Series comparison

-[PULL 00/52] target-arm queue
+[PULL 00/26] target-arm queue
-Big pullreq this week, though none of the new features are
+Hi; here's a target-arm pullreq. Mostly this is RTH's FEAT_RME
-particularly earthshaking. Most of the bulk is from code cleanup
+series; there are also a handful of bug fixes including some
-patches from me or rth.
+which aren't arm-specific but which it's convenient to include
 here.
 thanks
 -- PMM
-The following changes since commit b651b80822fa8cb66ca30087ac7fbc75507ae5d2:
+The following changes since commit b455ce4c2f300c8ba47cba7232dd03261368a4cb:
-  Merge remote-tracking branch 'remotes/vivier2/tags/linux-user-for-5.0-pull-request' into staging (2020-02-20 17:35:42 +0000)
+  Merge tag 'q800-for-8.1-pull-request' of https://github.com/vivier/qemu-m68k into staging (2023-06-22 10:18:32 +0200)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200221
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230623
-for you to fetch changes up to 270a679b3f950d7c4c600f324aab8bff292d0971:
+for you to fetch changes up to 497fad38979c16b6412388927401e577eba43d26:
-  target/arm: Add missing checks for fpsp_v2 (2020-02-21 12:54:25 +0000)
+  pc-bios/keymaps: Use the official xkb name for Arabic layout, not the legacy synonym (2023-06-23 11:46:02 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * aspeed/scu: Implement chip ID register
+ * Add (experimental) support for FEAT_RME
- * hw/misc/iotkit-secctl: Fix writing to 'PPC Interrupt Clear' register
+ * host-utils: Avoid using __builtin_subcll on buggy versions of Apple Clang
- * mainstone: Make providing flash images non-mandatory
+ * target/arm: Restructure has_vfp_d32 test
- * z2: Make providing flash images non-mandatory
+ * hw/arm/sbsa-ref: add ITS support in SBSA GIC
- * Fix failures to flush SVE high bits after AdvSIMD INS/ZIP/UZP/TRN/TBL/TBX/EXT
+ * target/arm: Fix sve predicate store, 8 <= VQ <= 15
- * Minor performance improvement: spend less time recalculating hflags values
+ * pc-bios/keymaps: Use the official xkb name for Arabic layout, not the legacy synonym
  * Code cleanup to isar_feature function tests
  * Implement ARMv8.1-PMU and ARMv8.4-PMU extensions
  * Bugfix: correct handling of PMCR_EL0.LC bit
  * Bugfix: correct definition of PMCRDP
  * Correctly implement ACTLR2, HACTLR2
  * allwinner: Wire up USB ports
  * Vectorize emulation of USHL, SSHL, PMUL*
  * xilinx_spips: Correct the number of dummy cycles for the FAST_READ_4 cmd
  * sh4: Fix PCI ISA IO memory subregion
  * Code cleanup to use more isar_feature tests and fewer ARM_FEATURE_* tests
 ----------------------------------------------------------------
-Francisco Iglesias (1):
+Peter Maydell (2):
-      xilinx_spips: Correct the number of dummy cycles for the FAST_READ_4 cmd
+      host-utils: Avoid using __builtin_subcll on buggy versions of Apple Clang
       pc-bios/keymaps: Use the official xkb name for Arabic layout, not the legacy synonym
-Guenter Roeck (6):
+Richard Henderson (23):
-      mainstone: Make providing flash images non-mandatory
+      target/arm: Add isar_feature_aa64_rme
-      z2: Make providing flash images non-mandatory
+      target/arm: Update SCR and HCR for RME
-      hw: usb: hcd-ohci: Move OHCISysBusState and TYPE_SYSBUS_OHCI to include file
+      target/arm: SCR_EL3.NS may be RES1
-      hcd-ehci: Introduce "companion-enable" sysbus property
+      target/arm: Add RME cpregs
-      arm: allwinner: Wire up USB ports
+      target/arm: Introduce ARMSecuritySpace
-      sh4: Fix PCI ISA IO memory subregion
+      include/exec/memattrs: Add two bits of space to MemTxAttrs
       target/arm: Adjust the order of Phys and Stage2 ARMMMUIdx
       target/arm: Introduce ARMMMUIdx_Phys_{Realm,Root}
       target/arm: Remove __attribute__((nonnull)) from ptw.c
       target/arm: Pipe ARMSecuritySpace through ptw.c
       target/arm: NSTable is RES0 for the RME EL3 regime
       target/arm: Handle Block and Page bits for security space
       target/arm: Handle no-execute for Realm and Root regimes
       target/arm: Use get_phys_addr_with_struct in S1_ptw_translate
       target/arm: Move s1_is_el0 into S1Translate
       target/arm: Use get_phys_addr_with_struct for stage2
       target/arm: Add GPC syndrome
       target/arm: Implement GPC exceptions
       target/arm: Implement the granule protection check
       target/arm: Add cpu properties for enabling FEAT_RME
       docs/system/arm: Document FEAT_RME
       target/arm: Restructure has_vfp_d32 test
       target/arm: Fix sve predicate store, 8 <= VQ <= 15
-Joel Stanley (2):
+Shashi Mallela (1):
-      aspeed/scu: Create separate write callbacks
+      hw/arm/sbsa-ref: add ITS support in SBSA GIC
       aspeed/scu: Implement chip ID register
-Peter Maydell (21):
+ docs/system/arm/cpu-features.rst |  23 ++
-      target/arm: Add _aa32_ to isar_feature functions testing 32-bit ID registers
+ docs/system/arm/emulation.rst    |   1 +
-      target/arm: Check aa32_pan in take_aarch32_exception(), not aa64_pan
+ docs/system/arm/sbsa.rst         |  14 +
-      target/arm: Add isar_feature_any_fp16 and document naming/usage conventions
+ include/exec/memattrs.h          |   9 +-
-      target/arm: Define and use any_predinv isar_feature test
+ include/qemu/compiler.h          |  13 +
-      target/arm: Factor out PMU register definitions
+ include/qemu/host-utils.h        |   2 +-
-      target/arm: Add and use FIELD definitions for ID_AA64DFR0_EL1
+ target/arm/cpu.h                 | 151 ++++++++---
-      target/arm: Use FIELD macros for clearing ID_DFR0 PERFMON field
+ target/arm/internals.h           |  27 ++
-      target/arm: Define an aa32_pmu_8_1 isar feature test function
+ target/arm/syndrome.h            |  10 +
-      target/arm: Add _aa64_ and _any_ versions of pmu_8_1 isar checks
+ hw/arm/sbsa-ref.c                |  33 ++-
-      target/arm: Stop assuming DBGDIDR always exists
+ target/arm/cpu.c                 |  32 ++-
-      target/arm: Move DBGDIDR into ARMISARegisters
+ target/arm/helper.c              | 162 ++++++++++-
-      target/arm: Read debug-related ID registers from KVM
+ target/arm/ptw.c                 | 570 +++++++++++++++++++++++++++++++--------
-      target/arm: Implement ARMv8.1-PMU extension
+ target/arm/tcg/cpu64.c           |  53 ++++
-      target/arm: Implement ARMv8.4-PMU extension
+ target/arm/tcg/tlb_helper.c      |  96 ++++++-
-      target/arm: Provide ARMv8.4-PMU in '-cpu max'
+ target/arm/tcg/translate-sve.c   |   2 +-
-      target/arm: Correct definition of PMCRDP
+ pc-bios/keymaps/meson.build      |   2 +-
-      target/arm: Correct handling of PMCR_EL0.LC bit
+files changed, 1034 insertions(+), 166 deletions(-)
       target/arm: Test correct register in aa32_pan and aa32_ats1e1 checks
       target/arm: Use isar_feature function for testing AA32HPD feature
       target/arm: Use FIELD_EX32 for testing 32-bit fields
       target/arm: Correctly implement ACTLR2, HACTLR2
 Philippe Mathieu-Daudé (1):
       hw/misc/iotkit-secctl: Fix writing to 'PPC Interrupt Clear' register
 Richard Henderson (21):
       target/arm: Flush high bits of sve register after AdvSIMD EXT
       target/arm: Flush high bits of sve register after AdvSIMD TBL/TBX
       target/arm: Flush high bits of sve register after AdvSIMD ZIP/UZP/TRN
       target/arm: Flush high bits of sve register after AdvSIMD INS
       target/arm: Use bit 55 explicitly for pauth
       target/arm: Fix select for aa64_va_parameters_both
       target/arm: Remove ttbr1_valid check from get_phys_addr_lpae
       target/arm: Split out aa64_va_parameter_tbi, aa64_va_parameter_tbid
       target/arm: Vectorize USHL and SSHL
       target/arm: Convert PMUL.8 to gvec
       target/arm: Convert PMULL.64 to gvec
       target/arm: Convert PMULL.8 to gvec
       target/arm: Rename isar_feature_aa32_simd_r32
       target/arm: Use isar_feature_aa32_simd_r32 more places
       target/arm: Set MVFR0.FPSP for ARMv5 cpus
       target/arm: Add isar_feature_aa32_simd_r16
       target/arm: Rename isar_feature_aa32_fpdp_v2
       target/arm: Add isar_feature_aa32_{fpsp_v2, fpsp_v3, fpdp_v3}
       target/arm: Perform fpdp_v2 check first
       target/arm: Replace ARM_FEATURE_VFP3 checks with fp{sp, dp}_v3
       target/arm: Add missing checks for fpsp_v2
  hw/usb/hcd-ohci.h              |  16 ++
  include/hw/arm/allwinner-a10.h |   6 +
  target/arm/cpu.h               | 173 ++++++++++++---
  target/arm/helper-sve.h        |   2 +
  target/arm/helper.h            |  21 +-
  target/arm/internals.h         |  47 +++-
  target/arm/translate.h         |   6 +
  hw/arm/allwinner-a10.c         |  43 ++++
  hw/arm/mainstone.c             |  11 +-
  hw/arm/z2.c                    |   6 -
  hw/intc/armv7m_nvic.c          |  30 +--
  hw/misc/aspeed_scu.c           |  93 ++++++--
  hw/misc/iotkit-secctl.c        |   2 +-
  hw/sh4/sh_pci.c                |  11 +-
  hw/ssi/xilinx_spips.c          |   2 +-
  hw/usb/hcd-ehci-sysbus.c       |   2 +
  hw/usb/hcd-ohci.c              |  15 --
  linux-user/arm/signal.c        |   4 +-
  linux-user/elfload.c           |   4 +-
  target/arm/arch_dump.c         |  11 +-
  target/arm/cpu.c               | 175 +++++++--------
  target/arm/cpu64.c             |  58 +++--
  target/arm/debug_helper.c      |   6 +-
  target/arm/helper.c            | 472 +++++++++++++++++++++++------------------
  target/arm/kvm32.c             |  25 +++
  target/arm/kvm64.c             |  46 ++++
  target/arm/m_helper.c          |  11 +-
  target/arm/machine.c           |   3 +-
  target/arm/neon_helper.c       | 117 ----------
  target/arm/pauth_helper.c      |   3 +-
  target/arm/translate-a64.c     |  92 ++++----
  target/arm/translate-vfp.inc.c | 263 ++++++++++++++---------
  target/arm/translate.c         | 356 ++++++++++++++++++++++++++-----
  target/arm/vec_helper.c        | 211 ++++++++++++++++++
  target/arm/vfp_helper.c        |   2 +-
 files changed, 1564 insertions(+), 781 deletions(-)

-[PULL 01/52] aspeed/scu: Create separate write callbacks
+Deleted patch
-From: Joel Stanley <joel@jms.id.au>
-This splits the common write callback into separate ast2400 and ast2500
-implementations. This makes it clearer when implementing differing
-behaviour.
-Signed-off-by: Joel Stanley <joel@jms.id.au>
-Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
-Reviewed-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20200121013302.43839-2-joel@jms.id.au
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/misc/aspeed_scu.c | 80 +++++++++++++++++++++++++++++++-------------
-file changed, 57 insertions(+), 23 deletions(-)
-diff --git a/hw/misc/aspeed_scu.c b/hw/misc/aspeed_scu.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/misc/aspeed_scu.c
-+++ b/hw/misc/aspeed_scu.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t aspeed_scu_read(void *opaque, hwaddr offset, unsigned size)
-     return s->regs[reg];
- }
--static void aspeed_scu_write(void *opaque, hwaddr offset, uint64_t data,
--                             unsigned size)
-+static void aspeed_ast2400_scu_write(void *opaque, hwaddr offset,
-+                                     uint64_t data, unsigned size)
-+{
-+    AspeedSCUState *s = ASPEED_SCU(opaque);
-+    int reg = TO_REG(offset);
-+
-+    if (reg >= ASPEED_SCU_NR_REGS) {
-+        qemu_log_mask(LOG_GUEST_ERROR,
-+                      "%s: Out-of-bounds write at offset 0x%" HWADDR_PRIx "\n",
-+                      __func__, offset);
-+        return;
-+    }
-+
-+    if (reg > PROT_KEY && reg < CPU2_BASE_SEG1 &&
-+            !s->regs[PROT_KEY]) {
-+        qemu_log_mask(LOG_GUEST_ERROR, "%s: SCU is locked!\n", __func__);
-+    }
-+
-+    trace_aspeed_scu_write(offset, size, data);
-+
-+    switch (reg) {
-+    case PROT_KEY:
-+        s->regs[reg] = (data == ASPEED_SCU_PROT_KEY) ? 1 : 0;
-+        return;
-+    case SILICON_REV:
-+    case FREQ_CNTR_EVAL:
-+    case VGA_SCRATCH1 ... VGA_SCRATCH8:
-+    case RNG_DATA:
-+    case FREE_CNTR4:
-+    case FREE_CNTR4_EXT:
-+        qemu_log_mask(LOG_GUEST_ERROR,
-+                      "%s: Write to read-only offset 0x%" HWADDR_PRIx "\n",
-+                      __func__, offset);
-+        return;
-+    }
-+
-+    s->regs[reg] = data;
-+}
-+
-+static void aspeed_ast2500_scu_write(void *opaque, hwaddr offset,
-+                                     uint64_t data, unsigned size)
- {
-     AspeedSCUState *s = ASPEED_SCU(opaque);
-     int reg = TO_REG(offset);
-@@ -XXX,XX +XXX,XX @@ static void aspeed_scu_write(void *opaque, hwaddr offset, uint64_t data,
-     case PROT_KEY:
-         s->regs[reg] = (data == ASPEED_SCU_PROT_KEY) ? 1 : 0;
-         return;
--    case CLK_SEL:
--        s->regs[reg] = data;
--        break;
-     case HW_STRAP1:
--        if (ASPEED_IS_AST2500(s->regs[SILICON_REV])) {
--            s->regs[HW_STRAP1] |= data;
--            return;
--        }
--        /* Jump to assignment below */
--        break;
-+        s->regs[HW_STRAP1] |= data;
-+        return;
-     case SILICON_REV:
--        if (ASPEED_IS_AST2500(s->regs[SILICON_REV])) {
--            s->regs[HW_STRAP1] &= ~data;
--        } else {
--            qemu_log_mask(LOG_GUEST_ERROR,
--                          "%s: Write to read-only offset 0x%" HWADDR_PRIx "\n",
--                          __func__, offset);
--        }
--        /* Avoid assignment below, we've handled everything */
-+        s->regs[HW_STRAP1] &= ~data;
-         return;
-     case FREQ_CNTR_EVAL:
-     case VGA_SCRATCH1 ... VGA_SCRATCH8:
-@@ -XXX,XX +XXX,XX @@ static void aspeed_scu_write(void *opaque, hwaddr offset, uint64_t data,
-     s->regs[reg] = data;
- }
--static const MemoryRegionOps aspeed_scu_ops = {
-+static const MemoryRegionOps aspeed_ast2400_scu_ops = {
-     .read = aspeed_scu_read,
--    .write = aspeed_scu_write,
-+    .write = aspeed_ast2400_scu_write,
-+    .endianness = DEVICE_LITTLE_ENDIAN,
-+    .valid.min_access_size = 4,
-+    .valid.max_access_size = 4,
-+    .valid.unaligned = false,
-+};
-+
-+static const MemoryRegionOps aspeed_ast2500_scu_ops = {
-+    .read = aspeed_scu_read,
-+    .write = aspeed_ast2500_scu_write,
-     .endianness = DEVICE_LITTLE_ENDIAN,
-     .valid.min_access_size = 4,
-     .valid.max_access_size = 4,
-@@ -XXX,XX +XXX,XX @@ static void aspeed_2400_scu_class_init(ObjectClass *klass, void *data)
-     asc->calc_hpll = aspeed_2400_scu_calc_hpll;
-     asc->apb_divider = 2;
-     asc->nr_regs = ASPEED_SCU_NR_REGS;
--    asc->ops = &aspeed_scu_ops;
-+    asc->ops = &aspeed_ast2400_scu_ops;
- }
- static const TypeInfo aspeed_2400_scu_info = {
-@@ -XXX,XX +XXX,XX @@ static void aspeed_2500_scu_class_init(ObjectClass *klass, void *data)
-     asc->calc_hpll = aspeed_2500_scu_calc_hpll;
-     asc->apb_divider = 4;
-     asc->nr_regs = ASPEED_SCU_NR_REGS;
--    asc->ops = &aspeed_scu_ops;
-+    asc->ops = &aspeed_ast2500_scu_ops;
- }
- static const TypeInfo aspeed_2500_scu_info = {
---
-.20.1

-[PULL 02/52] aspeed/scu: Implement chip ID register
+Deleted patch
-From: Joel Stanley <joel@jms.id.au>
-This returns a fixed but non-zero value for the chip id.
-Signed-off-by: Joel Stanley <joel@jms.id.au>
-Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
-Reviewed-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20200121013302.43839-3-joel@jms.id.au
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/misc/aspeed_scu.c | 13 +++++++++++++
-file changed, 13 insertions(+)
-diff --git a/hw/misc/aspeed_scu.c b/hw/misc/aspeed_scu.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/misc/aspeed_scu.c
-+++ b/hw/misc/aspeed_scu.c
-@@ -XXX,XX +XXX,XX @@
- #define CPU2_BASE_SEG4       TO_REG(0x110)
- #define CPU2_BASE_SEG5       TO_REG(0x114)
- #define CPU2_CACHE_CTRL      TO_REG(0x118)
-+#define CHIP_ID0             TO_REG(0x150)
-+#define CHIP_ID1             TO_REG(0x154)
- #define UART_HPLL_CLK        TO_REG(0x160)
- #define PCIE_CTRL            TO_REG(0x180)
- #define BMC_MMIO_CTRL        TO_REG(0x184)
-@@ -XXX,XX +XXX,XX @@
- #define AST2600_HW_STRAP2_PROT    TO_REG(0x518)
- #define AST2600_RNG_CTRL          TO_REG(0x524)
- #define AST2600_RNG_DATA          TO_REG(0x540)
-+#define AST2600_CHIP_ID0          TO_REG(0x5B0)
-+#define AST2600_CHIP_ID1          TO_REG(0x5B4)
- #define AST2600_CLK TO_REG(0x40)
-@@ -XXX,XX +XXX,XX @@ static const uint32_t ast2500_a1_resets[ASPEED_SCU_NR_REGS] = {
-      [CPU2_BASE_SEG1]  = 0x80000000U,
-      [CPU2_BASE_SEG4]  = 0x1E600000U,
-      [CPU2_BASE_SEG5]  = 0xC0000000U,
-+     [CHIP_ID0]        = 0x1234ABCDU,
-+     [CHIP_ID1]        = 0x88884444U,
-      [UART_HPLL_CLK]   = 0x00001903U,
-      [PCIE_CTRL]       = 0x0000007BU,
-      [BMC_DEV_ID]      = 0x00002402U
-@@ -XXX,XX +XXX,XX @@ static void aspeed_ast2500_scu_write(void *opaque, hwaddr offset,
-     case RNG_DATA:
-     case FREE_CNTR4:
-     case FREE_CNTR4_EXT:
-+    case CHIP_ID0:
-+    case CHIP_ID1:
-         qemu_log_mask(LOG_GUEST_ERROR,
-                       "%s: Write to read-only offset 0x%" HWADDR_PRIx "\n",
-                       __func__, offset);
-@@ -XXX,XX +XXX,XX @@ static void aspeed_ast2600_scu_write(void *opaque, hwaddr offset,
-     case AST2600_RNG_DATA:
-     case AST2600_SILICON_REV:
-     case AST2600_SILICON_REV2:
-+    case AST2600_CHIP_ID0:
-+    case AST2600_CHIP_ID1:
-         /* Add read only registers here */
-         qemu_log_mask(LOG_GUEST_ERROR,
-                       "%s: Write to read-only offset 0x%" HWADDR_PRIx "\n",
-@@ -XXX,XX +XXX,XX @@ static const uint32_t ast2600_a0_resets[ASPEED_AST2600_SCU_NR_REGS] = {
-     [AST2600_CLK_STOP_CTRL2]    = 0xFFF0FFF0,
-     [AST2600_SDRAM_HANDSHAKE]   = 0x00000040,  /* SoC completed DRAM init */
-     [AST2600_HPLL_PARAM]        = 0x1000405F,
-+    [AST2600_CHIP_ID0]          = 0x1234ABCD,
-+    [AST2600_CHIP_ID1]          = 0x88884444,
-+
- };
- static void aspeed_ast2600_scu_reset(DeviceState *dev)
---
-.20.1

-[PULL 03/52] hw/misc/iotkit-secctl: Fix writing to 'PPC Interrupt Clear' register
+Deleted patch
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Fix warning reported by Clang static code analyzer:
-    CC      hw/misc/iotkit-secctl.o
-  hw/misc/iotkit-secctl.c:343:9: warning: Value stored to 'value' is never read
-          value &= 0x00f000f3;
-          ^        ~~~~~~~~~~
-Fixes: b3717c23e1c
-Reported-by: Clang Static Analyzer
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 20200217132922.24607-1-f4bug@amsat.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/misc/iotkit-secctl.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/misc/iotkit-secctl.c b/hw/misc/iotkit-secctl.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/misc/iotkit-secctl.c
-+++ b/hw/misc/iotkit-secctl.c
-@@ -XXX,XX +XXX,XX @@ static MemTxResult iotkit_secctl_s_write(void *opaque, hwaddr addr,
-         qemu_set_irq(s->sec_resp_cfg, s->secrespcfg);
-         break;
-     case A_SECPPCINTCLR:
--        value &= 0x00f000f3;
-+        s->secppcintstat &= ~(value & 0x00f000f3);
-         foreach_ppc(s, iotkit_secctl_ppc_update_irq_clear);
-         break;
-     case A_SECPPCINTEN:
---
-.20.1

-[PULL 04/52] mainstone: Make providing flash images non-mandatory
+Deleted patch
-From: Guenter Roeck <linux@roeck-us.net>
-Up to now, the mainstone machine only boots if two flash images are
-provided. This is not really necessary; the machine can boot from initrd
-or from SD without it. At the same time, having to provide dummy flash
-images is a nuisance and does not add any real value. Make it optional.
-Signed-off-by: Guenter Roeck <linux@roeck-us.net>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20200217210824.18513-1-linux@roeck-us.net
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/mainstone.c | 11 +----------
-file changed, 1 insertion(+), 10 deletions(-)
-diff --git a/hw/arm/mainstone.c b/hw/arm/mainstone.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/mainstone.c
-+++ b/hw/arm/mainstone.c
-@@ -XXX,XX +XXX,XX @@ static void mainstone_common_init(MemoryRegion *address_space_mem,
-     /* There are two 32MiB flash devices on the board */
-     for (i = 0; i < 2; i ++) {
-         dinfo = drive_get(IF_PFLASH, 0, i);
--        if (!dinfo) {
--            if (qtest_enabled()) {
--                break;
--            }
--            error_report("Two flash images must be given with the "
--                         "'pflash' parameter");
--            exit(1);
--        }
--
-         if (!pflash_cfi01_register(mainstone_flash_base[i],
-                                    i ? "mainstone.flash1" : "mainstone.flash0",
-                                    MAINSTONE_FLASH,
--                                   blk_by_legacy_dinfo(dinfo),
-+                                   dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
-                                    sector_len, 4, 0, 0, 0, 0, be)) {
-             error_report("Error registering flash memory");
-             exit(1);
---
-.20.1

-[PULL 05/52] z2: Make providing flash images non-mandatory
+Deleted patch
-From: Guenter Roeck <linux@roeck-us.net>
-Up to now, the z2 machine only boots if a flash image is provided.
-This is not really necessary; the machine can boot from initrd or from
-SD without it. At the same time, having to provide dummy flash images
-is a nuisance and does not add any real value. Make it optional.
-Signed-off-by: Guenter Roeck <linux@roeck-us.net>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20200217210903.18602-1-linux@roeck-us.net
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/z2.c | 6 ------
-file changed, 6 deletions(-)
-diff --git a/hw/arm/z2.c b/hw/arm/z2.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/z2.c
-+++ b/hw/arm/z2.c
-@@ -XXX,XX +XXX,XX @@ static void z2_init(MachineState *machine)
-     be = 0;
- #endif
-     dinfo = drive_get(IF_PFLASH, 0, 0);
--    if (!dinfo && !qtest_enabled()) {
--        error_report("Flash image must be given with the "
--                     "'pflash' parameter");
--        exit(1);
--    }
--
-     if (!pflash_cfi01_register(Z2_FLASH_BASE, "z2.flash0", Z2_FLASH_SIZE,
-                                dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
-                                sector_len, 4, 0, 0, 0, 0, be)) {
---
-.20.1

-[PULL 06/52] target/arm: Flush high bits of sve register after AdvSIMD EXT
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Writes to AdvSIMD registers flush the bits above 128.
-Buglink: https://bugs.launchpad.net/bugs/1863247
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200214194643.23317-2-richard.henderson@linaro.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/translate-a64.c | 1 +
-file changed, 1 insertion(+)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
-+++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_ext(DisasContext *s, uint32_t insn)
-     tcg_temp_free_i64(tcg_resl);
-     write_vec_element(s, tcg_resh, rd, 1, MO_64);
-     tcg_temp_free_i64(tcg_resh);
-+    clear_vec_high(s, true, rd);
- }
- /* TBL/TBX
---
-.20.1

-[PULL 07/52] target/arm: Flush high bits of sve register after AdvSIMD TBL/TBX
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Writes to AdvSIMD registers flush the bits above 128.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200214194643.23317-3-richard.henderson@linaro.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/translate-a64.c | 1 +
-file changed, 1 insertion(+)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
-+++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_tb(DisasContext *s, uint32_t insn)
-     tcg_temp_free_i64(tcg_resl);
-     write_vec_element(s, tcg_resh, rd, 1, MO_64);
-     tcg_temp_free_i64(tcg_resh);
-+    clear_vec_high(s, true, rd);
- }
- /* ZIP/UZP/TRN
---
-.20.1

-[PULL 22/52] target/arm: Add _aa64_ and _any_ versions of pmu_8_1 isar checks
+[PULL 01/26] target/arm: Add isar_feature_aa64_rme
-Add the 64-bit version of the "is this a v8.1 PMUv3?"
+From: Richard Henderson <richard.henderson@linaro.org>
 ID register check function, and the _any_ version that
 checks for either AArch32 or AArch64 support. We'll use
 this in a later commit.
-We don't (yet) do any isar_feature checks on ID_AA64DFR1_EL1,
+Add the missing field for ID_AA64PFR0, and the predicate.
-but we move id_aa64dfr1 into the ARMISARegisters struct with
+Disable it if EL3 is forced off by the board or command-line.
 id_aa64dfr0, for consistency.
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20230620124418.805717-2-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20200214175116.9164-10-peter.maydell@linaro.org
 ---
- target/arm/cpu.h    | 15 +++++++++++++--
+ target/arm/cpu.h | 6 ++++++
- target/arm/cpu.c    |  3 ++-
+ target/arm/cpu.c | 4 ++++
- target/arm/cpu64.c  |  6 +++---
+files changed, 10 insertions(+)
  target/arm/helper.c | 12 +++++++-----
 files changed, 25 insertions(+), 11 deletions(-)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
+@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64PFR0, SEL2, 36, 4)
-         uint64_t id_aa64mmfr0;
+ FIELD(ID_AA64PFR0, MPAM, 40, 4)
-         uint64_t id_aa64mmfr1;
+ FIELD(ID_AA64PFR0, AMU, 44, 4)
-         uint64_t id_aa64mmfr2;
+ FIELD(ID_AA64PFR0, DIT, 48, 4)
-+        uint64_t id_aa64dfr0;
++FIELD(ID_AA64PFR0, RME, 52, 4)
-+        uint64_t id_aa64dfr1;
+ FIELD(ID_AA64PFR0, CSV2, 56, 4)
-     } isar;
+ FIELD(ID_AA64PFR0, CSV3, 60, 4)
-     uint32_t midr;
-     uint32_t revidr;
+@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_sel2(const ARMISARegisters *id)
-@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
+     return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, SEL2) != 0;
      uint32_t id_mmfr2;
      uint32_t id_mmfr3;
      uint32_t id_mmfr4;
 -    uint64_t id_aa64dfr0;
 -    uint64_t id_aa64dfr1;
      uint64_t id_aa64afr0;
      uint64_t id_aa64afr1;
      uint32_t dbgdidr;
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_bti(const ARMISARegisters *id)
      return FIELD_EX64(id->id_aa64pfr1, ID_AA64PFR1, BT) != 0;
  }
-+static inline bool isar_feature_aa64_pmu_8_1(const ARMISARegisters *id)
++static inline bool isar_feature_aa64_rme(const ARMISARegisters *id)
 +{
-+    return FIELD_EX64(id->id_aa64dfr0, ID_AA64DFR0, PMUVER) >= 4 &&
++    return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, RME) != 0;
 +        FIELD_EX64(id->id_aa64dfr0, ID_AA64DFR0, PMUVER) != 0xf;
 +}
 +
- /*
+ static inline bool isar_feature_aa64_vh(const ARMISARegisters *id)
-  * Feature tests for "does this exist in either 32-bit or 64-bit?"
+ {
-  */
+     return FIELD_EX64(id->id_aa64mmfr1, ID_AA64MMFR1, VH) != 0;
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_any_predinv(const ARMISARegisters *id)
      return isar_feature_aa64_predinv(id) || isar_feature_aa32_predinv(id);
  }
 +static inline bool isar_feature_any_pmu_8_1(const ARMISARegisters *id)
 +{
 +    return isar_feature_aa64_pmu_8_1(id) || isar_feature_aa32_pmu_8_1(id);
 +}
 +
  /*
   * Forward to the above feature tests given an ARMCPU pointer.
   */
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
 @@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
-                 cpu);
+         cpu->isar.id_dfr0 = FIELD_DP32(cpu->isar.id_dfr0, ID_DFR0, COPSDBG, 0);
- #endif
+         cpu->isar.id_aa64pfr0 = FIELD_DP64(cpu->isar.id_aa64pfr0,
-     } else {
+                                            ID_AA64PFR0, EL3, 0);
--        cpu->id_aa64dfr0 = FIELD_DP64(cpu->id_aa64dfr0, ID_AA64DFR0, PMUVER, 0);
++
-+        cpu->isar.id_aa64dfr0 =
++        /* Disable the realm management extension, which requires EL3. */
-+            FIELD_DP64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, PMUVER, 0);
++        cpu->isar.id_aa64pfr0 = FIELD_DP64(cpu->isar.id_aa64pfr0,
-         cpu->isar.id_dfr0 = FIELD_DP32(cpu->isar.id_dfr0, ID_DFR0, PERFMON, 0);
++                                           ID_AA64PFR0, RME, 0);
          cpu->pmceid0 = 0;
          cpu->pmceid1 = 0;
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu64.c
 +++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_a57_initfn(Object *obj)
      cpu->isar.id_isar5 = 0x00011121;
      cpu->isar.id_isar6 = 0;
      cpu->isar.id_aa64pfr0 = 0x00002222;
 -    cpu->id_aa64dfr0 = 0x10305106;
 +    cpu->isar.id_aa64dfr0 = 0x10305106;
      cpu->isar.id_aa64isar0 = 0x00011120;
      cpu->isar.id_aa64mmfr0 = 0x00001124;
      cpu->dbgdidr = 0x3516d000;
@@ -XXX,XX +XXX,XX @@ static void aarch64_a53_initfn(Object *obj)
      cpu->isar.id_isar5 = 0x00011121;
      cpu->isar.id_isar6 = 0;
      cpu->isar.id_aa64pfr0 = 0x00002222;
 -    cpu->id_aa64dfr0 = 0x10305106;
 +    cpu->isar.id_aa64dfr0 = 0x10305106;
      cpu->isar.id_aa64isar0 = 0x00011120;
      cpu->isar.id_aa64mmfr0 = 0x00001122; /* 40 bit physical addr */
      cpu->dbgdidr = 0x3516d000;
@@ -XXX,XX +XXX,XX @@ static void aarch64_a72_initfn(Object *obj)
      cpu->isar.id_isar4 = 0x00011142;
      cpu->isar.id_isar5 = 0x00011121;
      cpu->isar.id_aa64pfr0 = 0x00002222;
 -    cpu->id_aa64dfr0 = 0x10305106;
 +    cpu->isar.id_aa64dfr0 = 0x10305106;
      cpu->isar.id_aa64isar0 = 0x00011120;
      cpu->isar.id_aa64mmfr0 = 0x00001124;
      cpu->dbgdidr = 0x3516d000;
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@
  #include "hw/semihosting/semihost.h"
  #include "sysemu/cpus.h"
  #include "sysemu/kvm.h"
 +#include "sysemu/tcg.h"
  #include "qemu/range.h"
  #include "qapi/qapi-commands-machine-target.h"
  #include "qapi/error.h"
@@ -XXX,XX +XXX,XX @@ static void define_debug_regs(ARMCPU *cpu)
       * check that if they both exist then they agree.
       */
      if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
 -        assert(FIELD_EX64(cpu->id_aa64dfr0, ID_AA64DFR0, BRPS) == brps);
 -        assert(FIELD_EX64(cpu->id_aa64dfr0, ID_AA64DFR0, WRPS) == wrps);
 -        assert(FIELD_EX64(cpu->id_aa64dfr0, ID_AA64DFR0, CTX_CMPS) == ctx_cmps);
 +        assert(FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, BRPS) == brps);
 +        assert(FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, WRPS) == wrps);
 +        assert(FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, CTX_CMPS)
 +               == ctx_cmps);
      }
-     define_one_arm_cp_reg(cpu, &dbgdidr);
+     if (!cpu->has_el2) {
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
                .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 0,
                .access = PL1_R, .type = ARM_CP_CONST,
                .accessfn = access_aa64_tid3,
 -              .resetvalue = cpu->id_aa64dfr0 },
 +              .resetvalue = cpu->isar.id_aa64dfr0 },
              { .name = "ID_AA64DFR1_EL1", .state = ARM_CP_STATE_AA64,
                .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 1,
                .access = PL1_R, .type = ARM_CP_CONST,
                .accessfn = access_aa64_tid3,
 -              .resetvalue = cpu->id_aa64dfr1 },
 +              .resetvalue = cpu->isar.id_aa64dfr1 },
              { .name = "ID_AA64DFR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
                .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 2,
                .access = PL1_R, .type = ARM_CP_CONST,
 --
-.20.1
+.34.1

-[PULL 34/52] target/arm: Correctly implement ACTLR2, HACTLR2
+[PULL 02/26] target/arm: Update SCR and HCR for RME
-The ACTLR2 and HACTLR2 AArch32 system registers didn't exist in ARMv7
+From: Richard Henderson <richard.henderson@linaro.org>
 or the original ARMv8.  They were later added as optional registers,
 whose presence is signaled by the ID_MMFR4.AC2 field.  From ARMv8.2
 they are mandatory (ie ID_MMFR4.AC2 must be non-zero).
-We implemented HACTLR2 in commit 0e0456ab8895a5e85, but we
+Define the missing SCR and HCR bits, allow SCR_NSE and {SCR,HCR}_GPF
-incorrectly made it exist for all v8 CPUs, and we didn't implement
+to be set, and invalidate TLBs when NSE changes.
 ACTLR2 at all.
-Sort this out by implementing both registers only when they are
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-supposed to exist, and setting the ID_MMFR4 bit for -cpu max.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230620124418.805717-3-richard.henderson@linaro.org
 Note that this removes HACTLR2 from our Cortex-A53, -A47 and -A72
 CPU models; this is correct, because those CPUs do not implement
 this register.
 Fixes: 0e0456ab8895a5e85
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200214175116.9164-22-peter.maydell@linaro.org
 ---
- target/arm/cpu.h    |  5 +++++
+ target/arm/cpu.h    |  5 +++--
- target/arm/cpu.c    |  1 +
+ target/arm/helper.c | 10 ++++++++--
- target/arm/cpu64.c  |  4 ++++
+files changed, 11 insertions(+), 4 deletions(-)
  target/arm/helper.c | 32 +++++++++++++++++++++++---------
 files changed, 33 insertions(+), 9 deletions(-)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_hpd(const ARMISARegisters *id)
+@@ -XXX,XX +XXX,XX @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask)
-     return FIELD_EX32(id->id_mmfr4, ID_MMFR4, HPDS) != 0;
+ #define HCR_TERR      (1ULL << 36)
- }
+ #define HCR_TEA       (1ULL << 37)
+ #define HCR_MIOCNCE   (1ULL << 38)
-+static inline bool isar_feature_aa32_ac2(const ARMISARegisters *id)
+-/* RES0 bit 39 */
-+{
++#define HCR_TME       (1ULL << 39)
-+    return FIELD_EX32(id->id_mmfr4, ID_MMFR4, AC2) != 0;
+ #define HCR_APK       (1ULL << 40)
-+}
+ #define HCR_API       (1ULL << 41)
-+
+ #define HCR_NV        (1ULL << 42)
- /*
+@@ -XXX,XX +XXX,XX @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask)
-  * 64-bit feature tests via id registers.
+ #define HCR_NV2       (1ULL << 45)
-  */
+ #define HCR_FWB       (1ULL << 46)
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+ #define HCR_FIEN      (1ULL << 47)
-index XXXXXXX..XXXXXXX 100644
+-/* RES0 bit 48 */
---- a/target/arm/cpu.c
++#define HCR_GPF       (1ULL << 48)
-+++ b/target/arm/cpu.c
+ #define HCR_TID4      (1ULL << 49)
-@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
+ #define HCR_TICAB     (1ULL << 50)
+ #define HCR_AMVOFFEN  (1ULL << 51)
-             t = cpu->isar.id_mmfr4;
+@@ -XXX,XX +XXX,XX @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask)
-             t = FIELD_DP32(t, ID_MMFR4, HPDS, 1); /* AA32HPD */
+ #define SCR_TRNDR             (1ULL << 40)
-+            t = FIELD_DP32(t, ID_MMFR4, AC2, 1); /* ACTLR2, HACTLR2 */
+ #define SCR_ENTP2             (1ULL << 41)
-             cpu->isar.id_mmfr4 = t;
+ #define SCR_GPF               (1ULL << 48)
-         }
++#define SCR_NSE               (1ULL << 62)
- #endif
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
+ #define HSTR_TTEE (1 << 16)
-index XXXXXXX..XXXXXXX 100644
+ #define HSTR_TJDBX (1 << 17)
 --- a/target/arm/cpu64.c
 +++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
          u = FIELD_DP32(u, ID_MMFR3, PAN, 2); /* ATS1E1 */
          cpu->isar.id_mmfr3 = u;
 +        u = cpu->isar.id_mmfr4;
 +        u = FIELD_DP32(u, ID_MMFR4, AC2, 1); /* ACTLR2, HACTLR2 */
 +        cpu->isar.id_mmfr4 = u;
 +
          u = cpu->isar.id_aa64dfr0;
          u = FIELD_DP64(u, ID_AA64DFR0, PMUVER, 5); /* v8.4-PMU */
          cpu->isar.id_aa64dfr0 = u;
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo ats1cp_reginfo[] = {
+@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
- };
+         if (cpu_isar_feature(aa64_fgt, cpu)) {
- #endif
+             valid_mask |= SCR_FGTEN;
 +/*
 + * ACTLR2 and HACTLR2 map to ACTLR_EL1[63:32] and
 + * ACTLR_EL2[63:32]. They exist only if the ID_MMFR4.AC2 field
 + * is non-zero, which is never for ARMv7, optionally in ARMv8
 + * and mandatorily for ARMv8.2 and up.
 + * ACTLR2 is banked for S and NS if EL3 is AArch32. Since QEMU's
 + * implementation is RAZ/WI we can ignore this detail, as we
 + * do for ACTLR.
 + */
 +static const ARMCPRegInfo actlr2_hactlr2_reginfo[] = {
 +    { .name = "ACTLR2", .state = ARM_CP_STATE_AA32,
 +      .cp = 15, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 3,
 +      .access = PL1_RW, .type = ARM_CP_CONST,
 +      .resetvalue = 0 },
 +    { .name = "HACTLR2", .state = ARM_CP_STATE_AA32,
 +      .cp = 15, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 3,
 +      .access = PL2_RW, .type = ARM_CP_CONST,
 +      .resetvalue = 0 },
 +    REGINFO_SENTINEL
 +};
 +
  void register_cp_regs_for_features(ARMCPU *cpu)
  {
      /* Register all the coprocessor registers based on feature bits */
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
              REGINFO_SENTINEL
          };
          define_arm_cp_regs(cpu, auxcr_reginfo);
 -        if (arm_feature(env, ARM_FEATURE_V8)) {
 -            /* HACTLR2 maps to ACTLR_EL2[63:32] and is not in ARMv7 */
 -            ARMCPRegInfo hactlr2_reginfo = {
 -                .name = "HACTLR2", .state = ARM_CP_STATE_AA32,
 -                .cp = 15, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 3,
 -                .access = PL2_RW, .type = ARM_CP_CONST,
 -                .resetvalue = 0
 -            };
 -            define_one_arm_cp_reg(cpu, &hactlr2_reginfo);
 +        if (cpu_isar_feature(aa32_ac2, cpu)) {
 +            define_arm_cp_regs(cpu, actlr2_hactlr2_reginfo);
          }
++        if (cpu_isar_feature(aa64_rme, cpu)) {
++            valid_mask |= SCR_NSE | SCR_GPF;
++        }
+     } else {
+         valid_mask &= ~(SCR_RW | SCR_ST);
+         if (cpu_isar_feature(aa32_ras, cpu)) {
+@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
+     env->cp15.scr_el3 = value;
+     /*
+-     * If SCR_EL3.NS changes, i.e. arm_is_secure_below_el3, then
++     * If SCR_EL3.{NS,NSE} changes, i.e. change of security state,
+      * we must invalidate all TLBs below EL3.
+      */
+-    if (changed & SCR_NS) {
++    if (changed & (SCR_NS | SCR_NSE)) {
+         tlb_flush_by_mmuidx(env_cpu(env), (ARMMMUIdxBit_E10_0 |
+                                            ARMMMUIdxBit_E20_0 |
+                                            ARMMMUIdxBit_E10_1 |
+@@ -XXX,XX +XXX,XX @@ static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask)
+         if (cpu_isar_feature(aa64_fwb, cpu)) {
+             valid_mask |= HCR_FWB;
+         }
++        if (cpu_isar_feature(aa64_rme, cpu)) {
++            valid_mask |= HCR_GPF;
++        }
      }
+     if (cpu_isar_feature(any_evt, cpu)) {
 --
-.20.1
+.34.1

-[PULL 11/52] target/arm: Fix select for aa64_va_parameters_both
+[PULL 03/26] target/arm: SCR_EL3.NS may be RES1
 From: Richard Henderson <richard.henderson@linaro.org>
-Select should always be 0 for a regime with one range.
+With RME, SEL2 must also be present to support secure state.
 The NS bit is RES1 if SEL2 is not present.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200216194343.21331-3-richard.henderson@linaro.org
+Message-id: 20230620124418.805717-4-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.c | 46 +++++++++++++++++++++++----------------------
+ target/arm/helper.c | 3 +++
-file changed, 24 insertions(+), 22 deletions(-)
+file changed, 3 insertions(+)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters_both(CPUARMState *env, uint64_t va,
+@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
      bool tbi, tbid, epd, hpd, using16k, using64k;
      int select, tsz;
 -    /*
 -     * Bit 55 is always between the two regions, and is canonical for
 -     * determining if address tagging is enabled.
 -     */
 -    select = extract64(va, 55, 1);
 -
      if (!regime_has_2_ranges(mmu_idx)) {
 +        select = 0;
          tsz = extract32(tcr, 0, 6);
          using64k = extract32(tcr, 14, 1);
          using16k = extract32(tcr, 15, 1);
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters_both(CPUARMState *env, uint64_t va,
              tbid = extract32(tcr, 29, 1);
          }
-         epd = false;
+         if (cpu_isar_feature(aa64_sel2, cpu)) {
--    } else if (!select) {
+             valid_mask |= SCR_EEL2;
--        tsz = extract32(tcr, 0, 6);
++        } else if (cpu_isar_feature(aa64_rme, cpu)) {
--        epd = extract32(tcr, 7, 1);
++            /* With RME and without SEL2, NS is RES1 (R_GSWWH, I_DJJQJ). */
--        using64k = extract32(tcr, 14, 1);
++            value |= SCR_NS;
--        using16k = extract32(tcr, 15, 1);
+         }
--        tbi = extract64(tcr, 37, 1);
+         if (cpu_isar_feature(aa64_mte, cpu)) {
--        hpd = extract64(tcr, 41, 1);
+             valid_mask |= SCR_ATA;
 -        tbid = extract64(tcr, 51, 1);
      } else {
 -        int tg = extract32(tcr, 30, 2);
 -        using16k = tg == 1;
 -        using64k = tg == 3;
 -        tsz = extract32(tcr, 16, 6);
 -        epd = extract32(tcr, 23, 1);
 -        tbi = extract64(tcr, 38, 1);
 -        hpd = extract64(tcr, 42, 1);
 -        tbid = extract64(tcr, 52, 1);
 +        /*
 +         * Bit 55 is always between the two regions, and is canonical for
 +         * determining if address tagging is enabled.
 +         */
 +        select = extract64(va, 55, 1);
 +        if (!select) {
 +            tsz = extract32(tcr, 0, 6);
 +            epd = extract32(tcr, 7, 1);
 +            using64k = extract32(tcr, 14, 1);
 +            using16k = extract32(tcr, 15, 1);
 +            tbi = extract64(tcr, 37, 1);
 +            hpd = extract64(tcr, 41, 1);
 +            tbid = extract64(tcr, 51, 1);
 +        } else {
 +            int tg = extract32(tcr, 30, 2);
 +            using16k = tg == 1;
 +            using64k = tg == 3;
 +            tsz = extract32(tcr, 16, 6);
 +            epd = extract32(tcr, 23, 1);
 +            tbi = extract64(tcr, 38, 1);
 +            hpd = extract64(tcr, 42, 1);
 +            tbid = extract64(tcr, 52, 1);
 +        }
      }
      tsz = MIN(tsz, 39);  /* TODO: ARMv8.4-TTST */
      tsz = MAX(tsz, 16);  /* TODO: ARMv8.2-LVA  */
 --
-.20.1
+.34.1

-[PULL 27/52] target/arm: Implement ARMv8.4-PMU extension
+[PULL 04/26] target/arm: Add RME cpregs
-The ARMv8.4-PMU extension adds:
+From: Richard Henderson <richard.henderson@linaro.org>
  * one new required event, STALL
  * one new system register PMMIR_EL1
-(There are also some more L1-cache related events, but since
+This includes GPCCR, GPTBR, MFAR, the TLB flush insns PAALL, PAALLOS,
-we don't implement any cache we don't provide these, in the
+RPALOS, RPAOS, and the cache flush insns CIPAPA and CIGDPAPA.
 same way we don't provide the base-PMUv3 cache events.)
-The STALL event "counts every attributable cycle on which no
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-attributable instruction or operation was sent for execution on this
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-PE".  QEMU doesn't stall in this sense, so this is another
+Message-id: 20230620124418.805717-5-richard.henderson@linaro.org
 always-reads-zero event.
 The PMMIR_EL1 register is a read-only register providing
 implementation-specific information about the PMU; currently it has
 only one field, SLOTS, which defines behaviour of the STALL_SLOT PMU
 event.  Since QEMU doesn't implement the STALL_SLOT event, we can
 validly make the register read zero.
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20200214175116.9164-15-peter.maydell@linaro.org
 ---
- target/arm/cpu.h    | 18 ++++++++++++++++++
+ target/arm/cpu.h    | 19 ++++++++++
- target/arm/helper.c | 22 +++++++++++++++++++++-
+ target/arm/helper.c | 84 +++++++++++++++++++++++++++++++++++++++++++++
-files changed, 39 insertions(+), 1 deletion(-)
+files changed, 103 insertions(+)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_pmu_8_1(const ARMISARegisters *id)
+@@ -XXX,XX +XXX,XX @@ typedef struct CPUArchState {
-         FIELD_EX32(id->id_dfr0, ID_DFR0, PERFMON) != 0xf;
+         uint64_t fgt_read[2]; /* HFGRTR, HDFGRTR */
- }
+         uint64_t fgt_write[2]; /* HFGWTR, HDFGWTR */
+         uint64_t fgt_exec[1]; /* HFGITR */
 +static inline bool isar_feature_aa32_pmu_8_4(const ARMISARegisters *id)
 +{
 +    /* 0xf means "non-standard IMPDEF PMU" */
 +    return FIELD_EX32(id->id_dfr0, ID_DFR0, PERFMON) >= 5 &&
 +        FIELD_EX32(id->id_dfr0, ID_DFR0, PERFMON) != 0xf;
 +}
 +
- /*
++        /* RME registers */
-  * 64-bit feature tests via id registers.
++        uint64_t gpccr_el3;
-  */
++        uint64_t gptbr_el3;
-@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_pmu_8_1(const ARMISARegisters *id)
++        uint64_t mfar_el3;
-         FIELD_EX64(id->id_aa64dfr0, ID_AA64DFR0, PMUVER) != 0xf;
+     } cp15;
- }
+     struct {
-+static inline bool isar_feature_aa64_pmu_8_4(const ARMISARegisters *id)
+@@ -XXX,XX +XXX,XX @@ struct ArchCPU {
-+{
+     uint64_t reset_cbar;
-+    return FIELD_EX32(id->id_aa64dfr0, ID_AA64DFR0, PMUVER) >= 5 &&
+     uint32_t reset_auxcr;
-+        FIELD_EX32(id->id_aa64dfr0, ID_AA64DFR0, PMUVER) != 0xf;
+     bool reset_hivecs;
-+}
++    uint8_t reset_l0gptsz;
      /*
       * Intermediate values used during property parsing.
@@ -XXX,XX +XXX,XX @@ FIELD(MVFR1, SIMDFMAC, 28, 4)
  FIELD(MVFR2, SIMDMISC, 0, 4)
  FIELD(MVFR2, FPMISC, 4, 4)
 +FIELD(GPCCR, PPS, 0, 3)
 +FIELD(GPCCR, IRGN, 8, 2)
 +FIELD(GPCCR, ORGN, 10, 2)
 +FIELD(GPCCR, SH, 12, 2)
 +FIELD(GPCCR, PGS, 14, 2)
 +FIELD(GPCCR, GPC, 16, 1)
 +FIELD(GPCCR, GPCP, 17, 1)
 +FIELD(GPCCR, L0GPTSZ, 20, 4)
 +
- /*
++FIELD(MFAR, FPA, 12, 40)
-  * Feature tests for "does this exist in either 32-bit or 64-bit?"
++FIELD(MFAR, NSE, 62, 1)
-  */
++FIELD(MFAR, NS, 63, 1)
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_any_pmu_8_1(const ARMISARegisters *id)
      return isar_feature_aa64_pmu_8_1(id) || isar_feature_aa32_pmu_8_1(id);
  }
 +static inline bool isar_feature_any_pmu_8_4(const ARMISARegisters *id)
 +{
 +    return isar_feature_aa64_pmu_8_4(id) || isar_feature_aa32_pmu_8_4(id);
 +}
 +
- /*
+ QEMU_BUILD_BUG_ON(ARRAY_SIZE(((ARMCPU *)0)->ccsidr) <= R_V7M_CSSELR_INDEX_MASK);
-  * Forward to the above feature tests given an ARMCPU pointer.
-  */
+ /* If adding a feature bit which corresponds to a Linux ELF
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static bool pmu_8_1_events_supported(CPUARMState *env)
+@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo sme_reginfo[] = {
-     return cpu_isar_feature(any_pmu_8_1, env_archcpu(env));
+       .access = PL2_RW, .accessfn = access_esm,
- }
+       .type = ARM_CP_CONST, .resetvalue = 0 },
+ };
-+static bool pmu_8_4_events_supported(CPUARMState *env)
++
 +static void tlbi_aa64_paall_write(CPUARMState *env, const ARMCPRegInfo *ri,
 +                                  uint64_t value)
 +{
-+    /* For events which are supported in any v8.1 PMU */
++    CPUState *cs = env_cpu(env);
-+    return cpu_isar_feature(any_pmu_8_4, env_archcpu(env));
++
 +    tlb_flush(cs);
 +}
 +
- static uint64_t zero_event_get_count(CPUARMState *env)
++static void gpccr_write(CPUARMState *env, const ARMCPRegInfo *ri,
- {
++                        uint64_t value)
-     /* For events which on QEMU never fire, so their count is always zero */
++{
-@@ -XXX,XX +XXX,XX @@ static const pm_event pm_events[] = {
++    /* L0GPTSZ is RO; other bits not mentioned are RES0. */
-       .get_count = zero_event_get_count,
++    uint64_t rw_mask = R_GPCCR_PPS_MASK | R_GPCCR_IRGN_MASK |
-       .ns_per_count = zero_event_ns_per,
++        R_GPCCR_ORGN_MASK | R_GPCCR_SH_MASK | R_GPCCR_PGS_MASK |
-     },
++        R_GPCCR_GPC_MASK | R_GPCCR_GPCP_MASK;
-+    { .number = 0x03c, /* STALL */
++
-+      .supported = pmu_8_4_events_supported,
++    env->cp15.gpccr_el3 = (value & rw_mask) | (env->cp15.gpccr_el3 & ~rw_mask);
-+      .get_count = zero_event_get_count,
++}
-+      .ns_per_count = zero_event_ns_per,
++
-+    },
++static void gpccr_reset(CPUARMState *env, const ARMCPRegInfo *ri)
- };
++{
++    env->cp15.gpccr_el3 = FIELD_DP64(0, GPCCR, L0GPTSZ,
- /*
++                                     env_archcpu(env)->reset_l0gptsz);
-@@ -XXX,XX +XXX,XX @@ static const pm_event pm_events[] = {
++}
-  * should first be updated to something sparse instead of the current
++
-  * supported_event_map[] array.
++static void tlbi_aa64_paallos_write(CPUARMState *env, const ARMCPRegInfo *ri,
-  */
++                                    uint64_t value)
--#define MAX_EVENT_ID 0x24
++{
-+#define MAX_EVENT_ID 0x3c
++    CPUState *cs = env_cpu(env);
- #define UNSUPPORTED_EVENT UINT16_MAX
++
- static uint16_t supported_event_map[MAX_EVENT_ID + 1];
++    tlb_flush_all_cpus_synced(cs);
++}
-@@ -XXX,XX +XXX,XX @@ static void define_pmu_regs(ARMCPU *cpu)
++
-         };
++static const ARMCPRegInfo rme_reginfo[] = {
-         define_arm_cp_regs(cpu, v81_pmu_regs);
++    { .name = "GPCCR_EL3", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 3, .opc1 = 6, .crn = 2, .crm = 1, .opc2 = 6,
 +      .access = PL3_RW, .writefn = gpccr_write, .resetfn = gpccr_reset,
 +      .fieldoffset = offsetof(CPUARMState, cp15.gpccr_el3) },
 +    { .name = "GPTBR_EL3", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 3, .opc1 = 6, .crn = 2, .crm = 1, .opc2 = 4,
 +      .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.gptbr_el3) },
 +    { .name = "MFAR_EL3", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 3, .opc1 = 6, .crn = 6, .crm = 0, .opc2 = 5,
 +      .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.mfar_el3) },
 +    { .name = "TLBI_PAALL", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 7, .opc2 = 4,
 +      .access = PL3_W, .type = ARM_CP_NO_RAW,
 +      .writefn = tlbi_aa64_paall_write },
 +    { .name = "TLBI_PAALLOS", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 1, .opc2 = 4,
 +      .access = PL3_W, .type = ARM_CP_NO_RAW,
 +      .writefn = tlbi_aa64_paallos_write },
 +    /*
 +     * QEMU does not have a way to invalidate by physical address, thus
 +     * invalidating a range of physical addresses is accomplished by
 +     * flushing all tlb entries in the outer sharable domain,
 +     * just like PAALLOS.
 +     */
 +    { .name = "TLBI_RPALOS", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 4, .opc2 = 7,
 +      .access = PL3_W, .type = ARM_CP_NO_RAW,
 +      .writefn = tlbi_aa64_paallos_write },
 +    { .name = "TLBI_RPAOS", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 4, .opc2 = 3,
 +      .access = PL3_W, .type = ARM_CP_NO_RAW,
 +      .writefn = tlbi_aa64_paallos_write },
 +    { .name = "DC_CIPAPA", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 14, .opc2 = 1,
 +      .access = PL3_W, .type = ARM_CP_NOP },
 +};
 +
 +static const ARMCPRegInfo rme_mte_reginfo[] = {
 +    { .name = "DC_CIGDPAPA", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 14, .opc2 = 5,
 +      .access = PL3_W, .type = ARM_CP_NOP },
 +};
  #endif /* TARGET_AARCH64 */
  static void define_pmu_regs(ARMCPU *cpu)
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
      if (cpu_isar_feature(aa64_fgt, cpu)) {
          define_arm_cp_regs(cpu, fgt_reginfo);
      }
-+    if (cpu_isar_feature(any_pmu_8_4, cpu)) {
++
-+        static const ARMCPRegInfo v84_pmmir = {
++    if (cpu_isar_feature(aa64_rme, cpu)) {
-+            .name = "PMMIR_EL1", .state = ARM_CP_STATE_BOTH,
++        define_arm_cp_regs(cpu, rme_reginfo);
-+            .opc0 = 3, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 6,
++        if (cpu_isar_feature(aa64_mte, cpu)) {
-+            .access = PL1_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
++            define_arm_cp_regs(cpu, rme_mte_reginfo);
-+            .resetvalue = 0
++        }
 +        };
 +        define_one_arm_cp_reg(cpu, &v84_pmmir);
 +    }
- }
+ #endif
- /* We don't know until after realize whether there's a GICv3
+     if (cpu_isar_feature(any_predinv, cpu)) {
 --
-.20.1
+.34.1

-[PULL 47/52] target/arm: Add isar_feature_aa32_simd_r16
+[PULL 05/26] target/arm: Introduce ARMSecuritySpace
 From: Richard Henderson <richard.henderson@linaro.org>
-Use this in the places that were checking ARM_FEATURE_VFP, and
+Introduce both the enumeration and functions to retrieve
-are obviously testing for the existance of the register set
+the current state, and state outside of EL3.
 as opposed to testing for some particular instruction extension.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200214181547.21408-6-richard.henderson@linaro.org
+Message-id: 20230620124418.805717-6-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.h        |  6 ++++++
+ target/arm/cpu.h    | 89 ++++++++++++++++++++++++++++++++++-----------
- hw/intc/armv7m_nvic.c   | 20 ++++++++++----------
+ target/arm/helper.c | 60 ++++++++++++++++++++++++++++++
- linux-user/arm/signal.c |  4 ++--
+files changed, 127 insertions(+), 22 deletions(-)
  target/arm/arch_dump.c  | 11 ++++++-----
  target/arm/cpu.c        |  8 ++++----
  target/arm/helper.c     |  4 ++--
  target/arm/m_helper.c   | 11 ++++++-----
  target/arm/machine.c    |  3 +--
 files changed, 37 insertions(+), 30 deletions(-)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_fp16_arith(const ARMISARegisters *id)
+@@ -XXX,XX +XXX,XX @@ static inline int arm_feature(CPUARMState *env, int feature)
-     return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, FP) == 1;
- }
+ void arm_cpu_finalize_features(ARMCPU *cpu, Error **errp);
-+static inline bool isar_feature_aa32_simd_r16(const ARMISARegisters *id)
+-#if !defined(CONFIG_USER_ONLY)
-+{
+ /*
-+    /* Return true if D0-D15 are implemented */
++ * ARM v9 security states.
-+    return FIELD_EX32(id->mvfr0, MVFR0, SIMDREG) > 0;
++ * The ordering of the enumeration corresponds to the low 2 bits
-+}
++ * of the GPI value, and (except for Root) the concat of NSE:NS.
-+
++ */
- static inline bool isar_feature_aa32_simd_r32(const ARMISARegisters *id)
++
- {
++typedef enum ARMSecuritySpace {
-     /* Return true if D16-D31 are implemented */
++    ARMSS_Secure     = 0,
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
++    ARMSS_NonSecure  = 1,
-index XXXXXXX..XXXXXXX 100644
++    ARMSS_Root       = 2,
---- a/hw/intc/armv7m_nvic.c
++    ARMSS_Realm      = 3,
-+++ b/hw/intc/armv7m_nvic.c
++} ARMSecuritySpace;
-@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
++
-     case 0xd84: /* CSSELR */
++/* Return true if @space is secure, in the pre-v9 sense. */
-         return cpu->env.v7m.csselr[attrs.secure];
++static inline bool arm_space_is_secure(ARMSecuritySpace space)
-     case 0xd88: /* CPACR */
++{
--        if (!arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
++    return space == ARMSS_Secure || space == ARMSS_Root;
-+        if (!cpu_isar_feature(aa32_simd_r16, cpu)) {
++}
-             return 0;
++
-         }
++/* Return the ARMSecuritySpace for @secure, assuming !RME or EL[0-2]. */
-         return cpu->env.v7m.cpacr[attrs.secure];
++static inline ARMSecuritySpace arm_secure_to_space(bool secure)
-     case 0xd8c: /* NSACR */
++{
--        if (!attrs.secure || !arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
++    return secure ? ARMSS_Secure : ARMSS_NonSecure;
-+        if (!attrs.secure || !cpu_isar_feature(aa32_simd_r16, cpu)) {
++}
-             return 0;
++
-         }
++#if !defined(CONFIG_USER_ONLY)
-         return cpu->env.v7m.nsacr;
++/**
-@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
++ * arm_security_space_below_el3:
-         }
++ * @env: cpu context
-         return cpu->env.v7m.sfar;
++ *
-     case 0xf34: /* FPCCR */
++ * Return the security space of exception levels below EL3, following
--        if (!arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
++ * an exception return to those levels.  Unlike arm_security_space,
-+        if (!cpu_isar_feature(aa32_simd_r16, cpu)) {
++ * this doesn't care about the current EL.
-             return 0;
++ */
-         }
++ARMSecuritySpace arm_security_space_below_el3(CPUARMState *env);
-         if (attrs.secure) {
++
-@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
++/**
-             return value;
++ * arm_is_secure_below_el3:
-         }
++ * @env: cpu context
-     case 0xf38: /* FPCAR */
++ *
--        if (!arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
+  * Return true if exception levels below EL3 are in secure state,
-+        if (!cpu_isar_feature(aa32_simd_r16, cpu)) {
+- * or would be following an exception return to that level.
-             return 0;
+- * Unlike arm_is_secure() (which is always a question about the
-         }
+- * _current_ state of the CPU) this doesn't care about the current
-         return cpu->env.v7m.fpcar[attrs.secure];
+- * EL or mode.
-     case 0xf3c: /* FPDSCR */
++ * or would be following an exception return to those levels.
--        if (!arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
+  */
-+        if (!cpu_isar_feature(aa32_simd_r16, cpu)) {
+ static inline bool arm_is_secure_below_el3(CPUARMState *env)
-             return 0;
+ {
-         }
+-    assert(!arm_feature(env, ARM_FEATURE_M));
-         return cpu->env.v7m.fpdscr[attrs.secure];
+-    if (arm_feature(env, ARM_FEATURE_EL3)) {
-@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
+-        return !(env->cp15.scr_el3 & SCR_NS);
-         }
+-    } else {
-         break;
+-        /* If EL3 is not supported then the secure state is implementation
-     case 0xd88: /* CPACR */
+-         * defined, in which case QEMU defaults to non-secure.
--        if (arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
+-         */
-+        if (cpu_isar_feature(aa32_simd_r16, cpu)) {
+-        return false;
-             /* We implement only the Floating Point extension's CP10/CP11 */
+-    }
-             cpu->env.v7m.cpacr[attrs.secure] = value & (0xf << 20);
++    ARMSecuritySpace ss = arm_security_space_below_el3(env);
-         }
++    return ss == ARMSS_Secure;
-         break;
+ }
-     case 0xd8c: /* NSACR */
--        if (attrs.secure && arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
+ /* Return true if the CPU is AArch64 EL3 or AArch32 Mon */
-+        if (attrs.secure && cpu_isar_feature(aa32_simd_r16, cpu)) {
+@@ -XXX,XX +XXX,XX @@ static inline bool arm_is_el3_or_mon(CPUARMState *env)
-             /* We implement only the Floating Point extension's CP10/CP11 */
+     return false;
-             cpu->env.v7m.nsacr = value & (3 << 10);
+ }
-         }
-@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
+-/* Return true if the processor is in secure state */
-         break;
++/**
-     }
++ * arm_security_space:
-     case 0xf34: /* FPCCR */
++ * @env: cpu context
--        if (arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
++ *
-+        if (cpu_isar_feature(aa32_simd_r16, cpu)) {
++ * Return the current security space of the cpu.
-             /* Not all bits here are banked. */
++ */
-             uint32_t fpccr_s;
++ARMSecuritySpace arm_security_space(CPUARMState *env);
++
-@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
++/**
-         }
++ * arm_is_secure:
-         break;
++ * @env: cpu context
-     case 0xf38: /* FPCAR */
++ *
--        if (arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
++ * Return true if the processor is in secure state.
-+        if (cpu_isar_feature(aa32_simd_r16, cpu)) {
++ */
-             value &= ~7;
+ static inline bool arm_is_secure(CPUARMState *env)
-             cpu->env.v7m.fpcar[attrs.secure] = value;
+ {
-         }
+-    if (arm_feature(env, ARM_FEATURE_M)) {
-         break;
+-        return env->v7m.secure;
-     case 0xf3c: /* FPDSCR */
+-    }
--        if (arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
+-    if (arm_is_el3_or_mon(env)) {
-+        if (cpu_isar_feature(aa32_simd_r16, cpu)) {
+-        return true;
-             value &= 0x07c00000;
+-    }
-             cpu->env.v7m.fpdscr[attrs.secure] = value;
+-    return arm_is_secure_below_el3(env);
-         }
++    return arm_space_is_secure(arm_security_space(env));
-diff --git a/linux-user/arm/signal.c b/linux-user/arm/signal.c
+ }
-index XXXXXXX..XXXXXXX 100644
---- a/linux-user/arm/signal.c
+ /*
-+++ b/linux-user/arm/signal.c
+@@ -XXX,XX +XXX,XX @@ static inline bool arm_is_el2_enabled(CPUARMState *env)
-@@ -XXX,XX +XXX,XX @@ static void setup_sigframe_v2(struct target_ucontext_v2 *uc,
+ }
-     setup_sigcontext(&uc->tuc_mcontext, env, set->sig[0]);
-     /* Save coprocessor signal frame.  */
+ #else
-     regspace = uc->tuc_regspace;
++static inline ARMSecuritySpace arm_security_space_below_el3(CPUARMState *env)
--    if (arm_feature(env, ARM_FEATURE_VFP)) {
++{
-+    if (cpu_isar_feature(aa32_simd_r16, env_archcpu(env))) {
++    return ARMSS_NonSecure;
-         regspace = setup_sigframe_v2_vfp(regspace, env);
++}
-     }
++
-     if (arm_feature(env, ARM_FEATURE_IWMMXT)) {
+ static inline bool arm_is_secure_below_el3(CPUARMState *env)
-@@ -XXX,XX +XXX,XX @@ static int do_sigframe_return_v2(CPUARMState *env,
+ {
+     return false;
-     /* Restore coprocessor signal frame */
+ }
-     regspace = uc->tuc_regspace;
--    if (arm_feature(env, ARM_FEATURE_VFP)) {
++static inline ARMSecuritySpace arm_security_space(CPUARMState *env)
-+    if (cpu_isar_feature(aa32_simd_r16, env_archcpu(env))) {
++{
-         regspace = restore_sigframe_v2_vfp(env, regspace);
++    return ARMSS_NonSecure;
-         if (!regspace) {
++}
-             return 1;
++
-diff --git a/target/arm/arch_dump.c b/target/arm/arch_dump.c
+ static inline bool arm_is_secure(CPUARMState *env)
-index XXXXXXX..XXXXXXX 100644
+ {
---- a/target/arm/arch_dump.c
+     return false;
 +++ b/target/arm/arch_dump.c
@@ -XXX,XX +XXX,XX @@ int arm_cpu_write_elf32_note(WriteCoreDumpFunction f, CPUState *cs,
                               int cpuid, void *opaque)
  {
      struct arm_note note;
 -    CPUARMState *env = &ARM_CPU(cs)->env;
 +    ARMCPU *cpu = ARM_CPU(cs);
 +    CPUARMState *env = &cpu->env;
      DumpState *s = opaque;
 -    int ret, i, fpvalid = !!arm_feature(env, ARM_FEATURE_VFP);
 +    int ret, i;
 +    bool fpvalid = cpu_isar_feature(aa32_simd_r16, cpu);
      arm_note_init(&note, s, "CORE", 5, NT_PRSTATUS, sizeof(note.prstatus));
@@ -XXX,XX +XXX,XX @@ int cpu_get_dump_info(ArchDumpInfo *info,
  ssize_t cpu_get_note_size(int class, int machine, int nr_cpus)
  {
      ARMCPU *cpu = ARM_CPU(first_cpu);
 -    CPUARMState *env = &cpu->env;
      size_t note_size;
      if (class == ELFCLASS64) {
@@ -XXX,XX +XXX,XX @@ ssize_t cpu_get_note_size(int class, int machine, int nr_cpus)
          note_size += AARCH64_PRFPREG_NOTE_SIZE;
  #ifdef TARGET_AARCH64
          if (cpu_isar_feature(aa64_sve, cpu)) {
 -            note_size += AARCH64_SVE_NOTE_SIZE(env);
 +            note_size += AARCH64_SVE_NOTE_SIZE(&cpu->env);
          }
  #endif
      } else {
          note_size = ARM_PRSTATUS_NOTE_SIZE;
 -        if (arm_feature(env, ARM_FEATURE_VFP)) {
 +        if (cpu_isar_feature(aa32_simd_r16, cpu)) {
              note_size += ARM_VFP_NOTE_SIZE;
          }
      }
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(CPUState *s)
              env->v7m.ccr[M_REG_S] |= R_V7M_CCR_UNALIGN_TRP_MASK;
          }
 -        if (arm_feature(env, ARM_FEATURE_VFP)) {
 +        if (cpu_isar_feature(aa32_simd_r16, cpu)) {
              env->v7m.fpccr[M_REG_NS] = R_V7M_FPCCR_ASPEN_MASK;
              env->v7m.fpccr[M_REG_S] = R_V7M_FPCCR_ASPEN_MASK |
                  R_V7M_FPCCR_LSPEN_MASK | R_V7M_FPCCR_S_MASK;
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_dump_state(CPUState *cs, FILE *f, int flags)
          int numvfpregs = 0;
          if (cpu_isar_feature(aa32_simd_r32, cpu)) {
              numvfpregs = 32;
 -        } else if (arm_feature(env, ARM_FEATURE_VFP)) {
 +        } else if (cpu_isar_feature(aa32_simd_r16, cpu)) {
              numvfpregs = 16;
          }
          for (i = 0; i < numvfpregs; i++) {
@@ -XXX,XX +XXX,XX @@ void arm_cpu_post_init(Object *obj)
       * KVM does not currently allow us to lie to the guest about its
       * ID/feature registers, so the guest always sees what the host has.
       */
 -    if (arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
 +    if (cpu_isar_feature(aa32_simd_r16, cpu)) {
          cpu->has_vfp = true;
          if (!kvm_enabled()) {
              qdev_property_add_static(DEVICE(obj), &arm_cpu_has_vfp_property);
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
       * We rely on no XScale CPU having VFP so we can use the same bits in the
       * TB flags field for VECSTRIDE and XSCALE_CPAR.
       */
 -    assert(!(arm_feature(env, ARM_FEATURE_VFP) &&
 +    assert(!(cpu_isar_feature(aa32_simd_r16, cpu) &&
               arm_feature(env, ARM_FEATURE_XSCALE)));
      if (arm_feature(env, ARM_FEATURE_V7) &&
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void cpacr_write(CPUARMState *env, const ARMCPRegInfo *ri,
+@@ -XXX,XX +XXX,XX @@ void aarch64_sve_change_el(CPUARMState *env, int old_el,
           * ASEDIS [31] and D32DIS [30] are both UNK/SBZP without VFP.
           * TRCDIS [28] is RAZ/WI since we do not implement a trace macrocell.
           */
 -        if (arm_feature(env, ARM_FEATURE_VFP)) {
 +        if (cpu_isar_feature(aa32_simd_r16, env_archcpu(env))) {
              /* VFP coprocessor: cp10 & cp11 [23:20] */
              mask |= (1 << 31) | (1 << 30) | (0xf << 20);
@@ -XXX,XX +XXX,XX @@ void arm_cpu_register_gdb_regs_for_features(ARMCPU *cpu)
      } else if (cpu_isar_feature(aa32_simd_r32, cpu)) {
          gdb_register_coprocessor(cs, vfp_gdb_get_reg, vfp_gdb_set_reg,
 , "arm-vfp3.xml", 0);
 -    } else if (arm_feature(env, ARM_FEATURE_VFP)) {
 +    } else if (cpu_isar_feature(aa32_simd_r16, cpu)) {
          gdb_register_coprocessor(cs, vfp_gdb_get_reg, vfp_gdb_set_reg,
 , "arm-vfp.xml", 0);
      }
-diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
+ }
-index XXXXXXX..XXXXXXX 100644
+ #endif
---- a/target/arm/m_helper.c
++
-+++ b/target/arm/m_helper.c
++#ifndef CONFIG_USER_ONLY
-@@ -XXX,XX +XXX,XX @@ static uint32_t v7m_integrity_sig(CPUARMState *env, uint32_t lr)
++ARMSecuritySpace arm_security_space(CPUARMState *env)
-      */
++{
-     uint32_t sig = 0xfefa125a;
++    if (arm_feature(env, ARM_FEATURE_M)) {
++        return arm_secure_to_space(env->v7m.secure);
--    if (!arm_feature(env, ARM_FEATURE_VFP) || (lr & R_V7M_EXCRET_FTYPE_MASK)) {
++    }
-+    if (!cpu_isar_feature(aa32_simd_r16, env_archcpu(env))
++
-+        || (lr & R_V7M_EXCRET_FTYPE_MASK)) {
++    /*
-         sig |= 1;
++     * If EL3 is not supported then the secure state is implementation
-     }
++     * defined, in which case QEMU defaults to non-secure.
-     return sig;
++     */
-@@ -XXX,XX +XXX,XX @@ static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
++    if (!arm_feature(env, ARM_FEATURE_EL3)) {
++        return ARMSS_NonSecure;
-     if (dotailchain) {
++    }
-         /* Sanitize LR FType and PREFIX bits */
++
--        if (!arm_feature(env, ARM_FEATURE_VFP)) {
++    /* Check for AArch64 EL3 or AArch32 Mon. */
-+        if (!cpu_isar_feature(aa32_simd_r16, cpu)) {
++    if (is_a64(env)) {
-             lr |= R_V7M_EXCRET_FTYPE_MASK;
++        if (extract32(env->pstate, 2, 2) == 3) {
-         }
++            if (cpu_isar_feature(aa64_rme, env_archcpu(env))) {
-         lr = deposit32(lr, 24, 8, 0xff);
++                return ARMSS_Root;
-@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
++            } else {
++                return ARMSS_Secure;
-     ftype = excret & R_V7M_EXCRET_FTYPE_MASK;
++            }
++        }
--    if (!arm_feature(env, ARM_FEATURE_VFP) && !ftype) {
++    } else {
-+    if (!ftype && !cpu_isar_feature(aa32_simd_r16, cpu)) {
++        if ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_MON) {
-         qemu_log_mask(LOG_GUEST_ERROR, "M profile: zero FTYPE in exception "
++            return ARMSS_Secure;
-                       "exit PC value 0x%" PRIx32 " is UNPREDICTABLE "
++        }
-                       "if FPU not present\n",
++    }
-@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
++
-              * SFPA is RAZ/WI from NS. FPCA is RO if NSACR.CP10 == 0,
++    return arm_security_space_below_el3(env);
-              * RES0 if the FPU is not present, and is stored in the S bank
++}
-              */
++
--            if (arm_feature(env, ARM_FEATURE_VFP) &&
++ARMSecuritySpace arm_security_space_below_el3(CPUARMState *env)
-+            if (cpu_isar_feature(aa32_simd_r16, env_archcpu(env)) &&
++{
-                 extract32(env->v7m.nsacr, 10, 1)) {
++    assert(!arm_feature(env, ARM_FEATURE_M));
-                 env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_FPCA_MASK;
++
-                 env->v7m.control[M_REG_S] |= val & R_V7M_CONTROL_FPCA_MASK;
++    /*
-@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
++     * If EL3 is not supported then the secure state is implementation
-             env->v7m.control[env->v7m.secure] &= ~R_V7M_CONTROL_NPRIV_MASK;
++     * defined, in which case QEMU defaults to non-secure.
-             env->v7m.control[env->v7m.secure] |= val & R_V7M_CONTROL_NPRIV_MASK;
++     */
-         }
++    if (!arm_feature(env, ARM_FEATURE_EL3)) {
--        if (arm_feature(env, ARM_FEATURE_VFP)) {
++        return ARMSS_NonSecure;
-+        if (cpu_isar_feature(aa32_simd_r16, env_archcpu(env))) {
++    }
-             /*
++
-              * SFPA is RAZ/WI from NS or if no FPU.
++    /*
-              * FPCA is RO if NSACR.CP10 == 0, RES0 if the FPU is not present.
++     * Note NSE cannot be set without RME, and NSE & !NS is Reserved.
-diff --git a/target/arm/machine.c b/target/arm/machine.c
++     * Ignoring NSE when !NS retains consistency without having to
-index XXXXXXX..XXXXXXX 100644
++     * modify other predicates.
---- a/target/arm/machine.c
++     */
-+++ b/target/arm/machine.c
++    if (!(env->cp15.scr_el3 & SCR_NS)) {
-@@ -XXX,XX +XXX,XX @@
++        return ARMSS_Secure;
- static bool vfp_needed(void *opaque)
++    } else if (env->cp15.scr_el3 & SCR_NSE) {
- {
++        return ARMSS_Realm;
-     ARMCPU *cpu = opaque;
++    } else {
--    CPUARMState *env = &cpu->env;
++        return ARMSS_NonSecure;
++    }
--    return arm_feature(env, ARM_FEATURE_VFP);
++}
-+    return cpu_isar_feature(aa32_simd_r16, cpu);
++#endif /* !CONFIG_USER_ONLY */
  }
  static int get_fpscr(QEMUFile *f, void *opaque, size_t size,
 --
-.20.1
+.34.1

-[PULL 52/52] target/arm: Add missing checks for fpsp_v2
+[PULL 06/26] include/exec/memattrs: Add two bits of space to MemTxAttrs
 From: Richard Henderson <richard.henderson@linaro.org>
-We will eventually remove the early ARM_FEATURE_VFP test,
+We will need 2 bits to represent ARMSecurityState.
 so add a proper test for each trans_* that does not already
 have another ISA test.
+Do not attempt to replace or widen secure, even though it
+logically overlaps the new field -- there are uses within
+e.g. hw/block/pflash_cfi01.c, which don't know anything
+specific about ARM.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200214181547.21408-11-richard.henderson@linaro.org
+Message-id: 20230620124418.805717-7-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-vfp.inc.c | 78 ++++++++++++++++++++++++++++++----
+ include/exec/memattrs.h | 9 ++++++++-
-file changed, 69 insertions(+), 9 deletions(-)
+file changed, 8 insertions(+), 1 deletion(-)
-diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
+diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-vfp.inc.c
+--- a/include/exec/memattrs.h
-+++ b/target/arm/translate-vfp.inc.c
++++ b/include/exec/memattrs.h
-@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_to_gp(DisasContext *s, arg_VMOV_to_gp *a)
+@@ -XXX,XX +XXX,XX @@ typedef struct MemTxAttrs {
-     int pass;
+      * "didn't specify" if necessary.
-     uint32_t offset;
+      */
+     unsigned int unspecified:1;
-+    /* SIZE == 2 is a VFP instruction; otherwise NEON.  */
+-    /* ARM/AMBA: TrustZone Secure access
-+    if (a->size == 2
++    /*
-+        ? !dc_isar_feature(aa32_fpsp_v2, s)
++     * ARM/AMBA: TrustZone Secure access
-+        : !arm_dc_feature(s, ARM_FEATURE_NEON)) {
+      * x86: System Management Mode access
-+        return false;
+      */
-+    }
+     unsigned int secure:1;
-+
++    /*
-     /* UNDEF accesses to D16-D31 if they don't exist */
++     * ARM: ArmSecuritySpace.  This partially overlaps secure, but it is
-     if (!dc_isar_feature(aa32_simd_r32, s) && (a->vn & 0x10)) {
++     * easier to have both fields to assist code that does not understand
-         return false;
++     * ARMv9 RME, or no specific knowledge of ARM at all (e.g. pflash).
-@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_to_gp(DisasContext *s, arg_VMOV_to_gp *a)
++     */
-     pass = extract32(offset, 2, 1);
++    unsigned int space:2;
-     offset = extract32(offset, 0, 2) * 8;
+     /* Memory access is usermode (unprivileged) */
+     unsigned int user:1;
 -    if (a->size != 2 && !arm_dc_feature(s, ARM_FEATURE_NEON)) {
 -        return false;
 -    }
 -
      if (!vfp_access_check(s)) {
          return true;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_from_gp(DisasContext *s, arg_VMOV_from_gp *a)
      int pass;
      uint32_t offset;
 +    /* SIZE == 2 is a VFP instruction; otherwise NEON.  */
 +    if (a->size == 2
 +        ? !dc_isar_feature(aa32_fpsp_v2, s)
 +        : !arm_dc_feature(s, ARM_FEATURE_NEON)) {
 +        return false;
 +    }
 +
      /* UNDEF accesses to D16-D31 if they don't exist */
      if (!dc_isar_feature(aa32_simd_r32, s) && (a->vn & 0x10)) {
          return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_from_gp(DisasContext *s, arg_VMOV_from_gp *a)
      pass = extract32(offset, 2, 1);
      offset = extract32(offset, 0, 2) * 8;
 -    if (a->size != 2 && !arm_dc_feature(s, ARM_FEATURE_NEON)) {
 -        return false;
 -    }
 -
      if (!vfp_access_check(s)) {
          return true;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VMSR_VMRS(DisasContext *s, arg_VMSR_VMRS *a)
      TCGv_i32 tmp;
      bool ignore_vfp_enabled = false;
 +    if (!dc_isar_feature(aa32_fpsp_v2, s)) {
 +        return false;
 +    }
 +
      if (arm_dc_feature(s, ARM_FEATURE_M)) {
          /*
           * The only M-profile VFP vmrs/vmsr sysreg is FPSCR.
@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_single(DisasContext *s, arg_VMOV_single *a)
  {
      TCGv_i32 tmp;
 +    if (!dc_isar_feature(aa32_fpsp_v2, s)) {
 +        return false;
 +    }
 +
      if (!vfp_access_check(s)) {
          return true;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_64_sp(DisasContext *s, arg_VMOV_64_sp *a)
  {
      TCGv_i32 tmp;
 +    if (!dc_isar_feature(aa32_fpsp_v2, s)) {
 +        return false;
 +    }
 +
      /*
-      * VMOV between two general-purpose registers and two single precision
-      * floating point registers
-@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_64_dp(DisasContext *s, arg_VMOV_64_dp *a)
-     /*
-      * VMOV between two general-purpose registers and one double precision
--     * floating point register
-+     * floating point register.  Note that this does not require support
-+     * for double precision arithmetic.
-      */
-+    if (!dc_isar_feature(aa32_fpsp_v2, s)) {
-+        return false;
-+    }
-     /* UNDEF accesses to D16-D31 if they don't exist */
-     if (!dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
-@@ -XXX,XX +XXX,XX @@ static bool trans_VLDR_VSTR_sp(DisasContext *s, arg_VLDR_VSTR_sp *a)
-     uint32_t offset;
-     TCGv_i32 addr, tmp;
-+    if (!dc_isar_feature(aa32_fpsp_v2, s)) {
-+        return false;
-+    }
-+
-     if (!vfp_access_check(s)) {
-         return true;
-     }
-@@ -XXX,XX +XXX,XX @@ static bool trans_VLDR_VSTR_dp(DisasContext *s, arg_VLDR_VSTR_dp *a)
-     TCGv_i32 addr;
-     TCGv_i64 tmp;
-+    /* Note that this does not require support for double arithmetic.  */
-+    if (!dc_isar_feature(aa32_fpsp_v2, s)) {
-+        return false;
-+    }
-+
-     /* UNDEF accesses to D16-D31 if they don't exist */
-     if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd & 0x10)) {
-         return false;
-@@ -XXX,XX +XXX,XX @@ static bool trans_VLDM_VSTM_sp(DisasContext *s, arg_VLDM_VSTM_sp *a)
-     TCGv_i32 addr, tmp;
-     int i, n;
-+    if (!dc_isar_feature(aa32_fpsp_v2, s)) {
-+        return false;
-+    }
-+
-     n = a->imm;
-     if (n == 0 || (a->vd + n) > 32) {
-@@ -XXX,XX +XXX,XX @@ static bool trans_VLDM_VSTM_dp(DisasContext *s, arg_VLDM_VSTM_dp *a)
-     TCGv_i64 tmp;
-     int i, n;
-+    /* Note that this does not require support for double arithmetic.  */
-+    if (!dc_isar_feature(aa32_fpsp_v2, s)) {
-+        return false;
-+    }
-+
-     n = a->imm >> 1;
-     if (n == 0 || (a->vd + n) > 32 || n > 16) {
-@@ -XXX,XX +XXX,XX @@ static bool do_vfp_3op_sp(DisasContext *s, VFPGen3OpSPFn *fn,
-     TCGv_i32 f0, f1, fd;
-     TCGv_ptr fpst;
-+    if (!dc_isar_feature(aa32_fpsp_v2, s)) {
-+        return false;
-+    }
-+
-     if (!dc_isar_feature(aa32_fpshvec, s) &&
-         (veclen != 0 || s->vec_stride != 0)) {
-         return false;
-@@ -XXX,XX +XXX,XX @@ static bool do_vfp_2op_sp(DisasContext *s, VFPGen2OpSPFn *fn, int vd, int vm)
-     int veclen = s->vec_len;
-     TCGv_i32 f0, fd;
-+    if (!dc_isar_feature(aa32_fpsp_v2, s)) {
-+        return false;
-+    }
-+
-     if (!dc_isar_feature(aa32_fpshvec, s) &&
-         (veclen != 0 || s->vec_stride != 0)) {
-         return false;
-@@ -XXX,XX +XXX,XX @@ static bool trans_VCMP_sp(DisasContext *s, arg_VCMP_sp *a)
- {
-     TCGv_i32 vd, vm;
-+    if (!dc_isar_feature(aa32_fpsp_v2, s)) {
-+        return false;
-+    }
-+
-     /* Vm/M bits must be zero for the Z variant */
-     if (a->z && a->vm != 0) {
-         return false;
-@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_int_sp(DisasContext *s, arg_VCVT_int_sp *a)
-     TCGv_i32 vm;
-     TCGv_ptr fpst;
-+    if (!dc_isar_feature(aa32_fpsp_v2, s)) {
-+        return false;
-+    }
-+
-     if (!vfp_access_check(s)) {
-         return true;
-     }
-@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_sp_int(DisasContext *s, arg_VCVT_sp_int *a)
-     TCGv_i32 vm;
-     TCGv_ptr fpst;
-+    if (!dc_isar_feature(aa32_fpsp_v2, s)) {
-+        return false;
-+    }
-+
-     if (!vfp_access_check(s)) {
-         return true;
-     }
 --
-.20.1
+.34.1

-[PULL 44/52] target/arm: Rename isar_feature_aa32_simd_r32
+[PULL 07/26] target/arm: Adjust the order of Phys and Stage2 ARMMMUIdx
 From: Richard Henderson <richard.henderson@linaro.org>
-The old name, isar_feature_aa32_fp_d32, does not reflect
+It will be helpful to have ARMMMUIdx_Phys_* to be in the same
-the MVFR0 field name, SIMDReg.
+relative order as ARMSecuritySpace enumerators. This requires
 the adjustment to the nstable check. While there, check for being
 in secure state rather than rely on clearing the low bit making
 no change to non-secure state.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20230620124418.805717-8-richard.henderson@linaro.org
 Message-id: 20200214181547.21408-3-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 [PMM: wrapped one long line]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.h               |  2 +-
+ target/arm/cpu.h | 12 ++++++------
- target/arm/translate-vfp.inc.c | 53 +++++++++++++++++-----------------
+ target/arm/ptw.c | 12 +++++-------
-files changed, 28 insertions(+), 27 deletions(-)
+files changed, 11 insertions(+), 13 deletions(-)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_fp16_arith(const ARMISARegisters *id)
+@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdx {
-     return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, FP) == 1;
+     ARMMMUIdx_E2        = 6 | ARM_MMU_IDX_A,
- }
+     ARMMMUIdx_E3        = 7 | ARM_MMU_IDX_A,
--static inline bool isar_feature_aa32_fp_d32(const ARMISARegisters *id)
+-    /* TLBs with 1-1 mapping to the physical address spaces. */
-+static inline bool isar_feature_aa32_simd_r32(const ARMISARegisters *id)
+-    ARMMMUIdx_Phys_NS   = 8 | ARM_MMU_IDX_A,
- {
+-    ARMMMUIdx_Phys_S    = 9 | ARM_MMU_IDX_A,
-     /* Return true if D16-D31 are implemented */
+-
-     return FIELD_EX32(id->mvfr0, MVFR0, SIMDREG) >= 2;
+     /*
-diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
+      * Used for second stage of an S12 page table walk, or for descriptor
       * loads during first stage of an S1 page table walk.  Note that both
       * are in use simultaneously for SecureEL2: the security state for
       * the S2 ptw is selected by the NS bit from the S1 ptw.
       */
 -    ARMMMUIdx_Stage2    = 10 | ARM_MMU_IDX_A,
 -    ARMMMUIdx_Stage2_S  = 11 | ARM_MMU_IDX_A,
 +    ARMMMUIdx_Stage2_S  = 8 | ARM_MMU_IDX_A,
 +    ARMMMUIdx_Stage2    = 9 | ARM_MMU_IDX_A,
 +
 +    /* TLBs with 1-1 mapping to the physical address spaces. */
 +    ARMMMUIdx_Phys_S    = 10 | ARM_MMU_IDX_A,
 +    ARMMMUIdx_Phys_NS   = 11 | ARM_MMU_IDX_A,
      /*
       * These are not allocated TLBs and are used only for AT system
 diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-vfp.inc.c
+--- a/target/arm/ptw.c
-+++ b/target/arm/translate-vfp.inc.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_VSEL(DisasContext *s, arg_VSEL *a)
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
      descaddr |= (address >> (stride * (4 - level))) & indexmask;
      descaddr &= ~7ULL;
      nstable = !regime_is_stage2(mmu_idx) && extract32(tableattrs, 4, 1);
 -    if (nstable) {
 +    if (nstable && ptw->in_secure) {
          /*
           * Stage2_S -> Stage2 or Phys_S -> Phys_NS
 -         * Assert that the non-secure idx are even, and relative order.
 +         * Assert the relative order of the secure/non-secure indexes.
           */
 -        QEMU_BUILD_BUG_ON((ARMMMUIdx_Phys_NS & 1) != 0);
 -        QEMU_BUILD_BUG_ON((ARMMMUIdx_Stage2 & 1) != 0);
 -        QEMU_BUILD_BUG_ON(ARMMMUIdx_Phys_NS + 1 != ARMMMUIdx_Phys_S);
 -        QEMU_BUILD_BUG_ON(ARMMMUIdx_Stage2 + 1 != ARMMMUIdx_Stage2_S);
 -        ptw->in_ptw_idx &= ~1;
 +        QEMU_BUILD_BUG_ON(ARMMMUIdx_Phys_S + 1 != ARMMMUIdx_Phys_NS);
 +        QEMU_BUILD_BUG_ON(ARMMMUIdx_Stage2_S + 1 != ARMMMUIdx_Stage2);
 +        ptw->in_ptw_idx += 1;
          ptw->in_secure = false;
      }
+     if (!S1_ptw_translate(env, ptw, descaddr, fi)) {
      /* UNDEF accesses to D16-D31 if they don't exist */
 -    if (dp && !dc_isar_feature(aa32_fp_d32, s) &&
 +    if (dp && !dc_isar_feature(aa32_simd_r32, s) &&
          ((a->vm | a->vn | a->vd) & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VMINMAXNM(DisasContext *s, arg_VMINMAXNM *a)
      }
      /* UNDEF accesses to D16-D31 if they don't exist */
 -    if (dp && !dc_isar_feature(aa32_fp_d32, s) &&
 +    if (dp && !dc_isar_feature(aa32_simd_r32, s) &&
          ((a->vm | a->vn | a->vd) & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINT(DisasContext *s, arg_VRINT *a)
      }
      /* UNDEF accesses to D16-D31 if they don't exist */
 -    if (dp && !dc_isar_feature(aa32_fp_d32, s) &&
 +    if (dp && !dc_isar_feature(aa32_simd_r32, s) &&
          ((a->vm | a->vd) & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT(DisasContext *s, arg_VCVT *a)
      }
      /* UNDEF accesses to D16-D31 if they don't exist */
 -    if (dp && !dc_isar_feature(aa32_fp_d32, s) && (a->vm & 0x10)) {
 +    if (dp && !dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_to_gp(DisasContext *s, arg_VMOV_to_gp *a)
      uint32_t offset;
      /* UNDEF accesses to D16-D31 if they don't exist */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vn & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vn & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_from_gp(DisasContext *s, arg_VMOV_from_gp *a)
      uint32_t offset;
      /* UNDEF accesses to D16-D31 if they don't exist */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vn & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vn & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VDUP(DisasContext *s, arg_VDUP *a)
      }
      /* UNDEF accesses to D16-D31 if they don't exist */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vn & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vn & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_64_dp(DisasContext *s, arg_VMOV_64_dp *a)
       */
      /* UNDEF accesses to D16-D31 if they don't exist */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vm & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDR_VSTR_dp(DisasContext *s, arg_VLDR_VSTR_dp *a)
      TCGv_i64 tmp;
      /* UNDEF accesses to D16-D31 if they don't exist */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vd & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDM_VSTM_dp(DisasContext *s, arg_VLDM_VSTM_dp *a)
      }
      /* UNDEF accesses to D16-D31 if they don't exist */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vd + n) > 16) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd + n) > 16) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool do_vfp_3op_dp(DisasContext *s, VFPGen3OpDPFn *fn,
      TCGv_ptr fpst;
      /* UNDEF accesses to D16-D31 if they don't exist */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && ((vd | vn | vm) & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && ((vd | vn | vm) & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool do_vfp_2op_dp(DisasContext *s, VFPGen2OpDPFn *fn, int vd, int vm)
      TCGv_i64 f0, fd;
      /* UNDEF accesses to D16-D31 if they don't exist */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && ((vd | vm) & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && ((vd | vm) & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VFM_dp(DisasContext *s, arg_VFM_dp *a)
      }
      /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && ((a->vd | a->vn | a->vm) & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) &&
 +        ((a->vd | a->vn | a->vm) & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_imm_dp(DisasContext *s, arg_VMOV_imm_dp *a)
      vd = a->vd;
      /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && (vd & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (vd & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCMP_dp(DisasContext *s, arg_VCMP_dp *a)
      }
      /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && ((a->vd | a->vm) & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && ((a->vd | a->vm) & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_f64_f16(DisasContext *s, arg_VCVT_f64_f16 *a)
      }
      /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vd  & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd  & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_f16_f64(DisasContext *s, arg_VCVT_f16_f64 *a)
      }
      /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vm  & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vm  & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTR_dp(DisasContext *s, arg_VRINTR_dp *a)
      }
      /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && ((a->vd | a->vm) & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && ((a->vd | a->vm) & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTZ_dp(DisasContext *s, arg_VRINTZ_dp *a)
      }
      /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && ((a->vd | a->vm) & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && ((a->vd | a->vm) & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTX_dp(DisasContext *s, arg_VRINTX_dp *a)
      }
      /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && ((a->vd | a->vm) & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && ((a->vd | a->vm) & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_sp(DisasContext *s, arg_VCVT_sp *a)
      TCGv_i32 vm;
      /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vd & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_dp(DisasContext *s, arg_VCVT_dp *a)
      TCGv_i32 vd;
      /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vm & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_int_dp(DisasContext *s, arg_VCVT_int_dp *a)
      TCGv_ptr fpst;
      /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vd & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VJCVT(DisasContext *s, arg_VJCVT *a)
      }
      /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vm & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_fix_dp(DisasContext *s, arg_VCVT_fix_dp *a)
      }
      /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vd & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_dp_int(DisasContext *s, arg_VCVT_dp_int *a)
      TCGv_ptr fpst;
      /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vm & 0x10)) {
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
          return false;
      }
 --
-.20.1
+.34.1

-[PULL 49/52] target/arm: Add isar_feature_aa32_{fpsp_v2, fpsp_v3, fpdp_v3}
+[PULL 08/26] target/arm: Introduce ARMMMUIdx_Phys_{Realm,Root}
 From: Richard Henderson <richard.henderson@linaro.org>
-We will shortly use these to test for VFPv2 and VFPv3
+With FEAT_RME, there are four physical address spaces.
-in different situations.
+For now, just define the symbols, and mention them in
 the same spots as the other Phys indexes in ptw.c.
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200214181547.21408-8-richard.henderson@linaro.org
+Message-id: 20230620124418.805717-9-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.h | 18 ++++++++++++++++++
+ target/arm/cpu.h | 23 +++++++++++++++++++++--
-file changed, 18 insertions(+)
+ target/arm/ptw.c | 10 ++++++++--
 files changed, 29 insertions(+), 4 deletions(-)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_fpshvec(const ARMISARegisters *id)
+@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdx {
-     return FIELD_EX32(id->mvfr0, MVFR0, FPSHVEC) > 0;
+     ARMMMUIdx_Stage2    = 9 | ARM_MMU_IDX_A,
- }
+     /* TLBs with 1-1 mapping to the physical address spaces. */
-+static inline bool isar_feature_aa32_fpsp_v2(const ARMISARegisters *id)
+-    ARMMMUIdx_Phys_S    = 10 | ARM_MMU_IDX_A,
 -    ARMMMUIdx_Phys_NS   = 11 | ARM_MMU_IDX_A,
 +    ARMMMUIdx_Phys_S     = 10 | ARM_MMU_IDX_A,
 +    ARMMMUIdx_Phys_NS    = 11 | ARM_MMU_IDX_A,
 +    ARMMMUIdx_Phys_Root  = 12 | ARM_MMU_IDX_A,
 +    ARMMMUIdx_Phys_Realm = 13 | ARM_MMU_IDX_A,
      /*
       * These are not allocated TLBs and are used only for AT system
@@ -XXX,XX +XXX,XX @@ typedef enum ARMASIdx {
      ARMASIdx_TagS = 3,
  } ARMASIdx;
 +static inline ARMMMUIdx arm_space_to_phys(ARMSecuritySpace space)
 +{
-+    /* Return true if CPU supports single precision floating point, VFPv2 */
++    /* Assert the relative order of the physical mmu indexes. */
-+    return FIELD_EX32(id->mvfr0, MVFR0, FPSP) > 0;
++    QEMU_BUILD_BUG_ON(ARMSS_Secure != 0);
 +    QEMU_BUILD_BUG_ON(ARMMMUIdx_Phys_NS != ARMMMUIdx_Phys_S + ARMSS_NonSecure);
 +    QEMU_BUILD_BUG_ON(ARMMMUIdx_Phys_Root != ARMMMUIdx_Phys_S + ARMSS_Root);
 +    QEMU_BUILD_BUG_ON(ARMMMUIdx_Phys_Realm != ARMMMUIdx_Phys_S + ARMSS_Realm);
 +
 +    return ARMMMUIdx_Phys_S + space;
 +}
 +
-+static inline bool isar_feature_aa32_fpsp_v3(const ARMISARegisters *id)
++static inline ARMSecuritySpace arm_phys_to_space(ARMMMUIdx idx)
 +{
-+    /* Return true if CPU supports single precision floating point, VFPv3 */
++    assert(idx >= ARMMMUIdx_Phys_S && idx <= ARMMMUIdx_Phys_Realm);
-+    return FIELD_EX32(id->mvfr0, MVFR0, FPSP) >= 2;
++    return idx - ARMMMUIdx_Phys_S;
 +}
 +
- static inline bool isar_feature_aa32_fpdp_v2(const ARMISARegisters *id)
+ static inline bool arm_v7m_csselr_razwi(ARMCPU *cpu)
  {
-     /* Return true if CPU supports double precision floating point, VFPv2 */
+     /* If all the CLIDR.Ctypem bits are 0 there are no caches, and
-     return FIELD_EX32(id->mvfr0, MVFR0, FPDP) > 0;
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
- }
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/ptw.c
-+static inline bool isar_feature_aa32_fpdp_v3(const ARMISARegisters *id)
++++ b/target/arm/ptw.c
-+{
+@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
-+    /* Return true if CPU supports double precision floating point, VFPv3 */
+     case ARMMMUIdx_E3:
-+    return FIELD_EX32(id->mvfr0, MVFR0, FPDP) >= 2;
+         break;
-+}
-+
+-    case ARMMMUIdx_Phys_NS:
- /*
+     case ARMMMUIdx_Phys_S:
-  * We always set the FP and SIMD FP16 fields to indicate identical
++    case ARMMMUIdx_Phys_NS:
-  * levels of support (assuming SIMD is implemented at all), so
++    case ARMMMUIdx_Phys_Root:
 +    case ARMMMUIdx_Phys_Realm:
          /* No translation for physical address spaces. */
          return true;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
      switch (mmu_idx) {
      case ARMMMUIdx_Stage2:
      case ARMMMUIdx_Stage2_S:
 -    case ARMMMUIdx_Phys_NS:
      case ARMMMUIdx_Phys_S:
 +    case ARMMMUIdx_Phys_NS:
 +    case ARMMMUIdx_Phys_Root:
 +    case ARMMMUIdx_Phys_Realm:
          break;
      default:
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
      switch (mmu_idx) {
      case ARMMMUIdx_Phys_S:
      case ARMMMUIdx_Phys_NS:
 +    case ARMMMUIdx_Phys_Root:
 +    case ARMMMUIdx_Phys_Realm:
          /* Checking Phys early avoids special casing later vs regime_el. */
          return get_phys_addr_disabled(env, address, access_type, mmu_idx,
                                        is_secure, result, fi);
 --
-.20.1
+.34.1

-[PULL 46/52] target/arm: Set MVFR0.FPSP for ARMv5 cpus
+[PULL 09/26] target/arm: Remove __attribute__((nonnull)) from ptw.c
 From: Richard Henderson <richard.henderson@linaro.org>
-We are going to convert FEATURE tests to ISAR tests,
+This was added in 7e98e21c098 as part of a reorg in which
-so FPSP needs to be set for these cpus, like we have
+one of the argument had been legally NULL, and this caught
-already for FPDP.
+actual instances.  Now that the reorg is complete, this
 serves little purpose.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200214181547.21408-5-richard.henderson@linaro.org
+Message-id: 20230620124418.805717-10-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.c | 10 ++++++----
+ target/arm/ptw.c | 6 ++----
-file changed, 6 insertions(+), 4 deletions(-)
+file changed, 2 insertions(+), 4 deletions(-)
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
+--- a/target/arm/ptw.c
-+++ b/target/arm/cpu.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static void arm926_initfn(Object *obj)
+@@ -XXX,XX +XXX,XX @@ typedef struct S1Translate {
-      */
+ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
+                                uint64_t address,
-     /*
+                                MMUAccessType access_type, bool s1_is_el0,
--     * Similarly, we need to set MVFR0 fields to enable double precision
+-                               GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
--     * and short vector support even though ARMv5 doesn't have this register.
+-    __attribute__((nonnull));
-+     * Similarly, we need to set MVFR0 fields to enable vfp and short vector
++                               GetPhysAddrResult *result, ARMMMUFaultInfo *fi);
-+     * support even though ARMv5 doesn't have this register.
-      */
+ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
-     cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
+                                       target_ulong address,
-+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSP, 1);
+                                       MMUAccessType access_type,
-     cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
+                                       GetPhysAddrResult *result,
- }
+-                                      ARMMMUFaultInfo *fi)
+-    __attribute__((nonnull));
-@@ -XXX,XX +XXX,XX @@ static void arm1026_initfn(Object *obj)
++                                      ARMMMUFaultInfo *fi);
-      */
-     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
+ /* This mapping is common between ID_AA64MMFR0.PARANGE and TCR_ELx.{I}PS. */
-     /*
+ static const uint8_t pamax_map[] = {
 -     * Similarly, we need to set MVFR0 fields to enable double precision
 -     * and short vector support even though ARMv5 doesn't have this register.
 +     * Similarly, we need to set MVFR0 fields to enable vfp and short vector
 +     * support even though ARMv5 doesn't have this register.
       */
      cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
 +    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSP, 1);
      cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
      {
 --
-.20.1
+.34.1

-[PULL 09/52] target/arm: Flush high bits of sve register after AdvSIMD INS
+[PULL 10/26] target/arm: Pipe ARMSecuritySpace through ptw.c
 From: Richard Henderson <richard.henderson@linaro.org>
-Writes to AdvSIMD registers flush the bits above 128.
+Add input and output space members to S1Translate.  Set and adjust
 them in S1_ptw_translate, and the various points at which we drop
 secure state.  Initialize the space in get_phys_addr; for now leave
 get_phys_addr_with_secure considering only secure vs non-secure spaces.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200214194643.23317-5-richard.henderson@linaro.org
+Message-id: 20230620124418.805717-11-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.c | 6 ++++++
+ target/arm/ptw.c | 86 +++++++++++++++++++++++++++++++++++++++---------
-file changed, 6 insertions(+)
+file changed, 71 insertions(+), 15 deletions(-)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
+--- a/target/arm/ptw.c
-+++ b/target/arm/translate-a64.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static void handle_simd_inse(DisasContext *s, int rd, int rn,
+@@ -XXX,XX +XXX,XX @@
-     write_vec_element(s, tmp, rd, dst_index, size);
+ typedef struct S1Translate {
+     ARMMMUIdx in_mmu_idx;
-     tcg_temp_free_i64(tmp);
+     ARMMMUIdx in_ptw_idx;
 +    ARMSecuritySpace in_space;
      bool in_secure;
      bool in_debug;
      bool out_secure;
      bool out_rw;
      bool out_be;
 +    ARMSecuritySpace out_space;
      hwaddr out_virt;
      hwaddr out_phys;
      void *out_host;
@@ -XXX,XX +XXX,XX @@ static bool S2_attrs_are_device(uint64_t hcr, uint8_t attrs)
  static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
                               hwaddr addr, ARMMMUFaultInfo *fi)
  {
 +    ARMSecuritySpace space = ptw->in_space;
      bool is_secure = ptw->in_secure;
      ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
      ARMMMUIdx s2_mmu_idx = ptw->in_ptw_idx;
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
                  .in_mmu_idx = s2_mmu_idx,
                  .in_ptw_idx = ptw_idx_for_stage_2(env, s2_mmu_idx),
                  .in_secure = s2_mmu_idx == ARMMMUIdx_Stage2_S,
 +                .in_space = (s2_mmu_idx == ARMMMUIdx_Stage2_S ? ARMSS_Secure
 +                             : space == ARMSS_Realm ? ARMSS_Realm
 +                             : ARMSS_NonSecure),
                  .in_debug = true,
              };
              GetPhysAddrResult s2 = { };
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
              ptw->out_phys = s2.f.phys_addr;
              pte_attrs = s2.cacheattrs.attrs;
              ptw->out_secure = s2.f.attrs.secure;
 +            ptw->out_space = s2.f.attrs.space;
          } else {
              /* Regime is physical. */
              ptw->out_phys = addr;
              pte_attrs = 0;
              ptw->out_secure = s2_mmu_idx == ARMMMUIdx_Phys_S;
 +            ptw->out_space = (s2_mmu_idx == ARMMMUIdx_Phys_S ? ARMSS_Secure
 +                              : space == ARMSS_Realm ? ARMSS_Realm
 +                              : ARMSS_NonSecure);
          }
          ptw->out_host = NULL;
          ptw->out_rw = false;
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
          ptw->out_rw = full->prot & PAGE_WRITE;
          pte_attrs = full->pte_attrs;
          ptw->out_secure = full->attrs.secure;
 +        ptw->out_space = full->attrs.space;
  #else
          g_assert_not_reached();
  #endif
@@ -XXX,XX +XXX,XX @@ static uint32_t arm_ldl_ptw(CPUARMState *env, S1Translate *ptw,
          }
      } else {
          /* Page tables are in MMIO. */
 -        MemTxAttrs attrs = { .secure = ptw->out_secure };
 +        MemTxAttrs attrs = {
 +            .secure = ptw->out_secure,
 +            .space = ptw->out_space,
 +        };
          AddressSpace *as = arm_addressspace(cs, attrs);
          MemTxResult result = MEMTX_OK;
@@ -XXX,XX +XXX,XX @@ static uint64_t arm_ldq_ptw(CPUARMState *env, S1Translate *ptw,
  #endif
      } else {
          /* Page tables are in MMIO. */
 -        MemTxAttrs attrs = { .secure = ptw->out_secure };
 +        MemTxAttrs attrs = {
 +            .secure = ptw->out_secure,
 +            .space = ptw->out_space,
 +        };
          AddressSpace *as = arm_addressspace(cs, attrs);
          MemTxResult result = MEMTX_OK;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, S1Translate *ptw,
           * regime, because the attribute will already be non-secure.
           */
          result->f.attrs.secure = false;
 +        result->f.attrs.space = ARMSS_NonSecure;
      }
      result->f.phys_addr = phys_addr;
      return false;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
           * regime, because the attribute will already be non-secure.
           */
          result->f.attrs.secure = false;
 +        result->f.attrs.space = ARMSS_NonSecure;
      }
      if (regime_is_stage2(mmu_idx)) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,
               */
              if (sattrs.ns) {
                  result->f.attrs.secure = false;
 +                result->f.attrs.space = ARMSS_NonSecure;
              } else if (!secure) {
                  /*
                   * NS access to S memory must fault.
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
      bool is_secure = ptw->in_secure;
      bool ret, ipa_secure;
      ARMCacheAttrs cacheattrs1;
 +    ARMSecuritySpace ipa_space;
      bool is_el0;
      uint64_t hcr;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
      ipa = result->f.phys_addr;
      ipa_secure = result->f.attrs.secure;
 +    ipa_space = result->f.attrs.space;
      is_el0 = ptw->in_mmu_idx == ARMMMUIdx_Stage1_E0;
      ptw->in_mmu_idx = ipa_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
      ptw->in_secure = ipa_secure;
 +    ptw->in_space = ipa_space;
      ptw->in_ptw_idx = ptw_idx_for_stage_2(env, ptw->in_mmu_idx);
      /*
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
      ARMMMUIdx s1_mmu_idx;
      /*
 -     * The page table entries may downgrade secure to non-secure, but
 -     * cannot upgrade an non-secure translation regime's attributes
 -     * to secure.
 +     * The page table entries may downgrade Secure to NonSecure, but
 +     * cannot upgrade a NonSecure translation regime's attributes
 +     * to Secure or Realm.
       */
      result->f.attrs.secure = is_secure;
 +    result->f.attrs.space = ptw->in_space;
      switch (mmu_idx) {
      case ARMMMUIdx_Phys_S:
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
      default:
          /* Single stage uses physical for ptw. */
 -        ptw->in_ptw_idx = is_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS;
 +        ptw->in_ptw_idx = arm_space_to_phys(ptw->in_space);
          break;
      }
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
      S1Translate ptw = {
          .in_mmu_idx = mmu_idx,
          .in_secure = is_secure,
 +        .in_space = arm_secure_to_space(is_secure),
      };
      return get_phys_addr_with_struct(env, &ptw, address, access_type,
                                       result, fi);
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
                     MMUAccessType access_type, ARMMMUIdx mmu_idx,
                     GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
  {
 -    bool is_secure;
 +    S1Translate ptw = {
 +        .in_mmu_idx = mmu_idx,
 +    };
 +    ARMSecuritySpace ss;
      switch (mmu_idx) {
      case ARMMMUIdx_E10_0:
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
      case ARMMMUIdx_Stage1_E1:
      case ARMMMUIdx_Stage1_E1_PAN:
      case ARMMMUIdx_E2:
 -        is_secure = arm_is_secure_below_el3(env);
 +        ss = arm_security_space_below_el3(env);
          break;
      case ARMMMUIdx_Stage2:
 +        /*
 +         * For Secure EL2, we need this index to be NonSecure;
 +         * otherwise this will already be NonSecure or Realm.
 +         */
 +        ss = arm_security_space_below_el3(env);
 +        if (ss == ARMSS_Secure) {
 +            ss = ARMSS_NonSecure;
 +        }
 +        break;
      case ARMMMUIdx_Phys_NS:
      case ARMMMUIdx_MPrivNegPri:
      case ARMMMUIdx_MUserNegPri:
      case ARMMMUIdx_MPriv:
      case ARMMMUIdx_MUser:
 -        is_secure = false;
 +        ss = ARMSS_NonSecure;
          break;
 -    case ARMMMUIdx_E3:
      case ARMMMUIdx_Stage2_S:
      case ARMMMUIdx_Phys_S:
      case ARMMMUIdx_MSPrivNegPri:
      case ARMMMUIdx_MSUserNegPri:
      case ARMMMUIdx_MSPriv:
      case ARMMMUIdx_MSUser:
 -        is_secure = true;
 +        ss = ARMSS_Secure;
 +        break;
 +    case ARMMMUIdx_E3:
 +        if (arm_feature(env, ARM_FEATURE_AARCH64) &&
 +            cpu_isar_feature(aa64_rme, env_archcpu(env))) {
 +            ss = ARMSS_Root;
 +        } else {
 +            ss = ARMSS_Secure;
 +        }
 +        break;
 +    case ARMMMUIdx_Phys_Root:
 +        ss = ARMSS_Root;
 +        break;
 +    case ARMMMUIdx_Phys_Realm:
 +        ss = ARMSS_Realm;
          break;
      default:
          g_assert_not_reached();
      }
 -    return get_phys_addr_with_secure(env, address, access_type, mmu_idx,
 -                                     is_secure, result, fi);
 +
-+    /* INS is considered a 128-bit write for SVE. */
++    ptw.in_space = ss;
-+    clear_vec_high(s, true, rd);
++    ptw.in_secure = arm_space_is_secure(ss);
 +    return get_phys_addr_with_struct(env, &ptw, address, access_type,
 +                                     result, fi);
  }
+ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
-@@ -XXX,XX +XXX,XX @@ static void handle_simd_insg(DisasContext *s, int rd, int rn, int imm5)
+@@ -XXX,XX +XXX,XX @@ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
+ {
-     idx = extract32(imm5, 1 + size, 4 - size);
+     ARMCPU *cpu = ARM_CPU(cs);
-     write_vec_element(s, cpu_reg(s, rn), rd, idx, size);
+     CPUARMState *env = &cpu->env;
-+
++    ARMMMUIdx mmu_idx = arm_mmu_idx(env);
-+    /* INS is considered a 128-bit write for SVE. */
++    ARMSecuritySpace ss = arm_security_space(env);
-+    clear_vec_high(s, true, rd);
+     S1Translate ptw = {
- }
+-        .in_mmu_idx = arm_mmu_idx(env),
+-        .in_secure = arm_is_secure(env),
- /*
++        .in_mmu_idx = mmu_idx,
 +        .in_space = ss,
 +        .in_secure = arm_space_is_secure(ss),
          .in_debug = true,
      };
      GetPhysAddrResult res = {};
 --
-.20.1
+.34.1

-[PULL 12/52] target/arm: Remove ttbr1_valid check from get_phys_addr_lpae
+[PULL 11/26] target/arm: NSTable is RES0 for the RME EL3 regime
 From: Richard Henderson <richard.henderson@linaro.org>
-Now that aa64_va_parameters_both sets select based on the number
+Test in_space instead of in_secure so that we don't
-of ranges in the regime, the ttbr1_valid check is redundant.
+switch out of Root space.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200216194343.21331-4-richard.henderson@linaro.org
+Message-id: 20230620124418.805717-12-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.c | 6 +-----
+ target/arm/ptw.c | 28 ++++++++++++++--------------
-file changed, 1 insertion(+), 5 deletions(-)
+file changed, 14 insertions(+), 14 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
+--- a/target/arm/ptw.c
-+++ b/target/arm/helper.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-     TCR *tcr = regime_tcr(env, mmu_idx);
+ {
-     int ap, ns, xn, pxn;
+     ARMCPU *cpu = env_archcpu(env);
-     uint32_t el = regime_el(env, mmu_idx);
+     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
--    bool ttbr1_valid;
+-    bool is_secure = ptw->in_secure;
      int32_t level;
      ARMVAParameters param;
      uint64_t ttbr;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
      uint64_t descaddrmask;
      bool aarch64 = arm_el_is_aa64(env, el);
-     bool guarded = false;
+     uint64_t descriptor, new_descriptor;
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
+-    bool nstable;
-         param = aa64_va_parameters(env, address, mmu_idx,
-                                    access_type != MMU_INST_FETCH);
+     /* TODO: This code does not support shareability levels. */
-         level = 0;
+     if (aarch64) {
--        ttbr1_valid = regime_has_2_ranges(mmu_idx);
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-         addrsize = 64 - 8 * param.tbi;
+         descaddrmask = MAKE_64BIT_MASK(0, 40);
          inputsize = 64 - param.tsz;
      } else {
          param = aa32_va_parameters(env, address, mmu_idx);
          level = 1;
 -        /* There is no TTBR1 for EL2 */
 -        ttbr1_valid = (el != 2);
          addrsize = (mmu_idx == ARMMMUIdx_Stage2 ? 40 : 32);
          inputsize = addrsize - param.tsz;
      }
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
+     descaddrmask &= ~indexmask_grainsize;
-     if (inputsize < addrsize) {
+-
-         target_ulong top_bits = sextract64(address, inputsize,
+-    /*
-                                            addrsize - inputsize);
+-     * Secure stage 1 accesses start with the page table in secure memory and
--        if (-top_bits != param.select || (param.select && !ttbr1_valid)) {
+-     * can be downgraded to non-secure at any step. Non-secure accesses
-+        if (-top_bits != param.select) {
+-     * remain non-secure. We implement this by just ORing in the NSTable/NS
-             /* The gap between the two regions is a Translation fault */
+-     * bits at each step.
-             fault_type = ARMFault_Translation;
+-     * Stage 2 never gets this kind of downgrade.
-             goto do_fault;
+-     */
 -    tableattrs = is_secure ? 0 : (1 << 4);
 +    tableattrs = 0;
   next_level:
      descaddr |= (address >> (stride * (4 - level))) & indexmask;
      descaddr &= ~7ULL;
 -    nstable = !regime_is_stage2(mmu_idx) && extract32(tableattrs, 4, 1);
 -    if (nstable && ptw->in_secure) {
 +
 +    /*
 +     * Process the NSTable bit from the previous level.  This changes
 +     * the table address space and the output space from Secure to
 +     * NonSecure.  With RME, the EL3 translation regime does not change
 +     * from Root to NonSecure.
 +     */
 +    if (ptw->in_space == ARMSS_Secure
 +        && !regime_is_stage2(mmu_idx)
 +        && extract32(tableattrs, 4, 1)) {
          /*
           * Stage2_S -> Stage2 or Phys_S -> Phys_NS
           * Assert the relative order of the secure/non-secure indexes.
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
          QEMU_BUILD_BUG_ON(ARMMMUIdx_Stage2_S + 1 != ARMMMUIdx_Stage2);
          ptw->in_ptw_idx += 1;
          ptw->in_secure = false;
 +        ptw->in_space = ARMSS_NonSecure;
      }
 +
      if (!S1_ptw_translate(env, ptw, descaddr, fi)) {
          goto do_fault;
      }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
       */
      attrs = new_descriptor & (MAKE_64BIT_MASK(2, 10) | MAKE_64BIT_MASK(50, 14));
      if (!regime_is_stage2(mmu_idx)) {
 -        attrs |= nstable << 5; /* NS */
 +        attrs |= !ptw->in_secure << 5; /* NS */
          if (!param.hpd) {
              attrs |= extract64(tableattrs, 0, 2) << 53;     /* XN, PXN */
              /*
 --
-.20.1
+.34.1

-[PULL 50/52] target/arm: Perform fpdp_v2 check first
+[PULL 12/26] target/arm: Handle Block and Page bits for security space
 From: Richard Henderson <richard.henderson@linaro.org>
-Shuffle the order of the checks so that we test the ISA
+With Realm security state, bit 55 of a block or page descriptor during
-before we test anything else, such as the register arguments.
+the stage2 walk becomes the NS bit; during the stage1 walk the bit 5
 NS bit is RES0.  With Root security state, bit 11 of the block or page
 descriptor during the stage1 walk becomes the NSE bit.
+Rather than collecting an NS bit and applying it later, compute the
+output pa space from the input pa space and unconditionally assign.
+This means that we no longer need to adjust the output space earlier
+for the NSTable bit.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200214181547.21408-9-richard.henderson@linaro.org
+Message-id: 20230620124418.805717-13-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-vfp.inc.c | 144 ++++++++++++++++-----------------
+ target/arm/ptw.c | 89 +++++++++++++++++++++++++++++++++++++++---------
-file changed, 72 insertions(+), 72 deletions(-)
+file changed, 73 insertions(+), 16 deletions(-)
-diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-vfp.inc.c
+--- a/target/arm/ptw.c
-+++ b/target/arm/translate-vfp.inc.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_VSEL(DisasContext *s, arg_VSEL *a)
+@@ -XXX,XX +XXX,XX @@ static int get_S2prot(CPUARMState *env, int s2ap, int xn, bool s1_is_el0)
-         return false;
+  * @mmu_idx: MMU index indicating required translation regime
   * @is_aa64: TRUE if AArch64
   * @ap:      The 2-bit simple AP (AP[2:1])
 - * @ns:      NS (non-secure) bit
   * @xn:      XN (execute-never) bit
   * @pxn:     PXN (privileged execute-never) bit
 + * @in_pa:   The original input pa space
 + * @out_pa:  The output pa space, modified by NSTable, NS, and NSE
   */
  static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64,
 -                      int ap, int ns, int xn, int pxn)
 +                      int ap, int xn, int pxn,
 +                      ARMSecuritySpace in_pa, ARMSecuritySpace out_pa)
  {
      ARMCPU *cpu = env_archcpu(env);
      bool is_user = regime_is_user(env, mmu_idx);
@@ -XXX,XX +XXX,XX @@ static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64,
          }
      }
--    /* UNDEF accesses to D16-D31 if they don't exist */
+-    if (ns && arm_is_secure(env) && (env->cp15.scr_el3 & SCR_SIF)) {
--    if (dp && !dc_isar_feature(aa32_simd_r32, s) &&
++    if (out_pa == ARMSS_NonSecure && in_pa == ARMSS_Secure &&
--        ((a->vm | a->vn | a->vd) & 0x10)) {
++        (env->cp15.scr_el3 & SCR_SIF)) {
-+    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
+         return prot_rw;
          return false;
      }
--    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-+    /* UNDEF accesses to D16-D31 if they don't exist */
+     int32_t stride;
-+    if (dp && !dc_isar_feature(aa32_simd_r32, s) &&
+     int addrsize, inputsize, outputsize;
-+        ((a->vm | a->vn | a->vd) & 0x10)) {
+     uint64_t tcr = regime_tcr(env, mmu_idx);
-         return false;
+-    int ap, ns, xn, pxn;
 +    int ap, xn, pxn;
      uint32_t el = regime_el(env, mmu_idx);
      uint64_t descaddrmask;
      bool aarch64 = arm_el_is_aa64(env, el);
      uint64_t descriptor, new_descriptor;
 +    ARMSecuritySpace out_space;
      /* TODO: This code does not support shareability levels. */
      if (aarch64) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
      }
-@@ -XXX,XX +XXX,XX @@ static bool trans_VMINMAXNM(DisasContext *s, arg_VMINMAXNM *a)
+     ap = extract32(attrs, 6, 2);
-         return false;
++    out_space = ptw->in_space;
      if (regime_is_stage2(mmu_idx)) {
 -        ns = mmu_idx == ARMMMUIdx_Stage2;
 +        /*
 +         * R_GYNXY: For stage2 in Realm security state, bit 55 is NS.
 +         * The bit remains ignored for other security states.
 +         */
 +        if (out_space == ARMSS_Realm && extract64(attrs, 55, 1)) {
 +            out_space = ARMSS_NonSecure;
 +        }
          xn = extract64(attrs, 53, 2);
          result->f.prot = get_S2prot(env, ap, xn, s1_is_el0);
      } else {
 -        ns = extract32(attrs, 5, 1);
 +        int nse, ns = extract32(attrs, 5, 1);
 +        switch (out_space) {
 +        case ARMSS_Root:
 +            /*
 +             * R_GVZML: Bit 11 becomes the NSE field in the EL3 regime.
 +             * R_XTYPW: NSE and NS together select the output pa space.
 +             */
 +            nse = extract32(attrs, 11, 1);
 +            out_space = (nse << 1) | ns;
 +            if (out_space == ARMSS_Secure &&
 +                !cpu_isar_feature(aa64_sel2, cpu)) {
 +                out_space = ARMSS_NonSecure;
 +            }
 +            break;
 +        case ARMSS_Secure:
 +            if (ns) {
 +                out_space = ARMSS_NonSecure;
 +            }
 +            break;
 +        case ARMSS_Realm:
 +            switch (mmu_idx) {
 +            case ARMMMUIdx_Stage1_E0:
 +            case ARMMMUIdx_Stage1_E1:
 +            case ARMMMUIdx_Stage1_E1_PAN:
 +                /* I_CZPRF: For Realm EL1&0 stage1, NS bit is RES0. */
 +                break;
 +            case ARMMMUIdx_E2:
 +            case ARMMMUIdx_E20_0:
 +            case ARMMMUIdx_E20_2:
 +            case ARMMMUIdx_E20_2_PAN:
 +                /*
 +                 * R_LYKFZ, R_WGRZN: For Realm EL2 and EL2&1,
 +                 * NS changes the output to non-secure space.
 +                 */
 +                if (ns) {
 +                    out_space = ARMSS_NonSecure;
 +                }
 +                break;
 +            default:
 +                g_assert_not_reached();
 +            }
 +            break;
 +        case ARMSS_NonSecure:
 +            /* R_QRMFF: For NonSecure state, the NS bit is RES0. */
 +            break;
 +        default:
 +            g_assert_not_reached();
 +        }
          xn = extract64(attrs, 54, 1);
          pxn = extract64(attrs, 53, 1);
 -        result->f.prot = get_S1prot(env, mmu_idx, aarch64, ap, ns, xn, pxn);
 +
 +        /*
 +         * Note that we modified ptw->in_space earlier for NSTable, but
 +         * result->f.attrs retains a copy of the original security space.
 +         */
 +        result->f.prot = get_S1prot(env, mmu_idx, aarch64, ap, xn, pxn,
 +                                    result->f.attrs.space, out_space);
      }
--    /* UNDEF accesses to D16-D31 if they don't exist */
+     if (!(result->f.prot & (1 << access_type))) {
--    if (dp && !dc_isar_feature(aa32_simd_r32, s) &&
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
--        ((a->vm | a->vn | a->vd) & 0x10)) {
+         }
 +    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
--    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
+-    if (ns) {
-+    /* UNDEF accesses to D16-D31 if they don't exist */
+-        /*
-+    if (dp && !dc_isar_feature(aa32_simd_r32, s) &&
+-         * The NS bit will (as required by the architecture) have no effect if
-+        ((a->vm | a->vn | a->vd) & 0x10)) {
+-         * the CPU doesn't support TZ or this is a non-secure translation
-         return false;
+-         * regime, because the attribute will already be non-secure.
-     }
+-         */
+-        result->f.attrs.secure = false;
-@@ -XXX,XX +XXX,XX @@ static bool trans_VRINT(DisasContext *s, arg_VRINT *a)
+-        result->f.attrs.space = ARMSS_NonSecure;
          return false;
      }
 -    /* UNDEF accesses to D16-D31 if they don't exist */
 -    if (dp && !dc_isar_feature(aa32_simd_r32, s) &&
 -        ((a->vm | a->vd) & 0x10)) {
 +    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
 -    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
 +    /* UNDEF accesses to D16-D31 if they don't exist */
 +    if (dp && !dc_isar_feature(aa32_simd_r32, s) &&
 +        ((a->vm | a->vd) & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT(DisasContext *s, arg_VCVT *a)
          return false;
      }
 -    /* UNDEF accesses to D16-D31 if they don't exist */
 -    if (dp && !dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
 +    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
 -    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
 +    /* UNDEF accesses to D16-D31 if they don't exist */
 +    if (dp && !dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool do_vfp_3op_dp(DisasContext *s, VFPGen3OpDPFn *fn,
      TCGv_i64 f0, f1, fd;
      TCGv_ptr fpst;
 -    /* UNDEF accesses to D16-D31 if they don't exist */
 -    if (!dc_isar_feature(aa32_simd_r32, s) && ((vd | vn | vm) & 0x10)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 +    /* UNDEF accesses to D16-D31 if they don't exist */
 +    if (!dc_isar_feature(aa32_simd_r32, s) && ((vd | vn | vm) & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool do_vfp_2op_dp(DisasContext *s, VFPGen2OpDPFn *fn, int vd, int vm)
      int veclen = s->vec_len;
      TCGv_i64 f0, fd;
 -    /* UNDEF accesses to D16-D31 if they don't exist */
 -    if (!dc_isar_feature(aa32_simd_r32, s) && ((vd | vm) & 0x10)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 +    /* UNDEF accesses to D16-D31 if they don't exist */
 +    if (!dc_isar_feature(aa32_simd_r32, s) && ((vd | vm) & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VFM_dp(DisasContext *s, arg_VFM_dp *a)
          return false;
      }
 -    /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_simd_r32, s) &&
 -        ((a->vd | a->vn | a->vm) & 0x10)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 +    /* UNDEF accesses to D16-D31 if they don't exist. */
 +    if (!dc_isar_feature(aa32_simd_r32, s) &&
 +        ((a->vd | a->vn | a->vm) & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_imm_dp(DisasContext *s, arg_VMOV_imm_dp *a)
      vd = a->vd;
 -    /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_simd_r32, s) && (vd & 0x10)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 +    /* UNDEF accesses to D16-D31 if they don't exist. */
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (vd & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCMP_dp(DisasContext *s, arg_VCMP_dp *a)
  {
      TCGv_i64 vd, vm;
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 +        return false;
 +    }
 +
      /* Vm/M bits must be zero for the Z variant */
      if (a->z && a->vm != 0) {
          return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_VCMP_dp(DisasContext *s, arg_VCMP_dp *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 -        return false;
 -    }
--
++    result->f.attrs.space = out_space;
-     if (!vfp_access_check(s)) {
++    result->f.attrs.secure = arm_space_is_secure(out_space);
-         return true;
-     }
+     if (regime_is_stage2(mmu_idx)) {
-@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_f64_f16(DisasContext *s, arg_VCVT_f64_f16 *a)
+         result->cacheattrs.is_s2_format = true;
      TCGv_i32 tmp;
      TCGv_i64 vd;
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 +        return false;
 +    }
 +
      if (!dc_isar_feature(aa32_fp16_dpconv, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_f64_f16(DisasContext *s, arg_VCVT_f64_f16 *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 -        return false;
 -    }
 -
      if (!vfp_access_check(s)) {
          return true;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_f16_f64(DisasContext *s, arg_VCVT_f16_f64 *a)
      TCGv_i32 tmp;
      TCGv_i64 vm;
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 +        return false;
 +    }
 +
      if (!dc_isar_feature(aa32_fp16_dpconv, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_f16_f64(DisasContext *s, arg_VCVT_f16_f64 *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 -        return false;
 -    }
 -
      if (!vfp_access_check(s)) {
          return true;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTR_dp(DisasContext *s, arg_VRINTR_dp *a)
      TCGv_ptr fpst;
      TCGv_i64 tmp;
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 +        return false;
 +    }
 +
      if (!dc_isar_feature(aa32_vrint, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTR_dp(DisasContext *s, arg_VRINTR_dp *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 -        return false;
 -    }
 -
      if (!vfp_access_check(s)) {
          return true;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTZ_dp(DisasContext *s, arg_VRINTZ_dp *a)
      TCGv_i64 tmp;
      TCGv_i32 tcg_rmode;
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 +        return false;
 +    }
 +
      if (!dc_isar_feature(aa32_vrint, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTZ_dp(DisasContext *s, arg_VRINTZ_dp *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 -        return false;
 -    }
 -
      if (!vfp_access_check(s)) {
          return true;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTX_dp(DisasContext *s, arg_VRINTX_dp *a)
      TCGv_ptr fpst;
      TCGv_i64 tmp;
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 +        return false;
 +    }
 +
      if (!dc_isar_feature(aa32_vrint, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTX_dp(DisasContext *s, arg_VRINTX_dp *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 -        return false;
 -    }
 -
      if (!vfp_access_check(s)) {
          return true;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_sp(DisasContext *s, arg_VCVT_sp *a)
      TCGv_i64 vd;
      TCGv_i32 vm;
 -    /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd & 0x10)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 +    /* UNDEF accesses to D16-D31 if they don't exist. */
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_dp(DisasContext *s, arg_VCVT_dp *a)
      TCGv_i64 vm;
      TCGv_i32 vd;
 -    /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 +    /* UNDEF accesses to D16-D31 if they don't exist. */
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_int_dp(DisasContext *s, arg_VCVT_int_dp *a)
      TCGv_i64 vd;
      TCGv_ptr fpst;
 -    /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd & 0x10)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 +    /* UNDEF accesses to D16-D31 if they don't exist. */
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd & 0x10)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VJCVT(DisasContext *s, arg_VJCVT *a)
      TCGv_i32 vd;
      TCGv_i64 vm;
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 +        return false;
 +    }
 +
      if (!dc_isar_feature(aa32_jscvt, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VJCVT(DisasContext *s, arg_VJCVT *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 -        return false;
 -    }
 -
      if (!vfp_access_check(s)) {
          return true;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_fix_dp(DisasContext *s, arg_VCVT_fix_dp *a)
      TCGv_ptr fpst;
      int frac_bits;
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 +        return false;
 +    }
 +
      if (!arm_dc_feature(s, ARM_FEATURE_VFP3)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_fix_dp(DisasContext *s, arg_VCVT_fix_dp *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 -        return false;
 -    }
 -
      if (!vfp_access_check(s)) {
          return true;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_dp_int(DisasContext *s, arg_VCVT_dp_int *a)
      TCGv_i64 vm;
      TCGv_ptr fpst;
 -    /* UNDEF accesses to D16-D31 if they don't exist. */
 -    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 +    /* UNDEF accesses to D16-D31 if they don't exist. */
 +    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
          return false;
      }
 --
-.20.1
+.34.1

-[PULL 48/52] target/arm: Rename isar_feature_aa32_fpdp_v2
+[PULL 13/26] target/arm: Handle no-execute for Realm and Root regimes
 From: Richard Henderson <richard.henderson@linaro.org>
-The old name, isar_feature_aa32_fpdp, does not reflect
+While Root and Realm may read and write data from other spaces,
-that the test includes VFPv2.  We will introduce further
+neither may execute from other pa spaces.
 feature tests for VFPv3.
+This happens for Stage1 EL3, EL2, EL2&0, and Stage2 EL1&0.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20230620124418.805717-14-richard.henderson@linaro.org
 Message-id: 20200214181547.21408-7-richard.henderson@linaro.org
 [PMM: fixed grammar in commit message]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.h               |  4 ++--
+ target/arm/ptw.c | 52 ++++++++++++++++++++++++++++++++++++++++++------
- target/arm/translate-vfp.inc.c | 40 +++++++++++++++++-----------------
+file changed, 46 insertions(+), 6 deletions(-)
 files changed, 22 insertions(+), 22 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
+--- a/target/arm/ptw.c
-+++ b/target/arm/cpu.h
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_fpshvec(const ARMISARegisters *id)
+@@ -XXX,XX +XXX,XX @@ do_fault:
-     return FIELD_EX32(id->mvfr0, MVFR0, FPSHVEC) > 0;
+  * @xn:      XN (execute-never) bits
- }
+  * @s1_is_el0: true if this is S2 of an S1+2 walk for EL0
+  */
--static inline bool isar_feature_aa32_fpdp(const ARMISARegisters *id)
+-static int get_S2prot(CPUARMState *env, int s2ap, int xn, bool s1_is_el0)
-+static inline bool isar_feature_aa32_fpdp_v2(const ARMISARegisters *id)
++static int get_S2prot_noexecute(int s2ap)
  {
--    /* Return true if CPU supports double precision floating point */
+     int prot = 0;
-+    /* Return true if CPU supports double precision floating point, VFPv2 */
-     return FIELD_EX32(id->mvfr0, MVFR0, FPDP) > 0;
+@@ -XXX,XX +XXX,XX @@ static int get_S2prot(CPUARMState *env, int s2ap, int xn, bool s1_is_el0)
- }
+     if (s2ap & 2) {
+         prot |= PAGE_WRITE;
 diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-vfp.inc.c
 +++ b/target/arm/translate-vfp.inc.c
@@ -XXX,XX +XXX,XX @@ static bool trans_VSEL(DisasContext *s, arg_VSEL *a)
          return false;
      }
++    return prot;
--    if (dp && !dc_isar_feature(aa32_fpdp, s)) {
++}
-+    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
++
-         return false;
++static int get_S2prot(CPUARMState *env, int s2ap, int xn, bool s1_is_el0)
 +{
 +    int prot = get_S2prot_noexecute(s2ap);
      if (cpu_isar_feature(any_tts2uxn, env_archcpu(env))) {
          switch (xn) {
@@ -XXX,XX +XXX,XX @@ static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64,
          }
      }
-@@ -XXX,XX +XXX,XX @@ static bool trans_VMINMAXNM(DisasContext *s, arg_VMINMAXNM *a)
+-    if (out_pa == ARMSS_NonSecure && in_pa == ARMSS_Secure &&
-         return false;
+-        (env->cp15.scr_el3 & SCR_SIF)) {
 -        return prot_rw;
 +    if (in_pa != out_pa) {
 +        switch (in_pa) {
 +        case ARMSS_Root:
 +            /*
 +             * R_ZWRVD: permission fault for insn fetched from non-Root,
 +             * I_WWBFB: SIF has no effect in EL3.
 +             */
 +            return prot_rw;
 +        case ARMSS_Realm:
 +            /*
 +             * R_PKTDS: permission fault for insn fetched from non-Realm,
 +             * for Realm EL2 or EL2&0.  The corresponding fault for EL1&0
 +             * happens during any stage2 translation.
 +             */
 +            switch (mmu_idx) {
 +            case ARMMMUIdx_E2:
 +            case ARMMMUIdx_E20_0:
 +            case ARMMMUIdx_E20_2:
 +            case ARMMMUIdx_E20_2_PAN:
 +                return prot_rw;
 +            default:
 +                break;
 +            }
 +            break;
 +        case ARMSS_Secure:
 +            if (env->cp15.scr_el3 & SCR_SIF) {
 +                return prot_rw;
 +            }
 +            break;
 +        default:
 +            /* Input NonSecure must have output NonSecure. */
 +            g_assert_not_reached();
 +        }
      }
--    if (dp && !dc_isar_feature(aa32_fpdp, s)) {
+     /* TODO have_wxn should be replaced with
-+    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-         return false;
+         /*
-     }
+          * R_GYNXY: For stage2 in Realm security state, bit 55 is NS.
+          * The bit remains ignored for other security states.
-@@ -XXX,XX +XXX,XX @@ static bool trans_VRINT(DisasContext *s, arg_VRINT *a)
++         * R_YMCSL: Executing an insn fetched from non-Realm causes
-         return false;
++         * a stage2 permission fault.
-     }
+          */
+         if (out_space == ARMSS_Realm && extract64(attrs, 55, 1)) {
--    if (dp && !dc_isar_feature(aa32_fpdp, s)) {
+             out_space = ARMSS_NonSecure;
-+    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
++            result->f.prot = get_S2prot_noexecute(ap);
-         return false;
++        } else {
-     }
++            xn = extract64(attrs, 53, 2);
++            result->f.prot = get_S2prot(env, ap, xn, s1_is_el0);
-@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT(DisasContext *s, arg_VCVT *a)
+         }
-         return false;
+-        xn = extract64(attrs, 53, 2);
-     }
+-        result->f.prot = get_S2prot(env, ap, xn, s1_is_el0);
+     } else {
--    if (dp && !dc_isar_feature(aa32_fpdp, s)) {
+         int nse, ns = extract32(attrs, 5, 1);
-+    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
+         switch (out_space) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool do_vfp_3op_dp(DisasContext *s, VFPGen3OpDPFn *fn,
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp, s)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool do_vfp_2op_dp(DisasContext *s, VFPGen2OpDPFn *fn, int vd, int vm)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp, s)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VFM_dp(DisasContext *s, arg_VFM_dp *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp, s)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_imm_dp(DisasContext *s, arg_VMOV_imm_dp *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp, s)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCMP_dp(DisasContext *s, arg_VCMP_dp *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp, s)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_f64_f16(DisasContext *s, arg_VCVT_f64_f16 *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp, s)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_f16_f64(DisasContext *s, arg_VCVT_f16_f64 *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp, s)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTR_dp(DisasContext *s, arg_VRINTR_dp *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp, s)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTZ_dp(DisasContext *s, arg_VRINTZ_dp *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp, s)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTX_dp(DisasContext *s, arg_VRINTX_dp *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp, s)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_sp(DisasContext *s, arg_VCVT_sp *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp, s)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_dp(DisasContext *s, arg_VCVT_dp *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp, s)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_int_dp(DisasContext *s, arg_VCVT_int_dp *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp, s)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VJCVT(DisasContext *s, arg_VJCVT *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp, s)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_fix_dp(DisasContext *s, arg_VCVT_fix_dp *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp, s)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_dp_int(DisasContext *s, arg_VCVT_dp_int *a)
          return false;
      }
 -    if (!dc_isar_feature(aa32_fpdp, s)) {
 +    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
          return false;
      }
 --
-.20.1
+.34.1

-[PULL 41/52] target/arm: Convert PMULL.8 to gvec
+[PULL 14/26] target/arm: Use get_phys_addr_with_struct in S1_ptw_translate
 From: Richard Henderson <richard.henderson@linaro.org>
-We still need two different helpers, since NEON and SVE2 get the
+Do not provide a fast-path for physical addresses,
-inputs from different locations within the source vector.  However,
+as those will need to be validated for GPC.
 we can convert both to the same internal form for computation.
-The sve2 helper is not used yet, but adding it with this patch
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 helps illustrate why the neon changes are helpful.
 Tested-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200216214232.4230-5-richard.henderson@linaro.org
+Message-id: 20230620124418.805717-15-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper-sve.h    |  2 ++
+ target/arm/ptw.c | 44 +++++++++++++++++---------------------------
- target/arm/helper.h        |  3 +-
+file changed, 17 insertions(+), 27 deletions(-)
  target/arm/neon_helper.c   | 32 --------------------
  target/arm/translate-a64.c | 27 +++++++++++------
  target/arm/translate.c     | 26 ++++++++---------
  target/arm/vec_helper.c    | 60 ++++++++++++++++++++++++++++++++++++++
 files changed, 95 insertions(+), 55 deletions(-)
-diff --git a/target/arm/helper-sve.h b/target/arm/helper-sve.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sve.h
+--- a/target/arm/ptw.c
-+++ b/target/arm/helper-sve.h
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_6(sve_stdd_le_zd, TCG_CALL_NO_WG,
+@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
-                    void, env, ptr, ptr, ptr, tl, i32)
+          * From gdbstub, do not use softmmu so that we don't modify the
- DEF_HELPER_FLAGS_6(sve_stdd_be_zd, TCG_CALL_NO_WG,
+          * state of the cpu at all, including softmmu tlb contents.
-                    void, env, ptr, ptr, ptr, tl, i32)
+          */
-+
+-        if (regime_is_stage2(s2_mmu_idx)) {
-+DEF_HELPER_FLAGS_4(sve2_pmull_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+-            S1Translate s2ptw = {
-diff --git a/target/arm/helper.h b/target/arm/helper.h
+-                .in_mmu_idx = s2_mmu_idx,
-index XXXXXXX..XXXXXXX 100644
+-                .in_ptw_idx = ptw_idx_for_stage_2(env, s2_mmu_idx),
---- a/target/arm/helper.h
+-                .in_secure = s2_mmu_idx == ARMMMUIdx_Stage2_S,
-+++ b/target/arm/helper.h
+-                .in_space = (s2_mmu_idx == ARMMMUIdx_Stage2_S ? ARMSS_Secure
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_2(neon_sub_u8, i32, i32, i32)
+-                             : space == ARMSS_Realm ? ARMSS_Realm
- DEF_HELPER_2(neon_sub_u16, i32, i32, i32)
+-                             : ARMSS_NonSecure),
- DEF_HELPER_2(neon_mul_u8, i32, i32, i32)
+-                .in_debug = true,
- DEF_HELPER_2(neon_mul_u16, i32, i32, i32)
+-            };
--DEF_HELPER_2(neon_mull_p8, i64, i32, i32)
+-            GetPhysAddrResult s2 = { };
++        S1Translate s2ptw = {
- DEF_HELPER_2(neon_tst_u8, i32, i32, i32)
++            .in_mmu_idx = s2_mmu_idx,
- DEF_HELPER_2(neon_tst_u16, i32, i32, i32)
++            .in_ptw_idx = ptw_idx_for_stage_2(env, s2_mmu_idx),
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(gvec_ushl_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
++            .in_secure = s2_mmu_idx == ARMMMUIdx_Stage2_S,
- DEF_HELPER_FLAGS_4(gvec_pmul_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
++            .in_space = (s2_mmu_idx == ARMMMUIdx_Stage2_S ? ARMSS_Secure
- DEF_HELPER_FLAGS_4(gvec_pmull_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
++                         : space == ARMSS_Realm ? ARMSS_Realm
++                         : ARMSS_NonSecure),
-+DEF_HELPER_FLAGS_4(neon_pmull_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
++            .in_debug = true,
-+
++        };
- #ifdef TARGET_AARCH64
++        GetPhysAddrResult s2 = { };
- #include "helper-a64.h"
- #include "helper-sve.h"
+-            if (get_phys_addr_lpae(env, &s2ptw, addr, MMU_DATA_LOAD,
-diff --git a/target/arm/neon_helper.c b/target/arm/neon_helper.c
+-                                   false, &s2, fi)) {
-index XXXXXXX..XXXXXXX 100644
+-                goto fail;
---- a/target/arm/neon_helper.c
+-            }
-+++ b/target/arm/neon_helper.c
+-            ptw->out_phys = s2.f.phys_addr;
-@@ -XXX,XX +XXX,XX @@ NEON_VOP(mul_u8, neon_u8, 4)
+-            pte_attrs = s2.cacheattrs.attrs;
- NEON_VOP(mul_u16, neon_u16, 2)
+-            ptw->out_secure = s2.f.attrs.secure;
- #undef NEON_FN
+-            ptw->out_space = s2.f.attrs.space;
+-        } else {
--/* Polynomial multiplication is like integer multiplication except the
+-            /* Regime is physical. */
--   partial products are XORed, not added.  */
+-            ptw->out_phys = addr;
--uint64_t HELPER(neon_mull_p8)(uint32_t op1, uint32_t op2)
+-            pte_attrs = 0;
--{
+-            ptw->out_secure = s2_mmu_idx == ARMMMUIdx_Phys_S;
--    uint64_t result = 0;
+-            ptw->out_space = (s2_mmu_idx == ARMMMUIdx_Phys_S ? ARMSS_Secure
--    uint64_t mask;
+-                              : space == ARMSS_Realm ? ARMSS_Realm
--    uint64_t op2ex = op2;
+-                              : ARMSS_NonSecure);
--    op2ex = (op2ex & 0xff) |
++        if (get_phys_addr_with_struct(env, &s2ptw, addr,
--        ((op2ex & 0xff00) << 8) |
++                                      MMU_DATA_LOAD, &s2, fi)) {
--        ((op2ex & 0xff0000) << 16) |
++            goto fail;
 -        ((op2ex & 0xff000000) << 24);
 -    while (op1) {
 -        mask = 0;
 -        if (op1 & 1) {
 -            mask |= 0xffff;
 -        }
 -        if (op1 & (1 << 8)) {
 -            mask |= (0xffffU << 16);
 -        }
 -        if (op1 & (1 << 16)) {
 -            mask |= (0xffffULL << 32);
 -        }
 -        if (op1 & (1 << 24)) {
 -            mask |= (0xffffULL << 48);
 -        }
 -        result ^= op2ex & mask;
 -        op1 = (op1 >> 1) & 0x7f7f7f7f;
 -        op2ex <<= 1;
 -    }
 -    return result;
 -}
 -
  #define NEON_FN(dest, src1, src2) dest = (src1 & src2) ? -1 : 0
  NEON_VOP(tst_u8, neon_u8, 4)
  NEON_VOP(tst_u16, neon_u16, 2)
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_3rd_widening(DisasContext *s, int is_q, int is_u, int size,
                  gen_helper_neon_addl_saturate_s32(tcg_passres, cpu_env,
                                                    tcg_passres, tcg_passres);
                  break;
 -            case 14: /* PMULL */
 -                assert(size == 0);
 -                gen_helper_neon_mull_p8(tcg_passres, tcg_op1, tcg_op2);
 -                break;
              default:
                  g_assert_not_reached();
              }
@@ -XXX,XX +XXX,XX @@ static void disas_simd_three_reg_diff(DisasContext *s, uint32_t insn)
          handle_3rd_narrowing(s, is_q, is_u, size, opcode, rd, rn, rm);
          break;
      case 14: /* PMULL, PMULL2 */
 -        if (is_u || size == 1 || size == 2) {
 +        if (is_u) {
              unallocated_encoding(s);
              return;
          }
--        if (size == 3) {
++        ptw->out_phys = s2.f.phys_addr;
-+        switch (size) {
++        pte_attrs = s2.cacheattrs.attrs;
-+        case 0: /* PMULL.P8 */
+         ptw->out_host = NULL;
-+            if (!fp_access_check(s)) {
+         ptw->out_rw = false;
-+                return;
++        ptw->out_secure = s2.f.attrs.secure;
-+            }
++        ptw->out_space = s2.f.attrs.space;
-+            /* The Q field specifies lo/hi half input for this insn.  */
+     } else {
-+            gen_gvec_op3_ool(s, true, rd, rn, rm, is_q,
+ #ifdef CONFIG_TCG
-+                             gen_helper_neon_pmull_h);
+         CPUTLBEntryFull *full;
 +            break;
 +
 +        case 3: /* PMULL.P64 */
              if (!dc_isar_feature(aa64_pmull, s)) {
                  unallocated_encoding(s);
                  return;
@@ -XXX,XX +XXX,XX @@ static void disas_simd_three_reg_diff(DisasContext *s, uint32_t insn)
              /* The Q field specifies lo/hi half input for this insn.  */
              gen_gvec_op3_ool(s, true, rd, rn, rm, is_q,
                               gen_helper_gvec_pmull_q);
 -            return;
 +            break;
 +
 +        default:
 +            unallocated_encoding(s);
 +            break;
          }
 -        goto is_widening;
 +        return;
      case 9: /* SQDMLAL, SQDMLAL2 */
      case 11: /* SQDMLSL, SQDMLSL2 */
      case 13: /* SQDMULL, SQDMULL2 */
@@ -XXX,XX +XXX,XX @@ static void disas_simd_three_reg_diff(DisasContext *s, uint32_t insn)
              unallocated_encoding(s);
              return;
          }
 -    is_widening:
          if (!fp_access_check(s)) {
              return;
          }
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                      return 1;
                  }
 -                /* Handle VMULL.P64 (Polynomial 64x64 to 128 bit multiply)
 -                 * outside the loop below as it only performs a single pass.
 -                 */
 -                if (op == 14 && size == 2) {
 -                    if (!dc_isar_feature(aa32_pmull, s)) {
 -                        return 1;
 +                /* Handle polynomial VMULL in a single pass.  */
 +                if (op == 14) {
 +                    if (size == 0) {
 +                        /* VMULL.P8 */
 +                        tcg_gen_gvec_3_ool(rd_ofs, rn_ofs, rm_ofs, 16, 16,
 +                                           0, gen_helper_neon_pmull_h);
 +                    } else {
 +                        /* VMULL.P64 */
 +                        if (!dc_isar_feature(aa32_pmull, s)) {
 +                            return 1;
 +                        }
 +                        tcg_gen_gvec_3_ool(rd_ofs, rn_ofs, rm_ofs, 16, 16,
 +                                           0, gen_helper_gvec_pmull_q);
                      }
 -                    tcg_gen_gvec_3_ool(rd_ofs, rn_ofs, rm_ofs, 16, 16,
 -                                       0, gen_helper_gvec_pmull_q);
                      return 0;
                  }
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                          /* VMLAL, VQDMLAL, VMLSL, VQDMLSL, VMULL, VQDMULL */
                          gen_neon_mull(cpu_V0, tmp, tmp2, size, u);
                          break;
 -                    case 14: /* Polynomial VMULL */
 -                        gen_helper_neon_mull_p8(cpu_V0, tmp, tmp2);
 -                        tcg_temp_free_i32(tmp2);
 -                        tcg_temp_free_i32(tmp);
 -                        break;
                      default: /* 15 is RESERVED: caught earlier  */
                          abort();
                      }
 diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/vec_helper.c
 +++ b/target/arm/vec_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(gvec_pmull_q)(void *vd, void *vn, void *vm, uint32_t desc)
      }
      clear_tail(d, opr_sz, simd_maxsz(desc));
  }
 +
 +/*
 + * 8x8->16 polynomial multiply.
 + *
 + * The byte inputs are expanded to (or extracted from) half-words.
 + * Note that neon and sve2 get the inputs from different positions.
 + * This allows 4 bytes to be processed in parallel with uint64_t.
 + */
 +
 +static uint64_t expand_byte_to_half(uint64_t x)
 +{
 +    return  (x & 0x000000ff)
 +         | ((x & 0x0000ff00) << 8)
 +         | ((x & 0x00ff0000) << 16)
 +         | ((x & 0xff000000) << 24);
 +}
 +
 +static uint64_t pmull_h(uint64_t op1, uint64_t op2)
 +{
 +    uint64_t result = 0;
 +    int i;
 +
 +    for (i = 0; i < 8; ++i) {
 +        uint64_t mask = (op1 & 0x0001000100010001ull) * 0xffff;
 +        result ^= op2 & mask;
 +        op1 >>= 1;
 +        op2 <<= 1;
 +    }
 +    return result;
 +}
 +
 +void HELPER(neon_pmull_h)(void *vd, void *vn, void *vm, uint32_t desc)
 +{
 +    int hi = simd_data(desc);
 +    uint64_t *d = vd, *n = vn, *m = vm;
 +    uint64_t nn = n[hi], mm = m[hi];
 +
 +    d[0] = pmull_h(expand_byte_to_half(nn), expand_byte_to_half(mm));
 +    nn >>= 32;
 +    mm >>= 32;
 +    d[1] = pmull_h(expand_byte_to_half(nn), expand_byte_to_half(mm));
 +
 +    clear_tail(d, 16, simd_maxsz(desc));
 +}
 +
 +#ifdef TARGET_AARCH64
 +void HELPER(sve2_pmull_h)(void *vd, void *vn, void *vm, uint32_t desc)
 +{
 +    int shift = simd_data(desc) * 8;
 +    intptr_t i, opr_sz = simd_oprsz(desc);
 +    uint64_t *d = vd, *n = vn, *m = vm;
 +
 +    for (i = 0; i < opr_sz / 8; ++i) {
 +        uint64_t nn = (n[i] >> shift) & 0x00ff00ff00ff00ffull;
 +        uint64_t mm = (m[i] >> shift) & 0x00ff00ff00ff00ffull;
 +
 +        d[i] = pmull_h(nn, mm);
 +    }
 +}
 +#endif
 --
-.20.1
+.34.1

-[PULL 51/52] target/arm: Replace ARM_FEATURE_VFP3 checks with fp{sp, dp}_v3
+[PULL 15/26] target/arm: Move s1_is_el0 into S1Translate
 From: Richard Henderson <richard.henderson@linaro.org>
-Sort this check to the start of a trans_* function.
+Instead of passing this to get_phys_addr_lpae, stash it
-Merge this with any existing test for fpdp_v2.
+in the S1Translate structure.
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200214181547.21408-10-richard.henderson@linaro.org
+Message-id: 20230620124418.805717-16-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-vfp.inc.c | 24 ++++++++----------------
+ target/arm/ptw.c | 27 ++++++++++++---------------
-file changed, 8 insertions(+), 16 deletions(-)
+file changed, 12 insertions(+), 15 deletions(-)
-diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-vfp.inc.c
+--- a/target/arm/ptw.c
-+++ b/target/arm/translate-vfp.inc.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_VMSR_VMRS(DisasContext *s, arg_VMSR_VMRS *a)
+@@ -XXX,XX +XXX,XX @@ typedef struct S1Translate {
-          * VFPv2 allows access to FPSID from userspace; VFPv3 restricts
+     ARMSecuritySpace in_space;
-          * all ID registers to privileged access only.
+     bool in_secure;
-          */
+     bool in_debug;
--        if (IS_USER(s) && arm_dc_feature(s, ARM_FEATURE_VFP3)) {
++    /*
-+        if (IS_USER(s) && dc_isar_feature(aa32_fpsp_v3, s)) {
++     * If this is stage 2 of a stage 1+2 page table walk, then this must
-             return false;
++     * be true if stage 1 is an EL0 access; otherwise this is ignored.
 +     * Stage 2 is indicated by in_mmu_idx set to ARMMMUIdx_Stage2{,_S}.
 +     */
 +    bool in_s1_is_el0;
      bool out_secure;
      bool out_rw;
      bool out_be;
@@ -XXX,XX +XXX,XX @@ typedef struct S1Translate {
  } S1Translate;
  static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
 -                               uint64_t address,
 -                               MMUAccessType access_type, bool s1_is_el0,
 +                               uint64_t address, MMUAccessType access_type,
                                 GetPhysAddrResult *result, ARMMMUFaultInfo *fi);
  static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
@@ -XXX,XX +XXX,XX @@ static int check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, uint64_t tcr,
   * @ptw: Current and next stage parameters for the walk.
   * @address: virtual address to get physical address for
   * @access_type: MMU_DATA_LOAD, MMU_DATA_STORE or MMU_INST_FETCH
 - * @s1_is_el0: if @ptw->in_mmu_idx is ARMMMUIdx_Stage2
 - *             (so this is a stage 2 page table walk),
 - *             must be true if this is stage 2 of a stage 1+2
 - *             walk for an EL0 access. If @mmu_idx is anything else,
 - *             @s1_is_el0 is ignored.
   * @result: set on translation success,
   * @fi: set to fault info if the translation fails
   */
  static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
                                 uint64_t address,
 -                               MMUAccessType access_type, bool s1_is_el0,
 +                               MMUAccessType access_type,
                                 GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
  {
      ARMCPU *cpu = env_archcpu(env);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
              result->f.prot = get_S2prot_noexecute(ap);
          } else {
              xn = extract64(attrs, 53, 2);
 -            result->f.prot = get_S2prot(env, ap, xn, s1_is_el0);
 +            result->f.prot = get_S2prot(env, ap, xn, ptw->in_s1_is_el0);
          }
-         ignore_vfp_enabled = true;
+     } else {
-@@ -XXX,XX +XXX,XX @@ static bool trans_VMSR_VMRS(DisasContext *s, arg_VMSR_VMRS *a)
+         int nse, ns = extract32(attrs, 5, 1);
-     case ARM_VFP_FPINST:
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
-     case ARM_VFP_FPINST2:
+     bool ret, ipa_secure;
-         /* Not present in VFPv3 */
+     ARMCacheAttrs cacheattrs1;
--        if (IS_USER(s) || arm_dc_feature(s, ARM_FEATURE_VFP3)) {
+     ARMSecuritySpace ipa_space;
-+        if (IS_USER(s) || dc_isar_feature(aa32_fpsp_v3, s)) {
+-    bool is_el0;
-             return false;
+     uint64_t hcr;
-         }
-         break;
+     ret = get_phys_addr_with_struct(env, ptw, address, access_type, result, fi);
-@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_imm_sp(DisasContext *s, arg_VMOV_imm_sp *a)
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
+     ipa_secure = result->f.attrs.secure;
-     vd = a->vd;
+     ipa_space = result->f.attrs.space;
--    if (!dc_isar_feature(aa32_fpshvec, s) &&
+-    is_el0 = ptw->in_mmu_idx == ARMMMUIdx_Stage1_E0;
--        (veclen != 0 || s->vec_stride != 0)) {
++    ptw->in_s1_is_el0 = ptw->in_mmu_idx == ARMMMUIdx_Stage1_E0;
-+    if (!dc_isar_feature(aa32_fpsp_v3, s)) {
+     ptw->in_mmu_idx = ipa_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
-         return false;
+     ptw->in_secure = ipa_secure;
      ptw->in_space = ipa_space;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
          ret = get_phys_addr_pmsav8(env, ipa, access_type,
                                     ptw->in_mmu_idx, is_secure, result, fi);
      } else {
 -        ret = get_phys_addr_lpae(env, ptw, ipa, access_type,
 -                                 is_el0, result, fi);
 +        ret = get_phys_addr_lpae(env, ptw, ipa, access_type, result, fi);
      }
+     fi->s2addr = ipa;
--    if (!arm_dc_feature(s, ARM_FEATURE_VFP3)) {
-+    if (!dc_isar_feature(aa32_fpshvec, s) &&
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
 +        (veclen != 0 || s->vec_stride != 0)) {
          return false;
      }
-@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_imm_dp(DisasContext *s, arg_VMOV_imm_dp *a)
+     if (regime_using_lpae_format(env, mmu_idx)) {
+-        return get_phys_addr_lpae(env, ptw, address, access_type, false,
-     vd = a->vd;
+-                                  result, fi);
++        return get_phys_addr_lpae(env, ptw, address, access_type, result, fi);
--    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
+     } else if (arm_feature(env, ARM_FEATURE_V7) ||
-+    if (!dc_isar_feature(aa32_fpdp_v3, s)) {
+                regime_sctlr(env, mmu_idx) & SCTLR_XP) {
-         return false;
+         return get_phys_addr_v6(env, ptw, address, access_type, result, fi);
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_imm_dp(DisasContext *s, arg_VMOV_imm_dp *a)
          return false;
      }
 -    if (!arm_dc_feature(s, ARM_FEATURE_VFP3)) {
 -        return false;
 -    }
 -
      if (!vfp_access_check(s)) {
          return true;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_fix_sp(DisasContext *s, arg_VCVT_fix_sp *a)
      TCGv_ptr fpst;
      int frac_bits;
 -    if (!arm_dc_feature(s, ARM_FEATURE_VFP3)) {
 +    if (!dc_isar_feature(aa32_fpsp_v3, s)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_fix_dp(DisasContext *s, arg_VCVT_fix_dp *a)
      TCGv_ptr fpst;
      int frac_bits;
 -    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
 -        return false;
 -    }
 -
 -    if (!arm_dc_feature(s, ARM_FEATURE_VFP3)) {
 +    if (!dc_isar_feature(aa32_fpdp_v3, s)) {
          return false;
      }
 --
-.20.1
+.34.1

-[PULL 40/52] target/arm: Convert PMULL.64 to gvec
+[PULL 16/26] target/arm: Use get_phys_addr_with_struct for stage2
 From: Richard Henderson <richard.henderson@linaro.org>
-The gvec form will be needed for implementing SVE2.
+This fixes a bug in which we failed to initialize
 the result attributes properly after the memset.
-Tested-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200216214232.4230-4-richard.henderson@linaro.org
+Message-id: 20230620124418.805717-17-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.h        |  4 +---
+ target/arm/ptw.c | 11 +----------
- target/arm/neon_helper.c   | 30 ------------------------------
+file changed, 1 insertion(+), 10 deletions(-)
  target/arm/translate-a64.c | 28 +++-------------------------
  target/arm/translate.c     | 16 ++--------------
  target/arm/vec_helper.c    | 33 +++++++++++++++++++++++++++++++++
 files changed, 39 insertions(+), 72 deletions(-)
-diff --git a/target/arm/helper.h b/target/arm/helper.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.h
+--- a/target/arm/ptw.c
-+++ b/target/arm/helper.h
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_3(crc32, TCG_CALL_NO_RWG_SE, i32, i32, i32, i32)
+@@ -XXX,XX +XXX,XX @@ typedef struct S1Translate {
- DEF_HELPER_FLAGS_3(crc32c, TCG_CALL_NO_RWG_SE, i32, i32, i32, i32)
+     void *out_host;
- DEF_HELPER_2(dc_zva, void, env, i64)
+ } S1Translate;
--DEF_HELPER_FLAGS_2(neon_pmull_64_lo, TCG_CALL_NO_RWG_SE, i64, i64, i64)
+-static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
--DEF_HELPER_FLAGS_2(neon_pmull_64_hi, TCG_CALL_NO_RWG_SE, i64, i64, i64)
+-                               uint64_t address, MMUAccessType access_type,
 -                               GetPhysAddrResult *result, ARMMMUFaultInfo *fi);
 -
- DEF_HELPER_FLAGS_5(gvec_qrdmlah_s16, TCG_CALL_NO_RWG,
+ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
-                    void, ptr, ptr, ptr, ptr, i32)
+                                       target_ulong address,
- DEF_HELPER_FLAGS_5(gvec_qrdmlsh_s16, TCG_CALL_NO_RWG,
+                                       MMUAccessType access_type,
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(gvec_ushl_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
- DEF_HELPER_FLAGS_4(gvec_ushl_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+     cacheattrs1 = result->cacheattrs;
+     memset(result, 0, sizeof(*result));
- DEF_HELPER_FLAGS_4(gvec_pmul_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_4(gvec_pmull_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+-    if (arm_feature(env, ARM_FEATURE_PMSA)) {
+-        ret = get_phys_addr_pmsav8(env, ipa, access_type,
- #ifdef TARGET_AARCH64
+-                                   ptw->in_mmu_idx, is_secure, result, fi);
- #include "helper-a64.h"
+-    } else {
-diff --git a/target/arm/neon_helper.c b/target/arm/neon_helper.c
+-        ret = get_phys_addr_lpae(env, ptw, ipa, access_type, result, fi);
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/neon_helper.c
 +++ b/target/arm/neon_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(neon_zip16)(void *vd, void *vm)
      rm[0] = m0;
      rd[0] = d0;
  }
 -
 -/* Helper function for 64 bit polynomial multiply case:
 - * perform PolynomialMult(op1, op2) and return either the top or
 - * bottom half of the 128 bit result.
 - */
 -uint64_t HELPER(neon_pmull_64_lo)(uint64_t op1, uint64_t op2)
 -{
 -    int bitnum;
 -    uint64_t res = 0;
 -
 -    for (bitnum = 0; bitnum < 64; bitnum++) {
 -        if (op1 & (1ULL << bitnum)) {
 -            res ^= op2 << bitnum;
 -        }
 -    }
--    return res;
++    ret = get_phys_addr_with_struct(env, ptw, ipa, access_type, result, fi);
--}
+     fi->s2addr = ipa;
--uint64_t HELPER(neon_pmull_64_hi)(uint64_t op1, uint64_t op2)
--{
+     /* Combine the S1 and S2 perms.  */
 -    int bitnum;
 -    uint64_t res = 0;
 -
 -    /* bit 0 of op1 can't influence the high 64 bits at all */
 -    for (bitnum = 1; bitnum < 64; bitnum++) {
 -        if (op1 & (1ULL << bitnum)) {
 -            res ^= op2 >> (64 - bitnum);
 -        }
 -    }
 -    return res;
 -}
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_3rd_narrowing(DisasContext *s, int is_q, int is_u, int size,
      clear_vec_high(s, is_q, rd);
  }
 -static void handle_pmull_64(DisasContext *s, int is_q, int rd, int rn, int rm)
 -{
 -    /* PMULL of 64 x 64 -> 128 is an odd special case because it
 -     * is the only three-reg-diff instruction which produces a
 -     * 128-bit wide result from a single operation. However since
 -     * it's possible to calculate the two halves more or less
 -     * separately we just use two helper calls.
 -     */
 -    TCGv_i64 tcg_op1 = tcg_temp_new_i64();
 -    TCGv_i64 tcg_op2 = tcg_temp_new_i64();
 -    TCGv_i64 tcg_res = tcg_temp_new_i64();
 -
 -    read_vec_element(s, tcg_op1, rn, is_q, MO_64);
 -    read_vec_element(s, tcg_op2, rm, is_q, MO_64);
 -    gen_helper_neon_pmull_64_lo(tcg_res, tcg_op1, tcg_op2);
 -    write_vec_element(s, tcg_res, rd, 0, MO_64);
 -    gen_helper_neon_pmull_64_hi(tcg_res, tcg_op1, tcg_op2);
 -    write_vec_element(s, tcg_res, rd, 1, MO_64);
 -
 -    tcg_temp_free_i64(tcg_op1);
 -    tcg_temp_free_i64(tcg_op2);
 -    tcg_temp_free_i64(tcg_res);
 -}
 -
  /* AdvSIMD three different
   *   31  30  29 28       24 23  22  21 20  16 15    12 11 10 9    5 4    0
   * +---+---+---+-----------+------+---+------+--------+-----+------+------+
@@ -XXX,XX +XXX,XX @@ static void disas_simd_three_reg_diff(DisasContext *s, uint32_t insn)
              if (!fp_access_check(s)) {
                  return;
              }
 -            handle_pmull_64(s, is_q, rd, rn, rm);
 +            /* The Q field specifies lo/hi half input for this insn.  */
 +            gen_gvec_op3_ool(s, true, rd, rn, rm, is_q,
 +                             gen_helper_gvec_pmull_q);
              return;
          }
          goto is_widening;
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                   * outside the loop below as it only performs a single pass.
                   */
                  if (op == 14 && size == 2) {
 -                    TCGv_i64 tcg_rn, tcg_rm, tcg_rd;
 -
                      if (!dc_isar_feature(aa32_pmull, s)) {
                          return 1;
                      }
 -                    tcg_rn = tcg_temp_new_i64();
 -                    tcg_rm = tcg_temp_new_i64();
 -                    tcg_rd = tcg_temp_new_i64();
 -                    neon_load_reg64(tcg_rn, rn);
 -                    neon_load_reg64(tcg_rm, rm);
 -                    gen_helper_neon_pmull_64_lo(tcg_rd, tcg_rn, tcg_rm);
 -                    neon_store_reg64(tcg_rd, rd);
 -                    gen_helper_neon_pmull_64_hi(tcg_rd, tcg_rn, tcg_rm);
 -                    neon_store_reg64(tcg_rd, rd + 1);
 -                    tcg_temp_free_i64(tcg_rn);
 -                    tcg_temp_free_i64(tcg_rm);
 -                    tcg_temp_free_i64(tcg_rd);
 +                    tcg_gen_gvec_3_ool(rd_ofs, rn_ofs, rm_ofs, 16, 16,
 +                                       0, gen_helper_gvec_pmull_q);
                      return 0;
                  }
 diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/vec_helper.c
 +++ b/target/arm/vec_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(gvec_pmul_b)(void *vd, void *vn, void *vm, uint32_t desc)
      }
      clear_tail(d, opr_sz, simd_maxsz(desc));
  }
 +
 +/*
 + * 64x64->128 polynomial multiply.
 + * Because of the lanes are not accessed in strict columns,
 + * this probably cannot be turned into a generic helper.
 + */
 +void HELPER(gvec_pmull_q)(void *vd, void *vn, void *vm, uint32_t desc)
 +{
 +    intptr_t i, j, opr_sz = simd_oprsz(desc);
 +    intptr_t hi = simd_data(desc);
 +    uint64_t *d = vd, *n = vn, *m = vm;
 +
 +    for (i = 0; i < opr_sz / 8; i += 2) {
 +        uint64_t nn = n[i + hi];
 +        uint64_t mm = m[i + hi];
 +        uint64_t rhi = 0;
 +        uint64_t rlo = 0;
 +
 +        /* Bit 0 can only influence the low 64-bit result.  */
 +        if (nn & 1) {
 +            rlo = mm;
 +        }
 +
 +        for (j = 1; j < 64; ++j) {
 +            uint64_t mask = -((nn >> j) & 1);
 +            rlo ^= (mm << j) & mask;
 +            rhi ^= (mm >> (64 - j)) & mask;
 +        }
 +        d[i] = rlo;
 +        d[i + 1] = rhi;
 +    }
 +    clear_tail(d, opr_sz, simd_maxsz(desc));
 +}
 --
-.20.1
+.34.1

-[PULL 08/52] target/arm: Flush high bits of sve register after AdvSIMD ZIP/UZP/TRN
+[PULL 17/26] target/arm: Add GPC syndrome
 From: Richard Henderson <richard.henderson@linaro.org>
-Writes to AdvSIMD registers flush the bits above 128.
+The function takes the fields as filled in by
 the Arm ARM pseudocode for TakeGPCException.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200214194643.23317-4-richard.henderson@linaro.org
+Message-id: 20230620124418.805717-18-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.c | 1 +
+ target/arm/syndrome.h | 10 ++++++++++
-file changed, 1 insertion(+)
+file changed, 10 insertions(+)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+diff --git a/target/arm/syndrome.h b/target/arm/syndrome.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
+--- a/target/arm/syndrome.h
-+++ b/target/arm/translate-a64.c
++++ b/target/arm/syndrome.h
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_zip_trn(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ enum arm_exception_class {
-     tcg_temp_free_i64(tcg_resl);
+     EC_SVEACCESSTRAP          = 0x19,
-     write_vec_element(s, tcg_resh, rd, 1, MO_64);
+     EC_ERETTRAP               = 0x1a,
-     tcg_temp_free_i64(tcg_resh);
+     EC_SMETRAP                = 0x1d,
-+    clear_vec_high(s, true, rd);
++    EC_GPC                    = 0x1e,
      EC_INSNABORT              = 0x20,
      EC_INSNABORT_SAME_EL      = 0x21,
      EC_PCALIGNMENT            = 0x22,
@@ -XXX,XX +XXX,XX @@ static inline uint32_t syn_bxjtrap(int cv, int cond, int rm)
          (cv << 24) | (cond << 20) | rm;
  }
- /*
++static inline uint32_t syn_gpc(int s2ptw, int ind, int gpcsc,
 +                               int cm, int s1ptw, int wnr, int fsc)
 +{
 +    /* TODO: FEAT_NV2 adds VNCR */
 +    return (EC_GPC << ARM_EL_EC_SHIFT) | ARM_EL_IL | (s2ptw << 21)
 +            | (ind << 20) | (gpcsc << 14) | (cm << 8) | (s1ptw << 7)
 +            | (wnr << 6) | fsc;
 +}
 +
  static inline uint32_t syn_insn_abort(int same_el, int ea, int s1ptw, int fsc)
  {
      return (EC_INSNABORT << ARM_EL_EC_SHIFT) | (same_el << ARM_EL_EC_SHIFT)
 --
-.20.1
+.34.1

-[PULL 23/52] target/arm: Stop assuming DBGDIDR always exists
+[PULL 18/26] target/arm: Implement GPC exceptions
-The AArch32 DBGDIDR defines properties like the number of
+From: Richard Henderson <richard.henderson@linaro.org>
 breakpoints, watchpoints and context-matching comparators.  On an
 AArch64 CPU, the register may not even exist if AArch32 is not
 supported at EL1.
-Currently we hard-code use of DBGDIDR to identify the number of
+Handle GPC Fault types in arm_deliver_fault, reporting as
-breakpoints etc; this works for all our TCG CPUs, but will break if
+either a GPC exception at EL3, or falling through to insn
-we ever add an AArch64-only CPU.  We also have an assert() that the
+or data aborts at various exception levels.
 AArch32 and AArch64 registers match, which currently works only by
 luck for KVM because we don't populate either of these ID registers
 from the KVM vCPU and so they are both zero.
-Clean this up so we have functions for finding the number
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-of breakpoints, watchpoints and context comparators which look
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-in the appropriate ID register.
+Message-id: 20230620124418.805717-19-richard.henderson@linaro.org
 This allows us to drop the "check that AArch64 and AArch32 agree
 on the number of breakpoints etc" asserts:
  * we no longer look at the AArch32 versions unless that's the
    right place to be looking
  * it's valid to have a CPU (eg AArch64-only) where they don't match
  * we shouldn't have been asserting the validity of ID registers
    in a codepath used with KVM anyway
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200214175116.9164-11-peter.maydell@linaro.org
 ---
- target/arm/cpu.h          |  7 +++++++
+ target/arm/cpu.h            |  1 +
- target/arm/internals.h    | 42 +++++++++++++++++++++++++++++++++++++++
+ target/arm/internals.h      | 27 +++++++++++
- target/arm/debug_helper.c |  6 +++---
+ target/arm/helper.c         |  5 ++
- target/arm/helper.c       | 21 +++++---------------
+ target/arm/tcg/tlb_helper.c | 96 +++++++++++++++++++++++++++++++++++--
-files changed, 57 insertions(+), 19 deletions(-)
+files changed, 126 insertions(+), 3 deletions(-)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ FIELD(ID_DFR0, MPROFDBG, 20, 4)
+@@ -XXX,XX +XXX,XX @@
- FIELD(ID_DFR0, PERFMON, 24, 4)
+ #define EXCP_UNALIGNED      22   /* v7M UNALIGNED UsageFault */
- FIELD(ID_DFR0, TRACEFILT, 28, 4)
+ #define EXCP_DIVBYZERO      23   /* v7M DIVBYZERO UsageFault */
+ #define EXCP_VSERR          24
-+FIELD(DBGDIDR, SE_IMP, 12, 1)
++#define EXCP_GPC            25   /* v9 Granule Protection Check Fault */
-+FIELD(DBGDIDR, NSUHD_IMP, 14, 1)
+ /* NB: add new EXCP_ defines to the array in arm_log_exception() too */
-+FIELD(DBGDIDR, VERSION, 16, 4)
-+FIELD(DBGDIDR, CTX_CMPS, 20, 4)
+ #define ARMV7M_EXCP_RESET   1
 +FIELD(DBGDIDR, BRPS, 24, 4)
 +FIELD(DBGDIDR, WRPS, 28, 4)
 +
  FIELD(MVFR0, SIMDREG, 0, 4)
  FIELD(MVFR0, FPSP, 4, 4)
  FIELD(MVFR0, FPDP, 8, 4)
 diff --git a/target/arm/internals.h b/target/arm/internals.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/internals.h
 +++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ static inline uint32_t arm_debug_exception_fsr(CPUARMState *env)
+@@ -XXX,XX +XXX,XX @@ typedef enum ARMFaultType {
      ARMFault_ICacheMaint,
      ARMFault_QEMU_NSCExec, /* v8M: NS executing in S&NSC memory */
      ARMFault_QEMU_SFault, /* v8M: SecureFault INVTRAN, INVEP or AUVIOL */
 +    ARMFault_GPCFOnWalk,
 +    ARMFault_GPCFOnOutput,
  } ARMFaultType;
 +typedef enum ARMGPCF {
 +    GPCF_None,
 +    GPCF_AddressSize,
 +    GPCF_Walk,
 +    GPCF_EABT,
 +    GPCF_Fail,
 +} ARMGPCF;
 +
  /**
   * ARMMMUFaultInfo: Information describing an ARM MMU Fault
   * @type: Type of fault
 + * @gpcf: Subtype of ARMFault_GPCFOn{Walk,Output}.
   * @level: Table walk level (for translation, access flag and permission faults)
   * @domain: Domain of the fault address (for non-LPAE CPUs only)
   * @s2addr: Address that caused a fault at stage 2
 + * @paddr: physical address that caused a fault for gpc
 + * @paddr_space: physical address space that caused a fault for gpc
   * @stage2: True if we faulted at stage 2
   * @s1ptw: True if we faulted at stage 2 while doing a stage 1 page-table walk
   * @s1ns: True if we faulted on a non-secure IPA while in secure state
@@ -XXX,XX +XXX,XX @@ typedef enum ARMFaultType {
  typedef struct ARMMMUFaultInfo ARMMMUFaultInfo;
  struct ARMMMUFaultInfo {
      ARMFaultType type;
 +    ARMGPCF gpcf;
      target_ulong s2addr;
 +    target_ulong paddr;
 +    ARMSecuritySpace paddr_space;
      int level;
      int domain;
      bool stage2;
@@ -XXX,XX +XXX,XX @@ static inline uint32_t arm_fi_to_lfsc(ARMMMUFaultInfo *fi)
      case ARMFault_Exclusive:
          fsc = 0x35;
          break;
 +    case ARMFault_GPCFOnWalk:
 +        assert(fi->level >= -1 && fi->level <= 3);
 +        if (fi->level < 0) {
 +            fsc = 0b100011;
 +        } else {
 +            fsc = 0b100100 | fi->level;
 +        }
 +        break;
 +    case ARMFault_GPCFOnOutput:
 +        fsc = 0b101000;
 +        break;
      default:
          /* Other faults can't occur in a context that requires a
           * long-format status code.
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void arm_log_exception(CPUState *cs)
              [EXCP_UNALIGNED] = "v7M UNALIGNED UsageFault",
              [EXCP_DIVBYZERO] = "v7M DIVBYZERO UsageFault",
              [EXCP_VSERR] = "Virtual SERR",
 +            [EXCP_GPC] = "Granule Protection Check",
          };
          if (idx >= 0 && idx < ARRAY_SIZE(excnames)) {
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_do_interrupt_aarch64(CPUState *cs)
      }
+     switch (cs->exception_index) {
++    case EXCP_GPC:
++        qemu_log_mask(CPU_LOG_INT, "...with MFAR 0x%" PRIx64 "\n",
++                      env->cp15.mfar_el3);
++        /* fall through */
+     case EXCP_PREFETCH_ABORT:
+     case EXCP_DATA_ABORT:
+         /*
+diff --git a/target/arm/tcg/tlb_helper.c b/target/arm/tcg/tlb_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/tlb_helper.c
++++ b/target/arm/tcg/tlb_helper.c
+@@ -XXX,XX +XXX,XX @@ static uint32_t compute_fsr_fsc(CPUARMState *env, ARMMMUFaultInfo *fi,
+     return fsr;
  }
-+/**
++static bool report_as_gpc_exception(ARMCPU *cpu, int current_el,
-+ * arm_num_brps: Return number of implemented breakpoints.
++                                    ARMMMUFaultInfo *fi)
 + * Note that the ID register BRPS field is "number of bps - 1",
 + * and we return the actual number of breakpoints.
 + */
 +static inline int arm_num_brps(ARMCPU *cpu)
 +{
-+    if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
++    bool ret;
-+        return FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, BRPS) + 1;
++
 +    switch (fi->gpcf) {
 +    case GPCF_None:
 +        return false;
 +    case GPCF_AddressSize:
 +    case GPCF_Walk:
 +    case GPCF_EABT:
 +        /* R_PYTGX: GPT faults are reported as GPC. */
 +        ret = true;
 +        break;
 +    case GPCF_Fail:
 +        /*
 +         * R_BLYPM: A GPF at EL3 is reported as insn or data abort.
 +         * R_VBZMW, R_LXHQR: A GPF at EL[0-2] is reported as a GPC
 +         * if SCR_EL3.GPF is set, otherwise an insn or data abort.
 +         */
 +        ret = (cpu->env.cp15.scr_el3 & SCR_GPF) && current_el != 3;
 +        break;
 +    default:
 +        g_assert_not_reached();
 +    }
 +
 +    assert(cpu_isar_feature(aa64_rme, cpu));
 +    assert(fi->type == ARMFault_GPCFOnWalk ||
 +           fi->type == ARMFault_GPCFOnOutput);
 +    if (fi->gpcf == GPCF_AddressSize) {
 +        assert(fi->level == 0);
 +    } else {
-+        return FIELD_EX32(cpu->dbgdidr, DBGDIDR, BRPS) + 1;
++        assert(fi->level >= 0 && fi->level <= 1);
 +    }
 +
 +    return ret;
 +}
 +
-+/**
++static unsigned encode_gpcsc(ARMMMUFaultInfo *fi)
 + * arm_num_wrps: Return number of implemented watchpoints.
 + * Note that the ID register WRPS field is "number of wps - 1",
 + * and we return the actual number of watchpoints.
 + */
 +static inline int arm_num_wrps(ARMCPU *cpu)
 +{
-+    if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
++    static uint8_t const gpcsc[] = {
-+        return FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, WRPS) + 1;
++        [GPCF_AddressSize] = 0b000000,
-+    } else {
++        [GPCF_Walk]        = 0b000100,
-+        return FIELD_EX32(cpu->dbgdidr, DBGDIDR, WRPS) + 1;
++        [GPCF_Fail]        = 0b001100,
-+    }
++        [GPCF_EABT]        = 0b010100,
 +    };
 +
 +    /* Note that we've validated fi->gpcf and fi->level above. */
 +    return gpcsc[fi->gpcf] | fi->level;
 +}
 +
-+/**
+ static G_NORETURN
-+ * arm_num_ctx_cmps: Return number of implemented context comparators.
+ void arm_deliver_fault(ARMCPU *cpu, vaddr addr,
-+ * Note that the ID register CTX_CMPS field is "number of cmps - 1",
+                        MMUAccessType access_type,
-+ * and we return the actual number of comparators.
+                        int mmu_idx, ARMMMUFaultInfo *fi)
 + */
 +static inline int arm_num_ctx_cmps(ARMCPU *cpu)
 +{
 +    if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
 +        return FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, CTX_CMPS) + 1;
 +    } else {
 +        return FIELD_EX32(cpu->dbgdidr, DBGDIDR, CTX_CMPS) + 1;
 +    }
 +}
 +
  /* Note make_memop_idx reserves 4 bits for mmu_idx, and MO_BSWAP is bit 3.
   * Thus a TCGMemOpIdx, without any MO_ALIGN bits, fits in 8 bits.
   */
 diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/debug_helper.c
 +++ b/target/arm/debug_helper.c
@@ -XXX,XX +XXX,XX @@ static bool linked_bp_matches(ARMCPU *cpu, int lbn)
  {
      CPUARMState *env = &cpu->env;
-     uint64_t bcr = env->cp15.dbgbcr[lbn];
+-    int target_el;
--    int brps = extract32(cpu->dbgdidr, 24, 4);
++    int target_el = exception_target_el(env);
--    int ctx_cmps = extract32(cpu->dbgdidr, 20, 4);
++    int current_el = arm_current_el(env);
-+    int brps = arm_num_brps(cpu);
+     bool same_el;
-+    int ctx_cmps = arm_num_ctx_cmps(cpu);
+     uint32_t syn, exc, fsr, fsc;
-     int bt;
-     uint32_t contextidr;
+-    target_el = exception_target_el(env);
-     uint64_t hcr_el2;
++    if (report_as_gpc_exception(cpu, current_el, fi)) {
-@@ -XXX,XX +XXX,XX @@ static bool linked_bp_matches(ARMCPU *cpu, int lbn)
++        target_el = 3;
-      * case DBGWCR<n>_EL1.LBN must indicate that breakpoint).
++
-      * We choose the former.
++        fsr = compute_fsr_fsc(env, fi, target_el, mmu_idx, &fsc);
-      */
++
--    if (lbn > brps || lbn < (brps - ctx_cmps)) {
++        syn = syn_gpc(fi->stage2 && fi->type == ARMFault_GPCFOnWalk,
-+    if (lbn >= brps || lbn < (brps - ctx_cmps)) {
++                      access_type == MMU_INST_FETCH,
-         return false;
++                      encode_gpcsc(fi), 0, fi->s1ptw,
 +                      access_type == MMU_DATA_STORE, fsc);
 +
 +        env->cp15.mfar_el3 = fi->paddr;
 +        switch (fi->paddr_space) {
 +        case ARMSS_Secure:
 +            break;
 +        case ARMSS_NonSecure:
 +            env->cp15.mfar_el3 |= R_MFAR_NS_MASK;
 +            break;
 +        case ARMSS_Root:
 +            env->cp15.mfar_el3 |= R_MFAR_NSE_MASK;
 +            break;
 +        case ARMSS_Realm:
 +            env->cp15.mfar_el3 |= R_MFAR_NSE_MASK | R_MFAR_NS_MASK;
 +            break;
 +        default:
 +            g_assert_not_reached();
 +        }
 +
 +        exc = EXCP_GPC;
 +        goto do_raise;
 +    }
 +
 +    /* If SCR_EL3.GPF is unset, GPF may still be routed to EL2. */
 +    if (fi->gpcf == GPCF_Fail && target_el < 2) {
 +        if (arm_hcr_el2_eff(env) & HCR_GPF) {
 +            target_el = 2;
 +        }
 +    }
 +
      if (fi->stage2) {
          target_el = 2;
          env->cp15.hpfar_el2 = extract64(fi->s2addr, 12, 47) << 4;
@@ -XXX,XX +XXX,XX @@ void arm_deliver_fault(ARMCPU *cpu, vaddr addr,
              env->cp15.hpfar_el2 |= HPFAR_NS;
          }
      }
+-    same_el = (arm_current_el(env) == target_el);
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
++    same_el = current_el == target_el;
---- a/target/arm/helper.c
+     fsr = compute_fsr_fsc(env, fi, target_el, mmu_idx, &fsc);
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void define_debug_regs(ARMCPU *cpu)
+     if (access_type == MMU_INST_FETCH) {
-     };
+@@ -XXX,XX +XXX,XX @@ void arm_deliver_fault(ARMCPU *cpu, vaddr addr,
+         exc = EXCP_DATA_ABORT;
      /* Note that all these register fields hold "number of Xs minus 1". */
 -    brps = extract32(cpu->dbgdidr, 24, 4);
 -    wrps = extract32(cpu->dbgdidr, 28, 4);
 -    ctx_cmps = extract32(cpu->dbgdidr, 20, 4);
 +    brps = arm_num_brps(cpu);
 +    wrps = arm_num_wrps(cpu);
 +    ctx_cmps = arm_num_ctx_cmps(cpu);
      assert(ctx_cmps <= brps);
 -    /* The DBGDIDR and ID_AA64DFR0_EL1 define various properties
 -     * of the debug registers such as number of breakpoints;
 -     * check that if they both exist then they agree.
 -     */
 -    if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
 -        assert(FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, BRPS) == brps);
 -        assert(FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, WRPS) == wrps);
 -        assert(FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, CTX_CMPS)
 -               == ctx_cmps);
 -    }
 -
      define_one_arm_cp_reg(cpu, &dbgdidr);
      define_arm_cp_regs(cpu, debug_cp_reginfo);
@@ -XXX,XX +XXX,XX @@ static void define_debug_regs(ARMCPU *cpu)
          define_arm_cp_regs(cpu, debug_lpae_cp_reginfo);
      }
--    for (i = 0; i < brps + 1; i++) {
++ do_raise:
-+    for (i = 0; i < brps; i++) {
+     env->exception.vaddress = addr;
-         ARMCPRegInfo dbgregs[] = {
+     env->exception.fsr = fsr;
-             { .name = "DBGBVR", .state = ARM_CP_STATE_BOTH,
+     raise_exception(env, exc, syn, target_el);
                .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 4,
@@ -XXX,XX +XXX,XX @@ static void define_debug_regs(ARMCPU *cpu)
          define_arm_cp_regs(cpu, dbgregs);
      }
 -    for (i = 0; i < wrps + 1; i++) {
 +    for (i = 0; i < wrps; i++) {
          ARMCPRegInfo dbgregs[] = {
              { .name = "DBGWVR", .state = ARM_CP_STATE_BOTH,
                .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 6,
 --
-.20.1
+.34.1

-[PULL 13/52] target/arm: Split out aa64_va_parameter_tbi, aa64_va_parameter_tbid
+[PULL 19/26] target/arm: Implement the granule protection check
 From: Richard Henderson <richard.henderson@linaro.org>
-For the purpose of rebuild_hflags_a64, we do not need to compute
+Place the check at the end of get_phys_addr_with_struct,
-all of the va parameters, only tbi.  Moreover, we can compute them
+so that we check all physical results.
 in a form that is more useful to storing in hflags.
 This eliminates the need for aa64_va_parameter_both, so fold that
 in to aa64_va_parameter.  The remaining calls to aa64_va_parameter
 are in get_phys_addr_lpae and in pauth_helper.c.
 This reduces the total cpu consumption of aa64_va_parameter in a
 kernel boot plus a kvm guest kernel boot from 3% to 0.5%.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200216194343.21331-5-richard.henderson@linaro.org
+Message-id: 20230620124418.805717-20-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/internals.h |  3 --
+ target/arm/ptw.c | 249 +++++++++++++++++++++++++++++++++++++++++++----
- target/arm/helper.c    | 68 +++++++++++++++++++++++-------------------
+file changed, 232 insertions(+), 17 deletions(-)
 files changed, 37 insertions(+), 34 deletions(-)
-diff --git a/target/arm/internals.h b/target/arm/internals.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/internals.h
+--- a/target/arm/ptw.c
-+++ b/target/arm/internals.h
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ typedef struct ARMVAParameters {
+@@ -XXX,XX +XXX,XX @@ typedef struct S1Translate {
-     unsigned tsz    : 8;
+     void *out_host;
-     unsigned select : 1;
+ } S1Translate;
-     bool tbi        : 1;
--    bool tbid       : 1;
+-static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
-     bool epd        : 1;
+-                                      target_ulong address,
-     bool hpd        : 1;
+-                                      MMUAccessType access_type,
-     bool using16k   : 1;
+-                                      GetPhysAddrResult *result,
-     bool using64k   : 1;
+-                                      ARMMMUFaultInfo *fi);
- } ARMVAParameters;
++static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw,
++                                target_ulong address,
--ARMVAParameters aa64_va_parameters_both(CPUARMState *env, uint64_t va,
++                                MMUAccessType access_type,
--                                        ARMMMUIdx mmu_idx);
++                                GetPhysAddrResult *result,
- ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
++                                ARMMMUFaultInfo *fi);
-                                    ARMMMUIdx mmu_idx, bool data);
++
++static bool get_phys_addr_gpc(CPUARMState *env, S1Translate *ptw,
-diff --git a/target/arm/helper.c b/target/arm/helper.c
++                              target_ulong address,
-index XXXXXXX..XXXXXXX 100644
++                              MMUAccessType access_type,
---- a/target/arm/helper.c
++                              GetPhysAddrResult *result,
-+++ b/target/arm/helper.c
++                              ARMMMUFaultInfo *fi);
-@@ -XXX,XX +XXX,XX @@ static uint8_t convert_stage2_attrs(CPUARMState *env, uint8_t s2attrs)
- }
+ /* This mapping is common between ID_AA64MMFR0.PARANGE and TCR_ELx.{I}PS. */
- #endif /* !CONFIG_USER_ONLY */
+ static const uint8_t pamax_map[] = {
+@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
--ARMVAParameters aa64_va_parameters_both(CPUARMState *env, uint64_t va,
+     return (regime_sctlr(env, mmu_idx) & SCTLR_M) == 0;
--                                        ARMMMUIdx mmu_idx)
+ }
-+static int aa64_va_parameter_tbi(uint64_t tcr, ARMMMUIdx mmu_idx)
 +static bool granule_protection_check(CPUARMState *env, uint64_t paddress,
 +                                     ARMSecuritySpace pspace,
 +                                     ARMMMUFaultInfo *fi)
 +{
-+    if (regime_has_2_ranges(mmu_idx)) {
++    MemTxAttrs attrs = {
-+        return extract64(tcr, 37, 2);
++        .secure = true,
-+    } else if (mmu_idx == ARMMMUIdx_Stage2) {
++        .space = ARMSS_Root,
-+        return 0; /* VTCR_EL2 */
++    };
-+    } else {
++    ARMCPU *cpu = env_archcpu(env);
-+        return extract32(tcr, 20, 1);
++    uint64_t gpccr = env->cp15.gpccr_el3;
-+    }
++    unsigned pps, pgs, l0gptsz, level = 0;
 +    uint64_t tableaddr, pps_mask, align, entry, index;
 +    AddressSpace *as;
 +    MemTxResult result;
 +    int gpi;
 +
 +    if (!FIELD_EX64(gpccr, GPCCR, GPC)) {
 +        return true;
 +    }
 +
 +    /*
 +     * GPC Priority 1 (R_GMGRR):
 +     * R_JWCSM: If the configuration of GPCCR_EL3 is invalid,
 +     * the access fails as GPT walk fault at level 0.
 +     */
 +
 +    /*
 +     * Configuration of PPS to a value exceeding the implemented
 +     * physical address size is invalid.
 +     */
 +    pps = FIELD_EX64(gpccr, GPCCR, PPS);
 +    if (pps > FIELD_EX64(cpu->isar.id_aa64mmfr0, ID_AA64MMFR0, PARANGE)) {
 +        goto fault_walk;
 +    }
 +    pps = pamax_map[pps];
 +    pps_mask = MAKE_64BIT_MASK(0, pps);
 +
 +    switch (FIELD_EX64(gpccr, GPCCR, SH)) {
 +    case 0b10: /* outer shareable */
 +        break;
 +    case 0b00: /* non-shareable */
 +    case 0b11: /* inner shareable */
 +        /* Inner and Outer non-cacheable requires Outer shareable. */
 +        if (FIELD_EX64(gpccr, GPCCR, ORGN) == 0 &&
 +            FIELD_EX64(gpccr, GPCCR, IRGN) == 0) {
 +            goto fault_walk;
 +        }
 +        break;
 +    default:   /* reserved */
 +        goto fault_walk;
 +    }
 +
 +    switch (FIELD_EX64(gpccr, GPCCR, PGS)) {
 +    case 0b00: /* 4KB */
 +        pgs = 12;
 +        break;
 +    case 0b01: /* 64KB */
 +        pgs = 16;
 +        break;
 +    case 0b10: /* 16KB */
 +        pgs = 14;
 +        break;
 +    default: /* reserved */
 +        goto fault_walk;
 +    }
 +
 +    /* Note this field is read-only and fixed at reset. */
 +    l0gptsz = 30 + FIELD_EX64(gpccr, GPCCR, L0GPTSZ);
 +
 +    /*
 +     * GPC Priority 2: Secure, Realm or Root address exceeds PPS.
 +     * R_CPDSB: A NonSecure physical address input exceeding PPS
 +     * does not experience any fault.
 +     */
 +    if (paddress & ~pps_mask) {
 +        if (pspace == ARMSS_NonSecure) {
 +            return true;
 +        }
 +        goto fault_size;
 +    }
 +
 +    /* GPC Priority 3: the base address of GPTBR_EL3 exceeds PPS. */
 +    tableaddr = env->cp15.gptbr_el3 << 12;
 +    if (tableaddr & ~pps_mask) {
 +        goto fault_size;
 +    }
 +
 +    /*
 +     * BADDR is aligned per a function of PPS and L0GPTSZ.
 +     * These bits of GPTBR_EL3 are RES0, but are not a configuration error,
 +     * unlike the RES0 bits of the GPT entries (R_XNKFZ).
 +     */
 +    align = MAX(pps - l0gptsz + 3, 12);
 +    align = MAKE_64BIT_MASK(0, align);
 +    tableaddr &= ~align;
 +
 +    as = arm_addressspace(env_cpu(env), attrs);
 +
 +    /* Level 0 lookup. */
 +    index = extract64(paddress, l0gptsz, pps - l0gptsz);
 +    tableaddr += index * 8;
 +    entry = address_space_ldq_le(as, tableaddr, attrs, &result);
 +    if (result != MEMTX_OK) {
 +        goto fault_eabt;
 +    }
 +
 +    switch (extract32(entry, 0, 4)) {
 +    case 1: /* block descriptor */
 +        if (entry >> 8) {
 +            goto fault_walk; /* RES0 bits not 0 */
 +        }
 +        gpi = extract32(entry, 4, 4);
 +        goto found;
 +    case 3: /* table descriptor */
 +        tableaddr = entry & ~0xf;
 +        align = MAX(l0gptsz - pgs - 1, 12);
 +        align = MAKE_64BIT_MASK(0, align);
 +        if (tableaddr & (~pps_mask | align)) {
 +            goto fault_walk; /* RES0 bits not 0 */
 +        }
 +        break;
 +    default: /* invalid */
 +        goto fault_walk;
 +    }
 +
 +    /* Level 1 lookup */
 +    level = 1;
 +    index = extract64(paddress, pgs + 4, l0gptsz - pgs - 4);
 +    tableaddr += index * 8;
 +    entry = address_space_ldq_le(as, tableaddr, attrs, &result);
 +    if (result != MEMTX_OK) {
 +        goto fault_eabt;
 +    }
 +
 +    switch (extract32(entry, 0, 4)) {
 +    case 1: /* contiguous descriptor */
 +        if (entry >> 10) {
 +            goto fault_walk; /* RES0 bits not 0 */
 +        }
 +        /*
 +         * Because the softmmu tlb only works on units of TARGET_PAGE_SIZE,
 +         * and because we cannot invalidate by pa, and thus will always
 +         * flush entire tlbs, we don't actually care about the range here
 +         * and can simply extract the GPI as the result.
 +         */
 +        if (extract32(entry, 8, 2) == 0) {
 +            goto fault_walk; /* reserved contig */
 +        }
 +        gpi = extract32(entry, 4, 4);
 +        break;
 +    default:
 +        index = extract64(paddress, pgs, 4);
 +        gpi = extract64(entry, index * 4, 4);
 +        break;
 +    }
 +
 + found:
 +    switch (gpi) {
 +    case 0b0000: /* no access */
 +        break;
 +    case 0b1111: /* all access */
 +        return true;
 +    case 0b1000:
 +    case 0b1001:
 +    case 0b1010:
 +    case 0b1011:
 +        if (pspace == (gpi & 3)) {
 +            return true;
 +        }
 +        break;
 +    default:
 +        goto fault_walk; /* reserved */
 +    }
 +
 +    fi->gpcf = GPCF_Fail;
 +    goto fault_common;
 + fault_eabt:
 +    fi->gpcf = GPCF_EABT;
 +    goto fault_common;
 + fault_size:
 +    fi->gpcf = GPCF_AddressSize;
 +    goto fault_common;
 + fault_walk:
 +    fi->gpcf = GPCF_Walk;
 + fault_common:
 +    fi->level = level;
 +    fi->paddr = paddress;
 +    fi->paddr_space = pspace;
 +    return false;
 +}
 +
-+static int aa64_va_parameter_tbid(uint64_t tcr, ARMMMUIdx mmu_idx)
+ static bool S2_attrs_are_device(uint64_t hcr, uint8_t attrs)
  {
      /*
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
          };
          GetPhysAddrResult s2 = { };
 -        if (get_phys_addr_with_struct(env, &s2ptw, addr,
 -                                      MMU_DATA_LOAD, &s2, fi)) {
 +        if (get_phys_addr_gpc(env, &s2ptw, addr, MMU_DATA_LOAD, &s2, fi)) {
              goto fail;
          }
 +
          ptw->out_phys = s2.f.phys_addr;
          pte_attrs = s2.cacheattrs.attrs;
          ptw->out_host = NULL;
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
   fail:
      assert(fi->type != ARMFault_None);
 +    if (fi->type == ARMFault_GPCFOnOutput) {
 +        fi->type = ARMFault_GPCFOnWalk;
 +    }
      fi->s2addr = addr;
      fi->stage2 = true;
      fi->s1ptw = true;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
                                     ARMMMUFaultInfo *fi)
  {
      uint8_t memattr = 0x00;    /* Device nGnRnE */
 -    uint8_t shareability = 0;  /* non-sharable */
 +    uint8_t shareability = 0;  /* non-shareable */
      int r_el;
      switch (mmu_idx) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
              } else {
                  memattr = 0x44;  /* Normal, NC, No */
              }
 -            shareability = 2; /* outer sharable */
 +            shareability = 2; /* outer shareable */
          }
          result->cacheattrs.is_s2_format = false;
          break;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
      ARMSecuritySpace ipa_space;
      uint64_t hcr;
 -    ret = get_phys_addr_with_struct(env, ptw, address, access_type, result, fi);
 +    ret = get_phys_addr_nogpc(env, ptw, address, access_type, result, fi);
      /* If S1 fails, return early.  */
      if (ret) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
      cacheattrs1 = result->cacheattrs;
      memset(result, 0, sizeof(*result));
 -    ret = get_phys_addr_with_struct(env, ptw, ipa, access_type, result, fi);
 +    ret = get_phys_addr_nogpc(env, ptw, ipa, access_type, result, fi);
      fi->s2addr = ipa;
      /* Combine the S1 and S2 perms.  */
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
      return false;
  }
 -static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
 +static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw,
                                        target_ulong address,
                                        MMUAccessType access_type,
                                        GetPhysAddrResult *result,
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
      }
  }
 +static bool get_phys_addr_gpc(CPUARMState *env, S1Translate *ptw,
 +                              target_ulong address,
 +                              MMUAccessType access_type,
 +                              GetPhysAddrResult *result,
 +                              ARMMMUFaultInfo *fi)
 +{
-+    if (regime_has_2_ranges(mmu_idx)) {
++    if (get_phys_addr_nogpc(env, ptw, address, access_type, result, fi)) {
-+        return extract64(tcr, 51, 2);
++        return true;
-+    } else if (mmu_idx == ARMMMUIdx_Stage2) {
++    }
-+        return 0; /* VTCR_EL2 */
++    if (!granule_protection_check(env, result->f.phys_addr,
-+    } else {
++                                  result->f.attrs.space, fi)) {
-+        return extract32(tcr, 29, 1);
++        fi->type = ARMFault_GPCFOnOutput;
-+    }
++        return true;
 +    }
 +    return false;
 +}
 +
-+ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
+ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
-+                                   ARMMMUIdx mmu_idx, bool data)
+                                MMUAccessType access_type, ARMMMUIdx mmu_idx,
- {
+                                bool is_secure, GetPhysAddrResult *result,
-     uint64_t tcr = regime_tcr(env, mmu_idx)->raw_tcr;
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
--    bool tbi, tbid, epd, hpd, using16k, using64k;
+         .in_secure = is_secure,
--    int select, tsz;
+         .in_space = arm_secure_to_space(is_secure),
 +    bool epd, hpd, using16k, using64k;
 +    int select, tsz, tbi;
      if (!regime_has_2_ranges(mmu_idx)) {
          select = 0;
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters_both(CPUARMState *env, uint64_t va,
          using16k = extract32(tcr, 15, 1);
          if (mmu_idx == ARMMMUIdx_Stage2) {
              /* VTCR_EL2 */
 -            tbi = tbid = hpd = false;
 +            hpd = false;
          } else {
 -            tbi = extract32(tcr, 20, 1);
              hpd = extract32(tcr, 24, 1);
 -            tbid = extract32(tcr, 29, 1);
          }
          epd = false;
      } else {
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters_both(CPUARMState *env, uint64_t va,
              epd = extract32(tcr, 7, 1);
              using64k = extract32(tcr, 14, 1);
              using16k = extract32(tcr, 15, 1);
 -            tbi = extract64(tcr, 37, 1);
              hpd = extract64(tcr, 41, 1);
 -            tbid = extract64(tcr, 51, 1);
          } else {
              int tg = extract32(tcr, 30, 2);
              using16k = tg == 1;
              using64k = tg == 3;
              tsz = extract32(tcr, 16, 6);
              epd = extract32(tcr, 23, 1);
 -            tbi = extract64(tcr, 38, 1);
              hpd = extract64(tcr, 42, 1);
 -            tbid = extract64(tcr, 52, 1);
          }
      }
      tsz = MIN(tsz, 39);  /* TODO: ARMv8.4-TTST */
      tsz = MAX(tsz, 16);  /* TODO: ARMv8.2-LVA  */
 +    /* Present TBI as a composite with TBID.  */
 +    tbi = aa64_va_parameter_tbi(tcr, mmu_idx);
 +    if (!data) {
 +        tbi &= ~aa64_va_parameter_tbid(tcr, mmu_idx);
 +    }
 +    tbi = (tbi >> select) & 1;
 +
      return (ARMVAParameters) {
          .tsz = tsz,
          .select = select,
          .tbi = tbi,
 -        .tbid = tbid,
          .epd = epd,
          .hpd = hpd,
          .using16k = using16k,
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters_both(CPUARMState *env, uint64_t va,
      };
- }
+-    return get_phys_addr_with_struct(env, &ptw, address, access_type,
+-                                     result, fi);
--ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
++    return get_phys_addr_gpc(env, &ptw, address, access_type, result, fi);
--                                   ARMMMUIdx mmu_idx, bool data)
+ }
--{
--    ARMVAParameters ret = aa64_va_parameters_both(env, va, mmu_idx);
+ bool get_phys_addr(CPUARMState *env, target_ulong address,
--
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
--    /* Present TBI as a composite with TBID.  */
--    ret.tbi &= (data || !ret.tbid);
+     ptw.in_space = ss;
--    return ret;
+     ptw.in_secure = arm_space_is_secure(ss);
--}
+-    return get_phys_addr_with_struct(env, &ptw, address, access_type,
--
+-                                     result, fi);
- #ifndef CONFIG_USER_ONLY
++    return get_phys_addr_gpc(env, &ptw, address, access_type, result, fi);
- static ARMVAParameters aa32_va_parameters(CPUARMState *env, uint32_t va,
+ }
-                                           ARMMMUIdx mmu_idx)
-@@ -XXX,XX +XXX,XX @@ static uint32_t rebuild_hflags_a64(CPUARMState *env, int el, int fp_el,
+ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
- {
+@@ -XXX,XX +XXX,XX @@ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
-     uint32_t flags = rebuild_hflags_aprofile(env);
+     ARMMMUFaultInfo fi = {};
-     ARMMMUIdx stage1 = stage_1_mmu_idx(mmu_idx);
+     bool ret;
--    ARMVAParameters p0 = aa64_va_parameters_both(env, 0, stage1);
-+    uint64_t tcr = regime_tcr(env, mmu_idx)->raw_tcr;
+-    ret = get_phys_addr_with_struct(env, &ptw, addr, MMU_DATA_LOAD, &res, &fi);
-     uint64_t sctlr;
++    ret = get_phys_addr_gpc(env, &ptw, addr, MMU_DATA_LOAD, &res, &fi);
-     int tbii, tbid;
+     *attrs = res.f.attrs;
-     flags = FIELD_DP32(flags, TBFLAG_ANY, AARCH64_STATE, 1);
+     if (ret) {
      /* Get control bits for tagged addresses.  */
 -    if (regime_has_2_ranges(mmu_idx)) {
 -        ARMVAParameters p1 = aa64_va_parameters_both(env, -1, stage1);
 -        tbid = (p1.tbi << 1) | p0.tbi;
 -        tbii = tbid & ~((p1.tbid << 1) | p0.tbid);
 -    } else {
 -        tbid = p0.tbi;
 -        tbii = tbid & !p0.tbid;
 -    }
 +    tbid = aa64_va_parameter_tbi(tcr, mmu_idx);
 +    tbii = tbid & ~aa64_va_parameter_tbid(tcr, mmu_idx);
      flags = FIELD_DP32(flags, TBFLAG_A64, TBII, tbii);
      flags = FIELD_DP32(flags, TBFLAG_A64, TBID, tbid);
 --
-.20.1
+.34.1

-[PULL 38/52] target/arm: Vectorize USHL and SSHL
+[PULL 20/26] target/arm: Add cpu properties for enabling FEAT_RME
 From: Richard Henderson <richard.henderson@linaro.org>
-These instructions shift left or right depending on the sign
+Add an x-rme cpu property to enable FEAT_RME.
-of the input, and 7 bits are significant to the shift.  This
+Add an x-l0gptsz property to set GPCCR_EL3.L0GPTSZ,
-requires several masks and selects in addition to the actual
+for testing various possible configurations.
 shifts to form the complete answer.
-That said, the operation is still a small improvement even for
+We're not currently completely sure whether FEAT_RME will
-two 64-bit elements -- 13 vector operations instead of 2 * 7
+be OK to enable purely as a CPU-level property, or if it will
-integer operations.
+need board co-operation, so we're making these experimental
 x- properties, so that the people developing the system
 level software for RME can try to start using this and let
 us know how it goes. The command line syntax for enabling
 this will change in future, without backwards-compatibility.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200216214232.4230-2-richard.henderson@linaro.org
+Message-id: 20230620124418.805717-21-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.h        |  11 +-
+ target/arm/tcg/cpu64.c | 53 ++++++++++++++++++++++++++++++++++++++++++
- target/arm/translate.h     |   6 +
+file changed, 53 insertions(+)
  target/arm/neon_helper.c   |  33 ----
  target/arm/translate-a64.c |  18 +--
  target/arm/translate.c     | 299 +++++++++++++++++++++++++++++++++++--
  target/arm/vec_helper.c    |  88 +++++++++++
 files changed, 389 insertions(+), 66 deletions(-)
-diff --git a/target/arm/helper.h b/target/arm/helper.h
+diff --git a/target/arm/tcg/cpu64.c b/target/arm/tcg/cpu64.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.h
+--- a/target/arm/tcg/cpu64.c
-+++ b/target/arm/helper.h
++++ b/target/arm/tcg/cpu64.c
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_2(neon_abd_s16, i32, i32, i32)
+@@ -XXX,XX +XXX,XX @@ static void cpu_max_set_sve_max_vq(Object *obj, Visitor *v, const char *name,
- DEF_HELPER_2(neon_abd_u32, i32, i32, i32)
+     cpu->sve_max_vq = max_vq;
- DEF_HELPER_2(neon_abd_s32, i32, i32, i32)
+ }
--DEF_HELPER_2(neon_shl_u8, i32, i32, i32)
++static bool cpu_arm_get_rme(Object *obj, Error **errp)
 -DEF_HELPER_2(neon_shl_s8, i32, i32, i32)
  DEF_HELPER_2(neon_shl_u16, i32, i32, i32)
  DEF_HELPER_2(neon_shl_s16, i32, i32, i32)
 -DEF_HELPER_2(neon_shl_u32, i32, i32, i32)
 -DEF_HELPER_2(neon_shl_s32, i32, i32, i32)
 -DEF_HELPER_2(neon_shl_u64, i64, i64, i64)
 -DEF_HELPER_2(neon_shl_s64, i64, i64, i64)
  DEF_HELPER_2(neon_rshl_u8, i32, i32, i32)
  DEF_HELPER_2(neon_rshl_s8, i32, i32, i32)
  DEF_HELPER_2(neon_rshl_u16, i32, i32, i32)
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_2(frint64_s, TCG_CALL_NO_RWG, f32, f32, ptr)
  DEF_HELPER_FLAGS_2(frint32_d, TCG_CALL_NO_RWG, f64, f64, ptr)
  DEF_HELPER_FLAGS_2(frint64_d, TCG_CALL_NO_RWG, f64, f64, ptr)
 +DEF_HELPER_FLAGS_4(gvec_sshl_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(gvec_sshl_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(gvec_ushl_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(gvec_ushl_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +
  #ifdef TARGET_AARCH64
  #include "helper-a64.h"
  #include "helper-sve.h"
 diff --git a/target/arm/translate.h b/target/arm/translate.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.h
 +++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ uint64_t vfp_expand_imm(int size, uint8_t imm8);
  extern const GVecGen3 mla_op[4];
  extern const GVecGen3 mls_op[4];
  extern const GVecGen3 cmtst_op[4];
 +extern const GVecGen3 sshl_op[4];
 +extern const GVecGen3 ushl_op[4];
  extern const GVecGen2i ssra_op[4];
  extern const GVecGen2i usra_op[4];
  extern const GVecGen2i sri_op[4];
@@ -XXX,XX +XXX,XX @@ extern const GVecGen4 sqadd_op[4];
  extern const GVecGen4 uqsub_op[4];
  extern const GVecGen4 sqsub_op[4];
  void gen_cmtst_i64(TCGv_i64 d, TCGv_i64 a, TCGv_i64 b);
 +void gen_ushl_i32(TCGv_i32 d, TCGv_i32 a, TCGv_i32 b);
 +void gen_sshl_i32(TCGv_i32 d, TCGv_i32 a, TCGv_i32 b);
 +void gen_ushl_i64(TCGv_i64 d, TCGv_i64 a, TCGv_i64 b);
 +void gen_sshl_i64(TCGv_i64 d, TCGv_i64 a, TCGv_i64 b);
  /*
   * Forward to the isar_feature_* tests given a DisasContext pointer.
 diff --git a/target/arm/neon_helper.c b/target/arm/neon_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/neon_helper.c
 +++ b/target/arm/neon_helper.c
@@ -XXX,XX +XXX,XX @@ NEON_VOP(abd_u32, neon_u32, 1)
      } else { \
          dest = src1 << tmp; \
      }} while (0)
 -NEON_VOP(shl_u8, neon_u8, 4)
  NEON_VOP(shl_u16, neon_u16, 2)
 -NEON_VOP(shl_u32, neon_u32, 1)
  #undef NEON_FN
 -uint64_t HELPER(neon_shl_u64)(uint64_t val, uint64_t shiftop)
 -{
 -    int8_t shift = (int8_t)shiftop;
 -    if (shift >= 64 || shift <= -64) {
 -        val = 0;
 -    } else if (shift < 0) {
 -        val >>= -shift;
 -    } else {
 -        val <<= shift;
 -    }
 -    return val;
 -}
 -
  #define NEON_FN(dest, src1, src2) do { \
      int8_t tmp; \
      tmp = (int8_t)src2; \
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(neon_shl_u64)(uint64_t val, uint64_t shiftop)
      } else { \
          dest = src1 << tmp; \
      }} while (0)
 -NEON_VOP(shl_s8, neon_s8, 4)
  NEON_VOP(shl_s16, neon_s16, 2)
 -NEON_VOP(shl_s32, neon_s32, 1)
  #undef NEON_FN
 -uint64_t HELPER(neon_shl_s64)(uint64_t valop, uint64_t shiftop)
 -{
 -    int8_t shift = (int8_t)shiftop;
 -    int64_t val = valop;
 -    if (shift >= 64) {
 -        val = 0;
 -    } else if (shift <= -64) {
 -        val >>= 63;
 -    } else if (shift < 0) {
 -        val >>= -shift;
 -    } else {
 -        val <<= shift;
 -    }
 -    return val;
 -}
 -
  #define NEON_FN(dest, src1, src2) do { \
      int8_t tmp; \
      tmp = (int8_t)src2; \
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_3same_64(DisasContext *s, int opcode, bool u,
          break;
      case 0x8: /* SSHL, USHL */
          if (u) {
 -            gen_helper_neon_shl_u64(tcg_rd, tcg_rn, tcg_rm);
 +            gen_ushl_i64(tcg_rd, tcg_rn, tcg_rm);
          } else {
 -            gen_helper_neon_shl_s64(tcg_rd, tcg_rn, tcg_rm);
 +            gen_sshl_i64(tcg_rd, tcg_rn, tcg_rm);
          }
          break;
      case 0x9: /* SQSHL, UQSHL */
@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
                         is_q ? 16 : 8, vec_full_reg_size(s),
                         (u ? uqsub_op : sqsub_op) + size);
          return;
 +    case 0x08: /* SSHL, USHL */
 +        gen_gvec_op3(s, is_q, rd, rn, rm,
 +                     u ? &ushl_op[size] : &sshl_op[size]);
 +        return;
      case 0x0c: /* SMAX, UMAX */
          if (u) {
              gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_umax, size);
@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
                  genfn = fns[size][u];
                  break;
              }
 -            case 0x8: /* SSHL, USHL */
 -            {
 -                static NeonGenTwoOpFn * const fns[3][2] = {
 -                    { gen_helper_neon_shl_s8, gen_helper_neon_shl_u8 },
 -                    { gen_helper_neon_shl_s16, gen_helper_neon_shl_u16 },
 -                    { gen_helper_neon_shl_s32, gen_helper_neon_shl_u32 },
 -                };
 -                genfn = fns[size][u];
 -                break;
 -            }
              case 0x9: /* SQSHL, UQSHL */
              {
                  static NeonGenTwoOpEnvFn * const fns[3][2] = {
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_neon_shift_narrow(int size, TCGv_i32 var, TCGv_i32 shift,
          if (u) {
              switch (size) {
              case 1: gen_helper_neon_shl_u16(var, var, shift); break;
 -            case 2: gen_helper_neon_shl_u32(var, var, shift); break;
 +            case 2: gen_ushl_i32(var, var, shift); break;
              default: abort();
              }
          } else {
              switch (size) {
              case 1: gen_helper_neon_shl_s16(var, var, shift); break;
 -            case 2: gen_helper_neon_shl_s32(var, var, shift); break;
 +            case 2: gen_sshl_i32(var, var, shift); break;
              default: abort();
              }
          }
@@ -XXX,XX +XXX,XX @@ const GVecGen3 cmtst_op[4] = {
        .vece = MO_64 },
  };
 +void gen_ushl_i32(TCGv_i32 dst, TCGv_i32 src, TCGv_i32 shift)
 +{
-+    TCGv_i32 lval = tcg_temp_new_i32();
++    ARMCPU *cpu = ARM_CPU(obj);
-+    TCGv_i32 rval = tcg_temp_new_i32();
++    return cpu_isar_feature(aa64_rme, cpu);
 +    TCGv_i32 lsh = tcg_temp_new_i32();
 +    TCGv_i32 rsh = tcg_temp_new_i32();
 +    TCGv_i32 zero = tcg_const_i32(0);
 +    TCGv_i32 max = tcg_const_i32(32);
 +
 +    /*
 +     * Rely on the TCG guarantee that out of range shifts produce
 +     * unspecified results, not undefined behaviour (i.e. no trap).
 +     * Discard out-of-range results after the fact.
 +     */
 +    tcg_gen_ext8s_i32(lsh, shift);
 +    tcg_gen_neg_i32(rsh, lsh);
 +    tcg_gen_shl_i32(lval, src, lsh);
 +    tcg_gen_shr_i32(rval, src, rsh);
 +    tcg_gen_movcond_i32(TCG_COND_LTU, dst, lsh, max, lval, zero);
 +    tcg_gen_movcond_i32(TCG_COND_LTU, dst, rsh, max, rval, dst);
 +
 +    tcg_temp_free_i32(lval);
 +    tcg_temp_free_i32(rval);
 +    tcg_temp_free_i32(lsh);
 +    tcg_temp_free_i32(rsh);
 +    tcg_temp_free_i32(zero);
 +    tcg_temp_free_i32(max);
 +}
 +
-+void gen_ushl_i64(TCGv_i64 dst, TCGv_i64 src, TCGv_i64 shift)
++static void cpu_arm_set_rme(Object *obj, bool value, Error **errp)
 +{
-+    TCGv_i64 lval = tcg_temp_new_i64();
++    ARMCPU *cpu = ARM_CPU(obj);
-+    TCGv_i64 rval = tcg_temp_new_i64();
++    uint64_t t;
 +    TCGv_i64 lsh = tcg_temp_new_i64();
 +    TCGv_i64 rsh = tcg_temp_new_i64();
 +    TCGv_i64 zero = tcg_const_i64(0);
 +    TCGv_i64 max = tcg_const_i64(64);
 +
-+    /*
++    t = cpu->isar.id_aa64pfr0;
-+     * Rely on the TCG guarantee that out of range shifts produce
++    t = FIELD_DP64(t, ID_AA64PFR0, RME, value);
-+     * unspecified results, not undefined behaviour (i.e. no trap).
++    cpu->isar.id_aa64pfr0 = t;
 +     * Discard out-of-range results after the fact.
 +     */
 +    tcg_gen_ext8s_i64(lsh, shift);
 +    tcg_gen_neg_i64(rsh, lsh);
 +    tcg_gen_shl_i64(lval, src, lsh);
 +    tcg_gen_shr_i64(rval, src, rsh);
 +    tcg_gen_movcond_i64(TCG_COND_LTU, dst, lsh, max, lval, zero);
 +    tcg_gen_movcond_i64(TCG_COND_LTU, dst, rsh, max, rval, dst);
 +
 +    tcg_temp_free_i64(lval);
 +    tcg_temp_free_i64(rval);
 +    tcg_temp_free_i64(lsh);
 +    tcg_temp_free_i64(rsh);
 +    tcg_temp_free_i64(zero);
 +    tcg_temp_free_i64(max);
 +}
 +
-+static void gen_ushl_vec(unsigned vece, TCGv_vec dst,
++static void cpu_max_set_l0gptsz(Object *obj, Visitor *v, const char *name,
-+                         TCGv_vec src, TCGv_vec shift)
++                                void *opaque, Error **errp)
 +{
-+    TCGv_vec lval = tcg_temp_new_vec_matching(dst);
++    ARMCPU *cpu = ARM_CPU(obj);
-+    TCGv_vec rval = tcg_temp_new_vec_matching(dst);
++    uint32_t value;
 +    TCGv_vec lsh = tcg_temp_new_vec_matching(dst);
 +    TCGv_vec rsh = tcg_temp_new_vec_matching(dst);
 +    TCGv_vec msk, max;
 +
-+    tcg_gen_neg_vec(vece, rsh, shift);
++    if (!visit_type_uint32(v, name, &value, errp)) {
-+    if (vece == MO_8) {
++        return;
 +        tcg_gen_mov_vec(lsh, shift);
 +    } else {
 +        msk = tcg_temp_new_vec_matching(dst);
 +        tcg_gen_dupi_vec(vece, msk, 0xff);
 +        tcg_gen_and_vec(vece, lsh, shift, msk);
 +        tcg_gen_and_vec(vece, rsh, rsh, msk);
 +        tcg_temp_free_vec(msk);
 +    }
 +
-+    /*
++    /* Encode the value for the GPCCR_EL3 field. */
-+     * Rely on the TCG guarantee that out of range shifts produce
++    switch (value) {
-+     * unspecified results, not undefined behaviour (i.e. no trap).
++    case 30:
-+     * Discard out-of-range results after the fact.
++    case 34:
-+     */
++    case 36:
-+    tcg_gen_shlv_vec(vece, lval, src, lsh);
++    case 39:
-+    tcg_gen_shrv_vec(vece, rval, src, rsh);
++        cpu->reset_l0gptsz = value - 30;
-+
++        break;
-+    max = tcg_temp_new_vec_matching(dst);
++    default:
-+    tcg_gen_dupi_vec(vece, max, 8 << vece);
++        error_setg(errp, "invalid value for l0gptsz");
-+
++        error_append_hint(errp, "valid values are 30, 34, 36, 39\n");
-+    /*
++        break;
 +     * The choice of LT (signed) and GEU (unsigned) are biased toward
 +     * the instructions of the x86_64 host.  For MO_8, the whole byte
 +     * is significant so we must use an unsigned compare; otherwise we
 +     * have already masked to a byte and so a signed compare works.
 +     * Other tcg hosts have a full set of comparisons and do not care.
 +     */
 +    if (vece == MO_8) {
 +        tcg_gen_cmp_vec(TCG_COND_GEU, vece, lsh, lsh, max);
 +        tcg_gen_cmp_vec(TCG_COND_GEU, vece, rsh, rsh, max);
 +        tcg_gen_andc_vec(vece, lval, lval, lsh);
 +        tcg_gen_andc_vec(vece, rval, rval, rsh);
 +    } else {
 +        tcg_gen_cmp_vec(TCG_COND_LT, vece, lsh, lsh, max);
 +        tcg_gen_cmp_vec(TCG_COND_LT, vece, rsh, rsh, max);
 +        tcg_gen_and_vec(vece, lval, lval, lsh);
 +        tcg_gen_and_vec(vece, rval, rval, rsh);
 +    }
-+    tcg_gen_or_vec(vece, dst, lval, rval);
-+
-+    tcg_temp_free_vec(max);
-+    tcg_temp_free_vec(lval);
-+    tcg_temp_free_vec(rval);
-+    tcg_temp_free_vec(lsh);
-+    tcg_temp_free_vec(rsh);
 +}
 +
-+static const TCGOpcode ushl_list[] = {
++static void cpu_max_get_l0gptsz(Object *obj, Visitor *v, const char *name,
-+    INDEX_op_neg_vec, INDEX_op_shlv_vec,
++                                void *opaque, Error **errp)
-+    INDEX_op_shrv_vec, INDEX_op_cmp_vec, 0
++{
-+};
++    ARMCPU *cpu = ARM_CPU(obj);
 +    uint32_t value = cpu->reset_l0gptsz + 30;
 +
-+const GVecGen3 ushl_op[4] = {
++    visit_type_uint32(v, name, &value, errp);
 +    { .fniv = gen_ushl_vec,
 +      .fno = gen_helper_gvec_ushl_b,
 +      .opt_opc = ushl_list,
 +      .vece = MO_8 },
 +    { .fniv = gen_ushl_vec,
 +      .fno = gen_helper_gvec_ushl_h,
 +      .opt_opc = ushl_list,
 +      .vece = MO_16 },
 +    { .fni4 = gen_ushl_i32,
 +      .fniv = gen_ushl_vec,
 +      .opt_opc = ushl_list,
 +      .vece = MO_32 },
 +    { .fni8 = gen_ushl_i64,
 +      .fniv = gen_ushl_vec,
 +      .opt_opc = ushl_list,
 +      .vece = MO_64 },
 +};
 +
 +void gen_sshl_i32(TCGv_i32 dst, TCGv_i32 src, TCGv_i32 shift)
 +{
 +    TCGv_i32 lval = tcg_temp_new_i32();
 +    TCGv_i32 rval = tcg_temp_new_i32();
 +    TCGv_i32 lsh = tcg_temp_new_i32();
 +    TCGv_i32 rsh = tcg_temp_new_i32();
 +    TCGv_i32 zero = tcg_const_i32(0);
 +    TCGv_i32 max = tcg_const_i32(31);
 +
 +    /*
 +     * Rely on the TCG guarantee that out of range shifts produce
 +     * unspecified results, not undefined behaviour (i.e. no trap).
 +     * Discard out-of-range results after the fact.
 +     */
 +    tcg_gen_ext8s_i32(lsh, shift);
 +    tcg_gen_neg_i32(rsh, lsh);
 +    tcg_gen_shl_i32(lval, src, lsh);
 +    tcg_gen_umin_i32(rsh, rsh, max);
 +    tcg_gen_sar_i32(rval, src, rsh);
 +    tcg_gen_movcond_i32(TCG_COND_LEU, lval, lsh, max, lval, zero);
 +    tcg_gen_movcond_i32(TCG_COND_LT, dst, lsh, zero, rval, lval);
 +
 +    tcg_temp_free_i32(lval);
 +    tcg_temp_free_i32(rval);
 +    tcg_temp_free_i32(lsh);
 +    tcg_temp_free_i32(rsh);
 +    tcg_temp_free_i32(zero);
 +    tcg_temp_free_i32(max);
 +}
 +
-+void gen_sshl_i64(TCGv_i64 dst, TCGv_i64 src, TCGv_i64 shift)
+ static Property arm_cpu_lpa2_property =
-+{
+     DEFINE_PROP_BOOL("lpa2", ARMCPU, prop_lpa2, true);
-+    TCGv_i64 lval = tcg_temp_new_i64();
-+    TCGv_i64 rval = tcg_temp_new_i64();
+@@ -XXX,XX +XXX,XX @@ void aarch64_max_tcg_initfn(Object *obj)
-+    TCGv_i64 lsh = tcg_temp_new_i64();
+     aarch64_add_sme_properties(obj);
-+    TCGv_i64 rsh = tcg_temp_new_i64();
+     object_property_add(obj, "sve-max-vq", "uint32", cpu_max_get_sve_max_vq,
-+    TCGv_i64 zero = tcg_const_i64(0);
+                         cpu_max_set_sve_max_vq, NULL, NULL);
-+    TCGv_i64 max = tcg_const_i64(63);
++    object_property_add_bool(obj, "x-rme", cpu_arm_get_rme, cpu_arm_set_rme);
-+
++    object_property_add(obj, "x-l0gptsz", "uint32", cpu_max_get_l0gptsz,
-+    /*
++                        cpu_max_set_l0gptsz, NULL, NULL);
-+     * Rely on the TCG guarantee that out of range shifts produce
+     qdev_property_add_static(DEVICE(obj), &arm_cpu_lpa2_property);
 +     * unspecified results, not undefined behaviour (i.e. no trap).
 +     * Discard out-of-range results after the fact.
 +     */
 +    tcg_gen_ext8s_i64(lsh, shift);
 +    tcg_gen_neg_i64(rsh, lsh);
 +    tcg_gen_shl_i64(lval, src, lsh);
 +    tcg_gen_umin_i64(rsh, rsh, max);
 +    tcg_gen_sar_i64(rval, src, rsh);
 +    tcg_gen_movcond_i64(TCG_COND_LEU, lval, lsh, max, lval, zero);
 +    tcg_gen_movcond_i64(TCG_COND_LT, dst, lsh, zero, rval, lval);
 +
 +    tcg_temp_free_i64(lval);
 +    tcg_temp_free_i64(rval);
 +    tcg_temp_free_i64(lsh);
 +    tcg_temp_free_i64(rsh);
 +    tcg_temp_free_i64(zero);
 +    tcg_temp_free_i64(max);
 +}
 +
 +static void gen_sshl_vec(unsigned vece, TCGv_vec dst,
 +                         TCGv_vec src, TCGv_vec shift)
 +{
 +    TCGv_vec lval = tcg_temp_new_vec_matching(dst);
 +    TCGv_vec rval = tcg_temp_new_vec_matching(dst);
 +    TCGv_vec lsh = tcg_temp_new_vec_matching(dst);
 +    TCGv_vec rsh = tcg_temp_new_vec_matching(dst);
 +    TCGv_vec tmp = tcg_temp_new_vec_matching(dst);
 +
 +    /*
 +     * Rely on the TCG guarantee that out of range shifts produce
 +     * unspecified results, not undefined behaviour (i.e. no trap).
 +     * Discard out-of-range results after the fact.
 +     */
 +    tcg_gen_neg_vec(vece, rsh, shift);
 +    if (vece == MO_8) {
 +        tcg_gen_mov_vec(lsh, shift);
 +    } else {
 +        tcg_gen_dupi_vec(vece, tmp, 0xff);
 +        tcg_gen_and_vec(vece, lsh, shift, tmp);
 +        tcg_gen_and_vec(vece, rsh, rsh, tmp);
 +    }
 +
 +    /* Bound rsh so out of bound right shift gets -1.  */
 +    tcg_gen_dupi_vec(vece, tmp, (8 << vece) - 1);
 +    tcg_gen_umin_vec(vece, rsh, rsh, tmp);
 +    tcg_gen_cmp_vec(TCG_COND_GT, vece, tmp, lsh, tmp);
 +
 +    tcg_gen_shlv_vec(vece, lval, src, lsh);
 +    tcg_gen_sarv_vec(vece, rval, src, rsh);
 +
 +    /* Select in-bound left shift.  */
 +    tcg_gen_andc_vec(vece, lval, lval, tmp);
 +
 +    /* Select between left and right shift.  */
 +    if (vece == MO_8) {
 +        tcg_gen_dupi_vec(vece, tmp, 0);
 +        tcg_gen_cmpsel_vec(TCG_COND_LT, vece, dst, lsh, tmp, rval, lval);
 +    } else {
 +        tcg_gen_dupi_vec(vece, tmp, 0x80);
 +        tcg_gen_cmpsel_vec(TCG_COND_LT, vece, dst, lsh, tmp, lval, rval);
 +    }
 +
 +    tcg_temp_free_vec(lval);
 +    tcg_temp_free_vec(rval);
 +    tcg_temp_free_vec(lsh);
 +    tcg_temp_free_vec(rsh);
 +    tcg_temp_free_vec(tmp);
 +}
 +
 +static const TCGOpcode sshl_list[] = {
 +    INDEX_op_neg_vec, INDEX_op_umin_vec, INDEX_op_shlv_vec,
 +    INDEX_op_sarv_vec, INDEX_op_cmp_vec, INDEX_op_cmpsel_vec, 0
 +};
 +
 +const GVecGen3 sshl_op[4] = {
 +    { .fniv = gen_sshl_vec,
 +      .fno = gen_helper_gvec_sshl_b,
 +      .opt_opc = sshl_list,
 +      .vece = MO_8 },
 +    { .fniv = gen_sshl_vec,
 +      .fno = gen_helper_gvec_sshl_h,
 +      .opt_opc = sshl_list,
 +      .vece = MO_16 },
 +    { .fni4 = gen_sshl_i32,
 +      .fniv = gen_sshl_vec,
 +      .opt_opc = sshl_list,
 +      .vece = MO_32 },
 +    { .fni8 = gen_sshl_i64,
 +      .fniv = gen_sshl_vec,
 +      .opt_opc = sshl_list,
 +      .vece = MO_64 },
 +};
 +
  static void gen_uqadd_vec(unsigned vece, TCGv_vec t, TCGv_vec sat,
                            TCGv_vec a, TCGv_vec b)
  {
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                                    vec_size, vec_size);
              }
              return 0;
 +
 +        case NEON_3R_VSHL:
 +            /* Note the operation is vshl vd,vm,vn */
 +            tcg_gen_gvec_3(rd_ofs, rm_ofs, rn_ofs, vec_size, vec_size,
 +                           u ? &ushl_op[size] : &sshl_op[size]);
 +            return 0;
          }
          if (size == 3) {
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                  neon_load_reg64(cpu_V0, rn + pass);
                  neon_load_reg64(cpu_V1, rm + pass);
                  switch (op) {
 -                case NEON_3R_VSHL:
 -                    if (u) {
 -                        gen_helper_neon_shl_u64(cpu_V0, cpu_V1, cpu_V0);
 -                    } else {
 -                        gen_helper_neon_shl_s64(cpu_V0, cpu_V1, cpu_V0);
 -                    }
 -                    break;
                  case NEON_3R_VQSHL:
                      if (u) {
                          gen_helper_neon_qshl_u64(cpu_V0, cpu_env,
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
          }
          pairwise = 0;
          switch (op) {
 -        case NEON_3R_VSHL:
          case NEON_3R_VQSHL:
          case NEON_3R_VRSHL:
          case NEON_3R_VQRSHL:
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
          case NEON_3R_VHSUB:
              GEN_NEON_INTEGER_OP(hsub);
              break;
 -        case NEON_3R_VSHL:
 -            GEN_NEON_INTEGER_OP(shl);
 -            break;
          case NEON_3R_VQSHL:
              GEN_NEON_INTEGER_OP_ENV(qshl);
              break;
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                              }
                          } else {
                              if (input_unsigned) {
 -                                gen_helper_neon_shl_u64(cpu_V0, in, tmp64);
 +                                gen_ushl_i64(cpu_V0, in, tmp64);
                              } else {
 -                                gen_helper_neon_shl_s64(cpu_V0, in, tmp64);
 +                                gen_sshl_i64(cpu_V0, in, tmp64);
                              }
                          }
                          tmp = tcg_temp_new_i32();
 diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/vec_helper.c
 +++ b/target/arm/vec_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(gvec_fmlal_idx_a64)(void *vd, void *vn, void *vm,
      do_fmlal_idx(vd, vn, vm, &env->vfp.fp_status, desc,
                   get_flush_inputs_to_zero(&env->vfp.fp_status_f16));
  }
-+
 +void HELPER(gvec_sshl_b)(void *vd, void *vn, void *vm, uint32_t desc)
 +{
 +    intptr_t i, opr_sz = simd_oprsz(desc);
 +    int8_t *d = vd, *n = vn, *m = vm;
 +
 +    for (i = 0; i < opr_sz; ++i) {
 +        int8_t mm = m[i];
 +        int8_t nn = n[i];
 +        int8_t res = 0;
 +        if (mm >= 0) {
 +            if (mm < 8) {
 +                res = nn << mm;
 +            }
 +        } else {
 +            res = nn >> (mm > -8 ? -mm : 7);
 +        }
 +        d[i] = res;
 +    }
 +    clear_tail(d, opr_sz, simd_maxsz(desc));
 +}
 +
 +void HELPER(gvec_sshl_h)(void *vd, void *vn, void *vm, uint32_t desc)
 +{
 +    intptr_t i, opr_sz = simd_oprsz(desc);
 +    int16_t *d = vd, *n = vn, *m = vm;
 +
 +    for (i = 0; i < opr_sz / 2; ++i) {
 +        int8_t mm = m[i];   /* only 8 bits of shift are significant */
 +        int16_t nn = n[i];
 +        int16_t res = 0;
 +        if (mm >= 0) {
 +            if (mm < 16) {
 +                res = nn << mm;
 +            }
 +        } else {
 +            res = nn >> (mm > -16 ? -mm : 15);
 +        }
 +        d[i] = res;
 +    }
 +    clear_tail(d, opr_sz, simd_maxsz(desc));
 +}
 +
 +void HELPER(gvec_ushl_b)(void *vd, void *vn, void *vm, uint32_t desc)
 +{
 +    intptr_t i, opr_sz = simd_oprsz(desc);
 +    uint8_t *d = vd, *n = vn, *m = vm;
 +
 +    for (i = 0; i < opr_sz; ++i) {
 +        int8_t mm = m[i];
 +        uint8_t nn = n[i];
 +        uint8_t res = 0;
 +        if (mm >= 0) {
 +            if (mm < 8) {
 +                res = nn << mm;
 +            }
 +        } else {
 +            if (mm > -8) {
 +                res = nn >> -mm;
 +            }
 +        }
 +        d[i] = res;
 +    }
 +    clear_tail(d, opr_sz, simd_maxsz(desc));
 +}
 +
 +void HELPER(gvec_ushl_h)(void *vd, void *vn, void *vm, uint32_t desc)
 +{
 +    intptr_t i, opr_sz = simd_oprsz(desc);
 +    uint16_t *d = vd, *n = vn, *m = vm;
 +
 +    for (i = 0; i < opr_sz / 2; ++i) {
 +        int8_t mm = m[i];   /* only 8 bits of shift are significant */
 +        uint16_t nn = n[i];
 +        uint16_t res = 0;
 +        if (mm >= 0) {
 +            if (mm < 16) {
 +                res = nn << mm;
 +            }
 +        } else {
 +            if (mm > -16) {
 +                res = nn >> -mm;
 +            }
 +        }
 +        d[i] = res;
 +    }
 +    clear_tail(d, opr_sz, simd_maxsz(desc));
 +}
 --
-.20.1
+.34.1

-[PULL 39/52] target/arm: Convert PMUL.8 to gvec
+[PULL 21/26] docs/system/arm: Document FEAT_RME
 From: Richard Henderson <richard.henderson@linaro.org>
-The gvec form will be needed for implementing SVE2.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Extend the implementation to operate on uint64_t instead of uint32_t.
 Use a counted inner loop instead of terminating when op1 goes to zero,
 looking toward the required implementation for ARMv8.4-DIT.
 Tested-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230622143046.1578160-1-richard.henderson@linaro.org
-Message-id: 20200216214232.4230-3-richard.henderson@linaro.org
+[PMM: fixed typo; note experimental status in emulation.rst too]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.h        |  3 ++-
+ docs/system/arm/cpu-features.rst | 23 +++++++++++++++++++++++
- target/arm/neon_helper.c   | 22 ----------------------
+ docs/system/arm/emulation.rst    |  1 +
- target/arm/translate-a64.c | 10 +++-------
+files changed, 24 insertions(+)
  target/arm/translate.c     | 11 ++++-------
  target/arm/vec_helper.c    | 30 ++++++++++++++++++++++++++++++
 files changed, 39 insertions(+), 37 deletions(-)
-diff --git a/target/arm/helper.h b/target/arm/helper.h
+diff --git a/docs/system/arm/cpu-features.rst b/docs/system/arm/cpu-features.rst
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.h
+--- a/docs/system/arm/cpu-features.rst
-+++ b/target/arm/helper.h
++++ b/docs/system/arm/cpu-features.rst
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_2(neon_sub_u8, i32, i32, i32)
+@@ -XXX,XX +XXX,XX @@ As with ``sve-default-vector-length``, if the default length is larger
- DEF_HELPER_2(neon_sub_u16, i32, i32, i32)
+ than the maximum vector length enabled, the actual vector length will
- DEF_HELPER_2(neon_mul_u8, i32, i32, i32)
+ be reduced.  If this property is set to ``-1`` then the default vector
- DEF_HELPER_2(neon_mul_u16, i32, i32, i32)
+ length is set to the maximum possible length.
 -DEF_HELPER_2(neon_mul_p8, i32, i32, i32)
  DEF_HELPER_2(neon_mull_p8, i64, i32, i32)
  DEF_HELPER_2(neon_tst_u8, i32, i32, i32)
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(gvec_sshl_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
  DEF_HELPER_FLAGS_4(gvec_ushl_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
  DEF_HELPER_FLAGS_4(gvec_ushl_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(gvec_pmul_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +
- #ifdef TARGET_AARCH64
++RME CPU Properties
- #include "helper-a64.h"
++==================
- #include "helper-sve.h"
++
-diff --git a/target/arm/neon_helper.c b/target/arm/neon_helper.c
++The status of RME support with QEMU is experimental.  At this time we
 +only support RME within the CPU proper, not within the SMMU or GIC.
 +The feature is enabled by the CPU property ``x-rme``, with the ``x-``
 +prefix present as a reminder of the experimental status, and defaults off.
 +
 +The method for enabling RME will change in some future QEMU release
 +without notice or backward compatibility.
 +
 +RME Level 0 GPT Size Property
 +-----------------------------
 +
 +To aid firmware developers in testing different possible CPU
 +configurations, ``x-l0gptsz=S`` may be used to specify the value
 +to encode into ``GPCCR_EL3.L0GPTSZ``, a read-only field that
 +specifies the size of the Level 0 Granule Protection Table.
 +Legal values for ``S`` are 30, 34, 36, and 39; the default is 30.
 +
 +As with ``x-rme``, the ``x-l0gptsz`` property may be renamed or
 +removed in some future QEMU release.
 diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/neon_helper.c
+--- a/docs/system/arm/emulation.rst
-+++ b/target/arm/neon_helper.c
++++ b/docs/system/arm/emulation.rst
-@@ -XXX,XX +XXX,XX @@ NEON_VOP(mul_u16, neon_u16, 2)
+@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
+ - FEAT_RAS (Reliability, availability, and serviceability)
- /* Polynomial multiplication is like integer multiplication except the
+ - FEAT_RASv1p1 (RAS Extension v1.1)
-    partial products are XORed, not added.  */
+ - FEAT_RDM (Advanced SIMD rounding double multiply accumulate instructions)
--uint32_t HELPER(neon_mul_p8)(uint32_t op1, uint32_t op2)
++- FEAT_RME (Realm Management Extension) (NB: support status in QEMU is experimental)
--{
+ - FEAT_RNG (Random number generator)
--    uint32_t mask;
+ - FEAT_S2FWB (Stage 2 forced Write-Back)
--    uint32_t result;
+ - FEAT_SB (Speculation Barrier)
 -    result = 0;
 -    while (op1) {
 -        mask = 0;
 -        if (op1 & 1)
 -            mask |= 0xff;
 -        if (op1 & (1 << 8))
 -            mask |= (0xff << 8);
 -        if (op1 & (1 << 16))
 -            mask |= (0xff << 16);
 -        if (op1 & (1 << 24))
 -            mask |= (0xff << 24);
 -        result ^= op2 & mask;
 -        op1 = (op1 >> 1) & 0x7f7f7f7f;
 -        op2 = (op2 << 1) & 0xfefefefe;
 -    }
 -    return result;
 -}
 -
  uint64_t HELPER(neon_mull_p8)(uint32_t op1, uint32_t op2)
  {
      uint64_t result = 0;
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
      case 0x13: /* MUL, PMUL */
          if (!u) { /* MUL */
              gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_mul, size);
 -            return;
 +        } else {  /* PMUL */
 +            gen_gvec_op3_ool(s, is_q, rd, rn, rm, 0, gen_helper_gvec_pmul_b);
          }
 -        break;
 +        return;
      case 0x12: /* MLA, MLS */
          if (u) {
              gen_gvec_op3(s, is_q, rd, rn, rm, &mls_op[size]);
@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
                  genfn = fns[size][u];
                  break;
              }
 -            case 0x13: /* MUL, PMUL */
 -                assert(u); /* PMUL */
 -                assert(size == 0);
 -                genfn = gen_helper_neon_mul_p8;
 -                break;
              case 0x16: /* SQDMULH, SQRDMULH */
              {
                  static NeonGenTwoOpEnvFn * const fns[2][2] = {
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
          case NEON_3R_VMUL: /* VMUL */
              if (u) {
 -                /* Polynomial case allows only P8 and is handled below.  */
 +                /* Polynomial case allows only P8.  */
                  if (size != 0) {
                      return 1;
                  }
 +                tcg_gen_gvec_3_ool(rd_ofs, rn_ofs, rm_ofs, vec_size, vec_size,
 +                                   0, gen_helper_gvec_pmul_b);
              } else {
                  tcg_gen_gvec_mul(size, rd_ofs, rn_ofs, rm_ofs,
                                   vec_size, vec_size);
 -                return 0;
              }
 -            break;
 +            return 0;
          case NEON_3R_VML: /* VMLA, VMLS */
              tcg_gen_gvec_3(rd_ofs, rn_ofs, rm_ofs, vec_size, vec_size,
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
              tmp2 = neon_load_reg(rd, pass);
              gen_neon_add(size, tmp, tmp2);
              break;
 -        case NEON_3R_VMUL:
 -            /* VMUL.P8; other cases already eliminated.  */
 -            gen_helper_neon_mul_p8(tmp, tmp, tmp2);
 -            break;
          case NEON_3R_VPMAX:
              GEN_NEON_INTEGER_OP(pmax);
              break;
 diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/vec_helper.c
 +++ b/target/arm/vec_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(gvec_ushl_h)(void *vd, void *vn, void *vm, uint32_t desc)
      }
      clear_tail(d, opr_sz, simd_maxsz(desc));
  }
 +
 +/*
 + * 8x8->8 polynomial multiply.
 + *
 + * Polynomial multiplication is like integer multiplication except the
 + * partial products are XORed, not added.
 + *
 + * TODO: expose this as a generic vector operation, as it is a common
 + * crypto building block.
 + */
 +void HELPER(gvec_pmul_b)(void *vd, void *vn, void *vm, uint32_t desc)
 +{
 +    intptr_t i, j, opr_sz = simd_oprsz(desc);
 +    uint64_t *d = vd, *n = vn, *m = vm;
 +
 +    for (i = 0; i < opr_sz / 8; ++i) {
 +        uint64_t nn = n[i];
 +        uint64_t mm = m[i];
 +        uint64_t rr = 0;
 +
 +        for (j = 0; j < 8; ++j) {
 +            uint64_t mask = (nn & 0x0101010101010101ull) * 0xff;
 +            rr ^= mm & mask;
 +            mm = (mm << 1) & 0xfefefefefefefefeull;
 +            nn >>= 1;
 +        }
 +        d[i] = rr;
 +    }
 +    clear_tail(d, opr_sz, simd_maxsz(desc));
 +}
 --
-.20.1
+.34.1

-[PULL 33/52] target/arm: Use FIELD_EX32 for testing 32-bit fields
+[PULL 22/26] host-utils: Avoid using __builtin_subcll on buggy versions of Apple Clang
-Cut-and-paste errors mean we're using FIELD_EX64() to extract fields from
+We use __builtin_subcll() to do a 64-bit subtract with borrow-in and
-some 32-bit ID register fields. Use FIELD_EX32() instead. (This makes
+borrow-out when the host compiler supports it.  Unfortunately some
-no difference in behaviour, it's just more consistent.)
+versions of Apple Clang have a bug in their implementation of this
 intrinsic which means it returns the wrong value.  The effect is that
 a QEMU built with the affected compiler will hang when emulating x86
 or m68k float80 division.
+The upstream LLVM issue is:
+https://github.com/llvm/llvm-project/issues/55253
+The commit that introduced the bug apparently never made it into an
+upstream LLVM release without the subsequent fix
+https://github.com/llvm/llvm-project/commit/fffb6e6afdbaba563189c1f715058ed401fbc88d
+but unfortunately it did make it into Apple Clang 14.0, as shipped
+in Xcode 14.3 (14.2 is reported to be OK). The Apple bug number is
+FB12210478.
+Add ifdefs to avoid use of __builtin_subcll() on Apple Clang version
+or greater.  There is not currently a version of Apple Clang which
+has the bug fix -- when one appears we should be able to add an upper
+bound to the ifdef condition so we can start using the builtin again.
+We make the lower bound a conservative "any Apple clang with major
+version 14 or greater" because the consequences of incorrectly
+disabling the builtin when it would work are pretty small and the
+consequences of not disabling it when we should are pretty bad.
+Many thanks to those users who both reported this bug and also
+did a lot of work in identifying the root cause; in particular
+to Daniel Bertalan and osy.
+Cc: qemu-stable@nongnu.org
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1631
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1659
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200214175116.9164-21-peter.maydell@linaro.org
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
 Tested-by: Daniel Bertalan <dani@danielbertalan.dev>
 Tested-by: Tested-By: Solra Bizna <solra@bizna.name>
 Message-id: 20230622130823.1631719-1-peter.maydell@linaro.org
 ---
- target/arm/cpu.h | 18 +++++++++---------
+ include/qemu/compiler.h   | 13 +++++++++++++
-file changed, 9 insertions(+), 9 deletions(-)
+ include/qemu/host-utils.h |  2 +-
 files changed, 14 insertions(+), 1 deletion(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+diff --git a/include/qemu/compiler.h b/include/qemu/compiler.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
+--- a/include/qemu/compiler.h
-+++ b/target/arm/cpu.h
++++ b/include/qemu/compiler.h
-@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_fp16_arith(const ARMISARegisters *id)
+@@ -XXX,XX +XXX,XX @@
- static inline bool isar_feature_aa32_fp_d32(const ARMISARegisters *id)
+ #define QEMU_DISABLE_CFI
  #endif
 +/*
 + * Apple clang version 14 has a bug in its __builtin_subcll(); define
 + * BUILTIN_SUBCLL_BROKEN for the offending versions so we can avoid it.
 + * When a version of Apple clang which has this bug fixed is released
 + * we can add an upper bound to this check.
 + * See https://gitlab.com/qemu-project/qemu/-/issues/1631
 + * and https://gitlab.com/qemu-project/qemu/-/issues/1659 for details.
 + * The bug never made it into any upstream LLVM releases, only Apple ones.
 + */
 +#if defined(__apple_build_version__) && __clang_major__ >= 14
 +#define BUILTIN_SUBCLL_BROKEN
 +#endif
 +
  #endif /* COMPILER_H */
 diff --git a/include/qemu/host-utils.h b/include/qemu/host-utils.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/qemu/host-utils.h
 +++ b/include/qemu/host-utils.h
@@ -XXX,XX +XXX,XX @@ static inline uint64_t uadd64_carry(uint64_t x, uint64_t y, bool *pcarry)
   */
  static inline uint64_t usub64_borrow(uint64_t x, uint64_t y, bool *pborrow)
  {
-     /* Return true if D16-D31 are implemented */
+-#if __has_builtin(__builtin_subcll)
--    return FIELD_EX64(id->mvfr0, MVFR0, SIMDREG) >= 2;
++#if __has_builtin(__builtin_subcll) && !defined(BUILTIN_SUBCLL_BROKEN)
-+    return FIELD_EX32(id->mvfr0, MVFR0, SIMDREG) >= 2;
+     unsigned long long b = *pborrow;
- }
+     x = __builtin_subcll(x, y, b, &b);
+     *pborrow = b & 1;
  static inline bool isar_feature_aa32_fpshvec(const ARMISARegisters *id)
  {
 -    return FIELD_EX64(id->mvfr0, MVFR0, FPSHVEC) > 0;
 +    return FIELD_EX32(id->mvfr0, MVFR0, FPSHVEC) > 0;
  }
  static inline bool isar_feature_aa32_fpdp(const ARMISARegisters *id)
  {
      /* Return true if CPU supports double precision floating point */
 -    return FIELD_EX64(id->mvfr0, MVFR0, FPDP) > 0;
 +    return FIELD_EX32(id->mvfr0, MVFR0, FPDP) > 0;
  }
  /*
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_fpdp(const ARMISARegisters *id)
   */
  static inline bool isar_feature_aa32_fp16_spconv(const ARMISARegisters *id)
  {
 -    return FIELD_EX64(id->mvfr1, MVFR1, FPHP) > 0;
 +    return FIELD_EX32(id->mvfr1, MVFR1, FPHP) > 0;
  }
  static inline bool isar_feature_aa32_fp16_dpconv(const ARMISARegisters *id)
  {
 -    return FIELD_EX64(id->mvfr1, MVFR1, FPHP) > 1;
 +    return FIELD_EX32(id->mvfr1, MVFR1, FPHP) > 1;
  }
  static inline bool isar_feature_aa32_vsel(const ARMISARegisters *id)
  {
 -    return FIELD_EX64(id->mvfr2, MVFR2, FPMISC) >= 1;
 +    return FIELD_EX32(id->mvfr2, MVFR2, FPMISC) >= 1;
  }
  static inline bool isar_feature_aa32_vcvt_dr(const ARMISARegisters *id)
  {
 -    return FIELD_EX64(id->mvfr2, MVFR2, FPMISC) >= 2;
 +    return FIELD_EX32(id->mvfr2, MVFR2, FPMISC) >= 2;
  }
  static inline bool isar_feature_aa32_vrint(const ARMISARegisters *id)
  {
 -    return FIELD_EX64(id->mvfr2, MVFR2, FPMISC) >= 3;
 +    return FIELD_EX32(id->mvfr2, MVFR2, FPMISC) >= 3;
  }
  static inline bool isar_feature_aa32_vminmaxnm(const ARMISARegisters *id)
  {
 -    return FIELD_EX64(id->mvfr2, MVFR2, FPMISC) >= 4;
 +    return FIELD_EX32(id->mvfr2, MVFR2, FPMISC) >= 4;
  }
  static inline bool isar_feature_aa32_pan(const ARMISARegisters *id)
 --
-.20.1
+.34.1

-[PULL 45/52] target/arm: Use isar_feature_aa32_simd_r32 more places
+[PULL 23/26] target/arm: Restructure has_vfp_d32 test
 From: Richard Henderson <richard.henderson@linaro.org>
-Many uses of ARM_FEATURE_VFP3 are testing for the number of simd
+One cannot test for feature aa32_simd_r32 without first
-registers implemented.  Use the proper test vs MVFR0.SIMDReg.
+testing if AArch32 mode is supported at all.  This leads to
+qemu-system-aarch64: ARM CPUs must have both VFP-D32 and Neon or neither
+for Apple M1 cpus.
+We already have a check for ARMv8-A never setting vfp-d32 true,
+so restructure the code so that AArch64 avoids the test entirely.
+Reported-by: Mads Ynddal <mads@ynddal.dk>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200214181547.21408-4-richard.henderson@linaro.org
+Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-[PMM: fix typo in commit message]
+Tested-by: Mads Ynddal <m.ynddal@samsung.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Reviewed-by: Cédric Le Goater <clg@kaod.org>
 Reviewed-by: Mads Ynddal <m.ynddal@samsung.com>
 Message-id: 20230619140216.402530-1-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.c       |  9 ++++-----
+ target/arm/cpu.c | 28 +++++++++++++++-------------
- target/arm/helper.c    | 13 ++++++-------
+file changed, 15 insertions(+), 13 deletions(-)
  target/arm/translate.c |  2 +-
 files changed, 11 insertions(+), 13 deletions(-)
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_dump_state(CPUState *cs, FILE *f, int flags)
+@@ -XXX,XX +XXX,XX @@ void arm_cpu_post_init(Object *obj)
+      * KVM does not currently allow us to lie to the guest about its
-     if (flags & CPU_DUMP_FPU) {
+      * ID/feature registers, so the guest always sees what the host has.
-         int numvfpregs = 0;
+      */
--        if (arm_feature(env, ARM_FEATURE_VFP)) {
+-    if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)
--            numvfpregs += 16;
+-        ? cpu_isar_feature(aa64_fp_simd, cpu)
--        }
+-        : cpu_isar_feature(aa32_vfp, cpu)) {
--        if (arm_feature(env, ARM_FEATURE_VFP3)) {
+-        cpu->has_vfp = true;
--            numvfpregs += 16;
+-        if (!kvm_enabled()) {
 -            qdev_property_add_static(DEVICE(obj), &arm_cpu_has_vfp_property);
 +    if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
 +        if (cpu_isar_feature(aa64_fp_simd, cpu)) {
 +            cpu->has_vfp = true;
 +            cpu->has_vfp_d32 = true;
 +            if (tcg_enabled() || qtest_enabled()) {
 +                qdev_property_add_static(DEVICE(obj),
 +                                         &arm_cpu_has_vfp_property);
 +            }
          }
 -    }
 -
 -    if (cpu->has_vfp && cpu_isar_feature(aa32_simd_r32, cpu)) {
 -        cpu->has_vfp_d32 = true;
 -        if (!kvm_enabled()) {
 +    } else if (cpu_isar_feature(aa32_vfp, cpu)) {
 +        cpu->has_vfp = true;
 +        if (cpu_isar_feature(aa32_simd_r32, cpu)) {
-+            numvfpregs = 32;
++            cpu->has_vfp_d32 = true;
-+        } else if (arm_feature(env, ARM_FEATURE_VFP)) {
+             /*
-+            numvfpregs = 16;
+              * The permitted values of the SIMDReg bits [3:0] on
-         }
+              * Armv8-A are either 0b0000 and 0b0010. On such CPUs,
-         for (i = 0; i < numvfpregs; i++) {
+              * make sure that has_vfp_d32 can not be set to false.
              uint64_t v = *aa32_vfp_dreg(env, i);
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void switch_mode(CPUARMState *env, int mode);
  static int vfp_gdb_get_reg(CPUARMState *env, uint8_t *buf, int reg)
  {
 -    int nregs;
 +    ARMCPU *cpu = env_archcpu(env);
 +    int nregs = cpu_isar_feature(aa32_simd_r32, cpu) ? 32 : 16;
      /* VFP data registers are always little-endian.  */
 -    nregs = arm_feature(env, ARM_FEATURE_VFP3) ? 32 : 16;
      if (reg < nregs) {
          stq_le_p(buf, *aa32_vfp_dreg(env, reg));
          return 8;
@@ -XXX,XX +XXX,XX @@ static int vfp_gdb_get_reg(CPUARMState *env, uint8_t *buf, int reg)
  static int vfp_gdb_set_reg(CPUARMState *env, uint8_t *buf, int reg)
  {
 -    int nregs;
 +    ARMCPU *cpu = env_archcpu(env);
 +    int nregs = cpu_isar_feature(aa32_simd_r32, cpu) ? 32 : 16;
 -    nregs = arm_feature(env, ARM_FEATURE_VFP3) ? 32 : 16;
      if (reg < nregs) {
          *aa32_vfp_dreg(env, reg) = ldq_le_p(buf);
          return 8;
@@ -XXX,XX +XXX,XX @@ static void cpacr_write(CPUARMState *env, const ARMCPRegInfo *ri,
              /* VFPv3 and upwards with NEON implement 32 double precision
               * registers (D0-D31).
               */
--            if (!arm_feature(env, ARM_FEATURE_NEON) ||
+-            if (!(arm_feature(&cpu->env, ARM_FEATURE_V8) &&
--                    !arm_feature(env, ARM_FEATURE_VFP3)) {
+-                  !arm_feature(&cpu->env, ARM_FEATURE_M))) {
-+            if (!cpu_isar_feature(aa32_simd_r32, env_archcpu(env))) {
++            if ((tcg_enabled() || qtest_enabled())
-                 /* D32DIS [30] is RAO/WI if D16-31 are not implemented. */
++                && !(arm_feature(&cpu->env, ARM_FEATURE_V8)
-                 value |= (1 << 30);
++                     && !arm_feature(&cpu->env, ARM_FEATURE_M))) {
                  qdev_property_add_static(DEVICE(obj),
                                           &arm_cpu_has_vfp_d32_property);
              }
-@@ -XXX,XX +XXX,XX @@ void arm_cpu_register_gdb_regs_for_features(ARMCPU *cpu)
-     } else if (arm_feature(env, ARM_FEATURE_NEON)) {
-         gdb_register_coprocessor(cs, vfp_gdb_get_reg, vfp_gdb_set_reg,
-, "arm-neon.xml", 0);
--    } else if (arm_feature(env, ARM_FEATURE_VFP3)) {
-+    } else if (cpu_isar_feature(aa32_simd_r32, cpu)) {
-         gdb_register_coprocessor(cs, vfp_gdb_get_reg, vfp_gdb_set_reg,
-, "arm-vfp3.xml", 0);
-     } else if (arm_feature(env, ARM_FEATURE_VFP)) {
-diff --git a/target/arm/translate.c b/target/arm/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
-+++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static int disas_dsp_insn(DisasContext *s, uint32_t insn)
- #define VFP_SREG(insn, bigbit, smallbit) \
-   ((VFP_REG_SHR(insn, bigbit - 1) & 0x1e) | (((insn) >> (smallbit)) & 1))
- #define VFP_DREG(reg, insn, bigbit, smallbit) do { \
--    if (arm_dc_feature(s, ARM_FEATURE_VFP3)) { \
-+    if (dc_isar_feature(aa32_simd_r32, s)) { \
-         reg = (((insn) >> (bigbit)) & 0x0f) \
-               | (((insn) >> ((smallbit) - 4)) & 0x10); \
-     } else { \
 --
-.20.1
+.34.1

-[PULL 37/52] arm: allwinner: Wire up USB ports
+[PULL 24/26] hw/arm/sbsa-ref: add ITS support in SBSA GIC
-From: Guenter Roeck <linux@roeck-us.net>
+From: Shashi Mallela <shashi.mallela@linaro.org>
-Instantiate EHCI and OHCI controllers on Allwinner A10. OHCI ports are
+Create ITS as part of SBSA platform GIC initialization.
 modeled as companions of the respective EHCI ports.
-With this patch applied, USB controllers are discovered and instantiated
+GIC ITS information is in DeviceTree so TF-A can pass it to EDK2.
 when booting the cubieboard machine with a recent Linux kernel.
-ehci-platform 1c14000.usb: EHCI Host Controller
+Bumping platform version to 0.2 as this is important hardware change.
 ehci-platform 1c14000.usb: new USB bus registered, assigned bus number 1
 ehci-platform 1c14000.usb: irq 26, io mem 0x01c14000
 ehci-platform 1c14000.usb: USB 2.0 started, EHCI 1.00
 ehci-platform 1c1c000.usb: EHCI Host Controller
 ehci-platform 1c1c000.usb: new USB bus registered, assigned bus number 2
 ehci-platform 1c1c000.usb: irq 31, io mem 0x01c1c000
 ehci-platform 1c1c000.usb: USB 2.0 started, EHCI 1.00
 ohci-platform 1c14400.usb: Generic Platform OHCI controller
 ohci-platform 1c14400.usb: new USB bus registered, assigned bus number 3
 ohci-platform 1c14400.usb: irq 27, io mem 0x01c14400
 ohci-platform 1c1c400.usb: Generic Platform OHCI controller
 ohci-platform 1c1c400.usb: new USB bus registered, assigned bus number 4
 ohci-platform 1c1c400.usb: irq 32, io mem 0x01c1c400
 usb 2-1: new high-speed USB device number 2 using ehci-platform
 usb-storage 2-1:1.0: USB Mass Storage device detected
 scsi host1: usb-storage 2-1:1.0
 usb 3-1: new full-speed USB device number 2 using ohci-platform
 input: QEMU QEMU USB Mouse as /devices/platform/soc/1c14400.usb/usb3/3-1/3-1:1.0/0003:0627:0001.0001/input/input0
-Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Shashi Mallela <shashi.mallela@linaro.org>
-Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
-Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20230619170913.517373-2-marcin.juszkiewicz@linaro.org
-Message-id: 20200217204812.9857-4-linux@roeck-us.net
+Co-authored-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
 Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/arm/allwinner-a10.h |  6 +++++
+ docs/system/arm/sbsa.rst | 14 ++++++++++++++
- hw/arm/allwinner-a10.c         | 43 ++++++++++++++++++++++++++++++++++
+ hw/arm/sbsa-ref.c        | 33 ++++++++++++++++++++++++++++++---
-files changed, 49 insertions(+)
+files changed, 44 insertions(+), 3 deletions(-)
-diff --git a/include/hw/arm/allwinner-a10.h b/include/hw/arm/allwinner-a10.h
+diff --git a/docs/system/arm/sbsa.rst b/docs/system/arm/sbsa.rst
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/allwinner-a10.h
+--- a/docs/system/arm/sbsa.rst
-+++ b/include/hw/arm/allwinner-a10.h
++++ b/docs/system/arm/sbsa.rst
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ to be a complete compliant DT. It currently reports:
- #include "hw/intc/allwinner-a10-pic.h"
+    - platform version
- #include "hw/net/allwinner_emac.h"
+    - GIC addresses
- #include "hw/ide/ahci.h"
-+#include "hw/usb/hcd-ohci.h"
++Platform version
-+#include "hw/usb/hcd-ehci.h"
++''''''''''''''''
  #include "target/arm/cpu.h"
  #define AW_A10_SDRAM_BASE       0x40000000
 +#define AW_A10_NUM_USB          2
 +
- #define TYPE_AW_A10 "allwinner-a10"
+ The platform version is only for informing platform firmware about
- #define AW_A10(obj) OBJECT_CHECK(AwA10State, (obj), TYPE_AW_A10)
+ what kind of ``sbsa-ref`` board it is running on. It is neither
+ a QEMU versioned machine type nor a reflection of the level of the
-@@ -XXX,XX +XXX,XX @@ typedef struct AwA10State {
+@@ -XXX,XX +XXX,XX @@ SBSA/SystemReady SR support provided.
-     AwEmacState emac;
+ The ``machine-version-major`` value is updated when changes breaking
-     AllwinnerAHCIState sata;
+ fw compatibility are introduced. The ``machine-version-minor`` value
-     MemoryRegion sram_a;
+ is updated when features are added that don't break fw compatibility.
-+    EHCISysBusState ehci[AW_A10_NUM_USB];
++
-+    OHCISysBusState ohci[AW_A10_NUM_USB];
++Platform version changes:
- } AwA10State;
++
++0.0
- #endif
++  Devicetree holds information about CPUs, memory and platform version.
-diff --git a/hw/arm/allwinner-a10.c b/hw/arm/allwinner-a10.c
++
 +0.1
 +  GIC information is present in devicetree.
 +
 +0.2
 +  GIC ITS information is present in devicetree.
 diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/allwinner-a10.c
+--- a/hw/arm/sbsa-ref.c
-+++ b/hw/arm/allwinner-a10.c
++++ b/hw/arm/sbsa-ref.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ enum {
- #include "hw/arm/allwinner-a10.h"
+     SBSA_CPUPERIPHS,
- #include "hw/misc/unimp.h"
+     SBSA_GIC_DIST,
- #include "sysemu/sysemu.h"
+     SBSA_GIC_REDIST,
-+#include "hw/boards.h"
++    SBSA_GIC_ITS,
-+#include "hw/usb/hcd-ohci.h"
+     SBSA_SECURE_EC,
+     SBSA_GWDT_WS0,
- #define AW_A10_PIC_REG_BASE     0x01c20400
+     SBSA_GWDT_REFRESH,
- #define AW_A10_PIT_REG_BASE     0x01c20c00
+@@ -XXX,XX +XXX,XX @@ static const MemMapEntry sbsa_ref_memmap[] = {
- #define AW_A10_UART0_REG_BASE   0x01c28000
+     [SBSA_CPUPERIPHS] =         { 0x40000000, 0x00040000 },
- #define AW_A10_EMAC_BASE        0x01c0b000
+     [SBSA_GIC_DIST] =           { 0x40060000, 0x00010000 },
-+#define AW_A10_EHCI_BASE        0x01c14000
+     [SBSA_GIC_REDIST] =         { 0x40080000, 0x04000000 },
-+#define AW_A10_OHCI_BASE        0x01c14400
++    [SBSA_GIC_ITS] =            { 0x44081000, 0x00020000 },
- #define AW_A10_SATA_BASE        0x01c18000
+     [SBSA_SECURE_EC] =          { 0x50000000, 0x00001000 },
+     [SBSA_GWDT_REFRESH] =       { 0x50010000, 0x00001000 },
- static void aw_a10_init(Object *obj)
+     [SBSA_GWDT_CONTROL] =       { 0x50011000, 0x00001000 },
-@@ -XXX,XX +XXX,XX @@ static void aw_a10_init(Object *obj)
+@@ -XXX,XX +XXX,XX @@ static void sbsa_fdt_add_gic_node(SBSAMachineState *sms)
+, sbsa_ref_memmap[SBSA_GIC_REDIST].base,
-     sysbus_init_child_obj(obj, "sata", &s->sata, sizeof(s->sata),
+, sbsa_ref_memmap[SBSA_GIC_REDIST].size);
-                           TYPE_ALLWINNER_AHCI);
 +    nodename = g_strdup_printf("/intc/its");
 +    qemu_fdt_add_subnode(sms->fdt, nodename);
 +    qemu_fdt_setprop_sized_cells(sms->fdt, nodename, "reg",
 +                                 2, sbsa_ref_memmap[SBSA_GIC_ITS].base,
 +                                 2, sbsa_ref_memmap[SBSA_GIC_ITS].size);
 +
-+    if (machine_usb(current_machine)) {
+     g_free(nodename);
-+        int i;
+ }
 +
-+        for (i = 0; i < AW_A10_NUM_USB; i++) {
+ /*
-+            sysbus_init_child_obj(obj, "ehci[*]", OBJECT(&s->ehci[i]),
+  * Firmware on this machine only uses ACPI table to load OS, these limited
-+                                  sizeof(s->ehci[i]), TYPE_PLATFORM_EHCI);
+  * device tree nodes are just to let firmware know the info which varies from
-+            sysbus_init_child_obj(obj, "ohci[*]", OBJECT(&s->ohci[i]),
+@@ -XXX,XX +XXX,XX @@ static void create_fdt(SBSAMachineState *sms)
-+                                  sizeof(s->ohci[i]), TYPE_SYSBUS_OHCI);
+      *                        fw compatibility.
-+        }
+      */
-+    }
+     qemu_fdt_setprop_cell(fdt, "/", "machine-version-major", 0);
 -    qemu_fdt_setprop_cell(fdt, "/", "machine-version-minor", 1);
 +    qemu_fdt_setprop_cell(fdt, "/", "machine-version-minor", 2);
      if (ms->numa_state->have_numa_distance) {
          int size = nb_numa_nodes * nb_numa_nodes * 3 * sizeof(uint32_t);
@@ -XXX,XX +XXX,XX @@ static void create_secure_ram(SBSAMachineState *sms,
      memory_region_add_subregion(secure_sysmem, base, secram);
  }
- static void aw_a10_realize(DeviceState *dev, Error **errp)
+-static void create_gic(SBSAMachineState *sms)
-@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
++static void create_its(SBSAMachineState *sms)
-     serial_mm_init(get_system_memory(), AW_A10_UART0_REG_BASE, 2,
++{
-                    qdev_get_gpio_in(dev, 1),
++    const char *itsclass = its_class_name();
-, serial_hd(0), DEVICE_NATIVE_ENDIAN);
++    DeviceState *dev;
 +
-+    if (machine_usb(current_machine)) {
++    dev = qdev_new(itsclass);
 +        int i;
 +
-+        for (i = 0; i < AW_A10_NUM_USB; i++) {
++    object_property_set_link(OBJECT(dev), "parent-gicv3", OBJECT(sms->gic),
-+            char bus[16];
++                             &error_abort);
 +    sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
 +    sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, sbsa_ref_memmap[SBSA_GIC_ITS].base);
 +}
 +
-+            sprintf(bus, "usb-bus.%d", i);
++static void create_gic(SBSAMachineState *sms, MemoryRegion *mem)
  {
      unsigned int smp_cpus = MACHINE(sms)->smp.cpus;
      SysBusDevice *gicbusdev;
@@ -XXX,XX +XXX,XX @@ static void create_gic(SBSAMachineState *sms)
      qdev_prop_set_uint32(sms->gic, "len-redist-region-count", 1);
      qdev_prop_set_uint32(sms->gic, "redist-region-count[0]", redist0_count);
 +    object_property_set_link(OBJECT(sms->gic), "sysmem",
 +                             OBJECT(mem), &error_fatal);
 +    qdev_prop_set_bit(sms->gic, "has-lpi", true);
 +
-+            object_property_set_bool(OBJECT(&s->ehci[i]), true,
+     gicbusdev = SYS_BUS_DEVICE(sms->gic);
-+                                     "companion-enable", &error_fatal);
+     sysbus_realize_and_unref(gicbusdev, &error_fatal);
-+            object_property_set_bool(OBJECT(&s->ehci[i]), true, "realized",
+     sysbus_mmio_map(gicbusdev, 0, sbsa_ref_memmap[SBSA_GIC_DIST].base);
-+                                     &error_fatal);
+@@ -XXX,XX +XXX,XX @@ static void create_gic(SBSAMachineState *sms)
-+            sysbus_mmio_map(SYS_BUS_DEVICE(&s->ehci[i]), 0,
+         sysbus_connect_irq(gicbusdev, i + 3 * smp_cpus,
-+                            AW_A10_EHCI_BASE + i * 0x8000);
+                            qdev_get_gpio_in(cpudev, ARM_CPU_VFIQ));
-+            sysbus_connect_irq(SYS_BUS_DEVICE(&s->ehci[i]), 0,
+     }
-+                               qdev_get_gpio_in(dev, 39 + i));
++    create_its(sms);
 +
 +            object_property_set_str(OBJECT(&s->ohci[i]), bus, "masterbus",
 +                                    &error_fatal);
 +            object_property_set_bool(OBJECT(&s->ohci[i]), true, "realized",
 +                                     &error_fatal);
 +            sysbus_mmio_map(SYS_BUS_DEVICE(&s->ohci[i]), 0,
 +                            AW_A10_OHCI_BASE + i * 0x8000);
 +            sysbus_connect_irq(SYS_BUS_DEVICE(&s->ohci[i]), 0,
 +                               qdev_get_gpio_in(dev, 64 + i));
 +        }
 +    }
  }
- static void aw_a10_class_init(ObjectClass *oc, void *data)
+ static void create_uart(const SBSAMachineState *sms, int uart,
@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_init(MachineState *machine)
      create_secure_ram(sms, secure_sysmem);
 -    create_gic(sms);
 +    create_gic(sms, sysmem);
      create_uart(sms, SBSA_UART, sysmem, serial_hd(0));
      create_uart(sms, SBSA_SECURE_UART, secure_sysmem, serial_hd(1));
 --
-.20.1
+.34.1

-[PULL 10/52] target/arm: Use bit 55 explicitly for pauth
+[PULL 25/26] target/arm: Fix sve predicate store, 8 <= VQ <= 15
 From: Richard Henderson <richard.henderson@linaro.org>
-The psuedocode in aarch64/functions/pac/auth/Auth and
+Brown bag time: store instead of load results in uninitialized temp.
 aarch64/functions/pac/strip/Strip always uses bit 55 for
 extfield and do not consider if the current regime has 2 ranges.
-Suggested-by: Peter Maydell <peter.maydell@linaro.org>
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1704
 Reported-by: Mark Rutland <mark.rutland@arm.com>
 Tested-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20230620134659.817559-1-richard.henderson@linaro.org
 Fixes: e6dd5e782be ("target/arm: Use tcg_gen_qemu_{ld, st}_i128 in gen_sve_{ld, st}r")
 Tested-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20200216194343.21331-2-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/pauth_helper.c | 3 ++-
+ target/arm/tcg/translate-sve.c | 2 +-
-file changed, 2 insertions(+), 1 deletion(-)
+file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c
+diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/pauth_helper.c
+--- a/target/arm/tcg/translate-sve.c
-+++ b/target/arm/pauth_helper.c
++++ b/target/arm/tcg/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t pauth_addpac(CPUARMState *env, uint64_t ptr, uint64_t modifier,
+@@ -XXX,XX +XXX,XX @@ void gen_sve_str(DisasContext *s, TCGv_ptr base, int vofs,
+     /* Predicate register stores can be any multiple of 2.  */
- static uint64_t pauth_original_ptr(uint64_t ptr, ARMVAParameters param)
+     if (len_remain >= 8) {
- {
+         t0 = tcg_temp_new_i64();
--    uint64_t extfield = -param.select;
+-        tcg_gen_st_i64(t0, base, vofs + len_align);
-+    /* Note that bit 55 is used whether or not the regime has 2 ranges. */
++        tcg_gen_ld_i64(t0, base, vofs + len_align);
-+    uint64_t extfield = sextract64(ptr, 55, 1);
+         tcg_gen_qemu_st_i64(t0, clean_addr, midx, MO_LEUQ | MO_ATOM_NONE);
-     int bot_pac_bit = 64 - param.tsz;
+         len_remain -= 8;
-     int top_pac_bit = 64 - 8 * param.tbi;
+         len_align += 8;
 --
-.20.1
+.34.1

-[PULL 14/52] target/arm: Add _aa32_ to isar_feature functions testing 32-bit ID registers
+Deleted patch
-Enforce a convention that an isar_feature function that tests a
--bit ID register always has _aa32_ in its name, and one that
-tests a 64-bit ID register always has _aa64_ in its name.
-We already follow this except for three cases: thumb_div,
-arm_div and jazelle, which all need _aa32_ adding.
-(As noted in the comment, isar_feature_aa32_fp16_arith()
-is an exception in that it currently tests ID_AA64PFR0_EL1,
-but will switch to MVFR1 once we've properly implemented
-FP16 for AArch32.)
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20200214175116.9164-2-peter.maydell@linaro.org
----
- target/arm/cpu.h       | 13 ++++++++++---
- target/arm/internals.h |  2 +-
- linux-user/elfload.c   |  4 ++--
- target/arm/cpu.c       |  6 ++++--
- target/arm/helper.c    |  2 +-
- target/arm/translate.c |  6 +++---
-files changed, 21 insertions(+), 12 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline uint64_t *aa64_vfp_qreg(CPUARMState *env, unsigned regno)
- /* Shared between translate-sve.c and sve_helper.c.  */
- extern const uint64_t pred_esz_masks[4];
-+/*
-+ * Naming convention for isar_feature functions:
-+ * Functions which test 32-bit ID registers should have _aa32_ in
-+ * their name. Functions which test 64-bit ID registers should have
-+ * _aa64_ in their name.
-+ */
-+
- /*
-  * 32-bit feature tests via id registers.
-  */
--static inline bool isar_feature_thumb_div(const ARMISARegisters *id)
-+static inline bool isar_feature_aa32_thumb_div(const ARMISARegisters *id)
- {
-     return FIELD_EX32(id->id_isar0, ID_ISAR0, DIVIDE) != 0;
- }
--static inline bool isar_feature_arm_div(const ARMISARegisters *id)
-+static inline bool isar_feature_aa32_arm_div(const ARMISARegisters *id)
- {
-     return FIELD_EX32(id->id_isar0, ID_ISAR0, DIVIDE) > 1;
- }
--static inline bool isar_feature_jazelle(const ARMISARegisters *id)
-+static inline bool isar_feature_aa32_jazelle(const ARMISARegisters *id)
- {
-     return FIELD_EX32(id->id_isar1, ID_ISAR1, JAZELLE) != 0;
- }
-diff --git a/target/arm/internals.h b/target/arm/internals.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/internals.h
-+++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ static inline uint32_t aarch32_cpsr_valid_mask(uint64_t features,
-     if ((features >> ARM_FEATURE_THUMB2) & 1) {
-         valid |= CPSR_IT;
-     }
--    if (isar_feature_jazelle(id)) {
-+    if (isar_feature_aa32_jazelle(id)) {
-         valid |= CPSR_J;
-     }
-     if (isar_feature_aa32_pan(id)) {
-diff --git a/linux-user/elfload.c b/linux-user/elfload.c
-index XXXXXXX..XXXXXXX 100644
---- a/linux-user/elfload.c
-+++ b/linux-user/elfload.c
-@@ -XXX,XX +XXX,XX @@ static uint32_t get_elf_hwcap(void)
-     GET_FEATURE(ARM_FEATURE_VFP3, ARM_HWCAP_ARM_VFPv3);
-     GET_FEATURE(ARM_FEATURE_V6K, ARM_HWCAP_ARM_TLS);
-     GET_FEATURE(ARM_FEATURE_VFP4, ARM_HWCAP_ARM_VFPv4);
--    GET_FEATURE_ID(arm_div, ARM_HWCAP_ARM_IDIVA);
--    GET_FEATURE_ID(thumb_div, ARM_HWCAP_ARM_IDIVT);
-+    GET_FEATURE_ID(aa32_arm_div, ARM_HWCAP_ARM_IDIVA);
-+    GET_FEATURE_ID(aa32_thumb_div, ARM_HWCAP_ARM_IDIVT);
-     /* All QEMU's VFPv3 CPUs have 32 registers, see VFP_DREG in translate.c.
-      * Note that the ARM_HWCAP_ARM_VFPv3D16 bit is always the inverse of
-      * ARM_HWCAP_ARM_VFPD32 (and so always clear for QEMU); it is unrelated
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
-+++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
-          * Presence of EL2 itself is ARM_FEATURE_EL2, and of the
-          * Security Extensions is ARM_FEATURE_EL3.
-          */
--        assert(!tcg_enabled() || no_aa32 || cpu_isar_feature(arm_div, cpu));
-+        assert(!tcg_enabled() || no_aa32 ||
-+               cpu_isar_feature(aa32_arm_div, cpu));
-         set_feature(env, ARM_FEATURE_LPAE);
-         set_feature(env, ARM_FEATURE_V7);
-     }
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
-     if (arm_feature(env, ARM_FEATURE_V6)) {
-         set_feature(env, ARM_FEATURE_V5);
-         if (!arm_feature(env, ARM_FEATURE_M)) {
--            assert(!tcg_enabled() || no_aa32 || cpu_isar_feature(jazelle, cpu));
-+            assert(!tcg_enabled() || no_aa32 ||
-+                   cpu_isar_feature(aa32_jazelle, cpu));
-             set_feature(env, ARM_FEATURE_AUXCR);
-         }
-     }
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-     if (arm_feature(env, ARM_FEATURE_LPAE)) {
-         define_arm_cp_regs(cpu, lpae_cp_reginfo);
-     }
--    if (cpu_isar_feature(jazelle, cpu)) {
-+    if (cpu_isar_feature(aa32_jazelle, cpu)) {
-         define_arm_cp_regs(cpu, jazelle_regs);
-     }
-     /* Slightly awkwardly, the OMAP and StrongARM cores need all of
-diff --git a/target/arm/translate.c b/target/arm/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
-+++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@
- #define ENABLE_ARCH_5     arm_dc_feature(s, ARM_FEATURE_V5)
- /* currently all emulated v5 cores are also v5TE, so don't bother */
- #define ENABLE_ARCH_5TE   arm_dc_feature(s, ARM_FEATURE_V5)
--#define ENABLE_ARCH_5J    dc_isar_feature(jazelle, s)
-+#define ENABLE_ARCH_5J    dc_isar_feature(aa32_jazelle, s)
- #define ENABLE_ARCH_6     arm_dc_feature(s, ARM_FEATURE_V6)
- #define ENABLE_ARCH_6K    arm_dc_feature(s, ARM_FEATURE_V6K)
- #define ENABLE_ARCH_6T2   arm_dc_feature(s, ARM_FEATURE_THUMB2)
-@@ -XXX,XX +XXX,XX @@ static bool op_div(DisasContext *s, arg_rrr *a, bool u)
-     TCGv_i32 t1, t2;
-     if (s->thumb
--        ? !dc_isar_feature(thumb_div, s)
--        : !dc_isar_feature(arm_div, s)) {
-+        ? !dc_isar_feature(aa32_thumb_div, s)
-+        : !dc_isar_feature(aa32_arm_div, s)) {
-         return false;
-     }
---
-.20.1

-[PULL 15/52] target/arm: Check aa32_pan in take_aarch32_exception(), not aa64_pan
+[PULL 26/26] pc-bios/keymaps: Use the official xkb name for Arabic layout, not the legacy synonym
-In take_aarch32_exception(), we know we are dealing with a CPU that
+The xkb official name for the Arabic keyboard layout is 'ara'.
-has AArch32, so the right isar_feature test is aa32_pan, not aa64_pan.
+However xkb has for at least the past 15 years also permitted it to
 be named via the legacy synonym 'ar'.  In xkeyboard-config 2.39 this
 synoynm was removed, which breaks compilation of QEMU:
+FAILED: pc-bios/keymaps/ar
+/home/fred/qemu-git/src/qemu/build-full/qemu-keymap -f pc-bios/keymaps/ar -l ar
+xkbcommon: ERROR: Couldn't find file "symbols/ar" in include paths
+xkbcommon: ERROR: 1 include paths searched:
+xkbcommon: ERROR:     /usr/share/X11/xkb
+xkbcommon: ERROR: 3 include paths could not be added:
+xkbcommon: ERROR:     /home/fred/.config/xkb
+xkbcommon: ERROR:     /home/fred/.xkb
+xkbcommon: ERROR:     /etc/xkb
+xkbcommon: ERROR: Abandoning symbols file "(unnamed)"
+xkbcommon: ERROR: Failed to compile xkb_symbols
+xkbcommon: ERROR: Failed to compile keymap
+The upstream xkeyboard-config change removing the compat
+mapping is:
+https://gitlab.freedesktop.org/xkeyboard-config/xkeyboard-config/-/commit/470ad2cd8fea84d7210377161d86b31999bb5ea6
+Make QEMU always ask for the 'ara' xkb layout, which should work on
+both older and newer xkeyboard-config.  We leave the QEMU name for
+this keyboard layout as 'ar'; it is not the only one where our name
+for it deviates from the xkb standard name.
+Cc: qemu-stable@nongnu.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200214175116.9164-3-peter.maydell@linaro.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
 Message-id: 20230620162024.1132013-1-peter.maydell@linaro.org
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1709
 ---
- target/arm/helper.c | 2 +-
+ pc-bios/keymaps/meson.build | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
+diff --git a/pc-bios/keymaps/meson.build b/pc-bios/keymaps/meson.build
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
+--- a/pc-bios/keymaps/meson.build
-+++ b/target/arm/helper.c
++++ b/pc-bios/keymaps/meson.build
-@@ -XXX,XX +XXX,XX @@ static void take_aarch32_exception(CPUARMState *env, int new_mode,
+@@ -XXX,XX +XXX,XX @@
-         env->elr_el[2] = env->regs[15];
+ keymaps = {
-     } else {
+-  'ar': '-l ar',
-         /* CPSR.PAN is normally preserved preserved unless...  */
++  'ar': '-l ara',
--        if (cpu_isar_feature(aa64_pan, env_archcpu(env))) {
+   'bepo': '-l fr -v dvorak',
-+        if (cpu_isar_feature(aa32_pan, env_archcpu(env))) {
+   'cz': '-l cz',
-             switch (new_el) {
+   'da': '-l dk',
              case 3:
                  if (!arm_is_secure_below_el3(env)) {
 --
-.20.1
+.34.1

-[PULL 16/52] target/arm: Add isar_feature_any_fp16 and document naming/usage conventions
+Deleted patch
-Our current usage of the isar_feature feature tests almost always
-uses an _aa32_ test when the code path is known to be AArch32
-specific and an _aa64_ test when the code path is known to be
-AArch64 specific. There is just one exception: in the vfp_set_fpscr
-helper we check aa64_fp16 to determine whether the FZ16 bit in
-the FP(S)CR exists, but this code is also used for AArch32.
-There are other places in future where we're likely to want
-a general "does this feature exist for either AArch32 or
-AArch64" check (typically where architecturally the feature exists
-for both CPU states if it exists at all, but the CPU might be
-AArch32-only or AArch64-only, and so only have one set of ID
-registers).
-Introduce a new category of isar_feature_* functions:
-isar_feature_any_foo() should be tested when what we want to
-know is "does this feature exist for either AArch32 or AArch64",
-and always returns the logical OR of isar_feature_aa32_foo()
-and isar_feature_aa64_foo().
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20200214175116.9164-4-peter.maydell@linaro.org
----
- target/arm/cpu.h        | 19 ++++++++++++++++++-
- target/arm/vfp_helper.c |  2 +-
-files changed, 19 insertions(+), 2 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ extern const uint64_t pred_esz_masks[4];
-  * Naming convention for isar_feature functions:
-  * Functions which test 32-bit ID registers should have _aa32_ in
-  * their name. Functions which test 64-bit ID registers should have
-- * _aa64_ in their name.
-+ * _aa64_ in their name. These must only be used in code where we
-+ * know for certain that the CPU has AArch32 or AArch64 respectively
-+ * or where the correct answer for a CPU which doesn't implement that
-+ * CPU state is "false" (eg when generating A32 or A64 code, if adding
-+ * system registers that are specific to that CPU state, for "should
-+ * we let this system register bit be set" tests where the 32-bit
-+ * flavour of the register doesn't have the bit, and so on).
-+ * Functions which simply ask "does this feature exist at all" have
-+ * _any_ in their name, and always return the logical OR of the _aa64_
-+ * and the _aa32_ function.
-  */
- /*
-@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_bti(const ARMISARegisters *id)
-     return FIELD_EX64(id->id_aa64pfr1, ID_AA64PFR1, BT) != 0;
- }
-+/*
-+ * Feature tests for "does this exist in either 32-bit or 64-bit?"
-+ */
-+static inline bool isar_feature_any_fp16(const ARMISARegisters *id)
-+{
-+    return isar_feature_aa64_fp16(id) || isar_feature_aa32_fp16_arith(id);
-+}
-+
- /*
-  * Forward to the above feature tests given an ARMCPU pointer.
-  */
-diff --git a/target/arm/vfp_helper.c b/target/arm/vfp_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/vfp_helper.c
-+++ b/target/arm/vfp_helper.c
-@@ -XXX,XX +XXX,XX @@ uint32_t vfp_get_fpscr(CPUARMState *env)
- void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)
- {
-     /* When ARMv8.2-FP16 is not supported, FZ16 is RES0.  */
--    if (!cpu_isar_feature(aa64_fp16, env_archcpu(env))) {
-+    if (!cpu_isar_feature(any_fp16, env_archcpu(env))) {
-         val &= ~FPCR_FZ16;
-     }
---
-.20.1

-[PULL 17/52] target/arm: Define and use any_predinv isar_feature test
+Deleted patch
-Instead of open-coding "ARM_FEATURE_AARCH64 ? aa64_predinv: aa32_predinv",
-define and use an any_predinv isar_feature test function.
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20200214175116.9164-5-peter.maydell@linaro.org
----
- target/arm/cpu.h    | 5 +++++
- target/arm/helper.c | 9 +--------
-files changed, 6 insertions(+), 8 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_any_fp16(const ARMISARegisters *id)
-     return isar_feature_aa64_fp16(id) || isar_feature_aa32_fp16_arith(id);
- }
-+static inline bool isar_feature_any_predinv(const ARMISARegisters *id)
-+{
-+    return isar_feature_aa64_predinv(id) || isar_feature_aa32_predinv(id);
-+}
-+
- /*
-  * Forward to the above feature tests given an ARMCPU pointer.
-  */
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
- #endif /*CONFIG_USER_ONLY*/
- #endif
--    /*
--     * While all v8.0 cpus support aarch64, QEMU does have configurations
--     * that do not set ID_AA64ISAR1, e.g. user-only qemu-arm -cpu max,
--     * which will set ID_ISAR6.
--     */
--    if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)
--        ? cpu_isar_feature(aa64_predinv, cpu)
--        : cpu_isar_feature(aa32_predinv, cpu)) {
-+    if (cpu_isar_feature(any_predinv, cpu)) {
-         define_arm_cp_regs(cpu, predinv_reginfo);
-     }
---
-.20.1

-[PULL 18/52] target/arm: Factor out PMU register definitions
+Deleted patch
-Pull the code that defines the various PMU registers out
-into its own function, matching the pattern we have
-already for the debug registers.
-Apart from one style fix to a multi-line comment, this
-is purely movement of code with no changes to it.
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20200214175116.9164-6-peter.maydell@linaro.org
----
- target/arm/helper.c | 158 +++++++++++++++++++++++---------------------
-file changed, 82 insertions(+), 76 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void define_debug_regs(ARMCPU *cpu)
-     }
- }
-+static void define_pmu_regs(ARMCPU *cpu)
-+{
-+    /*
-+     * v7 performance monitor control register: same implementor
-+     * field as main ID register, and we implement four counters in
-+     * addition to the cycle count register.
-+     */
-+    unsigned int i, pmcrn = 4;
-+    ARMCPRegInfo pmcr = {
-+        .name = "PMCR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 0,
-+        .access = PL0_RW,
-+        .type = ARM_CP_IO | ARM_CP_ALIAS,
-+        .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcr),
-+        .accessfn = pmreg_access, .writefn = pmcr_write,
-+        .raw_writefn = raw_write,
-+    };
-+    ARMCPRegInfo pmcr64 = {
-+        .name = "PMCR_EL0", .state = ARM_CP_STATE_AA64,
-+        .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 0,
-+        .access = PL0_RW, .accessfn = pmreg_access,
-+        .type = ARM_CP_IO,
-+        .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcr),
-+        .resetvalue = (cpu->midr & 0xff000000) | (pmcrn << PMCRN_SHIFT),
-+        .writefn = pmcr_write, .raw_writefn = raw_write,
-+    };
-+    define_one_arm_cp_reg(cpu, &pmcr);
-+    define_one_arm_cp_reg(cpu, &pmcr64);
-+    for (i = 0; i < pmcrn; i++) {
-+        char *pmevcntr_name = g_strdup_printf("PMEVCNTR%d", i);
-+        char *pmevcntr_el0_name = g_strdup_printf("PMEVCNTR%d_EL0", i);
-+        char *pmevtyper_name = g_strdup_printf("PMEVTYPER%d", i);
-+        char *pmevtyper_el0_name = g_strdup_printf("PMEVTYPER%d_EL0", i);
-+        ARMCPRegInfo pmev_regs[] = {
-+            { .name = pmevcntr_name, .cp = 15, .crn = 14,
-+              .crm = 8 | (3 & (i >> 3)), .opc1 = 0, .opc2 = i & 7,
-+              .access = PL0_RW, .type = ARM_CP_IO | ARM_CP_ALIAS,
-+              .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn,
-+              .accessfn = pmreg_access },
-+            { .name = pmevcntr_el0_name, .state = ARM_CP_STATE_AA64,
-+              .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 8 | (3 & (i >> 3)),
-+              .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access,
-+              .type = ARM_CP_IO,
-+              .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn,
-+              .raw_readfn = pmevcntr_rawread,
-+              .raw_writefn = pmevcntr_rawwrite },
-+            { .name = pmevtyper_name, .cp = 15, .crn = 14,
-+              .crm = 12 | (3 & (i >> 3)), .opc1 = 0, .opc2 = i & 7,
-+              .access = PL0_RW, .type = ARM_CP_IO | ARM_CP_ALIAS,
-+              .readfn = pmevtyper_readfn, .writefn = pmevtyper_writefn,
-+              .accessfn = pmreg_access },
-+            { .name = pmevtyper_el0_name, .state = ARM_CP_STATE_AA64,
-+              .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 12 | (3 & (i >> 3)),
-+              .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access,
-+              .type = ARM_CP_IO,
-+              .readfn = pmevtyper_readfn, .writefn = pmevtyper_writefn,
-+              .raw_writefn = pmevtyper_rawwrite },
-+            REGINFO_SENTINEL
-+        };
-+        define_arm_cp_regs(cpu, pmev_regs);
-+        g_free(pmevcntr_name);
-+        g_free(pmevcntr_el0_name);
-+        g_free(pmevtyper_name);
-+        g_free(pmevtyper_el0_name);
-+    }
-+    if (FIELD_EX32(cpu->id_dfr0, ID_DFR0, PERFMON) >= 4 &&
-+            FIELD_EX32(cpu->id_dfr0, ID_DFR0, PERFMON) != 0xf) {
-+        ARMCPRegInfo v81_pmu_regs[] = {
-+            { .name = "PMCEID2", .state = ARM_CP_STATE_AA32,
-+              .cp = 15, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 4,
-+              .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
-+              .resetvalue = extract64(cpu->pmceid0, 32, 32) },
-+            { .name = "PMCEID3", .state = ARM_CP_STATE_AA32,
-+              .cp = 15, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 5,
-+              .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
-+              .resetvalue = extract64(cpu->pmceid1, 32, 32) },
-+            REGINFO_SENTINEL
-+        };
-+        define_arm_cp_regs(cpu, v81_pmu_regs);
-+    }
-+}
-+
- /* We don't know until after realize whether there's a GICv3
-  * attached, and that is what registers the gicv3 sysregs.
-  * So we have to fill in the GIC fields in ID_PFR/ID_PFR1_EL1/ID_AA64PFR0_EL1
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-         define_arm_cp_regs(cpu, pmovsset_cp_reginfo);
-     }
-     if (arm_feature(env, ARM_FEATURE_V7)) {
--        /* v7 performance monitor control register: same implementor
--         * field as main ID register, and we implement four counters in
--         * addition to the cycle count register.
--         */
--        unsigned int i, pmcrn = 4;
--        ARMCPRegInfo pmcr = {
--            .name = "PMCR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 0,
--            .access = PL0_RW,
--            .type = ARM_CP_IO | ARM_CP_ALIAS,
--            .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcr),
--            .accessfn = pmreg_access, .writefn = pmcr_write,
--            .raw_writefn = raw_write,
--        };
--        ARMCPRegInfo pmcr64 = {
--            .name = "PMCR_EL0", .state = ARM_CP_STATE_AA64,
--            .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 0,
--            .access = PL0_RW, .accessfn = pmreg_access,
--            .type = ARM_CP_IO,
--            .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcr),
--            .resetvalue = (cpu->midr & 0xff000000) | (pmcrn << PMCRN_SHIFT),
--            .writefn = pmcr_write, .raw_writefn = raw_write,
--        };
--        define_one_arm_cp_reg(cpu, &pmcr);
--        define_one_arm_cp_reg(cpu, &pmcr64);
--        for (i = 0; i < pmcrn; i++) {
--            char *pmevcntr_name = g_strdup_printf("PMEVCNTR%d", i);
--            char *pmevcntr_el0_name = g_strdup_printf("PMEVCNTR%d_EL0", i);
--            char *pmevtyper_name = g_strdup_printf("PMEVTYPER%d", i);
--            char *pmevtyper_el0_name = g_strdup_printf("PMEVTYPER%d_EL0", i);
--            ARMCPRegInfo pmev_regs[] = {
--                { .name = pmevcntr_name, .cp = 15, .crn = 14,
--                  .crm = 8 | (3 & (i >> 3)), .opc1 = 0, .opc2 = i & 7,
--                  .access = PL0_RW, .type = ARM_CP_IO | ARM_CP_ALIAS,
--                  .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn,
--                  .accessfn = pmreg_access },
--                { .name = pmevcntr_el0_name, .state = ARM_CP_STATE_AA64,
--                  .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 8 | (3 & (i >> 3)),
--                  .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access,
--                  .type = ARM_CP_IO,
--                  .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn,
--                  .raw_readfn = pmevcntr_rawread,
--                  .raw_writefn = pmevcntr_rawwrite },
--                { .name = pmevtyper_name, .cp = 15, .crn = 14,
--                  .crm = 12 | (3 & (i >> 3)), .opc1 = 0, .opc2 = i & 7,
--                  .access = PL0_RW, .type = ARM_CP_IO | ARM_CP_ALIAS,
--                  .readfn = pmevtyper_readfn, .writefn = pmevtyper_writefn,
--                  .accessfn = pmreg_access },
--                { .name = pmevtyper_el0_name, .state = ARM_CP_STATE_AA64,
--                  .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 12 | (3 & (i >> 3)),
--                  .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access,
--                  .type = ARM_CP_IO,
--                  .readfn = pmevtyper_readfn, .writefn = pmevtyper_writefn,
--                  .raw_writefn = pmevtyper_rawwrite },
--                REGINFO_SENTINEL
--            };
--            define_arm_cp_regs(cpu, pmev_regs);
--            g_free(pmevcntr_name);
--            g_free(pmevcntr_el0_name);
--            g_free(pmevtyper_name);
--            g_free(pmevtyper_el0_name);
--        }
-         ARMCPRegInfo clidr = {
-             .name = "CLIDR", .state = ARM_CP_STATE_BOTH,
-             .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 1, .opc2 = 1,
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-         define_one_arm_cp_reg(cpu, &clidr);
-         define_arm_cp_regs(cpu, v7_cp_reginfo);
-         define_debug_regs(cpu);
-+        define_pmu_regs(cpu);
-     } else {
-         define_arm_cp_regs(cpu, not_v7_cp_reginfo);
-     }
--    if (FIELD_EX32(cpu->id_dfr0, ID_DFR0, PERFMON) >= 4 &&
--            FIELD_EX32(cpu->id_dfr0, ID_DFR0, PERFMON) != 0xf) {
--        ARMCPRegInfo v81_pmu_regs[] = {
--            { .name = "PMCEID2", .state = ARM_CP_STATE_AA32,
--              .cp = 15, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 4,
--              .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
--              .resetvalue = extract64(cpu->pmceid0, 32, 32) },
--            { .name = "PMCEID3", .state = ARM_CP_STATE_AA32,
--              .cp = 15, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 5,
--              .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
--              .resetvalue = extract64(cpu->pmceid1, 32, 32) },
--            REGINFO_SENTINEL
--        };
--        define_arm_cp_regs(cpu, v81_pmu_regs);
--    }
-     if (arm_feature(env, ARM_FEATURE_V8)) {
-         /* AArch64 ID registers, which all have impdef reset values.
-          * Note that within the ID register ranges the unused slots
---
-.20.1

-[PULL 19/52] target/arm: Add and use FIELD definitions for ID_AA64DFR0_EL1
+Deleted patch
-Add FIELD() definitions for the ID_AA64DFR0_EL1 and use them
-where we currently have hard-coded bit values.
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20200214175116.9164-7-peter.maydell@linaro.org
----
- target/arm/cpu.h    | 10 ++++++++++
- target/arm/cpu.c    |  2 +-
- target/arm/helper.c |  6 +++---
-files changed, 14 insertions(+), 4 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64MMFR2, BBM, 52, 4)
- FIELD(ID_AA64MMFR2, EVT, 56, 4)
- FIELD(ID_AA64MMFR2, E0PD, 60, 4)
-+FIELD(ID_AA64DFR0, DEBUGVER, 0, 4)
-+FIELD(ID_AA64DFR0, TRACEVER, 4, 4)
-+FIELD(ID_AA64DFR0, PMUVER, 8, 4)
-+FIELD(ID_AA64DFR0, BRPS, 12, 4)
-+FIELD(ID_AA64DFR0, WRPS, 20, 4)
-+FIELD(ID_AA64DFR0, CTX_CMPS, 28, 4)
-+FIELD(ID_AA64DFR0, PMSVER, 32, 4)
-+FIELD(ID_AA64DFR0, DOUBLELOCK, 36, 4)
-+FIELD(ID_AA64DFR0, TRACEFILT, 40, 4)
-+
- FIELD(ID_DFR0, COPDBG, 0, 4)
- FIELD(ID_DFR0, COPSDBG, 4, 4)
- FIELD(ID_DFR0, MMAPDBG, 8, 4)
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
-+++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
-                 cpu);
- #endif
-     } else {
--        cpu->id_aa64dfr0 &= ~0xf00;
-+        cpu->id_aa64dfr0 = FIELD_DP64(cpu->id_aa64dfr0, ID_AA64DFR0, PMUVER, 0);
-         cpu->id_dfr0 &= ~(0xf << 24);
-         cpu->pmceid0 = 0;
-         cpu->pmceid1 = 0;
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void define_debug_regs(ARMCPU *cpu)
-      * check that if they both exist then they agree.
-      */
-     if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
--        assert(extract32(cpu->id_aa64dfr0, 12, 4) == brps);
--        assert(extract32(cpu->id_aa64dfr0, 20, 4) == wrps);
--        assert(extract32(cpu->id_aa64dfr0, 28, 4) == ctx_cmps);
-+        assert(FIELD_EX64(cpu->id_aa64dfr0, ID_AA64DFR0, BRPS) == brps);
-+        assert(FIELD_EX64(cpu->id_aa64dfr0, ID_AA64DFR0, WRPS) == wrps);
-+        assert(FIELD_EX64(cpu->id_aa64dfr0, ID_AA64DFR0, CTX_CMPS) == ctx_cmps);
-     }
-     define_one_arm_cp_reg(cpu, &dbgdidr);
---
-.20.1

-[PULL 20/52] target/arm: Use FIELD macros for clearing ID_DFR0 PERFMON field
+Deleted patch
-We already define FIELD macros for ID_DFR0, so use them in the
-one place where we're doing direct bit value manipulation.
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20200214175116.9164-8-peter.maydell@linaro.org
----
- target/arm/cpu.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
-+++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
- #endif
-     } else {
-         cpu->id_aa64dfr0 = FIELD_DP64(cpu->id_aa64dfr0, ID_AA64DFR0, PMUVER, 0);
--        cpu->id_dfr0 &= ~(0xf << 24);
-+        cpu->id_dfr0 = FIELD_DP32(cpu->id_dfr0, ID_DFR0, PERFMON, 0);
-         cpu->pmceid0 = 0;
-         cpu->pmceid1 = 0;
-     }
---
-.20.1

-[PULL 21/52] target/arm: Define an aa32_pmu_8_1 isar feature test function
+Deleted patch
-Instead of open-coding a check on the ID_DFR0 PerfMon ID register
-field, create a standardly-named isar_feature for "does AArch32 have
-a v8.1 PMUv3" and use it.
-This entails moving the id_dfr0 field into the ARMISARegisters struct.
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20200214175116.9164-9-peter.maydell@linaro.org
----
- target/arm/cpu.h      |  9 ++++++++-
- hw/intc/armv7m_nvic.c |  2 +-
- target/arm/cpu.c      | 28 ++++++++++++++--------------
- target/arm/cpu64.c    |  6 +++---
- target/arm/helper.c   |  5 ++---
-files changed, 28 insertions(+), 22 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
-         uint32_t mvfr0;
-         uint32_t mvfr1;
-         uint32_t mvfr2;
-+        uint32_t id_dfr0;
-         uint64_t id_aa64isar0;
-         uint64_t id_aa64isar1;
-         uint64_t id_aa64pfr0;
-@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
-     uint32_t reset_sctlr;
-     uint32_t id_pfr0;
-     uint32_t id_pfr1;
--    uint32_t id_dfr0;
-     uint64_t pmceid0;
-     uint64_t pmceid1;
-     uint32_t id_afr0;
-@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_ats1e1(const ARMISARegisters *id)
-     return FIELD_EX64(id->mvfr0, ID_MMFR3, PAN) >= 2;
- }
-+static inline bool isar_feature_aa32_pmu_8_1(const ARMISARegisters *id)
-+{
-+    /* 0xf means "non-standard IMPDEF PMU" */
-+    return FIELD_EX32(id->id_dfr0, ID_DFR0, PERFMON) >= 4 &&
-+        FIELD_EX32(id->id_dfr0, ID_DFR0, PERFMON) != 0xf;
-+}
-+
- /*
-  * 64-bit feature tests via id registers.
-  */
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
-+++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
-     case 0xd44: /* PFR1.  */
-         return cpu->id_pfr1;
-     case 0xd48: /* DFR0.  */
--        return cpu->id_dfr0;
-+        return cpu->isar.id_dfr0;
-     case 0xd4c: /* AFR0.  */
-         return cpu->id_afr0;
-     case 0xd50: /* MMFR0.  */
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
-+++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
- #endif
-     } else {
-         cpu->id_aa64dfr0 = FIELD_DP64(cpu->id_aa64dfr0, ID_AA64DFR0, PMUVER, 0);
--        cpu->id_dfr0 = FIELD_DP32(cpu->id_dfr0, ID_DFR0, PERFMON, 0);
-+        cpu->isar.id_dfr0 = FIELD_DP32(cpu->isar.id_dfr0, ID_DFR0, PERFMON, 0);
-         cpu->pmceid0 = 0;
-         cpu->pmceid1 = 0;
-     }
-@@ -XXX,XX +XXX,XX @@ static void arm1136_r2_initfn(Object *obj)
-     cpu->reset_sctlr = 0x00050078;
-     cpu->id_pfr0 = 0x111;
-     cpu->id_pfr1 = 0x1;
--    cpu->id_dfr0 = 0x2;
-+    cpu->isar.id_dfr0 = 0x2;
-     cpu->id_afr0 = 0x3;
-     cpu->id_mmfr0 = 0x01130003;
-     cpu->id_mmfr1 = 0x10030302;
-@@ -XXX,XX +XXX,XX @@ static void arm1136_initfn(Object *obj)
-     cpu->reset_sctlr = 0x00050078;
-     cpu->id_pfr0 = 0x111;
-     cpu->id_pfr1 = 0x1;
--    cpu->id_dfr0 = 0x2;
-+    cpu->isar.id_dfr0 = 0x2;
-     cpu->id_afr0 = 0x3;
-     cpu->id_mmfr0 = 0x01130003;
-     cpu->id_mmfr1 = 0x10030302;
-@@ -XXX,XX +XXX,XX @@ static void arm1176_initfn(Object *obj)
-     cpu->reset_sctlr = 0x00050078;
-     cpu->id_pfr0 = 0x111;
-     cpu->id_pfr1 = 0x11;
--    cpu->id_dfr0 = 0x33;
-+    cpu->isar.id_dfr0 = 0x33;
-     cpu->id_afr0 = 0;
-     cpu->id_mmfr0 = 0x01130003;
-     cpu->id_mmfr1 = 0x10030302;
-@@ -XXX,XX +XXX,XX @@ static void arm11mpcore_initfn(Object *obj)
-     cpu->ctr = 0x1d192992; /* 32K icache 32K dcache */
-     cpu->id_pfr0 = 0x111;
-     cpu->id_pfr1 = 0x1;
--    cpu->id_dfr0 = 0;
-+    cpu->isar.id_dfr0 = 0;
-     cpu->id_afr0 = 0x2;
-     cpu->id_mmfr0 = 0x01100103;
-     cpu->id_mmfr1 = 0x10020302;
-@@ -XXX,XX +XXX,XX @@ static void cortex_m3_initfn(Object *obj)
-     cpu->pmsav7_dregion = 8;
-     cpu->id_pfr0 = 0x00000030;
-     cpu->id_pfr1 = 0x00000200;
--    cpu->id_dfr0 = 0x00100000;
-+    cpu->isar.id_dfr0 = 0x00100000;
-     cpu->id_afr0 = 0x00000000;
-     cpu->id_mmfr0 = 0x00000030;
-     cpu->id_mmfr1 = 0x00000000;
-@@ -XXX,XX +XXX,XX @@ static void cortex_m4_initfn(Object *obj)
-     cpu->isar.mvfr2 = 0x00000000;
-     cpu->id_pfr0 = 0x00000030;
-     cpu->id_pfr1 = 0x00000200;
--    cpu->id_dfr0 = 0x00100000;
-+    cpu->isar.id_dfr0 = 0x00100000;
-     cpu->id_afr0 = 0x00000000;
-     cpu->id_mmfr0 = 0x00000030;
-     cpu->id_mmfr1 = 0x00000000;
-@@ -XXX,XX +XXX,XX @@ static void cortex_m7_initfn(Object *obj)
-     cpu->isar.mvfr2 = 0x00000040;
-     cpu->id_pfr0 = 0x00000030;
-     cpu->id_pfr1 = 0x00000200;
--    cpu->id_dfr0 = 0x00100000;
-+    cpu->isar.id_dfr0 = 0x00100000;
-     cpu->id_afr0 = 0x00000000;
-     cpu->id_mmfr0 = 0x00100030;
-     cpu->id_mmfr1 = 0x00000000;
-@@ -XXX,XX +XXX,XX @@ static void cortex_m33_initfn(Object *obj)
-     cpu->isar.mvfr2 = 0x00000040;
-     cpu->id_pfr0 = 0x00000030;
-     cpu->id_pfr1 = 0x00000210;
--    cpu->id_dfr0 = 0x00200000;
-+    cpu->isar.id_dfr0 = 0x00200000;
-     cpu->id_afr0 = 0x00000000;
-     cpu->id_mmfr0 = 0x00101F40;
-     cpu->id_mmfr1 = 0x00000000;
-@@ -XXX,XX +XXX,XX @@ static void cortex_r5_initfn(Object *obj)
-     cpu->midr = 0x411fc153; /* r1p3 */
-     cpu->id_pfr0 = 0x0131;
-     cpu->id_pfr1 = 0x001;
--    cpu->id_dfr0 = 0x010400;
-+    cpu->isar.id_dfr0 = 0x010400;
-     cpu->id_afr0 = 0x0;
-     cpu->id_mmfr0 = 0x0210030;
-     cpu->id_mmfr1 = 0x00000000;
-@@ -XXX,XX +XXX,XX @@ static void cortex_a8_initfn(Object *obj)
-     cpu->reset_sctlr = 0x00c50078;
-     cpu->id_pfr0 = 0x1031;
-     cpu->id_pfr1 = 0x11;
--    cpu->id_dfr0 = 0x400;
-+    cpu->isar.id_dfr0 = 0x400;
-     cpu->id_afr0 = 0;
-     cpu->id_mmfr0 = 0x31100003;
-     cpu->id_mmfr1 = 0x20000000;
-@@ -XXX,XX +XXX,XX @@ static void cortex_a9_initfn(Object *obj)
-     cpu->reset_sctlr = 0x00c50078;
-     cpu->id_pfr0 = 0x1031;
-     cpu->id_pfr1 = 0x11;
--    cpu->id_dfr0 = 0x000;
-+    cpu->isar.id_dfr0 = 0x000;
-     cpu->id_afr0 = 0;
-     cpu->id_mmfr0 = 0x00100103;
-     cpu->id_mmfr1 = 0x20000000;
-@@ -XXX,XX +XXX,XX @@ static void cortex_a7_initfn(Object *obj)
-     cpu->reset_sctlr = 0x00c50078;
-     cpu->id_pfr0 = 0x00001131;
-     cpu->id_pfr1 = 0x00011011;
--    cpu->id_dfr0 = 0x02010555;
-+    cpu->isar.id_dfr0 = 0x02010555;
-     cpu->id_afr0 = 0x00000000;
-     cpu->id_mmfr0 = 0x10101105;
-     cpu->id_mmfr1 = 0x40000000;
-@@ -XXX,XX +XXX,XX @@ static void cortex_a15_initfn(Object *obj)
-     cpu->reset_sctlr = 0x00c50078;
-     cpu->id_pfr0 = 0x00001131;
-     cpu->id_pfr1 = 0x00011011;
--    cpu->id_dfr0 = 0x02010555;
-+    cpu->isar.id_dfr0 = 0x02010555;
-     cpu->id_afr0 = 0x00000000;
-     cpu->id_mmfr0 = 0x10201105;
-     cpu->id_mmfr1 = 0x20000000;
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu64.c
-+++ b/target/arm/cpu64.c
-@@ -XXX,XX +XXX,XX @@ static void aarch64_a57_initfn(Object *obj)
-     cpu->reset_sctlr = 0x00c50838;
-     cpu->id_pfr0 = 0x00000131;
-     cpu->id_pfr1 = 0x00011011;
--    cpu->id_dfr0 = 0x03010066;
-+    cpu->isar.id_dfr0 = 0x03010066;
-     cpu->id_afr0 = 0x00000000;
-     cpu->id_mmfr0 = 0x10101105;
-     cpu->id_mmfr1 = 0x40000000;
-@@ -XXX,XX +XXX,XX @@ static void aarch64_a53_initfn(Object *obj)
-     cpu->reset_sctlr = 0x00c50838;
-     cpu->id_pfr0 = 0x00000131;
-     cpu->id_pfr1 = 0x00011011;
--    cpu->id_dfr0 = 0x03010066;
-+    cpu->isar.id_dfr0 = 0x03010066;
-     cpu->id_afr0 = 0x00000000;
-     cpu->id_mmfr0 = 0x10101105;
-     cpu->id_mmfr1 = 0x40000000;
-@@ -XXX,XX +XXX,XX @@ static void aarch64_a72_initfn(Object *obj)
-     cpu->reset_sctlr = 0x00c50838;
-     cpu->id_pfr0 = 0x00000131;
-     cpu->id_pfr1 = 0x00011011;
--    cpu->id_dfr0 = 0x03010066;
-+    cpu->isar.id_dfr0 = 0x03010066;
-     cpu->id_afr0 = 0x00000000;
-     cpu->id_mmfr0 = 0x10201105;
-     cpu->id_mmfr1 = 0x40000000;
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void define_pmu_regs(ARMCPU *cpu)
-         g_free(pmevtyper_name);
-         g_free(pmevtyper_el0_name);
-     }
--    if (FIELD_EX32(cpu->id_dfr0, ID_DFR0, PERFMON) >= 4 &&
--            FIELD_EX32(cpu->id_dfr0, ID_DFR0, PERFMON) != 0xf) {
-+    if (cpu_isar_feature(aa32_pmu_8_1, cpu)) {
-         ARMCPRegInfo v81_pmu_regs[] = {
-             { .name = "PMCEID2", .state = ARM_CP_STATE_AA32,
-               .cp = 15, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 4,
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 2,
-               .access = PL1_R, .type = ARM_CP_CONST,
-               .accessfn = access_aa32_tid3,
--              .resetvalue = cpu->id_dfr0 },
-+              .resetvalue = cpu->isar.id_dfr0 },
-             { .name = "ID_AFR0", .state = ARM_CP_STATE_BOTH,
-               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 3,
-               .access = PL1_R, .type = ARM_CP_CONST,
---
-.20.1

-[PULL 24/52] target/arm: Move DBGDIDR into ARMISARegisters
+Deleted patch
-We're going to want to read the DBGDIDR register from KVM in
-a subsequent commit, which means it needs to be in the
-ARMISARegisters sub-struct. Move it.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200214175116.9164-12-peter.maydell@linaro.org
----
- target/arm/cpu.h       | 2 +-
- target/arm/internals.h | 6 +++---
- target/arm/cpu.c       | 8 ++++----
- target/arm/cpu64.c     | 6 +++---
- target/arm/helper.c    | 2 +-
-files changed, 12 insertions(+), 12 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
-         uint32_t mvfr1;
-         uint32_t mvfr2;
-         uint32_t id_dfr0;
-+        uint32_t dbgdidr;
-         uint64_t id_aa64isar0;
-         uint64_t id_aa64isar1;
-         uint64_t id_aa64pfr0;
-@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
-     uint32_t id_mmfr4;
-     uint64_t id_aa64afr0;
-     uint64_t id_aa64afr1;
--    uint32_t dbgdidr;
-     uint32_t clidr;
-     uint64_t mp_affinity; /* MP ID without feature bits */
-     /* The elements of this array are the CCSIDR values for each cache,
-diff --git a/target/arm/internals.h b/target/arm/internals.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/internals.h
-+++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ static inline int arm_num_brps(ARMCPU *cpu)
-     if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
-         return FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, BRPS) + 1;
-     } else {
--        return FIELD_EX32(cpu->dbgdidr, DBGDIDR, BRPS) + 1;
-+        return FIELD_EX32(cpu->isar.dbgdidr, DBGDIDR, BRPS) + 1;
-     }
- }
-@@ -XXX,XX +XXX,XX @@ static inline int arm_num_wrps(ARMCPU *cpu)
-     if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
-         return FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, WRPS) + 1;
-     } else {
--        return FIELD_EX32(cpu->dbgdidr, DBGDIDR, WRPS) + 1;
-+        return FIELD_EX32(cpu->isar.dbgdidr, DBGDIDR, WRPS) + 1;
-     }
- }
-@@ -XXX,XX +XXX,XX @@ static inline int arm_num_ctx_cmps(ARMCPU *cpu)
-     if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
-         return FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, CTX_CMPS) + 1;
-     } else {
--        return FIELD_EX32(cpu->dbgdidr, DBGDIDR, CTX_CMPS) + 1;
-+        return FIELD_EX32(cpu->isar.dbgdidr, DBGDIDR, CTX_CMPS) + 1;
-     }
- }
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
-+++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void cortex_a8_initfn(Object *obj)
-     cpu->isar.id_isar2 = 0x21232031;
-     cpu->isar.id_isar3 = 0x11112131;
-     cpu->isar.id_isar4 = 0x00111142;
--    cpu->dbgdidr = 0x15141000;
-+    cpu->isar.dbgdidr = 0x15141000;
-     cpu->clidr = (1 << 27) | (2 << 24) | 3;
-     cpu->ccsidr[0] = 0xe007e01a; /* 16k L1 dcache. */
-     cpu->ccsidr[1] = 0x2007e01a; /* 16k L1 icache. */
-@@ -XXX,XX +XXX,XX @@ static void cortex_a9_initfn(Object *obj)
-     cpu->isar.id_isar2 = 0x21232041;
-     cpu->isar.id_isar3 = 0x11112131;
-     cpu->isar.id_isar4 = 0x00111142;
--    cpu->dbgdidr = 0x35141000;
-+    cpu->isar.dbgdidr = 0x35141000;
-     cpu->clidr = (1 << 27) | (1 << 24) | 3;
-     cpu->ccsidr[0] = 0xe00fe019; /* 16k L1 dcache. */
-     cpu->ccsidr[1] = 0x200fe019; /* 16k L1 icache. */
-@@ -XXX,XX +XXX,XX @@ static void cortex_a7_initfn(Object *obj)
-     cpu->isar.id_isar2 = 0x21232041;
-     cpu->isar.id_isar3 = 0x11112131;
-     cpu->isar.id_isar4 = 0x10011142;
--    cpu->dbgdidr = 0x3515f005;
-+    cpu->isar.dbgdidr = 0x3515f005;
-     cpu->clidr = 0x0a200023;
-     cpu->ccsidr[0] = 0x701fe00a; /* 32K L1 dcache */
-     cpu->ccsidr[1] = 0x201fe00a; /* 32K L1 icache */
-@@ -XXX,XX +XXX,XX @@ static void cortex_a15_initfn(Object *obj)
-     cpu->isar.id_isar2 = 0x21232041;
-     cpu->isar.id_isar3 = 0x11112131;
-     cpu->isar.id_isar4 = 0x10011142;
--    cpu->dbgdidr = 0x3515f021;
-+    cpu->isar.dbgdidr = 0x3515f021;
-     cpu->clidr = 0x0a200023;
-     cpu->ccsidr[0] = 0x701fe00a; /* 32K L1 dcache */
-     cpu->ccsidr[1] = 0x201fe00a; /* 32K L1 icache */
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu64.c
-+++ b/target/arm/cpu64.c
-@@ -XXX,XX +XXX,XX @@ static void aarch64_a57_initfn(Object *obj)
-     cpu->isar.id_aa64dfr0 = 0x10305106;
-     cpu->isar.id_aa64isar0 = 0x00011120;
-     cpu->isar.id_aa64mmfr0 = 0x00001124;
--    cpu->dbgdidr = 0x3516d000;
-+    cpu->isar.dbgdidr = 0x3516d000;
-     cpu->clidr = 0x0a200023;
-     cpu->ccsidr[0] = 0x701fe00a; /* 32KB L1 dcache */
-     cpu->ccsidr[1] = 0x201fe012; /* 48KB L1 icache */
-@@ -XXX,XX +XXX,XX @@ static void aarch64_a53_initfn(Object *obj)
-     cpu->isar.id_aa64dfr0 = 0x10305106;
-     cpu->isar.id_aa64isar0 = 0x00011120;
-     cpu->isar.id_aa64mmfr0 = 0x00001122; /* 40 bit physical addr */
--    cpu->dbgdidr = 0x3516d000;
-+    cpu->isar.dbgdidr = 0x3516d000;
-     cpu->clidr = 0x0a200023;
-     cpu->ccsidr[0] = 0x700fe01a; /* 32KB L1 dcache */
-     cpu->ccsidr[1] = 0x201fe00a; /* 32KB L1 icache */
-@@ -XXX,XX +XXX,XX @@ static void aarch64_a72_initfn(Object *obj)
-     cpu->isar.id_aa64dfr0 = 0x10305106;
-     cpu->isar.id_aa64isar0 = 0x00011120;
-     cpu->isar.id_aa64mmfr0 = 0x00001124;
--    cpu->dbgdidr = 0x3516d000;
-+    cpu->isar.dbgdidr = 0x3516d000;
-     cpu->clidr = 0x0a200023;
-     cpu->ccsidr[0] = 0x701fe00a; /* 32KB L1 dcache */
-     cpu->ccsidr[1] = 0x201fe012; /* 48KB L1 icache */
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void define_debug_regs(ARMCPU *cpu)
-     ARMCPRegInfo dbgdidr = {
-         .name = "DBGDIDR", .cp = 14, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 0,
-         .access = PL0_R, .accessfn = access_tda,
--        .type = ARM_CP_CONST, .resetvalue = cpu->dbgdidr,
-+        .type = ARM_CP_CONST, .resetvalue = cpu->isar.dbgdidr,
-     };
-     /* Note that all these register fields hold "number of Xs minus 1". */
---
-.20.1

-[PULL 25/52] target/arm: Read debug-related ID registers from KVM
+Deleted patch
-Now we have isar_feature test functions that look at fields in the
-ID_AA64DFR0_EL1 and ID_DFR0 ID registers, add the code that reads
-these register values from KVM so that the checks behave correctly
-when we're using KVM.
-No isar_feature function tests ID_AA64DFR1_EL1 or DBGDIDR yet, but we
-add it to maintain the invariant that every field in the
-ARMISARegisters struct is populated for a KVM CPU and can be relied
-on.  This requirement isn't actually written down yet, so add a note
-to the relevant comment.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200214175116.9164-13-peter.maydell@linaro.org
----
- target/arm/cpu.h   |  5 +++++
- target/arm/kvm32.c |  8 ++++++++
- target/arm/kvm64.c | 36 ++++++++++++++++++++++++++++++++++++
-files changed, 49 insertions(+)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
-      * prefix means a constant register.
-      * Some of these registers are split out into a substructure that
-      * is shared with the translators to control the ISA.
-+     *
-+     * Note that if you add an ID register to the ARMISARegisters struct
-+     * you need to also update the 32-bit and 64-bit versions of the
-+     * kvm_arm_get_host_cpu_features() function to correctly populate the
-+     * field by reading the value from the KVM vCPU.
-      */
-     struct ARMISARegisters {
-         uint32_t id_isar0;
-diff --git a/target/arm/kvm32.c b/target/arm/kvm32.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm32.c
-+++ b/target/arm/kvm32.c
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
-         ahcf->isar.id_isar6 = 0;
-     }
-+    err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_dfr0,
-+                          ARM_CP15_REG32(0, 0, 1, 2));
-+
-     err |= read_sys_reg32(fdarray[2], &ahcf->isar.mvfr0,
-                           KVM_REG_ARM | KVM_REG_SIZE_U32 |
-                           KVM_REG_ARM_VFP | KVM_REG_ARM_VFP_MVFR0);
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
-      * Fortunately there is not yet anything in there that affects migration.
-      */
-+    /*
-+     * There is no way to read DBGDIDR, because currently 32-bit KVM
-+     * doesn't implement debug at all. Leave it at zero.
-+     */
-+
-     kvm_arm_destroy_scratch_host_vcpu(fdarray);
-     if (err < 0) {
-diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm64.c
-+++ b/target/arm/kvm64.c
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
-     } else {
-         err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64pfr1,
-                               ARM64_SYS_REG(3, 0, 0, 4, 1));
-+        err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64dfr0,
-+                              ARM64_SYS_REG(3, 0, 0, 5, 0));
-+        err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64dfr1,
-+                              ARM64_SYS_REG(3, 0, 0, 5, 1));
-         err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64isar0,
-                               ARM64_SYS_REG(3, 0, 0, 6, 0));
-         err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64isar1,
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
-          * than skipping the reads and leaving 0, as we must avoid
-          * considering the values in every case.
-          */
-+        err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_dfr0,
-+                              ARM64_SYS_REG(3, 0, 0, 1, 2));
-         err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_isar0,
-                               ARM64_SYS_REG(3, 0, 0, 2, 0));
-         err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_isar1,
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
-                               ARM64_SYS_REG(3, 0, 0, 3, 1));
-         err |= read_sys_reg32(fdarray[2], &ahcf->isar.mvfr2,
-                               ARM64_SYS_REG(3, 0, 0, 3, 2));
-+
-+        /*
-+         * DBGDIDR is a bit complicated because the kernel doesn't
-+         * provide an accessor for it in 64-bit mode, which is what this
-+         * scratch VM is in, and there's no architected "64-bit sysreg
-+         * which reads the same as the 32-bit register" the way there is
-+         * for other ID registers. Instead we synthesize a value from the
-+         * AArch64 ID_AA64DFR0, the same way the kernel code in
-+         * arch/arm64/kvm/sys_regs.c:trap_dbgidr() does.
-+         * We only do this if the CPU supports AArch32 at EL1.
-+         */
-+        if (FIELD_EX32(ahcf->isar.id_aa64pfr0, ID_AA64PFR0, EL1) >= 2) {
-+            int wrps = FIELD_EX64(ahcf->isar.id_aa64dfr0, ID_AA64DFR0, WRPS);
-+            int brps = FIELD_EX64(ahcf->isar.id_aa64dfr0, ID_AA64DFR0, BRPS);
-+            int ctx_cmps =
-+                FIELD_EX64(ahcf->isar.id_aa64dfr0, ID_AA64DFR0, CTX_CMPS);
-+            int version = 6; /* ARMv8 debug architecture */
-+            bool has_el3 =
-+                !!FIELD_EX32(ahcf->isar.id_aa64pfr0, ID_AA64PFR0, EL3);
-+            uint32_t dbgdidr = 0;
-+
-+            dbgdidr = FIELD_DP32(dbgdidr, DBGDIDR, WRPS, wrps);
-+            dbgdidr = FIELD_DP32(dbgdidr, DBGDIDR, BRPS, brps);
-+            dbgdidr = FIELD_DP32(dbgdidr, DBGDIDR, CTX_CMPS, ctx_cmps);
-+            dbgdidr = FIELD_DP32(dbgdidr, DBGDIDR, VERSION, version);
-+            dbgdidr = FIELD_DP32(dbgdidr, DBGDIDR, NSUHD_IMP, has_el3);
-+            dbgdidr = FIELD_DP32(dbgdidr, DBGDIDR, SE_IMP, has_el3);
-+            dbgdidr |= (1 << 15); /* RES1 bit */
-+            ahcf->isar.dbgdidr = dbgdidr;
-+        }
-     }
-     sve_supported = ioctl(fdarray[0], KVM_CHECK_EXTENSION, KVM_CAP_ARM_SVE) > 0;
---
-.20.1

-[PULL 26/52] target/arm: Implement ARMv8.1-PMU extension
+Deleted patch
-The ARMv8.1-PMU extension requires:
- * the evtCount field in PMETYPER<n>_EL0 is 16 bits, not 10
- * MDCR_EL2.HPMD allows event counting to be disabled at EL2
- * two new required events, STALL_FRONTEND and STALL_BACKEND
- * ID register bits in ID_AA64DFR0_EL1 and ID_DFR0
-We already implement the 16-bit evtCount field and the
-HPMD bit, so all that is missing is the two new events:
-  STALL_FRONTEND
-   "counts every cycle counted by the CPU_CYCLES event on which no
-    operation was issued because there are no operations available
-    to issue to this PE from the frontend"
-  STALL_BACKEND
-   "counts every cycle counted by the CPU_CYCLES event on which no
-    operation was issued because the backend is unable to accept
-    any available operations from the frontend"
-QEMU never stalls in this sense, so our implementation is trivial:
-always return a zero count.
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20200214175116.9164-14-peter.maydell@linaro.org
----
- target/arm/helper.c | 32 ++++++++++++++++++++++++++++++--
-file changed, 30 insertions(+), 2 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static int64_t instructions_ns_per(uint64_t icount)
- }
- #endif
-+static bool pmu_8_1_events_supported(CPUARMState *env)
-+{
-+    /* For events which are supported in any v8.1 PMU */
-+    return cpu_isar_feature(any_pmu_8_1, env_archcpu(env));
-+}
-+
-+static uint64_t zero_event_get_count(CPUARMState *env)
-+{
-+    /* For events which on QEMU never fire, so their count is always zero */
-+    return 0;
-+}
-+
-+static int64_t zero_event_ns_per(uint64_t cycles)
-+{
-+    /* An event which never fires can never overflow */
-+    return -1;
-+}
-+
- static const pm_event pm_events[] = {
-     { .number = 0x000, /* SW_INCR */
-       .supported = event_always_supported,
-@@ -XXX,XX +XXX,XX @@ static const pm_event pm_events[] = {
-       .supported = event_always_supported,
-       .get_count = cycles_get_count,
-       .ns_per_count = cycles_ns_per,
--    }
-+    },
- #endif
-+    { .number = 0x023, /* STALL_FRONTEND */
-+      .supported = pmu_8_1_events_supported,
-+      .get_count = zero_event_get_count,
-+      .ns_per_count = zero_event_ns_per,
-+    },
-+    { .number = 0x024, /* STALL_BACKEND */
-+      .supported = pmu_8_1_events_supported,
-+      .get_count = zero_event_get_count,
-+      .ns_per_count = zero_event_ns_per,
-+    },
- };
- /*
-@@ -XXX,XX +XXX,XX @@ static const pm_event pm_events[] = {
-  * should first be updated to something sparse instead of the current
-  * supported_event_map[] array.
-  */
--#define MAX_EVENT_ID 0x11
-+#define MAX_EVENT_ID 0x24
- #define UNSUPPORTED_EVENT UINT16_MAX
- static uint16_t supported_event_map[MAX_EVENT_ID + 1];
---
-.20.1

-[PULL 28/52] target/arm: Provide ARMv8.4-PMU in '-cpu max'
+Deleted patch
-Set the ID register bits to provide ARMv8.4-PMU (and implicitly
-also ARMv8.1-PMU) in the 'max' CPU.
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20200214175116.9164-16-peter.maydell@linaro.org
----
- target/arm/cpu64.c | 8 ++++++++
-file changed, 8 insertions(+)
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu64.c
-+++ b/target/arm/cpu64.c
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
-         u = FIELD_DP32(u, ID_MMFR3, PAN, 2); /* ATS1E1 */
-         cpu->id_mmfr3 = u;
-+        u = cpu->isar.id_aa64dfr0;
-+        u = FIELD_DP64(u, ID_AA64DFR0, PMUVER, 5); /* v8.4-PMU */
-+        cpu->isar.id_aa64dfr0 = u;
-+
-+        u = cpu->isar.id_dfr0;
-+        u = FIELD_DP32(u, ID_DFR0, PERFMON, 5); /* v8.4-PMU */
-+        cpu->isar.id_dfr0 = u;
-+
-         /*
-          * FIXME: We do not yet support ARMv8.2-fp16 for AArch32 yet,
-          * so do not set MVFR1.FPHP.  Strictly speaking this is not legal,
---
-.20.1

-[PULL 29/52] target/arm: Correct definition of PMCRDP
+Deleted patch
-The PMCR_EL0.DP bit is bit 5, which is 0x20, not 0x10.  0x10 is 'X'.
-Correct our #define of PMCRDP and add the missing PMCRX.
-We do have the correct behaviour for handling the DP bit being
-set, so this fixes a guest-visible bug.
-Fixes: 033614c47de
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20200214175116.9164-17-peter.maydell@linaro.org
----
- target/arm/helper.c | 3 ++-
-file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v6_cp_reginfo[] = {
- #define PMCRN_MASK  0xf800
- #define PMCRN_SHIFT 11
- #define PMCRLC  0x40
--#define PMCRDP  0x10
-+#define PMCRDP  0x20
-+#define PMCRX   0x10
- #define PMCRD   0x8
- #define PMCRC   0x4
- #define PMCRP   0x2
---
-.20.1

-[PULL 30/52] target/arm: Correct handling of PMCR_EL0.LC bit
+Deleted patch
-The LC bit in the PMCR_EL0 register is supposed to be:
- * read/write
- * RES1 on an AArch64-only implementation
- * an architecturally UNKNOWN value on reset
-(and use of LC==0 by software is deprecated).
-We were implementing it incorrectly as read-only always zero,
-though we do have all the code needed to test it and behave
-accordingly.
-Instead make it a read-write bit which resets to 1 always, which
-satisfies all the architectural requirements above.
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20200214175116.9164-18-peter.maydell@linaro.org
----
- target/arm/helper.c | 13 +++++++++----
-file changed, 9 insertions(+), 4 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v6_cp_reginfo[] = {
- #define PMCRC   0x4
- #define PMCRP   0x2
- #define PMCRE   0x1
-+/*
-+ * Mask of PMCR bits writeable by guest (not including WO bits like C, P,
-+ * which can be written as 1 to trigger behaviour but which stay RAZ).
-+ */
-+#define PMCR_WRITEABLE_MASK (PMCRLC | PMCRDP | PMCRX | PMCRD | PMCRE)
- #define PMXEVTYPER_P          0x80000000
- #define PMXEVTYPER_U          0x40000000
-@@ -XXX,XX +XXX,XX @@ static void pmcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
-         }
-     }
--    /* only the DP, X, D and E bits are writable */
--    env->cp15.c9_pmcr &= ~0x39;
--    env->cp15.c9_pmcr |= (value & 0x39);
-+    env->cp15.c9_pmcr &= ~PMCR_WRITEABLE_MASK;
-+    env->cp15.c9_pmcr |= (value & PMCR_WRITEABLE_MASK);
-     pmu_op_finish(env);
- }
-@@ -XXX,XX +XXX,XX @@ static void define_pmu_regs(ARMCPU *cpu)
-         .access = PL0_RW, .accessfn = pmreg_access,
-         .type = ARM_CP_IO,
-         .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcr),
--        .resetvalue = (cpu->midr & 0xff000000) | (pmcrn << PMCRN_SHIFT),
-+        .resetvalue = (cpu->midr & 0xff000000) | (pmcrn << PMCRN_SHIFT) |
-+                      PMCRLC,
-         .writefn = pmcr_write, .raw_writefn = raw_write,
-     };
-     define_one_arm_cp_reg(cpu, &pmcr);
---
-.20.1

-[PULL 31/52] target/arm: Test correct register in aa32_pan and aa32_ats1e1 checks
+Deleted patch
-The isar_feature_aa32_pan and isar_feature_aa32_ats1e1 functions
-are supposed to be testing fields in ID_MMFR3; but a cut-and-paste
-error meant we were looking at MVFR0 instead.
-Fix the functions to look at the right register; this requires
-us to move at least id_mmfr3 to the ARMISARegisters struct; we
-choose to move all the ID_MMFRn registers for consistency.
-Fixes: 3d6ad6bb466f
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200214175116.9164-19-peter.maydell@linaro.org
----
- target/arm/cpu.h      |  14 +++---
- hw/intc/armv7m_nvic.c |   8 ++--
- target/arm/cpu.c      | 104 +++++++++++++++++++++---------------------
- target/arm/cpu64.c    |  28 ++++++------
- target/arm/helper.c   |  12 ++---
- target/arm/kvm32.c    |  17 +++++++
- target/arm/kvm64.c    |  10 ++++
-files changed, 110 insertions(+), 83 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
-         uint32_t id_isar4;
-         uint32_t id_isar5;
-         uint32_t id_isar6;
-+        uint32_t id_mmfr0;
-+        uint32_t id_mmfr1;
-+        uint32_t id_mmfr2;
-+        uint32_t id_mmfr3;
-+        uint32_t id_mmfr4;
-         uint32_t mvfr0;
-         uint32_t mvfr1;
-         uint32_t mvfr2;
-@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
-     uint64_t pmceid0;
-     uint64_t pmceid1;
-     uint32_t id_afr0;
--    uint32_t id_mmfr0;
--    uint32_t id_mmfr1;
--    uint32_t id_mmfr2;
--    uint32_t id_mmfr3;
--    uint32_t id_mmfr4;
-     uint64_t id_aa64afr0;
-     uint64_t id_aa64afr1;
-     uint32_t clidr;
-@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_vminmaxnm(const ARMISARegisters *id)
- static inline bool isar_feature_aa32_pan(const ARMISARegisters *id)
- {
--    return FIELD_EX64(id->mvfr0, ID_MMFR3, PAN) != 0;
-+    return FIELD_EX32(id->id_mmfr3, ID_MMFR3, PAN) != 0;
- }
- static inline bool isar_feature_aa32_ats1e1(const ARMISARegisters *id)
- {
--    return FIELD_EX64(id->mvfr0, ID_MMFR3, PAN) >= 2;
-+    return FIELD_EX32(id->id_mmfr3, ID_MMFR3, PAN) >= 2;
- }
- static inline bool isar_feature_aa32_pmu_8_1(const ARMISARegisters *id)
-diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/armv7m_nvic.c
-+++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
-     case 0xd4c: /* AFR0.  */
-         return cpu->id_afr0;
-     case 0xd50: /* MMFR0.  */
--        return cpu->id_mmfr0;
-+        return cpu->isar.id_mmfr0;
-     case 0xd54: /* MMFR1.  */
--        return cpu->id_mmfr1;
-+        return cpu->isar.id_mmfr1;
-     case 0xd58: /* MMFR2.  */
--        return cpu->id_mmfr2;
-+        return cpu->isar.id_mmfr2;
-     case 0xd5c: /* MMFR3.  */
--        return cpu->id_mmfr3;
-+        return cpu->isar.id_mmfr3;
-     case 0xd60: /* ISAR0.  */
-         return cpu->isar.id_isar0;
-     case 0xd64: /* ISAR1.  */
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
-+++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void arm1136_r2_initfn(Object *obj)
-     cpu->id_pfr1 = 0x1;
-     cpu->isar.id_dfr0 = 0x2;
-     cpu->id_afr0 = 0x3;
--    cpu->id_mmfr0 = 0x01130003;
--    cpu->id_mmfr1 = 0x10030302;
--    cpu->id_mmfr2 = 0x01222110;
-+    cpu->isar.id_mmfr0 = 0x01130003;
-+    cpu->isar.id_mmfr1 = 0x10030302;
-+    cpu->isar.id_mmfr2 = 0x01222110;
-     cpu->isar.id_isar0 = 0x00140011;
-     cpu->isar.id_isar1 = 0x12002111;
-     cpu->isar.id_isar2 = 0x11231111;
-@@ -XXX,XX +XXX,XX @@ static void arm1136_initfn(Object *obj)
-     cpu->id_pfr1 = 0x1;
-     cpu->isar.id_dfr0 = 0x2;
-     cpu->id_afr0 = 0x3;
--    cpu->id_mmfr0 = 0x01130003;
--    cpu->id_mmfr1 = 0x10030302;
--    cpu->id_mmfr2 = 0x01222110;
-+    cpu->isar.id_mmfr0 = 0x01130003;
-+    cpu->isar.id_mmfr1 = 0x10030302;
-+    cpu->isar.id_mmfr2 = 0x01222110;
-     cpu->isar.id_isar0 = 0x00140011;
-     cpu->isar.id_isar1 = 0x12002111;
-     cpu->isar.id_isar2 = 0x11231111;
-@@ -XXX,XX +XXX,XX @@ static void arm1176_initfn(Object *obj)
-     cpu->id_pfr1 = 0x11;
-     cpu->isar.id_dfr0 = 0x33;
-     cpu->id_afr0 = 0;
--    cpu->id_mmfr0 = 0x01130003;
--    cpu->id_mmfr1 = 0x10030302;
--    cpu->id_mmfr2 = 0x01222100;
-+    cpu->isar.id_mmfr0 = 0x01130003;
-+    cpu->isar.id_mmfr1 = 0x10030302;
-+    cpu->isar.id_mmfr2 = 0x01222100;
-     cpu->isar.id_isar0 = 0x0140011;
-     cpu->isar.id_isar1 = 0x12002111;
-     cpu->isar.id_isar2 = 0x11231121;
-@@ -XXX,XX +XXX,XX @@ static void arm11mpcore_initfn(Object *obj)
-     cpu->id_pfr1 = 0x1;
-     cpu->isar.id_dfr0 = 0;
-     cpu->id_afr0 = 0x2;
--    cpu->id_mmfr0 = 0x01100103;
--    cpu->id_mmfr1 = 0x10020302;
--    cpu->id_mmfr2 = 0x01222000;
-+    cpu->isar.id_mmfr0 = 0x01100103;
-+    cpu->isar.id_mmfr1 = 0x10020302;
-+    cpu->isar.id_mmfr2 = 0x01222000;
-     cpu->isar.id_isar0 = 0x00100011;
-     cpu->isar.id_isar1 = 0x12002111;
-     cpu->isar.id_isar2 = 0x11221011;
-@@ -XXX,XX +XXX,XX @@ static void cortex_m3_initfn(Object *obj)
-     cpu->id_pfr1 = 0x00000200;
-     cpu->isar.id_dfr0 = 0x00100000;
-     cpu->id_afr0 = 0x00000000;
--    cpu->id_mmfr0 = 0x00000030;
--    cpu->id_mmfr1 = 0x00000000;
--    cpu->id_mmfr2 = 0x00000000;
--    cpu->id_mmfr3 = 0x00000000;
-+    cpu->isar.id_mmfr0 = 0x00000030;
-+    cpu->isar.id_mmfr1 = 0x00000000;
-+    cpu->isar.id_mmfr2 = 0x00000000;
-+    cpu->isar.id_mmfr3 = 0x00000000;
-     cpu->isar.id_isar0 = 0x01141110;
-     cpu->isar.id_isar1 = 0x02111000;
-     cpu->isar.id_isar2 = 0x21112231;
-@@ -XXX,XX +XXX,XX @@ static void cortex_m4_initfn(Object *obj)
-     cpu->id_pfr1 = 0x00000200;
-     cpu->isar.id_dfr0 = 0x00100000;
-     cpu->id_afr0 = 0x00000000;
--    cpu->id_mmfr0 = 0x00000030;
--    cpu->id_mmfr1 = 0x00000000;
--    cpu->id_mmfr2 = 0x00000000;
--    cpu->id_mmfr3 = 0x00000000;
-+    cpu->isar.id_mmfr0 = 0x00000030;
-+    cpu->isar.id_mmfr1 = 0x00000000;
-+    cpu->isar.id_mmfr2 = 0x00000000;
-+    cpu->isar.id_mmfr3 = 0x00000000;
-     cpu->isar.id_isar0 = 0x01141110;
-     cpu->isar.id_isar1 = 0x02111000;
-     cpu->isar.id_isar2 = 0x21112231;
-@@ -XXX,XX +XXX,XX @@ static void cortex_m7_initfn(Object *obj)
-     cpu->id_pfr1 = 0x00000200;
-     cpu->isar.id_dfr0 = 0x00100000;
-     cpu->id_afr0 = 0x00000000;
--    cpu->id_mmfr0 = 0x00100030;
--    cpu->id_mmfr1 = 0x00000000;
--    cpu->id_mmfr2 = 0x01000000;
--    cpu->id_mmfr3 = 0x00000000;
-+    cpu->isar.id_mmfr0 = 0x00100030;
-+    cpu->isar.id_mmfr1 = 0x00000000;
-+    cpu->isar.id_mmfr2 = 0x01000000;
-+    cpu->isar.id_mmfr3 = 0x00000000;
-     cpu->isar.id_isar0 = 0x01101110;
-     cpu->isar.id_isar1 = 0x02112000;
-     cpu->isar.id_isar2 = 0x20232231;
-@@ -XXX,XX +XXX,XX @@ static void cortex_m33_initfn(Object *obj)
-     cpu->id_pfr1 = 0x00000210;
-     cpu->isar.id_dfr0 = 0x00200000;
-     cpu->id_afr0 = 0x00000000;
--    cpu->id_mmfr0 = 0x00101F40;
--    cpu->id_mmfr1 = 0x00000000;
--    cpu->id_mmfr2 = 0x01000000;
--    cpu->id_mmfr3 = 0x00000000;
-+    cpu->isar.id_mmfr0 = 0x00101F40;
-+    cpu->isar.id_mmfr1 = 0x00000000;
-+    cpu->isar.id_mmfr2 = 0x01000000;
-+    cpu->isar.id_mmfr3 = 0x00000000;
-     cpu->isar.id_isar0 = 0x01101110;
-     cpu->isar.id_isar1 = 0x02212000;
-     cpu->isar.id_isar2 = 0x20232232;
-@@ -XXX,XX +XXX,XX @@ static void cortex_r5_initfn(Object *obj)
-     cpu->id_pfr1 = 0x001;
-     cpu->isar.id_dfr0 = 0x010400;
-     cpu->id_afr0 = 0x0;
--    cpu->id_mmfr0 = 0x0210030;
--    cpu->id_mmfr1 = 0x00000000;
--    cpu->id_mmfr2 = 0x01200000;
--    cpu->id_mmfr3 = 0x0211;
-+    cpu->isar.id_mmfr0 = 0x0210030;
-+    cpu->isar.id_mmfr1 = 0x00000000;
-+    cpu->isar.id_mmfr2 = 0x01200000;
-+    cpu->isar.id_mmfr3 = 0x0211;
-     cpu->isar.id_isar0 = 0x02101111;
-     cpu->isar.id_isar1 = 0x13112111;
-     cpu->isar.id_isar2 = 0x21232141;
-@@ -XXX,XX +XXX,XX @@ static void cortex_a8_initfn(Object *obj)
-     cpu->id_pfr1 = 0x11;
-     cpu->isar.id_dfr0 = 0x400;
-     cpu->id_afr0 = 0;
--    cpu->id_mmfr0 = 0x31100003;
--    cpu->id_mmfr1 = 0x20000000;
--    cpu->id_mmfr2 = 0x01202000;
--    cpu->id_mmfr3 = 0x11;
-+    cpu->isar.id_mmfr0 = 0x31100003;
-+    cpu->isar.id_mmfr1 = 0x20000000;
-+    cpu->isar.id_mmfr2 = 0x01202000;
-+    cpu->isar.id_mmfr3 = 0x11;
-     cpu->isar.id_isar0 = 0x00101111;
-     cpu->isar.id_isar1 = 0x12112111;
-     cpu->isar.id_isar2 = 0x21232031;
-@@ -XXX,XX +XXX,XX @@ static void cortex_a9_initfn(Object *obj)
-     cpu->id_pfr1 = 0x11;
-     cpu->isar.id_dfr0 = 0x000;
-     cpu->id_afr0 = 0;
--    cpu->id_mmfr0 = 0x00100103;
--    cpu->id_mmfr1 = 0x20000000;
--    cpu->id_mmfr2 = 0x01230000;
--    cpu->id_mmfr3 = 0x00002111;
-+    cpu->isar.id_mmfr0 = 0x00100103;
-+    cpu->isar.id_mmfr1 = 0x20000000;
-+    cpu->isar.id_mmfr2 = 0x01230000;
-+    cpu->isar.id_mmfr3 = 0x00002111;
-     cpu->isar.id_isar0 = 0x00101111;
-     cpu->isar.id_isar1 = 0x13112111;
-     cpu->isar.id_isar2 = 0x21232041;
-@@ -XXX,XX +XXX,XX @@ static void cortex_a7_initfn(Object *obj)
-     cpu->id_pfr1 = 0x00011011;
-     cpu->isar.id_dfr0 = 0x02010555;
-     cpu->id_afr0 = 0x00000000;
--    cpu->id_mmfr0 = 0x10101105;
--    cpu->id_mmfr1 = 0x40000000;
--    cpu->id_mmfr2 = 0x01240000;
--    cpu->id_mmfr3 = 0x02102211;
-+    cpu->isar.id_mmfr0 = 0x10101105;
-+    cpu->isar.id_mmfr1 = 0x40000000;
-+    cpu->isar.id_mmfr2 = 0x01240000;
-+    cpu->isar.id_mmfr3 = 0x02102211;
-     /* a7_mpcore_r0p5_trm, page 4-4 gives 0x01101110; but
-      * table 4-41 gives 0x02101110, which includes the arm div insns.
-      */
-@@ -XXX,XX +XXX,XX @@ static void cortex_a15_initfn(Object *obj)
-     cpu->id_pfr1 = 0x00011011;
-     cpu->isar.id_dfr0 = 0x02010555;
-     cpu->id_afr0 = 0x00000000;
--    cpu->id_mmfr0 = 0x10201105;
--    cpu->id_mmfr1 = 0x20000000;
--    cpu->id_mmfr2 = 0x01240000;
--    cpu->id_mmfr3 = 0x02102211;
-+    cpu->isar.id_mmfr0 = 0x10201105;
-+    cpu->isar.id_mmfr1 = 0x20000000;
-+    cpu->isar.id_mmfr2 = 0x01240000;
-+    cpu->isar.id_mmfr3 = 0x02102211;
-     cpu->isar.id_isar0 = 0x02101110;
-     cpu->isar.id_isar1 = 0x13112111;
-     cpu->isar.id_isar2 = 0x21232041;
-@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
-             t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
-             cpu->isar.mvfr2 = t;
--            t = cpu->id_mmfr3;
-+            t = cpu->isar.id_mmfr3;
-             t = FIELD_DP32(t, ID_MMFR3, PAN, 2); /* ATS1E1 */
--            cpu->id_mmfr3 = t;
-+            cpu->isar.id_mmfr3 = t;
--            t = cpu->id_mmfr4;
-+            t = cpu->isar.id_mmfr4;
-             t = FIELD_DP32(t, ID_MMFR4, HPDS, 1); /* AA32HPD */
--            cpu->id_mmfr4 = t;
-+            cpu->isar.id_mmfr4 = t;
-         }
- #endif
-     }
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu64.c
-+++ b/target/arm/cpu64.c
-@@ -XXX,XX +XXX,XX @@ static void aarch64_a57_initfn(Object *obj)
-     cpu->id_pfr1 = 0x00011011;
-     cpu->isar.id_dfr0 = 0x03010066;
-     cpu->id_afr0 = 0x00000000;
--    cpu->id_mmfr0 = 0x10101105;
--    cpu->id_mmfr1 = 0x40000000;
--    cpu->id_mmfr2 = 0x01260000;
--    cpu->id_mmfr3 = 0x02102211;
-+    cpu->isar.id_mmfr0 = 0x10101105;
-+    cpu->isar.id_mmfr1 = 0x40000000;
-+    cpu->isar.id_mmfr2 = 0x01260000;
-+    cpu->isar.id_mmfr3 = 0x02102211;
-     cpu->isar.id_isar0 = 0x02101110;
-     cpu->isar.id_isar1 = 0x13112111;
-     cpu->isar.id_isar2 = 0x21232042;
-@@ -XXX,XX +XXX,XX @@ static void aarch64_a53_initfn(Object *obj)
-     cpu->id_pfr1 = 0x00011011;
-     cpu->isar.id_dfr0 = 0x03010066;
-     cpu->id_afr0 = 0x00000000;
--    cpu->id_mmfr0 = 0x10101105;
--    cpu->id_mmfr1 = 0x40000000;
--    cpu->id_mmfr2 = 0x01260000;
--    cpu->id_mmfr3 = 0x02102211;
-+    cpu->isar.id_mmfr0 = 0x10101105;
-+    cpu->isar.id_mmfr1 = 0x40000000;
-+    cpu->isar.id_mmfr2 = 0x01260000;
-+    cpu->isar.id_mmfr3 = 0x02102211;
-     cpu->isar.id_isar0 = 0x02101110;
-     cpu->isar.id_isar1 = 0x13112111;
-     cpu->isar.id_isar2 = 0x21232042;
-@@ -XXX,XX +XXX,XX @@ static void aarch64_a72_initfn(Object *obj)
-     cpu->id_pfr1 = 0x00011011;
-     cpu->isar.id_dfr0 = 0x03010066;
-     cpu->id_afr0 = 0x00000000;
--    cpu->id_mmfr0 = 0x10201105;
--    cpu->id_mmfr1 = 0x40000000;
--    cpu->id_mmfr2 = 0x01260000;
--    cpu->id_mmfr3 = 0x02102211;
-+    cpu->isar.id_mmfr0 = 0x10201105;
-+    cpu->isar.id_mmfr1 = 0x40000000;
-+    cpu->isar.id_mmfr2 = 0x01260000;
-+    cpu->isar.id_mmfr3 = 0x02102211;
-     cpu->isar.id_isar0 = 0x02101110;
-     cpu->isar.id_isar1 = 0x13112111;
-     cpu->isar.id_isar2 = 0x21232042;
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
-         u = FIELD_DP32(u, ID_ISAR6, SPECRES, 1);
-         cpu->isar.id_isar6 = u;
--        u = cpu->id_mmfr3;
-+        u = cpu->isar.id_mmfr3;
-         u = FIELD_DP32(u, ID_MMFR3, PAN, 2); /* ATS1E1 */
--        cpu->id_mmfr3 = u;
-+        cpu->isar.id_mmfr3 = u;
-         u = cpu->isar.id_aa64dfr0;
-         u = FIELD_DP64(u, ID_AA64DFR0, PMUVER, 5); /* v8.4-PMU */
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 4,
-               .access = PL1_R, .type = ARM_CP_CONST,
-               .accessfn = access_aa32_tid3,
--              .resetvalue = cpu->id_mmfr0 },
-+              .resetvalue = cpu->isar.id_mmfr0 },
-             { .name = "ID_MMFR1", .state = ARM_CP_STATE_BOTH,
-               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 5,
-               .access = PL1_R, .type = ARM_CP_CONST,
-               .accessfn = access_aa32_tid3,
--              .resetvalue = cpu->id_mmfr1 },
-+              .resetvalue = cpu->isar.id_mmfr1 },
-             { .name = "ID_MMFR2", .state = ARM_CP_STATE_BOTH,
-               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 6,
-               .access = PL1_R, .type = ARM_CP_CONST,
-               .accessfn = access_aa32_tid3,
--              .resetvalue = cpu->id_mmfr2 },
-+              .resetvalue = cpu->isar.id_mmfr2 },
-             { .name = "ID_MMFR3", .state = ARM_CP_STATE_BOTH,
-               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 7,
-               .access = PL1_R, .type = ARM_CP_CONST,
-               .accessfn = access_aa32_tid3,
--              .resetvalue = cpu->id_mmfr3 },
-+              .resetvalue = cpu->isar.id_mmfr3 },
-             { .name = "ID_ISAR0", .state = ARM_CP_STATE_BOTH,
-               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 0,
-               .access = PL1_R, .type = ARM_CP_CONST,
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 6,
-               .access = PL1_R, .type = ARM_CP_CONST,
-               .accessfn = access_aa32_tid3,
--              .resetvalue = cpu->id_mmfr4 },
-+              .resetvalue = cpu->isar.id_mmfr4 },
-             { .name = "ID_ISAR6", .state = ARM_CP_STATE_BOTH,
-               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 7,
-               .access = PL1_R, .type = ARM_CP_CONST,
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-         define_arm_cp_regs(cpu, vmsa_pmsa_cp_reginfo);
-         define_arm_cp_regs(cpu, vmsa_cp_reginfo);
-         /* TTCBR2 is introduced with ARMv8.2-A32HPD.  */
--        if (FIELD_EX32(cpu->id_mmfr4, ID_MMFR4, HPDS) != 0) {
-+        if (FIELD_EX32(cpu->isar.id_mmfr4, ID_MMFR4, HPDS) != 0) {
-             define_one_arm_cp_reg(cpu, &ttbcr2_reginfo);
-         }
-     }
-diff --git a/target/arm/kvm32.c b/target/arm/kvm32.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm32.c
-+++ b/target/arm/kvm32.c
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
-      * Fortunately there is not yet anything in there that affects migration.
-      */
-+    err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr0,
-+                          ARM_CP15_REG32(0, 0, 1, 4));
-+    err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr1,
-+                          ARM_CP15_REG32(0, 0, 1, 5));
-+    err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr2,
-+                          ARM_CP15_REG32(0, 0, 1, 6));
-+    err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr3,
-+                          ARM_CP15_REG32(0, 0, 1, 7));
-+    if (read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr4,
-+                       ARM_CP15_REG32(0, 0, 2, 6))) {
-+        /*
-+         * Older kernels don't support reading ID_MMFR4 (a new in v8
-+         * register); assume it's zero.
-+         */
-+        ahcf->isar.id_mmfr4 = 0;
-+    }
-+
-     /*
-      * There is no way to read DBGDIDR, because currently 32-bit KVM
-      * doesn't implement debug at all. Leave it at zero.
-diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm64.c
-+++ b/target/arm/kvm64.c
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
-          */
-         err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_dfr0,
-                               ARM64_SYS_REG(3, 0, 0, 1, 2));
-+        err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr0,
-+                              ARM64_SYS_REG(3, 0, 0, 1, 4));
-+        err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr1,
-+                              ARM64_SYS_REG(3, 0, 0, 1, 5));
-+        err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr2,
-+                              ARM64_SYS_REG(3, 0, 0, 1, 6));
-+        err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr3,
-+                              ARM64_SYS_REG(3, 0, 0, 1, 7));
-         err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_isar0,
-                               ARM64_SYS_REG(3, 0, 0, 2, 0));
-         err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_isar1,
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
-                               ARM64_SYS_REG(3, 0, 0, 2, 4));
-         err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_isar5,
-                               ARM64_SYS_REG(3, 0, 0, 2, 5));
-+        err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr4,
-+                              ARM64_SYS_REG(3, 0, 0, 2, 6));
-         err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_isar6,
-                               ARM64_SYS_REG(3, 0, 0, 2, 7));
---
-.20.1

-[PULL 32/52] target/arm: Use isar_feature function for testing AA32HPD feature
+Deleted patch
-Now we have moved ID_MMFR4 into the ARMISARegisters struct, we
-can define and use an isar_feature for the presence of the
-ARMv8.2-AA32HPD feature, rather than open-coding the test.
-While we're here, correct a comment typo which missed an 'A'
-from the feature name.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200214175116.9164-20-peter.maydell@linaro.org
----
- target/arm/cpu.h    | 5 +++++
- target/arm/helper.c | 4 ++--
-files changed, 7 insertions(+), 2 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_pmu_8_4(const ARMISARegisters *id)
-         FIELD_EX32(id->id_dfr0, ID_DFR0, PERFMON) != 0xf;
- }
-+static inline bool isar_feature_aa32_hpd(const ARMISARegisters *id)
-+{
-+    return FIELD_EX32(id->id_mmfr4, ID_MMFR4, HPDS) != 0;
-+}
-+
- /*
-  * 64-bit feature tests via id registers.
-  */
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-     } else {
-         define_arm_cp_regs(cpu, vmsa_pmsa_cp_reginfo);
-         define_arm_cp_regs(cpu, vmsa_cp_reginfo);
--        /* TTCBR2 is introduced with ARMv8.2-A32HPD.  */
--        if (FIELD_EX32(cpu->isar.id_mmfr4, ID_MMFR4, HPDS) != 0) {
-+        /* TTCBR2 is introduced with ARMv8.2-AA32HPD.  */
-+        if (cpu_isar_feature(aa32_hpd, cpu)) {
-             define_one_arm_cp_reg(cpu, &ttbcr2_reginfo);
-         }
-     }
---
-.20.1

-[PULL 35/52] hw: usb: hcd-ohci: Move OHCISysBusState and TYPE_SYSBUS_OHCI to include file
+Deleted patch
-From: Guenter Roeck <linux@roeck-us.net>
-We need to be able to use OHCISysBusState outside hcd-ohci.c, so move it
-to its include file.
-Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Guenter Roeck <linux@roeck-us.net>
-Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
-Message-id: 20200217204812.9857-2-linux@roeck-us.net
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/usb/hcd-ohci.h | 16 ++++++++++++++++
- hw/usb/hcd-ohci.c | 15 ---------------
-files changed, 16 insertions(+), 15 deletions(-)
-diff --git a/hw/usb/hcd-ohci.h b/hw/usb/hcd-ohci.h
-index XXXXXXX..XXXXXXX 100644
---- a/hw/usb/hcd-ohci.h
-+++ b/hw/usb/hcd-ohci.h
-@@ -XXX,XX +XXX,XX @@
- #define HCD_OHCI_H
- #include "sysemu/dma.h"
-+#include "hw/usb.h"
- /* Number of Downstream Ports on the root hub: */
- #define OHCI_MAX_PORTS 15
-@@ -XXX,XX +XXX,XX @@ typedef struct OHCIState {
-     void (*ohci_die)(struct OHCIState *ohci);
- } OHCIState;
-+#define TYPE_SYSBUS_OHCI "sysbus-ohci"
-+#define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
-+
-+typedef struct {
-+    /*< private >*/
-+    SysBusDevice parent_obj;
-+    /*< public >*/
-+
-+    OHCIState ohci;
-+    char *masterbus;
-+    uint32_t num_ports;
-+    uint32_t firstport;
-+    dma_addr_t dma_offset;
-+} OHCISysBusState;
-+
- extern const VMStateDescription vmstate_ohci_state;
- void usb_ohci_init(OHCIState *ohci, DeviceState *dev, uint32_t num_ports,
-diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/usb/hcd-ohci.c
-+++ b/hw/usb/hcd-ohci.c
-@@ -XXX,XX +XXX,XX @@ void ohci_sysbus_die(struct OHCIState *ohci)
-     ohci_bus_stop(ohci);
- }
--#define TYPE_SYSBUS_OHCI "sysbus-ohci"
--#define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
--
--typedef struct {
--    /*< private >*/
--    SysBusDevice parent_obj;
--    /*< public >*/
--
--    OHCIState ohci;
--    char *masterbus;
--    uint32_t num_ports;
--    uint32_t firstport;
--    dma_addr_t dma_offset;
--} OHCISysBusState;
--
- static void ohci_realize_pxa(DeviceState *dev, Error **errp)
- {
-     OHCISysBusState *s = SYSBUS_OHCI(dev);
---
-.20.1

-[PULL 36/52] hcd-ehci: Introduce "companion-enable" sysbus property
+Deleted patch
-From: Guenter Roeck <linux@roeck-us.net>
-We'll use this property in a follow-up patch to insantiate an EHCI
-bus with companion support.
-Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Guenter Roeck <linux@roeck-us.net>
-Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
-Message-id: 20200217204812.9857-3-linux@roeck-us.net
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/usb/hcd-ehci-sysbus.c | 2 ++
-file changed, 2 insertions(+)
-diff --git a/hw/usb/hcd-ehci-sysbus.c b/hw/usb/hcd-ehci-sysbus.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/usb/hcd-ehci-sysbus.c
-+++ b/hw/usb/hcd-ehci-sysbus.c
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_ehci_sysbus = {
- static Property ehci_sysbus_properties[] = {
-     DEFINE_PROP_UINT32("maxframes", EHCISysBusState, ehci.maxframes, 128),
-+    DEFINE_PROP_BOOL("companion-enable", EHCISysBusState, ehci.companion_enable,
-+                     false),
-     DEFINE_PROP_END_OF_LIST(),
- };
---
-.20.1

-[PULL 42/52] xilinx_spips: Correct the number of dummy cycles for the FAST_READ_4 cmd
+Deleted patch
-From: Francisco Iglesias <francisco.iglesias@xilinx.com>
-Correct the number of dummy cycles required by the FAST_READ_4 command (to
-be eight, one dummy byte).
-Fixes: ef06ca3946 ("xilinx_spips: Add support for RX discard and RX drain")
-Suggested-by: Cédric Le Goater <clg@kaod.org>
-Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com>
-Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
-Message-id: 20200218113350.6090-1-frasse.iglesias@gmail.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/ssi/xilinx_spips.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/ssi/xilinx_spips.c
-+++ b/hw/ssi/xilinx_spips.c
-@@ -XXX,XX +XXX,XX @@ static int xilinx_spips_num_dummies(XilinxQSPIPS *qs, uint8_t command)
-     case FAST_READ:
-     case DOR:
-     case QOR:
-+    case FAST_READ_4:
-     case DOR_4:
-     case QOR_4:
-         return 1;
-     case DIOR:
--    case FAST_READ_4:
-     case DIOR_4:
-         return 2;
-     case QIOR:
---
-.20.1

-[PULL 43/52] sh4: Fix PCI ISA IO memory subregion
+Deleted patch
-From: Guenter Roeck <linux@roeck-us.net>
-Booting the r2d machine from flash fails because flash is not discovered.
-Looking at the flattened memory tree, we see the following.
-FlatView #1
- AS "memory", root: system
- AS "cpu-memory-0", root: system
- AS "sh_pci_host", root: bus master container
- Root memory region: system
-  0000000000000000-000000000000ffff (prio 0, i/o): io
-  0000000000010000-0000000000ffffff (prio 0, i/o): r2d.flash @0000000000010000
-The overlapping memory region is sh_pci.isa, ie the ISA I/O region bridge.
-This region is initially assigned to address 0xfe240000, but overwritten
-with a write into the PCIIOBR register. This write is expected to adjust
-the PCI memory window, but not to change the region's base adddress.
-Peter Maydell provided the following detailed explanation.
-"Section 22.3.7 and in particular figure 22.3 (of "SSH7751R user's manual:
-hardware") are clear about how this is supposed to work: there is a window
-at 0xfe240000 in the system register space for PCI I/O space. When the CPU
-makes an access into that area, the PCI controller calculates the PCI
-address to use by combining bits 0..17 of the system address with the
-bits 31..18 value that the guest has put into the PCIIOBR. That is, writing
-to the PCIIOBR changes which section of the IO address space is visible in
-the 0xfe240000 window. Instead what QEMU's implementation does is move the
-window to whatever value the guest writes to the PCIIOBR register -- so if
-the guest writes 0 we put the window at 0 in system address space."
-Fix the problem by calling memory_region_set_alias_offset() instead of
-removing and re-adding the PCI ISA subregion on writes into PCIIOBR.
-At the same time, in sh_pci_device_realize(), don't set iobr since
-it is overwritten later anyway. Instead, pass the base address to
-memory_region_add_subregion() directly.
-Many thanks to Peter Maydell for the detailed problem analysis, and for
-providing suggestions on how to fix the problem.
-Signed-off-by: Guenter Roeck <linux@roeck-us.net>
-Message-id: 20200218201050.15273-1-linux@roeck-us.net
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/sh4/sh_pci.c | 11 +++--------
-file changed, 3 insertions(+), 8 deletions(-)
-diff --git a/hw/sh4/sh_pci.c b/hw/sh4/sh_pci.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/sh4/sh_pci.c
-+++ b/hw/sh4/sh_pci.c
-@@ -XXX,XX +XXX,XX @@ static void sh_pci_reg_write (void *p, hwaddr addr, uint64_t val,
-         pcic->mbr = val & 0xff000001;
-         break;
-     case 0x1c8:
--        if ((val & 0xfffc0000) != (pcic->iobr & 0xfffc0000)) {
--            memory_region_del_subregion(get_system_memory(), &pcic->isa);
--            pcic->iobr = val & 0xfffc0001;
--            memory_region_add_subregion(get_system_memory(),
--                                        pcic->iobr & 0xfffc0000, &pcic->isa);
--        }
-+        pcic->iobr = val & 0xfffc0001;
-+        memory_region_set_alias_offset(&pcic->isa, val & 0xfffc0000);
-         break;
-     case 0x220:
-         pci_data_write(phb->bus, pcic->par, val, 4);
-@@ -XXX,XX +XXX,XX @@ static void sh_pci_device_realize(DeviceState *dev, Error **errp)
-                              get_system_io(), 0, 0x40000);
-     sysbus_init_mmio(sbd, &s->memconfig_p4);
-     sysbus_init_mmio(sbd, &s->memconfig_a7);
--    s->iobr = 0xfe240000;
--    memory_region_add_subregion(get_system_memory(), s->iobr, &s->isa);
-+    memory_region_add_subregion(get_system_memory(), 0xfe240000, &s->isa);
-     s->dev = pci_create_simple(phb->bus, PCI_DEVFN(0, 0), "sh_pci_host");
- }
---
-.20.1

Big pullreq this week, though none of the new features are
particularly earthshaking. Most of the bulk is from code cleanup
patches from me or rth.

thanks
-- PMM

The following changes since commit b651b80822fa8cb66ca30087ac7fbc75507ae5d2:

Merge remote-tracking branch 'remotes/vivier2/tags/linux-user-for-5.0-pull-request' into staging (2020-02-20 17:35:42 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200221

for you to fetch changes up to 270a679b3f950d7c4c600f324aab8bff292d0971:

target/arm: Add missing checks for fpsp_v2 (2020-02-21 12:54:25 +0000)

----------------------------------------------------------------
target-arm queue:
 * aspeed/scu: Implement chip ID register
 * hw/misc/iotkit-secctl: Fix writing to 'PPC Interrupt Clear' register
 * mainstone: Make providing flash images non-mandatory
 * z2: Make providing flash images non-mandatory
 * Fix failures to flush SVE high bits after AdvSIMD INS/ZIP/UZP/TRN/TBL/TBX/EXT
 * Minor performance improvement: spend less time recalculating hflags values
 * Code cleanup to isar_feature function tests
 * Implement ARMv8.1-PMU and ARMv8.4-PMU extensions
 * Bugfix: correct handling of PMCR_EL0.LC bit
 * Bugfix: correct definition of PMCRDP
 * Correctly implement ACTLR2, HACTLR2
 * allwinner: Wire up USB ports
 * Vectorize emulation of USHL, SSHL, PMUL*
 * xilinx_spips: Correct the number of dummy cycles for the FAST_READ_4 cmd
 * sh4: Fix PCI ISA IO memory subregion
 * Code cleanup to use more isar_feature tests and fewer ARM_FEATURE_* tests

----------------------------------------------------------------
Francisco Iglesias (1):
      xilinx_spips: Correct the number of dummy cycles for the FAST_READ_4 cmd

Guenter Roeck (6):
      mainstone: Make providing flash images non-mandatory
      z2: Make providing flash images non-mandatory
      hw: usb: hcd-ohci: Move OHCISysBusState and TYPE_SYSBUS_OHCI to include file
      hcd-ehci: Introduce "companion-enable" sysbus property
      arm: allwinner: Wire up USB ports
      sh4: Fix PCI ISA IO memory subregion

Joel Stanley (2):
      aspeed/scu: Create separate write callbacks
      aspeed/scu: Implement chip ID register

Peter Maydell (21):
      target/arm: Add _aa32_ to isar_feature functions testing 32-bit ID registers
      target/arm: Check aa32_pan in take_aarch32_exception(), not aa64_pan
      target/arm: Add isar_feature_any_fp16 and document naming/usage conventions
      target/arm: Define and use any_predinv isar_feature test
      target/arm: Factor out PMU register definitions
      target/arm: Add and use FIELD definitions for ID_AA64DFR0_EL1
      target/arm: Use FIELD macros for clearing ID_DFR0 PERFMON field
      target/arm: Define an aa32_pmu_8_1 isar feature test function
      target/arm: Add _aa64_ and _any_ versions of pmu_8_1 isar checks
      target/arm: Stop assuming DBGDIDR always exists
      target/arm: Move DBGDIDR into ARMISARegisters
      target/arm: Read debug-related ID registers from KVM
      target/arm: Implement ARMv8.1-PMU extension
      target/arm: Implement ARMv8.4-PMU extension
      target/arm: Provide ARMv8.4-PMU in '-cpu max'
      target/arm: Correct definition of PMCRDP
      target/arm: Correct handling of PMCR_EL0.LC bit
      target/arm: Test correct register in aa32_pan and aa32_ats1e1 checks
      target/arm: Use isar_feature function for testing AA32HPD feature
      target/arm: Use FIELD_EX32 for testing 32-bit fields
      target/arm: Correctly implement ACTLR2, HACTLR2

Philippe Mathieu-Daudé (1):
      hw/misc/iotkit-secctl: Fix writing to 'PPC Interrupt Clear' register

Richard Henderson (21):
      target/arm: Flush high bits of sve register after AdvSIMD EXT
      target/arm: Flush high bits of sve register after AdvSIMD TBL/TBX
      target/arm: Flush high bits of sve register after AdvSIMD ZIP/UZP/TRN
      target/arm: Flush high bits of sve register after AdvSIMD INS
      target/arm: Use bit 55 explicitly for pauth
      target/arm: Fix select for aa64_va_parameters_both
      target/arm: Remove ttbr1_valid check from get_phys_addr_lpae
      target/arm: Split out aa64_va_parameter_tbi, aa64_va_parameter_tbid
      target/arm: Vectorize USHL and SSHL
      target/arm: Convert PMUL.8 to gvec
      target/arm: Convert PMULL.64 to gvec
      target/arm: Convert PMULL.8 to gvec
      target/arm: Rename isar_feature_aa32_simd_r32
      target/arm: Use isar_feature_aa32_simd_r32 more places
      target/arm: Set MVFR0.FPSP for ARMv5 cpus
      target/arm: Add isar_feature_aa32_simd_r16
      target/arm: Rename isar_feature_aa32_fpdp_v2
      target/arm: Add isar_feature_aa32_{fpsp_v2, fpsp_v3, fpdp_v3}
      target/arm: Perform fpdp_v2 check first
      target/arm: Replace ARM_FEATURE_VFP3 checks with fp{sp, dp}_v3
      target/arm: Add missing checks for fpsp_v2

From: Joel Stanley <joel@jms.id.au>

This splits the common write callback into separate ast2400 and ast2500
implementations. This makes it clearer when implementing differing
behaviour.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200121013302.43839-2-joel@jms.id.au
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/aspeed_scu.c | 80 +++++++++++++++++++++++++++++++-------------
 1 file changed, 57 insertions(+), 23 deletions(-)

diff --git a/hw/misc/aspeed_scu.c b/hw/misc/aspeed_scu.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/aspeed_scu.c
+++ b/hw/misc/aspeed_scu.c
@@ -XXX,XX +XXX,XX @@ static uint64_t aspeed_scu_read(void *opaque, hwaddr offset, unsigned size)
     return s->regs[reg];
 }
 
-static void aspeed_scu_write(void *opaque, hwaddr offset, uint64_t data,
-                             unsigned size)
+static void aspeed_ast2400_scu_write(void *opaque, hwaddr offset,
+                                     uint64_t data, unsigned size)
+{
+    AspeedSCUState *s = ASPEED_SCU(opaque);
+    int reg = TO_REG(offset);
+
+    if (reg >= ASPEED_SCU_NR_REGS) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: Out-of-bounds write at offset 0x%" HWADDR_PRIx "\n",
+                      __func__, offset);
+        return;
+    }
+
+    if (reg > PROT_KEY && reg < CPU2_BASE_SEG1 &&
+            !s->regs[PROT_KEY]) {
+        qemu_log_mask(LOG_GUEST_ERROR, "%s: SCU is locked!\n", __func__);
+    }
+
+    trace_aspeed_scu_write(offset, size, data);
+
+    switch (reg) {
+    case PROT_KEY:
+        s->regs[reg] = (data == ASPEED_SCU_PROT_KEY) ? 1 : 0;
+        return;
+    case SILICON_REV:
+    case FREQ_CNTR_EVAL:
+    case VGA_SCRATCH1 ... VGA_SCRATCH8:
+    case RNG_DATA:
+    case FREE_CNTR4:
+    case FREE_CNTR4_EXT:
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: Write to read-only offset 0x%" HWADDR_PRIx "\n",
+                      __func__, offset);
+        return;
+    }
+
+    s->regs[reg] = data;
+}
+
+static void aspeed_ast2500_scu_write(void *opaque, hwaddr offset,
+                                     uint64_t data, unsigned size)
 {
     AspeedSCUState *s = ASPEED_SCU(opaque);
     int reg = TO_REG(offset);
@@ -XXX,XX +XXX,XX @@ static void aspeed_scu_write(void *opaque, hwaddr offset, uint64_t data,
     case PROT_KEY:
         s->regs[reg] = (data == ASPEED_SCU_PROT_KEY) ? 1 : 0;
         return;
-    case CLK_SEL:
-        s->regs[reg] = data;
-        break;
     case HW_STRAP1:
-        if (ASPEED_IS_AST2500(s->regs[SILICON_REV])) {
-            s->regs[HW_STRAP1] |= data;
-            return;
-        }
-        /* Jump to assignment below */
-        break;
+        s->regs[HW_STRAP1] |= data;
+        return;
     case SILICON_REV:
-        if (ASPEED_IS_AST2500(s->regs[SILICON_REV])) {
-            s->regs[HW_STRAP1] &= ~data;
-        } else {
-            qemu_log_mask(LOG_GUEST_ERROR,
-                          "%s: Write to read-only offset 0x%" HWADDR_PRIx "\n",
-                          __func__, offset);
-        }
-        /* Avoid assignment below, we've handled everything */
+        s->regs[HW_STRAP1] &= ~data;
         return;
     case FREQ_CNTR_EVAL:
     case VGA_SCRATCH1 ... VGA_SCRATCH8:
@@ -XXX,XX +XXX,XX @@ static void aspeed_scu_write(void *opaque, hwaddr offset, uint64_t data,
     s->regs[reg] = data;
 }
 
-static const MemoryRegionOps aspeed_scu_ops = {
+static const MemoryRegionOps aspeed_ast2400_scu_ops = {
     .read = aspeed_scu_read,
-    .write = aspeed_scu_write,
+    .write = aspeed_ast2400_scu_write,
+    .endianness = DEVICE_LITTLE_ENDIAN,
+    .valid.min_access_size = 4,
+    .valid.max_access_size = 4,
+    .valid.unaligned = false,
+};
+
+static const MemoryRegionOps aspeed_ast2500_scu_ops = {
+    .read = aspeed_scu_read,
+    .write = aspeed_ast2500_scu_write,
     .endianness = DEVICE_LITTLE_ENDIAN,
     .valid.min_access_size = 4,
     .valid.max_access_size = 4,
@@ -XXX,XX +XXX,XX @@ static void aspeed_2400_scu_class_init(ObjectClass *klass, void *data)
     asc->calc_hpll = aspeed_2400_scu_calc_hpll;
     asc->apb_divider = 2;
     asc->nr_regs = ASPEED_SCU_NR_REGS;
-    asc->ops = &aspeed_scu_ops;
+    asc->ops = &aspeed_ast2400_scu_ops;
 }
 
 static const TypeInfo aspeed_2400_scu_info = {
@@ -XXX,XX +XXX,XX @@ static void aspeed_2500_scu_class_init(ObjectClass *klass, void *data)
     asc->calc_hpll = aspeed_2500_scu_calc_hpll;
     asc->apb_divider = 4;
     asc->nr_regs = ASPEED_SCU_NR_REGS;
-    asc->ops = &aspeed_scu_ops;
+    asc->ops = &aspeed_ast2500_scu_ops;
 }
 
 static const TypeInfo aspeed_2500_scu_info = {
-- 
2.20.1

From: Joel Stanley <joel@jms.id.au>

This returns a fixed but non-zero value for the chip id.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200121013302.43839-3-joel@jms.id.au
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/aspeed_scu.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/hw/misc/aspeed_scu.c b/hw/misc/aspeed_scu.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/aspeed_scu.c
+++ b/hw/misc/aspeed_scu.c
@@ -XXX,XX +XXX,XX @@
 #define CPU2_BASE_SEG4       TO_REG(0x110)
 #define CPU2_BASE_SEG5       TO_REG(0x114)
 #define CPU2_CACHE_CTRL      TO_REG(0x118)
+#define CHIP_ID0             TO_REG(0x150)
+#define CHIP_ID1             TO_REG(0x154)
 #define UART_HPLL_CLK        TO_REG(0x160)
 #define PCIE_CTRL            TO_REG(0x180)
 #define BMC_MMIO_CTRL        TO_REG(0x184)
@@ -XXX,XX +XXX,XX @@
 #define AST2600_HW_STRAP2_PROT    TO_REG(0x518)
 #define AST2600_RNG_CTRL          TO_REG(0x524)
 #define AST2600_RNG_DATA          TO_REG(0x540)
+#define AST2600_CHIP_ID0          TO_REG(0x5B0)
+#define AST2600_CHIP_ID1          TO_REG(0x5B4)
 
 #define AST2600_CLK TO_REG(0x40)
 
@@ -XXX,XX +XXX,XX @@ static const uint32_t ast2500_a1_resets[ASPEED_SCU_NR_REGS] = {
      [CPU2_BASE_SEG1]  = 0x80000000U,
      [CPU2_BASE_SEG4]  = 0x1E600000U,
      [CPU2_BASE_SEG5]  = 0xC0000000U,
+     [CHIP_ID0]        = 0x1234ABCDU,
+     [CHIP_ID1]        = 0x88884444U,
      [UART_HPLL_CLK]   = 0x00001903U,
      [PCIE_CTRL]       = 0x0000007BU,
      [BMC_DEV_ID]      = 0x00002402U
@@ -XXX,XX +XXX,XX @@ static void aspeed_ast2500_scu_write(void *opaque, hwaddr offset,
     case RNG_DATA:
     case FREE_CNTR4:
     case FREE_CNTR4_EXT:
+    case CHIP_ID0:
+    case CHIP_ID1:
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: Write to read-only offset 0x%" HWADDR_PRIx "\n",
                       __func__, offset);
@@ -XXX,XX +XXX,XX @@ static void aspeed_ast2600_scu_write(void *opaque, hwaddr offset,
     case AST2600_RNG_DATA:
     case AST2600_SILICON_REV:
     case AST2600_SILICON_REV2:
+    case AST2600_CHIP_ID0:
+    case AST2600_CHIP_ID1:
         /* Add read only registers here */
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: Write to read-only offset 0x%" HWADDR_PRIx "\n",
@@ -XXX,XX +XXX,XX @@ static const uint32_t ast2600_a0_resets[ASPEED_AST2600_SCU_NR_REGS] = {
     [AST2600_CLK_STOP_CTRL2]    = 0xFFF0FFF0,
     [AST2600_SDRAM_HANDSHAKE]   = 0x00000040,  /* SoC completed DRAM init */
     [AST2600_HPLL_PARAM]        = 0x1000405F,
+    [AST2600_CHIP_ID0]          = 0x1234ABCD,
+    [AST2600_CHIP_ID1]          = 0x88884444,
+
 };
 
 static void aspeed_ast2600_scu_reset(DeviceState *dev)
-- 
2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Fix warning reported by Clang static code analyzer:

CC      hw/misc/iotkit-secctl.o
  hw/misc/iotkit-secctl.c:343:9: warning: Value stored to 'value' is never read
          value &= 0x00f000f3;
          ^        ~~~~~~~~~~

Fixes: b3717c23e1c
Reported-by: Clang Static Analyzer
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20200217132922.24607-1-f4bug@amsat.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/iotkit-secctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/misc/iotkit-secctl.c b/hw/misc/iotkit-secctl.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/iotkit-secctl.c
+++ b/hw/misc/iotkit-secctl.c
@@ -XXX,XX +XXX,XX @@ static MemTxResult iotkit_secctl_s_write(void *opaque, hwaddr addr,
         qemu_set_irq(s->sec_resp_cfg, s->secrespcfg);
         break;
     case A_SECPPCINTCLR:
-        value &= 0x00f000f3;
+        s->secppcintstat &= ~(value & 0x00f000f3);
         foreach_ppc(s, iotkit_secctl_ppc_update_irq_clear);
         break;
     case A_SECPPCINTEN:
-- 
2.20.1

From: Guenter Roeck <linux@roeck-us.net>

Up to now, the mainstone machine only boots if two flash images are
provided. This is not really necessary; the machine can boot from initrd
or from SD without it. At the same time, having to provide dummy flash
images is a nuisance and does not add any real value. Make it optional.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200217210824.18513-1-linux@roeck-us.net
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/mainstone.c | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/hw/arm/mainstone.c b/hw/arm/mainstone.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/mainstone.c
+++ b/hw/arm/mainstone.c
@@ -XXX,XX +XXX,XX @@ static void mainstone_common_init(MemoryRegion *address_space_mem,
     /* There are two 32MiB flash devices on the board */
     for (i = 0; i < 2; i ++) {
         dinfo = drive_get(IF_PFLASH, 0, i);
-        if (!dinfo) {
-            if (qtest_enabled()) {
-                break;
-            }
-            error_report("Two flash images must be given with the "
-                         "'pflash' parameter");
-            exit(1);
-        }
-
         if (!pflash_cfi01_register(mainstone_flash_base[i],
                                    i ? "mainstone.flash1" : "mainstone.flash0",
                                    MAINSTONE_FLASH,
-                                   blk_by_legacy_dinfo(dinfo),
+                                   dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
                                    sector_len, 4, 0, 0, 0, 0, be)) {
             error_report("Error registering flash memory");
             exit(1);
-- 
2.20.1

From: Guenter Roeck <linux@roeck-us.net>

Up to now, the z2 machine only boots if a flash image is provided.
This is not really necessary; the machine can boot from initrd or from
SD without it. At the same time, having to provide dummy flash images
is a nuisance and does not add any real value. Make it optional.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200217210903.18602-1-linux@roeck-us.net
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/z2.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/hw/arm/z2.c b/hw/arm/z2.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/z2.c
+++ b/hw/arm/z2.c
@@ -XXX,XX +XXX,XX @@ static void z2_init(MachineState *machine)
     be = 0;
 #endif
     dinfo = drive_get(IF_PFLASH, 0, 0);
-    if (!dinfo && !qtest_enabled()) {
-        error_report("Flash image must be given with the "
-                     "'pflash' parameter");
-        exit(1);
-    }
-
     if (!pflash_cfi01_register(Z2_FLASH_BASE, "z2.flash0", Z2_FLASH_SIZE,
                                dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
                                sector_len, 4, 0, 0, 0, 0, be)) {
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Writes to AdvSIMD registers flush the bits above 128.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200214194643.23317-5-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_simd_inse(DisasContext *s, int rd, int rn,
     write_vec_element(s, tmp, rd, dst_index, size);
 
     tcg_temp_free_i64(tmp);
+
+    /* INS is considered a 128-bit write for SVE. */
+    clear_vec_high(s, true, rd);
 }
 
 
@@ -XXX,XX +XXX,XX @@ static void handle_simd_insg(DisasContext *s, int rd, int rn, int imm5)
 
     idx = extract32(imm5, 1 + size, 4 - size);
     write_vec_element(s, cpu_reg(s, rn), rd, idx, size);
+
+    /* INS is considered a 128-bit write for SVE. */
+    clear_vec_high(s, true, rd);
 }
 
 /*
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The psuedocode in aarch64/functions/pac/auth/Auth and
aarch64/functions/pac/strip/Strip always uses bit 55 for
extfield and do not consider if the current regime has 2 ranges.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20200216194343.21331-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/pauth_helper.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/pauth_helper.c
+++ b/target/arm/pauth_helper.c
@@ -XXX,XX +XXX,XX @@ static uint64_t pauth_addpac(CPUARMState *env, uint64_t ptr, uint64_t modifier,
 
 static uint64_t pauth_original_ptr(uint64_t ptr, ARMVAParameters param)
 {
-    uint64_t extfield = -param.select;
+    /* Note that bit 55 is used whether or not the regime has 2 ranges. */
+    uint64_t extfield = sextract64(ptr, 55, 1);
     int bot_pac_bit = 64 - param.tsz;
     int top_pac_bit = 64 - 8 * param.tbi;
 
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Select should always be 0 for a regime with one range.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200216194343.21331-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 46 +++++++++++++++++++++++----------------------
 1 file changed, 24 insertions(+), 22 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters_both(CPUARMState *env, uint64_t va,
     bool tbi, tbid, epd, hpd, using16k, using64k;
     int select, tsz;
 
-    /*
-     * Bit 55 is always between the two regions, and is canonical for
-     * determining if address tagging is enabled.
-     */
-    select = extract64(va, 55, 1);
-
     if (!regime_has_2_ranges(mmu_idx)) {
+        select = 0;
         tsz = extract32(tcr, 0, 6);
         using64k = extract32(tcr, 14, 1);
         using16k = extract32(tcr, 15, 1);
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters_both(CPUARMState *env, uint64_t va,
             tbid = extract32(tcr, 29, 1);
         }
         epd = false;
-    } else if (!select) {
-        tsz = extract32(tcr, 0, 6);
-        epd = extract32(tcr, 7, 1);
-        using64k = extract32(tcr, 14, 1);
-        using16k = extract32(tcr, 15, 1);
-        tbi = extract64(tcr, 37, 1);
-        hpd = extract64(tcr, 41, 1);
-        tbid = extract64(tcr, 51, 1);
     } else {
-        int tg = extract32(tcr, 30, 2);
-        using16k = tg == 1;
-        using64k = tg == 3;
-        tsz = extract32(tcr, 16, 6);
-        epd = extract32(tcr, 23, 1);
-        tbi = extract64(tcr, 38, 1);
-        hpd = extract64(tcr, 42, 1);
-        tbid = extract64(tcr, 52, 1);
+        /*
+         * Bit 55 is always between the two regions, and is canonical for
+         * determining if address tagging is enabled.
+         */
+        select = extract64(va, 55, 1);
+        if (!select) {
+            tsz = extract32(tcr, 0, 6);
+            epd = extract32(tcr, 7, 1);
+            using64k = extract32(tcr, 14, 1);
+            using16k = extract32(tcr, 15, 1);
+            tbi = extract64(tcr, 37, 1);
+            hpd = extract64(tcr, 41, 1);
+            tbid = extract64(tcr, 51, 1);
+        } else {
+            int tg = extract32(tcr, 30, 2);
+            using16k = tg == 1;
+            using64k = tg == 3;
+            tsz = extract32(tcr, 16, 6);
+            epd = extract32(tcr, 23, 1);
+            tbi = extract64(tcr, 38, 1);
+            hpd = extract64(tcr, 42, 1);
+            tbid = extract64(tcr, 52, 1);
+        }
     }
     tsz = MIN(tsz, 39);  /* TODO: ARMv8.4-TTST */
     tsz = MAX(tsz, 16);  /* TODO: ARMv8.2-LVA  */
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Now that aa64_va_parameters_both sets select based on the number
of ranges in the regime, the ttbr1_valid check is redundant.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200216194343.21331-4-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
     TCR *tcr = regime_tcr(env, mmu_idx);
     int ap, ns, xn, pxn;
     uint32_t el = regime_el(env, mmu_idx);
-    bool ttbr1_valid;
     uint64_t descaddrmask;
     bool aarch64 = arm_el_is_aa64(env, el);
     bool guarded = false;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
         param = aa64_va_parameters(env, address, mmu_idx,
                                    access_type != MMU_INST_FETCH);
         level = 0;
-        ttbr1_valid = regime_has_2_ranges(mmu_idx);
         addrsize = 64 - 8 * param.tbi;
         inputsize = 64 - param.tsz;
     } else {
         param = aa32_va_parameters(env, address, mmu_idx);
         level = 1;
-        /* There is no TTBR1 for EL2 */
-        ttbr1_valid = (el != 2);
         addrsize = (mmu_idx == ARMMMUIdx_Stage2 ? 40 : 32);
         inputsize = addrsize - param.tsz;
     }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
     if (inputsize < addrsize) {
         target_ulong top_bits = sextract64(address, inputsize,
                                            addrsize - inputsize);
-        if (-top_bits != param.select || (param.select && !ttbr1_valid)) {
+        if (-top_bits != param.select) {
             /* The gap between the two regions is a Translation fault */
             fault_type = ARMFault_Translation;
             goto do_fault;
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

For the purpose of rebuild_hflags_a64, we do not need to compute
all of the va parameters, only tbi.  Moreover, we can compute them
in a form that is more useful to storing in hflags.

This eliminates the need for aa64_va_parameter_both, so fold that
in to aa64_va_parameter.  The remaining calls to aa64_va_parameter
are in get_phys_addr_lpae and in pauth_helper.c.

This reduces the total cpu consumption of aa64_va_parameter in a
kernel boot plus a kvm guest kernel boot from 3% to 0.5%.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200216194343.21331-5-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h |  3 --
 target/arm/helper.c    | 68 +++++++++++++++++++++++-------------------
 2 files changed, 37 insertions(+), 34 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ typedef struct ARMVAParameters {
     unsigned tsz    : 8;
     unsigned select : 1;
     bool tbi        : 1;
-    bool tbid       : 1;
     bool epd        : 1;
     bool hpd        : 1;
     bool using16k   : 1;
     bool using64k   : 1;
 } ARMVAParameters;
 
-ARMVAParameters aa64_va_parameters_both(CPUARMState *env, uint64_t va,
-                                        ARMMMUIdx mmu_idx);
 ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
                                    ARMMMUIdx mmu_idx, bool data);
 
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint8_t convert_stage2_attrs(CPUARMState *env, uint8_t s2attrs)
 }
 #endif /* !CONFIG_USER_ONLY */
 
-ARMVAParameters aa64_va_parameters_both(CPUARMState *env, uint64_t va,
-                                        ARMMMUIdx mmu_idx)
+static int aa64_va_parameter_tbi(uint64_t tcr, ARMMMUIdx mmu_idx)
+{
+    if (regime_has_2_ranges(mmu_idx)) {
+        return extract64(tcr, 37, 2);
+    } else if (mmu_idx == ARMMMUIdx_Stage2) {
+        return 0; /* VTCR_EL2 */
+    } else {
+        return extract32(tcr, 20, 1);
+    }
+}
+
+static int aa64_va_parameter_tbid(uint64_t tcr, ARMMMUIdx mmu_idx)
+{
+    if (regime_has_2_ranges(mmu_idx)) {
+        return extract64(tcr, 51, 2);
+    } else if (mmu_idx == ARMMMUIdx_Stage2) {
+        return 0; /* VTCR_EL2 */
+    } else {
+        return extract32(tcr, 29, 1);
+    }
+}
+
+ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
+                                   ARMMMUIdx mmu_idx, bool data)
 {
     uint64_t tcr = regime_tcr(env, mmu_idx)->raw_tcr;
-    bool tbi, tbid, epd, hpd, using16k, using64k;
-    int select, tsz;
+    bool epd, hpd, using16k, using64k;
+    int select, tsz, tbi;
 
     if (!regime_has_2_ranges(mmu_idx)) {
         select = 0;
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters_both(CPUARMState *env, uint64_t va,
         using16k = extract32(tcr, 15, 1);
         if (mmu_idx == ARMMMUIdx_Stage2) {
             /* VTCR_EL2 */
-            tbi = tbid = hpd = false;
+            hpd = false;
         } else {
-            tbi = extract32(tcr, 20, 1);
             hpd = extract32(tcr, 24, 1);
-            tbid = extract32(tcr, 29, 1);
         }
         epd = false;
     } else {
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters_both(CPUARMState *env, uint64_t va,
             epd = extract32(tcr, 7, 1);
             using64k = extract32(tcr, 14, 1);
             using16k = extract32(tcr, 15, 1);
-            tbi = extract64(tcr, 37, 1);
             hpd = extract64(tcr, 41, 1);
-            tbid = extract64(tcr, 51, 1);
         } else {
             int tg = extract32(tcr, 30, 2);
             using16k = tg == 1;
             using64k = tg == 3;
             tsz = extract32(tcr, 16, 6);
             epd = extract32(tcr, 23, 1);
-            tbi = extract64(tcr, 38, 1);
             hpd = extract64(tcr, 42, 1);
-            tbid = extract64(tcr, 52, 1);
         }
     }
     tsz = MIN(tsz, 39);  /* TODO: ARMv8.4-TTST */
     tsz = MAX(tsz, 16);  /* TODO: ARMv8.2-LVA  */
 
+    /* Present TBI as a composite with TBID.  */
+    tbi = aa64_va_parameter_tbi(tcr, mmu_idx);
+    if (!data) {
+        tbi &= ~aa64_va_parameter_tbid(tcr, mmu_idx);
+    }
+    tbi = (tbi >> select) & 1;
+
     return (ARMVAParameters) {
         .tsz = tsz,
         .select = select,
         .tbi = tbi,
-        .tbid = tbid,
         .epd = epd,
         .hpd = hpd,
         .using16k = using16k,
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters_both(CPUARMState *env, uint64_t va,
     };
 }
 
-ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
-                                   ARMMMUIdx mmu_idx, bool data)
-{
-    ARMVAParameters ret = aa64_va_parameters_both(env, va, mmu_idx);
-
-    /* Present TBI as a composite with TBID.  */
-    ret.tbi &= (data || !ret.tbid);
-    return ret;
-}
-
 #ifndef CONFIG_USER_ONLY
 static ARMVAParameters aa32_va_parameters(CPUARMState *env, uint32_t va,
                                           ARMMMUIdx mmu_idx)
@@ -XXX,XX +XXX,XX @@ static uint32_t rebuild_hflags_a64(CPUARMState *env, int el, int fp_el,
 {
     uint32_t flags = rebuild_hflags_aprofile(env);
     ARMMMUIdx stage1 = stage_1_mmu_idx(mmu_idx);
-    ARMVAParameters p0 = aa64_va_parameters_both(env, 0, stage1);
+    uint64_t tcr = regime_tcr(env, mmu_idx)->raw_tcr;
     uint64_t sctlr;
     int tbii, tbid;
 
     flags = FIELD_DP32(flags, TBFLAG_ANY, AARCH64_STATE, 1);
 
     /* Get control bits for tagged addresses.  */
-    if (regime_has_2_ranges(mmu_idx)) {
-        ARMVAParameters p1 = aa64_va_parameters_both(env, -1, stage1);
-        tbid = (p1.tbi << 1) | p0.tbi;
-        tbii = tbid & ~((p1.tbid << 1) | p0.tbid);
-    } else {
-        tbid = p0.tbi;
-        tbii = tbid & !p0.tbid;
-    }
+    tbid = aa64_va_parameter_tbi(tcr, mmu_idx);
+    tbii = tbid & ~aa64_va_parameter_tbid(tcr, mmu_idx);
 
     flags = FIELD_DP32(flags, TBFLAG_A64, TBII, tbii);
     flags = FIELD_DP32(flags, TBFLAG_A64, TBID, tbid);
-- 
2.20.1

Enforce a convention that an isar_feature function that tests a
32-bit ID register always has _aa32_ in its name, and one that
tests a 64-bit ID register always has _aa64_ in its name.
We already follow this except for three cases: thumb_div,
arm_div and jazelle, which all need _aa32_ adding.

(As noted in the comment, isar_feature_aa32_fp16_arith()
is an exception in that it currently tests ID_AA64PFR0_EL1,
but will switch to MVFR1 once we've properly implemented
FP16 for AArch32.)

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20200214175116.9164-2-peter.maydell@linaro.org
---
 target/arm/cpu.h       | 13 ++++++++++---
 target/arm/internals.h |  2 +-
 linux-user/elfload.c   |  4 ++--
 target/arm/cpu.c       |  6 ++++--
 target/arm/helper.c    |  2 +-
 target/arm/translate.c |  6 +++---
 6 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline uint64_t *aa64_vfp_qreg(CPUARMState *env, unsigned regno)
 /* Shared between translate-sve.c and sve_helper.c.  */
 extern const uint64_t pred_esz_masks[4];
 
+/*
+ * Naming convention for isar_feature functions:
+ * Functions which test 32-bit ID registers should have _aa32_ in
+ * their name. Functions which test 64-bit ID registers should have
+ * _aa64_ in their name.
+ */
+
 /*
  * 32-bit feature tests via id registers.
  */
-static inline bool isar_feature_thumb_div(const ARMISARegisters *id)
+static inline bool isar_feature_aa32_thumb_div(const ARMISARegisters *id)
 {
     return FIELD_EX32(id->id_isar0, ID_ISAR0, DIVIDE) != 0;
 }
 
-static inline bool isar_feature_arm_div(const ARMISARegisters *id)
+static inline bool isar_feature_aa32_arm_div(const ARMISARegisters *id)
 {
     return FIELD_EX32(id->id_isar0, ID_ISAR0, DIVIDE) > 1;
 }
 
-static inline bool isar_feature_jazelle(const ARMISARegisters *id)
+static inline bool isar_feature_aa32_jazelle(const ARMISARegisters *id)
 {
     return FIELD_EX32(id->id_isar1, ID_ISAR1, JAZELLE) != 0;
 }
diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t aarch32_cpsr_valid_mask(uint64_t features,
     if ((features >> ARM_FEATURE_THUMB2) & 1) {
         valid |= CPSR_IT;
     }
-    if (isar_feature_jazelle(id)) {
+    if (isar_feature_aa32_jazelle(id)) {
         valid |= CPSR_J;
     }
     if (isar_feature_aa32_pan(id)) {
diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ static uint32_t get_elf_hwcap(void)
     GET_FEATURE(ARM_FEATURE_VFP3, ARM_HWCAP_ARM_VFPv3);
     GET_FEATURE(ARM_FEATURE_V6K, ARM_HWCAP_ARM_TLS);
     GET_FEATURE(ARM_FEATURE_VFP4, ARM_HWCAP_ARM_VFPv4);
-    GET_FEATURE_ID(arm_div, ARM_HWCAP_ARM_IDIVA);
-    GET_FEATURE_ID(thumb_div, ARM_HWCAP_ARM_IDIVT);
+    GET_FEATURE_ID(aa32_arm_div, ARM_HWCAP_ARM_IDIVA);
+    GET_FEATURE_ID(aa32_thumb_div, ARM_HWCAP_ARM_IDIVT);
     /* All QEMU's VFPv3 CPUs have 32 registers, see VFP_DREG in translate.c.
      * Note that the ARM_HWCAP_ARM_VFPv3D16 bit is always the inverse of
      * ARM_HWCAP_ARM_VFPD32 (and so always clear for QEMU); it is unrelated
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
          * Presence of EL2 itself is ARM_FEATURE_EL2, and of the
          * Security Extensions is ARM_FEATURE_EL3.
          */
-        assert(!tcg_enabled() || no_aa32 || cpu_isar_feature(arm_div, cpu));
+        assert(!tcg_enabled() || no_aa32 ||
+               cpu_isar_feature(aa32_arm_div, cpu));
         set_feature(env, ARM_FEATURE_LPAE);
         set_feature(env, ARM_FEATURE_V7);
     }
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
     if (arm_feature(env, ARM_FEATURE_V6)) {
         set_feature(env, ARM_FEATURE_V5);
         if (!arm_feature(env, ARM_FEATURE_M)) {
-            assert(!tcg_enabled() || no_aa32 || cpu_isar_feature(jazelle, cpu));
+            assert(!tcg_enabled() || no_aa32 ||
+                   cpu_isar_feature(aa32_jazelle, cpu));
             set_feature(env, ARM_FEATURE_AUXCR);
         }
     }
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
     if (arm_feature(env, ARM_FEATURE_LPAE)) {
         define_arm_cp_regs(cpu, lpae_cp_reginfo);
     }
-    if (cpu_isar_feature(jazelle, cpu)) {
+    if (cpu_isar_feature(aa32_jazelle, cpu)) {
         define_arm_cp_regs(cpu, jazelle_regs);
     }
     /* Slightly awkwardly, the OMAP and StrongARM cores need all of
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@
 #define ENABLE_ARCH_5     arm_dc_feature(s, ARM_FEATURE_V5)
 /* currently all emulated v5 cores are also v5TE, so don't bother */
 #define ENABLE_ARCH_5TE   arm_dc_feature(s, ARM_FEATURE_V5)
-#define ENABLE_ARCH_5J    dc_isar_feature(jazelle, s)
+#define ENABLE_ARCH_5J    dc_isar_feature(aa32_jazelle, s)
 #define ENABLE_ARCH_6     arm_dc_feature(s, ARM_FEATURE_V6)
 #define ENABLE_ARCH_6K    arm_dc_feature(s, ARM_FEATURE_V6K)
 #define ENABLE_ARCH_6T2   arm_dc_feature(s, ARM_FEATURE_THUMB2)
@@ -XXX,XX +XXX,XX @@ static bool op_div(DisasContext *s, arg_rrr *a, bool u)
     TCGv_i32 t1, t2;
 
     if (s->thumb
-        ? !dc_isar_feature(thumb_div, s)
-        : !dc_isar_feature(arm_div, s)) {
+        ? !dc_isar_feature(aa32_thumb_div, s)
+        : !dc_isar_feature(aa32_arm_div, s)) {
         return false;
     }
 
-- 
2.20.1

Our current usage of the isar_feature feature tests almost always
uses an _aa32_ test when the code path is known to be AArch32
specific and an _aa64_ test when the code path is known to be
AArch64 specific. There is just one exception: in the vfp_set_fpscr
helper we check aa64_fp16 to determine whether the FZ16 bit in
the FP(S)CR exists, but this code is also used for AArch32.
There are other places in future where we're likely to want
a general "does this feature exist for either AArch32 or
AArch64" check (typically where architecturally the feature exists
for both CPU states if it exists at all, but the CPU might be
AArch32-only or AArch64-only, and so only have one set of ID
registers).

Introduce a new category of isar_feature_* functions:
isar_feature_any_foo() should be tested when what we want to
know is "does this feature exist for either AArch32 or AArch64",
and always returns the logical OR of isar_feature_aa32_foo()
and isar_feature_aa64_foo().

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20200214175116.9164-4-peter.maydell@linaro.org
---
 target/arm/cpu.h        | 19 ++++++++++++++++++-
 target/arm/vfp_helper.c |  2 +-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ extern const uint64_t pred_esz_masks[4];
  * Naming convention for isar_feature functions:
  * Functions which test 32-bit ID registers should have _aa32_ in
  * their name. Functions which test 64-bit ID registers should have
- * _aa64_ in their name.
+ * _aa64_ in their name. These must only be used in code where we
+ * know for certain that the CPU has AArch32 or AArch64 respectively
+ * or where the correct answer for a CPU which doesn't implement that
+ * CPU state is "false" (eg when generating A32 or A64 code, if adding
+ * system registers that are specific to that CPU state, for "should
+ * we let this system register bit be set" tests where the 32-bit
+ * flavour of the register doesn't have the bit, and so on).
+ * Functions which simply ask "does this feature exist at all" have
+ * _any_ in their name, and always return the logical OR of the _aa64_
+ * and the _aa32_ function.
  */
 
 /*
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_bti(const ARMISARegisters *id)
     return FIELD_EX64(id->id_aa64pfr1, ID_AA64PFR1, BT) != 0;
 }
 
+/*
+ * Feature tests for "does this exist in either 32-bit or 64-bit?"
+ */
+static inline bool isar_feature_any_fp16(const ARMISARegisters *id)
+{
+    return isar_feature_aa64_fp16(id) || isar_feature_aa32_fp16_arith(id);
+}
+
 /*
  * Forward to the above feature tests given an ARMCPU pointer.
  */
diff --git a/target/arm/vfp_helper.c b/target/arm/vfp_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/vfp_helper.c
+++ b/target/arm/vfp_helper.c
@@ -XXX,XX +XXX,XX @@ uint32_t vfp_get_fpscr(CPUARMState *env)
 void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)
 {
     /* When ARMv8.2-FP16 is not supported, FZ16 is RES0.  */
-    if (!cpu_isar_feature(aa64_fp16, env_archcpu(env))) {
+    if (!cpu_isar_feature(any_fp16, env_archcpu(env))) {
         val &= ~FPCR_FZ16;
     }
 
-- 
2.20.1

Instead of open-coding "ARM_FEATURE_AARCH64 ? aa64_predinv: aa32_predinv",
define and use an any_predinv isar_feature test function.

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20200214175116.9164-5-peter.maydell@linaro.org
---
 target/arm/cpu.h    | 5 +++++
 target/arm/helper.c | 9 +--------
 2 files changed, 6 insertions(+), 8 deletions(-)

Pull the code that defines the various PMU registers out
into its own function, matching the pattern we have
already for the debug registers.

Apart from one style fix to a multi-line comment, this
is purely movement of code with no changes to it.

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20200214175116.9164-6-peter.maydell@linaro.org
---
 target/arm/helper.c | 158 +++++++++++++++++++++++---------------------
 1 file changed, 82 insertions(+), 76 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void define_debug_regs(ARMCPU *cpu)
     }
 }
 
+static void define_pmu_regs(ARMCPU *cpu)
+{
+    /*
+     * v7 performance monitor control register: same implementor
+     * field as main ID register, and we implement four counters in
+     * addition to the cycle count register.
+     */
+    unsigned int i, pmcrn = 4;
+    ARMCPRegInfo pmcr = {
+        .name = "PMCR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 0,
+        .access = PL0_RW,
+        .type = ARM_CP_IO | ARM_CP_ALIAS,
+        .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcr),
+        .accessfn = pmreg_access, .writefn = pmcr_write,
+        .raw_writefn = raw_write,
+    };
+    ARMCPRegInfo pmcr64 = {
+        .name = "PMCR_EL0", .state = ARM_CP_STATE_AA64,
+        .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 0,
+        .access = PL0_RW, .accessfn = pmreg_access,
+        .type = ARM_CP_IO,
+        .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcr),
+        .resetvalue = (cpu->midr & 0xff000000) | (pmcrn << PMCRN_SHIFT),
+        .writefn = pmcr_write, .raw_writefn = raw_write,
+    };
+    define_one_arm_cp_reg(cpu, &pmcr);
+    define_one_arm_cp_reg(cpu, &pmcr64);
+    for (i = 0; i < pmcrn; i++) {
+        char *pmevcntr_name = g_strdup_printf("PMEVCNTR%d", i);
+        char *pmevcntr_el0_name = g_strdup_printf("PMEVCNTR%d_EL0", i);
+        char *pmevtyper_name = g_strdup_printf("PMEVTYPER%d", i);
+        char *pmevtyper_el0_name = g_strdup_printf("PMEVTYPER%d_EL0", i);
+        ARMCPRegInfo pmev_regs[] = {
+            { .name = pmevcntr_name, .cp = 15, .crn = 14,
+              .crm = 8 | (3 & (i >> 3)), .opc1 = 0, .opc2 = i & 7,
+              .access = PL0_RW, .type = ARM_CP_IO | ARM_CP_ALIAS,
+              .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn,
+              .accessfn = pmreg_access },
+            { .name = pmevcntr_el0_name, .state = ARM_CP_STATE_AA64,
+              .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 8 | (3 & (i >> 3)),
+              .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access,
+              .type = ARM_CP_IO,
+              .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn,
+              .raw_readfn = pmevcntr_rawread,
+              .raw_writefn = pmevcntr_rawwrite },
+            { .name = pmevtyper_name, .cp = 15, .crn = 14,
+              .crm = 12 | (3 & (i >> 3)), .opc1 = 0, .opc2 = i & 7,
+              .access = PL0_RW, .type = ARM_CP_IO | ARM_CP_ALIAS,
+              .readfn = pmevtyper_readfn, .writefn = pmevtyper_writefn,
+              .accessfn = pmreg_access },
+            { .name = pmevtyper_el0_name, .state = ARM_CP_STATE_AA64,
+              .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 12 | (3 & (i >> 3)),
+              .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access,
+              .type = ARM_CP_IO,
+              .readfn = pmevtyper_readfn, .writefn = pmevtyper_writefn,
+              .raw_writefn = pmevtyper_rawwrite },
+            REGINFO_SENTINEL
+        };
+        define_arm_cp_regs(cpu, pmev_regs);
+        g_free(pmevcntr_name);
+        g_free(pmevcntr_el0_name);
+        g_free(pmevtyper_name);
+        g_free(pmevtyper_el0_name);
+    }
+    if (FIELD_EX32(cpu->id_dfr0, ID_DFR0, PERFMON) >= 4 &&
+            FIELD_EX32(cpu->id_dfr0, ID_DFR0, PERFMON) != 0xf) {
+        ARMCPRegInfo v81_pmu_regs[] = {
+            { .name = "PMCEID2", .state = ARM_CP_STATE_AA32,
+              .cp = 15, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 4,
+              .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
+              .resetvalue = extract64(cpu->pmceid0, 32, 32) },
+            { .name = "PMCEID3", .state = ARM_CP_STATE_AA32,
+              .cp = 15, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 5,
+              .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
+              .resetvalue = extract64(cpu->pmceid1, 32, 32) },
+            REGINFO_SENTINEL
+        };
+        define_arm_cp_regs(cpu, v81_pmu_regs);
+    }
+}
+
 /* We don't know until after realize whether there's a GICv3
  * attached, and that is what registers the gicv3 sysregs.
  * So we have to fill in the GIC fields in ID_PFR/ID_PFR1_EL1/ID_AA64PFR0_EL1
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
         define_arm_cp_regs(cpu, pmovsset_cp_reginfo);
     }
     if (arm_feature(env, ARM_FEATURE_V7)) {
-        /* v7 performance monitor control register: same implementor
-         * field as main ID register, and we implement four counters in
-         * addition to the cycle count register.
-         */
-        unsigned int i, pmcrn = 4;
-        ARMCPRegInfo pmcr = {
-            .name = "PMCR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 0,
-            .access = PL0_RW,
-            .type = ARM_CP_IO | ARM_CP_ALIAS,
-            .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcr),
-            .accessfn = pmreg_access, .writefn = pmcr_write,
-            .raw_writefn = raw_write,
-        };
-        ARMCPRegInfo pmcr64 = {
-            .name = "PMCR_EL0", .state = ARM_CP_STATE_AA64,
-            .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 0,
-            .access = PL0_RW, .accessfn = pmreg_access,
-            .type = ARM_CP_IO,
-            .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcr),
-            .resetvalue = (cpu->midr & 0xff000000) | (pmcrn << PMCRN_SHIFT),
-            .writefn = pmcr_write, .raw_writefn = raw_write,
-        };
-        define_one_arm_cp_reg(cpu, &pmcr);
-        define_one_arm_cp_reg(cpu, &pmcr64);
-        for (i = 0; i < pmcrn; i++) {
-            char *pmevcntr_name = g_strdup_printf("PMEVCNTR%d", i);
-            char *pmevcntr_el0_name = g_strdup_printf("PMEVCNTR%d_EL0", i);
-            char *pmevtyper_name = g_strdup_printf("PMEVTYPER%d", i);
-            char *pmevtyper_el0_name = g_strdup_printf("PMEVTYPER%d_EL0", i);
-            ARMCPRegInfo pmev_regs[] = {
-                { .name = pmevcntr_name, .cp = 15, .crn = 14,
-                  .crm = 8 | (3 & (i >> 3)), .opc1 = 0, .opc2 = i & 7,
-                  .access = PL0_RW, .type = ARM_CP_IO | ARM_CP_ALIAS,
-                  .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn,
-                  .accessfn = pmreg_access },
-                { .name = pmevcntr_el0_name, .state = ARM_CP_STATE_AA64,
-                  .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 8 | (3 & (i >> 3)),
-                  .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access,
-                  .type = ARM_CP_IO,
-                  .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn,
-                  .raw_readfn = pmevcntr_rawread,
-                  .raw_writefn = pmevcntr_rawwrite },
-                { .name = pmevtyper_name, .cp = 15, .crn = 14,
-                  .crm = 12 | (3 & (i >> 3)), .opc1 = 0, .opc2 = i & 7,
-                  .access = PL0_RW, .type = ARM_CP_IO | ARM_CP_ALIAS,
-                  .readfn = pmevtyper_readfn, .writefn = pmevtyper_writefn,
-                  .accessfn = pmreg_access },
-                { .name = pmevtyper_el0_name, .state = ARM_CP_STATE_AA64,
-                  .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 12 | (3 & (i >> 3)),
-                  .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access,
-                  .type = ARM_CP_IO,
-                  .readfn = pmevtyper_readfn, .writefn = pmevtyper_writefn,
-                  .raw_writefn = pmevtyper_rawwrite },
-                REGINFO_SENTINEL
-            };
-            define_arm_cp_regs(cpu, pmev_regs);
-            g_free(pmevcntr_name);
-            g_free(pmevcntr_el0_name);
-            g_free(pmevtyper_name);
-            g_free(pmevtyper_el0_name);
-        }
         ARMCPRegInfo clidr = {
             .name = "CLIDR", .state = ARM_CP_STATE_BOTH,
             .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 1, .opc2 = 1,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
         define_one_arm_cp_reg(cpu, &clidr);
         define_arm_cp_regs(cpu, v7_cp_reginfo);
         define_debug_regs(cpu);
+        define_pmu_regs(cpu);
     } else {
         define_arm_cp_regs(cpu, not_v7_cp_reginfo);
     }
-    if (FIELD_EX32(cpu->id_dfr0, ID_DFR0, PERFMON) >= 4 &&
-            FIELD_EX32(cpu->id_dfr0, ID_DFR0, PERFMON) != 0xf) {
-        ARMCPRegInfo v81_pmu_regs[] = {
-            { .name = "PMCEID2", .state = ARM_CP_STATE_AA32,
-              .cp = 15, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 4,
-              .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
-              .resetvalue = extract64(cpu->pmceid0, 32, 32) },
-            { .name = "PMCEID3", .state = ARM_CP_STATE_AA32,
-              .cp = 15, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 5,
-              .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
-              .resetvalue = extract64(cpu->pmceid1, 32, 32) },
-            REGINFO_SENTINEL
-        };
-        define_arm_cp_regs(cpu, v81_pmu_regs);
-    }
     if (arm_feature(env, ARM_FEATURE_V8)) {
         /* AArch64 ID registers, which all have impdef reset values.
          * Note that within the ID register ranges the unused slots
-- 
2.20.1

Add FIELD() definitions for the ID_AA64DFR0_EL1 and use them
where we currently have hard-coded bit values.

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20200214175116.9164-7-peter.maydell@linaro.org
---
 target/arm/cpu.h    | 10 ++++++++++
 target/arm/cpu.c    |  2 +-
 target/arm/helper.c |  6 +++---
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64MMFR2, BBM, 52, 4)
 FIELD(ID_AA64MMFR2, EVT, 56, 4)
 FIELD(ID_AA64MMFR2, E0PD, 60, 4)
 
+FIELD(ID_AA64DFR0, DEBUGVER, 0, 4)
+FIELD(ID_AA64DFR0, TRACEVER, 4, 4)
+FIELD(ID_AA64DFR0, PMUVER, 8, 4)
+FIELD(ID_AA64DFR0, BRPS, 12, 4)
+FIELD(ID_AA64DFR0, WRPS, 20, 4)
+FIELD(ID_AA64DFR0, CTX_CMPS, 28, 4)
+FIELD(ID_AA64DFR0, PMSVER, 32, 4)
+FIELD(ID_AA64DFR0, DOUBLELOCK, 36, 4)
+FIELD(ID_AA64DFR0, TRACEFILT, 40, 4)
+
 FIELD(ID_DFR0, COPDBG, 0, 4)
 FIELD(ID_DFR0, COPSDBG, 4, 4)
 FIELD(ID_DFR0, MMAPDBG, 8, 4)
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
                 cpu);
 #endif
     } else {
-        cpu->id_aa64dfr0 &= ~0xf00;
+        cpu->id_aa64dfr0 = FIELD_DP64(cpu->id_aa64dfr0, ID_AA64DFR0, PMUVER, 0);
         cpu->id_dfr0 &= ~(0xf << 24);
         cpu->pmceid0 = 0;
         cpu->pmceid1 = 0;
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void define_debug_regs(ARMCPU *cpu)
      * check that if they both exist then they agree.
      */
     if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
-        assert(extract32(cpu->id_aa64dfr0, 12, 4) == brps);
-        assert(extract32(cpu->id_aa64dfr0, 20, 4) == wrps);
-        assert(extract32(cpu->id_aa64dfr0, 28, 4) == ctx_cmps);
+        assert(FIELD_EX64(cpu->id_aa64dfr0, ID_AA64DFR0, BRPS) == brps);
+        assert(FIELD_EX64(cpu->id_aa64dfr0, ID_AA64DFR0, WRPS) == wrps);
+        assert(FIELD_EX64(cpu->id_aa64dfr0, ID_AA64DFR0, CTX_CMPS) == ctx_cmps);
     }
 
     define_one_arm_cp_reg(cpu, &dbgdidr);
-- 
2.20.1

Instead of open-coding a check on the ID_DFR0 PerfMon ID register
field, create a standardly-named isar_feature for "does AArch32 have
a v8.1 PMUv3" and use it.

This entails moving the id_dfr0 field into the ARMISARegisters struct.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20200214175116.9164-9-peter.maydell@linaro.org
---
 target/arm/cpu.h      |  9 ++++++++-
 hw/intc/armv7m_nvic.c |  2 +-
 target/arm/cpu.c      | 28 ++++++++++++++--------------
 target/arm/cpu64.c    |  6 +++---
 target/arm/helper.c   |  5 ++---
 5 files changed, 28 insertions(+), 22 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
         uint32_t mvfr0;
         uint32_t mvfr1;
         uint32_t mvfr2;
+        uint32_t id_dfr0;
         uint64_t id_aa64isar0;
         uint64_t id_aa64isar1;
         uint64_t id_aa64pfr0;
@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
     uint32_t reset_sctlr;
     uint32_t id_pfr0;
     uint32_t id_pfr1;
-    uint32_t id_dfr0;
     uint64_t pmceid0;
     uint64_t pmceid1;
     uint32_t id_afr0;
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_ats1e1(const ARMISARegisters *id)
     return FIELD_EX64(id->mvfr0, ID_MMFR3, PAN) >= 2;
 }
 
+static inline bool isar_feature_aa32_pmu_8_1(const ARMISARegisters *id)
+{
+    /* 0xf means "non-standard IMPDEF PMU" */
+    return FIELD_EX32(id->id_dfr0, ID_DFR0, PERFMON) >= 4 &&
+        FIELD_EX32(id->id_dfr0, ID_DFR0, PERFMON) != 0xf;
+}
+
 /*
  * 64-bit feature tests via id registers.
  */
diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
     case 0xd44: /* PFR1.  */
         return cpu->id_pfr1;
     case 0xd48: /* DFR0.  */
-        return cpu->id_dfr0;
+        return cpu->isar.id_dfr0;
     case 0xd4c: /* AFR0.  */
         return cpu->id_afr0;
     case 0xd50: /* MMFR0.  */
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
 #endif
     } else {
         cpu->id_aa64dfr0 = FIELD_DP64(cpu->id_aa64dfr0, ID_AA64DFR0, PMUVER, 0);
-        cpu->id_dfr0 = FIELD_DP32(cpu->id_dfr0, ID_DFR0, PERFMON, 0);
+        cpu->isar.id_dfr0 = FIELD_DP32(cpu->isar.id_dfr0, ID_DFR0, PERFMON, 0);
         cpu->pmceid0 = 0;
         cpu->pmceid1 = 0;
     }
@@ -XXX,XX +XXX,XX @@ static void arm1136_r2_initfn(Object *obj)
     cpu->reset_sctlr = 0x00050078;
     cpu->id_pfr0 = 0x111;
     cpu->id_pfr1 = 0x1;
-    cpu->id_dfr0 = 0x2;
+    cpu->isar.id_dfr0 = 0x2;
     cpu->id_afr0 = 0x3;
     cpu->id_mmfr0 = 0x01130003;
     cpu->id_mmfr1 = 0x10030302;
@@ -XXX,XX +XXX,XX @@ static void arm1136_initfn(Object *obj)
     cpu->reset_sctlr = 0x00050078;
     cpu->id_pfr0 = 0x111;
     cpu->id_pfr1 = 0x1;
-    cpu->id_dfr0 = 0x2;
+    cpu->isar.id_dfr0 = 0x2;
     cpu->id_afr0 = 0x3;
     cpu->id_mmfr0 = 0x01130003;
     cpu->id_mmfr1 = 0x10030302;
@@ -XXX,XX +XXX,XX @@ static void arm1176_initfn(Object *obj)
     cpu->reset_sctlr = 0x00050078;
     cpu->id_pfr0 = 0x111;
     cpu->id_pfr1 = 0x11;
-    cpu->id_dfr0 = 0x33;
+    cpu->isar.id_dfr0 = 0x33;
     cpu->id_afr0 = 0;
     cpu->id_mmfr0 = 0x01130003;
     cpu->id_mmfr1 = 0x10030302;
@@ -XXX,XX +XXX,XX @@ static void arm11mpcore_initfn(Object *obj)
     cpu->ctr = 0x1d192992; /* 32K icache 32K dcache */
     cpu->id_pfr0 = 0x111;
     cpu->id_pfr1 = 0x1;
-    cpu->id_dfr0 = 0;
+    cpu->isar.id_dfr0 = 0;
     cpu->id_afr0 = 0x2;
     cpu->id_mmfr0 = 0x01100103;
     cpu->id_mmfr1 = 0x10020302;
@@ -XXX,XX +XXX,XX @@ static void cortex_m3_initfn(Object *obj)
     cpu->pmsav7_dregion = 8;
     cpu->id_pfr0 = 0x00000030;
     cpu->id_pfr1 = 0x00000200;
-    cpu->id_dfr0 = 0x00100000;
+    cpu->isar.id_dfr0 = 0x00100000;
     cpu->id_afr0 = 0x00000000;
     cpu->id_mmfr0 = 0x00000030;
     cpu->id_mmfr1 = 0x00000000;
@@ -XXX,XX +XXX,XX @@ static void cortex_m4_initfn(Object *obj)
     cpu->isar.mvfr2 = 0x00000000;
     cpu->id_pfr0 = 0x00000030;
     cpu->id_pfr1 = 0x00000200;
-    cpu->id_dfr0 = 0x00100000;
+    cpu->isar.id_dfr0 = 0x00100000;
     cpu->id_afr0 = 0x00000000;
     cpu->id_mmfr0 = 0x00000030;
     cpu->id_mmfr1 = 0x00000000;
@@ -XXX,XX +XXX,XX @@ static void cortex_m7_initfn(Object *obj)
     cpu->isar.mvfr2 = 0x00000040;
     cpu->id_pfr0 = 0x00000030;
     cpu->id_pfr1 = 0x00000200;
-    cpu->id_dfr0 = 0x00100000;
+    cpu->isar.id_dfr0 = 0x00100000;
     cpu->id_afr0 = 0x00000000;
     cpu->id_mmfr0 = 0x00100030;
     cpu->id_mmfr1 = 0x00000000;
@@ -XXX,XX +XXX,XX @@ static void cortex_m33_initfn(Object *obj)
     cpu->isar.mvfr2 = 0x00000040;
     cpu->id_pfr0 = 0x00000030;
     cpu->id_pfr1 = 0x00000210;
-    cpu->id_dfr0 = 0x00200000;
+    cpu->isar.id_dfr0 = 0x00200000;
     cpu->id_afr0 = 0x00000000;
     cpu->id_mmfr0 = 0x00101F40;
     cpu->id_mmfr1 = 0x00000000;
@@ -XXX,XX +XXX,XX @@ static void cortex_r5_initfn(Object *obj)
     cpu->midr = 0x411fc153; /* r1p3 */
     cpu->id_pfr0 = 0x0131;
     cpu->id_pfr1 = 0x001;
-    cpu->id_dfr0 = 0x010400;
+    cpu->isar.id_dfr0 = 0x010400;
     cpu->id_afr0 = 0x0;
     cpu->id_mmfr0 = 0x0210030;
     cpu->id_mmfr1 = 0x00000000;
@@ -XXX,XX +XXX,XX @@ static void cortex_a8_initfn(Object *obj)
     cpu->reset_sctlr = 0x00c50078;
     cpu->id_pfr0 = 0x1031;
     cpu->id_pfr1 = 0x11;
-    cpu->id_dfr0 = 0x400;
+    cpu->isar.id_dfr0 = 0x400;
     cpu->id_afr0 = 0;
     cpu->id_mmfr0 = 0x31100003;
     cpu->id_mmfr1 = 0x20000000;
@@ -XXX,XX +XXX,XX @@ static void cortex_a9_initfn(Object *obj)
     cpu->reset_sctlr = 0x00c50078;
     cpu->id_pfr0 = 0x1031;
     cpu->id_pfr1 = 0x11;
-    cpu->id_dfr0 = 0x000;
+    cpu->isar.id_dfr0 = 0x000;
     cpu->id_afr0 = 0;
     cpu->id_mmfr0 = 0x00100103;
     cpu->id_mmfr1 = 0x20000000;
@@ -XXX,XX +XXX,XX @@ static void cortex_a7_initfn(Object *obj)
     cpu->reset_sctlr = 0x00c50078;
     cpu->id_pfr0 = 0x00001131;
     cpu->id_pfr1 = 0x00011011;
-    cpu->id_dfr0 = 0x02010555;
+    cpu->isar.id_dfr0 = 0x02010555;
     cpu->id_afr0 = 0x00000000;
     cpu->id_mmfr0 = 0x10101105;
     cpu->id_mmfr1 = 0x40000000;
@@ -XXX,XX +XXX,XX @@ static void cortex_a15_initfn(Object *obj)
     cpu->reset_sctlr = 0x00c50078;
     cpu->id_pfr0 = 0x00001131;
     cpu->id_pfr1 = 0x00011011;
-    cpu->id_dfr0 = 0x02010555;
+    cpu->isar.id_dfr0 = 0x02010555;
     cpu->id_afr0 = 0x00000000;
     cpu->id_mmfr0 = 0x10201105;
     cpu->id_mmfr1 = 0x20000000;
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_a57_initfn(Object *obj)
     cpu->reset_sctlr = 0x00c50838;
     cpu->id_pfr0 = 0x00000131;
     cpu->id_pfr1 = 0x00011011;
-    cpu->id_dfr0 = 0x03010066;
+    cpu->isar.id_dfr0 = 0x03010066;
     cpu->id_afr0 = 0x00000000;
     cpu->id_mmfr0 = 0x10101105;
     cpu->id_mmfr1 = 0x40000000;
@@ -XXX,XX +XXX,XX @@ static void aarch64_a53_initfn(Object *obj)
     cpu->reset_sctlr = 0x00c50838;
     cpu->id_pfr0 = 0x00000131;
     cpu->id_pfr1 = 0x00011011;
-    cpu->id_dfr0 = 0x03010066;
+    cpu->isar.id_dfr0 = 0x03010066;
     cpu->id_afr0 = 0x00000000;
     cpu->id_mmfr0 = 0x10101105;
     cpu->id_mmfr1 = 0x40000000;
@@ -XXX,XX +XXX,XX @@ static void aarch64_a72_initfn(Object *obj)
     cpu->reset_sctlr = 0x00c50838;
     cpu->id_pfr0 = 0x00000131;
     cpu->id_pfr1 = 0x00011011;
-    cpu->id_dfr0 = 0x03010066;
+    cpu->isar.id_dfr0 = 0x03010066;
     cpu->id_afr0 = 0x00000000;
     cpu->id_mmfr0 = 0x10201105;
     cpu->id_mmfr1 = 0x40000000;
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void define_pmu_regs(ARMCPU *cpu)
         g_free(pmevtyper_name);
         g_free(pmevtyper_el0_name);
     }
-    if (FIELD_EX32(cpu->id_dfr0, ID_DFR0, PERFMON) >= 4 &&
-            FIELD_EX32(cpu->id_dfr0, ID_DFR0, PERFMON) != 0xf) {
+    if (cpu_isar_feature(aa32_pmu_8_1, cpu)) {
         ARMCPRegInfo v81_pmu_regs[] = {
             { .name = "PMCEID2", .state = ARM_CP_STATE_AA32,
               .cp = 15, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 4,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 2,
               .access = PL1_R, .type = ARM_CP_CONST,
               .accessfn = access_aa32_tid3,
-              .resetvalue = cpu->id_dfr0 },
+              .resetvalue = cpu->isar.id_dfr0 },
             { .name = "ID_AFR0", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 3,
               .access = PL1_R, .type = ARM_CP_CONST,
-- 
2.20.1

Add the 64-bit version of the "is this a v8.1 PMUv3?"
ID register check function, and the _any_ version that
checks for either AArch32 or AArch64 support. We'll use
this in a later commit.

We don't (yet) do any isar_feature checks on ID_AA64DFR1_EL1,
but we move id_aa64dfr1 into the ARMISARegisters struct with
id_aa64dfr0, for consistency.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20200214175116.9164-10-peter.maydell@linaro.org
---
 target/arm/cpu.h    | 15 +++++++++++++--
 target/arm/cpu.c    |  3 ++-
 target/arm/cpu64.c  |  6 +++---
 target/arm/helper.c | 12 +++++++-----
 4 files changed, 25 insertions(+), 11 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
         uint64_t id_aa64mmfr0;
         uint64_t id_aa64mmfr1;
         uint64_t id_aa64mmfr2;
+        uint64_t id_aa64dfr0;
+        uint64_t id_aa64dfr1;
     } isar;
     uint32_t midr;
     uint32_t revidr;
@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
     uint32_t id_mmfr2;
     uint32_t id_mmfr3;
     uint32_t id_mmfr4;
-    uint64_t id_aa64dfr0;
-    uint64_t id_aa64dfr1;
     uint64_t id_aa64afr0;
     uint64_t id_aa64afr1;
     uint32_t dbgdidr;
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_bti(const ARMISARegisters *id)
     return FIELD_EX64(id->id_aa64pfr1, ID_AA64PFR1, BT) != 0;
 }
 
+static inline bool isar_feature_aa64_pmu_8_1(const ARMISARegisters *id)
+{
+    return FIELD_EX64(id->id_aa64dfr0, ID_AA64DFR0, PMUVER) >= 4 &&
+        FIELD_EX64(id->id_aa64dfr0, ID_AA64DFR0, PMUVER) != 0xf;
+}
+
 /*
  * Feature tests for "does this exist in either 32-bit or 64-bit?"
  */
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_any_predinv(const ARMISARegisters *id)
     return isar_feature_aa64_predinv(id) || isar_feature_aa32_predinv(id);
 }
 
+static inline bool isar_feature_any_pmu_8_1(const ARMISARegisters *id)
+{
+    return isar_feature_aa64_pmu_8_1(id) || isar_feature_aa32_pmu_8_1(id);
+}
+
 /*
  * Forward to the above feature tests given an ARMCPU pointer.
  */
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
                 cpu);
 #endif
     } else {
-        cpu->id_aa64dfr0 = FIELD_DP64(cpu->id_aa64dfr0, ID_AA64DFR0, PMUVER, 0);
+        cpu->isar.id_aa64dfr0 =
+            FIELD_DP64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, PMUVER, 0);
         cpu->isar.id_dfr0 = FIELD_DP32(cpu->isar.id_dfr0, ID_DFR0, PERFMON, 0);
         cpu->pmceid0 = 0;
         cpu->pmceid1 = 0;
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_a57_initfn(Object *obj)
     cpu->isar.id_isar5 = 0x00011121;
     cpu->isar.id_isar6 = 0;
     cpu->isar.id_aa64pfr0 = 0x00002222;
-    cpu->id_aa64dfr0 = 0x10305106;
+    cpu->isar.id_aa64dfr0 = 0x10305106;
     cpu->isar.id_aa64isar0 = 0x00011120;
     cpu->isar.id_aa64mmfr0 = 0x00001124;
     cpu->dbgdidr = 0x3516d000;
@@ -XXX,XX +XXX,XX @@ static void aarch64_a53_initfn(Object *obj)
     cpu->isar.id_isar5 = 0x00011121;
     cpu->isar.id_isar6 = 0;
     cpu->isar.id_aa64pfr0 = 0x00002222;
-    cpu->id_aa64dfr0 = 0x10305106;
+    cpu->isar.id_aa64dfr0 = 0x10305106;
     cpu->isar.id_aa64isar0 = 0x00011120;
     cpu->isar.id_aa64mmfr0 = 0x00001122; /* 40 bit physical addr */
     cpu->dbgdidr = 0x3516d000;
@@ -XXX,XX +XXX,XX @@ static void aarch64_a72_initfn(Object *obj)
     cpu->isar.id_isar4 = 0x00011142;
     cpu->isar.id_isar5 = 0x00011121;
     cpu->isar.id_aa64pfr0 = 0x00002222;
-    cpu->id_aa64dfr0 = 0x10305106;
+    cpu->isar.id_aa64dfr0 = 0x10305106;
     cpu->isar.id_aa64isar0 = 0x00011120;
     cpu->isar.id_aa64mmfr0 = 0x00001124;
     cpu->dbgdidr = 0x3516d000;
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/semihosting/semihost.h"
 #include "sysemu/cpus.h"
 #include "sysemu/kvm.h"
+#include "sysemu/tcg.h"
 #include "qemu/range.h"
 #include "qapi/qapi-commands-machine-target.h"
 #include "qapi/error.h"
@@ -XXX,XX +XXX,XX @@ static void define_debug_regs(ARMCPU *cpu)
      * check that if they both exist then they agree.
      */
     if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
-        assert(FIELD_EX64(cpu->id_aa64dfr0, ID_AA64DFR0, BRPS) == brps);
-        assert(FIELD_EX64(cpu->id_aa64dfr0, ID_AA64DFR0, WRPS) == wrps);
-        assert(FIELD_EX64(cpu->id_aa64dfr0, ID_AA64DFR0, CTX_CMPS) == ctx_cmps);
+        assert(FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, BRPS) == brps);
+        assert(FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, WRPS) == wrps);
+        assert(FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, CTX_CMPS)
+               == ctx_cmps);
     }
 
     define_one_arm_cp_reg(cpu, &dbgdidr);
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 0,
               .access = PL1_R, .type = ARM_CP_CONST,
               .accessfn = access_aa64_tid3,
-              .resetvalue = cpu->id_aa64dfr0 },
+              .resetvalue = cpu->isar.id_aa64dfr0 },
             { .name = "ID_AA64DFR1_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 1,
               .access = PL1_R, .type = ARM_CP_CONST,
               .accessfn = access_aa64_tid3,
-              .resetvalue = cpu->id_aa64dfr1 },
+              .resetvalue = cpu->isar.id_aa64dfr1 },
             { .name = "ID_AA64DFR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 2,
               .access = PL1_R, .type = ARM_CP_CONST,
-- 
2.20.1

The AArch32 DBGDIDR defines properties like the number of
breakpoints, watchpoints and context-matching comparators.  On an
AArch64 CPU, the register may not even exist if AArch32 is not
supported at EL1.

Currently we hard-code use of DBGDIDR to identify the number of
breakpoints etc; this works for all our TCG CPUs, but will break if
we ever add an AArch64-only CPU.  We also have an assert() that the
AArch32 and AArch64 registers match, which currently works only by
luck for KVM because we don't populate either of these ID registers
from the KVM vCPU and so they are both zero.

Clean this up so we have functions for finding the number
of breakpoints, watchpoints and context comparators which look
in the appropriate ID register.

This allows us to drop the "check that AArch64 and AArch32 agree
on the number of breakpoints etc" asserts:
 * we no longer look at the AArch32 versions unless that's the
   right place to be looking
 * it's valid to have a CPU (eg AArch64-only) where they don't match
 * we shouldn't have been asserting the validity of ID registers
   in a codepath used with KVM anyway

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200214175116.9164-11-peter.maydell@linaro.org
---
 target/arm/cpu.h          |  7 +++++++
 target/arm/internals.h    | 42 +++++++++++++++++++++++++++++++++++++++
 target/arm/debug_helper.c |  6 +++---
 target/arm/helper.c       | 21 +++++---------------
 4 files changed, 57 insertions(+), 19 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ FIELD(ID_DFR0, MPROFDBG, 20, 4)
 FIELD(ID_DFR0, PERFMON, 24, 4)
 FIELD(ID_DFR0, TRACEFILT, 28, 4)
 
+FIELD(DBGDIDR, SE_IMP, 12, 1)
+FIELD(DBGDIDR, NSUHD_IMP, 14, 1)
+FIELD(DBGDIDR, VERSION, 16, 4)
+FIELD(DBGDIDR, CTX_CMPS, 20, 4)
+FIELD(DBGDIDR, BRPS, 24, 4)
+FIELD(DBGDIDR, WRPS, 28, 4)
+
 FIELD(MVFR0, SIMDREG, 0, 4)
 FIELD(MVFR0, FPSP, 4, 4)
 FIELD(MVFR0, FPDP, 8, 4)
diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t arm_debug_exception_fsr(CPUARMState *env)
     }
 }
 
+/**
+ * arm_num_brps: Return number of implemented breakpoints.
+ * Note that the ID register BRPS field is "number of bps - 1",
+ * and we return the actual number of breakpoints.
+ */
+static inline int arm_num_brps(ARMCPU *cpu)
+{
+    if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
+        return FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, BRPS) + 1;
+    } else {
+        return FIELD_EX32(cpu->dbgdidr, DBGDIDR, BRPS) + 1;
+    }
+}
+
+/**
+ * arm_num_wrps: Return number of implemented watchpoints.
+ * Note that the ID register WRPS field is "number of wps - 1",
+ * and we return the actual number of watchpoints.
+ */
+static inline int arm_num_wrps(ARMCPU *cpu)
+{
+    if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
+        return FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, WRPS) + 1;
+    } else {
+        return FIELD_EX32(cpu->dbgdidr, DBGDIDR, WRPS) + 1;
+    }
+}
+
+/**
+ * arm_num_ctx_cmps: Return number of implemented context comparators.
+ * Note that the ID register CTX_CMPS field is "number of cmps - 1",
+ * and we return the actual number of comparators.
+ */
+static inline int arm_num_ctx_cmps(ARMCPU *cpu)
+{
+    if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
+        return FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, CTX_CMPS) + 1;
+    } else {
+        return FIELD_EX32(cpu->dbgdidr, DBGDIDR, CTX_CMPS) + 1;
+    }
+}
+
 /* Note make_memop_idx reserves 4 bits for mmu_idx, and MO_BSWAP is bit 3.
  * Thus a TCGMemOpIdx, without any MO_ALIGN bits, fits in 8 bits.
  */
diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/debug_helper.c
+++ b/target/arm/debug_helper.c
@@ -XXX,XX +XXX,XX @@ static bool linked_bp_matches(ARMCPU *cpu, int lbn)
 {
     CPUARMState *env = &cpu->env;
     uint64_t bcr = env->cp15.dbgbcr[lbn];
-    int brps = extract32(cpu->dbgdidr, 24, 4);
-    int ctx_cmps = extract32(cpu->dbgdidr, 20, 4);
+    int brps = arm_num_brps(cpu);
+    int ctx_cmps = arm_num_ctx_cmps(cpu);
     int bt;
     uint32_t contextidr;
     uint64_t hcr_el2;
@@ -XXX,XX +XXX,XX @@ static bool linked_bp_matches(ARMCPU *cpu, int lbn)
      * case DBGWCR<n>_EL1.LBN must indicate that breakpoint).
      * We choose the former.
      */
-    if (lbn > brps || lbn < (brps - ctx_cmps)) {
+    if (lbn >= brps || lbn < (brps - ctx_cmps)) {
         return false;
     }
 
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void define_debug_regs(ARMCPU *cpu)
     };
 
     /* Note that all these register fields hold "number of Xs minus 1". */
-    brps = extract32(cpu->dbgdidr, 24, 4);
-    wrps = extract32(cpu->dbgdidr, 28, 4);
-    ctx_cmps = extract32(cpu->dbgdidr, 20, 4);
+    brps = arm_num_brps(cpu);
+    wrps = arm_num_wrps(cpu);
+    ctx_cmps = arm_num_ctx_cmps(cpu);
 
     assert(ctx_cmps <= brps);
 
-    /* The DBGDIDR and ID_AA64DFR0_EL1 define various properties
-     * of the debug registers such as number of breakpoints;
-     * check that if they both exist then they agree.
-     */
-    if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
-        assert(FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, BRPS) == brps);
-        assert(FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, WRPS) == wrps);
-        assert(FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, CTX_CMPS)
-               == ctx_cmps);
-    }
-
     define_one_arm_cp_reg(cpu, &dbgdidr);
     define_arm_cp_regs(cpu, debug_cp_reginfo);
 
@@ -XXX,XX +XXX,XX @@ static void define_debug_regs(ARMCPU *cpu)
         define_arm_cp_regs(cpu, debug_lpae_cp_reginfo);
     }
 
-    for (i = 0; i < brps + 1; i++) {
+    for (i = 0; i < brps; i++) {
         ARMCPRegInfo dbgregs[] = {
             { .name = "DBGBVR", .state = ARM_CP_STATE_BOTH,
               .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 4,
@@ -XXX,XX +XXX,XX @@ static void define_debug_regs(ARMCPU *cpu)
         define_arm_cp_regs(cpu, dbgregs);
     }
 
-    for (i = 0; i < wrps + 1; i++) {
+    for (i = 0; i < wrps; i++) {
         ARMCPRegInfo dbgregs[] = {
             { .name = "DBGWVR", .state = ARM_CP_STATE_BOTH,
               .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 6,
-- 
2.20.1

We're going to want to read the DBGDIDR register from KVM in
a subsequent commit, which means it needs to be in the
ARMISARegisters sub-struct. Move it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200214175116.9164-12-peter.maydell@linaro.org
---
 target/arm/cpu.h       | 2 +-
 target/arm/internals.h | 6 +++---
 target/arm/cpu.c       | 8 ++++----
 target/arm/cpu64.c     | 6 +++---
 target/arm/helper.c    | 2 +-
 5 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
         uint32_t mvfr1;
         uint32_t mvfr2;
         uint32_t id_dfr0;
+        uint32_t dbgdidr;
         uint64_t id_aa64isar0;
         uint64_t id_aa64isar1;
         uint64_t id_aa64pfr0;
@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
     uint32_t id_mmfr4;
     uint64_t id_aa64afr0;
     uint64_t id_aa64afr1;
-    uint32_t dbgdidr;
     uint32_t clidr;
     uint64_t mp_affinity; /* MP ID without feature bits */
     /* The elements of this array are the CCSIDR values for each cache,
diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline int arm_num_brps(ARMCPU *cpu)
     if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
         return FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, BRPS) + 1;
     } else {
-        return FIELD_EX32(cpu->dbgdidr, DBGDIDR, BRPS) + 1;
+        return FIELD_EX32(cpu->isar.dbgdidr, DBGDIDR, BRPS) + 1;
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static inline int arm_num_wrps(ARMCPU *cpu)
     if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
         return FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, WRPS) + 1;
     } else {
-        return FIELD_EX32(cpu->dbgdidr, DBGDIDR, WRPS) + 1;
+        return FIELD_EX32(cpu->isar.dbgdidr, DBGDIDR, WRPS) + 1;
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static inline int arm_num_ctx_cmps(ARMCPU *cpu)
     if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
         return FIELD_EX64(cpu->isar.id_aa64dfr0, ID_AA64DFR0, CTX_CMPS) + 1;
     } else {
-        return FIELD_EX32(cpu->dbgdidr, DBGDIDR, CTX_CMPS) + 1;
+        return FIELD_EX32(cpu->isar.dbgdidr, DBGDIDR, CTX_CMPS) + 1;
     }
 }
 
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void cortex_a8_initfn(Object *obj)
     cpu->isar.id_isar2 = 0x21232031;
     cpu->isar.id_isar3 = 0x11112131;
     cpu->isar.id_isar4 = 0x00111142;
-    cpu->dbgdidr = 0x15141000;
+    cpu->isar.dbgdidr = 0x15141000;
     cpu->clidr = (1 << 27) | (2 << 24) | 3;
     cpu->ccsidr[0] = 0xe007e01a; /* 16k L1 dcache. */
     cpu->ccsidr[1] = 0x2007e01a; /* 16k L1 icache. */
@@ -XXX,XX +XXX,XX @@ static void cortex_a9_initfn(Object *obj)
     cpu->isar.id_isar2 = 0x21232041;
     cpu->isar.id_isar3 = 0x11112131;
     cpu->isar.id_isar4 = 0x00111142;
-    cpu->dbgdidr = 0x35141000;
+    cpu->isar.dbgdidr = 0x35141000;
     cpu->clidr = (1 << 27) | (1 << 24) | 3;
     cpu->ccsidr[0] = 0xe00fe019; /* 16k L1 dcache. */
     cpu->ccsidr[1] = 0x200fe019; /* 16k L1 icache. */
@@ -XXX,XX +XXX,XX @@ static void cortex_a7_initfn(Object *obj)
     cpu->isar.id_isar2 = 0x21232041;
     cpu->isar.id_isar3 = 0x11112131;
     cpu->isar.id_isar4 = 0x10011142;
-    cpu->dbgdidr = 0x3515f005;
+    cpu->isar.dbgdidr = 0x3515f005;
     cpu->clidr = 0x0a200023;
     cpu->ccsidr[0] = 0x701fe00a; /* 32K L1 dcache */
     cpu->ccsidr[1] = 0x201fe00a; /* 32K L1 icache */
@@ -XXX,XX +XXX,XX @@ static void cortex_a15_initfn(Object *obj)
     cpu->isar.id_isar2 = 0x21232041;
     cpu->isar.id_isar3 = 0x11112131;
     cpu->isar.id_isar4 = 0x10011142;
-    cpu->dbgdidr = 0x3515f021;
+    cpu->isar.dbgdidr = 0x3515f021;
     cpu->clidr = 0x0a200023;
     cpu->ccsidr[0] = 0x701fe00a; /* 32K L1 dcache */
     cpu->ccsidr[1] = 0x201fe00a; /* 32K L1 icache */
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_a57_initfn(Object *obj)
     cpu->isar.id_aa64dfr0 = 0x10305106;
     cpu->isar.id_aa64isar0 = 0x00011120;
     cpu->isar.id_aa64mmfr0 = 0x00001124;
-    cpu->dbgdidr = 0x3516d000;
+    cpu->isar.dbgdidr = 0x3516d000;
     cpu->clidr = 0x0a200023;
     cpu->ccsidr[0] = 0x701fe00a; /* 32KB L1 dcache */
     cpu->ccsidr[1] = 0x201fe012; /* 48KB L1 icache */
@@ -XXX,XX +XXX,XX @@ static void aarch64_a53_initfn(Object *obj)
     cpu->isar.id_aa64dfr0 = 0x10305106;
     cpu->isar.id_aa64isar0 = 0x00011120;
     cpu->isar.id_aa64mmfr0 = 0x00001122; /* 40 bit physical addr */
-    cpu->dbgdidr = 0x3516d000;
+    cpu->isar.dbgdidr = 0x3516d000;
     cpu->clidr = 0x0a200023;
     cpu->ccsidr[0] = 0x700fe01a; /* 32KB L1 dcache */
     cpu->ccsidr[1] = 0x201fe00a; /* 32KB L1 icache */
@@ -XXX,XX +XXX,XX @@ static void aarch64_a72_initfn(Object *obj)
     cpu->isar.id_aa64dfr0 = 0x10305106;
     cpu->isar.id_aa64isar0 = 0x00011120;
     cpu->isar.id_aa64mmfr0 = 0x00001124;
-    cpu->dbgdidr = 0x3516d000;
+    cpu->isar.dbgdidr = 0x3516d000;
     cpu->clidr = 0x0a200023;
     cpu->ccsidr[0] = 0x701fe00a; /* 32KB L1 dcache */
     cpu->ccsidr[1] = 0x201fe012; /* 48KB L1 icache */
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void define_debug_regs(ARMCPU *cpu)
     ARMCPRegInfo dbgdidr = {
         .name = "DBGDIDR", .cp = 14, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 0,
         .access = PL0_R, .accessfn = access_tda,
-        .type = ARM_CP_CONST, .resetvalue = cpu->dbgdidr,
+        .type = ARM_CP_CONST, .resetvalue = cpu->isar.dbgdidr,
     };
 
     /* Note that all these register fields hold "number of Xs minus 1". */
-- 
2.20.1

Now we have isar_feature test functions that look at fields in the
ID_AA64DFR0_EL1 and ID_DFR0 ID registers, add the code that reads
these register values from KVM so that the checks behave correctly
when we're using KVM.

No isar_feature function tests ID_AA64DFR1_EL1 or DBGDIDR yet, but we
add it to maintain the invariant that every field in the
ARMISARegisters struct is populated for a KVM CPU and can be relied
on.  This requirement isn't actually written down yet, so add a note
to the relevant comment.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200214175116.9164-13-peter.maydell@linaro.org
---
 target/arm/cpu.h   |  5 +++++
 target/arm/kvm32.c |  8 ++++++++
 target/arm/kvm64.c | 36 ++++++++++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
      * prefix means a constant register.
      * Some of these registers are split out into a substructure that
      * is shared with the translators to control the ISA.
+     *
+     * Note that if you add an ID register to the ARMISARegisters struct
+     * you need to also update the 32-bit and 64-bit versions of the
+     * kvm_arm_get_host_cpu_features() function to correctly populate the
+     * field by reading the value from the KVM vCPU.
      */
     struct ARMISARegisters {
         uint32_t id_isar0;
diff --git a/target/arm/kvm32.c b/target/arm/kvm32.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm32.c
+++ b/target/arm/kvm32.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
         ahcf->isar.id_isar6 = 0;
     }
 
+    err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_dfr0,
+                          ARM_CP15_REG32(0, 0, 1, 2));
+
     err |= read_sys_reg32(fdarray[2], &ahcf->isar.mvfr0,
                           KVM_REG_ARM | KVM_REG_SIZE_U32 |
                           KVM_REG_ARM_VFP | KVM_REG_ARM_VFP_MVFR0);
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
      * Fortunately there is not yet anything in there that affects migration.
      */
 
+    /*
+     * There is no way to read DBGDIDR, because currently 32-bit KVM
+     * doesn't implement debug at all. Leave it at zero.
+     */
+
     kvm_arm_destroy_scratch_host_vcpu(fdarray);
 
     if (err < 0) {
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
     } else {
         err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64pfr1,
                               ARM64_SYS_REG(3, 0, 0, 4, 1));
+        err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64dfr0,
+                              ARM64_SYS_REG(3, 0, 0, 5, 0));
+        err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64dfr1,
+                              ARM64_SYS_REG(3, 0, 0, 5, 1));
         err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64isar0,
                               ARM64_SYS_REG(3, 0, 0, 6, 0));
         err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64isar1,
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
          * than skipping the reads and leaving 0, as we must avoid
          * considering the values in every case.
          */
+        err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_dfr0,
+                              ARM64_SYS_REG(3, 0, 0, 1, 2));
         err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_isar0,
                               ARM64_SYS_REG(3, 0, 0, 2, 0));
         err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_isar1,
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
                               ARM64_SYS_REG(3, 0, 0, 3, 1));
         err |= read_sys_reg32(fdarray[2], &ahcf->isar.mvfr2,
                               ARM64_SYS_REG(3, 0, 0, 3, 2));
+
+        /*
+         * DBGDIDR is a bit complicated because the kernel doesn't
+         * provide an accessor for it in 64-bit mode, which is what this
+         * scratch VM is in, and there's no architected "64-bit sysreg
+         * which reads the same as the 32-bit register" the way there is
+         * for other ID registers. Instead we synthesize a value from the
+         * AArch64 ID_AA64DFR0, the same way the kernel code in
+         * arch/arm64/kvm/sys_regs.c:trap_dbgidr() does.
+         * We only do this if the CPU supports AArch32 at EL1.
+         */
+        if (FIELD_EX32(ahcf->isar.id_aa64pfr0, ID_AA64PFR0, EL1) >= 2) {
+            int wrps = FIELD_EX64(ahcf->isar.id_aa64dfr0, ID_AA64DFR0, WRPS);
+            int brps = FIELD_EX64(ahcf->isar.id_aa64dfr0, ID_AA64DFR0, BRPS);
+            int ctx_cmps =
+                FIELD_EX64(ahcf->isar.id_aa64dfr0, ID_AA64DFR0, CTX_CMPS);
+            int version = 6; /* ARMv8 debug architecture */
+            bool has_el3 =
+                !!FIELD_EX32(ahcf->isar.id_aa64pfr0, ID_AA64PFR0, EL3);
+            uint32_t dbgdidr = 0;
+
+            dbgdidr = FIELD_DP32(dbgdidr, DBGDIDR, WRPS, wrps);
+            dbgdidr = FIELD_DP32(dbgdidr, DBGDIDR, BRPS, brps);
+            dbgdidr = FIELD_DP32(dbgdidr, DBGDIDR, CTX_CMPS, ctx_cmps);
+            dbgdidr = FIELD_DP32(dbgdidr, DBGDIDR, VERSION, version);
+            dbgdidr = FIELD_DP32(dbgdidr, DBGDIDR, NSUHD_IMP, has_el3);
+            dbgdidr = FIELD_DP32(dbgdidr, DBGDIDR, SE_IMP, has_el3);
+            dbgdidr |= (1 << 15); /* RES1 bit */
+            ahcf->isar.dbgdidr = dbgdidr;
+        }
     }
 
     sve_supported = ioctl(fdarray[0], KVM_CHECK_EXTENSION, KVM_CAP_ARM_SVE) > 0;
-- 
2.20.1

The ARMv8.1-PMU extension requires:
 * the evtCount field in PMETYPER<n>_EL0 is 16 bits, not 10
 * MDCR_EL2.HPMD allows event counting to be disabled at EL2
 * two new required events, STALL_FRONTEND and STALL_BACKEND
 * ID register bits in ID_AA64DFR0_EL1 and ID_DFR0

We already implement the 16-bit evtCount field and the
HPMD bit, so all that is missing is the two new events:
  STALL_FRONTEND
   "counts every cycle counted by the CPU_CYCLES event on which no
    operation was issued because there are no operations available
    to issue to this PE from the frontend"
  STALL_BACKEND
   "counts every cycle counted by the CPU_CYCLES event on which no
    operation was issued because the backend is unable to accept
    any available operations from the frontend"

QEMU never stalls in this sense, so our implementation is trivial:
always return a zero count.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20200214175116.9164-14-peter.maydell@linaro.org
---
 target/arm/helper.c | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static int64_t instructions_ns_per(uint64_t icount)
 }
 #endif
 
+static bool pmu_8_1_events_supported(CPUARMState *env)
+{
+    /* For events which are supported in any v8.1 PMU */
+    return cpu_isar_feature(any_pmu_8_1, env_archcpu(env));
+}
+
+static uint64_t zero_event_get_count(CPUARMState *env)
+{
+    /* For events which on QEMU never fire, so their count is always zero */
+    return 0;
+}
+
+static int64_t zero_event_ns_per(uint64_t cycles)
+{
+    /* An event which never fires can never overflow */
+    return -1;
+}
+
 static const pm_event pm_events[] = {
     { .number = 0x000, /* SW_INCR */
       .supported = event_always_supported,
@@ -XXX,XX +XXX,XX @@ static const pm_event pm_events[] = {
       .supported = event_always_supported,
       .get_count = cycles_get_count,
       .ns_per_count = cycles_ns_per,
-    }
+    },
 #endif
+    { .number = 0x023, /* STALL_FRONTEND */
+      .supported = pmu_8_1_events_supported,
+      .get_count = zero_event_get_count,
+      .ns_per_count = zero_event_ns_per,
+    },
+    { .number = 0x024, /* STALL_BACKEND */
+      .supported = pmu_8_1_events_supported,
+      .get_count = zero_event_get_count,
+      .ns_per_count = zero_event_ns_per,
+    },
 };
 
 /*
@@ -XXX,XX +XXX,XX @@ static const pm_event pm_events[] = {
  * should first be updated to something sparse instead of the current
  * supported_event_map[] array.
  */
-#define MAX_EVENT_ID 0x11
+#define MAX_EVENT_ID 0x24
 #define UNSUPPORTED_EVENT UINT16_MAX
 static uint16_t supported_event_map[MAX_EVENT_ID + 1];
 
-- 
2.20.1

The ARMv8.4-PMU extension adds:
 * one new required event, STALL
 * one new system register PMMIR_EL1

(There are also some more L1-cache related events, but since
we don't implement any cache we don't provide these, in the
same way we don't provide the base-PMUv3 cache events.)

The STALL event "counts every attributable cycle on which no
attributable instruction or operation was sent for execution on this
PE".  QEMU doesn't stall in this sense, so this is another
always-reads-zero event.

The PMMIR_EL1 register is a read-only register providing
implementation-specific information about the PMU; currently it has
only one field, SLOTS, which defines behaviour of the STALL_SLOT PMU
event.  Since QEMU doesn't implement the STALL_SLOT event, we can
validly make the register read zero.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20200214175116.9164-15-peter.maydell@linaro.org
---
 target/arm/cpu.h    | 18 ++++++++++++++++++
 target/arm/helper.c | 22 +++++++++++++++++++++-
 2 files changed, 39 insertions(+), 1 deletion(-)

Set the ID register bits to provide ARMv8.4-PMU (and implicitly
also ARMv8.1-PMU) in the 'max' CPU.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20200214175116.9164-16-peter.maydell@linaro.org
---
 target/arm/cpu64.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
         u = FIELD_DP32(u, ID_MMFR3, PAN, 2); /* ATS1E1 */
         cpu->id_mmfr3 = u;
 
+        u = cpu->isar.id_aa64dfr0;
+        u = FIELD_DP64(u, ID_AA64DFR0, PMUVER, 5); /* v8.4-PMU */
+        cpu->isar.id_aa64dfr0 = u;
+
+        u = cpu->isar.id_dfr0;
+        u = FIELD_DP32(u, ID_DFR0, PERFMON, 5); /* v8.4-PMU */
+        cpu->isar.id_dfr0 = u;
+
         /*
          * FIXME: We do not yet support ARMv8.2-fp16 for AArch32 yet,
          * so do not set MVFR1.FPHP.  Strictly speaking this is not legal,
-- 
2.20.1

The LC bit in the PMCR_EL0 register is supposed to be:
 * read/write
 * RES1 on an AArch64-only implementation
 * an architecturally UNKNOWN value on reset
(and use of LC==0 by software is deprecated).

We were implementing it incorrectly as read-only always zero,
though we do have all the code needed to test it and behave
accordingly.

Instead make it a read-write bit which resets to 1 always, which
satisfies all the architectural requirements above.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20200214175116.9164-18-peter.maydell@linaro.org
---
 target/arm/helper.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v6_cp_reginfo[] = {
 #define PMCRC   0x4
 #define PMCRP   0x2
 #define PMCRE   0x1
+/*
+ * Mask of PMCR bits writeable by guest (not including WO bits like C, P,
+ * which can be written as 1 to trigger behaviour but which stay RAZ).
+ */
+#define PMCR_WRITEABLE_MASK (PMCRLC | PMCRDP | PMCRX | PMCRD | PMCRE)
 
 #define PMXEVTYPER_P          0x80000000
 #define PMXEVTYPER_U          0x40000000
@@ -XXX,XX +XXX,XX @@ static void pmcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
         }
     }
 
-    /* only the DP, X, D and E bits are writable */
-    env->cp15.c9_pmcr &= ~0x39;
-    env->cp15.c9_pmcr |= (value & 0x39);
+    env->cp15.c9_pmcr &= ~PMCR_WRITEABLE_MASK;
+    env->cp15.c9_pmcr |= (value & PMCR_WRITEABLE_MASK);
 
     pmu_op_finish(env);
 }
@@ -XXX,XX +XXX,XX @@ static void define_pmu_regs(ARMCPU *cpu)
         .access = PL0_RW, .accessfn = pmreg_access,
         .type = ARM_CP_IO,
         .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcr),
-        .resetvalue = (cpu->midr & 0xff000000) | (pmcrn << PMCRN_SHIFT),
+        .resetvalue = (cpu->midr & 0xff000000) | (pmcrn << PMCRN_SHIFT) |
+                      PMCRLC,
         .writefn = pmcr_write, .raw_writefn = raw_write,
     };
     define_one_arm_cp_reg(cpu, &pmcr);
-- 
2.20.1

The isar_feature_aa32_pan and isar_feature_aa32_ats1e1 functions
are supposed to be testing fields in ID_MMFR3; but a cut-and-paste
error meant we were looking at MVFR0 instead.

Fix the functions to look at the right register; this requires
us to move at least id_mmfr3 to the ARMISARegisters struct; we
choose to move all the ID_MMFRn registers for consistency.

Fixes: 3d6ad6bb466f
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200214175116.9164-19-peter.maydell@linaro.org
---
 target/arm/cpu.h      |  14 +++---
 hw/intc/armv7m_nvic.c |   8 ++--
 target/arm/cpu.c      | 104 +++++++++++++++++++++---------------------
 target/arm/cpu64.c    |  28 ++++++------
 target/arm/helper.c   |  12 ++---
 target/arm/kvm32.c    |  17 +++++++
 target/arm/kvm64.c    |  10 ++++
 7 files changed, 110 insertions(+), 83 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
         uint32_t id_isar4;
         uint32_t id_isar5;
         uint32_t id_isar6;
+        uint32_t id_mmfr0;
+        uint32_t id_mmfr1;
+        uint32_t id_mmfr2;
+        uint32_t id_mmfr3;
+        uint32_t id_mmfr4;
         uint32_t mvfr0;
         uint32_t mvfr1;
         uint32_t mvfr2;
@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
     uint64_t pmceid0;
     uint64_t pmceid1;
     uint32_t id_afr0;
-    uint32_t id_mmfr0;
-    uint32_t id_mmfr1;
-    uint32_t id_mmfr2;
-    uint32_t id_mmfr3;
-    uint32_t id_mmfr4;
     uint64_t id_aa64afr0;
     uint64_t id_aa64afr1;
     uint32_t clidr;
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_vminmaxnm(const ARMISARegisters *id)
 
 static inline bool isar_feature_aa32_pan(const ARMISARegisters *id)
 {
-    return FIELD_EX64(id->mvfr0, ID_MMFR3, PAN) != 0;
+    return FIELD_EX32(id->id_mmfr3, ID_MMFR3, PAN) != 0;
 }
 
 static inline bool isar_feature_aa32_ats1e1(const ARMISARegisters *id)
 {
-    return FIELD_EX64(id->mvfr0, ID_MMFR3, PAN) >= 2;
+    return FIELD_EX32(id->id_mmfr3, ID_MMFR3, PAN) >= 2;
 }
 
 static inline bool isar_feature_aa32_pmu_8_1(const ARMISARegisters *id)
diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
     case 0xd4c: /* AFR0.  */
         return cpu->id_afr0;
     case 0xd50: /* MMFR0.  */
-        return cpu->id_mmfr0;
+        return cpu->isar.id_mmfr0;
     case 0xd54: /* MMFR1.  */
-        return cpu->id_mmfr1;
+        return cpu->isar.id_mmfr1;
     case 0xd58: /* MMFR2.  */
-        return cpu->id_mmfr2;
+        return cpu->isar.id_mmfr2;
     case 0xd5c: /* MMFR3.  */
-        return cpu->id_mmfr3;
+        return cpu->isar.id_mmfr3;
     case 0xd60: /* ISAR0.  */
         return cpu->isar.id_isar0;
     case 0xd64: /* ISAR1.  */
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm1136_r2_initfn(Object *obj)
     cpu->id_pfr1 = 0x1;
     cpu->isar.id_dfr0 = 0x2;
     cpu->id_afr0 = 0x3;
-    cpu->id_mmfr0 = 0x01130003;
-    cpu->id_mmfr1 = 0x10030302;
-    cpu->id_mmfr2 = 0x01222110;
+    cpu->isar.id_mmfr0 = 0x01130003;
+    cpu->isar.id_mmfr1 = 0x10030302;
+    cpu->isar.id_mmfr2 = 0x01222110;
     cpu->isar.id_isar0 = 0x00140011;
     cpu->isar.id_isar1 = 0x12002111;
     cpu->isar.id_isar2 = 0x11231111;
@@ -XXX,XX +XXX,XX @@ static void arm1136_initfn(Object *obj)
     cpu->id_pfr1 = 0x1;
     cpu->isar.id_dfr0 = 0x2;
     cpu->id_afr0 = 0x3;
-    cpu->id_mmfr0 = 0x01130003;
-    cpu->id_mmfr1 = 0x10030302;
-    cpu->id_mmfr2 = 0x01222110;
+    cpu->isar.id_mmfr0 = 0x01130003;
+    cpu->isar.id_mmfr1 = 0x10030302;
+    cpu->isar.id_mmfr2 = 0x01222110;
     cpu->isar.id_isar0 = 0x00140011;
     cpu->isar.id_isar1 = 0x12002111;
     cpu->isar.id_isar2 = 0x11231111;
@@ -XXX,XX +XXX,XX @@ static void arm1176_initfn(Object *obj)
     cpu->id_pfr1 = 0x11;
     cpu->isar.id_dfr0 = 0x33;
     cpu->id_afr0 = 0;
-    cpu->id_mmfr0 = 0x01130003;
-    cpu->id_mmfr1 = 0x10030302;
-    cpu->id_mmfr2 = 0x01222100;
+    cpu->isar.id_mmfr0 = 0x01130003;
+    cpu->isar.id_mmfr1 = 0x10030302;
+    cpu->isar.id_mmfr2 = 0x01222100;
     cpu->isar.id_isar0 = 0x0140011;
     cpu->isar.id_isar1 = 0x12002111;
     cpu->isar.id_isar2 = 0x11231121;
@@ -XXX,XX +XXX,XX @@ static void arm11mpcore_initfn(Object *obj)
     cpu->id_pfr1 = 0x1;
     cpu->isar.id_dfr0 = 0;
     cpu->id_afr0 = 0x2;
-    cpu->id_mmfr0 = 0x01100103;
-    cpu->id_mmfr1 = 0x10020302;
-    cpu->id_mmfr2 = 0x01222000;
+    cpu->isar.id_mmfr0 = 0x01100103;
+    cpu->isar.id_mmfr1 = 0x10020302;
+    cpu->isar.id_mmfr2 = 0x01222000;
     cpu->isar.id_isar0 = 0x00100011;
     cpu->isar.id_isar1 = 0x12002111;
     cpu->isar.id_isar2 = 0x11221011;
@@ -XXX,XX +XXX,XX @@ static void cortex_m3_initfn(Object *obj)
     cpu->id_pfr1 = 0x00000200;
     cpu->isar.id_dfr0 = 0x00100000;
     cpu->id_afr0 = 0x00000000;
-    cpu->id_mmfr0 = 0x00000030;
-    cpu->id_mmfr1 = 0x00000000;
-    cpu->id_mmfr2 = 0x00000000;
-    cpu->id_mmfr3 = 0x00000000;
+    cpu->isar.id_mmfr0 = 0x00000030;
+    cpu->isar.id_mmfr1 = 0x00000000;
+    cpu->isar.id_mmfr2 = 0x00000000;
+    cpu->isar.id_mmfr3 = 0x00000000;
     cpu->isar.id_isar0 = 0x01141110;
     cpu->isar.id_isar1 = 0x02111000;
     cpu->isar.id_isar2 = 0x21112231;
@@ -XXX,XX +XXX,XX @@ static void cortex_m4_initfn(Object *obj)
     cpu->id_pfr1 = 0x00000200;
     cpu->isar.id_dfr0 = 0x00100000;
     cpu->id_afr0 = 0x00000000;
-    cpu->id_mmfr0 = 0x00000030;
-    cpu->id_mmfr1 = 0x00000000;
-    cpu->id_mmfr2 = 0x00000000;
-    cpu->id_mmfr3 = 0x00000000;
+    cpu->isar.id_mmfr0 = 0x00000030;
+    cpu->isar.id_mmfr1 = 0x00000000;
+    cpu->isar.id_mmfr2 = 0x00000000;
+    cpu->isar.id_mmfr3 = 0x00000000;
     cpu->isar.id_isar0 = 0x01141110;
     cpu->isar.id_isar1 = 0x02111000;
     cpu->isar.id_isar2 = 0x21112231;
@@ -XXX,XX +XXX,XX @@ static void cortex_m7_initfn(Object *obj)
     cpu->id_pfr1 = 0x00000200;
     cpu->isar.id_dfr0 = 0x00100000;
     cpu->id_afr0 = 0x00000000;
-    cpu->id_mmfr0 = 0x00100030;
-    cpu->id_mmfr1 = 0x00000000;
-    cpu->id_mmfr2 = 0x01000000;
-    cpu->id_mmfr3 = 0x00000000;
+    cpu->isar.id_mmfr0 = 0x00100030;
+    cpu->isar.id_mmfr1 = 0x00000000;
+    cpu->isar.id_mmfr2 = 0x01000000;
+    cpu->isar.id_mmfr3 = 0x00000000;
     cpu->isar.id_isar0 = 0x01101110;
     cpu->isar.id_isar1 = 0x02112000;
     cpu->isar.id_isar2 = 0x20232231;
@@ -XXX,XX +XXX,XX @@ static void cortex_m33_initfn(Object *obj)
     cpu->id_pfr1 = 0x00000210;
     cpu->isar.id_dfr0 = 0x00200000;
     cpu->id_afr0 = 0x00000000;
-    cpu->id_mmfr0 = 0x00101F40;
-    cpu->id_mmfr1 = 0x00000000;
-    cpu->id_mmfr2 = 0x01000000;
-    cpu->id_mmfr3 = 0x00000000;
+    cpu->isar.id_mmfr0 = 0x00101F40;
+    cpu->isar.id_mmfr1 = 0x00000000;
+    cpu->isar.id_mmfr2 = 0x01000000;
+    cpu->isar.id_mmfr3 = 0x00000000;
     cpu->isar.id_isar0 = 0x01101110;
     cpu->isar.id_isar1 = 0x02212000;
     cpu->isar.id_isar2 = 0x20232232;
@@ -XXX,XX +XXX,XX @@ static void cortex_r5_initfn(Object *obj)
     cpu->id_pfr1 = 0x001;
     cpu->isar.id_dfr0 = 0x010400;
     cpu->id_afr0 = 0x0;
-    cpu->id_mmfr0 = 0x0210030;
-    cpu->id_mmfr1 = 0x00000000;
-    cpu->id_mmfr2 = 0x01200000;
-    cpu->id_mmfr3 = 0x0211;
+    cpu->isar.id_mmfr0 = 0x0210030;
+    cpu->isar.id_mmfr1 = 0x00000000;
+    cpu->isar.id_mmfr2 = 0x01200000;
+    cpu->isar.id_mmfr3 = 0x0211;
     cpu->isar.id_isar0 = 0x02101111;
     cpu->isar.id_isar1 = 0x13112111;
     cpu->isar.id_isar2 = 0x21232141;
@@ -XXX,XX +XXX,XX @@ static void cortex_a8_initfn(Object *obj)
     cpu->id_pfr1 = 0x11;
     cpu->isar.id_dfr0 = 0x400;
     cpu->id_afr0 = 0;
-    cpu->id_mmfr0 = 0x31100003;
-    cpu->id_mmfr1 = 0x20000000;
-    cpu->id_mmfr2 = 0x01202000;
-    cpu->id_mmfr3 = 0x11;
+    cpu->isar.id_mmfr0 = 0x31100003;
+    cpu->isar.id_mmfr1 = 0x20000000;
+    cpu->isar.id_mmfr2 = 0x01202000;
+    cpu->isar.id_mmfr3 = 0x11;
     cpu->isar.id_isar0 = 0x00101111;
     cpu->isar.id_isar1 = 0x12112111;
     cpu->isar.id_isar2 = 0x21232031;
@@ -XXX,XX +XXX,XX @@ static void cortex_a9_initfn(Object *obj)
     cpu->id_pfr1 = 0x11;
     cpu->isar.id_dfr0 = 0x000;
     cpu->id_afr0 = 0;
-    cpu->id_mmfr0 = 0x00100103;
-    cpu->id_mmfr1 = 0x20000000;
-    cpu->id_mmfr2 = 0x01230000;
-    cpu->id_mmfr3 = 0x00002111;
+    cpu->isar.id_mmfr0 = 0x00100103;
+    cpu->isar.id_mmfr1 = 0x20000000;
+    cpu->isar.id_mmfr2 = 0x01230000;
+    cpu->isar.id_mmfr3 = 0x00002111;
     cpu->isar.id_isar0 = 0x00101111;
     cpu->isar.id_isar1 = 0x13112111;
     cpu->isar.id_isar2 = 0x21232041;
@@ -XXX,XX +XXX,XX @@ static void cortex_a7_initfn(Object *obj)
     cpu->id_pfr1 = 0x00011011;
     cpu->isar.id_dfr0 = 0x02010555;
     cpu->id_afr0 = 0x00000000;
-    cpu->id_mmfr0 = 0x10101105;
-    cpu->id_mmfr1 = 0x40000000;
-    cpu->id_mmfr2 = 0x01240000;
-    cpu->id_mmfr3 = 0x02102211;
+    cpu->isar.id_mmfr0 = 0x10101105;
+    cpu->isar.id_mmfr1 = 0x40000000;
+    cpu->isar.id_mmfr2 = 0x01240000;
+    cpu->isar.id_mmfr3 = 0x02102211;
     /* a7_mpcore_r0p5_trm, page 4-4 gives 0x01101110; but
      * table 4-41 gives 0x02101110, which includes the arm div insns.
      */
@@ -XXX,XX +XXX,XX @@ static void cortex_a15_initfn(Object *obj)
     cpu->id_pfr1 = 0x00011011;
     cpu->isar.id_dfr0 = 0x02010555;
     cpu->id_afr0 = 0x00000000;
-    cpu->id_mmfr0 = 0x10201105;
-    cpu->id_mmfr1 = 0x20000000;
-    cpu->id_mmfr2 = 0x01240000;
-    cpu->id_mmfr3 = 0x02102211;
+    cpu->isar.id_mmfr0 = 0x10201105;
+    cpu->isar.id_mmfr1 = 0x20000000;
+    cpu->isar.id_mmfr2 = 0x01240000;
+    cpu->isar.id_mmfr3 = 0x02102211;
     cpu->isar.id_isar0 = 0x02101110;
     cpu->isar.id_isar1 = 0x13112111;
     cpu->isar.id_isar2 = 0x21232041;
@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
             t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
             cpu->isar.mvfr2 = t;
 
-            t = cpu->id_mmfr3;
+            t = cpu->isar.id_mmfr3;
             t = FIELD_DP32(t, ID_MMFR3, PAN, 2); /* ATS1E1 */
-            cpu->id_mmfr3 = t;
+            cpu->isar.id_mmfr3 = t;
 
-            t = cpu->id_mmfr4;
+            t = cpu->isar.id_mmfr4;
             t = FIELD_DP32(t, ID_MMFR4, HPDS, 1); /* AA32HPD */
-            cpu->id_mmfr4 = t;
+            cpu->isar.id_mmfr4 = t;
         }
 #endif
     }
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_a57_initfn(Object *obj)
     cpu->id_pfr1 = 0x00011011;
     cpu->isar.id_dfr0 = 0x03010066;
     cpu->id_afr0 = 0x00000000;
-    cpu->id_mmfr0 = 0x10101105;
-    cpu->id_mmfr1 = 0x40000000;
-    cpu->id_mmfr2 = 0x01260000;
-    cpu->id_mmfr3 = 0x02102211;
+    cpu->isar.id_mmfr0 = 0x10101105;
+    cpu->isar.id_mmfr1 = 0x40000000;
+    cpu->isar.id_mmfr2 = 0x01260000;
+    cpu->isar.id_mmfr3 = 0x02102211;
     cpu->isar.id_isar0 = 0x02101110;
     cpu->isar.id_isar1 = 0x13112111;
     cpu->isar.id_isar2 = 0x21232042;
@@ -XXX,XX +XXX,XX @@ static void aarch64_a53_initfn(Object *obj)
     cpu->id_pfr1 = 0x00011011;
     cpu->isar.id_dfr0 = 0x03010066;
     cpu->id_afr0 = 0x00000000;
-    cpu->id_mmfr0 = 0x10101105;
-    cpu->id_mmfr1 = 0x40000000;
-    cpu->id_mmfr2 = 0x01260000;
-    cpu->id_mmfr3 = 0x02102211;
+    cpu->isar.id_mmfr0 = 0x10101105;
+    cpu->isar.id_mmfr1 = 0x40000000;
+    cpu->isar.id_mmfr2 = 0x01260000;
+    cpu->isar.id_mmfr3 = 0x02102211;
     cpu->isar.id_isar0 = 0x02101110;
     cpu->isar.id_isar1 = 0x13112111;
     cpu->isar.id_isar2 = 0x21232042;
@@ -XXX,XX +XXX,XX @@ static void aarch64_a72_initfn(Object *obj)
     cpu->id_pfr1 = 0x00011011;
     cpu->isar.id_dfr0 = 0x03010066;
     cpu->id_afr0 = 0x00000000;
-    cpu->id_mmfr0 = 0x10201105;
-    cpu->id_mmfr1 = 0x40000000;
-    cpu->id_mmfr2 = 0x01260000;
-    cpu->id_mmfr3 = 0x02102211;
+    cpu->isar.id_mmfr0 = 0x10201105;
+    cpu->isar.id_mmfr1 = 0x40000000;
+    cpu->isar.id_mmfr2 = 0x01260000;
+    cpu->isar.id_mmfr3 = 0x02102211;
     cpu->isar.id_isar0 = 0x02101110;
     cpu->isar.id_isar1 = 0x13112111;
     cpu->isar.id_isar2 = 0x21232042;
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
         u = FIELD_DP32(u, ID_ISAR6, SPECRES, 1);
         cpu->isar.id_isar6 = u;
 
-        u = cpu->id_mmfr3;
+        u = cpu->isar.id_mmfr3;
         u = FIELD_DP32(u, ID_MMFR3, PAN, 2); /* ATS1E1 */
-        cpu->id_mmfr3 = u;
+        cpu->isar.id_mmfr3 = u;
 
         u = cpu->isar.id_aa64dfr0;
         u = FIELD_DP64(u, ID_AA64DFR0, PMUVER, 5); /* v8.4-PMU */
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 4,
               .access = PL1_R, .type = ARM_CP_CONST,
               .accessfn = access_aa32_tid3,
-              .resetvalue = cpu->id_mmfr0 },
+              .resetvalue = cpu->isar.id_mmfr0 },
             { .name = "ID_MMFR1", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 5,
               .access = PL1_R, .type = ARM_CP_CONST,
               .accessfn = access_aa32_tid3,
-              .resetvalue = cpu->id_mmfr1 },
+              .resetvalue = cpu->isar.id_mmfr1 },
             { .name = "ID_MMFR2", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 6,
               .access = PL1_R, .type = ARM_CP_CONST,
               .accessfn = access_aa32_tid3,
-              .resetvalue = cpu->id_mmfr2 },
+              .resetvalue = cpu->isar.id_mmfr2 },
             { .name = "ID_MMFR3", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 7,
               .access = PL1_R, .type = ARM_CP_CONST,
               .accessfn = access_aa32_tid3,
-              .resetvalue = cpu->id_mmfr3 },
+              .resetvalue = cpu->isar.id_mmfr3 },
             { .name = "ID_ISAR0", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 0,
               .access = PL1_R, .type = ARM_CP_CONST,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 6,
               .access = PL1_R, .type = ARM_CP_CONST,
               .accessfn = access_aa32_tid3,
-              .resetvalue = cpu->id_mmfr4 },
+              .resetvalue = cpu->isar.id_mmfr4 },
             { .name = "ID_ISAR6", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 7,
               .access = PL1_R, .type = ARM_CP_CONST,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
         define_arm_cp_regs(cpu, vmsa_pmsa_cp_reginfo);
         define_arm_cp_regs(cpu, vmsa_cp_reginfo);
         /* TTCBR2 is introduced with ARMv8.2-A32HPD.  */
-        if (FIELD_EX32(cpu->id_mmfr4, ID_MMFR4, HPDS) != 0) {
+        if (FIELD_EX32(cpu->isar.id_mmfr4, ID_MMFR4, HPDS) != 0) {
             define_one_arm_cp_reg(cpu, &ttbcr2_reginfo);
         }
     }
diff --git a/target/arm/kvm32.c b/target/arm/kvm32.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm32.c
+++ b/target/arm/kvm32.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
      * Fortunately there is not yet anything in there that affects migration.
      */
 
+    err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr0,
+                          ARM_CP15_REG32(0, 0, 1, 4));
+    err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr1,
+                          ARM_CP15_REG32(0, 0, 1, 5));
+    err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr2,
+                          ARM_CP15_REG32(0, 0, 1, 6));
+    err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr3,
+                          ARM_CP15_REG32(0, 0, 1, 7));
+    if (read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr4,
+                       ARM_CP15_REG32(0, 0, 2, 6))) {
+        /*
+         * Older kernels don't support reading ID_MMFR4 (a new in v8
+         * register); assume it's zero.
+         */
+        ahcf->isar.id_mmfr4 = 0;
+    }
+
     /*
      * There is no way to read DBGDIDR, because currently 32-bit KVM
      * doesn't implement debug at all. Leave it at zero.
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
          */
         err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_dfr0,
                               ARM64_SYS_REG(3, 0, 0, 1, 2));
+        err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr0,
+                              ARM64_SYS_REG(3, 0, 0, 1, 4));
+        err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr1,
+                              ARM64_SYS_REG(3, 0, 0, 1, 5));
+        err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr2,
+                              ARM64_SYS_REG(3, 0, 0, 1, 6));
+        err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr3,
+                              ARM64_SYS_REG(3, 0, 0, 1, 7));
         err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_isar0,
                               ARM64_SYS_REG(3, 0, 0, 2, 0));
         err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_isar1,
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
                               ARM64_SYS_REG(3, 0, 0, 2, 4));
         err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_isar5,
                               ARM64_SYS_REG(3, 0, 0, 2, 5));
+        err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_mmfr4,
+                              ARM64_SYS_REG(3, 0, 0, 2, 6));
         err |= read_sys_reg32(fdarray[2], &ahcf->isar.id_isar6,
                               ARM64_SYS_REG(3, 0, 0, 2, 7));
 
-- 
2.20.1

Now we have moved ID_MMFR4 into the ARMISARegisters struct, we
can define and use an isar_feature for the presence of the
ARMv8.2-AA32HPD feature, rather than open-coding the test.

While we're here, correct a comment typo which missed an 'A'
from the feature name.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200214175116.9164-20-peter.maydell@linaro.org
---
 target/arm/cpu.h    | 5 +++++
 target/arm/helper.c | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

Cut-and-paste errors mean we're using FIELD_EX64() to extract fields from
some 32-bit ID register fields. Use FIELD_EX32() instead. (This makes
no difference in behaviour, it's just more consistent.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200214175116.9164-21-peter.maydell@linaro.org
---
 target/arm/cpu.h | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_fp16_arith(const ARMISARegisters *id)
 static inline bool isar_feature_aa32_fp_d32(const ARMISARegisters *id)
 {
     /* Return true if D16-D31 are implemented */
-    return FIELD_EX64(id->mvfr0, MVFR0, SIMDREG) >= 2;
+    return FIELD_EX32(id->mvfr0, MVFR0, SIMDREG) >= 2;
 }
 
 static inline bool isar_feature_aa32_fpshvec(const ARMISARegisters *id)
 {
-    return FIELD_EX64(id->mvfr0, MVFR0, FPSHVEC) > 0;
+    return FIELD_EX32(id->mvfr0, MVFR0, FPSHVEC) > 0;
 }
 
 static inline bool isar_feature_aa32_fpdp(const ARMISARegisters *id)
 {
     /* Return true if CPU supports double precision floating point */
-    return FIELD_EX64(id->mvfr0, MVFR0, FPDP) > 0;
+    return FIELD_EX32(id->mvfr0, MVFR0, FPDP) > 0;
 }
 
 /*
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_fpdp(const ARMISARegisters *id)
  */
 static inline bool isar_feature_aa32_fp16_spconv(const ARMISARegisters *id)
 {
-    return FIELD_EX64(id->mvfr1, MVFR1, FPHP) > 0;
+    return FIELD_EX32(id->mvfr1, MVFR1, FPHP) > 0;
 }
 
 static inline bool isar_feature_aa32_fp16_dpconv(const ARMISARegisters *id)
 {
-    return FIELD_EX64(id->mvfr1, MVFR1, FPHP) > 1;
+    return FIELD_EX32(id->mvfr1, MVFR1, FPHP) > 1;
 }
 
 static inline bool isar_feature_aa32_vsel(const ARMISARegisters *id)
 {
-    return FIELD_EX64(id->mvfr2, MVFR2, FPMISC) >= 1;
+    return FIELD_EX32(id->mvfr2, MVFR2, FPMISC) >= 1;
 }
 
 static inline bool isar_feature_aa32_vcvt_dr(const ARMISARegisters *id)
 {
-    return FIELD_EX64(id->mvfr2, MVFR2, FPMISC) >= 2;
+    return FIELD_EX32(id->mvfr2, MVFR2, FPMISC) >= 2;
 }
 
 static inline bool isar_feature_aa32_vrint(const ARMISARegisters *id)
 {
-    return FIELD_EX64(id->mvfr2, MVFR2, FPMISC) >= 3;
+    return FIELD_EX32(id->mvfr2, MVFR2, FPMISC) >= 3;
 }
 
 static inline bool isar_feature_aa32_vminmaxnm(const ARMISARegisters *id)
 {
-    return FIELD_EX64(id->mvfr2, MVFR2, FPMISC) >= 4;
+    return FIELD_EX32(id->mvfr2, MVFR2, FPMISC) >= 4;
 }
 
 static inline bool isar_feature_aa32_pan(const ARMISARegisters *id)
-- 
2.20.1

The ACTLR2 and HACTLR2 AArch32 system registers didn't exist in ARMv7
or the original ARMv8.  They were later added as optional registers,
whose presence is signaled by the ID_MMFR4.AC2 field.  From ARMv8.2
they are mandatory (ie ID_MMFR4.AC2 must be non-zero).

We implemented HACTLR2 in commit 0e0456ab8895a5e85, but we
incorrectly made it exist for all v8 CPUs, and we didn't implement
ACTLR2 at all.

Sort this out by implementing both registers only when they are
supposed to exist, and setting the ID_MMFR4 bit for -cpu max.

Note that this removes HACTLR2 from our Cortex-A53, -A47 and -A72
CPU models; this is correct, because those CPUs do not implement
this register.

Fixes: 0e0456ab8895a5e85
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200214175116.9164-22-peter.maydell@linaro.org
---
 target/arm/cpu.h    |  5 +++++
 target/arm/cpu.c    |  1 +
 target/arm/cpu64.c  |  4 ++++
 target/arm/helper.c | 32 +++++++++++++++++++++++---------
 4 files changed, 33 insertions(+), 9 deletions(-)

From: Guenter Roeck <linux@roeck-us.net>

We need to be able to use OHCISysBusState outside hcd-ohci.c, so move it
to its include file.

Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Message-id: 20200217204812.9857-2-linux@roeck-us.net
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/usb/hcd-ohci.h | 16 ++++++++++++++++
 hw/usb/hcd-ohci.c | 15 ---------------
 2 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/hw/usb/hcd-ohci.h b/hw/usb/hcd-ohci.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/usb/hcd-ohci.h
+++ b/hw/usb/hcd-ohci.h
@@ -XXX,XX +XXX,XX @@
 #define HCD_OHCI_H
 
 #include "sysemu/dma.h"
+#include "hw/usb.h"
 
 /* Number of Downstream Ports on the root hub: */
 #define OHCI_MAX_PORTS 15
@@ -XXX,XX +XXX,XX @@ typedef struct OHCIState {
     void (*ohci_die)(struct OHCIState *ohci);
 } OHCIState;
 
+#define TYPE_SYSBUS_OHCI "sysbus-ohci"
+#define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
+
+typedef struct {
+    /*< private >*/
+    SysBusDevice parent_obj;
+    /*< public >*/
+
+    OHCIState ohci;
+    char *masterbus;
+    uint32_t num_ports;
+    uint32_t firstport;
+    dma_addr_t dma_offset;
+} OHCISysBusState;
+
 extern const VMStateDescription vmstate_ohci_state;
 
 void usb_ohci_init(OHCIState *ohci, DeviceState *dev, uint32_t num_ports,
diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/usb/hcd-ohci.c
+++ b/hw/usb/hcd-ohci.c
@@ -XXX,XX +XXX,XX @@ void ohci_sysbus_die(struct OHCIState *ohci)
     ohci_bus_stop(ohci);
 }
 
-#define TYPE_SYSBUS_OHCI "sysbus-ohci"
-#define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
-
-typedef struct {
-    /*< private >*/
-    SysBusDevice parent_obj;
-    /*< public >*/
-
-    OHCIState ohci;
-    char *masterbus;
-    uint32_t num_ports;
-    uint32_t firstport;
-    dma_addr_t dma_offset;
-} OHCISysBusState;
-
 static void ohci_realize_pxa(DeviceState *dev, Error **errp)
 {
     OHCISysBusState *s = SYSBUS_OHCI(dev);
-- 
2.20.1

From: Guenter Roeck <linux@roeck-us.net>

Instantiate EHCI and OHCI controllers on Allwinner A10. OHCI ports are
modeled as companions of the respective EHCI ports.

With this patch applied, USB controllers are discovered and instantiated
when booting the cubieboard machine with a recent Linux kernel.

ehci-platform 1c14000.usb: EHCI Host Controller
ehci-platform 1c14000.usb: new USB bus registered, assigned bus number 1
ehci-platform 1c14000.usb: irq 26, io mem 0x01c14000
ehci-platform 1c14000.usb: USB 2.0 started, EHCI 1.00
ehci-platform 1c1c000.usb: EHCI Host Controller
ehci-platform 1c1c000.usb: new USB bus registered, assigned bus number 2
ehci-platform 1c1c000.usb: irq 31, io mem 0x01c1c000
ehci-platform 1c1c000.usb: USB 2.0 started, EHCI 1.00
ohci-platform 1c14400.usb: Generic Platform OHCI controller
ohci-platform 1c14400.usb: new USB bus registered, assigned bus number 3
ohci-platform 1c14400.usb: irq 27, io mem 0x01c14400
ohci-platform 1c1c400.usb: Generic Platform OHCI controller
ohci-platform 1c1c400.usb: new USB bus registered, assigned bus number 4
ohci-platform 1c1c400.usb: irq 32, io mem 0x01c1c400
usb 2-1: new high-speed USB device number 2 using ehci-platform
usb-storage 2-1:1.0: USB Mass Storage device detected
scsi host1: usb-storage 2-1:1.0
usb 3-1: new full-speed USB device number 2 using ohci-platform
input: QEMU QEMU USB Mouse as /devices/platform/soc/1c14400.usb/usb3/3-1/3-1:1.0/0003:0627:0001.0001/input/input0

Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Message-id: 20200217204812.9857-4-linux@roeck-us.net
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/allwinner-a10.h |  6 +++++
 hw/arm/allwinner-a10.c         | 43 ++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)

diff --git a/include/hw/arm/allwinner-a10.h b/include/hw/arm/allwinner-a10.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/allwinner-a10.h
+++ b/include/hw/arm/allwinner-a10.h
@@ -XXX,XX +XXX,XX @@
 #include "hw/intc/allwinner-a10-pic.h"
 #include "hw/net/allwinner_emac.h"
 #include "hw/ide/ahci.h"
+#include "hw/usb/hcd-ohci.h"
+#include "hw/usb/hcd-ehci.h"
 
 #include "target/arm/cpu.h"
 
 
 #define AW_A10_SDRAM_BASE       0x40000000
 
+#define AW_A10_NUM_USB          2
+
 #define TYPE_AW_A10 "allwinner-a10"
 #define AW_A10(obj) OBJECT_CHECK(AwA10State, (obj), TYPE_AW_A10)
 
@@ -XXX,XX +XXX,XX @@ typedef struct AwA10State {
     AwEmacState emac;
     AllwinnerAHCIState sata;
     MemoryRegion sram_a;
+    EHCISysBusState ehci[AW_A10_NUM_USB];
+    OHCISysBusState ohci[AW_A10_NUM_USB];
 } AwA10State;
 
 #endif
diff --git a/hw/arm/allwinner-a10.c b/hw/arm/allwinner-a10.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/allwinner-a10.c
+++ b/hw/arm/allwinner-a10.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/arm/allwinner-a10.h"
 #include "hw/misc/unimp.h"
 #include "sysemu/sysemu.h"
+#include "hw/boards.h"
+#include "hw/usb/hcd-ohci.h"
 
 #define AW_A10_PIC_REG_BASE     0x01c20400
 #define AW_A10_PIT_REG_BASE     0x01c20c00
 #define AW_A10_UART0_REG_BASE   0x01c28000
 #define AW_A10_EMAC_BASE        0x01c0b000
+#define AW_A10_EHCI_BASE        0x01c14000
+#define AW_A10_OHCI_BASE        0x01c14400
 #define AW_A10_SATA_BASE        0x01c18000
 
 static void aw_a10_init(Object *obj)
@@ -XXX,XX +XXX,XX @@ static void aw_a10_init(Object *obj)
 
     sysbus_init_child_obj(obj, "sata", &s->sata, sizeof(s->sata),
                           TYPE_ALLWINNER_AHCI);
+
+    if (machine_usb(current_machine)) {
+        int i;
+
+        for (i = 0; i < AW_A10_NUM_USB; i++) {
+            sysbus_init_child_obj(obj, "ehci[*]", OBJECT(&s->ehci[i]),
+                                  sizeof(s->ehci[i]), TYPE_PLATFORM_EHCI);
+            sysbus_init_child_obj(obj, "ohci[*]", OBJECT(&s->ohci[i]),
+                                  sizeof(s->ohci[i]), TYPE_SYSBUS_OHCI);
+        }
+    }
 }
 
 static void aw_a10_realize(DeviceState *dev, Error **errp)
@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
     serial_mm_init(get_system_memory(), AW_A10_UART0_REG_BASE, 2,
                    qdev_get_gpio_in(dev, 1),
                    115200, serial_hd(0), DEVICE_NATIVE_ENDIAN);
+
+    if (machine_usb(current_machine)) {
+        int i;
+
+        for (i = 0; i < AW_A10_NUM_USB; i++) {
+            char bus[16];
+
+            sprintf(bus, "usb-bus.%d", i);
+
+            object_property_set_bool(OBJECT(&s->ehci[i]), true,
+                                     "companion-enable", &error_fatal);
+            object_property_set_bool(OBJECT(&s->ehci[i]), true, "realized",
+                                     &error_fatal);
+            sysbus_mmio_map(SYS_BUS_DEVICE(&s->ehci[i]), 0,
+                            AW_A10_EHCI_BASE + i * 0x8000);
+            sysbus_connect_irq(SYS_BUS_DEVICE(&s->ehci[i]), 0,
+                               qdev_get_gpio_in(dev, 39 + i));
+
+            object_property_set_str(OBJECT(&s->ohci[i]), bus, "masterbus",
+                                    &error_fatal);
+            object_property_set_bool(OBJECT(&s->ohci[i]), true, "realized",
+                                     &error_fatal);
+            sysbus_mmio_map(SYS_BUS_DEVICE(&s->ohci[i]), 0,
+                            AW_A10_OHCI_BASE + i * 0x8000);
+            sysbus_connect_irq(SYS_BUS_DEVICE(&s->ohci[i]), 0,
+                               qdev_get_gpio_in(dev, 64 + i));
+        }
+    }
 }
 
 static void aw_a10_class_init(ObjectClass *oc, void *data)
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

These instructions shift left or right depending on the sign
of the input, and 7 bits are significant to the shift.  This
requires several masks and selects in addition to the actual
shifts to form the complete answer.

That said, the operation is still a small improvement even for
two 64-bit elements -- 13 vector operations instead of 2 * 7
integer operations.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200216214232.4230-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.h        |  11 +-
 target/arm/translate.h     |   6 +
 target/arm/neon_helper.c   |  33 ----
 target/arm/translate-a64.c |  18 +--
 target/arm/translate.c     | 299 +++++++++++++++++++++++++++++++++++--
 target/arm/vec_helper.c    |  88 +++++++++++
 6 files changed, 389 insertions(+), 66 deletions(-)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_2(neon_abd_s16, i32, i32, i32)
 DEF_HELPER_2(neon_abd_u32, i32, i32, i32)
 DEF_HELPER_2(neon_abd_s32, i32, i32, i32)
 
-DEF_HELPER_2(neon_shl_u8, i32, i32, i32)
-DEF_HELPER_2(neon_shl_s8, i32, i32, i32)
 DEF_HELPER_2(neon_shl_u16, i32, i32, i32)
 DEF_HELPER_2(neon_shl_s16, i32, i32, i32)
-DEF_HELPER_2(neon_shl_u32, i32, i32, i32)
-DEF_HELPER_2(neon_shl_s32, i32, i32, i32)
-DEF_HELPER_2(neon_shl_u64, i64, i64, i64)
-DEF_HELPER_2(neon_shl_s64, i64, i64, i64)
 DEF_HELPER_2(neon_rshl_u8, i32, i32, i32)
 DEF_HELPER_2(neon_rshl_s8, i32, i32, i32)
 DEF_HELPER_2(neon_rshl_u16, i32, i32, i32)
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_2(frint64_s, TCG_CALL_NO_RWG, f32, f32, ptr)
 DEF_HELPER_FLAGS_2(frint32_d, TCG_CALL_NO_RWG, f64, f64, ptr)
 DEF_HELPER_FLAGS_2(frint64_d, TCG_CALL_NO_RWG, f64, f64, ptr)
 
+DEF_HELPER_FLAGS_4(gvec_sshl_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(gvec_sshl_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(gvec_ushl_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(gvec_ushl_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+
 #ifdef TARGET_AARCH64
 #include "helper-a64.h"
 #include "helper-sve.h"
diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ uint64_t vfp_expand_imm(int size, uint8_t imm8);
 extern const GVecGen3 mla_op[4];
 extern const GVecGen3 mls_op[4];
 extern const GVecGen3 cmtst_op[4];
+extern const GVecGen3 sshl_op[4];
+extern const GVecGen3 ushl_op[4];
 extern const GVecGen2i ssra_op[4];
 extern const GVecGen2i usra_op[4];
 extern const GVecGen2i sri_op[4];
@@ -XXX,XX +XXX,XX @@ extern const GVecGen4 sqadd_op[4];
 extern const GVecGen4 uqsub_op[4];
 extern const GVecGen4 sqsub_op[4];
 void gen_cmtst_i64(TCGv_i64 d, TCGv_i64 a, TCGv_i64 b);
+void gen_ushl_i32(TCGv_i32 d, TCGv_i32 a, TCGv_i32 b);
+void gen_sshl_i32(TCGv_i32 d, TCGv_i32 a, TCGv_i32 b);
+void gen_ushl_i64(TCGv_i64 d, TCGv_i64 a, TCGv_i64 b);
+void gen_sshl_i64(TCGv_i64 d, TCGv_i64 a, TCGv_i64 b);
 
 /*
  * Forward to the isar_feature_* tests given a DisasContext pointer.
diff --git a/target/arm/neon_helper.c b/target/arm/neon_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/neon_helper.c
+++ b/target/arm/neon_helper.c
@@ -XXX,XX +XXX,XX @@ NEON_VOP(abd_u32, neon_u32, 1)
     } else { \
         dest = src1 << tmp; \
     }} while (0)
-NEON_VOP(shl_u8, neon_u8, 4)
 NEON_VOP(shl_u16, neon_u16, 2)
-NEON_VOP(shl_u32, neon_u32, 1)
 #undef NEON_FN
 
-uint64_t HELPER(neon_shl_u64)(uint64_t val, uint64_t shiftop)
-{
-    int8_t shift = (int8_t)shiftop;
-    if (shift >= 64 || shift <= -64) {
-        val = 0;
-    } else if (shift < 0) {
-        val >>= -shift;
-    } else {
-        val <<= shift;
-    }
-    return val;
-}
-
 #define NEON_FN(dest, src1, src2) do { \
     int8_t tmp; \
     tmp = (int8_t)src2; \
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(neon_shl_u64)(uint64_t val, uint64_t shiftop)
     } else { \
         dest = src1 << tmp; \
     }} while (0)
-NEON_VOP(shl_s8, neon_s8, 4)
 NEON_VOP(shl_s16, neon_s16, 2)
-NEON_VOP(shl_s32, neon_s32, 1)
 #undef NEON_FN
 
-uint64_t HELPER(neon_shl_s64)(uint64_t valop, uint64_t shiftop)
-{
-    int8_t shift = (int8_t)shiftop;
-    int64_t val = valop;
-    if (shift >= 64) {
-        val = 0;
-    } else if (shift <= -64) {
-        val >>= 63;
-    } else if (shift < 0) {
-        val >>= -shift;
-    } else {
-        val <<= shift;
-    }
-    return val;
-}
-
 #define NEON_FN(dest, src1, src2) do { \
     int8_t tmp; \
     tmp = (int8_t)src2; \
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_3same_64(DisasContext *s, int opcode, bool u,
         break;
     case 0x8: /* SSHL, USHL */
         if (u) {
-            gen_helper_neon_shl_u64(tcg_rd, tcg_rn, tcg_rm);
+            gen_ushl_i64(tcg_rd, tcg_rn, tcg_rm);
         } else {
-            gen_helper_neon_shl_s64(tcg_rd, tcg_rn, tcg_rm);
+            gen_sshl_i64(tcg_rd, tcg_rn, tcg_rm);
         }
         break;
     case 0x9: /* SQSHL, UQSHL */
@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
                        is_q ? 16 : 8, vec_full_reg_size(s),
                        (u ? uqsub_op : sqsub_op) + size);
         return;
+    case 0x08: /* SSHL, USHL */
+        gen_gvec_op3(s, is_q, rd, rn, rm,
+                     u ? &ushl_op[size] : &sshl_op[size]);
+        return;
     case 0x0c: /* SMAX, UMAX */
         if (u) {
             gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_umax, size);
@@ -XXX,XX +XXX,XX @@ static void disas_simd_3same_int(DisasContext *s, uint32_t insn)
                 genfn = fns[size][u];
                 break;
             }
-            case 0x8: /* SSHL, USHL */
-            {
-                static NeonGenTwoOpFn * const fns[3][2] = {
-                    { gen_helper_neon_shl_s8, gen_helper_neon_shl_u8 },
-                    { gen_helper_neon_shl_s16, gen_helper_neon_shl_u16 },
-                    { gen_helper_neon_shl_s32, gen_helper_neon_shl_u32 },
-                };
-                genfn = fns[size][u];
-                break;
-            }
             case 0x9: /* SQSHL, UQSHL */
             {
                 static NeonGenTwoOpEnvFn * const fns[3][2] = {
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_neon_shift_narrow(int size, TCGv_i32 var, TCGv_i32 shift,
         if (u) {
             switch (size) {
             case 1: gen_helper_neon_shl_u16(var, var, shift); break;
-            case 2: gen_helper_neon_shl_u32(var, var, shift); break;
+            case 2: gen_ushl_i32(var, var, shift); break;
             default: abort();
             }
         } else {
             switch (size) {
             case 1: gen_helper_neon_shl_s16(var, var, shift); break;
-            case 2: gen_helper_neon_shl_s32(var, var, shift); break;
+            case 2: gen_sshl_i32(var, var, shift); break;
             default: abort();
             }
         }
@@ -XXX,XX +XXX,XX @@ const GVecGen3 cmtst_op[4] = {
       .vece = MO_64 },
 };
 
+void gen_ushl_i32(TCGv_i32 dst, TCGv_i32 src, TCGv_i32 shift)
+{
+    TCGv_i32 lval = tcg_temp_new_i32();
+    TCGv_i32 rval = tcg_temp_new_i32();
+    TCGv_i32 lsh = tcg_temp_new_i32();
+    TCGv_i32 rsh = tcg_temp_new_i32();
+    TCGv_i32 zero = tcg_const_i32(0);
+    TCGv_i32 max = tcg_const_i32(32);
+
+    /*
+     * Rely on the TCG guarantee that out of range shifts produce
+     * unspecified results, not undefined behaviour (i.e. no trap).
+     * Discard out-of-range results after the fact.
+     */
+    tcg_gen_ext8s_i32(lsh, shift);
+    tcg_gen_neg_i32(rsh, lsh);
+    tcg_gen_shl_i32(lval, src, lsh);
+    tcg_gen_shr_i32(rval, src, rsh);
+    tcg_gen_movcond_i32(TCG_COND_LTU, dst, lsh, max, lval, zero);
+    tcg_gen_movcond_i32(TCG_COND_LTU, dst, rsh, max, rval, dst);
+
+    tcg_temp_free_i32(lval);
+    tcg_temp_free_i32(rval);
+    tcg_temp_free_i32(lsh);
+    tcg_temp_free_i32(rsh);
+    tcg_temp_free_i32(zero);
+    tcg_temp_free_i32(max);
+}
+
+void gen_ushl_i64(TCGv_i64 dst, TCGv_i64 src, TCGv_i64 shift)
+{
+    TCGv_i64 lval = tcg_temp_new_i64();
+    TCGv_i64 rval = tcg_temp_new_i64();
+    TCGv_i64 lsh = tcg_temp_new_i64();
+    TCGv_i64 rsh = tcg_temp_new_i64();
+    TCGv_i64 zero = tcg_const_i64(0);
+    TCGv_i64 max = tcg_const_i64(64);
+
+    /*
+     * Rely on the TCG guarantee that out of range shifts produce
+     * unspecified results, not undefined behaviour (i.e. no trap).
+     * Discard out-of-range results after the fact.
+     */
+    tcg_gen_ext8s_i64(lsh, shift);
+    tcg_gen_neg_i64(rsh, lsh);
+    tcg_gen_shl_i64(lval, src, lsh);
+    tcg_gen_shr_i64(rval, src, rsh);
+    tcg_gen_movcond_i64(TCG_COND_LTU, dst, lsh, max, lval, zero);
+    tcg_gen_movcond_i64(TCG_COND_LTU, dst, rsh, max, rval, dst);
+
+    tcg_temp_free_i64(lval);
+    tcg_temp_free_i64(rval);
+    tcg_temp_free_i64(lsh);
+    tcg_temp_free_i64(rsh);
+    tcg_temp_free_i64(zero);
+    tcg_temp_free_i64(max);
+}
+
+static void gen_ushl_vec(unsigned vece, TCGv_vec dst,
+                         TCGv_vec src, TCGv_vec shift)
+{
+    TCGv_vec lval = tcg_temp_new_vec_matching(dst);
+    TCGv_vec rval = tcg_temp_new_vec_matching(dst);
+    TCGv_vec lsh = tcg_temp_new_vec_matching(dst);
+    TCGv_vec rsh = tcg_temp_new_vec_matching(dst);
+    TCGv_vec msk, max;
+
+    tcg_gen_neg_vec(vece, rsh, shift);
+    if (vece == MO_8) {
+        tcg_gen_mov_vec(lsh, shift);
+    } else {
+        msk = tcg_temp_new_vec_matching(dst);
+        tcg_gen_dupi_vec(vece, msk, 0xff);
+        tcg_gen_and_vec(vece, lsh, shift, msk);
+        tcg_gen_and_vec(vece, rsh, rsh, msk);
+        tcg_temp_free_vec(msk);
+    }
+
+    /*
+     * Rely on the TCG guarantee that out of range shifts produce
+     * unspecified results, not undefined behaviour (i.e. no trap).
+     * Discard out-of-range results after the fact.
+     */
+    tcg_gen_shlv_vec(vece, lval, src, lsh);
+    tcg_gen_shrv_vec(vece, rval, src, rsh);
+
+    max = tcg_temp_new_vec_matching(dst);
+    tcg_gen_dupi_vec(vece, max, 8 << vece);
+
+    /*
+     * The choice of LT (signed) and GEU (unsigned) are biased toward
+     * the instructions of the x86_64 host.  For MO_8, the whole byte
+     * is significant so we must use an unsigned compare; otherwise we
+     * have already masked to a byte and so a signed compare works.
+     * Other tcg hosts have a full set of comparisons and do not care.
+     */
+    if (vece == MO_8) {
+        tcg_gen_cmp_vec(TCG_COND_GEU, vece, lsh, lsh, max);
+        tcg_gen_cmp_vec(TCG_COND_GEU, vece, rsh, rsh, max);
+        tcg_gen_andc_vec(vece, lval, lval, lsh);
+        tcg_gen_andc_vec(vece, rval, rval, rsh);
+    } else {
+        tcg_gen_cmp_vec(TCG_COND_LT, vece, lsh, lsh, max);
+        tcg_gen_cmp_vec(TCG_COND_LT, vece, rsh, rsh, max);
+        tcg_gen_and_vec(vece, lval, lval, lsh);
+        tcg_gen_and_vec(vece, rval, rval, rsh);
+    }
+    tcg_gen_or_vec(vece, dst, lval, rval);
+
+    tcg_temp_free_vec(max);
+    tcg_temp_free_vec(lval);
+    tcg_temp_free_vec(rval);
+    tcg_temp_free_vec(lsh);
+    tcg_temp_free_vec(rsh);
+}
+
+static const TCGOpcode ushl_list[] = {
+    INDEX_op_neg_vec, INDEX_op_shlv_vec,
+    INDEX_op_shrv_vec, INDEX_op_cmp_vec, 0
+};
+
+const GVecGen3 ushl_op[4] = {
+    { .fniv = gen_ushl_vec,
+      .fno = gen_helper_gvec_ushl_b,
+      .opt_opc = ushl_list,
+      .vece = MO_8 },
+    { .fniv = gen_ushl_vec,
+      .fno = gen_helper_gvec_ushl_h,
+      .opt_opc = ushl_list,
+      .vece = MO_16 },
+    { .fni4 = gen_ushl_i32,
+      .fniv = gen_ushl_vec,
+      .opt_opc = ushl_list,
+      .vece = MO_32 },
+    { .fni8 = gen_ushl_i64,
+      .fniv = gen_ushl_vec,
+      .opt_opc = ushl_list,
+      .vece = MO_64 },
+};
+
+void gen_sshl_i32(TCGv_i32 dst, TCGv_i32 src, TCGv_i32 shift)
+{
+    TCGv_i32 lval = tcg_temp_new_i32();
+    TCGv_i32 rval = tcg_temp_new_i32();
+    TCGv_i32 lsh = tcg_temp_new_i32();
+    TCGv_i32 rsh = tcg_temp_new_i32();
+    TCGv_i32 zero = tcg_const_i32(0);
+    TCGv_i32 max = tcg_const_i32(31);
+
+    /*
+     * Rely on the TCG guarantee that out of range shifts produce
+     * unspecified results, not undefined behaviour (i.e. no trap).
+     * Discard out-of-range results after the fact.
+     */
+    tcg_gen_ext8s_i32(lsh, shift);
+    tcg_gen_neg_i32(rsh, lsh);
+    tcg_gen_shl_i32(lval, src, lsh);
+    tcg_gen_umin_i32(rsh, rsh, max);
+    tcg_gen_sar_i32(rval, src, rsh);
+    tcg_gen_movcond_i32(TCG_COND_LEU, lval, lsh, max, lval, zero);
+    tcg_gen_movcond_i32(TCG_COND_LT, dst, lsh, zero, rval, lval);
+
+    tcg_temp_free_i32(lval);
+    tcg_temp_free_i32(rval);
+    tcg_temp_free_i32(lsh);
+    tcg_temp_free_i32(rsh);
+    tcg_temp_free_i32(zero);
+    tcg_temp_free_i32(max);
+}
+
+void gen_sshl_i64(TCGv_i64 dst, TCGv_i64 src, TCGv_i64 shift)
+{
+    TCGv_i64 lval = tcg_temp_new_i64();
+    TCGv_i64 rval = tcg_temp_new_i64();
+    TCGv_i64 lsh = tcg_temp_new_i64();
+    TCGv_i64 rsh = tcg_temp_new_i64();
+    TCGv_i64 zero = tcg_const_i64(0);
+    TCGv_i64 max = tcg_const_i64(63);
+
+    /*
+     * Rely on the TCG guarantee that out of range shifts produce
+     * unspecified results, not undefined behaviour (i.e. no trap).
+     * Discard out-of-range results after the fact.
+     */
+    tcg_gen_ext8s_i64(lsh, shift);
+    tcg_gen_neg_i64(rsh, lsh);
+    tcg_gen_shl_i64(lval, src, lsh);
+    tcg_gen_umin_i64(rsh, rsh, max);
+    tcg_gen_sar_i64(rval, src, rsh);
+    tcg_gen_movcond_i64(TCG_COND_LEU, lval, lsh, max, lval, zero);
+    tcg_gen_movcond_i64(TCG_COND_LT, dst, lsh, zero, rval, lval);
+
+    tcg_temp_free_i64(lval);
+    tcg_temp_free_i64(rval);
+    tcg_temp_free_i64(lsh);
+    tcg_temp_free_i64(rsh);
+    tcg_temp_free_i64(zero);
+    tcg_temp_free_i64(max);
+}
+
+static void gen_sshl_vec(unsigned vece, TCGv_vec dst,
+                         TCGv_vec src, TCGv_vec shift)
+{
+    TCGv_vec lval = tcg_temp_new_vec_matching(dst);
+    TCGv_vec rval = tcg_temp_new_vec_matching(dst);
+    TCGv_vec lsh = tcg_temp_new_vec_matching(dst);
+    TCGv_vec rsh = tcg_temp_new_vec_matching(dst);
+    TCGv_vec tmp = tcg_temp_new_vec_matching(dst);
+
+    /*
+     * Rely on the TCG guarantee that out of range shifts produce
+     * unspecified results, not undefined behaviour (i.e. no trap).
+     * Discard out-of-range results after the fact.
+     */
+    tcg_gen_neg_vec(vece, rsh, shift);
+    if (vece == MO_8) {
+        tcg_gen_mov_vec(lsh, shift);
+    } else {
+        tcg_gen_dupi_vec(vece, tmp, 0xff);
+        tcg_gen_and_vec(vece, lsh, shift, tmp);
+        tcg_gen_and_vec(vece, rsh, rsh, tmp);
+    }
+
+    /* Bound rsh so out of bound right shift gets -1.  */
+    tcg_gen_dupi_vec(vece, tmp, (8 << vece) - 1);
+    tcg_gen_umin_vec(vece, rsh, rsh, tmp);
+    tcg_gen_cmp_vec(TCG_COND_GT, vece, tmp, lsh, tmp);
+
+    tcg_gen_shlv_vec(vece, lval, src, lsh);
+    tcg_gen_sarv_vec(vece, rval, src, rsh);
+
+    /* Select in-bound left shift.  */
+    tcg_gen_andc_vec(vece, lval, lval, tmp);
+
+    /* Select between left and right shift.  */
+    if (vece == MO_8) {
+        tcg_gen_dupi_vec(vece, tmp, 0);
+        tcg_gen_cmpsel_vec(TCG_COND_LT, vece, dst, lsh, tmp, rval, lval);
+    } else {
+        tcg_gen_dupi_vec(vece, tmp, 0x80);
+        tcg_gen_cmpsel_vec(TCG_COND_LT, vece, dst, lsh, tmp, lval, rval);
+    }
+
+    tcg_temp_free_vec(lval);
+    tcg_temp_free_vec(rval);
+    tcg_temp_free_vec(lsh);
+    tcg_temp_free_vec(rsh);
+    tcg_temp_free_vec(tmp);
+}
+
+static const TCGOpcode sshl_list[] = {
+    INDEX_op_neg_vec, INDEX_op_umin_vec, INDEX_op_shlv_vec,
+    INDEX_op_sarv_vec, INDEX_op_cmp_vec, INDEX_op_cmpsel_vec, 0
+};
+
+const GVecGen3 sshl_op[4] = {
+    { .fniv = gen_sshl_vec,
+      .fno = gen_helper_gvec_sshl_b,
+      .opt_opc = sshl_list,
+      .vece = MO_8 },
+    { .fniv = gen_sshl_vec,
+      .fno = gen_helper_gvec_sshl_h,
+      .opt_opc = sshl_list,
+      .vece = MO_16 },
+    { .fni4 = gen_sshl_i32,
+      .fniv = gen_sshl_vec,
+      .opt_opc = sshl_list,
+      .vece = MO_32 },
+    { .fni8 = gen_sshl_i64,
+      .fniv = gen_sshl_vec,
+      .opt_opc = sshl_list,
+      .vece = MO_64 },
+};
+
 static void gen_uqadd_vec(unsigned vece, TCGv_vec t, TCGv_vec sat,
                           TCGv_vec a, TCGv_vec b)
 {
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                                   vec_size, vec_size);
             }
             return 0;
+
+        case NEON_3R_VSHL:
+            /* Note the operation is vshl vd,vm,vn */
+            tcg_gen_gvec_3(rd_ofs, rm_ofs, rn_ofs, vec_size, vec_size,
+                           u ? &ushl_op[size] : &sshl_op[size]);
+            return 0;
         }
 
         if (size == 3) {
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                 neon_load_reg64(cpu_V0, rn + pass);
                 neon_load_reg64(cpu_V1, rm + pass);
                 switch (op) {
-                case NEON_3R_VSHL:
-                    if (u) {
-                        gen_helper_neon_shl_u64(cpu_V0, cpu_V1, cpu_V0);
-                    } else {
-                        gen_helper_neon_shl_s64(cpu_V0, cpu_V1, cpu_V0);
-                    }
-                    break;
                 case NEON_3R_VQSHL:
                     if (u) {
                         gen_helper_neon_qshl_u64(cpu_V0, cpu_env,
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
         }
         pairwise = 0;
         switch (op) {
-        case NEON_3R_VSHL:
         case NEON_3R_VQSHL:
         case NEON_3R_VRSHL:
         case NEON_3R_VQRSHL:
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
         case NEON_3R_VHSUB:
             GEN_NEON_INTEGER_OP(hsub);
             break;
-        case NEON_3R_VSHL:
-            GEN_NEON_INTEGER_OP(shl);
-            break;
         case NEON_3R_VQSHL:
             GEN_NEON_INTEGER_OP_ENV(qshl);
             break;
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                             }
                         } else {
                             if (input_unsigned) {
-                                gen_helper_neon_shl_u64(cpu_V0, in, tmp64);
+                                gen_ushl_i64(cpu_V0, in, tmp64);
                             } else {
-                                gen_helper_neon_shl_s64(cpu_V0, in, tmp64);
+                                gen_sshl_i64(cpu_V0, in, tmp64);
                             }
                         }
                         tmp = tcg_temp_new_i32();
diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/vec_helper.c
+++ b/target/arm/vec_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(gvec_fmlal_idx_a64)(void *vd, void *vn, void *vm,
     do_fmlal_idx(vd, vn, vm, &env->vfp.fp_status, desc,
                  get_flush_inputs_to_zero(&env->vfp.fp_status_f16));
 }
+
+void HELPER(gvec_sshl_b)(void *vd, void *vn, void *vm, uint32_t desc)
+{
+    intptr_t i, opr_sz = simd_oprsz(desc);
+    int8_t *d = vd, *n = vn, *m = vm;
+
+    for (i = 0; i < opr_sz; ++i) {
+        int8_t mm = m[i];
+        int8_t nn = n[i];
+        int8_t res = 0;
+        if (mm >= 0) {
+            if (mm < 8) {
+                res = nn << mm;
+            }
+        } else {
+            res = nn >> (mm > -8 ? -mm : 7);
+        }
+        d[i] = res;
+    }
+    clear_tail(d, opr_sz, simd_maxsz(desc));
+}
+
+void HELPER(gvec_sshl_h)(void *vd, void *vn, void *vm, uint32_t desc)
+{
+    intptr_t i, opr_sz = simd_oprsz(desc);
+    int16_t *d = vd, *n = vn, *m = vm;
+
+    for (i = 0; i < opr_sz / 2; ++i) {
+        int8_t mm = m[i];   /* only 8 bits of shift are significant */
+        int16_t nn = n[i];
+        int16_t res = 0;
+        if (mm >= 0) {
+            if (mm < 16) {
+                res = nn << mm;
+            }
+        } else {
+            res = nn >> (mm > -16 ? -mm : 15);
+        }
+        d[i] = res;
+    }
+    clear_tail(d, opr_sz, simd_maxsz(desc));
+}
+
+void HELPER(gvec_ushl_b)(void *vd, void *vn, void *vm, uint32_t desc)
+{
+    intptr_t i, opr_sz = simd_oprsz(desc);
+    uint8_t *d = vd, *n = vn, *m = vm;
+
+    for (i = 0; i < opr_sz; ++i) {
+        int8_t mm = m[i];
+        uint8_t nn = n[i];
+        uint8_t res = 0;
+        if (mm >= 0) {
+            if (mm < 8) {
+                res = nn << mm;
+            }
+        } else {
+            if (mm > -8) {
+                res = nn >> -mm;
+            }
+        }
+        d[i] = res;
+    }
+    clear_tail(d, opr_sz, simd_maxsz(desc));
+}
+
+void HELPER(gvec_ushl_h)(void *vd, void *vn, void *vm, uint32_t desc)
+{
+    intptr_t i, opr_sz = simd_oprsz(desc);
+    uint16_t *d = vd, *n = vn, *m = vm;
+
+    for (i = 0; i < opr_sz / 2; ++i) {
+        int8_t mm = m[i];   /* only 8 bits of shift are significant */
+        uint16_t nn = n[i];
+        uint16_t res = 0;
+        if (mm >= 0) {
+            if (mm < 16) {
+                res = nn << mm;
+            }
+        } else {
+            if (mm > -16) {
+                res = nn >> -mm;
+            }
+        }
+        d[i] = res;
+    }
+    clear_tail(d, opr_sz, simd_maxsz(desc));
+}
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The gvec form will be needed for implementing SVE2.

Extend the implementation to operate on uint64_t instead of uint32_t.
Use a counted inner loop instead of terminating when op1 goes to zero,
looking toward the required implementation for ARMv8.4-DIT.

Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200216214232.4230-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.h        |  3 ++-
 target/arm/neon_helper.c   | 22 ----------------------
 target/arm/translate-a64.c | 10 +++-------
 target/arm/translate.c     | 11 ++++-------
 target/arm/vec_helper.c    | 30 ++++++++++++++++++++++++++++++
 5 files changed, 39 insertions(+), 37 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

The gvec form will be needed for implementing SVE2.

Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200216214232.4230-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.h        |  4 +---
 target/arm/neon_helper.c   | 30 ------------------------------
 target/arm/translate-a64.c | 28 +++-------------------------
 target/arm/translate.c     | 16 ++--------------
 target/arm/vec_helper.c    | 33 +++++++++++++++++++++++++++++++++
 5 files changed, 39 insertions(+), 72 deletions(-)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_3(crc32, TCG_CALL_NO_RWG_SE, i32, i32, i32, i32)
 DEF_HELPER_FLAGS_3(crc32c, TCG_CALL_NO_RWG_SE, i32, i32, i32, i32)
 DEF_HELPER_2(dc_zva, void, env, i64)
 
-DEF_HELPER_FLAGS_2(neon_pmull_64_lo, TCG_CALL_NO_RWG_SE, i64, i64, i64)
-DEF_HELPER_FLAGS_2(neon_pmull_64_hi, TCG_CALL_NO_RWG_SE, i64, i64, i64)
-
 DEF_HELPER_FLAGS_5(gvec_qrdmlah_s16, TCG_CALL_NO_RWG,
                    void, ptr, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_5(gvec_qrdmlsh_s16, TCG_CALL_NO_RWG,
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(gvec_ushl_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(gvec_ushl_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 
 DEF_HELPER_FLAGS_4(gvec_pmul_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(gvec_pmull_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 
 #ifdef TARGET_AARCH64
 #include "helper-a64.h"
diff --git a/target/arm/neon_helper.c b/target/arm/neon_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/neon_helper.c
+++ b/target/arm/neon_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(neon_zip16)(void *vd, void *vm)
     rm[0] = m0;
     rd[0] = d0;
 }
-
-/* Helper function for 64 bit polynomial multiply case:
- * perform PolynomialMult(op1, op2) and return either the top or
- * bottom half of the 128 bit result.
- */
-uint64_t HELPER(neon_pmull_64_lo)(uint64_t op1, uint64_t op2)
-{
-    int bitnum;
-    uint64_t res = 0;
-
-    for (bitnum = 0; bitnum < 64; bitnum++) {
-        if (op1 & (1ULL << bitnum)) {
-            res ^= op2 << bitnum;
-        }
-    }
-    return res;
-}
-uint64_t HELPER(neon_pmull_64_hi)(uint64_t op1, uint64_t op2)
-{
-    int bitnum;
-    uint64_t res = 0;
-
-    /* bit 0 of op1 can't influence the high 64 bits at all */
-    for (bitnum = 1; bitnum < 64; bitnum++) {
-        if (op1 & (1ULL << bitnum)) {
-            res ^= op2 >> (64 - bitnum);
-        }
-    }
-    return res;
-}
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_3rd_narrowing(DisasContext *s, int is_q, int is_u, int size,
     clear_vec_high(s, is_q, rd);
 }
 
-static void handle_pmull_64(DisasContext *s, int is_q, int rd, int rn, int rm)
-{
-    /* PMULL of 64 x 64 -> 128 is an odd special case because it
-     * is the only three-reg-diff instruction which produces a
-     * 128-bit wide result from a single operation. However since
-     * it's possible to calculate the two halves more or less
-     * separately we just use two helper calls.
-     */
-    TCGv_i64 tcg_op1 = tcg_temp_new_i64();
-    TCGv_i64 tcg_op2 = tcg_temp_new_i64();
-    TCGv_i64 tcg_res = tcg_temp_new_i64();
-
-    read_vec_element(s, tcg_op1, rn, is_q, MO_64);
-    read_vec_element(s, tcg_op2, rm, is_q, MO_64);
-    gen_helper_neon_pmull_64_lo(tcg_res, tcg_op1, tcg_op2);
-    write_vec_element(s, tcg_res, rd, 0, MO_64);
-    gen_helper_neon_pmull_64_hi(tcg_res, tcg_op1, tcg_op2);
-    write_vec_element(s, tcg_res, rd, 1, MO_64);
-
-    tcg_temp_free_i64(tcg_op1);
-    tcg_temp_free_i64(tcg_op2);
-    tcg_temp_free_i64(tcg_res);
-}
-
 /* AdvSIMD three different
  *   31  30  29 28       24 23  22  21 20  16 15    12 11 10 9    5 4    0
  * +---+---+---+-----------+------+---+------+--------+-----+------+------+
@@ -XXX,XX +XXX,XX @@ static void disas_simd_three_reg_diff(DisasContext *s, uint32_t insn)
             if (!fp_access_check(s)) {
                 return;
             }
-            handle_pmull_64(s, is_q, rd, rn, rm);
+            /* The Q field specifies lo/hi half input for this insn.  */
+            gen_gvec_op3_ool(s, true, rd, rn, rm, is_q,
+                             gen_helper_gvec_pmull_q);
             return;
         }
         goto is_widening;
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                  * outside the loop below as it only performs a single pass.
                  */
                 if (op == 14 && size == 2) {
-                    TCGv_i64 tcg_rn, tcg_rm, tcg_rd;
-
                     if (!dc_isar_feature(aa32_pmull, s)) {
                         return 1;
                     }
-                    tcg_rn = tcg_temp_new_i64();
-                    tcg_rm = tcg_temp_new_i64();
-                    tcg_rd = tcg_temp_new_i64();
-                    neon_load_reg64(tcg_rn, rn);
-                    neon_load_reg64(tcg_rm, rm);
-                    gen_helper_neon_pmull_64_lo(tcg_rd, tcg_rn, tcg_rm);
-                    neon_store_reg64(tcg_rd, rd);
-                    gen_helper_neon_pmull_64_hi(tcg_rd, tcg_rn, tcg_rm);
-                    neon_store_reg64(tcg_rd, rd + 1);
-                    tcg_temp_free_i64(tcg_rn);
-                    tcg_temp_free_i64(tcg_rm);
-                    tcg_temp_free_i64(tcg_rd);
+                    tcg_gen_gvec_3_ool(rd_ofs, rn_ofs, rm_ofs, 16, 16,
+                                       0, gen_helper_gvec_pmull_q);
                     return 0;
                 }
 
diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/vec_helper.c
+++ b/target/arm/vec_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(gvec_pmul_b)(void *vd, void *vn, void *vm, uint32_t desc)
     }
     clear_tail(d, opr_sz, simd_maxsz(desc));
 }
+
+/*
+ * 64x64->128 polynomial multiply.
+ * Because of the lanes are not accessed in strict columns,
+ * this probably cannot be turned into a generic helper.
+ */
+void HELPER(gvec_pmull_q)(void *vd, void *vn, void *vm, uint32_t desc)
+{
+    intptr_t i, j, opr_sz = simd_oprsz(desc);
+    intptr_t hi = simd_data(desc);
+    uint64_t *d = vd, *n = vn, *m = vm;
+
+    for (i = 0; i < opr_sz / 8; i += 2) {
+        uint64_t nn = n[i + hi];
+        uint64_t mm = m[i + hi];
+        uint64_t rhi = 0;
+        uint64_t rlo = 0;
+
+        /* Bit 0 can only influence the low 64-bit result.  */
+        if (nn & 1) {
+            rlo = mm;
+        }
+
+        for (j = 1; j < 64; ++j) {
+            uint64_t mask = -((nn >> j) & 1);
+            rlo ^= (mm << j) & mask;
+            rhi ^= (mm >> (64 - j)) & mask;
+        }
+        d[i] = rlo;
+        d[i + 1] = rhi;
+    }
+    clear_tail(d, opr_sz, simd_maxsz(desc));
+}
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

We still need two different helpers, since NEON and SVE2 get the
inputs from different locations within the source vector.  However,
we can convert both to the same internal form for computation.

The sve2 helper is not used yet, but adding it with this patch
helps illustrate why the neon changes are helpful.

Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200216214232.4230-5-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sve.h    |  2 ++
 target/arm/helper.h        |  3 +-
 target/arm/neon_helper.c   | 32 --------------------
 target/arm/translate-a64.c | 27 +++++++++++------
 target/arm/translate.c     | 26 ++++++++---------
 target/arm/vec_helper.c    | 60 ++++++++++++++++++++++++++++++++++++++
 6 files changed, 95 insertions(+), 55 deletions(-)

diff --git a/target/arm/helper-sve.h b/target/arm/helper-sve.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper-sve.h
+++ b/target/arm/helper-sve.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_6(sve_stdd_le_zd, TCG_CALL_NO_WG,
                    void, env, ptr, ptr, ptr, tl, i32)
 DEF_HELPER_FLAGS_6(sve_stdd_be_zd, TCG_CALL_NO_WG,
                    void, env, ptr, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve2_pmull_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
diff --git a/target/arm/helper.h b/target/arm/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_2(neon_sub_u8, i32, i32, i32)
 DEF_HELPER_2(neon_sub_u16, i32, i32, i32)
 DEF_HELPER_2(neon_mul_u8, i32, i32, i32)
 DEF_HELPER_2(neon_mul_u16, i32, i32, i32)
-DEF_HELPER_2(neon_mull_p8, i64, i32, i32)
 
 DEF_HELPER_2(neon_tst_u8, i32, i32, i32)
 DEF_HELPER_2(neon_tst_u16, i32, i32, i32)
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(gvec_ushl_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(gvec_pmul_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(gvec_pmull_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 
+DEF_HELPER_FLAGS_4(neon_pmull_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+
 #ifdef TARGET_AARCH64
 #include "helper-a64.h"
 #include "helper-sve.h"
diff --git a/target/arm/neon_helper.c b/target/arm/neon_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/neon_helper.c
+++ b/target/arm/neon_helper.c
@@ -XXX,XX +XXX,XX @@ NEON_VOP(mul_u8, neon_u8, 4)
 NEON_VOP(mul_u16, neon_u16, 2)
 #undef NEON_FN
 
-/* Polynomial multiplication is like integer multiplication except the
-   partial products are XORed, not added.  */
-uint64_t HELPER(neon_mull_p8)(uint32_t op1, uint32_t op2)
-{
-    uint64_t result = 0;
-    uint64_t mask;
-    uint64_t op2ex = op2;
-    op2ex = (op2ex & 0xff) |
-        ((op2ex & 0xff00) << 8) |
-        ((op2ex & 0xff0000) << 16) |
-        ((op2ex & 0xff000000) << 24);
-    while (op1) {
-        mask = 0;
-        if (op1 & 1) {
-            mask |= 0xffff;
-        }
-        if (op1 & (1 << 8)) {
-            mask |= (0xffffU << 16);
-        }
-        if (op1 & (1 << 16)) {
-            mask |= (0xffffULL << 32);
-        }
-        if (op1 & (1 << 24)) {
-            mask |= (0xffffULL << 48);
-        }
-        result ^= op2ex & mask;
-        op1 = (op1 >> 1) & 0x7f7f7f7f;
-        op2ex <<= 1;
-    }
-    return result;
-}
-
 #define NEON_FN(dest, src1, src2) dest = (src1 & src2) ? -1 : 0
 NEON_VOP(tst_u8, neon_u8, 4)
 NEON_VOP(tst_u16, neon_u16, 2)
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_3rd_widening(DisasContext *s, int is_q, int is_u, int size,
                 gen_helper_neon_addl_saturate_s32(tcg_passres, cpu_env,
                                                   tcg_passres, tcg_passres);
                 break;
-            case 14: /* PMULL */
-                assert(size == 0);
-                gen_helper_neon_mull_p8(tcg_passres, tcg_op1, tcg_op2);
-                break;
             default:
                 g_assert_not_reached();
             }
@@ -XXX,XX +XXX,XX @@ static void disas_simd_three_reg_diff(DisasContext *s, uint32_t insn)
         handle_3rd_narrowing(s, is_q, is_u, size, opcode, rd, rn, rm);
         break;
     case 14: /* PMULL, PMULL2 */
-        if (is_u || size == 1 || size == 2) {
+        if (is_u) {
             unallocated_encoding(s);
             return;
         }
-        if (size == 3) {
+        switch (size) {
+        case 0: /* PMULL.P8 */
+            if (!fp_access_check(s)) {
+                return;
+            }
+            /* The Q field specifies lo/hi half input for this insn.  */
+            gen_gvec_op3_ool(s, true, rd, rn, rm, is_q,
+                             gen_helper_neon_pmull_h);
+            break;
+
+        case 3: /* PMULL.P64 */
             if (!dc_isar_feature(aa64_pmull, s)) {
                 unallocated_encoding(s);
                 return;
@@ -XXX,XX +XXX,XX @@ static void disas_simd_three_reg_diff(DisasContext *s, uint32_t insn)
             /* The Q field specifies lo/hi half input for this insn.  */
             gen_gvec_op3_ool(s, true, rd, rn, rm, is_q,
                              gen_helper_gvec_pmull_q);
-            return;
+            break;
+
+        default:
+            unallocated_encoding(s);
+            break;
         }
-        goto is_widening;
+        return;
     case 9: /* SQDMLAL, SQDMLAL2 */
     case 11: /* SQDMLSL, SQDMLSL2 */
     case 13: /* SQDMULL, SQDMULL2 */
@@ -XXX,XX +XXX,XX @@ static void disas_simd_three_reg_diff(DisasContext *s, uint32_t insn)
             unallocated_encoding(s);
             return;
         }
-    is_widening:
         if (!fp_access_check(s)) {
             return;
         }
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                     return 1;
                 }
 
-                /* Handle VMULL.P64 (Polynomial 64x64 to 128 bit multiply)
-                 * outside the loop below as it only performs a single pass.
-                 */
-                if (op == 14 && size == 2) {
-                    if (!dc_isar_feature(aa32_pmull, s)) {
-                        return 1;
+                /* Handle polynomial VMULL in a single pass.  */
+                if (op == 14) {
+                    if (size == 0) {
+                        /* VMULL.P8 */
+                        tcg_gen_gvec_3_ool(rd_ofs, rn_ofs, rm_ofs, 16, 16,
+                                           0, gen_helper_neon_pmull_h);
+                    } else {
+                        /* VMULL.P64 */
+                        if (!dc_isar_feature(aa32_pmull, s)) {
+                            return 1;
+                        }
+                        tcg_gen_gvec_3_ool(rd_ofs, rn_ofs, rm_ofs, 16, 16,
+                                           0, gen_helper_gvec_pmull_q);
                     }
-                    tcg_gen_gvec_3_ool(rd_ofs, rn_ofs, rm_ofs, 16, 16,
-                                       0, gen_helper_gvec_pmull_q);
                     return 0;
                 }
 
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                         /* VMLAL, VQDMLAL, VMLSL, VQDMLSL, VMULL, VQDMULL */
                         gen_neon_mull(cpu_V0, tmp, tmp2, size, u);
                         break;
-                    case 14: /* Polynomial VMULL */
-                        gen_helper_neon_mull_p8(cpu_V0, tmp, tmp2);
-                        tcg_temp_free_i32(tmp2);
-                        tcg_temp_free_i32(tmp);
-                        break;
                     default: /* 15 is RESERVED: caught earlier  */
                         abort();
                     }
diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/vec_helper.c
+++ b/target/arm/vec_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(gvec_pmull_q)(void *vd, void *vn, void *vm, uint32_t desc)
     }
     clear_tail(d, opr_sz, simd_maxsz(desc));
 }
+
+/*
+ * 8x8->16 polynomial multiply.
+ *
+ * The byte inputs are expanded to (or extracted from) half-words.
+ * Note that neon and sve2 get the inputs from different positions.
+ * This allows 4 bytes to be processed in parallel with uint64_t.
+ */
+
+static uint64_t expand_byte_to_half(uint64_t x)
+{
+    return  (x & 0x000000ff)
+         | ((x & 0x0000ff00) << 8)
+         | ((x & 0x00ff0000) << 16)
+         | ((x & 0xff000000) << 24);
+}
+
+static uint64_t pmull_h(uint64_t op1, uint64_t op2)
+{
+    uint64_t result = 0;
+    int i;
+
+    for (i = 0; i < 8; ++i) {
+        uint64_t mask = (op1 & 0x0001000100010001ull) * 0xffff;
+        result ^= op2 & mask;
+        op1 >>= 1;
+        op2 <<= 1;
+    }
+    return result;
+}
+
+void HELPER(neon_pmull_h)(void *vd, void *vn, void *vm, uint32_t desc)
+{
+    int hi = simd_data(desc);
+    uint64_t *d = vd, *n = vn, *m = vm;
+    uint64_t nn = n[hi], mm = m[hi];
+
+    d[0] = pmull_h(expand_byte_to_half(nn), expand_byte_to_half(mm));
+    nn >>= 32;
+    mm >>= 32;
+    d[1] = pmull_h(expand_byte_to_half(nn), expand_byte_to_half(mm));
+
+    clear_tail(d, 16, simd_maxsz(desc));
+}
+
+#ifdef TARGET_AARCH64
+void HELPER(sve2_pmull_h)(void *vd, void *vn, void *vm, uint32_t desc)
+{
+    int shift = simd_data(desc) * 8;
+    intptr_t i, opr_sz = simd_oprsz(desc);
+    uint64_t *d = vd, *n = vn, *m = vm;
+
+    for (i = 0; i < opr_sz / 8; ++i) {
+        uint64_t nn = (n[i] >> shift) & 0x00ff00ff00ff00ffull;
+        uint64_t mm = (m[i] >> shift) & 0x00ff00ff00ff00ffull;
+
+        d[i] = pmull_h(nn, mm);
+    }
+}
+#endif
-- 
2.20.1

From: Francisco Iglesias <francisco.iglesias@xilinx.com>

Correct the number of dummy cycles required by the FAST_READ_4 command (to
be eight, one dummy byte).

Fixes: ef06ca3946 ("xilinx_spips: Add support for RX discard and RX drain")
Suggested-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 20200218113350.6090-1-frasse.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/xilinx_spips.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -XXX,XX +XXX,XX @@ static int xilinx_spips_num_dummies(XilinxQSPIPS *qs, uint8_t command)
     case FAST_READ:
     case DOR:
     case QOR:
+    case FAST_READ_4:
     case DOR_4:
     case QOR_4:
         return 1;
     case DIOR:
-    case FAST_READ_4:
     case DIOR_4:
         return 2;
     case QIOR:
-- 
2.20.1

From: Guenter Roeck <linux@roeck-us.net>

Booting the r2d machine from flash fails because flash is not discovered.
Looking at the flattened memory tree, we see the following.

FlatView #1
 AS "memory", root: system
 AS "cpu-memory-0", root: system
 AS "sh_pci_host", root: bus master container
 Root memory region: system
  0000000000000000-000000000000ffff (prio 0, i/o): io
  0000000000010000-0000000000ffffff (prio 0, i/o): r2d.flash @0000000000010000

The overlapping memory region is sh_pci.isa, ie the ISA I/O region bridge.
This region is initially assigned to address 0xfe240000, but overwritten
with a write into the PCIIOBR register. This write is expected to adjust
the PCI memory window, but not to change the region's base adddress.

Peter Maydell provided the following detailed explanation.

"Section 22.3.7 and in particular figure 22.3 (of "SSH7751R user's manual:
hardware") are clear about how this is supposed to work: there is a window
at 0xfe240000 in the system register space for PCI I/O space. When the CPU
makes an access into that area, the PCI controller calculates the PCI
address to use by combining bits 0..17 of the system address with the
bits 31..18 value that the guest has put into the PCIIOBR. That is, writing
to the PCIIOBR changes which section of the IO address space is visible in
the 0xfe240000 window. Instead what QEMU's implementation does is move the
window to whatever value the guest writes to the PCIIOBR register -- so if
the guest writes 0 we put the window at 0 in system address space."

Fix the problem by calling memory_region_set_alias_offset() instead of
removing and re-adding the PCI ISA subregion on writes into PCIIOBR.
At the same time, in sh_pci_device_realize(), don't set iobr since
it is overwritten later anyway. Instead, pass the base address to
memory_region_add_subregion() directly.

Many thanks to Peter Maydell for the detailed problem analysis, and for
providing suggestions on how to fix the problem.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Message-id: 20200218201050.15273-1-linux@roeck-us.net
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/sh4/sh_pci.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/hw/sh4/sh_pci.c b/hw/sh4/sh_pci.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/sh4/sh_pci.c
+++ b/hw/sh4/sh_pci.c
@@ -XXX,XX +XXX,XX @@ static void sh_pci_reg_write (void *p, hwaddr addr, uint64_t val,
         pcic->mbr = val & 0xff000001;
         break;
     case 0x1c8:
-        if ((val & 0xfffc0000) != (pcic->iobr & 0xfffc0000)) {
-            memory_region_del_subregion(get_system_memory(), &pcic->isa);
-            pcic->iobr = val & 0xfffc0001;
-            memory_region_add_subregion(get_system_memory(),
-                                        pcic->iobr & 0xfffc0000, &pcic->isa);
-        }
+        pcic->iobr = val & 0xfffc0001;
+        memory_region_set_alias_offset(&pcic->isa, val & 0xfffc0000);
         break;
     case 0x220:
         pci_data_write(phb->bus, pcic->par, val, 4);
@@ -XXX,XX +XXX,XX @@ static void sh_pci_device_realize(DeviceState *dev, Error **errp)
                              get_system_io(), 0, 0x40000);
     sysbus_init_mmio(sbd, &s->memconfig_p4);
     sysbus_init_mmio(sbd, &s->memconfig_a7);
-    s->iobr = 0xfe240000;
-    memory_region_add_subregion(get_system_memory(), s->iobr, &s->isa);
+    memory_region_add_subregion(get_system_memory(), 0xfe240000, &s->isa);
 
     s->dev = pci_create_simple(phb->bus, PCI_DEVFN(0, 0), "sh_pci_host");
 }
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The old name, isar_feature_aa32_fp_d32, does not reflect
the MVFR0 field name, SIMDReg.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200214181547.21408-3-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: wrapped one long line]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h               |  2 +-
 target/arm/translate-vfp.inc.c | 53 +++++++++++++++++-----------------
 2 files changed, 28 insertions(+), 27 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_fp16_arith(const ARMISARegisters *id)
     return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, FP) == 1;
 }
 
-static inline bool isar_feature_aa32_fp_d32(const ARMISARegisters *id)
+static inline bool isar_feature_aa32_simd_r32(const ARMISARegisters *id)
 {
     /* Return true if D16-D31 are implemented */
     return FIELD_EX32(id->mvfr0, MVFR0, SIMDREG) >= 2;
diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.inc.c
+++ b/target/arm/translate-vfp.inc.c
@@ -XXX,XX +XXX,XX @@ static bool trans_VSEL(DisasContext *s, arg_VSEL *a)
     }
 
     /* UNDEF accesses to D16-D31 if they don't exist */
-    if (dp && !dc_isar_feature(aa32_fp_d32, s) &&
+    if (dp && !dc_isar_feature(aa32_simd_r32, s) &&
         ((a->vm | a->vn | a->vd) & 0x10)) {
         return false;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_VMINMAXNM(DisasContext *s, arg_VMINMAXNM *a)
     }
 
     /* UNDEF accesses to D16-D31 if they don't exist */
-    if (dp && !dc_isar_feature(aa32_fp_d32, s) &&
+    if (dp && !dc_isar_feature(aa32_simd_r32, s) &&
         ((a->vm | a->vn | a->vd) & 0x10)) {
         return false;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINT(DisasContext *s, arg_VRINT *a)
     }
 
     /* UNDEF accesses to D16-D31 if they don't exist */
-    if (dp && !dc_isar_feature(aa32_fp_d32, s) &&
+    if (dp && !dc_isar_feature(aa32_simd_r32, s) &&
         ((a->vm | a->vd) & 0x10)) {
         return false;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT(DisasContext *s, arg_VCVT *a)
     }
 
     /* UNDEF accesses to D16-D31 if they don't exist */
-    if (dp && !dc_isar_feature(aa32_fp_d32, s) && (a->vm & 0x10)) {
+    if (dp && !dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_to_gp(DisasContext *s, arg_VMOV_to_gp *a)
     uint32_t offset;
 
     /* UNDEF accesses to D16-D31 if they don't exist */
-    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vn & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vn & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_from_gp(DisasContext *s, arg_VMOV_from_gp *a)
     uint32_t offset;
 
     /* UNDEF accesses to D16-D31 if they don't exist */
-    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vn & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vn & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VDUP(DisasContext *s, arg_VDUP *a)
     }
 
     /* UNDEF accesses to D16-D31 if they don't exist */
-    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vn & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vn & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_64_dp(DisasContext *s, arg_VMOV_64_dp *a)
      */
 
     /* UNDEF accesses to D16-D31 if they don't exist */
-    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vm & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDR_VSTR_dp(DisasContext *s, arg_VLDR_VSTR_dp *a)
     TCGv_i64 tmp;
 
     /* UNDEF accesses to D16-D31 if they don't exist */
-    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vd & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDM_VSTM_dp(DisasContext *s, arg_VLDM_VSTM_dp *a)
     }
 
     /* UNDEF accesses to D16-D31 if they don't exist */
-    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vd + n) > 16) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd + n) > 16) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool do_vfp_3op_dp(DisasContext *s, VFPGen3OpDPFn *fn,
     TCGv_ptr fpst;
 
     /* UNDEF accesses to D16-D31 if they don't exist */
-    if (!dc_isar_feature(aa32_fp_d32, s) && ((vd | vn | vm) & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && ((vd | vn | vm) & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool do_vfp_2op_dp(DisasContext *s, VFPGen2OpDPFn *fn, int vd, int vm)
     TCGv_i64 f0, fd;
 
     /* UNDEF accesses to D16-D31 if they don't exist */
-    if (!dc_isar_feature(aa32_fp_d32, s) && ((vd | vm) & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && ((vd | vm) & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VFM_dp(DisasContext *s, arg_VFM_dp *a)
     }
 
     /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_fp_d32, s) && ((a->vd | a->vn | a->vm) & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) &&
+        ((a->vd | a->vn | a->vm) & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_imm_dp(DisasContext *s, arg_VMOV_imm_dp *a)
     vd = a->vd;
 
     /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_fp_d32, s) && (vd & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && (vd & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VCMP_dp(DisasContext *s, arg_VCMP_dp *a)
     }
 
     /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_fp_d32, s) && ((a->vd | a->vm) & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && ((a->vd | a->vm) & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_f64_f16(DisasContext *s, arg_VCVT_f64_f16 *a)
     }
 
     /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vd  & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd  & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_f16_f64(DisasContext *s, arg_VCVT_f16_f64 *a)
     }
 
     /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vm  & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vm  & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTR_dp(DisasContext *s, arg_VRINTR_dp *a)
     }
 
     /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_fp_d32, s) && ((a->vd | a->vm) & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && ((a->vd | a->vm) & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTZ_dp(DisasContext *s, arg_VRINTZ_dp *a)
     }
 
     /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_fp_d32, s) && ((a->vd | a->vm) & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && ((a->vd | a->vm) & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTX_dp(DisasContext *s, arg_VRINTX_dp *a)
     }
 
     /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_fp_d32, s) && ((a->vd | a->vm) & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && ((a->vd | a->vm) & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_sp(DisasContext *s, arg_VCVT_sp *a)
     TCGv_i32 vm;
 
     /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vd & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_dp(DisasContext *s, arg_VCVT_dp *a)
     TCGv_i32 vd;
 
     /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vm & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_int_dp(DisasContext *s, arg_VCVT_int_dp *a)
     TCGv_ptr fpst;
 
     /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vd & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VJCVT(DisasContext *s, arg_VJCVT *a)
     }
 
     /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vm & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_fix_dp(DisasContext *s, arg_VCVT_fix_dp *a)
     }
 
     /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vd & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_dp_int(DisasContext *s, arg_VCVT_dp_int *a)
     TCGv_ptr fpst;
 
     /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_fp_d32, s) && (a->vm & 0x10)) {
+    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
         return false;
     }
 
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Many uses of ARM_FEATURE_VFP3 are testing for the number of simd
registers implemented.  Use the proper test vs MVFR0.SIMDReg.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200214181547.21408-4-richard.henderson@linaro.org
[PMM: fix typo in commit message]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c       |  9 ++++-----
 target/arm/helper.c    | 13 ++++++-------
 target/arm/translate.c |  2 +-
 3 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_dump_state(CPUState *cs, FILE *f, int flags)
 
     if (flags & CPU_DUMP_FPU) {
         int numvfpregs = 0;
-        if (arm_feature(env, ARM_FEATURE_VFP)) {
-            numvfpregs += 16;
-        }
-        if (arm_feature(env, ARM_FEATURE_VFP3)) {
-            numvfpregs += 16;
+        if (cpu_isar_feature(aa32_simd_r32, cpu)) {
+            numvfpregs = 32;
+        } else if (arm_feature(env, ARM_FEATURE_VFP)) {
+            numvfpregs = 16;
         }
         for (i = 0; i < numvfpregs; i++) {
             uint64_t v = *aa32_vfp_dreg(env, i);
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void switch_mode(CPUARMState *env, int mode);
 
 static int vfp_gdb_get_reg(CPUARMState *env, uint8_t *buf, int reg)
 {
-    int nregs;
+    ARMCPU *cpu = env_archcpu(env);
+    int nregs = cpu_isar_feature(aa32_simd_r32, cpu) ? 32 : 16;
 
     /* VFP data registers are always little-endian.  */
-    nregs = arm_feature(env, ARM_FEATURE_VFP3) ? 32 : 16;
     if (reg < nregs) {
         stq_le_p(buf, *aa32_vfp_dreg(env, reg));
         return 8;
@@ -XXX,XX +XXX,XX @@ static int vfp_gdb_get_reg(CPUARMState *env, uint8_t *buf, int reg)
 
 static int vfp_gdb_set_reg(CPUARMState *env, uint8_t *buf, int reg)
 {
-    int nregs;
+    ARMCPU *cpu = env_archcpu(env);
+    int nregs = cpu_isar_feature(aa32_simd_r32, cpu) ? 32 : 16;
 
-    nregs = arm_feature(env, ARM_FEATURE_VFP3) ? 32 : 16;
     if (reg < nregs) {
         *aa32_vfp_dreg(env, reg) = ldq_le_p(buf);
         return 8;
@@ -XXX,XX +XXX,XX @@ static void cpacr_write(CPUARMState *env, const ARMCPRegInfo *ri,
             /* VFPv3 and upwards with NEON implement 32 double precision
              * registers (D0-D31).
              */
-            if (!arm_feature(env, ARM_FEATURE_NEON) ||
-                    !arm_feature(env, ARM_FEATURE_VFP3)) {
+            if (!cpu_isar_feature(aa32_simd_r32, env_archcpu(env))) {
                 /* D32DIS [30] is RAO/WI if D16-31 are not implemented. */
                 value |= (1 << 30);
             }
@@ -XXX,XX +XXX,XX @@ void arm_cpu_register_gdb_regs_for_features(ARMCPU *cpu)
     } else if (arm_feature(env, ARM_FEATURE_NEON)) {
         gdb_register_coprocessor(cs, vfp_gdb_get_reg, vfp_gdb_set_reg,
                                  51, "arm-neon.xml", 0);
-    } else if (arm_feature(env, ARM_FEATURE_VFP3)) {
+    } else if (cpu_isar_feature(aa32_simd_r32, cpu)) {
         gdb_register_coprocessor(cs, vfp_gdb_get_reg, vfp_gdb_set_reg,
                                  35, "arm-vfp3.xml", 0);
     } else if (arm_feature(env, ARM_FEATURE_VFP)) {
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static int disas_dsp_insn(DisasContext *s, uint32_t insn)
 #define VFP_SREG(insn, bigbit, smallbit) \
   ((VFP_REG_SHR(insn, bigbit - 1) & 0x1e) | (((insn) >> (smallbit)) & 1))
 #define VFP_DREG(reg, insn, bigbit, smallbit) do { \
-    if (arm_dc_feature(s, ARM_FEATURE_VFP3)) { \
+    if (dc_isar_feature(aa32_simd_r32, s)) { \
         reg = (((insn) >> (bigbit)) & 0x0f) \
               | (((insn) >> ((smallbit) - 4)) & 0x10); \
     } else { \
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

We are going to convert FEATURE tests to ISAR tests,
so FPSP needs to be set for these cpus, like we have
already for FPDP.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200214181547.21408-5-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm926_initfn(Object *obj)
      */
     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
     /*
-     * Similarly, we need to set MVFR0 fields to enable double precision
-     * and short vector support even though ARMv5 doesn't have this register.
+     * Similarly, we need to set MVFR0 fields to enable vfp and short vector
+     * support even though ARMv5 doesn't have this register.
      */
     cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSP, 1);
     cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
 }
 
@@ -XXX,XX +XXX,XX @@ static void arm1026_initfn(Object *obj)
      */
     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
     /*
-     * Similarly, we need to set MVFR0 fields to enable double precision
-     * and short vector support even though ARMv5 doesn't have this register.
+     * Similarly, we need to set MVFR0 fields to enable vfp and short vector
+     * support even though ARMv5 doesn't have this register.
      */
     cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSP, 1);
     cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
 
     {
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Use this in the places that were checking ARM_FEATURE_VFP, and
are obviously testing for the existance of the register set
as opposed to testing for some particular instruction extension.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200214181547.21408-6-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h        |  6 ++++++
 hw/intc/armv7m_nvic.c   | 20 ++++++++++----------
 linux-user/arm/signal.c |  4 ++--
 target/arm/arch_dump.c  | 11 ++++++-----
 target/arm/cpu.c        |  8 ++++----
 target/arm/helper.c     |  4 ++--
 target/arm/m_helper.c   | 11 ++++++-----
 target/arm/machine.c    |  3 +--
 8 files changed, 37 insertions(+), 30 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_fp16_arith(const ARMISARegisters *id)
     return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, FP) == 1;
 }
 
+static inline bool isar_feature_aa32_simd_r16(const ARMISARegisters *id)
+{
+    /* Return true if D0-D15 are implemented */
+    return FIELD_EX32(id->mvfr0, MVFR0, SIMDREG) > 0;
+}
+
 static inline bool isar_feature_aa32_simd_r32(const ARMISARegisters *id)
 {
     /* Return true if D16-D31 are implemented */
diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
     case 0xd84: /* CSSELR */
         return cpu->env.v7m.csselr[attrs.secure];
     case 0xd88: /* CPACR */
-        if (!arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
+        if (!cpu_isar_feature(aa32_simd_r16, cpu)) {
             return 0;
         }
         return cpu->env.v7m.cpacr[attrs.secure];
     case 0xd8c: /* NSACR */
-        if (!attrs.secure || !arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
+        if (!attrs.secure || !cpu_isar_feature(aa32_simd_r16, cpu)) {
             return 0;
         }
         return cpu->env.v7m.nsacr;
@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
         }
         return cpu->env.v7m.sfar;
     case 0xf34: /* FPCCR */
-        if (!arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
+        if (!cpu_isar_feature(aa32_simd_r16, cpu)) {
             return 0;
         }
         if (attrs.secure) {
@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
             return value;
         }
     case 0xf38: /* FPCAR */
-        if (!arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
+        if (!cpu_isar_feature(aa32_simd_r16, cpu)) {
             return 0;
         }
         return cpu->env.v7m.fpcar[attrs.secure];
     case 0xf3c: /* FPDSCR */
-        if (!arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
+        if (!cpu_isar_feature(aa32_simd_r16, cpu)) {
             return 0;
         }
         return cpu->env.v7m.fpdscr[attrs.secure];
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
         }
         break;
     case 0xd88: /* CPACR */
-        if (arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
+        if (cpu_isar_feature(aa32_simd_r16, cpu)) {
             /* We implement only the Floating Point extension's CP10/CP11 */
             cpu->env.v7m.cpacr[attrs.secure] = value & (0xf << 20);
         }
         break;
     case 0xd8c: /* NSACR */
-        if (attrs.secure && arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
+        if (attrs.secure && cpu_isar_feature(aa32_simd_r16, cpu)) {
             /* We implement only the Floating Point extension's CP10/CP11 */
             cpu->env.v7m.nsacr = value & (3 << 10);
         }
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
         break;
     }
     case 0xf34: /* FPCCR */
-        if (arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
+        if (cpu_isar_feature(aa32_simd_r16, cpu)) {
             /* Not all bits here are banked. */
             uint32_t fpccr_s;
 
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
         }
         break;
     case 0xf38: /* FPCAR */
-        if (arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
+        if (cpu_isar_feature(aa32_simd_r16, cpu)) {
             value &= ~7;
             cpu->env.v7m.fpcar[attrs.secure] = value;
         }
         break;
     case 0xf3c: /* FPDSCR */
-        if (arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
+        if (cpu_isar_feature(aa32_simd_r16, cpu)) {
             value &= 0x07c00000;
             cpu->env.v7m.fpdscr[attrs.secure] = value;
         }
diff --git a/linux-user/arm/signal.c b/linux-user/arm/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/arm/signal.c
+++ b/linux-user/arm/signal.c
@@ -XXX,XX +XXX,XX @@ static void setup_sigframe_v2(struct target_ucontext_v2 *uc,
     setup_sigcontext(&uc->tuc_mcontext, env, set->sig[0]);
     /* Save coprocessor signal frame.  */
     regspace = uc->tuc_regspace;
-    if (arm_feature(env, ARM_FEATURE_VFP)) {
+    if (cpu_isar_feature(aa32_simd_r16, env_archcpu(env))) {
         regspace = setup_sigframe_v2_vfp(regspace, env);
     }
     if (arm_feature(env, ARM_FEATURE_IWMMXT)) {
@@ -XXX,XX +XXX,XX @@ static int do_sigframe_return_v2(CPUARMState *env,
 
     /* Restore coprocessor signal frame */
     regspace = uc->tuc_regspace;
-    if (arm_feature(env, ARM_FEATURE_VFP)) {
+    if (cpu_isar_feature(aa32_simd_r16, env_archcpu(env))) {
         regspace = restore_sigframe_v2_vfp(env, regspace);
         if (!regspace) {
             return 1;
diff --git a/target/arm/arch_dump.c b/target/arm/arch_dump.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/arch_dump.c
+++ b/target/arm/arch_dump.c
@@ -XXX,XX +XXX,XX @@ int arm_cpu_write_elf32_note(WriteCoreDumpFunction f, CPUState *cs,
                              int cpuid, void *opaque)
 {
     struct arm_note note;
-    CPUARMState *env = &ARM_CPU(cs)->env;
+    ARMCPU *cpu = ARM_CPU(cs);
+    CPUARMState *env = &cpu->env;
     DumpState *s = opaque;
-    int ret, i, fpvalid = !!arm_feature(env, ARM_FEATURE_VFP);
+    int ret, i;
+    bool fpvalid = cpu_isar_feature(aa32_simd_r16, cpu);
 
     arm_note_init(&note, s, "CORE", 5, NT_PRSTATUS, sizeof(note.prstatus));
 
@@ -XXX,XX +XXX,XX @@ int cpu_get_dump_info(ArchDumpInfo *info,
 ssize_t cpu_get_note_size(int class, int machine, int nr_cpus)
 {
     ARMCPU *cpu = ARM_CPU(first_cpu);
-    CPUARMState *env = &cpu->env;
     size_t note_size;
 
     if (class == ELFCLASS64) {
@@ -XXX,XX +XXX,XX @@ ssize_t cpu_get_note_size(int class, int machine, int nr_cpus)
         note_size += AARCH64_PRFPREG_NOTE_SIZE;
 #ifdef TARGET_AARCH64
         if (cpu_isar_feature(aa64_sve, cpu)) {
-            note_size += AARCH64_SVE_NOTE_SIZE(env);
+            note_size += AARCH64_SVE_NOTE_SIZE(&cpu->env);
         }
 #endif
     } else {
         note_size = ARM_PRSTATUS_NOTE_SIZE;
-        if (arm_feature(env, ARM_FEATURE_VFP)) {
+        if (cpu_isar_feature(aa32_simd_r16, cpu)) {
             note_size += ARM_VFP_NOTE_SIZE;
         }
     }
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(CPUState *s)
             env->v7m.ccr[M_REG_S] |= R_V7M_CCR_UNALIGN_TRP_MASK;
         }
 
-        if (arm_feature(env, ARM_FEATURE_VFP)) {
+        if (cpu_isar_feature(aa32_simd_r16, cpu)) {
             env->v7m.fpccr[M_REG_NS] = R_V7M_FPCCR_ASPEN_MASK;
             env->v7m.fpccr[M_REG_S] = R_V7M_FPCCR_ASPEN_MASK |
                 R_V7M_FPCCR_LSPEN_MASK | R_V7M_FPCCR_S_MASK;
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_dump_state(CPUState *cs, FILE *f, int flags)
         int numvfpregs = 0;
         if (cpu_isar_feature(aa32_simd_r32, cpu)) {
             numvfpregs = 32;
-        } else if (arm_feature(env, ARM_FEATURE_VFP)) {
+        } else if (cpu_isar_feature(aa32_simd_r16, cpu)) {
             numvfpregs = 16;
         }
         for (i = 0; i < numvfpregs; i++) {
@@ -XXX,XX +XXX,XX @@ void arm_cpu_post_init(Object *obj)
      * KVM does not currently allow us to lie to the guest about its
      * ID/feature registers, so the guest always sees what the host has.
      */
-    if (arm_feature(&cpu->env, ARM_FEATURE_VFP)) {
+    if (cpu_isar_feature(aa32_simd_r16, cpu)) {
         cpu->has_vfp = true;
         if (!kvm_enabled()) {
             qdev_property_add_static(DEVICE(obj), &arm_cpu_has_vfp_property);
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
      * We rely on no XScale CPU having VFP so we can use the same bits in the
      * TB flags field for VECSTRIDE and XSCALE_CPAR.
      */
-    assert(!(arm_feature(env, ARM_FEATURE_VFP) &&
+    assert(!(cpu_isar_feature(aa32_simd_r16, cpu) &&
              arm_feature(env, ARM_FEATURE_XSCALE)));
 
     if (arm_feature(env, ARM_FEATURE_V7) &&
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void cpacr_write(CPUARMState *env, const ARMCPRegInfo *ri,
          * ASEDIS [31] and D32DIS [30] are both UNK/SBZP without VFP.
          * TRCDIS [28] is RAZ/WI since we do not implement a trace macrocell.
          */
-        if (arm_feature(env, ARM_FEATURE_VFP)) {
+        if (cpu_isar_feature(aa32_simd_r16, env_archcpu(env))) {
             /* VFP coprocessor: cp10 & cp11 [23:20] */
             mask |= (1 << 31) | (1 << 30) | (0xf << 20);
 
@@ -XXX,XX +XXX,XX @@ void arm_cpu_register_gdb_regs_for_features(ARMCPU *cpu)
     } else if (cpu_isar_feature(aa32_simd_r32, cpu)) {
         gdb_register_coprocessor(cs, vfp_gdb_get_reg, vfp_gdb_set_reg,
                                  35, "arm-vfp3.xml", 0);
-    } else if (arm_feature(env, ARM_FEATURE_VFP)) {
+    } else if (cpu_isar_feature(aa32_simd_r16, cpu)) {
         gdb_register_coprocessor(cs, vfp_gdb_get_reg, vfp_gdb_set_reg,
                                  19, "arm-vfp.xml", 0);
     }
diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/m_helper.c
+++ b/target/arm/m_helper.c
@@ -XXX,XX +XXX,XX @@ static uint32_t v7m_integrity_sig(CPUARMState *env, uint32_t lr)
      */
     uint32_t sig = 0xfefa125a;
 
-    if (!arm_feature(env, ARM_FEATURE_VFP) || (lr & R_V7M_EXCRET_FTYPE_MASK)) {
+    if (!cpu_isar_feature(aa32_simd_r16, env_archcpu(env))
+        || (lr & R_V7M_EXCRET_FTYPE_MASK)) {
         sig |= 1;
     }
     return sig;
@@ -XXX,XX +XXX,XX @@ static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
 
     if (dotailchain) {
         /* Sanitize LR FType and PREFIX bits */
-        if (!arm_feature(env, ARM_FEATURE_VFP)) {
+        if (!cpu_isar_feature(aa32_simd_r16, cpu)) {
             lr |= R_V7M_EXCRET_FTYPE_MASK;
         }
         lr = deposit32(lr, 24, 8, 0xff);
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
 
     ftype = excret & R_V7M_EXCRET_FTYPE_MASK;
 
-    if (!arm_feature(env, ARM_FEATURE_VFP) && !ftype) {
+    if (!ftype && !cpu_isar_feature(aa32_simd_r16, cpu)) {
         qemu_log_mask(LOG_GUEST_ERROR, "M profile: zero FTYPE in exception "
                       "exit PC value 0x%" PRIx32 " is UNPREDICTABLE "
                       "if FPU not present\n",
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
              * SFPA is RAZ/WI from NS. FPCA is RO if NSACR.CP10 == 0,
              * RES0 if the FPU is not present, and is stored in the S bank
              */
-            if (arm_feature(env, ARM_FEATURE_VFP) &&
+            if (cpu_isar_feature(aa32_simd_r16, env_archcpu(env)) &&
                 extract32(env->v7m.nsacr, 10, 1)) {
                 env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_FPCA_MASK;
                 env->v7m.control[M_REG_S] |= val & R_V7M_CONTROL_FPCA_MASK;
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
             env->v7m.control[env->v7m.secure] &= ~R_V7M_CONTROL_NPRIV_MASK;
             env->v7m.control[env->v7m.secure] |= val & R_V7M_CONTROL_NPRIV_MASK;
         }
-        if (arm_feature(env, ARM_FEATURE_VFP)) {
+        if (cpu_isar_feature(aa32_simd_r16, env_archcpu(env))) {
             /*
              * SFPA is RAZ/WI from NS or if no FPU.
              * FPCA is RO if NSACR.CP10 == 0, RES0 if the FPU is not present.
diff --git a/target/arm/machine.c b/target/arm/machine.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/machine.c
+++ b/target/arm/machine.c
@@ -XXX,XX +XXX,XX @@
 static bool vfp_needed(void *opaque)
 {
     ARMCPU *cpu = opaque;
-    CPUARMState *env = &cpu->env;
 
-    return arm_feature(env, ARM_FEATURE_VFP);
+    return cpu_isar_feature(aa32_simd_r16, cpu);
 }
 
 static int get_fpscr(QEMUFile *f, void *opaque, size_t size,
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The old name, isar_feature_aa32_fpdp, does not reflect
that the test includes VFPv2.  We will introduce further
feature tests for VFPv3.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200214181547.21408-7-richard.henderson@linaro.org
[PMM: fixed grammar in commit message]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h               |  4 ++--
 target/arm/translate-vfp.inc.c | 40 +++++++++++++++++-----------------
 2 files changed, 22 insertions(+), 22 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

We will shortly use these to test for VFPv2 and VFPv3
in different situations.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200214181547.21408-8-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

Shuffle the order of the checks so that we test the ISA
before we test anything else, such as the register arguments.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200214181547.21408-9-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-vfp.inc.c | 144 ++++++++++++++++-----------------
 1 file changed, 72 insertions(+), 72 deletions(-)

diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.inc.c
+++ b/target/arm/translate-vfp.inc.c
@@ -XXX,XX +XXX,XX @@ static bool trans_VSEL(DisasContext *s, arg_VSEL *a)
         return false;
     }
 
-    /* UNDEF accesses to D16-D31 if they don't exist */
-    if (dp && !dc_isar_feature(aa32_simd_r32, s) &&
-        ((a->vm | a->vn | a->vd) & 0x10)) {
+    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
         return false;
     }
 
-    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
+    /* UNDEF accesses to D16-D31 if they don't exist */
+    if (dp && !dc_isar_feature(aa32_simd_r32, s) &&
+        ((a->vm | a->vn | a->vd) & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VMINMAXNM(DisasContext *s, arg_VMINMAXNM *a)
         return false;
     }
 
-    /* UNDEF accesses to D16-D31 if they don't exist */
-    if (dp && !dc_isar_feature(aa32_simd_r32, s) &&
-        ((a->vm | a->vn | a->vd) & 0x10)) {
+    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
         return false;
     }
 
-    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
+    /* UNDEF accesses to D16-D31 if they don't exist */
+    if (dp && !dc_isar_feature(aa32_simd_r32, s) &&
+        ((a->vm | a->vn | a->vd) & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINT(DisasContext *s, arg_VRINT *a)
         return false;
     }
 
-    /* UNDEF accesses to D16-D31 if they don't exist */
-    if (dp && !dc_isar_feature(aa32_simd_r32, s) &&
-        ((a->vm | a->vd) & 0x10)) {
+    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
         return false;
     }
 
-    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
+    /* UNDEF accesses to D16-D31 if they don't exist */
+    if (dp && !dc_isar_feature(aa32_simd_r32, s) &&
+        ((a->vm | a->vd) & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT(DisasContext *s, arg_VCVT *a)
         return false;
     }
 
-    /* UNDEF accesses to D16-D31 if they don't exist */
-    if (dp && !dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
+    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
         return false;
     }
 
-    if (dp && !dc_isar_feature(aa32_fpdp_v2, s)) {
+    /* UNDEF accesses to D16-D31 if they don't exist */
+    if (dp && !dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool do_vfp_3op_dp(DisasContext *s, VFPGen3OpDPFn *fn,
     TCGv_i64 f0, f1, fd;
     TCGv_ptr fpst;
 
-    /* UNDEF accesses to D16-D31 if they don't exist */
-    if (!dc_isar_feature(aa32_simd_r32, s) && ((vd | vn | vm) & 0x10)) {
+    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
         return false;
     }
 
-    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
+    /* UNDEF accesses to D16-D31 if they don't exist */
+    if (!dc_isar_feature(aa32_simd_r32, s) && ((vd | vn | vm) & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool do_vfp_2op_dp(DisasContext *s, VFPGen2OpDPFn *fn, int vd, int vm)
     int veclen = s->vec_len;
     TCGv_i64 f0, fd;
 
-    /* UNDEF accesses to D16-D31 if they don't exist */
-    if (!dc_isar_feature(aa32_simd_r32, s) && ((vd | vm) & 0x10)) {
+    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
         return false;
     }
 
-    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
+    /* UNDEF accesses to D16-D31 if they don't exist */
+    if (!dc_isar_feature(aa32_simd_r32, s) && ((vd | vm) & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VFM_dp(DisasContext *s, arg_VFM_dp *a)
         return false;
     }
 
-    /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_simd_r32, s) &&
-        ((a->vd | a->vn | a->vm) & 0x10)) {
+    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
         return false;
     }
 
-    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
+    /* UNDEF accesses to D16-D31 if they don't exist. */
+    if (!dc_isar_feature(aa32_simd_r32, s) &&
+        ((a->vd | a->vn | a->vm) & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_imm_dp(DisasContext *s, arg_VMOV_imm_dp *a)
 
     vd = a->vd;
 
-    /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_simd_r32, s) && (vd & 0x10)) {
+    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
         return false;
     }
 
-    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
+    /* UNDEF accesses to D16-D31 if they don't exist. */
+    if (!dc_isar_feature(aa32_simd_r32, s) && (vd & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VCMP_dp(DisasContext *s, arg_VCMP_dp *a)
 {
     TCGv_i64 vd, vm;
 
+    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
+        return false;
+    }
+
     /* Vm/M bits must be zero for the Z variant */
     if (a->z && a->vm != 0) {
         return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_VCMP_dp(DisasContext *s, arg_VCMP_dp *a)
         return false;
     }
 
-    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
-        return false;
-    }
-
     if (!vfp_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_f64_f16(DisasContext *s, arg_VCVT_f64_f16 *a)
     TCGv_i32 tmp;
     TCGv_i64 vd;
 
+    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
+        return false;
+    }
+
     if (!dc_isar_feature(aa32_fp16_dpconv, s)) {
         return false;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_f64_f16(DisasContext *s, arg_VCVT_f64_f16 *a)
         return false;
     }
 
-    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
-        return false;
-    }
-
     if (!vfp_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_f16_f64(DisasContext *s, arg_VCVT_f16_f64 *a)
     TCGv_i32 tmp;
     TCGv_i64 vm;
 
+    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
+        return false;
+    }
+
     if (!dc_isar_feature(aa32_fp16_dpconv, s)) {
         return false;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_f16_f64(DisasContext *s, arg_VCVT_f16_f64 *a)
         return false;
     }
 
-    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
-        return false;
-    }
-
     if (!vfp_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTR_dp(DisasContext *s, arg_VRINTR_dp *a)
     TCGv_ptr fpst;
     TCGv_i64 tmp;
 
+    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
+        return false;
+    }
+
     if (!dc_isar_feature(aa32_vrint, s)) {
         return false;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTR_dp(DisasContext *s, arg_VRINTR_dp *a)
         return false;
     }
 
-    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
-        return false;
-    }
-
     if (!vfp_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTZ_dp(DisasContext *s, arg_VRINTZ_dp *a)
     TCGv_i64 tmp;
     TCGv_i32 tcg_rmode;
 
+    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
+        return false;
+    }
+
     if (!dc_isar_feature(aa32_vrint, s)) {
         return false;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTZ_dp(DisasContext *s, arg_VRINTZ_dp *a)
         return false;
     }
 
-    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
-        return false;
-    }
-
     if (!vfp_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTX_dp(DisasContext *s, arg_VRINTX_dp *a)
     TCGv_ptr fpst;
     TCGv_i64 tmp;
 
+    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
+        return false;
+    }
+
     if (!dc_isar_feature(aa32_vrint, s)) {
         return false;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_VRINTX_dp(DisasContext *s, arg_VRINTX_dp *a)
         return false;
     }
 
-    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
-        return false;
-    }
-
     if (!vfp_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_sp(DisasContext *s, arg_VCVT_sp *a)
     TCGv_i64 vd;
     TCGv_i32 vm;
 
-    /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd & 0x10)) {
+    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
         return false;
     }
 
-    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
+    /* UNDEF accesses to D16-D31 if they don't exist. */
+    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_dp(DisasContext *s, arg_VCVT_dp *a)
     TCGv_i64 vm;
     TCGv_i32 vd;
 
-    /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
+    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
         return false;
     }
 
-    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
+    /* UNDEF accesses to D16-D31 if they don't exist. */
+    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_int_dp(DisasContext *s, arg_VCVT_int_dp *a)
     TCGv_i64 vd;
     TCGv_ptr fpst;
 
-    /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd & 0x10)) {
+    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
         return false;
     }
 
-    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
+    /* UNDEF accesses to D16-D31 if they don't exist. */
+    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vd & 0x10)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VJCVT(DisasContext *s, arg_VJCVT *a)
     TCGv_i32 vd;
     TCGv_i64 vm;
 
+    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
+        return false;
+    }
+
     if (!dc_isar_feature(aa32_jscvt, s)) {
         return false;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_VJCVT(DisasContext *s, arg_VJCVT *a)
         return false;
     }
 
-    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
-        return false;
-    }
-
     if (!vfp_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_fix_dp(DisasContext *s, arg_VCVT_fix_dp *a)
     TCGv_ptr fpst;
     int frac_bits;
 
+    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
+        return false;
+    }
+
     if (!arm_dc_feature(s, ARM_FEATURE_VFP3)) {
         return false;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_fix_dp(DisasContext *s, arg_VCVT_fix_dp *a)
         return false;
     }
 
-    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
-        return false;
-    }
-
     if (!vfp_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_VCVT_dp_int(DisasContext *s, arg_VCVT_dp_int *a)
     TCGv_i64 vm;
     TCGv_ptr fpst;
 
-    /* UNDEF accesses to D16-D31 if they don't exist. */
-    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
+    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
         return false;
     }
 
-    if (!dc_isar_feature(aa32_fpdp_v2, s)) {
+    /* UNDEF accesses to D16-D31 if they don't exist. */
+    if (!dc_isar_feature(aa32_simd_r32, s) && (a->vm & 0x10)) {
         return false;
     }
 
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Sort this check to the start of a trans_* function.
Merge this with any existing test for fpdp_v2.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200214181547.21408-10-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-vfp.inc.c | 24 ++++++++----------------
 1 file changed, 8 insertions(+), 16 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

We will eventually remove the early ARM_FEATURE_VFP test,
so add a proper test for each trans_* that does not already
have another ISA test.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200214181547.21408-11-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-vfp.inc.c | 78 ++++++++++++++++++++++++++++++----
 1 file changed, 69 insertions(+), 9 deletions(-)

Hi; here's a target-arm pullreq. Mostly this is RTH's FEAT_RME
series; there are also a handful of bug fixes including some
which aren't arm-specific but which it's convenient to include
here.

thanks
-- PMM

The following changes since commit b455ce4c2f300c8ba47cba7232dd03261368a4cb:

Merge tag 'q800-for-8.1-pull-request' of https://github.com/vivier/qemu-m68k into staging (2023-06-22 10:18:32 +0200)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230623

for you to fetch changes up to 497fad38979c16b6412388927401e577eba43d26:

pc-bios/keymaps: Use the official xkb name for Arabic layout, not the legacy synonym (2023-06-23 11:46:02 +0100)

----------------------------------------------------------------
target-arm queue:
 * Add (experimental) support for FEAT_RME
 * host-utils: Avoid using __builtin_subcll on buggy versions of Apple Clang
 * target/arm: Restructure has_vfp_d32 test
 * hw/arm/sbsa-ref: add ITS support in SBSA GIC
 * target/arm: Fix sve predicate store, 8 <= VQ <= 15
 * pc-bios/keymaps: Use the official xkb name for Arabic layout, not the legacy synonym

----------------------------------------------------------------
Peter Maydell (2):
      host-utils: Avoid using __builtin_subcll on buggy versions of Apple Clang
      pc-bios/keymaps: Use the official xkb name for Arabic layout, not the legacy synonym

Richard Henderson (23):
      target/arm: Add isar_feature_aa64_rme
      target/arm: Update SCR and HCR for RME
      target/arm: SCR_EL3.NS may be RES1
      target/arm: Add RME cpregs
      target/arm: Introduce ARMSecuritySpace
      include/exec/memattrs: Add two bits of space to MemTxAttrs
      target/arm: Adjust the order of Phys and Stage2 ARMMMUIdx
      target/arm: Introduce ARMMMUIdx_Phys_{Realm,Root}
      target/arm: Remove __attribute__((nonnull)) from ptw.c
      target/arm: Pipe ARMSecuritySpace through ptw.c
      target/arm: NSTable is RES0 for the RME EL3 regime
      target/arm: Handle Block and Page bits for security space
      target/arm: Handle no-execute for Realm and Root regimes
      target/arm: Use get_phys_addr_with_struct in S1_ptw_translate
      target/arm: Move s1_is_el0 into S1Translate
      target/arm: Use get_phys_addr_with_struct for stage2
      target/arm: Add GPC syndrome
      target/arm: Implement GPC exceptions
      target/arm: Implement the granule protection check
      target/arm: Add cpu properties for enabling FEAT_RME
      docs/system/arm: Document FEAT_RME
      target/arm: Restructure has_vfp_d32 test
      target/arm: Fix sve predicate store, 8 <= VQ <= 15

Shashi Mallela (1):
      hw/arm/sbsa-ref: add ITS support in SBSA GIC

From: Richard Henderson <richard.henderson@linaro.org>

Add the missing field for ID_AA64PFR0, and the predicate.
Disable it if EL3 is forced off by the board or command-line.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h | 6 ++++++
 target/arm/cpu.c | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64PFR0, SEL2, 36, 4)
 FIELD(ID_AA64PFR0, MPAM, 40, 4)
 FIELD(ID_AA64PFR0, AMU, 44, 4)
 FIELD(ID_AA64PFR0, DIT, 48, 4)
+FIELD(ID_AA64PFR0, RME, 52, 4)
 FIELD(ID_AA64PFR0, CSV2, 56, 4)
 FIELD(ID_AA64PFR0, CSV3, 60, 4)
 
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_sel2(const ARMISARegisters *id)
     return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, SEL2) != 0;
 }
 
+static inline bool isar_feature_aa64_rme(const ARMISARegisters *id)
+{
+    return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, RME) != 0;
+}
+
 static inline bool isar_feature_aa64_vh(const ARMISARegisters *id)
 {
     return FIELD_EX64(id->id_aa64mmfr1, ID_AA64MMFR1, VH) != 0;
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
         cpu->isar.id_dfr0 = FIELD_DP32(cpu->isar.id_dfr0, ID_DFR0, COPSDBG, 0);
         cpu->isar.id_aa64pfr0 = FIELD_DP64(cpu->isar.id_aa64pfr0,
                                            ID_AA64PFR0, EL3, 0);
+
+        /* Disable the realm management extension, which requires EL3. */
+        cpu->isar.id_aa64pfr0 = FIELD_DP64(cpu->isar.id_aa64pfr0,
+                                           ID_AA64PFR0, RME, 0);
     }
 
     if (!cpu->has_el2) {
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Define the missing SCR and HCR bits, allow SCR_NSE and {SCR,HCR}_GPF
to be set, and invalidate TLBs when NSE changes.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h    |  5 +++--
 target/arm/helper.c | 10 ++++++++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask)
 #define HCR_TERR      (1ULL << 36)
 #define HCR_TEA       (1ULL << 37)
 #define HCR_MIOCNCE   (1ULL << 38)
-/* RES0 bit 39 */
+#define HCR_TME       (1ULL << 39)
 #define HCR_APK       (1ULL << 40)
 #define HCR_API       (1ULL << 41)
 #define HCR_NV        (1ULL << 42)
@@ -XXX,XX +XXX,XX @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask)
 #define HCR_NV2       (1ULL << 45)
 #define HCR_FWB       (1ULL << 46)
 #define HCR_FIEN      (1ULL << 47)
-/* RES0 bit 48 */
+#define HCR_GPF       (1ULL << 48)
 #define HCR_TID4      (1ULL << 49)
 #define HCR_TICAB     (1ULL << 50)
 #define HCR_AMVOFFEN  (1ULL << 51)
@@ -XXX,XX +XXX,XX @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask)
 #define SCR_TRNDR             (1ULL << 40)
 #define SCR_ENTP2             (1ULL << 41)
 #define SCR_GPF               (1ULL << 48)
+#define SCR_NSE               (1ULL << 62)
 
 #define HSTR_TTEE (1 << 16)
 #define HSTR_TJDBX (1 << 17)
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
         if (cpu_isar_feature(aa64_fgt, cpu)) {
             valid_mask |= SCR_FGTEN;
         }
+        if (cpu_isar_feature(aa64_rme, cpu)) {
+            valid_mask |= SCR_NSE | SCR_GPF;
+        }
     } else {
         valid_mask &= ~(SCR_RW | SCR_ST);
         if (cpu_isar_feature(aa32_ras, cpu)) {
@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
     env->cp15.scr_el3 = value;
 
     /*
-     * If SCR_EL3.NS changes, i.e. arm_is_secure_below_el3, then
+     * If SCR_EL3.{NS,NSE} changes, i.e. change of security state,
      * we must invalidate all TLBs below EL3.
      */
-    if (changed & SCR_NS) {
+    if (changed & (SCR_NS | SCR_NSE)) {
         tlb_flush_by_mmuidx(env_cpu(env), (ARMMMUIdxBit_E10_0 |
                                            ARMMMUIdxBit_E20_0 |
                                            ARMMMUIdxBit_E10_1 |
@@ -XXX,XX +XXX,XX @@ static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask)
         if (cpu_isar_feature(aa64_fwb, cpu)) {
             valid_mask |= HCR_FWB;
         }
+        if (cpu_isar_feature(aa64_rme, cpu)) {
+            valid_mask |= HCR_GPF;
+        }
     }
 
     if (cpu_isar_feature(any_evt, cpu)) {
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

With RME, SEL2 must also be present to support secure state.
The NS bit is RES1 if SEL2 is not present.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
         }
         if (cpu_isar_feature(aa64_sel2, cpu)) {
             valid_mask |= SCR_EEL2;
+        } else if (cpu_isar_feature(aa64_rme, cpu)) {
+            /* With RME and without SEL2, NS is RES1 (R_GSWWH, I_DJJQJ). */
+            value |= SCR_NS;
         }
         if (cpu_isar_feature(aa64_mte, cpu)) {
             valid_mask |= SCR_ATA;
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

This includes GPCCR, GPTBR, MFAR, the TLB flush insns PAALL, PAALLOS,
RPALOS, RPAOS, and the cache flush insns CIPAPA and CIGDPAPA.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-5-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h    | 19 ++++++++++
 target/arm/helper.c | 84 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 103 insertions(+)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUArchState {
         uint64_t fgt_read[2]; /* HFGRTR, HDFGRTR */
         uint64_t fgt_write[2]; /* HFGWTR, HDFGWTR */
         uint64_t fgt_exec[1]; /* HFGITR */
+
+        /* RME registers */
+        uint64_t gpccr_el3;
+        uint64_t gptbr_el3;
+        uint64_t mfar_el3;
     } cp15;
 
     struct {
@@ -XXX,XX +XXX,XX @@ struct ArchCPU {
     uint64_t reset_cbar;
     uint32_t reset_auxcr;
     bool reset_hivecs;
+    uint8_t reset_l0gptsz;
 
     /*
      * Intermediate values used during property parsing.
@@ -XXX,XX +XXX,XX @@ FIELD(MVFR1, SIMDFMAC, 28, 4)
 FIELD(MVFR2, SIMDMISC, 0, 4)
 FIELD(MVFR2, FPMISC, 4, 4)
 
+FIELD(GPCCR, PPS, 0, 3)
+FIELD(GPCCR, IRGN, 8, 2)
+FIELD(GPCCR, ORGN, 10, 2)
+FIELD(GPCCR, SH, 12, 2)
+FIELD(GPCCR, PGS, 14, 2)
+FIELD(GPCCR, GPC, 16, 1)
+FIELD(GPCCR, GPCP, 17, 1)
+FIELD(GPCCR, L0GPTSZ, 20, 4)
+
+FIELD(MFAR, FPA, 12, 40)
+FIELD(MFAR, NSE, 62, 1)
+FIELD(MFAR, NS, 63, 1)
+
 QEMU_BUILD_BUG_ON(ARRAY_SIZE(((ARMCPU *)0)->ccsidr) <= R_V7M_CSSELR_INDEX_MASK);
 
 /* If adding a feature bit which corresponds to a Linux ELF
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo sme_reginfo[] = {
       .access = PL2_RW, .accessfn = access_esm,
       .type = ARM_CP_CONST, .resetvalue = 0 },
 };
+
+static void tlbi_aa64_paall_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                                  uint64_t value)
+{
+    CPUState *cs = env_cpu(env);
+
+    tlb_flush(cs);
+}
+
+static void gpccr_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                        uint64_t value)
+{
+    /* L0GPTSZ is RO; other bits not mentioned are RES0. */
+    uint64_t rw_mask = R_GPCCR_PPS_MASK | R_GPCCR_IRGN_MASK |
+        R_GPCCR_ORGN_MASK | R_GPCCR_SH_MASK | R_GPCCR_PGS_MASK |
+        R_GPCCR_GPC_MASK | R_GPCCR_GPCP_MASK;
+
+    env->cp15.gpccr_el3 = (value & rw_mask) | (env->cp15.gpccr_el3 & ~rw_mask);
+}
+
+static void gpccr_reset(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+    env->cp15.gpccr_el3 = FIELD_DP64(0, GPCCR, L0GPTSZ,
+                                     env_archcpu(env)->reset_l0gptsz);
+}
+
+static void tlbi_aa64_paallos_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                                    uint64_t value)
+{
+    CPUState *cs = env_cpu(env);
+
+    tlb_flush_all_cpus_synced(cs);
+}
+
+static const ARMCPRegInfo rme_reginfo[] = {
+    { .name = "GPCCR_EL3", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 6, .crn = 2, .crm = 1, .opc2 = 6,
+      .access = PL3_RW, .writefn = gpccr_write, .resetfn = gpccr_reset,
+      .fieldoffset = offsetof(CPUARMState, cp15.gpccr_el3) },
+    { .name = "GPTBR_EL3", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 6, .crn = 2, .crm = 1, .opc2 = 4,
+      .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.gptbr_el3) },
+    { .name = "MFAR_EL3", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 6, .crn = 6, .crm = 0, .opc2 = 5,
+      .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.mfar_el3) },
+    { .name = "TLBI_PAALL", .state = ARM_CP_STATE_AA64,
+      .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 7, .opc2 = 4,
+      .access = PL3_W, .type = ARM_CP_NO_RAW,
+      .writefn = tlbi_aa64_paall_write },
+    { .name = "TLBI_PAALLOS", .state = ARM_CP_STATE_AA64,
+      .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 1, .opc2 = 4,
+      .access = PL3_W, .type = ARM_CP_NO_RAW,
+      .writefn = tlbi_aa64_paallos_write },
+    /*
+     * QEMU does not have a way to invalidate by physical address, thus
+     * invalidating a range of physical addresses is accomplished by
+     * flushing all tlb entries in the outer sharable domain,
+     * just like PAALLOS.
+     */
+    { .name = "TLBI_RPALOS", .state = ARM_CP_STATE_AA64,
+      .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 4, .opc2 = 7,
+      .access = PL3_W, .type = ARM_CP_NO_RAW,
+      .writefn = tlbi_aa64_paallos_write },
+    { .name = "TLBI_RPAOS", .state = ARM_CP_STATE_AA64,
+      .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 4, .opc2 = 3,
+      .access = PL3_W, .type = ARM_CP_NO_RAW,
+      .writefn = tlbi_aa64_paallos_write },
+    { .name = "DC_CIPAPA", .state = ARM_CP_STATE_AA64,
+      .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 14, .opc2 = 1,
+      .access = PL3_W, .type = ARM_CP_NOP },
+};
+
+static const ARMCPRegInfo rme_mte_reginfo[] = {
+    { .name = "DC_CIGDPAPA", .state = ARM_CP_STATE_AA64,
+      .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 14, .opc2 = 5,
+      .access = PL3_W, .type = ARM_CP_NOP },
+};
 #endif /* TARGET_AARCH64 */
 
 static void define_pmu_regs(ARMCPU *cpu)
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
     if (cpu_isar_feature(aa64_fgt, cpu)) {
         define_arm_cp_regs(cpu, fgt_reginfo);
     }
+
+    if (cpu_isar_feature(aa64_rme, cpu)) {
+        define_arm_cp_regs(cpu, rme_reginfo);
+        if (cpu_isar_feature(aa64_mte, cpu)) {
+            define_arm_cp_regs(cpu, rme_mte_reginfo);
+        }
+    }
 #endif
 
     if (cpu_isar_feature(any_predinv, cpu)) {
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Introduce both the enumeration and functions to retrieve
the current state, and state outside of EL3.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-6-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h    | 89 ++++++++++++++++++++++++++++++++++-----------
 target/arm/helper.c | 60 ++++++++++++++++++++++++++++++
 2 files changed, 127 insertions(+), 22 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline int arm_feature(CPUARMState *env, int feature)
 
 void arm_cpu_finalize_features(ARMCPU *cpu, Error **errp);
 
-#if !defined(CONFIG_USER_ONLY)
 /*
+ * ARM v9 security states.
+ * The ordering of the enumeration corresponds to the low 2 bits
+ * of the GPI value, and (except for Root) the concat of NSE:NS.
+ */
+
+typedef enum ARMSecuritySpace {
+    ARMSS_Secure     = 0,
+    ARMSS_NonSecure  = 1,
+    ARMSS_Root       = 2,
+    ARMSS_Realm      = 3,
+} ARMSecuritySpace;
+
+/* Return true if @space is secure, in the pre-v9 sense. */
+static inline bool arm_space_is_secure(ARMSecuritySpace space)
+{
+    return space == ARMSS_Secure || space == ARMSS_Root;
+}
+
+/* Return the ARMSecuritySpace for @secure, assuming !RME or EL[0-2]. */
+static inline ARMSecuritySpace arm_secure_to_space(bool secure)
+{
+    return secure ? ARMSS_Secure : ARMSS_NonSecure;
+}
+
+#if !defined(CONFIG_USER_ONLY)
+/**
+ * arm_security_space_below_el3:
+ * @env: cpu context
+ *
+ * Return the security space of exception levels below EL3, following
+ * an exception return to those levels.  Unlike arm_security_space,
+ * this doesn't care about the current EL.
+ */
+ARMSecuritySpace arm_security_space_below_el3(CPUARMState *env);
+
+/**
+ * arm_is_secure_below_el3:
+ * @env: cpu context
+ *
  * Return true if exception levels below EL3 are in secure state,
- * or would be following an exception return to that level.
- * Unlike arm_is_secure() (which is always a question about the
- * _current_ state of the CPU) this doesn't care about the current
- * EL or mode.
+ * or would be following an exception return to those levels.
  */
 static inline bool arm_is_secure_below_el3(CPUARMState *env)
 {
-    assert(!arm_feature(env, ARM_FEATURE_M));
-    if (arm_feature(env, ARM_FEATURE_EL3)) {
-        return !(env->cp15.scr_el3 & SCR_NS);
-    } else {
-        /* If EL3 is not supported then the secure state is implementation
-         * defined, in which case QEMU defaults to non-secure.
-         */
-        return false;
-    }
+    ARMSecuritySpace ss = arm_security_space_below_el3(env);
+    return ss == ARMSS_Secure;
 }
 
 /* Return true if the CPU is AArch64 EL3 or AArch32 Mon */
@@ -XXX,XX +XXX,XX @@ static inline bool arm_is_el3_or_mon(CPUARMState *env)
     return false;
 }
 
-/* Return true if the processor is in secure state */
+/**
+ * arm_security_space:
+ * @env: cpu context
+ *
+ * Return the current security space of the cpu.
+ */
+ARMSecuritySpace arm_security_space(CPUARMState *env);
+
+/**
+ * arm_is_secure:
+ * @env: cpu context
+ *
+ * Return true if the processor is in secure state.
+ */
 static inline bool arm_is_secure(CPUARMState *env)
 {
-    if (arm_feature(env, ARM_FEATURE_M)) {
-        return env->v7m.secure;
-    }
-    if (arm_is_el3_or_mon(env)) {
-        return true;
-    }
-    return arm_is_secure_below_el3(env);
+    return arm_space_is_secure(arm_security_space(env));
 }
 
 /*
@@ -XXX,XX +XXX,XX @@ static inline bool arm_is_el2_enabled(CPUARMState *env)
 }
 
 #else
+static inline ARMSecuritySpace arm_security_space_below_el3(CPUARMState *env)
+{
+    return ARMSS_NonSecure;
+}
+
 static inline bool arm_is_secure_below_el3(CPUARMState *env)
 {
     return false;
 }
 
+static inline ARMSecuritySpace arm_security_space(CPUARMState *env)
+{
+    return ARMSS_NonSecure;
+}
+
 static inline bool arm_is_secure(CPUARMState *env)
 {
     return false;
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void aarch64_sve_change_el(CPUARMState *env, int old_el,
     }
 }
 #endif
+
+#ifndef CONFIG_USER_ONLY
+ARMSecuritySpace arm_security_space(CPUARMState *env)
+{
+    if (arm_feature(env, ARM_FEATURE_M)) {
+        return arm_secure_to_space(env->v7m.secure);
+    }
+
+    /*
+     * If EL3 is not supported then the secure state is implementation
+     * defined, in which case QEMU defaults to non-secure.
+     */
+    if (!arm_feature(env, ARM_FEATURE_EL3)) {
+        return ARMSS_NonSecure;
+    }
+
+    /* Check for AArch64 EL3 or AArch32 Mon. */
+    if (is_a64(env)) {
+        if (extract32(env->pstate, 2, 2) == 3) {
+            if (cpu_isar_feature(aa64_rme, env_archcpu(env))) {
+                return ARMSS_Root;
+            } else {
+                return ARMSS_Secure;
+            }
+        }
+    } else {
+        if ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_MON) {
+            return ARMSS_Secure;
+        }
+    }
+
+    return arm_security_space_below_el3(env);
+}
+
+ARMSecuritySpace arm_security_space_below_el3(CPUARMState *env)
+{
+    assert(!arm_feature(env, ARM_FEATURE_M));
+
+    /*
+     * If EL3 is not supported then the secure state is implementation
+     * defined, in which case QEMU defaults to non-secure.
+     */
+    if (!arm_feature(env, ARM_FEATURE_EL3)) {
+        return ARMSS_NonSecure;
+    }
+
+    /*
+     * Note NSE cannot be set without RME, and NSE & !NS is Reserved.
+     * Ignoring NSE when !NS retains consistency without having to
+     * modify other predicates.
+     */
+    if (!(env->cp15.scr_el3 & SCR_NS)) {
+        return ARMSS_Secure;
+    } else if (env->cp15.scr_el3 & SCR_NSE) {
+        return ARMSS_Realm;
+    } else {
+        return ARMSS_NonSecure;
+    }
+}
+#endif /* !CONFIG_USER_ONLY */
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

We will need 2 bits to represent ARMSecurityState.

Do not attempt to replace or widen secure, even though it
logically overlaps the new field -- there are uses within
e.g. hw/block/pflash_cfi01.c, which don't know anything
specific about ARM.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-7-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/exec/memattrs.h | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memattrs.h
+++ b/include/exec/memattrs.h
@@ -XXX,XX +XXX,XX @@ typedef struct MemTxAttrs {
      * "didn't specify" if necessary.
      */
     unsigned int unspecified:1;
-    /* ARM/AMBA: TrustZone Secure access
+    /*
+     * ARM/AMBA: TrustZone Secure access
      * x86: System Management Mode access
      */
     unsigned int secure:1;
+    /*
+     * ARM: ArmSecuritySpace.  This partially overlaps secure, but it is
+     * easier to have both fields to assist code that does not understand
+     * ARMv9 RME, or no specific knowledge of ARM at all (e.g. pflash).
+     */
+    unsigned int space:2;
     /* Memory access is usermode (unprivileged) */
     unsigned int user:1;
     /*
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

It will be helpful to have ARMMMUIdx_Phys_* to be in the same
relative order as ARMSecuritySpace enumerators. This requires
the adjustment to the nstable check. While there, check for being
in secure state rather than rely on clearing the low bit making
no change to non-secure state.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-8-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h | 12 ++++++------
 target/arm/ptw.c | 12 +++++-------
 2 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdx {
     ARMMMUIdx_E2        = 6 | ARM_MMU_IDX_A,
     ARMMMUIdx_E3        = 7 | ARM_MMU_IDX_A,
 
-    /* TLBs with 1-1 mapping to the physical address spaces. */
-    ARMMMUIdx_Phys_NS   = 8 | ARM_MMU_IDX_A,
-    ARMMMUIdx_Phys_S    = 9 | ARM_MMU_IDX_A,
-
     /*
      * Used for second stage of an S12 page table walk, or for descriptor
      * loads during first stage of an S1 page table walk.  Note that both
      * are in use simultaneously for SecureEL2: the security state for
      * the S2 ptw is selected by the NS bit from the S1 ptw.
      */
-    ARMMMUIdx_Stage2    = 10 | ARM_MMU_IDX_A,
-    ARMMMUIdx_Stage2_S  = 11 | ARM_MMU_IDX_A,
+    ARMMMUIdx_Stage2_S  = 8 | ARM_MMU_IDX_A,
+    ARMMMUIdx_Stage2    = 9 | ARM_MMU_IDX_A,
+
+    /* TLBs with 1-1 mapping to the physical address spaces. */
+    ARMMMUIdx_Phys_S    = 10 | ARM_MMU_IDX_A,
+    ARMMMUIdx_Phys_NS   = 11 | ARM_MMU_IDX_A,
 
     /*
      * These are not allocated TLBs and are used only for AT system
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
     descaddr |= (address >> (stride * (4 - level))) & indexmask;
     descaddr &= ~7ULL;
     nstable = !regime_is_stage2(mmu_idx) && extract32(tableattrs, 4, 1);
-    if (nstable) {
+    if (nstable && ptw->in_secure) {
         /*
          * Stage2_S -> Stage2 or Phys_S -> Phys_NS
-         * Assert that the non-secure idx are even, and relative order.
+         * Assert the relative order of the secure/non-secure indexes.
          */
-        QEMU_BUILD_BUG_ON((ARMMMUIdx_Phys_NS & 1) != 0);
-        QEMU_BUILD_BUG_ON((ARMMMUIdx_Stage2 & 1) != 0);
-        QEMU_BUILD_BUG_ON(ARMMMUIdx_Phys_NS + 1 != ARMMMUIdx_Phys_S);
-        QEMU_BUILD_BUG_ON(ARMMMUIdx_Stage2 + 1 != ARMMMUIdx_Stage2_S);
-        ptw->in_ptw_idx &= ~1;
+        QEMU_BUILD_BUG_ON(ARMMMUIdx_Phys_S + 1 != ARMMMUIdx_Phys_NS);
+        QEMU_BUILD_BUG_ON(ARMMMUIdx_Stage2_S + 1 != ARMMMUIdx_Stage2);
+        ptw->in_ptw_idx += 1;
         ptw->in_secure = false;
     }
     if (!S1_ptw_translate(env, ptw, descaddr, fi)) {
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

With FEAT_RME, there are four physical address spaces.
For now, just define the symbols, and mention them in
the same spots as the other Phys indexes in ptw.c.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-9-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h | 23 +++++++++++++++++++++--
 target/arm/ptw.c | 10 ++++++++--
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdx {
     ARMMMUIdx_Stage2    = 9 | ARM_MMU_IDX_A,
 
     /* TLBs with 1-1 mapping to the physical address spaces. */
-    ARMMMUIdx_Phys_S    = 10 | ARM_MMU_IDX_A,
-    ARMMMUIdx_Phys_NS   = 11 | ARM_MMU_IDX_A,
+    ARMMMUIdx_Phys_S     = 10 | ARM_MMU_IDX_A,
+    ARMMMUIdx_Phys_NS    = 11 | ARM_MMU_IDX_A,
+    ARMMMUIdx_Phys_Root  = 12 | ARM_MMU_IDX_A,
+    ARMMMUIdx_Phys_Realm = 13 | ARM_MMU_IDX_A,
 
     /*
      * These are not allocated TLBs and are used only for AT system
@@ -XXX,XX +XXX,XX @@ typedef enum ARMASIdx {
     ARMASIdx_TagS = 3,
 } ARMASIdx;
 
+static inline ARMMMUIdx arm_space_to_phys(ARMSecuritySpace space)
+{
+    /* Assert the relative order of the physical mmu indexes. */
+    QEMU_BUILD_BUG_ON(ARMSS_Secure != 0);
+    QEMU_BUILD_BUG_ON(ARMMMUIdx_Phys_NS != ARMMMUIdx_Phys_S + ARMSS_NonSecure);
+    QEMU_BUILD_BUG_ON(ARMMMUIdx_Phys_Root != ARMMMUIdx_Phys_S + ARMSS_Root);
+    QEMU_BUILD_BUG_ON(ARMMMUIdx_Phys_Realm != ARMMMUIdx_Phys_S + ARMSS_Realm);
+
+    return ARMMMUIdx_Phys_S + space;
+}
+
+static inline ARMSecuritySpace arm_phys_to_space(ARMMMUIdx idx)
+{
+    assert(idx >= ARMMMUIdx_Phys_S && idx <= ARMMMUIdx_Phys_Realm);
+    return idx - ARMMMUIdx_Phys_S;
+}
+
 static inline bool arm_v7m_csselr_razwi(ARMCPU *cpu)
 {
     /* If all the CLIDR.Ctypem bits are 0 there are no caches, and
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
     case ARMMMUIdx_E3:
         break;
 
-    case ARMMMUIdx_Phys_NS:
     case ARMMMUIdx_Phys_S:
+    case ARMMMUIdx_Phys_NS:
+    case ARMMMUIdx_Phys_Root:
+    case ARMMMUIdx_Phys_Realm:
         /* No translation for physical address spaces. */
         return true;
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
     switch (mmu_idx) {
     case ARMMMUIdx_Stage2:
     case ARMMMUIdx_Stage2_S:
-    case ARMMMUIdx_Phys_NS:
     case ARMMMUIdx_Phys_S:
+    case ARMMMUIdx_Phys_NS:
+    case ARMMMUIdx_Phys_Root:
+    case ARMMMUIdx_Phys_Realm:
         break;
 
     default:
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
     switch (mmu_idx) {
     case ARMMMUIdx_Phys_S:
     case ARMMMUIdx_Phys_NS:
+    case ARMMMUIdx_Phys_Root:
+    case ARMMMUIdx_Phys_Realm:
         /* Checking Phys early avoids special casing later vs regime_el. */
         return get_phys_addr_disabled(env, address, access_type, mmu_idx,
                                       is_secure, result, fi);
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

This was added in 7e98e21c098 as part of a reorg in which
one of the argument had been legally NULL, and this caught
actual instances.  Now that the reorg is complete, this
serves little purpose.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-10-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ typedef struct S1Translate {
 static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
                                uint64_t address,
                                MMUAccessType access_type, bool s1_is_el0,
-                               GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
-    __attribute__((nonnull));
+                               GetPhysAddrResult *result, ARMMMUFaultInfo *fi);
 
 static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
                                       target_ulong address,
                                       MMUAccessType access_type,
                                       GetPhysAddrResult *result,
-                                      ARMMMUFaultInfo *fi)
-    __attribute__((nonnull));
+                                      ARMMMUFaultInfo *fi);
 
 /* This mapping is common between ID_AA64MMFR0.PARANGE and TCR_ELx.{I}PS. */
 static const uint8_t pamax_map[] = {
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Add input and output space members to S1Translate.  Set and adjust
them in S1_ptw_translate, and the various points at which we drop
secure state.  Initialize the space in get_phys_addr; for now leave
get_phys_addr_with_secure considering only secure vs non-secure spaces.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-11-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 86 +++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 71 insertions(+), 15 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@
 typedef struct S1Translate {
     ARMMMUIdx in_mmu_idx;
     ARMMMUIdx in_ptw_idx;
+    ARMSecuritySpace in_space;
     bool in_secure;
     bool in_debug;
     bool out_secure;
     bool out_rw;
     bool out_be;
+    ARMSecuritySpace out_space;
     hwaddr out_virt;
     hwaddr out_phys;
     void *out_host;
@@ -XXX,XX +XXX,XX @@ static bool S2_attrs_are_device(uint64_t hcr, uint8_t attrs)
 static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
                              hwaddr addr, ARMMMUFaultInfo *fi)
 {
+    ARMSecuritySpace space = ptw->in_space;
     bool is_secure = ptw->in_secure;
     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
     ARMMMUIdx s2_mmu_idx = ptw->in_ptw_idx;
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
                 .in_mmu_idx = s2_mmu_idx,
                 .in_ptw_idx = ptw_idx_for_stage_2(env, s2_mmu_idx),
                 .in_secure = s2_mmu_idx == ARMMMUIdx_Stage2_S,
+                .in_space = (s2_mmu_idx == ARMMMUIdx_Stage2_S ? ARMSS_Secure
+                             : space == ARMSS_Realm ? ARMSS_Realm
+                             : ARMSS_NonSecure),
                 .in_debug = true,
             };
             GetPhysAddrResult s2 = { };
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
             ptw->out_phys = s2.f.phys_addr;
             pte_attrs = s2.cacheattrs.attrs;
             ptw->out_secure = s2.f.attrs.secure;
+            ptw->out_space = s2.f.attrs.space;
         } else {
             /* Regime is physical. */
             ptw->out_phys = addr;
             pte_attrs = 0;
             ptw->out_secure = s2_mmu_idx == ARMMMUIdx_Phys_S;
+            ptw->out_space = (s2_mmu_idx == ARMMMUIdx_Phys_S ? ARMSS_Secure
+                              : space == ARMSS_Realm ? ARMSS_Realm
+                              : ARMSS_NonSecure);
         }
         ptw->out_host = NULL;
         ptw->out_rw = false;
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
         ptw->out_rw = full->prot & PAGE_WRITE;
         pte_attrs = full->pte_attrs;
         ptw->out_secure = full->attrs.secure;
+        ptw->out_space = full->attrs.space;
 #else
         g_assert_not_reached();
 #endif
@@ -XXX,XX +XXX,XX @@ static uint32_t arm_ldl_ptw(CPUARMState *env, S1Translate *ptw,
         }
     } else {
         /* Page tables are in MMIO. */
-        MemTxAttrs attrs = { .secure = ptw->out_secure };
+        MemTxAttrs attrs = {
+            .secure = ptw->out_secure,
+            .space = ptw->out_space,
+        };
         AddressSpace *as = arm_addressspace(cs, attrs);
         MemTxResult result = MEMTX_OK;
 
@@ -XXX,XX +XXX,XX @@ static uint64_t arm_ldq_ptw(CPUARMState *env, S1Translate *ptw,
 #endif
     } else {
         /* Page tables are in MMIO. */
-        MemTxAttrs attrs = { .secure = ptw->out_secure };
+        MemTxAttrs attrs = {
+            .secure = ptw->out_secure,
+            .space = ptw->out_space,
+        };
         AddressSpace *as = arm_addressspace(cs, attrs);
         MemTxResult result = MEMTX_OK;
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, S1Translate *ptw,
          * regime, because the attribute will already be non-secure.
          */
         result->f.attrs.secure = false;
+        result->f.attrs.space = ARMSS_NonSecure;
     }
     result->f.phys_addr = phys_addr;
     return false;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
          * regime, because the attribute will already be non-secure.
          */
         result->f.attrs.secure = false;
+        result->f.attrs.space = ARMSS_NonSecure;
     }
 
     if (regime_is_stage2(mmu_idx)) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,
              */
             if (sattrs.ns) {
                 result->f.attrs.secure = false;
+                result->f.attrs.space = ARMSS_NonSecure;
             } else if (!secure) {
                 /*
                  * NS access to S memory must fault.
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
     bool is_secure = ptw->in_secure;
     bool ret, ipa_secure;
     ARMCacheAttrs cacheattrs1;
+    ARMSecuritySpace ipa_space;
     bool is_el0;
     uint64_t hcr;
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
 
     ipa = result->f.phys_addr;
     ipa_secure = result->f.attrs.secure;
+    ipa_space = result->f.attrs.space;
 
     is_el0 = ptw->in_mmu_idx == ARMMMUIdx_Stage1_E0;
     ptw->in_mmu_idx = ipa_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
     ptw->in_secure = ipa_secure;
+    ptw->in_space = ipa_space;
     ptw->in_ptw_idx = ptw_idx_for_stage_2(env, ptw->in_mmu_idx);
 
     /*
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
     ARMMMUIdx s1_mmu_idx;
 
     /*
-     * The page table entries may downgrade secure to non-secure, but
-     * cannot upgrade an non-secure translation regime's attributes
-     * to secure.
+     * The page table entries may downgrade Secure to NonSecure, but
+     * cannot upgrade a NonSecure translation regime's attributes
+     * to Secure or Realm.
      */
     result->f.attrs.secure = is_secure;
+    result->f.attrs.space = ptw->in_space;
 
     switch (mmu_idx) {
     case ARMMMUIdx_Phys_S:
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
 
     default:
         /* Single stage uses physical for ptw. */
-        ptw->in_ptw_idx = is_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS;
+        ptw->in_ptw_idx = arm_space_to_phys(ptw->in_space);
         break;
     }
 
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
     S1Translate ptw = {
         .in_mmu_idx = mmu_idx,
         .in_secure = is_secure,
+        .in_space = arm_secure_to_space(is_secure),
     };
     return get_phys_addr_with_struct(env, &ptw, address, access_type,
                                      result, fi);
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
                    MMUAccessType access_type, ARMMMUIdx mmu_idx,
                    GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
 {
-    bool is_secure;
+    S1Translate ptw = {
+        .in_mmu_idx = mmu_idx,
+    };
+    ARMSecuritySpace ss;
 
     switch (mmu_idx) {
     case ARMMMUIdx_E10_0:
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
     case ARMMMUIdx_Stage1_E1:
     case ARMMMUIdx_Stage1_E1_PAN:
     case ARMMMUIdx_E2:
-        is_secure = arm_is_secure_below_el3(env);
+        ss = arm_security_space_below_el3(env);
         break;
     case ARMMMUIdx_Stage2:
+        /*
+         * For Secure EL2, we need this index to be NonSecure;
+         * otherwise this will already be NonSecure or Realm.
+         */
+        ss = arm_security_space_below_el3(env);
+        if (ss == ARMSS_Secure) {
+            ss = ARMSS_NonSecure;
+        }
+        break;
     case ARMMMUIdx_Phys_NS:
     case ARMMMUIdx_MPrivNegPri:
     case ARMMMUIdx_MUserNegPri:
     case ARMMMUIdx_MPriv:
     case ARMMMUIdx_MUser:
-        is_secure = false;
+        ss = ARMSS_NonSecure;
         break;
-    case ARMMMUIdx_E3:
     case ARMMMUIdx_Stage2_S:
     case ARMMMUIdx_Phys_S:
     case ARMMMUIdx_MSPrivNegPri:
     case ARMMMUIdx_MSUserNegPri:
     case ARMMMUIdx_MSPriv:
     case ARMMMUIdx_MSUser:
-        is_secure = true;
+        ss = ARMSS_Secure;
+        break;
+    case ARMMMUIdx_E3:
+        if (arm_feature(env, ARM_FEATURE_AARCH64) &&
+            cpu_isar_feature(aa64_rme, env_archcpu(env))) {
+            ss = ARMSS_Root;
+        } else {
+            ss = ARMSS_Secure;
+        }
+        break;
+    case ARMMMUIdx_Phys_Root:
+        ss = ARMSS_Root;
+        break;
+    case ARMMMUIdx_Phys_Realm:
+        ss = ARMSS_Realm;
         break;
     default:
         g_assert_not_reached();
     }
-    return get_phys_addr_with_secure(env, address, access_type, mmu_idx,
-                                     is_secure, result, fi);
+
+    ptw.in_space = ss;
+    ptw.in_secure = arm_space_is_secure(ss);
+    return get_phys_addr_with_struct(env, &ptw, address, access_type,
+                                     result, fi);
 }
 
 hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
@@ -XXX,XX +XXX,XX @@ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
 {
     ARMCPU *cpu = ARM_CPU(cs);
     CPUARMState *env = &cpu->env;
+    ARMMMUIdx mmu_idx = arm_mmu_idx(env);
+    ARMSecuritySpace ss = arm_security_space(env);
     S1Translate ptw = {
-        .in_mmu_idx = arm_mmu_idx(env),
-        .in_secure = arm_is_secure(env),
+        .in_mmu_idx = mmu_idx,
+        .in_space = ss,
+        .in_secure = arm_space_is_secure(ss),
         .in_debug = true,
     };
     GetPhysAddrResult res = {};
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Test in_space instead of in_secure so that we don't
switch out of Root space.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-12-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
 {
     ARMCPU *cpu = env_archcpu(env);
     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
-    bool is_secure = ptw->in_secure;
     int32_t level;
     ARMVAParameters param;
     uint64_t ttbr;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
     uint64_t descaddrmask;
     bool aarch64 = arm_el_is_aa64(env, el);
     uint64_t descriptor, new_descriptor;
-    bool nstable;
 
     /* TODO: This code does not support shareability levels. */
     if (aarch64) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         descaddrmask = MAKE_64BIT_MASK(0, 40);
     }
     descaddrmask &= ~indexmask_grainsize;
-
-    /*
-     * Secure stage 1 accesses start with the page table in secure memory and
-     * can be downgraded to non-secure at any step. Non-secure accesses
-     * remain non-secure. We implement this by just ORing in the NSTable/NS
-     * bits at each step.
-     * Stage 2 never gets this kind of downgrade.
-     */
-    tableattrs = is_secure ? 0 : (1 << 4);
+    tableattrs = 0;
 
  next_level:
     descaddr |= (address >> (stride * (4 - level))) & indexmask;
     descaddr &= ~7ULL;
-    nstable = !regime_is_stage2(mmu_idx) && extract32(tableattrs, 4, 1);
-    if (nstable && ptw->in_secure) {
+
+    /*
+     * Process the NSTable bit from the previous level.  This changes
+     * the table address space and the output space from Secure to
+     * NonSecure.  With RME, the EL3 translation regime does not change
+     * from Root to NonSecure.
+     */
+    if (ptw->in_space == ARMSS_Secure
+        && !regime_is_stage2(mmu_idx)
+        && extract32(tableattrs, 4, 1)) {
         /*
          * Stage2_S -> Stage2 or Phys_S -> Phys_NS
          * Assert the relative order of the secure/non-secure indexes.
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         QEMU_BUILD_BUG_ON(ARMMMUIdx_Stage2_S + 1 != ARMMMUIdx_Stage2);
         ptw->in_ptw_idx += 1;
         ptw->in_secure = false;
+        ptw->in_space = ARMSS_NonSecure;
     }
+
     if (!S1_ptw_translate(env, ptw, descaddr, fi)) {
         goto do_fault;
     }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
      */
     attrs = new_descriptor & (MAKE_64BIT_MASK(2, 10) | MAKE_64BIT_MASK(50, 14));
     if (!regime_is_stage2(mmu_idx)) {
-        attrs |= nstable << 5; /* NS */
+        attrs |= !ptw->in_secure << 5; /* NS */
         if (!param.hpd) {
             attrs |= extract64(tableattrs, 0, 2) << 53;     /* XN, PXN */
             /*
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

With Realm security state, bit 55 of a block or page descriptor during
the stage2 walk becomes the NS bit; during the stage1 walk the bit 5
NS bit is RES0.  With Root security state, bit 11 of the block or page
descriptor during the stage1 walk becomes the NSE bit.

Rather than collecting an NS bit and applying it later, compute the
output pa space from the input pa space and unconditionally assign.
This means that we no longer need to adjust the output space earlier
for the NSTable bit.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-13-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 89 +++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 73 insertions(+), 16 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static int get_S2prot(CPUARMState *env, int s2ap, int xn, bool s1_is_el0)
  * @mmu_idx: MMU index indicating required translation regime
  * @is_aa64: TRUE if AArch64
  * @ap:      The 2-bit simple AP (AP[2:1])
- * @ns:      NS (non-secure) bit
  * @xn:      XN (execute-never) bit
  * @pxn:     PXN (privileged execute-never) bit
+ * @in_pa:   The original input pa space
+ * @out_pa:  The output pa space, modified by NSTable, NS, and NSE
  */
 static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64,
-                      int ap, int ns, int xn, int pxn)
+                      int ap, int xn, int pxn,
+                      ARMSecuritySpace in_pa, ARMSecuritySpace out_pa)
 {
     ARMCPU *cpu = env_archcpu(env);
     bool is_user = regime_is_user(env, mmu_idx);
@@ -XXX,XX +XXX,XX @@ static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64,
         }
     }
 
-    if (ns && arm_is_secure(env) && (env->cp15.scr_el3 & SCR_SIF)) {
+    if (out_pa == ARMSS_NonSecure && in_pa == ARMSS_Secure &&
+        (env->cp15.scr_el3 & SCR_SIF)) {
         return prot_rw;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
     int32_t stride;
     int addrsize, inputsize, outputsize;
     uint64_t tcr = regime_tcr(env, mmu_idx);
-    int ap, ns, xn, pxn;
+    int ap, xn, pxn;
     uint32_t el = regime_el(env, mmu_idx);
     uint64_t descaddrmask;
     bool aarch64 = arm_el_is_aa64(env, el);
     uint64_t descriptor, new_descriptor;
+    ARMSecuritySpace out_space;
 
     /* TODO: This code does not support shareability levels. */
     if (aarch64) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
     }
 
     ap = extract32(attrs, 6, 2);
+    out_space = ptw->in_space;
     if (regime_is_stage2(mmu_idx)) {
-        ns = mmu_idx == ARMMMUIdx_Stage2;
+        /*
+         * R_GYNXY: For stage2 in Realm security state, bit 55 is NS.
+         * The bit remains ignored for other security states.
+         */
+        if (out_space == ARMSS_Realm && extract64(attrs, 55, 1)) {
+            out_space = ARMSS_NonSecure;
+        }
         xn = extract64(attrs, 53, 2);
         result->f.prot = get_S2prot(env, ap, xn, s1_is_el0);
     } else {
-        ns = extract32(attrs, 5, 1);
+        int nse, ns = extract32(attrs, 5, 1);
+        switch (out_space) {
+        case ARMSS_Root:
+            /*
+             * R_GVZML: Bit 11 becomes the NSE field in the EL3 regime.
+             * R_XTYPW: NSE and NS together select the output pa space.
+             */
+            nse = extract32(attrs, 11, 1);
+            out_space = (nse << 1) | ns;
+            if (out_space == ARMSS_Secure &&
+                !cpu_isar_feature(aa64_sel2, cpu)) {
+                out_space = ARMSS_NonSecure;
+            }
+            break;
+        case ARMSS_Secure:
+            if (ns) {
+                out_space = ARMSS_NonSecure;
+            }
+            break;
+        case ARMSS_Realm:
+            switch (mmu_idx) {
+            case ARMMMUIdx_Stage1_E0:
+            case ARMMMUIdx_Stage1_E1:
+            case ARMMMUIdx_Stage1_E1_PAN:
+                /* I_CZPRF: For Realm EL1&0 stage1, NS bit is RES0. */
+                break;
+            case ARMMMUIdx_E2:
+            case ARMMMUIdx_E20_0:
+            case ARMMMUIdx_E20_2:
+            case ARMMMUIdx_E20_2_PAN:
+                /*
+                 * R_LYKFZ, R_WGRZN: For Realm EL2 and EL2&1,
+                 * NS changes the output to non-secure space.
+                 */
+                if (ns) {
+                    out_space = ARMSS_NonSecure;
+                }
+                break;
+            default:
+                g_assert_not_reached();
+            }
+            break;
+        case ARMSS_NonSecure:
+            /* R_QRMFF: For NonSecure state, the NS bit is RES0. */
+            break;
+        default:
+            g_assert_not_reached();
+        }
         xn = extract64(attrs, 54, 1);
         pxn = extract64(attrs, 53, 1);
-        result->f.prot = get_S1prot(env, mmu_idx, aarch64, ap, ns, xn, pxn);
+
+        /*
+         * Note that we modified ptw->in_space earlier for NSTable, but
+         * result->f.attrs retains a copy of the original security space.
+         */
+        result->f.prot = get_S1prot(env, mmu_idx, aarch64, ap, xn, pxn,
+                                    result->f.attrs.space, out_space);
     }
 
     if (!(result->f.prot & (1 << access_type))) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         }
     }
 
-    if (ns) {
-        /*
-         * The NS bit will (as required by the architecture) have no effect if
-         * the CPU doesn't support TZ or this is a non-secure translation
-         * regime, because the attribute will already be non-secure.
-         */
-        result->f.attrs.secure = false;
-        result->f.attrs.space = ARMSS_NonSecure;
-    }
+    result->f.attrs.space = out_space;
+    result->f.attrs.secure = arm_space_is_secure(out_space);
 
     if (regime_is_stage2(mmu_idx)) {
         result->cacheattrs.is_s2_format = true;
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

While Root and Realm may read and write data from other spaces,
neither may execute from other pa spaces.

This happens for Stage1 EL3, EL2, EL2&0, and Stage2 EL1&0.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-14-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 52 ++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 46 insertions(+), 6 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ do_fault:
  * @xn:      XN (execute-never) bits
  * @s1_is_el0: true if this is S2 of an S1+2 walk for EL0
  */
-static int get_S2prot(CPUARMState *env, int s2ap, int xn, bool s1_is_el0)
+static int get_S2prot_noexecute(int s2ap)
 {
     int prot = 0;
 
@@ -XXX,XX +XXX,XX @@ static int get_S2prot(CPUARMState *env, int s2ap, int xn, bool s1_is_el0)
     if (s2ap & 2) {
         prot |= PAGE_WRITE;
     }
+    return prot;
+}
+
+static int get_S2prot(CPUARMState *env, int s2ap, int xn, bool s1_is_el0)
+{
+    int prot = get_S2prot_noexecute(s2ap);
 
     if (cpu_isar_feature(any_tts2uxn, env_archcpu(env))) {
         switch (xn) {
@@ -XXX,XX +XXX,XX @@ static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64,
         }
     }
 
-    if (out_pa == ARMSS_NonSecure && in_pa == ARMSS_Secure &&
-        (env->cp15.scr_el3 & SCR_SIF)) {
-        return prot_rw;
+    if (in_pa != out_pa) {
+        switch (in_pa) {
+        case ARMSS_Root:
+            /*
+             * R_ZWRVD: permission fault for insn fetched from non-Root,
+             * I_WWBFB: SIF has no effect in EL3.
+             */
+            return prot_rw;
+        case ARMSS_Realm:
+            /*
+             * R_PKTDS: permission fault for insn fetched from non-Realm,
+             * for Realm EL2 or EL2&0.  The corresponding fault for EL1&0
+             * happens during any stage2 translation.
+             */
+            switch (mmu_idx) {
+            case ARMMMUIdx_E2:
+            case ARMMMUIdx_E20_0:
+            case ARMMMUIdx_E20_2:
+            case ARMMMUIdx_E20_2_PAN:
+                return prot_rw;
+            default:
+                break;
+            }
+            break;
+        case ARMSS_Secure:
+            if (env->cp15.scr_el3 & SCR_SIF) {
+                return prot_rw;
+            }
+            break;
+        default:
+            /* Input NonSecure must have output NonSecure. */
+            g_assert_not_reached();
+        }
     }
 
     /* TODO have_wxn should be replaced with
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         /*
          * R_GYNXY: For stage2 in Realm security state, bit 55 is NS.
          * The bit remains ignored for other security states.
+         * R_YMCSL: Executing an insn fetched from non-Realm causes
+         * a stage2 permission fault.
          */
         if (out_space == ARMSS_Realm && extract64(attrs, 55, 1)) {
             out_space = ARMSS_NonSecure;
+            result->f.prot = get_S2prot_noexecute(ap);
+        } else {
+            xn = extract64(attrs, 53, 2);
+            result->f.prot = get_S2prot(env, ap, xn, s1_is_el0);
         }
-        xn = extract64(attrs, 53, 2);
-        result->f.prot = get_S2prot(env, ap, xn, s1_is_el0);
     } else {
         int nse, ns = extract32(attrs, 5, 1);
         switch (out_space) {
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Do not provide a fast-path for physical addresses,
as those will need to be validated for GPC.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-15-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 44 +++++++++++++++++---------------------------
 1 file changed, 17 insertions(+), 27 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
          * From gdbstub, do not use softmmu so that we don't modify the
          * state of the cpu at all, including softmmu tlb contents.
          */
-        if (regime_is_stage2(s2_mmu_idx)) {
-            S1Translate s2ptw = {
-                .in_mmu_idx = s2_mmu_idx,
-                .in_ptw_idx = ptw_idx_for_stage_2(env, s2_mmu_idx),
-                .in_secure = s2_mmu_idx == ARMMMUIdx_Stage2_S,
-                .in_space = (s2_mmu_idx == ARMMMUIdx_Stage2_S ? ARMSS_Secure
-                             : space == ARMSS_Realm ? ARMSS_Realm
-                             : ARMSS_NonSecure),
-                .in_debug = true,
-            };
-            GetPhysAddrResult s2 = { };
+        S1Translate s2ptw = {
+            .in_mmu_idx = s2_mmu_idx,
+            .in_ptw_idx = ptw_idx_for_stage_2(env, s2_mmu_idx),
+            .in_secure = s2_mmu_idx == ARMMMUIdx_Stage2_S,
+            .in_space = (s2_mmu_idx == ARMMMUIdx_Stage2_S ? ARMSS_Secure
+                         : space == ARMSS_Realm ? ARMSS_Realm
+                         : ARMSS_NonSecure),
+            .in_debug = true,
+        };
+        GetPhysAddrResult s2 = { };
 
-            if (get_phys_addr_lpae(env, &s2ptw, addr, MMU_DATA_LOAD,
-                                   false, &s2, fi)) {
-                goto fail;
-            }
-            ptw->out_phys = s2.f.phys_addr;
-            pte_attrs = s2.cacheattrs.attrs;
-            ptw->out_secure = s2.f.attrs.secure;
-            ptw->out_space = s2.f.attrs.space;
-        } else {
-            /* Regime is physical. */
-            ptw->out_phys = addr;
-            pte_attrs = 0;
-            ptw->out_secure = s2_mmu_idx == ARMMMUIdx_Phys_S;
-            ptw->out_space = (s2_mmu_idx == ARMMMUIdx_Phys_S ? ARMSS_Secure
-                              : space == ARMSS_Realm ? ARMSS_Realm
-                              : ARMSS_NonSecure);
+        if (get_phys_addr_with_struct(env, &s2ptw, addr,
+                                      MMU_DATA_LOAD, &s2, fi)) {
+            goto fail;
         }
+        ptw->out_phys = s2.f.phys_addr;
+        pte_attrs = s2.cacheattrs.attrs;
         ptw->out_host = NULL;
         ptw->out_rw = false;
+        ptw->out_secure = s2.f.attrs.secure;
+        ptw->out_space = s2.f.attrs.space;
     } else {
 #ifdef CONFIG_TCG
         CPUTLBEntryFull *full;
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Instead of passing this to get_phys_addr_lpae, stash it
in the S1Translate structure.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-16-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ typedef struct S1Translate {
     ARMSecuritySpace in_space;
     bool in_secure;
     bool in_debug;
+    /*
+     * If this is stage 2 of a stage 1+2 page table walk, then this must
+     * be true if stage 1 is an EL0 access; otherwise this is ignored.
+     * Stage 2 is indicated by in_mmu_idx set to ARMMMUIdx_Stage2{,_S}.
+     */
+    bool in_s1_is_el0;
     bool out_secure;
     bool out_rw;
     bool out_be;
@@ -XXX,XX +XXX,XX @@ typedef struct S1Translate {
 } S1Translate;
 
 static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-                               uint64_t address,
-                               MMUAccessType access_type, bool s1_is_el0,
+                               uint64_t address, MMUAccessType access_type,
                                GetPhysAddrResult *result, ARMMMUFaultInfo *fi);
 
 static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
@@ -XXX,XX +XXX,XX @@ static int check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, uint64_t tcr,
  * @ptw: Current and next stage parameters for the walk.
  * @address: virtual address to get physical address for
  * @access_type: MMU_DATA_LOAD, MMU_DATA_STORE or MMU_INST_FETCH
- * @s1_is_el0: if @ptw->in_mmu_idx is ARMMMUIdx_Stage2
- *             (so this is a stage 2 page table walk),
- *             must be true if this is stage 2 of a stage 1+2
- *             walk for an EL0 access. If @mmu_idx is anything else,
- *             @s1_is_el0 is ignored.
  * @result: set on translation success,
  * @fi: set to fault info if the translation fails
  */
 static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
                                uint64_t address,
-                               MMUAccessType access_type, bool s1_is_el0,
+                               MMUAccessType access_type,
                                GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
 {
     ARMCPU *cpu = env_archcpu(env);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
             result->f.prot = get_S2prot_noexecute(ap);
         } else {
             xn = extract64(attrs, 53, 2);
-            result->f.prot = get_S2prot(env, ap, xn, s1_is_el0);
+            result->f.prot = get_S2prot(env, ap, xn, ptw->in_s1_is_el0);
         }
     } else {
         int nse, ns = extract32(attrs, 5, 1);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
     bool ret, ipa_secure;
     ARMCacheAttrs cacheattrs1;
     ARMSecuritySpace ipa_space;
-    bool is_el0;
     uint64_t hcr;
 
     ret = get_phys_addr_with_struct(env, ptw, address, access_type, result, fi);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
     ipa_secure = result->f.attrs.secure;
     ipa_space = result->f.attrs.space;
 
-    is_el0 = ptw->in_mmu_idx == ARMMMUIdx_Stage1_E0;
+    ptw->in_s1_is_el0 = ptw->in_mmu_idx == ARMMMUIdx_Stage1_E0;
     ptw->in_mmu_idx = ipa_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
     ptw->in_secure = ipa_secure;
     ptw->in_space = ipa_space;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
         ret = get_phys_addr_pmsav8(env, ipa, access_type,
                                    ptw->in_mmu_idx, is_secure, result, fi);
     } else {
-        ret = get_phys_addr_lpae(env, ptw, ipa, access_type,
-                                 is_el0, result, fi);
+        ret = get_phys_addr_lpae(env, ptw, ipa, access_type, result, fi);
     }
     fi->s2addr = ipa;
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
     }
 
     if (regime_using_lpae_format(env, mmu_idx)) {
-        return get_phys_addr_lpae(env, ptw, address, access_type, false,
-                                  result, fi);
+        return get_phys_addr_lpae(env, ptw, address, access_type, result, fi);
     } else if (arm_feature(env, ARM_FEATURE_V7) ||
                regime_sctlr(env, mmu_idx) & SCTLR_XP) {
         return get_phys_addr_v6(env, ptw, address, access_type, result, fi);
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

This fixes a bug in which we failed to initialize
the result attributes properly after the memset.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-17-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

The function takes the fields as filled in by
the Arm ARM pseudocode for TakeGPCException.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-18-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/syndrome.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/target/arm/syndrome.h b/target/arm/syndrome.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/syndrome.h
+++ b/target/arm/syndrome.h
@@ -XXX,XX +XXX,XX @@ enum arm_exception_class {
     EC_SVEACCESSTRAP          = 0x19,
     EC_ERETTRAP               = 0x1a,
     EC_SMETRAP                = 0x1d,
+    EC_GPC                    = 0x1e,
     EC_INSNABORT              = 0x20,
     EC_INSNABORT_SAME_EL      = 0x21,
     EC_PCALIGNMENT            = 0x22,
@@ -XXX,XX +XXX,XX @@ static inline uint32_t syn_bxjtrap(int cv, int cond, int rm)
         (cv << 24) | (cond << 20) | rm;
 }
 
+static inline uint32_t syn_gpc(int s2ptw, int ind, int gpcsc,
+                               int cm, int s1ptw, int wnr, int fsc)
+{
+    /* TODO: FEAT_NV2 adds VNCR */
+    return (EC_GPC << ARM_EL_EC_SHIFT) | ARM_EL_IL | (s2ptw << 21)
+            | (ind << 20) | (gpcsc << 14) | (cm << 8) | (s1ptw << 7)
+            | (wnr << 6) | fsc;
+}
+
 static inline uint32_t syn_insn_abort(int same_el, int ea, int s1ptw, int fsc)
 {
     return (EC_INSNABORT << ARM_EL_EC_SHIFT) | (same_el << ARM_EL_EC_SHIFT)
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Handle GPC Fault types in arm_deliver_fault, reporting as
either a GPC exception at EL3, or falling through to insn
or data aborts at various exception levels.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-19-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h            |  1 +
 target/arm/internals.h      | 27 +++++++++++
 target/arm/helper.c         |  5 ++
 target/arm/tcg/tlb_helper.c | 96 +++++++++++++++++++++++++++++++++++--
 4 files changed, 126 insertions(+), 3 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@
 #define EXCP_UNALIGNED      22   /* v7M UNALIGNED UsageFault */
 #define EXCP_DIVBYZERO      23   /* v7M DIVBYZERO UsageFault */
 #define EXCP_VSERR          24
+#define EXCP_GPC            25   /* v9 Granule Protection Check Fault */
 /* NB: add new EXCP_ defines to the array in arm_log_exception() too */
 
 #define ARMV7M_EXCP_RESET   1
diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ typedef enum ARMFaultType {
     ARMFault_ICacheMaint,
     ARMFault_QEMU_NSCExec, /* v8M: NS executing in S&NSC memory */
     ARMFault_QEMU_SFault, /* v8M: SecureFault INVTRAN, INVEP or AUVIOL */
+    ARMFault_GPCFOnWalk,
+    ARMFault_GPCFOnOutput,
 } ARMFaultType;
 
+typedef enum ARMGPCF {
+    GPCF_None,
+    GPCF_AddressSize,
+    GPCF_Walk,
+    GPCF_EABT,
+    GPCF_Fail,
+} ARMGPCF;
+
 /**
  * ARMMMUFaultInfo: Information describing an ARM MMU Fault
  * @type: Type of fault
+ * @gpcf: Subtype of ARMFault_GPCFOn{Walk,Output}.
  * @level: Table walk level (for translation, access flag and permission faults)
  * @domain: Domain of the fault address (for non-LPAE CPUs only)
  * @s2addr: Address that caused a fault at stage 2
+ * @paddr: physical address that caused a fault for gpc
+ * @paddr_space: physical address space that caused a fault for gpc
  * @stage2: True if we faulted at stage 2
  * @s1ptw: True if we faulted at stage 2 while doing a stage 1 page-table walk
  * @s1ns: True if we faulted on a non-secure IPA while in secure state
@@ -XXX,XX +XXX,XX @@ typedef enum ARMFaultType {
 typedef struct ARMMMUFaultInfo ARMMMUFaultInfo;
 struct ARMMMUFaultInfo {
     ARMFaultType type;
+    ARMGPCF gpcf;
     target_ulong s2addr;
+    target_ulong paddr;
+    ARMSecuritySpace paddr_space;
     int level;
     int domain;
     bool stage2;
@@ -XXX,XX +XXX,XX @@ static inline uint32_t arm_fi_to_lfsc(ARMMMUFaultInfo *fi)
     case ARMFault_Exclusive:
         fsc = 0x35;
         break;
+    case ARMFault_GPCFOnWalk:
+        assert(fi->level >= -1 && fi->level <= 3);
+        if (fi->level < 0) {
+            fsc = 0b100011;
+        } else {
+            fsc = 0b100100 | fi->level;
+        }
+        break;
+    case ARMFault_GPCFOnOutput:
+        fsc = 0b101000;
+        break;
     default:
         /* Other faults can't occur in a context that requires a
          * long-format status code.
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void arm_log_exception(CPUState *cs)
             [EXCP_UNALIGNED] = "v7M UNALIGNED UsageFault",
             [EXCP_DIVBYZERO] = "v7M DIVBYZERO UsageFault",
             [EXCP_VSERR] = "Virtual SERR",
+            [EXCP_GPC] = "Granule Protection Check",
         };
 
         if (idx >= 0 && idx < ARRAY_SIZE(excnames)) {
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_do_interrupt_aarch64(CPUState *cs)
     }
 
     switch (cs->exception_index) {
+    case EXCP_GPC:
+        qemu_log_mask(CPU_LOG_INT, "...with MFAR 0x%" PRIx64 "\n",
+                      env->cp15.mfar_el3);
+        /* fall through */
     case EXCP_PREFETCH_ABORT:
     case EXCP_DATA_ABORT:
         /*
diff --git a/target/arm/tcg/tlb_helper.c b/target/arm/tcg/tlb_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/tlb_helper.c
+++ b/target/arm/tcg/tlb_helper.c
@@ -XXX,XX +XXX,XX @@ static uint32_t compute_fsr_fsc(CPUARMState *env, ARMMMUFaultInfo *fi,
     return fsr;
 }
 
+static bool report_as_gpc_exception(ARMCPU *cpu, int current_el,
+                                    ARMMMUFaultInfo *fi)
+{
+    bool ret;
+
+    switch (fi->gpcf) {
+    case GPCF_None:
+        return false;
+    case GPCF_AddressSize:
+    case GPCF_Walk:
+    case GPCF_EABT:
+        /* R_PYTGX: GPT faults are reported as GPC. */
+        ret = true;
+        break;
+    case GPCF_Fail:
+        /*
+         * R_BLYPM: A GPF at EL3 is reported as insn or data abort.
+         * R_VBZMW, R_LXHQR: A GPF at EL[0-2] is reported as a GPC
+         * if SCR_EL3.GPF is set, otherwise an insn or data abort.
+         */
+        ret = (cpu->env.cp15.scr_el3 & SCR_GPF) && current_el != 3;
+        break;
+    default:
+        g_assert_not_reached();
+    }
+
+    assert(cpu_isar_feature(aa64_rme, cpu));
+    assert(fi->type == ARMFault_GPCFOnWalk ||
+           fi->type == ARMFault_GPCFOnOutput);
+    if (fi->gpcf == GPCF_AddressSize) {
+        assert(fi->level == 0);
+    } else {
+        assert(fi->level >= 0 && fi->level <= 1);
+    }
+
+    return ret;
+}
+
+static unsigned encode_gpcsc(ARMMMUFaultInfo *fi)
+{
+    static uint8_t const gpcsc[] = {
+        [GPCF_AddressSize] = 0b000000,
+        [GPCF_Walk]        = 0b000100,
+        [GPCF_Fail]        = 0b001100,
+        [GPCF_EABT]        = 0b010100,
+    };
+
+    /* Note that we've validated fi->gpcf and fi->level above. */
+    return gpcsc[fi->gpcf] | fi->level;
+}
+
 static G_NORETURN
 void arm_deliver_fault(ARMCPU *cpu, vaddr addr,
                        MMUAccessType access_type,
                        int mmu_idx, ARMMMUFaultInfo *fi)
 {
     CPUARMState *env = &cpu->env;
-    int target_el;
+    int target_el = exception_target_el(env);
+    int current_el = arm_current_el(env);
     bool same_el;
     uint32_t syn, exc, fsr, fsc;
 
-    target_el = exception_target_el(env);
+    if (report_as_gpc_exception(cpu, current_el, fi)) {
+        target_el = 3;
+
+        fsr = compute_fsr_fsc(env, fi, target_el, mmu_idx, &fsc);
+
+        syn = syn_gpc(fi->stage2 && fi->type == ARMFault_GPCFOnWalk,
+                      access_type == MMU_INST_FETCH,
+                      encode_gpcsc(fi), 0, fi->s1ptw,
+                      access_type == MMU_DATA_STORE, fsc);
+
+        env->cp15.mfar_el3 = fi->paddr;
+        switch (fi->paddr_space) {
+        case ARMSS_Secure:
+            break;
+        case ARMSS_NonSecure:
+            env->cp15.mfar_el3 |= R_MFAR_NS_MASK;
+            break;
+        case ARMSS_Root:
+            env->cp15.mfar_el3 |= R_MFAR_NSE_MASK;
+            break;
+        case ARMSS_Realm:
+            env->cp15.mfar_el3 |= R_MFAR_NSE_MASK | R_MFAR_NS_MASK;
+            break;
+        default:
+            g_assert_not_reached();
+        }
+
+        exc = EXCP_GPC;
+        goto do_raise;
+    }
+
+    /* If SCR_EL3.GPF is unset, GPF may still be routed to EL2. */
+    if (fi->gpcf == GPCF_Fail && target_el < 2) {
+        if (arm_hcr_el2_eff(env) & HCR_GPF) {
+            target_el = 2;
+        }
+    }
+
     if (fi->stage2) {
         target_el = 2;
         env->cp15.hpfar_el2 = extract64(fi->s2addr, 12, 47) << 4;
@@ -XXX,XX +XXX,XX @@ void arm_deliver_fault(ARMCPU *cpu, vaddr addr,
             env->cp15.hpfar_el2 |= HPFAR_NS;
         }
     }
-    same_el = (arm_current_el(env) == target_el);
 
+    same_el = current_el == target_el;
     fsr = compute_fsr_fsc(env, fi, target_el, mmu_idx, &fsc);
 
     if (access_type == MMU_INST_FETCH) {
@@ -XXX,XX +XXX,XX @@ void arm_deliver_fault(ARMCPU *cpu, vaddr addr,
         exc = EXCP_DATA_ABORT;
     }
 
+ do_raise:
     env->exception.vaddress = addr;
     env->exception.fsr = fsr;
     raise_exception(env, exc, syn, target_el);
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Place the check at the end of get_phys_addr_with_struct,
so that we check all physical results.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-20-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 249 +++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 232 insertions(+), 17 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ typedef struct S1Translate {
     void *out_host;
 } S1Translate;
 
-static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
-                                      target_ulong address,
-                                      MMUAccessType access_type,
-                                      GetPhysAddrResult *result,
-                                      ARMMMUFaultInfo *fi);
+static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw,
+                                target_ulong address,
+                                MMUAccessType access_type,
+                                GetPhysAddrResult *result,
+                                ARMMMUFaultInfo *fi);
+
+static bool get_phys_addr_gpc(CPUARMState *env, S1Translate *ptw,
+                              target_ulong address,
+                              MMUAccessType access_type,
+                              GetPhysAddrResult *result,
+                              ARMMMUFaultInfo *fi);
 
 /* This mapping is common between ID_AA64MMFR0.PARANGE and TCR_ELx.{I}PS. */
 static const uint8_t pamax_map[] = {
@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
     return (regime_sctlr(env, mmu_idx) & SCTLR_M) == 0;
 }
 
+static bool granule_protection_check(CPUARMState *env, uint64_t paddress,
+                                     ARMSecuritySpace pspace,
+                                     ARMMMUFaultInfo *fi)
+{
+    MemTxAttrs attrs = {
+        .secure = true,
+        .space = ARMSS_Root,
+    };
+    ARMCPU *cpu = env_archcpu(env);
+    uint64_t gpccr = env->cp15.gpccr_el3;
+    unsigned pps, pgs, l0gptsz, level = 0;
+    uint64_t tableaddr, pps_mask, align, entry, index;
+    AddressSpace *as;
+    MemTxResult result;
+    int gpi;
+
+    if (!FIELD_EX64(gpccr, GPCCR, GPC)) {
+        return true;
+    }
+
+    /*
+     * GPC Priority 1 (R_GMGRR):
+     * R_JWCSM: If the configuration of GPCCR_EL3 is invalid,
+     * the access fails as GPT walk fault at level 0.
+     */
+
+    /*
+     * Configuration of PPS to a value exceeding the implemented
+     * physical address size is invalid.
+     */
+    pps = FIELD_EX64(gpccr, GPCCR, PPS);
+    if (pps > FIELD_EX64(cpu->isar.id_aa64mmfr0, ID_AA64MMFR0, PARANGE)) {
+        goto fault_walk;
+    }
+    pps = pamax_map[pps];
+    pps_mask = MAKE_64BIT_MASK(0, pps);
+
+    switch (FIELD_EX64(gpccr, GPCCR, SH)) {
+    case 0b10: /* outer shareable */
+        break;
+    case 0b00: /* non-shareable */
+    case 0b11: /* inner shareable */
+        /* Inner and Outer non-cacheable requires Outer shareable. */
+        if (FIELD_EX64(gpccr, GPCCR, ORGN) == 0 &&
+            FIELD_EX64(gpccr, GPCCR, IRGN) == 0) {
+            goto fault_walk;
+        }
+        break;
+    default:   /* reserved */
+        goto fault_walk;
+    }
+
+    switch (FIELD_EX64(gpccr, GPCCR, PGS)) {
+    case 0b00: /* 4KB */
+        pgs = 12;
+        break;
+    case 0b01: /* 64KB */
+        pgs = 16;
+        break;
+    case 0b10: /* 16KB */
+        pgs = 14;
+        break;
+    default: /* reserved */
+        goto fault_walk;
+    }
+
+    /* Note this field is read-only and fixed at reset. */
+    l0gptsz = 30 + FIELD_EX64(gpccr, GPCCR, L0GPTSZ);
+
+    /*
+     * GPC Priority 2: Secure, Realm or Root address exceeds PPS.
+     * R_CPDSB: A NonSecure physical address input exceeding PPS
+     * does not experience any fault.
+     */
+    if (paddress & ~pps_mask) {
+        if (pspace == ARMSS_NonSecure) {
+            return true;
+        }
+        goto fault_size;
+    }
+
+    /* GPC Priority 3: the base address of GPTBR_EL3 exceeds PPS. */
+    tableaddr = env->cp15.gptbr_el3 << 12;
+    if (tableaddr & ~pps_mask) {
+        goto fault_size;
+    }
+
+    /*
+     * BADDR is aligned per a function of PPS and L0GPTSZ.
+     * These bits of GPTBR_EL3 are RES0, but are not a configuration error,
+     * unlike the RES0 bits of the GPT entries (R_XNKFZ).
+     */
+    align = MAX(pps - l0gptsz + 3, 12);
+    align = MAKE_64BIT_MASK(0, align);
+    tableaddr &= ~align;
+
+    as = arm_addressspace(env_cpu(env), attrs);
+
+    /* Level 0 lookup. */
+    index = extract64(paddress, l0gptsz, pps - l0gptsz);
+    tableaddr += index * 8;
+    entry = address_space_ldq_le(as, tableaddr, attrs, &result);
+    if (result != MEMTX_OK) {
+        goto fault_eabt;
+    }
+
+    switch (extract32(entry, 0, 4)) {
+    case 1: /* block descriptor */
+        if (entry >> 8) {
+            goto fault_walk; /* RES0 bits not 0 */
+        }
+        gpi = extract32(entry, 4, 4);
+        goto found;
+    case 3: /* table descriptor */
+        tableaddr = entry & ~0xf;
+        align = MAX(l0gptsz - pgs - 1, 12);
+        align = MAKE_64BIT_MASK(0, align);
+        if (tableaddr & (~pps_mask | align)) {
+            goto fault_walk; /* RES0 bits not 0 */
+        }
+        break;
+    default: /* invalid */
+        goto fault_walk;
+    }
+
+    /* Level 1 lookup */
+    level = 1;
+    index = extract64(paddress, pgs + 4, l0gptsz - pgs - 4);
+    tableaddr += index * 8;
+    entry = address_space_ldq_le(as, tableaddr, attrs, &result);
+    if (result != MEMTX_OK) {
+        goto fault_eabt;
+    }
+
+    switch (extract32(entry, 0, 4)) {
+    case 1: /* contiguous descriptor */
+        if (entry >> 10) {
+            goto fault_walk; /* RES0 bits not 0 */
+        }
+        /*
+         * Because the softmmu tlb only works on units of TARGET_PAGE_SIZE,
+         * and because we cannot invalidate by pa, and thus will always
+         * flush entire tlbs, we don't actually care about the range here
+         * and can simply extract the GPI as the result.
+         */
+        if (extract32(entry, 8, 2) == 0) {
+            goto fault_walk; /* reserved contig */
+        }
+        gpi = extract32(entry, 4, 4);
+        break;
+    default:
+        index = extract64(paddress, pgs, 4);
+        gpi = extract64(entry, index * 4, 4);
+        break;
+    }
+
+ found:
+    switch (gpi) {
+    case 0b0000: /* no access */
+        break;
+    case 0b1111: /* all access */
+        return true;
+    case 0b1000:
+    case 0b1001:
+    case 0b1010:
+    case 0b1011:
+        if (pspace == (gpi & 3)) {
+            return true;
+        }
+        break;
+    default:
+        goto fault_walk; /* reserved */
+    }
+
+    fi->gpcf = GPCF_Fail;
+    goto fault_common;
+ fault_eabt:
+    fi->gpcf = GPCF_EABT;
+    goto fault_common;
+ fault_size:
+    fi->gpcf = GPCF_AddressSize;
+    goto fault_common;
+ fault_walk:
+    fi->gpcf = GPCF_Walk;
+ fault_common:
+    fi->level = level;
+    fi->paddr = paddress;
+    fi->paddr_space = pspace;
+    return false;
+}
+
 static bool S2_attrs_are_device(uint64_t hcr, uint8_t attrs)
 {
     /*
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
         };
         GetPhysAddrResult s2 = { };
 
-        if (get_phys_addr_with_struct(env, &s2ptw, addr,
-                                      MMU_DATA_LOAD, &s2, fi)) {
+        if (get_phys_addr_gpc(env, &s2ptw, addr, MMU_DATA_LOAD, &s2, fi)) {
             goto fail;
         }
+
         ptw->out_phys = s2.f.phys_addr;
         pte_attrs = s2.cacheattrs.attrs;
         ptw->out_host = NULL;
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
 
  fail:
     assert(fi->type != ARMFault_None);
+    if (fi->type == ARMFault_GPCFOnOutput) {
+        fi->type = ARMFault_GPCFOnWalk;
+    }
     fi->s2addr = addr;
     fi->stage2 = true;
     fi->s1ptw = true;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
                                    ARMMMUFaultInfo *fi)
 {
     uint8_t memattr = 0x00;    /* Device nGnRnE */
-    uint8_t shareability = 0;  /* non-sharable */
+    uint8_t shareability = 0;  /* non-shareable */
     int r_el;
 
     switch (mmu_idx) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
             } else {
                 memattr = 0x44;  /* Normal, NC, No */
             }
-            shareability = 2; /* outer sharable */
+            shareability = 2; /* outer shareable */
         }
         result->cacheattrs.is_s2_format = false;
         break;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
     ARMSecuritySpace ipa_space;
     uint64_t hcr;
 
-    ret = get_phys_addr_with_struct(env, ptw, address, access_type, result, fi);
+    ret = get_phys_addr_nogpc(env, ptw, address, access_type, result, fi);
 
     /* If S1 fails, return early.  */
     if (ret) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
     cacheattrs1 = result->cacheattrs;
     memset(result, 0, sizeof(*result));
 
-    ret = get_phys_addr_with_struct(env, ptw, ipa, access_type, result, fi);
+    ret = get_phys_addr_nogpc(env, ptw, ipa, access_type, result, fi);
     fi->s2addr = ipa;
 
     /* Combine the S1 and S2 perms.  */
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
     return false;
 }
 
-static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
+static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw,
                                       target_ulong address,
                                       MMUAccessType access_type,
                                       GetPhysAddrResult *result,
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
     }
 }
 
+static bool get_phys_addr_gpc(CPUARMState *env, S1Translate *ptw,
+                              target_ulong address,
+                              MMUAccessType access_type,
+                              GetPhysAddrResult *result,
+                              ARMMMUFaultInfo *fi)
+{
+    if (get_phys_addr_nogpc(env, ptw, address, access_type, result, fi)) {
+        return true;
+    }
+    if (!granule_protection_check(env, result->f.phys_addr,
+                                  result->f.attrs.space, fi)) {
+        fi->type = ARMFault_GPCFOnOutput;
+        return true;
+    }
+    return false;
+}
+
 bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
                                MMUAccessType access_type, ARMMMUIdx mmu_idx,
                                bool is_secure, GetPhysAddrResult *result,
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
         .in_secure = is_secure,
         .in_space = arm_secure_to_space(is_secure),
     };
-    return get_phys_addr_with_struct(env, &ptw, address, access_type,
-                                     result, fi);
+    return get_phys_addr_gpc(env, &ptw, address, access_type, result, fi);
 }
 
 bool get_phys_addr(CPUARMState *env, target_ulong address,
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
 
     ptw.in_space = ss;
     ptw.in_secure = arm_space_is_secure(ss);
-    return get_phys_addr_with_struct(env, &ptw, address, access_type,
-                                     result, fi);
+    return get_phys_addr_gpc(env, &ptw, address, access_type, result, fi);
 }
 
 hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
@@ -XXX,XX +XXX,XX @@ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
     ARMMMUFaultInfo fi = {};
     bool ret;
 
-    ret = get_phys_addr_with_struct(env, &ptw, addr, MMU_DATA_LOAD, &res, &fi);
+    ret = get_phys_addr_gpc(env, &ptw, addr, MMU_DATA_LOAD, &res, &fi);
     *attrs = res.f.attrs;
 
     if (ret) {
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Add an x-rme cpu property to enable FEAT_RME.
Add an x-l0gptsz property to set GPCCR_EL3.L0GPTSZ,
for testing various possible configurations.

We're not currently completely sure whether FEAT_RME will
be OK to enable purely as a CPU-level property, or if it will
need board co-operation, so we're making these experimental
x- properties, so that the people developing the system
level software for RME can try to start using this and let
us know how it goes. The command line syntax for enabling
this will change in future, without backwards-compatibility.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620124418.805717-21-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/cpu64.c | 53 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/target/arm/tcg/cpu64.c b/target/arm/tcg/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/cpu64.c
+++ b/target/arm/tcg/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void cpu_max_set_sve_max_vq(Object *obj, Visitor *v, const char *name,
     cpu->sve_max_vq = max_vq;
 }
 
+static bool cpu_arm_get_rme(Object *obj, Error **errp)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+    return cpu_isar_feature(aa64_rme, cpu);
+}
+
+static void cpu_arm_set_rme(Object *obj, bool value, Error **errp)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+    uint64_t t;
+
+    t = cpu->isar.id_aa64pfr0;
+    t = FIELD_DP64(t, ID_AA64PFR0, RME, value);
+    cpu->isar.id_aa64pfr0 = t;
+}
+
+static void cpu_max_set_l0gptsz(Object *obj, Visitor *v, const char *name,
+                                void *opaque, Error **errp)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+    uint32_t value;
+
+    if (!visit_type_uint32(v, name, &value, errp)) {
+        return;
+    }
+
+    /* Encode the value for the GPCCR_EL3 field. */
+    switch (value) {
+    case 30:
+    case 34:
+    case 36:
+    case 39:
+        cpu->reset_l0gptsz = value - 30;
+        break;
+    default:
+        error_setg(errp, "invalid value for l0gptsz");
+        error_append_hint(errp, "valid values are 30, 34, 36, 39\n");
+        break;
+    }
+}
+
+static void cpu_max_get_l0gptsz(Object *obj, Visitor *v, const char *name,
+                                void *opaque, Error **errp)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+    uint32_t value = cpu->reset_l0gptsz + 30;
+
+    visit_type_uint32(v, name, &value, errp);
+}
+
 static Property arm_cpu_lpa2_property =
     DEFINE_PROP_BOOL("lpa2", ARMCPU, prop_lpa2, true);
 
@@ -XXX,XX +XXX,XX @@ void aarch64_max_tcg_initfn(Object *obj)
     aarch64_add_sme_properties(obj);
     object_property_add(obj, "sve-max-vq", "uint32", cpu_max_get_sve_max_vq,
                         cpu_max_set_sve_max_vq, NULL, NULL);
+    object_property_add_bool(obj, "x-rme", cpu_arm_get_rme, cpu_arm_set_rme);
+    object_property_add(obj, "x-l0gptsz", "uint32", cpu_max_get_l0gptsz,
+                        cpu_max_set_l0gptsz, NULL, NULL);
     qdev_property_add_static(DEVICE(obj), &arm_cpu_lpa2_property);
 }
 
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20230622143046.1578160-1-richard.henderson@linaro.org
[PMM: fixed typo; note experimental status in emulation.rst too]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/cpu-features.rst | 23 +++++++++++++++++++++++
 docs/system/arm/emulation.rst    |  1 +
 2 files changed, 24 insertions(+)

diff --git a/docs/system/arm/cpu-features.rst b/docs/system/arm/cpu-features.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/cpu-features.rst
+++ b/docs/system/arm/cpu-features.rst
@@ -XXX,XX +XXX,XX @@ As with ``sve-default-vector-length``, if the default length is larger
 than the maximum vector length enabled, the actual vector length will
 be reduced.  If this property is set to ``-1`` then the default vector
 length is set to the maximum possible length.
+
+RME CPU Properties
+==================
+
+The status of RME support with QEMU is experimental.  At this time we
+only support RME within the CPU proper, not within the SMMU or GIC.
+The feature is enabled by the CPU property ``x-rme``, with the ``x-``
+prefix present as a reminder of the experimental status, and defaults off.
+
+The method for enabling RME will change in some future QEMU release
+without notice or backward compatibility.
+
+RME Level 0 GPT Size Property
+-----------------------------
+
+To aid firmware developers in testing different possible CPU
+configurations, ``x-l0gptsz=S`` may be used to specify the value
+to encode into ``GPCCR_EL3.L0GPTSZ``, a read-only field that
+specifies the size of the Level 0 Granule Protection Table.
+Legal values for ``S`` are 30, 34, 36, and 39; the default is 30.
+
+As with ``x-rme``, the ``x-l0gptsz`` property may be renamed or
+removed in some future QEMU release.
diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/emulation.rst
+++ b/docs/system/arm/emulation.rst
@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
 - FEAT_RAS (Reliability, availability, and serviceability)
 - FEAT_RASv1p1 (RAS Extension v1.1)
 - FEAT_RDM (Advanced SIMD rounding double multiply accumulate instructions)
+- FEAT_RME (Realm Management Extension) (NB: support status in QEMU is experimental)
 - FEAT_RNG (Random number generator)
 - FEAT_S2FWB (Stage 2 forced Write-Back)
 - FEAT_SB (Speculation Barrier)
-- 
2.34.1

We use __builtin_subcll() to do a 64-bit subtract with borrow-in and
borrow-out when the host compiler supports it.  Unfortunately some
versions of Apple Clang have a bug in their implementation of this
intrinsic which means it returns the wrong value.  The effect is that
a QEMU built with the affected compiler will hang when emulating x86
or m68k float80 division.

The upstream LLVM issue is:
https://github.com/llvm/llvm-project/issues/55253

The commit that introduced the bug apparently never made it into an
upstream LLVM release without the subsequent fix
https://github.com/llvm/llvm-project/commit/fffb6e6afdbaba563189c1f715058ed401fbc88d
but unfortunately it did make it into Apple Clang 14.0, as shipped
in Xcode 14.3 (14.2 is reported to be OK). The Apple bug number is
FB12210478.

Add ifdefs to avoid use of __builtin_subcll() on Apple Clang version
14 or greater.  There is not currently a version of Apple Clang which
has the bug fix -- when one appears we should be able to add an upper
bound to the ifdef condition so we can start using the builtin again.
We make the lower bound a conservative "any Apple clang with major
version 14 or greater" because the consequences of incorrectly
disabling the builtin when it would work are pretty small and the
consequences of not disabling it when we should are pretty bad.

Many thanks to those users who both reported this bug and also
did a lot of work in identifying the root cause; in particular
to Daniel Bertalan and osy.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1631
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1659
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Tested-by: Daniel Bertalan <dani@danielbertalan.dev>
Tested-by: Tested-By: Solra Bizna <solra@bizna.name>
Message-id: 20230622130823.1631719-1-peter.maydell@linaro.org
---
 include/qemu/compiler.h   | 13 +++++++++++++
 include/qemu/host-utils.h |  2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/include/qemu/compiler.h b/include/qemu/compiler.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/compiler.h
+++ b/include/qemu/compiler.h
@@ -XXX,XX +XXX,XX @@
 #define QEMU_DISABLE_CFI
 #endif
 
+/*
+ * Apple clang version 14 has a bug in its __builtin_subcll(); define
+ * BUILTIN_SUBCLL_BROKEN for the offending versions so we can avoid it.
+ * When a version of Apple clang which has this bug fixed is released
+ * we can add an upper bound to this check.
+ * See https://gitlab.com/qemu-project/qemu/-/issues/1631
+ * and https://gitlab.com/qemu-project/qemu/-/issues/1659 for details.
+ * The bug never made it into any upstream LLVM releases, only Apple ones.
+ */
+#if defined(__apple_build_version__) && __clang_major__ >= 14
+#define BUILTIN_SUBCLL_BROKEN
+#endif
+
 #endif /* COMPILER_H */
diff --git a/include/qemu/host-utils.h b/include/qemu/host-utils.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/host-utils.h
+++ b/include/qemu/host-utils.h
@@ -XXX,XX +XXX,XX @@ static inline uint64_t uadd64_carry(uint64_t x, uint64_t y, bool *pcarry)
  */
 static inline uint64_t usub64_borrow(uint64_t x, uint64_t y, bool *pborrow)
 {
-#if __has_builtin(__builtin_subcll)
+#if __has_builtin(__builtin_subcll) && !defined(BUILTIN_SUBCLL_BROKEN)
     unsigned long long b = *pborrow;
     x = __builtin_subcll(x, y, b, &b);
     *pborrow = b & 1;
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

One cannot test for feature aa32_simd_r32 without first
testing if AArch32 mode is supported at all.  This leads to

qemu-system-aarch64: ARM CPUs must have both VFP-D32 and Neon or neither

for Apple M1 cpus.

We already have a check for ARMv8-A never setting vfp-d32 true,
so restructure the code so that AArch64 avoids the test entirely.

Reported-by: Mads Ynddal <mads@ynddal.dk>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Mads Ynddal <m.ynddal@samsung.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Mads Ynddal <m.ynddal@samsung.com>
Message-id: 20230619140216.402530-1-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ void arm_cpu_post_init(Object *obj)
      * KVM does not currently allow us to lie to the guest about its
      * ID/feature registers, so the guest always sees what the host has.
      */
-    if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)
-        ? cpu_isar_feature(aa64_fp_simd, cpu)
-        : cpu_isar_feature(aa32_vfp, cpu)) {
-        cpu->has_vfp = true;
-        if (!kvm_enabled()) {
-            qdev_property_add_static(DEVICE(obj), &arm_cpu_has_vfp_property);
+    if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
+        if (cpu_isar_feature(aa64_fp_simd, cpu)) {
+            cpu->has_vfp = true;
+            cpu->has_vfp_d32 = true;
+            if (tcg_enabled() || qtest_enabled()) {
+                qdev_property_add_static(DEVICE(obj),
+                                         &arm_cpu_has_vfp_property);
+            }
         }
-    }
-
-    if (cpu->has_vfp && cpu_isar_feature(aa32_simd_r32, cpu)) {
-        cpu->has_vfp_d32 = true;
-        if (!kvm_enabled()) {
+    } else if (cpu_isar_feature(aa32_vfp, cpu)) {
+        cpu->has_vfp = true;
+        if (cpu_isar_feature(aa32_simd_r32, cpu)) {
+            cpu->has_vfp_d32 = true;
             /*
              * The permitted values of the SIMDReg bits [3:0] on
              * Armv8-A are either 0b0000 and 0b0010. On such CPUs,
              * make sure that has_vfp_d32 can not be set to false.
              */
-            if (!(arm_feature(&cpu->env, ARM_FEATURE_V8) &&
-                  !arm_feature(&cpu->env, ARM_FEATURE_M))) {
+            if ((tcg_enabled() || qtest_enabled())
+                && !(arm_feature(&cpu->env, ARM_FEATURE_V8)
+                     && !arm_feature(&cpu->env, ARM_FEATURE_M))) {
                 qdev_property_add_static(DEVICE(obj),
                                          &arm_cpu_has_vfp_d32_property);
             }
-- 
2.34.1

From: Shashi Mallela <shashi.mallela@linaro.org>

Create ITS as part of SBSA platform GIC initialization.

GIC ITS information is in DeviceTree so TF-A can pass it to EDK2.

Bumping platform version to 0.2 as this is important hardware change.

Signed-off-by: Shashi Mallela <shashi.mallela@linaro.org>
Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
Message-id: 20230619170913.517373-2-marcin.juszkiewicz@linaro.org
Co-authored-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/sbsa.rst | 14 ++++++++++++++
 hw/arm/sbsa-ref.c        | 33 ++++++++++++++++++++++++++++++---
 2 files changed, 44 insertions(+), 3 deletions(-)

diff --git a/docs/system/arm/sbsa.rst b/docs/system/arm/sbsa.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/sbsa.rst
+++ b/docs/system/arm/sbsa.rst
@@ -XXX,XX +XXX,XX @@ to be a complete compliant DT. It currently reports:
    - platform version
    - GIC addresses
 
+Platform version
+''''''''''''''''
+
 The platform version is only for informing platform firmware about
 what kind of ``sbsa-ref`` board it is running on. It is neither
 a QEMU versioned machine type nor a reflection of the level of the
@@ -XXX,XX +XXX,XX @@ SBSA/SystemReady SR support provided.
 The ``machine-version-major`` value is updated when changes breaking
 fw compatibility are introduced. The ``machine-version-minor`` value
 is updated when features are added that don't break fw compatibility.
+
+Platform version changes:
+
+0.0
+  Devicetree holds information about CPUs, memory and platform version.
+
+0.1
+  GIC information is present in devicetree.
+
+0.2
+  GIC ITS information is present in devicetree.
diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/sbsa-ref.c
+++ b/hw/arm/sbsa-ref.c
@@ -XXX,XX +XXX,XX @@ enum {
     SBSA_CPUPERIPHS,
     SBSA_GIC_DIST,
     SBSA_GIC_REDIST,
+    SBSA_GIC_ITS,
     SBSA_SECURE_EC,
     SBSA_GWDT_WS0,
     SBSA_GWDT_REFRESH,
@@ -XXX,XX +XXX,XX @@ static const MemMapEntry sbsa_ref_memmap[] = {
     [SBSA_CPUPERIPHS] =         { 0x40000000, 0x00040000 },
     [SBSA_GIC_DIST] =           { 0x40060000, 0x00010000 },
     [SBSA_GIC_REDIST] =         { 0x40080000, 0x04000000 },
+    [SBSA_GIC_ITS] =            { 0x44081000, 0x00020000 },
     [SBSA_SECURE_EC] =          { 0x50000000, 0x00001000 },
     [SBSA_GWDT_REFRESH] =       { 0x50010000, 0x00001000 },
     [SBSA_GWDT_CONTROL] =       { 0x50011000, 0x00001000 },
@@ -XXX,XX +XXX,XX @@ static void sbsa_fdt_add_gic_node(SBSAMachineState *sms)
                                  2, sbsa_ref_memmap[SBSA_GIC_REDIST].base,
                                  2, sbsa_ref_memmap[SBSA_GIC_REDIST].size);
 
+    nodename = g_strdup_printf("/intc/its");
+    qemu_fdt_add_subnode(sms->fdt, nodename);
+    qemu_fdt_setprop_sized_cells(sms->fdt, nodename, "reg",
+                                 2, sbsa_ref_memmap[SBSA_GIC_ITS].base,
+                                 2, sbsa_ref_memmap[SBSA_GIC_ITS].size);
+
     g_free(nodename);
 }
+
 /*
  * Firmware on this machine only uses ACPI table to load OS, these limited
  * device tree nodes are just to let firmware know the info which varies from
@@ -XXX,XX +XXX,XX @@ static void create_fdt(SBSAMachineState *sms)
      *                        fw compatibility.
      */
     qemu_fdt_setprop_cell(fdt, "/", "machine-version-major", 0);
-    qemu_fdt_setprop_cell(fdt, "/", "machine-version-minor", 1);
+    qemu_fdt_setprop_cell(fdt, "/", "machine-version-minor", 2);
 
     if (ms->numa_state->have_numa_distance) {
         int size = nb_numa_nodes * nb_numa_nodes * 3 * sizeof(uint32_t);
@@ -XXX,XX +XXX,XX @@ static void create_secure_ram(SBSAMachineState *sms,
     memory_region_add_subregion(secure_sysmem, base, secram);
 }
 
-static void create_gic(SBSAMachineState *sms)
+static void create_its(SBSAMachineState *sms)
+{
+    const char *itsclass = its_class_name();
+    DeviceState *dev;
+
+    dev = qdev_new(itsclass);
+
+    object_property_set_link(OBJECT(dev), "parent-gicv3", OBJECT(sms->gic),
+                             &error_abort);
+    sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
+    sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, sbsa_ref_memmap[SBSA_GIC_ITS].base);
+}
+
+static void create_gic(SBSAMachineState *sms, MemoryRegion *mem)
 {
     unsigned int smp_cpus = MACHINE(sms)->smp.cpus;
     SysBusDevice *gicbusdev;
@@ -XXX,XX +XXX,XX @@ static void create_gic(SBSAMachineState *sms)
     qdev_prop_set_uint32(sms->gic, "len-redist-region-count", 1);
     qdev_prop_set_uint32(sms->gic, "redist-region-count[0]", redist0_count);
 
+    object_property_set_link(OBJECT(sms->gic), "sysmem",
+                             OBJECT(mem), &error_fatal);
+    qdev_prop_set_bit(sms->gic, "has-lpi", true);
+
     gicbusdev = SYS_BUS_DEVICE(sms->gic);
     sysbus_realize_and_unref(gicbusdev, &error_fatal);
     sysbus_mmio_map(gicbusdev, 0, sbsa_ref_memmap[SBSA_GIC_DIST].base);
@@ -XXX,XX +XXX,XX @@ static void create_gic(SBSAMachineState *sms)
         sysbus_connect_irq(gicbusdev, i + 3 * smp_cpus,
                            qdev_get_gpio_in(cpudev, ARM_CPU_VFIQ));
     }
+    create_its(sms);
 }
 
 static void create_uart(const SBSAMachineState *sms, int uart,
@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_init(MachineState *machine)
 
     create_secure_ram(sms, secure_sysmem);
 
-    create_gic(sms);
+    create_gic(sms, sysmem);
 
     create_uart(sms, SBSA_UART, sysmem, serial_hd(0));
     create_uart(sms, SBSA_SECURE_UART, secure_sysmem, serial_hd(1));
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Brown bag time: store instead of load results in uninitialized temp.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1704
Reported-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230620134659.817559-1-richard.henderson@linaro.org
Fixes: e6dd5e782be ("target/arm: Use tcg_gen_qemu_{ld, st}_i128 in gen_sve_{ld, st}r")
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/translate-sve.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-sve.c
+++ b/target/arm/tcg/translate-sve.c
@@ -XXX,XX +XXX,XX @@ void gen_sve_str(DisasContext *s, TCGv_ptr base, int vofs,
     /* Predicate register stores can be any multiple of 2.  */
     if (len_remain >= 8) {
         t0 = tcg_temp_new_i64();
-        tcg_gen_st_i64(t0, base, vofs + len_align);
+        tcg_gen_ld_i64(t0, base, vofs + len_align);
         tcg_gen_qemu_st_i64(t0, clean_addr, midx, MO_LEUQ | MO_ATOM_NONE);
         len_remain -= 8;
         len_align += 8;
-- 
2.34.1

The xkb official name for the Arabic keyboard layout is 'ara'.
However xkb has for at least the past 15 years also permitted it to
be named via the legacy synonym 'ar'.  In xkeyboard-config 2.39 this
synoynm was removed, which breaks compilation of QEMU:

FAILED: pc-bios/keymaps/ar
/home/fred/qemu-git/src/qemu/build-full/qemu-keymap -f pc-bios/keymaps/ar -l ar
xkbcommon: ERROR: Couldn't find file "symbols/ar" in include paths
xkbcommon: ERROR: 1 include paths searched:
xkbcommon: ERROR: 	/usr/share/X11/xkb
xkbcommon: ERROR: 3 include paths could not be added:
xkbcommon: ERROR: 	/home/fred/.config/xkb
xkbcommon: ERROR: 	/home/fred/.xkb
xkbcommon: ERROR: 	/etc/xkb
xkbcommon: ERROR: Abandoning symbols file "(unnamed)"
xkbcommon: ERROR: Failed to compile xkb_symbols
xkbcommon: ERROR: Failed to compile keymap

The upstream xkeyboard-config change removing the compat
mapping is:
https://gitlab.freedesktop.org/xkeyboard-config/xkeyboard-config/-/commit/470ad2cd8fea84d7210377161d86b31999bb5ea6

Make QEMU always ask for the 'ara' xkb layout, which should work on
both older and newer xkeyboard-config.  We leave the QEMU name for
this keyboard layout as 'ar'; it is not the only one where our name
for it deviates from the xkb standard name.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-id: 20230620162024.1132013-1-peter.maydell@linaro.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1709
---
 pc-bios/keymaps/meson.build | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pc-bios/keymaps/meson.build b/pc-bios/keymaps/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/pc-bios/keymaps/meson.build
+++ b/pc-bios/keymaps/meson.build
@@ -XXX,XX +XXX,XX @@
 keymaps = {
-  'ar': '-l ar',
+  'ar': '-l ara',
   'bepo': '-l fr -v dvorak',
   'cz': '-l cz',
   'da': '-l dk',
-- 
2.34.1