Changes v1->v2 (fixing CI failures in v1, added a couple of

extra patches in an attempt to avoid having to do a last

minute arm pullreq next week):

* new patch to hopefully fix the build issue with the SVE/SME sysregs test

* dropped the IC IVAU test case patch

* new patch: fix over-length shift

* new patches: define neoverse-v1

The following changes since commit 2a6ae69154542caa91dd17c40fd3f5ffbec300de:

Merge tag 'pull-maintainer-ominbus-030723-1' of https://gitlab.com/stsquad/qemu into staging (2023-07-04 08:36:44 +0200)

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230706

for you to fetch changes up to c41077235168140cdd4a34fce9bd95c3d30efe9c:

target/arm: Avoid over-length shift in arm_cpu_sve_finalize() error case (2023-07-06 13:36:51 +0100)

* Add raw_writes ops for register whose write induce TLB maintenance

* hw/arm/sbsa-ref: use XHCI to replace EHCI

* Avoid splitting Zregs across lines in dump

* Dump ZA[] when active

* Fix SME full tile indexing

* Handle IC IVAU to improve compatibility with JITs

* xlnx-canfd-test: Fix code coverity issues

* gdbstub: Guard M-profile code with CONFIG_TCG

* allwinner-sramc: Set class_size

* target/xtensa: Assert that interrupt level is within bounds

* Avoid over-length shift in arm_cpu_sve_finalize() error case

* Define new 'neoverse-v1' CPU type

Akihiko Odaki (1):

hw: arm: allwinner-sramc: Set class_size

Eric Auger (1):

target/arm: Add raw_writes ops for register whose write induce TLB maintenance

Fabiano Rosas (1):

target/arm: gdbstub: Guard M-profile code with CONFIG_TCG

John Högberg (1):

target/arm: Handle IC IVAU to improve compatibility with JITs

Peter Maydell (5):

tests/tcg/aarch64/sysregs.c: Use S syntax for id_aa64zfr0_el1 and id_aa64smfr0_el1

target/xtensa: Assert that interrupt level is within bounds

target/arm: Suppress more TCG unimplemented features in ID registers

target/arm: Define neoverse-v1

target/arm: Avoid over-length shift in arm_cpu_sve_finalize() error case

From: Eric Auger <eric.auger@redhat.com>

Some registers whose 'cooked' writefns induce TLB maintenance do

not have raw_writefn ops defined. If only the writefn ops is set

(ie. no raw_writefn is provided), it is assumed the cooked also

work as the raw one. For those registers it is not obvious the

tlb_flush works on KVM mode so better/safer setting the raw write.

Signed-off-by: Eric Auger <eric.auger@redhat.com>

Suggested-by: Peter Maydell <peter.maydell@linaro.org>

target/arm/helper.c | 23 +++++++++++++----------

1 file changed, 13 insertions(+), 10 deletions(-)

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vmsa_cp_reginfo[] = {

.opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 0,

.access = PL1_RW, .accessfn = access_tvm_trvm,

.fgt = FGT_TTBR0_EL1,

- .writefn = vmsa_ttbr_write, .resetvalue = 0,

+ .writefn = vmsa_ttbr_write, .resetvalue = 0, .raw_writefn = raw_write,

.bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s),

offsetof(CPUARMState, cp15.ttbr0_ns) } },

{ .name = "TTBR1_EL1", .state = ARM_CP_STATE_BOTH,

.opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 1,

.access = PL1_RW, .accessfn = access_tvm_trvm,

.fgt = FGT_TTBR1_EL1,

- .writefn = vmsa_ttbr_write, .resetvalue = 0,

+ .writefn = vmsa_ttbr_write, .resetvalue = 0, .raw_writefn = raw_write,

.bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s),

offsetof(CPUARMState, cp15.ttbr1_ns) } },

{ .name = "TCR_EL1", .state = ARM_CP_STATE_AA64,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo lpae_cp_reginfo[] = {

.type = ARM_CP_64BIT | ARM_CP_ALIAS,

.bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s),

offsetof(CPUARMState, cp15.ttbr0_ns) },

- .writefn = vmsa_ttbr_write, },

+ .writefn = vmsa_ttbr_write, .raw_writefn = raw_write },

{ .name = "TTBR1", .cp = 15, .crm = 2, .opc1 = 1,

.access = PL1_RW, .accessfn = access_tvm_trvm,

.type = ARM_CP_64BIT | ARM_CP_ALIAS,

.bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s),

offsetof(CPUARMState, cp15.ttbr1_ns) },

- .writefn = vmsa_ttbr_write, },

+ .writefn = vmsa_ttbr_write, .raw_writefn = raw_write },

};

static uint64_t aa64_fpcr_read(CPUARMState *env, const ARMCPRegInfo *ri)

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {

.type = ARM_CP_IO,

.opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,

.access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.hcr_el2),

- .writefn = hcr_write },

+ .writefn = hcr_write, .raw_writefn = raw_write },

{ .name = "HCR", .state = ARM_CP_STATE_AA32,

.type = ARM_CP_ALIAS | ARM_CP_IO,

.cp = 15, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {

{ .name = "TCR_EL2", .state = ARM_CP_STATE_BOTH,

.opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 2,

.access = PL2_RW, .writefn = vmsa_tcr_el12_write,

+ .raw_writefn = raw_write,

.fieldoffset = offsetof(CPUARMState, cp15.tcr_el[2]) },

{ .name = "VTCR", .state = ARM_CP_STATE_AA32,

.cp = 15, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 2,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {

.type = ARM_CP_64BIT | ARM_CP_ALIAS,

.access = PL2_RW, .accessfn = access_el3_aa32ns,

.fieldoffset = offsetof(CPUARMState, cp15.vttbr_el2),

- .writefn = vttbr_write },

+ .writefn = vttbr_write, .raw_writefn = raw_write },

{ .name = "VTTBR_EL2", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 0,

- .access = PL2_RW, .writefn = vttbr_write,

+ .access = PL2_RW, .writefn = vttbr_write, .raw_writefn = raw_write,

.fieldoffset = offsetof(CPUARMState, cp15.vttbr_el2) },

{ .name = "SCTLR_EL2", .state = ARM_CP_STATE_BOTH,

.opc0 = 3, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 0,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {

.fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[2]) },

{ .name = "TTBR0_EL2", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 0,

- .access = PL2_RW, .resetvalue = 0, .writefn = vmsa_tcr_ttbr_el2_write,

+ .access = PL2_RW, .resetvalue = 0,

+ .writefn = vmsa_tcr_ttbr_el2_write, .raw_writefn = raw_write,

.fieldoffset = offsetof(CPUARMState, cp15.ttbr0_el[2]) },

{ .name = "HTTBR", .cp = 15, .opc1 = 4, .crm = 2,

.access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_ALIAS,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el3_cp_reginfo[] = {

{ .name = "SCR_EL3", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 0,

.access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.scr_el3),

- .resetfn = scr_reset, .writefn = scr_write },

+ .resetfn = scr_reset, .writefn = scr_write, .raw_writefn = raw_write },

{ .name = "SCR", .type = ARM_CP_ALIAS | ARM_CP_NEWEL,

.cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 0,

.access = PL1_RW, .accessfn = access_trap_aa32s_el1,

.fieldoffset = offsetoflow32(CPUARMState, cp15.scr_el3),

- .writefn = scr_write },

+ .writefn = scr_write, .raw_writefn = raw_write },

{ .name = "SDER32_EL3", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 1,

.access = PL3_RW, .resetvalue = 0,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vhe_reginfo[] = {

{ .name = "TTBR1_EL2", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 1,

.access = PL2_RW, .writefn = vmsa_tcr_ttbr_el2_write,

+ .raw_writefn = raw_write,

.fieldoffset = offsetof(CPUARMState, cp15.ttbr1_el[2]) },

#ifndef CONFIG_USER_ONLY

{ .name = "CNTHV_CVAL_EL2", .state = ARM_CP_STATE_AA64,

2.34.1

From: Yuquan Wang <wangyuquan1236@phytium.com.cn>

The current sbsa-ref cannot use EHCI controller which is only

able to do 32-bit DMA, since sbsa-ref doesn't have RAM below 4GB.

Hence, this uses XHCI to provide a usb controller with 64-bit

DMA capablity instead of EHCI.

We bump the platform version to 0.3 with this change. Although the

hardware at the USB controller address changes, the firmware and

Linux can both cope with this -- on an older non-XHCI-aware

firmware/kernel setup the probe routine simply fails and the guest

proceeds without any USB. (This isn't a loss of functionality,

because the old USB controller never worked in the first place.) So

we can call this a backwards-compatible change and only bump the

minor version.

Signed-off-by: Yuquan Wang <wangyuquan1236@phytium.com.cn>

Message-id: 20230621103847.447508-2-wangyuquan1236@phytium.com.cn

[PMM: tweaked commit message; add line to docs about what

changes in platform version 0.3]

docs/system/arm/sbsa.rst | 5 ++++-

hw/arm/sbsa-ref.c | 23 +++++++++++++----------

hw/arm/Kconfig | 2 +-

3 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/docs/system/arm/sbsa.rst b/docs/system/arm/sbsa.rst

--- a/docs/system/arm/sbsa.rst

+++ b/docs/system/arm/sbsa.rst

@@ -XXX,XX +XXX,XX @@ The ``sbsa-ref`` board supports:

- A configurable number of AArch64 CPUs

- GIC version 3

- System bus AHCI controller

- - System bus EHCI controller

+ - System bus XHCI controller

- CDROM and hard disc on AHCI bus

- E1000E ethernet card on PCIe bus

- Bochs display adapter on PCIe bus

@@ -XXX,XX +XXX,XX @@ Platform version changes:

0.2

GIC ITS information is present in devicetree.

+

+0.3

+ The USB controller is an XHCI device, not EHCI

diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/arm/sbsa-ref.c

+++ b/hw/arm/sbsa-ref.c

@@ -XXX,XX +XXX,XX @@

#include "hw/pci-host/gpex.h"

#include "hw/qdev-properties.h"

#include "hw/usb.h"

+#include "hw/usb/xhci.h"

#include "hw/char/pl011.h"

#include "hw/watchdog/sbsa_gwdt.h"

#include "net/net.h"

@@ -XXX,XX +XXX,XX @@ enum {

SBSA_SECURE_UART_MM,

SBSA_SECURE_MEM,

SBSA_AHCI,

- SBSA_EHCI,

+ SBSA_XHCI,

};

struct SBSAMachineState {

@@ -XXX,XX +XXX,XX @@ static const MemMapEntry sbsa_ref_memmap[] = {

[SBSA_SMMU] = { 0x60050000, 0x00020000 },

/* Space here reserved for more SMMUs */

[SBSA_AHCI] = { 0x60100000, 0x00010000 },

- [SBSA_EHCI] = { 0x60110000, 0x00010000 },

+ [SBSA_XHCI] = { 0x60110000, 0x00010000 },

/* Space here reserved for other devices */

[SBSA_PCIE_PIO] = { 0x7fff0000, 0x00010000 },

/* 32-bit address PCIE MMIO space */

@@ -XXX,XX +XXX,XX @@ static const int sbsa_ref_irqmap[] = {

[SBSA_SECURE_UART] = 8,

[SBSA_SECURE_UART_MM] = 9,

[SBSA_AHCI] = 10,

- [SBSA_EHCI] = 11,

+ [SBSA_XHCI] = 11,

[SBSA_SMMU] = 12, /* ... to 15 */

[SBSA_GWDT_WS0] = 16,

};

@@ -XXX,XX +XXX,XX @@ static void create_fdt(SBSAMachineState *sms)

* fw compatibility.

*/

qemu_fdt_setprop_cell(fdt, "/", "machine-version-major", 0);

- qemu_fdt_setprop_cell(fdt, "/", "machine-version-minor", 2);

+ qemu_fdt_setprop_cell(fdt, "/", "machine-version-minor", 3);

if (ms->numa_state->have_numa_distance) {

int size = nb_numa_nodes * nb_numa_nodes * 3 * sizeof(uint32_t);

@@ -XXX,XX +XXX,XX @@ static void create_ahci(const SBSAMachineState *sms)

}

-static void create_ehci(const SBSAMachineState *sms)

+static void create_xhci(const SBSAMachineState *sms)

- hwaddr base = sbsa_ref_memmap[SBSA_EHCI].base;

- int irq = sbsa_ref_irqmap[SBSA_EHCI];

+ hwaddr base = sbsa_ref_memmap[SBSA_XHCI].base;

+ int irq = sbsa_ref_irqmap[SBSA_XHCI];

+ DeviceState *dev = qdev_new(TYPE_XHCI_SYSBUS);

- sysbus_create_simple("platform-ehci-usb", base,

- qdev_get_gpio_in(sms->gic, irq));

+ sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);

+ sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base);

+ sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, qdev_get_gpio_in(sms->gic, irq));

2.34.1

Some assemblers will complain about attempts to access

id_aa64zfr0_el1 and id_aa64smfr0_el1 by name if the test

binary isn't built for the right processor type:

/tmp/ccASXpLo.s:782: Error: selected processor does not support system register name 'id_aa64zfr0_el1'

/tmp/ccASXpLo.s:829: Error: selected processor does not support system register name 'id_aa64smfr0_el1'

However, these registers are in the ID space and are guaranteed to

read-as-zero on older CPUs, so the access is both safe and sensible.

Switch to using the S syntax, as we already do for ID_AA64ISAR2_EL1

and ID_AA64MMFR2_EL1. This allows us to drop the HAS_ARMV9_SME check

and the makefile machinery to adjust the CFLAGS for this test, so we

don't rely on having a sufficiently new compiler to be able to check

these registers.

This means we're actually testing the SME ID register: no released

GCC yet recognizes -march=armv9-a+sme, so that was always skipped.

It also avoids a future problem if we try to switch the "do we have

SME support in the toolchain" check from "in the compiler" to "in the

assembler" (at which point we would otherwise run into the above

errors).

tests/tcg/aarch64/sysregs.c | 11 +++++++----

tests/tcg/aarch64/Makefile.target | 7 +------

2 files changed, 8 insertions(+), 10 deletions(-)

@@ -XXX,XX +XXX,XX @@ AARCH64_TESTS += mte-1 mte-2 mte-3 mte-4 mte-5 mte-6 mte-7

mte-%: CFLAGS += -march=armv8.5-a+memtag

endif

-ifneq ($(CROSS_CC_HAS_SVE),)

# System Registers Tests

AARCH64_TESTS += sysregs

-ifneq ($(CROSS_CC_HAS_ARMV9_SME),)

-sysregs: CFLAGS+=-march=armv9-a+sme -DHAS_ARMV9_SME

-else

-sysregs: CFLAGS+=-march=armv8.1-a+sve

-endif

+ifneq ($(CROSS_CC_HAS_SVE),)

# SVE ioctl test

AARCH64_TESTS += sve-ioctls

sve-ioctls: CFLAGS+=-march=armv8.1-a+sve

2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Always print each matrix row whole, one per line, so that we

get the entire matrix in the proper shape.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Message-id: 20230622151201.1578522-3-richard.henderson@linaro.org

target/arm/cpu.c | 18 ++++++++++++++++++

1 file changed, 18 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c

--- a/target/arm/cpu.c

+++ b/target/arm/cpu.c

@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)

i, q[1], q[0], (i & 1 ? "\n" : " "));

+

+ if (cpu_isar_feature(aa64_sme, cpu) &&

+ FIELD_EX64(env->svcr, SVCR, ZA) &&

+ sme_exception_el(env, el) == 0) {

+ int zcr_len = sve_vqm1_for_el_sm(env, el, true);

+ int svl = (zcr_len + 1) * 16;

+ int svl_lg10 = svl < 100 ? 2 : 3;

+

+ for (i = 0; i < svl; i++) {

+ qemu_fprintf(f, "ZA[%0*d]=", svl_lg10, i);

+ for (j = zcr_len; j >= 0; --j) {

+ qemu_fprintf(f, "%016" PRIx64 ":%016" PRIx64 "%c",

+ env->zarray[i].d[2 * j + 1],

+ env->zarray[i].d[2 * j],

+ j ? ':' : '\n');

+ }

+ }

2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

For the outer product set of insns, which take an entire matrix

tile as output, the argument is not a combined tile+column.

Therefore using get_tile_rowcol was incorrect, as we extracted

the tile number from itself.

The test case relies only on assembler support for SME, since

no release of GCC recognizes -march=armv9-a+sme yet.

Cc: qemu-stable@nongnu.org

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1620

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Message-id: 20230622151201.1578522-5-richard.henderson@linaro.org

[PMM: dropped now-unneeded changes to sysregs CFLAGS]

target/arm/tcg/translate-sme.c | 24 ++++++---

tests/tcg/aarch64/sme-outprod1.c | 83 +++++++++++++++++++++++++++++++

tests/tcg/aarch64/Makefile.target | 7 ++-

3 files changed, 107 insertions(+), 7 deletions(-)

create mode 100644 tests/tcg/aarch64/sme-outprod1.c

diff --git a/target/arm/tcg/translate-sme.c b/target/arm/tcg/translate-sme.c

--- a/target/arm/tcg/translate-sme.c

+++ b/target/arm/tcg/translate-sme.c

@@ -XXX,XX +XXX,XX @@ static TCGv_ptr get_tile_rowcol(DisasContext *s, int esz, int rs,

return addr;

}

+/*

+ * Resolve tile.size[0] to a host pointer.

+ * Used by e.g. outer product insns where we require the entire tile.

+ */

+static TCGv_ptr get_tile(DisasContext *s, int esz, int tile)

+{

+ TCGv_ptr addr = tcg_temp_new_ptr();

+ int offset;

+

+ offset = tile * sizeof(ARMVectorReg) + offsetof(CPUARMState, zarray);

+

+ tcg_gen_addi_ptr(addr, cpu_env, offset);

+ return addr;

+}

+

static bool trans_ZERO(DisasContext *s, arg_ZERO *a)

{

if (!dc_isar_feature(aa64_sme, s)) {

@@ -XXX,XX +XXX,XX @@ static bool do_adda(DisasContext *s, arg_adda *a, MemOp esz,

return true;

}

- /* Sum XZR+zad to find ZAd. */

- za = get_tile_rowcol(s, esz, 31, a->zad, false);

+ za = get_tile(s, esz, a->zad);

zn = vec_full_reg_ptr(s, a->zn);

pn = pred_full_reg_ptr(s, a->pn);

pm = pred_full_reg_ptr(s, a->pm);

@@ -XXX,XX +XXX,XX @@ static bool do_outprod(DisasContext *s, arg_op *a, MemOp esz,

return true;

}

- /* Sum XZR+zad to find ZAd. */

- za = get_tile_rowcol(s, esz, 31, a->zad, false);

+ za = get_tile(s, esz, a->zad);

zn = vec_full_reg_ptr(s, a->zn);

zm = vec_full_reg_ptr(s, a->zm);

pn = pred_full_reg_ptr(s, a->pn);

@@ -XXX,XX +XXX,XX @@ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,

return true;

}

- /* Sum XZR+zad to find ZAd. */

- za = get_tile_rowcol(s, esz, 31, a->zad, false);

+ za = get_tile(s, esz, a->zad);

zn = vec_full_reg_ptr(s, a->zn);

zm = vec_full_reg_ptr(s, a->zm);

pn = pred_full_reg_ptr(s, a->pn);

diff --git a/tests/tcg/aarch64/sme-outprod1.c b/tests/tcg/aarch64/sme-outprod1.c

new file mode 100644

index XXXXXXX..XXXXXXX

--- /dev/null

+++ b/tests/tcg/aarch64/sme-outprod1.c

@@ -XXX,XX +XXX,XX @@

+/*

+ * SME outer product, 1 x 1.

+ * SPDX-License-Identifier: GPL-2.0-or-later

+ */

+

+#include <stdio.h>

+

+extern void foo(float *dst);

+

+asm(

+"    .arch_extension sme\n"

+"    .type foo, @function\n"

+"foo:\n"

+"    stp x29, x30, [sp, -80]!\n"

+"    mov x29, sp\n"

+"    stp d8, d9, [sp, 16]\n"

+"    stp d10, d11, [sp, 32]\n"

+"    stp d12, d13, [sp, 48]\n"

+"    stp d14, d15, [sp, 64]\n"

+"    smstart\n"

+"    ptrue p0.s, vl4\n"

+"    fmov z0.s, #1.0\n"

+/*

+ * An outer product of a vector of 1.0 by itself should be a matrix of 1.0.

+ * Note that we are using tile 1 here (za1.s) rather than tile 0.

+ */

+"    zero {za}\n"

+"    fmopa za1.s, p0/m, p0/m, z0.s, z0.s\n"

+/*

+ * Read the first 4x4 sub-matrix of elements from tile 1:

+ * Note that za1h should be interchangable here.

+ */

+"    mov w12, #0\n"

+"    mova z0.s, p0/m, za1v.s[w12, #0]\n"

+"    mova z1.s, p0/m, za1v.s[w12, #1]\n"

+"    mova z2.s, p0/m, za1v.s[w12, #2]\n"

+"    mova z3.s, p0/m, za1v.s[w12, #3]\n"

+/*

+ * And store them to the input pointer (dst in the C code):

+ */

+"    st1w {z0.s}, p0, [x0]\n"

+"    add x0, x0, #16\n"

+"    st1w {z1.s}, p0, [x0]\n"

+"    add x0, x0, #16\n"

+"    st1w {z2.s}, p0, [x0]\n"

+"    add x0, x0, #16\n"

+"    st1w {z3.s}, p0, [x0]\n"

+"    smstop\n"

+"    ldp d8, d9, [sp, 16]\n"

+"    ldp d10, d11, [sp, 32]\n"

+"    ldp d12, d13, [sp, 48]\n"

+"    ldp d14, d15, [sp, 64]\n"

+"    ldp x29, x30, [sp], 80\n"

+"    ret\n"

+"    .size foo, . - foo"

+);

+

+int main()

+{

+ float dst[16];

+ int i, j;

+

+ foo(dst);

+

+ for (i = 0; i < 16; i++) {

+ if (dst[i] != 1.0f) {

+ break;

+ }

+ }

+

+ if (i == 16) {

+ return 0; /* success */

+ }

+

+ /* failure */

+ for (i = 0; i < 4; ++i) {

+ for (j = 0; j < 4; ++j) {

+ printf("%f ", (double)dst[i * 4 + j]);

+ }

+ printf("\n");

+ }

+ return 1;

+}

@@ -XXX,XX +XXX,XX @@ config-cc.mak: Makefile

     $(call cc-option,-march=armv8.5-a, CROSS_CC_HAS_ARMV8_5); \

     $(call cc-option,-mbranch-protection=standard, CROSS_CC_HAS_ARMV8_BTI); \

     $(call cc-option,-march=armv8.5-a+memtag, CROSS_CC_HAS_ARMV8_MTE); \

-     $(call cc-option,-march=armv9-a+sme, CROSS_CC_HAS_ARMV9_SME)) 3> config-cc.mak

+     $(call cc-option,-Wa$(COMMA)-march=armv9-a+sme, CROSS_AS_HAS_ARMV9_SME)) 3> config-cc.mak

-include config-cc.mak

ifneq ($(CROSS_CC_HAS_ARMV8_2),)

@@ -XXX,XX +XXX,XX @@ AARCH64_TESTS += mte-1 mte-2 mte-3 mte-4 mte-5 mte-6 mte-7

mte-%: CFLAGS += -march=armv8.5-a+memtag

endif

+# SME Tests

+ifneq ($(CROSS_AS_HAS_ARMV9_SME),)

+AARCH64_TESTS += sme-outprod1

+endif

# System Registers Tests

AARCH64_TESTS += sysregs

2.34.1

From: John Högberg <john.hogberg@ericsson.com>

Unlike architectures with precise self-modifying code semantics

(e.g. x86) ARM processors do not maintain coherency for instruction

execution and memory, requiring an instruction synchronization

barrier on every core that will execute the new code, and on many

models also the explicit use of cache management instructions.

While this is required to make JITs work on actual hardware, QEMU

has gotten away with not handling this since it does not emulate

caches, and unconditionally invalidates code whenever the softmmu

or the user-mode page protection logic detects that code has been

modified.

Unfortunately the latter does not work in the face of dual-mapped

code (a common W^X workaround), where one page is executable and

the other is writable: user-mode has no way to connect one with the

other as that is only known to the kernel and the emulated

application.

This commit works around the issue by telling software that

instruction cache invalidation is required by clearing the

CPR_EL0.DIC flag (regardless of whether the emulated processor

needs it), and then invalidating code in IC IVAU instructions.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1034

Co-authored-by: Richard Henderson <richard.henderson@linaro.org>

Signed-off-by: John Högberg <john.hogberg@ericsson.com>

Message-id: 168778890374.24232.3402138851538068785-1@git.sr.ht

[PMM: removed unnecessary AArch64 feature check; moved

"clear CTR_EL1.DIC" code up a bit so it's not in the middle

of the vfp/neon related tests]

target/arm/cpu.c | 11 +++++++++++

target/arm/helper.c | 47 ++++++++++++++++++++++++++++++++++++++++++---

2 files changed, 55 insertions(+), 3 deletions(-)

@@ -XXX,XX +XXX,XX @@ static void mdcr_el2_write(CPUARMState *env, const ARMCPRegInfo *ri,

}

+#ifdef CONFIG_USER_ONLY

+ * `IC IVAU` is handled to improve compatibility with JITs that dual-map their

+ * code to get around W^X restrictions, where one region is writable and the

+ * other is executable.

+ * Since the executable region is never written to we cannot detect code

+ * changes when running in user mode, and rely on the emulated JIT telling us

+ * that the code has changed by executing this instruction.

+static void ic_ivau_write(CPUARMState *env, const ARMCPRegInfo *ri,

+ uint64_t value)

+ uint64_t icache_line_mask, start_address, end_address;

+ const ARMCPU *cpu;

+

+ cpu = env_archcpu(env);

+

+ icache_line_mask = (4 << extract32(cpu->ctr, 0, 4)) - 1;

+ start_address = value & ~icache_line_mask;

+ end_address = value | icache_line_mask;

+

+ mmap_lock();

+

+ tb_invalidate_phys_range(start_address, end_address);

+

+ mmap_unlock();

+}

+

static const ARMCPRegInfo v8_cp_reginfo[] = {

/*

* Minimal set of EL0-visible registers. This will need to be expanded

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {

{ .name = "CURRENTEL", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 0, .opc2 = 2, .crn = 4, .crm = 2,

.access = PL1_R, .type = ARM_CP_CURRENTEL },

- /* Cache ops: all NOPs since we don't emulate caches */

+ * Instruction cache ops. All of these except `IC IVAU` NOP because we

+ * don't emulate caches.

+ */

{ .name = "IC_IALLUIS", .state = ARM_CP_STATE_AA64,

.opc0 = 1, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 0,

.access = PL1_W, .type = ARM_CP_NOP,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {

.accessfn = access_tocu },

{ .name = "IC_IVAU", .state = ARM_CP_STATE_AA64,

.opc0 = 1, .opc1 = 3, .crn = 7, .crm = 5, .opc2 = 1,

- .access = PL0_W, .type = ARM_CP_NOP,

+ .access = PL0_W,

.fgt = FGT_ICIVAU,

- .accessfn = access_tocu },

+ .accessfn = access_tocu,

+#ifdef CONFIG_USER_ONLY

+ .type = ARM_CP_NO_RAW,

+ .writefn = ic_ivau_write

+#else

+ .type = ARM_CP_NOP

+ },

+ /* Cache ops: all NOPs since we don't emulate caches */

{ .name = "DC_IVAC", .state = ARM_CP_STATE_AA64,

.opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 1,

.access = PL1_W, .accessfn = aa64_cacheop_poc_access,

2.34.1