target/arm: Move computation of index in handle_simd_dupe

From: Philippe Mathieu-Daudé <philmd@redhat.com>

The license is the 'GNU General Public License v2.0 or later',
not 'and':

This program is free software; you can redistribute it and/ori
  modify it under the terms of the GNU General Public License as
  published by the Free Software Foundation; either version 2 of
  the License, or (at your option) any later version.

Fix the license comment.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200312213455.15854-1-philmd@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/bcm2835_peripherals.h | 3 ++-
 include/hw/arm/bcm2836.h             | 3 ++-
 include/hw/char/bcm2835_aux.h        | 3 ++-
 include/hw/display/bcm2835_fb.h      | 3 ++-
 include/hw/dma/bcm2835_dma.h         | 4 +++-
 include/hw/intc/bcm2835_ic.h         | 4 +++-
 include/hw/intc/bcm2836_control.h    | 3 ++-
 include/hw/misc/bcm2835_mbox.h       | 4 +++-
 include/hw/misc/bcm2835_mbox_defs.h  | 4 +++-
 include/hw/misc/bcm2835_property.h   | 4 +++-
 hw/arm/bcm2835_peripherals.c         | 3 ++-
 hw/arm/bcm2836.c                     | 3 ++-
 hw/arm/raspi.c                       | 3 ++-
 hw/display/bcm2835_fb.c              | 1 -
 hw/dma/bcm2835_dma.c                 | 4 +++-
 hw/intc/bcm2835_ic.c                 | 4 ++--
 hw/intc/bcm2836_control.c            | 4 +++-
 hw/misc/bcm2835_mbox.c               | 4 +++-
 hw/misc/bcm2835_property.c           | 4 +++-
 19 files changed, 45 insertions(+), 20 deletions(-)

diff --git a/include/hw/arm/bcm2835_peripherals.h b/include/hw/arm/bcm2835_peripherals.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/bcm2835_peripherals.h
+++ b/include/hw/arm/bcm2835_peripherals.h
@@ -XXX,XX +XXX,XX @@
  * Rasperry Pi 2 emulation and refactoring Copyright (c) 2015, Microsoft
  * Written by Andrew Baumann
  *
- * This code is licensed under the GNU GPLv2 and later.
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #ifndef BCM2835_PERIPHERALS_H
diff --git a/include/hw/arm/bcm2836.h b/include/hw/arm/bcm2836.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/bcm2836.h
+++ b/include/hw/arm/bcm2836.h
@@ -XXX,XX +XXX,XX @@
  * Rasperry Pi 2 emulation and refactoring Copyright (c) 2015, Microsoft
  * Written by Andrew Baumann
  *
- * This code is licensed under the GNU GPLv2 and later.
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #ifndef BCM2836_H
diff --git a/include/hw/char/bcm2835_aux.h b/include/hw/char/bcm2835_aux.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/char/bcm2835_aux.h
+++ b/include/hw/char/bcm2835_aux.h
@@ -XXX,XX +XXX,XX @@
  * Rasperry Pi 2 emulation and refactoring Copyright (c) 2015, Microsoft
  * Written by Andrew Baumann
  *
- * This code is licensed under the GNU GPLv2 and later.
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #ifndef BCM2835_AUX_H
diff --git a/include/hw/display/bcm2835_fb.h b/include/hw/display/bcm2835_fb.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/display/bcm2835_fb.h
+++ b/include/hw/display/bcm2835_fb.h
@@ -XXX,XX +XXX,XX @@
  * Rasperry Pi 2 emulation and refactoring Copyright (c) 2015, Microsoft
  * Written by Andrew Baumann
  *
- * This code is licensed under the GNU GPLv2 and later.
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #ifndef BCM2835_FB_H
diff --git a/include/hw/dma/bcm2835_dma.h b/include/hw/dma/bcm2835_dma.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/dma/bcm2835_dma.h
+++ b/include/hw/dma/bcm2835_dma.h
@@ -XXX,XX +XXX,XX @@
 /*
  * Raspberry Pi emulation (c) 2012 Gregory Estrade
- * This code is licensed under the GNU GPLv2 and later.
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #ifndef BCM2835_DMA_H
diff --git a/include/hw/intc/bcm2835_ic.h b/include/hw/intc/bcm2835_ic.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/intc/bcm2835_ic.h
+++ b/include/hw/intc/bcm2835_ic.h
@@ -XXX,XX +XXX,XX @@
 /*
  * Raspberry Pi emulation (c) 2012 Gregory Estrade
- * This code is licensed under the GNU GPLv2 and later.
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #ifndef BCM2835_IC_H
diff --git a/include/hw/intc/bcm2836_control.h b/include/hw/intc/bcm2836_control.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/intc/bcm2836_control.h
+++ b/include/hw/intc/bcm2836_control.h
@@ -XXX,XX +XXX,XX @@
  * ARM Local Timer IRQ Copyright (c) 2019. Zoltán Baldaszti
  * Added basic IRQ_TIMER interrupt support
  *
- * This code is licensed under the GNU GPLv2 and later.
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #ifndef BCM2836_CONTROL_H
diff --git a/include/hw/misc/bcm2835_mbox.h b/include/hw/misc/bcm2835_mbox.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/misc/bcm2835_mbox.h
+++ b/include/hw/misc/bcm2835_mbox.h
@@ -XXX,XX +XXX,XX @@
 /*
  * Raspberry Pi emulation (c) 2012 Gregory Estrade
- * This code is licensed under the GNU GPLv2 and later.
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #ifndef BCM2835_MBOX_H
diff --git a/include/hw/misc/bcm2835_mbox_defs.h b/include/hw/misc/bcm2835_mbox_defs.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/misc/bcm2835_mbox_defs.h
+++ b/include/hw/misc/bcm2835_mbox_defs.h
@@ -XXX,XX +XXX,XX @@
 /*
  * Raspberry Pi emulation (c) 2012 Gregory Estrade
- * This code is licensed under the GNU GPLv2 and later.
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #ifndef BCM2835_MBOX_DEFS_H
diff --git a/include/hw/misc/bcm2835_property.h b/include/hw/misc/bcm2835_property.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/misc/bcm2835_property.h
+++ b/include/hw/misc/bcm2835_property.h
@@ -XXX,XX +XXX,XX @@
 /*
  * Raspberry Pi emulation (c) 2012 Gregory Estrade
- * This code is licensed under the GNU GPLv2 and later.
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #ifndef BCM2835_PROPERTY_H
diff --git a/hw/arm/bcm2835_peripherals.c b/hw/arm/bcm2835_peripherals.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/bcm2835_peripherals.c
+++ b/hw/arm/bcm2835_peripherals.c
@@ -XXX,XX +XXX,XX @@
  * Rasperry Pi 2 emulation and refactoring Copyright (c) 2015, Microsoft
  * Written by Andrew Baumann
  *
- * This code is licensed under the GNU GPLv2 and later.
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #include "qemu/osdep.h"
diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/bcm2836.c
+++ b/hw/arm/bcm2836.c
@@ -XXX,XX +XXX,XX @@
  * Rasperry Pi 2 emulation and refactoring Copyright (c) 2015, Microsoft
  * Written by Andrew Baumann
  *
- * This code is licensed under the GNU GPLv2 and later.
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #include "qemu/osdep.h"
diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/raspi.c
+++ b/hw/arm/raspi.c
@@ -XXX,XX +XXX,XX @@
  * Raspberry Pi 3 emulation Copyright (c) 2018 Zoltán Baldaszti
  * Upstream code cleanup (c) 2018 Pekka Enberg
  *
- * This code is licensed under the GNU GPLv2 and later.
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #include "qemu/osdep.h"
diff --git a/hw/display/bcm2835_fb.c b/hw/display/bcm2835_fb.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/display/bcm2835_fb.c
+++ b/hw/display/bcm2835_fb.c
@@ -XXX,XX +XXX,XX @@
 /*
  * Raspberry Pi emulation (c) 2012 Gregory Estrade
  * Refactoring for Pi2 Copyright (c) 2015, Microsoft. Written by Andrew Baumann.
- * This code is licensed under the GNU GPLv2 and later.
  *
  * Heavily based on milkymist-vgafb.c, copyright terms below:
  *  QEMU model of the Milkymist VGA framebuffer.
diff --git a/hw/dma/bcm2835_dma.c b/hw/dma/bcm2835_dma.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/dma/bcm2835_dma.c
+++ b/hw/dma/bcm2835_dma.c
@@ -XXX,XX +XXX,XX @@
 /*
  * Raspberry Pi emulation (c) 2012 Gregory Estrade
- * This code is licensed under the GNU GPLv2 and later.
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #include "qemu/osdep.h"
diff --git a/hw/intc/bcm2835_ic.c b/hw/intc/bcm2835_ic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/bcm2835_ic.c
+++ b/hw/intc/bcm2835_ic.c
@@ -XXX,XX +XXX,XX @@
 /*
  * Raspberry Pi emulation (c) 2012 Gregory Estrade
  * Refactoring for Pi2 Copyright (c) 2015, Microsoft. Written by Andrew Baumann.
- * This code is licensed under the GNU GPLv2 and later.
  * Heavily based on pl190.c, copyright terms below:
  *
  * Arm PrimeCell PL190 Vector Interrupt Controller
@@ -XXX,XX +XXX,XX @@
  * Copyright (c) 2006 CodeSourcery.
  * Written by Paul Brook
  *
- * This code is licensed under the GPL.
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #include "qemu/osdep.h"
diff --git a/hw/intc/bcm2836_control.c b/hw/intc/bcm2836_control.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/bcm2836_control.c
+++ b/hw/intc/bcm2836_control.c
@@ -XXX,XX +XXX,XX @@
  * Written by Andrew Baumann
  *
  * Based on bcm2835_ic.c (Raspberry Pi emulation) (c) 2012 Gregory Estrade
- * This code is licensed under the GNU GPLv2 and later.
  *
  * At present, only implements interrupt routing, and mailboxes (i.e.,
  * not PMU interrupt, or AXI counters).
@@ -XXX,XX +XXX,XX @@
  *
  * Ref:
  * https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2836/QA7_rev3.4.pdf
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #include "qemu/osdep.h"
diff --git a/hw/misc/bcm2835_mbox.c b/hw/misc/bcm2835_mbox.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/bcm2835_mbox.c
+++ b/hw/misc/bcm2835_mbox.c
@@ -XXX,XX +XXX,XX @@
 /*
  * Raspberry Pi emulation (c) 2012 Gregory Estrade
- * This code is licensed under the GNU GPLv2 and later.
  *
  * This file models the system mailboxes, which are used for
  * communication with low-bandwidth GPU peripherals. Refs:
  *   https://github.com/raspberrypi/firmware/wiki/Mailboxes
  *   https://github.com/raspberrypi/firmware/wiki/Accessing-mailboxes
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #include "qemu/osdep.h"
diff --git a/hw/misc/bcm2835_property.c b/hw/misc/bcm2835_property.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/bcm2835_property.c
+++ b/hw/misc/bcm2835_property.c
@@ -XXX,XX +XXX,XX @@
 /*
  * Raspberry Pi emulation (c) 2012 Gregory Estrade
- * This code is licensed under the GNU GPLv2 and later.
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #include "qemu/osdep.h"
-- 
2.20.1

From: Cédric Le Goater <clg@kaod.org>

Recent firmwares uses SPI DMA transfers in U-Boot to load the
different images (kernel, initrd, dtb) in the SoC DRAM. The AST2600
FMC model is missing the masks to be applied on the DMA registers
which resulted in incorrect values. Fix that and wire the SPI
controllers which have DMA support on the AST2600.

Fixes: bcaa8ddd081c ("aspeed/smc: Add AST2600 support")
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Message-id: 20200320053923.20565-1-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/aspeed_ast2600.c |  6 ++++++
 hw/ssi/aspeed_smc.c     | 15 +++++++++++++--
 hw/ssi/trace-events     |  1 +
 3 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/hw/arm/aspeed_ast2600.c b/hw/arm/aspeed_ast2600.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed_ast2600.c
+++ b/hw/arm/aspeed_ast2600.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_ast2600_realize(DeviceState *dev, Error **errp)
 
     /* SPI */
     for (i = 0; i < sc->spis_num; i++) {
+        object_property_set_link(OBJECT(&s->spi[i]), OBJECT(s->dram_mr),
+                                 "dram", &err);
+        if (err) {
+            error_propagate(errp, err);
+            return;
+        }
         object_property_set_int(OBJECT(&s->spi[i]), 1, "num-cs", &err);
         object_property_set_bool(OBJECT(&s->spi[i]), true, "realized",
                                  &local_err);
diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/aspeed_smc.c
+++ b/hw/ssi/aspeed_smc.c
@@ -XXX,XX +XXX,XX @@ static const AspeedSMCController controllers[] = {
         .flash_window_base = ASPEED26_SOC_FMC_FLASH_BASE,
         .flash_window_size = 0x10000000,
         .has_dma           = true,
+        .dma_flash_mask    = 0x0FFFFFFC,
+        .dma_dram_mask     = 0x3FFFFFFC,
         .nregs             = ASPEED_SMC_R_MAX,
         .segment_to_reg    = aspeed_2600_smc_segment_to_reg,
         .reg_to_segment    = aspeed_2600_smc_reg_to_segment,
@@ -XXX,XX +XXX,XX @@ static const AspeedSMCController controllers[] = {
         .segments          = aspeed_segments_ast2600_spi1,
         .flash_window_base = ASPEED26_SOC_SPI_FLASH_BASE,
         .flash_window_size = 0x10000000,
-        .has_dma           = false,
+        .has_dma           = true,
+        .dma_flash_mask    = 0x0FFFFFFC,
+        .dma_dram_mask     = 0x3FFFFFFC,
         .nregs             = ASPEED_SMC_R_MAX,
         .segment_to_reg    = aspeed_2600_smc_segment_to_reg,
         .reg_to_segment    = aspeed_2600_smc_reg_to_segment,
@@ -XXX,XX +XXX,XX @@ static const AspeedSMCController controllers[] = {
         .segments          = aspeed_segments_ast2600_spi2,
         .flash_window_base = ASPEED26_SOC_SPI2_FLASH_BASE,
         .flash_window_size = 0x10000000,
-        .has_dma           = false,
+        .has_dma           = true,
+        .dma_flash_mask    = 0x0FFFFFFC,
+        .dma_dram_mask     = 0x3FFFFFFC,
         .nregs             = ASPEED_SMC_R_MAX,
         .segment_to_reg    = aspeed_2600_smc_segment_to_reg,
         .reg_to_segment    = aspeed_2600_smc_reg_to_segment,
@@ -XXX,XX +XXX,XX @@ static void aspeed_smc_dma_rw(AspeedSMCState *s)
     MemTxResult result;
     uint32_t data;
 
+    trace_aspeed_smc_dma_rw(s->regs[R_DMA_CTRL] & DMA_CTRL_WRITE ?
+                            "write" : "read",
+                            s->regs[R_DMA_FLASH_ADDR],
+                            s->regs[R_DMA_DRAM_ADDR],
+                            s->regs[R_DMA_LEN]);
     while (s->regs[R_DMA_LEN]) {
         if (s->regs[R_DMA_CTRL] & DMA_CTRL_WRITE) {
             data = address_space_ldl_le(&s->dram_as, s->regs[R_DMA_DRAM_ADDR],
diff --git a/hw/ssi/trace-events b/hw/ssi/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/trace-events
+++ b/hw/ssi/trace-events
@@ -XXX,XX +XXX,XX @@ aspeed_smc_do_snoop(int cs, int index, int dummies, int data) "CS%d index:0x%x d
 aspeed_smc_flash_write(int cs, uint64_t addr,  uint32_t size, uint64_t data, int mode) "CS%d @0x%" PRIx64 " size %u: 0x%" PRIx64" mode:%d"
 aspeed_smc_read(uint64_t addr,  uint32_t size, uint64_t data) "@0x%" PRIx64 " size %u: 0x%" PRIx64
 aspeed_smc_dma_checksum(uint32_t addr, uint32_t data) "0x%08x: 0x%08x"
+aspeed_smc_dma_rw(const char *dir, uint32_t flash_addr, uint32_t dram_addr, uint32_t size) "%s flash:@0x%08x dram:@0x%08x size:0x%08x"
 aspeed_smc_write(uint64_t addr,  uint32_t size, uint64_t data) "@0x%" PRIx64 " size %u: 0x%" PRIx64
 aspeed_smc_flash_select(int cs, const char *prefix) "CS%d %sselect"
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Coverity rightly notes that ctz32(bas) on 0 will return 32,
which makes the len calculation a BAD_SHIFT.

A value of 0 in DBGWCR<n>_EL1.BAS is reserved.  Simply move
the existing check we have for this case.

Reported-by: Coverity (CID 1421964)
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200320160622.8040-2-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void hw_watchpoint_update(ARMCPU *cpu, int n)
         int bas = extract64(wcr, 5, 8);
         int basstart;
 
-        if (bas == 0) {
-            /* This must act as if the watchpoint is disabled */
-            return;
-        }
-
         if (extract64(wvr, 2, 1)) {
             /* Deprecated case of an only 4-aligned address. BAS[7:4] are
              * ignored, and BAS[3:0] define which bytes to watch.
              */
             bas &= 0xf;
         }
+
+        if (bas == 0) {
+            /* This must act as if the watchpoint is disabled */
+            return;
+        }
+
         /* The BAS bits are supposed to be programmed to indicate a contiguous
          * range of bytes. Otherwise it is CONSTRAINED UNPREDICTABLE whether
          * we fire for each byte in the word/doubleword addressed by the WVR.
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Coverity raised a shed-load of errors cascading from inferring
that clz32(immh) might yield 32, from immh might be 0.

While immh cannot be 0 from encoding, it is not obvious even to
a human how we've checked that: via the filtering provided by
data_proc_simd[].

Reported-by: Coverity (CID 1421923, and more)
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200320160622.8040-3-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 3 +++
 1 file changed, 3 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

Coverity reports a BAD_SHIFT with ctz32(imm5), with imm5 == 0.
This is an invalid encoding, but we diagnose that just below
by rejecting size > 3.  Avoid the warning by sinking the
computation of index below the check.

Reported-by: Coverity (CID 1421965)
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200320160622.8040-4-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_simd_dupe(DisasContext *s, int is_q, int rd, int rn,
                              int imm5)
 {
     int size = ctz32(imm5);
-    int index = imm5 >> (size + 1);
+    int index;
 
     if (size > 3 || (size == 3 && !is_q)) {
         unallocated_encoding(s);
@@ -XXX,XX +XXX,XX @@ static void handle_simd_dupe(DisasContext *s, int is_q, int rd, int rn,
         return;
     }
 
+    index = imm5 >> (size + 1);
     tcg_gen_gvec_dup_mem(size, vec_full_reg_offset(s, rd),
                          vec_reg_offset(s, rn, index, size),
                          is_q ? 16 : 8, vec_full_reg_size(s));
-- 
2.20.1