Series comparison

-[Qemu-devel] [PULL 00/12] target-arm queue
+[PULL 00/29] target-arm queue
-Not very much here, but several people have fallen over
+Hi; this mostly contains the first slice of A64 decodetree
-the vector operation segfault bug, so let's get the fix
+patches, plus some other minor pieces. It also has the
-into master.
+enablement of MTE for KVM guests.
 thanks
 -- PMM
-The following changes since commit d418238dca7b4e0b124135827ead3076233052b1:
+The following changes since commit d27e7c359330ba7020bdbed7ed2316cb4cf6ffc1:
-  Merge remote-tracking branch 'remotes/rth/tags/pull-rng-20190522' into staging (2019-05-23 12:57:17 +0100)
+  qapi/parser: Drop two bad type hints for now (2023-05-17 10:18:33 -0700)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190523
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230518
-for you to fetch changes up to 98e4f4fdb8ea05d840f51f47125924c2bb9df2df:
+for you to fetch changes up to 91608e2a44f36e79cb83f863b8a7bb57d2c98061:
-  hw/arm/exynos4210: QOM'ify the Exynos4210 SoC (2019-05-23 14:47:44 +0100)
+  docs: Convert u2f.txt to rST (2023-05-18 11:40:32 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * exynos4210: QOM'ify the Exynos4210 SoC
+ * Fix vd == vm overlap in sve_ldff1_z
- * exynos4210: Add DMA support for the Exynos4210
+ * Add support for MTE with KVM guests
- * arm_gicv3: Fix writes to ICC_CTLR_EL3
+ * Add RAZ/WI handling for DBGDTR[TX|RX]
- * arm_gicv3: Fix write of ICH_VMCR_EL2.{VBPR0, VBPR1}
+ * Start of conversion of A64 decoder to decodetree
- * target/arm: Fix vector operation segfault
+ * Saturate L2CTLR_EL1 core count field rather than overflowing
- * target/arm: Minor improvements to BFXIL, EXTR
+ * vexpress: Avoid trivial memory leak of 'flashalias'
  * sbsa-ref: switch default cpu core to Neoverse-N1
  * sbsa-ref: use Bochs graphics card instead of VGA
  * MAINTAINERS: Add Marcin Juszkiewicz to sbsa-ref reviewer list
  * docs: Convert u2f.txt to rST
 ----------------------------------------------------------------
-Alistair Francis (1):
+Alex Bennée (1):
-      target/arm: Fix vector operation segfault
+      target/arm: add RAZ/WI handling for DBGDTR[TX|RX]
-Guenter Roeck (1):
+Cornelia Huck (1):
-      hw/arm/exynos4210: Add DMA support for the Exynos4210
+      arm/kvm: add support for MTE
-Peter Maydell (5):
+Marcin Juszkiewicz (3):
-      arm: Move system_clock_scale to armv7m_systick.h
+      sbsa-ref: switch default cpu core to Neoverse-N1
-      arm: Remove unnecessary includes of hw/arm/arm.h
+      Maintainers: add myself as reviewer for sbsa-ref
-      arm: Rename hw/arm/arm.h to hw/arm/boot.h
+      sbsa-ref: use Bochs graphics card instead of VGA
       hw/intc/arm_gicv3: Fix write of ICH_VMCR_EL2.{VBPR0, VBPR1}
       hw/intc/arm_gicv3: Fix writes to ICC_CTLR_EL3
-Philippe Mathieu-Daudé (3):
+Peter Maydell (14):
-      hw/arm/exynos4: Remove unuseful debug code
+      target/arm: Create decodetree skeleton for A64
-      hw/arm/exynos4: Use the IEC binary prefix definitions
+      target/arm: Pull calls to disas_sve() and disas_sme() out of legacy decoder
-      hw/arm/exynos4210: QOM'ify the Exynos4210 SoC
+      target/arm: Convert Extract instructions to decodetree
       target/arm: Convert unconditional branch immediate to decodetree
       target/arm: Convert CBZ, CBNZ to decodetree
       target/arm: Convert TBZ, TBNZ to decodetree
       target/arm: Convert conditional branch insns to decodetree
       target/arm: Convert BR, BLR, RET to decodetree
       target/arm: Convert BRA[AB]Z, BLR[AB]Z, RETA[AB] to decodetree
       target/arm: Convert BRAA, BRAB, BLRAA, BLRAB to decodetree
       target/arm: Convert ERET, ERETAA, ERETAB to decodetree
       target/arm: Saturate L2CTLR_EL1 core count field rather than overflowing
       hw/arm/vexpress: Avoid trivial memory leak of 'flashalias'
       docs: Convert u2f.txt to rST
-Richard Henderson (2):
+Richard Henderson (10):
-      target/arm: Use extract2 for EXTR
+      target/arm: Fix vd == vm overlap in sve_ldff1_z
-      target/arm: Simplify BFXIL expansion
+      target/arm: Split out disas_a64_legacy
       target/arm: Convert PC-rel addressing to decodetree
       target/arm: Split gen_add_CC and gen_sub_CC
       target/arm: Convert Add/subtract (immediate) to decodetree
       target/arm: Convert Add/subtract (immediate with tags) to decodetree
       target/arm: Replace bitmask64 with MAKE_64BIT_MASK
       target/arm: Convert Logical (immediate) to decodetree
       target/arm: Convert Move wide (immediate) to decodetree
       target/arm: Convert Bitfield to decodetree
- include/hw/arm/allwinner-a10.h    |  2 +-
+ MAINTAINERS                      |    1 +
- include/hw/arm/aspeed_soc.h       |  1 -
+ docs/system/device-emulation.rst |    1 +
- include/hw/arm/bcm2836.h          |  1 -
+ docs/system/devices/usb-u2f.rst  |   93 +++
- include/hw/arm/{arm.h => boot.h}  | 12 +++------
+ docs/system/devices/usb.rst      |    2 +-
- include/hw/arm/exynos4210.h       |  9 +++++--
+ docs/u2f.txt                     |  110 ----
- include/hw/arm/fsl-imx25.h        |  2 +-
+ target/arm/cpu.h                 |    4 +
- include/hw/arm/fsl-imx31.h        |  2 +-
+ target/arm/kvm_arm.h             |   19 +
- include/hw/arm/fsl-imx6.h         |  2 +-
+ target/arm/tcg/translate.h       |    5 +
- include/hw/arm/fsl-imx6ul.h       |  2 +-
+ target/arm/tcg/a64.decode        |  152 +++++
- include/hw/arm/fsl-imx7.h         |  2 +-
+ hw/arm/sbsa-ref.c                |    4 +-
- include/hw/arm/virt.h             |  2 +-
+ hw/arm/vexpress.c                |   40 +-
- include/hw/arm/xlnx-versal.h      |  2 +-
+ hw/arm/virt.c                    |   73 ++-
- include/hw/arm/xlnx-zynqmp.h      |  2 +-
+ target/arm/cortex-regs.c         |   11 +-
- include/hw/timer/armv7m_systick.h | 22 ++++++++++++++++
+ target/arm/cpu.c                 |    9 +-
- hw/arm/armsse.c                   |  2 +-
+ target/arm/debug_helper.c        |   11 +-
- hw/arm/armv7m.c                   |  2 +-
+ target/arm/kvm.c                 |   35 +
- hw/arm/aspeed.c                   |  2 +-
+ target/arm/kvm64.c               |    5 +
- hw/arm/boot.c                     |  2 +-
+ target/arm/tcg/sve_helper.c      |    6 +
- hw/arm/collie.c                   |  2 +-
+ target/arm/tcg/translate-a64.c   | 1321 ++++++++++++++++----------------------
- hw/arm/exynos4210.c               | 54 ++++++++++++++++++++++++++++++++++++---
+ target/arm/tcg/meson.build       |    1 +
- hw/arm/exynos4_boards.c           | 40 ++++++++---------------------
+files changed, 979 insertions(+), 924 deletions(-)
- hw/arm/highbank.c                 |  2 +-
+ create mode 100644 docs/system/devices/usb-u2f.rst
- hw/arm/integratorcp.c             |  2 +-
+ delete mode 100644 docs/u2f.txt
- hw/arm/mainstone.c                |  2 +-
+ create mode 100644 target/arm/tcg/a64.decode
  hw/arm/microbit.c                 |  2 +-
  hw/arm/mps2-tz.c                  |  2 +-
  hw/arm/mps2.c                     |  2 +-
  hw/arm/msf2-soc.c                 |  1 -
  hw/arm/msf2-som.c                 |  2 +-
  hw/arm/musca.c                    |  2 +-
  hw/arm/musicpal.c                 |  2 +-
  hw/arm/netduino2.c                |  2 +-
  hw/arm/nrf51_soc.c                |  2 +-
  hw/arm/nseries.c                  |  2 +-
  hw/arm/omap1.c                    |  2 +-
  hw/arm/omap2.c                    |  2 +-
  hw/arm/omap_sx1.c                 |  2 +-
  hw/arm/palm.c                     |  2 +-
  hw/arm/raspi.c                    |  2 +-
  hw/arm/realview.c                 |  2 +-
  hw/arm/spitz.c                    |  2 +-
  hw/arm/stellaris.c                |  2 +-
  hw/arm/stm32f205_soc.c            |  2 +-
  hw/arm/strongarm.c                |  2 +-
  hw/arm/tosa.c                     |  2 +-
  hw/arm/versatilepb.c              |  2 +-
  hw/arm/vexpress.c                 |  2 +-
  hw/arm/virt.c                     |  2 +-
  hw/arm/xilinx_zynq.c              |  2 +-
  hw/arm/xlnx-versal.c              |  2 +-
  hw/arm/z2.c                       |  2 +-
  hw/intc/arm_gicv3_cpuif.c         |  6 ++---
  hw/intc/armv7m_nvic.c             |  1 -
  target/arm/arm-semi.c             |  1 -
  target/arm/cpu.c                  |  1 -
  target/arm/cpu64.c                |  1 -
  target/arm/kvm.c                  |  1 -
  target/arm/kvm32.c                |  1 -
  target/arm/kvm64.c                |  1 -
  target/arm/translate-a64.c        | 44 ++++++++++++++++---------------
  target/arm/translate.c            |  4 +--
 files changed, 164 insertions(+), 123 deletions(-)
  rename include/hw/arm/{arm.h => boot.h} (96%)

-[Qemu-devel] [PULL 10/12] hw/arm/exynos4: Use the IEC binary prefix definitions
+[PULL 01/29] sbsa-ref: switch default cpu core to Neoverse-N1
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
-It eases code review, unit is explicit.
+The world outside moves to newer and newer cpu cores. Let move SBSA
 Reference Platform to something newer as well.
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
-Message-id: 20190520214342.13709-3-philmd@redhat.com
+Message-id: 20230506183417.1360427-1-marcin.juszkiewicz@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/exynos4_boards.c | 5 +++--
+ hw/arm/sbsa-ref.c | 2 +-
-file changed, 3 insertions(+), 2 deletions(-)
+file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
+diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/exynos4_boards.c
+--- a/hw/arm/sbsa-ref.c
-+++ b/hw/arm/exynos4_boards.c
++++ b/hw/arm/sbsa-ref.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_class_init(ObjectClass *oc, void *data)
-  */
+     mc->init = sbsa_ref_init;
- #include "qemu/osdep.h"
+     mc->desc = "QEMU 'SBSA Reference' ARM Virtual Machine";
-+#include "qemu/units.h"
+-    mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a57");
- #include "qapi/error.h"
++    mc->default_cpu_type = ARM_CPU_TYPE_NAME("neoverse-n1");
- #include "qemu/error-report.h"
+     mc->max_cpus = 512;
- #include "qemu-common.h"
+     mc->pci_allow_0_address = true;
-@@ -XXX,XX +XXX,XX @@ static int exynos4_board_smp_bootreg_addr[EXYNOS4_NUM_OF_BOARDS] = {
+     mc->minimum_page_bits = 12;
  };
  static unsigned long exynos4_board_ram_size[EXYNOS4_NUM_OF_BOARDS] = {
 -    [EXYNOS4_BOARD_NURI]     = 0x40000000,
 -    [EXYNOS4_BOARD_SMDKC210] = 0x40000000,
 +    [EXYNOS4_BOARD_NURI]     = 1 * GiB,
 +    [EXYNOS4_BOARD_SMDKC210] = 1 * GiB,
  };
  static struct arm_boot_info exynos4_board_binfo = {
 --
-.20.1
+.34.1

-New patch
+[PULL 02/29] target/arm: Fix vd == vm overlap in sve_ldff1_z
+From: Richard Henderson <richard.henderson@linaro.org>
+If vd == vm, copy vm to scratch, so that we can pre-zero
+the output and still access the gather indicies.
+Cc: qemu-stable@nongnu.org
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1612
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230504104232.1877774-1-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/tcg/sve_helper.c | 6 ++++++
+file changed, 6 insertions(+)
+diff --git a/target/arm/tcg/sve_helper.c b/target/arm/tcg/sve_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/sve_helper.c
++++ b/target/arm/tcg/sve_helper.c
+@@ -XXX,XX +XXX,XX @@ void sve_ldff1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
+     intptr_t reg_off;
+     SVEHostPage info;
+     target_ulong addr, in_page;
++    ARMVectorReg scratch;
+     /* Skip to the first true predicate.  */
+     reg_off = find_next_active(vg, 0, reg_max, esz);
+@@ -XXX,XX +XXX,XX @@ void sve_ldff1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
+         return;
+     }
++    /* Protect against overlap between vd and vm. */
++    if (unlikely(vd == vm)) {
++        vm = memcpy(&scratch, vm, reg_max);
++    }
++
+     /*
+      * Probe the first element, allowing faults.
+      */
+--
+.34.1

-[Qemu-devel] [PULL 09/12] hw/arm/exynos4: Remove unuseful debug code
+[PULL 03/29] Maintainers: add myself as reviewer for sbsa-ref
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+At Linaro I work on sbsa-ref, know direction it goes.
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Message-id: 20190520214342.13709-2-philmd@redhat.com
+May not get code details each time.
 Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Message-id: 20230515143753.365591-1-marcin.juszkiewicz@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/exynos4_boards.c | 24 ------------------------
+ MAINTAINERS | 1 +
-file changed, 24 deletions(-)
+file changed, 1 insertion(+)
-diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
+diff --git a/MAINTAINERS b/MAINTAINERS
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/exynos4_boards.c
+--- a/MAINTAINERS
-+++ b/hw/arm/exynos4_boards.c
++++ b/MAINTAINERS
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ SBSA-REF
- #include "hw/net/lan9118.h"
+ M: Radoslaw Biernacki <rad@semihalf.com>
- #include "hw/boards.h"
+ M: Peter Maydell <peter.maydell@linaro.org>
+ R: Leif Lindholm <quic_llindhol@quicinc.com>
--#undef DEBUG
++R: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
--
+ L: qemu-arm@nongnu.org
--//#define DEBUG
+ S: Maintained
--
+ F: hw/arm/sbsa-ref.c
 -#ifdef DEBUG
 -    #undef PRINT_DEBUG
 -    #define  PRINT_DEBUG(fmt, args...) \
 -        do { \
 -            fprintf(stderr, "  [%s:%d]   "fmt, __func__, __LINE__, ##args); \
 -        } while (0)
 -#else
 -    #define  PRINT_DEBUG(fmt, args...)  do {} while (0)
 -#endif
 -
  #define SMDK_LAN9118_BASE_ADDR      0x05000000
  typedef enum Exynos4BoardType {
@@ -XXX,XX +XXX,XX @@ exynos4_boards_init_common(MachineState *machine,
      exynos4_board_binfo.gic_cpu_if_addr =
              EXYNOS4210_SMP_PRIVATE_BASE_ADDR + 0x100;
 -    PRINT_DEBUG("\n ram_size: %luMiB [0x%08lx]\n"
 -            " kernel_filename: %s\n"
 -            " kernel_cmdline: %s\n"
 -            " initrd_filename: %s\n",
 -            exynos4_board_ram_size[board_type] / 1048576,
 -            exynos4_board_ram_size[board_type],
 -            machine->kernel_filename,
 -            machine->kernel_cmdline,
 -            machine->initrd_filename);
 -
      exynos4_boards_init_ram(s, get_system_memory(),
                              exynos4_board_ram_size[board_type]);
 --
-.20.1
+.34.1

-[Qemu-devel] [PULL 05/12] arm: Remove unnecessary includes of hw/arm/arm.h
+[PULL 04/29] arm/kvm: add support for MTE
-The hw/arm/arm.h header now only includes declarations relating
+From: Cornelia Huck <cohuck@redhat.com>
-to boot.c code, so it is only needed by Arm board or SoC code.
-Remove some unnecessary inclusions of it from target/arm files
+Extend the 'mte' property for the virt machine to cover KVM as
-and from hw/intc/armv7m_nvic.c.
+well. For KVM, we don't allocate tag memory, but instead enable the
+capability.
 If MTE has been enabled, we need to disable migration, as we do not
 yet have a way to migrate the tags as well. Therefore, MTE will stay
 off with KVM unless requested explicitly.
 Signed-off-by: Cornelia Huck <cohuck@redhat.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20230428095533.21747-2-cohuck@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190516163857.6430-3-peter.maydell@linaro.org
 ---
- hw/intc/armv7m_nvic.c | 1 -
+ target/arm/cpu.h     |  4 +++
- target/arm/arm-semi.c | 1 -
+ target/arm/kvm_arm.h | 19 ++++++++++++
- target/arm/cpu.c      | 1 -
+ hw/arm/virt.c        | 73 +++++++++++++++++++++++++-------------------
- target/arm/cpu64.c    | 1 -
+ target/arm/cpu.c     |  9 +++---
- target/arm/kvm.c      | 1 -
+ target/arm/kvm.c     | 35 +++++++++++++++++++++
- target/arm/kvm32.c    | 1 -
+ target/arm/kvm64.c   |  5 +++
- target/arm/kvm64.c    | 1 -
+files changed, 109 insertions(+), 36 deletions(-)
-files changed, 7 deletions(-)
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
+index XXXXXXX..XXXXXXX 100644
-index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu.h
---- a/hw/intc/armv7m_nvic.c
++++ b/target/arm/cpu.h
-+++ b/hw/intc/armv7m_nvic.c
+@@ -XXX,XX +XXX,XX @@ struct ArchCPU {
-@@ -XXX,XX +XXX,XX @@
+      */
- #include "cpu.h"
+     uint32_t psci_conduit;
- #include "hw/sysbus.h"
- #include "qemu/timer.h"
++    /* CPU has Memory Tag Extension */
--#include "hw/arm/arm.h"
++    bool has_mte;
- #include "hw/intc/armv7m_nvic.h"
++
- #include "target/arm/cpu.h"
+     /* For v8M, initial value of the Secure VTOR */
- #include "exec/exec-all.h"
+     uint32_t init_svtor;
-diff --git a/target/arm/arm-semi.c b/target/arm/arm-semi.c
+     /* For v8M, initial value of the Non-secure VTOR */
-index XXXXXXX..XXXXXXX 100644
+@@ -XXX,XX +XXX,XX @@ struct ArchCPU {
---- a/target/arm/arm-semi.c
+     bool prop_pauth;
-+++ b/target/arm/arm-semi.c
+     bool prop_pauth_impdef;
-@@ -XXX,XX +XXX,XX @@
+     bool prop_lpa2;
 +    OnOffAuto prop_mte;
      /* DCZ blocksize, in log_2(words), ie low 4 bits of DCZID_EL0 */
      uint32_t dcz_blocksize;
 diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm_arm.h
 +++ b/target/arm/kvm_arm.h
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_pmu_supported(void);
   */
  bool kvm_arm_sve_supported(void);
 +/**
 + * kvm_arm_mte_supported:
 + *
 + * Returns: true if KVM can enable MTE, and false otherwise.
 + */
 +bool kvm_arm_mte_supported(void);
 +
  /**
   * kvm_arm_get_max_vm_ipa_size:
   * @ms: Machine state handle
@@ -XXX,XX +XXX,XX @@ void kvm_arm_pvtime_init(CPUState *cs, uint64_t ipa);
  int kvm_arm_set_irq(int cpu, int irqtype, int irq, int level);
 +void kvm_arm_enable_mte(Object *cpuobj, Error **errp);
 +
  #else
- #include "qemu-common.h"
- #include "exec/gdbstub.h"
+ /*
--#include "hw/arm/arm.h"
+@@ -XXX,XX +XXX,XX @@ static inline bool kvm_arm_steal_time_supported(void)
- #include "qemu/cutils.h"
+     return false;
  }
 +static inline bool kvm_arm_mte_supported(void)
 +{
 +    return false;
 +}
 +
  /*
   * These functions should never actually be called without KVM support.
   */
@@ -XXX,XX +XXX,XX @@ static inline uint32_t kvm_arm_sve_get_vls(CPUState *cs)
      g_assert_not_reached();
  }
 +static inline void kvm_arm_enable_mte(Object *cpuobj, Error **errp)
 +{
 +    g_assert_not_reached();
 +}
 +
  #endif
+ static inline const char *gic_class_name(void)
+diff --git a/hw/arm/virt.c b/hw/arm/virt.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/virt.c
++++ b/hw/arm/virt.c
+@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
+         exit(1);
+     }
+-    if (vms->mte && (kvm_enabled() || hvf_enabled())) {
++    if (vms->mte && hvf_enabled()) {
+         error_report("mach-virt: %s does not support providing "
+                      "MTE to the guest CPU",
+                      current_accel_name());
+@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
+         }
+         if (vms->mte) {
+-            /* Create the memory region only once, but link to all cpus. */
+-            if (!tag_sysmem) {
+-                /*
+-                 * The property exists only if MemTag is supported.
+-                 * If it is, we must allocate the ram to back that up.
+-                 */
+-                if (!object_property_find(cpuobj, "tag-memory")) {
+-                    error_report("MTE requested, but not supported "
+-                                 "by the guest CPU");
++            if (tcg_enabled()) {
++                /* Create the memory region only once, but link to all cpus. */
++                if (!tag_sysmem) {
++                    /*
++                     * The property exists only if MemTag is supported.
++                     * If it is, we must allocate the ram to back that up.
++                     */
++                    if (!object_property_find(cpuobj, "tag-memory")) {
++                        error_report("MTE requested, but not supported "
++                                     "by the guest CPU");
++                        exit(1);
++                    }
++
++                    tag_sysmem = g_new(MemoryRegion, 1);
++                    memory_region_init(tag_sysmem, OBJECT(machine),
++                                       "tag-memory", UINT64_MAX / 32);
++
++                    if (vms->secure) {
++                        secure_tag_sysmem = g_new(MemoryRegion, 1);
++                        memory_region_init(secure_tag_sysmem, OBJECT(machine),
++                                           "secure-tag-memory",
++                                           UINT64_MAX / 32);
++
++                        /* As with ram, secure-tag takes precedence over tag. */
++                        memory_region_add_subregion_overlap(secure_tag_sysmem,
++                                                            0, tag_sysmem, -1);
++                    }
++                }
++
++                object_property_set_link(cpuobj, "tag-memory",
++                                         OBJECT(tag_sysmem), &error_abort);
++                if (vms->secure) {
++                    object_property_set_link(cpuobj, "secure-tag-memory",
++                                             OBJECT(secure_tag_sysmem),
++                                             &error_abort);
++                }
++            } else if (kvm_enabled()) {
++                if (!kvm_arm_mte_supported()) {
++                    error_report("MTE requested, but not supported by KVM");
+                     exit(1);
+                 }
+-
+-                tag_sysmem = g_new(MemoryRegion, 1);
+-                memory_region_init(tag_sysmem, OBJECT(machine),
+-                                   "tag-memory", UINT64_MAX / 32);
+-
+-                if (vms->secure) {
+-                    secure_tag_sysmem = g_new(MemoryRegion, 1);
+-                    memory_region_init(secure_tag_sysmem, OBJECT(machine),
+-                                       "secure-tag-memory", UINT64_MAX / 32);
+-
+-                    /* As with ram, secure-tag takes precedence over tag.  */
+-                    memory_region_add_subregion_overlap(secure_tag_sysmem, 0,
+-                                                        tag_sysmem, -1);
+-                }
+-            }
+-
+-            object_property_set_link(cpuobj, "tag-memory", OBJECT(tag_sysmem),
+-                                     &error_abort);
+-            if (vms->secure) {
+-                object_property_set_link(cpuobj, "secure-tag-memory",
+-                                         OBJECT(secure_tag_sysmem),
+-                                         &error_abort);
++                kvm_arm_enable_mte(cpuobj, &error_abort);
+             }
+         }
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ void arm_cpu_post_init(Object *obj)
- #if !defined(CONFIG_USER_ONLY)
+                                      qdev_prop_allow_set_link_before_realize,
- #include "hw/loader.h"
+                                      OBJ_PROP_LINK_STRONG);
          }
 +        cpu->has_mte = true;
      }
  #endif
--#include "hw/arm/arm.h"
+ }
- #include "sysemu/sysemu.h"
+@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
- #include "sysemu/hw_accel.h"
+         }
- #include "kvm_arm.h"
+         if (cpu->tag_memory) {
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
+             error_setg(errp,
-index XXXXXXX..XXXXXXX 100644
+-                       "Cannot enable %s when guest CPUs has MTE enabled",
---- a/target/arm/cpu64.c
++                       "Cannot enable %s when guest CPUs has tag memory enabled",
-+++ b/target/arm/cpu64.c
+                        current_accel_name());
-@@ -XXX,XX +XXX,XX @@
+             return;
- #if !defined(CONFIG_USER_ONLY)
+         }
- #include "hw/loader.h"
+@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
- #endif
+     }
--#include "hw/arm/arm.h"
- #include "sysemu/sysemu.h"
+ #ifndef CONFIG_USER_ONLY
- #include "sysemu/kvm.h"
+-    if (cpu->tag_memory == NULL && cpu_isar_feature(aa64_mte, cpu)) {
- #include "kvm_arm.h"
++    if (!cpu->has_mte && cpu_isar_feature(aa64_mte, cpu)) {
          /*
 -         * Disable the MTE feature bits if we do not have tag-memory
 -         * provided by the machine.
 +         * Disable the MTE feature bits if we do not have the feature
 +         * setup by the machine.
           */
          cpu->isar.id_aa64pfr1 =
              FIELD_DP64(cpu->isar.id_aa64pfr1, ID_AA64PFR1, MTE, 0);
 diff --git a/target/arm/kvm.c b/target/arm/kvm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm.c
 +++ b/target/arm/kvm.c
 @@ -XXX,XX +XXX,XX @@
- #include "cpu.h"
+ #include "hw/boards.h"
- #include "trace.h"
+ #include "hw/irq.h"
  #include "internals.h"
 -#include "hw/arm/arm.h"
  #include "hw/pci/pci.h"
  #include "exec/memattrs.h"
  #include "exec/address-spaces.h"
 diff --git a/target/arm/kvm32.c b/target/arm/kvm32.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm32.c
 +++ b/target/arm/kvm32.c
@@ -XXX,XX +XXX,XX @@
  #include "sysemu/kvm.h"
  #include "kvm_arm.h"
  #include "internals.h"
 -#include "hw/arm/arm.h"
  #include "qemu/log.h"
++#include "migration/blocker.h"
- static inline void set_feature(uint64_t *features, int feature)
  const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
      KVM_CAP_LAST_INFO
@@ -XXX,XX +XXX,XX @@ bool kvm_arch_cpu_check_are_resettable(void)
  void kvm_arch_accel_class_init(ObjectClass *oc)
  {
  }
 +
 +void kvm_arm_enable_mte(Object *cpuobj, Error **errp)
 +{
 +    static bool tried_to_enable;
 +    static bool succeeded_to_enable;
 +    Error *mte_migration_blocker = NULL;
 +    int ret;
 +
 +    if (!tried_to_enable) {
 +        /*
 +         * MTE on KVM is enabled on a per-VM basis (and retrying doesn't make
 +         * sense), and we only want a single migration blocker as well.
 +         */
 +        tried_to_enable = true;
 +
 +        ret = kvm_vm_enable_cap(kvm_state, KVM_CAP_ARM_MTE, 0);
 +        if (ret) {
 +            error_setg_errno(errp, -ret, "Failed to enable KVM_CAP_ARM_MTE");
 +            return;
 +        }
 +
 +        /* TODO: add proper migration support with MTE enabled */
 +        error_setg(&mte_migration_blocker,
 +                   "Live migration disabled due to MTE enabled");
 +        if (migrate_add_blocker(mte_migration_blocker, errp)) {
 +            error_free(mte_migration_blocker);
 +            return;
 +        }
 +        succeeded_to_enable = true;
 +    }
 +    if (succeeded_to_enable) {
 +        object_property_set_bool(cpuobj, "has_mte", true, NULL);
 +    }
 +}
 diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm64.c
 +++ b/target/arm/kvm64.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_steal_time_supported(void)
- #include "sysemu/kvm.h"
+     return kvm_check_extension(kvm_state, KVM_CAP_STEAL_TIME);
- #include "kvm_arm.h"
+ }
- #include "internals.h"
--#include "hw/arm/arm.h"
++bool kvm_arm_mte_supported(void)
++{
- static bool have_guest_debug;
++    return kvm_check_extension(kvm_state, KVM_CAP_ARM_MTE);
++}
 +
  QEMU_BUILD_BUG_ON(KVM_ARM64_SVE_VQ_MIN != 1);
  uint32_t kvm_arm_sve_get_vls(CPUState *cs)
 --
-.20.1
+.34.1

-[Qemu-devel] [PULL 03/12] target/arm: Fix vector operation segfault
+[PULL 05/29] target/arm: add RAZ/WI handling for DBGDTR[TX|RX]
-From: Alistair Francis <alistair.francis@wdc.com>
+From: Alex Bennée <alex.bennee@linaro.org>
-Commit 89e68b575 "target/arm: Use vector operations for saturation"
+The commit b3aa2f2128 (target/arm: provide stubs for more external
-causes this abort() when booting QEMU ARM with a Cortex-A15:
+debug registers) was added to handle HyperV's unconditional usage of
 Debug Communications Channel. It turns out that Linux will similarly
 break if you enable CONFIG_HVC_DCC "ARM JTAG DCC console".
-0x00007ffff4c2382f in raise () at /usr/lib/libc.so.6
+Extend the registers we RAZ/WI set to avoid this.
 0x00007ffff4c0e672 in abort () at /usr/lib/libc.so.6
 0x00005555559c1839 in disas_neon_data_insn (insn=<optimized out>, s=<optimized out>) at ./target/arm/translate.c:6673
 0x00005555559c1839 in disas_neon_data_insn (s=<optimized out>, insn=<optimized out>) at ./target/arm/translate.c:6386
 0x00005555559cd8a4 in disas_arm_insn (insn=4081107068, s=0x7fffe59a9510) at ./target/arm/translate.c:9289
 0x00005555559cd8a4 in arm_tr_translate_insn (dcbase=0x7fffe59a9510, cpu=<optimized out>) at ./target/arm/translate.c:13612
 0x00005555558d1d39 in translator_loop (ops=0x5555561cc580 <arm_translator_ops>, db=0x7fffe59a9510, cpu=0x55555686a2f0, tb=<optimized out>, max_insns=<optimized out>) at ./accel/tcg/translator.c:96
 0x00005555559d10d4 in gen_intermediate_code (cpu=cpu@entry=0x55555686a2f0, tb=tb@entry=0x7fffd7840080 <code_gen_buffer+126091347>, max_insns=max_insns@entry=512) at ./target/arm/translate.c:13901
 0x00005555558d06b9 in tb_gen_code (cpu=cpu@entry=0x55555686a2f0, pc=3067096216, cs_base=0, flags=192, cflags=-16252928, cflags@entry=524288) at ./accel/tcg/translate-all.c:1736
 0x00005555558ce467 in tb_find (cf_mask=524288, tb_exit=1, last_tb=0x7fffd783e640 <code_gen_buffer+126084627>, cpu=0x1) at ./accel/tcg/cpu-exec.c:407
 0x00005555558ce467 in cpu_exec (cpu=cpu@entry=0x55555686a2f0) at ./accel/tcg/cpu-exec.c:728
 0x000055555588b0cf in tcg_cpu_exec (cpu=0x55555686a2f0) at ./cpus.c:1431
 0x000055555588d223 in qemu_tcg_cpu_thread_fn (arg=0x55555686a2f0) at ./cpus.c:1735
 0x000055555588d223 in qemu_tcg_cpu_thread_fn (arg=arg@entry=0x55555686a2f0) at ./cpus.c:1709
 0x0000555555d2629a in qemu_thread_start (args=<optimized out>) at ./util/qemu-thread-posix.c:502
 0x00007ffff4db8a92 in start_thread () at /usr/lib/libpthread.
-This patch ensures that we don't hit the abort() in the second switch
+Cc: Anders Roxell <anders.roxell@linaro.org>
-case in disas_neon_data_insn() as we will return from the first case.
+Cc: Evgeny Iakovlev <eiakovlev@linux.microsoft.com>
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20230516104420.407912-1-alex.bennee@linaro.org
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Tested-by: Alex Bennée <alex.bennee@linaro.org>
 Message-id: ad91b397f360b2fc7f4087e476f7df5b04d42ddb.1558021877.git.alistair.francis@wdc.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate.c | 4 ++--
+ target/arm/debug_helper.c | 11 +++++++++--
-file changed, 2 insertions(+), 2 deletions(-)
+file changed, 9 insertions(+), 2 deletions(-)
-diff --git a/target/arm/translate.c b/target/arm/translate.c
+diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
+--- a/target/arm/debug_helper.c
-+++ b/target/arm/translate.c
++++ b/target/arm/debug_helper.c
-@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {
-             tcg_gen_gvec_4(rd_ofs, offsetof(CPUARMState, vfp.qc),
+       .access = PL0_R, .accessfn = access_tdcc,
-                            rn_ofs, rm_ofs, vec_size, vec_size,
+       .type = ARM_CP_CONST, .resetvalue = 0 },
-                            (u ? uqadd_op : sqadd_op) + size);
+     /*
--            break;
+-     * OSDTRRX_EL1/OSDTRTX_EL1 are used for save and restore of DBGDTRRX_EL0.
-+            return 0;
+-     * It is a component of the Debug Communications Channel, which is not implemented.
++     * These registers belong to the Debug Communications Channel,
-         case NEON_3R_VQSUB:
++     * which is not implemented. However we implement RAZ/WI behaviour
-             tcg_gen_gvec_4(rd_ofs, offsetof(CPUARMState, vfp.qc),
++     * with trapping to prevent spurious SIGILLs if the guest OS does
-                            rn_ofs, rm_ofs, vec_size, vec_size,
++     * access them as the support cannot be probed for.
-                            (u ? uqsub_op : sqsub_op) + size);
+      */
--            break;
+     { .name = "OSDTRRX_EL1", .state = ARM_CP_STATE_BOTH, .cp = 14,
-+            return 0;
+       .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 0, .opc2 = 2,
+@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {
-         case NEON_3R_VMUL: /* VMUL */
+       .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 2,
-             if (u) {
+       .access = PL1_RW, .accessfn = access_tdcc,
        .type = ARM_CP_CONST, .resetvalue = 0 },
 +    /* DBGDTRTX_EL0/DBGDTRRX_EL0 depend on direction */
 +    { .name = "DBGDTR_EL0", .state = ARM_CP_STATE_BOTH, .cp = 14,
 +      .opc0 = 2, .opc1 = 3, .crn = 0, .crm = 5, .opc2 = 0,
 +      .access = PL0_RW, .accessfn = access_tdcc,
 +      .type = ARM_CP_CONST, .resetvalue = 0 },
      /*
       * OSECCR_EL1 provides a mechanism for an operating system
       * to access the contents of EDECCR. EDECCR is not implemented though,
 --
-.20.1
+.34.1

-New patch
+[PULL 06/29] sbsa-ref: use Bochs graphics card instead of VGA
+From: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
+Bochs card is normal PCI Express card so it fits better in system with
+PCI Express bus. VGA is simple legacy PCI card.
+Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
+Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
+Message-id: 20230505120936.1097060-1-marcin.juszkiewicz@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/arm/sbsa-ref.c | 2 +-
+file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/sbsa-ref.c
++++ b/hw/arm/sbsa-ref.c
+@@ -XXX,XX +XXX,XX @@ static void create_pcie(SBSAMachineState *sms)
+         }
+     }
+-    pci_create_simple(pci->bus, -1, "VGA");
++    pci_create_simple(pci->bus, -1, "bochs-display");
+     create_smmu(sms, pci->bus);
+ }
+--
+.34.1

-New patch
+[PULL 07/29] target/arm: Split out disas_a64_legacy
+From: Richard Henderson <richard.henderson@linaro.org>
+Split out all of the decode stuff from aarch64_tr_translate_insn.
+Call it disas_a64_legacy to indicate it will be replaced.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20230512144106.3608981-2-peter.maydell@linaro.org
+[PMM: Rebased]
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/tcg/translate-a64.c | 82 ++++++++++++++++++----------------
+file changed, 44 insertions(+), 38 deletions(-)
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ static bool btype_destination_ok(uint32_t insn, bool bt, int btype)
+     return false;
+ }
++/* C3.1 A64 instruction index by encoding */
++static void disas_a64_legacy(DisasContext *s, uint32_t insn)
++{
++    switch (extract32(insn, 25, 4)) {
++    case 0x0:
++        if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
++            unallocated_encoding(s);
++        }
++        break;
++    case 0x1: case 0x3: /* UNALLOCATED */
++        unallocated_encoding(s);
++        break;
++    case 0x2:
++        if (!disas_sve(s, insn)) {
++            unallocated_encoding(s);
++        }
++        break;
++    case 0x8: case 0x9: /* Data processing - immediate */
++        disas_data_proc_imm(s, insn);
++        break;
++    case 0xa: case 0xb: /* Branch, exception generation and system insns */
++        disas_b_exc_sys(s, insn);
++        break;
++    case 0x4:
++    case 0x6:
++    case 0xc:
++    case 0xe:      /* Loads and stores */
++        disas_ldst(s, insn);
++        break;
++    case 0x5:
++    case 0xd:      /* Data processing - register */
++        disas_data_proc_reg(s, insn);
++        break;
++    case 0x7:
++    case 0xf:      /* Data processing - SIMD and floating point */
++        disas_data_proc_simd_fp(s, insn);
++        break;
++    default:
++        assert(FALSE); /* all 15 cases should be handled above */
++        break;
++    }
++}
++
+ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
+                                           CPUState *cpu)
+ {
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+         disas_sme_fa64(s, insn);
+     }
+-    switch (extract32(insn, 25, 4)) {
+-    case 0x0:
+-        if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
+-            unallocated_encoding(s);
+-        }
+-        break;
+-    case 0x1: case 0x3: /* UNALLOCATED */
+-        unallocated_encoding(s);
+-        break;
+-    case 0x2:
+-        if (!disas_sve(s, insn)) {
+-            unallocated_encoding(s);
+-        }
+-        break;
+-    case 0x8: case 0x9: /* Data processing - immediate */
+-        disas_data_proc_imm(s, insn);
+-        break;
+-    case 0xa: case 0xb: /* Branch, exception generation and system insns */
+-        disas_b_exc_sys(s, insn);
+-        break;
+-    case 0x4:
+-    case 0x6:
+-    case 0xc:
+-    case 0xe:      /* Loads and stores */
+-        disas_ldst(s, insn);
+-        break;
+-    case 0x5:
+-    case 0xd:      /* Data processing - register */
+-        disas_data_proc_reg(s, insn);
+-        break;
+-    case 0x7:
+-    case 0xf:      /* Data processing - SIMD and floating point */
+-        disas_data_proc_simd_fp(s, insn);
+-        break;
+-    default:
+-        assert(FALSE); /* all 15 cases should be handled above */
+-        break;
+-    }
++    disas_a64_legacy(s, insn);
+     /*
+      * After execution of most insns, btype is reset to 0.
+--
+.34.1

-New patch
+[PULL 08/29] target/arm: Create decodetree skeleton for A64
+The A64 translator uses a hand-written decoder for everything except
+SVE or SME.  It's fairly well structured, but it's becoming obvious
+that it's still more painful to add instructions to than the A32
+translator, because putting a new instruction into the right place in
+a hand-written decoder is much harder than adding new instruction
+patterns to a decodetree file.
+As the first step in conversion to decodetree, create the skeleton of
+the decodetree decoder; where it does not handle instructions we will
+fall back to the legacy decoder (which will be for everything at the
+moment, since there are no patterns in a64.decode).
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230512144106.3608981-3-peter.maydell@linaro.org
+---
+ target/arm/tcg/a64.decode      | 20 ++++++++++++++++++++
+ target/arm/tcg/translate-a64.c | 18 +++++++++++-------
+ target/arm/tcg/meson.build     |  1 +
+files changed, 32 insertions(+), 7 deletions(-)
+ create mode 100644 target/arm/tcg/a64.decode
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--- /dev/null
++++ b/target/arm/tcg/a64.decode
+@@ -XXX,XX +XXX,XX @@
++# AArch64 A64 allowed instruction decoding
++#
++#  Copyright (c) 2023 Linaro, Ltd
++#
++# This library is free software; you can redistribute it and/or
++# modify it under the terms of the GNU Lesser General Public
++# License as published by the Free Software Foundation; either
++# version 2.1 of the License, or (at your option) any later version.
++#
++# This library is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++# Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public
++# License along with this library; if not, see <http://www.gnu.org/licenses/>.
++
++#
++# This file is processed by scripts/decodetree.py
++#
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ enum a64_shift_type {
+     A64_SHIFT_TYPE_ROR = 3
+ };
++/*
++ * Include the generated decoders.
++ */
++
++#include "decode-sme-fa64.c.inc"
++#include "decode-a64.c.inc"
++
+ /* Table based decoder typedefs - used when the relevant bits for decode
+  * are too awkwardly scattered across the instruction (eg SIMD).
+  */
+@@ -XXX,XX +XXX,XX @@ static void disas_data_proc_simd_fp(DisasContext *s, uint32_t insn)
+     }
+ }
+-/*
+- * Include the generated SME FA64 decoder.
+- */
+-
+-#include "decode-sme-fa64.c.inc"
+-
+ static bool trans_OK(DisasContext *s, arg_OK *a)
+ {
+     return true;
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+         disas_sme_fa64(s, insn);
+     }
+-    disas_a64_legacy(s, insn);
++
++    if (!disas_a64(s, insn)) {
++        disas_a64_legacy(s, insn);
++    }
+     /*
+      * After execution of most insns, btype is reset to 0.
+diff --git a/target/arm/tcg/meson.build b/target/arm/tcg/meson.build
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/meson.build
++++ b/target/arm/tcg/meson.build
+@@ -XXX,XX +XXX,XX @@ gen = [
+   decodetree.process('a32-uncond.decode', extra_args: '--static-decode=disas_a32_uncond'),
+   decodetree.process('t32.decode', extra_args: '--static-decode=disas_t32'),
+   decodetree.process('t16.decode', extra_args: ['-w', '16', '--static-decode=disas_t16']),
++  decodetree.process('a64.decode', extra_args: ['--static-decode=disas_a64']),
+ ]
+ arm_ss.add(gen)
+--
+.34.1

-[Qemu-devel] [PULL 08/12] hw/intc/arm_gicv3: Fix writes to ICC_CTLR_EL3
+[PULL 09/29] target/arm: Pull calls to disas_sve() and disas_sme() out of legacy decoder
-The ICC_CTLR_EL3 register includes some bits which are aliases
+The SVE and SME decode is already done by decodetree.  Pull the calls
-of bits in the ICC_CTLR_EL1(S) and (NS) registers. QEMU chooses
+to these decoders out of the legacy decoder.  This doesn't change
-to keep those bits in the cs->icc_ctlr_el1[] struct fields.
+behaviour because all the patterns in sve.decode and sme.decode
-Unfortunately a missing '~' in the code to update the bits
+already require the bits that the legacy decoder is decoding to have
-in those fields meant that writing to ICC_CTLR_EL3 would corrupt
+the correct values.
 the ICC_CLTR_EL1 register values.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190520162809.2677-5-peter.maydell@linaro.org
+Message-id: 20230512144106.3608981-4-peter.maydell@linaro.org
 ---
- hw/intc/arm_gicv3_cpuif.c | 4 ++--
+ target/arm/tcg/translate-a64.c | 20 ++++----------------
-file changed, 2 insertions(+), 2 deletions(-)
+file changed, 4 insertions(+), 16 deletions(-)
-diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gicv3_cpuif.c
+--- a/target/arm/tcg/translate-a64.c
-+++ b/hw/intc/arm_gicv3_cpuif.c
++++ b/target/arm/tcg/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void icc_ctlr_el3_write(CPUARMState *env, const ARMCPRegInfo *ri,
+@@ -XXX,XX +XXX,XX @@ static bool btype_destination_ok(uint32_t insn, bool bt, int btype)
-     trace_gicv3_icc_ctlr_el3_write(gicv3_redist_affid(cs), value);
+ static void disas_a64_legacy(DisasContext *s, uint32_t insn)
+ {
-     /* *_EL1NS and *_EL1S bits are aliases into the ICC_CTLR_EL1 bits. */
+     switch (extract32(insn, 25, 4)) {
--    cs->icc_ctlr_el1[GICV3_NS] &= (ICC_CTLR_EL1_CBPR | ICC_CTLR_EL1_EOIMODE);
+-    case 0x0:
-+    cs->icc_ctlr_el1[GICV3_NS] &= ~(ICC_CTLR_EL1_CBPR | ICC_CTLR_EL1_EOIMODE);
+-        if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
-     if (value & ICC_CTLR_EL3_EOIMODE_EL1NS) {
+-            unallocated_encoding(s);
-         cs->icc_ctlr_el1[GICV3_NS] |= ICC_CTLR_EL1_EOIMODE;
+-        }
 -        break;
 -    case 0x1: case 0x3: /* UNALLOCATED */
 -        unallocated_encoding(s);
 -        break;
 -    case 0x2:
 -        if (!disas_sve(s, insn)) {
 -            unallocated_encoding(s);
 -        }
 -        break;
      case 0x8: case 0x9: /* Data processing - immediate */
          disas_data_proc_imm(s, insn);
          break;
@@ -XXX,XX +XXX,XX @@ static void disas_a64_legacy(DisasContext *s, uint32_t insn)
          disas_data_proc_simd_fp(s, insn);
          break;
      default:
 -        assert(FALSE); /* all 15 cases should be handled above */
 +        unallocated_encoding(s);
          break;
      }
-@@ -XXX,XX +XXX,XX @@ static void icc_ctlr_el3_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ }
-         cs->icc_ctlr_el1[GICV3_NS] |= ICC_CTLR_EL1_CBPR;
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          disas_sme_fa64(s, insn);
      }
--    cs->icc_ctlr_el1[GICV3_S] &= (ICC_CTLR_EL1_CBPR | ICC_CTLR_EL1_EOIMODE);
+-
-+    cs->icc_ctlr_el1[GICV3_S] &= ~(ICC_CTLR_EL1_CBPR | ICC_CTLR_EL1_EOIMODE);
+-    if (!disas_a64(s, insn)) {
-     if (value & ICC_CTLR_EL3_EOIMODE_EL1S) {
++    if (!disas_a64(s, insn) &&
-         cs->icc_ctlr_el1[GICV3_S] |= ICC_CTLR_EL1_EOIMODE;
++        !disas_sme(s, insn) &&
 +        !disas_sve(s, insn)) {
          disas_a64_legacy(s, insn);
      }
 --
-.20.1
+.34.1

-New patch
+[PULL 10/29] target/arm: Convert PC-rel addressing to decodetree
+From: Richard Henderson <richard.henderson@linaro.org>
+Convert the ADR and ADRP instructions.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20230512144106.3608981-5-peter.maydell@linaro.org
+[PMM: Rebased]
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/tcg/a64.decode      | 13 ++++++++++++
+ target/arm/tcg/translate-a64.c | 38 +++++++++++++---------------------
+files changed, 27 insertions(+), 24 deletions(-)
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/a64.decode
++++ b/target/arm/tcg/a64.decode
+@@ -XXX,XX +XXX,XX @@
+ #
+ # This file is processed by scripts/decodetree.py
+ #
++
++&ri              rd imm
++
++
++### Data Processing - Immediate
++
++# PC-rel addressing
++
++%imm_pcrel      5:s19 29:2
++@pcrel          . .. ..... ................... rd:5     &ri imm=%imm_pcrel
++
++ADR             0 .. 10000 ................... .....    @pcrel
++ADRP            1 .. 10000 ................... .....    @pcrel
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ static void disas_ldst(DisasContext *s, uint32_t insn)
+     }
+ }
+-/* PC-rel. addressing
+- *   31  30   29 28       24 23                5 4    0
+- * +----+-------+-----------+-------------------+------+
+- * | op | immlo | 1 0 0 0 0 |       immhi       |  Rd  |
+- * +----+-------+-----------+-------------------+------+
++/*
++ * PC-rel. addressing
+  */
+-static void disas_pc_rel_adr(DisasContext *s, uint32_t insn)
++
++static bool trans_ADR(DisasContext *s, arg_ri *a)
+ {
+-    unsigned int page, rd;
+-    int64_t offset;
++    gen_pc_plus_diff(s, cpu_reg(s, a->rd), a->imm);
++    return true;
++}
+-    page = extract32(insn, 31, 1);
+-    /* SignExtend(immhi:immlo) -> offset */
+-    offset = sextract64(insn, 5, 19);
+-    offset = offset << 2 | extract32(insn, 29, 2);
+-    rd = extract32(insn, 0, 5);
++static bool trans_ADRP(DisasContext *s, arg_ri *a)
++{
++    int64_t offset = (int64_t)a->imm << 12;
+-    if (page) {
+-        /* ADRP (page based) */
+-        offset <<= 12;
+-        /* The page offset is ok for CF_PCREL. */
+-        offset -= s->pc_curr & 0xfff;
+-    }
+-
+-    gen_pc_plus_diff(s, cpu_reg(s, rd), offset);
++    /* The page offset is ok for CF_PCREL. */
++    offset -= s->pc_curr & 0xfff;
++    gen_pc_plus_diff(s, cpu_reg(s, a->rd), offset);
++    return true;
+ }
+ /*
+@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
+ static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
+ {
+     switch (extract32(insn, 23, 6)) {
+-    case 0x20: case 0x21: /* PC-rel. addressing */
+-        disas_pc_rel_adr(s, insn);
+-        break;
+     case 0x22: /* Add/subtract (immediate) */
+         disas_add_sub_imm(s, insn);
+         break;
+--
+.34.1

-[Qemu-devel] [PULL 12/12] hw/arm/exynos4210: QOM'ify the Exynos4210 SoC
+[PULL 11/29] target/arm: Split gen_add_CC and gen_sub_CC
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Split out specific 32-bit and 64-bit functions.
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+These carry the same signature as tcg_gen_add_i64,
-Message-id: 20190520214342.13709-5-philmd@redhat.com
+and so will be easier to pass as callbacks.
 Retain gen_add_CC and gen_sub_CC during conversion.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Message-id: 20230512144106.3608981-6-peter.maydell@linaro.org
 [PMM: rebased]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/arm/exynos4210.h |  9 +++++++--
+ target/arm/tcg/translate-a64.c | 149 +++++++++++++++++++--------------
- hw/arm/exynos4210.c         | 28 ++++++++++++++++++++++++----
+file changed, 84 insertions(+), 65 deletions(-)
  hw/arm/exynos4_boards.c     |  9 ++++++---
 files changed, 37 insertions(+), 9 deletions(-)
-diff --git a/include/hw/arm/exynos4210.h b/include/hw/arm/exynos4210.h
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/exynos4210.h
+--- a/target/arm/tcg/translate-a64.c
-+++ b/include/hw/arm/exynos4210.h
++++ b/target/arm/tcg/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ typedef struct Exynos4210Irq {
+@@ -XXX,XX +XXX,XX @@ static inline void gen_logic_CC(int sf, TCGv_i64 result)
- } Exynos4210Irq;
+ }
- typedef struct Exynos4210State {
+ /* dest = T0 + T1; compute C, N, V and Z flags */
-+    /*< private >*/
++static void gen_add64_CC(TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
-+    SysBusDevice parent_obj;
++{
-+    /*< public >*/
++    TCGv_i64 result, flag, tmp;
-     ARMCPU *cpu[EXYNOS4210_NCPUS];
++    result = tcg_temp_new_i64();
-     Exynos4210Irq irqs;
++    flag = tcg_temp_new_i64();
-     qemu_irq *irq_table;
++    tmp = tcg_temp_new_i64();
@@ -XXX,XX +XXX,XX @@ typedef struct Exynos4210State {
      I2CBus *i2c_if[EXYNOS4210_I2C_NUMBER];
  } Exynos4210State;
 +#define TYPE_EXYNOS4210_SOC "exynos4210"
 +#define EXYNOS4210_SOC(obj) \
 +    OBJECT_CHECK(Exynos4210State, obj, TYPE_EXYNOS4210_SOC)
 +
- void exynos4210_write_secondary(ARMCPU *cpu,
++    tcg_gen_movi_i64(tmp, 0);
-         const struct arm_boot_info *info);
++    tcg_gen_add2_i64(result, flag, t0, tmp, t1, tmp);
 -Exynos4210State *exynos4210_init(MemoryRegion *system_mem);
 -
  /* Initialize exynos4210 IRQ subsystem stub */
  qemu_irq *exynos4210_init_irq(Exynos4210Irq *env);
 diff --git a/hw/arm/exynos4210.c b/hw/arm/exynos4210.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/exynos4210.c
 +++ b/hw/arm/exynos4210.c
@@ -XXX,XX +XXX,XX @@ static void pl330_create(uint32_t base, qemu_irq irq, int nreq)
      sysbus_connect_irq(busdev, 0, irq);
  }
 -Exynos4210State *exynos4210_init(MemoryRegion *system_mem)
 +static void exynos4210_realize(DeviceState *socdev, Error **errp)
  {
 -    Exynos4210State *s = g_new0(Exynos4210State, 1);
 +    Exynos4210State *s = EXYNOS4210_SOC(socdev);
 +    MemoryRegion *system_mem = get_system_memory();
      qemu_irq gate_irq[EXYNOS4210_NCPUS][EXYNOS4210_IRQ_GATE_NINPUTS];
      SysBusDevice *busdev;
      DeviceState *dev;
@@ -XXX,XX +XXX,XX @@ Exynos4210State *exynos4210_init(MemoryRegion *system_mem)
                   qemu_irq_invert(s->irq_table[exynos4210_get_irq(36, 1)]), 32);
      pl330_create(EXYNOS4210_PL330_BASE2_ADDR,
                   qemu_irq_invert(s->irq_table[exynos4210_get_irq(34, 1)]), 1);
 -
 -    return s;
  }
 +
-+static void exynos4210_class_init(ObjectClass *klass, void *data)
++    tcg_gen_extrl_i64_i32(cpu_CF, flag);
 +{
 +    DeviceClass *dc = DEVICE_CLASS(klass);
 +
-+    dc->realize = exynos4210_realize;
++    gen_set_NZ64(result);
 +
 +    tcg_gen_xor_i64(flag, result, t0);
 +    tcg_gen_xor_i64(tmp, t0, t1);
 +    tcg_gen_andc_i64(flag, flag, tmp);
 +    tcg_gen_extrh_i64_i32(cpu_VF, flag);
 +
 +    tcg_gen_mov_i64(dest, result);
 +}
 +
-+static const TypeInfo exynos4210_info = {
++static void gen_add32_CC(TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
-+    .name = TYPE_EXYNOS4210_SOC,
++{
-+    .parent = TYPE_SYS_BUS_DEVICE,
++    TCGv_i32 t0_32 = tcg_temp_new_i32();
-+    .instance_size = sizeof(Exynos4210State),
++    TCGv_i32 t1_32 = tcg_temp_new_i32();
-+    .class_init = exynos4210_class_init,
++    TCGv_i32 tmp = tcg_temp_new_i32();
 +};
 +
-+static void exynos4210_register_types(void)
++    tcg_gen_movi_i32(tmp, 0);
-+{
++    tcg_gen_extrl_i64_i32(t0_32, t0);
-+    type_register_static(&exynos4210_info);
++    tcg_gen_extrl_i64_i32(t1_32, t1);
 +    tcg_gen_add2_i32(cpu_NF, cpu_CF, t0_32, tmp, t1_32, tmp);
 +    tcg_gen_mov_i32(cpu_ZF, cpu_NF);
 +    tcg_gen_xor_i32(cpu_VF, cpu_NF, t0_32);
 +    tcg_gen_xor_i32(tmp, t0_32, t1_32);
 +    tcg_gen_andc_i32(cpu_VF, cpu_VF, tmp);
 +    tcg_gen_extu_i32_i64(dest, cpu_NF);
 +}
 +
-+type_init(exynos4210_register_types)
+ static void gen_add_CC(int sf, TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
-diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
+ {
-index XXXXXXX..XXXXXXX 100644
+     if (sf) {
---- a/hw/arm/exynos4_boards.c
+-        TCGv_i64 result, flag, tmp;
-+++ b/hw/arm/exynos4_boards.c
+-        result = tcg_temp_new_i64();
-@@ -XXX,XX +XXX,XX @@ typedef enum Exynos4BoardType {
+-        flag = tcg_temp_new_i64();
- } Exynos4BoardType;
+-        tmp = tcg_temp_new_i64();
+-
- typedef struct Exynos4BoardState {
+-        tcg_gen_movi_i64(tmp, 0);
--    Exynos4210State *soc;
+-        tcg_gen_add2_i64(result, flag, t0, tmp, t1, tmp);
-+    Exynos4210State soc;
+-
-     MemoryRegion dram0_mem;
+-        tcg_gen_extrl_i64_i32(cpu_CF, flag);
-     MemoryRegion dram1_mem;
+-
- } Exynos4BoardState;
+-        gen_set_NZ64(result);
-@@ -XXX,XX +XXX,XX @@ exynos4_boards_init_common(MachineState *machine,
+-
-     exynos4_boards_init_ram(s, get_system_memory(),
+-        tcg_gen_xor_i64(flag, result, t0);
-                             exynos4_board_ram_size[board_type]);
+-        tcg_gen_xor_i64(tmp, t0, t1);
+-        tcg_gen_andc_i64(flag, flag, tmp);
--    s->soc = exynos4210_init(get_system_memory());
+-        tcg_gen_extrh_i64_i32(cpu_VF, flag);
-+    object_initialize(&s->soc, sizeof(s->soc), TYPE_EXYNOS4210_SOC);
+-
-+    qdev_set_parent_bus(DEVICE(&s->soc), sysbus_get_default());
+-        tcg_gen_mov_i64(dest, result);
-+    object_property_set_bool(OBJECT(&s->soc), true, "realized",
++        gen_add64_CC(dest, t0, t1);
-+                             &error_fatal);
+     } else {
+-        /* 32 bit arithmetic */
-     return s;
+-        TCGv_i32 t0_32 = tcg_temp_new_i32();
 -        TCGv_i32 t1_32 = tcg_temp_new_i32();
 -        TCGv_i32 tmp = tcg_temp_new_i32();
 -
 -        tcg_gen_movi_i32(tmp, 0);
 -        tcg_gen_extrl_i64_i32(t0_32, t0);
 -        tcg_gen_extrl_i64_i32(t1_32, t1);
 -        tcg_gen_add2_i32(cpu_NF, cpu_CF, t0_32, tmp, t1_32, tmp);
 -        tcg_gen_mov_i32(cpu_ZF, cpu_NF);
 -        tcg_gen_xor_i32(cpu_VF, cpu_NF, t0_32);
 -        tcg_gen_xor_i32(tmp, t0_32, t1_32);
 -        tcg_gen_andc_i32(cpu_VF, cpu_VF, tmp);
 -        tcg_gen_extu_i32_i64(dest, cpu_NF);
 +        gen_add32_CC(dest, t0, t1);
      }
  }
-@@ -XXX,XX +XXX,XX @@ static void smdkc210_init(MachineState *machine)
-                                                       EXYNOS4_BOARD_SMDKC210);
+ /* dest = T0 - T1; compute C, N, V and Z flags */
++static void gen_sub64_CC(TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
-     lan9215_init(SMDK_LAN9118_BASE_ADDR,
++{
--            qemu_irq_invert(s->soc->irq_table[exynos4210_get_irq(37, 1)]));
++    /* 64 bit arithmetic */
-+            qemu_irq_invert(s->soc.irq_table[exynos4210_get_irq(37, 1)]));
++    TCGv_i64 result, flag, tmp;
-     arm_load_kernel(ARM_CPU(first_cpu), &exynos4_board_binfo);
++
 +    result = tcg_temp_new_i64();
 +    flag = tcg_temp_new_i64();
 +    tcg_gen_sub_i64(result, t0, t1);
 +
 +    gen_set_NZ64(result);
 +
 +    tcg_gen_setcond_i64(TCG_COND_GEU, flag, t0, t1);
 +    tcg_gen_extrl_i64_i32(cpu_CF, flag);
 +
 +    tcg_gen_xor_i64(flag, result, t0);
 +    tmp = tcg_temp_new_i64();
 +    tcg_gen_xor_i64(tmp, t0, t1);
 +    tcg_gen_and_i64(flag, flag, tmp);
 +    tcg_gen_extrh_i64_i32(cpu_VF, flag);
 +    tcg_gen_mov_i64(dest, result);
 +}
 +
 +static void gen_sub32_CC(TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
 +{
 +    /* 32 bit arithmetic */
 +    TCGv_i32 t0_32 = tcg_temp_new_i32();
 +    TCGv_i32 t1_32 = tcg_temp_new_i32();
 +    TCGv_i32 tmp;
 +
 +    tcg_gen_extrl_i64_i32(t0_32, t0);
 +    tcg_gen_extrl_i64_i32(t1_32, t1);
 +    tcg_gen_sub_i32(cpu_NF, t0_32, t1_32);
 +    tcg_gen_mov_i32(cpu_ZF, cpu_NF);
 +    tcg_gen_setcond_i32(TCG_COND_GEU, cpu_CF, t0_32, t1_32);
 +    tcg_gen_xor_i32(cpu_VF, cpu_NF, t0_32);
 +    tmp = tcg_temp_new_i32();
 +    tcg_gen_xor_i32(tmp, t0_32, t1_32);
 +    tcg_gen_and_i32(cpu_VF, cpu_VF, tmp);
 +    tcg_gen_extu_i32_i64(dest, cpu_NF);
 +}
 +
  static void gen_sub_CC(int sf, TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
  {
      if (sf) {
 -        /* 64 bit arithmetic */
 -        TCGv_i64 result, flag, tmp;
 -
 -        result = tcg_temp_new_i64();
 -        flag = tcg_temp_new_i64();
 -        tcg_gen_sub_i64(result, t0, t1);
 -
 -        gen_set_NZ64(result);
 -
 -        tcg_gen_setcond_i64(TCG_COND_GEU, flag, t0, t1);
 -        tcg_gen_extrl_i64_i32(cpu_CF, flag);
 -
 -        tcg_gen_xor_i64(flag, result, t0);
 -        tmp = tcg_temp_new_i64();
 -        tcg_gen_xor_i64(tmp, t0, t1);
 -        tcg_gen_and_i64(flag, flag, tmp);
 -        tcg_gen_extrh_i64_i32(cpu_VF, flag);
 -        tcg_gen_mov_i64(dest, result);
 +        gen_sub64_CC(dest, t0, t1);
      } else {
 -        /* 32 bit arithmetic */
 -        TCGv_i32 t0_32 = tcg_temp_new_i32();
 -        TCGv_i32 t1_32 = tcg_temp_new_i32();
 -        TCGv_i32 tmp;
 -
 -        tcg_gen_extrl_i64_i32(t0_32, t0);
 -        tcg_gen_extrl_i64_i32(t1_32, t1);
 -        tcg_gen_sub_i32(cpu_NF, t0_32, t1_32);
 -        tcg_gen_mov_i32(cpu_ZF, cpu_NF);
 -        tcg_gen_setcond_i32(TCG_COND_GEU, cpu_CF, t0_32, t1_32);
 -        tcg_gen_xor_i32(cpu_VF, cpu_NF, t0_32);
 -        tmp = tcg_temp_new_i32();
 -        tcg_gen_xor_i32(tmp, t0_32, t1_32);
 -        tcg_gen_and_i32(cpu_VF, cpu_VF, tmp);
 -        tcg_gen_extu_i32_i64(dest, cpu_NF);
 +        gen_sub32_CC(dest, t0, t1);
      }
  }
 --
-.20.1
+.34.1

-[Qemu-devel] [PULL 11/12] hw/arm/exynos4210: Add DMA support for the Exynos4210
+[PULL 12/29] target/arm: Convert Add/subtract (immediate) to decodetree
-From: Guenter Roeck <linux@roeck-us.net>
+From: Richard Henderson <richard.henderson@linaro.org>
-QEMU already supports pl330. Instantiate it for Exynos4210.
+Convert the ADD and SUB (immediate) instructions.
-Relevant part of Linux arch/arm/boot/dts/exynos4.dtsi:
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 / {
     soc: soc {
         amba {
             pdma0: pdma@12680000 {
                 compatible = "arm,pl330", "arm,primecell";
                 reg = <0x12680000 0x1000>;
                 interrupts = <GIC_SPI 35 IRQ_TYPE_LEVEL_HIGH>;
                 clocks = <&clock CLK_PDMA0>;
                 clock-names = "apb_pclk";
                 #dma-cells = <1>;
                 #dma-channels = <8>;
                 #dma-requests = <32>;
             };
             pdma1: pdma@12690000 {
                 compatible = "arm,pl330", "arm,primecell";
                 reg = <0x12690000 0x1000>;
                 interrupts = <GIC_SPI 36 IRQ_TYPE_LEVEL_HIGH>;
                 clocks = <&clock CLK_PDMA1>;
                 clock-names = "apb_pclk";
                 #dma-cells = <1>;
                 #dma-channels = <8>;
                 #dma-requests = <32>;
             };
             mdma1: mdma@12850000 {
                 compatible = "arm,pl330", "arm,primecell";
                 reg = <0x12850000 0x1000>;
                 interrupts = <GIC_SPI 34 IRQ_TYPE_LEVEL_HIGH>;
                 clocks = <&clock CLK_MDMA>;
                 clock-names = "apb_pclk";
                 #dma-cells = <1>;
                 #dma-channels = <8>;
                 #dma-requests = <1>;
             };
         };
     };
 };
 Signed-off-by: Guenter Roeck <linux@roeck-us.net>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20230512144106.3608981-7-peter.maydell@linaro.org
-Message-id: 20190520214342.13709-4-philmd@redhat.com
+[PMM: Rebased; adjusted to use translate.h's TRANS macro]
 [PMD: Do not set default qdev properties, create the controllers in the SoC
       rather than the board (Peter Maydell), add dtsi in commit message]
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/exynos4210.c | 26 ++++++++++++++++++++++++++
+ target/arm/tcg/translate.h     |  5 +++
-file changed, 26 insertions(+)
+ target/arm/tcg/a64.decode      | 17 ++++++++
  target/arm/tcg/translate-a64.c | 73 ++++++++++------------------------
 files changed, 42 insertions(+), 53 deletions(-)
-diff --git a/hw/arm/exynos4210.c b/hw/arm/exynos4210.c
+diff --git a/target/arm/tcg/translate.h b/target/arm/tcg/translate.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/exynos4210.c
+--- a/target/arm/tcg/translate.h
-+++ b/hw/arm/exynos4210.c
++++ b/target/arm/tcg/translate.h
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static inline int rsub_8(DisasContext *s, int x)
- /* EHCI */
+     return 8 - x;
  #define EXYNOS4210_EHCI_BASE_ADDR           0x12580000
 +/* DMA */
 +#define EXYNOS4210_PL330_BASE0_ADDR         0x12680000
 +#define EXYNOS4210_PL330_BASE1_ADDR         0x12690000
 +#define EXYNOS4210_PL330_BASE2_ADDR         0x12850000
 +
  static uint8_t chipid_and_omr[] = { 0x11, 0x02, 0x21, 0x43,
 x09, 0x00, 0x00, 0x00 };
@@ -XXX,XX +XXX,XX @@ static uint64_t exynos4210_calc_affinity(int cpu)
      return (0x9 << ARM_AFF1_SHIFT) | cpu;
  }
-+static void pl330_create(uint32_t base, qemu_irq irq, int nreq)
++static inline int shl_12(DisasContext *s, int x)
 +{
-+    SysBusDevice *busdev;
++    return x << 12;
 +    DeviceState *dev;
 +
 +    dev = qdev_create(NULL, "pl330");
 +    qdev_prop_set_uint8(dev, "num_periph_req",  nreq);
 +    qdev_init_nofail(dev);
 +    busdev = SYS_BUS_DEVICE(dev);
 +    sysbus_mmio_map(busdev, 0, base);
 +    sysbus_connect_irq(busdev, 0, irq);
 +}
 +
- Exynos4210State *exynos4210_init(MemoryRegion *system_mem)
+ static inline int neon_3same_fp_size(DisasContext *s, int x)
  {
-     Exynos4210State *s = g_new0(Exynos4210State, 1);
+     /* Convert 0==fp32, 1==fp16 into a MO_* value */
-@@ -XXX,XX +XXX,XX @@ Exynos4210State *exynos4210_init(MemoryRegion *system_mem)
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
-     sysbus_create_simple(TYPE_EXYNOS4210_EHCI, EXYNOS4210_EHCI_BASE_ADDR,
+index XXXXXXX..XXXXXXX 100644
-             s->irq_table[exynos4210_get_irq(28, 3)]);
+--- a/target/arm/tcg/a64.decode
++++ b/target/arm/tcg/a64.decode
-+    /*** DMA controllers ***/
+@@ -XXX,XX +XXX,XX @@
-+    pl330_create(EXYNOS4210_PL330_BASE0_ADDR,
+ #
-+                 qemu_irq_invert(s->irq_table[exynos4210_get_irq(35, 1)]), 32);
-+    pl330_create(EXYNOS4210_PL330_BASE1_ADDR,
+ &ri              rd imm
-+                 qemu_irq_invert(s->irq_table[exynos4210_get_irq(36, 1)]), 32);
++&rri_sf          rd rn imm sf
-+    pl330_create(EXYNOS4210_PL330_BASE2_ADDR,
-+                 qemu_irq_invert(s->irq_table[exynos4210_get_irq(34, 1)]), 1);
  ### Data Processing - Immediate
@@ -XXX,XX +XXX,XX @@
  ADR             0 .. 10000 ................... .....    @pcrel
  ADRP            1 .. 10000 ................... .....    @pcrel
 +
-     return s;
++# Add/subtract (immediate)
 +
 +%imm12_sh12     10:12 !function=shl_12
 +@addsub_imm     sf:1 .. ...... . imm:12 rn:5 rd:5
 +@addsub_imm12   sf:1 .. ...... . ............ rn:5 rd:5 imm=%imm12_sh12
 +
 +ADD_i           . 00 100010 0 ............ ..... .....  @addsub_imm
 +ADD_i           . 00 100010 1 ............ ..... .....  @addsub_imm12
 +ADDS_i          . 01 100010 0 ............ ..... .....  @addsub_imm
 +ADDS_i          . 01 100010 1 ............ ..... .....  @addsub_imm12
 +
 +SUB_i           . 10 100010 0 ............ ..... .....  @addsub_imm
 +SUB_i           . 10 100010 1 ............ ..... .....  @addsub_imm12
 +SUBS_i          . 11 100010 0 ............ ..... .....  @addsub_imm
 +SUBS_i          . 11 100010 1 ............ ..... .....  @addsub_imm12
 diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tcg/translate-a64.c
 +++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_ldst(DisasContext *s, uint32_t insn)
      }
  }
++typedef void ArithTwoOp(TCGv_i64, TCGv_i64, TCGv_i64);
++
++static bool gen_rri(DisasContext *s, arg_rri_sf *a,
++                    bool rd_sp, bool rn_sp, ArithTwoOp *fn)
++{
++    TCGv_i64 tcg_rn = rn_sp ? cpu_reg_sp(s, a->rn) : cpu_reg(s, a->rn);
++    TCGv_i64 tcg_rd = rd_sp ? cpu_reg_sp(s, a->rd) : cpu_reg(s, a->rd);
++    TCGv_i64 tcg_imm = tcg_constant_i64(a->imm);
++
++    fn(tcg_rd, tcg_rn, tcg_imm);
++    if (!a->sf) {
++        tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
++    }
++    return true;
++}
++
+ /*
+  * PC-rel. addressing
+  */
+@@ -XXX,XX +XXX,XX @@ static bool trans_ADRP(DisasContext *s, arg_ri *a)
+ /*
+  * Add/subtract (immediate)
+- *
+- *  31 30 29 28         23 22 21         10 9   5 4   0
+- * +--+--+--+-------------+--+-------------+-----+-----+
+- * |sf|op| S| 1 0 0 0 1 0 |sh|    imm12    |  Rn | Rd  |
+- * +--+--+--+-------------+--+-------------+-----+-----+
+- *
+- *    sf: 0 -> 32bit, 1 -> 64bit
+- *    op: 0 -> add  , 1 -> sub
+- *     S: 1 -> set flags
+- *    sh: 1 -> LSL imm by 12
+  */
+-static void disas_add_sub_imm(DisasContext *s, uint32_t insn)
+-{
+-    int rd = extract32(insn, 0, 5);
+-    int rn = extract32(insn, 5, 5);
+-    uint64_t imm = extract32(insn, 10, 12);
+-    bool shift = extract32(insn, 22, 1);
+-    bool setflags = extract32(insn, 29, 1);
+-    bool sub_op = extract32(insn, 30, 1);
+-    bool is_64bit = extract32(insn, 31, 1);
+-
+-    TCGv_i64 tcg_rn = cpu_reg_sp(s, rn);
+-    TCGv_i64 tcg_rd = setflags ? cpu_reg(s, rd) : cpu_reg_sp(s, rd);
+-    TCGv_i64 tcg_result;
+-
+-    if (shift) {
+-        imm <<= 12;
+-    }
+-
+-    tcg_result = tcg_temp_new_i64();
+-    if (!setflags) {
+-        if (sub_op) {
+-            tcg_gen_subi_i64(tcg_result, tcg_rn, imm);
+-        } else {
+-            tcg_gen_addi_i64(tcg_result, tcg_rn, imm);
+-        }
+-    } else {
+-        TCGv_i64 tcg_imm = tcg_constant_i64(imm);
+-        if (sub_op) {
+-            gen_sub_CC(is_64bit, tcg_result, tcg_rn, tcg_imm);
+-        } else {
+-            gen_add_CC(is_64bit, tcg_result, tcg_rn, tcg_imm);
+-        }
+-    }
+-
+-    if (is_64bit) {
+-        tcg_gen_mov_i64(tcg_rd, tcg_result);
+-    } else {
+-        tcg_gen_ext32u_i64(tcg_rd, tcg_result);
+-    }
+-}
++TRANS(ADD_i, gen_rri, a, 1, 1, tcg_gen_add_i64)
++TRANS(SUB_i, gen_rri, a, 1, 1, tcg_gen_sub_i64)
++TRANS(ADDS_i, gen_rri, a, 0, 1, a->sf ? gen_add64_CC : gen_add32_CC)
++TRANS(SUBS_i, gen_rri, a, 0, 1, a->sf ? gen_sub64_CC : gen_sub32_CC)
+ /*
+  * Add/subtract (immediate, with tags)
+@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
+ static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
+ {
+     switch (extract32(insn, 23, 6)) {
+-    case 0x22: /* Add/subtract (immediate) */
+-        disas_add_sub_imm(s, insn);
+-        break;
+     case 0x23: /* Add/subtract (immediate, with tags) */
+         disas_add_sub_imm_with_tags(s, insn);
+         break;
 --
-.20.1
+.34.1

-New patch
+[PULL 13/29] target/arm: Convert Add/subtract (immediate with tags) to decodetree
+From: Richard Henderson <richard.henderson@linaro.org>
+Convert the ADDG and SUBG (immediate) instructions.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20230512144106.3608981-8-peter.maydell@linaro.org
+[PMM: Rebased; use TRANS_FEAT()]
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/tcg/a64.decode      |  8 +++++++
+ target/arm/tcg/translate-a64.c | 38 ++++++++++------------------------
+files changed, 19 insertions(+), 27 deletions(-)
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/a64.decode
++++ b/target/arm/tcg/a64.decode
+@@ -XXX,XX +XXX,XX @@ SUB_i           . 10 100010 0 ............ ..... .....  @addsub_imm
+ SUB_i           . 10 100010 1 ............ ..... .....  @addsub_imm12
+ SUBS_i          . 11 100010 0 ............ ..... .....  @addsub_imm
+ SUBS_i          . 11 100010 1 ............ ..... .....  @addsub_imm12
++
++# Add/subtract (immediate with tags)
++
++&rri_tag        rd rn uimm6 uimm4
++@addsub_imm_tag . .. ...... . uimm6:6 .. uimm4:4 rn:5 rd:5 &rri_tag
++
++ADDG_i          1 00 100011 0 ...... 00 .... ..... ..... @addsub_imm_tag
++SUBG_i          1 10 100011 0 ...... 00 .... ..... ..... @addsub_imm_tag
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ TRANS(SUBS_i, gen_rri, a, 0, 1, a->sf ? gen_sub64_CC : gen_sub32_CC)
+ /*
+  * Add/subtract (immediate, with tags)
+- *
+- *  31 30 29 28         23 22 21     16 14      10 9   5 4   0
+- * +--+--+--+-------------+--+---------+--+-------+-----+-----+
+- * |sf|op| S| 1 0 0 0 1 1 |o2|  uimm6  |o3| uimm4 |  Rn | Rd  |
+- * +--+--+--+-------------+--+---------+--+-------+-----+-----+
+- *
+- *    op: 0 -> add, 1 -> sub
+  */
+-static void disas_add_sub_imm_with_tags(DisasContext *s, uint32_t insn)
++
++static bool gen_add_sub_imm_with_tags(DisasContext *s, arg_rri_tag *a,
++                                      bool sub_op)
+ {
+-    int rd = extract32(insn, 0, 5);
+-    int rn = extract32(insn, 5, 5);
+-    int uimm4 = extract32(insn, 10, 4);
+-    int uimm6 = extract32(insn, 16, 6);
+-    bool sub_op = extract32(insn, 30, 1);
+     TCGv_i64 tcg_rn, tcg_rd;
+     int imm;
+-    /* Test all of sf=1, S=0, o2=0, o3=0.  */
+-    if ((insn & 0xa040c000u) != 0x80000000u ||
+-        !dc_isar_feature(aa64_mte_insn_reg, s)) {
+-        unallocated_encoding(s);
+-        return;
+-    }
+-
+-    imm = uimm6 << LOG2_TAG_GRANULE;
++    imm = a->uimm6 << LOG2_TAG_GRANULE;
+     if (sub_op) {
+         imm = -imm;
+     }
+-    tcg_rn = cpu_reg_sp(s, rn);
+-    tcg_rd = cpu_reg_sp(s, rd);
++    tcg_rn = cpu_reg_sp(s, a->rn);
++    tcg_rd = cpu_reg_sp(s, a->rd);
+     if (s->ata) {
+         gen_helper_addsubg(tcg_rd, cpu_env, tcg_rn,
+                            tcg_constant_i32(imm),
+-                           tcg_constant_i32(uimm4));
++                           tcg_constant_i32(a->uimm4));
+     } else {
+         tcg_gen_addi_i64(tcg_rd, tcg_rn, imm);
+         gen_address_with_allocation_tag0(tcg_rd, tcg_rd);
+     }
++    return true;
+ }
++TRANS_FEAT(ADDG_i, aa64_mte_insn_reg, gen_add_sub_imm_with_tags, a, false)
++TRANS_FEAT(SUBG_i, aa64_mte_insn_reg, gen_add_sub_imm_with_tags, a, true)
++
+ /* The input should be a value in the bottom e bits (with higher
+  * bits zero); returns that value replicated into every element
+  * of size e in a 64 bit integer.
+@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
+ static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
+ {
+     switch (extract32(insn, 23, 6)) {
+-    case 0x23: /* Add/subtract (immediate, with tags) */
+-        disas_add_sub_imm_with_tags(s, insn);
+-        break;
+     case 0x24: /* Logical (immediate) */
+         disas_logic_imm(s, insn);
+         break;
+--
+.34.1

-New patch
+[PULL 14/29] target/arm: Replace bitmask64 with MAKE_64BIT_MASK
+From: Richard Henderson <richard.henderson@linaro.org>
+Use the bitops.h macro rather than rolling our own here.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20230512144106.3608981-9-peter.maydell@linaro.org
+---
+ target/arm/tcg/translate-a64.c | 11 ++---------
+file changed, 2 insertions(+), 9 deletions(-)
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ static uint64_t bitfield_replicate(uint64_t mask, unsigned int e)
+     return mask;
+ }
+-/* Return a value with the bottom len bits set (where 0 < len <= 64) */
+-static inline uint64_t bitmask64(unsigned int length)
+-{
+-    assert(length > 0 && length <= 64);
+-    return ~0ULL >> (64 - length);
+-}
+-
+ /* Simplified variant of pseudocode DecodeBitMasks() for the case where we
+  * only require the wmask. Returns false if the imms/immr/immn are a reserved
+  * value (ie should cause a guest UNDEF exception), and true if they are
+@@ -XXX,XX +XXX,XX @@ bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,
+     /* Create the value of one element: s+1 set bits rotated
+      * by r within the element (which is e bits wide)...
+      */
+-    mask = bitmask64(s + 1);
++    mask = MAKE_64BIT_MASK(0, s + 1);
+     if (r) {
+         mask = (mask >> r) | (mask << (e - r));
+-        mask &= bitmask64(e);
++        mask &= MAKE_64BIT_MASK(0, e);
+     }
+     /* ...then replicate the element over the whole 64 bit value */
+     mask = bitfield_replicate(mask, e);
+--
+.34.1

-New patch
+[PULL 15/29] target/arm: Convert Logical (immediate) to decodetree
+From: Richard Henderson <richard.henderson@linaro.org>
+Convert the ADD, ORR, EOR, ANDS (immediate) instructions.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20230512144106.3608981-10-peter.maydell@linaro.org
+[PMM: rebased]
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/tcg/a64.decode      | 15 ++++++
+ target/arm/tcg/translate-a64.c | 94 +++++++++++-----------------------
+files changed, 44 insertions(+), 65 deletions(-)
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/a64.decode
++++ b/target/arm/tcg/a64.decode
+@@ -XXX,XX +XXX,XX @@ SUBS_i          . 11 100010 1 ............ ..... .....  @addsub_imm12
+ ADDG_i          1 00 100011 0 ...... 00 .... ..... ..... @addsub_imm_tag
+ SUBG_i          1 10 100011 0 ...... 00 .... ..... ..... @addsub_imm_tag
++
++# Logical (immediate)
++
++&rri_log        rd rn sf dbm
++@logic_imm_64   1 .. ...... dbm:13 rn:5 rd:5            &rri_log sf=1
++@logic_imm_32   0 .. ...... 0 dbm:12 rn:5 rd:5          &rri_log sf=0
++
++AND_i           . 00 100100 . ...... ...... ..... ..... @logic_imm_64
++AND_i           . 00 100100 . ...... ...... ..... ..... @logic_imm_32
++ORR_i           . 01 100100 . ...... ...... ..... ..... @logic_imm_64
++ORR_i           . 01 100100 . ...... ...... ..... ..... @logic_imm_32
++EOR_i           . 10 100100 . ...... ...... ..... ..... @logic_imm_64
++EOR_i           . 10 100100 . ...... ...... ..... ..... @logic_imm_32
++ANDS_i          . 11 100100 . ...... ...... ..... ..... @logic_imm_64
++ANDS_i          . 11 100100 . ...... ...... ..... ..... @logic_imm_32
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ static uint64_t bitfield_replicate(uint64_t mask, unsigned int e)
+     return mask;
+ }
+-/* Simplified variant of pseudocode DecodeBitMasks() for the case where we
++/*
++ * Logical (immediate)
++ */
++
++/*
++ * Simplified variant of pseudocode DecodeBitMasks() for the case where we
+  * only require the wmask. Returns false if the imms/immr/immn are a reserved
+  * value (ie should cause a guest UNDEF exception), and true if they are
+  * valid, in which case the decoded bit pattern is written to result.
+@@ -XXX,XX +XXX,XX @@ bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,
+     return true;
+ }
+-/* Logical (immediate)
+- *   31  30 29 28         23 22  21  16 15  10 9    5 4    0
+- * +----+-----+-------------+---+------+------+------+------+
+- * | sf | opc | 1 0 0 1 0 0 | N | immr | imms |  Rn  |  Rd  |
+- * +----+-----+-------------+---+------+------+------+------+
+- */
+-static void disas_logic_imm(DisasContext *s, uint32_t insn)
++static bool gen_rri_log(DisasContext *s, arg_rri_log *a, bool set_cc,
++                        void (*fn)(TCGv_i64, TCGv_i64, int64_t))
+ {
+-    unsigned int sf, opc, is_n, immr, imms, rn, rd;
+     TCGv_i64 tcg_rd, tcg_rn;
+-    uint64_t wmask;
+-    bool is_and = false;
++    uint64_t imm;
+-    sf = extract32(insn, 31, 1);
+-    opc = extract32(insn, 29, 2);
+-    is_n = extract32(insn, 22, 1);
+-    immr = extract32(insn, 16, 6);
+-    imms = extract32(insn, 10, 6);
+-    rn = extract32(insn, 5, 5);
+-    rd = extract32(insn, 0, 5);
+-
+-    if (!sf && is_n) {
+-        unallocated_encoding(s);
+-        return;
++    /* Some immediate field values are reserved. */
++    if (!logic_imm_decode_wmask(&imm, extract32(a->dbm, 12, 1),
++                                extract32(a->dbm, 0, 6),
++                                extract32(a->dbm, 6, 6))) {
++        return false;
++    }
++    if (!a->sf) {
++        imm &= 0xffffffffull;
+     }
+-    if (opc == 0x3) { /* ANDS */
+-        tcg_rd = cpu_reg(s, rd);
+-    } else {
+-        tcg_rd = cpu_reg_sp(s, rd);
+-    }
+-    tcg_rn = cpu_reg(s, rn);
++    tcg_rd = set_cc ? cpu_reg(s, a->rd) : cpu_reg_sp(s, a->rd);
++    tcg_rn = cpu_reg(s, a->rn);
+-    if (!logic_imm_decode_wmask(&wmask, is_n, imms, immr)) {
+-        /* some immediate field values are reserved */
+-        unallocated_encoding(s);
+-        return;
++    fn(tcg_rd, tcg_rn, imm);
++    if (set_cc) {
++        gen_logic_CC(a->sf, tcg_rd);
+     }
+-
+-    if (!sf) {
+-        wmask &= 0xffffffff;
+-    }
+-
+-    switch (opc) {
+-    case 0x3: /* ANDS */
+-    case 0x0: /* AND */
+-        tcg_gen_andi_i64(tcg_rd, tcg_rn, wmask);
+-        is_and = true;
+-        break;
+-    case 0x1: /* ORR */
+-        tcg_gen_ori_i64(tcg_rd, tcg_rn, wmask);
+-        break;
+-    case 0x2: /* EOR */
+-        tcg_gen_xori_i64(tcg_rd, tcg_rn, wmask);
+-        break;
+-    default:
+-        assert(FALSE); /* must handle all above */
+-        break;
+-    }
+-
+-    if (!sf && !is_and) {
+-        /* zero extend final result; we know we can skip this for AND
+-         * since the immediate had the high 32 bits clear.
+-         */
++    if (!a->sf) {
+         tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
+     }
+-
+-    if (opc == 3) { /* ANDS */
+-        gen_logic_CC(sf, tcg_rd);
+-    }
++    return true;
+ }
++TRANS(AND_i, gen_rri_log, a, false, tcg_gen_andi_i64)
++TRANS(ORR_i, gen_rri_log, a, false, tcg_gen_ori_i64)
++TRANS(EOR_i, gen_rri_log, a, false, tcg_gen_xori_i64)
++TRANS(ANDS_i, gen_rri_log, a, true, tcg_gen_andi_i64)
++
+ /*
+  * Move wide (immediate)
+  *
+@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
+ static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
+ {
+     switch (extract32(insn, 23, 6)) {
+-    case 0x24: /* Logical (immediate) */
+-        disas_logic_imm(s, insn);
+-        break;
+     case 0x25: /* Move wide (immediate) */
+         disas_movw_imm(s, insn);
+         break;
+--
+.34.1

-[Qemu-devel] [PULL 01/12] target/arm: Use extract2 for EXTR
+[PULL 16/29] target/arm: Convert Move wide (immediate) to decodetree
 From: Richard Henderson <richard.henderson@linaro.org>
-This is, after all, how we implement extract2 in tcg/aarch64.
+Convert the MON, MOVZ, MOVK instructions.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230512144106.3608981-11-peter.maydell@linaro.org
-Message-id: 20190514011129.11330-2-richard.henderson@linaro.org
+[PMM: Rebased]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.c | 38 ++++++++++++++++++++------------------
+ target/arm/tcg/a64.decode      | 13 ++++++
-file changed, 20 insertions(+), 18 deletions(-)
+ target/arm/tcg/translate-a64.c | 73 ++++++++++++++--------------------
 files changed, 42 insertions(+), 44 deletions(-)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
+--- a/target/arm/tcg/a64.decode
-+++ b/target/arm/translate-a64.c
++++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ EOR_i           . 10 100100 . ...... ...... ..... ..... @logic_imm_64
  EOR_i           . 10 100100 . ...... ...... ..... ..... @logic_imm_32
  ANDS_i          . 11 100100 . ...... ...... ..... ..... @logic_imm_64
  ANDS_i          . 11 100100 . ...... ...... ..... ..... @logic_imm_32
 +
 +# Move wide (immediate)
 +
 +&movw           rd sf imm hw
 +@movw_64        1 .. ...... hw:2   imm:16 rd:5          &movw sf=1
 +@movw_32        0 .. ...... 0 hw:1 imm:16 rd:5          &movw sf=0
 +
 +MOVN            . 00 100101 .. ................ .....   @movw_64
 +MOVN            . 00 100101 .. ................ .....   @movw_32
 +MOVZ            . 10 100101 .. ................ .....   @movw_64
 +MOVZ            . 10 100101 .. ................ .....   @movw_32
 +MOVK            . 11 100101 .. ................ .....   @movw_64
 +MOVK            . 11 100101 .. ................ .....   @movw_32
 diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tcg/translate-a64.c
 +++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ TRANS(ANDS_i, gen_rri_log, a, true, tcg_gen_andi_i64)
  /*
   * Move wide (immediate)
 - *
 - *  31 30 29 28         23 22 21 20             5 4    0
 - * +--+-----+-------------+-----+----------------+------+
 - * |sf| opc | 1 0 0 1 0 1 |  hw |  imm16         |  Rd  |
 - * +--+-----+-------------+-----+----------------+------+
 - *
 - * sf: 0 -> 32 bit, 1 -> 64 bit
 - * opc: 00 -> N, 10 -> Z, 11 -> K
 - * hw: shift/16 (0,16, and sf only 32, 48)
   */
 -static void disas_movw_imm(DisasContext *s, uint32_t insn)
 +
 +static bool trans_MOVZ(DisasContext *s, arg_movw *a)
  {
 -    int rd = extract32(insn, 0, 5);
 -    uint64_t imm = extract32(insn, 5, 16);
 -    int sf = extract32(insn, 31, 1);
 -    int opc = extract32(insn, 29, 2);
 -    int pos = extract32(insn, 21, 2) << 4;
 -    TCGv_i64 tcg_rd = cpu_reg(s, rd);
 +    int pos = a->hw << 4;
 +    tcg_gen_movi_i64(cpu_reg(s, a->rd), (uint64_t)a->imm << pos);
 +    return true;
 +}
 -    if (!sf && (pos >= 32)) {
 -        unallocated_encoding(s);
 -        return;
 -    }
 +static bool trans_MOVN(DisasContext *s, arg_movw *a)
 +{
 +    int pos = a->hw << 4;
 +    uint64_t imm = a->imm;
 -    switch (opc) {
 -    case 0: /* MOVN */
 -    case 2: /* MOVZ */
 -        imm <<= pos;
 -        if (opc == 0) {
 -            imm = ~imm;
 -        }
 -        if (!sf) {
 -            imm &= 0xffffffffu;
 -        }
 -        tcg_gen_movi_i64(tcg_rd, imm);
 -        break;
 -    case 3: /* MOVK */
 -        tcg_gen_deposit_i64(tcg_rd, tcg_rd, tcg_constant_i64(imm), pos, 16);
 -        if (!sf) {
 -            tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
 -        }
 -        break;
 -    default:
 -        unallocated_encoding(s);
 -        break;
 +    imm = ~(imm << pos);
 +    if (!a->sf) {
 +        imm = (uint32_t)imm;
      }
 +    tcg_gen_movi_i64(cpu_reg(s, a->rd), imm);
 +    return true;
 +}
 +
 +static bool trans_MOVK(DisasContext *s, arg_movw *a)
 +{
 +    int pos = a->hw << 4;
 +    TCGv_i64 tcg_rd, tcg_im;
 +
 +    tcg_rd = cpu_reg(s, a->rd);
 +    tcg_im = tcg_constant_i64(a->imm);
 +    tcg_gen_deposit_i64(tcg_rd, tcg_rd, tcg_im, pos, 16);
 +    if (!a->sf) {
 +        tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
 +    }
 +    return true;
  }
  /* Bitfield
 @@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
-             } else {
+ static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
-                 tcg_gen_ext32u_i64(tcg_rd, cpu_reg(s, rm));
+ {
-             }
+     switch (extract32(insn, 23, 6)) {
--        } else if (rm == rn) { /* ROR */
+-    case 0x25: /* Move wide (immediate) */
--            tcg_rm = cpu_reg(s, rm);
+-        disas_movw_imm(s, insn);
--            if (sf) {
+-        break;
--                tcg_gen_rotri_i64(tcg_rd, tcg_rm, imm);
+     case 0x26: /* Bitfield */
--            } else {
+         disas_bitfield(s, insn);
--                TCGv_i32 tmp = tcg_temp_new_i32();
+         break;
 -                tcg_gen_extrl_i64_i32(tmp, tcg_rm);
 -                tcg_gen_rotri_i32(tmp, tmp, imm);
 -                tcg_gen_extu_i32_i64(tcg_rd, tmp);
 -                tcg_temp_free_i32(tmp);
 -            }
          } else {
 -            tcg_rm = read_cpu_reg(s, rm, sf);
 -            tcg_rn = read_cpu_reg(s, rn, sf);
 -            tcg_gen_shri_i64(tcg_rm, tcg_rm, imm);
 -            tcg_gen_shli_i64(tcg_rn, tcg_rn, bitsize - imm);
 -            tcg_gen_or_i64(tcg_rd, tcg_rm, tcg_rn);
 -            if (!sf) {
 -                tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
 +            tcg_rm = cpu_reg(s, rm);
 +            tcg_rn = cpu_reg(s, rn);
 +
 +            if (sf) {
 +                /* Specialization to ROR happens in EXTRACT2.  */
 +                tcg_gen_extract2_i64(tcg_rd, tcg_rm, tcg_rn, imm);
 +            } else {
 +                TCGv_i32 t0 = tcg_temp_new_i32();
 +
 +                tcg_gen_extrl_i64_i32(t0, tcg_rm);
 +                if (rm == rn) {
 +                    tcg_gen_rotri_i32(t0, t0, imm);
 +                } else {
 +                    TCGv_i32 t1 = tcg_temp_new_i32();
 +                    tcg_gen_extrl_i64_i32(t1, tcg_rn);
 +                    tcg_gen_extract2_i32(t0, t0, t1, imm);
 +                    tcg_temp_free_i32(t1);
 +                }
 +                tcg_gen_extu_i32_i64(tcg_rd, t0);
 +                tcg_temp_free_i32(t0);
              }
          }
      }
 --
-.20.1
+.34.1

-[Qemu-devel] [PULL 02/12] target/arm: Simplify BFXIL expansion
+[PULL 17/29] target/arm: Convert Bitfield to decodetree
 From: Richard Henderson <richard.henderson@linaro.org>
-The mask implied by the extract is redundant with the one
+Convert the BFM, SBFM, UBFM instructions.
 implied by the deposit.  Also, fix spelling of BFXIL.
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190514011129.11330-3-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Message-id: 20230512144106.3608981-12-peter.maydell@linaro.org
 [PMM: Rebased]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.c | 6 +++---
+ target/arm/tcg/a64.decode      |  13 +++
-file changed, 3 insertions(+), 3 deletions(-)
+ target/arm/tcg/translate-a64.c | 144 ++++++++++++++++++---------------
 files changed, 94 insertions(+), 63 deletions(-)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
+--- a/target/arm/tcg/a64.decode
-+++ b/target/arm/translate-a64.c
++++ b/target/arm/tcg/a64.decode
-@@ -XXX,XX +XXX,XX @@ static void disas_bitfield(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ MOVZ            . 10 100101 .. ................ .....   @movw_64
-             tcg_gen_extract_i64(tcg_rd, tcg_tmp, ri, len);
+ MOVZ            . 10 100101 .. ................ .....   @movw_32
-             return;
+ MOVK            . 11 100101 .. ................ .....   @movw_64
  MOVK            . 11 100101 .. ................ .....   @movw_32
 +
 +# Bitfield
 +
 +&bitfield       rd rn sf immr imms
 +@bitfield_64    1 .. ...... 1 immr:6 imms:6 rn:5 rd:5      &bitfield sf=1
 +@bitfield_32    0 .. ...... 0 0 immr:5 0 imms:5 rn:5 rd:5  &bitfield sf=0
 +
 +SBFM            . 00 100110 . ...... ...... ..... ..... @bitfield_64
 +SBFM            . 00 100110 . ...... ...... ..... ..... @bitfield_32
 +BFM             . 01 100110 . ...... ...... ..... ..... @bitfield_64
 +BFM             . 01 100110 . ...... ...... ..... ..... @bitfield_32
 +UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_64
 +UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_32
 diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tcg/translate-a64.c
 +++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_MOVK(DisasContext *s, arg_movw *a)
      return true;
  }
 -/* Bitfield
 - *   31  30 29 28         23 22  21  16 15  10 9    5 4    0
 - * +----+-----+-------------+---+------+------+------+------+
 - * | sf | opc | 1 0 0 1 1 0 | N | immr | imms |  Rn  |  Rd  |
 - * +----+-----+-------------+---+------+------+------+------+
 +/*
 + * Bitfield
   */
 -static void disas_bitfield(DisasContext *s, uint32_t insn)
 +
 +static bool trans_SBFM(DisasContext *s, arg_SBFM *a)
  {
 -    unsigned int sf, n, opc, ri, si, rn, rd, bitsize, pos, len;
 -    TCGv_i64 tcg_rd, tcg_tmp;
 +    TCGv_i64 tcg_rd = cpu_reg(s, a->rd);
 +    TCGv_i64 tcg_tmp = read_cpu_reg(s, a->rn, 1);
 +    unsigned int bitsize = a->sf ? 64 : 32;
 +    unsigned int ri = a->immr;
 +    unsigned int si = a->imms;
 +    unsigned int pos, len;
 -    sf = extract32(insn, 31, 1);
 -    opc = extract32(insn, 29, 2);
 -    n = extract32(insn, 22, 1);
 -    ri = extract32(insn, 16, 6);
 -    si = extract32(insn, 10, 6);
 -    rn = extract32(insn, 5, 5);
 -    rd = extract32(insn, 0, 5);
 -    bitsize = sf ? 64 : 32;
 -
 -    if (sf != n || ri >= bitsize || si >= bitsize || opc > 2) {
 -        unallocated_encoding(s);
 -        return;
 -    }
 -
 -    tcg_rd = cpu_reg(s, rd);
 -
 -    /* Suppress the zero-extend for !sf.  Since RI and SI are constrained
 -       to be smaller than bitsize, we'll never reference data outside the
 -       low 32-bits anyway.  */
 -    tcg_tmp = read_cpu_reg(s, rn, 1);
 -
 -    /* Recognize simple(r) extractions.  */
      if (si >= ri) {
          /* Wd<s-r:0> = Wn<s:r> */
          len = (si - ri) + 1;
 -        if (opc == 0) { /* SBFM: ASR, SBFX, SXTB, SXTH, SXTW */
 -            tcg_gen_sextract_i64(tcg_rd, tcg_tmp, ri, len);
 -            goto done;
 -        } else if (opc == 2) { /* UBFM: UBFX, LSR, UXTB, UXTH */
 -            tcg_gen_extract_i64(tcg_rd, tcg_tmp, ri, len);
 -            return;
 +        tcg_gen_sextract_i64(tcg_rd, tcg_tmp, ri, len);
 +        if (!a->sf) {
 +            tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
          }
--        /* opc == 1, BXFIL fall through to deposit */
+-        /* opc == 1, BFXIL fall through to deposit */
--        tcg_gen_extract_i64(tcg_tmp, tcg_tmp, ri, len);
++    } else {
-+        /* opc == 1, BFXIL fall through to deposit */
++        /* Wd<32+s-r,32-r> = Wn<s:0> */
-+        tcg_gen_shri_i64(tcg_tmp, tcg_tmp, ri);
++        len = si + 1;
 +        pos = (bitsize - ri) & (bitsize - 1);
 +
 +        if (len < ri) {
 +            /*
 +             * Sign extend the destination field from len to fill the
 +             * balance of the word.  Let the deposit below insert all
 +             * of those sign bits.
 +             */
 +            tcg_gen_sextract_i64(tcg_tmp, tcg_tmp, 0, len);
 +            len = ri;
 +        }
 +
 +        /*
 +         * We start with zero, and we haven't modified any bits outside
 +         * bitsize, therefore no final zero-extension is unneeded for !sf.
 +         */
 +        tcg_gen_deposit_z_i64(tcg_rd, tcg_tmp, pos, len);
 +    }
 +    return true;
 +}
 +
 +static bool trans_UBFM(DisasContext *s, arg_UBFM *a)
 +{
 +    TCGv_i64 tcg_rd = cpu_reg(s, a->rd);
 +    TCGv_i64 tcg_tmp = read_cpu_reg(s, a->rn, 1);
 +    unsigned int bitsize = a->sf ? 64 : 32;
 +    unsigned int ri = a->immr;
 +    unsigned int si = a->imms;
 +    unsigned int pos, len;
 +
 +    tcg_rd = cpu_reg(s, a->rd);
 +    tcg_tmp = read_cpu_reg(s, a->rn, 1);
 +
 +    if (si >= ri) {
 +        /* Wd<s-r:0> = Wn<s:r> */
 +        len = (si - ri) + 1;
 +        tcg_gen_extract_i64(tcg_rd, tcg_tmp, ri, len);
 +    } else {
 +        /* Wd<32+s-r,32-r> = Wn<s:0> */
 +        len = si + 1;
 +        pos = (bitsize - ri) & (bitsize - 1);
 +        tcg_gen_deposit_z_i64(tcg_rd, tcg_tmp, pos, len);
 +    }
 +    return true;
 +}
 +
 +static bool trans_BFM(DisasContext *s, arg_BFM *a)
 +{
 +    TCGv_i64 tcg_rd = cpu_reg(s, a->rd);
 +    TCGv_i64 tcg_tmp = read_cpu_reg(s, a->rn, 1);
 +    unsigned int bitsize = a->sf ? 64 : 32;
 +    unsigned int ri = a->immr;
 +    unsigned int si = a->imms;
 +    unsigned int pos, len;
 +
 +    tcg_rd = cpu_reg(s, a->rd);
 +    tcg_tmp = read_cpu_reg(s, a->rn, 1);
 +
 +    if (si >= ri) {
 +        /* Wd<s-r:0> = Wn<s:r> */
          tcg_gen_shri_i64(tcg_tmp, tcg_tmp, ri);
 +        len = (si - ri) + 1;
          pos = 0;
      } else {
-         /* Handle the ri > si case with a deposit
+-        /* Handle the ri > si case with a deposit
-@@ -XXX,XX +XXX,XX @@ static void disas_bitfield(DisasContext *s, uint32_t insn)
+-         * Wd<32+s-r,32-r> = Wn<s:0>
-         len = ri;
+-         */
 +        /* Wd<32+s-r,32-r> = Wn<s:0> */
          len = si + 1;
          pos = (bitsize - ri) & (bitsize - 1);
      }
--    if (opc == 1) { /* BFM, BXFIL */
+-    if (opc == 0 && len < ri) {
-+    if (opc == 1) { /* BFM, BFXIL */
+-        /* SBFM: sign extend the destination field from len to fill
-         tcg_gen_deposit_i64(tcg_rd, tcg_rd, tcg_tmp, pos, len);
+-           the balance of the word.  Let the deposit below insert all
-     } else {
+-           of those sign bits.  */
-         /* SBFM or UBFM: We start with zero, and we haven't modified
+-        tcg_gen_sextract_i64(tcg_tmp, tcg_tmp, 0, len);
 -        len = ri;
 -    }
 -
 -    if (opc == 1) { /* BFM, BFXIL */
 -        tcg_gen_deposit_i64(tcg_rd, tcg_rd, tcg_tmp, pos, len);
 -    } else {
 -        /* SBFM or UBFM: We start with zero, and we haven't modified
 -           any bits outside bitsize, therefore the zero-extension
 -           below is unneeded.  */
 -        tcg_gen_deposit_z_i64(tcg_rd, tcg_tmp, pos, len);
 -        return;
 -    }
 -
 - done:
 -    if (!sf) { /* zero extend final result */
 +    tcg_gen_deposit_i64(tcg_rd, tcg_rd, tcg_tmp, pos, len);
 +    if (!a->sf) {
          tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
      }
 +    return true;
  }
  /* Extract
@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
  static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
  {
      switch (extract32(insn, 23, 6)) {
 -    case 0x26: /* Bitfield */
 -        disas_bitfield(s, insn);
 -        break;
      case 0x27: /* Extract */
          disas_extract(s, insn);
          break;
 --
-.20.1
+.34.1

-New patch
+[PULL 18/29] target/arm: Convert Extract instructions to decodetree
+Convert the EXTR instruction to decodetree (this is the
+only one in the 'Extract" class). This is the last of
+the dp-immediate insns in the legacy decoder, so we
+can now remove disas_data_proc_imm().
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230512144106.3608981-13-peter.maydell@linaro.org
+---
+ target/arm/tcg/a64.decode      |  7 +++
+ target/arm/tcg/translate-a64.c | 94 +++++++++++-----------------------
+files changed, 36 insertions(+), 65 deletions(-)
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/a64.decode
++++ b/target/arm/tcg/a64.decode
+@@ -XXX,XX +XXX,XX @@ BFM             . 01 100110 . ...... ...... ..... ..... @bitfield_64
+ BFM             . 01 100110 . ...... ...... ..... ..... @bitfield_32
+ UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_64
+ UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_32
++
++# Extract
++
++&extract        rd rn rm imm sf
++
++EXTR            1 00 100111 1 0 rm:5 imm:6 rn:5 rd:5     &extract sf=1
++EXTR            0 00 100111 0 0 rm:5 0 imm:5 rn:5 rd:5   &extract sf=0
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ static bool trans_BFM(DisasContext *s, arg_BFM *a)
+     return true;
+ }
+-/* Extract
+- *   31  30  29 28         23 22   21  20  16 15    10 9    5 4    0
+- * +----+------+-------------+---+----+------+--------+------+------+
+- * | sf | op21 | 1 0 0 1 1 1 | N | o0 |  Rm  |  imms  |  Rn  |  Rd  |
+- * +----+------+-------------+---+----+------+--------+------+------+
+- */
+-static void disas_extract(DisasContext *s, uint32_t insn)
++static bool trans_EXTR(DisasContext *s, arg_extract *a)
+ {
+-    unsigned int sf, n, rm, imm, rn, rd, bitsize, op21, op0;
++    TCGv_i64 tcg_rd, tcg_rm, tcg_rn;
+-    sf = extract32(insn, 31, 1);
+-    n = extract32(insn, 22, 1);
+-    rm = extract32(insn, 16, 5);
+-    imm = extract32(insn, 10, 6);
+-    rn = extract32(insn, 5, 5);
+-    rd = extract32(insn, 0, 5);
+-    op21 = extract32(insn, 29, 2);
+-    op0 = extract32(insn, 21, 1);
+-    bitsize = sf ? 64 : 32;
++    tcg_rd = cpu_reg(s, a->rd);
+-    if (sf != n || op21 || op0 || imm >= bitsize) {
+-        unallocated_encoding(s);
+-    } else {
+-        TCGv_i64 tcg_rd, tcg_rm, tcg_rn;
+-
+-        tcg_rd = cpu_reg(s, rd);
+-
+-        if (unlikely(imm == 0)) {
+-            /* tcg shl_i32/shl_i64 is undefined for 32/64 bit shifts,
+-             * so an extract from bit 0 is a special case.
+-             */
+-            if (sf) {
+-                tcg_gen_mov_i64(tcg_rd, cpu_reg(s, rm));
+-            } else {
+-                tcg_gen_ext32u_i64(tcg_rd, cpu_reg(s, rm));
+-            }
++    if (unlikely(a->imm == 0)) {
++        /*
++         * tcg shl_i32/shl_i64 is undefined for 32/64 bit shifts,
++         * so an extract from bit 0 is a special case.
++         */
++        if (a->sf) {
++            tcg_gen_mov_i64(tcg_rd, cpu_reg(s, a->rm));
+         } else {
+-            tcg_rm = cpu_reg(s, rm);
+-            tcg_rn = cpu_reg(s, rn);
++            tcg_gen_ext32u_i64(tcg_rd, cpu_reg(s, a->rm));
++        }
++    } else {
++        tcg_rm = cpu_reg(s, a->rm);
++        tcg_rn = cpu_reg(s, a->rn);
+-            if (sf) {
+-                /* Specialization to ROR happens in EXTRACT2.  */
+-                tcg_gen_extract2_i64(tcg_rd, tcg_rm, tcg_rn, imm);
++        if (a->sf) {
++            /* Specialization to ROR happens in EXTRACT2.  */
++            tcg_gen_extract2_i64(tcg_rd, tcg_rm, tcg_rn, a->imm);
++        } else {
++            TCGv_i32 t0 = tcg_temp_new_i32();
++
++            tcg_gen_extrl_i64_i32(t0, tcg_rm);
++            if (a->rm == a->rn) {
++                tcg_gen_rotri_i32(t0, t0, a->imm);
+             } else {
+-                TCGv_i32 t0 = tcg_temp_new_i32();
+-
+-                tcg_gen_extrl_i64_i32(t0, tcg_rm);
+-                if (rm == rn) {
+-                    tcg_gen_rotri_i32(t0, t0, imm);
+-                } else {
+-                    TCGv_i32 t1 = tcg_temp_new_i32();
+-                    tcg_gen_extrl_i64_i32(t1, tcg_rn);
+-                    tcg_gen_extract2_i32(t0, t0, t1, imm);
+-                }
+-                tcg_gen_extu_i32_i64(tcg_rd, t0);
++                TCGv_i32 t1 = tcg_temp_new_i32();
++                tcg_gen_extrl_i64_i32(t1, tcg_rn);
++                tcg_gen_extract2_i32(t0, t0, t1, a->imm);
+             }
++            tcg_gen_extu_i32_i64(tcg_rd, t0);
+         }
+     }
+-}
+-
+-/* Data processing - immediate */
+-static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
+-{
+-    switch (extract32(insn, 23, 6)) {
+-    case 0x27: /* Extract */
+-        disas_extract(s, insn);
+-        break;
+-    default:
+-        unallocated_encoding(s);
+-        break;
+-    }
++    return true;
+ }
+ /* Shift a TCGv src by TCGv shift_amount, put result in dst.
+@@ -XXX,XX +XXX,XX @@ static bool btype_destination_ok(uint32_t insn, bool bt, int btype)
+ static void disas_a64_legacy(DisasContext *s, uint32_t insn)
+ {
+     switch (extract32(insn, 25, 4)) {
+-    case 0x8: case 0x9: /* Data processing - immediate */
+-        disas_data_proc_imm(s, insn);
+-        break;
+     case 0xa: case 0xb: /* Branch, exception generation and system insns */
+         disas_b_exc_sys(s, insn);
+         break;
+--
+.34.1

-New patch
+[PULL 19/29] target/arm: Convert unconditional branch immediate to decodetree
+Convert the unconditional branch immediate insns B and BL to
+decodetree.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230512144106.3608981-14-peter.maydell@linaro.org
+---
+ target/arm/tcg/a64.decode      |  9 +++++++++
+ target/arm/tcg/translate-a64.c | 31 +++++++++++--------------------
+files changed, 20 insertions(+), 20 deletions(-)
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/a64.decode
++++ b/target/arm/tcg/a64.decode
+@@ -XXX,XX +XXX,XX @@
+ &ri              rd imm
+ &rri_sf          rd rn imm sf
++&i               imm
+ ### Data Processing - Immediate
+@@ -XXX,XX +XXX,XX @@ UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_32
+ EXTR            1 00 100111 1 0 rm:5 imm:6 rn:5 rd:5     &extract sf=1
+ EXTR            0 00 100111 0 0 rm:5 0 imm:5 rn:5 rd:5   &extract sf=0
++
++# Branches
++
++%imm26   0:s26 !function=times_4
++@branch         . ..... .......................... &i imm=%imm26
++
++B               0 00101 .......................... @branch
++BL              1 00101 .......................... @branch
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ static inline AArch64DecodeFn *lookup_disas_fn(const AArch64DecodeTable *table,
+  * match up with those in the manual.
+  */
+-/* Unconditional branch (immediate)
+- *   31  30       26 25                                  0
+- * +----+-----------+-------------------------------------+
+- * | op | 0 0 1 0 1 |                 imm26               |
+- * +----+-----------+-------------------------------------+
+- */
+-static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
++static bool trans_B(DisasContext *s, arg_i *a)
+ {
+-    int64_t diff = sextract32(insn, 0, 26) * 4;
+-
+-    if (insn & (1U << 31)) {
+-        /* BL Branch with link */
+-        gen_pc_plus_diff(s, cpu_reg(s, 30), curr_insn_len(s));
+-    }
+-
+-    /* B Branch / BL Branch with link */
+     reset_btype(s);
+-    gen_goto_tb(s, 0, diff);
++    gen_goto_tb(s, 0, a->imm);
++    return true;
++}
++
++static bool trans_BL(DisasContext *s, arg_i *a)
++{
++    gen_pc_plus_diff(s, cpu_reg(s, 30), curr_insn_len(s));
++    reset_btype(s);
++    gen_goto_tb(s, 0, a->imm);
++    return true;
+ }
+ /* Compare and branch (immediate)
+@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
+ static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
+ {
+     switch (extract32(insn, 25, 7)) {
+-    case 0x0a: case 0x0b:
+-    case 0x4a: case 0x4b: /* Unconditional branch (immediate) */
+-        disas_uncond_b_imm(s, insn);
+-        break;
+     case 0x1a: case 0x5a: /* Compare & branch (immediate) */
+         disas_comp_b_imm(s, insn);
+         break;
+--
+.34.1

-New patch
+[PULL 20/29] target/arm: Convert CBZ, CBNZ to decodetree
+Convert the compare-and-branch-immediate insns CBZ and CBNZ
+to decodetree.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230512144106.3608981-15-peter.maydell@linaro.org
+---
+ target/arm/tcg/a64.decode      |  5 +++++
+ target/arm/tcg/translate-a64.c | 26 ++++++--------------------
+files changed, 11 insertions(+), 20 deletions(-)
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/a64.decode
++++ b/target/arm/tcg/a64.decode
+@@ -XXX,XX +XXX,XX @@ EXTR            0 00 100111 0 0 rm:5 0 imm:5 rn:5 rd:5   &extract sf=0
+ B               0 00101 .......................... @branch
+ BL              1 00101 .......................... @branch
++
++%imm19   5:s19 !function=times_4
++&cbz     rt imm sf nz
++
++CBZ             sf:1 011010 nz:1 ................... rt:5 &cbz imm=%imm19
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ static bool trans_BL(DisasContext *s, arg_i *a)
+     return true;
+ }
+-/* Compare and branch (immediate)
+- *   31  30         25  24  23                  5 4      0
+- * +----+-------------+----+---------------------+--------+
+- * | sf | 0 1 1 0 1 0 | op |         imm19       |   Rt   |
+- * +----+-------------+----+---------------------+--------+
+- */
+-static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
++
++static bool trans_CBZ(DisasContext *s, arg_cbz *a)
+ {
+-    unsigned int sf, op, rt;
+-    int64_t diff;
+     DisasLabel match;
+     TCGv_i64 tcg_cmp;
+-    sf = extract32(insn, 31, 1);
+-    op = extract32(insn, 24, 1); /* 0: CBZ; 1: CBNZ */
+-    rt = extract32(insn, 0, 5);
+-    diff = sextract32(insn, 5, 19) * 4;
+-
+-    tcg_cmp = read_cpu_reg(s, rt, sf);
++    tcg_cmp = read_cpu_reg(s, a->rt, a->sf);
+     reset_btype(s);
+     match = gen_disas_label(s);
+-    tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
++    tcg_gen_brcondi_i64(a->nz ? TCG_COND_NE : TCG_COND_EQ,
+                         tcg_cmp, 0, match.label);
+     gen_goto_tb(s, 0, 4);
+     set_disas_label(s, match);
+-    gen_goto_tb(s, 1, diff);
++    gen_goto_tb(s, 1, a->imm);
++    return true;
+ }
+ /* Test and branch (immediate)
+@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
+ static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
+ {
+     switch (extract32(insn, 25, 7)) {
+-    case 0x1a: case 0x5a: /* Compare & branch (immediate) */
+-        disas_comp_b_imm(s, insn);
+-        break;
+     case 0x1b: case 0x5b: /* Test & branch (immediate) */
+         disas_test_b_imm(s, insn);
+         break;
+--
+.34.1

-New patch
+[PULL 21/29] target/arm: Convert TBZ, TBNZ to decodetree
+Convert the test-and-branch-immediate insns TBZ and TBNZ
+to decodetree.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230512144106.3608981-16-peter.maydell@linaro.org
+---
+ target/arm/tcg/a64.decode      |  6 ++++++
+ target/arm/tcg/translate-a64.c | 25 +++++--------------------
+files changed, 11 insertions(+), 20 deletions(-)
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/a64.decode
++++ b/target/arm/tcg/a64.decode
+@@ -XXX,XX +XXX,XX @@ BL              1 00101 .......................... @branch
+ &cbz     rt imm sf nz
+ CBZ             sf:1 011010 nz:1 ................... rt:5 &cbz imm=%imm19
++
++%imm14     5:s14 !function=times_4
++%imm31_19  31:1 19:5
++&tbz       rt imm nz bitpos
++
++TBZ             . 011011 nz:1 ..... .............. rt:5 &tbz  imm=%imm14 bitpos=%imm31_19
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ static bool trans_CBZ(DisasContext *s, arg_cbz *a)
+     return true;
+ }
+-/* Test and branch (immediate)
+- *   31  30         25  24  23   19 18          5 4    0
+- * +----+-------------+----+-------+-------------+------+
+- * | b5 | 0 1 1 0 1 1 | op |  b40  |    imm14    |  Rt  |
+- * +----+-------------+----+-------+-------------+------+
+- */
+-static void disas_test_b_imm(DisasContext *s, uint32_t insn)
++static bool trans_TBZ(DisasContext *s, arg_tbz *a)
+ {
+-    unsigned int bit_pos, op, rt;
+-    int64_t diff;
+     DisasLabel match;
+     TCGv_i64 tcg_cmp;
+-    bit_pos = (extract32(insn, 31, 1) << 5) | extract32(insn, 19, 5);
+-    op = extract32(insn, 24, 1); /* 0: TBZ; 1: TBNZ */
+-    diff = sextract32(insn, 5, 14) * 4;
+-    rt = extract32(insn, 0, 5);
+-
+     tcg_cmp = tcg_temp_new_i64();
+-    tcg_gen_andi_i64(tcg_cmp, cpu_reg(s, rt), (1ULL << bit_pos));
++    tcg_gen_andi_i64(tcg_cmp, cpu_reg(s, a->rt), 1ULL << a->bitpos);
+     reset_btype(s);
+     match = gen_disas_label(s);
+-    tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
++    tcg_gen_brcondi_i64(a->nz ? TCG_COND_NE : TCG_COND_EQ,
+                         tcg_cmp, 0, match.label);
+     gen_goto_tb(s, 0, 4);
+     set_disas_label(s, match);
+-    gen_goto_tb(s, 1, diff);
++    gen_goto_tb(s, 1, a->imm);
++    return true;
+ }
+ /* Conditional branch (immediate)
+@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
+ static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
+ {
+     switch (extract32(insn, 25, 7)) {
+-    case 0x1b: case 0x5b: /* Test & branch (immediate) */
+-        disas_test_b_imm(s, insn);
+-        break;
+     case 0x2a: /* Conditional branch (immediate) */
+         disas_cond_b_imm(s, insn);
+         break;
+--
+.34.1

-New patch
+[PULL 22/29] target/arm: Convert conditional branch insns to decodetree
+Convert the immediate conditional branch insn B.cond to
+decodetree.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230512144106.3608981-17-peter.maydell@linaro.org
+---
+ target/arm/tcg/a64.decode      |  2 ++
+ target/arm/tcg/translate-a64.c | 30 ++++++------------------------
+files changed, 8 insertions(+), 24 deletions(-)
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/a64.decode
++++ b/target/arm/tcg/a64.decode
+@@ -XXX,XX +XXX,XX @@ CBZ             sf:1 011010 nz:1 ................... rt:5 &cbz imm=%imm19
+ &tbz       rt imm nz bitpos
+ TBZ             . 011011 nz:1 ..... .............. rt:5 &tbz  imm=%imm14 bitpos=%imm31_19
++
++B_cond          0101010 0 ................... 0 cond:4 imm=%imm19
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ static bool trans_TBZ(DisasContext *s, arg_tbz *a)
+     return true;
+ }
+-/* Conditional branch (immediate)
+- *  31           25  24  23                  5   4  3    0
+- * +---------------+----+---------------------+----+------+
+- * | 0 1 0 1 0 1 0 | o1 |         imm19       | o0 | cond |
+- * +---------------+----+---------------------+----+------+
+- */
+-static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
++static bool trans_B_cond(DisasContext *s, arg_B_cond *a)
+ {
+-    unsigned int cond;
+-    int64_t diff;
+-
+-    if ((insn & (1 << 4)) || (insn & (1 << 24))) {
+-        unallocated_encoding(s);
+-        return;
+-    }
+-    diff = sextract32(insn, 5, 19) * 4;
+-    cond = extract32(insn, 0, 4);
+-
+     reset_btype(s);
+-    if (cond < 0x0e) {
++    if (a->cond < 0x0e) {
+         /* genuinely conditional branches */
+         DisasLabel match = gen_disas_label(s);
+-        arm_gen_test_cc(cond, match.label);
++        arm_gen_test_cc(a->cond, match.label);
+         gen_goto_tb(s, 0, 4);
+         set_disas_label(s, match);
+-        gen_goto_tb(s, 1, diff);
++        gen_goto_tb(s, 1, a->imm);
+     } else {
+         /* 0xe and 0xf are both "always" conditions */
+-        gen_goto_tb(s, 0, diff);
++        gen_goto_tb(s, 0, a->imm);
+     }
++    return true;
+ }
+ /* HINT instruction group, including various allocated HINTs */
+@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
+ static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
+ {
+     switch (extract32(insn, 25, 7)) {
+-    case 0x2a: /* Conditional branch (immediate) */
+-        disas_cond_b_imm(s, insn);
+-        break;
+     case 0x6a: /* Exception generation / System */
+         if (insn & (1 << 24)) {
+             if (extract32(insn, 22, 2) == 0) {
+--
+.34.1

-New patch
+[PULL 23/29] target/arm: Convert BR, BLR, RET to decodetree
+Convert the simple (non-pointer-auth) BR, BLR and RET insns
+to decodetree.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230512144106.3608981-18-peter.maydell@linaro.org
+---
+ target/arm/tcg/a64.decode      |  5 ++++
+ target/arm/tcg/translate-a64.c | 55 ++++++++++++++++++++++++++++++----
+files changed, 54 insertions(+), 6 deletions(-)
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/a64.decode
++++ b/target/arm/tcg/a64.decode
+@@ -XXX,XX +XXX,XX @@
+ # This file is processed by scripts/decodetree.py
+ #
++&r               rn
+ &ri              rd imm
+ &rri_sf          rd rn imm sf
+ &i               imm
+@@ -XXX,XX +XXX,XX @@ CBZ             sf:1 011010 nz:1 ................... rt:5 &cbz imm=%imm19
+ TBZ             . 011011 nz:1 ..... .............. rt:5 &tbz  imm=%imm14 bitpos=%imm31_19
+ B_cond          0101010 0 ................... 0 cond:4 imm=%imm19
++
++BR              1101011 0000 11111 000000 rn:5 00000 &r
++BLR             1101011 0001 11111 000000 rn:5 00000 &r
++RET             1101011 0010 11111 000000 rn:5 00000 &r
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ static bool trans_B_cond(DisasContext *s, arg_B_cond *a)
+     return true;
+ }
++static void set_btype_for_br(DisasContext *s, int rn)
++{
++    if (dc_isar_feature(aa64_bti, s)) {
++        /* BR to {x16,x17} or !guard -> 1, else 3.  */
++        set_btype(s, rn == 16 || rn == 17 || !s->guarded_page ? 1 : 3);
++    }
++}
++
++static void set_btype_for_blr(DisasContext *s)
++{
++    if (dc_isar_feature(aa64_bti, s)) {
++        /* BLR sets BTYPE to 2, regardless of source guarded page.  */
++        set_btype(s, 2);
++    }
++}
++
++static bool trans_BR(DisasContext *s, arg_r *a)
++{
++    gen_a64_set_pc(s, cpu_reg(s, a->rn));
++    set_btype_for_br(s, a->rn);
++    s->base.is_jmp = DISAS_JUMP;
++    return true;
++}
++
++static bool trans_BLR(DisasContext *s, arg_r *a)
++{
++    TCGv_i64 dst = cpu_reg(s, a->rn);
++    TCGv_i64 lr = cpu_reg(s, 30);
++    if (dst == lr) {
++        TCGv_i64 tmp = tcg_temp_new_i64();
++        tcg_gen_mov_i64(tmp, dst);
++        dst = tmp;
++    }
++    gen_pc_plus_diff(s, lr, curr_insn_len(s));
++    gen_a64_set_pc(s, dst);
++    set_btype_for_blr(s);
++    s->base.is_jmp = DISAS_JUMP;
++    return true;
++}
++
++static bool trans_RET(DisasContext *s, arg_r *a)
++{
++    gen_a64_set_pc(s, cpu_reg(s, a->rn));
++    s->base.is_jmp = DISAS_JUMP;
++    return true;
++}
++
+ /* HINT instruction group, including various allocated HINTs */
+ static void handle_hint(DisasContext *s, uint32_t insn,
+                         unsigned int op1, unsigned int op2, unsigned int crm)
+@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
+         btype_mod = opc;
+         switch (op3) {
+         case 0:
+-            /* BR, BLR, RET */
+-            if (op4 != 0) {
+-                goto do_unallocated;
+-            }
+-            dst = cpu_reg(s, rn);
+-            break;
++            /* BR, BLR, RET : handled in decodetree */
++            goto do_unallocated;
+         case 2:
+         case 3:
+--
+.34.1

-New patch
+[PULL 24/29] target/arm: Convert BRA[AB]Z, BLR[AB]Z, RETA[AB] to decodetree
+Convert the single-register pointer-authentication variants of BR,
+BLR, RET to decodetree. (BRAA/BLRAA are in a different branch of
+the legacy decoder and will be dealt with in the next commit.)
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230512144106.3608981-19-peter.maydell@linaro.org
+---
+ target/arm/tcg/a64.decode      |   7 ++
+ target/arm/tcg/translate-a64.c | 132 +++++++++++++++++++--------------
+files changed, 84 insertions(+), 55 deletions(-)
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/a64.decode
++++ b/target/arm/tcg/a64.decode
+@@ -XXX,XX +XXX,XX @@ B_cond          0101010 0 ................... 0 cond:4 imm=%imm19
+ BR              1101011 0000 11111 000000 rn:5 00000 &r
+ BLR             1101011 0001 11111 000000 rn:5 00000 &r
+ RET             1101011 0010 11111 000000 rn:5 00000 &r
++
++&braz       rn m
++BRAZ            1101011 0000 11111 00001 m:1 rn:5 11111 &braz   # BRAAZ, BRABZ
++BLRAZ           1101011 0001 11111 00001 m:1 rn:5 11111 &braz   # BLRAAZ, BLRABZ
++
++&reta       m
++RETA            1101011 0010 11111 00001 m:1 11111 11111 &reta  # RETAA, RETAB
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ static bool trans_RET(DisasContext *s, arg_r *a)
+     return true;
+ }
++static TCGv_i64 auth_branch_target(DisasContext *s, TCGv_i64 dst,
++                                   TCGv_i64 modifier, bool use_key_a)
++{
++    TCGv_i64 truedst;
++    /*
++     * Return the branch target for a BRAA/RETA/etc, which is either
++     * just the destination dst, or that value with the pauth check
++     * done and the code removed from the high bits.
++     */
++    if (!s->pauth_active) {
++        return dst;
++    }
++
++    truedst = tcg_temp_new_i64();
++    if (use_key_a) {
++        gen_helper_autia(truedst, cpu_env, dst, modifier);
++    } else {
++        gen_helper_autib(truedst, cpu_env, dst, modifier);
++    }
++    return truedst;
++}
++
++static bool trans_BRAZ(DisasContext *s, arg_braz *a)
++{
++    TCGv_i64 dst;
++
++    if (!dc_isar_feature(aa64_pauth, s)) {
++        return false;
++    }
++
++    dst = auth_branch_target(s, cpu_reg(s, a->rn), tcg_constant_i64(0), !a->m);
++    gen_a64_set_pc(s, dst);
++    set_btype_for_br(s, a->rn);
++    s->base.is_jmp = DISAS_JUMP;
++    return true;
++}
++
++static bool trans_BLRAZ(DisasContext *s, arg_braz *a)
++{
++    TCGv_i64 dst, lr;
++
++    if (!dc_isar_feature(aa64_pauth, s)) {
++        return false;
++    }
++
++    dst = auth_branch_target(s, cpu_reg(s, a->rn), tcg_constant_i64(0), !a->m);
++    lr = cpu_reg(s, 30);
++    if (dst == lr) {
++        TCGv_i64 tmp = tcg_temp_new_i64();
++        tcg_gen_mov_i64(tmp, dst);
++        dst = tmp;
++    }
++    gen_pc_plus_diff(s, lr, curr_insn_len(s));
++    gen_a64_set_pc(s, dst);
++    set_btype_for_blr(s);
++    s->base.is_jmp = DISAS_JUMP;
++    return true;
++}
++
++static bool trans_RETA(DisasContext *s, arg_reta *a)
++{
++    TCGv_i64 dst;
++
++    dst = auth_branch_target(s, cpu_reg(s, 30), cpu_X[31], !a->m);
++    gen_a64_set_pc(s, dst);
++    s->base.is_jmp = DISAS_JUMP;
++    return true;
++}
++
+ /* HINT instruction group, including various allocated HINTs */
+ static void handle_hint(DisasContext *s, uint32_t insn,
+                         unsigned int op1, unsigned int op2, unsigned int crm)
+@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
+     }
+     switch (opc) {
+-    case 0: /* BR */
+-    case 1: /* BLR */
+-    case 2: /* RET */
+-        btype_mod = opc;
+-        switch (op3) {
+-        case 0:
+-            /* BR, BLR, RET : handled in decodetree */
+-            goto do_unallocated;
+-
+-        case 2:
+-        case 3:
+-            if (!dc_isar_feature(aa64_pauth, s)) {
+-                goto do_unallocated;
+-            }
+-            if (opc == 2) {
+-                /* RETAA, RETAB */
+-                if (rn != 0x1f || op4 != 0x1f) {
+-                    goto do_unallocated;
+-                }
+-                rn = 30;
+-                modifier = cpu_X[31];
+-            } else {
+-                /* BRAAZ, BRABZ, BLRAAZ, BLRABZ */
+-                if (op4 != 0x1f) {
+-                    goto do_unallocated;
+-                }
+-                modifier = tcg_constant_i64(0);
+-            }
+-            if (s->pauth_active) {
+-                dst = tcg_temp_new_i64();
+-                if (op3 == 2) {
+-                    gen_helper_autia(dst, cpu_env, cpu_reg(s, rn), modifier);
+-                } else {
+-                    gen_helper_autib(dst, cpu_env, cpu_reg(s, rn), modifier);
+-                }
+-            } else {
+-                dst = cpu_reg(s, rn);
+-            }
+-            break;
+-
+-        default:
+-            goto do_unallocated;
+-        }
+-        /* BLR also needs to load return address */
+-        if (opc == 1) {
+-            TCGv_i64 lr = cpu_reg(s, 30);
+-            if (dst == lr) {
+-                TCGv_i64 tmp = tcg_temp_new_i64();
+-                tcg_gen_mov_i64(tmp, dst);
+-                dst = tmp;
+-            }
+-            gen_pc_plus_diff(s, lr, curr_insn_len(s));
+-        }
+-        gen_a64_set_pc(s, dst);
+-        break;
++    case 0:
++    case 1:
++    case 2:
++        /*
++         * BR, BLR, RET, RETAA, RETAB, BRAAZ, BRABZ, BLRAAZ, BLRABZ:
++         * handled in decodetree
++         */
++        goto do_unallocated;
+     case 8: /* BRAA */
+     case 9: /* BLRAA */
+--
+.34.1

-New patch
+[PULL 25/29] target/arm: Convert BRAA, BRAB, BLRAA, BLRAB to decodetree
+Convert the last four BR-with-pointer-auth insns to decodetree.
+The remaining cases in the outer switch in disas_uncond_b_reg()
+all return early rather than leaving the case statement, so we
+can delete the now-unused code at the end of that function.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230512144106.3608981-20-peter.maydell@linaro.org
+---
+ target/arm/tcg/a64.decode      |  4 ++
+ target/arm/tcg/translate-a64.c | 97 ++++++++++++++--------------------
+files changed, 43 insertions(+), 58 deletions(-)
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/a64.decode
++++ b/target/arm/tcg/a64.decode
+@@ -XXX,XX +XXX,XX @@ BLRAZ           1101011 0001 11111 00001 m:1 rn:5 11111 &braz   # BLRAAZ, BLRABZ
+ &reta       m
+ RETA            1101011 0010 11111 00001 m:1 11111 11111 &reta  # RETAA, RETAB
++
++&bra        rn rm m
++BRA             1101011 1000 11111 00001 m:1 rn:5 rm:5 &bra # BRAA, BRAB
++BLRA            1101011 1001 11111 00001 m:1 rn:5 rm:5 &bra # BLRAA, BLRAB
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ static bool trans_RETA(DisasContext *s, arg_reta *a)
+     return true;
+ }
++static bool trans_BRA(DisasContext *s, arg_bra *a)
++{
++    TCGv_i64 dst;
++
++    if (!dc_isar_feature(aa64_pauth, s)) {
++        return false;
++    }
++    dst = auth_branch_target(s, cpu_reg(s,a->rn), cpu_reg_sp(s, a->rm), !a->m);
++    gen_a64_set_pc(s, dst);
++    set_btype_for_br(s, a->rn);
++    s->base.is_jmp = DISAS_JUMP;
++    return true;
++}
++
++static bool trans_BLRA(DisasContext *s, arg_bra *a)
++{
++    TCGv_i64 dst, lr;
++
++    if (!dc_isar_feature(aa64_pauth, s)) {
++        return false;
++    }
++    dst = auth_branch_target(s, cpu_reg(s, a->rn), cpu_reg_sp(s, a->rm), !a->m);
++    lr = cpu_reg(s, 30);
++    if (dst == lr) {
++        TCGv_i64 tmp = tcg_temp_new_i64();
++        tcg_gen_mov_i64(tmp, dst);
++        dst = tmp;
++    }
++    gen_pc_plus_diff(s, lr, curr_insn_len(s));
++    gen_a64_set_pc(s, dst);
++    set_btype_for_blr(s);
++    s->base.is_jmp = DISAS_JUMP;
++    return true;
++}
++
+ /* HINT instruction group, including various allocated HINTs */
+ static void handle_hint(DisasContext *s, uint32_t insn,
+                         unsigned int op1, unsigned int op2, unsigned int crm)
+@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
+ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
+ {
+     unsigned int opc, op2, op3, rn, op4;
+-    unsigned btype_mod = 2;   /* 0: BR, 1: BLR, 2: other */
+     TCGv_i64 dst;
+     TCGv_i64 modifier;
+@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
+     case 0:
+     case 1:
+     case 2:
++    case 8:
++    case 9:
+         /*
+-         * BR, BLR, RET, RETAA, RETAB, BRAAZ, BRABZ, BLRAAZ, BLRABZ:
+-         * handled in decodetree
++         * BR, BLR, RET, RETAA, RETAB, BRAAZ, BRABZ, BLRAAZ, BLRABZ,
++         * BRAA, BLRAA: handled in decodetree
+          */
+         goto do_unallocated;
+-    case 8: /* BRAA */
+-    case 9: /* BLRAA */
+-        if (!dc_isar_feature(aa64_pauth, s)) {
+-            goto do_unallocated;
+-        }
+-        if ((op3 & ~1) != 2) {
+-            goto do_unallocated;
+-        }
+-        btype_mod = opc & 1;
+-        if (s->pauth_active) {
+-            dst = tcg_temp_new_i64();
+-            modifier = cpu_reg_sp(s, op4);
+-            if (op3 == 2) {
+-                gen_helper_autia(dst, cpu_env, cpu_reg(s, rn), modifier);
+-            } else {
+-                gen_helper_autib(dst, cpu_env, cpu_reg(s, rn), modifier);
+-            }
+-        } else {
+-            dst = cpu_reg(s, rn);
+-        }
+-        /* BLRAA also needs to load return address */
+-        if (opc == 9) {
+-            TCGv_i64 lr = cpu_reg(s, 30);
+-            if (dst == lr) {
+-                TCGv_i64 tmp = tcg_temp_new_i64();
+-                tcg_gen_mov_i64(tmp, dst);
+-                dst = tmp;
+-            }
+-            gen_pc_plus_diff(s, lr, curr_insn_len(s));
+-        }
+-        gen_a64_set_pc(s, dst);
+-        break;
+-
+     case 4: /* ERET */
+         if (s->current_el == 0) {
+             goto do_unallocated;
+@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
+         unallocated_encoding(s);
+         return;
+     }
+-
+-    switch (btype_mod) {
+-    case 0: /* BR */
+-        if (dc_isar_feature(aa64_bti, s)) {
+-            /* BR to {x16,x17} or !guard -> 1, else 3.  */
+-            set_btype(s, rn == 16 || rn == 17 || !s->guarded_page ? 1 : 3);
+-        }
+-        break;
+-
+-    case 1: /* BLR */
+-        if (dc_isar_feature(aa64_bti, s)) {
+-            /* BLR sets BTYPE to 2, regardless of source guarded page.  */
+-            set_btype(s, 2);
+-        }
+-        break;
+-
+-    default: /* RET or none of the above.  */
+-        /* BTYPE will be set to 0 by normal end-of-insn processing.  */
+-        break;
+-    }
+-
+-    s->base.is_jmp = DISAS_JUMP;
+ }
+ /* Branches, exception generating and system instructions */
+--
+.34.1

-New patch
+[PULL 26/29] target/arm: Convert ERET, ERETAA, ERETAB to decodetree
+Convert the exception-return insns ERET, ERETA and ERETB to
+decodetree. These were the last insns left in the legacy
+decoder function disas_uncond_reg_b(), which allows us to
+remove it.
+The old decoder explicitly decoded the DRPS instruction,
+only in order to call unallocated_encoding() on it, exactly
+as would have happened if it hadn't decoded it. This is
+because this insn always UNDEFs unless the CPU is in
+halting-debug state, which we don't emulate. So we list
+the pattern in a comment in a64.decode, but don't actively
+decode it.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230512144106.3608981-21-peter.maydell@linaro.org
+---
+ target/arm/tcg/a64.decode      |   8 ++
+ target/arm/tcg/translate-a64.c | 163 +++++++++++----------------------
+files changed, 63 insertions(+), 108 deletions(-)
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/a64.decode
++++ b/target/arm/tcg/a64.decode
+@@ -XXX,XX +XXX,XX @@ RETA            1101011 0010 11111 00001 m:1 11111 11111 &reta  # RETAA, RETAB
+ &bra        rn rm m
+ BRA             1101011 1000 11111 00001 m:1 rn:5 rm:5 &bra # BRAA, BRAB
+ BLRA            1101011 1001 11111 00001 m:1 rn:5 rm:5 &bra # BLRAA, BLRAB
++
++ERET            1101011 0100 11111 000000 11111 00000
++ERETA           1101011 0100 11111 00001 m:1 11111 11111 &reta  # ERETAA, ERETAB
++
++# We don't need to decode DRPS because it always UNDEFs except when
++# the processor is in halting debug state (which we don't implement).
++# The pattern is listed here as documentation.
++# DRPS            1101011 0101 11111 000000 11111 00000
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ static bool trans_BLRA(DisasContext *s, arg_bra *a)
+     return true;
+ }
++static bool trans_ERET(DisasContext *s, arg_ERET *a)
++{
++    TCGv_i64 dst;
++
++    if (s->current_el == 0) {
++        return false;
++    }
++    if (s->fgt_eret) {
++        gen_exception_insn_el(s, 0, EXCP_UDEF, 0, 2);
++        return true;
++    }
++    dst = tcg_temp_new_i64();
++    tcg_gen_ld_i64(dst, cpu_env,
++                   offsetof(CPUARMState, elr_el[s->current_el]));
++
++    if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
++        gen_io_start();
++    }
++
++    gen_helper_exception_return(cpu_env, dst);
++    /* Must exit loop to check un-masked IRQs */
++    s->base.is_jmp = DISAS_EXIT;
++    return true;
++}
++
++static bool trans_ERETA(DisasContext *s, arg_reta *a)
++{
++    TCGv_i64 dst;
++
++    if (!dc_isar_feature(aa64_pauth, s)) {
++        return false;
++    }
++    if (s->current_el == 0) {
++        return false;
++    }
++    /* The FGT trap takes precedence over an auth trap. */
++    if (s->fgt_eret) {
++        gen_exception_insn_el(s, 0, EXCP_UDEF, a->m ? 3 : 2, 2);
++        return true;
++    }
++    dst = tcg_temp_new_i64();
++    tcg_gen_ld_i64(dst, cpu_env,
++                   offsetof(CPUARMState, elr_el[s->current_el]));
++
++    dst = auth_branch_target(s, dst, cpu_X[31], !a->m);
++    if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
++        gen_io_start();
++    }
++
++    gen_helper_exception_return(cpu_env, dst);
++    /* Must exit loop to check un-masked IRQs */
++    s->base.is_jmp = DISAS_EXIT;
++    return true;
++}
++
+ /* HINT instruction group, including various allocated HINTs */
+ static void handle_hint(DisasContext *s, uint32_t insn,
+                         unsigned int op1, unsigned int op2, unsigned int crm)
+@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
+     }
+ }
+-/* Unconditional branch (register)
+- *  31           25 24   21 20   16 15   10 9    5 4     0
+- * +---------------+-------+-------+-------+------+-------+
+- * | 1 1 0 1 0 1 1 |  opc  |  op2  |  op3  |  Rn  |  op4  |
+- * +---------------+-------+-------+-------+------+-------+
+- */
+-static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
+-{
+-    unsigned int opc, op2, op3, rn, op4;
+-    TCGv_i64 dst;
+-    TCGv_i64 modifier;
+-
+-    opc = extract32(insn, 21, 4);
+-    op2 = extract32(insn, 16, 5);
+-    op3 = extract32(insn, 10, 6);
+-    rn = extract32(insn, 5, 5);
+-    op4 = extract32(insn, 0, 5);
+-
+-    if (op2 != 0x1f) {
+-        goto do_unallocated;
+-    }
+-
+-    switch (opc) {
+-    case 0:
+-    case 1:
+-    case 2:
+-    case 8:
+-    case 9:
+-        /*
+-         * BR, BLR, RET, RETAA, RETAB, BRAAZ, BRABZ, BLRAAZ, BLRABZ,
+-         * BRAA, BLRAA: handled in decodetree
+-         */
+-        goto do_unallocated;
+-
+-    case 4: /* ERET */
+-        if (s->current_el == 0) {
+-            goto do_unallocated;
+-        }
+-        switch (op3) {
+-        case 0: /* ERET */
+-            if (op4 != 0) {
+-                goto do_unallocated;
+-            }
+-            if (s->fgt_eret) {
+-                gen_exception_insn_el(s, 0, EXCP_UDEF, syn_erettrap(op3), 2);
+-                return;
+-            }
+-            dst = tcg_temp_new_i64();
+-            tcg_gen_ld_i64(dst, cpu_env,
+-                           offsetof(CPUARMState, elr_el[s->current_el]));
+-            break;
+-
+-        case 2: /* ERETAA */
+-        case 3: /* ERETAB */
+-            if (!dc_isar_feature(aa64_pauth, s)) {
+-                goto do_unallocated;
+-            }
+-            if (rn != 0x1f || op4 != 0x1f) {
+-                goto do_unallocated;
+-            }
+-            /* The FGT trap takes precedence over an auth trap. */
+-            if (s->fgt_eret) {
+-                gen_exception_insn_el(s, 0, EXCP_UDEF, syn_erettrap(op3), 2);
+-                return;
+-            }
+-            dst = tcg_temp_new_i64();
+-            tcg_gen_ld_i64(dst, cpu_env,
+-                           offsetof(CPUARMState, elr_el[s->current_el]));
+-            if (s->pauth_active) {
+-                modifier = cpu_X[31];
+-                if (op3 == 2) {
+-                    gen_helper_autia(dst, cpu_env, dst, modifier);
+-                } else {
+-                    gen_helper_autib(dst, cpu_env, dst, modifier);
+-                }
+-            }
+-            break;
+-
+-        default:
+-            goto do_unallocated;
+-        }
+-        if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
+-            gen_io_start();
+-        }
+-
+-        gen_helper_exception_return(cpu_env, dst);
+-        /* Must exit loop to check un-masked IRQs */
+-        s->base.is_jmp = DISAS_EXIT;
+-        return;
+-
+-    case 5: /* DRPS */
+-        if (op3 != 0 || op4 != 0 || rn != 0x1f) {
+-            goto do_unallocated;
+-        } else {
+-            unallocated_encoding(s);
+-        }
+-        return;
+-
+-    default:
+-    do_unallocated:
+-        unallocated_encoding(s);
+-        return;
+-    }
+-}
+-
+ /* Branches, exception generating and system instructions */
+ static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
+ {
+@@ -XXX,XX +XXX,XX @@ static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
+             disas_exc(s, insn);
+         }
+         break;
+-    case 0x6b: /* Unconditional branch (register) */
+-        disas_uncond_b_reg(s, insn);
+-        break;
+     default:
+         unallocated_encoding(s);
+         break;
+--
+.34.1

-[Qemu-devel] [PULL 07/12] hw/intc/arm_gicv3: Fix write of ICH_VMCR_EL2.{VBPR0, VBPR1}
+[PULL 27/29] target/arm: Saturate L2CTLR_EL1 core count field rather than overflowing
-In ich_vmcr_write() we enforce "writes of BPR fields to less than
+The IMPDEF sysreg L2CTLR_EL1 found on the Cortex-A35, A53, A57, A72
-their minimum sets them to the minimum" by doing a "read vbpr and
+and which we (arguably dubiously) also provide in '-cpu max' has a
-write it back" operation.  A typo here meant that we weren't handling
+bit field for the number of processors in the cluster. On real
-writes to these fields correctly, because we were reading from VBPR0
+hardware this must be sufficient because it can only be configured
-but writing to VBPR1.
+with up to 4 CPUs in the cluster. However on QEMU if the board code
 does not explicitly configure the code into clusters with the right
 CPU count we default to "give the value assuming that all CPUs in
 the system are in a single cluster", which might be too big to fit
 in the field.
 Instead of just overflowing this 2-bit field, saturate to 3 (meaning
 "4 CPUs", so at least we don't overwrite other fields in the register.
 It's unlikely that any guest code really cares about the value in
 this field; at least, if it does it probably also wants the system
 to be more closely matching real hardware, i.e. not to have more
 than 4 CPUs.
 This issue has been present since the L2CTLR was first added in
 commit 377a44ec8f2fac5b back in 2014. It was only noticed because
 Coverity complains (CID 1509227) that the shift might overflow 32 bits
 and inadvertently sign extend into the top half of the 64 bit value.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190520162809.2677-4-peter.maydell@linaro.org
+Message-id: 20230512170223.3801643-2-peter.maydell@linaro.org
 ---
- hw/intc/arm_gicv3_cpuif.c | 2 +-
+ target/arm/cortex-regs.c | 11 +++++++++--
-file changed, 1 insertion(+), 1 deletion(-)
+file changed, 9 insertions(+), 2 deletions(-)
-diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
+diff --git a/target/arm/cortex-regs.c b/target/arm/cortex-regs.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gicv3_cpuif.c
+--- a/target/arm/cortex-regs.c
-+++ b/hw/intc/arm_gicv3_cpuif.c
++++ b/target/arm/cortex-regs.c
-@@ -XXX,XX +XXX,XX @@ static void ich_vmcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
+@@ -XXX,XX +XXX,XX @@ static uint64_t l2ctlr_read(CPUARMState *env, const ARMCPRegInfo *ri)
-     /* Enforce "writing BPRs to less than minimum sets them to the minimum"
+ {
-      * by reading and writing back the fields.
+     ARMCPU *cpu = env_archcpu(env);
-      */
--    write_vbpr(cs, GICV3_G1, read_vbpr(cs, GICV3_G0));
+-    /* Number of cores is in [25:24]; otherwise we RAZ */
-+    write_vbpr(cs, GICV3_G0, read_vbpr(cs, GICV3_G0));
+-    return (cpu->core_count - 1) << 24;
-     write_vbpr(cs, GICV3_G1, read_vbpr(cs, GICV3_G1));
++    /*
++     * Number of cores is in [25:24]; otherwise we RAZ.
-     gicv3_cpuif_virt_update(cs);
++     * If the board didn't configure the CPUs into clusters,
 +     * we default to "all CPUs in one cluster", which might be
 +     * more than the 4 that the hardware permits and which is
 +     * all you can report in this two-bit field. Saturate to
 +     * 0b11 (== 4 CPUs) rather than overflowing the field.
 +     */
 +    return MIN(cpu->core_count - 1, 3) << 24;
  }
  static const ARMCPRegInfo cortex_a72_a57_a53_cp_reginfo[] = {
 --
-.20.1
+.34.1

-[Qemu-devel] [PULL 06/12] arm: Rename hw/arm/arm.h to hw/arm/boot.h
+[PULL 28/29] hw/arm/vexpress: Avoid trivial memory leak of 'flashalias'
-The header file hw/arm/arm.h now includes only declarations
+In the vexpress board code, we allocate a new MemoryRegion at the top
-relating to hw/arm/boot.c functionality. Rename it accordingly,
+of vexpress_common_init() but only set it up and use it inside the
-and adjust its header comment.
+"if (map[VE_NORFLASHALIAS] != -1)" conditional, so we leak it if not.
 This isn't a very interesting leak as it's a tiny amount of memory
 once at startup, but it's easy to fix.
-The bulk of this commit was created via
+We could silence Coverity simply by moving the g_new() into the
- perl -pi -e 's|hw/arm/arm.h|hw/arm/boot.h|' hw/arm/*.c include/hw/arm/*.h
+if() block, but this use of g_new(MemoryRegion, 1) is a legacy from
 when this board model was originally written; we wouldn't do that
 if we wrote it today. The MemoryRegions are conceptually a part of
 the board and must not go away until the whole board is done with
 (at the end of the simulation), so they belong in its state struct.
-In a few cases we can just delete the #include:
+This machine already has a VexpressMachineState struct that extends
-hw/arm/msf2-soc.c, include/hw/arm/aspeed_soc.h and
+MachineState, so statically put the MemoryRegions in there instead of
-include/hw/arm/bcm2836.h did not require it.
+dynamically allocating them separately at runtime.
 Spotted by Coverity (CID 1509083).
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Message-id: 20190516163857.6430-4-peter.maydell@linaro.org
+Message-id: 20230512170223.3801643-3-peter.maydell@linaro.org
 ---
- include/hw/arm/allwinner-a10.h   | 2 +-
+ hw/arm/vexpress.c | 40 ++++++++++++++++++++--------------------
- include/hw/arm/aspeed_soc.h      | 1 -
+file changed, 20 insertions(+), 20 deletions(-)
  include/hw/arm/bcm2836.h         | 1 -
  include/hw/arm/{arm.h => boot.h} | 8 ++++----
  include/hw/arm/fsl-imx25.h       | 2 +-
  include/hw/arm/fsl-imx31.h       | 2 +-
  include/hw/arm/fsl-imx6.h        | 2 +-
  include/hw/arm/fsl-imx6ul.h      | 2 +-
  include/hw/arm/fsl-imx7.h        | 2 +-
  include/hw/arm/virt.h            | 2 +-
  include/hw/arm/xlnx-versal.h     | 2 +-
  include/hw/arm/xlnx-zynqmp.h     | 2 +-
  hw/arm/armsse.c                  | 2 +-
  hw/arm/armv7m.c                  | 2 +-
  hw/arm/aspeed.c                  | 2 +-
  hw/arm/boot.c                    | 2 +-
  hw/arm/collie.c                  | 2 +-
  hw/arm/exynos4210.c              | 2 +-
  hw/arm/exynos4_boards.c          | 2 +-
  hw/arm/highbank.c                | 2 +-
  hw/arm/integratorcp.c            | 2 +-
  hw/arm/mainstone.c               | 2 +-
  hw/arm/microbit.c                | 2 +-
  hw/arm/mps2-tz.c                 | 2 +-
  hw/arm/mps2.c                    | 2 +-
  hw/arm/msf2-soc.c                | 1 -
  hw/arm/msf2-som.c                | 2 +-
  hw/arm/musca.c                   | 2 +-
  hw/arm/musicpal.c                | 2 +-
  hw/arm/netduino2.c               | 2 +-
  hw/arm/nrf51_soc.c               | 2 +-
  hw/arm/nseries.c                 | 2 +-
  hw/arm/omap1.c                   | 2 +-
  hw/arm/omap2.c                   | 2 +-
  hw/arm/omap_sx1.c                | 2 +-
  hw/arm/palm.c                    | 2 +-
  hw/arm/raspi.c                   | 2 +-
  hw/arm/realview.c                | 2 +-
  hw/arm/spitz.c                   | 2 +-
  hw/arm/stellaris.c               | 2 +-
  hw/arm/stm32f205_soc.c           | 2 +-
  hw/arm/strongarm.c               | 2 +-
  hw/arm/tosa.c                    | 2 +-
  hw/arm/versatilepb.c             | 2 +-
  hw/arm/vexpress.c                | 2 +-
  hw/arm/virt.c                    | 2 +-
  hw/arm/xilinx_zynq.c             | 2 +-
  hw/arm/xlnx-versal.c             | 2 +-
  hw/arm/z2.c                      | 2 +-
 files changed, 49 insertions(+), 52 deletions(-)
  rename include/hw/arm/{arm.h => boot.h} (98%)
-diff --git a/include/hw/arm/allwinner-a10.h b/include/hw/arm/allwinner-a10.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/allwinner-a10.h
-+++ b/include/hw/arm/allwinner-a10.h
-@@ -XXX,XX +XXX,XX @@
- #include "qemu-common.h"
- #include "qemu/error-report.h"
- #include "hw/char/serial.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/timer/allwinner-a10-pit.h"
- #include "hw/intc/allwinner-a10-pic.h"
- #include "hw/net/allwinner_emac.h"
-diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/aspeed_soc.h
-+++ b/include/hw/arm/aspeed_soc.h
-@@ -XXX,XX +XXX,XX @@
- #ifndef ASPEED_SOC_H
- #define ASPEED_SOC_H
--#include "hw/arm/arm.h"
- #include "hw/intc/aspeed_vic.h"
- #include "hw/misc/aspeed_scu.h"
- #include "hw/misc/aspeed_sdmc.h"
-diff --git a/include/hw/arm/bcm2836.h b/include/hw/arm/bcm2836.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/bcm2836.h
-+++ b/include/hw/arm/bcm2836.h
-@@ -XXX,XX +XXX,XX @@
- #ifndef BCM2836_H
- #define BCM2836_H
--#include "hw/arm/arm.h"
- #include "hw/arm/bcm2835_peripherals.h"
- #include "hw/intc/bcm2836_control.h"
-diff --git a/include/hw/arm/arm.h b/include/hw/arm/boot.h
-similarity index 98%
-rename from include/hw/arm/arm.h
-rename to include/hw/arm/boot.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/arm.h
-+++ b/include/hw/arm/boot.h
-@@ -XXX,XX +XXX,XX @@
- /*
-- * Misc ARM declarations
-+ * ARM kernel loader.
-  *
-  * Copyright (c) 2006 CodeSourcery.
-  * Written by Paul Brook
-@@ -XXX,XX +XXX,XX @@
-  *
-  */
--#ifndef HW_ARM_H
--#define HW_ARM_H
-+#ifndef HW_ARM_BOOT_H
-+#define HW_ARM_BOOT_H
- #include "exec/memory.h"
- #include "target/arm/cpu-qom.h"
-@@ -XXX,XX +XXX,XX @@ void arm_write_secure_board_setup_dummy_smc(ARMCPU *cpu,
-                                             const struct arm_boot_info *info,
-                                             hwaddr mvbar_addr);
--#endif /* HW_ARM_H */
-+#endif /* HW_ARM_BOOT_H */
-diff --git a/include/hw/arm/fsl-imx25.h b/include/hw/arm/fsl-imx25.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/fsl-imx25.h
-+++ b/include/hw/arm/fsl-imx25.h
-@@ -XXX,XX +XXX,XX @@
- #ifndef FSL_IMX25_H
- #define FSL_IMX25_H
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/intc/imx_avic.h"
- #include "hw/misc/imx25_ccm.h"
- #include "hw/char/imx_serial.h"
-diff --git a/include/hw/arm/fsl-imx31.h b/include/hw/arm/fsl-imx31.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/fsl-imx31.h
-+++ b/include/hw/arm/fsl-imx31.h
-@@ -XXX,XX +XXX,XX @@
- #ifndef FSL_IMX31_H
- #define FSL_IMX31_H
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/intc/imx_avic.h"
- #include "hw/misc/imx31_ccm.h"
- #include "hw/char/imx_serial.h"
-diff --git a/include/hw/arm/fsl-imx6.h b/include/hw/arm/fsl-imx6.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/fsl-imx6.h
-+++ b/include/hw/arm/fsl-imx6.h
-@@ -XXX,XX +XXX,XX @@
- #ifndef FSL_IMX6_H
- #define FSL_IMX6_H
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/cpu/a9mpcore.h"
- #include "hw/misc/imx6_ccm.h"
- #include "hw/misc/imx6_src.h"
-diff --git a/include/hw/arm/fsl-imx6ul.h b/include/hw/arm/fsl-imx6ul.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/fsl-imx6ul.h
-+++ b/include/hw/arm/fsl-imx6ul.h
-@@ -XXX,XX +XXX,XX @@
- #ifndef FSL_IMX6UL_H
- #define FSL_IMX6UL_H
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/cpu/a15mpcore.h"
- #include "hw/misc/imx6ul_ccm.h"
- #include "hw/misc/imx6_src.h"
-diff --git a/include/hw/arm/fsl-imx7.h b/include/hw/arm/fsl-imx7.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/fsl-imx7.h
-+++ b/include/hw/arm/fsl-imx7.h
-@@ -XXX,XX +XXX,XX @@
- #ifndef FSL_IMX7_H
- #define FSL_IMX7_H
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/cpu/a15mpcore.h"
- #include "hw/intc/imx_gpcv2.h"
- #include "hw/misc/imx7_ccm.h"
-diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/virt.h
-+++ b/include/hw/arm/virt.h
-@@ -XXX,XX +XXX,XX @@
- #include "exec/hwaddr.h"
- #include "qemu/notify.h"
- #include "hw/boards.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/block/flash.h"
- #include "sysemu/kvm.h"
- #include "hw/intc/arm_gicv3_common.h"
-diff --git a/include/hw/arm/xlnx-versal.h b/include/hw/arm/xlnx-versal.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/xlnx-versal.h
-+++ b/include/hw/arm/xlnx-versal.h
-@@ -XXX,XX +XXX,XX @@
- #define XLNX_VERSAL_H
- #include "hw/sysbus.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/intc/arm_gicv3.h"
- #define TYPE_XLNX_VERSAL "xlnx-versal"
-diff --git a/include/hw/arm/xlnx-zynqmp.h b/include/hw/arm/xlnx-zynqmp.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/xlnx-zynqmp.h
-+++ b/include/hw/arm/xlnx-zynqmp.h
-@@ -XXX,XX +XXX,XX @@
- #ifndef XLNX_ZYNQMP_H
- #include "qemu-common.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/intc/arm_gic.h"
- #include "hw/net/cadence_gem.h"
- #include "hw/char/cadence_uart.h"
-diff --git a/hw/arm/armsse.c b/hw/arm/armsse.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/armsse.c
-+++ b/hw/arm/armsse.c
-@@ -XXX,XX +XXX,XX @@
- #include "hw/sysbus.h"
- #include "hw/registerfields.h"
- #include "hw/arm/armsse.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- /* Format of the System Information block SYS_CONFIG register */
- typedef enum SysConfigFormat {
-diff --git a/hw/arm/armv7m.c b/hw/arm/armv7m.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/armv7m.c
-+++ b/hw/arm/armv7m.c
-@@ -XXX,XX +XXX,XX @@
- #include "qemu-common.h"
- #include "cpu.h"
- #include "hw/sysbus.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/loader.h"
- #include "elf.h"
- #include "sysemu/qtest.h"
-diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed.c
-+++ b/hw/arm/aspeed.c
-@@ -XXX,XX +XXX,XX @@
- #include "qemu-common.h"
- #include "cpu.h"
- #include "exec/address-spaces.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/arm/aspeed.h"
- #include "hw/arm/aspeed_soc.h"
- #include "hw/boards.h"
-diff --git a/hw/arm/boot.c b/hw/arm/boot.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/boot.c
-+++ b/hw/arm/boot.c
-@@ -XXX,XX +XXX,XX @@
- #include "qapi/error.h"
- #include <libfdt.h>
- #include "hw/hw.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/arm/linux-boot-if.h"
- #include "sysemu/kvm.h"
- #include "sysemu/sysemu.h"
-diff --git a/hw/arm/collie.c b/hw/arm/collie.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/collie.c
-+++ b/hw/arm/collie.c
-@@ -XXX,XX +XXX,XX @@
- #include "hw/sysbus.h"
- #include "hw/boards.h"
- #include "strongarm.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/block/flash.h"
- #include "exec/address-spaces.h"
- #include "cpu.h"
-diff --git a/hw/arm/exynos4210.c b/hw/arm/exynos4210.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/exynos4210.c
-+++ b/hw/arm/exynos4210.c
-@@ -XXX,XX +XXX,XX @@
- #include "hw/boards.h"
- #include "sysemu/sysemu.h"
- #include "hw/sysbus.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/loader.h"
- #include "hw/arm/exynos4210.h"
- #include "hw/sd/sdhci.h"
-diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/exynos4_boards.c
-+++ b/hw/arm/exynos4_boards.c
-@@ -XXX,XX +XXX,XX @@
- #include "sysemu/sysemu.h"
- #include "hw/sysbus.h"
- #include "net/net.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "exec/address-spaces.h"
- #include "hw/arm/exynos4210.h"
- #include "hw/net/lan9118.h"
-diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/highbank.c
-+++ b/hw/arm/highbank.c
-@@ -XXX,XX +XXX,XX @@
- #include "qemu/osdep.h"
- #include "qapi/error.h"
- #include "hw/sysbus.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/loader.h"
- #include "net/net.h"
- #include "sysemu/kvm.h"
-diff --git a/hw/arm/integratorcp.c b/hw/arm/integratorcp.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/integratorcp.c
-+++ b/hw/arm/integratorcp.c
-@@ -XXX,XX +XXX,XX @@
- #include "cpu.h"
- #include "hw/sysbus.h"
- #include "hw/boards.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/misc/arm_integrator_debug.h"
- #include "hw/net/smc91c111.h"
- #include "net/net.h"
-diff --git a/hw/arm/mainstone.c b/hw/arm/mainstone.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/mainstone.c
-+++ b/hw/arm/mainstone.c
-@@ -XXX,XX +XXX,XX @@
- #include "qapi/error.h"
- #include "hw/hw.h"
- #include "hw/arm/pxa.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "net/net.h"
- #include "hw/net/smc91c111.h"
- #include "hw/boards.h"
-diff --git a/hw/arm/microbit.c b/hw/arm/microbit.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/microbit.c
-+++ b/hw/arm/microbit.c
-@@ -XXX,XX +XXX,XX @@
- #include "qemu/osdep.h"
- #include "qapi/error.h"
- #include "hw/boards.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "sysemu/sysemu.h"
- #include "exec/address-spaces.h"
-diff --git a/hw/arm/mps2-tz.c b/hw/arm/mps2-tz.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/mps2-tz.c
-+++ b/hw/arm/mps2-tz.c
-@@ -XXX,XX +XXX,XX @@
- #include "qemu/osdep.h"
- #include "qapi/error.h"
- #include "qemu/error-report.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/arm/armv7m.h"
- #include "hw/or-irq.h"
- #include "hw/boards.h"
-diff --git a/hw/arm/mps2.c b/hw/arm/mps2.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/mps2.c
-+++ b/hw/arm/mps2.c
-@@ -XXX,XX +XXX,XX @@
- #include "qemu/osdep.h"
- #include "qapi/error.h"
- #include "qemu/error-report.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/arm/armv7m.h"
- #include "hw/or-irq.h"
- #include "hw/boards.h"
-diff --git a/hw/arm/msf2-soc.c b/hw/arm/msf2-soc.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/msf2-soc.c
-+++ b/hw/arm/msf2-soc.c
-@@ -XXX,XX +XXX,XX @@
- #include "qemu/units.h"
- #include "qapi/error.h"
- #include "qemu-common.h"
--#include "hw/arm/arm.h"
- #include "exec/address-spaces.h"
- #include "hw/char/serial.h"
- #include "hw/boards.h"
-diff --git a/hw/arm/msf2-som.c b/hw/arm/msf2-som.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/msf2-som.c
-+++ b/hw/arm/msf2-som.c
-@@ -XXX,XX +XXX,XX @@
- #include "qapi/error.h"
- #include "qemu/error-report.h"
- #include "hw/boards.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "exec/address-spaces.h"
- #include "hw/arm/msf2-soc.h"
- #include "cpu.h"
-diff --git a/hw/arm/musca.c b/hw/arm/musca.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/musca.c
-+++ b/hw/arm/musca.c
-@@ -XXX,XX +XXX,XX @@
- #include "qapi/error.h"
- #include "exec/address-spaces.h"
- #include "sysemu/sysemu.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/arm/armsse.h"
- #include "hw/boards.h"
- #include "hw/char/pl011.h"
-diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/musicpal.c
-+++ b/hw/arm/musicpal.c
-@@ -XXX,XX +XXX,XX @@
- #include "qemu-common.h"
- #include "cpu.h"
- #include "hw/sysbus.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "net/net.h"
- #include "sysemu/sysemu.h"
- #include "hw/boards.h"
-diff --git a/hw/arm/netduino2.c b/hw/arm/netduino2.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/netduino2.c
-+++ b/hw/arm/netduino2.c
-@@ -XXX,XX +XXX,XX @@
- #include "hw/boards.h"
- #include "qemu/error-report.h"
- #include "hw/arm/stm32f205_soc.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- static void netduino2_init(MachineState *machine)
- {
-diff --git a/hw/arm/nrf51_soc.c b/hw/arm/nrf51_soc.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/nrf51_soc.c
-+++ b/hw/arm/nrf51_soc.c
-@@ -XXX,XX +XXX,XX @@
- #include "qemu/osdep.h"
- #include "qapi/error.h"
- #include "qemu-common.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/sysbus.h"
- #include "hw/boards.h"
- #include "hw/misc/unimp.h"
-diff --git a/hw/arm/nseries.c b/hw/arm/nseries.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/nseries.c
-+++ b/hw/arm/nseries.c
-@@ -XXX,XX +XXX,XX @@
- #include "qemu/bswap.h"
- #include "sysemu/sysemu.h"
- #include "hw/arm/omap.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/irq.h"
- #include "ui/console.h"
- #include "hw/boards.h"
-diff --git a/hw/arm/omap1.c b/hw/arm/omap1.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/omap1.c
-+++ b/hw/arm/omap1.c
-@@ -XXX,XX +XXX,XX @@
- #include "cpu.h"
- #include "hw/boards.h"
- #include "hw/hw.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/arm/omap.h"
- #include "sysemu/sysemu.h"
- #include "hw/arm/soc_dma.h"
-diff --git a/hw/arm/omap2.c b/hw/arm/omap2.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/omap2.c
-+++ b/hw/arm/omap2.c
-@@ -XXX,XX +XXX,XX @@
- #include "sysemu/qtest.h"
- #include "hw/boards.h"
- #include "hw/hw.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/arm/omap.h"
- #include "sysemu/sysemu.h"
- #include "qemu/timer.h"
-diff --git a/hw/arm/omap_sx1.c b/hw/arm/omap_sx1.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/omap_sx1.c
-+++ b/hw/arm/omap_sx1.c
-@@ -XXX,XX +XXX,XX @@
- #include "ui/console.h"
- #include "hw/arm/omap.h"
- #include "hw/boards.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/block/flash.h"
- #include "sysemu/qtest.h"
- #include "exec/address-spaces.h"
-diff --git a/hw/arm/palm.c b/hw/arm/palm.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/palm.c
-+++ b/hw/arm/palm.c
-@@ -XXX,XX +XXX,XX @@
- #include "ui/console.h"
- #include "hw/arm/omap.h"
- #include "hw/boards.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/input/tsc2xxx.h"
- #include "hw/loader.h"
- #include "exec/address-spaces.h"
-diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/raspi.c
-+++ b/hw/arm/raspi.c
-@@ -XXX,XX +XXX,XX @@
- #include "qemu/error-report.h"
- #include "hw/boards.h"
- #include "hw/loader.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "sysemu/sysemu.h"
- #define SMPBOOT_ADDR    0x300 /* this should leave enough space for ATAGS */
-diff --git a/hw/arm/realview.c b/hw/arm/realview.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/realview.c
-+++ b/hw/arm/realview.c
-@@ -XXX,XX +XXX,XX @@
- #include "qemu-common.h"
- #include "cpu.h"
- #include "hw/sysbus.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/arm/primecell.h"
- #include "hw/net/lan9118.h"
- #include "hw/net/smc91c111.h"
-diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/spitz.c
-+++ b/hw/arm/spitz.c
-@@ -XXX,XX +XXX,XX @@
- #include "qapi/error.h"
- #include "hw/hw.h"
- #include "hw/arm/pxa.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "sysemu/sysemu.h"
- #include "hw/pcmcia.h"
- #include "hw/i2c/i2c.h"
-diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/stellaris.c
-+++ b/hw/arm/stellaris.c
-@@ -XXX,XX +XXX,XX @@
- #include "qapi/error.h"
- #include "hw/sysbus.h"
- #include "hw/ssi/ssi.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "qemu/timer.h"
- #include "hw/i2c/i2c.h"
- #include "net/net.h"
-diff --git a/hw/arm/stm32f205_soc.c b/hw/arm/stm32f205_soc.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/stm32f205_soc.c
-+++ b/hw/arm/stm32f205_soc.c
-@@ -XXX,XX +XXX,XX @@
- #include "qemu/osdep.h"
- #include "qapi/error.h"
- #include "qemu-common.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "exec/address-spaces.h"
- #include "hw/arm/stm32f205_soc.h"
-diff --git a/hw/arm/strongarm.c b/hw/arm/strongarm.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/strongarm.c
-+++ b/hw/arm/strongarm.c
-@@ -XXX,XX +XXX,XX @@
- #include "hw/sysbus.h"
- #include "strongarm.h"
- #include "qemu/error-report.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "chardev/char-fe.h"
- #include "chardev/char-serial.h"
- #include "sysemu/sysemu.h"
-diff --git a/hw/arm/tosa.c b/hw/arm/tosa.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/tosa.c
-+++ b/hw/arm/tosa.c
-@@ -XXX,XX +XXX,XX @@
- #include "qapi/error.h"
- #include "hw/hw.h"
- #include "hw/arm/pxa.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/arm/sharpsl.h"
- #include "hw/pcmcia.h"
- #include "hw/boards.h"
-diff --git a/hw/arm/versatilepb.c b/hw/arm/versatilepb.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/versatilepb.c
-+++ b/hw/arm/versatilepb.c
-@@ -XXX,XX +XXX,XX @@
- #include "qemu-common.h"
- #include "cpu.h"
- #include "hw/sysbus.h"
--#include "hw/arm/arm.h"
-+#include "hw/arm/boot.h"
- #include "hw/net/smc91c111.h"
- #include "net/net.h"
- #include "sysemu/sysemu.h"
 diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/vexpress.c
 +++ b/hw/arm/vexpress.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ struct VexpressMachineClass {
- #include "qemu-common.h"
- #include "cpu.h"
+ struct VexpressMachineState {
- #include "hw/sysbus.h"
+     MachineState parent;
--#include "hw/arm/arm.h"
++    MemoryRegion vram;
-+#include "hw/arm/boot.h"
++    MemoryRegion sram;
- #include "hw/arm/primecell.h"
++    MemoryRegion flashalias;
- #include "hw/net/lan9118.h"
++    MemoryRegion lowram;
- #include "hw/i2c/i2c.h"
++    MemoryRegion a15sram;
-diff --git a/hw/arm/virt.c b/hw/arm/virt.c
+     bool secure;
-index XXXXXXX..XXXXXXX 100644
+     bool virt;
---- a/hw/arm/virt.c
+ };
-+++ b/hw/arm/virt.c
+@@ -XXX,XX +XXX,XX @@ struct VexpressMachineState {
-@@ -XXX,XX +XXX,XX @@
+ #define TYPE_VEXPRESS_A15_MACHINE   MACHINE_TYPE_NAME("vexpress-a15")
- #include "qemu/option.h"
+ OBJECT_DECLARE_TYPE(VexpressMachineState, VexpressMachineClass, VEXPRESS_MACHINE)
- #include "qapi/error.h"
- #include "hw/sysbus.h"
+-typedef void DBoardInitFn(const VexpressMachineState *machine,
--#include "hw/arm/arm.h"
++typedef void DBoardInitFn(VexpressMachineState *machine,
-+#include "hw/arm/boot.h"
+                           ram_addr_t ram_size,
- #include "hw/arm/primecell.h"
+                           const char *cpu_type,
- #include "hw/arm/virt.h"
+                           qemu_irq *pic);
- #include "hw/block/flash.h"
+@@ -XXX,XX +XXX,XX @@ static void init_cpus(MachineState *ms, const char *cpu_type,
-diff --git a/hw/arm/xilinx_zynq.c b/hw/arm/xilinx_zynq.c
+     }
-index XXXXXXX..XXXXXXX 100644
+ }
---- a/hw/arm/xilinx_zynq.c
-+++ b/hw/arm/xilinx_zynq.c
+-static void a9_daughterboard_init(const VexpressMachineState *vms,
-@@ -XXX,XX +XXX,XX @@
++static void a9_daughterboard_init(VexpressMachineState *vms,
- #include "qemu-common.h"
+                                   ram_addr_t ram_size,
- #include "cpu.h"
+                                   const char *cpu_type,
- #include "hw/sysbus.h"
+                                   qemu_irq *pic)
--#include "hw/arm/arm.h"
+ {
-+#include "hw/arm/boot.h"
+     MachineState *machine = MACHINE(vms);
- #include "net/net.h"
+     MemoryRegion *sysmem = get_system_memory();
- #include "exec/address-spaces.h"
+-    MemoryRegion *lowram = g_new(MemoryRegion, 1);
- #include "sysemu/sysemu.h"
+     ram_addr_t low_ram_size;
-diff --git a/hw/arm/xlnx-versal.c b/hw/arm/xlnx-versal.c
-index XXXXXXX..XXXXXXX 100644
+     if (ram_size > 0x40000000) {
---- a/hw/arm/xlnx-versal.c
+@@ -XXX,XX +XXX,XX @@ static void a9_daughterboard_init(const VexpressMachineState *vms,
-+++ b/hw/arm/xlnx-versal.c
+      * address space should in theory be remappable to various
-@@ -XXX,XX +XXX,XX @@
+      * things including ROM or RAM; we always map the RAM there.
- #include "net/net.h"
+      */
- #include "sysemu/sysemu.h"
+-    memory_region_init_alias(lowram, NULL, "vexpress.lowmem", machine->ram,
- #include "sysemu/kvm.h"
+-                             0, low_ram_size);
--#include "hw/arm/arm.h"
+-    memory_region_add_subregion(sysmem, 0x0, lowram);
-+#include "hw/arm/boot.h"
++    memory_region_init_alias(&vms->lowram, NULL, "vexpress.lowmem",
- #include "kvm_arm.h"
++                             machine->ram, 0, low_ram_size);
- #include "hw/misc/unimp.h"
++    memory_region_add_subregion(sysmem, 0x0, &vms->lowram);
- #include "hw/intc/arm_gicv3_common.h"
+     memory_region_add_subregion(sysmem, 0x60000000, machine->ram);
-diff --git a/hw/arm/z2.c b/hw/arm/z2.c
-index XXXXXXX..XXXXXXX 100644
+     /* 0x1e000000 A9MPCore (SCU) private memory region */
---- a/hw/arm/z2.c
+@@ -XXX,XX +XXX,XX @@ static VEDBoardInfo a9_daughterboard = {
-+++ b/hw/arm/z2.c
+     .init = a9_daughterboard_init,
-@@ -XXX,XX +XXX,XX @@
+ };
- #include "qemu/osdep.h"
- #include "hw/hw.h"
+-static void a15_daughterboard_init(const VexpressMachineState *vms,
- #include "hw/arm/pxa.h"
++static void a15_daughterboard_init(VexpressMachineState *vms,
--#include "hw/arm/arm.h"
+                                    ram_addr_t ram_size,
-+#include "hw/arm/boot.h"
+                                    const char *cpu_type,
- #include "hw/i2c/i2c.h"
+                                    qemu_irq *pic)
- #include "hw/ssi/ssi.h"
+ {
- #include "hw/boards.h"
+     MachineState *machine = MACHINE(vms);
      MemoryRegion *sysmem = get_system_memory();
 -    MemoryRegion *sram = g_new(MemoryRegion, 1);
      {
          /* We have to use a separate 64 bit variable here to avoid the gcc
@@ -XXX,XX +XXX,XX @@ static void a15_daughterboard_init(const VexpressMachineState *vms,
      /* 0x2b060000: SP805 watchdog: not modelled */
      /* 0x2b0a0000: PL341 dynamic memory controller: not modelled */
      /* 0x2e000000: system SRAM */
 -    memory_region_init_ram(sram, NULL, "vexpress.a15sram", 0x10000,
 +    memory_region_init_ram(&vms->a15sram, NULL, "vexpress.a15sram", 0x10000,
                             &error_fatal);
 -    memory_region_add_subregion(sysmem, 0x2e000000, sram);
 +    memory_region_add_subregion(sysmem, 0x2e000000, &vms->a15sram);
      /* 0x7ffb0000: DMA330 DMA controller: not modelled */
      /* 0x7ffd0000: PL354 static memory controller: not modelled */
@@ -XXX,XX +XXX,XX @@ static void vexpress_common_init(MachineState *machine)
      I2CBus *i2c;
      ram_addr_t vram_size, sram_size;
      MemoryRegion *sysmem = get_system_memory();
 -    MemoryRegion *vram = g_new(MemoryRegion, 1);
 -    MemoryRegion *sram = g_new(MemoryRegion, 1);
 -    MemoryRegion *flashalias = g_new(MemoryRegion, 1);
 -    MemoryRegion *flash0mem;
      const hwaddr *map = daughterboard->motherboard_map;
      int i;
@@ -XXX,XX +XXX,XX @@ static void vexpress_common_init(MachineState *machine)
      if (map[VE_NORFLASHALIAS] != -1) {
          /* Map flash 0 as an alias into low memory */
 +        MemoryRegion *flash0mem;
          flash0mem = sysbus_mmio_get_region(SYS_BUS_DEVICE(pflash0), 0);
 -        memory_region_init_alias(flashalias, NULL, "vexpress.flashalias",
 +        memory_region_init_alias(&vms->flashalias, NULL, "vexpress.flashalias",
                                   flash0mem, 0, VEXPRESS_FLASH_SIZE);
 -        memory_region_add_subregion(sysmem, map[VE_NORFLASHALIAS], flashalias);
 +        memory_region_add_subregion(sysmem, map[VE_NORFLASHALIAS], &vms->flashalias);
      }
      dinfo = drive_get(IF_PFLASH, 0, 1);
      ve_pflash_cfi01_register(map[VE_NORFLASH1], "vexpress.flash1", dinfo);
      sram_size = 0x2000000;
 -    memory_region_init_ram(sram, NULL, "vexpress.sram", sram_size,
 +    memory_region_init_ram(&vms->sram, NULL, "vexpress.sram", sram_size,
                             &error_fatal);
 -    memory_region_add_subregion(sysmem, map[VE_SRAM], sram);
 +    memory_region_add_subregion(sysmem, map[VE_SRAM], &vms->sram);
      vram_size = 0x800000;
 -    memory_region_init_ram(vram, NULL, "vexpress.vram", vram_size,
 +    memory_region_init_ram(&vms->vram, NULL, "vexpress.vram", vram_size,
                             &error_fatal);
 -    memory_region_add_subregion(sysmem, map[VE_VIDEORAM], vram);
 +    memory_region_add_subregion(sysmem, map[VE_VIDEORAM], &vms->vram);
      /* 0x4e000000 LAN9118 Ethernet */
      if (nd_table[0].used) {
 --
-.20.1
+.34.1

-[Qemu-devel] [PULL 04/12] arm: Move system_clock_scale to armv7m_systick.h
+[PULL 29/29] docs: Convert u2f.txt to rST
-The system_clock_scale global is used only by the armv7m systick
+Convert the u2f.txt file to rST, and place it in the right place
-device; move the extern declaration to the armv7m_systick.h header,
+in our manual layout. The old text didn't fit very well into our
-and expand the comment to explain what it is and that it should
+manual style, so the new version ends up looking like a rewrite,
-ideally be replaced with a different approach.
+although some of the original text is preserved:
  * the 'building' section of the old file is removed, since we
    generally assume that users have already built QEMU
  * some rather verbose text has been cut back
  * document the passthrough device first, on the assumption
    that's most likely to be of interest to users
  * cut back on the duplication of text between sections
  * format example command lines etc with rST
 As it's a short document it seemed simplest to do this all
 in one go rather than try to do a minimal syntactic conversion
 and then clean up the wording and layout.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
-Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20230421163734.1152076-1-peter.maydell@linaro.org
 Message-id: 20190516163857.6430-2-peter.maydell@linaro.org
 ---
- include/hw/arm/arm.h              |  4 ----
+ docs/system/device-emulation.rst |   1 +
- include/hw/timer/armv7m_systick.h | 22 ++++++++++++++++++++++
+ docs/system/devices/usb-u2f.rst  |  93 ++++++++++++++++++++++++++
-files changed, 22 insertions(+), 4 deletions(-)
+ docs/system/devices/usb.rst      |   2 +-
+ docs/u2f.txt                     | 110 -------------------------------
-diff --git a/include/hw/arm/arm.h b/include/hw/arm/arm.h
+files changed, 95 insertions(+), 111 deletions(-)
  create mode 100644 docs/system/devices/usb-u2f.rst
  delete mode 100644 docs/u2f.txt
 diff --git a/docs/system/device-emulation.rst b/docs/system/device-emulation.rst
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/arm.h
+--- a/docs/system/device-emulation.rst
-+++ b/include/hw/arm/arm.h
++++ b/docs/system/device-emulation.rst
-@@ -XXX,XX +XXX,XX @@ void arm_write_secure_board_setup_dummy_smc(ARMCPU *cpu,
+@@ -XXX,XX +XXX,XX @@ Emulated Devices
-                                             const struct arm_boot_info *info,
+    devices/virtio-pmem.rst
-                                             hwaddr mvbar_addr);
+    devices/vhost-user-rng.rst
+    devices/canokey.rst
--/* Multiplication factor to convert from system clock ticks to qemu timer
++   devices/usb-u2f.rst
--   ticks.  */
+    devices/igb.rst
--extern int system_clock_scale;
+diff --git a/docs/system/devices/usb-u2f.rst b/docs/system/devices/usb-u2f.rst
--
+new file mode 100644
- #endif /* HW_ARM_H */
+index XXXXXXX..XXXXXXX
-diff --git a/include/hw/timer/armv7m_systick.h b/include/hw/timer/armv7m_systick.h
+--- /dev/null
 +++ b/docs/system/devices/usb-u2f.rst
@@ -XXX,XX +XXX,XX @@
 +Universal Second Factor (U2F) USB Key Device
 +============================================
 +
 +U2F is an open authentication standard that enables relying parties
 +exposed to the internet to offer a strong second factor option for end
 +user authentication.
 +
 +The second factor is provided by a device implementing the U2F
 +protocol. In case of a USB U2F security key, it is a USB HID device
 +that implements the U2F protocol.
 +
 +QEMU supports both pass-through of a host U2F key device to a VM,
 +and software emulation of a U2F key.
 +
 +``u2f-passthru``
 +----------------
 +
 +The ``u2f-passthru`` device allows you to connect a real hardware
 +U2F key on your host to a guest VM. All requests made from the guest
 +are passed through to the physical security key connected to the
 +host machine and vice versa.
 +
 +In addition, the dedicated pass-through allows you to share a single
 +U2F security key with several guest VMs, which is not possible with a
 +simple host device assignment pass-through.
 +
 +You can specify the host U2F key to use with the ``hidraw``
 +option, which takes the host path to a Linux ``/dev/hidrawN`` device:
 +
 +.. parsed-literal::
 +   |qemu_system| -usb -device u2f-passthru,hidraw=/dev/hidraw0
 +
 +If you don't specify the device, the ``u2f-passthru`` device will
 +autoscan to take the first U2F device it finds on the host (this
 +requires a working libudev):
 +
 +.. parsed-literal::
 +   |qemu_system| -usb -device u2f-passthru
 +
 +``u2f-emulated``
 +----------------
 +
 +``u2f-emulated`` is a completely software emulated U2F device.
 +It uses `libu2f-emu <https://github.com/MattGorko/libu2f-emu>`__
 +for the U2F key emulation. libu2f-emu
 +provides a complete implementation of the U2F protocol device part for
 +all specified transports given by the FIDO Alliance.
 +
 +To work, an emulated U2F device must have four elements:
 +
 + * ec x509 certificate
 + * ec private key
 + * counter (four bytes value)
 + * 48 bytes of entropy (random bits)
 +
 +To use this type of device, these have to be configured, and these
 +four elements must be passed one way or another.
 +
 +Assuming that you have a working libu2f-emu installed on the host,
 +there are three possible ways to configure the ``u2f-emulated`` device:
 +
 + * ephemeral
 + * setup directory
 + * manual
 +
 +Ephemeral is the simplest way to configure; it lets the device generate
 +all the elements it needs for a single use of the lifetime of the device.
 +It is the default if you do not pass any other options to the device.
 +
 +.. parsed-literal::
 +   |qemu_system| -usb -device u2f-emulated
 +
 +You can pass the device the path of a setup directory on the host
 +using the ``dir`` option; the directory must contain these four files:
 +
 + * ``certificate.pem``: ec x509 certificate
 + * ``private-key.pem``: ec private key
 + * ``counter``: counter value
 + * ``entropy``: 48 bytes of entropy
 +
 +.. parsed-literal::
 +   |qemu_system| -usb -device u2f-emulated,dir=$dir
 +
 +You can also manually pass the device the paths to each of these files,
 +if you don't want them all to be in the same directory, using the options
 +
 + * ``cert``
 + * ``priv``
 + * ``counter``
 + * ``entropy``
 +
 +.. parsed-literal::
 +   |qemu_system| -usb -device u2f-emulated,cert=$DIR1/$FILE1,priv=$DIR2/$FILE2,counter=$DIR3/$FILE3,entropy=$DIR4/$FILE4
 diff --git a/docs/system/devices/usb.rst b/docs/system/devices/usb.rst
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/timer/armv7m_systick.h
+--- a/docs/system/devices/usb.rst
-+++ b/include/hw/timer/armv7m_systick.h
++++ b/docs/system/devices/usb.rst
-@@ -XXX,XX +XXX,XX @@ typedef struct SysTickState {
+@@ -XXX,XX +XXX,XX @@ option or the ``device_add`` monitor command. Available devices are:
-     qemu_irq irq;
+    USB audio device
- } SysTickState;
+ ``u2f-{emulated,passthru}``
-+/*
+-   Universal Second Factor device
-+ * Multiplication factor to convert from system clock ticks to qemu timer
++   :doc:`usb-u2f`
-+ * ticks. This should be set (by board code, usually) to a value
-+ * equal to NANOSECONDS_PER_SECOND / frq, where frq is the clock frequency
+ ``canokey``
-+ * in Hz of the CPU.
+    An Open-source Secure Key implementing FIDO2, OpenPGP, PIV and more.
-+ *
+diff --git a/docs/u2f.txt b/docs/u2f.txt
-+ * This value is used by the systick device when it is running in
+deleted file mode 100644
-+ * its "use the CPU clock" mode (ie when SYST_CSR.CLKSOURCE == 1) to
+index XXXXXXX..XXXXXXX
-+ * set how fast the timer should tick.
+--- a/docs/u2f.txt
-+ *
++++ /dev/null
-+ * TODO: we should refactor this so that rather than using a global
+@@ -XXX,XX +XXX,XX @@
-+ * we use a device property or something similar. This is complicated
+-QEMU U2F Key Device Documentation.
-+ * because (a) the property would need to be plumbed through from the
+-
-+ * board code down through various layers to the systick device
+-Contents
-+ * and (b) the property needs to be modifiable after realize, because
+-1. USB U2F key device
-+ * the stellaris board uses this to implement the behaviour where the
+-2. Building
-+ * guest can reprogram the PLL registers to downclock the CPU, and the
+-3. Using u2f-emulated
-+ * systick device needs to react accordingly. Possibly this should
+-4. Using u2f-passthru
-+ * be deferred until we have a good API for modelling clock trees.
+-5. Libu2f-emu
-+ */
+-
-+extern int system_clock_scale;
+-1. USB U2F key device
-+
+-
- #endif
+-U2F is an open authentication standard that enables relying parties
 -exposed to the internet to offer a strong second factor option for end
 -user authentication.
 -
 -The standard brings many advantages to both parties, client and server,
 -allowing to reduce over-reliance on passwords, it increases authentication
 -security and simplifies passwords.
 -
 -The second factor is materialized by a device implementing the U2F
 -protocol. In case of a USB U2F security key, it is a USB HID device
 -that implements the U2F protocol.
 -
 -In QEMU, the USB U2F key device offers a dedicated support of U2F, allowing
 -guest USB FIDO/U2F security keys operating in two possible modes:
 -pass-through and emulated.
 -
 -The pass-through mode consists of passing all requests made from the guest
 -to the physical security key connected to the host machine and vice versa.
 -In addition, the dedicated pass-through allows to have a U2F security key
 -shared on several guests which is not possible with a simple host device
 -assignment pass-through.
 -
 -The emulated mode consists of completely emulating the behavior of an
 -U2F device through software part. Libu2f-emu is used for that.
 -
 -
 -2. Building
 -
 -To ensure the build of the u2f-emulated device variant which depends
 -on libu2f-emu: configuring and building:
 -
 -    ./configure --enable-u2f && make
 -
 -The pass-through mode is built by default on Linux. To take advantage
 -of the autoscan option it provides, make sure you have a working libudev
 -installed on the host.
 -
 -
 -3. Using u2f-emulated
 -
 -To work, an emulated U2F device must have four elements:
 - * ec x509 certificate
 - * ec private key
 - * counter (four bytes value)
 - * 48 bytes of entropy (random bits)
 -
 -To use this type of device, this one has to be configured, and these
 -four elements must be passed one way or another.
 -
 -Assuming that you have a working libu2f-emu installed on the host.
 -There are three possible ways of configurations:
 - * ephemeral
 - * setup directory
 - * manual
 -
 -Ephemeral is the simplest way to configure, it lets the device generate
 -all the elements it needs for a single use of the lifetime of the device.
 -
 -    qemu -usb -device u2f-emulated
 -
 -Setup directory allows to configure the device from a directory containing
 -four files:
 - * certificate.pem: ec x509 certificate
 - * private-key.pem: ec private key
 - * counter: counter value
 - * entropy: 48 bytes of entropy
 -
 -    qemu -usb -device u2f-emulated,dir=$dir
 -
 -Manual allows to configure the device more finely by specifying each
 -of the elements necessary for the device:
 - * cert
 - * priv
 - * counter
 - * entropy
 -
 -    qemu -usb -device u2f-emulated,cert=$DIR1/$FILE1,priv=$DIR2/$FILE2,counter=$DIR3/$FILE3,entropy=$DIR4/$FILE4
 -
 -
 -4. Using u2f-passthru
 -
 -On the host specify the u2f-passthru device with a suitable hidraw:
 -
 -    qemu -usb -device u2f-passthru,hidraw=/dev/hidraw0
 -
 -Alternately, the u2f-passthru device can autoscan to take the first
 -U2F device it finds on the host (this requires a working libudev):
 -
 -    qemu -usb -device u2f-passthru
 -
 -
 -5. Libu2f-emu
 -
 -The u2f-emulated device uses libu2f-emu for the U2F key emulation. Libu2f-emu
 -implements completely the U2F protocol device part for all specified
 -transport given by the FIDO Alliance.
 -
 -For more information about libu2f-emu see this page:
 -https://github.com/MattGorko/libu2f-emu.
 --
-.20.1
+.34.1

Not very much here, but several people have fallen over
the vector operation segfault bug, so let's get the fix
into master.

thanks
-- PMM

The following changes since commit d418238dca7b4e0b124135827ead3076233052b1:

Merge remote-tracking branch 'remotes/rth/tags/pull-rng-20190522' into staging (2019-05-23 12:57:17 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190523

for you to fetch changes up to 98e4f4fdb8ea05d840f51f47125924c2bb9df2df:

hw/arm/exynos4210: QOM'ify the Exynos4210 SoC (2019-05-23 14:47:44 +0100)

----------------------------------------------------------------
target-arm queue:
 * exynos4210: QOM'ify the Exynos4210 SoC
 * exynos4210: Add DMA support for the Exynos4210
 * arm_gicv3: Fix writes to ICC_CTLR_EL3
 * arm_gicv3: Fix write of ICH_VMCR_EL2.{VBPR0, VBPR1}
 * target/arm: Fix vector operation segfault
 * target/arm: Minor improvements to BFXIL, EXTR

----------------------------------------------------------------
Alistair Francis (1):
      target/arm: Fix vector operation segfault

Guenter Roeck (1):
      hw/arm/exynos4210: Add DMA support for the Exynos4210

Peter Maydell (5):
      arm: Move system_clock_scale to armv7m_systick.h
      arm: Remove unnecessary includes of hw/arm/arm.h
      arm: Rename hw/arm/arm.h to hw/arm/boot.h
      hw/intc/arm_gicv3: Fix write of ICH_VMCR_EL2.{VBPR0, VBPR1}
      hw/intc/arm_gicv3: Fix writes to ICC_CTLR_EL3

Philippe Mathieu-Daudé (3):
      hw/arm/exynos4: Remove unuseful debug code
      hw/arm/exynos4: Use the IEC binary prefix definitions
      hw/arm/exynos4210: QOM'ify the Exynos4210 SoC

Richard Henderson (2):
      target/arm: Use extract2 for EXTR
      target/arm: Simplify BFXIL expansion

include/hw/arm/allwinner-a10.h    |  2 +-
 include/hw/arm/aspeed_soc.h       |  1 -
 include/hw/arm/bcm2836.h          |  1 -
 include/hw/arm/{arm.h => boot.h}  | 12 +++------
 include/hw/arm/exynos4210.h       |  9 +++++--
 include/hw/arm/fsl-imx25.h        |  2 +-
 include/hw/arm/fsl-imx31.h        |  2 +-
 include/hw/arm/fsl-imx6.h         |  2 +-
 include/hw/arm/fsl-imx6ul.h       |  2 +-
 include/hw/arm/fsl-imx7.h         |  2 +-
 include/hw/arm/virt.h             |  2 +-
 include/hw/arm/xlnx-versal.h      |  2 +-
 include/hw/arm/xlnx-zynqmp.h      |  2 +-
 include/hw/timer/armv7m_systick.h | 22 ++++++++++++++++
 hw/arm/armsse.c                   |  2 +-
 hw/arm/armv7m.c                   |  2 +-
 hw/arm/aspeed.c                   |  2 +-
 hw/arm/boot.c                     |  2 +-
 hw/arm/collie.c                   |  2 +-
 hw/arm/exynos4210.c               | 54 ++++++++++++++++++++++++++++++++++++---
 hw/arm/exynos4_boards.c           | 40 ++++++++---------------------
 hw/arm/highbank.c                 |  2 +-
 hw/arm/integratorcp.c             |  2 +-
 hw/arm/mainstone.c                |  2 +-
 hw/arm/microbit.c                 |  2 +-
 hw/arm/mps2-tz.c                  |  2 +-
 hw/arm/mps2.c                     |  2 +-
 hw/arm/msf2-soc.c                 |  1 -
 hw/arm/msf2-som.c                 |  2 +-
 hw/arm/musca.c                    |  2 +-
 hw/arm/musicpal.c                 |  2 +-
 hw/arm/netduino2.c                |  2 +-
 hw/arm/nrf51_soc.c                |  2 +-
 hw/arm/nseries.c                  |  2 +-
 hw/arm/omap1.c                    |  2 +-
 hw/arm/omap2.c                    |  2 +-
 hw/arm/omap_sx1.c                 |  2 +-
 hw/arm/palm.c                     |  2 +-
 hw/arm/raspi.c                    |  2 +-
 hw/arm/realview.c                 |  2 +-
 hw/arm/spitz.c                    |  2 +-
 hw/arm/stellaris.c                |  2 +-
 hw/arm/stm32f205_soc.c            |  2 +-
 hw/arm/strongarm.c                |  2 +-
 hw/arm/tosa.c                     |  2 +-
 hw/arm/versatilepb.c              |  2 +-
 hw/arm/vexpress.c                 |  2 +-
 hw/arm/virt.c                     |  2 +-
 hw/arm/xilinx_zynq.c              |  2 +-
 hw/arm/xlnx-versal.c              |  2 +-
 hw/arm/z2.c                       |  2 +-
 hw/intc/arm_gicv3_cpuif.c         |  6 ++---
 hw/intc/armv7m_nvic.c             |  1 -
 target/arm/arm-semi.c             |  1 -
 target/arm/cpu.c                  |  1 -
 target/arm/cpu64.c                |  1 -
 target/arm/kvm.c                  |  1 -
 target/arm/kvm32.c                |  1 -
 target/arm/kvm64.c                |  1 -
 target/arm/translate-a64.c        | 44 ++++++++++++++++---------------
 target/arm/translate.c            |  4 +--
 61 files changed, 164 insertions(+), 123 deletions(-)
 rename include/hw/arm/{arm.h => boot.h} (96%)

From: Richard Henderson <richard.henderson@linaro.org>

This is, after all, how we implement extract2 in tcg/aarch64.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190514011129.11330-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 38 ++++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 18 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
             } else {
                 tcg_gen_ext32u_i64(tcg_rd, cpu_reg(s, rm));
             }
-        } else if (rm == rn) { /* ROR */
-            tcg_rm = cpu_reg(s, rm);
-            if (sf) {
-                tcg_gen_rotri_i64(tcg_rd, tcg_rm, imm);
-            } else {
-                TCGv_i32 tmp = tcg_temp_new_i32();
-                tcg_gen_extrl_i64_i32(tmp, tcg_rm);
-                tcg_gen_rotri_i32(tmp, tmp, imm);
-                tcg_gen_extu_i32_i64(tcg_rd, tmp);
-                tcg_temp_free_i32(tmp);
-            }
         } else {
-            tcg_rm = read_cpu_reg(s, rm, sf);
-            tcg_rn = read_cpu_reg(s, rn, sf);
-            tcg_gen_shri_i64(tcg_rm, tcg_rm, imm);
-            tcg_gen_shli_i64(tcg_rn, tcg_rn, bitsize - imm);
-            tcg_gen_or_i64(tcg_rd, tcg_rm, tcg_rn);
-            if (!sf) {
-                tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
+            tcg_rm = cpu_reg(s, rm);
+            tcg_rn = cpu_reg(s, rn);
+
+            if (sf) {
+                /* Specialization to ROR happens in EXTRACT2.  */
+                tcg_gen_extract2_i64(tcg_rd, tcg_rm, tcg_rn, imm);
+            } else {
+                TCGv_i32 t0 = tcg_temp_new_i32();
+
+                tcg_gen_extrl_i64_i32(t0, tcg_rm);
+                if (rm == rn) {
+                    tcg_gen_rotri_i32(t0, t0, imm);
+                } else {
+                    TCGv_i32 t1 = tcg_temp_new_i32();
+                    tcg_gen_extrl_i64_i32(t1, tcg_rn);
+                    tcg_gen_extract2_i32(t0, t0, t1, imm);
+                    tcg_temp_free_i32(t1);
+                }
+                tcg_gen_extu_i32_i64(tcg_rd, t0);
+                tcg_temp_free_i32(t0);
             }
         }
     }
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The mask implied by the extract is redundant with the one
implied by the deposit.  Also, fix spelling of BFXIL.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190514011129.11330-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

From: Alistair Francis <alistair.francis@wdc.com>

Commit 89e68b575 "target/arm: Use vector operations for saturation"
causes this abort() when booting QEMU ARM with a Cortex-A15:

0  0x00007ffff4c2382f in raise () at /usr/lib/libc.so.6
1  0x00007ffff4c0e672 in abort () at /usr/lib/libc.so.6
2  0x00005555559c1839 in disas_neon_data_insn (insn=<optimized out>, s=<optimized out>) at ./target/arm/translate.c:6673
3  0x00005555559c1839 in disas_neon_data_insn (s=<optimized out>, insn=<optimized out>) at ./target/arm/translate.c:6386
4  0x00005555559cd8a4 in disas_arm_insn (insn=4081107068, s=0x7fffe59a9510) at ./target/arm/translate.c:9289
5  0x00005555559cd8a4 in arm_tr_translate_insn (dcbase=0x7fffe59a9510, cpu=<optimized out>) at ./target/arm/translate.c:13612
6  0x00005555558d1d39 in translator_loop (ops=0x5555561cc580 <arm_translator_ops>, db=0x7fffe59a9510, cpu=0x55555686a2f0, tb=<optimized out>, max_insns=<optimized out>) at ./accel/tcg/translator.c:96
7  0x00005555559d10d4 in gen_intermediate_code (cpu=cpu@entry=0x55555686a2f0, tb=tb@entry=0x7fffd7840080 <code_gen_buffer+126091347>, max_insns=max_insns@entry=512) at ./target/arm/translate.c:13901
8  0x00005555558d06b9 in tb_gen_code (cpu=cpu@entry=0x55555686a2f0, pc=3067096216, cs_base=0, flags=192, cflags=-16252928, cflags@entry=524288) at ./accel/tcg/translate-all.c:1736
9  0x00005555558ce467 in tb_find (cf_mask=524288, tb_exit=1, last_tb=0x7fffd783e640 <code_gen_buffer+126084627>, cpu=0x1) at ./accel/tcg/cpu-exec.c:407
10 0x00005555558ce467 in cpu_exec (cpu=cpu@entry=0x55555686a2f0) at ./accel/tcg/cpu-exec.c:728
11 0x000055555588b0cf in tcg_cpu_exec (cpu=0x55555686a2f0) at ./cpus.c:1431
12 0x000055555588d223 in qemu_tcg_cpu_thread_fn (arg=0x55555686a2f0) at ./cpus.c:1735
13 0x000055555588d223 in qemu_tcg_cpu_thread_fn (arg=arg@entry=0x55555686a2f0) at ./cpus.c:1709
14 0x0000555555d2629a in qemu_thread_start (args=<optimized out>) at ./util/qemu-thread-posix.c:502
15 0x00007ffff4db8a92 in start_thread () at /usr/lib/libpthread.

This patch ensures that we don't hit the abort() in the second switch
case in disas_neon_data_insn() as we will return from the first case.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: ad91b397f360b2fc7f4087e476f7df5b04d42ddb.1558021877.git.alistair.francis@wdc.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
             tcg_gen_gvec_4(rd_ofs, offsetof(CPUARMState, vfp.qc),
                            rn_ofs, rm_ofs, vec_size, vec_size,
                            (u ? uqadd_op : sqadd_op) + size);
-            break;
+            return 0;
 
         case NEON_3R_VQSUB:
             tcg_gen_gvec_4(rd_ofs, offsetof(CPUARMState, vfp.qc),
                            rn_ofs, rm_ofs, vec_size, vec_size,
                            (u ? uqsub_op : sqsub_op) + size);
-            break;
+            return 0;
 
         case NEON_3R_VMUL: /* VMUL */
             if (u) {
-- 
2.20.1

The system_clock_scale global is used only by the armv7m systick
device; move the extern declaration to the armv7m_systick.h header,
and expand the comment to explain what it is and that it should
ideally be replaced with a different approach.

diff --git a/include/hw/arm/arm.h b/include/hw/arm/arm.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/arm.h
+++ b/include/hw/arm/arm.h
@@ -XXX,XX +XXX,XX @@ void arm_write_secure_board_setup_dummy_smc(ARMCPU *cpu,
                                             const struct arm_boot_info *info,
                                             hwaddr mvbar_addr);
 
-/* Multiplication factor to convert from system clock ticks to qemu timer
-   ticks.  */
-extern int system_clock_scale;
-
 #endif /* HW_ARM_H */
diff --git a/include/hw/timer/armv7m_systick.h b/include/hw/timer/armv7m_systick.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/timer/armv7m_systick.h
+++ b/include/hw/timer/armv7m_systick.h
@@ -XXX,XX +XXX,XX @@ typedef struct SysTickState {
     qemu_irq irq;
 } SysTickState;
 
+/*
+ * Multiplication factor to convert from system clock ticks to qemu timer
+ * ticks. This should be set (by board code, usually) to a value
+ * equal to NANOSECONDS_PER_SECOND / frq, where frq is the clock frequency
+ * in Hz of the CPU.
+ *
+ * This value is used by the systick device when it is running in
+ * its "use the CPU clock" mode (ie when SYST_CSR.CLKSOURCE == 1) to
+ * set how fast the timer should tick.
+ *
+ * TODO: we should refactor this so that rather than using a global
+ * we use a device property or something similar. This is complicated
+ * because (a) the property would need to be plumbed through from the
+ * board code down through various layers to the systick device
+ * and (b) the property needs to be modifiable after realize, because
+ * the stellaris board uses this to implement the behaviour where the
+ * guest can reprogram the PLL registers to downclock the CPU, and the
+ * systick device needs to react accordingly. Possibly this should
+ * be deferred until we have a good API for modelling clock trees.
+ */
+extern int system_clock_scale;
+
 #endif
-- 
2.20.1

The hw/arm/arm.h header now only includes declarations relating
to boot.c code, so it is only needed by Arm board or SoC code.
Remove some unnecessary inclusions of it from target/arm files
and from hw/intc/armv7m_nvic.c.

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@
 #include "cpu.h"
 #include "hw/sysbus.h"
 #include "qemu/timer.h"
-#include "hw/arm/arm.h"
 #include "hw/intc/armv7m_nvic.h"
 #include "target/arm/cpu.h"
 #include "exec/exec-all.h"
diff --git a/target/arm/arm-semi.c b/target/arm/arm-semi.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/arm-semi.c
+++ b/target/arm/arm-semi.c
@@ -XXX,XX +XXX,XX @@
 #else
 #include "qemu-common.h"
 #include "exec/gdbstub.h"
-#include "hw/arm/arm.h"
 #include "qemu/cutils.h"
 #endif
 
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@
 #if !defined(CONFIG_USER_ONLY)
 #include "hw/loader.h"
 #endif
-#include "hw/arm/arm.h"
 #include "sysemu/sysemu.h"
 #include "sysemu/hw_accel.h"
 #include "kvm_arm.h"
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@
 #if !defined(CONFIG_USER_ONLY)
 #include "hw/loader.h"
 #endif
-#include "hw/arm/arm.h"
 #include "sysemu/sysemu.h"
 #include "sysemu/kvm.h"
 #include "kvm_arm.h"
diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm.c
+++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@
 #include "cpu.h"
 #include "trace.h"
 #include "internals.h"
-#include "hw/arm/arm.h"
 #include "hw/pci/pci.h"
 #include "exec/memattrs.h"
 #include "exec/address-spaces.h"
diff --git a/target/arm/kvm32.c b/target/arm/kvm32.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm32.c
+++ b/target/arm/kvm32.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/kvm.h"
 #include "kvm_arm.h"
 #include "internals.h"
-#include "hw/arm/arm.h"
 #include "qemu/log.h"
 
 static inline void set_feature(uint64_t *features, int feature)
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/kvm.h"
 #include "kvm_arm.h"
 #include "internals.h"
-#include "hw/arm/arm.h"
 
 static bool have_guest_debug;
 
-- 
2.20.1

The header file hw/arm/arm.h now includes only declarations
relating to hw/arm/boot.c functionality. Rename it accordingly,
and adjust its header comment.

The bulk of this commit was created via
 perl -pi -e 's|hw/arm/arm.h|hw/arm/boot.h|' hw/arm/*.c include/hw/arm/*.h

In a few cases we can just delete the #include:
hw/arm/msf2-soc.c, include/hw/arm/aspeed_soc.h and
include/hw/arm/bcm2836.h did not require it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190516163857.6430-4-peter.maydell@linaro.org
---
 include/hw/arm/allwinner-a10.h   | 2 +-
 include/hw/arm/aspeed_soc.h      | 1 -
 include/hw/arm/bcm2836.h         | 1 -
 include/hw/arm/{arm.h => boot.h} | 8 ++++----
 include/hw/arm/fsl-imx25.h       | 2 +-
 include/hw/arm/fsl-imx31.h       | 2 +-
 include/hw/arm/fsl-imx6.h        | 2 +-
 include/hw/arm/fsl-imx6ul.h      | 2 +-
 include/hw/arm/fsl-imx7.h        | 2 +-
 include/hw/arm/virt.h            | 2 +-
 include/hw/arm/xlnx-versal.h     | 2 +-
 include/hw/arm/xlnx-zynqmp.h     | 2 +-
 hw/arm/armsse.c                  | 2 +-
 hw/arm/armv7m.c                  | 2 +-
 hw/arm/aspeed.c                  | 2 +-
 hw/arm/boot.c                    | 2 +-
 hw/arm/collie.c                  | 2 +-
 hw/arm/exynos4210.c              | 2 +-
 hw/arm/exynos4_boards.c          | 2 +-
 hw/arm/highbank.c                | 2 +-
 hw/arm/integratorcp.c            | 2 +-
 hw/arm/mainstone.c               | 2 +-
 hw/arm/microbit.c                | 2 +-
 hw/arm/mps2-tz.c                 | 2 +-
 hw/arm/mps2.c                    | 2 +-
 hw/arm/msf2-soc.c                | 1 -
 hw/arm/msf2-som.c                | 2 +-
 hw/arm/musca.c                   | 2 +-
 hw/arm/musicpal.c                | 2 +-
 hw/arm/netduino2.c               | 2 +-
 hw/arm/nrf51_soc.c               | 2 +-
 hw/arm/nseries.c                 | 2 +-
 hw/arm/omap1.c                   | 2 +-
 hw/arm/omap2.c                   | 2 +-
 hw/arm/omap_sx1.c                | 2 +-
 hw/arm/palm.c                    | 2 +-
 hw/arm/raspi.c                   | 2 +-
 hw/arm/realview.c                | 2 +-
 hw/arm/spitz.c                   | 2 +-
 hw/arm/stellaris.c               | 2 +-
 hw/arm/stm32f205_soc.c           | 2 +-
 hw/arm/strongarm.c               | 2 +-
 hw/arm/tosa.c                    | 2 +-
 hw/arm/versatilepb.c             | 2 +-
 hw/arm/vexpress.c                | 2 +-
 hw/arm/virt.c                    | 2 +-
 hw/arm/xilinx_zynq.c             | 2 +-
 hw/arm/xlnx-versal.c             | 2 +-
 hw/arm/z2.c                      | 2 +-
 49 files changed, 49 insertions(+), 52 deletions(-)
 rename include/hw/arm/{arm.h => boot.h} (98%)

diff --git a/include/hw/arm/allwinner-a10.h b/include/hw/arm/allwinner-a10.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/allwinner-a10.h
+++ b/include/hw/arm/allwinner-a10.h
@@ -XXX,XX +XXX,XX @@
 #include "qemu-common.h"
 #include "qemu/error-report.h"
 #include "hw/char/serial.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/timer/allwinner-a10-pit.h"
 #include "hw/intc/allwinner-a10-pic.h"
 #include "hw/net/allwinner_emac.h"
diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/aspeed_soc.h
+++ b/include/hw/arm/aspeed_soc.h
@@ -XXX,XX +XXX,XX @@
 #ifndef ASPEED_SOC_H
 #define ASPEED_SOC_H
 
-#include "hw/arm/arm.h"
 #include "hw/intc/aspeed_vic.h"
 #include "hw/misc/aspeed_scu.h"
 #include "hw/misc/aspeed_sdmc.h"
diff --git a/include/hw/arm/bcm2836.h b/include/hw/arm/bcm2836.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/bcm2836.h
+++ b/include/hw/arm/bcm2836.h
@@ -XXX,XX +XXX,XX @@
 #ifndef BCM2836_H
 #define BCM2836_H
 
-#include "hw/arm/arm.h"
 #include "hw/arm/bcm2835_peripherals.h"
 #include "hw/intc/bcm2836_control.h"
 
diff --git a/include/hw/arm/arm.h b/include/hw/arm/boot.h
similarity index 98%
rename from include/hw/arm/arm.h
rename to include/hw/arm/boot.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/arm.h
+++ b/include/hw/arm/boot.h
@@ -XXX,XX +XXX,XX @@
 /*
- * Misc ARM declarations
+ * ARM kernel loader.
  *
  * Copyright (c) 2006 CodeSourcery.
  * Written by Paul Brook
@@ -XXX,XX +XXX,XX @@
  *
  */
 
-#ifndef HW_ARM_H
-#define HW_ARM_H
+#ifndef HW_ARM_BOOT_H
+#define HW_ARM_BOOT_H
 
 #include "exec/memory.h"
 #include "target/arm/cpu-qom.h"
@@ -XXX,XX +XXX,XX @@ void arm_write_secure_board_setup_dummy_smc(ARMCPU *cpu,
                                             const struct arm_boot_info *info,
                                             hwaddr mvbar_addr);
 
-#endif /* HW_ARM_H */
+#endif /* HW_ARM_BOOT_H */
diff --git a/include/hw/arm/fsl-imx25.h b/include/hw/arm/fsl-imx25.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/fsl-imx25.h
+++ b/include/hw/arm/fsl-imx25.h
@@ -XXX,XX +XXX,XX @@
 #ifndef FSL_IMX25_H
 #define FSL_IMX25_H
 
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/intc/imx_avic.h"
 #include "hw/misc/imx25_ccm.h"
 #include "hw/char/imx_serial.h"
diff --git a/include/hw/arm/fsl-imx31.h b/include/hw/arm/fsl-imx31.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/fsl-imx31.h
+++ b/include/hw/arm/fsl-imx31.h
@@ -XXX,XX +XXX,XX @@
 #ifndef FSL_IMX31_H
 #define FSL_IMX31_H
 
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/intc/imx_avic.h"
 #include "hw/misc/imx31_ccm.h"
 #include "hw/char/imx_serial.h"
diff --git a/include/hw/arm/fsl-imx6.h b/include/hw/arm/fsl-imx6.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/fsl-imx6.h
+++ b/include/hw/arm/fsl-imx6.h
@@ -XXX,XX +XXX,XX @@
 #ifndef FSL_IMX6_H
 #define FSL_IMX6_H
 
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/cpu/a9mpcore.h"
 #include "hw/misc/imx6_ccm.h"
 #include "hw/misc/imx6_src.h"
diff --git a/include/hw/arm/fsl-imx6ul.h b/include/hw/arm/fsl-imx6ul.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/fsl-imx6ul.h
+++ b/include/hw/arm/fsl-imx6ul.h
@@ -XXX,XX +XXX,XX @@
 #ifndef FSL_IMX6UL_H
 #define FSL_IMX6UL_H
 
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/cpu/a15mpcore.h"
 #include "hw/misc/imx6ul_ccm.h"
 #include "hw/misc/imx6_src.h"
diff --git a/include/hw/arm/fsl-imx7.h b/include/hw/arm/fsl-imx7.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/fsl-imx7.h
+++ b/include/hw/arm/fsl-imx7.h
@@ -XXX,XX +XXX,XX @@
 #ifndef FSL_IMX7_H
 #define FSL_IMX7_H
 
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/cpu/a15mpcore.h"
 #include "hw/intc/imx_gpcv2.h"
 #include "hw/misc/imx7_ccm.h"
diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/virt.h
+++ b/include/hw/arm/virt.h
@@ -XXX,XX +XXX,XX @@
 #include "exec/hwaddr.h"
 #include "qemu/notify.h"
 #include "hw/boards.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/block/flash.h"
 #include "sysemu/kvm.h"
 #include "hw/intc/arm_gicv3_common.h"
diff --git a/include/hw/arm/xlnx-versal.h b/include/hw/arm/xlnx-versal.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/xlnx-versal.h
+++ b/include/hw/arm/xlnx-versal.h
@@ -XXX,XX +XXX,XX @@
 #define XLNX_VERSAL_H
 
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/intc/arm_gicv3.h"
 
 #define TYPE_XLNX_VERSAL "xlnx-versal"
diff --git a/include/hw/arm/xlnx-zynqmp.h b/include/hw/arm/xlnx-zynqmp.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/xlnx-zynqmp.h
+++ b/include/hw/arm/xlnx-zynqmp.h
@@ -XXX,XX +XXX,XX @@
 #ifndef XLNX_ZYNQMP_H
 
 #include "qemu-common.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/intc/arm_gic.h"
 #include "hw/net/cadence_gem.h"
 #include "hw/char/cadence_uart.h"
diff --git a/hw/arm/armsse.c b/hw/arm/armsse.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/armsse.c
+++ b/hw/arm/armsse.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/sysbus.h"
 #include "hw/registerfields.h"
 #include "hw/arm/armsse.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 
 /* Format of the System Information block SYS_CONFIG register */
 typedef enum SysConfigFormat {
diff --git a/hw/arm/armv7m.c b/hw/arm/armv7m.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/armv7m.c
+++ b/hw/arm/armv7m.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu-common.h"
 #include "cpu.h"
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/loader.h"
 #include "elf.h"
 #include "sysemu/qtest.h"
diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu-common.h"
 #include "cpu.h"
 #include "exec/address-spaces.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/aspeed.h"
 #include "hw/arm/aspeed_soc.h"
 #include "hw/boards.h"
diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/error.h"
 #include <libfdt.h>
 #include "hw/hw.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/linux-boot-if.h"
 #include "sysemu/kvm.h"
 #include "sysemu/sysemu.h"
diff --git a/hw/arm/collie.c b/hw/arm/collie.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/collie.c
+++ b/hw/arm/collie.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/sysbus.h"
 #include "hw/boards.h"
 #include "strongarm.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/block/flash.h"
 #include "exec/address-spaces.h"
 #include "cpu.h"
diff --git a/hw/arm/exynos4210.c b/hw/arm/exynos4210.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/exynos4210.c
+++ b/hw/arm/exynos4210.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/boards.h"
 #include "sysemu/sysemu.h"
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/loader.h"
 #include "hw/arm/exynos4210.h"
 #include "hw/sd/sdhci.h"
diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/exynos4_boards.c
+++ b/hw/arm/exynos4_boards.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/sysemu.h"
 #include "hw/sysbus.h"
 #include "net/net.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "exec/address-spaces.h"
 #include "hw/arm/exynos4210.h"
 #include "hw/net/lan9118.h"
diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/highbank.c
+++ b/hw/arm/highbank.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/loader.h"
 #include "net/net.h"
 #include "sysemu/kvm.h"
diff --git a/hw/arm/integratorcp.c b/hw/arm/integratorcp.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/integratorcp.c
+++ b/hw/arm/integratorcp.c
@@ -XXX,XX +XXX,XX @@
 #include "cpu.h"
 #include "hw/sysbus.h"
 #include "hw/boards.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/misc/arm_integrator_debug.h"
 #include "hw/net/smc91c111.h"
 #include "net/net.h"
diff --git a/hw/arm/mainstone.c b/hw/arm/mainstone.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/mainstone.c
+++ b/hw/arm/mainstone.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/error.h"
 #include "hw/hw.h"
 #include "hw/arm/pxa.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "net/net.h"
 #include "hw/net/smc91c111.h"
 #include "hw/boards.h"
diff --git a/hw/arm/microbit.c b/hw/arm/microbit.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/microbit.c
+++ b/hw/arm/microbit.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "hw/boards.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "sysemu/sysemu.h"
 #include "exec/address-spaces.h"
 
diff --git a/hw/arm/mps2-tz.c b/hw/arm/mps2-tz.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/mps2-tz.c
+++ b/hw/arm/mps2-tz.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "qemu/error-report.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/armv7m.h"
 #include "hw/or-irq.h"
 #include "hw/boards.h"
diff --git a/hw/arm/mps2.c b/hw/arm/mps2.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/mps2.c
+++ b/hw/arm/mps2.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "qemu/error-report.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/armv7m.h"
 #include "hw/or-irq.h"
 #include "hw/boards.h"
diff --git a/hw/arm/msf2-soc.c b/hw/arm/msf2-soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/msf2-soc.c
+++ b/hw/arm/msf2-soc.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/units.h"
 #include "qapi/error.h"
 #include "qemu-common.h"
-#include "hw/arm/arm.h"
 #include "exec/address-spaces.h"
 #include "hw/char/serial.h"
 #include "hw/boards.h"
diff --git a/hw/arm/msf2-som.c b/hw/arm/msf2-som.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/msf2-som.c
+++ b/hw/arm/msf2-som.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/error.h"
 #include "qemu/error-report.h"
 #include "hw/boards.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "exec/address-spaces.h"
 #include "hw/arm/msf2-soc.h"
 #include "cpu.h"
diff --git a/hw/arm/musca.c b/hw/arm/musca.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/musca.c
+++ b/hw/arm/musca.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/error.h"
 #include "exec/address-spaces.h"
 #include "sysemu/sysemu.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/armsse.h"
 #include "hw/boards.h"
 #include "hw/char/pl011.h"
diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/musicpal.c
+++ b/hw/arm/musicpal.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu-common.h"
 #include "cpu.h"
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "net/net.h"
 #include "sysemu/sysemu.h"
 #include "hw/boards.h"
diff --git a/hw/arm/netduino2.c b/hw/arm/netduino2.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/netduino2.c
+++ b/hw/arm/netduino2.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/boards.h"
 #include "qemu/error-report.h"
 #include "hw/arm/stm32f205_soc.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 
 static void netduino2_init(MachineState *machine)
 {
diff --git a/hw/arm/nrf51_soc.c b/hw/arm/nrf51_soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/nrf51_soc.c
+++ b/hw/arm/nrf51_soc.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "qemu-common.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/sysbus.h"
 #include "hw/boards.h"
 #include "hw/misc/unimp.h"
diff --git a/hw/arm/nseries.c b/hw/arm/nseries.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/nseries.c
+++ b/hw/arm/nseries.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/bswap.h"
 #include "sysemu/sysemu.h"
 #include "hw/arm/omap.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/irq.h"
 #include "ui/console.h"
 #include "hw/boards.h"
diff --git a/hw/arm/omap1.c b/hw/arm/omap1.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/omap1.c
+++ b/hw/arm/omap1.c
@@ -XXX,XX +XXX,XX @@
 #include "cpu.h"
 #include "hw/boards.h"
 #include "hw/hw.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/omap.h"
 #include "sysemu/sysemu.h"
 #include "hw/arm/soc_dma.h"
diff --git a/hw/arm/omap2.c b/hw/arm/omap2.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/omap2.c
+++ b/hw/arm/omap2.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/qtest.h"
 #include "hw/boards.h"
 #include "hw/hw.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/omap.h"
 #include "sysemu/sysemu.h"
 #include "qemu/timer.h"
diff --git a/hw/arm/omap_sx1.c b/hw/arm/omap_sx1.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/omap_sx1.c
+++ b/hw/arm/omap_sx1.c
@@ -XXX,XX +XXX,XX @@
 #include "ui/console.h"
 #include "hw/arm/omap.h"
 #include "hw/boards.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/block/flash.h"
 #include "sysemu/qtest.h"
 #include "exec/address-spaces.h"
diff --git a/hw/arm/palm.c b/hw/arm/palm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/palm.c
+++ b/hw/arm/palm.c
@@ -XXX,XX +XXX,XX @@
 #include "ui/console.h"
 #include "hw/arm/omap.h"
 #include "hw/boards.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/input/tsc2xxx.h"
 #include "hw/loader.h"
 #include "exec/address-spaces.h"
diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/raspi.c
+++ b/hw/arm/raspi.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/error-report.h"
 #include "hw/boards.h"
 #include "hw/loader.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "sysemu/sysemu.h"
 
 #define SMPBOOT_ADDR    0x300 /* this should leave enough space for ATAGS */
diff --git a/hw/arm/realview.c b/hw/arm/realview.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/realview.c
+++ b/hw/arm/realview.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu-common.h"
 #include "cpu.h"
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/primecell.h"
 #include "hw/net/lan9118.h"
 #include "hw/net/smc91c111.h"
diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/spitz.c
+++ b/hw/arm/spitz.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/error.h"
 #include "hw/hw.h"
 #include "hw/arm/pxa.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "sysemu/sysemu.h"
 #include "hw/pcmcia.h"
 #include "hw/i2c/i2c.h"
diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/stellaris.c
+++ b/hw/arm/stellaris.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/error.h"
 #include "hw/sysbus.h"
 #include "hw/ssi/ssi.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "qemu/timer.h"
 #include "hw/i2c/i2c.h"
 #include "net/net.h"
diff --git a/hw/arm/stm32f205_soc.c b/hw/arm/stm32f205_soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/stm32f205_soc.c
+++ b/hw/arm/stm32f205_soc.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "qemu-common.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "exec/address-spaces.h"
 #include "hw/arm/stm32f205_soc.h"
 
diff --git a/hw/arm/strongarm.c b/hw/arm/strongarm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/strongarm.c
+++ b/hw/arm/strongarm.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/sysbus.h"
 #include "strongarm.h"
 #include "qemu/error-report.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "chardev/char-fe.h"
 #include "chardev/char-serial.h"
 #include "sysemu/sysemu.h"
diff --git a/hw/arm/tosa.c b/hw/arm/tosa.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/tosa.c
+++ b/hw/arm/tosa.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/error.h"
 #include "hw/hw.h"
 #include "hw/arm/pxa.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/sharpsl.h"
 #include "hw/pcmcia.h"
 #include "hw/boards.h"
diff --git a/hw/arm/versatilepb.c b/hw/arm/versatilepb.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/versatilepb.c
+++ b/hw/arm/versatilepb.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu-common.h"
 #include "cpu.h"
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/net/smc91c111.h"
 #include "net/net.h"
 #include "sysemu/sysemu.h"
diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/vexpress.c
+++ b/hw/arm/vexpress.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu-common.h"
 #include "cpu.h"
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/primecell.h"
 #include "hw/net/lan9118.h"
 #include "hw/i2c/i2c.h"
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/option.h"
 #include "qapi/error.h"
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/arm/primecell.h"
 #include "hw/arm/virt.h"
 #include "hw/block/flash.h"
diff --git a/hw/arm/xilinx_zynq.c b/hw/arm/xilinx_zynq.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xilinx_zynq.c
+++ b/hw/arm/xilinx_zynq.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu-common.h"
 #include "cpu.h"
 #include "hw/sysbus.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "net/net.h"
 #include "exec/address-spaces.h"
 #include "sysemu/sysemu.h"
diff --git a/hw/arm/xlnx-versal.c b/hw/arm/xlnx-versal.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xlnx-versal.c
+++ b/hw/arm/xlnx-versal.c
@@ -XXX,XX +XXX,XX @@
 #include "net/net.h"
 #include "sysemu/sysemu.h"
 #include "sysemu/kvm.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "kvm_arm.h"
 #include "hw/misc/unimp.h"
 #include "hw/intc/arm_gicv3_common.h"
diff --git a/hw/arm/z2.c b/hw/arm/z2.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/z2.c
+++ b/hw/arm/z2.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "hw/hw.h"
 #include "hw/arm/pxa.h"
-#include "hw/arm/arm.h"
+#include "hw/arm/boot.h"
 #include "hw/i2c/i2c.h"
 #include "hw/ssi/ssi.h"
 #include "hw/boards.h"
-- 
2.20.1

In ich_vmcr_write() we enforce "writes of BPR fields to less than
their minimum sets them to the minimum" by doing a "read vbpr and
write it back" operation.  A typo here meant that we weren't handling
writes to these fields correctly, because we were reading from VBPR0
but writing to VBPR1.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190520162809.2677-4-peter.maydell@linaro.org
---
 hw/intc/arm_gicv3_cpuif.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

The ICC_CTLR_EL3 register includes some bits which are aliases
of bits in the ICC_CTLR_EL1(S) and (NS) registers. QEMU chooses
to keep those bits in the cs->icc_ctlr_el1[] struct fields.
Unfortunately a missing '~' in the code to update the bits
in those fields meant that writing to ICC_CTLR_EL3 would corrupt
the ICC_CLTR_EL1 register values.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190520162809.2677-5-peter.maydell@linaro.org
---
 hw/intc/arm_gicv3_cpuif.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_cpuif.c
+++ b/hw/intc/arm_gicv3_cpuif.c
@@ -XXX,XX +XXX,XX @@ static void icc_ctlr_el3_write(CPUARMState *env, const ARMCPRegInfo *ri,
     trace_gicv3_icc_ctlr_el3_write(gicv3_redist_affid(cs), value);
 
     /* *_EL1NS and *_EL1S bits are aliases into the ICC_CTLR_EL1 bits. */
-    cs->icc_ctlr_el1[GICV3_NS] &= (ICC_CTLR_EL1_CBPR | ICC_CTLR_EL1_EOIMODE);
+    cs->icc_ctlr_el1[GICV3_NS] &= ~(ICC_CTLR_EL1_CBPR | ICC_CTLR_EL1_EOIMODE);
     if (value & ICC_CTLR_EL3_EOIMODE_EL1NS) {
         cs->icc_ctlr_el1[GICV3_NS] |= ICC_CTLR_EL1_EOIMODE;
     }
@@ -XXX,XX +XXX,XX @@ static void icc_ctlr_el3_write(CPUARMState *env, const ARMCPRegInfo *ri,
         cs->icc_ctlr_el1[GICV3_NS] |= ICC_CTLR_EL1_CBPR;
     }
 
-    cs->icc_ctlr_el1[GICV3_S] &= (ICC_CTLR_EL1_CBPR | ICC_CTLR_EL1_EOIMODE);
+    cs->icc_ctlr_el1[GICV3_S] &= ~(ICC_CTLR_EL1_CBPR | ICC_CTLR_EL1_EOIMODE);
     if (value & ICC_CTLR_EL3_EOIMODE_EL1S) {
         cs->icc_ctlr_el1[GICV3_S] |= ICC_CTLR_EL1_EOIMODE;
     }
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20190520214342.13709-2-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/exynos4_boards.c | 24 ------------------------
 1 file changed, 24 deletions(-)

diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/exynos4_boards.c
+++ b/hw/arm/exynos4_boards.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/net/lan9118.h"
 #include "hw/boards.h"
 
-#undef DEBUG
-
-//#define DEBUG
-
-#ifdef DEBUG
-    #undef PRINT_DEBUG
-    #define  PRINT_DEBUG(fmt, args...) \
-        do { \
-            fprintf(stderr, "  [%s:%d]   "fmt, __func__, __LINE__, ##args); \
-        } while (0)
-#else
-    #define  PRINT_DEBUG(fmt, args...)  do {} while (0)
-#endif
-
 #define SMDK_LAN9118_BASE_ADDR      0x05000000
 
 typedef enum Exynos4BoardType {
@@ -XXX,XX +XXX,XX @@ exynos4_boards_init_common(MachineState *machine,
     exynos4_board_binfo.gic_cpu_if_addr =
             EXYNOS4210_SMP_PRIVATE_BASE_ADDR + 0x100;
 
-    PRINT_DEBUG("\n ram_size: %luMiB [0x%08lx]\n"
-            " kernel_filename: %s\n"
-            " kernel_cmdline: %s\n"
-            " initrd_filename: %s\n",
-            exynos4_board_ram_size[board_type] / 1048576,
-            exynos4_board_ram_size[board_type],
-            machine->kernel_filename,
-            machine->kernel_cmdline,
-            machine->initrd_filename);
-
     exynos4_boards_init_ram(s, get_system_memory(),
                             exynos4_board_ram_size[board_type]);
 
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

It eases code review, unit is explicit.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20190520214342.13709-3-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/exynos4_boards.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/exynos4_boards.c
+++ b/hw/arm/exynos4_boards.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/units.h"
 #include "qapi/error.h"
 #include "qemu/error-report.h"
 #include "qemu-common.h"
@@ -XXX,XX +XXX,XX @@ static int exynos4_board_smp_bootreg_addr[EXYNOS4_NUM_OF_BOARDS] = {
 };
 
 static unsigned long exynos4_board_ram_size[EXYNOS4_NUM_OF_BOARDS] = {
-    [EXYNOS4_BOARD_NURI]     = 0x40000000,
-    [EXYNOS4_BOARD_SMDKC210] = 0x40000000,
+    [EXYNOS4_BOARD_NURI]     = 1 * GiB,
+    [EXYNOS4_BOARD_SMDKC210] = 1 * GiB,
 };
 
 static struct arm_boot_info exynos4_board_binfo = {
-- 
2.20.1

From: Guenter Roeck <linux@roeck-us.net>

QEMU already supports pl330. Instantiate it for Exynos4210.

Relevant part of Linux arch/arm/boot/dts/exynos4.dtsi:

/ {
    soc: soc {
        amba {
            pdma0: pdma@12680000 {
                compatible = "arm,pl330", "arm,primecell";
                reg = <0x12680000 0x1000>;
                interrupts = <GIC_SPI 35 IRQ_TYPE_LEVEL_HIGH>;
                clocks = <&clock CLK_PDMA0>;
                clock-names = "apb_pclk";
                #dma-cells = <1>;
                #dma-channels = <8>;
                #dma-requests = <32>;
            };
            pdma1: pdma@12690000 {
                compatible = "arm,pl330", "arm,primecell";
                reg = <0x12690000 0x1000>;
                interrupts = <GIC_SPI 36 IRQ_TYPE_LEVEL_HIGH>;
                clocks = <&clock CLK_PDMA1>;
                clock-names = "apb_pclk";
                #dma-cells = <1>;
                #dma-channels = <8>;
                #dma-requests = <32>;
            };
            mdma1: mdma@12850000 {
                compatible = "arm,pl330", "arm,primecell";
                reg = <0x12850000 0x1000>;
                interrupts = <GIC_SPI 34 IRQ_TYPE_LEVEL_HIGH>;
                clocks = <&clock CLK_MDMA>;
                clock-names = "apb_pclk";
                #dma-cells = <1>;
                #dma-channels = <8>;
                #dma-requests = <1>;
            };
        };
    };
};

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190520214342.13709-4-philmd@redhat.com
[PMD: Do not set default qdev properties, create the controllers in the SoC
      rather than the board (Peter Maydell), add dtsi in commit message]
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/exynos4210.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/hw/arm/exynos4210.c b/hw/arm/exynos4210.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/exynos4210.c
+++ b/hw/arm/exynos4210.c
@@ -XXX,XX +XXX,XX @@
 /* EHCI */
 #define EXYNOS4210_EHCI_BASE_ADDR           0x12580000
 
+/* DMA */
+#define EXYNOS4210_PL330_BASE0_ADDR         0x12680000
+#define EXYNOS4210_PL330_BASE1_ADDR         0x12690000
+#define EXYNOS4210_PL330_BASE2_ADDR         0x12850000
+
 static uint8_t chipid_and_omr[] = { 0x11, 0x02, 0x21, 0x43,
                                     0x09, 0x00, 0x00, 0x00 };
 
@@ -XXX,XX +XXX,XX @@ static uint64_t exynos4210_calc_affinity(int cpu)
     return (0x9 << ARM_AFF1_SHIFT) | cpu;
 }
 
+static void pl330_create(uint32_t base, qemu_irq irq, int nreq)
+{
+    SysBusDevice *busdev;
+    DeviceState *dev;
+
+    dev = qdev_create(NULL, "pl330");
+    qdev_prop_set_uint8(dev, "num_periph_req",  nreq);
+    qdev_init_nofail(dev);
+    busdev = SYS_BUS_DEVICE(dev);
+    sysbus_mmio_map(busdev, 0, base);
+    sysbus_connect_irq(busdev, 0, irq);
+}
+
 Exynos4210State *exynos4210_init(MemoryRegion *system_mem)
 {
     Exynos4210State *s = g_new0(Exynos4210State, 1);
@@ -XXX,XX +XXX,XX @@ Exynos4210State *exynos4210_init(MemoryRegion *system_mem)
     sysbus_create_simple(TYPE_EXYNOS4210_EHCI, EXYNOS4210_EHCI_BASE_ADDR,
             s->irq_table[exynos4210_get_irq(28, 3)]);
 
+    /*** DMA controllers ***/
+    pl330_create(EXYNOS4210_PL330_BASE0_ADDR,
+                 qemu_irq_invert(s->irq_table[exynos4210_get_irq(35, 1)]), 32);
+    pl330_create(EXYNOS4210_PL330_BASE1_ADDR,
+                 qemu_irq_invert(s->irq_table[exynos4210_get_irq(36, 1)]), 32);
+    pl330_create(EXYNOS4210_PL330_BASE2_ADDR,
+                 qemu_irq_invert(s->irq_table[exynos4210_get_irq(34, 1)]), 1);
+
     return s;
 }
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20190520214342.13709-5-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/exynos4210.h |  9 +++++++--
 hw/arm/exynos4210.c         | 28 ++++++++++++++++++++++++----
 hw/arm/exynos4_boards.c     |  9 ++++++---
 3 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/include/hw/arm/exynos4210.h b/include/hw/arm/exynos4210.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/exynos4210.h
+++ b/include/hw/arm/exynos4210.h
@@ -XXX,XX +XXX,XX @@ typedef struct Exynos4210Irq {
 } Exynos4210Irq;
 
 typedef struct Exynos4210State {
+    /*< private >*/
+    SysBusDevice parent_obj;
+    /*< public >*/
     ARMCPU *cpu[EXYNOS4210_NCPUS];
     Exynos4210Irq irqs;
     qemu_irq *irq_table;
@@ -XXX,XX +XXX,XX @@ typedef struct Exynos4210State {
     I2CBus *i2c_if[EXYNOS4210_I2C_NUMBER];
 } Exynos4210State;
 
+#define TYPE_EXYNOS4210_SOC "exynos4210"
+#define EXYNOS4210_SOC(obj) \
+    OBJECT_CHECK(Exynos4210State, obj, TYPE_EXYNOS4210_SOC)
+
 void exynos4210_write_secondary(ARMCPU *cpu,
         const struct arm_boot_info *info);
 
-Exynos4210State *exynos4210_init(MemoryRegion *system_mem);
-
 /* Initialize exynos4210 IRQ subsystem stub */
 qemu_irq *exynos4210_init_irq(Exynos4210Irq *env);
 
diff --git a/hw/arm/exynos4210.c b/hw/arm/exynos4210.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/exynos4210.c
+++ b/hw/arm/exynos4210.c
@@ -XXX,XX +XXX,XX @@ static void pl330_create(uint32_t base, qemu_irq irq, int nreq)
     sysbus_connect_irq(busdev, 0, irq);
 }
 
-Exynos4210State *exynos4210_init(MemoryRegion *system_mem)
+static void exynos4210_realize(DeviceState *socdev, Error **errp)
 {
-    Exynos4210State *s = g_new0(Exynos4210State, 1);
+    Exynos4210State *s = EXYNOS4210_SOC(socdev);
+    MemoryRegion *system_mem = get_system_memory();
     qemu_irq gate_irq[EXYNOS4210_NCPUS][EXYNOS4210_IRQ_GATE_NINPUTS];
     SysBusDevice *busdev;
     DeviceState *dev;
@@ -XXX,XX +XXX,XX @@ Exynos4210State *exynos4210_init(MemoryRegion *system_mem)
                  qemu_irq_invert(s->irq_table[exynos4210_get_irq(36, 1)]), 32);
     pl330_create(EXYNOS4210_PL330_BASE2_ADDR,
                  qemu_irq_invert(s->irq_table[exynos4210_get_irq(34, 1)]), 1);
-
-    return s;
 }
+
+static void exynos4210_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+
+    dc->realize = exynos4210_realize;
+}
+
+static const TypeInfo exynos4210_info = {
+    .name = TYPE_EXYNOS4210_SOC,
+    .parent = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(Exynos4210State),
+    .class_init = exynos4210_class_init,
+};
+
+static void exynos4210_register_types(void)
+{
+    type_register_static(&exynos4210_info);
+}
+
+type_init(exynos4210_register_types)
diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/exynos4_boards.c
+++ b/hw/arm/exynos4_boards.c
@@ -XXX,XX +XXX,XX @@ typedef enum Exynos4BoardType {
 } Exynos4BoardType;
 
 typedef struct Exynos4BoardState {
-    Exynos4210State *soc;
+    Exynos4210State soc;
     MemoryRegion dram0_mem;
     MemoryRegion dram1_mem;
 } Exynos4BoardState;
@@ -XXX,XX +XXX,XX @@ exynos4_boards_init_common(MachineState *machine,
     exynos4_boards_init_ram(s, get_system_memory(),
                             exynos4_board_ram_size[board_type]);
 
-    s->soc = exynos4210_init(get_system_memory());
+    object_initialize(&s->soc, sizeof(s->soc), TYPE_EXYNOS4210_SOC);
+    qdev_set_parent_bus(DEVICE(&s->soc), sysbus_get_default());
+    object_property_set_bool(OBJECT(&s->soc), true, "realized",
+                             &error_fatal);
 
     return s;
 }
@@ -XXX,XX +XXX,XX @@ static void smdkc210_init(MachineState *machine)
                                                       EXYNOS4_BOARD_SMDKC210);
 
     lan9215_init(SMDK_LAN9118_BASE_ADDR,
-            qemu_irq_invert(s->soc->irq_table[exynos4210_get_irq(37, 1)]));
+            qemu_irq_invert(s->soc.irq_table[exynos4210_get_irq(37, 1)]));
     arm_load_kernel(ARM_CPU(first_cpu), &exynos4_board_binfo);
 }
 
-- 
2.20.1

Hi; this mostly contains the first slice of A64 decodetree
patches, plus some other minor pieces. It also has the
enablement of MTE for KVM guests.

thanks
-- PMM

The following changes since commit d27e7c359330ba7020bdbed7ed2316cb4cf6ffc1:

qapi/parser: Drop two bad type hints for now (2023-05-17 10:18:33 -0700)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230518

for you to fetch changes up to 91608e2a44f36e79cb83f863b8a7bb57d2c98061:

docs: Convert u2f.txt to rST (2023-05-18 11:40:32 +0100)

----------------------------------------------------------------
target-arm queue:
 * Fix vd == vm overlap in sve_ldff1_z
 * Add support for MTE with KVM guests
 * Add RAZ/WI handling for DBGDTR[TX|RX]
 * Start of conversion of A64 decoder to decodetree
 * Saturate L2CTLR_EL1 core count field rather than overflowing
 * vexpress: Avoid trivial memory leak of 'flashalias'
 * sbsa-ref: switch default cpu core to Neoverse-N1
 * sbsa-ref: use Bochs graphics card instead of VGA
 * MAINTAINERS: Add Marcin Juszkiewicz to sbsa-ref reviewer list
 * docs: Convert u2f.txt to rST

----------------------------------------------------------------
Alex Bennée (1):
      target/arm: add RAZ/WI handling for DBGDTR[TX|RX]

Cornelia Huck (1):
      arm/kvm: add support for MTE

Marcin Juszkiewicz (3):
      sbsa-ref: switch default cpu core to Neoverse-N1
      Maintainers: add myself as reviewer for sbsa-ref
      sbsa-ref: use Bochs graphics card instead of VGA

Peter Maydell (14):
      target/arm: Create decodetree skeleton for A64
      target/arm: Pull calls to disas_sve() and disas_sme() out of legacy decoder
      target/arm: Convert Extract instructions to decodetree
      target/arm: Convert unconditional branch immediate to decodetree
      target/arm: Convert CBZ, CBNZ to decodetree
      target/arm: Convert TBZ, TBNZ to decodetree
      target/arm: Convert conditional branch insns to decodetree
      target/arm: Convert BR, BLR, RET to decodetree
      target/arm: Convert BRA[AB]Z, BLR[AB]Z, RETA[AB] to decodetree
      target/arm: Convert BRAA, BRAB, BLRAA, BLRAB to decodetree
      target/arm: Convert ERET, ERETAA, ERETAB to decodetree
      target/arm: Saturate L2CTLR_EL1 core count field rather than overflowing
      hw/arm/vexpress: Avoid trivial memory leak of 'flashalias'
      docs: Convert u2f.txt to rST

Richard Henderson (10):
      target/arm: Fix vd == vm overlap in sve_ldff1_z
      target/arm: Split out disas_a64_legacy
      target/arm: Convert PC-rel addressing to decodetree
      target/arm: Split gen_add_CC and gen_sub_CC
      target/arm: Convert Add/subtract (immediate) to decodetree
      target/arm: Convert Add/subtract (immediate with tags) to decodetree
      target/arm: Replace bitmask64 with MAKE_64BIT_MASK
      target/arm: Convert Logical (immediate) to decodetree
      target/arm: Convert Move wide (immediate) to decodetree
      target/arm: Convert Bitfield to decodetree

From: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>

The world outside moves to newer and newer cpu cores. Let move SBSA
Reference Platform to something newer as well.

Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
Message-id: 20230506183417.1360427-1-marcin.juszkiewicz@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/sbsa-ref.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/sbsa-ref.c
+++ b/hw/arm/sbsa-ref.c
@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_class_init(ObjectClass *oc, void *data)
 
     mc->init = sbsa_ref_init;
     mc->desc = "QEMU 'SBSA Reference' ARM Virtual Machine";
-    mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a57");
+    mc->default_cpu_type = ARM_CPU_TYPE_NAME("neoverse-n1");
     mc->max_cpus = 512;
     mc->pci_allow_0_address = true;
     mc->minimum_page_bits = 12;
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

If vd == vm, copy vm to scratch, so that we can pre-zero
the output and still access the gather indicies.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1612
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230504104232.1877774-1-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/sve_helper.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/target/arm/tcg/sve_helper.c b/target/arm/tcg/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/sve_helper.c
+++ b/target/arm/tcg/sve_helper.c
@@ -XXX,XX +XXX,XX @@ void sve_ldff1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
     intptr_t reg_off;
     SVEHostPage info;
     target_ulong addr, in_page;
+    ARMVectorReg scratch;
 
     /* Skip to the first true predicate.  */
     reg_off = find_next_active(vg, 0, reg_max, esz);
@@ -XXX,XX +XXX,XX @@ void sve_ldff1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
         return;
     }
 
+    /* Protect against overlap between vd and vm. */
+    if (unlikely(vd == vm)) {
+        vm = memcpy(&scratch, vm, reg_max);
+    }
+
     /*
      * Probe the first element, allowing faults.
      */
-- 
2.34.1

From: Cornelia Huck <cohuck@redhat.com>

Extend the 'mte' property for the virt machine to cover KVM as
well. For KVM, we don't allocate tag memory, but instead enable the
capability.

If MTE has been enabled, we need to disable migration, as we do not
yet have a way to migrate the tags as well. Therefore, MTE will stay
off with KVM unless requested explicitly.

Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230428095533.21747-2-cohuck@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h     |  4 +++
 target/arm/kvm_arm.h | 19 ++++++++++++
 hw/arm/virt.c        | 73 +++++++++++++++++++++++++-------------------
 target/arm/cpu.c     |  9 +++---
 target/arm/kvm.c     | 35 +++++++++++++++++++++
 target/arm/kvm64.c   |  5 +++
 6 files changed, 109 insertions(+), 36 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ struct ArchCPU {
      */
     uint32_t psci_conduit;
 
+    /* CPU has Memory Tag Extension */
+    bool has_mte;
+
     /* For v8M, initial value of the Secure VTOR */
     uint32_t init_svtor;
     /* For v8M, initial value of the Non-secure VTOR */
@@ -XXX,XX +XXX,XX @@ struct ArchCPU {
     bool prop_pauth;
     bool prop_pauth_impdef;
     bool prop_lpa2;
+    OnOffAuto prop_mte;
 
     /* DCZ blocksize, in log_2(words), ie low 4 bits of DCZID_EL0 */
     uint32_t dcz_blocksize;
diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm_arm.h
+++ b/target/arm/kvm_arm.h
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_pmu_supported(void);
  */
 bool kvm_arm_sve_supported(void);
 
+/**
+ * kvm_arm_mte_supported:
+ *
+ * Returns: true if KVM can enable MTE, and false otherwise.
+ */
+bool kvm_arm_mte_supported(void);
+
 /**
  * kvm_arm_get_max_vm_ipa_size:
  * @ms: Machine state handle
@@ -XXX,XX +XXX,XX @@ void kvm_arm_pvtime_init(CPUState *cs, uint64_t ipa);
 
 int kvm_arm_set_irq(int cpu, int irqtype, int irq, int level);
 
+void kvm_arm_enable_mte(Object *cpuobj, Error **errp);
+
 #else
 
 /*
@@ -XXX,XX +XXX,XX @@ static inline bool kvm_arm_steal_time_supported(void)
     return false;
 }
 
+static inline bool kvm_arm_mte_supported(void)
+{
+    return false;
+}
+
 /*
  * These functions should never actually be called without KVM support.
  */
@@ -XXX,XX +XXX,XX @@ static inline uint32_t kvm_arm_sve_get_vls(CPUState *cs)
     g_assert_not_reached();
 }
 
+static inline void kvm_arm_enable_mte(Object *cpuobj, Error **errp)
+{
+    g_assert_not_reached();
+}
+
 #endif
 
 static inline const char *gic_class_name(void)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
         exit(1);
     }
 
-    if (vms->mte && (kvm_enabled() || hvf_enabled())) {
+    if (vms->mte && hvf_enabled()) {
         error_report("mach-virt: %s does not support providing "
                      "MTE to the guest CPU",
                      current_accel_name());
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
         }
 
         if (vms->mte) {
-            /* Create the memory region only once, but link to all cpus. */
-            if (!tag_sysmem) {
-                /*
-                 * The property exists only if MemTag is supported.
-                 * If it is, we must allocate the ram to back that up.
-                 */
-                if (!object_property_find(cpuobj, "tag-memory")) {
-                    error_report("MTE requested, but not supported "
-                                 "by the guest CPU");
+            if (tcg_enabled()) {
+                /* Create the memory region only once, but link to all cpus. */
+                if (!tag_sysmem) {
+                    /*
+                     * The property exists only if MemTag is supported.
+                     * If it is, we must allocate the ram to back that up.
+                     */
+                    if (!object_property_find(cpuobj, "tag-memory")) {
+                        error_report("MTE requested, but not supported "
+                                     "by the guest CPU");
+                        exit(1);
+                    }
+
+                    tag_sysmem = g_new(MemoryRegion, 1);
+                    memory_region_init(tag_sysmem, OBJECT(machine),
+                                       "tag-memory", UINT64_MAX / 32);
+
+                    if (vms->secure) {
+                        secure_tag_sysmem = g_new(MemoryRegion, 1);
+                        memory_region_init(secure_tag_sysmem, OBJECT(machine),
+                                           "secure-tag-memory",
+                                           UINT64_MAX / 32);
+
+                        /* As with ram, secure-tag takes precedence over tag. */
+                        memory_region_add_subregion_overlap(secure_tag_sysmem,
+                                                            0, tag_sysmem, -1);
+                    }
+                }
+
+                object_property_set_link(cpuobj, "tag-memory",
+                                         OBJECT(tag_sysmem), &error_abort);
+                if (vms->secure) {
+                    object_property_set_link(cpuobj, "secure-tag-memory",
+                                             OBJECT(secure_tag_sysmem),
+                                             &error_abort);
+                }
+            } else if (kvm_enabled()) {
+                if (!kvm_arm_mte_supported()) {
+                    error_report("MTE requested, but not supported by KVM");
                     exit(1);
                 }
-
-                tag_sysmem = g_new(MemoryRegion, 1);
-                memory_region_init(tag_sysmem, OBJECT(machine),
-                                   "tag-memory", UINT64_MAX / 32);
-
-                if (vms->secure) {
-                    secure_tag_sysmem = g_new(MemoryRegion, 1);
-                    memory_region_init(secure_tag_sysmem, OBJECT(machine),
-                                       "secure-tag-memory", UINT64_MAX / 32);
-
-                    /* As with ram, secure-tag takes precedence over tag.  */
-                    memory_region_add_subregion_overlap(secure_tag_sysmem, 0,
-                                                        tag_sysmem, -1);
-                }
-            }
-
-            object_property_set_link(cpuobj, "tag-memory", OBJECT(tag_sysmem),
-                                     &error_abort);
-            if (vms->secure) {
-                object_property_set_link(cpuobj, "secure-tag-memory",
-                                         OBJECT(secure_tag_sysmem),
-                                         &error_abort);
+                kvm_arm_enable_mte(cpuobj, &error_abort);
             }
         }
 
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ void arm_cpu_post_init(Object *obj)
                                      qdev_prop_allow_set_link_before_realize,
                                      OBJ_PROP_LINK_STRONG);
         }
+        cpu->has_mte = true;
     }
 #endif
 }
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
         }
         if (cpu->tag_memory) {
             error_setg(errp,
-                       "Cannot enable %s when guest CPUs has MTE enabled",
+                       "Cannot enable %s when guest CPUs has tag memory enabled",
                        current_accel_name());
             return;
         }
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
     }
 
 #ifndef CONFIG_USER_ONLY
-    if (cpu->tag_memory == NULL && cpu_isar_feature(aa64_mte, cpu)) {
+    if (!cpu->has_mte && cpu_isar_feature(aa64_mte, cpu)) {
         /*
-         * Disable the MTE feature bits if we do not have tag-memory
-         * provided by the machine.
+         * Disable the MTE feature bits if we do not have the feature
+         * setup by the machine.
          */
         cpu->isar.id_aa64pfr1 =
             FIELD_DP64(cpu->isar.id_aa64pfr1, ID_AA64PFR1, MTE, 0);
diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm.c
+++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/boards.h"
 #include "hw/irq.h"
 #include "qemu/log.h"
+#include "migration/blocker.h"
 
 const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
     KVM_CAP_LAST_INFO
@@ -XXX,XX +XXX,XX @@ bool kvm_arch_cpu_check_are_resettable(void)
 void kvm_arch_accel_class_init(ObjectClass *oc)
 {
 }
+
+void kvm_arm_enable_mte(Object *cpuobj, Error **errp)
+{
+    static bool tried_to_enable;
+    static bool succeeded_to_enable;
+    Error *mte_migration_blocker = NULL;
+    int ret;
+
+    if (!tried_to_enable) {
+        /*
+         * MTE on KVM is enabled on a per-VM basis (and retrying doesn't make
+         * sense), and we only want a single migration blocker as well.
+         */
+        tried_to_enable = true;
+
+        ret = kvm_vm_enable_cap(kvm_state, KVM_CAP_ARM_MTE, 0);
+        if (ret) {
+            error_setg_errno(errp, -ret, "Failed to enable KVM_CAP_ARM_MTE");
+            return;
+        }
+
+        /* TODO: add proper migration support with MTE enabled */
+        error_setg(&mte_migration_blocker,
+                   "Live migration disabled due to MTE enabled");
+        if (migrate_add_blocker(mte_migration_blocker, errp)) {
+            error_free(mte_migration_blocker);
+            return;
+        }
+        succeeded_to_enable = true;
+    }
+    if (succeeded_to_enable) {
+        object_property_set_bool(cpuobj, "has_mte", true, NULL);
+    }
+}
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_steal_time_supported(void)
     return kvm_check_extension(kvm_state, KVM_CAP_STEAL_TIME);
 }
 
+bool kvm_arm_mte_supported(void)
+{
+    return kvm_check_extension(kvm_state, KVM_CAP_ARM_MTE);
+}
+
 QEMU_BUILD_BUG_ON(KVM_ARM64_SVE_VQ_MIN != 1);
 
 uint32_t kvm_arm_sve_get_vls(CPUState *cs)
-- 
2.34.1

From: Alex Bennée <alex.bennee@linaro.org>

The commit b3aa2f2128 (target/arm: provide stubs for more external
debug registers) was added to handle HyperV's unconditional usage of
Debug Communications Channel. It turns out that Linux will similarly
break if you enable CONFIG_HVC_DCC "ARM JTAG DCC console".

Extend the registers we RAZ/WI set to avoid this.

Cc: Anders Roxell <anders.roxell@linaro.org>
Cc: Evgeny Iakovlev <eiakovlev@linux.microsoft.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230516104420.407912-1-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/debug_helper.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/debug_helper.c
+++ b/target/arm/debug_helper.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {
       .access = PL0_R, .accessfn = access_tdcc,
       .type = ARM_CP_CONST, .resetvalue = 0 },
     /*
-     * OSDTRRX_EL1/OSDTRTX_EL1 are used for save and restore of DBGDTRRX_EL0.
-     * It is a component of the Debug Communications Channel, which is not implemented.
+     * These registers belong to the Debug Communications Channel,
+     * which is not implemented. However we implement RAZ/WI behaviour
+     * with trapping to prevent spurious SIGILLs if the guest OS does
+     * access them as the support cannot be probed for.
      */
     { .name = "OSDTRRX_EL1", .state = ARM_CP_STATE_BOTH, .cp = 14,
       .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 0, .opc2 = 2,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {
       .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 2,
       .access = PL1_RW, .accessfn = access_tdcc,
       .type = ARM_CP_CONST, .resetvalue = 0 },
+    /* DBGDTRTX_EL0/DBGDTRRX_EL0 depend on direction */
+    { .name = "DBGDTR_EL0", .state = ARM_CP_STATE_BOTH, .cp = 14,
+      .opc0 = 2, .opc1 = 3, .crn = 0, .crm = 5, .opc2 = 0,
+      .access = PL0_RW, .accessfn = access_tdcc,
+      .type = ARM_CP_CONST, .resetvalue = 0 },
     /*
      * OSECCR_EL1 provides a mechanism for an operating system
      * to access the contents of EDECCR. EDECCR is not implemented though,
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Split out all of the decode stuff from aarch64_tr_translate_insn.
Call it disas_a64_legacy to indicate it will be replaced.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230512144106.3608981-2-peter.maydell@linaro.org
[PMM: Rebased]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/translate-a64.c | 82 ++++++++++++++++++----------------
 1 file changed, 44 insertions(+), 38 deletions(-)

diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool btype_destination_ok(uint32_t insn, bool bt, int btype)
     return false;
 }
 
+/* C3.1 A64 instruction index by encoding */
+static void disas_a64_legacy(DisasContext *s, uint32_t insn)
+{
+    switch (extract32(insn, 25, 4)) {
+    case 0x0:
+        if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
+            unallocated_encoding(s);
+        }
+        break;
+    case 0x1: case 0x3: /* UNALLOCATED */
+        unallocated_encoding(s);
+        break;
+    case 0x2:
+        if (!disas_sve(s, insn)) {
+            unallocated_encoding(s);
+        }
+        break;
+    case 0x8: case 0x9: /* Data processing - immediate */
+        disas_data_proc_imm(s, insn);
+        break;
+    case 0xa: case 0xb: /* Branch, exception generation and system insns */
+        disas_b_exc_sys(s, insn);
+        break;
+    case 0x4:
+    case 0x6:
+    case 0xc:
+    case 0xe:      /* Loads and stores */
+        disas_ldst(s, insn);
+        break;
+    case 0x5:
+    case 0xd:      /* Data processing - register */
+        disas_data_proc_reg(s, insn);
+        break;
+    case 0x7:
+    case 0xf:      /* Data processing - SIMD and floating point */
+        disas_data_proc_simd_fp(s, insn);
+        break;
+    default:
+        assert(FALSE); /* all 15 cases should be handled above */
+        break;
+    }
+}
+
 static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
                                           CPUState *cpu)
 {
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         disas_sme_fa64(s, insn);
     }
 
-    switch (extract32(insn, 25, 4)) {
-    case 0x0:
-        if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
-            unallocated_encoding(s);
-        }
-        break;
-    case 0x1: case 0x3: /* UNALLOCATED */
-        unallocated_encoding(s);
-        break;
-    case 0x2:
-        if (!disas_sve(s, insn)) {
-            unallocated_encoding(s);
-        }
-        break;
-    case 0x8: case 0x9: /* Data processing - immediate */
-        disas_data_proc_imm(s, insn);
-        break;
-    case 0xa: case 0xb: /* Branch, exception generation and system insns */
-        disas_b_exc_sys(s, insn);
-        break;
-    case 0x4:
-    case 0x6:
-    case 0xc:
-    case 0xe:      /* Loads and stores */
-        disas_ldst(s, insn);
-        break;
-    case 0x5:
-    case 0xd:      /* Data processing - register */
-        disas_data_proc_reg(s, insn);
-        break;
-    case 0x7:
-    case 0xf:      /* Data processing - SIMD and floating point */
-        disas_data_proc_simd_fp(s, insn);
-        break;
-    default:
-        assert(FALSE); /* all 15 cases should be handled above */
-        break;
-    }
+    disas_a64_legacy(s, insn);
 
     /*
      * After execution of most insns, btype is reset to 0.
-- 
2.34.1

The A64 translator uses a hand-written decoder for everything except
SVE or SME.  It's fairly well structured, but it's becoming obvious
that it's still more painful to add instructions to than the A32
translator, because putting a new instruction into the right place in
a hand-written decoder is much harder than adding new instruction
patterns to a decodetree file.

As the first step in conversion to decodetree, create the skeleton of
the decodetree decoder; where it does not handle instructions we will
fall back to the legacy decoder (which will be for everything at the
moment, since there are no patterns in a64.decode).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-3-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      | 20 ++++++++++++++++++++
 target/arm/tcg/translate-a64.c | 18 +++++++++++-------
 target/arm/tcg/meson.build     |  1 +
 3 files changed, 32 insertions(+), 7 deletions(-)
 create mode 100644 target/arm/tcg/a64.decode

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@
+# AArch64 A64 allowed instruction decoding
+#
+#  Copyright (c) 2023 Linaro, Ltd
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+#
+# This file is processed by scripts/decodetree.py
+#
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ enum a64_shift_type {
     A64_SHIFT_TYPE_ROR = 3
 };
 
+/*
+ * Include the generated decoders.
+ */
+
+#include "decode-sme-fa64.c.inc"
+#include "decode-a64.c.inc"
+
 /* Table based decoder typedefs - used when the relevant bits for decode
  * are too awkwardly scattered across the instruction (eg SIMD).
  */
@@ -XXX,XX +XXX,XX @@ static void disas_data_proc_simd_fp(DisasContext *s, uint32_t insn)
     }
 }
 
-/*
- * Include the generated SME FA64 decoder.
- */
-
-#include "decode-sme-fa64.c.inc"
-
 static bool trans_OK(DisasContext *s, arg_OK *a)
 {
     return true;
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         disas_sme_fa64(s, insn);
     }
 
-    disas_a64_legacy(s, insn);
+
+    if (!disas_a64(s, insn)) {
+        disas_a64_legacy(s, insn);
+    }
 
     /*
      * After execution of most insns, btype is reset to 0.
diff --git a/target/arm/tcg/meson.build b/target/arm/tcg/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/meson.build
+++ b/target/arm/tcg/meson.build
@@ -XXX,XX +XXX,XX @@ gen = [
   decodetree.process('a32-uncond.decode', extra_args: '--static-decode=disas_a32_uncond'),
   decodetree.process('t32.decode', extra_args: '--static-decode=disas_t32'),
   decodetree.process('t16.decode', extra_args: ['-w', '16', '--static-decode=disas_t16']),
+  decodetree.process('a64.decode', extra_args: ['--static-decode=disas_a64']),
 ]
 
 arm_ss.add(gen)
-- 
2.34.1

The SVE and SME decode is already done by decodetree.  Pull the calls
to these decoders out of the legacy decoder.  This doesn't change
behaviour because all the patterns in sve.decode and sme.decode
already require the bits that the legacy decoder is decoding to have
the correct values.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-4-peter.maydell@linaro.org
---
 target/arm/tcg/translate-a64.c | 20 ++++----------------
 1 file changed, 4 insertions(+), 16 deletions(-)

diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool btype_destination_ok(uint32_t insn, bool bt, int btype)
 static void disas_a64_legacy(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 25, 4)) {
-    case 0x0:
-        if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
-            unallocated_encoding(s);
-        }
-        break;
-    case 0x1: case 0x3: /* UNALLOCATED */
-        unallocated_encoding(s);
-        break;
-    case 0x2:
-        if (!disas_sve(s, insn)) {
-            unallocated_encoding(s);
-        }
-        break;
     case 0x8: case 0x9: /* Data processing - immediate */
         disas_data_proc_imm(s, insn);
         break;
@@ -XXX,XX +XXX,XX @@ static void disas_a64_legacy(DisasContext *s, uint32_t insn)
         disas_data_proc_simd_fp(s, insn);
         break;
     default:
-        assert(FALSE); /* all 15 cases should be handled above */
+        unallocated_encoding(s);
         break;
     }
 }
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         disas_sme_fa64(s, insn);
     }
 
-
-    if (!disas_a64(s, insn)) {
+    if (!disas_a64(s, insn) &&
+        !disas_sme(s, insn) &&
+        !disas_sve(s, insn)) {
         disas_a64_legacy(s, insn);
     }
 
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Convert the ADR and ADRP instructions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230512144106.3608981-5-peter.maydell@linaro.org
[PMM: Rebased]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/a64.decode      | 13 ++++++++++++
 target/arm/tcg/translate-a64.c | 38 +++++++++++++---------------------
 2 files changed, 27 insertions(+), 24 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@
 #
 # This file is processed by scripts/decodetree.py
 #
+
+&ri              rd imm
+
+
+### Data Processing - Immediate
+
+# PC-rel addressing
+
+%imm_pcrel      5:s19 29:2
+@pcrel          . .. ..... ................... rd:5     &ri imm=%imm_pcrel
+
+ADR             0 .. 10000 ................... .....    @pcrel
+ADRP            1 .. 10000 ................... .....    @pcrel
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_ldst(DisasContext *s, uint32_t insn)
     }
 }
 
-/* PC-rel. addressing
- *   31  30   29 28       24 23                5 4    0
- * +----+-------+-----------+-------------------+------+
- * | op | immlo | 1 0 0 0 0 |       immhi       |  Rd  |
- * +----+-------+-----------+-------------------+------+
+/*
+ * PC-rel. addressing
  */
-static void disas_pc_rel_adr(DisasContext *s, uint32_t insn)
+
+static bool trans_ADR(DisasContext *s, arg_ri *a)
 {
-    unsigned int page, rd;
-    int64_t offset;
+    gen_pc_plus_diff(s, cpu_reg(s, a->rd), a->imm);
+    return true;
+}
 
-    page = extract32(insn, 31, 1);
-    /* SignExtend(immhi:immlo) -> offset */
-    offset = sextract64(insn, 5, 19);
-    offset = offset << 2 | extract32(insn, 29, 2);
-    rd = extract32(insn, 0, 5);
+static bool trans_ADRP(DisasContext *s, arg_ri *a)
+{
+    int64_t offset = (int64_t)a->imm << 12;
 
-    if (page) {
-        /* ADRP (page based) */
-        offset <<= 12;
-        /* The page offset is ok for CF_PCREL. */
-        offset -= s->pc_curr & 0xfff;
-    }
-
-    gen_pc_plus_diff(s, cpu_reg(s, rd), offset);
+    /* The page offset is ok for CF_PCREL. */
+    offset -= s->pc_curr & 0xfff;
+    gen_pc_plus_diff(s, cpu_reg(s, a->rd), offset);
+    return true;
 }
 
 /*
@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
 static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 23, 6)) {
-    case 0x20: case 0x21: /* PC-rel. addressing */
-        disas_pc_rel_adr(s, insn);
-        break;
     case 0x22: /* Add/subtract (immediate) */
         disas_add_sub_imm(s, insn);
         break;
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Split out specific 32-bit and 64-bit functions.
These carry the same signature as tcg_gen_add_i64,
and so will be easier to pass as callbacks.

Retain gen_add_CC and gen_sub_CC during conversion.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230512144106.3608981-6-peter.maydell@linaro.org
[PMM: rebased]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/translate-a64.c | 149 +++++++++++++++++++--------------
 1 file changed, 84 insertions(+), 65 deletions(-)

diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_logic_CC(int sf, TCGv_i64 result)
 }
 
 /* dest = T0 + T1; compute C, N, V and Z flags */
+static void gen_add64_CC(TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
+{
+    TCGv_i64 result, flag, tmp;
+    result = tcg_temp_new_i64();
+    flag = tcg_temp_new_i64();
+    tmp = tcg_temp_new_i64();
+
+    tcg_gen_movi_i64(tmp, 0);
+    tcg_gen_add2_i64(result, flag, t0, tmp, t1, tmp);
+
+    tcg_gen_extrl_i64_i32(cpu_CF, flag);
+
+    gen_set_NZ64(result);
+
+    tcg_gen_xor_i64(flag, result, t0);
+    tcg_gen_xor_i64(tmp, t0, t1);
+    tcg_gen_andc_i64(flag, flag, tmp);
+    tcg_gen_extrh_i64_i32(cpu_VF, flag);
+
+    tcg_gen_mov_i64(dest, result);
+}
+
+static void gen_add32_CC(TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
+{
+    TCGv_i32 t0_32 = tcg_temp_new_i32();
+    TCGv_i32 t1_32 = tcg_temp_new_i32();
+    TCGv_i32 tmp = tcg_temp_new_i32();
+
+    tcg_gen_movi_i32(tmp, 0);
+    tcg_gen_extrl_i64_i32(t0_32, t0);
+    tcg_gen_extrl_i64_i32(t1_32, t1);
+    tcg_gen_add2_i32(cpu_NF, cpu_CF, t0_32, tmp, t1_32, tmp);
+    tcg_gen_mov_i32(cpu_ZF, cpu_NF);
+    tcg_gen_xor_i32(cpu_VF, cpu_NF, t0_32);
+    tcg_gen_xor_i32(tmp, t0_32, t1_32);
+    tcg_gen_andc_i32(cpu_VF, cpu_VF, tmp);
+    tcg_gen_extu_i32_i64(dest, cpu_NF);
+}
+
 static void gen_add_CC(int sf, TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
 {
     if (sf) {
-        TCGv_i64 result, flag, tmp;
-        result = tcg_temp_new_i64();
-        flag = tcg_temp_new_i64();
-        tmp = tcg_temp_new_i64();
-
-        tcg_gen_movi_i64(tmp, 0);
-        tcg_gen_add2_i64(result, flag, t0, tmp, t1, tmp);
-
-        tcg_gen_extrl_i64_i32(cpu_CF, flag);
-
-        gen_set_NZ64(result);
-
-        tcg_gen_xor_i64(flag, result, t0);
-        tcg_gen_xor_i64(tmp, t0, t1);
-        tcg_gen_andc_i64(flag, flag, tmp);
-        tcg_gen_extrh_i64_i32(cpu_VF, flag);
-
-        tcg_gen_mov_i64(dest, result);
+        gen_add64_CC(dest, t0, t1);
     } else {
-        /* 32 bit arithmetic */
-        TCGv_i32 t0_32 = tcg_temp_new_i32();
-        TCGv_i32 t1_32 = tcg_temp_new_i32();
-        TCGv_i32 tmp = tcg_temp_new_i32();
-
-        tcg_gen_movi_i32(tmp, 0);
-        tcg_gen_extrl_i64_i32(t0_32, t0);
-        tcg_gen_extrl_i64_i32(t1_32, t1);
-        tcg_gen_add2_i32(cpu_NF, cpu_CF, t0_32, tmp, t1_32, tmp);
-        tcg_gen_mov_i32(cpu_ZF, cpu_NF);
-        tcg_gen_xor_i32(cpu_VF, cpu_NF, t0_32);
-        tcg_gen_xor_i32(tmp, t0_32, t1_32);
-        tcg_gen_andc_i32(cpu_VF, cpu_VF, tmp);
-        tcg_gen_extu_i32_i64(dest, cpu_NF);
+        gen_add32_CC(dest, t0, t1);
     }
 }
 
 /* dest = T0 - T1; compute C, N, V and Z flags */
+static void gen_sub64_CC(TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
+{
+    /* 64 bit arithmetic */
+    TCGv_i64 result, flag, tmp;
+
+    result = tcg_temp_new_i64();
+    flag = tcg_temp_new_i64();
+    tcg_gen_sub_i64(result, t0, t1);
+
+    gen_set_NZ64(result);
+
+    tcg_gen_setcond_i64(TCG_COND_GEU, flag, t0, t1);
+    tcg_gen_extrl_i64_i32(cpu_CF, flag);
+
+    tcg_gen_xor_i64(flag, result, t0);
+    tmp = tcg_temp_new_i64();
+    tcg_gen_xor_i64(tmp, t0, t1);
+    tcg_gen_and_i64(flag, flag, tmp);
+    tcg_gen_extrh_i64_i32(cpu_VF, flag);
+    tcg_gen_mov_i64(dest, result);
+}
+
+static void gen_sub32_CC(TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
+{
+    /* 32 bit arithmetic */
+    TCGv_i32 t0_32 = tcg_temp_new_i32();
+    TCGv_i32 t1_32 = tcg_temp_new_i32();
+    TCGv_i32 tmp;
+
+    tcg_gen_extrl_i64_i32(t0_32, t0);
+    tcg_gen_extrl_i64_i32(t1_32, t1);
+    tcg_gen_sub_i32(cpu_NF, t0_32, t1_32);
+    tcg_gen_mov_i32(cpu_ZF, cpu_NF);
+    tcg_gen_setcond_i32(TCG_COND_GEU, cpu_CF, t0_32, t1_32);
+    tcg_gen_xor_i32(cpu_VF, cpu_NF, t0_32);
+    tmp = tcg_temp_new_i32();
+    tcg_gen_xor_i32(tmp, t0_32, t1_32);
+    tcg_gen_and_i32(cpu_VF, cpu_VF, tmp);
+    tcg_gen_extu_i32_i64(dest, cpu_NF);
+}
+
 static void gen_sub_CC(int sf, TCGv_i64 dest, TCGv_i64 t0, TCGv_i64 t1)
 {
     if (sf) {
-        /* 64 bit arithmetic */
-        TCGv_i64 result, flag, tmp;
-
-        result = tcg_temp_new_i64();
-        flag = tcg_temp_new_i64();
-        tcg_gen_sub_i64(result, t0, t1);
-
-        gen_set_NZ64(result);
-
-        tcg_gen_setcond_i64(TCG_COND_GEU, flag, t0, t1);
-        tcg_gen_extrl_i64_i32(cpu_CF, flag);
-
-        tcg_gen_xor_i64(flag, result, t0);
-        tmp = tcg_temp_new_i64();
-        tcg_gen_xor_i64(tmp, t0, t1);
-        tcg_gen_and_i64(flag, flag, tmp);
-        tcg_gen_extrh_i64_i32(cpu_VF, flag);
-        tcg_gen_mov_i64(dest, result);
+        gen_sub64_CC(dest, t0, t1);
     } else {
-        /* 32 bit arithmetic */
-        TCGv_i32 t0_32 = tcg_temp_new_i32();
-        TCGv_i32 t1_32 = tcg_temp_new_i32();
-        TCGv_i32 tmp;
-
-        tcg_gen_extrl_i64_i32(t0_32, t0);
-        tcg_gen_extrl_i64_i32(t1_32, t1);
-        tcg_gen_sub_i32(cpu_NF, t0_32, t1_32);
-        tcg_gen_mov_i32(cpu_ZF, cpu_NF);
-        tcg_gen_setcond_i32(TCG_COND_GEU, cpu_CF, t0_32, t1_32);
-        tcg_gen_xor_i32(cpu_VF, cpu_NF, t0_32);
-        tmp = tcg_temp_new_i32();
-        tcg_gen_xor_i32(tmp, t0_32, t1_32);
-        tcg_gen_and_i32(cpu_VF, cpu_VF, tmp);
-        tcg_gen_extu_i32_i64(dest, cpu_NF);
+        gen_sub32_CC(dest, t0, t1);
     }
 }
 
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Convert the ADD and SUB (immediate) instructions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230512144106.3608981-7-peter.maydell@linaro.org
[PMM: Rebased; adjusted to use translate.h's TRANS macro]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/translate.h     |  5 +++
 target/arm/tcg/a64.decode      | 17 ++++++++
 target/arm/tcg/translate-a64.c | 73 ++++++++++------------------------
 3 files changed, 42 insertions(+), 53 deletions(-)

diff --git a/target/arm/tcg/translate.h b/target/arm/tcg/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate.h
+++ b/target/arm/tcg/translate.h
@@ -XXX,XX +XXX,XX @@ static inline int rsub_8(DisasContext *s, int x)
     return 8 - x;
 }
 
+static inline int shl_12(DisasContext *s, int x)
+{
+    return x << 12;
+}
+
 static inline int neon_3same_fp_size(DisasContext *s, int x)
 {
     /* Convert 0==fp32, 1==fp16 into a MO_* value */
diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@
 #
 
 &ri              rd imm
+&rri_sf          rd rn imm sf
 
 
 ### Data Processing - Immediate
@@ -XXX,XX +XXX,XX @@
 
 ADR             0 .. 10000 ................... .....    @pcrel
 ADRP            1 .. 10000 ................... .....    @pcrel
+
+# Add/subtract (immediate)
+
+%imm12_sh12     10:12 !function=shl_12
+@addsub_imm     sf:1 .. ...... . imm:12 rn:5 rd:5
+@addsub_imm12   sf:1 .. ...... . ............ rn:5 rd:5 imm=%imm12_sh12
+
+ADD_i           . 00 100010 0 ............ ..... .....  @addsub_imm
+ADD_i           . 00 100010 1 ............ ..... .....  @addsub_imm12
+ADDS_i          . 01 100010 0 ............ ..... .....  @addsub_imm
+ADDS_i          . 01 100010 1 ............ ..... .....  @addsub_imm12
+
+SUB_i           . 10 100010 0 ............ ..... .....  @addsub_imm
+SUB_i           . 10 100010 1 ............ ..... .....  @addsub_imm12
+SUBS_i          . 11 100010 0 ............ ..... .....  @addsub_imm
+SUBS_i          . 11 100010 1 ............ ..... .....  @addsub_imm12
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_ldst(DisasContext *s, uint32_t insn)
     }
 }
 
+typedef void ArithTwoOp(TCGv_i64, TCGv_i64, TCGv_i64);
+
+static bool gen_rri(DisasContext *s, arg_rri_sf *a,
+                    bool rd_sp, bool rn_sp, ArithTwoOp *fn)
+{
+    TCGv_i64 tcg_rn = rn_sp ? cpu_reg_sp(s, a->rn) : cpu_reg(s, a->rn);
+    TCGv_i64 tcg_rd = rd_sp ? cpu_reg_sp(s, a->rd) : cpu_reg(s, a->rd);
+    TCGv_i64 tcg_imm = tcg_constant_i64(a->imm);
+
+    fn(tcg_rd, tcg_rn, tcg_imm);
+    if (!a->sf) {
+        tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
+    }
+    return true;
+}
+
 /*
  * PC-rel. addressing
  */
@@ -XXX,XX +XXX,XX @@ static bool trans_ADRP(DisasContext *s, arg_ri *a)
 
 /*
  * Add/subtract (immediate)
- *
- *  31 30 29 28         23 22 21         10 9   5 4   0
- * +--+--+--+-------------+--+-------------+-----+-----+
- * |sf|op| S| 1 0 0 0 1 0 |sh|    imm12    |  Rn | Rd  |
- * +--+--+--+-------------+--+-------------+-----+-----+
- *
- *    sf: 0 -> 32bit, 1 -> 64bit
- *    op: 0 -> add  , 1 -> sub
- *     S: 1 -> set flags
- *    sh: 1 -> LSL imm by 12
  */
-static void disas_add_sub_imm(DisasContext *s, uint32_t insn)
-{
-    int rd = extract32(insn, 0, 5);
-    int rn = extract32(insn, 5, 5);
-    uint64_t imm = extract32(insn, 10, 12);
-    bool shift = extract32(insn, 22, 1);
-    bool setflags = extract32(insn, 29, 1);
-    bool sub_op = extract32(insn, 30, 1);
-    bool is_64bit = extract32(insn, 31, 1);
-
-    TCGv_i64 tcg_rn = cpu_reg_sp(s, rn);
-    TCGv_i64 tcg_rd = setflags ? cpu_reg(s, rd) : cpu_reg_sp(s, rd);
-    TCGv_i64 tcg_result;
-
-    if (shift) {
-        imm <<= 12;
-    }
-
-    tcg_result = tcg_temp_new_i64();
-    if (!setflags) {
-        if (sub_op) {
-            tcg_gen_subi_i64(tcg_result, tcg_rn, imm);
-        } else {
-            tcg_gen_addi_i64(tcg_result, tcg_rn, imm);
-        }
-    } else {
-        TCGv_i64 tcg_imm = tcg_constant_i64(imm);
-        if (sub_op) {
-            gen_sub_CC(is_64bit, tcg_result, tcg_rn, tcg_imm);
-        } else {
-            gen_add_CC(is_64bit, tcg_result, tcg_rn, tcg_imm);
-        }
-    }
-
-    if (is_64bit) {
-        tcg_gen_mov_i64(tcg_rd, tcg_result);
-    } else {
-        tcg_gen_ext32u_i64(tcg_rd, tcg_result);
-    }
-}
+TRANS(ADD_i, gen_rri, a, 1, 1, tcg_gen_add_i64)
+TRANS(SUB_i, gen_rri, a, 1, 1, tcg_gen_sub_i64)
+TRANS(ADDS_i, gen_rri, a, 0, 1, a->sf ? gen_add64_CC : gen_add32_CC)
+TRANS(SUBS_i, gen_rri, a, 0, 1, a->sf ? gen_sub64_CC : gen_sub32_CC)
 
 /*
  * Add/subtract (immediate, with tags)
@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
 static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 23, 6)) {
-    case 0x22: /* Add/subtract (immediate) */
-        disas_add_sub_imm(s, insn);
-        break;
     case 0x23: /* Add/subtract (immediate, with tags) */
         disas_add_sub_imm_with_tags(s, insn);
         break;
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Convert the ADDG and SUBG (immediate) instructions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230512144106.3608981-8-peter.maydell@linaro.org
[PMM: Rebased; use TRANS_FEAT()]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/a64.decode      |  8 +++++++
 target/arm/tcg/translate-a64.c | 38 ++++++++++------------------------
 2 files changed, 19 insertions(+), 27 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Use the bitops.h macro rather than rolling our own here.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230512144106.3608981-9-peter.maydell@linaro.org
---
 target/arm/tcg/translate-a64.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static uint64_t bitfield_replicate(uint64_t mask, unsigned int e)
     return mask;
 }
 
-/* Return a value with the bottom len bits set (where 0 < len <= 64) */
-static inline uint64_t bitmask64(unsigned int length)
-{
-    assert(length > 0 && length <= 64);
-    return ~0ULL >> (64 - length);
-}
-
 /* Simplified variant of pseudocode DecodeBitMasks() for the case where we
  * only require the wmask. Returns false if the imms/immr/immn are a reserved
  * value (ie should cause a guest UNDEF exception), and true if they are
@@ -XXX,XX +XXX,XX @@ bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,
     /* Create the value of one element: s+1 set bits rotated
      * by r within the element (which is e bits wide)...
      */
-    mask = bitmask64(s + 1);
+    mask = MAKE_64BIT_MASK(0, s + 1);
     if (r) {
         mask = (mask >> r) | (mask << (e - r));
-        mask &= bitmask64(e);
+        mask &= MAKE_64BIT_MASK(0, e);
     }
     /* ...then replicate the element over the whole 64 bit value */
     mask = bitfield_replicate(mask, e);
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Convert the ADD, ORR, EOR, ANDS (immediate) instructions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230512144106.3608981-10-peter.maydell@linaro.org
[PMM: rebased]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/a64.decode      | 15 ++++++
 target/arm/tcg/translate-a64.c | 94 +++++++++++-----------------------
 2 files changed, 44 insertions(+), 65 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ SUBS_i          . 11 100010 1 ............ ..... .....  @addsub_imm12
 
 ADDG_i          1 00 100011 0 ...... 00 .... ..... ..... @addsub_imm_tag
 SUBG_i          1 10 100011 0 ...... 00 .... ..... ..... @addsub_imm_tag
+
+# Logical (immediate)
+
+&rri_log        rd rn sf dbm
+@logic_imm_64   1 .. ...... dbm:13 rn:5 rd:5            &rri_log sf=1
+@logic_imm_32   0 .. ...... 0 dbm:12 rn:5 rd:5          &rri_log sf=0
+
+AND_i           . 00 100100 . ...... ...... ..... ..... @logic_imm_64
+AND_i           . 00 100100 . ...... ...... ..... ..... @logic_imm_32
+ORR_i           . 01 100100 . ...... ...... ..... ..... @logic_imm_64
+ORR_i           . 01 100100 . ...... ...... ..... ..... @logic_imm_32
+EOR_i           . 10 100100 . ...... ...... ..... ..... @logic_imm_64
+EOR_i           . 10 100100 . ...... ...... ..... ..... @logic_imm_32
+ANDS_i          . 11 100100 . ...... ...... ..... ..... @logic_imm_64
+ANDS_i          . 11 100100 . ...... ...... ..... ..... @logic_imm_32
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static uint64_t bitfield_replicate(uint64_t mask, unsigned int e)
     return mask;
 }
 
-/* Simplified variant of pseudocode DecodeBitMasks() for the case where we
+/*
+ * Logical (immediate)
+ */
+
+/*
+ * Simplified variant of pseudocode DecodeBitMasks() for the case where we
  * only require the wmask. Returns false if the imms/immr/immn are a reserved
  * value (ie should cause a guest UNDEF exception), and true if they are
  * valid, in which case the decoded bit pattern is written to result.
@@ -XXX,XX +XXX,XX @@ bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,
     return true;
 }
 
-/* Logical (immediate)
- *   31  30 29 28         23 22  21  16 15  10 9    5 4    0
- * +----+-----+-------------+---+------+------+------+------+
- * | sf | opc | 1 0 0 1 0 0 | N | immr | imms |  Rn  |  Rd  |
- * +----+-----+-------------+---+------+------+------+------+
- */
-static void disas_logic_imm(DisasContext *s, uint32_t insn)
+static bool gen_rri_log(DisasContext *s, arg_rri_log *a, bool set_cc,
+                        void (*fn)(TCGv_i64, TCGv_i64, int64_t))
 {
-    unsigned int sf, opc, is_n, immr, imms, rn, rd;
     TCGv_i64 tcg_rd, tcg_rn;
-    uint64_t wmask;
-    bool is_and = false;
+    uint64_t imm;
 
-    sf = extract32(insn, 31, 1);
-    opc = extract32(insn, 29, 2);
-    is_n = extract32(insn, 22, 1);
-    immr = extract32(insn, 16, 6);
-    imms = extract32(insn, 10, 6);
-    rn = extract32(insn, 5, 5);
-    rd = extract32(insn, 0, 5);
-
-    if (!sf && is_n) {
-        unallocated_encoding(s);
-        return;
+    /* Some immediate field values are reserved. */
+    if (!logic_imm_decode_wmask(&imm, extract32(a->dbm, 12, 1),
+                                extract32(a->dbm, 0, 6),
+                                extract32(a->dbm, 6, 6))) {
+        return false;
+    }
+    if (!a->sf) {
+        imm &= 0xffffffffull;
     }
 
-    if (opc == 0x3) { /* ANDS */
-        tcg_rd = cpu_reg(s, rd);
-    } else {
-        tcg_rd = cpu_reg_sp(s, rd);
-    }
-    tcg_rn = cpu_reg(s, rn);
+    tcg_rd = set_cc ? cpu_reg(s, a->rd) : cpu_reg_sp(s, a->rd);
+    tcg_rn = cpu_reg(s, a->rn);
 
-    if (!logic_imm_decode_wmask(&wmask, is_n, imms, immr)) {
-        /* some immediate field values are reserved */
-        unallocated_encoding(s);
-        return;
+    fn(tcg_rd, tcg_rn, imm);
+    if (set_cc) {
+        gen_logic_CC(a->sf, tcg_rd);
     }
-
-    if (!sf) {
-        wmask &= 0xffffffff;
-    }
-
-    switch (opc) {
-    case 0x3: /* ANDS */
-    case 0x0: /* AND */
-        tcg_gen_andi_i64(tcg_rd, tcg_rn, wmask);
-        is_and = true;
-        break;
-    case 0x1: /* ORR */
-        tcg_gen_ori_i64(tcg_rd, tcg_rn, wmask);
-        break;
-    case 0x2: /* EOR */
-        tcg_gen_xori_i64(tcg_rd, tcg_rn, wmask);
-        break;
-    default:
-        assert(FALSE); /* must handle all above */
-        break;
-    }
-
-    if (!sf && !is_and) {
-        /* zero extend final result; we know we can skip this for AND
-         * since the immediate had the high 32 bits clear.
-         */
+    if (!a->sf) {
         tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
     }
-
-    if (opc == 3) { /* ANDS */
-        gen_logic_CC(sf, tcg_rd);
-    }
+    return true;
 }
 
+TRANS(AND_i, gen_rri_log, a, false, tcg_gen_andi_i64)
+TRANS(ORR_i, gen_rri_log, a, false, tcg_gen_ori_i64)
+TRANS(EOR_i, gen_rri_log, a, false, tcg_gen_xori_i64)
+TRANS(ANDS_i, gen_rri_log, a, true, tcg_gen_andi_i64)
+
 /*
  * Move wide (immediate)
  *
@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
 static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 23, 6)) {
-    case 0x24: /* Logical (immediate) */
-        disas_logic_imm(s, insn);
-        break;
     case 0x25: /* Move wide (immediate) */
         disas_movw_imm(s, insn);
         break;
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Convert the MON, MOVZ, MOVK instructions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230512144106.3608981-11-peter.maydell@linaro.org
[PMM: Rebased]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/a64.decode      | 13 ++++++
 target/arm/tcg/translate-a64.c | 73 ++++++++++++++--------------------
 2 files changed, 42 insertions(+), 44 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Convert the BFM, SBFM, UBFM instructions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230512144106.3608981-12-peter.maydell@linaro.org
[PMM: Rebased]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/a64.decode      |  13 +++
 target/arm/tcg/translate-a64.c | 144 ++++++++++++++++++---------------
 2 files changed, 94 insertions(+), 63 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ MOVZ            . 10 100101 .. ................ .....   @movw_64
 MOVZ            . 10 100101 .. ................ .....   @movw_32
 MOVK            . 11 100101 .. ................ .....   @movw_64
 MOVK            . 11 100101 .. ................ .....   @movw_32
+
+# Bitfield
+
+&bitfield       rd rn sf immr imms
+@bitfield_64    1 .. ...... 1 immr:6 imms:6 rn:5 rd:5      &bitfield sf=1
+@bitfield_32    0 .. ...... 0 0 immr:5 0 imms:5 rn:5 rd:5  &bitfield sf=0
+
+SBFM            . 00 100110 . ...... ...... ..... ..... @bitfield_64
+SBFM            . 00 100110 . ...... ...... ..... ..... @bitfield_32
+BFM             . 01 100110 . ...... ...... ..... ..... @bitfield_64
+BFM             . 01 100110 . ...... ...... ..... ..... @bitfield_32
+UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_64
+UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_32
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_MOVK(DisasContext *s, arg_movw *a)
     return true;
 }
 
-/* Bitfield
- *   31  30 29 28         23 22  21  16 15  10 9    5 4    0
- * +----+-----+-------------+---+------+------+------+------+
- * | sf | opc | 1 0 0 1 1 0 | N | immr | imms |  Rn  |  Rd  |
- * +----+-----+-------------+---+------+------+------+------+
+/*
+ * Bitfield
  */
-static void disas_bitfield(DisasContext *s, uint32_t insn)
+
+static bool trans_SBFM(DisasContext *s, arg_SBFM *a)
 {
-    unsigned int sf, n, opc, ri, si, rn, rd, bitsize, pos, len;
-    TCGv_i64 tcg_rd, tcg_tmp;
+    TCGv_i64 tcg_rd = cpu_reg(s, a->rd);
+    TCGv_i64 tcg_tmp = read_cpu_reg(s, a->rn, 1);
+    unsigned int bitsize = a->sf ? 64 : 32;
+    unsigned int ri = a->immr;
+    unsigned int si = a->imms;
+    unsigned int pos, len;
 
-    sf = extract32(insn, 31, 1);
-    opc = extract32(insn, 29, 2);
-    n = extract32(insn, 22, 1);
-    ri = extract32(insn, 16, 6);
-    si = extract32(insn, 10, 6);
-    rn = extract32(insn, 5, 5);
-    rd = extract32(insn, 0, 5);
-    bitsize = sf ? 64 : 32;
-
-    if (sf != n || ri >= bitsize || si >= bitsize || opc > 2) {
-        unallocated_encoding(s);
-        return;
-    }
-
-    tcg_rd = cpu_reg(s, rd);
-
-    /* Suppress the zero-extend for !sf.  Since RI and SI are constrained
-       to be smaller than bitsize, we'll never reference data outside the
-       low 32-bits anyway.  */
-    tcg_tmp = read_cpu_reg(s, rn, 1);
-
-    /* Recognize simple(r) extractions.  */
     if (si >= ri) {
         /* Wd<s-r:0> = Wn<s:r> */
         len = (si - ri) + 1;
-        if (opc == 0) { /* SBFM: ASR, SBFX, SXTB, SXTH, SXTW */
-            tcg_gen_sextract_i64(tcg_rd, tcg_tmp, ri, len);
-            goto done;
-        } else if (opc == 2) { /* UBFM: UBFX, LSR, UXTB, UXTH */
-            tcg_gen_extract_i64(tcg_rd, tcg_tmp, ri, len);
-            return;
+        tcg_gen_sextract_i64(tcg_rd, tcg_tmp, ri, len);
+        if (!a->sf) {
+            tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
         }
-        /* opc == 1, BFXIL fall through to deposit */
+    } else {
+        /* Wd<32+s-r,32-r> = Wn<s:0> */
+        len = si + 1;
+        pos = (bitsize - ri) & (bitsize - 1);
+
+        if (len < ri) {
+            /*
+             * Sign extend the destination field from len to fill the
+             * balance of the word.  Let the deposit below insert all
+             * of those sign bits.
+             */
+            tcg_gen_sextract_i64(tcg_tmp, tcg_tmp, 0, len);
+            len = ri;
+        }
+
+        /*
+         * We start with zero, and we haven't modified any bits outside
+         * bitsize, therefore no final zero-extension is unneeded for !sf.
+         */
+        tcg_gen_deposit_z_i64(tcg_rd, tcg_tmp, pos, len);
+    }
+    return true;
+}
+
+static bool trans_UBFM(DisasContext *s, arg_UBFM *a)
+{
+    TCGv_i64 tcg_rd = cpu_reg(s, a->rd);
+    TCGv_i64 tcg_tmp = read_cpu_reg(s, a->rn, 1);
+    unsigned int bitsize = a->sf ? 64 : 32;
+    unsigned int ri = a->immr;
+    unsigned int si = a->imms;
+    unsigned int pos, len;
+
+    tcg_rd = cpu_reg(s, a->rd);
+    tcg_tmp = read_cpu_reg(s, a->rn, 1);
+
+    if (si >= ri) {
+        /* Wd<s-r:0> = Wn<s:r> */
+        len = (si - ri) + 1;
+        tcg_gen_extract_i64(tcg_rd, tcg_tmp, ri, len);
+    } else {
+        /* Wd<32+s-r,32-r> = Wn<s:0> */
+        len = si + 1;
+        pos = (bitsize - ri) & (bitsize - 1);
+        tcg_gen_deposit_z_i64(tcg_rd, tcg_tmp, pos, len);
+    }
+    return true;
+}
+
+static bool trans_BFM(DisasContext *s, arg_BFM *a)
+{
+    TCGv_i64 tcg_rd = cpu_reg(s, a->rd);
+    TCGv_i64 tcg_tmp = read_cpu_reg(s, a->rn, 1);
+    unsigned int bitsize = a->sf ? 64 : 32;
+    unsigned int ri = a->immr;
+    unsigned int si = a->imms;
+    unsigned int pos, len;
+
+    tcg_rd = cpu_reg(s, a->rd);
+    tcg_tmp = read_cpu_reg(s, a->rn, 1);
+
+    if (si >= ri) {
+        /* Wd<s-r:0> = Wn<s:r> */
         tcg_gen_shri_i64(tcg_tmp, tcg_tmp, ri);
+        len = (si - ri) + 1;
         pos = 0;
     } else {
-        /* Handle the ri > si case with a deposit
-         * Wd<32+s-r,32-r> = Wn<s:0>
-         */
+        /* Wd<32+s-r,32-r> = Wn<s:0> */
         len = si + 1;
         pos = (bitsize - ri) & (bitsize - 1);
     }
 
-    if (opc == 0 && len < ri) {
-        /* SBFM: sign extend the destination field from len to fill
-           the balance of the word.  Let the deposit below insert all
-           of those sign bits.  */
-        tcg_gen_sextract_i64(tcg_tmp, tcg_tmp, 0, len);
-        len = ri;
-    }
-
-    if (opc == 1) { /* BFM, BFXIL */
-        tcg_gen_deposit_i64(tcg_rd, tcg_rd, tcg_tmp, pos, len);
-    } else {
-        /* SBFM or UBFM: We start with zero, and we haven't modified
-           any bits outside bitsize, therefore the zero-extension
-           below is unneeded.  */
-        tcg_gen_deposit_z_i64(tcg_rd, tcg_tmp, pos, len);
-        return;
-    }
-
- done:
-    if (!sf) { /* zero extend final result */
+    tcg_gen_deposit_i64(tcg_rd, tcg_rd, tcg_tmp, pos, len);
+    if (!a->sf) {
         tcg_gen_ext32u_i64(tcg_rd, tcg_rd);
     }
+    return true;
 }
 
 /* Extract
@@ -XXX,XX +XXX,XX @@ static void disas_extract(DisasContext *s, uint32_t insn)
 static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 23, 6)) {
-    case 0x26: /* Bitfield */
-        disas_bitfield(s, insn);
-        break;
     case 0x27: /* Extract */
         disas_extract(s, insn);
         break;
-- 
2.34.1

Convert the EXTR instruction to decodetree (this is the
only one in the 'Extract" class). This is the last of
the dp-immediate insns in the legacy decoder, so we
can now remove disas_data_proc_imm().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-13-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      |  7 +++
 target/arm/tcg/translate-a64.c | 94 +++++++++++-----------------------
 2 files changed, 36 insertions(+), 65 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ BFM             . 01 100110 . ...... ...... ..... ..... @bitfield_64
 BFM             . 01 100110 . ...... ...... ..... ..... @bitfield_32
 UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_64
 UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_32
+
+# Extract
+
+&extract        rd rn rm imm sf
+
+EXTR            1 00 100111 1 0 rm:5 imm:6 rn:5 rd:5     &extract sf=1
+EXTR            0 00 100111 0 0 rm:5 0 imm:5 rn:5 rd:5   &extract sf=0
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_BFM(DisasContext *s, arg_BFM *a)
     return true;
 }
 
-/* Extract
- *   31  30  29 28         23 22   21  20  16 15    10 9    5 4    0
- * +----+------+-------------+---+----+------+--------+------+------+
- * | sf | op21 | 1 0 0 1 1 1 | N | o0 |  Rm  |  imms  |  Rn  |  Rd  |
- * +----+------+-------------+---+----+------+--------+------+------+
- */
-static void disas_extract(DisasContext *s, uint32_t insn)
+static bool trans_EXTR(DisasContext *s, arg_extract *a)
 {
-    unsigned int sf, n, rm, imm, rn, rd, bitsize, op21, op0;
+    TCGv_i64 tcg_rd, tcg_rm, tcg_rn;
 
-    sf = extract32(insn, 31, 1);
-    n = extract32(insn, 22, 1);
-    rm = extract32(insn, 16, 5);
-    imm = extract32(insn, 10, 6);
-    rn = extract32(insn, 5, 5);
-    rd = extract32(insn, 0, 5);
-    op21 = extract32(insn, 29, 2);
-    op0 = extract32(insn, 21, 1);
-    bitsize = sf ? 64 : 32;
+    tcg_rd = cpu_reg(s, a->rd);
 
-    if (sf != n || op21 || op0 || imm >= bitsize) {
-        unallocated_encoding(s);
-    } else {
-        TCGv_i64 tcg_rd, tcg_rm, tcg_rn;
-
-        tcg_rd = cpu_reg(s, rd);
-
-        if (unlikely(imm == 0)) {
-            /* tcg shl_i32/shl_i64 is undefined for 32/64 bit shifts,
-             * so an extract from bit 0 is a special case.
-             */
-            if (sf) {
-                tcg_gen_mov_i64(tcg_rd, cpu_reg(s, rm));
-            } else {
-                tcg_gen_ext32u_i64(tcg_rd, cpu_reg(s, rm));
-            }
+    if (unlikely(a->imm == 0)) {
+        /*
+         * tcg shl_i32/shl_i64 is undefined for 32/64 bit shifts,
+         * so an extract from bit 0 is a special case.
+         */
+        if (a->sf) {
+            tcg_gen_mov_i64(tcg_rd, cpu_reg(s, a->rm));
         } else {
-            tcg_rm = cpu_reg(s, rm);
-            tcg_rn = cpu_reg(s, rn);
+            tcg_gen_ext32u_i64(tcg_rd, cpu_reg(s, a->rm));
+        }
+    } else {
+        tcg_rm = cpu_reg(s, a->rm);
+        tcg_rn = cpu_reg(s, a->rn);
 
-            if (sf) {
-                /* Specialization to ROR happens in EXTRACT2.  */
-                tcg_gen_extract2_i64(tcg_rd, tcg_rm, tcg_rn, imm);
+        if (a->sf) {
+            /* Specialization to ROR happens in EXTRACT2.  */
+            tcg_gen_extract2_i64(tcg_rd, tcg_rm, tcg_rn, a->imm);
+        } else {
+            TCGv_i32 t0 = tcg_temp_new_i32();
+
+            tcg_gen_extrl_i64_i32(t0, tcg_rm);
+            if (a->rm == a->rn) {
+                tcg_gen_rotri_i32(t0, t0, a->imm);
             } else {
-                TCGv_i32 t0 = tcg_temp_new_i32();
-
-                tcg_gen_extrl_i64_i32(t0, tcg_rm);
-                if (rm == rn) {
-                    tcg_gen_rotri_i32(t0, t0, imm);
-                } else {
-                    TCGv_i32 t1 = tcg_temp_new_i32();
-                    tcg_gen_extrl_i64_i32(t1, tcg_rn);
-                    tcg_gen_extract2_i32(t0, t0, t1, imm);
-                }
-                tcg_gen_extu_i32_i64(tcg_rd, t0);
+                TCGv_i32 t1 = tcg_temp_new_i32();
+                tcg_gen_extrl_i64_i32(t1, tcg_rn);
+                tcg_gen_extract2_i32(t0, t0, t1, a->imm);
             }
+            tcg_gen_extu_i32_i64(tcg_rd, t0);
         }
     }
-}
-
-/* Data processing - immediate */
-static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
-{
-    switch (extract32(insn, 23, 6)) {
-    case 0x27: /* Extract */
-        disas_extract(s, insn);
-        break;
-    default:
-        unallocated_encoding(s);
-        break;
-    }
+    return true;
 }
 
 /* Shift a TCGv src by TCGv shift_amount, put result in dst.
@@ -XXX,XX +XXX,XX @@ static bool btype_destination_ok(uint32_t insn, bool bt, int btype)
 static void disas_a64_legacy(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 25, 4)) {
-    case 0x8: case 0x9: /* Data processing - immediate */
-        disas_data_proc_imm(s, insn);
-        break;
     case 0xa: case 0xb: /* Branch, exception generation and system insns */
         disas_b_exc_sys(s, insn);
         break;
-- 
2.34.1

Convert the unconditional branch immediate insns B and BL to
decodetree.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-14-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      |  9 +++++++++
 target/arm/tcg/translate-a64.c | 31 +++++++++++--------------------
 2 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@
 
 &ri              rd imm
 &rri_sf          rd rn imm sf
+&i               imm
 
 
 ### Data Processing - Immediate
@@ -XXX,XX +XXX,XX @@ UBFM            . 10 100110 . ...... ...... ..... ..... @bitfield_32
 
 EXTR            1 00 100111 1 0 rm:5 imm:6 rn:5 rd:5     &extract sf=1
 EXTR            0 00 100111 0 0 rm:5 0 imm:5 rn:5 rd:5   &extract sf=0
+
+# Branches
+
+%imm26   0:s26 !function=times_4
+@branch         . ..... .......................... &i imm=%imm26
+
+B               0 00101 .......................... @branch
+BL              1 00101 .......................... @branch
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline AArch64DecodeFn *lookup_disas_fn(const AArch64DecodeTable *table,
  * match up with those in the manual.
  */
 
-/* Unconditional branch (immediate)
- *   31  30       26 25                                  0
- * +----+-----------+-------------------------------------+
- * | op | 0 0 1 0 1 |                 imm26               |
- * +----+-----------+-------------------------------------+
- */
-static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
+static bool trans_B(DisasContext *s, arg_i *a)
 {
-    int64_t diff = sextract32(insn, 0, 26) * 4;
-
-    if (insn & (1U << 31)) {
-        /* BL Branch with link */
-        gen_pc_plus_diff(s, cpu_reg(s, 30), curr_insn_len(s));
-    }
-
-    /* B Branch / BL Branch with link */
     reset_btype(s);
-    gen_goto_tb(s, 0, diff);
+    gen_goto_tb(s, 0, a->imm);
+    return true;
+}
+
+static bool trans_BL(DisasContext *s, arg_i *a)
+{
+    gen_pc_plus_diff(s, cpu_reg(s, 30), curr_insn_len(s));
+    reset_btype(s);
+    gen_goto_tb(s, 0, a->imm);
+    return true;
 }
 
 /* Compare and branch (immediate)
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
 static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 25, 7)) {
-    case 0x0a: case 0x0b:
-    case 0x4a: case 0x4b: /* Unconditional branch (immediate) */
-        disas_uncond_b_imm(s, insn);
-        break;
     case 0x1a: case 0x5a: /* Compare & branch (immediate) */
         disas_comp_b_imm(s, insn);
         break;
-- 
2.34.1

Convert the compare-and-branch-immediate insns CBZ and CBNZ
to decodetree.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-15-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      |  5 +++++
 target/arm/tcg/translate-a64.c | 26 ++++++--------------------
 2 files changed, 11 insertions(+), 20 deletions(-)

Convert the test-and-branch-immediate insns TBZ and TBNZ
to decodetree.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-16-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      |  6 ++++++
 target/arm/tcg/translate-a64.c | 25 +++++--------------------
 2 files changed, 11 insertions(+), 20 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ BL              1 00101 .......................... @branch
 &cbz     rt imm sf nz
 
 CBZ             sf:1 011010 nz:1 ................... rt:5 &cbz imm=%imm19
+
+%imm14     5:s14 !function=times_4
+%imm31_19  31:1 19:5
+&tbz       rt imm nz bitpos
+
+TBZ             . 011011 nz:1 ..... .............. rt:5 &tbz  imm=%imm14 bitpos=%imm31_19
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_CBZ(DisasContext *s, arg_cbz *a)
     return true;
 }
 
-/* Test and branch (immediate)
- *   31  30         25  24  23   19 18          5 4    0
- * +----+-------------+----+-------+-------------+------+
- * | b5 | 0 1 1 0 1 1 | op |  b40  |    imm14    |  Rt  |
- * +----+-------------+----+-------+-------------+------+
- */
-static void disas_test_b_imm(DisasContext *s, uint32_t insn)
+static bool trans_TBZ(DisasContext *s, arg_tbz *a)
 {
-    unsigned int bit_pos, op, rt;
-    int64_t diff;
     DisasLabel match;
     TCGv_i64 tcg_cmp;
 
-    bit_pos = (extract32(insn, 31, 1) << 5) | extract32(insn, 19, 5);
-    op = extract32(insn, 24, 1); /* 0: TBZ; 1: TBNZ */
-    diff = sextract32(insn, 5, 14) * 4;
-    rt = extract32(insn, 0, 5);
-
     tcg_cmp = tcg_temp_new_i64();
-    tcg_gen_andi_i64(tcg_cmp, cpu_reg(s, rt), (1ULL << bit_pos));
+    tcg_gen_andi_i64(tcg_cmp, cpu_reg(s, a->rt), 1ULL << a->bitpos);
 
     reset_btype(s);
 
     match = gen_disas_label(s);
-    tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
+    tcg_gen_brcondi_i64(a->nz ? TCG_COND_NE : TCG_COND_EQ,
                         tcg_cmp, 0, match.label);
     gen_goto_tb(s, 0, 4);
     set_disas_label(s, match);
-    gen_goto_tb(s, 1, diff);
+    gen_goto_tb(s, 1, a->imm);
+    return true;
 }
 
 /* Conditional branch (immediate)
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
 static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 25, 7)) {
-    case 0x1b: case 0x5b: /* Test & branch (immediate) */
-        disas_test_b_imm(s, insn);
-        break;
     case 0x2a: /* Conditional branch (immediate) */
         disas_cond_b_imm(s, insn);
         break;
-- 
2.34.1

Convert the immediate conditional branch insn B.cond to
decodetree.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-17-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      |  2 ++
 target/arm/tcg/translate-a64.c | 30 ++++++------------------------
 2 files changed, 8 insertions(+), 24 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ CBZ             sf:1 011010 nz:1 ................... rt:5 &cbz imm=%imm19
 &tbz       rt imm nz bitpos
 
 TBZ             . 011011 nz:1 ..... .............. rt:5 &tbz  imm=%imm14 bitpos=%imm31_19
+
+B_cond          0101010 0 ................... 0 cond:4 imm=%imm19
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_TBZ(DisasContext *s, arg_tbz *a)
     return true;
 }
 
-/* Conditional branch (immediate)
- *  31           25  24  23                  5   4  3    0
- * +---------------+----+---------------------+----+------+
- * | 0 1 0 1 0 1 0 | o1 |         imm19       | o0 | cond |
- * +---------------+----+---------------------+----+------+
- */
-static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
+static bool trans_B_cond(DisasContext *s, arg_B_cond *a)
 {
-    unsigned int cond;
-    int64_t diff;
-
-    if ((insn & (1 << 4)) || (insn & (1 << 24))) {
-        unallocated_encoding(s);
-        return;
-    }
-    diff = sextract32(insn, 5, 19) * 4;
-    cond = extract32(insn, 0, 4);
-
     reset_btype(s);
-    if (cond < 0x0e) {
+    if (a->cond < 0x0e) {
         /* genuinely conditional branches */
         DisasLabel match = gen_disas_label(s);
-        arm_gen_test_cc(cond, match.label);
+        arm_gen_test_cc(a->cond, match.label);
         gen_goto_tb(s, 0, 4);
         set_disas_label(s, match);
-        gen_goto_tb(s, 1, diff);
+        gen_goto_tb(s, 1, a->imm);
     } else {
         /* 0xe and 0xf are both "always" conditions */
-        gen_goto_tb(s, 0, diff);
+        gen_goto_tb(s, 0, a->imm);
     }
+    return true;
 }
 
 /* HINT instruction group, including various allocated HINTs */
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
 static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
 {
     switch (extract32(insn, 25, 7)) {
-    case 0x2a: /* Conditional branch (immediate) */
-        disas_cond_b_imm(s, insn);
-        break;
     case 0x6a: /* Exception generation / System */
         if (insn & (1 << 24)) {
             if (extract32(insn, 22, 2) == 0) {
-- 
2.34.1

Convert the simple (non-pointer-auth) BR, BLR and RET insns
to decodetree.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-18-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      |  5 ++++
 target/arm/tcg/translate-a64.c | 55 ++++++++++++++++++++++++++++++----
 2 files changed, 54 insertions(+), 6 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@
 # This file is processed by scripts/decodetree.py
 #
 
+&r               rn
 &ri              rd imm
 &rri_sf          rd rn imm sf
 &i               imm
@@ -XXX,XX +XXX,XX @@ CBZ             sf:1 011010 nz:1 ................... rt:5 &cbz imm=%imm19
 TBZ             . 011011 nz:1 ..... .............. rt:5 &tbz  imm=%imm14 bitpos=%imm31_19
 
 B_cond          0101010 0 ................... 0 cond:4 imm=%imm19
+
+BR              1101011 0000 11111 000000 rn:5 00000 &r
+BLR             1101011 0001 11111 000000 rn:5 00000 &r
+RET             1101011 0010 11111 000000 rn:5 00000 &r
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_B_cond(DisasContext *s, arg_B_cond *a)
     return true;
 }
 
+static void set_btype_for_br(DisasContext *s, int rn)
+{
+    if (dc_isar_feature(aa64_bti, s)) {
+        /* BR to {x16,x17} or !guard -> 1, else 3.  */
+        set_btype(s, rn == 16 || rn == 17 || !s->guarded_page ? 1 : 3);
+    }
+}
+
+static void set_btype_for_blr(DisasContext *s)
+{
+    if (dc_isar_feature(aa64_bti, s)) {
+        /* BLR sets BTYPE to 2, regardless of source guarded page.  */
+        set_btype(s, 2);
+    }
+}
+
+static bool trans_BR(DisasContext *s, arg_r *a)
+{
+    gen_a64_set_pc(s, cpu_reg(s, a->rn));
+    set_btype_for_br(s, a->rn);
+    s->base.is_jmp = DISAS_JUMP;
+    return true;
+}
+
+static bool trans_BLR(DisasContext *s, arg_r *a)
+{
+    TCGv_i64 dst = cpu_reg(s, a->rn);
+    TCGv_i64 lr = cpu_reg(s, 30);
+    if (dst == lr) {
+        TCGv_i64 tmp = tcg_temp_new_i64();
+        tcg_gen_mov_i64(tmp, dst);
+        dst = tmp;
+    }
+    gen_pc_plus_diff(s, lr, curr_insn_len(s));
+    gen_a64_set_pc(s, dst);
+    set_btype_for_blr(s);
+    s->base.is_jmp = DISAS_JUMP;
+    return true;
+}
+
+static bool trans_RET(DisasContext *s, arg_r *a)
+{
+    gen_a64_set_pc(s, cpu_reg(s, a->rn));
+    s->base.is_jmp = DISAS_JUMP;
+    return true;
+}
+
 /* HINT instruction group, including various allocated HINTs */
 static void handle_hint(DisasContext *s, uint32_t insn,
                         unsigned int op1, unsigned int op2, unsigned int crm)
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
         btype_mod = opc;
         switch (op3) {
         case 0:
-            /* BR, BLR, RET */
-            if (op4 != 0) {
-                goto do_unallocated;
-            }
-            dst = cpu_reg(s, rn);
-            break;
+            /* BR, BLR, RET : handled in decodetree */
+            goto do_unallocated;
 
         case 2:
         case 3:
-- 
2.34.1

Convert the single-register pointer-authentication variants of BR,
BLR, RET to decodetree. (BRAA/BLRAA are in a different branch of
the legacy decoder and will be dealt with in the next commit.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-19-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      |   7 ++
 target/arm/tcg/translate-a64.c | 132 +++++++++++++++++++--------------
 2 files changed, 84 insertions(+), 55 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ B_cond          0101010 0 ................... 0 cond:4 imm=%imm19
 BR              1101011 0000 11111 000000 rn:5 00000 &r
 BLR             1101011 0001 11111 000000 rn:5 00000 &r
 RET             1101011 0010 11111 000000 rn:5 00000 &r
+
+&braz       rn m
+BRAZ            1101011 0000 11111 00001 m:1 rn:5 11111 &braz   # BRAAZ, BRABZ
+BLRAZ           1101011 0001 11111 00001 m:1 rn:5 11111 &braz   # BLRAAZ, BLRABZ
+
+&reta       m
+RETA            1101011 0010 11111 00001 m:1 11111 11111 &reta  # RETAA, RETAB
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_RET(DisasContext *s, arg_r *a)
     return true;
 }
 
+static TCGv_i64 auth_branch_target(DisasContext *s, TCGv_i64 dst,
+                                   TCGv_i64 modifier, bool use_key_a)
+{
+    TCGv_i64 truedst;
+    /*
+     * Return the branch target for a BRAA/RETA/etc, which is either
+     * just the destination dst, or that value with the pauth check
+     * done and the code removed from the high bits.
+     */
+    if (!s->pauth_active) {
+        return dst;
+    }
+
+    truedst = tcg_temp_new_i64();
+    if (use_key_a) {
+        gen_helper_autia(truedst, cpu_env, dst, modifier);
+    } else {
+        gen_helper_autib(truedst, cpu_env, dst, modifier);
+    }
+    return truedst;
+}
+
+static bool trans_BRAZ(DisasContext *s, arg_braz *a)
+{
+    TCGv_i64 dst;
+
+    if (!dc_isar_feature(aa64_pauth, s)) {
+        return false;
+    }
+
+    dst = auth_branch_target(s, cpu_reg(s, a->rn), tcg_constant_i64(0), !a->m);
+    gen_a64_set_pc(s, dst);
+    set_btype_for_br(s, a->rn);
+    s->base.is_jmp = DISAS_JUMP;
+    return true;
+}
+
+static bool trans_BLRAZ(DisasContext *s, arg_braz *a)
+{
+    TCGv_i64 dst, lr;
+
+    if (!dc_isar_feature(aa64_pauth, s)) {
+        return false;
+    }
+
+    dst = auth_branch_target(s, cpu_reg(s, a->rn), tcg_constant_i64(0), !a->m);
+    lr = cpu_reg(s, 30);
+    if (dst == lr) {
+        TCGv_i64 tmp = tcg_temp_new_i64();
+        tcg_gen_mov_i64(tmp, dst);
+        dst = tmp;
+    }
+    gen_pc_plus_diff(s, lr, curr_insn_len(s));
+    gen_a64_set_pc(s, dst);
+    set_btype_for_blr(s);
+    s->base.is_jmp = DISAS_JUMP;
+    return true;
+}
+
+static bool trans_RETA(DisasContext *s, arg_reta *a)
+{
+    TCGv_i64 dst;
+
+    dst = auth_branch_target(s, cpu_reg(s, 30), cpu_X[31], !a->m);
+    gen_a64_set_pc(s, dst);
+    s->base.is_jmp = DISAS_JUMP;
+    return true;
+}
+
 /* HINT instruction group, including various allocated HINTs */
 static void handle_hint(DisasContext *s, uint32_t insn,
                         unsigned int op1, unsigned int op2, unsigned int crm)
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
     }
 
     switch (opc) {
-    case 0: /* BR */
-    case 1: /* BLR */
-    case 2: /* RET */
-        btype_mod = opc;
-        switch (op3) {
-        case 0:
-            /* BR, BLR, RET : handled in decodetree */
-            goto do_unallocated;
-
-        case 2:
-        case 3:
-            if (!dc_isar_feature(aa64_pauth, s)) {
-                goto do_unallocated;
-            }
-            if (opc == 2) {
-                /* RETAA, RETAB */
-                if (rn != 0x1f || op4 != 0x1f) {
-                    goto do_unallocated;
-                }
-                rn = 30;
-                modifier = cpu_X[31];
-            } else {
-                /* BRAAZ, BRABZ, BLRAAZ, BLRABZ */
-                if (op4 != 0x1f) {
-                    goto do_unallocated;
-                }
-                modifier = tcg_constant_i64(0);
-            }
-            if (s->pauth_active) {
-                dst = tcg_temp_new_i64();
-                if (op3 == 2) {
-                    gen_helper_autia(dst, cpu_env, cpu_reg(s, rn), modifier);
-                } else {
-                    gen_helper_autib(dst, cpu_env, cpu_reg(s, rn), modifier);
-                }
-            } else {
-                dst = cpu_reg(s, rn);
-            }
-            break;
-
-        default:
-            goto do_unallocated;
-        }
-        /* BLR also needs to load return address */
-        if (opc == 1) {
-            TCGv_i64 lr = cpu_reg(s, 30);
-            if (dst == lr) {
-                TCGv_i64 tmp = tcg_temp_new_i64();
-                tcg_gen_mov_i64(tmp, dst);
-                dst = tmp;
-            }
-            gen_pc_plus_diff(s, lr, curr_insn_len(s));
-        }
-        gen_a64_set_pc(s, dst);
-        break;
+    case 0:
+    case 1:
+    case 2:
+        /*
+         * BR, BLR, RET, RETAA, RETAB, BRAAZ, BRABZ, BLRAAZ, BLRABZ:
+         * handled in decodetree
+         */
+        goto do_unallocated;
 
     case 8: /* BRAA */
     case 9: /* BLRAA */
-- 
2.34.1

Convert the last four BR-with-pointer-auth insns to decodetree.
The remaining cases in the outer switch in disas_uncond_b_reg()
all return early rather than leaving the case statement, so we
can delete the now-unused code at the end of that function.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-20-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      |  4 ++
 target/arm/tcg/translate-a64.c | 97 ++++++++++++++--------------------
 2 files changed, 43 insertions(+), 58 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ BLRAZ           1101011 0001 11111 00001 m:1 rn:5 11111 &braz   # BLRAAZ, BLRABZ
 
 &reta       m
 RETA            1101011 0010 11111 00001 m:1 11111 11111 &reta  # RETAA, RETAB
+
+&bra        rn rm m
+BRA             1101011 1000 11111 00001 m:1 rn:5 rm:5 &bra # BRAA, BRAB
+BLRA            1101011 1001 11111 00001 m:1 rn:5 rm:5 &bra # BLRAA, BLRAB
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_RETA(DisasContext *s, arg_reta *a)
     return true;
 }
 
+static bool trans_BRA(DisasContext *s, arg_bra *a)
+{
+    TCGv_i64 dst;
+
+    if (!dc_isar_feature(aa64_pauth, s)) {
+        return false;
+    }
+    dst = auth_branch_target(s, cpu_reg(s,a->rn), cpu_reg_sp(s, a->rm), !a->m);
+    gen_a64_set_pc(s, dst);
+    set_btype_for_br(s, a->rn);
+    s->base.is_jmp = DISAS_JUMP;
+    return true;
+}
+
+static bool trans_BLRA(DisasContext *s, arg_bra *a)
+{
+    TCGv_i64 dst, lr;
+
+    if (!dc_isar_feature(aa64_pauth, s)) {
+        return false;
+    }
+    dst = auth_branch_target(s, cpu_reg(s, a->rn), cpu_reg_sp(s, a->rm), !a->m);
+    lr = cpu_reg(s, 30);
+    if (dst == lr) {
+        TCGv_i64 tmp = tcg_temp_new_i64();
+        tcg_gen_mov_i64(tmp, dst);
+        dst = tmp;
+    }
+    gen_pc_plus_diff(s, lr, curr_insn_len(s));
+    gen_a64_set_pc(s, dst);
+    set_btype_for_blr(s);
+    s->base.is_jmp = DISAS_JUMP;
+    return true;
+}
+
 /* HINT instruction group, including various allocated HINTs */
 static void handle_hint(DisasContext *s, uint32_t insn,
                         unsigned int op1, unsigned int op2, unsigned int crm)
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
 static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
 {
     unsigned int opc, op2, op3, rn, op4;
-    unsigned btype_mod = 2;   /* 0: BR, 1: BLR, 2: other */
     TCGv_i64 dst;
     TCGv_i64 modifier;
 
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
     case 0:
     case 1:
     case 2:
+    case 8:
+    case 9:
         /*
-         * BR, BLR, RET, RETAA, RETAB, BRAAZ, BRABZ, BLRAAZ, BLRABZ:
-         * handled in decodetree
+         * BR, BLR, RET, RETAA, RETAB, BRAAZ, BRABZ, BLRAAZ, BLRABZ,
+         * BRAA, BLRAA: handled in decodetree
          */
         goto do_unallocated;
 
-    case 8: /* BRAA */
-    case 9: /* BLRAA */
-        if (!dc_isar_feature(aa64_pauth, s)) {
-            goto do_unallocated;
-        }
-        if ((op3 & ~1) != 2) {
-            goto do_unallocated;
-        }
-        btype_mod = opc & 1;
-        if (s->pauth_active) {
-            dst = tcg_temp_new_i64();
-            modifier = cpu_reg_sp(s, op4);
-            if (op3 == 2) {
-                gen_helper_autia(dst, cpu_env, cpu_reg(s, rn), modifier);
-            } else {
-                gen_helper_autib(dst, cpu_env, cpu_reg(s, rn), modifier);
-            }
-        } else {
-            dst = cpu_reg(s, rn);
-        }
-        /* BLRAA also needs to load return address */
-        if (opc == 9) {
-            TCGv_i64 lr = cpu_reg(s, 30);
-            if (dst == lr) {
-                TCGv_i64 tmp = tcg_temp_new_i64();
-                tcg_gen_mov_i64(tmp, dst);
-                dst = tmp;
-            }
-            gen_pc_plus_diff(s, lr, curr_insn_len(s));
-        }
-        gen_a64_set_pc(s, dst);
-        break;
-
     case 4: /* ERET */
         if (s->current_el == 0) {
             goto do_unallocated;
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
         unallocated_encoding(s);
         return;
     }
-
-    switch (btype_mod) {
-    case 0: /* BR */
-        if (dc_isar_feature(aa64_bti, s)) {
-            /* BR to {x16,x17} or !guard -> 1, else 3.  */
-            set_btype(s, rn == 16 || rn == 17 || !s->guarded_page ? 1 : 3);
-        }
-        break;
-
-    case 1: /* BLR */
-        if (dc_isar_feature(aa64_bti, s)) {
-            /* BLR sets BTYPE to 2, regardless of source guarded page.  */
-            set_btype(s, 2);
-        }
-        break;
-
-    default: /* RET or none of the above.  */
-        /* BTYPE will be set to 0 by normal end-of-insn processing.  */
-        break;
-    }
-
-    s->base.is_jmp = DISAS_JUMP;
 }
 
 /* Branches, exception generating and system instructions */
-- 
2.34.1

Convert the exception-return insns ERET, ERETA and ERETB to
decodetree. These were the last insns left in the legacy
decoder function disas_uncond_reg_b(), which allows us to
remove it.

The old decoder explicitly decoded the DRPS instruction,
only in order to call unallocated_encoding() on it, exactly
as would have happened if it hadn't decoded it. This is
because this insn always UNDEFs unless the CPU is in
halting-debug state, which we don't emulate. So we list
the pattern in a comment in a64.decode, but don't actively
decode it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512144106.3608981-21-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode      |   8 ++
 target/arm/tcg/translate-a64.c | 163 +++++++++++----------------------
 2 files changed, 63 insertions(+), 108 deletions(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ RETA            1101011 0010 11111 00001 m:1 11111 11111 &reta  # RETAA, RETAB
 &bra        rn rm m
 BRA             1101011 1000 11111 00001 m:1 rn:5 rm:5 &bra # BRAA, BRAB
 BLRA            1101011 1001 11111 00001 m:1 rn:5 rm:5 &bra # BLRAA, BLRAB
+
+ERET            1101011 0100 11111 000000 11111 00000
+ERETA           1101011 0100 11111 00001 m:1 11111 11111 &reta  # ERETAA, ERETAB
+
+# We don't need to decode DRPS because it always UNDEFs except when
+# the processor is in halting debug state (which we don't implement).
+# The pattern is listed here as documentation.
+# DRPS            1101011 0101 11111 000000 11111 00000
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_BLRA(DisasContext *s, arg_bra *a)
     return true;
 }
 
+static bool trans_ERET(DisasContext *s, arg_ERET *a)
+{
+    TCGv_i64 dst;
+
+    if (s->current_el == 0) {
+        return false;
+    }
+    if (s->fgt_eret) {
+        gen_exception_insn_el(s, 0, EXCP_UDEF, 0, 2);
+        return true;
+    }
+    dst = tcg_temp_new_i64();
+    tcg_gen_ld_i64(dst, cpu_env,
+                   offsetof(CPUARMState, elr_el[s->current_el]));
+
+    if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
+        gen_io_start();
+    }
+
+    gen_helper_exception_return(cpu_env, dst);
+    /* Must exit loop to check un-masked IRQs */
+    s->base.is_jmp = DISAS_EXIT;
+    return true;
+}
+
+static bool trans_ERETA(DisasContext *s, arg_reta *a)
+{
+    TCGv_i64 dst;
+
+    if (!dc_isar_feature(aa64_pauth, s)) {
+        return false;
+    }
+    if (s->current_el == 0) {
+        return false;
+    }
+    /* The FGT trap takes precedence over an auth trap. */
+    if (s->fgt_eret) {
+        gen_exception_insn_el(s, 0, EXCP_UDEF, a->m ? 3 : 2, 2);
+        return true;
+    }
+    dst = tcg_temp_new_i64();
+    tcg_gen_ld_i64(dst, cpu_env,
+                   offsetof(CPUARMState, elr_el[s->current_el]));
+
+    dst = auth_branch_target(s, dst, cpu_X[31], !a->m);
+    if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
+        gen_io_start();
+    }
+
+    gen_helper_exception_return(cpu_env, dst);
+    /* Must exit loop to check un-masked IRQs */
+    s->base.is_jmp = DISAS_EXIT;
+    return true;
+}
+
 /* HINT instruction group, including various allocated HINTs */
 static void handle_hint(DisasContext *s, uint32_t insn,
                         unsigned int op1, unsigned int op2, unsigned int crm)
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
     }
 }
 
-/* Unconditional branch (register)
- *  31           25 24   21 20   16 15   10 9    5 4     0
- * +---------------+-------+-------+-------+------+-------+
- * | 1 1 0 1 0 1 1 |  opc  |  op2  |  op3  |  Rn  |  op4  |
- * +---------------+-------+-------+-------+------+-------+
- */
-static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
-{
-    unsigned int opc, op2, op3, rn, op4;
-    TCGv_i64 dst;
-    TCGv_i64 modifier;
-
-    opc = extract32(insn, 21, 4);
-    op2 = extract32(insn, 16, 5);
-    op3 = extract32(insn, 10, 6);
-    rn = extract32(insn, 5, 5);
-    op4 = extract32(insn, 0, 5);
-
-    if (op2 != 0x1f) {
-        goto do_unallocated;
-    }
-
-    switch (opc) {
-    case 0:
-    case 1:
-    case 2:
-    case 8:
-    case 9:
-        /*
-         * BR, BLR, RET, RETAA, RETAB, BRAAZ, BRABZ, BLRAAZ, BLRABZ,
-         * BRAA, BLRAA: handled in decodetree
-         */
-        goto do_unallocated;
-
-    case 4: /* ERET */
-        if (s->current_el == 0) {
-            goto do_unallocated;
-        }
-        switch (op3) {
-        case 0: /* ERET */
-            if (op4 != 0) {
-                goto do_unallocated;
-            }
-            if (s->fgt_eret) {
-                gen_exception_insn_el(s, 0, EXCP_UDEF, syn_erettrap(op3), 2);
-                return;
-            }
-            dst = tcg_temp_new_i64();
-            tcg_gen_ld_i64(dst, cpu_env,
-                           offsetof(CPUARMState, elr_el[s->current_el]));
-            break;
-
-        case 2: /* ERETAA */
-        case 3: /* ERETAB */
-            if (!dc_isar_feature(aa64_pauth, s)) {
-                goto do_unallocated;
-            }
-            if (rn != 0x1f || op4 != 0x1f) {
-                goto do_unallocated;
-            }
-            /* The FGT trap takes precedence over an auth trap. */
-            if (s->fgt_eret) {
-                gen_exception_insn_el(s, 0, EXCP_UDEF, syn_erettrap(op3), 2);
-                return;
-            }
-            dst = tcg_temp_new_i64();
-            tcg_gen_ld_i64(dst, cpu_env,
-                           offsetof(CPUARMState, elr_el[s->current_el]));
-            if (s->pauth_active) {
-                modifier = cpu_X[31];
-                if (op3 == 2) {
-                    gen_helper_autia(dst, cpu_env, dst, modifier);
-                } else {
-                    gen_helper_autib(dst, cpu_env, dst, modifier);
-                }
-            }
-            break;
-
-        default:
-            goto do_unallocated;
-        }
-        if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
-            gen_io_start();
-        }
-
-        gen_helper_exception_return(cpu_env, dst);
-        /* Must exit loop to check un-masked IRQs */
-        s->base.is_jmp = DISAS_EXIT;
-        return;
-
-    case 5: /* DRPS */
-        if (op3 != 0 || op4 != 0 || rn != 0x1f) {
-            goto do_unallocated;
-        } else {
-            unallocated_encoding(s);
-        }
-        return;
-
-    default:
-    do_unallocated:
-        unallocated_encoding(s);
-        return;
-    }
-}
-
 /* Branches, exception generating and system instructions */
 static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
 {
@@ -XXX,XX +XXX,XX @@ static void disas_b_exc_sys(DisasContext *s, uint32_t insn)
             disas_exc(s, insn);
         }
         break;
-    case 0x6b: /* Unconditional branch (register) */
-        disas_uncond_b_reg(s, insn);
-        break;
     default:
         unallocated_encoding(s);
         break;
-- 
2.34.1

The IMPDEF sysreg L2CTLR_EL1 found on the Cortex-A35, A53, A57, A72
and which we (arguably dubiously) also provide in '-cpu max' has a
2 bit field for the number of processors in the cluster. On real
hardware this must be sufficient because it can only be configured
with up to 4 CPUs in the cluster. However on QEMU if the board code
does not explicitly configure the code into clusters with the right
CPU count we default to "give the value assuming that all CPUs in
the system are in a single cluster", which might be too big to fit
in the field.

Instead of just overflowing this 2-bit field, saturate to 3 (meaning
"4 CPUs", so at least we don't overwrite other fields in the register.
It's unlikely that any guest code really cares about the value in
this field; at least, if it does it probably also wants the system
to be more closely matching real hardware, i.e. not to have more
than 4 CPUs.

This issue has been present since the L2CTLR was first added in
commit 377a44ec8f2fac5b back in 2014. It was only noticed because
Coverity complains (CID 1509227) that the shift might overflow 32 bits
and inadvertently sign extend into the top half of the 64 bit value.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230512170223.3801643-2-peter.maydell@linaro.org
---
 target/arm/cortex-regs.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/target/arm/cortex-regs.c b/target/arm/cortex-regs.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cortex-regs.c
+++ b/target/arm/cortex-regs.c
@@ -XXX,XX +XXX,XX @@ static uint64_t l2ctlr_read(CPUARMState *env, const ARMCPRegInfo *ri)
 {
     ARMCPU *cpu = env_archcpu(env);
 
-    /* Number of cores is in [25:24]; otherwise we RAZ */
-    return (cpu->core_count - 1) << 24;
+    /*
+     * Number of cores is in [25:24]; otherwise we RAZ.
+     * If the board didn't configure the CPUs into clusters,
+     * we default to "all CPUs in one cluster", which might be
+     * more than the 4 that the hardware permits and which is
+     * all you can report in this two-bit field. Saturate to
+     * 0b11 (== 4 CPUs) rather than overflowing the field.
+     */
+    return MIN(cpu->core_count - 1, 3) << 24;
 }
 
 static const ARMCPRegInfo cortex_a72_a57_a53_cp_reginfo[] = {
-- 
2.34.1

In the vexpress board code, we allocate a new MemoryRegion at the top
of vexpress_common_init() but only set it up and use it inside the
"if (map[VE_NORFLASHALIAS] != -1)" conditional, so we leak it if not.
This isn't a very interesting leak as it's a tiny amount of memory
once at startup, but it's easy to fix.

We could silence Coverity simply by moving the g_new() into the
if() block, but this use of g_new(MemoryRegion, 1) is a legacy from
when this board model was originally written; we wouldn't do that
if we wrote it today. The MemoryRegions are conceptually a part of
the board and must not go away until the whole board is done with
(at the end of the simulation), so they belong in its state struct.

This machine already has a VexpressMachineState struct that extends
MachineState, so statically put the MemoryRegions in there instead of
dynamically allocating them separately at runtime.

Spotted by Coverity (CID 1509083).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20230512170223.3801643-3-peter.maydell@linaro.org
---
 hw/arm/vexpress.c | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/vexpress.c
+++ b/hw/arm/vexpress.c
@@ -XXX,XX +XXX,XX @@ struct VexpressMachineClass {
 
 struct VexpressMachineState {
     MachineState parent;
+    MemoryRegion vram;
+    MemoryRegion sram;
+    MemoryRegion flashalias;
+    MemoryRegion lowram;
+    MemoryRegion a15sram;
     bool secure;
     bool virt;
 };
@@ -XXX,XX +XXX,XX @@ struct VexpressMachineState {
 #define TYPE_VEXPRESS_A15_MACHINE   MACHINE_TYPE_NAME("vexpress-a15")
 OBJECT_DECLARE_TYPE(VexpressMachineState, VexpressMachineClass, VEXPRESS_MACHINE)
 
-typedef void DBoardInitFn(const VexpressMachineState *machine,
+typedef void DBoardInitFn(VexpressMachineState *machine,
                           ram_addr_t ram_size,
                           const char *cpu_type,
                           qemu_irq *pic);
@@ -XXX,XX +XXX,XX @@ static void init_cpus(MachineState *ms, const char *cpu_type,
     }
 }
 
-static void a9_daughterboard_init(const VexpressMachineState *vms,
+static void a9_daughterboard_init(VexpressMachineState *vms,
                                   ram_addr_t ram_size,
                                   const char *cpu_type,
                                   qemu_irq *pic)
 {
     MachineState *machine = MACHINE(vms);
     MemoryRegion *sysmem = get_system_memory();
-    MemoryRegion *lowram = g_new(MemoryRegion, 1);
     ram_addr_t low_ram_size;
 
     if (ram_size > 0x40000000) {
@@ -XXX,XX +XXX,XX @@ static void a9_daughterboard_init(const VexpressMachineState *vms,
      * address space should in theory be remappable to various
      * things including ROM or RAM; we always map the RAM there.
      */
-    memory_region_init_alias(lowram, NULL, "vexpress.lowmem", machine->ram,
-                             0, low_ram_size);
-    memory_region_add_subregion(sysmem, 0x0, lowram);
+    memory_region_init_alias(&vms->lowram, NULL, "vexpress.lowmem",
+                             machine->ram, 0, low_ram_size);
+    memory_region_add_subregion(sysmem, 0x0, &vms->lowram);
     memory_region_add_subregion(sysmem, 0x60000000, machine->ram);
 
     /* 0x1e000000 A9MPCore (SCU) private memory region */
@@ -XXX,XX +XXX,XX @@ static VEDBoardInfo a9_daughterboard = {
     .init = a9_daughterboard_init,
 };
 
-static void a15_daughterboard_init(const VexpressMachineState *vms,
+static void a15_daughterboard_init(VexpressMachineState *vms,
                                    ram_addr_t ram_size,
                                    const char *cpu_type,
                                    qemu_irq *pic)
 {
     MachineState *machine = MACHINE(vms);
     MemoryRegion *sysmem = get_system_memory();
-    MemoryRegion *sram = g_new(MemoryRegion, 1);
 
     {
         /* We have to use a separate 64 bit variable here to avoid the gcc
@@ -XXX,XX +XXX,XX @@ static void a15_daughterboard_init(const VexpressMachineState *vms,
     /* 0x2b060000: SP805 watchdog: not modelled */
     /* 0x2b0a0000: PL341 dynamic memory controller: not modelled */
     /* 0x2e000000: system SRAM */
-    memory_region_init_ram(sram, NULL, "vexpress.a15sram", 0x10000,
+    memory_region_init_ram(&vms->a15sram, NULL, "vexpress.a15sram", 0x10000,
                            &error_fatal);
-    memory_region_add_subregion(sysmem, 0x2e000000, sram);
+    memory_region_add_subregion(sysmem, 0x2e000000, &vms->a15sram);
 
     /* 0x7ffb0000: DMA330 DMA controller: not modelled */
     /* 0x7ffd0000: PL354 static memory controller: not modelled */
@@ -XXX,XX +XXX,XX @@ static void vexpress_common_init(MachineState *machine)
     I2CBus *i2c;
     ram_addr_t vram_size, sram_size;
     MemoryRegion *sysmem = get_system_memory();
-    MemoryRegion *vram = g_new(MemoryRegion, 1);
-    MemoryRegion *sram = g_new(MemoryRegion, 1);
-    MemoryRegion *flashalias = g_new(MemoryRegion, 1);
-    MemoryRegion *flash0mem;
     const hwaddr *map = daughterboard->motherboard_map;
     int i;
 
@@ -XXX,XX +XXX,XX @@ static void vexpress_common_init(MachineState *machine)
 
     if (map[VE_NORFLASHALIAS] != -1) {
         /* Map flash 0 as an alias into low memory */
+        MemoryRegion *flash0mem;
         flash0mem = sysbus_mmio_get_region(SYS_BUS_DEVICE(pflash0), 0);
-        memory_region_init_alias(flashalias, NULL, "vexpress.flashalias",
+        memory_region_init_alias(&vms->flashalias, NULL, "vexpress.flashalias",
                                  flash0mem, 0, VEXPRESS_FLASH_SIZE);
-        memory_region_add_subregion(sysmem, map[VE_NORFLASHALIAS], flashalias);
+        memory_region_add_subregion(sysmem, map[VE_NORFLASHALIAS], &vms->flashalias);
     }
 
     dinfo = drive_get(IF_PFLASH, 0, 1);
     ve_pflash_cfi01_register(map[VE_NORFLASH1], "vexpress.flash1", dinfo);
 
     sram_size = 0x2000000;
-    memory_region_init_ram(sram, NULL, "vexpress.sram", sram_size,
+    memory_region_init_ram(&vms->sram, NULL, "vexpress.sram", sram_size,
                            &error_fatal);
-    memory_region_add_subregion(sysmem, map[VE_SRAM], sram);
+    memory_region_add_subregion(sysmem, map[VE_SRAM], &vms->sram);
 
     vram_size = 0x800000;
-    memory_region_init_ram(vram, NULL, "vexpress.vram", vram_size,
+    memory_region_init_ram(&vms->vram, NULL, "vexpress.vram", vram_size,
                            &error_fatal);
-    memory_region_add_subregion(sysmem, map[VE_VIDEORAM], vram);
+    memory_region_add_subregion(sysmem, map[VE_VIDEORAM], &vms->vram);
 
     /* 0x4e000000 LAN9118 Ethernet */
     if (nd_table[0].used) {
-- 
2.34.1

Convert the u2f.txt file to rST, and place it in the right place
in our manual layout. The old text didn't fit very well into our
manual style, so the new version ends up looking like a rewrite,
although some of the original text is preserved:

* the 'building' section of the old file is removed, since we
   generally assume that users have already built QEMU
 * some rather verbose text has been cut back
 * document the passthrough device first, on the assumption
   that's most likely to be of interest to users
 * cut back on the duplication of text between sections
 * format example command lines etc with rST

As it's a short document it seemed simplest to do this all
in one go rather than try to do a minimal syntactic conversion
and then clean up the wording and layout.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 20230421163734.1152076-1-peter.maydell@linaro.org
---
 docs/system/device-emulation.rst |   1 +
 docs/system/devices/usb-u2f.rst  |  93 ++++++++++++++++++++++++++
 docs/system/devices/usb.rst      |   2 +-
 docs/u2f.txt                     | 110 -------------------------------
 4 files changed, 95 insertions(+), 111 deletions(-)
 create mode 100644 docs/system/devices/usb-u2f.rst
 delete mode 100644 docs/u2f.txt

diff --git a/docs/system/device-emulation.rst b/docs/system/device-emulation.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/device-emulation.rst
+++ b/docs/system/device-emulation.rst
@@ -XXX,XX +XXX,XX @@ Emulated Devices
    devices/virtio-pmem.rst
    devices/vhost-user-rng.rst
    devices/canokey.rst
+   devices/usb-u2f.rst
    devices/igb.rst
diff --git a/docs/system/devices/usb-u2f.rst b/docs/system/devices/usb-u2f.rst
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/docs/system/devices/usb-u2f.rst
@@ -XXX,XX +XXX,XX @@
+Universal Second Factor (U2F) USB Key Device
+============================================
+
+U2F is an open authentication standard that enables relying parties
+exposed to the internet to offer a strong second factor option for end
+user authentication.
+
+The second factor is provided by a device implementing the U2F
+protocol. In case of a USB U2F security key, it is a USB HID device
+that implements the U2F protocol.
+
+QEMU supports both pass-through of a host U2F key device to a VM,
+and software emulation of a U2F key.
+
+``u2f-passthru``
+----------------
+
+The ``u2f-passthru`` device allows you to connect a real hardware
+U2F key on your host to a guest VM. All requests made from the guest
+are passed through to the physical security key connected to the
+host machine and vice versa.
+
+In addition, the dedicated pass-through allows you to share a single
+U2F security key with several guest VMs, which is not possible with a
+simple host device assignment pass-through.
+
+You can specify the host U2F key to use with the ``hidraw``
+option, which takes the host path to a Linux ``/dev/hidrawN`` device:
+
+.. parsed-literal::
+   |qemu_system| -usb -device u2f-passthru,hidraw=/dev/hidraw0
+
+If you don't specify the device, the ``u2f-passthru`` device will
+autoscan to take the first U2F device it finds on the host (this
+requires a working libudev):
+
+.. parsed-literal::
+   |qemu_system| -usb -device u2f-passthru
+
+``u2f-emulated``
+----------------
+
+``u2f-emulated`` is a completely software emulated U2F device.
+It uses `libu2f-emu <https://github.com/MattGorko/libu2f-emu>`__
+for the U2F key emulation. libu2f-emu
+provides a complete implementation of the U2F protocol device part for
+all specified transports given by the FIDO Alliance.
+
+To work, an emulated U2F device must have four elements:
+
+ * ec x509 certificate
+ * ec private key
+ * counter (four bytes value)
+ * 48 bytes of entropy (random bits)
+
+To use this type of device, these have to be configured, and these
+four elements must be passed one way or another.
+
+Assuming that you have a working libu2f-emu installed on the host,
+there are three possible ways to configure the ``u2f-emulated`` device:
+
+ * ephemeral
+ * setup directory
+ * manual
+
+Ephemeral is the simplest way to configure; it lets the device generate
+all the elements it needs for a single use of the lifetime of the device.
+It is the default if you do not pass any other options to the device.
+
+.. parsed-literal::
+   |qemu_system| -usb -device u2f-emulated
+
+You can pass the device the path of a setup directory on the host
+using the ``dir`` option; the directory must contain these four files:
+
+ * ``certificate.pem``: ec x509 certificate
+ * ``private-key.pem``: ec private key
+ * ``counter``: counter value
+ * ``entropy``: 48 bytes of entropy
+
+.. parsed-literal::
+   |qemu_system| -usb -device u2f-emulated,dir=$dir
+
+You can also manually pass the device the paths to each of these files,
+if you don't want them all to be in the same directory, using the options
+
+ * ``cert``
+ * ``priv``
+ * ``counter``
+ * ``entropy``
+
+.. parsed-literal::
+   |qemu_system| -usb -device u2f-emulated,cert=$DIR1/$FILE1,priv=$DIR2/$FILE2,counter=$DIR3/$FILE3,entropy=$DIR4/$FILE4
diff --git a/docs/system/devices/usb.rst b/docs/system/devices/usb.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/devices/usb.rst
+++ b/docs/system/devices/usb.rst
@@ -XXX,XX +XXX,XX @@ option or the ``device_add`` monitor command. Available devices are:
    USB audio device
 
 ``u2f-{emulated,passthru}``
-   Universal Second Factor device
+   :doc:`usb-u2f`
 
 ``canokey``
    An Open-source Secure Key implementing FIDO2, OpenPGP, PIV and more.
diff --git a/docs/u2f.txt b/docs/u2f.txt
deleted file mode 100644
index XXXXXXX..XXXXXXX
--- a/docs/u2f.txt
+++ /dev/null
@@ -XXX,XX +XXX,XX @@
-QEMU U2F Key Device Documentation.
-
-Contents
-1. USB U2F key device
-2. Building
-3. Using u2f-emulated
-4. Using u2f-passthru
-5. Libu2f-emu
-
-1. USB U2F key device
-
-U2F is an open authentication standard that enables relying parties
-exposed to the internet to offer a strong second factor option for end
-user authentication.
-
-The standard brings many advantages to both parties, client and server,
-allowing to reduce over-reliance on passwords, it increases authentication
-security and simplifies passwords.
-
-The second factor is materialized by a device implementing the U2F
-protocol. In case of a USB U2F security key, it is a USB HID device
-that implements the U2F protocol.
-
-In QEMU, the USB U2F key device offers a dedicated support of U2F, allowing
-guest USB FIDO/U2F security keys operating in two possible modes:
-pass-through and emulated.
-
-The pass-through mode consists of passing all requests made from the guest
-to the physical security key connected to the host machine and vice versa.
-In addition, the dedicated pass-through allows to have a U2F security key
-shared on several guests which is not possible with a simple host device
-assignment pass-through.
-
-The emulated mode consists of completely emulating the behavior of an
-U2F device through software part. Libu2f-emu is used for that.
-
-
-2. Building
-
-To ensure the build of the u2f-emulated device variant which depends
-on libu2f-emu: configuring and building:
-
-    ./configure --enable-u2f && make
-
-The pass-through mode is built by default on Linux. To take advantage
-of the autoscan option it provides, make sure you have a working libudev
-installed on the host.
-
-
-3. Using u2f-emulated
-
-To work, an emulated U2F device must have four elements:
- * ec x509 certificate
- * ec private key
- * counter (four bytes value)
- * 48 bytes of entropy (random bits)
-
-To use this type of device, this one has to be configured, and these
-four elements must be passed one way or another.
-
-Assuming that you have a working libu2f-emu installed on the host.
-There are three possible ways of configurations:
- * ephemeral
- * setup directory
- * manual
-
-Ephemeral is the simplest way to configure, it lets the device generate
-all the elements it needs for a single use of the lifetime of the device.
-
-    qemu -usb -device u2f-emulated
-
-Setup directory allows to configure the device from a directory containing
-four files:
- * certificate.pem: ec x509 certificate
- * private-key.pem: ec private key
- * counter: counter value
- * entropy: 48 bytes of entropy
-
-    qemu -usb -device u2f-emulated,dir=$dir
-
-Manual allows to configure the device more finely by specifying each
-of the elements necessary for the device:
- * cert
- * priv
- * counter
- * entropy
-
-    qemu -usb -device u2f-emulated,cert=$DIR1/$FILE1,priv=$DIR2/$FILE2,counter=$DIR3/$FILE3,entropy=$DIR4/$FILE4
-
-
-4. Using u2f-passthru
-
-On the host specify the u2f-passthru device with a suitable hidraw:
-
-    qemu -usb -device u2f-passthru,hidraw=/dev/hidraw0
-
-Alternately, the u2f-passthru device can autoscan to take the first
-U2F device it finds on the host (this requires a working libudev):
-
-    qemu -usb -device u2f-passthru
-
-
-5. Libu2f-emu
-
-The u2f-emulated device uses libu2f-emu for the U2F key emulation. Libu2f-emu
-implements completely the U2F protocol device part for all specified
-transport given by the FIDO Alliance.
-
-For more information about libu2f-emu see this page:
-https://github.com/MattGorko/libu2f-emu.
-- 
2.34.1