Series comparison

-[Qemu-devel] [PULL 0/9] target-arm queue
+[PULL 00/39] target-arm queue
-A last collection of patches to squeeze in before rc0.
+Last pullreq before 6.0 softfreeze: a few minor feature patches,
-The patches from me are all bugfixes. Philippe's are just
+some bugfixes, some cleanups.
 code-movement, but I wanted to get these into 4.1 because
 that kind of patch is so painful to have to rebase.
 (The diffstat is huge but it's just code moving from file to file.)
-thanks
 -- PMM
-The following changes since commit 234e256511e588680300600ce087c5185d68cf2a:
+The following changes since commit 6f34661b6c97a37a5efc27d31c037ddeda4547e2:
-  Merge remote-tracking branch 'remotes/armbru/tags/pull-build-2019-07-02-v2' into staging (2019-07-04 15:58:46 +0100)
+  Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-for-6.0-pull-request' into staging (2021-03-11 18:55:27 +0000)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190704
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210312-1
-for you to fetch changes up to b75f3735802b5b33f10e4bfe374d4b17bb86d29a:
+for you to fetch changes up to 41f09f2e9f09e4dd386d84174a6dcb5136af17ca:
-  target/arm: Correct VMOV_imm_dp handling of short vectors (2019-07-04 16:52:05 +0100)
+  hw/display/pxa2xx: Inline template header (2021-03-12 13:26:08 +0000)
 ----------------------------------------------------------------
 target-arm queue:
- * more code-movement to separate TCG-only functions into their own files
+ * versal: Support XRAMs and XRAM controller
- * Correct VMOV_imm_dp handling of short vectors
+ * smmu: Various minor bug fixes
- * Execute Thumb instructions when their condbits are 0xf
+ * SVE emulation: fix bugs handling odd vector lengths
- * armv7m_systick: Forbid non-privileged accesses
+ * allwinner-sun8i-emac: traverse transmit queue using TX_CUR_DESC register value
- * Use _ra versions of cpu_stl_data() in v7M helpers
+ * tests/acceptance: fix orangepi-pc acceptance tests
- * v8M: Check state of exception being returned from
+ * hw/timer/sse-timer: Propagate eventual error in sse_timer_realize()
- * v8M: Forcibly clear negative-priority exceptions on deactivate
+ * hw/arm/virt: KVM: The IPA lower bound is 32
  * npcm7xx: support MFT module
  * pl110, pxa2xx_lcd: tidy up template headers
 ----------------------------------------------------------------
-Peter Maydell (6):
+Andrew Jones (2):
-      arm v8M: Forcibly clear negative-priority exceptions on deactivate
+      accel: kvm: Fix kvm_type invocation
-      target/arm: v8M: Check state of exception being returned from
+      hw/arm/virt: KVM: The IPA lower bound is 32
       target/arm: Use _ra versions of cpu_stl_data() in v7M helpers
       hw/timer/armv7m_systick: Forbid non-privileged accesses
       target/arm: Execute Thumb instructions when their condbits are 0xf
       target/arm: Correct VMOV_imm_dp handling of short vectors
-Philippe Mathieu-Daudé (3):
+Edgar E. Iglesias (2):
-      target/arm: Move debug routines to debug_helper.c
+      hw/misc: versal: Add a model of the XRAM controller
-      target/arm: Restrict semi-hosting to TCG
+      hw/arm: versal: Add support for the XRAMs
       target/arm/helper: Move M profile routines to m_helper.c
- target/arm/Makefile.objs       |    5 +-
+Eric Auger (7):
- target/arm/cpu.h               |    7 +
+      intel_iommu: Fix mask may be uninitialized in vtd_context_device_invalidate
- hw/intc/armv7m_nvic.c          |   54 +-
+      dma: Introduce dma_aligned_pow2_mask()
- hw/timer/armv7m_systick.c      |   26 +-
+      virtio-iommu: Handle non power of 2 range invalidations
- target/arm/cpu.c               |    9 +-
+      hw/arm/smmu-common: Fix smmu_iotlb_inv_iova when asid is not set
- target/arm/debug_helper.c      |  311 +++++
+      hw/arm/smmuv3: Enforce invalidation on a power of two range
- target/arm/helper.c            | 2646 +--------------------------------------
+      hw/arm/smmuv3: Fix SMMU_CMD_CFGI_STE_RANGE handling
- target/arm/m_helper.c          | 2679 ++++++++++++++++++++++++++++++++++++++++
+      hw/arm/smmuv3: Uniformize sid traces
  target/arm/op_helper.c         |  295 -----
  target/arm/translate-vfp.inc.c |    2 +-
  target/arm/translate.c         |   15 +-
 files changed, 3096 insertions(+), 2953 deletions(-)
  create mode 100644 target/arm/debug_helper.c
  create mode 100644 target/arm/m_helper.c
+Hao Wu (5):
+      hw/misc: Add GPIOs for duty in NPCM7xx PWM
+      hw/misc: Add NPCM7XX MFT Module
+      hw/arm: Add MFT device to NPCM7xx Soc
+      hw/arm: Connect PWM fans in NPCM7XX boards
+      tests/qtest: Test PWM fan RPM using MFT in PWM test
+Niek Linnenbank (5):
+      hw/net/allwinner-sun8i-emac: traverse transmit queue using TX_CUR_DESC register value
+      tests/acceptance/boot_linux_console: remove Armbian 19.11.3 bionic test for orangepi-pc machine
+      tests/acceptance/boot_linux_console: change URL for test_arm_orangepi_bionic_20_08
+      tests/acceptance: update sunxi kernel from armbian to 5.10.16
+      tests/acceptance: drop ARMBIAN_ARTIFACTS_CACHED condition for orangepi-pc, cubieboard tests
+Peter Maydell (9):
+      hw/display/pl110: Remove dead code for non-32-bpp surfaces
+      hw/display/pl110: Pull included-once parts of template header into pl110.c
+      hw/display/pl110: Remove use of BITS from pl110_template.h
+      hw/display/pxa2xx_lcd: Remove dead code for non-32-bpp surfaces
+      hw/display/pxa2xx_lcd: Remove dest_width state field
+      hw/display/pxa2xx: Remove use of BITS in pxa2xx_template.h
+      hw/display/pxa2xx: Apply brace-related coding style fixes to template header
+      hw/display/pxa2xx: Apply whitespace-only coding style fixes to template header
+      hw/display/pxa2xx: Inline template header
+Philippe Mathieu-Daudé (1):
+      hw/timer/sse-timer: Propagate eventual error in sse_timer_realize()
+Richard Henderson (8):
+      target/arm: Fix sve_uzp_p vs odd vector lengths
+      target/arm: Fix sve_zip_p vs odd vector lengths
+      target/arm: Fix sve_punpk_p vs odd vector lengths
+      target/arm: Update find_last_active for PREDDESC
+      target/arm: Update BRKA, BRKB, BRKN for PREDDESC
+      target/arm: Update CNTP for PREDDESC
+      target/arm: Update WHILE for PREDDESC
+      target/arm: Update sve reduction vs simd_desc
+ docs/system/arm/nuvoton.rst            |   2 +-
+ docs/system/arm/xlnx-versal-virt.rst   |   1 +
+ hw/arm/smmu-internal.h                 |   5 +
+ hw/display/pl110_template.h            | 120 +-------
+ hw/display/pxa2xx_template.h           | 447 ---------------------------
+ include/hw/arm/npcm7xx.h               |  13 +-
+ include/hw/arm/xlnx-versal.h           |  13 +
+ include/hw/boards.h                    |   1 +
+ include/hw/misc/npcm7xx_mft.h          |  70 +++++
+ include/hw/misc/npcm7xx_pwm.h          |   4 +-
+ include/hw/misc/xlnx-versal-xramc.h    |  97 ++++++
+ include/sysemu/dma.h                   |  12 +
+ target/arm/kvm_arm.h                   |   6 +-
+ accel/kvm/kvm-all.c                    |   2 +
+ hw/arm/npcm7xx.c                       |  45 ++-
+ hw/arm/npcm7xx_boards.c                |  99 ++++++
+ hw/arm/smmu-common.c                   |  32 +-
+ hw/arm/smmuv3.c                        |  58 ++--
+ hw/arm/virt.c                          |  23 +-
+ hw/arm/xlnx-versal.c                   |  36 +++
+ hw/display/pl110.c                     | 123 +++++---
+ hw/display/pxa2xx_lcd.c                | 520 ++++++++++++++++++++++++++-----
+ hw/i386/intel_iommu.c                  |  32 +-
+ hw/misc/npcm7xx_mft.c                  | 540 +++++++++++++++++++++++++++++++++
+ hw/misc/npcm7xx_pwm.c                  |   4 +
+ hw/misc/xlnx-versal-xramc.c            | 253 +++++++++++++++
+ hw/net/allwinner-sun8i-emac.c          |  62 ++--
+ hw/timer/sse-timer.c                   |   1 +
+ hw/virtio/virtio-iommu.c               |  19 +-
+ softmmu/dma-helpers.c                  |  26 ++
+ target/arm/kvm.c                       |   4 +-
+ target/arm/sve_helper.c                | 107 ++++---
+ target/arm/translate-sve.c             |  26 +-
+ tests/qtest/npcm7xx_pwm-test.c         | 205 ++++++++++++-
+ hw/arm/trace-events                    |  24 +-
+ hw/misc/meson.build                    |   2 +
+ hw/misc/trace-events                   |   8 +
+ tests/acceptance/boot_linux_console.py | 120 +++-----
+ tests/acceptance/replay_kernel.py      |  10 +-
+files changed, 2235 insertions(+), 937 deletions(-)
+ delete mode 100644 hw/display/pxa2xx_template.h
+ create mode 100644 include/hw/misc/npcm7xx_mft.h
+ create mode 100644 include/hw/misc/xlnx-versal-xramc.h
+ create mode 100644 hw/misc/npcm7xx_mft.c
+ create mode 100644 hw/misc/xlnx-versal-xramc.c

-[Qemu-devel] [PULL 1/9] target/arm: Move debug routines to debug_helper.c
+[PULL 01/39] hw/misc: versal: Add a model of the XRAM controller
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
-These routines are TCG specific.
+Add a model of the Xilinx Versal Accelerator RAM (XRAM).
+This is mainly a stub to make firmware happy. The size of
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+the RAMs can be probed. The interrupt mask logic is
-Message-id: 20190701194942.10092-2-philmd@redhat.com
+modelled but none of the interrups will ever be raised
 unless injected.
 Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
 Message-id: 20210308224637.2949533-2-edgar.iglesias@gmail.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/Makefile.objs  |   2 +-
+ include/hw/misc/xlnx-versal-xramc.h |  97 +++++++++++
- target/arm/cpu.c          |   9 +-
+ hw/misc/xlnx-versal-xramc.c         | 253 ++++++++++++++++++++++++++++
- target/arm/debug_helper.c | 311 ++++++++++++++++++++++++++++++++++++++
+ hw/misc/meson.build                 |   1 +
- target/arm/op_helper.c    | 295 ------------------------------------
+files changed, 351 insertions(+)
-files changed, 315 insertions(+), 302 deletions(-)
+ create mode 100644 include/hw/misc/xlnx-versal-xramc.h
- create mode 100644 target/arm/debug_helper.c
+ create mode 100644 hw/misc/xlnx-versal-xramc.c
-diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
+diff --git a/include/hw/misc/xlnx-versal-xramc.h b/include/hw/misc/xlnx-versal-xramc.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/Makefile.objs
 +++ b/target/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@ target/arm/translate-sve.o: target/arm/decode-sve.inc.c
  target/arm/translate.o: target/arm/decode-vfp.inc.c
  target/arm/translate.o: target/arm/decode-vfp-uncond.inc.c
 -obj-y += tlb_helper.o
 +obj-y += tlb_helper.o debug_helper.o
  obj-y += translate.o op_helper.o
  obj-y += crypto_helper.o
  obj-y += iwmmxt_helper.o vec_helper.o neon_helper.o
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_class_init(ObjectClass *oc, void *data)
      cc->gdb_arch_name = arm_gdb_arch_name;
      cc->gdb_get_dynamic_xml = arm_gdb_get_dynamic_xml;
      cc->gdb_stop_before_watchpoint = true;
 -    cc->debug_excp_handler = arm_debug_excp_handler;
 -    cc->debug_check_watchpoint = arm_debug_check_watchpoint;
 -#if !defined(CONFIG_USER_ONLY)
 -    cc->adjust_watchpoint_address = arm_adjust_watchpoint_address;
 -#endif
 -
      cc->disas_set_info = arm_disas_set_info;
  #ifdef CONFIG_TCG
      cc->tcg_initialize = arm_translate_init;
      cc->tlb_fill = arm_cpu_tlb_fill;
 +    cc->debug_excp_handler = arm_debug_excp_handler;
 +    cc->debug_check_watchpoint = arm_debug_check_watchpoint;
  #if !defined(CONFIG_USER_ONLY)
      cc->do_unaligned_access = arm_cpu_do_unaligned_access;
      cc->do_transaction_failed = arm_cpu_do_transaction_failed;
 +    cc->adjust_watchpoint_address = arm_adjust_watchpoint_address;
  #endif /* CONFIG_TCG && !CONFIG_USER_ONLY */
  #endif
  }
 diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/target/arm/debug_helper.c
++++ b/include/hw/misc/xlnx-versal-xramc.h
 @@ -XXX,XX +XXX,XX @@
 +/*
-+ * ARM debug helpers.
++ * QEMU model of the Xilinx XRAM Controller.
 + *
-+ * This code is licensed under the GNU GPL v2 or later.
++ * Copyright (c) 2021 Xilinx Inc.
 + * SPDX-License-Identifier: GPL-2.0-or-later
 + * Written by Edgar E. Iglesias <edgar.iglesias@xilinx.com>
 + */
 +
 +#ifndef XLNX_VERSAL_XRAMC_H
 +#define XLNX_VERSAL_XRAMC_H
 +
 +#include "hw/sysbus.h"
 +#include "hw/register.h"
 +
 +#define TYPE_XLNX_XRAM_CTRL "xlnx.versal-xramc"
 +
 +#define XLNX_XRAM_CTRL(obj) \
 +     OBJECT_CHECK(XlnxXramCtrl, (obj), TYPE_XLNX_XRAM_CTRL)
 +
 +REG32(XRAM_ERR_CTRL, 0x0)
 +    FIELD(XRAM_ERR_CTRL, UE_RES, 3, 1)
 +    FIELD(XRAM_ERR_CTRL, PWR_ERR_RES, 2, 1)
 +    FIELD(XRAM_ERR_CTRL, PZ_ERR_RES, 1, 1)
 +    FIELD(XRAM_ERR_CTRL, APB_ERR_RES, 0, 1)
 +REG32(XRAM_ISR, 0x4)
 +    FIELD(XRAM_ISR, INV_APB, 0, 1)
 +REG32(XRAM_IMR, 0x8)
 +    FIELD(XRAM_IMR, INV_APB, 0, 1)
 +REG32(XRAM_IEN, 0xc)
 +    FIELD(XRAM_IEN, INV_APB, 0, 1)
 +REG32(XRAM_IDS, 0x10)
 +    FIELD(XRAM_IDS, INV_APB, 0, 1)
 +REG32(XRAM_ECC_CNTL, 0x14)
 +    FIELD(XRAM_ECC_CNTL, FI_MODE, 2, 1)
 +    FIELD(XRAM_ECC_CNTL, DET_ONLY, 1, 1)
 +    FIELD(XRAM_ECC_CNTL, ECC_ON_OFF, 0, 1)
 +REG32(XRAM_CLR_EXE, 0x18)
 +    FIELD(XRAM_CLR_EXE, MON_7, 7, 1)
 +    FIELD(XRAM_CLR_EXE, MON_6, 6, 1)
 +    FIELD(XRAM_CLR_EXE, MON_5, 5, 1)
 +    FIELD(XRAM_CLR_EXE, MON_4, 4, 1)
 +    FIELD(XRAM_CLR_EXE, MON_3, 3, 1)
 +    FIELD(XRAM_CLR_EXE, MON_2, 2, 1)
 +    FIELD(XRAM_CLR_EXE, MON_1, 1, 1)
 +    FIELD(XRAM_CLR_EXE, MON_0, 0, 1)
 +REG32(XRAM_CE_FFA, 0x1c)
 +    FIELD(XRAM_CE_FFA, ADDR, 0, 20)
 +REG32(XRAM_CE_FFD0, 0x20)
 +REG32(XRAM_CE_FFD1, 0x24)
 +REG32(XRAM_CE_FFD2, 0x28)
 +REG32(XRAM_CE_FFD3, 0x2c)
 +REG32(XRAM_CE_FFE, 0x30)
 +    FIELD(XRAM_CE_FFE, SYNDROME, 0, 16)
 +REG32(XRAM_UE_FFA, 0x34)
 +    FIELD(XRAM_UE_FFA, ADDR, 0, 20)
 +REG32(XRAM_UE_FFD0, 0x38)
 +REG32(XRAM_UE_FFD1, 0x3c)
 +REG32(XRAM_UE_FFD2, 0x40)
 +REG32(XRAM_UE_FFD3, 0x44)
 +REG32(XRAM_UE_FFE, 0x48)
 +    FIELD(XRAM_UE_FFE, SYNDROME, 0, 16)
 +REG32(XRAM_FI_D0, 0x4c)
 +REG32(XRAM_FI_D1, 0x50)
 +REG32(XRAM_FI_D2, 0x54)
 +REG32(XRAM_FI_D3, 0x58)
 +REG32(XRAM_FI_SY, 0x5c)
 +    FIELD(XRAM_FI_SY, DATA, 0, 16)
 +REG32(XRAM_RMW_UE_FFA, 0x70)
 +    FIELD(XRAM_RMW_UE_FFA, ADDR, 0, 20)
 +REG32(XRAM_FI_CNTR, 0x74)
 +    FIELD(XRAM_FI_CNTR, COUNT, 0, 24)
 +REG32(XRAM_IMP, 0x80)
 +    FIELD(XRAM_IMP, SIZE, 0, 4)
 +REG32(XRAM_PRDY_DBG, 0x84)
 +    FIELD(XRAM_PRDY_DBG, ISLAND3, 12, 4)
 +    FIELD(XRAM_PRDY_DBG, ISLAND2, 8, 4)
 +    FIELD(XRAM_PRDY_DBG, ISLAND1, 4, 4)
 +    FIELD(XRAM_PRDY_DBG, ISLAND0, 0, 4)
 +REG32(XRAM_SAFETY_CHK, 0xff8)
 +
 +#define XRAM_CTRL_R_MAX (R_XRAM_SAFETY_CHK + 1)
 +
 +typedef struct XlnxXramCtrl {
 +    SysBusDevice parent_obj;
 +    MemoryRegion ram;
 +    qemu_irq irq;
 +
 +    struct {
 +        uint64_t size;
 +        unsigned int encoded_size;
 +    } cfg;
 +
 +    RegisterInfoArray *reg_array;
 +    uint32_t regs[XRAM_CTRL_R_MAX];
 +    RegisterInfo regs_info[XRAM_CTRL_R_MAX];
 +} XlnxXramCtrl;
 +#endif
 diff --git a/hw/misc/xlnx-versal-xramc.c b/hw/misc/xlnx-versal-xramc.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/misc/xlnx-versal-xramc.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * QEMU model of the Xilinx XRAM Controller.
 + *
++ * Copyright (c) 2021 Xilinx Inc.
 + * SPDX-License-Identifier: GPL-2.0-or-later
++ * Written by Edgar E. Iglesias <edgar.iglesias@xilinx.com>
 + */
++
 +#include "qemu/osdep.h"
-+#include "cpu.h"
++#include "qemu/units.h"
-+#include "internals.h"
++#include "qapi/error.h"
-+#include "exec/exec-all.h"
++#include "migration/vmstate.h"
-+#include "exec/helper-proto.h"
++#include "hw/sysbus.h"
-+
++#include "hw/register.h"
-+/* Return true if the linked breakpoint entry lbn passes its checks */
++#include "hw/qdev-properties.h"
-+static bool linked_bp_matches(ARMCPU *cpu, int lbn)
++#include "hw/irq.h"
-+{
++#include "hw/misc/xlnx-versal-xramc.h"
-+    CPUARMState *env = &cpu->env;
++
-+    uint64_t bcr = env->cp15.dbgbcr[lbn];
++#ifndef XLNX_XRAM_CTRL_ERR_DEBUG
-+    int brps = extract32(cpu->dbgdidr, 24, 4);
++#define XLNX_XRAM_CTRL_ERR_DEBUG 0
-+    int ctx_cmps = extract32(cpu->dbgdidr, 20, 4);
++#endif
-+    int bt;
++
-+    uint32_t contextidr;
++static void xram_update_irq(XlnxXramCtrl *s)
-+
++{
-+    /*
++    bool pending = s->regs[R_XRAM_ISR] & ~s->regs[R_XRAM_IMR];
-+     * Links to unimplemented or non-context aware breakpoints are
++    qemu_set_irq(s->irq, pending);
-+     * CONSTRAINED UNPREDICTABLE: either behave as if disabled, or
++}
-+     * as if linked to an UNKNOWN context-aware breakpoint (in which
++
-+     * case DBGWCR<n>_EL1.LBN must indicate that breakpoint).
++static void xram_isr_postw(RegisterInfo *reg, uint64_t val64)
-+     * We choose the former.
++{
-+     */
++    XlnxXramCtrl *s = XLNX_XRAM_CTRL(reg->opaque);
-+    if (lbn > brps || lbn < (brps - ctx_cmps)) {
++    xram_update_irq(s);
-+        return false;
++}
 +
 +static uint64_t xram_ien_prew(RegisterInfo *reg, uint64_t val64)
 +{
 +    XlnxXramCtrl *s = XLNX_XRAM_CTRL(reg->opaque);
 +    uint32_t val = val64;
 +
 +    s->regs[R_XRAM_IMR] &= ~val;
 +    xram_update_irq(s);
 +    return 0;
 +}
 +
 +static uint64_t xram_ids_prew(RegisterInfo *reg, uint64_t val64)
 +{
 +    XlnxXramCtrl *s = XLNX_XRAM_CTRL(reg->opaque);
 +    uint32_t val = val64;
 +
 +    s->regs[R_XRAM_IMR] |= val;
 +    xram_update_irq(s);
 +    return 0;
 +}
 +
 +static const RegisterAccessInfo xram_ctrl_regs_info[] = {
 +    {   .name = "XRAM_ERR_CTRL",  .addr = A_XRAM_ERR_CTRL,
 +        .reset = 0xf,
 +        .rsvd = 0xfffffff0,
 +    },{ .name = "XRAM_ISR",  .addr = A_XRAM_ISR,
 +        .rsvd = 0xfffff800,
 +        .w1c = 0x7ff,
 +        .post_write = xram_isr_postw,
 +    },{ .name = "XRAM_IMR",  .addr = A_XRAM_IMR,
 +        .reset = 0x7ff,
 +        .rsvd = 0xfffff800,
 +        .ro = 0x7ff,
 +    },{ .name = "XRAM_IEN",  .addr = A_XRAM_IEN,
 +        .rsvd = 0xfffff800,
 +        .pre_write = xram_ien_prew,
 +    },{ .name = "XRAM_IDS",  .addr = A_XRAM_IDS,
 +        .rsvd = 0xfffff800,
 +        .pre_write = xram_ids_prew,
 +    },{ .name = "XRAM_ECC_CNTL",  .addr = A_XRAM_ECC_CNTL,
 +        .rsvd = 0xfffffff8,
 +    },{ .name = "XRAM_CLR_EXE",  .addr = A_XRAM_CLR_EXE,
 +        .rsvd = 0xffffff00,
 +    },{ .name = "XRAM_CE_FFA",  .addr = A_XRAM_CE_FFA,
 +        .rsvd = 0xfff00000,
 +        .ro = 0xfffff,
 +    },{ .name = "XRAM_CE_FFD0",  .addr = A_XRAM_CE_FFD0,
 +        .ro = 0xffffffff,
 +    },{ .name = "XRAM_CE_FFD1",  .addr = A_XRAM_CE_FFD1,
 +        .ro = 0xffffffff,
 +    },{ .name = "XRAM_CE_FFD2",  .addr = A_XRAM_CE_FFD2,
 +        .ro = 0xffffffff,
 +    },{ .name = "XRAM_CE_FFD3",  .addr = A_XRAM_CE_FFD3,
 +        .ro = 0xffffffff,
 +    },{ .name = "XRAM_CE_FFE",  .addr = A_XRAM_CE_FFE,
 +        .rsvd = 0xffff0000,
 +        .ro = 0xffff,
 +    },{ .name = "XRAM_UE_FFA",  .addr = A_XRAM_UE_FFA,
 +        .rsvd = 0xfff00000,
 +        .ro = 0xfffff,
 +    },{ .name = "XRAM_UE_FFD0",  .addr = A_XRAM_UE_FFD0,
 +        .ro = 0xffffffff,
 +    },{ .name = "XRAM_UE_FFD1",  .addr = A_XRAM_UE_FFD1,
 +        .ro = 0xffffffff,
 +    },{ .name = "XRAM_UE_FFD2",  .addr = A_XRAM_UE_FFD2,
 +        .ro = 0xffffffff,
 +    },{ .name = "XRAM_UE_FFD3",  .addr = A_XRAM_UE_FFD3,
 +        .ro = 0xffffffff,
 +    },{ .name = "XRAM_UE_FFE",  .addr = A_XRAM_UE_FFE,
 +        .rsvd = 0xffff0000,
 +        .ro = 0xffff,
 +    },{ .name = "XRAM_FI_D0",  .addr = A_XRAM_FI_D0,
 +    },{ .name = "XRAM_FI_D1",  .addr = A_XRAM_FI_D1,
 +    },{ .name = "XRAM_FI_D2",  .addr = A_XRAM_FI_D2,
 +    },{ .name = "XRAM_FI_D3",  .addr = A_XRAM_FI_D3,
 +    },{ .name = "XRAM_FI_SY",  .addr = A_XRAM_FI_SY,
 +        .rsvd = 0xffff0000,
 +    },{ .name = "XRAM_RMW_UE_FFA",  .addr = A_XRAM_RMW_UE_FFA,
 +        .rsvd = 0xfff00000,
 +        .ro = 0xfffff,
 +    },{ .name = "XRAM_FI_CNTR",  .addr = A_XRAM_FI_CNTR,
 +        .rsvd = 0xff000000,
 +    },{ .name = "XRAM_IMP",  .addr = A_XRAM_IMP,
 +        .reset = 0x4,
 +        .rsvd = 0xfffffff0,
 +        .ro = 0xf,
 +    },{ .name = "XRAM_PRDY_DBG",  .addr = A_XRAM_PRDY_DBG,
 +        .reset = 0xffff,
 +        .rsvd = 0xffff0000,
 +        .ro = 0xffff,
 +    },{ .name = "XRAM_SAFETY_CHK",  .addr = A_XRAM_SAFETY_CHK,
 +    }
-+
++};
-+    bcr = env->cp15.dbgbcr[lbn];
++
-+
++static void xram_ctrl_reset_enter(Object *obj, ResetType type)
-+    if (extract64(bcr, 0, 1) == 0) {
++{
-+        /* Linked breakpoint disabled : generate no events */
++    XlnxXramCtrl *s = XLNX_XRAM_CTRL(obj);
-+        return false;
++    unsigned int i;
 +
 +    for (i = 0; i < ARRAY_SIZE(s->regs_info); ++i) {
 +        register_reset(&s->regs_info[i]);
 +    }
 +
-+    bt = extract64(bcr, 20, 4);
++    ARRAY_FIELD_DP32(s->regs, XRAM_IMP, SIZE, s->cfg.encoded_size);
-+
++}
-+    /*
++
-+     * We match the whole register even if this is AArch32 using the
++static void xram_ctrl_reset_hold(Object *obj)
-+     * short descriptor format (in which case it holds both PROCID and ASID),
++{
-+     * since we don't implement the optional v7 context ID masking.
++    XlnxXramCtrl *s = XLNX_XRAM_CTRL(obj);
-+     */
++
-+    contextidr = extract64(env->cp15.contextidr_el[1], 0, 32);
++    xram_update_irq(s);
-+
++}
-+    switch (bt) {
++
-+    case 3: /* linked context ID match */
++static const MemoryRegionOps xram_ctrl_ops = {
-+        if (arm_current_el(env) > 1) {
++    .read = register_read_memory,
-+            /* Context matches never fire in EL2 or (AArch64) EL3 */
++    .write = register_write_memory,
-+            return false;
++    .endianness = DEVICE_LITTLE_ENDIAN,
-+        }
++    .valid = {
-+        return (contextidr == extract64(env->cp15.dbgbvr[lbn], 0, 32));
++        .min_access_size = 4,
-+    case 5: /* linked address mismatch (reserved in AArch64) */
++        .max_access_size = 4,
-+    case 9: /* linked VMID match (reserved if no EL2) */
++    },
-+    case 11: /* linked context ID and VMID match (reserved if no EL2) */
++};
 +
 +static void xram_ctrl_realize(DeviceState *dev, Error **errp)
 +{
 +    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 +    XlnxXramCtrl *s = XLNX_XRAM_CTRL(dev);
 +
 +    switch (s->cfg.size) {
 +    case 64 * KiB:
 +        s->cfg.encoded_size = 0;
 +        break;
 +    case 128 * KiB:
 +        s->cfg.encoded_size = 1;
 +        break;
 +    case 256 * KiB:
 +        s->cfg.encoded_size = 2;
 +        break;
 +    case 512 * KiB:
 +        s->cfg.encoded_size = 3;
 +        break;
 +    case 1 * MiB:
 +        s->cfg.encoded_size = 4;
 +        break;
 +    default:
-+        /*
++        error_setg(errp, "Unsupported XRAM size %" PRId64, s->cfg.size);
-+         * Links to Unlinked context breakpoints must generate no
++        return;
 +         * events; we choose to do the same for reserved values too.
 +         */
 +        return false;
 +    }
 +
-+    return false;
++    memory_region_init_ram(&s->ram, OBJECT(s),
-+}
++                           object_get_canonical_path_component(OBJECT(s)),
-+
++                           s->cfg.size, &error_fatal);
-+static bool bp_wp_matches(ARMCPU *cpu, int n, bool is_wp)
++    sysbus_init_mmio(sbd, &s->ram);
-+{
++}
-+    CPUARMState *env = &cpu->env;
++
-+    uint64_t cr;
++static void xram_ctrl_init(Object *obj)
-+    int pac, hmc, ssc, wt, lbn;
++{
-+    /*
++    XlnxXramCtrl *s = XLNX_XRAM_CTRL(obj);
-+     * Note that for watchpoints the check is against the CPU security
++    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
-+     * state, not the S/NS attribute on the offending data access.
++
-+     */
++    s->reg_array =
-+    bool is_secure = arm_is_secure(env);
++        register_init_block32(DEVICE(obj), xram_ctrl_regs_info,
-+    int access_el = arm_current_el(env);
++                              ARRAY_SIZE(xram_ctrl_regs_info),
-+
++                              s->regs_info, s->regs,
-+    if (is_wp) {
++                              &xram_ctrl_ops,
-+        CPUWatchpoint *wp = env->cpu_watchpoint[n];
++                              XLNX_XRAM_CTRL_ERR_DEBUG,
-+
++                              XRAM_CTRL_R_MAX * 4);
-+        if (!wp || !(wp->flags & BP_WATCHPOINT_HIT)) {
++    sysbus_init_mmio(sbd, &s->reg_array->mem);
-+            return false;
++    sysbus_init_irq(sbd, &s->irq);
-+        }
++}
-+        cr = env->cp15.dbgwcr[n];
++
-+        if (wp->hitattrs.user) {
++static void xram_ctrl_finalize(Object *obj)
-+            /*
++{
-+             * The LDRT/STRT/LDT/STT "unprivileged access" instructions should
++    XlnxXramCtrl *s = XLNX_XRAM_CTRL(obj);
-+             * match watchpoints as if they were accesses done at EL0, even if
++    register_finalize_block(s->reg_array);
-+             * the CPU is at EL1 or higher.
++}
-+             */
++
-+            access_el = 0;
++static const VMStateDescription vmstate_xram_ctrl = {
-+        }
++    .name = TYPE_XLNX_XRAM_CTRL,
-+    } else {
++    .version_id = 1,
-+        uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
++    .minimum_version_id = 1,
-+
++    .fields = (VMStateField[]) {
-+        if (!env->cpu_breakpoint[n] || env->cpu_breakpoint[n]->pc != pc) {
++        VMSTATE_UINT32_ARRAY(regs, XlnxXramCtrl, XRAM_CTRL_R_MAX),
-+            return false;
++        VMSTATE_END_OF_LIST(),
 +        }
 +        cr = env->cp15.dbgbcr[n];
 +    }
-+    /*
++};
-+     * The WATCHPOINT_HIT flag guarantees us that the watchpoint is
++
-+     * enabled and that the address and access type match; for breakpoints
++static Property xram_ctrl_properties[] = {
-+     * we know the address matched; check the remaining fields, including
++    DEFINE_PROP_UINT64("size", XlnxXramCtrl, cfg.size, 1 * MiB),
-+     * linked breakpoints. We rely on WCR and BCR having the same layout
++    DEFINE_PROP_END_OF_LIST(),
-+     * for the LBN, SSC, HMC, PAC/PMC and is-linked fields.
++};
-+     * Note that some combinations of {PAC, HMC, SSC} are reserved and
++
-+     * must act either like some valid combination or as if the watchpoint
++static void xram_ctrl_class_init(ObjectClass *klass, void *data)
-+     * were disabled. We choose the former, and use this together with
++{
-+     * the fact that EL3 must always be Secure and EL2 must always be
++    ResettableClass *rc = RESETTABLE_CLASS(klass);
-+     * Non-Secure to simplify the code slightly compared to the full
++    DeviceClass *dc = DEVICE_CLASS(klass);
-+     * table in the ARM ARM.
++
-+     */
++    dc->realize = xram_ctrl_realize;
-+    pac = extract64(cr, 1, 2);
++    dc->vmsd = &vmstate_xram_ctrl;
-+    hmc = extract64(cr, 13, 1);
++    device_class_set_props(dc, xram_ctrl_properties);
-+    ssc = extract64(cr, 14, 2);
++
-+
++    rc->phases.enter = xram_ctrl_reset_enter;
-+    switch (ssc) {
++    rc->phases.hold = xram_ctrl_reset_hold;
-+    case 0:
++}
-+        break;
++
-+    case 1:
++static const TypeInfo xram_ctrl_info = {
-+    case 3:
++    .name              = TYPE_XLNX_XRAM_CTRL,
-+        if (is_secure) {
++    .parent            = TYPE_SYS_BUS_DEVICE,
-+            return false;
++    .instance_size     = sizeof(XlnxXramCtrl),
-+        }
++    .class_init        = xram_ctrl_class_init,
-+        break;
++    .instance_init     = xram_ctrl_init,
-+    case 2:
++    .instance_finalize = xram_ctrl_finalize,
-+        if (!is_secure) {
++};
-+            return false;
++
-+        }
++static void xram_ctrl_register_types(void)
-+        break;
++{
-+    }
++    type_register_static(&xram_ctrl_info);
-+
++}
-+    switch (access_el) {
++
-+    case 3:
++type_init(xram_ctrl_register_types)
-+    case 2:
+diff --git a/hw/misc/meson.build b/hw/misc/meson.build
 +        if (!hmc) {
 +            return false;
 +        }
 +        break;
 +    case 1:
 +        if (extract32(pac, 0, 1) == 0) {
 +            return false;
 +        }
 +        break;
 +    case 0:
 +        if (extract32(pac, 1, 1) == 0) {
 +            return false;
 +        }
 +        break;
 +    default:
 +        g_assert_not_reached();
 +    }
 +
 +    wt = extract64(cr, 20, 1);
 +    lbn = extract64(cr, 16, 4);
 +
 +    if (wt && !linked_bp_matches(cpu, lbn)) {
 +        return false;
 +    }
 +
 +    return true;
 +}
 +
 +static bool check_watchpoints(ARMCPU *cpu)
 +{
 +    CPUARMState *env = &cpu->env;
 +    int n;
 +
 +    /*
 +     * If watchpoints are disabled globally or we can't take debug
 +     * exceptions here then watchpoint firings are ignored.
 +     */
 +    if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
 +        || !arm_generate_debug_exceptions(env)) {
 +        return false;
 +    }
 +
 +    for (n = 0; n < ARRAY_SIZE(env->cpu_watchpoint); n++) {
 +        if (bp_wp_matches(cpu, n, true)) {
 +            return true;
 +        }
 +    }
 +    return false;
 +}
 +
 +static bool check_breakpoints(ARMCPU *cpu)
 +{
 +    CPUARMState *env = &cpu->env;
 +    int n;
 +
 +    /*
 +     * If breakpoints are disabled globally or we can't take debug
 +     * exceptions here then breakpoint firings are ignored.
 +     */
 +    if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
 +        || !arm_generate_debug_exceptions(env)) {
 +        return false;
 +    }
 +
 +    for (n = 0; n < ARRAY_SIZE(env->cpu_breakpoint); n++) {
 +        if (bp_wp_matches(cpu, n, false)) {
 +            return true;
 +        }
 +    }
 +    return false;
 +}
 +
 +void HELPER(check_breakpoints)(CPUARMState *env)
 +{
 +    ARMCPU *cpu = env_archcpu(env);
 +
 +    if (check_breakpoints(cpu)) {
 +        HELPER(exception_internal(env, EXCP_DEBUG));
 +    }
 +}
 +
 +bool arm_debug_check_watchpoint(CPUState *cs, CPUWatchpoint *wp)
 +{
 +    /*
 +     * Called by core code when a CPU watchpoint fires; need to check if this
 +     * is also an architectural watchpoint match.
 +     */
 +    ARMCPU *cpu = ARM_CPU(cs);
 +
 +    return check_watchpoints(cpu);
 +}
 +
 +void arm_debug_excp_handler(CPUState *cs)
 +{
 +    /*
 +     * Called by core code when a watchpoint or breakpoint fires;
 +     * need to check which one and raise the appropriate exception.
 +     */
 +    ARMCPU *cpu = ARM_CPU(cs);
 +    CPUARMState *env = &cpu->env;
 +    CPUWatchpoint *wp_hit = cs->watchpoint_hit;
 +
 +    if (wp_hit) {
 +        if (wp_hit->flags & BP_CPU) {
 +            bool wnr = (wp_hit->flags & BP_WATCHPOINT_HIT_WRITE) != 0;
 +            bool same_el = arm_debug_target_el(env) == arm_current_el(env);
 +
 +            cs->watchpoint_hit = NULL;
 +
 +            env->exception.fsr = arm_debug_exception_fsr(env);
 +            env->exception.vaddress = wp_hit->hitaddr;
 +            raise_exception(env, EXCP_DATA_ABORT,
 +                    syn_watchpoint(same_el, 0, wnr),
 +                    arm_debug_target_el(env));
 +        }
 +    } else {
 +        uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
 +        bool same_el = (arm_debug_target_el(env) == arm_current_el(env));
 +
 +        /*
 +         * (1) GDB breakpoints should be handled first.
 +         * (2) Do not raise a CPU exception if no CPU breakpoint has fired,
 +         * since singlestep is also done by generating a debug internal
 +         * exception.
 +         */
 +        if (cpu_breakpoint_test(cs, pc, BP_GDB)
 +            || !cpu_breakpoint_test(cs, pc, BP_CPU)) {
 +            return;
 +        }
 +
 +        env->exception.fsr = arm_debug_exception_fsr(env);
 +        /*
 +         * FAR is UNKNOWN: clear vaddress to avoid potentially exposing
 +         * values to the guest that it shouldn't be able to see at its
 +         * exception/security level.
 +         */
 +        env->exception.vaddress = 0;
 +        raise_exception(env, EXCP_PREFETCH_ABORT,
 +                        syn_breakpoint(same_el),
 +                        arm_debug_target_el(env));
 +    }
 +}
 +
 +#if !defined(CONFIG_USER_ONLY)
 +
 +vaddr arm_adjust_watchpoint_address(CPUState *cs, vaddr addr, int len)
 +{
 +    ARMCPU *cpu = ARM_CPU(cs);
 +    CPUARMState *env = &cpu->env;
 +
 +    /*
 +     * In BE32 system mode, target memory is stored byteswapped (on a
 +     * little-endian host system), and by the time we reach here (via an
 +     * opcode helper) the addresses of subword accesses have been adjusted
 +     * to account for that, which means that watchpoints will not match.
 +     * Undo the adjustment here.
 +     */
 +    if (arm_sctlr_b(env)) {
 +        if (len == 1) {
 +            addr ^= 3;
 +        } else if (len == 2) {
 +            addr ^= 2;
 +        }
 +    }
 +
 +    return addr;
 +}
 +
 +#endif
 diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/op_helper.c
+--- a/hw/misc/meson.build
-+++ b/target/arm/op_helper.c
++++ b/hw/misc/meson.build
-@@ -XXX,XX +XXX,XX @@ void HELPER(pre_smc)(CPUARMState *env, uint32_t syndrome)
+@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_RASPI', if_true: files(
-     }
+ ))
- }
+ softmmu_ss.add(when: 'CONFIG_SLAVIO', if_true: files('slavio_misc.c'))
+ softmmu_ss.add(when: 'CONFIG_ZYNQ', if_true: files('zynq_slcr.c', 'zynq-xadc.c'))
--/* Return true if the linked breakpoint entry lbn passes its checks */
++softmmu_ss.add(when: 'CONFIG_XLNX_VERSAL', if_true: files('xlnx-versal-xramc.c'))
--static bool linked_bp_matches(ARMCPU *cpu, int lbn)
+ softmmu_ss.add(when: 'CONFIG_STM32F2XX_SYSCFG', if_true: files('stm32f2xx_syscfg.c'))
--{
+ softmmu_ss.add(when: 'CONFIG_STM32F4XX_SYSCFG', if_true: files('stm32f4xx_syscfg.c'))
--    CPUARMState *env = &cpu->env;
+ softmmu_ss.add(when: 'CONFIG_STM32F4XX_EXTI', if_true: files('stm32f4xx_exti.c'))
 -    uint64_t bcr = env->cp15.dbgbcr[lbn];
 -    int brps = extract32(cpu->dbgdidr, 24, 4);
 -    int ctx_cmps = extract32(cpu->dbgdidr, 20, 4);
 -    int bt;
 -    uint32_t contextidr;
 -
 -    /*
 -     * Links to unimplemented or non-context aware breakpoints are
 -     * CONSTRAINED UNPREDICTABLE: either behave as if disabled, or
 -     * as if linked to an UNKNOWN context-aware breakpoint (in which
 -     * case DBGWCR<n>_EL1.LBN must indicate that breakpoint).
 -     * We choose the former.
 -     */
 -    if (lbn > brps || lbn < (brps - ctx_cmps)) {
 -        return false;
 -    }
 -
 -    bcr = env->cp15.dbgbcr[lbn];
 -
 -    if (extract64(bcr, 0, 1) == 0) {
 -        /* Linked breakpoint disabled : generate no events */
 -        return false;
 -    }
 -
 -    bt = extract64(bcr, 20, 4);
 -
 -    /*
 -     * We match the whole register even if this is AArch32 using the
 -     * short descriptor format (in which case it holds both PROCID and ASID),
 -     * since we don't implement the optional v7 context ID masking.
 -     */
 -    contextidr = extract64(env->cp15.contextidr_el[1], 0, 32);
 -
 -    switch (bt) {
 -    case 3: /* linked context ID match */
 -        if (arm_current_el(env) > 1) {
 -            /* Context matches never fire in EL2 or (AArch64) EL3 */
 -            return false;
 -        }
 -        return (contextidr == extract64(env->cp15.dbgbvr[lbn], 0, 32));
 -    case 5: /* linked address mismatch (reserved in AArch64) */
 -    case 9: /* linked VMID match (reserved if no EL2) */
 -    case 11: /* linked context ID and VMID match (reserved if no EL2) */
 -    default:
 -        /*
 -         * Links to Unlinked context breakpoints must generate no
 -         * events; we choose to do the same for reserved values too.
 -         */
 -        return false;
 -    }
 -
 -    return false;
 -}
 -
 -static bool bp_wp_matches(ARMCPU *cpu, int n, bool is_wp)
 -{
 -    CPUARMState *env = &cpu->env;
 -    uint64_t cr;
 -    int pac, hmc, ssc, wt, lbn;
 -    /*
 -     * Note that for watchpoints the check is against the CPU security
 -     * state, not the S/NS attribute on the offending data access.
 -     */
 -    bool is_secure = arm_is_secure(env);
 -    int access_el = arm_current_el(env);
 -
 -    if (is_wp) {
 -        CPUWatchpoint *wp = env->cpu_watchpoint[n];
 -
 -        if (!wp || !(wp->flags & BP_WATCHPOINT_HIT)) {
 -            return false;
 -        }
 -        cr = env->cp15.dbgwcr[n];
 -        if (wp->hitattrs.user) {
 -            /*
 -             * The LDRT/STRT/LDT/STT "unprivileged access" instructions should
 -             * match watchpoints as if they were accesses done at EL0, even if
 -             * the CPU is at EL1 or higher.
 -             */
 -            access_el = 0;
 -        }
 -    } else {
 -        uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
 -
 -        if (!env->cpu_breakpoint[n] || env->cpu_breakpoint[n]->pc != pc) {
 -            return false;
 -        }
 -        cr = env->cp15.dbgbcr[n];
 -    }
 -    /*
 -     * The WATCHPOINT_HIT flag guarantees us that the watchpoint is
 -     * enabled and that the address and access type match; for breakpoints
 -     * we know the address matched; check the remaining fields, including
 -     * linked breakpoints. We rely on WCR and BCR having the same layout
 -     * for the LBN, SSC, HMC, PAC/PMC and is-linked fields.
 -     * Note that some combinations of {PAC, HMC, SSC} are reserved and
 -     * must act either like some valid combination or as if the watchpoint
 -     * were disabled. We choose the former, and use this together with
 -     * the fact that EL3 must always be Secure and EL2 must always be
 -     * Non-Secure to simplify the code slightly compared to the full
 -     * table in the ARM ARM.
 -     */
 -    pac = extract64(cr, 1, 2);
 -    hmc = extract64(cr, 13, 1);
 -    ssc = extract64(cr, 14, 2);
 -
 -    switch (ssc) {
 -    case 0:
 -        break;
 -    case 1:
 -    case 3:
 -        if (is_secure) {
 -            return false;
 -        }
 -        break;
 -    case 2:
 -        if (!is_secure) {
 -            return false;
 -        }
 -        break;
 -    }
 -
 -    switch (access_el) {
 -    case 3:
 -    case 2:
 -        if (!hmc) {
 -            return false;
 -        }
 -        break;
 -    case 1:
 -        if (extract32(pac, 0, 1) == 0) {
 -            return false;
 -        }
 -        break;
 -    case 0:
 -        if (extract32(pac, 1, 1) == 0) {
 -            return false;
 -        }
 -        break;
 -    default:
 -        g_assert_not_reached();
 -    }
 -
 -    wt = extract64(cr, 20, 1);
 -    lbn = extract64(cr, 16, 4);
 -
 -    if (wt && !linked_bp_matches(cpu, lbn)) {
 -        return false;
 -    }
 -
 -    return true;
 -}
 -
 -static bool check_watchpoints(ARMCPU *cpu)
 -{
 -    CPUARMState *env = &cpu->env;
 -    int n;
 -
 -    /*
 -     * If watchpoints are disabled globally or we can't take debug
 -     * exceptions here then watchpoint firings are ignored.
 -     */
 -    if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
 -        || !arm_generate_debug_exceptions(env)) {
 -        return false;
 -    }
 -
 -    for (n = 0; n < ARRAY_SIZE(env->cpu_watchpoint); n++) {
 -        if (bp_wp_matches(cpu, n, true)) {
 -            return true;
 -        }
 -    }
 -    return false;
 -}
 -
 -static bool check_breakpoints(ARMCPU *cpu)
 -{
 -    CPUARMState *env = &cpu->env;
 -    int n;
 -
 -    /*
 -     * If breakpoints are disabled globally or we can't take debug
 -     * exceptions here then breakpoint firings are ignored.
 -     */
 -    if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
 -        || !arm_generate_debug_exceptions(env)) {
 -        return false;
 -    }
 -
 -    for (n = 0; n < ARRAY_SIZE(env->cpu_breakpoint); n++) {
 -        if (bp_wp_matches(cpu, n, false)) {
 -            return true;
 -        }
 -    }
 -    return false;
 -}
 -
 -void HELPER(check_breakpoints)(CPUARMState *env)
 -{
 -    ARMCPU *cpu = env_archcpu(env);
 -
 -    if (check_breakpoints(cpu)) {
 -        HELPER(exception_internal(env, EXCP_DEBUG));
 -    }
 -}
 -
 -bool arm_debug_check_watchpoint(CPUState *cs, CPUWatchpoint *wp)
 -{
 -    /*
 -     * Called by core code when a CPU watchpoint fires; need to check if this
 -     * is also an architectural watchpoint match.
 -     */
 -    ARMCPU *cpu = ARM_CPU(cs);
 -
 -    return check_watchpoints(cpu);
 -}
 -
 -vaddr arm_adjust_watchpoint_address(CPUState *cs, vaddr addr, int len)
 -{
 -    ARMCPU *cpu = ARM_CPU(cs);
 -    CPUARMState *env = &cpu->env;
 -
 -    /*
 -     * In BE32 system mode, target memory is stored byteswapped (on a
 -     * little-endian host system), and by the time we reach here (via an
 -     * opcode helper) the addresses of subword accesses have been adjusted
 -     * to account for that, which means that watchpoints will not match.
 -     * Undo the adjustment here.
 -     */
 -    if (arm_sctlr_b(env)) {
 -        if (len == 1) {
 -            addr ^= 3;
 -        } else if (len == 2) {
 -            addr ^= 2;
 -        }
 -    }
 -
 -    return addr;
 -}
 -
 -void arm_debug_excp_handler(CPUState *cs)
 -{
 -    /*
 -     * Called by core code when a watchpoint or breakpoint fires;
 -     * need to check which one and raise the appropriate exception.
 -     */
 -    ARMCPU *cpu = ARM_CPU(cs);
 -    CPUARMState *env = &cpu->env;
 -    CPUWatchpoint *wp_hit = cs->watchpoint_hit;
 -
 -    if (wp_hit) {
 -        if (wp_hit->flags & BP_CPU) {
 -            bool wnr = (wp_hit->flags & BP_WATCHPOINT_HIT_WRITE) != 0;
 -            bool same_el = arm_debug_target_el(env) == arm_current_el(env);
 -
 -            cs->watchpoint_hit = NULL;
 -
 -            env->exception.fsr = arm_debug_exception_fsr(env);
 -            env->exception.vaddress = wp_hit->hitaddr;
 -            raise_exception(env, EXCP_DATA_ABORT,
 -                    syn_watchpoint(same_el, 0, wnr),
 -                    arm_debug_target_el(env));
 -        }
 -    } else {
 -        uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
 -        bool same_el = (arm_debug_target_el(env) == arm_current_el(env));
 -
 -        /*
 -         * (1) GDB breakpoints should be handled first.
 -         * (2) Do not raise a CPU exception if no CPU breakpoint has fired,
 -         * since singlestep is also done by generating a debug internal
 -         * exception.
 -         */
 -        if (cpu_breakpoint_test(cs, pc, BP_GDB)
 -            || !cpu_breakpoint_test(cs, pc, BP_CPU)) {
 -            return;
 -        }
 -
 -        env->exception.fsr = arm_debug_exception_fsr(env);
 -        /*
 -         * FAR is UNKNOWN: clear vaddress to avoid potentially exposing
 -         * values to the guest that it shouldn't be able to see at its
 -         * exception/security level.
 -         */
 -        env->exception.vaddress = 0;
 -        raise_exception(env, EXCP_PREFETCH_ABORT,
 -                        syn_breakpoint(same_el),
 -                        arm_debug_target_el(env));
 -    }
 -}
 -
  /* ??? Flag setting arithmetic is awkward because we need to do comparisons.
     The only way to do that in TCG is a conditional branch, which clobbers
     all our temporaries.  For now implement these as helper functions.  */
 --
 .20.1

-New patch
+[PULL 02/39] hw/arm: versal: Add support for the XRAMs
+From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
+Connect the support for the Versal Accelerator RAMs (XRAMs).
+Reviewed-by: Luc Michel <luc@lmichel.fr>
+Acked-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Message-id: 20210308224637.2949533-3-edgar.iglesias@gmail.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ docs/system/arm/xlnx-versal-virt.rst |  1 +
+ include/hw/arm/xlnx-versal.h         | 13 ++++++++++
+ hw/arm/xlnx-versal.c                 | 36 ++++++++++++++++++++++++++++
+files changed, 50 insertions(+)
+diff --git a/docs/system/arm/xlnx-versal-virt.rst b/docs/system/arm/xlnx-versal-virt.rst
+index XXXXXXX..XXXXXXX 100644
+--- a/docs/system/arm/xlnx-versal-virt.rst
++++ b/docs/system/arm/xlnx-versal-virt.rst
+@@ -XXX,XX +XXX,XX @@ Implemented devices:
+ - 8 ADMA (Xilinx zDMA) channels
+ - 2 SD Controllers
+ - OCM (256KB of On Chip Memory)
++- XRAM (4MB of on chip Accelerator RAM)
+ - DDR memory
+ QEMU does not yet model any other devices, including the PL and the AI Engine.
+diff --git a/include/hw/arm/xlnx-versal.h b/include/hw/arm/xlnx-versal.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/arm/xlnx-versal.h
++++ b/include/hw/arm/xlnx-versal.h
+@@ -XXX,XX +XXX,XX @@
+ #include "hw/sysbus.h"
+ #include "hw/arm/boot.h"
++#include "hw/or-irq.h"
+ #include "hw/sd/sdhci.h"
+ #include "hw/intc/arm_gicv3.h"
+ #include "hw/char/pl011.h"
+@@ -XXX,XX +XXX,XX @@
+ #include "hw/rtc/xlnx-zynqmp-rtc.h"
+ #include "qom/object.h"
+ #include "hw/usb/xlnx-usb-subsystem.h"
++#include "hw/misc/xlnx-versal-xramc.h"
+ #define TYPE_XLNX_VERSAL "xlnx-versal"
+ OBJECT_DECLARE_SIMPLE_TYPE(Versal, XLNX_VERSAL)
+@@ -XXX,XX +XXX,XX @@ OBJECT_DECLARE_SIMPLE_TYPE(Versal, XLNX_VERSAL)
+ #define XLNX_VERSAL_NR_GEMS    2
+ #define XLNX_VERSAL_NR_ADMAS   8
+ #define XLNX_VERSAL_NR_SDS     2
++#define XLNX_VERSAL_NR_XRAM    4
+ #define XLNX_VERSAL_NR_IRQS    192
+ struct Versal {
+@@ -XXX,XX +XXX,XX @@ struct Versal {
+             XlnxZDMA adma[XLNX_VERSAL_NR_ADMAS];
+             VersalUsb2 usb;
+         } iou;
++
++        struct {
++            qemu_or_irq irq_orgate;
++            XlnxXramCtrl ctrl[XLNX_VERSAL_NR_XRAM];
++        } xram;
+     } lpd;
+     /* The Platform Management Controller subsystem.  */
+@@ -XXX,XX +XXX,XX @@ struct Versal {
+ #define VERSAL_GEM1_IRQ_0          58
+ #define VERSAL_GEM1_WAKE_IRQ_0     59
+ #define VERSAL_ADMA_IRQ_0          60
++#define VERSAL_XRAM_IRQ_0          79
+ #define VERSAL_RTC_APB_ERR_IRQ     121
+ #define VERSAL_SD0_IRQ_0           126
+ #define VERSAL_RTC_ALARM_IRQ       142
+@@ -XXX,XX +XXX,XX @@ struct Versal {
+ #define MM_OCM                      0xfffc0000U
+ #define MM_OCM_SIZE                 0x40000
++#define MM_XRAM                     0xfe800000
++#define MM_XRAMC                    0xff8e0000
++#define MM_XRAMC_SIZE               0x10000
++
+ #define MM_USB2_CTRL_REGS           0xFF9D0000
+ #define MM_USB2_CTRL_REGS_SIZE      0x10000
+diff --git a/hw/arm/xlnx-versal.c b/hw/arm/xlnx-versal.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/xlnx-versal.c
++++ b/hw/arm/xlnx-versal.c
+@@ -XXX,XX +XXX,XX @@
+  */
+ #include "qemu/osdep.h"
++#include "qemu/units.h"
+ #include "qapi/error.h"
+ #include "qemu/log.h"
+ #include "qemu/module.h"
+@@ -XXX,XX +XXX,XX @@ static void versal_create_rtc(Versal *s, qemu_irq *pic)
+     sysbus_connect_irq(sbd, 1, pic[VERSAL_RTC_APB_ERR_IRQ]);
+ }
++static void versal_create_xrams(Versal *s, qemu_irq *pic)
++{
++    int nr_xrams = ARRAY_SIZE(s->lpd.xram.ctrl);
++    DeviceState *orgate;
++    int i;
++
++    /* XRAM IRQs get ORed into a single line.  */
++    object_initialize_child(OBJECT(s), "xram-irq-orgate",
++                            &s->lpd.xram.irq_orgate, TYPE_OR_IRQ);
++    orgate = DEVICE(&s->lpd.xram.irq_orgate);
++    object_property_set_int(OBJECT(orgate),
++                            "num-lines", nr_xrams, &error_fatal);
++    qdev_realize(orgate, NULL, &error_fatal);
++    qdev_connect_gpio_out(orgate, 0, pic[VERSAL_XRAM_IRQ_0]);
++
++    for (i = 0; i < ARRAY_SIZE(s->lpd.xram.ctrl); i++) {
++        SysBusDevice *sbd;
++        MemoryRegion *mr;
++
++        object_initialize_child(OBJECT(s), "xram[*]", &s->lpd.xram.ctrl[i],
++                                TYPE_XLNX_XRAM_CTRL);
++        sbd = SYS_BUS_DEVICE(&s->lpd.xram.ctrl[i]);
++        sysbus_realize(sbd, &error_fatal);
++
++        mr = sysbus_mmio_get_region(sbd, 0);
++        memory_region_add_subregion(&s->mr_ps,
++                                    MM_XRAMC + i * MM_XRAMC_SIZE, mr);
++        mr = sysbus_mmio_get_region(sbd, 1);
++        memory_region_add_subregion(&s->mr_ps, MM_XRAM + i * MiB, mr);
++
++        sysbus_connect_irq(sbd, 0, qdev_get_gpio_in(orgate, i));
++    }
++}
++
+ /* This takes the board allocated linear DDR memory and creates aliases
+  * for each split DDR range/aperture on the Versal address map.
+  */
+@@ -XXX,XX +XXX,XX @@ static void versal_realize(DeviceState *dev, Error **errp)
+     versal_create_admas(s, pic);
+     versal_create_sds(s, pic);
+     versal_create_rtc(s, pic);
++    versal_create_xrams(s, pic);
+     versal_map_ddr(s);
+     versal_unimp(s);
+--
+.20.1

-New patch
+[PULL 03/39] intel_iommu: Fix mask may be uninitialized in vtd_context_device_invalidate
+From: Eric Auger <eric.auger@redhat.com>
+With -Werror=maybe-uninitialized configuration we get
+../hw/i386/intel_iommu.c: In function ‘vtd_context_device_invalidate’:
+../hw/i386/intel_iommu.c:1888:10: error: ‘mask’ may be used
+uninitialized in this function [-Werror=maybe-uninitialized]
+|     mask = ~mask;
+      |     ~~~~~^~~~~~~
+Add a g_assert_not_reached() to avoid the error.
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20210309102742.30442-2-eric.auger@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/i386/intel_iommu.c | 2 ++
+file changed, 2 insertions(+)
+diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/i386/intel_iommu.c
++++ b/hw/i386/intel_iommu.c
+@@ -XXX,XX +XXX,XX @@ static void vtd_context_device_invalidate(IntelIOMMUState *s,
+     case 3:
+         mask = 7;   /* Mask bit 2:0 in the SID field */
+         break;
++    default:
++        g_assert_not_reached();
+     }
+     mask = ~mask;
+--
+.20.1

-New patch
+[PULL 04/39] dma: Introduce dma_aligned_pow2_mask()
+From: Eric Auger <eric.auger@redhat.com>
+Currently get_naturally_aligned_size() is used by the intel iommu
+to compute the maximum invalidation range based on @size which is
+a power of 2 while being aligned with the @start address and less
+than the maximum range defined by @gaw.
+This helper is also useful for other iommu devices (virtio-iommu,
+SMMUv3) to make sure IOMMU UNMAP notifiers only are called with
+power of 2 range sizes.
+Let's move this latter into dma-helpers.c and rename it into
+dma_aligned_pow2_mask(). Also rewrite the helper so that it
+accomodates UINT64_MAX values for the size mask and max mask.
+It now returns a mask instead of a size. Change the caller.
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Message-id: 20210309102742.30442-3-eric.auger@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ include/sysemu/dma.h  | 12 ++++++++++++
+ hw/i386/intel_iommu.c | 30 +++++++-----------------------
+ softmmu/dma-helpers.c | 26 ++++++++++++++++++++++++++
+files changed, 45 insertions(+), 23 deletions(-)
+diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/sysemu/dma.h
++++ b/include/sysemu/dma.h
+@@ -XXX,XX +XXX,XX @@ uint64_t dma_buf_write(uint8_t *ptr, int32_t len, QEMUSGList *sg);
+ void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie,
+                     QEMUSGList *sg, enum BlockAcctType type);
++/**
++ * dma_aligned_pow2_mask: Return the address bit mask of the largest
++ * power of 2 size less or equal than @end - @start + 1, aligned with @start,
++ * and bounded by 1 << @max_addr_bits bits.
++ *
++ * @start: range start address
++ * @end: range end address (greater than @start)
++ * @max_addr_bits: max address bits (<= 64)
++ */
++uint64_t dma_aligned_pow2_mask(uint64_t start, uint64_t end,
++                               int max_addr_bits);
++
+ #endif
+diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/i386/intel_iommu.c
++++ b/hw/i386/intel_iommu.c
+@@ -XXX,XX +XXX,XX @@
+ #include "hw/i386/x86-iommu.h"
+ #include "hw/pci-host/q35.h"
+ #include "sysemu/kvm.h"
++#include "sysemu/dma.h"
+ #include "sysemu/sysemu.h"
+ #include "hw/i386/apic_internal.h"
+ #include "kvm/kvm_i386.h"
+@@ -XXX,XX +XXX,XX @@ VTDAddressSpace *vtd_find_add_as(IntelIOMMUState *s, PCIBus *bus, int devfn)
+     return vtd_dev_as;
+ }
+-static uint64_t get_naturally_aligned_size(uint64_t start,
+-                                           uint64_t size, int gaw)
+-{
+-    uint64_t max_mask = 1ULL << gaw;
+-    uint64_t alignment = start ? start & -start : max_mask;
+-
+-    alignment = MIN(alignment, max_mask);
+-    size = MIN(size, max_mask);
+-
+-    if (alignment <= size) {
+-        /* Increase the alignment of start */
+-        return alignment;
+-    } else {
+-        /* Find the largest page mask from size */
+-        return 1ULL << (63 - clz64(size));
+-    }
+-}
+-
+ /* Unmap the whole range in the notifier's scope. */
+ static void vtd_address_space_unmap(VTDAddressSpace *as, IOMMUNotifier *n)
+ {
+@@ -XXX,XX +XXX,XX @@ static void vtd_address_space_unmap(VTDAddressSpace *as, IOMMUNotifier *n)
+     while (remain >= VTD_PAGE_SIZE) {
+         IOMMUTLBEvent event;
+-        uint64_t mask = get_naturally_aligned_size(start, remain, s->aw_bits);
++        uint64_t mask = dma_aligned_pow2_mask(start, end, s->aw_bits);
++        uint64_t size = mask + 1;
+-        assert(mask);
++        assert(size);
+         event.type = IOMMU_NOTIFIER_UNMAP;
+         event.entry.iova = start;
+-        event.entry.addr_mask = mask - 1;
++        event.entry.addr_mask = mask;
+         event.entry.target_as = &address_space_memory;
+         event.entry.perm = IOMMU_NONE;
+         /* This field is meaningless for unmap */
+@@ -XXX,XX +XXX,XX @@ static void vtd_address_space_unmap(VTDAddressSpace *as, IOMMUNotifier *n)
+         memory_region_notify_iommu_one(n, &event);
+-        start += mask;
+-        remain -= mask;
++        start += size;
++        remain -= size;
+     }
+     assert(!remain);
+diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
+index XXXXXXX..XXXXXXX 100644
+--- a/softmmu/dma-helpers.c
++++ b/softmmu/dma-helpers.c
+@@ -XXX,XX +XXX,XX @@ void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie,
+ {
+     block_acct_start(blk_get_stats(blk), cookie, sg->size, type);
+ }
++
++uint64_t dma_aligned_pow2_mask(uint64_t start, uint64_t end, int max_addr_bits)
++{
++    uint64_t max_mask = UINT64_MAX, addr_mask = end - start;
++    uint64_t alignment_mask, size_mask;
++
++    if (max_addr_bits != 64) {
++        max_mask = (1ULL << max_addr_bits) - 1;
++    }
++
++    alignment_mask = start ? (start & -start) - 1 : max_mask;
++    alignment_mask = MIN(alignment_mask, max_mask);
++    size_mask = MIN(addr_mask, max_mask);
++
++    if (alignment_mask <= size_mask) {
++        /* Increase the alignment of start */
++        return alignment_mask;
++    } else {
++        /* Find the largest page mask from size */
++        if (addr_mask == UINT64_MAX) {
++            return UINT64_MAX;
++        }
++        return (1ULL << (63 - clz64(addr_mask + 1))) - 1;
++    }
++}
++
+--
+.20.1

-New patch
+[PULL 05/39] virtio-iommu: Handle non power of 2 range invalidations
+From: Eric Auger <eric.auger@redhat.com>
+Unmap notifiers work with an address mask assuming an
+invalidation range of a power of 2. Nothing mandates this
+in the VIRTIO-IOMMU spec.
+So in case the range is not a power of 2, split it into
+several invalidations.
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Message-id: 20210309102742.30442-4-eric.auger@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/virtio/virtio-iommu.c | 19 ++++++++++++++++---
+file changed, 16 insertions(+), 3 deletions(-)
+diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/virtio/virtio-iommu.c
++++ b/hw/virtio/virtio-iommu.c
+@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_notify_unmap(IOMMUMemoryRegion *mr, hwaddr virt_start,
+                                       hwaddr virt_end)
+ {
+     IOMMUTLBEvent event;
++    uint64_t delta = virt_end - virt_start;
+     if (!(mr->iommu_notify_flags & IOMMU_NOTIFIER_UNMAP)) {
+         return;
+@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_notify_unmap(IOMMUMemoryRegion *mr, hwaddr virt_start,
+     event.type = IOMMU_NOTIFIER_UNMAP;
+     event.entry.target_as = &address_space_memory;
+-    event.entry.addr_mask = virt_end - virt_start;
+-    event.entry.iova = virt_start;
+     event.entry.perm = IOMMU_NONE;
+     event.entry.translated_addr = 0;
++    event.entry.addr_mask = delta;
++    event.entry.iova = virt_start;
+-    memory_region_notify_iommu(mr, 0, event);
++    if (delta == UINT64_MAX) {
++        memory_region_notify_iommu(mr, 0, event);
++    }
++
++
++    while (virt_start != virt_end + 1) {
++        uint64_t mask = dma_aligned_pow2_mask(virt_start, virt_end, 64);
++
++        event.entry.addr_mask = mask;
++        event.entry.iova = virt_start;
++        memory_region_notify_iommu(mr, 0, event);
++        virt_start += mask + 1;
++    }
+ }
+ static gboolean virtio_iommu_notify_unmap_cb(gpointer key, gpointer value,
+--
+.20.1

-New patch
+[PULL 06/39] hw/arm/smmu-common: Fix smmu_iotlb_inv_iova when asid is not set
+From: Eric Auger <eric.auger@redhat.com>
+If the asid is not set, do not attempt to locate the key directly
+as all inserted keys have a valid asid.
+Use g_hash_table_foreach_remove instead.
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Message-id: 20210309102742.30442-5-eric.auger@redhat.com
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/arm/smmu-common.c | 2 +-
+file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/smmu-common.c
++++ b/hw/arm/smmu-common.c
+@@ -XXX,XX +XXX,XX @@ inline void
+ smmu_iotlb_inv_iova(SMMUState *s, int asid, dma_addr_t iova,
+                     uint8_t tg, uint64_t num_pages, uint8_t ttl)
+ {
+-    if (ttl && (num_pages == 1)) {
++    if (ttl && (num_pages == 1) && (asid >= 0)) {
+         SMMUIOTLBKey key = smmu_get_iotlb_key(asid, iova, tg, ttl);
+         g_hash_table_remove(s->iotlb, &key);
+--
+.20.1

-[Qemu-devel] [PULL 2/9] target/arm: Restrict semi-hosting to TCG
+[PULL 07/39] hw/arm/smmuv3: Enforce invalidation on a power of two range
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: Eric Auger <eric.auger@redhat.com>
-Per Peter Maydell:
+As of today, the driver can invalidate a number of pages that is
 not a power of 2. However IOTLB unmap notifications and internal
 IOTLB invalidations work with masks leading to erroneous
 invalidations.
-  Semihosting hooks either SVC or HLT instructions, and inside KVM
+In case the range is not a power of 2, split invalidations into
-  both of those go to EL1, ie to the guest, and can't be trapped to
+power of 2 invalidations.
   KVM.
-Let check_for_semihosting() return False when not running on TCG.
+When looking for a single page entry in the vSMMU internal IOTLB,
 let's make sure that if the entry is not found using a
 g_hash_table_remove() we iterate over all the entries to find a
 potential range that overlaps it.
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
-Message-id: 20190701194942.10092-3-philmd@redhat.com
+Message-id: 20210309102742.30442-6-eric.auger@redhat.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/Makefile.objs | 2 +-
+ hw/arm/smmu-common.c | 30 ++++++++++++++++++------------
- target/arm/cpu.h         | 7 +++++++
+ hw/arm/smmuv3.c      | 24 ++++++++++++++++++++----
- target/arm/helper.c      | 8 +++++++-
+files changed, 38 insertions(+), 16 deletions(-)
 files changed, 15 insertions(+), 2 deletions(-)
-diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
+diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/Makefile.objs
+--- a/hw/arm/smmu-common.c
-+++ b/target/arm/Makefile.objs
++++ b/hw/arm/smmu-common.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ inline void
--obj-y += arm-semi.o
+ smmu_iotlb_inv_iova(SMMUState *s, int asid, dma_addr_t iova,
-+obj-$(CONFIG_TCG) += arm-semi.o
+                     uint8_t tg, uint64_t num_pages, uint8_t ttl)
- obj-y += helper.o vfp_helper.o
+ {
- obj-y += cpu.o gdbstub.o
++    /* if tg is not set we use 4KB range invalidation */
- obj-$(TARGET_AARCH64) += cpu64.o gdbstub64.o
++    uint8_t granule = tg ? tg * 2 + 10 : 12;
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
++
      if (ttl && (num_pages == 1) && (asid >= 0)) {
          SMMUIOTLBKey key = smmu_get_iotlb_key(asid, iova, tg, ttl);
 -        g_hash_table_remove(s->iotlb, &key);
 -    } else {
 -        /* if tg is not set we use 4KB range invalidation */
 -        uint8_t granule = tg ? tg * 2 + 10 : 12;
 -
 -        SMMUIOTLBPageInvInfo info = {
 -            .asid = asid, .iova = iova,
 -            .mask = (num_pages * 1 << granule) - 1};
 -
 -        g_hash_table_foreach_remove(s->iotlb,
 -                                    smmu_hash_remove_by_asid_iova,
 -                                    &info);
 +        if (g_hash_table_remove(s->iotlb, &key)) {
 +            return;
 +        }
 +        /*
 +         * if the entry is not found, let's see if it does not
 +         * belong to a larger IOTLB entry
 +         */
      }
 +
 +    SMMUIOTLBPageInvInfo info = {
 +        .asid = asid, .iova = iova,
 +        .mask = (num_pages * 1 << granule) - 1};
 +
 +    g_hash_table_foreach_remove(s->iotlb,
 +                                smmu_hash_remove_by_asid_iova,
 +                                &info);
  }
  inline void smmu_iotlb_inv_asid(SMMUState *s, uint16_t asid)
 diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
+--- a/hw/arm/smmuv3.c
-+++ b/target/arm/cpu.h
++++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@ static inline void aarch64_sve_change_el(CPUARMState *env, int o,
+@@ -XXX,XX +XXX,XX @@ static void smmuv3_s1_range_inval(SMMUState *s, Cmd *cmd)
- { }
+     uint16_t vmid = CMD_VMID(cmd);
- #endif
+     bool leaf = CMD_LEAF(cmd);
+     uint8_t tg = CMD_TG(cmd);
-+#if !defined(CONFIG_TCG)
+-    hwaddr num_pages = 1;
-+static inline target_ulong do_arm_semihosting(CPUARMState *env)
++    uint64_t first_page = 0, last_page;
-+{
++    uint64_t num_pages = 1;
-+    g_assert_not_reached();
+     int asid = -1;
-+}
-+#else
+     if (tg) {
- target_ulong do_arm_semihosting(CPUARMState *env);
+@@ -XXX,XX +XXX,XX @@ static void smmuv3_s1_range_inval(SMMUState *s, Cmd *cmd)
-+#endif
+     if (type == SMMU_CMD_TLBI_NH_VA) {
- void aarch64_sync_32_to_64(CPUARMState *env);
+         asid = CMD_ASID(cmd);
  void aarch64_sync_64_to_32(CPUARMState *env);
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/qemu-print.h"
  #include "exec/exec-all.h"
  #include "exec/cpu_ldst.h"
 -#include "arm_ldst.h"
  #include <zlib.h> /* For crc32 */
  #include "hw/semihosting/semihost.h"
  #include "sysemu/cpus.h"
@@ -XXX,XX +XXX,XX @@
  #include "qapi/qapi-commands-machine-target.h"
  #include "qapi/error.h"
  #include "qemu/guest-random.h"
 +#ifdef CONFIG_TCG
 +#include "arm_ldst.h"
 +#endif
  #define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_do_interrupt_aarch64(CPUState *cs)
  static inline bool check_for_semihosting(CPUState *cs)
  {
 +#ifdef CONFIG_TCG
      /* Check whether this exception is a semihosting call; if so
       * then handle it and return true; otherwise return false.
       */
@@ -XXX,XX +XXX,XX @@ static inline bool check_for_semihosting(CPUState *cs)
          env->regs[0] = do_arm_semihosting(env);
          return true;
      }
-+#else
+-    trace_smmuv3_s1_range_inval(vmid, asid, addr, tg, num_pages, ttl, leaf);
-+    return false;
+-    smmuv3_inv_notifiers_iova(s, asid, addr, tg, num_pages);
-+#endif
+-    smmu_iotlb_inv_iova(s, asid, addr, tg, num_pages, ttl);
 +
 +    /* Split invalidations into ^2 range invalidations */
 +    last_page = num_pages - 1;
 +    while (num_pages) {
 +        uint8_t granule = tg * 2 + 10;
 +        uint64_t mask, count;
 +
 +        mask = dma_aligned_pow2_mask(first_page, last_page, 64 - granule);
 +        count = mask + 1;
 +
 +        trace_smmuv3_s1_range_inval(vmid, asid, addr, tg, count, ttl, leaf);
 +        smmuv3_inv_notifiers_iova(s, asid, addr, tg, count);
 +        smmu_iotlb_inv_iova(s, asid, addr, tg, count, ttl);
 +
 +        num_pages -= count;
 +        first_page += count;
 +        addr += count * BIT_ULL(granule);
 +    }
  }
- /* Handle a CPU exception for A and R profile CPUs.
+ static int smmuv3_cmdq_consume(SMMUv3State *s)
 --
 .20.1

-New patch
+[PULL 08/39] hw/arm/smmuv3: Fix SMMU_CMD_CFGI_STE_RANGE handling
+From: Eric Auger <eric.auger@redhat.com>
+If the whole SID range (32b) is invalidated (SMMU_CMD_CFGI_ALL),
+@end overflows and we fail to handle the command properly.
+Once this gets fixed, the current code really is awkward in the
+sense it loops over the whole range instead of removing the
+currently cached configs through a hash table lookup.
+Fix both the overflow and the lookup.
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20210309102742.30442-7-eric.auger@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/arm/smmu-internal.h |  5 +++++
+ hw/arm/smmuv3.c        | 34 ++++++++++++++++++++--------------
+files changed, 25 insertions(+), 14 deletions(-)
+diff --git a/hw/arm/smmu-internal.h b/hw/arm/smmu-internal.h
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/smmu-internal.h
++++ b/hw/arm/smmu-internal.h
+@@ -XXX,XX +XXX,XX @@ typedef struct SMMUIOTLBPageInvInfo {
+     uint64_t mask;
+ } SMMUIOTLBPageInvInfo;
++typedef struct SMMUSIDRange {
++    uint32_t start;
++    uint32_t end;
++} SMMUSIDRange;
++
+ #endif
+diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/smmuv3.c
++++ b/hw/arm/smmuv3.c
+@@ -XXX,XX +XXX,XX @@
+ #include "hw/arm/smmuv3.h"
+ #include "smmuv3-internal.h"
++#include "smmu-internal.h"
+ /**
+  * smmuv3_trigger_irq - pulse @irq if enabled and update
+@@ -XXX,XX +XXX,XX @@ static void smmuv3_s1_range_inval(SMMUState *s, Cmd *cmd)
+     }
+ }
++static gboolean
++smmuv3_invalidate_ste(gpointer key, gpointer value, gpointer user_data)
++{
++    SMMUDevice *sdev = (SMMUDevice *)key;
++    uint32_t sid = smmu_get_sid(sdev);
++    SMMUSIDRange *sid_range = (SMMUSIDRange *)user_data;
++
++    if (sid < sid_range->start || sid > sid_range->end) {
++        return false;
++    }
++    trace_smmuv3_config_cache_inv(sid);
++    return true;
++}
++
+ static int smmuv3_cmdq_consume(SMMUv3State *s)
+ {
+     SMMUState *bs = ARM_SMMU(s);
+@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
+         }
+         case SMMU_CMD_CFGI_STE_RANGE: /* same as SMMU_CMD_CFGI_ALL */
+         {
+-            uint32_t start = CMD_SID(&cmd), end, i;
++            uint32_t start = CMD_SID(&cmd);
+             uint8_t range = CMD_STE_RANGE(&cmd);
++            uint64_t end = start + (1ULL << (range + 1)) - 1;
++            SMMUSIDRange sid_range = {start, end};
+             if (CMD_SSEC(&cmd)) {
+                 cmd_error = SMMU_CERROR_ILL;
+                 break;
+             }
+-
+-            end = start + (1 << (range + 1)) - 1;
+             trace_smmuv3_cmdq_cfgi_ste_range(start, end);
+-
+-            for (i = start; i <= end; i++) {
+-                IOMMUMemoryRegion *mr = smmu_iommu_mr(bs, i);
+-                SMMUDevice *sdev;
+-
+-                if (!mr) {
+-                    continue;
+-                }
+-                sdev = container_of(mr, SMMUDevice, iommu);
+-                smmuv3_flush_config(sdev);
+-            }
++            g_hash_table_foreach_remove(bs->configs, smmuv3_invalidate_ste,
++                                        &sid_range);
+             break;
+         }
+         case SMMU_CMD_CFGI_CD:
+--
+.20.1

-New patch
+[PULL 09/39] hw/arm/smmuv3: Uniformize sid traces
+From: Eric Auger <eric.auger@redhat.com>
+Convert all sid printouts to sid=0x%x.
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20210309102742.30442-8-eric.auger@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/arm/trace-events | 24 ++++++++++++------------
+file changed, 12 insertions(+), 12 deletions(-)
+diff --git a/hw/arm/trace-events b/hw/arm/trace-events
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/trace-events
++++ b/hw/arm/trace-events
+@@ -XXX,XX +XXX,XX @@ smmuv3_cmdq_opcode(const char *opcode) "<--- %s"
+ smmuv3_cmdq_consume_out(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "prod:%d, cons:%d, prod_wrap:%d, cons_wrap:%d "
+ smmuv3_cmdq_consume_error(const char *cmd_name, uint8_t cmd_error) "Error on %s command execution: %d"
+ smmuv3_write_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr: 0x%"PRIx64" val:0x%"PRIx64" size: 0x%x(%d)"
+-smmuv3_record_event(const char *type, uint32_t sid) "%s sid=%d"
+-smmuv3_find_ste(uint16_t sid, uint32_t features, uint16_t sid_split) "SID:0x%x features:0x%x, sid_split:0x%x"
++smmuv3_record_event(const char *type, uint32_t sid) "%s sid=0x%x"
++smmuv3_find_ste(uint16_t sid, uint32_t features, uint16_t sid_split) "sid=0x%x features:0x%x, sid_split:0x%x"
+ smmuv3_find_ste_2lvl(uint64_t strtab_base, uint64_t l1ptr, int l1_ste_offset, uint64_t l2ptr, int l2_ste_offset, int max_l2_ste) "strtab_base:0x%"PRIx64" l1ptr:0x%"PRIx64" l1_off:0x%x, l2ptr:0x%"PRIx64" l2_off:0x%x max_l2_ste:%d"
+ smmuv3_get_ste(uint64_t addr) "STE addr: 0x%"PRIx64
+-smmuv3_translate_disable(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=%d bypass (smmu disabled) iova:0x%"PRIx64" is_write=%d"
+-smmuv3_translate_bypass(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=%d STE bypass iova:0x%"PRIx64" is_write=%d"
+-smmuv3_translate_abort(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=%d abort on iova:0x%"PRIx64" is_write=%d"
+-smmuv3_translate_success(const char *n, uint16_t sid, uint64_t iova, uint64_t translated, int perm) "%s sid=%d iova=0x%"PRIx64" translated=0x%"PRIx64" perm=0x%x"
++smmuv3_translate_disable(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=0x%x bypass (smmu disabled) iova:0x%"PRIx64" is_write=%d"
++smmuv3_translate_bypass(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=0x%x STE bypass iova:0x%"PRIx64" is_write=%d"
++smmuv3_translate_abort(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=0x%x abort on iova:0x%"PRIx64" is_write=%d"
++smmuv3_translate_success(const char *n, uint16_t sid, uint64_t iova, uint64_t translated, int perm) "%s sid=0x%x iova=0x%"PRIx64" translated=0x%"PRIx64" perm=0x%x"
+ smmuv3_get_cd(uint64_t addr) "CD addr: 0x%"PRIx64
+ smmuv3_decode_cd(uint32_t oas) "oas=%d"
+ smmuv3_decode_cd_tt(int i, uint32_t tsz, uint64_t ttb, uint32_t granule_sz, bool had) "TT[%d]:tsz:%d ttb:0x%"PRIx64" granule_sz:%d had:%d"
+-smmuv3_cmdq_cfgi_ste(int streamid) "streamid =%d"
++smmuv3_cmdq_cfgi_ste(int streamid) "streamid= 0x%x"
+ smmuv3_cmdq_cfgi_ste_range(int start, int end) "start=0x%x - end=0x%x"
+-smmuv3_cmdq_cfgi_cd(uint32_t sid) "streamid = %d"
+-smmuv3_config_cache_hit(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache HIT for sid %d (hits=%d, misses=%d, hit rate=%d)"
+-smmuv3_config_cache_miss(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache MISS for sid %d (hits=%d, misses=%d, hit rate=%d)"
+-smmuv3_s1_range_inval(int vmid, int asid, uint64_t addr, uint8_t tg, uint64_t num_pages, uint8_t ttl, bool leaf) "vmid =%d asid =%d addr=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64" ttl=%d leaf=%d"
++smmuv3_cmdq_cfgi_cd(uint32_t sid) "sid=0x%x"
++smmuv3_config_cache_hit(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache HIT for sid=0x%x (hits=%d, misses=%d, hit rate=%d)"
++smmuv3_config_cache_miss(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache MISS for sid=0x%x (hits=%d, misses=%d, hit rate=%d)"
++smmuv3_s1_range_inval(int vmid, int asid, uint64_t addr, uint8_t tg, uint64_t num_pages, uint8_t ttl, bool leaf) "vmid=%d asid=%d addr=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64" ttl=%d leaf=%d"
+ smmuv3_cmdq_tlbi_nh(void) ""
+ smmuv3_cmdq_tlbi_nh_asid(uint16_t asid) "asid=%d"
+-smmuv3_config_cache_inv(uint32_t sid) "Config cache INV for sid %d"
++smmuv3_config_cache_inv(uint32_t sid) "Config cache INV for sid=0x%x"
+ smmuv3_notify_flag_add(const char *iommu) "ADD SMMUNotifier node for iommu mr=%s"
+ smmuv3_notify_flag_del(const char *iommu) "DEL SMMUNotifier node for iommu mr=%s"
+ smmuv3_inv_notifiers_iova(const char *name, uint16_t asid, uint64_t iova, uint8_t tg, uint64_t num_pages) "iommu mr=%s asid=%d iova=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64
+--
+.20.1

-New patch
+[PULL 10/39] target/arm: Fix sve_uzp_p vs odd vector lengths
+From: Richard Henderson <richard.henderson@linaro.org>
+Missed out on compressing the second half of a predicate
+with length vl % 512 > 256.
+Adjust all of the x + (y << s) to x | (y << s) as a
+general style fix.  Drop the extract64 because the input
+uint64_t are known to be already zero-extended from the
+current size of the predicate.
+Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20210309155305.11301-2-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/sve_helper.c | 30 +++++++++++++++++++++---------
+file changed, 21 insertions(+), 9 deletions(-)
+diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sve_helper.c
++++ b/target/arm/sve_helper.c
+@@ -XXX,XX +XXX,XX @@ void HELPER(sve_uzp_p)(void *vd, void *vn, void *vm, uint32_t pred_desc)
+     if (oprsz <= 8) {
+         l = compress_bits(n[0] >> odd, esz);
+         h = compress_bits(m[0] >> odd, esz);
+-        d[0] = extract64(l + (h << (4 * oprsz)), 0, 8 * oprsz);
++        d[0] = l | (h << (4 * oprsz));
+     } else {
+         ARMPredicateReg tmp_m;
+         intptr_t oprsz_16 = oprsz / 16;
+@@ -XXX,XX +XXX,XX @@ void HELPER(sve_uzp_p)(void *vd, void *vn, void *vm, uint32_t pred_desc)
+             h = n[2 * i + 1];
+             l = compress_bits(l >> odd, esz);
+             h = compress_bits(h >> odd, esz);
+-            d[i] = l + (h << 32);
++            d[i] = l | (h << 32);
+         }
+-        /* For VL which is not a power of 2, the results from M do not
+-           align nicely with the uint64_t for D.  Put the aligned results
+-           from M into TMP_M and then copy it into place afterward.  */
++        /*
++         * For VL which is not a multiple of 512, the results from M do not
++         * align nicely with the uint64_t for D.  Put the aligned results
++         * from M into TMP_M and then copy it into place afterward.
++         */
+         if (oprsz & 15) {
+-            d[i] = compress_bits(n[2 * i] >> odd, esz);
++            int final_shift = (oprsz & 15) * 2;
++
++            l = n[2 * i + 0];
++            h = n[2 * i + 1];
++            l = compress_bits(l >> odd, esz);
++            h = compress_bits(h >> odd, esz);
++            d[i] = l | (h << final_shift);
+             for (i = 0; i < oprsz_16; i++) {
+                 l = m[2 * i + 0];
+                 h = m[2 * i + 1];
+                 l = compress_bits(l >> odd, esz);
+                 h = compress_bits(h >> odd, esz);
+-                tmp_m.p[i] = l + (h << 32);
++                tmp_m.p[i] = l | (h << 32);
+             }
+-            tmp_m.p[i] = compress_bits(m[2 * i] >> odd, esz);
++            l = m[2 * i + 0];
++            h = m[2 * i + 1];
++            l = compress_bits(l >> odd, esz);
++            h = compress_bits(h >> odd, esz);
++            tmp_m.p[i] = l | (h << final_shift);
+             swap_memmove(vd + oprsz / 2, &tmp_m, oprsz / 2);
+         } else {
+@@ -XXX,XX +XXX,XX @@ void HELPER(sve_uzp_p)(void *vd, void *vn, void *vm, uint32_t pred_desc)
+                 h = m[2 * i + 1];
+                 l = compress_bits(l >> odd, esz);
+                 h = compress_bits(h >> odd, esz);
+-                d[oprsz_16 + i] = l + (h << 32);
++                d[oprsz_16 + i] = l | (h << 32);
+             }
+         }
+     }
+--
+.20.1

-New patch
+[PULL 11/39] target/arm: Fix sve_zip_p vs odd vector lengths
+From: Richard Henderson <richard.henderson@linaro.org>
+Wrote too much with low-half zip (zip1) with vl % 512 != 0.
+Adjust all of the x + (y << s) to x | (y << s) as a style fix.
+We only ever have exact overlap between D, M, and N.  Therefore
+we only need a single temporary, and we do not need to check for
+partial overlap.
+Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20210309155305.11301-3-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/sve_helper.c | 25 ++++++++++++++-----------
+file changed, 14 insertions(+), 11 deletions(-)
+diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sve_helper.c
++++ b/target/arm/sve_helper.c
+@@ -XXX,XX +XXX,XX @@ void HELPER(sve_zip_p)(void *vd, void *vn, void *vm, uint32_t pred_desc)
+     intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+     int esz = FIELD_EX32(pred_desc, PREDDESC, ESZ);
+     intptr_t high = FIELD_EX32(pred_desc, PREDDESC, DATA);
++    int esize = 1 << esz;
+     uint64_t *d = vd;
+     intptr_t i;
+@@ -XXX,XX +XXX,XX @@ void HELPER(sve_zip_p)(void *vd, void *vn, void *vm, uint32_t pred_desc)
+         mm = extract64(mm, high * half, half);
+         nn = expand_bits(nn, esz);
+         mm = expand_bits(mm, esz);
+-        d[0] = nn + (mm << (1 << esz));
++        d[0] = nn | (mm << esize);
+     } else {
+-        ARMPredicateReg tmp_n, tmp_m;
++        ARMPredicateReg tmp;
+         /* We produce output faster than we consume input.
+            Therefore we must be mindful of possible overlap.  */
+-        if ((vn - vd) < (uintptr_t)oprsz) {
+-            vn = memcpy(&tmp_n, vn, oprsz);
+-        }
+-        if ((vm - vd) < (uintptr_t)oprsz) {
+-            vm = memcpy(&tmp_m, vm, oprsz);
++        if (vd == vn) {
++            vn = memcpy(&tmp, vn, oprsz);
++            if (vd == vm) {
++                vm = vn;
++            }
++        } else if (vd == vm) {
++            vm = memcpy(&tmp, vm, oprsz);
+         }
+         if (high) {
+             high = oprsz >> 1;
+         }
+-        if ((high & 3) == 0) {
++        if ((oprsz & 7) == 0) {
+             uint32_t *n = vn, *m = vm;
+             high >>= 2;
+-            for (i = 0; i < DIV_ROUND_UP(oprsz, 8); i++) {
++            for (i = 0; i < oprsz / 8; i++) {
+                 uint64_t nn = n[H4(high + i)];
+                 uint64_t mm = m[H4(high + i)];
+                 nn = expand_bits(nn, esz);
+                 mm = expand_bits(mm, esz);
+-                d[i] = nn + (mm << (1 << esz));
++                d[i] = nn | (mm << esize);
+             }
+         } else {
+             uint8_t *n = vn, *m = vm;
+@@ -XXX,XX +XXX,XX @@ void HELPER(sve_zip_p)(void *vd, void *vn, void *vm, uint32_t pred_desc)
+                 nn = expand_bits(nn, esz);
+                 mm = expand_bits(mm, esz);
+-                d16[H2(i)] = nn + (mm << (1 << esz));
++                d16[H2(i)] = nn | (mm << esize);
+             }
+         }
+     }
+--
+.20.1

-New patch
+[PULL 12/39] target/arm: Fix sve_punpk_p vs odd vector lengths
+From: Richard Henderson <richard.henderson@linaro.org>
+Wrote too much with punpk1 with vl % 512 != 0.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20210309155305.11301-4-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/sve_helper.c | 4 ++--
+file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sve_helper.c
++++ b/target/arm/sve_helper.c
+@@ -XXX,XX +XXX,XX @@ void HELPER(sve_punpk_p)(void *vd, void *vn, uint32_t pred_desc)
+             high = oprsz >> 1;
+         }
+-        if ((high & 3) == 0) {
++        if ((oprsz & 7) == 0) {
+             uint32_t *n = vn;
+             high >>= 2;
+-            for (i = 0; i < DIV_ROUND_UP(oprsz, 8); i++) {
++            for (i = 0; i < oprsz / 8; i++) {
+                 uint64_t nn = n[H4(high + i)];
+                 d[i] = expand_bits(nn, 0);
+             }
+--
+.20.1

-New patch
+[PULL 13/39] target/arm: Update find_last_active for PREDDESC
+From: Richard Henderson <richard.henderson@linaro.org>
+Since b64ee454a4a0, all predicate operations should be
+using these field macros for predicates.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20210309155305.11301-5-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/sve_helper.c    | 6 +++---
+ target/arm/translate-sve.c | 7 +++----
+files changed, 6 insertions(+), 7 deletions(-)
+diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sve_helper.c
++++ b/target/arm/sve_helper.c
+@@ -XXX,XX +XXX,XX @@ void HELPER(sve_compact_d)(void *vd, void *vn, void *vg, uint32_t desc)
+  */
+ int32_t HELPER(sve_last_active_element)(void *vg, uint32_t pred_desc)
+ {
+-    intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
+-    intptr_t esz = extract32(pred_desc, SIMD_DATA_SHIFT, 2);
++    intptr_t words = DIV_ROUND_UP(FIELD_EX32(pred_desc, PREDDESC, OPRSZ), 8);
++    intptr_t esz = FIELD_EX32(pred_desc, PREDDESC, ESZ);
+-    return last_active_element(vg, DIV_ROUND_UP(oprsz, 8), esz);
++    return last_active_element(vg, words, esz);
+ }
+ void HELPER(sve_splice)(void *vd, void *vn, void *vm, void *vg, uint32_t desc)
+diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-sve.c
++++ b/target/arm/translate-sve.c
+@@ -XXX,XX +XXX,XX @@ static void find_last_active(DisasContext *s, TCGv_i32 ret, int esz, int pg)
+      */
+     TCGv_ptr t_p = tcg_temp_new_ptr();
+     TCGv_i32 t_desc;
+-    unsigned vsz = pred_full_reg_size(s);
+-    unsigned desc;
++    unsigned desc = 0;
+-    desc = vsz - 2;
+-    desc = deposit32(desc, SIMD_DATA_SHIFT, 2, esz);
++    desc = FIELD_DP32(desc, PREDDESC, OPRSZ, pred_full_reg_size(s));
++    desc = FIELD_DP32(desc, PREDDESC, ESZ, esz);
+     tcg_gen_addi_ptr(t_p, cpu_env, pred_full_reg_offset(s, pg));
+     t_desc = tcg_const_i32(desc);
+--
+.20.1

-New patch
+[PULL 14/39] target/arm: Update BRKA, BRKB, BRKN for PREDDESC
+From: Richard Henderson <richard.henderson@linaro.org>
+Since b64ee454a4a0, all predicate operations should be
+using these field macros for predicates.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20210309155305.11301-6-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/sve_helper.c    | 30 ++++++++++++++----------------
+ target/arm/translate-sve.c |  4 ++--
+files changed, 16 insertions(+), 18 deletions(-)
+diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sve_helper.c
++++ b/target/arm/sve_helper.c
+@@ -XXX,XX +XXX,XX @@ static uint32_t do_zero(ARMPredicateReg *d, intptr_t oprsz)
+ void HELPER(sve_brkpa)(void *vd, void *vn, void *vm, void *vg,
+                        uint32_t pred_desc)
+ {
+-    intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
++    intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+     if (last_active_pred(vn, vg, oprsz)) {
+         compute_brk_z(vd, vm, vg, oprsz, true);
+     } else {
+@@ -XXX,XX +XXX,XX @@ void HELPER(sve_brkpa)(void *vd, void *vn, void *vm, void *vg,
+ uint32_t HELPER(sve_brkpas)(void *vd, void *vn, void *vm, void *vg,
+                             uint32_t pred_desc)
+ {
+-    intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
++    intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+     if (last_active_pred(vn, vg, oprsz)) {
+         return compute_brks_z(vd, vm, vg, oprsz, true);
+     } else {
+@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(sve_brkpas)(void *vd, void *vn, void *vm, void *vg,
+ void HELPER(sve_brkpb)(void *vd, void *vn, void *vm, void *vg,
+                        uint32_t pred_desc)
+ {
+-    intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
++    intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+     if (last_active_pred(vn, vg, oprsz)) {
+         compute_brk_z(vd, vm, vg, oprsz, false);
+     } else {
+@@ -XXX,XX +XXX,XX @@ void HELPER(sve_brkpb)(void *vd, void *vn, void *vm, void *vg,
+ uint32_t HELPER(sve_brkpbs)(void *vd, void *vn, void *vm, void *vg,
+                             uint32_t pred_desc)
+ {
+-    intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
++    intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+     if (last_active_pred(vn, vg, oprsz)) {
+         return compute_brks_z(vd, vm, vg, oprsz, false);
+     } else {
+@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(sve_brkpbs)(void *vd, void *vn, void *vm, void *vg,
+ void HELPER(sve_brka_z)(void *vd, void *vn, void *vg, uint32_t pred_desc)
+ {
+-    intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
++    intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+     compute_brk_z(vd, vn, vg, oprsz, true);
+ }
+ uint32_t HELPER(sve_brkas_z)(void *vd, void *vn, void *vg, uint32_t pred_desc)
+ {
+-    intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
++    intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+     return compute_brks_z(vd, vn, vg, oprsz, true);
+ }
+ void HELPER(sve_brkb_z)(void *vd, void *vn, void *vg, uint32_t pred_desc)
+ {
+-    intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
++    intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+     compute_brk_z(vd, vn, vg, oprsz, false);
+ }
+ uint32_t HELPER(sve_brkbs_z)(void *vd, void *vn, void *vg, uint32_t pred_desc)
+ {
+-    intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
++    intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+     return compute_brks_z(vd, vn, vg, oprsz, false);
+ }
+ void HELPER(sve_brka_m)(void *vd, void *vn, void *vg, uint32_t pred_desc)
+ {
+-    intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
++    intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+     compute_brk_m(vd, vn, vg, oprsz, true);
+ }
+ uint32_t HELPER(sve_brkas_m)(void *vd, void *vn, void *vg, uint32_t pred_desc)
+ {
+-    intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
++    intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+     return compute_brks_m(vd, vn, vg, oprsz, true);
+ }
+ void HELPER(sve_brkb_m)(void *vd, void *vn, void *vg, uint32_t pred_desc)
+ {
+-    intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
++    intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+     compute_brk_m(vd, vn, vg, oprsz, false);
+ }
+ uint32_t HELPER(sve_brkbs_m)(void *vd, void *vn, void *vg, uint32_t pred_desc)
+ {
+-    intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
++    intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+     return compute_brks_m(vd, vn, vg, oprsz, false);
+ }
+ void HELPER(sve_brkn)(void *vd, void *vn, void *vg, uint32_t pred_desc)
+ {
+-    intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
+-
++    intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+     if (!last_active_pred(vn, vg, oprsz)) {
+         do_zero(vd, oprsz);
+     }
+@@ -XXX,XX +XXX,XX @@ static uint32_t predtest_ones(ARMPredicateReg *d, intptr_t oprsz,
+ uint32_t HELPER(sve_brkns)(void *vd, void *vn, void *vg, uint32_t pred_desc)
+ {
+-    intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
+-
++    intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
+     if (last_active_pred(vn, vg, oprsz)) {
+         return predtest_ones(vd, oprsz, -1);
+     } else {
+diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-sve.c
++++ b/target/arm/translate-sve.c
+@@ -XXX,XX +XXX,XX @@ static bool do_brk3(DisasContext *s, arg_rprr_s *a,
+     TCGv_ptr n = tcg_temp_new_ptr();
+     TCGv_ptr m = tcg_temp_new_ptr();
+     TCGv_ptr g = tcg_temp_new_ptr();
+-    TCGv_i32 t = tcg_const_i32(vsz - 2);
++    TCGv_i32 t = tcg_const_i32(FIELD_DP32(0, PREDDESC, OPRSZ, vsz));
+     tcg_gen_addi_ptr(d, cpu_env, pred_full_reg_offset(s, a->rd));
+     tcg_gen_addi_ptr(n, cpu_env, pred_full_reg_offset(s, a->rn));
+@@ -XXX,XX +XXX,XX @@ static bool do_brk2(DisasContext *s, arg_rpr_s *a,
+     TCGv_ptr d = tcg_temp_new_ptr();
+     TCGv_ptr n = tcg_temp_new_ptr();
+     TCGv_ptr g = tcg_temp_new_ptr();
+-    TCGv_i32 t = tcg_const_i32(vsz - 2);
++    TCGv_i32 t = tcg_const_i32(FIELD_DP32(0, PREDDESC, OPRSZ, vsz));
+     tcg_gen_addi_ptr(d, cpu_env, pred_full_reg_offset(s, a->rd));
+     tcg_gen_addi_ptr(n, cpu_env, pred_full_reg_offset(s, a->rn));
+--
+.20.1

-New patch
+[PULL 15/39] target/arm: Update CNTP for PREDDESC
+From: Richard Henderson <richard.henderson@linaro.org>
+Since b64ee454a4a0, all predicate operations should be
+using these field macros for predicates.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20210309155305.11301-7-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/sve_helper.c    | 6 +++---
+ target/arm/translate-sve.c | 6 +++---
+files changed, 6 insertions(+), 6 deletions(-)
+diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sve_helper.c
++++ b/target/arm/sve_helper.c
+@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(sve_brkns)(void *vd, void *vn, void *vg, uint32_t pred_desc)
+ uint64_t HELPER(sve_cntp)(void *vn, void *vg, uint32_t pred_desc)
+ {
+-    intptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
+-    intptr_t esz = extract32(pred_desc, SIMD_DATA_SHIFT, 2);
++    intptr_t words = DIV_ROUND_UP(FIELD_EX32(pred_desc, PREDDESC, OPRSZ), 8);
++    intptr_t esz = FIELD_EX32(pred_desc, PREDDESC, ESZ);
+     uint64_t *n = vn, *g = vg, sum = 0, mask = pred_esz_masks[esz];
+     intptr_t i;
+-    for (i = 0; i < DIV_ROUND_UP(oprsz, 8); ++i) {
++    for (i = 0; i < words; ++i) {
+         uint64_t t = n[i] & g[i] & mask;
+         sum += ctpop64(t);
+     }
+diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-sve.c
++++ b/target/arm/translate-sve.c
+@@ -XXX,XX +XXX,XX @@ static void do_cntp(DisasContext *s, TCGv_i64 val, int esz, int pn, int pg)
+     } else {
+         TCGv_ptr t_pn = tcg_temp_new_ptr();
+         TCGv_ptr t_pg = tcg_temp_new_ptr();
+-        unsigned desc;
++        unsigned desc = 0;
+         TCGv_i32 t_desc;
+-        desc = psz - 2;
+-        desc = deposit32(desc, SIMD_DATA_SHIFT, 2, esz);
++        desc = FIELD_DP32(desc, PREDDESC, OPRSZ, psz);
++        desc = FIELD_DP32(desc, PREDDESC, ESZ, esz);
+         tcg_gen_addi_ptr(t_pn, cpu_env, pred_full_reg_offset(s, pn));
+         tcg_gen_addi_ptr(t_pg, cpu_env, pred_full_reg_offset(s, pg));
+--
+.20.1

-New patch
+[PULL 16/39] target/arm: Update WHILE for PREDDESC
+From: Richard Henderson <richard.henderson@linaro.org>
+Since b64ee454a4a0, all predicate operations should be
+using these field macros for predicates.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20210309155305.11301-8-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/sve_helper.c    | 4 ++--
+ target/arm/translate-sve.c | 7 ++++---
+files changed, 6 insertions(+), 5 deletions(-)
+diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sve_helper.c
++++ b/target/arm/sve_helper.c
+@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(sve_cntp)(void *vn, void *vg, uint32_t pred_desc)
+ uint32_t HELPER(sve_while)(void *vd, uint32_t count, uint32_t pred_desc)
+ {
+-    uintptr_t oprsz = extract32(pred_desc, 0, SIMD_OPRSZ_BITS) + 2;
+-    intptr_t esz = extract32(pred_desc, SIMD_DATA_SHIFT, 2);
++    intptr_t oprsz = FIELD_EX32(pred_desc, PREDDESC, OPRSZ);
++    intptr_t esz = FIELD_EX32(pred_desc, PREDDESC, ESZ);
+     uint64_t esz_mask = pred_esz_masks[esz];
+     ARMPredicateReg *d = vd;
+     uint32_t flags;
+diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-sve.c
++++ b/target/arm/translate-sve.c
+@@ -XXX,XX +XXX,XX @@ static bool trans_WHILE(DisasContext *s, arg_WHILE *a)
+     TCGv_i64 op0, op1, t0, t1, tmax;
+     TCGv_i32 t2, t3;
+     TCGv_ptr ptr;
+-    unsigned desc, vsz = vec_full_reg_size(s);
++    unsigned vsz = vec_full_reg_size(s);
++    unsigned desc = 0;
+     TCGCond cond;
+     if (!sve_access_check(s)) {
+@@ -XXX,XX +XXX,XX @@ static bool trans_WHILE(DisasContext *s, arg_WHILE *a)
+     /* Scale elements to bits.  */
+     tcg_gen_shli_i32(t2, t2, a->esz);
+-    desc = (vsz / 8) - 2;
+-    desc = deposit32(desc, SIMD_DATA_SHIFT, 2, a->esz);
++    desc = FIELD_DP32(desc, PREDDESC, OPRSZ, vsz / 8);
++    desc = FIELD_DP32(desc, PREDDESC, ESZ, a->esz);
+     t3 = tcg_const_i32(desc);
+     ptr = tcg_temp_new_ptr();
+--
+.20.1

-New patch
+[PULL 17/39] target/arm: Update sve reduction vs simd_desc
+From: Richard Henderson <richard.henderson@linaro.org>
+With the reduction operations, we intentionally increase maxsz to
+the next power of 2, so as to fill out the reduction tree correctly.
+Since e2e7168a214b, oprsz must equal maxsz, with exceptions for small
+vectors, so this triggers an assertion for vector sizes > 32 that are
+not themselves a power of 2.
+Pass the power-of-two value in the simd_data field instead.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20210309155305.11301-9-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/sve_helper.c    | 2 +-
+ target/arm/translate-sve.c | 2 +-
+files changed, 2 insertions(+), 2 deletions(-)
+diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sve_helper.c
++++ b/target/arm/sve_helper.c
+@@ -XXX,XX +XXX,XX @@ static TYPE NAME##_reduce(TYPE *data, float_status *status, uintptr_t n) \
+ }                                                                     \
+ uint64_t HELPER(NAME)(void *vn, void *vg, void *vs, uint32_t desc)    \
+ {                                                                     \
+-    uintptr_t i, oprsz = simd_oprsz(desc), maxsz = simd_maxsz(desc);  \
++    uintptr_t i, oprsz = simd_oprsz(desc), maxsz = simd_data(desc);   \
+     TYPE data[sizeof(ARMVectorReg) / sizeof(TYPE)];                   \
+     for (i = 0; i < oprsz; ) {                                        \
+         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));               \
+diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-sve.c
++++ b/target/arm/translate-sve.c
+@@ -XXX,XX +XXX,XX @@ static void do_reduce(DisasContext *s, arg_rpr_esz *a,
+ {
+     unsigned vsz = vec_full_reg_size(s);
+     unsigned p2vsz = pow2ceil(vsz);
+-    TCGv_i32 t_desc = tcg_const_i32(simd_desc(vsz, p2vsz, 0));
++    TCGv_i32 t_desc = tcg_const_i32(simd_desc(vsz, vsz, p2vsz));
+     TCGv_ptr t_zn, t_pg, status;
+     TCGv_i64 temp;
+--
+.20.1

-New patch
+[PULL 18/39] hw/net/allwinner-sun8i-emac: traverse transmit queue using TX_CUR_DESC register value
+From: Niek Linnenbank <nieklinnenbank@gmail.com>
+Currently the emulated EMAC for sun8i always traverses the transmit queue
+from the head when transferring packets. It searches for a list of consecutive
+descriptors whichs are flagged as ready for processing and transmits their payloads
+accordingly. The controller stops processing once it finds a descriptor that is not
+marked ready.
+While the above behaviour works in most situations, it is not the same as the actual
+EMAC in hardware. Actual hardware uses the TX_CUR_DESC register value to keep track
+of the last position in the transmit queue and continues processing from that position
+when software triggers the start of DMA processing. The currently emulated behaviour can
+lead to packet loss on transmit when software fills the transmit queue with ready
+descriptors that overlap the tail of the circular list.
+This commit modifies the emulated EMAC for sun8i such that it processes
+the transmit queue using the TX_CUR_DESC register in the same way as hardware.
+Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20210310195820.21950-2-nieklinnenbank@gmail.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/net/allwinner-sun8i-emac.c | 62 +++++++++++++++++++----------------
+file changed, 34 insertions(+), 28 deletions(-)
+diff --git a/hw/net/allwinner-sun8i-emac.c b/hw/net/allwinner-sun8i-emac.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/net/allwinner-sun8i-emac.c
++++ b/hw/net/allwinner-sun8i-emac.c
+@@ -XXX,XX +XXX,XX @@ static void allwinner_sun8i_emac_update_irq(AwSun8iEmacState *s)
+     qemu_set_irq(s->irq, (s->int_sta & s->int_en) != 0);
+ }
+-static uint32_t allwinner_sun8i_emac_next_desc(AwSun8iEmacState *s,
+-                                               FrameDescriptor *desc,
+-                                               size_t min_size)
++static bool allwinner_sun8i_emac_desc_owned(FrameDescriptor *desc,
++                                            size_t min_buf_size)
+ {
+-    uint32_t paddr = desc->next;
+-
+-    dma_memory_read(&s->dma_as, paddr, desc, sizeof(*desc));
+-
+-    if ((desc->status & DESC_STATUS_CTL) &&
+-        (desc->status2 & DESC_STATUS2_BUF_SIZE_MASK) >= min_size) {
+-        return paddr;
+-    } else {
+-        return 0;
+-    }
++    return (desc->status & DESC_STATUS_CTL) && (min_buf_size == 0 ||
++           (desc->status2 & DESC_STATUS2_BUF_SIZE_MASK) >= min_buf_size);
+ }
+-static uint32_t allwinner_sun8i_emac_get_desc(AwSun8iEmacState *s,
+-                                              FrameDescriptor *desc,
+-                                              uint32_t start_addr,
+-                                              size_t min_size)
++static void allwinner_sun8i_emac_get_desc(AwSun8iEmacState *s,
++                                          FrameDescriptor *desc,
++                                          uint32_t phys_addr)
++{
++    dma_memory_read(&s->dma_as, phys_addr, desc, sizeof(*desc));
++}
++
++static uint32_t allwinner_sun8i_emac_next_desc(AwSun8iEmacState *s,
++                                               FrameDescriptor *desc)
++{
++    const uint32_t nxt = desc->next;
++    allwinner_sun8i_emac_get_desc(s, desc, nxt);
++    return nxt;
++}
++
++static uint32_t allwinner_sun8i_emac_find_desc(AwSun8iEmacState *s,
++                                               FrameDescriptor *desc,
++                                               uint32_t start_addr,
++                                               size_t min_size)
+ {
+     uint32_t desc_addr = start_addr;
+     /* Note that the list is a cycle. Last entry points back to the head. */
+     while (desc_addr != 0) {
+-        dma_memory_read(&s->dma_as, desc_addr, desc, sizeof(*desc));
++        allwinner_sun8i_emac_get_desc(s, desc, desc_addr);
+-        if ((desc->status & DESC_STATUS_CTL) &&
+-            (desc->status2 & DESC_STATUS2_BUF_SIZE_MASK) >= min_size) {
++        if (allwinner_sun8i_emac_desc_owned(desc, min_size)) {
+             return desc_addr;
+         } else if (desc->next == start_addr) {
+             break;
+@@ -XXX,XX +XXX,XX @@ static uint32_t allwinner_sun8i_emac_rx_desc(AwSun8iEmacState *s,
+                                              FrameDescriptor *desc,
+                                              size_t min_size)
+ {
+-    return allwinner_sun8i_emac_get_desc(s, desc, s->rx_desc_curr, min_size);
++    return allwinner_sun8i_emac_find_desc(s, desc, s->rx_desc_curr, min_size);
+ }
+ static uint32_t allwinner_sun8i_emac_tx_desc(AwSun8iEmacState *s,
+-                                             FrameDescriptor *desc,
+-                                             size_t min_size)
++                                             FrameDescriptor *desc)
+ {
+-    return allwinner_sun8i_emac_get_desc(s, desc, s->tx_desc_head, min_size);
++    allwinner_sun8i_emac_get_desc(s, desc, s->tx_desc_curr);
++    return s->tx_desc_curr;
+ }
+ static void allwinner_sun8i_emac_flush_desc(AwSun8iEmacState *s,
+@@ -XXX,XX +XXX,XX @@ static ssize_t allwinner_sun8i_emac_receive(NetClientState *nc,
+         bytes_left -= desc_bytes;
+         /* Move to the next descriptor */
+-        s->rx_desc_curr = allwinner_sun8i_emac_next_desc(s, &desc, 64);
++        s->rx_desc_curr = allwinner_sun8i_emac_find_desc(s, &desc, desc.next,
++                                                         AW_SUN8I_EMAC_MIN_PKT_SZ);
+         if (!s->rx_desc_curr) {
+             /* Not enough buffer space available */
+             s->int_sta |= INT_STA_RX_BUF_UA;
+@@ -XXX,XX +XXX,XX @@ static void allwinner_sun8i_emac_transmit(AwSun8iEmacState *s)
+     size_t transmitted = 0;
+     static uint8_t packet_buf[2048];
+-    s->tx_desc_curr = allwinner_sun8i_emac_tx_desc(s, &desc, 0);
++    s->tx_desc_curr = allwinner_sun8i_emac_tx_desc(s, &desc);
+     /* Read all transmit descriptors */
+-    while (s->tx_desc_curr != 0) {
++    while (allwinner_sun8i_emac_desc_owned(&desc, 0)) {
+         /* Read from physical memory into packet buffer */
+         bytes = desc.status2 & DESC_STATUS2_BUF_SIZE_MASK;
+@@ -XXX,XX +XXX,XX @@ static void allwinner_sun8i_emac_transmit(AwSun8iEmacState *s)
+             packet_bytes = 0;
+             transmitted++;
+         }
+-        s->tx_desc_curr = allwinner_sun8i_emac_next_desc(s, &desc, 0);
++        s->tx_desc_curr = allwinner_sun8i_emac_next_desc(s, &desc);
+     }
+     /* Raise transmit completed interrupt */
+--
+.20.1

-New patch
+[PULL 19/39] tests/acceptance/boot_linux_console: remove Armbian 19.11.3 bionic test for orangepi-pc machine
+From: Niek Linnenbank <nieklinnenbank@gmail.com>
+The image for Armbian 19.11.3 bionic has been removed from the armbian server.
+Without the image as input the test arm_orangepi_bionic_19_11 cannot run.
+This commit removes the test completely and merges the code of the generic function
+do_test_arm_orangepi_uboot_armbian back with the 20.08 test.
+Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Reviewed-by: Willian Rampazzo <willianr@redhat.com>
+Message-id: 20210310195820.21950-3-nieklinnenbank@gmail.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ tests/acceptance/boot_linux_console.py | 72 ++++++++------------------
+file changed, 23 insertions(+), 49 deletions(-)
+diff --git a/tests/acceptance/boot_linux_console.py b/tests/acceptance/boot_linux_console.py
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/acceptance/boot_linux_console.py
++++ b/tests/acceptance/boot_linux_console.py
+@@ -XXX,XX +XXX,XX @@ def test_arm_orangepi_sd(self):
+         # Wait for VM to shut down gracefully
+         self.vm.wait()
+-    def do_test_arm_orangepi_uboot_armbian(self, image_path):
++    @skipUnless(os.getenv('ARMBIAN_ARTIFACTS_CACHED'),
++                'Test artifacts fetched from unreliable apt.armbian.com')
++    @skipUnless(os.getenv('AVOCADO_ALLOW_LARGE_STORAGE'), 'storage limited')
++    def test_arm_orangepi_bionic_20_08(self):
++        """
++        :avocado: tags=arch:arm
++        :avocado: tags=machine:orangepi-pc
++        :avocado: tags=device:sd
++        """
++
++        # This test download a 275 MiB compressed image and expand it
++        # to 1036 MiB, but the underlying filesystem is 1552 MiB...
++        # As we expand it to 2 GiB we are safe.
++
++        image_url = ('https://dl.armbian.com/orangepipc/archive/'
++                     'Armbian_20.08.1_Orangepipc_bionic_current_5.8.5.img.xz')
++        image_hash = ('b4d6775f5673486329e45a0586bf06b6'
++                      'dbe792199fd182ac6b9c7bb6c7d3e6dd')
++        image_path_xz = self.fetch_asset(image_url, asset_hash=image_hash,
++                                         algorithm='sha256')
++        image_path = archive.extract(image_path_xz, self.workdir)
++        image_pow2ceil_expand(image_path)
++
+         self.vm.set_console()
+         self.vm.add_args('-drive', 'file=' + image_path + ',if=sd,format=raw',
+                          '-nic', 'user',
+@@ -XXX,XX +XXX,XX @@ def do_test_arm_orangepi_uboot_armbian(self, image_path):
+                                       'to <orangepipc>')
+         self.wait_for_console_pattern('Starting Load Kernel Modules...')
+-    @skipUnless(os.getenv('ARMBIAN_ARTIFACTS_CACHED'),
+-                'Test artifacts fetched from unreliable apt.armbian.com')
+-    @skipUnless(os.getenv('AVOCADO_ALLOW_LARGE_STORAGE'), 'storage limited')
+-    @skipUnless(P7ZIP_AVAILABLE, '7z not installed')
+-    def test_arm_orangepi_bionic_19_11(self):
+-        """
+-        :avocado: tags=arch:arm
+-        :avocado: tags=machine:orangepi-pc
+-        :avocado: tags=device:sd
+-        """
+-
+-        # This test download a 196MB compressed image and expand it to 1GB
+-        image_url = ('https://dl.armbian.com/orangepipc/archive/'
+-                     'Armbian_19.11.3_Orangepipc_bionic_current_5.3.9.7z')
+-        image_hash = '196a8ffb72b0123d92cea4a070894813d305c71e'
+-        image_path_7z = self.fetch_asset(image_url, asset_hash=image_hash)
+-        image_name = 'Armbian_19.11.3_Orangepipc_bionic_current_5.3.9.img'
+-        image_path = os.path.join(self.workdir, image_name)
+-        process.run("7z e -o%s %s" % (self.workdir, image_path_7z))
+-        image_pow2ceil_expand(image_path)
+-
+-        self.do_test_arm_orangepi_uboot_armbian(image_path)
+-
+-    @skipUnless(os.getenv('ARMBIAN_ARTIFACTS_CACHED'),
+-                'Test artifacts fetched from unreliable apt.armbian.com')
+-    @skipUnless(os.getenv('AVOCADO_ALLOW_LARGE_STORAGE'), 'storage limited')
+-    def test_arm_orangepi_bionic_20_08(self):
+-        """
+-        :avocado: tags=arch:arm
+-        :avocado: tags=machine:orangepi-pc
+-        :avocado: tags=device:sd
+-        """
+-
+-        # This test download a 275 MiB compressed image and expand it
+-        # to 1036 MiB, but the underlying filesystem is 1552 MiB...
+-        # As we expand it to 2 GiB we are safe.
+-
+-        image_url = ('https://dl.armbian.com/orangepipc/archive/'
+-                     'Armbian_20.08.1_Orangepipc_bionic_current_5.8.5.img.xz')
+-        image_hash = ('b4d6775f5673486329e45a0586bf06b6'
+-                      'dbe792199fd182ac6b9c7bb6c7d3e6dd')
+-        image_path_xz = self.fetch_asset(image_url, asset_hash=image_hash,
+-                                         algorithm='sha256')
+-        image_path = archive.extract(image_path_xz, self.workdir)
+-        image_pow2ceil_expand(image_path)
+-
+-        self.do_test_arm_orangepi_uboot_armbian(image_path)
+-
+     @skipUnless(os.getenv('AVOCADO_ALLOW_LARGE_STORAGE'), 'storage limited')
+     def test_arm_orangepi_uboot_netbsd9(self):
+         """
+--
+.20.1

-New patch
+[PULL 20/39] tests/acceptance/boot_linux_console: change URL for test_arm_orangepi_bionic_20_08
+From: Niek Linnenbank <nieklinnenbank@gmail.com>
+Update the download URL of the Armbian 20.08 Bionic image for
+test_arm_orangepi_bionic_20_08 of the orangepi-pc machine.
+The archive.armbian.com URL contains more images and should keep stable
+for a longer period of time than dl.armbian.com.
+Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Willian Rampazzo <willianr@redhat.com>
+Message-id: 20210310195820.21950-4-nieklinnenbank@gmail.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ tests/acceptance/boot_linux_console.py | 2 +-
+file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/tests/acceptance/boot_linux_console.py b/tests/acceptance/boot_linux_console.py
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/acceptance/boot_linux_console.py
++++ b/tests/acceptance/boot_linux_console.py
+@@ -XXX,XX +XXX,XX @@ def test_arm_orangepi_bionic_20_08(self):
+         # to 1036 MiB, but the underlying filesystem is 1552 MiB...
+         # As we expand it to 2 GiB we are safe.
+-        image_url = ('https://dl.armbian.com/orangepipc/archive/'
++        image_url = ('https://archive.armbian.com/orangepipc/archive/'
+                      'Armbian_20.08.1_Orangepipc_bionic_current_5.8.5.img.xz')
+         image_hash = ('b4d6775f5673486329e45a0586bf06b6'
+                       'dbe792199fd182ac6b9c7bb6c7d3e6dd')
+--
+.20.1

-New patch
+[PULL 21/39] tests/acceptance: update sunxi kernel from armbian to 5.10.16
+From: Niek Linnenbank <nieklinnenbank@gmail.com>
+The linux kernel 4.20.7 binary for sunxi has been removed from apt.armbian.com:
+  $ ARMBIAN_ARTIFACTS_CACHED=yes AVOCADO_ALLOW_LARGE_STORAGE=yes avocado --show=app,console run -t machine:orangepi-pc tests/acceptance/boot_linux_console.py
+  Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi
+  ...
+  (1/6) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi:
+    CANCEL: Missing asset https://apt.armbian.com/pool/main/l/linux-4.20.7-sunxi/linux-image-dev-sunxi_5.75_armhf.deb (0.55 s)
+This commit updates the sunxi kernel to 5.10.16 for the acceptance
+tests of the orangepi-pc and cubieboard machines.
+Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Reviewed-by: Willian Rampazzo <willianr@redhat.com>
+Message-id: 20210310195820.21950-5-nieklinnenbank@gmail.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ tests/acceptance/boot_linux_console.py | 40 +++++++++++++-------------
+ tests/acceptance/replay_kernel.py      |  8 +++---
+files changed, 24 insertions(+), 24 deletions(-)
+diff --git a/tests/acceptance/boot_linux_console.py b/tests/acceptance/boot_linux_console.py
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/acceptance/boot_linux_console.py
++++ b/tests/acceptance/boot_linux_console.py
+@@ -XXX,XX +XXX,XX @@ def test_arm_cubieboard_initrd(self):
+         :avocado: tags=machine:cubieboard
+         """
+         deb_url = ('https://apt.armbian.com/pool/main/l/'
+-                   'linux-4.20.7-sunxi/linux-image-dev-sunxi_5.75_armhf.deb')
+-        deb_hash = '1334c29c44d984ffa05ed10de8c3361f33d78315'
++                   'linux-5.10.16-sunxi/linux-image-current-sunxi_21.02.2_armhf.deb')
++        deb_hash = '9fa84beda245cabf0b4fa84cf6eaa7738ead1da0'
+         deb_path = self.fetch_asset(deb_url, asset_hash=deb_hash)
+         kernel_path = self.extract_from_deb(deb_path,
+-                                            '/boot/vmlinuz-4.20.7-sunxi')
+-        dtb_path = '/usr/lib/linux-image-dev-sunxi/sun4i-a10-cubieboard.dtb'
++                                            '/boot/vmlinuz-5.10.16-sunxi')
++        dtb_path = '/usr/lib/linux-image-current-sunxi/sun4i-a10-cubieboard.dtb'
+         dtb_path = self.extract_from_deb(deb_path, dtb_path)
+         initrd_url = ('https://github.com/groeck/linux-build-test/raw/'
+                       '2eb0a73b5d5a28df3170c546ddaaa9757e1e0848/rootfs/'
+@@ -XXX,XX +XXX,XX @@ def test_arm_cubieboard_sata(self):
+         :avocado: tags=machine:cubieboard
+         """
+         deb_url = ('https://apt.armbian.com/pool/main/l/'
+-                   'linux-4.20.7-sunxi/linux-image-dev-sunxi_5.75_armhf.deb')
+-        deb_hash = '1334c29c44d984ffa05ed10de8c3361f33d78315'
++                   'linux-5.10.16-sunxi/linux-image-current-sunxi_21.02.2_armhf.deb')
++        deb_hash = '9fa84beda245cabf0b4fa84cf6eaa7738ead1da0'
+         deb_path = self.fetch_asset(deb_url, asset_hash=deb_hash)
+         kernel_path = self.extract_from_deb(deb_path,
+-                                            '/boot/vmlinuz-4.20.7-sunxi')
+-        dtb_path = '/usr/lib/linux-image-dev-sunxi/sun4i-a10-cubieboard.dtb'
++                                            '/boot/vmlinuz-5.10.16-sunxi')
++        dtb_path = '/usr/lib/linux-image-current-sunxi/sun4i-a10-cubieboard.dtb'
+         dtb_path = self.extract_from_deb(deb_path, dtb_path)
+         rootfs_url = ('https://github.com/groeck/linux-build-test/raw/'
+                       '2eb0a73b5d5a28df3170c546ddaaa9757e1e0848/rootfs/'
+@@ -XXX,XX +XXX,XX @@ def test_arm_orangepi(self):
+         :avocado: tags=machine:orangepi-pc
+         """
+         deb_url = ('https://apt.armbian.com/pool/main/l/'
+-                   'linux-4.20.7-sunxi/linux-image-dev-sunxi_5.75_armhf.deb')
+-        deb_hash = '1334c29c44d984ffa05ed10de8c3361f33d78315'
++                   'linux-5.10.16-sunxi/linux-image-current-sunxi_21.02.2_armhf.deb')
++        deb_hash = '9fa84beda245cabf0b4fa84cf6eaa7738ead1da0'
+         deb_path = self.fetch_asset(deb_url, asset_hash=deb_hash)
+         kernel_path = self.extract_from_deb(deb_path,
+-                                            '/boot/vmlinuz-4.20.7-sunxi')
+-        dtb_path = '/usr/lib/linux-image-dev-sunxi/sun8i-h3-orangepi-pc.dtb'
++                                            '/boot/vmlinuz-5.10.16-sunxi')
++        dtb_path = '/usr/lib/linux-image-current-sunxi/sun8i-h3-orangepi-pc.dtb'
+         dtb_path = self.extract_from_deb(deb_path, dtb_path)
+         self.vm.set_console()
+@@ -XXX,XX +XXX,XX @@ def test_arm_orangepi_initrd(self):
+         :avocado: tags=machine:orangepi-pc
+         """
+         deb_url = ('https://apt.armbian.com/pool/main/l/'
+-                   'linux-4.20.7-sunxi/linux-image-dev-sunxi_5.75_armhf.deb')
+-        deb_hash = '1334c29c44d984ffa05ed10de8c3361f33d78315'
++                   'linux-5.10.16-sunxi/linux-image-current-sunxi_21.02.2_armhf.deb')
++        deb_hash = '9fa84beda245cabf0b4fa84cf6eaa7738ead1da0'
+         deb_path = self.fetch_asset(deb_url, asset_hash=deb_hash)
+         kernel_path = self.extract_from_deb(deb_path,
+-                                            '/boot/vmlinuz-4.20.7-sunxi')
+-        dtb_path = '/usr/lib/linux-image-dev-sunxi/sun8i-h3-orangepi-pc.dtb'
++                                            '/boot/vmlinuz-5.10.16-sunxi')
++        dtb_path = '/usr/lib/linux-image-current-sunxi/sun8i-h3-orangepi-pc.dtb'
+         dtb_path = self.extract_from_deb(deb_path, dtb_path)
+         initrd_url = ('https://github.com/groeck/linux-build-test/raw/'
+                       '2eb0a73b5d5a28df3170c546ddaaa9757e1e0848/rootfs/'
+@@ -XXX,XX +XXX,XX @@ def test_arm_orangepi_sd(self):
+         :avocado: tags=device:sd
+         """
+         deb_url = ('https://apt.armbian.com/pool/main/l/'
+-                   'linux-4.20.7-sunxi/linux-image-dev-sunxi_5.75_armhf.deb')
+-        deb_hash = '1334c29c44d984ffa05ed10de8c3361f33d78315'
++                   'linux-5.10.16-sunxi/linux-image-current-sunxi_21.02.2_armhf.deb')
++        deb_hash = '9fa84beda245cabf0b4fa84cf6eaa7738ead1da0'
+         deb_path = self.fetch_asset(deb_url, asset_hash=deb_hash)
+         kernel_path = self.extract_from_deb(deb_path,
+-                                            '/boot/vmlinuz-4.20.7-sunxi')
+-        dtb_path = '/usr/lib/linux-image-dev-sunxi/sun8i-h3-orangepi-pc.dtb'
++                                            '/boot/vmlinuz-5.10.16-sunxi')
++        dtb_path = '/usr/lib/linux-image-current-sunxi/sun8i-h3-orangepi-pc.dtb'
+         dtb_path = self.extract_from_deb(deb_path, dtb_path)
+         rootfs_url = ('http://storage.kernelci.org/images/rootfs/buildroot/'
+                       'kci-2019.02/armel/base/rootfs.ext2.xz')
+diff --git a/tests/acceptance/replay_kernel.py b/tests/acceptance/replay_kernel.py
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/acceptance/replay_kernel.py
++++ b/tests/acceptance/replay_kernel.py
+@@ -XXX,XX +XXX,XX @@ def test_arm_cubieboard_initrd(self):
+         :avocado: tags=machine:cubieboard
+         """
+         deb_url = ('https://apt.armbian.com/pool/main/l/'
+-                   'linux-4.20.7-sunxi/linux-image-dev-sunxi_5.75_armhf.deb')
+-        deb_hash = '1334c29c44d984ffa05ed10de8c3361f33d78315'
++                   'linux-5.10.16-sunxi/linux-image-current-sunxi_21.02.2_armhf.deb')
++        deb_hash = '9fa84beda245cabf0b4fa84cf6eaa7738ead1da0'
+         deb_path = self.fetch_asset(deb_url, asset_hash=deb_hash)
+         kernel_path = self.extract_from_deb(deb_path,
+-                                            '/boot/vmlinuz-4.20.7-sunxi')
+-        dtb_path = '/usr/lib/linux-image-dev-sunxi/sun4i-a10-cubieboard.dtb'
++                                            '/boot/vmlinuz-5.10.16-sunxi')
++        dtb_path = '/usr/lib/linux-image-current-sunxi/sun4i-a10-cubieboard.dtb'
+         dtb_path = self.extract_from_deb(deb_path, dtb_path)
+         initrd_url = ('https://github.com/groeck/linux-build-test/raw/'
+                       '2eb0a73b5d5a28df3170c546ddaaa9757e1e0848/rootfs/'
+--
+.20.1

-New patch
+[PULL 22/39] tests/acceptance: drop ARMBIAN_ARTIFACTS_CACHED condition for orangepi-pc, cubieboard tests
+From: Niek Linnenbank <nieklinnenbank@gmail.com>
+Previously the ARMBIAN_ARTIFACTS_CACHED pre-condition was added to allow running
+tests that have already existing armbian.com artifacts stored in the local avocado cache,
+but do not have working URLs to download a fresh copy.
+At this time of writing the URLs for artifacts on the armbian.com server are updated and working.
+Any future broken URLs will result in a skipped acceptance test, for example:
+ (1/5) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi:
+  CANCEL: Missing asset https://apt.armbian.com/pool/main/l/linux-4.20.7-sunxi/linux-image-dev-sunxi_5.75_armhf.deb (0.53 s)
+This commits removes the ARMBIAN_ARTIFACTS_CACHED pre-condition such that
+the acceptance tests for the orangepi-pc and cubieboard machines can run.
+Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Reviewed-by: Willian Rampazzo <willianr@redhat.com>
+Message-id: 20210310195820.21950-6-nieklinnenbank@gmail.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ tests/acceptance/boot_linux_console.py | 12 ------------
+ tests/acceptance/replay_kernel.py      |  2 --
+files changed, 14 deletions(-)
+diff --git a/tests/acceptance/boot_linux_console.py b/tests/acceptance/boot_linux_console.py
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/acceptance/boot_linux_console.py
++++ b/tests/acceptance/boot_linux_console.py
+@@ -XXX,XX +XXX,XX @@ def test_arm_exynos4210_initrd(self):
+         self.wait_for_console_pattern('Boot successful.')
+         # TODO user command, for now the uart is stuck
+-    @skipUnless(os.getenv('ARMBIAN_ARTIFACTS_CACHED'),
+-                'Test artifacts fetched from unreliable apt.armbian.com')
+     def test_arm_cubieboard_initrd(self):
+         """
+         :avocado: tags=arch:arm
+@@ -XXX,XX +XXX,XX @@ def test_arm_cubieboard_initrd(self):
+                                                 'system-control@1c00000')
+         # cubieboard's reboot is not functioning; omit reboot test.
+-    @skipUnless(os.getenv('ARMBIAN_ARTIFACTS_CACHED'),
+-                'Test artifacts fetched from unreliable apt.armbian.com')
+     def test_arm_cubieboard_sata(self):
+         """
+         :avocado: tags=arch:arm
+@@ -XXX,XX +XXX,XX @@ def test_arm_quanta_gsj_initrd(self):
+         self.wait_for_console_pattern(
+                 'Give root password for system maintenance')
+-    @skipUnless(os.getenv('ARMBIAN_ARTIFACTS_CACHED'),
+-                'Test artifacts fetched from unreliable apt.armbian.com')
+     def test_arm_orangepi(self):
+         """
+         :avocado: tags=arch:arm
+@@ -XXX,XX +XXX,XX @@ def test_arm_orangepi(self):
+         console_pattern = 'Kernel command line: %s' % kernel_command_line
+         self.wait_for_console_pattern(console_pattern)
+-    @skipUnless(os.getenv('ARMBIAN_ARTIFACTS_CACHED'),
+-                'Test artifacts fetched from unreliable apt.armbian.com')
+     def test_arm_orangepi_initrd(self):
+         """
+         :avocado: tags=arch:arm
+@@ -XXX,XX +XXX,XX @@ def test_arm_orangepi_initrd(self):
+         # Wait for VM to shut down gracefully
+         self.vm.wait()
+-    @skipUnless(os.getenv('ARMBIAN_ARTIFACTS_CACHED'),
+-                'Test artifacts fetched from unreliable apt.armbian.com')
+     def test_arm_orangepi_sd(self):
+         """
+         :avocado: tags=arch:arm
+@@ -XXX,XX +XXX,XX @@ def test_arm_orangepi_sd(self):
+         # Wait for VM to shut down gracefully
+         self.vm.wait()
+-    @skipUnless(os.getenv('ARMBIAN_ARTIFACTS_CACHED'),
+-                'Test artifacts fetched from unreliable apt.armbian.com')
+     @skipUnless(os.getenv('AVOCADO_ALLOW_LARGE_STORAGE'), 'storage limited')
+     def test_arm_orangepi_bionic_20_08(self):
+         """
+diff --git a/tests/acceptance/replay_kernel.py b/tests/acceptance/replay_kernel.py
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/acceptance/replay_kernel.py
++++ b/tests/acceptance/replay_kernel.py
+@@ -XXX,XX +XXX,XX @@ def test_arm_virt(self):
+         self.run_rr(kernel_path, kernel_command_line, console_pattern, shift=1)
+     @skipIf(os.getenv('GITLAB_CI'), 'Running on GitLab')
+-    @skipUnless(os.getenv('ARMBIAN_ARTIFACTS_CACHED'),
+-                'Test artifacts fetched from unreliable apt.armbian.com')
+     def test_arm_cubieboard_initrd(self):
+         """
+         :avocado: tags=arch:arm
+--
+.20.1

-New patch
+[PULL 23/39] hw/timer/sse-timer: Propagate eventual error in sse_timer_realize()
+From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+If the SSECounter link is absent, we set an error message
+in sse_timer_realize() but forgot to propagate this error.
+Add the missing 'return'.
+Fixes: CID 1450755 (Null pointer dereferences)
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20210312001845.1562670-1-f4bug@amsat.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/timer/sse-timer.c | 1 +
+file changed, 1 insertion(+)
+diff --git a/hw/timer/sse-timer.c b/hw/timer/sse-timer.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/timer/sse-timer.c
++++ b/hw/timer/sse-timer.c
+@@ -XXX,XX +XXX,XX @@ static void sse_timer_realize(DeviceState *dev, Error **errp)
+     if (!s->counter) {
+         error_setg(errp, "counter property was not set");
++        return;
+     }
+     s->counter_notifier.notify = sse_timer_counter_callback;
+--
+.20.1

-New patch
+[PULL 24/39] accel: kvm: Fix kvm_type invocation
+From: Andrew Jones <drjones@redhat.com>
+Prior to commit f2ce39b4f067 a MachineClass kvm_type method
+only needed to be registered to ensure it would be executed.
+With commit f2ce39b4f067 a kvm-type machine property must also
+be specified. hw/arm/virt relies on the kvm_type method to pass
+its selected IPA limit to KVM, but this is not exposed as a
+machine property. Restore the previous functionality of invoking
+kvm_type when it's present.
+Fixes: f2ce39b4f067 ("vl: make qemu_get_machine_opts static")
+Signed-off-by: Andrew Jones <drjones@redhat.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Message-id: 20210310135218.255205-2-drjones@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ include/hw/boards.h | 1 +
+ accel/kvm/kvm-all.c | 2 ++
+files changed, 3 insertions(+)
+diff --git a/include/hw/boards.h b/include/hw/boards.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/boards.h
++++ b/include/hw/boards.h
+@@ -XXX,XX +XXX,XX @@ typedef struct {
+  * @kvm_type:
+  *    Return the type of KVM corresponding to the kvm-type string option or
+  *    computed based on other criteria such as the host kernel capabilities.
++ *    kvm-type may be NULL if it is not needed.
+  * @numa_mem_supported:
+  *    true if '--numa node.mem' option is supported and false otherwise
+  * @smp_parse:
+diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
+index XXXXXXX..XXXXXXX 100644
+--- a/accel/kvm/kvm-all.c
++++ b/accel/kvm/kvm-all.c
+@@ -XXX,XX +XXX,XX @@ static int kvm_init(MachineState *ms)
+                                                             "kvm-type",
+                                                             &error_abort);
+         type = mc->kvm_type(ms, kvm_type);
++    } else if (mc->kvm_type) {
++        type = mc->kvm_type(ms, NULL);
+     }
+     do {
+--
+.20.1

-[Qemu-devel] [PULL 7/9] hw/timer/armv7m_systick: Forbid non-privileged accesses
+[PULL 25/39] hw/arm/virt: KVM: The IPA lower bound is 32
-Like most of the v7M memory mapped system registers, the systick
+From: Andrew Jones <drjones@redhat.com>
 registers are accessible to privileged code only and user accesses
 must generate a BusFault. We implement that for registers in
 the NVIC proper already, but missed it for systick since we
 implement it as a separate device. Correct the omission.
+The virt machine already checks KVM_CAP_ARM_VM_IPA_SIZE to get the
+upper bound of the IPA size. If that bound is lower than the highest
+possible GPA for the machine, then QEMU will error out. However, the
+IPA is set to 40 when the highest GPA is less than or equal to 40,
+even when KVM may support an IPA limit as low as 32. This means KVM
+may fail the VM creation unnecessarily. Additionally, 40 is selected
+with the value 0, which means use the default, and that gets around
+a check in some versions of KVM, causing a difficult to debug fail.
+Always use the IPA size that corresponds to the highest possible GPA,
+unless it's lower than 32, in which case use 32. Also, we must still
+use 0 when KVM only supports the legacy fixed 40 bit IPA.
+Suggested-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Andrew Jones <drjones@redhat.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Message-id: 20210310135218.255205-3-drjones@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190617175317.27557-6-peter.maydell@linaro.org
 ---
- hw/timer/armv7m_systick.c | 26 ++++++++++++++++++++------
+ target/arm/kvm_arm.h |  6 ++++--
-file changed, 20 insertions(+), 6 deletions(-)
+ hw/arm/virt.c        | 23 ++++++++++++++++-------
  target/arm/kvm.c     |  4 +++-
 files changed, 23 insertions(+), 10 deletions(-)
-diff --git a/hw/timer/armv7m_systick.c b/hw/timer/armv7m_systick.c
+diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/armv7m_systick.c
+--- a/target/arm/kvm_arm.h
-+++ b/hw/timer/armv7m_systick.c
++++ b/target/arm/kvm_arm.h
-@@ -XXX,XX +XXX,XX @@ static void systick_timer_tick(void *opaque)
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_sve_supported(void);
-     }
+ /**
   * kvm_arm_get_max_vm_ipa_size:
   * @ms: Machine state handle
 + * @fixed_ipa: True when the IPA limit is fixed at 40. This is the case
 + * for legacy KVM.
   *
   * Returns the number of bits in the IPA address space supported by KVM
   */
 -int kvm_arm_get_max_vm_ipa_size(MachineState *ms);
 +int kvm_arm_get_max_vm_ipa_size(MachineState *ms, bool *fixed_ipa);
  /**
   * kvm_arm_sync_mpstate_to_kvm:
@@ -XXX,XX +XXX,XX @@ static inline void kvm_arm_add_vcpu_properties(Object *obj)
      g_assert_not_reached();
  }
--static uint64_t systick_read(void *opaque, hwaddr addr, unsigned size)
+-static inline int kvm_arm_get_max_vm_ipa_size(MachineState *ms)
-+static MemTxResult systick_read(void *opaque, hwaddr addr, uint64_t *data,
++static inline int kvm_arm_get_max_vm_ipa_size(MachineState *ms, bool *fixed_ipa)
 +                                unsigned size, MemTxAttrs attrs)
  {
-     SysTickState *s = opaque;
+     g_assert_not_reached();
-     uint32_t val;
+ }
+diff --git a/hw/arm/virt.c b/hw/arm/virt.c
-+    if (attrs.user) {
+index XXXXXXX..XXXXXXX 100644
-+        /* Generate BusFault for unprivileged accesses */
+--- a/hw/arm/virt.c
-+        return MEMTX_ERROR;
++++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static HotplugHandler *virt_machine_get_hotplug_handler(MachineState *machine,
  static int virt_kvm_type(MachineState *ms, const char *type_str)
  {
      VirtMachineState *vms = VIRT_MACHINE(ms);
 -    int max_vm_pa_size = kvm_arm_get_max_vm_ipa_size(ms);
 -    int requested_pa_size;
 +    int max_vm_pa_size, requested_pa_size;
 +    bool fixed_ipa;
 +
 +    max_vm_pa_size = kvm_arm_get_max_vm_ipa_size(ms, &fixed_ipa);
      /* we freeze the memory map to compute the highest gpa */
      virt_set_memmap(vms);
      requested_pa_size = 64 - clz64(vms->highest_gpa);
 +    /*
 +     * KVM requires the IPA size to be at least 32 bits.
 +     */
 +    if (requested_pa_size < 32) {
 +        requested_pa_size = 32;
 +    }
 +
-     switch (addr) {
+     if (requested_pa_size > max_vm_pa_size) {
-     case 0x0: /* SysTick Control and Status.  */
+         error_report("-m and ,maxmem option values "
-         val = s->control;
+                      "require an IPA range (%d bits) larger than "
-@@ -XXX,XX +XXX,XX @@ static uint64_t systick_read(void *opaque, hwaddr addr, unsigned size)
+                      "the one supported by the host (%d bits)",
                       requested_pa_size, max_vm_pa_size);
 -       exit(1);
 +        exit(1);
      }
+     /*
-     trace_systick_read(addr, val, size);
+-     * By default we return 0 which corresponds to an implicit legacy
--    return val;
+-     * 40b IPA setting. Otherwise we return the actual requested PA
-+    *data = val;
+-     * logsize
-+    return MEMTX_OK;
++     * We return the requested PA log size, unless KVM only supports
 +     * the implicit legacy 40b IPA setting, in which case the kvm_type
 +     * must be 0.
       */
 -    return requested_pa_size > 40 ? requested_pa_size : 0;
 +    return fixed_ipa ? 0 : requested_pa_size;
  }
--static void systick_write(void *opaque, hwaddr addr,
+ static void virt_machine_class_init(ObjectClass *oc, void *data)
--                          uint64_t value, unsigned size)
+diff --git a/target/arm/kvm.c b/target/arm/kvm.c
-+static MemTxResult systick_write(void *opaque, hwaddr addr,
+index XXXXXXX..XXXXXXX 100644
-+                                 uint64_t value, unsigned size,
+--- a/target/arm/kvm.c
-+                                 MemTxAttrs attrs)
++++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_pmu_supported(void)
      return kvm_check_extension(kvm_state, KVM_CAP_ARM_PMU_V3);
  }
 -int kvm_arm_get_max_vm_ipa_size(MachineState *ms)
 +int kvm_arm_get_max_vm_ipa_size(MachineState *ms, bool *fixed_ipa)
  {
-     SysTickState *s = opaque;
+     KVMState *s = KVM_STATE(ms->accelerator);
+     int ret;
-+    if (attrs.user) {
-+        /* Generate BusFault for unprivileged accesses */
+     ret = kvm_check_extension(s, KVM_CAP_ARM_VM_IPA_SIZE);
-+        return MEMTX_ERROR;
++    *fixed_ipa = ret <= 0;
 +    }
 +
-     trace_systick_write(addr, value, size);
+     return ret > 0 ? ret : 40;
      switch (addr) {
@@ -XXX,XX +XXX,XX @@ static void systick_write(void *opaque, hwaddr addr,
          qemu_log_mask(LOG_GUEST_ERROR,
                        "SysTick: Bad write offset 0x%" HWADDR_PRIx "\n", addr);
      }
 +    return MEMTX_OK;
  }
- static const MemoryRegionOps systick_ops = {
--    .read = systick_read,
--    .write = systick_write,
-+    .read_with_attrs = systick_read,
-+    .write_with_attrs = systick_write,
-     .endianness = DEVICE_NATIVE_ENDIAN,
-     .valid.min_access_size = 4,
-     .valid.max_access_size = 4,
 --
 .20.1

-New patch
+[PULL 26/39] hw/misc: Add GPIOs for duty in NPCM7xx PWM
+From: Hao Wu <wuhaotsh@google.com>
+This patch adds GPIOs in NPCM7xx PWM module for its duty values.
+The purpose of this is to connect it to the MFT module to provide
+an input for measuring a PWM fan's RPM. Each PWM module has
+NPCM7XX_PWM_PER_MODULE of GPIOs, each one corresponds to
+one PWM instance and can connect to multiple fan instances in MFT.
+Reviewed-by: Doug Evans <dje@google.com>
+Reviewed-by: Tyrone Ting <kfting@nuvoton.com>
+Signed-off-by: Hao Wu <wuhaotsh@google.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20210311180855.149764-2-wuhaotsh@google.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ include/hw/misc/npcm7xx_pwm.h | 4 +++-
+ hw/misc/npcm7xx_pwm.c         | 4 ++++
+files changed, 7 insertions(+), 1 deletion(-)
+diff --git a/include/hw/misc/npcm7xx_pwm.h b/include/hw/misc/npcm7xx_pwm.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/misc/npcm7xx_pwm.h
++++ b/include/hw/misc/npcm7xx_pwm.h
+@@ -XXX,XX +XXX,XX @@ typedef struct NPCM7xxPWM {
+  * @iomem: Memory region through which registers are accessed.
+  * @clock: The PWM clock.
+  * @pwm: The PWM channels owned by this module.
++ * @duty_gpio_out: The duty cycle of each PWM channels as a output GPIO.
+  * @ppr: The prescaler register.
+  * @csr: The clock selector register.
+  * @pcr: The control register.
+@@ -XXX,XX +XXX,XX @@ struct NPCM7xxPWMState {
+     MemoryRegion iomem;
+     Clock       *clock;
+-    NPCM7xxPWM pwm[NPCM7XX_PWM_PER_MODULE];
++    NPCM7xxPWM  pwm[NPCM7XX_PWM_PER_MODULE];
++    qemu_irq    duty_gpio_out[NPCM7XX_PWM_PER_MODULE];
+     uint32_t    ppr;
+     uint32_t    csr;
+diff --git a/hw/misc/npcm7xx_pwm.c b/hw/misc/npcm7xx_pwm.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/misc/npcm7xx_pwm.c
++++ b/hw/misc/npcm7xx_pwm.c
+@@ -XXX,XX +XXX,XX @@ static void npcm7xx_pwm_update_duty(NPCM7xxPWM *p)
+         trace_npcm7xx_pwm_update_duty(DEVICE(p->module)->canonical_path,
+                                       p->index, p->duty, duty);
+         p->duty = duty;
++        qemu_set_irq(p->module->duty_gpio_out[p->index], p->duty);
+     }
+ }
+@@ -XXX,XX +XXX,XX @@ static void npcm7xx_pwm_init(Object *obj)
+     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
+     int i;
++    QEMU_BUILD_BUG_ON(ARRAY_SIZE(s->pwm) != NPCM7XX_PWM_PER_MODULE);
+     for (i = 0; i < NPCM7XX_PWM_PER_MODULE; i++) {
+         NPCM7xxPWM *p = &s->pwm[i];
+         p->module = s;
+@@ -XXX,XX +XXX,XX @@ static void npcm7xx_pwm_init(Object *obj)
+         object_property_add_uint32_ptr(obj, "duty[*]",
+                 &s->pwm[i].duty, OBJ_PROP_FLAG_READ);
+     }
++    qdev_init_gpio_out_named(DEVICE(s), s->duty_gpio_out,
++                             "duty-gpio-out", NPCM7XX_PWM_PER_MODULE);
+ }
+ static const VMStateDescription vmstate_npcm7xx_pwm = {
+--
+.20.1

-[Qemu-devel] [PULL 3/9] target/arm/helper: Move M profile routines to m_helper.c
+[PULL 27/39] hw/misc: Add NPCM7XX MFT Module
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: Hao Wu <wuhaotsh@google.com>
-In preparation for supporting TCG disablement on ARM, we move most
+This patch implements Multi Function Timer (MFT) module for NPCM7XX.
-of TCG related v7m/v8m helpers and APIs into their own file.
+This module is mainly used to configure PWM fans. It has just enough
 functionality to make the PWM fan kernel module work.
-Note: It is easier to review this commit using the 'histogram'
+The module takes two input, the max_rpm of a fan (modifiable via QMP)
-      diff algorithm:
+and duty cycle (a GPIO from the PWM module.) The actual measured RPM
 is equal to max_rpm * duty_cycle / NPCM7XX_PWM_MAX_DUTY. The RPM is
 measured as a counter compared to a prescaled input clock. The kernel
 driver reads this counter and report to user space.
-    $ git diff --diff-algorithm=histogram ...
+Refs:
-  or
+https://github.com/torvalds/linux/blob/master/drivers/hwmon/npcm750-pwm-fan.c
     $ git diff --histogram ...
-Suggested-by: Samuel Ortiz <sameo@linux.intel.com>
+Reviewed-by: Doug Evans <dje@google.com>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Tyrone Ting <kfting@nuvoton.com>
-Message-id: 20190702144335.10717-2-philmd@redhat.com
+Signed-off-by: Hao Wu <wuhaotsh@google.com>
 Message-id: 20210311180855.149764-3-wuhaotsh@google.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/Makefile.objs |    1 +
+ include/hw/misc/npcm7xx_mft.h |  70 +++++
- target/arm/helper.c      | 2638 +------------------------------------
+ hw/misc/npcm7xx_mft.c         | 540 ++++++++++++++++++++++++++++++++++
- target/arm/m_helper.c    | 2676 ++++++++++++++++++++++++++++++++++++++
+ hw/misc/meson.build           |   1 +
-files changed, 2681 insertions(+), 2634 deletions(-)
+ hw/misc/trace-events          |   8 +
- create mode 100644 target/arm/m_helper.c
+files changed, 619 insertions(+)
  create mode 100644 include/hw/misc/npcm7xx_mft.h
  create mode 100644 hw/misc/npcm7xx_mft.c
-diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
+diff --git a/include/hw/misc/npcm7xx_mft.h b/include/hw/misc/npcm7xx_mft.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/Makefile.objs
 +++ b/target/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@ obj-y += tlb_helper.o debug_helper.o
  obj-y += translate.o op_helper.o
  obj-y += crypto_helper.o
  obj-y += iwmmxt_helper.o vec_helper.o neon_helper.o
 +obj-y += m_helper.o
  obj-$(CONFIG_SOFTMMU) += psci.o
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/crc32c.h"
  #include "qemu/qemu-print.h"
  #include "exec/exec-all.h"
 -#include "exec/cpu_ldst.h"
  #include <zlib.h> /* For crc32 */
  #include "hw/semihosting/semihost.h"
  #include "sysemu/cpus.h"
@@ -XXX,XX +XXX,XX @@
  #include "qemu/guest-random.h"
  #ifdef CONFIG_TCG
  #include "arm_ldst.h"
 +#include "exec/cpu_ldst.h"
  #endif
  #define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(rbit)(uint32_t x)
  #ifdef CONFIG_USER_ONLY
 -/* These should probably raise undefined insn exceptions.  */
 -void HELPER(v7m_msr)(CPUARMState *env, uint32_t reg, uint32_t val)
 -{
 -    ARMCPU *cpu = env_archcpu(env);
 -
 -    cpu_abort(CPU(cpu), "v7m_msr %d\n", reg);
 -}
 -
 -uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
 -{
 -    ARMCPU *cpu = env_archcpu(env);
 -
 -    cpu_abort(CPU(cpu), "v7m_mrs %d\n", reg);
 -    return 0;
 -}
 -
 -void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
 -{
 -    /* translate.c should never generate calls here in user-only mode */
 -    g_assert_not_reached();
 -}
 -
 -void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
 -{
 -    /* translate.c should never generate calls here in user-only mode */
 -    g_assert_not_reached();
 -}
 -
 -void HELPER(v7m_preserve_fp_state)(CPUARMState *env)
 -{
 -    /* translate.c should never generate calls here in user-only mode */
 -    g_assert_not_reached();
 -}
 -
 -void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)
 -{
 -    /* translate.c should never generate calls here in user-only mode */
 -    g_assert_not_reached();
 -}
 -
 -void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)
 -{
 -    /* translate.c should never generate calls here in user-only mode */
 -    g_assert_not_reached();
 -}
 -
 -uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
 -{
 -    /*
 -     * The TT instructions can be used by unprivileged code, but in
 -     * user-only emulation we don't have the MPU.
 -     * Luckily since we know we are NonSecure unprivileged (and that in
 -     * turn means that the A flag wasn't specified), all the bits in the
 -     * register must be zero:
 -     *  IREGION: 0 because IRVALID is 0
 -     *  IRVALID: 0 because NS
 -     *  S: 0 because NS
 -     *  NSRW: 0 because NS
 -     *  NSR: 0 because NS
 -     *  RW: 0 because unpriv and A flag not set
 -     *  R: 0 because unpriv and A flag not set
 -     *  SRVALID: 0 because NS
 -     *  MRVALID: 0 because unpriv and A flag not set
 -     *  SREGION: 0 becaus SRVALID is 0
 -     *  MREGION: 0 because MRVALID is 0
 -     */
 -    return 0;
 -}
 -
  static void switch_mode(CPUARMState *env, int mode)
  {
      ARMCPU *cpu = env_archcpu(env);
@@ -XXX,XX +XXX,XX @@ void arm_log_exception(int idx)
      }
  }
 -/*
 - * What kind of stack write are we doing? This affects how exceptions
 - * generated during the stacking are treated.
 - */
 -typedef enum StackingMode {
 -    STACK_NORMAL,
 -    STACK_IGNFAULTS,
 -    STACK_LAZYFP,
 -} StackingMode;
 -
 -static bool v7m_stack_write(ARMCPU *cpu, uint32_t addr, uint32_t value,
 -                            ARMMMUIdx mmu_idx, StackingMode mode)
 -{
 -    CPUState *cs = CPU(cpu);
 -    CPUARMState *env = &cpu->env;
 -    MemTxAttrs attrs = {};
 -    MemTxResult txres;
 -    target_ulong page_size;
 -    hwaddr physaddr;
 -    int prot;
 -    ARMMMUFaultInfo fi = {};
 -    bool secure = mmu_idx & ARM_MMU_IDX_M_S;
 -    int exc;
 -    bool exc_secure;
 -
 -    if (get_phys_addr(env, addr, MMU_DATA_STORE, mmu_idx, &physaddr,
 -                      &attrs, &prot, &page_size, &fi, NULL)) {
 -        /* MPU/SAU lookup failed */
 -        if (fi.type == ARMFault_QEMU_SFault) {
 -            if (mode == STACK_LAZYFP) {
 -                qemu_log_mask(CPU_LOG_INT,
 -                              "...SecureFault with SFSR.LSPERR "
 -                              "during lazy stacking\n");
 -                env->v7m.sfsr |= R_V7M_SFSR_LSPERR_MASK;
 -            } else {
 -                qemu_log_mask(CPU_LOG_INT,
 -                              "...SecureFault with SFSR.AUVIOL "
 -                              "during stacking\n");
 -                env->v7m.sfsr |= R_V7M_SFSR_AUVIOL_MASK;
 -            }
 -            env->v7m.sfsr |= R_V7M_SFSR_SFARVALID_MASK;
 -            env->v7m.sfar = addr;
 -            exc = ARMV7M_EXCP_SECURE;
 -            exc_secure = false;
 -        } else {
 -            if (mode == STACK_LAZYFP) {
 -                qemu_log_mask(CPU_LOG_INT,
 -                              "...MemManageFault with CFSR.MLSPERR\n");
 -                env->v7m.cfsr[secure] |= R_V7M_CFSR_MLSPERR_MASK;
 -            } else {
 -                qemu_log_mask(CPU_LOG_INT,
 -                              "...MemManageFault with CFSR.MSTKERR\n");
 -                env->v7m.cfsr[secure] |= R_V7M_CFSR_MSTKERR_MASK;
 -            }
 -            exc = ARMV7M_EXCP_MEM;
 -            exc_secure = secure;
 -        }
 -        goto pend_fault;
 -    }
 -    address_space_stl_le(arm_addressspace(cs, attrs), physaddr, value,
 -                         attrs, &txres);
 -    if (txres != MEMTX_OK) {
 -        /* BusFault trying to write the data */
 -        if (mode == STACK_LAZYFP) {
 -            qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.LSPERR\n");
 -            env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_LSPERR_MASK;
 -        } else {
 -            qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.STKERR\n");
 -            env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_STKERR_MASK;
 -        }
 -        exc = ARMV7M_EXCP_BUS;
 -        exc_secure = false;
 -        goto pend_fault;
 -    }
 -    return true;
 -
 -pend_fault:
 -    /*
 -     * By pending the exception at this point we are making
 -     * the IMPDEF choice "overridden exceptions pended" (see the
 -     * MergeExcInfo() pseudocode). The other choice would be to not
 -     * pend them now and then make a choice about which to throw away
 -     * later if we have two derived exceptions.
 -     * The only case when we must not pend the exception but instead
 -     * throw it away is if we are doing the push of the callee registers
 -     * and we've already generated a derived exception (this is indicated
 -     * by the caller passing STACK_IGNFAULTS). Even in this case we will
 -     * still update the fault status registers.
 -     */
 -    switch (mode) {
 -    case STACK_NORMAL:
 -        armv7m_nvic_set_pending_derived(env->nvic, exc, exc_secure);
 -        break;
 -    case STACK_LAZYFP:
 -        armv7m_nvic_set_pending_lazyfp(env->nvic, exc, exc_secure);
 -        break;
 -    case STACK_IGNFAULTS:
 -        break;
 -    }
 -    return false;
 -}
 -
 -static bool v7m_stack_read(ARMCPU *cpu, uint32_t *dest, uint32_t addr,
 -                           ARMMMUIdx mmu_idx)
 -{
 -    CPUState *cs = CPU(cpu);
 -    CPUARMState *env = &cpu->env;
 -    MemTxAttrs attrs = {};
 -    MemTxResult txres;
 -    target_ulong page_size;
 -    hwaddr physaddr;
 -    int prot;
 -    ARMMMUFaultInfo fi = {};
 -    bool secure = mmu_idx & ARM_MMU_IDX_M_S;
 -    int exc;
 -    bool exc_secure;
 -    uint32_t value;
 -
 -    if (get_phys_addr(env, addr, MMU_DATA_LOAD, mmu_idx, &physaddr,
 -                      &attrs, &prot, &page_size, &fi, NULL)) {
 -        /* MPU/SAU lookup failed */
 -        if (fi.type == ARMFault_QEMU_SFault) {
 -            qemu_log_mask(CPU_LOG_INT,
 -                          "...SecureFault with SFSR.AUVIOL during unstack\n");
 -            env->v7m.sfsr |= R_V7M_SFSR_AUVIOL_MASK | R_V7M_SFSR_SFARVALID_MASK;
 -            env->v7m.sfar = addr;
 -            exc = ARMV7M_EXCP_SECURE;
 -            exc_secure = false;
 -        } else {
 -            qemu_log_mask(CPU_LOG_INT,
 -                          "...MemManageFault with CFSR.MUNSTKERR\n");
 -            env->v7m.cfsr[secure] |= R_V7M_CFSR_MUNSTKERR_MASK;
 -            exc = ARMV7M_EXCP_MEM;
 -            exc_secure = secure;
 -        }
 -        goto pend_fault;
 -    }
 -
 -    value = address_space_ldl(arm_addressspace(cs, attrs), physaddr,
 -                              attrs, &txres);
 -    if (txres != MEMTX_OK) {
 -        /* BusFault trying to read the data */
 -        qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.UNSTKERR\n");
 -        env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_UNSTKERR_MASK;
 -        exc = ARMV7M_EXCP_BUS;
 -        exc_secure = false;
 -        goto pend_fault;
 -    }
 -
 -    *dest = value;
 -    return true;
 -
 -pend_fault:
 -    /*
 -     * By pending the exception at this point we are making
 -     * the IMPDEF choice "overridden exceptions pended" (see the
 -     * MergeExcInfo() pseudocode). The other choice would be to not
 -     * pend them now and then make a choice about which to throw away
 -     * later if we have two derived exceptions.
 -     */
 -    armv7m_nvic_set_pending(env->nvic, exc, exc_secure);
 -    return false;
 -}
 -
 -void HELPER(v7m_preserve_fp_state)(CPUARMState *env)
 -{
 -    /*
 -     * Preserve FP state (because LSPACT was set and we are about
 -     * to execute an FP instruction). This corresponds to the
 -     * PreserveFPState() pseudocode.
 -     * We may throw an exception if the stacking fails.
 -     */
 -    ARMCPU *cpu = env_archcpu(env);
 -    bool is_secure = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK;
 -    bool negpri = !(env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_HFRDY_MASK);
 -    bool is_priv = !(env->v7m.fpccr[is_secure] & R_V7M_FPCCR_USER_MASK);
 -    bool splimviol = env->v7m.fpccr[is_secure] & R_V7M_FPCCR_SPLIMVIOL_MASK;
 -    uint32_t fpcar = env->v7m.fpcar[is_secure];
 -    bool stacked_ok = true;
 -    bool ts = is_secure && (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK);
 -    bool take_exception;
 -
 -    /* Take the iothread lock as we are going to touch the NVIC */
 -    qemu_mutex_lock_iothread();
 -
 -    /* Check the background context had access to the FPU */
 -    if (!v7m_cpacr_pass(env, is_secure, is_priv)) {
 -        armv7m_nvic_set_pending_lazyfp(env->nvic, ARMV7M_EXCP_USAGE, is_secure);
 -        env->v7m.cfsr[is_secure] |= R_V7M_CFSR_NOCP_MASK;
 -        stacked_ok = false;
 -    } else if (!is_secure && !extract32(env->v7m.nsacr, 10, 1)) {
 -        armv7m_nvic_set_pending_lazyfp(env->nvic, ARMV7M_EXCP_USAGE, M_REG_S);
 -        env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_NOCP_MASK;
 -        stacked_ok = false;
 -    }
 -
 -    if (!splimviol && stacked_ok) {
 -        /* We only stack if the stack limit wasn't violated */
 -        int i;
 -        ARMMMUIdx mmu_idx;
 -
 -        mmu_idx = arm_v7m_mmu_idx_all(env, is_secure, is_priv, negpri);
 -        for (i = 0; i < (ts ? 32 : 16); i += 2) {
 -            uint64_t dn = *aa32_vfp_dreg(env, i / 2);
 -            uint32_t faddr = fpcar + 4 * i;
 -            uint32_t slo = extract64(dn, 0, 32);
 -            uint32_t shi = extract64(dn, 32, 32);
 -
 -            if (i >= 16) {
 -                faddr += 8; /* skip the slot for the FPSCR */
 -            }
 -            stacked_ok = stacked_ok &&
 -                v7m_stack_write(cpu, faddr, slo, mmu_idx, STACK_LAZYFP) &&
 -                v7m_stack_write(cpu, faddr + 4, shi, mmu_idx, STACK_LAZYFP);
 -        }
 -
 -        stacked_ok = stacked_ok &&
 -            v7m_stack_write(cpu, fpcar + 0x40,
 -                            vfp_get_fpscr(env), mmu_idx, STACK_LAZYFP);
 -    }
 -
 -    /*
 -     * We definitely pended an exception, but it's possible that it
 -     * might not be able to be taken now. If its priority permits us
 -     * to take it now, then we must not update the LSPACT or FP regs,
 -     * but instead jump out to take the exception immediately.
 -     * If it's just pending and won't be taken until the current
 -     * handler exits, then we do update LSPACT and the FP regs.
 -     */
 -    take_exception = !stacked_ok &&
 -        armv7m_nvic_can_take_pending_exception(env->nvic);
 -
 -    qemu_mutex_unlock_iothread();
 -
 -    if (take_exception) {
 -        raise_exception_ra(env, EXCP_LAZYFP, 0, 1, GETPC());
 -    }
 -
 -    env->v7m.fpccr[is_secure] &= ~R_V7M_FPCCR_LSPACT_MASK;
 -
 -    if (ts) {
 -        /* Clear s0 to s31 and the FPSCR */
 -        int i;
 -
 -        for (i = 0; i < 32; i += 2) {
 -            *aa32_vfp_dreg(env, i / 2) = 0;
 -        }
 -        vfp_set_fpscr(env, 0);
 -    }
 -    /*
 -     * Otherwise s0 to s15 and FPSCR are UNKNOWN; we choose to leave them
 -     * unchanged.
 -     */
 -}
 -
 -/*
 - * Write to v7M CONTROL.SPSEL bit for the specified security bank.
 - * This may change the current stack pointer between Main and Process
 - * stack pointers if it is done for the CONTROL register for the current
 - * security state.
 - */
 -static void write_v7m_control_spsel_for_secstate(CPUARMState *env,
 -                                                 bool new_spsel,
 -                                                 bool secstate)
 -{
 -    bool old_is_psp = v7m_using_psp(env);
 -
 -    env->v7m.control[secstate] =
 -        deposit32(env->v7m.control[secstate],
 -                  R_V7M_CONTROL_SPSEL_SHIFT,
 -                  R_V7M_CONTROL_SPSEL_LENGTH, new_spsel);
 -
 -    if (secstate == env->v7m.secure) {
 -        bool new_is_psp = v7m_using_psp(env);
 -        uint32_t tmp;
 -
 -        if (old_is_psp != new_is_psp) {
 -            tmp = env->v7m.other_sp;
 -            env->v7m.other_sp = env->regs[13];
 -            env->regs[13] = tmp;
 -        }
 -    }
 -}
 -
 -/*
 - * Write to v7M CONTROL.SPSEL bit. This may change the current
 - * stack pointer between Main and Process stack pointers.
 - */
 -static void write_v7m_control_spsel(CPUARMState *env, bool new_spsel)
 -{
 -    write_v7m_control_spsel_for_secstate(env, new_spsel, env->v7m.secure);
 -}
 -
 -void write_v7m_exception(CPUARMState *env, uint32_t new_exc)
 -{
 -    /*
 -     * Write a new value to v7m.exception, thus transitioning into or out
 -     * of Handler mode; this may result in a change of active stack pointer.
 -     */
 -    bool new_is_psp, old_is_psp = v7m_using_psp(env);
 -    uint32_t tmp;
 -
 -    env->v7m.exception = new_exc;
 -
 -    new_is_psp = v7m_using_psp(env);
 -
 -    if (old_is_psp != new_is_psp) {
 -        tmp = env->v7m.other_sp;
 -        env->v7m.other_sp = env->regs[13];
 -        env->regs[13] = tmp;
 -    }
 -}
 -
 -/* Switch M profile security state between NS and S */
 -static void switch_v7m_security_state(CPUARMState *env, bool new_secstate)
 -{
 -    uint32_t new_ss_msp, new_ss_psp;
 -
 -    if (env->v7m.secure == new_secstate) {
 -        return;
 -    }
 -
 -    /*
 -     * All the banked state is accessed by looking at env->v7m.secure
 -     * except for the stack pointer; rearrange the SP appropriately.
 -     */
 -    new_ss_msp = env->v7m.other_ss_msp;
 -    new_ss_psp = env->v7m.other_ss_psp;
 -
 -    if (v7m_using_psp(env)) {
 -        env->v7m.other_ss_psp = env->regs[13];
 -        env->v7m.other_ss_msp = env->v7m.other_sp;
 -    } else {
 -        env->v7m.other_ss_msp = env->regs[13];
 -        env->v7m.other_ss_psp = env->v7m.other_sp;
 -    }
 -
 -    env->v7m.secure = new_secstate;
 -
 -    if (v7m_using_psp(env)) {
 -        env->regs[13] = new_ss_psp;
 -        env->v7m.other_sp = new_ss_msp;
 -    } else {
 -        env->regs[13] = new_ss_msp;
 -        env->v7m.other_sp = new_ss_psp;
 -    }
 -}
 -
 -void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
 -{
 -    /*
 -     * Handle v7M BXNS:
 -     *  - if the return value is a magic value, do exception return (like BX)
 -     *  - otherwise bit 0 of the return value is the target security state
 -     */
 -    uint32_t min_magic;
 -
 -    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 -        /* Covers FNC_RETURN and EXC_RETURN magic */
 -        min_magic = FNC_RETURN_MIN_MAGIC;
 -    } else {
 -        /* EXC_RETURN magic only */
 -        min_magic = EXC_RETURN_MIN_MAGIC;
 -    }
 -
 -    if (dest >= min_magic) {
 -        /*
 -         * This is an exception return magic value; put it where
 -         * do_v7m_exception_exit() expects and raise EXCEPTION_EXIT.
 -         * Note that if we ever add gen_ss_advance() singlestep support to
 -         * M profile this should count as an "instruction execution complete"
 -         * event (compare gen_bx_excret_final_code()).
 -         */
 -        env->regs[15] = dest & ~1;
 -        env->thumb = dest & 1;
 -        HELPER(exception_internal)(env, EXCP_EXCEPTION_EXIT);
 -        /* notreached */
 -    }
 -
 -    /* translate.c should have made BXNS UNDEF unless we're secure */
 -    assert(env->v7m.secure);
 -
 -    if (!(dest & 1)) {
 -        env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
 -    }
 -    switch_v7m_security_state(env, dest & 1);
 -    env->thumb = 1;
 -    env->regs[15] = dest & ~1;
 -}
 -
 -void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
 -{
 -    /*
 -     * Handle v7M BLXNS:
 -     *  - bit 0 of the destination address is the target security state
 -     */
 -
 -    /* At this point regs[15] is the address just after the BLXNS */
 -    uint32_t nextinst = env->regs[15] | 1;
 -    uint32_t sp = env->regs[13] - 8;
 -    uint32_t saved_psr;
 -
 -    /* translate.c will have made BLXNS UNDEF unless we're secure */
 -    assert(env->v7m.secure);
 -
 -    if (dest & 1) {
 -        /*
 -         * Target is Secure, so this is just a normal BLX,
 -         * except that the low bit doesn't indicate Thumb/not.
 -         */
 -        env->regs[14] = nextinst;
 -        env->thumb = 1;
 -        env->regs[15] = dest & ~1;
 -        return;
 -    }
 -
 -    /* Target is non-secure: first push a stack frame */
 -    if (!QEMU_IS_ALIGNED(sp, 8)) {
 -        qemu_log_mask(LOG_GUEST_ERROR,
 -                      "BLXNS with misaligned SP is UNPREDICTABLE\n");
 -    }
 -
 -    if (sp < v7m_sp_limit(env)) {
 -        raise_exception(env, EXCP_STKOF, 0, 1);
 -    }
 -
 -    saved_psr = env->v7m.exception;
 -    if (env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK) {
 -        saved_psr |= XPSR_SFPA;
 -    }
 -
 -    /* Note that these stores can throw exceptions on MPU faults */
 -    cpu_stl_data(env, sp, nextinst);
 -    cpu_stl_data(env, sp + 4, saved_psr);
 -
 -    env->regs[13] = sp;
 -    env->regs[14] = 0xfeffffff;
 -    if (arm_v7m_is_handler_mode(env)) {
 -        /*
 -         * Write a dummy value to IPSR, to avoid leaking the current secure
 -         * exception number to non-secure code. This is guaranteed not
 -         * to cause write_v7m_exception() to actually change stacks.
 -         */
 -        write_v7m_exception(env, 1);
 -    }
 -    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
 -    switch_v7m_security_state(env, 0);
 -    env->thumb = 1;
 -    env->regs[15] = dest;
 -}
 -
 -static uint32_t *get_v7m_sp_ptr(CPUARMState *env, bool secure, bool threadmode,
 -                                bool spsel)
 -{
 -    /*
 -     * Return a pointer to the location where we currently store the
 -     * stack pointer for the requested security state and thread mode.
 -     * This pointer will become invalid if the CPU state is updated
 -     * such that the stack pointers are switched around (eg changing
 -     * the SPSEL control bit).
 -     * Compare the v8M ARM ARM pseudocode LookUpSP_with_security_mode().
 -     * Unlike that pseudocode, we require the caller to pass us in the
 -     * SPSEL control bit value; this is because we also use this
 -     * function in handling of pushing of the callee-saves registers
 -     * part of the v8M stack frame (pseudocode PushCalleeStack()),
 -     * and in the tailchain codepath the SPSEL bit comes from the exception
 -     * return magic LR value from the previous exception. The pseudocode
 -     * opencodes the stack-selection in PushCalleeStack(), but we prefer
 -     * to make this utility function generic enough to do the job.
 -     */
 -    bool want_psp = threadmode && spsel;
 -
 -    if (secure == env->v7m.secure) {
 -        if (want_psp == v7m_using_psp(env)) {
 -            return &env->regs[13];
 -        } else {
 -            return &env->v7m.other_sp;
 -        }
 -    } else {
 -        if (want_psp) {
 -            return &env->v7m.other_ss_psp;
 -        } else {
 -            return &env->v7m.other_ss_msp;
 -        }
 -    }
 -}
 -
 -static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
 -                                uint32_t *pvec)
 -{
 -    CPUState *cs = CPU(cpu);
 -    CPUARMState *env = &cpu->env;
 -    MemTxResult result;
 -    uint32_t addr = env->v7m.vecbase[targets_secure] + exc * 4;
 -    uint32_t vector_entry;
 -    MemTxAttrs attrs = {};
 -    ARMMMUIdx mmu_idx;
 -    bool exc_secure;
 -
 -    mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, targets_secure, true);
 -
 -    /*
 -     * We don't do a get_phys_addr() here because the rules for vector
 -     * loads are special: they always use the default memory map, and
 -     * the default memory map permits reads from all addresses.
 -     * Since there's no easy way to pass through to pmsav8_mpu_lookup()
 -     * that we want this special case which would always say "yes",
 -     * we just do the SAU lookup here followed by a direct physical load.
 -     */
 -    attrs.secure = targets_secure;
 -    attrs.user = false;
 -
 -    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 -        V8M_SAttributes sattrs = {};
 -
 -        v8m_security_lookup(env, addr, MMU_DATA_LOAD, mmu_idx, &sattrs);
 -        if (sattrs.ns) {
 -            attrs.secure = false;
 -        } else if (!targets_secure) {
 -            /* NS access to S memory */
 -            goto load_fail;
 -        }
 -    }
 -
 -    vector_entry = address_space_ldl(arm_addressspace(cs, attrs), addr,
 -                                     attrs, &result);
 -    if (result != MEMTX_OK) {
 -        goto load_fail;
 -    }
 -    *pvec = vector_entry;
 -    return true;
 -
 -load_fail:
 -    /*
 -     * All vector table fetch fails are reported as HardFault, with
 -     * HFSR.VECTTBL and .FORCED set. (FORCED is set because
 -     * technically the underlying exception is a MemManage or BusFault
 -     * that is escalated to HardFault.) This is a terminal exception,
 -     * so we will either take the HardFault immediately or else enter
 -     * lockup (the latter case is handled in armv7m_nvic_set_pending_derived()).
 -     */
 -    exc_secure = targets_secure ||
 -        !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
 -    env->v7m.hfsr |= R_V7M_HFSR_VECTTBL_MASK | R_V7M_HFSR_FORCED_MASK;
 -    armv7m_nvic_set_pending_derived(env->nvic, ARMV7M_EXCP_HARD, exc_secure);
 -    return false;
 -}
 -
 -static uint32_t v7m_integrity_sig(CPUARMState *env, uint32_t lr)
 -{
 -    /*
 -     * Return the integrity signature value for the callee-saves
 -     * stack frame section. @lr is the exception return payload/LR value
 -     * whose FType bit forms bit 0 of the signature if FP is present.
 -     */
 -    uint32_t sig = 0xfefa125a;
 -
 -    if (!arm_feature(env, ARM_FEATURE_VFP) || (lr & R_V7M_EXCRET_FTYPE_MASK)) {
 -        sig |= 1;
 -    }
 -    return sig;
 -}
 -
 -static bool v7m_push_callee_stack(ARMCPU *cpu, uint32_t lr, bool dotailchain,
 -                                  bool ignore_faults)
 -{
 -    /*
 -     * For v8M, push the callee-saves register part of the stack frame.
 -     * Compare the v8M pseudocode PushCalleeStack().
 -     * In the tailchaining case this may not be the current stack.
 -     */
 -    CPUARMState *env = &cpu->env;
 -    uint32_t *frame_sp_p;
 -    uint32_t frameptr;
 -    ARMMMUIdx mmu_idx;
 -    bool stacked_ok;
 -    uint32_t limit;
 -    bool want_psp;
 -    uint32_t sig;
 -    StackingMode smode = ignore_faults ? STACK_IGNFAULTS : STACK_NORMAL;
 -
 -    if (dotailchain) {
 -        bool mode = lr & R_V7M_EXCRET_MODE_MASK;
 -        bool priv = !(env->v7m.control[M_REG_S] & R_V7M_CONTROL_NPRIV_MASK) ||
 -            !mode;
 -
 -        mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, M_REG_S, priv);
 -        frame_sp_p = get_v7m_sp_ptr(env, M_REG_S, mode,
 -                                    lr & R_V7M_EXCRET_SPSEL_MASK);
 -        want_psp = mode && (lr & R_V7M_EXCRET_SPSEL_MASK);
 -        if (want_psp) {
 -            limit = env->v7m.psplim[M_REG_S];
 -        } else {
 -            limit = env->v7m.msplim[M_REG_S];
 -        }
 -    } else {
 -        mmu_idx = arm_mmu_idx(env);
 -        frame_sp_p = &env->regs[13];
 -        limit = v7m_sp_limit(env);
 -    }
 -
 -    frameptr = *frame_sp_p - 0x28;
 -    if (frameptr < limit) {
 -        /*
 -         * Stack limit failure: set SP to the limit value, and generate
 -         * STKOF UsageFault. Stack pushes below the limit must not be
 -         * performed. It is IMPDEF whether pushes above the limit are
 -         * performed; we choose not to.
 -         */
 -        qemu_log_mask(CPU_LOG_INT,
 -                      "...STKOF during callee-saves register stacking\n");
 -        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
 -                                env->v7m.secure);
 -        *frame_sp_p = limit;
 -        return true;
 -    }
 -
 -    /*
 -     * Write as much of the stack frame as we can. A write failure may
 -     * cause us to pend a derived exception.
 -     */
 -    sig = v7m_integrity_sig(env, lr);
 -    stacked_ok =
 -        v7m_stack_write(cpu, frameptr, sig, mmu_idx, smode) &&
 -        v7m_stack_write(cpu, frameptr + 0x8, env->regs[4], mmu_idx, smode) &&
 -        v7m_stack_write(cpu, frameptr + 0xc, env->regs[5], mmu_idx, smode) &&
 -        v7m_stack_write(cpu, frameptr + 0x10, env->regs[6], mmu_idx, smode) &&
 -        v7m_stack_write(cpu, frameptr + 0x14, env->regs[7], mmu_idx, smode) &&
 -        v7m_stack_write(cpu, frameptr + 0x18, env->regs[8], mmu_idx, smode) &&
 -        v7m_stack_write(cpu, frameptr + 0x1c, env->regs[9], mmu_idx, smode) &&
 -        v7m_stack_write(cpu, frameptr + 0x20, env->regs[10], mmu_idx, smode) &&
 -        v7m_stack_write(cpu, frameptr + 0x24, env->regs[11], mmu_idx, smode);
 -
 -    /* Update SP regardless of whether any of the stack accesses failed. */
 -    *frame_sp_p = frameptr;
 -
 -    return !stacked_ok;
 -}
 -
 -static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
 -                                bool ignore_stackfaults)
 -{
 -    /*
 -     * Do the "take the exception" parts of exception entry,
 -     * but not the pushing of state to the stack. This is
 -     * similar to the pseudocode ExceptionTaken() function.
 -     */
 -    CPUARMState *env = &cpu->env;
 -    uint32_t addr;
 -    bool targets_secure;
 -    int exc;
 -    bool push_failed = false;
 -
 -    armv7m_nvic_get_pending_irq_info(env->nvic, &exc, &targets_secure);
 -    qemu_log_mask(CPU_LOG_INT, "...taking pending %s exception %d\n",
 -                  targets_secure ? "secure" : "nonsecure", exc);
 -
 -    if (dotailchain) {
 -        /* Sanitize LR FType and PREFIX bits */
 -        if (!arm_feature(env, ARM_FEATURE_VFP)) {
 -            lr |= R_V7M_EXCRET_FTYPE_MASK;
 -        }
 -        lr = deposit32(lr, 24, 8, 0xff);
 -    }
 -
 -    if (arm_feature(env, ARM_FEATURE_V8)) {
 -        if (arm_feature(env, ARM_FEATURE_M_SECURITY) &&
 -            (lr & R_V7M_EXCRET_S_MASK)) {
 -            /*
 -             * The background code (the owner of the registers in the
 -             * exception frame) is Secure. This means it may either already
 -             * have or now needs to push callee-saves registers.
 -             */
 -            if (targets_secure) {
 -                if (dotailchain && !(lr & R_V7M_EXCRET_ES_MASK)) {
 -                    /*
 -                     * We took an exception from Secure to NonSecure
 -                     * (which means the callee-saved registers got stacked)
 -                     * and are now tailchaining to a Secure exception.
 -                     * Clear DCRS so eventual return from this Secure
 -                     * exception unstacks the callee-saved registers.
 -                     */
 -                    lr &= ~R_V7M_EXCRET_DCRS_MASK;
 -                }
 -            } else {
 -                /*
 -                 * We're going to a non-secure exception; push the
 -                 * callee-saves registers to the stack now, if they're
 -                 * not already saved.
 -                 */
 -                if (lr & R_V7M_EXCRET_DCRS_MASK &&
 -                    !(dotailchain && !(lr & R_V7M_EXCRET_ES_MASK))) {
 -                    push_failed = v7m_push_callee_stack(cpu, lr, dotailchain,
 -                                                        ignore_stackfaults);
 -                }
 -                lr |= R_V7M_EXCRET_DCRS_MASK;
 -            }
 -        }
 -
 -        lr &= ~R_V7M_EXCRET_ES_MASK;
 -        if (targets_secure || !arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 -            lr |= R_V7M_EXCRET_ES_MASK;
 -        }
 -        lr &= ~R_V7M_EXCRET_SPSEL_MASK;
 -        if (env->v7m.control[targets_secure] & R_V7M_CONTROL_SPSEL_MASK) {
 -            lr |= R_V7M_EXCRET_SPSEL_MASK;
 -        }
 -
 -        /*
 -         * Clear registers if necessary to prevent non-secure exception
 -         * code being able to see register values from secure code.
 -         * Where register values become architecturally UNKNOWN we leave
 -         * them with their previous values.
 -         */
 -        if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 -            if (!targets_secure) {
 -                /*
 -                 * Always clear the caller-saved registers (they have been
 -                 * pushed to the stack earlier in v7m_push_stack()).
 -                 * Clear callee-saved registers if the background code is
 -                 * Secure (in which case these regs were saved in
 -                 * v7m_push_callee_stack()).
 -                 */
 -                int i;
 -
 -                for (i = 0; i < 13; i++) {
 -                    /* r4..r11 are callee-saves, zero only if EXCRET.S == 1 */
 -                    if (i < 4 || i > 11 || (lr & R_V7M_EXCRET_S_MASK)) {
 -                        env->regs[i] = 0;
 -                    }
 -                }
 -                /* Clear EAPSR */
 -                xpsr_write(env, 0, XPSR_NZCV | XPSR_Q | XPSR_GE | XPSR_IT);
 -            }
 -        }
 -    }
 -
 -    if (push_failed && !ignore_stackfaults) {
 -        /*
 -         * Derived exception on callee-saves register stacking:
 -         * we might now want to take a different exception which
 -         * targets a different security state, so try again from the top.
 -         */
 -        qemu_log_mask(CPU_LOG_INT,
 -                      "...derived exception on callee-saves register stacking");
 -        v7m_exception_taken(cpu, lr, true, true);
 -        return;
 -    }
 -
 -    if (!arm_v7m_load_vector(cpu, exc, targets_secure, &addr)) {
 -        /* Vector load failed: derived exception */
 -        qemu_log_mask(CPU_LOG_INT, "...derived exception on vector table load");
 -        v7m_exception_taken(cpu, lr, true, true);
 -        return;
 -    }
 -
 -    /*
 -     * Now we've done everything that might cause a derived exception
 -     * we can go ahead and activate whichever exception we're going to
 -     * take (which might now be the derived exception).
 -     */
 -    armv7m_nvic_acknowledge_irq(env->nvic);
 -
 -    /* Switch to target security state -- must do this before writing SPSEL */
 -    switch_v7m_security_state(env, targets_secure);
 -    write_v7m_control_spsel(env, 0);
 -    arm_clear_exclusive(env);
 -    /* Clear SFPA and FPCA (has no effect if no FPU) */
 -    env->v7m.control[M_REG_S] &=
 -        ~(R_V7M_CONTROL_FPCA_MASK | R_V7M_CONTROL_SFPA_MASK);
 -    /* Clear IT bits */
 -    env->condexec_bits = 0;
 -    env->regs[14] = lr;
 -    env->regs[15] = addr & 0xfffffffe;
 -    env->thumb = addr & 1;
 -}
 -
 -static void v7m_update_fpccr(CPUARMState *env, uint32_t frameptr,
 -                             bool apply_splim)
 -{
 -    /*
 -     * Like the pseudocode UpdateFPCCR: save state in FPCAR and FPCCR
 -     * that we will need later in order to do lazy FP reg stacking.
 -     */
 -    bool is_secure = env->v7m.secure;
 -    void *nvic = env->nvic;
 -    /*
 -     * Some bits are unbanked and live always in fpccr[M_REG_S]; some bits
 -     * are banked and we want to update the bit in the bank for the
 -     * current security state; and in one case we want to specifically
 -     * update the NS banked version of a bit even if we are secure.
 -     */
 -    uint32_t *fpccr_s = &env->v7m.fpccr[M_REG_S];
 -    uint32_t *fpccr_ns = &env->v7m.fpccr[M_REG_NS];
 -    uint32_t *fpccr = &env->v7m.fpccr[is_secure];
 -    bool hfrdy, bfrdy, mmrdy, ns_ufrdy, s_ufrdy, sfrdy, monrdy;
 -
 -    env->v7m.fpcar[is_secure] = frameptr & ~0x7;
 -
 -    if (apply_splim && arm_feature(env, ARM_FEATURE_V8)) {
 -        bool splimviol;
 -        uint32_t splim = v7m_sp_limit(env);
 -        bool ign = armv7m_nvic_neg_prio_requested(nvic, is_secure) &&
 -            (env->v7m.ccr[is_secure] & R_V7M_CCR_STKOFHFNMIGN_MASK);
 -
 -        splimviol = !ign && frameptr < splim;
 -        *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, SPLIMVIOL, splimviol);
 -    }
 -
 -    *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, LSPACT, 1);
 -
 -    *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, S, is_secure);
 -
 -    *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, USER, arm_current_el(env) == 0);
 -
 -    *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, THREAD,
 -                        !arm_v7m_is_handler_mode(env));
 -
 -    hfrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_HARD, false);
 -    *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, HFRDY, hfrdy);
 -
 -    bfrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_BUS, false);
 -    *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, BFRDY, bfrdy);
 -
 -    mmrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_MEM, is_secure);
 -    *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, MMRDY, mmrdy);
 -
 -    ns_ufrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_USAGE, false);
 -    *fpccr_ns = FIELD_DP32(*fpccr_ns, V7M_FPCCR, UFRDY, ns_ufrdy);
 -
 -    monrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_DEBUG, false);
 -    *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, MONRDY, monrdy);
 -
 -    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 -        s_ufrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_USAGE, true);
 -        *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, UFRDY, s_ufrdy);
 -
 -        sfrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_SECURE, false);
 -        *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, SFRDY, sfrdy);
 -    }
 -}
 -
 -void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)
 -{
 -    /* fptr is the value of Rn, the frame pointer we store the FP regs to */
 -    bool s = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK;
 -    bool lspact = env->v7m.fpccr[s] & R_V7M_FPCCR_LSPACT_MASK;
 -
 -    assert(env->v7m.secure);
 -
 -    if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK)) {
 -        return;
 -    }
 -
 -    /* Check access to the coprocessor is permitted */
 -    if (!v7m_cpacr_pass(env, true, arm_current_el(env) != 0)) {
 -        raise_exception_ra(env, EXCP_NOCP, 0, 1, GETPC());
 -    }
 -
 -    if (lspact) {
 -        /* LSPACT should not be active when there is active FP state */
 -        raise_exception_ra(env, EXCP_LSERR, 0, 1, GETPC());
 -    }
 -
 -    if (fptr & 7) {
 -        raise_exception_ra(env, EXCP_UNALIGNED, 0, 1, GETPC());
 -    }
 -
 -    /*
 -     * Note that we do not use v7m_stack_write() here, because the
 -     * accesses should not set the FSR bits for stacking errors if they
 -     * fail. (In pseudocode terms, they are AccType_NORMAL, not AccType_STACK
 -     * or AccType_LAZYFP). Faults in cpu_stl_data() will throw exceptions
 -     * and longjmp out.
 -     */
 -    if (!(env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPEN_MASK)) {
 -        bool ts = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK;
 -        int i;
 -
 -        for (i = 0; i < (ts ? 32 : 16); i += 2) {
 -            uint64_t dn = *aa32_vfp_dreg(env, i / 2);
 -            uint32_t faddr = fptr + 4 * i;
 -            uint32_t slo = extract64(dn, 0, 32);
 -            uint32_t shi = extract64(dn, 32, 32);
 -
 -            if (i >= 16) {
 -                faddr += 8; /* skip the slot for the FPSCR */
 -            }
 -            cpu_stl_data(env, faddr, slo);
 -            cpu_stl_data(env, faddr + 4, shi);
 -        }
 -        cpu_stl_data(env, fptr + 0x40, vfp_get_fpscr(env));
 -
 -        /*
 -         * If TS is 0 then s0 to s15 and FPSCR are UNKNOWN; we choose to
 -         * leave them unchanged, matching our choice in v7m_preserve_fp_state.
 -         */
 -        if (ts) {
 -            for (i = 0; i < 32; i += 2) {
 -                *aa32_vfp_dreg(env, i / 2) = 0;
 -            }
 -            vfp_set_fpscr(env, 0);
 -        }
 -    } else {
 -        v7m_update_fpccr(env, fptr, false);
 -    }
 -
 -    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_FPCA_MASK;
 -}
 -
 -void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)
 -{
 -    /* fptr is the value of Rn, the frame pointer we load the FP regs from */
 -    assert(env->v7m.secure);
 -
 -    if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK)) {
 -        return;
 -    }
 -
 -    /* Check access to the coprocessor is permitted */
 -    if (!v7m_cpacr_pass(env, true, arm_current_el(env) != 0)) {
 -        raise_exception_ra(env, EXCP_NOCP, 0, 1, GETPC());
 -    }
 -
 -    if (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPACT_MASK) {
 -        /* State in FP is still valid */
 -        env->v7m.fpccr[M_REG_S] &= ~R_V7M_FPCCR_LSPACT_MASK;
 -    } else {
 -        bool ts = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK;
 -        int i;
 -        uint32_t fpscr;
 -
 -        if (fptr & 7) {
 -            raise_exception_ra(env, EXCP_UNALIGNED, 0, 1, GETPC());
 -        }
 -
 -        for (i = 0; i < (ts ? 32 : 16); i += 2) {
 -            uint32_t slo, shi;
 -            uint64_t dn;
 -            uint32_t faddr = fptr + 4 * i;
 -
 -            if (i >= 16) {
 -                faddr += 8; /* skip the slot for the FPSCR */
 -            }
 -
 -            slo = cpu_ldl_data(env, faddr);
 -            shi = cpu_ldl_data(env, faddr + 4);
 -
 -            dn = (uint64_t) shi << 32 | slo;
 -            *aa32_vfp_dreg(env, i / 2) = dn;
 -        }
 -        fpscr = cpu_ldl_data(env, fptr + 0x40);
 -        vfp_set_fpscr(env, fpscr);
 -    }
 -
 -    env->v7m.control[M_REG_S] |= R_V7M_CONTROL_FPCA_MASK;
 -}
 -
 -static bool v7m_push_stack(ARMCPU *cpu)
 -{
 -    /*
 -     * Do the "set up stack frame" part of exception entry,
 -     * similar to pseudocode PushStack().
 -     * Return true if we generate a derived exception (and so
 -     * should ignore further stack faults trying to process
 -     * that derived exception.)
 -     */
 -    bool stacked_ok = true, limitviol = false;
 -    CPUARMState *env = &cpu->env;
 -    uint32_t xpsr = xpsr_read(env);
 -    uint32_t frameptr = env->regs[13];
 -    ARMMMUIdx mmu_idx = arm_mmu_idx(env);
 -    uint32_t framesize;
 -    bool nsacr_cp10 = extract32(env->v7m.nsacr, 10, 1);
 -
 -    if ((env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK) &&
 -        (env->v7m.secure || nsacr_cp10)) {
 -        if (env->v7m.secure &&
 -            env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK) {
 -            framesize = 0xa8;
 -        } else {
 -            framesize = 0x68;
 -        }
 -    } else {
 -        framesize = 0x20;
 -    }
 -
 -    /* Align stack pointer if the guest wants that */
 -    if ((frameptr & 4) &&
 -        (env->v7m.ccr[env->v7m.secure] & R_V7M_CCR_STKALIGN_MASK)) {
 -        frameptr -= 4;
 -        xpsr |= XPSR_SPREALIGN;
 -    }
 -
 -    xpsr &= ~XPSR_SFPA;
 -    if (env->v7m.secure &&
 -        (env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK)) {
 -        xpsr |= XPSR_SFPA;
 -    }
 -
 -    frameptr -= framesize;
 -
 -    if (arm_feature(env, ARM_FEATURE_V8)) {
 -        uint32_t limit = v7m_sp_limit(env);
 -
 -        if (frameptr < limit) {
 -            /*
 -             * Stack limit failure: set SP to the limit value, and generate
 -             * STKOF UsageFault. Stack pushes below the limit must not be
 -             * performed. It is IMPDEF whether pushes above the limit are
 -             * performed; we choose not to.
 -             */
 -            qemu_log_mask(CPU_LOG_INT,
 -                          "...STKOF during stacking\n");
 -            env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;
 -            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
 -                                    env->v7m.secure);
 -            env->regs[13] = limit;
 -            /*
 -             * We won't try to perform any further memory accesses but
 -             * we must continue through the following code to check for
 -             * permission faults during FPU state preservation, and we
 -             * must update FPCCR if lazy stacking is enabled.
 -             */
 -            limitviol = true;
 -            stacked_ok = false;
 -        }
 -    }
 -
 -    /*
 -     * Write as much of the stack frame as we can. If we fail a stack
 -     * write this will result in a derived exception being pended
 -     * (which may be taken in preference to the one we started with
 -     * if it has higher priority).
 -     */
 -    stacked_ok = stacked_ok &&
 -        v7m_stack_write(cpu, frameptr, env->regs[0], mmu_idx, STACK_NORMAL) &&
 -        v7m_stack_write(cpu, frameptr + 4, env->regs[1],
 -                        mmu_idx, STACK_NORMAL) &&
 -        v7m_stack_write(cpu, frameptr + 8, env->regs[2],
 -                        mmu_idx, STACK_NORMAL) &&
 -        v7m_stack_write(cpu, frameptr + 12, env->regs[3],
 -                        mmu_idx, STACK_NORMAL) &&
 -        v7m_stack_write(cpu, frameptr + 16, env->regs[12],
 -                        mmu_idx, STACK_NORMAL) &&
 -        v7m_stack_write(cpu, frameptr + 20, env->regs[14],
 -                        mmu_idx, STACK_NORMAL) &&
 -        v7m_stack_write(cpu, frameptr + 24, env->regs[15],
 -                        mmu_idx, STACK_NORMAL) &&
 -        v7m_stack_write(cpu, frameptr + 28, xpsr, mmu_idx, STACK_NORMAL);
 -
 -    if (env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK) {
 -        /* FPU is active, try to save its registers */
 -        bool fpccr_s = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK;
 -        bool lspact = env->v7m.fpccr[fpccr_s] & R_V7M_FPCCR_LSPACT_MASK;
 -
 -        if (lspact && arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 -            qemu_log_mask(CPU_LOG_INT,
 -                          "...SecureFault because LSPACT and FPCA both set\n");
 -            env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
 -            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 -        } else if (!env->v7m.secure && !nsacr_cp10) {
 -            qemu_log_mask(CPU_LOG_INT,
 -                          "...Secure UsageFault with CFSR.NOCP because "
 -                          "NSACR.CP10 prevents stacking FP regs\n");
 -            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, M_REG_S);
 -            env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_NOCP_MASK;
 -        } else {
 -            if (!(env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPEN_MASK)) {
 -                /* Lazy stacking disabled, save registers now */
 -                int i;
 -                bool cpacr_pass = v7m_cpacr_pass(env, env->v7m.secure,
 -                                                 arm_current_el(env) != 0);
 -
 -                if (stacked_ok && !cpacr_pass) {
 -                    /*
 -                     * Take UsageFault if CPACR forbids access. The pseudocode
 -                     * here does a full CheckCPEnabled() but we know the NSACR
 -                     * check can never fail as we have already handled that.
 -                     */
 -                    qemu_log_mask(CPU_LOG_INT,
 -                                  "...UsageFault with CFSR.NOCP because "
 -                                  "CPACR.CP10 prevents stacking FP regs\n");
 -                    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
 -                                            env->v7m.secure);
 -                    env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_NOCP_MASK;
 -                    stacked_ok = false;
 -                }
 -
 -                for (i = 0; i < ((framesize == 0xa8) ? 32 : 16); i += 2) {
 -                    uint64_t dn = *aa32_vfp_dreg(env, i / 2);
 -                    uint32_t faddr = frameptr + 0x20 + 4 * i;
 -                    uint32_t slo = extract64(dn, 0, 32);
 -                    uint32_t shi = extract64(dn, 32, 32);
 -
 -                    if (i >= 16) {
 -                        faddr += 8; /* skip the slot for the FPSCR */
 -                    }
 -                    stacked_ok = stacked_ok &&
 -                        v7m_stack_write(cpu, faddr, slo,
 -                                        mmu_idx, STACK_NORMAL) &&
 -                        v7m_stack_write(cpu, faddr + 4, shi,
 -                                        mmu_idx, STACK_NORMAL);
 -                }
 -                stacked_ok = stacked_ok &&
 -                    v7m_stack_write(cpu, frameptr + 0x60,
 -                                    vfp_get_fpscr(env), mmu_idx, STACK_NORMAL);
 -                if (cpacr_pass) {
 -                    for (i = 0; i < ((framesize == 0xa8) ? 32 : 16); i += 2) {
 -                        *aa32_vfp_dreg(env, i / 2) = 0;
 -                    }
 -                    vfp_set_fpscr(env, 0);
 -                }
 -            } else {
 -                /* Lazy stacking enabled, save necessary info to stack later */
 -                v7m_update_fpccr(env, frameptr + 0x20, true);
 -            }
 -        }
 -    }
 -
 -    /*
 -     * If we broke a stack limit then SP was already updated earlier;
 -     * otherwise we update SP regardless of whether any of the stack
 -     * accesses failed or we took some other kind of fault.
 -     */
 -    if (!limitviol) {
 -        env->regs[13] = frameptr;
 -    }
 -
 -    return !stacked_ok;
 -}
 -
 -static void do_v7m_exception_exit(ARMCPU *cpu)
 -{
 -    CPUARMState *env = &cpu->env;
 -    uint32_t excret;
 -    uint32_t xpsr, xpsr_mask;
 -    bool ufault = false;
 -    bool sfault = false;
 -    bool return_to_sp_process;
 -    bool return_to_handler;
 -    bool rettobase = false;
 -    bool exc_secure = false;
 -    bool return_to_secure;
 -    bool ftype;
 -    bool restore_s16_s31;
 -
 -    /*
 -     * If we're not in Handler mode then jumps to magic exception-exit
 -     * addresses don't have magic behaviour. However for the v8M
 -     * security extensions the magic secure-function-return has to
 -     * work in thread mode too, so to avoid doing an extra check in
 -     * the generated code we allow exception-exit magic to also cause the
 -     * internal exception and bring us here in thread mode. Correct code
 -     * will never try to do this (the following insn fetch will always
 -     * fault) so we the overhead of having taken an unnecessary exception
 -     * doesn't matter.
 -     */
 -    if (!arm_v7m_is_handler_mode(env)) {
 -        return;
 -    }
 -
 -    /*
 -     * In the spec pseudocode ExceptionReturn() is called directly
 -     * from BXWritePC() and gets the full target PC value including
 -     * bit zero. In QEMU's implementation we treat it as a normal
 -     * jump-to-register (which is then caught later on), and so split
 -     * the target value up between env->regs[15] and env->thumb in
 -     * gen_bx(). Reconstitute it.
 -     */
 -    excret = env->regs[15];
 -    if (env->thumb) {
 -        excret |= 1;
 -    }
 -
 -    qemu_log_mask(CPU_LOG_INT, "Exception return: magic PC %" PRIx32
 -                  " previous exception %d\n",
 -                  excret, env->v7m.exception);
 -
 -    if ((excret & R_V7M_EXCRET_RES1_MASK) != R_V7M_EXCRET_RES1_MASK) {
 -        qemu_log_mask(LOG_GUEST_ERROR, "M profile: zero high bits in exception "
 -                      "exit PC value 0x%" PRIx32 " are UNPREDICTABLE\n",
 -                      excret);
 -    }
 -
 -    ftype = excret & R_V7M_EXCRET_FTYPE_MASK;
 -
 -    if (!arm_feature(env, ARM_FEATURE_VFP) && !ftype) {
 -        qemu_log_mask(LOG_GUEST_ERROR, "M profile: zero FTYPE in exception "
 -                      "exit PC value 0x%" PRIx32 " is UNPREDICTABLE "
 -                      "if FPU not present\n",
 -                      excret);
 -        ftype = true;
 -    }
 -
 -    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 -        /*
 -         * EXC_RETURN.ES validation check (R_SMFL). We must do this before
 -         * we pick which FAULTMASK to clear.
 -         */
 -        if (!env->v7m.secure &&
 -            ((excret & R_V7M_EXCRET_ES_MASK) ||
 -             !(excret & R_V7M_EXCRET_DCRS_MASK))) {
 -            sfault = 1;
 -            /* For all other purposes, treat ES as 0 (R_HXSR) */
 -            excret &= ~R_V7M_EXCRET_ES_MASK;
 -        }
 -        exc_secure = excret & R_V7M_EXCRET_ES_MASK;
 -    }
 -
 -    if (env->v7m.exception != ARMV7M_EXCP_NMI) {
 -        /*
 -         * Auto-clear FAULTMASK on return from other than NMI.
 -         * If the security extension is implemented then this only
 -         * happens if the raw execution priority is >= 0; the
 -         * value of the ES bit in the exception return value indicates
 -         * which security state's faultmask to clear. (v8M ARM ARM R_KBNF.)
 -         */
 -        if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 -            if (armv7m_nvic_raw_execution_priority(env->nvic) >= 0) {
 -                env->v7m.faultmask[exc_secure] = 0;
 -            }
 -        } else {
 -            env->v7m.faultmask[M_REG_NS] = 0;
 -        }
 -    }
 -
 -    switch (armv7m_nvic_complete_irq(env->nvic, env->v7m.exception,
 -                                     exc_secure)) {
 -    case -1:
 -        /* attempt to exit an exception that isn't active */
 -        ufault = true;
 -        break;
 -    case 0:
 -        /* still an irq active now */
 -        break;
 -    case 1:
 -        /*
 -         * We returned to base exception level, no nesting.
 -         * (In the pseudocode this is written using "NestedActivation != 1"
 -         * where we have 'rettobase == false'.)
 -         */
 -        rettobase = true;
 -        break;
 -    default:
 -        g_assert_not_reached();
 -    }
 -
 -    return_to_handler = !(excret & R_V7M_EXCRET_MODE_MASK);
 -    return_to_sp_process = excret & R_V7M_EXCRET_SPSEL_MASK;
 -    return_to_secure = arm_feature(env, ARM_FEATURE_M_SECURITY) &&
 -        (excret & R_V7M_EXCRET_S_MASK);
 -
 -    if (arm_feature(env, ARM_FEATURE_V8)) {
 -        if (!arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 -            /*
 -             * UNPREDICTABLE if S == 1 or DCRS == 0 or ES == 1 (R_XLCP);
 -             * we choose to take the UsageFault.
 -             */
 -            if ((excret & R_V7M_EXCRET_S_MASK) ||
 -                (excret & R_V7M_EXCRET_ES_MASK) ||
 -                !(excret & R_V7M_EXCRET_DCRS_MASK)) {
 -                ufault = true;
 -            }
 -        }
 -        if (excret & R_V7M_EXCRET_RES0_MASK) {
 -            ufault = true;
 -        }
 -    } else {
 -        /* For v7M we only recognize certain combinations of the low bits */
 -        switch (excret & 0xf) {
 -        case 1: /* Return to Handler */
 -            break;
 -        case 13: /* Return to Thread using Process stack */
 -        case 9: /* Return to Thread using Main stack */
 -            /*
 -             * We only need to check NONBASETHRDENA for v7M, because in
 -             * v8M this bit does not exist (it is RES1).
 -             */
 -            if (!rettobase &&
 -                !(env->v7m.ccr[env->v7m.secure] &
 -                  R_V7M_CCR_NONBASETHRDENA_MASK)) {
 -                ufault = true;
 -            }
 -            break;
 -        default:
 -            ufault = true;
 -        }
 -    }
 -
 -    /*
 -     * Set CONTROL.SPSEL from excret.SPSEL. Since we're still in
 -     * Handler mode (and will be until we write the new XPSR.Interrupt
 -     * field) this does not switch around the current stack pointer.
 -     * We must do this before we do any kind of tailchaining, including
 -     * for the derived exceptions on integrity check failures, or we will
 -     * give the guest an incorrect EXCRET.SPSEL value on exception entry.
 -     */
 -    write_v7m_control_spsel_for_secstate(env, return_to_sp_process, exc_secure);
 -
 -    /*
 -     * Clear scratch FP values left in caller saved registers; this
 -     * must happen before any kind of tail chaining.
 -     */
 -    if ((env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_CLRONRET_MASK) &&
 -        (env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK)) {
 -        if (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPACT_MASK) {
 -            env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
 -            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 -            qemu_log_mask(CPU_LOG_INT, "...taking SecureFault on existing "
 -                          "stackframe: error during lazy state deactivation\n");
 -            v7m_exception_taken(cpu, excret, true, false);
 -            return;
 -        } else {
 -            /* Clear s0..s15 and FPSCR */
 -            int i;
 -
 -            for (i = 0; i < 16; i += 2) {
 -                *aa32_vfp_dreg(env, i / 2) = 0;
 -            }
 -            vfp_set_fpscr(env, 0);
 -        }
 -    }
 -
 -    if (sfault) {
 -        env->v7m.sfsr |= R_V7M_SFSR_INVER_MASK;
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 -        qemu_log_mask(CPU_LOG_INT, "...taking SecureFault on existing "
 -                      "stackframe: failed EXC_RETURN.ES validity check\n");
 -        v7m_exception_taken(cpu, excret, true, false);
 -        return;
 -    }
 -
 -    if (ufault) {
 -        /*
 -         * Bad exception return: instead of popping the exception
 -         * stack, directly take a usage fault on the current stack.
 -         */
 -        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
 -        qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on existing "
 -                      "stackframe: failed exception return integrity check\n");
 -        v7m_exception_taken(cpu, excret, true, false);
 -        return;
 -    }
 -
 -    /*
 -     * Tailchaining: if there is currently a pending exception that
 -     * is high enough priority to preempt execution at the level we're
 -     * about to return to, then just directly take that exception now,
 -     * avoiding an unstack-and-then-stack. Note that now we have
 -     * deactivated the previous exception by calling armv7m_nvic_complete_irq()
 -     * our current execution priority is already the execution priority we are
 -     * returning to -- none of the state we would unstack or set based on
 -     * the EXCRET value affects it.
 -     */
 -    if (armv7m_nvic_can_take_pending_exception(env->nvic)) {
 -        qemu_log_mask(CPU_LOG_INT, "...tailchaining to pending exception\n");
 -        v7m_exception_taken(cpu, excret, true, false);
 -        return;
 -    }
 -
 -    switch_v7m_security_state(env, return_to_secure);
 -
 -    {
 -        /*
 -         * The stack pointer we should be reading the exception frame from
 -         * depends on bits in the magic exception return type value (and
 -         * for v8M isn't necessarily the stack pointer we will eventually
 -         * end up resuming execution with). Get a pointer to the location
 -         * in the CPU state struct where the SP we need is currently being
 -         * stored; we will use and modify it in place.
 -         * We use this limited C variable scope so we don't accidentally
 -         * use 'frame_sp_p' after we do something that makes it invalid.
 -         */
 -        uint32_t *frame_sp_p = get_v7m_sp_ptr(env,
 -                                              return_to_secure,
 -                                              !return_to_handler,
 -                                              return_to_sp_process);
 -        uint32_t frameptr = *frame_sp_p;
 -        bool pop_ok = true;
 -        ARMMMUIdx mmu_idx;
 -        bool return_to_priv = return_to_handler ||
 -            !(env->v7m.control[return_to_secure] & R_V7M_CONTROL_NPRIV_MASK);
 -
 -        mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, return_to_secure,
 -                                                        return_to_priv);
 -
 -        if (!QEMU_IS_ALIGNED(frameptr, 8) &&
 -            arm_feature(env, ARM_FEATURE_V8)) {
 -            qemu_log_mask(LOG_GUEST_ERROR,
 -                          "M profile exception return with non-8-aligned SP "
 -                          "for destination state is UNPREDICTABLE\n");
 -        }
 -
 -        /* Do we need to pop callee-saved registers? */
 -        if (return_to_secure &&
 -            ((excret & R_V7M_EXCRET_ES_MASK) == 0 ||
 -             (excret & R_V7M_EXCRET_DCRS_MASK) == 0)) {
 -            uint32_t actual_sig;
 -
 -            pop_ok = v7m_stack_read(cpu, &actual_sig, frameptr, mmu_idx);
 -
 -            if (pop_ok && v7m_integrity_sig(env, excret) != actual_sig) {
 -                /* Take a SecureFault on the current stack */
 -                env->v7m.sfsr |= R_V7M_SFSR_INVIS_MASK;
 -                armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 -                qemu_log_mask(CPU_LOG_INT, "...taking SecureFault on existing "
 -                              "stackframe: failed exception return integrity "
 -                              "signature check\n");
 -                v7m_exception_taken(cpu, excret, true, false);
 -                return;
 -            }
 -
 -            pop_ok = pop_ok &&
 -                v7m_stack_read(cpu, &env->regs[4], frameptr + 0x8, mmu_idx) &&
 -                v7m_stack_read(cpu, &env->regs[5], frameptr + 0xc, mmu_idx) &&
 -                v7m_stack_read(cpu, &env->regs[6], frameptr + 0x10, mmu_idx) &&
 -                v7m_stack_read(cpu, &env->regs[7], frameptr + 0x14, mmu_idx) &&
 -                v7m_stack_read(cpu, &env->regs[8], frameptr + 0x18, mmu_idx) &&
 -                v7m_stack_read(cpu, &env->regs[9], frameptr + 0x1c, mmu_idx) &&
 -                v7m_stack_read(cpu, &env->regs[10], frameptr + 0x20, mmu_idx) &&
 -                v7m_stack_read(cpu, &env->regs[11], frameptr + 0x24, mmu_idx);
 -
 -            frameptr += 0x28;
 -        }
 -
 -        /* Pop registers */
 -        pop_ok = pop_ok &&
 -            v7m_stack_read(cpu, &env->regs[0], frameptr, mmu_idx) &&
 -            v7m_stack_read(cpu, &env->regs[1], frameptr + 0x4, mmu_idx) &&
 -            v7m_stack_read(cpu, &env->regs[2], frameptr + 0x8, mmu_idx) &&
 -            v7m_stack_read(cpu, &env->regs[3], frameptr + 0xc, mmu_idx) &&
 -            v7m_stack_read(cpu, &env->regs[12], frameptr + 0x10, mmu_idx) &&
 -            v7m_stack_read(cpu, &env->regs[14], frameptr + 0x14, mmu_idx) &&
 -            v7m_stack_read(cpu, &env->regs[15], frameptr + 0x18, mmu_idx) &&
 -            v7m_stack_read(cpu, &xpsr, frameptr + 0x1c, mmu_idx);
 -
 -        if (!pop_ok) {
 -            /*
 -             * v7m_stack_read() pended a fault, so take it (as a tail
 -             * chained exception on the same stack frame)
 -             */
 -            qemu_log_mask(CPU_LOG_INT, "...derived exception on unstacking\n");
 -            v7m_exception_taken(cpu, excret, true, false);
 -            return;
 -        }
 -
 -        /*
 -         * Returning from an exception with a PC with bit 0 set is defined
 -         * behaviour on v8M (bit 0 is ignored), but for v7M it was specified
 -         * to be UNPREDICTABLE. In practice actual v7M hardware seems to ignore
 -         * the lsbit, and there are several RTOSes out there which incorrectly
 -         * assume the r15 in the stack frame should be a Thumb-style "lsbit
 -         * indicates ARM/Thumb" value, so ignore the bit on v7M as well, but
 -         * complain about the badly behaved guest.
 -         */
 -        if (env->regs[15] & 1) {
 -            env->regs[15] &= ~1U;
 -            if (!arm_feature(env, ARM_FEATURE_V8)) {
 -                qemu_log_mask(LOG_GUEST_ERROR,
 -                              "M profile return from interrupt with misaligned "
 -                              "PC is UNPREDICTABLE on v7M\n");
 -            }
 -        }
 -
 -        if (arm_feature(env, ARM_FEATURE_V8)) {
 -            /*
 -             * For v8M we have to check whether the xPSR exception field
 -             * matches the EXCRET value for return to handler/thread
 -             * before we commit to changing the SP and xPSR.
 -             */
 -            bool will_be_handler = (xpsr & XPSR_EXCP) != 0;
 -            if (return_to_handler != will_be_handler) {
 -                /*
 -                 * Take an INVPC UsageFault on the current stack.
 -                 * By this point we will have switched to the security state
 -                 * for the background state, so this UsageFault will target
 -                 * that state.
 -                 */
 -                armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
 -                                        env->v7m.secure);
 -                env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
 -                qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on existing "
 -                              "stackframe: failed exception return integrity "
 -                              "check\n");
 -                v7m_exception_taken(cpu, excret, true, false);
 -                return;
 -            }
 -        }
 -
 -        if (!ftype) {
 -            /* FP present and we need to handle it */
 -            if (!return_to_secure &&
 -                (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPACT_MASK)) {
 -                armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 -                env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
 -                qemu_log_mask(CPU_LOG_INT,
 -                              "...taking SecureFault on existing stackframe: "
 -                              "Secure LSPACT set but exception return is "
 -                              "not to secure state\n");
 -                v7m_exception_taken(cpu, excret, true, false);
 -                return;
 -            }
 -
 -            restore_s16_s31 = return_to_secure &&
 -                (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK);
 -
 -            if (env->v7m.fpccr[return_to_secure] & R_V7M_FPCCR_LSPACT_MASK) {
 -                /* State in FPU is still valid, just clear LSPACT */
 -                env->v7m.fpccr[return_to_secure] &= ~R_V7M_FPCCR_LSPACT_MASK;
 -            } else {
 -                int i;
 -                uint32_t fpscr;
 -                bool cpacr_pass, nsacr_pass;
 -
 -                cpacr_pass = v7m_cpacr_pass(env, return_to_secure,
 -                                            return_to_priv);
 -                nsacr_pass = return_to_secure ||
 -                    extract32(env->v7m.nsacr, 10, 1);
 -
 -                if (!cpacr_pass) {
 -                    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
 -                                            return_to_secure);
 -                    env->v7m.cfsr[return_to_secure] |= R_V7M_CFSR_NOCP_MASK;
 -                    qemu_log_mask(CPU_LOG_INT,
 -                                  "...taking UsageFault on existing "
 -                                  "stackframe: CPACR.CP10 prevents unstacking "
 -                                  "FP regs\n");
 -                    v7m_exception_taken(cpu, excret, true, false);
 -                    return;
 -                } else if (!nsacr_pass) {
 -                    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, true);
 -                    env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_INVPC_MASK;
 -                    qemu_log_mask(CPU_LOG_INT,
 -                                  "...taking Secure UsageFault on existing "
 -                                  "stackframe: NSACR.CP10 prevents unstacking "
 -                                  "FP regs\n");
 -                    v7m_exception_taken(cpu, excret, true, false);
 -                    return;
 -                }
 -
 -                for (i = 0; i < (restore_s16_s31 ? 32 : 16); i += 2) {
 -                    uint32_t slo, shi;
 -                    uint64_t dn;
 -                    uint32_t faddr = frameptr + 0x20 + 4 * i;
 -
 -                    if (i >= 16) {
 -                        faddr += 8; /* Skip the slot for the FPSCR */
 -                    }
 -
 -                    pop_ok = pop_ok &&
 -                        v7m_stack_read(cpu, &slo, faddr, mmu_idx) &&
 -                        v7m_stack_read(cpu, &shi, faddr + 4, mmu_idx);
 -
 -                    if (!pop_ok) {
 -                        break;
 -                    }
 -
 -                    dn = (uint64_t)shi << 32 | slo;
 -                    *aa32_vfp_dreg(env, i / 2) = dn;
 -                }
 -                pop_ok = pop_ok &&
 -                    v7m_stack_read(cpu, &fpscr, frameptr + 0x60, mmu_idx);
 -                if (pop_ok) {
 -                    vfp_set_fpscr(env, fpscr);
 -                }
 -                if (!pop_ok) {
 -                    /*
 -                     * These regs are 0 if security extension present;
 -                     * otherwise merely UNKNOWN. We zero always.
 -                     */
 -                    for (i = 0; i < (restore_s16_s31 ? 32 : 16); i += 2) {
 -                        *aa32_vfp_dreg(env, i / 2) = 0;
 -                    }
 -                    vfp_set_fpscr(env, 0);
 -                }
 -            }
 -        }
 -        env->v7m.control[M_REG_S] = FIELD_DP32(env->v7m.control[M_REG_S],
 -                                               V7M_CONTROL, FPCA, !ftype);
 -
 -        /* Commit to consuming the stack frame */
 -        frameptr += 0x20;
 -        if (!ftype) {
 -            frameptr += 0x48;
 -            if (restore_s16_s31) {
 -                frameptr += 0x40;
 -            }
 -        }
 -        /*
 -         * Undo stack alignment (the SPREALIGN bit indicates that the original
 -         * pre-exception SP was not 8-aligned and we added a padding word to
 -         * align it, so we undo this by ORing in the bit that increases it
 -         * from the current 8-aligned value to the 8-unaligned value. (Adding 4
 -         * would work too but a logical OR is how the pseudocode specifies it.)
 -         */
 -        if (xpsr & XPSR_SPREALIGN) {
 -            frameptr |= 4;
 -        }
 -        *frame_sp_p = frameptr;
 -    }
 -
 -    xpsr_mask = ~(XPSR_SPREALIGN | XPSR_SFPA);
 -    if (!arm_feature(env, ARM_FEATURE_THUMB_DSP)) {
 -        xpsr_mask &= ~XPSR_GE;
 -    }
 -    /* This xpsr_write() will invalidate frame_sp_p as it may switch stack */
 -    xpsr_write(env, xpsr, xpsr_mask);
 -
 -    if (env->v7m.secure) {
 -        bool sfpa = xpsr & XPSR_SFPA;
 -
 -        env->v7m.control[M_REG_S] = FIELD_DP32(env->v7m.control[M_REG_S],
 -                                               V7M_CONTROL, SFPA, sfpa);
 -    }
 -
 -    /*
 -     * The restored xPSR exception field will be zero if we're
 -     * resuming in Thread mode. If that doesn't match what the
 -     * exception return excret specified then this is a UsageFault.
 -     * v7M requires we make this check here; v8M did it earlier.
 -     */
 -    if (return_to_handler != arm_v7m_is_handler_mode(env)) {
 -        /*
 -         * Take an INVPC UsageFault by pushing the stack again;
 -         * we know we're v7M so this is never a Secure UsageFault.
 -         */
 -        bool ignore_stackfaults;
 -
 -        assert(!arm_feature(env, ARM_FEATURE_V8));
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, false);
 -        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
 -        ignore_stackfaults = v7m_push_stack(cpu);
 -        qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on new stackframe: "
 -                      "failed exception return integrity check\n");
 -        v7m_exception_taken(cpu, excret, false, ignore_stackfaults);
 -        return;
 -    }
 -
 -    /* Otherwise, we have a successful exception exit. */
 -    arm_clear_exclusive(env);
 -    qemu_log_mask(CPU_LOG_INT, "...successful exception return\n");
 -}
 -
 -static bool do_v7m_function_return(ARMCPU *cpu)
 -{
 -    /*
 -     * v8M security extensions magic function return.
 -     * We may either:
 -     *  (1) throw an exception (longjump)
 -     *  (2) return true if we successfully handled the function return
 -     *  (3) return false if we failed a consistency check and have
 -     *      pended a UsageFault that needs to be taken now
 -     *
 -     * At this point the magic return value is split between env->regs[15]
 -     * and env->thumb. We don't bother to reconstitute it because we don't
 -     * need it (all values are handled the same way).
 -     */
 -    CPUARMState *env = &cpu->env;
 -    uint32_t newpc, newpsr, newpsr_exc;
 -
 -    qemu_log_mask(CPU_LOG_INT, "...really v7M secure function return\n");
 -
 -    {
 -        bool threadmode, spsel;
 -        TCGMemOpIdx oi;
 -        ARMMMUIdx mmu_idx;
 -        uint32_t *frame_sp_p;
 -        uint32_t frameptr;
 -
 -        /* Pull the return address and IPSR from the Secure stack */
 -        threadmode = !arm_v7m_is_handler_mode(env);
 -        spsel = env->v7m.control[M_REG_S] & R_V7M_CONTROL_SPSEL_MASK;
 -
 -        frame_sp_p = get_v7m_sp_ptr(env, true, threadmode, spsel);
 -        frameptr = *frame_sp_p;
 -
 -        /*
 -         * These loads may throw an exception (for MPU faults). We want to
 -         * do them as secure, so work out what MMU index that is.
 -         */
 -        mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
 -        oi = make_memop_idx(MO_LE, arm_to_core_mmu_idx(mmu_idx));
 -        newpc = helper_le_ldul_mmu(env, frameptr, oi, 0);
 -        newpsr = helper_le_ldul_mmu(env, frameptr + 4, oi, 0);
 -
 -        /* Consistency checks on new IPSR */
 -        newpsr_exc = newpsr & XPSR_EXCP;
 -        if (!((env->v7m.exception == 0 && newpsr_exc == 0) ||
 -              (env->v7m.exception == 1 && newpsr_exc != 0))) {
 -            /* Pend the fault and tell our caller to take it */
 -            env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
 -            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
 -                                    env->v7m.secure);
 -            qemu_log_mask(CPU_LOG_INT,
 -                          "...taking INVPC UsageFault: "
 -                          "IPSR consistency check failed\n");
 -            return false;
 -        }
 -
 -        *frame_sp_p = frameptr + 8;
 -    }
 -
 -    /* This invalidates frame_sp_p */
 -    switch_v7m_security_state(env, true);
 -    env->v7m.exception = newpsr_exc;
 -    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
 -    if (newpsr & XPSR_SFPA) {
 -        env->v7m.control[M_REG_S] |= R_V7M_CONTROL_SFPA_MASK;
 -    }
 -    xpsr_write(env, 0, XPSR_IT);
 -    env->thumb = newpc & 1;
 -    env->regs[15] = newpc & ~1;
 -
 -    qemu_log_mask(CPU_LOG_INT, "...function return successful\n");
 -    return true;
 -}
 -
 -static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
 -                               uint32_t addr, uint16_t *insn)
 -{
 -    /*
 -     * Load a 16-bit portion of a v7M instruction, returning true on success,
 -     * or false on failure (in which case we will have pended the appropriate
 -     * exception).
 -     * We need to do the instruction fetch's MPU and SAU checks
 -     * like this because there is no MMU index that would allow
 -     * doing the load with a single function call. Instead we must
 -     * first check that the security attributes permit the load
 -     * and that they don't mismatch on the two halves of the instruction,
 -     * and then we do the load as a secure load (ie using the security
 -     * attributes of the address, not the CPU, as architecturally required).
 -     */
 -    CPUState *cs = CPU(cpu);
 -    CPUARMState *env = &cpu->env;
 -    V8M_SAttributes sattrs = {};
 -    MemTxAttrs attrs = {};
 -    ARMMMUFaultInfo fi = {};
 -    MemTxResult txres;
 -    target_ulong page_size;
 -    hwaddr physaddr;
 -    int prot;
 -
 -    v8m_security_lookup(env, addr, MMU_INST_FETCH, mmu_idx, &sattrs);
 -    if (!sattrs.nsc || sattrs.ns) {
 -        /*
 -         * This must be the second half of the insn, and it straddles a
 -         * region boundary with the second half not being S&NSC.
 -         */
 -        env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 -        qemu_log_mask(CPU_LOG_INT,
 -                      "...really SecureFault with SFSR.INVEP\n");
 -        return false;
 -    }
 -    if (get_phys_addr(env, addr, MMU_INST_FETCH, mmu_idx,
 -                      &physaddr, &attrs, &prot, &page_size, &fi, NULL)) {
 -        /* the MPU lookup failed */
 -        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_IACCVIOL_MASK;
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM, env->v7m.secure);
 -        qemu_log_mask(CPU_LOG_INT, "...really MemManage with CFSR.IACCVIOL\n");
 -        return false;
 -    }
 -    *insn = address_space_lduw_le(arm_addressspace(cs, attrs), physaddr,
 -                                 attrs, &txres);
 -    if (txres != MEMTX_OK) {
 -        env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_IBUSERR_MASK;
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
 -        qemu_log_mask(CPU_LOG_INT, "...really BusFault with CFSR.IBUSERR\n");
 -        return false;
 -    }
 -    return true;
 -}
 -
 -static bool v7m_handle_execute_nsc(ARMCPU *cpu)
 -{
 -    /*
 -     * Check whether this attempt to execute code in a Secure & NS-Callable
 -     * memory region is for an SG instruction; if so, then emulate the
 -     * effect of the SG instruction and return true. Otherwise pend
 -     * the correct kind of exception and return false.
 -     */
 -    CPUARMState *env = &cpu->env;
 -    ARMMMUIdx mmu_idx;
 -    uint16_t insn;
 -
 -    /*
 -     * We should never get here unless get_phys_addr_pmsav8() caused
 -     * an exception for NS executing in S&NSC memory.
 -     */
 -    assert(!env->v7m.secure);
 -    assert(arm_feature(env, ARM_FEATURE_M_SECURITY));
 -
 -    /* We want to do the MPU lookup as secure; work out what mmu_idx that is */
 -    mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
 -
 -    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15], &insn)) {
 -        return false;
 -    }
 -
 -    if (!env->thumb) {
 -        goto gen_invep;
 -    }
 -
 -    if (insn != 0xe97f) {
 -        /*
 -         * Not an SG instruction first half (we choose the IMPDEF
 -         * early-SG-check option).
 -         */
 -        goto gen_invep;
 -    }
 -
 -    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15] + 2, &insn)) {
 -        return false;
 -    }
 -
 -    if (insn != 0xe97f) {
 -        /*
 -         * Not an SG instruction second half (yes, both halves of the SG
 -         * insn have the same hex value)
 -         */
 -        goto gen_invep;
 -    }
 -
 -    /*
 -     * OK, we have confirmed that we really have an SG instruction.
 -     * We know we're NS in S memory so don't need to repeat those checks.
 -     */
 -    qemu_log_mask(CPU_LOG_INT, "...really an SG instruction at 0x%08" PRIx32
 -                  ", executing it\n", env->regs[15]);
 -    env->regs[14] &= ~1;
 -    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
 -    switch_v7m_security_state(env, true);
 -    xpsr_write(env, 0, XPSR_IT);
 -    env->regs[15] += 4;
 -    return true;
 -
 -gen_invep:
 -    env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
 -    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 -    qemu_log_mask(CPU_LOG_INT,
 -                  "...really SecureFault with SFSR.INVEP\n");
 -    return false;
 -}
 -
 -void arm_v7m_cpu_do_interrupt(CPUState *cs)
 -{
 -    ARMCPU *cpu = ARM_CPU(cs);
 -    CPUARMState *env = &cpu->env;
 -    uint32_t lr;
 -    bool ignore_stackfaults;
 -
 -    arm_log_exception(cs->exception_index);
 -
 -    /*
 -     * For exceptions we just mark as pending on the NVIC, and let that
 -     * handle it.
 -     */
 -    switch (cs->exception_index) {
 -    case EXCP_UDEF:
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
 -        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_UNDEFINSTR_MASK;
 -        break;
 -    case EXCP_NOCP:
 -    {
 -        /*
 -         * NOCP might be directed to something other than the current
 -         * security state if this fault is because of NSACR; we indicate
 -         * the target security state using exception.target_el.
 -         */
 -        int target_secstate;
 -
 -        if (env->exception.target_el == 3) {
 -            target_secstate = M_REG_S;
 -        } else {
 -            target_secstate = env->v7m.secure;
 -        }
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, target_secstate);
 -        env->v7m.cfsr[target_secstate] |= R_V7M_CFSR_NOCP_MASK;
 -        break;
 -    }
 -    case EXCP_INVSTATE:
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
 -        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVSTATE_MASK;
 -        break;
 -    case EXCP_STKOF:
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
 -        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;
 -        break;
 -    case EXCP_LSERR:
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 -        env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
 -        break;
 -    case EXCP_UNALIGNED:
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
 -        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_UNALIGNED_MASK;
 -        break;
 -    case EXCP_SWI:
 -        /* The PC already points to the next instruction.  */
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SVC, env->v7m.secure);
 -        break;
 -    case EXCP_PREFETCH_ABORT:
 -    case EXCP_DATA_ABORT:
 -        /*
 -         * Note that for M profile we don't have a guest facing FSR, but
 -         * the env->exception.fsr will be populated by the code that
 -         * raises the fault, in the A profile short-descriptor format.
 -         */
 -        switch (env->exception.fsr & 0xf) {
 -        case M_FAKE_FSR_NSC_EXEC:
 -            /*
 -             * Exception generated when we try to execute code at an address
 -             * which is marked as Secure & Non-Secure Callable and the CPU
 -             * is in the Non-Secure state. The only instruction which can
 -             * be executed like this is SG (and that only if both halves of
 -             * the SG instruction have the same security attributes.)
 -             * Everything else must generate an INVEP SecureFault, so we
 -             * emulate the SG instruction here.
 -             */
 -            if (v7m_handle_execute_nsc(cpu)) {
 -                return;
 -            }
 -            break;
 -        case M_FAKE_FSR_SFAULT:
 -            /*
 -             * Various flavours of SecureFault for attempts to execute or
 -             * access data in the wrong security state.
 -             */
 -            switch (cs->exception_index) {
 -            case EXCP_PREFETCH_ABORT:
 -                if (env->v7m.secure) {
 -                    env->v7m.sfsr |= R_V7M_SFSR_INVTRAN_MASK;
 -                    qemu_log_mask(CPU_LOG_INT,
 -                                  "...really SecureFault with SFSR.INVTRAN\n");
 -                } else {
 -                    env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
 -                    qemu_log_mask(CPU_LOG_INT,
 -                                  "...really SecureFault with SFSR.INVEP\n");
 -                }
 -                break;
 -            case EXCP_DATA_ABORT:
 -                /* This must be an NS access to S memory */
 -                env->v7m.sfsr |= R_V7M_SFSR_AUVIOL_MASK;
 -                qemu_log_mask(CPU_LOG_INT,
 -                              "...really SecureFault with SFSR.AUVIOL\n");
 -                break;
 -            }
 -            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 -            break;
 -        case 0x8: /* External Abort */
 -            switch (cs->exception_index) {
 -            case EXCP_PREFETCH_ABORT:
 -                env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_IBUSERR_MASK;
 -                qemu_log_mask(CPU_LOG_INT, "...with CFSR.IBUSERR\n");
 -                break;
 -            case EXCP_DATA_ABORT:
 -                env->v7m.cfsr[M_REG_NS] |=
 -                    (R_V7M_CFSR_PRECISERR_MASK | R_V7M_CFSR_BFARVALID_MASK);
 -                env->v7m.bfar = env->exception.vaddress;
 -                qemu_log_mask(CPU_LOG_INT,
 -                              "...with CFSR.PRECISERR and BFAR 0x%x\n",
 -                              env->v7m.bfar);
 -                break;
 -            }
 -            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
 -            break;
 -        default:
 -            /*
 -             * All other FSR values are either MPU faults or "can't happen
 -             * for M profile" cases.
 -             */
 -            switch (cs->exception_index) {
 -            case EXCP_PREFETCH_ABORT:
 -                env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_IACCVIOL_MASK;
 -                qemu_log_mask(CPU_LOG_INT, "...with CFSR.IACCVIOL\n");
 -                break;
 -            case EXCP_DATA_ABORT:
 -                env->v7m.cfsr[env->v7m.secure] |=
 -                    (R_V7M_CFSR_DACCVIOL_MASK | R_V7M_CFSR_MMARVALID_MASK);
 -                env->v7m.mmfar[env->v7m.secure] = env->exception.vaddress;
 -                qemu_log_mask(CPU_LOG_INT,
 -                              "...with CFSR.DACCVIOL and MMFAR 0x%x\n",
 -                              env->v7m.mmfar[env->v7m.secure]);
 -                break;
 -            }
 -            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM,
 -                                    env->v7m.secure);
 -            break;
 -        }
 -        break;
 -    case EXCP_BKPT:
 -        if (semihosting_enabled()) {
 -            int nr;
 -            nr = arm_lduw_code(env, env->regs[15], arm_sctlr_b(env)) & 0xff;
 -            if (nr == 0xab) {
 -                env->regs[15] += 2;
 -                qemu_log_mask(CPU_LOG_INT,
 -                              "...handling as semihosting call 0x%x\n",
 -                              env->regs[0]);
 -                env->regs[0] = do_arm_semihosting(env);
 -                return;
 -            }
 -        }
 -        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_DEBUG, false);
 -        break;
 -    case EXCP_IRQ:
 -        break;
 -    case EXCP_EXCEPTION_EXIT:
 -        if (env->regs[15] < EXC_RETURN_MIN_MAGIC) {
 -            /* Must be v8M security extension function return */
 -            assert(env->regs[15] >= FNC_RETURN_MIN_MAGIC);
 -            assert(arm_feature(env, ARM_FEATURE_M_SECURITY));
 -            if (do_v7m_function_return(cpu)) {
 -                return;
 -            }
 -        } else {
 -            do_v7m_exception_exit(cpu);
 -            return;
 -        }
 -        break;
 -    case EXCP_LAZYFP:
 -        /*
 -         * We already pended the specific exception in the NVIC in the
 -         * v7m_preserve_fp_state() helper function.
 -         */
 -        break;
 -    default:
 -        cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
 -        return; /* Never happens.  Keep compiler happy.  */
 -    }
 -
 -    if (arm_feature(env, ARM_FEATURE_V8)) {
 -        lr = R_V7M_EXCRET_RES1_MASK |
 -            R_V7M_EXCRET_DCRS_MASK;
 -        /*
 -         * The S bit indicates whether we should return to Secure
 -         * or NonSecure (ie our current state).
 -         * The ES bit indicates whether we're taking this exception
 -         * to Secure or NonSecure (ie our target state). We set it
 -         * later, in v7m_exception_taken().
 -         * The SPSEL bit is also set in v7m_exception_taken() for v8M.
 -         * This corresponds to the ARM ARM pseudocode for v8M setting
 -         * some LR bits in PushStack() and some in ExceptionTaken();
 -         * the distinction matters for the tailchain cases where we
 -         * can take an exception without pushing the stack.
 -         */
 -        if (env->v7m.secure) {
 -            lr |= R_V7M_EXCRET_S_MASK;
 -        }
 -        if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK)) {
 -            lr |= R_V7M_EXCRET_FTYPE_MASK;
 -        }
 -    } else {
 -        lr = R_V7M_EXCRET_RES1_MASK |
 -            R_V7M_EXCRET_S_MASK |
 -            R_V7M_EXCRET_DCRS_MASK |
 -            R_V7M_EXCRET_FTYPE_MASK |
 -            R_V7M_EXCRET_ES_MASK;
 -        if (env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK) {
 -            lr |= R_V7M_EXCRET_SPSEL_MASK;
 -        }
 -    }
 -    if (!arm_v7m_is_handler_mode(env)) {
 -        lr |= R_V7M_EXCRET_MODE_MASK;
 -    }
 -
 -    ignore_stackfaults = v7m_push_stack(cpu);
 -    v7m_exception_taken(cpu, lr, false, ignore_stackfaults);
 -}
 -
  /*
   * Function used to synchronize QEMU's AArch64 register set with AArch32
   * register set.  This is necessary when switching between AArch32 and AArch64
@@ -XXX,XX +XXX,XX @@ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
      return phys_addr;
  }
 -uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
 -{
 -    uint32_t mask;
 -    unsigned el = arm_current_el(env);
 -
 -    /* First handle registers which unprivileged can read */
 -
 -    switch (reg) {
 -    case 0 ... 7: /* xPSR sub-fields */
 -        mask = 0;
 -        if ((reg & 1) && el) {
 -            mask |= XPSR_EXCP; /* IPSR (unpriv. reads as zero) */
 -        }
 -        if (!(reg & 4)) {
 -            mask |= XPSR_NZCV | XPSR_Q; /* APSR */
 -            if (arm_feature(env, ARM_FEATURE_THUMB_DSP)) {
 -                mask |= XPSR_GE;
 -            }
 -        }
 -        /* EPSR reads as zero */
 -        return xpsr_read(env) & mask;
 -        break;
 -    case 20: /* CONTROL */
 -    {
 -        uint32_t value = env->v7m.control[env->v7m.secure];
 -        if (!env->v7m.secure) {
 -            /* SFPA is RAZ/WI from NS; FPCA is stored in the M_REG_S bank */
 -            value |= env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK;
 -        }
 -        return value;
 -    }
 -    case 0x94: /* CONTROL_NS */
 -        /*
 -         * We have to handle this here because unprivileged Secure code
 -         * can read the NS CONTROL register.
 -         */
 -        if (!env->v7m.secure) {
 -            return 0;
 -        }
 -        return env->v7m.control[M_REG_NS] |
 -            (env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK);
 -    }
 -
 -    if (el == 0) {
 -        return 0; /* unprivileged reads others as zero */
 -    }
 -
 -    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 -        switch (reg) {
 -        case 0x88: /* MSP_NS */
 -            if (!env->v7m.secure) {
 -                return 0;
 -            }
 -            return env->v7m.other_ss_msp;
 -        case 0x89: /* PSP_NS */
 -            if (!env->v7m.secure) {
 -                return 0;
 -            }
 -            return env->v7m.other_ss_psp;
 -        case 0x8a: /* MSPLIM_NS */
 -            if (!env->v7m.secure) {
 -                return 0;
 -            }
 -            return env->v7m.msplim[M_REG_NS];
 -        case 0x8b: /* PSPLIM_NS */
 -            if (!env->v7m.secure) {
 -                return 0;
 -            }
 -            return env->v7m.psplim[M_REG_NS];
 -        case 0x90: /* PRIMASK_NS */
 -            if (!env->v7m.secure) {
 -                return 0;
 -            }
 -            return env->v7m.primask[M_REG_NS];
 -        case 0x91: /* BASEPRI_NS */
 -            if (!env->v7m.secure) {
 -                return 0;
 -            }
 -            return env->v7m.basepri[M_REG_NS];
 -        case 0x93: /* FAULTMASK_NS */
 -            if (!env->v7m.secure) {
 -                return 0;
 -            }
 -            return env->v7m.faultmask[M_REG_NS];
 -        case 0x98: /* SP_NS */
 -        {
 -            /*
 -             * This gives the non-secure SP selected based on whether we're
 -             * currently in handler mode or not, using the NS CONTROL.SPSEL.
 -             */
 -            bool spsel = env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK;
 -
 -            if (!env->v7m.secure) {
 -                return 0;
 -            }
 -            if (!arm_v7m_is_handler_mode(env) && spsel) {
 -                return env->v7m.other_ss_psp;
 -            } else {
 -                return env->v7m.other_ss_msp;
 -            }
 -        }
 -        default:
 -            break;
 -        }
 -    }
 -
 -    switch (reg) {
 -    case 8: /* MSP */
 -        return v7m_using_psp(env) ? env->v7m.other_sp : env->regs[13];
 -    case 9: /* PSP */
 -        return v7m_using_psp(env) ? env->regs[13] : env->v7m.other_sp;
 -    case 10: /* MSPLIM */
 -        if (!arm_feature(env, ARM_FEATURE_V8)) {
 -            goto bad_reg;
 -        }
 -        return env->v7m.msplim[env->v7m.secure];
 -    case 11: /* PSPLIM */
 -        if (!arm_feature(env, ARM_FEATURE_V8)) {
 -            goto bad_reg;
 -        }
 -        return env->v7m.psplim[env->v7m.secure];
 -    case 16: /* PRIMASK */
 -        return env->v7m.primask[env->v7m.secure];
 -    case 17: /* BASEPRI */
 -    case 18: /* BASEPRI_MAX */
 -        return env->v7m.basepri[env->v7m.secure];
 -    case 19: /* FAULTMASK */
 -        return env->v7m.faultmask[env->v7m.secure];
 -    default:
 -    bad_reg:
 -        qemu_log_mask(LOG_GUEST_ERROR, "Attempt to read unknown special"
 -                                       " register %d\n", reg);
 -        return 0;
 -    }
 -}
 -
 -void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
 -{
 -    /*
 -     * We're passed bits [11..0] of the instruction; extract
 -     * SYSm and the mask bits.
 -     * Invalid combinations of SYSm and mask are UNPREDICTABLE;
 -     * we choose to treat them as if the mask bits were valid.
 -     * NB that the pseudocode 'mask' variable is bits [11..10],
 -     * whereas ours is [11..8].
 -     */
 -    uint32_t mask = extract32(maskreg, 8, 4);
 -    uint32_t reg = extract32(maskreg, 0, 8);
 -    int cur_el = arm_current_el(env);
 -
 -    if (cur_el == 0 && reg > 7 && reg != 20) {
 -        /*
 -         * only xPSR sub-fields and CONTROL.SFPA may be written by
 -         * unprivileged code
 -         */
 -        return;
 -    }
 -
 -    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 -        switch (reg) {
 -        case 0x88: /* MSP_NS */
 -            if (!env->v7m.secure) {
 -                return;
 -            }
 -            env->v7m.other_ss_msp = val;
 -            return;
 -        case 0x89: /* PSP_NS */
 -            if (!env->v7m.secure) {
 -                return;
 -            }
 -            env->v7m.other_ss_psp = val;
 -            return;
 -        case 0x8a: /* MSPLIM_NS */
 -            if (!env->v7m.secure) {
 -                return;
 -            }
 -            env->v7m.msplim[M_REG_NS] = val & ~7;
 -            return;
 -        case 0x8b: /* PSPLIM_NS */
 -            if (!env->v7m.secure) {
 -                return;
 -            }
 -            env->v7m.psplim[M_REG_NS] = val & ~7;
 -            return;
 -        case 0x90: /* PRIMASK_NS */
 -            if (!env->v7m.secure) {
 -                return;
 -            }
 -            env->v7m.primask[M_REG_NS] = val & 1;
 -            return;
 -        case 0x91: /* BASEPRI_NS */
 -            if (!env->v7m.secure || !arm_feature(env, ARM_FEATURE_M_MAIN)) {
 -                return;
 -            }
 -            env->v7m.basepri[M_REG_NS] = val & 0xff;
 -            return;
 -        case 0x93: /* FAULTMASK_NS */
 -            if (!env->v7m.secure || !arm_feature(env, ARM_FEATURE_M_MAIN)) {
 -                return;
 -            }
 -            env->v7m.faultmask[M_REG_NS] = val & 1;
 -            return;
 -        case 0x94: /* CONTROL_NS */
 -            if (!env->v7m.secure) {
 -                return;
 -            }
 -            write_v7m_control_spsel_for_secstate(env,
 -                                                 val & R_V7M_CONTROL_SPSEL_MASK,
 -                                                 M_REG_NS);
 -            if (arm_feature(env, ARM_FEATURE_M_MAIN)) {
 -                env->v7m.control[M_REG_NS] &= ~R_V7M_CONTROL_NPRIV_MASK;
 -                env->v7m.control[M_REG_NS] |= val & R_V7M_CONTROL_NPRIV_MASK;
 -            }
 -            /*
 -             * SFPA is RAZ/WI from NS. FPCA is RO if NSACR.CP10 == 0,
 -             * RES0 if the FPU is not present, and is stored in the S bank
 -             */
 -            if (arm_feature(env, ARM_FEATURE_VFP) &&
 -                extract32(env->v7m.nsacr, 10, 1)) {
 -                env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_FPCA_MASK;
 -                env->v7m.control[M_REG_S] |= val & R_V7M_CONTROL_FPCA_MASK;
 -            }
 -            return;
 -        case 0x98: /* SP_NS */
 -        {
 -            /*
 -             * This gives the non-secure SP selected based on whether we're
 -             * currently in handler mode or not, using the NS CONTROL.SPSEL.
 -             */
 -            bool spsel = env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK;
 -            bool is_psp = !arm_v7m_is_handler_mode(env) && spsel;
 -            uint32_t limit;
 -
 -            if (!env->v7m.secure) {
 -                return;
 -            }
 -
 -            limit = is_psp ? env->v7m.psplim[false] : env->v7m.msplim[false];
 -
 -            if (val < limit) {
 -                CPUState *cs = env_cpu(env);
 -
 -                cpu_restore_state(cs, GETPC(), true);
 -                raise_exception(env, EXCP_STKOF, 0, 1);
 -            }
 -
 -            if (is_psp) {
 -                env->v7m.other_ss_psp = val;
 -            } else {
 -                env->v7m.other_ss_msp = val;
 -            }
 -            return;
 -        }
 -        default:
 -            break;
 -        }
 -    }
 -
 -    switch (reg) {
 -    case 0 ... 7: /* xPSR sub-fields */
 -        /* only APSR is actually writable */
 -        if (!(reg & 4)) {
 -            uint32_t apsrmask = 0;
 -
 -            if (mask & 8) {
 -                apsrmask |= XPSR_NZCV | XPSR_Q;
 -            }
 -            if ((mask & 4) && arm_feature(env, ARM_FEATURE_THUMB_DSP)) {
 -                apsrmask |= XPSR_GE;
 -            }
 -            xpsr_write(env, val, apsrmask);
 -        }
 -        break;
 -    case 8: /* MSP */
 -        if (v7m_using_psp(env)) {
 -            env->v7m.other_sp = val;
 -        } else {
 -            env->regs[13] = val;
 -        }
 -        break;
 -    case 9: /* PSP */
 -        if (v7m_using_psp(env)) {
 -            env->regs[13] = val;
 -        } else {
 -            env->v7m.other_sp = val;
 -        }
 -        break;
 -    case 10: /* MSPLIM */
 -        if (!arm_feature(env, ARM_FEATURE_V8)) {
 -            goto bad_reg;
 -        }
 -        env->v7m.msplim[env->v7m.secure] = val & ~7;
 -        break;
 -    case 11: /* PSPLIM */
 -        if (!arm_feature(env, ARM_FEATURE_V8)) {
 -            goto bad_reg;
 -        }
 -        env->v7m.psplim[env->v7m.secure] = val & ~7;
 -        break;
 -    case 16: /* PRIMASK */
 -        env->v7m.primask[env->v7m.secure] = val & 1;
 -        break;
 -    case 17: /* BASEPRI */
 -        if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
 -            goto bad_reg;
 -        }
 -        env->v7m.basepri[env->v7m.secure] = val & 0xff;
 -        break;
 -    case 18: /* BASEPRI_MAX */
 -        if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
 -            goto bad_reg;
 -        }
 -        val &= 0xff;
 -        if (val != 0 && (val < env->v7m.basepri[env->v7m.secure]
 -                         || env->v7m.basepri[env->v7m.secure] == 0)) {
 -            env->v7m.basepri[env->v7m.secure] = val;
 -        }
 -        break;
 -    case 19: /* FAULTMASK */
 -        if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
 -            goto bad_reg;
 -        }
 -        env->v7m.faultmask[env->v7m.secure] = val & 1;
 -        break;
 -    case 20: /* CONTROL */
 -        /*
 -         * Writing to the SPSEL bit only has an effect if we are in
 -         * thread mode; other bits can be updated by any privileged code.
 -         * write_v7m_control_spsel() deals with updating the SPSEL bit in
 -         * env->v7m.control, so we only need update the others.
 -         * For v7M, we must just ignore explicit writes to SPSEL in handler
 -         * mode; for v8M the write is permitted but will have no effect.
 -         * All these bits are writes-ignored from non-privileged code,
 -         * except for SFPA.
 -         */
 -        if (cur_el > 0 && (arm_feature(env, ARM_FEATURE_V8) ||
 -                           !arm_v7m_is_handler_mode(env))) {
 -            write_v7m_control_spsel(env, (val & R_V7M_CONTROL_SPSEL_MASK) != 0);
 -        }
 -        if (cur_el > 0 && arm_feature(env, ARM_FEATURE_M_MAIN)) {
 -            env->v7m.control[env->v7m.secure] &= ~R_V7M_CONTROL_NPRIV_MASK;
 -            env->v7m.control[env->v7m.secure] |= val & R_V7M_CONTROL_NPRIV_MASK;
 -        }
 -        if (arm_feature(env, ARM_FEATURE_VFP)) {
 -            /*
 -             * SFPA is RAZ/WI from NS or if no FPU.
 -             * FPCA is RO if NSACR.CP10 == 0, RES0 if the FPU is not present.
 -             * Both are stored in the S bank.
 -             */
 -            if (env->v7m.secure) {
 -                env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
 -                env->v7m.control[M_REG_S] |= val & R_V7M_CONTROL_SFPA_MASK;
 -            }
 -            if (cur_el > 0 &&
 -                (env->v7m.secure || !arm_feature(env, ARM_FEATURE_M_SECURITY) ||
 -                 extract32(env->v7m.nsacr, 10, 1))) {
 -                env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_FPCA_MASK;
 -                env->v7m.control[M_REG_S] |= val & R_V7M_CONTROL_FPCA_MASK;
 -            }
 -        }
 -        break;
 -    default:
 -    bad_reg:
 -        qemu_log_mask(LOG_GUEST_ERROR, "Attempt to write unknown special"
 -                                       " register %d\n", reg);
 -        return;
 -    }
 -}
 -
 -uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
 -{
 -    /* Implement the TT instruction. op is bits [7:6] of the insn. */
 -    bool forceunpriv = op & 1;
 -    bool alt = op & 2;
 -    V8M_SAttributes sattrs = {};
 -    uint32_t tt_resp;
 -    bool r, rw, nsr, nsrw, mrvalid;
 -    int prot;
 -    ARMMMUFaultInfo fi = {};
 -    MemTxAttrs attrs = {};
 -    hwaddr phys_addr;
 -    ARMMMUIdx mmu_idx;
 -    uint32_t mregion;
 -    bool targetpriv;
 -    bool targetsec = env->v7m.secure;
 -    bool is_subpage;
 -
 -    /*
 -     * Work out what the security state and privilege level we're
 -     * interested in is...
 -     */
 -    if (alt) {
 -        targetsec = !targetsec;
 -    }
 -
 -    if (forceunpriv) {
 -        targetpriv = false;
 -    } else {
 -        targetpriv = arm_v7m_is_handler_mode(env) ||
 -            !(env->v7m.control[targetsec] & R_V7M_CONTROL_NPRIV_MASK);
 -    }
 -
 -    /* ...and then figure out which MMU index this is */
 -    mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, targetsec, targetpriv);
 -
 -    /*
 -     * We know that the MPU and SAU don't care about the access type
 -     * for our purposes beyond that we don't want to claim to be
 -     * an insn fetch, so we arbitrarily call this a read.
 -     */
 -
 -    /*
 -     * MPU region info only available for privileged or if
 -     * inspecting the other MPU state.
 -     */
 -    if (arm_current_el(env) != 0 || alt) {
 -        /* We can ignore the return value as prot is always set */
 -        pmsav8_mpu_lookup(env, addr, MMU_DATA_LOAD, mmu_idx,
 -                          &phys_addr, &attrs, &prot, &is_subpage,
 -                          &fi, &mregion);
 -        if (mregion == -1) {
 -            mrvalid = false;
 -            mregion = 0;
 -        } else {
 -            mrvalid = true;
 -        }
 -        r = prot & PAGE_READ;
 -        rw = prot & PAGE_WRITE;
 -    } else {
 -        r = false;
 -        rw = false;
 -        mrvalid = false;
 -        mregion = 0;
 -    }
 -
 -    if (env->v7m.secure) {
 -        v8m_security_lookup(env, addr, MMU_DATA_LOAD, mmu_idx, &sattrs);
 -        nsr = sattrs.ns && r;
 -        nsrw = sattrs.ns && rw;
 -    } else {
 -        sattrs.ns = true;
 -        nsr = false;
 -        nsrw = false;
 -    }
 -
 -    tt_resp = (sattrs.iregion << 24) |
 -        (sattrs.irvalid << 23) |
 -        ((!sattrs.ns) << 22) |
 -        (nsrw << 21) |
 -        (nsr << 20) |
 -        (rw << 19) |
 -        (r << 18) |
 -        (sattrs.srvalid << 17) |
 -        (mrvalid << 16) |
 -        (sattrs.sregion << 8) |
 -        mregion;
 -
 -    return tt_resp;
 -}
 -
  #endif
  /* Note that signed overflow is undefined in C.  The following routines are
@@ -XXX,XX +XXX,XX @@ int fp_exception_el(CPUARMState *env, int cur_el)
      return 0;
  }
 -ARMMMUIdx arm_v7m_mmu_idx_all(CPUARMState *env,
 -                              bool secstate, bool priv, bool negpri)
 -{
 -    ARMMMUIdx mmu_idx = ARM_MMU_IDX_M;
 -
 -    if (priv) {
 -        mmu_idx |= ARM_MMU_IDX_M_PRIV;
 -    }
 -
 -    if (negpri) {
 -        mmu_idx |= ARM_MMU_IDX_M_NEGPRI;
 -    }
 -
 -    if (secstate) {
 -        mmu_idx |= ARM_MMU_IDX_M_S;
 -    }
 -
 -    return mmu_idx;
 -}
 -
 -ARMMMUIdx arm_v7m_mmu_idx_for_secstate_and_priv(CPUARMState *env,
 -                                                bool secstate, bool priv)
 -{
 -    bool negpri = armv7m_nvic_neg_prio_requested(env->nvic, secstate);
 -
 -    return arm_v7m_mmu_idx_all(env, secstate, priv, negpri);
 -}
 -
 -/* Return the MMU index for a v7M CPU in the specified security state */
 +#ifndef CONFIG_TCG
  ARMMMUIdx arm_v7m_mmu_idx_for_secstate(CPUARMState *env, bool secstate)
  {
 -    bool priv = arm_current_el(env) != 0;
 -
 -    return arm_v7m_mmu_idx_for_secstate_and_priv(env, secstate, priv);
 +    g_assert_not_reached();
  }
 +#endif
  ARMMMUIdx arm_mmu_idx(CPUARMState *env)
  {
 diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/target/arm/m_helper.c
++++ b/include/hw/misc/npcm7xx_mft.h
 @@ -XXX,XX +XXX,XX @@
 +/*
-+ * ARM generic helpers.
++ * Nuvoton NPCM7xx MFT Module
 + *
-+ * This code is licensed under the GNU GPL v2 or later.
++ * Copyright 2021 Google LLC
 + *
-+ * SPDX-License-Identifier: GPL-2.0-or-later
++ * This program is free software; you can redistribute it and/or modify it
-+ */
++ * under the terms of the GNU General Public License as published by the
 + * Free Software Foundation; either version 2 of the License, or
 + * (at your option) any later version.
 + *
 + * This program is distributed in the hope that it will be useful, but WITHOUT
 + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 + * for more details.
 + */
 +#ifndef NPCM7XX_MFT_H
 +#define NPCM7XX_MFT_H
 +
 +#include "exec/memory.h"
 +#include "hw/clock.h"
 +#include "hw/irq.h"
 +#include "hw/sysbus.h"
 +#include "qom/object.h"
 +
 +/* Max Fan input number. */
 +#define NPCM7XX_MFT_MAX_FAN_INPUT 19
 +
 +/*
 + * Number of registers in one MFT module. Don't change this without increasing
 + * the version_id in vmstate.
 + */
 +#define NPCM7XX_MFT_NR_REGS (0x20 / sizeof(uint16_t))
 +
 +/*
 + * The MFT can take up to 4 inputs: A0, B0, A1, B1. It can measure one A and one
 + * B simultaneously. NPCM7XX_MFT_INASEL and NPCM7XX_MFT_INBSEL are used to
 + * select which A or B input are used.
 + */
 +#define NPCM7XX_MFT_FANIN_COUNT 4
 +
 +/**
 + * struct NPCM7xxMFTState - Multi Functional Tachometer device state.
 + * @parent: System bus device.
 + * @iomem: Memory region through which registers are accessed.
 + * @clock_in: The input clock for MFT from CLK module.
 + * @clock_{1,2}: The counter clocks for NPCM7XX_MFT_CNT{1,2}
 + * @irq: The IRQ for this MFT state.
 + * @regs: The MMIO registers.
 + * @max_rpm: The maximum rpm for fans. Order: A0, B0, A1, B1.
 + * @duty: The duty cycles for fans, relative to NPCM7XX_PWM_MAX_DUTY.
 + */
 +typedef struct NPCM7xxMFTState {
 +    SysBusDevice parent;
 +
 +    MemoryRegion iomem;
 +
 +    Clock       *clock_in;
 +    Clock       *clock_1, *clock_2;
 +    qemu_irq    irq;
 +    uint16_t    regs[NPCM7XX_MFT_NR_REGS];
 +
 +    uint32_t    max_rpm[NPCM7XX_MFT_FANIN_COUNT];
 +    uint32_t    duty[NPCM7XX_MFT_FANIN_COUNT];
 +} NPCM7xxMFTState;
 +
 +#define TYPE_NPCM7XX_MFT "npcm7xx-mft"
 +#define NPCM7XX_MFT(obj) \
 +    OBJECT_CHECK(NPCM7xxMFTState, (obj), TYPE_NPCM7XX_MFT)
 +
 +#endif /* NPCM7XX_MFT_H */
 diff --git a/hw/misc/npcm7xx_mft.c b/hw/misc/npcm7xx_mft.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/misc/npcm7xx_mft.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * Nuvoton NPCM7xx MFT Module
 + *
 + * Copyright 2021 Google LLC
 + *
 + * This program is free software; you can redistribute it and/or modify it
 + * under the terms of the GNU General Public License as published by the
 + * Free Software Foundation; either version 2 of the License, or
 + * (at your option) any later version.
 + *
 + * This program is distributed in the hope that it will be useful, but WITHOUT
 + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 + * for more details.
 + */
 +
 +#include "qemu/osdep.h"
++#include "hw/irq.h"
++#include "hw/qdev-clock.h"
++#include "hw/qdev-properties.h"
++#include "hw/misc/npcm7xx_mft.h"
++#include "hw/misc/npcm7xx_pwm.h"
++#include "hw/registerfields.h"
++#include "migration/vmstate.h"
++#include "qapi/error.h"
++#include "qapi/visitor.h"
++#include "qemu/bitops.h"
++#include "qemu/error-report.h"
++#include "qemu/log.h"
++#include "qemu/module.h"
++#include "qemu/timer.h"
 +#include "qemu/units.h"
-+#include "target/arm/idau.h"
 +#include "trace.h"
-+#include "cpu.h"
++
-+#include "internals.h"
++/*
-+#include "exec/gdbstub.h"
++ * Some of the registers can only accessed via 16-bit ops and some can only
-+#include "exec/helper-proto.h"
++ * be accessed via 8-bit ops. However we mark all of them using REG16 to
-+#include "qemu/host-utils.h"
++ * simplify implementation. npcm7xx_mft_check_mem_op checks the access length
-+#include "sysemu/sysemu.h"
++ * of memory operations.
-+#include "qemu/bitops.h"
++ */
-+#include "qemu/crc32c.h"
++REG16(NPCM7XX_MFT_CNT1, 0x00);
-+#include "qemu/qemu-print.h"
++REG16(NPCM7XX_MFT_CRA, 0x02);
-+#include "exec/exec-all.h"
++REG16(NPCM7XX_MFT_CRB, 0x04);
-+#include <zlib.h> /* For crc32 */
++REG16(NPCM7XX_MFT_CNT2, 0x06);
-+#include "hw/semihosting/semihost.h"
++REG16(NPCM7XX_MFT_PRSC, 0x08);
-+#include "sysemu/cpus.h"
++REG16(NPCM7XX_MFT_CKC, 0x0a);
-+#include "sysemu/kvm.h"
++REG16(NPCM7XX_MFT_MCTRL, 0x0c);
-+#include "qemu/range.h"
++REG16(NPCM7XX_MFT_ICTRL, 0x0e);
-+#include "qapi/qapi-commands-target.h"
++REG16(NPCM7XX_MFT_ICLR, 0x10);
-+#include "qapi/error.h"
++REG16(NPCM7XX_MFT_IEN, 0x12);
-+#include "qemu/guest-random.h"
++REG16(NPCM7XX_MFT_CPA, 0x14);
-+#ifdef CONFIG_TCG
++REG16(NPCM7XX_MFT_CPB, 0x16);
-+#include "arm_ldst.h"
++REG16(NPCM7XX_MFT_CPCFG, 0x18);
-+#include "exec/cpu_ldst.h"
++REG16(NPCM7XX_MFT_INASEL, 0x1a);
-+#endif
++REG16(NPCM7XX_MFT_INBSEL, 0x1c);
 +
-+#ifdef CONFIG_USER_ONLY
++/* Register Fields */
-+
++#define NPCM7XX_MFT_CKC_C2CSEL          BIT(3)
-+/* These should probably raise undefined insn exceptions.  */
++#define NPCM7XX_MFT_CKC_C1CSEL          BIT(0)
-+void HELPER(v7m_msr)(CPUARMState *env, uint32_t reg, uint32_t val)
++
-+{
++#define NPCM7XX_MFT_MCTRL_TBEN          BIT(6)
-+    ARMCPU *cpu = env_archcpu(env);
++#define NPCM7XX_MFT_MCTRL_TAEN          BIT(5)
-+
++#define NPCM7XX_MFT_MCTRL_TBEDG         BIT(4)
-+    cpu_abort(CPU(cpu), "v7m_msr %d\n", reg);
++#define NPCM7XX_MFT_MCTRL_TAEDG         BIT(3)
-+}
++#define NPCM7XX_MFT_MCTRL_MODE5         BIT(2)
 +
-+uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
++#define NPCM7XX_MFT_ICTRL_TFPND         BIT(5)
-+{
++#define NPCM7XX_MFT_ICTRL_TEPND         BIT(4)
-+    ARMCPU *cpu = env_archcpu(env);
++#define NPCM7XX_MFT_ICTRL_TDPND         BIT(3)
-+
++#define NPCM7XX_MFT_ICTRL_TCPND         BIT(2)
-+    cpu_abort(CPU(cpu), "v7m_mrs %d\n", reg);
++#define NPCM7XX_MFT_ICTRL_TBPND         BIT(1)
-+    return 0;
++#define NPCM7XX_MFT_ICTRL_TAPND         BIT(0)
-+}
++
-+
++#define NPCM7XX_MFT_ICLR_TFCLR          BIT(5)
-+void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
++#define NPCM7XX_MFT_ICLR_TECLR          BIT(4)
-+{
++#define NPCM7XX_MFT_ICLR_TDCLR          BIT(3)
-+    /* translate.c should never generate calls here in user-only mode */
++#define NPCM7XX_MFT_ICLR_TCCLR          BIT(2)
-+    g_assert_not_reached();
++#define NPCM7XX_MFT_ICLR_TBCLR          BIT(1)
-+}
++#define NPCM7XX_MFT_ICLR_TACLR          BIT(0)
 +
-+void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
++#define NPCM7XX_MFT_IEN_TFIEN           BIT(5)
-+{
++#define NPCM7XX_MFT_IEN_TEIEN           BIT(4)
-+    /* translate.c should never generate calls here in user-only mode */
++#define NPCM7XX_MFT_IEN_TDIEN           BIT(3)
-+    g_assert_not_reached();
++#define NPCM7XX_MFT_IEN_TCIEN           BIT(2)
-+}
++#define NPCM7XX_MFT_IEN_TBIEN           BIT(1)
-+
++#define NPCM7XX_MFT_IEN_TAIEN           BIT(0)
-+void HELPER(v7m_preserve_fp_state)(CPUARMState *env)
++
-+{
++#define NPCM7XX_MFT_CPCFG_GET_B(rv)     extract8((rv), 4, 4)
-+    /* translate.c should never generate calls here in user-only mode */
++#define NPCM7XX_MFT_CPCFG_GET_A(rv)     extract8((rv), 0, 4)
-+    g_assert_not_reached();
++#define NPCM7XX_MFT_CPCFG_HIEN          BIT(3)
-+}
++#define NPCM7XX_MFT_CPCFG_EQEN          BIT(2)
-+
++#define NPCM7XX_MFT_CPCFG_LOEN          BIT(1)
-+void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)
++#define NPCM7XX_MFT_CPCFG_CPSEL         BIT(0)
-+{
++
-+    /* translate.c should never generate calls here in user-only mode */
++#define NPCM7XX_MFT_INASEL_SELA         BIT(0)
-+    g_assert_not_reached();
++#define NPCM7XX_MFT_INBSEL_SELB         BIT(0)
-+}
++
-+
++/* Max CNT values of the module. The CNT value is a countdown from it. */
-+void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)
++#define NPCM7XX_MFT_MAX_CNT             0xFFFF
-+{
++
-+    /* translate.c should never generate calls here in user-only mode */
++/* Each fan revolution should generated 2 pulses */
-+    g_assert_not_reached();
++#define NPCM7XX_MFT_PULSE_PER_REVOLUTION 2
-+}
++
-+
++typedef enum NPCM7xxMFTCaptureState {
-+uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
++    /* capture succeeded with a valid CNT value. */
 +    NPCM7XX_CAPTURE_SUCCEED,
 +    /* capture stopped prematurely due to reaching CPCFG condition. */
 +    NPCM7XX_CAPTURE_COMPARE_HIT,
 +    /* capture fails since it reaches underflow condition for CNT. */
 +    NPCM7XX_CAPTURE_UNDERFLOW,
 +} NPCM7xxMFTCaptureState;
 +
 +static void npcm7xx_mft_reset(NPCM7xxMFTState *s)
 +{
 +    int i;
 +
 +    /* Only registers PRSC ~ INBSEL need to be reset. */
 +    for (i = R_NPCM7XX_MFT_PRSC; i <= R_NPCM7XX_MFT_INBSEL; ++i) {
 +        s->regs[i] = 0;
 +    }
 +}
 +
 +static void npcm7xx_mft_clear_interrupt(NPCM7xxMFTState *s, uint8_t iclr)
 +{
 +    /*
-+     * The TT instructions can be used by unprivileged code, but in
++     * Clear bits in ICTRL where corresponding bits in iclr is 1.
-+     * user-only emulation we don't have the MPU.
++     * Both iclr and ictrl are 8-bit regs. (See npcm7xx_mft_check_mem_op)
 +     * Luckily since we know we are NonSecure unprivileged (and that in
 +     * turn means that the A flag wasn't specified), all the bits in the
 +     * register must be zero:
 +     *  IREGION: 0 because IRVALID is 0
 +     *  IRVALID: 0 because NS
 +     *  S: 0 because NS
 +     *  NSRW: 0 because NS
 +     *  NSR: 0 because NS
 +     *  RW: 0 because unpriv and A flag not set
 +     *  R: 0 because unpriv and A flag not set
 +     *  SRVALID: 0 because NS
 +     *  MRVALID: 0 because unpriv and A flag not set
 +     *  SREGION: 0 becaus SRVALID is 0
 +     *  MREGION: 0 because MRVALID is 0
 +     */
-+    return 0;
++    s->regs[R_NPCM7XX_MFT_ICTRL] &= ~iclr;
 +}
 +
 +#else
 +
 +/*
-+ * What kind of stack write are we doing? This affects how exceptions
++ * If the CPCFG's condition should be triggered during count down from
-+ * generated during the stacking are treated.
++ * NPCM7XX_MFT_MAX_CNT to src if compared to tgt, return the count when
-+ */
++ * the condition is triggered.
-+typedef enum StackingMode {
++ * Otherwise return -1.
-+    STACK_NORMAL,
++ * Since tgt is uint16_t it must always <= NPCM7XX_MFT_MAX_CNT.
-+    STACK_IGNFAULTS,
++ */
-+    STACK_LAZYFP,
++static int npcm7xx_mft_compare(int32_t src, uint16_t tgt, uint8_t cpcfg)
-+} StackingMode;
++{
-+
++    if (cpcfg & NPCM7XX_MFT_CPCFG_HIEN) {
-+static bool v7m_stack_write(ARMCPU *cpu, uint32_t addr, uint32_t value,
++        return NPCM7XX_MFT_MAX_CNT;
-+                            ARMMMUIdx mmu_idx, StackingMode mode)
++    }
-+{
++    if ((cpcfg & NPCM7XX_MFT_CPCFG_EQEN) && (src <= tgt)) {
-+    CPUState *cs = CPU(cpu);
++        return tgt;
-+    CPUARMState *env = &cpu->env;
++    }
-+    MemTxAttrs attrs = {};
++    if ((cpcfg & NPCM7XX_MFT_CPCFG_LOEN) && (tgt > 0) && (src < tgt)) {
-+    MemTxResult txres;
++        return tgt - 1;
-+    target_ulong page_size;
++    }
-+    hwaddr physaddr;
++
-+    int prot;
++    return -1;
-+    ARMMMUFaultInfo fi = {};
++}
-+    bool secure = mmu_idx & ARM_MMU_IDX_M_S;
++
-+    int exc;
++/* Compute CNT according to corresponding fan's RPM. */
-+    bool exc_secure;
++static NPCM7xxMFTCaptureState npcm7xx_mft_compute_cnt(
-+
++    Clock *clock, uint32_t max_rpm, uint32_t duty, uint16_t tgt,
-+    if (get_phys_addr(env, addr, MMU_DATA_STORE, mmu_idx, &physaddr,
++    uint8_t cpcfg, uint16_t *cnt)
-+                      &attrs, &prot, &page_size, &fi, NULL)) {
++{
-+        /* MPU/SAU lookup failed */
++    uint32_t rpm = (uint64_t)max_rpm * (uint64_t)duty / NPCM7XX_PWM_MAX_DUTY;
-+        if (fi.type == ARMFault_QEMU_SFault) {
++    int32_t count;
-+            if (mode == STACK_LAZYFP) {
++    int stopped;
-+                qemu_log_mask(CPU_LOG_INT,
++    NPCM7xxMFTCaptureState state;
-+                              "...SecureFault with SFSR.LSPERR "
++
-+                              "during lazy stacking\n");
++    if (rpm == 0) {
-+                env->v7m.sfsr |= R_V7M_SFSR_LSPERR_MASK;
++        /*
-+            } else {
++         * If RPM = 0, capture won't happen. CNT will continue count down.
-+                qemu_log_mask(CPU_LOG_INT,
++         * So it's effective equivalent to have a cnt > NPCM7XX_MFT_MAX_CNT
-+                              "...SecureFault with SFSR.AUVIOL "
++         */
-+                              "during stacking\n");
++        count = NPCM7XX_MFT_MAX_CNT + 1;
-+                env->v7m.sfsr |= R_V7M_SFSR_AUVIOL_MASK;
++    } else {
-+            }
++        /*
-+            env->v7m.sfsr |= R_V7M_SFSR_SFARVALID_MASK;
++         * RPM = revolution/min. The time for one revlution (in ns) is
-+            env->v7m.sfar = addr;
++         * MINUTE_TO_NANOSECOND / RPM.
-+            exc = ARMV7M_EXCP_SECURE;
++         */
-+            exc_secure = false;
++        count = clock_ns_to_ticks(clock, (60 * NANOSECONDS_PER_SECOND) /
 +            (rpm * NPCM7XX_MFT_PULSE_PER_REVOLUTION));
 +    }
 +
 +    if (count > NPCM7XX_MFT_MAX_CNT) {
 +        count = -1;
 +    } else {
 +        /* The CNT is a countdown value from NPCM7XX_MFT_MAX_CNT. */
 +        count = NPCM7XX_MFT_MAX_CNT - count;
 +    }
 +    stopped = npcm7xx_mft_compare(count, tgt, cpcfg);
 +    if (stopped == -1) {
 +        if (count == -1) {
 +            /* Underflow */
 +            state = NPCM7XX_CAPTURE_UNDERFLOW;
 +        } else {
-+            if (mode == STACK_LAZYFP) {
++            state = NPCM7XX_CAPTURE_SUCCEED;
 +                qemu_log_mask(CPU_LOG_INT,
 +                              "...MemManageFault with CFSR.MLSPERR\n");
 +                env->v7m.cfsr[secure] |= R_V7M_CFSR_MLSPERR_MASK;
 +            } else {
 +                qemu_log_mask(CPU_LOG_INT,
 +                              "...MemManageFault with CFSR.MSTKERR\n");
 +                env->v7m.cfsr[secure] |= R_V7M_CFSR_MSTKERR_MASK;
 +            }
 +            exc = ARMV7M_EXCP_MEM;
 +            exc_secure = secure;
 +        }
 +        goto pend_fault;
 +    }
 +    address_space_stl_le(arm_addressspace(cs, attrs), physaddr, value,
 +                         attrs, &txres);
 +    if (txres != MEMTX_OK) {
 +        /* BusFault trying to write the data */
 +        if (mode == STACK_LAZYFP) {
 +            qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.LSPERR\n");
 +            env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_LSPERR_MASK;
 +        } else {
 +            qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.STKERR\n");
 +            env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_STKERR_MASK;
 +        }
 +        exc = ARMV7M_EXCP_BUS;
 +        exc_secure = false;
 +        goto pend_fault;
 +    }
 +    return true;
 +
 +pend_fault:
 +    /*
 +     * By pending the exception at this point we are making
 +     * the IMPDEF choice "overridden exceptions pended" (see the
 +     * MergeExcInfo() pseudocode). The other choice would be to not
 +     * pend them now and then make a choice about which to throw away
 +     * later if we have two derived exceptions.
 +     * The only case when we must not pend the exception but instead
 +     * throw it away is if we are doing the push of the callee registers
 +     * and we've already generated a derived exception (this is indicated
 +     * by the caller passing STACK_IGNFAULTS). Even in this case we will
 +     * still update the fault status registers.
 +     */
 +    switch (mode) {
 +    case STACK_NORMAL:
 +        armv7m_nvic_set_pending_derived(env->nvic, exc, exc_secure);
 +        break;
 +    case STACK_LAZYFP:
 +        armv7m_nvic_set_pending_lazyfp(env->nvic, exc, exc_secure);
 +        break;
 +    case STACK_IGNFAULTS:
 +        break;
 +    }
 +    return false;
 +}
 +
 +static bool v7m_stack_read(ARMCPU *cpu, uint32_t *dest, uint32_t addr,
 +                           ARMMMUIdx mmu_idx)
 +{
 +    CPUState *cs = CPU(cpu);
 +    CPUARMState *env = &cpu->env;
 +    MemTxAttrs attrs = {};
 +    MemTxResult txres;
 +    target_ulong page_size;
 +    hwaddr physaddr;
 +    int prot;
 +    ARMMMUFaultInfo fi = {};
 +    bool secure = mmu_idx & ARM_MMU_IDX_M_S;
 +    int exc;
 +    bool exc_secure;
 +    uint32_t value;
 +
 +    if (get_phys_addr(env, addr, MMU_DATA_LOAD, mmu_idx, &physaddr,
 +                      &attrs, &prot, &page_size, &fi, NULL)) {
 +        /* MPU/SAU lookup failed */
 +        if (fi.type == ARMFault_QEMU_SFault) {
 +            qemu_log_mask(CPU_LOG_INT,
 +                          "...SecureFault with SFSR.AUVIOL during unstack\n");
 +            env->v7m.sfsr |= R_V7M_SFSR_AUVIOL_MASK | R_V7M_SFSR_SFARVALID_MASK;
 +            env->v7m.sfar = addr;
 +            exc = ARMV7M_EXCP_SECURE;
 +            exc_secure = false;
 +        } else {
 +            qemu_log_mask(CPU_LOG_INT,
 +                          "...MemManageFault with CFSR.MUNSTKERR\n");
 +            env->v7m.cfsr[secure] |= R_V7M_CFSR_MUNSTKERR_MASK;
 +            exc = ARMV7M_EXCP_MEM;
 +            exc_secure = secure;
 +        }
 +        goto pend_fault;
 +    }
 +
 +    value = address_space_ldl(arm_addressspace(cs, attrs), physaddr,
 +                              attrs, &txres);
 +    if (txres != MEMTX_OK) {
 +        /* BusFault trying to read the data */
 +        qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.UNSTKERR\n");
 +        env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_UNSTKERR_MASK;
 +        exc = ARMV7M_EXCP_BUS;
 +        exc_secure = false;
 +        goto pend_fault;
 +    }
 +
 +    *dest = value;
 +    return true;
 +
 +pend_fault:
 +    /*
 +     * By pending the exception at this point we are making
 +     * the IMPDEF choice "overridden exceptions pended" (see the
 +     * MergeExcInfo() pseudocode). The other choice would be to not
 +     * pend them now and then make a choice about which to throw away
 +     * later if we have two derived exceptions.
 +     */
 +    armv7m_nvic_set_pending(env->nvic, exc, exc_secure);
 +    return false;
 +}
 +
 +void HELPER(v7m_preserve_fp_state)(CPUARMState *env)
 +{
 +    /*
 +     * Preserve FP state (because LSPACT was set and we are about
 +     * to execute an FP instruction). This corresponds to the
 +     * PreserveFPState() pseudocode.
 +     * We may throw an exception if the stacking fails.
 +     */
 +    ARMCPU *cpu = env_archcpu(env);
 +    bool is_secure = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK;
 +    bool negpri = !(env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_HFRDY_MASK);
 +    bool is_priv = !(env->v7m.fpccr[is_secure] & R_V7M_FPCCR_USER_MASK);
 +    bool splimviol = env->v7m.fpccr[is_secure] & R_V7M_FPCCR_SPLIMVIOL_MASK;
 +    uint32_t fpcar = env->v7m.fpcar[is_secure];
 +    bool stacked_ok = true;
 +    bool ts = is_secure && (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK);
 +    bool take_exception;
 +
 +    /* Take the iothread lock as we are going to touch the NVIC */
 +    qemu_mutex_lock_iothread();
 +
 +    /* Check the background context had access to the FPU */
 +    if (!v7m_cpacr_pass(env, is_secure, is_priv)) {
 +        armv7m_nvic_set_pending_lazyfp(env->nvic, ARMV7M_EXCP_USAGE, is_secure);
 +        env->v7m.cfsr[is_secure] |= R_V7M_CFSR_NOCP_MASK;
 +        stacked_ok = false;
 +    } else if (!is_secure && !extract32(env->v7m.nsacr, 10, 1)) {
 +        armv7m_nvic_set_pending_lazyfp(env->nvic, ARMV7M_EXCP_USAGE, M_REG_S);
 +        env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_NOCP_MASK;
 +        stacked_ok = false;
 +    }
 +
 +    if (!splimviol && stacked_ok) {
 +        /* We only stack if the stack limit wasn't violated */
 +        int i;
 +        ARMMMUIdx mmu_idx;
 +
 +        mmu_idx = arm_v7m_mmu_idx_all(env, is_secure, is_priv, negpri);
 +        for (i = 0; i < (ts ? 32 : 16); i += 2) {
 +            uint64_t dn = *aa32_vfp_dreg(env, i / 2);
 +            uint32_t faddr = fpcar + 4 * i;
 +            uint32_t slo = extract64(dn, 0, 32);
 +            uint32_t shi = extract64(dn, 32, 32);
 +
 +            if (i >= 16) {
 +                faddr += 8; /* skip the slot for the FPSCR */
 +            }
 +            stacked_ok = stacked_ok &&
 +                v7m_stack_write(cpu, faddr, slo, mmu_idx, STACK_LAZYFP) &&
 +                v7m_stack_write(cpu, faddr + 4, shi, mmu_idx, STACK_LAZYFP);
 +        }
 +
 +        stacked_ok = stacked_ok &&
 +            v7m_stack_write(cpu, fpcar + 0x40,
 +                            vfp_get_fpscr(env), mmu_idx, STACK_LAZYFP);
 +    }
 +
 +    /*
 +     * We definitely pended an exception, but it's possible that it
 +     * might not be able to be taken now. If its priority permits us
 +     * to take it now, then we must not update the LSPACT or FP regs,
 +     * but instead jump out to take the exception immediately.
 +     * If it's just pending and won't be taken until the current
 +     * handler exits, then we do update LSPACT and the FP regs.
 +     */
 +    take_exception = !stacked_ok &&
 +        armv7m_nvic_can_take_pending_exception(env->nvic);
 +
 +    qemu_mutex_unlock_iothread();
 +
 +    if (take_exception) {
 +        raise_exception_ra(env, EXCP_LAZYFP, 0, 1, GETPC());
 +    }
 +
 +    env->v7m.fpccr[is_secure] &= ~R_V7M_FPCCR_LSPACT_MASK;
 +
 +    if (ts) {
 +        /* Clear s0 to s31 and the FPSCR */
 +        int i;
 +
 +        for (i = 0; i < 32; i += 2) {
 +            *aa32_vfp_dreg(env, i / 2) = 0;
 +        }
 +        vfp_set_fpscr(env, 0);
 +    }
 +    /*
 +     * Otherwise s0 to s15 and FPSCR are UNKNOWN; we choose to leave them
 +     * unchanged.
 +     */
 +}
 +
 +/*
 + * Write to v7M CONTROL.SPSEL bit for the specified security bank.
 + * This may change the current stack pointer between Main and Process
 + * stack pointers if it is done for the CONTROL register for the current
 + * security state.
 + */
 +static void write_v7m_control_spsel_for_secstate(CPUARMState *env,
 +                                                 bool new_spsel,
 +                                                 bool secstate)
 +{
 +    bool old_is_psp = v7m_using_psp(env);
 +
 +    env->v7m.control[secstate] =
 +        deposit32(env->v7m.control[secstate],
 +                  R_V7M_CONTROL_SPSEL_SHIFT,
 +                  R_V7M_CONTROL_SPSEL_LENGTH, new_spsel);
 +
 +    if (secstate == env->v7m.secure) {
 +        bool new_is_psp = v7m_using_psp(env);
 +        uint32_t tmp;
 +
 +        if (old_is_psp != new_is_psp) {
 +            tmp = env->v7m.other_sp;
 +            env->v7m.other_sp = env->regs[13];
 +            env->regs[13] = tmp;
 +        }
 +    }
 +}
 +
 +/*
 + * Write to v7M CONTROL.SPSEL bit. This may change the current
 + * stack pointer between Main and Process stack pointers.
 + */
 +static void write_v7m_control_spsel(CPUARMState *env, bool new_spsel)
 +{
 +    write_v7m_control_spsel_for_secstate(env, new_spsel, env->v7m.secure);
 +}
 +
 +void write_v7m_exception(CPUARMState *env, uint32_t new_exc)
 +{
 +    /*
 +     * Write a new value to v7m.exception, thus transitioning into or out
 +     * of Handler mode; this may result in a change of active stack pointer.
 +     */
 +    bool new_is_psp, old_is_psp = v7m_using_psp(env);
 +    uint32_t tmp;
 +
 +    env->v7m.exception = new_exc;
 +
 +    new_is_psp = v7m_using_psp(env);
 +
 +    if (old_is_psp != new_is_psp) {
 +        tmp = env->v7m.other_sp;
 +        env->v7m.other_sp = env->regs[13];
 +        env->regs[13] = tmp;
 +    }
 +}
 +
 +/* Switch M profile security state between NS and S */
 +static void switch_v7m_security_state(CPUARMState *env, bool new_secstate)
 +{
 +    uint32_t new_ss_msp, new_ss_psp;
 +
 +    if (env->v7m.secure == new_secstate) {
 +        return;
 +    }
 +
 +    /*
 +     * All the banked state is accessed by looking at env->v7m.secure
 +     * except for the stack pointer; rearrange the SP appropriately.
 +     */
 +    new_ss_msp = env->v7m.other_ss_msp;
 +    new_ss_psp = env->v7m.other_ss_psp;
 +
 +    if (v7m_using_psp(env)) {
 +        env->v7m.other_ss_psp = env->regs[13];
 +        env->v7m.other_ss_msp = env->v7m.other_sp;
 +    } else {
 +        env->v7m.other_ss_msp = env->regs[13];
 +        env->v7m.other_ss_psp = env->v7m.other_sp;
 +    }
 +
 +    env->v7m.secure = new_secstate;
 +
 +    if (v7m_using_psp(env)) {
 +        env->regs[13] = new_ss_psp;
 +        env->v7m.other_sp = new_ss_msp;
 +    } else {
 +        env->regs[13] = new_ss_msp;
 +        env->v7m.other_sp = new_ss_psp;
 +    }
 +}
 +
 +void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
 +{
 +    /*
 +     * Handle v7M BXNS:
 +     *  - if the return value is a magic value, do exception return (like BX)
 +     *  - otherwise bit 0 of the return value is the target security state
 +     */
 +    uint32_t min_magic;
 +
 +    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 +        /* Covers FNC_RETURN and EXC_RETURN magic */
 +        min_magic = FNC_RETURN_MIN_MAGIC;
 +    } else {
 +        /* EXC_RETURN magic only */
 +        min_magic = EXC_RETURN_MIN_MAGIC;
 +    }
 +
 +    if (dest >= min_magic) {
 +        /*
 +         * This is an exception return magic value; put it where
 +         * do_v7m_exception_exit() expects and raise EXCEPTION_EXIT.
 +         * Note that if we ever add gen_ss_advance() singlestep support to
 +         * M profile this should count as an "instruction execution complete"
 +         * event (compare gen_bx_excret_final_code()).
 +         */
 +        env->regs[15] = dest & ~1;
 +        env->thumb = dest & 1;
 +        HELPER(exception_internal)(env, EXCP_EXCEPTION_EXIT);
 +        /* notreached */
 +    }
 +
 +    /* translate.c should have made BXNS UNDEF unless we're secure */
 +    assert(env->v7m.secure);
 +
 +    if (!(dest & 1)) {
 +        env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
 +    }
 +    switch_v7m_security_state(env, dest & 1);
 +    env->thumb = 1;
 +    env->regs[15] = dest & ~1;
 +}
 +
 +void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
 +{
 +    /*
 +     * Handle v7M BLXNS:
 +     *  - bit 0 of the destination address is the target security state
 +     */
 +
 +    /* At this point regs[15] is the address just after the BLXNS */
 +    uint32_t nextinst = env->regs[15] | 1;
 +    uint32_t sp = env->regs[13] - 8;
 +    uint32_t saved_psr;
 +
 +    /* translate.c will have made BLXNS UNDEF unless we're secure */
 +    assert(env->v7m.secure);
 +
 +    if (dest & 1) {
 +        /*
 +         * Target is Secure, so this is just a normal BLX,
 +         * except that the low bit doesn't indicate Thumb/not.
 +         */
 +        env->regs[14] = nextinst;
 +        env->thumb = 1;
 +        env->regs[15] = dest & ~1;
 +        return;
 +    }
 +
 +    /* Target is non-secure: first push a stack frame */
 +    if (!QEMU_IS_ALIGNED(sp, 8)) {
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "BLXNS with misaligned SP is UNPREDICTABLE\n");
 +    }
 +
 +    if (sp < v7m_sp_limit(env)) {
 +        raise_exception(env, EXCP_STKOF, 0, 1);
 +    }
 +
 +    saved_psr = env->v7m.exception;
 +    if (env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK) {
 +        saved_psr |= XPSR_SFPA;
 +    }
 +
 +    /* Note that these stores can throw exceptions on MPU faults */
 +    cpu_stl_data(env, sp, nextinst);
 +    cpu_stl_data(env, sp + 4, saved_psr);
 +
 +    env->regs[13] = sp;
 +    env->regs[14] = 0xfeffffff;
 +    if (arm_v7m_is_handler_mode(env)) {
 +        /*
 +         * Write a dummy value to IPSR, to avoid leaking the current secure
 +         * exception number to non-secure code. This is guaranteed not
 +         * to cause write_v7m_exception() to actually change stacks.
 +         */
 +        write_v7m_exception(env, 1);
 +    }
 +    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
 +    switch_v7m_security_state(env, 0);
 +    env->thumb = 1;
 +    env->regs[15] = dest;
 +}
 +
 +static uint32_t *get_v7m_sp_ptr(CPUARMState *env, bool secure, bool threadmode,
 +                                bool spsel)
 +{
 +    /*
 +     * Return a pointer to the location where we currently store the
 +     * stack pointer for the requested security state and thread mode.
 +     * This pointer will become invalid if the CPU state is updated
 +     * such that the stack pointers are switched around (eg changing
 +     * the SPSEL control bit).
 +     * Compare the v8M ARM ARM pseudocode LookUpSP_with_security_mode().
 +     * Unlike that pseudocode, we require the caller to pass us in the
 +     * SPSEL control bit value; this is because we also use this
 +     * function in handling of pushing of the callee-saves registers
 +     * part of the v8M stack frame (pseudocode PushCalleeStack()),
 +     * and in the tailchain codepath the SPSEL bit comes from the exception
 +     * return magic LR value from the previous exception. The pseudocode
 +     * opencodes the stack-selection in PushCalleeStack(), but we prefer
 +     * to make this utility function generic enough to do the job.
 +     */
 +    bool want_psp = threadmode && spsel;
 +
 +    if (secure == env->v7m.secure) {
 +        if (want_psp == v7m_using_psp(env)) {
 +            return &env->regs[13];
 +        } else {
 +            return &env->v7m.other_sp;
 +        }
 +    } else {
-+        if (want_psp) {
++        count = stopped;
-+            return &env->v7m.other_ss_psp;
++        state = NPCM7XX_CAPTURE_COMPARE_HIT;
-+        } else {
++    }
-+            return &env->v7m.other_ss_msp;
++
-+        }
++    if (count != -1) {
-+    }
++        *cnt = count;
-+}
++    }
-+
++    trace_npcm7xx_mft_rpm(clock->canonical_path, clock_get_hz(clock),
-+static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
++                          state, count, rpm, duty);
-+                                uint32_t *pvec)
++    return state;
-+{
++}
-+    CPUState *cs = CPU(cpu);
++
-+    CPUARMState *env = &cpu->env;
++/*
-+    MemTxResult result;
++ * Capture Fan RPM and update CNT and CR registers accordingly.
-+    uint32_t addr = env->v7m.vecbase[targets_secure] + exc * 4;
++ * Raise IRQ if certain contidions are met in IEN.
-+    uint32_t vector_entry;
++ */
-+    MemTxAttrs attrs = {};
++static void npcm7xx_mft_capture(NPCM7xxMFTState *s)
-+    ARMMMUIdx mmu_idx;
++{
-+    bool exc_secure;
++    int irq_level = 0;
-+
++    NPCM7xxMFTCaptureState state;
-+    mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, targets_secure, true);
++    int sel;
 +    uint8_t cpcfg;
 +
 +    /*
-+     * We don't do a get_phys_addr() here because the rules for vector
++     * If not mode 5, the behavior is undefined. We just do nothing in this
-+     * loads are special: they always use the default memory map, and
++     * case.
 +     * the default memory map permits reads from all addresses.
 +     * Since there's no easy way to pass through to pmsav8_mpu_lookup()
 +     * that we want this special case which would always say "yes",
 +     * we just do the SAU lookup here followed by a direct physical load.
 +     */
-+    attrs.secure = targets_secure;
++    if (!(s->regs[R_NPCM7XX_MFT_MCTRL] & NPCM7XX_MFT_MCTRL_MODE5)) {
 +    attrs.user = false;
 +
 +    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 +        V8M_SAttributes sattrs = {};
 +
 +        v8m_security_lookup(env, addr, MMU_DATA_LOAD, mmu_idx, &sattrs);
 +        if (sattrs.ns) {
 +            attrs.secure = false;
 +        } else if (!targets_secure) {
 +            /* NS access to S memory */
 +            goto load_fail;
 +        }
 +    }
 +
 +    vector_entry = address_space_ldl(arm_addressspace(cs, attrs), addr,
 +                                     attrs, &result);
 +    if (result != MEMTX_OK) {
 +        goto load_fail;
 +    }
 +    *pvec = vector_entry;
 +    return true;
 +
 +load_fail:
 +    /*
 +     * All vector table fetch fails are reported as HardFault, with
 +     * HFSR.VECTTBL and .FORCED set. (FORCED is set because
 +     * technically the underlying exception is a MemManage or BusFault
 +     * that is escalated to HardFault.) This is a terminal exception,
 +     * so we will either take the HardFault immediately or else enter
 +     * lockup (the latter case is handled in armv7m_nvic_set_pending_derived()).
 +     */
 +    exc_secure = targets_secure ||
 +        !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
 +    env->v7m.hfsr |= R_V7M_HFSR_VECTTBL_MASK | R_V7M_HFSR_FORCED_MASK;
 +    armv7m_nvic_set_pending_derived(env->nvic, ARMV7M_EXCP_HARD, exc_secure);
 +    return false;
 +}
 +
 +static uint32_t v7m_integrity_sig(CPUARMState *env, uint32_t lr)
 +{
 +    /*
 +     * Return the integrity signature value for the callee-saves
 +     * stack frame section. @lr is the exception return payload/LR value
 +     * whose FType bit forms bit 0 of the signature if FP is present.
 +     */
 +    uint32_t sig = 0xfefa125a;
 +
 +    if (!arm_feature(env, ARM_FEATURE_VFP) || (lr & R_V7M_EXCRET_FTYPE_MASK)) {
 +        sig |= 1;
 +    }
 +    return sig;
 +}
 +
 +static bool v7m_push_callee_stack(ARMCPU *cpu, uint32_t lr, bool dotailchain,
 +                                  bool ignore_faults)
 +{
 +    /*
 +     * For v8M, push the callee-saves register part of the stack frame.
 +     * Compare the v8M pseudocode PushCalleeStack().
 +     * In the tailchaining case this may not be the current stack.
 +     */
 +    CPUARMState *env = &cpu->env;
 +    uint32_t *frame_sp_p;
 +    uint32_t frameptr;
 +    ARMMMUIdx mmu_idx;
 +    bool stacked_ok;
 +    uint32_t limit;
 +    bool want_psp;
 +    uint32_t sig;
 +    StackingMode smode = ignore_faults ? STACK_IGNFAULTS : STACK_NORMAL;
 +
 +    if (dotailchain) {
 +        bool mode = lr & R_V7M_EXCRET_MODE_MASK;
 +        bool priv = !(env->v7m.control[M_REG_S] & R_V7M_CONTROL_NPRIV_MASK) ||
 +            !mode;
 +
 +        mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, M_REG_S, priv);
 +        frame_sp_p = get_v7m_sp_ptr(env, M_REG_S, mode,
 +                                    lr & R_V7M_EXCRET_SPSEL_MASK);
 +        want_psp = mode && (lr & R_V7M_EXCRET_SPSEL_MASK);
 +        if (want_psp) {
 +            limit = env->v7m.psplim[M_REG_S];
 +        } else {
 +            limit = env->v7m.msplim[M_REG_S];
 +        }
 +    } else {
 +        mmu_idx = arm_mmu_idx(env);
 +        frame_sp_p = &env->regs[13];
 +        limit = v7m_sp_limit(env);
 +    }
 +
 +    frameptr = *frame_sp_p - 0x28;
 +    if (frameptr < limit) {
 +        /*
 +         * Stack limit failure: set SP to the limit value, and generate
 +         * STKOF UsageFault. Stack pushes below the limit must not be
 +         * performed. It is IMPDEF whether pushes above the limit are
 +         * performed; we choose not to.
 +         */
 +        qemu_log_mask(CPU_LOG_INT,
 +                      "...STKOF during callee-saves register stacking\n");
 +        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
 +                                env->v7m.secure);
 +        *frame_sp_p = limit;
 +        return true;
 +    }
 +
 +    /*
 +     * Write as much of the stack frame as we can. A write failure may
 +     * cause us to pend a derived exception.
 +     */
 +    sig = v7m_integrity_sig(env, lr);
 +    stacked_ok =
 +        v7m_stack_write(cpu, frameptr, sig, mmu_idx, smode) &&
 +        v7m_stack_write(cpu, frameptr + 0x8, env->regs[4], mmu_idx, smode) &&
 +        v7m_stack_write(cpu, frameptr + 0xc, env->regs[5], mmu_idx, smode) &&
 +        v7m_stack_write(cpu, frameptr + 0x10, env->regs[6], mmu_idx, smode) &&
 +        v7m_stack_write(cpu, frameptr + 0x14, env->regs[7], mmu_idx, smode) &&
 +        v7m_stack_write(cpu, frameptr + 0x18, env->regs[8], mmu_idx, smode) &&
 +        v7m_stack_write(cpu, frameptr + 0x1c, env->regs[9], mmu_idx, smode) &&
 +        v7m_stack_write(cpu, frameptr + 0x20, env->regs[10], mmu_idx, smode) &&
 +        v7m_stack_write(cpu, frameptr + 0x24, env->regs[11], mmu_idx, smode);
 +
 +    /* Update SP regardless of whether any of the stack accesses failed. */
 +    *frame_sp_p = frameptr;
 +
 +    return !stacked_ok;
 +}
 +
 +static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
 +                                bool ignore_stackfaults)
 +{
 +    /*
 +     * Do the "take the exception" parts of exception entry,
 +     * but not the pushing of state to the stack. This is
 +     * similar to the pseudocode ExceptionTaken() function.
 +     */
 +    CPUARMState *env = &cpu->env;
 +    uint32_t addr;
 +    bool targets_secure;
 +    int exc;
 +    bool push_failed = false;
 +
 +    armv7m_nvic_get_pending_irq_info(env->nvic, &exc, &targets_secure);
 +    qemu_log_mask(CPU_LOG_INT, "...taking pending %s exception %d\n",
 +                  targets_secure ? "secure" : "nonsecure", exc);
 +
 +    if (dotailchain) {
 +        /* Sanitize LR FType and PREFIX bits */
 +        if (!arm_feature(env, ARM_FEATURE_VFP)) {
 +            lr |= R_V7M_EXCRET_FTYPE_MASK;
 +        }
 +        lr = deposit32(lr, 24, 8, 0xff);
 +    }
 +
 +    if (arm_feature(env, ARM_FEATURE_V8)) {
 +        if (arm_feature(env, ARM_FEATURE_M_SECURITY) &&
 +            (lr & R_V7M_EXCRET_S_MASK)) {
 +            /*
 +             * The background code (the owner of the registers in the
 +             * exception frame) is Secure. This means it may either already
 +             * have or now needs to push callee-saves registers.
 +             */
 +            if (targets_secure) {
 +                if (dotailchain && !(lr & R_V7M_EXCRET_ES_MASK)) {
 +                    /*
 +                     * We took an exception from Secure to NonSecure
 +                     * (which means the callee-saved registers got stacked)
 +                     * and are now tailchaining to a Secure exception.
 +                     * Clear DCRS so eventual return from this Secure
 +                     * exception unstacks the callee-saved registers.
 +                     */
 +                    lr &= ~R_V7M_EXCRET_DCRS_MASK;
 +                }
 +            } else {
 +                /*
 +                 * We're going to a non-secure exception; push the
 +                 * callee-saves registers to the stack now, if they're
 +                 * not already saved.
 +                 */
 +                if (lr & R_V7M_EXCRET_DCRS_MASK &&
 +                    !(dotailchain && !(lr & R_V7M_EXCRET_ES_MASK))) {
 +                    push_failed = v7m_push_callee_stack(cpu, lr, dotailchain,
 +                                                        ignore_stackfaults);
 +                }
 +                lr |= R_V7M_EXCRET_DCRS_MASK;
 +            }
 +        }
 +
 +        lr &= ~R_V7M_EXCRET_ES_MASK;
 +        if (targets_secure || !arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 +            lr |= R_V7M_EXCRET_ES_MASK;
 +        }
 +        lr &= ~R_V7M_EXCRET_SPSEL_MASK;
 +        if (env->v7m.control[targets_secure] & R_V7M_CONTROL_SPSEL_MASK) {
 +            lr |= R_V7M_EXCRET_SPSEL_MASK;
 +        }
 +
 +        /*
 +         * Clear registers if necessary to prevent non-secure exception
 +         * code being able to see register values from secure code.
 +         * Where register values become architecturally UNKNOWN we leave
 +         * them with their previous values.
 +         */
 +        if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 +            if (!targets_secure) {
 +                /*
 +                 * Always clear the caller-saved registers (they have been
 +                 * pushed to the stack earlier in v7m_push_stack()).
 +                 * Clear callee-saved registers if the background code is
 +                 * Secure (in which case these regs were saved in
 +                 * v7m_push_callee_stack()).
 +                 */
 +                int i;
 +
 +                for (i = 0; i < 13; i++) {
 +                    /* r4..r11 are callee-saves, zero only if EXCRET.S == 1 */
 +                    if (i < 4 || i > 11 || (lr & R_V7M_EXCRET_S_MASK)) {
 +                        env->regs[i] = 0;
 +                    }
 +                }
 +                /* Clear EAPSR */
 +                xpsr_write(env, 0, XPSR_NZCV | XPSR_Q | XPSR_GE | XPSR_IT);
 +            }
 +        }
 +    }
 +
 +    if (push_failed && !ignore_stackfaults) {
 +        /*
 +         * Derived exception on callee-saves register stacking:
 +         * we might now want to take a different exception which
 +         * targets a different security state, so try again from the top.
 +         */
 +        qemu_log_mask(CPU_LOG_INT,
 +                      "...derived exception on callee-saves register stacking");
 +        v7m_exception_taken(cpu, lr, true, true);
 +        return;
 +    }
 +
-+    if (!arm_v7m_load_vector(cpu, exc, targets_secure, &addr)) {
++    /* Capture input A. */
-+        /* Vector load failed: derived exception */
++    if (s->regs[R_NPCM7XX_MFT_MCTRL] & NPCM7XX_MFT_MCTRL_TAEN &&
-+        qemu_log_mask(CPU_LOG_INT, "...derived exception on vector table load");
++        s->regs[R_NPCM7XX_MFT_CKC] & NPCM7XX_MFT_CKC_C1CSEL) {
-+        v7m_exception_taken(cpu, lr, true, true);
++        sel = s->regs[R_NPCM7XX_MFT_INASEL] & NPCM7XX_MFT_INASEL_SELA;
-+        return;
++        cpcfg = NPCM7XX_MFT_CPCFG_GET_A(s->regs[R_NPCM7XX_MFT_CPCFG]);
-+    }
++        state = npcm7xx_mft_compute_cnt(s->clock_1,
-+
++                                        sel ? s->max_rpm[2] : s->max_rpm[0],
-+    /*
++                                        sel ? s->duty[2] : s->duty[0],
-+     * Now we've done everything that might cause a derived exception
++                                        s->regs[R_NPCM7XX_MFT_CPA],
-+     * we can go ahead and activate whichever exception we're going to
++                                        cpcfg,
-+     * take (which might now be the derived exception).
++                                        &s->regs[R_NPCM7XX_MFT_CNT1]);
-+     */
++        switch (state) {
-+    armv7m_nvic_acknowledge_irq(env->nvic);
++        case NPCM7XX_CAPTURE_SUCCEED:
-+
++            /* Interrupt on input capture on TAn transition - TAPND */
-+    /* Switch to target security state -- must do this before writing SPSEL */
++            s->regs[R_NPCM7XX_MFT_CRA] = s->regs[R_NPCM7XX_MFT_CNT1];
-+    switch_v7m_security_state(env, targets_secure);
++            s->regs[R_NPCM7XX_MFT_ICTRL] |= NPCM7XX_MFT_ICTRL_TAPND;
-+    write_v7m_control_spsel(env, 0);
++            if (s->regs[R_NPCM7XX_MFT_IEN] & NPCM7XX_MFT_IEN_TAIEN) {
-+    arm_clear_exclusive(env);
++                irq_level = 1;
 +    /* Clear SFPA and FPCA (has no effect if no FPU) */
 +    env->v7m.control[M_REG_S] &=
 +        ~(R_V7M_CONTROL_FPCA_MASK | R_V7M_CONTROL_SFPA_MASK);
 +    /* Clear IT bits */
 +    env->condexec_bits = 0;
 +    env->regs[14] = lr;
 +    env->regs[15] = addr & 0xfffffffe;
 +    env->thumb = addr & 1;
 +}
 +
 +static void v7m_update_fpccr(CPUARMState *env, uint32_t frameptr,
 +                             bool apply_splim)
 +{
 +    /*
 +     * Like the pseudocode UpdateFPCCR: save state in FPCAR and FPCCR
 +     * that we will need later in order to do lazy FP reg stacking.
 +     */
 +    bool is_secure = env->v7m.secure;
 +    void *nvic = env->nvic;
 +    /*
 +     * Some bits are unbanked and live always in fpccr[M_REG_S]; some bits
 +     * are banked and we want to update the bit in the bank for the
 +     * current security state; and in one case we want to specifically
 +     * update the NS banked version of a bit even if we are secure.
 +     */
 +    uint32_t *fpccr_s = &env->v7m.fpccr[M_REG_S];
 +    uint32_t *fpccr_ns = &env->v7m.fpccr[M_REG_NS];
 +    uint32_t *fpccr = &env->v7m.fpccr[is_secure];
 +    bool hfrdy, bfrdy, mmrdy, ns_ufrdy, s_ufrdy, sfrdy, monrdy;
 +
 +    env->v7m.fpcar[is_secure] = frameptr & ~0x7;
 +
 +    if (apply_splim && arm_feature(env, ARM_FEATURE_V8)) {
 +        bool splimviol;
 +        uint32_t splim = v7m_sp_limit(env);
 +        bool ign = armv7m_nvic_neg_prio_requested(nvic, is_secure) &&
 +            (env->v7m.ccr[is_secure] & R_V7M_CCR_STKOFHFNMIGN_MASK);
 +
 +        splimviol = !ign && frameptr < splim;
 +        *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, SPLIMVIOL, splimviol);
 +    }
 +
 +    *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, LSPACT, 1);
 +
 +    *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, S, is_secure);
 +
 +    *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, USER, arm_current_el(env) == 0);
 +
 +    *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, THREAD,
 +                        !arm_v7m_is_handler_mode(env));
 +
 +    hfrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_HARD, false);
 +    *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, HFRDY, hfrdy);
 +
 +    bfrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_BUS, false);
 +    *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, BFRDY, bfrdy);
 +
 +    mmrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_MEM, is_secure);
 +    *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, MMRDY, mmrdy);
 +
 +    ns_ufrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_USAGE, false);
 +    *fpccr_ns = FIELD_DP32(*fpccr_ns, V7M_FPCCR, UFRDY, ns_ufrdy);
 +
 +    monrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_DEBUG, false);
 +    *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, MONRDY, monrdy);
 +
 +    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 +        s_ufrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_USAGE, true);
 +        *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, UFRDY, s_ufrdy);
 +
 +        sfrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_SECURE, false);
 +        *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, SFRDY, sfrdy);
 +    }
 +}
 +
 +void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)
 +{
 +    /* fptr is the value of Rn, the frame pointer we store the FP regs to */
 +    bool s = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK;
 +    bool lspact = env->v7m.fpccr[s] & R_V7M_FPCCR_LSPACT_MASK;
 +
 +    assert(env->v7m.secure);
 +
 +    if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK)) {
 +        return;
 +    }
 +
 +    /* Check access to the coprocessor is permitted */
 +    if (!v7m_cpacr_pass(env, true, arm_current_el(env) != 0)) {
 +        raise_exception_ra(env, EXCP_NOCP, 0, 1, GETPC());
 +    }
 +
 +    if (lspact) {
 +        /* LSPACT should not be active when there is active FP state */
 +        raise_exception_ra(env, EXCP_LSERR, 0, 1, GETPC());
 +    }
 +
 +    if (fptr & 7) {
 +        raise_exception_ra(env, EXCP_UNALIGNED, 0, 1, GETPC());
 +    }
 +
 +    /*
 +     * Note that we do not use v7m_stack_write() here, because the
 +     * accesses should not set the FSR bits for stacking errors if they
 +     * fail. (In pseudocode terms, they are AccType_NORMAL, not AccType_STACK
 +     * or AccType_LAZYFP). Faults in cpu_stl_data() will throw exceptions
 +     * and longjmp out.
 +     */
 +    if (!(env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPEN_MASK)) {
 +        bool ts = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK;
 +        int i;
 +
 +        for (i = 0; i < (ts ? 32 : 16); i += 2) {
 +            uint64_t dn = *aa32_vfp_dreg(env, i / 2);
 +            uint32_t faddr = fptr + 4 * i;
 +            uint32_t slo = extract64(dn, 0, 32);
 +            uint32_t shi = extract64(dn, 32, 32);
 +
 +            if (i >= 16) {
 +                faddr += 8; /* skip the slot for the FPSCR */
 +            }
 +            cpu_stl_data(env, faddr, slo);
 +            cpu_stl_data(env, faddr + 4, shi);
 +        }
 +        cpu_stl_data(env, fptr + 0x40, vfp_get_fpscr(env));
 +
 +        /*
 +         * If TS is 0 then s0 to s15 and FPSCR are UNKNOWN; we choose to
 +         * leave them unchanged, matching our choice in v7m_preserve_fp_state.
 +         */
 +        if (ts) {
 +            for (i = 0; i < 32; i += 2) {
 +                *aa32_vfp_dreg(env, i / 2) = 0;
 +            }
 +            vfp_set_fpscr(env, 0);
 +        }
 +    } else {
 +        v7m_update_fpccr(env, fptr, false);
 +    }
 +
 +    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_FPCA_MASK;
 +}
 +
 +void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)
 +{
 +    /* fptr is the value of Rn, the frame pointer we load the FP regs from */
 +    assert(env->v7m.secure);
 +
 +    if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK)) {
 +        return;
 +    }
 +
 +    /* Check access to the coprocessor is permitted */
 +    if (!v7m_cpacr_pass(env, true, arm_current_el(env) != 0)) {
 +        raise_exception_ra(env, EXCP_NOCP, 0, 1, GETPC());
 +    }
 +
 +    if (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPACT_MASK) {
 +        /* State in FP is still valid */
 +        env->v7m.fpccr[M_REG_S] &= ~R_V7M_FPCCR_LSPACT_MASK;
 +    } else {
 +        bool ts = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK;
 +        int i;
 +        uint32_t fpscr;
 +
 +        if (fptr & 7) {
 +            raise_exception_ra(env, EXCP_UNALIGNED, 0, 1, GETPC());
 +        }
 +
 +        for (i = 0; i < (ts ? 32 : 16); i += 2) {
 +            uint32_t slo, shi;
 +            uint64_t dn;
 +            uint32_t faddr = fptr + 4 * i;
 +
 +            if (i >= 16) {
 +                faddr += 8; /* skip the slot for the FPSCR */
 +            }
 +
 +            slo = cpu_ldl_data(env, faddr);
 +            shi = cpu_ldl_data(env, faddr + 4);
 +
 +            dn = (uint64_t) shi << 32 | slo;
 +            *aa32_vfp_dreg(env, i / 2) = dn;
 +        }
 +        fpscr = cpu_ldl_data(env, fptr + 0x40);
 +        vfp_set_fpscr(env, fpscr);
 +    }
 +
 +    env->v7m.control[M_REG_S] |= R_V7M_CONTROL_FPCA_MASK;
 +}
 +
 +static bool v7m_push_stack(ARMCPU *cpu)
 +{
 +    /*
 +     * Do the "set up stack frame" part of exception entry,
 +     * similar to pseudocode PushStack().
 +     * Return true if we generate a derived exception (and so
 +     * should ignore further stack faults trying to process
 +     * that derived exception.)
 +     */
 +    bool stacked_ok = true, limitviol = false;
 +    CPUARMState *env = &cpu->env;
 +    uint32_t xpsr = xpsr_read(env);
 +    uint32_t frameptr = env->regs[13];
 +    ARMMMUIdx mmu_idx = arm_mmu_idx(env);
 +    uint32_t framesize;
 +    bool nsacr_cp10 = extract32(env->v7m.nsacr, 10, 1);
 +
 +    if ((env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK) &&
 +        (env->v7m.secure || nsacr_cp10)) {
 +        if (env->v7m.secure &&
 +            env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK) {
 +            framesize = 0xa8;
 +        } else {
 +            framesize = 0x68;
 +        }
 +    } else {
 +        framesize = 0x20;
 +    }
 +
 +    /* Align stack pointer if the guest wants that */
 +    if ((frameptr & 4) &&
 +        (env->v7m.ccr[env->v7m.secure] & R_V7M_CCR_STKALIGN_MASK)) {
 +        frameptr -= 4;
 +        xpsr |= XPSR_SPREALIGN;
 +    }
 +
 +    xpsr &= ~XPSR_SFPA;
 +    if (env->v7m.secure &&
 +        (env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK)) {
 +        xpsr |= XPSR_SFPA;
 +    }
 +
 +    frameptr -= framesize;
 +
 +    if (arm_feature(env, ARM_FEATURE_V8)) {
 +        uint32_t limit = v7m_sp_limit(env);
 +
 +        if (frameptr < limit) {
 +            /*
 +             * Stack limit failure: set SP to the limit value, and generate
 +             * STKOF UsageFault. Stack pushes below the limit must not be
 +             * performed. It is IMPDEF whether pushes above the limit are
 +             * performed; we choose not to.
 +             */
 +            qemu_log_mask(CPU_LOG_INT,
 +                          "...STKOF during stacking\n");
 +            env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;
 +            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
 +                                    env->v7m.secure);
 +            env->regs[13] = limit;
 +            /*
 +             * We won't try to perform any further memory accesses but
 +             * we must continue through the following code to check for
 +             * permission faults during FPU state preservation, and we
 +             * must update FPCCR if lazy stacking is enabled.
 +             */
 +            limitviol = true;
 +            stacked_ok = false;
 +        }
 +    }
 +
 +    /*
 +     * Write as much of the stack frame as we can. If we fail a stack
 +     * write this will result in a derived exception being pended
 +     * (which may be taken in preference to the one we started with
 +     * if it has higher priority).
 +     */
 +    stacked_ok = stacked_ok &&
 +        v7m_stack_write(cpu, frameptr, env->regs[0], mmu_idx, STACK_NORMAL) &&
 +        v7m_stack_write(cpu, frameptr + 4, env->regs[1],
 +                        mmu_idx, STACK_NORMAL) &&
 +        v7m_stack_write(cpu, frameptr + 8, env->regs[2],
 +                        mmu_idx, STACK_NORMAL) &&
 +        v7m_stack_write(cpu, frameptr + 12, env->regs[3],
 +                        mmu_idx, STACK_NORMAL) &&
 +        v7m_stack_write(cpu, frameptr + 16, env->regs[12],
 +                        mmu_idx, STACK_NORMAL) &&
 +        v7m_stack_write(cpu, frameptr + 20, env->regs[14],
 +                        mmu_idx, STACK_NORMAL) &&
 +        v7m_stack_write(cpu, frameptr + 24, env->regs[15],
 +                        mmu_idx, STACK_NORMAL) &&
 +        v7m_stack_write(cpu, frameptr + 28, xpsr, mmu_idx, STACK_NORMAL);
 +
 +    if (env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK) {
 +        /* FPU is active, try to save its registers */
 +        bool fpccr_s = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK;
 +        bool lspact = env->v7m.fpccr[fpccr_s] & R_V7M_FPCCR_LSPACT_MASK;
 +
 +        if (lspact && arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 +            qemu_log_mask(CPU_LOG_INT,
 +                          "...SecureFault because LSPACT and FPCA both set\n");
 +            env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
 +            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 +        } else if (!env->v7m.secure && !nsacr_cp10) {
 +            qemu_log_mask(CPU_LOG_INT,
 +                          "...Secure UsageFault with CFSR.NOCP because "
 +                          "NSACR.CP10 prevents stacking FP regs\n");
 +            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, M_REG_S);
 +            env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_NOCP_MASK;
 +        } else {
 +            if (!(env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPEN_MASK)) {
 +                /* Lazy stacking disabled, save registers now */
 +                int i;
 +                bool cpacr_pass = v7m_cpacr_pass(env, env->v7m.secure,
 +                                                 arm_current_el(env) != 0);
 +
 +                if (stacked_ok && !cpacr_pass) {
 +                    /*
 +                     * Take UsageFault if CPACR forbids access. The pseudocode
 +                     * here does a full CheckCPEnabled() but we know the NSACR
 +                     * check can never fail as we have already handled that.
 +                     */
 +                    qemu_log_mask(CPU_LOG_INT,
 +                                  "...UsageFault with CFSR.NOCP because "
 +                                  "CPACR.CP10 prevents stacking FP regs\n");
 +                    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
 +                                            env->v7m.secure);
 +                    env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_NOCP_MASK;
 +                    stacked_ok = false;
 +                }
 +
 +                for (i = 0; i < ((framesize == 0xa8) ? 32 : 16); i += 2) {
 +                    uint64_t dn = *aa32_vfp_dreg(env, i / 2);
 +                    uint32_t faddr = frameptr + 0x20 + 4 * i;
 +                    uint32_t slo = extract64(dn, 0, 32);
 +                    uint32_t shi = extract64(dn, 32, 32);
 +
 +                    if (i >= 16) {
 +                        faddr += 8; /* skip the slot for the FPSCR */
 +                    }
 +                    stacked_ok = stacked_ok &&
 +                        v7m_stack_write(cpu, faddr, slo,
 +                                        mmu_idx, STACK_NORMAL) &&
 +                        v7m_stack_write(cpu, faddr + 4, shi,
 +                                        mmu_idx, STACK_NORMAL);
 +                }
 +                stacked_ok = stacked_ok &&
 +                    v7m_stack_write(cpu, frameptr + 0x60,
 +                                    vfp_get_fpscr(env), mmu_idx, STACK_NORMAL);
 +                if (cpacr_pass) {
 +                    for (i = 0; i < ((framesize == 0xa8) ? 32 : 16); i += 2) {
 +                        *aa32_vfp_dreg(env, i / 2) = 0;
 +                    }
 +                    vfp_set_fpscr(env, 0);
 +                }
 +            } else {
 +                /* Lazy stacking enabled, save necessary info to stack later */
 +                v7m_update_fpccr(env, frameptr + 0x20, true);
 +            }
 +        }
 +    }
 +
 +    /*
 +     * If we broke a stack limit then SP was already updated earlier;
 +     * otherwise we update SP regardless of whether any of the stack
 +     * accesses failed or we took some other kind of fault.
 +     */
 +    if (!limitviol) {
 +        env->regs[13] = frameptr;
 +    }
 +
 +    return !stacked_ok;
 +}
 +
 +static void do_v7m_exception_exit(ARMCPU *cpu)
 +{
 +    CPUARMState *env = &cpu->env;
 +    uint32_t excret;
 +    uint32_t xpsr, xpsr_mask;
 +    bool ufault = false;
 +    bool sfault = false;
 +    bool return_to_sp_process;
 +    bool return_to_handler;
 +    bool rettobase = false;
 +    bool exc_secure = false;
 +    bool return_to_secure;
 +    bool ftype;
 +    bool restore_s16_s31;
 +
 +    /*
 +     * If we're not in Handler mode then jumps to magic exception-exit
 +     * addresses don't have magic behaviour. However for the v8M
 +     * security extensions the magic secure-function-return has to
 +     * work in thread mode too, so to avoid doing an extra check in
 +     * the generated code we allow exception-exit magic to also cause the
 +     * internal exception and bring us here in thread mode. Correct code
 +     * will never try to do this (the following insn fetch will always
 +     * fault) so we the overhead of having taken an unnecessary exception
 +     * doesn't matter.
 +     */
 +    if (!arm_v7m_is_handler_mode(env)) {
 +        return;
 +    }
 +
 +    /*
 +     * In the spec pseudocode ExceptionReturn() is called directly
 +     * from BXWritePC() and gets the full target PC value including
 +     * bit zero. In QEMU's implementation we treat it as a normal
 +     * jump-to-register (which is then caught later on), and so split
 +     * the target value up between env->regs[15] and env->thumb in
 +     * gen_bx(). Reconstitute it.
 +     */
 +    excret = env->regs[15];
 +    if (env->thumb) {
 +        excret |= 1;
 +    }
 +
 +    qemu_log_mask(CPU_LOG_INT, "Exception return: magic PC %" PRIx32
 +                  " previous exception %d\n",
 +                  excret, env->v7m.exception);
 +
 +    if ((excret & R_V7M_EXCRET_RES1_MASK) != R_V7M_EXCRET_RES1_MASK) {
 +        qemu_log_mask(LOG_GUEST_ERROR, "M profile: zero high bits in exception "
 +                      "exit PC value 0x%" PRIx32 " are UNPREDICTABLE\n",
 +                      excret);
 +    }
 +
 +    ftype = excret & R_V7M_EXCRET_FTYPE_MASK;
 +
 +    if (!arm_feature(env, ARM_FEATURE_VFP) && !ftype) {
 +        qemu_log_mask(LOG_GUEST_ERROR, "M profile: zero FTYPE in exception "
 +                      "exit PC value 0x%" PRIx32 " is UNPREDICTABLE "
 +                      "if FPU not present\n",
 +                      excret);
 +        ftype = true;
 +    }
 +
 +    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 +        /*
 +         * EXC_RETURN.ES validation check (R_SMFL). We must do this before
 +         * we pick which FAULTMASK to clear.
 +         */
 +        if (!env->v7m.secure &&
 +            ((excret & R_V7M_EXCRET_ES_MASK) ||
 +             !(excret & R_V7M_EXCRET_DCRS_MASK))) {
 +            sfault = 1;
 +            /* For all other purposes, treat ES as 0 (R_HXSR) */
 +            excret &= ~R_V7M_EXCRET_ES_MASK;
 +        }
 +        exc_secure = excret & R_V7M_EXCRET_ES_MASK;
 +    }
 +
 +    if (env->v7m.exception != ARMV7M_EXCP_NMI) {
 +        /*
 +         * Auto-clear FAULTMASK on return from other than NMI.
 +         * If the security extension is implemented then this only
 +         * happens if the raw execution priority is >= 0; the
 +         * value of the ES bit in the exception return value indicates
 +         * which security state's faultmask to clear. (v8M ARM ARM R_KBNF.)
 +         */
 +        if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 +            if (armv7m_nvic_raw_execution_priority(env->nvic) >= 0) {
 +                env->v7m.faultmask[exc_secure] = 0;
 +            }
 +        } else {
 +            env->v7m.faultmask[M_REG_NS] = 0;
 +        }
 +    }
 +
 +    switch (armv7m_nvic_complete_irq(env->nvic, env->v7m.exception,
 +                                     exc_secure)) {
 +    case -1:
 +        /* attempt to exit an exception that isn't active */
 +        ufault = true;
 +        break;
 +    case 0:
 +        /* still an irq active now */
 +        break;
 +    case 1:
 +        /*
 +         * We returned to base exception level, no nesting.
 +         * (In the pseudocode this is written using "NestedActivation != 1"
 +         * where we have 'rettobase == false'.)
 +         */
 +        rettobase = true;
 +        break;
 +    default:
 +        g_assert_not_reached();
 +    }
 +
 +    return_to_handler = !(excret & R_V7M_EXCRET_MODE_MASK);
 +    return_to_sp_process = excret & R_V7M_EXCRET_SPSEL_MASK;
 +    return_to_secure = arm_feature(env, ARM_FEATURE_M_SECURITY) &&
 +        (excret & R_V7M_EXCRET_S_MASK);
 +
 +    if (arm_feature(env, ARM_FEATURE_V8)) {
 +        if (!arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 +            /*
 +             * UNPREDICTABLE if S == 1 or DCRS == 0 or ES == 1 (R_XLCP);
 +             * we choose to take the UsageFault.
 +             */
 +            if ((excret & R_V7M_EXCRET_S_MASK) ||
 +                (excret & R_V7M_EXCRET_ES_MASK) ||
 +                !(excret & R_V7M_EXCRET_DCRS_MASK)) {
 +                ufault = true;
 +            }
 +        }
 +        if (excret & R_V7M_EXCRET_RES0_MASK) {
 +            ufault = true;
 +        }
 +    } else {
 +        /* For v7M we only recognize certain combinations of the low bits */
 +        switch (excret & 0xf) {
 +        case 1: /* Return to Handler */
 +            break;
 +        case 13: /* Return to Thread using Process stack */
 +        case 9: /* Return to Thread using Main stack */
 +            /*
 +             * We only need to check NONBASETHRDENA for v7M, because in
 +             * v8M this bit does not exist (it is RES1).
 +             */
 +            if (!rettobase &&
 +                !(env->v7m.ccr[env->v7m.secure] &
 +                  R_V7M_CCR_NONBASETHRDENA_MASK)) {
 +                ufault = true;
 +            }
 +            break;
-+        default:
++
-+            ufault = true;
++        case NPCM7XX_CAPTURE_COMPARE_HIT:
-+        }
++            /* Compare Hit - TEPND */
-+    }
++            s->regs[R_NPCM7XX_MFT_ICTRL] |= NPCM7XX_MFT_ICTRL_TEPND;
-+
++            if (s->regs[R_NPCM7XX_MFT_IEN] & NPCM7XX_MFT_IEN_TEIEN) {
-+    /*
++                irq_level = 1;
 +     * Set CONTROL.SPSEL from excret.SPSEL. Since we're still in
 +     * Handler mode (and will be until we write the new XPSR.Interrupt
 +     * field) this does not switch around the current stack pointer.
 +     * We must do this before we do any kind of tailchaining, including
 +     * for the derived exceptions on integrity check failures, or we will
 +     * give the guest an incorrect EXCRET.SPSEL value on exception entry.
 +     */
 +    write_v7m_control_spsel_for_secstate(env, return_to_sp_process, exc_secure);
 +
 +    /*
 +     * Clear scratch FP values left in caller saved registers; this
 +     * must happen before any kind of tail chaining.
 +     */
 +    if ((env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_CLRONRET_MASK) &&
 +        (env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK)) {
 +        if (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPACT_MASK) {
 +            env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
 +            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 +            qemu_log_mask(CPU_LOG_INT, "...taking SecureFault on existing "
 +                          "stackframe: error during lazy state deactivation\n");
 +            v7m_exception_taken(cpu, excret, true, false);
 +            return;
 +        } else {
 +            /* Clear s0..s15 and FPSCR */
 +            int i;
 +
 +            for (i = 0; i < 16; i += 2) {
 +                *aa32_vfp_dreg(env, i / 2) = 0;
 +            }
 +            vfp_set_fpscr(env, 0);
 +        }
 +    }
 +
 +    if (sfault) {
 +        env->v7m.sfsr |= R_V7M_SFSR_INVER_MASK;
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 +        qemu_log_mask(CPU_LOG_INT, "...taking SecureFault on existing "
 +                      "stackframe: failed EXC_RETURN.ES validity check\n");
 +        v7m_exception_taken(cpu, excret, true, false);
 +        return;
 +    }
 +
 +    if (ufault) {
 +        /*
 +         * Bad exception return: instead of popping the exception
 +         * stack, directly take a usage fault on the current stack.
 +         */
 +        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
 +        qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on existing "
 +                      "stackframe: failed exception return integrity check\n");
 +        v7m_exception_taken(cpu, excret, true, false);
 +        return;
 +    }
 +
 +    /*
 +     * Tailchaining: if there is currently a pending exception that
 +     * is high enough priority to preempt execution at the level we're
 +     * about to return to, then just directly take that exception now,
 +     * avoiding an unstack-and-then-stack. Note that now we have
 +     * deactivated the previous exception by calling armv7m_nvic_complete_irq()
 +     * our current execution priority is already the execution priority we are
 +     * returning to -- none of the state we would unstack or set based on
 +     * the EXCRET value affects it.
 +     */
 +    if (armv7m_nvic_can_take_pending_exception(env->nvic)) {
 +        qemu_log_mask(CPU_LOG_INT, "...tailchaining to pending exception\n");
 +        v7m_exception_taken(cpu, excret, true, false);
 +        return;
 +    }
 +
 +    switch_v7m_security_state(env, return_to_secure);
 +
 +    {
 +        /*
 +         * The stack pointer we should be reading the exception frame from
 +         * depends on bits in the magic exception return type value (and
 +         * for v8M isn't necessarily the stack pointer we will eventually
 +         * end up resuming execution with). Get a pointer to the location
 +         * in the CPU state struct where the SP we need is currently being
 +         * stored; we will use and modify it in place.
 +         * We use this limited C variable scope so we don't accidentally
 +         * use 'frame_sp_p' after we do something that makes it invalid.
 +         */
 +        uint32_t *frame_sp_p = get_v7m_sp_ptr(env,
 +                                              return_to_secure,
 +                                              !return_to_handler,
 +                                              return_to_sp_process);
 +        uint32_t frameptr = *frame_sp_p;
 +        bool pop_ok = true;
 +        ARMMMUIdx mmu_idx;
 +        bool return_to_priv = return_to_handler ||
 +            !(env->v7m.control[return_to_secure] & R_V7M_CONTROL_NPRIV_MASK);
 +
 +        mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, return_to_secure,
 +                                                        return_to_priv);
 +
 +        if (!QEMU_IS_ALIGNED(frameptr, 8) &&
 +            arm_feature(env, ARM_FEATURE_V8)) {
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                          "M profile exception return with non-8-aligned SP "
 +                          "for destination state is UNPREDICTABLE\n");
 +        }
 +
 +        /* Do we need to pop callee-saved registers? */
 +        if (return_to_secure &&
 +            ((excret & R_V7M_EXCRET_ES_MASK) == 0 ||
 +             (excret & R_V7M_EXCRET_DCRS_MASK) == 0)) {
 +            uint32_t actual_sig;
 +
 +            pop_ok = v7m_stack_read(cpu, &actual_sig, frameptr, mmu_idx);
 +
 +            if (pop_ok && v7m_integrity_sig(env, excret) != actual_sig) {
 +                /* Take a SecureFault on the current stack */
 +                env->v7m.sfsr |= R_V7M_SFSR_INVIS_MASK;
 +                armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 +                qemu_log_mask(CPU_LOG_INT, "...taking SecureFault on existing "
 +                              "stackframe: failed exception return integrity "
 +                              "signature check\n");
 +                v7m_exception_taken(cpu, excret, true, false);
 +                return;
 +            }
 +
 +            pop_ok = pop_ok &&
 +                v7m_stack_read(cpu, &env->regs[4], frameptr + 0x8, mmu_idx) &&
 +                v7m_stack_read(cpu, &env->regs[5], frameptr + 0xc, mmu_idx) &&
 +                v7m_stack_read(cpu, &env->regs[6], frameptr + 0x10, mmu_idx) &&
 +                v7m_stack_read(cpu, &env->regs[7], frameptr + 0x14, mmu_idx) &&
 +                v7m_stack_read(cpu, &env->regs[8], frameptr + 0x18, mmu_idx) &&
 +                v7m_stack_read(cpu, &env->regs[9], frameptr + 0x1c, mmu_idx) &&
 +                v7m_stack_read(cpu, &env->regs[10], frameptr + 0x20, mmu_idx) &&
 +                v7m_stack_read(cpu, &env->regs[11], frameptr + 0x24, mmu_idx);
 +
 +            frameptr += 0x28;
 +        }
 +
 +        /* Pop registers */
 +        pop_ok = pop_ok &&
 +            v7m_stack_read(cpu, &env->regs[0], frameptr, mmu_idx) &&
 +            v7m_stack_read(cpu, &env->regs[1], frameptr + 0x4, mmu_idx) &&
 +            v7m_stack_read(cpu, &env->regs[2], frameptr + 0x8, mmu_idx) &&
 +            v7m_stack_read(cpu, &env->regs[3], frameptr + 0xc, mmu_idx) &&
 +            v7m_stack_read(cpu, &env->regs[12], frameptr + 0x10, mmu_idx) &&
 +            v7m_stack_read(cpu, &env->regs[14], frameptr + 0x14, mmu_idx) &&
 +            v7m_stack_read(cpu, &env->regs[15], frameptr + 0x18, mmu_idx) &&
 +            v7m_stack_read(cpu, &xpsr, frameptr + 0x1c, mmu_idx);
 +
 +        if (!pop_ok) {
 +            /*
 +             * v7m_stack_read() pended a fault, so take it (as a tail
 +             * chained exception on the same stack frame)
 +             */
 +            qemu_log_mask(CPU_LOG_INT, "...derived exception on unstacking\n");
 +            v7m_exception_taken(cpu, excret, true, false);
 +            return;
 +        }
 +
 +        /*
 +         * Returning from an exception with a PC with bit 0 set is defined
 +         * behaviour on v8M (bit 0 is ignored), but for v7M it was specified
 +         * to be UNPREDICTABLE. In practice actual v7M hardware seems to ignore
 +         * the lsbit, and there are several RTOSes out there which incorrectly
 +         * assume the r15 in the stack frame should be a Thumb-style "lsbit
 +         * indicates ARM/Thumb" value, so ignore the bit on v7M as well, but
 +         * complain about the badly behaved guest.
 +         */
 +        if (env->regs[15] & 1) {
 +            env->regs[15] &= ~1U;
 +            if (!arm_feature(env, ARM_FEATURE_V8)) {
 +                qemu_log_mask(LOG_GUEST_ERROR,
 +                              "M profile return from interrupt with misaligned "
 +                              "PC is UNPREDICTABLE on v7M\n");
 +            }
 +        }
 +
 +        if (arm_feature(env, ARM_FEATURE_V8)) {
 +            /*
 +             * For v8M we have to check whether the xPSR exception field
 +             * matches the EXCRET value for return to handler/thread
 +             * before we commit to changing the SP and xPSR.
 +             */
 +            bool will_be_handler = (xpsr & XPSR_EXCP) != 0;
 +            if (return_to_handler != will_be_handler) {
 +                /*
 +                 * Take an INVPC UsageFault on the current stack.
 +                 * By this point we will have switched to the security state
 +                 * for the background state, so this UsageFault will target
 +                 * that state.
 +                 */
 +                armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
 +                                        env->v7m.secure);
 +                env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
 +                qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on existing "
 +                              "stackframe: failed exception return integrity "
 +                              "check\n");
 +                v7m_exception_taken(cpu, excret, true, false);
 +                return;
 +            }
 +        }
 +
 +        if (!ftype) {
 +            /* FP present and we need to handle it */
 +            if (!return_to_secure &&
 +                (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPACT_MASK)) {
 +                armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 +                env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
 +                qemu_log_mask(CPU_LOG_INT,
 +                              "...taking SecureFault on existing stackframe: "
 +                              "Secure LSPACT set but exception return is "
 +                              "not to secure state\n");
 +                v7m_exception_taken(cpu, excret, true, false);
 +                return;
 +            }
 +
 +            restore_s16_s31 = return_to_secure &&
 +                (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK);
 +
 +            if (env->v7m.fpccr[return_to_secure] & R_V7M_FPCCR_LSPACT_MASK) {
 +                /* State in FPU is still valid, just clear LSPACT */
 +                env->v7m.fpccr[return_to_secure] &= ~R_V7M_FPCCR_LSPACT_MASK;
 +            } else {
 +                int i;
 +                uint32_t fpscr;
 +                bool cpacr_pass, nsacr_pass;
 +
 +                cpacr_pass = v7m_cpacr_pass(env, return_to_secure,
 +                                            return_to_priv);
 +                nsacr_pass = return_to_secure ||
 +                    extract32(env->v7m.nsacr, 10, 1);
 +
 +                if (!cpacr_pass) {
 +                    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
 +                                            return_to_secure);
 +                    env->v7m.cfsr[return_to_secure] |= R_V7M_CFSR_NOCP_MASK;
 +                    qemu_log_mask(CPU_LOG_INT,
 +                                  "...taking UsageFault on existing "
 +                                  "stackframe: CPACR.CP10 prevents unstacking "
 +                                  "FP regs\n");
 +                    v7m_exception_taken(cpu, excret, true, false);
 +                    return;
 +                } else if (!nsacr_pass) {
 +                    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, true);
 +                    env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_INVPC_MASK;
 +                    qemu_log_mask(CPU_LOG_INT,
 +                                  "...taking Secure UsageFault on existing "
 +                                  "stackframe: NSACR.CP10 prevents unstacking "
 +                                  "FP regs\n");
 +                    v7m_exception_taken(cpu, excret, true, false);
 +                    return;
 +                }
 +
 +                for (i = 0; i < (restore_s16_s31 ? 32 : 16); i += 2) {
 +                    uint32_t slo, shi;
 +                    uint64_t dn;
 +                    uint32_t faddr = frameptr + 0x20 + 4 * i;
 +
 +                    if (i >= 16) {
 +                        faddr += 8; /* Skip the slot for the FPSCR */
 +                    }
 +
 +                    pop_ok = pop_ok &&
 +                        v7m_stack_read(cpu, &slo, faddr, mmu_idx) &&
 +                        v7m_stack_read(cpu, &shi, faddr + 4, mmu_idx);
 +
 +                    if (!pop_ok) {
 +                        break;
 +                    }
 +
 +                    dn = (uint64_t)shi << 32 | slo;
 +                    *aa32_vfp_dreg(env, i / 2) = dn;
 +                }
 +                pop_ok = pop_ok &&
 +                    v7m_stack_read(cpu, &fpscr, frameptr + 0x60, mmu_idx);
 +                if (pop_ok) {
 +                    vfp_set_fpscr(env, fpscr);
 +                }
 +                if (!pop_ok) {
 +                    /*
 +                     * These regs are 0 if security extension present;
 +                     * otherwise merely UNKNOWN. We zero always.
 +                     */
 +                    for (i = 0; i < (restore_s16_s31 ? 32 : 16); i += 2) {
 +                        *aa32_vfp_dreg(env, i / 2) = 0;
 +                    }
 +                    vfp_set_fpscr(env, 0);
 +                }
 +            }
 +        }
 +        env->v7m.control[M_REG_S] = FIELD_DP32(env->v7m.control[M_REG_S],
 +                                               V7M_CONTROL, FPCA, !ftype);
 +
 +        /* Commit to consuming the stack frame */
 +        frameptr += 0x20;
 +        if (!ftype) {
 +            frameptr += 0x48;
 +            if (restore_s16_s31) {
 +                frameptr += 0x40;
 +            }
 +        }
 +        /*
 +         * Undo stack alignment (the SPREALIGN bit indicates that the original
 +         * pre-exception SP was not 8-aligned and we added a padding word to
 +         * align it, so we undo this by ORing in the bit that increases it
 +         * from the current 8-aligned value to the 8-unaligned value. (Adding 4
 +         * would work too but a logical OR is how the pseudocode specifies it.)
 +         */
 +        if (xpsr & XPSR_SPREALIGN) {
 +            frameptr |= 4;
 +        }
 +        *frame_sp_p = frameptr;
 +    }
 +
 +    xpsr_mask = ~(XPSR_SPREALIGN | XPSR_SFPA);
 +    if (!arm_feature(env, ARM_FEATURE_THUMB_DSP)) {
 +        xpsr_mask &= ~XPSR_GE;
 +    }
 +    /* This xpsr_write() will invalidate frame_sp_p as it may switch stack */
 +    xpsr_write(env, xpsr, xpsr_mask);
 +
 +    if (env->v7m.secure) {
 +        bool sfpa = xpsr & XPSR_SFPA;
 +
 +        env->v7m.control[M_REG_S] = FIELD_DP32(env->v7m.control[M_REG_S],
 +                                               V7M_CONTROL, SFPA, sfpa);
 +    }
 +
 +    /*
 +     * The restored xPSR exception field will be zero if we're
 +     * resuming in Thread mode. If that doesn't match what the
 +     * exception return excret specified then this is a UsageFault.
 +     * v7M requires we make this check here; v8M did it earlier.
 +     */
 +    if (return_to_handler != arm_v7m_is_handler_mode(env)) {
 +        /*
 +         * Take an INVPC UsageFault by pushing the stack again;
 +         * we know we're v7M so this is never a Secure UsageFault.
 +         */
 +        bool ignore_stackfaults;
 +
 +        assert(!arm_feature(env, ARM_FEATURE_V8));
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, false);
 +        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
 +        ignore_stackfaults = v7m_push_stack(cpu);
 +        qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on new stackframe: "
 +                      "failed exception return integrity check\n");
 +        v7m_exception_taken(cpu, excret, false, ignore_stackfaults);
 +        return;
 +    }
 +
 +    /* Otherwise, we have a successful exception exit. */
 +    arm_clear_exclusive(env);
 +    qemu_log_mask(CPU_LOG_INT, "...successful exception return\n");
 +}
 +
 +static bool do_v7m_function_return(ARMCPU *cpu)
 +{
 +    /*
 +     * v8M security extensions magic function return.
 +     * We may either:
 +     *  (1) throw an exception (longjump)
 +     *  (2) return true if we successfully handled the function return
 +     *  (3) return false if we failed a consistency check and have
 +     *      pended a UsageFault that needs to be taken now
 +     *
 +     * At this point the magic return value is split between env->regs[15]
 +     * and env->thumb. We don't bother to reconstitute it because we don't
 +     * need it (all values are handled the same way).
 +     */
 +    CPUARMState *env = &cpu->env;
 +    uint32_t newpc, newpsr, newpsr_exc;
 +
 +    qemu_log_mask(CPU_LOG_INT, "...really v7M secure function return\n");
 +
 +    {
 +        bool threadmode, spsel;
 +        TCGMemOpIdx oi;
 +        ARMMMUIdx mmu_idx;
 +        uint32_t *frame_sp_p;
 +        uint32_t frameptr;
 +
 +        /* Pull the return address and IPSR from the Secure stack */
 +        threadmode = !arm_v7m_is_handler_mode(env);
 +        spsel = env->v7m.control[M_REG_S] & R_V7M_CONTROL_SPSEL_MASK;
 +
 +        frame_sp_p = get_v7m_sp_ptr(env, true, threadmode, spsel);
 +        frameptr = *frame_sp_p;
 +
 +        /*
 +         * These loads may throw an exception (for MPU faults). We want to
 +         * do them as secure, so work out what MMU index that is.
 +         */
 +        mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
 +        oi = make_memop_idx(MO_LE, arm_to_core_mmu_idx(mmu_idx));
 +        newpc = helper_le_ldul_mmu(env, frameptr, oi, 0);
 +        newpsr = helper_le_ldul_mmu(env, frameptr + 4, oi, 0);
 +
 +        /* Consistency checks on new IPSR */
 +        newpsr_exc = newpsr & XPSR_EXCP;
 +        if (!((env->v7m.exception == 0 && newpsr_exc == 0) ||
 +              (env->v7m.exception == 1 && newpsr_exc != 0))) {
 +            /* Pend the fault and tell our caller to take it */
 +            env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
 +            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
 +                                    env->v7m.secure);
 +            qemu_log_mask(CPU_LOG_INT,
 +                          "...taking INVPC UsageFault: "
 +                          "IPSR consistency check failed\n");
 +            return false;
 +        }
 +
 +        *frame_sp_p = frameptr + 8;
 +    }
 +
 +    /* This invalidates frame_sp_p */
 +    switch_v7m_security_state(env, true);
 +    env->v7m.exception = newpsr_exc;
 +    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
 +    if (newpsr & XPSR_SFPA) {
 +        env->v7m.control[M_REG_S] |= R_V7M_CONTROL_SFPA_MASK;
 +    }
 +    xpsr_write(env, 0, XPSR_IT);
 +    env->thumb = newpc & 1;
 +    env->regs[15] = newpc & ~1;
 +
 +    qemu_log_mask(CPU_LOG_INT, "...function return successful\n");
 +    return true;
 +}
 +
 +static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
 +                               uint32_t addr, uint16_t *insn)
 +{
 +    /*
 +     * Load a 16-bit portion of a v7M instruction, returning true on success,
 +     * or false on failure (in which case we will have pended the appropriate
 +     * exception).
 +     * We need to do the instruction fetch's MPU and SAU checks
 +     * like this because there is no MMU index that would allow
 +     * doing the load with a single function call. Instead we must
 +     * first check that the security attributes permit the load
 +     * and that they don't mismatch on the two halves of the instruction,
 +     * and then we do the load as a secure load (ie using the security
 +     * attributes of the address, not the CPU, as architecturally required).
 +     */
 +    CPUState *cs = CPU(cpu);
 +    CPUARMState *env = &cpu->env;
 +    V8M_SAttributes sattrs = {};
 +    MemTxAttrs attrs = {};
 +    ARMMMUFaultInfo fi = {};
 +    MemTxResult txres;
 +    target_ulong page_size;
 +    hwaddr physaddr;
 +    int prot;
 +
 +    v8m_security_lookup(env, addr, MMU_INST_FETCH, mmu_idx, &sattrs);
 +    if (!sattrs.nsc || sattrs.ns) {
 +        /*
 +         * This must be the second half of the insn, and it straddles a
 +         * region boundary with the second half not being S&NSC.
 +         */
 +        env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 +        qemu_log_mask(CPU_LOG_INT,
 +                      "...really SecureFault with SFSR.INVEP\n");
 +        return false;
 +    }
 +    if (get_phys_addr(env, addr, MMU_INST_FETCH, mmu_idx,
 +                      &physaddr, &attrs, &prot, &page_size, &fi, NULL)) {
 +        /* the MPU lookup failed */
 +        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_IACCVIOL_MASK;
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM, env->v7m.secure);
 +        qemu_log_mask(CPU_LOG_INT, "...really MemManage with CFSR.IACCVIOL\n");
 +        return false;
 +    }
 +    *insn = address_space_lduw_le(arm_addressspace(cs, attrs), physaddr,
 +                                 attrs, &txres);
 +    if (txres != MEMTX_OK) {
 +        env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_IBUSERR_MASK;
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
 +        qemu_log_mask(CPU_LOG_INT, "...really BusFault with CFSR.IBUSERR\n");
 +        return false;
 +    }
 +    return true;
 +}
 +
 +static bool v7m_handle_execute_nsc(ARMCPU *cpu)
 +{
 +    /*
 +     * Check whether this attempt to execute code in a Secure & NS-Callable
 +     * memory region is for an SG instruction; if so, then emulate the
 +     * effect of the SG instruction and return true. Otherwise pend
 +     * the correct kind of exception and return false.
 +     */
 +    CPUARMState *env = &cpu->env;
 +    ARMMMUIdx mmu_idx;
 +    uint16_t insn;
 +
 +    /*
 +     * We should never get here unless get_phys_addr_pmsav8() caused
 +     * an exception for NS executing in S&NSC memory.
 +     */
 +    assert(!env->v7m.secure);
 +    assert(arm_feature(env, ARM_FEATURE_M_SECURITY));
 +
 +    /* We want to do the MPU lookup as secure; work out what mmu_idx that is */
 +    mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
 +
 +    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15], &insn)) {
 +        return false;
 +    }
 +
 +    if (!env->thumb) {
 +        goto gen_invep;
 +    }
 +
 +    if (insn != 0xe97f) {
 +        /*
 +         * Not an SG instruction first half (we choose the IMPDEF
 +         * early-SG-check option).
 +         */
 +        goto gen_invep;
 +    }
 +
 +    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15] + 2, &insn)) {
 +        return false;
 +    }
 +
 +    if (insn != 0xe97f) {
 +        /*
 +         * Not an SG instruction second half (yes, both halves of the SG
 +         * insn have the same hex value)
 +         */
 +        goto gen_invep;
 +    }
 +
 +    /*
 +     * OK, we have confirmed that we really have an SG instruction.
 +     * We know we're NS in S memory so don't need to repeat those checks.
 +     */
 +    qemu_log_mask(CPU_LOG_INT, "...really an SG instruction at 0x%08" PRIx32
 +                  ", executing it\n", env->regs[15]);
 +    env->regs[14] &= ~1;
 +    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
 +    switch_v7m_security_state(env, true);
 +    xpsr_write(env, 0, XPSR_IT);
 +    env->regs[15] += 4;
 +    return true;
 +
 +gen_invep:
 +    env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
 +    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 +    qemu_log_mask(CPU_LOG_INT,
 +                  "...really SecureFault with SFSR.INVEP\n");
 +    return false;
 +}
 +
 +void arm_v7m_cpu_do_interrupt(CPUState *cs)
 +{
 +    ARMCPU *cpu = ARM_CPU(cs);
 +    CPUARMState *env = &cpu->env;
 +    uint32_t lr;
 +    bool ignore_stackfaults;
 +
 +    arm_log_exception(cs->exception_index);
 +
 +    /*
 +     * For exceptions we just mark as pending on the NVIC, and let that
 +     * handle it.
 +     */
 +    switch (cs->exception_index) {
 +    case EXCP_UDEF:
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
 +        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_UNDEFINSTR_MASK;
 +        break;
 +    case EXCP_NOCP:
 +    {
 +        /*
 +         * NOCP might be directed to something other than the current
 +         * security state if this fault is because of NSACR; we indicate
 +         * the target security state using exception.target_el.
 +         */
 +        int target_secstate;
 +
 +        if (env->exception.target_el == 3) {
 +            target_secstate = M_REG_S;
 +        } else {
 +            target_secstate = env->v7m.secure;
 +        }
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, target_secstate);
 +        env->v7m.cfsr[target_secstate] |= R_V7M_CFSR_NOCP_MASK;
 +        break;
 +    }
 +    case EXCP_INVSTATE:
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
 +        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVSTATE_MASK;
 +        break;
 +    case EXCP_STKOF:
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
 +        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;
 +        break;
 +    case EXCP_LSERR:
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 +        env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
 +        break;
 +    case EXCP_UNALIGNED:
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
 +        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_UNALIGNED_MASK;
 +        break;
 +    case EXCP_SWI:
 +        /* The PC already points to the next instruction.  */
 +        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SVC, env->v7m.secure);
 +        break;
 +    case EXCP_PREFETCH_ABORT:
 +    case EXCP_DATA_ABORT:
 +        /*
 +         * Note that for M profile we don't have a guest facing FSR, but
 +         * the env->exception.fsr will be populated by the code that
 +         * raises the fault, in the A profile short-descriptor format.
 +         */
 +        switch (env->exception.fsr & 0xf) {
 +        case M_FAKE_FSR_NSC_EXEC:
 +            /*
 +             * Exception generated when we try to execute code at an address
 +             * which is marked as Secure & Non-Secure Callable and the CPU
 +             * is in the Non-Secure state. The only instruction which can
 +             * be executed like this is SG (and that only if both halves of
 +             * the SG instruction have the same security attributes.)
 +             * Everything else must generate an INVEP SecureFault, so we
 +             * emulate the SG instruction here.
 +             */
 +            if (v7m_handle_execute_nsc(cpu)) {
 +                return;
 +            }
 +            break;
-+        case M_FAKE_FSR_SFAULT:
++
-+            /*
++        case NPCM7XX_CAPTURE_UNDERFLOW:
-+             * Various flavours of SecureFault for attempts to execute or
++            /* Underflow - TCPND */
-+             * access data in the wrong security state.
++            s->regs[R_NPCM7XX_MFT_ICTRL] |= NPCM7XX_MFT_ICTRL_TCPND;
-+             */
++            if (s->regs[R_NPCM7XX_MFT_IEN] & NPCM7XX_MFT_IEN_TCIEN) {
-+            switch (cs->exception_index) {
++                irq_level = 1;
 +            case EXCP_PREFETCH_ABORT:
 +                if (env->v7m.secure) {
 +                    env->v7m.sfsr |= R_V7M_SFSR_INVTRAN_MASK;
 +                    qemu_log_mask(CPU_LOG_INT,
 +                                  "...really SecureFault with SFSR.INVTRAN\n");
 +                } else {
 +                    env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
 +                    qemu_log_mask(CPU_LOG_INT,
 +                                  "...really SecureFault with SFSR.INVEP\n");
 +                }
 +                break;
 +            case EXCP_DATA_ABORT:
 +                /* This must be an NS access to S memory */
 +                env->v7m.sfsr |= R_V7M_SFSR_AUVIOL_MASK;
 +                qemu_log_mask(CPU_LOG_INT,
 +                              "...really SecureFault with SFSR.AUVIOL\n");
 +                break;
 +            }
-+            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 +            break;
-+        case 0x8: /* External Abort */
++
-+            switch (cs->exception_index) {
++        default:
-+            case EXCP_PREFETCH_ABORT:
++            g_assert_not_reached();
-+                env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_IBUSERR_MASK;
++        }
-+                qemu_log_mask(CPU_LOG_INT, "...with CFSR.IBUSERR\n");
++    }
-+                break;
++
-+            case EXCP_DATA_ABORT:
++    /* Capture input B. */
-+                env->v7m.cfsr[M_REG_NS] |=
++    if (s->regs[R_NPCM7XX_MFT_MCTRL] & NPCM7XX_MFT_MCTRL_TBEN &&
-+                    (R_V7M_CFSR_PRECISERR_MASK | R_V7M_CFSR_BFARVALID_MASK);
++        s->regs[R_NPCM7XX_MFT_CKC] & NPCM7XX_MFT_CKC_C2CSEL) {
-+                env->v7m.bfar = env->exception.vaddress;
++        sel = s->regs[R_NPCM7XX_MFT_INBSEL] & NPCM7XX_MFT_INBSEL_SELB;
-+                qemu_log_mask(CPU_LOG_INT,
++        cpcfg = NPCM7XX_MFT_CPCFG_GET_B(s->regs[R_NPCM7XX_MFT_CPCFG]);
-+                              "...with CFSR.PRECISERR and BFAR 0x%x\n",
++        state = npcm7xx_mft_compute_cnt(s->clock_2,
-+                              env->v7m.bfar);
++                                        sel ? s->max_rpm[3] : s->max_rpm[1],
-+                break;
++                                        sel ? s->duty[3] : s->duty[1],
 +                                        s->regs[R_NPCM7XX_MFT_CPB],
 +                                        cpcfg,
 +                                        &s->regs[R_NPCM7XX_MFT_CNT2]);
 +        switch (state) {
 +        case NPCM7XX_CAPTURE_SUCCEED:
 +            /* Interrupt on input capture on TBn transition - TBPND */
 +            s->regs[R_NPCM7XX_MFT_CRB] = s->regs[R_NPCM7XX_MFT_CNT2];
 +            s->regs[R_NPCM7XX_MFT_ICTRL] |= NPCM7XX_MFT_ICTRL_TBPND;
 +            if (s->regs[R_NPCM7XX_MFT_IEN] & NPCM7XX_MFT_IEN_TBIEN) {
 +                irq_level = 1;
 +            }
-+            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
 +            break;
++
++        case NPCM7XX_CAPTURE_COMPARE_HIT:
++            /* Compare Hit - TFPND */
++            s->regs[R_NPCM7XX_MFT_ICTRL] |= NPCM7XX_MFT_ICTRL_TFPND;
++            if (s->regs[R_NPCM7XX_MFT_IEN] & NPCM7XX_MFT_IEN_TFIEN) {
++                irq_level = 1;
++            }
++            break;
++
++        case NPCM7XX_CAPTURE_UNDERFLOW:
++            /* Underflow - TDPND */
++            s->regs[R_NPCM7XX_MFT_ICTRL] |= NPCM7XX_MFT_ICTRL_TDPND;
++            if (s->regs[R_NPCM7XX_MFT_IEN] & NPCM7XX_MFT_IEN_TDIEN) {
++                irq_level = 1;
++            }
++            break;
++
 +        default:
-+            /*
++            g_assert_not_reached();
 +             * All other FSR values are either MPU faults or "can't happen
 +             * for M profile" cases.
 +             */
 +            switch (cs->exception_index) {
 +            case EXCP_PREFETCH_ABORT:
 +                env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_IACCVIOL_MASK;
 +                qemu_log_mask(CPU_LOG_INT, "...with CFSR.IACCVIOL\n");
 +                break;
 +            case EXCP_DATA_ABORT:
 +                env->v7m.cfsr[env->v7m.secure] |=
 +                    (R_V7M_CFSR_DACCVIOL_MASK | R_V7M_CFSR_MMARVALID_MASK);
 +                env->v7m.mmfar[env->v7m.secure] = env->exception.vaddress;
 +                qemu_log_mask(CPU_LOG_INT,
 +                              "...with CFSR.DACCVIOL and MMFAR 0x%x\n",
 +                              env->v7m.mmfar[env->v7m.secure]);
 +                break;
 +            }
 +            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM,
 +                                    env->v7m.secure);
 +            break;
 +        }
++    }
++
++    trace_npcm7xx_mft_capture(DEVICE(s)->canonical_path, irq_level);
++    qemu_set_irq(s->irq, irq_level);
++}
++
++/* Update clock for counters. */
++static void npcm7xx_mft_update_clock(void *opaque, ClockEvent event)
++{
++    NPCM7xxMFTState *s = NPCM7XX_MFT(opaque);
++    uint64_t prescaled_clock_period;
++
++    prescaled_clock_period = clock_get(s->clock_in) *
++        (s->regs[R_NPCM7XX_MFT_PRSC] + 1ULL);
++    trace_npcm7xx_mft_update_clock(s->clock_in->canonical_path,
++                                   s->regs[R_NPCM7XX_MFT_CKC],
++                                   clock_get(s->clock_in),
++                                   prescaled_clock_period);
++    /* Update clock 1 */
++    if (s->regs[R_NPCM7XX_MFT_CKC] & NPCM7XX_MFT_CKC_C1CSEL) {
++        /* Clock is prescaled. */
++        clock_update(s->clock_1, prescaled_clock_period);
++    } else {
++        /* Clock stopped. */
++        clock_update(s->clock_1, 0);
++    }
++    /* Update clock 2 */
++    if (s->regs[R_NPCM7XX_MFT_CKC] & NPCM7XX_MFT_CKC_C2CSEL) {
++        /* Clock is prescaled. */
++        clock_update(s->clock_2, prescaled_clock_period);
++    } else {
++        /* Clock stopped. */
++        clock_update(s->clock_2, 0);
++    }
++
++    npcm7xx_mft_capture(s);
++}
++
++static uint64_t npcm7xx_mft_read(void *opaque, hwaddr offset, unsigned size)
++{
++    NPCM7xxMFTState *s = NPCM7XX_MFT(opaque);
++    uint16_t value = 0;
++
++    switch (offset) {
++    case A_NPCM7XX_MFT_ICLR:
++        qemu_log_mask(LOG_GUEST_ERROR,
++                      "%s: register @ 0x%04" HWADDR_PRIx " is write-only\n",
++                      __func__, offset);
 +        break;
-+    case EXCP_BKPT:
++
-+        if (semihosting_enabled()) {
++    default:
-+            int nr;
++        value = s->regs[offset / 2];
-+            nr = arm_lduw_code(env, env->regs[15], arm_sctlr_b(env)) & 0xff;
++    }
-+            if (nr == 0xab) {
++
-+                env->regs[15] += 2;
++    trace_npcm7xx_mft_read(DEVICE(s)->canonical_path, offset, value);
-+                qemu_log_mask(CPU_LOG_INT,
++    return value;
-+                              "...handling as semihosting call 0x%x\n",
++}
-+                              env->regs[0]);
++
-+                env->regs[0] = do_arm_semihosting(env);
++static void npcm7xx_mft_write(void *opaque, hwaddr offset,
-+                return;
++                              uint64_t v, unsigned size)
-+            }
++{
-+        }
++    NPCM7xxMFTState *s = NPCM7XX_MFT(opaque);
-+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_DEBUG, false);
++
 +    trace_npcm7xx_mft_write(DEVICE(s)->canonical_path, offset, v);
 +    switch (offset) {
 +    case A_NPCM7XX_MFT_ICLR:
 +        npcm7xx_mft_clear_interrupt(s, v);
 +        break;
-+    case EXCP_IRQ:
++
 +    case A_NPCM7XX_MFT_CKC:
 +    case A_NPCM7XX_MFT_PRSC:
 +        s->regs[offset / 2] = v;
 +        npcm7xx_mft_update_clock(s, ClockUpdate);
 +        break;
-+    case EXCP_EXCEPTION_EXIT:
++
-+        if (env->regs[15] < EXC_RETURN_MIN_MAGIC) {
++    default:
-+            /* Must be v8M security extension function return */
++        s->regs[offset / 2] = v;
-+            assert(env->regs[15] >= FNC_RETURN_MIN_MAGIC);
++        npcm7xx_mft_capture(s);
 +            assert(arm_feature(env, ARM_FEATURE_M_SECURITY));
 +            if (do_v7m_function_return(cpu)) {
 +                return;
 +            }
 +        } else {
 +            do_v7m_exception_exit(cpu);
 +            return;
 +        }
 +        break;
-+    case EXCP_LAZYFP:
++    }
-+        /*
++}
-+         * We already pended the specific exception in the NVIC in the
++
-+         * v7m_preserve_fp_state() helper function.
++static bool npcm7xx_mft_check_mem_op(void *opaque, hwaddr offset,
-+         */
++                                     unsigned size, bool is_write,
-+        break;
++                                     MemTxAttrs attrs)
 +{
 +    switch (offset) {
 +    /* 16-bit registers. Must be accessed with 16-bit read/write.*/
 +    case A_NPCM7XX_MFT_CNT1:
 +    case A_NPCM7XX_MFT_CRA:
 +    case A_NPCM7XX_MFT_CRB:
 +    case A_NPCM7XX_MFT_CNT2:
 +    case A_NPCM7XX_MFT_CPA:
 +    case A_NPCM7XX_MFT_CPB:
 +        return size == 2;
 +
 +    /* 8-bit registers. Must be accessed with 8-bit read/write.*/
 +    case A_NPCM7XX_MFT_PRSC:
 +    case A_NPCM7XX_MFT_CKC:
 +    case A_NPCM7XX_MFT_MCTRL:
 +    case A_NPCM7XX_MFT_ICTRL:
 +    case A_NPCM7XX_MFT_ICLR:
 +    case A_NPCM7XX_MFT_IEN:
 +    case A_NPCM7XX_MFT_CPCFG:
 +    case A_NPCM7XX_MFT_INASEL:
 +    case A_NPCM7XX_MFT_INBSEL:
 +        return size == 1;
 +
 +    default:
-+        cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
++        /* Invalid registers. */
-+        return; /* Never happens.  Keep compiler happy.  */
++        return false;
 +    }
-+
++}
-+    if (arm_feature(env, ARM_FEATURE_V8)) {
++
-+        lr = R_V7M_EXCRET_RES1_MASK |
++static void npcm7xx_mft_get_max_rpm(Object *obj, Visitor *v, const char *name,
-+            R_V7M_EXCRET_DCRS_MASK;
++                                    void *opaque, Error **errp)
-+        /*
++{
-+         * The S bit indicates whether we should return to Secure
++    visit_type_uint32(v, name, (uint32_t *)opaque, errp);
-+         * or NonSecure (ie our current state).
++}
-+         * The ES bit indicates whether we're taking this exception
++
-+         * to Secure or NonSecure (ie our target state). We set it
++static void npcm7xx_mft_set_max_rpm(Object *obj, Visitor *v, const char *name,
-+         * later, in v7m_exception_taken().
++                                    void *opaque, Error **errp)
-+         * The SPSEL bit is also set in v7m_exception_taken() for v8M.
++{
-+         * This corresponds to the ARM ARM pseudocode for v8M setting
++    NPCM7xxMFTState *s = NPCM7XX_MFT(obj);
-+         * some LR bits in PushStack() and some in ExceptionTaken();
++    uint32_t *max_rpm = opaque;
-+         * the distinction matters for the tailchain cases where we
++    uint32_t value;
-+         * can take an exception without pushing the stack.
++
-+         */
++    if (!visit_type_uint32(v, name, &value, errp)) {
 +        if (env->v7m.secure) {
 +            lr |= R_V7M_EXCRET_S_MASK;
 +        }
 +        if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK)) {
 +            lr |= R_V7M_EXCRET_FTYPE_MASK;
 +        }
 +    } else {
 +        lr = R_V7M_EXCRET_RES1_MASK |
 +            R_V7M_EXCRET_S_MASK |
 +            R_V7M_EXCRET_DCRS_MASK |
 +            R_V7M_EXCRET_FTYPE_MASK |
 +            R_V7M_EXCRET_ES_MASK;
 +        if (env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK) {
 +            lr |= R_V7M_EXCRET_SPSEL_MASK;
 +        }
 +    }
 +    if (!arm_v7m_is_handler_mode(env)) {
 +        lr |= R_V7M_EXCRET_MODE_MASK;
 +    }
 +
 +    ignore_stackfaults = v7m_push_stack(cpu);
 +    v7m_exception_taken(cpu, lr, false, ignore_stackfaults);
 +}
 +
 +uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
 +{
 +    uint32_t mask;
 +    unsigned el = arm_current_el(env);
 +
 +    /* First handle registers which unprivileged can read */
 +
 +    switch (reg) {
 +    case 0 ... 7: /* xPSR sub-fields */
 +        mask = 0;
 +        if ((reg & 1) && el) {
 +            mask |= XPSR_EXCP; /* IPSR (unpriv. reads as zero) */
 +        }
 +        if (!(reg & 4)) {
 +            mask |= XPSR_NZCV | XPSR_Q; /* APSR */
 +            if (arm_feature(env, ARM_FEATURE_THUMB_DSP)) {
 +                mask |= XPSR_GE;
 +            }
 +        }
 +        /* EPSR reads as zero */
 +        return xpsr_read(env) & mask;
 +        break;
 +    case 20: /* CONTROL */
 +    {
 +        uint32_t value = env->v7m.control[env->v7m.secure];
 +        if (!env->v7m.secure) {
 +            /* SFPA is RAZ/WI from NS; FPCA is stored in the M_REG_S bank */
 +            value |= env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK;
 +        }
 +        return value;
 +    }
 +    case 0x94: /* CONTROL_NS */
 +        /*
 +         * We have to handle this here because unprivileged Secure code
 +         * can read the NS CONTROL register.
 +         */
 +        if (!env->v7m.secure) {
 +            return 0;
 +        }
 +        return env->v7m.control[M_REG_NS] |
 +            (env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK);
 +    }
 +
 +    if (el == 0) {
 +        return 0; /* unprivileged reads others as zero */
 +    }
 +
 +    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 +        switch (reg) {
 +        case 0x88: /* MSP_NS */
 +            if (!env->v7m.secure) {
 +                return 0;
 +            }
 +            return env->v7m.other_ss_msp;
 +        case 0x89: /* PSP_NS */
 +            if (!env->v7m.secure) {
 +                return 0;
 +            }
 +            return env->v7m.other_ss_psp;
 +        case 0x8a: /* MSPLIM_NS */
 +            if (!env->v7m.secure) {
 +                return 0;
 +            }
 +            return env->v7m.msplim[M_REG_NS];
 +        case 0x8b: /* PSPLIM_NS */
 +            if (!env->v7m.secure) {
 +                return 0;
 +            }
 +            return env->v7m.psplim[M_REG_NS];
 +        case 0x90: /* PRIMASK_NS */
 +            if (!env->v7m.secure) {
 +                return 0;
 +            }
 +            return env->v7m.primask[M_REG_NS];
 +        case 0x91: /* BASEPRI_NS */
 +            if (!env->v7m.secure) {
 +                return 0;
 +            }
 +            return env->v7m.basepri[M_REG_NS];
 +        case 0x93: /* FAULTMASK_NS */
 +            if (!env->v7m.secure) {
 +                return 0;
 +            }
 +            return env->v7m.faultmask[M_REG_NS];
 +        case 0x98: /* SP_NS */
 +        {
 +            /*
 +             * This gives the non-secure SP selected based on whether we're
 +             * currently in handler mode or not, using the NS CONTROL.SPSEL.
 +             */
 +            bool spsel = env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK;
 +
 +            if (!env->v7m.secure) {
 +                return 0;
 +            }
 +            if (!arm_v7m_is_handler_mode(env) && spsel) {
 +                return env->v7m.other_ss_psp;
 +            } else {
 +                return env->v7m.other_ss_msp;
 +            }
 +        }
 +        default:
 +            break;
 +        }
 +    }
 +
 +    switch (reg) {
 +    case 8: /* MSP */
 +        return v7m_using_psp(env) ? env->v7m.other_sp : env->regs[13];
 +    case 9: /* PSP */
 +        return v7m_using_psp(env) ? env->regs[13] : env->v7m.other_sp;
 +    case 10: /* MSPLIM */
 +        if (!arm_feature(env, ARM_FEATURE_V8)) {
 +            goto bad_reg;
 +        }
 +        return env->v7m.msplim[env->v7m.secure];
 +    case 11: /* PSPLIM */
 +        if (!arm_feature(env, ARM_FEATURE_V8)) {
 +            goto bad_reg;
 +        }
 +        return env->v7m.psplim[env->v7m.secure];
 +    case 16: /* PRIMASK */
 +        return env->v7m.primask[env->v7m.secure];
 +    case 17: /* BASEPRI */
 +    case 18: /* BASEPRI_MAX */
 +        return env->v7m.basepri[env->v7m.secure];
 +    case 19: /* FAULTMASK */
 +        return env->v7m.faultmask[env->v7m.secure];
 +    default:
 +    bad_reg:
 +        qemu_log_mask(LOG_GUEST_ERROR, "Attempt to read unknown special"
 +                                       " register %d\n", reg);
 +        return 0;
 +    }
 +}
 +
 +void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
 +{
 +    /*
 +     * We're passed bits [11..0] of the instruction; extract
 +     * SYSm and the mask bits.
 +     * Invalid combinations of SYSm and mask are UNPREDICTABLE;
 +     * we choose to treat them as if the mask bits were valid.
 +     * NB that the pseudocode 'mask' variable is bits [11..10],
 +     * whereas ours is [11..8].
 +     */
 +    uint32_t mask = extract32(maskreg, 8, 4);
 +    uint32_t reg = extract32(maskreg, 0, 8);
 +    int cur_el = arm_current_el(env);
 +
 +    if (cur_el == 0 && reg > 7 && reg != 20) {
 +        /*
 +         * only xPSR sub-fields and CONTROL.SFPA may be written by
 +         * unprivileged code
 +         */
 +        return;
 +    }
 +
-+    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
++    *max_rpm = value;
-+        switch (reg) {
++    npcm7xx_mft_capture(s);
-+        case 0x88: /* MSP_NS */
++}
-+            if (!env->v7m.secure) {
++
-+                return;
++static void npcm7xx_mft_duty_handler(void *opaque, int n, int value)
-+            }
++{
-+            env->v7m.other_ss_msp = val;
++    NPCM7xxMFTState *s = NPCM7XX_MFT(opaque);
-+            return;
++
-+        case 0x89: /* PSP_NS */
++    trace_npcm7xx_mft_set_duty(DEVICE(s)->canonical_path, n, value);
-+            if (!env->v7m.secure) {
++    s->duty[n] = value;
-+                return;
++    npcm7xx_mft_capture(s);
-+            }
++}
-+            env->v7m.other_ss_psp = val;
++
-+            return;
++static const struct MemoryRegionOps npcm7xx_mft_ops = {
-+        case 0x8a: /* MSPLIM_NS */
++    .read       = npcm7xx_mft_read,
-+            if (!env->v7m.secure) {
++    .write      = npcm7xx_mft_write,
-+                return;
++    .endianness = DEVICE_LITTLE_ENDIAN,
-+            }
++    .valid      = {
-+            env->v7m.msplim[M_REG_NS] = val & ~7;
++        .min_access_size        = 1,
-+            return;
++        .max_access_size        = 2,
-+        case 0x8b: /* PSPLIM_NS */
++        .unaligned              = false,
-+            if (!env->v7m.secure) {
++        .accepts                = npcm7xx_mft_check_mem_op,
-+                return;
++    },
-+            }
++};
-+            env->v7m.psplim[M_REG_NS] = val & ~7;
++
-+            return;
++static void npcm7xx_mft_enter_reset(Object *obj, ResetType type)
-+        case 0x90: /* PRIMASK_NS */
++{
-+            if (!env->v7m.secure) {
++    NPCM7xxMFTState *s = NPCM7XX_MFT(obj);
-+                return;
++
-+            }
++    npcm7xx_mft_reset(s);
-+            env->v7m.primask[M_REG_NS] = val & 1;
++}
-+            return;
++
-+        case 0x91: /* BASEPRI_NS */
++static void npcm7xx_mft_hold_reset(Object *obj)
-+            if (!env->v7m.secure || !arm_feature(env, ARM_FEATURE_M_MAIN)) {
++{
-+                return;
++    NPCM7xxMFTState *s = NPCM7XX_MFT(obj);
-+            }
++
-+            env->v7m.basepri[M_REG_NS] = val & 0xff;
++    qemu_irq_lower(s->irq);
-+            return;
++}
-+        case 0x93: /* FAULTMASK_NS */
++
-+            if (!env->v7m.secure || !arm_feature(env, ARM_FEATURE_M_MAIN)) {
++static void npcm7xx_mft_init(Object *obj)
-+                return;
++{
-+            }
++    NPCM7xxMFTState *s = NPCM7XX_MFT(obj);
-+            env->v7m.faultmask[M_REG_NS] = val & 1;
++    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
-+            return;
++    DeviceState *dev = DEVICE(obj);
-+        case 0x94: /* CONTROL_NS */
++
-+            if (!env->v7m.secure) {
++    memory_region_init_io(&s->iomem, obj, &npcm7xx_mft_ops, s,
-+                return;
++                          TYPE_NPCM7XX_MFT, 4 * KiB);
-+            }
++    sysbus_init_mmio(sbd, &s->iomem);
-+            write_v7m_control_spsel_for_secstate(env,
++    sysbus_init_irq(sbd, &s->irq);
-+                                                 val & R_V7M_CONTROL_SPSEL_MASK,
++    s->clock_in = qdev_init_clock_in(dev, "clock-in", npcm7xx_mft_update_clock,
-+                                                 M_REG_NS);
++                                     s, ClockUpdate);
-+            if (arm_feature(env, ARM_FEATURE_M_MAIN)) {
++    s->clock_1 = qdev_init_clock_out(dev, "clock1");
-+                env->v7m.control[M_REG_NS] &= ~R_V7M_CONTROL_NPRIV_MASK;
++    s->clock_2 = qdev_init_clock_out(dev, "clock2");
-+                env->v7m.control[M_REG_NS] |= val & R_V7M_CONTROL_NPRIV_MASK;
++
-+            }
++    for (int i = 0; i < NPCM7XX_PWM_PER_MODULE; ++i) {
-+            /*
++        object_property_add(obj, "max_rpm[*]", "uint32",
-+             * SFPA is RAZ/WI from NS. FPCA is RO if NSACR.CP10 == 0,
++                            npcm7xx_mft_get_max_rpm,
-+             * RES0 if the FPU is not present, and is stored in the S bank
++                            npcm7xx_mft_set_max_rpm,
-+             */
++                            NULL, &s->max_rpm[i]);
-+            if (arm_feature(env, ARM_FEATURE_VFP) &&
++    }
-+                extract32(env->v7m.nsacr, 10, 1)) {
++    qdev_init_gpio_in_named(dev, npcm7xx_mft_duty_handler, "duty",
-+                env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_FPCA_MASK;
++                            NPCM7XX_MFT_FANIN_COUNT);
-+                env->v7m.control[M_REG_S] |= val & R_V7M_CONTROL_FPCA_MASK;
++}
-+            }
++
-+            return;
++static const VMStateDescription vmstate_npcm7xx_mft = {
-+        case 0x98: /* SP_NS */
++    .name = "npcm7xx-mft-module",
-+        {
++    .version_id = 0,
-+            /*
++    .minimum_version_id = 0,
-+             * This gives the non-secure SP selected based on whether we're
++    .fields = (VMStateField[]) {
-+             * currently in handler mode or not, using the NS CONTROL.SPSEL.
++        VMSTATE_CLOCK(clock_in, NPCM7xxMFTState),
-+             */
++        VMSTATE_CLOCK(clock_1, NPCM7xxMFTState),
-+            bool spsel = env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK;
++        VMSTATE_CLOCK(clock_2, NPCM7xxMFTState),
-+            bool is_psp = !arm_v7m_is_handler_mode(env) && spsel;
++        VMSTATE_UINT16_ARRAY(regs, NPCM7xxMFTState, NPCM7XX_MFT_NR_REGS),
-+            uint32_t limit;
++        VMSTATE_UINT32_ARRAY(max_rpm, NPCM7xxMFTState, NPCM7XX_MFT_FANIN_COUNT),
-+
++        VMSTATE_UINT32_ARRAY(duty, NPCM7xxMFTState, NPCM7XX_MFT_FANIN_COUNT),
-+            if (!env->v7m.secure) {
++        VMSTATE_END_OF_LIST(),
-+                return;
++    },
-+            }
++};
 +
-+            limit = is_psp ? env->v7m.psplim[false] : env->v7m.msplim[false];
++static void npcm7xx_mft_class_init(ObjectClass *klass, void *data)
-+
++{
-+            if (val < limit) {
++    ResettableClass *rc = RESETTABLE_CLASS(klass);
-+                CPUState *cs = env_cpu(env);
++    DeviceClass *dc = DEVICE_CLASS(klass);
 +
-+                cpu_restore_state(cs, GETPC(), true);
++    dc->desc = "NPCM7xx MFT Controller";
-+                raise_exception(env, EXCP_STKOF, 0, 1);
++    dc->vmsd = &vmstate_npcm7xx_mft;
-+            }
++    rc->phases.enter = npcm7xx_mft_enter_reset;
-+
++    rc->phases.hold = npcm7xx_mft_hold_reset;
-+            if (is_psp) {
++}
-+                env->v7m.other_ss_psp = val;
++
-+            } else {
++static const TypeInfo npcm7xx_mft_info = {
-+                env->v7m.other_ss_msp = val;
++    .name               = TYPE_NPCM7XX_MFT,
-+            }
++    .parent             = TYPE_SYS_BUS_DEVICE,
-+            return;
++    .instance_size      = sizeof(NPCM7xxMFTState),
-+        }
++    .class_init         = npcm7xx_mft_class_init,
-+        default:
++    .instance_init      = npcm7xx_mft_init,
-+            break;
++};
-+        }
++
-+    }
++static void npcm7xx_mft_register_type(void)
-+
++{
-+    switch (reg) {
++    type_register_static(&npcm7xx_mft_info);
-+    case 0 ... 7: /* xPSR sub-fields */
++}
-+        /* only APSR is actually writable */
++type_init(npcm7xx_mft_register_type);
-+        if (!(reg & 4)) {
+diff --git a/hw/misc/meson.build b/hw/misc/meson.build
-+            uint32_t apsrmask = 0;
+index XXXXXXX..XXXXXXX 100644
-+
+--- a/hw/misc/meson.build
-+            if (mask & 8) {
++++ b/hw/misc/meson.build
-+                apsrmask |= XPSR_NZCV | XPSR_Q;
+@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_MAINSTONE', if_true: files('mst_fpga.c'))
-+            }
+ softmmu_ss.add(when: 'CONFIG_NPCM7XX', if_true: files(
-+            if ((mask & 4) && arm_feature(env, ARM_FEATURE_THUMB_DSP)) {
+   'npcm7xx_clk.c',
-+                apsrmask |= XPSR_GE;
+   'npcm7xx_gcr.c',
-+            }
++  'npcm7xx_mft.c',
-+            xpsr_write(env, val, apsrmask);
+   'npcm7xx_pwm.c',
-+        }
+   'npcm7xx_rng.c',
-+        break;
+ ))
-+    case 8: /* MSP */
+diff --git a/hw/misc/trace-events b/hw/misc/trace-events
-+        if (v7m_using_psp(env)) {
+index XXXXXXX..XXXXXXX 100644
-+            env->v7m.other_sp = val;
+--- a/hw/misc/trace-events
-+        } else {
++++ b/hw/misc/trace-events
-+            env->regs[13] = val;
+@@ -XXX,XX +XXX,XX @@ npcm7xx_clk_write(uint64_t offset, uint32_t value) "offset: 0x%04" PRIx64 " valu
-+        }
+ npcm7xx_gcr_read(uint64_t offset, uint32_t value) " offset: 0x%04" PRIx64 " value: 0x%08" PRIx32
-+        break;
+ npcm7xx_gcr_write(uint64_t offset, uint32_t value) "offset: 0x%04" PRIx64 " value: 0x%08" PRIx32
-+    case 9: /* PSP */
-+        if (v7m_using_psp(env)) {
++# npcm7xx_mft.c
-+            env->regs[13] = val;
++npcm7xx_mft_read(const char *name, uint64_t offset, uint16_t value) "%s: offset: 0x%04" PRIx64 " value: 0x%04" PRIx16
-+        } else {
++npcm7xx_mft_write(const char *name, uint64_t offset, uint16_t value) "%s: offset: 0x%04" PRIx64 " value: 0x%04" PRIx16
-+            env->v7m.other_sp = val;
++npcm7xx_mft_rpm(const char *clock, uint32_t clock_hz, int state, int32_t cnt, uint32_t rpm, uint32_t duty) " fan clk: %s clock_hz: %" PRIu32 ", state: %d, cnt: %" PRIi32 ", rpm: %" PRIu32 ", duty: %" PRIu32
-+        }
++npcm7xx_mft_capture(const char *name, int irq_level) "%s: level: %d"
-+        break;
++npcm7xx_mft_update_clock(const char *name, uint16_t sel, uint64_t clock_period, uint64_t prescaled_clock_period) "%s: sel: 0x%02" PRIx16 ", period: %" PRIu64 ", prescaled: %" PRIu64
-+    case 10: /* MSPLIM */
++npcm7xx_mft_set_duty(const char *name, int n, int value) "%s[%d]: %d"
-+        if (!arm_feature(env, ARM_FEATURE_V8)) {
++
-+            goto bad_reg;
+ # npcm7xx_rng.c
-+        }
+ npcm7xx_rng_read(uint64_t offset, uint64_t value, unsigned size) "offset: 0x%04" PRIx64 " value: 0x%02" PRIx64 " size: %u"
-+        env->v7m.msplim[env->v7m.secure] = val & ~7;
+ npcm7xx_rng_write(uint64_t offset, uint64_t value, unsigned size) "offset: 0x%04" PRIx64 " value: 0x%02" PRIx64 " size: %u"
 +        break;
 +    case 11: /* PSPLIM */
 +        if (!arm_feature(env, ARM_FEATURE_V8)) {
 +            goto bad_reg;
 +        }
 +        env->v7m.psplim[env->v7m.secure] = val & ~7;
 +        break;
 +    case 16: /* PRIMASK */
 +        env->v7m.primask[env->v7m.secure] = val & 1;
 +        break;
 +    case 17: /* BASEPRI */
 +        if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
 +            goto bad_reg;
 +        }
 +        env->v7m.basepri[env->v7m.secure] = val & 0xff;
 +        break;
 +    case 18: /* BASEPRI_MAX */
 +        if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
 +            goto bad_reg;
 +        }
 +        val &= 0xff;
 +        if (val != 0 && (val < env->v7m.basepri[env->v7m.secure]
 +                         || env->v7m.basepri[env->v7m.secure] == 0)) {
 +            env->v7m.basepri[env->v7m.secure] = val;
 +        }
 +        break;
 +    case 19: /* FAULTMASK */
 +        if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
 +            goto bad_reg;
 +        }
 +        env->v7m.faultmask[env->v7m.secure] = val & 1;
 +        break;
 +    case 20: /* CONTROL */
 +        /*
 +         * Writing to the SPSEL bit only has an effect if we are in
 +         * thread mode; other bits can be updated by any privileged code.
 +         * write_v7m_control_spsel() deals with updating the SPSEL bit in
 +         * env->v7m.control, so we only need update the others.
 +         * For v7M, we must just ignore explicit writes to SPSEL in handler
 +         * mode; for v8M the write is permitted but will have no effect.
 +         * All these bits are writes-ignored from non-privileged code,
 +         * except for SFPA.
 +         */
 +        if (cur_el > 0 && (arm_feature(env, ARM_FEATURE_V8) ||
 +                           !arm_v7m_is_handler_mode(env))) {
 +            write_v7m_control_spsel(env, (val & R_V7M_CONTROL_SPSEL_MASK) != 0);
 +        }
 +        if (cur_el > 0 && arm_feature(env, ARM_FEATURE_M_MAIN)) {
 +            env->v7m.control[env->v7m.secure] &= ~R_V7M_CONTROL_NPRIV_MASK;
 +            env->v7m.control[env->v7m.secure] |= val & R_V7M_CONTROL_NPRIV_MASK;
 +        }
 +        if (arm_feature(env, ARM_FEATURE_VFP)) {
 +            /*
 +             * SFPA is RAZ/WI from NS or if no FPU.
 +             * FPCA is RO if NSACR.CP10 == 0, RES0 if the FPU is not present.
 +             * Both are stored in the S bank.
 +             */
 +            if (env->v7m.secure) {
 +                env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
 +                env->v7m.control[M_REG_S] |= val & R_V7M_CONTROL_SFPA_MASK;
 +            }
 +            if (cur_el > 0 &&
 +                (env->v7m.secure || !arm_feature(env, ARM_FEATURE_M_SECURITY) ||
 +                 extract32(env->v7m.nsacr, 10, 1))) {
 +                env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_FPCA_MASK;
 +                env->v7m.control[M_REG_S] |= val & R_V7M_CONTROL_FPCA_MASK;
 +            }
 +        }
 +        break;
 +    default:
 +    bad_reg:
 +        qemu_log_mask(LOG_GUEST_ERROR, "Attempt to write unknown special"
 +                                       " register %d\n", reg);
 +        return;
 +    }
 +}
 +
 +uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
 +{
 +    /* Implement the TT instruction. op is bits [7:6] of the insn. */
 +    bool forceunpriv = op & 1;
 +    bool alt = op & 2;
 +    V8M_SAttributes sattrs = {};
 +    uint32_t tt_resp;
 +    bool r, rw, nsr, nsrw, mrvalid;
 +    int prot;
 +    ARMMMUFaultInfo fi = {};
 +    MemTxAttrs attrs = {};
 +    hwaddr phys_addr;
 +    ARMMMUIdx mmu_idx;
 +    uint32_t mregion;
 +    bool targetpriv;
 +    bool targetsec = env->v7m.secure;
 +    bool is_subpage;
 +
 +    /*
 +     * Work out what the security state and privilege level we're
 +     * interested in is...
 +     */
 +    if (alt) {
 +        targetsec = !targetsec;
 +    }
 +
 +    if (forceunpriv) {
 +        targetpriv = false;
 +    } else {
 +        targetpriv = arm_v7m_is_handler_mode(env) ||
 +            !(env->v7m.control[targetsec] & R_V7M_CONTROL_NPRIV_MASK);
 +    }
 +
 +    /* ...and then figure out which MMU index this is */
 +    mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, targetsec, targetpriv);
 +
 +    /*
 +     * We know that the MPU and SAU don't care about the access type
 +     * for our purposes beyond that we don't want to claim to be
 +     * an insn fetch, so we arbitrarily call this a read.
 +     */
 +
 +    /*
 +     * MPU region info only available for privileged or if
 +     * inspecting the other MPU state.
 +     */
 +    if (arm_current_el(env) != 0 || alt) {
 +        /* We can ignore the return value as prot is always set */
 +        pmsav8_mpu_lookup(env, addr, MMU_DATA_LOAD, mmu_idx,
 +                          &phys_addr, &attrs, &prot, &is_subpage,
 +                          &fi, &mregion);
 +        if (mregion == -1) {
 +            mrvalid = false;
 +            mregion = 0;
 +        } else {
 +            mrvalid = true;
 +        }
 +        r = prot & PAGE_READ;
 +        rw = prot & PAGE_WRITE;
 +    } else {
 +        r = false;
 +        rw = false;
 +        mrvalid = false;
 +        mregion = 0;
 +    }
 +
 +    if (env->v7m.secure) {
 +        v8m_security_lookup(env, addr, MMU_DATA_LOAD, mmu_idx, &sattrs);
 +        nsr = sattrs.ns && r;
 +        nsrw = sattrs.ns && rw;
 +    } else {
 +        sattrs.ns = true;
 +        nsr = false;
 +        nsrw = false;
 +    }
 +
 +    tt_resp = (sattrs.iregion << 24) |
 +        (sattrs.irvalid << 23) |
 +        ((!sattrs.ns) << 22) |
 +        (nsrw << 21) |
 +        (nsr << 20) |
 +        (rw << 19) |
 +        (r << 18) |
 +        (sattrs.srvalid << 17) |
 +        (mrvalid << 16) |
 +        (sattrs.sregion << 8) |
 +        mregion;
 +
 +    return tt_resp;
 +}
 +
 +#endif /* !CONFIG_USER_ONLY */
 +
 +ARMMMUIdx arm_v7m_mmu_idx_all(CPUARMState *env,
 +                              bool secstate, bool priv, bool negpri)
 +{
 +    ARMMMUIdx mmu_idx = ARM_MMU_IDX_M;
 +
 +    if (priv) {
 +        mmu_idx |= ARM_MMU_IDX_M_PRIV;
 +    }
 +
 +    if (negpri) {
 +        mmu_idx |= ARM_MMU_IDX_M_NEGPRI;
 +    }
 +
 +    if (secstate) {
 +        mmu_idx |= ARM_MMU_IDX_M_S;
 +    }
 +
 +    return mmu_idx;
 +}
 +
 +ARMMMUIdx arm_v7m_mmu_idx_for_secstate_and_priv(CPUARMState *env,
 +                                                bool secstate, bool priv)
 +{
 +    bool negpri = armv7m_nvic_neg_prio_requested(env->nvic, secstate);
 +
 +    return arm_v7m_mmu_idx_all(env, secstate, priv, negpri);
 +}
 +
 +/* Return the MMU index for a v7M CPU in the specified security state */
 +ARMMMUIdx arm_v7m_mmu_idx_for_secstate(CPUARMState *env, bool secstate)
 +{
 +    bool priv = arm_current_el(env) != 0;
 +
 +    return arm_v7m_mmu_idx_for_secstate_and_priv(env, secstate, priv);
 +}
 --
 .20.1

-New patch
+[PULL 28/39] hw/arm: Add MFT device to NPCM7xx Soc
+From: Hao Wu <wuhaotsh@google.com>
+This patch adds the recently implemented MFT device to the NPCM7XX
+SoC file.
+Reviewed-by: Doug Evans <dje@google.com>
+Reviewed-by: Tyrone Ting <kfting@nuvoton.com>
+Signed-off-by: Hao Wu <wuhaotsh@google.com>
+Message-id: 20210311180855.149764-4-wuhaotsh@google.com
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ docs/system/arm/nuvoton.rst |  2 +-
+ include/hw/arm/npcm7xx.h    |  2 ++
+ hw/arm/npcm7xx.c            | 45 ++++++++++++++++++++++++++++++-------
+files changed, 40 insertions(+), 9 deletions(-)
+diff --git a/docs/system/arm/nuvoton.rst b/docs/system/arm/nuvoton.rst
+index XXXXXXX..XXXXXXX 100644
+--- a/docs/system/arm/nuvoton.rst
++++ b/docs/system/arm/nuvoton.rst
+@@ -XXX,XX +XXX,XX @@ Supported devices
+  * Pulse Width Modulation (PWM)
+  * SMBus controller (SMBF)
+  * Ethernet controller (EMC)
++ * Tachometer
+ Missing devices
+ ---------------
+@@ -XXX,XX +XXX,XX @@ Missing devices
+  * Peripheral SPI controller (PSPI)
+  * SD/MMC host
+  * PECI interface
+- * Tachometer
+  * PCI and PCIe root complex and bridges
+  * VDM and MCTP support
+  * Serial I/O expansion
+diff --git a/include/hw/arm/npcm7xx.h b/include/hw/arm/npcm7xx.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/arm/npcm7xx.h
++++ b/include/hw/arm/npcm7xx.h
+@@ -XXX,XX +XXX,XX @@
+ #include "hw/mem/npcm7xx_mc.h"
+ #include "hw/misc/npcm7xx_clk.h"
+ #include "hw/misc/npcm7xx_gcr.h"
++#include "hw/misc/npcm7xx_mft.h"
+ #include "hw/misc/npcm7xx_pwm.h"
+ #include "hw/misc/npcm7xx_rng.h"
+ #include "hw/net/npcm7xx_emc.h"
+@@ -XXX,XX +XXX,XX @@ typedef struct NPCM7xxState {
+     NPCM7xxTimerCtrlState tim[3];
+     NPCM7xxADCState     adc;
+     NPCM7xxPWMState     pwm[2];
++    NPCM7xxMFTState     mft[8];
+     NPCM7xxOTPState     key_storage;
+     NPCM7xxOTPState     fuse_array;
+     NPCM7xxMCState      mc;
+diff --git a/hw/arm/npcm7xx.c b/hw/arm/npcm7xx.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/npcm7xx.c
++++ b/hw/arm/npcm7xx.c
+@@ -XXX,XX +XXX,XX @@ enum NPCM7xxInterrupt {
+     NPCM7XX_SMBUS15_IRQ,
+     NPCM7XX_PWM0_IRQ            = 93,   /* PWM module 0 */
+     NPCM7XX_PWM1_IRQ,                   /* PWM module 1 */
++    NPCM7XX_MFT0_IRQ            = 96,   /* MFT module 0 */
++    NPCM7XX_MFT1_IRQ,                   /* MFT module 1 */
++    NPCM7XX_MFT2_IRQ,                   /* MFT module 2 */
++    NPCM7XX_MFT3_IRQ,                   /* MFT module 3 */
++    NPCM7XX_MFT4_IRQ,                   /* MFT module 4 */
++    NPCM7XX_MFT5_IRQ,                   /* MFT module 5 */
++    NPCM7XX_MFT6_IRQ,                   /* MFT module 6 */
++    NPCM7XX_MFT7_IRQ,                   /* MFT module 7 */
+     NPCM7XX_EMC2RX_IRQ          = 114,
+     NPCM7XX_EMC2TX_IRQ,
+     NPCM7XX_GPIO0_IRQ           = 116,
+@@ -XXX,XX +XXX,XX @@ static const hwaddr npcm7xx_pwm_addr[] = {
+xf0104000,
+ };
++/* Register base address for each MFT Module */
++static const hwaddr npcm7xx_mft_addr[] = {
++    0xf0180000,
++    0xf0181000,
++    0xf0182000,
++    0xf0183000,
++    0xf0184000,
++    0xf0185000,
++    0xf0186000,
++    0xf0187000,
++};
++
+ /* Direct memory-mapped access to each SMBus Module. */
+ static const hwaddr npcm7xx_smbus_addr[] = {
+xf0080000,
+@@ -XXX,XX +XXX,XX @@ static void npcm7xx_init(Object *obj)
+         object_initialize_child(obj, "pwm[*]", &s->pwm[i], TYPE_NPCM7XX_PWM);
+     }
++    for (i = 0; i < ARRAY_SIZE(s->mft); i++) {
++        object_initialize_child(obj, "mft[*]", &s->mft[i], TYPE_NPCM7XX_MFT);
++    }
++
+     for (i = 0; i < ARRAY_SIZE(s->emc); i++) {
+         object_initialize_child(obj, "emc[*]", &s->emc[i], TYPE_NPCM7XX_EMC);
+     }
+@@ -XXX,XX +XXX,XX @@ static void npcm7xx_realize(DeviceState *dev, Error **errp)
+         sysbus_connect_irq(sbd, i, npcm7xx_irq(s, NPCM7XX_PWM0_IRQ + i));
+     }
++    /* MFT Modules. Cannot fail. */
++    QEMU_BUILD_BUG_ON(ARRAY_SIZE(npcm7xx_mft_addr) != ARRAY_SIZE(s->mft));
++    for (i = 0; i < ARRAY_SIZE(s->mft); i++) {
++        SysBusDevice *sbd = SYS_BUS_DEVICE(&s->mft[i]);
++
++        qdev_connect_clock_in(DEVICE(&s->mft[i]), "clock-in",
++                              qdev_get_clock_out(DEVICE(&s->clk),
++                                                 "apb4-clock"));
++        sysbus_realize(sbd, &error_abort);
++        sysbus_mmio_map(sbd, 0, npcm7xx_mft_addr[i]);
++        sysbus_connect_irq(sbd, 0, npcm7xx_irq(s, NPCM7XX_MFT0_IRQ + i));
++    }
++
+     /*
+      * EMC Modules. Cannot fail.
+      * The mapping of the device to its netdev backend works as follows:
+@@ -XXX,XX +XXX,XX @@ static void npcm7xx_realize(DeviceState *dev, Error **errp)
+     create_unimplemented_device("npcm7xx.peci",         0xf0100000,   4 * KiB);
+     create_unimplemented_device("npcm7xx.siox[1]",      0xf0101000,   4 * KiB);
+     create_unimplemented_device("npcm7xx.siox[2]",      0xf0102000,   4 * KiB);
+-    create_unimplemented_device("npcm7xx.mft[0]",       0xf0180000,   4 * KiB);
+-    create_unimplemented_device("npcm7xx.mft[1]",       0xf0181000,   4 * KiB);
+-    create_unimplemented_device("npcm7xx.mft[2]",       0xf0182000,   4 * KiB);
+-    create_unimplemented_device("npcm7xx.mft[3]",       0xf0183000,   4 * KiB);
+-    create_unimplemented_device("npcm7xx.mft[4]",       0xf0184000,   4 * KiB);
+-    create_unimplemented_device("npcm7xx.mft[5]",       0xf0185000,   4 * KiB);
+-    create_unimplemented_device("npcm7xx.mft[6]",       0xf0186000,   4 * KiB);
+-    create_unimplemented_device("npcm7xx.mft[7]",       0xf0187000,   4 * KiB);
+     create_unimplemented_device("npcm7xx.pspi1",        0xf0200000,   4 * KiB);
+     create_unimplemented_device("npcm7xx.pspi2",        0xf0201000,   4 * KiB);
+     create_unimplemented_device("npcm7xx.ahbpci",       0xf0400000,   1 * MiB);
+--
+.20.1

-New patch
+[PULL 29/39] hw/arm: Connect PWM fans in NPCM7XX boards
+From: Hao Wu <wuhaotsh@google.com>
 This patch adds fan_splitters (split IRQs) in NPCM7XX boards. Each fan
 splitter corresponds to 1 PWM output and can connect to multiple fan
 inputs (MFT devices).
 In NPCM7XX boards(NPCM750 EVB and Quanta GSJ boards), we initializes
 these splitters and connect them to their corresponding modules
 according their specific device trees.
 Reviewed-by: Doug Evans <dje@google.com>
 Reviewed-by: Tyrone Ting <kfting@nuvoton.com>
 Signed-off-by: Hao Wu <wuhaotsh@google.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Message-id: 20210311180855.149764-5-wuhaotsh@google.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  include/hw/arm/npcm7xx.h | 11 ++++-
  hw/arm/npcm7xx_boards.c  | 99 ++++++++++++++++++++++++++++++++++++++++
 files changed, 109 insertions(+), 1 deletion(-)
 diff --git a/include/hw/arm/npcm7xx.h b/include/hw/arm/npcm7xx.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/arm/npcm7xx.h
 +++ b/include/hw/arm/npcm7xx.h
@@ -XXX,XX +XXX,XX @@
  #include "hw/boards.h"
  #include "hw/adc/npcm7xx_adc.h"
 +#include "hw/core/split-irq.h"
  #include "hw/cpu/a9mpcore.h"
  #include "hw/gpio/npcm7xx_gpio.h"
  #include "hw/i2c/npcm7xx_smbus.h"
@@ -XXX,XX +XXX,XX @@
  #define NPCM7XX_GIC_CPU_IF_ADDR         (0xf03fe100)  /* GIC within A9 */
  #define NPCM7XX_BOARD_SETUP_ADDR        (0xffff1000)  /* Boot ROM */
 +#define NPCM7XX_NR_PWM_MODULES 2
 +
  typedef struct NPCM7xxMachine {
      MachineState        parent;
 +    /*
 +     * PWM fan splitter. each splitter connects to one PWM output and
 +     * multiple MFT inputs.
 +     */
 +    SplitIRQ            fan_splitter[NPCM7XX_NR_PWM_MODULES *
 +                                     NPCM7XX_PWM_PER_MODULE];
  } NPCM7xxMachine;
  #define TYPE_NPCM7XX_MACHINE MACHINE_TYPE_NAME("npcm7xx")
@@ -XXX,XX +XXX,XX @@ typedef struct NPCM7xxState {
      NPCM7xxCLKState     clk;
      NPCM7xxTimerCtrlState tim[3];
      NPCM7xxADCState     adc;
 -    NPCM7xxPWMState     pwm[2];
 +    NPCM7xxPWMState     pwm[NPCM7XX_NR_PWM_MODULES];
      NPCM7xxMFTState     mft[8];
      NPCM7xxOTPState     key_storage;
      NPCM7xxOTPState     fuse_array;
 diff --git a/hw/arm/npcm7xx_boards.c b/hw/arm/npcm7xx_boards.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/npcm7xx_boards.c
 +++ b/hw/arm/npcm7xx_boards.c
@@ -XXX,XX +XXX,XX @@
  #include "hw/core/cpu.h"
  #include "hw/i2c/smbus_eeprom.h"
  #include "hw/loader.h"
 +#include "hw/qdev-core.h"
  #include "hw/qdev-properties.h"
  #include "qapi/error.h"
  #include "qemu-common.h"
@@ -XXX,XX +XXX,XX @@ static void at24c_eeprom_init(NPCM7xxState *soc, int bus, uint8_t addr,
      i2c_slave_realize_and_unref(i2c_dev, i2c_bus, &error_abort);
  }
 +static void npcm7xx_init_pwm_splitter(NPCM7xxMachine *machine,
 +                                      NPCM7xxState *soc, const int *fan_counts)
 +{
 +    SplitIRQ *splitters = machine->fan_splitter;
 +
 +    /*
 +     * PWM 0~3 belong to module 0 output 0~3.
 +     * PWM 4~7 belong to module 1 output 0~3.
 +     */
 +    for (int i = 0; i < NPCM7XX_NR_PWM_MODULES; ++i) {
 +        for (int j = 0; j < NPCM7XX_PWM_PER_MODULE; ++j) {
 +            int splitter_no = i * NPCM7XX_PWM_PER_MODULE + j;
 +            DeviceState *splitter;
 +
 +            if (fan_counts[splitter_no] < 1) {
 +                continue;
 +            }
 +            object_initialize_child(OBJECT(machine), "fan-splitter[*]",
 +                                    &splitters[splitter_no], TYPE_SPLIT_IRQ);
 +            splitter = DEVICE(&splitters[splitter_no]);
 +            qdev_prop_set_uint16(splitter, "num-lines",
 +                                 fan_counts[splitter_no]);
 +            qdev_realize(splitter, NULL, &error_abort);
 +            qdev_connect_gpio_out_named(DEVICE(&soc->pwm[i]), "duty-gpio-out",
 +                                        j, qdev_get_gpio_in(splitter, 0));
 +        }
 +    }
 +}
 +
 +static void npcm7xx_connect_pwm_fan(NPCM7xxState *soc, SplitIRQ *splitter,
 +                                    int fan_no, int output_no)
 +{
 +    DeviceState *fan;
 +    int fan_input;
 +    qemu_irq fan_duty_gpio;
 +
 +    g_assert(fan_no >= 0 && fan_no <= NPCM7XX_MFT_MAX_FAN_INPUT);
 +    /*
 +     * Fan 0~1 belong to module 0 input 0~1.
 +     * Fan 2~3 belong to module 1 input 0~1.
 +     * ...
 +     * Fan 14~15 belong to module 7 input 0~1.
 +     * Fan 16~17 belong to module 0 input 2~3.
 +     * Fan 18~19 belong to module 1 input 2~3.
 +     */
 +    if (fan_no < 16) {
 +        fan = DEVICE(&soc->mft[fan_no / 2]);
 +        fan_input = fan_no % 2;
 +    } else {
 +        fan = DEVICE(&soc->mft[(fan_no - 16) / 2]);
 +        fan_input = fan_no % 2 + 2;
 +    }
 +
 +    /* Connect the Fan to PWM module */
 +    fan_duty_gpio = qdev_get_gpio_in_named(fan, "duty", fan_input);
 +    qdev_connect_gpio_out(DEVICE(splitter), output_no, fan_duty_gpio);
 +}
 +
  static void npcm750_evb_i2c_init(NPCM7xxState *soc)
  {
      /* lm75 temperature sensor on SVB, tmp105 is compatible */
@@ -XXX,XX +XXX,XX @@ static void npcm750_evb_i2c_init(NPCM7xxState *soc)
      i2c_slave_create_simple(npcm7xx_i2c_get_bus(soc, 6), "tmp105", 0x48);
  }
 +static void npcm750_evb_fan_init(NPCM7xxMachine *machine, NPCM7xxState *soc)
 +{
 +    SplitIRQ *splitter = machine->fan_splitter;
 +    static const int fan_counts[] = {2, 2, 2, 2, 2, 2, 2, 2};
 +
 +    npcm7xx_init_pwm_splitter(machine, soc, fan_counts);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[0], 0x00, 0);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[0], 0x01, 1);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[1], 0x02, 0);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[1], 0x03, 1);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[2], 0x04, 0);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[2], 0x05, 1);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[3], 0x06, 0);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[3], 0x07, 1);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[4], 0x08, 0);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[4], 0x09, 1);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[5], 0x0a, 0);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[5], 0x0b, 1);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[6], 0x0c, 0);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[6], 0x0d, 1);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[7], 0x0e, 0);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[7], 0x0f, 1);
 +}
 +
  static void quanta_gsj_i2c_init(NPCM7xxState *soc)
  {
      /* GSJ machine have 4 max31725 temperature sensors, tmp105 is compatible. */
@@ -XXX,XX +XXX,XX @@ static void quanta_gsj_i2c_init(NPCM7xxState *soc)
      /* TODO: Add additional i2c devices. */
  }
 +static void quanta_gsj_fan_init(NPCM7xxMachine *machine, NPCM7xxState *soc)
 +{
 +    SplitIRQ *splitter = machine->fan_splitter;
 +    static const int fan_counts[] = {2, 2, 2, 0, 0, 0, 0, 0};
 +
 +    npcm7xx_init_pwm_splitter(machine, soc, fan_counts);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[0], 0x00, 0);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[0], 0x01, 1);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[1], 0x02, 0);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[1], 0x03, 1);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[2], 0x04, 0);
 +    npcm7xx_connect_pwm_fan(soc, &splitter[2], 0x05, 1);
 +}
 +
  static void npcm750_evb_init(MachineState *machine)
  {
      NPCM7xxState *soc;
@@ -XXX,XX +XXX,XX @@ static void npcm750_evb_init(MachineState *machine)
      npcm7xx_load_bootrom(machine, soc);
      npcm7xx_connect_flash(&soc->fiu[0], 0, "w25q256", drive_get(IF_MTD, 0, 0));
      npcm750_evb_i2c_init(soc);
 +    npcm750_evb_fan_init(NPCM7XX_MACHINE(machine), soc);
      npcm7xx_load_kernel(machine, soc);
  }
@@ -XXX,XX +XXX,XX @@ static void quanta_gsj_init(MachineState *machine)
      npcm7xx_connect_flash(&soc->fiu[0], 0, "mx25l25635e",
                            drive_get(IF_MTD, 0, 0));
      quanta_gsj_i2c_init(soc);
 +    quanta_gsj_fan_init(NPCM7XX_MACHINE(machine), soc);
      npcm7xx_load_kernel(machine, soc);
  }
 --
 .20.1

-[Qemu-devel] [PULL 9/9] target/arm: Correct VMOV_imm_dp handling of short vectors
+[PULL 30/39] tests/qtest: Test PWM fan RPM using MFT in PWM test
-Coverity points out (CID 1402195) that the loop in trans_VMOV_imm_dp()
+From: Hao Wu <wuhaotsh@google.com>
-that iterates over the destination registers in a short-vector VMOV
-accidentally throws away the returned updated register number
+This patch adds testing of PWM fan RPMs in the existing npcm7xx pwm
-from vfp_advance_dreg(). Add the missing assignment. (We got this
+test. It tests whether the MFT module can measure correct fan values
-correct in trans_VMOV_imm_sp().)
+for a PWM fan in NPCM7XX boards.
-Fixes: 18cf951af9a27ae573a
+Reviewed-by: Doug Evans <dje@google.com>
 Reviewed-by: Tyrone Ting <kfting@nuvoton.com>
 Signed-off-by: Hao Wu <wuhaotsh@google.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Message-id: 20210311180855.149764-6-wuhaotsh@google.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190702105115.9465-1-peter.maydell@linaro.org
 ---
- target/arm/translate-vfp.inc.c | 2 +-
+ tests/qtest/npcm7xx_pwm-test.c | 205 ++++++++++++++++++++++++++++++++-
-file changed, 1 insertion(+), 1 deletion(-)
+file changed, 199 insertions(+), 6 deletions(-)
-diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
+diff --git a/tests/qtest/npcm7xx_pwm-test.c b/tests/qtest/npcm7xx_pwm-test.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-vfp.inc.c
+--- a/tests/qtest/npcm7xx_pwm-test.c
-+++ b/target/arm/translate-vfp.inc.c
++++ b/tests/qtest/npcm7xx_pwm-test.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_imm_dp(DisasContext *s, arg_VMOV_imm_dp *a)
+@@ -XXX,XX +XXX,XX @@
+ #define PLL_FBDV(rv)    extract32((rv), 16, 12)
-         /* Set up the operands for the next iteration */
+ #define PLL_OTDV1(rv)   extract32((rv), 8, 3)
-         veclen--;
+ #define PLL_OTDV2(rv)   extract32((rv), 13, 3)
--        vfp_advance_dreg(vd, delta_d);
++#define APB4CKDIV(rv)   extract32((rv), 30, 2)
-+        vd = vfp_advance_dreg(vd, delta_d);
+ #define APB3CKDIV(rv)   extract32((rv), 28, 2)
  #define CLK2CKDIV(rv)   extract32((rv), 0, 1)
  #define CLK4CKDIV(rv)   extract32((rv), 26, 2)
@@ -XXX,XX +XXX,XX @@
  #define MAX_DUTY        1000000
 +/* MFT (PWM fan) related */
 +#define MFT_BA(n)       (0xf0180000 + ((n) * 0x1000))
 +#define MFT_IRQ(n)      (96 + (n))
 +#define MFT_CNT1        0x00
 +#define MFT_CRA         0x02
 +#define MFT_CRB         0x04
 +#define MFT_CNT2        0x06
 +#define MFT_PRSC        0x08
 +#define MFT_CKC         0x0a
 +#define MFT_MCTRL       0x0c
 +#define MFT_ICTRL       0x0e
 +#define MFT_ICLR        0x10
 +#define MFT_IEN         0x12
 +#define MFT_CPA         0x14
 +#define MFT_CPB         0x16
 +#define MFT_CPCFG       0x18
 +#define MFT_INASEL      0x1a
 +#define MFT_INBSEL      0x1c
 +
 +#define MFT_MCTRL_ALL   0x64
 +#define MFT_ICLR_ALL    0x3f
 +#define MFT_IEN_ALL     0x3f
 +#define MFT_CPCFG_EQ_MODE 0x44
 +
 +#define MFT_CKC_C2CSEL  BIT(3)
 +#define MFT_CKC_C1CSEL  BIT(0)
 +
 +#define MFT_ICTRL_TFPND BIT(5)
 +#define MFT_ICTRL_TEPND BIT(4)
 +#define MFT_ICTRL_TDPND BIT(3)
 +#define MFT_ICTRL_TCPND BIT(2)
 +#define MFT_ICTRL_TBPND BIT(1)
 +#define MFT_ICTRL_TAPND BIT(0)
 +
 +#define MFT_MAX_CNT     0xffff
 +#define MFT_TIMEOUT     0x5000
 +
 +#define DEFAULT_RPM     19800
 +#define DEFAULT_PRSC    255
 +#define MFT_PULSE_PER_REVOLUTION 2
 +
 +#define MAX_ERROR       1
 +
  typedef struct PWMModule {
      int irq;
      uint64_t base_addr;
@@ -XXX,XX +XXX,XX @@ static uint64_t pwm_get_duty(QTestState *qts, int module_index, int pwm_index)
      return pwm_qom_get(qts, path, name);
  }
 +static void mft_qom_set(QTestState *qts, int index, const char *name,
 +                        uint32_t value)
 +{
 +    QDict *response;
 +    char *path = g_strdup_printf("/machine/soc/mft[%d]", index);
 +
 +    g_test_message("Setting properties %s of mft[%d] with value %u",
 +                   name, index, value);
 +    response = qtest_qmp(qts, "{ 'execute': 'qom-set',"
 +            " 'arguments': { 'path': %s, "
 +            " 'property': %s, 'value': %u}}",
 +            path, name, value);
 +    /* The qom set message returns successfully. */
 +    g_assert_true(qdict_haskey(response, "return"));
 +}
 +
  static uint32_t get_pll(uint32_t con)
  {
      return REF_HZ * PLL_FBDV(con) / (PLL_INDV(con) * PLL_OTDV1(con)
              * PLL_OTDV2(con));
  }
 -static uint64_t read_pclk(QTestState *qts)
 +static uint64_t read_pclk(QTestState *qts, bool mft)
  {
      uint64_t freq = REF_HZ;
      uint32_t clksel = qtest_readl(qts, CLK_BA + CLKSEL);
      uint32_t pllcon;
      uint32_t clkdiv1 = qtest_readl(qts, CLK_BA + CLKDIV1);
      uint32_t clkdiv2 = qtest_readl(qts, CLK_BA + CLKDIV2);
 +    uint32_t apbdiv = mft ? APB4CKDIV(clkdiv2) : APB3CKDIV(clkdiv2);
      switch (CPUCKSEL(clksel)) {
      case 0:
@@ -XXX,XX +XXX,XX @@ static uint64_t read_pclk(QTestState *qts)
          g_assert_not_reached();
      }
-     tcg_temp_free_i64(fd);
+-    freq >>= (CLK2CKDIV(clkdiv1) + CLK4CKDIV(clkdiv1) + APB3CKDIV(clkdiv2));
 +    freq >>= (CLK2CKDIV(clkdiv1) + CLK4CKDIV(clkdiv1) + apbdiv);
      return freq;
  }
@@ -XXX,XX +XXX,XX @@ static uint32_t pwm_selector(uint32_t csr)
  static uint64_t pwm_compute_freq(QTestState *qts, uint32_t ppr, uint32_t csr,
          uint32_t cnr)
  {
 -    return read_pclk(qts) / ((ppr + 1) * pwm_selector(csr) * (cnr + 1));
 +    return read_pclk(qts, false) / ((ppr + 1) * pwm_selector(csr) * (cnr + 1));
  }
  static uint64_t pwm_compute_duty(uint32_t cnr, uint32_t cmr, bool inverted)
@@ -XXX,XX +XXX,XX @@ static void pwm_write(QTestState *qts, const TestData *td, unsigned offset,
      qtest_writel(qts, td->module->base_addr + offset, value);
  }
 +static uint8_t mft_readb(QTestState *qts, int index, unsigned offset)
 +{
 +    return qtest_readb(qts, MFT_BA(index) + offset);
 +}
 +
 +static uint16_t mft_readw(QTestState *qts, int index, unsigned offset)
 +{
 +    return qtest_readw(qts, MFT_BA(index) + offset);
 +}
 +
 +static void mft_writeb(QTestState *qts, int index, unsigned offset,
 +                        uint8_t value)
 +{
 +    qtest_writeb(qts, MFT_BA(index) + offset, value);
 +}
 +
 +static void mft_writew(QTestState *qts, int index, unsigned offset,
 +                        uint16_t value)
 +{
 +    return qtest_writew(qts, MFT_BA(index) + offset, value);
 +}
 +
  static uint32_t pwm_read_ppr(QTestState *qts, const TestData *td)
  {
      return extract32(pwm_read(qts, td, PPR), ppr_base[pwm_index(td->pwm)], 8);
@@ -XXX,XX +XXX,XX @@ static void pwm_write_cmr(QTestState *qts, const TestData *td, uint32_t value)
      pwm_write(qts, td, td->pwm->cmr_offset, value);
  }
 +static int mft_compute_index(const TestData *td)
 +{
 +    int index = pwm_module_index(td->module) * ARRAY_SIZE(pwm_list) +
 +                pwm_index(td->pwm);
 +
 +    g_assert_cmpint(index, <,
 +                    ARRAY_SIZE(pwm_module_list) * ARRAY_SIZE(pwm_list));
 +
 +    return index;
 +}
 +
 +static void mft_reset_counters(QTestState *qts, int index)
 +{
 +    mft_writew(qts, index, MFT_CNT1, MFT_MAX_CNT);
 +    mft_writew(qts, index, MFT_CNT2, MFT_MAX_CNT);
 +    mft_writew(qts, index, MFT_CRA, MFT_MAX_CNT);
 +    mft_writew(qts, index, MFT_CRB, MFT_MAX_CNT);
 +    mft_writew(qts, index, MFT_CPA, MFT_MAX_CNT - MFT_TIMEOUT);
 +    mft_writew(qts, index, MFT_CPB, MFT_MAX_CNT - MFT_TIMEOUT);
 +}
 +
 +static void mft_init(QTestState *qts, const TestData *td)
 +{
 +    int index = mft_compute_index(td);
 +
 +    /* Enable everything */
 +    mft_writeb(qts, index, MFT_CKC, 0);
 +    mft_writeb(qts, index, MFT_ICLR, MFT_ICLR_ALL);
 +    mft_writeb(qts, index, MFT_MCTRL, MFT_MCTRL_ALL);
 +    mft_writeb(qts, index, MFT_IEN, MFT_IEN_ALL);
 +    mft_writeb(qts, index, MFT_INASEL, 0);
 +    mft_writeb(qts, index, MFT_INBSEL, 0);
 +
 +    /* Set cpcfg to use EQ mode, same as kernel driver */
 +    mft_writeb(qts, index, MFT_CPCFG, MFT_CPCFG_EQ_MODE);
 +
 +    /* Write default counters, timeout and prescaler */
 +    mft_reset_counters(qts, index);
 +    mft_writeb(qts, index, MFT_PRSC, DEFAULT_PRSC);
 +
 +    /* Write default max rpm via QMP */
 +    mft_qom_set(qts, index, "max_rpm[0]", DEFAULT_RPM);
 +    mft_qom_set(qts, index, "max_rpm[1]", DEFAULT_RPM);
 +}
 +
 +static int32_t mft_compute_cnt(uint32_t rpm, uint64_t clk)
 +{
 +    uint64_t cnt;
 +
 +    if (rpm == 0) {
 +        return -1;
 +    }
 +
 +    cnt = clk * 60 / ((DEFAULT_PRSC + 1) * rpm * MFT_PULSE_PER_REVOLUTION);
 +    if (cnt >= MFT_TIMEOUT) {
 +        return -1;
 +    }
 +    return MFT_MAX_CNT - cnt;
 +}
 +
 +static void mft_verify_rpm(QTestState *qts, const TestData *td, uint64_t duty)
 +{
 +    int index = mft_compute_index(td);
 +    uint16_t cnt, cr;
 +    uint32_t rpm = DEFAULT_RPM * duty / MAX_DUTY;
 +    uint64_t clk = read_pclk(qts, true);
 +    int32_t expected_cnt = mft_compute_cnt(rpm, clk);
 +
 +    qtest_irq_intercept_in(qts, "/machine/soc/a9mpcore/gic");
 +    g_test_message(
 +        "verifying rpm for mft[%d]: clk: %lu, duty: %lu, rpm: %u, cnt: %d",
 +        index, clk, duty, rpm, expected_cnt);
 +
 +    /* Verify rpm for fan A */
 +    /* Stop capture */
 +    mft_writeb(qts, index, MFT_CKC, 0);
 +    mft_writeb(qts, index, MFT_ICLR, MFT_ICLR_ALL);
 +    mft_reset_counters(qts, index);
 +    g_assert_cmphex(mft_readw(qts, index, MFT_CNT1), ==, MFT_MAX_CNT);
 +    g_assert_cmphex(mft_readw(qts, index, MFT_CRA), ==, MFT_MAX_CNT);
 +    g_assert_cmphex(mft_readw(qts, index, MFT_CPA), ==,
 +                    MFT_MAX_CNT - MFT_TIMEOUT);
 +    /* Start capture */
 +    mft_writeb(qts, index, MFT_CKC, MFT_CKC_C1CSEL);
 +    g_assert_true(qtest_get_irq(qts, MFT_IRQ(index)));
 +    if (expected_cnt == -1) {
 +        g_assert_cmphex(mft_readb(qts, index, MFT_ICTRL), ==, MFT_ICTRL_TEPND);
 +    } else {
 +        g_assert_cmphex(mft_readb(qts, index, MFT_ICTRL), ==, MFT_ICTRL_TAPND);
 +        cnt = mft_readw(qts, index, MFT_CNT1);
 +        /*
 +         * Due to error in clock measurement and rounding, we might have a small
 +         * error in measuring RPM.
 +         */
 +        g_assert_cmphex(cnt + MAX_ERROR, >=, expected_cnt);
 +        g_assert_cmphex(cnt, <=, expected_cnt + MAX_ERROR);
 +        cr = mft_readw(qts, index, MFT_CRA);
 +        g_assert_cmphex(cnt, ==, cr);
 +    }
 +
 +    /* Verify rpm for fan B */
 +
 +    qtest_irq_intercept_out(qts, "/machine/soc/a9mpcore/gic");
 +}
 +
  /* Check pwm registers can be reset to default value */
  static void test_init(gconstpointer test_data)
  {
      const TestData *td = test_data;
 -    QTestState *qts = qtest_init("-machine quanta-gsj");
 +    QTestState *qts = qtest_init("-machine npcm750-evb");
      int module = pwm_module_index(td->module);
      int pwm = pwm_index(td->pwm);
@@ -XXX,XX +XXX,XX @@ static void test_init(gconstpointer test_data)
  static void test_oneshot(gconstpointer test_data)
  {
      const TestData *td = test_data;
 -    QTestState *qts = qtest_init("-machine quanta-gsj");
 +    QTestState *qts = qtest_init("-machine npcm750-evb");
      int module = pwm_module_index(td->module);
      int pwm = pwm_index(td->pwm);
      uint32_t ppr, csr, pcr;
@@ -XXX,XX +XXX,XX @@ static void test_oneshot(gconstpointer test_data)
  static void test_toggle(gconstpointer test_data)
  {
      const TestData *td = test_data;
 -    QTestState *qts = qtest_init("-machine quanta-gsj");
 +    QTestState *qts = qtest_init("-machine npcm750-evb");
      int module = pwm_module_index(td->module);
      int pwm = pwm_index(td->pwm);
      uint32_t ppr, csr, pcr, cnr, cmr;
      int i, j, k, l;
      uint64_t expected_freq, expected_duty;
 +    mft_init(qts, td);
 +
      pcr = CH_EN | CH_MOD;
      for (i = 0; i < ARRAY_SIZE(ppr_list); ++i) {
          ppr = ppr_list[i];
@@ -XXX,XX +XXX,XX @@ static void test_toggle(gconstpointer test_data)
                                  ==, expected_freq);
                      }
 +                    /* Test MFT's RPM is correct. */
 +                    mft_verify_rpm(qts, td, expected_duty);
 +
                      /* Test inverted mode */
                      expected_duty = pwm_compute_duty(cnr, cmr, true);
                      pwm_write_pcr(qts, td, pcr | CH_INV);
 --
 .20.1

-[Qemu-devel] [PULL 5/9] target/arm: v8M: Check state of exception being returned from
+[PULL 31/39] hw/display/pl110: Remove dead code for non-32-bpp surfaces
-In v8M, an attempt to return from an exception which is not
+For a long time now the UI layer has guaranteed that the console
-active is an illegal exception return. For this purpose,
+surface is always 32 bits per pixel. Remove the legacy dead
-exceptions which can configurably target either Secure or
+code from the pl110 display device which was handling the
-NonSecure are not considered to be active if they are
+possibility that the console surface was some other format.
 configured for the opposite security state for the one
 we're trying to return from (eg attempt to return from
 an NS NMI but NMI targets Secure). In the pseudocode this
 is handled by IsActiveForState().
 Detect this case rather than counting an active exception
 possibly of the wrong security state as being sufficient.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Acked-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 20190617175317.27557-4-peter.maydell@linaro.org
+Message-id: 20210211141515.8755-2-peter.maydell@linaro.org
 ---
- hw/intc/armv7m_nvic.c | 14 +++++++++++++-
+ hw/display/pl110.c | 53 +++++++---------------------------------------
-file changed, 13 insertions(+), 1 deletion(-)
+file changed, 8 insertions(+), 45 deletions(-)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
+diff --git a/hw/display/pl110.c b/hw/display/pl110.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
+--- a/hw/display/pl110.c
-+++ b/hw/intc/armv7m_nvic.c
++++ b/hw/display/pl110.c
-@@ -XXX,XX +XXX,XX @@ int armv7m_nvic_complete_irq(void *opaque, int irq, bool secure)
+@@ -XXX,XX +XXX,XX @@ static const unsigned char *idregs[] = {
-         return -1;
+     pl111_id
  };
 -#define BITS 8
 -#include "pl110_template.h"
 -#define BITS 15
 -#include "pl110_template.h"
 -#define BITS 16
 -#include "pl110_template.h"
 -#define BITS 24
 -#include "pl110_template.h"
  #define BITS 32
  #include "pl110_template.h"
@@ -XXX,XX +XXX,XX @@ static void pl110_update_display(void *opaque)
      PL110State *s = (PL110State *)opaque;
      SysBusDevice *sbd;
      DisplaySurface *surface = qemu_console_surface(s->con);
 -    drawfn* fntable;
      drawfn fn;
 -    int dest_width;
      int src_width;
      int bpp_offset;
      int first;
@@ -XXX,XX +XXX,XX @@ static void pl110_update_display(void *opaque)
      sbd = SYS_BUS_DEVICE(s);
 -    switch (surface_bits_per_pixel(surface)) {
 -    case 0:
 -        return;
 -    case 8:
 -        fntable = pl110_draw_fn_8;
 -        dest_width = 1;
 -        break;
 -    case 15:
 -        fntable = pl110_draw_fn_15;
 -        dest_width = 2;
 -        break;
 -    case 16:
 -        fntable = pl110_draw_fn_16;
 -        dest_width = 2;
 -        break;
 -    case 24:
 -        fntable = pl110_draw_fn_24;
 -        dest_width = 3;
 -        break;
 -    case 32:
 -        fntable = pl110_draw_fn_32;
 -        dest_width = 4;
 -        break;
 -    default:
 -        fprintf(stderr, "pl110: Bad color depth\n");
 -        exit(1);
 -    }
      if (s->cr & PL110_CR_BGR)
          bpp_offset = 0;
      else
@@ -XXX,XX +XXX,XX @@ static void pl110_update_display(void *opaque)
          }
      }
--    ret = nvic_rettobase(s);
+-    if (s->cr & PL110_CR_BEBO)
-+    /*
+-        fn = fntable[s->bpp + 8 + bpp_offset];
-+     * If this is a configurable exception and it is currently
+-    else if (s->cr & PL110_CR_BEPO)
-+     * targeting the opposite security state from the one we're trying
+-        fn = fntable[s->bpp + 16 + bpp_offset];
-+     * to complete it for, this counts as an illegal exception return.
+-    else
-+     * We still need to deactivate whatever vector the logic above has
+-        fn = fntable[s->bpp + bpp_offset];
-+     * selected, though, as it might not be the same as the one for the
++    if (s->cr & PL110_CR_BEBO) {
-+     * requested exception number.
++        fn = pl110_draw_fn_32[s->bpp + 8 + bpp_offset];
-+     */
++    } else if (s->cr & PL110_CR_BEPO) {
-+    if (!exc_is_banked(irq) && exc_targets_secure(s, irq) != secure) {
++        fn = pl110_draw_fn_32[s->bpp + 16 + bpp_offset];
 +        ret = -1;
 +    } else {
-+        ret = nvic_rettobase(s);
++        fn = pl110_draw_fn_32[s->bpp + bpp_offset];
 +    }
-     vec->active = 0;
+     src_width = s->cols;
-     if (vec->level) {
+     switch (s->bpp) {
@@ -XXX,XX +XXX,XX @@ static void pl110_update_display(void *opaque)
          src_width <<= 2;
          break;
      }
 -    dest_width *= s->cols;
      first = 0;
      if (s->invalidate) {
          framebuffer_update_memory_section(&s->fbsection,
@@ -XXX,XX +XXX,XX @@ static void pl110_update_display(void *opaque)
      framebuffer_update_display(surface, &s->fbsection,
                                 s->cols, s->rows,
 -                               src_width, dest_width, 0,
 +                               src_width, s->cols * 4, 0,
                                 s->invalidate,
                                 fn, s->palette,
                                 &first, &last);
 --
 .20.1

-New patch
+[PULL 32/39] hw/display/pl110: Pull included-once parts of template header into pl110.c
+The pl110_template.h header has a doubly-nested multiple-include pattern:
  * pl110.c includes it once for each host bit depth (now always 32)
  * every time it is included, it includes itself 6 times, to account
    for multiple guest device pixel and byte orders
 Now we only have to deal with 32-bit host bit depths, we can move the
 code corresponding to the outer layer of this double-nesting to be
 directly in pl110.c and reduce the template header to a single layer
 of nesting.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Acked-by: Gerd Hoffmann <kraxel@redhat.com>
 Message-id: 20210211141515.8755-3-peter.maydell@linaro.org
 ---
  hw/display/pl110_template.h | 100 +-----------------------------------
  hw/display/pl110.c          |  79 ++++++++++++++++++++++++++++
 files changed, 80 insertions(+), 99 deletions(-)
 diff --git a/hw/display/pl110_template.h b/hw/display/pl110_template.h
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/display/pl110_template.h
 +++ b/hw/display/pl110_template.h
@@ -XXX,XX +XXX,XX @@
   */
  #ifndef ORDER
 -
 -#if BITS == 8
 -#define COPY_PIXEL(to, from) *(to++) = from
 -#elif BITS == 15 || BITS == 16
 -#define COPY_PIXEL(to, from) do { *(uint16_t *)to = from; to += 2; } while (0)
 -#elif BITS == 24
 -#define COPY_PIXEL(to, from)    \
 -    do {                        \
 -        *(to++) = from;         \
 -        *(to++) = (from) >> 8;  \
 -        *(to++) = (from) >> 16; \
 -    } while (0)
 -#elif BITS == 32
 -#define COPY_PIXEL(to, from) do { *(uint32_t *)to = from; to += 4; } while (0)
 -#else
 -#error unknown bit depth
 +#error "pl110_template.h is only for inclusion by pl110.c"
  #endif
 -#undef RGB
 -#define BORDER bgr
 -#define ORDER 0
 -#include "pl110_template.h"
 -#define ORDER 1
 -#include "pl110_template.h"
 -#define ORDER 2
 -#include "pl110_template.h"
 -#undef BORDER
 -#define RGB
 -#define BORDER rgb
 -#define ORDER 0
 -#include "pl110_template.h"
 -#define ORDER 1
 -#include "pl110_template.h"
 -#define ORDER 2
 -#include "pl110_template.h"
 -#undef BORDER
 -
 -static drawfn glue(pl110_draw_fn_,BITS)[48] =
 -{
 -    glue(pl110_draw_line1_lblp_bgr,BITS),
 -    glue(pl110_draw_line2_lblp_bgr,BITS),
 -    glue(pl110_draw_line4_lblp_bgr,BITS),
 -    glue(pl110_draw_line8_lblp_bgr,BITS),
 -    glue(pl110_draw_line16_555_lblp_bgr,BITS),
 -    glue(pl110_draw_line32_lblp_bgr,BITS),
 -    glue(pl110_draw_line16_lblp_bgr,BITS),
 -    glue(pl110_draw_line12_lblp_bgr,BITS),
 -
 -    glue(pl110_draw_line1_bbbp_bgr,BITS),
 -    glue(pl110_draw_line2_bbbp_bgr,BITS),
 -    glue(pl110_draw_line4_bbbp_bgr,BITS),
 -    glue(pl110_draw_line8_bbbp_bgr,BITS),
 -    glue(pl110_draw_line16_555_bbbp_bgr,BITS),
 -    glue(pl110_draw_line32_bbbp_bgr,BITS),
 -    glue(pl110_draw_line16_bbbp_bgr,BITS),
 -    glue(pl110_draw_line12_bbbp_bgr,BITS),
 -
 -    glue(pl110_draw_line1_lbbp_bgr,BITS),
 -    glue(pl110_draw_line2_lbbp_bgr,BITS),
 -    glue(pl110_draw_line4_lbbp_bgr,BITS),
 -    glue(pl110_draw_line8_lbbp_bgr,BITS),
 -    glue(pl110_draw_line16_555_lbbp_bgr,BITS),
 -    glue(pl110_draw_line32_lbbp_bgr,BITS),
 -    glue(pl110_draw_line16_lbbp_bgr,BITS),
 -    glue(pl110_draw_line12_lbbp_bgr,BITS),
 -
 -    glue(pl110_draw_line1_lblp_rgb,BITS),
 -    glue(pl110_draw_line2_lblp_rgb,BITS),
 -    glue(pl110_draw_line4_lblp_rgb,BITS),
 -    glue(pl110_draw_line8_lblp_rgb,BITS),
 -    glue(pl110_draw_line16_555_lblp_rgb,BITS),
 -    glue(pl110_draw_line32_lblp_rgb,BITS),
 -    glue(pl110_draw_line16_lblp_rgb,BITS),
 -    glue(pl110_draw_line12_lblp_rgb,BITS),
 -
 -    glue(pl110_draw_line1_bbbp_rgb,BITS),
 -    glue(pl110_draw_line2_bbbp_rgb,BITS),
 -    glue(pl110_draw_line4_bbbp_rgb,BITS),
 -    glue(pl110_draw_line8_bbbp_rgb,BITS),
 -    glue(pl110_draw_line16_555_bbbp_rgb,BITS),
 -    glue(pl110_draw_line32_bbbp_rgb,BITS),
 -    glue(pl110_draw_line16_bbbp_rgb,BITS),
 -    glue(pl110_draw_line12_bbbp_rgb,BITS),
 -
 -    glue(pl110_draw_line1_lbbp_rgb,BITS),
 -    glue(pl110_draw_line2_lbbp_rgb,BITS),
 -    glue(pl110_draw_line4_lbbp_rgb,BITS),
 -    glue(pl110_draw_line8_lbbp_rgb,BITS),
 -    glue(pl110_draw_line16_555_lbbp_rgb,BITS),
 -    glue(pl110_draw_line32_lbbp_rgb,BITS),
 -    glue(pl110_draw_line16_lbbp_rgb,BITS),
 -    glue(pl110_draw_line12_lbbp_rgb,BITS),
 -};
 -
 -#undef BITS
 -#undef COPY_PIXEL
 -
 -#else
 -
  #if ORDER == 0
  #define NAME glue(glue(lblp_, BORDER), BITS)
  #ifdef HOST_WORDS_BIGENDIAN
@@ -XXX,XX +XXX,XX @@ static void glue(pl110_draw_line12_,NAME)(void *opaque, uint8_t *d, const uint8_
  #undef NAME
  #undef SWAP_WORDS
  #undef ORDER
 -
 -#endif
 diff --git a/hw/display/pl110.c b/hw/display/pl110.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/display/pl110.c
 +++ b/hw/display/pl110.c
@@ -XXX,XX +XXX,XX @@ static const unsigned char *idregs[] = {
  };
  #define BITS 32
 +#define COPY_PIXEL(to, from) do { *(uint32_t *)to = from; to += 4; } while (0)
 +
 +#undef RGB
 +#define BORDER bgr
 +#define ORDER 0
  #include "pl110_template.h"
 +#define ORDER 1
 +#include "pl110_template.h"
 +#define ORDER 2
 +#include "pl110_template.h"
 +#undef BORDER
 +#define RGB
 +#define BORDER rgb
 +#define ORDER 0
 +#include "pl110_template.h"
 +#define ORDER 1
 +#include "pl110_template.h"
 +#define ORDER 2
 +#include "pl110_template.h"
 +#undef BORDER
 +
 +static drawfn pl110_draw_fn_32[48] = {
 +    pl110_draw_line1_lblp_bgr32,
 +    pl110_draw_line2_lblp_bgr32,
 +    pl110_draw_line4_lblp_bgr32,
 +    pl110_draw_line8_lblp_bgr32,
 +    pl110_draw_line16_555_lblp_bgr32,
 +    pl110_draw_line32_lblp_bgr32,
 +    pl110_draw_line16_lblp_bgr32,
 +    pl110_draw_line12_lblp_bgr32,
 +
 +    pl110_draw_line1_bbbp_bgr32,
 +    pl110_draw_line2_bbbp_bgr32,
 +    pl110_draw_line4_bbbp_bgr32,
 +    pl110_draw_line8_bbbp_bgr32,
 +    pl110_draw_line16_555_bbbp_bgr32,
 +    pl110_draw_line32_bbbp_bgr32,
 +    pl110_draw_line16_bbbp_bgr32,
 +    pl110_draw_line12_bbbp_bgr32,
 +
 +    pl110_draw_line1_lbbp_bgr32,
 +    pl110_draw_line2_lbbp_bgr32,
 +    pl110_draw_line4_lbbp_bgr32,
 +    pl110_draw_line8_lbbp_bgr32,
 +    pl110_draw_line16_555_lbbp_bgr32,
 +    pl110_draw_line32_lbbp_bgr32,
 +    pl110_draw_line16_lbbp_bgr32,
 +    pl110_draw_line12_lbbp_bgr32,
 +
 +    pl110_draw_line1_lblp_rgb32,
 +    pl110_draw_line2_lblp_rgb32,
 +    pl110_draw_line4_lblp_rgb32,
 +    pl110_draw_line8_lblp_rgb32,
 +    pl110_draw_line16_555_lblp_rgb32,
 +    pl110_draw_line32_lblp_rgb32,
 +    pl110_draw_line16_lblp_rgb32,
 +    pl110_draw_line12_lblp_rgb32,
 +
 +    pl110_draw_line1_bbbp_rgb32,
 +    pl110_draw_line2_bbbp_rgb32,
 +    pl110_draw_line4_bbbp_rgb32,
 +    pl110_draw_line8_bbbp_rgb32,
 +    pl110_draw_line16_555_bbbp_rgb32,
 +    pl110_draw_line32_bbbp_rgb32,
 +    pl110_draw_line16_bbbp_rgb32,
 +    pl110_draw_line12_bbbp_rgb32,
 +
 +    pl110_draw_line1_lbbp_rgb32,
 +    pl110_draw_line2_lbbp_rgb32,
 +    pl110_draw_line4_lbbp_rgb32,
 +    pl110_draw_line8_lbbp_rgb32,
 +    pl110_draw_line16_555_lbbp_rgb32,
 +    pl110_draw_line32_lbbp_rgb32,
 +    pl110_draw_line16_lbbp_rgb32,
 +    pl110_draw_line12_lbbp_rgb32,
 +};
 +
 +#undef BITS
 +#undef COPY_PIXEL
 +
  static int pl110_enabled(PL110State *s)
  {
 --
 .20.1

-New patch
+[PULL 33/39] hw/display/pl110: Remove use of BITS from pl110_template.h
+BITS is always 32, so remove all uses of it from the template header,
 by dropping the trailing '32' from the draw function names and
 not constructing the name of rgb_to_pixel32() via the glue() macro.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Acked-by: Gerd Hoffmann <kraxel@redhat.com>
 Message-id: 20210211141515.8755-4-peter.maydell@linaro.org
 ---
  hw/display/pl110_template.h |  20 +++----
  hw/display/pl110.c          | 113 ++++++++++++++++++------------------
 files changed, 65 insertions(+), 68 deletions(-)
 diff --git a/hw/display/pl110_template.h b/hw/display/pl110_template.h
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/display/pl110_template.h
 +++ b/hw/display/pl110_template.h
@@ -XXX,XX +XXX,XX @@
  #endif
  #if ORDER == 0
 -#define NAME glue(glue(lblp_, BORDER), BITS)
 +#define NAME glue(lblp_, BORDER)
  #ifdef HOST_WORDS_BIGENDIAN
  #define SWAP_WORDS 1
  #endif
  #elif ORDER == 1
 -#define NAME glue(glue(bbbp_, BORDER), BITS)
 +#define NAME glue(bbbp_, BORDER)
  #ifndef HOST_WORDS_BIGENDIAN
  #define SWAP_WORDS 1
  #endif
  #else
  #define SWAP_PIXELS 1
 -#define NAME glue(glue(lbbp_, BORDER), BITS)
 +#define NAME glue(lbbp_, BORDER)
  #ifdef HOST_WORDS_BIGENDIAN
  #define SWAP_WORDS 1
  #endif
@@ -XXX,XX +XXX,XX @@ static void glue(pl110_draw_line16_,NAME)(void *opaque, uint8_t *d, const uint8_
          MSB = (data & 0x1f) << 3;
          data >>= 5;
  #endif
 -        COPY_PIXEL(d, glue(rgb_to_pixel,BITS)(r, g, b));
 +        COPY_PIXEL(d, rgb_to_pixel32(r, g, b));
          LSB = (data & 0x1f) << 3;
          data >>= 5;
          g = (data & 0x3f) << 2;
          data >>= 6;
          MSB = (data & 0x1f) << 3;
          data >>= 5;
 -        COPY_PIXEL(d, glue(rgb_to_pixel,BITS)(r, g, b));
 +        COPY_PIXEL(d, rgb_to_pixel32(r, g, b));
  #undef MSB
  #undef LSB
          width -= 2;
@@ -XXX,XX +XXX,XX @@ static void glue(pl110_draw_line32_,NAME)(void *opaque, uint8_t *d, const uint8_
          g = (data >> 16) & 0xff;
          MSB = (data >> 8) & 0xff;
  #endif
 -        COPY_PIXEL(d, glue(rgb_to_pixel,BITS)(r, g, b));
 +        COPY_PIXEL(d, rgb_to_pixel32(r, g, b));
  #undef MSB
  #undef LSB
          width--;
@@ -XXX,XX +XXX,XX @@ static void glue(pl110_draw_line16_555_,NAME)(void *opaque, uint8_t *d, const ui
          data >>= 5;
          MSB = (data & 0x1f) << 3;
          data >>= 5;
 -        COPY_PIXEL(d, glue(rgb_to_pixel,BITS)(r, g, b));
 +        COPY_PIXEL(d, rgb_to_pixel32(r, g, b));
          LSB = (data & 0x1f) << 3;
          data >>= 5;
          g = (data & 0x1f) << 3;
          data >>= 5;
          MSB = (data & 0x1f) << 3;
          data >>= 6;
 -        COPY_PIXEL(d, glue(rgb_to_pixel,BITS)(r, g, b));
 +        COPY_PIXEL(d, rgb_to_pixel32(r, g, b));
  #undef MSB
  #undef LSB
          width -= 2;
@@ -XXX,XX +XXX,XX @@ static void glue(pl110_draw_line12_,NAME)(void *opaque, uint8_t *d, const uint8_
          data >>= 4;
          MSB = (data & 0xf) << 4;
          data >>= 8;
 -        COPY_PIXEL(d, glue(rgb_to_pixel,BITS)(r, g, b));
 +        COPY_PIXEL(d, rgb_to_pixel32(r, g, b));
          LSB = (data & 0xf) << 4;
          data >>= 4;
          g = (data & 0xf) << 4;
          data >>= 4;
          MSB = (data & 0xf) << 4;
          data >>= 8;
 -        COPY_PIXEL(d, glue(rgb_to_pixel,BITS)(r, g, b));
 +        COPY_PIXEL(d, rgb_to_pixel32(r, g, b));
  #undef MSB
  #undef LSB
          width -= 2;
 diff --git a/hw/display/pl110.c b/hw/display/pl110.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/display/pl110.c
 +++ b/hw/display/pl110.c
@@ -XXX,XX +XXX,XX @@ static const unsigned char *idregs[] = {
      pl111_id
  };
 -#define BITS 32
  #define COPY_PIXEL(to, from) do { *(uint32_t *)to = from; to += 4; } while (0)
  #undef RGB
@@ -XXX,XX +XXX,XX @@ static const unsigned char *idregs[] = {
  #include "pl110_template.h"
  #undef BORDER
 -static drawfn pl110_draw_fn_32[48] = {
 -    pl110_draw_line1_lblp_bgr32,
 -    pl110_draw_line2_lblp_bgr32,
 -    pl110_draw_line4_lblp_bgr32,
 -    pl110_draw_line8_lblp_bgr32,
 -    pl110_draw_line16_555_lblp_bgr32,
 -    pl110_draw_line32_lblp_bgr32,
 -    pl110_draw_line16_lblp_bgr32,
 -    pl110_draw_line12_lblp_bgr32,
 -
 -    pl110_draw_line1_bbbp_bgr32,
 -    pl110_draw_line2_bbbp_bgr32,
 -    pl110_draw_line4_bbbp_bgr32,
 -    pl110_draw_line8_bbbp_bgr32,
 -    pl110_draw_line16_555_bbbp_bgr32,
 -    pl110_draw_line32_bbbp_bgr32,
 -    pl110_draw_line16_bbbp_bgr32,
 -    pl110_draw_line12_bbbp_bgr32,
 -
 -    pl110_draw_line1_lbbp_bgr32,
 -    pl110_draw_line2_lbbp_bgr32,
 -    pl110_draw_line4_lbbp_bgr32,
 -    pl110_draw_line8_lbbp_bgr32,
 -    pl110_draw_line16_555_lbbp_bgr32,
 -    pl110_draw_line32_lbbp_bgr32,
 -    pl110_draw_line16_lbbp_bgr32,
 -    pl110_draw_line12_lbbp_bgr32,
 -
 -    pl110_draw_line1_lblp_rgb32,
 -    pl110_draw_line2_lblp_rgb32,
 -    pl110_draw_line4_lblp_rgb32,
 -    pl110_draw_line8_lblp_rgb32,
 -    pl110_draw_line16_555_lblp_rgb32,
 -    pl110_draw_line32_lblp_rgb32,
 -    pl110_draw_line16_lblp_rgb32,
 -    pl110_draw_line12_lblp_rgb32,
 -
 -    pl110_draw_line1_bbbp_rgb32,
 -    pl110_draw_line2_bbbp_rgb32,
 -    pl110_draw_line4_bbbp_rgb32,
 -    pl110_draw_line8_bbbp_rgb32,
 -    pl110_draw_line16_555_bbbp_rgb32,
 -    pl110_draw_line32_bbbp_rgb32,
 -    pl110_draw_line16_bbbp_rgb32,
 -    pl110_draw_line12_bbbp_rgb32,
 -
 -    pl110_draw_line1_lbbp_rgb32,
 -    pl110_draw_line2_lbbp_rgb32,
 -    pl110_draw_line4_lbbp_rgb32,
 -    pl110_draw_line8_lbbp_rgb32,
 -    pl110_draw_line16_555_lbbp_rgb32,
 -    pl110_draw_line32_lbbp_rgb32,
 -    pl110_draw_line16_lbbp_rgb32,
 -    pl110_draw_line12_lbbp_rgb32,
 -};
 -
 -#undef BITS
  #undef COPY_PIXEL
 +static drawfn pl110_draw_fn_32[48] = {
 +    pl110_draw_line1_lblp_bgr,
 +    pl110_draw_line2_lblp_bgr,
 +    pl110_draw_line4_lblp_bgr,
 +    pl110_draw_line8_lblp_bgr,
 +    pl110_draw_line16_555_lblp_bgr,
 +    pl110_draw_line32_lblp_bgr,
 +    pl110_draw_line16_lblp_bgr,
 +    pl110_draw_line12_lblp_bgr,
 +
 +    pl110_draw_line1_bbbp_bgr,
 +    pl110_draw_line2_bbbp_bgr,
 +    pl110_draw_line4_bbbp_bgr,
 +    pl110_draw_line8_bbbp_bgr,
 +    pl110_draw_line16_555_bbbp_bgr,
 +    pl110_draw_line32_bbbp_bgr,
 +    pl110_draw_line16_bbbp_bgr,
 +    pl110_draw_line12_bbbp_bgr,
 +
 +    pl110_draw_line1_lbbp_bgr,
 +    pl110_draw_line2_lbbp_bgr,
 +    pl110_draw_line4_lbbp_bgr,
 +    pl110_draw_line8_lbbp_bgr,
 +    pl110_draw_line16_555_lbbp_bgr,
 +    pl110_draw_line32_lbbp_bgr,
 +    pl110_draw_line16_lbbp_bgr,
 +    pl110_draw_line12_lbbp_bgr,
 +
 +    pl110_draw_line1_lblp_rgb,
 +    pl110_draw_line2_lblp_rgb,
 +    pl110_draw_line4_lblp_rgb,
 +    pl110_draw_line8_lblp_rgb,
 +    pl110_draw_line16_555_lblp_rgb,
 +    pl110_draw_line32_lblp_rgb,
 +    pl110_draw_line16_lblp_rgb,
 +    pl110_draw_line12_lblp_rgb,
 +
 +    pl110_draw_line1_bbbp_rgb,
 +    pl110_draw_line2_bbbp_rgb,
 +    pl110_draw_line4_bbbp_rgb,
 +    pl110_draw_line8_bbbp_rgb,
 +    pl110_draw_line16_555_bbbp_rgb,
 +    pl110_draw_line32_bbbp_rgb,
 +    pl110_draw_line16_bbbp_rgb,
 +    pl110_draw_line12_bbbp_rgb,
 +
 +    pl110_draw_line1_lbbp_rgb,
 +    pl110_draw_line2_lbbp_rgb,
 +    pl110_draw_line4_lbbp_rgb,
 +    pl110_draw_line8_lbbp_rgb,
 +    pl110_draw_line16_555_lbbp_rgb,
 +    pl110_draw_line32_lbbp_rgb,
 +    pl110_draw_line16_lbbp_rgb,
 +    pl110_draw_line12_lbbp_rgb,
 +};
  static int pl110_enabled(PL110State *s)
  {
 --
 .20.1

-New patch
+[PULL 34/39] hw/display/pxa2xx_lcd: Remove dead code for non-32-bpp surfaces
+For a long time now the UI layer has guaranteed that the console
+surface is always 32 bits per pixel.  Remove the legacy dead code
+from the pxa2xx_lcd display device which was handling the possibility
+that the console surface was some other format.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20210211141515.8755-5-peter.maydell@linaro.org
+---
+ hw/display/pxa2xx_lcd.c | 79 +++++++++--------------------------------
+file changed, 17 insertions(+), 62 deletions(-)
+diff --git a/hw/display/pxa2xx_lcd.c b/hw/display/pxa2xx_lcd.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/display/pxa2xx_lcd.c
++++ b/hw/display/pxa2xx_lcd.c
+@@ -XXX,XX +XXX,XX @@ struct PXA2xxLCDState {
+     int invalidated;
+     QemuConsole *con;
+-    drawfn *line_fn[2];
+     int dest_width;
+     int xres, yres;
+     int pal_for;
+@@ -XXX,XX +XXX,XX @@ typedef struct QEMU_PACKED {
+ #define LDCMD_SOFINT    (1 << 22)
+ #define LDCMD_PAL    (1 << 26)
++#define BITS 32
++#include "pxa2xx_template.h"
++
+ /* Route internal interrupt lines to the global IC */
+ static void pxa2xx_lcdc_int_update(PXA2xxLCDState *s)
+ {
+@@ -XXX,XX +XXX,XX @@ static void pxa2xx_palette_parse(PXA2xxLCDState *s, int ch, int bpp)
+     }
+ }
++static inline drawfn pxa2xx_drawfn(PXA2xxLCDState *s)
++{
++    if (s->transp) {
++        return pxa2xx_draw_fn_32t[s->bpp];
++    } else {
++        return pxa2xx_draw_fn_32[s->bpp];
++    }
++}
++
+ static void pxa2xx_lcdc_dma0_redraw_rot0(PXA2xxLCDState *s,
+                 hwaddr addr, int *miny, int *maxy)
+ {
+     DisplaySurface *surface = qemu_console_surface(s->con);
+     int src_width, dest_width;
+-    drawfn fn = NULL;
+-    if (s->dest_width)
+-        fn = s->line_fn[s->transp][s->bpp];
++    drawfn fn = pxa2xx_drawfn(s);
+     if (!fn)
+         return;
+@@ -XXX,XX +XXX,XX @@ static void pxa2xx_lcdc_dma0_redraw_rot90(PXA2xxLCDState *s,
+ {
+     DisplaySurface *surface = qemu_console_surface(s->con);
+     int src_width, dest_width;
+-    drawfn fn = NULL;
+-    if (s->dest_width)
+-        fn = s->line_fn[s->transp][s->bpp];
++    drawfn fn = pxa2xx_drawfn(s);
+     if (!fn)
+         return;
+@@ -XXX,XX +XXX,XX @@ static void pxa2xx_lcdc_dma0_redraw_rot180(PXA2xxLCDState *s,
+ {
+     DisplaySurface *surface = qemu_console_surface(s->con);
+     int src_width, dest_width;
+-    drawfn fn = NULL;
+-    if (s->dest_width) {
+-        fn = s->line_fn[s->transp][s->bpp];
+-    }
++    drawfn fn = pxa2xx_drawfn(s);
+     if (!fn) {
+         return;
+     }
+@@ -XXX,XX +XXX,XX @@ static void pxa2xx_lcdc_dma0_redraw_rot270(PXA2xxLCDState *s,
+ {
+     DisplaySurface *surface = qemu_console_surface(s->con);
+     int src_width, dest_width;
+-    drawfn fn = NULL;
+-    if (s->dest_width) {
+-        fn = s->line_fn[s->transp][s->bpp];
+-    }
++    drawfn fn = pxa2xx_drawfn(s);
+     if (!fn) {
+         return;
+     }
+@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_pxa2xx_lcdc = {
+     }
+ };
+-#define BITS 8
+-#include "pxa2xx_template.h"
+-#define BITS 15
+-#include "pxa2xx_template.h"
+-#define BITS 16
+-#include "pxa2xx_template.h"
+-#define BITS 24
+-#include "pxa2xx_template.h"
+-#define BITS 32
+-#include "pxa2xx_template.h"
+-
+ static const GraphicHwOps pxa2xx_ops = {
+     .invalidate  = pxa2xx_invalidate_display,
+     .gfx_update  = pxa2xx_update_display,
+@@ -XXX,XX +XXX,XX @@ PXA2xxLCDState *pxa2xx_lcdc_init(MemoryRegion *sysmem,
+                                  hwaddr base, qemu_irq irq)
+ {
+     PXA2xxLCDState *s;
+-    DisplaySurface *surface;
+     s = (PXA2xxLCDState *) g_malloc0(sizeof(PXA2xxLCDState));
+     s->invalidated = 1;
+@@ -XXX,XX +XXX,XX @@ PXA2xxLCDState *pxa2xx_lcdc_init(MemoryRegion *sysmem,
+     memory_region_add_subregion(sysmem, base, &s->iomem);
+     s->con = graphic_console_init(NULL, 0, &pxa2xx_ops, s);
+-    surface = qemu_console_surface(s->con);
+-
+-    switch (surface_bits_per_pixel(surface)) {
+-    case 0:
+-        s->dest_width = 0;
+-        break;
+-    case 8:
+-        s->line_fn[0] = pxa2xx_draw_fn_8;
+-        s->line_fn[1] = pxa2xx_draw_fn_8t;
+-        s->dest_width = 1;
+-        break;
+-    case 15:
+-        s->line_fn[0] = pxa2xx_draw_fn_15;
+-        s->line_fn[1] = pxa2xx_draw_fn_15t;
+-        s->dest_width = 2;
+-        break;
+-    case 16:
+-        s->line_fn[0] = pxa2xx_draw_fn_16;
+-        s->line_fn[1] = pxa2xx_draw_fn_16t;
+-        s->dest_width = 2;
+-        break;
+-    case 24:
+-        s->line_fn[0] = pxa2xx_draw_fn_24;
+-        s->line_fn[1] = pxa2xx_draw_fn_24t;
+-        s->dest_width = 3;
+-        break;
+-    case 32:
+-        s->line_fn[0] = pxa2xx_draw_fn_32;
+-        s->line_fn[1] = pxa2xx_draw_fn_32t;
+-        s->dest_width = 4;
+-        break;
+-    default:
+-        fprintf(stderr, "%s: Bad color depth\n", __func__);
+-        exit(1);
+-    }
++    s->dest_width = 4;
+     vmstate_register(NULL, 0, &vmstate_pxa2xx_lcdc, s);
+--
+.20.1

-New patch
+[PULL 35/39] hw/display/pxa2xx_lcd: Remove dest_width state field
+Since the dest_width is now always 4 because the output surface is
+bpp, we can replace the dest_width state field with a constant.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20210211141515.8755-6-peter.maydell@linaro.org
+---
+ hw/display/pxa2xx_lcd.c | 20 +++++++++++---------
+file changed, 11 insertions(+), 9 deletions(-)
+diff --git a/hw/display/pxa2xx_lcd.c b/hw/display/pxa2xx_lcd.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/display/pxa2xx_lcd.c
++++ b/hw/display/pxa2xx_lcd.c
+@@ -XXX,XX +XXX,XX @@ typedef struct QEMU_PACKED {
+ #define LDCMD_SOFINT    (1 << 22)
+ #define LDCMD_PAL    (1 << 26)
++/* Size of a pixel in the QEMU UI output surface, in bytes */
++#define DEST_PIXEL_WIDTH 4
++
+ #define BITS 32
+ #include "pxa2xx_template.h"
+@@ -XXX,XX +XXX,XX @@ static void pxa2xx_lcdc_dma0_redraw_rot0(PXA2xxLCDState *s,
+     else if (s->bpp > pxa_lcdc_8bpp)
+         src_width *= 2;
+-    dest_width = s->xres * s->dest_width;
++    dest_width = s->xres * DEST_PIXEL_WIDTH;
+     *miny = 0;
+     if (s->invalidated) {
+         framebuffer_update_memory_section(&s->fbsection, s->sysmem,
+                                           addr, s->yres, src_width);
+     }
+     framebuffer_update_display(surface, &s->fbsection, s->xres, s->yres,
+-                               src_width, dest_width, s->dest_width,
++                               src_width, dest_width, DEST_PIXEL_WIDTH,
+                                s->invalidated,
+                                fn, s->dma_ch[0].palette, miny, maxy);
+ }
+@@ -XXX,XX +XXX,XX @@ static void pxa2xx_lcdc_dma0_redraw_rot90(PXA2xxLCDState *s,
+     else if (s->bpp > pxa_lcdc_8bpp)
+         src_width *= 2;
+-    dest_width = s->yres * s->dest_width;
++    dest_width = s->yres * DEST_PIXEL_WIDTH;
+     *miny = 0;
+     if (s->invalidated) {
+         framebuffer_update_memory_section(&s->fbsection, s->sysmem,
+                                           addr, s->yres, src_width);
+     }
+     framebuffer_update_display(surface, &s->fbsection, s->xres, s->yres,
+-                               src_width, s->dest_width, -dest_width,
++                               src_width, DEST_PIXEL_WIDTH, -dest_width,
+                                s->invalidated,
+                                fn, s->dma_ch[0].palette,
+                                miny, maxy);
+@@ -XXX,XX +XXX,XX @@ static void pxa2xx_lcdc_dma0_redraw_rot180(PXA2xxLCDState *s,
+         src_width *= 2;
+     }
+-    dest_width = s->xres * s->dest_width;
++    dest_width = s->xres * DEST_PIXEL_WIDTH;
+     *miny = 0;
+     if (s->invalidated) {
+         framebuffer_update_memory_section(&s->fbsection, s->sysmem,
+                                           addr, s->yres, src_width);
+     }
+     framebuffer_update_display(surface, &s->fbsection, s->xres, s->yres,
+-                               src_width, -dest_width, -s->dest_width,
++                               src_width, -dest_width, -DEST_PIXEL_WIDTH,
+                                s->invalidated,
+                                fn, s->dma_ch[0].palette, miny, maxy);
+ }
+@@ -XXX,XX +XXX,XX @@ static void pxa2xx_lcdc_dma0_redraw_rot270(PXA2xxLCDState *s,
+         src_width *= 2;
+     }
+-    dest_width = s->yres * s->dest_width;
++    dest_width = s->yres * DEST_PIXEL_WIDTH;
+     *miny = 0;
+     if (s->invalidated) {
+         framebuffer_update_memory_section(&s->fbsection, s->sysmem,
+                                           addr, s->yres, src_width);
+     }
+     framebuffer_update_display(surface, &s->fbsection, s->xres, s->yres,
+-                               src_width, -s->dest_width, dest_width,
++                               src_width, -DEST_PIXEL_WIDTH, dest_width,
+                                s->invalidated,
+                                fn, s->dma_ch[0].palette,
+                                miny, maxy);
+@@ -XXX,XX +XXX,XX @@ PXA2xxLCDState *pxa2xx_lcdc_init(MemoryRegion *sysmem,
+     memory_region_add_subregion(sysmem, base, &s->iomem);
+     s->con = graphic_console_init(NULL, 0, &pxa2xx_ops, s);
+-    s->dest_width = 4;
+     vmstate_register(NULL, 0, &vmstate_pxa2xx_lcdc, s);
+--
+.20.1

-[Qemu-devel] [PULL 6/9] target/arm: Use _ra versions of cpu_stl_data() in v7M helpers
+[PULL 36/39] hw/display/pxa2xx: Remove use of BITS in pxa2xx_template.h
-In the various helper functions for v7M/v8M instructions, use
+Now that BITS is always 32, expand out all its uses in the template
-the _ra versions of cpu_stl_data() and friends. Otherwise we
+header, including removing now-useless uses of the glue() macro.
 may get wrong behaviour or an assert() due to not being able
 to locate the TB if there is an exception on the memory access
 or if it performs an IO operation when in icount mode.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Acked-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 20190617175317.27557-5-peter.maydell@linaro.org
+Message-id: 20210211141515.8755-7-peter.maydell@linaro.org
 ---
- target/arm/m_helper.c | 21 ++++++++++++---------
+ hw/display/pxa2xx_template.h | 110 ++++++++++++++---------------------
-file changed, 12 insertions(+), 9 deletions(-)
+file changed, 45 insertions(+), 65 deletions(-)
-diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
+diff --git a/hw/display/pxa2xx_template.h b/hw/display/pxa2xx_template.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/m_helper.c
+--- a/hw/display/pxa2xx_template.h
-+++ b/target/arm/m_helper.c
++++ b/hw/display/pxa2xx_template.h
-@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
+@@ -XXX,XX +XXX,XX @@
-     }
+  */
-     /* Note that these stores can throw exceptions on MPU faults */
+ # define SKIP_PIXEL(to)        to += deststep
--    cpu_stl_data(env, sp, nextinst);
+-#if BITS == 8
--    cpu_stl_data(env, sp + 4, saved_psr);
+-# define COPY_PIXEL(to, from)  do { *to = from; SKIP_PIXEL(to); } while (0)
-+    cpu_stl_data_ra(env, sp, nextinst, GETPC());
+-#elif BITS == 15 || BITS == 16
-+    cpu_stl_data_ra(env, sp + 4, saved_psr, GETPC());
+-# define COPY_PIXEL(to, from)    \
+-    do {                         \
-     env->regs[13] = sp;
+-        *(uint16_t *) to = from; \
-     env->regs[14] = 0xfeffffff;
+-        SKIP_PIXEL(to);          \
-@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)
+-    } while (0)
-     /* fptr is the value of Rn, the frame pointer we store the FP regs to */
+-#elif BITS == 24
-     bool s = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK;
+-# define COPY_PIXEL(to, from)     \
-     bool lspact = env->v7m.fpccr[s] & R_V7M_FPCCR_LSPACT_MASK;
+-    do {                          \
-+    uintptr_t ra = GETPC();
+-        *(uint16_t *) to = from;  \
+-        *(to + 2) = (from) >> 16; \
-     assert(env->v7m.secure);
+-        SKIP_PIXEL(to);           \
+-    } while (0)
-@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)
+-#elif BITS == 32
-      * Note that we do not use v7m_stack_write() here, because the
+ # define COPY_PIXEL(to, from)    \
-      * accesses should not set the FSR bits for stacking errors if they
+     do {                         \
-      * fail. (In pseudocode terms, they are AccType_NORMAL, not AccType_STACK
+         *(uint32_t *) to = from; \
--     * or AccType_LAZYFP). Faults in cpu_stl_data() will throw exceptions
+         SKIP_PIXEL(to);          \
-+     * or AccType_LAZYFP). Faults in cpu_stl_data_ra() will throw exceptions
+     } while (0)
-      * and longjmp out.
+-#else
-      */
+-# error unknown bit depth
-     if (!(env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPEN_MASK)) {
+-#endif
-@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)
-             if (i >= 16) {
+ #ifdef HOST_WORDS_BIGENDIAN
-                 faddr += 8; /* skip the slot for the FPSCR */
+ # define SWAP_WORDS    1
-             }
+@@ -XXX,XX +XXX,XX @@
--            cpu_stl_data(env, faddr, slo);
+ #define FN_2(x)        FN(x + 1) FN(x)
--            cpu_stl_data(env, faddr + 4, shi);
+ #define FN_4(x)        FN_2(x + 2) FN_2(x)
-+            cpu_stl_data_ra(env, faddr, slo, ra);
-+            cpu_stl_data_ra(env, faddr + 4, shi, ra);
+-static void glue(pxa2xx_draw_line2_, BITS)(void *opaque,
-         }
++static void pxa2xx_draw_line2(void *opaque,
--        cpu_stl_data(env, fptr + 0x40, vfp_get_fpscr(env));
+                 uint8_t *dest, const uint8_t *src, int width, int deststep)
-+        cpu_stl_data_ra(env, fptr + 0x40, vfp_get_fpscr(env), ra);
+ {
+     uint32_t *palette = opaque;
-         /*
+@@ -XXX,XX +XXX,XX @@ static void glue(pxa2xx_draw_line2_, BITS)(void *opaque,
-          * If TS is 0 then s0 to s15 and FPSCR are UNKNOWN; we choose to
+     }
-@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)
+ }
- void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)
+-static void glue(pxa2xx_draw_line4_, BITS)(void *opaque,
- {
++static void pxa2xx_draw_line4(void *opaque,
-+    uintptr_t ra = GETPC();
+                 uint8_t *dest, const uint8_t *src, int width, int deststep)
-+
+ {
-     /* fptr is the value of Rn, the frame pointer we load the FP regs from */
+     uint32_t *palette = opaque;
-     assert(env->v7m.secure);
+@@ -XXX,XX +XXX,XX @@ static void glue(pxa2xx_draw_line4_, BITS)(void *opaque,
+     }
-@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)
+ }
-                 faddr += 8; /* skip the slot for the FPSCR */
-             }
+-static void glue(pxa2xx_draw_line8_, BITS)(void *opaque,
++static void pxa2xx_draw_line8(void *opaque,
--            slo = cpu_ldl_data(env, faddr);
+                 uint8_t *dest, const uint8_t *src, int width, int deststep)
--            shi = cpu_ldl_data(env, faddr + 4);
+ {
-+            slo = cpu_ldl_data_ra(env, faddr, ra);
+     uint32_t *palette = opaque;
-+            shi = cpu_ldl_data_ra(env, faddr + 4, ra);
+@@ -XXX,XX +XXX,XX @@ static void glue(pxa2xx_draw_line8_, BITS)(void *opaque,
+     }
-             dn = (uint64_t) shi << 32 | slo;
+ }
-             *aa32_vfp_dreg(env, i / 2) = dn;
-         }
+-static void glue(pxa2xx_draw_line16_, BITS)(void *opaque,
--        fpscr = cpu_ldl_data(env, fptr + 0x40);
++static void pxa2xx_draw_line16(void *opaque,
-+        fpscr = cpu_ldl_data_ra(env, fptr + 0x40, ra);
+                 uint8_t *dest, const uint8_t *src, int width, int deststep)
-         vfp_set_fpscr(env, fpscr);
+ {
-     }
+     uint32_t data;
@@ -XXX,XX +XXX,XX @@ static void glue(pxa2xx_draw_line16_, BITS)(void *opaque,
          data >>= 6;
          r = (data & 0x1f) << 3;
          data >>= 5;
 -        COPY_PIXEL(dest, glue(rgb_to_pixel, BITS)(r, g, b));
 +        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
          b = (data & 0x1f) << 3;
          data >>= 5;
          g = (data & 0x3f) << 2;
          data >>= 6;
          r = (data & 0x1f) << 3;
 -        COPY_PIXEL(dest, glue(rgb_to_pixel, BITS)(r, g, b));
 +        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
          width -= 2;
          src += 4;
      }
  }
 -static void glue(pxa2xx_draw_line16t_, BITS)(void *opaque,
 +static void pxa2xx_draw_line16t(void *opaque,
                  uint8_t *dest, const uint8_t *src, int width, int deststep)
  {
      uint32_t data;
@@ -XXX,XX +XXX,XX @@ static void glue(pxa2xx_draw_line16t_, BITS)(void *opaque,
          if (data & 1)
              SKIP_PIXEL(dest);
          else
 -            COPY_PIXEL(dest, glue(rgb_to_pixel, BITS)(r, g, b));
 +            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
          data >>= 1;
          b = (data & 0x1f) << 3;
          data >>= 5;
@@ -XXX,XX +XXX,XX @@ static void glue(pxa2xx_draw_line16t_, BITS)(void *opaque,
          if (data & 1)
              SKIP_PIXEL(dest);
          else
 -            COPY_PIXEL(dest, glue(rgb_to_pixel, BITS)(r, g, b));
 +            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
          width -= 2;
          src += 4;
      }
  }
 -static void glue(pxa2xx_draw_line18_, BITS)(void *opaque,
 +static void pxa2xx_draw_line18(void *opaque,
                  uint8_t *dest, const uint8_t *src, int width, int deststep)
  {
      uint32_t data;
@@ -XXX,XX +XXX,XX @@ static void glue(pxa2xx_draw_line18_, BITS)(void *opaque,
          g = (data & 0x3f) << 2;
          data >>= 6;
          r = (data & 0x3f) << 2;
 -        COPY_PIXEL(dest, glue(rgb_to_pixel, BITS)(r, g, b));
 +        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
          width -= 1;
          src += 4;
      }
  }
  /* The wicked packed format */
 -static void glue(pxa2xx_draw_line18p_, BITS)(void *opaque,
 +static void pxa2xx_draw_line18p(void *opaque,
                  uint8_t *dest, const uint8_t *src, int width, int deststep)
  {
      uint32_t data[3];
@@ -XXX,XX +XXX,XX @@ static void glue(pxa2xx_draw_line18p_, BITS)(void *opaque,
          data[0] >>= 6;
          r = (data[0] & 0x3f) << 2;
          data[0] >>= 12;
 -        COPY_PIXEL(dest, glue(rgb_to_pixel, BITS)(r, g, b));
 +        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
          b = (data[0] & 0x3f) << 2;
          data[0] >>= 6;
          g = ((data[1] & 0xf) << 4) | (data[0] << 2);
          data[1] >>= 4;
          r = (data[1] & 0x3f) << 2;
          data[1] >>= 12;
 -        COPY_PIXEL(dest, glue(rgb_to_pixel, BITS)(r, g, b));
 +        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
          b = (data[1] & 0x3f) << 2;
          data[1] >>= 6;
          g = (data[1] & 0x3f) << 2;
          data[1] >>= 6;
          r = ((data[2] & 0x3) << 6) | (data[1] << 2);
          data[2] >>= 8;
 -        COPY_PIXEL(dest, glue(rgb_to_pixel, BITS)(r, g, b));
 +        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
          b = (data[2] & 0x3f) << 2;
          data[2] >>= 6;
          g = (data[2] & 0x3f) << 2;
          data[2] >>= 6;
          r = data[2] << 2;
 -        COPY_PIXEL(dest, glue(rgb_to_pixel, BITS)(r, g, b));
 +        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
          width -= 4;
      }
  }
 -static void glue(pxa2xx_draw_line19_, BITS)(void *opaque,
 +static void pxa2xx_draw_line19(void *opaque,
                  uint8_t *dest, const uint8_t *src, int width, int deststep)
  {
      uint32_t data;
@@ -XXX,XX +XXX,XX @@ static void glue(pxa2xx_draw_line19_, BITS)(void *opaque,
          if (data & 1)
              SKIP_PIXEL(dest);
          else
 -            COPY_PIXEL(dest, glue(rgb_to_pixel, BITS)(r, g, b));
 +            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
          width -= 1;
          src += 4;
      }
  }
  /* The wicked packed format */
 -static void glue(pxa2xx_draw_line19p_, BITS)(void *opaque,
 +static void pxa2xx_draw_line19p(void *opaque,
                  uint8_t *dest, const uint8_t *src, int width, int deststep)
  {
      uint32_t data[3];
@@ -XXX,XX +XXX,XX @@ static void glue(pxa2xx_draw_line19p_, BITS)(void *opaque,
          if (data[0] & 1)
              SKIP_PIXEL(dest);
          else
 -            COPY_PIXEL(dest, glue(rgb_to_pixel, BITS)(r, g, b));
 +            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
          data[0] >>= 6;
          b = (data[0] & 0x3f) << 2;
          data[0] >>= 6;
@@ -XXX,XX +XXX,XX @@ static void glue(pxa2xx_draw_line19p_, BITS)(void *opaque,
          if (data[1] & 1)
              SKIP_PIXEL(dest);
          else
 -            COPY_PIXEL(dest, glue(rgb_to_pixel, BITS)(r, g, b));
 +            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
          data[1] >>= 6;
          b = (data[1] & 0x3f) << 2;
          data[1] >>= 6;
@@ -XXX,XX +XXX,XX @@ static void glue(pxa2xx_draw_line19p_, BITS)(void *opaque,
          if (data[2] & 1)
              SKIP_PIXEL(dest);
          else
 -            COPY_PIXEL(dest, glue(rgb_to_pixel, BITS)(r, g, b));
 +            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
          data[2] >>= 6;
          b = (data[2] & 0x3f) << 2;
          data[2] >>= 6;
@@ -XXX,XX +XXX,XX @@ static void glue(pxa2xx_draw_line19p_, BITS)(void *opaque,
          if (data[2] & 1)
              SKIP_PIXEL(dest);
          else
 -            COPY_PIXEL(dest, glue(rgb_to_pixel, BITS)(r, g, b));
 +            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
          width -= 4;
      }
  }
 -static void glue(pxa2xx_draw_line24_, BITS)(void *opaque,
 +static void pxa2xx_draw_line24(void *opaque,
                  uint8_t *dest, const uint8_t *src, int width, int deststep)
  {
      uint32_t data;
@@ -XXX,XX +XXX,XX @@ static void glue(pxa2xx_draw_line24_, BITS)(void *opaque,
          g = data & 0xff;
          data >>= 8;
          r = data & 0xff;
 -        COPY_PIXEL(dest, glue(rgb_to_pixel, BITS)(r, g, b));
 +        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
          width -= 1;
          src += 4;
      }
  }
 -static void glue(pxa2xx_draw_line24t_, BITS)(void *opaque,
 +static void pxa2xx_draw_line24t(void *opaque,
                  uint8_t *dest, const uint8_t *src, int width, int deststep)
  {
      uint32_t data;
@@ -XXX,XX +XXX,XX @@ static void glue(pxa2xx_draw_line24t_, BITS)(void *opaque,
          if (data & 1)
              SKIP_PIXEL(dest);
          else
 -            COPY_PIXEL(dest, glue(rgb_to_pixel, BITS)(r, g, b));
 +            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
          width -= 1;
          src += 4;
      }
  }
 -static void glue(pxa2xx_draw_line25_, BITS)(void *opaque,
 +static void pxa2xx_draw_line25(void *opaque,
                  uint8_t *dest, const uint8_t *src, int width, int deststep)
  {
      uint32_t data;
@@ -XXX,XX +XXX,XX @@ static void glue(pxa2xx_draw_line25_, BITS)(void *opaque,
          if (data & 1)
              SKIP_PIXEL(dest);
          else
 -            COPY_PIXEL(dest, glue(rgb_to_pixel, BITS)(r, g, b));
 +            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
          width -= 1;
          src += 4;
      }
  }
  /* Overlay planes disabled, no transparency */
 -static drawfn glue(pxa2xx_draw_fn_, BITS)[16] =
 +static drawfn pxa2xx_draw_fn_32[16] =
  {
      [0 ... 0xf]       = NULL,
 -    [pxa_lcdc_2bpp]   = glue(pxa2xx_draw_line2_, BITS),
 -    [pxa_lcdc_4bpp]   = glue(pxa2xx_draw_line4_, BITS),
 -    [pxa_lcdc_8bpp]   = glue(pxa2xx_draw_line8_, BITS),
 -    [pxa_lcdc_16bpp]  = glue(pxa2xx_draw_line16_, BITS),
 -    [pxa_lcdc_18bpp]  = glue(pxa2xx_draw_line18_, BITS),
 -    [pxa_lcdc_18pbpp] = glue(pxa2xx_draw_line18p_, BITS),
 -    [pxa_lcdc_24bpp]  = glue(pxa2xx_draw_line24_, BITS),
 +    [pxa_lcdc_2bpp]   = pxa2xx_draw_line2,
 +    [pxa_lcdc_4bpp]   = pxa2xx_draw_line4,
 +    [pxa_lcdc_8bpp]   = pxa2xx_draw_line8,
 +    [pxa_lcdc_16bpp]  = pxa2xx_draw_line16,
 +    [pxa_lcdc_18bpp]  = pxa2xx_draw_line18,
 +    [pxa_lcdc_18pbpp] = pxa2xx_draw_line18p,
 +    [pxa_lcdc_24bpp]  = pxa2xx_draw_line24,
  };
  /* Overlay planes enabled, transparency used */
 -static drawfn glue(glue(pxa2xx_draw_fn_, BITS), t)[16] =
 +static drawfn pxa2xx_draw_fn_32t[16] =
  {
      [0 ... 0xf]       = NULL,
 -    [pxa_lcdc_4bpp]   = glue(pxa2xx_draw_line4_, BITS),
 -    [pxa_lcdc_8bpp]   = glue(pxa2xx_draw_line8_, BITS),
 -    [pxa_lcdc_16bpp]  = glue(pxa2xx_draw_line16t_, BITS),
 -    [pxa_lcdc_19bpp]  = glue(pxa2xx_draw_line19_, BITS),
 -    [pxa_lcdc_19pbpp] = glue(pxa2xx_draw_line19p_, BITS),
 -    [pxa_lcdc_24bpp]  = glue(pxa2xx_draw_line24t_, BITS),
 -    [pxa_lcdc_25bpp]  = glue(pxa2xx_draw_line25_, BITS),
 +    [pxa_lcdc_4bpp]   = pxa2xx_draw_line4,
 +    [pxa_lcdc_8bpp]   = pxa2xx_draw_line8,
 +    [pxa_lcdc_16bpp]  = pxa2xx_draw_line16t,
 +    [pxa_lcdc_19bpp]  = pxa2xx_draw_line19,
 +    [pxa_lcdc_19pbpp] = pxa2xx_draw_line19p,
 +    [pxa_lcdc_24bpp]  = pxa2xx_draw_line24t,
 +    [pxa_lcdc_25bpp]  = pxa2xx_draw_line25,
  };
 -#undef BITS
  #undef COPY_PIXEL
  #undef SKIP_PIXEL
 --
 .20.1

-[Qemu-devel] [PULL 8/9] target/arm: Execute Thumb instructions when their condbits are 0xf
+[PULL 37/39] hw/display/pxa2xx: Apply brace-related coding style fixes to template header
-Thumb instructions in an IT block are set up to be conditionally
+We're about to move code from the template header into pxa2xx_lcd.c.
-executed depending on a set of condition bits encoded into the IT
+Before doing that, make coding style fixes so checkpatch doesn't
-bits of the CPSR/XPSR.  The architecture specifies that if the
+complain about the patch which moves the code. This commit fixes
-condition bits are 0b1111 this means "always execute" (like 0b1110),
+missing braces in the SKIP_PIXEL() macro definition and in if()
-not "never execute"; we were treating it as "never execute".  (See
+statements.
 the ConditionHolds() pseudocode in both the A-profile and M-profile
 Arm ARM.)
 This is a bit of an obscure corner case, because the only legal
 way to get to an 0b1111 set of condbits is to do an exception
 return which sets the XPSR/CPSR up that way. An IT instruction
 which encodes a condition sequence that would include an 0b1111 is
 UNPREDICTABLE, and for v8A the CONSTRAINED UNPREDICTABLE choices
 for such an IT insn are to NOP, UNDEF, or treat 0b1111 like 0b1110.
 Add a comment noting that we take the latter option.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Acked-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 20190617175317.27557-7-peter.maydell@linaro.org
+Message-id: 20210211141515.8755-8-peter.maydell@linaro.org
 ---
- target/arm/translate.c | 15 +++++++++++++--
+ hw/display/pxa2xx_template.h | 47 +++++++++++++++++++++---------------
-file changed, 13 insertions(+), 2 deletions(-)
+file changed, 28 insertions(+), 19 deletions(-)
-diff --git a/target/arm/translate.c b/target/arm/translate.c
+diff --git a/hw/display/pxa2xx_template.h b/hw/display/pxa2xx_template.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
+--- a/hw/display/pxa2xx_template.h
-+++ b/target/arm/translate.c
++++ b/hw/display/pxa2xx_template.h
-@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@
-                 gen_nop_hint(s, (insn >> 4) & 0xf);
+  * Framebuffer format conversion routines.
-                 break;
+  */
-             }
--            /* If Then.  */
+-# define SKIP_PIXEL(to)        to += deststep
-+            /*
++# define SKIP_PIXEL(to) do { to += deststep; } while (0)
-+             * IT (If-Then)
+ # define COPY_PIXEL(to, from)    \
-+             *
+     do {                         \
-+             * Combinations of firstcond and mask which set up an 0b1111
+         *(uint32_t *) to = from; \
-+             * condition are UNPREDICTABLE; we take the CONSTRAINED
+@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line16t(void *opaque,
-+             * UNPREDICTABLE choice to treat 0b1111 the same as 0b1110,
+         data >>= 5;
-+             * i.e. both meaning "execute always".
+         r = (data & 0x1f) << 3;
-+             */
+         data >>= 5;
-             s->condexec_cond = (insn >> 4) & 0xe;
+-        if (data & 1)
-             s->condexec_mask = insn & 0x1f;
++        if (data & 1) {
-             /* No actual code generated for this insn, just setup state.  */
+             SKIP_PIXEL(dest);
-@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+-        else
-     if (dc->condexec_mask && !thumb_insn_is_unconditional(dc, insn)) {
++        } else {
-         uint32_t cond = dc->condexec_cond;
+             COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
++        }
--        if (cond != 0x0e) {     /* Skip conditional when condition is AL. */
+         data >>= 1;
-+        /*
+         b = (data & 0x1f) << 3;
-+         * Conditionally skip the insn. Note that both 0xe and 0xf mean
+         data >>= 5;
-+         * "always"; 0xf is not "never".
+@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line16t(void *opaque,
-+         */
+         data >>= 5;
-+        if (cond < 0x0e) {
+         r = (data & 0x1f) << 3;
-             arm_skip_unless(dc, cond);
+         data >>= 5;
-         }
+-        if (data & 1)
 +        if (data & 1) {
              SKIP_PIXEL(dest);
 -        else
 +        } else {
              COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        }
          width -= 2;
          src += 4;
      }
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line19(void *opaque,
          data >>= 6;
          r = (data & 0x3f) << 2;
          data >>= 6;
 -        if (data & 1)
 +        if (data & 1) {
              SKIP_PIXEL(dest);
 -        else
 +        } else {
              COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        }
          width -= 1;
          src += 4;
      }
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line19p(void *opaque,
          data[0] >>= 6;
          r = (data[0] & 0x3f) << 2;
          data[0] >>= 6;
 -        if (data[0] & 1)
 +        if (data[0] & 1) {
              SKIP_PIXEL(dest);
 -        else
 +        } else {
              COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        }
          data[0] >>= 6;
          b = (data[0] & 0x3f) << 2;
          data[0] >>= 6;
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line19p(void *opaque,
          data[1] >>= 4;
          r = (data[1] & 0x3f) << 2;
          data[1] >>= 6;
 -        if (data[1] & 1)
 +        if (data[1] & 1) {
              SKIP_PIXEL(dest);
 -        else
 +        } else {
              COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        }
          data[1] >>= 6;
          b = (data[1] & 0x3f) << 2;
          data[1] >>= 6;
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line19p(void *opaque,
          data[1] >>= 6;
          r = ((data[2] & 0x3) << 6) | (data[1] << 2);
          data[2] >>= 2;
 -        if (data[2] & 1)
 +        if (data[2] & 1) {
              SKIP_PIXEL(dest);
 -        else
 +        } else {
              COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        }
          data[2] >>= 6;
          b = (data[2] & 0x3f) << 2;
          data[2] >>= 6;
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line19p(void *opaque,
          data[2] >>= 6;
          r = data[2] << 2;
          data[2] >>= 6;
 -        if (data[2] & 1)
 +        if (data[2] & 1) {
              SKIP_PIXEL(dest);
 -        else
 +        } else {
              COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        }
          width -= 4;
      }
  }
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line24t(void *opaque,
          data >>= 8;
          r = data & 0xff;
          data >>= 8;
 -        if (data & 1)
 +        if (data & 1) {
              SKIP_PIXEL(dest);
 -        else
 +        } else {
              COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        }
          width -= 1;
          src += 4;
      }
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line25(void *opaque,
          data >>= 8;
          r = data & 0xff;
          data >>= 8;
 -        if (data & 1)
 +        if (data & 1) {
              SKIP_PIXEL(dest);
 -        else
 +        } else {
              COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        }
          width -= 1;
          src += 4;
      }
 --
 .20.1

-New patch
+[PULL 38/39] hw/display/pxa2xx: Apply whitespace-only coding style fixes to template header
+We're about to move code from the template header into pxa2xx_lcd.c.
 Before doing that, make coding style fixes so checkpatch doesn't
 complain about the patch which moves the code. This commit is
 whitespace changes only:
  * avoid hard-coded tabs
  * fix ident on function prototypes
  * no newline before open brace on array definitions
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Acked-by: Gerd Hoffmann <kraxel@redhat.com>
 Message-id: 20210211141515.8755-9-peter.maydell@linaro.org
 ---
  hw/display/pxa2xx_template.h | 66 +++++++++++++++++-------------------
 file changed, 32 insertions(+), 34 deletions(-)
 diff --git a/hw/display/pxa2xx_template.h b/hw/display/pxa2xx_template.h
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/display/pxa2xx_template.h
 +++ b/hw/display/pxa2xx_template.h
@@ -XXX,XX +XXX,XX @@
      } while (0)
  #ifdef HOST_WORDS_BIGENDIAN
 -# define SWAP_WORDS    1
 +# define SWAP_WORDS 1
  #endif
 -#define FN_2(x)        FN(x + 1) FN(x)
 -#define FN_4(x)        FN_2(x + 2) FN_2(x)
 +#define FN_2(x) FN(x + 1) FN(x)
 +#define FN_4(x) FN_2(x + 2) FN_2(x)
 -static void pxa2xx_draw_line2(void *opaque,
 -                uint8_t *dest, const uint8_t *src, int width, int deststep)
 +static void pxa2xx_draw_line2(void *opaque, uint8_t *dest, const uint8_t *src,
 +                              int width, int deststep)
  {
      uint32_t *palette = opaque;
      uint32_t data;
      while (width > 0) {
          data = *(uint32_t *) src;
 -#define FN(x)        COPY_PIXEL(dest, palette[(data >> ((x) * 2)) & 3]);
 +#define FN(x) COPY_PIXEL(dest, palette[(data >> ((x) * 2)) & 3]);
  #ifdef SWAP_WORDS
          FN_4(12)
          FN_4(8)
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line2(void *opaque,
      }
  }
 -static void pxa2xx_draw_line4(void *opaque,
 -                uint8_t *dest, const uint8_t *src, int width, int deststep)
 +static void pxa2xx_draw_line4(void *opaque, uint8_t *dest, const uint8_t *src,
 +                              int width, int deststep)
  {
      uint32_t *palette = opaque;
      uint32_t data;
      while (width > 0) {
          data = *(uint32_t *) src;
 -#define FN(x)        COPY_PIXEL(dest, palette[(data >> ((x) * 4)) & 0xf]);
 +#define FN(x) COPY_PIXEL(dest, palette[(data >> ((x) * 4)) & 0xf]);
  #ifdef SWAP_WORDS
          FN_2(6)
          FN_2(4)
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line4(void *opaque,
      }
  }
 -static void pxa2xx_draw_line8(void *opaque,
 -                uint8_t *dest, const uint8_t *src, int width, int deststep)
 +static void pxa2xx_draw_line8(void *opaque, uint8_t *dest, const uint8_t *src,
 +                              int width, int deststep)
  {
      uint32_t *palette = opaque;
      uint32_t data;
      while (width > 0) {
          data = *(uint32_t *) src;
 -#define FN(x)        COPY_PIXEL(dest, palette[(data >> (x)) & 0xff]);
 +#define FN(x) COPY_PIXEL(dest, palette[(data >> (x)) & 0xff]);
  #ifdef SWAP_WORDS
          FN(24)
          FN(16)
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line8(void *opaque,
      }
  }
 -static void pxa2xx_draw_line16(void *opaque,
 -                uint8_t *dest, const uint8_t *src, int width, int deststep)
 +static void pxa2xx_draw_line16(void *opaque, uint8_t *dest, const uint8_t *src,
 +                               int width, int deststep)
  {
      uint32_t data;
      unsigned int r, g, b;
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line16(void *opaque,
      }
  }
 -static void pxa2xx_draw_line16t(void *opaque,
 -                uint8_t *dest, const uint8_t *src, int width, int deststep)
 +static void pxa2xx_draw_line16t(void *opaque, uint8_t *dest, const uint8_t *src,
 +                                int width, int deststep)
  {
      uint32_t data;
      unsigned int r, g, b;
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line16t(void *opaque,
      }
  }
 -static void pxa2xx_draw_line18(void *opaque,
 -                uint8_t *dest, const uint8_t *src, int width, int deststep)
 +static void pxa2xx_draw_line18(void *opaque, uint8_t *dest, const uint8_t *src,
 +                               int width, int deststep)
  {
      uint32_t data;
      unsigned int r, g, b;
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line18(void *opaque,
  }
  /* The wicked packed format */
 -static void pxa2xx_draw_line18p(void *opaque,
 -                uint8_t *dest, const uint8_t *src, int width, int deststep)
 +static void pxa2xx_draw_line18p(void *opaque, uint8_t *dest, const uint8_t *src,
 +                                int width, int deststep)
  {
      uint32_t data[3];
      unsigned int r, g, b;
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line18p(void *opaque,
      }
  }
 -static void pxa2xx_draw_line19(void *opaque,
 -                uint8_t *dest, const uint8_t *src, int width, int deststep)
 +static void pxa2xx_draw_line19(void *opaque, uint8_t *dest, const uint8_t *src,
 +                               int width, int deststep)
  {
      uint32_t data;
      unsigned int r, g, b;
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line19(void *opaque,
  }
  /* The wicked packed format */
 -static void pxa2xx_draw_line19p(void *opaque,
 -                uint8_t *dest, const uint8_t *src, int width, int deststep)
 +static void pxa2xx_draw_line19p(void *opaque, uint8_t *dest, const uint8_t *src,
 +                                int width, int deststep)
  {
      uint32_t data[3];
      unsigned int r, g, b;
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line19p(void *opaque,
      }
  }
 -static void pxa2xx_draw_line24(void *opaque,
 -                uint8_t *dest, const uint8_t *src, int width, int deststep)
 +static void pxa2xx_draw_line24(void *opaque, uint8_t *dest, const uint8_t *src,
 +                               int width, int deststep)
  {
      uint32_t data;
      unsigned int r, g, b;
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line24(void *opaque,
      }
  }
 -static void pxa2xx_draw_line24t(void *opaque,
 -                uint8_t *dest, const uint8_t *src, int width, int deststep)
 +static void pxa2xx_draw_line24t(void *opaque, uint8_t *dest, const uint8_t *src,
 +                                int width, int deststep)
  {
      uint32_t data;
      unsigned int r, g, b;
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line24t(void *opaque,
      }
  }
 -static void pxa2xx_draw_line25(void *opaque,
 -                uint8_t *dest, const uint8_t *src, int width, int deststep)
 +static void pxa2xx_draw_line25(void *opaque, uint8_t *dest, const uint8_t *src,
 +                               int width, int deststep)
  {
      uint32_t data;
      unsigned int r, g, b;
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_draw_line25(void *opaque,
  }
  /* Overlay planes disabled, no transparency */
 -static drawfn pxa2xx_draw_fn_32[16] =
 -{
 +static drawfn pxa2xx_draw_fn_32[16] = {
      [0 ... 0xf]       = NULL,
      [pxa_lcdc_2bpp]   = pxa2xx_draw_line2,
      [pxa_lcdc_4bpp]   = pxa2xx_draw_line4,
@@ -XXX,XX +XXX,XX @@ static drawfn pxa2xx_draw_fn_32[16] =
  };
  /* Overlay planes enabled, transparency used */
 -static drawfn pxa2xx_draw_fn_32t[16] =
 -{
 +static drawfn pxa2xx_draw_fn_32t[16] = {
      [0 ... 0xf]       = NULL,
      [pxa_lcdc_4bpp]   = pxa2xx_draw_line4,
      [pxa_lcdc_8bpp]   = pxa2xx_draw_line8,
 --
 .20.1

-[Qemu-devel] [PULL 4/9] arm v8M: Forcibly clear negative-priority exceptions on deactivate
+[PULL 39/39] hw/display/pxa2xx: Inline template header
-To prevent execution priority remaining negative if the guest
+The template header is now included only once; just inline its contents
-returns from an NMI or HardFault with a corrupted IPSR, the
+in hw/display/pxa2xx_lcd.c.
 v8M interrupt deactivation process forces the HardFault and NMI
 to inactive based on the current raw execution priority,
 even if the interrupt the guest is trying to deactivate
 is something else. In the pseudocode this is done in the
 Deactivate() function.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Acked-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 20190617175317.27557-3-peter.maydell@linaro.org
+Message-id: 20210211141515.8755-10-peter.maydell@linaro.org
 ---
- hw/intc/armv7m_nvic.c | 40 +++++++++++++++++++++++++++++++++++-----
+ hw/display/pxa2xx_template.h | 434 -----------------------------------
-file changed, 35 insertions(+), 5 deletions(-)
+ hw/display/pxa2xx_lcd.c      | 427 +++++++++++++++++++++++++++++++++-
 files changed, 425 insertions(+), 436 deletions(-)
  delete mode 100644 hw/display/pxa2xx_template.h
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
+diff --git a/hw/display/pxa2xx_template.h b/hw/display/pxa2xx_template.h
 deleted file mode 100644
 index XXXXXXX..XXXXXXX
 --- a/hw/display/pxa2xx_template.h
 +++ /dev/null
@@ -XXX,XX +XXX,XX @@
 -/*
 - * Intel XScale PXA255/270 LCDC emulation.
 - *
 - * Copyright (c) 2006 Openedhand Ltd.
 - * Written by Andrzej Zaborowski <balrog@zabor.org>
 - *
 - * This code is licensed under the GPLv2.
 - *
 - * Framebuffer format conversion routines.
 - */
 -
 -# define SKIP_PIXEL(to) do { to += deststep; } while (0)
 -# define COPY_PIXEL(to, from)    \
 -    do {                         \
 -        *(uint32_t *) to = from; \
 -        SKIP_PIXEL(to);          \
 -    } while (0)
 -
 -#ifdef HOST_WORDS_BIGENDIAN
 -# define SWAP_WORDS 1
 -#endif
 -
 -#define FN_2(x) FN(x + 1) FN(x)
 -#define FN_4(x) FN_2(x + 2) FN_2(x)
 -
 -static void pxa2xx_draw_line2(void *opaque, uint8_t *dest, const uint8_t *src,
 -                              int width, int deststep)
 -{
 -    uint32_t *palette = opaque;
 -    uint32_t data;
 -    while (width > 0) {
 -        data = *(uint32_t *) src;
 -#define FN(x) COPY_PIXEL(dest, palette[(data >> ((x) * 2)) & 3]);
 -#ifdef SWAP_WORDS
 -        FN_4(12)
 -        FN_4(8)
 -        FN_4(4)
 -        FN_4(0)
 -#else
 -        FN_4(0)
 -        FN_4(4)
 -        FN_4(8)
 -        FN_4(12)
 -#endif
 -#undef FN
 -        width -= 16;
 -        src += 4;
 -    }
 -}
 -
 -static void pxa2xx_draw_line4(void *opaque, uint8_t *dest, const uint8_t *src,
 -                              int width, int deststep)
 -{
 -    uint32_t *palette = opaque;
 -    uint32_t data;
 -    while (width > 0) {
 -        data = *(uint32_t *) src;
 -#define FN(x) COPY_PIXEL(dest, palette[(data >> ((x) * 4)) & 0xf]);
 -#ifdef SWAP_WORDS
 -        FN_2(6)
 -        FN_2(4)
 -        FN_2(2)
 -        FN_2(0)
 -#else
 -        FN_2(0)
 -        FN_2(2)
 -        FN_2(4)
 -        FN_2(6)
 -#endif
 -#undef FN
 -        width -= 8;
 -        src += 4;
 -    }
 -}
 -
 -static void pxa2xx_draw_line8(void *opaque, uint8_t *dest, const uint8_t *src,
 -                              int width, int deststep)
 -{
 -    uint32_t *palette = opaque;
 -    uint32_t data;
 -    while (width > 0) {
 -        data = *(uint32_t *) src;
 -#define FN(x) COPY_PIXEL(dest, palette[(data >> (x)) & 0xff]);
 -#ifdef SWAP_WORDS
 -        FN(24)
 -        FN(16)
 -        FN(8)
 -        FN(0)
 -#else
 -        FN(0)
 -        FN(8)
 -        FN(16)
 -        FN(24)
 -#endif
 -#undef FN
 -        width -= 4;
 -        src += 4;
 -    }
 -}
 -
 -static void pxa2xx_draw_line16(void *opaque, uint8_t *dest, const uint8_t *src,
 -                               int width, int deststep)
 -{
 -    uint32_t data;
 -    unsigned int r, g, b;
 -    while (width > 0) {
 -        data = *(uint32_t *) src;
 -#ifdef SWAP_WORDS
 -        data = bswap32(data);
 -#endif
 -        b = (data & 0x1f) << 3;
 -        data >>= 5;
 -        g = (data & 0x3f) << 2;
 -        data >>= 6;
 -        r = (data & 0x1f) << 3;
 -        data >>= 5;
 -        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 -        b = (data & 0x1f) << 3;
 -        data >>= 5;
 -        g = (data & 0x3f) << 2;
 -        data >>= 6;
 -        r = (data & 0x1f) << 3;
 -        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 -        width -= 2;
 -        src += 4;
 -    }
 -}
 -
 -static void pxa2xx_draw_line16t(void *opaque, uint8_t *dest, const uint8_t *src,
 -                                int width, int deststep)
 -{
 -    uint32_t data;
 -    unsigned int r, g, b;
 -    while (width > 0) {
 -        data = *(uint32_t *) src;
 -#ifdef SWAP_WORDS
 -        data = bswap32(data);
 -#endif
 -        b = (data & 0x1f) << 3;
 -        data >>= 5;
 -        g = (data & 0x1f) << 3;
 -        data >>= 5;
 -        r = (data & 0x1f) << 3;
 -        data >>= 5;
 -        if (data & 1) {
 -            SKIP_PIXEL(dest);
 -        } else {
 -            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 -        }
 -        data >>= 1;
 -        b = (data & 0x1f) << 3;
 -        data >>= 5;
 -        g = (data & 0x1f) << 3;
 -        data >>= 5;
 -        r = (data & 0x1f) << 3;
 -        data >>= 5;
 -        if (data & 1) {
 -            SKIP_PIXEL(dest);
 -        } else {
 -            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 -        }
 -        width -= 2;
 -        src += 4;
 -    }
 -}
 -
 -static void pxa2xx_draw_line18(void *opaque, uint8_t *dest, const uint8_t *src,
 -                               int width, int deststep)
 -{
 -    uint32_t data;
 -    unsigned int r, g, b;
 -    while (width > 0) {
 -        data = *(uint32_t *) src;
 -#ifdef SWAP_WORDS
 -        data = bswap32(data);
 -#endif
 -        b = (data & 0x3f) << 2;
 -        data >>= 6;
 -        g = (data & 0x3f) << 2;
 -        data >>= 6;
 -        r = (data & 0x3f) << 2;
 -        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 -        width -= 1;
 -        src += 4;
 -    }
 -}
 -
 -/* The wicked packed format */
 -static void pxa2xx_draw_line18p(void *opaque, uint8_t *dest, const uint8_t *src,
 -                                int width, int deststep)
 -{
 -    uint32_t data[3];
 -    unsigned int r, g, b;
 -    while (width > 0) {
 -        data[0] = *(uint32_t *) src;
 -        src += 4;
 -        data[1] = *(uint32_t *) src;
 -        src += 4;
 -        data[2] = *(uint32_t *) src;
 -        src += 4;
 -#ifdef SWAP_WORDS
 -        data[0] = bswap32(data[0]);
 -        data[1] = bswap32(data[1]);
 -        data[2] = bswap32(data[2]);
 -#endif
 -        b = (data[0] & 0x3f) << 2;
 -        data[0] >>= 6;
 -        g = (data[0] & 0x3f) << 2;
 -        data[0] >>= 6;
 -        r = (data[0] & 0x3f) << 2;
 -        data[0] >>= 12;
 -        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 -        b = (data[0] & 0x3f) << 2;
 -        data[0] >>= 6;
 -        g = ((data[1] & 0xf) << 4) | (data[0] << 2);
 -        data[1] >>= 4;
 -        r = (data[1] & 0x3f) << 2;
 -        data[1] >>= 12;
 -        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 -        b = (data[1] & 0x3f) << 2;
 -        data[1] >>= 6;
 -        g = (data[1] & 0x3f) << 2;
 -        data[1] >>= 6;
 -        r = ((data[2] & 0x3) << 6) | (data[1] << 2);
 -        data[2] >>= 8;
 -        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 -        b = (data[2] & 0x3f) << 2;
 -        data[2] >>= 6;
 -        g = (data[2] & 0x3f) << 2;
 -        data[2] >>= 6;
 -        r = data[2] << 2;
 -        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 -        width -= 4;
 -    }
 -}
 -
 -static void pxa2xx_draw_line19(void *opaque, uint8_t *dest, const uint8_t *src,
 -                               int width, int deststep)
 -{
 -    uint32_t data;
 -    unsigned int r, g, b;
 -    while (width > 0) {
 -        data = *(uint32_t *) src;
 -#ifdef SWAP_WORDS
 -        data = bswap32(data);
 -#endif
 -        b = (data & 0x3f) << 2;
 -        data >>= 6;
 -        g = (data & 0x3f) << 2;
 -        data >>= 6;
 -        r = (data & 0x3f) << 2;
 -        data >>= 6;
 -        if (data & 1) {
 -            SKIP_PIXEL(dest);
 -        } else {
 -            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 -        }
 -        width -= 1;
 -        src += 4;
 -    }
 -}
 -
 -/* The wicked packed format */
 -static void pxa2xx_draw_line19p(void *opaque, uint8_t *dest, const uint8_t *src,
 -                                int width, int deststep)
 -{
 -    uint32_t data[3];
 -    unsigned int r, g, b;
 -    while (width > 0) {
 -        data[0] = *(uint32_t *) src;
 -        src += 4;
 -        data[1] = *(uint32_t *) src;
 -        src += 4;
 -        data[2] = *(uint32_t *) src;
 -        src += 4;
 -# ifdef SWAP_WORDS
 -        data[0] = bswap32(data[0]);
 -        data[1] = bswap32(data[1]);
 -        data[2] = bswap32(data[2]);
 -# endif
 -        b = (data[0] & 0x3f) << 2;
 -        data[0] >>= 6;
 -        g = (data[0] & 0x3f) << 2;
 -        data[0] >>= 6;
 -        r = (data[0] & 0x3f) << 2;
 -        data[0] >>= 6;
 -        if (data[0] & 1) {
 -            SKIP_PIXEL(dest);
 -        } else {
 -            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 -        }
 -        data[0] >>= 6;
 -        b = (data[0] & 0x3f) << 2;
 -        data[0] >>= 6;
 -        g = ((data[1] & 0xf) << 4) | (data[0] << 2);
 -        data[1] >>= 4;
 -        r = (data[1] & 0x3f) << 2;
 -        data[1] >>= 6;
 -        if (data[1] & 1) {
 -            SKIP_PIXEL(dest);
 -        } else {
 -            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 -        }
 -        data[1] >>= 6;
 -        b = (data[1] & 0x3f) << 2;
 -        data[1] >>= 6;
 -        g = (data[1] & 0x3f) << 2;
 -        data[1] >>= 6;
 -        r = ((data[2] & 0x3) << 6) | (data[1] << 2);
 -        data[2] >>= 2;
 -        if (data[2] & 1) {
 -            SKIP_PIXEL(dest);
 -        } else {
 -            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 -        }
 -        data[2] >>= 6;
 -        b = (data[2] & 0x3f) << 2;
 -        data[2] >>= 6;
 -        g = (data[2] & 0x3f) << 2;
 -        data[2] >>= 6;
 -        r = data[2] << 2;
 -        data[2] >>= 6;
 -        if (data[2] & 1) {
 -            SKIP_PIXEL(dest);
 -        } else {
 -            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 -        }
 -        width -= 4;
 -    }
 -}
 -
 -static void pxa2xx_draw_line24(void *opaque, uint8_t *dest, const uint8_t *src,
 -                               int width, int deststep)
 -{
 -    uint32_t data;
 -    unsigned int r, g, b;
 -    while (width > 0) {
 -        data = *(uint32_t *) src;
 -#ifdef SWAP_WORDS
 -        data = bswap32(data);
 -#endif
 -        b = data & 0xff;
 -        data >>= 8;
 -        g = data & 0xff;
 -        data >>= 8;
 -        r = data & 0xff;
 -        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 -        width -= 1;
 -        src += 4;
 -    }
 -}
 -
 -static void pxa2xx_draw_line24t(void *opaque, uint8_t *dest, const uint8_t *src,
 -                                int width, int deststep)
 -{
 -    uint32_t data;
 -    unsigned int r, g, b;
 -    while (width > 0) {
 -        data = *(uint32_t *) src;
 -#ifdef SWAP_WORDS
 -        data = bswap32(data);
 -#endif
 -        b = (data & 0x7f) << 1;
 -        data >>= 7;
 -        g = data & 0xff;
 -        data >>= 8;
 -        r = data & 0xff;
 -        data >>= 8;
 -        if (data & 1) {
 -            SKIP_PIXEL(dest);
 -        } else {
 -            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 -        }
 -        width -= 1;
 -        src += 4;
 -    }
 -}
 -
 -static void pxa2xx_draw_line25(void *opaque, uint8_t *dest, const uint8_t *src,
 -                               int width, int deststep)
 -{
 -    uint32_t data;
 -    unsigned int r, g, b;
 -    while (width > 0) {
 -        data = *(uint32_t *) src;
 -#ifdef SWAP_WORDS
 -        data = bswap32(data);
 -#endif
 -        b = data & 0xff;
 -        data >>= 8;
 -        g = data & 0xff;
 -        data >>= 8;
 -        r = data & 0xff;
 -        data >>= 8;
 -        if (data & 1) {
 -            SKIP_PIXEL(dest);
 -        } else {
 -            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 -        }
 -        width -= 1;
 -        src += 4;
 -    }
 -}
 -
 -/* Overlay planes disabled, no transparency */
 -static drawfn pxa2xx_draw_fn_32[16] = {
 -    [0 ... 0xf]       = NULL,
 -    [pxa_lcdc_2bpp]   = pxa2xx_draw_line2,
 -    [pxa_lcdc_4bpp]   = pxa2xx_draw_line4,
 -    [pxa_lcdc_8bpp]   = pxa2xx_draw_line8,
 -    [pxa_lcdc_16bpp]  = pxa2xx_draw_line16,
 -    [pxa_lcdc_18bpp]  = pxa2xx_draw_line18,
 -    [pxa_lcdc_18pbpp] = pxa2xx_draw_line18p,
 -    [pxa_lcdc_24bpp]  = pxa2xx_draw_line24,
 -};
 -
 -/* Overlay planes enabled, transparency used */
 -static drawfn pxa2xx_draw_fn_32t[16] = {
 -    [0 ... 0xf]       = NULL,
 -    [pxa_lcdc_4bpp]   = pxa2xx_draw_line4,
 -    [pxa_lcdc_8bpp]   = pxa2xx_draw_line8,
 -    [pxa_lcdc_16bpp]  = pxa2xx_draw_line16t,
 -    [pxa_lcdc_19bpp]  = pxa2xx_draw_line19,
 -    [pxa_lcdc_19pbpp] = pxa2xx_draw_line19p,
 -    [pxa_lcdc_24bpp]  = pxa2xx_draw_line24t,
 -    [pxa_lcdc_25bpp]  = pxa2xx_draw_line25,
 -};
 -
 -#undef COPY_PIXEL
 -#undef SKIP_PIXEL
 -
 -#ifdef SWAP_WORDS
 -# undef SWAP_WORDS
 -#endif
 diff --git a/hw/display/pxa2xx_lcd.c b/hw/display/pxa2xx_lcd.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
+--- a/hw/display/pxa2xx_lcd.c
-+++ b/hw/intc/armv7m_nvic.c
++++ b/hw/display/pxa2xx_lcd.c
-@@ -XXX,XX +XXX,XX @@ void armv7m_nvic_get_pending_irq_info(void *opaque,
+@@ -XXX,XX +XXX,XX @@ typedef struct QEMU_PACKED {
- int armv7m_nvic_complete_irq(void *opaque, int irq, bool secure)
+ /* Size of a pixel in the QEMU UI output surface, in bytes */
- {
+ #define DEST_PIXEL_WIDTH 4
-     NVICState *s = (NVICState *)opaque;
--    VecInfo *vec;
+-#define BITS 32
-+    VecInfo *vec = NULL;
+-#include "pxa2xx_template.h"
-     int ret;
++/* Line drawing code to handle the various possible guest pixel formats */
++
-     assert(irq > ARMV7M_EXCP_RESET && irq < s->num_irq);
++# define SKIP_PIXEL(to) do { to += deststep; } while (0)
++# define COPY_PIXEL(to, from)    \
--    if (secure && exc_is_banked(irq)) {
++    do {                         \
--        vec = &s->sec_vectors[irq];
++        *(uint32_t *) to = from; \
--    } else {
++        SKIP_PIXEL(to);          \
--        vec = &s->vectors[irq];
++    } while (0)
-+    /*
++
-+     * For negative priorities, v8M will forcibly deactivate the appropriate
++#ifdef HOST_WORDS_BIGENDIAN
-+     * NMI or HardFault regardless of what interrupt we're being asked to
++# define SWAP_WORDS 1
-+     * deactivate (compare the DeActivate() pseudocode). This is a guard
++#endif
-+     * against software returning from NMI or HardFault with a corrupted
++
-+     * IPSR and leaving the CPU in a negative-priority state.
++#define FN_2(x) FN(x + 1) FN(x)
-+     * v7M does not do this, but simply deactivates the requested interrupt.
++#define FN_4(x) FN_2(x + 2) FN_2(x)
-+     */
++
-+    if (arm_feature(&s->cpu->env, ARM_FEATURE_V8)) {
++static void pxa2xx_draw_line2(void *opaque, uint8_t *dest, const uint8_t *src,
-+        switch (armv7m_nvic_raw_execution_priority(s)) {
++                              int width, int deststep)
-+        case -1:
++{
-+            if (s->cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) {
++    uint32_t *palette = opaque;
-+                vec = &s->vectors[ARMV7M_EXCP_HARD];
++    uint32_t data;
-+            } else {
++    while (width > 0) {
-+                vec = &s->sec_vectors[ARMV7M_EXCP_HARD];
++        data = *(uint32_t *) src;
-+            }
++#define FN(x) COPY_PIXEL(dest, palette[(data >> ((x) * 2)) & 3]);
-+            break;
++#ifdef SWAP_WORDS
-+        case -2:
++        FN_4(12)
-+            vec = &s->vectors[ARMV7M_EXCP_NMI];
++        FN_4(8)
-+            break;
++        FN_4(4)
-+        case -3:
++        FN_4(0)
-+            vec = &s->sec_vectors[ARMV7M_EXCP_HARD];
++#else
-+            break;
++        FN_4(0)
-+        default:
++        FN_4(4)
-+            break;
++        FN_4(8)
 +        FN_4(12)
 +#endif
 +#undef FN
 +        width -= 16;
 +        src += 4;
 +    }
 +}
 +
 +static void pxa2xx_draw_line4(void *opaque, uint8_t *dest, const uint8_t *src,
 +                              int width, int deststep)
 +{
 +    uint32_t *palette = opaque;
 +    uint32_t data;
 +    while (width > 0) {
 +        data = *(uint32_t *) src;
 +#define FN(x) COPY_PIXEL(dest, palette[(data >> ((x) * 4)) & 0xf]);
 +#ifdef SWAP_WORDS
 +        FN_2(6)
 +        FN_2(4)
 +        FN_2(2)
 +        FN_2(0)
 +#else
 +        FN_2(0)
 +        FN_2(2)
 +        FN_2(4)
 +        FN_2(6)
 +#endif
 +#undef FN
 +        width -= 8;
 +        src += 4;
 +    }
 +}
 +
 +static void pxa2xx_draw_line8(void *opaque, uint8_t *dest, const uint8_t *src,
 +                              int width, int deststep)
 +{
 +    uint32_t *palette = opaque;
 +    uint32_t data;
 +    while (width > 0) {
 +        data = *(uint32_t *) src;
 +#define FN(x) COPY_PIXEL(dest, palette[(data >> (x)) & 0xff]);
 +#ifdef SWAP_WORDS
 +        FN(24)
 +        FN(16)
 +        FN(8)
 +        FN(0)
 +#else
 +        FN(0)
 +        FN(8)
 +        FN(16)
 +        FN(24)
 +#endif
 +#undef FN
 +        width -= 4;
 +        src += 4;
 +    }
 +}
 +
 +static void pxa2xx_draw_line16(void *opaque, uint8_t *dest, const uint8_t *src,
 +                               int width, int deststep)
 +{
 +    uint32_t data;
 +    unsigned int r, g, b;
 +    while (width > 0) {
 +        data = *(uint32_t *) src;
 +#ifdef SWAP_WORDS
 +        data = bswap32(data);
 +#endif
 +        b = (data & 0x1f) << 3;
 +        data >>= 5;
 +        g = (data & 0x3f) << 2;
 +        data >>= 6;
 +        r = (data & 0x1f) << 3;
 +        data >>= 5;
 +        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        b = (data & 0x1f) << 3;
 +        data >>= 5;
 +        g = (data & 0x3f) << 2;
 +        data >>= 6;
 +        r = (data & 0x1f) << 3;
 +        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        width -= 2;
 +        src += 4;
 +    }
 +}
 +
 +static void pxa2xx_draw_line16t(void *opaque, uint8_t *dest, const uint8_t *src,
 +                                int width, int deststep)
 +{
 +    uint32_t data;
 +    unsigned int r, g, b;
 +    while (width > 0) {
 +        data = *(uint32_t *) src;
 +#ifdef SWAP_WORDS
 +        data = bswap32(data);
 +#endif
 +        b = (data & 0x1f) << 3;
 +        data >>= 5;
 +        g = (data & 0x1f) << 3;
 +        data >>= 5;
 +        r = (data & 0x1f) << 3;
 +        data >>= 5;
 +        if (data & 1) {
 +            SKIP_PIXEL(dest);
 +        } else {
 +            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        }
-+    }
++        data >>= 1;
-+
++        b = (data & 0x1f) << 3;
-+    if (!vec) {
++        data >>= 5;
-+        if (secure && exc_is_banked(irq)) {
++        g = (data & 0x1f) << 3;
-+            vec = &s->sec_vectors[irq];
++        data >>= 5;
 +        r = (data & 0x1f) << 3;
 +        data >>= 5;
 +        if (data & 1) {
 +            SKIP_PIXEL(dest);
 +        } else {
-+            vec = &s->vectors[irq];
++            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        }
-     }
++        width -= 2;
++        src += 4;
-     trace_nvic_complete_irq(irq, secure);
++    }
 +}
 +
 +static void pxa2xx_draw_line18(void *opaque, uint8_t *dest, const uint8_t *src,
 +                               int width, int deststep)
 +{
 +    uint32_t data;
 +    unsigned int r, g, b;
 +    while (width > 0) {
 +        data = *(uint32_t *) src;
 +#ifdef SWAP_WORDS
 +        data = bswap32(data);
 +#endif
 +        b = (data & 0x3f) << 2;
 +        data >>= 6;
 +        g = (data & 0x3f) << 2;
 +        data >>= 6;
 +        r = (data & 0x3f) << 2;
 +        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        width -= 1;
 +        src += 4;
 +    }
 +}
 +
 +/* The wicked packed format */
 +static void pxa2xx_draw_line18p(void *opaque, uint8_t *dest, const uint8_t *src,
 +                                int width, int deststep)
 +{
 +    uint32_t data[3];
 +    unsigned int r, g, b;
 +    while (width > 0) {
 +        data[0] = *(uint32_t *) src;
 +        src += 4;
 +        data[1] = *(uint32_t *) src;
 +        src += 4;
 +        data[2] = *(uint32_t *) src;
 +        src += 4;
 +#ifdef SWAP_WORDS
 +        data[0] = bswap32(data[0]);
 +        data[1] = bswap32(data[1]);
 +        data[2] = bswap32(data[2]);
 +#endif
 +        b = (data[0] & 0x3f) << 2;
 +        data[0] >>= 6;
 +        g = (data[0] & 0x3f) << 2;
 +        data[0] >>= 6;
 +        r = (data[0] & 0x3f) << 2;
 +        data[0] >>= 12;
 +        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        b = (data[0] & 0x3f) << 2;
 +        data[0] >>= 6;
 +        g = ((data[1] & 0xf) << 4) | (data[0] << 2);
 +        data[1] >>= 4;
 +        r = (data[1] & 0x3f) << 2;
 +        data[1] >>= 12;
 +        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        b = (data[1] & 0x3f) << 2;
 +        data[1] >>= 6;
 +        g = (data[1] & 0x3f) << 2;
 +        data[1] >>= 6;
 +        r = ((data[2] & 0x3) << 6) | (data[1] << 2);
 +        data[2] >>= 8;
 +        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        b = (data[2] & 0x3f) << 2;
 +        data[2] >>= 6;
 +        g = (data[2] & 0x3f) << 2;
 +        data[2] >>= 6;
 +        r = data[2] << 2;
 +        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        width -= 4;
 +    }
 +}
 +
 +static void pxa2xx_draw_line19(void *opaque, uint8_t *dest, const uint8_t *src,
 +                               int width, int deststep)
 +{
 +    uint32_t data;
 +    unsigned int r, g, b;
 +    while (width > 0) {
 +        data = *(uint32_t *) src;
 +#ifdef SWAP_WORDS
 +        data = bswap32(data);
 +#endif
 +        b = (data & 0x3f) << 2;
 +        data >>= 6;
 +        g = (data & 0x3f) << 2;
 +        data >>= 6;
 +        r = (data & 0x3f) << 2;
 +        data >>= 6;
 +        if (data & 1) {
 +            SKIP_PIXEL(dest);
 +        } else {
 +            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        }
 +        width -= 1;
 +        src += 4;
 +    }
 +}
 +
 +/* The wicked packed format */
 +static void pxa2xx_draw_line19p(void *opaque, uint8_t *dest, const uint8_t *src,
 +                                int width, int deststep)
 +{
 +    uint32_t data[3];
 +    unsigned int r, g, b;
 +    while (width > 0) {
 +        data[0] = *(uint32_t *) src;
 +        src += 4;
 +        data[1] = *(uint32_t *) src;
 +        src += 4;
 +        data[2] = *(uint32_t *) src;
 +        src += 4;
 +# ifdef SWAP_WORDS
 +        data[0] = bswap32(data[0]);
 +        data[1] = bswap32(data[1]);
 +        data[2] = bswap32(data[2]);
 +# endif
 +        b = (data[0] & 0x3f) << 2;
 +        data[0] >>= 6;
 +        g = (data[0] & 0x3f) << 2;
 +        data[0] >>= 6;
 +        r = (data[0] & 0x3f) << 2;
 +        data[0] >>= 6;
 +        if (data[0] & 1) {
 +            SKIP_PIXEL(dest);
 +        } else {
 +            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        }
 +        data[0] >>= 6;
 +        b = (data[0] & 0x3f) << 2;
 +        data[0] >>= 6;
 +        g = ((data[1] & 0xf) << 4) | (data[0] << 2);
 +        data[1] >>= 4;
 +        r = (data[1] & 0x3f) << 2;
 +        data[1] >>= 6;
 +        if (data[1] & 1) {
 +            SKIP_PIXEL(dest);
 +        } else {
 +            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        }
 +        data[1] >>= 6;
 +        b = (data[1] & 0x3f) << 2;
 +        data[1] >>= 6;
 +        g = (data[1] & 0x3f) << 2;
 +        data[1] >>= 6;
 +        r = ((data[2] & 0x3) << 6) | (data[1] << 2);
 +        data[2] >>= 2;
 +        if (data[2] & 1) {
 +            SKIP_PIXEL(dest);
 +        } else {
 +            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        }
 +        data[2] >>= 6;
 +        b = (data[2] & 0x3f) << 2;
 +        data[2] >>= 6;
 +        g = (data[2] & 0x3f) << 2;
 +        data[2] >>= 6;
 +        r = data[2] << 2;
 +        data[2] >>= 6;
 +        if (data[2] & 1) {
 +            SKIP_PIXEL(dest);
 +        } else {
 +            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        }
 +        width -= 4;
 +    }
 +}
 +
 +static void pxa2xx_draw_line24(void *opaque, uint8_t *dest, const uint8_t *src,
 +                               int width, int deststep)
 +{
 +    uint32_t data;
 +    unsigned int r, g, b;
 +    while (width > 0) {
 +        data = *(uint32_t *) src;
 +#ifdef SWAP_WORDS
 +        data = bswap32(data);
 +#endif
 +        b = data & 0xff;
 +        data >>= 8;
 +        g = data & 0xff;
 +        data >>= 8;
 +        r = data & 0xff;
 +        COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        width -= 1;
 +        src += 4;
 +    }
 +}
 +
 +static void pxa2xx_draw_line24t(void *opaque, uint8_t *dest, const uint8_t *src,
 +                                int width, int deststep)
 +{
 +    uint32_t data;
 +    unsigned int r, g, b;
 +    while (width > 0) {
 +        data = *(uint32_t *) src;
 +#ifdef SWAP_WORDS
 +        data = bswap32(data);
 +#endif
 +        b = (data & 0x7f) << 1;
 +        data >>= 7;
 +        g = data & 0xff;
 +        data >>= 8;
 +        r = data & 0xff;
 +        data >>= 8;
 +        if (data & 1) {
 +            SKIP_PIXEL(dest);
 +        } else {
 +            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        }
 +        width -= 1;
 +        src += 4;
 +    }
 +}
 +
 +static void pxa2xx_draw_line25(void *opaque, uint8_t *dest, const uint8_t *src,
 +                               int width, int deststep)
 +{
 +    uint32_t data;
 +    unsigned int r, g, b;
 +    while (width > 0) {
 +        data = *(uint32_t *) src;
 +#ifdef SWAP_WORDS
 +        data = bswap32(data);
 +#endif
 +        b = data & 0xff;
 +        data >>= 8;
 +        g = data & 0xff;
 +        data >>= 8;
 +        r = data & 0xff;
 +        data >>= 8;
 +        if (data & 1) {
 +            SKIP_PIXEL(dest);
 +        } else {
 +            COPY_PIXEL(dest, rgb_to_pixel32(r, g, b));
 +        }
 +        width -= 1;
 +        src += 4;
 +    }
 +}
 +
 +/* Overlay planes disabled, no transparency */
 +static drawfn pxa2xx_draw_fn_32[16] = {
 +    [0 ... 0xf]       = NULL,
 +    [pxa_lcdc_2bpp]   = pxa2xx_draw_line2,
 +    [pxa_lcdc_4bpp]   = pxa2xx_draw_line4,
 +    [pxa_lcdc_8bpp]   = pxa2xx_draw_line8,
 +    [pxa_lcdc_16bpp]  = pxa2xx_draw_line16,
 +    [pxa_lcdc_18bpp]  = pxa2xx_draw_line18,
 +    [pxa_lcdc_18pbpp] = pxa2xx_draw_line18p,
 +    [pxa_lcdc_24bpp]  = pxa2xx_draw_line24,
 +};
 +
 +/* Overlay planes enabled, transparency used */
 +static drawfn pxa2xx_draw_fn_32t[16] = {
 +    [0 ... 0xf]       = NULL,
 +    [pxa_lcdc_4bpp]   = pxa2xx_draw_line4,
 +    [pxa_lcdc_8bpp]   = pxa2xx_draw_line8,
 +    [pxa_lcdc_16bpp]  = pxa2xx_draw_line16t,
 +    [pxa_lcdc_19bpp]  = pxa2xx_draw_line19,
 +    [pxa_lcdc_19pbpp] = pxa2xx_draw_line19p,
 +    [pxa_lcdc_24bpp]  = pxa2xx_draw_line24t,
 +    [pxa_lcdc_25bpp]  = pxa2xx_draw_line25,
 +};
 +
 +#undef COPY_PIXEL
 +#undef SKIP_PIXEL
 +
 +#ifdef SWAP_WORDS
 +# undef SWAP_WORDS
 +#endif
  /* Route internal interrupt lines to the global IC */
  static void pxa2xx_lcdc_int_update(PXA2xxLCDState *s)
 --
 .20.1

A last collection of patches to squeeze in before rc0.
The patches from me are all bugfixes. Philippe's are just
code-movement, but I wanted to get these into 4.1 because
that kind of patch is so painful to have to rebase.
(The diffstat is huge but it's just code moving from file to file.)

thanks
-- PMM

The following changes since commit 234e256511e588680300600ce087c5185d68cf2a:

Merge remote-tracking branch 'remotes/armbru/tags/pull-build-2019-07-02-v2' into staging (2019-07-04 15:58:46 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190704

for you to fetch changes up to b75f3735802b5b33f10e4bfe374d4b17bb86d29a:

target/arm: Correct VMOV_imm_dp handling of short vectors (2019-07-04 16:52:05 +0100)

----------------------------------------------------------------
target-arm queue:
 * more code-movement to separate TCG-only functions into their own files
 * Correct VMOV_imm_dp handling of short vectors
 * Execute Thumb instructions when their condbits are 0xf
 * armv7m_systick: Forbid non-privileged accesses
 * Use _ra versions of cpu_stl_data() in v7M helpers
 * v8M: Check state of exception being returned from
 * v8M: Forcibly clear negative-priority exceptions on deactivate

----------------------------------------------------------------
Peter Maydell (6):
      arm v8M: Forcibly clear negative-priority exceptions on deactivate
      target/arm: v8M: Check state of exception being returned from
      target/arm: Use _ra versions of cpu_stl_data() in v7M helpers
      hw/timer/armv7m_systick: Forbid non-privileged accesses
      target/arm: Execute Thumb instructions when their condbits are 0xf
      target/arm: Correct VMOV_imm_dp handling of short vectors

Philippe Mathieu-Daudé (3):
      target/arm: Move debug routines to debug_helper.c
      target/arm: Restrict semi-hosting to TCG
      target/arm/helper: Move M profile routines to m_helper.c

target/arm/Makefile.objs       |    5 +-
 target/arm/cpu.h               |    7 +
 hw/intc/armv7m_nvic.c          |   54 +-
 hw/timer/armv7m_systick.c      |   26 +-
 target/arm/cpu.c               |    9 +-
 target/arm/debug_helper.c      |  311 +++++
 target/arm/helper.c            | 2646 +--------------------------------------
 target/arm/m_helper.c          | 2679 ++++++++++++++++++++++++++++++++++++++++
 target/arm/op_helper.c         |  295 -----
 target/arm/translate-vfp.inc.c |    2 +-
 target/arm/translate.c         |   15 +-
 11 files changed, 3096 insertions(+), 2953 deletions(-)
 create mode 100644 target/arm/debug_helper.c
 create mode 100644 target/arm/m_helper.c

From: Philippe Mathieu-Daudé <philmd@redhat.com>

These routines are TCG specific.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190701194942.10092-2-philmd@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/Makefile.objs  |   2 +-
 target/arm/cpu.c          |   9 +-
 target/arm/debug_helper.c | 311 ++++++++++++++++++++++++++++++++++++++
 target/arm/op_helper.c    | 295 ------------------------------------
 4 files changed, 315 insertions(+), 302 deletions(-)
 create mode 100644 target/arm/debug_helper.c

diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/Makefile.objs
+++ b/target/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@ target/arm/translate-sve.o: target/arm/decode-sve.inc.c
 target/arm/translate.o: target/arm/decode-vfp.inc.c
 target/arm/translate.o: target/arm/decode-vfp-uncond.inc.c
 
-obj-y += tlb_helper.o
+obj-y += tlb_helper.o debug_helper.o
 obj-y += translate.o op_helper.o
 obj-y += crypto_helper.o
 obj-y += iwmmxt_helper.o vec_helper.o neon_helper.o
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_class_init(ObjectClass *oc, void *data)
     cc->gdb_arch_name = arm_gdb_arch_name;
     cc->gdb_get_dynamic_xml = arm_gdb_get_dynamic_xml;
     cc->gdb_stop_before_watchpoint = true;
-    cc->debug_excp_handler = arm_debug_excp_handler;
-    cc->debug_check_watchpoint = arm_debug_check_watchpoint;
-#if !defined(CONFIG_USER_ONLY)
-    cc->adjust_watchpoint_address = arm_adjust_watchpoint_address;
-#endif
-
     cc->disas_set_info = arm_disas_set_info;
 #ifdef CONFIG_TCG
     cc->tcg_initialize = arm_translate_init;
     cc->tlb_fill = arm_cpu_tlb_fill;
+    cc->debug_excp_handler = arm_debug_excp_handler;
+    cc->debug_check_watchpoint = arm_debug_check_watchpoint;
 #if !defined(CONFIG_USER_ONLY)
     cc->do_unaligned_access = arm_cpu_do_unaligned_access;
     cc->do_transaction_failed = arm_cpu_do_transaction_failed;
+    cc->adjust_watchpoint_address = arm_adjust_watchpoint_address;
 #endif /* CONFIG_TCG && !CONFIG_USER_ONLY */
 #endif
 }
diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/debug_helper.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * ARM debug helpers.
+ *
+ * This code is licensed under the GNU GPL v2 or later.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+#include "qemu/osdep.h"
+#include "cpu.h"
+#include "internals.h"
+#include "exec/exec-all.h"
+#include "exec/helper-proto.h"
+
+/* Return true if the linked breakpoint entry lbn passes its checks */
+static bool linked_bp_matches(ARMCPU *cpu, int lbn)
+{
+    CPUARMState *env = &cpu->env;
+    uint64_t bcr = env->cp15.dbgbcr[lbn];
+    int brps = extract32(cpu->dbgdidr, 24, 4);
+    int ctx_cmps = extract32(cpu->dbgdidr, 20, 4);
+    int bt;
+    uint32_t contextidr;
+
+    /*
+     * Links to unimplemented or non-context aware breakpoints are
+     * CONSTRAINED UNPREDICTABLE: either behave as if disabled, or
+     * as if linked to an UNKNOWN context-aware breakpoint (in which
+     * case DBGWCR<n>_EL1.LBN must indicate that breakpoint).
+     * We choose the former.
+     */
+    if (lbn > brps || lbn < (brps - ctx_cmps)) {
+        return false;
+    }
+
+    bcr = env->cp15.dbgbcr[lbn];
+
+    if (extract64(bcr, 0, 1) == 0) {
+        /* Linked breakpoint disabled : generate no events */
+        return false;
+    }
+
+    bt = extract64(bcr, 20, 4);
+
+    /*
+     * We match the whole register even if this is AArch32 using the
+     * short descriptor format (in which case it holds both PROCID and ASID),
+     * since we don't implement the optional v7 context ID masking.
+     */
+    contextidr = extract64(env->cp15.contextidr_el[1], 0, 32);
+
+    switch (bt) {
+    case 3: /* linked context ID match */
+        if (arm_current_el(env) > 1) {
+            /* Context matches never fire in EL2 or (AArch64) EL3 */
+            return false;
+        }
+        return (contextidr == extract64(env->cp15.dbgbvr[lbn], 0, 32));
+    case 5: /* linked address mismatch (reserved in AArch64) */
+    case 9: /* linked VMID match (reserved if no EL2) */
+    case 11: /* linked context ID and VMID match (reserved if no EL2) */
+    default:
+        /*
+         * Links to Unlinked context breakpoints must generate no
+         * events; we choose to do the same for reserved values too.
+         */
+        return false;
+    }
+
+    return false;
+}
+
+static bool bp_wp_matches(ARMCPU *cpu, int n, bool is_wp)
+{
+    CPUARMState *env = &cpu->env;
+    uint64_t cr;
+    int pac, hmc, ssc, wt, lbn;
+    /*
+     * Note that for watchpoints the check is against the CPU security
+     * state, not the S/NS attribute on the offending data access.
+     */
+    bool is_secure = arm_is_secure(env);
+    int access_el = arm_current_el(env);
+
+    if (is_wp) {
+        CPUWatchpoint *wp = env->cpu_watchpoint[n];
+
+        if (!wp || !(wp->flags & BP_WATCHPOINT_HIT)) {
+            return false;
+        }
+        cr = env->cp15.dbgwcr[n];
+        if (wp->hitattrs.user) {
+            /*
+             * The LDRT/STRT/LDT/STT "unprivileged access" instructions should
+             * match watchpoints as if they were accesses done at EL0, even if
+             * the CPU is at EL1 or higher.
+             */
+            access_el = 0;
+        }
+    } else {
+        uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
+
+        if (!env->cpu_breakpoint[n] || env->cpu_breakpoint[n]->pc != pc) {
+            return false;
+        }
+        cr = env->cp15.dbgbcr[n];
+    }
+    /*
+     * The WATCHPOINT_HIT flag guarantees us that the watchpoint is
+     * enabled and that the address and access type match; for breakpoints
+     * we know the address matched; check the remaining fields, including
+     * linked breakpoints. We rely on WCR and BCR having the same layout
+     * for the LBN, SSC, HMC, PAC/PMC and is-linked fields.
+     * Note that some combinations of {PAC, HMC, SSC} are reserved and
+     * must act either like some valid combination or as if the watchpoint
+     * were disabled. We choose the former, and use this together with
+     * the fact that EL3 must always be Secure and EL2 must always be
+     * Non-Secure to simplify the code slightly compared to the full
+     * table in the ARM ARM.
+     */
+    pac = extract64(cr, 1, 2);
+    hmc = extract64(cr, 13, 1);
+    ssc = extract64(cr, 14, 2);
+
+    switch (ssc) {
+    case 0:
+        break;
+    case 1:
+    case 3:
+        if (is_secure) {
+            return false;
+        }
+        break;
+    case 2:
+        if (!is_secure) {
+            return false;
+        }
+        break;
+    }
+
+    switch (access_el) {
+    case 3:
+    case 2:
+        if (!hmc) {
+            return false;
+        }
+        break;
+    case 1:
+        if (extract32(pac, 0, 1) == 0) {
+            return false;
+        }
+        break;
+    case 0:
+        if (extract32(pac, 1, 1) == 0) {
+            return false;
+        }
+        break;
+    default:
+        g_assert_not_reached();
+    }
+
+    wt = extract64(cr, 20, 1);
+    lbn = extract64(cr, 16, 4);
+
+    if (wt && !linked_bp_matches(cpu, lbn)) {
+        return false;
+    }
+
+    return true;
+}
+
+static bool check_watchpoints(ARMCPU *cpu)
+{
+    CPUARMState *env = &cpu->env;
+    int n;
+
+    /*
+     * If watchpoints are disabled globally or we can't take debug
+     * exceptions here then watchpoint firings are ignored.
+     */
+    if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
+        || !arm_generate_debug_exceptions(env)) {
+        return false;
+    }
+
+    for (n = 0; n < ARRAY_SIZE(env->cpu_watchpoint); n++) {
+        if (bp_wp_matches(cpu, n, true)) {
+            return true;
+        }
+    }
+    return false;
+}
+
+static bool check_breakpoints(ARMCPU *cpu)
+{
+    CPUARMState *env = &cpu->env;
+    int n;
+
+    /*
+     * If breakpoints are disabled globally or we can't take debug
+     * exceptions here then breakpoint firings are ignored.
+     */
+    if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
+        || !arm_generate_debug_exceptions(env)) {
+        return false;
+    }
+
+    for (n = 0; n < ARRAY_SIZE(env->cpu_breakpoint); n++) {
+        if (bp_wp_matches(cpu, n, false)) {
+            return true;
+        }
+    }
+    return false;
+}
+
+void HELPER(check_breakpoints)(CPUARMState *env)
+{
+    ARMCPU *cpu = env_archcpu(env);
+
+    if (check_breakpoints(cpu)) {
+        HELPER(exception_internal(env, EXCP_DEBUG));
+    }
+}
+
+bool arm_debug_check_watchpoint(CPUState *cs, CPUWatchpoint *wp)
+{
+    /*
+     * Called by core code when a CPU watchpoint fires; need to check if this
+     * is also an architectural watchpoint match.
+     */
+    ARMCPU *cpu = ARM_CPU(cs);
+
+    return check_watchpoints(cpu);
+}
+
+void arm_debug_excp_handler(CPUState *cs)
+{
+    /*
+     * Called by core code when a watchpoint or breakpoint fires;
+     * need to check which one and raise the appropriate exception.
+     */
+    ARMCPU *cpu = ARM_CPU(cs);
+    CPUARMState *env = &cpu->env;
+    CPUWatchpoint *wp_hit = cs->watchpoint_hit;
+
+    if (wp_hit) {
+        if (wp_hit->flags & BP_CPU) {
+            bool wnr = (wp_hit->flags & BP_WATCHPOINT_HIT_WRITE) != 0;
+            bool same_el = arm_debug_target_el(env) == arm_current_el(env);
+
+            cs->watchpoint_hit = NULL;
+
+            env->exception.fsr = arm_debug_exception_fsr(env);
+            env->exception.vaddress = wp_hit->hitaddr;
+            raise_exception(env, EXCP_DATA_ABORT,
+                    syn_watchpoint(same_el, 0, wnr),
+                    arm_debug_target_el(env));
+        }
+    } else {
+        uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
+        bool same_el = (arm_debug_target_el(env) == arm_current_el(env));
+
+        /*
+         * (1) GDB breakpoints should be handled first.
+         * (2) Do not raise a CPU exception if no CPU breakpoint has fired,
+         * since singlestep is also done by generating a debug internal
+         * exception.
+         */
+        if (cpu_breakpoint_test(cs, pc, BP_GDB)
+            || !cpu_breakpoint_test(cs, pc, BP_CPU)) {
+            return;
+        }
+
+        env->exception.fsr = arm_debug_exception_fsr(env);
+        /*
+         * FAR is UNKNOWN: clear vaddress to avoid potentially exposing
+         * values to the guest that it shouldn't be able to see at its
+         * exception/security level.
+         */
+        env->exception.vaddress = 0;
+        raise_exception(env, EXCP_PREFETCH_ABORT,
+                        syn_breakpoint(same_el),
+                        arm_debug_target_el(env));
+    }
+}
+
+#if !defined(CONFIG_USER_ONLY)
+
+vaddr arm_adjust_watchpoint_address(CPUState *cs, vaddr addr, int len)
+{
+    ARMCPU *cpu = ARM_CPU(cs);
+    CPUARMState *env = &cpu->env;
+
+    /*
+     * In BE32 system mode, target memory is stored byteswapped (on a
+     * little-endian host system), and by the time we reach here (via an
+     * opcode helper) the addresses of subword accesses have been adjusted
+     * to account for that, which means that watchpoints will not match.
+     * Undo the adjustment here.
+     */
+    if (arm_sctlr_b(env)) {
+        if (len == 1) {
+            addr ^= 3;
+        } else if (len == 2) {
+            addr ^= 2;
+        }
+    }
+
+    return addr;
+}
+
+#endif
diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/op_helper.c
+++ b/target/arm/op_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(pre_smc)(CPUARMState *env, uint32_t syndrome)
     }
 }
 
-/* Return true if the linked breakpoint entry lbn passes its checks */
-static bool linked_bp_matches(ARMCPU *cpu, int lbn)
-{
-    CPUARMState *env = &cpu->env;
-    uint64_t bcr = env->cp15.dbgbcr[lbn];
-    int brps = extract32(cpu->dbgdidr, 24, 4);
-    int ctx_cmps = extract32(cpu->dbgdidr, 20, 4);
-    int bt;
-    uint32_t contextidr;
-
-    /*
-     * Links to unimplemented or non-context aware breakpoints are
-     * CONSTRAINED UNPREDICTABLE: either behave as if disabled, or
-     * as if linked to an UNKNOWN context-aware breakpoint (in which
-     * case DBGWCR<n>_EL1.LBN must indicate that breakpoint).
-     * We choose the former.
-     */
-    if (lbn > brps || lbn < (brps - ctx_cmps)) {
-        return false;
-    }
-
-    bcr = env->cp15.dbgbcr[lbn];
-
-    if (extract64(bcr, 0, 1) == 0) {
-        /* Linked breakpoint disabled : generate no events */
-        return false;
-    }
-
-    bt = extract64(bcr, 20, 4);
-
-    /*
-     * We match the whole register even if this is AArch32 using the
-     * short descriptor format (in which case it holds both PROCID and ASID),
-     * since we don't implement the optional v7 context ID masking.
-     */
-    contextidr = extract64(env->cp15.contextidr_el[1], 0, 32);
-
-    switch (bt) {
-    case 3: /* linked context ID match */
-        if (arm_current_el(env) > 1) {
-            /* Context matches never fire in EL2 or (AArch64) EL3 */
-            return false;
-        }
-        return (contextidr == extract64(env->cp15.dbgbvr[lbn], 0, 32));
-    case 5: /* linked address mismatch (reserved in AArch64) */
-    case 9: /* linked VMID match (reserved if no EL2) */
-    case 11: /* linked context ID and VMID match (reserved if no EL2) */
-    default:
-        /*
-         * Links to Unlinked context breakpoints must generate no
-         * events; we choose to do the same for reserved values too.
-         */
-        return false;
-    }
-
-    return false;
-}
-
-static bool bp_wp_matches(ARMCPU *cpu, int n, bool is_wp)
-{
-    CPUARMState *env = &cpu->env;
-    uint64_t cr;
-    int pac, hmc, ssc, wt, lbn;
-    /*
-     * Note that for watchpoints the check is against the CPU security
-     * state, not the S/NS attribute on the offending data access.
-     */
-    bool is_secure = arm_is_secure(env);
-    int access_el = arm_current_el(env);
-
-    if (is_wp) {
-        CPUWatchpoint *wp = env->cpu_watchpoint[n];
-
-        if (!wp || !(wp->flags & BP_WATCHPOINT_HIT)) {
-            return false;
-        }
-        cr = env->cp15.dbgwcr[n];
-        if (wp->hitattrs.user) {
-            /*
-             * The LDRT/STRT/LDT/STT "unprivileged access" instructions should
-             * match watchpoints as if they were accesses done at EL0, even if
-             * the CPU is at EL1 or higher.
-             */
-            access_el = 0;
-        }
-    } else {
-        uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
-
-        if (!env->cpu_breakpoint[n] || env->cpu_breakpoint[n]->pc != pc) {
-            return false;
-        }
-        cr = env->cp15.dbgbcr[n];
-    }
-    /*
-     * The WATCHPOINT_HIT flag guarantees us that the watchpoint is
-     * enabled and that the address and access type match; for breakpoints
-     * we know the address matched; check the remaining fields, including
-     * linked breakpoints. We rely on WCR and BCR having the same layout
-     * for the LBN, SSC, HMC, PAC/PMC and is-linked fields.
-     * Note that some combinations of {PAC, HMC, SSC} are reserved and
-     * must act either like some valid combination or as if the watchpoint
-     * were disabled. We choose the former, and use this together with
-     * the fact that EL3 must always be Secure and EL2 must always be
-     * Non-Secure to simplify the code slightly compared to the full
-     * table in the ARM ARM.
-     */
-    pac = extract64(cr, 1, 2);
-    hmc = extract64(cr, 13, 1);
-    ssc = extract64(cr, 14, 2);
-
-    switch (ssc) {
-    case 0:
-        break;
-    case 1:
-    case 3:
-        if (is_secure) {
-            return false;
-        }
-        break;
-    case 2:
-        if (!is_secure) {
-            return false;
-        }
-        break;
-    }
-
-    switch (access_el) {
-    case 3:
-    case 2:
-        if (!hmc) {
-            return false;
-        }
-        break;
-    case 1:
-        if (extract32(pac, 0, 1) == 0) {
-            return false;
-        }
-        break;
-    case 0:
-        if (extract32(pac, 1, 1) == 0) {
-            return false;
-        }
-        break;
-    default:
-        g_assert_not_reached();
-    }
-
-    wt = extract64(cr, 20, 1);
-    lbn = extract64(cr, 16, 4);
-
-    if (wt && !linked_bp_matches(cpu, lbn)) {
-        return false;
-    }
-
-    return true;
-}
-
-static bool check_watchpoints(ARMCPU *cpu)
-{
-    CPUARMState *env = &cpu->env;
-    int n;
-
-    /*
-     * If watchpoints are disabled globally or we can't take debug
-     * exceptions here then watchpoint firings are ignored.
-     */
-    if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
-        || !arm_generate_debug_exceptions(env)) {
-        return false;
-    }
-
-    for (n = 0; n < ARRAY_SIZE(env->cpu_watchpoint); n++) {
-        if (bp_wp_matches(cpu, n, true)) {
-            return true;
-        }
-    }
-    return false;
-}
-
-static bool check_breakpoints(ARMCPU *cpu)
-{
-    CPUARMState *env = &cpu->env;
-    int n;
-
-    /*
-     * If breakpoints are disabled globally or we can't take debug
-     * exceptions here then breakpoint firings are ignored.
-     */
-    if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
-        || !arm_generate_debug_exceptions(env)) {
-        return false;
-    }
-
-    for (n = 0; n < ARRAY_SIZE(env->cpu_breakpoint); n++) {
-        if (bp_wp_matches(cpu, n, false)) {
-            return true;
-        }
-    }
-    return false;
-}
-
-void HELPER(check_breakpoints)(CPUARMState *env)
-{
-    ARMCPU *cpu = env_archcpu(env);
-
-    if (check_breakpoints(cpu)) {
-        HELPER(exception_internal(env, EXCP_DEBUG));
-    }
-}
-
-bool arm_debug_check_watchpoint(CPUState *cs, CPUWatchpoint *wp)
-{
-    /*
-     * Called by core code when a CPU watchpoint fires; need to check if this
-     * is also an architectural watchpoint match.
-     */
-    ARMCPU *cpu = ARM_CPU(cs);
-
-    return check_watchpoints(cpu);
-}
-
-vaddr arm_adjust_watchpoint_address(CPUState *cs, vaddr addr, int len)
-{
-    ARMCPU *cpu = ARM_CPU(cs);
-    CPUARMState *env = &cpu->env;
-
-    /*
-     * In BE32 system mode, target memory is stored byteswapped (on a
-     * little-endian host system), and by the time we reach here (via an
-     * opcode helper) the addresses of subword accesses have been adjusted
-     * to account for that, which means that watchpoints will not match.
-     * Undo the adjustment here.
-     */
-    if (arm_sctlr_b(env)) {
-        if (len == 1) {
-            addr ^= 3;
-        } else if (len == 2) {
-            addr ^= 2;
-        }
-    }
-
-    return addr;
-}
-
-void arm_debug_excp_handler(CPUState *cs)
-{
-    /*
-     * Called by core code when a watchpoint or breakpoint fires;
-     * need to check which one and raise the appropriate exception.
-     */
-    ARMCPU *cpu = ARM_CPU(cs);
-    CPUARMState *env = &cpu->env;
-    CPUWatchpoint *wp_hit = cs->watchpoint_hit;
-
-    if (wp_hit) {
-        if (wp_hit->flags & BP_CPU) {
-            bool wnr = (wp_hit->flags & BP_WATCHPOINT_HIT_WRITE) != 0;
-            bool same_el = arm_debug_target_el(env) == arm_current_el(env);
-
-            cs->watchpoint_hit = NULL;
-
-            env->exception.fsr = arm_debug_exception_fsr(env);
-            env->exception.vaddress = wp_hit->hitaddr;
-            raise_exception(env, EXCP_DATA_ABORT,
-                    syn_watchpoint(same_el, 0, wnr),
-                    arm_debug_target_el(env));
-        }
-    } else {
-        uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
-        bool same_el = (arm_debug_target_el(env) == arm_current_el(env));
-
-        /*
-         * (1) GDB breakpoints should be handled first.
-         * (2) Do not raise a CPU exception if no CPU breakpoint has fired,
-         * since singlestep is also done by generating a debug internal
-         * exception.
-         */
-        if (cpu_breakpoint_test(cs, pc, BP_GDB)
-            || !cpu_breakpoint_test(cs, pc, BP_CPU)) {
-            return;
-        }
-
-        env->exception.fsr = arm_debug_exception_fsr(env);
-        /*
-         * FAR is UNKNOWN: clear vaddress to avoid potentially exposing
-         * values to the guest that it shouldn't be able to see at its
-         * exception/security level.
-         */
-        env->exception.vaddress = 0;
-        raise_exception(env, EXCP_PREFETCH_ABORT,
-                        syn_breakpoint(same_el),
-                        arm_debug_target_el(env));
-    }
-}
-
 /* ??? Flag setting arithmetic is awkward because we need to do comparisons.
    The only way to do that in TCG is a conditional branch, which clobbers
    all our temporaries.  For now implement these as helper functions.  */
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Per Peter Maydell:

Semihosting hooks either SVC or HLT instructions, and inside KVM
  both of those go to EL1, ie to the guest, and can't be trapped to
  KVM.

Let check_for_semihosting() return False when not running on TCG.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190701194942.10092-3-philmd@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/Makefile.objs | 2 +-
 target/arm/cpu.h         | 7 +++++++
 target/arm/helper.c      | 8 +++++++-
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/Makefile.objs
+++ b/target/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@
-obj-y += arm-semi.o
+obj-$(CONFIG_TCG) += arm-semi.o
 obj-y += helper.o vfp_helper.o
 obj-y += cpu.o gdbstub.o
 obj-$(TARGET_AARCH64) += cpu64.o gdbstub64.o
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline void aarch64_sve_change_el(CPUARMState *env, int o,
 { }
 #endif
 
+#if !defined(CONFIG_TCG)
+static inline target_ulong do_arm_semihosting(CPUARMState *env)
+{
+    g_assert_not_reached();
+}
+#else
 target_ulong do_arm_semihosting(CPUARMState *env);
+#endif
 void aarch64_sync_32_to_64(CPUARMState *env);
 void aarch64_sync_64_to_32(CPUARMState *env);
 
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/qemu-print.h"
 #include "exec/exec-all.h"
 #include "exec/cpu_ldst.h"
-#include "arm_ldst.h"
 #include <zlib.h> /* For crc32 */
 #include "hw/semihosting/semihost.h"
 #include "sysemu/cpus.h"
@@ -XXX,XX +XXX,XX @@
 #include "qapi/qapi-commands-machine-target.h"
 #include "qapi/error.h"
 #include "qemu/guest-random.h"
+#ifdef CONFIG_TCG
+#include "arm_ldst.h"
+#endif
 
 #define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */
 
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_do_interrupt_aarch64(CPUState *cs)
 
 static inline bool check_for_semihosting(CPUState *cs)
 {
+#ifdef CONFIG_TCG
     /* Check whether this exception is a semihosting call; if so
      * then handle it and return true; otherwise return false.
      */
@@ -XXX,XX +XXX,XX @@ static inline bool check_for_semihosting(CPUState *cs)
         env->regs[0] = do_arm_semihosting(env);
         return true;
     }
+#else
+    return false;
+#endif
 }
 
 /* Handle a CPU exception for A and R profile CPUs.
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

In preparation for supporting TCG disablement on ARM, we move most
of TCG related v7m/v8m helpers and APIs into their own file.

Note: It is easier to review this commit using the 'histogram'
      diff algorithm:

$ git diff --diff-algorithm=histogram ...
  or
    $ git diff --histogram ...

Suggested-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190702144335.10717-2-philmd@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/Makefile.objs |    1 +
 target/arm/helper.c      | 2638 +------------------------------------
 target/arm/m_helper.c    | 2676 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 2681 insertions(+), 2634 deletions(-)
 create mode 100644 target/arm/m_helper.c

diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/Makefile.objs
+++ b/target/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@ obj-y += tlb_helper.o debug_helper.o
 obj-y += translate.o op_helper.o
 obj-y += crypto_helper.o
 obj-y += iwmmxt_helper.o vec_helper.o neon_helper.o
+obj-y += m_helper.o
 
 obj-$(CONFIG_SOFTMMU) += psci.o
 
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/crc32c.h"
 #include "qemu/qemu-print.h"
 #include "exec/exec-all.h"
-#include "exec/cpu_ldst.h"
 #include <zlib.h> /* For crc32 */
 #include "hw/semihosting/semihost.h"
 #include "sysemu/cpus.h"
@@ -XXX,XX +XXX,XX @@
 #include "qemu/guest-random.h"
 #ifdef CONFIG_TCG
 #include "arm_ldst.h"
+#include "exec/cpu_ldst.h"
 #endif
 
 #define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(rbit)(uint32_t x)
 
 #ifdef CONFIG_USER_ONLY
 
-/* These should probably raise undefined insn exceptions.  */
-void HELPER(v7m_msr)(CPUARMState *env, uint32_t reg, uint32_t val)
-{
-    ARMCPU *cpu = env_archcpu(env);
-
-    cpu_abort(CPU(cpu), "v7m_msr %d\n", reg);
-}
-
-uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
-{
-    ARMCPU *cpu = env_archcpu(env);
-
-    cpu_abort(CPU(cpu), "v7m_mrs %d\n", reg);
-    return 0;
-}
-
-void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
-{
-    /* translate.c should never generate calls here in user-only mode */
-    g_assert_not_reached();
-}
-
-void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
-{
-    /* translate.c should never generate calls here in user-only mode */
-    g_assert_not_reached();
-}
-
-void HELPER(v7m_preserve_fp_state)(CPUARMState *env)
-{
-    /* translate.c should never generate calls here in user-only mode */
-    g_assert_not_reached();
-}
-
-void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)
-{
-    /* translate.c should never generate calls here in user-only mode */
-    g_assert_not_reached();
-}
-
-void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)
-{
-    /* translate.c should never generate calls here in user-only mode */
-    g_assert_not_reached();
-}
-
-uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
-{
-    /*
-     * The TT instructions can be used by unprivileged code, but in
-     * user-only emulation we don't have the MPU.
-     * Luckily since we know we are NonSecure unprivileged (and that in
-     * turn means that the A flag wasn't specified), all the bits in the
-     * register must be zero:
-     *  IREGION: 0 because IRVALID is 0
-     *  IRVALID: 0 because NS
-     *  S: 0 because NS
-     *  NSRW: 0 because NS
-     *  NSR: 0 because NS
-     *  RW: 0 because unpriv and A flag not set
-     *  R: 0 because unpriv and A flag not set
-     *  SRVALID: 0 because NS
-     *  MRVALID: 0 because unpriv and A flag not set
-     *  SREGION: 0 becaus SRVALID is 0
-     *  MREGION: 0 because MRVALID is 0
-     */
-    return 0;
-}
-
 static void switch_mode(CPUARMState *env, int mode)
 {
     ARMCPU *cpu = env_archcpu(env);
@@ -XXX,XX +XXX,XX @@ void arm_log_exception(int idx)
     }
 }
 
-/*
- * What kind of stack write are we doing? This affects how exceptions
- * generated during the stacking are treated.
- */
-typedef enum StackingMode {
-    STACK_NORMAL,
-    STACK_IGNFAULTS,
-    STACK_LAZYFP,
-} StackingMode;
-
-static bool v7m_stack_write(ARMCPU *cpu, uint32_t addr, uint32_t value,
-                            ARMMMUIdx mmu_idx, StackingMode mode)
-{
-    CPUState *cs = CPU(cpu);
-    CPUARMState *env = &cpu->env;
-    MemTxAttrs attrs = {};
-    MemTxResult txres;
-    target_ulong page_size;
-    hwaddr physaddr;
-    int prot;
-    ARMMMUFaultInfo fi = {};
-    bool secure = mmu_idx & ARM_MMU_IDX_M_S;
-    int exc;
-    bool exc_secure;
-
-    if (get_phys_addr(env, addr, MMU_DATA_STORE, mmu_idx, &physaddr,
-                      &attrs, &prot, &page_size, &fi, NULL)) {
-        /* MPU/SAU lookup failed */
-        if (fi.type == ARMFault_QEMU_SFault) {
-            if (mode == STACK_LAZYFP) {
-                qemu_log_mask(CPU_LOG_INT,
-                              "...SecureFault with SFSR.LSPERR "
-                              "during lazy stacking\n");
-                env->v7m.sfsr |= R_V7M_SFSR_LSPERR_MASK;
-            } else {
-                qemu_log_mask(CPU_LOG_INT,
-                              "...SecureFault with SFSR.AUVIOL "
-                              "during stacking\n");
-                env->v7m.sfsr |= R_V7M_SFSR_AUVIOL_MASK;
-            }
-            env->v7m.sfsr |= R_V7M_SFSR_SFARVALID_MASK;
-            env->v7m.sfar = addr;
-            exc = ARMV7M_EXCP_SECURE;
-            exc_secure = false;
-        } else {
-            if (mode == STACK_LAZYFP) {
-                qemu_log_mask(CPU_LOG_INT,
-                              "...MemManageFault with CFSR.MLSPERR\n");
-                env->v7m.cfsr[secure] |= R_V7M_CFSR_MLSPERR_MASK;
-            } else {
-                qemu_log_mask(CPU_LOG_INT,
-                              "...MemManageFault with CFSR.MSTKERR\n");
-                env->v7m.cfsr[secure] |= R_V7M_CFSR_MSTKERR_MASK;
-            }
-            exc = ARMV7M_EXCP_MEM;
-            exc_secure = secure;
-        }
-        goto pend_fault;
-    }
-    address_space_stl_le(arm_addressspace(cs, attrs), physaddr, value,
-                         attrs, &txres);
-    if (txres != MEMTX_OK) {
-        /* BusFault trying to write the data */
-        if (mode == STACK_LAZYFP) {
-            qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.LSPERR\n");
-            env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_LSPERR_MASK;
-        } else {
-            qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.STKERR\n");
-            env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_STKERR_MASK;
-        }
-        exc = ARMV7M_EXCP_BUS;
-        exc_secure = false;
-        goto pend_fault;
-    }
-    return true;
-
-pend_fault:
-    /*
-     * By pending the exception at this point we are making
-     * the IMPDEF choice "overridden exceptions pended" (see the
-     * MergeExcInfo() pseudocode). The other choice would be to not
-     * pend them now and then make a choice about which to throw away
-     * later if we have two derived exceptions.
-     * The only case when we must not pend the exception but instead
-     * throw it away is if we are doing the push of the callee registers
-     * and we've already generated a derived exception (this is indicated
-     * by the caller passing STACK_IGNFAULTS). Even in this case we will
-     * still update the fault status registers.
-     */
-    switch (mode) {
-    case STACK_NORMAL:
-        armv7m_nvic_set_pending_derived(env->nvic, exc, exc_secure);
-        break;
-    case STACK_LAZYFP:
-        armv7m_nvic_set_pending_lazyfp(env->nvic, exc, exc_secure);
-        break;
-    case STACK_IGNFAULTS:
-        break;
-    }
-    return false;
-}
-
-static bool v7m_stack_read(ARMCPU *cpu, uint32_t *dest, uint32_t addr,
-                           ARMMMUIdx mmu_idx)
-{
-    CPUState *cs = CPU(cpu);
-    CPUARMState *env = &cpu->env;
-    MemTxAttrs attrs = {};
-    MemTxResult txres;
-    target_ulong page_size;
-    hwaddr physaddr;
-    int prot;
-    ARMMMUFaultInfo fi = {};
-    bool secure = mmu_idx & ARM_MMU_IDX_M_S;
-    int exc;
-    bool exc_secure;
-    uint32_t value;
-
-    if (get_phys_addr(env, addr, MMU_DATA_LOAD, mmu_idx, &physaddr,
-                      &attrs, &prot, &page_size, &fi, NULL)) {
-        /* MPU/SAU lookup failed */
-        if (fi.type == ARMFault_QEMU_SFault) {
-            qemu_log_mask(CPU_LOG_INT,
-                          "...SecureFault with SFSR.AUVIOL during unstack\n");
-            env->v7m.sfsr |= R_V7M_SFSR_AUVIOL_MASK | R_V7M_SFSR_SFARVALID_MASK;
-            env->v7m.sfar = addr;
-            exc = ARMV7M_EXCP_SECURE;
-            exc_secure = false;
-        } else {
-            qemu_log_mask(CPU_LOG_INT,
-                          "...MemManageFault with CFSR.MUNSTKERR\n");
-            env->v7m.cfsr[secure] |= R_V7M_CFSR_MUNSTKERR_MASK;
-            exc = ARMV7M_EXCP_MEM;
-            exc_secure = secure;
-        }
-        goto pend_fault;
-    }
-
-    value = address_space_ldl(arm_addressspace(cs, attrs), physaddr,
-                              attrs, &txres);
-    if (txres != MEMTX_OK) {
-        /* BusFault trying to read the data */
-        qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.UNSTKERR\n");
-        env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_UNSTKERR_MASK;
-        exc = ARMV7M_EXCP_BUS;
-        exc_secure = false;
-        goto pend_fault;
-    }
-
-    *dest = value;
-    return true;
-
-pend_fault:
-    /*
-     * By pending the exception at this point we are making
-     * the IMPDEF choice "overridden exceptions pended" (see the
-     * MergeExcInfo() pseudocode). The other choice would be to not
-     * pend them now and then make a choice about which to throw away
-     * later if we have two derived exceptions.
-     */
-    armv7m_nvic_set_pending(env->nvic, exc, exc_secure);
-    return false;
-}
-
-void HELPER(v7m_preserve_fp_state)(CPUARMState *env)
-{
-    /*
-     * Preserve FP state (because LSPACT was set and we are about
-     * to execute an FP instruction). This corresponds to the
-     * PreserveFPState() pseudocode.
-     * We may throw an exception if the stacking fails.
-     */
-    ARMCPU *cpu = env_archcpu(env);
-    bool is_secure = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK;
-    bool negpri = !(env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_HFRDY_MASK);
-    bool is_priv = !(env->v7m.fpccr[is_secure] & R_V7M_FPCCR_USER_MASK);
-    bool splimviol = env->v7m.fpccr[is_secure] & R_V7M_FPCCR_SPLIMVIOL_MASK;
-    uint32_t fpcar = env->v7m.fpcar[is_secure];
-    bool stacked_ok = true;
-    bool ts = is_secure && (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK);
-    bool take_exception;
-
-    /* Take the iothread lock as we are going to touch the NVIC */
-    qemu_mutex_lock_iothread();
-
-    /* Check the background context had access to the FPU */
-    if (!v7m_cpacr_pass(env, is_secure, is_priv)) {
-        armv7m_nvic_set_pending_lazyfp(env->nvic, ARMV7M_EXCP_USAGE, is_secure);
-        env->v7m.cfsr[is_secure] |= R_V7M_CFSR_NOCP_MASK;
-        stacked_ok = false;
-    } else if (!is_secure && !extract32(env->v7m.nsacr, 10, 1)) {
-        armv7m_nvic_set_pending_lazyfp(env->nvic, ARMV7M_EXCP_USAGE, M_REG_S);
-        env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_NOCP_MASK;
-        stacked_ok = false;
-    }
-
-    if (!splimviol && stacked_ok) {
-        /* We only stack if the stack limit wasn't violated */
-        int i;
-        ARMMMUIdx mmu_idx;
-
-        mmu_idx = arm_v7m_mmu_idx_all(env, is_secure, is_priv, negpri);
-        for (i = 0; i < (ts ? 32 : 16); i += 2) {
-            uint64_t dn = *aa32_vfp_dreg(env, i / 2);
-            uint32_t faddr = fpcar + 4 * i;
-            uint32_t slo = extract64(dn, 0, 32);
-            uint32_t shi = extract64(dn, 32, 32);
-
-            if (i >= 16) {
-                faddr += 8; /* skip the slot for the FPSCR */
-            }
-            stacked_ok = stacked_ok &&
-                v7m_stack_write(cpu, faddr, slo, mmu_idx, STACK_LAZYFP) &&
-                v7m_stack_write(cpu, faddr + 4, shi, mmu_idx, STACK_LAZYFP);
-        }
-
-        stacked_ok = stacked_ok &&
-            v7m_stack_write(cpu, fpcar + 0x40,
-                            vfp_get_fpscr(env), mmu_idx, STACK_LAZYFP);
-    }
-
-    /*
-     * We definitely pended an exception, but it's possible that it
-     * might not be able to be taken now. If its priority permits us
-     * to take it now, then we must not update the LSPACT or FP regs,
-     * but instead jump out to take the exception immediately.
-     * If it's just pending and won't be taken until the current
-     * handler exits, then we do update LSPACT and the FP regs.
-     */
-    take_exception = !stacked_ok &&
-        armv7m_nvic_can_take_pending_exception(env->nvic);
-
-    qemu_mutex_unlock_iothread();
-
-    if (take_exception) {
-        raise_exception_ra(env, EXCP_LAZYFP, 0, 1, GETPC());
-    }
-
-    env->v7m.fpccr[is_secure] &= ~R_V7M_FPCCR_LSPACT_MASK;
-
-    if (ts) {
-        /* Clear s0 to s31 and the FPSCR */
-        int i;
-
-        for (i = 0; i < 32; i += 2) {
-            *aa32_vfp_dreg(env, i / 2) = 0;
-        }
-        vfp_set_fpscr(env, 0);
-    }
-    /*
-     * Otherwise s0 to s15 and FPSCR are UNKNOWN; we choose to leave them
-     * unchanged.
-     */
-}
-
-/*
- * Write to v7M CONTROL.SPSEL bit for the specified security bank.
- * This may change the current stack pointer between Main and Process
- * stack pointers if it is done for the CONTROL register for the current
- * security state.
- */
-static void write_v7m_control_spsel_for_secstate(CPUARMState *env,
-                                                 bool new_spsel,
-                                                 bool secstate)
-{
-    bool old_is_psp = v7m_using_psp(env);
-
-    env->v7m.control[secstate] =
-        deposit32(env->v7m.control[secstate],
-                  R_V7M_CONTROL_SPSEL_SHIFT,
-                  R_V7M_CONTROL_SPSEL_LENGTH, new_spsel);
-
-    if (secstate == env->v7m.secure) {
-        bool new_is_psp = v7m_using_psp(env);
-        uint32_t tmp;
-
-        if (old_is_psp != new_is_psp) {
-            tmp = env->v7m.other_sp;
-            env->v7m.other_sp = env->regs[13];
-            env->regs[13] = tmp;
-        }
-    }
-}
-
-/*
- * Write to v7M CONTROL.SPSEL bit. This may change the current
- * stack pointer between Main and Process stack pointers.
- */
-static void write_v7m_control_spsel(CPUARMState *env, bool new_spsel)
-{
-    write_v7m_control_spsel_for_secstate(env, new_spsel, env->v7m.secure);
-}
-
-void write_v7m_exception(CPUARMState *env, uint32_t new_exc)
-{
-    /*
-     * Write a new value to v7m.exception, thus transitioning into or out
-     * of Handler mode; this may result in a change of active stack pointer.
-     */
-    bool new_is_psp, old_is_psp = v7m_using_psp(env);
-    uint32_t tmp;
-
-    env->v7m.exception = new_exc;
-
-    new_is_psp = v7m_using_psp(env);
-
-    if (old_is_psp != new_is_psp) {
-        tmp = env->v7m.other_sp;
-        env->v7m.other_sp = env->regs[13];
-        env->regs[13] = tmp;
-    }
-}
-
-/* Switch M profile security state between NS and S */
-static void switch_v7m_security_state(CPUARMState *env, bool new_secstate)
-{
-    uint32_t new_ss_msp, new_ss_psp;
-
-    if (env->v7m.secure == new_secstate) {
-        return;
-    }
-
-    /*
-     * All the banked state is accessed by looking at env->v7m.secure
-     * except for the stack pointer; rearrange the SP appropriately.
-     */
-    new_ss_msp = env->v7m.other_ss_msp;
-    new_ss_psp = env->v7m.other_ss_psp;
-
-    if (v7m_using_psp(env)) {
-        env->v7m.other_ss_psp = env->regs[13];
-        env->v7m.other_ss_msp = env->v7m.other_sp;
-    } else {
-        env->v7m.other_ss_msp = env->regs[13];
-        env->v7m.other_ss_psp = env->v7m.other_sp;
-    }
-
-    env->v7m.secure = new_secstate;
-
-    if (v7m_using_psp(env)) {
-        env->regs[13] = new_ss_psp;
-        env->v7m.other_sp = new_ss_msp;
-    } else {
-        env->regs[13] = new_ss_msp;
-        env->v7m.other_sp = new_ss_psp;
-    }
-}
-
-void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
-{
-    /*
-     * Handle v7M BXNS:
-     *  - if the return value is a magic value, do exception return (like BX)
-     *  - otherwise bit 0 of the return value is the target security state
-     */
-    uint32_t min_magic;
-
-    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
-        /* Covers FNC_RETURN and EXC_RETURN magic */
-        min_magic = FNC_RETURN_MIN_MAGIC;
-    } else {
-        /* EXC_RETURN magic only */
-        min_magic = EXC_RETURN_MIN_MAGIC;
-    }
-
-    if (dest >= min_magic) {
-        /*
-         * This is an exception return magic value; put it where
-         * do_v7m_exception_exit() expects and raise EXCEPTION_EXIT.
-         * Note that if we ever add gen_ss_advance() singlestep support to
-         * M profile this should count as an "instruction execution complete"
-         * event (compare gen_bx_excret_final_code()).
-         */
-        env->regs[15] = dest & ~1;
-        env->thumb = dest & 1;
-        HELPER(exception_internal)(env, EXCP_EXCEPTION_EXIT);
-        /* notreached */
-    }
-
-    /* translate.c should have made BXNS UNDEF unless we're secure */
-    assert(env->v7m.secure);
-
-    if (!(dest & 1)) {
-        env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
-    }
-    switch_v7m_security_state(env, dest & 1);
-    env->thumb = 1;
-    env->regs[15] = dest & ~1;
-}
-
-void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
-{
-    /*
-     * Handle v7M BLXNS:
-     *  - bit 0 of the destination address is the target security state
-     */
-
-    /* At this point regs[15] is the address just after the BLXNS */
-    uint32_t nextinst = env->regs[15] | 1;
-    uint32_t sp = env->regs[13] - 8;
-    uint32_t saved_psr;
-
-    /* translate.c will have made BLXNS UNDEF unless we're secure */
-    assert(env->v7m.secure);
-
-    if (dest & 1) {
-        /*
-         * Target is Secure, so this is just a normal BLX,
-         * except that the low bit doesn't indicate Thumb/not.
-         */
-        env->regs[14] = nextinst;
-        env->thumb = 1;
-        env->regs[15] = dest & ~1;
-        return;
-    }
-
-    /* Target is non-secure: first push a stack frame */
-    if (!QEMU_IS_ALIGNED(sp, 8)) {
-        qemu_log_mask(LOG_GUEST_ERROR,
-                      "BLXNS with misaligned SP is UNPREDICTABLE\n");
-    }
-
-    if (sp < v7m_sp_limit(env)) {
-        raise_exception(env, EXCP_STKOF, 0, 1);
-    }
-
-    saved_psr = env->v7m.exception;
-    if (env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK) {
-        saved_psr |= XPSR_SFPA;
-    }
-
-    /* Note that these stores can throw exceptions on MPU faults */
-    cpu_stl_data(env, sp, nextinst);
-    cpu_stl_data(env, sp + 4, saved_psr);
-
-    env->regs[13] = sp;
-    env->regs[14] = 0xfeffffff;
-    if (arm_v7m_is_handler_mode(env)) {
-        /*
-         * Write a dummy value to IPSR, to avoid leaking the current secure
-         * exception number to non-secure code. This is guaranteed not
-         * to cause write_v7m_exception() to actually change stacks.
-         */
-        write_v7m_exception(env, 1);
-    }
-    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
-    switch_v7m_security_state(env, 0);
-    env->thumb = 1;
-    env->regs[15] = dest;
-}
-
-static uint32_t *get_v7m_sp_ptr(CPUARMState *env, bool secure, bool threadmode,
-                                bool spsel)
-{
-    /*
-     * Return a pointer to the location where we currently store the
-     * stack pointer for the requested security state and thread mode.
-     * This pointer will become invalid if the CPU state is updated
-     * such that the stack pointers are switched around (eg changing
-     * the SPSEL control bit).
-     * Compare the v8M ARM ARM pseudocode LookUpSP_with_security_mode().
-     * Unlike that pseudocode, we require the caller to pass us in the
-     * SPSEL control bit value; this is because we also use this
-     * function in handling of pushing of the callee-saves registers
-     * part of the v8M stack frame (pseudocode PushCalleeStack()),
-     * and in the tailchain codepath the SPSEL bit comes from the exception
-     * return magic LR value from the previous exception. The pseudocode
-     * opencodes the stack-selection in PushCalleeStack(), but we prefer
-     * to make this utility function generic enough to do the job.
-     */
-    bool want_psp = threadmode && spsel;
-
-    if (secure == env->v7m.secure) {
-        if (want_psp == v7m_using_psp(env)) {
-            return &env->regs[13];
-        } else {
-            return &env->v7m.other_sp;
-        }
-    } else {
-        if (want_psp) {
-            return &env->v7m.other_ss_psp;
-        } else {
-            return &env->v7m.other_ss_msp;
-        }
-    }
-}
-
-static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
-                                uint32_t *pvec)
-{
-    CPUState *cs = CPU(cpu);
-    CPUARMState *env = &cpu->env;
-    MemTxResult result;
-    uint32_t addr = env->v7m.vecbase[targets_secure] + exc * 4;
-    uint32_t vector_entry;
-    MemTxAttrs attrs = {};
-    ARMMMUIdx mmu_idx;
-    bool exc_secure;
-
-    mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, targets_secure, true);
-
-    /*
-     * We don't do a get_phys_addr() here because the rules for vector
-     * loads are special: they always use the default memory map, and
-     * the default memory map permits reads from all addresses.
-     * Since there's no easy way to pass through to pmsav8_mpu_lookup()
-     * that we want this special case which would always say "yes",
-     * we just do the SAU lookup here followed by a direct physical load.
-     */
-    attrs.secure = targets_secure;
-    attrs.user = false;
-
-    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
-        V8M_SAttributes sattrs = {};
-
-        v8m_security_lookup(env, addr, MMU_DATA_LOAD, mmu_idx, &sattrs);
-        if (sattrs.ns) {
-            attrs.secure = false;
-        } else if (!targets_secure) {
-            /* NS access to S memory */
-            goto load_fail;
-        }
-    }
-
-    vector_entry = address_space_ldl(arm_addressspace(cs, attrs), addr,
-                                     attrs, &result);
-    if (result != MEMTX_OK) {
-        goto load_fail;
-    }
-    *pvec = vector_entry;
-    return true;
-
-load_fail:
-    /*
-     * All vector table fetch fails are reported as HardFault, with
-     * HFSR.VECTTBL and .FORCED set. (FORCED is set because
-     * technically the underlying exception is a MemManage or BusFault
-     * that is escalated to HardFault.) This is a terminal exception,
-     * so we will either take the HardFault immediately or else enter
-     * lockup (the latter case is handled in armv7m_nvic_set_pending_derived()).
-     */
-    exc_secure = targets_secure ||
-        !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
-    env->v7m.hfsr |= R_V7M_HFSR_VECTTBL_MASK | R_V7M_HFSR_FORCED_MASK;
-    armv7m_nvic_set_pending_derived(env->nvic, ARMV7M_EXCP_HARD, exc_secure);
-    return false;
-}
-
-static uint32_t v7m_integrity_sig(CPUARMState *env, uint32_t lr)
-{
-    /*
-     * Return the integrity signature value for the callee-saves
-     * stack frame section. @lr is the exception return payload/LR value
-     * whose FType bit forms bit 0 of the signature if FP is present.
-     */
-    uint32_t sig = 0xfefa125a;
-
-    if (!arm_feature(env, ARM_FEATURE_VFP) || (lr & R_V7M_EXCRET_FTYPE_MASK)) {
-        sig |= 1;
-    }
-    return sig;
-}
-
-static bool v7m_push_callee_stack(ARMCPU *cpu, uint32_t lr, bool dotailchain,
-                                  bool ignore_faults)
-{
-    /*
-     * For v8M, push the callee-saves register part of the stack frame.
-     * Compare the v8M pseudocode PushCalleeStack().
-     * In the tailchaining case this may not be the current stack.
-     */
-    CPUARMState *env = &cpu->env;
-    uint32_t *frame_sp_p;
-    uint32_t frameptr;
-    ARMMMUIdx mmu_idx;
-    bool stacked_ok;
-    uint32_t limit;
-    bool want_psp;
-    uint32_t sig;
-    StackingMode smode = ignore_faults ? STACK_IGNFAULTS : STACK_NORMAL;
-
-    if (dotailchain) {
-        bool mode = lr & R_V7M_EXCRET_MODE_MASK;
-        bool priv = !(env->v7m.control[M_REG_S] & R_V7M_CONTROL_NPRIV_MASK) ||
-            !mode;
-
-        mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, M_REG_S, priv);
-        frame_sp_p = get_v7m_sp_ptr(env, M_REG_S, mode,
-                                    lr & R_V7M_EXCRET_SPSEL_MASK);
-        want_psp = mode && (lr & R_V7M_EXCRET_SPSEL_MASK);
-        if (want_psp) {
-            limit = env->v7m.psplim[M_REG_S];
-        } else {
-            limit = env->v7m.msplim[M_REG_S];
-        }
-    } else {
-        mmu_idx = arm_mmu_idx(env);
-        frame_sp_p = &env->regs[13];
-        limit = v7m_sp_limit(env);
-    }
-
-    frameptr = *frame_sp_p - 0x28;
-    if (frameptr < limit) {
-        /*
-         * Stack limit failure: set SP to the limit value, and generate
-         * STKOF UsageFault. Stack pushes below the limit must not be
-         * performed. It is IMPDEF whether pushes above the limit are
-         * performed; we choose not to.
-         */
-        qemu_log_mask(CPU_LOG_INT,
-                      "...STKOF during callee-saves register stacking\n");
-        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
-                                env->v7m.secure);
-        *frame_sp_p = limit;
-        return true;
-    }
-
-    /*
-     * Write as much of the stack frame as we can. A write failure may
-     * cause us to pend a derived exception.
-     */
-    sig = v7m_integrity_sig(env, lr);
-    stacked_ok =
-        v7m_stack_write(cpu, frameptr, sig, mmu_idx, smode) &&
-        v7m_stack_write(cpu, frameptr + 0x8, env->regs[4], mmu_idx, smode) &&
-        v7m_stack_write(cpu, frameptr + 0xc, env->regs[5], mmu_idx, smode) &&
-        v7m_stack_write(cpu, frameptr + 0x10, env->regs[6], mmu_idx, smode) &&
-        v7m_stack_write(cpu, frameptr + 0x14, env->regs[7], mmu_idx, smode) &&
-        v7m_stack_write(cpu, frameptr + 0x18, env->regs[8], mmu_idx, smode) &&
-        v7m_stack_write(cpu, frameptr + 0x1c, env->regs[9], mmu_idx, smode) &&
-        v7m_stack_write(cpu, frameptr + 0x20, env->regs[10], mmu_idx, smode) &&
-        v7m_stack_write(cpu, frameptr + 0x24, env->regs[11], mmu_idx, smode);
-
-    /* Update SP regardless of whether any of the stack accesses failed. */
-    *frame_sp_p = frameptr;
-
-    return !stacked_ok;
-}
-
-static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
-                                bool ignore_stackfaults)
-{
-    /*
-     * Do the "take the exception" parts of exception entry,
-     * but not the pushing of state to the stack. This is
-     * similar to the pseudocode ExceptionTaken() function.
-     */
-    CPUARMState *env = &cpu->env;
-    uint32_t addr;
-    bool targets_secure;
-    int exc;
-    bool push_failed = false;
-
-    armv7m_nvic_get_pending_irq_info(env->nvic, &exc, &targets_secure);
-    qemu_log_mask(CPU_LOG_INT, "...taking pending %s exception %d\n",
-                  targets_secure ? "secure" : "nonsecure", exc);
-
-    if (dotailchain) {
-        /* Sanitize LR FType and PREFIX bits */
-        if (!arm_feature(env, ARM_FEATURE_VFP)) {
-            lr |= R_V7M_EXCRET_FTYPE_MASK;
-        }
-        lr = deposit32(lr, 24, 8, 0xff);
-    }
-
-    if (arm_feature(env, ARM_FEATURE_V8)) {
-        if (arm_feature(env, ARM_FEATURE_M_SECURITY) &&
-            (lr & R_V7M_EXCRET_S_MASK)) {
-            /*
-             * The background code (the owner of the registers in the
-             * exception frame) is Secure. This means it may either already
-             * have or now needs to push callee-saves registers.
-             */
-            if (targets_secure) {
-                if (dotailchain && !(lr & R_V7M_EXCRET_ES_MASK)) {
-                    /*
-                     * We took an exception from Secure to NonSecure
-                     * (which means the callee-saved registers got stacked)
-                     * and are now tailchaining to a Secure exception.
-                     * Clear DCRS so eventual return from this Secure
-                     * exception unstacks the callee-saved registers.
-                     */
-                    lr &= ~R_V7M_EXCRET_DCRS_MASK;
-                }
-            } else {
-                /*
-                 * We're going to a non-secure exception; push the
-                 * callee-saves registers to the stack now, if they're
-                 * not already saved.
-                 */
-                if (lr & R_V7M_EXCRET_DCRS_MASK &&
-                    !(dotailchain && !(lr & R_V7M_EXCRET_ES_MASK))) {
-                    push_failed = v7m_push_callee_stack(cpu, lr, dotailchain,
-                                                        ignore_stackfaults);
-                }
-                lr |= R_V7M_EXCRET_DCRS_MASK;
-            }
-        }
-
-        lr &= ~R_V7M_EXCRET_ES_MASK;
-        if (targets_secure || !arm_feature(env, ARM_FEATURE_M_SECURITY)) {
-            lr |= R_V7M_EXCRET_ES_MASK;
-        }
-        lr &= ~R_V7M_EXCRET_SPSEL_MASK;
-        if (env->v7m.control[targets_secure] & R_V7M_CONTROL_SPSEL_MASK) {
-            lr |= R_V7M_EXCRET_SPSEL_MASK;
-        }
-
-        /*
-         * Clear registers if necessary to prevent non-secure exception
-         * code being able to see register values from secure code.
-         * Where register values become architecturally UNKNOWN we leave
-         * them with their previous values.
-         */
-        if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
-            if (!targets_secure) {
-                /*
-                 * Always clear the caller-saved registers (they have been
-                 * pushed to the stack earlier in v7m_push_stack()).
-                 * Clear callee-saved registers if the background code is
-                 * Secure (in which case these regs were saved in
-                 * v7m_push_callee_stack()).
-                 */
-                int i;
-
-                for (i = 0; i < 13; i++) {
-                    /* r4..r11 are callee-saves, zero only if EXCRET.S == 1 */
-                    if (i < 4 || i > 11 || (lr & R_V7M_EXCRET_S_MASK)) {
-                        env->regs[i] = 0;
-                    }
-                }
-                /* Clear EAPSR */
-                xpsr_write(env, 0, XPSR_NZCV | XPSR_Q | XPSR_GE | XPSR_IT);
-            }
-        }
-    }
-
-    if (push_failed && !ignore_stackfaults) {
-        /*
-         * Derived exception on callee-saves register stacking:
-         * we might now want to take a different exception which
-         * targets a different security state, so try again from the top.
-         */
-        qemu_log_mask(CPU_LOG_INT,
-                      "...derived exception on callee-saves register stacking");
-        v7m_exception_taken(cpu, lr, true, true);
-        return;
-    }
-
-    if (!arm_v7m_load_vector(cpu, exc, targets_secure, &addr)) {
-        /* Vector load failed: derived exception */
-        qemu_log_mask(CPU_LOG_INT, "...derived exception on vector table load");
-        v7m_exception_taken(cpu, lr, true, true);
-        return;
-    }
-
-    /*
-     * Now we've done everything that might cause a derived exception
-     * we can go ahead and activate whichever exception we're going to
-     * take (which might now be the derived exception).
-     */
-    armv7m_nvic_acknowledge_irq(env->nvic);
-
-    /* Switch to target security state -- must do this before writing SPSEL */
-    switch_v7m_security_state(env, targets_secure);
-    write_v7m_control_spsel(env, 0);
-    arm_clear_exclusive(env);
-    /* Clear SFPA and FPCA (has no effect if no FPU) */
-    env->v7m.control[M_REG_S] &=
-        ~(R_V7M_CONTROL_FPCA_MASK | R_V7M_CONTROL_SFPA_MASK);
-    /* Clear IT bits */
-    env->condexec_bits = 0;
-    env->regs[14] = lr;
-    env->regs[15] = addr & 0xfffffffe;
-    env->thumb = addr & 1;
-}
-
-static void v7m_update_fpccr(CPUARMState *env, uint32_t frameptr,
-                             bool apply_splim)
-{
-    /*
-     * Like the pseudocode UpdateFPCCR: save state in FPCAR and FPCCR
-     * that we will need later in order to do lazy FP reg stacking.
-     */
-    bool is_secure = env->v7m.secure;
-    void *nvic = env->nvic;
-    /*
-     * Some bits are unbanked and live always in fpccr[M_REG_S]; some bits
-     * are banked and we want to update the bit in the bank for the
-     * current security state; and in one case we want to specifically
-     * update the NS banked version of a bit even if we are secure.
-     */
-    uint32_t *fpccr_s = &env->v7m.fpccr[M_REG_S];
-    uint32_t *fpccr_ns = &env->v7m.fpccr[M_REG_NS];
-    uint32_t *fpccr = &env->v7m.fpccr[is_secure];
-    bool hfrdy, bfrdy, mmrdy, ns_ufrdy, s_ufrdy, sfrdy, monrdy;
-
-    env->v7m.fpcar[is_secure] = frameptr & ~0x7;
-
-    if (apply_splim && arm_feature(env, ARM_FEATURE_V8)) {
-        bool splimviol;
-        uint32_t splim = v7m_sp_limit(env);
-        bool ign = armv7m_nvic_neg_prio_requested(nvic, is_secure) &&
-            (env->v7m.ccr[is_secure] & R_V7M_CCR_STKOFHFNMIGN_MASK);
-
-        splimviol = !ign && frameptr < splim;
-        *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, SPLIMVIOL, splimviol);
-    }
-
-    *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, LSPACT, 1);
-
-    *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, S, is_secure);
-
-    *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, USER, arm_current_el(env) == 0);
-
-    *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, THREAD,
-                        !arm_v7m_is_handler_mode(env));
-
-    hfrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_HARD, false);
-    *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, HFRDY, hfrdy);
-
-    bfrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_BUS, false);
-    *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, BFRDY, bfrdy);
-
-    mmrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_MEM, is_secure);
-    *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, MMRDY, mmrdy);
-
-    ns_ufrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_USAGE, false);
-    *fpccr_ns = FIELD_DP32(*fpccr_ns, V7M_FPCCR, UFRDY, ns_ufrdy);
-
-    monrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_DEBUG, false);
-    *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, MONRDY, monrdy);
-
-    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
-        s_ufrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_USAGE, true);
-        *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, UFRDY, s_ufrdy);
-
-        sfrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_SECURE, false);
-        *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, SFRDY, sfrdy);
-    }
-}
-
-void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)
-{
-    /* fptr is the value of Rn, the frame pointer we store the FP regs to */
-    bool s = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK;
-    bool lspact = env->v7m.fpccr[s] & R_V7M_FPCCR_LSPACT_MASK;
-
-    assert(env->v7m.secure);
-
-    if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK)) {
-        return;
-    }
-
-    /* Check access to the coprocessor is permitted */
-    if (!v7m_cpacr_pass(env, true, arm_current_el(env) != 0)) {
-        raise_exception_ra(env, EXCP_NOCP, 0, 1, GETPC());
-    }
-
-    if (lspact) {
-        /* LSPACT should not be active when there is active FP state */
-        raise_exception_ra(env, EXCP_LSERR, 0, 1, GETPC());
-    }
-
-    if (fptr & 7) {
-        raise_exception_ra(env, EXCP_UNALIGNED, 0, 1, GETPC());
-    }
-
-    /*
-     * Note that we do not use v7m_stack_write() here, because the
-     * accesses should not set the FSR bits for stacking errors if they
-     * fail. (In pseudocode terms, they are AccType_NORMAL, not AccType_STACK
-     * or AccType_LAZYFP). Faults in cpu_stl_data() will throw exceptions
-     * and longjmp out.
-     */
-    if (!(env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPEN_MASK)) {
-        bool ts = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK;
-        int i;
-
-        for (i = 0; i < (ts ? 32 : 16); i += 2) {
-            uint64_t dn = *aa32_vfp_dreg(env, i / 2);
-            uint32_t faddr = fptr + 4 * i;
-            uint32_t slo = extract64(dn, 0, 32);
-            uint32_t shi = extract64(dn, 32, 32);
-
-            if (i >= 16) {
-                faddr += 8; /* skip the slot for the FPSCR */
-            }
-            cpu_stl_data(env, faddr, slo);
-            cpu_stl_data(env, faddr + 4, shi);
-        }
-        cpu_stl_data(env, fptr + 0x40, vfp_get_fpscr(env));
-
-        /*
-         * If TS is 0 then s0 to s15 and FPSCR are UNKNOWN; we choose to
-         * leave them unchanged, matching our choice in v7m_preserve_fp_state.
-         */
-        if (ts) {
-            for (i = 0; i < 32; i += 2) {
-                *aa32_vfp_dreg(env, i / 2) = 0;
-            }
-            vfp_set_fpscr(env, 0);
-        }
-    } else {
-        v7m_update_fpccr(env, fptr, false);
-    }
-
-    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_FPCA_MASK;
-}
-
-void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)
-{
-    /* fptr is the value of Rn, the frame pointer we load the FP regs from */
-    assert(env->v7m.secure);
-
-    if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK)) {
-        return;
-    }
-
-    /* Check access to the coprocessor is permitted */
-    if (!v7m_cpacr_pass(env, true, arm_current_el(env) != 0)) {
-        raise_exception_ra(env, EXCP_NOCP, 0, 1, GETPC());
-    }
-
-    if (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPACT_MASK) {
-        /* State in FP is still valid */
-        env->v7m.fpccr[M_REG_S] &= ~R_V7M_FPCCR_LSPACT_MASK;
-    } else {
-        bool ts = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK;
-        int i;
-        uint32_t fpscr;
-
-        if (fptr & 7) {
-            raise_exception_ra(env, EXCP_UNALIGNED, 0, 1, GETPC());
-        }
-
-        for (i = 0; i < (ts ? 32 : 16); i += 2) {
-            uint32_t slo, shi;
-            uint64_t dn;
-            uint32_t faddr = fptr + 4 * i;
-
-            if (i >= 16) {
-                faddr += 8; /* skip the slot for the FPSCR */
-            }
-
-            slo = cpu_ldl_data(env, faddr);
-            shi = cpu_ldl_data(env, faddr + 4);
-
-            dn = (uint64_t) shi << 32 | slo;
-            *aa32_vfp_dreg(env, i / 2) = dn;
-        }
-        fpscr = cpu_ldl_data(env, fptr + 0x40);
-        vfp_set_fpscr(env, fpscr);
-    }
-
-    env->v7m.control[M_REG_S] |= R_V7M_CONTROL_FPCA_MASK;
-}
-
-static bool v7m_push_stack(ARMCPU *cpu)
-{
-    /*
-     * Do the "set up stack frame" part of exception entry,
-     * similar to pseudocode PushStack().
-     * Return true if we generate a derived exception (and so
-     * should ignore further stack faults trying to process
-     * that derived exception.)
-     */
-    bool stacked_ok = true, limitviol = false;
-    CPUARMState *env = &cpu->env;
-    uint32_t xpsr = xpsr_read(env);
-    uint32_t frameptr = env->regs[13];
-    ARMMMUIdx mmu_idx = arm_mmu_idx(env);
-    uint32_t framesize;
-    bool nsacr_cp10 = extract32(env->v7m.nsacr, 10, 1);
-
-    if ((env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK) &&
-        (env->v7m.secure || nsacr_cp10)) {
-        if (env->v7m.secure &&
-            env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK) {
-            framesize = 0xa8;
-        } else {
-            framesize = 0x68;
-        }
-    } else {
-        framesize = 0x20;
-    }
-
-    /* Align stack pointer if the guest wants that */
-    if ((frameptr & 4) &&
-        (env->v7m.ccr[env->v7m.secure] & R_V7M_CCR_STKALIGN_MASK)) {
-        frameptr -= 4;
-        xpsr |= XPSR_SPREALIGN;
-    }
-
-    xpsr &= ~XPSR_SFPA;
-    if (env->v7m.secure &&
-        (env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK)) {
-        xpsr |= XPSR_SFPA;
-    }
-
-    frameptr -= framesize;
-
-    if (arm_feature(env, ARM_FEATURE_V8)) {
-        uint32_t limit = v7m_sp_limit(env);
-
-        if (frameptr < limit) {
-            /*
-             * Stack limit failure: set SP to the limit value, and generate
-             * STKOF UsageFault. Stack pushes below the limit must not be
-             * performed. It is IMPDEF whether pushes above the limit are
-             * performed; we choose not to.
-             */
-            qemu_log_mask(CPU_LOG_INT,
-                          "...STKOF during stacking\n");
-            env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;
-            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
-                                    env->v7m.secure);
-            env->regs[13] = limit;
-            /*
-             * We won't try to perform any further memory accesses but
-             * we must continue through the following code to check for
-             * permission faults during FPU state preservation, and we
-             * must update FPCCR if lazy stacking is enabled.
-             */
-            limitviol = true;
-            stacked_ok = false;
-        }
-    }
-
-    /*
-     * Write as much of the stack frame as we can. If we fail a stack
-     * write this will result in a derived exception being pended
-     * (which may be taken in preference to the one we started with
-     * if it has higher priority).
-     */
-    stacked_ok = stacked_ok &&
-        v7m_stack_write(cpu, frameptr, env->regs[0], mmu_idx, STACK_NORMAL) &&
-        v7m_stack_write(cpu, frameptr + 4, env->regs[1],
-                        mmu_idx, STACK_NORMAL) &&
-        v7m_stack_write(cpu, frameptr + 8, env->regs[2],
-                        mmu_idx, STACK_NORMAL) &&
-        v7m_stack_write(cpu, frameptr + 12, env->regs[3],
-                        mmu_idx, STACK_NORMAL) &&
-        v7m_stack_write(cpu, frameptr + 16, env->regs[12],
-                        mmu_idx, STACK_NORMAL) &&
-        v7m_stack_write(cpu, frameptr + 20, env->regs[14],
-                        mmu_idx, STACK_NORMAL) &&
-        v7m_stack_write(cpu, frameptr + 24, env->regs[15],
-                        mmu_idx, STACK_NORMAL) &&
-        v7m_stack_write(cpu, frameptr + 28, xpsr, mmu_idx, STACK_NORMAL);
-
-    if (env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK) {
-        /* FPU is active, try to save its registers */
-        bool fpccr_s = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK;
-        bool lspact = env->v7m.fpccr[fpccr_s] & R_V7M_FPCCR_LSPACT_MASK;
-
-        if (lspact && arm_feature(env, ARM_FEATURE_M_SECURITY)) {
-            qemu_log_mask(CPU_LOG_INT,
-                          "...SecureFault because LSPACT and FPCA both set\n");
-            env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
-            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
-        } else if (!env->v7m.secure && !nsacr_cp10) {
-            qemu_log_mask(CPU_LOG_INT,
-                          "...Secure UsageFault with CFSR.NOCP because "
-                          "NSACR.CP10 prevents stacking FP regs\n");
-            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, M_REG_S);
-            env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_NOCP_MASK;
-        } else {
-            if (!(env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPEN_MASK)) {
-                /* Lazy stacking disabled, save registers now */
-                int i;
-                bool cpacr_pass = v7m_cpacr_pass(env, env->v7m.secure,
-                                                 arm_current_el(env) != 0);
-
-                if (stacked_ok && !cpacr_pass) {
-                    /*
-                     * Take UsageFault if CPACR forbids access. The pseudocode
-                     * here does a full CheckCPEnabled() but we know the NSACR
-                     * check can never fail as we have already handled that.
-                     */
-                    qemu_log_mask(CPU_LOG_INT,
-                                  "...UsageFault with CFSR.NOCP because "
-                                  "CPACR.CP10 prevents stacking FP regs\n");
-                    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
-                                            env->v7m.secure);
-                    env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_NOCP_MASK;
-                    stacked_ok = false;
-                }
-
-                for (i = 0; i < ((framesize == 0xa8) ? 32 : 16); i += 2) {
-                    uint64_t dn = *aa32_vfp_dreg(env, i / 2);
-                    uint32_t faddr = frameptr + 0x20 + 4 * i;
-                    uint32_t slo = extract64(dn, 0, 32);
-                    uint32_t shi = extract64(dn, 32, 32);
-
-                    if (i >= 16) {
-                        faddr += 8; /* skip the slot for the FPSCR */
-                    }
-                    stacked_ok = stacked_ok &&
-                        v7m_stack_write(cpu, faddr, slo,
-                                        mmu_idx, STACK_NORMAL) &&
-                        v7m_stack_write(cpu, faddr + 4, shi,
-                                        mmu_idx, STACK_NORMAL);
-                }
-                stacked_ok = stacked_ok &&
-                    v7m_stack_write(cpu, frameptr + 0x60,
-                                    vfp_get_fpscr(env), mmu_idx, STACK_NORMAL);
-                if (cpacr_pass) {
-                    for (i = 0; i < ((framesize == 0xa8) ? 32 : 16); i += 2) {
-                        *aa32_vfp_dreg(env, i / 2) = 0;
-                    }
-                    vfp_set_fpscr(env, 0);
-                }
-            } else {
-                /* Lazy stacking enabled, save necessary info to stack later */
-                v7m_update_fpccr(env, frameptr + 0x20, true);
-            }
-        }
-    }
-
-    /*
-     * If we broke a stack limit then SP was already updated earlier;
-     * otherwise we update SP regardless of whether any of the stack
-     * accesses failed or we took some other kind of fault.
-     */
-    if (!limitviol) {
-        env->regs[13] = frameptr;
-    }
-
-    return !stacked_ok;
-}
-
-static void do_v7m_exception_exit(ARMCPU *cpu)
-{
-    CPUARMState *env = &cpu->env;
-    uint32_t excret;
-    uint32_t xpsr, xpsr_mask;
-    bool ufault = false;
-    bool sfault = false;
-    bool return_to_sp_process;
-    bool return_to_handler;
-    bool rettobase = false;
-    bool exc_secure = false;
-    bool return_to_secure;
-    bool ftype;
-    bool restore_s16_s31;
-
-    /*
-     * If we're not in Handler mode then jumps to magic exception-exit
-     * addresses don't have magic behaviour. However for the v8M
-     * security extensions the magic secure-function-return has to
-     * work in thread mode too, so to avoid doing an extra check in
-     * the generated code we allow exception-exit magic to also cause the
-     * internal exception and bring us here in thread mode. Correct code
-     * will never try to do this (the following insn fetch will always
-     * fault) so we the overhead of having taken an unnecessary exception
-     * doesn't matter.
-     */
-    if (!arm_v7m_is_handler_mode(env)) {
-        return;
-    }
-
-    /*
-     * In the spec pseudocode ExceptionReturn() is called directly
-     * from BXWritePC() and gets the full target PC value including
-     * bit zero. In QEMU's implementation we treat it as a normal
-     * jump-to-register (which is then caught later on), and so split
-     * the target value up between env->regs[15] and env->thumb in
-     * gen_bx(). Reconstitute it.
-     */
-    excret = env->regs[15];
-    if (env->thumb) {
-        excret |= 1;
-    }
-
-    qemu_log_mask(CPU_LOG_INT, "Exception return: magic PC %" PRIx32
-                  " previous exception %d\n",
-                  excret, env->v7m.exception);
-
-    if ((excret & R_V7M_EXCRET_RES1_MASK) != R_V7M_EXCRET_RES1_MASK) {
-        qemu_log_mask(LOG_GUEST_ERROR, "M profile: zero high bits in exception "
-                      "exit PC value 0x%" PRIx32 " are UNPREDICTABLE\n",
-                      excret);
-    }
-
-    ftype = excret & R_V7M_EXCRET_FTYPE_MASK;
-
-    if (!arm_feature(env, ARM_FEATURE_VFP) && !ftype) {
-        qemu_log_mask(LOG_GUEST_ERROR, "M profile: zero FTYPE in exception "
-                      "exit PC value 0x%" PRIx32 " is UNPREDICTABLE "
-                      "if FPU not present\n",
-                      excret);
-        ftype = true;
-    }
-
-    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
-        /*
-         * EXC_RETURN.ES validation check (R_SMFL). We must do this before
-         * we pick which FAULTMASK to clear.
-         */
-        if (!env->v7m.secure &&
-            ((excret & R_V7M_EXCRET_ES_MASK) ||
-             !(excret & R_V7M_EXCRET_DCRS_MASK))) {
-            sfault = 1;
-            /* For all other purposes, treat ES as 0 (R_HXSR) */
-            excret &= ~R_V7M_EXCRET_ES_MASK;
-        }
-        exc_secure = excret & R_V7M_EXCRET_ES_MASK;
-    }
-
-    if (env->v7m.exception != ARMV7M_EXCP_NMI) {
-        /*
-         * Auto-clear FAULTMASK on return from other than NMI.
-         * If the security extension is implemented then this only
-         * happens if the raw execution priority is >= 0; the
-         * value of the ES bit in the exception return value indicates
-         * which security state's faultmask to clear. (v8M ARM ARM R_KBNF.)
-         */
-        if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
-            if (armv7m_nvic_raw_execution_priority(env->nvic) >= 0) {
-                env->v7m.faultmask[exc_secure] = 0;
-            }
-        } else {
-            env->v7m.faultmask[M_REG_NS] = 0;
-        }
-    }
-
-    switch (armv7m_nvic_complete_irq(env->nvic, env->v7m.exception,
-                                     exc_secure)) {
-    case -1:
-        /* attempt to exit an exception that isn't active */
-        ufault = true;
-        break;
-    case 0:
-        /* still an irq active now */
-        break;
-    case 1:
-        /*
-         * We returned to base exception level, no nesting.
-         * (In the pseudocode this is written using "NestedActivation != 1"
-         * where we have 'rettobase == false'.)
-         */
-        rettobase = true;
-        break;
-    default:
-        g_assert_not_reached();
-    }
-
-    return_to_handler = !(excret & R_V7M_EXCRET_MODE_MASK);
-    return_to_sp_process = excret & R_V7M_EXCRET_SPSEL_MASK;
-    return_to_secure = arm_feature(env, ARM_FEATURE_M_SECURITY) &&
-        (excret & R_V7M_EXCRET_S_MASK);
-
-    if (arm_feature(env, ARM_FEATURE_V8)) {
-        if (!arm_feature(env, ARM_FEATURE_M_SECURITY)) {
-            /*
-             * UNPREDICTABLE if S == 1 or DCRS == 0 or ES == 1 (R_XLCP);
-             * we choose to take the UsageFault.
-             */
-            if ((excret & R_V7M_EXCRET_S_MASK) ||
-                (excret & R_V7M_EXCRET_ES_MASK) ||
-                !(excret & R_V7M_EXCRET_DCRS_MASK)) {
-                ufault = true;
-            }
-        }
-        if (excret & R_V7M_EXCRET_RES0_MASK) {
-            ufault = true;
-        }
-    } else {
-        /* For v7M we only recognize certain combinations of the low bits */
-        switch (excret & 0xf) {
-        case 1: /* Return to Handler */
-            break;
-        case 13: /* Return to Thread using Process stack */
-        case 9: /* Return to Thread using Main stack */
-            /*
-             * We only need to check NONBASETHRDENA for v7M, because in
-             * v8M this bit does not exist (it is RES1).
-             */
-            if (!rettobase &&
-                !(env->v7m.ccr[env->v7m.secure] &
-                  R_V7M_CCR_NONBASETHRDENA_MASK)) {
-                ufault = true;
-            }
-            break;
-        default:
-            ufault = true;
-        }
-    }
-
-    /*
-     * Set CONTROL.SPSEL from excret.SPSEL. Since we're still in
-     * Handler mode (and will be until we write the new XPSR.Interrupt
-     * field) this does not switch around the current stack pointer.
-     * We must do this before we do any kind of tailchaining, including
-     * for the derived exceptions on integrity check failures, or we will
-     * give the guest an incorrect EXCRET.SPSEL value on exception entry.
-     */
-    write_v7m_control_spsel_for_secstate(env, return_to_sp_process, exc_secure);
-
-    /*
-     * Clear scratch FP values left in caller saved registers; this
-     * must happen before any kind of tail chaining.
-     */
-    if ((env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_CLRONRET_MASK) &&
-        (env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK)) {
-        if (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPACT_MASK) {
-            env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
-            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
-            qemu_log_mask(CPU_LOG_INT, "...taking SecureFault on existing "
-                          "stackframe: error during lazy state deactivation\n");
-            v7m_exception_taken(cpu, excret, true, false);
-            return;
-        } else {
-            /* Clear s0..s15 and FPSCR */
-            int i;
-
-            for (i = 0; i < 16; i += 2) {
-                *aa32_vfp_dreg(env, i / 2) = 0;
-            }
-            vfp_set_fpscr(env, 0);
-        }
-    }
-
-    if (sfault) {
-        env->v7m.sfsr |= R_V7M_SFSR_INVER_MASK;
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
-        qemu_log_mask(CPU_LOG_INT, "...taking SecureFault on existing "
-                      "stackframe: failed EXC_RETURN.ES validity check\n");
-        v7m_exception_taken(cpu, excret, true, false);
-        return;
-    }
-
-    if (ufault) {
-        /*
-         * Bad exception return: instead of popping the exception
-         * stack, directly take a usage fault on the current stack.
-         */
-        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
-        qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on existing "
-                      "stackframe: failed exception return integrity check\n");
-        v7m_exception_taken(cpu, excret, true, false);
-        return;
-    }
-
-    /*
-     * Tailchaining: if there is currently a pending exception that
-     * is high enough priority to preempt execution at the level we're
-     * about to return to, then just directly take that exception now,
-     * avoiding an unstack-and-then-stack. Note that now we have
-     * deactivated the previous exception by calling armv7m_nvic_complete_irq()
-     * our current execution priority is already the execution priority we are
-     * returning to -- none of the state we would unstack or set based on
-     * the EXCRET value affects it.
-     */
-    if (armv7m_nvic_can_take_pending_exception(env->nvic)) {
-        qemu_log_mask(CPU_LOG_INT, "...tailchaining to pending exception\n");
-        v7m_exception_taken(cpu, excret, true, false);
-        return;
-    }
-
-    switch_v7m_security_state(env, return_to_secure);
-
-    {
-        /*
-         * The stack pointer we should be reading the exception frame from
-         * depends on bits in the magic exception return type value (and
-         * for v8M isn't necessarily the stack pointer we will eventually
-         * end up resuming execution with). Get a pointer to the location
-         * in the CPU state struct where the SP we need is currently being
-         * stored; we will use and modify it in place.
-         * We use this limited C variable scope so we don't accidentally
-         * use 'frame_sp_p' after we do something that makes it invalid.
-         */
-        uint32_t *frame_sp_p = get_v7m_sp_ptr(env,
-                                              return_to_secure,
-                                              !return_to_handler,
-                                              return_to_sp_process);
-        uint32_t frameptr = *frame_sp_p;
-        bool pop_ok = true;
-        ARMMMUIdx mmu_idx;
-        bool return_to_priv = return_to_handler ||
-            !(env->v7m.control[return_to_secure] & R_V7M_CONTROL_NPRIV_MASK);
-
-        mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, return_to_secure,
-                                                        return_to_priv);
-
-        if (!QEMU_IS_ALIGNED(frameptr, 8) &&
-            arm_feature(env, ARM_FEATURE_V8)) {
-            qemu_log_mask(LOG_GUEST_ERROR,
-                          "M profile exception return with non-8-aligned SP "
-                          "for destination state is UNPREDICTABLE\n");
-        }
-
-        /* Do we need to pop callee-saved registers? */
-        if (return_to_secure &&
-            ((excret & R_V7M_EXCRET_ES_MASK) == 0 ||
-             (excret & R_V7M_EXCRET_DCRS_MASK) == 0)) {
-            uint32_t actual_sig;
-
-            pop_ok = v7m_stack_read(cpu, &actual_sig, frameptr, mmu_idx);
-
-            if (pop_ok && v7m_integrity_sig(env, excret) != actual_sig) {
-                /* Take a SecureFault on the current stack */
-                env->v7m.sfsr |= R_V7M_SFSR_INVIS_MASK;
-                armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
-                qemu_log_mask(CPU_LOG_INT, "...taking SecureFault on existing "
-                              "stackframe: failed exception return integrity "
-                              "signature check\n");
-                v7m_exception_taken(cpu, excret, true, false);
-                return;
-            }
-
-            pop_ok = pop_ok &&
-                v7m_stack_read(cpu, &env->regs[4], frameptr + 0x8, mmu_idx) &&
-                v7m_stack_read(cpu, &env->regs[5], frameptr + 0xc, mmu_idx) &&
-                v7m_stack_read(cpu, &env->regs[6], frameptr + 0x10, mmu_idx) &&
-                v7m_stack_read(cpu, &env->regs[7], frameptr + 0x14, mmu_idx) &&
-                v7m_stack_read(cpu, &env->regs[8], frameptr + 0x18, mmu_idx) &&
-                v7m_stack_read(cpu, &env->regs[9], frameptr + 0x1c, mmu_idx) &&
-                v7m_stack_read(cpu, &env->regs[10], frameptr + 0x20, mmu_idx) &&
-                v7m_stack_read(cpu, &env->regs[11], frameptr + 0x24, mmu_idx);
-
-            frameptr += 0x28;
-        }
-
-        /* Pop registers */
-        pop_ok = pop_ok &&
-            v7m_stack_read(cpu, &env->regs[0], frameptr, mmu_idx) &&
-            v7m_stack_read(cpu, &env->regs[1], frameptr + 0x4, mmu_idx) &&
-            v7m_stack_read(cpu, &env->regs[2], frameptr + 0x8, mmu_idx) &&
-            v7m_stack_read(cpu, &env->regs[3], frameptr + 0xc, mmu_idx) &&
-            v7m_stack_read(cpu, &env->regs[12], frameptr + 0x10, mmu_idx) &&
-            v7m_stack_read(cpu, &env->regs[14], frameptr + 0x14, mmu_idx) &&
-            v7m_stack_read(cpu, &env->regs[15], frameptr + 0x18, mmu_idx) &&
-            v7m_stack_read(cpu, &xpsr, frameptr + 0x1c, mmu_idx);
-
-        if (!pop_ok) {
-            /*
-             * v7m_stack_read() pended a fault, so take it (as a tail
-             * chained exception on the same stack frame)
-             */
-            qemu_log_mask(CPU_LOG_INT, "...derived exception on unstacking\n");
-            v7m_exception_taken(cpu, excret, true, false);
-            return;
-        }
-
-        /*
-         * Returning from an exception with a PC with bit 0 set is defined
-         * behaviour on v8M (bit 0 is ignored), but for v7M it was specified
-         * to be UNPREDICTABLE. In practice actual v7M hardware seems to ignore
-         * the lsbit, and there are several RTOSes out there which incorrectly
-         * assume the r15 in the stack frame should be a Thumb-style "lsbit
-         * indicates ARM/Thumb" value, so ignore the bit on v7M as well, but
-         * complain about the badly behaved guest.
-         */
-        if (env->regs[15] & 1) {
-            env->regs[15] &= ~1U;
-            if (!arm_feature(env, ARM_FEATURE_V8)) {
-                qemu_log_mask(LOG_GUEST_ERROR,
-                              "M profile return from interrupt with misaligned "
-                              "PC is UNPREDICTABLE on v7M\n");
-            }
-        }
-
-        if (arm_feature(env, ARM_FEATURE_V8)) {
-            /*
-             * For v8M we have to check whether the xPSR exception field
-             * matches the EXCRET value for return to handler/thread
-             * before we commit to changing the SP and xPSR.
-             */
-            bool will_be_handler = (xpsr & XPSR_EXCP) != 0;
-            if (return_to_handler != will_be_handler) {
-                /*
-                 * Take an INVPC UsageFault on the current stack.
-                 * By this point we will have switched to the security state
-                 * for the background state, so this UsageFault will target
-                 * that state.
-                 */
-                armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
-                                        env->v7m.secure);
-                env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
-                qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on existing "
-                              "stackframe: failed exception return integrity "
-                              "check\n");
-                v7m_exception_taken(cpu, excret, true, false);
-                return;
-            }
-        }
-
-        if (!ftype) {
-            /* FP present and we need to handle it */
-            if (!return_to_secure &&
-                (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPACT_MASK)) {
-                armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
-                env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
-                qemu_log_mask(CPU_LOG_INT,
-                              "...taking SecureFault on existing stackframe: "
-                              "Secure LSPACT set but exception return is "
-                              "not to secure state\n");
-                v7m_exception_taken(cpu, excret, true, false);
-                return;
-            }
-
-            restore_s16_s31 = return_to_secure &&
-                (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK);
-
-            if (env->v7m.fpccr[return_to_secure] & R_V7M_FPCCR_LSPACT_MASK) {
-                /* State in FPU is still valid, just clear LSPACT */
-                env->v7m.fpccr[return_to_secure] &= ~R_V7M_FPCCR_LSPACT_MASK;
-            } else {
-                int i;
-                uint32_t fpscr;
-                bool cpacr_pass, nsacr_pass;
-
-                cpacr_pass = v7m_cpacr_pass(env, return_to_secure,
-                                            return_to_priv);
-                nsacr_pass = return_to_secure ||
-                    extract32(env->v7m.nsacr, 10, 1);
-
-                if (!cpacr_pass) {
-                    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
-                                            return_to_secure);
-                    env->v7m.cfsr[return_to_secure] |= R_V7M_CFSR_NOCP_MASK;
-                    qemu_log_mask(CPU_LOG_INT,
-                                  "...taking UsageFault on existing "
-                                  "stackframe: CPACR.CP10 prevents unstacking "
-                                  "FP regs\n");
-                    v7m_exception_taken(cpu, excret, true, false);
-                    return;
-                } else if (!nsacr_pass) {
-                    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, true);
-                    env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_INVPC_MASK;
-                    qemu_log_mask(CPU_LOG_INT,
-                                  "...taking Secure UsageFault on existing "
-                                  "stackframe: NSACR.CP10 prevents unstacking "
-                                  "FP regs\n");
-                    v7m_exception_taken(cpu, excret, true, false);
-                    return;
-                }
-
-                for (i = 0; i < (restore_s16_s31 ? 32 : 16); i += 2) {
-                    uint32_t slo, shi;
-                    uint64_t dn;
-                    uint32_t faddr = frameptr + 0x20 + 4 * i;
-
-                    if (i >= 16) {
-                        faddr += 8; /* Skip the slot for the FPSCR */
-                    }
-
-                    pop_ok = pop_ok &&
-                        v7m_stack_read(cpu, &slo, faddr, mmu_idx) &&
-                        v7m_stack_read(cpu, &shi, faddr + 4, mmu_idx);
-
-                    if (!pop_ok) {
-                        break;
-                    }
-
-                    dn = (uint64_t)shi << 32 | slo;
-                    *aa32_vfp_dreg(env, i / 2) = dn;
-                }
-                pop_ok = pop_ok &&
-                    v7m_stack_read(cpu, &fpscr, frameptr + 0x60, mmu_idx);
-                if (pop_ok) {
-                    vfp_set_fpscr(env, fpscr);
-                }
-                if (!pop_ok) {
-                    /*
-                     * These regs are 0 if security extension present;
-                     * otherwise merely UNKNOWN. We zero always.
-                     */
-                    for (i = 0; i < (restore_s16_s31 ? 32 : 16); i += 2) {
-                        *aa32_vfp_dreg(env, i / 2) = 0;
-                    }
-                    vfp_set_fpscr(env, 0);
-                }
-            }
-        }
-        env->v7m.control[M_REG_S] = FIELD_DP32(env->v7m.control[M_REG_S],
-                                               V7M_CONTROL, FPCA, !ftype);
-
-        /* Commit to consuming the stack frame */
-        frameptr += 0x20;
-        if (!ftype) {
-            frameptr += 0x48;
-            if (restore_s16_s31) {
-                frameptr += 0x40;
-            }
-        }
-        /*
-         * Undo stack alignment (the SPREALIGN bit indicates that the original
-         * pre-exception SP was not 8-aligned and we added a padding word to
-         * align it, so we undo this by ORing in the bit that increases it
-         * from the current 8-aligned value to the 8-unaligned value. (Adding 4
-         * would work too but a logical OR is how the pseudocode specifies it.)
-         */
-        if (xpsr & XPSR_SPREALIGN) {
-            frameptr |= 4;
-        }
-        *frame_sp_p = frameptr;
-    }
-
-    xpsr_mask = ~(XPSR_SPREALIGN | XPSR_SFPA);
-    if (!arm_feature(env, ARM_FEATURE_THUMB_DSP)) {
-        xpsr_mask &= ~XPSR_GE;
-    }
-    /* This xpsr_write() will invalidate frame_sp_p as it may switch stack */
-    xpsr_write(env, xpsr, xpsr_mask);
-
-    if (env->v7m.secure) {
-        bool sfpa = xpsr & XPSR_SFPA;
-
-        env->v7m.control[M_REG_S] = FIELD_DP32(env->v7m.control[M_REG_S],
-                                               V7M_CONTROL, SFPA, sfpa);
-    }
-
-    /*
-     * The restored xPSR exception field will be zero if we're
-     * resuming in Thread mode. If that doesn't match what the
-     * exception return excret specified then this is a UsageFault.
-     * v7M requires we make this check here; v8M did it earlier.
-     */
-    if (return_to_handler != arm_v7m_is_handler_mode(env)) {
-        /*
-         * Take an INVPC UsageFault by pushing the stack again;
-         * we know we're v7M so this is never a Secure UsageFault.
-         */
-        bool ignore_stackfaults;
-
-        assert(!arm_feature(env, ARM_FEATURE_V8));
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, false);
-        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
-        ignore_stackfaults = v7m_push_stack(cpu);
-        qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on new stackframe: "
-                      "failed exception return integrity check\n");
-        v7m_exception_taken(cpu, excret, false, ignore_stackfaults);
-        return;
-    }
-
-    /* Otherwise, we have a successful exception exit. */
-    arm_clear_exclusive(env);
-    qemu_log_mask(CPU_LOG_INT, "...successful exception return\n");
-}
-
-static bool do_v7m_function_return(ARMCPU *cpu)
-{
-    /*
-     * v8M security extensions magic function return.
-     * We may either:
-     *  (1) throw an exception (longjump)
-     *  (2) return true if we successfully handled the function return
-     *  (3) return false if we failed a consistency check and have
-     *      pended a UsageFault that needs to be taken now
-     *
-     * At this point the magic return value is split between env->regs[15]
-     * and env->thumb. We don't bother to reconstitute it because we don't
-     * need it (all values are handled the same way).
-     */
-    CPUARMState *env = &cpu->env;
-    uint32_t newpc, newpsr, newpsr_exc;
-
-    qemu_log_mask(CPU_LOG_INT, "...really v7M secure function return\n");
-
-    {
-        bool threadmode, spsel;
-        TCGMemOpIdx oi;
-        ARMMMUIdx mmu_idx;
-        uint32_t *frame_sp_p;
-        uint32_t frameptr;
-
-        /* Pull the return address and IPSR from the Secure stack */
-        threadmode = !arm_v7m_is_handler_mode(env);
-        spsel = env->v7m.control[M_REG_S] & R_V7M_CONTROL_SPSEL_MASK;
-
-        frame_sp_p = get_v7m_sp_ptr(env, true, threadmode, spsel);
-        frameptr = *frame_sp_p;
-
-        /*
-         * These loads may throw an exception (for MPU faults). We want to
-         * do them as secure, so work out what MMU index that is.
-         */
-        mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
-        oi = make_memop_idx(MO_LE, arm_to_core_mmu_idx(mmu_idx));
-        newpc = helper_le_ldul_mmu(env, frameptr, oi, 0);
-        newpsr = helper_le_ldul_mmu(env, frameptr + 4, oi, 0);
-
-        /* Consistency checks on new IPSR */
-        newpsr_exc = newpsr & XPSR_EXCP;
-        if (!((env->v7m.exception == 0 && newpsr_exc == 0) ||
-              (env->v7m.exception == 1 && newpsr_exc != 0))) {
-            /* Pend the fault and tell our caller to take it */
-            env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
-            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
-                                    env->v7m.secure);
-            qemu_log_mask(CPU_LOG_INT,
-                          "...taking INVPC UsageFault: "
-                          "IPSR consistency check failed\n");
-            return false;
-        }
-
-        *frame_sp_p = frameptr + 8;
-    }
-
-    /* This invalidates frame_sp_p */
-    switch_v7m_security_state(env, true);
-    env->v7m.exception = newpsr_exc;
-    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
-    if (newpsr & XPSR_SFPA) {
-        env->v7m.control[M_REG_S] |= R_V7M_CONTROL_SFPA_MASK;
-    }
-    xpsr_write(env, 0, XPSR_IT);
-    env->thumb = newpc & 1;
-    env->regs[15] = newpc & ~1;
-
-    qemu_log_mask(CPU_LOG_INT, "...function return successful\n");
-    return true;
-}
-
-static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
-                               uint32_t addr, uint16_t *insn)
-{
-    /*
-     * Load a 16-bit portion of a v7M instruction, returning true on success,
-     * or false on failure (in which case we will have pended the appropriate
-     * exception).
-     * We need to do the instruction fetch's MPU and SAU checks
-     * like this because there is no MMU index that would allow
-     * doing the load with a single function call. Instead we must
-     * first check that the security attributes permit the load
-     * and that they don't mismatch on the two halves of the instruction,
-     * and then we do the load as a secure load (ie using the security
-     * attributes of the address, not the CPU, as architecturally required).
-     */
-    CPUState *cs = CPU(cpu);
-    CPUARMState *env = &cpu->env;
-    V8M_SAttributes sattrs = {};
-    MemTxAttrs attrs = {};
-    ARMMMUFaultInfo fi = {};
-    MemTxResult txres;
-    target_ulong page_size;
-    hwaddr physaddr;
-    int prot;
-
-    v8m_security_lookup(env, addr, MMU_INST_FETCH, mmu_idx, &sattrs);
-    if (!sattrs.nsc || sattrs.ns) {
-        /*
-         * This must be the second half of the insn, and it straddles a
-         * region boundary with the second half not being S&NSC.
-         */
-        env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
-        qemu_log_mask(CPU_LOG_INT,
-                      "...really SecureFault with SFSR.INVEP\n");
-        return false;
-    }
-    if (get_phys_addr(env, addr, MMU_INST_FETCH, mmu_idx,
-                      &physaddr, &attrs, &prot, &page_size, &fi, NULL)) {
-        /* the MPU lookup failed */
-        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_IACCVIOL_MASK;
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM, env->v7m.secure);
-        qemu_log_mask(CPU_LOG_INT, "...really MemManage with CFSR.IACCVIOL\n");
-        return false;
-    }
-    *insn = address_space_lduw_le(arm_addressspace(cs, attrs), physaddr,
-                                 attrs, &txres);
-    if (txres != MEMTX_OK) {
-        env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_IBUSERR_MASK;
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
-        qemu_log_mask(CPU_LOG_INT, "...really BusFault with CFSR.IBUSERR\n");
-        return false;
-    }
-    return true;
-}
-
-static bool v7m_handle_execute_nsc(ARMCPU *cpu)
-{
-    /*
-     * Check whether this attempt to execute code in a Secure & NS-Callable
-     * memory region is for an SG instruction; if so, then emulate the
-     * effect of the SG instruction and return true. Otherwise pend
-     * the correct kind of exception and return false.
-     */
-    CPUARMState *env = &cpu->env;
-    ARMMMUIdx mmu_idx;
-    uint16_t insn;
-
-    /*
-     * We should never get here unless get_phys_addr_pmsav8() caused
-     * an exception for NS executing in S&NSC memory.
-     */
-    assert(!env->v7m.secure);
-    assert(arm_feature(env, ARM_FEATURE_M_SECURITY));
-
-    /* We want to do the MPU lookup as secure; work out what mmu_idx that is */
-    mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
-
-    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15], &insn)) {
-        return false;
-    }
-
-    if (!env->thumb) {
-        goto gen_invep;
-    }
-
-    if (insn != 0xe97f) {
-        /*
-         * Not an SG instruction first half (we choose the IMPDEF
-         * early-SG-check option).
-         */
-        goto gen_invep;
-    }
-
-    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15] + 2, &insn)) {
-        return false;
-    }
-
-    if (insn != 0xe97f) {
-        /*
-         * Not an SG instruction second half (yes, both halves of the SG
-         * insn have the same hex value)
-         */
-        goto gen_invep;
-    }
-
-    /*
-     * OK, we have confirmed that we really have an SG instruction.
-     * We know we're NS in S memory so don't need to repeat those checks.
-     */
-    qemu_log_mask(CPU_LOG_INT, "...really an SG instruction at 0x%08" PRIx32
-                  ", executing it\n", env->regs[15]);
-    env->regs[14] &= ~1;
-    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
-    switch_v7m_security_state(env, true);
-    xpsr_write(env, 0, XPSR_IT);
-    env->regs[15] += 4;
-    return true;
-
-gen_invep:
-    env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
-    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
-    qemu_log_mask(CPU_LOG_INT,
-                  "...really SecureFault with SFSR.INVEP\n");
-    return false;
-}
-
-void arm_v7m_cpu_do_interrupt(CPUState *cs)
-{
-    ARMCPU *cpu = ARM_CPU(cs);
-    CPUARMState *env = &cpu->env;
-    uint32_t lr;
-    bool ignore_stackfaults;
-
-    arm_log_exception(cs->exception_index);
-
-    /*
-     * For exceptions we just mark as pending on the NVIC, and let that
-     * handle it.
-     */
-    switch (cs->exception_index) {
-    case EXCP_UDEF:
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
-        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_UNDEFINSTR_MASK;
-        break;
-    case EXCP_NOCP:
-    {
-        /*
-         * NOCP might be directed to something other than the current
-         * security state if this fault is because of NSACR; we indicate
-         * the target security state using exception.target_el.
-         */
-        int target_secstate;
-
-        if (env->exception.target_el == 3) {
-            target_secstate = M_REG_S;
-        } else {
-            target_secstate = env->v7m.secure;
-        }
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, target_secstate);
-        env->v7m.cfsr[target_secstate] |= R_V7M_CFSR_NOCP_MASK;
-        break;
-    }
-    case EXCP_INVSTATE:
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
-        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVSTATE_MASK;
-        break;
-    case EXCP_STKOF:
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
-        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;
-        break;
-    case EXCP_LSERR:
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
-        env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
-        break;
-    case EXCP_UNALIGNED:
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
-        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_UNALIGNED_MASK;
-        break;
-    case EXCP_SWI:
-        /* The PC already points to the next instruction.  */
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SVC, env->v7m.secure);
-        break;
-    case EXCP_PREFETCH_ABORT:
-    case EXCP_DATA_ABORT:
-        /*
-         * Note that for M profile we don't have a guest facing FSR, but
-         * the env->exception.fsr will be populated by the code that
-         * raises the fault, in the A profile short-descriptor format.
-         */
-        switch (env->exception.fsr & 0xf) {
-        case M_FAKE_FSR_NSC_EXEC:
-            /*
-             * Exception generated when we try to execute code at an address
-             * which is marked as Secure & Non-Secure Callable and the CPU
-             * is in the Non-Secure state. The only instruction which can
-             * be executed like this is SG (and that only if both halves of
-             * the SG instruction have the same security attributes.)
-             * Everything else must generate an INVEP SecureFault, so we
-             * emulate the SG instruction here.
-             */
-            if (v7m_handle_execute_nsc(cpu)) {
-                return;
-            }
-            break;
-        case M_FAKE_FSR_SFAULT:
-            /*
-             * Various flavours of SecureFault for attempts to execute or
-             * access data in the wrong security state.
-             */
-            switch (cs->exception_index) {
-            case EXCP_PREFETCH_ABORT:
-                if (env->v7m.secure) {
-                    env->v7m.sfsr |= R_V7M_SFSR_INVTRAN_MASK;
-                    qemu_log_mask(CPU_LOG_INT,
-                                  "...really SecureFault with SFSR.INVTRAN\n");
-                } else {
-                    env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
-                    qemu_log_mask(CPU_LOG_INT,
-                                  "...really SecureFault with SFSR.INVEP\n");
-                }
-                break;
-            case EXCP_DATA_ABORT:
-                /* This must be an NS access to S memory */
-                env->v7m.sfsr |= R_V7M_SFSR_AUVIOL_MASK;
-                qemu_log_mask(CPU_LOG_INT,
-                              "...really SecureFault with SFSR.AUVIOL\n");
-                break;
-            }
-            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
-            break;
-        case 0x8: /* External Abort */
-            switch (cs->exception_index) {
-            case EXCP_PREFETCH_ABORT:
-                env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_IBUSERR_MASK;
-                qemu_log_mask(CPU_LOG_INT, "...with CFSR.IBUSERR\n");
-                break;
-            case EXCP_DATA_ABORT:
-                env->v7m.cfsr[M_REG_NS] |=
-                    (R_V7M_CFSR_PRECISERR_MASK | R_V7M_CFSR_BFARVALID_MASK);
-                env->v7m.bfar = env->exception.vaddress;
-                qemu_log_mask(CPU_LOG_INT,
-                              "...with CFSR.PRECISERR and BFAR 0x%x\n",
-                              env->v7m.bfar);
-                break;
-            }
-            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
-            break;
-        default:
-            /*
-             * All other FSR values are either MPU faults or "can't happen
-             * for M profile" cases.
-             */
-            switch (cs->exception_index) {
-            case EXCP_PREFETCH_ABORT:
-                env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_IACCVIOL_MASK;
-                qemu_log_mask(CPU_LOG_INT, "...with CFSR.IACCVIOL\n");
-                break;
-            case EXCP_DATA_ABORT:
-                env->v7m.cfsr[env->v7m.secure] |=
-                    (R_V7M_CFSR_DACCVIOL_MASK | R_V7M_CFSR_MMARVALID_MASK);
-                env->v7m.mmfar[env->v7m.secure] = env->exception.vaddress;
-                qemu_log_mask(CPU_LOG_INT,
-                              "...with CFSR.DACCVIOL and MMFAR 0x%x\n",
-                              env->v7m.mmfar[env->v7m.secure]);
-                break;
-            }
-            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM,
-                                    env->v7m.secure);
-            break;
-        }
-        break;
-    case EXCP_BKPT:
-        if (semihosting_enabled()) {
-            int nr;
-            nr = arm_lduw_code(env, env->regs[15], arm_sctlr_b(env)) & 0xff;
-            if (nr == 0xab) {
-                env->regs[15] += 2;
-                qemu_log_mask(CPU_LOG_INT,
-                              "...handling as semihosting call 0x%x\n",
-                              env->regs[0]);
-                env->regs[0] = do_arm_semihosting(env);
-                return;
-            }
-        }
-        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_DEBUG, false);
-        break;
-    case EXCP_IRQ:
-        break;
-    case EXCP_EXCEPTION_EXIT:
-        if (env->regs[15] < EXC_RETURN_MIN_MAGIC) {
-            /* Must be v8M security extension function return */
-            assert(env->regs[15] >= FNC_RETURN_MIN_MAGIC);
-            assert(arm_feature(env, ARM_FEATURE_M_SECURITY));
-            if (do_v7m_function_return(cpu)) {
-                return;
-            }
-        } else {
-            do_v7m_exception_exit(cpu);
-            return;
-        }
-        break;
-    case EXCP_LAZYFP:
-        /*
-         * We already pended the specific exception in the NVIC in the
-         * v7m_preserve_fp_state() helper function.
-         */
-        break;
-    default:
-        cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
-        return; /* Never happens.  Keep compiler happy.  */
-    }
-
-    if (arm_feature(env, ARM_FEATURE_V8)) {
-        lr = R_V7M_EXCRET_RES1_MASK |
-            R_V7M_EXCRET_DCRS_MASK;
-        /*
-         * The S bit indicates whether we should return to Secure
-         * or NonSecure (ie our current state).
-         * The ES bit indicates whether we're taking this exception
-         * to Secure or NonSecure (ie our target state). We set it
-         * later, in v7m_exception_taken().
-         * The SPSEL bit is also set in v7m_exception_taken() for v8M.
-         * This corresponds to the ARM ARM pseudocode for v8M setting
-         * some LR bits in PushStack() and some in ExceptionTaken();
-         * the distinction matters for the tailchain cases where we
-         * can take an exception without pushing the stack.
-         */
-        if (env->v7m.secure) {
-            lr |= R_V7M_EXCRET_S_MASK;
-        }
-        if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK)) {
-            lr |= R_V7M_EXCRET_FTYPE_MASK;
-        }
-    } else {
-        lr = R_V7M_EXCRET_RES1_MASK |
-            R_V7M_EXCRET_S_MASK |
-            R_V7M_EXCRET_DCRS_MASK |
-            R_V7M_EXCRET_FTYPE_MASK |
-            R_V7M_EXCRET_ES_MASK;
-        if (env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK) {
-            lr |= R_V7M_EXCRET_SPSEL_MASK;
-        }
-    }
-    if (!arm_v7m_is_handler_mode(env)) {
-        lr |= R_V7M_EXCRET_MODE_MASK;
-    }
-
-    ignore_stackfaults = v7m_push_stack(cpu);
-    v7m_exception_taken(cpu, lr, false, ignore_stackfaults);
-}
-
 /*
  * Function used to synchronize QEMU's AArch64 register set with AArch32
  * register set.  This is necessary when switching between AArch32 and AArch64
@@ -XXX,XX +XXX,XX @@ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
     return phys_addr;
 }
 
-uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
-{
-    uint32_t mask;
-    unsigned el = arm_current_el(env);
-
-    /* First handle registers which unprivileged can read */
-
-    switch (reg) {
-    case 0 ... 7: /* xPSR sub-fields */
-        mask = 0;
-        if ((reg & 1) && el) {
-            mask |= XPSR_EXCP; /* IPSR (unpriv. reads as zero) */
-        }
-        if (!(reg & 4)) {
-            mask |= XPSR_NZCV | XPSR_Q; /* APSR */
-            if (arm_feature(env, ARM_FEATURE_THUMB_DSP)) {
-                mask |= XPSR_GE;
-            }
-        }
-        /* EPSR reads as zero */
-        return xpsr_read(env) & mask;
-        break;
-    case 20: /* CONTROL */
-    {
-        uint32_t value = env->v7m.control[env->v7m.secure];
-        if (!env->v7m.secure) {
-            /* SFPA is RAZ/WI from NS; FPCA is stored in the M_REG_S bank */
-            value |= env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK;
-        }
-        return value;
-    }
-    case 0x94: /* CONTROL_NS */
-        /*
-         * We have to handle this here because unprivileged Secure code
-         * can read the NS CONTROL register.
-         */
-        if (!env->v7m.secure) {
-            return 0;
-        }
-        return env->v7m.control[M_REG_NS] |
-            (env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK);
-    }
-
-    if (el == 0) {
-        return 0; /* unprivileged reads others as zero */
-    }
-
-    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
-        switch (reg) {
-        case 0x88: /* MSP_NS */
-            if (!env->v7m.secure) {
-                return 0;
-            }
-            return env->v7m.other_ss_msp;
-        case 0x89: /* PSP_NS */
-            if (!env->v7m.secure) {
-                return 0;
-            }
-            return env->v7m.other_ss_psp;
-        case 0x8a: /* MSPLIM_NS */
-            if (!env->v7m.secure) {
-                return 0;
-            }
-            return env->v7m.msplim[M_REG_NS];
-        case 0x8b: /* PSPLIM_NS */
-            if (!env->v7m.secure) {
-                return 0;
-            }
-            return env->v7m.psplim[M_REG_NS];
-        case 0x90: /* PRIMASK_NS */
-            if (!env->v7m.secure) {
-                return 0;
-            }
-            return env->v7m.primask[M_REG_NS];
-        case 0x91: /* BASEPRI_NS */
-            if (!env->v7m.secure) {
-                return 0;
-            }
-            return env->v7m.basepri[M_REG_NS];
-        case 0x93: /* FAULTMASK_NS */
-            if (!env->v7m.secure) {
-                return 0;
-            }
-            return env->v7m.faultmask[M_REG_NS];
-        case 0x98: /* SP_NS */
-        {
-            /*
-             * This gives the non-secure SP selected based on whether we're
-             * currently in handler mode or not, using the NS CONTROL.SPSEL.
-             */
-            bool spsel = env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK;
-
-            if (!env->v7m.secure) {
-                return 0;
-            }
-            if (!arm_v7m_is_handler_mode(env) && spsel) {
-                return env->v7m.other_ss_psp;
-            } else {
-                return env->v7m.other_ss_msp;
-            }
-        }
-        default:
-            break;
-        }
-    }
-
-    switch (reg) {
-    case 8: /* MSP */
-        return v7m_using_psp(env) ? env->v7m.other_sp : env->regs[13];
-    case 9: /* PSP */
-        return v7m_using_psp(env) ? env->regs[13] : env->v7m.other_sp;
-    case 10: /* MSPLIM */
-        if (!arm_feature(env, ARM_FEATURE_V8)) {
-            goto bad_reg;
-        }
-        return env->v7m.msplim[env->v7m.secure];
-    case 11: /* PSPLIM */
-        if (!arm_feature(env, ARM_FEATURE_V8)) {
-            goto bad_reg;
-        }
-        return env->v7m.psplim[env->v7m.secure];
-    case 16: /* PRIMASK */
-        return env->v7m.primask[env->v7m.secure];
-    case 17: /* BASEPRI */
-    case 18: /* BASEPRI_MAX */
-        return env->v7m.basepri[env->v7m.secure];
-    case 19: /* FAULTMASK */
-        return env->v7m.faultmask[env->v7m.secure];
-    default:
-    bad_reg:
-        qemu_log_mask(LOG_GUEST_ERROR, "Attempt to read unknown special"
-                                       " register %d\n", reg);
-        return 0;
-    }
-}
-
-void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
-{
-    /*
-     * We're passed bits [11..0] of the instruction; extract
-     * SYSm and the mask bits.
-     * Invalid combinations of SYSm and mask are UNPREDICTABLE;
-     * we choose to treat them as if the mask bits were valid.
-     * NB that the pseudocode 'mask' variable is bits [11..10],
-     * whereas ours is [11..8].
-     */
-    uint32_t mask = extract32(maskreg, 8, 4);
-    uint32_t reg = extract32(maskreg, 0, 8);
-    int cur_el = arm_current_el(env);
-
-    if (cur_el == 0 && reg > 7 && reg != 20) {
-        /*
-         * only xPSR sub-fields and CONTROL.SFPA may be written by
-         * unprivileged code
-         */
-        return;
-    }
-
-    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
-        switch (reg) {
-        case 0x88: /* MSP_NS */
-            if (!env->v7m.secure) {
-                return;
-            }
-            env->v7m.other_ss_msp = val;
-            return;
-        case 0x89: /* PSP_NS */
-            if (!env->v7m.secure) {
-                return;
-            }
-            env->v7m.other_ss_psp = val;
-            return;
-        case 0x8a: /* MSPLIM_NS */
-            if (!env->v7m.secure) {
-                return;
-            }
-            env->v7m.msplim[M_REG_NS] = val & ~7;
-            return;
-        case 0x8b: /* PSPLIM_NS */
-            if (!env->v7m.secure) {
-                return;
-            }
-            env->v7m.psplim[M_REG_NS] = val & ~7;
-            return;
-        case 0x90: /* PRIMASK_NS */
-            if (!env->v7m.secure) {
-                return;
-            }
-            env->v7m.primask[M_REG_NS] = val & 1;
-            return;
-        case 0x91: /* BASEPRI_NS */
-            if (!env->v7m.secure || !arm_feature(env, ARM_FEATURE_M_MAIN)) {
-                return;
-            }
-            env->v7m.basepri[M_REG_NS] = val & 0xff;
-            return;
-        case 0x93: /* FAULTMASK_NS */
-            if (!env->v7m.secure || !arm_feature(env, ARM_FEATURE_M_MAIN)) {
-                return;
-            }
-            env->v7m.faultmask[M_REG_NS] = val & 1;
-            return;
-        case 0x94: /* CONTROL_NS */
-            if (!env->v7m.secure) {
-                return;
-            }
-            write_v7m_control_spsel_for_secstate(env,
-                                                 val & R_V7M_CONTROL_SPSEL_MASK,
-                                                 M_REG_NS);
-            if (arm_feature(env, ARM_FEATURE_M_MAIN)) {
-                env->v7m.control[M_REG_NS] &= ~R_V7M_CONTROL_NPRIV_MASK;
-                env->v7m.control[M_REG_NS] |= val & R_V7M_CONTROL_NPRIV_MASK;
-            }
-            /*
-             * SFPA is RAZ/WI from NS. FPCA is RO if NSACR.CP10 == 0,
-             * RES0 if the FPU is not present, and is stored in the S bank
-             */
-            if (arm_feature(env, ARM_FEATURE_VFP) &&
-                extract32(env->v7m.nsacr, 10, 1)) {
-                env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_FPCA_MASK;
-                env->v7m.control[M_REG_S] |= val & R_V7M_CONTROL_FPCA_MASK;
-            }
-            return;
-        case 0x98: /* SP_NS */
-        {
-            /*
-             * This gives the non-secure SP selected based on whether we're
-             * currently in handler mode or not, using the NS CONTROL.SPSEL.
-             */
-            bool spsel = env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK;
-            bool is_psp = !arm_v7m_is_handler_mode(env) && spsel;
-            uint32_t limit;
-
-            if (!env->v7m.secure) {
-                return;
-            }
-
-            limit = is_psp ? env->v7m.psplim[false] : env->v7m.msplim[false];
-
-            if (val < limit) {
-                CPUState *cs = env_cpu(env);
-
-                cpu_restore_state(cs, GETPC(), true);
-                raise_exception(env, EXCP_STKOF, 0, 1);
-            }
-
-            if (is_psp) {
-                env->v7m.other_ss_psp = val;
-            } else {
-                env->v7m.other_ss_msp = val;
-            }
-            return;
-        }
-        default:
-            break;
-        }
-    }
-
-    switch (reg) {
-    case 0 ... 7: /* xPSR sub-fields */
-        /* only APSR is actually writable */
-        if (!(reg & 4)) {
-            uint32_t apsrmask = 0;
-
-            if (mask & 8) {
-                apsrmask |= XPSR_NZCV | XPSR_Q;
-            }
-            if ((mask & 4) && arm_feature(env, ARM_FEATURE_THUMB_DSP)) {
-                apsrmask |= XPSR_GE;
-            }
-            xpsr_write(env, val, apsrmask);
-        }
-        break;
-    case 8: /* MSP */
-        if (v7m_using_psp(env)) {
-            env->v7m.other_sp = val;
-        } else {
-            env->regs[13] = val;
-        }
-        break;
-    case 9: /* PSP */
-        if (v7m_using_psp(env)) {
-            env->regs[13] = val;
-        } else {
-            env->v7m.other_sp = val;
-        }
-        break;
-    case 10: /* MSPLIM */
-        if (!arm_feature(env, ARM_FEATURE_V8)) {
-            goto bad_reg;
-        }
-        env->v7m.msplim[env->v7m.secure] = val & ~7;
-        break;
-    case 11: /* PSPLIM */
-        if (!arm_feature(env, ARM_FEATURE_V8)) {
-            goto bad_reg;
-        }
-        env->v7m.psplim[env->v7m.secure] = val & ~7;
-        break;
-    case 16: /* PRIMASK */
-        env->v7m.primask[env->v7m.secure] = val & 1;
-        break;
-    case 17: /* BASEPRI */
-        if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
-            goto bad_reg;
-        }
-        env->v7m.basepri[env->v7m.secure] = val & 0xff;
-        break;
-    case 18: /* BASEPRI_MAX */
-        if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
-            goto bad_reg;
-        }
-        val &= 0xff;
-        if (val != 0 && (val < env->v7m.basepri[env->v7m.secure]
-                         || env->v7m.basepri[env->v7m.secure] == 0)) {
-            env->v7m.basepri[env->v7m.secure] = val;
-        }
-        break;
-    case 19: /* FAULTMASK */
-        if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
-            goto bad_reg;
-        }
-        env->v7m.faultmask[env->v7m.secure] = val & 1;
-        break;
-    case 20: /* CONTROL */
-        /*
-         * Writing to the SPSEL bit only has an effect if we are in
-         * thread mode; other bits can be updated by any privileged code.
-         * write_v7m_control_spsel() deals with updating the SPSEL bit in
-         * env->v7m.control, so we only need update the others.
-         * For v7M, we must just ignore explicit writes to SPSEL in handler
-         * mode; for v8M the write is permitted but will have no effect.
-         * All these bits are writes-ignored from non-privileged code,
-         * except for SFPA.
-         */
-        if (cur_el > 0 && (arm_feature(env, ARM_FEATURE_V8) ||
-                           !arm_v7m_is_handler_mode(env))) {
-            write_v7m_control_spsel(env, (val & R_V7M_CONTROL_SPSEL_MASK) != 0);
-        }
-        if (cur_el > 0 && arm_feature(env, ARM_FEATURE_M_MAIN)) {
-            env->v7m.control[env->v7m.secure] &= ~R_V7M_CONTROL_NPRIV_MASK;
-            env->v7m.control[env->v7m.secure] |= val & R_V7M_CONTROL_NPRIV_MASK;
-        }
-        if (arm_feature(env, ARM_FEATURE_VFP)) {
-            /*
-             * SFPA is RAZ/WI from NS or if no FPU.
-             * FPCA is RO if NSACR.CP10 == 0, RES0 if the FPU is not present.
-             * Both are stored in the S bank.
-             */
-            if (env->v7m.secure) {
-                env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
-                env->v7m.control[M_REG_S] |= val & R_V7M_CONTROL_SFPA_MASK;
-            }
-            if (cur_el > 0 &&
-                (env->v7m.secure || !arm_feature(env, ARM_FEATURE_M_SECURITY) ||
-                 extract32(env->v7m.nsacr, 10, 1))) {
-                env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_FPCA_MASK;
-                env->v7m.control[M_REG_S] |= val & R_V7M_CONTROL_FPCA_MASK;
-            }
-        }
-        break;
-    default:
-    bad_reg:
-        qemu_log_mask(LOG_GUEST_ERROR, "Attempt to write unknown special"
-                                       " register %d\n", reg);
-        return;
-    }
-}
-
-uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
-{
-    /* Implement the TT instruction. op is bits [7:6] of the insn. */
-    bool forceunpriv = op & 1;
-    bool alt = op & 2;
-    V8M_SAttributes sattrs = {};
-    uint32_t tt_resp;
-    bool r, rw, nsr, nsrw, mrvalid;
-    int prot;
-    ARMMMUFaultInfo fi = {};
-    MemTxAttrs attrs = {};
-    hwaddr phys_addr;
-    ARMMMUIdx mmu_idx;
-    uint32_t mregion;
-    bool targetpriv;
-    bool targetsec = env->v7m.secure;
-    bool is_subpage;
-
-    /*
-     * Work out what the security state and privilege level we're
-     * interested in is...
-     */
-    if (alt) {
-        targetsec = !targetsec;
-    }
-
-    if (forceunpriv) {
-        targetpriv = false;
-    } else {
-        targetpriv = arm_v7m_is_handler_mode(env) ||
-            !(env->v7m.control[targetsec] & R_V7M_CONTROL_NPRIV_MASK);
-    }
-
-    /* ...and then figure out which MMU index this is */
-    mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, targetsec, targetpriv);
-
-    /*
-     * We know that the MPU and SAU don't care about the access type
-     * for our purposes beyond that we don't want to claim to be
-     * an insn fetch, so we arbitrarily call this a read.
-     */
-
-    /*
-     * MPU region info only available for privileged or if
-     * inspecting the other MPU state.
-     */
-    if (arm_current_el(env) != 0 || alt) {
-        /* We can ignore the return value as prot is always set */
-        pmsav8_mpu_lookup(env, addr, MMU_DATA_LOAD, mmu_idx,
-                          &phys_addr, &attrs, &prot, &is_subpage,
-                          &fi, &mregion);
-        if (mregion == -1) {
-            mrvalid = false;
-            mregion = 0;
-        } else {
-            mrvalid = true;
-        }
-        r = prot & PAGE_READ;
-        rw = prot & PAGE_WRITE;
-    } else {
-        r = false;
-        rw = false;
-        mrvalid = false;
-        mregion = 0;
-    }
-
-    if (env->v7m.secure) {
-        v8m_security_lookup(env, addr, MMU_DATA_LOAD, mmu_idx, &sattrs);
-        nsr = sattrs.ns && r;
-        nsrw = sattrs.ns && rw;
-    } else {
-        sattrs.ns = true;
-        nsr = false;
-        nsrw = false;
-    }
-
-    tt_resp = (sattrs.iregion << 24) |
-        (sattrs.irvalid << 23) |
-        ((!sattrs.ns) << 22) |
-        (nsrw << 21) |
-        (nsr << 20) |
-        (rw << 19) |
-        (r << 18) |
-        (sattrs.srvalid << 17) |
-        (mrvalid << 16) |
-        (sattrs.sregion << 8) |
-        mregion;
-
-    return tt_resp;
-}
-
 #endif
 
 /* Note that signed overflow is undefined in C.  The following routines are
@@ -XXX,XX +XXX,XX @@ int fp_exception_el(CPUARMState *env, int cur_el)
     return 0;
 }
 
-ARMMMUIdx arm_v7m_mmu_idx_all(CPUARMState *env,
-                              bool secstate, bool priv, bool negpri)
-{
-    ARMMMUIdx mmu_idx = ARM_MMU_IDX_M;
-
-    if (priv) {
-        mmu_idx |= ARM_MMU_IDX_M_PRIV;
-    }
-
-    if (negpri) {
-        mmu_idx |= ARM_MMU_IDX_M_NEGPRI;
-    }
-
-    if (secstate) {
-        mmu_idx |= ARM_MMU_IDX_M_S;
-    }
-
-    return mmu_idx;
-}
-
-ARMMMUIdx arm_v7m_mmu_idx_for_secstate_and_priv(CPUARMState *env,
-                                                bool secstate, bool priv)
-{
-    bool negpri = armv7m_nvic_neg_prio_requested(env->nvic, secstate);
-
-    return arm_v7m_mmu_idx_all(env, secstate, priv, negpri);
-}
-
-/* Return the MMU index for a v7M CPU in the specified security state */
+#ifndef CONFIG_TCG
 ARMMMUIdx arm_v7m_mmu_idx_for_secstate(CPUARMState *env, bool secstate)
 {
-    bool priv = arm_current_el(env) != 0;
-
-    return arm_v7m_mmu_idx_for_secstate_and_priv(env, secstate, priv);
+    g_assert_not_reached();
 }
+#endif
 
 ARMMMUIdx arm_mmu_idx(CPUARMState *env)
 {
diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/m_helper.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * ARM generic helpers.
+ *
+ * This code is licensed under the GNU GPL v2 or later.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+#include "qemu/osdep.h"
+#include "qemu/units.h"
+#include "target/arm/idau.h"
+#include "trace.h"
+#include "cpu.h"
+#include "internals.h"
+#include "exec/gdbstub.h"
+#include "exec/helper-proto.h"
+#include "qemu/host-utils.h"
+#include "sysemu/sysemu.h"
+#include "qemu/bitops.h"
+#include "qemu/crc32c.h"
+#include "qemu/qemu-print.h"
+#include "exec/exec-all.h"
+#include <zlib.h> /* For crc32 */
+#include "hw/semihosting/semihost.h"
+#include "sysemu/cpus.h"
+#include "sysemu/kvm.h"
+#include "qemu/range.h"
+#include "qapi/qapi-commands-target.h"
+#include "qapi/error.h"
+#include "qemu/guest-random.h"
+#ifdef CONFIG_TCG
+#include "arm_ldst.h"
+#include "exec/cpu_ldst.h"
+#endif
+
+#ifdef CONFIG_USER_ONLY
+
+/* These should probably raise undefined insn exceptions.  */
+void HELPER(v7m_msr)(CPUARMState *env, uint32_t reg, uint32_t val)
+{
+    ARMCPU *cpu = env_archcpu(env);
+
+    cpu_abort(CPU(cpu), "v7m_msr %d\n", reg);
+}
+
+uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
+{
+    ARMCPU *cpu = env_archcpu(env);
+
+    cpu_abort(CPU(cpu), "v7m_mrs %d\n", reg);
+    return 0;
+}
+
+void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
+{
+    /* translate.c should never generate calls here in user-only mode */
+    g_assert_not_reached();
+}
+
+void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
+{
+    /* translate.c should never generate calls here in user-only mode */
+    g_assert_not_reached();
+}
+
+void HELPER(v7m_preserve_fp_state)(CPUARMState *env)
+{
+    /* translate.c should never generate calls here in user-only mode */
+    g_assert_not_reached();
+}
+
+void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)
+{
+    /* translate.c should never generate calls here in user-only mode */
+    g_assert_not_reached();
+}
+
+void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)
+{
+    /* translate.c should never generate calls here in user-only mode */
+    g_assert_not_reached();
+}
+
+uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
+{
+    /*
+     * The TT instructions can be used by unprivileged code, but in
+     * user-only emulation we don't have the MPU.
+     * Luckily since we know we are NonSecure unprivileged (and that in
+     * turn means that the A flag wasn't specified), all the bits in the
+     * register must be zero:
+     *  IREGION: 0 because IRVALID is 0
+     *  IRVALID: 0 because NS
+     *  S: 0 because NS
+     *  NSRW: 0 because NS
+     *  NSR: 0 because NS
+     *  RW: 0 because unpriv and A flag not set
+     *  R: 0 because unpriv and A flag not set
+     *  SRVALID: 0 because NS
+     *  MRVALID: 0 because unpriv and A flag not set
+     *  SREGION: 0 becaus SRVALID is 0
+     *  MREGION: 0 because MRVALID is 0
+     */
+    return 0;
+}
+
+#else
+
+/*
+ * What kind of stack write are we doing? This affects how exceptions
+ * generated during the stacking are treated.
+ */
+typedef enum StackingMode {
+    STACK_NORMAL,
+    STACK_IGNFAULTS,
+    STACK_LAZYFP,
+} StackingMode;
+
+static bool v7m_stack_write(ARMCPU *cpu, uint32_t addr, uint32_t value,
+                            ARMMMUIdx mmu_idx, StackingMode mode)
+{
+    CPUState *cs = CPU(cpu);
+    CPUARMState *env = &cpu->env;
+    MemTxAttrs attrs = {};
+    MemTxResult txres;
+    target_ulong page_size;
+    hwaddr physaddr;
+    int prot;
+    ARMMMUFaultInfo fi = {};
+    bool secure = mmu_idx & ARM_MMU_IDX_M_S;
+    int exc;
+    bool exc_secure;
+
+    if (get_phys_addr(env, addr, MMU_DATA_STORE, mmu_idx, &physaddr,
+                      &attrs, &prot, &page_size, &fi, NULL)) {
+        /* MPU/SAU lookup failed */
+        if (fi.type == ARMFault_QEMU_SFault) {
+            if (mode == STACK_LAZYFP) {
+                qemu_log_mask(CPU_LOG_INT,
+                              "...SecureFault with SFSR.LSPERR "
+                              "during lazy stacking\n");
+                env->v7m.sfsr |= R_V7M_SFSR_LSPERR_MASK;
+            } else {
+                qemu_log_mask(CPU_LOG_INT,
+                              "...SecureFault with SFSR.AUVIOL "
+                              "during stacking\n");
+                env->v7m.sfsr |= R_V7M_SFSR_AUVIOL_MASK;
+            }
+            env->v7m.sfsr |= R_V7M_SFSR_SFARVALID_MASK;
+            env->v7m.sfar = addr;
+            exc = ARMV7M_EXCP_SECURE;
+            exc_secure = false;
+        } else {
+            if (mode == STACK_LAZYFP) {
+                qemu_log_mask(CPU_LOG_INT,
+                              "...MemManageFault with CFSR.MLSPERR\n");
+                env->v7m.cfsr[secure] |= R_V7M_CFSR_MLSPERR_MASK;
+            } else {
+                qemu_log_mask(CPU_LOG_INT,
+                              "...MemManageFault with CFSR.MSTKERR\n");
+                env->v7m.cfsr[secure] |= R_V7M_CFSR_MSTKERR_MASK;
+            }
+            exc = ARMV7M_EXCP_MEM;
+            exc_secure = secure;
+        }
+        goto pend_fault;
+    }
+    address_space_stl_le(arm_addressspace(cs, attrs), physaddr, value,
+                         attrs, &txres);
+    if (txres != MEMTX_OK) {
+        /* BusFault trying to write the data */
+        if (mode == STACK_LAZYFP) {
+            qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.LSPERR\n");
+            env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_LSPERR_MASK;
+        } else {
+            qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.STKERR\n");
+            env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_STKERR_MASK;
+        }
+        exc = ARMV7M_EXCP_BUS;
+        exc_secure = false;
+        goto pend_fault;
+    }
+    return true;
+
+pend_fault:
+    /*
+     * By pending the exception at this point we are making
+     * the IMPDEF choice "overridden exceptions pended" (see the
+     * MergeExcInfo() pseudocode). The other choice would be to not
+     * pend them now and then make a choice about which to throw away
+     * later if we have two derived exceptions.
+     * The only case when we must not pend the exception but instead
+     * throw it away is if we are doing the push of the callee registers
+     * and we've already generated a derived exception (this is indicated
+     * by the caller passing STACK_IGNFAULTS). Even in this case we will
+     * still update the fault status registers.
+     */
+    switch (mode) {
+    case STACK_NORMAL:
+        armv7m_nvic_set_pending_derived(env->nvic, exc, exc_secure);
+        break;
+    case STACK_LAZYFP:
+        armv7m_nvic_set_pending_lazyfp(env->nvic, exc, exc_secure);
+        break;
+    case STACK_IGNFAULTS:
+        break;
+    }
+    return false;
+}
+
+static bool v7m_stack_read(ARMCPU *cpu, uint32_t *dest, uint32_t addr,
+                           ARMMMUIdx mmu_idx)
+{
+    CPUState *cs = CPU(cpu);
+    CPUARMState *env = &cpu->env;
+    MemTxAttrs attrs = {};
+    MemTxResult txres;
+    target_ulong page_size;
+    hwaddr physaddr;
+    int prot;
+    ARMMMUFaultInfo fi = {};
+    bool secure = mmu_idx & ARM_MMU_IDX_M_S;
+    int exc;
+    bool exc_secure;
+    uint32_t value;
+
+    if (get_phys_addr(env, addr, MMU_DATA_LOAD, mmu_idx, &physaddr,
+                      &attrs, &prot, &page_size, &fi, NULL)) {
+        /* MPU/SAU lookup failed */
+        if (fi.type == ARMFault_QEMU_SFault) {
+            qemu_log_mask(CPU_LOG_INT,
+                          "...SecureFault with SFSR.AUVIOL during unstack\n");
+            env->v7m.sfsr |= R_V7M_SFSR_AUVIOL_MASK | R_V7M_SFSR_SFARVALID_MASK;
+            env->v7m.sfar = addr;
+            exc = ARMV7M_EXCP_SECURE;
+            exc_secure = false;
+        } else {
+            qemu_log_mask(CPU_LOG_INT,
+                          "...MemManageFault with CFSR.MUNSTKERR\n");
+            env->v7m.cfsr[secure] |= R_V7M_CFSR_MUNSTKERR_MASK;
+            exc = ARMV7M_EXCP_MEM;
+            exc_secure = secure;
+        }
+        goto pend_fault;
+    }
+
+    value = address_space_ldl(arm_addressspace(cs, attrs), physaddr,
+                              attrs, &txres);
+    if (txres != MEMTX_OK) {
+        /* BusFault trying to read the data */
+        qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.UNSTKERR\n");
+        env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_UNSTKERR_MASK;
+        exc = ARMV7M_EXCP_BUS;
+        exc_secure = false;
+        goto pend_fault;
+    }
+
+    *dest = value;
+    return true;
+
+pend_fault:
+    /*
+     * By pending the exception at this point we are making
+     * the IMPDEF choice "overridden exceptions pended" (see the
+     * MergeExcInfo() pseudocode). The other choice would be to not
+     * pend them now and then make a choice about which to throw away
+     * later if we have two derived exceptions.
+     */
+    armv7m_nvic_set_pending(env->nvic, exc, exc_secure);
+    return false;
+}
+
+void HELPER(v7m_preserve_fp_state)(CPUARMState *env)
+{
+    /*
+     * Preserve FP state (because LSPACT was set and we are about
+     * to execute an FP instruction). This corresponds to the
+     * PreserveFPState() pseudocode.
+     * We may throw an exception if the stacking fails.
+     */
+    ARMCPU *cpu = env_archcpu(env);
+    bool is_secure = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK;
+    bool negpri = !(env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_HFRDY_MASK);
+    bool is_priv = !(env->v7m.fpccr[is_secure] & R_V7M_FPCCR_USER_MASK);
+    bool splimviol = env->v7m.fpccr[is_secure] & R_V7M_FPCCR_SPLIMVIOL_MASK;
+    uint32_t fpcar = env->v7m.fpcar[is_secure];
+    bool stacked_ok = true;
+    bool ts = is_secure && (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK);
+    bool take_exception;
+
+    /* Take the iothread lock as we are going to touch the NVIC */
+    qemu_mutex_lock_iothread();
+
+    /* Check the background context had access to the FPU */
+    if (!v7m_cpacr_pass(env, is_secure, is_priv)) {
+        armv7m_nvic_set_pending_lazyfp(env->nvic, ARMV7M_EXCP_USAGE, is_secure);
+        env->v7m.cfsr[is_secure] |= R_V7M_CFSR_NOCP_MASK;
+        stacked_ok = false;
+    } else if (!is_secure && !extract32(env->v7m.nsacr, 10, 1)) {
+        armv7m_nvic_set_pending_lazyfp(env->nvic, ARMV7M_EXCP_USAGE, M_REG_S);
+        env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_NOCP_MASK;
+        stacked_ok = false;
+    }
+
+    if (!splimviol && stacked_ok) {
+        /* We only stack if the stack limit wasn't violated */
+        int i;
+        ARMMMUIdx mmu_idx;
+
+        mmu_idx = arm_v7m_mmu_idx_all(env, is_secure, is_priv, negpri);
+        for (i = 0; i < (ts ? 32 : 16); i += 2) {
+            uint64_t dn = *aa32_vfp_dreg(env, i / 2);
+            uint32_t faddr = fpcar + 4 * i;
+            uint32_t slo = extract64(dn, 0, 32);
+            uint32_t shi = extract64(dn, 32, 32);
+
+            if (i >= 16) {
+                faddr += 8; /* skip the slot for the FPSCR */
+            }
+            stacked_ok = stacked_ok &&
+                v7m_stack_write(cpu, faddr, slo, mmu_idx, STACK_LAZYFP) &&
+                v7m_stack_write(cpu, faddr + 4, shi, mmu_idx, STACK_LAZYFP);
+        }
+
+        stacked_ok = stacked_ok &&
+            v7m_stack_write(cpu, fpcar + 0x40,
+                            vfp_get_fpscr(env), mmu_idx, STACK_LAZYFP);
+    }
+
+    /*
+     * We definitely pended an exception, but it's possible that it
+     * might not be able to be taken now. If its priority permits us
+     * to take it now, then we must not update the LSPACT or FP regs,
+     * but instead jump out to take the exception immediately.
+     * If it's just pending and won't be taken until the current
+     * handler exits, then we do update LSPACT and the FP regs.
+     */
+    take_exception = !stacked_ok &&
+        armv7m_nvic_can_take_pending_exception(env->nvic);
+
+    qemu_mutex_unlock_iothread();
+
+    if (take_exception) {
+        raise_exception_ra(env, EXCP_LAZYFP, 0, 1, GETPC());
+    }
+
+    env->v7m.fpccr[is_secure] &= ~R_V7M_FPCCR_LSPACT_MASK;
+
+    if (ts) {
+        /* Clear s0 to s31 and the FPSCR */
+        int i;
+
+        for (i = 0; i < 32; i += 2) {
+            *aa32_vfp_dreg(env, i / 2) = 0;
+        }
+        vfp_set_fpscr(env, 0);
+    }
+    /*
+     * Otherwise s0 to s15 and FPSCR are UNKNOWN; we choose to leave them
+     * unchanged.
+     */
+}
+
+/*
+ * Write to v7M CONTROL.SPSEL bit for the specified security bank.
+ * This may change the current stack pointer between Main and Process
+ * stack pointers if it is done for the CONTROL register for the current
+ * security state.
+ */
+static void write_v7m_control_spsel_for_secstate(CPUARMState *env,
+                                                 bool new_spsel,
+                                                 bool secstate)
+{
+    bool old_is_psp = v7m_using_psp(env);
+
+    env->v7m.control[secstate] =
+        deposit32(env->v7m.control[secstate],
+                  R_V7M_CONTROL_SPSEL_SHIFT,
+                  R_V7M_CONTROL_SPSEL_LENGTH, new_spsel);
+
+    if (secstate == env->v7m.secure) {
+        bool new_is_psp = v7m_using_psp(env);
+        uint32_t tmp;
+
+        if (old_is_psp != new_is_psp) {
+            tmp = env->v7m.other_sp;
+            env->v7m.other_sp = env->regs[13];
+            env->regs[13] = tmp;
+        }
+    }
+}
+
+/*
+ * Write to v7M CONTROL.SPSEL bit. This may change the current
+ * stack pointer between Main and Process stack pointers.
+ */
+static void write_v7m_control_spsel(CPUARMState *env, bool new_spsel)
+{
+    write_v7m_control_spsel_for_secstate(env, new_spsel, env->v7m.secure);
+}
+
+void write_v7m_exception(CPUARMState *env, uint32_t new_exc)
+{
+    /*
+     * Write a new value to v7m.exception, thus transitioning into or out
+     * of Handler mode; this may result in a change of active stack pointer.
+     */
+    bool new_is_psp, old_is_psp = v7m_using_psp(env);
+    uint32_t tmp;
+
+    env->v7m.exception = new_exc;
+
+    new_is_psp = v7m_using_psp(env);
+
+    if (old_is_psp != new_is_psp) {
+        tmp = env->v7m.other_sp;
+        env->v7m.other_sp = env->regs[13];
+        env->regs[13] = tmp;
+    }
+}
+
+/* Switch M profile security state between NS and S */
+static void switch_v7m_security_state(CPUARMState *env, bool new_secstate)
+{
+    uint32_t new_ss_msp, new_ss_psp;
+
+    if (env->v7m.secure == new_secstate) {
+        return;
+    }
+
+    /*
+     * All the banked state is accessed by looking at env->v7m.secure
+     * except for the stack pointer; rearrange the SP appropriately.
+     */
+    new_ss_msp = env->v7m.other_ss_msp;
+    new_ss_psp = env->v7m.other_ss_psp;
+
+    if (v7m_using_psp(env)) {
+        env->v7m.other_ss_psp = env->regs[13];
+        env->v7m.other_ss_msp = env->v7m.other_sp;
+    } else {
+        env->v7m.other_ss_msp = env->regs[13];
+        env->v7m.other_ss_psp = env->v7m.other_sp;
+    }
+
+    env->v7m.secure = new_secstate;
+
+    if (v7m_using_psp(env)) {
+        env->regs[13] = new_ss_psp;
+        env->v7m.other_sp = new_ss_msp;
+    } else {
+        env->regs[13] = new_ss_msp;
+        env->v7m.other_sp = new_ss_psp;
+    }
+}
+
+void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
+{
+    /*
+     * Handle v7M BXNS:
+     *  - if the return value is a magic value, do exception return (like BX)
+     *  - otherwise bit 0 of the return value is the target security state
+     */
+    uint32_t min_magic;
+
+    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+        /* Covers FNC_RETURN and EXC_RETURN magic */
+        min_magic = FNC_RETURN_MIN_MAGIC;
+    } else {
+        /* EXC_RETURN magic only */
+        min_magic = EXC_RETURN_MIN_MAGIC;
+    }
+
+    if (dest >= min_magic) {
+        /*
+         * This is an exception return magic value; put it where
+         * do_v7m_exception_exit() expects and raise EXCEPTION_EXIT.
+         * Note that if we ever add gen_ss_advance() singlestep support to
+         * M profile this should count as an "instruction execution complete"
+         * event (compare gen_bx_excret_final_code()).
+         */
+        env->regs[15] = dest & ~1;
+        env->thumb = dest & 1;
+        HELPER(exception_internal)(env, EXCP_EXCEPTION_EXIT);
+        /* notreached */
+    }
+
+    /* translate.c should have made BXNS UNDEF unless we're secure */
+    assert(env->v7m.secure);
+
+    if (!(dest & 1)) {
+        env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
+    }
+    switch_v7m_security_state(env, dest & 1);
+    env->thumb = 1;
+    env->regs[15] = dest & ~1;
+}
+
+void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
+{
+    /*
+     * Handle v7M BLXNS:
+     *  - bit 0 of the destination address is the target security state
+     */
+
+    /* At this point regs[15] is the address just after the BLXNS */
+    uint32_t nextinst = env->regs[15] | 1;
+    uint32_t sp = env->regs[13] - 8;
+    uint32_t saved_psr;
+
+    /* translate.c will have made BLXNS UNDEF unless we're secure */
+    assert(env->v7m.secure);
+
+    if (dest & 1) {
+        /*
+         * Target is Secure, so this is just a normal BLX,
+         * except that the low bit doesn't indicate Thumb/not.
+         */
+        env->regs[14] = nextinst;
+        env->thumb = 1;
+        env->regs[15] = dest & ~1;
+        return;
+    }
+
+    /* Target is non-secure: first push a stack frame */
+    if (!QEMU_IS_ALIGNED(sp, 8)) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "BLXNS with misaligned SP is UNPREDICTABLE\n");
+    }
+
+    if (sp < v7m_sp_limit(env)) {
+        raise_exception(env, EXCP_STKOF, 0, 1);
+    }
+
+    saved_psr = env->v7m.exception;
+    if (env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK) {
+        saved_psr |= XPSR_SFPA;
+    }
+
+    /* Note that these stores can throw exceptions on MPU faults */
+    cpu_stl_data(env, sp, nextinst);
+    cpu_stl_data(env, sp + 4, saved_psr);
+
+    env->regs[13] = sp;
+    env->regs[14] = 0xfeffffff;
+    if (arm_v7m_is_handler_mode(env)) {
+        /*
+         * Write a dummy value to IPSR, to avoid leaking the current secure
+         * exception number to non-secure code. This is guaranteed not
+         * to cause write_v7m_exception() to actually change stacks.
+         */
+        write_v7m_exception(env, 1);
+    }
+    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
+    switch_v7m_security_state(env, 0);
+    env->thumb = 1;
+    env->regs[15] = dest;
+}
+
+static uint32_t *get_v7m_sp_ptr(CPUARMState *env, bool secure, bool threadmode,
+                                bool spsel)
+{
+    /*
+     * Return a pointer to the location where we currently store the
+     * stack pointer for the requested security state and thread mode.
+     * This pointer will become invalid if the CPU state is updated
+     * such that the stack pointers are switched around (eg changing
+     * the SPSEL control bit).
+     * Compare the v8M ARM ARM pseudocode LookUpSP_with_security_mode().
+     * Unlike that pseudocode, we require the caller to pass us in the
+     * SPSEL control bit value; this is because we also use this
+     * function in handling of pushing of the callee-saves registers
+     * part of the v8M stack frame (pseudocode PushCalleeStack()),
+     * and in the tailchain codepath the SPSEL bit comes from the exception
+     * return magic LR value from the previous exception. The pseudocode
+     * opencodes the stack-selection in PushCalleeStack(), but we prefer
+     * to make this utility function generic enough to do the job.
+     */
+    bool want_psp = threadmode && spsel;
+
+    if (secure == env->v7m.secure) {
+        if (want_psp == v7m_using_psp(env)) {
+            return &env->regs[13];
+        } else {
+            return &env->v7m.other_sp;
+        }
+    } else {
+        if (want_psp) {
+            return &env->v7m.other_ss_psp;
+        } else {
+            return &env->v7m.other_ss_msp;
+        }
+    }
+}
+
+static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
+                                uint32_t *pvec)
+{
+    CPUState *cs = CPU(cpu);
+    CPUARMState *env = &cpu->env;
+    MemTxResult result;
+    uint32_t addr = env->v7m.vecbase[targets_secure] + exc * 4;
+    uint32_t vector_entry;
+    MemTxAttrs attrs = {};
+    ARMMMUIdx mmu_idx;
+    bool exc_secure;
+
+    mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, targets_secure, true);
+
+    /*
+     * We don't do a get_phys_addr() here because the rules for vector
+     * loads are special: they always use the default memory map, and
+     * the default memory map permits reads from all addresses.
+     * Since there's no easy way to pass through to pmsav8_mpu_lookup()
+     * that we want this special case which would always say "yes",
+     * we just do the SAU lookup here followed by a direct physical load.
+     */
+    attrs.secure = targets_secure;
+    attrs.user = false;
+
+    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+        V8M_SAttributes sattrs = {};
+
+        v8m_security_lookup(env, addr, MMU_DATA_LOAD, mmu_idx, &sattrs);
+        if (sattrs.ns) {
+            attrs.secure = false;
+        } else if (!targets_secure) {
+            /* NS access to S memory */
+            goto load_fail;
+        }
+    }
+
+    vector_entry = address_space_ldl(arm_addressspace(cs, attrs), addr,
+                                     attrs, &result);
+    if (result != MEMTX_OK) {
+        goto load_fail;
+    }
+    *pvec = vector_entry;
+    return true;
+
+load_fail:
+    /*
+     * All vector table fetch fails are reported as HardFault, with
+     * HFSR.VECTTBL and .FORCED set. (FORCED is set because
+     * technically the underlying exception is a MemManage or BusFault
+     * that is escalated to HardFault.) This is a terminal exception,
+     * so we will either take the HardFault immediately or else enter
+     * lockup (the latter case is handled in armv7m_nvic_set_pending_derived()).
+     */
+    exc_secure = targets_secure ||
+        !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
+    env->v7m.hfsr |= R_V7M_HFSR_VECTTBL_MASK | R_V7M_HFSR_FORCED_MASK;
+    armv7m_nvic_set_pending_derived(env->nvic, ARMV7M_EXCP_HARD, exc_secure);
+    return false;
+}
+
+static uint32_t v7m_integrity_sig(CPUARMState *env, uint32_t lr)
+{
+    /*
+     * Return the integrity signature value for the callee-saves
+     * stack frame section. @lr is the exception return payload/LR value
+     * whose FType bit forms bit 0 of the signature if FP is present.
+     */
+    uint32_t sig = 0xfefa125a;
+
+    if (!arm_feature(env, ARM_FEATURE_VFP) || (lr & R_V7M_EXCRET_FTYPE_MASK)) {
+        sig |= 1;
+    }
+    return sig;
+}
+
+static bool v7m_push_callee_stack(ARMCPU *cpu, uint32_t lr, bool dotailchain,
+                                  bool ignore_faults)
+{
+    /*
+     * For v8M, push the callee-saves register part of the stack frame.
+     * Compare the v8M pseudocode PushCalleeStack().
+     * In the tailchaining case this may not be the current stack.
+     */
+    CPUARMState *env = &cpu->env;
+    uint32_t *frame_sp_p;
+    uint32_t frameptr;
+    ARMMMUIdx mmu_idx;
+    bool stacked_ok;
+    uint32_t limit;
+    bool want_psp;
+    uint32_t sig;
+    StackingMode smode = ignore_faults ? STACK_IGNFAULTS : STACK_NORMAL;
+
+    if (dotailchain) {
+        bool mode = lr & R_V7M_EXCRET_MODE_MASK;
+        bool priv = !(env->v7m.control[M_REG_S] & R_V7M_CONTROL_NPRIV_MASK) ||
+            !mode;
+
+        mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, M_REG_S, priv);
+        frame_sp_p = get_v7m_sp_ptr(env, M_REG_S, mode,
+                                    lr & R_V7M_EXCRET_SPSEL_MASK);
+        want_psp = mode && (lr & R_V7M_EXCRET_SPSEL_MASK);
+        if (want_psp) {
+            limit = env->v7m.psplim[M_REG_S];
+        } else {
+            limit = env->v7m.msplim[M_REG_S];
+        }
+    } else {
+        mmu_idx = arm_mmu_idx(env);
+        frame_sp_p = &env->regs[13];
+        limit = v7m_sp_limit(env);
+    }
+
+    frameptr = *frame_sp_p - 0x28;
+    if (frameptr < limit) {
+        /*
+         * Stack limit failure: set SP to the limit value, and generate
+         * STKOF UsageFault. Stack pushes below the limit must not be
+         * performed. It is IMPDEF whether pushes above the limit are
+         * performed; we choose not to.
+         */
+        qemu_log_mask(CPU_LOG_INT,
+                      "...STKOF during callee-saves register stacking\n");
+        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
+                                env->v7m.secure);
+        *frame_sp_p = limit;
+        return true;
+    }
+
+    /*
+     * Write as much of the stack frame as we can. A write failure may
+     * cause us to pend a derived exception.
+     */
+    sig = v7m_integrity_sig(env, lr);
+    stacked_ok =
+        v7m_stack_write(cpu, frameptr, sig, mmu_idx, smode) &&
+        v7m_stack_write(cpu, frameptr + 0x8, env->regs[4], mmu_idx, smode) &&
+        v7m_stack_write(cpu, frameptr + 0xc, env->regs[5], mmu_idx, smode) &&
+        v7m_stack_write(cpu, frameptr + 0x10, env->regs[6], mmu_idx, smode) &&
+        v7m_stack_write(cpu, frameptr + 0x14, env->regs[7], mmu_idx, smode) &&
+        v7m_stack_write(cpu, frameptr + 0x18, env->regs[8], mmu_idx, smode) &&
+        v7m_stack_write(cpu, frameptr + 0x1c, env->regs[9], mmu_idx, smode) &&
+        v7m_stack_write(cpu, frameptr + 0x20, env->regs[10], mmu_idx, smode) &&
+        v7m_stack_write(cpu, frameptr + 0x24, env->regs[11], mmu_idx, smode);
+
+    /* Update SP regardless of whether any of the stack accesses failed. */
+    *frame_sp_p = frameptr;
+
+    return !stacked_ok;
+}
+
+static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
+                                bool ignore_stackfaults)
+{
+    /*
+     * Do the "take the exception" parts of exception entry,
+     * but not the pushing of state to the stack. This is
+     * similar to the pseudocode ExceptionTaken() function.
+     */
+    CPUARMState *env = &cpu->env;
+    uint32_t addr;
+    bool targets_secure;
+    int exc;
+    bool push_failed = false;
+
+    armv7m_nvic_get_pending_irq_info(env->nvic, &exc, &targets_secure);
+    qemu_log_mask(CPU_LOG_INT, "...taking pending %s exception %d\n",
+                  targets_secure ? "secure" : "nonsecure", exc);
+
+    if (dotailchain) {
+        /* Sanitize LR FType and PREFIX bits */
+        if (!arm_feature(env, ARM_FEATURE_VFP)) {
+            lr |= R_V7M_EXCRET_FTYPE_MASK;
+        }
+        lr = deposit32(lr, 24, 8, 0xff);
+    }
+
+    if (arm_feature(env, ARM_FEATURE_V8)) {
+        if (arm_feature(env, ARM_FEATURE_M_SECURITY) &&
+            (lr & R_V7M_EXCRET_S_MASK)) {
+            /*
+             * The background code (the owner of the registers in the
+             * exception frame) is Secure. This means it may either already
+             * have or now needs to push callee-saves registers.
+             */
+            if (targets_secure) {
+                if (dotailchain && !(lr & R_V7M_EXCRET_ES_MASK)) {
+                    /*
+                     * We took an exception from Secure to NonSecure
+                     * (which means the callee-saved registers got stacked)
+                     * and are now tailchaining to a Secure exception.
+                     * Clear DCRS so eventual return from this Secure
+                     * exception unstacks the callee-saved registers.
+                     */
+                    lr &= ~R_V7M_EXCRET_DCRS_MASK;
+                }
+            } else {
+                /*
+                 * We're going to a non-secure exception; push the
+                 * callee-saves registers to the stack now, if they're
+                 * not already saved.
+                 */
+                if (lr & R_V7M_EXCRET_DCRS_MASK &&
+                    !(dotailchain && !(lr & R_V7M_EXCRET_ES_MASK))) {
+                    push_failed = v7m_push_callee_stack(cpu, lr, dotailchain,
+                                                        ignore_stackfaults);
+                }
+                lr |= R_V7M_EXCRET_DCRS_MASK;
+            }
+        }
+
+        lr &= ~R_V7M_EXCRET_ES_MASK;
+        if (targets_secure || !arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+            lr |= R_V7M_EXCRET_ES_MASK;
+        }
+        lr &= ~R_V7M_EXCRET_SPSEL_MASK;
+        if (env->v7m.control[targets_secure] & R_V7M_CONTROL_SPSEL_MASK) {
+            lr |= R_V7M_EXCRET_SPSEL_MASK;
+        }
+
+        /*
+         * Clear registers if necessary to prevent non-secure exception
+         * code being able to see register values from secure code.
+         * Where register values become architecturally UNKNOWN we leave
+         * them with their previous values.
+         */
+        if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+            if (!targets_secure) {
+                /*
+                 * Always clear the caller-saved registers (they have been
+                 * pushed to the stack earlier in v7m_push_stack()).
+                 * Clear callee-saved registers if the background code is
+                 * Secure (in which case these regs were saved in
+                 * v7m_push_callee_stack()).
+                 */
+                int i;
+
+                for (i = 0; i < 13; i++) {
+                    /* r4..r11 are callee-saves, zero only if EXCRET.S == 1 */
+                    if (i < 4 || i > 11 || (lr & R_V7M_EXCRET_S_MASK)) {
+                        env->regs[i] = 0;
+                    }
+                }
+                /* Clear EAPSR */
+                xpsr_write(env, 0, XPSR_NZCV | XPSR_Q | XPSR_GE | XPSR_IT);
+            }
+        }
+    }
+
+    if (push_failed && !ignore_stackfaults) {
+        /*
+         * Derived exception on callee-saves register stacking:
+         * we might now want to take a different exception which
+         * targets a different security state, so try again from the top.
+         */
+        qemu_log_mask(CPU_LOG_INT,
+                      "...derived exception on callee-saves register stacking");
+        v7m_exception_taken(cpu, lr, true, true);
+        return;
+    }
+
+    if (!arm_v7m_load_vector(cpu, exc, targets_secure, &addr)) {
+        /* Vector load failed: derived exception */
+        qemu_log_mask(CPU_LOG_INT, "...derived exception on vector table load");
+        v7m_exception_taken(cpu, lr, true, true);
+        return;
+    }
+
+    /*
+     * Now we've done everything that might cause a derived exception
+     * we can go ahead and activate whichever exception we're going to
+     * take (which might now be the derived exception).
+     */
+    armv7m_nvic_acknowledge_irq(env->nvic);
+
+    /* Switch to target security state -- must do this before writing SPSEL */
+    switch_v7m_security_state(env, targets_secure);
+    write_v7m_control_spsel(env, 0);
+    arm_clear_exclusive(env);
+    /* Clear SFPA and FPCA (has no effect if no FPU) */
+    env->v7m.control[M_REG_S] &=
+        ~(R_V7M_CONTROL_FPCA_MASK | R_V7M_CONTROL_SFPA_MASK);
+    /* Clear IT bits */
+    env->condexec_bits = 0;
+    env->regs[14] = lr;
+    env->regs[15] = addr & 0xfffffffe;
+    env->thumb = addr & 1;
+}
+
+static void v7m_update_fpccr(CPUARMState *env, uint32_t frameptr,
+                             bool apply_splim)
+{
+    /*
+     * Like the pseudocode UpdateFPCCR: save state in FPCAR and FPCCR
+     * that we will need later in order to do lazy FP reg stacking.
+     */
+    bool is_secure = env->v7m.secure;
+    void *nvic = env->nvic;
+    /*
+     * Some bits are unbanked and live always in fpccr[M_REG_S]; some bits
+     * are banked and we want to update the bit in the bank for the
+     * current security state; and in one case we want to specifically
+     * update the NS banked version of a bit even if we are secure.
+     */
+    uint32_t *fpccr_s = &env->v7m.fpccr[M_REG_S];
+    uint32_t *fpccr_ns = &env->v7m.fpccr[M_REG_NS];
+    uint32_t *fpccr = &env->v7m.fpccr[is_secure];
+    bool hfrdy, bfrdy, mmrdy, ns_ufrdy, s_ufrdy, sfrdy, monrdy;
+
+    env->v7m.fpcar[is_secure] = frameptr & ~0x7;
+
+    if (apply_splim && arm_feature(env, ARM_FEATURE_V8)) {
+        bool splimviol;
+        uint32_t splim = v7m_sp_limit(env);
+        bool ign = armv7m_nvic_neg_prio_requested(nvic, is_secure) &&
+            (env->v7m.ccr[is_secure] & R_V7M_CCR_STKOFHFNMIGN_MASK);
+
+        splimviol = !ign && frameptr < splim;
+        *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, SPLIMVIOL, splimviol);
+    }
+
+    *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, LSPACT, 1);
+
+    *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, S, is_secure);
+
+    *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, USER, arm_current_el(env) == 0);
+
+    *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, THREAD,
+                        !arm_v7m_is_handler_mode(env));
+
+    hfrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_HARD, false);
+    *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, HFRDY, hfrdy);
+
+    bfrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_BUS, false);
+    *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, BFRDY, bfrdy);
+
+    mmrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_MEM, is_secure);
+    *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, MMRDY, mmrdy);
+
+    ns_ufrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_USAGE, false);
+    *fpccr_ns = FIELD_DP32(*fpccr_ns, V7M_FPCCR, UFRDY, ns_ufrdy);
+
+    monrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_DEBUG, false);
+    *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, MONRDY, monrdy);
+
+    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+        s_ufrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_USAGE, true);
+        *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, UFRDY, s_ufrdy);
+
+        sfrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_SECURE, false);
+        *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, SFRDY, sfrdy);
+    }
+}
+
+void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)
+{
+    /* fptr is the value of Rn, the frame pointer we store the FP regs to */
+    bool s = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK;
+    bool lspact = env->v7m.fpccr[s] & R_V7M_FPCCR_LSPACT_MASK;
+
+    assert(env->v7m.secure);
+
+    if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK)) {
+        return;
+    }
+
+    /* Check access to the coprocessor is permitted */
+    if (!v7m_cpacr_pass(env, true, arm_current_el(env) != 0)) {
+        raise_exception_ra(env, EXCP_NOCP, 0, 1, GETPC());
+    }
+
+    if (lspact) {
+        /* LSPACT should not be active when there is active FP state */
+        raise_exception_ra(env, EXCP_LSERR, 0, 1, GETPC());
+    }
+
+    if (fptr & 7) {
+        raise_exception_ra(env, EXCP_UNALIGNED, 0, 1, GETPC());
+    }
+
+    /*
+     * Note that we do not use v7m_stack_write() here, because the
+     * accesses should not set the FSR bits for stacking errors if they
+     * fail. (In pseudocode terms, they are AccType_NORMAL, not AccType_STACK
+     * or AccType_LAZYFP). Faults in cpu_stl_data() will throw exceptions
+     * and longjmp out.
+     */
+    if (!(env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPEN_MASK)) {
+        bool ts = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK;
+        int i;
+
+        for (i = 0; i < (ts ? 32 : 16); i += 2) {
+            uint64_t dn = *aa32_vfp_dreg(env, i / 2);
+            uint32_t faddr = fptr + 4 * i;
+            uint32_t slo = extract64(dn, 0, 32);
+            uint32_t shi = extract64(dn, 32, 32);
+
+            if (i >= 16) {
+                faddr += 8; /* skip the slot for the FPSCR */
+            }
+            cpu_stl_data(env, faddr, slo);
+            cpu_stl_data(env, faddr + 4, shi);
+        }
+        cpu_stl_data(env, fptr + 0x40, vfp_get_fpscr(env));
+
+        /*
+         * If TS is 0 then s0 to s15 and FPSCR are UNKNOWN; we choose to
+         * leave them unchanged, matching our choice in v7m_preserve_fp_state.
+         */
+        if (ts) {
+            for (i = 0; i < 32; i += 2) {
+                *aa32_vfp_dreg(env, i / 2) = 0;
+            }
+            vfp_set_fpscr(env, 0);
+        }
+    } else {
+        v7m_update_fpccr(env, fptr, false);
+    }
+
+    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_FPCA_MASK;
+}
+
+void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)
+{
+    /* fptr is the value of Rn, the frame pointer we load the FP regs from */
+    assert(env->v7m.secure);
+
+    if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK)) {
+        return;
+    }
+
+    /* Check access to the coprocessor is permitted */
+    if (!v7m_cpacr_pass(env, true, arm_current_el(env) != 0)) {
+        raise_exception_ra(env, EXCP_NOCP, 0, 1, GETPC());
+    }
+
+    if (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPACT_MASK) {
+        /* State in FP is still valid */
+        env->v7m.fpccr[M_REG_S] &= ~R_V7M_FPCCR_LSPACT_MASK;
+    } else {
+        bool ts = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK;
+        int i;
+        uint32_t fpscr;
+
+        if (fptr & 7) {
+            raise_exception_ra(env, EXCP_UNALIGNED, 0, 1, GETPC());
+        }
+
+        for (i = 0; i < (ts ? 32 : 16); i += 2) {
+            uint32_t slo, shi;
+            uint64_t dn;
+            uint32_t faddr = fptr + 4 * i;
+
+            if (i >= 16) {
+                faddr += 8; /* skip the slot for the FPSCR */
+            }
+
+            slo = cpu_ldl_data(env, faddr);
+            shi = cpu_ldl_data(env, faddr + 4);
+
+            dn = (uint64_t) shi << 32 | slo;
+            *aa32_vfp_dreg(env, i / 2) = dn;
+        }
+        fpscr = cpu_ldl_data(env, fptr + 0x40);
+        vfp_set_fpscr(env, fpscr);
+    }
+
+    env->v7m.control[M_REG_S] |= R_V7M_CONTROL_FPCA_MASK;
+}
+
+static bool v7m_push_stack(ARMCPU *cpu)
+{
+    /*
+     * Do the "set up stack frame" part of exception entry,
+     * similar to pseudocode PushStack().
+     * Return true if we generate a derived exception (and so
+     * should ignore further stack faults trying to process
+     * that derived exception.)
+     */
+    bool stacked_ok = true, limitviol = false;
+    CPUARMState *env = &cpu->env;
+    uint32_t xpsr = xpsr_read(env);
+    uint32_t frameptr = env->regs[13];
+    ARMMMUIdx mmu_idx = arm_mmu_idx(env);
+    uint32_t framesize;
+    bool nsacr_cp10 = extract32(env->v7m.nsacr, 10, 1);
+
+    if ((env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK) &&
+        (env->v7m.secure || nsacr_cp10)) {
+        if (env->v7m.secure &&
+            env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK) {
+            framesize = 0xa8;
+        } else {
+            framesize = 0x68;
+        }
+    } else {
+        framesize = 0x20;
+    }
+
+    /* Align stack pointer if the guest wants that */
+    if ((frameptr & 4) &&
+        (env->v7m.ccr[env->v7m.secure] & R_V7M_CCR_STKALIGN_MASK)) {
+        frameptr -= 4;
+        xpsr |= XPSR_SPREALIGN;
+    }
+
+    xpsr &= ~XPSR_SFPA;
+    if (env->v7m.secure &&
+        (env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK)) {
+        xpsr |= XPSR_SFPA;
+    }
+
+    frameptr -= framesize;
+
+    if (arm_feature(env, ARM_FEATURE_V8)) {
+        uint32_t limit = v7m_sp_limit(env);
+
+        if (frameptr < limit) {
+            /*
+             * Stack limit failure: set SP to the limit value, and generate
+             * STKOF UsageFault. Stack pushes below the limit must not be
+             * performed. It is IMPDEF whether pushes above the limit are
+             * performed; we choose not to.
+             */
+            qemu_log_mask(CPU_LOG_INT,
+                          "...STKOF during stacking\n");
+            env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;
+            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
+                                    env->v7m.secure);
+            env->regs[13] = limit;
+            /*
+             * We won't try to perform any further memory accesses but
+             * we must continue through the following code to check for
+             * permission faults during FPU state preservation, and we
+             * must update FPCCR if lazy stacking is enabled.
+             */
+            limitviol = true;
+            stacked_ok = false;
+        }
+    }
+
+    /*
+     * Write as much of the stack frame as we can. If we fail a stack
+     * write this will result in a derived exception being pended
+     * (which may be taken in preference to the one we started with
+     * if it has higher priority).
+     */
+    stacked_ok = stacked_ok &&
+        v7m_stack_write(cpu, frameptr, env->regs[0], mmu_idx, STACK_NORMAL) &&
+        v7m_stack_write(cpu, frameptr + 4, env->regs[1],
+                        mmu_idx, STACK_NORMAL) &&
+        v7m_stack_write(cpu, frameptr + 8, env->regs[2],
+                        mmu_idx, STACK_NORMAL) &&
+        v7m_stack_write(cpu, frameptr + 12, env->regs[3],
+                        mmu_idx, STACK_NORMAL) &&
+        v7m_stack_write(cpu, frameptr + 16, env->regs[12],
+                        mmu_idx, STACK_NORMAL) &&
+        v7m_stack_write(cpu, frameptr + 20, env->regs[14],
+                        mmu_idx, STACK_NORMAL) &&
+        v7m_stack_write(cpu, frameptr + 24, env->regs[15],
+                        mmu_idx, STACK_NORMAL) &&
+        v7m_stack_write(cpu, frameptr + 28, xpsr, mmu_idx, STACK_NORMAL);
+
+    if (env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK) {
+        /* FPU is active, try to save its registers */
+        bool fpccr_s = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK;
+        bool lspact = env->v7m.fpccr[fpccr_s] & R_V7M_FPCCR_LSPACT_MASK;
+
+        if (lspact && arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+            qemu_log_mask(CPU_LOG_INT,
+                          "...SecureFault because LSPACT and FPCA both set\n");
+            env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
+            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
+        } else if (!env->v7m.secure && !nsacr_cp10) {
+            qemu_log_mask(CPU_LOG_INT,
+                          "...Secure UsageFault with CFSR.NOCP because "
+                          "NSACR.CP10 prevents stacking FP regs\n");
+            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, M_REG_S);
+            env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_NOCP_MASK;
+        } else {
+            if (!(env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPEN_MASK)) {
+                /* Lazy stacking disabled, save registers now */
+                int i;
+                bool cpacr_pass = v7m_cpacr_pass(env, env->v7m.secure,
+                                                 arm_current_el(env) != 0);
+
+                if (stacked_ok && !cpacr_pass) {
+                    /*
+                     * Take UsageFault if CPACR forbids access. The pseudocode
+                     * here does a full CheckCPEnabled() but we know the NSACR
+                     * check can never fail as we have already handled that.
+                     */
+                    qemu_log_mask(CPU_LOG_INT,
+                                  "...UsageFault with CFSR.NOCP because "
+                                  "CPACR.CP10 prevents stacking FP regs\n");
+                    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
+                                            env->v7m.secure);
+                    env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_NOCP_MASK;
+                    stacked_ok = false;
+                }
+
+                for (i = 0; i < ((framesize == 0xa8) ? 32 : 16); i += 2) {
+                    uint64_t dn = *aa32_vfp_dreg(env, i / 2);
+                    uint32_t faddr = frameptr + 0x20 + 4 * i;
+                    uint32_t slo = extract64(dn, 0, 32);
+                    uint32_t shi = extract64(dn, 32, 32);
+
+                    if (i >= 16) {
+                        faddr += 8; /* skip the slot for the FPSCR */
+                    }
+                    stacked_ok = stacked_ok &&
+                        v7m_stack_write(cpu, faddr, slo,
+                                        mmu_idx, STACK_NORMAL) &&
+                        v7m_stack_write(cpu, faddr + 4, shi,
+                                        mmu_idx, STACK_NORMAL);
+                }
+                stacked_ok = stacked_ok &&
+                    v7m_stack_write(cpu, frameptr + 0x60,
+                                    vfp_get_fpscr(env), mmu_idx, STACK_NORMAL);
+                if (cpacr_pass) {
+                    for (i = 0; i < ((framesize == 0xa8) ? 32 : 16); i += 2) {
+                        *aa32_vfp_dreg(env, i / 2) = 0;
+                    }
+                    vfp_set_fpscr(env, 0);
+                }
+            } else {
+                /* Lazy stacking enabled, save necessary info to stack later */
+                v7m_update_fpccr(env, frameptr + 0x20, true);
+            }
+        }
+    }
+
+    /*
+     * If we broke a stack limit then SP was already updated earlier;
+     * otherwise we update SP regardless of whether any of the stack
+     * accesses failed or we took some other kind of fault.
+     */
+    if (!limitviol) {
+        env->regs[13] = frameptr;
+    }
+
+    return !stacked_ok;
+}
+
+static void do_v7m_exception_exit(ARMCPU *cpu)
+{
+    CPUARMState *env = &cpu->env;
+    uint32_t excret;
+    uint32_t xpsr, xpsr_mask;
+    bool ufault = false;
+    bool sfault = false;
+    bool return_to_sp_process;
+    bool return_to_handler;
+    bool rettobase = false;
+    bool exc_secure = false;
+    bool return_to_secure;
+    bool ftype;
+    bool restore_s16_s31;
+
+    /*
+     * If we're not in Handler mode then jumps to magic exception-exit
+     * addresses don't have magic behaviour. However for the v8M
+     * security extensions the magic secure-function-return has to
+     * work in thread mode too, so to avoid doing an extra check in
+     * the generated code we allow exception-exit magic to also cause the
+     * internal exception and bring us here in thread mode. Correct code
+     * will never try to do this (the following insn fetch will always
+     * fault) so we the overhead of having taken an unnecessary exception
+     * doesn't matter.
+     */
+    if (!arm_v7m_is_handler_mode(env)) {
+        return;
+    }
+
+    /*
+     * In the spec pseudocode ExceptionReturn() is called directly
+     * from BXWritePC() and gets the full target PC value including
+     * bit zero. In QEMU's implementation we treat it as a normal
+     * jump-to-register (which is then caught later on), and so split
+     * the target value up between env->regs[15] and env->thumb in
+     * gen_bx(). Reconstitute it.
+     */
+    excret = env->regs[15];
+    if (env->thumb) {
+        excret |= 1;
+    }
+
+    qemu_log_mask(CPU_LOG_INT, "Exception return: magic PC %" PRIx32
+                  " previous exception %d\n",
+                  excret, env->v7m.exception);
+
+    if ((excret & R_V7M_EXCRET_RES1_MASK) != R_V7M_EXCRET_RES1_MASK) {
+        qemu_log_mask(LOG_GUEST_ERROR, "M profile: zero high bits in exception "
+                      "exit PC value 0x%" PRIx32 " are UNPREDICTABLE\n",
+                      excret);
+    }
+
+    ftype = excret & R_V7M_EXCRET_FTYPE_MASK;
+
+    if (!arm_feature(env, ARM_FEATURE_VFP) && !ftype) {
+        qemu_log_mask(LOG_GUEST_ERROR, "M profile: zero FTYPE in exception "
+                      "exit PC value 0x%" PRIx32 " is UNPREDICTABLE "
+                      "if FPU not present\n",
+                      excret);
+        ftype = true;
+    }
+
+    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+        /*
+         * EXC_RETURN.ES validation check (R_SMFL). We must do this before
+         * we pick which FAULTMASK to clear.
+         */
+        if (!env->v7m.secure &&
+            ((excret & R_V7M_EXCRET_ES_MASK) ||
+             !(excret & R_V7M_EXCRET_DCRS_MASK))) {
+            sfault = 1;
+            /* For all other purposes, treat ES as 0 (R_HXSR) */
+            excret &= ~R_V7M_EXCRET_ES_MASK;
+        }
+        exc_secure = excret & R_V7M_EXCRET_ES_MASK;
+    }
+
+    if (env->v7m.exception != ARMV7M_EXCP_NMI) {
+        /*
+         * Auto-clear FAULTMASK on return from other than NMI.
+         * If the security extension is implemented then this only
+         * happens if the raw execution priority is >= 0; the
+         * value of the ES bit in the exception return value indicates
+         * which security state's faultmask to clear. (v8M ARM ARM R_KBNF.)
+         */
+        if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+            if (armv7m_nvic_raw_execution_priority(env->nvic) >= 0) {
+                env->v7m.faultmask[exc_secure] = 0;
+            }
+        } else {
+            env->v7m.faultmask[M_REG_NS] = 0;
+        }
+    }
+
+    switch (armv7m_nvic_complete_irq(env->nvic, env->v7m.exception,
+                                     exc_secure)) {
+    case -1:
+        /* attempt to exit an exception that isn't active */
+        ufault = true;
+        break;
+    case 0:
+        /* still an irq active now */
+        break;
+    case 1:
+        /*
+         * We returned to base exception level, no nesting.
+         * (In the pseudocode this is written using "NestedActivation != 1"
+         * where we have 'rettobase == false'.)
+         */
+        rettobase = true;
+        break;
+    default:
+        g_assert_not_reached();
+    }
+
+    return_to_handler = !(excret & R_V7M_EXCRET_MODE_MASK);
+    return_to_sp_process = excret & R_V7M_EXCRET_SPSEL_MASK;
+    return_to_secure = arm_feature(env, ARM_FEATURE_M_SECURITY) &&
+        (excret & R_V7M_EXCRET_S_MASK);
+
+    if (arm_feature(env, ARM_FEATURE_V8)) {
+        if (!arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+            /*
+             * UNPREDICTABLE if S == 1 or DCRS == 0 or ES == 1 (R_XLCP);
+             * we choose to take the UsageFault.
+             */
+            if ((excret & R_V7M_EXCRET_S_MASK) ||
+                (excret & R_V7M_EXCRET_ES_MASK) ||
+                !(excret & R_V7M_EXCRET_DCRS_MASK)) {
+                ufault = true;
+            }
+        }
+        if (excret & R_V7M_EXCRET_RES0_MASK) {
+            ufault = true;
+        }
+    } else {
+        /* For v7M we only recognize certain combinations of the low bits */
+        switch (excret & 0xf) {
+        case 1: /* Return to Handler */
+            break;
+        case 13: /* Return to Thread using Process stack */
+        case 9: /* Return to Thread using Main stack */
+            /*
+             * We only need to check NONBASETHRDENA for v7M, because in
+             * v8M this bit does not exist (it is RES1).
+             */
+            if (!rettobase &&
+                !(env->v7m.ccr[env->v7m.secure] &
+                  R_V7M_CCR_NONBASETHRDENA_MASK)) {
+                ufault = true;
+            }
+            break;
+        default:
+            ufault = true;
+        }
+    }
+
+    /*
+     * Set CONTROL.SPSEL from excret.SPSEL. Since we're still in
+     * Handler mode (and will be until we write the new XPSR.Interrupt
+     * field) this does not switch around the current stack pointer.
+     * We must do this before we do any kind of tailchaining, including
+     * for the derived exceptions on integrity check failures, or we will
+     * give the guest an incorrect EXCRET.SPSEL value on exception entry.
+     */
+    write_v7m_control_spsel_for_secstate(env, return_to_sp_process, exc_secure);
+
+    /*
+     * Clear scratch FP values left in caller saved registers; this
+     * must happen before any kind of tail chaining.
+     */
+    if ((env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_CLRONRET_MASK) &&
+        (env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK)) {
+        if (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPACT_MASK) {
+            env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
+            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
+            qemu_log_mask(CPU_LOG_INT, "...taking SecureFault on existing "
+                          "stackframe: error during lazy state deactivation\n");
+            v7m_exception_taken(cpu, excret, true, false);
+            return;
+        } else {
+            /* Clear s0..s15 and FPSCR */
+            int i;
+
+            for (i = 0; i < 16; i += 2) {
+                *aa32_vfp_dreg(env, i / 2) = 0;
+            }
+            vfp_set_fpscr(env, 0);
+        }
+    }
+
+    if (sfault) {
+        env->v7m.sfsr |= R_V7M_SFSR_INVER_MASK;
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
+        qemu_log_mask(CPU_LOG_INT, "...taking SecureFault on existing "
+                      "stackframe: failed EXC_RETURN.ES validity check\n");
+        v7m_exception_taken(cpu, excret, true, false);
+        return;
+    }
+
+    if (ufault) {
+        /*
+         * Bad exception return: instead of popping the exception
+         * stack, directly take a usage fault on the current stack.
+         */
+        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
+        qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on existing "
+                      "stackframe: failed exception return integrity check\n");
+        v7m_exception_taken(cpu, excret, true, false);
+        return;
+    }
+
+    /*
+     * Tailchaining: if there is currently a pending exception that
+     * is high enough priority to preempt execution at the level we're
+     * about to return to, then just directly take that exception now,
+     * avoiding an unstack-and-then-stack. Note that now we have
+     * deactivated the previous exception by calling armv7m_nvic_complete_irq()
+     * our current execution priority is already the execution priority we are
+     * returning to -- none of the state we would unstack or set based on
+     * the EXCRET value affects it.
+     */
+    if (armv7m_nvic_can_take_pending_exception(env->nvic)) {
+        qemu_log_mask(CPU_LOG_INT, "...tailchaining to pending exception\n");
+        v7m_exception_taken(cpu, excret, true, false);
+        return;
+    }
+
+    switch_v7m_security_state(env, return_to_secure);
+
+    {
+        /*
+         * The stack pointer we should be reading the exception frame from
+         * depends on bits in the magic exception return type value (and
+         * for v8M isn't necessarily the stack pointer we will eventually
+         * end up resuming execution with). Get a pointer to the location
+         * in the CPU state struct where the SP we need is currently being
+         * stored; we will use and modify it in place.
+         * We use this limited C variable scope so we don't accidentally
+         * use 'frame_sp_p' after we do something that makes it invalid.
+         */
+        uint32_t *frame_sp_p = get_v7m_sp_ptr(env,
+                                              return_to_secure,
+                                              !return_to_handler,
+                                              return_to_sp_process);
+        uint32_t frameptr = *frame_sp_p;
+        bool pop_ok = true;
+        ARMMMUIdx mmu_idx;
+        bool return_to_priv = return_to_handler ||
+            !(env->v7m.control[return_to_secure] & R_V7M_CONTROL_NPRIV_MASK);
+
+        mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, return_to_secure,
+                                                        return_to_priv);
+
+        if (!QEMU_IS_ALIGNED(frameptr, 8) &&
+            arm_feature(env, ARM_FEATURE_V8)) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "M profile exception return with non-8-aligned SP "
+                          "for destination state is UNPREDICTABLE\n");
+        }
+
+        /* Do we need to pop callee-saved registers? */
+        if (return_to_secure &&
+            ((excret & R_V7M_EXCRET_ES_MASK) == 0 ||
+             (excret & R_V7M_EXCRET_DCRS_MASK) == 0)) {
+            uint32_t actual_sig;
+
+            pop_ok = v7m_stack_read(cpu, &actual_sig, frameptr, mmu_idx);
+
+            if (pop_ok && v7m_integrity_sig(env, excret) != actual_sig) {
+                /* Take a SecureFault on the current stack */
+                env->v7m.sfsr |= R_V7M_SFSR_INVIS_MASK;
+                armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
+                qemu_log_mask(CPU_LOG_INT, "...taking SecureFault on existing "
+                              "stackframe: failed exception return integrity "
+                              "signature check\n");
+                v7m_exception_taken(cpu, excret, true, false);
+                return;
+            }
+
+            pop_ok = pop_ok &&
+                v7m_stack_read(cpu, &env->regs[4], frameptr + 0x8, mmu_idx) &&
+                v7m_stack_read(cpu, &env->regs[5], frameptr + 0xc, mmu_idx) &&
+                v7m_stack_read(cpu, &env->regs[6], frameptr + 0x10, mmu_idx) &&
+                v7m_stack_read(cpu, &env->regs[7], frameptr + 0x14, mmu_idx) &&
+                v7m_stack_read(cpu, &env->regs[8], frameptr + 0x18, mmu_idx) &&
+                v7m_stack_read(cpu, &env->regs[9], frameptr + 0x1c, mmu_idx) &&
+                v7m_stack_read(cpu, &env->regs[10], frameptr + 0x20, mmu_idx) &&
+                v7m_stack_read(cpu, &env->regs[11], frameptr + 0x24, mmu_idx);
+
+            frameptr += 0x28;
+        }
+
+        /* Pop registers */
+        pop_ok = pop_ok &&
+            v7m_stack_read(cpu, &env->regs[0], frameptr, mmu_idx) &&
+            v7m_stack_read(cpu, &env->regs[1], frameptr + 0x4, mmu_idx) &&
+            v7m_stack_read(cpu, &env->regs[2], frameptr + 0x8, mmu_idx) &&
+            v7m_stack_read(cpu, &env->regs[3], frameptr + 0xc, mmu_idx) &&
+            v7m_stack_read(cpu, &env->regs[12], frameptr + 0x10, mmu_idx) &&
+            v7m_stack_read(cpu, &env->regs[14], frameptr + 0x14, mmu_idx) &&
+            v7m_stack_read(cpu, &env->regs[15], frameptr + 0x18, mmu_idx) &&
+            v7m_stack_read(cpu, &xpsr, frameptr + 0x1c, mmu_idx);
+
+        if (!pop_ok) {
+            /*
+             * v7m_stack_read() pended a fault, so take it (as a tail
+             * chained exception on the same stack frame)
+             */
+            qemu_log_mask(CPU_LOG_INT, "...derived exception on unstacking\n");
+            v7m_exception_taken(cpu, excret, true, false);
+            return;
+        }
+
+        /*
+         * Returning from an exception with a PC with bit 0 set is defined
+         * behaviour on v8M (bit 0 is ignored), but for v7M it was specified
+         * to be UNPREDICTABLE. In practice actual v7M hardware seems to ignore
+         * the lsbit, and there are several RTOSes out there which incorrectly
+         * assume the r15 in the stack frame should be a Thumb-style "lsbit
+         * indicates ARM/Thumb" value, so ignore the bit on v7M as well, but
+         * complain about the badly behaved guest.
+         */
+        if (env->regs[15] & 1) {
+            env->regs[15] &= ~1U;
+            if (!arm_feature(env, ARM_FEATURE_V8)) {
+                qemu_log_mask(LOG_GUEST_ERROR,
+                              "M profile return from interrupt with misaligned "
+                              "PC is UNPREDICTABLE on v7M\n");
+            }
+        }
+
+        if (arm_feature(env, ARM_FEATURE_V8)) {
+            /*
+             * For v8M we have to check whether the xPSR exception field
+             * matches the EXCRET value for return to handler/thread
+             * before we commit to changing the SP and xPSR.
+             */
+            bool will_be_handler = (xpsr & XPSR_EXCP) != 0;
+            if (return_to_handler != will_be_handler) {
+                /*
+                 * Take an INVPC UsageFault on the current stack.
+                 * By this point we will have switched to the security state
+                 * for the background state, so this UsageFault will target
+                 * that state.
+                 */
+                armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
+                                        env->v7m.secure);
+                env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
+                qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on existing "
+                              "stackframe: failed exception return integrity "
+                              "check\n");
+                v7m_exception_taken(cpu, excret, true, false);
+                return;
+            }
+        }
+
+        if (!ftype) {
+            /* FP present and we need to handle it */
+            if (!return_to_secure &&
+                (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPACT_MASK)) {
+                armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
+                env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
+                qemu_log_mask(CPU_LOG_INT,
+                              "...taking SecureFault on existing stackframe: "
+                              "Secure LSPACT set but exception return is "
+                              "not to secure state\n");
+                v7m_exception_taken(cpu, excret, true, false);
+                return;
+            }
+
+            restore_s16_s31 = return_to_secure &&
+                (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK);
+
+            if (env->v7m.fpccr[return_to_secure] & R_V7M_FPCCR_LSPACT_MASK) {
+                /* State in FPU is still valid, just clear LSPACT */
+                env->v7m.fpccr[return_to_secure] &= ~R_V7M_FPCCR_LSPACT_MASK;
+            } else {
+                int i;
+                uint32_t fpscr;
+                bool cpacr_pass, nsacr_pass;
+
+                cpacr_pass = v7m_cpacr_pass(env, return_to_secure,
+                                            return_to_priv);
+                nsacr_pass = return_to_secure ||
+                    extract32(env->v7m.nsacr, 10, 1);
+
+                if (!cpacr_pass) {
+                    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
+                                            return_to_secure);
+                    env->v7m.cfsr[return_to_secure] |= R_V7M_CFSR_NOCP_MASK;
+                    qemu_log_mask(CPU_LOG_INT,
+                                  "...taking UsageFault on existing "
+                                  "stackframe: CPACR.CP10 prevents unstacking "
+                                  "FP regs\n");
+                    v7m_exception_taken(cpu, excret, true, false);
+                    return;
+                } else if (!nsacr_pass) {
+                    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, true);
+                    env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_INVPC_MASK;
+                    qemu_log_mask(CPU_LOG_INT,
+                                  "...taking Secure UsageFault on existing "
+                                  "stackframe: NSACR.CP10 prevents unstacking "
+                                  "FP regs\n");
+                    v7m_exception_taken(cpu, excret, true, false);
+                    return;
+                }
+
+                for (i = 0; i < (restore_s16_s31 ? 32 : 16); i += 2) {
+                    uint32_t slo, shi;
+                    uint64_t dn;
+                    uint32_t faddr = frameptr + 0x20 + 4 * i;
+
+                    if (i >= 16) {
+                        faddr += 8; /* Skip the slot for the FPSCR */
+                    }
+
+                    pop_ok = pop_ok &&
+                        v7m_stack_read(cpu, &slo, faddr, mmu_idx) &&
+                        v7m_stack_read(cpu, &shi, faddr + 4, mmu_idx);
+
+                    if (!pop_ok) {
+                        break;
+                    }
+
+                    dn = (uint64_t)shi << 32 | slo;
+                    *aa32_vfp_dreg(env, i / 2) = dn;
+                }
+                pop_ok = pop_ok &&
+                    v7m_stack_read(cpu, &fpscr, frameptr + 0x60, mmu_idx);
+                if (pop_ok) {
+                    vfp_set_fpscr(env, fpscr);
+                }
+                if (!pop_ok) {
+                    /*
+                     * These regs are 0 if security extension present;
+                     * otherwise merely UNKNOWN. We zero always.
+                     */
+                    for (i = 0; i < (restore_s16_s31 ? 32 : 16); i += 2) {
+                        *aa32_vfp_dreg(env, i / 2) = 0;
+                    }
+                    vfp_set_fpscr(env, 0);
+                }
+            }
+        }
+        env->v7m.control[M_REG_S] = FIELD_DP32(env->v7m.control[M_REG_S],
+                                               V7M_CONTROL, FPCA, !ftype);
+
+        /* Commit to consuming the stack frame */
+        frameptr += 0x20;
+        if (!ftype) {
+            frameptr += 0x48;
+            if (restore_s16_s31) {
+                frameptr += 0x40;
+            }
+        }
+        /*
+         * Undo stack alignment (the SPREALIGN bit indicates that the original
+         * pre-exception SP was not 8-aligned and we added a padding word to
+         * align it, so we undo this by ORing in the bit that increases it
+         * from the current 8-aligned value to the 8-unaligned value. (Adding 4
+         * would work too but a logical OR is how the pseudocode specifies it.)
+         */
+        if (xpsr & XPSR_SPREALIGN) {
+            frameptr |= 4;
+        }
+        *frame_sp_p = frameptr;
+    }
+
+    xpsr_mask = ~(XPSR_SPREALIGN | XPSR_SFPA);
+    if (!arm_feature(env, ARM_FEATURE_THUMB_DSP)) {
+        xpsr_mask &= ~XPSR_GE;
+    }
+    /* This xpsr_write() will invalidate frame_sp_p as it may switch stack */
+    xpsr_write(env, xpsr, xpsr_mask);
+
+    if (env->v7m.secure) {
+        bool sfpa = xpsr & XPSR_SFPA;
+
+        env->v7m.control[M_REG_S] = FIELD_DP32(env->v7m.control[M_REG_S],
+                                               V7M_CONTROL, SFPA, sfpa);
+    }
+
+    /*
+     * The restored xPSR exception field will be zero if we're
+     * resuming in Thread mode. If that doesn't match what the
+     * exception return excret specified then this is a UsageFault.
+     * v7M requires we make this check here; v8M did it earlier.
+     */
+    if (return_to_handler != arm_v7m_is_handler_mode(env)) {
+        /*
+         * Take an INVPC UsageFault by pushing the stack again;
+         * we know we're v7M so this is never a Secure UsageFault.
+         */
+        bool ignore_stackfaults;
+
+        assert(!arm_feature(env, ARM_FEATURE_V8));
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, false);
+        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
+        ignore_stackfaults = v7m_push_stack(cpu);
+        qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on new stackframe: "
+                      "failed exception return integrity check\n");
+        v7m_exception_taken(cpu, excret, false, ignore_stackfaults);
+        return;
+    }
+
+    /* Otherwise, we have a successful exception exit. */
+    arm_clear_exclusive(env);
+    qemu_log_mask(CPU_LOG_INT, "...successful exception return\n");
+}
+
+static bool do_v7m_function_return(ARMCPU *cpu)
+{
+    /*
+     * v8M security extensions magic function return.
+     * We may either:
+     *  (1) throw an exception (longjump)
+     *  (2) return true if we successfully handled the function return
+     *  (3) return false if we failed a consistency check and have
+     *      pended a UsageFault that needs to be taken now
+     *
+     * At this point the magic return value is split between env->regs[15]
+     * and env->thumb. We don't bother to reconstitute it because we don't
+     * need it (all values are handled the same way).
+     */
+    CPUARMState *env = &cpu->env;
+    uint32_t newpc, newpsr, newpsr_exc;
+
+    qemu_log_mask(CPU_LOG_INT, "...really v7M secure function return\n");
+
+    {
+        bool threadmode, spsel;
+        TCGMemOpIdx oi;
+        ARMMMUIdx mmu_idx;
+        uint32_t *frame_sp_p;
+        uint32_t frameptr;
+
+        /* Pull the return address and IPSR from the Secure stack */
+        threadmode = !arm_v7m_is_handler_mode(env);
+        spsel = env->v7m.control[M_REG_S] & R_V7M_CONTROL_SPSEL_MASK;
+
+        frame_sp_p = get_v7m_sp_ptr(env, true, threadmode, spsel);
+        frameptr = *frame_sp_p;
+
+        /*
+         * These loads may throw an exception (for MPU faults). We want to
+         * do them as secure, so work out what MMU index that is.
+         */
+        mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
+        oi = make_memop_idx(MO_LE, arm_to_core_mmu_idx(mmu_idx));
+        newpc = helper_le_ldul_mmu(env, frameptr, oi, 0);
+        newpsr = helper_le_ldul_mmu(env, frameptr + 4, oi, 0);
+
+        /* Consistency checks on new IPSR */
+        newpsr_exc = newpsr & XPSR_EXCP;
+        if (!((env->v7m.exception == 0 && newpsr_exc == 0) ||
+              (env->v7m.exception == 1 && newpsr_exc != 0))) {
+            /* Pend the fault and tell our caller to take it */
+            env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
+            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
+                                    env->v7m.secure);
+            qemu_log_mask(CPU_LOG_INT,
+                          "...taking INVPC UsageFault: "
+                          "IPSR consistency check failed\n");
+            return false;
+        }
+
+        *frame_sp_p = frameptr + 8;
+    }
+
+    /* This invalidates frame_sp_p */
+    switch_v7m_security_state(env, true);
+    env->v7m.exception = newpsr_exc;
+    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
+    if (newpsr & XPSR_SFPA) {
+        env->v7m.control[M_REG_S] |= R_V7M_CONTROL_SFPA_MASK;
+    }
+    xpsr_write(env, 0, XPSR_IT);
+    env->thumb = newpc & 1;
+    env->regs[15] = newpc & ~1;
+
+    qemu_log_mask(CPU_LOG_INT, "...function return successful\n");
+    return true;
+}
+
+static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
+                               uint32_t addr, uint16_t *insn)
+{
+    /*
+     * Load a 16-bit portion of a v7M instruction, returning true on success,
+     * or false on failure (in which case we will have pended the appropriate
+     * exception).
+     * We need to do the instruction fetch's MPU and SAU checks
+     * like this because there is no MMU index that would allow
+     * doing the load with a single function call. Instead we must
+     * first check that the security attributes permit the load
+     * and that they don't mismatch on the two halves of the instruction,
+     * and then we do the load as a secure load (ie using the security
+     * attributes of the address, not the CPU, as architecturally required).
+     */
+    CPUState *cs = CPU(cpu);
+    CPUARMState *env = &cpu->env;
+    V8M_SAttributes sattrs = {};
+    MemTxAttrs attrs = {};
+    ARMMMUFaultInfo fi = {};
+    MemTxResult txres;
+    target_ulong page_size;
+    hwaddr physaddr;
+    int prot;
+
+    v8m_security_lookup(env, addr, MMU_INST_FETCH, mmu_idx, &sattrs);
+    if (!sattrs.nsc || sattrs.ns) {
+        /*
+         * This must be the second half of the insn, and it straddles a
+         * region boundary with the second half not being S&NSC.
+         */
+        env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
+        qemu_log_mask(CPU_LOG_INT,
+                      "...really SecureFault with SFSR.INVEP\n");
+        return false;
+    }
+    if (get_phys_addr(env, addr, MMU_INST_FETCH, mmu_idx,
+                      &physaddr, &attrs, &prot, &page_size, &fi, NULL)) {
+        /* the MPU lookup failed */
+        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_IACCVIOL_MASK;
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM, env->v7m.secure);
+        qemu_log_mask(CPU_LOG_INT, "...really MemManage with CFSR.IACCVIOL\n");
+        return false;
+    }
+    *insn = address_space_lduw_le(arm_addressspace(cs, attrs), physaddr,
+                                 attrs, &txres);
+    if (txres != MEMTX_OK) {
+        env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_IBUSERR_MASK;
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
+        qemu_log_mask(CPU_LOG_INT, "...really BusFault with CFSR.IBUSERR\n");
+        return false;
+    }
+    return true;
+}
+
+static bool v7m_handle_execute_nsc(ARMCPU *cpu)
+{
+    /*
+     * Check whether this attempt to execute code in a Secure & NS-Callable
+     * memory region is for an SG instruction; if so, then emulate the
+     * effect of the SG instruction and return true. Otherwise pend
+     * the correct kind of exception and return false.
+     */
+    CPUARMState *env = &cpu->env;
+    ARMMMUIdx mmu_idx;
+    uint16_t insn;
+
+    /*
+     * We should never get here unless get_phys_addr_pmsav8() caused
+     * an exception for NS executing in S&NSC memory.
+     */
+    assert(!env->v7m.secure);
+    assert(arm_feature(env, ARM_FEATURE_M_SECURITY));
+
+    /* We want to do the MPU lookup as secure; work out what mmu_idx that is */
+    mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
+
+    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15], &insn)) {
+        return false;
+    }
+
+    if (!env->thumb) {
+        goto gen_invep;
+    }
+
+    if (insn != 0xe97f) {
+        /*
+         * Not an SG instruction first half (we choose the IMPDEF
+         * early-SG-check option).
+         */
+        goto gen_invep;
+    }
+
+    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15] + 2, &insn)) {
+        return false;
+    }
+
+    if (insn != 0xe97f) {
+        /*
+         * Not an SG instruction second half (yes, both halves of the SG
+         * insn have the same hex value)
+         */
+        goto gen_invep;
+    }
+
+    /*
+     * OK, we have confirmed that we really have an SG instruction.
+     * We know we're NS in S memory so don't need to repeat those checks.
+     */
+    qemu_log_mask(CPU_LOG_INT, "...really an SG instruction at 0x%08" PRIx32
+                  ", executing it\n", env->regs[15]);
+    env->regs[14] &= ~1;
+    env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
+    switch_v7m_security_state(env, true);
+    xpsr_write(env, 0, XPSR_IT);
+    env->regs[15] += 4;
+    return true;
+
+gen_invep:
+    env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
+    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
+    qemu_log_mask(CPU_LOG_INT,
+                  "...really SecureFault with SFSR.INVEP\n");
+    return false;
+}
+
+void arm_v7m_cpu_do_interrupt(CPUState *cs)
+{
+    ARMCPU *cpu = ARM_CPU(cs);
+    CPUARMState *env = &cpu->env;
+    uint32_t lr;
+    bool ignore_stackfaults;
+
+    arm_log_exception(cs->exception_index);
+
+    /*
+     * For exceptions we just mark as pending on the NVIC, and let that
+     * handle it.
+     */
+    switch (cs->exception_index) {
+    case EXCP_UDEF:
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
+        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_UNDEFINSTR_MASK;
+        break;
+    case EXCP_NOCP:
+    {
+        /*
+         * NOCP might be directed to something other than the current
+         * security state if this fault is because of NSACR; we indicate
+         * the target security state using exception.target_el.
+         */
+        int target_secstate;
+
+        if (env->exception.target_el == 3) {
+            target_secstate = M_REG_S;
+        } else {
+            target_secstate = env->v7m.secure;
+        }
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, target_secstate);
+        env->v7m.cfsr[target_secstate] |= R_V7M_CFSR_NOCP_MASK;
+        break;
+    }
+    case EXCP_INVSTATE:
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
+        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVSTATE_MASK;
+        break;
+    case EXCP_STKOF:
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
+        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;
+        break;
+    case EXCP_LSERR:
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
+        env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
+        break;
+    case EXCP_UNALIGNED:
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
+        env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_UNALIGNED_MASK;
+        break;
+    case EXCP_SWI:
+        /* The PC already points to the next instruction.  */
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SVC, env->v7m.secure);
+        break;
+    case EXCP_PREFETCH_ABORT:
+    case EXCP_DATA_ABORT:
+        /*
+         * Note that for M profile we don't have a guest facing FSR, but
+         * the env->exception.fsr will be populated by the code that
+         * raises the fault, in the A profile short-descriptor format.
+         */
+        switch (env->exception.fsr & 0xf) {
+        case M_FAKE_FSR_NSC_EXEC:
+            /*
+             * Exception generated when we try to execute code at an address
+             * which is marked as Secure & Non-Secure Callable and the CPU
+             * is in the Non-Secure state. The only instruction which can
+             * be executed like this is SG (and that only if both halves of
+             * the SG instruction have the same security attributes.)
+             * Everything else must generate an INVEP SecureFault, so we
+             * emulate the SG instruction here.
+             */
+            if (v7m_handle_execute_nsc(cpu)) {
+                return;
+            }
+            break;
+        case M_FAKE_FSR_SFAULT:
+            /*
+             * Various flavours of SecureFault for attempts to execute or
+             * access data in the wrong security state.
+             */
+            switch (cs->exception_index) {
+            case EXCP_PREFETCH_ABORT:
+                if (env->v7m.secure) {
+                    env->v7m.sfsr |= R_V7M_SFSR_INVTRAN_MASK;
+                    qemu_log_mask(CPU_LOG_INT,
+                                  "...really SecureFault with SFSR.INVTRAN\n");
+                } else {
+                    env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
+                    qemu_log_mask(CPU_LOG_INT,
+                                  "...really SecureFault with SFSR.INVEP\n");
+                }
+                break;
+            case EXCP_DATA_ABORT:
+                /* This must be an NS access to S memory */
+                env->v7m.sfsr |= R_V7M_SFSR_AUVIOL_MASK;
+                qemu_log_mask(CPU_LOG_INT,
+                              "...really SecureFault with SFSR.AUVIOL\n");
+                break;
+            }
+            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
+            break;
+        case 0x8: /* External Abort */
+            switch (cs->exception_index) {
+            case EXCP_PREFETCH_ABORT:
+                env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_IBUSERR_MASK;
+                qemu_log_mask(CPU_LOG_INT, "...with CFSR.IBUSERR\n");
+                break;
+            case EXCP_DATA_ABORT:
+                env->v7m.cfsr[M_REG_NS] |=
+                    (R_V7M_CFSR_PRECISERR_MASK | R_V7M_CFSR_BFARVALID_MASK);
+                env->v7m.bfar = env->exception.vaddress;
+                qemu_log_mask(CPU_LOG_INT,
+                              "...with CFSR.PRECISERR and BFAR 0x%x\n",
+                              env->v7m.bfar);
+                break;
+            }
+            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
+            break;
+        default:
+            /*
+             * All other FSR values are either MPU faults or "can't happen
+             * for M profile" cases.
+             */
+            switch (cs->exception_index) {
+            case EXCP_PREFETCH_ABORT:
+                env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_IACCVIOL_MASK;
+                qemu_log_mask(CPU_LOG_INT, "...with CFSR.IACCVIOL\n");
+                break;
+            case EXCP_DATA_ABORT:
+                env->v7m.cfsr[env->v7m.secure] |=
+                    (R_V7M_CFSR_DACCVIOL_MASK | R_V7M_CFSR_MMARVALID_MASK);
+                env->v7m.mmfar[env->v7m.secure] = env->exception.vaddress;
+                qemu_log_mask(CPU_LOG_INT,
+                              "...with CFSR.DACCVIOL and MMFAR 0x%x\n",
+                              env->v7m.mmfar[env->v7m.secure]);
+                break;
+            }
+            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM,
+                                    env->v7m.secure);
+            break;
+        }
+        break;
+    case EXCP_BKPT:
+        if (semihosting_enabled()) {
+            int nr;
+            nr = arm_lduw_code(env, env->regs[15], arm_sctlr_b(env)) & 0xff;
+            if (nr == 0xab) {
+                env->regs[15] += 2;
+                qemu_log_mask(CPU_LOG_INT,
+                              "...handling as semihosting call 0x%x\n",
+                              env->regs[0]);
+                env->regs[0] = do_arm_semihosting(env);
+                return;
+            }
+        }
+        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_DEBUG, false);
+        break;
+    case EXCP_IRQ:
+        break;
+    case EXCP_EXCEPTION_EXIT:
+        if (env->regs[15] < EXC_RETURN_MIN_MAGIC) {
+            /* Must be v8M security extension function return */
+            assert(env->regs[15] >= FNC_RETURN_MIN_MAGIC);
+            assert(arm_feature(env, ARM_FEATURE_M_SECURITY));
+            if (do_v7m_function_return(cpu)) {
+                return;
+            }
+        } else {
+            do_v7m_exception_exit(cpu);
+            return;
+        }
+        break;
+    case EXCP_LAZYFP:
+        /*
+         * We already pended the specific exception in the NVIC in the
+         * v7m_preserve_fp_state() helper function.
+         */
+        break;
+    default:
+        cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
+        return; /* Never happens.  Keep compiler happy.  */
+    }
+
+    if (arm_feature(env, ARM_FEATURE_V8)) {
+        lr = R_V7M_EXCRET_RES1_MASK |
+            R_V7M_EXCRET_DCRS_MASK;
+        /*
+         * The S bit indicates whether we should return to Secure
+         * or NonSecure (ie our current state).
+         * The ES bit indicates whether we're taking this exception
+         * to Secure or NonSecure (ie our target state). We set it
+         * later, in v7m_exception_taken().
+         * The SPSEL bit is also set in v7m_exception_taken() for v8M.
+         * This corresponds to the ARM ARM pseudocode for v8M setting
+         * some LR bits in PushStack() and some in ExceptionTaken();
+         * the distinction matters for the tailchain cases where we
+         * can take an exception without pushing the stack.
+         */
+        if (env->v7m.secure) {
+            lr |= R_V7M_EXCRET_S_MASK;
+        }
+        if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK)) {
+            lr |= R_V7M_EXCRET_FTYPE_MASK;
+        }
+    } else {
+        lr = R_V7M_EXCRET_RES1_MASK |
+            R_V7M_EXCRET_S_MASK |
+            R_V7M_EXCRET_DCRS_MASK |
+            R_V7M_EXCRET_FTYPE_MASK |
+            R_V7M_EXCRET_ES_MASK;
+        if (env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK) {
+            lr |= R_V7M_EXCRET_SPSEL_MASK;
+        }
+    }
+    if (!arm_v7m_is_handler_mode(env)) {
+        lr |= R_V7M_EXCRET_MODE_MASK;
+    }
+
+    ignore_stackfaults = v7m_push_stack(cpu);
+    v7m_exception_taken(cpu, lr, false, ignore_stackfaults);
+}
+
+uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
+{
+    uint32_t mask;
+    unsigned el = arm_current_el(env);
+
+    /* First handle registers which unprivileged can read */
+
+    switch (reg) {
+    case 0 ... 7: /* xPSR sub-fields */
+        mask = 0;
+        if ((reg & 1) && el) {
+            mask |= XPSR_EXCP; /* IPSR (unpriv. reads as zero) */
+        }
+        if (!(reg & 4)) {
+            mask |= XPSR_NZCV | XPSR_Q; /* APSR */
+            if (arm_feature(env, ARM_FEATURE_THUMB_DSP)) {
+                mask |= XPSR_GE;
+            }
+        }
+        /* EPSR reads as zero */
+        return xpsr_read(env) & mask;
+        break;
+    case 20: /* CONTROL */
+    {
+        uint32_t value = env->v7m.control[env->v7m.secure];
+        if (!env->v7m.secure) {
+            /* SFPA is RAZ/WI from NS; FPCA is stored in the M_REG_S bank */
+            value |= env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK;
+        }
+        return value;
+    }
+    case 0x94: /* CONTROL_NS */
+        /*
+         * We have to handle this here because unprivileged Secure code
+         * can read the NS CONTROL register.
+         */
+        if (!env->v7m.secure) {
+            return 0;
+        }
+        return env->v7m.control[M_REG_NS] |
+            (env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK);
+    }
+
+    if (el == 0) {
+        return 0; /* unprivileged reads others as zero */
+    }
+
+    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+        switch (reg) {
+        case 0x88: /* MSP_NS */
+            if (!env->v7m.secure) {
+                return 0;
+            }
+            return env->v7m.other_ss_msp;
+        case 0x89: /* PSP_NS */
+            if (!env->v7m.secure) {
+                return 0;
+            }
+            return env->v7m.other_ss_psp;
+        case 0x8a: /* MSPLIM_NS */
+            if (!env->v7m.secure) {
+                return 0;
+            }
+            return env->v7m.msplim[M_REG_NS];
+        case 0x8b: /* PSPLIM_NS */
+            if (!env->v7m.secure) {
+                return 0;
+            }
+            return env->v7m.psplim[M_REG_NS];
+        case 0x90: /* PRIMASK_NS */
+            if (!env->v7m.secure) {
+                return 0;
+            }
+            return env->v7m.primask[M_REG_NS];
+        case 0x91: /* BASEPRI_NS */
+            if (!env->v7m.secure) {
+                return 0;
+            }
+            return env->v7m.basepri[M_REG_NS];
+        case 0x93: /* FAULTMASK_NS */
+            if (!env->v7m.secure) {
+                return 0;
+            }
+            return env->v7m.faultmask[M_REG_NS];
+        case 0x98: /* SP_NS */
+        {
+            /*
+             * This gives the non-secure SP selected based on whether we're
+             * currently in handler mode or not, using the NS CONTROL.SPSEL.
+             */
+            bool spsel = env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK;
+
+            if (!env->v7m.secure) {
+                return 0;
+            }
+            if (!arm_v7m_is_handler_mode(env) && spsel) {
+                return env->v7m.other_ss_psp;
+            } else {
+                return env->v7m.other_ss_msp;
+            }
+        }
+        default:
+            break;
+        }
+    }
+
+    switch (reg) {
+    case 8: /* MSP */
+        return v7m_using_psp(env) ? env->v7m.other_sp : env->regs[13];
+    case 9: /* PSP */
+        return v7m_using_psp(env) ? env->regs[13] : env->v7m.other_sp;
+    case 10: /* MSPLIM */
+        if (!arm_feature(env, ARM_FEATURE_V8)) {
+            goto bad_reg;
+        }
+        return env->v7m.msplim[env->v7m.secure];
+    case 11: /* PSPLIM */
+        if (!arm_feature(env, ARM_FEATURE_V8)) {
+            goto bad_reg;
+        }
+        return env->v7m.psplim[env->v7m.secure];
+    case 16: /* PRIMASK */
+        return env->v7m.primask[env->v7m.secure];
+    case 17: /* BASEPRI */
+    case 18: /* BASEPRI_MAX */
+        return env->v7m.basepri[env->v7m.secure];
+    case 19: /* FAULTMASK */
+        return env->v7m.faultmask[env->v7m.secure];
+    default:
+    bad_reg:
+        qemu_log_mask(LOG_GUEST_ERROR, "Attempt to read unknown special"
+                                       " register %d\n", reg);
+        return 0;
+    }
+}
+
+void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
+{
+    /*
+     * We're passed bits [11..0] of the instruction; extract
+     * SYSm and the mask bits.
+     * Invalid combinations of SYSm and mask are UNPREDICTABLE;
+     * we choose to treat them as if the mask bits were valid.
+     * NB that the pseudocode 'mask' variable is bits [11..10],
+     * whereas ours is [11..8].
+     */
+    uint32_t mask = extract32(maskreg, 8, 4);
+    uint32_t reg = extract32(maskreg, 0, 8);
+    int cur_el = arm_current_el(env);
+
+    if (cur_el == 0 && reg > 7 && reg != 20) {
+        /*
+         * only xPSR sub-fields and CONTROL.SFPA may be written by
+         * unprivileged code
+         */
+        return;
+    }
+
+    if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+        switch (reg) {
+        case 0x88: /* MSP_NS */
+            if (!env->v7m.secure) {
+                return;
+            }
+            env->v7m.other_ss_msp = val;
+            return;
+        case 0x89: /* PSP_NS */
+            if (!env->v7m.secure) {
+                return;
+            }
+            env->v7m.other_ss_psp = val;
+            return;
+        case 0x8a: /* MSPLIM_NS */
+            if (!env->v7m.secure) {
+                return;
+            }
+            env->v7m.msplim[M_REG_NS] = val & ~7;
+            return;
+        case 0x8b: /* PSPLIM_NS */
+            if (!env->v7m.secure) {
+                return;
+            }
+            env->v7m.psplim[M_REG_NS] = val & ~7;
+            return;
+        case 0x90: /* PRIMASK_NS */
+            if (!env->v7m.secure) {
+                return;
+            }
+            env->v7m.primask[M_REG_NS] = val & 1;
+            return;
+        case 0x91: /* BASEPRI_NS */
+            if (!env->v7m.secure || !arm_feature(env, ARM_FEATURE_M_MAIN)) {
+                return;
+            }
+            env->v7m.basepri[M_REG_NS] = val & 0xff;
+            return;
+        case 0x93: /* FAULTMASK_NS */
+            if (!env->v7m.secure || !arm_feature(env, ARM_FEATURE_M_MAIN)) {
+                return;
+            }
+            env->v7m.faultmask[M_REG_NS] = val & 1;
+            return;
+        case 0x94: /* CONTROL_NS */
+            if (!env->v7m.secure) {
+                return;
+            }
+            write_v7m_control_spsel_for_secstate(env,
+                                                 val & R_V7M_CONTROL_SPSEL_MASK,
+                                                 M_REG_NS);
+            if (arm_feature(env, ARM_FEATURE_M_MAIN)) {
+                env->v7m.control[M_REG_NS] &= ~R_V7M_CONTROL_NPRIV_MASK;
+                env->v7m.control[M_REG_NS] |= val & R_V7M_CONTROL_NPRIV_MASK;
+            }
+            /*
+             * SFPA is RAZ/WI from NS. FPCA is RO if NSACR.CP10 == 0,
+             * RES0 if the FPU is not present, and is stored in the S bank
+             */
+            if (arm_feature(env, ARM_FEATURE_VFP) &&
+                extract32(env->v7m.nsacr, 10, 1)) {
+                env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_FPCA_MASK;
+                env->v7m.control[M_REG_S] |= val & R_V7M_CONTROL_FPCA_MASK;
+            }
+            return;
+        case 0x98: /* SP_NS */
+        {
+            /*
+             * This gives the non-secure SP selected based on whether we're
+             * currently in handler mode or not, using the NS CONTROL.SPSEL.
+             */
+            bool spsel = env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK;
+            bool is_psp = !arm_v7m_is_handler_mode(env) && spsel;
+            uint32_t limit;
+
+            if (!env->v7m.secure) {
+                return;
+            }
+
+            limit = is_psp ? env->v7m.psplim[false] : env->v7m.msplim[false];
+
+            if (val < limit) {
+                CPUState *cs = env_cpu(env);
+
+                cpu_restore_state(cs, GETPC(), true);
+                raise_exception(env, EXCP_STKOF, 0, 1);
+            }
+
+            if (is_psp) {
+                env->v7m.other_ss_psp = val;
+            } else {
+                env->v7m.other_ss_msp = val;
+            }
+            return;
+        }
+        default:
+            break;
+        }
+    }
+
+    switch (reg) {
+    case 0 ... 7: /* xPSR sub-fields */
+        /* only APSR is actually writable */
+        if (!(reg & 4)) {
+            uint32_t apsrmask = 0;
+
+            if (mask & 8) {
+                apsrmask |= XPSR_NZCV | XPSR_Q;
+            }
+            if ((mask & 4) && arm_feature(env, ARM_FEATURE_THUMB_DSP)) {
+                apsrmask |= XPSR_GE;
+            }
+            xpsr_write(env, val, apsrmask);
+        }
+        break;
+    case 8: /* MSP */
+        if (v7m_using_psp(env)) {
+            env->v7m.other_sp = val;
+        } else {
+            env->regs[13] = val;
+        }
+        break;
+    case 9: /* PSP */
+        if (v7m_using_psp(env)) {
+            env->regs[13] = val;
+        } else {
+            env->v7m.other_sp = val;
+        }
+        break;
+    case 10: /* MSPLIM */
+        if (!arm_feature(env, ARM_FEATURE_V8)) {
+            goto bad_reg;
+        }
+        env->v7m.msplim[env->v7m.secure] = val & ~7;
+        break;
+    case 11: /* PSPLIM */
+        if (!arm_feature(env, ARM_FEATURE_V8)) {
+            goto bad_reg;
+        }
+        env->v7m.psplim[env->v7m.secure] = val & ~7;
+        break;
+    case 16: /* PRIMASK */
+        env->v7m.primask[env->v7m.secure] = val & 1;
+        break;
+    case 17: /* BASEPRI */
+        if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
+            goto bad_reg;
+        }
+        env->v7m.basepri[env->v7m.secure] = val & 0xff;
+        break;
+    case 18: /* BASEPRI_MAX */
+        if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
+            goto bad_reg;
+        }
+        val &= 0xff;
+        if (val != 0 && (val < env->v7m.basepri[env->v7m.secure]
+                         || env->v7m.basepri[env->v7m.secure] == 0)) {
+            env->v7m.basepri[env->v7m.secure] = val;
+        }
+        break;
+    case 19: /* FAULTMASK */
+        if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
+            goto bad_reg;
+        }
+        env->v7m.faultmask[env->v7m.secure] = val & 1;
+        break;
+    case 20: /* CONTROL */
+        /*
+         * Writing to the SPSEL bit only has an effect if we are in
+         * thread mode; other bits can be updated by any privileged code.
+         * write_v7m_control_spsel() deals with updating the SPSEL bit in
+         * env->v7m.control, so we only need update the others.
+         * For v7M, we must just ignore explicit writes to SPSEL in handler
+         * mode; for v8M the write is permitted but will have no effect.
+         * All these bits are writes-ignored from non-privileged code,
+         * except for SFPA.
+         */
+        if (cur_el > 0 && (arm_feature(env, ARM_FEATURE_V8) ||
+                           !arm_v7m_is_handler_mode(env))) {
+            write_v7m_control_spsel(env, (val & R_V7M_CONTROL_SPSEL_MASK) != 0);
+        }
+        if (cur_el > 0 && arm_feature(env, ARM_FEATURE_M_MAIN)) {
+            env->v7m.control[env->v7m.secure] &= ~R_V7M_CONTROL_NPRIV_MASK;
+            env->v7m.control[env->v7m.secure] |= val & R_V7M_CONTROL_NPRIV_MASK;
+        }
+        if (arm_feature(env, ARM_FEATURE_VFP)) {
+            /*
+             * SFPA is RAZ/WI from NS or if no FPU.
+             * FPCA is RO if NSACR.CP10 == 0, RES0 if the FPU is not present.
+             * Both are stored in the S bank.
+             */
+            if (env->v7m.secure) {
+                env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
+                env->v7m.control[M_REG_S] |= val & R_V7M_CONTROL_SFPA_MASK;
+            }
+            if (cur_el > 0 &&
+                (env->v7m.secure || !arm_feature(env, ARM_FEATURE_M_SECURITY) ||
+                 extract32(env->v7m.nsacr, 10, 1))) {
+                env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_FPCA_MASK;
+                env->v7m.control[M_REG_S] |= val & R_V7M_CONTROL_FPCA_MASK;
+            }
+        }
+        break;
+    default:
+    bad_reg:
+        qemu_log_mask(LOG_GUEST_ERROR, "Attempt to write unknown special"
+                                       " register %d\n", reg);
+        return;
+    }
+}
+
+uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
+{
+    /* Implement the TT instruction. op is bits [7:6] of the insn. */
+    bool forceunpriv = op & 1;
+    bool alt = op & 2;
+    V8M_SAttributes sattrs = {};
+    uint32_t tt_resp;
+    bool r, rw, nsr, nsrw, mrvalid;
+    int prot;
+    ARMMMUFaultInfo fi = {};
+    MemTxAttrs attrs = {};
+    hwaddr phys_addr;
+    ARMMMUIdx mmu_idx;
+    uint32_t mregion;
+    bool targetpriv;
+    bool targetsec = env->v7m.secure;
+    bool is_subpage;
+
+    /*
+     * Work out what the security state and privilege level we're
+     * interested in is...
+     */
+    if (alt) {
+        targetsec = !targetsec;
+    }
+
+    if (forceunpriv) {
+        targetpriv = false;
+    } else {
+        targetpriv = arm_v7m_is_handler_mode(env) ||
+            !(env->v7m.control[targetsec] & R_V7M_CONTROL_NPRIV_MASK);
+    }
+
+    /* ...and then figure out which MMU index this is */
+    mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, targetsec, targetpriv);
+
+    /*
+     * We know that the MPU and SAU don't care about the access type
+     * for our purposes beyond that we don't want to claim to be
+     * an insn fetch, so we arbitrarily call this a read.
+     */
+
+    /*
+     * MPU region info only available for privileged or if
+     * inspecting the other MPU state.
+     */
+    if (arm_current_el(env) != 0 || alt) {
+        /* We can ignore the return value as prot is always set */
+        pmsav8_mpu_lookup(env, addr, MMU_DATA_LOAD, mmu_idx,
+                          &phys_addr, &attrs, &prot, &is_subpage,
+                          &fi, &mregion);
+        if (mregion == -1) {
+            mrvalid = false;
+            mregion = 0;
+        } else {
+            mrvalid = true;
+        }
+        r = prot & PAGE_READ;
+        rw = prot & PAGE_WRITE;
+    } else {
+        r = false;
+        rw = false;
+        mrvalid = false;
+        mregion = 0;
+    }
+
+    if (env->v7m.secure) {
+        v8m_security_lookup(env, addr, MMU_DATA_LOAD, mmu_idx, &sattrs);
+        nsr = sattrs.ns && r;
+        nsrw = sattrs.ns && rw;
+    } else {
+        sattrs.ns = true;
+        nsr = false;
+        nsrw = false;
+    }
+
+    tt_resp = (sattrs.iregion << 24) |
+        (sattrs.irvalid << 23) |
+        ((!sattrs.ns) << 22) |
+        (nsrw << 21) |
+        (nsr << 20) |
+        (rw << 19) |
+        (r << 18) |
+        (sattrs.srvalid << 17) |
+        (mrvalid << 16) |
+        (sattrs.sregion << 8) |
+        mregion;
+
+    return tt_resp;
+}
+
+#endif /* !CONFIG_USER_ONLY */
+
+ARMMMUIdx arm_v7m_mmu_idx_all(CPUARMState *env,
+                              bool secstate, bool priv, bool negpri)
+{
+    ARMMMUIdx mmu_idx = ARM_MMU_IDX_M;
+
+    if (priv) {
+        mmu_idx |= ARM_MMU_IDX_M_PRIV;
+    }
+
+    if (negpri) {
+        mmu_idx |= ARM_MMU_IDX_M_NEGPRI;
+    }
+
+    if (secstate) {
+        mmu_idx |= ARM_MMU_IDX_M_S;
+    }
+
+    return mmu_idx;
+}
+
+ARMMMUIdx arm_v7m_mmu_idx_for_secstate_and_priv(CPUARMState *env,
+                                                bool secstate, bool priv)
+{
+    bool negpri = armv7m_nvic_neg_prio_requested(env->nvic, secstate);
+
+    return arm_v7m_mmu_idx_all(env, secstate, priv, negpri);
+}
+
+/* Return the MMU index for a v7M CPU in the specified security state */
+ARMMMUIdx arm_v7m_mmu_idx_for_secstate(CPUARMState *env, bool secstate)
+{
+    bool priv = arm_current_el(env) != 0;
+
+    return arm_v7m_mmu_idx_for_secstate_and_priv(env, secstate, priv);
+}
-- 
2.20.1

To prevent execution priority remaining negative if the guest
returns from an NMI or HardFault with a corrupted IPSR, the
v8M interrupt deactivation process forces the HardFault and NMI
to inactive based on the current raw execution priority,
even if the interrupt the guest is trying to deactivate
is something else. In the pseudocode this is done in the
Deactivate() function.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190617175317.27557-3-peter.maydell@linaro.org
---
 hw/intc/armv7m_nvic.c | 40 +++++++++++++++++++++++++++++++++++-----
 1 file changed, 35 insertions(+), 5 deletions(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ void armv7m_nvic_get_pending_irq_info(void *opaque,
 int armv7m_nvic_complete_irq(void *opaque, int irq, bool secure)
 {
     NVICState *s = (NVICState *)opaque;
-    VecInfo *vec;
+    VecInfo *vec = NULL;
     int ret;
 
     assert(irq > ARMV7M_EXCP_RESET && irq < s->num_irq);
 
-    if (secure && exc_is_banked(irq)) {
-        vec = &s->sec_vectors[irq];
-    } else {
-        vec = &s->vectors[irq];
+    /*
+     * For negative priorities, v8M will forcibly deactivate the appropriate
+     * NMI or HardFault regardless of what interrupt we're being asked to
+     * deactivate (compare the DeActivate() pseudocode). This is a guard
+     * against software returning from NMI or HardFault with a corrupted
+     * IPSR and leaving the CPU in a negative-priority state.
+     * v7M does not do this, but simply deactivates the requested interrupt.
+     */
+    if (arm_feature(&s->cpu->env, ARM_FEATURE_V8)) {
+        switch (armv7m_nvic_raw_execution_priority(s)) {
+        case -1:
+            if (s->cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) {
+                vec = &s->vectors[ARMV7M_EXCP_HARD];
+            } else {
+                vec = &s->sec_vectors[ARMV7M_EXCP_HARD];
+            }
+            break;
+        case -2:
+            vec = &s->vectors[ARMV7M_EXCP_NMI];
+            break;
+        case -3:
+            vec = &s->sec_vectors[ARMV7M_EXCP_HARD];
+            break;
+        default:
+            break;
+        }
+    }
+
+    if (!vec) {
+        if (secure && exc_is_banked(irq)) {
+            vec = &s->sec_vectors[irq];
+        } else {
+            vec = &s->vectors[irq];
+        }
     }
 
     trace_nvic_complete_irq(irq, secure);
-- 
2.20.1

In v8M, an attempt to return from an exception which is not
active is an illegal exception return. For this purpose,
exceptions which can configurably target either Secure or
NonSecure are not considered to be active if they are
configured for the opposite security state for the one
we're trying to return from (eg attempt to return from
an NS NMI but NMI targets Secure). In the pseudocode this
is handled by IsActiveForState().

Detect this case rather than counting an active exception
possibly of the wrong security state as being sufficient.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190617175317.27557-4-peter.maydell@linaro.org
---
 hw/intc/armv7m_nvic.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ int armv7m_nvic_complete_irq(void *opaque, int irq, bool secure)
         return -1;
     }
 
-    ret = nvic_rettobase(s);
+    /*
+     * If this is a configurable exception and it is currently
+     * targeting the opposite security state from the one we're trying
+     * to complete it for, this counts as an illegal exception return.
+     * We still need to deactivate whatever vector the logic above has
+     * selected, though, as it might not be the same as the one for the
+     * requested exception number.
+     */
+    if (!exc_is_banked(irq) && exc_targets_secure(s, irq) != secure) {
+        ret = -1;
+    } else {
+        ret = nvic_rettobase(s);
+    }
 
     vec->active = 0;
     if (vec->level) {
-- 
2.20.1

In the various helper functions for v7M/v8M instructions, use
the _ra versions of cpu_stl_data() and friends. Otherwise we
may get wrong behaviour or an assert() due to not being able
to locate the TB if there is an exception on the memory access
or if it performs an IO operation when in icount mode.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190617175317.27557-5-peter.maydell@linaro.org
---
 target/arm/m_helper.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/m_helper.c
+++ b/target/arm/m_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
     }
 
     /* Note that these stores can throw exceptions on MPU faults */
-    cpu_stl_data(env, sp, nextinst);
-    cpu_stl_data(env, sp + 4, saved_psr);
+    cpu_stl_data_ra(env, sp, nextinst, GETPC());
+    cpu_stl_data_ra(env, sp + 4, saved_psr, GETPC());
 
     env->regs[13] = sp;
     env->regs[14] = 0xfeffffff;
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)
     /* fptr is the value of Rn, the frame pointer we store the FP regs to */
     bool s = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK;
     bool lspact = env->v7m.fpccr[s] & R_V7M_FPCCR_LSPACT_MASK;
+    uintptr_t ra = GETPC();
 
     assert(env->v7m.secure);
 
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)
      * Note that we do not use v7m_stack_write() here, because the
      * accesses should not set the FSR bits for stacking errors if they
      * fail. (In pseudocode terms, they are AccType_NORMAL, not AccType_STACK
-     * or AccType_LAZYFP). Faults in cpu_stl_data() will throw exceptions
+     * or AccType_LAZYFP). Faults in cpu_stl_data_ra() will throw exceptions
      * and longjmp out.
      */
     if (!(env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPEN_MASK)) {
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)
             if (i >= 16) {
                 faddr += 8; /* skip the slot for the FPSCR */
             }
-            cpu_stl_data(env, faddr, slo);
-            cpu_stl_data(env, faddr + 4, shi);
+            cpu_stl_data_ra(env, faddr, slo, ra);
+            cpu_stl_data_ra(env, faddr + 4, shi, ra);
         }
-        cpu_stl_data(env, fptr + 0x40, vfp_get_fpscr(env));
+        cpu_stl_data_ra(env, fptr + 0x40, vfp_get_fpscr(env), ra);
 
         /*
          * If TS is 0 then s0 to s15 and FPSCR are UNKNOWN; we choose to
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)
 
 void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)
 {
+    uintptr_t ra = GETPC();
+
     /* fptr is the value of Rn, the frame pointer we load the FP regs from */
     assert(env->v7m.secure);
 
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)
                 faddr += 8; /* skip the slot for the FPSCR */
             }
 
-            slo = cpu_ldl_data(env, faddr);
-            shi = cpu_ldl_data(env, faddr + 4);
+            slo = cpu_ldl_data_ra(env, faddr, ra);
+            shi = cpu_ldl_data_ra(env, faddr + 4, ra);
 
             dn = (uint64_t) shi << 32 | slo;
             *aa32_vfp_dreg(env, i / 2) = dn;
         }
-        fpscr = cpu_ldl_data(env, fptr + 0x40);
+        fpscr = cpu_ldl_data_ra(env, fptr + 0x40, ra);
         vfp_set_fpscr(env, fpscr);
     }
 
-- 
2.20.1

Like most of the v7M memory mapped system registers, the systick
registers are accessible to privileged code only and user accesses
must generate a BusFault. We implement that for registers in
the NVIC proper already, but missed it for systick since we
implement it as a separate device. Correct the omission.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190617175317.27557-6-peter.maydell@linaro.org
---
 hw/timer/armv7m_systick.c | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/hw/timer/armv7m_systick.c b/hw/timer/armv7m_systick.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/armv7m_systick.c
+++ b/hw/timer/armv7m_systick.c
@@ -XXX,XX +XXX,XX @@ static void systick_timer_tick(void *opaque)
     }
 }
 
-static uint64_t systick_read(void *opaque, hwaddr addr, unsigned size)
+static MemTxResult systick_read(void *opaque, hwaddr addr, uint64_t *data,
+                                unsigned size, MemTxAttrs attrs)
 {
     SysTickState *s = opaque;
     uint32_t val;
 
+    if (attrs.user) {
+        /* Generate BusFault for unprivileged accesses */
+        return MEMTX_ERROR;
+    }
+
     switch (addr) {
     case 0x0: /* SysTick Control and Status.  */
         val = s->control;
@@ -XXX,XX +XXX,XX @@ static uint64_t systick_read(void *opaque, hwaddr addr, unsigned size)
     }
 
     trace_systick_read(addr, val, size);
-    return val;
+    *data = val;
+    return MEMTX_OK;
 }
 
-static void systick_write(void *opaque, hwaddr addr,
-                          uint64_t value, unsigned size)
+static MemTxResult systick_write(void *opaque, hwaddr addr,
+                                 uint64_t value, unsigned size,
+                                 MemTxAttrs attrs)
 {
     SysTickState *s = opaque;
 
+    if (attrs.user) {
+        /* Generate BusFault for unprivileged accesses */
+        return MEMTX_ERROR;
+    }
+
     trace_systick_write(addr, value, size);
 
     switch (addr) {
@@ -XXX,XX +XXX,XX @@ static void systick_write(void *opaque, hwaddr addr,
         qemu_log_mask(LOG_GUEST_ERROR,
                       "SysTick: Bad write offset 0x%" HWADDR_PRIx "\n", addr);
     }
+    return MEMTX_OK;
 }
 
 static const MemoryRegionOps systick_ops = {
-    .read = systick_read,
-    .write = systick_write,
+    .read_with_attrs = systick_read,
+    .write_with_attrs = systick_write,
     .endianness = DEVICE_NATIVE_ENDIAN,
     .valid.min_access_size = 4,
     .valid.max_access_size = 4,
-- 
2.20.1

Thumb instructions in an IT block are set up to be conditionally
executed depending on a set of condition bits encoded into the IT
bits of the CPSR/XPSR.  The architecture specifies that if the
condition bits are 0b1111 this means "always execute" (like 0b1110),
not "never execute"; we were treating it as "never execute".  (See
the ConditionHolds() pseudocode in both the A-profile and M-profile
Arm ARM.)

This is a bit of an obscure corner case, because the only legal
way to get to an 0b1111 set of condbits is to do an exception
return which sets the XPSR/CPSR up that way. An IT instruction
which encodes a condition sequence that would include an 0b1111 is
UNPREDICTABLE, and for v8A the CONSTRAINED UNPREDICTABLE choices
for such an IT insn are to NOP, UNDEF, or treat 0b1111 like 0b1110.
Add a comment noting that we take the latter option.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190617175317.27557-7-peter.maydell@linaro.org
---
 target/arm/translate.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
                 gen_nop_hint(s, (insn >> 4) & 0xf);
                 break;
             }
-            /* If Then.  */
+            /*
+             * IT (If-Then)
+             *
+             * Combinations of firstcond and mask which set up an 0b1111
+             * condition are UNPREDICTABLE; we take the CONSTRAINED
+             * UNPREDICTABLE choice to treat 0b1111 the same as 0b1110,
+             * i.e. both meaning "execute always".
+             */
             s->condexec_cond = (insn >> 4) & 0xe;
             s->condexec_mask = insn & 0x1f;
             /* No actual code generated for this insn, just setup state.  */
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     if (dc->condexec_mask && !thumb_insn_is_unconditional(dc, insn)) {
         uint32_t cond = dc->condexec_cond;
 
-        if (cond != 0x0e) {     /* Skip conditional when condition is AL. */
+        /*
+         * Conditionally skip the insn. Note that both 0xe and 0xf mean
+         * "always"; 0xf is not "never".
+         */
+        if (cond < 0x0e) {
             arm_skip_unless(dc, cond);
         }
     }
-- 
2.20.1

Coverity points out (CID 1402195) that the loop in trans_VMOV_imm_dp()
that iterates over the destination registers in a short-vector VMOV
accidentally throws away the returned updated register number
from vfp_advance_dreg(). Add the missing assignment. (We got this
correct in trans_VMOV_imm_sp().)

Fixes: 18cf951af9a27ae573a
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190702105115.9465-1-peter.maydell@linaro.org
---
 target/arm/translate-vfp.inc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.inc.c
+++ b/target/arm/translate-vfp.inc.c
@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_imm_dp(DisasContext *s, arg_VMOV_imm_dp *a)
 
         /* Set up the operands for the next iteration */
         veclen--;
-        vfp_advance_dreg(vd, delta_d);
+        vd = vfp_advance_dreg(vd, delta_d);
     }
 
     tcg_temp_free_i64(fd);
-- 
2.20.1

Last pullreq before 6.0 softfreeze: a few minor feature patches,
some bugfixes, some cleanups.

-- PMM

The following changes since commit 6f34661b6c97a37a5efc27d31c037ddeda4547e2:

Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-for-6.0-pull-request' into staging (2021-03-11 18:55:27 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210312-1

for you to fetch changes up to 41f09f2e9f09e4dd386d84174a6dcb5136af17ca:

hw/display/pxa2xx: Inline template header (2021-03-12 13:26:08 +0000)

----------------------------------------------------------------
target-arm queue:
 * versal: Support XRAMs and XRAM controller
 * smmu: Various minor bug fixes
 * SVE emulation: fix bugs handling odd vector lengths
 * allwinner-sun8i-emac: traverse transmit queue using TX_CUR_DESC register value
 * tests/acceptance: fix orangepi-pc acceptance tests
 * hw/timer/sse-timer: Propagate eventual error in sse_timer_realize()
 * hw/arm/virt: KVM: The IPA lower bound is 32
 * npcm7xx: support MFT module
 * pl110, pxa2xx_lcd: tidy up template headers

----------------------------------------------------------------
Andrew Jones (2):
      accel: kvm: Fix kvm_type invocation
      hw/arm/virt: KVM: The IPA lower bound is 32

Edgar E. Iglesias (2):
      hw/misc: versal: Add a model of the XRAM controller
      hw/arm: versal: Add support for the XRAMs

Eric Auger (7):
      intel_iommu: Fix mask may be uninitialized in vtd_context_device_invalidate
      dma: Introduce dma_aligned_pow2_mask()
      virtio-iommu: Handle non power of 2 range invalidations
      hw/arm/smmu-common: Fix smmu_iotlb_inv_iova when asid is not set
      hw/arm/smmuv3: Enforce invalidation on a power of two range
      hw/arm/smmuv3: Fix SMMU_CMD_CFGI_STE_RANGE handling
      hw/arm/smmuv3: Uniformize sid traces

Hao Wu (5):
      hw/misc: Add GPIOs for duty in NPCM7xx PWM
      hw/misc: Add NPCM7XX MFT Module
      hw/arm: Add MFT device to NPCM7xx Soc
      hw/arm: Connect PWM fans in NPCM7XX boards
      tests/qtest: Test PWM fan RPM using MFT in PWM test

Niek Linnenbank (5):
      hw/net/allwinner-sun8i-emac: traverse transmit queue using TX_CUR_DESC register value
      tests/acceptance/boot_linux_console: remove Armbian 19.11.3 bionic test for orangepi-pc machine
      tests/acceptance/boot_linux_console: change URL for test_arm_orangepi_bionic_20_08
      tests/acceptance: update sunxi kernel from armbian to 5.10.16
      tests/acceptance: drop ARMBIAN_ARTIFACTS_CACHED condition for orangepi-pc, cubieboard tests

Peter Maydell (9):
      hw/display/pl110: Remove dead code for non-32-bpp surfaces
      hw/display/pl110: Pull included-once parts of template header into pl110.c
      hw/display/pl110: Remove use of BITS from pl110_template.h
      hw/display/pxa2xx_lcd: Remove dead code for non-32-bpp surfaces
      hw/display/pxa2xx_lcd: Remove dest_width state field
      hw/display/pxa2xx: Remove use of BITS in pxa2xx_template.h
      hw/display/pxa2xx: Apply brace-related coding style fixes to template header
      hw/display/pxa2xx: Apply whitespace-only coding style fixes to template header
      hw/display/pxa2xx: Inline template header

Philippe Mathieu-Daudé (1):
      hw/timer/sse-timer: Propagate eventual error in sse_timer_realize()

Richard Henderson (8):
      target/arm: Fix sve_uzp_p vs odd vector lengths
      target/arm: Fix sve_zip_p vs odd vector lengths
      target/arm: Fix sve_punpk_p vs odd vector lengths
      target/arm: Update find_last_active for PREDDESC
      target/arm: Update BRKA, BRKB, BRKN for PREDDESC
      target/arm: Update CNTP for PREDDESC
      target/arm: Update WHILE for PREDDESC
      target/arm: Update sve reduction vs simd_desc

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

Add a model of the Xilinx Versal Accelerator RAM (XRAM).
This is mainly a stub to make firmware happy. The size of
the RAMs can be probed. The interrupt mask logic is
modelled but none of the interrups will ever be raised
unless injected.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 20210308224637.2949533-2-edgar.iglesias@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/misc/xlnx-versal-xramc.h |  97 +++++++++++
 hw/misc/xlnx-versal-xramc.c         | 253 ++++++++++++++++++++++++++++
 hw/misc/meson.build                 |   1 +
 3 files changed, 351 insertions(+)
 create mode 100644 include/hw/misc/xlnx-versal-xramc.h
 create mode 100644 hw/misc/xlnx-versal-xramc.c

diff --git a/include/hw/misc/xlnx-versal-xramc.h b/include/hw/misc/xlnx-versal-xramc.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/include/hw/misc/xlnx-versal-xramc.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * QEMU model of the Xilinx XRAM Controller.
+ *
+ * Copyright (c) 2021 Xilinx Inc.
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ * Written by Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+ */
+
+#ifndef XLNX_VERSAL_XRAMC_H
+#define XLNX_VERSAL_XRAMC_H
+
+#include "hw/sysbus.h"
+#include "hw/register.h"
+
+#define TYPE_XLNX_XRAM_CTRL "xlnx.versal-xramc"
+
+#define XLNX_XRAM_CTRL(obj) \
+     OBJECT_CHECK(XlnxXramCtrl, (obj), TYPE_XLNX_XRAM_CTRL)
+
+REG32(XRAM_ERR_CTRL, 0x0)
+    FIELD(XRAM_ERR_CTRL, UE_RES, 3, 1)
+    FIELD(XRAM_ERR_CTRL, PWR_ERR_RES, 2, 1)
+    FIELD(XRAM_ERR_CTRL, PZ_ERR_RES, 1, 1)
+    FIELD(XRAM_ERR_CTRL, APB_ERR_RES, 0, 1)
+REG32(XRAM_ISR, 0x4)
+    FIELD(XRAM_ISR, INV_APB, 0, 1)
+REG32(XRAM_IMR, 0x8)
+    FIELD(XRAM_IMR, INV_APB, 0, 1)
+REG32(XRAM_IEN, 0xc)
+    FIELD(XRAM_IEN, INV_APB, 0, 1)
+REG32(XRAM_IDS, 0x10)
+    FIELD(XRAM_IDS, INV_APB, 0, 1)
+REG32(XRAM_ECC_CNTL, 0x14)
+    FIELD(XRAM_ECC_CNTL, FI_MODE, 2, 1)
+    FIELD(XRAM_ECC_CNTL, DET_ONLY, 1, 1)
+    FIELD(XRAM_ECC_CNTL, ECC_ON_OFF, 0, 1)
+REG32(XRAM_CLR_EXE, 0x18)
+    FIELD(XRAM_CLR_EXE, MON_7, 7, 1)
+    FIELD(XRAM_CLR_EXE, MON_6, 6, 1)
+    FIELD(XRAM_CLR_EXE, MON_5, 5, 1)
+    FIELD(XRAM_CLR_EXE, MON_4, 4, 1)
+    FIELD(XRAM_CLR_EXE, MON_3, 3, 1)
+    FIELD(XRAM_CLR_EXE, MON_2, 2, 1)
+    FIELD(XRAM_CLR_EXE, MON_1, 1, 1)
+    FIELD(XRAM_CLR_EXE, MON_0, 0, 1)
+REG32(XRAM_CE_FFA, 0x1c)
+    FIELD(XRAM_CE_FFA, ADDR, 0, 20)
+REG32(XRAM_CE_FFD0, 0x20)
+REG32(XRAM_CE_FFD1, 0x24)
+REG32(XRAM_CE_FFD2, 0x28)
+REG32(XRAM_CE_FFD3, 0x2c)
+REG32(XRAM_CE_FFE, 0x30)
+    FIELD(XRAM_CE_FFE, SYNDROME, 0, 16)
+REG32(XRAM_UE_FFA, 0x34)
+    FIELD(XRAM_UE_FFA, ADDR, 0, 20)
+REG32(XRAM_UE_FFD0, 0x38)
+REG32(XRAM_UE_FFD1, 0x3c)
+REG32(XRAM_UE_FFD2, 0x40)
+REG32(XRAM_UE_FFD3, 0x44)
+REG32(XRAM_UE_FFE, 0x48)
+    FIELD(XRAM_UE_FFE, SYNDROME, 0, 16)
+REG32(XRAM_FI_D0, 0x4c)
+REG32(XRAM_FI_D1, 0x50)
+REG32(XRAM_FI_D2, 0x54)
+REG32(XRAM_FI_D3, 0x58)
+REG32(XRAM_FI_SY, 0x5c)
+    FIELD(XRAM_FI_SY, DATA, 0, 16)
+REG32(XRAM_RMW_UE_FFA, 0x70)
+    FIELD(XRAM_RMW_UE_FFA, ADDR, 0, 20)
+REG32(XRAM_FI_CNTR, 0x74)
+    FIELD(XRAM_FI_CNTR, COUNT, 0, 24)
+REG32(XRAM_IMP, 0x80)
+    FIELD(XRAM_IMP, SIZE, 0, 4)
+REG32(XRAM_PRDY_DBG, 0x84)
+    FIELD(XRAM_PRDY_DBG, ISLAND3, 12, 4)
+    FIELD(XRAM_PRDY_DBG, ISLAND2, 8, 4)
+    FIELD(XRAM_PRDY_DBG, ISLAND1, 4, 4)
+    FIELD(XRAM_PRDY_DBG, ISLAND0, 0, 4)
+REG32(XRAM_SAFETY_CHK, 0xff8)
+
+#define XRAM_CTRL_R_MAX (R_XRAM_SAFETY_CHK + 1)
+
+typedef struct XlnxXramCtrl {
+    SysBusDevice parent_obj;
+    MemoryRegion ram;
+    qemu_irq irq;
+
+    struct {
+        uint64_t size;
+        unsigned int encoded_size;
+    } cfg;
+
+    RegisterInfoArray *reg_array;
+    uint32_t regs[XRAM_CTRL_R_MAX];
+    RegisterInfo regs_info[XRAM_CTRL_R_MAX];
+} XlnxXramCtrl;
+#endif
diff --git a/hw/misc/xlnx-versal-xramc.c b/hw/misc/xlnx-versal-xramc.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/misc/xlnx-versal-xramc.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * QEMU model of the Xilinx XRAM Controller.
+ *
+ * Copyright (c) 2021 Xilinx Inc.
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ * Written by Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/units.h"
+#include "qapi/error.h"
+#include "migration/vmstate.h"
+#include "hw/sysbus.h"
+#include "hw/register.h"
+#include "hw/qdev-properties.h"
+#include "hw/irq.h"
+#include "hw/misc/xlnx-versal-xramc.h"
+
+#ifndef XLNX_XRAM_CTRL_ERR_DEBUG
+#define XLNX_XRAM_CTRL_ERR_DEBUG 0
+#endif
+
+static void xram_update_irq(XlnxXramCtrl *s)
+{
+    bool pending = s->regs[R_XRAM_ISR] & ~s->regs[R_XRAM_IMR];
+    qemu_set_irq(s->irq, pending);
+}
+
+static void xram_isr_postw(RegisterInfo *reg, uint64_t val64)
+{
+    XlnxXramCtrl *s = XLNX_XRAM_CTRL(reg->opaque);
+    xram_update_irq(s);
+}
+
+static uint64_t xram_ien_prew(RegisterInfo *reg, uint64_t val64)
+{
+    XlnxXramCtrl *s = XLNX_XRAM_CTRL(reg->opaque);
+    uint32_t val = val64;
+
+    s->regs[R_XRAM_IMR] &= ~val;
+    xram_update_irq(s);
+    return 0;
+}
+
+static uint64_t xram_ids_prew(RegisterInfo *reg, uint64_t val64)
+{
+    XlnxXramCtrl *s = XLNX_XRAM_CTRL(reg->opaque);
+    uint32_t val = val64;
+
+    s->regs[R_XRAM_IMR] |= val;
+    xram_update_irq(s);
+    return 0;
+}
+
+static const RegisterAccessInfo xram_ctrl_regs_info[] = {
+    {   .name = "XRAM_ERR_CTRL",  .addr = A_XRAM_ERR_CTRL,
+        .reset = 0xf,
+        .rsvd = 0xfffffff0,
+    },{ .name = "XRAM_ISR",  .addr = A_XRAM_ISR,
+        .rsvd = 0xfffff800,
+        .w1c = 0x7ff,
+        .post_write = xram_isr_postw,
+    },{ .name = "XRAM_IMR",  .addr = A_XRAM_IMR,
+        .reset = 0x7ff,
+        .rsvd = 0xfffff800,
+        .ro = 0x7ff,
+    },{ .name = "XRAM_IEN",  .addr = A_XRAM_IEN,
+        .rsvd = 0xfffff800,
+        .pre_write = xram_ien_prew,
+    },{ .name = "XRAM_IDS",  .addr = A_XRAM_IDS,
+        .rsvd = 0xfffff800,
+        .pre_write = xram_ids_prew,
+    },{ .name = "XRAM_ECC_CNTL",  .addr = A_XRAM_ECC_CNTL,
+        .rsvd = 0xfffffff8,
+    },{ .name = "XRAM_CLR_EXE",  .addr = A_XRAM_CLR_EXE,
+        .rsvd = 0xffffff00,
+    },{ .name = "XRAM_CE_FFA",  .addr = A_XRAM_CE_FFA,
+        .rsvd = 0xfff00000,
+        .ro = 0xfffff,
+    },{ .name = "XRAM_CE_FFD0",  .addr = A_XRAM_CE_FFD0,
+        .ro = 0xffffffff,
+    },{ .name = "XRAM_CE_FFD1",  .addr = A_XRAM_CE_FFD1,
+        .ro = 0xffffffff,
+    },{ .name = "XRAM_CE_FFD2",  .addr = A_XRAM_CE_FFD2,
+        .ro = 0xffffffff,
+    },{ .name = "XRAM_CE_FFD3",  .addr = A_XRAM_CE_FFD3,
+        .ro = 0xffffffff,
+    },{ .name = "XRAM_CE_FFE",  .addr = A_XRAM_CE_FFE,
+        .rsvd = 0xffff0000,
+        .ro = 0xffff,
+    },{ .name = "XRAM_UE_FFA",  .addr = A_XRAM_UE_FFA,
+        .rsvd = 0xfff00000,
+        .ro = 0xfffff,
+    },{ .name = "XRAM_UE_FFD0",  .addr = A_XRAM_UE_FFD0,
+        .ro = 0xffffffff,
+    },{ .name = "XRAM_UE_FFD1",  .addr = A_XRAM_UE_FFD1,
+        .ro = 0xffffffff,
+    },{ .name = "XRAM_UE_FFD2",  .addr = A_XRAM_UE_FFD2,
+        .ro = 0xffffffff,
+    },{ .name = "XRAM_UE_FFD3",  .addr = A_XRAM_UE_FFD3,
+        .ro = 0xffffffff,
+    },{ .name = "XRAM_UE_FFE",  .addr = A_XRAM_UE_FFE,
+        .rsvd = 0xffff0000,
+        .ro = 0xffff,
+    },{ .name = "XRAM_FI_D0",  .addr = A_XRAM_FI_D0,
+    },{ .name = "XRAM_FI_D1",  .addr = A_XRAM_FI_D1,
+    },{ .name = "XRAM_FI_D2",  .addr = A_XRAM_FI_D2,
+    },{ .name = "XRAM_FI_D3",  .addr = A_XRAM_FI_D3,
+    },{ .name = "XRAM_FI_SY",  .addr = A_XRAM_FI_SY,
+        .rsvd = 0xffff0000,
+    },{ .name = "XRAM_RMW_UE_FFA",  .addr = A_XRAM_RMW_UE_FFA,
+        .rsvd = 0xfff00000,
+        .ro = 0xfffff,
+    },{ .name = "XRAM_FI_CNTR",  .addr = A_XRAM_FI_CNTR,
+        .rsvd = 0xff000000,
+    },{ .name = "XRAM_IMP",  .addr = A_XRAM_IMP,
+        .reset = 0x4,
+        .rsvd = 0xfffffff0,
+        .ro = 0xf,
+    },{ .name = "XRAM_PRDY_DBG",  .addr = A_XRAM_PRDY_DBG,
+        .reset = 0xffff,
+        .rsvd = 0xffff0000,
+        .ro = 0xffff,
+    },{ .name = "XRAM_SAFETY_CHK",  .addr = A_XRAM_SAFETY_CHK,
+    }
+};
+
+static void xram_ctrl_reset_enter(Object *obj, ResetType type)
+{
+    XlnxXramCtrl *s = XLNX_XRAM_CTRL(obj);
+    unsigned int i;
+
+    for (i = 0; i < ARRAY_SIZE(s->regs_info); ++i) {
+        register_reset(&s->regs_info[i]);
+    }
+
+    ARRAY_FIELD_DP32(s->regs, XRAM_IMP, SIZE, s->cfg.encoded_size);
+}
+
+static void xram_ctrl_reset_hold(Object *obj)
+{
+    XlnxXramCtrl *s = XLNX_XRAM_CTRL(obj);
+
+    xram_update_irq(s);
+}
+
+static const MemoryRegionOps xram_ctrl_ops = {
+    .read = register_read_memory,
+    .write = register_write_memory,
+    .endianness = DEVICE_LITTLE_ENDIAN,
+    .valid = {
+        .min_access_size = 4,
+        .max_access_size = 4,
+    },
+};
+
+static void xram_ctrl_realize(DeviceState *dev, Error **errp)
+{
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
+    XlnxXramCtrl *s = XLNX_XRAM_CTRL(dev);
+
+    switch (s->cfg.size) {
+    case 64 * KiB:
+        s->cfg.encoded_size = 0;
+        break;
+    case 128 * KiB:
+        s->cfg.encoded_size = 1;
+        break;
+    case 256 * KiB:
+        s->cfg.encoded_size = 2;
+        break;
+    case 512 * KiB:
+        s->cfg.encoded_size = 3;
+        break;
+    case 1 * MiB:
+        s->cfg.encoded_size = 4;
+        break;
+    default:
+        error_setg(errp, "Unsupported XRAM size %" PRId64, s->cfg.size);
+        return;
+    }
+
+    memory_region_init_ram(&s->ram, OBJECT(s),
+                           object_get_canonical_path_component(OBJECT(s)),
+                           s->cfg.size, &error_fatal);
+    sysbus_init_mmio(sbd, &s->ram);
+}
+
+static void xram_ctrl_init(Object *obj)
+{
+    XlnxXramCtrl *s = XLNX_XRAM_CTRL(obj);
+    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
+
+    s->reg_array =
+        register_init_block32(DEVICE(obj), xram_ctrl_regs_info,
+                              ARRAY_SIZE(xram_ctrl_regs_info),
+                              s->regs_info, s->regs,
+                              &xram_ctrl_ops,
+                              XLNX_XRAM_CTRL_ERR_DEBUG,
+                              XRAM_CTRL_R_MAX * 4);
+    sysbus_init_mmio(sbd, &s->reg_array->mem);
+    sysbus_init_irq(sbd, &s->irq);
+}
+
+static void xram_ctrl_finalize(Object *obj)
+{
+    XlnxXramCtrl *s = XLNX_XRAM_CTRL(obj);
+    register_finalize_block(s->reg_array);
+}
+
+static const VMStateDescription vmstate_xram_ctrl = {
+    .name = TYPE_XLNX_XRAM_CTRL,
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32_ARRAY(regs, XlnxXramCtrl, XRAM_CTRL_R_MAX),
+        VMSTATE_END_OF_LIST(),
+    }
+};
+
+static Property xram_ctrl_properties[] = {
+    DEFINE_PROP_UINT64("size", XlnxXramCtrl, cfg.size, 1 * MiB),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
+static void xram_ctrl_class_init(ObjectClass *klass, void *data)
+{
+    ResettableClass *rc = RESETTABLE_CLASS(klass);
+    DeviceClass *dc = DEVICE_CLASS(klass);
+
+    dc->realize = xram_ctrl_realize;
+    dc->vmsd = &vmstate_xram_ctrl;
+    device_class_set_props(dc, xram_ctrl_properties);
+
+    rc->phases.enter = xram_ctrl_reset_enter;
+    rc->phases.hold = xram_ctrl_reset_hold;
+}
+
+static const TypeInfo xram_ctrl_info = {
+    .name              = TYPE_XLNX_XRAM_CTRL,
+    .parent            = TYPE_SYS_BUS_DEVICE,
+    .instance_size     = sizeof(XlnxXramCtrl),
+    .class_init        = xram_ctrl_class_init,
+    .instance_init     = xram_ctrl_init,
+    .instance_finalize = xram_ctrl_finalize,
+};
+
+static void xram_ctrl_register_types(void)
+{
+    type_register_static(&xram_ctrl_info);
+}
+
+type_init(xram_ctrl_register_types)
diff --git a/hw/misc/meson.build b/hw/misc/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/meson.build
+++ b/hw/misc/meson.build
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_RASPI', if_true: files(
 ))
 softmmu_ss.add(when: 'CONFIG_SLAVIO', if_true: files('slavio_misc.c'))
 softmmu_ss.add(when: 'CONFIG_ZYNQ', if_true: files('zynq_slcr.c', 'zynq-xadc.c'))
+softmmu_ss.add(when: 'CONFIG_XLNX_VERSAL', if_true: files('xlnx-versal-xramc.c'))
 softmmu_ss.add(when: 'CONFIG_STM32F2XX_SYSCFG', if_true: files('stm32f2xx_syscfg.c'))
 softmmu_ss.add(when: 'CONFIG_STM32F4XX_SYSCFG', if_true: files('stm32f4xx_syscfg.c'))
 softmmu_ss.add(when: 'CONFIG_STM32F4XX_EXTI', if_true: files('stm32f4xx_exti.c'))
-- 
2.20.1

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

Connect the support for the Versal Accelerator RAMs (XRAMs).

Reviewed-by: Luc Michel <luc@lmichel.fr>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 20210308224637.2949533-3-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/xlnx-versal-virt.rst |  1 +
 include/hw/arm/xlnx-versal.h         | 13 ++++++++++
 hw/arm/xlnx-versal.c                 | 36 ++++++++++++++++++++++++++++
 3 files changed, 50 insertions(+)

diff --git a/docs/system/arm/xlnx-versal-virt.rst b/docs/system/arm/xlnx-versal-virt.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/xlnx-versal-virt.rst
+++ b/docs/system/arm/xlnx-versal-virt.rst
@@ -XXX,XX +XXX,XX @@ Implemented devices:
 - 8 ADMA (Xilinx zDMA) channels
 - 2 SD Controllers
 - OCM (256KB of On Chip Memory)
+- XRAM (4MB of on chip Accelerator RAM)
 - DDR memory
 
 QEMU does not yet model any other devices, including the PL and the AI Engine.
diff --git a/include/hw/arm/xlnx-versal.h b/include/hw/arm/xlnx-versal.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/xlnx-versal.h
+++ b/include/hw/arm/xlnx-versal.h
@@ -XXX,XX +XXX,XX @@
 
 #include "hw/sysbus.h"
 #include "hw/arm/boot.h"
+#include "hw/or-irq.h"
 #include "hw/sd/sdhci.h"
 #include "hw/intc/arm_gicv3.h"
 #include "hw/char/pl011.h"
@@ -XXX,XX +XXX,XX @@
 #include "hw/rtc/xlnx-zynqmp-rtc.h"
 #include "qom/object.h"
 #include "hw/usb/xlnx-usb-subsystem.h"
+#include "hw/misc/xlnx-versal-xramc.h"
 
 #define TYPE_XLNX_VERSAL "xlnx-versal"
 OBJECT_DECLARE_SIMPLE_TYPE(Versal, XLNX_VERSAL)
@@ -XXX,XX +XXX,XX @@ OBJECT_DECLARE_SIMPLE_TYPE(Versal, XLNX_VERSAL)
 #define XLNX_VERSAL_NR_GEMS    2
 #define XLNX_VERSAL_NR_ADMAS   8
 #define XLNX_VERSAL_NR_SDS     2
+#define XLNX_VERSAL_NR_XRAM    4
 #define XLNX_VERSAL_NR_IRQS    192
 
 struct Versal {
@@ -XXX,XX +XXX,XX @@ struct Versal {
             XlnxZDMA adma[XLNX_VERSAL_NR_ADMAS];
             VersalUsb2 usb;
         } iou;
+
+        struct {
+            qemu_or_irq irq_orgate;
+            XlnxXramCtrl ctrl[XLNX_VERSAL_NR_XRAM];
+        } xram;
     } lpd;
 
     /* The Platform Management Controller subsystem.  */
@@ -XXX,XX +XXX,XX @@ struct Versal {
 #define VERSAL_GEM1_IRQ_0          58
 #define VERSAL_GEM1_WAKE_IRQ_0     59
 #define VERSAL_ADMA_IRQ_0          60
+#define VERSAL_XRAM_IRQ_0          79
 #define VERSAL_RTC_APB_ERR_IRQ     121
 #define VERSAL_SD0_IRQ_0           126
 #define VERSAL_RTC_ALARM_IRQ       142
@@ -XXX,XX +XXX,XX @@ struct Versal {
 #define MM_OCM                      0xfffc0000U
 #define MM_OCM_SIZE                 0x40000
 
+#define MM_XRAM                     0xfe800000
+#define MM_XRAMC                    0xff8e0000
+#define MM_XRAMC_SIZE               0x10000
+
 #define MM_USB2_CTRL_REGS           0xFF9D0000
 #define MM_USB2_CTRL_REGS_SIZE      0x10000
 
diff --git a/hw/arm/xlnx-versal.c b/hw/arm/xlnx-versal.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xlnx-versal.c
+++ b/hw/arm/xlnx-versal.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/units.h"
 #include "qapi/error.h"
 #include "qemu/log.h"
 #include "qemu/module.h"
@@ -XXX,XX +XXX,XX @@ static void versal_create_rtc(Versal *s, qemu_irq *pic)
     sysbus_connect_irq(sbd, 1, pic[VERSAL_RTC_APB_ERR_IRQ]);
 }
 
+static void versal_create_xrams(Versal *s, qemu_irq *pic)
+{
+    int nr_xrams = ARRAY_SIZE(s->lpd.xram.ctrl);
+    DeviceState *orgate;
+    int i;
+
+    /* XRAM IRQs get ORed into a single line.  */
+    object_initialize_child(OBJECT(s), "xram-irq-orgate",
+                            &s->lpd.xram.irq_orgate, TYPE_OR_IRQ);
+    orgate = DEVICE(&s->lpd.xram.irq_orgate);
+    object_property_set_int(OBJECT(orgate),
+                            "num-lines", nr_xrams, &error_fatal);
+    qdev_realize(orgate, NULL, &error_fatal);
+    qdev_connect_gpio_out(orgate, 0, pic[VERSAL_XRAM_IRQ_0]);
+
+    for (i = 0; i < ARRAY_SIZE(s->lpd.xram.ctrl); i++) {
+        SysBusDevice *sbd;
+        MemoryRegion *mr;
+
+        object_initialize_child(OBJECT(s), "xram[*]", &s->lpd.xram.ctrl[i],
+                                TYPE_XLNX_XRAM_CTRL);
+        sbd = SYS_BUS_DEVICE(&s->lpd.xram.ctrl[i]);
+        sysbus_realize(sbd, &error_fatal);
+
+        mr = sysbus_mmio_get_region(sbd, 0);
+        memory_region_add_subregion(&s->mr_ps,
+                                    MM_XRAMC + i * MM_XRAMC_SIZE, mr);
+        mr = sysbus_mmio_get_region(sbd, 1);
+        memory_region_add_subregion(&s->mr_ps, MM_XRAM + i * MiB, mr);
+
+        sysbus_connect_irq(sbd, 0, qdev_get_gpio_in(orgate, i));
+    }
+}
+
 /* This takes the board allocated linear DDR memory and creates aliases
  * for each split DDR range/aperture on the Versal address map.
  */
@@ -XXX,XX +XXX,XX @@ static void versal_realize(DeviceState *dev, Error **errp)
     versal_create_admas(s, pic);
     versal_create_sds(s, pic);
     versal_create_rtc(s, pic);
+    versal_create_xrams(s, pic);
     versal_map_ddr(s);
     versal_unimp(s);
 
-- 
2.20.1

From: Eric Auger <eric.auger@redhat.com>

With -Werror=maybe-uninitialized configuration we get
../hw/i386/intel_iommu.c: In function ‘vtd_context_device_invalidate’:
../hw/i386/intel_iommu.c:1888:10: error: ‘mask’ may be used
uninitialized in this function [-Werror=maybe-uninitialized]
 1888 |     mask = ~mask;
      |     ~~~~~^~~~~~~

Add a g_assert_not_reached() to avoid the error.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20210309102742.30442-2-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/i386/intel_iommu.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -XXX,XX +XXX,XX @@ static void vtd_context_device_invalidate(IntelIOMMUState *s,
     case 3:
         mask = 7;   /* Mask bit 2:0 in the SID field */
         break;
+    default:
+        g_assert_not_reached();
     }
     mask = ~mask;
 
-- 
2.20.1

From: Eric Auger <eric.auger@redhat.com>

Currently get_naturally_aligned_size() is used by the intel iommu
to compute the maximum invalidation range based on @size which is
a power of 2 while being aligned with the @start address and less
than the maximum range defined by @gaw.

This helper is also useful for other iommu devices (virtio-iommu,
SMMUv3) to make sure IOMMU UNMAP notifiers only are called with
power of 2 range sizes.

Let's move this latter into dma-helpers.c and rename it into
dma_aligned_pow2_mask(). Also rewrite the helper so that it
accomodates UINT64_MAX values for the size mask and max mask.
It now returns a mask instead of a size. Change the caller.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Message-id: 20210309102742.30442-3-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/sysemu/dma.h  | 12 ++++++++++++
 hw/i386/intel_iommu.c | 30 +++++++-----------------------
 softmmu/dma-helpers.c | 26 ++++++++++++++++++++++++++
 3 files changed, 45 insertions(+), 23 deletions(-)

diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
index XXXXXXX..XXXXXXX 100644
--- a/include/sysemu/dma.h
+++ b/include/sysemu/dma.h
@@ -XXX,XX +XXX,XX @@ uint64_t dma_buf_write(uint8_t *ptr, int32_t len, QEMUSGList *sg);
 void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie,
                     QEMUSGList *sg, enum BlockAcctType type);
 
+/**
+ * dma_aligned_pow2_mask: Return the address bit mask of the largest
+ * power of 2 size less or equal than @end - @start + 1, aligned with @start,
+ * and bounded by 1 << @max_addr_bits bits.
+ *
+ * @start: range start address
+ * @end: range end address (greater than @start)
+ * @max_addr_bits: max address bits (<= 64)
+ */
+uint64_t dma_aligned_pow2_mask(uint64_t start, uint64_t end,
+                               int max_addr_bits);
+
 #endif
diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/i386/x86-iommu.h"
 #include "hw/pci-host/q35.h"
 #include "sysemu/kvm.h"
+#include "sysemu/dma.h"
 #include "sysemu/sysemu.h"
 #include "hw/i386/apic_internal.h"
 #include "kvm/kvm_i386.h"
@@ -XXX,XX +XXX,XX @@ VTDAddressSpace *vtd_find_add_as(IntelIOMMUState *s, PCIBus *bus, int devfn)
     return vtd_dev_as;
 }
 
-static uint64_t get_naturally_aligned_size(uint64_t start,
-                                           uint64_t size, int gaw)
-{
-    uint64_t max_mask = 1ULL << gaw;
-    uint64_t alignment = start ? start & -start : max_mask;
-
-    alignment = MIN(alignment, max_mask);
-    size = MIN(size, max_mask);
-
-    if (alignment <= size) {
-        /* Increase the alignment of start */
-        return alignment;
-    } else {
-        /* Find the largest page mask from size */
-        return 1ULL << (63 - clz64(size));
-    }
-}
-
 /* Unmap the whole range in the notifier's scope. */
 static void vtd_address_space_unmap(VTDAddressSpace *as, IOMMUNotifier *n)
 {
@@ -XXX,XX +XXX,XX @@ static void vtd_address_space_unmap(VTDAddressSpace *as, IOMMUNotifier *n)
 
     while (remain >= VTD_PAGE_SIZE) {
         IOMMUTLBEvent event;
-        uint64_t mask = get_naturally_aligned_size(start, remain, s->aw_bits);
+        uint64_t mask = dma_aligned_pow2_mask(start, end, s->aw_bits);
+        uint64_t size = mask + 1;
 
-        assert(mask);
+        assert(size);
 
         event.type = IOMMU_NOTIFIER_UNMAP;
         event.entry.iova = start;
-        event.entry.addr_mask = mask - 1;
+        event.entry.addr_mask = mask;
         event.entry.target_as = &address_space_memory;
         event.entry.perm = IOMMU_NONE;
         /* This field is meaningless for unmap */
@@ -XXX,XX +XXX,XX @@ static void vtd_address_space_unmap(VTDAddressSpace *as, IOMMUNotifier *n)
 
         memory_region_notify_iommu_one(n, &event);
 
-        start += mask;
-        remain -= mask;
+        start += size;
+        remain -= size;
     }
 
     assert(!remain);
diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
index XXXXXXX..XXXXXXX 100644
--- a/softmmu/dma-helpers.c
+++ b/softmmu/dma-helpers.c
@@ -XXX,XX +XXX,XX @@ void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie,
 {
     block_acct_start(blk_get_stats(blk), cookie, sg->size, type);
 }
+
+uint64_t dma_aligned_pow2_mask(uint64_t start, uint64_t end, int max_addr_bits)
+{
+    uint64_t max_mask = UINT64_MAX, addr_mask = end - start;
+    uint64_t alignment_mask, size_mask;
+
+    if (max_addr_bits != 64) {
+        max_mask = (1ULL << max_addr_bits) - 1;
+    }
+
+    alignment_mask = start ? (start & -start) - 1 : max_mask;
+    alignment_mask = MIN(alignment_mask, max_mask);
+    size_mask = MIN(addr_mask, max_mask);
+
+    if (alignment_mask <= size_mask) {
+        /* Increase the alignment of start */
+        return alignment_mask;
+    } else {
+        /* Find the largest page mask from size */
+        if (addr_mask == UINT64_MAX) {
+            return UINT64_MAX;
+        }
+        return (1ULL << (63 - clz64(addr_mask + 1))) - 1;
+    }
+}
+
-- 
2.20.1

From: Eric Auger <eric.auger@redhat.com>

Unmap notifiers work with an address mask assuming an
invalidation range of a power of 2. Nothing mandates this
in the VIRTIO-IOMMU spec.

So in case the range is not a power of 2, split it into
several invalidations.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Message-id: 20210309102742.30442-4-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/virtio/virtio-iommu.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/virtio/virtio-iommu.c
+++ b/hw/virtio/virtio-iommu.c
@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_notify_unmap(IOMMUMemoryRegion *mr, hwaddr virt_start,
                                       hwaddr virt_end)
 {
     IOMMUTLBEvent event;
+    uint64_t delta = virt_end - virt_start;
 
     if (!(mr->iommu_notify_flags & IOMMU_NOTIFIER_UNMAP)) {
         return;
@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_notify_unmap(IOMMUMemoryRegion *mr, hwaddr virt_start,
 
     event.type = IOMMU_NOTIFIER_UNMAP;
     event.entry.target_as = &address_space_memory;
-    event.entry.addr_mask = virt_end - virt_start;
-    event.entry.iova = virt_start;
     event.entry.perm = IOMMU_NONE;
     event.entry.translated_addr = 0;
+    event.entry.addr_mask = delta;
+    event.entry.iova = virt_start;
 
-    memory_region_notify_iommu(mr, 0, event);
+    if (delta == UINT64_MAX) {
+        memory_region_notify_iommu(mr, 0, event);
+    }
+
+
+    while (virt_start != virt_end + 1) {
+        uint64_t mask = dma_aligned_pow2_mask(virt_start, virt_end, 64);
+
+        event.entry.addr_mask = mask;
+        event.entry.iova = virt_start;
+        memory_region_notify_iommu(mr, 0, event);
+        virt_start += mask + 1;
+    }
 }
 
 static gboolean virtio_iommu_notify_unmap_cb(gpointer key, gpointer value,
-- 
2.20.1

From: Eric Auger <eric.auger@redhat.com>

If the asid is not set, do not attempt to locate the key directly
as all inserted keys have a valid asid.

Use g_hash_table_foreach_remove instead.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20210309102742.30442-5-eric.auger@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmu-common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

From: Eric Auger <eric.auger@redhat.com>

As of today, the driver can invalidate a number of pages that is
not a power of 2. However IOTLB unmap notifications and internal
IOTLB invalidations work with masks leading to erroneous
invalidations.

In case the range is not a power of 2, split invalidations into
power of 2 invalidations.

When looking for a single page entry in the vSMMU internal IOTLB,
let's make sure that if the entry is not found using a
g_hash_table_remove() we iterate over all the entries to find a
potential range that overlaps it.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20210309102742.30442-6-eric.auger@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmu-common.c | 30 ++++++++++++++++++------------
 hw/arm/smmuv3.c      | 24 ++++++++++++++++++++----
 2 files changed, 38 insertions(+), 16 deletions(-)

diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@ inline void
 smmu_iotlb_inv_iova(SMMUState *s, int asid, dma_addr_t iova,
                     uint8_t tg, uint64_t num_pages, uint8_t ttl)
 {
+    /* if tg is not set we use 4KB range invalidation */
+    uint8_t granule = tg ? tg * 2 + 10 : 12;
+
     if (ttl && (num_pages == 1) && (asid >= 0)) {
         SMMUIOTLBKey key = smmu_get_iotlb_key(asid, iova, tg, ttl);
 
-        g_hash_table_remove(s->iotlb, &key);
-    } else {
-        /* if tg is not set we use 4KB range invalidation */
-        uint8_t granule = tg ? tg * 2 + 10 : 12;
-
-        SMMUIOTLBPageInvInfo info = {
-            .asid = asid, .iova = iova,
-            .mask = (num_pages * 1 << granule) - 1};
-
-        g_hash_table_foreach_remove(s->iotlb,
-                                    smmu_hash_remove_by_asid_iova,
-                                    &info);
+        if (g_hash_table_remove(s->iotlb, &key)) {
+            return;
+        }
+        /*
+         * if the entry is not found, let's see if it does not
+         * belong to a larger IOTLB entry
+         */
     }
+
+    SMMUIOTLBPageInvInfo info = {
+        .asid = asid, .iova = iova,
+        .mask = (num_pages * 1 << granule) - 1};
+
+    g_hash_table_foreach_remove(s->iotlb,
+                                smmu_hash_remove_by_asid_iova,
+                                &info);
 }
 
 inline void smmu_iotlb_inv_asid(SMMUState *s, uint16_t asid)
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static void smmuv3_s1_range_inval(SMMUState *s, Cmd *cmd)
     uint16_t vmid = CMD_VMID(cmd);
     bool leaf = CMD_LEAF(cmd);
     uint8_t tg = CMD_TG(cmd);
-    hwaddr num_pages = 1;
+    uint64_t first_page = 0, last_page;
+    uint64_t num_pages = 1;
     int asid = -1;
 
     if (tg) {
@@ -XXX,XX +XXX,XX @@ static void smmuv3_s1_range_inval(SMMUState *s, Cmd *cmd)
     if (type == SMMU_CMD_TLBI_NH_VA) {
         asid = CMD_ASID(cmd);
     }
-    trace_smmuv3_s1_range_inval(vmid, asid, addr, tg, num_pages, ttl, leaf);
-    smmuv3_inv_notifiers_iova(s, asid, addr, tg, num_pages);
-    smmu_iotlb_inv_iova(s, asid, addr, tg, num_pages, ttl);
+
+    /* Split invalidations into ^2 range invalidations */
+    last_page = num_pages - 1;
+    while (num_pages) {
+        uint8_t granule = tg * 2 + 10;
+        uint64_t mask, count;
+
+        mask = dma_aligned_pow2_mask(first_page, last_page, 64 - granule);
+        count = mask + 1;
+
+        trace_smmuv3_s1_range_inval(vmid, asid, addr, tg, count, ttl, leaf);
+        smmuv3_inv_notifiers_iova(s, asid, addr, tg, count);
+        smmu_iotlb_inv_iova(s, asid, addr, tg, count, ttl);
+
+        num_pages -= count;
+        first_page += count;
+        addr += count * BIT_ULL(granule);
+    }
 }
 
 static int smmuv3_cmdq_consume(SMMUv3State *s)
-- 
2.20.1

From: Eric Auger <eric.auger@redhat.com>

If the whole SID range (32b) is invalidated (SMMU_CMD_CFGI_ALL),
@end overflows and we fail to handle the command properly.

Once this gets fixed, the current code really is awkward in the
sense it loops over the whole range instead of removing the
currently cached configs through a hash table lookup.

Fix both the overflow and the lookup.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20210309102742.30442-7-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmu-internal.h |  5 +++++
 hw/arm/smmuv3.c        | 34 ++++++++++++++++++++--------------
 2 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/hw/arm/smmu-internal.h b/hw/arm/smmu-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-internal.h
+++ b/hw/arm/smmu-internal.h
@@ -XXX,XX +XXX,XX @@ typedef struct SMMUIOTLBPageInvInfo {
     uint64_t mask;
 } SMMUIOTLBPageInvInfo;
 
+typedef struct SMMUSIDRange {
+    uint32_t start;
+    uint32_t end;
+} SMMUSIDRange;
+
 #endif
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@
 
 #include "hw/arm/smmuv3.h"
 #include "smmuv3-internal.h"
+#include "smmu-internal.h"
 
 /**
  * smmuv3_trigger_irq - pulse @irq if enabled and update
@@ -XXX,XX +XXX,XX @@ static void smmuv3_s1_range_inval(SMMUState *s, Cmd *cmd)
     }
 }
 
+static gboolean
+smmuv3_invalidate_ste(gpointer key, gpointer value, gpointer user_data)
+{
+    SMMUDevice *sdev = (SMMUDevice *)key;
+    uint32_t sid = smmu_get_sid(sdev);
+    SMMUSIDRange *sid_range = (SMMUSIDRange *)user_data;
+
+    if (sid < sid_range->start || sid > sid_range->end) {
+        return false;
+    }
+    trace_smmuv3_config_cache_inv(sid);
+    return true;
+}
+
 static int smmuv3_cmdq_consume(SMMUv3State *s)
 {
     SMMUState *bs = ARM_SMMU(s);
@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
         }
         case SMMU_CMD_CFGI_STE_RANGE: /* same as SMMU_CMD_CFGI_ALL */
         {
-            uint32_t start = CMD_SID(&cmd), end, i;
+            uint32_t start = CMD_SID(&cmd);
             uint8_t range = CMD_STE_RANGE(&cmd);
+            uint64_t end = start + (1ULL << (range + 1)) - 1;
+            SMMUSIDRange sid_range = {start, end};
 
             if (CMD_SSEC(&cmd)) {
                 cmd_error = SMMU_CERROR_ILL;
                 break;
             }
-
-            end = start + (1 << (range + 1)) - 1;
             trace_smmuv3_cmdq_cfgi_ste_range(start, end);
-
-            for (i = start; i <= end; i++) {
-                IOMMUMemoryRegion *mr = smmu_iommu_mr(bs, i);
-                SMMUDevice *sdev;
-
-                if (!mr) {
-                    continue;
-                }
-                sdev = container_of(mr, SMMUDevice, iommu);
-                smmuv3_flush_config(sdev);
-            }
+            g_hash_table_foreach_remove(bs->configs, smmuv3_invalidate_ste,
+                                        &sid_range);
             break;
         }
         case SMMU_CMD_CFGI_CD:
-- 
2.20.1

From: Eric Auger <eric.auger@redhat.com>

Convert all sid printouts to sid=0x%x.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20210309102742.30442-8-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/trace-events | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmuv3_cmdq_opcode(const char *opcode) "<--- %s"
 smmuv3_cmdq_consume_out(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "prod:%d, cons:%d, prod_wrap:%d, cons_wrap:%d "
 smmuv3_cmdq_consume_error(const char *cmd_name, uint8_t cmd_error) "Error on %s command execution: %d"
 smmuv3_write_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr: 0x%"PRIx64" val:0x%"PRIx64" size: 0x%x(%d)"
-smmuv3_record_event(const char *type, uint32_t sid) "%s sid=%d"
-smmuv3_find_ste(uint16_t sid, uint32_t features, uint16_t sid_split) "SID:0x%x features:0x%x, sid_split:0x%x"
+smmuv3_record_event(const char *type, uint32_t sid) "%s sid=0x%x"
+smmuv3_find_ste(uint16_t sid, uint32_t features, uint16_t sid_split) "sid=0x%x features:0x%x, sid_split:0x%x"
 smmuv3_find_ste_2lvl(uint64_t strtab_base, uint64_t l1ptr, int l1_ste_offset, uint64_t l2ptr, int l2_ste_offset, int max_l2_ste) "strtab_base:0x%"PRIx64" l1ptr:0x%"PRIx64" l1_off:0x%x, l2ptr:0x%"PRIx64" l2_off:0x%x max_l2_ste:%d"
 smmuv3_get_ste(uint64_t addr) "STE addr: 0x%"PRIx64
-smmuv3_translate_disable(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=%d bypass (smmu disabled) iova:0x%"PRIx64" is_write=%d"
-smmuv3_translate_bypass(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=%d STE bypass iova:0x%"PRIx64" is_write=%d"
-smmuv3_translate_abort(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=%d abort on iova:0x%"PRIx64" is_write=%d"
-smmuv3_translate_success(const char *n, uint16_t sid, uint64_t iova, uint64_t translated, int perm) "%s sid=%d iova=0x%"PRIx64" translated=0x%"PRIx64" perm=0x%x"
+smmuv3_translate_disable(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=0x%x bypass (smmu disabled) iova:0x%"PRIx64" is_write=%d"
+smmuv3_translate_bypass(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=0x%x STE bypass iova:0x%"PRIx64" is_write=%d"
+smmuv3_translate_abort(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=0x%x abort on iova:0x%"PRIx64" is_write=%d"
+smmuv3_translate_success(const char *n, uint16_t sid, uint64_t iova, uint64_t translated, int perm) "%s sid=0x%x iova=0x%"PRIx64" translated=0x%"PRIx64" perm=0x%x"
 smmuv3_get_cd(uint64_t addr) "CD addr: 0x%"PRIx64
 smmuv3_decode_cd(uint32_t oas) "oas=%d"
 smmuv3_decode_cd_tt(int i, uint32_t tsz, uint64_t ttb, uint32_t granule_sz, bool had) "TT[%d]:tsz:%d ttb:0x%"PRIx64" granule_sz:%d had:%d"
-smmuv3_cmdq_cfgi_ste(int streamid) "streamid =%d"
+smmuv3_cmdq_cfgi_ste(int streamid) "streamid= 0x%x"
 smmuv3_cmdq_cfgi_ste_range(int start, int end) "start=0x%x - end=0x%x"
-smmuv3_cmdq_cfgi_cd(uint32_t sid) "streamid = %d"
-smmuv3_config_cache_hit(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache HIT for sid %d (hits=%d, misses=%d, hit rate=%d)"
-smmuv3_config_cache_miss(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache MISS for sid %d (hits=%d, misses=%d, hit rate=%d)"
-smmuv3_s1_range_inval(int vmid, int asid, uint64_t addr, uint8_t tg, uint64_t num_pages, uint8_t ttl, bool leaf) "vmid =%d asid =%d addr=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64" ttl=%d leaf=%d"
+smmuv3_cmdq_cfgi_cd(uint32_t sid) "sid=0x%x"
+smmuv3_config_cache_hit(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache HIT for sid=0x%x (hits=%d, misses=%d, hit rate=%d)"
+smmuv3_config_cache_miss(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache MISS for sid=0x%x (hits=%d, misses=%d, hit rate=%d)"
+smmuv3_s1_range_inval(int vmid, int asid, uint64_t addr, uint8_t tg, uint64_t num_pages, uint8_t ttl, bool leaf) "vmid=%d asid=%d addr=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64" ttl=%d leaf=%d"
 smmuv3_cmdq_tlbi_nh(void) ""
 smmuv3_cmdq_tlbi_nh_asid(uint16_t asid) "asid=%d"
-smmuv3_config_cache_inv(uint32_t sid) "Config cache INV for sid %d"
+smmuv3_config_cache_inv(uint32_t sid) "Config cache INV for sid=0x%x"
 smmuv3_notify_flag_add(const char *iommu) "ADD SMMUNotifier node for iommu mr=%s"
 smmuv3_notify_flag_del(const char *iommu) "DEL SMMUNotifier node for iommu mr=%s"
 smmuv3_inv_notifiers_iova(const char *name, uint16_t asid, uint64_t iova, uint8_t tg, uint64_t num_pages) "iommu mr=%s asid=%d iova=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64
-- 
2.20.1