A last collection of patches to squeeze in before rc0.

The patches from me are all bugfixes. Philippe's are just

code-movement, but I wanted to get these into 4.1 because

that kind of patch is so painful to have to rebase.

(The diffstat is huge but it's just code moving from file to file.)

The following changes since commit 234e256511e588680300600ce087c5185d68cf2a:

Merge remote-tracking branch 'remotes/armbru/tags/pull-build-2019-07-02-v2' into staging (2019-07-04 15:58:46 +0100)

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190704

for you to fetch changes up to b75f3735802b5b33f10e4bfe374d4b17bb86d29a:

target/arm: Correct VMOV_imm_dp handling of short vectors (2019-07-04 16:52:05 +0100)

* more code-movement to separate TCG-only functions into their own files

* Correct VMOV_imm_dp handling of short vectors

* Execute Thumb instructions when their condbits are 0xf

* armv7m_systick: Forbid non-privileged accesses

* Use _ra versions of cpu_stl_data() in v7M helpers

* v8M: Check state of exception being returned from

* v8M: Forcibly clear negative-priority exceptions on deactivate

Peter Maydell (6):

arm v8M: Forcibly clear negative-priority exceptions on deactivate

target/arm: v8M: Check state of exception being returned from

target/arm: Use _ra versions of cpu_stl_data() in v7M helpers

hw/timer/armv7m_systick: Forbid non-privileged accesses

target/arm: Execute Thumb instructions when their condbits are 0xf

target/arm: Correct VMOV_imm_dp handling of short vectors

Philippe Mathieu-Daudé (3):

target/arm: Move debug routines to debug_helper.c

target/arm: Restrict semi-hosting to TCG

target/arm/helper: Move M profile routines to m_helper.c

target/arm/Makefile.objs | 5 +-

target/arm/cpu.h | 7 +

hw/intc/armv7m_nvic.c | 54 +-

hw/timer/armv7m_systick.c | 26 +-

target/arm/cpu.c | 9 +-

target/arm/debug_helper.c | 311 +++++

target/arm/helper.c | 2646 +--------------------------------------

target/arm/m_helper.c | 2679 ++++++++++++++++++++++++++++++++++++++++

target/arm/op_helper.c | 295 -----

target/arm/translate-vfp.inc.c | 2 +-

target/arm/translate.c | 15 +-

11 files changed, 3096 insertions(+), 2953 deletions(-)

create mode 100644 target/arm/debug_helper.c

create mode 100644 target/arm/m_helper.c

To prevent execution priority remaining negative if the guest

returns from an NMI or HardFault with a corrupted IPSR, the

v8M interrupt deactivation process forces the HardFault and NMI

to inactive based on the current raw execution priority,

even if the interrupt the guest is trying to deactivate

is something else. In the pseudocode this is done in the

Deactivate() function.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

Message-id: 20190617175317.27557-3-peter.maydell@linaro.org

hw/intc/armv7m_nvic.c | 40 +++++++++++++++++++++++++++++++++++-----

1 file changed, 35 insertions(+), 5 deletions(-)

@@ -XXX,XX +XXX,XX @@ void armv7m_nvic_get_pending_irq_info(void *opaque,

int armv7m_nvic_complete_irq(void *opaque, int irq, bool secure)

{

NVICState *s = (NVICState *)opaque;

- VecInfo *vec;

+ VecInfo *vec = NULL;

int ret;

assert(irq > ARMV7M_EXCP_RESET && irq < s->num_irq);

- if (secure && exc_is_banked(irq)) {

- vec = &s->sec_vectors[irq];

- } else {

- vec = &s->vectors[irq];

+ /*

+ * For negative priorities, v8M will forcibly deactivate the appropriate

+ * NMI or HardFault regardless of what interrupt we're being asked to

+ * deactivate (compare the DeActivate() pseudocode). This is a guard

+ * against software returning from NMI or HardFault with a corrupted

+ * IPSR and leaving the CPU in a negative-priority state.

+ * v7M does not do this, but simply deactivates the requested interrupt.

+ */

+ if (arm_feature(&s->cpu->env, ARM_FEATURE_V8)) {

+ switch (armv7m_nvic_raw_execution_priority(s)) {

+ case -1:

+ if (s->cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK) {

+ vec = &s->vectors[ARMV7M_EXCP_HARD];

+ } else {

+ vec = &s->sec_vectors[ARMV7M_EXCP_HARD];

+ }

+ break;

+ case -2:

+ vec = &s->vectors[ARMV7M_EXCP_NMI];

+ break;

+ case -3:

+ vec = &s->sec_vectors[ARMV7M_EXCP_HARD];

+ break;

+ default:

+ break;

+ }

+ }

+

+ if (!vec) {

+ if (secure && exc_is_banked(irq)) {

+ vec = &s->sec_vectors[irq];

+ } else {

+ vec = &s->vectors[irq];

+ }

}

trace_nvic_complete_irq(irq, secure);

2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

In preparation for supporting TCG disablement on ARM, we move most

of TCG related v7m/v8m helpers and APIs into their own file.

Note: It is easier to review this commit using the 'histogram'

diff algorithm:

$ git diff --diff-algorithm=histogram ...

or

$ git diff --histogram ...

Suggested-by: Samuel Ortiz <sameo@linux.intel.com>

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Message-id: 20190702144335.10717-2-philmd@redhat.com

target/arm/Makefile.objs | 1 +

target/arm/helper.c | 2638 +------------------------------------

target/arm/m_helper.c | 2676 ++++++++++++++++++++++++++++++++++++++

3 files changed, 2681 insertions(+), 2634 deletions(-)

create mode 100644 target/arm/m_helper.c

@@ -XXX,XX +XXX,XX @@

#include "qemu/crc32c.h"

#include "qemu/qemu-print.h"

#include "exec/exec-all.h"

-#include "exec/cpu_ldst.h"

#include <zlib.h> /* For crc32 */

#include "hw/semihosting/semihost.h"

#include "sysemu/cpus.h"

@@ -XXX,XX +XXX,XX @@

#include "qemu/guest-random.h"

#ifdef CONFIG_TCG

#include "arm_ldst.h"

+#include "exec/cpu_ldst.h"

#endif

#define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */

@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(rbit)(uint32_t x)

#ifdef CONFIG_USER_ONLY

-/* These should probably raise undefined insn exceptions. */

-void HELPER(v7m_msr)(CPUARMState *env, uint32_t reg, uint32_t val)

-{

- ARMCPU *cpu = env_archcpu(env);

-

- cpu_abort(CPU(cpu), "v7m_msr %d\n", reg);

-}

-

-uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)

-{

- ARMCPU *cpu = env_archcpu(env);

-

- cpu_abort(CPU(cpu), "v7m_mrs %d\n", reg);

- return 0;

-}

-

-void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)

-{

- /* translate.c should never generate calls here in user-only mode */

- g_assert_not_reached();

-}

-

-void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)

-{

- /* translate.c should never generate calls here in user-only mode */

- g_assert_not_reached();

-}

-

-void HELPER(v7m_preserve_fp_state)(CPUARMState *env)

-{

- /* translate.c should never generate calls here in user-only mode */

- g_assert_not_reached();

-}

-

-void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)

-{

- /* translate.c should never generate calls here in user-only mode */

- g_assert_not_reached();

-}

-

-void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)

-{

- /* translate.c should never generate calls here in user-only mode */

- g_assert_not_reached();

-}

-

-uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)

-{

- /*

- * The TT instructions can be used by unprivileged code, but in

- * user-only emulation we don't have the MPU.

- * Luckily since we know we are NonSecure unprivileged (and that in

- * turn means that the A flag wasn't specified), all the bits in the

- * register must be zero:

- * IREGION: 0 because IRVALID is 0

- * IRVALID: 0 because NS

- * S: 0 because NS

- * NSRW: 0 because NS

- * NSR: 0 because NS

- * RW: 0 because unpriv and A flag not set

- * R: 0 because unpriv and A flag not set

- * SRVALID: 0 because NS

- * MRVALID: 0 because unpriv and A flag not set

- * SREGION: 0 becaus SRVALID is 0

- * MREGION: 0 because MRVALID is 0

- */

- return 0;

-}

-

static void switch_mode(CPUARMState *env, int mode)

@@ -XXX,XX +XXX,XX @@ void arm_log_exception(int idx)

}

-/*

- * What kind of stack write are we doing? This affects how exceptions

- * generated during the stacking are treated.

- */

-typedef enum StackingMode {

- STACK_NORMAL,

- STACK_IGNFAULTS,

- STACK_LAZYFP,

-} StackingMode;

-

-static bool v7m_stack_write(ARMCPU *cpu, uint32_t addr, uint32_t value,

- ARMMMUIdx mmu_idx, StackingMode mode)

-{

- CPUState *cs = CPU(cpu);

- CPUARMState *env = &cpu->env;

- MemTxAttrs attrs = {};

- MemTxResult txres;

- target_ulong page_size;

- hwaddr physaddr;

- int prot;

- ARMMMUFaultInfo fi = {};

- bool secure = mmu_idx & ARM_MMU_IDX_M_S;

- int exc;

- bool exc_secure;

-

- if (get_phys_addr(env, addr, MMU_DATA_STORE, mmu_idx, &physaddr,

- &attrs, &prot, &page_size, &fi, NULL)) {

- /* MPU/SAU lookup failed */

- if (fi.type == ARMFault_QEMU_SFault) {

- if (mode == STACK_LAZYFP) {

- qemu_log_mask(CPU_LOG_INT,

- "...SecureFault with SFSR.LSPERR "

- "during lazy stacking\n");

- env->v7m.sfsr |= R_V7M_SFSR_LSPERR_MASK;

- } else {

- qemu_log_mask(CPU_LOG_INT,

- "...SecureFault with SFSR.AUVIOL "

- "during stacking\n");

- env->v7m.sfsr |= R_V7M_SFSR_AUVIOL_MASK;

- }

- env->v7m.sfsr |= R_V7M_SFSR_SFARVALID_MASK;

- env->v7m.sfar = addr;

- exc = ARMV7M_EXCP_SECURE;

- exc_secure = false;

- } else {

- if (mode == STACK_LAZYFP) {

- qemu_log_mask(CPU_LOG_INT,

- "...MemManageFault with CFSR.MLSPERR\n");

- env->v7m.cfsr[secure] |= R_V7M_CFSR_MLSPERR_MASK;

- } else {

- qemu_log_mask(CPU_LOG_INT,

- "...MemManageFault with CFSR.MSTKERR\n");

- env->v7m.cfsr[secure] |= R_V7M_CFSR_MSTKERR_MASK;

- }

- exc = ARMV7M_EXCP_MEM;

- exc_secure = secure;

- }

- goto pend_fault;

- }

- address_space_stl_le(arm_addressspace(cs, attrs), physaddr, value,

- attrs, &txres);

- if (txres != MEMTX_OK) {

- /* BusFault trying to write the data */

- if (mode == STACK_LAZYFP) {

- qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.LSPERR\n");

- env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_LSPERR_MASK;

- } else {

- qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.STKERR\n");

- env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_STKERR_MASK;

- }

- exc = ARMV7M_EXCP_BUS;

- exc_secure = false;

- goto pend_fault;

- }

- return true;

-

-pend_fault:

- /*

- * By pending the exception at this point we are making

- * the IMPDEF choice "overridden exceptions pended" (see the

- * MergeExcInfo() pseudocode). The other choice would be to not

- * pend them now and then make a choice about which to throw away

- * later if we have two derived exceptions.

- * The only case when we must not pend the exception but instead

- * throw it away is if we are doing the push of the callee registers

- * and we've already generated a derived exception (this is indicated

- * by the caller passing STACK_IGNFAULTS). Even in this case we will

- * still update the fault status registers.

- */

- switch (mode) {

- case STACK_NORMAL:

- armv7m_nvic_set_pending_derived(env->nvic, exc, exc_secure);

- break;

- case STACK_LAZYFP:

- armv7m_nvic_set_pending_lazyfp(env->nvic, exc, exc_secure);

- break;

- case STACK_IGNFAULTS:

- break;

- }

- return false;

-}

-

-static bool v7m_stack_read(ARMCPU *cpu, uint32_t *dest, uint32_t addr,

- ARMMMUIdx mmu_idx)

-{

- CPUState *cs = CPU(cpu);

- CPUARMState *env = &cpu->env;

- MemTxAttrs attrs = {};

- MemTxResult txres;

- target_ulong page_size;

- hwaddr physaddr;

- int prot;

- ARMMMUFaultInfo fi = {};

- bool secure = mmu_idx & ARM_MMU_IDX_M_S;

- int exc;

- bool exc_secure;

- uint32_t value;

-

- if (get_phys_addr(env, addr, MMU_DATA_LOAD, mmu_idx, &physaddr,

- &attrs, &prot, &page_size, &fi, NULL)) {

- /* MPU/SAU lookup failed */

- if (fi.type == ARMFault_QEMU_SFault) {

- qemu_log_mask(CPU_LOG_INT,

- "...SecureFault with SFSR.AUVIOL during unstack\n");

- env->v7m.sfsr |= R_V7M_SFSR_AUVIOL_MASK | R_V7M_SFSR_SFARVALID_MASK;

- env->v7m.sfar = addr;

- exc = ARMV7M_EXCP_SECURE;

- exc_secure = false;

- } else {

- qemu_log_mask(CPU_LOG_INT,

- "...MemManageFault with CFSR.MUNSTKERR\n");

- env->v7m.cfsr[secure] |= R_V7M_CFSR_MUNSTKERR_MASK;

- exc = ARMV7M_EXCP_MEM;

- exc_secure = secure;

- }

- goto pend_fault;

- }

-

- value = address_space_ldl(arm_addressspace(cs, attrs), physaddr,

- attrs, &txres);

- if (txres != MEMTX_OK) {

- /* BusFault trying to read the data */

- qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.UNSTKERR\n");

- env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_UNSTKERR_MASK;

- exc = ARMV7M_EXCP_BUS;

- exc_secure = false;

- goto pend_fault;

- }

-

- *dest = value;

- return true;

-

-pend_fault:

- /*

- * By pending the exception at this point we are making

- * the IMPDEF choice "overridden exceptions pended" (see the

- * MergeExcInfo() pseudocode). The other choice would be to not

- * pend them now and then make a choice about which to throw away

- * later if we have two derived exceptions.

- */

- armv7m_nvic_set_pending(env->nvic, exc, exc_secure);

- return false;

-}

-

-void HELPER(v7m_preserve_fp_state)(CPUARMState *env)

-{

- /*

- * Preserve FP state (because LSPACT was set and we are about

- * to execute an FP instruction). This corresponds to the

- * PreserveFPState() pseudocode.

- * We may throw an exception if the stacking fails.

- */

- ARMCPU *cpu = env_archcpu(env);

- bool is_secure = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK;

- bool negpri = !(env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_HFRDY_MASK);

- bool is_priv = !(env->v7m.fpccr[is_secure] & R_V7M_FPCCR_USER_MASK);

- bool splimviol = env->v7m.fpccr[is_secure] & R_V7M_FPCCR_SPLIMVIOL_MASK;

- uint32_t fpcar = env->v7m.fpcar[is_secure];

- bool stacked_ok = true;

- bool ts = is_secure && (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK);

- bool take_exception;

-

- /* Take the iothread lock as we are going to touch the NVIC */

- qemu_mutex_lock_iothread();

-

- /* Check the background context had access to the FPU */

- if (!v7m_cpacr_pass(env, is_secure, is_priv)) {

- armv7m_nvic_set_pending_lazyfp(env->nvic, ARMV7M_EXCP_USAGE, is_secure);

- env->v7m.cfsr[is_secure] |= R_V7M_CFSR_NOCP_MASK;

- stacked_ok = false;

- } else if (!is_secure && !extract32(env->v7m.nsacr, 10, 1)) {

- armv7m_nvic_set_pending_lazyfp(env->nvic, ARMV7M_EXCP_USAGE, M_REG_S);

- env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_NOCP_MASK;

- stacked_ok = false;

- }

-

- if (!splimviol && stacked_ok) {

- /* We only stack if the stack limit wasn't violated */

- int i;

- ARMMMUIdx mmu_idx;

-

- mmu_idx = arm_v7m_mmu_idx_all(env, is_secure, is_priv, negpri);

- for (i = 0; i < (ts ? 32 : 16); i += 2) {

- uint64_t dn = *aa32_vfp_dreg(env, i / 2);

- uint32_t faddr = fpcar + 4 * i;

- uint32_t slo = extract64(dn, 0, 32);

- uint32_t shi = extract64(dn, 32, 32);

-

- if (i >= 16) {

- faddr += 8; /* skip the slot for the FPSCR */

- }

- stacked_ok = stacked_ok &&

- v7m_stack_write(cpu, faddr, slo, mmu_idx, STACK_LAZYFP) &&

- v7m_stack_write(cpu, faddr + 4, shi, mmu_idx, STACK_LAZYFP);

- }

-

- stacked_ok = stacked_ok &&

- v7m_stack_write(cpu, fpcar + 0x40,

- vfp_get_fpscr(env), mmu_idx, STACK_LAZYFP);

- }

-

- /*

- * We definitely pended an exception, but it's possible that it

- * might not be able to be taken now. If its priority permits us

- * to take it now, then we must not update the LSPACT or FP regs,

- * but instead jump out to take the exception immediately.

- * If it's just pending and won't be taken until the current

- * handler exits, then we do update LSPACT and the FP regs.

- */

- take_exception = !stacked_ok &&

- armv7m_nvic_can_take_pending_exception(env->nvic);

-

- qemu_mutex_unlock_iothread();

-

- if (take_exception) {

- raise_exception_ra(env, EXCP_LAZYFP, 0, 1, GETPC());

- }

-

- env->v7m.fpccr[is_secure] &= ~R_V7M_FPCCR_LSPACT_MASK;

-

- if (ts) {

- /* Clear s0 to s31 and the FPSCR */

- int i;

-

- for (i = 0; i < 32; i += 2) {

- *aa32_vfp_dreg(env, i / 2) = 0;

- }

- vfp_set_fpscr(env, 0);

- }

- /*

- * Otherwise s0 to s15 and FPSCR are UNKNOWN; we choose to leave them

- * unchanged.

- */

-}

-

-/*

- * Write to v7M CONTROL.SPSEL bit for the specified security bank.

- * This may change the current stack pointer between Main and Process

- * stack pointers if it is done for the CONTROL register for the current

- * security state.

- */

-static void write_v7m_control_spsel_for_secstate(CPUARMState *env,

- bool new_spsel,

- bool secstate)

-{

- bool old_is_psp = v7m_using_psp(env);

-

- env->v7m.control[secstate] =

- deposit32(env->v7m.control[secstate],

- R_V7M_CONTROL_SPSEL_SHIFT,

- R_V7M_CONTROL_SPSEL_LENGTH, new_spsel);

-

- if (secstate == env->v7m.secure) {

- bool new_is_psp = v7m_using_psp(env);

- uint32_t tmp;

-

- if (old_is_psp != new_is_psp) {

- tmp = env->v7m.other_sp;

- env->v7m.other_sp = env->regs[13];

- env->regs[13] = tmp;

- }

- }

-}

-

-/*

- * Write to v7M CONTROL.SPSEL bit. This may change the current

- * stack pointer between Main and Process stack pointers.

- */

-static void write_v7m_control_spsel(CPUARMState *env, bool new_spsel)

-{

- write_v7m_control_spsel_for_secstate(env, new_spsel, env->v7m.secure);

-}

-

-void write_v7m_exception(CPUARMState *env, uint32_t new_exc)

-{

- /*

- * Write a new value to v7m.exception, thus transitioning into or out

- * of Handler mode; this may result in a change of active stack pointer.

- */

- bool new_is_psp, old_is_psp = v7m_using_psp(env);

- uint32_t tmp;

-

- env->v7m.exception = new_exc;

-

- new_is_psp = v7m_using_psp(env);

-

- if (old_is_psp != new_is_psp) {

- tmp = env->v7m.other_sp;

- env->v7m.other_sp = env->regs[13];

- env->regs[13] = tmp;

- }

-}

-

-/* Switch M profile security state between NS and S */

-static void switch_v7m_security_state(CPUARMState *env, bool new_secstate)

-{

- uint32_t new_ss_msp, new_ss_psp;

-

- if (env->v7m.secure == new_secstate) {

- return;

- }

-

- /*

- * All the banked state is accessed by looking at env->v7m.secure

- * except for the stack pointer; rearrange the SP appropriately.

- */

- new_ss_msp = env->v7m.other_ss_msp;

- new_ss_psp = env->v7m.other_ss_psp;

-

- if (v7m_using_psp(env)) {

- env->v7m.other_ss_psp = env->regs[13];

- env->v7m.other_ss_msp = env->v7m.other_sp;

- } else {

- env->v7m.other_ss_msp = env->regs[13];

- env->v7m.other_ss_psp = env->v7m.other_sp;

- }

-

- env->v7m.secure = new_secstate;

-

- if (v7m_using_psp(env)) {

- env->regs[13] = new_ss_psp;

- env->v7m.other_sp = new_ss_msp;

- } else {

- env->regs[13] = new_ss_msp;

- env->v7m.other_sp = new_ss_psp;

- }

-}

-

-void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)

-{

- /*

- * Handle v7M BXNS:

- * - if the return value is a magic value, do exception return (like BX)

- * - otherwise bit 0 of the return value is the target security state

- */

- uint32_t min_magic;

-

- if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {

- /* Covers FNC_RETURN and EXC_RETURN magic */

- min_magic = FNC_RETURN_MIN_MAGIC;

- } else {

- /* EXC_RETURN magic only */

- min_magic = EXC_RETURN_MIN_MAGIC;

- }

-

- if (dest >= min_magic) {

- /*

- * This is an exception return magic value; put it where

- * do_v7m_exception_exit() expects and raise EXCEPTION_EXIT.

- * Note that if we ever add gen_ss_advance() singlestep support to

- * M profile this should count as an "instruction execution complete"

- * event (compare gen_bx_excret_final_code()).

- */

- env->regs[15] = dest & ~1;

- env->thumb = dest & 1;

- HELPER(exception_internal)(env, EXCP_EXCEPTION_EXIT);

- /* notreached */

- }

-

- /* translate.c should have made BXNS UNDEF unless we're secure */

- assert(env->v7m.secure);

-

- if (!(dest & 1)) {

- env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;

- }

- switch_v7m_security_state(env, dest & 1);

- env->thumb = 1;

- env->regs[15] = dest & ~1;

-}

-

-void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)

-{

- /*

- * Handle v7M BLXNS:

- * - bit 0 of the destination address is the target security state

- */

-

- /* At this point regs[15] is the address just after the BLXNS */

- uint32_t nextinst = env->regs[15] | 1;

- uint32_t sp = env->regs[13] - 8;

- uint32_t saved_psr;

-

- /* translate.c will have made BLXNS UNDEF unless we're secure */

- assert(env->v7m.secure);

-

- if (dest & 1) {

- /*

- * Target is Secure, so this is just a normal BLX,

- * except that the low bit doesn't indicate Thumb/not.

- */

- env->regs[14] = nextinst;

- env->thumb = 1;

- env->regs[15] = dest & ~1;

- return;

- }

-

- /* Target is non-secure: first push a stack frame */

- if (!QEMU_IS_ALIGNED(sp, 8)) {

- qemu_log_mask(LOG_GUEST_ERROR,

- "BLXNS with misaligned SP is UNPREDICTABLE\n");

- }

-

- if (sp < v7m_sp_limit(env)) {

- raise_exception(env, EXCP_STKOF, 0, 1);

- }

-

- saved_psr = env->v7m.exception;

- if (env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK) {

- saved_psr |= XPSR_SFPA;

- }

-

- /* Note that these stores can throw exceptions on MPU faults */

- cpu_stl_data(env, sp, nextinst);

- cpu_stl_data(env, sp + 4, saved_psr);

-

- env->regs[13] = sp;

- env->regs[14] = 0xfeffffff;

- if (arm_v7m_is_handler_mode(env)) {

- /*

- * Write a dummy value to IPSR, to avoid leaking the current secure

- * exception number to non-secure code. This is guaranteed not

- * to cause write_v7m_exception() to actually change stacks.

- */

- write_v7m_exception(env, 1);

- }

- env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;

- switch_v7m_security_state(env, 0);

- env->thumb = 1;

- env->regs[15] = dest;

-}

-

-static uint32_t *get_v7m_sp_ptr(CPUARMState *env, bool secure, bool threadmode,

- bool spsel)

-{

- /*

- * Return a pointer to the location where we currently store the

- * stack pointer for the requested security state and thread mode.

- * This pointer will become invalid if the CPU state is updated

- * such that the stack pointers are switched around (eg changing

- * the SPSEL control bit).

- * Compare the v8M ARM ARM pseudocode LookUpSP_with_security_mode().

- * Unlike that pseudocode, we require the caller to pass us in the

- * SPSEL control bit value; this is because we also use this

- * function in handling of pushing of the callee-saves registers

- * part of the v8M stack frame (pseudocode PushCalleeStack()),

- * and in the tailchain codepath the SPSEL bit comes from the exception

- * return magic LR value from the previous exception. The pseudocode

- * opencodes the stack-selection in PushCalleeStack(), but we prefer

- * to make this utility function generic enough to do the job.

- */

- bool want_psp = threadmode && spsel;

-

- if (secure == env->v7m.secure) {

- if (want_psp == v7m_using_psp(env)) {

- return &env->regs[13];

- } else {

- return &env->v7m.other_sp;

- }

- } else {

- if (want_psp) {

- return &env->v7m.other_ss_psp;

- } else {

- return &env->v7m.other_ss_msp;

- }

- }

-}

-

-static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,

- uint32_t *pvec)

-{

- CPUState *cs = CPU(cpu);

- CPUARMState *env = &cpu->env;

- MemTxResult result;

- uint32_t addr = env->v7m.vecbase[targets_secure] + exc * 4;

- uint32_t vector_entry;

- MemTxAttrs attrs = {};

- ARMMMUIdx mmu_idx;

- bool exc_secure;

-

- mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, targets_secure, true);

-

- /*

- * We don't do a get_phys_addr() here because the rules for vector

- * loads are special: they always use the default memory map, and

- * the default memory map permits reads from all addresses.

- * Since there's no easy way to pass through to pmsav8_mpu_lookup()

- * that we want this special case which would always say "yes",

- * we just do the SAU lookup here followed by a direct physical load.

- */

- attrs.secure = targets_secure;

- attrs.user = false;

-

- if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {

- V8M_SAttributes sattrs = {};

-

- v8m_security_lookup(env, addr, MMU_DATA_LOAD, mmu_idx, &sattrs);

- if (sattrs.ns) {

- attrs.secure = false;

- } else if (!targets_secure) {

- /* NS access to S memory */

- goto load_fail;

- }

- }

-

- vector_entry = address_space_ldl(arm_addressspace(cs, attrs), addr,

- attrs, &result);

- if (result != MEMTX_OK) {

- goto load_fail;

- }

- *pvec = vector_entry;

- return true;

-

-load_fail:

- /*

- * All vector table fetch fails are reported as HardFault, with

- * HFSR.VECTTBL and .FORCED set. (FORCED is set because

- * technically the underlying exception is a MemManage or BusFault

- * that is escalated to HardFault.) This is a terminal exception,

- * so we will either take the HardFault immediately or else enter

- * lockup (the latter case is handled in armv7m_nvic_set_pending_derived()).

- */

- exc_secure = targets_secure ||

- !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);

- env->v7m.hfsr |= R_V7M_HFSR_VECTTBL_MASK | R_V7M_HFSR_FORCED_MASK;

- armv7m_nvic_set_pending_derived(env->nvic, ARMV7M_EXCP_HARD, exc_secure);

- return false;

-}

-

-static uint32_t v7m_integrity_sig(CPUARMState *env, uint32_t lr)

-{

- /*

- * Return the integrity signature value for the callee-saves

- * stack frame section. @lr is the exception return payload/LR value

- * whose FType bit forms bit 0 of the signature if FP is present.

- */

- uint32_t sig = 0xfefa125a;

-

- if (!arm_feature(env, ARM_FEATURE_VFP) || (lr & R_V7M_EXCRET_FTYPE_MASK)) {

- sig |= 1;

- }

- return sig;

-}

-

-static bool v7m_push_callee_stack(ARMCPU *cpu, uint32_t lr, bool dotailchain,

- bool ignore_faults)

-{

- /*

- * For v8M, push the callee-saves register part of the stack frame.

- * Compare the v8M pseudocode PushCalleeStack().

- * In the tailchaining case this may not be the current stack.

- */

- CPUARMState *env = &cpu->env;

- uint32_t *frame_sp_p;

- uint32_t frameptr;

- ARMMMUIdx mmu_idx;

- bool stacked_ok;

- uint32_t limit;

- bool want_psp;

- uint32_t sig;

- StackingMode smode = ignore_faults ? STACK_IGNFAULTS : STACK_NORMAL;

-

- if (dotailchain) {

- bool mode = lr & R_V7M_EXCRET_MODE_MASK;

- bool priv = !(env->v7m.control[M_REG_S] & R_V7M_CONTROL_NPRIV_MASK) ||

- !mode;

-

- mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, M_REG_S, priv);

- frame_sp_p = get_v7m_sp_ptr(env, M_REG_S, mode,

- lr & R_V7M_EXCRET_SPSEL_MASK);

- want_psp = mode && (lr & R_V7M_EXCRET_SPSEL_MASK);

- if (want_psp) {

- limit = env->v7m.psplim[M_REG_S];

- } else {

- limit = env->v7m.msplim[M_REG_S];

- }

- } else {

- mmu_idx = arm_mmu_idx(env);

- frame_sp_p = &env->regs[13];

- limit = v7m_sp_limit(env);

- }

-

- frameptr = *frame_sp_p - 0x28;

- if (frameptr < limit) {

- /*

- * Stack limit failure: set SP to the limit value, and generate

- * STKOF UsageFault. Stack pushes below the limit must not be

- * performed. It is IMPDEF whether pushes above the limit are

- * performed; we choose not to.

- */

- qemu_log_mask(CPU_LOG_INT,

- "...STKOF during callee-saves register stacking\n");

- env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;

- armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,

- env->v7m.secure);

- *frame_sp_p = limit;

- return true;

- }

-

- /*

- * Write as much of the stack frame as we can. A write failure may

- * cause us to pend a derived exception.

- */

- sig = v7m_integrity_sig(env, lr);

- stacked_ok =

- v7m_stack_write(cpu, frameptr, sig, mmu_idx, smode) &&

- v7m_stack_write(cpu, frameptr + 0x8, env->regs[4], mmu_idx, smode) &&

- v7m_stack_write(cpu, frameptr + 0xc, env->regs[5], mmu_idx, smode) &&

- v7m_stack_write(cpu, frameptr + 0x10, env->regs[6], mmu_idx, smode) &&

- v7m_stack_write(cpu, frameptr + 0x14, env->regs[7], mmu_idx, smode) &&

- v7m_stack_write(cpu, frameptr + 0x18, env->regs[8], mmu_idx, smode) &&

- v7m_stack_write(cpu, frameptr + 0x1c, env->regs[9], mmu_idx, smode) &&

- v7m_stack_write(cpu, frameptr + 0x20, env->regs[10], mmu_idx, smode) &&

- v7m_stack_write(cpu, frameptr + 0x24, env->regs[11], mmu_idx, smode);

-

- /* Update SP regardless of whether any of the stack accesses failed. */

- *frame_sp_p = frameptr;

-

- return !stacked_ok;

-}

-

-static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,

- bool ignore_stackfaults)

-{

- /*

- * Do the "take the exception" parts of exception entry,

- * but not the pushing of state to the stack. This is

- * similar to the pseudocode ExceptionTaken() function.

- */

- CPUARMState *env = &cpu->env;

- uint32_t addr;

- bool targets_secure;

- int exc;

- bool push_failed = false;

-

- armv7m_nvic_get_pending_irq_info(env->nvic, &exc, &targets_secure);

- qemu_log_mask(CPU_LOG_INT, "...taking pending %s exception %d\n",

- targets_secure ? "secure" : "nonsecure", exc);

-

- if (dotailchain) {

- /* Sanitize LR FType and PREFIX bits */

- if (!arm_feature(env, ARM_FEATURE_VFP)) {

- lr |= R_V7M_EXCRET_FTYPE_MASK;

- }

- lr = deposit32(lr, 24, 8, 0xff);

- }

-

- if (arm_feature(env, ARM_FEATURE_V8)) {

- if (arm_feature(env, ARM_FEATURE_M_SECURITY) &&

- (lr & R_V7M_EXCRET_S_MASK)) {

- /*

- * The background code (the owner of the registers in the

- * exception frame) is Secure. This means it may either already

- * have or now needs to push callee-saves registers.

- */

- if (targets_secure) {

- if (dotailchain && !(lr & R_V7M_EXCRET_ES_MASK)) {

- /*

- * We took an exception from Secure to NonSecure

- * (which means the callee-saved registers got stacked)

- * and are now tailchaining to a Secure exception.

- * Clear DCRS so eventual return from this Secure

- * exception unstacks the callee-saved registers.

- */

- lr &= ~R_V7M_EXCRET_DCRS_MASK;

- }

- } else {

- /*

- * We're going to a non-secure exception; push the

- * callee-saves registers to the stack now, if they're

- * not already saved.

- */

- if (lr & R_V7M_EXCRET_DCRS_MASK &&

- !(dotailchain && !(lr & R_V7M_EXCRET_ES_MASK))) {

- push_failed = v7m_push_callee_stack(cpu, lr, dotailchain,

- ignore_stackfaults);

- }

- lr |= R_V7M_EXCRET_DCRS_MASK;

- }

- }

-

- lr &= ~R_V7M_EXCRET_ES_MASK;

- if (targets_secure || !arm_feature(env, ARM_FEATURE_M_SECURITY)) {

- lr |= R_V7M_EXCRET_ES_MASK;

- }

- lr &= ~R_V7M_EXCRET_SPSEL_MASK;

- if (env->v7m.control[targets_secure] & R_V7M_CONTROL_SPSEL_MASK) {

- lr |= R_V7M_EXCRET_SPSEL_MASK;

- }

-

- /*

- * Clear registers if necessary to prevent non-secure exception

- * code being able to see register values from secure code.

- * Where register values become architecturally UNKNOWN we leave

- * them with their previous values.

- */

- if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {

- if (!targets_secure) {

- /*

- * Always clear the caller-saved registers (they have been

- * pushed to the stack earlier in v7m_push_stack()).

- * Clear callee-saved registers if the background code is

- * Secure (in which case these regs were saved in

- * v7m_push_callee_stack()).

- */

- int i;

-

- for (i = 0; i < 13; i++) {

- /* r4..r11 are callee-saves, zero only if EXCRET.S == 1 */

- if (i < 4 || i > 11 || (lr & R_V7M_EXCRET_S_MASK)) {

- env->regs[i] = 0;

- }

- }

- /* Clear EAPSR */

- xpsr_write(env, 0, XPSR_NZCV | XPSR_Q | XPSR_GE | XPSR_IT);

- }

- }

- }

-

- if (push_failed && !ignore_stackfaults) {

- /*

- * Derived exception on callee-saves register stacking:

- * we might now want to take a different exception which

- * targets a different security state, so try again from the top.

- */

- qemu_log_mask(CPU_LOG_INT,

- "...derived exception on callee-saves register stacking");

- v7m_exception_taken(cpu, lr, true, true);

- return;

- }

-

- if (!arm_v7m_load_vector(cpu, exc, targets_secure, &addr)) {

- /* Vector load failed: derived exception */

- qemu_log_mask(CPU_LOG_INT, "...derived exception on vector table load");

- v7m_exception_taken(cpu, lr, true, true);

- return;

- }

-

- /*

- * Now we've done everything that might cause a derived exception

- * we can go ahead and activate whichever exception we're going to

- * take (which might now be the derived exception).

- */

- armv7m_nvic_acknowledge_irq(env->nvic);

-

- /* Switch to target security state -- must do this before writing SPSEL */

- switch_v7m_security_state(env, targets_secure);

- write_v7m_control_spsel(env, 0);

- arm_clear_exclusive(env);

- /* Clear SFPA and FPCA (has no effect if no FPU) */

- env->v7m.control[M_REG_S] &=

- ~(R_V7M_CONTROL_FPCA_MASK | R_V7M_CONTROL_SFPA_MASK);

- /* Clear IT bits */

- env->condexec_bits = 0;

- env->regs[14] = lr;

- env->regs[15] = addr & 0xfffffffe;

- env->thumb = addr & 1;

-}

-

-static void v7m_update_fpccr(CPUARMState *env, uint32_t frameptr,

- bool apply_splim)

-{

- /*

- * Like the pseudocode UpdateFPCCR: save state in FPCAR and FPCCR

- * that we will need later in order to do lazy FP reg stacking.

- */

- bool is_secure = env->v7m.secure;

- void *nvic = env->nvic;

- /*

- * Some bits are unbanked and live always in fpccr[M_REG_S]; some bits

- * are banked and we want to update the bit in the bank for the

- * current security state; and in one case we want to specifically

- * update the NS banked version of a bit even if we are secure.

- */

- uint32_t *fpccr_s = &env->v7m.fpccr[M_REG_S];

- uint32_t *fpccr_ns = &env->v7m.fpccr[M_REG_NS];

- uint32_t *fpccr = &env->v7m.fpccr[is_secure];

- bool hfrdy, bfrdy, mmrdy, ns_ufrdy, s_ufrdy, sfrdy, monrdy;

-

- env->v7m.fpcar[is_secure] = frameptr & ~0x7;

-

- if (apply_splim && arm_feature(env, ARM_FEATURE_V8)) {

- bool splimviol;

- uint32_t splim = v7m_sp_limit(env);

- bool ign = armv7m_nvic_neg_prio_requested(nvic, is_secure) &&

- (env->v7m.ccr[is_secure] & R_V7M_CCR_STKOFHFNMIGN_MASK);

-

- splimviol = !ign && frameptr < splim;

- *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, SPLIMVIOL, splimviol);

- }

-

- *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, LSPACT, 1);

-

- *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, S, is_secure);

-

- *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, USER, arm_current_el(env) == 0);

-

- *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, THREAD,

- !arm_v7m_is_handler_mode(env));

-

- hfrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_HARD, false);

- *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, HFRDY, hfrdy);

-

- bfrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_BUS, false);

- *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, BFRDY, bfrdy);

-

- mmrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_MEM, is_secure);

- *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, MMRDY, mmrdy);

-

- ns_ufrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_USAGE, false);

- *fpccr_ns = FIELD_DP32(*fpccr_ns, V7M_FPCCR, UFRDY, ns_ufrdy);

-

- monrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_DEBUG, false);

- *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, MONRDY, monrdy);

-

- if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {

- s_ufrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_USAGE, true);

- *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, UFRDY, s_ufrdy);

-

- sfrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_SECURE, false);

- *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, SFRDY, sfrdy);

- }

-}

-

-void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)

-{

- /* fptr is the value of Rn, the frame pointer we store the FP regs to */

- bool s = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK;

- bool lspact = env->v7m.fpccr[s] & R_V7M_FPCCR_LSPACT_MASK;

-

- assert(env->v7m.secure);

-

- if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK)) {

- return;

- }

-

- /* Check access to the coprocessor is permitted */

- if (!v7m_cpacr_pass(env, true, arm_current_el(env) != 0)) {

- raise_exception_ra(env, EXCP_NOCP, 0, 1, GETPC());

- }

-

- if (lspact) {

- /* LSPACT should not be active when there is active FP state */

- raise_exception_ra(env, EXCP_LSERR, 0, 1, GETPC());

- }

-

- if (fptr & 7) {

- raise_exception_ra(env, EXCP_UNALIGNED, 0, 1, GETPC());

- }

-

- /*

- * Note that we do not use v7m_stack_write() here, because the

- * accesses should not set the FSR bits for stacking errors if they

- * fail. (In pseudocode terms, they are AccType_NORMAL, not AccType_STACK

- * or AccType_LAZYFP). Faults in cpu_stl_data() will throw exceptions

- * and longjmp out.

- */

- if (!(env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPEN_MASK)) {

- bool ts = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK;

- int i;

-

- for (i = 0; i < (ts ? 32 : 16); i += 2) {

- uint64_t dn = *aa32_vfp_dreg(env, i / 2);

- uint32_t faddr = fptr + 4 * i;

- uint32_t slo = extract64(dn, 0, 32);

- uint32_t shi = extract64(dn, 32, 32);

-

- if (i >= 16) {

- faddr += 8; /* skip the slot for the FPSCR */

- }

- cpu_stl_data(env, faddr, slo);

- cpu_stl_data(env, faddr + 4, shi);

- }

- cpu_stl_data(env, fptr + 0x40, vfp_get_fpscr(env));

-

- /*

- * If TS is 0 then s0 to s15 and FPSCR are UNKNOWN; we choose to

- * leave them unchanged, matching our choice in v7m_preserve_fp_state.

- */

- if (ts) {

- for (i = 0; i < 32; i += 2) {

- *aa32_vfp_dreg(env, i / 2) = 0;

- }

- vfp_set_fpscr(env, 0);

- }

- } else {

- v7m_update_fpccr(env, fptr, false);

- }

-

- env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_FPCA_MASK;

-}

-

-void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)

-{

- /* fptr is the value of Rn, the frame pointer we load the FP regs from */

- assert(env->v7m.secure);

-

- if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK)) {

- return;

- }