Series comparison

-[Qemu-devel] [PULL 00/21] target-arm queue
+[PULL 0/7] target-arm queue
-target-arm queue: this time around is all small fixes
+A last small test of bug fixes before rc1.
 and changes.
 thanks
 -- PMM
-The following changes since commit fec105c2abda8567ec15230429c41429b5ee307c:
+The following changes since commit ed8ad9728a9c0eec34db9dff61dfa2f1dd625637:
-  Merge remote-tracking branch 'remotes/kraxel/tags/audio-20190828-pull-request' into staging (2019-09-03 14:03:15 +0100)
+  Merge tag 'pull-tpm-2023-07-14-1' of https://github.com/stefanberger/qemu-tpm into staging (2023-07-15 14:54:04 +0100)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190903
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230717
-for you to fetch changes up to 5e5584c89f36b302c666bc6db535fd3f7ff35ad2:
+for you to fetch changes up to c2c1c4a35c7c2b1a4140b0942b9797c857e476a4:
-  target/arm: Don't abort on M-profile exception return in linux-user mode (2019-09-03 16:20:35 +0100)
+  hw/nvram: Avoid unnecessary Xilinx eFuse backstore write (2023-07-17 11:05:52 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * Revert and correctly fix refactoring of unallocated_encoding()
+ * hw/arm/sbsa-ref: set 'slots' property of xhci
- * Take exceptions on ATS instructions when needed
+ * linux-user: Remove pointless NULL check in clock_adjtime handling
- * aspeed/timer: Provide back-pressure information for short periods
+ * ptw: Fix S1_ptw_translate() debug path
- * memory: Remove unused memory_region_iommu_replay_all()
+ * ptw: Account for FEAT_RME when applying {N}SW, SA bits
- * hw/arm/smmuv3: Log a guest error when decoding an invalid STE
+ * accel/tcg: Zero-pad PC in TCG CPU exec trace lines
- * hw/arm/smmuv3: Remove spurious error messages on IOVA invalidations
+ * hw/nvram: Avoid unnecessary Xilinx eFuse backstore write
  * target/arm: Fix SMMLS argument order
  * hw/arm: Use ARM_CPU_TYPE_NAME() macro when appropriate
  * hw/arm: Correct reference counting for creation of various objects
  * includes: remove stale [smp|max]_cpus externs
  * tcg/README: fix typo
  * atomic_template: fix indentation in GEN_ATOMIC_HELPER
  * include/exec/cpu-defs.h: fix typo
  * target/arm: Free TCG temps in trans_VMOV_64_sp()
  * target/arm: Don't abort on M-profile exception return in linux-user mode
 ----------------------------------------------------------------
-Alex Bennée (2):
+Peter Maydell (5):
-      includes: remove stale [smp|max]_cpus externs
+      linux-user: Remove pointless NULL check in clock_adjtime handling
-      include/exec/cpu-defs.h: fix typo
+      target/arm/ptw.c: Add comments to S1Translate struct fields
       target/arm: Fix S1_ptw_translate() debug path
       target/arm/ptw.c: Account for FEAT_RME when applying {N}SW, SA bits
       accel/tcg: Zero-pad PC in TCG CPU exec trace lines
-Andrew Jeffery (1):
+Tong Ho (1):
-      aspeed/timer: Provide back-pressure information for short periods
+      hw/nvram: Avoid unnecessary Xilinx eFuse backstore write
-Emilio G. Cota (2):
+Yuquan Wang (1):
-      tcg/README: fix typo s/afterwise/afterwards/
+      hw/arm/sbsa-ref: set 'slots' property of xhci
       atomic_template: fix indentation in GEN_ATOMIC_HELPER
-Eric Auger (3):
+ accel/tcg/cpu-exec.c      |  4 +--
-      memory: Remove unused memory_region_iommu_replay_all()
+ accel/tcg/translate-all.c |  2 +-
-      hw/arm/smmuv3: Log a guest error when decoding an invalid STE
+ hw/arm/sbsa-ref.c         |  1 +
-      hw/arm/smmuv3: Remove spurious error messages on IOVA invalidations
+ hw/nvram/xlnx-efuse.c     | 11 ++++--
+ linux-user/syscall.c      | 12 +++----
-Peter Maydell (4):
+ target/arm/ptw.c          | 90 +++++++++++++++++++++++++++++++++++++++++------
-      target/arm: Allow ARMCPRegInfo read/write functions to throw exceptions
+files changed, 98 insertions(+), 22 deletions(-)
       target/arm: Take exceptions on ATS instructions when needed
       target/arm: Free TCG temps in trans_VMOV_64_sp()
       target/arm: Don't abort on M-profile exception return in linux-user mode
 Philippe Mathieu-Daudé (6):
       hw/arm: Use ARM_CPU_TYPE_NAME() macro when appropriate
       hw/arm: Use object_initialize_child for correct reference counting
       hw/arm: Use sysbus_init_child_obj for correct reference counting
       hw/arm/fsl-imx: Add the cpu as child of the SoC object
       hw/dma/xilinx_axi: Use object_initialize_child for correct ref. counting
       hw/net/xilinx_axi: Use object_initialize_child for correct ref. counting
 Richard Henderson (3):
       Revert "target/arm: Use unallocated_encoding for aarch32"
       target/arm: Factor out unallocated_encoding for aarch32
       target/arm: Fix SMMLS argument order
  accel/tcg/atomic_template.h    |   2 +-
  hw/arm/smmuv3-internal.h       |   1 +
  include/exec/cpu-defs.h        |   2 +-
  include/exec/memory.h          |  10 ----
  include/sysemu/sysemu.h        |   2 -
  target/arm/cpu.h               |   6 ++-
  target/arm/translate-a64.h     |   2 +
  target/arm/translate.h         |   2 -
  hw/arm/allwinner-a10.c         |   3 +-
  hw/arm/cubieboard.c            |   3 +-
  hw/arm/digic.c                 |   3 +-
  hw/arm/exynos4_boards.c        |   4 +-
  hw/arm/fsl-imx25.c             |   4 +-
  hw/arm/fsl-imx31.c             |   4 +-
  hw/arm/fsl-imx6.c              |   3 +-
  hw/arm/fsl-imx6ul.c            |   2 +-
  hw/arm/mcimx7d-sabre.c         |   9 ++--
  hw/arm/mps2-tz.c               |  15 +++---
  hw/arm/musca.c                 |   9 ++--
  hw/arm/smmuv3.c                |  18 ++++---
  hw/arm/xlnx-zynqmp.c           |   8 +--
  hw/dma/xilinx_axidma.c         |  16 +++---
  hw/net/xilinx_axienet.c        |  17 +++----
  hw/timer/aspeed_timer.c        |  17 ++++++-
  memory.c                       |   9 ----
  target/arm/helper.c            | 107 +++++++++++++++++++++++++++++++++++------
  target/arm/translate-a64.c     |  13 +++++
  target/arm/translate-vfp.inc.c |   2 +
  target/arm/translate.c         |  50 +++++++++++++++++--
  tcg/README                     |   2 +-
 files changed, 244 insertions(+), 101 deletions(-)

-[Qemu-devel] [PULL 07/21] hw/arm/smmuv3: Log a guest error when decoding an invalid STE
+[PULL 1/7] hw/arm/sbsa-ref: set 'slots' property of xhci
-From: Eric Auger <eric.auger@redhat.com>
+From: Yuquan Wang <wangyuquan1236@phytium.com.cn>
-Log a guest error when encountering an invalid STE.
+This extends the slots of xhci to 64, since the default xhci_sysbus
 just supports one slot.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Wang Yuquan <wangyuquan1236@phytium.com.cn>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Chen Baozi <chenbaozi@phytium.com.cn>
-Message-id: 20190822172350.12008-5-eric.auger@redhat.com
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
 Tested-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
 Message-id: 20230710063750.473510-2-wangyuquan1236@phytium.com.cn
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/smmuv3.c | 1 +
+ hw/arm/sbsa-ref.c | 1 +
 file changed, 1 insertion(+)
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
+diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
+--- a/hw/arm/sbsa-ref.c
-+++ b/hw/arm/smmuv3.c
++++ b/hw/arm/sbsa-ref.c
-@@ -XXX,XX +XXX,XX @@ static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
+@@ -XXX,XX +XXX,XX @@ static void create_xhci(const SBSAMachineState *sms)
-     uint32_t config;
+     hwaddr base = sbsa_ref_memmap[SBSA_XHCI].base;
+     int irq = sbsa_ref_irqmap[SBSA_XHCI];
-     if (!STE_VALID(ste)) {
+     DeviceState *dev = qdev_new(TYPE_XHCI_SYSBUS);
-+        qemu_log_mask(LOG_GUEST_ERROR, "invalid STE\n");
++    qdev_prop_set_uint32(dev, "slots", XHCI_MAXSLOTS);
-         goto bad_ste;
-     }
+     sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
+     sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base);
 --
-.20.1
+.34.1

-[Qemu-devel] [PULL 21/21] target/arm: Don't abort on M-profile exception return in linux-user mode
+[PULL 2/7] linux-user: Remove pointless NULL check in clock_adjtime handling
-An attempt to do an exception-return (branch to one of the magic
+In the code for TARGET_NR_clock_adjtime, we set the pointer phtx to
-addresses) in linux-user mode for M-profile should behave like
+the address of the local variable htx.  This means it can never be
-a normal branch, because linux-user mode is always going to be
+NULL, but later in the code we check it for NULL anyway.  Coverity
-in 'handler' mode. This used to work, but we broke it when we added
+complains about this (CID 1507683) because the NULL check comes after
-support for the M-profile security extension in commit d02a8698d7ae2bfed.
+a call to clock_adjtime() that assumes it is non-NULL.
-In that commit we allowed even handler-mode calls to magic return
+Since phtx is always &htx, and is used only in three places, it's not
-values to be checked for and dealt with by causing an
+really necessary.  Remove it, bringing the code structure in to line
-EXCP_EXCEPTION_EXIT exception to be taken, because this is
+with that for TARGET_NR_clock_adjtime64, which already uses a simple
-needed for the FNC_RETURN return-from-non-secure-function-call
+'&htx' when it wants a pointer to 'htx'.
 handling. For system mode we added a check in do_v7m_exception_exit()
 to make any spurious calls from Handler mode behave correctly, but
 forgot that linux-user mode would also be affected.
-How an attempted return-from-non-secure-function-call in linux-user
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-mode should be handled is not clear -- on real hardware it would
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-result in return to secure code (not to the Linux kernel) which
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-could then handle the error in any way it chose. For QEMU we take
+Message-id: 20230623144410.1837261-1-peter.maydell@linaro.org
-the simple approach of treating this erroneous return the same way
+---
-it would be handled on a CPU without the security extensions --
+ linux-user/syscall.c | 12 +++++-------
-treat it as a normal branch.
+file changed, 5 insertions(+), 7 deletions(-)
-The upshot of all this is that for linux-user mode we should never
+diff --git a/linux-user/syscall.c b/linux-user/syscall.c
 do any of the bx_excret magic, so the code change is simple.
 This ought to be a weird corner case that only affects broken guest
 code (because Linux user processes should never be attempting to do
 exception returns or NS function returns), except that the code that
 assigns addresses in RAM for the process and stack in our linux-user
 code does not attempt to avoid this magic address range, so
 legitimate code attempting to return to a trampoline routine on the
 stack can fall into this case. This change fixes those programs,
 but we should also look at restricting the range of memory we
 use for M-profile linux-user guests to the area that would be
 real RAM in hardware.
 Cc: qemu-stable@nongnu.org
 Reported-by: Christophe Lyon <christophe.lyon@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Message-id: 20190822131534.16602-1-peter.maydell@linaro.org
 Fixes: https://bugs.launchpad.net/qemu/+bug/1840922
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  target/arm/translate.c | 21 ++++++++++++++++++++-
 file changed, 20 insertions(+), 1 deletion(-)
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
+--- a/linux-user/syscall.c
-+++ b/target/arm/translate.c
++++ b/linux-user/syscall.c
-@@ -XXX,XX +XXX,XX @@ static inline void gen_bx(DisasContext *s, TCGv_i32 var)
+@@ -XXX,XX +XXX,XX @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1,
-     store_cpu_field(var, thumb);
+ #if defined(TARGET_NR_clock_adjtime) && defined(CONFIG_CLOCK_ADJTIME)
- }
+     case TARGET_NR_clock_adjtime:
+         {
--/* Set PC and Thumb state from var. var is marked as dead.
+-            struct timex htx, *phtx = &htx;
-+/*
++            struct timex htx;
-+ * Set PC and Thumb state from var. var is marked as dead.
-  * For M-profile CPUs, include logic to detect exception-return
+-            if (target_to_host_timex(phtx, arg2) != 0) {
-  * branches and handle them. This is needed for Thumb POP/LDM to PC, LDR to PC,
++            if (target_to_host_timex(&htx, arg2) != 0) {
-  * and BX reg, and no others, and happens only for code in Handler mode.
+                 return -TARGET_EFAULT;
-+ * The Security Extension also requires us to check for the FNC_RETURN
+             }
-+ * which signals a function return from non-secure state; this can happen
+-            ret = get_errno(clock_adjtime(arg1, phtx));
-+ * in both Handler and Thread mode.
+-            if (!is_error(ret) && phtx) {
-+ * To avoid having to do multiple comparisons in inline generated code,
+-                if (host_to_target_timex(arg2, phtx) != 0) {
-+ * we make the check we do here loose, so it will match for EXC_RETURN
+-                    return -TARGET_EFAULT;
-+ * in Thread mode. For system emulation do_v7m_exception_exit() checks
+-                }
-+ * for these spurious cases and returns without doing anything (giving
++            ret = get_errno(clock_adjtime(arg1, &htx));
-+ * the same behaviour as for a branch to a non-magic address).
++            if (!is_error(ret) && host_to_target_timex(arg2, &htx)) {
-+ *
++                return -TARGET_EFAULT;
-+ * In linux-user mode it is unclear what the right behaviour for an
+             }
-+ * attempted FNC_RETURN should be, because in real hardware this will go
+         }
-+ * directly to Secure code (ie not the Linux kernel) which will then treat
+         return ret;
 + * the error in any way it chooses. For QEMU we opt to make the FNC_RETURN
 + * attempt behave the way it would on a CPU without the security extension,
 + * which is to say "like a normal branch". That means we can simply treat
 + * all branches as normal with no magic address behaviour.
   */
  static inline void gen_bx_excret(DisasContext *s, TCGv_i32 var)
  {
@@ -XXX,XX +XXX,XX @@ static inline void gen_bx_excret(DisasContext *s, TCGv_i32 var)
       * s->base.is_jmp that we need to do the rest of the work later.
       */
      gen_bx(s, var);
 +#ifndef CONFIG_USER_ONLY
      if (arm_dc_feature(s, ARM_FEATURE_M_SECURITY) ||
          (s->v7m_handler_mode && arm_dc_feature(s, ARM_FEATURE_M))) {
          s->base.is_jmp = DISAS_BX_EXCRET;
      }
 +#endif
  }
  static inline void gen_bx_excret_final_code(DisasContext *s)
 --
-.20.1
+.34.1

-[Qemu-devel] [PULL 04/21] target/arm: Take exceptions on ATS instructions when needed
+[PULL 3/7] target/arm/ptw.c: Add comments to S1Translate struct fields
-The translation table walk for an ATS instruction can result in
+Add comments to the in_* fields in the S1Translate struct
-various faults.  In general these are just reported back via the
+that explain what they're doing.
 PAR_EL1 fault status fields, but in some cases the architecture
 requires that the fault is turned into an exception:
  * synchronous stage 2 faults of any kind during AT S1E0* and
    AT S1E1* instructions executed from NS EL1 fault to EL2 or EL3
  * synchronous external aborts are taken as Data Abort exceptions
 (This is documented in the v8A Arm ARM DDI0487A.e D5.2.11 and
 G5.13.4.)
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Message-id: 20230710152130.3928330-2-peter.maydell@linaro.org
 Message-id: 20190816125802.25877-3-peter.maydell@linaro.org
 ---
- target/arm/helper.c | 107 +++++++++++++++++++++++++++++++++++++-------
+ target/arm/ptw.c | 40 ++++++++++++++++++++++++++++++++++++++++
-file changed, 92 insertions(+), 15 deletions(-)
+file changed, 40 insertions(+)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
+--- a/target/arm/ptw.c
-+++ b/target/arm/helper.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
+@@ -XXX,XX +XXX,XX @@
      ret = get_phys_addr(env, value, access_type, mmu_idx, &phys_addr, &attrs,
                          &prot, &page_size, &fi, &cacheattrs);
 +    if (ret) {
 +        /*
 +         * Some kinds of translation fault must cause exceptions rather
 +         * than being reported in the PAR.
 +         */
 +        int current_el = arm_current_el(env);
 +        int target_el;
 +        uint32_t syn, fsr, fsc;
 +        bool take_exc = false;
 +
 +        if (fi.s1ptw && current_el == 1 && !arm_is_secure(env)
 +            && (mmu_idx == ARMMMUIdx_S1NSE1 || mmu_idx == ARMMMUIdx_S1NSE0)) {
 +            /*
 +             * Synchronous stage 2 fault on an access made as part of the
 +             * translation table walk for AT S1E0* or AT S1E1* insn
 +             * executed from NS EL1. If this is a synchronous external abort
 +             * and SCR_EL3.EA == 1, then we take a synchronous external abort
 +             * to EL3. Otherwise the fault is taken as an exception to EL2,
 +             * and HPFAR_EL2 holds the faulting IPA.
 +             */
 +            if (fi.type == ARMFault_SyncExternalOnWalk &&
 +                (env->cp15.scr_el3 & SCR_EA)) {
 +                target_el = 3;
 +            } else {
 +                env->cp15.hpfar_el2 = extract64(fi.s2addr, 12, 47) << 4;
 +                target_el = 2;
 +            }
 +            take_exc = true;
 +        } else if (fi.type == ARMFault_SyncExternalOnWalk) {
 +            /*
 +             * Synchronous external aborts during a translation table walk
 +             * are taken as Data Abort exceptions.
 +             */
 +            if (fi.stage2) {
 +                if (current_el == 3) {
 +                    target_el = 3;
 +                } else {
 +                    target_el = 2;
 +                }
 +            } else {
 +                target_el = exception_target_el(env);
 +            }
 +            take_exc = true;
 +        }
 +
 +        if (take_exc) {
 +            /* Construct FSR and FSC using same logic as arm_deliver_fault() */
 +            if (target_el == 2 || arm_el_is_aa64(env, target_el) ||
 +                arm_s1_regime_using_lpae_format(env, mmu_idx)) {
 +                fsr = arm_fi_to_lfsc(&fi);
 +                fsc = extract32(fsr, 0, 6);
 +            } else {
 +                fsr = arm_fi_to_sfsc(&fi);
 +                fsc = 0x3f;
 +            }
 +            /*
 +             * Report exception with ESR indicating a fault due to a
 +             * translation table walk for a cache maintenance instruction.
 +             */
 +            syn = syn_data_abort_no_iss(current_el == target_el,
 +                                        fi.ea, 1, fi.s1ptw, 1, fsc);
 +            env->exception.vaddress = value;
 +            env->exception.fsr = fsr;
 +            raise_exception(env, EXCP_DATA_ABORT, syn, target_el);
 +        }
 +    }
 +
      if (is_a64(env)) {
          format64 = true;
      } else if (arm_feature(env, ARM_FEATURE_LPAE)) {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vapa_cp_reginfo[] = {
      /* This underdecoding is safe because the reginfo is NO_RAW. */
      { .name = "ATS", .cp = 15, .crn = 7, .crm = 8, .opc1 = 0, .opc2 = CP_ANY,
        .access = PL1_W, .accessfn = ats_access,
 -      .writefn = ats_write, .type = ARM_CP_NO_RAW },
 +      .writefn = ats_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC },
  #endif
-     REGINFO_SENTINEL
- };
+ typedef struct S1Translate {
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
++    /*
-     /* 64 bit address translation operations */
++     * in_mmu_idx : specifies which TTBR, TCR, etc to use for the walk.
-     { .name = "AT_S1E1R", .state = ARM_CP_STATE_AA64,
++     * Together with in_space, specifies the architectural translation regime.
-       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 0,
++     */
--      .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+     ARMMMUIdx in_mmu_idx;
-+      .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
++    /*
-+      .writefn = ats_write64 },
++     * in_ptw_idx: specifies which mmuidx to use for the actual
-     { .name = "AT_S1E1W", .state = ARM_CP_STATE_AA64,
++     * page table descriptor load operations. This will be one of the
-       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 1,
++     * ARMMMUIdx_Stage2* or one of the ARMMMUIdx_Phys_* indexes.
--      .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
++     * If a Secure ptw is "downgraded" to NonSecure by an NSTable bit,
-+      .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
++     * this field is updated accordingly.
-+      .writefn = ats_write64 },
++     */
-     { .name = "AT_S1E0R", .state = ARM_CP_STATE_AA64,
+     ARMMMUIdx in_ptw_idx;
-       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 2,
++    /*
--      .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
++     * in_space: the security space for this walk. This plus
-+      .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
++     * the in_mmu_idx specify the architectural translation regime.
-+      .writefn = ats_write64 },
++     * If a Secure ptw is "downgraded" to NonSecure by an NSTable bit,
-     { .name = "AT_S1E0W", .state = ARM_CP_STATE_AA64,
++     * this field is updated accordingly.
-       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 3,
++     *
--      .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
++     * Note that the security space for the in_ptw_idx may be different
-+      .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
++     * from that for the in_mmu_idx. We do not need to explicitly track
-+      .writefn = ats_write64 },
++     * the in_ptw_idx security space because:
-     { .name = "AT_S12E1R", .state = ARM_CP_STATE_AA64,
++     *  - if the in_ptw_idx is an ARMMMUIdx_Phys_* then the mmuidx
-       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 4,
++     *    itself specifies the security space
--      .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
++     *  - if the in_ptw_idx is an ARMMMUIdx_Stage2* then the security
-+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
++     *    space used for ptw reads is the same as that of the security
-+      .writefn = ats_write64 },
++     *    space of the stage 1 translation for all cases except where
-     { .name = "AT_S12E1W", .state = ARM_CP_STATE_AA64,
++     *    stage 1 is Secure; in that case the only possibilities for
-       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 5,
++     *    the ptw read are Secure and NonSecure, and the in_ptw_idx
--      .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
++     *    value being Stage2 vs Stage2_S distinguishes those.
-+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
++     */
-+      .writefn = ats_write64 },
+     ARMSecuritySpace in_space;
-     { .name = "AT_S12E0R", .state = ARM_CP_STATE_AA64,
++    /*
-       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 6,
++     * in_secure: whether the translation regime is a Secure one.
--      .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
++     * This is always equal to arm_space_is_secure(in_space).
-+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
++     * If a Secure ptw is "downgraded" to NonSecure by an NSTable bit,
-+      .writefn = ats_write64 },
++     * this field is updated accordingly.
-     { .name = "AT_S12E0W", .state = ARM_CP_STATE_AA64,
++     */
-       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 7,
+     bool in_secure;
--      .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
++    /*
-+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
++     * in_debug: is this a QEMU debug access (gdbstub, etc)? Debug
-+      .writefn = ats_write64 },
++     * accesses will not update the guest page table access flags
-     /* AT S1E2* are elsewhere as they UNDEF from EL3 if EL2 is not present */
++     * and will not change the state of the softmmu TLBs.
-     { .name = "AT_S1E3R", .state = ARM_CP_STATE_AA64,
++     */
-       .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 0,
+     bool in_debug;
--      .access = PL3_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+     /*
-+      .access = PL3_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      * If this is stage 2 of a stage 1+2 page table walk, then this must
 +      .writefn = ats_write64 },
      { .name = "AT_S1E3W", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 1,
 -      .access = PL3_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
 +      .access = PL3_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
 +      .writefn = ats_write64 },
      { .name = "PAR_EL1", .state = ARM_CP_STATE_AA64,
        .type = ARM_CP_ALIAS,
        .opc0 = 3, .opc1 = 0, .crn = 7, .crm = 4, .opc2 = 0,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
      { .name = "AT_S1E2R", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0,
        .access = PL2_W, .accessfn = at_s1e2_access,
 -      .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
 +      .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, .writefn = ats_write64 },
      { .name = "AT_S1E2W", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
        .access = PL2_W, .accessfn = at_s1e2_access,
 -      .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
 +      .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, .writefn = ats_write64 },
      /* The AArch32 ATS1H* operations are CONSTRAINED UNPREDICTABLE
       * if EL2 is not implemented; we choose to UNDEF. Behaviour at EL3
       * with SCR.NS == 0 outside Monitor mode is UNPREDICTABLE; we choose
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
       */
      { .name = "ATS1HR", .cp = 15, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0,
        .access = PL2_W,
 -      .writefn = ats1h_write, .type = ARM_CP_NO_RAW },
 +      .writefn = ats1h_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC },
      { .name = "ATS1HW", .cp = 15, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
        .access = PL2_W,
 -      .writefn = ats1h_write, .type = ARM_CP_NO_RAW },
 +      .writefn = ats1h_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC },
      { .name = "CNTHCTL_EL2", .state = ARM_CP_STATE_BOTH,
        .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 1, .opc2 = 0,
        /* ARMv7 requires bit 0 and 1 to reset to 1. ARMv8 defines the
 --
-.20.1
+.34.1

-[Qemu-devel] [PULL 01/21] Revert "target/arm: Use unallocated_encoding for aarch32"
+[PULL 4/7] target/arm: Fix S1_ptw_translate() debug path
-From: Richard Henderson <richard.henderson@linaro.org>
+In commit fe4a5472ccd6 we rearranged the logic in S1_ptw_translate()
 so that the debug-access "call get_phys_addr_*" codepath is used both
 when S1 is doing ptw reads from stage 2 and when it is doing ptw
 reads from physical memory.  However, we didn't update the
 calculation of s2ptw->in_space and s2ptw->in_secure to account for
 the "ptw reads from physical memory" case.  This meant that debug
 accesses when in Secure state broke.
-This reverts commit 3cb36637157088892e9e33ddb1034bffd1251d3b.
+Create a new function S2_security_space() which returns the
 correct security space to use for the ptw load, and use it to
 determine the correct .in_secure and .in_space fields for the
 stage 2 lookup for the ptw load.
-Despite the fact that the text for the call to gen_exception_insn
+Reported-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-is identical for aarch64 and aarch32, the implementation inside
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-gen_exception_insn is totally different.
+Tested-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-This fixes exceptions raised from aarch64.
+Message-id: 20230710152130.3928330-3-peter.maydell@linaro.org
+Fixes: fe4a5472ccd6 ("target/arm: Use get_phys_addr_with_struct in S1_ptw_translate")
 Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Laurent Desnogues <laurent.desnogues@gmail.com>
 Message-id: 20190826151536.6771-2-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.h     |  2 ++
+ target/arm/ptw.c | 37 ++++++++++++++++++++++++++++++++-----
- target/arm/translate.h         |  2 --
+file changed, 32 insertions(+), 5 deletions(-)
  target/arm/translate-a64.c     |  7 +++++++
  target/arm/translate-vfp.inc.c |  3 ++-
  target/arm/translate.c         | 22 ++++++++++------------
 files changed, 21 insertions(+), 15 deletions(-)
-diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.h
+--- a/target/arm/ptw.c
-+++ b/target/arm/translate-a64.h
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static bool S2_attrs_are_device(uint64_t hcr, uint8_t attrs)
  #ifndef TARGET_ARM_TRANSLATE_A64_H
  #define TARGET_ARM_TRANSLATE_A64_H
 +void unallocated_encoding(DisasContext *s);
 +
  #define unsupported_encoding(s, insn)                                    \
      do {                                                                 \
          qemu_log_mask(LOG_UNIMP,                                         \
 diff --git a/target/arm/translate.h b/target/arm/translate.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.h
 +++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasCompare {
      bool value_global;
  } DisasCompare;
 -void unallocated_encoding(DisasContext *s);
 -
  /* Share the TCG temporaries common between 32 and 64 bit modes.  */
  extern TCGv_i32 cpu_NF, cpu_ZF, cpu_CF, cpu_VF;
  extern TCGv_i64 cpu_exclusive_addr;
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_goto_tb(DisasContext *s, int n, uint64_t dest)
      }
  }
-+void unallocated_encoding(DisasContext *s)
++static ARMSecuritySpace S2_security_space(ARMSecuritySpace s1_space,
 +                                          ARMMMUIdx s2_mmu_idx)
 +{
-+    /* Unallocated and reserved encodings are uncategorized */
++    /*
-+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
++     * Return the security space to use for stage 2 when doing
-+                       default_exception_el(s));
++     * the S1 page table descriptor load.
 +     */
 +    if (regime_is_stage2(s2_mmu_idx)) {
 +        /*
 +         * The security space for ptw reads is almost always the same
 +         * as that of the security space of the stage 1 translation.
 +         * The only exception is when stage 1 is Secure; in that case
 +         * the ptw read might be to the Secure or the NonSecure space
 +         * (but never Realm or Root), and the s2_mmu_idx tells us which.
 +         * Root translations are always single-stage.
 +         */
 +        if (s1_space == ARMSS_Secure) {
 +            return arm_secure_to_space(s2_mmu_idx == ARMMMUIdx_Stage2_S);
 +        } else {
 +            assert(s2_mmu_idx != ARMMMUIdx_Stage2_S);
 +            assert(s1_space != ARMSS_Root);
 +            return s1_space;
 +        }
 +    } else {
 +        /* ptw loads are from phys: the mmu idx itself says which space */
 +        return arm_phys_to_space(s2_mmu_idx);
 +    }
 +}
 +
- static void init_tmp_a64_array(DisasContext *s)
+ /* Translate a S1 pagetable walk through S2 if needed.  */
  static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
                               hwaddr addr, ARMMMUFaultInfo *fi)
  {
- #ifdef CONFIG_DEBUG_TCG
+-    ARMSecuritySpace space = ptw->in_space;
-diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
+     bool is_secure = ptw->in_secure;
-index XXXXXXX..XXXXXXX 100644
+     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
---- a/target/arm/translate-vfp.inc.c
+     ARMMMUIdx s2_mmu_idx = ptw->in_ptw_idx;
-+++ b/target/arm/translate-vfp.inc.c
+@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
-@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
+          * From gdbstub, do not use softmmu so that we don't modify the
+          * state of the cpu at all, including softmmu tlb contents.
-     if (!s->vfp_enabled && !ignore_vfp_enabled) {
+          */
-         assert(!arm_dc_feature(s, ARM_FEATURE_M));
++        ARMSecuritySpace s2_space = S2_security_space(ptw->in_space, s2_mmu_idx);
--        unallocated_encoding(s);
+         S1Translate s2ptw = {
-+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
+             .in_mmu_idx = s2_mmu_idx,
-+                           default_exception_el(s));
+             .in_ptw_idx = ptw_idx_for_stage_2(env, s2_mmu_idx),
-         return false;
+-            .in_secure = s2_mmu_idx == ARMMMUIdx_Stage2_S,
-     }
+-            .in_space = (s2_mmu_idx == ARMMMUIdx_Stage2_S ? ARMSS_Secure
+-                         : space == ARMSS_Realm ? ARMSS_Realm
-diff --git a/target/arm/translate.c b/target/arm/translate.c
+-                         : ARMSS_NonSecure),
-index XXXXXXX..XXXXXXX 100644
++            .in_secure = arm_space_is_secure(s2_space),
---- a/target/arm/translate.c
++            .in_space = s2_space,
-+++ b/target/arm/translate.c
+             .in_debug = true,
-@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syn)
+         };
-     s->base.is_jmp = DISAS_NORETURN;
+         GetPhysAddrResult s2 = { };
  }
 -void unallocated_encoding(DisasContext *s)
 -{
 -    /* Unallocated and reserved encodings are uncategorized */
 -    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                       default_exception_el(s));
 -}
 -
  /* Force a TB lookup after an instruction that changes the CPU state.  */
  static inline void gen_lookup_tb(DisasContext *s)
  {
@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
          return;
      }
 -    unallocated_encoding(s);
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 +                       default_exception_el(s));
  }
  static inline void gen_add_data_offset(DisasContext *s, unsigned int insn,
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
      }
      if (undef) {
 -        unallocated_encoding(s);
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 +                           default_exception_el(s));
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
              break;
          default:
          illegal_op:
 -            unallocated_encoding(s);
 +            gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 +                               default_exception_el(s));
              break;
          }
      }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
      }
      return;
  illegal_op:
 -    unallocated_encoding(s);
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 +                       default_exception_el(s));
  }
  static void disas_thumb_insn(DisasContext *s, uint32_t insn)
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
      return;
  illegal_op:
  undef:
 -    unallocated_encoding(s);
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 +                       default_exception_el(s));
  }
  static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
 --
-.20.1
+.34.1

-[Qemu-devel] [PULL 03/21] target/arm: Allow ARMCPRegInfo read/write functions to throw exceptions
+[PULL 5/7] target/arm/ptw.c: Account for FEAT_RME when applying {N}SW, SA bits
-Currently the only part of an ARMCPRegInfo which is allowed to cause
+In get_phys_addr_twostage() the code that applies the effects of
-a CPU exception is the access function, which returns a value indicating
+VSTCR.{SA,SW} and VTCR.{NSA,NSW} only updates result->f.attrs.secure.
-that some flavour of UNDEF should be generated.
+Now we also have f.attrs.space for FEAT_RME, we need to keep the two
 in sync.
-For the ATS system instructions, we would like to conditionally
+These bits only have an effect for Secure space translations, not
-generate exceptions as part of the writefn, because some faults
+for Root, so use the input in_space field to determine whether to
-during the page table walk (like external aborts) should cause
+apply them rather than the input is_secure. This doesn't actually
-an exception to be raised rather than returning a value.
+make a difference because Root translations are never two-stage,
+but it's a little clearer.
 There are several ways we could do this:
  * plumb the GETPC() value from the top level set_cp_reg/get_cp_reg
    helper functions through into the readfn and writefn hooks
  * add extra readfn_with_ra/writefn_with_ra hooks that take the GETPC()
    value
  * require the ATS instructions to provide a dummy accessfn,
    which serves no purpose except to cause the code generation
    to emit TCG ops to sync the CPU state
  * add an ARM_CP_ flag to mark the ARMCPRegInfo as possibly
    throwing an exception in its read/write hooks, and make the
    codegen sync the CPU state before calling the hooks if the
    flag is set
 This patch opts for the last of these, as it is fairly simple
 to implement and doesn't require invasive changes like updating
 the readfn/writefn hook function prototype signature.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Message-id: 20230710152130.3928330-4-peter.maydell@linaro.org
 Message-id: 20190816125802.25877-2-peter.maydell@linaro.org
 ---
- target/arm/cpu.h           | 6 +++++-
+ target/arm/ptw.c | 13 ++++++++-----
- target/arm/translate-a64.c | 6 ++++++
+file changed, 8 insertions(+), 5 deletions(-)
  target/arm/translate.c     | 7 +++++++
 files changed, 18 insertions(+), 1 deletion(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
+--- a/target/arm/ptw.c
-+++ b/target/arm/cpu.h
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
-  * IO indicates that this register does I/O and therefore its accesses
+     hwaddr ipa;
-  * need to be surrounded by gen_io_start()/gen_io_end(). In particular,
+     int s1_prot, s1_lgpgsz;
-  * registers which implement clocks or timers require this.
+     bool is_secure = ptw->in_secure;
-+ * RAISES_EXC is for when the read or write hook might raise an exception;
++    ARMSecuritySpace in_space = ptw->in_space;
-+ * the generated code will synchronize the CPU state before calling the hook
+     bool ret, ipa_secure;
-+ * so that it is safe for the hook to call raise_exception().
+     ARMCacheAttrs cacheattrs1;
-  */
+     ARMSecuritySpace ipa_space;
- #define ARM_CP_SPECIAL           0x0001
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
- #define ARM_CP_CONST             0x0002
+      * Check if IPA translates to secure or non-secure PA space.
-@@ -XXX,XX +XXX,XX @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
+      * Note that VSTCR overrides VTCR and {N}SW overrides {N}SA.
- #define ARM_CP_FPU               0x1000
+      */
- #define ARM_CP_SVE               0x2000
+-    result->f.attrs.secure =
- #define ARM_CP_NO_GDB            0x4000
+-        (is_secure
-+#define ARM_CP_RAISES_EXC        0x8000
+-         && !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW))
- /* Used only as a terminator for ARMCPRegInfo lists */
+-         && (ipa_secure
- #define ARM_CP_SENTINEL          0xffff
+-             || !(env->cp15.vtcr_el2 & (VTCR_NSA | VTCR_NSW))));
- /* Mask of only the flag bits in a type field */
++    if (in_space == ARMSS_Secure) {
--#define ARM_CP_FLAG_MASK         0x70ff
++        result->f.attrs.secure =
-+#define ARM_CP_FLAG_MASK         0xf0ff
++            !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW))
++            && (ipa_secure
- /* Valid values for ARMCPRegInfo state field, indicating which of
++                || !(env->cp15.vtcr_el2 & (VTCR_NSA | VTCR_NSW)));
-  * the AArch32 and AArch64 execution states this register is visible in.
++        result->f.attrs.space = arm_secure_to_space(result->f.attrs.secure);
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
++    }
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
+     return false;
-+++ b/target/arm/translate-a64.c
+ }
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
          tcg_temp_free_ptr(tmpptr);
          tcg_temp_free_i32(tcg_syn);
          tcg_temp_free_i32(tcg_isread);
 +    } else if (ri->type & ARM_CP_RAISES_EXC) {
 +        /*
 +         * The readfn or writefn might raise an exception;
 +         * synchronize the CPU state in case it does.
 +         */
 +        gen_a64_set_pc_im(s->pc_curr);
      }
      /* Handle special cases first */
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static int disas_coproc_insn(DisasContext *s, uint32_t insn)
              tcg_temp_free_ptr(tmpptr);
              tcg_temp_free_i32(tcg_syn);
              tcg_temp_free_i32(tcg_isread);
 +        } else if (ri->type & ARM_CP_RAISES_EXC) {
 +            /*
 +             * The readfn or writefn might raise an exception;
 +             * synchronize the CPU state in case it does.
 +             */
 +            gen_set_condexec(s);
 +            gen_set_pc_im(s, s->pc_curr);
          }
          /* Handle special cases first */
 --
-.20.1
+.34.1

-[Qemu-devel] [PULL 20/21] target/arm: Free TCG temps in trans_VMOV_64_sp()
+[PULL 6/7] accel/tcg: Zero-pad PC in TCG CPU exec trace lines
-The function neon_store_reg32() doesn't free the TCG temp that it
+In commit f0a08b0913befbd we changed the type of the PC from
-is passed, so the caller must do that. We got this right in most
+target_ulong to vaddr.  In doing so we inadvertently dropped the
-places but forgot to free the TCG temps in trans_VMOV_64_sp().
+zero-padding on the PC in trace lines (the second item inside the []
 in these lines).  They used to look like this on AArch64, for
 instance:
-Cc: qemu-stable@nongnu.org
+Trace 0: 0x7f2260000100 [00000000/0000000040000000/00000061/ff200000]
 and now they look like this:
 Trace 0: 0x7f4f50000100 [00000000/40000000/00000061/ff200000]
 and if the PC happens to be somewhere low like 0x5000
 then the field is shown as /5000/.
 This is because TARGET_FMT_lx is a "%08x" or "%016x" specifier,
 depending on TARGET_LONG_SIZE, whereas VADDR_PRIx is just PRIx64
 with no width specifier.
 Restore the zero-padding by adding an 016 width specifier to
 this tracing and a couple of others that were similarly recently
 changed to use VADDR_PRIx without a width specifier.
 We can't unfortunately restore the "32-bit guests are padded to
 hex digits and 64-bit guests to 16 hex digits" behaviour so
 easily.
 Fixes: f0a08b0913befbd ("accel/tcg/cpu-exec.c: Widen pc to vaddr")
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Anton Johansson <anjo@rev.ng>
-Message-id: 20190827121931.26836-1-peter.maydell@linaro.org
+Message-id: 20230711165434.4123674-1-peter.maydell@linaro.org
 ---
- target/arm/translate-vfp.inc.c | 2 ++
+ accel/tcg/cpu-exec.c      | 4 ++--
-file changed, 2 insertions(+)
+ accel/tcg/translate-all.c | 2 +-
 files changed, 3 insertions(+), 3 deletions(-)
-diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
+diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-vfp.inc.c
+--- a/accel/tcg/cpu-exec.c
-+++ b/target/arm/translate-vfp.inc.c
++++ b/accel/tcg/cpu-exec.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_64_sp(DisasContext *s, arg_VMOV_64_sp *a)
+@@ -XXX,XX +XXX,XX @@ static void log_cpu_exec(vaddr pc, CPUState *cpu,
-         /* gpreg to fpreg */
+     if (qemu_log_in_addr_range(pc)) {
-         tmp = load_reg(s, a->rt);
+         qemu_log_mask(CPU_LOG_EXEC,
-         neon_store_reg32(tmp, a->vm);
+                       "Trace %d: %p [%08" PRIx64
-+        tcg_temp_free_i32(tmp);
+-                      "/%" VADDR_PRIx "/%08x/%08x] %s\n",
-         tmp = load_reg(s, a->rt2);
++                      "/%016" VADDR_PRIx "/%08x/%08x] %s\n",
-         neon_store_reg32(tmp, a->vm + 1);
+                       cpu->cpu_index, tb->tc.ptr, tb->cs_base, pc,
-+        tcg_temp_free_i32(tmp);
+                       tb->flags, tb->cflags, lookup_symbol(pc));
@@ -XXX,XX +XXX,XX @@ cpu_tb_exec(CPUState *cpu, TranslationBlock *itb, int *tb_exit)
          if (qemu_loglevel_mask(CPU_LOG_EXEC)) {
              vaddr pc = log_pc(cpu, last_tb);
              if (qemu_log_in_addr_range(pc)) {
 -                qemu_log("Stopped execution of TB chain before %p [%"
 +                qemu_log("Stopped execution of TB chain before %p [%016"
                           VADDR_PRIx "] %s\n",
                           last_tb->tc.ptr, pc, lookup_symbol(pc));
              }
 diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/translate-all.c
 +++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr)
      if (qemu_loglevel_mask(CPU_LOG_EXEC)) {
          vaddr pc = log_pc(cpu, tb);
          if (qemu_log_in_addr_range(pc)) {
 -            qemu_log("cpu_io_recompile: rewound execution of TB to %"
 +            qemu_log("cpu_io_recompile: rewound execution of TB to %016"
                       VADDR_PRIx "\n", pc);
          }
      }
-     return true;
 --
-.20.1
+.34.1

-[Qemu-devel] [PULL 02/21] target/arm: Factor out unallocated_encoding for aarch32
+[PULL 7/7] hw/nvram: Avoid unnecessary Xilinx eFuse backstore write
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Tong Ho <tong.ho@amd.com>
-Make this a static function private to translate.c.
+Add a check in the bit-set operation to write the backstore
-Thus we can use the same idiom between aarch64 and aarch32
+only if the affected bit is 0 before.
 without actually sharing function implementations.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+With this in place, there will be no need for callers to
-Reviewed-by: Laurent Desnogues <laurent.desnogues@gmail.com>
+do the checking in order to avoid unnecessary writes.
-Message-id: 20190826151536.6771-3-richard.henderson@linaro.org
 Signed-off-by: Tong Ho <tong.ho@amd.com>
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-vfp.inc.c |  3 +--
+ hw/nvram/xlnx-efuse.c | 11 +++++++++--
- target/arm/translate.c         | 22 ++++++++++++----------
+file changed, 9 insertions(+), 2 deletions(-)
 files changed, 13 insertions(+), 12 deletions(-)
-diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
+diff --git a/hw/nvram/xlnx-efuse.c b/hw/nvram/xlnx-efuse.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-vfp.inc.c
+--- a/hw/nvram/xlnx-efuse.c
-+++ b/target/arm/translate-vfp.inc.c
++++ b/hw/nvram/xlnx-efuse.c
-@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
+@@ -XXX,XX +XXX,XX @@ static bool efuse_ro_bits_find(XlnxEFuse *s, uint32_t k)
-     if (!s->vfp_enabled && !ignore_vfp_enabled) {
+ bool xlnx_efuse_set_bit(XlnxEFuse *s, unsigned int bit)
-         assert(!arm_dc_feature(s, ARM_FEATURE_M));
+ {
--        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
++    uint32_t set, *row;
--                           default_exception_el(s));
++
-+        unallocated_encoding(s);
+     if (efuse_ro_bits_find(s, bit)) {
          g_autofree char *path = object_get_canonical_path(OBJECT(s));
@@ -XXX,XX +XXX,XX @@ bool xlnx_efuse_set_bit(XlnxEFuse *s, unsigned int bit)
          return false;
      }
-diff --git a/target/arm/translate.c b/target/arm/translate.c
+-    s->fuse32[bit / 32] |= 1 << (bit % 32);
-index XXXXXXX..XXXXXXX 100644
+-    efuse_bdrv_sync(s, bit);
---- a/target/arm/translate.c
++    /* Avoid back-end write unless there is a real update */
-+++ b/target/arm/translate.c
++    row = &s->fuse32[bit / 32];
-@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syn)
++    set = 1 << (bit % 32);
-     s->base.is_jmp = DISAS_NORETURN;
++    if (!(set & *row)) {
 +        *row |= set;
 +        efuse_bdrv_sync(s, bit);
 +    }
      return true;
  }
-+static void unallocated_encoding(DisasContext *s)
-+{
-+    /* Unallocated and reserved encodings are uncategorized */
-+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-+                       default_exception_el(s));
-+}
-+
- /* Force a TB lookup after an instruction that changes the CPU state.  */
- static inline void gen_lookup_tb(DisasContext *s)
- {
-@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
-         return;
-     }
--    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
--                       default_exception_el(s));
-+    unallocated_encoding(s);
- }
- static inline void gen_add_data_offset(DisasContext *s, unsigned int insn,
-@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
-     }
-     if (undef) {
--        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
--                           default_exception_el(s));
-+        unallocated_encoding(s);
-         return;
-     }
-@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
-             break;
-         default:
-         illegal_op:
--            gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
--                               default_exception_el(s));
-+            unallocated_encoding(s);
-             break;
-         }
-     }
-@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
-     }
-     return;
- illegal_op:
--    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
--                       default_exception_el(s));
-+    unallocated_encoding(s);
- }
- static void disas_thumb_insn(DisasContext *s, uint32_t insn)
-@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
-     return;
- illegal_op:
- undef:
--    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
--                       default_exception_el(s));
-+    unallocated_encoding(s);
- }
- static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
 --
-.20.1
+.34.1

-[Qemu-devel] [PULL 05/21] aspeed/timer: Provide back-pressure information for short periods
+Deleted patch
-From: Andrew Jeffery <andrew@aj.id.au>
-First up: This is not the way the hardware behaves.
-However, it helps resolve real-world problems with short periods being
-used under Linux. Commit 4451d3f59f2a ("clocksource/drivers/fttmr010:
-Fix set_next_event handler") in Linux fixed the timer driver to
-correctly schedule the next event for the Aspeed controller, and in
-combination with 5daa8212c08e ("ARM: dts: aspeed: Describe random number
-device") Linux will now set a timer with a period as low as 1us.
-Configuring a qemu timer with such a short period results in spending
-time handling the interrupt in the model rather than executing guest
-code, leading to noticeable "sticky" behaviour in the guest.
-The behaviour of Linux is correct with respect to the hardware, so we
-need to improve our handling under emulation. The approach chosen is to
-provide back-pressure information by calculating an acceptable minimum
-number of ticks to be set on the model. Under Linux an additional read
-is added in the timer configuration path to detect back-pressure, which
-will never occur on hardware. However if back-pressure is observed, the
-driver alerts the clock event subsystem, which then performs its own
-next event dilation via a config option - d1748302f70b ("clockevents:
-Make minimum delay adjustments configurable")
-A minimum period of 5us was experimentally determined on a Lenovo
-T480s, which I've increased to 20us for "safety".
-Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
-Reviewed-by: Joel Stanley <joel@jms.id.au>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Tested-by: Joel Stanley <joel@jms.id.au>
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Message-id: 20190704055150.4899-1-clg@kaod.org
-[clg: - changed the computation of min_ticks to be done each time the
-        timer value is reloaded. It removes the ordering issue of the
-        timer and scu reset handlers but is slightly slower ]
-      - introduced TIMER_MIN_NS
-      - introduced calculate_min_ticks() ]
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/timer/aspeed_timer.c | 17 ++++++++++++++++-
-file changed, 16 insertions(+), 1 deletion(-)
-diff --git a/hw/timer/aspeed_timer.c b/hw/timer/aspeed_timer.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/aspeed_timer.c
-+++ b/hw/timer/aspeed_timer.c
-@@ -XXX,XX +XXX,XX @@ enum timer_ctrl_op {
-     op_pulse_enable
- };
-+/*
-+ * Minimum value of the reload register to filter out short period
-+ * timers which have a noticeable impact in emulation. 5us should be
-+ * enough, use 20us for "safety".
-+ */
-+#define TIMER_MIN_NS (20 * SCALE_US)
-+
- /**
-  * Avoid mutual references between AspeedTimerCtrlState and AspeedTimer
-  * structs, as it's a waste of memory. The ptimer BH callback needs to know
-@@ -XXX,XX +XXX,XX @@ static inline uint32_t calculate_ticks(struct AspeedTimer *t, uint64_t now_ns)
-     return t->reload - MIN(t->reload, ticks);
- }
-+static uint32_t calculate_min_ticks(AspeedTimer *t, uint32_t value)
-+{
-+    uint32_t rate = calculate_rate(t);
-+    uint32_t min_ticks = muldiv64(TIMER_MIN_NS, rate, NANOSECONDS_PER_SECOND);
-+
-+    return  value < min_ticks ? min_ticks : value;
-+}
-+
- static inline uint64_t calculate_time(struct AspeedTimer *t, uint32_t ticks)
- {
-     uint64_t delta_ns;
-@@ -XXX,XX +XXX,XX @@ static void aspeed_timer_set_value(AspeedTimerCtrlState *s, int timer, int reg,
-     switch (reg) {
-     case TIMER_REG_RELOAD:
-         old_reload = t->reload;
--        t->reload = value;
-+        t->reload = calculate_min_ticks(t, value);
-         /* If the reload value was not previously set, or zero, and
-          * the current value is valid, try to start the timer if it is
---
-.20.1

-[Qemu-devel] [PULL 06/21] memory: Remove unused memory_region_iommu_replay_all()
+Deleted patch
-From: Eric Auger <eric.auger@redhat.com>
-memory_region_iommu_replay_all is not used. Remove it.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
-Reported-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Peter Xu <peterx@redhat.com>
-Message-id: 20190822172350.12008-2-eric.auger@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/exec/memory.h | 10 ----------
- memory.c              |  9 ---------
-files changed, 19 deletions(-)
-diff --git a/include/exec/memory.h b/include/exec/memory.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/exec/memory.h
-+++ b/include/exec/memory.h
-@@ -XXX,XX +XXX,XX @@ void memory_region_register_iommu_notifier(MemoryRegion *mr,
-  */
- void memory_region_iommu_replay(IOMMUMemoryRegion *iommu_mr, IOMMUNotifier *n);
--/**
-- * memory_region_iommu_replay_all: replay existing IOMMU translations
-- * to all the notifiers registered.
-- *
-- * Note: this is not related to record-and-replay functionality.
-- *
-- * @iommu_mr: the memory region to observe
-- */
--void memory_region_iommu_replay_all(IOMMUMemoryRegion *iommu_mr);
--
- /**
-  * memory_region_unregister_iommu_notifier: unregister a notifier for
-  * changes to IOMMU translation entries.
-diff --git a/memory.c b/memory.c
-index XXXXXXX..XXXXXXX 100644
---- a/memory.c
-+++ b/memory.c
-@@ -XXX,XX +XXX,XX @@ void memory_region_iommu_replay(IOMMUMemoryRegion *iommu_mr, IOMMUNotifier *n)
-     }
- }
--void memory_region_iommu_replay_all(IOMMUMemoryRegion *iommu_mr)
--{
--    IOMMUNotifier *notifier;
--
--    IOMMU_NOTIFIER_FOREACH(notifier, iommu_mr) {
--        memory_region_iommu_replay(iommu_mr, notifier);
--    }
--}
--
- void memory_region_unregister_iommu_notifier(MemoryRegion *mr,
-                                              IOMMUNotifier *n)
- {
---
-.20.1

-[Qemu-devel] [PULL 08/21] hw/arm/smmuv3: Remove spurious error messages on IOVA invalidations
+Deleted patch
-From: Eric Auger <eric.auger@redhat.com>
-An IOVA/ASID invalidation is notified to all IOMMU Memory Regions
-through smmuv3_inv_notifiers_iova/smmuv3_notify_iova.
-When the notification occurs it is possible that some of the
-PCIe devices associated to the notified regions do not have a
-valid stream table entry. In that case we output a LOG_GUEST_ERROR
-message, for example:
-invalid sid=<SID> (L1STD span=0)
-"smmuv3_notify_iova error decoding the configuration for iommu mr=<MR>
-This is unfortunate as the user gets the impression that there
-are some translation decoding errors whereas there are not.
-This patch adds a new field in SMMUEventInfo that tells whether
-the detection of an invalid STE must lead to an error report.
-invalid_ste_allowed is set before doing the invalidations and
-kept unset on actual translation.
-The other configuration decoding error messages are kept since if the
-STE is valid then the rest of the config must be correct.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
-Message-id: 20190822172350.12008-6-eric.auger@redhat.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/smmuv3-internal.h |  1 +
- hw/arm/smmuv3.c          | 19 +++++++++++--------
-files changed, 12 insertions(+), 8 deletions(-)
-diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3-internal.h
-+++ b/hw/arm/smmuv3-internal.h
-@@ -XXX,XX +XXX,XX @@ typedef struct SMMUEventInfo {
-     uint32_t sid;
-     bool recorded;
-     bool record_trans_faults;
-+    bool inval_ste_allowed;
-     union {
-         struct {
-             uint32_t ssid;
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
-+++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@ static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
-     uint32_t config;
-     if (!STE_VALID(ste)) {
--        qemu_log_mask(LOG_GUEST_ERROR, "invalid STE\n");
-+        if (!event->inval_ste_allowed) {
-+            qemu_log_mask(LOG_GUEST_ERROR, "invalid STE\n");
-+        }
-         goto bad_ste;
-     }
-@@ -XXX,XX +XXX,XX @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
-         if (!span) {
-             /* l2ptr is not valid */
--            qemu_log_mask(LOG_GUEST_ERROR,
--                          "invalid sid=%d (L1STD span=0)\n", sid);
-+            if (!event->inval_ste_allowed) {
-+                qemu_log_mask(LOG_GUEST_ERROR,
-+                              "invalid sid=%d (L1STD span=0)\n", sid);
-+            }
-             event->type = SMMU_EVT_C_BAD_STREAMID;
-             return -EINVAL;
-         }
-@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
-     SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
-     SMMUv3State *s = sdev->smmu;
-     uint32_t sid = smmu_get_sid(sdev);
--    SMMUEventInfo event = {.type = SMMU_EVT_NONE, .sid = sid};
-+    SMMUEventInfo event = {.type = SMMU_EVT_NONE,
-+                           .sid = sid,
-+                           .inval_ste_allowed = false};
-     SMMUPTWEventInfo ptw_info = {};
-     SMMUTranslationStatus status;
-     SMMUState *bs = ARM_SMMU(s);
-@@ -XXX,XX +XXX,XX @@ static void smmuv3_notify_iova(IOMMUMemoryRegion *mr,
-                                dma_addr_t iova)
- {
-     SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
--    SMMUEventInfo event = {};
-+    SMMUEventInfo event = {.inval_ste_allowed = true};
-     SMMUTransTableInfo *tt;
-     SMMUTransCfg *cfg;
-     IOMMUTLBEntry entry;
-     cfg = smmuv3_get_config(sdev, &event);
-     if (!cfg) {
--        qemu_log_mask(LOG_GUEST_ERROR,
--                      "%s error decoding the configuration for iommu mr=%s\n",
--                      __func__, mr->parent_obj.name);
-         return;
-     }
---
-.20.1

-[Qemu-devel] [PULL 09/21] target/arm: Fix SMMLS argument order
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-The previous simplification got the order of operands to the
-subtraction wrong.  Since the 64-bit product is the subtrahend,
-we must use a 64-bit subtract to properly compute the borrow
-from the low-part of the product.
-Fixes: 5f8cd06ebcf5 ("target/arm: Simplify SMMLA, SMMLAR, SMMLS, SMMLSR")
-Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Tested-by: Laurent Desnogues <laurent.desnogues@gmail.com>
-Message-id: 20190829013258.16102-1-richard.henderson@linaro.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/translate.c | 20 ++++++++++++++++++--
-file changed, 18 insertions(+), 2 deletions(-)
-diff --git a/target/arm/translate.c b/target/arm/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
-+++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
-                         if (rd != 15) {
-                             tmp3 = load_reg(s, rd);
-                             if (insn & (1 << 6)) {
--                                tcg_gen_sub_i32(tmp, tmp, tmp3);
-+                                /*
-+                                 * For SMMLS, we need a 64-bit subtract.
-+                                 * Borrow caused by a non-zero multiplicand
-+                                 * lowpart, and the correct result lowpart
-+                                 * for rounding.
-+                                 */
-+                                TCGv_i32 zero = tcg_const_i32(0);
-+                                tcg_gen_sub2_i32(tmp2, tmp, zero, tmp3,
-+                                                 tmp2, tmp);
-+                                tcg_temp_free_i32(zero);
-                             } else {
-                                 tcg_gen_add_i32(tmp, tmp, tmp3);
-                             }
-@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
-                     if (insn & (1 << 20)) {
-                         tcg_gen_add_i32(tmp, tmp, tmp3);
-                     } else {
--                        tcg_gen_sub_i32(tmp, tmp, tmp3);
-+                        /*
-+                         * For SMMLS, we need a 64-bit subtract.
-+                         * Borrow caused by a non-zero multiplicand lowpart,
-+                         * and the correct result lowpart for rounding.
-+                         */
-+                        TCGv_i32 zero = tcg_const_i32(0);
-+                        tcg_gen_sub2_i32(tmp2, tmp, zero, tmp3, tmp2, tmp);
-+                        tcg_temp_free_i32(zero);
-                     }
-                     tcg_temp_free_i32(tmp3);
-                 }
---
-.20.1

-[Qemu-devel] [PULL 10/21] hw/arm: Use ARM_CPU_TYPE_NAME() macro when appropriate
+Deleted patch
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
-Commit ba1ba5cca introduce the ARM_CPU_TYPE_NAME() macro.
-Unify the code base by use it in all places.
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190823143249.8096-2-philmd@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/allwinner-a10.c | 3 ++-
- hw/arm/cubieboard.c    | 3 ++-
- hw/arm/digic.c         | 3 ++-
- hw/arm/fsl-imx25.c     | 2 +-
- hw/arm/fsl-imx31.c     | 2 +-
- hw/arm/fsl-imx6.c      | 3 ++-
- hw/arm/fsl-imx6ul.c    | 2 +-
- hw/arm/xlnx-zynqmp.c   | 8 ++++----
-files changed, 15 insertions(+), 11 deletions(-)
-diff --git a/hw/arm/allwinner-a10.c b/hw/arm/allwinner-a10.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/allwinner-a10.c
-+++ b/hw/arm/allwinner-a10.c
-@@ -XXX,XX +XXX,XX @@ static void aw_a10_init(Object *obj)
-     AwA10State *s = AW_A10(obj);
-     object_initialize_child(obj, "cpu", &s->cpu, sizeof(s->cpu),
--                            "cortex-a8-" TYPE_ARM_CPU, &error_abort, NULL);
-+                            ARM_CPU_TYPE_NAME("cortex-a8"),
-+                            &error_abort, NULL);
-     sysbus_init_child_obj(obj, "intc", &s->intc, sizeof(s->intc),
-                           TYPE_AW_A10_PIC);
-diff --git a/hw/arm/cubieboard.c b/hw/arm/cubieboard.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/cubieboard.c
-+++ b/hw/arm/cubieboard.c
-@@ -XXX,XX +XXX,XX @@ static void cubieboard_init(MachineState *machine)
- static void cubieboard_machine_init(MachineClass *mc)
- {
--    mc->desc = "cubietech cubieboard";
-+    mc->desc = "cubietech cubieboard (Cortex-A9)";
-+    mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a9");
-     mc->init = cubieboard_init;
-     mc->block_default_type = IF_IDE;
-     mc->units_per_default_bus = 1;
-diff --git a/hw/arm/digic.c b/hw/arm/digic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/digic.c
-+++ b/hw/arm/digic.c
-@@ -XXX,XX +XXX,XX @@ static void digic_init(Object *obj)
-     int i;
-     object_initialize_child(obj, "cpu", &s->cpu, sizeof(s->cpu),
--                            "arm946-" TYPE_ARM_CPU, &error_abort, NULL);
-+                            ARM_CPU_TYPE_NAME("arm946"),
-+                            &error_abort, NULL);
-     for (i = 0; i < DIGIC4_NB_TIMERS; i++) {
- #define DIGIC_TIMER_NAME_MLEN    11
-diff --git a/hw/arm/fsl-imx25.c b/hw/arm/fsl-imx25.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/fsl-imx25.c
-+++ b/hw/arm/fsl-imx25.c
-@@ -XXX,XX +XXX,XX @@ static void fsl_imx25_init(Object *obj)
-     FslIMX25State *s = FSL_IMX25(obj);
-     int i;
--    object_initialize(&s->cpu, sizeof(s->cpu), "arm926-" TYPE_ARM_CPU);
-+    object_initialize(&s->cpu, sizeof(s->cpu), ARM_CPU_TYPE_NAME("arm926"));
-     sysbus_init_child_obj(obj, "avic", &s->avic, sizeof(s->avic),
-                           TYPE_IMX_AVIC);
-diff --git a/hw/arm/fsl-imx31.c b/hw/arm/fsl-imx31.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/fsl-imx31.c
-+++ b/hw/arm/fsl-imx31.c
-@@ -XXX,XX +XXX,XX @@ static void fsl_imx31_init(Object *obj)
-     FslIMX31State *s = FSL_IMX31(obj);
-     int i;
--    object_initialize(&s->cpu, sizeof(s->cpu), "arm1136-" TYPE_ARM_CPU);
-+    object_initialize(&s->cpu, sizeof(s->cpu), ARM_CPU_TYPE_NAME("arm1136"));
-     sysbus_init_child_obj(obj, "avic", &s->avic, sizeof(s->avic),
-                           TYPE_IMX_AVIC);
-diff --git a/hw/arm/fsl-imx6.c b/hw/arm/fsl-imx6.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/fsl-imx6.c
-+++ b/hw/arm/fsl-imx6.c
-@@ -XXX,XX +XXX,XX @@ static void fsl_imx6_init(Object *obj)
-     for (i = 0; i < MIN(ms->smp.cpus, FSL_IMX6_NUM_CPUS); i++) {
-         snprintf(name, NAME_SIZE, "cpu%d", i);
-         object_initialize_child(obj, name, &s->cpu[i], sizeof(s->cpu[i]),
--                                "cortex-a9-" TYPE_ARM_CPU, &error_abort, NULL);
-+                                ARM_CPU_TYPE_NAME("cortex-a9"),
-+                                &error_abort, NULL);
-     }
-     sysbus_init_child_obj(obj, "a9mpcore", &s->a9mpcore, sizeof(s->a9mpcore),
-diff --git a/hw/arm/fsl-imx6ul.c b/hw/arm/fsl-imx6ul.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/fsl-imx6ul.c
-+++ b/hw/arm/fsl-imx6ul.c
-@@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_init(Object *obj)
-     int i;
-     object_initialize_child(obj, "cpu0", &s->cpu, sizeof(s->cpu),
--                            "cortex-a7-" TYPE_ARM_CPU, &error_abort, NULL);
-+                            ARM_CPU_TYPE_NAME("cortex-a7"), &error_abort, NULL);
-     /*
-      * A7MPCORE
-diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/xlnx-zynqmp.c
-+++ b/hw/arm/xlnx-zynqmp.c
-@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_create_rpu(MachineState *ms, XlnxZynqMPState *s,
-         object_initialize_child(OBJECT(&s->rpu_cluster), "rpu-cpu[*]",
-                                 &s->rpu_cpu[i], sizeof(s->rpu_cpu[i]),
--                                "cortex-r5f-" TYPE_ARM_CPU, &error_abort,
--                                NULL);
-+                                ARM_CPU_TYPE_NAME("cortex-r5f"),
-+                                &error_abort, NULL);
-         name = object_get_canonical_path_component(OBJECT(&s->rpu_cpu[i]));
-         if (strcmp(name, boot_cpu)) {
-@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_init(Object *obj)
-     for (i = 0; i < num_apus; i++) {
-         object_initialize_child(OBJECT(&s->apu_cluster), "apu-cpu[*]",
-                                 &s->apu_cpu[i], sizeof(s->apu_cpu[i]),
--                                "cortex-a53-" TYPE_ARM_CPU, &error_abort,
--                                NULL);
-+                                ARM_CPU_TYPE_NAME("cortex-a53"),
-+                                &error_abort, NULL);
-     }
-     sysbus_init_child_obj(obj, "gic", &s->gic, sizeof(s->gic),
---
-.20.1

-[Qemu-devel] [PULL 11/21] hw/arm: Use object_initialize_child for correct reference counting
+Deleted patch
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
-As explained in commit aff39be0ed97:
-  Both functions, object_initialize() and object_property_add_child()
-  increase the reference counter of the new object, so one of the
-  references has to be dropped afterwards to get the reference
-  counting right. Otherwise the child object will not be properly
-  cleaned up when the parent gets destroyed.
-  Thus let's use now object_initialize_child() instead to get the
-  reference counting here right.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190823143249.8096-3-philmd@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/mcimx7d-sabre.c |  9 ++++-----
- hw/arm/mps2-tz.c       | 15 +++++++--------
- hw/arm/musca.c         |  9 +++++----
-files changed, 16 insertions(+), 17 deletions(-)
-diff --git a/hw/arm/mcimx7d-sabre.c b/hw/arm/mcimx7d-sabre.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/mcimx7d-sabre.c
-+++ b/hw/arm/mcimx7d-sabre.c
-@@ -XXX,XX +XXX,XX @@ static void mcimx7d_sabre_init(MachineState *machine)
- {
-     static struct arm_boot_info boot_info;
-     MCIMX7Sabre *s = g_new0(MCIMX7Sabre, 1);
--    Object *soc;
-     int i;
-     if (machine->ram_size > FSL_IMX7_MMDC_SIZE) {
-@@ -XXX,XX +XXX,XX @@ static void mcimx7d_sabre_init(MachineState *machine)
-         .nb_cpus = machine->smp.cpus,
-     };
--    object_initialize(&s->soc, sizeof(s->soc), TYPE_FSL_IMX7);
--    soc = OBJECT(&s->soc);
--    object_property_add_child(OBJECT(machine), "soc", soc, &error_fatal);
--    object_property_set_bool(soc, true, "realized", &error_fatal);
-+    object_initialize_child(OBJECT(machine), "soc",
-+                            &s->soc, sizeof(s->soc),
-+                            TYPE_FSL_IMX7, &error_fatal, NULL);
-+    object_property_set_bool(OBJECT(&s->soc), true, "realized", &error_fatal);
-     memory_region_allocate_system_memory(&s->ram, NULL, "mcimx7d-sabre.ram",
-                                          machine->ram_size);
-diff --git a/hw/arm/mps2-tz.c b/hw/arm/mps2-tz.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/mps2-tz.c
-+++ b/hw/arm/mps2-tz.c
-@@ -XXX,XX +XXX,XX @@ static void mps2tz_common_init(MachineState *machine)
-     /* The sec_resp_cfg output from the IoTKit must be split into multiple
-      * lines, one for each of the PPCs we create here, plus one per MSC.
-      */
--    object_initialize(&mms->sec_resp_splitter, sizeof(mms->sec_resp_splitter),
--                      TYPE_SPLIT_IRQ);
--    object_property_add_child(OBJECT(machine), "sec-resp-splitter",
--                              OBJECT(&mms->sec_resp_splitter), &error_abort);
-+    object_initialize_child(OBJECT(machine), "sec-resp-splitter",
-+                            &mms->sec_resp_splitter,
-+                            sizeof(mms->sec_resp_splitter),
-+                            TYPE_SPLIT_IRQ, &error_abort, NULL);
-     object_property_set_int(OBJECT(&mms->sec_resp_splitter),
-                             ARRAY_SIZE(mms->ppc) + ARRAY_SIZE(mms->msc),
-                             "num-lines", &error_fatal);
-@@ -XXX,XX +XXX,XX @@ static void mps2tz_common_init(MachineState *machine)
-      * Tx, Rx and "combined" IRQs are sent to the NVIC separately.
-      * Create the OR gate for this.
-      */
--    object_initialize(&mms->uart_irq_orgate, sizeof(mms->uart_irq_orgate),
--                      TYPE_OR_IRQ);
--    object_property_add_child(OBJECT(mms), "uart-irq-orgate",
--                              OBJECT(&mms->uart_irq_orgate), &error_abort);
-+    object_initialize_child(OBJECT(mms), "uart-irq-orgate",
-+                            &mms->uart_irq_orgate, sizeof(mms->uart_irq_orgate),
-+                            TYPE_OR_IRQ, &error_abort, NULL);
-     object_property_set_int(OBJECT(&mms->uart_irq_orgate), 10, "num-lines",
-                             &error_fatal);
-     object_property_set_bool(OBJECT(&mms->uart_irq_orgate), true,
-diff --git a/hw/arm/musca.c b/hw/arm/musca.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/musca.c
-+++ b/hw/arm/musca.c
-@@ -XXX,XX +XXX,XX @@ static void musca_init(MachineState *machine)
-      * The sec_resp_cfg output from the SSE-200 must be split into multiple
-      * lines, one for each of the PPCs we create here.
-      */
--    object_initialize(&mms->sec_resp_splitter, sizeof(mms->sec_resp_splitter),
--                      TYPE_SPLIT_IRQ);
--    object_property_add_child(OBJECT(machine), "sec-resp-splitter",
--                              OBJECT(&mms->sec_resp_splitter), &error_fatal);
-+    object_initialize_child(OBJECT(machine), "sec-resp-splitter",
-+                            &mms->sec_resp_splitter,
-+                            sizeof(mms->sec_resp_splitter),
-+                            TYPE_SPLIT_IRQ, &error_fatal, NULL);
-+
-     object_property_set_int(OBJECT(&mms->sec_resp_splitter),
-                             ARRAY_SIZE(mms->ppc), "num-lines", &error_fatal);
-     object_property_set_bool(OBJECT(&mms->sec_resp_splitter), true,
---
-.20.1

-[Qemu-devel] [PULL 12/21] hw/arm: Use sysbus_init_child_obj for correct reference counting
+Deleted patch
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
-Both object_initialize() and qdev_set_parent_bus() increase the
-reference counter of the new object, so one of the references has
-to be dropped afterwards to get the reference counting right.
-In machine model code this refcount leak is not particularly
-problematic because (unlike devices) machines will never be
-created on demand via QMP, and they are never destroyed.
-But in any case let's use the new sysbus_init_child_obj() instead
-to get the reference counting here right.
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190823143249.8096-4-philmd@redhat.com
-[PMM: rewrote commit message]
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/exynos4_boards.c | 4 ++--
-file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/exynos4_boards.c
-+++ b/hw/arm/exynos4_boards.c
-@@ -XXX,XX +XXX,XX @@ exynos4_boards_init_common(MachineState *machine,
-     exynos4_boards_init_ram(s, get_system_memory(),
-                             exynos4_board_ram_size[board_type]);
--    object_initialize(&s->soc, sizeof(s->soc), TYPE_EXYNOS4210_SOC);
--    qdev_set_parent_bus(DEVICE(&s->soc), sysbus_get_default());
-+    sysbus_init_child_obj(OBJECT(machine), "soc",
-+                          &s->soc, sizeof(s->soc), TYPE_EXYNOS4210_SOC);
-     object_property_set_bool(OBJECT(&s->soc), true, "realized",
-                              &error_fatal);
---
-.20.1

-[Qemu-devel] [PULL 13/21] hw/arm/fsl-imx: Add the cpu as child of the SoC object
+Deleted patch
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
-Child properties form the composition tree. All objects need to be
-a child of another object. Objects can only be a child of one object.
-Respect this with the i.MX SoC, to get a cleaner composition tree.
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190823143249.8096-5-philmd@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/fsl-imx25.c | 4 +++-
- hw/arm/fsl-imx31.c | 4 +++-
-files changed, 6 insertions(+), 2 deletions(-)
-diff --git a/hw/arm/fsl-imx25.c b/hw/arm/fsl-imx25.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/fsl-imx25.c
-+++ b/hw/arm/fsl-imx25.c
-@@ -XXX,XX +XXX,XX @@ static void fsl_imx25_init(Object *obj)
-     FslIMX25State *s = FSL_IMX25(obj);
-     int i;
--    object_initialize(&s->cpu, sizeof(s->cpu), ARM_CPU_TYPE_NAME("arm926"));
-+    object_initialize_child(obj, "cpu", &s->cpu, sizeof(s->cpu),
-+                            ARM_CPU_TYPE_NAME("arm926"),
-+                            &error_abort, NULL);
-     sysbus_init_child_obj(obj, "avic", &s->avic, sizeof(s->avic),
-                           TYPE_IMX_AVIC);
-diff --git a/hw/arm/fsl-imx31.c b/hw/arm/fsl-imx31.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/fsl-imx31.c
-+++ b/hw/arm/fsl-imx31.c
-@@ -XXX,XX +XXX,XX @@ static void fsl_imx31_init(Object *obj)
-     FslIMX31State *s = FSL_IMX31(obj);
-     int i;
--    object_initialize(&s->cpu, sizeof(s->cpu), ARM_CPU_TYPE_NAME("arm1136"));
-+    object_initialize_child(obj, "cpu", &s->cpu, sizeof(s->cpu),
-+                            ARM_CPU_TYPE_NAME("arm1136"),
-+                            &error_abort, NULL);
-     sysbus_init_child_obj(obj, "avic", &s->avic, sizeof(s->avic),
-                           TYPE_IMX_AVIC);
---
-.20.1

-[Qemu-devel] [PULL 14/21] hw/dma/xilinx_axi: Use object_initialize_child for correct ref. counting
+Deleted patch
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
-As explained in commit aff39be0ed97:
-  Both functions, object_initialize() and object_property_add_child()
-  increase the reference counter of the new object, so one of the
-  references has to be dropped afterwards to get the reference
-  counting right. Otherwise the child object will not be properly
-  cleaned up when the parent gets destroyed.
-  Thus let's use now object_initialize_child() instead to get the
-  reference counting here right.
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190823143249.8096-6-philmd@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/dma/xilinx_axidma.c | 16 ++++++++--------
-file changed, 8 insertions(+), 8 deletions(-)
-diff --git a/hw/dma/xilinx_axidma.c b/hw/dma/xilinx_axidma.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/dma/xilinx_axidma.c
-+++ b/hw/dma/xilinx_axidma.c
-@@ -XXX,XX +XXX,XX @@ static void xilinx_axidma_init(Object *obj)
-     XilinxAXIDMA *s = XILINX_AXI_DMA(obj);
-     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
--    object_initialize(&s->rx_data_dev, sizeof(s->rx_data_dev),
--                      TYPE_XILINX_AXI_DMA_DATA_STREAM);
--    object_initialize(&s->rx_control_dev, sizeof(s->rx_control_dev),
--                      TYPE_XILINX_AXI_DMA_CONTROL_STREAM);
--    object_property_add_child(OBJECT(s), "axistream-connected-target",
--                              (Object *)&s->rx_data_dev, &error_abort);
--    object_property_add_child(OBJECT(s), "axistream-control-connected-target",
--                              (Object *)&s->rx_control_dev, &error_abort);
-+    object_initialize_child(OBJECT(s), "axistream-connected-target",
-+                            &s->rx_data_dev, sizeof(s->rx_data_dev),
-+                            TYPE_XILINX_AXI_DMA_DATA_STREAM, &error_abort,
-+                            NULL);
-+    object_initialize_child(OBJECT(s), "axistream-control-connected-target",
-+                            &s->rx_control_dev, sizeof(s->rx_control_dev),
-+                            TYPE_XILINX_AXI_DMA_CONTROL_STREAM, &error_abort,
-+                            NULL);
-     sysbus_init_irq(sbd, &s->streams[0].irq);
-     sysbus_init_irq(sbd, &s->streams[1].irq);
---
-.20.1

-[Qemu-devel] [PULL 15/21] hw/net/xilinx_axi: Use object_initialize_child for correct ref. counting
+Deleted patch
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
-As explained in commit aff39be0ed97:
-  Both functions, object_initialize() and object_property_add_child()
-  increase the reference counter of the new object, so one of the
-  references has to be dropped afterwards to get the reference
-  counting right. Otherwise the child object will not be properly
-  cleaned up when the parent gets destroyed.
-  Thus let's use now object_initialize_child() instead to get the
-  reference counting here right.
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190823143249.8096-7-philmd@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/net/xilinx_axienet.c | 17 ++++++++---------
-file changed, 8 insertions(+), 9 deletions(-)
-diff --git a/hw/net/xilinx_axienet.c b/hw/net/xilinx_axienet.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/net/xilinx_axienet.c
-+++ b/hw/net/xilinx_axienet.c
-@@ -XXX,XX +XXX,XX @@ static void xilinx_enet_init(Object *obj)
-     XilinxAXIEnet *s = XILINX_AXI_ENET(obj);
-     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
--    object_initialize(&s->rx_data_dev, sizeof(s->rx_data_dev),
--                      TYPE_XILINX_AXI_ENET_DATA_STREAM);
--    object_initialize(&s->rx_control_dev, sizeof(s->rx_control_dev),
--                      TYPE_XILINX_AXI_ENET_CONTROL_STREAM);
--    object_property_add_child(OBJECT(s), "axistream-connected-target",
--                              (Object *)&s->rx_data_dev, &error_abort);
--    object_property_add_child(OBJECT(s), "axistream-control-connected-target",
--                              (Object *)&s->rx_control_dev, &error_abort);
--
-+    object_initialize_child(OBJECT(s), "axistream-connected-target",
-+                            &s->rx_data_dev, sizeof(s->rx_data_dev),
-+                            TYPE_XILINX_AXI_ENET_DATA_STREAM, &error_abort,
-+                            NULL);
-+    object_initialize_child(OBJECT(s), "axistream-control-connected-target",
-+                            &s->rx_control_dev, sizeof(s->rx_control_dev),
-+                            TYPE_XILINX_AXI_ENET_CONTROL_STREAM, &error_abort,
-+                            NULL);
-     sysbus_init_irq(sbd, &s->irq);
-     memory_region_init_io(&s->iomem, OBJECT(s), &enet_ops, s, "enet", 0x40000);
---
-.20.1

-[Qemu-devel] [PULL 16/21] includes: remove stale [smp|max]_cpus externs
+Deleted patch
-From: Alex Bennée <alex.bennee@linaro.org>
-Commit a5e0b3311 removed these in favour of querying machine
-properties. Remove the extern declarations as well.
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20190828165307.18321-6-alex.bennee@linaro.org
-Cc: Like Xu <like.xu@linux.intel.com>
-Message-Id: <20190711130546.18578-1-alex.bennee@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/sysemu/sysemu.h | 2 --
-file changed, 2 deletions(-)
-diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/sysemu/sysemu.h
-+++ b/include/sysemu/sysemu.h
-@@ -XXX,XX +XXX,XX @@ extern const char *keyboard_layout;
- extern int win2k_install_hack;
- extern int alt_grab;
- extern int ctrl_grab;
--extern int smp_cpus;
--extern unsigned int max_cpus;
- extern int cursor_hide;
- extern int graphic_rotate;
- extern int no_quit;
---
-.20.1

-[Qemu-devel] [PULL 17/21] tcg/README: fix typo s/afterwise/afterwards/
+Deleted patch
-From: "Emilio G. Cota" <cota@braap.org>
-Afterwise is "wise after the fact", as in "hindsight".
-Here we meant "afterwards" (as in "subsequently"). Fix it.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Emilio G. Cota <cota@braap.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190828165307.18321-7-alex.bennee@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- tcg/README | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/tcg/README b/tcg/README
-index XXXXXXX..XXXXXXX 100644
---- a/tcg/README
-+++ b/tcg/README
-@@ -XXX,XX +XXX,XX @@ This can be overridden using the following function modifiers:
-   canonical locations before calling the helper.
- - TCG_CALL_NO_WRITE_GLOBALS means that the helper does not modify any globals.
-   They will only be saved to their canonical location before calling helpers,
--  but they won't be reloaded afterwise.
-+  but they won't be reloaded afterwards.
- - TCG_CALL_NO_SIDE_EFFECTS means that the call to the function is removed if
-   the return value is not used.
---
-.20.1

-[Qemu-devel] [PULL 18/21] atomic_template: fix indentation in GEN_ATOMIC_HELPER
+Deleted patch
-From: "Emilio G. Cota" <cota@braap.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Emilio G. Cota <cota@braap.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190828165307.18321-8-alex.bennee@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- accel/tcg/atomic_template.h | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/accel/tcg/atomic_template.h b/accel/tcg/atomic_template.h
-index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/atomic_template.h
-+++ b/accel/tcg/atomic_template.h
-@@ -XXX,XX +XXX,XX @@ ABI_TYPE ATOMIC_NAME(xchg)(CPUArchState *env, target_ulong addr,
- #define GEN_ATOMIC_HELPER(X)                                        \
- ABI_TYPE ATOMIC_NAME(X)(CPUArchState *env, target_ulong addr,       \
--                 ABI_TYPE val EXTRA_ARGS)                           \
-+                        ABI_TYPE val EXTRA_ARGS)                    \
- {                                                                   \
-     ATOMIC_MMU_DECLS;                                               \
-     DATA_TYPE *haddr = ATOMIC_MMU_LOOKUP;                           \
---
-.20.1

-[Qemu-devel] [PULL 19/21] include/exec/cpu-defs.h: fix typo
+Deleted patch
-From: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190828165307.18321-10-alex.bennee@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/exec/cpu-defs.h | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/include/exec/cpu-defs.h b/include/exec/cpu-defs.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/exec/cpu-defs.h
-+++ b/include/exec/cpu-defs.h
-@@ -XXX,XX +XXX,XX @@ typedef struct CPUTLB { } CPUTLB;
- #endif  /* !CONFIG_USER_ONLY && CONFIG_TCG */
- /*
-- * This structure must be placed in ArchCPU immedately
-+ * This structure must be placed in ArchCPU immediately
-  * before CPUArchState, as a field named "neg".
-  */
- typedef struct CPUNegativeOffsetState {
---
-.20.1

target-arm queue: this time around is all small fixes
and changes.

thanks
-- PMM

The following changes since commit fec105c2abda8567ec15230429c41429b5ee307c:

Merge remote-tracking branch 'remotes/kraxel/tags/audio-20190828-pull-request' into staging (2019-09-03 14:03:15 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190903

for you to fetch changes up to 5e5584c89f36b302c666bc6db535fd3f7ff35ad2:

target/arm: Don't abort on M-profile exception return in linux-user mode (2019-09-03 16:20:35 +0100)

----------------------------------------------------------------
target-arm queue:
 * Revert and correctly fix refactoring of unallocated_encoding()
 * Take exceptions on ATS instructions when needed
 * aspeed/timer: Provide back-pressure information for short periods
 * memory: Remove unused memory_region_iommu_replay_all()
 * hw/arm/smmuv3: Log a guest error when decoding an invalid STE
 * hw/arm/smmuv3: Remove spurious error messages on IOVA invalidations
 * target/arm: Fix SMMLS argument order
 * hw/arm: Use ARM_CPU_TYPE_NAME() macro when appropriate
 * hw/arm: Correct reference counting for creation of various objects
 * includes: remove stale [smp|max]_cpus externs
 * tcg/README: fix typo
 * atomic_template: fix indentation in GEN_ATOMIC_HELPER
 * include/exec/cpu-defs.h: fix typo
 * target/arm: Free TCG temps in trans_VMOV_64_sp()
 * target/arm: Don't abort on M-profile exception return in linux-user mode

----------------------------------------------------------------
Alex Bennée (2):
      includes: remove stale [smp|max]_cpus externs
      include/exec/cpu-defs.h: fix typo

Andrew Jeffery (1):
      aspeed/timer: Provide back-pressure information for short periods

Emilio G. Cota (2):
      tcg/README: fix typo s/afterwise/afterwards/
      atomic_template: fix indentation in GEN_ATOMIC_HELPER

Eric Auger (3):
      memory: Remove unused memory_region_iommu_replay_all()
      hw/arm/smmuv3: Log a guest error when decoding an invalid STE
      hw/arm/smmuv3: Remove spurious error messages on IOVA invalidations

Peter Maydell (4):
      target/arm: Allow ARMCPRegInfo read/write functions to throw exceptions
      target/arm: Take exceptions on ATS instructions when needed
      target/arm: Free TCG temps in trans_VMOV_64_sp()
      target/arm: Don't abort on M-profile exception return in linux-user mode

Philippe Mathieu-Daudé (6):
      hw/arm: Use ARM_CPU_TYPE_NAME() macro when appropriate
      hw/arm: Use object_initialize_child for correct reference counting
      hw/arm: Use sysbus_init_child_obj for correct reference counting
      hw/arm/fsl-imx: Add the cpu as child of the SoC object
      hw/dma/xilinx_axi: Use object_initialize_child for correct ref. counting
      hw/net/xilinx_axi: Use object_initialize_child for correct ref. counting

Richard Henderson (3):
      Revert "target/arm: Use unallocated_encoding for aarch32"
      target/arm: Factor out unallocated_encoding for aarch32
      target/arm: Fix SMMLS argument order

From: Richard Henderson <richard.henderson@linaro.org>

This reverts commit 3cb36637157088892e9e33ddb1034bffd1251d3b.

Despite the fact that the text for the call to gen_exception_insn
is identical for aarch64 and aarch32, the implementation inside
gen_exception_insn is totally different.

This fixes exceptions raised from aarch64.

Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Message-id: 20190826151536.6771-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.h     |  2 ++
 target/arm/translate.h         |  2 --
 target/arm/translate-a64.c     |  7 +++++++
 target/arm/translate-vfp.inc.c |  3 ++-
 target/arm/translate.c         | 22 ++++++++++------------
 5 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@
 #ifndef TARGET_ARM_TRANSLATE_A64_H
 #define TARGET_ARM_TRANSLATE_A64_H
 
+void unallocated_encoding(DisasContext *s);
+
 #define unsupported_encoding(s, insn)                                    \
     do {                                                                 \
         qemu_log_mask(LOG_UNIMP,                                         \
diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasCompare {
     bool value_global;
 } DisasCompare;
 
-void unallocated_encoding(DisasContext *s);
-
 /* Share the TCG temporaries common between 32 and 64 bit modes.  */
 extern TCGv_i32 cpu_NF, cpu_ZF, cpu_CF, cpu_VF;
 extern TCGv_i64 cpu_exclusive_addr;
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_goto_tb(DisasContext *s, int n, uint64_t dest)
     }
 }
 
+void unallocated_encoding(DisasContext *s)
+{
+    /* Unallocated and reserved encodings are uncategorized */
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
+                       default_exception_el(s));
+}
+
 static void init_tmp_a64_array(DisasContext *s)
 {
 #ifdef CONFIG_DEBUG_TCG
diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.inc.c
+++ b/target/arm/translate-vfp.inc.c
@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
 
     if (!s->vfp_enabled && !ignore_vfp_enabled) {
         assert(!arm_dc_feature(s, ARM_FEATURE_M));
-        unallocated_encoding(s);
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
+                           default_exception_el(s));
         return false;
     }
 
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syn)
     s->base.is_jmp = DISAS_NORETURN;
 }
 
-void unallocated_encoding(DisasContext *s)
-{
-    /* Unallocated and reserved encodings are uncategorized */
-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                       default_exception_el(s));
-}
-
 /* Force a TB lookup after an instruction that changes the CPU state.  */
 static inline void gen_lookup_tb(DisasContext *s)
 {
@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
         return;
     }
 
-    unallocated_encoding(s);
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
+                       default_exception_el(s));
 }
 
 static inline void gen_add_data_offset(DisasContext *s, unsigned int insn,
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
     }
 
     if (undef) {
-        unallocated_encoding(s);
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
+                           default_exception_el(s));
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             break;
         default:
         illegal_op:
-            unallocated_encoding(s);
+            gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
+                               default_exception_el(s));
             break;
         }
     }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
     }
     return;
 illegal_op:
-    unallocated_encoding(s);
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
+                       default_exception_el(s));
 }
 
 static void disas_thumb_insn(DisasContext *s, uint32_t insn)
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
     return;
 illegal_op:
 undef:
-    unallocated_encoding(s);
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
+                       default_exception_el(s));
 }
 
 static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Make this a static function private to translate.c.
Thus we can use the same idiom between aarch64 and aarch32
without actually sharing function implementations.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Message-id: 20190826151536.6771-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-vfp.inc.c |  3 +--
 target/arm/translate.c         | 22 ++++++++++++----------
 2 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.inc.c
+++ b/target/arm/translate-vfp.inc.c
@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
 
     if (!s->vfp_enabled && !ignore_vfp_enabled) {
         assert(!arm_dc_feature(s, ARM_FEATURE_M));
-        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                           default_exception_el(s));
+        unallocated_encoding(s);
         return false;
     }
 
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syn)
     s->base.is_jmp = DISAS_NORETURN;
 }
 
+static void unallocated_encoding(DisasContext *s)
+{
+    /* Unallocated and reserved encodings are uncategorized */
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
+                       default_exception_el(s));
+}
+
 /* Force a TB lookup after an instruction that changes the CPU state.  */
 static inline void gen_lookup_tb(DisasContext *s)
 {
@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
         return;
     }
 
-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                       default_exception_el(s));
+    unallocated_encoding(s);
 }
 
 static inline void gen_add_data_offset(DisasContext *s, unsigned int insn,
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
     }
 
     if (undef) {
-        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                           default_exception_el(s));
+        unallocated_encoding(s);
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             break;
         default:
         illegal_op:
-            gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                               default_exception_el(s));
+            unallocated_encoding(s);
             break;
         }
     }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
     }
     return;
 illegal_op:
-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                       default_exception_el(s));
+    unallocated_encoding(s);
 }
 
 static void disas_thumb_insn(DisasContext *s, uint32_t insn)
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
     return;
 illegal_op:
 undef:
-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                       default_exception_el(s));
+    unallocated_encoding(s);
 }
 
 static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
-- 
2.20.1

Currently the only part of an ARMCPRegInfo which is allowed to cause
a CPU exception is the access function, which returns a value indicating
that some flavour of UNDEF should be generated.

For the ATS system instructions, we would like to conditionally
generate exceptions as part of the writefn, because some faults
during the page table walk (like external aborts) should cause
an exception to be raised rather than returning a value.

There are several ways we could do this:
 * plumb the GETPC() value from the top level set_cp_reg/get_cp_reg
   helper functions through into the readfn and writefn hooks
 * add extra readfn_with_ra/writefn_with_ra hooks that take the GETPC()
   value
 * require the ATS instructions to provide a dummy accessfn,
   which serves no purpose except to cause the code generation
   to emit TCG ops to sync the CPU state
 * add an ARM_CP_ flag to mark the ARMCPRegInfo as possibly
   throwing an exception in its read/write hooks, and make the
   codegen sync the CPU state before calling the hooks if the
   flag is set

This patch opts for the last of these, as it is fairly simple
to implement and doesn't require invasive changes like updating
the readfn/writefn hook function prototype signature.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 20190816125802.25877-2-peter.maydell@linaro.org
---
 target/arm/cpu.h           | 6 +++++-
 target/arm/translate-a64.c | 6 ++++++
 target/arm/translate.c     | 7 +++++++
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
  * IO indicates that this register does I/O and therefore its accesses
  * need to be surrounded by gen_io_start()/gen_io_end(). In particular,
  * registers which implement clocks or timers require this.
+ * RAISES_EXC is for when the read or write hook might raise an exception;
+ * the generated code will synchronize the CPU state before calling the hook
+ * so that it is safe for the hook to call raise_exception().
  */
 #define ARM_CP_SPECIAL           0x0001
 #define ARM_CP_CONST             0x0002
@@ -XXX,XX +XXX,XX @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
 #define ARM_CP_FPU               0x1000
 #define ARM_CP_SVE               0x2000
 #define ARM_CP_NO_GDB            0x4000
+#define ARM_CP_RAISES_EXC        0x8000
 /* Used only as a terminator for ARMCPRegInfo lists */
 #define ARM_CP_SENTINEL          0xffff
 /* Mask of only the flag bits in a type field */
-#define ARM_CP_FLAG_MASK         0x70ff
+#define ARM_CP_FLAG_MASK         0xf0ff
 
 /* Valid values for ARMCPRegInfo state field, indicating which of
  * the AArch32 and AArch64 execution states this register is visible in.
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
         tcg_temp_free_ptr(tmpptr);
         tcg_temp_free_i32(tcg_syn);
         tcg_temp_free_i32(tcg_isread);
+    } else if (ri->type & ARM_CP_RAISES_EXC) {
+        /*
+         * The readfn or writefn might raise an exception;
+         * synchronize the CPU state in case it does.
+         */
+        gen_a64_set_pc_im(s->pc_curr);
     }
 
     /* Handle special cases first */
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static int disas_coproc_insn(DisasContext *s, uint32_t insn)
             tcg_temp_free_ptr(tmpptr);
             tcg_temp_free_i32(tcg_syn);
             tcg_temp_free_i32(tcg_isread);
+        } else if (ri->type & ARM_CP_RAISES_EXC) {
+            /*
+             * The readfn or writefn might raise an exception;
+             * synchronize the CPU state in case it does.
+             */
+            gen_set_condexec(s);
+            gen_set_pc_im(s, s->pc_curr);
         }
 
         /* Handle special cases first */
-- 
2.20.1

The translation table walk for an ATS instruction can result in
various faults.  In general these are just reported back via the
PAR_EL1 fault status fields, but in some cases the architecture
requires that the fault is turned into an exception:
 * synchronous stage 2 faults of any kind during AT S1E0* and
   AT S1E1* instructions executed from NS EL1 fault to EL2 or EL3
 * synchronous external aborts are taken as Data Abort exceptions

(This is documented in the v8A Arm ARM DDI0487A.e D5.2.11 and
G5.13.4.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 20190816125802.25877-3-peter.maydell@linaro.org
---
 target/arm/helper.c | 107 +++++++++++++++++++++++++++++++++++++-------
 1 file changed, 92 insertions(+), 15 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
     ret = get_phys_addr(env, value, access_type, mmu_idx, &phys_addr, &attrs,
                         &prot, &page_size, &fi, &cacheattrs);
 
+    if (ret) {
+        /*
+         * Some kinds of translation fault must cause exceptions rather
+         * than being reported in the PAR.
+         */
+        int current_el = arm_current_el(env);
+        int target_el;
+        uint32_t syn, fsr, fsc;
+        bool take_exc = false;
+
+        if (fi.s1ptw && current_el == 1 && !arm_is_secure(env)
+            && (mmu_idx == ARMMMUIdx_S1NSE1 || mmu_idx == ARMMMUIdx_S1NSE0)) {
+            /*
+             * Synchronous stage 2 fault on an access made as part of the
+             * translation table walk for AT S1E0* or AT S1E1* insn
+             * executed from NS EL1. If this is a synchronous external abort
+             * and SCR_EL3.EA == 1, then we take a synchronous external abort
+             * to EL3. Otherwise the fault is taken as an exception to EL2,
+             * and HPFAR_EL2 holds the faulting IPA.
+             */
+            if (fi.type == ARMFault_SyncExternalOnWalk &&
+                (env->cp15.scr_el3 & SCR_EA)) {
+                target_el = 3;
+            } else {
+                env->cp15.hpfar_el2 = extract64(fi.s2addr, 12, 47) << 4;
+                target_el = 2;
+            }
+            take_exc = true;
+        } else if (fi.type == ARMFault_SyncExternalOnWalk) {
+            /*
+             * Synchronous external aborts during a translation table walk
+             * are taken as Data Abort exceptions.
+             */
+            if (fi.stage2) {
+                if (current_el == 3) {
+                    target_el = 3;
+                } else {
+                    target_el = 2;
+                }
+            } else {
+                target_el = exception_target_el(env);
+            }
+            take_exc = true;
+        }
+
+        if (take_exc) {
+            /* Construct FSR and FSC using same logic as arm_deliver_fault() */
+            if (target_el == 2 || arm_el_is_aa64(env, target_el) ||
+                arm_s1_regime_using_lpae_format(env, mmu_idx)) {
+                fsr = arm_fi_to_lfsc(&fi);
+                fsc = extract32(fsr, 0, 6);
+            } else {
+                fsr = arm_fi_to_sfsc(&fi);
+                fsc = 0x3f;
+            }
+            /*
+             * Report exception with ESR indicating a fault due to a
+             * translation table walk for a cache maintenance instruction.
+             */
+            syn = syn_data_abort_no_iss(current_el == target_el,
+                                        fi.ea, 1, fi.s1ptw, 1, fsc);
+            env->exception.vaddress = value;
+            env->exception.fsr = fsr;
+            raise_exception(env, EXCP_DATA_ABORT, syn, target_el);
+        }
+    }
+
     if (is_a64(env)) {
         format64 = true;
     } else if (arm_feature(env, ARM_FEATURE_LPAE)) {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vapa_cp_reginfo[] = {
     /* This underdecoding is safe because the reginfo is NO_RAW. */
     { .name = "ATS", .cp = 15, .crn = 7, .crm = 8, .opc1 = 0, .opc2 = CP_ANY,
       .access = PL1_W, .accessfn = ats_access,
-      .writefn = ats_write, .type = ARM_CP_NO_RAW },
+      .writefn = ats_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC },
 #endif
     REGINFO_SENTINEL
 };
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
     /* 64 bit address translation operations */
     { .name = "AT_S1E1R", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 0,
-      .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     { .name = "AT_S1E1W", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 1,
-      .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     { .name = "AT_S1E0R", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 2,
-      .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     { .name = "AT_S1E0W", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 3,
-      .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     { .name = "AT_S12E1R", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 4,
-      .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     { .name = "AT_S12E1W", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 5,
-      .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     { .name = "AT_S12E0R", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 6,
-      .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     { .name = "AT_S12E0W", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 7,
-      .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     /* AT S1E2* are elsewhere as they UNDEF from EL3 if EL2 is not present */
     { .name = "AT_S1E3R", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 0,
-      .access = PL3_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL3_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     { .name = "AT_S1E3W", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 1,
-      .access = PL3_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL3_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     { .name = "PAR_EL1", .state = ARM_CP_STATE_AA64,
       .type = ARM_CP_ALIAS,
       .opc0 = 3, .opc1 = 0, .crn = 7, .crm = 4, .opc2 = 0,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
     { .name = "AT_S1E2R", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0,
       .access = PL2_W, .accessfn = at_s1e2_access,
-      .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, .writefn = ats_write64 },
     { .name = "AT_S1E2W", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
       .access = PL2_W, .accessfn = at_s1e2_access,
-      .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, .writefn = ats_write64 },
     /* The AArch32 ATS1H* operations are CONSTRAINED UNPREDICTABLE
      * if EL2 is not implemented; we choose to UNDEF. Behaviour at EL3
      * with SCR.NS == 0 outside Monitor mode is UNPREDICTABLE; we choose
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
      */
     { .name = "ATS1HR", .cp = 15, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0,
       .access = PL2_W,
-      .writefn = ats1h_write, .type = ARM_CP_NO_RAW },
+      .writefn = ats1h_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC },
     { .name = "ATS1HW", .cp = 15, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
       .access = PL2_W,
-      .writefn = ats1h_write, .type = ARM_CP_NO_RAW },
+      .writefn = ats1h_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC },
     { .name = "CNTHCTL_EL2", .state = ARM_CP_STATE_BOTH,
       .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 1, .opc2 = 0,
       /* ARMv7 requires bit 0 and 1 to reset to 1. ARMv8 defines the
-- 
2.20.1

From: Andrew Jeffery <andrew@aj.id.au>

First up: This is not the way the hardware behaves.

However, it helps resolve real-world problems with short periods being
used under Linux. Commit 4451d3f59f2a ("clocksource/drivers/fttmr010:
Fix set_next_event handler") in Linux fixed the timer driver to
correctly schedule the next event for the Aspeed controller, and in
combination with 5daa8212c08e ("ARM: dts: aspeed: Describe random number
device") Linux will now set a timer with a period as low as 1us.

Configuring a qemu timer with such a short period results in spending
time handling the interrupt in the model rather than executing guest
code, leading to noticeable "sticky" behaviour in the guest.

The behaviour of Linux is correct with respect to the hardware, so we
need to improve our handling under emulation. The approach chosen is to
provide back-pressure information by calculating an acceptable minimum
number of ticks to be set on the model. Under Linux an additional read
is added in the timer configuration path to detect back-pressure, which
will never occur on hardware. However if back-pressure is observed, the
driver alerts the clock event subsystem, which then performs its own
next event dilation via a config option - d1748302f70b ("clockevents:
Make minimum delay adjustments configurable")

A minimum period of 5us was experimentally determined on a Lenovo
T480s, which I've increased to 20us for "safety".

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20190704055150.4899-1-clg@kaod.org
[clg: - changed the computation of min_ticks to be done each time the
        timer value is reloaded. It removes the ordering issue of the
        timer and scu reset handlers but is slightly slower ]
      - introduced TIMER_MIN_NS
      - introduced calculate_min_ticks() ]
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/timer/aspeed_timer.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/hw/timer/aspeed_timer.c b/hw/timer/aspeed_timer.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/aspeed_timer.c
+++ b/hw/timer/aspeed_timer.c
@@ -XXX,XX +XXX,XX @@ enum timer_ctrl_op {
     op_pulse_enable
 };
 
+/*
+ * Minimum value of the reload register to filter out short period
+ * timers which have a noticeable impact in emulation. 5us should be
+ * enough, use 20us for "safety".
+ */
+#define TIMER_MIN_NS (20 * SCALE_US)
+
 /**
  * Avoid mutual references between AspeedTimerCtrlState and AspeedTimer
  * structs, as it's a waste of memory. The ptimer BH callback needs to know
@@ -XXX,XX +XXX,XX @@ static inline uint32_t calculate_ticks(struct AspeedTimer *t, uint64_t now_ns)
     return t->reload - MIN(t->reload, ticks);
 }
 
+static uint32_t calculate_min_ticks(AspeedTimer *t, uint32_t value)
+{
+    uint32_t rate = calculate_rate(t);
+    uint32_t min_ticks = muldiv64(TIMER_MIN_NS, rate, NANOSECONDS_PER_SECOND);
+
+    return  value < min_ticks ? min_ticks : value;
+}
+
 static inline uint64_t calculate_time(struct AspeedTimer *t, uint32_t ticks)
 {
     uint64_t delta_ns;
@@ -XXX,XX +XXX,XX @@ static void aspeed_timer_set_value(AspeedTimerCtrlState *s, int timer, int reg,
     switch (reg) {
     case TIMER_REG_RELOAD:
         old_reload = t->reload;
-        t->reload = value;
+        t->reload = calculate_min_ticks(t, value);
 
         /* If the reload value was not previously set, or zero, and
          * the current value is valid, try to start the timer if it is
-- 
2.20.1

From: Eric Auger <eric.auger@redhat.com>

memory_region_iommu_replay_all is not used. Remove it.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Message-id: 20190822172350.12008-2-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/exec/memory.h | 10 ----------
 memory.c              |  9 ---------
 2 files changed, 19 deletions(-)

diff --git a/include/exec/memory.h b/include/exec/memory.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -XXX,XX +XXX,XX @@ void memory_region_register_iommu_notifier(MemoryRegion *mr,
  */
 void memory_region_iommu_replay(IOMMUMemoryRegion *iommu_mr, IOMMUNotifier *n);
 
-/**
- * memory_region_iommu_replay_all: replay existing IOMMU translations
- * to all the notifiers registered.
- *
- * Note: this is not related to record-and-replay functionality.
- *
- * @iommu_mr: the memory region to observe
- */
-void memory_region_iommu_replay_all(IOMMUMemoryRegion *iommu_mr);
-
 /**
  * memory_region_unregister_iommu_notifier: unregister a notifier for
  * changes to IOMMU translation entries.
diff --git a/memory.c b/memory.c
index XXXXXXX..XXXXXXX 100644
--- a/memory.c
+++ b/memory.c
@@ -XXX,XX +XXX,XX @@ void memory_region_iommu_replay(IOMMUMemoryRegion *iommu_mr, IOMMUNotifier *n)
     }
 }
 
-void memory_region_iommu_replay_all(IOMMUMemoryRegion *iommu_mr)
-{
-    IOMMUNotifier *notifier;
-
-    IOMMU_NOTIFIER_FOREACH(notifier, iommu_mr) {
-        memory_region_iommu_replay(iommu_mr, notifier);
-    }
-}
-
 void memory_region_unregister_iommu_notifier(MemoryRegion *mr,
                                              IOMMUNotifier *n)
 {
-- 
2.20.1

From: Eric Auger <eric.auger@redhat.com>

An IOVA/ASID invalidation is notified to all IOMMU Memory Regions
through smmuv3_inv_notifiers_iova/smmuv3_notify_iova.

When the notification occurs it is possible that some of the
PCIe devices associated to the notified regions do not have a
valid stream table entry. In that case we output a LOG_GUEST_ERROR
message, for example:

invalid sid=<SID> (L1STD span=0)
"smmuv3_notify_iova error decoding the configuration for iommu mr=<MR>

This is unfortunate as the user gets the impression that there
are some translation decoding errors whereas there are not.

This patch adds a new field in SMMUEventInfo that tells whether
the detection of an invalid STE must lead to an error report.
invalid_ste_allowed is set before doing the invalidations and
kept unset on actual translation.

The other configuration decoding error messages are kept since if the
STE is valid then the rest of the config must be correct.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20190822172350.12008-6-eric.auger@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3-internal.h |  1 +
 hw/arm/smmuv3.c          | 19 +++++++++++--------
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3-internal.h
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@ typedef struct SMMUEventInfo {
     uint32_t sid;
     bool recorded;
     bool record_trans_faults;
+    bool inval_ste_allowed;
     union {
         struct {
             uint32_t ssid;
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
     uint32_t config;
 
     if (!STE_VALID(ste)) {
-        qemu_log_mask(LOG_GUEST_ERROR, "invalid STE\n");
+        if (!event->inval_ste_allowed) {
+            qemu_log_mask(LOG_GUEST_ERROR, "invalid STE\n");
+        }
         goto bad_ste;
     }
 
@@ -XXX,XX +XXX,XX @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
 
         if (!span) {
             /* l2ptr is not valid */
-            qemu_log_mask(LOG_GUEST_ERROR,
-                          "invalid sid=%d (L1STD span=0)\n", sid);
+            if (!event->inval_ste_allowed) {
+                qemu_log_mask(LOG_GUEST_ERROR,
+                              "invalid sid=%d (L1STD span=0)\n", sid);
+            }
             event->type = SMMU_EVT_C_BAD_STREAMID;
             return -EINVAL;
         }
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
     SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
     SMMUv3State *s = sdev->smmu;
     uint32_t sid = smmu_get_sid(sdev);
-    SMMUEventInfo event = {.type = SMMU_EVT_NONE, .sid = sid};
+    SMMUEventInfo event = {.type = SMMU_EVT_NONE,
+                           .sid = sid,
+                           .inval_ste_allowed = false};
     SMMUPTWEventInfo ptw_info = {};
     SMMUTranslationStatus status;
     SMMUState *bs = ARM_SMMU(s);
@@ -XXX,XX +XXX,XX @@ static void smmuv3_notify_iova(IOMMUMemoryRegion *mr,
                                dma_addr_t iova)
 {
     SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
-    SMMUEventInfo event = {};
+    SMMUEventInfo event = {.inval_ste_allowed = true};
     SMMUTransTableInfo *tt;
     SMMUTransCfg *cfg;
     IOMMUTLBEntry entry;
 
     cfg = smmuv3_get_config(sdev, &event);
     if (!cfg) {
-        qemu_log_mask(LOG_GUEST_ERROR,
-                      "%s error decoding the configuration for iommu mr=%s\n",
-                      __func__, mr->parent_obj.name);
         return;
     }
 
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The previous simplification got the order of operands to the
subtraction wrong.  Since the 64-bit product is the subtrahend,
we must use a 64-bit subtract to properly compute the borrow
from the low-part of the product.

Fixes: 5f8cd06ebcf5 ("target/arm: Simplify SMMLA, SMMLAR, SMMLS, SMMLSR")
Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Message-id: 20190829013258.16102-1-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                         if (rd != 15) {
                             tmp3 = load_reg(s, rd);
                             if (insn & (1 << 6)) {
-                                tcg_gen_sub_i32(tmp, tmp, tmp3);
+                                /*
+                                 * For SMMLS, we need a 64-bit subtract.
+                                 * Borrow caused by a non-zero multiplicand
+                                 * lowpart, and the correct result lowpart
+                                 * for rounding.
+                                 */
+                                TCGv_i32 zero = tcg_const_i32(0);
+                                tcg_gen_sub2_i32(tmp2, tmp, zero, tmp3,
+                                                 tmp2, tmp);
+                                tcg_temp_free_i32(zero);
                             } else {
                                 tcg_gen_add_i32(tmp, tmp, tmp3);
                             }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                     if (insn & (1 << 20)) {
                         tcg_gen_add_i32(tmp, tmp, tmp3);
                     } else {
-                        tcg_gen_sub_i32(tmp, tmp, tmp3);
+                        /*
+                         * For SMMLS, we need a 64-bit subtract.
+                         * Borrow caused by a non-zero multiplicand lowpart,
+                         * and the correct result lowpart for rounding.
+                         */
+                        TCGv_i32 zero = tcg_const_i32(0);
+                        tcg_gen_sub2_i32(tmp2, tmp, zero, tmp3, tmp2, tmp);
+                        tcg_temp_free_i32(zero);
                     }
                     tcg_temp_free_i32(tmp3);
                 }
-- 
2.20.1